From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc8512.txt | 5267 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 5267 insertions(+) create mode 100644 doc/rfc/rfc8512.txt (limited to 'doc/rfc/rfc8512.txt') diff --git a/doc/rfc/rfc8512.txt b/doc/rfc/rfc8512.txt new file mode 100644 index 0000000..d4d703e --- /dev/null +++ b/doc/rfc/rfc8512.txt 
@@ -0,0 +1,5267 @@ + + + + + + +Internet Engineering Task Force (IETF) M. Boucadair, Ed. +Request for Comments: 8512 Orange +Category: Standards Track S. Sivakumar +ISSN: 2070-1721 Cisco Systems + C. Jacquenet + Orange + S. Vinapamula + Juniper Networks + Q. Wu + Huawei + January 2019 + + + A YANG Module for + Network Address Translation (NAT) and Network Prefix Translation (NPT) + +Abstract + + This document defines a YANG module for the Network Address + Translation (NAT) function. + + Network Address Translation from IPv4 to IPv4 (NAT44), Network + Address and Protocol Translation from IPv6 Clients to IPv4 Servers + (NAT64), customer-side translator (CLAT), Stateless IP/ICMP + Translation (SIIT), Explicit Address Mappings (EAM) for SIIT, + IPv6-to-IPv6 Network Prefix Translation (NPTv6), and Destination NAT + are covered in this document. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8512. + + + + + + + + + + +Boucadair, et al. Standards Track [Page 1] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +Copyright Notice + + Copyright (c) 2019 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. 
Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 2] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 6 + 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 7 + 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 8 + 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 8 + 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 9 + 2.6. Port-Set Assignment . . . . . . . . . . . . . . . . . . . 9 + 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 9 + 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 10 + 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 13 + 2.10. Binding the NAT Function to an External Interface . . . . 16 + 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 16 + 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 17 + 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 24 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 68 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 70 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 70 + 6.1. Normative References . . . . . . . . . . . . . . . . . . 70 + 6.2. Informative References . . . . . . . . . . . . . . . . . 73 + Appendix A. 
Some Examples . . . . . . . . . . . . . . . . . . . 75 + A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 75 + A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 76 + A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 80 + A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 80 + A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 81 + A.6. Explicit Address Mappings (EAM) for Stateless IP/ICMP + Translation (SIIT) . . . . . . . . . . . . . . . . . . . 82 + A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 85 + A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 86 + A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 86 + A.10. Customer-Side Translator (CLAT) . . . . . . . . . . . . . 89 + A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 90 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 93 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 94 + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 3] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +1. Introduction + + This document defines a data model for Network Address Translation + (NAT) and Network Prefix Translation (NPT) capabilities using the + YANG data modeling language [RFC7950]. + + Traditional NAT is defined in [RFC2663], while Carrier Grade NAT + (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is + used to optimize the usage of global IP address space at the scale of + a domain: a CGN is not managed by end users but by service providers + instead. This document covers both traditional NATs and CGNs. + + This document also covers NAT64 [RFC6146], customer-side translator + (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915], + Explicit Address Mappings (EAM) for SIIT [RFC7757], IPv6 Network + Prefix Translation (NPTv6) [RFC6296], and Destination NAT. 
The full + set of translation schemes that are in scope is included in + Section 2.2. + + Some examples are provided in Appendix A. These examples are not + intended to be exhaustive. + +1.1. Terminology + + This document makes use of the following terms: + + o Basic Network Address Translation from IPv4 to IPv4 (NAT44): + translation is limited to IP addresses alone (Section 2.1 of + [RFC3022]). + + o Network Address Port Translator (NAPT): translation in NAPT is + extended to include IP addresses and transport identifiers (such + as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of + [RFC3022]. A NAPT may use an extra identifier, in addition to the + five transport tuples, to disambiguate bindings [RFC6619]. + + o Destination NAT: is a translation that acts on the destination IP + address and/or destination port number. This flavor is usually + deployed in load balancers or at devices in front of public + servers. + + o Port-restricted IPv4 address: an IPv4 address with a restricted + port set. Multiple hosts may share the same IPv4 address; + however, their port sets must not overlap [RFC7596]. + + + + + + + +Boucadair, et al. Standards Track [Page 4] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + o Restricted port set: a non-overlapping range of allowed external + ports to use for NAT operation. Source ports of IPv4 packets + translated by a NAT must belong to the assigned port set. The + port set is used for all port-aware IP protocols [RFC7596]. + + o Internal host: a host that may need to use a translation + capability to send to and receive traffic from the Internet. + + o Internal address/prefix: the IP address/prefix of an internal + host. + + o External address: the IP address/prefix assigned by a translator + to an internal host; this is the address that will be seen by a + remote host on the Internet. + + o Mapping: denotes a state at the translator that is necessary for + network address and/or port translation. 
+ + o Dynamic implicit mapping: is created implicitly as a side effect + of processing a packet (e.g., an initial TCP SYN packet) that + requires a new mapping. A validity lifetime is associated with + this mapping. + + o Dynamic explicit mapping: is created as a result of an explicit + request, e.g., a Port Control Protocol (PCP) message [RFC6887]. A + validity lifetime is associated with this mapping. + + o Static explicit mapping: is created using, e.g., a command-line + interface (CLI). This mapping is likely to be maintained by the + NAT function till an explicit action is executed to remove it. + + The usage of the term NAT in this document refers to any translation + flavor (NAT44, NAT64, etc.) indifferently. + + This document uses the term "session" as defined in [RFC2663] and + [RFC6146] for NAT64. + + This document follows the guidelines of [RFC8407], uses the common + YANG types defined in [RFC6991], and adopts the Network Management + Datastore Architecture (NMDA). The meaning of the symbols in tree + diagrams is defined in [RFC8340]. + + + + + + + + + + +Boucadair, et al. Standards Track [Page 5] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +2. Overview of the NAT YANG Data Model + +2.1. Overview + + The NAT YANG module is designed to cover dynamic implicit mappings + and static explicit mappings. The required functionality to instruct + dynamic explicit mappings is defined in separate documents such as + [YANG-PCP]. Considerations about instructing by explicit dynamic + means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of scope. + As a reminder, REQ-9 of [RFC6888] requires that a CGN must implement + a protocol giving subscribers explicit control over NAT mappings; + that protocol should be the Port Control Protocol [RFC6887]. + + A single NAT device can have multiple NAT instances; each of these + instances can be provided with its own policies (e.g., be responsible + for serving a group of hosts). 
This document does not make any + assumption about how internal hosts or flows are associated with a + given NAT instance. + + The NAT YANG module assumes that each NAT instance can be enabled/ + disabled, be provisioned with a specific set of configuration data, + and maintain its own mapping tables. + + The NAT YANG module allows for a NAT instance to be provided with + multiple NAT policies (/nat/instances/instance/policy). The document + does not make any assumption about how flows are associated with a + given NAT policy of a given NAT instance. Classification filters are + out of scope. + + Defining multiple NAT instances or configuring multiple NAT policies + within one single NAT instance is implementation and deployment + specific. + + This YANG module does not provide any method to instruct a NAT + function to enable the logging feature or to specify the information + to be logged for administrative or regulatory reasons (Section 2.3 of + [RFC6908] and REQ-12 of [RFC6888]). Those considerations are out of + the scope of this document. + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 6] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +2.2. Various Translation Flavors + + The following translation modes are supported: + + o Basic NAT44 + o NAPT + o Destination NAT + o Port-restricted NAT + o Stateful NAT64 (including with destination-based Pref64::/n + [RFC7050]) + o SIIT + o CLAT + o EAM + o NPTv6 + o Combination of Basic NAT/NAPT and Destination NAT + o Combination of port-restricted and Destination NAT + o Combination of NAT64 and EAM + o Stateful and Stateless NAT64 + + [RFC8513] specifies an extension to the NAT YANG module to support + Dual-Stack Lite (DS-Lite). + + The YANG "feature" statement is used to indicate which of the + different translation modes is relevant for a specific data node. 
+ Table 1 lists defined features: + + +---------------------------------+--------------+ + | Translation Mode | YANG Feature | + +---------------------------------+--------------+ + | Basic NAT44 | basic-nat44 | + | NAPT | napt44 | + | Destination NAT | dst-nat | + | Stateful NAT64 | nat64 | + | Stateless IPv4/IPv6 Translation | siit | + | CLAT | clat | + | EAM | eam | + | NPTv6 | nptv6 | + +---------------------------------+--------------+ + + Table 1: NAT YANG Features + + The following translation modes do not require that dedicated + features be defined: + + o Port-restricted NAT: This mode corresponds to supplying port- + restriction policies to a NAPT or NAT64 (port-set-restrict). + o Combination of Basic NAT/NAPT and Destination NAT: This mode + corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT. + + + +Boucadair, et al. Standards Track [Page 7] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + o Combination of port-restricted and Destination NAT: This mode can + be achieved by configuring a NAPT with port restriction policies + (port-set-restrict) together with a destination IP address pool + (dst-ip-address-pool). + o Combination of NAT64 and EAM: This mode corresponds to configuring + static mappings for NAT64. + o Stateful and stateless NAT64: A NAT64 implementation can be + instructed to behave in the stateless mode for a given prefix by + setting the parameter (nat64-prefixes/stateless-enable). A NAT64 + implementation may behave in both stateful and stateless modes if, + in addition to appropriately setting the parameter + (nat64-prefixes/stateless-enable), an external IPv4 address pool + is configured. 
+ + The NAT YANG module provides a method to retrieve the capabilities of + a NAT instance (including a list of supported translation modes, a + list of supported protocols, the supported NAT mapping types, the + supported NAT filtering types, the behavior for handling fragments + (all, out-of-order, in-order), and the support statuses for the + following: port restriction, port range allocation, port parity + preservation, and port preservation). + +2.3. TCP/UDP/ICMP NAT Behavioral Requirements + + This document assumes NAT behavioral recommendations for UDP + [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default. + + Furthermore, the NAT YANG module relies upon the recommendations + detailed in [RFC6888] and [RFC7857]. + +2.4. Other Transport Protocols + + The module is structured to support protocols other than UDP, TCP, + and ICMP. Concretely, the module allows the operator to enable + translation for other transport protocols when required + (/nat/instances/instance/policy/transport-protocols). Moreover, the + mapping table is designed so that it can indicate any transport + protocol. For example, this module may be used to manage a NAT + capable of the Datagram Congestion Control Protocol (DCCP) that + adheres to [RFC5597]. + + Future extensions may be needed to cover NAT-related considerations + that are specific to other transport protocols such as the Stream + Control Transmission Protocol (SCTP) [NAT-SUPP]. Typically, the + mapping entry can be extended to record two optional SCTP-specific + parameters: the Internal Verification Tag (Int-VTag) and External + Verification Tag (Ext-VTag). + + + + +Boucadair, et al. Standards Track [Page 8] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + This document only specifies transport-protocol-specific timers for + UDP, TCP, and ICMP. 
While some timers could potentially be + generalized for other connection-oriented protocols, this document + does not follow such an approach because there is no standard + document specifying such generic behavior. Future documents may be + edited to clarify how to reuse TCP-specific timers when needed. + +2.5. IP Addresses Used for Translation + + The NAT YANG module assumes that blocks of IP external addresses + (external-ip-address-pool) can be provisioned to the NAT function. + These blocks may be contiguous or not. + + This behavior is aligned with [RFC6888], which specifies that a NAT + function should not have any limitations on the size or the + contiguity of the external address pool. In particular, the NAT + function must be configurable with contiguous or non-contiguous + external IPv4 address ranges. To accommodate traditional NAT, the + module allows for a single IP address to be configured for external- + ip-address-pool. + + Likewise, one or multiple IP address pools may be configured for + Destination NAT (dst-ip-address-pool). + +2.6. Port-Set Assignment + + Port numbers can be assigned by a NAT individually (that is, a single + port is assigned on a per-session basis), but this port allocation + scheme may not be optimal for logging purposes (Section 12 of + [RFC6269]). A NAT function should be able to assign port sets (e.g., + [RFC7753]) to optimize the volume of the logging data (REQ-14 of + [RFC6888]). Both allocation schemes are supported in the NAT YANG + module. + + When port-set assignment is activated (i.e., port-allocation- + type==port-range-allocation), the NAT can be provided with the size + of the port set to be assigned (port-set-size). + +2.7. Port-Restricted IP Addresses + + Some NATs restrict the source port numbers (e.g., Lightweight 4over6 + [RFC7596] and Mapping of Address and Port with Encapsulation (MAP-E) + [RFC7597]). 
Two schemes of port-set assignments (port-set-restrict) + are supported in this document: + + o Simple port range: is defined by two port values, the start and + the end of the port range [RFC8045]. + + + + +Boucadair, et al. Standards Track [Page 9] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + o Algorithmic: an algorithm is defined in [RFC7597] to characterize + the set of ports that can be used. + +2.8. NAT Mapping Entries + + A TCP/UDP mapping entry maintains an association between the + following information: + + (internal-src-address, internal-src-port) (internal-dst-address, + internal-dst-port) <=> (external-src-address, external-src-port) + (external-dst-address, external-dst-port) + + An ICMP mapping entry maintains an association between the following + information: + + (internal-src-address, internal-dst-address, internal ICMP/ICMPv6 + identifier) <=> (external-src-address, external-dst-address, + external ICMP/ICMPv6 identifier) + + As a reminder, all the ICMP Query messages contain an 'Identifier' + field, which is referred to in this document as the 'ICMP + Identifier'. + + To cover TCP, UDP, and ICMP, the NAT YANG module assumes the + following structure of a mapping entry: + + type: Indicates how the mapping was instantiated. For example, it + may indicate whether a mapping is dynamically instantiated by a + packet or statically configured. + + transport-protocol: Indicates the transport protocol (e.g., UDP, + TCP, and ICMP) of a given mapping. + + internal-src-address: Indicates the source IP address/prefix as used + by an internal host. + + internal-src-port: Indicates the source port number (or ICMP + identifier) as used by an internal host. + + external-src-address: Indicates the source IP address/prefix as + assigned by the NAT. + + external-src-port: Indicates the source port number (or ICMP + identifier) as assigned by the NAT. 
+ + internal-dst-address: Indicates the destination IP address/prefix as + used by an internal host when sending a packet to a remote host. + + + + +Boucadair, et al. Standards Track [Page 10] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + internal-dst-port: Indicates the destination port number as used by + an internal host when sending a packet to a remote host. + + external-dst-address: Indicates the destination IP address/prefix + used by a NAT when processing a packet issued by an internal host + towards a remote host. + + external-dst-port: Indicates the destination port number used by a + NAT when processing a packet issued by an internal host towards a + remote host. + + In order to cover both NAT64 and NAT44 flavors, the NAT mapping + structure allows for the inclusion of an IPv4 or an IPv6 address as + an internal IP address. Remaining fields are common to both NAT + schemes. + + For example, the mapping that will be created by a NAT64 upon receipt + of a TCP SYN from source address 2001:db8:aaaa::1 and source port + number 25636 to destination IP address 2001:db8:1234::198.51.100.1 + and destination port number 8080 is shown in Table 2. This example + assumes Endpoint-Dependent Mapping (EDM). 
+ + +-----------------------+-------------------------------------------+ + | Mapping Entry | Value | + | Attribute | | + +-----------------------+-------------------------------------------+ + | type | dynamic implicit mapping | + | transport-protocol | 6 (TCP) | + | internal-src-address | 2001:db8:aaaa::1 | + | internal-src-port | 25636 | + | external-src-address | T (an IPv4 address configured on the | + | | NAT64) | + | external-src-port | t (a port number that is chosen by the | + | | NAT64) | + | internal-dst-address | 2001:db8:1234::198.51.100.1 | + | internal-dst-port | 8080 | + | external-dst-address | 198.51.100.1 | + | external-dst-port | 8080 | + +-----------------------+-------------------------------------------+ + + Table 2: Example of an EDM NAT64 Mapping + + + + + + + + + + +Boucadair, et al. Standards Track [Page 11] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + The mappings that will be created by a NAT44 upon receipt of an ICMP + request from source address 198.51.100.1 and ICMP identifier (ID1) to + destination IP address 198.51.100.11 is depicted in Table 3. This + example assumes Endpoint-Independent Mapping (EIM). 
+ + +----------------------+--------------------------------------------+ + | Mapping-Entry | Value | + | Attribute | | + +----------------------+--------------------------------------------+ + | type | dynamic implicit mapping | + | transport-protocol | 1 (ICMP) | + | internal-src-address | 198.51.100.1 | + | internal-src-port | ID1 | + | external-src-address | T (an IPv4 address configured on the | + | | NAT44) | + | external-src-port | ID2 (an ICMP identifier that is chosen by | + | | the NAT44) | + +----------------------+--------------------------------------------+ + + Table 3: Example of an EIM NAT44 Mapping Entry + + The mapping that will be created by a NAT64 (EIM mode) upon receipt + of an ICMP request from source address 2001:db8:aaaa::1 and ICMP + identifier (ID1) to destination IP address + 2001:db8:1234::198.51.100.1 is shown in Table 4. + + +----------------------+--------------------------------------------+ + | Mapping-Entry | Value | + | Attribute | | + +----------------------+--------------------------------------------+ + | type | dynamic implicit mapping | + | transport-protocol | 58 (ICMPv6) | + | internal-src-address | 2001:db8:aaaa::1 | + | internal-src-port | ID1 | + | external-src-address | T (an IPv4 address configured on the | + | | NAT64) | + | external-src-port | ID2 (an ICMP identifier that is chosen by | + | | the NAT64) | + +----------------------+--------------------------------------------+ + + Table 4: Example of an EIM NAT64 Mapping Entry + + + + + + + + + + +Boucadair, et al. Standards Track [Page 12] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + Note that a mapping table is maintained only for stateful NAT + functions. Particularly: + + o No mapping table is maintained for NPTv6 given that it is + stateless and transport-agnostic. + + o The double translations are stateless in CLAT if a dedicated IPv6 + prefix is provided for CLAT. If not, a stateful NAT44 will be + required. 
+ + o No per-flow mapping is maintained for EAM [RFC7757]. + + o No mapping table is maintained for Stateless IPv4/IPv6 + translation. As a reminder, in such deployments, internal IPv6 + nodes are addressed using IPv4-translatable IPv6 addresses, which + enable them to be accessed by IPv4 nodes [RFC6052]. + +2.9. Resource Limits + + In order to comply with CGN deployments in particular, the NAT YANG + module allows limiting the number of external ports per subscriber + (port-quota) and the amount of state memory allocated per mapping and + per subscriber (mapping-limits and connection-limits). According to + [RFC6888], the module is designed to allow for the following: + + o Per-subscriber limits are configurable by the NAT administrator. + + o Per-subscriber limits are configurable independently per the + transport protocol. + + o Administrator-adjustable thresholds to prevent a single subscriber + from consuming excessive CPU resources from the NAT (e.g., rate- + limit the subscriber's creation of new mappings) can be + configured. + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 13] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + Table 5 lists the various limits that can be set using the NAT YANG + module. Once a limit is reached, packets that would normally trigger + new port mappings or be translated because they match existing + mappings, are dropped by the translator. + + +-------------------+-----------------------------------------------+ + | Limit | Description | + +-------------------+-----------------------------------------------+ + | port-quota | Specifies a port quota to be assigned per | + | | subscriber. It corresponds to the maximum | + | | number of ports to be used by a subscriber. | + | | The port quota can be configured to apply to | + | | all protocols or to a specific protocol. | + | | Distinct port quota may be configured per | + | | protocol. 
| + +-------------------+-----------------------------------------------+ + | fragments-limit | In order to prevent denial-of-service (DoS) | + | | attacks that can be caused by fragments, this | + | | parameter is used to limit the number of out- | + | | of-order fragments that can be handled by a | + | | translator. | + +-------------------+-----------------------------------------------+ + | mapping-limits | This parameter can be used to control the | + | | maximum number of subscribers that can be | + | | serviced by a NAT instance (limit-subscriber) | + | | and the maximum number of address and/or port | + | | mappings that can be maintained by a NAT | + | | instance (limit-address-mappings and limit- | + | | port-mappings). Also, limits specific to | + | | protocols (e.g., TCP, UDP, ICMP) can also be | + | | specified (limit-per-protocol). | + +-------------------+-----------------------------------------------+ + | connection-limits | In order to prevent exhausting the resources | + | | of a NAT implementation and to ensure | + | | fairness usage among subscribers, various | + | | rate limits can be specified. Rate-limiting | + | | can be enforced per subscriber (limit- | + | | subscriber), per NAT instance (limit-per- | + | | instance), and/or be specified for each | + | | supported protocol (limit-per-protocol). | + +-------------------+-----------------------------------------------+ + + Table 5: NAT Limits + + + + + + + + +Boucadair, et al. Standards Track [Page 14] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + Table 6 describes limits that, once exceeded, will trigger + notifications to be generated: + + +--------------------------+----------------------------------------+ + | Notification Threshold | Description | + +--------------------------+----------------------------------------+ + | high-threshold | Used to notify high address | + | | utilization of a given pool. 
When | + | | exceeded, a nat-pool-event | + | | notification will be generated. | + +--------------------------+----------------------------------------+ + | low-threshold | Used to notify low address utilization | + | | of a given pool. An administrator is | + | | supposed to configure low-threshold so | + | | that it can reflect an abnormal usage | + | | of NAT resources. When exceeded, a | + | | nat-pool-event notification will be | + | | generated. | + +--------------------------+----------------------------------------+ + | notify-addresses-usage | Used to notify high address | + | | utilization of all pools configured to | + | | a NAT instance. When exceeded, a nat- | + | | instance-event will be generated. | + +--------------------------+----------------------------------------+ + | notify-ports-usage | Used to notify high port allocation | + | | taking into account all pools | + | | configured to a NAT instance. When | + | | exceeded, a nat-instance-event | + | | notification will be generated. | + +--------------------------+----------------------------------------+ + | notify-subscribers-limit | Used to notify a high number of active | + | | subscribers that are serviced by a NAT | + | | instance. When exceeded, a nat- | + | | instance-event notification will be | + | | generated. | + +--------------------------+----------------------------------------+ + + Table 6: Notification Thresholds + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 15] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + In order to prevent a NAT implementation from generating frequent + notifications, the NAT YANG module supports the following limits + (Table 7) used to control how frequent notifications can be + generated. That is, notifications are subject to rate-limiting + imposed by these intervals. 
+ + +-------------------------------------+-----------------------------+ + | Interval | Description | + +-------------------------------------+-----------------------------+ + | notify-pool-usage/notify-interval | Indicates the minimum | + | | number of seconds between | + | | successive notifications | + | | for a given address pool. | + +-------------------------------------+-----------------------------+ + | notification-limits/notify-interval | Indicates the minimum | + | | number of seconds between | + | | successive notifications | + | | for a NAT instance. | + +-------------------------------------+-----------------------------+ + + Table 7: Notification Intervals + +2.10. Binding the NAT Function to an External Interface + + The module is designed to specify an external realm on which the NAT + function must be applied (external-realm). The module supports + indicating an interface as an external realm [RFC8343], but the + module is extensible so that other choices can be indicated in the + future (e.g., Virtual Routing and Forwarding (VRF) instance). + + Distinct external realms can be provided as a function of the NAT + policy (see, for example, Section 4 of [RFC7289]). + + If no external realm is provided, this assumes that the system is + able to determine the external interface (VRF instance, etc.) on + which the NAT will be applied. Typically, the WAN and LAN interfaces + of Customer Premises Equipment (CPE) are determined by the CPE. + +2.11. Relationship to NATV2-MIB + + Section of 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that + the following information is configured on the NAT by some means, + which is not specified in [RFC7659]: + + o The set of address realms to which the device connects. + + + + + + +Boucadair, et al. 
Standards Track [Page 16] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + o For the CGN case, per-subscriber information including the + subscriber index, address realm, assigned prefix or address, and + (possibly) policies regarding address pool selection in the + various possible address realms to which the subscriber may + connect. + + o The set of NAT instances running on the device, identified by NAT + instance index and name. + + o The port mapping, filtering, pooling, and fragment behaviors for + each NAT instance. + + o The set of protocols supported by each NAT instance. + + o Address pools for each NAT instance, including for each pool the + pool index, address realm, and minimum and maximum port numbers. + + o Static address and port mapping entries. + + All the above parameters can be configured by means of the NAT YANG + module. + + Unlike the NATV2-MIB, the NAT YANG module allows the configuration of + multiple policies per NAT instance. + +2.12. Tree Structure + + The tree structure of the NAT YANG module is provided below: + + module: ietf-nat + +--rw nat + +--rw instances + +--rw instance* [id] + +--rw id uint32 + +--rw name? string + +--rw enable? boolean + +--ro capabilities + | +--ro nat-flavor* + | | identityref + | +--ro per-interface-binding* + | | enumeration + | +--ro transport-protocols* [protocol-id] + | | +--ro protocol-id uint8 + | | +--ro protocol-name? string + | +--ro restricted-port-support? + | | boolean + | +--ro static-mapping-support? + | | boolean + + + +Boucadair, et al. Standards Track [Page 17] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + | +--ro port-randomization-support? + | | boolean + | +--ro port-range-allocation-support? + | | boolean + | +--ro port-preservation-suport? + | | boolean + | +--ro port-parity-preservation-support? + | | boolean + | +--ro address-roundrobin-support? + | | boolean + | +--ro paired-address-pooling-support? + | | boolean + | +--ro endpoint-independent-mapping-support? 
+ | | boolean + | +--ro address-dependent-mapping-support? + | | boolean + | +--ro address-and-port-dependent-mapping-support? + | | boolean + | +--ro endpoint-independent-filtering-support? + | | boolean + | +--ro address-dependent-filtering? + | | boolean + | +--ro address-and-port-dependent-filtering? + | | boolean + | +--ro fragment-behavior? + | enumeration + +--rw type? identityref + +--rw per-interface-binding? enumeration + +--rw nat-pass-through* [id] + | {basic-nat44 or napt44 or dst-nat}? + | +--rw id uint32 + | +--rw prefix inet:ip-prefix + | +--rw port? inet:port-number + +--rw policy* [id] + | +--rw id uint32 + | +--rw clat-parameters {clat}? + | | +--rw clat-ipv6-prefixes* [ipv6-prefix] + | | | +--rw ipv6-prefix inet:ipv6-prefix + | | +--rw ipv4-prefixes* [ipv4-prefix] + | | +--rw ipv4-prefix inet:ipv4-prefix + | +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}? + | | +--rw internal-ipv6-prefix inet:ipv6-prefix + | | +--rw external-ipv6-prefix inet:ipv6-prefix + | +--rw eam* [ipv4-prefix] {eam}? + | | +--rw ipv4-prefix inet:ipv4-prefix + | | +--rw ipv6-prefix inet:ipv6-prefix + + + + + +Boucadair, et al. Standards Track [Page 18] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + | +--rw nat64-prefixes* [nat64-prefix] + | | {siit or nat64 or clat}? + | | +--rw nat64-prefix inet:ipv6-prefix + | | +--rw destination-ipv4-prefix* [ipv4-prefix] + | | | +--rw ipv4-prefix inet:ipv4-prefix + | | +--rw stateless-enable? boolean + | +--rw external-ip-address-pool* [pool-id] + | | {basic-nat44 or napt44 or nat64}? + | | +--rw pool-id uint32 + | | +--rw external-ip-pool inet:ipv4-prefix + | +--rw port-set-restrict {napt44 or nat64}? + | | +--rw (port-type)? + | | +--:(port-range) + | | | +--rw start-port-number? inet:port-number + | | | +--rw end-port-number? inet:port-number + | | +--:(port-set-algo) + | | +--rw psid-offset? uint8 + | | +--rw psid-len uint8 + | | +--rw psid uint16 + | +--rw dst-nat-enable? boolean + | | {basic-nat44 or napt44}? 
+ | +--rw dst-ip-address-pool* [pool-id] {dst-nat}? + | | +--rw pool-id uint32 + | | +--rw dst-in-ip-pool? inet:ip-prefix + | | +--rw dst-out-ip-pool inet:ip-prefix + | +--rw transport-protocols* [protocol-id] + | | {napt44 or nat64 or dst-nat}? + | | +--rw protocol-id uint8 + | | +--rw protocol-name? string + | +--rw subscriber-mask-v6? uint8 + | +--rw subscriber-match* [match-id] + | | {basic-nat44 or napt44 or dst-nat}? + | | +--rw match-id uint32 + | | +--rw subnet inet:ip-prefix + | +--rw address-allocation-type? enumeration + | +--rw port-allocation-type? enumeration + | | {napt44 or nat64}? + | +--rw mapping-type? enumeration + | | {napt44 or nat64}? + | +--rw filtering-type? enumeration + | | {napt44 or nat64}? + | +--rw fragment-behavior? enumeration + | | {napt44 or nat64}? + | +--rw port-quota* [quota-type] {napt44 or nat64}? + | | +--rw port-limit? uint16 + | | +--rw quota-type uint8 + + + + + +Boucadair, et al. Standards Track [Page 19] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + | +--rw port-set {napt44 or nat64}? + | | +--rw port-set-size uint16 + | | +--rw port-set-timeout? uint32 + | +--rw timers {napt44 or nat64}? + | | +--rw udp-timeout? uint32 + | | +--rw tcp-idle-timeout? uint32 + | | +--rw tcp-trans-open-timeout? uint32 + | | +--rw tcp-trans-close-timeout? uint32 + | | +--rw tcp-in-syn-timeout? uint32 + | | +--rw fragment-min-timeout? uint32 + | | +--rw icmp-timeout? uint32 + | | +--rw per-port-timeout* [port-number] + | | | +--rw port-number inet:port-number + | | | +--rw protocol? uint32 + | | | +--rw timeout uint32 + | | +--rw hold-down-timeout? uint32 + | | +--rw hold-down-max? uint32 + | +--rw fragments-limit? uint32 + | +--rw algs* [name] + | | +--rw name string + | | +--rw transport-protocol? uint32 + | | +--rw dst-transport-port + | | | +--rw start-port-number? inet:port-number + | | | +--rw end-port-number? inet:port-number + | | +--rw src-transport-port + | | | +--rw start-port-number? 
inet:port-number + | | | +--rw end-port-number? inet:port-number + | | +--rw status? boolean + | +--rw all-algs-enable? boolean + | +--rw notify-pool-usage + | | {basic-nat44 or napt44 or nat64}? + | | +--rw pool-id? uint32 + | | +--rw low-threshold? percent + | | +--rw high-threshold? percent + | | +--rw notify-interval? uint32 + | +--rw external-realm + | +--rw (realm-type)? + | +--:(interface) + | +--rw external-interface? if:interface-ref + +--rw mapping-limits {napt44 or nat64}? + | +--rw limit-subscribers? uint32 + | +--rw limit-address-mappings? uint32 + | +--rw limit-port-mappings? uint32 + | +--rw limit-per-protocol* [protocol-id] + | {napt44 or nat64 or dst-nat}? + | +--rw protocol-id uint8 + | +--rw limit? uint32 + + + + +Boucadair, et al. Standards Track [Page 20] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + +--rw connection-limits + | {basic-nat44 or napt44 or nat64}? + | +--rw limit-per-subscriber? uint32 + | +--rw limit-per-instance? uint32 + | +--rw limit-per-protocol* [protocol-id] + | {napt44 or nat64}? + | +--rw protocol-id uint8 + | +--rw limit? uint32 + +--rw notification-limits + | +--rw notify-interval? uint32 + | | {basic-nat44 or napt44 or nat64}? + | +--rw notify-addresses-usage? percent + | | {basic-nat44 or napt44 or nat64}? + | +--rw notify-ports-usage? percent + | | {napt44 or nat64}? + | +--rw notify-subscribers-limit? uint32 + | {basic-nat44 or napt44 or nat64}? + +--rw mapping-table + | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? + | +--rw mapping-entry* [index] + | +--rw index uint32 + | +--rw type? enumeration + | +--rw transport-protocol? uint8 + | +--rw internal-src-address? inet:ip-prefix + | +--rw internal-src-port + | | +--rw start-port-number? inet:port-number + | | +--rw end-port-number? inet:port-number + | +--rw external-src-address? inet:ip-prefix + | +--rw external-src-port + | | +--rw start-port-number? inet:port-number + | | +--rw end-port-number? 
inet:port-number + | +--rw internal-dst-address? inet:ip-prefix + | +--rw internal-dst-port + | | +--rw start-port-number? inet:port-number + | | +--rw end-port-number? inet:port-number + | +--rw external-dst-address? inet:ip-prefix + | +--rw external-dst-port + | | +--rw start-port-number? inet:port-number + | | +--rw end-port-number? inet:port-number + | +--rw lifetime? uint32 + +--ro statistics + +--ro discontinuity-time yang:date-and-time + +--ro traffic-statistics + | +--ro sent-packets? + | | yang:zero-based-counter64 + | +--ro sent-bytes? + | | yang:zero-based-counter64 + + + + +Boucadair, et al. Standards Track [Page 21] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + | +--ro rcvd-packets? + | | yang:zero-based-counter64 + | +--ro rcvd-bytes? + | | yang:zero-based-counter64 + | +--ro dropped-packets? + | | yang:zero-based-counter64 + | +--ro dropped-bytes? + | | yang:zero-based-counter64 + | +--ro dropped-fragments? + | | yang:zero-based-counter64 + | | {napt44 or nat64}? + | +--ro dropped-address-limit-packets? + | | yang:zero-based-counter64 + | | {basic-nat44 or napt44 or nat64}? + | +--ro dropped-address-limit-bytes? + | | yang:zero-based-counter64 + | | {basic-nat44 or napt44 or nat64}? + | +--ro dropped-address-packets? + | | yang:zero-based-counter64 + | | {basic-nat44 or napt44 or nat64}? + | +--ro dropped-address-bytes? + | | yang:zero-based-counter64 + | | {basic-nat44 or napt44 or nat64}? + | +--ro dropped-port-limit-packets? + | | yang:zero-based-counter64 + | | {napt44 or nat64}? + | +--ro dropped-port-limit-bytes? + | | yang:zero-based-counter64 + | | {napt44 or nat64}? + | +--ro dropped-port-packets? + | | yang:zero-based-counter64 + | | {napt44 or nat64}? + | +--ro dropped-port-bytes? + | | yang:zero-based-counter64 + | | {napt44 or nat64}? + | +--ro dropped-subscriber-limit-packets? + | | yang:zero-based-counter64 + | | {basic-nat44 or napt44 or nat64}? + | +--ro dropped-subscriber-limit-bytes? 
+ | yang:zero-based-counter64 + | {basic-nat44 or napt44 or nat64}? + +--ro mappings-statistics + | +--ro total-active-subscribers? yang:gauge32 + | | {basic-nat44 or napt44 or nat64}? + | +--ro total-address-mappings? yang:gauge32 + | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? + | +--ro total-port-mappings? yang:gauge32 + | | {napt44 or nat64}? + + + +Boucadair, et al. Standards Track [Page 22] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + | +--ro total-per-protocol* [protocol-id] + | {napt44 or nat64}? + | +--ro protocol-id uint8 + | +--ro total? yang:gauge32 + +--ro pools-stats {basic-nat44 or napt44 or nat64}? + +--ro addresses-allocated? yang:gauge32 + +--ro addresses-free? yang:gauge32 + +--ro ports-stats {napt44 or nat64}? + | +--ro ports-allocated? yang:gauge32 + | +--ro ports-free? yang:gauge32 + +--ro per-pool-stats* [pool-id] + | {basic-nat44 or napt44 or nat64}? + +--ro pool-id uint32 + +--ro discontinuity-time yang:date-and-time + +--ro pool-stats + | +--ro addresses-allocated? yang:gauge32 + | +--ro addresses-free? yang:gauge32 + +--ro port-stats {napt44 or nat64}? + +--ro ports-allocated? yang:gauge32 + +--ro ports-free? yang:gauge32 + + notifications: + +---n nat-pool-event {basic-nat44 or napt44 or nat64}? + | +--ro id -> /nat/instances/instance/id + | +--ro policy-id? + | | -> /nat/instances/instance/policy/id + | +--ro pool-id + | | -> /nat/instances/instance/policy/ + | | external-ip-address-pool/pool-id + | +--ro notify-pool-threshold percent + +---n nat-instance-event {basic-nat44 or napt44 or nat64}? + +--ro id + | -> /nat/instances/instance/id + +--ro notify-subscribers-threshold? uint32 + +--ro notify-addresses-threshold? percent + +--ro notify-ports-threshold? percent + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 23] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +3. 
NAT YANG Module + + file "ietf-nat@2019-01-10.yang" + + module ietf-nat { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; + prefix nat; + + import ietf-inet-types { + prefix inet; + reference + "Section 4 of RFC 6991"; + } + import ietf-yang-types { + prefix yang; + reference + "Section 3 of RFC 6991"; + } + import ietf-interfaces { + prefix if; + reference + "RFC 8343: A YANG Data Model for Interface Management"; + } + + organization + "IETF OPSAWG (Operations and Management Area Working Group)"; + contact + "WG Web: + WG List: + + Editor: Mohamed Boucadair + + + Author: Senthil Sivakumar + + + Author: Christian Jacquenet + + + Author: Suresh Vinapamula + + + Author: Qin Wu + "; + + description + "This module is a YANG module for NAT implementations. + + + +Boucadair, et al. Standards Track [Page 24] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + NAT44, Network Address and Protocol Translation from IPv6 + Clients to IPv4 Servers (NAT64), customer-side translator + (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit + Address Mappings (EAM) for SIIT, IPv6 Network Prefix + Translation (NPTv6), and Destination NAT are covered. + + Copyright (c) 2018 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC 8512; see + the RFC itself for full legal notices."; + + revision 2019-01-10 { + description + "Initial revision."; + reference + "RFC 8512: A YANG Module for Network Address Translation + (NAT) and Network Prefix Translation (NPT)"; + } + + /* + * Definitions + */ + + typedef percent { + type uint8 { + range "0 .. 
100"; + } + description + "Percentage"; + } + + /* + * Features + */ + + feature basic-nat44 { + description + "Basic NAT44 translation is limited to IP addresses alone."; + reference + "RFC 3022: Traditional IP Network Address Translator + + + +Boucadair, et al. Standards Track [Page 25] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + (Traditional NAT)"; + } + + feature napt44 { + description + "Network Address Port Translator (NAPT): translation is + extended to include IP addresses and transport identifiers + (such as a TCP/UDP port or ICMP query ID). + + If the internal IP address is not sufficient to uniquely + disambiguate NAPT44 mappings, an additional attribute is + required. For example, that additional attribute may + be an IPv6 address (a.k.a., DS-Lite) or + a Layer 2 identifier (a.k.a., Per-Interface NAT)"; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + feature dst-nat { + description + "Destination NAT is a translation that acts on the destination + IP address and/or destination port number. This flavor is + usually deployed in load balancers or at devices + in front of public servers."; + } + + feature nat64 { + description + "NAT64 translation allows IPv6-only clients to contact IPv4 + servers using, e.g., UDP, TCP, or ICMP. One or more + public IPv4 addresses assigned to a NAT64 translator are + shared among several IPv6-only clients."; + reference + "RFC 6146: Stateful NAT64: Network Address and Protocol + Translation from IPv6 Clients to IPv4 Servers"; + } + + feature siit { + description + "The Stateless IP/ICMP Translation Algorithm (SIIT), which + translates between IPv4 and IPv6 packet headers (including + ICMP headers). + + In the stateless mode, an IP/ICMP translator converts IPv4 + addresses to IPv6, and vice versa, solely based on the + configuration of the stateless IP/ICMP translator and + information contained within the packet being translated. + + + +Boucadair, et al. 
Standards Track [Page 26] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + The translator must support the stateless address mapping + algorithm defined in RFC 6052, which is the default behavior."; + reference + "RFC 7915: IP/ICMP Translation Algorithm"; + } + + feature clat { + description + "CLAT is customer-side translator that algorithmically + translates 1:1 private IPv4 addresses to global IPv6 + addresses, and vice versa. + + When a dedicated /64 prefix is not available for translation + from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN + packets so that all the LAN-originated IPv4 packets appear + from a single IPv4 address and are then statelessly translated + to one interface IPv6 address that is claimed by the CLAT via + the Neighbor Discovery Protocol (NDP) and defended with + Duplicate Address Detection."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and + Stateless Translation"; + } + + feature eam { + description + "Explicit Address Mapping (EAM) is a bidirectional coupling + between an IPv4 prefix and an IPv6 prefix."; + reference + "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP + Translation"; + } + + feature nptv6 { + description + "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 + prefix translation."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + + /* + * Identities + */ + + identity nat-type { + description + "Base identity for nat type."; + + + +Boucadair, et al. 
Standards Track [Page 27] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + } + + identity basic-nat44 { + base nat:nat-type; + description + "Identity for Basic NAT support."; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + identity napt44 { + base nat:nat-type; + description + "Identity for NAPT support."; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + identity dst-nat { + base nat:nat-type; + description + "Identity for Destination NAT support."; + } + + identity nat64 { + base nat:nat-type; + description + "Identity for NAT64 support."; + reference + "RFC 6146: Stateful NAT64: Network Address and Protocol + Translation from IPv6 Clients to IPv4 Servers"; + } + + identity siit { + base nat:nat-type; + description + "Identity for SIIT support."; + reference + "RFC 7915: IP/ICMP Translation Algorithm"; + } + + identity clat { + base nat:nat-type; + description + "Identity for CLAT support."; + reference + + + +Boucadair, et al. Standards Track [Page 28] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "RFC 6877: 464XLAT: Combination of Stateful and Stateless + Translation"; + } + + identity eam { + base nat:nat-type; + description + "Identity for EAM support."; + reference + "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP + Translation"; + } + + identity nptv6 { + base nat:nat-type; + description + "Identity for NPTv6 support."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + + /* + * Grouping + */ + + grouping port-number { + description + "An individual port number or a range of ports. + When only start-port-number is present, + it represents a single port number."; + leaf start-port-number { + type inet:port-number; + description + "Beginning of the port range."; + reference + "Section 3.2.9 of RFC 8045"; + } + leaf end-port-number { + type inet:port-number; + must '. 
>= ../start-port-number' { + error-message + "The end-port-number must be greater than or + equal to start-port-number."; + } + description + "End of the port range."; + reference + "Section 3.2.10 of RFC 8045"; + + + +Boucadair, et al. Standards Track [Page 29] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + } + } + + grouping port-set { + description + "Indicates a set of port numbers. + + It may be a simple port range, or use the Port Set + Identifier (PSID) algorithm to represent a range of + transport-layer port numbers that will be used by a + NAPT."; + choice port-type { + default "port-range"; + description + "Port type: port-range or port-set-algo."; + case port-range { + uses port-number; + } + case port-set-algo { + leaf psid-offset { + type uint8 { + range "0..15"; + } + description + "The number of offset bits (a.k.a., 'a' bits). + Specifies the numeric value for the excluded port + range/offset bits. + + Allowed values are between 0 and 15."; + reference + "Section 5.1 of RFC 7597"; + } + leaf psid-len { + type uint8 { + range "0..15"; + } + mandatory true; + description + "The length of PSID, representing the sharing + ratio for an IPv4 address. + + (also known as 'k'). + + The address-sharing ratio would be 2^k."; + reference + "Section 5.1 of RFC 7597"; + } + leaf psid { + + + +Boucadair, et al. Standards Track [Page 30] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + type uint16; + mandatory true; + description + "PSID value, which identifies a set + of ports algorithmically."; + reference + "Section 5.1 of RFC 7597"; + } + } + reference + "RFC 7597: Mapping of Address and Port with + Encapsulation (MAP-E)"; + } + } + + grouping mapping-entry { + description + "NAT mapping entry. 
+ + If an attribute is not stored in the mapping/session table, + it means the corresponding field of a packet that + matches this entry is not rewritten by the NAT or this + information is not required for NAT filtering purposes."; + leaf index { + type uint32; + description + "A unique identifier of a mapping entry. This identifier + can be automatically assigned by the NAT instance or be + explicitly configured."; + } + leaf type { + type enumeration { + enum static { + description + "The mapping entry is explicitly configured + (e.g., via a command-line interface)."; + } + enum dynamic-implicit { + description + "This mapping is created implicitly as a side effect + of processing a packet that requires a new mapping."; + } + enum dynamic-explicit { + description + "This mapping is created as a result of an explicit + request, e.g., a PCP message."; + } + } + + + +Boucadair, et al. Standards Track [Page 31] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + description + "Indicates the type of a mapping entry. For example, + a mapping can be: static, implicit dynamic, + or explicit dynamic."; + } + leaf transport-protocol { + type uint8; + description + "The upper-layer protocol associated with this mapping. + Values are taken from the IANA Protocol Numbers registry: + . + + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP. + + If this leaf is not instantiated, then the mapping + applies to any protocol."; + } + leaf internal-src-address { + type inet:ip-prefix; + description + "Corresponds to the source IPv4/IPv6 address/prefix + of the packet received on an internal interface."; + } + container internal-src-port { + description + "Corresponds to the source port of the packet received + on an internal interface. + + It is also used to indicate the internal source ICMP + identifier. 
+ + As a reminder, all the ICMP Query messages contain + an 'Identifier' field, which is referred to in this + document as the 'ICMP Identifier'."; + uses port-number; + } + leaf external-src-address { + type inet:ip-prefix; + description + "Source IP address/prefix of the packet sent on an + external interface of the NAT."; + } + container external-src-port { + description + "Source port of the packet sent on an external + interface of the NAT. + + + + +Boucadair, et al. Standards Track [Page 32] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + It is also used to indicate the external source ICMP + identifier."; + uses port-number; + } + leaf internal-dst-address { + type inet:ip-prefix; + description + "Corresponds to the destination IP address/prefix + of the packet received on an internal interface + of the NAT. + + For example, some NAT implementations support + the translation of both source and destination + addresses and port numbers, sometimes referred to + as 'Twice NAT'."; + } + container internal-dst-port { + description + "Corresponds to the destination port of the + IP packet received on the internal interface. + + It is also used to include the internal + destination ICMP identifier."; + uses port-number; + } + leaf external-dst-address { + type inet:ip-prefix; + description + "Corresponds to the destination IP address/prefix + of the packet sent on an external interface + of the NAT."; + } + container external-dst-port { + description + "Corresponds to the destination port number of + the packet sent on the external interface + of the NAT. + + It is also used to include the external + destination ICMP identifier."; + uses port-number; + } + leaf lifetime { + type uint32; + units "seconds"; + description + "When specified, it is used to track the connection that is + fully formed (e.g., once the three-way handshake + + + +Boucadair, et al. 
Standards Track [Page 33] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + TCP is completed) or the duration for maintaining + an explicit mapping alive. The mapping entry will be + removed by the NAT instance once this lifetime is expired. + + When reported in a get operation, the lifetime indicates + the remaining validity lifetime. + + Static mappings may not be associated with a + lifetime. If no lifetime is associated with a + static mapping, an explicit action is required to + remove that mapping."; + } + } + + /* + * NAT Module + */ + + container nat { + description + "NAT module"; + container instances { + description + "NAT instances"; + list instance { + key "id"; + description + "A NAT instance. This identifier can be automatically + assigned or explicitly configured."; + leaf id { + type uint32; + must '. >= 1'; + description + "NAT instance identifier. + + The identifier must be greater than zero."; + reference + "RFC 7659: Definitions of Managed Objects for Network + Address Translators (NATs)"; + } + leaf name { + type string; + description + "A name associated with the NAT instance."; + reference + "RFC 7659: Definitions of Managed Objects for Network + Address Translators (NATs)"; + } + + + +Boucadair, et al. 
Standards Track [Page 34] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf enable { + type boolean; + description + "Status of the NAT instance."; + } + container capabilities { + config false; + description + "NAT capabilities."; + leaf-list nat-flavor { + type identityref { + base nat-type; + } + description + "Supported translation type(s)."; + } + leaf-list per-interface-binding { + type enumeration { + enum unsupported { + description + "No capability to associate a NAT binding with + an extra identifier."; + } + enum layer-2 { + description + "The NAT instance is able to associate a mapping with + a Layer 2 identifier."; + } + enum dslite { + description + "The NAT instance is able to associate a mapping with + an IPv6 address (a.k.a., DS-Lite)."; + } + } + description + "Indicates the capability of a NAT to associate a + particular NAT session not only with the five + tuples used for the transport connection on both + sides of the NAT but also with the internal + interface on which the user device is + connected to the NAT."; + reference + "Section 4 of RFC 6619"; + } + list transport-protocols { + key "protocol-id"; + description + "List of supported protocols."; + + + +Boucadair, et al. Standards Track [Page 35] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf protocol-id { + type uint8; + mandatory true; + description + "The upper-layer protocol associated with a mapping. + + Values are taken from the IANA Protocol Numbers + registry. + + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; + } + leaf protocol-name { + type string; + description + "The name of the upper-layer protocol associated + with this mapping. 
+ + For example, TCP, UDP, DCCP, and SCTP."; + } + } + leaf restricted-port-support { + type boolean; + description + "Indicates source port NAT restriction support."; + reference + "RFC 7596: Lightweight 4over6: An Extension to + the Dual-Stack Lite Architecture"; + } + leaf static-mapping-support { + type boolean; + description + "Indicates whether static mappings are supported."; + } + leaf port-randomization-support { + type boolean; + description + "Indicates whether port randomization is supported."; + reference + "Section 4.2.1 of RFC 4787"; + } + leaf port-range-allocation-support { + type boolean; + description + "Indicates whether port range allocation is supported."; + reference + "Section 1.1 of RFC 7753"; + } + + + +Boucadair, et al. Standards Track [Page 36] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf port-preservation-suport { + type boolean; + description + "Indicates whether port preservation is supported."; + reference + "Section 4.2.1 of RFC 4787"; + } + leaf port-parity-preservation-support { + type boolean; + description + "Indicates whether port parity preservation is + supported."; + reference + "Section 8 of RFC 7857"; + } + leaf address-roundrobin-support { + type boolean; + description + "Indicates whether address allocation round robin is + supported."; + } + leaf paired-address-pooling-support { + type boolean; + description + "Indicates whether paired-address-pooling is + supported"; + reference + "REQ-2 of RFC 4787"; + } + leaf endpoint-independent-mapping-support { + type boolean; + description + "Indicates whether endpoint-independent- + mapping is supported."; + reference + "Section 4 of RFC 4787"; + } + leaf address-dependent-mapping-support { + type boolean; + description + "Indicates whether address-dependent-mapping is + supported."; + reference + "Section 4 of RFC 4787"; + } + leaf address-and-port-dependent-mapping-support { + type boolean; + description + + + +Boucadair, et al. 
Standards Track [Page 37] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Indicates whether address-and-port-dependent-mapping is + supported."; + reference + "Section 4 of RFC 4787"; + } + leaf endpoint-independent-filtering-support { + type boolean; + description + "Indicates whether endpoint-independent-filtering is + supported."; + reference + "Section 5 of RFC 4787"; + } + leaf address-dependent-filtering { + type boolean; + description + "Indicates whether address-dependent-filtering is + supported."; + reference + "Section 5 of RFC 4787"; + } + leaf address-and-port-dependent-filtering { + type boolean; + description + "Indicates whether address-and-port-dependent is + supported."; + reference + "Section 5 of RFC 4787"; + } + leaf fragment-behavior { + type enumeration { + enum unsupported { + description + "No capability to translate incoming fragments. + All received fragments are dropped."; + } + enum in-order { + description + "The NAT instance is able to translate fragments + only if they are received in order. That is, in + particular the header is in the first packet. + Fragments received out of order are dropped. "; + } + enum out-of-order { + description + "The NAT instance is able to translate a fragment even + if it is received out of order. + + + + +Boucadair, et al. Standards Track [Page 38] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + This behavior is recommended."; + reference + "REQ-14 of RFC 4787"; + } + } + description + "The fragment behavior is the NAT instance's capability to + translate fragments received on the external interface of + the NAT."; + } + } + leaf type { + type identityref { + base nat-type; + } + description + "Specify the translation type. Particularly useful when + multiple translation flavors are supported. 
+ + If one type is supported by a NAT, this parameter is by + default set to that type."; + } + leaf per-interface-binding { + type enumeration { + enum disabled { + description + "Disable the capability to associate an extra identifier + with NAT mappings."; + } + enum layer-2 { + description + "The NAT instance is able to associate a mapping with + a Layer 2 identifier."; + } + enum dslite { + description + "The NAT instance is able to associate a mapping with + an IPv6 address (a.k.a., DS-Lite)."; + } + } + description + "A NAT that associates a particular NAT session not + only with the five tuples used for the transport + connection on both sides of the NAT but also with + the internal interface on which the user device is + connected to the NAT. + + If supported, this mode of operation should be + + + +Boucadair, et al. Standards Track [Page 39] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + configurable, and it should be disabled by default in + general-purpose NAT devices. + If one single per-interface binding behavior is + supported by a NAT, this parameter is by default set to + that behavior."; + reference + "Section 4 of RFC 6619"; + } + list nat-pass-through { + if-feature "basic-nat44 or napt44 or dst-nat"; + key "id"; + description + "IP prefix NAT pass-through."; + leaf id { + type uint32; + description + "An identifier of the IP prefix pass-through."; + } + leaf prefix { + type inet:ip-prefix; + mandatory true; + description + "The IP addresses that match should not be translated. + + It must be possible to administratively turn + off translation for specific destination addresses + and/or ports."; + reference + "REQ-6 of RFC 6888"; + } + leaf port { + type inet:port-number; + description + "It must be possible to administratively turn off + translation for specific destination addresses + and/or ports. 
+ + If no prefix is defined, the NAT pass-through bound + to a given port applies for any destination address."; + reference + "REQ-6 of RFC 6888"; + } + } + list policy { + key "id"; + description + "NAT parameters for a given instance"; + leaf id { + + + +Boucadair, et al. Standards Track [Page 40] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + type uint32; + description + "An identifier of the NAT policy. It must be unique + within the NAT instance."; + } + container clat-parameters { + if-feature "clat"; + description + "CLAT parameters."; + list clat-ipv6-prefixes { + key "ipv6-prefix"; + description + "464XLAT double-translation treatment is stateless + when a dedicated /64 is available for translation + on the CLAT. Otherwise, the CLAT will have both + stateful and stateless translation since it requires + NAT44 from the LAN to a single IPv4 address and then + stateless translation to a single IPv6 address."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and + Stateless Translation"; + leaf ipv6-prefix { + type inet:ipv6-prefix; + description + "An IPv6 prefix used for CLAT."; + } + } + list ipv4-prefixes { + key "ipv4-prefix"; + description + "Pool of IPv4 addresses used for CLAT. + 192.0.0.0/29 is the IPv4 service continuity prefix."; + reference + "RFC 7335: IPv4 Service Continuity Prefix"; + leaf ipv4-prefix { + type inet:ipv4-prefix; + description + "464XLAT double-translation treatment is + stateless when a dedicated /64 is available + for translation on the CLAT. Otherwise, the + CLAT will have both stateful and stateless + translation since it requires NAT44 from the + LAN to a single IPv4 address and then stateless + translation to a single IPv6 address. + The CLAT performs NAT44 for all IPv4 LAN + packets so that all the LAN-originated IPv4 + packets appear from a single IPv4 address + and are then statelessly translated to one + + + +Boucadair, et al. 
Standards Track [Page 41] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + interface IPv6 address that is claimed by + the CLAT. + + An IPv4 address from this pool is also + provided to an application that makes + use of literals."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and + Stateless Translation"; + } + } + } + list nptv6-prefixes { + if-feature "nptv6"; + key "internal-ipv6-prefix"; + description + "Provides one or a list of (internal IPv6 prefix, + external IPv6 prefix) required for NPTv6. + + In its simplest form, NPTv6 interconnects two + network links: one is an 'internal' network + link attached to a leaf network within a single + administrative domain, and the other is an + 'external' network with connectivity to the + global Internet."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + leaf internal-ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "An IPv6 prefix used by an internal interface of + NPTv6."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + leaf external-ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "An IPv6 prefix used by the external interface of + NPTv6."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + } + list eam { + if-feature "eam"; + + + +Boucadair, et al. Standards Track [Page 42] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + key "ipv4-prefix"; + description + "The Explicit Address Mapping Table is a conceptual + table in which each row represents an EAM. 
+ + Each EAM describes a mapping between IPv4 and IPv6 + prefixes/addresses."; + reference + "Section 3.1 of RFC 7757"; + leaf ipv4-prefix { + type inet:ipv4-prefix; + mandatory true; + description + "The IPv4 prefix of an EAM."; + reference + "Section 3.2 of RFC 7757"; + } + leaf ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "The IPv6 prefix of an EAM."; + reference + "Section 3.2 of RFC 7757"; + } + } + list nat64-prefixes { + if-feature "siit or nat64 or clat"; + key "nat64-prefix"; + description + "Provides one or a list of NAT64 prefixes + with or without a list of destination IPv4 prefixes. + It allows mapping IPv4 address ranges to IPv6 prefixes. + For example: + 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. + 198.51.100.0/24 is mapped to 2001:db8:122::/48."; + reference + "Section 5.1 of RFC 7050"; + leaf nat64-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "A NAT64 prefix. Can be a Network-Specific Prefix (NSP) + or a Well-Known Prefix (WKP). + + Organizations deploying stateless IPv4/IPv6 translation + should assign an NSP to their IPv4/IPv6 translation + service. + + + +Boucadair, et al. Standards Track [Page 43] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + For stateless NAT64, IPv4-translatable IPv6 addresses + must use the selected NSP. + + Both IPv4-translatable IPv6 addresses and + IPv4-converted IPv6 addresses should use + the same prefix."; + reference + "Sections 3.3 and 3.4 of RFC 6052"; + } + list destination-ipv4-prefix { + key "ipv4-prefix"; + description + "An IPv4 prefix/address."; + leaf ipv4-prefix { + type inet:ipv4-prefix; + description + "An IPv4 address/prefix."; + } + } + leaf stateless-enable { + type boolean; + default "false"; + description + "Enable explicitly stateless NAT64."; + } + } + list external-ip-address-pool { + if-feature "basic-nat44 or napt44 or nat64"; + key "pool-id"; + description + "Pool of external IP addresses used to service internal + hosts. 
+ + A pool is a set of IP prefixes."; + leaf pool-id { + type uint32; + must '. >= 1'; + description + "An identifier that uniquely identifies the address pool + within a NAT instance. + + The identifier must be greater than zero."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + leaf external-ip-pool { + type inet:ipv4-prefix; + + + +Boucadair, et al. Standards Track [Page 44] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + mandatory true; + description + "An IPv4 prefix used for NAT purposes."; + } + } + container port-set-restrict { + if-feature "napt44 or nat64"; + description + "Configures contiguous and non-contiguous port ranges. + + The port set is used to restrict the external source + port numbers used by the translator."; + uses port-set; + } + leaf dst-nat-enable { + if-feature "basic-nat44 or napt44"; + type boolean; + default "false"; + description + "Enable/disable Destination NAT. + + A NAT44 may be configured to enable Destination + NAT, too."; + } + list dst-ip-address-pool { + if-feature "dst-nat"; + key "pool-id"; + description + "Pool of IP addresses used for Destination NAT."; + leaf pool-id { + type uint32; + description + "An identifier of the address pool."; + } + leaf dst-in-ip-pool { + type inet:ip-prefix; + description + "Is used to identify an internal destination + IP prefix/address to be translated."; + } + leaf dst-out-ip-pool { + type inet:ip-prefix; + mandatory true; + description + "IP address/prefix used for Destination NAT."; + } + } + list transport-protocols { + + + +Boucadair, et al. Standards Track [Page 45] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + if-feature "napt44 or nat64 or dst-nat"; + key "protocol-id"; + description + "Configure the transport protocols to be handled by + the translator. 
+ + TCP and UDP are supported by default."; + leaf protocol-id { + type uint8; + mandatory true; + description + "The upper-layer protocol associated with this + mapping. + + Values are taken from the IANA Protocol Numbers + registry. + + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; + } + leaf protocol-name { + type string; + description + "The name of the upper-layer protocol associated + with this mapping. + + For example, TCP, UDP, DCCP, and SCTP."; + } + } + leaf subscriber-mask-v6 { + type uint8 { + range "0 .. 128"; + } + description + "The subscriber mask is an integer that indicates + the length of significant bits to be applied on + the source IPv6 address (internal side) to + unambiguously identify a user device (e.g., CPE). + + Subscriber mask is a system-wide configuration + parameter that is used to enforce generic + per-subscriber policies (e.g., port-quota). + + The enforcement of these generic policies does not + require the configuration of every subscriber's + prefix. + + Example: suppose the 2001:db8:100:100::/56 prefix + + + +Boucadair, et al. Standards Track [Page 46] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + is assigned to a NAT64-serviced CPE. Suppose also + that 2001:db8:100:100::1 is the IPv6 address used + by the client that resides in that CPE. When the + NAT64 receives a packet from this client, + it applies the subscriber-mask-v6 (e.g., 56) on + the source IPv6 address to compute the associated + prefix for this client (2001:db8:100:100::/56). + Then, the NAT64 enforces policies based on that + prefix (2001:db8:100:100::/56), not on the exact + source IPv6 address."; + } + list subscriber-match { + if-feature "basic-nat44 or napt44 or dst-nat"; + key "match-id"; + description + "IP prefix match. 
+ A subscriber is identified by a subnet."; + leaf match-id { + type uint32; + description + "An identifier of the subscriber match."; + } + leaf subnet { + type inet:ip-prefix; + mandatory true; + description + "The IP address subnets that match + should be translated. For example, all addresses + that belong to the 192.0.2.0/24 prefix must + be processed by the NAT."; + } + } + leaf address-allocation-type { + type enumeration { + enum arbitrary { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Arbitrary pooling behavior means that the NAT + instance may create the new port mapping using any + address in the pool that has a free port for the + protocol concerned."; + } + enum roundrobin { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Round-robin allocation."; + } + enum paired { + + + +Boucadair, et al. Standards Track [Page 47] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + if-feature "napt44 or nat64"; + description + "Paired address pooling informs the NAT + that all the flows from an internal IP + address must be assigned the same external + address. This is the recommended behavior + for NAPT/NAT64."; + reference + "RFC 4787: Network Address Translation (NAT) + Behavioral Requirements for Unicast UDP"; + } + } + description + "Specifies how external IP addresses are allocated."; + } + leaf port-allocation-type { + if-feature "napt44 or nat64"; + type enumeration { + enum random { + description + "Port randomization is enabled. 
A NAT port allocation + scheme should make it hard for attackers to guess + port numbers"; + reference + "REQ-15 of RFC 6888"; + } + enum port-preservation { + description + "Indicates whether the NAT should preserve the + internal port number."; + } + enum port-parity-preservation { + description + "Indicates whether the NAT should preserve the port + parity of the internal port number."; + } + enum port-range-allocation { + description + "Indicates whether the NAT assigns a range of ports + for an internal host. This scheme allows the + minimizing of the log volume."; + reference + "REQ-14 of RFC 6888"; + } + } + description + "Indicates the type of port allocation."; + } + + + +Boucadair, et al. Standards Track [Page 48] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf mapping-type { + if-feature "napt44 or nat64"; + type enumeration { + enum eim { + description + "endpoint-independent-mapping."; + reference + "Section 4 of RFC 4787"; + } + enum adm { + description + "address-dependent-mapping."; + reference + "Section 4 of RFC 4787"; + } + enum edm { + description + "address-and-port-dependent-mapping."; + reference + "Section 4 of RFC 4787"; + } + } + description + "Indicates the type of NAT mapping."; + } + leaf filtering-type { + if-feature "napt44 or nat64"; + type enumeration { + enum eif { + description + "endpoint-independent-filtering."; + reference + "Section 5 of RFC 4787"; + } + enum adf { + description + "address-dependent-filtering."; + reference + "Section 5 of RFC 4787"; + } + enum edf { + description + "address-and-port-dependent-filtering"; + reference + "Section 5 of RFC 4787"; + } + } + description + + + +Boucadair, et al. 
Standards Track [Page 49] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Indicates the type of NAT filtering."; + } + leaf fragment-behavior { + if-feature "napt44 or nat64"; + type enumeration { + enum drop-all { + description + "All received fragments are dropped."; + } + enum in-order { + description + "Translate fragments only if they are received + in order."; + } + enum out-of-order { + description + "Translate a fragment even if it is received out + of order. + + This behavior is recommended."; + reference + "REQ-14 of RFC 4787"; + } + } + description + "The fragment behavior instructs the NAT about the + behavior to follow to translate fragments received + on the external interface of the NAT."; + } + list port-quota { + if-feature "napt44 or nat64"; + key "quota-type"; + description + "Configures a port quota to be assigned per subscriber. + It corresponds to the maximum number of ports to be + used by a subscriber."; + leaf port-limit { + type uint16; + description + "Configures a port quota to be assigned per subscriber. + It corresponds to the maximum number of ports to be + used by a subscriber."; + reference + "REQ-4 of RFC 6888"; + } + leaf quota-type { + type uint8; + description + + + +Boucadair, et al. 
Standards Track [Page 50] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Indicates whether the port quota applies to + all protocols (0) or to a specific protocol."; + } + } + container port-set { + when "../port-allocation-type = 'port-range-allocation'"; + if-feature "napt44 or nat64"; + description + "Manages port-set assignments."; + leaf port-set-size { + type uint16; + mandatory true; + description + "Indicates the size of assigned port sets."; + } + leaf port-set-timeout { + type uint32; + units "seconds"; + description + "inactivity timeout for port sets."; + } + } + container timers { + if-feature "napt44 or nat64"; + description + "Configure values of various timeouts."; + leaf udp-timeout { + type uint32; + units "seconds"; + default "300"; + description + "UDP inactivity timeout. That is the time a mapping + will stay active without packets traversing the NAT."; + reference + "RFC 4787: Network Address Translation (NAT) + Behavioral Requirements for Unicast UDP"; + } + leaf tcp-idle-timeout { + type uint32; + units "seconds"; + default "7440"; + description + "TCP idle timeout should be 2 hours and 4 minutes."; + reference + "RFC 5382: NAT Behavioral Requirements for TCP"; + } + leaf tcp-trans-open-timeout { + type uint32; + + + +Boucadair, et al. Standards Track [Page 51] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + units "seconds"; + default "240"; + description + "The value of the transitory open connection + idle-timeout. + + A NAT should provide different configurable + parameters for configuring the open and + closing idle timeouts. + + To accommodate deployments that consider + a partially open timeout of 4 minutes as being + excessive from a security standpoint, a NAT may + allow the configured timeout to be less than + 4 minutes. 
+ + However, a minimum default transitory connection + idle-timeout of 4 minutes is recommended."; + reference + "Section 2.1 of RFC 7857"; + } + leaf tcp-trans-close-timeout { + type uint32; + units "seconds"; + default "240"; + description + "The value of the transitory close connection + idle-timeout. + + A NAT should provide different configurable + parameters for configuring the open and + closing idle timeouts."; + reference + "Section 2.1 of RFC 7857"; + } + leaf tcp-in-syn-timeout { + type uint32; + units "seconds"; + default "6"; + description + "A NAT must not respond to an unsolicited + inbound SYN packet for at least 6 seconds + after the packet is received. If during + this interval the NAT receives and translates + an outbound SYN for the connection the NAT + must silently drop the original unsolicited + inbound SYN packet."; + reference + + + +Boucadair, et al. Standards Track [Page 52] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "RFC 5382 NAT Behavioral Requirements for TCP"; + } + leaf fragment-min-timeout { + when "../../fragment-behavior='out-of-order'"; + type uint32; + units "seconds"; + default "2"; + description + "As long as the NAT has available resources, + the NAT allows the fragments to arrive + over the fragment-min-timeout interval. + The default value is inspired from RFC 6146."; + } + leaf icmp-timeout { + type uint32; + units "seconds"; + default "60"; + description + "An ICMP Query session timer must not expire + in less than 60 seconds. 
It is recommended + that the ICMP Query session timer be made + configurable"; + reference + "RFC 5508: NAT Behavioral Requirements for ICMP"; + } + list per-port-timeout { + key "port-number"; + description + "Some NATs are configurable with short timeouts + for some ports, e.g., as 10 seconds on + port 53 (DNS) and 123 (NTP), and longer timeouts + on other ports."; + leaf port-number { + type inet:port-number; + description + "A port number."; + } + leaf protocol { + type uint8; + description + "The upper-layer protocol associated with this port. + + Values are taken from the IANA Protocol Numbers + registry. + + If no protocol is indicated, it means 'any + protocol'."; + } + + + +Boucadair, et al. Standards Track [Page 53] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf timeout { + type uint32; + units "seconds"; + mandatory true; + description + "Timeout for this port number"; + } + } + leaf hold-down-timeout { + type uint32; + units "seconds"; + default "120"; + description + "Hold-down timer. + + Ports in the hold-down pool are not reassigned until + hold-down-timeout expires. + + The length of time and the maximum number of ports in + this state must be configurable by the administrator. + + This is necessary in order to prevent collisions + between old and new mappings and sessions. It ensures + that all established sessions are broken instead of + redirected to a different peer."; + reference + "REQ-8 of RFC 6888"; + } + leaf hold-down-max { + type uint32; + description + "Maximum ports in the hold-down port pool."; + reference + "REQ-8 of RFC 6888"; + } + } + leaf fragments-limit { + when "../fragment-behavior='out-of-order'"; + type uint32; + description + "Limits the number of out-of-order fragments that can + be handled."; + reference + "Section 11 of RFC 4787"; + } + list algs { + key "name"; + description + + + +Boucadair, et al. 
Standards Track [Page 54] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Features related to the Application Layer + Gateway (ALG)."; + leaf name { + type string; + description + "The name of the ALG."; + } + leaf transport-protocol { + type uint32; + description + "The transport protocol used by the ALG + (e.g., TCP and UDP)."; + } + container dst-transport-port { + uses port-number; + description + "The destination port number(s) used by the ALG. + For example, + - 21 for the FTP ALG + - 53 for the DNS ALG."; + } + container src-transport-port { + uses port-number; + description + "The source port number(s) used by the ALG."; + } + leaf status { + type boolean; + description + "Enable/disable the ALG."; + } + } + leaf all-algs-enable { + type boolean; + description + "Disable/enable all ALGs. + + When specified, this parameter overrides the one + that may be indicated, eventually, by the 'status' + of an individual ALG."; + } + container notify-pool-usage { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notification of pool usage when certain criteria + are met."; + leaf pool-id { + type uint32; + + + +Boucadair, et al. Standards Track [Page 55] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + description + "Pool-ID for which the notification criteria + is defined"; + } + leaf low-threshold { + type percent; + description + "Notification must be generated when the defined low + threshold is reached. + + For example, if a notification is required when the + pool utilization reaches below 10%, this + configuration parameter must be set to 10. + + 0% indicates that low-threshold notification is + disabled."; + } + leaf high-threshold { + type percent; + must '. >= ../low-threshold' { + error-message + "The high threshold must be greater than or equal + to the low threshold."; + } + description + "Notification must be generated when the defined high + threshold is reached. 
+ + For example, if a notification is required when the + pool utilization reaches 90%, this configuration + parameter must be set to 90. + + Setting the same value as low-threshold is equivalent + to disabling high-threshold notification."; + } + leaf notify-interval { + type uint32 { + range "1 .. 3600"; + } + units "seconds"; + default "20"; + description + "Minimum number of seconds between successive + notifications for this pool."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + + + +Boucadair, et al. Standards Track [Page 56] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + } + container external-realm { + description + "Identifies the external realm of the NAT instance."; + choice realm-type { + description + "Can be an interface, VRF instance, etc."; + case interface { + description + "External interface."; + leaf external-interface { + type if:interface-ref; + description + "Name of the external interface."; + } + } + } + } + } + container mapping-limits { + if-feature "napt44 or nat64"; + description + "Information about the configuration parameters that + limits the mappings based upon various criteria."; + leaf limit-subscribers { + type uint32; + description + "Maximum number of subscribers that can be serviced + by a NAT instance. + + A subscriber is identified by a given prefix."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + leaf limit-address-mappings { + type uint32; + description + "Maximum number of address mappings that can be + handled by a NAT instance. + + When this limit is reached, packets that would + normally trigger translation will be dropped."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + leaf limit-port-mappings { + + + +Boucadair, et al. 
Standards Track [Page 57] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + type uint32; + description + "Maximum number of port mappings that can be handled + by a NAT instance. + + When this limit is reached, packets that would + normally trigger translation will be dropped."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + list limit-per-protocol { + if-feature "napt44 or nat64 or dst-nat"; + key "protocol-id"; + description + "Configure limits per transport protocol"; + leaf protocol-id { + type uint8; + mandatory true; + description + "The upper-layer protocol. + + Values are taken from the IANA Protocol Numbers + registry. + + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; + } + leaf limit { + type uint32; + description + "Maximum number of protocol-specific NAT mappings + per instance."; + } + } + } + container connection-limits { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Information about the configuration parameters that + rate-limit the translation based upon various criteria."; + leaf limit-per-subscriber { + type uint32; + units "bits/second"; + description + "Rate-limit the number of new mappings and sessions + per subscriber."; + } + + + +Boucadair, et al. Standards Track [Page 58] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + leaf limit-per-instance { + type uint32; + units "bits/second"; + description + "Rate-limit the number of new mappings and sessions + per instance."; + } + list limit-per-protocol { + if-feature "napt44 or nat64"; + key "protocol-id"; + description + "Configure limits per transport protocol"; + leaf protocol-id { + type uint8; + mandatory true; + description + "The upper-layer protocol. + + Values are taken from the IANA Protocol Numbers + registry. 
+ + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; + } + leaf limit { + type uint32; + description + "Limit the number of protocol-specific mappings + and sessions per instance."; + } + } + } + container notification-limits { + description + "Sets notification limits."; + leaf notify-interval { + if-feature "basic-nat44 or napt44 or nat64"; + type uint32 { + range "1 .. 3600"; + } + units "seconds"; + default "10"; + description + "Minimum number of seconds between successive + notifications for this NAT instance."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + + + +Boucadair, et al. Standards Track [Page 59] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + } + leaf notify-addresses-usage { + if-feature "basic-nat44 or napt44 or nat64"; + type percent; + description + "Notification of address mappings usage over + the whole NAT instance. + + Notification must be generated when the defined + threshold is reached. + + For example, if a notification is required when + the address mappings utilization reaches 90%, + this configuration parameter must be set + to 90."; + } + leaf notify-ports-usage { + if-feature "napt44 or nat64"; + type percent; + description + "Notification of port mappings usage over the + whole NAT instance. + + Notification must be generated when the defined + threshold is reached. + + For example, if a notification is required when + the port mappings utilization reaches 90%, this + configuration parameter must be set to 90."; + } + leaf notify-subscribers-limit { + if-feature "basic-nat44 or napt44 or nat64"; + type uint32; + description + "Notification of active subscribers per NAT + instance. + + Notification must be generated when the defined + threshold is reached."; + } + } + container mapping-table { + if-feature "basic-nat44 or napt44 or nat64 " + + "or clat or dst-nat"; + description + "NAT mapping table. 
Applicable for functions that maintain + static and/or dynamic mappings, such as NAT44, Destination + NAT, NAT64, or CLAT."; + + + +Boucadair, et al. Standards Track [Page 60] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + list mapping-entry { + key "index"; + description + "NAT mapping entry."; + uses mapping-entry; + } + } + container statistics { + config false; + description + "Statistics related to the NAT instance."; + leaf discontinuity-time { + type yang:date-and-time; + mandatory true; + description + "The time on the most recent occasion at which the NAT + instance suffered a discontinuity. This must be + initialized when the NAT instance is configured + or rebooted."; + } + container traffic-statistics { + description + "Generic traffic statistics."; + leaf sent-packets { + type yang:zero-based-counter64; + description + "Number of packets sent."; + } + leaf sent-bytes { + type yang:zero-based-counter64; + units "bytes"; + description + "Counter for sent traffic in bytes."; + } + leaf rcvd-packets { + type yang:zero-based-counter64; + description + "Number of received packets."; + } + leaf rcvd-bytes { + type yang:zero-based-counter64; + units "bytes"; + description + "Counter for received traffic in bytes."; + } + leaf dropped-packets { + type yang:zero-based-counter64; + description + + + +Boucadair, et al. 
Standards Track [Page 61] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Number of dropped packets."; + } + leaf dropped-bytes { + type yang:zero-based-counter64; + units "bytes"; + description + "Counter for dropped traffic in bytes."; + } + leaf dropped-fragments { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped fragments on the external realm."; + } + leaf dropped-address-limit-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because an address limit + is reached."; + } + leaf dropped-address-limit-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units "bytes"; + description + "Counter of dropped packets because an address limit + is reached, in bytes."; + } + leaf dropped-address-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because no address is + available for allocation."; + } + leaf dropped-address-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units "bytes"; + description + "Counter of dropped packets because no address is + available for allocation, in bytes."; + } + leaf dropped-port-limit-packets { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + + + +Boucadair, et al. 
Standards Track [Page 62] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + "Number of dropped packets because a port limit + is reached."; + } + leaf dropped-port-limit-bytes { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + units "bytes"; + description + "Counter of dropped packets because a port limit + is reached, in bytes."; + } + leaf dropped-port-packets { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because no port is + available for allocation."; + } + leaf dropped-port-bytes { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + units "bytes"; + description + "Counter of dropped packets because no port is + available for allocation, in bytes."; + } + leaf dropped-subscriber-limit-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because the subscriber + limit per instance is reached."; + } + leaf dropped-subscriber-limit-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units "bytes"; + description + "Counter of dropped packets because the subscriber + limit per instance is reached, in bytes."; + } + } + container mappings-statistics { + description + "Mappings statistics."; + leaf total-active-subscribers { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:gauge32; + + + +Boucadair, et al. Standards Track [Page 63] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + description + "Total number of active subscribers (that is, + subscribers for which the NAT maintains active + mappings). + + A subscriber is identified by a subnet, + subscriber-mask, etc."; + } + leaf total-address-mappings { + if-feature "basic-nat44 or napt44 or nat64 " + + "or clat or dst-nat"; + type yang:gauge32; + description + "Total number of address mappings present at a given + time. 
It includes both static and dynamic mappings."; + reference + "Section 3.3.8 of RFC 7659"; + } + leaf total-port-mappings { + if-feature "napt44 or nat64"; + type yang:gauge32; + description + "Total number of NAT port mappings present at + a given time. It includes both static and dynamic + mappings."; + reference + "Section 3.3.9 of RFC 7659"; + } + list total-per-protocol { + if-feature "napt44 or nat64"; + key "protocol-id"; + description + "Total mappings for each enabled/supported protocol."; + leaf protocol-id { + type uint8; + mandatory true; + description + "The upper-layer protocol. + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; + } + leaf total { + type yang:gauge32; + description + "Total number of a protocol-specific mappings present + at a given time. The protocol is identified by + protocol-id."; + } + + + +Boucadair, et al. Standards Track [Page 64] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + } + } + container pools-stats { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Statistics related to address/prefix pools + usage"; + leaf addresses-allocated { + type yang:gauge32; + description + "Number of all allocated addresses."; + } + leaf addresses-free { + type yang:gauge32; + description + "Number of unallocated addresses of all pools at + a given time. 
The sum of unallocated and allocated + addresses is the total number of addresses of + the pools."; + } + container ports-stats { + if-feature "napt44 or nat64"; + description + "Statistics related to port numbers usage."; + leaf ports-allocated { + type yang:gauge32; + description + "Number of allocated ports from all pools."; + } + leaf ports-free { + type yang:gauge32; + description + "Number of unallocated addresses from all pools."; + } + } + list per-pool-stats { + if-feature "basic-nat44 or napt44 or nat64"; + key "pool-id"; + description + "Statistics related to address/prefix pool usage"; + leaf pool-id { + type uint32; + description + "Unique identifier that represents a pool of + addresses/prefixes."; + } + leaf discontinuity-time { + type yang:date-and-time; + + + +Boucadair, et al. Standards Track [Page 65] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + mandatory true; + description + "The time on the most recent occasion at which this + pool counter suffered a discontinuity. This must + be initialized when the address pool is + configured."; + } + container pool-stats { + description + "Statistics related to address/prefix pool usage"; + leaf addresses-allocated { + type yang:gauge32; + description + "Number of allocated addresses from this pool."; + } + leaf addresses-free { + type yang:gauge32; + description + "Number of unallocated addresses in this pool."; + } + } + container port-stats { + if-feature "napt44 or nat64"; + description + "Statistics related to port numbers usage."; + leaf ports-allocated { + type yang:gauge32; + description + "Number of allocated ports from this pool."; + } + leaf ports-free { + type yang:gauge32; + description + "Number of unallocated addresses from this pool."; + } + } + } + } + } + } + } + } + + /* + * Notifications + */ + + notification nat-pool-event { + + + +Boucadair, et al. 
Standards Track [Page 66] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notifications must be generated when the defined high/low + threshold is reached. Related configuration parameters + must be provided to trigger the notifications."; + leaf id { + type leafref { + path "/nat/instances/instance/id"; + } + mandatory true; + description + "NAT instance identifier."; + } + leaf policy-id { + type leafref { + path "/nat/instances/instance/policy/id"; + } + description + "Policy identifier."; + } + leaf pool-id { + type leafref { + path "/nat/instances/instance/policy" + + "/external-ip-address-pool/pool-id"; + } + mandatory true; + description + "Pool Identifier."; + } + leaf notify-pool-threshold { + type percent; + mandatory true; + description + "A threshold (high threshold or low threshold) has + been fired."; + } + } + + notification nat-instance-event { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notifications must be generated when notify-addresses-usage + and/or notify-ports-usage thresholds are reached."; + leaf id { + type leafref { + path "/nat/instances/instance/id"; + } + mandatory true; + + + +Boucadair, et al. Standards Track [Page 67] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + description + "NAT instance identifier."; + } + leaf notify-subscribers-threshold { + type uint32; + description + "The notify-subscribers-limit threshold has been fired."; + } + leaf notify-addresses-threshold { + type percent; + description + "The notify-addresses-usage threshold has been fired."; + } + leaf notify-ports-threshold { + type percent; + description + "The notify-ports-usage threshold has been fired."; + } + } + } + + + +4. Security Considerations + + Security considerations related to address and prefix translation are + discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and + [RFC7757]. 
+ + The YANG module specified in this document defines a schema for data + that is designed to be accessed via network management protocols such + as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer + is the secure transport layer, and the mandatory-to-implement secure + transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer + is HTTPS, and the mandatory-to-implement secure transport is TLS + [RFC8446]. + + The Network Configuration Access Control Model (NACM) [RFC8341] + provides the means to restrict access for particular NETCONF or + RESTCONF users to a preconfigured subset of all available NETCONF or + RESTCONF protocol operations and content. + + All data nodes defined in the YANG module that can be created, + modified, and deleted (i.e., config true, which is the default) are + considered sensitive. Write operations (e.g., edit-config) applied + to these data nodes without proper protection can negatively affect + network operations. The NAT YANG module provides a method to set + parameters to prevent a user from aggressively using NAT resources + + + +Boucadair, et al. Standards Track [Page 68] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + (port-quota), rate-limit connections as a guard against DoS, or to + enable notifications so that appropriate measures are enforced to + anticipate traffic drops. 
Nevertheless, an attacker who is able to + access the NAT can undertake various attacks, such as: + + o Set a high or low resource limit to cause a DoS attack: + + * /nat/instances/instance/policy/port-quota + + * /nat/instances/instance/policy/fragments-limit + + * /nat/instances/instance/mapping-limits + + * /nat/instances/instance/connection-limits + + o Set a low notification threshold to cause useless notifications to + be generated: + + * /nat/instances/instance/policy/notify-pool-usage/high-threshold + + * /nat/instances/instance/notification-limits/notify-addresses- + usage + + * /nat/instances/instance/notification-limits/notify-ports-usage + + * /nat/instances/instance/notification-limits/notify-subscribers- + limit + + o Set an arbitrarily high threshold, which may lead to the + deactivation of notifications: + + * /nat/instances/instance/policy/notify-pool-usage/high-threshold + + * /nat/instances/instance/notification-limits/notify-addresses- + usage + + * /nat/instances/instance/notification-limits/notify-ports-usage + + * /nat/instances/instance/notification-limits/notify-subscribers- + limit + + o Set a low notification interval and a low notification threshold + to induce useless notifications to be generated: + + * /nat/instances/instance/policy/notify-pool-usage/notify- + interval + + + + + +Boucadair, et al. Standards Track [Page 69] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + * /nat/instances/instance/notification-limits/notify-interval + + o Access to privacy data maintained in the mapping table. Such data + can be misused to track the activity of a host: + + * /nat/instances/instance/mapping-table + +5. IANA Considerations + + IANA has registered the following URI in the "ns" subregistry within + the "IETF XML Registry" [RFC3688]: + + URI: urn:ietf:params:xml:ns:yang:ietf-nat + Registrant Contact: The IESG. + XML: N/A; the requested URI is an XML namespace. 
+ + IANA has registered the following YANG module in the "YANG Module + Names" subregistry [RFC7950] within the "YANG Parameters" registry. + + name: ietf-nat + namespace: urn:ietf:params:xml:ns:yang:ietf-nat + prefix: nat + reference: RFC 8512 + +6. References + +6.1. Normative References + + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, + DOI 10.17487/RFC3688, January 2004, + . + + [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address + Translation (NAT) Behavioral Requirements for Unicast + UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January + 2007, . + + [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and + P. Srisuresh, "NAT Behavioral Requirements for TCP", + BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008, + . + + [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT + Behavioral Requirements for ICMP", BCP 148, RFC 5508, + DOI 10.17487/RFC5508, April 2009, + . + + + + + +Boucadair, et al. Standards Track [Page 70] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and + X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", + RFC 6052, DOI 10.17487/RFC6052, October 2010, + . + + [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful + NAT64: Network Address and Protocol Translation from IPv6 + Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, + April 2011, . + + [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., + and A. Bierman, Ed., "Network Configuration Protocol + (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, + . + + [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure + Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, + . + + [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix + Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, + . + + [RFC6619] Arkko, J., Eggert, L., and M. 
Townsley, "Scalable + Operation of Address Translators with Per-Interface + Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, + . + + [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: + Combination of Stateful and Stateless Translation", + RFC 6877, DOI 10.17487/RFC6877, April 2013, + . + + [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, + A., and H. Ashida, "Common Requirements for Carrier-Grade + NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, + April 2013, . + + [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", + RFC 6991, DOI 10.17487/RFC6991, July 2013, + . + + [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and + I. Farrer, "Lightweight 4over6: An Extension to the Dual- + Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, + July 2015, . + + + + + +Boucadair, et al. Standards Track [Page 71] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., + Murakami, T., and T. Taylor, Ed., "Mapping of Address and + Port with Encapsulation (MAP-E)", RFC 7597, + DOI 10.17487/RFC7597, July 2015, + . + + [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address + Mappings for Stateless IP/ICMP Translation", RFC 7757, + DOI 10.17487/RFC7757, February 2016, + . + + [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, + S., and K. Naito, "Updates to Network Address Translation + (NAT) Behavioral Requirements", BCP 127, RFC 7857, + DOI 10.17487/RFC7857, April 2016, + . + + [RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont, + "IP/ICMP Translation Algorithm", RFC 7915, + DOI 10.17487/RFC7915, June 2016, + . + + [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", + RFC 7950, DOI 10.17487/RFC7950, August 2016, + . + + [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF + Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, + . + + [RFC8341] Bierman, A. and M. 
Bjorklund, "Network Configuration + Access Control Model", STD 91, RFC 8341, + DOI 10.17487/RFC8341, March 2018, + . + + [RFC8343] Bjorklund, M., "A YANG Data Model for Interface + Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, + . + + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + . + + + + + + + + + +Boucadair, et al. Standards Track [Page 72] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +6.2. Informative References + + [NAT-SUPP] + Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control + Transmission Protocol (SCTP) Network Address Translation + Support", Work in Progress, draft-ietf-tsvwg-natsupp-12, + July 2018. + + [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address + Translator (NAT) Terminology and Considerations", + RFC 2663, DOI 10.17487/RFC2663, August 1999, + . + + [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network + Address Translator (Traditional NAT)", RFC 3022, + DOI 10.17487/RFC3022, January 2001, + . + + [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) + Behavioral Requirements for the Datagram Congestion + Control Protocol", BCP 150, RFC 5597, + DOI 10.17487/RFC5597, September 2009, + . + + [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and + P. Roberts, "Issues with IP Address Sharing", RFC 6269, + DOI 10.17487/RFC6269, June 2011, + . + + [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, + "Diameter Network Address and Port Translation Control + Application", RFC 6736, DOI 10.17487/RFC6736, October + 2012, . + + [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and + P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, + DOI 10.17487/RFC6887, April 2013, + . + + [RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and + M. Boucadair, "Deployment Considerations for Dual-Stack + Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013, + . 
+ + [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of + the IPv6 Prefix Used for IPv6 Address Synthesis", + RFC 7050, DOI 10.17487/RFC7050, November 2013, + . + + + +Boucadair, et al. Standards Track [Page 73] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT + (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, + DOI 10.17487/RFC7289, June 2014, + . + + [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, + DOI 10.17487/RFC7335, August 2014, + . + + [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, + "Definitions of Managed Objects for Network Address + Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, + October 2015, . + + [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., + and S. Perreault, "Port Control Protocol (PCP) Extension + for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, + February 2016, . + + [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, + "RADIUS Extensions for IP Port Configuration and + Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, + . + + [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", + BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, + . + + [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of + Documents Containing YANG Data Models", BCP 216, RFC 8407, + DOI 10.17487/RFC8407, October 2018, + . + + [RFC8513] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG + Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513, + DOI 10.17487/RFC8513, January 2019, + . + + [YANG-PCP] Boucadair, M., Jacquenet, C., Sivakumar, S., and + S. Vinapamula, "YANG Modules for the Port Control Protocol + (PCP)", Work in Progress, draft-boucadair-pcp-yang-05, + October 2017. + + + + + + + + + +Boucadair, et al. Standards Track [Page 74] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +Appendix A. 
Some Examples + + This section provides a non-exhaustive set of examples to illustrate + the use of the NAT YANG module. + +A.1. Traditional NAT44 + + Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the + same IPv4 address among hosts that are owned by the same subscriber. + This is typically the NAT that is embedded in CPE devices. + + This NAT is usually provided with one single external IPv4 address; + disambiguating connections is achieved by rewriting the source port + number. The XML snippet to configure the external IPv4 address in + such case together with a mapping entry is depicted below: + + + + 1 + NAT_Subscriber_A + .... + + 1 + + 198.51.100.1/32 + + + .... + + .... + + 198.51.100.1/32 + + .... + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 75] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + The following shows the XML excerpt depicting a dynamic UDP mapping + entry maintained by a traditional NAPT44. In reference to this + example, the UDP packet received with a source IPv4 address + (192.0.2.1) and source port number (1568) is translated into a UDP + packet having a source IPv4 address (198.51.100.1) and source port + (15000). The remaining lifetime of this mapping is 300 seconds. + + + 15 + + dynamic-explicit + + + 17 + + + 192.0.2.1/32 + + + + 1568 + + + + 198.51.100.1/32 + + + + 15000 + + + + 300 + + + +A.2. Carrier Grade NAT (CGN) + + The following XML snippet shows the example of the capabilities + supported by a CGN as retrieved using NETCONF. + + + napt44 + + 1 + + + 6 + + + +Boucadair, et al. Standards Track [Page 76] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + + + 17 + + + false + + + true + + + true + + + true + + + true + + + false + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + + + + +Boucadair, et al. 
Standards Track [Page 77] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + The following XML snippet shows the example of a CGN that is + provisioned with one contiguous pool of external IPv4 addresses + (198.51.100.0/24). Further, the CGN is instructed to limit the + number of allocated ports per subscriber to 1024. Ports can be + allocated by the CGN by assigning ranges of 256 ports (that is, a + subscriber can be allocated up to four port ranges of 256 ports + each). + + + + 1 + myCGN + .... + + 1 + + 198.51.100.0/24 + + + + + 1024 + + + all + + + + port-range-allocation + + + + 256 + + + .... + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 78] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + An administrator may decide to allocate one single port range per + subscriber (e.g., a port range of 1024 ports) as shown below: + + + + 1 + myCGN + .... + + 1 + + 198.51.100.0/24 + + + + + 1024 + + + all + + + + port-range-allocation + + + + 1024 + + + .... + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 79] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +A.3. CGN Pass-Through + + Figure 1 illustrates an example of the CGN pass-through feature. + + X1:x1 X1':x1' X2:x2 + +---+from X1:x1 +---+from X1:x1 +---+ + | C | to X2:x2 | | to X2:x2 | S | + | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | + | i | | G | | r | + | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | + | n |from X2:x2 | |from X2:x2 | e | + | t | to X1:x1 | | to X1:x1 | r | + +---+ +---+ +---+ + + Figure 1: CGN Pass-Through + + For example, in order to disable NAT for communications issued by the + client (192.0.2.1), the following configuration parameter must be + set: + + + ... + 192.0.2.1/32 + ... + + +A.4. NAT64 + + Let's consider the example of a NAT64 that should use + 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 
+ The XML snippet to configure the NAT64 prefix in such case is + depicted below: + + + + 2001:db8:122:300::/56 + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 80] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + Let's now consider the example of a NAT64 that should use + 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if + the destination address matches 198.51.100.0/24. The XML snippet to + configure the NAT64 prefix in such case is shown below: + + + + 2001:db8:122::/48 + + + + 198.51.100.0/24 + + + + +A.5. Stateless IP/ICMP Translation (SIIT) + + Let's consider the example of a stateless translator that is + configured with 2001:db8:100::/40 to perform IPv6 address synthesis + [RFC6052]. Similar to the NAT64 case, the XML snippet to configure + the NAT64 prefix in such case is depicted below: + + + + 2001:db8:100::/40 + + + + When the translator receives an IPv6 packet, for example, with a + source address (2001:db8:1c0:2:21::) and destination address + (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses + following rules per RFC 6052 with 2001:db8:100::/40 as the NSP: + + o 192.0.2.33 is extracted from 2001:db8:1c0:2:21:: + + o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2:: + + The translator transforms the IPv6 header into an IPv4 header using + the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will + include 192.0.2.33 as the source address and 198.51.100.2 as the + destination address. + + Also, a NAT64 can be instructed to behave in the stateless mode by + providing the following configuration. The same NAT64 prefix is used + for constructing both IPv4-translatable IPv6 addresses and + IPv4-converted IPv6 addresses (see Section 3.3 of [RFC6052]). + + + + +Boucadair, et al. Standards Track [Page 81] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + + + 2001:db8:122:300::/56 + + + true + + + +A.6. 
Explicit Address Mappings (EAM) for Stateless IP/ICMP Translation + (SIIT) + + As specified in [RFC7757], an EAM consists of an IPv4 prefix and an + IPv6 prefix. Let's consider the set of EAM examples in Table 8. + + +----------------+----------------------+ + | IPv4 Prefix | IPv6 Prefix | + +----------------+----------------------+ + | 192.0.2.1 | 2001:db8:aaaa:: | + | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | + | 192.0.2.16/28 | 2001:db8:cccc::/124 | + | 192.0.2.128/26 | 2001:db8:dddd::/64 | + | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | + | 192.0.2.224/31 | 64:ff9b::/127 | + +----------------+----------------------+ + + Table 8: EAM Examples (RFC 7757) + + The following XML excerpt illustrates how these EAMs can be + configured using the NAT YANG module: + + + + 192.0.2.1/32 + + + 2001:db8:aaaa::/128 + + + + + 192.0.2.2/32 + + + 2001:db8:bbbb::b/128 + + + + + + +Boucadair, et al. Standards Track [Page 82] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + + + 192.0.2.16/28 + + + 2001:db8:cccc::/124 + + + + + 192.0.2.128/26 + + + 2001:db8:dddd::/64 + + + + + 192.0.2.192/29 + + + 2001:db8:eeee:8::/62 + + + + + 192.0.2.224/31 + + + 64:ff9b::/127 + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 83] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + EAMs may be enabled jointly with stateful NAT64. This example shows + a NAT64 function that supports static mappings: + + + + nat64 + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 84] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +A.7. Static Mappings with Port Ranges + + The following example shows a static mapping that instructs a NAT to + translate packets issued from 192.0.2.1 and with source ports in the + 100-500 range to 198.51.100.1:1100-1500. 
+ + + 1 + + static + + + 6 + + + 192.0.2.1/32 + + + + 100 + + + 500 + + + + 198.51.100.1/32 + + + + 1100 + + + 1500 + + + ... + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 85] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +A.8. Static Mappings with IP Prefixes + + The following example shows a static mapping that instructs a NAT to + translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24. + + + 1 + + static + + + 6 + + + 192.0.2.0/24 + + + 198.51.100.0/24 + + ... + + +A.9. Destination NAT + + The following XML snippet shows an example of a Destination NAT that + is instructed to translate all packets having 192.0.2.1 as a + destination IP address to 198.51.100.1. + + + 1 + + 192.0.2.1/32 + + + 198.51.100.1/32 + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 86] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + In order to instruct a NAT to translate TCP packets destined to + '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet + shows the static mapping configured on the NAT: + + + 1568 + + static + + + 6 + + + 192.0.2.1/32 + + + + 80 + + + + 198.51.100.1/32 + + + + 8080 + + + + + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 87] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + In order to instruct a NAT to translate TCP packets destined to + '192.0.2.1:80' (HTTP traffic) to 198.51.100.1 and '192.0.2.1:22' (SSH + traffic) to 198.51.100.2, the following XML snippet shows the static + mappings configured on the NAT: + + + 123 + + static + + + 6 + + + 192.0.2.1/32 + + + + 80 + + + + 198.51.100.1/32 + + ... + + + 1236 + + static + + + 6 + + + 192.0.2.1/32 + + + + 22 + + + + 198.51.100.2/32 + + ... + + + + + +Boucadair, et al. Standards Track [Page 88] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + The NAT may also be instructed to proceed with both source and + Destination NAT. 
To do so, in addition to the above example to + configure Destination NAT, the NAT may be provided, for example with + a pool of external IP addresses (198.51.100.0/24) to use for source + address translation. An example of the corresponding XML snippet is + provided hereafter: + + + 1 + + 198.51.100.0/24 + + + + Instead of providing an external IP address to share, the NAT may be + configured with static mapping entries that modify the internal IP + address and/or port number. + +A.10. Customer-Side Translator (CLAT) + + The following XML snippet shows the example of a CLAT that is + configured with 2001:db8:1234::/96 as a PLAT-side IPv6 prefix and + 2001:db8:aaaa::/96 as a CLAT-side IPv6 prefix. The CLAT is also + provided with 192.0.0.1/32 (which is selected from the IPv4 service + continuity prefix defined in [RFC7335]). + + + + 2001:db8:aaaa::/96 + + + + + 192.0.0.1/32 + + + + + 2001:db8:1234::/96 + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 89] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +A.11. IPv6 Network Prefix Translation (NPTv6) + + Let's consider the example of an NPTv6 translator that should rewrite + packets with the source prefix (fd03:c03a:ecab::/48) with the + external prefix (2001:db8:1::/48). The internal interface is "eth0" + while the external interface is "eth1" (Figure 2). + + External Network: Prefix = 2001:db8:1::/48 + -------------------------------------- + | + |eth1 + +-------------+ + eth4| NPTv6 |eth2 + ...-----| |------... + +-------------+ + |eth0 + | + -------------------------------------- + Internal Network: Prefix = fd03:c03a:ecab::/48 + + Figure 2: Example of NPTv6 + + The XML snippet to configure NPTv6 prefixes in such case is depicted + below: + + + + fd03:c03a:ecab::/48 + + + 2001:db8:1::/48 + + + ... + + + eth1 + + + + + + + + + + + + + + +Boucadair, et al. 
Standards Track [Page 90] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + Figure 3 shows an example of an NPTv6 translator that interconnects + two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48); + each is translated using a dedicated prefix (2001:db8:1::/48 and + 2001:db8:6666::/48, respectively). + + Internal Prefix = fda8:d5cb:14f3::/48 + -------------------------------------- + V | External Prefix + V |eth1 2001:db8:1::/48 + V +---------+ ^ + V | NPTv6 | ^ + V | | ^ + V +---------+ ^ + External Prefix |eth0 ^ + 2001:db8:6666::/48 | ^ + -------------------------------------- + Internal Prefix = fd03:c03a:ecab::/48 + + Figure 3: Connecting Two Peer Networks + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 91] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + + To that aim, the following configuration is provided to the NPTv6 + translator: + + + 1 + + + fd03:c03a:ecab::/48 + + + 2001:db8:1::/48 + + + + + eth1 + + + + + 2 + + + fda8:d5cb:14f3::/48 + + + 2001:db8:6666::/48 + + + + + eth0 + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 92] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +Acknowledgements + + Many thanks to Dan Wing, Tianran Zhou, Tom Petch, Warren Kumari, and + Benjamin Kaduk for their review. + + Thanks to Juergen Schoenwaelder for the comments on the YANG + structure and the suggestion to use NMDA. Mahesh Jethanandani + provided useful comments. + + Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred + Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review, + and Kristian Poscic for the CGN review. + + Special thanks to Maros Marsalek and Marek Gradzki for sharing their + comments based on the FD.io implementation of this module + (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang). + + Rajiv Asati suggested clarifying how the module applies for both + stateless and stateful NAT64. 
+ + Juergen Schoenwaelder provided an early YANG Doctors review. Many + thanks to him. + + Thanks to Roni Even, Mach(Guoyi) Chen, Tim Chown, and Stephen Farrell + for the directorates review. Igor Ryzhov identified a nit in one + example. + + Mirja Kuehlewind made a comment about the reuse of some TCP timers + for any connection-oriented protocol. + + + + + + + + + + + + + + + + + + + + + + +Boucadair, et al. Standards Track [Page 93] + +RFC 8512 YANG Module for NAT and NPT January 2019 + + +Authors' Addresses + + Mohamed Boucadair (editor) + Orange + Rennes 35000 + France + + Email: mohamed.boucadair@orange.com + + + Senthil Sivakumar + Cisco Systems + 7100-8 Kit Creek Road + Research Triangle Park, North Carolina 27709 + United States of America + + Phone: +1 919 392 5158 + Email: ssenthil@cisco.com + + + Christian Jacquenet + Orange + Rennes 35000 + France + + Email: christian.jacquenet@orange.com + + + Suresh Vinapamula + Juniper Networks + 1133 Innovation Way + Sunnyvale 94089 + United States of America + + Email: sureshk@juniper.net + + + Qin Wu + Huawei + 101 Software Avenue, Yuhua District + Nanjing, Jiangsu 210012 + China + + Email: bill.wu@huawei.com + + + + + + + +Boucadair, et al. Standards Track [Page 94] + -- cgit v1.2.3
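Review bot: in the YANG module text, both `ports-free` leaves (under `pools-stats/ports-stats` and under `per-pool-stats/port-stats`) are described as "Number of unallocated addresses from all pools." / "Number of unallocated addresses from this pool." while their sibling `ports-allocated` leaves count ports, so the description is a copy-paste slip and the gauge actually counts unallocated ports. Because doc/rfc/rfc8512.txt is a verbatim copy of the published RFC, do not correct the wording in-tree; if the module is ever extracted from this file for tooling, carry the note that the counter is ports, not addresses, so an operator comparing `ports-free` against `addresses-free` when deciding whether a notify-ports-usage threshold was tripped is not misled.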