Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8512

A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)

Pages: 94
Proposed Standard
Part 3 of 8 – Pages 24 to 36
First   Prev   Next

Top   ToC   RFC8512 - Page 24   prevText

3. NAT YANG Module

<CODE BEGINS> file "ietf-nat@2019-01-10.yang" module ietf-nat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; prefix nat; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } import ietf-interfaces { prefix if; reference "RFC 8343: A YANG Data Model for Interface Management"; } organization "IETF OPSAWG (Operations and Management Area Working Group)"; contact "WG Web: <https://datatracker.ietf.org/wg/opsawg/> WG List: <mailto:opsawg@ietf.org> Editor: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Author: Senthil Sivakumar <mailto:ssenthil@cisco.com> Author: Christian Jacquenet <mailto:christian.jacquenet@orange.com> Author: Suresh Vinapamula <mailto:sureshk@juniper.net> Author: Qin Wu <mailto:bill.wu@huawei.com>"; description "This module is a YANG module for NAT implementations.
Top   ToC   RFC8512 - Page 25
     NAT44, Network Address and Protocol Translation from IPv6
     Clients to IPv4 Servers (NAT64), customer-side translator
     (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit
     Address Mappings (EAM) for SIIT, IPv6 Network Prefix
     Translation (NPTv6), and Destination NAT are covered.

     Copyright (c) 2018 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 8512; see
     the RFC itself for full legal notices.";

  revision 2019-01-10 {
    description
      "Initial revision.";
    reference
      "RFC 8512: A YANG Module for Network Address Translation
                 (NAT) and Network Prefix Translation (NPT)";
  }

  /*
   * Definitions
   */

  typedef percent {
    type uint8 {
      range "0 .. 100";
    }
    description
      "Percentage";
  }

  /*
   * Features
   */

  feature basic-nat44 {
    description
      "Basic NAT44 translation is limited to IP addresses alone.";
    reference
      "RFC 3022: Traditional IP Network Address Translator
Top   ToC   RFC8512 - Page 26
                 (Traditional NAT)";
  }

  feature napt44 {
    description
      "Network Address Port Translator (NAPT): translation is
       extended to include IP addresses and transport identifiers
       (such as a TCP/UDP port or ICMP query ID).

       If the internal IP address is not sufficient to uniquely
       disambiguate NAPT44 mappings, an additional attribute is
       required.  For example, that additional attribute may
       be an IPv6 address (a.k.a., DS-Lite) or
       a Layer 2 identifier (a.k.a., Per-Interface NAT)";
    reference
      "RFC 3022: Traditional IP Network Address Translator
                 (Traditional NAT)";
  }

  feature dst-nat {
    description
      "Destination NAT is a translation that acts on the destination
       IP address and/or destination port number.  This flavor is
       usually deployed in load balancers or at devices
       in front of public servers.";
  }

  feature nat64 {
    description
      "NAT64 translation allows IPv6-only clients to contact IPv4
       servers using, e.g., UDP, TCP, or ICMP.  One or more
       public IPv4 addresses assigned to a NAT64 translator are
       shared among several IPv6-only clients.";
    reference
      "RFC 6146: Stateful NAT64: Network Address and Protocol
                 Translation from IPv6 Clients to IPv4 Servers";
  }

  feature siit {
    description
      "The Stateless IP/ICMP Translation Algorithm (SIIT), which
       translates between IPv4 and IPv6 packet headers (including
       ICMP headers).

       In the stateless mode, an IP/ICMP translator converts IPv4
       addresses to IPv6, and vice versa, solely based on the
       configuration of the stateless IP/ICMP translator and
       information contained within the packet being translated.
Top   ToC   RFC8512 - Page 27
       The translator must support the stateless address mapping
       algorithm defined in RFC 6052, which is the default behavior.";
    reference
      "RFC 7915: IP/ICMP Translation Algorithm";
  }

  feature clat {
    description
      "CLAT is customer-side translator that algorithmically
       translates 1:1 private IPv4 addresses to global IPv6
       addresses, and vice versa.

       When a dedicated /64 prefix is not available for translation
       from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
       packets so that all the LAN-originated IPv4 packets appear
       from a single IPv4 address and are then statelessly translated
       to one interface IPv6 address that is claimed by the CLAT via
       the Neighbor Discovery Protocol (NDP) and defended with
       Duplicate Address Detection.";
    reference
      "RFC 6877: 464XLAT: Combination of Stateful and
                 Stateless Translation";
  }

  feature eam {
    description
      "Explicit Address Mapping (EAM) is a bidirectional coupling
       between an IPv4 prefix and an IPv6 prefix.";
    reference
      "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                 Translation";
  }

  feature nptv6 {
    description
      "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
       prefix translation.";
    reference
      "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
  }

  /*
   * Identities
   */

  identity nat-type {
    description
      "Base identity for nat type.";
Top   ToC   RFC8512 - Page 28
  }

  identity basic-nat44 {
    base nat:nat-type;
    description
      "Identity for Basic NAT support.";
    reference
      "RFC 3022: Traditional IP Network Address Translator
                 (Traditional NAT)";
  }

  identity napt44 {
    base nat:nat-type;
    description
      "Identity for NAPT support.";
    reference
      "RFC 3022: Traditional IP Network Address Translator
                 (Traditional NAT)";
  }

  identity dst-nat {
    base nat:nat-type;
    description
      "Identity for Destination NAT support.";
  }

  identity nat64 {
    base nat:nat-type;
    description
      "Identity for NAT64 support.";
    reference
      "RFC 6146: Stateful NAT64: Network Address and Protocol
                 Translation from IPv6 Clients to IPv4 Servers";
  }

  identity siit {
    base nat:nat-type;
    description
      "Identity for SIIT support.";
    reference
      "RFC 7915: IP/ICMP Translation Algorithm";
  }

  identity clat {
    base nat:nat-type;
    description
      "Identity for CLAT support.";
    reference
Top   ToC   RFC8512 - Page 29
      "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                 Translation";
  }

  identity eam {
    base nat:nat-type;
    description
      "Identity for EAM support.";
    reference
      "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                 Translation";
  }

  identity nptv6 {
    base nat:nat-type;
    description
      "Identity for NPTv6 support.";
    reference
      "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
  }

  /*
   * Grouping
   */

  grouping port-number {
    description
      "An individual port number or a range of ports.
       When only start-port-number is present,
       it represents a single port number.";
    leaf start-port-number {
      type inet:port-number;
      description
        "Beginning of the port range.";
      reference
        "Section 3.2.9 of RFC 8045";
    }
    leaf end-port-number {
      type inet:port-number;
      must '. >= ../start-port-number' {
        error-message
          "The end-port-number must be greater than or
           equal to start-port-number.";
      }
      description
        "End of the port range.";
      reference
        "Section 3.2.10 of RFC 8045";
Top   ToC   RFC8512 - Page 30
    }
  }

  grouping port-set {
    description
      "Indicates a set of port numbers.

       It may be a simple port range, or use the Port Set
       Identifier (PSID) algorithm to represent a range of
       transport-layer port numbers that will be used by a
       NAPT.";
    choice port-type {
      default "port-range";
      description
        "Port type: port-range or port-set-algo.";
      case port-range {
        uses port-number;
      }
      case port-set-algo {
        leaf psid-offset {
          type uint8 {
            range "0..15";
          }
          description
            "The number of offset bits (a.k.a., 'a' bits).
             Specifies the numeric value for the excluded port
             range/offset bits.

             Allowed values are between 0 and 15.";
          reference
            "Section 5.1 of RFC 7597";
        }
        leaf psid-len {
          type uint8 {
            range "0..15";
          }
          mandatory true;
          description
            "The length of PSID, representing the sharing
             ratio for an IPv4 address.

             (also known as 'k').

             The address-sharing ratio would be 2^k.";
          reference
            "Section 5.1 of RFC 7597";
        }
        leaf psid {
Top   ToC   RFC8512 - Page 31
          type uint16;
          mandatory true;
          description
            "PSID value, which identifies a set
             of ports algorithmically.";
          reference
            "Section 5.1 of RFC 7597";
        }
      }
      reference
        "RFC 7597: Mapping of Address and Port with
                   Encapsulation (MAP-E)";
    }
  }

  grouping mapping-entry {
    description
      "NAT mapping entry.

       If an attribute is not stored in the mapping/session table,
       it means the corresponding field of a packet that
       matches this entry is not rewritten by the NAT or this
       information is not required for NAT filtering purposes.";
    leaf index {
      type uint32;
      description
        "A unique identifier of a mapping entry.  This identifier
         can be automatically assigned by the NAT instance or be
         explicitly configured.";
    }
    leaf type {
      type enumeration {
        enum static {
          description
            "The mapping entry is explicitly configured
             (e.g., via a command-line interface).";
        }
        enum dynamic-implicit {
          description
            "This mapping is created implicitly as a side effect
             of processing a packet that requires a new mapping.";
        }
        enum dynamic-explicit {
          description
            "This mapping is created as a result of an explicit
             request, e.g., a PCP message.";
        }
      }
Top   ToC   RFC8512 - Page 32
      description
        "Indicates the type of a mapping entry.  For example,
         a mapping can be: static, implicit dynamic,
         or explicit dynamic.";
    }
    leaf transport-protocol {
      type uint8;
      description
        "The upper-layer protocol associated with this mapping.
         Values are taken from the IANA Protocol Numbers registry:
         <https://www.iana.org/assignments/protocol-numbers/>.

         For example, this field contains 6 for TCP,
         17 for UDP, 33 for DCCP, or 132 for SCTP.

         If this leaf is not instantiated, then the mapping
         applies to any protocol.";
    }
    leaf internal-src-address {
      type inet:ip-prefix;
      description
        "Corresponds to the source IPv4/IPv6 address/prefix
         of the packet received on an internal interface.";
    }
    container internal-src-port {
      description
        "Corresponds to the source port of the packet received
         on an internal interface.

         It is also used to indicate the internal source ICMP
         identifier.

         As a reminder, all the ICMP Query messages contain
         an 'Identifier' field, which is referred to in this
         document as the 'ICMP Identifier'.";
      uses port-number;
    }
    leaf external-src-address {
      type inet:ip-prefix;
      description
        "Source IP address/prefix of the packet sent on an
         external interface of the NAT.";
    }
    container external-src-port {
      description
        "Source port of the packet sent on an external
         interface of the NAT.
Top   ToC   RFC8512 - Page 33
         It is also used to indicate the external source ICMP
         identifier.";
      uses port-number;
    }
    leaf internal-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet received on an internal interface
         of the NAT.

         For example, some NAT implementations support
         the translation of both source and destination
         addresses and port numbers, sometimes referred to
         as 'Twice NAT'.";
    }
    container internal-dst-port {
      description
        "Corresponds to the destination port of the
         IP packet received on the internal interface.

         It is also used to include the internal
         destination ICMP identifier.";
      uses port-number;
    }
    leaf external-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet sent on an external interface
         of the NAT.";
    }
    container external-dst-port {
      description
        "Corresponds to the destination port number of
         the packet sent on the external interface
         of the NAT.

         It is also used to include the external
         destination ICMP identifier.";
      uses port-number;
    }
    leaf lifetime {
      type uint32;
      units "seconds";
      description
        "When specified, it is used to track the connection that is
         fully formed (e.g., once the three-way handshake
Top   ToC   RFC8512 - Page 34
         TCP is completed) or the duration for maintaining
         an explicit mapping alive.  The mapping entry will be
         removed by the NAT instance once this lifetime is expired.

         When reported in a get operation, the lifetime indicates
         the remaining validity lifetime.

         Static mappings may not be associated with a
         lifetime.  If no lifetime is associated with a
         static mapping, an explicit action is required to
         remove that mapping.";
    }
  }

  /*
   * NAT Module
   */

  container nat {
    description
      "NAT module";
    container instances {
      description
        "NAT instances";
      list instance {
        key "id";
        description
          "A NAT instance.  This identifier can be automatically
           assigned or explicitly configured.";
        leaf id {
          type uint32;
          must '. >= 1';
          description
            "NAT instance identifier.

             The identifier must be greater than zero.";
          reference
            "RFC 7659: Definitions of Managed Objects for Network
                       Address Translators (NATs)";
        }
        leaf name {
          type string;
          description
            "A name associated with the NAT instance.";
          reference
            "RFC 7659: Definitions of Managed Objects for Network
                       Address Translators (NATs)";
        }
Top   ToC   RFC8512 - Page 35
        leaf enable {
          type boolean;
          description
            "Status of the NAT instance.";
        }
        container capabilities {
          config false;
          description
            "NAT capabilities.";
          leaf-list nat-flavor {
            type identityref {
              base nat-type;
            }
            description
              "Supported translation type(s).";
          }
          leaf-list per-interface-binding {
            type enumeration {
              enum unsupported {
                description
                  "No capability to associate a NAT binding with
                   an extra identifier.";
              }
              enum layer-2 {
                description
                  "The NAT instance is able to associate a mapping with
                   a Layer 2 identifier.";
              }
              enum dslite {
                description
                  "The NAT instance is able to associate a mapping with
                   an IPv6 address (a.k.a., DS-Lite).";
              }
            }
            description
              "Indicates the capability of a NAT to associate a
               particular NAT session not only with the five
               tuples used for the transport connection on both
               sides of the NAT but also with the internal
               interface on which the user device is
               connected to the NAT.";
            reference
              "Section 4 of RFC 6619";
          }
          list transport-protocols {
            key "protocol-id";
            description
              "List of supported protocols.";
Top   ToC   RFC8512 - Page 36
            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "The upper-layer protocol associated with a mapping.

                 Values are taken from the IANA Protocol Numbers
                 registry.

                 For example, this field contains 6 for TCP,
                 17 for UDP, 33 for DCCP, or 132 for SCTP.";
            }
            leaf protocol-name {
              type string;
              description
                "The name of the upper-layer protocol associated
                 with this mapping.

                 For example, TCP, UDP, DCCP, and SCTP.";
            }
          }
          leaf restricted-port-support {
            type boolean;
            description
              "Indicates source port NAT restriction support.";
            reference
              "RFC 7596: Lightweight 4over6: An Extension to
                         the Dual-Stack Lite Architecture";
          }
          leaf static-mapping-support {
            type boolean;
            description
              "Indicates whether static mappings are supported.";
          }
          leaf port-randomization-support {
            type boolean;
            description
              "Indicates whether port randomization is supported.";
            reference
              "Section 4.2.1 of RFC 4787";
          }
          leaf port-range-allocation-support {
            type boolean;
            description
              "Indicates whether port range allocation is supported.";
            reference
              "Section 1.1 of RFC 7753";
          }


(next page on part 4)

Next Section