RFC 8512
A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)
Pages: 94
Proposed Standard
Proposed Standard
Part 3 of 8 – Pages 24 to 36
3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2019-01-10.yang" module ietf-nat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; prefix nat; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } import ietf-interfaces { prefix if; reference "RFC 8343: A YANG Data Model for Interface Management"; } organization "IETF OPSAWG (Operations and Management Area Working Group)"; contact "WG Web: <https://datatracker.ietf.org/wg/opsawg/> WG List: <mailto:opsawg@ietf.org> Editor: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Author: Senthil Sivakumar <mailto:ssenthil@cisco.com> Author: Christian Jacquenet <mailto:christian.jacquenet@orange.com> Author: Suresh Vinapamula <mailto:sureshk@juniper.net> Author: Qin Wu <mailto:bill.wu@huawei.com>"; description "This module is a YANG module for NAT implementations.
NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), customer-side translator
(CLAT), Stateless IP/ICMP Translation (SIIT), Explicit
Address Mappings (EAM) for SIIT, IPv6 Network Prefix
Translation (NPTv6), and Destination NAT are covered.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8512; see
the RFC itself for full legal notices.";
revision 2019-01-10 {
description
"Initial revision.";
reference
"RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)";
}
/*
* Definitions
*/
typedef percent {
type uint8 {
range "0 .. 100";
}
description
"Percentage";
}
/*
* Features
*/
feature basic-nat44 {
description
"Basic NAT44 translation is limited to IP addresses alone.";
reference
"RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
}
feature napt44 {
description
"Network Address Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID).
If the internal IP address is not sufficient to uniquely
disambiguate NAPT44 mappings, an additional attribute is
required. For example, that additional attribute may
be an IPv6 address (a.k.a., DS-Lite) or
a Layer 2 identifier (a.k.a., Per-Interface NAT)";
reference
"RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
}
feature dst-nat {
description
"Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices
in front of public servers.";
}
feature nat64 {
description
"NAT64 translation allows IPv6-only clients to contact IPv4
servers using, e.g., UDP, TCP, or ICMP. One or more
public IPv4 addresses assigned to a NAT64 translator are
shared among several IPv6-only clients.";
reference
"RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers";
}
feature siit {
description
"The Stateless IP/ICMP Translation Algorithm (SIIT), which
translates between IPv4 and IPv6 packet headers (including
ICMP headers).
In the stateless mode, an IP/ICMP translator converts IPv4
addresses to IPv6, and vice versa, solely based on the
configuration of the stateless IP/ICMP translator and
information contained within the packet being translated.
The translator must support the stateless address mapping
algorithm defined in RFC 6052, which is the default behavior.";
reference
"RFC 7915: IP/ICMP Translation Algorithm";
}
feature clat {
description
"CLAT is customer-side translator that algorithmically
translates 1:1 private IPv4 addresses to global IPv6
addresses, and vice versa.
When a dedicated /64 prefix is not available for translation
from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4 packets appear
from a single IPv4 address and are then statelessly translated
to one interface IPv6 address that is claimed by the CLAT via
the Neighbor Discovery Protocol (NDP) and defended with
Duplicate Address Detection.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and
Stateless Translation";
}
feature eam {
description
"Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 prefix and an IPv6 prefix.";
reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation";
}
feature nptv6 {
description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/*
* Identities
*/
identity nat-type {
description
"Base identity for nat type.";
}
identity basic-nat44 {
base nat:nat-type;
description
"Identity for Basic NAT support.";
reference
"RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
}
identity napt44 {
base nat:nat-type;
description
"Identity for NAPT support.";
reference
"RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
}
identity dst-nat {
base nat:nat-type;
description
"Identity for Destination NAT support.";
}
identity nat64 {
base nat:nat-type;
description
"Identity for NAT64 support.";
reference
"RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers";
}
identity siit {
base nat:nat-type;
description
"Identity for SIIT support.";
reference
"RFC 7915: IP/ICMP Translation Algorithm";
}
identity clat {
base nat:nat-type;
description
"Identity for CLAT support.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
}
identity eam {
base nat:nat-type;
description
"Identity for EAM support.";
reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation";
}
identity nptv6 {
base nat:nat-type;
description
"Identity for NPTv6 support.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/*
* Grouping
*/
grouping port-number {
description
"An individual port number or a range of ports.
When only start-port-number is present,
it represents a single port number.";
leaf start-port-number {
type inet:port-number;
description
"Beginning of the port range.";
reference
"Section 3.2.9 of RFC 8045";
}
leaf end-port-number {
type inet:port-number;
must '. >= ../start-port-number' {
error-message
"The end-port-number must be greater than or
equal to start-port-number.";
}
description
"End of the port range.";
reference
"Section 3.2.10 of RFC 8045";
}
}
grouping port-set {
description
"Indicates a set of port numbers.
It may be a simple port range, or use the Port Set
Identifier (PSID) algorithm to represent a range of
transport-layer port numbers that will be used by a
NAPT.";
choice port-type {
default "port-range";
description
"Port type: port-range or port-set-algo.";
case port-range {
uses port-number;
}
case port-set-algo {
leaf psid-offset {
type uint8 {
range "0..15";
}
description
"The number of offset bits (a.k.a., 'a' bits).
Specifies the numeric value for the excluded port
range/offset bits.
Allowed values are between 0 and 15.";
reference
"Section 5.1 of RFC 7597";
}
leaf psid-len {
type uint8 {
range "0..15";
}
mandatory true;
description
"The length of PSID, representing the sharing
ratio for an IPv4 address.
(also known as 'k').
The address-sharing ratio would be 2^k.";
reference
"Section 5.1 of RFC 7597";
}
leaf psid {
type uint16;
mandatory true;
description
"PSID value, which identifies a set
of ports algorithmically.";
reference
"Section 5.1 of RFC 7597";
}
}
reference
"RFC 7597: Mapping of Address and Port with
Encapsulation (MAP-E)";
}
}
grouping mapping-entry {
description
"NAT mapping entry.
If an attribute is not stored in the mapping/session table,
it means the corresponding field of a packet that
matches this entry is not rewritten by the NAT or this
information is not required for NAT filtering purposes.";
leaf index {
type uint32;
description
"A unique identifier of a mapping entry. This identifier
can be automatically assigned by the NAT instance or be
explicitly configured.";
}
leaf type {
type enumeration {
enum static {
description
"The mapping entry is explicitly configured
(e.g., via a command-line interface).";
}
enum dynamic-implicit {
description
"This mapping is created implicitly as a side effect
of processing a packet that requires a new mapping.";
}
enum dynamic-explicit {
description
"This mapping is created as a result of an explicit
request, e.g., a PCP message.";
}
}
description
"Indicates the type of a mapping entry. For example,
a mapping can be: static, implicit dynamic,
or explicit dynamic.";
}
leaf transport-protocol {
type uint8;
description
"The upper-layer protocol associated with this mapping.
Values are taken from the IANA Protocol Numbers registry:
<https://www.iana.org/assignments/protocol-numbers/>.
For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP.
If this leaf is not instantiated, then the mapping
applies to any protocol.";
}
leaf internal-src-address {
type inet:ip-prefix;
description
"Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal interface.";
}
container internal-src-port {
description
"Corresponds to the source port of the packet received
on an internal interface.
It is also used to indicate the internal source ICMP
identifier.
As a reminder, all the ICMP Query messages contain
an 'Identifier' field, which is referred to in this
document as the 'ICMP Identifier'.";
uses port-number;
}
leaf external-src-address {
type inet:ip-prefix;
description
"Source IP address/prefix of the packet sent on an
external interface of the NAT.";
}
container external-src-port {
description
"Source port of the packet sent on an external
interface of the NAT.
It is also used to indicate the external source ICMP
identifier.";
uses port-number;
}
leaf internal-dst-address {
type inet:ip-prefix;
description
"Corresponds to the destination IP address/prefix
of the packet received on an internal interface
of the NAT.
For example, some NAT implementations support
the translation of both source and destination
addresses and port numbers, sometimes referred to
as 'Twice NAT'.";
}
container internal-dst-port {
description
"Corresponds to the destination port of the
IP packet received on the internal interface.
It is also used to include the internal
destination ICMP identifier.";
uses port-number;
}
leaf external-dst-address {
type inet:ip-prefix;
description
"Corresponds to the destination IP address/prefix
of the packet sent on an external interface
of the NAT.";
}
container external-dst-port {
description
"Corresponds to the destination port number of
the packet sent on the external interface
of the NAT.
It is also used to include the external
destination ICMP identifier.";
uses port-number;
}
leaf lifetime {
type uint32;
units "seconds";
description
"When specified, it is used to track the connection that is
fully formed (e.g., once the three-way handshake
TCP is completed) or the duration for maintaining
an explicit mapping alive. The mapping entry will be
removed by the NAT instance once this lifetime is expired.
When reported in a get operation, the lifetime indicates
the remaining validity lifetime.
Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to
remove that mapping.";
}
}
/*
* NAT Module
*/
container nat {
description
"NAT module";
container instances {
description
"NAT instances";
list instance {
key "id";
description
"A NAT instance. This identifier can be automatically
assigned or explicitly configured.";
leaf id {
type uint32;
must '. >= 1';
description
"NAT instance identifier.
The identifier must be greater than zero.";
reference
"RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)";
}
leaf name {
type string;
description
"A name associated with the NAT instance.";
reference
"RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)";
}
leaf enable {
type boolean;
description
"Status of the NAT instance.";
}
container capabilities {
config false;
description
"NAT capabilities.";
leaf-list nat-flavor {
type identityref {
base nat-type;
}
description
"Supported translation type(s).";
}
leaf-list per-interface-binding {
type enumeration {
enum unsupported {
description
"No capability to associate a NAT binding with
an extra identifier.";
}
enum layer-2 {
description
"The NAT instance is able to associate a mapping with
a Layer 2 identifier.";
}
enum dslite {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
}
description
"Indicates the capability of a NAT to associate a
particular NAT session not only with the five
tuples used for the transport connection on both
sides of the NAT but also with the internal
interface on which the user device is
connected to the NAT.";
reference
"Section 4 of RFC 6619";
}
list transport-protocols {
key "protocol-id";
description
"List of supported protocols.";
leaf protocol-id {
type uint8;
mandatory true;
description
"The upper-layer protocol associated with a mapping.
Values are taken from the IANA Protocol Numbers
registry.
For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP.";
}
leaf protocol-name {
type string;
description
"The name of the upper-layer protocol associated
with this mapping.
For example, TCP, UDP, DCCP, and SCTP.";
}
}
leaf restricted-port-support {
type boolean;
description
"Indicates source port NAT restriction support.";
reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture";
}
leaf static-mapping-support {
type boolean;
description
"Indicates whether static mappings are supported.";
}
leaf port-randomization-support {
type boolean;
description
"Indicates whether port randomization is supported.";
reference
"Section 4.2.1 of RFC 4787";
}
leaf port-range-allocation-support {
type boolean;
description
"Indicates whether port range allocation is supported.";
reference
"Section 1.1 of RFC 7753";
}
(next page on part 4)