// Excerpt of a YANG data model for NAT. It covers three areas:
//   1. the tail of a container of read-only-looking "-support" capability
//      leaves (its opening statement is before this excerpt),
//   2. instance-level settings (translation type, per-interface binding,
//      NAT pass-through), and
//   3. the first part of the per-policy parameter list ("list policy"),
//      which is still open at the end of this excerpt.
// Node names, types, and description strings are the schema's interface and
// are left exactly as published; only layout and comments were added.

    // NOTE(review): the node name is spelled "suport". The name is part of
    // the schema path, so clients must use this spelling as-is.
    leaf port-preservation-suport {
      type boolean;
      description
        "Indicates whether port preservation is supported.";
      reference
        "Section 4.2.1 of RFC 4787";
    }
    leaf port-parity-preservation-support {
      type boolean;
      description
        "Indicates whether port parity preservation is supported.";
      reference
        "Section 8 of RFC 7857";
    }
    leaf address-roundrobin-support {
      type boolean;
      description
        "Indicates whether address allocation round robin is supported.";
    }
    leaf paired-address-pooling-support {
      type boolean;
      description
        "Indicates whether paired-address-pooling is supported";
      reference
        "REQ-2 of RFC 4787";
    }

    // Mapping behaviors (RFC 4787, Section 4): these three leaves report which
    // rules the NAT can use to decide whether an existing mapping is reused
    // for a new destination.
    leaf endpoint-independent-mapping-support {
      type boolean;
      description
        "Indicates whether endpoint-independent- mapping is supported.";
      reference
        "Section 4 of RFC 4787";
    }
    leaf address-dependent-mapping-support {
      type boolean;
      description
        "Indicates whether address-dependent-mapping is supported.";
      reference
        "Section 4 of RFC 4787";
    }
    leaf address-and-port-dependent-mapping-support {
      type boolean;
      description
        "Indicates whether address-and-port-dependent-mapping is supported.";
      reference
        "Section 4 of RFC 4787";
    }

    // Filtering behaviors (RFC 4787, Section 5): these decide which external
    // endpoints may send inbound packets through an existing mapping.
    // Endpoint-independent filtering is the most permissive of the three;
    // the address- and address-and-port-dependent variants restrict inbound
    // traffic by remote address (and port). Consult these leaves when
    // assessing how exposed a mapped internal port is.
    leaf endpoint-independent-filtering-support {
      type boolean;
      description
        "Indicates whether endpoint-independent-filtering is supported.";
      reference
        "Section 5 of RFC 4787";
    }
    // NOTE(review): unlike the sibling capability leaves, the next two node
    // names carry no "-support" suffix; they still describe support flags.
    leaf address-dependent-filtering {
      type boolean;
      description
        "Indicates whether address-dependent-filtering is supported.";
      reference
        "Section 5 of RFC 4787";
    }
    // NOTE(review): the description below reads "address-and-port-dependent"
    // without "-filtering"; the reference (Section 5) shows filtering is meant.
    leaf address-and-port-dependent-filtering {
      type boolean;
      description
        "Indicates whether address-and-port-dependent is supported.";
      reference
        "Section 5 of RFC 4787";
    }

    // Reports how fragments arriving on the external interface are handled.
    // NOTE(review): translating out-of-order fragments presumably requires
    // holding fragment state until the header-bearing fragment arrives;
    // confirm the implementation bounds that state (count and lifetime).
    leaf fragment-behavior {
      type enumeration {
        enum unsupported {
          description
            "No capability to translate incoming fragments. All received fragments are dropped.";
        }
        enum in-order {
          description
            "The NAT instance is able to translate fragments only if they are received in order. That is, in particular the header is in the first packet. Fragments received out of order are dropped. ";
        }
        enum out-of-order {
          description
            "The NAT instance is able to translate a fragment even if it is received out of order.
             This behavior is recommended.";
          reference
            "REQ-14 of RFC 4787";
        }
      }
      description
        "The fragment behavior is the NAT instance's capability to translate fragments received on the external interface of the NAT.";
    }
  } // closes the enclosing statement opened before this excerpt
    // (presumably the capabilities container -- confirm against the full module)

  // Selects the translation flavor for this instance; values derive from the
  // nat-type identity, which is defined outside this excerpt.
  leaf type {
    type identityref {
      base nat-type;
    }
    description
      "Specify the translation type. Particularly useful when multiple translation flavors are supported. If one type is supported by a NAT, this parameter is by default set to that type.";
  }

  // Controls whether mappings are additionally keyed on an interface-level
  // identifier (Layer 2 id or DS-Lite IPv6 address).
  // NOTE(review): the description says this should be disabled by default in
  // general-purpose devices, but no "default" statement is present on the
  // leaf, so that guidance is not enforced by the schema.
  leaf per-interface-binding {
    type enumeration {
      enum disabled {
        description
          "Disable the capability to associate an extra identifier with NAT mappings.";
      }
      enum layer-2 {
        description
          "The NAT instance is able to associate a mapping with a Layer 2 identifier.";
      }
      enum dslite {
        description
          "The NAT instance is able to associate a mapping with an IPv6 address (a.k.a., DS-Lite).";
      }
    }
    description
      "A NAT that associates a particular NAT session not only with the five tuples used for the transport connection on both sides of the NAT but also with the internal interface on which the user device is connected to the NAT. If supported, this mode of operation should be
       configurable, and it should be disabled by default in general-purpose NAT devices. If one single per-interface binding behavior is supported by a NAT, this parameter is by default set to that behavior.";
    reference
      "Section 4 of RFC 6619";
  }

  // Destinations listed here are exempt from translation. Each entry is an
  // exception to the NAT policy, so review the list like any other allow-list:
  // a broad prefix here exempts correspondingly broad traffic.
  // NOTE(review): "prefix" is mandatory, yet the "port" description covers
  // the case "If no prefix is defined"; as written that case cannot occur.
  list nat-pass-through {
    if-feature "basic-nat44 or napt44 or dst-nat";
    key "id";
    description
      "IP prefix NAT pass-through.";
    leaf id {
      type uint32;
      description
        "An identifier of the IP prefix pass-through.";
    }
    leaf prefix {
      type inet:ip-prefix;
      mandatory true;
      description
        "The IP addresses that match should not be translated. It must be possible to administratively turn off translation for specific destination addresses and/or ports.";
      reference
        "REQ-6 of RFC 6888";
    }
    leaf port {
      type inet:port-number;
      description
        "It must be possible to administratively turn off translation for specific destination addresses and/or ports. If no prefix is defined, the NAT pass-through bound to a given port applies for any destination address.";
      reference
        "REQ-6 of RFC 6888";
    }
  }

  // Per-policy NAT parameters. The list is keyed on "id"; it is NOT closed
  // within this excerpt and continues past the last statement shown.
  list policy {
    key "id";
    description
      "NAT parameters for a given instance";
    leaf id {
      type uint32;
      description
        "An identifier of the NAT policy. It must be unique within the NAT instance.";
    }

    // CLAT (464XLAT customer-side translator) prefixes; only present when
    // the "clat" feature is advertised.
    container clat-parameters {
      if-feature "clat";
      description
        "CLAT parameters.";
      list clat-ipv6-prefixes {
        key "ipv6-prefix";
        description
          "464XLAT double-translation treatment is stateless when a dedicated /64 is available for translation on the CLAT. Otherwise, the CLAT will have both stateful and stateless translation since it requires NAT44 from the LAN to a single IPv4 address and then stateless translation to a single IPv6 address.";
        reference
          "RFC 6877: 464XLAT: Combination of Stateful and Stateless Translation";
        leaf ipv6-prefix {
          type inet:ipv6-prefix;
          description
            "An IPv6 prefix used for CLAT.";
        }
      }
      list ipv4-prefixes {
        key "ipv4-prefix";
        description
          "Pool of IPv4 addresses used for CLAT. 192.0.0.0/29 is the IPv4 service continuity prefix.";
        reference
          "RFC 7335: IPv4 Service Continuity Prefix";
        // The description below repeats the clat-ipv6-prefixes text and then
        // adds the IPv4-specific behavior (NAT44 to a single IPv4 address).
        leaf ipv4-prefix {
          type inet:ipv4-prefix;
          description
            "464XLAT double-translation treatment is stateless when a dedicated /64 is available for translation on the CLAT. Otherwise, the CLAT will have both stateful and stateless translation since it requires NAT44 from the LAN to a single IPv4 address and then stateless translation to a single IPv6 address. The CLAT performs NAT44 for all IPv4 LAN packets so that all the LAN-originated IPv4 packets appear from a single IPv4 address and are then statelessly translated to one
             interface IPv6 address that is claimed by the CLAT. An IPv4 address from this pool is also provided to an application that makes use of literals.";
          reference
            "RFC 6877: 464XLAT: Combination of Stateful and Stateless Translation";
        }
      }
    }

    // (internal prefix, external prefix) pairs for NPTv6, keyed on the
    // internal prefix. "mandatory true" on the key leaf is redundant: list
    // keys must always be present.
    list nptv6-prefixes {
      if-feature "nptv6";
      key "internal-ipv6-prefix";
      description
        "Provides one or a list of (internal IPv6 prefix, external IPv6 prefix) required for NPTv6. In its simplest form, NPTv6 interconnects two network links: one is an 'internal' network link attached to a leaf network within a single administrative domain, and the other is an 'external' network with connectivity to the global Internet.";
      reference
        "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
      leaf internal-ipv6-prefix {
        type inet:ipv6-prefix;
        mandatory true;
        description
          "An IPv6 prefix used by an internal interface of NPTv6.";
        reference
          "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
      }
      leaf external-ipv6-prefix {
        type inet:ipv6-prefix;
        mandatory true;
        description
          "An IPv6 prefix used by the external interface of NPTv6.";
        reference
          "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
      }
    }

    // Explicit Address Mapping table: one row per IPv4 <-> IPv6 prefix pair,
    // keyed on the IPv4 prefix.
    list eam {
      if-feature "eam";
      key "ipv4-prefix";
      description
        "The Explicit Address Mapping Table is a conceptual table in which each row represents an EAM. Each EAM describes a mapping between IPv4 and IPv6 prefixes/addresses.";
      reference
        "Section 3.1 of RFC 7757";
      leaf ipv4-prefix {
        type inet:ipv4-prefix;
        mandatory true;
        description
          "The IPv4 prefix of an EAM.";
        reference
          "Section 3.2 of RFC 7757";
      }
      leaf ipv6-prefix {
        type inet:ipv6-prefix;
        mandatory true;
        description
          "The IPv6 prefix of an EAM.";
        reference
          "Section 3.2 of RFC 7757";
      }
    }

    // NAT64 prefixes, each optionally scoped to a set of destination IPv4
    // prefixes. Stateless operation is opt-in per prefix (default "false").
    list nat64-prefixes {
      if-feature "siit or nat64 or clat";
      key "nat64-prefix";
      description
        "Provides one or a list of NAT64 prefixes with or without a list of destination IPv4 prefixes. It allows mapping IPv4 address ranges to IPv6 prefixes. For example: 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
      reference
        "Section 5.1 of RFC 7050";
      leaf nat64-prefix {
        type inet:ipv6-prefix;
        mandatory true;
        description
          "A NAT64 prefix. Can be a Network-Specific Prefix (NSP) or a Well-Known Prefix (WKP). Organizations deploying stateless IPv4/IPv6 translation should assign an NSP to their IPv4/IPv6 translation service.
           For stateless NAT64, IPv4-translatable IPv6 addresses must use the selected NSP. Both IPv4-translatable IPv6 addresses and IPv4-converted IPv6 addresses should use the same prefix.";
        reference
          "Sections 3.3 and 3.4 of RFC 6052";
      }
      list destination-ipv4-prefix {
        key "ipv4-prefix";
        description
          "An IPv4 prefix/address.";
        leaf ipv4-prefix {
          type inet:ipv4-prefix;
          description
            "An IPv4 address/prefix.";
        }
      }
      leaf stateless-enable {
        type boolean;
        default "false";
        description
          "Enable explicitly stateless NAT64.";
      }
    }

    // External (public-side) address pools. The "must" expression rejects a
    // pool-id of 0 at validation time.
    list external-ip-address-pool {
      if-feature "basic-nat44 or napt44 or nat64";
      key "pool-id";
      description
        "Pool of external IP addresses used to service internal hosts. A pool is a set of IP prefixes.";
      leaf pool-id {
        type uint32;
        must '. >= 1';
        description
          "An identifier that uniquely identifies the address pool within a NAT instance. The identifier must be greater than zero.";
        reference
          "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)";
      }
      leaf external-ip-pool {
        type inet:ipv4-prefix;
        mandatory true;
        description
          "An IPv4 prefix used for NAT purposes.";
      }
    }

    // Restricts which external source ports the translator may use. The
    // port-set grouping is defined outside this excerpt.
    container port-set-restrict {
      if-feature "napt44 or nat64";
      description
        "Configures contiguous and non-contiguous port ranges. The port set is used to restrict the external source port numbers used by the translator.";
      uses port-set;
    }

    // Destination NAT is off unless explicitly enabled.
    leaf dst-nat-enable {
      if-feature "basic-nat44 or napt44";
      type boolean;
      default "false";
      description
        "Enable/disable Destination NAT. A NAT44 may be configured to enable Destination NAT, too.";
    }

    // Destination NAT pools. NOTE(review): unlike external-ip-address-pool,
    // pool-id here has no "must '. >= 1'" constraint, and dst-in-ip-pool is
    // optional; confirm whether the asymmetry is intended.
    list dst-ip-address-pool {
      if-feature "dst-nat";
      key "pool-id";
      description
        "Pool of IP addresses used for Destination NAT.";
      leaf pool-id {
        type uint32;
        description
          "An identifier of the address pool.";
      }
      leaf dst-in-ip-pool {
        type inet:ip-prefix;
        description
          "Is used to identify an internal destination IP prefix/address to be translated.";
      }
      leaf dst-out-ip-pool {
        type inet:ip-prefix;
        mandatory true;
        description
          "IP address/prefix used for Destination NAT.";
      }
    }

    // Transport protocols the translator handles, keyed on the IANA protocol
    // number. protocol-name is a free-form string and is not validated
    // against protocol-id by the schema.
    list transport-protocols {
      if-feature "napt44 or nat64 or dst-nat";
      key "protocol-id";
      description
        "Configure the transport protocols to be handled by the translator. TCP and UDP are supported by default.";
      leaf protocol-id {
        type uint8;
        mandatory true;
        description
          "The upper-layer protocol associated with this mapping. Values are taken from the IANA Protocol Numbers registry. For example, this field contains 6 for TCP, 17 for UDP, 33 for DCCP, or 132 for SCTP.";
      }
      leaf protocol-name {
        type string;
        description
          "The name of the upper-layer protocol associated with this mapping. For example, TCP, UDP, DCCP, and SCTP.";
      }
    }

    // Prefix length used to group internal IPv6 sources into "subscribers"
    // for per-subscriber policies such as port quotas.
    // NOTE(review): the range admits every value from 0 to 128. A mask longer
    // than the prefix actually delegated to a CPE would presumably split one
    // customer into several subscribers (each with its own quota), and a very
    // short mask would merge unrelated customers. Confirm that the configured
    // value matches the delegated prefix length.
    leaf subscriber-mask-v6 {
      type uint8 {
        range "0 .. 128";
      }
      description
        "The subscriber mask is an integer that indicates the length of significant bits to be applied on the source IPv6 address (internal side) to unambiguously identify a user device (e.g., CPE). Subscriber mask is a system-wide configuration parameter that is used to enforce generic per-subscriber policies (e.g., port-quota). The enforcement of these generic policies does not require the configuration of every subscriber's prefix. Example: suppose the 2001:db8:100:100::/56 prefix
         is assigned to a NAT64-serviced CPE. Suppose also that 2001:db8:100:100::1 is the IPv6 address used by the client that resides in that CPE. When the NAT64 receives a packet from this client, it applies the subscriber-mask-v6 (e.g., 56) on the source IPv6 address to compute the associated prefix for this client (2001:db8:100:100::/56). Then, the NAT64 enforces policies based on that prefix (2001:db8:100:100::/56), not on the exact source IPv6 address.";
    }

    // Internal subnets whose traffic is subject to translation.
    list subscriber-match {
      if-feature "basic-nat44 or napt44 or dst-nat";
      key "match-id";
      description
        "IP prefix match. A subscriber is identified by a subnet.";
      leaf match-id {
        type uint32;
        description
          "An identifier of the subscriber match.";
      }
      leaf subnet {
        type inet:ip-prefix;
        mandatory true;
        description
          "The IP address subnets that match should be translated. For example, all addresses that belong to the 192.0.2.0/24 prefix must be processed by the NAT.";
      }
    }

    // How an external address is picked from the pool. Each enum value is
    // gated by its own if-feature; "paired" is the one the description marks
    // as recommended for NAPT/NAT64.
    leaf address-allocation-type {
      type enumeration {
        enum arbitrary {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Arbitrary pooling behavior means that the NAT instance may create the new port mapping using any address in the pool that has a free port for the protocol concerned.";
        }
        enum roundrobin {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Round-robin allocation.";
        }
        enum paired {
          if-feature "napt44 or nat64";
          description
            "Paired address pooling informs the NAT that all the flows from an internal IP address must be assigned the same external address. This is the recommended behavior for NAPT/NAT64.";
          reference
            "RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP";
        }
      }
      description
        "Specifies how external IP addresses are allocated.";
    }

    // How external ports are chosen. Of the four values, only "random" is
    // described as making port numbers hard to guess; the preservation and
    // range schemes tie the external port to the internal port or to a
    // pre-assigned range, so weigh predictability against the logging benefit
    // noted for port-range-allocation.
    // NOTE(review): no "default" statement is present, so the schema does not
    // say which scheme applies when this leaf is unset.
    leaf port-allocation-type {
      if-feature "napt44 or nat64";
      type enumeration {
        enum random {
          description
            "Port randomization is enabled. A NAT port allocation scheme should make it hard for attackers to guess port numbers";
          reference
            "REQ-15 of RFC 6888";
        }
        enum port-preservation {
          description
            "Indicates whether the NAT should preserve the internal port number.";
        }
        enum port-parity-preservation {
          description
            "Indicates whether the NAT should preserve the port parity of the internal port number.";
        }
        enum port-range-allocation {
          description
            "Indicates whether the NAT assigns a range of ports for an internal host. This scheme allows the minimizing of the log volume.";
          reference
            "REQ-14 of RFC 6888";
        }
      }
      description
        "Indicates the type of port allocation.";
    }