leaf mapping-type { if-feature "napt44 or nat64"; type enumeration { enum eim { description "endpoint-independent-mapping."; reference "Section 4 of RFC 4787"; } enum adm { description "address-dependent-mapping."; reference "Section 4 of RFC 4787"; } enum edm { description "address-and-port-dependent-mapping."; reference "Section 4 of RFC 4787"; } } description "Indicates the type of NAT mapping."; } leaf filtering-type { if-feature "napt44 or nat64"; type enumeration { enum eif { description "endpoint-independent-filtering."; reference "Section 5 of RFC 4787"; } enum adf { description "address-dependent-filtering."; reference "Section 5 of RFC 4787"; } enum edf { description "address-and-port-dependent-filtering."; reference "Section 5 of RFC 4787"; } } description
"Indicates the type of NAT filtering."; } leaf fragment-behavior { if-feature "napt44 or nat64"; type enumeration { enum drop-all { description "All received fragments are dropped."; } enum in-order { description "Translate fragments only if they are received in order."; } enum out-of-order { description "Translate a fragment even if it is received out of order. This behavior is recommended."; reference "REQ-14 of RFC 4787"; } } description "The fragment behavior instructs the NAT about the behavior to follow to translate fragments received on the external interface of the NAT."; } list port-quota { if-feature "napt44 or nat64"; key "quota-type"; description "Configures a port quota to be assigned per subscriber. It corresponds to the maximum number of ports to be used by a subscriber."; leaf port-limit { type uint16; description "Configures a port quota to be assigned per subscriber. It corresponds to the maximum number of ports to be used by a subscriber."; reference "REQ-4 of RFC 6888"; } leaf quota-type { type uint8; description
"Indicates whether the port quota applies to all protocols (0) or to a specific protocol."; } } container port-set { when "../port-allocation-type = 'port-range-allocation'"; if-feature "napt44 or nat64"; description "Manages port-set assignments."; leaf port-set-size { type uint16; mandatory true; description "Indicates the size of assigned port sets."; } leaf port-set-timeout { type uint32; units "seconds"; description "Inactivity timeout for port sets."; } } container timers { if-feature "napt44 or nat64"; description "Configure values of various timeouts."; leaf udp-timeout { type uint32; units "seconds"; default "300"; description "UDP inactivity timeout. That is, the time a mapping will stay active without packets traversing the NAT."; reference "RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP"; } leaf tcp-idle-timeout { type uint32; units "seconds"; default "7440"; description "TCP idle timeout should be 2 hours and 4 minutes."; reference "RFC 5382: NAT Behavioral Requirements for TCP"; } leaf tcp-trans-open-timeout { type uint32;
units "seconds"; default "240"; description "The value of the transitory open connection idle-timeout. A NAT should provide different configurable parameters for configuring the open and closing idle timeouts. To accommodate deployments that consider a partially open timeout of 4 minutes as being excessive from a security standpoint, a NAT may allow the configured timeout to be less than 4 minutes. However, a minimum default transitory connection idle-timeout of 4 minutes is recommended."; reference "Section 2.1 of RFC 7857"; } leaf tcp-trans-close-timeout { type uint32; units "seconds"; default "240"; description "The value of the transitory close connection idle-timeout. A NAT should provide different configurable parameters for configuring the open and closing idle timeouts."; reference "Section 2.1 of RFC 7857"; } leaf tcp-in-syn-timeout { type uint32; units "seconds"; default "6"; description "A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If, during this interval, the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited inbound SYN packet."; reference
"RFC 5382: NAT Behavioral Requirements for TCP"; } leaf fragment-min-timeout { when "../../fragment-behavior='out-of-order'"; type uint32; units "seconds"; default "2"; description "As long as the NAT has available resources, the NAT allows the fragments to arrive over the fragment-min-timeout interval. The default value is inspired by RFC 6146."; } leaf icmp-timeout { type uint32; units "seconds"; default "60"; description "An ICMP Query session timer must not expire in less than 60 seconds. It is recommended that the ICMP Query session timer be made configurable."; reference "RFC 5508: NAT Behavioral Requirements for ICMP"; } list per-port-timeout { key "port-number"; description "Some NATs are configurable with short timeouts for some ports, e.g., 10 seconds on ports 53 (DNS) and 123 (NTP), and longer timeouts on other ports."; leaf port-number { type inet:port-number; description "A port number."; } leaf protocol { type uint8; description "The upper-layer protocol associated with this port. Values are taken from the IANA Protocol Numbers registry. If no protocol is indicated, it means 'any protocol'."; }
leaf timeout { type uint32; units "seconds"; mandatory true; description "Timeout for this port number."; } } leaf hold-down-timeout { type uint32; units "seconds"; default "120"; description "Hold-down timer. Ports in the hold-down pool are not reassigned until hold-down-timeout expires. The length of time and the maximum number of ports in this state must be configurable by the administrator. This is necessary in order to prevent collisions between old and new mappings and sessions. It ensures that all established sessions are broken instead of redirected to a different peer."; reference "REQ-8 of RFC 6888"; } leaf hold-down-max { type uint32; description "Maximum number of ports in the hold-down port pool."; reference "REQ-8 of RFC 6888"; } } leaf fragments-limit { when "../fragment-behavior='out-of-order'"; type uint32; description "Limits the number of out-of-order fragments that can be handled."; reference "Section 11 of RFC 4787"; } list algs { key "name"; description
"Features related to the Application Layer Gateway (ALG)."; leaf name { type string; description "The name of the ALG."; } leaf transport-protocol { type uint32; description "The transport protocol used by the ALG (e.g., TCP or UDP)."; } container dst-transport-port { uses port-number; description "The destination port number(s) used by the ALG. For example, 21 for the FTP ALG or 53 for the DNS ALG."; } container src-transport-port { uses port-number; description "The source port number(s) used by the ALG."; } leaf status { type boolean; description "Enable/disable the ALG."; } } leaf all-algs-enable { type boolean; description "Disable/enable all ALGs. When specified, this parameter overrides the value that may be indicated by the 'status' of an individual ALG."; } container notify-pool-usage { if-feature "basic-nat44 or napt44 or nat64"; description "Notification of pool usage when certain criteria are met."; leaf pool-id { type uint32;
description "Pool-ID for which the notification criteria are defined."; } leaf low-threshold { type percent; description "Notification must be generated when the defined low threshold is reached. For example, if a notification is required when the pool utilization falls below 10%, this configuration parameter must be set to 10. 0% indicates that low-threshold notification is disabled."; } leaf high-threshold { type percent; must '. >= ../low-threshold' { error-message "The high threshold must be greater than or equal to the low threshold."; } description "Notification must be generated when the defined high threshold is reached. For example, if a notification is required when the pool utilization reaches 90%, this configuration parameter must be set to 90. Setting the same value as low-threshold is equivalent to disabling high-threshold notification."; } leaf notify-interval { type uint32 { range "1 .. 3600"; } units "seconds"; default "20"; description "Minimum number of seconds between successive notifications for this pool."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; }
} container external-realm { description "Identifies the external realm of the NAT instance."; choice realm-type { description "Can be an interface, VRF instance, etc."; case interface { description "External interface."; leaf external-interface { type if:interface-ref; description "Name of the external interface."; } } } } } container mapping-limits { if-feature "napt44 or nat64"; description "Information about the configuration parameters that limit the mappings based upon various criteria."; leaf limit-subscribers { type uint32; description "Maximum number of subscribers that can be serviced by a NAT instance. A subscriber is identified by a given prefix."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; } leaf limit-address-mappings { type uint32; description "Maximum number of address mappings that can be handled by a NAT instance. When this limit is reached, packets that would normally trigger translation will be dropped."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; } leaf limit-port-mappings {
type uint32; description "Maximum number of port mappings that can be handled by a NAT instance. When this limit is reached, packets that would normally trigger translation will be dropped."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; } list limit-per-protocol { if-feature "napt44 or nat64 or dst-nat"; key "protocol-id"; description "Configure limits per transport protocol."; leaf protocol-id { type uint8; mandatory true; description "The upper-layer protocol. Values are taken from the IANA Protocol Numbers registry. For example, this field contains 6 for TCP, 17 for UDP, 33 for DCCP, or 132 for SCTP."; } leaf limit { type uint32; description "Maximum number of protocol-specific NAT mappings per instance."; } } } container connection-limits { if-feature "basic-nat44 or napt44 or nat64"; description "Information about the configuration parameters that rate-limit the translation based upon various criteria."; leaf limit-per-subscriber { type uint32; units "bits/second"; description "Rate-limit the number of new mappings and sessions per subscriber."; }