A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)
draft-ietf-opsawg-nat-yang-17

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8512.
Authors Mohamed Boucadair, Senthil Sivakumar, Christian Jacquenet, Suresh Vinapamula, Qin Wu
Last updated 2019-01-15 (Latest revision 2018-09-27)
Replaces draft-sivakumar-yang-nat
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Yang Validation 0 errors, 0 warnings
Additional resources Yang catalog entry for ietf-nat@2018-09-27.yang
Yang impact analysis for draft-ietf-opsawg-nat-yang
Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Joe Clarke
Shepherd write-up Last changed 2018-03-04
IESG IESG state Became RFC 8512 (Proposed Standard)
Action Holders
(None)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Ignas Bagdonas
Send notices to Joe Clarke <jclarke@cisco.com>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
         <external-ip-pool>
           198.51.100.0/24
         </external-ip-pool>
       </external-ip-address-pool>
       <port-quota>
         <port-limit>
           1024
         </port-limit>
         <quota-type>
           all
         </quota-type>
       </port-quota>
       <port-allocation-type>
         port-range-allocation
       </port-allocation-type>
       <port-set>
         <port-set-size>
           256
         </port-set-size>
       </port-set>
       ....
     </instance>
   </instances>

   An administrator may decide to allocate one single port range per
   subscriber (e.g., port range of 1024 ports) as shown below:

Boucadair, et al.        Expires March 31, 2019                [Page 82]
Internet-Draft             YANG Module for NAT            September 2018

   <instances>
     <instance>
       <id>1</id>
       <name>myCGN</name>
       ....
       <external-ip-address-pool>
         <pool-id>1</pool-id>
         <external-ip-pool>
           198.51.100.0/24
         </external-ip-pool>
       </external-ip-address-pool>
       <port-quota>
         <port-limit>
           1024
         </port-limit>
         <quota-type>
           all
         </quota-type>
       </port-quota>
       <port-allocation-type>
         port-range-allocation
       </port-allocation-type>
       <port-set>
         <port-set-size>
           1024
         </port-set-size>
       </port-set>
       ....
     </instance>
   </instances>

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

                     X1:x1            X1':x1'            X2:x2
                     +---+from X1:x1  +---+from X1:x1    +---+
                     | C |  to X2:x2  |   |  to X2:x2    | S |
                     | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
                     | i |            | G |              | r |
                     | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
                     | n |from X2:x2  |   |from X2:x2    | e |
                     | t |  to X1:x1  |   |  to X1:x1    | r |
                     +---+            +---+              +---+

                        Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.1), the following configuration parameter must be
   set:

   <nat-pass-through>
     ...
     <prefix>192.0.2.1/32</prefix>
     ...
   </nat-pass-through>

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such a case is
   depicted below:

   <nat64-prefixes>
     <nat64-prefix>
       2001:db8:122:300::/56
     </nat64-prefix>
   </nat64-prefixes>

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such a case is shown below:

   <nat64-prefixes>
     <nat64-prefix>
       2001:db8:122::/48
     </nat64-prefix>
     <destination-ipv4-prefix>
       <ipv4-prefix>
         198.51.100.0/24
       </ipv4-prefix>
     </destination-ipv4-prefix>
   </nat64-prefixes>

A.5.  Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].  Similar to the NAT64 case, the XML snippet to configure
   the NAT64 prefix in such a case is depicted below:

   <nat64-prefixes>
     <nat64-prefix>
       2001:db8:100::/40
     </nat64-prefix>
   </nat64-prefixes>

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
   following RFC6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.
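
   The extraction above, and the reverse synthesis used with the NAT64
   prefixes in A.4, as an added Python example that is not part of the
   draft.  It follows the RFC 6052 bit layout; the function names are
   illustrative, and rejecting a non-zero "u" octet is a validation
   choice made for this example.

```python
import ipaddress

# Prefix lengths RFC 6052 allows for embedding an IPv4 address.
ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)

def _check_prefix(prefix):
    net = ipaddress.IPv6Network(prefix)  # rejects prefixes with host bits set
    if net.prefixlen not in ALLOWED_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a valid RFC 6052 prefix length")
    if net.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    return net

def embed_ipv4(prefix, ipv4):
    """Build the IPv6 address that represents `ipv4` under `prefix`."""
    net = _check_prefix(prefix)
    body = net.network_address.packed[: net.prefixlen // 8]
    body += ipaddress.IPv4Address(ipv4).packed
    if net.prefixlen != 96:
        # The IPv4 bits skip the reserved "u" octet (bits 64-71), kept at zero.
        body = body[:8] + b"\x00" + body[8:]
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))

def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, refusing malformed input."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not covered by {net}")
    raw = addr.packed
    # Example policy (an assumption of this sketch): treat a non-zero
    # u octet as malformed rather than silently ignoring it.
    if raw[8] != 0:
        raise ValueError("reserved u octet (bits 64-71) is not zero")
    n = net.prefixlen // 8
    payload = raw[12:] if n == 12 else raw[n:8] + raw[9:]
    return ipaddress.IPv4Address(payload[:4])

if __name__ == "__main__":
    nsp = "2001:db8:100::/40"  # prefix from the SIIT example above
    for v6 in ("2001:db8:1c0:2:21::", "2001:db8:1c6:3364:2::"):
        print(v6, "->", extract_ipv4(nsp, v6))
    # Constructed input: inside the prefix but with a non-zero u octet.
    try:
        extract_ipv4(nsp, "2001:db8:1c0:2:ff21::")
    except ValueError as err:
        print("rejected:", err)
```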

   Also, a NAT64 can be instructed to behave in the stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

   <nat64-prefixes>
     <nat64-prefix>
       2001:db8:122:300::/56
     </nat64-prefix>
     <stateless-enable>
       true
     </stateless-enable>
   </nat64-prefixes>

A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
      SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Table 8.

                  +----------------+----------------------+
                  |  IPv4 Prefix   |     IPv6 Prefix      |
                  +----------------+----------------------+
                  | 192.0.2.1      | 2001:db8:aaaa::      |
                  | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
                  | 192.0.2.16/28  | 2001:db8:cccc::/124  |
                  | 192.0.2.128/26 | 2001:db8:dddd::/64   |
                  | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
                  | 192.0.2.224/31 | 64:ff9b::/127        |
                  +----------------+----------------------+

                        Table 8: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

   <eam>
     <ipv4-prefix>
       192.0.2.1/32
     </ipv4-prefix>
     <ipv6-prefix>
       2001:db8:aaaa::/128
     </ipv6-prefix>
   </eam>
   <eam>
     <ipv4-prefix>
       192.0.2.2/32
     </ipv4-prefix>
     <ipv6-prefix>
       2001:db8:bbbb::b/128
     </ipv6-prefix>
   </eam>
   <eam>
     <ipv4-prefix>
       192.0.2.16/28
     </ipv4-prefix>
     <ipv6-prefix>
       2001:db8:cccc::/124
     </ipv6-prefix>
   </eam>
   <eam>
     <ipv4-prefix>
       192.0.2.128/26
     </ipv4-prefix>
     <ipv6-prefix>
       2001:db8:dddd::/64
     </ipv6-prefix>
   </eam>
   <eam>
     <ipv4-prefix>
       192.0.2.192/29
     </ipv4-prefix>
     <ipv6-prefix>
       2001:db8:eeee:8::/62
     </ipv6-prefix>
   </eam>
   <eam>
     <ipv4-prefix>
       192.0.2.224/31
     </ipv4-prefix>
     <ipv6-prefix>
       64:ff9b::/127
     </ipv6-prefix>
   </eam>

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

   <capabilities>
     <nat-flavor>
       nat64
     </nat-flavor>
     <static-mapping-support>
       true
     </static-mapping-support>
     <port-randomization-support>
       true
     </port-randomization-support>
     <port-range-allocation-support>
       true
     </port-range-allocation-support>
     <port-preservation-suport>
       true
     </port-preservation-suport>
     <address-roundrobin-support>
       true
     </address-roundrobin-support>
     <paired-address-pooling-support>
       true
     </paired-address-pooling-support>
     <endpoint-independent-mapping-support>
       true
     </endpoint-independent-mapping-support>
     <endpoint-independent-filtering-support>
       true
     </endpoint-independent-filtering-support>
   </capabilities>

A.7.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

   <mapping-entry>
     <index>1</index>
     <type>
       static
     </type>
     <transport-protocol>
       6
     </transport-protocol>
     <internal-src-address>
       192.0.2.1/32
     </internal-src-address>
     <internal-src-port>
       <start-port-number>
         100
       </start-port-number>
       <end-port-number>
         500
       </end-port-number>
     </internal-src-port>
     <external-src-address>
       198.51.100.1/32
     </external-src-address>
     <external-src-port>
       <start-port-number>
         1100
       </start-port-number>
       <end-port-number>
         1500
       </end-port-number>
     </external-src-port>
     ...
   </mapping-entry>

A.8.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.

   <mapping-entry>
     <index>1</index>
     <type>
       static
     </type>
     <transport-protocol>
       6
     </transport-protocol>
     <internal-src-address>
       192.0.2.0/24
     </internal-src-address>
     <external-src-address>
       198.51.100.0/24
     </external-src-address>
     ...
   </mapping-entry>

A.9.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

   <dst-ip-address-pool>
     <pool-id>1</pool-id>
     <dst-in-ip-pool>
       192.0.2.1/32
     </dst-in-ip-pool>
     <dst-out-ip-pool>
       198.51.100.1/32
     </dst-out-ip-pool>
   </dst-ip-address-pool>

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping configured on the NAT:

   <mapping-entry>
     <index>1568</index>
     <type>
       static
     </type>
     <transport-protocol>
       6
     </transport-protocol>
     <internal-dst-address>
       192.0.2.1/32
     </internal-dst-address>
     <internal-dst-port>
       <start-port-number>
         80
       </start-port-number>
     </internal-dst-port>
     <external-dst-address>
       198.51.100.1/32
     </external-dst-address>
     <external-dst-port>
       <start-port-number>
         8080
       </start-port-number>
     </external-dst-port>
   </mapping-entry>

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (HTTP traffic) to 198.51.100.1 and '192.0.2.1:22' (SSH
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings configured on the NAT:

   <mapping-entry>
     <index>123</index>
     <type>
       static
     </type>
     <transport-protocol>
       6
     </transport-protocol>
     <internal-dst-address>
       192.0.2.1/32
     </internal-dst-address>
     <internal-dst-port>
       <start-port-number>
         80
       </start-port-number>
     </internal-dst-port>
     <external-dst-address>
       198.51.100.1/32
     </external-dst-address>
     ...
   </mapping-entry>
   <mapping-entry>
     <index>1236</index>
     <type>
       static
     </type>
     <transport-protocol>
        6
     </transport-protocol>
     <internal-dst-address>
       192.0.2.1/32
     </internal-dst-address>
     <internal-dst-port>
       <start-port-number>
         22
       </start-port-number>
     </internal-dst-port>
     <external-dst-address>
       198.51.100.2/32
     </external-dst-address>
     ...
   </mapping-entry>

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

   <external-ip-address-pool>
     <pool-id>1</pool-id>
     <external-ip-pool>
       198.51.100.0/24
     </external-ip-pool>
   </external-ip-address-pool>

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10.  Customer-side Translator (CLAT)

   The following XML snippet shows the example of a CLAT that is
   configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

   <clat-ipv6-prefixes>
     <ipv6-prefix>
       2001:db8:aaaa::/96
     </ipv6-prefix>
   </clat-ipv6-prefixes>
   <clat-ipv4-prefixes>
     <ipv4-prefix>
       192.0.0.1/32
     </ipv4-prefix>
   </clat-ipv4-prefixes>
   <nat64-prefixes>
     <nat64-prefix>
       2001:db8:1234::/96
     </nat64-prefix>
   </nat64-prefixes>

A.11.  IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of an NPTv6 translator that should rewrite
   packets with the source prefix (fd03:c03a:ecab::/48) with the
   external prefix (2001:db8:1::/48).  The internal interface is "eth0"
   while the external interface is "eth1" (Figure 2).

                  External Network:  Prefix = 2001:db8:1::/48
                      --------------------------------------
                                        |
                                        |eth1
                                 +-------------+
                             eth4|     NPTv6   |eth2
                         ...-----|             |------...
                                 +-------------+
                                        |eth0
                                        |
                      --------------------------------------
                  Internal Network:  Prefix = fd03:c03a:ecab::/48

                        Figure 2: Example of NPTv6

   The XML snippet to configure NPTv6 prefixes in such a case is depicted
   below:

   <nptv6-prefixes>
     <internal-ipv6-prefix>
       fd03:c03a:ecab::/48
     </internal-ipv6-prefix>
     <external-ipv6-prefix>
       2001:db8:1::/48
     </external-ipv6-prefix>
   </nptv6-prefixes>
   ...
   <external-realm>
     <external-interface>
       eth1
     </external-interface>
   </external-realm>

   Figure 3 shows an example of an NPTv6 translator that interconnects
   two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48);
   each is translated using a dedicated prefix (2001:db8:1::/48 and
   2001:db8:6666::/48, respectively).

                     Internal Prefix = fda8:d5cb:14f3::/48
                     --------------------------------------
                          V            |      External Prefix
                          V            |eth1   2001:db8:1::/48
                          V        +---------+      ^
                          V        |  NPTv6  |      ^
                          V        |         |      ^
                          V        +---------+      ^
                 External Prefix       |eth0        ^
                 2001:db8:6666::/48    |            ^
                     --------------------------------------
                     Internal Prefix = fd03:c03a:ecab::/48

                  Figure 3: Connecting two Peer Networks

   To that aim, the following configuration is provided to the NPTv6
   translator:

   <policy>
     <id>1</id>
     <nptv6-prefixes>
       <internal-ipv6-prefix>
         fd03:c03a:ecab::/48
       </internal-ipv6-prefix>
       <external-ipv6-prefix>
         2001:db8:1::/48
       </external-ipv6-prefix>
     </nptv6-prefixes>
     <external-realm>
       <external-interface>
         eth1
       </external-interface>
     </external-realm>
   </policy>
   <policy>
     <id>2</id>
     <nptv6-prefixes>
       <internal-ipv6-prefix>
         fda8:d5cb:14f3::/48
       </internal-ipv6-prefix>
       <external-ipv6-prefix>
         2001:db8:6666::/48
       </external-ipv6-prefix>
     </nptv6-prefixes>
     <external-realm>
       <external-interface>
         eth0
       </external-interface>
     </external-realm>
   </policy>
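
   The checksum-neutral rewrite that an NPTv6 translator (RFC 6296)
   applies to the prefix pairs configured above, as an added Python
   example that is not part of the draft.  Function names and the host
   addresses are constructed for illustration; only equal-length
   prefixes of /48 or shorter are handled.

```python
import ipaddress

def _words(addr):
    raw = addr.packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_sum(words):
    """16-bit one's complement sum, as used by the Internet checksum."""
    total = 0
    for word in words:
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total

def nptv6_translate(address, from_prefix, to_prefix):
    """Rewrite `address` from one prefix to the other, checksum-neutrally."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    addr = ipaddress.IPv6Address(address)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("example covers equal-length prefixes of /48 or shorter")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # 0xFFFF equals 0x0000 in one's complement, so it has no distinct mapping.
    if _words(addr)[3] == 0xFFFF:
        raise ValueError("subnet 0xFFFF cannot be mapped")
    # Swap the prefix bits and keep everything to the right of them.
    swapped = int(dst.network_address) | (int(addr) & int(src.hostmask))
    words = _words(ipaddress.IPv6Address(swapped))
    # adjustment = sum(old prefix) - sum(new prefix), in one's complement.
    old = ones_sum(_words(src.network_address))
    new = ones_sum(_words(dst.network_address))
    adjustment = ones_sum([old, ~new & 0xFFFF])
    # With a /48 or shorter prefix the correction goes into bits 48-63.
    words[3] = ones_sum([words[3], adjustment])
    if words[3] == 0xFFFF:
        words[3] = 0x0000
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

def checksum_neutral(before, after):
    """True when both addresses contribute the same amount to a checksum."""
    a = ones_sum(_words(ipaddress.IPv6Address(before)))
    b = ones_sum(_words(ipaddress.IPv6Address(after)))
    return a % 0xFFFF == b % 0xFFFF  # 0x0000 and 0xFFFF are both zero

if __name__ == "__main__":
    # Prefix pairs from the two <policy> entries; host parts are constructed.
    for host, inside, outside in (
        ("fd03:c03a:ecab:1::1234", "fd03:c03a:ecab::/48", "2001:db8:1::/48"),
        ("fda8:d5cb:14f3:20::99", "fda8:d5cb:14f3::/48", "2001:db8:6666::/48"),
    ):
        out = nptv6_translate(host, inside, outside)
        back = nptv6_translate(out, outside, inside)
        print(host, "->", out, "->", back, checksum_neutral(host, out))
```

   Because the adjustment is folded into bits 48-63, transport checksums
   computed over the pseudo-header remain valid without the translator
   touching the payload.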

Authors' Addresses

   Mohamed Boucadair (editor)
   Orange
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes  35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale  94089
   USA

   Email: sureshk@juniper.net

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: bill.wu@huawei.com
