diff options
author | Marek Gradzki <mgradzki@cisco.com> | 2018-05-10 08:41:03 +0200 |
---|---|---|
committer | Marek Gradzki <mgradzki@cisco.com> | 2018-05-17 05:20:09 +0000 |
commit | 58bb277ee19627abbf5d8c7e77aeacfe8b63995f (patch) | |
tree | 274497583238d25fbcdc3b827d18adecf2597144 /nat/nat-api/src | |
parent | 03f6001049d60c59c81408c472996cba4e703a75 (diff) |
HC2VPP-321: bump nat model to ietf-nat@2018-02-23.yang
Uses ietf-nat module as defined in
https://tools.ietf.org/html/draft-ietf-opsawg-nat-yang-14
Modifications to original model:
- ip-address is used instead of ip-prefix
(draft is not clear, see HC2VPP-325).
API changes relevant to HC/VPP:
- nat-config and nat-state merged into nat container
- nat-instances and nat-instace renamed
to instances and instance respectively
- external-ip-address-pool has new parent - policy list
- port-type choice was removed, port is now defined using
start-port-number and end-port-number leaves.
Missing end is equivalent to single-port-number case from
the older version.
TODOs:
- HC2VPP-322: single nat64Prefix per NAT instance
- HC2VPP-323: update postman collection
- HC2VPP-324: update CSIT tests.
Out of the scope of NAT model update:
- HC2VPP-326: support for nat-type handling
(vpp-nat model might become obsolete)
- HC2VPP-327: support external-realm container
(requires adding augmentations
that are alredy present in the interface-nat model).
Change-Id: Ie229a55b0a3f6ee3f8c97f4fd13c54a797a62438
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'nat/nat-api/src')
-rw-r--r-- | nat/nat-api/src/main/yang/ietf-nat@2015-09-08.yang | 1074 | ||||
-rw-r--r-- | nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang | 2392 | ||||
-rw-r--r-- | nat/nat-api/src/main/yang/vpp-nat@2018-05-10.yang (renamed from nat/nat-api/src/main/yang/vpp-nat@2017-08-04.yang) | 16 |
3 files changed, 2399 insertions, 1083 deletions
diff --git a/nat/nat-api/src/main/yang/ietf-nat@2015-09-08.yang b/nat/nat-api/src/main/yang/ietf-nat@2015-09-08.yang deleted file mode 100644 index 54707708c..000000000 --- a/nat/nat-api/src/main/yang/ietf-nat@2015-09-08.yang +++ /dev/null @@ -1,1074 +0,0 @@ -module ietf-nat { - - namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; - //namespace to be assigned by IANA - prefix "nat"; - import ietf-inet-types { - prefix "inet"; - } - - organization "IETF NetMod Working Group"; - contact - "Senthil Sivakumar <ssenthil@cisco.com> - Mohamed Boucadair <mohamed.boucadair@orange.com> - Suresh Vinapamula <sureshk@juniper.net>"; - - description - "This module is a YANG module for NAT implementations - (including both NAT44 and NAT64 flavors. - - Copyright (c) 2015 IETF Trust and the persons identified as - authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD License - set forth in Section 4.c of the IETF Trust's Legal Provisions - Relating to IETF Documents - (http://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX; see - the RFC itself for full legal notices."; - - revision 2015-09-08 { - description "Fixes few YANG errors."; - reference "-02"; - } - - revision 2015-09-07 { - description "Completes the NAT64 model."; - reference "01"; - } - - revision 2015-08-29 { - description "Initial version."; - reference "00"; - } - - typedef percent { - type uint8 { - range "0 .. 100"; - } - description - "Percentage"; - } - - /* - * Grouping - */ - - grouping timeouts { - description - "Configure values of various timeouts."; - - leaf udp-timeouts { - type uint32; - default 300; - description - "UDP inactivity timeout."; - } - - leaf tcp-idle-timeout { - type uint32; - default 7440; - description - "TCP Idle timeout, as per RFC 5382 should be no - 2 hours and 4 minutes."; - } - - leaf tcp-trans-open-timeout { - type uint32; - default 240; - description - "The value of the transitory open connection - idle-timeout."; - } - - leaf tcp-trans-close-timeout { - type uint32; - default 240; - description - "The value of the transitory close connection - idle-timeout."; - } - - leaf tcp-in-syn-timeout { - type uint32; - default 6; - description - "6 seconds, as defined in [RFC5382]."; - } - - leaf fragment-min-timeout { - type uint32; - default 2; - description - "As long as the NAT has available resources, - the NAT allows the fragments to arrive - over fragment-min-timeout interval. - The default value is inspired from RFC6146."; - } - - leaf icmp-timeout { - type uint32; - default 60; - description - "60 seconds, as defined in [RFC5508]."; - } - } - - // port numbers: single or port range - - grouping port-number { - description - "Individual port or a range of ports."; - - choice port-type { - default single-port-number; - description - "Port type: single or port-range."; - - case single-port-number { - leaf single-port-number { - type inet:port-number; - description - "Used for single port numbers."; - } - } - - case port-range { - leaf start-port-number { - type inet:port-number; - description - "Begining of the port range."; - } - - leaf end-port-number { - type inet:port-number; - description - "End of the port range."; - } - } - } - } - - grouping mapping-entry { - description - "NAT mapping entry."; - - leaf index { - type uint32; - description - "A unique identifier of a mapping entry."; - } - - leaf type { - type enumeration { - enum "static" { - description - "The mapping entry is manually configured."; - } - - enum "dynamic" { - description - "This mapping is created by an outgoing - packet."; - } - } - description - "Indicates the type of a mapping entry. E.g., - a mapping can be: static or dynamic"; - } - - leaf internal-src-address { - type inet:ip-address; - mandatory true; - description - "Corresponds to the source IPv4/IPv6 address - of the IPv4 packet"; - } - - container internal-src-port { - description - "Corresponds to the source port of the - IPv4 packet."; - uses port-number; - } - - leaf external-src-address { - type inet:ipv4-address; - mandatory true; - description - "External IPv4 address assigned by NAT"; - } - - container external-src-port { - description - "External source port number assigned by NAT."; - uses port-number; - } - - leaf transport-protocol { - type uint8; - // mandatory true; - description - "Upper-layer protocol associated with this mapping. - Values are taken from the IANA protocol registry. - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; - } - - leaf internal-dst-address { - type inet:ipv4-prefix; - description - "Corresponds to the destination IPv4 address - of the IPv4 packet, for example, some NAT - implementation support translating both source - and destination address and ports referred to as - Twice NAT"; - } - - container internal-dst-port { - description - "Corresponds to the destination port of the - IPv4 packet."; - uses port-number; - } - - leaf external-dst-address { - type inet:ipv4-address; - description - "External destination IPv4 address"; - } - - container external-dst-port { - description - "External source port number."; - uses port-number; - } - - leaf lifetime { - type uint32; - // mandatory true; - description - "Lifetime of the mapping."; - } - } - - grouping nat-parameters { - description - "NAT parameters for a given instance"; - - list external-ip-address-pool { - key pool-id; - - - description - "Pool of external IP addresses used to service - internal hosts. - Both contiguous and non-contiguous pools - can be configured for NAT."; - - leaf pool-id { - type uint32; - description - "An identifier of the address pool."; - } - - leaf external-ip-pool { - type inet:ipv4-prefix; - description - "An IPv4 prefix used for NAT purposes."; - } - } - - - leaf subscriber-mask-v6 { - type uint8 { - range "0 .. 128"; - } - description - "The subscriber-mask is an integer that indicates - the length of significant bits to be applied on - the source IP address (internal side) to - unambiguously identify a CPE. - - Subscriber-mask is a system-wide configuration - parameter that is used to enforce generic - per-subscriberpolicies (e.g., port-quota). - - The enforcement of these generic policies does not - require the configuration of every subscriber's - prefix. - - Example: suppose the 2001:db8:100:100::/56 prefix - is assigned to a NAT64 serviced CPE. Suppose also - that 2001:db8:100:100::1 is the IPv6 address used - by the client that resides in that CPE. When the - NAT64 receives a packet from this client, - it applies the subscriber-mask (e.g., 56) on - the source IPv6 address to compute the associated - prefix for this client (2001:db8:100:100::/56). - Then, the NAT64 enforces policies based on that - prefix (2001:db8:100:100::/56), not on the exact - source IPv6 address."; - } - - - list subscriber-mask-v4 { - - key sub-mask-id; - - description - "IPv4 subscriber mask."; - - leaf sub-mask-id { - type uint32; - description - "An identifier of the subscriber masks."; - } - leaf sub-mask { - type inet:ipv4-prefix; - // mandatory true; - description - "The IP address subnets that matches - should be translated. E.g., If the - private realms that are to be translated - by NAT would be 192.0.2.0/24"; - } - } - - leaf paired-address-pooling { - type boolean; - default true; - description - "Paired address pooling is indicating to NAT - that all the flows from an internal IP - address must be assigned the same external - address. This is defined in RFC 4007."; - } - - leaf nat-mapping-type { - type enumeration { - enum "eim" { - description - "endpoint-independent-mapping. - Refer section 4 of RFC 4787."; - } - - enum "adm" { - description - "address-dependent-mapping. - Refer section 4 of RFC 4787."; - } - - enum "edm" { - description - "address-and-port-dependent-mapping. - Refer section 4 of RFC 4787."; - } - } - description - "Indicates the type of a NAT mapping."; - } - leaf nat-filtering-type { - type enumeration { - enum "eif" { - description - "endpoint-independent- filtering. - Refer section 5 of RFC 4787."; - } - - enum "adf" { - description - "address-dependent- filtering. - Refer section 5 of RFC 4787."; - } - - enum "edf" { - description - "address-and-port-dependent- filtering. - Refer section 5 of RFC 4787."; - } - } - description - "Indicates the type of a NAT filtering."; - } - - leaf port-quota { - type uint16; - description - "Configures a port quota to be assigned per - subscriber."; - } - - container port-set { - description - "Manages port-set assignments."; - - leaf port-set-enable { - type boolean; - description - "Enable/Disable port set assignment."; - } - - leaf port-set-size { - type uint16; - description - "Indicates the size of assigned port - sets."; - } - - leaf port-set-timeout { - type uint32; - description - "Inactivty timeout for port sets."; - } - } - - leaf port-randomization-enable { - type boolean; - description - "Enable/disable port randomization - feature."; - } - - leaf port-preservation-enable { - type boolean; - description - "Indicates whether the PCP server should - preserve the internal port number."; - } - - leaf port-range-preservation-enable { - type boolean; - description - "Indicates whether the NAT device should - preserve the internal port range."; - } - - leaf port-parity-preservation-enable { - type boolean; - description - "Indicates whether the PCP server should - preserve the port parity of the - internal port number."; - } - leaf address-roundrobin-enable { - type boolean; - description - "Enable/disable address allocation - round robin."; - } - - uses timeouts; - container logging-info { - description - "Information about Logging NAT events"; - - leaf destination-address { - type inet:ipv4-prefix; - // mandatory true; - description - "Address of the collector that receives - the logs"; - } - leaf destination-port { - type inet:port-number; - // mandatory true; - description - "Destination port of the collector."; - } - - } - container connection-limit { - description - "Information on the config parameters that - rate limit the translations based on various - criteria"; - - leaf limit-per-subscriber { - type uint32; - description - "Maximum number of NAT mappings per - subscriber."; - } - leaf limit-per-vrf { - type uint32; - description - "Maximum number of NAT mappings per - VLAN/VRF."; - } - leaf limit-per-subnet { - type inet:ipv4-prefix; - description - "Maximum number of NAT mappings per - subnet."; - } - leaf limit-per-instance { - type uint32; - // mandatory true; - description - "Maximum number of NAT mappings per - instance."; - } - } - container mapping-limit { - description - "Information on the config parameters that - rate limit the mappings based on various - criteria"; - - leaf limit-per-subscriber { - type uint32; - description - "Maximum number of NAT mappings per - subscriber."; - } - leaf limit-per-vrf { - type uint32; - description - "Maximum number of NAT mappings per - VLAN/VRF."; - } - leaf limit-per-subnet { - type inet:ipv4-prefix; - description - "Maximum number of NAT mappings per - subnet."; - } - leaf limit-per-instance { - type uint32; - // mandatory true; - description - "Maximum number of NAT mappings per - instance."; - } - } - leaf ftp-alg-enable { - type boolean; - description - "Enable/Disable FTP ALG"; - } - - leaf dns-alg-enable { - type boolean; - description - "Enable/Disable DNSALG"; - } - - leaf tftp-alg-enable { - type boolean; - description - "Enable/Disable TFTP ALG"; - } - - leaf msrpc-alg-enable { - type boolean; - description - "Enable/Disable MS-RPC ALG"; - } - - leaf netbios-alg-enable { - type boolean; - description - "Enable/Disable NetBIOS ALG"; - } - - leaf rcmd-alg-enable { - type boolean; - description - "Enable/Disable rcmd ALG"; - } - - leaf ldap-alg-enable { - type boolean; - description - "Enable/Disable LDAP ALG"; - } - - leaf sip-alg-enable { - type boolean; - description - "Enable/Disable SIP ALG"; - } - - leaf rtsp-alg-enable { - type boolean; - description - "Enable/Disable RTSP ALG"; - } - - leaf h323-alg-enable { - type boolean; - description - "Enable/Disable H323 ALG"; - } - - leaf all-algs-enable { - type boolean; - description - "Enable/Disable all the ALGs"; - } - - container notify-pool-usage { - description - "Notification of Pool usage when certain criteria - is met"; - - leaf pool-id { - type uint32; - description - "Pool-ID for which the notification - criteria is defined"; - } - - leaf notify-pool-hi-threshold { - type percent; - // mandatory true; - description - "Notification must be generated when the - defined high threshold is reached. - For example, if a notification is - required when the pool utilization reaches - 90%, this configuration parameter must - be set to 90%"; - } - - leaf notify-pool-low-threshold { - type percent; - description - "Notification must be generated when the defined - low threshold is reached. - For example, if a notification is required when - the pool utilization reaches below 10%, - this configuration parameter must be set to - 10%"; - } - } - list nat64-prefixes { - key nat64-prefix-id; - - description - "Provides one or a list of NAT64 prefixes - With or without a list of destination IPv4 prefixes. - - Destination-based Pref64::/n is discussed in - Section 5.1 of [RFC7050]). For example: - 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. - 198.51.100.0/24 is mapped to 2001:db8:122::/48."; - - leaf nat64-prefix-id { - type uint32; - description - "An identifier of the NAT64 prefix."; - } - - leaf nat64-prefix { - type inet:ipv6-prefix; - default "64:ff9b::/96"; - description - "A NAT64 prefix. Can be NSP or WKP [RFC6052]."; - } - - list destination-ipv4-prefix { - - key ipv4-prefix-id; - - description - "An IPv4 prefix/address."; - - leaf ipv4-prefix-id { - type uint32; - description - "An identifier of the IPv4 prefix/address."; - } - - leaf ipv4-prefix { - type inet:ipv4-prefix; - description - "An IPv4 address/prefix. "; - } - } - } - } //nat-parameters group - - container nat-config { - description - "NAT"; - - container nat-instances { - description - "nat instances"; - - list nat-instance { - - key "id"; - - description - "A NAT instance."; - - leaf id { - type uint32; - description - "NAT instance identifier."; - } - - leaf enable { - type boolean; - description - "Status of the the NAT instance."; - } - - uses nat-parameters; - - container mapping-table { - description - "NAT dynamic mapping table used to track - sessions"; - - list mapping-entry { - key "index"; - description - "NAT mapping entry."; - uses mapping-entry; - } - } - } - } - } - - /* - * NAT State - */ - - container nat-state { - - config false; - - description - "nat-state"; - - container nat-instances { - description - "nat instances"; - - list nat-instance { - key "id"; - - description - "nat instance"; - - leaf id { - // FIXME changed int32 to uint32 to align with nat-config (authors of draft notified) - type uint32; - description - "The identifier of the nat instance."; - } - - container nat-capabilities { - description - "NAT Capabilities"; - - leaf nat44-support { - type boolean; - description - "Indicates NAT44 support"; - } - - leaf nat64-support { - type boolean; - description - "Indicates NAT64 support"; - } - - leaf static-mapping-support { - type boolean; - description - "Indicates whether static mappings are - supported."; - } - - leaf port-set-support { - type boolean; - description - "Indicates port set assignment - support "; - } - - leaf port-randomization-support { - type boolean; - description - "Indicates whether port randomization is - supported."; - } - - leaf port-range-preservation-support { - type boolean; - description - "Indicates whether port range - preservation is supported."; - } - - leaf port-preservation-suport { - type boolean; - description - "Indicates whether port preservation - is supported."; - } - - leaf port-parity-preservation-support { - type boolean; - description - "Indicates whether port parity - preservation is supported."; - } - - leaf address-roundrobin-support { - type boolean; - description - "Indicates whether address allocation - round robin is supported."; - } - - leaf ftp-alg-support { - type boolean; - description - "Indicates whether FTP ALG is supported"; - } - - leaf dns-alg-support { - type boolean; - description - "Indicates whether DNSALG is supported"; - } - - leaf tftp-support { - type boolean; - description - "Indicates whether TFTP ALG is supported"; - } - - leaf msrpc-alg-support { - type boolean; - description - "Indicates whether MS-RPC ALG is supported"; - } - - leaf netbios-alg-support { - type boolean; - description - "Indicates whether NetBIOS ALG is supported"; - } - - leaf rcmd-alg-support { - type boolean; - description - "Indicates whether rcmd ALG is supported"; - } - - leaf ldap-alg-support { - type boolean; - description - "Indicates whether LDAP ALG is supported"; - } - - leaf sip-alg-support { - type boolean; - description - "Indicates whether SIP ALG is supported"; - } - - leaf rtsp-alg-support { - type boolean; - description - "Indicates whether RTSP ALG is supported"; - } - - leaf h323-alg-support { - type boolean; - description - "Indicates whether H323 ALG is supported"; - } - - leaf paired-address-pooling-support { - type boolean; - description - "Indicates whether paired-address-pooling is - supported"; - } - - leaf endpoint-independent-mapping-support { - type boolean; - description - "Indicates whether endpoint-independent-mapping - in Section 4 of RFC 4787 is supported."; - } - - leaf address-dependent-mapping-support { - type boolean; - description - "Indicates whether endpoint-independent-mapping - in Section 4 of RFC 4787 is supported."; - } - - leaf address-and-port-dependent-mapping-support { - type boolean; - description - "Indicates whether endpoint-independent-mapping in - section 4 of RFC 4787 is supported."; - } - - leaf endpoint-independent-filtering-support { - type boolean; - description - "Indicates whether endpoint-independent-mapping in - section 5 of RFC 4787 is supported."; - } - - leaf address-dependent-filtering { - type boolean; - description - "Indicates whether endpoint-independent-mapping in - section 5 of RFC 4787 is supported."; - } - - leaf address-and-port-dependent-filtering { - type boolean; - description - "Indicates whether endpoint-independent-mapping in - section 5 of RFC 4787 is supported."; - } - - leaf stealth-mode-support { - type boolean; - description - "Indicates whether to respond for unsolicited - traffic."; - } - - } - - container nat-current-config { - description - "current config"; - - uses nat-parameters; - } - - container mapping-table { - description - "Mapping table"; - list mapping-entry { - key "index"; - description - "mapping entry"; - uses mapping-entry; - } - } - - container statistics { - description - "Statistics related to the NAT instance"; - - leaf total-mappings { - type uint32; - description - "Total number of NAT Mappings present - at the time. This includes all the - static and dynamic mappings"; - } - leaf total-tcp-mappings { - type uint32; - description - "Total number of TCP Mappings present - at the time."; - } - leaf total-udp-mappings { - type uint32; - description - "Total number of UDP Mappings present - at the time."; - } - leaf total-icmp-mappings { - type uint32; - description - "Total number of ICMP Mappings present - at the time."; - } - container pool-stats { - description - "Statistics related to Pool usage"; - leaf pool-id { - type uint32; - description - "Unique Identifier that represents - a pool"; - } - leaf address-allocated { - type uint32; - description - "Number of allocated addresses in - the pool"; - } - leaf address-free { - type uint32; - description - "Number of free addresses in - the pool.The sum of free - addresses and allocated - addresses are the total - addresses in the pool"; - } - container port-stats { - description - "Statistics related to port - usage."; - - leaf ports-allocated { - type uint32; - description - "Number of allocated ports - in the pool"; - } - - leaf ports-free { - type uint32; - description - "Number of free addresses - in the pool"; - } - } - } - } //statistics - } //nat-instance - } //nat-instances - } //nat-state - /* - * Notifications - */ - notification nat-event { - description - "Notifications must be generated when the defined - high/low threshold is reached. Related configuration - parameters must be provided to trigger - the notifications."; - - leaf id { - type leafref { - path - "/nat-state/nat-instances/" - + "nat-instance/id"; - } - description - "NAT instance ID."; - } - - leaf notify-pool-threshold { - type percent; - // mandatory true; - description - "A treshhold has been fired."; - } - } -} //module nat
\ No newline at end of file diff --git a/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang b/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang new file mode 100644 index 000000000..77e2d7be7 --- /dev/null +++ b/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang @@ -0,0 +1,2392 @@ +module ietf-nat { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; + prefix "nat"; + + import ietf-inet-types { + prefix inet; + reference + "Section 4 of RFC 6991"; + } + + import ietf-yang-types { + prefix yang; + reference + "Section 3 of RFC 6991"; + } + + import ietf-interfaces { + prefix if; + reference + "RFC 8343: A YANG Data Model for Interface Management"; + } + + organization + "IETF OPSAWG (Operations and Management Area Working Group)"; + + contact + + "WG Web: <https://datatracker.ietf.org/wg/opsawg/> + WG List: <mailto:opsawg@ietf.org> + + Editor: Mohamed Boucadair + <mailto:mohamed.boucadair@orange.com> + + Editor: Senthil Sivakumar + <mailto:ssenthil@cisco.com> + + Editor: Christian Jacquenet + <mailto:christian.jacquenet@orange.com> + + Editor: Suresh Vinapamula + <mailto:sureshk@juniper.net> + + Editor: Qin Wu + <mailto:bill.wu@huawei.com>"; + + description + "This module is a YANG module for NAT implementations. + + NAT44, Network Address and Protocol Translation from IPv6 + Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), + Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings + for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network + Prefix Translation (NPTv6), and Destination NAT are covered. + + Copyright (c) 2018 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + + revision 2018-02-23 { + description + "Initial revision."; + reference + "RFC XXXX: A YANG Module for Network Address Translation + (NAT) and Network Prefix Translation (NPT)"; + } + + /* + * Definitions + */ + + typedef percent { + type uint8 { + range "0 .. 100"; + } + description + "Percentage"; + } + + /* + * Features + */ + + feature basic-nat44{ + description + "Basic NAT44 translation is limited to IP addresses alone."; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + feature napt44 { + description + "Network Address/Port Translator (NAPT): translation is + extended to include IP addresses and transport identifiers + (such as a TCP/UDP port or ICMP query ID). + + If the internal IP address is not sufficient to uniquely + disambiguate NAPT44 mappings, an additional attribute is + required. For example, that additional attribute may + be an IPv6 address (a.k.a., DS-Lite) or + a Layer 2 identifier (a.k.a., Per-Interface NAT)"; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + feature dst-nat { + description + "Destination NAT is a translation that acts on the destination + IP address and/or destination port number. This flavor is + usually deployed in load balancers or at devices + in front of public servers."; + } + + feature nat64 { + description + "NAT64 translation allows IPv6-only clients to contact IPv4 + servers using unicast UDP, TCP, or ICMP. One or more + public IPv4 addresses assigned to a NAT64 translator are + shared among several IPv6-only clients."; + reference + "RFC 6146: Stateful NAT64: Network Address and Protocol + Translation from IPv6 Clients to IPv4 Servers"; + } + + feature siit { + description + "The Stateless IP/ICMP Translation Algorithm (SIIT), which + translates between IPv4 and IPv6 packet headers (including + ICMP headers). + + In the stateless mode, an IP/ICMP translator converts IPv4 + addresses to IPv6 and vice versa solely based on the + configuration of the stateless IP/ICMP translator and + information contained within the packet being translated. + + The translator must support the stateless address mapping + algorithm defined in RFC6052, which is the default behavior."; + reference + "RFC 7915: IP/ICMP Translation Algorithm"; + } + + feature clat { + description + "CLAT is customer-side translator that algorithmically + translates 1:1 private IPv4 addresses to global IPv6 addresses, + and vice versa. + + When a dedicated /64 prefix is not available for translation + from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN + packets so that all the LAN-originated IPv4 packets appear + from a single IPv4 address and are then statelessly translated + to one interface IPv6 address that is claimed by the CLAT via + the Neighbor Discovery Protocol (NDP) and defended with + Duplicate Address Detection."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and Stateless + Translation"; + } + + feature eam { + description + "Explicit Address Mapping (EAM) is a bidirectional coupling + between an IPv4 Prefix and an IPv6 Prefix."; + reference + "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP + Translation"; + } + + feature nptv6 { + description + "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 + prefix translation."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + + /* + * Identities + */ + + identity nat-type { + description + "Base identity for nat type."; + } + + identity basic-nat44 { + base nat:nat-type; + description + "Identity for Basic NAT support."; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + identity napt44 { + base nat:nat-type; + description + "Identity for NAPT support."; + reference + "RFC 3022: Traditional IP Network Address Translator + (Traditional NAT)"; + } + + identity dst-nat { + base nat:nat-type; + description + "Identity for Destination NAT support."; + } + + identity nat64 { + base nat:nat-type; + description + "Identity for NAT64 support."; + reference + "RFC 6146: Stateful NAT64: Network Address and Protocol + Translation from IPv6 Clients to IPv4 Servers"; + } + + identity siit { + base nat:nat-type; + description + "Identity for SIIT support."; + reference + "RFC 7915: IP/ICMP Translation Algorithm"; + } + + identity clat { + base nat:nat-type; + description + "Identity for CLAT support."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and Stateless + Translation"; + } + + identity eam { + base nat:nat-type; + description + "Identity for EAM support."; + reference + "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP + Translation"; + } + + identity nptv6 { + base nat:nat-type; + description + "Identity for NPTv6 support."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + + /* + * Grouping + */ + + grouping port-number { + description + "Individual port or a range of ports. + When only start-port-number is present, + it represents a single port number."; + + leaf start-port-number { + type inet:port-number; + description + "Beginning of the port range."; + reference + "Section 3.2.9 of RFC 8045."; + } + + leaf end-port-number { + type inet:port-number; + + must ". >= ../start-port-number" + { + error-message + "The end-port-number must be greater than or + equal to start-port-number."; + } + description + "End of the port range."; + reference + "Section 3.2.10 of RFC 8045."; + } + } + + grouping port-set { + description + "Indicates a set of ports. + + It may be a simple port range, or use the Port Set ID (PSID) + algorithm to represent a range of transport layer + ports which will be used by a NAPT."; + + choice port-type { + default port-range; + description + "Port type: port-range or port-set-algo."; + case port-range { + uses port-number; + } + + case port-set-algo { + leaf psid-offset { + type uint8 { + range 0..15; + } + + description + "The number of offset bits (a.k.a., 'a' bits). + + Specifies the numeric value for the excluded port + range/offset bits. + + Allowed values are between 0 and 15 "; + + reference + "Section 5.1 of RFC 7597"; + } + + leaf psid-len { + type uint8 { + range 0..15; + } + mandatory true; + + description + "The length of PSID, representing the sharing + ratio for an IPv4 address. + + (also known as 'k'). + + The address-sharing ratio would be 2^k."; + reference + "Section 5.1 of RFC 7597"; + } + + leaf psid { + type uint16; + mandatory true; + description + "Port Set Identifier (PSID) value, which + identifies a set of ports algorithmically."; + reference + "Section 5.1 of RFC 7597"; + } + } + reference + "Section 7597: Mapping of Address and Port with + Encapsulation (MAP-E)"; + } + } + + grouping mapping-entry { + description + "NAT mapping entry. + + If an attribute is not stored in the mapping/session table, + this means the corresponding fields of a packet that + matches this entry is not rewritten by the NAT or this + information is not required for NAT filtering purposes."; + + leaf index { + type uint32; + description + "A unique identifier of a mapping entry. This identifier can be + automatically assigned by the NAT instance or be explicitly + configured."; + } + + leaf type { + type enumeration { + enum "static" { + description + "The mapping entry is explicitly configured + (e.g., via command-line interface)."; + } + + enum "dynamic-implicit" { + description + "This mapping is created implicitly as a side effect + of processing a packet that requires a new mapping."; + + } + + enum "dynamic-explicit" { + description + "This mapping is created as a result of an explicit + request, e.g., a PCP message."; + + } + } + description + "Indicates the type of a mapping entry. E.g., + a mapping can be: static, implicit dynamic + or explicit dynamic."; + } + + leaf transport-protocol { + type uint8; + description + "Upper-layer protocol associated with this mapping. + Values are taken from the IANA protocol registry. + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping. + + If this leaf is not instantiated, then the mapping + applies to any protocol."; + } + + leaf internal-src-address { + // TODO(HC2VPP-325): original model uses inet:ip-prefix; + type inet:ip-address; + description + "Corresponds to the source IPv4/IPv6 address/prefix + of the packet received on an internal + interface."; + } + + container internal-src-port { + description + "Corresponds to the source port of the packet received + on an internal interface. + + It is used also to indicate the internal source ICMP + identifier. + + As a reminder, all the ICMP Query messages contain + an 'Identifier' field, which is referred to in this + document as the 'ICMP Identifier'."; + + uses port-number; + } + + leaf external-src-address { + // TODO(HC2VPP-325): original model uses inet:ip-prefix; + type inet:ipv4-address; + description + "Source IP address/prefix of the packet sent on an + external interface of the NAT."; + } + + container external-src-port { + description + "Source port of the packet sent on an external + interface of the NAT. + It is used also to indicate the external source ICMP + identifier."; + + uses port-number; + } + + leaf internal-dst-address { + // TODO(HC2VPP-325): original model uses inet:ip-prefix; + type inet:ipv4-prefix; + description + "Corresponds to the destination IP address/prefix + of the packet received on an internal interface + of the NAT. + + For example, some NAT implementations support + the translation of both source and destination + addresses and ports, sometimes referred to + as 'Twice NAT'."; + } + + container internal-dst-port { + description + "Corresponds to the destination port of the + IP packet received on the internal interface. + + It is used also to include the internal + destination ICMP identifier."; + + uses port-number; + } + + leaf external-dst-address { + // TODO(HC2VPP-325): original model uses inet:ip-prefix; + type inet:ipv4-address; + description + "Corresponds to the destination IP address/prefix + of the packet sent on an external interface + of the NAT."; + } + + container external-dst-port { + description + "Corresponds to the destination port number of + the packet sent on the external interface + of the NAT. + + It is used also to include the external + destination ICMP identifier."; + + uses port-number; + } + + leaf lifetime { + type uint32; + units "seconds"; + description + "When specified, it is used to track the connection that is + fully-formed (e.g., once the three-way handshake + TCP is completed) or the duration for maintaining + an explicit mapping alive. The mapping entry will be + removed by the NAT instance once this lifetime is expired. + + When reported in a get operation, the lifetime indicates + the remaining validity lifetime. + + Static mappings may not be associated with a + lifetime. If no lifetime is associated with a + static mapping, an explicit action is required to + remove that mapping."; + } + } + + /* + * NAT Module + */ + + container nat { + description + "NAT module"; + + container instances { + description + "NAT instances"; + + list instance { + key "id"; + + description + "A NAT instance. This identifier can be automatically assigned + or explicitly configured."; + + leaf id { + type uint32; + must ". >= 1"; + description + "NAT instance identifier. + + The identifier must be greater than zero."; + reference + "RFC 7659: Definitions of Managed Objects for Network + Address Translators (NATs)"; + } + + leaf name { + type string; + description + "A name associated with the NAT instance."; + reference + "RFC 7659: Definitions of Managed Objects for Network + Address Translators (NATs)"; + } + + leaf enable { + type boolean; + description + "Status of the NAT instance."; + } + + container capabilities { + config false; + + description + "NAT capabilities"; + + leaf-list nat-flavor { + type identityref { + base nat-type; + } + description + "Supported translation type(s)."; + } + + leaf-list per-interface-binding { + type enumeration { + enum "unsupported" { + description + "No capability to associate a NAT binding with + an extra identifier."; + } + + enum "layer-2" { + description + "The NAT instance is able to associate a mapping with + a layer-2 identifier."; + } + + enum "dslite" { + description + "The NAT instance is able to associate a mapping with + an IPv6 address (a.k.a., DS-Lite)."; + } + } + description + "Indicates the capability of a NAT to associate a particular + NAT session not only with the five tuples used for the + transport connection on both sides of the NAT but also with + the internal interface on which the user device is + connected to the NAT."; + reference + "Section 4 of RFC 6619"; + } + + list transport-protocols { + key protocol-id; + + description + "List of supported protocols."; + + leaf protocol-id { + type uint8; + mandatory true; + description + "Upper-layer protocol associated with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping."; + } + + leaf protocol-name { + type string; + description + "The name of the Upper-layer protocol associated + with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, TCP, UDP, DCCP, and SCTP."; + } + } + + leaf restricted-port-support { + type boolean; + description + "Indicates source port NAT restriction support."; + reference + "RFC 7596: Lightweight 4over6: An Extension to + the Dual-Stack Lite Architecture."; + } + + leaf static-mapping-support { + type boolean; + description + "Indicates whether static mappings are supported."; + } + + leaf port-randomization-support { + type boolean; + description + "Indicates whether port randomization is supported."; + reference + "Section 4.2.1 of RFC 4787."; + } + + leaf port-range-allocation-support { + type boolean; + description + "Indicates whether port range allocation is supported."; + reference + "Section 1.1 of RFC 7753."; + } + + leaf port-preservation-suport { + type boolean; + description + "Indicates whether port preservation is supported."; + reference + "Section 4.2.1 of RFC 4787."; + } + + leaf port-parity-preservation-support { + type boolean; + description + "Indicates whether port parity preservation is + supported."; + reference + "Section 8 of RFC 7857."; + } + + leaf address-roundrobin-support { + type boolean; + description + "Indicates whether address allocation round robin is + supported."; + } + + leaf paired-address-pooling-support { + type boolean; + description + "Indicates whether paired-address-pooling is + supported"; + reference + "REQ-2 of RFC 4787."; + } + + leaf endpoint-independent-mapping-support { + type boolean; + description + "Indicates whether endpoint-independent- + mapping is supported."; + reference + "Section 4 of RFC 4787."; + } + + leaf address-dependent-mapping-support { + type boolean; + description + "Indicates whether address-dependent-mapping is + supported."; + reference + "Section 4 of RFC 4787."; + } + + leaf address-and-port-dependent-mapping-support { + type boolean; + description + "Indicates whether address-and-port-dependent-mapping is + supported."; + reference + "Section 4 of RFC 4787."; + } + + leaf endpoint-independent-filtering-support { + type boolean; + description + "Indicates whether endpoint-independent-filtering is + supported."; + reference + "Section 5 of RFC 4787."; + } + + leaf address-dependent-filtering { + type boolean; + description + "Indicates whether address-dependent-filtering is + supported."; + reference + "Section 5 of RFC 4787."; + } + + leaf address-and-port-dependent-filtering { + type boolean; + description + "Indicates whether address-and-port-dependent is + supported."; + reference + "Section 5 of RFC 4787."; + } + + leaf fragment-behavior { + type enumeration { + enum "unsupported" { + description + "No capability to translate incoming fragments. + All received fragments are dropped."; + } + + enum "in-order" { + description + "The NAT instance is able to translate fragments only if + they are received in order. That is, in particular the + header is in the first packet. Fragments received + out of order are dropped. "; + } + + enum "out-of-order" { + description + "The NAT instance is able to translate a fragment even + if it is received out of order. + + This behavior is recommended."; + reference + "REQ-14 of RFC 4787"; + } + } + description + "The fragment behavior is the NAT instance's capability to + translate fragments received on the external interface of + the NAT."; + } + } + + leaf type { + type identityref { + base nat-type; + } + description + "Specify the translation type. Particularly useful when + multiple translation flavors are supported. + + If one type is supported by a NAT, this parameter is by + default set to that type."; + } + + leaf per-interface-binding { + type enumeration { + enum "disabled" { + description + "Disable the capability to associate an extra identifier + with NAT mappings."; + } + + enum "layer-2" { + description + "The NAT instance is able to associate a mapping with + a layer-2 identifier."; + } + + enum "dslite" { + description + "The NAT instance is able to associate a mapping with + an IPv6 address (a.k.a., DS-Lite)."; + } + } + description + "A NAT that associates a particular NAT session not only with + the five tuples used for the transport connection on both + sides of the NAT but also with the internal interface on + which the user device is connected to the NAT. + + If supported, this mode of operation should be configurable, + and it should be disabled by default in general-purpose NAT + devices. + + If one single per-interface binding behavior is supported by + a NAT, this parameter is by default set to that behavior."; + reference + "Section 4 of RFC 6619"; + } + + list nat-pass-through { + if-feature "basic-nat44 or napt44 or dst-nat"; + key id; + + description + "IP prefix NAT pass through."; + + leaf id { + type uint32; + description + "An identifier of the IP prefix pass through."; + } + + leaf prefix { + type inet:ip-prefix; + mandatory true; + description + "The IP addresses that match should not be translated. + + It must be possible to administratively turn + off translation for specific destination addresses + and/or ports."; + reference + "REQ#6 of RFC 6888."; + } + + leaf port { + type inet:port-number; + description + "It must be possible to administratively turn off + translation for specific destination addresses + and/or ports. + + If no prefix is defined, the NAT pass through bound + to a given port applies for any destination address."; + reference + "REQ#6 of RFC 6888."; + } + } + + list policy { + key id; + description + "NAT parameters for a given instance"; + + leaf id { + type uint32; + description + "An identifier of the NAT policy. It must be unique + within the NAT instance."; + } + + container clat-parameters { + if-feature clat; + description + "CLAT parameters."; + + list clat-ipv6-prefixes { + key ipv6-prefix; + description + "464XLAT double translation treatment is stateless when a + dedicated /64 is available for translation on the CLAT. + Otherwise, the CLAT will have both stateful and stateless + since it requires NAT44 from the LAN to a single IPv4 + address and then stateless translation to a single + IPv6 address."; + reference + "RFC 6877: 464XLAT: Combination of Stateful and Stateless + Translation"; + + leaf ipv6-prefix { + type inet:ipv6-prefix; + description + "An IPv6 prefix used for CLAT."; + } + } + + list ipv4-prefixes { + key ipv4-prefix; + description + "Pool of IPv4 addresses used for CLAT. + 192.0.0.0/29 is the IPv4 service continuity prefix."; + reference + "RFC 7335: IPv4 Service Continuity Prefix"; + + leaf ipv4-prefix { + type inet:ipv4-prefix; + description + "464XLAT double translation treatment is + stateless when a dedicated /64 is available + for translation on the CLAT. Otherwise, the + CLAT will have both stateful and stateless + since it requires NAT44 from the LAN to + a single IPv4 address and then stateless + translation to a single IPv6 address. + The CLAT performs NAT44 for all IPv4 LAN + packets so that all the LAN-originated IPv4 + packets appear from a single IPv4 address + and are then statelessly translated to one + interface IPv6 address that is claimed by + the CLAT. + + An IPv4 address from this pool is also + provided to an application that makes + use of literals."; + + reference + "RFC 6877: 464XLAT: Combination of Stateful and Stateless + Translation"; + } + } + } + + list nptv6-prefixes { + if-feature nptv6; + key internal-ipv6-prefix ; + description + "Provides one or a list of (internal IPv6 prefix, + external IPv6 prefix) required for NPTv6. + + In its simplest form, NPTv6 interconnects two network + links, one of which is an 'internal' network link + attached to a leaf network within a single + administrative domain and the other of which is an + 'external' network with connectivity to the global + Internet."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + + leaf internal-ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "An IPv6 prefix used by an internal interface of NPTv6."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + + leaf external-ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "An IPv6 prefix used by the external interface of NPTv6."; + reference + "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; + } + } + + list eam { + if-feature eam; + key ipv4-prefix; + description + "The Explicit Address Mapping Table, a conceptual + table in which each row represents an EAM. + + Each EAM describes a mapping between IPv4 and IPv6 + prefixes/addresses."; + reference + "Section 3.1 of RFC 7757."; + + leaf ipv4-prefix { + type inet:ipv4-prefix; + mandatory true; + description + "The IPv4 prefix of an EAM."; + reference + "Section 3.2 of RFC 7757."; + } + + leaf ipv6-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "The IPv6 prefix of an EAM."; + reference + "Section 3.2 of RFC 7757."; + } + } + + list nat64-prefixes { + if-feature "siit or nat64 or clat"; + key nat64-prefix; + description + "Provides one or a list of NAT64 prefixes + with or without a list of destination IPv4 prefixes. + It allows mapping IPv4 address ranges to IPv6 prefixes. + + For example: + 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. + 198.51.100.0/24 is mapped to 2001:db8:122::/48."; + reference + "Section 5.1 of RFC 7050."; + + leaf nat64-prefix { + type inet:ipv6-prefix; + mandatory true; + description + "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or + Well-Known Prefix (WKP). + + Organizations deploying stateless IPv4/IPv6 translation + should assign a Network-Specific Prefix to their + IPv4/IPv6 translation service. + + For stateless NAT64, IPv4-translatable IPv6 addresses + must use the selected Network-Specific Prefix. + + Both IPv4-translatable IPv6 addresses and IPv4-converted + IPv6 addresses should use the same prefix."; + reference + "Sections 3.3 and 3.4 of RFC 6052."; + } + + list destination-ipv4-prefix { + key ipv4-prefix; + description + "An IPv4 prefix/address."; + + leaf ipv4-prefix { + type inet:ipv4-prefix; + description + "An IPv4 address/prefix."; + } + } + + leaf stateless-enable { + type boolean; + default false; + description + "Enable explicitly stateless NAT64."; + } + } + + list external-ip-address-pool { + if-feature "basic-nat44 or napt44 or nat64"; + key pool-id; + + description + "Pool of external IP addresses used to service internal + hosts. + + A pool is a set of IP prefixes."; + + leaf pool-id { + type uint32; + must ". >= 1"; + description + "An identifier that uniquely identifies the address pool + within a NAT instance. + + The identifier must be greater than zero."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + + leaf external-ip-pool { + type inet:ipv4-prefix; + mandatory true; + description + "An IPv4 prefix used for NAT purposes."; + } + } + + container port-set-restrict { + if-feature "napt44 or nat64"; + description + "Configures contiguous and non-contiguous port ranges. + + The port set is used to restrict the external source + port numbers used by the translator."; + + uses port-set; + } + + leaf dst-nat-enable { + if-feature "basic-nat44 or napt44"; + type boolean; + default false; + description + "Enable/Disable destination NAT. + A NAT44 may be configured to enable Destination + NAT, too."; + } + + list dst-ip-address-pool { + if-feature dst-nat; + key pool-id; + description + "Pool of IP addresses used for destination NAT."; + + leaf pool-id { + type uint32; + description + "An identifier of the address pool."; + } + + leaf dst-in-ip-pool { + type inet:ip-prefix; + description + "Is used to identify an internal destination + IP prefix/address to be translated."; + } + + leaf dst-out-ip-pool { + type inet:ip-prefix; + mandatory true; + description + "IP address/prefix used for destination NAT."; + } + } + + list transport-protocols { + if-feature "napt44 or nat64 or dst-nat"; + key protocol-id; + + description + "Configure the transport protocols to be handled by + the translator. + + TCP and UDP are supported by default."; + + leaf protocol-id { + type uint8; + mandatory true; + description + "Upper-layer protocol associated with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping."; + } + + leaf protocol-name { + type string; + description + "The name of the Upper-layer protocol associated + with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, TCP, UDP, DCCP, and SCTP."; + } + } + + leaf subscriber-mask-v6 { + type uint8 { + range "0 .. 128"; + } + + description + "The subscriber mask is an integer that indicates + the length of significant bits to be applied on + the source IPv6 address (internal side) to + unambiguously identify a user device (e.g., CPE). + + Subscriber mask is a system-wide configuration + parameter that is used to enforce generic + per-subscriber policies (e.g., port-quota). + + The enforcement of these generic policies does not + require the configuration of every subscriber's + prefix. + + Example: suppose the 2001:db8:100:100::/56 prefix + is assigned to a NAT64 serviced CPE. Suppose also + that 2001:db8:100:100::1 is the IPv6 address used + by the client that resides in that CPE. When the + NAT64 receives a packet from this client, + it applies the subscriber-mask-v6 (e.g., 56) on + the source IPv6 address to compute the associated + prefix for this client (2001:db8:100:100::/56). + Then, the NAT64 enforces policies based on that + prefix (2001:db8:100:100::/56), not on the exact + source IPv6 address."; + } + + list subscriber-match { + if-feature "basic-nat44 or napt44 or dst-nat"; + key match-id; + + description + "IP prefix match. + A subscriber is identified by a subnet."; + + leaf match-id { + type uint32; + description + "An identifier of the subscriber match."; + } + + leaf subnet { + type inet:ip-prefix; + mandatory true; + description + "The IP address subnets that match + should be translated. E.g., all addresses + that belong to the 192.0.2.0/24 prefix must + be processed by the NAT."; + } + } + + leaf address-allocation-type { + type enumeration { + enum "arbitrary" { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Arbitrary pooling behavior means that the NAT + instance may create the new port mapping using any + address in the pool that has a free port for the + protocol concerned."; + } + + enum "roundrobin" { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Round robin allocation."; + } + + enum "paired" { + if-feature "napt44 or nat64"; + description + "Paired address pooling informs the NAT + that all the flows from an internal IP + address must be assigned the same external + address. This is the recommended behavior for + NAPT/NAT64."; + reference + "RFC 4787: Network Address Translation (NAT) + Behavioral Requirements for Unicast UDP"; + } + } + description + "Specifies how external IP addresses are allocated."; + } + + leaf port-allocation-type { + if-feature "napt44 or nat64"; + type enumeration { + enum "random" { + description + "Port randomization is enabled. A NAT port allocation + scheme should make it hard for attackers to guess + port numbers"; + reference + "REQ-15 of RFC 6888"; + } + + enum "port-preservation" { + description + "Indicates whether the NAT should preserve the internal + port number."; + } + + enum "port-parity-preservation" { + description + "Indicates whether the NAT should preserve the port + parity of the internal port number."; + } + + enum "port-range-allocation" { + description + "Indicates whether the NAT assigns a range of ports + for an internal host. This scheme allows to minimize + log volume."; + reference + "REQ-14 of RFC 6888"; + } + } + description + "Indicates the type of port allocation."; + } + + leaf mapping-type { + if-feature "napt44 or nat64"; + type enumeration { + enum "eim" { + description + "endpoint-independent-mapping."; + reference + "Section 4 of RFC 4787."; + } + + enum "adm" { + description + "address-dependent-mapping."; + reference + "Section 4 of RFC 4787."; + } + + enum "edm" { + description + "address-and-port-dependent-mapping."; + reference + "Section 4 of RFC 4787."; + } + } + description + "Indicates the type of a NAT mapping."; + } + + leaf filtering-type { + if-feature "napt44 or nat64"; + type enumeration { + enum "eif" { + description + "endpoint-independent-filtering."; + reference + "Section 5 of RFC 4787."; + } + + enum "adf" { + description + "address-dependent-filtering."; + reference + "Section 5 of RFC 4787."; + } + + enum "edf" { + description + "address-and-port-dependent-filtering"; + reference + "Section 5 of RFC 4787."; + } + } + description + "Indicates the type of a NAT filtering."; + } + + leaf fragment-behavior { + if-feature "napt44 or nat64"; + type enumeration { + enum "drop-all" { + description + "All received fragments are dropped."; + } + + enum "in-order" { + description + "Translate fragments only if they are received + in order."; + } + + enum "out-of-order" { + description + "Translate a fragment even if it is received out + of order. + + This behavior is recommended."; + reference + "REQ-14 of RFC 4787"; + } + } + description + "The fragment behavior instructs the NAT about the + behavior to follow to translate fragments received + on the external interface of the NAT."; + } + + list port-quota { + if-feature "napt44 or nat64"; + key quota-type; + description + "Configures a port quota to be assigned per subscriber. + It corresponds to the maximum number of ports to be + used by a subscriber."; + + leaf port-limit { + type uint16; + description + "Configures a port quota to be assigned per subscriber. + It corresponds to the maximum number of ports to be + used by a subscriber."; + reference + "REQ-4 of RFC 6888."; + } + + leaf quota-type { + type uint8; + description + "Indicates whether the port quota applies to + all protocols (0) or to a specific protocol."; + } + } + + container port-set { + + when "../port-allocation-type = 'port-range-allocation'"; + + if-feature "napt44 or nat64"; + description + "Manages port-set assignments."; + + leaf port-set-size { + type uint16; + // TODO(HC2VPP-328) + // mandatory true; + description + "Indicates the size of assigned port sets."; + } + + leaf port-set-timeout { + type uint32; + units "seconds"; + description + "inactivity timeout for port sets."; + } + } + + container timers { + if-feature "napt44 or nat64"; + description + "Configure values of various timeouts."; + + leaf udp-timeout { + type uint32; + units "seconds"; + default 300; + description + "UDP inactivity timeout. That is the time a mapping + will stay active without packets traversing the NAT."; + reference + "RFC 4787: Network Address Translation (NAT) + Behavioral Requirements for Unicast UDP"; + } + + leaf tcp-idle-timeout { + type uint32; + units "seconds"; + default 7440; + description + "TCP Idle timeout should be 2 hours and 4 minutes."; + reference + "RFC 5382: NAT Behavioral Requirements for TCP"; + } + + leaf tcp-trans-open-timeout { + type uint32; + units "seconds"; + default 240; + description + "The value of the transitory open connection + idle-timeout. + + A NAT should provide different configurable + parameters for configuring the open and + closing idle timeouts. + + To accommodate deployments that consider + a partially open timeout of 4 minutes as being + excessive from a security standpoint, a NAT may + allow the configured timeout to be less than + 4 minutes. + + However, a minimum default transitory connection + idle-timeout of 4 minutes is recommended."; + reference + "Section 2.1 of RFC 7857."; + } + + leaf tcp-trans-close-timeout { + type uint32; + units "seconds"; + default 240; + description + "The value of the transitory close connection + idle-timeout. + + A NAT should provide different configurable + parameters for configuring the open and + closing idle timeouts."; + reference + "Section 2.1 of RFC 7857."; + } + + leaf tcp-in-syn-timeout { + type uint32; + units "seconds"; + default 6; + description + "A NAT must not respond to an unsolicited + inbound SYN packet for at least 6 seconds + after the packet is received. If during + this interval the NAT receives and translates + an outbound SYN for the connection the NAT + must silently drop the original unsolicited + inbound SYN packet."; + reference + "RFC 5382 NAT Behavioral Requirements for TCP"; + } + + leaf fragment-min-timeout { + when "../../fragment-behavior='out-of-order'"; + type uint32; + units "seconds"; + default 2; + description + "As long as the NAT has available resources, + the NAT allows the fragments to arrive + over fragment-min-timeout interval. + The default value is inspired from RFC6146."; + } + + leaf icmp-timeout { + type uint32; + units "seconds"; + default 60; + description + "An ICMP Query session timer must not expire + in less than 60 seconds. It is recommended + that the ICMP Query session timer be made + configurable"; + reference + "RFC 5508: NAT Behavioral Requirements for ICMP"; + } + + list per-port-timeout { + key port-number; + description + "Some NATs are configurable with short timeouts + for some ports, e.g., as 10 seconds on + port 53 (DNS) and 123 (NTP) and longer timeouts + on other ports."; + + leaf port-number { + type inet:port-number; + description + "A port number."; + } + + leaf timeout { + type uint32; + units "seconds"; + mandatory true; + description + "Timeout for this port number"; + } + } + + leaf hold-down-timeout { + type uint32; + units "seconds"; + default 120; + description + "Hold down timer. + + Ports in the hold down pool are not reassigned until + hold-down-timeout expires. + + The length of time and the maximum number of ports in + this state must be configurable by the administrator. + + This is necessary in order to prevent collisions + between old and new mappings and sessions. It ensures + that all established sessions are broken instead of + redirected to a different peer."; + reference + "REQ#8 of RFC 6888."; + } + + leaf hold-down-max { + type uint32; + description + "Maximum ports in the Hold down timer pool. + + Ports in the hold down pool are not reassigned + until hold-down-timeout expires. + + The length of time and the maximum + number of ports in this state must be + configurable by the administrator. + This is necessary in order + to prevent collisions between old + and new mappings and sessions. It ensures + that all established sessions are broken + instead of redirected to a different peer."; + reference + "REQ#8 of RFC 6888."; + } + } + + leaf fragments-limit{ + when "../fragment-behavior='out-of-order'"; + type uint32; + description + "Limits the number of out of order fragments that can + be handled."; + reference + "Section 11 of RFC 4787."; + } + + list algs { + key name; + description + "ALG-related features."; + + leaf name { + type string; + description + "The name of the ALG."; + } + + leaf transport-protocol { + type uint32; + description + "The transport protocol used by the ALG + (e.g., TCP, UDP)."; + } + + container dst-transport-port { + uses port-number; + description + "The destination port number(s) used by the ALG. + For example, + - 21 for the FTP ALG + - 53 for the DNS ALG."; + } + + container src-transport-port { + uses port-number; + description + "The source port number(s) used by the ALG."; + } + + leaf status { + type boolean; + description + "Enable/disable the ALG."; + } + } + + leaf all-algs-enable { + type boolean; + description + "Enable/disable all ALGs. + + When specified, this parameter overrides the one + that may be indicated, eventually, by the 'status' + of an individual ALG."; + } + + container notify-pool-usage { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notification of pool usage when certain criteria + are met."; + + leaf pool-id { + type uint32; + description + "Pool-ID for which the notification criteria + is defined"; + } + + leaf high-threshold { + type percent; + description + "Notification must be generated when the defined high + threshold is reached. + + For example, if a notification is required when the + pool utilization reaches 90%, this configuration + parameter must be set to 90. + + 0% indicates that no high threshold is enabled."; + } + + leaf low-threshold { + type percent; + must ". >= ../high-threshold" { + error-message + "The upper port number must be greater than or + equal to lower port number."; + } + description + "Notification must be generated when the defined low + threshold is reached. + + For example, if a notification is required when the + pool utilization reaches below 10%, this + configuration parameter must be set to 10"; + } + + leaf notify-interval { + type uint32 { + range "1 .. 3600"; + } + units "seconds"; + default '20'; + description + "Minimum number of seconds between successive + notifications for this pool."; + + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + } + + container external-realm { + description + "Identifies the external realm of the NAT instance."; + + choice realm-type { + description + "Can be an interface, VRF instance, etc."; + + case interface { + description + "External interface."; + + leaf external-interface { + type if:interface-ref; + description + "Name of the external interface."; + } + } + } + } + } + + container mapping-limits { + if-feature "napt44 or nat64"; + description + "Information about the configuration parameters that + limits the mappings based upon various criteria."; + + leaf limit-subscribers { + type uint32; + description + "Maximum number of subscribers that can be serviced + by a NAT instance. + + A subscriber is identified by a given prefix."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + + leaf limit-address-mappings { + type uint32; + description + "Maximum number of address mappings that can be + handled by a NAT instance. + + When this limit is reached, packets that would + normally trigger translation, will be dropped."; + reference + "RFC 7659: Definitions of Managed Objects + for Network Address Translators + (NATs)"; + } + + leaf limit-port-mappings { + type uint32; + description + "Maximum number of port mappings that can be handled + by a NAT instance. + + When this limit is reached, packets that would + normally trigger translation, will be dropped."; + reference + "RFC 7659: Definitions of Managed Objects for + Network Address Translators (NATs)"; + } + + list limit-per-protocol { + if-feature "napt44 or nat64 or dst-nat"; + key protocol-id; + + description + "Configure limits per transport protocol"; + + leaf protocol-id { + type uint8; + mandatory true; + description + "Upper-layer protocol associated with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping."; + } + + leaf limit { + type uint32; + description + "Maximum number of protocol-specific NAT mappings + per instance."; + } + } + } + + container connection-limits { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Information about the configuration parameters that + rate limit the translation based upon various criteria."; + + leaf limit-per-subscriber { + type uint32; + units "bits/second"; + description + "Rate-limit the number of new mappings and sessions + per subscriber."; + } + + leaf limit-per-instance { + type uint32; + units "bits/second"; + // TODO(HC2VPP-328) + // mandatory true; + description + "Rate-limit the number of new mappings and sessions + per instance."; + } + + list limit-per-protocol { + if-feature "napt44 or nat64"; + key protocol-id; + description + "Configure limits per transport protocol"; + + leaf protocol-id { + type uint8; + mandatory true; + description + "Upper-layer protocol associated with this mapping. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml + + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping."; + } + + leaf limit { + type uint32; + description + "Rate-limit the number of protocol-specific mappings + and sessions per instance."; + } + } + } + + container notification-limits { + description "Sets notification limits."; + + leaf notify-interval { + if-feature "basic-nat44 or napt44 or nat64"; + type uint32 { + range "1 .. 3600"; + } + units "seconds"; + default '10'; + description + "Minimum number of seconds between successive + notifications for this NAT instance."; + reference + "RFC 7659: Definitions of Managed Objects + for Network Address Translators (NATs)"; + } + + leaf notify-addresses-usage { + if-feature "basic-nat44 or napt44 or nat64"; + type percent; + description + "Notification of address mappings usage over + the whole NAT instance. + + Notification must be generated when the defined + threshold is reached. + + For example, if a notification is required when + the address mappings utilization reaches 90%, + this configuration parameter must be set + to 90."; + } + + leaf notify-ports-usage { + if-feature "napt44 or nat64"; + type percent; + description + "Notification of port mappings usage over the + whole NAT instance. + + Notification must be generated when the defined + threshold is reached. + + For example, if a notification is required when + the port mappings utilization reaches 90%, this + configuration parameter must be set to 90."; + } + + leaf notify-subscribers-limit { + if-feature "basic-nat44 or napt44 or nat64"; + type uint32; + description + "Notification of active subscribers per NAT + instance. + + Notification must be generated when the defined + threshold is reached."; + } + } + + leaf logging-enable { + if-feature "basic-nat44 or napt44 or nat64"; + type boolean; + description + "Enable logging features."; + reference + "Section 2.3 of RFC 6908 and REQ-12 of RFC 6888."; + } + + container mapping-table { + if-feature "basic-nat44 or napt44 " + + "or nat64 or clat or dst-nat"; + description + "NAT mapping table. Applicable for functions which maintain + static and/or dynamic mappings, such as NAT44, Destination + NAT, NAT64, or CLAT."; + + list mapping-entry { + key "index"; + description "NAT mapping entry."; + uses mapping-entry; + } + } + + container statistics { + config false; + + description + "Statistics related to the NAT instance."; + + leaf discontinuity-time { + type yang:date-and-time; + mandatory true; + description + "The time on the most recent occasion at which the NAT + instance suffered a discontinuity. This must be + initialized when the NAT instance is configured + or rebooted."; + } + + container traffic-statistics { + description + "Generic traffic statistics."; + + leaf sent-packets { + type yang:zero-based-counter64; + description + "Number of packets sent."; + } + + leaf sent-bytes { + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter for sent traffic in bytes."; + } + + leaf rcvd-packets { + type yang:zero-based-counter64; + description + "Number of received packets."; + } + + leaf rcvd-bytes { + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter for received traffic in bytes."; + } + + leaf dropped-packets { + type yang:zero-based-counter64; + description + "Number of dropped packets."; + } + + leaf dropped-bytes { + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter for dropped traffic in bytes."; + } + + leaf dropped-fragments { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped fragments on the external realm."; + } + + leaf dropped-address-limit-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because an address limit + is reached."; + } + + leaf dropped-address-limit-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter of dropped packets because an address limit + is reached, in bytes."; + } + + leaf dropped-address-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because no address is + available for allocation."; + } + + leaf dropped-address-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter of dropped packets because no address is + available for allocation, in bytes."; + } + + leaf dropped-port-limit-packets { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because a port limit + is reached."; + } + + leaf dropped-port-limit-bytes { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter of dropped packets because a port limit + is reached, in bytes."; + } + + leaf dropped-port-packets { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because no port is + available for allocation."; + } + + leaf dropped-port-bytes { + if-feature "napt44 or nat64"; + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter of dropped packets because no port is + available for allocation, in bytes."; + } + + leaf dropped-subscriber-limit-packets { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + description + "Number of dropped packets because the subscriber + limit per instance is reached."; + } + + leaf dropped-subscriber-limit-bytes { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:zero-based-counter64; + units 'bytes'; + description + "Counter of dropped packets because the subscriber + limit per instance is reached, in bytes."; + } + } + + container mappings-statistics { + description + "Mappings statistics."; + + leaf total-active-subscribers { + if-feature "basic-nat44 or napt44 or nat64"; + type yang:gauge32; + description + "Total number of active subscribers (that is, + subscribers for which the NAT maintains active + mappings. + + A subscriber is identified by a subnet, + subscriber-mask, etc."; + } + + leaf total-address-mappings { + if-feature "basic-nat44 or napt44 " + + "or nat64 or clat or dst-nat"; + type yang:gauge32; + description + "Total number of address mappings present at a given + time. It includes both static and dynamic mappings."; + reference + "Section 3.3.8 of RFC 7659"; + } + + leaf total-port-mappings { + if-feature "napt44 or nat64"; + type yang:gauge32; + description + "Total number of NAT port mappings present at + a given time. It includes both static and dynamic + mappings."; + reference + "Section 3.3.9 of RFC 7659"; + } + + list total-per-protocol { + if-feature "napt44 or nat64"; + key protocol-id; + description + "Total mappings for each enabled/supported protocol."; + + leaf protocol-id { + type uint8; + mandatory true; + description + "Upper-layer protocol associated with this mapping. + For example, this field contains 6 (TCP) for a TCP + mapping or 17 (UDP) for a UDP mapping."; + } + + leaf total { + type yang:gauge32; + description + "Total number of a protocol-specific mappings present + at a given time. The protocol is identified by + protocol-id."; + } + } + } + + container pools-stats { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Statistics related to address/prefix pools + usage"; + + leaf addresses-allocated { + type yang:gauge32; + description + "Number of all allocated addresses."; + } + + leaf addresses-free { + type yang:gauge32; + description + "Number of unallocated addresses of all pools at + a given time. The sum of unallocated and allocated + addresses is the total number of addresses of + the pools."; + } + + container ports-stats { + if-feature "napt44 or nat64"; + + description + "Statistics related to port numbers usage."; + + leaf ports-allocated { + type yang:gauge32; + description + "Number of allocated ports from all pools."; + } + + leaf ports-free { + type yang:gauge32; + description + "Number of unallocated addresses from all pools."; + } + } + + list per-pool-stats { + if-feature "basic-nat44 or napt44 or nat64"; + key "pool-id"; + description + "Statistics related to address/prefix pool usage"; + + leaf pool-id { + type uint32; + description + "Unique Identifier that represents a pool of + addresses/prefixes."; + } + + leaf discontinuity-time { + type yang:date-and-time; + mandatory true; + description + "The time on the most recent occasion at which this + pool counters suffered a discontinuity. This must + be initialized when the address pool is + configured."; + } + + container pool-stats { + description + "Statistics related to address/prefix pool usage"; + + leaf addresses-allocated { + type yang:gauge32; + description + "Number of allocated addresses from this pool."; + } + + leaf addresses-free { + type yang:gauge32; + description + "Number of unallocated addresses in this pool."; + } + } + + container port-stats { + if-feature "napt44 or nat64"; + description + "Statistics related to port numbers usage."; + + leaf ports-allocated { + type yang:gauge32; + description + "Number of allocated ports from this pool."; + } + + leaf ports-free { + type yang:gauge32; + description + "Number of unallocated addresses from this pool."; + } + } + } + } + } + } + } + } + + /* + * Notifications + */ + + notification nat-pool-event { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notifications must be generated when the defined high/low + threshold is reached. Related configuration parameters + must be provided to trigger the notifications."; + + leaf id { + type leafref { + path "/nat/instances/instance/id"; + } + mandatory true; + description + "NAT instance Identifier."; + } + + leaf policy-id { + type leafref { + path "/nat/instances/instance/policy/id"; + } + + description + "Policy Identifier."; + } + + leaf pool-id { + type leafref { + path "/nat/instances/instance/policy/" + + "external-ip-address-pool/pool-id"; + } + mandatory true; + description + "Pool Identifier."; + } + + leaf notify-pool-threshold { + type percent; + mandatory true; + description + "A threshold (high-threshold or low-threshold) has + been fired."; + } + } + + notification nat-instance-event { + if-feature "basic-nat44 or napt44 or nat64"; + description + "Notifications must be generated when notify-addresses-usage + and/or notify-ports-usage threshold are reached."; + + leaf id { + type leafref { + path "/nat/instances/instance/id"; + } + mandatory true; + description + "NAT instance Identifier."; + } + + leaf notify-subscribers-threshold { + type uint32; + description + "The notify-subscribers-limit threshold has been fired."; + } + + leaf notify-addresses-threshold { + type percent; + description + "The notify-addresses-usage threshold has been fired."; + } + + leaf notify-ports-threshold { + type percent; + description + "The notify-ports-usage threshold has been fired."; + } + } +} diff --git a/nat/nat-api/src/main/yang/vpp-nat@2017-08-04.yang b/nat/nat-api/src/main/yang/vpp-nat@2018-05-10.yang index 6f4215a21..375d89936 100644 --- a/nat/nat-api/src/main/yang/vpp-nat@2017-08-04.yang +++ b/nat/nat-api/src/main/yang/vpp-nat@2018-05-10.yang @@ -21,7 +21,7 @@ module vpp-nat { "This module contains a collection of YANG definitions that extend ietf-nat module with VPP specific features provided by the VPP NAT plugin. - Copyright (c) 2017 Cisco and/or its affiliates. + Copyright (c) 2018 Cisco and/or its affiliates. Licensed under the Apache License, Version 2.0 (the 'License'); you may not use this file except in compliance with the License. @@ -35,6 +35,10 @@ module vpp-nat { See the License for the specific language governing permissions and limitations under the License."; + revision "2018-05-10" { + description "Adapt to ietf-nat@2018-02-23."; + } + revision "2017-08-04" { description "Initial revision of vpp-nat model."; } @@ -56,14 +60,8 @@ module vpp-nat { } } - augment /nat:nat-config/nat:nat-instances/nat:nat-instance/nat:external-ip-address-pool { - ext:augment-identifier "external-ip-address-pool-config-augmentation"; - - uses external-ip-address-pool-vpp-attributes; - } - - augment /nat:nat-state/nat:nat-instances/nat:nat-instance/nat:nat-current-config/nat:external-ip-address-pool { - ext:augment-identifier "external-ip-address-pool-state-augmentation"; + augment /nat:nat/nat:instances/nat:instance/nat:policy/nat:external-ip-address-pool { + ext:augment-identifier "external-ip-address-pool-augmentation"; uses external-ip-address-pool-vpp-attributes; } |