A YANG Data Model for Network Address Translation (NAT) and Network Prefix Translation (NPT)

A YANG Data Model for Network Address Translation (NAT) and Network Prefix Translation (NPT) Orange

Rennes 35000 France mohamed.boucadair@orange.com

Cisco Systems

7100-8 Kit Creek Road Research Triangle Park North Carolina 27709 USA +1 919 392 5158 ssenthil@cisco.com

Orange

Rennes 35000 France christian.jacquenet@orange.com

Juniper Networks

1133 Innovation Way Sunnyvale 94089 USA sureshk@juniper.net

Huawei

101 Software Avenue, Yuhua District Nanjing Jiangsu 210012 China bill.wu@huawei.com

opsawg address sharing address depletion IPv4 service continuity NETCONF programmability automation service automation For the sake of network automation and the need for programming Network Address Translation (NAT) function in particular, a data model for configuring and managing the NAT is essential. This document defines a YANG module for the NAT function. NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network Prefix Translation (NPTv6) are covered in this document. Please update this statement with the RFC number to be assigned to ths document: "This version of this YANG module is part of RFC XXXX;"

This document defines a data model for Network Address Translation (NAT) and Network Prefix Translation (NPT) capabilities using the YANG data modeling language . Traditional NAT is defined in , while Carrier Grade NAT (CGN) is defined in . Unlike traditional NAT, the CGN is used to optimize the usage of global IP address space at the scale of a domain: a CGN is not managed by end users, but by service providers instead. This document covers both traditional NATs and CGNs. This document also covers NAT64 , customer-side translator (CLAT) , Explicit Address Mappings for Stateless IP/ICMP Translation (EAM) , and IPv6 Network Prefix Translation (NPTv6) . The full set of translation schemes that are in scope is included in . Sample examples are provided in . These examples are not intended to be exhaustive.

This document makes use of the following terms: Basic NAT44: translation is limited to IP addresses alone (Section 2.1 of ). Network Address/Port Translator (NAPT): translation in NAPT is extended to include IP addresses and transport identifiers (such as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of . Destination NAT: is a translation that acts on the destination IP address and/or destination port number. This flavor is usually deployed in load balancers or at devices in front of public servers. Port-restricted IPv4 address: An IPv4 address with a restricted port set. Multiple hosts may share the same IPv4 address; however, their port sets must not overlap . Restricted port set: A non-overlapping range of allowed external ports to use for NAT operation. Source ports of IPv4 packets translated by a NAT must belong to the assigned port set. The port set is used for all port-aware IP protocols . Internal Host: A host that may solicit a NAT or an NPTv6 (or both) capability to send to and receive traffic from the Internet. Internal Address/prefix: The IP address/prefix of an internal host. External Address: The IP address/prefix assigned by a NAT/NPTv6 to an internal host; this is the address that will be seen by a remote host on the Internet. Mapping: denotes a state at the NAT that is necessary for network address and/or port translation. Dynamic implicit mapping: is created implicitly as a side effect of traffic such as an outgoing TCP SYN or an outgoing UDP packet. A validity lifetime is associated with this mapping. Dynamic explicit mapping: is created as a result of an explicit request, e.g., PCP message . A validity lifetime is associated with this mapping. Static explicit mapping: is created manually. This mapping is likely to be maintained by the NAT function till an explicit action is executed to remove it. The usage of the term NAT in this document refers to any NAT flavor (NAT44, NAT64, etc.) indifferently. This document uses the term "session" as defined in and for NAT64.

The meaning of the symbols in these diagrams is as follows: Brackets "[" and "]" enclose list keys. Curly braces "{" and "}" contain names of optional features that make the corresponding node conditional. Abbreviations before data node names: "rw" means configuration (read-write), "ro" state data (read-only). Symbols after data node names: "?" means an optional node, "!" a container with presence, and "*" denotes a "list" or "leaf-list". Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). Ellipsis ("...") stands for contents of subtrees that are not shown.

The NAT YANG module is designed to cover dynamic implicit mappings and static explicit mappings. The required functionality to instruct dynamic explicit mappings is defined in separate documents such as . Considerations about instructing explicit dynamic means (e.g., , , or ) are out of scope. A single NAT device can have multiple NAT instances (nat-instance); each of these instances can be provided with its own policies (e.g., be responsible for serving a group of hosts). This document does not make any assumption about how internal hosts or flows are associated with a given NAT instance. The NAT YANG module assumes that each NAT instance can be enabled/disabled, be provisioned with a specific set of configuration data, and maintains its own mapping tables. Further, the NAT YANG module allows for a NAT instance to be provided with multiple NAT policies (nat-policy). The document does not make any assumption about how flows are associated with a given NAT policy of a given NAT instance. Classification filters are out of scope. Defining multiple NAT instances or configuring multiple NAT policies within one single NAT instance is implementation- and deployment-specific. To accommodate deployments where is not enabled, this YANG module allows to instruct a NAT function to log the destination port number. The reader may refer to which provides the templates to log the destination ports.

The following modes are supported: Basic NAT44 NAPT Destination NAT Port-restricted NAT Stateful and stateless NAT64 EAM SIIT CLAT NPTv6 Combination of Basic NAT/NAPT and Destination NAT Combination of port-restricted and Destination NAT Combination of NAT64 and EAM specifies an extension to support DS-Lite.

This document assumes are enabled by default. Furthermore, the NAT YANG module relies upon the recommendations detailed in and .

The module is structured to support other protocols than UDP, TCP, and ICMP. The mapping table is designed so that it can indicate any transport protocol. For example, this module may be used to manage a DCCP-capable NAT that adheres to . Future extensions can be defined to cover NAT-related considerations that are specific to other transport protocols such as SCTP . Typically, the mapping entry can be extended to record two optional SCTP-specific parameters: Internal Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

The NAT YANG module assumes that blocks of IP external addresses (external-ip-address-pool) can be provisioned to the NAT function. These blocks may be contiguous or not. This behavior is aligned with which specifies that a NAT function should not have any limitations on the size or the contiguity of the external address pool. In particular, the NAT function must be configurable with contiguous or non-contiguous external IPv4 address ranges. Likewise, one or multiple IP address pools may be configured for Destination NAT (dst-ip-address-pool).

Port numbers can be assigned by a NAT individually (that is, a single port is a assigned on a per session basis). Nevertheless, this port allocation scheme may not be optimal for logging purposes. Therefore, a NAT function should be able to assign port sets (e.g., ) to optimize the volume of the logging data (REQ-14 of ). Both features are supported in the NAT YANG module. When port set assignment is activated (i.e., port-allocation-type==port-range-allocation), the NAT can be provided with the size of the port set to be assigned (port-set-size).

Some NATs require to restrict the port numbers (e.g., Lightweight 4over6 , MAP-E ). Two schemes of port set assignments (port-set-restrict) are supported in this document: Simple port range: is defined by two port values, the start and the end of the port range . Algorithmic: an algorithm is defined in to characterize the set of ports that can be used.

A TCP/UDP mapping entry maintains an association between the following information: (internal-src-address, internal-src-port) (internal-dst-address, internal-dst-port) <=> (external-src-address, external-src-port) (external-dst-address, external-dst-port) An ICMP mapping entry maintains an association between the following information: (internal-src-address, internal-dst-address, internal ICMP/ICMPv6 identifier) <=> (external-src-address, external-dst-address, external ICMP/ICMPv6 identifier) To cover TCP, UDP, and ICMP, the NAT YANG module assumes the following structure of a mapping entry: Indicates how the mapping was instantiated. For example, it may indicate whether a mapping is dynamically instantiated by a packet or statically configured. Indicates the transport protocol (e.g., UDP, TCP, ICMP) of a given mapping. Indicates the source IP address as used by an internal host. Indicates the source port number (or ICMP identifier) as used by an internal host. Indicates the source IP address as assigned by the NAT. Indicates the source port number (or ICMP identifier) as assigned by the NAT. Indicates the destination IP address as used by an internal host when sending a packet to a remote host. Indicates the destination IP address as used by an internal host when sending a packet to a remote host. Indicates the destination IP address used by a NAT when processing a packet issued by an internal host towards a remote host. Indicates the destination port number used by a NAT when processing a packet issued by an internal host towards a remote host. In order to cover both NAT64 and NAT44 flavors in particular, the NAT mapping structure allows to include an IPv4 or an IPv6 address as an internal IP address. Remaining fields are common to both NAT schemes. For example, the mapping that will be created by a NAT64 upon receipt of a TCP SYN from source address 2001:db8:aaaa::1 and source port number 25636 to destination IP address 2001:db8:1234::198.51.100.1 and destination port number 8080 is characterized as follows: type: dynamic implicit mapping. transport-protocol: TCP (6) internal-src-address: 2001:db8:aaaa::1 internal-src-port: 25636 external-src-address: T (an IPv4 address configured on the NAT64) external-src-port: t (a port number that is chosen by the NAT64) internal-dst-address: 2001:db8:1234::198.51.100.1 internal-dst-port: 8080 external-dst-address: 198.51.100.1 external-dst-port: 8080 The mapping that will be created by a NAT44 upon receipt of an ICMP request from source address 198.51.100.1 and ICMP identifier (ID1) to destination IP address 198.51.100.11 is characterized as follows: type: dynamic implicit mapping. transport-protocol: ICMP (1) internal-src-address: 198.51.100.1 internal-src-port: ID1 external-src-address: T (an IPv4 address configured on the NAT44) external-src-port: ID2 (an ICMP identifier that is chosen by the NAT44) internal-dst-address: 198.51.100.11 The mapping that will be created by a NAT64 upon receipt of an ICMP request from source address 2001:db8:aaaa::1 and ICMP identifier (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is characterized as follows: type: dynamic implicit mapping. transport-protocol: ICMPv6 (58) internal-src-address: 2001:db8:aaaa::1 internal-src-port: ID1 external-src-address: T (an IPv4 address configured on the NAT64) external-src-port: ID2 (an ICMP identifier that is chosen by the NAT64) internal-dst-address: 2001:db8:1234::198.51.100.1 external-dst-address: 198.51.100.1 Note that a mapping table is maintained only for stateful NAT functions. Particularly: No mapping table is maintained for NPTv6 given that it is stateless and transport-agnostic. The double translations are stateless in CLAT if a dedicated IPv6 prefix is provided for CLAT. If not, a stateful NAT44 will be required. No per-flow mapping is maintained for EAM . No mapping table is maintained for stateless NAT64. As a reminder, in such deployments internal IPv6 nodes are addressed using IPv4-translatable IPv6 addresses, which enable them to be accessed by IPv4 nodes .

In order to comply with CGN deployments in particular, the NAT YANG module allows limiting the number of external ports per subscriber (port-quota) and the amount of state memory allocated per mapping and per subscriber (mapping-limit and connection-limit). According to , the model allows for the following: Per-subscriber limits are configurable by the NAT administrator. Per-subscriber limits are configurable independently per transport protocol. Administrator-adjustable thresholds to prevent a single subscriber from consuming excessive CPU resources from the NAT (e.g., rate-limit the subscriber's creation of new mappings) can be configured.

The model allows to specify the interface or Virtual Routing and Forwarding (VRF) instance on which the NAT function must be applied (external-realm). Distinct interfaces/VRFs can be provided as a function of the NAT policy (see for example, Section 4 of ). If no external interface/VRF is provided, this assumes that the system is able to determine the external interface/VRF instance on which the NAT will be applied. Typically, the WAN and LAN interfaces of a CPE is determined by the CPE.

The tree structure of the NAT YANG module is provided below:

/nat-module/nat-instances/nat-instance/id +--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id +--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id +--ro notify-pool-threshold percent ]]>

file "ietf-nat@2017-10-12.yang" module ietf-nat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; //namespace to be assigned by IANA prefix "nat"; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } import ietf-interfaces { prefix if; } organization "IETF OPSAWG Working Group"; contact "Mohamed Boucadair Senthil Sivakumar Chritsian Jacquenet Suresh Vinapamula Qin Wu "; description "This module is a YANG module for NAT implementations (including NAT44 and NAT64 flavors). Copyright (c) 2017 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2017-10-12 { description "Comments from Mahesh Jethanandani."; reference "-ietf-05"; } revision 2017-10-02 { description "Comments from Rajiv Asati to call out explicitly stateless NAT64."; reference "-ietf-04"; } revision 2017-09-27 { description "Comments from Kris Poscic about NAT44, mainly: - Allow for multiple NAT policies within the same instance. - Associate an external interface/vrf per NAT policy."; reference "-ietf-04"; } revision 2017-09-18 { description "Comments from Tore Anderson about EAM-SIIT."; reference "-ietf-03"; } revision 2017-08-23 { description "Comments from F. Baker about NPTv6."; reference "-ietf-02"; } revision 2017-08-21 { description " Includes CLAT (Lee/Jordi)."; reference "-ietf-01"; } revision 2017-08-03 { description "Integrates comments from OPSAWG CFA."; reference "-ietf-00"; } revision 2017-07-03 { description "Integrates comments from D. Wing and T. Zhou."; reference "-07"; } revision 2015-09-08 { description "Fixes few YANG errors."; reference "-02"; } revision 2015-09-07 { description "Completes the NAT64 model."; reference "01"; } revision 2015-08-29 { description "Initial version."; reference "00"; } /* * Definitions */ typedef percent { type uint8 { range "0 .. 100"; } description "Percentage"; } /* * Identities */ identity nat-type { description "Base identity for nat type."; } identity nat44 { base nat:nat-type; description "Identity for traditional NAT support."; reference "RFC 3022."; } identity basic-nat { base nat:nat44; description "Identity for Basic NAT support."; reference "RFC 3022."; } identity napt { base nat:nat44; description "Identity for NAPT support."; reference "RFC 3022."; } identity restricted-nat { base nat:nat44; description "Identity for Port-Restricted NAT support."; reference "RFC 7596."; } identity dst-nat { base nat:nat-type; description "Identity for Destination NAT support."; } identity nat64 { base nat:nat-type; description "Identity for NAT64 support."; reference "RFC 6146."; } identity clat { base nat:nat-type; description "Identity for CLAT support."; reference "RFC 6877."; } identity eam { base nat:nat-type; description "Identity for EAM support."; reference "RFC 7757."; } identity nptv6 { base nat:nat-type; description "Identity for NPTv6 support."; reference "RFC 6296."; } identity vrf-routing-instance { description "This identity represents a VRF routing instance."; reference "Section 8.9 of RFC 4026."; } /* * Grouping */ // port numbers: single or port-range grouping port-number { description "Individual port or a range of ports. When only start-port-numbert is present, it represents a single port."; leaf start-port-number { type inet:port-number; description "Begining of the port range."; reference "Section 3.2.9 of RFC 8045."; } leaf end-port-number { type inet:port-number; must ". >= ../start-port-number" { error-message "The end-port-number must be greater than or equal to start-port-number."; } description "End of the port range."; reference "Section 3.2.10 of RFC 8045."; } } // Set of ports grouping port-set { description "Indicates a set of ports. It may be a simple port range, or use the PSID algorithm to represent a range of transport layer ports which will be used by a NAPT."; choice port-type { default port-range; description "Port type: port-range or port-set-algo."; case port-range { /*leaf start-port-number { type inet:port-number; description "Begining of the port range."; reference "Section 3.2.9 of RFC 8045."; } leaf end-port-number { type inet:port-number; description "End of the port range."; reference "Section 3.2.10 of RFC 8045."; }*/ uses port-number; } case port-set-algo { leaf psid-offset { type uint8 { range 0..16; } description "The number of offset bits. In Lightweight 4over6, the default value is 0 for assigning one contiguous port range. In MAP-E/T, the default value is 6, which excludes system ports by default and assigns port ranges distributed across the entire port space."; } leaf psid-len { type uint8 { range 0..15; } mandatory true; description "The length of PSID, representing the sharing ratio for an IPv4 address."; } leaf psid { type uint16; mandatory true; description "Port Set Identifier (PSID) value, which identifies a set of ports algorithmically."; } } } } // Mapping Entry grouping mapping-entry { description "NAT mapping entry."; leaf index { type uint32; description "A unique identifier of a mapping entry."; } leaf type { type enumeration { enum "static" { description "The mapping entry is manually configured."; } enum "dynamic-explicit" { description "This mapping is created by an outgoing packet."; } enum "dynamic-implicit" { description "This mapping is created by an explicit dynamic message."; } } description "Indicates the type of a mapping entry. E.g., a mapping can be: static, implicit dynamic or explicit dynamic."; } leaf transport-protocol { type uint8; description "Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry. For example, this field contains 6 (TCP) for a TCP mapping or 17 (UDP) for a UDP mapping. No transport protocol is indicated if a mapping applies for any protocol."; } leaf internal-src-address { type inet:ip-prefix; description "Corresponds to the source IPv4/IPv6 address/prefix of the packet received on an internal interface."; } container internal-src-port { description "Corresponds to the source port of the packet received on an internal interface. It is used also to carry the internal source ICMP identifier."; uses port-number; } leaf external-src-address { type inet:ip-prefix; description "Source IP address/prefix of the packet sent on an external interface of the NAT."; } container external-src-port { description "Source port of the packet sent on an external interafce of the NAT. It is used also to carry the external source ICMP identifier."; uses port-number; } leaf internal-dst-address { type inet:ip-prefix; description "Corresponds to the destination IP address/prefix of the packet received on an internal interface of the NAT. For example, some NAT implementations support the translation of both source and destination addresses and ports, sometimes referred to as 'Twice NAT'."; } container internal-dst-port { description "Corresponds to the destination port of the IP packet received on the internal interface. It is used also to carry the internal destination ICMP identifier."; uses port-number; } leaf external-dst-address { type inet:ip-prefix; description "Corresponds to the destination IP address/prefix of the packet sent on an external interface of the NAT."; } container external-dst-port { description "Corresponds to the destination port number of the packet sent on the external interface of the NAT. It is used also to carry the external destination ICMP identifier."; uses port-number; } leaf lifetime { type uint32; description "When specified, it tracks the connection that is fully-formed (e.g., once the 3WHS TCP is completed) or the duration for maintaining an explicit mapping alive. Static mappings may not be associated with a lifetime. If no lifetime is associated with a static mapping, an explicit action is requried to remove that mapping."; } } /* * NAT Module */ container nat-module { description "NAT module"; container nat-instances { description "NAT instances"; list nat-instance { key "id"; description "A NAT instance."; leaf id { type uint32; description "NAT instance identifier."; reference "RFC 7659."; } leaf name { type string; description "A name associated with the NAT instance."; } leaf enable { type boolean; description "Status of the the NAT instance."; } container nat-capabilities { description "NAT capabilities"; leaf-list nat-flavor { type identityref { base nat-type; } description "Type of NAT."; } leaf-list nat44-flavor { when "../nat-flavor = 'nat44'"; type identityref { base nat44; } description "Type of NAT44: Basic NAT or NAPT."; } leaf restricted-port-support { type boolean; description "Indicates source port NAT restriction support."; } leaf static-mapping-support { type boolean; description "Indicates whether static mappings are supported."; } leaf port-randomization-support { type boolean; description "Indicates whether port randomization is supported."; } leaf port-range-allocation-support { type boolean; description "Indicates whether port range allocation is supported."; } leaf port-preservation-suport { type boolean; description "Indicates whether port preservation is supported."; } leaf port-parity-preservation-support { type boolean; description "Indicates whether port parity preservation is supported."; } leaf address-roundrobin-support { type boolean; description "Indicates whether address allocation round robin is supported."; } leaf paired-address-pooling-support { type boolean; description "Indicates whether paired-address-pooling is supported"; } leaf endpoint-independent-mapping-support { type boolean; description "Indicates whether endpoint-independent- mapping in Section 4 of RFC 4787 is supported."; } leaf address-dependent-mapping-support { type boolean; description "Indicates whether address-dependent-mapping is supported."; } leaf address-and-port-dependent-mapping-support { type boolean; description "Indicates whether address-and-port-dependent-mapping is supported."; } leaf endpoint-independent-filtering-support { type boolean; description "Indicates whether endpoint-independent-filtering is supported."; } leaf address-dependent-filtering { type boolean; description "Indicates whether address-dependent-filtering is supported."; } leaf address-and-port-dependent-filtering { type boolean; description "Indicates whether address-and-port-dependent is supported."; } } // Parameters for NAT pass through list nat-pass-through { key nat-pass-through-id; description "IP prefix NAT pass through."; leaf nat-pass-through-id { type uint32; description "An identifier of the IP prefix pass through."; } leaf nat-pass-through-pref { type inet:ip-prefix; description "The IP address subnets that match should not be translated. According to REQ#6 of RFC6888, it must be possible to administratively turn off translation for specific destination addresses and/or ports."; reference "REQ#6 of RFC6888."; } leaf nat-pass-through-port { type inet:port-number; description "The IP address subnets that match should not be translated. According to REQ#6 of RFC6888, it must be possible to administratively turn off translation for specific destination addresses and/or ports."; reference "REQ#6 of RFC6888."; } } // NAT Policies: Multiple policies per NAT instance list nat-policy { key policy-id; description "NAT parameters for a given instance"; leaf policy-id { type uint32; description "An identifier of the NAT policy."; } // CLAT Parameters container clat-parameters { description "CLAT parameters."; list clat-ipv6-prefixes { when "../../../nat-capabilities/nat-flavor = 'clat' "; key clat-ipv6-prefix; description "464XLAT double translation treatment is stateless when a dedicated /64 is available for translation on the CLAT. Otherwise, the CLAT will have both stateful and stateless since it requires NAT44 from the LAN to a single IPv4 address and then stateless translation to a single IPv6 address."; reference "RFC 6877."; leaf clat-ipv6-prefix { type inet:ipv6-prefix; description "An IPv6 prefix used for CLAT."; } } list clat-ipv4-prefixes { when "../../../nat-capabilities/nat-flavor = 'clat'"; key clat-ipv4-prefix; description "Pool of IPv4 addresses used for CLAT. 192.0.0.0/29 is the IPv4 service continuity prefix."; reference "RFC 7335."; leaf clat-ipv4-prefix { type inet:ipv4-prefix; description "464XLAT double translation treatment is stateless when a dedicated /64 is available for translation on the CLAT. Otherwise, the CLAT will have both stateful and stateless since it requires NAT44 from the LAN to a single IPv4 address and then stateless translation to a single IPv6 address. The CLAT performs NAT44 for all IPv4 LAN packets so that all the LAN-originated IPv4 packets appear from a single IPv4 address and are then statelessly translated to one interface IPv6 address that is claimed by the CLAT. An IPv4 address from this pool is also provided to an application that makes use of literals."; reference "RFC 6877."; } } } // NPTv6 Parameters list nptv6-prefixes { when "../../nat-capabilities/nat-flavor = 'nptv6' "; key translation-id; description "Provides one or a list of (internal IPv6 prefix, external IPv6 prefix) required for NPTv6. In its simplest form, NPTv6 interconnects two network links, one of which is an 'internal' network link attachedto a leaf network within a single administrative domain and the other of which is an 'external' network with connectivity to the global Internet."; reference "RFC 6296."; leaf translation-id { type uint32; description "An identifier of the NPTv6 prefixs."; } leaf internal-ipv6-prefix { type inet:ipv6-prefix; description "An IPv6 prefix used by an internal interface of NPTv6."; reference "RFC 6296."; } leaf external-ipv6-prefix { type inet:ipv6-prefix; description "An IPv6 prefix used by the external interface of NPTv6."; reference "RFC 6296."; } } // EAM SIIT Parameters list eam { when "../../nat-capabilities/nat-flavor = 'eam' "; key eam-ipv4-prefix; description "The Explicit Address Mapping Table, a conceptual table in which each row represents an EAM. Each EAM describes a mapping between IPv4 and IPv6 prefixes/addresses."; reference "Section 3.1 of RFC 7757."; leaf eam-ipv4-prefix { type inet:ipv4-prefix; description "The IPv4 prefix of an EAM."; reference "Section 3.2 of RFC 7757."; } leaf eam-ipv6-prefix { type inet:ipv6-prefix; description "The IPv6 prefix of an EAM."; reference "Section 3.2 of RFC 7757."; } } //NAT64 IPv6 Prefixes list nat64-prefixes { when "../../nat-capabilities/nat-flavor = 'nat64' " + " or ../../nat-capabilities/nat-flavor = 'clat'"; key nat64-prefix; description "Provides one or a list of NAT64 prefixes with or without a list of destination IPv4 prefixes. Destination-based Pref64::/n is discussed in Section 5.1 of [RFC7050]). For example: 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 198.51.100.0/24 is mapped to 2001:db8:122::/48."; reference "Section 5.1 of RFC7050."; leaf nat64-prefix { type inet:ipv6-prefix; //default "64:ff9b::/96"; description "A NAT64 prefix. Can be NSP or a Well-Known Prefix (WKP). Organizations deploying stateless IPv4/IPv6 translation should assign a Network-Specific Prefix to their IPv4/IPv6 translation service. For stateless NAT64, IPv4-translatable IPv6 addresses must use the selected Network-Specific Prefix. Both IPv4-translatable IPv6 addresses and IPv4-converted IPv6 addresses should use the same prefix."; reference "Sections 3.3 and 3.4 of RFC 6052."; } list destination-ipv4-prefix { key ipv4-prefix; description "An IPv4 prefix/address."; leaf ipv4-prefix { type inet:ipv4-prefix; description "An IPv4 address/prefix."; } } leaf stateless-enable { type boolean; description "Enable explicitly statless NAT64."; } } list external-ip-address-pool { key pool-id; description "Pool of external IP addresses used to service internal hosts. Both contiguous and non-contiguous pools can be configured for NAT purposes."; leaf pool-id { type uint32; description "An identifier of the address pool."; } leaf external-ip-pool { type inet:ipv4-prefix; description "An IPv4 prefix used for NAT purposes."; } } container port-set-restrict { when "../../nat-capabilities/restricted-port-support = 'true'"; description "Configures contiguous and non-contiguous port ranges."; uses port-set; } leaf dst-nat-enable { type boolean; default false; description "Enable/Disable destination NAT. A NAT44 may be configured to enable Destination NAT, too."; } list dst-ip-address-pool { when "../../nat-capabilities/nat-flavor = 'dst-nat' "; key pool-id; description "Pool of IP addresses used for destination NAT."; leaf pool-id { type uint32; description "An identifier of the address pool."; } leaf dst-in-ip-pool { type inet:ip-prefix; description "Internal IP prefix/address"; } leaf dst-out-ip-pool { type inet:ip-prefix; description "IP address/prefix used for destination NAT."; } } list supported-transport-protocols { key transport-protocol-id; description "Supported transport protocols. TCP and UDP are supported by default."; leaf transport-protocol-id { type uint8; mandatory true; description "Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry. For example, this field contains 6 (TCP) for a TCP mapping or 17 (UDP) for a UDP mapping."; } leaf transport-protocol-name { type string; description "For example, TCP, UDP, DCCP, and SCTP."; } } leaf subscriber-mask-v6 { type uint8 { range "0 .. 128"; } description "The subscriber-mask is an integer that indicates the length of significant bits to be applied on the source IP address (internal side) to unambiguously identify a CPE. Subscriber-mask is a system-wide configuration parameter that is used to enforce generic per-subscriber policies (e.g., port-quota). The enforcement of these generic policies does not require the configuration of every subscriber's prefix. Example: suppose the 2001:db8:100:100::/56 prefix is assigned to a NAT64 serviced CPE. Suppose also that 2001:db8:100:100::1 is the IPv6 address used by the client that resides in that CPE. When the NAT64 receives a packet from this client, it applies the subscriber-mask (e.g., 56) on the source IPv6 address to compute the associated prefix for this client (2001:db8:100:100::/56). Then, the NAT64 enforces policies based on that prefix (2001:db8:100:100::/56), not on the exact source IPv6 address."; } list subscriber-match { key sub-match-id; description "IP prefix match."; leaf sub-match-id { type uint32; description "An identifier of the subscriber masck."; } leaf sub-mask { type inet:ip-prefix; mandatory true; description "The IP address subnets that match should be translated. E.g., all addresses that belong to the 192.0.2.0/24 prefix must be processed by the NAT."; } } leaf paired-address-pooling { type boolean; default true; description "Paired address pooling informs the NAT that all the flows from an internal IP address must be assigned the same external address."; reference "RFC 4007."; } leaf nat-mapping-type { type enumeration { enum "eim" { description "endpoint-independent-mapping."; reference "Section 4 of RFC 4787."; } enum "adm" { description "address-dependent-mapping."; reference "Section 4 of RFC 4787."; } enum "edm" { description "address-and-port-dependent-mapping."; reference "Section 4 of RFC 4787."; } } description "Indicates the type of a NAT mapping."; } leaf nat-filtering-type { type enumeration { enum "eif" { description "endpoint-independent- filtering."; reference "Section 5 of RFC 4787."; } enum "adf" { description "address-dependent-filtering."; reference "Section 5 of RFC 4787."; } enum "edf" { description "address-and-port-dependent-filtering"; reference "Section 5 of RFC 4787."; } } description "Indicates the type of a NAT filtering."; } list port-quota { when "../../nat-capabilities/nat44-flavor = "+ "'napt' or "+ "../../nat-capabilities/nat-flavor = "+ "'nat64'"; key quota-type; description "Configures a port quota to be assigned per subscriber. It corresponds to the maximum number of ports to be used by a subscriber."; leaf port-limit { type uint16; description "Configures a port quota to be assigned per subscriber. It corresponds to the maximum number of ports to be used by a subscriber."; reference "REQ-4 of RFC 6888."; } leaf quota-type { type enumeration { enum "all" { description "The limit applies to all protocols."; reference "REQ-4 of RFC 6888."; } enum "tcp" { description "TCP quota."; reference "REQ-4 of RFC 6888."; } enum "udp" { description "UDP quota."; reference "REQ-4 of RFC 6888."; } enum "icmp" { description "ICMP quota."; reference "REQ-4 of RFC 6888."; } } description "Indicates whether the port quota applies to all protocols or to a specific transport."; } } leaf port-allocation-type { type enumeration { enum "random" { description "Port randomization is enabled."; } enum "port-preservation" { description "Indicates whether the NAT should preserve the internal port number."; } enum "port-parity-preservation" { description "Indicates whether the NAT should preserve the port parity of the internal port number."; } enum "port-range-allocation" { description "Indicates whether the NAT assigns a range of ports for an internal host."; } } description "Indicates the type of a port allocation."; } leaf address-roundrobin-enable { type boolean; description "Enable/disable address allocation round robin."; } container port-set { when "../port-allocation-type='port-range-allocation'"; description "Manages port-set assignments."; leaf port-set-size { type uint16; description "Indicates the size of assigned port sets."; } leaf port-set-timeout { type uint32; description "Inactivty timeout for port sets."; } } container timers { description "Configure values of various timeouts."; leaf udp-timeout { type uint32; units "seconds"; default 300; description "UDP inactivity timeout. That is the time a mapping will stay active without packets traversing the NAT."; reference "RFC 4787."; } leaf tcp-idle-timeout { type uint32; units "seconds"; default 7440; description "TCP Idle timeout should be 2 hours and 4 minutes."; reference "RFC 5382."; } leaf tcp-trans-open-timeout { type uint32; units "seconds"; default 240; description "The value of the transitory open connection idle-timeout. Section 2.1 of [RFC7857] clarifies that a NAT should provide different configurable parameters for configuring the open and closing idle timeouts. To accommodate deployments that consider a partially open timeout of 4 minutes as being excessive from a security standpoint, a NAT may allow the configured timeout to be less than 4 minutes. However, a minimum default transitory connection idle-timeout of 4 minutes is recommended."; reference "Section 2.1 of RFC 7857."; } leaf tcp-trans-close-timeout { type uint32; units "seconds"; default 240; description "The value of the transitory close connection idle-timeout. Section 2.1 of [RFC7857] clarifies that a NAT should provide different configurable parameters for configuring the open and closing idle timeouts."; reference "Section 2.1 of RFC 7857."; } leaf tcp-in-syn-timeout { type uint32; units "seconds"; default 6; description "A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection the NAT must silently drop the original unsolicited inbound SYN packet."; reference "RFC 5382."; } leaf fragment-min-timeout { type uint32; units "seconds"; default 2; description "As long as the NAT has available resources, the NAT allows the fragments to arrive over fragment-min-timeout interval. The default value is inspired from RFC6146."; } leaf icmp-timeout { type uint32; units "seconds"; default 60; description "An ICMP Query session timer must not expire in less than 60 seconds. It is recommended that the ICMP Query session timer be made configurable"; reference "RFC 5508."; } list per-port-timeout { key port-number; description "Some NATs are configurable with short timeouts for some ports, e.g., as 10 seconds on port 53 (DNS) and NTP (123) and longer timeouts on other ports."; leaf port-number { type inet:port-number; description "A port number."; } leaf port-timeout { type inet:port-number; mandatory true; description "Timeout for this port"; } } leaf hold-down-timeout { type uint32; units "seconds"; default 120; description "Hold down timer. Ports in the hold down pool are not reassigned until hold-down-timeout expires. The length of time and the maximum number of ports in this state must be configurable by the administrator. This is necessary in order to prevent collisions between old and new mappings and sessions. It ensures that all established sessions are broken instead of redirected to a different peer."; reference "REQ#8 of RFC 6888."; } leaf hold-down-max { type uint32; description "Maximum ports in the Hold down timer pool. Ports in the hold down pool are not reassigned until hold-down-timeout expires. The length of time and the maximum number of ports in this state must be configurable by the administrator. This is necessary in order to prevent collisions between old and new mappings and sessions. It ensures that all established sessions are broken instead of redirected to a different peer."; reference "REQ#8 of RFC 6888."; } } list algs { key alg-name; description "ALG-related features."; leaf alg-name { type string; description "The name of the ALG"; } leaf alg-transport-protocol { type uint32; description "The transport protocol used by the ALG."; } leaf alg-transport-port { type inet:port-number; description "The port number used by the ALG."; } leaf alg-status { type boolean; description "Enable/disable the ALG."; } } leaf all-algs-enable { type boolean; description "Enable/disable all ALGs."; } container notify-pool-usage { description "Notification of pool usage when certain criteria are met."; leaf pool-id { type uint32; description "Pool-ID for which the notification criteria is defined"; } leaf notify-pool-hi-threshold { type percent; mandatory true; description "Notification must be generated when the defined high threshold is reached. For example, if a notification is required when the pool utilization reaches 90%, this configuration parameter must be set to 90%."; } leaf notify-pool-low-threshold { type percent; description "Notification must be generated when the defined low threshold is reached. For example, if a notification is required when the pool utilization reaches below 10%, this configuration parameter must be set to 10%."; } } container external-realm { description "Identifies the external realm of the NAT."; choice realm-type { description "Interface or VRF."; case interface { description "External interface."; leaf external-interface { type if:interface-ref; description "Name of an external interface."; } } case vrf { description "External VRF instance."; leaf external-vrf-instance { type identityref { base vrf-routing-instance; } description "A VRF instance."; } } } } } //nat-policy container mapping-limit { description "Information about the configuration parameters that limits the mappings based upon various criteria."; leaf limit-per-subscriber { type uint32; description "Maximum number of NAT mappings per subscriber."; } leaf limit-per-vrf { type uint32; description "Maximum number of NAT mappings per VLAN/VRF."; } leaf limit-per-subnet { type inet:ip-prefix; description "Maximum number of NAT mappings per subnet."; } leaf limit-per-instance { type uint32; mandatory true; description "Maximum number of NAT mappings per instance."; } leaf limit-per-udp { type uint32; mandatory true; description "Maximum number of UDP NAT mappings per subscriber."; } leaf limit-per-tcp { type uint32; mandatory true; description "Maximum number of TCP NAT mappings per subscriber."; } leaf limit-per-icmp { type uint32; mandatory true; description "Maximum number of ICMP NAT mappings per subscriber."; } } container connection-limit { description "Information about the configuration parameters that rate limit the translation based upon various criteria."; leaf limit-per-subscriber { type uint32; description "Rate-limit the number of new mappings and sessions per subscriber."; } leaf limit-per-vrf { type uint32; description "Rate-limit the number of new mappings and sessions per VLAN/VRF."; } leaf limit-per-subnet { type inet:ip-prefix; description "Rate-limit the number of new mappings and sessions per subnet."; } leaf limit-per-instance { type uint32; mandatory true; description "Rate-limit the number of new mappings and sessions per instance."; } leaf limit-per-udp { type uint32; mandatory true; description "Rate-limit the number of new UDP mappings and sessions per subscriber."; } leaf limit-per-tcp { type uint32; mandatory true; description "Rate-limit the number of new TCP mappings and sessions per subscriber."; } leaf limit-per-icmp { type uint32; mandatory true; description "Rate-limit the number of new ICMP mappings and sessions per subscriber."; } } container logging-info { description "Information about logging NAT events"; leaf logging-enable { type boolean; description "Enable logging features."; reference "Section 2.3 of RFC 6908."; } leaf destination-address { type inet:ip-prefix; mandatory true; description "Address of the collector that receives the logs"; } leaf destination-port { type inet:port-number; mandatory true; description "Destination port of the collector."; } choice protocol { description "Enable the protocol to be used for the retrieval of logging entries."; case syslog { leaf syslog { type boolean; description "If SYSLOG is in use."; } } case ipfix { leaf ipfix { type boolean; description "If IPFIX is in use."; } } case ftp { leaf ftp { type boolean; description "If FTP is in use."; } } } } container mapping-table { when "../nat-capabilities/nat-flavor = "+ "'nat44' or "+ "../nat-capabilities/nat-flavor = "+ "'nat64'or "+ "../nat-capabilities/nat-flavor = "+ "'clat'or "+ "../nat-capabilities/nat-flavor = 'dst-nat'"; description "NAT mapping table. Applicable for functions which maintains static and/or dynamic mappings, such as NAT44, Destination NAT, NAT64, or CLAT."; list mapping-entry { key "index"; description "NAT mapping entry."; uses mapping-entry; } } container statistics { config false; description "Statistics related to the NAT instance."; container traffic-statistics { description "Generic traffic statistics."; leaf sent-packet { type yang:zero-based-counter64; description "Number of packets sent."; } leaf sent-byte { type yang:zero-based-counter64; description "Counter for sent traffic in bytes."; } leaf rcvd-packet { type yang:zero-based-counter64; description "Number of received packets."; } leaf rcvd-byte { type yang:zero-based-counter64; description "Counter for received traffic in bytes."; } leaf dropped-packet { type yang:zero-based-counter64; description "Number of dropped packets."; } leaf dropped-byte { type yang:zero-based-counter64; description "Counter for dropped traffic in bytes."; } } container mapping-statistics { when "../../nat-capabilities/nat-flavor = "+ "'nat44' or "+ "../../nat-capabilities/nat-flavor = "+ "'nat64'or "+ "../../nat-capabilities/nat-flavor = 'dst-nat'"; description "Mapping statistics."; leaf total-mappings { type uint32; description "Total number of NAT mappings present at a given time. This variable includes all the static and dynamic mappings."; } leaf total-tcp-mappings { type uint32; description "Total number of TCP mappings present at a given time."; } leaf total-udp-mappings { type uint32; description "Total number of UDP mappings present at a given time."; } leaf total-icmp-mappings { type uint32; description "Total number of ICMP mappings present at a given time."; } } container pool-stats { when "../../nat-capabilities/nat-flavor = "+ "'nat44' or "+ "../../nat-capabilities/nat-flavor = "+ "'nat64'"; description "Statistics related to address/prefix pool usage"; leaf pool-id { type uint32; description "Unique Identifier that represents a pool of addresses/prefixes."; } leaf address-allocated { type uint32; description "Number of allocated addresses in the pool"; } leaf address-free { type uint32; description "Number of unallocated addresses in the pool at a given time.The sum of unallocated and allocated addresses is the total number of addresses of the pool."; } container port-stats { description "Statistics related to port usage."; leaf ports-allocated { type uint32; description "Number of allocated ports in the pool."; } leaf ports-free { type uint32; description "Number of unallocated addresses in the pool."; } } } }//statistics } } } /* * Notifications */ notification nat-event { description "Notifications must be generated when the defined high/low threshold is reached. Related configuration parameters must be provided to trigger the notifications."; leaf id { type leafref { path "/nat-module/nat-instances/" + "nat-instance/id"; } description "NAT instance ID."; } leaf policy-id { type leafref { path "/nat-module/nat-instances/" + "nat-instance/nat-policy/policy-id"; } description "Policy ID."; } leaf pool-id { type leafref { path "/nat-module/nat-instances/" + "nat-instance/nat-policy/" + "external-ip-address-pool/pool-id"; } description "Pool ID."; } leaf notify-pool-threshold { type percent; mandatory true; description "A treshhold has been fired."; } } }

]]>



    
      The YANG module defined in this memo is designed to be accessed via
      the NETCONF protocol . The lowest NETCONF
      layer is the secure transport layer and the support of SSH is mandatory
      to implement secure transport . The
      NETCONF access control model  provides
      means to restrict access by some users to a pre-configured subset of all
      available NETCONF protocol operations and data.

      All data nodes defined in the YANG module which can be created,
      modified and deleted (i.e., config true, which is the default). These
      data nodes are considered sensitive. Write operations (e.g.,
      edit-config) applied to these data nodes without proper protection can
      negatively affect network operations.
    

    
      This document requests IANA to register the following URI in the
      "IETF XML Registry" : 
          
         This document requests IANA to register the following YANG
      module in the "YANG Module Names" registry .
          
        
    

    
      Many thanks to Dan Wing and Tianran Zhou for the review.

      Thanks to Juergen Schoenwaelder for the comments on the YANG
      structure and the suggestion to use NMDA.

      Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
      Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
      Kristian Poscic for the CGN review.

      Special thanks to Maros Marsalek and Marek Gradzki for sharing their
      comments based on the FD.io implementation of an earlier version of this
      module.

      Rajiv Asati suggested to clarify how the module applies for both
      stateless and stateful NAT64.



  

  
    
      

      

      

      

      

      

      

      

      

      

      

      

      
    

    
      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      
    

    
      This section provides a non-exhaustive set of examples to illustrate
      the use of the NAT YANG module.

      
        Traditional NAT44 is a Basic NAT44 or NAPT that is used to share
        the same IPv4 address among hosts that are owned by the same
        subscriber. This is typically the NAT that is embedded in CPE
        devices.

        This NAT is usually provided with one single external IPv4 address;
        disambiguating connections is achieved by rewriting the source port
        number. The XML snippet to configure the external IPv4 address in such
        case together with a mapping entry is depicted below:

        
            
     
       1
       NAT_Subscriber_A
        ....
       
           1
           
              192.0.2.1
           
       
        ....
       
           ....
           
              192.0.2.1
           
           ....
       
     


]]>
          

        The following shows the XML excerpt depicting a dynamic UDP mapping
        entry maintained by a traditional NAT44. In reference to this example,
        the UDP packet received with a source IPv4 address (192.0.2.1) and
        source port number (1568) is translated into a UDP packet having a
        source IPv4 address (198.51.100.1) and source port (15000). The
        lifetime of this mapping is 300 seconds.

        
            
  15
  
     dynamic-explicit
  
  
     17
  
  
     192.0.2.1
  
  
     
        1568
     
  
  
     198.51.100.1
  
  
     
        15000
     
  
  
     300
  

]]>
          
      

      
        The following XML snippet shows the example of the capabilities
        supported by a CGN as retrieved using NETCONF.

        
            
   nat44
  
  
   false
  
  
    true
  
  
    true
  
  
    true
  
  
    true
  
  
    false
  
  
    true
  
  
    true
  
  
    true
  
  
    false
  
  
    false
  
  
    true
  
  
    false
  
  
    false
  

]]>
          The following XML snippet shows the example of a CGN that
        is provisioned with one contiguous pool of external IPv4 addresses
        (192.0.2.0/24). Further, the CGN is instructed to limit the number of
        allocated ports per subscriber to 1024. Ports can be allocated by the
        CGN by assigning ranges of 256 ports (that is, a subscriber can be
        allocated up to four port ranges of 256 ports each).

        
            
     
       1
       myCGN
        ....
       
           1
           
               192.0.2.0/24
           
       
       
         
           1024
         
         
           all
         
       
       
           port-range-allocation
       
       
          
             256
          
       
        ....
     

]]>
          An administrator may decide to allocate one single port
        range per subscriber (port range of 1024 ports) as shown below:

        
            
     
       1
       myotherCGN
        ....
       
           1
           
               192.0.2.0/24
           
       
       
         
           1024
         
         
           all
         
       
       
           port-range-allocation
       
       
          
               1024
          
          ....
       
        ....
     


]]>
          

        
      

      
         illustrates an example of the CGN
        pass-through feature.

        
            >>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
                  | i |            | G |              | r |
                  | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
                  | n |from X2:x2  |   |from X2:x2    | e |
                  | t |  to X1:x1  |   |  to X1:x1    | r |
                  +---+            +---+              +---+
]]>
          For example, in order to disable NAT for communications
        issued by the client (192.0.2.25), the following configuration
        parameter must be set:

        
            
     ...
     192.0.2.25
     ...

]]>
          
      

      
        Let's consider the example of a NAT64 that should use
        2001:db8:122:300::/56 to perform IPv6 address synthesis . The XML snippet to configure the NAT64
        prefix in such case is depicted below:

        
            
   
     2001:db8:122:300::/56
   

]]>
          

        A NAT64 can be instructed to behave in the stateless mode by
        providing the following configuration. The same NAT64 prefix is used
        for constructing both IPv4- translatable IPv6 addresses and
        IPv4-converted IPv6 addresses (Section 3.3 of ).

        
            
   
     2001:db8:122:300::/56
   
   
    true
   

]]>
          

        Let's now consider the example of a NAT64 that should use
        2001:db8:122::/48 to perform IPv6 address synthesis  only if the destination address matches
        198.51.100.0/24. The XML snippet to configure the NAT64 prefix in such
        case is shown below:

        
            
   
      2001:db8:122::/48
   
   
      
          198.51.100.0/24  
      
   

]]>
          
      

      
        As specified in , an EAM consists of
        an IPv4 prefix and an IPv6 prefix. Let's consider the set of EAM
        examples in .

        
            
          The following XML excerpt illustrates how these EAMs can be
        configured using the YANG NAT module:
            
  
     192.0.2.1
  
  
     2001:db8:aaaa::
  


  
     192.0.2.2/32
  
  
     2001:db8:bbbb::b/128
  


  
     192.0.2.16/28
  
  
     2001:db8:cccc::/124
  


  
     192.0.2.128/26
  
  
     2001:db8:dddd::/64
  


  
     192.0.2.192/29
  
  
     2001:db8:eeee:8::/62
  


  
     192.0.2.224/31
  
  
     64:ff9b::/127
  

]]>
          

        EAMs may be enabled jointly with statefull NAT64. This example
        shows a NAT64 fucntion that supports static mappings:

        
            
   nat64
  
  
    true
  
  
    true
  
  
    true
  
  
    true
  
  
    false
  
  
    true
  
  
    true
  
  
    true
  
  
    false
  
  
    false
  
  
    true
  
  
    false
  
  
    false
  

]]>
          
      

      
        The following example shows a static mapping that instructs a NAT
        to translate packets issued from 192.0.2.1 and with source ports in
        the 100-500 range to 198.51.100.1:1100-1500.

        
            
  1
  static
  6
  
     192.0.2.1
  
  
    
       100
    
    
      500
    
  
  
     198.51.100.1
  
  
     
       1100
     
     
       1500
     
  
  ...
]]>
          
      

      
        The following example shows a static mapping that instructs a NAT
        to translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

        
            
  1
  static
  6
  
     192.0.2.1/24
  
  
     198.51.100.1/24
  
  ...
]]>
          
      

      
        The following XML snippet shows an example a destination NAT that
        is instructed to translate packets having 192.0.2.1 as a destination
        IP address to 198.51.100.1.

        
            
   1
   
     192.0.2.1
   
   
     198.51.100.1
   

]]>
          

        In order to instruct a NAT to translate TCP packets destined to
        192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows the
        static mapping to be configured on the NAT:

        
            
  1
  static
  6
  
     192.0.2.1
  
  
      80
  
  
      198.51.100.1
  
  
      8080
  
]]>
          

        In order to instruct a NAT to translate TCP packets destined to
        192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh
        traffic) to 198.51.100.2, the following XML snippet shows the static
        mappings to be configured on the NAT:

        
            
  1
  static
  6
  
    192.0.2.1
  
  
    
      80
    
  
  
    198.51.100.1
  
  ...


  2
  static
  
     6
  
  
    192.0.2.1
  
  
    
      22
    
  
  
    198.51.100.2
  
  ...


]]>
          

        The NAT may also be instructed to proceed with both source and
        destination NAT. To do so, in addition to the above sample to
        configure destination NAT, the NAT may be provided, for example with a
        pool of external IP addresses (198.51.100.0/24) to use for source
        address translation. An example of the corresponding XML snippet is
        provided hereafter:

        
            
  1
  
     198.51.100.0/24
  
]]>
          Instead of providing an external IP address to share, the
        NAT may be configured with static mapping entries that modifies the
        internal IP address and/or port number.
      

      
        The following XML snippet shows the example of a CLAT that is
        configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
        2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also provided
        with 192.0.0.1/32 (which is selected from the IPv4 service continuity
        prefix defined in ).

        
            
   
     2001:db8:aaaa::/96
   


   
     192.0.0.1/32
   


   
     2001:db8:1234::/96
   


]]>
          
      

      
        Let's consider the example of a NPTv6 translator that should
        rewrite packets with the source prefix (fd01:203:405:/48) with the
        external prefix (2001:db8:1:/48). The internal interface is "eth0"
        while the external interface is "eth1".

        
            
          The XML snippet to configure NPTv6 prefixes in such case is
        depicted below:

        
            
  1
  
    fd01:203:405:/48
  
  
    2001:db8:1:/48
  

...

 
   eth1
 


]]>
          

         shows an example of an NPTv6 that
        interconnects two internal networks (fd01:203:405:/48 and
        fd01:4444:5555:/48); each is translated using a dedicated prefix
        (2001:db8:1:/48 and 2001:db8:6666:/48, respectively).

        
            
          To that aim, the following configuration is provided to the
        NPTv6:

        
            
 1
 
  1
  
    fd01:203:405:/48
  
  
    2001:db8:1:/48
  
  
   
    eth1
   


 2
 
  2
  
      fd01:4444:5555:/48
  
  
      2001:db8:6666:/48
  
 
 
   eth0
 

]]>