3 namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
4 //namespace to be assigned by IANA
6 import ietf-inet-types {
10 organization "IETF NetMod Working Group";
12 "Senthil Sivakumar <ssenthil@cisco.com>
13 Mohamed Boucadair <mohamed.boucadair@orange.com>
14 Suresh Vinapamula <sureshk@juniper.net>";
17 "This module is a YANG module for NAT implementations
18 (including both NAT44 and NAT64 flavors).
20 Copyright (c) 2015 IETF Trust and the persons identified as
21 authors of the code. All rights reserved.
23 Redistribution and use in source and binary forms, with or
24 without modification, is permitted pursuant to, and subject
25 to the license terms contained in, the Simplified BSD License
26 set forth in Section 4.c of the IETF Trust's Legal Provisions
27 Relating to IETF Documents
28 (http://trustee.ietf.org/license-info).
30 This version of this YANG module is part of RFC XXXX; see
31 the RFC itself for full legal notices.";
34 description "Fixes few YANG errors.";
39 description "Completes the NAT64 model.";
44 description "Initial version.";
62 "Configure values of various timeouts.";
68 "UDP inactivity timeout.";
71 leaf tcp-idle-timeout {
75 "TCP Idle timeout, as per RFC 5382 should be no
76 less than 2 hours and 4 minutes.";
79 leaf tcp-trans-open-timeout {
83 "The value of the transitory open connection
87 leaf tcp-trans-close-timeout {
91 "The value of the transitory close connection
95 leaf tcp-in-syn-timeout {
99 "6 seconds, as defined in [RFC5382].";
102 leaf fragment-min-timeout {
106 "As long as the NAT has available resources,
107 the NAT allows the fragments to arrive
108 over fragment-min-timeout interval.
109 The default value is inspired from RFC6146.";
116 "60 seconds, as defined in [RFC5508].";
120 // port numbers: single or port range
122 grouping port-number {
124 "Individual port or a range of ports.";
127 default single-port-number;
129 "Port type: single or port-range.";
131 case single-port-number {
132 leaf single-port-number {
133 type inet:port-number;
135 "Used for single port numbers.";
140 leaf start-port-number {
141 type inet:port-number;
143 "Beginning of the port range.";
146 leaf end-port-number {
147 type inet:port-number;
149 "End of the port range.";
155 grouping mapping-entry {
157 "NAT mapping entry.";
162 "A unique identifier of a mapping entry.";
169 "The mapping entry is manually configured.";
174 "This mapping is created by an outgoing
179 "Indicates the type of a mapping entry. E.g.,
180 a mapping can be: static or dynamic";
183 leaf internal-src-address {
184 type inet:ip-address;
187 "Corresponds to the source IPv4/IPv6 address
191 container internal-src-port {
193 "Corresponds to the source port of the
198 leaf external-src-address {
199 type inet:ipv4-address;
202 "External IPv4 address assigned by NAT";
205 container external-src-port {
207 "External source port number assigned by NAT.";
211 leaf transport-protocol {
215 "Upper-layer protocol associated with this mapping.
216 Values are taken from the IANA protocol registry.
217 For example, this field contains 6 (TCP) for a TCP
218 mapping or 17 (UDP) for a UDP mapping.";
221 leaf internal-dst-address {
222 type inet:ipv4-prefix;
224 "Corresponds to the destination IPv4 address
225 of the IPv4 packet, for example, some NAT
226 implementation support translating both source
227 and destination address and ports referred to as
231 container internal-dst-port {
233 "Corresponds to the destination port of the
238 leaf external-dst-address {
239 type inet:ipv4-address;
241 "External destination IPv4 address";
244 container external-dst-port {
246 "External destination port number.";
254 "Lifetime of the mapping.";
258 grouping nat-parameters {
260 "NAT parameters for a given instance";
262 list external-ip-address-pool {
267 "Pool of external IP addresses used to service
269 Both contiguous and non-contiguous pools
270 can be configured for NAT.";
275 "An identifier of the address pool.";
278 leaf external-ip-pool {
279 type inet:ipv4-prefix;
281 "An IPv4 prefix used for NAT purposes.";
286 leaf subscriber-mask-v6 {
291 "The subscriber-mask is an integer that indicates
292 the length of significant bits to be applied on
293 the source IP address (internal side) to
294 unambiguously identify a CPE.
296 Subscriber-mask is a system-wide configuration
297 parameter that is used to enforce generic
298 per-subscriber policies (e.g., port-quota).
300 The enforcement of these generic policies does not
301 require the configuration of every subscriber's
304 Example: suppose the 2001:db8:100:100::/56 prefix
305 is assigned to a NAT64 serviced CPE. Suppose also
306 that 2001:db8:100:100::1 is the IPv6 address used
307 by the client that resides in that CPE. When the
308 NAT64 receives a packet from this client,
309 it applies the subscriber-mask (e.g., 56) on
310 the source IPv6 address to compute the associated
311 prefix for this client (2001:db8:100:100::/56).
312 Then, the NAT64 enforces policies based on that
313 prefix (2001:db8:100:100::/56), not on the exact
314 source IPv6 address.";
318 list subscriber-mask-v4 {
323 "IPv4 subscriber mask.";
328 "An identifier of the subscriber masks.";
331 type inet:ipv4-prefix;
334 "The IP address subnets that match
335 should be translated. E.g., the
336 private realm that is to be translated
337 by NAT could be 192.0.2.0/24";
341 leaf paired-address-pooling {
345 "Paired address pooling is indicating to NAT
346 that all the flows from an internal IP
347 address must be assigned the same external
348 address. This is defined in RFC 4007.";
351 leaf nat-mapping-type {
355 "endpoint-independent-mapping.
356 Refer section 4 of RFC 4787.";
361 "address-dependent-mapping.
362 Refer section 4 of RFC 4787.";
367 "address-and-port-dependent-mapping.
368 Refer section 4 of RFC 4787.";
372 "Indicates the type of a NAT mapping.";
374 leaf nat-filtering-type {
378 "endpoint-independent-filtering.
379 Refer section 5 of RFC 4787.";
384 "address-dependent-filtering.
385 Refer section 5 of RFC 4787.";
390 "address-and-port-dependent-filtering.
391 Refer section 5 of RFC 4787.";
395 "Indicates the type of a NAT filtering.";
401 "Configures a port quota to be assigned per
407 "Manages port-set assignments.";
409 leaf port-set-enable {
412 "Enable/Disable port set assignment.";
418 "Indicates the size of assigned port
422 leaf port-set-timeout {
425 "Inactivity timeout for port sets.";
429 leaf port-randomization-enable {
432 "Enable/disable port randomization
436 leaf port-preservation-enable {
439 "Indicates whether the PCP server should
440 preserve the internal port number.";
443 leaf port-range-preservation-enable {
446 "Indicates whether the NAT device should
447 preserve the internal port range.";
450 leaf port-parity-preservation-enable {
453 "Indicates whether the PCP server should
454 preserve the port parity of the
455 internal port number.";
457 leaf address-roundrobin-enable {
460 "Enable/disable address allocation
465 container logging-info {
467 "Information about Logging NAT events";
469 leaf destination-address {
470 type inet:ipv4-prefix;
473 "Address of the collector that receives
476 leaf destination-port {
477 type inet:port-number;
480 "Destination port of the collector.";
484 container connection-limit {
486 "Information on the config parameters that
487 rate limit the translations based on various
490 leaf limit-per-subscriber {
493 "Maximum number of NAT mappings per
499 "Maximum number of NAT mappings per
502 leaf limit-per-subnet {
503 type inet:ipv4-prefix;
505 "Maximum number of NAT mappings per
508 leaf limit-per-instance {
512 "Maximum number of NAT mappings per
516 container mapping-limit {
518 "Information on the config parameters that
519 rate limit the mappings based on various
522 leaf limit-per-subscriber {
525 "Maximum number of NAT mappings per
531 "Maximum number of NAT mappings per
534 leaf limit-per-subnet {
535 type inet:ipv4-prefix;
537 "Maximum number of NAT mappings per
540 leaf limit-per-instance {
544 "Maximum number of NAT mappings per
548 leaf ftp-alg-enable {
551 "Enable/Disable FTP ALG";
554 leaf dns-alg-enable {
557 "Enable/Disable DNSALG";
560 leaf tftp-alg-enable {
563 "Enable/Disable TFTP ALG";
566 leaf msrpc-alg-enable {
569 "Enable/Disable MS-RPC ALG";
572 leaf netbios-alg-enable {
575 "Enable/Disable NetBIOS ALG";
578 leaf rcmd-alg-enable {
581 "Enable/Disable rcmd ALG";
584 leaf ldap-alg-enable {
587 "Enable/Disable LDAP ALG";
590 leaf sip-alg-enable {
593 "Enable/Disable SIP ALG";
596 leaf rtsp-alg-enable {
599 "Enable/Disable RTSP ALG";
602 leaf h323-alg-enable {
605 "Enable/Disable H323 ALG";
608 leaf all-algs-enable {
611 "Enable/Disable all the ALGs";
614 container notify-pool-usage {
616 "Notification of Pool usage when certain criteria
622 "Pool-ID for which the notification
623 criteria is defined";
626 leaf notify-pool-hi-threshold {
630 "Notification must be generated when the
631 defined high threshold is reached.
632 For example, if a notification is
633 required when the pool utilization reaches
634 90%, this configuration parameter must
638 leaf notify-pool-low-threshold {
641 "Notification must be generated when the defined
642 low threshold is reached.
643 For example, if a notification is required when
644 the pool utilization reaches below 10%,
645 this configuration parameter must be set to
649 list nat64-prefixes {
653 "Provides one or a list of NAT64 prefixes
654 with or without a list of destination IPv4 prefixes.
656 Destination-based Pref64::/n is discussed in
657 Section 5.1 of [RFC7050]. For example:
658 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
659 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
661 leaf nat64-prefix-id {
664 "An identifier of the NAT64 prefix.";
668 type inet:ipv6-prefix;
669 default "64:ff9b::/96";
671 "A NAT64 prefix. Can be NSP or WKP [RFC6052].";
674 list destination-ipv4-prefix {
679 "An IPv4 prefix/address.";
681 leaf ipv4-prefix-id {
684 "An identifier of the IPv4 prefix/address.";
688 type inet:ipv4-prefix;
690 "An IPv4 address/prefix. ";
694 } //nat-parameters group
696 container nat-config {
700 container nat-instances {
714 "NAT instance identifier.";
720 "Status of the NAT instance.";
725 container mapping-table {
727 "NAT dynamic mapping table used to track
733 "NAT mapping entry.";
745 container nat-state {
752 container nat-instances {
763 // FIXME changed int32 to uint32 to align with nat-config (authors of draft notified)
766 "The identifier of the nat instance.";
769 container nat-capabilities {
776 "Indicates NAT44 support";
782 "Indicates NAT64 support";
785 leaf static-mapping-support {
788 "Indicates whether static mappings are
792 leaf port-set-support {
795 "Indicates port set assignment
799 leaf port-randomization-support {
802 "Indicates whether port randomization is
806 leaf port-range-preservation-support {
809 "Indicates whether port range
810 preservation is supported.";
813 leaf port-preservation-suport {
816 "Indicates whether port preservation
820 leaf port-parity-preservation-support {
823 "Indicates whether port parity
824 preservation is supported.";
827 leaf address-roundrobin-support {
830 "Indicates whether address allocation
831 round robin is supported.";
834 leaf ftp-alg-support {
837 "Indicates whether FTP ALG is supported";
840 leaf dns-alg-support {
843 "Indicates whether DNSALG is supported";
849 "Indicates whether TFTP ALG is supported";
852 leaf msrpc-alg-support {
855 "Indicates whether MS-RPC ALG is supported";
858 leaf netbios-alg-support {
861 "Indicates whether NetBIOS ALG is supported";
864 leaf rcmd-alg-support {
867 "Indicates whether rcmd ALG is supported";
870 leaf ldap-alg-support {
873 "Indicates whether LDAP ALG is supported";
876 leaf sip-alg-support {
879 "Indicates whether SIP ALG is supported";
882 leaf rtsp-alg-support {
885 "Indicates whether RTSP ALG is supported";
888 leaf h323-alg-support {
891 "Indicates whether H323 ALG is supported";
894 leaf paired-address-pooling-support {
897 "Indicates whether paired-address-pooling is
901 leaf endpoint-independent-mapping-support {
904 "Indicates whether endpoint-independent-mapping
905 in Section 4 of RFC 4787 is supported.";
908 leaf address-dependent-mapping-support {
911 "Indicates whether address-dependent-mapping
912 in Section 4 of RFC 4787 is supported.";
915 leaf address-and-port-dependent-mapping-support {
918 "Indicates whether address-and-port-dependent-mapping in
919 section 4 of RFC 4787 is supported.";
922 leaf endpoint-independent-filtering-support {
925 "Indicates whether endpoint-independent-filtering in
926 section 5 of RFC 4787 is supported.";
929 leaf address-dependent-filtering {
932 "Indicates whether address-dependent-filtering in
933 section 5 of RFC 4787 is supported.";
936 leaf address-and-port-dependent-filtering {
939 "Indicates whether address-and-port-dependent-filtering in
940 section 5 of RFC 4787 is supported.";
943 leaf stealth-mode-support {
946 "Indicates whether to respond for unsolicited
952 container nat-current-config {
959 container mapping-table {
970 container statistics {
972 "Statistics related to the NAT instance";
974 leaf total-mappings {
977 "Total number of NAT Mappings present
978 at the time. This includes all the
979 static and dynamic mappings";
981 leaf total-tcp-mappings {
984 "Total number of TCP Mappings present
987 leaf total-udp-mappings {
990 "Total number of UDP Mappings present
993 leaf total-icmp-mappings {
996 "Total number of ICMP Mappings present
999 container pool-stats {
1001 "Statistics related to Pool usage";
1005 "Unique Identifier that represents
1008 leaf address-allocated {
1011 "Number of allocated addresses in
1017 "Number of free addresses in
1018 the pool. The sum of free
1019 addresses and allocated
1020 addresses is the total number of
1021 addresses in the pool";
1023 container port-stats {
1025 "Statistics related to port
1028 leaf ports-allocated {
1031 "Number of allocated ports
1038 "Number of free addresses
1050 notification nat-event {
1052 "Notifications must be generated when the defined
1053 high/low threshold is reached. Related configuration
1054 parameters must be provided to trigger
1055 the notifications.";
1060 "/nat-state/nat-instances/"
1061 + "nat-instance/id";
1067 leaf notify-pool-threshold {
1071 "A threshold has been reached.";