ietf-nat@2018-09-27.yang   ietf-nat@2018-12-14.yang 
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
prefix "nat"; prefix nat;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"Section 3 of RFC 6991"; "Section 3 of RFC 6991";
} }
import ietf-interfaces { import ietf-interfaces {
prefix if; prefix if;
reference reference
"RFC 8343: A YANG Data Model for Interface Management"; "RFC 8343: A YANG Data Model for Interface Management";
} }
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com> <mailto:mohamed.boucadair@orange.com>
Author: Senthil Sivakumar Author: Senthil Sivakumar
<mailto:ssenthil@cisco.com> <mailto:ssenthil@cisco.com>
Author: Christian Jacquenet Author: Christian Jacquenet
skipping to change at line 46 skipping to change at line 42
<mailto:ssenthil@cisco.com> <mailto:ssenthil@cisco.com>
Author: Christian Jacquenet Author: Christian Jacquenet
<mailto:christian.jacquenet@orange.com> <mailto:christian.jacquenet@orange.com>
Author: Suresh Vinapamula Author: Suresh Vinapamula
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Author: Qin Wu Author: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations. "This module is a YANG module for NAT implementations.
NAT44, Network Address and Protocol Translation from IPv6 NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Clients to IPv4 Servers (NAT64), customer-side translator
Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit
for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network Address Mappings (EAM) for SIIT, IPv6 Network Prefix
Prefix Translation (NPTv6), and Destination NAT are covered. Translation (NPTv6), and Destination NAT are covered.
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 8512; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-09-27 { revision 2018-12-14 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for Network Address Translation "RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
description description
"Percentage"; "Percentage";
skipping to change at line 93 skipping to change at line 87
range "0 .. 100"; range "0 .. 100";
} }
description description
"Percentage"; "Percentage";
} }
/* /*
* Features * Features
*/ */
feature basic-nat44{ feature basic-nat44 {
description description
"Basic NAT44 translation is limited to IP addresses alone."; "Basic NAT44 translation is limited to IP addresses alone.";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature napt44 { feature napt44 {
description description
"Network Address/Port Translator (NAPT): translation is "Network Address Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID). (such as a TCP/UDP port or ICMP query ID).
If the internal IP address is not sufficient to uniquely If the internal IP address is not sufficient to uniquely
disambiguate NAPT44 mappings, an additional attribute is disambiguate NAPT44 mappings, an additional attribute is
required. For example, that additional attribute may required. For example, that additional attribute may
be an IPv6 address (a.k.a., DS-Lite) or be an IPv6 address (a.k.a., DS-Lite) or
a Layer 2 identifier (a.k.a., Per-Interface NAT)"; a Layer 2 identifier (a.k.a., Per-Interface NAT)";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature dst-nat { feature dst-nat {
description description
"Destination NAT is a translation that acts on the destination "Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices usually deployed in load balancers or at devices
in front of public servers."; in front of public servers.";
} }
feature nat64 { feature nat64 {
description description
"NAT64 translation allows IPv6-only clients to contact IPv4 "NAT64 translation allows IPv6-only clients to contact IPv4
servers using, e.g., UDP, TCP, or ICMP. One or more servers using, e.g., UDP, TCP, or ICMP. One or more
public IPv4 addresses assigned to a NAT64 translator are public IPv4 addresses assigned to a NAT64 translator are
shared among several IPv6-only clients."; shared among several IPv6-only clients.";
reference reference
"RFC 6146: Stateful NAT64: Network Address and Protocol "RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers"; Translation from IPv6 Clients to IPv4 Servers";
} }
feature siit { feature siit {
description description
"The Stateless IP/ICMP Translation Algorithm (SIIT), which "The Stateless IP/ICMP Translation Algorithm (SIIT), which
translates between IPv4 and IPv6 packet headers (including translates between IPv4 and IPv6 packet headers (including
ICMP headers). ICMP headers).
In the stateless mode, an IP/ICMP translator converts IPv4 In the stateless mode, an IP/ICMP translator converts IPv4
addresses to IPv6 and vice versa solely based on the addresses to IPv6, and vice versa, solely based on the
configuration of the stateless IP/ICMP translator and configuration of the stateless IP/ICMP translator and
information contained within the packet being translated. information contained within the packet being translated.
The translator must support the stateless address mapping The translator must support the stateless address mapping
algorithm defined in RFC6052, which is the default behavior."; algorithm defined in RFC 6052, which is the default behavior.";
reference reference
"RFC 7915: IP/ICMP Translation Algorithm"; "RFC 7915: IP/ICMP Translation Algorithm";
} }
feature clat { feature clat {
description description
"CLAT is customer-side translator that algorithmically "CLAT is customer-side translator that algorithmically
translates 1:1 private IPv4 addresses to global IPv6 addresses, translates 1:1 private IPv4 addresses to global IPv6
and vice versa. addresses, and vice versa.
When a dedicated /64 prefix is not available for translation When a dedicated /64 prefix is not available for translation
from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4 packets appear packets so that all the LAN-originated IPv4 packets appear
from a single IPv4 address and are then statelessly translated from a single IPv4 address and are then statelessly translated
to one interface IPv6 address that is claimed by the CLAT via to one interface IPv6 address that is claimed by the CLAT via
the Neighbor Discovery Protocol (NDP) and defended with the Neighbor Discovery Protocol (NDP) and defended with
Duplicate Address Detection."; Duplicate Address Detection.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and
Translation"; Stateless Translation";
} }
feature eam { feature eam {
description description
"Explicit Address Mapping (EAM) is a bidirectional coupling "Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 Prefix and an IPv6 Prefix."; between an IPv4 prefix and an IPv6 prefix.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
feature nptv6 { feature nptv6 {
description description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation."; prefix translation.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
skipping to change at line 251 skipping to change at line 246
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
identity nptv6 { identity nptv6 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for NPTv6 support.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
/*
* Grouping /*
*/ * Grouping
*/
grouping port-number { grouping port-number {
description description
"An individual port number or a range of ports. "An individual port number or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port number."; it represents a single port number.";
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"Beginning of the port range."; "Beginning of the port range.";
reference reference
"Section 3.2.9 of RFC 8045."; "Section 3.2.9 of RFC 8045";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
must '. >= ../start-port-number' {
must ". >= ../start-port-number" error-message
{ "The end-port-number must be greater than or
error-message equal to start-port-number.";
"The end-port-number must be greater than or }
equal to start-port-number.";
}
description description
"End of the port range."; "End of the port range.";
reference reference
"Section 3.2.10 of RFC 8045."; "Section 3.2.10 of RFC 8045";
} }
} }
grouping port-set { grouping port-set {
description description
"Indicates a set of port numbers. "Indicates a set of port numbers.
It may be a simple port range, or use the Port Set ID (PSID) It may be a simple port range, or use the Port Set
algorithm to represent a range of transport layer Identifier (PSID) algorithm to represent a range of
port numbers which will be used by a NAPT."; transport-layer port numbers that will be used by a
NAPT.";
choice port-type { choice port-type {
default port-range; default "port-range";
description description
"Port type: port-range or port-set-algo."; "Port type: port-range or port-set-algo.";
case port-range { case port-range {
uses port-number; uses port-number;
} }
case port-set-algo { case port-set-algo {
leaf psid-offset { leaf psid-offset {
type uint8 { type uint8 {
range 0..15; range "0..15";
} }
description description
"The number of offset bits (a.k.a., 'a' bits). "The number of offset bits (a.k.a., 'a' bits).
Specifies the numeric value for the excluded port Specifies the numeric value for the excluded port
range/offset bits. range/offset bits.
Allowed values are between 0 and 15."; Allowed values are between 0 and 15.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
leaf psid-len { leaf psid-len {
type uint8 { type uint8 {
range 0..15; range "0..15";
} }
mandatory true; mandatory true;
description
"The length of PSID, representing the sharing
ratio for an IPv4 address.
description (also known as 'k').
"The length of PSID, representing the sharing
ratio for an IPv4 address.
(also known as 'k').
The address-sharing ratio would be 2^k."; The address-sharing ratio would be 2^k.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
leaf psid { leaf psid {
type uint16; type uint16;
mandatory true; mandatory true;
description description
"Port Set Identifier (PSID) value, which "PSID value, which identifies a set
identifies a set of ports algorithmically."; of ports algorithmically.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
} }
reference reference
"Section 7597: Mapping of Address and Port with "RFC 7597: Mapping of Address and Port with
Encapsulation (MAP-E)"; Encapsulation (MAP-E)";
} }
} }
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry. "NAT mapping entry.
If an attribute is not stored in the mapping/session table, If an attribute is not stored in the mapping/session table,
this means the corresponding field of a packet that it means the corresponding field of a packet that
matches this entry is not rewritten by the NAT or this matches this entry is not rewritten by the NAT or this
information is not required for NAT filtering purposes."; information is not required for NAT filtering purposes.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry. This identifier can be "A unique identifier of a mapping entry. This identifier
automatically assigned by the NAT instance or be explicitly can be automatically assigned by the NAT instance or be
configured."; explicitly configured.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum "static" { enum static {
description description
"The mapping entry is explicitly configured "The mapping entry is explicitly configured
(e.g., via command-line interface)."; (e.g., via a command-line interface).";
} }
enum dynamic-implicit {
enum "dynamic-implicit" {
description description
"This mapping is created implicitly as a side effect "This mapping is created implicitly as a side effect
of processing a packet that requires a new mapping."; of processing a packet that requires a new mapping.";
} }
enum dynamic-explicit {
enum "dynamic-explicit" {
description description
"This mapping is created as a result of an explicit "This mapping is created as a result of an explicit
request, e.g., a PCP message."; request, e.g., a PCP message.";
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of mapping entry. For example,
a mapping can be: static, implicit dynamic, a mapping can be: static, implicit dynamic,
or explicit dynamic."; or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this mapping. "The upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry:: Values are taken from the IANA Protocol Numbers registry:
https://www.iana.org/assignments/protocol-numbers/ <https://www.iana.org/assignments/protocol-numbers/>.
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP. 17 for UDP, 33 for DCCP, or 132 for SCTP.
If this leaf is not instantiated, then the mapping If this leaf is not instantiated, then the mapping
applies to any protocol."; applies to any protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal interface."; of the packet received on an internal interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the packet received "Corresponds to the source port of the packet received
on an internal interface. on an internal interface.
It is used also to indicate the internal source ICMP It is also used to indicate the internal source ICMP
identifier. identifier.
As a reminder, all the ICMP Query messages contain As a reminder, all the ICMP Query messages contain
an 'Identifier' field, which is referred to in this an 'Identifier' field, which is referred to in this
document as the 'ICMP Identifier'."; document as the 'ICMP Identifier'.";
uses port-number;
uses port-number;
} }
leaf external-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Source IP address/prefix of the packet sent on an "Source IP address/prefix of the packet sent on an
external interface of the NAT."; external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent on an external "Source port of the packet sent on an external
interface of the NAT. interface of the NAT.
It is used also to indicate the external source ICMP It is also used to indicate the external source ICMP
identifier."; identifier.";
uses port-number; uses port-number;
} }
leaf internal-dst-address { leaf internal-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and port numbers, sometimes referred to addresses and port numbers, sometimes referred to
skipping to change at line 474 skipping to change at line 445
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and port numbers, sometimes referred to addresses and port numbers, sometimes referred to
as 'Twice NAT'."; as 'Twice NAT'.";
} }
container internal-dst-port { container internal-dst-port {
description description
"Corresponds to the destination port of the "Corresponds to the destination port of the
IP packet received on the internal interface. IP packet received on the internal interface.
It is used also to include the internal It is also used to include the internal
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf external-dst-address { leaf external-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet sent on an external interface of the packet sent on an external interface
of the NAT."; of the NAT.";
} }
container external-dst-port { container external-dst-port {
description description
"Corresponds to the destination port number of "Corresponds to the destination port number of
the packet sent on the external interface the packet sent on the external interface
of the NAT. of the NAT.
It is used also to include the external It is also used to include the external
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf lifetime { leaf lifetime {
type uint32; type uint32;
units "seconds"; units "seconds";
description description
"When specified, it is used to track the connection that is "When specified, it is used to track the connection that is
fully-formed (e.g., once the three-way handshake fully formed (e.g., once the three-way handshake
TCP is completed) or the duration for maintaining TCP is completed) or the duration for maintaining
an explicit mapping alive. The mapping entry will be an explicit mapping alive. The mapping entry will be
removed by the NAT instance once this lifetime is expired. removed by the NAT instance once this lifetime is expired.
When reported in a get operation, the lifetime indicates When reported in a get operation, the lifetime indicates
the remaining validity lifetime. the remaining validity lifetime.
Static mappings may not be associated with a Static mappings may not be associated with a
lifetime. If no lifetime is associated with a lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to static mapping, an explicit action is required to
remove that mapping."; remove that mapping.";
} }
} }
/* /*
* NAT Module * NAT Module
*/ */
container nat { container nat {
description description
"NAT module"; "NAT module";
container instances { container instances {
description description
"NAT instances"; "NAT instances";
list instance { list instance {
key "id"; key "id";
description description
"A NAT instance. This identifier can be automatically assigned "A NAT instance. This identifier can be automatically
or explicitly configured."; assigned or explicitly configured.";
leaf id { leaf id {
type uint32; type uint32;
must ". >= 1"; must '. >= 1';
description description
"NAT instance identifier. "NAT instance identifier.
The identifier must be greater than zero."; The identifier must be greater than zero.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"Status of the NAT instance."; "Status of the NAT instance.";
} }
container capabilities { container capabilities {
config false; config false;
description description
"NAT capabilities"; "NAT capabilities.";
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
} }
description description
"Supported translation type(s)."; "Supported translation type(s).";
} }
leaf-list per-interface-binding { leaf-list per-interface-binding {
type enumeration { type enumeration {
enum "unsupported" { enum unsupported {
description description
"No capability to associate a NAT binding with "No capability to associate a NAT binding with
an extra identifier."; an extra identifier.";
}
enum layer-2 {
description
"The NAT instance is able to associate a mapping with
a Layer 2 identifier.";
}
enum dslite {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
} }
enum "layer-2" {
description
"The NAT instance is able to associate a mapping with
a layer-2 identifier.";
}
enum "dslite" {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
}
description
"Indicates the capability of a NAT to associate a particular
NAT session not only with the five tuples used for the
transport connection on both sides of the NAT but also with
the internal interface on which the user device is
connected to the NAT.";
reference
"Section 4 of RFC 6619";
}
list transport-protocols {
key protocol-id;
description
"List of supported protocols.";
leaf protocol-id {
type uint8;
mandatory true;
description description
"Upper-layer protocol associated with a mapping. "Indicates the capability of a NAT to associate a
particular NAT session not only with the five
Values are taken from the IANA protocol registry. tuples used for the transport connection on both
sides of the NAT but also with the internal
For example, this field contains 6 for TCP, interface on which the user device is
17 for UDP, 33 for DCCP, or 132 for SCTP."; connected to the NAT.";
reference
"Section 4 of RFC 6619";
} }
list transport-protocols {
leaf protocol-name { key "protocol-id";
type string;
description description
"The name of the Upper-layer protocol associated "List of supported protocols.";
with this mapping. leaf protocol-id {
type uint8;
For example, TCP, UDP, DCCP, and SCTP."; mandatory true;
}
}
leaf restricted-port-support {
type boolean;
description
"Indicates source port NAT restriction support.";
reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture.";
}
leaf static-mapping-support {
type boolean;
description
"Indicates whether static mappings are supported.";
}
leaf port-randomization-support {
type boolean;
description
"Indicates whether port randomization is supported.";
reference
"Section 4.2.1 of RFC 4787.";
}
leaf port-range-allocation-support {
type boolean;
description
"Indicates whether port range allocation is supported.";
reference
"Section 1.1 of RFC 7753.";
}
leaf port-preservation-suport {
type boolean;
description
"Indicates whether port preservation is supported.";
reference
"Section 4.2.1 of RFC 4787.";
}
leaf port-parity-preservation-support {
type boolean;
description
"Indicates whether port parity preservation is
supported.";
reference
"Section 8 of RFC 7857.";
}
leaf address-roundrobin-support {
type boolean;
description
"Indicates whether address allocation round robin is
supported.";
}
leaf paired-address-pooling-support {
type boolean;
description
"Indicates whether paired-address-pooling is
supported";
reference
"REQ-2 of RFC 4787.";
}
leaf endpoint-independent-mapping-support {
type boolean;
description
"Indicates whether endpoint-independent-
mapping is supported.";
reference
"Section 4 of RFC 4787.";
}
leaf address-dependent-mapping-support {
type boolean;
description
"Indicates whether address-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787.";
}
leaf address-and-port-dependent-mapping-support {
type boolean;
description
"Indicates whether address-and-port-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787.";
}
leaf endpoint-independent-filtering-support {
type boolean;
description
"Indicates whether endpoint-independent-filtering is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf address-dependent-filtering {
type boolean;
description
"Indicates whether address-dependent-filtering is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf address-and-port-dependent-filtering {
type boolean;
description
"Indicates whether address-and-port-dependent is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf fragment-behavior {
type enumeration {
enum "unsupported" {
description description
"No capability to translate incoming fragments. "The upper-layer protocol associated with a mapping.
All received fragments are dropped.";
}
enum "in-order" { Values are taken from the IANA Protocol Numbers
description registry.
"The NAT instance is able to translate fragments only if
they are received in order. That is, in particular the
header is in the first packet. Fragments received
out of order are dropped. ";
}
enum "out-of-order" { For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP.";
}
leaf protocol-name {
type string;
description description
"The NAT instance is able to translate a fragment even "The name of the upper-layer protocol associated
if it is received out of order. with this mapping.
This behavior is recommended."; For example, TCP, UDP, DCCP, and SCTP.";
reference
"REQ-14 of RFC 4787";
} }
} }
description leaf restricted-port-support {
"The fragment behavior is the NAT instance's capability to type boolean;
translate fragments received on the external interface of
the NAT.";
}
}
leaf type {
type identityref {
base nat-type;
}
description
"Specify the translation type. Particularly useful when
multiple translation flavors are supported.
If one type is supported by a NAT, this parameter is by
default set to that type.";
}
leaf per-interface-binding {
type enumeration {
enum "disabled" {
description description
"Disable the capability to associate an extra identifier "Indicates source port NAT restriction support.";
with NAT mappings."; reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture";
} }
leaf static-mapping-support {
enum "layer-2" { type boolean;
description description
"The NAT instance is able to associate a mapping with "Indicates whether static mappings are supported.";
a layer-2 identifier.";
} }
leaf port-randomization-support {
enum "dslite" { type boolean;
description description
"The NAT instance is able to associate a mapping with "Indicates whether port randomization is supported.";
an IPv6 address (a.k.a., DS-Lite)."; reference
"Section 4.2.1 of RFC 4787";
} }
} leaf port-range-allocation-support {
description type boolean;
"A NAT that associates a particular NAT session not only with description
the five tuples used for the transport connection on both "Indicates whether port range allocation is supported.";
sides of the NAT but also with the internal interface on
which the user device is connected to the NAT.
If supported, this mode of operation should be configurable,
and it should be disabled by default in general-purpose NAT
devices.
If one single per-interface binding behavior is supported by
a NAT, this parameter is by default set to that behavior.";
reference
"Section 4 of RFC 6619";
}
list nat-pass-through {
if-feature "basic-nat44 or napt44 or dst-nat";
key id;
description
"IP prefix NAT pass through.";
leaf id {
type uint32;
description
"An identifier of the IP prefix pass through.";
}
leaf prefix {
type inet:ip-prefix;
mandatory true;
description
"The IP addresses that match should not be translated.
It must be possible to administratively turn
off translation for specific destination addresses
and/or ports.";
reference
"REQ#6 of RFC 6888.";
}
leaf port {
type inet:port-number;
description
"It must be possible to administratively turn off
translation for specific destination addresses
and/or ports.
If no prefix is defined, the NAT pass through bound
to a given port applies for any destination address.";
reference
"REQ#6 of RFC 6888.";
}
}
list policy {
key id;
description
"NAT parameters for a given instance";
leaf id {
type uint32;
description
"An identifier of the NAT policy. It must be unique
within the NAT instance.";
}
container clat-parameters {
if-feature clat;
description
"CLAT parameters.";
list clat-ipv6-prefixes {
key ipv6-prefix;
description
"464XLAT double translation treatment is stateless when a
dedicated /64 is available for translation on the CLAT.
Otherwise, the CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to a single IPv4
address and then stateless translation to a single
IPv6 address.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "Section 1.1 of RFC 7753";
Translation";
leaf ipv6-prefix {
type inet:ipv6-prefix;
description
"An IPv6 prefix used for CLAT.";
}
} }
leaf port-preservation-suport {
list ipv4-prefixes { type boolean;
key ipv4-prefix;
description description
"Pool of IPv4 addresses used for CLAT. "Indicates whether port preservation is supported.";
192.0.0.0/29 is the IPv4 service continuity prefix.";
reference reference
"RFC 7335: IPv4 Service Continuity Prefix"; "Section 4.2.1 of RFC 4787";
}
leaf ipv4-prefix { leaf port-parity-preservation-support {
type inet:ipv4-prefix; type boolean;
description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
}
}
}
list nptv6-prefixes {
if-feature nptv6;
key internal-ipv6-prefix ;
description
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description description
"An IPv6 prefix used by an internal interface of NPTv6."; "Indicates whether port parity preservation is
supported.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "Section 8 of RFC 7857";
}
leaf external-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by the external interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
}
list eam {
if-feature eam;
key ipv4-prefix;
description
"The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference
"Section 3.1 of RFC 7757.";
leaf ipv4-prefix {
type inet:ipv4-prefix;
mandatory true;
description
"The IPv4 prefix of an EAM.";
reference
"Section 3.2 of RFC 7757.";
}
leaf ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"The IPv6 prefix of an EAM.";
reference
"Section 3.2 of RFC 7757.";
}
}
list nat64-prefixes {
if-feature "siit or nat64 or clat";
key nat64-prefix;
description
"Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes.
It allows mapping IPv4 address ranges to IPv6 prefixes.
For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference
"Section 5.1 of RFC 7050.";
leaf nat64-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
Well-Known Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 translation
should assign a Network-Specific Prefix to their
IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6 addresses
must use the selected Network-Specific Prefix.
Both IPv4-translatable IPv6 addresses and IPv4-converted
IPv6 addresses should use the same prefix.";
reference
"Sections 3.3 and 3.4 of RFC 6052.";
}
list destination-ipv4-prefix {
key ipv4-prefix;
description
"An IPv4 prefix/address.";
leaf ipv4-prefix {
type inet:ipv4-prefix;
description
"An IPv4 address/prefix.";
}
} }
leaf address-roundrobin-support {
leaf stateless-enable {
type boolean; type boolean;
default false;
description description
"Enable explicitly stateless NAT64."; "Indicates whether address allocation round robin is
} supported.";
} }
leaf paired-address-pooling-support {
list external-ip-address-pool { type boolean;
if-feature "basic-nat44 or napt44 or nat64";
key pool-id;
description
"Pool of external IP addresses used to service internal
hosts.
A pool is a set of IP prefixes.";
leaf pool-id {
type uint32;
must ". >= 1";
description
"An identifier that uniquely identifies the address pool
within a NAT instance.
The identifier must be greater than zero.";
reference
"RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
}
leaf external-ip-pool {
type inet:ipv4-prefix;
mandatory true;
description
"An IPv4 prefix used for NAT purposes.";
}
}
container port-set-restrict {
if-feature "napt44 or nat64";
description
"Configures contiguous and non-contiguous port ranges.
The port set is used to restrict the external source
port numbers used by the translator.";
uses port-set;
}
leaf dst-nat-enable {
if-feature "basic-nat44 or napt44";
type boolean;
default false;
description
"Enable/Disable destination NAT.
A NAT44 may be configured to enable Destination
NAT, too.";
}
list dst-ip-address-pool {
if-feature dst-nat;
key pool-id;
description
"Pool of IP addresses used for destination NAT.";
leaf pool-id {
type uint32;
description description
"An identifier of the address pool."; "Indicates whether paired-address-pooling is
supported";
reference
"REQ-2 of RFC 4787";
} }
leaf endpoint-independent-mapping-support {
leaf dst-in-ip-pool { type boolean;
type inet:ip-prefix;
description description
"Is used to identify an internal destination "Indicates whether endpoint-independent-
IP prefix/address to be translated."; mapping is supported.";
reference
"Section 4 of RFC 4787";
} }
leaf address-dependent-mapping-support {
leaf dst-out-ip-pool { type boolean;
type inet:ip-prefix;
mandatory true;
description description
"IP address/prefix used for destination NAT."; "Indicates whether address-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787";
} }
} leaf address-and-port-dependent-mapping-support {
type boolean;
list transport-protocols {
if-feature "napt44 or nat64 or dst-nat";
key protocol-id;
description
"Configure the transport protocols to be handled by
the translator.
TCP and UDP are supported by default.";
leaf protocol-id {
type uint8;
mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Indicates whether address-and-port-dependent-mapping is
supported.";
Values are taken from the IANA protocol registry. reference
"Section 4 of RFC 4787";
For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf endpoint-independent-filtering-support {
leaf protocol-name { type boolean;
type string;
description description
"The name of the Upper-layer protocol associated "Indicates whether endpoint-independent-filtering is
with this mapping. supported.";
reference
"Section 5 of RFC 4787";
}
leaf address-dependent-filtering {
type boolean;
description
"Indicates whether address-dependent-filtering is
supported.";
reference
"Section 5 of RFC 4787";
}
leaf address-and-port-dependent-filtering {
type boolean;
description
"Indicates whether address-and-port-dependent is
supported.";
reference
"Section 5 of RFC 4787";
}
leaf fragment-behavior {
type enumeration {
enum unsupported {
description
"No capability to translate incoming fragments.
All received fragments are dropped.";
}
enum in-order {
description
"The NAT instance is able to translate fragments
only if they are received in order. That is, in
particular the header is in the first packet.
Fragments received out of order are dropped. ";
}
enum out-of-order {
description
"The NAT instance is able to translate a fragment even
if it is received out of order.
For example, TCP, UDP, DCCP, and SCTP."; This behavior is recommended.";
reference
"REQ-14 of RFC 4787";
}
}
description
"The fragment behavior is the NAT instance's capability to
translate fragments received on the external interface of
the NAT.";
} }
} }
leaf type {
leaf subscriber-mask-v6 { type identityref {
type uint8 { base nat-type;
range "0 .. 128";
} }
description description
"The subscriber mask is an integer that indicates "Specify the translation type. Particularly useful when
the length of significant bits to be applied on multiple translation flavors are supported.
the source IPv6 address (internal side) to
unambiguously identify a user device (e.g., CPE).
Subscriber mask is a system-wide configuration
parameter that is used to enforce generic
per-subscriber policies (e.g., port-quota).
The enforcement of these generic policies does not
require the configuration of every subscriber's
prefix.
Example: suppose the 2001:db8:100:100::/56 prefix If one type is supported by a NAT, this parameter is by
is assigned to a NAT64 serviced CPE. Suppose also default set to that type.";
that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the
NAT64 receives a packet from this client,
it applies the subscriber-mask-v6 (e.g., 56) on
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address.";
} }
leaf per-interface-binding {
type enumeration {
enum disabled {
description
"Disable the capability to associate an extra identifier
with NAT mappings.";
}
enum layer-2 {
description
"The NAT instance is able to associate a mapping with
a Layer 2 identifier.";
}
enum dslite {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
}
description
"A NAT that associates a particular NAT session not
only with the five tuples used for the transport
connection on both sides of the NAT but also with
the internal interface on which the user device is
connected to the NAT.
list subscriber-match { If supported, this mode of operation should be
configurable, and it should be disabled by default in
general-purpose NAT devices.
If one single per-interface binding behavior is
supported by a NAT, this parameter is by default set to
that behavior.";
reference
"Section 4 of RFC 6619";
}
list nat-pass-through {
if-feature "basic-nat44 or napt44 or dst-nat"; if-feature "basic-nat44 or napt44 or dst-nat";
key match-id; key "id";
description description
"IP prefix match. "IP prefix NAT pass-through.";
A subscriber is identified by a subnet."; leaf id {
leaf match-id {
type uint32; type uint32;
description description
"An identifier of the subscriber match."; "An identifier of the IP prefix pass-through.";
} }
leaf prefix {
leaf subnet {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"The IP address subnets that match "The IP addresses that match should not be translated.
should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
}
leaf address-allocation-type { It must be possible to administratively turn
type enumeration { off translation for specific destination addresses
enum "arbitrary" { and/or ports.";
if-feature "basic-nat44 or napt44 or nat64"; reference
description "REQ-6 of RFC 6888";
"Arbitrary pooling behavior means that the NAT }
instance may create the new port mapping using any leaf port {
address in the pool that has a free port for the type inet:port-number;
protocol concerned."; description
} "It must be possible to administratively turn off
translation for specific destination addresses
and/or ports.
enum "roundrobin" { If no prefix is defined, the NAT pass-through bound
if-feature "basic-nat44 or napt44 or nat64"; to a given port applies for any destination address.";
reference
"REQ-6 of RFC 6888";
}
}
list policy {
key "id";
description
"NAT parameters for a given instance";
leaf id {
type uint32;
description
"An identifier of the NAT policy. It must be unique
within the NAT instance.";
}
container clat-parameters {
if-feature "clat";
description
"CLAT parameters.";
list clat-ipv6-prefixes {
key "ipv6-prefix";
description description
"Round robin allocation."; "464XLAT double-translation treatment is stateless
when a dedicated /64 is available for translation
on the CLAT. Otherwise, the CLAT will have both
stateful and stateless translation since it requires
NAT44 from the LAN to a single IPv4 address and then
stateless translation to a single IPv6 address.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and
Stateless Translation";
leaf ipv6-prefix {
type inet:ipv6-prefix;
description
"An IPv6 prefix used for CLAT.";
}
} }
list ipv4-prefixes {
enum "paired" { key "ipv4-prefix";
if-feature "napt44 or nat64";
description description
"Paired address pooling informs the NAT "Pool of IPv4 addresses used for CLAT.
that all the flows from an internal IP 192.0.0.0/29 is the IPv4 service continuity prefix.";
address must be assigned the same external
address. This is the recommended behavior for
NAPT/NAT64.";
reference reference
"RFC 4787: Network Address Translation (NAT) "RFC 7335: IPv4 Service Continuity Prefix";
Behavioral Requirements for Unicast UDP"; leaf ipv4-prefix {
type inet:ipv4-prefix;
description
"464XLAT double-translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
translation since it requires NAT44 from the
LAN to a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and
Stateless Translation";
}
} }
} }
description list nptv6-prefixes {
"Specifies how external IP addresses are allocated."; if-feature "nptv6";
} key "internal-ipv6-prefix";
description
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
leaf port-allocation-type { In its simplest form, NPTv6 interconnects two
if-feature "napt44 or nat64"; network links: one is an 'internal' network
type enumeration { link attached to a leaf network within a single
enum "random" { administrative domain, and the other is an
'external' network with connectivity to the
global Internet.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description description
"Port randomization is enabled. A NAT port allocation "An IPv6 prefix used by an internal interface of
scheme should make it hard for attackers to guess NPTv6.";
port numbers";
reference reference
"REQ-15 of RFC 6888"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
leaf external-ipv6-prefix {
enum "port-preservation" { type inet:ipv6-prefix;
mandatory true;
description description
"Indicates whether the NAT should preserve the internal "An IPv6 prefix used by the external interface of
port number."; NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
}
list eam {
if-feature "eam";
key "ipv4-prefix";
description
"The Explicit Address Mapping Table is a conceptual
table in which each row represents an EAM.
enum "port-parity-preservation" { Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference
"Section 3.1 of RFC 7757";
leaf ipv4-prefix {
type inet:ipv4-prefix;
mandatory true;
description description
"Indicates whether the NAT should preserve the port "The IPv4 prefix of an EAM.";
parity of the internal port number."; reference
"Section 3.2 of RFC 7757";
} }
leaf ipv6-prefix {
enum "port-range-allocation" { type inet:ipv6-prefix;
mandatory true;
description description
"Indicates whether the NAT assigns a range of ports "The IPv6 prefix of an EAM.";
for an internal host. This scheme allows to minimize
log volume.";
reference reference
"REQ-14 of RFC 6888"; "Section 3.2 of RFC 7757";
} }
} }
list nat64-prefixes {
if-feature "siit or nat64 or clat";
key "nat64-prefix";
description description
"Indicates the type of port allocation."; "Provides one or a list of NAT64 prefixes
} with or without a list of destination IPv4 prefixes.
It allows mapping IPv4 address ranges to IPv6 prefixes.
leaf mapping-type { For example:
if-feature "napt44 or nat64"; 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
type enumeration { 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
enum "eim" { reference
"Section 5.1 of RFC 7050";
leaf nat64-prefix {
type inet:ipv6-prefix;
mandatory true;
description description
"endpoint-independent-mapping."; "A NAT64 prefix. Can be a Network-Specific Prefix (NSP)
or a Well-Known Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 translation
should assign an NSP to their IPv4/IPv6 translation
service.
For stateless NAT64, IPv4-translatable IPv6 addresses
must use the selected NSP.
Both IPv4-translatable IPv6 addresses and
IPv4-converted IPv6 addresses should use
the same prefix.";
reference reference
"Section 4 of RFC 4787."; "Sections 3.3 and 3.4 of RFC 6052";
} }
list destination-ipv4-prefix {
enum "adm" { key "ipv4-prefix";
description description
"address-dependent-mapping."; "An IPv4 prefix/address.";
reference leaf ipv4-prefix {
"Section 4 of RFC 4787."; type inet:ipv4-prefix;
description
"An IPv4 address/prefix.";
}
} }
leaf stateless-enable {
enum "edm" { type boolean;
default "false";
description description
"address-and-port-dependent-mapping."; "Enable explicitly stateless NAT64.";
reference
"Section 4 of RFC 4787.";
} }
} }
description list external-ip-address-pool {
"Indicates the type of a NAT mapping."; if-feature "basic-nat44 or napt44 or nat64";
} key "pool-id";
description
"Pool of external IP addresses used to service internal
hosts.
leaf filtering-type { A pool is a set of IP prefixes.";
if-feature "napt44 or nat64"; leaf pool-id {
type enumeration { type uint32;
enum "eif" { must '. >= 1';
description description
"endpoint-independent-filtering."; "An identifier that uniquely identifies the address pool
reference within a NAT instance.
"Section 5 of RFC 4787.";
}
enum "adf" { The identifier must be greater than zero.";
description
"address-dependent-filtering.";
reference reference
"Section 5 of RFC 4787."; "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
} }
leaf external-ip-pool {
enum "edf" { type inet:ipv4-prefix;
mandatory true;
description description
"address-and-port-dependent-filtering"; "An IPv4 prefix used for NAT purposes.";
reference
"Section 5 of RFC 4787.";
} }
} }
container port-set-restrict {
if-feature "napt44 or nat64";
description description
"Indicates the type of a NAT filtering."; "Configures contiguous and non-contiguous port ranges.
}
leaf fragment-behavior { The port set is used to restrict the external source
if-feature "napt44 or nat64"; port numbers used by the translator.";
type enumeration { uses port-set;
enum "drop-all" { }
leaf dst-nat-enable {
if-feature "basic-nat44 or napt44";
type boolean;
default "false";
description
"Enable/disable Destination NAT.
A NAT44 may be configured to enable Destination
NAT, too.";
}
list dst-ip-address-pool {
if-feature "dst-nat";
key "pool-id";
description
"Pool of IP addresses used for Destination NAT.";
leaf pool-id {
type uint32;
description description
"All received fragments are dropped."; "An identifier of the address pool.";
} }
leaf dst-in-ip-pool {
enum "in-order" { type inet:ip-prefix;
description description
"Translate fragments only if they are received "Is used to identify an internal destination
in order."; IP prefix/address to be translated.";
} }
leaf dst-out-ip-pool {
type inet:ip-prefix;
mandatory true;
description
"IP address/prefix used for Destination NAT.";
}
}
list transport-protocols {
if-feature "napt44 or nat64 or dst-nat";
key "protocol-id";
description
"Configure the transport protocols to be handled by
the translator.
enum "out-of-order" { TCP and UDP are supported by default.";
leaf protocol-id {
type uint8;
mandatory true;
description description
"Translate a fragment even if it is received out "The upper-layer protocol associated with this
of order. mapping.
This behavior is recommended."; Values are taken from the IANA Protocol Numbers
reference registry.
"REQ-14 of RFC 4787";
} For example, this field contains 6 for TCP,
} 17 for UDP, 33 for DCCP, or 132 for SCTP.";
description }
"The fragment behavior instructs the NAT about the leaf protocol-name {
behavior to follow to translate fragments received type string;
on the external interface of the NAT."; description
"The name of the upper-layer protocol associated
with this mapping.
For example, TCP, UDP, DCCP, and SCTP.";
}
} }
leaf subscriber-mask-v6 {
type uint8 {
range "0 .. 128";
}
description
"The subscriber mask is an integer that indicates
the length of significant bits to be applied on
the source IPv6 address (internal side) to
unambiguously identify a user device (e.g., CPE).
list port-quota { Subscriber mask is a system-wide configuration
if-feature "napt44 or nat64"; parameter that is used to enforce generic
key quota-type; per-subscriber policies (e.g., port-quota).
description
"Configures a port quota to be assigned per subscriber.
It corresponds to the maximum number of ports to be
used by a subscriber.";
leaf port-limit { The enforcement of these generic policies does not
type uint16; require the configuration of every subscriber's
prefix.
Example: suppose the 2001:db8:100:100::/56 prefix
is assigned to a NAT64-serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the
NAT64 receives a packet from this client,
it applies the subscriber-mask-v6 (e.g., 56) on
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address.";
}
list subscriber-match {
if-feature "basic-nat44 or napt44 or dst-nat";
key "match-id";
description
"IP prefix match.
A subscriber is identified by a subnet.";
leaf match-id {
type uint32;
description
"An identifier of the subscriber match.";
}
leaf subnet {
type inet:ip-prefix;
mandatory true;
description
"The IP address subnets that match
should be translated. For example, all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
}
leaf address-allocation-type {
type enumeration {
enum arbitrary {
if-feature "basic-nat44 or napt44 or nat64";
description
"Arbitrary pooling behavior means that the NAT
instance may create the new port mapping using any
address in the pool that has a free port for the
protocol concerned.";
}
enum roundrobin {
if-feature "basic-nat44 or napt44 or nat64";
description
"Round-robin allocation.";
}
enum paired {
if-feature "napt44 or nat64";
description
"Paired address pooling informs the NAT
that all the flows from an internal IP
address must be assigned the same external
address. This is the recommended behavior
for NAPT/NAT64.";
reference
"RFC 4787: Network Address Translation (NAT)
Behavioral Requirements for Unicast UDP";
}
}
description
"Specifies how external IP addresses are allocated.";
}
leaf port-allocation-type {
if-feature "napt44 or nat64";
type enumeration {
enum random {
description
"Port randomization is enabled. A NAT port allocation
scheme should make it hard for attackers to guess
port numbers";
reference
"REQ-15 of RFC 6888";
}
enum port-preservation {
description
"Indicates whether the NAT should preserve the
internal port number.";
}
enum port-parity-preservation {
description
"Indicates whether the NAT should preserve the port
parity of the internal port number.";
}
enum port-range-allocation {
description
"Indicates whether the NAT assigns a range of ports
for an internal host. This scheme allows the
minimizing of the log volume.";
reference
"REQ-14 of RFC 6888";
}
}
description
"Indicates the type of port allocation.";
}
leaf mapping-type {
if-feature "napt44 or nat64";
type enumeration {
enum eim {
description
"endpoint-independent-mapping.";
reference
"Section 4 of RFC 4787";
}
enum adm {
description
"address-dependent-mapping.";
reference
"Section 4 of RFC 4787";
}
enum edm {
description
"address-and-port-dependent-mapping.";
reference
"Section 4 of RFC 4787";
}
}
description
"Indicates the type of NAT mapping.";
}
leaf filtering-type {
if-feature "napt44 or nat64";
type enumeration {
enum eif {
description
"endpoint-independent-filtering.";
reference
"Section 5 of RFC 4787";
}
enum adf {
description
"address-dependent-filtering.";
reference
"Section 5 of RFC 4787";
}
enum edf {
description
"address-and-port-dependent-filtering";
reference
"Section 5 of RFC 4787";
}
}
description
"Indicates the type of NAT filtering.";
}
leaf fragment-behavior {
if-feature "napt44 or nat64";
type enumeration {
enum drop-all {
description
"All received fragments are dropped.";
}
enum in-order {
description
"Translate fragments only if they are received
in order.";
}
enum out-of-order {
description
"Translate a fragment even if it is received out
of order.
This behavior is recommended.";
reference
"REQ-14 of RFC 4787";
}
}
description
"The fragment behavior instructs the NAT about the
behavior to follow to translate fragments received
on the external interface of the NAT.";
}
list port-quota {
if-feature "napt44 or nat64";
key "quota-type";
description description
"Configures a port quota to be assigned per subscriber. "Configures a port quota to be assigned per subscriber.
It corresponds to the maximum number of ports to be It corresponds to the maximum number of ports to be
used by a subscriber."; used by a subscriber.";
reference leaf port-limit {
"REQ-4 of RFC 6888."; type uint16;
} description
"Configures a port quota to be assigned per subscriber.
leaf quota-type { It corresponds to the maximum number of ports to be
used by a subscriber.";
reference
"REQ-4 of RFC 6888";
}
leaf quota-type {
type uint8; type uint8;
description description
"Indicates whether the port quota applies to "Indicates whether the port quota applies to
all protocols (0) or to a specific protocol."; all protocols (0) or to a specific protocol.";
}
} }
} container port-set {
when "../port-allocation-type = 'port-range-allocation'";
container port-set { if-feature "napt44 or nat64";
when "../port-allocation-type = 'port-range-allocation'";
if-feature "napt44 or nat64";
description
"Manages port-set assignments.";
leaf port-set-size {
type uint16;
mandatory true;
description description
"Indicates the size of assigned port sets."; "Manages port-set assignments.";
leaf port-set-size {
type uint16;
mandatory true;
description
"Indicates the size of assigned port sets.";
}
leaf port-set-timeout {
type uint32;
units "seconds";
description
"inactivity timeout for port sets.";
}
} }
container timers {
leaf port-set-timeout { if-feature "napt44 or nat64";
type uint32;
units "seconds";
description description
"inactivity timeout for port sets."; "Configure values of various timeouts.";
}
}
container timers {
if-feature "napt44 or nat64";
description
"Configure values of various timeouts.";
leaf udp-timeout { leaf udp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 300; default "300";
description description
"UDP inactivity timeout. That is the time a mapping "UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT."; will stay active without packets traversing the NAT.";
reference reference
"RFC 4787: Network Address Translation (NAT) "RFC 4787: Network Address Translation (NAT)
Behavioral Requirements for Unicast UDP"; Behavioral Requirements for Unicast UDP";
} }
leaf tcp-idle-timeout { leaf tcp-idle-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 7440; default "7440";
description description
"TCP Idle timeout should be 2 hours and 4 minutes."; "TCP idle timeout should be 2 hours and 4 minutes.";
reference reference
"RFC 5382: NAT Behavioral Requirements for TCP"; "RFC 5382: NAT Behavioral Requirements for TCP";
} }
leaf tcp-trans-open-timeout { leaf tcp-trans-open-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default "240";
description description
"The value of the transitory open connection "The value of the transitory open connection
idle-timeout. idle-timeout.
A NAT should provide different configurable A NAT should provide different configurable
parameters for configuring the open and parameters for configuring the open and
closing idle timeouts. closing idle timeouts.
To accommodate deployments that consider To accommodate deployments that consider
a partially open timeout of 4 minutes as being a partially open timeout of 4 minutes as being
excessive from a security standpoint, a NAT may excessive from a security standpoint, a NAT may
allow the configured timeout to be less than allow the configured timeout to be less than
4 minutes. 4 minutes.
However, a minimum default transitory connection However, a minimum default transitory connection
idle-timeout of 4 minutes is recommended."; idle-timeout of 4 minutes is recommended.";
reference reference
"Section 2.1 of RFC 7857."; "Section 2.1 of RFC 7857";
} }
leaf tcp-trans-close-timeout { leaf tcp-trans-close-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default "240";
description description
"The value of the transitory close connection "The value of the transitory close connection
idle-timeout. idle-timeout.
A NAT should provide different configurable A NAT should provide different configurable
parameters for configuring the open and parameters for configuring the open and
closing idle timeouts."; closing idle timeouts.";
reference reference
"Section 2.1 of RFC 7857."; "Section 2.1 of RFC 7857";
} }
leaf tcp-in-syn-timeout { leaf tcp-in-syn-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 6; default "6";
description description
"A NAT must not respond to an unsolicited "A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds inbound SYN packet for at least 6 seconds
after the packet is received. If during after the packet is received. If during
this interval the NAT receives and translates this interval the NAT receives and translates
an outbound SYN for the connection the NAT an outbound SYN for the connection the NAT
must silently drop the original unsolicited must silently drop the original unsolicited
inbound SYN packet."; inbound SYN packet.";
reference reference
"RFC 5382 NAT Behavioral Requirements for TCP"; "RFC 5382 NAT Behavioral Requirements for TCP";
} }
leaf fragment-min-timeout { leaf fragment-min-timeout {
when "../../fragment-behavior='out-of-order'"; when "../../fragment-behavior='out-of-order'";
type uint32; type uint32;
units "seconds"; units "seconds";
default 2; default "2";
description description
"As long as the NAT has available resources, "As long as the NAT has available resources,
the NAT allows the fragments to arrive the NAT allows the fragments to arrive
over fragment-min-timeout interval. over the fragment-min-timeout interval.
The default value is inspired from RFC6146."; The default value is inspired from RFC 6146.";
} }
leaf icmp-timeout { leaf icmp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 60; default "60";
description description
"An ICMP Query session timer must not expire "An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended in less than 60 seconds. It is recommended
that the ICMP Query session timer be made that the ICMP Query session timer be made
configurable"; configurable";
reference reference
"RFC 5508: NAT Behavioral Requirements for ICMP"; "RFC 5508: NAT Behavioral Requirements for ICMP";
} }
list per-port-timeout { list per-port-timeout {
key port-number; key "port-number";
description description
"Some NATs are configurable with short timeouts "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on for some ports, e.g., as 10 seconds on
port 53 (DNS) and 123 (NTP) and longer timeouts port 53 (DNS) and 123 (NTP), and longer timeouts
on other ports."; on other ports.";
leaf port-number { leaf port-number {
type inet:port-number; type inet:port-number;
description description
"A port number."; "A port number.";
} }
leaf protocol { leaf protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this port. "The upper-layer protocol associated with this port.
Values are taken from the IANA protocol registry. Values are taken from the IANA Protocol Numbers
registry.
If no protocol is indicated, this means 'any If no protocol is indicated, it means 'any
protocol'."; protocol'.";
} }
leaf timeout { leaf timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
mandatory true; mandatory true;
description description
"Timeout for this port number"; "Timeout for this port number";
} }
} }
leaf hold-down-timeout { leaf hold-down-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 120; default "120";
description description
"Hold down timer. "Hold-down timer.
Ports in the hold down pool are not reassigned until Ports in the hold-down pool are not reassigned until
hold-down-timeout expires. hold-down-timeout expires.
The length of time and the maximum number of ports in The length of time and the maximum number of ports in
this state must be configurable by the administrator. this state must be configurable by the administrator.
This is necessary in order to prevent collisions This is necessary in order to prevent collisions
between old and new mappings and sessions. It ensures between old and new mappings and sessions. It ensures
that all established sessions are broken instead of that all established sessions are broken instead of
redirected to a different peer."; redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ-8 of RFC 6888";
} }
leaf hold-down-max { leaf hold-down-max {
type uint32; type uint32;
description description
"Maximum ports in the hold down port pool."; "Maximum ports in the hold-down port pool.";
reference reference
"REQ#8 of RFC 6888."; "REQ-8 of RFC 6888";
} }
} }
leaf fragments-limit {
leaf fragments-limit{
when "../fragment-behavior='out-of-order'"; when "../fragment-behavior='out-of-order'";
type uint32; type uint32;
description description
"Limits the number of out of order fragments that can "Limits the number of out-of-order fragments that can
be handled."; be handled.";
reference reference
"Section 11 of RFC 4787."; "Section 11 of RFC 4787";
} }
list algs { list algs {
key name; key "name";
description description
"ALG-related features."; "Features related to the Application Layer
Gateway (ALG).";
leaf name { leaf name {
type string; type string;
description description
"The name of the ALG."; "The name of the ALG.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint32; type uint32;
description description
"The transport protocol used by the ALG "The transport protocol used by the ALG
(e.g., TCP, UDP)."; (e.g., TCP and UDP).";
} }
container dst-transport-port { container dst-transport-port {
uses port-number; uses port-number;
description description
"The destination port number(s) used by the ALG. "The destination port number(s) used by the ALG.
For example, For example,
- 21 for the FTP ALG - 21 for the FTP ALG
- 53 for the DNS ALG."; - 53 for the DNS ALG.";
} }
container src-transport-port { container src-transport-port {
uses port-number; uses port-number;
description description
"The source port number(s) used by the ALG."; "The source port number(s) used by the ALG.";
} }
leaf status { leaf status {
type boolean; type boolean;
description description
"Enable/disable the ALG."; "Enable/disable the ALG.";
} }
} }
leaf all-algs-enable { leaf all-algs-enable {
type boolean; type boolean;
description description
"Disable/enable all ALGs. "Disable/enable all ALGs.
When specified, this parameter overrides the one When specified, this parameter overrides the one
that may be indicated, eventually, by the 'status' that may be indicated, eventually, by the 'status'
of an individual ALG."; of an individual ALG.";
} }
container notify-pool-usage { container notify-pool-usage {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notification of pool usage when certain criteria "Notification of pool usage when certain criteria
are met."; are met.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Pool-ID for which the notification criteria "Pool-ID for which the notification criteria
is defined"; is defined";
} }
leaf low-threshold { leaf low-threshold {
type percent; type percent;
description description
"Notification must be generated when the defined low "Notification must be generated when the defined low
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches below 10%, this pool utilization reaches below 10%, this
configuration parameter must be set to 10. configuration parameter must be set to 10.
skipping to change at line 1708 skipping to change at line 1552
"Notification must be generated when the defined low "Notification must be generated when the defined low
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches below 10%, this pool utilization reaches below 10%, this
configuration parameter must be set to 10. configuration parameter must be set to 10.
0% indicates that low-threshold notification is 0% indicates that low-threshold notification is
disabled."; disabled.";
} }
leaf high-threshold { leaf high-threshold {
type percent; type percent;
must ". >= ../low-threshold" { must '. >= ../low-threshold' {
error-message error-message
"The high threshold must be greater than or equal "The high threshold must be greater than or equal
to the low threshold."; to the low threshold.";
} }
description description
"Notification must be generated when the defined high "Notification must be generated when the defined high
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches 90%, this configuration pool utilization reaches 90%, this configuration
skipping to change at line 1727 skipping to change at line 1570
"Notification must be generated when the defined high "Notification must be generated when the defined high
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches 90%, this configuration pool utilization reaches 90%, this configuration
parameter must be set to 90. parameter must be set to 90.
Setting the same value as low-threshold is equivalent Setting the same value as low-threshold is equivalent
to disabling high-threshold notification."; to disabling high-threshold notification.";
} }
leaf notify-interval { leaf notify-interval {
type uint32 { type uint32 {
range "1 .. 3600"; range "1 .. 3600";
} }
units "seconds"; units "seconds";
default '20'; default "20";
description description
"Minimum number of seconds between successive "Minimum number of seconds between successive
notifications for this pool."; notifications for this pool.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
} }
container external-realm { container external-realm {
description description
"Identifies the external realm of the NAT instance."; "Identifies the external realm of the NAT instance.";
choice realm-type { choice realm-type {
description description
"Can be an interface, VRF instance, etc."; "Can be an interface, VRF instance, etc.";
case interface { case interface {
description description
"External interface."; "External interface.";
leaf external-interface { leaf external-interface {
type if:interface-ref; type if:interface-ref;
description description
"Name of the external interface."; "Name of the external interface.";
} }
} }
} }
} }
} }
container mapping-limits { container mapping-limits {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
description description
"Information about the configuration parameters that "Information about the configuration parameters that
limits the mappings based upon various criteria."; limits the mappings based upon various criteria.";
leaf limit-subscribers { leaf limit-subscribers {
type uint32; type uint32;
description description
"Maximum number of subscribers that can be serviced "Maximum number of subscribers that can be serviced
by a NAT instance. by a NAT instance.
A subscriber is identified by a given prefix."; A subscriber is identified by a given prefix.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
leaf limit-address-mappings { leaf limit-address-mappings {
type uint32; type uint32;
description description
"Maximum number of address mappings that can be "Maximum number of address mappings that can be
handled by a NAT instance. handled by a NAT instance.
When this limit is reached, packets that would When this limit is reached, packets that would
normally trigger translation, will be dropped."; normally trigger translation will be dropped.";
reference reference
"RFC 7659: Definitions of Managed Objects "RFC 7659: Definitions of Managed Objects for
for Network Address Translators Network Address Translators (NATs)";
(NATs)";
} }
leaf limit-port-mappings { leaf limit-port-mappings {
type uint32; type uint32;
description description
"Maximum number of port mappings that can be handled "Maximum number of port mappings that can be handled
by a NAT instance. by a NAT instance.
When this limit is reached, packets that would When this limit is reached, packets that would
normally trigger translation, will be dropped."; normally trigger translation will be dropped.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
list limit-per-protocol { list limit-per-protocol {
if-feature "napt44 or nat64 or dst-nat"; if-feature "napt44 or nat64 or dst-nat";
key protocol-id; key "protocol-id";
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
Values are taken from the IANA protocol registry.
Values are taken from the IANA Protocol Numbers
registry.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Maximum number of protocol-specific NAT mappings "Maximum number of protocol-specific NAT mappings
per instance."; per instance.";
} }
} }
} }
container connection-limits { container connection-limits {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Information about the configuration parameters that "Information about the configuration parameters that
rate limit the translation based upon various criteria."; rate-limit the translation based upon various criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per subscriber."; per subscriber.";
} }
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per instance."; per instance.";
} }
list limit-per-protocol { list limit-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key "protocol-id";
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
Values are taken from the IANA protocol registry. Values are taken from the IANA Protocol Numbers
registry.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Limit the number of protocol-specific mappings "Limit the number of protocol-specific mappings
and sessions per instance."; and sessions per instance.";
} }
} }
} }
container notification-limits { container notification-limits {
description "Sets notification limits."; description
"Sets notification limits.";
leaf notify-interval { leaf notify-interval {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type uint32 { type uint32 {
range "1 .. 3600"; range "1 .. 3600";
} }
units "seconds"; units "seconds";
default '10'; default "10";
description description
"Minimum number of seconds between successive "Minimum number of seconds between successive
notifications for this NAT instance."; notifications for this NAT instance.";
reference reference
"RFC 7659: Definitions of Managed Objects "RFC 7659: Definitions of Managed Objects for
for Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
leaf notify-addresses-usage {
leaf notify-addresses-usage {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type percent; type percent;
description description
"Notification of address mappings usage over "Notification of address mappings usage over
the whole NAT instance. the whole NAT instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the address mappings utilization reaches 90%, the address mappings utilization reaches 90%,
this configuration parameter must be set this configuration parameter must be set
to 90."; to 90.";
} }
leaf notify-ports-usage {
leaf notify-ports-usage {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type percent; type percent;
description description
"Notification of port mappings usage over the "Notification of port mappings usage over the
whole NAT instance. whole NAT instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the port mappings utilization reaches 90%, this the port mappings utilization reaches 90%, this
configuration parameter must be set to 90."; configuration parameter must be set to 90.";
} }
leaf notify-subscribers-limit {
leaf notify-subscribers-limit {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type uint32; type uint32;
description description
"Notification of active subscribers per NAT "Notification of active subscribers per NAT
instance. instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached."; threshold is reached.";
} }
} }
container mapping-table { container mapping-table {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 or nat64 " +
"or nat64 or clat or dst-nat"; "or clat or dst-nat";
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions that maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description "NAT mapping entry."; description
"NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
} }
container statistics { container statistics {
config false; config false;
description description
"Statistics related to the NAT instance."; "Statistics related to the NAT instance.";
leaf discontinuity-time { leaf discontinuity-time {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"The time on the most recent occasion at which the NAT "The time on the most recent occasion at which the NAT
instance suffered a discontinuity. This must be instance suffered a discontinuity. This must be
initialized when the NAT instance is configured initialized when the NAT instance is configured
or rebooted."; or rebooted.";
} }
container traffic-statistics { container traffic-statistics {
description description
"Generic traffic statistics."; "Generic traffic statistics.";
leaf sent-packets { leaf sent-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Number of packets sent.";
} }
leaf sent-bytes { leaf sent-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for sent traffic in bytes."; "Counter for sent traffic in bytes.";
} }
leaf rcvd-packets { leaf rcvd-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of received packets."; "Number of received packets.";
} }
leaf rcvd-bytes { leaf rcvd-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for received traffic in bytes."; "Counter for received traffic in bytes.";
} }
leaf dropped-packets { leaf dropped-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Number of dropped packets.";
} }
leaf dropped-bytes { leaf dropped-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for dropped traffic in bytes."; "Counter for dropped traffic in bytes.";
} }
leaf dropped-fragments { leaf dropped-fragments {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped fragments on the external realm."; "Number of dropped fragments on the external realm.";
} }
leaf dropped-address-limit-packets { leaf dropped-address-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because an address limit "Number of dropped packets because an address limit
is reached."; is reached.";
} }
leaf dropped-address-limit-bytes { leaf dropped-address-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because an address limit "Counter of dropped packets because an address limit
is reached, in bytes."; is reached, in bytes.";
} }
leaf dropped-address-packets { leaf dropped-address-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because no address is "Number of dropped packets because no address is
available for allocation."; available for allocation.";
} }
leaf dropped-address-bytes { leaf dropped-address-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because no address is "Counter of dropped packets because no address is
available for allocation, in bytes."; available for allocation, in bytes.";
} }
leaf dropped-port-limit-packets { leaf dropped-port-limit-packets {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because a port limit "Number of dropped packets because a port limit
is reached."; is reached.";
} }
leaf dropped-port-limit-bytes { leaf dropped-port-limit-bytes {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because a port limit "Counter of dropped packets because a port limit
is reached, in bytes."; is reached, in bytes.";
} }
leaf dropped-port-packets { leaf dropped-port-packets {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because no port is "Number of dropped packets because no port is
available for allocation."; available for allocation.";
} }
leaf dropped-port-bytes { leaf dropped-port-bytes {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because no port is "Counter of dropped packets because no port is
available for allocation, in bytes."; available for allocation, in bytes.";
} }
leaf dropped-subscriber-limit-packets { leaf dropped-subscriber-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because the subscriber "Number of dropped packets because the subscriber
limit per instance is reached."; limit per instance is reached.";
} }
leaf dropped-subscriber-limit-bytes { leaf dropped-subscriber-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because the subscriber "Counter of dropped packets because the subscriber
limit per instance is reached, in bytes."; limit per instance is reached, in bytes.";
} }
} }
container mappings-statistics { container mappings-statistics {
description description
"Mappings statistics."; "Mappings statistics.";
leaf total-active-subscribers { leaf total-active-subscribers {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of active subscribers (that is, "Total number of active subscribers (that is,
subscribers for which the NAT maintains active subscribers for which the NAT maintains active
mappings. mappings).
A subscriber is identified by a subnet, A subscriber is identified by a subnet,
subscriber-mask, etc."; subscriber-mask, etc.";
} }
leaf total-address-mappings { leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 or nat64 " +
"or nat64 or clat or dst-nat"; "or clat or dst-nat";
type yang:gauge32; type yang:gauge32;
description description
"Total number of address mappings present at a given "Total number of address mappings present at a given
time. It includes both static and dynamic mappings."; time. It includes both static and dynamic mappings.";
reference reference
"Section 3.3.8 of RFC 7659"; "Section 3.3.8 of RFC 7659";
} }
leaf total-port-mappings { leaf total-port-mappings {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of NAT port mappings present at "Total number of NAT port mappings present at
a given time. It includes both static and dynamic a given time. It includes both static and dynamic
mappings."; mappings.";
reference reference
"Section 3.3.9 of RFC 7659"; "Section 3.3.9 of RFC 7659";
} }
list total-per-protocol { list total-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key "protocol-id";
description description
"Total mappings for each enabled/supported protocol."; "Total mappings for each enabled/supported protocol.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf total { leaf total {
type yang:gauge32; type yang:gauge32;
description description
"Total number of a protocol-specific mappings present "Total number of a protocol-specific mappings present
at a given time. The protocol is identified by at a given time. The protocol is identified by
protocol-id."; protocol-id.";
} }
} }
} }
container pools-stats { container pools-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Statistics related to address/prefix pools "Statistics related to address/prefix pools
usage"; usage";
leaf addresses-allocated { leaf addresses-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of all allocated addresses."; "Number of all allocated addresses.";
} }
leaf addresses-free { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses of all pools at "Number of unallocated addresses of all pools at
a given time. The sum of unallocated and allocated a given time. The sum of unallocated and allocated
addresses is the total number of addresses of addresses is the total number of addresses of
the pools."; the pools.";
} }
container ports-stats { container ports-stats {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
description description
"Statistics related to port numbers usage."; "Statistics related to port numbers usage.";
leaf ports-allocated { leaf ports-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports from all pools."; "Number of allocated ports from all pools.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses from all pools."; "Number of unallocated addresses from all pools.";
} }
} }
list per-pool-stats { list per-pool-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
key "pool-id"; key "pool-id";
description description
"Statistics related to address/prefix pool usage"; "Statistics related to address/prefix pool usage";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Unique Identifier that represents a pool of "Unique identifier that represents a pool of
addresses/prefixes."; addresses/prefixes.";
} }
leaf discontinuity-time { leaf discontinuity-time {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"The time on the most recent occasion at which this "The time on the most recent occasion at which this
pool counters suffered a discontinuity. This must pool counter suffered a discontinuity. This must
be initialized when the address pool is be initialized when the address pool is
configured."; configured.";
} }
container pool-stats { container pool-stats {
description description
"Statistics related to address/prefix pool usage"; "Statistics related to address/prefix pool usage";
leaf addresses-allocated { leaf addresses-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated addresses from this pool."; "Number of allocated addresses from this pool.";
} }
leaf addresses-free { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses in this pool."; "Number of unallocated addresses in this pool.";
} }
} }
container port-stats { container port-stats {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
description description
"Statistics related to port numbers usage."; "Statistics related to port numbers usage.";
leaf ports-allocated { leaf ports-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports from this pool."; "Number of allocated ports from this pool.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses from this pool."; "Number of unallocated addresses from this pool.";
} }
} }
} }
} }
} }
} }
skipping to change at line 2291 skipping to change at line 2064
} }
/* /*
* Notifications * Notifications
*/ */
notification nat-pool-event { notification nat-pool-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when the defined high/low "Notifications must be generated when the defined high/low
threshold is reached. Related configuration parameters threshold is reached. Related configuration parameters
must be provided to trigger the notifications."; must be provided to trigger the notifications.";
leaf id { leaf id {
type leafref { type leafref {
path "/nat/instances/instance/id"; path "/nat/instances/instance/id";
} }
mandatory true; mandatory true;
description description
"NAT instance Identifier."; "NAT instance identifier.";
} }
leaf policy-id { leaf policy-id {
type leafref { type leafref {
path "/nat/instances/instance/policy/id"; path "/nat/instances/instance/policy/id";
} }
description description
"Policy Identifier."; "Policy identifier.";
} }
leaf pool-id { leaf pool-id {
type leafref { type leafref {
path "/nat/instances/instance/policy/" + path "/nat/instances/instance/policy/" +
"external-ip-address-pool/pool-id"; "external-ip-address-pool/pool-id";
} }
mandatory true; mandatory true;
description description
"Pool Identifier."; "Pool Identifier.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"A threshold (high-threshold or low-threshold) has "A threshold (high threshold or low threshold) has
been fired."; been fired.";
} }
} }
notification nat-instance-event { notification nat-instance-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when notify-addresses-usage "Notifications must be generated when notify-addresses-usage
and/or notify-ports-usage threshold are reached."; and/or notify-ports-usage thresholds are reached.";
leaf id { leaf id {
type leafref { type leafref {
path "/nat/instances/instance/id"; path "/nat/instances/instance/id";
} }
mandatory true; mandatory true;
description description
"NAT instance Identifier."; "NAT instance identifier.";
} }
leaf notify-subscribers-threshold { leaf notify-subscribers-threshold {
type uint32; type uint32;
description description
"The notify-subscribers-limit threshold has been fired."; "The notify-subscribers-limit threshold has been fired.";
} }
leaf notify-addresses-threshold { leaf notify-addresses-threshold {
type percent; type percent;
description description
"The notify-addresses-usage threshold has been fired."; "The notify-addresses-usage threshold has been fired.";
} }
leaf notify-ports-threshold { leaf notify-ports-threshold {
type percent; type percent;
description description
"The notify-ports-usage threshold has been fired."; "The notify-ports-usage threshold has been fired.";
} }
} }
} }
 End of changes. 372 change blocks. 
1112 lines changed or deleted 874 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/