Tech-invite   3GPPspecs   Glossaries   IETFRFCs   Groups   SIP   ABNFs   Ti+   Search in Tech-invite

in Index   Prev   Next
in Index   Prev   Next  Group: OPSAWG

RFC 8512

A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)

Pages: 94
Proposed STD
Part 7 of 8 – Pages 68 to 79
First   Prev   Next

Top   ToC   RFC8512 - Page 68   prevText
4.  Security Considerations

   Security considerations related to address and prefix translation are
   discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and
   [RFC7757].

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   All data nodes defined in the YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  The NAT YANG module provides a method to set
   parameters to prevent a user from aggressively using NAT resources
Top   ToC   RFC8512 - Page 69
   (port-quota), rate-limit connections as a guard against DoS, or to
   enable notifications so that appropriate measures are enforced to
   anticipate traffic drops.  Nevertheless, an attacker who is able to
   access the NAT can undertake various attacks, such as:

   o  Set a high or low resource limit to cause a DoS attack:

      *  /nat/instances/instance/policy/port-quota

      *  /nat/instances/instance/policy/fragments-limit

      *  /nat/instances/instance/mapping-limits

      *  /nat/instances/instance/connection-limits

   o  Set a low notification threshold to cause useless notifications to
      be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set an arbitrarily high threshold, which may lead to the
      deactivation of notifications:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set a low notification interval and a low notification threshold
      to induce useless notifications to be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/notify-
         interval
Top   ToC   RFC8512 - Page 70
      *  /nat/instances/instance/notification-limits/notify-interval

   o  Access to privacy data maintained in the mapping table.  Such data
      can be misused to track the activity of a host:

      *  /nat/instances/instance/mapping-table

5.  IANA Considerations

   IANA has registered the following URI in the "ns" subregistry within
   the "IETF XML Registry" [RFC3688]:

            URI: urn:ietf:params:xml:ns:yang:ietf-nat
            Registrant Contact: The IESG.
            XML: N/A; the requested URI is an XML namespace.

   IANA has registered the following YANG module in the "YANG Module
   Names" subregistry [RFC7950] within the "YANG Parameters" registry.

            name: ietf-nat
            namespace: urn:ietf:params:xml:ns:yang:ietf-nat
            prefix: nat
            reference: RFC 8512

6.  References

6.1.  Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007, <https://www.rfc-editor.org/info/rfc4787>.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and
              P. Srisuresh, "NAT Behavioral Requirements for TCP",
              BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008,
              <https://www.rfc-editor.org/info/rfc5382>.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009,
              <https://www.rfc-editor.org/info/rfc5508>.
Top   ToC   RFC8512 - Page 71
   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and
              X. Li, "IPv6 Addressing of IPv4/IPv6 Translators",
              RFC 6052, DOI 10.17487/RFC6052, October 2010,
              <https://www.rfc-editor.org/info/rfc6052>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
              <https://www.rfc-editor.org/info/rfc6296>.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012,
              <https://www.rfc-editor.org/info/rfc6619>.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013,
              <https://www.rfc-editor.org/info/rfc6877>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013,
              <https://www.rfc-editor.org/info/rfc6991>.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and
              I. Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015, <https://www.rfc-editor.org/info/rfc7596>.
Top   ToC   RFC8512 - Page 72
   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015,
              <https://www.rfc-editor.org/info/rfc7597>.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016,
              <https://www.rfc-editor.org/info/rfc7757>.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016,
              <https://www.rfc-editor.org/info/rfc7857>.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016,
              <https://www.rfc-editor.org/info/rfc7915>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018,
              <https://www.rfc-editor.org/info/rfc8341>.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
              <https://www.rfc-editor.org/info/rfc8343>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.
Top   ToC   RFC8512 - Page 73
6.2.  Informative References

   [NAT-SUPP]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", Work in Progress, draft-ietf-tsvwg-natsupp-12,
              July 2018.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999,
              <https://www.rfc-editor.org/info/rfc2663>.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001,
              <https://www.rfc-editor.org/info/rfc3022>.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009,
              <https://www.rfc-editor.org/info/rfc5597>.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011,
              <https://www.rfc-editor.org/info/rfc6269>.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012, <https://www.rfc-editor.org/info/rfc6736>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <https://www.rfc-editor.org/info/rfc6887>.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and
              M. Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013,
              <https://www.rfc-editor.org/info/rfc6908>.

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013,
              <https://www.rfc-editor.org/info/rfc7050>.
Top   ToC   RFC8512 - Page 74
   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014,
              <https://www.rfc-editor.org/info/rfc7289>.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014,
              <https://www.rfc-editor.org/info/rfc7335>.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015, <https://www.rfc-editor.org/info/rfc7659>.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016, <https://www.rfc-editor.org/info/rfc7753>.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017,
              <https://www.rfc-editor.org/info/rfc8045>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018,
              <https://www.rfc-editor.org/info/rfc8407>.

   [RFC8513]  Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
              Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513,
              DOI 10.17487/RFC8513, January 2019,
              <https://www.rfc-editor.org/info/rfc8513>.

   [YANG-PCP] Boucadair, M., Jacquenet, C., Sivakumar, S., and
              S. Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", Work in Progress, draft-boucadair-pcp-yang-05,
              October 2017.
Top   ToC   RFC8512 - Page 75
Appendix A.  Some Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such case together with a mapping entry is depicted below:

   <instances>
     <instance>
       <id>1</id>
       <name>NAT_Subscriber_A</name>
        ....
       <external-ip-address-pool>
         <pool-id>1</pool-id>
           <external-ip-pool>
             198.51.100.1/32
           </external-ip-pool>
         </external-ip-address-pool>
         ....
       <mapping-table>
         ....
         <external-src-address>
           198.51.100.1/32
         </external-src-address>
           ....
       </mapping-table>
     </instance>
   </instances>
Top   ToC   RFC8512 - Page 76
   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.  In reference to this
   example, the UDP packet received with a source IPv4 address
   (192.0.2.1) and source port number (1568) is translated into a UDP
   packet having a source IPv4 address (198.51.100.1) and source port
   (15000).  The remaining lifetime of this mapping is 300 seconds.

   <mapping-entry>
     <index>15</index>
     <type>
       dynamic-explicit
     </type>
     <transport-protocol>
       17
     </transport-protocol>
     <internal-src-address>
       192.0.2.1/32
     </internal-src-address>
     <internal-src-port>
       <start-port-number>
         1568
       </start-port-number>
     </internal-src-port>
     <external-src-address>
       198.51.100.1/32
     </external-src-address>
     <external-src-port>
       <start-port-number>
         15000
       </start-port-number>
     </external-src-port>
     <lifetime>
       300
     </lifetime>
   </mapping-entry>

A.2.  Carrier Grade NAT (CGN)

   The following XML snippet shows the example of the capabilities
   supported by a CGN as retrieved using NETCONF.

   <capabilities>
     <nat-flavor>napt44</nat-flavor>
     <transport-protocols>
       <protocol-id>1</protocol-id>
     </transport-protocols>
     <transport-protocols>
       <protocol-id>6</protocol-id>
Top   ToC   RFC8512 - Page 77
     </transport-protocols>
     <transport-protocols>
       <protocol-id>17</protocol-id>
     </transport-protocols>
     <restricted-port-support>
       false
     </restricted-port-support>
     <static-mapping-support>
       true
     </static-mapping-support>
     <port-randomization-support>
       true
     </port-randomization-support>
     <port-range-allocation-support>
       true
     </port-range-allocation-support>
     <port-preservation-suport>
       true
     </port-preservation-suport>
     <port-parity-preservation-support>
       false
     </port-parity-preservation-support>
     <address-roundrobin-support>
       true
     </address-roundrobin-support>
     <paired-address-pooling-support>
       true
     </paired-address-pooling-support>
     <endpoint-independent-mapping-support>
       true
     </endpoint-independent-mapping-support>
     <address-dependent-mapping-support>
       true
     </address-dependent-mapping-support>
     <address-and-port-dependent-mapping-support>
       true
     </address-and-port-dependent-mapping-support>
     <endpoint-independent-filtering-support>
       true
     </endpoint-independent-filtering-support>
     <address-dependent-filtering>
       true
     </address-dependent-filtering>
     <address-and-port-dependent-filtering>
       true
     </address-and-port-dependent-filtering>
   </capabilities>
Top   ToC   RFC8512 - Page 78
   The following XML snippet shows the example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (198.51.100.0/24).  Further, the CGN is instructed to limit the
   number of allocated ports per subscriber to 1024.  Ports can be
   allocated by the CGN by assigning ranges of 256 ports (that is, a
   subscriber can be allocated up to four port ranges of 256 ports
   each).

   <instances>
     <instance>
       <id>1</id>
       <name>myCGN</name>
       ....
       <external-ip-address-pool>
         <pool-id>1</pool-id>
         <external-ip-pool>
           198.51.100.0/24
         </external-ip-pool>
       </external-ip-address-pool>
       <port-quota>
         <port-limit>
           1024
         </port-limit>
         <quota-type >
           all
         </quota-type >
       </port-quota>
         <port-allocation-type>
           port-range-allocation
         </port-allocation-type>
         <port-set>
           <port-set-size>
             256
           </port-set-size>
         </port-set>
       ....
     </instance>
   </instances>
Top   ToC   RFC8512 - Page 79
   An administrator may decide to allocate one single port range per
   subscriber (e.g., a port range of 1024 ports) as shown below:

   <instances>
     <instance>
       <id>1</id>
       <name>myCGN</name>
       ....
       <external-ip-address-pool>
         <pool-id>1</pool-id>
         <external-ip-pool>
           198.51.100.0/24
         </external-ip-pool>
       </external-ip-address-pool>
       <port-quota>
         <port-limit>
           1024
         </port-limit>
         <quota-type >
           all
         </quota-type >
       </port-quota>
         <port-allocation-type>
           port-range-allocation
         </port-allocation-type>
         <port-set>
           <port-set-size>
             1024
           </port-set-size>
         </port-set>
       ....
     </instance>
   </instances>


Next Section