RFC 8512
A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)
Pages: 94
Proposed Standard
Proposed Standard
Part 7 of 8 – Pages 68 to 79
4. Security Considerations
Security considerations related to address and prefix translation are discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and [RFC7757]. The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446]. The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. All data nodes defined in the YANG module that can be created, modified, and deleted (i.e., config true, which is the default) are considered sensitive. Write operations (e.g., edit-config) applied to these data nodes without proper protection can negatively affect network operations. The NAT YANG module provides a method to set parameters to prevent a user from aggressively using NAT resources
(port-quota), rate-limit connections as a guard against DoS, or to
enable notifications so that appropriate measures are enforced to
anticipate traffic drops. Nevertheless, an attacker who is able to
access the NAT can undertake various attacks, such as:
o Set a high or low resource limit to cause a DoS attack:
* /nat/instances/instance/policy/port-quota
* /nat/instances/instance/policy/fragments-limit
* /nat/instances/instance/mapping-limits
* /nat/instances/instance/connection-limits
o Set a low notification threshold to cause useless notifications to
be generated:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses-
usage
* /nat/instances/instance/notification-limits/notify-ports-usage
* /nat/instances/instance/notification-limits/notify-subscribers-
limit
o Set an arbitrarily high threshold, which may lead to the
deactivation of notifications:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses-
usage
* /nat/instances/instance/notification-limits/notify-ports-usage
* /nat/instances/instance/notification-limits/notify-subscribers-
limit
o Set a low notification interval and a low notification threshold
to induce useless notifications to be generated:
* /nat/instances/instance/policy/notify-pool-usage/notify-
interval
* /nat/instances/instance/notification-limits/notify-interval
o Access to privacy data maintained in the mapping table. Such data
can be misused to track the activity of a host:
* /nat/instances/instance/mapping-table
5. IANA Considerations
IANA has registered the following URI in the "ns" subregistry within
the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-nat
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
IANA has registered the following YANG module in the "YANG Module
Names" subregistry [RFC7950] within the "YANG Parameters" registry.
name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat
reference: RFC 8512
6. References
6.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and
P. Srisuresh, "NAT Behavioral Requirements for TCP",
BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009,
<https://www.rfc-editor.org/info/rfc5508>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, DOI 10.17487/RFC6052, October 2010, <https://www.rfc-editor.org/info/rfc6052>. [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011, <https://www.rfc-editor.org/info/rfc6146>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>. [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>. [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, <https://www.rfc-editor.org/info/rfc6296>. [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable Operation of Address Translators with Per-Interface Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, <https://www.rfc-editor.org/info/rfc6619>. [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: Combination of Stateful and Stateless Translation", RFC 6877, DOI 10.17487/RFC6877, April 2013, <https://www.rfc-editor.org/info/rfc6877>. [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, <https://www.rfc-editor.org/info/rfc6888>. [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc-editor.org/info/rfc6991>. [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. Farrer, "Lightweight 4over6: An Extension to the Dual- Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., Murakami, T., and T. Taylor, Ed., "Mapping of Address and Port with Encapsulation (MAP-E)", RFC 7597, DOI 10.17487/RFC7597, July 2015, <https://www.rfc-editor.org/info/rfc7597>. [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address Mappings for Stateless IP/ICMP Translation", RFC 7757, DOI 10.17487/RFC7757, February 2016, <https://www.rfc-editor.org/info/rfc7757>. [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, S., and K. Naito, "Updates to Network Address Translation (NAT) Behavioral Requirements", BCP 127, RFC 7857, DOI 10.17487/RFC7857, April 2016, <https://www.rfc-editor.org/info/rfc7857>. [RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont, "IP/ICMP Translation Algorithm", RFC 7915, DOI 10.17487/RFC7915, June 2016, <https://www.rfc-editor.org/info/rfc7915>. [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>. [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>. [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>. [RFC8343] Bjorklund, M., "A YANG Data Model for Interface Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, <https://www.rfc-editor.org/info/rfc8343>. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>.
6.2. Informative References
[NAT-SUPP] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Transmission Protocol (SCTP) Network Address Translation Support", Work in Progress, draft-ietf-tsvwg-natsupp-12, July 2018. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999, <https://www.rfc-editor.org/info/rfc2663>. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, <https://www.rfc-editor.org/info/rfc3022>. [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol", BCP 150, RFC 5597, DOI 10.17487/RFC5597, September 2009, <https://www.rfc-editor.org/info/rfc5597>. [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, DOI 10.17487/RFC6269, June 2011, <https://www.rfc-editor.org/info/rfc6269>. [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, "Diameter Network Address and Port Translation Control Application", RFC 6736, DOI 10.17487/RFC6736, October 2012, <https://www.rfc-editor.org/info/rfc6736>. [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013, <https://www.rfc-editor.org/info/rfc6887>. [RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M. Boucadair, "Deployment Considerations for Dual-Stack Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013, <https://www.rfc-editor.org/info/rfc6908>. [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis", RFC 7050, DOI 10.17487/RFC7050, November 2013, <https://www.rfc-editor.org/info/rfc7050>.
[RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, DOI 10.17487/RFC7289, June 2014, <https://www.rfc-editor.org/info/rfc7289>. [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, DOI 10.17487/RFC7335, August 2014, <https://www.rfc-editor.org/info/rfc7335>. [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, "Definitions of Managed Objects for Network Address Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, October 2015, <https://www.rfc-editor.org/info/rfc7659>. [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., and S. Perreault, "Port Control Protocol (PCP) Extension for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, February 2016, <https://www.rfc-editor.org/info/rfc7753>. [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, "RADIUS Extensions for IP Port Configuration and Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, <https://www.rfc-editor.org/info/rfc8045>. [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, <https://www.rfc-editor.org/info/rfc8340>. [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of Documents Containing YANG Data Models", BCP 216, RFC 8407, DOI 10.17487/RFC8407, October 2018, <https://www.rfc-editor.org/info/rfc8407>. [RFC8513] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513, DOI 10.17487/RFC8513, January 2019, <https://www.rfc-editor.org/info/rfc8513>. [YANG-PCP] Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Vinapamula, "YANG Modules for the Port Control Protocol (PCP)", Work in Progress, draft-boucadair-pcp-yang-05, October 2017.
Appendix A. Some Examples
This section provides a non-exhaustive set of examples to illustrate the use of the NAT YANG module.A.1. Traditional NAT44
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the same IPv4 address among hosts that are owned by the same subscriber. This is typically the NAT that is embedded in CPE devices. This NAT is usually provided with one single external IPv4 address; disambiguating connections is achieved by rewriting the source port number. The XML snippet to configure the external IPv4 address in such case together with a mapping entry is depicted below: <instances> <instance> <id>1</id> <name>NAT_Subscriber_A</name> .... <external-ip-address-pool> <pool-id>1</pool-id> <external-ip-pool> 198.51.100.1/32 </external-ip-pool> </external-ip-address-pool> .... <mapping-table> .... <external-src-address> 198.51.100.1/32 </external-src-address> .... </mapping-table> </instance> </instances>
The following shows the XML excerpt depicting a dynamic UDP mapping
entry maintained by a traditional NAPT44. In reference to this
example, the UDP packet received with a source IPv4 address
(192.0.2.1) and source port number (1568) is translated into a UDP
packet having a source IPv4 address (198.51.100.1) and source port
(15000). The remaining lifetime of this mapping is 300 seconds.
<mapping-entry>
<index>15</index>
<type>
dynamic-explicit
</type>
<transport-protocol>
17
</transport-protocol>
<internal-src-address>
192.0.2.1/32
</internal-src-address>
<internal-src-port>
<start-port-number>
1568
</start-port-number>
</internal-src-port>
<external-src-address>
198.51.100.1/32
</external-src-address>
<external-src-port>
<start-port-number>
15000
</start-port-number>
</external-src-port>
<lifetime>
300
</lifetime>
</mapping-entry>
A.2. Carrier Grade NAT (CGN)
The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF.
<capabilities>
<nat-flavor>napt44</nat-flavor>
<transport-protocols>
<protocol-id>1</protocol-id>
</transport-protocols>
<transport-protocols>
<protocol-id>6</protocol-id>
</transport-protocols>
<transport-protocols>
<protocol-id>17</protocol-id>
</transport-protocols>
<restricted-port-support>
false
</restricted-port-support>
<static-mapping-support>
true
</static-mapping-support>
<port-randomization-support>
true
</port-randomization-support>
<port-range-allocation-support>
true
</port-range-allocation-support>
<port-preservation-suport>
true
</port-preservation-suport>
<port-parity-preservation-support>
false
</port-parity-preservation-support>
<address-roundrobin-support>
true
</address-roundrobin-support>
<paired-address-pooling-support>
true
</paired-address-pooling-support>
<endpoint-independent-mapping-support>
true
</endpoint-independent-mapping-support>
<address-dependent-mapping-support>
true
</address-dependent-mapping-support>
<address-and-port-dependent-mapping-support>
true
</address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support>
true
</endpoint-independent-filtering-support>
<address-dependent-filtering>
true
</address-dependent-filtering>
<address-and-port-dependent-filtering>
true
</address-and-port-dependent-filtering>
</capabilities>
The following XML snippet shows the example of a CGN that is
provisioned with one contiguous pool of external IPv4 addresses
(198.51.100.0/24). Further, the CGN is instructed to limit the
number of allocated ports per subscriber to 1024. Ports can be
allocated by the CGN by assigning ranges of 256 ports (that is, a
subscriber can be allocated up to four port ranges of 256 ports
each).
<instances>
<instance>
<id>1</id>
<name>myCGN</name>
....
<external-ip-address-pool>
<pool-id>1</pool-id>
<external-ip-pool>
198.51.100.0/24
</external-ip-pool>
</external-ip-address-pool>
<port-quota>
<port-limit>
1024
</port-limit>
<quota-type >
all
</quota-type >
</port-quota>
<port-allocation-type>
port-range-allocation
</port-allocation-type>
<port-set>
<port-set-size>
256
</port-set-size>
</port-set>
....
</instance>
</instances>
An administrator may decide to allocate one single port range per
subscriber (e.g., a port range of 1024 ports) as shown below:
<instances>
<instance>
<id>1</id>
<name>myCGN</name>
....
<external-ip-address-pool>
<pool-id>1</pool-id>
<external-ip-pool>
198.51.100.0/24
</external-ip-pool>
</external-ip-address-pool>
<port-quota>
<port-limit>
1024
</port-limit>
<quota-type >
all
</quota-type >
</port-quota>
<port-allocation-type>
port-range-allocation
</port-allocation-type>
<port-set>
<port-set-size>
1024
</port-set-size>
</port-set>
....
</instance>
</instances>
(next page on part 8)