[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]

Versions: 00

NAT Working Group                                           P. Srisuresh
INTERNET-DRAFT                                       Lucent Technologies
Category: Informational                                   November, 1998
Expire in six months


     IP Network Address Translator Application Programming Interface
                     <draft-ietf-nat-api-00.txt>

Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
   (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
   (US West Coast).


Abstract

   NAT provides routing transparency for hosts in disparate routing
   realms to communicate with each other. However, external agents
   such as Application Level Gateways (ALGs), Host-NAT-clients and
   Management applications need to interact with NAT and influence
   its operations. The document identifies the resources and other
   elements controlled by a NAT device, with specific focus on areas
   subject to influence from external agents. An Application
   Programming Interface (API) framework by which external agents
   could interact with NAT is presented. The intent of this document
   is to leverage the API specification as a base to identify
   requirements for the development of one or more protocols by which
   external agents could interact with NAT.





Srisuresh & Rekhter                                             [Page 1]


Internet Draft    NAT Application Programming Interface    November 1998


1. Introduction

   NAT provides routing transparency for hosts in disparate routing
   realms to communicate with each other. [Ref 1] details the various
   flavors of NAT that abound. Many of the internet applications use
   IP address as host identifier rather than just as a way to locate a
   host.  For this reason, routing transparency by NAT alone is not
   sufficient to provide end-to-end transparency for applications
   operating across realms.  Application specific ALGs are required
   in conjunction with NAT to provide end-to-end transparency for
   some applications.

   In addition to ALGs, there are other kinds of external agents that
   may like to influence NAT operation. Section 2 below is devoted to
   describing the resources and other elements controlled by NAT.
   Section 3 below outlines a selected list of external agents that
   may likely interface with NAT. Together, the requirements by a
   selected set of external agents and  the nature of NAT resources
   are used as the basis to derive an  API framework, described in
   section 4.

   The intent of the document is two-fold. First, the document
   suggests an Application programming Interface (API) by which
   external agents could programmatically interface with NAT.
   This does not assume or require external agents to reside on the
   same physical device as NAT, even though assuming they reside on
   the same physical device does help in understanding. In reality,
   it is likely to be a combination of both.  Some agents are
   co-located with NAT on the same device and others reside on
   external devices.  The API is merely a suggestion and may vary from
   vendor to vendor.

   Second, the API provides a framework to identify requirements for
   the development of one or more protocols by which external agents
   (specified in section 3 below) could communicate with NAT. Such
   a protocol would need to authenticate clients, locate NAT devices
   and exchange data elements. The API specified in the document
   assumes a trusted environment and does not address the first two
   issues, namely authentication and Service location. The document
   also does not cover any communication protocol that may be used by
   external agents to interface with NAT using the API described here.
   These issues will need to be addressed independently outside the
   purview of this document.


2. Elements of NAT operation

   In order to identify an API for use by external agents, it is



Srisuresh & Rekhter                                             [Page 2]


Internet Draft    NAT Application Programming Interface    November 1998


   important to understand the resources and other elments managed
   by NAT. This would help identify the extent to which an external
   agent may influence NAT operation. This section describes objects
   within NAT, that could be externalized via Management Information
   Base (MIB).

2.1. NAT Descriptor

   All flavors of NAT are designed to provide routing transparency
   to hosts in disparate routing realms. A physical device may have
   multiple NAT instances or there may be multiple NAT devices
   associated with a specific realm. The following list of attributes
   identify a specific instance of NAT.

      a. NAT IDentifier:

         A NAT Identifier uniquely identifies a NAT instantiation.
         The External interface address may be one way to specify
         NAT Identifier.

      b. Private and External realm types:

         Every NAT device will have a minimum of two routing
         interfaces, one connecting to a private realm and one
         connecting to external realm. An IPv4 NAT device will
         have both its realm types set to IPv4.

      c. NAT type

         NAT type could be one of Basic-NAT, NAPT, Bi-directional-NAT,
         Twice-NAT, Host-NAT server, Host-NAPT-server or a combination
         of the above.  NAT type is an indication of the direction in
         which NAT sessions are allowed and the extent of translation
         within the IP and transport headers. [Ref 1] has a discussion
         on the nature of various NAT flavors and the extent of their
         translations.

      d. Address(and transport ID) maps

         Address map on a NAT device could consist of one or more of
         static and dynamic Address maps. Likewise, Transport ID mapping
         could consists of one or more of static and dynamic Transport
         ID maps. Transport ID mapping is more specific than address
         mapping in that a specific TCP/UDP port (or port range)
         pertaining to an address in external realm is mapped to a
         specific TCP/UDP port (or port range) in private realm or vice
         versa. Address (and Transport ID) maps may be defined for both
         inbound and outbound directions. Outbound address map refers



Srisuresh & Rekhter                                             [Page 3]


Internet Draft    NAT Application Programming Interface    November 1998


         to mapping a selected set of addresses from private realm to a
         selected set of addresses in external realm; whereas inbound
         address map refers to mapping a set of addresses from the
         external realm to private realm.

      e. Miscellaneous parameters

         NAT may optionally provide TCP, UDP and other types of session
         Idle-times used to terminate sessions. It may also provide the
         current range (and, the maximum range) of session IDs and
         Bind IDs (to be covered in the follow on sub-sections); and
         the actual count of session IDs and BIND IDs. Specifically,
         this information will be of relevance to another NAT (backup
         NAT) that intends to emulate this NAT, in case of failure.
         Lastly, NAT may choose to supply any other vendor specific
         parameters such as log options, session direction failure
         actions and so forth.

      f. Host-NAT (and Host-NAPT) specific parameters

         If the NAT device were to provide Host-NAT-Server capability;
         optionally, the  NAT device could specify the Host-NAT
         tunneling type it supports.


2.2. Address (and Transport-ID) BINDing Descriptor

   These bindings can be static or dynamic. Hereafter, the term BIND
   will be referred in place of BINDing, for ease of use. When external
   agents do not intervene, dynamic address(and transport-ID) binding
   is determined by NAT based on the first packet of a session, as
   described in [Ref 1].  Address binding is between an address in
   private realm and an address from external realm. Transport-ID BIND
   is extension of the same concept to the tuple of Address and
   transport ID (such as TCP/UDP port no.). The following list of
   attributes identify a BIND within a NAT.

      a. Bind ID

         A number (say, in the range of 1 through 0xFFFFFFFF) assigned
         to BIND to uniquely identify this BIND from a different BIND
         on the same NAT.

      b. Direction of Bind

         A bind can be uni-directional or bi-directional, same as the
         orientation of address map based on which this BIND is formed.
         As before, the direction is with reference to private realm.



Srisuresh & Rekhter                                             [Page 4]


Internet Draft    NAT Application Programming Interface    November 1998



      c. Bind type

         Indicates whether the BIND is Address-BIND (between a pair of
         addresses) or Transport-ID-Bind (between a pair of Address,
         transport ID tuples). Note, a transport-ID bind intrinsically
         assumes an address bind between the addresses specified in
         the tuples. This also indicates if the Bind is static or
         dynamic.

      d. Private and External addresses (and Transport IDs)

         The pair described here essentially identify the BINDing
         items between private and external realms.

      e. Maximum leased time

         The validity of a BIND may be limited by the maximum length of
         leased time it is allowed. Unless the leased time is renewed,
         the BIND will no longer be valid past this time. As a special
         case, a value of 0 may be assumed to indicate no lease time
         limit. Typically, this attribute is of relevance in conjunction
         with Host-NAT operation.

      f. Available leased time

         This parameter is of relevance only when Maximum Leased time is
         set to a non-zero value. At any given instance of time, this
         parameter indicates the real-time left for the BIND to remain
         valid. Typically, this attribute is of relevance in conjunction
         with Host-NAT operation.

      g. Maximum Idle time

         This parameter indicates maximum amount of time a dynamic BIND
         is allowed to remain valid, with no NAT session hanging off this
         BIND. Typically, a dynamic Bind is established when NAT notices
         the first session that needs such a binding. Subsequent to
         this, multiple NAT sessions can be maintained using the same
         binding. When the last of these sessions is terminated, the
         bind is also terminated. In other words, Maximum Idle time is 0,
         by default, for native NAT. External agents could control this
         parameter differently. Static Binds and lease time limited BINDs
         are not effected by this parameter.

      h. Current Idle time

         This parameter is of relevance only when Maximum Idle time is



Srisuresh & Rekhter                                             [Page 5]


Internet Draft    NAT Application Programming Interface    November 1998


         set to a non-zero value. At any given instance of time, this
         parameter indicates the real-time the BIND has been idle with
         no sessions attached to it.

      i. Controlling Agent IDentification

         This indicates the last external Agent  who has tried to
         control (i.e., set) parameters for this BIND. A value of 0
         indicates that native NAT is the responsible agent.

2.3. Session State descriptor

   NAT maintains soft state for the sessions it tracks.  These states
   are created dynamically during NAT operation and are responsible
   for translation of packets pertaining to the session. The translation
   element of a state is based on address (or Transport ID) bind (two
   binds in case of twice-nat).  The following list of attributes
   identify a session (or session State) within NAT.

      a. Session IDentifier

         A number (say, in the range of 1 through 0xFFFFFFFF) assigned
         to session to uniquely identify this from other sessions on
         the same NAT.

      b. Direction of Session.

         Direction of first packet of the session. As specified
         earlier, direction is with reference to private realm.

      c. Bind IDentifier

         Identifies the Bind based on which this session is created.
         The Direction of BIND must be same as that of the session,
         if the BIND is uni-directional. Typically, if a Bind supporting
         the session translation does not already exist, a Bind is
         created prior to creating new session state. However, this
         Identifier may be set to 0, when BIND creation is unnecessary
         for the session. For example, there can be no more than one
         ICMP Query session using am ICMP Query based transport-ID-bind.
         In such a case, it suffices to do away with BIND and keep all
         requisite information within the session state itself.

      d. Second Bind IDentifier

         This is of relevance only to Twice-NAT. For all other flavors
         of NAT, this parameter may be set to zero. If the session is
         outbound, this parameter refers to binding of the target



Srisuresh & Rekhter                                             [Page 6]


Internet Draft    NAT Application Programming Interface    November 1998


         destination address from private realm to external realm.

      e. Original Session parameters

         These parameters identify the session level parameters as
         they appear in the first packet of session. These parameters
         include src and dest IP addresses, IP protocol and transport
         IDentifier info (such as TCP/UDP port numbers or ICMP Query
         Identifier).

      f. Translated Session parameters

         These parameters identify the session level parameters as
         the first packet of session is translated. These parameters
         are derived from the BIND ID(s) off which this session hangs.

      g. Session tag

         NAT managed sessions are assigned a session tag, so that
         sessions  bearing the same tag are handled the same way.
         The tag value is of significance only to the processing
         agent. Native NAT maintains four types of session tags for
         TCP, UDP, ICMP QUERY and all other sessions. So, tag
         numbers selected by the agents will need to be different
         from the native tags, if the processing were to be done
         differently.

      h. Session Termination heuristic

         Session-Idle-time is typically used as a heuristic means by NAT
         to determine if the session has ended. There may other heuristic
         approaches. A value of zero is an indication that NAT would not
         use any heuristic to session termination, unless it is a TCP
         session and the session has noticeable ended with FIN or RST
         options. The agent may take the responsibility for terminating
         the session.

      i. Maximum Idle time

         This parameter indicates maximum amount of time this session
         is allowed to remain valid, even as there is no activity.
         Idle time is typically used as a heuristic means to determine
         session termination. There may be other heuristic approaches.
         As a special case, a value of 0 implies that NAT should run
         the same timer as used for native sessions.

      j. Current Idle Time




Srisuresh & Rekhter                                             [Page 7]


Internet Draft    NAT Application Programming Interface    November 1998


         This parameter is of relevance only when session termination
         heuristic is set to session-idle-time.  Typically, NAT would
         examine the idle time on the sessions it manages periodically
         and updates this variable. When the idle time exceeds the
         maximum allowed idle time, the session is terminated.

      k. Packet modifier functions

         Typically, NAT modifies IP header and optionally, the
         transport header. External agents could choose to assume
         responsibility for payload modification alone, or the entire
         packet modification.  In the case an external agent assumes
         responsibility for the entire packet modification, NAT will
         simply redirect the original packet as is to external agent
         modifier.

      l. Bundle ID

         Applications that deal with a bundle of sessions may cause
         multiple sessions to be managed by NAT. Even though these
         sessions constitute a single session from application stand
         point, NAT is not congnizant of the relation. In such cases,
         it is not uncommon for external agents to store a unique
         application ID (say, the session ID of the first NAT session
         the application originated) in all sessions it spawns in its
         incarnation.

      m. Controlling Agent IDentification

         This indicates the last external Agent  who has tried to
         control parameters for this session. A value of 0 indicates
         that native NAT is the responsible agent.


3. External agents interfacing with NAT

   Many network applications assume the IP address of their host to be
   host Identifier and embed the Identifier information in application
   specific payload. When packets from such an application traverse
   NAT, the IP address of private host remains uncorrected in the
   payload, as the packet is delivered to hosts in external realm. An
   Application Level Gateway (ALG) is required to re-interpret such a
   payload as the payload traverses realms.

   In addition, there are applications such as H.323 that use
   out-of-band signaling to dynamically create newer sessions. While
   a signaling session itself may be directed to a well-known port,
   sessions created by it need not be that way. Once again, an ALG may



Srisuresh & Rekhter                                             [Page 8]


Internet Draft    NAT Application Programming Interface    November 1998


   be required to process payload in the signaling sessions and notify
   NAT to recognize the newly created sessions.

   There may be other instances where an ALG may be required to
   provide application level transparency.  Clearly, there is a need
   for a variety of ALGs to interface with NAT. The ALGs may reside
   on the same NAT device or an external device. Independent of this,
   the NAT interface requirement will remain the same.

   In a multi-homed NAT configuration, there is a need for a backup NAT
   to communicate with the primary and keep in sync, so that when the
   primary goes away, the backup NAT could instantly assume support for
   the sessions that primary NAT was responsible for. This is yet
   another case where an external agent (i.e., backup NAT) has a need
   to interface with NAT.

   A NAT device is uniquely qualified to serve as host-NAT-Server
   (or host-NAPT-Server) for host-NAT-clients (or host-NAPT-clients).
   [Ref 1] has a description of Host-NAT terminology.  Host-NAT
   (and Host-NAPT) clients need to interface with the server node to
   obtain an external address (or a tuple of address and TCP/UDP port)
   while communicating with hosts in external realms. In addition,
   if NAT were to act as tunnel end-point, host-NAT clients will
   need to interface with NAT to setup tunnel state  for the lifetime
   of Host-NAT-client address assignment.  So, once again, there is a
   need for an API for use by an external agent(i.e., host-NAT-client)
   to communicate with NAT, acting as host-NAT-server.

   Lastly, a mangement utility would be useful to interface with NAT
   for configuration and monitor purposes and to enforce NAT policies.
   For example, reconfigure a NAT device to switch over from NAPT to
   Basic-NAT configuration or vice versa. Or, add, terminate and
   monitor ALGs and other external agents on a NAT box. Such a program
   would also be useful to notify NAT about the status and setup
   information concerning ALGs, backup NATs and Host-NAT clients.

   Clearly, agents such as Host-NAT-clients and Backup-NATs are likely
   to reside on a different physical device than the NAT device. Some
   of the ALG agents may also reside on an external device. The API
   presented in the follow-on section will provide a base to identify
   requirements for the development of one or more protocols by which
   each of these external agents could communicate with NAT. It may be
   a single protocol applicable to all external agents (or) multiple
   protocols, specific to each agent type.

   The following diagram identifies a selected list of external agents
   that might interact with NAT using its API.




Srisuresh & Rekhter                                             [Page 9]


Internet Draft    NAT Application Programming Interface    November 1998


   +------------------+  +------+  +-------------+  +------------------+
   | Host-NAT-Clients |  | ALGs |  | Pri/Sec NAT |  | Management Appl. |
   +-----+------------+  +------+  +-------------+  +------------------+
                  ^        ^              ^                ^
                  |        |              |                |
                  |        |              |                |
                  v        v              v                v
                +---------------------------------------------+
                | NAT Application Program Interface (NAT-API) |
                +---------------------------------------------+
                |                     N A T                   |
                +---------------------------------------------+

    figure 1. External agents interfacing with NAT using NAT-API.


   The following list of attributes uniquely identify an external
   agent with reference to a NAT.

      a. Agent IDentifier

         A number (say, in the range of 1 through 0xFFFFFFFF) assigned
         to the agent by the NAT device to distinguish from other
         agents. Typically, this handle may be assigned when the
         agent registers with NAT.

      b. Agent type

         Based on the categories of external agents described thus far,
         it is clear that the API requirements differ considerably
         amongst them. A native NAT API may or may not be able to
         support the requirements of all these agents. It is beneficial
         for NAT to know the agent type to be one of ALG or
         Host-NAT-Client or Backup-NAT or Management Application or
         something else, so it can accept or deny registration.

      c. Agent call-back requirements

         The agents will typically require NAT to invoke a call-back
         function within the agent when NAT notices the occurrence of
         an external event. But, the call-back requirements across
         the agents vary. For example, an ALG might require NAT to
         call back when a data packet is received on a session with
         a certain session-tag. But, other agents do not have such
         a requirement. There may , however, be some common
         requirements for call-back upon events such as termination
         of a session, termination of a Bind and termination of NAT
         itself. In addition, management applications and Backup-NAT



Srisuresh & Rekhter                                            [Page 10]


Internet Draft    NAT Application Programming Interface    November 1998


         may have a requirement to have NAT periodically invoke a
         call-back function.

      d. Agent call-back functions

         Depending upon call-back requirements, the agent will be
         required to register one or more call-back function entry
         points with NAT. Below are three different call-back
         function prototypes.

         Event notification - void agent_callback_event(nat_id,
                                    agent_id, event_type, event_status)

         Periodic notification - void agent_callback_periodic(nat_id,
                                    agent_id, info_type, info_length,
                                                        information)

         Packet notification - void agent_callback_packet(nat_id,
                                    agent_id, session_id,
                                    pkt_direction, packet)

      e. Periodic Notification interval

         This parameter would be required only when the agent calls
         for periodic notification. This may be specified in units of
         seconds.

      f. Host-NAT-Server tunnel type requirement

         A Host-NAT-client may have a requirement for NAT, acting as
         Host-NAT-server to support a certain type of tunneling. In
         such a case, the agent will specify the tunneling
         requirement through this parameter.

      g. Agent access information

         In the case the agent is resident on a different physical
         device than NAT, this parameter is used by the agent to
         specify a means by which NAT can access the agent. This
         will include a combination of Agent's IP address,
         IP protocol (e.g., TCP or UDP), well-known port etc.
         As a special case, a value of 0 to agent_ip_address would
         indicate that the agent is on the same device as NAT.


4. NAT Application Programming Interface (NAT API)

   The following API is specified in pseudo C language and is by no



Srisuresh & Rekhter                                            [Page 11]


Internet Draft    NAT Application Programming Interface    November 1998


   means exhaustive in coverage. The API may vary from vendor to
   vendor. The intent is to provide a framework that could be
   expanded upon as required in the future. This section is divided
   into two sub-sections. The first sub-section  lists function
   calls available to external agents. These calls are synchronous
   and require NAT to return back a value. The second sub-section
   lists functions that are expected to be provided by external
   agents in order for NAT to call-back upon some events.

4.1. NAT API functions

4.1.1. int nat_enquire_IDentity(nat_type, &natid_info)

   Purpose:

      This function is used by external agents to obtain NAT-ID
      and its characteristics, as described in section 2.1

   Input parameters:

      nat_type  - This parameter is specified to verify if NAT
                  device supports a certain flavor of NAT.

   Output Parameters:

      natid_info - NAT will fill up the natid_info data structure
                   with its characteristics, as described in
                   section 2.1. Also returned in this block would be
                   an Identifier (nat_id) to uniquely identify this NAT.

                   Multiple pieces of this information may be returned,
                   if NAT supports multiple instances of the same NAT
                   type.

   Return Value:

      No-Error(0)            - A return value of 0 implies success
                               and that natid_info may be examined
                               for NAT description.

      NAT-TYPE-NOT-SUPPORTED - Notify the client that the
                               requested NAT device does not
                               support the specified NAT type.

4.1.2. int nat_enquire_address_bind (nat_id, pvt_address,
                                        ext_address, &bind_info)

   Purpose:



Srisuresh & Rekhter                                            [Page 12]


Internet Draft    NAT Application Programming Interface    November 1998



      This function is used by external agents to obtain
      Address BIND information.

   Input parameters:

      nat_id - The identifier that uniquely identifies the NAT instance.

      pvt_address, ext_address - The caller might specify both or just
               one of either private address or external address and
               set the other to zero.

   Output Parameters:

      bind_info - NAT will fill up the bind_info data structure
                  with info as described in section 2.2, if NAT were
                  to find a match for the addresses specified.

   Return Value:

      No-Error(0)       - A return value of 0 implies success
                          in finding a match.

      NO-MATCHING_BIND  - Notify the client that there isn't a BIND
                          matching the specified addresses.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

4.1.3.  int nat_enquire_transport_bind(nat_id, pvt_address, pvt_port,
                transport_protocol, ext_address, ext_port, &bind_info)

   Purpose:

      This function is used by external agents to obtain
      Transport ID BIND information.

   Input parameters:

      nat_id - The identifier that uniquely identifies the NAT instance.

      pvt_address, pvt_port,
      ext_address, ext_port - The caller might specify both or just
               one of either (private address and the port no.) or
               external address and the port number.

      transport_protocol - This must be one of TCP, UDP or ICMP Query




Srisuresh & Rekhter                                            [Page 13]


Internet Draft    NAT Application Programming Interface    November 1998


   Output Parameters:

      bind_info - NAT will fill up the bind_info data structure
                  with info as described in section 2.2, if NAT were
                  to find a match for the addresses specified.

   Return Value:

      No-Error(0)       - A return value of 0 implies success
                          in finding a match.

      NO-MATCHING_BIND  - Notify the client that there isn't a BIND
                          matching the specified addresses.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

4.1.4. int nat_enquire_sess_range(nat_id, agent_id, sessid_min,
                          sessid_max, &sess_count, &sess_info)

   Purpose:

      This function is used by external agents to request NAT to
      send all valid session information for sessions with an
      ID in the range of sessid_min through sessid_max.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      sessid_min,
      sessid_max - The range of session IDs that the agent is
                   interested in knowing about.

   Output Parameters:

      sess_count - Number of sessions being returned through
                   sess_info pointer.

      sess_info  - Return one or more sessions maintained by NAT,
                   with an ID in the given range.

   Return Value:




Srisuresh & Rekhter                                            [Page 14]


Internet Draft    NAT Application Programming Interface    November 1998


      No-Error(0)       - A return value of 0 implies successful
                          session termination.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently
                          registered with NAT.

4.1.5. int nat_register_agent (nat_id, &agent_info)

   Purpose:

      This function is used by external agents to register
      with NAT.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_info - The agent is required to provide all the requisite
                   information (with the exception of agent_id) as
                   described in section 3.0. This ID may be used by
                   the caller to control and influence NAT operation.

   Output Parameters:

      agent_info - NAT will return the agent_id in agent_info structure
                   when registration is successful.

   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          registration.

      AGENT-TYPE-NOT-SUPPORTED - Notify the caller that NAT does not
                                 support API requirements of the agent.

      TUNNEL-TYPE-NOT-SUPPORTED - Notify the caller that NAT does not
                                  support Host-NAT tunnel type
                                  requested.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

4.1.6.  int nat_set_bind (nat_id, agent_id, &bind_info)




Srisuresh & Rekhter                                            [Page 15]


Internet Draft    NAT Application Programming Interface    November 1998


   Purpose:

      This function is used by external agents to create a new Address
      Bind or set certain parameters of an existing Bind.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      bind_info  - The caller supplies the specifics of a new BIND or
                   sets a selected number of parameters of an existing
                   BIND to influence NAT operation. The BIND can be
                   an address BIND or transport BIND. A new BIND
                   request is made by setting the BIND ID within
                   bind_info structure to 0. A non-Zero Bind-ID would
                   be interpreted by NAT to mean that the agent is
                   attempting to set some BIND parameters.

   Output Parameters:

      bind_info  - If the caller requested for a BIND creation and NAT
                   was successful in creating a new BIND, NAT will
                   fill the structure with the assigned BIND ID and
                   any other NAT assigned parameter values. If the
                   caller requested to set some BIND parameters and
                   NAT succeeded in doing so, the bind_info would
                   be filled with the values that NAT holds.

   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          BIND creation or parameter setting.

      BIND-MAKE-FAILED  - When NAT was unable to create BIND
                          or was unable to set the requested
                          parameter(s).

      INVALID-BIND-INFO - When NAT finds that one or all of the
                          parameters specified is not valid.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently



Srisuresh & Rekhter                                            [Page 16]


Internet Draft    NAT Application Programming Interface    November 1998


                          registered with NAT.

4.1.7. int nat_set_sess(nat_id, agent_id, &sess_info)

   Purpose:

      This function is used by external agents to create a new session
      state or set certain parameters of an existing session.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      sess_info  - The caller supplies the specifics of a new session
                   parameters or sets a selected number of parameters
                   of an existing session to influence NAT operation.
                   A new session request is made by setting the
                   session-ID within sess_info structure to 0. A
                   non-Zero session-ID would be interpreted by NAT to
                   mean that the agent is attempting to set some
                   session specific parameters.

   Output Parameters:

      sess_info  - If the caller requested for a session creation and
                   NAT was successful in creating a new session, NAT
                   will fill the structure with the assigned session-ID
                   and any other NAT assigned parameter values. If the
                   caller requested to set some session parameters and
                   NAT succeeded in doing so, the sess_info would
                   be filled with the values that NAT holds.

   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          session creation or parameter setting.

      SESS-MAKE-FAILED  - When NAT was unable to create session
                          or was unable to set the requested
                          parameter(s).

      INVALID-SESS-INFO - When NAT finds that one or all of the
                          parameters specified is not valid.




Srisuresh & Rekhter                                            [Page 17]


Internet Draft    NAT Application Programming Interface    November 1998


      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently
                          registered with NAT.

4.1.8.  int nat_free_bind(nat_id, agent_id, bind_id)

   Purpose:

      This function is used by external agents to terminate
      the specified BIND and any sessions that are based on
      this BIND.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      bind_id    - The ID of the BIND that needs to be terminated.

   Output Parameters:

      none.

   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          BIND termination.

      INVALID-BIND-ID   - The specified BIND ID does not exist.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently
                          registered with NAT.

4.1.9.  int nat_free_sess(nat_id, agent_id, sess_id)

   Purpose:

      This function is used by external agents to terminate
      the specified session.




Srisuresh & Rekhter                                            [Page 18]


Internet Draft    NAT Application Programming Interface    November 1998


   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      sess_id    - The ID of the session that needs to be terminated.

   Output Parameters:

      none.

   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          session termination.

      INVALID-SESS-ID   - The specified session ID does not exist.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently
                          registered with NAT.

4.1.10. int nat_free_sess_bundle(nat_id, agent_id, bundle_id)

   Purpose:

      This function is used by external agents to terminate
      a bundle of sessions identified by the same bundle ID.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      bundle_id  - The ID of the session bundle (group of sessions)
                   that needs to be terminated.

   Output Parameters:

      none.



Srisuresh & Rekhter                                            [Page 19]


Internet Draft    NAT Application Programming Interface    November 1998



   Return Value:

      No-Error(0)       - A return value of 0 implies successful
                          session termination.

      INVALID-BUNDLE-ID   - The specified bundle ID does not exist.

      INVALID-NAT-ID    - The specified NAT-ID is not operational
                          or is incorrect.

      INVALID-AGENT-ID  - The specified Agent-ID is not currently
                          registered with NAT.

4.2. Call-back functions within an external agent

4.2.1. void agent_callback_event(nat_id, agent_id, event_type,
                                          &event_info)

   Purpose:

      This function is used by NAT to notify an agent of an
      event status.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      event_type - The event can be one of BIND creation, BIND
                   termination, session Creation, and session
                   termination.

      event_info - This will return the BIND or session description
                   structure that contains the specific instance
                   identifier and other pertinent information.

4.2.2. void agent_callback_periodic(nat_id, agent_id, info_type,
                                    info_length, &periodic_info)

   Purpose:

      This function is used by NAT to notify an agent of a
      certain piece of information periodically.




Srisuresh & Rekhter                                            [Page 20]


Internet Draft    NAT Application Programming Interface    November 1998


   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      info_type  - NAT may have been requested to periodically
                   notify the agent many types of information.
                   Possible values for this parameter would be
                   statistics update, Incremental BIND update
                   Incremental session update, Incremental
                   BIND termination, Incremental session
                   termination etc..

      info_length- Number of bytes included in periodic info block.

      periodic_info - This point to the actual periodic information
                      being sent to the agent.



4.2.3. void agent_callback_packet(nat_id, agent_id, sess_id,
                                  pkt_direction, packet)

   Purpose:

      This function is used by NAT to notify an agent of a
      data packet for processing. The agent is expected to
      process the packet and forward to the actual destination
      in the first-in-first-out (FIFO) order. The processing
      performed by the agent may be limited to just the payload
      or the entire packet, as set by the agent at session
      setup time.

   Input parameters:

      nat_id     - The identifier that uniquely identifies the NAT
                   instance.

      agent_id   - The agent Identifier that uniquely identifies the
                   agent to NAT.

      sess_id    - The Identifier if NAT session to which the packet
                   belongs.

      pkt_direction - This can be inbound or outbound.



Srisuresh & Rekhter                                            [Page 21]


Internet Draft    NAT Application Programming Interface    November 1998



      packet     - IP packet that needs to be processed by the agent.
                   If NAT was required to perform header translation,
                   this packet is post-NAT-translated version of
                   the packet. In the case the agent selected to
                   perform the entire translation, the original
                   packet is sent as is to the agent, without any
                   NAT transformation.


5. Acknowledgement

   The author would like to express sincere appreciation and thanks
   to Yakov Rekhter for his valuable advice and contribution in the
   presentation of this document.


6. Security considerations.

   The security considerations described in [Ref 1] for all variations
   of NATs are applicable here.


REFERENCES

   [1] P. Srisuresh, M. Holdrege, "IP Network Address Translator
       (NAT) Terminology and Considerations",
       <draft-ietf-nat-terminology-01.txt> - Work in progress.

   [2] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. de Groot, and,
       E. Lear,  "Address Allocation for Private Internets", RFC 1918

   [3] J. Reynolds and J. Postel, "Assigned Numbers", RFC 1700

   [4] R. Braden, "Requirements for Internet Hosts -- Communication
       Layers", RFC 1122

   [5] R. Braden, "Requirements for Internet Hosts -- Application
       and Support", RFC 1123

   [6] F. Baker, "Requirements for IP Version 4 Routers",  RFC 1812

   [7] J. Postel, J. Reynolds, "FILE TRANSFER PROTOCOL (FTP)",
       RFC 959

   [8] "TRANSMISSION CONTROL PROTOCOL (TCP) SPECIFICATION",  RFC 793

   [9] J. Postel, "INTERNET CONTROL MESSAGE (ICMP) SPECIFICATION",



Srisuresh & Rekhter                                            [Page 22]


Internet Draft    NAT Application Programming Interface    November 1998


       RFC 792

   [10] J. Postel, "User Datagram Protocol (UDP)",  RFC 768

   [11] J. Mogul, J. Postel, "Internet Standard Subnetting Procedure",
        RFC 950

   [12] Brian carpenter, Jon Crowcroft, Yakov Rekhter, "IPv4 Address
        Behaviour Today", RFC 2101


Author's Address:

   Pyda Srisuresh
   Lucent technologies
   4464 Willow Road
   Pleasanton, CA 94588-8519
   U.S.A.

   Voice: (925) 737-2153
   Fax:   (925) 737-2110
   EMail: suresh@ra.lucent.com





























Srisuresh & Rekhter                                            [Page 23]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/