draft-ietf-softwire-dslite-yang-08.txt   draft-ietf-softwire-dslite-yang-09.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair
Internet-Draft C. Jacquenet Internet-Draft C. Jacquenet
Intended status: Standards Track Orange Intended status: Standards Track Orange
Expires: May 16, 2018 S. Sivakumar Expires: May 17, 2018 S. Sivakumar
Cisco Systems Cisco Systems
November 12, 2017 November 13, 2017
YANG Data Modules for Dual-Stack Lite (DS-Lite) YANG Data Modules for Dual-Stack Lite (DS-Lite)
draft-ietf-softwire-dslite-yang-08 draft-ietf-softwire-dslite-yang-09
Abstract Abstract
This document defines YANG modules for the DS-Lite Address Family This document defines YANG modules for the DS-Lite Address Family
Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements. Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Please update these statements with the RFC number to be assigned to Please update these statements with the RFC number to be assigned to
this document: this document:
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2018. This Internet-Draft will expire on May 17, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
2. DS-Lite YANG Modules: An Overview . . . . . . . . . . . . . . 4 2. DS-Lite YANG Modules: An Overview . . . . . . . . . . . . . . 4
3. DS-Lite AFTR YANG Module . . . . . . . . . . . . . . . . . . 7 3. DS-Lite AFTR YANG Module . . . . . . . . . . . . . . . . . . 7
4. DS-Lite B4 YANG Module . . . . . . . . . . . . . . . . . . . 12 4. DS-Lite B4 YANG Module . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. Security Considerations . . . . . . . . . . . . . . . . . . . 16
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative references . . . . . . . . . . . . . . . . . . 17 8.1. Normative references . . . . . . . . . . . . . . . . . . 18
8.2. Informative references . . . . . . . . . . . . . . . . . 18 8.2. Informative references . . . . . . . . . . . . . . . . . 19
Appendix A. B4 Example . . . . . . . . . . . . . . . . . . . . . 19 Appendix A. B4 Example . . . . . . . . . . . . . . . . . . . . . 21
Appendix B. AFTR Examples . . . . . . . . . . . . . . . . . . . 19 Appendix B. AFTR Examples . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
This document defines data models for DS-Lite [RFC6333], using the This document defines data models for DS-Lite [RFC6333], using the
YANG data modeling language [RFC7950]. Both the Address Family YANG data modeling language [RFC7950]. Both the Address Family
Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements
are covered by this specification. are covered by this specification.
As a reminder, Figure 1 illustrates an overview of the DS-Lite As a reminder, Figure 1 illustrates an overview of the DS-Lite
architecture that involves AFTR and B4 elements. architecture that involves AFTR and B4 elements.
skipping to change at page 4, line 19 skipping to change at page 4, line 19
Datastore Architecture (NMDA). Datastore Architecture (NMDA).
1.1. Terminology 1.1. Terminology
This document makes use of the terms defined in Section 3 of This document makes use of the terms defined in Section 3 of
[RFC6333]. [RFC6333].
The terminology for describing YANG data modules is defined in The terminology for describing YANG data modules is defined in
[RFC7950]. [RFC7950].
1.2. Tree Diagrams The meaning of the symbols in tree diagrams is defined in
[I-D.ietf-netmod-yang-tree-diagrams].
The meaning of the symbols in these diagrams is as follows:
o Brackets "[" and "]" enclose list keys.
o Curly braces "{" and "}" contain names of optional features that
make the corresponding node conditional.
o Abbreviations before data node names: "rw" means configuration
(read-write), "ro" state data (read-only).
o Symbols after data node names: "?" means an optional node, "!" a
container with presence, and "*" denotes a "list" or "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
2. DS-Lite YANG Modules: An Overview 2. DS-Lite YANG Modules: An Overview
As shown in Figure 1: As shown in Figure 1:
o The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a o The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a
NAPT function (Section 2.2 of [RFC3022]). NAPT function (Section 2.2 of [RFC3022]).
o The B4 element is an IPv4-in-IPv6 tunnel. o The B4 element is an IPv4-in-IPv6 tunnel.
skipping to change at page 5, line 16 skipping to change at page 4, line 47
YANG module with the following: YANG module with the following:
o An IPv6 address used by the AFTR for sending and receiving IPv4- o An IPv6 address used by the AFTR for sending and receiving IPv4-
in-IPv6 packets (aftr-ipv6-address). in-IPv6 packets (aftr-ipv6-address).
o An IPv4 address that is used by the AFTR for troubleshooting o An IPv4 address that is used by the AFTR for troubleshooting
purposes (aftr-ipv4-address). purposes (aftr-ipv4-address).
o The tunnel MTU, used to avoid fragmentation (tunnel-mtu). o The tunnel MTU, used to avoid fragmentation (tunnel-mtu).
o A policy to limit the number of DS-Lite softwires per subscriber
(max-softwire-per-subscriber).
o A policy to instruct the AFTR whether it must preserve DSCP o A policy to instruct the AFTR whether it must preserve DSCP
marking when encapsulating/decapsulating packets (v6-v4-dscp- marking when encapsulating/decapsulating packets (v6-v4-dscp-
preservation). preservation).
In addition, the AFTR YANG module augments the NAT YANG module In addition, the AFTR YANG module augments the NAT YANG module
(policy, in particular) with the following: (policy, in particular) with the following:
o A policy to limit the number of DS-Lite softwires per subscriber
(max-softwire-per-subscriber).
o A policy to instruct the AFTR whether a state can be automatically o A policy to instruct the AFTR whether a state can be automatically
migrated (state-migrate). migrated (state-migrate).
o Further, in order to prevent a denial-of-service by frequently o Further, in order to prevent a denial-of-service by frequently
changing the source IPv6 address, 'b4-address-change-limit' is changing the source IPv6 address, 'b4-address-change-limit' is
used to rate-lmite such changes. used to rate-lmite such changes.
o An instruction to rewrite the TCP Maximum Segment Size (MSS) o An instruction to rewrite the TCP Maximum Segment Size (MSS)
option (mss-clamping) to avoid TCP fragmentation. option (mss-clamping) to avoid TCP fragmentation.
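Review bot: the overview bullet that was moved into the NAT-policy list still calls the leaf 'max-softwire-per-subscriber', while the tree diagram and the module text in this same revision rename it 'max-softwires-per-subscriber'; pick one spelling and use it consistently in the overview, in Section 5 and in the appendix, since readers grep for the leaf name. The 'b4-address-change-limit' bullet also still carries the typo 'rate-lmite' (should be 'rate-limit') in both columns, and it is the only item in the list that opens with 'Further,', which reads oddly in a bullet; suggest "A rate limit on B4 source IPv6 address changes (b4-address-change-limit), to prevent a denial-of-service caused by frequently changing the source IPv6 address."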
skipping to change at page 6, line 20 skipping to change at page 6, line 7
Access Control List (ACL) and Quality of Service (QoS) policies Access Control List (ACL) and Quality of Service (QoS) policies
discussed in Section 2.5 of [RFC6908] are out of scope. A YANG discussed in Section 2.5 of [RFC6908] are out of scope. A YANG
module for ACLs is documented in [I-D.ietf-netmod-acl-model]. module for ACLs is documented in [I-D.ietf-netmod-acl-model].
Likewise, PCP-related considerations discussed in Section 8.5 of Likewise, PCP-related considerations discussed in Section 8.5 of
[RFC6333] are out of scope. A YANG module for PCP is documented in [RFC6333] are out of scope. A YANG module for PCP is documented in
[I-D.boucadair-pcp-yang]. [I-D.boucadair-pcp-yang].
module: ietf-dslite-aftr module: ietf-dslite-aftr
augment /if:interfaces/if:interface: augment /if:interfaces/if:interface:
+--rw aftr-ipv6-address? inet:ipv6-address +--rw aftr-ipv6-address? inet:ipv6-address
+--rw aftr-ipv4-address? inet:ipv4-address +--rw aftr-ipv4-address? inet:ipv4-address
+--rw tunnel-mtu? uint16 +--rw tunnel-mtu? uint16
+--rw max-softwire-per-subscriber? uint8 +--rw v6-v4-dscp-preservation? boolean
+--rw v6-v4-dscp-preservation? boolean
augment /nat:nat/nat:instances/nat:instance/nat:policy: augment /nat:nat/nat:instances/nat:instance/nat:policy:
+--rw state-migrate? boolean +--rw max-softwires-per-subscriber? uint8
+--rw b4-address-change-limit? uint32 +--rw state-migrate? boolean
+--rw b4-address-change-limit? uint32
+--rw mss-clamping +--rw mss-clamping
+--rw enable? boolean +--rw enable? boolean
+--rw mss-value? uint16 +--rw mss-value? uint16
augment /nat:nat/nat:instances/nat:instance/nat:mapping-table/nat:mapping-entry: augment /nat:nat/nat:instances/nat:instance/nat:mapping-table/nat:mapping-entry:
+--rw b4-ipv6-address? inet:ipv6-address +--rw b4-ipv6-address
| +--rw address? inet:ipv6-address
| +--rw last-address-change? yang:date-and-time
+--rw v6-dscp? uint8 +--rw v6-dscp? uint8
+--rw internal-v4-dscp? uint8 +--rw internal-v4-dscp? uint8
+--rw external-v4-dscp? uint8 +--rw external-v4-dscp? uint8
augment /nat:nat/nat:instances/nat:instance/nat:statistics/nat:mappings-statistics:
+--ro active-softwires? yang:gauge32
notifications:
+---n b4-address-change-limit-policy-violation
+--ro id -> /nat:nat/instances/instance/id
+--ro policy-id -> /nat:nat/instances/instance/policy/id
+--ro address inet:ipv6-address
Figure 2: YANG Module for DS-Lite AFTR Figure 2: YANG Module for DS-Lite AFTR
Examples to illustrate the use of this module are provided in Examples to illustrate the use of this module are provided in
Appendix B. Appendix B.
The B4 YANG module (Figure 3) augments the Interfaces YANG module The B4 YANG module (Figure 3) augments the Interfaces YANG module
with the following: with the following:
o An IPv6 address used by a B4 element for sending and receiving o An IPv6 address used by a B4 element for sending and receiving
skipping to change at page 7, line 26 skipping to change at page 7, line 24
+--rw tunnel-mtu? uint16 +--rw tunnel-mtu? uint16
+--rw v6-v4-dscp-preservation? boolean +--rw v6-v4-dscp-preservation? boolean
Figure 3: YANG Module for DS-Lite B4 Figure 3: YANG Module for DS-Lite B4
An example to illustrate the use of this module is provided in An example to illustrate the use of this module is provided in
Appendix A. Appendix A.
3. DS-Lite AFTR YANG Module 3. DS-Lite AFTR YANG Module
<CODE BEGINS> file "ietf-dslite-aftr@2017-11-13.yang" <CODE BEGINS> file "ietf-dslite-aftr@2017-11-14.yang"
module ietf-dslite-aftr { module ietf-dslite-aftr {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-aftr"; namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-aftr";
prefix dslite-aftr; prefix dslite-aftr;
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-interfaces { prefix if; } import ietf-interfaces { prefix if; }
import iana-if-type { prefix ianaift; } import iana-if-type { prefix ianaift; }
import ietf-nat {prefix nat;} import ietf-nat {prefix nat;}
import ietf-yang-types { prefix yang; }
organization "IETF Softwire Working Group"; organization "IETF Softwire Working Group";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/softwire/> "WG Web: <https://datatracker.ietf.org/wg/softwire/>
WG List: <mailto:softwires@ietf.org> WG List: <mailto:softwires@ietf.org>
WG Chair: Ian Farrer WG Chair: Ian Farrer
<mailto:ianfarrer@gmx.com> <mailto:ianfarrer@gmx.com>
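Review bot: the AFTR module file name is bumped to ietf-dslite-aftr@2017-11-14.yang (and the revision statement below to 2017-11-14) although the draft itself is dated November 13, 2017 and the B4 module in Section 4 keeps ietf-dslite-b4@2017-11-13.yang; a module revision later than the document date is inconsistent, so either date both modules 2017-11-13 or bump the document date. The added import of ietf-yang-types is needed for yang:date-and-time and yang:gauge32 used later in the module and sits correctly alongside the other imports.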
skipping to change at page 8, line 29 skipping to change at page 8, line 28
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-11-13 { revision 2017-11-14 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: YANG Data Modules for Dual-Stack Lite (DS-Lite)"; "RFC XXXX: YANG Data Modules for Dual-Stack Lite (DS-Lite)";
} }
augment "/if:interfaces/if:interface" { augment "/if:interfaces/if:interface" {
when "if:type = 'ianaift:tunnel'"; when "if:type = 'ianaift:tunnel'";
description description
"Augments Interface module with AFTR parameters. "Augments Interface module with AFTR parameters.
skipping to change at page 9, line 36 skipping to change at page 9, line 33
[RFC6908] specifies that since fragmentation and reassembly [RFC6908] specifies that since fragmentation and reassembly
is not optimal, the operator should do everything possible is not optimal, the operator should do everything possible
to eliminate the need for it. If the operator uses simple to eliminate the need for it. If the operator uses simple
IPv4-in-IPv6 softwire, it is recommended that the MTU size IPv4-in-IPv6 softwire, it is recommended that the MTU size
of the IPv6 network between the B4 and the AFTR accounts for of the IPv6 network between the B4 and the AFTR accounts for
the additional overhead (40 bytes)."; the additional overhead (40 bytes).";
reference reference
"RFC 6908: Deployment Considerations for Dual-Stack Lite"; "RFC 6908: Deployment Considerations for Dual-Stack Lite";
} }
leaf max-softwire-per-subscriber { leaf v6-v4-dscp-preservation {
type boolean;
description
"Copies the DSCP value from the IPv6 header and vice versa.
According to Section 2.10 of [RFC6908], operators should
use this model by provisioning the network such that the AFTR
copies the DSCP value in the IPv4 header to the Traffic Class
field in the IPv6 header, after the encapsulation for
the downstream traffic.";
reference
"Section 2.10 of RFC 6908.";
}
}
augment "/nat:nat/nat:instances/nat:instance/nat:policy" {
description
"Augments the NAPT44 module with AFTR parameters.";
leaf max-softwires-per-subscriber {
type uint8; type uint8;
default 1; default 1;
description description
"Configures the maximum softwires per subscriber feature. "Configures the maximum softwires per subscriber feature.
A subscriber is uniquely identified by means A subscriber is uniquely identified by means
of subscriber-mask. of subscriber-mask.
This policy aims to prevent a misbehaving subscriber from This policy aims to prevent a misbehaving subscriber from
mounting several DS-Lite softwires that would consume mounting several DS-Lite softwires that would consume
additional AFTR resources (e.g., get more external ports additional AFTR resources (e.g., get more external ports
if the quota were enforced on a per-softwire basis, if the quota were enforced on a per-softwire basis,
consume extra processing due to a large number of active consume extra processing due to a large number of active
softwires)."; softwires).";
reference reference
"Section 4 of RFC 7785."; "Section 4 of RFC 7785.";
} }
leaf v6-v4-dscp-preservation {
type boolean;
description
"Copies the DSCP value from the IPv6 header and vice versa.
According to Section 2.10 of [RFC6908], operators should
use this model by provisioning the network such that the AFTR
copies the DSCP value in the IPv4 header to the Traffic Class
field in the IPv6 header, after the encapsulation for
the downstream traffic.";
reference
"Section 2.10 of RFC 6908.";
}
}
augment "/nat:nat/nat:instances/"+
"nat:instance/nat:policy" {
description
"Augments the NAPT44 module with AFTR parameters.";
leaf state-migrate { leaf state-migrate {
type boolean; type boolean;
default true; default true;
description description
"State migration is enabled by default. "State migration is enabled by default.
In the event a new IPv6 address is assigned to the B4 element, In the event a new IPv6 address is assigned to the B4 element,
the AFTR should migrate existing state to be bound to the new the AFTR should migrate existing state to be bound to the new
IPv6 address. This operation ensures that traffic destined to IPv6 address. This operation ensures that traffic destined to
the previous B4's IPv6 address will be redirected to the newer the previous B4's IPv6 address will be redirected to the newer
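Review bot: 'max-softwires-per-subscriber' is typed uint8 with default 1 but no range statement, so 0 is a valid configured value with no documented meaning (does it block every softwire for the subscriber or disable the limit?); add range "1..max" or state in the description what 0 means, because this leaf is the resource-exhaustion guard that Section 5 relies on. Moving the leaf under nat:policy rather than the tunnel interface is the right place, since the description identifies a subscriber by the subscriber-mask, which is a NAT-policy concept; the description should cite [I-D.ietf-opsawg-nat-yang] for that leaf, not only RFC 7785. Also, 'state-migrate' defaults to true while the definition of 'b4-address-change-limit' that bounds migration falls outside the lines shown in this diff; confirm it carries a default so that migration is never enabled without a rate limit on address changes.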
skipping to change at page 11, line 48 skipping to change at page 11, line 45
"Sets the MSS value to be used for MSS rewriting."; "Sets the MSS value to be used for MSS rewriting.";
} }
} }
} }
augment "/nat:nat/nat:instances/nat:instance/"+ augment "/nat:nat/nat:instances/nat:instance/"+
"nat:mapping-table/nat:mapping-entry"{ "nat:mapping-table/nat:mapping-entry"{
description description
"Augments the NAPT44 mapping table with DS-Lite specifics."; "Augments the NAPT44 mapping table with DS-Lite specifics.";
leaf b4-ipv6-address { container b4-ipv6-address {
type inet:ipv6-address;
description description
"Corresponds to the IPv6 address used by the B4 element."; "Records the IPv6 address used by the B4 element and the last
time that address changed.";
reference leaf address {
"RFC 6333: Dual-Stack Lite Broadband Deployments Following type inet:ipv6-address;
IPv4 Exhaustion"; description
"Corresponds to the IPv6 address used by the B4 element.";
reference
"RFC 6333: Dual-Stack Lite Broadband Deployments Following
IPv4 Exhaustion";
}
leaf last-address-change {
type yang:date-and-time;
description
"Records the last time when the address changed.";
}
} }
leaf v6-dscp { leaf v6-dscp {
when "/if:interfaces/if:interface/" + when "/if:interfaces/if:interface/" +
"dslite-aftr:v6-v4-dscp-preservation='true'"; "dslite-aftr:v6-v4-dscp-preservation='true'";
type uint8; type uint8;
description description
"DSCP value used at the softwire level (i.e., IPv6 header)."; "DSCP value used at the softwire level (i.e., IPv6 header).";
} }
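Review bot: 'last-address-change' inside the new 'b4-ipv6-address' container is described as recording when the address last changed, which is something the AFTR observes rather than something an operator configures, yet the tree diagram shows it inheriting 'rw' from the mapping entry; mark it config false (or move it next to the other operational data in the statistics augment) so that a client with write access cannot plant a timestamp and, if the 'b4-address-change-limit' check compares against this value, defeat the rate limit. Separately, the when expression on 'v6-dscp' (and the two sibling DSCP leaves) tests /if:interfaces/if:interface/dslite-aftr:v6-v4-dscp-preservation='true', which is true if any tunnel interface on the device has preservation enabled, not necessarily the interface serving this NAT instance; if that cross-reference cannot be tightened, say so in the description.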
skipping to change at page 12, line 35 skipping to change at page 12, line 43
leaf external-v4-dscp { leaf external-v4-dscp {
when "/if:interfaces/if:interface/" + when "/if:interfaces/if:interface/" +
"dslite-aftr:v6-v4-dscp-preservation='true'"; "dslite-aftr:v6-v4-dscp-preservation='true'";
type uint8; type uint8;
description description
"DSCP value of the translated IPv4 packet as marked by "DSCP value of the translated IPv4 packet as marked by
the AFTR."; the AFTR.";
} }
} }
augment "/nat:nat/nat:instances/nat:instance/nat:statistics/" +
"nat:mappings-statistics" {
description
"Indicates the number of active softwires.";
leaf active-softwires{
type yang:gauge32;
description
"The number of currently active softwires on the AFTR
instance.";
}
}
/*
* Notifications
*/
notification b4-address-change-limit-policy-violation {
description
"Generates notifications when a B4 unsuccessfully attempts
to change IPv6 address in a time shorter than the value of
b4-address-change-limit.
Notifications are rate-limited (notify-interval).";
leaf id {
type leafref {
path "/nat:nat/nat:instances/nat:instance/nat:id";
}
mandatory true;
description
"NAT instance identifier.";
}
leaf policy-id {
type leafref {
path "/nat:nat/nat:instances/nat:instance/nat:policy/nat:id";
}
mandatory true;
description
"Policy Identifier.";
}
leaf address {
type inet:ipv6-address;
mandatory true;
description
"B4's IPv6 address.";
}
}
} }
<CODE ENDS> <CODE ENDS>
4. DS-Lite B4 YANG Module 4. DS-Lite B4 YANG Module
<CODE BEGINS> file "ietf-dslite-b4@2017-11-13.yang" <CODE BEGINS> file "ietf-dslite-b4@2017-11-13.yang"
module ietf-dslite-b4 { module ietf-dslite-b4 {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-b4"; namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-b4";
skipping to change at page 15, line 52 skipping to change at page 17, line 18
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
network operations. An attacker who is able to access to the B4/AFTR network operations. An attacker who is able to access to the B4/AFTR
can undertake various attacks, such as: can undertake various attacks, such as:
o Set the value of 'aftr-ipv6-addr' on the B4 to point to an o Set the value of 'aftr-ipv6-addr' on the B4 to point to an
illegitimate AFTR so that it can intercept all the traffic sent by illegitimate AFTR so that it can intercept all the traffic sent by
a B4. Illegitimately intercepting users' traffic is a attack with a B4. Illegitimately intercepting users' traffic is a attack with
severe implications on privacy. severe implications on privacy.
o Set the MTU to a low value which may increase the number of o Set the MTU to a low value which may increase the number of
fragments (tunnel-mtu for both B4 and AFTR). fragments ('tunnel-mtu' for both B4 and AFTR).
o Set 'max-softwire-per-subscriber' to an arbitrary high value, o Set 'max-softwire-per-subscriber' to an arbitrary high value,
which will be exploited by a misbehaving user to grab more which will be exploited by a misbehaving user to grab more
resources (by mounting as many softwires as required to get more resources (by mounting as many softwires as required to get more
external IP addresses/ports) or to perform a Denial-of-Service on external IP addresses/ports) or to perform a Denial-of-Service on
the AFTR by mounting a massive number of softwires. the AFTR by mounting a massive number of softwires.
o Set 'state-migrate' to 'false' on the AFTR. This action may lead o Set 'state-migrate' to 'false' on the AFTR. This action may lead
to a service degradation for the users. to a service degradation for the users.
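Review bot: the third bullet still names the leaf 'max-softwire-per-subscriber' while the module in this revision spells it 'max-softwires-per-subscriber', and the list omits the other write-sensitive policy leaves added in this module: an attacker who can loosen or disable 'b4-address-change-limit' while 'state-migrate' stays true re-enables the address-churn denial-of-service that Section 2 says the limit exists to prevent, and one who disables 'mss-clamping' or sets 'mss-value' too high reintroduces the TCP fragmentation the option is meant to avoid, which belongs beside the 'tunnel-mtu' bullet. Grammar in the lead paragraph: "able to access to the B4/AFTR" should read "able to access the B4/AFTR", and "is a attack" should read "is an attack".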
skipping to change at page 17, line 21 skipping to change at page 18, line 42
Many thanks to Ian Farrer for the review and comments. Many thanks to Ian Farrer for the review and comments.
8. References 8. References
8.1. Normative references 8.1. Normative references
[I-D.ietf-opsawg-nat-yang] [I-D.ietf-opsawg-nat-yang]
Boucadair, M., Sivakumar, S., Jacquenet, C., Vinapamula, Boucadair, M., Sivakumar, S., Jacquenet, C., Vinapamula,
S., and Q. Wu, "A YANG Data Model for Network Address S., and Q. Wu, "A YANG Data Model for Network Address
Translation (NAT) and Network Prefix Translation (NPT)", Translation (NAT) and Network Prefix Translation (NPT)",
draft-ietf-opsawg-nat-yang-06 (work in progress), October draft-ietf-opsawg-nat-yang-08 (work in progress), November
2017. 2017.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
skipping to change at page 18, line 35 skipping to change at page 20, line 11
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-netmod-acl-model] [I-D.ietf-netmod-acl-model]
Jethanandani, M., Huang, L., Agarwal, S., and D. Blair, Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
"Network Access Control List (ACL) YANG Data Model", "Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-14 (work in progress), October draft-ietf-netmod-acl-model-14 (work in progress), October
2017. 2017.
[I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-02 (work in progress),
October 2017.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
January 2011, <https://www.rfc-editor.org/info/rfc6087>. January 2011, <https://www.rfc-editor.org/info/rfc6087>.
[RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M. [RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
skipping to change at page 19, line 26 skipping to change at page 21, line 26
<aftr-ipv6-addr>2001:db8:0:2::1</aftr-ipv6-addr> <aftr-ipv6-addr>2001:db8:0:2::1</aftr-ipv6-addr>
<v6-v4-dscp-preservation>true</v6-v4-dscp-preservation> <v6-v4-dscp-preservation>true</v6-v4-dscp-preservation>
</interface> </interface>
Appendix B. AFTR Examples Appendix B. AFTR Examples
The following example shows an AFTR that is reachable at The following example shows an AFTR that is reachable at
2001:db8:0:2::1. Also, this XML snippet indicates that the AFTR is 2001:db8:0:2::1. Also, this XML snippet indicates that the AFTR is
provided with an IPv4 address (192.0.0.1) to be used for provided with an IPv4 address (192.0.0.1) to be used for
troubleshooting purposes such as reporting problems to B4s. troubleshooting purposes such as reporting problems to B4s.
Moreover, the AFTR is instructed to limit the number of softwires per
subscriber to '1'.
Note that a subscriber is identified by a subscriber-mask ([RFC7785]) Note that a subscriber is identified by a subscriber-mask ([RFC7785])
that can be configured by means of [I-D.ietf-opsawg-nat-yang]. that can be configured by means of [I-D.ietf-opsawg-nat-yang].
<interface> <interface>
<name>myAFTR</name> <name>myAFTR</name>
<type>ianaift:tunnel</type> <type>ianaift:tunnel</type>
<enabled>true</enabled> <enabled>true</enabled>
<aftr-ipv6-address>2001:db8:0:2::1</aftr-ipv6-address> <aftr-ipv6-address>2001:db8:0:2::1</aftr-ipv6-address>
<aftr-ipv4-address>192.0.0.1</aftr-ipv4-address> <aftr-ipv4-address>192.0.0.1</aftr-ipv4-address>
<max-softwire-per-subscriber>1</max-softwire-per-subscriber>
</interface> </interface>
The following shows an XML excerpt depicting a dynamic UDP mapping The following shows an XML excerpt depicting a dynamic UDP mapping
entry maintained by a DS-Lite AFTR for a packet received from the B4 entry maintained by a DS-Lite AFTR for a packet received from the B4
element introduced in Appendix A. Concretely, this UDP packet element introduced in Appendix A. Concretely, this UDP packet
received with a source IPv6 address (2001:db8:0:1::1), a source IPv4 received with a source IPv6 address (2001:db8:0:1::1), a source IPv4
address (192.0.2.1), and source port number (1568) is translated into address (192.0.2.1), and source port number (1568) is translated into
a UDP packet having a source IPv4 address (198.51.100.1) and source a UDP packet having a source IPv4 address (198.51.100.1) and source
port number (15000). The remaining lifetime of this mapping is 300 port number (15000). The remaining lifetime of this mapping is 300
seconds. seconds.
<mapping-entry> <mapping-entry>
<index>15</index> <index>15</index>
<type> <type>
dynamic-explicit dynamic-explicit
</type> </type>
<transport-protocol> <transport-protocol>
17 17
</transport-protocol> </transport-protocol>
<b4-ipv6-address> <b4-ipv6-address>
<address>
2001:db8:0:1::1 2001:db8:0:1::1
</address>
</b4-ipv6-address> </b4-ipv6-address>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1
</internal-src-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
1568 1568
</start-port-number> </start-port-number>
</internal-src-port> </internal-src-port>
<external-src-address> <external-src-address>
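Review bot: with 'max-softwire-per-subscriber' removed from the interface example (together with the sentence that explained it), no example shows the leaf at its new location under nat:policy; add a short policy snippet that sets 'max-softwires-per-subscriber' to 1 alongside 'state-migrate' and 'b4-address-change-limit', so the appendix again exercises the per-subscriber limit that Section 5 highlights. The mapping-entry example correctly wraps the B4 address in the new container but could also show 'last-address-change' now that the container carries it. Note also that the B4 example uses 'aftr-ipv6-addr' while the AFTR example uses 'aftr-ipv6-address'; if the two modules intentionally differ in leaf name, say so in Section 2, otherwise align them.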
 End of changes. 29 change blocks. 
80 lines changed or deleted 137 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/