A YANG Data Module for Dual-Stack Lite (DS-Lite)

A YANG Data Module for Dual-Stack Lite (DS-Lite) Orange

Rennes 35000 France mohamed.boucadair@orange.com

Orange

Rennes 35000 France christian.jacquenet@orange.com

Cisco Systems

7100-8 Kit Creek Road Research Triangle Park North Carolina 27709 USA +1 919 392 5158 ssenthil@cisco.com

Internet IPv4 service continuity IPv4 address exhaustion Service Availability Address sharing IPv6 Reliability IPv4 over IPv6 This document defines a YANG module for the DS-Lite Address Family Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements. Please update these statements with the RFC number to be assigned to this document: "This version of this YANG module is part of RFC XXXX;" "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)"; "reference: RFC XXXX"

This document defines a data model for DS-Lite , using the YANG data modeling language . Both the Address Family Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements are covered by this specification. As a reminder, illustrates an overview of the DS-Lite architecture that involves AFTR and B4 elements.

DS-Lite deployment considerations are discussed in . This document follows the guidelines of , uses the common YANG types defined in , and adopts the Network Management Datastore Architecture (NMDA).

This document makes use of the terms defined in Section 3 of . The terminology for describing YANG data modules is defined in . The meaning of the symbols in tree diagrams is defined in .

As shown in : The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a NAPT function (Section 2.2 of ). The B4 element is an IPv4-in-IPv6 tunnel. Therefore, the DS-Lite YANG module is designed to augment both the Interfaces YANG module and the NAT YANG module with DS-Lite specific features. The YANG "feature" statement is used to distinguish which of the DS-Lite elements ('aftr' or 'b4') is relevant for a specific data node. Concretely, the DS-Lite YANG module () augments the Interfaces YANG module with the following: An IPv6 address used by the tunnel endpoint (AFTR or B4) for sending and receiving IPv4-in-IPv6 packets (ipv6-address). An IPv4 address that is used by the tunnel endpoint (AFTR or B4) for troubleshooting purposes (ipv4-address). An IPv6 address used by a B4 element to reach its AFTR (aftr-ipv6-addr). The tunnel MTU used to avoid fragmentation (tunnel-mtu). A policy to instruct the tunnel endpoint (AFTR or B4) whether it must preserve DSCP marking when encapsulating/decapsulating packets (v6-v4-dscp-preservation). In addition, the DS-Lite YANG module augments the NAT YANG module (policy, in particular) with the following: A policy to limit the number of DS-Lite softwires per subscriber (max-softwire-per-subscriber). A policy to instruct the AFTR whether a state can be automatically migrated (state-migrate). Further, in order to prevent a denial-of-service by frequently changing the source IPv6 address, 'b4-address-change-limit' is used to rate-lmite such changes. An instruction to rewrite the TCP Maximum Segment Size (MSS) option (mss-clamping) to avoid TCP fragmentation. Given that the NAPT table of the AFTR element is extended to include the source IPv6 address of incoming packets, the DS-Lite YANG module augments the NAPT44 mapping-entry with the following: b4-ipv6-address which is used to record the source IPv6 address of a packet received from a B4 element. This IPv6 address is required to disambiguate between the overlapping IPv4 address space of subscribers. The value of the Traffic Class field in the IPv6 header as received from a B4 element (v6-dscp): This information is used to preserve DSCP marking when encapsulating/decapsulationg at the AFTR. The IPv4 DSCP marking of the IPv4 packet received from a B4 element (internal-v4-dscp): This information can be used by the AFTR for setting the DSCP of packets relayed to a B4 element. The IPv4 DSCP marking as set by the AFTR in its external interface (external-v4-dscp): An AFTR can be instructed to preserve the same marking or to set it to another value when forwarding an IPv4 packet upstream. Access Control List (ACL) and Quality of Service (QoS) policies discussed in Section 2.5 of are out of scope. A YANG module for ACLs is documented in . Likewise, PCP-related considerations discussed in Section 8.5 of are out of scope. A YANG module for PCP is documented in .

/nat:nat/instances/instance/id +--ro policy-id -> /nat:nat/instances/instance/policy/id +--ro address inet:ipv6-address ]]> Examples to illustrate the use of this module are provided in and .

file "ietf-dslite@2018-01-10.yang" module ietf-dslite { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dslite"; prefix dslite; import ietf-inet-types { prefix inet; } import ietf-interfaces { prefix if; } import iana-if-type { prefix ianaift; } import ietf-nat {prefix nat;} import ietf-yang-types { prefix yang; } organization "IETF Softwire Working Group"; contact "WG Web: WG List: Editor: Mohamed Boucadair Editor: Christian Jacquenet Editor: Senthil Sivakumar "; description "This module is a YANG module for DS-Lite AFTR and B4 implementations. Copyright (c) 2017 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2018-01-10 { description "Initial revision."; reference "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)"; } /* * Features */ feature b4 { description "The B4 element is a function implemented on a dual-stack-capable node, either a directly connected device or a CPE, that creates a tunnel to an AFTR."; reference "Section 5 of RFC 6333."; } feature aftr { description "An AFTR element is the combination of an IPv4-in-IPv6 tunnel endpoint and an IPv4-IPv4 NAT implemented on the same node."; reference "Section 6 of RFC 6333."; } /* * Augments */ augment "/if:interfaces/if:interface" { when 'derived-from(if:type, "ianaift:tunnel")'; description "Augments Interface module with DS-Lite parameters. IANA interface types are maintained at this registry: https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib. tunnel (131), -- Encapsulation interface"; leaf ipv6-address { type inet:ipv6-address; description "IPv6 address of the local DS-Lite endpoint (AFTR or B4)."; reference "RFC 6333: Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion"; } leaf ipv4-address { type inet:ipv4-address; description "IPv4 address of the local DS-Lite AFTR or B4. 192.0.0.1 is reserved for the AFTR element, while 192.0.0.0/29 is reserved for the B4 element. This address can be used to report ICMP problems and will appear in traceroute outputs."; reference "RFC 6333: Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion"; } leaf aftr-ipv6-addr { if-feature b4; type inet:ipv6-address; description "Indicates the AFTR's IPv6 address to be used by a B4 element."; reference "RFC 6333: Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion"; } leaf tunnel-mtu { type uint16; description "Configures a tunnel MTU. [RFC6908] specifies that since fragmentation and reassembly is not optimal, the operator should do everything possible to eliminate the need for it. If the operator uses simple IPv4-in-IPv6 softwire, it is recommended that the MTU size of the IPv6 network between the B4 and the AFTR accounts for the additional overhead (40 bytes)."; reference "RFC 6908: Deployment Considerations for Dual-Stack Lite"; } leaf v6-v4-dscp-preservation { type boolean; description "Copies the DSCP value from the IPv6 header and vice versa. According to Section 2.10 of [RFC6908], operators should use this model by provisioning the network such that the AFTR/B4 copies the DSCP value in the IPv4 header to the Traffic Class field in the IPv6 header, after the encapsulation for the downstream traffic."; reference "Section 2.10 of RFC 6908."; } } augment "/nat:nat/nat:instances/nat:instance/nat:policy" { when "derived-from-or-self(/nat:nat/nat:instances/nat:instance/" + "nat:type, 'nat:napt44')" + " and /nat:nat/nat:instances/nat:instance/" + "nat:per-interface-binding='dslite'"; if-feature aftr; description "Augments the NAPT44 module with AFTR parameters."; leaf max-softwires-per-subscriber { type uint8; default 1; description "Configures the maximum softwires per subscriber feature. A subscriber is uniquely identified by means of a subscriber mask (subscriber-mask-v6). This policy aims to prevent a misbehaving subscriber from mounting several DS-Lite softwires that would consume additional AFTR resources (e.g., get more external ports if the quota were enforced on a per-softwire basis, consume extra processing due to a large number of active softwires)."; reference "Section 4 of RFC 7785."; } leaf state-migrate { type boolean; default true; description "State migration is enabled by default. In the event a new IPv6 address is assigned to the B4 element, the AFTR should migrate existing state to be bound to the new IPv6 address. This operation ensures that traffic destined to the previous B4's IPv6 address will be redirected to the newer B4's IPv6 address. The destination IPv6 address for tunneling return traffic from the AFTR should be the last seen as the B4's IPv6 source address from the user device (e.g., CPE). The AFTR uses the subscriber-mask-v6 to determine whether two IPv6 addresses belong to the same CPE (e.g., if the subscriber-mask-v6 is set to 56, the AFTR concludes that 2001:db8:100:100::1 and 2001:db8:100:100::2 belong to the same CPE assigned with 2001:db8:100:100::/56)."; reference "RFC 7785: Recommendations for Prefix Binding in the Context of Softwire Dual-Stack Lite"; } leaf b4-address-change-limit { type uint32; units "seconds"; default '1800'; description "Minimum number of seconds between successive B4's IPv6 address change from the same prefix. Changing the source B4's IPv6 address may be used as an attack vector. Packets with a new B4's IPv6 address from the same prefix should be rate-limited. It is recommended to set this rate limit to 30 minutes; other values can be set on a per-deployment basis."; reference "RFC 7785: Recommendations for Prefix Binding in the Context of Softwire Dual-Stack Lite"; } container mss-clamping { description "MSS rewriting configuration to avoid IPv6 fragmentation."; leaf enable { type boolean; description "Enable/disable MSS rewriting feature."; } leaf mss-value { type uint16; units "octets"; description "Sets the MSS value to be used for MSS rewriting."; } } } augment "/nat:nat/nat:instances/nat:instance/"+ "nat:mapping-table/nat:mapping-entry" { when "derived-from-or-self(/nat:nat/nat:instances/nat:instance/" + "nat:type, 'nat:napt44')" + " and /nat:nat/nat:instances/nat:instance/" + "nat:per-interface-binding='dslite'"; if-feature aftr; description "Augments the NAPT44 mapping table with DS-Lite specifics."; container b4-ipv6-address { description "Records the IPv6 address used by a B4 element and the last time that address changed."; leaf address { type inet:ipv6-address; description "Corresponds to the IPv6 address used by a B4 element."; reference "RFC 6333: Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion"; } leaf last-address-change { type yang:date-and-time; description "Records the last time when the address changed."; } } leaf v6-dscp { when "/if:interfaces/if:interface/" + "dslite:v6-v4-dscp-preservation='true'"; type uint8; description "DSCP value used at the softwire level (i.e., IPv6 header)."; } leaf internal-v4-dscp { when "/if:interfaces/if:interface/" + "dslite:v6-v4-dscp-preservation='true'"; type uint8; description "DSCP value of the encapsulated IPv4 packet."; } leaf external-v4-dscp { when "/if:interfaces/if:interface/" + "dslite:v6-v4-dscp-preservation='true'"; type uint8; description "DSCP value of the translated IPv4 packet as marked by the AFTR."; } } augment "/nat:nat/nat:instances/nat:instance/nat:statistics/" + "nat:mappings-statistics" { if-feature aftr; description "Indicates the number of active softwires."; leaf active-softwires{ type yang:gauge32; description "The number of currently active softwires on the AFTR instance."; } } /* * Notifications */ notification b4-address-change-limit-policy-violation { if-feature aftr; description "Generates notifications when a B4 unsuccessfully attempts to change IPv6 address in a time shorter than the value of b4-address-change-limit. Notifications are rate-limited (notify-interval)."; leaf id { type leafref { path "/nat:nat/nat:instances/nat:instance/nat:id"; } mandatory true; description "NAT instance identifier."; } leaf policy-id { type leafref { path "/nat:nat/nat:instances/nat:instance/nat:policy/nat:id"; } mandatory true; description "Policy Identifier."; } leaf address { type inet:ipv6-address; mandatory true; description "B4's IPv6 address."; } } } ]]>



    
      The YANG module defined in this document is designed to be accessed
      via network management protocols such as NETCONF  or RESTCONF . The
      lowest NETCONF layer is the secure transport layer, and the
      mandatory-to-implement secure transport is Secure Shell (SSH) . The lowest RESTCONF layer is HTTPS, and the
      mandatory-to-implement secure transport is TLS .

      The NETCONF access control model 
      provides the means to restrict access for particular NETCONF or RESTCONF
      users to a preconfigured subset of all available NETCONF or RESTCONF
      protocol operations and content.

      All data nodes defined in the YANG module which can be created,
      modified and deleted (i.e., config true, which is the default) are
      considered sensitive. Write operations (e.g., edit-config) applied to
      these data nodes without proper protection can negatively affect network
      operations. An attacker who is able to access to the B4/AFTR can
      undertake various attacks, such as:
          Set the value of 'aftr-ipv6-addr' on the B4 to point to an
          illegitimate AFTR so that it can intercept all the traffic sent by a
          B4. Illegitimately intercepting users' traffic is a attack with
          severe implications on privacy.

          Set the MTU to a low value which may increase the number of
          fragments ('tunnel-mtu' for both B4 and AFTR).

          Set 'max-softwire-per-subscriber' to an arbitrary high value,
          which will be exploited by a misbehaving user to grab more resources
          (by mounting as many softwires as required to get more external IP
          addresses/ports) or to perform a Denial-of-Service on the AFTR by
          mounting a massive number of softwires.

          Set 'state-migrate' to 'false' on the AFTR. This action may lead
          to a service degradation for the users.

          Set 'b4-address-change-limit" to an arbitrary low value can ease
          DoS attacks based on frequent change of B4 IPv6 address.

          Set 'v6-v4-dscp-preservation' to 'false" may lead to a service
          degradation if some policies are applied on the network based on the
          DSCP value.
        

      Additional security considerations are discussed in .

      Security considerations related to DS-Lite are discussed in .
    

    
      This document requests IANA to register the following URI in the
      "IETF XML Registry" : 
          
         This document requests IANA to register the following YANG
      module in the "YANG Module Names" registry .
          
        
    

    
      Thanks to Qin Wu, Benoit Claise, and Andy Bierman who helped for
      identifying compiling errors. Mahesh Jethanandani provided an early
      yangdoctors review; many thanks to him.

      Many thanks to Ian Farrer for the review and comments.



  
    
      

      

      

      

      

      

      

      

      

      

      
    

    
      

      

      

      

      

      

      
    

    
      The following example shows a B4 element (2001:db8:0:1::1) that is
      configured with an AFTR element (2001:db8:0:2::1). The B4 element is
      also instructed to preserve the DSCP marking.

      
          
  
    myB4
    ianaift:tunnel
    true
    2001:db8:0:1::1
    2001:db8:0:2::1
    true
  

]]>
        

      
    

    
      The following example shows an AFTR that is reachable at
      2001:db8:0:2::1. Also, this XML snippet indicates that the AFTR is
      provided with an IPv4 address (192.0.0.1) to be used for troubleshooting
      purposes such as reporting problems to B4s.

      Note that a subscriber is identified by a subscriber mask () that can be configured by means of .

      
          
  
    myAFTR
    ianaift:tunnel
    true
    2001:db8:0:2::1
    192.0.0.1
  

]]>
        

      The following shows an XML excerpt depicting a dynamic UDP mapping
      entry maintained by a DS-Lite AFTR for a packet received from the B4
      element introduced in . Concretely,
      this UDP packet received with a source IPv6 address (2001:db8:0:1::1), a
      source IPv4 address (192.0.2.1), and source port number (1568) is
      translated into a UDP packet having a source IPv4 address (198.51.100.1)
      and source port number (15000). The remaining lifetime of this mapping
      is 300 seconds.

      
          
  15
  
    dynamic-explicit
  
  
    17
  
  
    
      2001:db8:0:1::1
    
  
  
    192.0.2.1
  
  
    
      1568
    
  
  
    198.51.100.1
  
  
    
      15000
    
  
  
    300
  
]]>