A Layer 2 VPN Network YANG Model

A Layer 2 VPN Network YANG Model Telefonica

Madrid ES samier.barguilgiraldo.ext@telefonica.com

Telefonica

Madrid ES oscar.gonzalezdedios@telefonica.com

Orange

France mohamed.boucadair@orange.com

Vodafone

ES luis-angel.munoz@vodafone.com

ops OPSAWG automation network model service provider VPN service provisionning network automation service delivery This document defines a YANG data model (called, L2NM) that can be used to manage the provisioning of Layer 2 VPN services within a service provider Network. The L2NM provides representation of the Layer 2 VPN services from a network standpoint. The L2NM is meant to be used by a network controller to derive the configuration information that will be sent to relevant network devices. The L2NM complements the Layer 2 Service Model by providing a network-centric view of the service that is internal to a service providers. Please update these statements within the document with the RFC number to be assigned to this document: "This version of this YANG module is part of RFC XXXX;" "RFC XXXX: Layer 2 VPN Network Model"; reference: RFC XXXX Please update "RFC CCCC" to the RFC number to be assigned to I-D.ietf-opsawg-vpn-common. Also, please update the "revision" date of the YANG module.

defines an L2VPN Service Model (L2SM) YANG data model that can be used for L2VPN service ordering matters between customers and service providers (SPs). This document complements the L2SM by creating a network-centric view of the service which can be exposed by a network to a service controller within the service providers network. In particular, the model can be used in the communication between the entity that interacts directly with the customer, the service orchestrator, (either fully automated or a human operator) and the entity in charge of network orchestration and control (a.k.a., network controller/orchestrator). The data model defined in this document is called the L2VPN Network Model (L2NM), playing the role of Service Delivery Model (Figure 3 of ). The module supports additional capabilities, such as exposing operational parameters, transport protocols selection and precedence. It also serves as a multi-domain orchestration interface, because this model can transport resources (i.e., VCID) between domains. The data model keeps minimum customer-related information. This document uses the common VPN YANG module defined in . The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document assumes that the reader is familiar with the contents of , , , , and uses terminology from those documents. This document uses the term "network model" defined in Section 2.1 of . The meaning of the symbols in YANG tree diagrams is . This document uses the term "network model" defined in Section 2.1 of . This document makes use of the following terms: Describes the service characterization of an L2VPN that interconnects a set of sites from the perspective of the customer. The customer service model does not provide details on the service provider network. The L2VPN customer service model is defined in . Refers to the YANG module that describes an L2VPN service with a network-centric view. It contains information of the service providers network and might include allocated resources. It can be used by network controllers to manage the Layer 2 VPN service configuration in the service providers network. The YANG module can be consumed by a service orchestrator to request a VPN service to a network controller or to expose the list of active L2VPN services. Refers to a functional entity that interacts with the customer of an L2VPN relying upon, e.g., L2SM. The service orchestrator is responsible of the CE-PE attachment circuits, the PE selection, and requesting the activation of the L2VPN service to a network controller. Denotes a functional entity responsible for the management of the service providers network. Is an abstraction that represents a set of policies applied on a PE and that belong to a single VPN service. A VPN service involves one or more VPN nodes. The VPN node will identify the service providers node on which the VPN is deployed. Is an abstraction that represents the network interfaces that are associated to a given VPN node. Traffic coming from the VPN network access belongs to the VPN. The attachment circuits (bearers) between CEs and PEs are terminated in the VPN network access. Is a service providers that offers L2VPN-related services. Is a network able to provide L2VPN-related services.

The following acronyms are used in the document: Access Control List Border Gateway Protocol Customer Edge Layer 2 Virtual Private Network L2VPN Service Model L2VPN Network Model Provider Edge Quality of Service Route Distinguisher Route Target Virtual Private Network Virtual Routing and Forwarding

illustrates how L2NM is used. As a reminder, this figure is an expansion of the architecture presented in Section 3 of and decomposes the box marked "orchestration" in that figure into three separate functional components called "Service Orchestration", "Network Orchestration", and "Domain Orchestration". The reader may refer to for the distinction between the "Customer Service Model", the "Service Delivery Model", the "Network Configuration Model", and the "Device Configuration Model". The "Domain Orchestration" and "Config Manager" roles may be performed by "SDN Controllers".

The customer may use a variety of means to request a service that may trigger the instantiation of a L2NM. The customer may use the L2SM or may rely upon more abstract models to request a service that relies upon an L3VPN service. For example, the customer may supply an IP Connectivity Provisioning Profile (CPP) , an enhanced VPN (VPN+) service , or an IETF network slice . Note also that both the L2SM and the L2NM may be used in the context of the Abstraction and Control of TE Networks (ACTN) architecture . shows the Customer Network Controller (CNC), the Multi-Domain Service Coordinator (MDSC), and the Provisioning Network Controller (PNC).

The "ietf-vpn-common" module includes a set of identities, types, and groupings that are meant to be reused by VPN-related YANG modules independently of the layer (e.g., Layer 2, Layer 3) and the type of the module (e.g., network model, service model) including future revisions of existing models (e.g., ). The L2NM reuses these common types and groupings. As discussed in , the L2NM is meant to manage L2VPN services within a service provider network. The module provides a network view of the service. Such a view is only visible within the service provider and is not exposed outside (to customers, for example). The following discusses how L2NM interfaces with other YANG modules: L2NM is not a customer service model.The internal view of the service (i.e., L2NM) may be mapped to an external view which is visible to customers: L2VPN Service YANG data Model (L2SM) . The L2NM can be fed with inputs that are requested by customers, typically, relying upon an L2SM template. Concretely, some parts of the L2SM module can be directly mapped into L2NM while other parts are generated as a function of the requested service and local guidelines. Some other parts are local to the service provider and do not map directly to L2SM.Note that the use of L2NM within a service provider does not assume nor preclude exposing the VPN service via the L2SM. This is deployment-specific. Nevertheless, the design of L2NM tries to align as much as possible with the features supported by the L2SM to ease grafting both L2NM and L2SM for the sake of highly automated VPN service provisioning and delivery. An L2VPN involves nodes that are part of a topology managed by the service provider network. Such topology can be represented using the network topology module in . L2NM is not a device model. Once a global VPN service is captured by means of the L2NM, the actual activation and provisioning of the VPN service will involve a variety of device modules to tweak the required functions for the delivery of the service. These functions are supported by the VPN nodes and can be managed using device YANG modules. How the L2NM is used to derive device-specific actions is implementation-specific.

The L2NM module ('ietf-l2vpn-ntw') is meant to manage L2VPNs within a service provider network. In particular, the 'ietf-l2vpn-ntw' module can be used to create, modify, and retrieve L2VPN services in a network controller. The module is not aimed at maintaining customer-related information. Editor's note: Next version of the document will include the full description of the parameters. When the parameters match with L2SM, the exact reference will be done

The 'ietf-l2vpn-ntw' module uses two main containers: 'vpn-services' and 'vpn-profiles'. The 'vpn-services' container maintains a set of L2VPN services managed in the service providers network. The module allows to create a new L2VPN service by adding a new instance of 'vpn-service'. The 'vpn-service' is the data structure that abstracts the VPN Service.

The 'vpn-profiles' container () allows the VPN service provider to define and maintain a set of VPN profiles that apply to one or several VPN services. This document does not make any assumption about the exact definition of these profiles. The exact definition of the profiles is local to each VPN service provider. The model only includes an identifier to these profiles in order to ease identifying and binding local policies when building a VPN service. As shown in , the following identifiers can be included: This identifier refers to a profile that defines the external connectivity provided to a VPN service (or a subset of VPN sites). An external connectivity may be an access to the Internet or a restricted connectivity such as access to a public/private cloud. An encryption profile refers to a set of policies related to the encryption schemes and setup that can be applied when building and offering a VPN service. A Quality of Service (QoS) profile refers to as set of policies such as classification, marking, and actions (e.g., ). A Bidirectional Forwarding Detection (BFD) profile refers to a set of BFD policies that can be invoked when building a VPN service. A forwarding profile refers to the policies that apply to the forwarding of packets conveyed within a VPN. Such policies may consist, for example, at applying Access Control Lists (ACLs). A routing profile refers to a set of routing policies that will be invoked (e.g., BGP policies) when delivering the VPN service.

The 'vpn-service' is the data structure that abstracts a VPN service in the service provider network. Each 'vpn-service' is uniquely identified by an identifier: 'vpn-id'. Such 'vpn-id' is only meaningful locally within the network controller. The subtree of the 'vpn-services' is shown in .

The description of the VPN service data nodes that are depicted in are as follows: Is an identifier that is used to uniquely identify the L2VPN service within L2NM scope. Associates a name with the service in order to facilitate the identification of the service. Includes a textual description of the service. The internal structure of a VPN description is local to each VPN service provider. Indicates the name of the customer who ordered the service. Refers to an identifier of the parent service (e.g, L2SM, IETF network slice, VPN+) that triggered the creation of the VPN service. This identifier is used to easily correlate the (network) service as built in the network with a service order. A controller can use that correlation to enrich or populate some fields (e.g., description fields) as a function of local deployments. Indicates the VPN type. Typically, the following types can be used for the L2NM : Virtual Private LAN Service (VPLS) as defined in or . Point-to-point Virtual Private Wire Service (VPWS) as defined in . Provider Backbone Bridging (PBB) EVPNs as defined in . MPLS-based EVPNs . VXLAN based EVPNs . Indicates the network topology for the service: hub-spoke, any-to-any, or custom. Defines reusable parameters for the same 'vpn-service'. More details are provided in . Describes the preference for the transport technology to carry the traffic of the VPN service. This preference is especially useful in networks with multiple domains and Network-to-Network Interface (NNI) types. The underlay transport can be expressed as an abstract transport instance (e.g., an identifier of a VPN+ instance, a virtual network identifier, or a network slice name) or as an ordered list of the actual protocols to be enabled in the network. A rich set of protocol identifiers that can be used to refer to an underlay transport are defined in . Is used to track the service status of a given VPN service. Both operational and administrative status are maintained together with a timestamp. For example, a service can be created, but not put into effect.Administrative and operational status can be used as a trigger to detect service anomalies. For example, a service that is declared at the service layer as being active but still inactive at the network layer is an indication that network provision actions are needed to align the observed service status with the expected service status. Is an abstraction that represents a set of policies applied to a network node and that belong to a single 'vpn-service'. A VPN service is typically built by adding instances of 'vpn-node' to the 'vpn-nodes' container. A 'vpn-node' contains 'vpn-network-accesses', which are the interfaces attached to the VPN by which the customer traffic is received. Therefore, the customer sites are connected to the 'vpn-network-accesses'.Note that, as this is a network data model, the information about customers sites is not required in the model. Such information is rather relevant in the L2SM. Whether that information is included in the L2NM, e.g., to populate the various 'description' data node is implementation specific. More details are provided in .

TBC

The 'vpn-node' is an abstraction that represents a set of policies/configurations applied to a network node and that belong to a single 'vpn-service'. A 'vpn-node' contains 'vpn-network-accesses', which are the interfaces involved in the creation of the VPN. The customer sites are connected to the 'vpn_network_accesses'.

In reference to the subtree shown in , the description of VPN node data nodes is as follows: Is an identifier that uniquely identifies a node that enables a VPN network access. Provides a textual description of the VPN node. Includes a unique identifier of the network element where the VPN node is deployed. Lists the set of active global VPN parameters profiles for this VPN node. Concretely, one or more global profiles that are defined at the VPN service level can be activated at the VPN node level; each of these profiles is uniquely identified by means of 'profile-id'. The structure of 'active-global-parameters-profiles' is the same as the one discussed in .Values defined in 'active-global-parameters-profiles' overrides the ones defined in the VPN service level. See . Tracks the status of a node involved in a VPN service. Both operational and administrative status are maintained. A mismatch between the administrative status vs. the operational status can be used as a trigger to detect anomalies. Represents the point to which sites are connected. Note that, unlike in L2SM, the L2NM does not need to model the customer site, only the points where the traffic from the site are received (i.e., the PE side of PE-CE connections). Hence, the VPN network access contains the connectivity information between the provider's network and the customer premises. The VPN profiles ('vpn-profiles') have a set of routing policies that can be applied during the service creation. See for more details.

This sub-tree defines the L2VPN service type, according to the several signalling options to exchange membership information between PEs of an L2VPN. The following signaling options are supported: Refers to the BGP control plane as described in and . Refers to the BGP control plane as described in and . Refers to LDP-signaled Pseudowires . Refers to L2TP-signaled Pseudowires . Service Type Signaling Options vpls t-ldp-pwe, l2tp-pwe vpws-evpn evpn-bgp pbb-evpn evpn-bgp mpls-evpn l2vpn-bgp, evpn-bgp vxlan-evpn evpn-bgp

A 'vpn-network-access' represents an entry point to a VPN service . In other words, this container encloses the parameters that describe the access information for the traffic that belongs to a particular L2VPN. As such, every 'vpn-network-access' MUST belong to one and only one 'vpn-node'. A 'vpn-network-access' includes information such as the connection on which the access is defined , the specific layer 2 service requirements, etc. The VPN network access is comprised of: Identifier of the VPN network access. Text describing the VPN network access. Administrative and operational status of the service. Carries information about the service OAM.

The connection container is used to configure the relevant properties of the interface that is attached to the VPN, for example the encapsulation type, the physical interface or creating a lag.

This container is used to indicate the details of the ethernet service such as bandwidth or qos.

file "ietf-l2vpn-ntw@2021-04-29.yang" module ietf-l2vpn-ntw { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-l2vpn-ntw"; prefix l2vpn-ntw; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } import ietf-vpn-common { prefix vpn-common; reference "RFC CCCC: A Layer 2/3 VPN Common YANG Model"; } organization "IETF OPSA (Operations and Management Area) Working Group"; contact "WG Web: WG List: Editor: Samier Barguil Editor: Oscar Gonzalez de Dios Editor: Mohamed Boucadair "; description "This YANG module defines a generic network model for Layer 2 VPN services. Copyright (c) 2021 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2021-04-29 { description "Initial version."; reference "RFC XXXX: A Layer 2 VPN Network YANG Model."; } /* Features */ feature multicast-like { description "Indicates the support of multicast-like capabilities in a L2VPN."; } feature target-sites { description "Indicates the support of 'target-sites' match flow parameter."; } feature l2cp-control { description "Indicates the support of L2CP control."; } feature output-bw { description "Indicates the support of Output Bandwidth in a VPN"; } feature uni-list { description "Indicates thesupport of UNI list in a VPN."; } feature oam-3ah { description "Indicates the support of OAM 802.3ah."; } feature micro-bfd { description "Indicates the support of Micro-BFD."; } feature signaling-options { description "Indicates the support of signalling option."; } feature always-on { description "Indicates the support for always-on access constraint."; } feature requested-type { description "Indicates the support for requested-type access constraint."; } feature vlan { description "Indicates the support of VLAN."; } feature sub-inf { description "Indicates the support of Sub Interface."; } feature atm { description "Indicates the support of ATM."; } feature vxlan { description "Indicates the support of VxLAN."; } feature lan-tag { description "Indicates the LAN Tag support in a VPN."; } /* Typedefs */ /* Identities */ identity evpn-redundancy-mode { description "Base identity for EVPN redundancy modes."; } identity single-active { base evpn-redundancy-mode; description "Indicates Single-Active redundancy mode for a given Ethernet Segment (ES)."; reference "RFC 7432: BGP MPLS-Based Ethernet VPN, Section 14.1.1"; } identity all-active { base evpn-redundancy-mode; description "Indicates All-Active redundancy mode for a given Ethernet Segment (ES)."; reference "RFC 7432: BGP MPLS-Based Ethernet VPN, Section 14.1.2"; } identity evpn-service-type { description "Base identity for EVPN service type."; } identity vlan-based-service-interface { base evpn-redundancy-mode; description "VLAN-Based Service Interface."; reference "RFC 7432: BGP MPLS-Based Ethernet VPN, Section 6.1"; } identity vlan-bundle-service-interface { base evpn-redundancy-mode; description "VLAN Bundle Service Interface."; reference "RFC 7432: BGP MPLS-Based Ethernet VPN, Section 6.2"; } identity vlan-aware-bundle-service-interface { base evpn-redundancy-mode; description "VLAN-Aware Bundle Service Interface."; reference "RFC 7432: BGP MPLS-Based Ethernet VPN, Section 6.3"; } identity mapping-type { base vpn-common:multicast-gp-address-mapping; description "Identity for mapping type."; } identity protection-mode { description "Identity of protection mode"; } identity oneplusone { base protection-mode; description "In this scheme, the primary circuit will be protected by a backup circuit, typically meeting certain diverse path/fiber/site/node criteria. Both primary and protection circuits are provisioned to be in the active forward ing state. The subscriber may choose to send the same service frames across both circuits simultaneously."; } identity one-to-one { base protection-mode; description "In this scheme, a backup circuit to the primary circuit is provisioned. Depending on the implementation agreement, the protection circuits may either always be in active forwarding state, or may only become active when a faulty state is detected on the primary circuit."; } identity bundling-type { description "The base identity for the bundling type. It supports multiple CE-VLANs associated with an L2VPN service or all CE-VLANs associated with an L2VPN service."; } identity multi-svc-bundling { base bundling-type; description "Identity for multi-service bundling, i.e., multiple CE-VLAN IDs can be associated with an L2VPN service at a site."; } identity one2one-bundling { base bundling-type; description "Identity for one-to-one service bundling, i.e., each L2VPN can be associated with only one CE-VLAN ID at a site."; } identity all2one-bundling { base bundling-type; description "Identity for all-to-one bundling, i.e., all CE-VLAN IDs are mapped to one L2VPN service."; } identity color-id { description "Base identity of the color ID."; } identity color-id-cvlan { base color-id; description "Identity of the color ID based on a CVLAN."; } identity color-type { description "Identity of color types."; } identity green { base color-type; description "Identity of the 'green' color type."; } identity yellow { base color-type; description "Identity of the 'yellow' color type."; } identity red { base color-type; description "Identity of the 'red' color type."; } identity perf-tier-opt { description "Identity of performance tier option."; } identity metro { base perf-tier-opt; description "Identity of metro"; } identity regional { base perf-tier-opt; description "Identity of regional"; } identity continental { base perf-tier-opt; description "Identity of continental"; } identity global { base perf-tier-opt; description "Identity of global"; } identity policing { description "Identity of policing type"; } identity one-rate-two-color { base policing; description "Identity of one-rate, two-color (1R2C)"; } identity two-rate-three-color { base policing; description "Identity of two-rate, three-color (2R3C)"; } identity loop-prevention-type { description "Identity of loop prevention."; } identity shut { base loop-prevention-type; description "Identity of shut protection."; } identity trap { base loop-prevention-type; description "Identity of trap protection."; } identity t-ldp-pwe-type { description "Identity for t-ldp-pwe-type."; } identity vpws-type { base t-ldp-pwe-type; description "Identity for VPWS"; } identity vpls-type { base t-ldp-pwe-type; description "Identity for vpls"; } identity hvpls { base t-ldp-pwe-type; description "Identity for h-vpls"; } identity l2vpn-type { description "Layer 2 VPN types"; } identity l2vpn-vpws { base l2vpn-type; description "VPWS L2VPN type."; } identity l2vpn-vpls { base l2vpn-type; description "VPLS L2VPN type."; } identity distribute-vpls { base l2vpn-type; description "distribute VPLS L2VPN type."; } identity evpn-type { description "Ethernet VPN types"; } identity evpn-vpws { base evpn-type; description "VPWS support in EVPN."; } identity evpn-pbb { base evpn-type; description " Provider Backbone Bridging Support in EVPN."; } identity pm-type { description "Performance-monitoring type."; } identity loss { base pm-type; description "Loss measurement."; } identity delay { base pm-type; description "Delay measurement."; } identity mac-learning-mode { description "MAC learning mode."; } identity data-plane { base mac-learning-mode; description "User MAC addresses are learned through ARP broadcast."; } identity control-plane { base mac-learning-mode; description "User MAC addresses are advertised through EVPN-BGP."; } identity mac-action { description "Base identity for a MAC action."; } identity drop { base mac-action; description "Identity for dropping a packet."; } identity flood { base mac-action; description "Identity for packet flooding."; } identity warning { base mac-action; description "Identity for sending a warning log message."; } identity load-balance-method { description "Base identity for load balance method."; } identity fat-pw { base load-balance-method; description "Identity for Fat PW. Fat label is applied to Pseudowires across MPLS network."; } identity entropy-label { base load-balance-method; description "Identity for entropy label.Entropy label is applied to IP forwarding, L2VPN or L3VPN across MPLS network"; } identity vxlan-source-port { base load-balance-method; description "Identity for vxlan source port.VxLAN Source Port is one load balancing method."; } identity precedence-type { description "Redundancy type. The service can be created with active and bakcup signalization."; } identity primary { base precedence-type; description "Identifies the Main L2VPN."; } identity backup { base precedence-type; description "Identifies the Backup L2VPN."; } /* Groupings */ grouping cfm-802-grouping { description "Grouping for 802.1ag CFM attribute"; leaf maid { type string; description "MA ID"; } leaf mep-id { type uint32; description "Local MEP ID"; } leaf mep-level { type uint32; description "MEP level"; } leaf mep-up-down { type enumeration { enum up { description "MEP up"; } enum down { description "MEP down"; } } description "MEP up/down"; } leaf remote-mep-id { type uint32; description "Remote MEP ID"; } leaf cos-for-cfm-pdus { type uint32; description "COS for CFM PDUs"; } leaf ccm-interval { type uint32; description "CCM interval"; } leaf ccm-holdtime { type uint32; description "CCM hold time"; } leaf ccm-p-bits-pri { type vpn-common:ccm-priority-type; description "The priority parameter for CCMs transmitted by the MEP"; } } grouping y-1731 { description "Grouping for y.1731"; list y-1731 { key "maid"; description "List for y-1731."; leaf maid { type string; description "MA ID "; } leaf mep-id { type uint32; description "Local MEP ID"; } leaf type { type identityref { base pm-type; } description "Performance monitor types"; } leaf remote-mep-id { type uint32; description "Remote MEP ID"; } leaf message-period { type uint32; description "Defines the interval between OAM messages. The message period is expressed in milliseconds"; } leaf measurement-interval { type uint32; description "Specifies the measurement interval for statistics. The measurement interval is expressed in seconds"; } leaf cos { type uint32; description "Class of service"; } leaf loss-measurement { type boolean; description "Whether enable loss measurement"; } leaf synthethic-loss-measurement { type boolean; description "Indicate whether enable synthetic loss measurement"; } container delay-measurement { description "Container for delay measurement"; leaf enable-dm { type boolean; description "Whether to enable delay measurement"; } leaf two-way { type boolean; description "Whether delay measurement is two-way (true) of one- way (false)"; } } leaf frame-size { type uint32; description "Frame size"; } leaf session-type { type enumeration { enum proactive { description "Proactive mode"; } enum on-demand { description "On demand mode"; } } description "Session type"; } } } /// grouping global-parameters-profile { description "Container for per-service paramters."; leaf svc-mtu { type uint32; description "SVC MTU, it is also known as the maximum transmission unit or maximum frame size,When a frame is larger than the MTU, it is broken down, or fragmented, into smaller pieces by the network protocol to accommodate the MTU of the network"; } leaf ce-vlan-preservation { type boolean; description "Preserve the CE-VLAN ID from ingress to egress,i.e., CE-VLAN tag of the egress frame are identical to those of the ingress frame that yielded this egress service frame. If All-to-One bundling within a site is Enabled, then preservation applies to all Ingress service frames. If All-to-One bundling is Disabled, then preservation applies to tagged Ingress service frames having CE-VLAN ID 1 through 4094."; } leaf ce-vlan-cos-perservation { type boolean; description "CE vlan CoS preservation. PCP bits in the CE-VLAN tag of the egress frame are identical to those of the ingress frame that yielded this egress service frame."; } leaf control-word-negotiation { type boolean; description "Controls whether Control-word negotiation is enabled (if set to true) or not (if set to false)."; reference "Section 7 of RFC8077"; } container mac-policies { description "Container of MAC policies."; container mac-addr-limit { description "Container of MAC-Addr limit configuration."; leaf mac-num-limit { type uint16; description "Maximum number of MAC addresses learned from the customer for a single service instance."; } leaf time-interval { type uint32; units "milliseconds"; description "The aging time of the mac address."; } leaf action { type identityref { base mac-action; } description "Specifies the action when the upper limit is exceeded: drop the packet, flood the packet, or simply send a warning log message."; } } container mac-loop-prevention { description "Container of MAC loop prevention."; leaf frequency { type uint32; description "Frequency"; } leaf protection-type { type identityref { base loop-prevention-type; } description "Protection type"; } leaf number-retries { type uint32; description "Number of retries"; } } } container multicast-like { if-feature "vpn-common:multicast"; description "Multicast like container"; leaf enabled { type boolean; default "false"; description "Enables multicast."; } container customer-tree-flavors { description "Type of trees used by customer."; leaf-list tree-flavor { type identityref { base vpn-common:multicast-tree-type; } description "Type of tree to be used."; } } } } /* Main L2NM Container */ container l2vpn-ntw { description "Container for L2NM."; container vpn-profiles { description "Container for VPN profiles."; uses vpn-common:vpn-profile-cfg; } container vpn-services { description "Container for L2VPN service"; list vpn-service { key "vpn-id"; description "Container of port configurations"; uses vpn-common:vpn-description; leaf parent-service-id { type vpn-common:vpn-id; description "Pointer to the parent service that triggered the L2NM."; } leaf vpn-svc-type { type identityref { base vpn-common:service-type; } description "Service type"; } leaf svc-topo { type identityref { base vpn-common:vpn-topology; } description "Defining service topology, such as any-to-any, hub-spoke, etc."; } container global-parameters-profiles { description "Container for a list of VPN instance profiles."; list global-parameters-profile { key "profile-id"; description "List of XXX."; leaf profile-id { type string; description "profile identifier."; } uses global-parameters-profile; } } container underlay-transport { description "Container for underlay transport."; uses vpn-common:underlay-transport; } uses vpn-common:service-status; container vpn-nodes { description "Set fo VPN nodes that are involved in the L2NM."; list vpn-node { key "vpn-node-id"; description "Container of VPN Nodes."; leaf vpn-node-id { type vpn-common:vpn-id; description "VPN Node indentifier"; } leaf description { type string; description "Textual description of a VPN node."; } leaf ne-id { type string; description "NE IP address"; } leaf role { type identityref { base vpn-common:role; } default "vpn-common:any-to-any-role"; description "Role of the VPN node in the VPN."; } container active-global-parameters-profiles { description "Container for a list of VPN instance profiles."; list global-parameters-profile { key "profile-id"; description "List of XXX."; leaf profile-id { type leafref { path "/l2vpn-ntw/vpn-services/vpn-service" + "/global-parameters-profiles" + "/global-parameters-profile/profile-id"; } description "XXXX."; } uses global-parameters-profile; } } uses vpn-common:service-status; list signaling-options { key "type"; description "List of VPN signaling options."; leaf type { type identityref { base vpn-common:vpn-signaling-type; } description "VPN signaling types."; } choice signaling-option { description "Choice for the signaling-option."; case bgp { when "./type = 'vpn-common:bgp-signaling'" { description "Only applies when VPN signaling type is BGP."; } description "xxx."; uses vpn-common:route-distinguisher; uses vpn-common:vpn-route-targets; choice l2vpn-bgp { description "Container for MP BGP L2VPN."; leaf pwe-encapsulation-type { type identityref { base vpn-common:encapsulation-type; } description "PWE encapsulation type."; } container pwe-mtu { description "Container of PWE MTU configurations."; leaf allow-mtu-mismatch { type boolean; description "When set to true, it allows MTU mismatch."; } } } choice evpn-bgp { description "Container for MP BGP L2VPN."; leaf evpn-type { type identityref { base evpn-type; } description "EVPN type."; } leaf service-interface-type { type identityref { base evpn-service-type; } description "EVPN service interface type."; } container common { description "MAC address managment attributes in the EVPN configuration"; leaf mac-learning-mode { type identityref { base mac-learning-mode; } description "Indicates through which plane MAC addresses are advertised."; } leaf ingress-replication { type boolean; description "ingress-replication"; } leaf p2mp-replication { type boolean; description "p2mp-replication"; } leaf arp-proxy { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) ARP proxy"; } leaf arp-suppression { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) ARP suppression"; } leaf nd-proxy { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) ND proxy"; } leaf nd-suppression { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) ND suppression"; } leaf underlay-multicast { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) underlay multicast"; } leaf flood-unknown-unicast-supression { type boolean; default "false"; description "Enable (TRUE) or disable (FALSE) flood unknown unicast suppression"; } leaf vpws-vlan-aware { type boolean; default "false"; description "Enable (True) or disable (False) VPWS VLAN aware"; } container bum-management { description "broadcast-unknown-unicast-multicast management"; leaf discard-broadcast { type boolean; description "Broadcast management."; } leaf discard-unknown-multicast { type boolean; description "Broadcast management."; } leaf discard-unknown-unicast { type boolean; description "Unicast management."; } } container pbb { description "PBB parameters container"; reference "IEEE 802.1ah Provider Backbone Bridge"; leaf backbone-src-mac { type yang:mac-address; description "backbone-src-mac"; } } } } } case ldp { when "./type = 'ldp-signaling'" { description "Only applies when vpn signaling type is Target LDP."; } description "Container of T-LDP PWE configurations"; leaf t-ldp-pwe-type { type identityref { base t-ldp-pwe-type; } description "T-LDP PWE type"; } leaf encapsulation-type { type identityref { base vpn-common:encapsulation-type; } description "PWE encapsulation type."; } leaf mtu-pwe { type uint16; description "Allow MTU mismatch: TO BE CHECKED"; } list ac-pw-list { key "peer-addr vc-id"; description "List of AC and PW bindings."; leaf peer-addr { type inet:ip-address; description "Indicates the peer's IP address."; } leaf vc-id { type vpn-common:vpn-id; description "VC lable used to identify PW."; } leaf pw-type { type identityref { base vpn-common:vpn-topology; } description "PW topology type."; } leaf pw-priority { type uint32; description "Defines the priority for the PW. The higher the pw-priority value, the higher the preference of the PW will be."; } } container qinq { when "../type = 'vpn-common:h-vpls'" { description "Only applies when t-ldp pwe type is h-vpls."; } description "Container for QinQ"; leaf s-tag { type uint32; description "S-TAG"; } leaf c-tag { type uint32; description "C-TAG"; } } } case l2tp-pwe { when "./type = 'l2tp-signaling'" { description "Applies when VPN signaling type is L2TP protocol."; } description "Container for l2tp pw"; leaf TBD-type { type identityref { base t-ldp-pwe-type; } description "T-LDP PWE type."; } leaf XXXencapsulation-type { type identityref { base vpn-common:encapsulation-type; } description "Encapsulation type."; } list XXXXac-pw-list { key "peer-addr vc-id"; description "List of AC and PW bindings."; leaf peer-addr { type inet:ip-address; description "Indicates the peer's IP address."; } leaf vc-id { type string; description "VC lable used to identify PW."; } leaf pw-priority { type uint32; description "PW priority."; } } } } } container vpn-network-accesses { description "List of VPN Nodes."; list vpn-network-access { key "id"; description "List of VPN Network Accesses."; leaf id { type vpn-common:vpn-id; description "Identifier of network access"; } leaf description { type string; description "String to describe the element."; } leaf port-id { type vpn-common:vpn-id; description "NE Port-id"; } leaf global-parameters-profile { type leafref { path "/l2vpn-ntw/vpn-services/vpn-service/vpn-nodes" + "/vpn-node/active-global-parameters-profiles" + "/global-parameters-profile/profile-id"; } description "An identifier of an active VPN instance profile."; } uses vpn-common:service-status; container connection { description "Container for bearer"; leaf encapsulation-type { type identityref { base vpn-common:encapsulation-type; } description "Encapsulation Type"; } leaf-list eth-inf-type { type identityref { base vpn-common:encapsulation-type; } description "Ethernet interface type."; } container encapsulation { description "Container for dot1Q Interface"; leaf l2-access-type { type identityref { base vpn-common:encapsulation-type; } description "L2 Access encapsulation type."; } container dot1q { when "../l2-access-type='vpn-common:dot1q'"; if-feature "vpn-common:dot1q"; description "Qot1q"; leaf physical-inf { type string; description "Physical Interface"; } leaf c-vlan-id { type uint32; description "VLAN identifier"; } } container qinq { when "../l2-access-type='vpn-common:qinq'"; if-feature "vpn-common:qinq"; description "QinQ"; leaf s-vlan-id { type uint32; description "S-VLAN Identifier"; } leaf c-vlan-id { type uint32; description "C-VLAN Identifier"; } } container qinany { if-feature "vpn-common:qinany"; description "Container for Q in Any"; leaf s-vlan-id { type uint32; description "S-Vlan ID"; } } container vxlan { when "../l2-access-type='vpn-common:vxlan'"; if-feature "vxlan"; description "QinQ"; leaf vni-id { type uint32; description "VNI Identifier"; } leaf peer-mode { type identityref { base vpn-common:vxlan-peer-mode; } description "specify the vxlan access mode"; } leaf-list peer-list { type inet:ip-address; description "Peer IP address."; } } } container phy-interface { description "Container of PHY Interface Attributes configurations"; leaf port-number { type uint32; description "Port number"; } leaf port-speed { type uint32; description "Port speed"; } leaf mode { type identityref { base vpn-common:neg-mode; } description "Negotiation mode"; } leaf phy-mtu { type uint32; description "PHY MTU"; } leaf flow-control { type string; description "Flow control"; } container oam-802.3ah-link { if-feature "oam-3ah"; description "Container for oam 802.3 ah link."; leaf enable { type boolean; description "Indicate whether support oam 802.3 ah link"; } } leaf uni-loop-prevention { type boolean; description "If this leaf set to truth that the port automatically goes down when a physical loopback is detect."; } } container lag-interface { if-feature "vpn-common:lag-interface"; description "Container of LAG interface attributes configuration"; list lag-interface { key "lag-interface-number"; description "List of LAG interfaces"; leaf lag-interface-number { type uint32; description "LAG interface number"; } container lacp { description "LACP"; leaf lacp-state { type boolean; description "LACP on/off"; } leaf lacp-mode { type boolean; description "LACP mode"; } leaf lacp-speed { type boolean; description "LACP speed"; } leaf mini-link { type uint32; description "The minimum aggregate bandwidth for a LAG"; } leaf system-id { type yang:mac-address; description "Indicates the System ID used by LACP."; } leaf admin-key { type uint16; description "Indicates the value of the key used for the aggregate interface."; } leaf system-priority { type uint16 { range "0..65535"; } default "32768"; description "Indicates the LACP priority for the system."; } container member-link-list { description "Container of Member link list"; list member-link { key "name"; description "Member link"; leaf name { type string; description "Member link name"; } leaf port-speed { type uint32; description "Port speed"; } leaf mode { type identityref { base vpn-common:neg-mode; } description "Negotiation mode"; } leaf link-mtu { type uint32; description "Link MTU size."; } container oam-802.3ah-link { if-feature "oam-3ah"; description "Container for oam 802.3 ah link."; leaf enable { type boolean; description "Indicate whether support oam 802.3 ah link"; } } } } leaf flow-control { type string; description "Flow control"; } leaf lldp { type boolean; description "LLDP"; } } } } list cvlan-id-to-svc-map { key "svc-id"; description "List for cvlan-id to L2VPn Service map configurations"; leaf svc-id { type leafref { path "/l2vpn-ntw/vpn-services/vpn-service/vpn-id"; } description "VPN Service identifier"; } list cvlan-id { key "vid"; description "List of CVLAN-ID to SVC Map configurations"; leaf vid { type uint32; description "CVLAN ID"; } } } container split-horizon { description "Configuration with split horizon enabled"; leaf group-name { type string; description "group-name of the Split Horizon"; } } } container TO-SIMPLFY-diversity-redundancy-TO-SIMPLFY { description "placeholder. TO BE FURTHER WORKED OUT."; container access-diversity { if-feature "vpn-common:placement-diversity"; description "Diversity parameters."; container groups { description "Groups the fate sharing group member is belonging to"; list group { key "group-id"; description "List of group-ids."; leaf group-id { type string; description "Indicates the Group-id to which the network access belongs to."; } leaf fate-sharing-group-size { type uint16; description "Fate sharing group size."; } leaf group-color { type string; description "Group color associated with a particular VPN."; } leaf ethernet-segment-identifier { type yang:hex-string { length "29"; } description "10-octet Ethernet Segment Identifier (ESI)."; } leaf esi-redundancy-mode { type identityref { base evpn-redundancy-mode; } description "Indicates the EVPN redundancy mode for a multihomed CE."; } } } } container constraints { description "Constraints for placing this site network access."; list constraint { key "constraint-type"; description "List of constraints."; leaf constraint-type { type identityref { base vpn-common:placement-diversity; } description "Diversity constraint type."; } container target { description "The constraint will apply against this list of groups."; choice target-flavor { description "Choice for the group definition."; case id { list group { key "group-id"; description "List of groups"; leaf group-id { type string; description "The constraint will apply against this particular group-id."; } } } case all-accesses { leaf all-other-accesses { type empty; description "The constraint will apply against all other site network access of this site."; } } case all-groups { leaf all-other-groups { type empty; description "The constraint will apply against all other groups the customer is managing."; } } } } } } container availability { description "Container of availability optional configurations"; leaf access-priority { type uint32; description "Access priority"; } choice redundancy-mode { description "Redundancy mode choice"; case single-active { description "Single active case"; leaf single-active { type boolean; description "Single active"; } } case all-active { description "All active case"; leaf all-active { type boolean; description "All active"; } } } } container precedence { description "Transport netowrk precedence selector Primary or Secondary tunnel."; leaf precedence { type identityref { base precedence-type; } description "Defining service redundancy in transport network."; } } } container ethernet-service-oam { description "Container for Ethernet service OAM."; leaf md-name { type string; description "Maintenance domain name"; } leaf md-level { type uint8; description "Maintenance domain level"; } container cfm-802.1-ag { description "Container of 802.1ag CFM configurations."; list n2-uni-c { key "maid"; description "List of UNI-N to UNI-C"; uses cfm-802-grouping; } list n2-uni-n { key "maid"; description "List of UNI-N to UNI-N"; uses cfm-802-grouping; } } uses y-1731; } container service { description "Container for service"; leaf mtu { type uint32; description "MTU, it is also known as the maximum transmission unit or maximum frame size. When a frame is larger than the MTU, it is broken down, or fragmented, into smaller pieces by the network protocol to accommodate the MTU of the network"; } container svc-input-bandwidth { if-feature "vpn-common:input-bw"; description "From the PE perspective, the service input bandwidth of the connection."; list input-bandwidth { key "type"; description "List for input bandwidth"; leaf type { type identityref { base vpn-common:bw-type; } description "Bandwidth Type"; } leaf cos-id { type uint8; description "Identifier of Class of Service , indicated by DSCP or a CE-CLAN CoS(802.1p)value in the service frame."; } leaf cir { type uint64; description "Committed Information Rate. The maximum number of bits that a port can receive or send during one-second over an interface."; } leaf cbs { type uint64; description "Committed Burst Size.CBS controls the bursty nature of the traffic. Traffic that does not use the configured CIR accumulates credits until the credits reach the configured CBS."; } leaf eir { type uint64; description "Excess Information Rate,i.e.,Excess frame delivery allowed not subject to SLA.The traffic rate can be limited by eir."; } leaf ebs { type uint64; description "Excess Burst Size. The bandwidth available for burst traffic from the EBS is subject to the amount of bandwidth that is accumulated during periods when traffic allocated by the EIR policy is not used."; } leaf pir { type uint64; description "Peak Information Rate, i.e., maixmum frame delivery allowed. It is equal to or less than sum of cir and eir."; } leaf pbs { type uint64; description "Peak Burst Size. It is measured in bytes per second."; } } } container svc-output-bandwidth { if-feature "output-bw"; description "From the PE perspective, the service output bandwidth of the connection."; list output-bandwidth { key "type"; description "List for output bandwidth"; leaf type { type identityref { base vpn-common:bw-type; } description "Bandwidth Type"; } leaf cos-id { type uint8; description "Identifier of Class of Service , indicated by DSCP or a CE-CLAN CoS(802.1p)value in the service frame."; } leaf cir { type uint64; description "Committed Information Rate. The maximum number of bits that a port can receive or send during one-second over an interface."; } leaf cbs { type uint64; description "Committed Burst Size.CBS controls the bursty nature of the traffic. Traffic that does not use the configured CIR accumulates credits until the credits reach the configured CBS."; } leaf eir { type uint64; description "Excess Information Rate,i.e.,Excess frame delivery allowed not subject to SLA.The traffic rate can be limited by eir."; } leaf ebs { type uint64; description "Excess Burst Size. The bandwidth available for burst traffic from the EBS is subject to the amount of bandwidth that is accumulated during periods when traffic allocated by the EIR policy is not used."; } leaf pir { type uint64; description "Peak Information Rate, i.e., maixmum frame delivery allowed. It is equal to or less than sum of cir and eir."; } leaf pbs { type uint64; description "Peak Burst Size. It is measured in bytes per second."; } } } container qos { if-feature "vpn-common:qos"; description "QoS configuration."; container qos-classification-policy { description "Configuration of the traffic classification policy."; list rule { key "id"; ordered-by user; description "List of classification rules."; leaf id { type string; description "A description identifying the QoS classification policy rule."; } choice match-type { default "match-flow"; description "Choice for classification."; case match-flow { container match-flow { description "Describes flow-matching criteria."; leaf dscp { type inet:dscp; description "DSCP value."; } leaf dot1q { type uint16; description "802.1Q matching. It is a VLAN tag added into a frame."; } leaf pcp { type uint8 { range "0..7"; } description "PCP value."; } leaf src-mac { type yang:mac-address; description "Source MAC address."; } leaf dst-mac { type yang:mac-address; description "Destination MAC address."; } leaf color-type { type identityref { base color-type; } description "Color types."; } leaf any { type empty; description "Allow all."; } } } case match-application { leaf match-application { type identityref { base vpn-common:customer-application; } description "Defines the application to match."; } } } leaf target-class-id { type string; description "Identification of the CoS. This identifier is internal to the administration."; } } } container qos-profile { description "QoS profile configuration."; list qos-profile { key "profile"; description "QoS profile. Can be standard profile or customized profile."; leaf profile { type leafref { path "/l2vpn-ntw/vpn-profiles" + "/valid-provider-identifiers" + "/qos-profile-identifier/id"; } description "QoS profile to be used."; } leaf direction { type identityref { base vpn-common:qos-profile-direction; } default "vpn-common:both"; description "The direction to which the QoS profile is applied."; } } } } container mac-policies { description "Container for MAC-related policies."; container access-control-list { description "Container for access control List."; list mac { key "mac-address"; description "List for MAC addresses."; leaf mac-address { type yang:mac-address; description "Specifies a MAC address."; } } } container mac-loop-prevention { description "Container of MAC loop prevention."; leaf frequency { type uint32; description "Frequency"; } leaf protection-type { type identityref { base loop-prevention-type; } description "Protection type"; } leaf number-retries { type uint32; description "Number of retries"; } } container mac-addr-limit { description "Container of MAC-Addr limit configurations"; leaf mac-num-limit { type uint16; description "maximum number of MAC addresses learned from the subscriber for a single service instance."; } leaf time-interval { type uint32; units "milliseconds"; description "The aging time of the mac address."; } leaf action { type identityref { base mac-action; } description "specify the action when the upper limit is exceeded: drop the packet, flood the packet, or simply send a warning log message."; } } } container broadcast-unknown-unicast-multicast { description "Container of broadcast, unknown unicast, and multicast configurations"; leaf multicast-site-type { type enumeration { enum receiver-only { description "The site only has receivers."; } enum source-only { description "The site only has sources."; } enum source-receiver { description "The site has both sources and receivers."; } } default "source-receiver"; description "Type of multicast site."; } list multicast-gp-address-mapping { key "id"; description "List of Port to group mappings."; leaf id { type uint16; description "Unique identifier for the mapping."; } leaf vlan-id { type uint32; description "The VLAN ID of the Multicast group."; } leaf mac-gp-address { type yang:mac-address; description "The MAC address of the Multicast group."; } leaf port-lag-number { type uint32; description "The ports/LAGs belonging to the Multicast group."; } } leaf bum-overall-rate { type uint32; description "overall rate for BUM"; } } } } } } } } } } } ]]>



    
      The YANG module specified in this document defines schema for data
      that is designed to be accessed via network management protocols such as
      NETCONF  or RESTCONF  . The lowest NETCONF layer is the secure
      transport layer, and the mandatory-to-implement secure transport is
      Secure Shell (SSH) . The lowest RESTCONF
      layer is HTTPS, and the mandatory-to-implement secure transport is TLS
      .

      The Network Configuration Access Control Model (NACM)  provides the means to restrict access for
      particular NETCONF or RESTCONF users to a preconfigured subset of all
      available NETCONF or RESTCONF protocol operations and content.

      There are a number of data nodes defined in this YANG module that are
      writable/creatable/deletable (i.e., config true, which is the default).
      These data nodes may be considered sensitive or vulnerable in some
      network environments. Write operations (e.g., edit-config) and delete
      operations to these data nodes without proper protection or
      authentication can have a negative effect on network operations. These
      are the subtrees and data nodes and their sensitivity/vulnerability in
      the "ietf-l2vpn-ntw" module: 
          'vpn-service': An attacker who is able to access network nodes
          can undertake various attacks, such as deleting a running L2VPN
          service, interrupting all the traffic of a client. In addition, an
          attacker may modify the attributes of a running service (e.g., QoS,
          bandwidth), leading to malfunctioning of the service and therefore
          to SLA violations. In addition, an attacker could attempt to create
          an L2VPN service or adding a new network access. Such activity can
          be detected by adequately monitoring and tracking network
          configuration changes.
        

      Some of the readable data nodes in this YANG module may be considered
      sensitive or vulnerable in some network environments. It is thus
      important to control read access (e.g., via get, get-config, or
      notification) to these data nodes. These are the subtrees and data nodes
      and their sensitivity/vulnerability:

      
          'customer-name' and 'ip-connection': An attacker can retrieve
          privacy-related information which can be used to track a customer.
          Disclosing such information may be considered as a violation of the
          customer-provider trust relationship.
        

      The following summarizes the foreseen risks of using the
      "ietf-l2vpn-ntw" module can be classified into: 
          Malicious clients attempting to delete or modify VPN
          services.

          Unauthorized clients attempting to create/modify/delete a VPN
          service.

          Unauthorized clients attempting to read VPN service related
          information.
        
    

    
      This document requests IANA to register the following URI in the "ns"
      subregistry within the "IETF XML Registry" :

      
        
      

      This document requests IANA to register the following YANG module in
      the "YANG Module Names" subregistry 
      within the "YANG Parameters" registry:



  

  
    

    

    
      

      &RFC2119;

      &RFC3688;

      &RFC6242;

      &RFC8341;

      &RFC6020;

      &RFC6241;

      &RFC7950;

      &RFC8040;

      &RFC8466;

      &RFC8174;

      &RFC8214;

      &RFC7432;

      

      

      

      

      

      

      

      

      

      
    

    
      

      &RFC8309;

      &RFC8340;

      &RFC8453;

      

      

      

      

      

      

      
    

    
      To be completed
    

    
      During the discussions of this work, helpful comments, suggestions,
      and reviews were received from: Sergio Belotti, Italo Busi, Miguel Cros
      Cecilia, Joe Clarke, Dhruv Dhody, Adrian Farrel, Roque Gagliano,
      Christian Jacquenet, Kireeti Kompella, Julian Lucek, Erez Segev and Tom
      Petch. Many thanks to them.Luay Jalil, Jichun
      Ma, Daniel King, and Zhang Guiyu contributed to an early version of this
      document.Thanks to Yingzhen Qu for the rtgdir
      review.
    

    
      Victor Lopez Telefonica Email: victor.lopezalvarez@telefonica.com

      Qin Wu Huawei
      Email: bill.wu@huawei.comRaul Arco Nokia Email:
      raul.arco@nokia.com