<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<rfc category="std"
     docName="draft-wu-opsawg-network-overlay-resource-model-00"
     ipr="trust200902">
  <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>

  <?rfc toc="yes" ?>

  <?rfc symrefs="yes" ?>

  <?rfc sortrefs="yes"?>

  <?rfc iprnotified="no" ?>

  <?rfc strict="yes" ?>

  <front>
    <title abbrev="Network Overlay Resource Model">A YANG Data Module for
    Network Virtualization Overlay Resource Management</title>

    <author fullname="Qin Wu" initials="Q." surname="Wu">
      <organization>Huawei</organization>

      <address>
        <postal>
          <street>101 Software Avenue, Yuhua District</street>

          <city>Nanjing</city>

          <region>Jiangsu</region>

          <code>210012</code>

          <country>China</country>
        </postal>

        <email>bill.wu@huawei.com</email>
      </address>
    </author>

    <author fullname="Michael Wang" initials="M." surname="Wang">
      <organization abbrev="Huawei">Huawei Technologies,Co.,Ltd</organization>

      <address>
        <postal>
          <street>101 Software Avenue, Yuhua District</street>

          <street></street>

          <city>Nanjing</city>

          <region></region>

          <code>210012</code>

          <country>China</country>
        </postal>

        <email>wangzitao@huawei.com</email>
      </address>
    </author>

    <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <code>35000</code>

          <country>France</country>
        </postal>

        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>

    <date year="2018" />

    <area>OPS Area</area>

    <workgroup>OPSAWG Working Group</workgroup>

    <keyword>RFC</keyword>

    <keyword>Request for Comments</keyword>

    <keyword>I-D</keyword>

    <keyword>Internet-Draft</keyword>

    <keyword>Routing Policy</keyword>

    <abstract>
      <t>This document defines a YANG data module for Network Virtualization
      Overlay Resource Management. It is a resource-facing model that is
      independent of control plane protocols and captures topological and
      resource-related information pertaining to a Network Virtualization
      Overlay.</t>

      <t>This module enables clients that interact with a network
      orchestrator or controller via a REST interface to perform Network
      Virtualization Overlay topology operations, such as obtaining and
      allocating the relevant topology resource information.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" title="Introduction">
      <t>[RFC8299] defines a customer service model for the L3VPN service that
      can be used to describe a service as offered or delivered to a customer
      by a network operator. As described in [RFC8309], a customer service
      model is not a resource-facing model and does not describe how a network
      operator realizes and delivers the service described by the module,
      since it is not used to directly configure network devices, protocols,
      or functions, and is not sent to network devices (i.e., routers or
      switches) for processing.</t>

      <t>This document defines a YANG module for Network Virtualization
      Overlay Management. It is a resource-facing model that is independent of
      control plane protocols and captures topological and resource-related
      information pertaining to a Network Virtualization Overlay.</t>

      <t>This module enables clients to interact with a network orchestrator
      or controller via a RESTful interface in order to provide connectivity
      services over a Network Virtualization Overlay topology. In particular,
      this module supports operations such as exposing an abstract service
      topology and retrieving and allocating the relevant topology resource
      information.</t>

      <t>As a reminder, and as defined in <xref target="RFC7297"></xref>, the
      IP connectivity service is the IP transfer capability characterized by a
      (Source Nets, Destination Nets, Guarantees, Scope) tuple where "Source
      Nets" is a group of unicast IP addresses, "Destination Nets" is a group
      of IP unicast and/or multicast addresses, and "Guarantees" reflects the
      guarantees (expressed in terms of Quality Of Service (QoS), performance,
      and availability, for example) to properly forward traffic to the said
      "Destination". Finally, the "Scope" denotes the (network) perimeter
      (e.g., between Provider Edge (PE) routers or Customer Nodes) where the
      said guarantees need to be provided. These requirements include:
      reachability scope (e.g., limited scope, Internet-wide), direction
      (in/out), bandwidth requirements, QoS parameters (e.g., one-way delay
      <xref target="RFC7679"></xref>, loss <xref target="RFC7680"></xref>, or
      one-way delay variation (jitter) <xref target="RFC3393"></xref>),
      protection, and high-availability guidelines (e.g., restoration in less
      than 50 ms, 100 ms, or 1 second).</t>

      <t>The module includes flow identification and classification rules that
      are required for traffic conformance purposes.</t>

      <t>How the data captured using this YANG module is translated into
      network-specific clauses is out of scope.</t>
    </section>

    <section title="Conventions used in this document">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in [RFC2119]. In this
      document, these words will appear with that interpretation only when in
      ALL CAPS. Lower case uses of these words are not to be interpreted as
      carrying [RFC2119] significance.</t>

      <t>The following notations are used within the data tree and carry the
      meaning as below.</t>

      <t>Each node is printed as:<figure>
          <artwork><![CDATA[   <status> <flags> <name> <opts> <type>

   <status> is one of:
        +  for current

   <flags> is one of:

       rw for configuration data
       ro for non-configuration data
       -x for rpcs
       -n for notifications
       -w for writable

   <name> is the name of the node

   If the node is augmented into the tree from another module, its name
   is printed as <prefix>:<name>.

   <opts> is one of:

        ?  for an optional leaf or choice
        !  for a presence container
        *  for a leaf-list or list
        [<keys>] for a list's keys
        (choice)/:(case) Parentheses enclose choice and case nodes,
        and case nodes are also marked with a colon (":")
        <type> is the name of the type for leafs and leaf-lists
]]></artwork>
        </figure></t>
    </section>

    <section title="Overview of Network Virtualization Overlay Resource Management Model">
      <figure>
        <artwork><![CDATA[   ----------- l3vpn-svc
                 Model   |
 Customer      l2vpn-svc |
 Facing Model    Model   |
                  +----------------------+
   ---------------|   Service component  |
                  +-----------+----------+
                              |
                   VN Overlay |
                   Resource   |
 Resource          Model      |
 Facing Model                 |
                              |
                              |
                   +----------+-----------+
------------  +----|   Config component   |-------+
             /     +----------------------+        \   Network
            /             /            \            \  Configuration
           /             /              \             \ models
          /             /                \             \
  +------+   Bearer    +------+           +------+      +------+
  | CE A + ----------- + PE A |           | PE B + ---- + CE B |
  +------+  Connection +------+           +------+      +------+

             Site A                               Site B]]></artwork>
      </figure>

      <t>L3VPN and L2VPN service models provide an abstracted view of the
      Layer 3 and Layer 2 VPN service configuration components. Services are
      built from a combination of network elements and protocol
      configurations, but are specified for service users in more abstract
      terms. For example, these models specify where to create a site and
      establish the site-network-access of a particular site to the provider
      network (e.g., PE, aggregation switch), and what the service
      requirements of each site-network-access are.</t>

      <t>Site location can be determined based on the proposed location
      parameters and constraints in these service models. The service
      requirements of each site-network-access can be determined based on the
      traffic performance metrics (e.g., one-way delay, one-way delay
      variation, bandwidth) of each PE-CE link and of each service flow or
      application. The management system uses the service models as input to
      select appropriate PEs and CEs, allocate interfaces on the nodes, and
      generate the PE and CE configuration associated with each PE-CE
      link.</t>

      <t>Based on the selected PE and CE configuration on each
      site-network-access of a particular site, the management system can use
      the L3VPN and L2VPN service models as inputs and translate them into a
      resource-facing model, i.e., the network virtualization overlay resource
      model.</t>

      <t>This resource-facing model can be seen as the projection of the L3VPN
      and L2VPN service models. It is used to compute path elements and the
      network access connectivity list when two sites belonging to one VPN
      span several domains. It can also be combined with other performance
      measurement or warning models to expose the abstract service topology
      and resource distribution in network re-optimization cases.</t>

      <section title="VN Service Configuration">
        <t>The YANG module is divided into two main containers: "vn-services"
        and "sites".</t>

        <t>The "vn-service" list under the vn-services container defines
        global parameters for the VN service for a specific customer. The
        "vn-id" provided in the vn-service list refers to an internal
        reference for this VN service, while the customer name refers to a
        more explicit reference to the customer. The "vn-type" in the
        vn-service list refers to a set of basic VPN types. In addition, each
        "vn-service" also includes a list of "site-network-access"
        entries.</t>

        <t>The service requirements of each "site-network-access", or the
        site-to-site service requirements, are specified in detail in the
        service container under "sites/site" or
        "sites/site/site-network-access".</t>

        <section title="VN and Network Access Association Configuration">
          <t>Within a given VN service there can be one or more VN and Network
          Access Associations (VNAAs). VNAAs are represented as a list and
          indexed by the vn-id and vn-type.</t>

          <figure title="Snippet of data hierarchy related to VN and Network Access Associations (VNAA)">
            <artwork><![CDATA[      module: ietf-vn-rsc
     +--rw vn-rsc
      +--rw vn-services
      | +--rw vn-service* [vn-id]
      |   +--rw vn-id         svc-id
      |   +--rw vn-type       identityref
      .
      .
      |   +--rw site-network-accesses
      |   +--rw site-network-access* [site-network-access-id]
      |     +--rw site-network-access-id   svc-id]]></artwork>
          </figure>
        </section>

        <section title="Traffic Performance Requirements Configuration">
          <section title="Per-Site Network Access Requirements">
            <t>Per-Site network access traffic performance requirements are
            represented as a list within the data hierarchy and indexed by the
            key site-network-access-id. </t>

            <t>Traffic performance requirements include latency, jitter, and
            bandwidth utilization. Upload bandwidth and download bandwidth are
            performance parameters associated with each
            domain-network-access.</t>

            <t>Latency, jitter, and bandwidth utilization are performance
            requirements associated with each service flow or application.</t>

            <figure title="Snippet of data hierarchy related to Per Site network access QoS requirements">
              <artwork><![CDATA[      module: ietf-vn-rsc
         +--rw site-network-accesses
           +--rw site-network-access* [site-network-access-id]
            +--rw site-network-access-id   leafref
            +--rw device-id   leafref
            +--rw access-diversity {site-diversity}?
            | +--rw groups
            | | +--rw group* [group-id]
            | |   +--rw group-id  string
            | +--rw constraints
            |   +--rw constraint* [constraint-type]
            |    +--rw constraint-type  identityref
            |    +--rw target
            |      +--rw (target-flavor)?
            |       +--:(id)
            |       | +--rw group* [group-id]
            |       |    ...
            |       +--:(all-accesses)
            |       | +--rw all-other-accesses?  empty
            |       +--:(all-groups)
            |         +--rw all-other-groups?   empty
            +--rw service
            | +--rw svc-input-bandwidth?  uint32
            | +--rw svc-output-bandwidth?  uint32
            | +--rw svc-mtu?        uint16
            | +--rw qos {qos}?
            | | +--rw qos-classification-policy
            | | | +--rw rule* [id]
            | | |   +--rw id          uint16
            | | |   +--rw (match-type)?
            | | |   | +--:(match-flow)
            | | |   | | +--rw match-flow
            | | |   | |    ...
            | | |   | +--:(match-application)
            | | |   |   +--rw match-application?  identityref
            | | |   +--rw target-class-id?   string
            | | +--rw qos-profile
            | |   +--rw (qos-profile)?
            | |    +--:(standard)
            | |    | +--rw profile?  string
            | |    +--:(custom)
            | |      +--rw classes {qos-custom}?
            | |       +--rw class* [class-id]]]></artwork>
            </figure>
          </section>

          <section title="Site-to-Site Traffic Performance Requirements">
            <t>QoS guarantees denote a set of transfer performance metrics
            that characterize the quality of the transfer treatment to be
            experienced (when crossing a transport infrastructure) by a flow
            issued from or forwarded to a (set of) sites.</t>

            <t>When a VPN has multiple sites and any two of those sites span
            multiple domains, site-to-site network access QoS requirements can
            be used to describe the QoS requirements across sites.</t>

            <t>Site-to-site network access traffic performance requirements
            are represented as a list within the data hierarchy and indexed by
            the key 'site-id'. The source site is specified as 'site-id' under
            the site list; the 'target-site' is specified under the match-flow
            case.</t>

            <t>Traffic performance requirements include latency, jitter, and
            bandwidth utilization.</t>

            <t>Shaping/policing filters may be applied so as to assess whether
            traffic is within the capacity profile or out of profile.
            Out-of-profile traffic may be discarded or assigned another
            class.</t>

            <figure title="Snippet of data hierarchy related to Site to Site QoS requirements">
              <artwork><![CDATA[      module: ietf-vn-rsc
      +--rw sites
        +--rw site* [site-id]
         +--rw site-id         svc-id
         +--rw service
         | +--rw qos {qos}?
         | | +--rw qos-classification-policy
         | | | +--rw rule* [id]
         | | |   +--rw id          uint16
         | | |   +--rw (match-type)?
         | | |   | +--:(match-flow)
         | | |   | | +--rw match-flow
         | | |   | |   +--rw target-sites*    svc-id
         | | |   +--rw target-class-id?   string
         | | +--rw qos-profile
         | |   +--rw (qos-profile)?
         | |    +--:(standard)
         | |    | +--rw profile?  string
         | |    +--:(custom)
         | |      +--rw classes {qos-custom}?
         | |       +--rw class* [class-id]
         | |         +--rw class-id   string
         | |         +--rw rate-limit?  uint8
         | |         +--rw latency
         | |         | +--rw (flavor)?
         | |         |    ...
         | |         +--rw jitter
         | |         | +--rw (flavor)?
         | |         |    ...
         | |         +--rw bandwidth
         | |          +--rw guaranteed-bw-percent?  uint8
         | |          +--rw end-to-end?       empty]]></artwork>
            </figure>
          </section>
        </section>
      </section>

      <section title="VN Service Topology Resource Distribution Configuration">
        <t>A 'site' is composed of at least one "site-network-access" and, in
        the case of multihoming, may have multiple site-network-access
        points.</t>

        <t>For each "site-network-access", the ingress device/customer device
        and/or the egress device has been selected to connect to the provider
        network. The ingress device list is specified under the site, and the
        egress device is specified under the vn-attachment container.</t>

        <t>With the selected ingress device, egress device, and VN membership,
        the VN service topology can be constructed. Resource allocation for
        site-to-site connectivity or connectivity within a site can then be
        calculated based on this VN service topology.</t>

        <figure>
          <artwork><![CDATA[
            VPN1-Site1                               VPN1-Site2
      +------------------------------------------------------------+
     /   [CE1]..                              [PE2______[CE3]     /
    /    /  \  :                              : \_       / :     /
   /    /    \  :                             :   \_    /  :    /
  /    /      \  :                           :      \  /   :   /
 /   [CE2]___[PE1]:                         :       [CE4]  :  /
+------:-------:---:---------------------------------:-----:-+
         :        :   :         :          :     :
         :         :   :       :           :     :
         :  +-------:---:-----:------------:-----:-----+
         : /       [X1]__:___:___________[X2]   :     /
         :/         / \_  : :       _____/ /   :     /
         :         /    \_ :  _____/      /   :     /
        /:        /       \: /           /   :     /
       / :       /        [X5]          /   :     /
      /   :     /       __/ \__        /   :     /
     /     :   /    ___/       \__    /   :     /
    /       : / ___/              \  /   :     /
   /        [X4]__________________[X3]..:     /
  +------------------------------------------+
                                 L3 Topology]]></artwork>
        </figure>
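
        <t>The topology construction described above, shown as an added
        example that is not part of this draft or of any implementation of it.
        The Python code resolves a decoded vn-rsc instance into per-VN (site,
        access, ingress device, egress device) entries and rejects references
        that do not resolve, a check a controller can run before allocating
        resources. Node names come from the data hierarchy in this document;
        the dictionary encoding, the sample values and the function names are
        assumptions made for the example.</t>

        <figure>
          <artwork><![CDATA[
```python
"""Resolve ietf-vn-rsc instance data into per-VN topology edges (added example)."""

# Constructed sample, shaped after the vn-rsc data hierarchy. Deliberate flaws:
# "sna-2" names an ingress device no site declares; "sna-9" has no site entry.
SAMPLE = {"vn-rsc": {
    "vn-services": {"vn-service": [{
        "vn-id": "vpn1",
        "site-network-accesses": {"site-network-access": [
            {"site-network-access-id": "sna-1"},
            {"site-network-access-id": "sna-2"},
            {"site-network-access-id": "sna-9"},
        ]},
    }]},
    "sites": {"site": [
        {"site-id": "site1",
         "cpe-devices": {"cpe-device": [{"device-id": "CE1"}, {"device-id": "CE2"}]},
         "site-network-accesses": {"site-network-access": [{
             "site-network-access-id": "sna-1",
             "ingress-device-id": "CE1",
             "vn-attachments": {"vn-attachment": [{
                 "vn-id": "vpn1",
                 "attachment-point": {"egress-device-id": "PE1"}}]},
         }]}},
        {"site-id": "site2",
         "cpe-devices": {"cpe-device": [{"device-id": "CE3"}]},
         "site-network-accesses": {"site-network-access": [{
             "site-network-access-id": "sna-2",
             "ingress-device-id": "CE4",
             "vn-attachments": {"vn-attachment": [{
                 "vn-id": "vpn1",
                 "attachment-point": {"egress-device-id": "PE2"}}]},
         }]}},
    ]},
}}


def entries(node, container, list_name):
    """Entries of list `list_name` inside `container`; [] when either is absent."""
    return (node.get(container) or {}).get(list_name) or []


def build_topology(data):
    """Return (edges, errors) for a decoded vn-rsc instance.

    edges:  {vn-id: [(site-id, access-id, ingress-device-id, egress-device-id)]}
    errors: one message per reference that does not resolve
    """
    root = data["vn-rsc"]
    sites = entries(root, "sites", "site")
    edges, errors = {}, []

    # Target set of the ingress-device-id leafref: every cpe-device of every site.
    devices = {d["device-id"] for s in sites
               for d in entries(s, "cpe-devices", "cpe-device")}

    # Index the accesses declared under sites by their id.
    placed = {}
    for site in sites:
        for acc in entries(site, "site-network-accesses", "site-network-access"):
            placed[acc["site-network-access-id"]] = (site["site-id"], acc)

    referenced = set()
    for vn in entries(root, "vn-services", "vn-service"):
        vn_id = vn["vn-id"]
        edges[vn_id] = []
        for ref in entries(vn, "site-network-accesses", "site-network-access"):
            aid = ref["site-network-access-id"]
            referenced.add(aid)
            if aid not in placed:
                errors.append(f"{vn_id}/{aid}: access is not placed under any site")
                continue
            site_id, acc = placed[aid]
            ingress = acc.get("ingress-device-id")
            if ingress is not None and ingress not in devices:
                errors.append(
                    f"{vn_id}/{aid}: ingress-device-id {ingress!r} is not a cpe-device")
                continue
            # Only the attachment made for this VN yields the egress device.
            attach = [a for a in entries(acc, "vn-attachments", "vn-attachment")
                      if a["vn-id"] == vn_id]
            if not attach:
                errors.append(f"{vn_id}/{aid}: no vn-attachment for this VN")
                continue
            egress = attach[0].get("attachment-point", {}).get("egress-device-id")
            edges[vn_id].append((site_id, aid, ingress, egress))

    # The site-side site-network-access-id is a leafref into the vn-service list.
    for aid in sorted(set(placed) - referenced):
        errors.append(f"{placed[aid][0]}/{aid}: access is not listed by any vn-service")
    return edges, errors


if __name__ == "__main__":
    topo, problems = build_topology(SAMPLE)
    print(topo)
    for p in problems:
        print("reject:", p)
```
]]></artwork>
        </figure>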
      </section>
    </section>

    <section title="RPC Definitions for Computation of TE Path Element List and Network Access Connectivity List">
      <t>The RPC model facilitates issuing commands to a NETCONF server (in
      this case, to the device that needs to execute the path computation API
      command or path computation algorithm) and obtaining a response. The RPC
      model defined here abstracts path-computation-specific commands in a
      technology-independent manner.</t>

      <t>Two RPC commands are defined, for computing the path element list and
      the network access connectivity list respectively. In this section we
      present a snippet of the path element list computation command and the
      network access connectivity list computation command for illustration
      purposes. Please refer to Section 3.4 for the complete data hierarchy
      and Section 4 for the YANG model.</t>

      <figure>
        <artwork><![CDATA[  rpcs:
    +---x vn-path-element-compute
    |  +---w input
    |  |  +---w vn-member-list* [vn-member-id]
    |  |     +---w vn-member-id          -> /vn-svc/vn-services/vn-service/vn-id
    |  |     +---w constraint
    |  |     |  +---w path-element* [path-element-id]
    |  |     |     +---w path-element-id        
    |  |     |     +---w address?           
    |  |     +---w objective-function?   identityref
    |  |     +---w metric* [metric-type]
    |  |        +---w metric-type     identityref
    |  |        +---w metric-value?   uint32
    |  +--ro output
    |     +--ro vn-member-list* [vn-member-id]
    |        +--ro vn-member-id    -> /vn-svc/vn-services/vn-service/vn-id
    |        +--ro metric* [metric-type]
    |        |  +--ro metric-type     identityref
    |        |  +--ro metric-value?   uint32
    |        +--ro path
    |           +--ro path-element* [path-element-id]
    |              +--ro path-element-id    
    +---x vn-network-connectivity-stitch
       +---w input
       |  +---w vn-member-list* [vn-id]
       |     +---w vn-id            -> /vn-svc/vn-services/vn-service/vn-id        
       |     +---w source-access* [access-id]
       |     |  +---w access-id                     
       |     |  +---w destination-access* [access-id]
       |     +---w objective-function?   identityref
       |     +---w metric* [metric-type]
       |        +---w metric-type     identityref
       |        +---w metric-value?   uint32
       +--ro output
          +--ro vn-access-list* [index]
             +--ro index        uint32
             +--ro source-access -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
             +--ro destination-access-> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
             +--ro multi-domain-network-access-list * [domain-id]
                +--ro domain-id                 svc-id
                +--ro network-access-id         svc-id  ]]></artwork>
      </figure>

      <t>With these two RPC commands, we can calculate<list>
          <t>Path element list that is applied to network access connectivity
          within the site, or Site to Site connectivity or end to end
          connectivity.</t>

          <t>Network access connectivity list that is applied to site to site
          connectivity and end to end connectivity spanning across multiple
          domains.</t>
        </list></t>
    </section>

    <section title="Data Hierarchy">
      <t>The figure below describes the overall structure of the YANG
      module:</t>

      <figure>
        <artwork><![CDATA[module: ietf-vn-rsc
    +--rw vn-rsc
       +--rw vn-services
       |  +--rw vn-service* [vn-id]
       |     +--rw vn-id                    svc-id
       |     +--rw customer-name?           string
       |     +--rw service-topology?        identityref
       |     +--rw site-network-accesses
       |        +--rw site-network-access* [site-network-access-id]
       |           +--rw site-network-access-id    svc-id
       +--rw sites
          +--rw site* [site-id]
             +--rw site-id                  svc-id
             +--rw cpe-devices
             |  +--rw cpe-device* [device-id]
             |     +--rw device-id         svc-id
             |     +--rw address-family?   address-family
             |     +--rw address?          inet:ip-address
             |     +--rw interfaces
             |        +--rw interface?        if:interface-ref
             |        +--rw sub-interfaces*   if:interface-ref
             +--rw service
             |  +--rw qos {qos}?
             |     +--rw qos-classification-policy
             |     |  +--rw rule* [id]
             |     |     +--rw id                   string
             |     |     +--rw (match-type)?
             |     |     |  +--:(match-flow)
             |     |     |  |  +--rw match-flow
             |     |     |  |     +--rw dscp?                inet:dscp
             |     |     |  |     +--rw dot1p?               uint8
             |     |     |  |     +--rw ipv4-src-prefix?     inet:ipv4-prefix
             |     |     |  |     +--rw ipv6-src-prefix?     inet:ipv6-prefix
             |     |     |  |     +--rw ipv4-dst-prefix?     inet:ipv4-prefix
             |     |     |  |     +--rw ipv6-dst-prefix?     inet:ipv6-prefix
             |     |     |  |     +--rw l4-src-port?         inet:port-number
             |     |     |  |     +--rw target-sites*        svc-id {target-sites}?
             |     |     |  |     +--rw l4-src-port-range
             |     |     |  |     |  +--rw lower-port?   inet:port-number
             |     |     |  |     |  +--rw upper-port?   inet:port-number
             |     |     |  |     +--rw l4-dst-port?         inet:port-number
             |     |     |  |     +--rw l4-dst-port-range
             |     |     |  |     |  +--rw lower-port?   inet:port-number
             |     |     |  |     |  +--rw upper-port?   inet:port-number
             |     |     |  |     +--rw protocol-field?      union
             |     |     |  +--:(match-application)
             |     |     |     +--rw match-application?   identityref
             |     |     +--rw target-class-id?     string
             |     +--rw qos-profile
             |        +--rw (qos-profile)?
             |           +--:(standard)
             |           |  +--rw profile?   
                               -> /vn-svc/vpn-profiles/valid-provider-identifiers/qos-profile-identifier/id
             |           +--:(custom)
             |              +--rw classes {qos-custom}?
             |                 +--rw class* [class-id]
             |                    +--rw class-id      string
             |                    +--rw direction?    identityref
             |                    +--rw rate-limit?   uint8
             |                    +--rw latency
             |                    |  +--rw (flavor)?
             |                    |     +--:(lowest)
             |                    |     |  +--rw use-lowest-latency?   empty
             |                    |     +--:(boundary)
             |                    |        +--rw latency-boundary?     uint16
             |                    +--rw jitter
             |                    |  +--rw (flavor)?
             |                    |     +--:(lowest)
             |                    |     |  +--rw use-lowest-jitter?   empty
             |                    |     +--:(boundary)
             |                    |        +--rw latency-boundary?    uint32
             |                    +--rw bandwidth
             |                       +--rw guaranteed-bw-percent    uint8
             |                       +--rw end-to-end?              empty
             +--rw site-network-accesses
                +--rw site-network-access* [site-network-access-id]
                   +--rw site-network-access-id   
                           -> /vn-svc/vn-services/vn-service/site-network-accesses/site-network-access/site-network-access-id
                   +--rw ingress-device-id?                -> /vn-svc/sites/site/cpe-devices/cpe-device/device-id
                   +--rw access-diversity {site-diversity}?
                   |  +--rw groups
                   |  |  +--rw group* [group-id]
                   |  |     +--rw group-id    string
                   |  +--rw constraints
                   |     +--rw constraint* [constraint-type]
                   |        +--rw constraint-type    identityref
                   |        +--rw target
                   |           +--rw (target-flavor)?
                   |              +--:(id)
                   |              |  +--rw group* [group-id]
                   |              |     +--rw group-id    string
                   |              +--:(all-accesses)
                   |              |  +--rw all-other-accesses?   empty
                   |              +--:(all-groups)
                   |                 +--rw all-other-groups?     empty
                   +--rw service
                   |  +--rw svc-input-bandwidth?    uint32
                   |  +--rw svc-output-bandwidth?   uint32
                   |  +--rw svc-mtu?                uint16
                   |  +--rw qos {qos}?
                   |     +--rw qos-classification-policy
                   |     |  +--rw rule* [id]
                   |     |     +--rw id                   string
                   |     |     +--rw (match-type)?
                   |     |     |  +--:(match-flow)
                   |     |     |  |  +--rw match-flow
                   |     |     |  |     +--rw dscp?                inet:dscp
                   |     |     |  |     +--rw dot1p?               uint8
                   |     |     |  |     +--rw ipv4-src-prefix?     inet:ipv4-prefix
                   |     |     |  |     +--rw ipv6-src-prefix?     inet:ipv6-prefix
                   |     |     |  |     +--rw ipv4-dst-prefix?     inet:ipv4-prefix
                   |     |     |  |     +--rw ipv6-dst-prefix?     inet:ipv6-prefix
                   |     |     |  |     +--rw l4-src-port?         inet:port-number
                   |     |     |  |     +--rw target-sites*        svc-id {target-sites}?
                   |     |     |  |     +--rw l4-src-port-range
                   |     |     |  |     |  +--rw lower-port?   inet:port-number
                   |     |     |  |     |  +--rw upper-port?   inet:port-number
                   |     |     |  |     +--rw l4-dst-port?         inet:port-number
                   |     |     |  |     +--rw l4-dst-port-range
                   |     |     |  |     |  +--rw lower-port?   inet:port-number
                   |     |     |  |     |  +--rw upper-port?   inet:port-number
                   |     |     |  |     +--rw protocol-field?      union
                   |     |     |  +--:(match-application)
                   |     |     |     +--rw match-application?   identityref
                   |     |     +--rw target-class-id?     string
                   |     +--rw qos-profile
                   |        +--rw (qos-profile)?
                   |           +--:(standard)
                   |           |  +--rw profile?   
                                          -> /vn-svc/vpn-profiles/valid-provider-identifiers/qos-profile-identifier/id
                   |           +--:(custom)
                   |              +--rw classes {qos-custom}?
                   |                 +--rw class* [class-id]
                   |                    +--rw class-id      string
                   |                    +--rw direction?    identityref
                   |                    +--rw rate-limit?   uint8
                   |                    +--rw latency
                   |                    |  +--rw (flavor)?
                   |                    |     +--:(lowest)
                   |                    |     |  +--rw use-lowest-latency?   empty
                   |                    |     +--:(boundary)
                   |                    |        +--rw latency-boundary?     uint16
                   |                    +--rw jitter
                   |                    |  +--rw (flavor)?
                   |                    |     +--:(lowest)
                   |                    |     |  +--rw use-lowest-jitter?   empty
                   |                    |     +--:(boundary)
                   |                    |        +--rw latency-boundary?    uint32
                   |                    +--rw bandwidth
                   |                       +--rw guaranteed-bw-percent    uint8
                   |                       +--rw end-to-end?              empty
                   +--rw vn-attachments
                      +--rw vn-attachment* [vn-id]
                         +--rw vn-id               svc-id
                         +--rw vn-type?            identityref
                         +--rw attachment-point
                            +--rw egress-device-id?     svc-id
                            +--rw address-family?   address-family
                            +--rw address?          inet:ip-address
                            +--rw interfaces
                               +--rw interface?        if:interface-ref
                               +--rw sub-interfaces*   if:interface-ref

  rpcs:
    +---x vn-path-element-compute
    |  +---w input
    |  |  +---w vn-member-list* [vn-member-id]
    |  |     +---w vn-member-id          -> /vn-svc/vn-services/vn-service/vn-id
    |  |     +---w src
    |  |     |  +---w src-address?              -> /vn-svc/sites/site/site-id
    |  |     |  +---w site-network-access-id?   
                        -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
    |  |     +---w dst
    |  |     |  +---w dst-address?              -> /vn-svc/sites/site/site-id
    |  |     |  +---w site-network-access-id?   
                        -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
    |  |     +---w constraint
    |  |     |  +---w path-element* [path-element-id]
    |  |     |     +---w path-element-id    -> /vn-svc/sites/site/site-network-accesses/site-network-access/vn-attachments/vn-attachment/attachment-point/pe-device-id
    |  |     |     +---w address?           -> /vn-svc/sites/site/site-network-accesses/site-network-access/vn-attachments/vn-attachment/attachment-point/address
    |  |     +---w objective-function?   identityref
    |  |     +---w metric* [metric-type]
    |  |        +---w metric-type     identityref
    |  |        +---w metric-value?   uint32
    |  +--ro output
    |     +--ro vn-member-list* [vn-member-id]
    |        +--ro vn-member-id    uint32
    |        +--ro src
    |        |  +--ro src-address?              -> /vn-svc/sites/site/site-id
    |        |  +--ro site-network-access-id?   -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
    |        +--ro dst
    |        |  +--ro dst-address?              -> /vn-svc/sites/site/site-id
    |        |  +--ro site-network-access-id?   -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
    |        +--ro metric* [metric-type]
    |        |  +--ro metric-type     identityref
    |        |  +--ro metric-value?   uint32
    |        +--ro path
    |           +--ro path-element* [path-element-id]
    |              +--ro path-element-id    -> /vn-svc/sites/site/site-network-accesses/site-network-access/vn-attachments/vn-attachment/attachment-point/pe-device-id
    |              +--ro index?             uint32
    |              +--ro address?           -> /vn-svc/sites/site/site-network-accesses/site-network-access/vn-attachments/vn-attachment/attachment-point/address
    |              +--ro hop-type?          identityref
    +---x vn-network-connectivity-stitch
       +---w input
       |  +---w vn-list* [vn-id]
       |     +---w vn-id                 -> /vn-svc/vn-services/vn-service/vn-id
       |     +---w source-access* [access-id]
       |     |  +---w access-id             -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
       |     |  +---w destination-access* [access-id]
       |     |     +---w access-id    -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
       |     +---w objective-function?   identityref
       |     +---w metric* [metric-type]
       |        +---w metric-type     identityref
       |        +---w metric-value?   uint32
       +--ro output
          +--ro vn-access-list* [index]
             +--ro index        uint32
             +--ro source-access         -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
             +--ro destination-access    -> /vn-svc/sites/site/site-network-accesses/site-network-access/site-network-access-id
             +--ro multi-domain-network-access-list *
                +--ro domain-id                 svc-id
                +--ro network-access-id         svc-id  ]]></artwork>
      </figure>
    </section>

    <section title="Network Virtualization Overlay Management YANG Module">
      <figure>
        <artwork><![CDATA[<CODE BEGINS> file "ietf-vn-rsc@2018-02-03.yang"
module ietf-vn-rsc {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-vn-rsc";
  prefix vnrsc;

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-l3vpn-svc {
    prefix l3vpn-svc;
  }
  import ietf-interfaces{
    prefix if;
  }

  organization
    "IETF OPSAWG Working Group.";
  contact
    "WG List: foo@ietf.org
    Editor:  Qin Wu <mailto:bill.wu@huawei.com>
    Editor:  Zitao Wang <mailto:wangzitao@huawei.com>";

  description
    "The YANG module defines a generic service configuration
    model for Layer VN services common across all of the
    vendor implementations.";

  revision 2018-02-03 {
    description
      "Initial revision";
    reference
      "A YANG Data Model for VN Service Delivery.";
  }
/* Features */


/* Typedefs */
typedef svc-id {
 type string;
 description
 "Type definition for service identifier";
}
 typedef address-family {
  type enumeration {
   enum ipv4 {
    description
     "IPv4 address family.";
   }
   enum ipv6 {
    description
     "IPv6 address family.";
   }
  }
  description
   "Defines a type for the address family.";
 }

/* Identities */
 identity vn-type {
  description
  "Base identity for VN type";
 }
 identity l2vpn {
  base vn-type;
  description
  "Identity for Layer 2 vpn";
 }
 identity l3vpn {
  base vn-type;
  description
  "Identity for Layer 3 vpn";
 }
 identity evpn {
  base l2vpn;
  description
  "Identity for evpn";
 }
 identity vpls {
  base l2vpn;
  description
  "Identity for vpls";  
 }
 identity vpw {
  base l2vpn;
  description
  "Identity for vpw";  
 }
 identity vpn-topology {
  description
   "Base identity for VPN topology.";
 }
 identity any-to-any {
  base vpn-topology;
  description
   "Identity for any-to-any VPN topology.";
 }
 identity hub-spoke {
  base vpn-topology;
  description
   "Identity for Hub-and-Spoke VPN topology.";
 }
 identity hub-spoke-disjoint {
  base vpn-topology;
  description
   "Identity for Hub-and-Spoke VPN topology
    where Hubs cannot communicate with each other.";
 }

 identity objective-function{
  description
  "Identity for objective function";
 }
 
 identity metric-type{
  description
  "Identity for metric type";
 }

 identity hop-type{
  description
  "Identity for hop-type";
 }
 identity loose{
  base hop-type;
  description
  "loose hop in an explicit path";
 }
 identity strict{
  base hop-type;
  description
  "strict hop in an explicit path";
 } 
/* Grouping */
grouping vn-service-list {
 list vn-service {
  key "vn-id";
  leaf vn-id {
   type svc-id;
   description
   "VN id";
  }
  leaf customer-name {
   type string;
   description
   "Customer name";
  }
  leaf service-topology {
   type identityref {
    base vpn-topology;
   }
   default any-to-any;
   description
    "VPN service topology.";
  }
  container site-network-accesses{
   list site-network-access{
    key "site-network-access-id";
    leaf site-network-access-id{
     type svc-id;
     description
     "Site network access identifier";
    }
    description
    "List for site-network access"; 
   }   
   description
   "Container for site network accesses";
  } 
  
  description
  "List for vn service";
 }
 description
 "Grouping for vn service list";
}
grouping vn-services-grouping{
 container vn-services{
  uses vn-service-list;
  description
  "Container for virtual network service";
 }
 description
 "Grouping for vn services";
}

grouping interfaces-grouping{
 container interfaces{
  leaf interface{
   type if:interface-ref;
   description
   "Base interface";
  }
  leaf-list sub-interfaces{
   type if:interface-ref;
   description
   "Sub interfaces";
  }
  description
  "Container for interfaces";
 }
 description
 "Grouping for interfaces";
}

grouping cpe-device-list{
 list cpe-device{
  key "device-id";
  leaf device-id {
   type svc-id;
   description
   "Device identifier";
  }
  leaf address-family{
   type address-family;
   description
    "Address family used for management. If address-family
    is specified, the address may or may not be specified
   (by the customer).";
  }
  leaf address{
   type inet:ip-address;
   description
   "IP address";
  }
  uses interfaces-grouping;
  description
  "List for devices";
 }
 description
 "Grouping for cpe device list";

}
grouping cpe-devices-grouping{
 container cpe-devices{
  uses cpe-device-list;
  description
  "Container for cpe devices";
 }
 description
 "grouping for cpe-devices-grouping";
}

grouping bandwidth-grouping {
 leaf svc-input-bandwidth{
  type uint32;
  description
  "Service input bandwidth";
 }
 leaf svc-output-bandwidth{
  type uint32;
  description
  "Service output bandwidth";
 }
 description
 "Grouping for bandwidth";
}

grouping attachment-point-grouping{
 container attachment-point{
  leaf pe-device-id {
   type svc-id;
   description
   "PE Device identifier";
  }
  leaf address-family{
   type address-family;
   description
    "Address family used for management. If address-family
    is specified, the address may or may not be specified
   (by the customer).";
  }
  leaf address{
   type inet:ip-address;
   description
   "IP address";
  }
  uses interfaces-grouping; 
  description
  "Container for attachment point";
 }
 description
 "Grouping for attachment points";
}

grouping vn-attachment-list{
 list vn-attachment{
  key "vn-id";
  leaf vn-id{
   type svc-id;
   description
   "Virtual network identifier";
  }
  leaf vn-type{
   type identityref{
    base vn-type;
   }
   description
   "VN type";
  }
  uses attachment-point-grouping;
  description
  "List for VN attachments";
 }
 description
 "Grouping for VN attachment list";
}

grouping vn-attachments-grouping{
 container vn-attachments{
  uses vn-attachment-list;
  description
  "Container for VN attachments";
 }
 description
 "Grouping for VN attachments";
}

grouping site-network-access-list{
 list site-network-access{
  key "site-network-access-id";
  leaf site-network-access-id{
   type leafref{
    path "/vn-svc/vn-services/vn-service"
    +"/site-network-accesses/site-network-access"
    +"/site-network-access-id";
   }
   description
   "Site network access identifier";
  }
  leaf device-id {
   type leafref{
    path "/vn-svc/sites/site/cpe-devices"
    +"/cpe-device/device-id";
   }
   description
   "Device id";
  }
  uses l3vpn-svc:access-diversity;
  container service {
   uses bandwidth-grouping;
   leaf svc-mtu {
    type uint16;
    description
    "Service-mtu";
   }
   uses l3vpn-svc:site-service-qos-profile;
   description
   "Container for service";
  }
  uses vn-attachments-grouping;
  description
  "List for site-network access";
 }
 description
 "Grouping for site-network access list";
}

grouping site-network-accesses-grouping{
 container site-network-accesses{
  uses site-network-access-list;
  description
  "Container for site network accesses";
 }
 description
 "Grouping for site network accesses";
}

grouping site-list-grouping{
 list site {
  key "site-id";
  leaf site-id {
   type svc-id;
   description
   "Site identifier";
  }
  uses cpe-devices-grouping;
  container service {
   uses l3vpn-svc:site-service-qos-profile;
   description
   "Site service";
  }
  uses site-network-accesses-grouping;
  description
  "List for sites";
 }
 description
 "Grouping for site list";
}

grouping sites-grouping {
 container sites{
  uses site-list-grouping;
  description
  "Container for sites";
 }
 description
 "Grouping for sites";
}

grouping src-grouping{
 container src{
  leaf src-address{
   type leafref {
    path "/vn-svc/sites/site/site-id";
   }
   description
   "Source address";
  }
  leaf site-network-access-id{
   type leafref {
    path "/vn-svc/sites/site/site-network-accesses"+
    "/site-network-access/site-network-access-id";
   }
   description
   "Source site-network-access id";
  }
  description
  "Container for source id";
 }
 description
 "Grouping for source site";
}

grouping dst-grouping{
 container dst{
  leaf dst-address{
   type leafref {
    path "/vn-svc/sites/site/site-id";
   }
   description
   "Destination address";
  }
  leaf site-network-access-id{
   type leafref {
    path "/vn-svc/sites/site/site-network-accesses"+
    "/site-network-access/site-network-access-id";
   }
   description
   "Destination site-network-access id";
  }
  description
  "Container for destination id";
 }
 description
 "Grouping for destination site";
}

grouping objective-function-group{
 leaf objective-function {
  type identityref{
   base objective-function;
  }
  description
  "operational state of the objective function";
  }
  description
  "Grouping for objective functions";
}           


grouping path-element-list{
 list path-element{
  key "path-element-id";
  leaf path-element-id{
   type leafref{
   path "/vn-svc/sites/site/site-network-accesses"+
   "/site-network-access/vn-attachments/vn-attachment"+
   "/attachment-point/pe-device-id";
   }
   description
   "Path element identifier";
  }
  leaf address{
   type leafref{
   path "/vn-svc/sites/site/site-network-accesses"+
   "/site-network-access/vn-attachments/vn-attachment"+
   "/attachment-point/address";
   }  
   description
   "Path element address";
  }
  description
  "List for path elements";
 }
 description
 "Grouping for path elements";
}

grouping constraint-grouping{
 container constraint{
  config false;
  uses path-element-list;
  description
  "Container for constraint";
 }
 description
 "Grouping for constraint";
}

grouping metric-grouping{
 list metric {
  key metric-type;
  leaf metric-type {
   type identityref{
    base metric-type;
   }
   description
   "Metric type";
  }
  leaf metric-value {
   type uint32;
   description
   "Metric value";
  }
  description
  "List for metric";
 }
 description
 "Grouping for metric";
}

grouping path-list{
 list path-element{
  key "path-element-id";
  leaf path-element-id{
   type leafref{
   path "/vn-svc/sites/site/site-network-accesses"+
   "/site-network-access/vn-attachments/vn-attachment"+
   "/attachment-point/pe-device-id";
   }
   description
   "Path element identifier";
  }
  leaf index{
   type uint32;
   description
   "Index";
  }
  leaf address{
   type leafref{
   path "/vn-svc/sites/site/site-network-accesses"+
   "/site-network-access/vn-attachments/vn-attachment"+
   "/attachment-point/address";
   }  
   description
   "Path element address";
  }
  leaf hop-type{
   type identityref {
    base hop-type;
   }
   description
   "Hop type";
  }
  description
  "List for path elements";
 } 
 description
 "Grouping for path list";
}

grouping path-grouping{
 container path{
 uses path-list;
 description
 "Container for path";
 }
 description
 "Grouping for path";
}

grouping access-grouping{
 list source-access{
  key "access-id";
  leaf access-id {
   type leafref{
    path "/vn-svc/sites/site/site-network-accesses"
    +"/site-network-access/site-network-access-id";
   }
   description
   "Access id";
  }
  list destination-access{
   key "access-id";
   leaf access-id {
    type leafref{
     path "/vn-svc/sites/site/site-network-accesses"
     +"/site-network-access/site-network-access-id";
    }
    description
    "Access id";
   }
   description
   "List for destination access id";
  }
  description
  "List for source access id";
 }
 description
 "Grouping for access";
}
/* .....................................*/

container vn-svc{
 uses vn-services-grouping;
 uses sites-grouping;
 description
 "Container for vn service"; 
}

rpc vn-compute{
 description
 "RPC for VN compute";
 input {
  list vn-member-list {
   key "vn-member-id";
   leaf vn-member-id{
    type leafref{
     path "/vn-svc/vn-services/vn-service/vn-id";
    }
    description
    "VN member identifier";
   }
   uses src-grouping;
   uses dst-grouping;
   uses constraint-grouping;
   uses objective-function-group;
   uses metric-grouping;
   description
   "List for vn member";
  }
 }
 output{
  list vn-member-list {
   key "vn-member-id";
   leaf vn-member-id{
    type uint32;
    description
    "VN member identifier";
   }
   uses src-grouping;
   uses dst-grouping;
   uses metric-grouping;
   uses path-grouping;
   description
   "List for vn member";
  }
 }
}

rpc vn-stitch{
 description
 "RPC for VN stitch";
 input {
  list vn-list {
   key "vn-id";
   leaf vn-id{
    type leafref{
     path "/vn-svc/vn-services/vn-service/vn-id";
    }
    description
    "VN identifier";
   }
   uses access-grouping;
   uses objective-function-group;
   uses metric-grouping;
   description
   "List for vn";
  }
 }
 output{
  list vn-access-list {
   key "index";
   leaf index{
    type uint32;
    description
    "Index for VN access";
   }
   leaf source-access {
    type leafref{
     path "/vn-svc/sites/site/site-network-accesses"
     +"/site-network-access/site-network-access-id";
    }
    description
    "Source Access ID";
   }
   leaf destination-access {
    type leafref{
     path "/vn-svc/sites/site/site-network-accesses"
     +"/site-network-access/site-network-access-id";
    }
    description
    "Destination Access ID";
   }
   list multi-domain-network-access-list {
    key "domain-id network-access-id";
    leaf domain-id {
     type string;
     description
     "Domain ID";
    }
    leaf network-access-id {
     type leafref{
      path "/vn-svc/sites/site/site-network-accesses"
      +"/site-network-access/site-network-access-id";
     }
     description
     "Network access ID";
    }
    description
    "List for multiple domain network access";
   }
   description
   "List for vn access";
  }
 }
}
}
<CODE ENDS>]]></artwork>
      </figure>
    </section>

    <section title="Security Considerations">
      <t>The YANG modules defined in this document MAY be accessed via the
      RESTCONF protocol [RFC8040] or the NETCONF protocol [RFC6241]. The
      lowest RESTCONF or NETCONF layer requires that the transport-layer
      protocol provide both data integrity and confidentiality; see Section 2
      in [RFC8040] and [RFC6241]. The lowest NETCONF layer is the secure
      transport layer, and the mandatory-to-implement secure transport is
      Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and
      the mandatory-to-implement secure transport is TLS [RFC5246].</t>

      <t>The NETCONF access control model [RFC6536] provides the means to
      restrict access for particular NETCONF or RESTCONF users to a
      preconfigured subset of all available NETCONF or RESTCONF protocol
      operations and content.</t>

      <t>There are a number of data nodes defined in this YANG module that are
      writable/creatable/deletable (i.e., config true, which is the default).
      These data nodes may be considered sensitive or vulnerable in some
      network environments. Write operations (e.g., edit-config) to these data
      nodes without proper protection can have a negative effect on network
      operations. These are the subtrees and data nodes and their
      sensitivity/vulnerability: <list style="symbols">
          <t>/vn-svc/vn-services/vn-service<vspace blankLines="1" />The
          entries in this list include the whole VN service configuration to
          which the customer subscribed, and indirectly create or modify the
          egress and ingress device configurations. Unexpected changes to
          these entries could lead to service disruption and/or network
          misbehavior.</t>

          <t>/vn-svc/sites/site<vspace blankLines="1" />The entries in this
          list include the customer site configurations. Unexpected changes to
          these entries could lead to service disruption and/or network
          misbehavior.</t>
        </list></t>

      <t>Some of the readable data nodes in this YANG module may be considered
      sensitive or vulnerable in some network environments. It is thus
      important to control read access (e.g., via get, get-config, or
      notification) to these data nodes. These are the subtrees and data nodes
      and their sensitivity/vulnerability: <list style="symbols">
          <t>/vn-svc/vn-services/vn-service</t>

          <t>/vn-svc/sites/site</t>
        </list>The entries in these lists include customer-proprietary or
      confidential information, e.g., customer-name, site location, and
      which services the customer subscribes to.</t>
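
      <t>The following NACM [RFC6536] configuration is an added example,
      not part of the draft or of any implementation, showing one way to
      apply the read and write restrictions above to this module's subtrees
      and RPCs. The group names, user names and rule names are hypothetical,
      and exec-default is assumed to be left at its default of permit.</t>

      <figure>
        <artwork><![CDATA[
```xml
<!-- Added example: NACM rules for the ietf-vn-rsc module.
     Group, user and rule names are hypothetical. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:vnrsc="urn:ietf:params:xml:ns:yang:ietf-vn-rsc">
  <enable-nacm>true</enable-nacm>
  <!-- Data nodes not matched by a rule below are neither readable
       nor writable. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>

  <groups>
    <group>
      <name>vn-provisioning</name>
      <user-name>provisioner-1</user-name>
    </group>
    <group>
      <name>vn-monitoring</name>
      <user-name>monitor-1</user-name>
    </group>
  </groups>

  <!-- Provisioning staff: full access to the module's data nodes
       (vn-services/vn-service, sites/site) and its RPCs. -->
  <rule-list>
    <name>vn-provisioning-acl</name>
    <group>vn-provisioning</group>
    <rule>
      <name>permit-vn-rsc-all</name>
      <module-name>ietf-vn-rsc</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <!-- Monitoring staff: read-only, customer names hidden, no RPCs.
       Rules are evaluated in order and the first match decides, so
       the deny for customer-name precedes the broader read permit. -->
  <rule-list>
    <name>vn-monitoring-acl</name>
    <group>vn-monitoring</group>
    <rule>
      <name>hide-customer-name</name>
      <path>/vnrsc:vn-svc/vnrsc:vn-services/vnrsc:vn-service/vnrsc:customer-name</path>
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>read-vn-svc</name>
      <!-- Covers vn-services/vn-service and sites/site. -->
      <path>/vnrsc:vn-svc</path>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>deny-vn-rpcs</name>
      <module-name>ietf-vn-rsc</module-name>
      <rpc-name>*</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>Covers vn-compute and vn-stitch.</comment>
    </rule>
  </rule-list>
</nacm>
```
]]></artwork>
      </figure>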
    </section>

    <section title="IANA Considerations">
      <t>This document registers a URI in the IETF XML registry <xref
      target="RFC3688"></xref>. Following the format in <xref
      target="RFC3688"></xref>, the following registration is requested to be
      made:</t>

      <figure>
        <artwork><![CDATA[---------------------------------------------------------------------
   URI: urn:ietf:params:xml:ns:yang:ietf-vn-rsc

   Registrant Contact: The IESG.

   XML: N/A, the requested URI is an XML namespace.
---------------------------------------------------------------------]]></artwork>
      </figure>

      <t>This document registers a YANG module in the YANG Module Names
      registry <xref target="RFC7950"></xref>.</t>

      <figure>
        <artwork><![CDATA[---------------------------------------------------------------------
   Name:         ietf-vn-rsc
   Namespace:    urn:ietf:params:xml:ns:yang:ietf-vn-rsc
   Prefix:       vnrsc
   Reference:    RFC xxxx
---------------------------------------------------------------------]]></artwork>
      </figure>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <reference anchor="RFC2119">
        <front>
          <title abbrev="RFC Key Words">Key words for use in RFCs to Indicate
          Requirement Levels</title>

          <author fullname="Scott Bradner" initials="S." surname="Bradner">
            <organization>Harvard University</organization>

            <address>
              <postal>
                <street>1350 Mass. Ave.</street>

                <street>Cambridge</street>

                <street>MA 02138</street>
              </postal>

              <phone>+1 617 495 3864</phone>

              <email>sob@harvard.edu</email>
            </address>
          </author>

          <date month="March" year="1997" />

          <area>General</area>

          <keyword>keyword</keyword>

          <abstract>
            <t>In many standards track documents several words are used to
            signify the requirements in the specification. These words are
            often capitalized. This document defines these words as they
            should be interpreted in IETF documents. Authors who follow these
            guidelines should incorporate this phrase near the beginning of
            their document: <list>
                <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
                "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
                "OPTIONAL" in this document are to be interpreted as described
                in RFC 2119.</t>
              </list></t>

            <t>Note that the force of these words is modified by the
            requirement level of the document in which they are used.</t>
          </abstract>
        </front>
      </reference>

      <?rfc include="reference.RFC.7950"?>

      <?rfc include="reference.RFC.7952"?>

      <?rfc include="reference.RFC.3688"?>

      <?rfc include="reference.RFC.6241"?>

      <?rfc include="reference.RFC.6242"?>

      <?rfc include="reference.RFC.6370"?>

      <?rfc include="reference.RFC.6536"?>
    </references>

    <references title="Informative References">
      <?rfc include='reference.RFC.7297'?>

      <?rfc include='reference.RFC.7679'?>

      <?rfc include='reference.RFC.7680'?>

      <?rfc include='reference.RFC.3393'?>
    </references>
  </back>
</rfc>
