Network Working Group                                         I. Bryskin
Internet-Draft                                                 Futurewei
Intended status: Informational                                 V. Beeram
Expires: January 6, 2020                                         T. Saad
                                                        Juniper Networks
                                                                  X. Liu
                                                          Volta Networks
                                                                  Y. Lee
                                                     Huawei Technologies
                                                                  A. Guo
                                                               Futurewei
                                                            July 5, 2019


      Basic YANG Model for Steering Client Services To Server Tunnels
            draft-bryskin-teas-service-tunnel-steering-model-03

Abstract

   This document describes a YANG data model for managing pools of
   transport tunnels and steering client services on them.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 6, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
     1.3.  Prefixes in Data Node Names
   2.  Explicit vs. Implicit Service2tunnel Mapping. Steering
       Services to Transport Tunnel Pools
   3.  The purpose of the model
   4.  Model Design
   5.  Tree Structure
   6.  YANG Modules
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Client layer services/signals are normally mapped onto the transport
   tunnels that carry them across the network via client/server layer
   adaptation relationships. Such relationships are usually modeled as
   multi-layer topologies, where tunnels set up in underlay (server)
   topologies support links in the respective overlay (client)
   topologies. In this respect, having a link in a client topology
   means that client layer traffic can be forwarded between the link
   termination points (LTPs) terminating the link on opposite sides by
   the supporting tunnel(s) provisioned in the server layer topology.

   That said, there are numerous use cases in which describing the
   client service to server tunnel bindings via the topology formalism
   is impractical. Below are some examples of such use cases:

   o  Mapping client services onto tunnels within the same network
      layer, for example, mapping L3 VPNs or MPLS-SR services onto IP
      MPLS tunnels;

   o  Mapping client services onto tunnels provisioned in the highest
      layer topology supported by the network. For example, mapping
      L2VPNs or E(V)PL services onto IP MPLS tunnels provisioned in an
      IP network;

   o  Mapping client services to tunnels provisioned in separate network
      layers at the network's access points. Consider, for example, an
      OTN/ODUk network that is used to carry client signals of, say, 20
      different types (e.g. Ethernet, SDH, FICON, etc.)
      entering and exiting the network over client facing interfaces.
      Although it is possible to describe such a network as a 21-layer
      TE topology with the OTN/ODUk topology serving each of the 20
      client layer topologies [I-D.ietf-teas-yang-te-topo], such a
      description would be verbose, cumbersome, difficult to expand to
      accommodate additional client signals, and unnecessary, because
      the client layer topologies would have zero switching flexibility
      inside the network (i.e. contain only unrelated links connecting
      access points across the respective layer networks). All that a
      management application needs to know is which ODUk tunnels are
      established or required, which client signals the tunnels can
      carry and at which network border nodes, and how the client
      signals can be bound (i.e. adapted) to the tunnels.

   It is worth noting that such non-topological client-service-to-
   server-tunnel mapping almost always happens on network border nodes.
   However, there are also important use cases where such a mapping is
   required in the middle of the network. One such use case is
   controlling, on IP/MPLS FRR Points of Local Repair (PLRs), which LSPs
   are mapped onto which backup tunnels.

   It is important to bear in mind that service2tunnel mappings can be
   very complex: a large number of instances of services of the same or
   different types (possibly governed by different models) can be
   mapped onto the same set of tunnels, with the latter being set up in
   different network layers, being of either TE or non-TE nature, and
   being of P2P, P2MP or MP2MP type. Furthermore, the mappings can be
   hierarchical: tunnels carrying services can themselves be clients of
   other tunnels.

   Despite the differences among transport tunnels and among the
   services they carry, service2tunnel mappings can be modeled in a
   simple, uniform way. Access to a data store of such mappings would
   be beneficial to network management applications. It would be
   possible, for example, to discover which services depend on which
   tunnels, which services will be affected if a given tunnel goes out
   of service, and how many more services could be placed onto a given
   TE tunnel without the latter violating its TE commitments (such as
   bandwidth and delay). It would also be possible to move numerous
   (ranges of) service instances from one set of tunnels to another in
   a single request.

   This document defines a YANG data model for facilitating said
   service2tunnel mappings.

   The YANG model in this document conforms to the Network Management
   Datastore Architecture (NMDA) [RFC8342].

1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

   The following terms are defined in [RFC7950] and are not redefined
   here:

   o  augment

   o  data model

   o  data node

1.2.  Tree Diagrams

   A simplified graphical representation of the data model is presented
   in this document, by using the tree format defined in [RFC8340].

1.3.  Prefixes in Data Node Names

   In this document, names of data nodes, actions, and other data model
   objects are often used without a prefix, as long as it is clear from
   the context in which YANG module each name is defined. Otherwise,
   names are prefixed using the standard prefix associated with the
   corresponding YANG module, as shown in Table 1.
            +----------+-----------------+-------------------------+
            | Prefix   | YANG module     | Reference               |
            +----------+-----------------+-------------------------+
            | inet     | ietf-inet-types | [RFC6991]               |
            | te-types | ietf-te-types   | [I-D.ietf-teas-yang-te] |
            +----------+-----------------+-------------------------+

               Table 1: Prefixes and Corresponding YANG Modules

2.  Explicit vs. Implicit Service2tunnel Mapping. Steering Services to
    Transport Tunnel Pools

   There are use cases in which client services require hard separation
   of the transport carrying them from the transport carrying other
   services. However, environments in which services may share the
   same transport tunnels are far more common. For this reason the
   model defined in this document suggests replacing (or at least
   augmenting) the explicit service2tunnel mapping configuration (in
   which the tunnels are referred to by their IDs/names) with an
   implicit mapping. Specifically, the model introduces the notion of a
   tunnel pool. A tunnel pool is referred to by its network unique
   color, and a service2tunnel mapping configuration specifies the
   tunnel pool color(s) instead of tunnel IDs/names. The model governs
   the tunnel pool data store independently from the services steered
   onto the tunnels. It is assumed (although not required) that the
   tunnels constituting a tunnel pool are of the same type, provisioned
   using a common template. Importantly, they can be dynamically added
   to/removed from the pool without necessitating service2tunnel mapping
   re-configuration. Such a service to tunnel pool steering approach
   has the following advantages:

   o  Scalability and efficiency: pool component bandwidth utilization
      can be monitored, and tunnels can be added to/removed from the
      pool if/when the current component bandwidth utilization is
      detected to have crossed certain thresholds. This allows for very
      efficient network resource utilization and relieves the network
      management application of the very difficult task of service to
      tunnel mapping planning;

   o  Automation and elasticity: pool component attributes can be
      modified - bandwidth auto-adjusted, protection added, delay
      constrained, etc. The tunnels can be completely or partially
      replaced with tunnels of different types (e.g. TE vs. non-TE, P2P
      vs. P2MP, etc.) or even provisioned in different network layers
      (OTN/ODUk tunnels replacing IP TE tunnels). Importantly, none of
      these modifications require service2tunnel mapping re-
      configuration as long as the modified or new tunnels remain
      within the same tunnel pool(s);

   o  Transparency: new service sites supported by additional PEs can be
      added without service2tunnel mapping re-configuration.

3.  The purpose of the model

   The model is targeted to facilitate, for network management
   applications such as service orchestrators, the control of pools of
   transport tunnels and the steering of client services onto them
   independently of the network technology/layer specifics of both the
   services and the tunnels. The model can be applied to/implemented
   on physical devices, such as IP routers, as well as on abstract
   topology nodes. Furthermore, the model can be supported by a
   network (domain) controller, such as an ACTN PNC, acting as a proxy
   server on behalf of any network element/node (physical or abstract)
   under its control.

4.  Model Design

   The data store described/governed by the model is comprised of a
   single top level list - TunnelPools. A TunnelPool, a list element,
   is a container describing a set of transport tunnels (presumably with
   similar characteristics) identified by a network unique ID (color).
   A given TunnelPool can be generic to the entire network or specific
   to a particular network slice or network abstract topology.
   Furthermore, a TunnelPool may have no tunnels (i.e. may have an empty
   Tunnels list). A service steered onto such a TunnelPool will be
   carried by the best effort forwarding technique and flexibility
   available in the slice/topology the TunnelPool is assigned to, or
   generally in the network.

   The TunnelPool container has the following fields:

   o  Color [uint32 list key];

   o  Slice/Abstract topology ID (if zero, the TunnelPool is generic to
      the network);

   o  Tunnels list;

   o  Services list.

   The Tunnels list describes the pool constituents - active transport
   tunnels. The list members - Tunnel containers - include the
   following information:

   o  tunnel type [e.g. P2P-TE, P2MP-TE, SR-TE, SR P2P, LDP P2P, LDP
      MP2MP, GRE, PBB, etc.];

   o  tunnel type specific tunnel ID [provided that a data store of the
      tunnel type, e.g. TE tunnels, is supported, the tunnel ID allows
      the management application to look up the tunnel in question to
      obtain detailed information about it];

   o  tunnel encapsulation [e.g. MPLS label stack, Ethernet S-TAGs, GRE
      header, PBB header, etc.].

   The Services list describes the services currently steered onto the
   tunnel pool. The list members - Service containers - have the
   following attributes:

   o  service type [e.g. fixed/transparent, L3VPN, L2VPN, EVPN, ELINE,
      EPL, EVPL, L1VPN, ACTN VN, etc.];

   o  service type specific service ID [provided that a data store of
      the service type, e.g. L2VPN, is supported, the service ID allows
      the management application to look up the service in question to
      obtain detailed information about it];

   o  client ports (source/destination node LTPs over which the service
      enters/exits the node/network, relevant only for fixed/transparent
      services);

   o  service encapsulation [e.g.
      MP LS label stack, Ethernet C-TAGs, etc.] - for service
      multiplexing/de-multiplexing onto/from a statistically shared
      tunnel.

5.  Tree Structure

   module: ietf-tunnel-steering
     +--rw tunnel-pools
        +--rw tunnel-pool* [color]
           +--rw color                     uint32
           +--rw description?              string
           +--rw te-topology-identifier
           |  +--rw provider-id?   te-types:te-global-id
           |  +--rw client-id?     te-types:te-global-id
           |  +--rw topology-id?   te-types:te-topology-id
           +--rw service* [service-type id]
           |  +--rw service-type    identityref
           |  +--rw id              string
           |  +--rw encapsulation
           |  |  +--rw type?    identityref
           |  |  +--rw value?   binary
           |  +--rw access-point* [node-address link-termination-point]
           |     +--rw node-address              inet:ip-address
           |     +--rw link-termination-point    string
           |     +--rw direction?                enumeration
           +--rw tunnel* [tunnel-type source destination tunnel-id]
              +--rw tunnel-type      identityref
              +--rw source           inet:ip-address
              +--rw destination      inet:ip-address
              +--rw tunnel-id        binary
              +--rw encapsulation
                 +--rw type?    identityref
                 +--rw value?   binary

6.  YANG Modules

   <CODE BEGINS> file "ietf-tunnel-steering@2019-07-05.yang"
   module ietf-tunnel-steering {
     yang-version 1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tunnel-steering";

     prefix "tnl-steer";

     import ietf-inet-types {
       prefix inet;
     }

     import ietf-te-types {
       prefix "te-types";
     }

     organization
       "IETF Traffic Engineering Architecture and Signaling (TEAS)
        Working Group";

     contact
       "WG Web:
        WG List:

        Editors: Igor Bryskin
        Editor: Vishnu Pavan Beeram
        Editor: Tarek Saad
        Editor: Xufeng Liu
        Editor: Young Lee
        ";

     description
       "This data model is for steering client services to server
        tunnels.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).";

     revision 2019-07-05 {
       description "Initial revision";
       reference "TBD";
     }

     /*
      * Typedefs
      */

     /*
      * Identities
      */
     identity service-type {
       description "Base identity for client service type.";
     }
     identity service-type-l3vpn {
       base service-type;
       description
         "L3VPN service.";
     }
     identity service-type-l2vpn {
       base service-type;
       description
         "L2VPN service.";
     }
     identity service-type-evpn {
       base service-type;
       description
         "EVPN service.";
     }
     identity service-type-eline {
       base service-type;
       description
         "ELINE service.";
     }
     identity service-type-epl {
       base service-type;
       description
         "EPL service.";
     }
     identity service-type-evpl {
       base service-type;
       description
         "EVPL service.";
     }
     identity service-type-l1vpn {
       base service-type;
       description
         "L1VPN service.";
     }
     identity service-type-actn-vn {
       base service-type;
       description
         "ACTN VN service.";
     }
     identity service-type-transparent {
       base service-type;
       description
         "Transparent LAN service.";
     }

     identity tunnel-type {
       description "Base identity for tunnel type.";
     }
     identity tunnel-type-te-p2p {
       base tunnel-type;
       description
         "TE point-to-point tunnel type.";
     }
     identity tunnel-type-te-p2mp {
       base tunnel-type;
       description
         "TE point-to-multipoint tunnel type.";
       reference "RFC4875";
     }
     identity tunnel-type-te-sr {
       base tunnel-type;
       description
         "Segment Routing TE tunnel type.";
     }
     identity tunnel-type-sr {
       base tunnel-type;
       description
         "Segment Routing tunnel type.";
     }
     identity tunnel-type-ldp-p2p {
       base tunnel-type;
       description
         "LDP point-to-point tunnel type.";
     }
     identity tunnel-type-ldp-mp2mp {
       base tunnel-type;
       description
         "Multicast LDP multipoint-to-multipoint tunnel type.";
     }
     identity tunnel-type-gre {
       base tunnel-type;
       description
         "GRE tunnel type.";
     }
     identity tunnel-type-pbb {
       base tunnel-type;
       description
         "PBB tunnel type.";
     }

     identity service-encapsulation-type {
       description "Base identity for service encapsulation.";
     }
     identity service-encapsulation-type-mpls-label {
       base service-encapsulation-type;
       description
         "Encapsulated by MPLS label stack, as an inner label to
          identify the customer service.";
     }
     identity service-encapsulation-type-ethernet-c-tag {
       base service-encapsulation-type;
       description
         "Encapsulated by Ethernet C-TAG, to identify the customer
          service.";
     }

     identity tunnel-encapsulation-type {
       description "Base identity for tunnel encapsulation.";
     }
     identity tunnel-encapsulation-type-mpls-label {
       base tunnel-encapsulation-type;
       description
         "Encapsulated by MPLS label stack, as an outer label to
          be pushed into the tunnel.";
     }
     identity tunnel-encapsulation-type-ethernet-s-tag {
       base tunnel-encapsulation-type;
       description
         "Encapsulated by Ethernet S-TAG.";
     }
     identity tunnel-encapsulation-type-pbb {
       base tunnel-encapsulation-type;
       description
         "Encapsulated by PBB header.";
     }
     identity tunnel-encapsulation-type-gre {
       base tunnel-encapsulation-type;
       description
         "Encapsulated by GRE header.";
     }

     /*
      * Groupings
      */

     /*
      * Configuration data and operational state data nodes
      */
     container tunnel-pools {
       description
         "A list of mappings that steer client services to transport
          tunnel pools. The tunnel pools are managed independently from
          the services steered on them.";

       list tunnel-pool {
         key "color";
         description
           "A set of transport tunnels (presumably with similar
            characteristics) identified by a network unique ID, named
            'color'.";
         leaf color {
           type uint32;
           description
             "Unique ID of a tunnel pool.";
         }
         leaf description {
           type string;
           description
             "Client provided description of the tunnel pool.";
         }
         uses te-types:te-topology-identifier;

         list service {
           key "service-type id";
           description
             "A list of client services that are steered on this tunnel
              pool.";
           leaf service-type {
             type identityref {
               base service-type;
             }
             description
               "Service type required by the client.";
           }
           leaf id {
             type string;
             description
               "Unique ID of a client service for the specified
                service type.";
           }
           container encapsulation {
             description
               "The encapsulation information used to identify the
                customer service for multiplexing over shared tunnels.";
             leaf type {
               type identityref {
                 base service-encapsulation-type;
               }
               description
                 "The encapsulation type used to identify the customer
                  service for multiplexing over shared tunnels.";
             }
             leaf value {
               type binary;
               description
                 "The encapsulation value pushed to the tunnel to
                  identify this service.
                  If not specified, the system decides what
                  value to be used for multiplexing.";
             }
           }
           list access-point {
             key "node-address link-termination-point";
             description
               "A list of client ports (Link Termination Points) for the
                service to enter or exit.";
             leaf node-address {
               type inet:ip-address;
               description
                 "Node over which the service enters or exits.";
             }
             leaf link-termination-point {
               type string;
               description
                 "Client port (Link Termination Point) over which the
                  service enters or exits.";
             }
             leaf direction {
               type enumeration {
                 enum "in" {
                   description "The service enters the network.";
                 }
                 enum "out" {
                   description "The service exits the network.";
                 }
                 enum "in-out" {
                   description
                     "The service enters and exits the network.";
                 }
               }
               description
                 "Whether the service enters or exits the network.";
             }
           }
         }
         list tunnel {
           key "tunnel-type source destination tunnel-id";
           description
             "A list of tunnels in the tunnel pool.";

           leaf tunnel-type {
             type identityref {
               base tunnel-type;
             }
             description
               "Tunnel type based on constructing technologies and
                multipoint types, including P2P-TE, P2MP-TE, SR-TE,
                SR P2P, LDP P2P, LDP MP2MP, GRE, PBB, etc.";
           }
           leaf source {
             type inet:ip-address;
             description
               "For a p2p or p2mp tunnel, this is the source address;
                for a mp2mp tunnel, this is the root address.";
             reference "RFC3209, RFC4875, RFC6388, RFC7582.";
           }
           leaf destination {
             type inet:ip-address;
             description
               "For a p2p tunnel, this is the tunnel endpoint address
                extracted from the SESSION object;
                for a p2mp tunnel, this identifies the destination
                group, or p2mp-id;
                for a mp2mp tunnel identified by root and opaque-value,
                this value is set to '0.0.0.0'.";
             reference "RFC3209, RFC4875, RFC6388, RFC7582.";
           }
           leaf tunnel-id {
             type binary;
             description
               "For a p2p or p2mp tunnel, this is the tunnel identifier
                used in the SESSION that remains constant over the life
                of the tunnel;
                for a mp2mp tunnel, this is the opaque-value in the
                FEC element.";
             reference "RFC3209, RFC4875, RFC6388, RFC7582.";
           }
           container encapsulation {
             description
               "The encapsulation information used by the tunnel.";
             leaf type {
               type identityref {
                 base tunnel-encapsulation-type;
               }
               description
                 "The encapsulation type used by the tunnel.";
             }
             leaf value {
               type binary;
               description
                 "The encapsulation value pushed onto the tunnel data to
                  identify the traffic in this tunnel.
                  If not specified, the system decides what
                  value to be used.";
             }
           }
         }
       }
     }
   }
   <CODE ENDS>

7.  IANA Considerations

   RFC Ed.: In this section, replace all occurrences of 'XXXX' with the
   actual RFC number (and remove this note).

   This document registers the following namespace URIs in the IETF XML
   registry [RFC3688]:

   --------------------------------------------------------------------
   URI: urn:ietf:params:xml:ns:yang:ietf-tunnel-steering
   Registrant Contact: The IESG.
   XML: N/A, the requested URI is an XML namespace.
   --------------------------------------------------------------------

   This document registers the following YANG modules in the YANG Module
   Names registry [RFC7950]:

   --------------------------------------------------------------------
   name:         ietf-tunnel-steering
   namespace:    urn:ietf:params:xml:ns:yang:ietf-tunnel-steering
   prefix:       tnl-steer
   reference:    RFC XXXX
   --------------------------------------------------------------------

8.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].
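   The access split this section calls for (write access to
   /tunnel-pools/tunnel-pool limited to the operators who manage
   steering, read access limited to monitoring, and nothing for anyone
   else) can be expressed directly as NETCONF access control model
   [RFC8341] rule-lists. The following is an added example; it is not
   part of this draft or of any vendor implementation, and the group
   names tunnel-operators and noc-monitoring, the rule-list names and
   the rule names are assumptions. It builds the <nacm> configuration
   subtree with Python's standard library and includes a small
   first-match evaluator so the rule ordering can be checked before the
   configuration is pushed to a device:

```python
"""Added example, not part of the draft: NACM (RFC 8341) rule-lists that
give one group full control of /tunnel-pools, a second group read-only
access and everyone else nothing, plus a first-match evaluator so the
ordering can be checked offline. Group and rule names are assumptions."""
import xml.etree.ElementTree as ET

NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
TNL_NS = "urn:ietf:params:xml:ns:yang:ietf-tunnel-steering"
MODULE = "ietf-tunnel-steering"
SUBTREE = "/tnl-steer:tunnel-pools"  # a data-node rule covers the node and its descendants

# Rule-lists are tried in order; within the first rule-list whose group
# matches the user, the first matching rule decides. Requests no rule
# matches fall to the global defaults (the RFC 8341 default values).
RULE_LISTS = [
    {"name": "tunnel-ops", "groups": ["tunnel-operators"], "rules": [
        {"name": "steering-full", "ops": {"create", "read", "update", "delete"},
         "action": "permit"}]},
    {"name": "tunnel-ro", "groups": ["noc-monitoring"], "rules": [
        {"name": "steering-read", "ops": {"read"}, "action": "permit"},
        {"name": "steering-no-write", "ops": {"create", "update", "delete"},
         "action": "deny"}]},
    # Catch-all ("*" matches every user): nobody else may even read the
    # pool membership, which Section 8 treats as sensitive.
    {"name": "tunnel-none", "groups": ["*"], "rules": [
        {"name": "steering-deny-all", "ops": {"*"}, "action": "deny"}]},
]
DEFAULTS = {"read-default": "permit", "write-default": "deny",
            "exec-default": "permit"}

def _q(tag):
    return f"{{{NACM_NS}}}{tag}"

def build_nacm_config():
    """Serialize RULE_LISTS as the <nacm> configuration subtree of RFC 8341."""
    ET.register_namespace("nacm", NACM_NS)
    nacm = ET.Element(_q("nacm"))
    nacm.set("xmlns:tnl-steer", TNL_NS)  # the prefix used in <path> must be in scope
    ET.SubElement(nacm, _q("enable-nacm")).text = "true"
    for leaf, value in DEFAULTS.items():
        ET.SubElement(nacm, _q(leaf)).text = value
    for rl in RULE_LISTS:
        rl_el = ET.SubElement(nacm, _q("rule-list"))
        ET.SubElement(rl_el, _q("name")).text = rl["name"]
        for group in rl["groups"]:
            ET.SubElement(rl_el, _q("group")).text = group
        for rule in rl["rules"]:
            r_el = ET.SubElement(rl_el, _q("rule"))
            ET.SubElement(r_el, _q("name")).text = rule["name"]
            ET.SubElement(r_el, _q("module-name")).text = MODULE
            ET.SubElement(r_el, _q("path")).text = SUBTREE
            ET.SubElement(r_el, _q("access-operations")).text = " ".join(sorted(rule["ops"]))
            ET.SubElement(r_el, _q("action")).text = rule["action"]
    return ET.tostring(nacm, encoding="unicode")

def parse_summary(xml_text):
    """Read an <nacm> subtree back: whether NACM is enabled and the
    rule-list names in the order a server will evaluate them."""
    root = ET.fromstring(xml_text)
    return {"enabled": root.findtext(_q("enable-nacm")),
            "rule_lists": [rl.findtext(_q("name")) for rl in root.findall(_q("rule-list"))]}

def nacm_decision(user_groups, operation, module, path):
    """First-match evaluation of RULE_LISTS for one data-node request, in
    the order RFC 8341 Section 3.4 prescribes. `path` is compared as a
    string prefix, so it must use the same prefix form as SUBTREE."""
    for rl in RULE_LISTS:
        if "*" not in rl["groups"] and not set(rl["groups"]) & set(user_groups):
            continue
        if module != MODULE or not path.startswith(SUBTREE):
            continue  # every rule in this example names the same subtree
        for rule in rl["rules"]:
            if "*" in rule["ops"] or operation in rule["ops"]:
                return rule["action"]
    return DEFAULTS["read-default" if operation == "read" else "write-default"]
```

   Rule-list order matters: a user who is in both groups is decided by
   the tunnel-ops rule-list because it comes first, and the catch-all
   rule-list must stay last or it shadows everything before it. The
   read-default of permit is left in place so that other modules stay
   readable; tighten it globally if that is not wanted.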
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-
   implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default). These data nodes may be considered sensitive or vulnerable
   in some network environments. Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations. These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /tunnel-pools/tunnel-pool
      This subtree specifies the list of tunnel pools, the tunnels in
      each pool and the services steered onto each pool. Modifying this
      configuration can interrupt the related services and tunnels.
      Because services are bound to a pool by its color rather than to
      individual tunnels (Section 2), a single change to a pool's tunnel
      list, or to the pool a service is listed under, re-steers every
      service on that pool at once.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments. It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes. These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   /tunnel-pools/tunnel-pool
      Unauthorized read access to this subtree discloses which services
      share which tunnels, the tunnel endpoint addresses, and the
      encapsulation values (e.g. MPLS labels, VLAN tags) that identify
      each service and tunnel.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [I-D.ietf-teas-yang-te-topo]
              Liu, X., Bryskin, I., Beeram, V., Saad, T., Shah, H., and
              O. Dios, "YANG Data Model for Traffic Engineering (TE)
              Topologies", draft-ietf-teas-yang-te-topo-22 (work in
              progress), June 2019.

   [I-D.ietf-teas-yang-te]
              Saad, T., Gandhi, R., Liu, X., Beeram, V., and I. Bryskin,
              "A YANG Data Model for Traffic Engineering Tunnels and
              Interfaces", draft-ietf-teas-yang-te-21 (work in
              progress), April 2019.

9.2.  Informative References

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.
Authors' Addresses

   Igor Bryskin
   Futurewei

   EMail: igor.bryskin@futurewei.com


   Vishnu Pavan Beeram
   Juniper Networks

   EMail: vbeeram@juniper.net


   Tarek Saad
   Juniper Networks

   EMail: tsaad@juniper.net


   Xufeng Liu
   Volta Networks

   EMail: xufeng.liu.ietf@gmail.com


   Young Lee
   Huawei Technologies

   EMail: leeyoung@huawei.com


   Aihua Guo
   Futurewei

   EMail: aihuaguo@futurewei.com
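   As an added worked example (not code from this draft or from any
   implementation of it), the following Python works with an instance
   of the tunnel-pools tree of Section 5 encoded per RFC 7951 (JSON):
   it checks the list keys and identity bases the module implies,
   answers the Section 1 question of which services are affected when a
   given tunnel goes out of service (including the Section 4 case of a
   pool whose last tunnel is lost, whose services fall back to best
   effort), and moves a range of services from one pool to another in a
   single operation as Section 2 describes. The pool colors, addresses,
   tunnel IDs and service IDs are constructed for illustration, and
   "range of service instances" is approximated by a service ID prefix,
   which is an assumption of the example:

```python
"""Added example, not code from the draft: check and query an RFC 7951
(JSON) instance of ietf-tunnel-steering. Pool colours, addresses,
tunnel IDs and service IDs below are constructed for illustration."""
import copy
import ipaddress

M = "ietf-tunnel-steering:"  # RFC 7951 qualifies identityrefs by module name
SERVICE_TYPES = {"l3vpn", "l2vpn", "evpn", "eline", "epl", "evpl", "l1vpn",
                 "actn-vn", "transparent"}      # derived from 'service-type'
TUNNEL_TYPES = {"te-p2p", "te-p2mp", "te-sr", "sr", "ldp-p2p", "ldp-mp2mp",
                "gre", "pbb"}                   # derived from 'tunnel-type'

# Constructed datastore: pool 100 carries three services over two SR-TE
# tunnels; pool 200 has no tunnels, so its services go best effort.
SAMPLE = {M + "tunnel-pools": {"tunnel-pool": [
    {"color": 100, "description": "low-latency SR-TE pool",
     "service": [
         {"service-type": M + "service-type-l3vpn", "id": "vpn-1001",
          "encapsulation": {"type": M + "service-encapsulation-type-mpls-label",
                            "value": "AAAB"}},  # binary leaves are base64
         {"service-type": M + "service-type-l3vpn", "id": "vpn-1002"},
         {"service-type": M + "service-type-evpn", "id": "evi-7"}],
     "tunnel": [
         {"tunnel-type": M + "tunnel-type-te-sr", "source": "192.0.2.1",
          "destination": "192.0.2.2", "tunnel-id": "AAE="},
         {"tunnel-type": M + "tunnel-type-te-sr", "source": "192.0.2.1",
          "destination": "192.0.2.3", "tunnel-id": "AAI="}]},
    {"color": 200, "description": "best-effort pool", "service": [],
     "tunnel": []}]}}

def pools(ds):
    return ds[M + "tunnel-pools"]["tunnel-pool"]

def _kind(identity, base):
    """'ietf-tunnel-steering:service-type-l3vpn' -> 'l3vpn' for base 'service-type'."""
    name = identity.split(":", 1)[-1]
    return name[len(base) + 1:] if name.startswith(base + "-") else None

def tunnel_key(t):
    return (_kind(t["tunnel-type"], "tunnel-type"), t["source"],
            t["destination"], t["tunnel-id"])

def validate(ds):
    """Violations of the list keys and identity bases the schema implies."""
    errors, colors = [], set()
    for pool in pools(ds):
        c = pool["color"]
        if c in colors:
            errors.append(f"pool {c}: duplicate color")
        colors.add(c)
        seen = set()
        for s in pool.get("service", []):
            key = (_kind(s["service-type"], "service-type"), s["id"])
            if key[0] not in SERVICE_TYPES:
                errors.append(f"pool {c}: unknown service-type {s['service-type']}")
            if key in seen:
                errors.append(f"pool {c}: duplicate service {key}")
            seen.add(key)
        seen = set()
        for t in pool.get("tunnel", []):
            key = tunnel_key(t)
            if key[0] not in TUNNEL_TYPES:
                errors.append(f"pool {c}: unknown tunnel-type {t['tunnel-type']}")
            for addr in key[1:3]:  # the two inet:ip-address leaves
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    errors.append(f"pool {c}: bad address {addr!r}")
            if key in seen:
                errors.append(f"pool {c}: duplicate tunnel {key}")
            seen.add(key)
    return errors

def impact_of_tunnel_loss(ds, key):
    """Services hit if tunnel `key` (kind, source, destination, tunnel-id)
    goes out of service: every service on a pool containing it, since
    services bind to the pool; if it was the pool's last tunnel, best effort."""
    affected, best_effort = [], []
    for pool in pools(ds):
        keys = [tunnel_key(t) for t in pool.get("tunnel", [])]
        if key in keys:
            affected += [(_kind(s["service-type"], "service-type"), s["id"])
                         for s in pool.get("service", [])]
            if len(keys) == 1:
                best_effort.append(pool["color"])
    return {"affected": affected, "falls_to_best_effort": best_effort}

def move_services(ds, src_color, dst_color, kind, id_prefix):
    """Re-steer, in one operation, every service of `kind` whose id starts
    with id_prefix from pool src_color to pool dst_color. Returns (count,
    new datastore); `ds` is left untouched, like a candidate datastore."""
    new = copy.deepcopy(ds)
    by_color = {p["color"]: p for p in pools(new)}
    src, dst = by_color[src_color], by_color[dst_color]
    dst_keys = {(s["service-type"], s["id"]) for s in dst.setdefault("service", [])}
    moving = [s for s in src.get("service", [])
              if _kind(s["service-type"], "service-type") == kind
              and s["id"].startswith(id_prefix)]
    clash = [s["id"] for s in moving if (s["service-type"], s["id"]) in dst_keys]
    if clash:  # list keys must stay unique in the destination pool
        raise ValueError(f"already steered on pool {dst_color}: {clash}")
    src["service"] = [s for s in src["service"] if not any(s is m for m in moving)]
    dst["service"].extend(moving)  # entries unchanged: they reference no tunnels
    return len(moving), new
```

   The move changes nothing inside the service entries themselves,
   because a service references its pool by color only; this is the
   property Section 2 relies on when tunnels are replaced or re-homed
   without service re-configuration. The same property is why the
   impact check reports every service on the pool, not just those that
   happen to be forwarded over the lost tunnel at the moment.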