OPSAWG                                                         A. Aguado
Internet-Draft                                                     Nokia
Intended status: Standards Track                O. Gonzalez de Dios, Ed.
Expires: May 20, 2020                                           V. Lopez
                                                              Telefonica
                                                                D. Voyer
                                                             Bell Canada
                                                                L. Munoz
                                                                Vodafone
                                                       November 17, 2019

                   A Layer 3 VPN Network YANG Model
                    draft-ietf-opsawg-l3sm-l3nm-01
Abstract

RFC8299 defines a L3VPN Service YANG data Model (L3SM) that can be
used for communication between customers and VPN service providers.
That data model plays the role of a Customer Service Model, according
to the terminology defined in RFC8309, and is as such adequate for
service negotiation and order handling matters.

There is a need for a more network-centric YANG data model to be used
in the communication between the entity that interacts directly with
the customer, the service orchestrator (either fully automated or a
human operator), and the entity in charge of network orchestration and
control (a.k.a., network controller/orchestrator).

This document specifies a L3VPN Network YANG Model (L3NM) to
facilitate communication between a service orchestrator and a network
controller/orchestrator. This data model provides a network-centric
view of the L3VPN services. The YANG model proposed is limited to
BGP PE-based VPNs as described in RFCs 4026, 4110, and 4364.
Editorial Note (To be removed by RFC Editor)

Please update these statements within the document with the RFC
number to be assigned to this document:

o "This version of this YANG module is part of RFC XXXX;"

o "RFC XXXX: Layer 3 VPN Network Model";

o reference: RFC XXXX

Also, please update the "revision" date of the YANG module.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 20, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1. Introduction
   1.1. Terminology
   1.2. Requirements Language
2. Reference Architecture
3. Description of the L3NM YANG Module
   3.1. Structure of the Module
   3.2. Modeling a L3 VPN Service
      3.2.1. VPN node
         3.2.1.1. VPN Network Access
            3.2.1.1.1. Connection
            3.2.1.1.2. IP Connection
            3.2.1.1.3. Routing Protocols
      3.2.2. Concept of Import/Export Profiles
      3.2.3. Multicast
   3.3. VPN profiles
   3.4. Model tree
4. Use of the Data Model
   4.1. Multi-Domain Resource Management
5. Relation with other Yang Models
   5.1. Relation with L3SM
   5.2. Relation with Network Topology
   5.3. Relation with Device Models
6. L3VPN Examples
   6.1. 4G VPN Provisioning Example
7. Yang Module
8. IANA Considerations
9. Security Considerations
10. Implementation Status
   10.1. Nokia Implementation
   10.2. Huawei Implementation
   10.3. Infinera Implementation
11. Acknowledgements
12. Contributors
13. References
   13.1. Normative References
   13.2. Informative References
Authors' Addresses
1. Introduction

[RFC8299] defines an L3VPN Service YANG data Model (L3SM) that can be
used for communication between customers and network operators. Such
a model is focused on describing the customer view of the VPN services,
and provides an abstracted view of the customer's requested services.
That approach limits the usage of the L3SM module to the role of a
Customer Service Model, according to the terminology defined in
[RFC8309].

The YANG data model defined in this document is called L3VPN Network
Model (L3NM). The L3NM module is aimed at providing a network-centric
view of L3 VPN Services. The data model can be used to
facilitate communication between the service orchestrator (or a
network operator) and the network controller/orchestrator by allowing
for more network-centric information to be included. It enables
further capabilities, such as resource management, or serving as a
multi-domain orchestration interface, where logical resources (such
as route targets or route distinguishers) must be synchronized.

This document does not obsolete, but uses, the definitions in
[RFC8299]. These two modules are used for similar objectives but
with different scopes and views.

The L3NM YANG module is initially built with a prune and extend
approach, taking as a starting point the YANG module described in
[RFC8299]. Nevertheless, this module is not defined as an augment to
L3SM because a specific structure is required to meet network-oriented
L3 needs.

Some of the information captured in the L3SM can be passed by the
Orchestrator in the L3NM (e.g., customer) or be used to feed some of
the L3NM attributes (e.g., actual forwarding policies). Some of the
information captured in L3SM may be maintained locally within the
Orchestrator, which is supposed to maintain a "glue" between a
Customer view and its network instantiation.

The L3NM module does not attempt to address all deployment cases,
especially those where the L3VPN connectivity is supported through
the coordination of different VPNs in different underlying networks.
More complex deployment scenarios involving the coordination of
different VPN instances and different technologies to provide end-to-
end VPN connectivity are addressed by a complementary YANG model
defined in [I-D.evenwu-opsawg-yang-composed-vpn].
1.1. Terminology

This document assumes that the reader is familiar with the contents
of [RFC6241], [RFC7950], [RFC8299], [RFC8309], and [RFC8453] and uses
the terminology defined in those documents.

The meaning of the symbols in tree diagrams is defined in
[RFC8340].

The document is aimed at modeling BGP PE-based VPNs in a Service
Provider Network, so the terms defined in [RFC4026] and [RFC4076] are
used.

This document makes use of the following terms:

o L3 VPN Customer Service Model (L3SM): Describes the requirements
  of a L3 VPN that interconnects a set of sites from the point of
  view of the customer. The customer service model does not provide
  details on the Service Provider Network. The L3 VPN Customer
  Service model is defined in [RFC8299].

o L3 VPN Service Network Model (L3NM): A YANG module that describes
  a VPN Service in the Service Provider Network. It contains
  information on the Service Provider network and might include
  allocated resources. It can be used by network controllers to
  manage and control the VPN Service configuration in the Service
  Provider network. The YANG module can be consumed by a Service
  Orchestrator to request a VPN Service from a Network controller.

o Service Orchestrator: A functional entity that interacts with the
  customer of a L3 VPN. The Service Orchestrator interacts with the
  customer using L3SM. The Service Orchestrator is responsible for
  the CE-PE attachment circuits, the PE selection, and requesting
  the VPN service from the network controller.

o Network Controller: A functional entity responsible for the
  control and management of the service provider network.

o VPN node (vpn-node): An abstraction that represents a set of
  policies applied to a PE and that belong to a single VPN service
  (vpn-service). A vpn-service involves one or more vpn-nodes. As
  it is an abstraction, the network controller will decide how to
  implement a vpn-node. For example, typically, in a BGP-based VPN,
  a vpn-node could be mapped into a VRF.

o VPN network access (vpn-network-access): An abstraction that
  represents the network interfaces that are associated to a given
  vpn-node. Traffic coming from the vpn-network-access belongs to
  the VPN. The attachment circuits (bearers) between CEs and PEs
  are terminated in the vpn-network-access. A reference to the
  bearer is maintained to allow keeping the link between L3SM and
  L3NM.

o VPN Site (vpn-site): A VPN customer's location that is connected
  to the Service Provider network via a CE-PE link, which can access
  at least one VPN [RFC4176].

o VPN Service Provider (SP): A Service Provider that offers
  VPN-related services [RFC4176].

o Service Provider (SP) Network: A network able to provide
  VPN-related services.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Reference Architecture

Figure 1 depicts the reference architecture for L3NM. The figure is
an expansion of the architecture presented in Section 5 of [RFC8299]
and decomposes the box marked "orchestration" in that figure into
three separate functional components called "Service Orchestration",
"Network Orchestration", and "Domain Orchestration".

Although some deployments may choose to construct a monolithic
orchestration component (covering both service and network matters),
this document advocates for a clear separation between service and
network orchestration components for the sake of better flexibility.
Such a design adheres to the L3VPN reference architecture defined in
Section 1.3 of [RFC4176]. The above separation relies upon a
dedicated communication interface between these components and an
appropriate YANG module that reflects network-related information
(that is hidden from customers).

The intelligence for translating customer-facing information into
network-centric information is implementation-specific.

The terminology from [RFC8309] is introduced to show the distinction
between the "Customer Service Model", the "Service Delivery Model",
the "Network Configuration Model", and the "Device Configuration
Model". In that context, the "Domain Orchestration" and "Config
Manager" roles may be performed by "Controllers".
                    +---------------+
                    |   Customer    |
                    +---------------+
  Customer Service Model    |
       l3vpn-svc            |
                    +---------------+
                    |    Service    |
                    | Orchestration |
                    +---------------+
    L3NM Network Model      |
       l3vpn-ntw            |
                    +---------------+
                    |    Network    |
                    | Orchestration |
                    +---------------+
Network Configuration Model |
                   _________|____________
                  |                      |
          +---------------+      +---------------+
          |    Domain     |      |    Domain     |
          | Orchestration |      | Orchestration |
          +---------------+      +---------------+
   Device         |                 |          |
Configuration     |                 |          |
   Model          |                 |          |
             +---------+            |          |
             | Config  |            |          |
             | Manager |            |          |
             +---------+            |          |
                  |                 |          |
                  |      NETCONF/CLI....................
                  |                 |          |
        +------------------------------------------------+
                              Network

Figure 1: L3SM and L3NM
The L3SM and L3NM modules may also be set in the context of the ACTN
architecture [RFC8453]. Figure 2 shows the Customer Network
Controller (CNC), the Multi-Domain Service Coordinator (MDSC), and
the Provisioning Network Controller (PNC). It also shows the
interfaces between these functional blocks: the CNC-MDSC Interface
(CMI), the MDSC-PNC Interface (MPI), and the Southbound Interface
(SBI).
          +----------------------------------+
          |             Customer             |
          |  +-----------------------------+ |
          |  |             CNC             | |
          |  +-----------------------------+ |
          +----:-----------------------:-----+
               :                       :
               : L3SM                  : L3SM
               :                       :
     +---------:---------+   +---------:---------+
     | MDSC    :         |   |       MDSC        |
     | +---------------+ |   |     (parent)      |
     | |    Service    | |   +---------:---------+
     | | Orchestration | |             :
     | +---------------+ |             : L3NM
     |         :         |             :
     |         : L3NM    |   +---------:---------+
     |         :         |   |       MDSC        |
     | +---------------+ |   |      (child)      |
     | |    Network    | |   +---------:---------+
     | | Orchestration | |             :
     | +---------------+ |             :
     +---------:---------+             :
               :                       :
               : Network Configuration :
               :                       :
     +---------:----------+  +---------:------------+
     | Domain  :          |  |         : Domain     |
     | Controller         |  |         : Controller |
     |   +---------+      |  |   +---------+        |
     |   |   PNC   |      |  |   |   PNC   |        |
     |   +---------+      |  |   +---------+        |
     +---------:----------+  +---------:------------+
               :                       :
               : Device Configuration  :
               :                       :
          +---------+             +---------+
          | Device  |             | Device  |
          +---------+             +---------+

Figure 2: L3SM and L3NM in the Context of ACTN
3. Description of the L3NM YANG Module

The L3NM module ('ietf-l3vpn-ntw') is meant to manage L3 VPNs in a
service provider network. In particular, the 'ietf-l3vpn-ntw' module
can be used to create, modify, and retrieve the L3VPN Services of a
network.

3.1. Structure of the Module

The 'ietf-l3vpn-ntw' module uses two main containers: 'vpn-services'
and 'vpn-profiles' (see Figure 3). The 'vpn-services' container
maintains the set of VPN Services managed in the service provider
network. The module allows a new VPN service to be created by adding a
new instance of 'vpn-service'. The 'vpn-service' is the data
structure that abstracts the VPN Service.

The 'vpn-profiles' container allows the provider to maintain a set of
common VPN profiles that apply to several VPN Services.

module: ietf-l3vpn-ntw
  +--rw l3vpn-ntw
     +--rw vpn-profiles
     |  .......
     +--rw vpn-services
        +--rw vpn-service* [vpn-id]
           ........

Figure 3
3.2. Modeling a L3 VPN Service

The 'vpn-service' is the data structure that abstracts a VPN Service
in the Service Provider Network. Every 'vpn-service' has a unique
identifier: vpn-id. This vpn-id is only meaningful locally within
the Network controller. In order to facilitate the recognition of
the service, a 'customer-name' and a 'description' may be included.
The topology of the VPN service is expressed in the
'vpn-service-topology' leaf.

A VPN Service is built by adding instances of 'vpn-node' to the
'vpn-nodes' container. The 'vpn-node' is an abstraction that
represents a set of policies applied to a network node and that belong
to a single 'vpn-service'. A 'vpn-node' contains
'vpn-network-accesses', which are the interfaces involved in the
creation of the VPN. The customer sites are connected to the
'vpn-network-accesses'. Note that, as this is a network data model,
the information about customer sites is not needed; such information
is relevant in the L3SM model.

+--rw vpn-service* [vpn-id]
   +--rw vpn-id                  svc-id
   +--rw customer-name?          string
   +--rw vpn-service-topology?   identityref
   +--rw description?            string
   +--rw ie-profiles
   |  ...
   +--rw vpn-nodes
   |  ...
   +--rw multicast

Figure 4
3.2.1. VPN node

The 'vpn-node' is an abstraction that represents a set of common
policies applied in a given network node (typically a PE) and
belonging to one L3 VPN Service. In order to indicate the network node
where the 'vpn-node' applies, the ne-id MUST be provided. The
'vpn-node' includes a parameter to indicate in which network node it
is applied. In the case that the ne-id points to a specific PE, the
'vpn-node' will likely be mapped into a VRF in the node. However, the
model also allows pointing to an abstract node. In this case, the
network controller will decide how to split the 'vpn-node' into VRFs.
For the cases where the logical resources are managed outside the
network controller, the model allows the logical resources such as
Route Targets and Route Distinguishers (RT, RD) to be explicitly
indicated.

Under the VPN Node container, VPN Network Accesses can be created.
The VPN Network Access represents the point to which sites are
connected. Note that, unlike in L3SM, the L3NM does not need to
model the customer site, only the points where the traffic from the
site is received. Hence, the VPN Network Access contains the
connectivity information between the provider's Network and the
customer premises. The VPN profiles have a set of routing policies
that can be applied during the service creation.

+--rw vpn-node* [vpn-node-id ne-id]
   +--rw vpn-node-id        string
   +--rw description?       string
   +--rw ne-id              string
   +--rw router-id?         inet:ip-address
   +--rw address-family?    address-family
   +--rw node-role?         identityref
   +--rw rd?                rt-types:route-distinguisher
   +--rw vpn-targets
   |  ....
   +--rw vpn-network-accesses
      ....

Figure 5
3.2.1.1. VPN Network Access

A 'vpn-network-access' represents an entry point to a VPN service.
In other words, this container encloses the parameters that describe
the access information for the traffic that belongs to a particular
L3 VPN. As such, every vpn-network-access belongs to one and only
one vpn-node. As an example, a vpn-network-access includes
information such as the connection on which the access is defined
(see the section below), the encapsulation of the traffic, policies
that are applied on the access, etc.

A provisioning network controller (PNC) [RFC8453] will accept VPN
requests containing this construct, using the enclosed data to
configure the router's interface to include the parameters described
at the vpn-network-access, include the given interface into a VRF,
configure policies or schedulers for the incoming traffic, etc.

3.2.1.1.1. Connection

The definition of a L3VPN is commonly specified not only at the IP
layer, but also requires identifying parameters at the Ethernet
layer, such as the encapsulation type (e.g., VLAN, QinQ, QinAny,
VxLAN, etc.). The 'connection' container represents and groups the
set of L2 connectivity from where the traffic of the L3VPN in a
particular VPN Network Access is coming.

Additionally, the bearer-reference (Section 3.2.1.1.1.3) and the
pseudowire termination (Section 3.2.1.1.1.2) are supported.

3.2.1.1.1.1. Encapsulation options

Ethernet encapsulation description is not supported in [RFC8299].
However, these parameters are mandatory to configure the PE
interfaces. Thus, in the L3NM, these parameters use the connection
container inside the vpn-network-access. This container defines
protocols and parameters to enable connectivity at Layer 2.
+--rw connection
   +--rw encapsulation-type?   identityref
   +--rw tagged-interface
      +--rw type?                 identityref
      +--rw dot1q-vlan-tagged {dot1q}?
      |  +--rw tag-type?   identityref
      |  +--rw cvlan-id?   uint16
      +--rw priority-tagged
      |  +--rw tag-type?   identityref
      +--rw qinq {qinq}?
      |  +--rw tag-type?   identityref
      |  +--rw svlan-id    uint16
      |  +--rw cvlan-id    uint16
      +--rw qinany {qinany}?
      |  +--rw tag-type?   identityref
      |  +--rw svlan-id    uint16
      +--rw vxlan {vxlan}?
         +--rw vni-id       uint32
         +--rw peer-mode?   identityref
         +--rw peer-list* [peer-ip]
            +--rw peer-ip    inet:ip-address

Figure 6
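The figures in this document use the tree notation of [RFC8340]: a leaf shown without '?' is mandatory once its parent exists, '*' marks a list with its keys in brackets, and '{feature}?' marks a feature-conditional node. The Python below is an added example, not code from the draft or its module: it parses the 'connection' tree of Figure 6 into that structure and then checks constructed instance data against it, which is a simplified reading of the diagram rather than full YANG validation; the identity values and the uint16/uint32 range check are assumptions of the example.

```python
import re

# Figure 6 of the draft (the 'connection' container) in RFC 8340 notation.
CONNECTION_TREE = """\
+--rw connection
   +--rw encapsulation-type?   identityref
   +--rw tagged-interface
      +--rw type?                 identityref
      +--rw dot1q-vlan-tagged {dot1q}?
      |  +--rw tag-type?   identityref
      |  +--rw cvlan-id?   uint16
      +--rw priority-tagged
      |  +--rw tag-type?   identityref
      +--rw qinq {qinq}?
      |  +--rw tag-type?   identityref
      |  +--rw svlan-id    uint16
      |  +--rw cvlan-id    uint16
      +--rw qinany {qinany}?
      |  +--rw tag-type?   identityref
      |  +--rw svlan-id    uint16
      +--rw vxlan {vxlan}?
         +--rw vni-id       uint32
         +--rw peer-mode?   identityref
         +--rw peer-list* [peer-ip]
            +--rw peer-ip    inet:ip-address
"""

# One diagram line: indent (spaces and '|' guides), rw/ro, node name, then
# '?' (optional) or '*' (list), [list keys], {feature}? and a leaf type.
NODE_RE = re.compile(
    r"^(?P<indent>[ |]*)\+--r[wo]\s+(?P<name>[\w.:-]+)(?P<mark>[?*]?)"
    r"(?:\s+\[(?P<keys>[^\]]*)\])?(?:\s+\{(?P<feature>[^}]*)\}\??)?"
    r"(?:\s+(?P<type>\S+))?\s*$")
INT_RANGES = {"uint16": (0, 0xFFFF), "uint32": (0, 0xFFFFFFFF)}

def parse_tree(text):
    """Parse a tree diagram into nested dicts; children are keyed by name."""
    root = {"name": "<root>", "optional": True, "is_list": False, "keys": [],
            "type": None, "children": {}}
    stack = [(-1, root)]  # (indent column, node) of the open ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # blank line or a wrapped type continuation line
        node = {"name": m["name"], "is_list": m["mark"] == "*",
                # A '?' mark or a feature condition both mean "may be absent".
                "optional": m["mark"] == "?" or m["feature"] is not None,
                "keys": m["keys"].split() if m["keys"] else [],
                "type": m["type"], "children": {}}
        indent = len(m["indent"])
        while stack[-1][0] >= indent:  # climb back up to this node's parent
            stack.pop()
        stack[-1][1]["children"][node["name"]] = node
        stack.append((indent, node))
    return root

def check(node, data, path=""):
    """Return the problems found in instance 'data' read against 'node'."""
    if node["is_list"]:
        if not isinstance(data, list):
            return [f"{path}: expected a list of entries"]
        return [p for i, entry in enumerate(data)
                for p in check_children(node, entry, f"{path}[{i}]")]
    if node["children"]:
        if not isinstance(data, dict):
            return [f"{path}: expected a container"]
        return check_children(node, data, path)
    rng = INT_RANGES.get(node["type"])  # leaf: only integer ranges checked
    if rng and not (isinstance(data, int) and rng[0] <= data <= rng[1]):
        return [f"{path}: value {data!r} is not a valid {node['type']}"]
    return []

def check_children(node, data, path):
    """A leaf shown without '?' must be present once its parent is present,
    a list entry must carry the list keys, and unknown names are reported."""
    problems = []
    for name, child in node["children"].items():
        if name in data:
            problems += check(child, data[name], f"{path}/{name}")
        elif name in node["keys"]:
            problems.append(f"{path}: missing list key '{name}'")
        elif not child["optional"] and not child["children"]:
            problems.append(f"{path}: missing mandatory leaf '{name}'")
    problems += [f"{path}: unknown node '{n}'" for n in data
                 if n not in node["children"]]
    return problems

def validate_connection(instance):
    return check(parse_tree(CONNECTION_TREE), instance)

# Constructed instances; identity values are placeholders, not draft identities.
GOOD_QINQ = {"connection": {"encapsulation-type": "example-vlan",
    "tagged-interface": {"type": "example-qinq",
                         "qinq": {"svlan-id": 100, "cvlan-id": 200}}}}
BAD_ACCESS = {"connection": {"tagged-interface": {
    "dot1q-vlan-tagged": {"cvlan-id": 70000},  # exceeds uint16
    "qinany": {"tag-type": "example-svlan"},  # mandatory svlan-id missing
    "vxlan": {"vni-id": 5000, "peer-list": [{"peer-ip": "192.0.2.1"},
                                            {"peer-mode": "x"}]},  # no key
    "vlan-id": 7}}}  # not a node of the tree
```

Running validate_connection(BAD_ACCESS) reports five problems (the out-of-range cvlan-id, the missing svlan-id, the peer-list entry without its key plus its unknown leaf, and the unknown vlan-id), while GOOD_QINQ passes.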
3.2.1.1.1.2. Remote Far End Configuration

Depending on the control plane implementation, different network
scenarios might require additional information for the L3VPN service
to be configured and active. For example, an L3VPN Option C service,
if no reflection of IPv4 VPN routes is configured via ASBR or route
reflector, may require additional configuration (e.g., a new BGP
neighbor) to be coordinated between both management systems. This
definition requires every management system participating in the
VPN to receive not just its own sites and site-network-accesses,
but also information about external ones, identified as an
external site-network-access-type. In addition, this particular
site-network-access is augmented to include the loopback address of
the far-end (remote/external) PE router.

+--rw bearer
   +--rw connection
   |  ...
   +--rw pseudowire
      +--rw vcid?   uint32

Figure 7
3.2.1.1.1.3. Bearers

A site, as per [RFC4176], represents a VPN customer's location that is
connected to the Service Provider network via a CE-PE link, which can
access at least one VPN. The connection from the site to the Service
Provider network is the bearer. Every site is associated with a list
of bearers. A bearer is the layer two connection with the site. In
the module it is assumed that the bearer has been allocated by the
Service Provider at the service orchestration step. The bearer is
associated to a network element and a port. Hence, a bearer is just
a bearer-reference to allow the translation between L3SM and L3NM.

3.2.1.1.2. IP Connection

The IP Connection container holds the addressing parameters of the
vpn-network-access. The address allocated in this container
represents the PE interface address configuration. The IP
Connection container is designed to support dual stack (IPv4/IPv6)
and three options to set the IP address: Provider DHCP, DHCP relay or
static addressing.

In the case of static addressing, the model supports the
assignment of several IP addresses to the same vpn-network-access.
To identify which of the addresses is the primary address of the
connection, the "primary-address" reference must be set to the
corresponding address-id.

+--rw ip-connection
   +--rw ipv4 {ipv4}?
   |  +--rw address-allocation-type?   identityref
   |  +--rw provider-dhcp
   |  |  ...
   |  +--rw dhcp-relay
   |  |  ...
   |  +--rw static-addresses
   |     +--rw primary-address?   leafref
   |     +--rw address* [address-id]
   |        ...
   +--rw ipv6 {ipv6}?
      +--rw address-allocation-type?   identityref
      +--rw provider-dhcp
      |  ...
      +--rw dhcp-relay
      |  ...
      +--rw static-addresses
         +--rw primary-address?   leafref
         +--rw address* [address-id]
            ...

Figure 8
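As an added example (not code from the draft), the following Python checks a constructed JSON-encoded instance of the structures in Figures 4, 5 and 8 for the referential rules stated in Sections 3.2 to 3.2.1.1.2: a unique vpn-id per vpn-service, a unique [vpn-node-id ne-id] key within a service, each vpn-network-access belonging to one and only one vpn-node (read here as: its identifier may not be reused within the service), and the primary-address leafref resolving to an existing address-id. All values are placeholders, and the 'address' entries carry only address-id because the draft elides their other leaves.

```python
# Constructed JSON-encoded (RFC 7951 style) instance fragment; the node names
# come from Figures 4, 5 and 8 of the draft, the values are placeholders.
INSTANCE = {"ietf-l3vpn-ntw:l3vpn-ntw": {"vpn-services": {"vpn-service": [
    {"vpn-id": "vpn-a", "customer-name": "example customer",
     "vpn-nodes": {"vpn-node": [
         {"vpn-node-id": "node-1", "ne-id": "pe1", "rd": "0:65000:1",
          "vpn-network-accesses": {"vpn-network-access": [
              {"vpn-network-access-id": "acc-1",
               "ip-connection": {"ipv4": {"static-addresses": {
                   "primary-address": "a1",
                   "address": [{"address-id": "a1"}, {"address-id": "a2"}]}}}},
              {"vpn-network-access-id": "acc-2",
               "ip-connection": {"ipv6": {"static-addresses": {
                   "primary-address": "a9",  # no such address-id: dangling
                   "address": [{"address-id": "a1"}]}}}}]}},
         {"vpn-node-id": "node-1", "ne-id": "pe1",  # duplicate composite key
          "vpn-network-accesses": {"vpn-network-access": [
              {"vpn-network-access-id": "acc-1"}]}}]}}]}}}


def vpn_services(instance):
    """Return the vpn-service list of a JSON-encoded l3vpn-ntw instance."""
    top = instance.get("ietf-l3vpn-ntw:l3vpn-ntw", {})
    return top.get("vpn-services", {}).get("vpn-service", [])


def check_static_addresses(family, path):
    """'primary-address' is a leafref: it must name an 'address-id' in the
    'address' list of the same 'static-addresses' container (Figure 8)."""
    static = family.get("static-addresses", {})
    primary = static.get("primary-address")
    known = {a.get("address-id") for a in static.get("address", [])}
    if primary is not None and primary not in known:
        return [f"{path}: primary-address '{primary}' matches no address-id"]
    return []


def check_instance(instance):
    """Referential checks a controller could run before provisioning."""
    problems, seen_vpn = [], set()
    for svc in vpn_services(instance):
        vpn_id = svc.get("vpn-id")
        if vpn_id in seen_vpn:
            problems.append(f"vpn-service '{vpn_id}': duplicate vpn-id")
        seen_vpn.add(vpn_id)
        seen_nodes, seen_accesses = set(), set()
        for node in svc.get("vpn-nodes", {}).get("vpn-node", []):
            key = (node.get("vpn-node-id"), node.get("ne-id"))
            npath = f"vpn-service '{vpn_id}'/vpn-node {key}"
            if key in seen_nodes:
                problems.append(f"{npath}: duplicate [vpn-node-id ne-id] key")
            seen_nodes.add(key)
            accesses = node.get("vpn-network-accesses", {})
            for acc in accesses.get("vpn-network-access", []):
                acc_id = acc.get("vpn-network-access-id")
                apath = f"{npath}/vpn-network-access '{acc_id}'"
                # An access belongs to one and only one vpn-node, so its id
                # may not reappear anywhere else in the same vpn-service.
                if acc_id in seen_accesses:
                    problems.append(f"{apath}: access id already in use")
                seen_accesses.add(acc_id)
                for fam in ("ipv4", "ipv6"):
                    data = acc.get("ip-connection", {}).get(fam)
                    if data:
                        problems += check_static_addresses(data, f"{apath}/{fam}")
    return problems
```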
3.2.1.1.3. Routing Protocols

The model allows the Network Operator to configure one or more
routing protocols associated with a particular vpn-network-access.
These protocols will run between the PE and the CE. A routing protocol
instance MUST have a type (e.g., bgp, ospf, etc.) and an identifier.
The identifier is necessary when multiple instances of the same
protocol need to be configured.

The model uses an abstracted view of routing protocols. When
configuring multiple instances of the same protocol, this does not
automatically imply that, from a device configuration perspective,
there will be parallel instances (multiple processes) running. It
will be up to the implementation to use the most appropriate
deployment model. As an example, when multiple BGP peers need to be
implemented, multiple instances of BGP must be configured as part of
this model. However, from a device configuration point of view, this
could be implemented as:

o Multiple BGP processes with a single neighbor running in each
  process.

o A single BGP process with multiple neighbors running.

o A combination of both.

To be aligned with [RFC8299], this model supports the following
protocols:

o vrrp: takes only a list of address-family as parameter. The VRRP
  instance is expected to run on the vpn-network-access interface.

o rip: takes only a list of address-family as parameter. The RIP
  instance is expected to run on the vpn-network-access interface.

o static: allows the user to configure one or more IPv4 and IPv6
  static routes.

o bgp: allows the user to configure a BGP neighbor including
  parameters like authentication using a key. The authentication
  type will be driven by the implementation, but the model supports
  any authentication that uses a key as a parameter. A BGP neighbor
  can support ipv4, ipv6, or both address-families. Again, it is up
  to the implementation to drive the device configuration (e.g.,
  separate BGP sessions for Dual Stack, a single session for Dual
  Stack, etc.).

o ospf: allows the user to configure OSPF to run on the
  vpn-network-access interface. An OSPF instance can run ipv4, ipv6
  or both. When only the ipv4 address-family is requested, it will
  be up to the implementation to decide whether OSPFv2 or v3 is used.

Routing protocol configuration does not include any routing policy
configuration. Routing policies are low level device configurations
that must not be part of an abstracted model. Service Provider
internal policies (such as security filters) will be implemented as
part of the device configuration but do not require any input from
this model. Some policies like primary/backup and load-balancing can
be inferred from access-priority.
3.2.2. Concept of Import/Export Profiles

The import and export profiles construct contains a list with
information related to route targets and route distinguishers (RTs
and RDs), grouped and identified by ie-profile-id. The identifier is
then referenced in one or multiple vpn-nodes, so the PNC can identify
the RTs and RDs to be configured in the VRF.

3.2.3. Multicast

Multicast can be optionally enabled for a particular
vpn-network-access.

The model supports a single type of tree (ASM, SSM or bidirectional).

When ASM is used, the model supports configuration of rendezvous
points (RPs). RP discovery could be static, bsr-rp or auto-rp. When
static is used, the RP-to-multicast-group mapping must be configured
as part of the rp-group-mappings container. The RP may be a provider
node or a customer node. When the RP is a customer node, the RP
address must be configured using the rp-address leaf; otherwise no RP
address is needed. The model supports RP redundancy through the
rp-redundancy leaf. How the redundancy is achieved is out of scope
and is up to the implementation. When a particular VPN using ASM
requires a more optimal traffic delivery, the leaf
optimal-traffic-delivery can be used. When set to true, the
implementation must use any mechanism to provide a more optimal
traffic delivery for the customer. As an example, the implementation
can use RP tree to Shortest Path tree switchover or simply deploy
additional RPs working in anycast mode.

3.3. VPN profiles

The vpn-profiles container allows the network operator to maintain a
set of common VPN Profiles that apply to several VPN Services.
Through this container these common profiles can be created, modified
and deleted.
+--rw vpn-profiles
|  +--rw valid-provider-identifiers
|     +--rw cloud-identifier* [id] {cloud-access}?
|     |  +--rw id    string
|     +--rw encryption-profile-identifier* [id]
|     |  +--rw id    string
|     +--rw qos-profile-identifier* [id]
|     |  +--rw id    string
|     +--rw bfd-profile-identifier* [id]
|     |  +--rw id    string
|     +--rw routing-profile-identifier* [id]
|        +--rw id    string

Figure 9

3.4. Model tree

The high-level model structure defined by this document is as shown
below:
module: ietf-l3vpn-ntw
  +--rw l3vpn-ntw
     +--rw vpn-profiles
     |  +--rw valid-provider-identifiers
     |     +--rw cloud-identifier* [id] {cloud-access}?
     |     |  +--rw id    string
     |     +--rw encryption-profile-identifier* [id]
     |     |  +--rw id    string
     |     +--rw qos-profile-identifier* [id]
     |     |  +--rw id    string
     |     +--rw bfd-profile-identifier* [id]
     |     |  +--rw id    string
     |     +--rw routing-profile-identifier* [id]
     |        +--rw id    string
     +--rw vpn-services
        +--rw vpn-service* [vpn-id]
           +--rw vpn-id                  svc-id
           +--rw customer-name?          string
           +--rw vpn-service-topology?   identityref
           +--rw description?            string
           +--rw ie-profiles
           |  +--rw ie-profile* [ie-profile-id]
           |     +--rw ie-profile-id    string
           |     +--rw rd?
           |     |       rt-types:route-distinguisher
           |     +--rw vpn-targets
           |        +--rw vpn-target* [route-target]
           |           +--rw route-target
           |           |       rt-types:route-target
           |           +--rw route-target-type
           |                   rt-types:route-target-type
           +--rw vpn-nodes
           |  +--rw vpn-node* [vpn-node-id ne-id]
           |     +--rw vpn-node-id             string
           |     +--rw autonomous-system?      uint32
           |     +--rw description?            string
           |     +--rw ne-id                   string
           |     +--rw router-id?              inet:ip-address
           |     +--rw address-family?         address-family
           |     +--rw node-role?              identityref
           |     +--rw rd?
           |     |       rt-types:route-distinguisher
           |     +--rw vpn-targets
           |     |  +--rw vpn-target* [route-target]
           |     |     +--rw route-target
           |     |     |       rt-types:route-target
           |     |     +--rw route-target-type
           |     |             rt-types:route-target-type
           |     +--rw status
           |     |  +--rw admin-enabled?   boolean
           |     |  +--ro oper-status?     operational-type
           |     +--rw vpn-network-accesses
           |     |  +--rw vpn-network-access*
           |     |          [vpn-network-access-id]
           |     |     +--rw vpn-network-access-id      svc-id
           |     |     +--rw description?               string
           |     |     +--rw status
           |     |     |  +--rw admin-enabled?   boolean
           |     |     |  +--ro oper-status?     operational-type
           |     |     +--rw vpn-network-access-type?
           |     |     |       identityref
           |     |     +--rw connection
           |     |     |  +--rw encapsulation-type?   identityref
           |     |     |  +--rw tagged-interface
           |     |     |  |  +--rw type?
           |     |     |  |  |       identityref
           |     |     |  |  +--rw dot1q-vlan-tagged {dot1q}?
           |     |     |  |  |  +--rw tag-type?   identityref
           |     |     |  |  |  +--rw cvlan-id?   uint16
           |     |     |  |  +--rw priority-tagged
           |     |     |  |  |  +--rw tag-type?   identityref
           |     |     |  |  +--rw qinq {qinq}?
           |     |     |  |  |  +--rw tag-type?   identityref
           |     |     |  |  |  +--rw svlan-id    uint16
           |     |     |  |  |  +--rw cvlan-id    uint16
           |     |     |  |  +--rw qinany {qinany}?
           |     |     |  |  |  +--rw tag-type?   identityref
782 | | | | | +--rw svlan-id uint16
783 | | | | +--rw vxlan {vxlan}?
784 | | | | +--rw vni-id uint32
785 | | | | +--rw peer-mode? identityref
786 | | | | +--rw peer-list* [peer-ip]
787 | | | | +--rw peer-ip
788 | | | | inet:ip-address
789 | | | +--rw bearer
790 | | | +--rw bearer-reference? string
791 | | | | {bearer-reference}?
792 | | | +--rw pseudowire
793 | | | +--rw vcid? uint32
794 | | +--rw ip-connection
795 | | | +--rw ipv4 {ipv4}?
796 | | | | +--rw address-allocation-type?
797 | | | | | identityref
798 | | | | +--rw provider-dhcp
799 | | | | | +--rw provider-address?
800 | | | | | | inet:ipv4-address
801 | | | | | +--rw prefix-length?
802 | | | | | | uint8
803 | | | | | +--rw (address-assign)?
804 | | | | | +--:(number)
805 | | | | | | +--rw number-of-dynamic-address?
806 | | | | | | uint16
807 | | | | | +--:(explicit)
808 | | | | | +--rw customer-addresses
809 | | | | | +--rw address-group*
810 | | | | | [group-id]
811 | | | | | +--rw group-id
812 | | | | | | string
813 | | | | | +--rw start-address?
814 | | | | | | inet:ipv4-address
815 | | | | | +--rw end-address?
816 | | | | | inet:ipv4-address
817 | | | | +--rw dhcp-relay
818 | | | | | +--rw provider-address?
819 | | | | | | inet:ipv4-address
820 | | | | | +--rw prefix-length?
821 | | | | | | uint8
822 | | | | | +--rw customer-dhcp-servers
823 | | | | | +--rw server-ip-address*
824 | | | | | inet:ipv4-address
825 | | | | +--rw static-addresses
826 | | | | +--rw primary-address? leafref
827 | | | | +--rw address* [address-id]
828 | | | | +--rw address-id
829 | | | | | string
830 | | | | +--rw provider-address?
831 | | | | | inet:ipv4-address
832 | | | | +--rw customer-address?
833 | | | | | inet:ipv4-address
834 | | | | +--rw prefix-length?
835 | | | | uint8
836 | | | +--rw ipv6 {ipv6}?
837 | | | | +--rw address-allocation-type?
838 | | | | | identityref
839 | | | | +--rw provider-dhcp
840 | | | | | +--rw provider-address?
841 | | | | | | inet:ipv6-address
842 | | | | | +--rw prefix-length?
843 | | | | | | uint8
844 | | | | | +--rw (address-assign)?
845 | | | | | +--:(number)
846 | | | | | | +--rw number-of-dynamic-address?
847 | | | | | | uint16
848 | | | | | +--:(explicit)
849 | | | | | +--rw customer-addresses
850 | | | | | +--rw address-group*
851 | | | | | [group-id]
852 | | | | | +--rw group-id
853 | | | | | | string
854 | | | | | +--rw start-address?
855 | | | | | | inet:ipv6-address
856 | | | | | +--rw end-address?
857 | | | | | inet:ipv6-address
858 | | | | +--rw dhcp-relay
859 | | | | | +--rw provider-address?
860 | | | | | | inet:ipv6-address
861 | | | | | +--rw prefix-length?
862 | | | | | | uint8
863 | | | | | +--rw customer-dhcp-servers
864 | | | | | +--rw server-ip-address*
865 | | | | | inet:ipv6-address
866 | | | | +--rw static-addresses
867 | | | | +--rw primary-address? leafref
868 | | | | +--rw address* [address-id]
869 | | | | +--rw address-id
870 | | | | | string
871 | | | | +--rw provider-address?
872 | | | | | inet:ipv6-address
873 | | | | +--rw customer-address?
874 | | | | | inet:ipv6-address
875 | | | | +--rw prefix-length?
876 | | | | uint8
877 | | | +--rw oam
878 | | | +--rw bfd {bfd}?
879 | | | +--rw enabled?
880 | | | | boolean
881 | | | +--rw (holdtime)?
882 | | | +--:(fixed)
883 | | | | +--rw fixed-value?
884 | | | | uint32
885 | | | +--:(profile)
886 | | | +--rw profile-name? leafref
887 | | +--rw security
888 | | | +--rw authentication
889 | | | +--rw encryption {encryption}?
890 | | | | +--rw enabled? boolean
891 | | | | +--rw layer? enumeration
892 | | | +--rw encryption-profile
893 | | | +--rw (profile)?
894 | | | | +--:(provider-profile)
895 | | | | | +--rw profile-name? leafref
896 | | | | +--:(customer-profile)
897 | | | | +--rw algorithm? string
898 | | | +--rw (key-type)?
899 | | | +--:(psk)
900 | | | +--rw preshared-key? string
901 | | +--rw routing-protocols
902 | | +--rw routing-protocol* [id]
903 | | +--rw id string
904 | | +--rw type?
905 | | | identityref
906 | | +--rw routing-profiles* [id]
907 | | | +--rw id leafref
908 | | | +--rw type? ie-type
909 | | +--rw ospf {rtg-ospf}?
910 | | | +--rw address-family*
911 | | | | address-family
912 | | | +--rw area-address
913 | | | | yang:dotted-quad
914 | | | +--rw metric? uint16
915 | | | +--rw mtu? uint16
916 | | | +--rw process-id? uint16
917 | | | +--rw security
918 | | | | +--rw auth-key? string
919 | | | +--rw sham-links
920 | | | {rtg-ospf-sham-link}?
921 | | | +--rw sham-link* [target-site]
922 | | | +--rw target-site svc-id
923 | | | +--rw metric? uint16
924 | | +--rw bgp {rtg-bgp}?
925 | | | +--rw autonomous-system uint32
926 | | | +--rw address-family*
927 | | | | address-family
928 | | | +--rw neighbor?
929 | | | | inet:ip-address
930 | | | +--rw multihop? uint8
931 | | | +--rw security
932 | | | +--rw auth-key? string
933 | | +--rw static
934 | | | +--rw cascaded-lan-prefixes
935 | | | +--rw ipv4-lan-prefixes*
936 | | | | [lan next-hop] {ipv4}?
937 | | | | +--rw lan
938 | | | | | inet:ipv4-prefix
939 | | | | +--rw lan-tag? string
940 | | | | +--rw next-hop
941 | | | | inet:ipv4-address
942 | | | +--rw ipv6-lan-prefixes*
943 | | | [lan next-hop] {ipv6}?
944 | | | +--rw lan
945 | | | | inet:ipv6-prefix
946 | | | +--rw lan-tag? string
947 | | | +--rw next-hop
948 | | | inet:ipv6-address
949 | | +--rw rip {rtg-rip}?
950 | | | +--rw address-family*
951 | | | address-family
952 | | +--rw vrrp {rtg-vrrp}?
953 | | +--rw address-family*
954 | | address-family
955 | +--rw maximum-routes
956 | | +--rw address-family* [af]
957 | | +--rw af address-family
958 | | +--rw maximum-routes? uint32
959 | +--rw node-ie-profile? leafref
960 +--rw multicast {multicast}?
961 +--rw enabled? boolean
962 +--rw customer-tree-flavors
963 | +--rw tree-flavor* identityref
964 +--rw rp
965 +--rw rp-group-mappings
966 | +--rw rp-group-mapping* [id]
967 | +--rw id uint16
968 | +--rw provider-managed
969 | | +--rw enabled?
970 | | | boolean
971 | | +--rw rp-redundancy?
972 | | | boolean
973 | | +--rw optimal-traffic-delivery?
974 | | boolean
975 | +--rw rp-address inet:ip-address
976 | +--rw groups
977 | +--rw group* [id]
978 | +--rw id uint16
979 | +--rw (group-format)
980 | +--:(singleaddress)
981 | | +--rw group-address?
982 | | inet:ip-address
983 | +--:(startend)
984 | +--rw group-start?
985 | | inet:ip-address
986 | +--rw group-end?
987 | inet:ip-address
988 +--rw rp-discovery
989 +--rw rp-discovery-type? identityref
990 +--rw bsr-candidates
991 +--rw bsr-candidate-address*
992 inet:ip-address
994 Figure 10
996 4. Use of the Data Model
998 4.1. Multi-Domain Resource Management
1000 The implementation of L3VPN services which span across
1001 administratively separated domains (i.e., domains that are under the
1002 administration of different management systems or controllers)
1003 requires some network resources to be synchronized between systems.
1004 In particular, there are two resources that must be orchestrated and
1005 managed to avoid asymmetric (non-functional) configuration, or the
1006 usage of unavailable resources. First, RTs shall be synchronized
1007 between PEs. When every PE is controlled by the same management
1008 system, RT allocation can be performed by that system. In cases
1009 where the service spans across multiple management systems, the
1010 task of allocating RTs has to be aligned across the domains;
1011 therefore, the service model must provide a way to specify RTs.
1012 Second, RDs must also be synchronized to avoid collisions in RD
1013 allocation between separate systems. An incorrect allocation might
1014 lead to different PE routers exporting the same RD with the same IP
1015 prefixes, so that routes of different VPNs can no longer be told apart.
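As an added example (not part of the draft), the following Python checks the two resources named above across the inventories of two controllers: it parses RD and RT strings in the RFC 8294 rt-types textual formats ("0:ASN:NN", "1:A.B.C.D:NN", "2:ASN4:NN"), reports any RD handed to more than one VPN, and reports export RTs of one controller that no other controller hosting the same VPN imports. The controller inventory is constructed sample data and the record shape mirrors the vpn-node node of the tree in Section 3.4; the hex-encoded RD forms of RFC 8294 are not handled. Note that the rt-types patterns carry a leading type field, so a two-field value such as the "1:1" shown in Figure 13 is rejected by this parser, as it would be by a YANG validator.

```python
"""Cross-domain RD/RT consistency checks for an L3VPN that spans two
controllers (added example, not part of the draft).  RD/RT strings are
parsed in the RFC 8294 rt-types textual forms "0:ASN:NN",
"1:A.B.C.D:NN" and "2:ASN4:NN"; the hex-encoded RD forms are not
handled.  CONTROLLERS at the bottom is constructed sample data."""
import ipaddress
from collections import defaultdict

U16, U32 = 0xFFFF, 0xFFFFFFFF


def parse_rd(text: str) -> tuple:
    """Return (type, administrator, assigned-number) for a textual RD or
    RT; raise ValueError if it is not one of the three typed formats."""
    parts = text.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[2].isdigit():
        raise ValueError(f"{text!r}: expected TYPE:ADMINISTRATOR:NUMBER")
    kind, admin, number = int(parts[0]), parts[1], int(parts[2])
    if kind == 0 and admin.isdigit() and int(admin) <= U16 and number <= U32:
        return 0, int(admin), number          # 2-byte ASN : 4-byte number
    if kind == 1 and number <= U16:
        try:
            ipaddress.IPv4Address(admin)      # IPv4 address : 2-byte number
        except ValueError:
            pass
        else:
            return 1, admin, number
    if kind == 2 and admin.isdigit() and int(admin) <= U32 and number <= U16:
        return 2, int(admin), number          # 4-byte ASN : 2-byte number
    raise ValueError(f"{text!r}: not a valid type-{kind} RD/RT")


parse_rt = parse_rd   # route-target strings use the same three formats


def is_valid_rd(text: str) -> bool:
    try:
        parse_rd(text)
    except ValueError:
        return False
    return True


def canonical(text: str) -> str:
    """Normalise (e.g. drop leading zeros) so equal values compare equal."""
    return ":".join(str(part) for part in parse_rd(text))


def rd_collisions(controllers: dict) -> list:
    """Return [(rd, (vpn-id, ...))] for every RD handed to more than one
    VPN.  `controllers` maps a controller name to vpn-node records with
    vpn-id, ne-id, rd and vpn-targets[{route-target, route-target-type}]."""
    owners = defaultdict(set)
    for nodes in controllers.values():
        for node in nodes:
            owners[canonical(node["rd"])].add(node["vpn-id"])
    return sorted((rd, tuple(sorted(v))) for rd, v in owners.items()
                  if len(v) > 1)


def rt_alignment(controllers: dict, vpn_id: str) -> dict:
    """For one VPN, each RT exported from a controller must be imported
    by the same VPN in every other controller hosting it, or the routes
    are silently dropped.  Returns {controller: {unmatched export RTs}}."""
    exports, imports, hosting = defaultdict(set), defaultdict(set), set()
    for ctrl, nodes in controllers.items():
        for node in nodes:
            if node["vpn-id"] != vpn_id:
                continue
            hosting.add(ctrl)
            for target in node["vpn-targets"]:
                rt = canonical(target["route-target"])
                if target["route-target-type"] in ("export", "both"):
                    exports[ctrl].add(rt)
                if target["route-target-type"] in ("import", "both"):
                    imports[ctrl].add(rt)
    unmatched = {}
    for ctrl, exported in exports.items():
        others = [imports[o] for o in hosting if o != ctrl]
        missing = {rt for rt in exported if any(rt not in i for i in others)}
        if missing:
            unmatched[ctrl] = missing
    return unmatched


# Constructed inventory: two controllers, each managing its own PEs.
CONTROLLERS = {
    "ctrl-east": [
        {"vpn-id": "4G", "ne-id": "10.0.0.1", "rd": "0:65000:1",
         "vpn-targets": [{"route-target": "0:65000:100",
                          "route-target-type": "both"}]},
    ],
    "ctrl-west": [
        {"vpn-id": "4G", "ne-id": "10.0.0.9", "rd": "0:65000:2",
         "vpn-targets": [{"route-target": "0:65000:100",
                          "route-target-type": "import"},
                         {"route-target": "0:65000:101",
                          "route-target-type": "export"}]},
        # Unrelated VPN given an RD that ctrl-east already uses for 4G.
        {"vpn-id": "enterprise-7", "ne-id": "10.0.0.9", "rd": "0:65000:1",
         "vpn-targets": [{"route-target": "0:65000:700",
                          "route-target-type": "both"}]},
    ],
}

if __name__ == "__main__":
    print("RD collisions:", rd_collisions(CONTROLLERS))
    print("4G exports nobody imports:", rt_alignment(CONTROLLERS, "4G"))
```

Run against the sample inventory, the script reports RD 0:65000:1 as shared by the 4G and enterprise-7 VPNs, and RT 0:65000:101 as exported by ctrl-west for 4G without being imported anywhere in ctrl-east; both are exactly the asymmetric configurations the section warns about.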
1017 5. Relation with other Yang Models
1019 The L3NM model, aimed at managing L3VPN services in a Service
1020 Provider network controller/orchestrator, is related to other YANG
1021 modules.
1023 5.1. Relation with L3SM
1025 [RFC8299] defines a L3VPN Service YANG data Model (L3SM) that can be
1026 used for communication between customers and VPN service providers.
1027 The model thus provides the inputs the network operator needs to
1028 deliver the service to the customer, and some parts of it can be
1029 directly mapped into L3NM:
1031 o Routing protocols requested by the client at the PE-CE interface.
1032 For the sake of alignment, the same protocols are supported.
1034 5.2. Relation with Network Topology
1036 The L3NM model manages VPN services running over the Service Provider
1037 backbone network. The set of nodes over which it is possible to
1038 deploy a L3VPN service MAY be part of the topology contained in an
1039 ietf-network module.
1041 5.3. Relation with Device Models
1043 Creating services in the l3vpn-ntw module will lead at some point to
1044 the configuration of devices. Hence, it is foreseen that the data for
1045 the device YANG modules will be derived partially from the L3NM
1046 vpn-service container. Note that L3NM is NOT a device model.
1049 6. L3VPN Examples
1051 6.1. 4G VPN Provisioning Example
1053 The L3VPN service defined in this draft provides a multipoint, routed
1054 service to the customer over an IP/MPLS core. L3VPNs are widely
1055 used to deploy 3G/4G, fixed and enterprise services, principally
1056 because several traffic discrimination policies can be applied in
1057 the network to transport the traffic and guarantee the right SLAs to
1058 the mobile customers.
1060 As shown in Figure 11, the eNODEB (CE) is commonly connected directly
1061 to the access routers (DCSG) of the mobile backhaul, and its logical
1062 interfaces (one or many according to the service type) are
1063 configured in a VPN that transports the packets to the mobile core
1064 platforms.
1066 +--------------+
1067 +------+ +-----+ +-----+ +-----+ | Platforms |
1068 |eNODEB|--/-| PE |----| P |----| PE |----| (SGW/MME) |
1069 +------+ +-----+ +-----+ +-----+ | ... |
1070 +--------------+
1072 Figure 11: Mobile Backhaul Example
1074 To configure a L3VPN service using the L3NM model, the procedure and
1075 the XML-encoded instance data are the following:
1077 Create VPN Service
1078 <vpn-services xmlns="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">
1079   <vpn-service>
1080     <vpn-id>1</vpn-id>
1081     <customer-name>4G</customer-name>
1082     <vpn-service-topology>hub-spoke</vpn-service-topology>
1083     <description>4G</description>
1084   </vpn-service>
1085 </vpn-services>
1088 Figure 12: Create VPN Service
1090 Create VPN Node: For this type of service the VPN Node is equivalent
1091 to the VRF configured in the physical device.
1093 <vpn-nodes xmlns="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">
1094   <vpn-node>
1095     <vpn-node-id>1</vpn-node-id>
1096     <ne-id>10.0.0.1</ne-id>
1097     <autonomous-system>65000</autonomous-system>
1098     <description>4G</description>
1099     <router-id>10.0.0.1</router-id>
1100     <address-family>ipv4</address-family>
1101     <node-role>any-to-any-role</node-role>
1102     <rd>1:1</rd>
1103   </vpn-node>
1104 </vpn-nodes>
1106 Figure 13: Create VPN Node
1108 Create VPN Network Access
1110 <vpn-network-accesses xmlns="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">
1111   <vpn-network-access>
1112     <vpn-network-access-id>1/1/1</vpn-network-access-id>
1113     <description>4G</description>
1114     <status>
1115       <admin-enabled>true</admin-enabled>
1116     </status>
1117     <vpn-network-access-type>point-to-point</vpn-network-access-type>
1118     <ip-connection>
1119       <ipv4>
1120         <address-allocation-type>static-address</address-allocation-type>
1121         <static-addresses>
1122           <primary-address>1</primary-address>
1123           <address>
1124             <address-id>1</address-id>
1125             <provider-address>192.168.0.1</provider-address>
1126             <customer-address>192.168.0.2</customer-address>
1127             <prefix-length>30</prefix-length>
1128           </address>
1129         </static-addresses>
1130       </ipv4>
1131     </ip-connection>
1132     <routing-protocols>
1133       <routing-protocol>
1134         <id>1</id>
1135         <type>direct</type>
1136       </routing-protocol>
1137     </routing-protocols>
1138   </vpn-network-access>
1139 </vpn-network-accesses>
1141 Figure 14: Create VPN Network Access
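As an added example (not from the draft), the following Python performs the checks an operator would run on such instance data before pushing it to the controller: the static PE-CE addresses of each vpn-network-access must be two distinct host addresses inside the given prefix, a static-address allocation must carry at least one address entry, the primary-address leafref must point at an existing address-id, and any auth-key or preshared-key leaf (plain strings in the tree of Section 3.4) is flagged so that read access to it is restricted through NACM and the payload is kept out of logs. The SAMPLE instance is constructed from that tree; its OSPF auth-key is there only to exercise the last check, and the NACM advice is the editor's recommendation, not a statement of the module.

```python
"""Pre-push sanity checks on L3NM XML instance data (added example, not
part of the draft).  SAMPLE is a constructed vpn-network-accesses
fragment following the Section 3.4 tree; its OSPF auth-key exists only
to exercise the credential check.  check_instance() returns findings."""
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw"
SECRET_LEAVES = {"auth-key", "preshared-key"}   # typed as plain strings


def q(tag):
    return f"{{{NS}}}{tag}"


def text(parent, tag):
    el = parent.find(q(tag)) if parent is not None else None
    return el.text.strip() if el is not None and el.text else None


def check_address(addr, where):
    """A static PE-CE link needs two distinct host addresses in one prefix."""
    prov, cust, plen = (text(addr, t) for t in
                        ("provider-address", "customer-address", "prefix-length"))
    if not (prov and cust and plen):
        return [f"{where}: provider-address, customer-address and "
                f"prefix-length are all required"]
    net = ipaddress.ip_network(f"{prov}/{plen}", strict=False)
    pe, ce = ipaddress.ip_address(prov), ipaddress.ip_address(cust)
    findings = []
    if pe == ce:
        findings.append(f"{where}: provider and customer addresses are identical")
    if ce not in net:
        findings.append(f"{where}: customer-address {ce} is outside {net}")
    if net.prefixlen < net.max_prefixlen - 1:   # /31, /127 have no reserved ends
        for label, ip in (("provider", pe), ("customer", ce)):
            if ip in (net.network_address, net.broadcast_address):
                findings.append(f"{where}: {label}-address {ip} is the "
                                f"network/broadcast address of {net}")
    return findings


def check_instance(xml_text):
    """Walk every vpn-network-access; return a list of findings (empty = OK)."""
    findings = []
    for access in ET.fromstring(xml_text).iter(q("vpn-network-access")):
        where = f"access {text(access, 'vpn-network-access-id')}"
        for af in ("ipv4", "ipv6"):
            conn = access.find(f"{q('ip-connection')}/{q(af)}")
            if conn is None:
                continue
            static = conn.find(q("static-addresses"))
            addrs = static.findall(q("address")) if static is not None else []
            if text(conn, "address-allocation-type") == "static-address" and not addrs:
                findings.append(f"{where}/{af}: static-address allocation "
                                f"without any address entry")
            primary = text(static, "primary-address")
            if primary and primary not in {text(a, "address-id") for a in addrs}:
                findings.append(f"{where}/{af}: primary-address {primary!r} "
                                f"matches no address-id")
            for addr in addrs:
                findings.extend(check_address(
                    addr, f"{where}/{af}/address {text(addr, 'address-id')}"))
        # auth-key and preshared-key are plain strings: surface them so read
        # access is restricted (NACM) and the payload is kept out of logs.
        for el in access.iter():
            leaf = el.tag.rsplit("}", 1)[-1]
            if leaf in SECRET_LEAVES and el.text:
                findings.append(f"{where}: leaf {leaf} carries a cleartext "
                                f"credential; restrict read access via NACM")
    return findings


# Constructed instance data following the Section 3.4 tree.
SAMPLE = f"""<vpn-network-accesses xmlns="{NS}">
  <vpn-network-access>
    <vpn-network-access-id>1/1/1</vpn-network-access-id>
    <ip-connection>
      <ipv4>
        <address-allocation-type>static-address</address-allocation-type>
        <static-addresses>
          <primary-address>1</primary-address>
          <address>
            <address-id>1</address-id>
            <provider-address>192.168.0.1</provider-address>
            <customer-address>192.168.0.2</customer-address>
            <prefix-length>30</prefix-length>
          </address>
        </static-addresses>
      </ipv4>
    </ip-connection>
    <routing-protocols>
      <routing-protocol>
        <id>1</id><type>ospf</type>
        <ospf>
          <area-address>0.0.0.0</area-address>
          <security><auth-key>hunter2</auth-key></security>
        </ospf>
      </routing-protocol>
    </routing-protocols>
  </vpn-network-access>
</vpn-network-accesses>"""
```

On the SAMPLE as written the only finding is the cleartext auth-key; changing the customer address to 192.168.0.9 (outside the /30) or to 192.168.0.3 (the broadcast address) adds the corresponding address finding, and a primary-address that names a non-existent address-id is reported as a dangling leafref.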
1143 7. Yang Module
1145 <CODE BEGINS> file "ietf-l3vpn-ntw@2019-11-17.yang"
1146 module ietf-l3vpn-ntw {
1147 yang-version 1.1;
1148 namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw";
1149 prefix l3vpn-ntw;
1150 import ietf-inet-types {
1151 prefix inet;
1152 }
1153 import ietf-yang-types {
1154 prefix yang;
1155 }
1156 import ietf-netconf-acm {
1157 prefix nacm;
1158 }
1159 import ietf-routing-types {
1160 prefix rt-types;
1161 }
1162 organization
1163 "IETF OPSAWG (Operations and Management Area Working Group)";
1164 contact
1165 "WG Web:
1166 WG List:
1167 Editor: Oscar Gonzalez de Dios
1168
1169 Editor: Alejandro Aguado
1170
1171 Editor: Victor Lopez
1172
1173 Editor: Daniel Voyer
1174
1175 Editor: Luis Angel Munoz
1176
1177 ";
1179 description
1180 "This YANG module defines a generic network-oriented model
1181 for the management of Layer 3 VPNs in a Service Provider
1182 backbone network.
1183 Copyright (c) 2019 IETF Trust and the persons identified as
1184 authors of the code. All rights reserved.
1186 Redistribution and use in source and binary forms, with or
1187 without modification, is permitted pursuant to, and subject to
1188 the license terms contained in, the Simplified BSD License set
1189 forth in Section 4.c of the IETF Trust's Legal Provisions
1190 Relating to IETF Documents
1191 (https://trustee.ietf.org/license-info).
1193 This version of this YANG module is part of RFC XXXX
1194 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
1195 for full legal notices.
1197 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
1198 NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
1199 'MAY', and 'OPTIONAL' in this document are to be interpreted as
1200 described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
1201 they appear in all capitals, as shown here.";
1203 revision 2019-11-17 {
1204 description
1205 "Network centric hierarchy. Customer unused parameters pruned.
1206 Site removal";
1207 reference
1208 "draft-ietf-opsawg-l3sm-l3nm-01";
1209 }
1211 revision 2019-09-13 {
1212 description
1213 "Initial document. The document as a whole is based on L3SM
1214 module, defined in RFC 8299, modified to fit the requirements
1215 of the platforms at the network layer.";
1216 reference
1217 "RFC 8299.";
1218 }
1219 /* Features */
1220 feature cloud-access {
1221 description
1222 "Allows the VPN to connect to a CSP.";
1223 }
1224 feature multicast {
1225 description
1226 "Enables multicast capabilities in a VPN.";
1227 }
1228 feature ipv4 {
1229 description
1230 "Enables IPv4 support in a VPN.";
1231 }
1232 feature ipv6 {
1233 description
1234 "Enables IPv6 support in a VPN.";
1235 }
1236 feature lan-tag {
1237 description
1238 "Enables LAN Tag support in a VPN Policy filter.";
1239 }
1240 feature carrierscarrier {
1241 description
1242 "Enables support of CsC.";
1243 }
1244 feature extranet-vpn {
1245 description
1246 "Enables support of extranet VPNs.";
1247 }
1248 feature encryption {
1249 description
1250 "Enables support of encryption.";
1251 }
1252 feature qos {
1253 description
1254 "Enables support of classes of services.";
1255 }
1256 feature qos-custom {
1257 description
1258 "Enables support of the custom QoS profile.";
1259 }
1260 feature rtg-bgp {
1261 description
1262 "Enables support of the BGP routing protocol.";
1263 }
1264 feature rtg-rip {
1265 description
1266 "Enables support of the RIP routing protocol.";
1267 }
1268 feature rtg-ospf {
1269 description
1270 "Enables support of the OSPF routing protocol.";
1271 }
1272 feature rtg-ospf-sham-link {
1273 description
1274 "Enables support of OSPF sham links.";
1275 }
1276 feature rtg-vrrp {
1277 description
1278 "Enables support of the VRRP routing protocol.";
1279 }
1280 feature fast-reroute {
1281 description
1282 "Enables support of Fast Reroute.";
1283 }
1284 feature bfd {
1285 description
1286 "Enables support of BFD.";
1287 }
1288 feature bearer-reference {
1289 description
1290 "Enables support of the 'bearer-reference' access constraint.";
1291 }
1292 feature target-sites {
1293 description
1294 "Enables support of the 'target-sites' match flow parameter.";
1295 }
1296 feature input-bw {
1297 description
1298 "Enables support of the 'input-bw' limit.";
1299 }
1300 feature dot1q {
1301 description
1302 "Enables support of the 'dot1q' encapsulation.";
1303 }
1304 feature qinq {
1305 description
1306 "Enables support of the 'qinq' encapsulation.";
1307 }
1308 feature qinany {
1309 description
1310 "Enables support of the 'qinany' encapsulation.";
1311 }
1312 feature vxlan {
1313 description
1314 "Enables support of the 'vxlan' encapsulation.";
1315 }
1317 /* Typedefs */
1318 typedef svc-id {
1319 type string;
1320 description
1321 "Defines a type of service component identifier.";
1322 }
1323 typedef template-id {
1324 type string;
1325 description
1326 "Defines a type of service template identifier.";
1327 }
1328 typedef address-family {
1329 type enumeration {
1330 enum ipv4 {
1331 description
1332 "IPv4 address family.";
1333 }
1334 enum ipv6 {
1335 description
1336 "IPv6 address family.";
1337 }
1338 enum ipv4/ipv6 {
1339 description
1340 "IPv4/IPv6 address family.";
1341 }
1342 }
1343 description
1344 "Defines a type for the address family.";
1345 }
1347 typedef ie-type {
1348 type enumeration {
1349 enum "import" {
1350 value 0;
1351 description "Import routing profile.";
1352 }
1353 enum "export" {
1354 value 1;
1355 description "Export routing profile";
1356 }
1357 enum "both" {
1358 value 2;
1359 description "Import/Export routing profile";
1360 }
1361 }
1362 description
1363 "Defines Import-Export routing profiles.
1364 Those are able to be reused between vpn-nodes";
1365 }
1367 typedef operational-type {
1368 type enumeration {
1369 enum "up" {
1370 value 0;
1371 description "Operational status UP.";
1372 }
1373 enum "down" {
1374 value 1;
1375 description "Operational status DOWN";
1376 }
1377 enum "unknown" {
1378 value 2;
1379 description "Operational status UNKNOWN";
1380 }
1381 }
1382 description
1383 "This is a read-only attribute used to determine the
1384 status of a particular element";
1385 }
1387 /* Identities */
1388 identity site-network-access-type {
1389 description
1390 "Base identity for site-network-access type.";
1391 }
1392 identity point-to-point {
1393 base site-network-access-type;
1394 description
1395 "Identity for point-to-point connection.";
1396 }
1397 /* Extension */
1398 identity pseudowire {
1399 base site-network-access-type;
1400 description
1401 "Identity for pseudowire connection.";
1402 }
1403 /* End of Extension */
1404 identity multipoint {
1405 base site-network-access-type;
1406 description
1407 "Identity for multipoint connection.
1408 Example: Ethernet broadcast segment.";
1409 }
1410 identity customer-application {
1411 description
1412 "Base identity for customer application.";
1413 }
1414 identity web {
1415 base customer-application;
1416 description
1417 "Identity for Web application (e.g., HTTP, HTTPS).";
1418 }
1419 identity mail {
1420 base customer-application;
1421 description
1422 "Identity for mail application.";
1423 }
1424 identity file-transfer {
1425 base customer-application;
1426 description
1427 "Identity for file transfer application (e.g., FTP, SFTP).";
1428 }
1429 identity database {
1430 base customer-application;
1431 description
1432 "Identity for database application.";
1433 }
1434 identity social {
1435 base customer-application;
1436 description
1437 "Identity for social-network application.";
1438 }
1439 identity games {
1440 base customer-application;
1441 description
1442 "Identity for gaming application.";
1443 }
1444 identity p2p {
1445 base customer-application;
1446 description
1447 "Identity for peer-to-peer application.";
1448 }
1449 identity network-management {
1450 base customer-application;
1451 description
1452 "Identity for management application
1453 (e.g., Telnet, syslog, SNMP).";
1454 }
1455 identity voice {
1456 base customer-application;
1457 description
1458 "Identity for voice application.";
1459 }
1460 identity video {
1461 base customer-application;
1462 description
1463 "Identity for video conference application.";
1464 }
1465 identity embb {
1466 base customer-application;
1467 description
1468 "Identity for an enhanced Mobile Broadband (eMBB)
1469 application. Note that an eMBB application demands
1470 network performance with a wide variety of
1471 characteristics, such as data rate, latency,
1472 loss rate, reliability, and many other parameters.";
1473 }
1474 identity urllc {
1475 base customer-application;
1476 description
1477 "Identity for an Ultra-Reliable and Low Latency
1478 Communications (URLLC) application. Note that a
1479 URLLC application demands network performance
1480 with a wide variety of characteristics, such as latency,
1481 reliability, and many other parameters.";
1482 }
1483 identity mmtc {
1484 base customer-application;
1485 description
1486 "Identity for a massive Machine Type
1487 Communications (mMTC) application. Note that an
1488 mMTC application demands network performance
1489 with a wide variety of characteristics, such as data
1490 rate, latency, loss rate, reliability, and many
1491 other parameters.";
1492 }
1493 identity address-allocation-type {
1494 description
1495 "Base identity for address-allocation-type for PE-CE link.";
1496 }
1497 identity provider-dhcp {
1498 base address-allocation-type;
1499 description
1500 "Provider network provides DHCP service to customer.";
1501 }
1502 identity provider-dhcp-relay {
1503 base address-allocation-type;
1504 description
1505 "Provider network provides DHCP relay service to customer.";
1506 }
1507 identity provider-dhcp-slaac {
1508 base address-allocation-type;
1509 description
1510 "Provider network provides DHCP service to customer,
1511 as well as SLAAC.";
1512 }
1513 identity static-address {
1514 base address-allocation-type;
1515 description
1516 "Provider-to-customer addressing is static.";
1517 }
1518 identity slaac {
1519 base address-allocation-type;
1520 description
1521 "Use IPv6 SLAAC.";
1522 }
1523 identity site-role {
1524 description
1525 "Base identity for site type.";
1526 }
1527 identity any-to-any-role {
1528 base site-role;
1529 description
1530 "Site in an any-to-any IP VPN.";
1531 }
1532 identity spoke-role {
1533 base site-role;
1534 description
1535 "Spoke site in a Hub-and-Spoke IP VPN.";
1536 }
1537 identity hub-role {
1538 base site-role;
1539 description
1540 "Hub site in a Hub-and-Spoke IP VPN.";
1542 }
1543 identity vpn-topology {
1544 description
1545 "Base identity for VPN topology.";
1546 }
1547 identity any-to-any {
1548 base vpn-topology;
1549 description
1550 "Identity for any-to-any VPN topology.";
1551 }
1552 identity hub-spoke {
1553 base vpn-topology;
1554 description
1555 "Identity for Hub-and-Spoke VPN topology.";
1556 }
1557 identity hub-spoke-disjoint {
1558 base vpn-topology;
1559 description
1560 "Identity for Hub-and-Spoke VPN topology
1561 where Hubs cannot communicate with each other.";
1562 }
1563 identity multicast-tree-type {
1564 description
1565 "Base identity for multicast tree type.";
1566 }
1567 identity ssm-tree-type {
1568 base multicast-tree-type;
1569 description
1570 "Identity for SSM tree type.";
1571 }
1572 identity asm-tree-type {
1573 base multicast-tree-type;
1574 description
1575 "Identity for ASM tree type.";
1576 }
1577 identity bidir-tree-type {
1578 base multicast-tree-type;
1579 description
1580 "Identity for bidirectional tree type.";
1581 }
1582 identity multicast-rp-discovery-type {
1583 description
1584 "Base identity for RP discovery type.";
1585 }
1586 identity auto-rp {
1587 base multicast-rp-discovery-type;
1588 description
1589 "Identity for Auto-RP discovery type.";
1591 }
1592 identity static-rp {
1593 base multicast-rp-discovery-type;
1594 description
1595 "Identity for static RP discovery type.";
1596 }
1597 identity bsr-rp {
1598 base multicast-rp-discovery-type;
1599 description
1600 "Identity for BSR discovery type.";
1601 }
1602 identity routing-protocol-type {
1603 description
1604 "Base identity for routing protocol type.";
1605 }
1606 identity ospf {
1607 base routing-protocol-type;
1608 description
1609 "Identity for OSPF protocol type.";
1610 }
1611 identity bgp {
1612 base routing-protocol-type;
1613 description
1614 "Identity for BGP protocol type.";
1615 }
1616 identity static {
1617 base routing-protocol-type;
1618 description
1619 "Identity for static routing protocol type.";
1620 }
1621 identity rip {
1622 base routing-protocol-type;
1623 description
1624 "Identity for RIP protocol type.";
1625 }
1626 identity vrrp {
1627 base routing-protocol-type;
1628 description
1629 "Identity for VRRP protocol type.
1630 This is to be used when LANs are directly connected
1631 to PE routers.";
1632 }
1633 identity direct {
1634 base routing-protocol-type;
1635 description
1636 "Identity for direct protocol type.";
1637 }
1638 identity protocol-type {
1639 description
1640 "Base identity for protocol field type.";
1641 }
1642 identity tcp {
1643 base protocol-type;
1644 description
1645 "TCP protocol type.";
1646 }
1647 identity udp {
1648 base protocol-type;
1649 description
1650 "UDP protocol type.";
1651 }
1653 identity icmp {
1654 base protocol-type;
1655 description
1656 "ICMP protocol type.";
1657 }
1658 identity icmp6 {
1659 base protocol-type;
1660 description
1661 "ICMPv6 protocol type.";
1662 }
1663 identity gre {
1664 base protocol-type;
1665 description
1666 "GRE protocol type.";
1667 }
1668 identity ipip {
1669 base protocol-type;
1670 description
1671 "IP-in-IP protocol type.";
1672 }
1673 identity hop-by-hop {
1674 base protocol-type;
1675 description
1676 "Hop-by-Hop IPv6 header type.";
1677 }
1678 identity routing {
1679 base protocol-type;
1680 description
1681 "Routing IPv6 header type.";
1682 }
1683 identity esp {
1684 base protocol-type;
1685 description
1686 "ESP header type.";
1688 }
1689 identity ah {
1690 base protocol-type;
1691 description
1692 "AH header type.";
1693 }
1694 identity vpn-policy-filter-type {
1695 description
1696 "Base identity for VPN Policy filter type.";
1697 }
1698 identity ipv4 {
1699 base vpn-policy-filter-type;
1700 description
1701 "Identity for IPv4 Prefix filter type.";
1702 }
1703 identity ipv6 {
1704 base vpn-policy-filter-type;
1705 description
1706 "Identity for IPv6 Prefix filter type.";
1707 }
1708 identity lan {
1709 base vpn-policy-filter-type;
1710 description
1711 "Identity for LAN Tag filter type.";
1712 }
1714 identity qos-profile-direction {
1715 description
1716 "Base identity for QoS profile direction.";
1717 }
1719 identity site-to-wan {
1720 base qos-profile-direction;
1721 description
1722 "Identity for Site-to-WAN direction.";
1723 }
1724 identity wan-to-site {
1725 base qos-profile-direction;
1726 description
1727 "Identity for WAN-to-Site direction.";
1728 }
1729 identity both {
1730 base qos-profile-direction;
1731 description
1732 "Identity for both WAN-to-Site direction
1733 and Site-to-WAN direction.";
1734 }
1735 /* Extended Identities */
1737 identity encapsulation-type {
1738 description
1739 "Identity for the encapsulation type.";
1740 }
1742 identity untagged-int {
1743 base encapsulation-type;
1744 description
1745 "Identity for Ethernet type.";
1746 }
1748 identity tagged-int {
1749 base encapsulation-type;
1750 description
1751 "Identity for the VLAN type.";
1752 }
1754 identity eth-inf-type {
1755 description
1756 "Identity of the Ethernet interface type.";
1757 }
1759 identity tagged {
1760 base eth-inf-type;
1761 description
1762 "Identity of the tagged interface type.";
1763 }
1765 identity untagged {
1766 base eth-inf-type;
1767 description
1768 "Identity of the untagged interface type.";
1769 }
1771 identity lag {
1772 base eth-inf-type;
1773 description
1774 "Identity of the LAG interface type.";
1775 }
1776 identity bearer-inf-type {
1777 description
1778 "Identity for the bearer interface type.";
1779 }
1781 identity port-id {
1782 base bearer-inf-type;
1783 description
1784 "Identity for a bearer identified by a physical port.";
1785 }
1787 identity lag-id {
1788 base bearer-inf-type;
1789 description
1790 "Identity for a bearer identified by a LAG.";
1791 }
1793 identity tagged-inf-type {
1794 description
1795 "Identity for the tagged interface type.";
1796 }
1798 identity priority-tagged {
1799 base tagged-inf-type;
1800 description
1801 "Identity for the priority-tagged interface.";
1802 }
1804 identity qinq {
1805 base tagged-inf-type;
1806 description
1807 "Identity for the QinQ tagged interface.";
1808 }
1810 identity dot1q {
1811 base tagged-inf-type;
1812 description
1813 "Identity for the dot1Q VLAN tagged interface.";
1814 }
1816 identity qinany {
1817 base tagged-inf-type;
1818 description
1819 "Identity for the QinAny tagged interface.";
1820 }
1822 identity vxlan {
1823 base tagged-inf-type;
1824 description
1825 "Identity for the VXLAN tagged interface.";
1826 }
1828 identity tag-type {
1829 description
1830 "Base identity from which all tag types are derived.";
1832 }
1834 identity c-vlan {
1835 base tag-type;
1836 description
1837 "A CVLAN tag, normally using the 0x8100 Ethertype.";
1838 }
1840 identity s-vlan {
1841 base tag-type;
1842 description
1843 "An SVLAN tag.";
1844 }
1846 identity c-s-vlan {
1847 base tag-type;
1848 description
1849 "Using both a CVLAN tag and an SVLAN tag.";
1850 }
1852 identity vxlan-peer-mode {
1853 description
1854 "Base identity for the VXLAN peer mode.";
1855 }
1857 identity static-mode {
1858 base vxlan-peer-mode;
1859 description
1860 "Identity for VXLAN access in the static mode.";
1861 }
1863 identity bgp-mode {
1864 base vxlan-peer-mode;
1865 description
1866 "Identity for VXLAN access by BGP EVPN learning.";
1867 }
1869 identity bw-direction {
1870 description
1871 "Identity for the bandwidth direction.";
1872 }
1874 identity input-bw {
1875 base bw-direction;
1876 description
1877 "Identity for the input bandwidth.";
1878 }
1879 identity output-bw {
1880 base bw-direction;
1881 description
1882 "Identity for the output bandwidth.";
1883 }
1885 identity bw-type {
1886 description
1887 "Identity of the bandwidth type.";
1888 }
1890 identity bw-per-cos {
1891 base bw-type;
1892 description
1893 "Bandwidth is per CoS.";
1894 }
1896 identity bw-per-port {
1897 base bw-type;
1898 description
1899 "Bandwidth is per site network access.";
1900 }
1902 identity bw-per-site {
1903 base bw-type;
1904 description
1905 "Bandwidth is per site. It is applicable to
1906 all the site network accesses within the site.";
1907 }
1909 identity bw-per-svc {
1910 base bw-type;
1911 description
1912 "Bandwidth is per VPN service.";
1913 }
1915 /* Groupings */
1916 grouping multicast-rp-group-cfg {
1917 choice group-format {
1918 mandatory true;
1919 case singleaddress {
1920 leaf group-address {
1921 type inet:ip-address;
1922 description
1923 "A single multicast group address.";
1924 }
1925 }
1926 case startend {
1927 leaf group-start {
1928 type inet:ip-address;
1929 description
1930 "The first multicast group address in
1931 the multicast group address range.";
1932 }
1933 leaf group-end {
1934 type inet:ip-address;
1935 description
1936 "The last multicast group address in
1937 the multicast group address range.";
1938 }
1939 }
1940 description
1941 "Choice for multicast group format.";
1942 }
1943 description
1944 "This grouping defines multicast group or
1945 multicast groups for RP-to-group mapping.";
1946 }
1947 grouping vpn-service-multicast {
1948 container multicast {
1949 if-feature multicast;
1950 leaf enabled {
1951 type boolean;
1952 default false;
1953 description
1954 "Enables multicast.";
1955 }
1956 container customer-tree-flavors {
1957 leaf-list tree-flavor {
1958 type identityref {
1959 base multicast-tree-type;
1960 }
1961 description
1962 "Type of tree to be used.";
1963 }
1964 description
1965 "Type of trees used by customer.";
1966 }
1967 container rp {
1968 container rp-group-mappings {
1969 list rp-group-mapping {
1970 key id;
1971 leaf id {
1972 type uint16;
1973 description
1974 "Unique identifier for the mapping.";
1976 }
1977 container provider-managed {
1978 leaf enabled {
1979 type boolean;
1980 default false;
1981 description
1982 "Set to true if the Rendezvous Point (RP)
1983 must be a provider-managed node. Set to false
1984 if it is a customer-managed node.";
1985 }
1986 leaf rp-redundancy {
1987 type boolean;
1988 default false;
1989 description
1990 "If true, a redundancy mechanism for the RP
1991 is required.";
1992 }
1993 leaf optimal-traffic-delivery {
1994 type boolean;
1995 default false;
1996 description
1997 "If true, the SP must ensure that
1998 traffic uses an optimal path. An SP may use
1999 Anycast RP or RP-tree-to-SPT switchover
2000 architectures.";
2001 }
2002 description
2003 "Parameters for a provider-managed RP.";
2004 }
2005 leaf rp-address {
2006 when "../provider-managed/enabled = 'false'" {
2007 description
2008 "Relevant when the RP is not provider-managed.";
2009 }
2010 type inet:ip-address;
2011 mandatory true;
2012 description
2013 "Defines the address of the RP.
2014 Used if the RP is customer-managed.";
2015 }
2016 container groups {
2017 list group {
2018 key id;
2019 leaf id {
2020 type uint16;
2021 description
2022 "Identifier for the group.";
2023 }
2024 uses multicast-rp-group-cfg;
2025 description
2026 "List of multicast groups.";
2027 }
2028 description
2029 "Multicast groups associated with the RP.";
2030 }
2031 description
2032 "List of RP-to-group mappings.";
2033 }
2034 description
2035 "RP-to-group mappings parameters.";
2036 }
2037 container rp-discovery {
2038 leaf rp-discovery-type {
2039 type identityref {
2040 base multicast-rp-discovery-type;
2041 }
2042 default static-rp;
2043 description
2044 "Type of RP discovery used.";
2045 }
2046 container bsr-candidates {
2047 when "derived-from-or-self(../rp-discovery-type, "+
2048 "'l3vpn-ntw:bsr-rp')" {
2049 description
2050 "Only applicable if discovery type
2051 is BSR-RP.";
2052 }
2053 leaf-list bsr-candidate-address {
2054 type inet:ip-address;
2055 description
2056 "Address of BSR candidate.";
2057 }
2058 description
2059 "Container for the list of customer
2060 BSR candidate addresses.";
2061 }
2062 description
2063 "RP discovery parameters.";
2064 }
2065 description
2066 "RP parameters.";
2067 }
2068 description
2069 "Multicast global parameters for the VPN service.";
2070 }
2071 description
2072 "Grouping for multicast VPN definition.";
2073 }
2074 grouping vpn-service-mpls {
2075 leaf carrierscarrier {
2076 if-feature carrierscarrier;
2077 type boolean;
2078 default false;
2079 description
2080 "The VPN is using CsC, and so MPLS is required.";
2081 }
2082 description
2083 "Grouping for MPLS CsC definition.";
2084 }
2085 grouping operational-requirements {
2086 leaf requested-site-start {
2087 type yang:date-and-time;
2088 description
2089 "Optional leaf indicating requested date and
2090 time when the service at a particular site is
2091 expected to start.";
2092 }
2093 leaf requested-site-stop {
2094 type yang:date-and-time;
2095 description
2096 "Optional leaf indicating requested date and
2097 time when the service at a particular site is
2098 expected to stop.";
2099 }
2100 description
2101 "This grouping defines some operational
2102 parameters.";
2103 }
2104 grouping operational-requirements-ops {
2105 leaf actual-site-start {
2106 type yang:date-and-time;
2107 config false;
2108 description
2109 "Optional leaf indicating actual date and
2110 time when the service at a particular site
2111 actually started.";
2112 }
2113 leaf actual-site-stop {
2114 type yang:date-and-time;
2115 config false;
2116 description
2117 "Optional leaf indicating actual date and
2118 time when the service at a particular site
2119 actually stopped.";
2121 }
2122 description
2123 "This grouping defines some operational
2124 parameters.";
2125 }
2126 grouping flow-definition {
2127 container match-flow {
2128 leaf dscp {
2129 type inet:dscp;
2130 description
2131 "DSCP value.";
2132 }
2133 leaf dot1p {
2134 type uint8 {
2135 range "0..7";
2136 }
2137 description
2138 "802.1p matching.";
2139 }
2140 leaf ipv4-src-prefix {
2141 type inet:ipv4-prefix;
2142 description
2143 "Match on IPv4 src address.";
2144 }
2145 leaf ipv6-src-prefix {
2146 type inet:ipv6-prefix;
2147 description
2148 "Match on IPv6 src address.";
2149 }
2150 leaf ipv4-dst-prefix {
2151 type inet:ipv4-prefix;
2152 description
2153 "Match on IPv4 dst address.";
2154 }
2155 leaf ipv6-dst-prefix {
2156 type inet:ipv6-prefix;
2157 description
2158 "Match on IPv6 dst address.";
2159 }
2160 leaf l4-src-port {
2161 type inet:port-number;
2162 must "current() < ../l4-src-port-range/lower-port or "+
2163 "current() > ../l4-src-port-range/upper-port" {
2164 description
2165 "If l4-src-port and l4-src-port-range/lower-port and
2166 upper-port are set at the same time, l4-src-port
2167 should not overlap with l4-src-port-range.";
2168 }
2169 description
2170 "Match on Layer 4 src port.";
2171 }
2172 leaf-list target-sites {
2173 if-feature target-sites;
2174 type svc-id;
2175 description
2176 "Identify a site as traffic destination.";
2177 }
2178 container l4-src-port-range {
2179 leaf lower-port {
2180 type inet:port-number;
2181 description
2182 "Lower boundary for port.";
2183 }
2184 leaf upper-port {
2185 type inet:port-number;
2186 must ". >= ../lower-port" {
2187 description
2188 "Upper boundary for port. If it
2189 exists, the upper boundary must be
2190 higher than the lower boundary.";
2191 }
2192 description
2193 "Upper boundary for port.";
2194 }
2195 description
2196 "Match on Layer 4 src port range. When
2197 only the lower-port is present, it represents
2198 a single port. When both the lower-port and
2199 upper-port are specified, it implies
2200 a range inclusive of both values.";
2201 }
2202 leaf l4-dst-port {
2203 type inet:port-number;
2204 must "current() < ../l4-dst-port-range/lower-port or "+
2205 "current() > ../l4-dst-port-range/upper-port" {
2206 description
2207 "If l4-dst-port and l4-dst-port-range/lower-port
2208 and upper-port are set at the same time,
2209 l4-dst-port should not overlap with
2210 l4-dst-port-range.";
2211 }
2212 description
2213 "Match on Layer 4 dst port.";
2214 }
2215 container l4-dst-port-range {
2216 leaf lower-port {
2217 type inet:port-number;
2218 description
2219 "Lower boundary for port.";
2220 }
2221 leaf upper-port {
2222 type inet:port-number;
2223 must ". >= ../lower-port" {
2224 description
2225 "Upper boundary must be
2226 higher than lower boundary.";
2227 }
2228 description
2229 "Upper boundary for port. If it exists,
2230 upper boundary must be higher than lower
2231 boundary.";
2232 }
2233 description
2234 "Match on Layer 4 dst port range. When only
2235 lower-port is present, it represents a single
2236 port. When both lower-port and upper-port are
2237 specified, it implies a range inclusive of both
2238 values.";
2239 }
2240 leaf protocol-field {
2241 type union {
2242 type uint8;
2243 type identityref {
2244 base protocol-type;
2245 }
2246 }
2247 description
2248 "Match on IPv4 protocol or IPv6 Next Header field.";
2249 }
2250 description
2251 "Describes flow-matching criteria.";
2252 }
2253 description
2254 "Flow definition based on criteria.";
2255 }
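The flow-definition grouping above expresses its consistency rules as YANG
'must' statements: upper-port may not be lower than lower-port, and a single
l4-src-port or l4-dst-port may not fall inside the inclusive port range given
next to it. The following Python is an added example, not part of the draft or
of any l3vpn-ntw implementation, that applies those rules to a match-flow
instance represented as a dict keyed by the model's leaf names, so a
controller can reject an inconsistent classification rule before it reaches a
PE. The instance data at the bottom is constructed. One caveat for anyone
validating with a real XPath engine: the single-port 'must' compares against
../l4-src-port-range/lower-port and upper-port, and in XPath 1.0 a comparison
with an empty node set is false, so the expression as written evaluates to
false whenever the range container is absent; the example implements the
intent stated in the leaf's description and applies the overlap check only
when the range is fully present.

```python
"""Added example (not from the draft): checks a match-flow instance against
the 'must' constraints of the flow-definition grouping.

Instance data is a plain dict keyed by the leaf names in the model.  The
sample flows at the bottom are constructed for illustration.
"""

from typing import Dict, List, Optional

PORT_MIN, PORT_MAX = 0, 65535           # inet:port-number is uint16


def _check_side(flow: Dict, side: str) -> List[str]:
    """Validate l4-<side>-port against l4-<side>-port-range.

    Mirrors, for one direction ('src' or 'dst'):
      upper-port:     must ". >= ../lower-port"
      l4-<side>-port: must "current() < ../l4-<side>-port-range/lower-port or
                            current() > ../l4-<side>-port-range/upper-port"
    The single-port check is applied only when the range is fully present,
    which is the situation the leaf's description says it is for.
    """
    errors: List[str] = []
    port: Optional[int] = flow.get(f"l4-{side}-port")
    rng: Dict = flow.get(f"l4-{side}-port-range", {})
    lower: Optional[int] = rng.get("lower-port")
    upper: Optional[int] = rng.get("upper-port")

    # Type check: every port leaf is an inet:port-number.
    for name, value in ((f"l4-{side}-port", port),
                        (f"l4-{side}-port-range/lower-port", lower),
                        (f"l4-{side}-port-range/upper-port", upper)):
        if value is not None and not (PORT_MIN <= int(value) <= PORT_MAX):
            errors.append(f"{name}={value} outside 0..65535")

    # must ". >= ../lower-port" on upper-port (only evaluated when it exists).
    if upper is not None:
        if lower is None:
            errors.append(f"l4-{side}-port-range/upper-port given without lower-port")
        elif upper < lower:
            errors.append(f"l4-{side}-port-range: upper-port {upper} < lower-port {lower}")

    # The single port must lie strictly outside the inclusive range.
    if port is not None and lower is not None and upper is not None:
        if lower <= port <= upper:
            errors.append(f"l4-{side}-port {port} overlaps "
                          f"l4-{side}-port-range {lower}..{upper}")
    return errors


def validate_match_flow(flow: Dict) -> List[str]:
    """Return the list of constraint violations (empty list means valid)."""
    errors: List[str] = []
    dot1p = flow.get("dot1p")
    if dot1p is not None and not 0 <= dot1p <= 7:   # uint8 { range "0..7"; }
        errors.append(f"dot1p={dot1p} outside 0..7")
    dscp = flow.get("dscp")
    if dscp is not None and not 0 <= dscp <= 63:    # inet:dscp is 0..63
        errors.append(f"dscp={dscp} outside 0..63")
    errors += _check_side(flow, "src")
    errors += _check_side(flow, "dst")
    return errors


# Constructed sample instances (documentation prefix 192.0.2.0/24).
GOOD_FLOW = {
    "ipv4-dst-prefix": "192.0.2.0/24",
    "l4-dst-port": 443,
    "l4-dst-port-range": {"lower-port": 8000, "upper-port": 8100},
    "dscp": 46,
}
BAD_FLOW = {
    "l4-src-port": 8080,                                   # inside the range
    "l4-src-port-range": {"lower-port": 8000, "upper-port": 8100},
    "l4-dst-port-range": {"lower-port": 500, "upper-port": 400},  # inverted
    "dot1p": 9,                                            # out of range
}

if __name__ == "__main__":
    for name, flow in (("good", GOOD_FLOW), ("bad", BAD_FLOW)):
        problems = validate_match_flow(flow)
        print(name, "OK" if not problems else problems)
```

The dict layout follows the container nesting of match-flow one level deep,
which is what a JSON encoding of the instance data (RFC 7951) would give after
parsing, so the same function can be applied to data received from a
northbound API.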
2256 grouping site-service-basic {
2257 leaf svc-input-bandwidth {
2258 type uint64;
2259 units bps;
2260 mandatory true;
2261 description
2262 "From the customer site's perspective, the service
2263 input bandwidth of the connection or download
2264 bandwidth from the SP to the site.";
2266 }
2267 leaf svc-output-bandwidth {
2268 type uint64;
2269 units bps;
2270 mandatory true;
2271 description
2272 "From the customer site's perspective, the service
2273 output bandwidth of the connection or upload
2274 bandwidth from the site to the SP.";
2275 }
2276 leaf svc-mtu {
2277 type uint16;
2278 units bytes;
2279 mandatory true;
2280 description
2281 "MTU at service level. If the service is IP,
2282 it refers to the IP MTU. If CsC is enabled,
2283 the requested 'svc-mtu' leaf will refer to the
2284 MPLS MTU and not to the IP MTU.";
2285 }
2286 description
2287 "Defines basic service parameters for a site.";
2288 }
2289 grouping site-protection {
2290 container traffic-protection {
2291 if-feature fast-reroute;
2292 leaf enabled {
2293 type boolean;
2294 default false;
2295 description
2296 "Enables traffic protection of access link.";
2297 }
2298 description
2299 "Fast Reroute service parameters for the site.";
2300 }
2301 description
2302 "Defines protection service parameters for a site.";
2303 }
2304 grouping site-service-mpls {
2305 container carrierscarrier {
2306 if-feature carrierscarrier;
2307 leaf signalling-type {
2308 type enumeration {
2309 enum ldp {
2310 description
2311 "Use LDP as the signalling protocol
2312 between the PE and the CE. In this case,
2313 an IGP routing protocol must also be activated.";
2314 }
2315 enum bgp {
2316 description
2317 "Use BGP (as per RFC 8277) as the signalling protocol
2318 between the PE and the CE.
2319 In this case, BGP must also be configured as
2320 the routing protocol.";
2321 }
2322 }
2323 default bgp;
2324 description
2325 "MPLS signalling type.";
2326 }
2327 description
2328 "This container is used when the customer provides
2329 MPLS-based services. This is only used in the case
2330 of CsC (i.e., a customer builds an MPLS service using
2331 an IP VPN to carry its traffic).";
2332 }
2333 description
2334 "Defines MPLS service parameters for a site.";
2335 }
2336 grouping site-service-qos-profile {
2337 container qos {
2338 if-feature qos;
2339 container qos-classification-policy {
2340 list rule {
2341 key id;
2342 ordered-by user;
2343 leaf id {
2344 type string;
2345 description
2346 "A description identifying the
2347 qos-classification-policy rule.";
2348 }
2349 choice match-type {
2350 default match-flow;
2351 case match-flow {
2352 uses flow-definition;
2353 }
2354 case match-application {
2355 leaf match-application {
2356 type identityref {
2357 base customer-application;
2358 }
2359 description
2360 "Defines the application to match.";
2361 }
2363 }
2364 description
2365 "Choice for classification.";
2366 }
2367 leaf target-class-id {
2368 type string;
2369 description
2370 "Identification of the class of service.
2371 This identifier is internal to the administration.";
2372 }
2373 description
2374 "List of marking rules.";
2375 }
2376 description
2377 "Configuration of the traffic classification policy.";
2378 }
2379 container qos-profile {
2380 choice qos-profile {
2381 description
2382 "Choice for QoS profile.
2383 Can be standard profile or customized profile.";
2384 case standard {
2385 description
2386 "Standard QoS profile.";
2387 leaf profile {
2388 type leafref {
2389 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers"+
2390 "/qos-profile-identifier/id";
2391 }
2392 description
2393 "QoS profile to be used.";
2394 }
2395 leaf direction {
2396 type identityref {
2397 base qos-profile-direction;}
2398 default both;
2399 description
2400 "The direction to which the QoS profile
2401 is applied.";
2402 }
2403 }
2404 case custom {
2405 description
2406 "Customized QoS profile.";
2407 container classes {
2408 if-feature qos-custom;
2409 list class {
2410 key class-id;
2411 leaf class-id {
2412 type string;
2413 description
2414 "Identification of the class of service.
2415 This identifier is internal to the
2416 administration.";
2417 }
2418 leaf direction {
2419 type identityref {
2420 base qos-profile-direction;
2421 }
2422 default both;
2423 description
2424 "The direction to which the QoS profile
2425 is applied.";
2426 }
2427 leaf rate-limit {
2428 type decimal64 {
2429 fraction-digits 5;
2430 range "0..100";
2431 }
2432 units percent;
2433 description
2434 "To be used if the class must be rate-limited.
2435 Expressed as percentage of the service
2436 bandwidth.";
2437 }
2439 container latency {
2440 choice flavor {
2441 case lowest {
2442 leaf use-lowest-latency {
2443 type empty;
2444 description
2445 "The traffic class should use the path with the
2446 lowest latency.";
2447 }
2448 }
2449 case boundary {
2450 leaf latency-boundary {
2451 type uint16;
2452 units msec;
2453 default 400;
2454 description
2455 "The traffic class should use a path with a
2456 defined maximum latency.";
2457 }
2458 }
2459 description
2460 "Latency constraint on the traffic class.";
2461 }
2462 description
2463 "Latency constraint on the traffic class.";
2464 }
2465 container jitter {
2466 choice flavor {
2467 case lowest {
2468 leaf use-lowest-jitter {
2469 type empty;
2470 description
2471 "The traffic class should use the path with the
2472 lowest jitter.";
2473 }
2474 }
2475 case boundary {
2476 leaf jitter-boundary {
2477 type uint32;
2478 units usec;
2479 default 40000;
2480 description
2481 "The traffic class should use a path with a
2482 defined maximum jitter.";
2483 }
2484 }
2485 description
2486 "Jitter constraint on the traffic class.";
2487 }
2488 description
2489 "Jitter constraint on the traffic class.";
2490 }
2491 container bandwidth {
2492 leaf guaranteed-bw-percent {
2493 type decimal64 {
2494 fraction-digits 5;
2495 range "0..100";
2496 }
2497 units percent;
2498 mandatory true;
2499 description
2500 "To be used to define the guaranteed bandwidth
2501 as a percentage of the available service bandwidth.";
2502 }
2503 leaf end-to-end {
2504 type empty;
2505 description
2506 "Used if the bandwidth reservation
2507 must be done on the MPLS network too.";
2508 }
2509 description
2510 "Bandwidth constraint on the traffic class.";
2511 }
2512 description
2513 "List of classes of services.";
2514 }
2515 description
2516 "Container for list of classes of services.";
2517 }
2518 }
2519 }
2520 description
2521 "QoS profile configuration.";
2522 }
2523 description
2524 "QoS configuration.";
2525 }
2526 description
2527 "This grouping defines QoS parameters for a site.";
2528 }
2529 grouping site-security-authentication {
2530 container authentication {
2531 description
2532 "Authentication parameters.";
2533 }
2534 description
2535 "This grouping defines authentication parameters for a site.";
2536 }
2537 grouping site-security-encryption {
2538 container encryption {
2539 if-feature encryption;
2540 leaf enabled {
2541 type boolean;
2542 default false;
2543 description
2544 "If true, traffic encryption on the connection is required.";
2545 }
2546 leaf layer {
2547 when "../enabled = 'true'" {
2548 description
2549 "Require a value for layer when enabled is true.";
2550 }
2551 type enumeration {
2552 enum layer2 {
2553 description
2554 "Encryption will occur at Layer 2.";
2555 }
2556 enum layer3 {
2557 description
2558 "Encryption will occur at Layer 3.
2559 For example, IPsec may be used when
2560 a customer requests Layer 3 encryption.";
2561 }
2562 }
2563 description
2564 "Layer on which encryption is applied.";
2565 }
2566 description
2567 "Encryption parameters for the site.";
2568 }
2569 container encryption-profile {
2570 choice profile {
2571 case provider-profile {
2572 leaf profile-name {
2573 type leafref {
2574 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers"+
2575 "/encryption-profile-identifier/id";
2576 }
2577 description
2578 "Name of the SP profile to be applied.";
2579 }
2580 }
2581 case customer-profile {
2582 leaf algorithm {
2583 type string;
2584 description
2585 "Encryption algorithm to be used.";
2586 }
2587 }
2588 description
2589 "Choice between a provider-defined and a
customer-defined encryption profile.";
2590 }
2591 choice key-type {
2592 default psk;
2593 case psk {
2594 leaf preshared-key {
2595 type string;
2596 description
2597 "Pre-Shared Key (PSK) coming from the customer.";
2598 }
2599 }
2600 description
2601 "Type of key to be used.";
2604 }
2605 description
2606 "Encryption profile to be applied.";
2607 }
2608 description
2609 "This grouping defines encryption parameters for a site.";
2610 }
2612 grouping site-routing {
2613 container routing-protocols {
2614 list routing-protocol {
2615 key id;
2616 leaf id {
2617 type string;
2618 description
2619 "Identifier of the routing protocol entry.";
2620 }
2621 leaf type {
2622 type identityref {
2623 base routing-protocol-type;
2624 }
2625 description
2626 "Type of routing protocol.";
2627 }
2629 list routing-profiles {
2630 key "id";
2632 leaf id {
2633 type leafref {
2634 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers"+
2635 "/routing-profile-identifier/id";
2636 }
2637 description
2638 "Routing profile to be used.";
2639 }
2641 leaf type {
2642 type ie-type;
2643 description
2644 "Import, export or both.";
2645 }
2647 description
2648 "Import or export profile reference.";
2649 }
2650 container ospf {
2651 when "derived-from-or-self(../type, 'l3vpn-ntw:ospf')" {
2652 description
2653 "Only applies when protocol is OSPF.";
2654 }
2655 if-feature rtg-ospf;
2656 leaf-list address-family {
2657 type address-family;
2658 min-elements "1";
2659 description
2660 "If OSPF is used on this site, this node
2661 contains a configured value. This node
2662 contains at least one address family
2663 to be activated.";
2664 }
2665 leaf area-address {
2666 type yang:dotted-quad;
2667 mandatory true;
2668 description
2669 "Area address.";
2670 }
2671 leaf metric {
2672 type uint16;
2673 default 1;
2674 description
2675 "Metric of the PE-CE link. It is used
2676 in the routing state calculation and
2677 path selection.";
2678 }
2680 /* Extension */
2682 leaf mtu {
2683 type uint16;
2684 description
2685 "Maximum transmission unit for a given OSPF link.";
2686 }
2688 leaf process-id {
2689 type uint16;
2690 description
2691 "Process id of the OSPF CE-PE connection.";
2692 }
2693 uses security-params;
2695 /* End of Extension */
2696 container sham-links {
2697 if-feature rtg-ospf-sham-link;
2698 list sham-link {
2699 key target-site;
2700 leaf target-site {
2701 type svc-id;
2702 description
2703 "Target site for the sham link connection.
2704 The site is referred to by its ID.";
2705 }
2706 leaf metric {
2707 type uint16;
2708 default 1;
2709 description
2710 "Metric of the sham link. It is used in
2711 the routing state calculation and path
2712 selection. The default value is set
2713 to 1.";
2714 }
2715 description
2716 "Creates a sham link with another site.";
2717 }
2718 description
2719 "List of sham links.";
2720 }
2721 description
2722 "OSPF-specific configuration.";
2723 }
2724 container bgp {
2725 when "derived-from-or-self(../type, 'l3vpn-ntw:bgp')" {
2726 description
2727 "Only applies when protocol is BGP.";
2728 }
2729 if-feature rtg-bgp;
2730 leaf autonomous-system {
2731 type uint32;
2732 mandatory true;
2733 description
2734 "Customer AS number in case the customer
2735 requests BGP routing.";
2736 }
2737 leaf-list address-family {
2738 type address-family;
2739 min-elements "1";
2740 description
2741 "If BGP is used on this site, this node
2742 contains a configured value. This node
2743 contains at least one address family
2744 to be activated.";
2745 }
2746 /* Extension */
2747 leaf neighbor {
2748 type inet:ip-address;
2749 description
2750 "IP address of the BGP neighbor.";
2751 }
2753 leaf multihop {
2754 type uint8;
2755 description
2756 "Describes the number of hops allowed between the
2757 given BGP neighbor and the PE router.";
2758 }
2760 uses security-params;
2762 description
2763 "BGP-specific configuration.";
2764 }
2765 container static {
2766 when "derived-from-or-self(../type, 'l3vpn-ntw:static')" {
2767 description
2768 "Only applies when protocol is static.
2769 BGP activation requires the SP to know
2770 the address of the customer peer. When
2771 BGP is enabled, the 'static-address'
2772 allocation type for the IP connection
2773 MUST be used.";
2774 }
2775 container cascaded-lan-prefixes {
2776 list ipv4-lan-prefixes {
2777 if-feature ipv4;
2778 key "lan next-hop";
2779 leaf lan {
2780 type inet:ipv4-prefix;
2781 description
2782 "LAN prefixes.";
2783 }
2784 leaf lan-tag {
2785 type string;
2786 description
2787 "Internal tag to be used in VPN policies.";
2788 }
2789 leaf next-hop {
2790 type inet:ipv4-address;
2791 description
2792 "Next-hop address to use on the customer side.";
2793 }
2794 description
2795 "List of LAN prefixes for the site.";
2796 }
2797 list ipv6-lan-prefixes {
2798 if-feature ipv6;
2799 key "lan next-hop";
2800 leaf lan {
2801 type inet:ipv6-prefix;
2802 description
2803 "LAN prefixes.";
2804 }
2805 leaf lan-tag {
2806 type string;
2807 description
2808 "Internal tag to be used in VPN policies.";
2809 }
2810 leaf next-hop {
2811 type inet:ipv6-address;
2812 description
2813 "Next-hop address to use on the customer side.";
2814 }
2815 description
2816 "List of LAN prefixes for the site.";
2817 }
2818 description
2819 "LAN prefixes from the customer.";
2820 }
2821 description
2822 "Configuration specific to static routing.";
2823 }
2824 container rip {
2825 when "derived-from-or-self(../type, 'l3vpn-ntw:rip')" {
2826 description
2827 "Only applies when the protocol is RIP. For IPv4,
2828 the model assumes that RIP version 2 is used.";
2829 }
2830 if-feature rtg-rip;
2831 leaf-list address-family {
2832 type address-family;
2833 min-elements "1";
2834 description
2835 "If RIP is used on this site, this node
2836 contains a configured value. This node
2837 contains at least one address family
2838 to be activated.";
2839 }
2840 description
2841 "Configuration specific to RIP routing.";
2842 }
2843 container vrrp {
2844 when "derived-from-or-self(../type, 'l3vpn-ntw:vrrp')" {
2845 description
2846 "Only applies when protocol is VRRP.";
2847 }
2848 if-feature rtg-vrrp;
2849 leaf-list address-family {
2850 type address-family;
2851 min-elements "1";
2852 description
2853 "If VRRP is used on this site, this node
2854 contains a configured value. This node contains
2855 at least one address family to be activated.";
2856 }
2857 description
2858 "Configuration specific to VRRP routing.";
2859 }
2860 description
2861 "List of routing protocols used on
2862 the site. This list can be augmented.";
2863 }
2864 description
2865 "Defines routing protocols.";
2866 }
2867 description
2868 "Grouping for routing protocols.";
2869 }
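Each protocol-specific container in the site-routing grouping (ospf, bgp,
static, rip, vrrp) is gated by a 'when' of the form
derived-from-or-self(../type, 'l3vpn-ntw:<protocol>'), so a routing-protocol
entry may only carry the container that matches its type, and inside that
container the mandatory and min-elements statements apply. The Python below is
an added example, not part of the draft or of any implementation, that
implements derived-from-or-self() over a small identity table and checks those
rules for one routing-protocol list entry. The identity table assumes that
l3vpn-ntw:ospf, bgp, static, rip and vrrp are each derived directly from a
base identity routing-protocol-type, as the grouping's 'when' expressions
imply; those identities are defined elsewhere in the module. The instance
data at the bottom is constructed.

```python
"""Added example (not from the draft): evaluates the 'when' gating of the
protocol-specific containers in the site-routing grouping, plus the
mandatory / min-elements statements inside them.

The identity table is an assumption about the routing-protocol-type
identities referenced by the grouping; the instances are constructed.
"""

from typing import Dict, List, Optional

# identity -> base identity (None for a base identity).  Assumed hierarchy.
IDENTITY_BASE: Dict[str, Optional[str]] = {
    "l3vpn-ntw:routing-protocol-type": None,
    "l3vpn-ntw:ospf": "l3vpn-ntw:routing-protocol-type",
    "l3vpn-ntw:bgp": "l3vpn-ntw:routing-protocol-type",
    "l3vpn-ntw:static": "l3vpn-ntw:routing-protocol-type",
    "l3vpn-ntw:rip": "l3vpn-ntw:routing-protocol-type",
    "l3vpn-ntw:vrrp": "l3vpn-ntw:routing-protocol-type",
}

PROTOCOL_CONTAINERS = ("ospf", "bgp", "static", "rip", "vrrp")


def derived_from_or_self(identity: Optional[str], base: str) -> bool:
    """YANG 1.1 derived-from-or-self(): true if identity equals base or is
    transitively derived from it.  An absent or unknown identity never matches."""
    cur = identity
    while cur is not None:
        if cur == base:
            return True
        cur = IDENTITY_BASE.get(cur)
    return False


def validate_routing_protocol(entry: Dict) -> List[str]:
    """Return the constraint violations for one routing-protocol list entry."""
    errors: List[str] = []
    rtype = entry.get("type")
    if "id" not in entry:                               # list key
        errors.append("missing key 'id'")
    for proto in PROTOCOL_CONTAINERS:
        if proto not in entry:
            continue
        # A container whose 'when' is false must not exist in valid data.
        if not derived_from_or_self(rtype, f"l3vpn-ntw:{proto}"):
            errors.append(f"container '{proto}' present but type is {rtype!r}")
            continue
        body = entry[proto]
        if proto in ("ospf", "bgp", "rip", "vrrp"):
            if len(body.get("address-family", [])) < 1:  # min-elements "1"
                errors.append(f"{proto}/address-family needs at least one entry")
        if proto == "ospf" and "area-address" not in body:      # mandatory true
            errors.append("ospf/area-address is mandatory")
        if proto == "bgp" and "autonomous-system" not in body:  # mandatory true
            errors.append("bgp/autonomous-system is mandatory")
    return errors


# Constructed instances (AS 64496 and 192.0.2.0/24 are documentation values).
OK_BGP = {
    "id": "rp1",
    "type": "l3vpn-ntw:bgp",
    "bgp": {"autonomous-system": 64496, "address-family": ["ipv4"],
            "neighbor": "192.0.2.2", "multihop": 1},
}
BAD_MIXED = {
    "id": "rp2",
    "type": "l3vpn-ntw:ospf",
    "ospf": {"address-family": [], "metric": 10},          # no area-address
    "bgp": {"autonomous-system": 64497, "address-family": ["ipv4"]},
}

if __name__ == "__main__":
    for entry in (OK_BGP, BAD_MIXED):
        print(entry["id"], validate_routing_protocol(entry) or "OK")
```

Because derived_from_or_self() walks the base chain, a future identity derived
from l3vpn-ntw:bgp (the description notes the list can be augmented) would
still enable the bgp container, which is exactly the behaviour the 'when'
expressions select by using derived-from-or-self rather than equality.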
2870 grouping site-attachment-ip-connection {
2872 container ip-connection {
2873 container ipv4 {
2874 if-feature ipv4;
2875 leaf address-allocation-type {
2876 type identityref {
2877 base address-allocation-type;
2878 }
2879 must "not(derived-from-or-self(current(), 'l3vpn-ntw:slaac') or "+
2880 "derived-from-or-self(current(), "+
2881 "'l3vpn-ntw:provider-dhcp-slaac'))" {
2882 error-message "SLAAC is only applicable to IPv6";
2883 }
2884 description
2885 "Defines how addresses are allocated.
2886 If there is no value for the address
2887 allocation type, then IPv4 is not enabled.";
2889 }
2890 container provider-dhcp {
2891 when "derived-from-or-self(../address-allocation-type, "+
2892 "'l3vpn-ntw:provider-dhcp')" {
2893 description
2894 "Only applies when addresses are allocated by DHCP.";
2895 }
2896 leaf provider-address {
2897 type inet:ipv4-address;
2898 description
2899 "Address of provider side. If provider-address is not
2900 specified, then prefix length should not be specified
2901 either. It also implies provider-dhcp allocation is
2902 not enabled. If provider-address is specified, then
2903 the prefix length may or may not be specified.";
2904 }
2905 leaf prefix-length {
2906 type uint8 {
2907 range "0..32";
2908 }
2909 must "(../provider-address)" {
2910 error-message
2911 "If the prefix length is specified, provider-address
2912 must also be specified.";
2913 description
2914 "If the prefix length is specified, provider-address
2915 must also be specified.";
2916 }
2917 description
2918 "Subnet prefix length expressed in bits.
2919 If not specified, or specified as zero,
2920 this means the customer leaves the actual
2921 prefix length value to the provider.";
2922 }
2923 choice address-assign {
2924 default number;
2925 case number {
2926 leaf number-of-dynamic-address {
2927 type uint16;
2928 default 1;
2929 description
2930 "Describes the number of IP addresses
2931 the customer requires.";
2932 }
2933 }
2934 case explicit {
2935 container customer-addresses {
2936 list address-group {
2937 key "group-id";
2938 leaf group-id {
2939 type string;
2940 description
2941 "Group-id for the address range from
2942 start-address to end-address.";
2943 }
2944 leaf start-address {
2945 type inet:ipv4-address;
2946 description
2947 "First address.";
2948 }
2949 leaf end-address {
2950 type inet:ipv4-address;
2951 description
2952 "Last address.";
2953 }
2954 description
2955 "Describes IP addresses allocated by DHCP.
2956 When only start-address or only end-address
2957 is present, it represents a single address.
2958 When both start-address and end-address are
2959 specified, it implies a range inclusive of both
2960 addresses. If no address is specified, it implies
2961 customer addresses group is not supported.";
2962 }
2963 description
2964 "Container for customer addresses allocated by DHCP.";
2965 }
2966 }
2967 description
2968 "Choice for the way to assign addresses.";
2969 }
2970 description
2971 "DHCP allocated addresses related parameters.";
2972 }
2973 container dhcp-relay {
2974 when "derived-from-or-self(../address-allocation-type, "+
2975 "'l3vpn-ntw:provider-dhcp-relay')" {
2976 description
2977 "Only applies when provider is required to implement
2978 DHCP relay function.";
2979 }
2980 leaf provider-address {
2981 type inet:ipv4-address;
2982 description
2983 "Address of provider side. If provider-address is not
2984 specified, then prefix length should not be specified
2985 either. It also implies provider-dhcp allocation is
2986 not enabled. If provider-address is specified, then
2987 prefix length may or may not be specified.";
2988 }
2989 leaf prefix-length {
2990 type uint8 {
2991 range "0..32";
2992 }
2993 must "(../provider-address)" {
2994 error-message
2995 "If prefix length is specified, provider-address
2996 must also be specified.";
2997 description
2998 "If prefix length is specified, provider-address
2999 must also be specified.";
3000 }
3001 description
3002 "Subnet prefix length expressed in bits. If not
3003 specified, or specified as zero, this means the
3004 customer leaves the actual prefix length value
3005 to the provider.";
3006 }
3007 container customer-dhcp-servers {
3008 leaf-list server-ip-address {
3009 type inet:ipv4-address;
3010 description
3011 "IP address of customer DHCP server.";
3012 }
3013 description
3014 "Container for list of customer DHCP servers.";
3015 }
3016 description
3017 "DHCP relay provided by operator.";
3018 }
3019 container static-addresses {
3020 when "derived-from-or-self(../address-allocation-type, "+
3021 "'l3vpn-ntw:static-address')" {
3022 description
3023 "Only applies when protocol allocation type is static.";
3024 }
3025 leaf primary-address {
3026 type leafref {
3027 path "/l3vpn-ntw/vpn-services/vpn-service/vpn-nodes/"+
3028 "vpn-node/vpn-network-accesses/vpn-network-access/"+
3029 "ip-connection/ipv4/static-addresses/address/address-id";
3030 }
3031 description
3032 "Principal address of the connection.";
3033 }
3034 list address {
3035 key address-id;
3036 leaf address-id {
3037 type string;
3038 description
3039 "IPv4 Address";
3040 }
3041 leaf provider-address {
3042 type inet:ipv4-address;
3043 description
3044 "IPv4 address of the provider side.
3045 When the protocol allocation type is static,
3046 the provider address must be configured.";
3047 }
3048 leaf customer-address {
3049 type inet:ipv4-address;
3050 description
3051 "IPv4 Address of customer side.";
3052 }
3053 leaf prefix-length {
3054 type uint8 {
3055 range "0..32";
3056 }
3057 description
3058 "Subnet prefix length expressed in bits.
3059 It is applied to both provider-address
3060 and customer-address.";
3061 }
3062 description
3063 "Describes IPv4 addresses used.";
3064 }
3065 description
3066 "Describes IPv4 addresses used.";
3067 }
3068 description
3069 "IPv4-specific parameters.";
3070 }
3071 container ipv6 {
3072 if-feature ipv6;
3073 leaf address-allocation-type {
3074 type identityref {
3075 base address-allocation-type;
3076 }
3077 description
3078 "Defines how addresses are allocated.
3079 If there is no value for the address
3080 allocation type, then IPv6 is
3081 not enabled.";
3082 }
3084 container provider-dhcp {
3085 when "derived-from-or-self(../address-allocation-type, "+
3086 "'l3vpn-ntw:provider-dhcp') "+
3087 "or derived-from-or-self(../address-allocation-type, "+
3088 "'l3vpn-ntw:provider-dhcp-slaac')" {
3089 description
3090 "Only applies when addresses are allocated by DHCP.";
3091 }
3092 leaf provider-address {
3093 type inet:ipv6-address;
3094 description
3095 "Address of the provider side. If provider-address
3096 is not specified, then prefix length should not be
3097 specified either. It also implies provider-dhcp
3098 allocation is not enabled. If provider-address is
3099 specified, then prefix length may or may
3100 not be specified.";
3101 }
3102 leaf prefix-length {
3103 type uint8 {
3104 range "0..128";
3105 }
3106 must "(../provider-address)" {
3107 error-message
3108 "If prefix length is specified, provider-address
3109 must also be specified.";
3110 description
3111 "If prefix length is specified, provider-address
3112 must also be specified.";
3113 }
3114 description
3115 "Subnet prefix length expressed in bits. If not
3116 specified, or specified as zero, this means the
3117 customer leaves the actual prefix length value
3118 to the provider.";
3119 }
3120 choice address-assign {
3121 default number;
3122 case number {
3123 leaf number-of-dynamic-address {
3124 type uint16;
3125 default 1;
3126 description
3127 "Describes the number of IP addresses the customer
3128 requires.";
3130 }
3131 }
3132 case explicit {
3133 container customer-addresses {
3134 list address-group {
3135 key "group-id";
3136 leaf group-id {
3137 type string;
3138 description
3139 "Group-id for the address range from
3140 start-address to end-address.";
3141 }
3142 leaf start-address {
3143 type inet:ipv6-address;
3144 description
3145 "First address.";
3146 }
3147 leaf end-address {
3148 type inet:ipv6-address;
3149 description
3150 "Last address.";
3151 }
3152 description
3153 "Describes IP addresses allocated by DHCP. When only
3154 start-address or only end-address is present, it
3155 represents a single address. When both start-address
3156 and end-address are specified, it implies a range
3157 inclusive of both addresses. If no address is
3158 specified, it implies customer addresses group is
3159 not supported.";
3160 }
3161 description
3162 "Container for customer addresses allocated by DHCP.";
3163 }
3164 }
3165 description
3166 "Choice for the way to assign addresses.";
3167 }
3168 description
3169 "DHCP allocated addresses related parameters.";
3170 }
3171 container dhcp-relay {
3172 when "derived-from-or-self(../address-allocation-type, "+
3173 "'l3vpn-ntw:provider-dhcp-relay')" {
3174 description
3175 "Only applies when the provider is required
3176 to implement DHCP relay function.";
3177 }
3178 leaf provider-address {
3179 type inet:ipv6-address;
3180 description
3181 "Address of the provider side. If provider-address is
3182 not specified, then prefix length should not be
3183 specified either. It also implies provider-dhcp
3184 allocation is not enabled. If provider address
3185 is specified, then prefix length may or may
3186 not be specified.";
3187 }
3188 leaf prefix-length {
3189 type uint8 {
3190 range "0..128";
3191 }
3192 must "(../provider-address)" {
3193 error-message
3194 "If prefix length is specified, provider-address
3195 must also be specified.";
3196 description
3197 "If prefix length is specified, provider-address
3198 must also be specified.";
3199 }
3200 description
3201 "Subnet prefix length expressed in bits. If not
3202 specified, or specified as zero, this means the
3203 customer leaves the actual prefix length value
3204 to the provider.";
3205 }
3206 container customer-dhcp-servers {
3207 leaf-list server-ip-address {
3208 type inet:ipv6-address;
3209 description
3210 "This node contains the IP address of
3211 the customer DHCP server. If the DHCP relay
3212 function is implemented by the
3213 provider, this node contains the
3214 configured value.";
3215 }
3216 description
3217 "Container for list of customer DHCP servers.";
3218 }
3219 description
3220 "DHCP relay provided by operator.";
3221 }
3222 container static-addresses {
3223 when "derived-from-or-self(../address-allocation-type, "+
3224 "'l3vpn-ntw:static-address')" {
3225 description
3226 "Only applies when protocol allocation type is static.";
3227 }
3228 leaf primary-address {
3229 type leafref {
3230 path "/l3vpn-ntw/vpn-services/vpn-service/vpn-nodes/"+
3231 "vpn-node/vpn-network-accesses/vpn-network-access/"+
3232 "ip-connection/ipv6/static-addresses/address/address-id";
3233 }
3234 description
3235 "Principal address of the connection";
3236 }
3237 list address {
3238 key address-id;
3239 leaf address-id {
3240 type string;
3241 description
3242 "Identifier of this IPv6 address entry.";
3243 }
3244 leaf provider-address {
3245 type inet:ipv6-address;
3246 description
3247 "IPv6 Address of the provider side. When the protocol
3248 allocation type is static, the provider address
3249 must be configured.";
3250 }
3251 leaf customer-address {
3252 type inet:ipv6-address;
3253 description
3254 "The IPv6 Address of the customer side.";
3255 }
3256 leaf prefix-length {
3257 type uint8 {
3258 range "0..128";
3259 }
3260 description
3261 "Subnet prefix length expressed in bits.
3262 It is applied to both provider-address and
3263 customer-address.";
3264 }
3265 description
3266 "Describes IPv6 addresses used.";
3267 }
3268 description
3269 "Static IPv6 addressing parameters.";
3270 }
3271 description
3272 "IPv6-specific parameters.";
3273 }
3274 container oam {
3275 container bfd {
3276 if-feature bfd;
3277 leaf enabled {
3278 type boolean;
3279 default false;
3280 description
3281 "If true, BFD activation is required.";
3282 }
3283 choice holdtime {
3284 default fixed;
3285 case fixed {
3286 leaf fixed-value {
3287 type uint32;
3288 units msec;
3289 description
3290 "Expected BFD holdtime expressed in msec. The customer
3291 may impose some fixed values for the holdtime period
3292 if the provider allows the customer to use this function.
3293 If the provider doesn't allow the customer to use this
3294 function, the fixed-value will not be set.";
3295 }
3296 }
3297 case profile {
3298 leaf profile-name {
3299 type leafref {
3300 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers/"+
3301 "bfd-profile-identifier/id";
3302 }
3303 description
3304 "Well-known SP profile name. The provider can propose
3305 some profiles to the customer, depending on the service
3306 level the customer wants to achieve. Profile names
3307 must be communicated to the customer.";
3308 }
3309 description
3310 "Well-known SP profile.";
3311 }
3312 description
3313 "Choice for holdtime flavor.";
3314 }
3315 description
3316 "Container for BFD.";
3317 }
3318 description
3319 "Defines the Operations, Administration, and Maintenance (OAM)
3320 mechanisms used on the connection. BFD is set as a fault
3321 detection mechanism, but the 'oam' container can easily
3322 be augmented by other mechanisms";
3323 }
3324 description
3325 "Defines connection parameters.";
3326 }
3327 description
3328 "This grouping defines IP connection parameters.";
3329 }
3330 grouping site-service-multicast {
3331 container multicast {
3332 if-feature multicast;
3333 leaf multicast-site-type {
3334 type enumeration {
3335 enum receiver-only {
3336 description
3337 "The site only has receivers.";
3338 }
3339 enum source-only {
3340 description
3341 "The site only has sources.";
3342 }
3343 enum source-receiver {
3344 description
3345 "The site has both sources and receivers.";
3346 }
3347 }
3348 default source-receiver;
3349 description
3350 "Type of multicast site.";
3351 }
3352 container multicast-address-family {
3353 leaf ipv4 {
3354 if-feature ipv4;
3355 type boolean;
3356 default false;
3357 description
3358 "Enables IPv4 multicast.";
3359 }
3360 leaf ipv6 {
3361 if-feature ipv6;
3362 type boolean;
3363 default false;
3364 description
3365 "Enables IPv6 multicast.";
3366 }
3367 description
3368 "Defines protocol to carry multicast.";
3369 }
3371 leaf protocol-type {
3372 type enumeration {
3373 enum host {
3374 description
3375 "Hosts are directly connected to the provider network.
3376 Host protocols such as IGMP or MLD are required.";
3377 }
3378 enum router {
3379 description
3380 "Hosts are behind a customer router.
3381 PIM will be implemented.";
3382 }
3383 enum both {
3384 description
3385 "Some hosts are behind a customer router, and
3386 some others are directly connected to the
3387 provider network. Both host and routing protocols
3388 must be used. Typically, IGMP and PIM will be
3389 implemented.";
3390 }
3391 }
3392 default "both";
3393 description
3394 "Multicast protocol type to be used with the customer site.";
3395 }
3396 description
3397 "Multicast parameters for the site.";
3398 }
3399 description
3400 "Multicast parameters for the site.";
3401 }
3402 grouping site-maximum-routes {
3403 container maximum-routes {
3404 list address-family {
3405 key af;
3406 leaf af {
3407 type address-family;
3408 description
3409 "Address family.";
3410 }
3411 leaf maximum-routes {
3412 type uint32;
3413 description
3414 "Maximum prefixes the VRF can accept
3415 for this address family.";
3416 }
3417 description
3418 "List of address families.";
3420 }
3421 description
3422 "Defines 'maximum-routes' for the VRF.";
3423 }
3424 description
3425 "Defines 'maximum-routes' for the site.";
3426 }
3427 grouping site-security {
3428 container security {
3429 uses site-security-authentication;
3430 uses site-security-encryption;
3431 description
3432 "Site-specific security parameters.";
3433 }
3434 description
3435 "Grouping for security parameters.";
3436 }
3437 grouping network-access-service {
3438 container service {
3439 uses site-service-basic;
3440 /* Extension */
3441 /* uses svc-bandwidth-params; */
3442 /* EoExt */
3443 uses site-service-qos-profile;
3444 uses site-service-mpls;
3445 uses site-service-multicast;
3446 description
3447 "Service parameters on the attachment.";
3448 }
3449 description
3450 "Grouping for service parameters.";
3451 }
3452 grouping vpn-extranet {
3453 container extranet-vpns {
3454 if-feature extranet-vpn;
3455 list extranet-vpn {
3456 key vpn-id;
3457 leaf vpn-id {
3458 type svc-id;
3459 description
3460 "Identifies the target VPN the local VPN wants to access.";
3461 }
3462 leaf local-sites-role {
3463 type identityref {
3464 base site-role;
3465 }
3466 default any-to-any-role;
3467 description
3468 "This describes the role of the
3469 local sites in the target VPN topology. In the any-to-any VPN
3470 service topology, the local sites must have the same role, which
3471 will be 'any-to-any-role'. In the Hub-and-Spoke VPN service
3472 topology or the Hub-and-Spoke disjoint VPN service topology,
3473 the local sites must have a Hub role or a Spoke role.";
3474 }
3475 description
3476 "List of extranet VPNs or target VPNs the local VPN is
3477 attached to.";
3478 }
3479 description
3480 "Container for extranet VPN configuration.";
3481 }
3482 description
3483 "Grouping for extranet VPN configuration.
3484 This provides an easy way to interconnect
3485 all sites from two VPNs.";
3486 }
3487 grouping vpn-profile-cfg {
3488 container valid-provider-identifiers {
3489 list cloud-identifier {
3490 if-feature cloud-access;
3491 key id;
3492 leaf id {
3493 type string;
3494 description
3495 "Identification of cloud service.
3496 Local administration meaning.";
3497 }
3498 description
3499 "List for Cloud Identifiers.";
3500 }
3501 list encryption-profile-identifier {
3502 key id;
3503 leaf id {
3504 type string;
3505 description
3506 "Identification of the SP encryption profile
3507 to be used. Local administration meaning.";
3508 }
3509 description
3510 "List for encryption profile identifiers.";
3511 }
3512 list qos-profile-identifier {
3513 key id;
3514 leaf id {
3515 type string;
3516 description
3517 "Identification of the QoS Profile to be used.
3518 Local administration meaning.";
3519 }
3520 description
3521 "List for QoS Profile Identifiers.";
3522 }
3523 list bfd-profile-identifier {
3524 key id;
3525 leaf id {
3526 type string;
3527 description
3528 "Identification of the SP BFD Profile to be used.
3529 Local administration meaning.";
3530 }
3531 description
3532 "List for BFD Profile identifiers.";
3533 }
3535 list routing-profile-identifier {
3536 key id;
3537 leaf id {
3538 type string;
3539 description
3540 "Identification of the routing Profile to be used
3541 by the routing-protocols within sites and vpn-
3542 network-accesses. Local administration meaning.";
3543 }
3544 description
3545 "List for Routing Profile Identifiers.";
3546 }
3548 nacm:default-deny-write;
3549 description
3550 "Container for Valid Provider Identifiers.";
3551 }
3553 description
3554 "Grouping for VPN Profile configuration.";
3555 }
3556 grouping vpn-svc-cfg {
3557 leaf vpn-id {
3558 type svc-id;
3559 description
3560 "VPN identifier. Local administration meaning.";
3561 }
3562 leaf customer-name {
3563 type string;
3564 description
3565 "Name of the customer that actually uses the VPN service.
3566 In the case that any intermediary (e.g., Tier-2 provider
3567 or partner) sells the VPN service to their end user
3568 on behalf of the original service provider (e.g., Tier-1
3569 provider), the original service provider may require the
3570 customer name to provide smooth activation/commissioning
3571 and operation for the service.";
3572 }
3573 leaf vpn-service-topology {
3574 type identityref {
3575 base vpn-topology;
3576 }
3577 default any-to-any;
3578 description
3579 "VPN service topology.";
3580 }
3582 leaf description {
3583 type string;
3584 description
3585 "Textual description of a VPN service.";
3586 }
3588 uses ie-profiles-params;
3589 uses vpn-nodes-params;
3590 uses vpn-service-multicast;
3591 /* uses vpn-service-mpls; */
3592 /* uses vpn-extranet;*/
3593 description
3594 "Grouping for VPN service configuration.";
3595 }
3596 grouping site-network-access-top-level-cfg {
3597 uses status-params;
3598 leaf vpn-network-access-type {
3599 type identityref {
3600 base site-network-access-type;
3601 }
3602 default point-to-point;
3603 description
3604 "Describes the type of connection, e.g.,
3605 point-to-point or multipoint.";
3606 }
3607 uses ethernet-params;
3608 uses site-attachment-ip-connection;
3609 uses site-security;
3610 uses site-routing;
3611 description
3612 "Grouping for site network access top-level configuration.";
3613 }
3615 /* Bearers in a site */
3616 grouping site-bearer-params {
3617 container site-bearers {
3618 list bearer {
3619 key "bearer-id";
3620 leaf bearer-id {
3621 type string;
3622 description "Identifier of the bearer.";
3623 }
3624 leaf BearerType {
3625 type identityref {
3626 base bearer-inf-type;
3627 }
3628 description
3629 "Request for a bearer access type.
3630 Choose between port or lag connection type.";
3631 }
3633 leaf ne-id {
3634 type string;
3635 description
3636 "NE-id reference.";
3637 }
3639 leaf port-id {
3640 type string;
3641 description
3642 "Port-id in the format slot/card/port.";
3643 }
3644 leaf lag-id {
3645 type string;
3646 description
3647 "lag-id in format id.";
3648 }
3649 description
3650 "Parameters used to identify each bearer";
3651 }
3652 description
3653 "Container for the site bearer assignment.";
3654 }
3655 description
3656 "Grouping to reuse the site bearer assignment.";
3657 }
3659 /* UNUSED */
3660 grouping svc-bandwidth-params {
3661 container svc-bandwidth {
3662 if-feature "input-bw";
3663 list bandwidth {
3664 key "direction type";
3665 leaf direction {
3666 type identityref {
3667 base bw-direction;
3668 }
3669 description
3670 "Indicates the bandwidth direction. It can be
3671 the bandwidth download direction from the SP to
3672 the site or the bandwidth upload direction from
3673 the site to the SP.";
3674 }
3675 leaf type {
3676 type identityref {
3677 base bw-type;
3678 }
3679 description
3680 "Bandwidth type. By default, the bandwidth type
3681 is set to 'bw-per-cos'.";
3682 }
3683 leaf cos-id {
3684 when "derived-from-or-self(../type, "
3685 + "'l3vpn-ntw:bw-per-cos')" {
3686 description
3687 "Relevant when the bandwidth type is set to
3688 'bw-per-cos'.";
3689 }
3690 type uint8;
3691 description
3692 "Identifier of the CoS, indicated by DSCP or a
3693 CE-VLAN CoS (802.1p) value in the service frame.
3694 If the bandwidth type is set to 'bw-per-cos',
3695 the CoS ID MUST also be specified.";
3696 }
3697 leaf vpn-id {
3698 when "derived-from-or-self(../type, "
3699 + "'l3vpn-ntw:bw-per-svc')" {
3700 description
3701 "Relevant when the bandwidth type is
3702 set as bandwidth per VPN service.";
3703 }
3704 type svc-id;
3705 description
3706 "Identifies the target VPN. If the bandwidth
3707 type is set as bandwidth per VPN service, the
3708 vpn-id MUST be specified.";
3709 }
3710 leaf cir {
3711 type uint64;
3712 units "bps";
3713 mandatory true;
3714 description
3715 "Committed Information Rate. The maximum number
3716 of bits that a port can receive or send over
3717 an interface in one second.";
3718 }
3719 leaf cbs {
3720 type uint64;
3721 units "bps";
3722 mandatory true;
3723 description
3724 "Committed Burst Size (CBS). Controls the bursty
3725 nature of the traffic. Traffic that does not
3726 use the configured Committed Information Rate
3727 (CIR) accumulates credits until the credits
3728 reach the configured CBS.";
3729 }
3730 leaf eir {
3731 type uint64;
3732 units "bps";
3733 description
3734 "Excess Information Rate (EIR), i.e., excess frame
3735 delivery allowed that is not subject to an SLA.
3736 The traffic rate can be limited by the EIR.";
3737 }
3738 leaf ebs {
3739 type uint64;
3740 units "bps";
3741 description
3742 "Excess Burst Size (EBS). The bandwidth available
3743 for burst traffic from the EBS is subject to the
3744 amount of bandwidth that is accumulated during
3745 periods when traffic allocated by the EIR
3746 policy is not used.";
3747 }
3748 leaf pir {
3749 type uint64;
3750 units "bps";
3751 description
3752 "Peak Information Rate, i.e., maximum frame
3753 delivery allowed. It is equal to or less
3754 than the sum of the CIR and the EIR.";
3755 }
3756 leaf pbs {
3757 type uint64;
3758 units "bps";
3759 description
3760 "Peak Burst Size. It is measured in bytes per
3761 second.";
3762 }
3763 description
3764 "List of bandwidth values (e.g., per CoS,
3765 per vpn-id).";
3766 }
3767 description
3768 "From the customer site's perspective, the service
3769 input/output bandwidth of the connection or
3770 download/upload bandwidth from the SP/site
3771 to the site/SP.";
3772 }
3773 description
3774 "Grouping for the service bandwidth parameters.";
3775 }
3777 grouping status-params {
3778 container status {
3779 leaf admin-enabled {
3780 type boolean;
3781 description
3782 "Administrative Status UP/DOWN";
3783 }
3784 leaf oper-status {
3785 type operational-type;
3786 config false;
3787 description
3788 "Operational status.";
3789 }
3790 description "Container for the administrative and operational status.";
3791 }
3792 description
3793 "Grouping used to join operational and administrative status;
3794 it is reused in the Site Network Access and in the VPN node.";
3795 }
3797 /* Parameters related to vpn-nodes (VRF config.) */
3798 grouping vpn-nodes-params {
3799 container vpn-nodes {
3800 description "Container for the VPN nodes.";
3801 list vpn-node {
3802 key "vpn-node-id ne-id";
3804 leaf vpn-node-id {
3805 type string;
3806 description "Identifier of the VPN node.";
3807 }
3809 leaf autonomous-system {
3810 type uint32;
3811 description
3812 "Provider AS number in case the customer
3813 requests BGP routing.";
3814 }
3816 leaf description {
3817 type string;
3818 description
3819 "Textual description of a VPN node.";
3820 }
3821 leaf ne-id {
3822 type string;
3823 description "Identifier of the network element hosting the VPN node.";
3824 }
3826 leaf router-id {
3827 type inet:ip-address;
3828 description
3829 "Router-id; it can be an IPv4 or an IPv6 address.";
3830 }
3832 leaf address-family {
3833 type address-family;
3834 description
3835 "Address family used for router-id information.";
3836 }
3838 leaf node-role {
3839 type identityref {
3840 base site-role;
3841 }
3842 default any-to-any-role;
3843 description
3844 "Role of the vpn-node in the IP VPN.";
3845 }
3846 uses rt-rd;
3847 uses status-params;
3848 uses net-acc;
3849 uses site-maximum-routes;
3851 leaf node-ie-profile {
3852 type leafref {
3853 path "/l3vpn-ntw/vpn-services/"+
3854 "vpn-service/ie-profiles/ie-profile/ie-profile-id";
3855 }
3856 description "Reference to the import/export profile applied to this VPN node.";
3857 }
3858 description "List of VPN nodes.";
3859 }
3860 }
3861 description "Grouping to define VRF-specific configuration.";
3862 }
3864 /* Parameters related to import and export profiles (RTs RDs.) */
3865 grouping ie-profiles-params {
3866 container ie-profiles {
3867 list ie-profile {
3868 key "ie-profile-id";
3869 leaf ie-profile-id {
3870 type string;
3871 description
3872 "Identifier of the import/export profile.";
3873 }
3874 uses rt-rd;
3875 description
3876 "List of import/export profiles.";
3877 }
3878 description
3879 "Container for the import/export profiles.";
3880 }
3881 description
3882 "Grouping to specify rules for route import and export";
3883 }
3885 grouping pseudowire-params {
3886 container pseudowire {
3887 /*leaf far-end {*/
3888 /* description "IP of the remote peer of the pseudowire.";*/
3889 /* type inet:ip-address;*/
3890 /*}*/
3891 leaf vcid {
3892 type uint32;
3893 description
3894 "PW or VC identifier.";
3895 }
3896 description
3897 "Pseudowire termination parameters";
3898 }
3899 description
3900 "Grouping pseudowire termination parameters";
3901 }
3903 grouping security-params {
3904 container security {
3905 leaf auth-key {
3906 type string;
3907 description
3908 "MD5 authentication password for the connection towards the
3909 customer edge.";
3910 }
3911 description
3912 "Container for aggregating any security parameter for routing
3913 sessions between a PE and a CE.";
3914 }
3915 description
3916 "Grouping to define security parameters";
3917 }
3919 grouping ethernet-params {
3920 container connection {
3921 leaf encapsulation-type {
3922 type identityref {
3923 base encapsulation-type;
3924 }
3925 default "untagged-int";
3926 description
3927 "Encapsulation type. By default, the
3928 encapsulation type is set to 'untagged-int'.";
3929 }
3930 container tagged-interface {
3931 leaf type {
3932 type identityref {
3933 base tagged-inf-type;
3934 }
3935 default "priority-tagged";
3936 description
3937 "Tagged interface type. By default,
3938 the type of the tagged interface is
3939 'priority-tagged'.";
3940 }
3941 container dot1q-vlan-tagged {
3942 when "derived-from-or-self(../type, "
3943 + "'l3vpn-ntw:dot1q')" {
3944 description
3945 "Only applies when the type of the tagged
3946 interface is 'dot1q'.";
3947 }
3948 if-feature "dot1q";
3949 leaf tag-type {
3950 type identityref {
3951 base tag-type;
3952 }
3953 default "c-vlan";
3954 description
3955 "Tag type. By default, the tag type is
3956 'c-vlan'.";
3957 }
3958 leaf cvlan-id {
3959 type uint16;
3960 description
3961 "VLAN identifier.";
3962 }
3963 description
3964 "Tagged interface.";
3965 }
3966 container priority-tagged {
3967 when "derived-from-or-self(../type, "
3968 + "'l3vpn-ntw:priority-tagged')" {
3969 description
3970 "Only applies when the type of the tagged
3971 interface is 'priority-tagged'.";
3972 }
3973 leaf tag-type {
3974 type identityref {
3975 base tag-type;
3976 }
3977 default "c-vlan";
3978 description
3979 "Tag type. By default, the tag type is
3980 'c-vlan'.";
3981 }
3982 description
3983 "Priority tagged.";
3984 }
3985 container qinq {
3986 when "derived-from-or-self(../type, "
3987 + "'l3vpn-ntw:qinq')" {
3988 description
3989 "Only applies when the type of the tagged
3990 interface is 'qinq'.";
3991 }
3992 if-feature "qinq";
3993 leaf tag-type {
3994 type identityref {
3995 base tag-type;
3996 }
3997 default "c-s-vlan";
3998 description
3999 "Tag type. By default, the tag type is
4000 'c-s-vlan'.";
4001 }
4002 leaf svlan-id {
4003 type uint16;
4004 mandatory true;
4005 description
4006 "SVLAN identifier.";
4007 }
4008 leaf cvlan-id {
4009 type uint16;
4010 mandatory true;
4011 description
4012 "CVLAN identifier.";
4013 }
4014 description
4015 "QinQ.";
4016 }
4017 container qinany {
4018 when "derived-from-or-self(../type, "
4019 + "'l3vpn-ntw:qinany')" {
4020 description
4021 "Only applies when the type of the tagged
4022 interface is 'qinany'.";
4023 }
4024 if-feature "qinany";
4025 leaf tag-type {
4026 type identityref {
4027 base tag-type;
4028 }
4029 default "s-vlan";
4030 description
4031 "Tag type. By default, the tag type is
4032 's-vlan'.";
4033 }
4034 leaf svlan-id {
4035 type uint16;
4036 mandatory true;
4037 description
4038 "Service VLAN ID.";
4039 }
4040 description
4041 "Container for QinAny.";
4042 }
4043 container vxlan {
4044 when "derived-from-or-self(../type, "
4045 + "'l3vpn-ntw:vxlan')" {
4046 description
4047 "Only applies when the type of the tagged
4048 interface is 'vxlan'.";
4049 }
4050 if-feature "vxlan";
4051 leaf vni-id {
4052 type uint32;
4053 mandatory true;
4054 description
4055 "VXLAN Network Identifier (VNI).";
4056 }
4057 leaf peer-mode {
4058 type identityref {
4059 base vxlan-peer-mode;
4060 }
4061 default "static-mode";
4062 description
4063 "Specifies the VXLAN access mode. By default,
4064 the peer mode is set to 'static-mode'.";
4065 }
4066 list peer-list {
4067 key "peer-ip";
4068 leaf peer-ip {
4069 type inet:ip-address;
4070 description
4071 "Peer IP.";
4072 }
4073 description
4074 "List of peer IP addresses.";
4075 }
4076 description
4077 "Container for VXLAN.";
4078 }
4079 description
4080 "Container for tagged interfaces.";
4081 }
4082 container bearer {
4083 leaf bearer-reference {
4084 if-feature bearer-reference;
4085 type string;
4086 description
4087 "This is an internal reference for the SP.";
4088 }
4089 uses pseudowire-params {
4090 when "/l3vpn-ntw/vpn-services/vpn-service/vpn-nodes/"+
4091 "vpn-node/vpn-network-accesses/vpn-network-access/"+
4092 "vpn-network-access-type ='pseudowire'"
4093 {
4094 description "pseudowire specific parameters";
4095 }
4096 }
4097 description
4098 "Defines physical properties of a site attachment.";
4099 }
4100 description
4101 "Encapsulation types";
4102 }
4103 description
4104 "Grouping to define encapsulation types";
4105 }
4107 grouping rt-rd {
4108 leaf rd {
4109 type rt-types:route-distinguisher;
4110 description
4111 "Route distinguisher of the VRF.";
4112 }
4113 container vpn-targets {
4114 description
4115 "Set of route-targets to match for import and export routes
4116 to/from VRF";
4117 uses rt-types:vpn-route-targets;
4118 }
4119 description
4120 "Grouping for the route distinguisher and the route targets.";
4121 }
4123 grouping net-acc {
4124 container vpn-network-accesses {
4125 list vpn-network-access {
4126 key vpn-network-access-id;
4127 leaf vpn-network-access-id {
4128 type svc-id;
4129 description
4130 "Identifier for the access.";
4131 }
4132 leaf description {
4133 type string;
4134 description
4135 "Textual description of the VPN network access.";
4136 }
4137 uses site-network-access-top-level-cfg;
4138 description
4139 "List of accesses for a site.";
4140 }
4141 description
4142 "Container for the network accesses of a site.";
4143 }
4144 description
4145 "Main block of the Network Access.";
4146 }
4148 /* Main blocks */
4149 container l3vpn-ntw {
4150 container vpn-profiles {
4151 uses vpn-profile-cfg;
4152 description
4153 "Container for VPN Profiles.";
4154 }
4155 container vpn-services {
4156 list vpn-service {
4157 key vpn-id;
4158 uses vpn-svc-cfg;
4159 description
4160 "List of VPN services.";
4161 }
4162 description
4163 "Top-level container for the VPN services.";
4164 }
4165 description
4166 "Main container for L3VPN service configuration.";
4167 }
4168 }
4169
4171 Figure 15
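The ipv6 part of the site-attachment-ip-connection grouping in Figure 15 carries several constraints that a controller has to honour before pushing a service: the 'when' statements on dhcp-relay and static-addresses, the 'must "(../provider-address)"' rule on prefix-length, the leafref from primary-address to address/address-id, and the requirement that the provider address be configured for static allocation. The following pre-commit validator is an added example, not code from the draft or from any of the implementations described later; it works on the JSON encoding of the ipv6 container, the JSON key names follow the module, the identity names are assumed to be spelled exactly as the 'when' expressions spell them, and the three instances (GOOD_STATIC, BAD_RELAY, BAD_REF) are constructed for the example. The same-subnet check on static entries goes beyond the YANG text and is marked as such.

```python
import ipaddress
from typing import Dict, List

# Identity names exactly as the module's 'when' expressions spell them (assumed).
PROVIDER_DHCP_RELAY = "l3vpn-ntw:provider-dhcp-relay"
STATIC_ADDRESS = "l3vpn-ntw:static-address"

def is_ipv6(value) -> bool:
    """True when value is a textual IPv6 address (inet:ipv6-address)."""
    try:
        return ipaddress.ip_address(str(value)).version == 6
    except ValueError:
        return False

def check_prefix_length(node: Dict, where: str, needs_provider: bool) -> List[str]:
    """range "0..128" on prefix-length; with needs_provider also the dhcp-relay
    rule 'must "(../provider-address)"'."""
    errors: List[str] = []
    if "prefix-length" not in node:
        return errors
    pl = node["prefix-length"]
    if not isinstance(pl, int) or not 0 <= pl <= 128:
        errors.append(f"{where}: prefix-length {pl!r} outside 0..128")
    if needs_provider and "provider-address" not in node:
        errors.append(f"{where}: prefix-length given without provider-address")
    return errors

def validate_ipv6_connection(ipv6: Dict) -> List[str]:
    """Return the list of violations; an empty list means the instance passes."""
    errors: List[str] = []
    alloc = ipv6.get("address-allocation-type")
    # 'when' statements: each container is only valid for its allocation type.
    if "dhcp-relay" in ipv6 and alloc != PROVIDER_DHCP_RELAY:
        errors.append("dhcp-relay present but address-allocation-type is not provider-dhcp-relay")
    if "static-addresses" in ipv6 and alloc != STATIC_ADDRESS:
        errors.append("static-addresses present but address-allocation-type is not static-address")
    relay = ipv6.get("dhcp-relay")
    if relay is not None:
        errors += check_prefix_length(relay, "dhcp-relay", needs_provider=True)
        if "provider-address" in relay and not is_ipv6(relay["provider-address"]):
            errors.append("dhcp-relay: provider-address is not an IPv6 address")
        for srv in relay.get("customer-dhcp-servers", {}).get("server-ip-address", []):
            if not is_ipv6(srv):
                errors.append(f"dhcp-relay: customer DHCP server {srv!r} is not an IPv6 address")
    static = ipv6.get("static-addresses")
    if static is not None:
        seen: List[str] = []
        for entry in static.get("address", []):
            aid = entry.get("address-id")
            where = f"static-addresses/address[{aid}]"
            if aid in seen:
                errors.append(f"{where}: duplicate address-id")
            seen.append(aid)
            if "provider-address" not in entry:
                errors.append(f"{where}: provider-address must be configured for static allocation")
            for leaf in ("provider-address", "customer-address"):
                if leaf in entry and not is_ipv6(entry[leaf]):
                    errors.append(f"{where}: {leaf} is not an IPv6 address")
            errors += check_prefix_length(entry, where, needs_provider=False)
            # Added sanity check beyond the YANG text: prefix-length "is applied to
            # both" ends of the link, so both addresses must share that prefix.
            pl = entry.get("prefix-length")
            if (isinstance(pl, int) and 0 <= pl <= 128 and is_ipv6(entry.get("provider-address"))
                    and is_ipv6(entry.get("customer-address"))):
                net = ipaddress.ip_network(f'{entry["provider-address"]}/{pl}', strict=False)
                if ipaddress.ip_address(entry["customer-address"]) not in net:
                    errors.append(f"{where}: customer-address is outside {net}")
        # leafref: primary-address must name one of the configured address-id keys.
        primary = static.get("primary-address")
        if primary is not None and primary not in seen:
            errors.append(f"static-addresses: primary-address {primary!r} matches no address-id")
    return errors

# Constructed instances (JSON encoding of the ipv6 container).
GOOD_STATIC = {"address-allocation-type": STATIC_ADDRESS, "static-addresses": {
    "primary-address": "link-1",
    "address": [{"address-id": "link-1", "provider-address": "2001:db8:1::1",
                 "customer-address": "2001:db8:1::2", "prefix-length": 64}]}}
BAD_RELAY = {"address-allocation-type": STATIC_ADDRESS,          # wrong type for dhcp-relay
             "dhcp-relay": {"prefix-length": 64,                  # must: needs provider-address
                            "customer-dhcp-servers": {"server-ip-address": ["192.0.2.10"]}}}
BAD_REF = {"address-allocation-type": STATIC_ADDRESS, "static-addresses": {
    "primary-address": "link-9",                                  # dangling leafref
    "address": [{"address-id": "link-1", "provider-address": "2001:db8:1::1",
                 "customer-address": "2001:db8:2::2", "prefix-length": 64}]}}  # other subnet

if __name__ == "__main__":
    for name, inst in (("good", GOOD_STATIC), ("bad-relay", BAD_RELAY), ("bad-ref", BAD_REF)):
        print(name, validate_ipv6_connection(inst) or "OK")
```

Running the checks on the orchestrator side, before the NETCONF edit-config is sent, turns a device-side rpc-error into an actionable message naming the offending list entry; the same functions can be reused for the ipv4 container by swapping the address check.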
4173 8. IANA Considerations
4175 This document requests IANA to register the following URI in the "ns"
4176 subregistry within the "IETF XML Registry" [RFC3688]:
4178 URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw
4180 Registrant Contact: The IESG.
4182 XML: N/A; the requested URI is an XML namespace.
4184 This document requests IANA to register the following YANG module in
4185 the "YANG Module Names" subregistry [RFC6020] within the "YANG
4186 Parameters" registry.
4188 name: ietf-l3vpn-ntw
4190 namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw
4192 maintained by IANA: N
4194 prefix: l3nm
4196 reference: RFC XXXX
4198 9. Security Considerations
4200 The YANG module specified in this document defines a schema for data
4201 that is designed to be accessed via network management protocols such
4202 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF
4203 layer is the secure transport layer, and the mandatory-to-implement
4204 secure transport is Secure Shell (SSH) [RFC6242]. The lowest
4205 RESTCONF layer is HTTPS, and the mandatory-to-implement secure
4206 transport is TLS [RFC8466].
4208 The Network Configuration Access Control Model (NACM) [RFC8341]
4209 provides the means to restrict access for particular NETCONF or
4210 RESTCONF users to a preconfigured subset of all available NETCONF or
4211 RESTCONF protocol operations and content.
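To make the NACM protection concrete for this module, the following added example (not code from the draft) replays the RFC 8341 decision for data-node access over a constructed rule set: rule-lists are consulted in order for the groups the user belongs to, the first rule whose path covers the node and whose access-operations include the operation wins, a node the module marks nacm:default-deny-write (valid-provider-identifiers in the module above) is denied for writes when no rule matched, and otherwise the global read-default (permit) and write-default (deny) apply. The group names, rule-lists and the POLICY itself are constructed for the example; module-name matching, enable-nacm and the recovery session are left out.

```python
from dataclasses import dataclass
from typing import Iterable, List

WRITE_OPS = {"create", "update", "delete"}

@dataclass
class Rule:
    path: str               # the rule covers this data node and everything below it
    access_operations: str  # "*" or a space-separated subset of: create read update delete
    action: str             # "permit" or "deny"

@dataclass
class RuleList:
    name: str
    groups: List[str]
    rules: List[Rule]

# The one subtree the module above marks nacm:default-deny-write.
DEFAULT_DENY_WRITE = ("/l3vpn-ntw/vpn-profiles/valid-provider-identifiers",)

def covers(rule_path: str, node_path: str) -> bool:
    """Path-rule semantics: the rule applies to the node and all its descendants."""
    r = rule_path.strip("/").split("/")
    n = node_path.strip("/").split("/")
    return n[:len(r)] == r

def decide(user_groups: Iterable[str], op: str, node_path: str, rule_lists: List[RuleList],
           read_default: str = "permit", write_default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one data-node access (simplified RFC 8341)."""
    groups = set(user_groups)
    for rl in rule_lists:                       # rule-lists in order ...
        if not groups & set(rl.groups):
            continue
        for rule in rl.rules:                   # ... rules in order, first match wins
            ops = rule.access_operations.split()
            if ("*" in ops or op in ops) and covers(rule.path, node_path):
                return rule.action
    # No rule matched: the module's own nacm:default-deny-write marking applies to writes.
    if op in WRITE_OPS and any(covers(p, node_path) for p in DEFAULT_DENY_WRITE):
        return "deny"
    return read_default if op == "read" else write_default

# Constructed policy: a NOC group may read service state but not customer identity,
# VPN operators own the services subtree, only profile admins edit provider profiles.
POLICY = [
    RuleList("noc-readonly", ["noc"], [
        Rule("/l3vpn-ntw/vpn-services/vpn-service/customer-name", "read", "deny"),
        Rule("/l3vpn-ntw", "read", "permit"),
    ]),
    RuleList("vpn-operators", ["vpn-ops"], [Rule("/l3vpn-ntw/vpn-services", "*", "permit")]),
    RuleList("profile-admins", ["profile-admin"], [Rule("/l3vpn-ntw/vpn-profiles", "*", "permit")]),
]

SERVICES = "/l3vpn-ntw/vpn-services/vpn-service"
PROFILES = "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers/qos-profile-identifier"

if __name__ == "__main__":
    for groups, op, path in ((["noc"], "read", SERVICES + "/customer-name"),
                             (["noc"], "delete", SERVICES),
                             (["vpn-ops"], "update", PROFILES),
                             (["guest"], "read", SERVICES)):
        print(groups, op, path, "->", decide(groups, op, path, POLICY))
```

The last case in the usage loop is the one to notice: a user in no rule-list can still read the whole vpn-services subtree because read-default is permit, so the read restriction on customer-name only holds for groups that carry an explicit deny rule (or when the operator lowers read-default).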
4213 The ietf-l3vpn-ntw module is used to manage L3 VPNs in a service
4214 provider backbone network. Hence, the module can be used to request,
4215 modify, or retrieve L3VPN services. For example, the creation of a
4216 vpn-service leaf instance triggers the creation of an L3 VPN Service
4217 in a Service Provider Network.
4219 Due to the foreseen use of the YANG module, there are a number of
4220 data nodes defined in this YANG module that are writable/creatable/
4221 deletable (i.e., config true, which is the default). These data
4222 nodes MAY be considered sensitive or vulnerable in some network
4223 environments. Write operations (e.g., edit-config) and delete
4224 operations to these data nodes without proper protection or
4225 authentication can have a negative effect on network operations.
4226 These are the subtrees and data nodes and their sensitivity/
4227 vulnerability in the ietf-l3vpn-ntw module:
4229 o vpn-service: An attacker who is able to access network nodes can
4230 undertake various attacks, such as deleting a running L3 VPN
4231 Service, interrupting all the traffic of a client. In addition,
4232 an attacker may modify the attributes of a running service (e.g.,
4233 QoS, bandwidth, routing protocols), leading to malfunctioning of
4234 the service and therefore to SLA violations. In addition, an
4235 attacker could attempt to create a L3 VPN Service. Such activity
4236 can be detected by monitoring and tracking network configuration
4237 changes.
4239 o COMPLETE rest of critical data nodes and subtrees
4241 Some of the readable data nodes in this YANG module may be considered
4242 sensitive or vulnerable in some network environments. It is thus
4243 important to control read access (e.g., via get, get-config, or
4244 notification) to these data nodes. These are the subtrees and data
4245 nodes and their sensitivity/vulnerability:
4247 o customer-name and ip-connection: An attacker can retrieve privacy-
4248 related information which can be used to track a customer.
4249 Disclosing such information may be considered as a violation of
4250 the customer-provider trust relationship.
4252 Summing up, the foreseen risks of using the l3vpn-ntw module can be
4253 classified into:
4255 o Malicious clients attempting to delete or modify services
4257 o Unauthorized clients attempting to create/modify/delete a service
4259 o Unauthorized clients attempting to read service information
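The text above notes that deletion or modification of a running service can be detected by monitoring and tracking configuration changes. The following added example (not code from the draft) shows one way to do that for this module: it diffs two snapshots of the l3vpn-ntw/vpn-services subtree, matching list entries by the keys the module defines (vpn-id, "vpn-node-id ne-id", vpn-network-access-id, af, ie-profile-id) rather than by position, and rates each finding against the three risk classes listed above. The two snapshots OLD and NEW, the service names and the severity table are constructed for the example.

```python
import re
from typing import Any, Dict, List

# List keys as the module defines them, so entries are matched by key, not by position.
LIST_KEYS = {
    "vpn-service": ("vpn-id",),
    "vpn-node": ("vpn-node-id", "ne-id"),
    "vpn-network-access": ("vpn-network-access-id",),
    "address-family": ("af",),
    "ie-profile": ("ie-profile-id",),
}
# Subtrees whose modification the security considerations single out (constructed table).
SENSITIVE = ("/vpn-targets", "/rd", "/routing-protocols", "/qos", "/maximum-routes",
             "/security", "/svc-bandwidth")
SERVICE_RE = re.compile(r"^/l3vpn-ntw/vpn-services/vpn-service\[[^\]]*\]$")

def _entry_key(entry: Dict, keys) -> str:
    return "|".join(str(entry.get(k)) for k in keys)

def diff_tree(old: Any, new: Any, path: str, out: List[Dict]) -> None:
    """Structural diff; keyed lists are compared entry by entry under path[key]."""
    if old == new:
        return
    if isinstance(old, dict) and isinstance(new, dict):
        for k in sorted(set(old) | set(new)):
            diff_tree(old.get(k), new.get(k), f"{path}/{k}", out)
        return
    if isinstance(old, list) and isinstance(new, list):
        keys = LIST_KEYS.get(path.rsplit("/", 1)[-1])
        if keys and all(isinstance(e, dict) for e in old + new):
            o = {_entry_key(e, keys): e for e in old}
            n = {_entry_key(e, keys): e for e in new}
            for k in sorted(set(o) | set(n)):
                diff_tree(o.get(k), n.get(k), f"{path}[{k}]", out)
            return
    out.append({"path": path, "old": old, "new": new})

def _severity(finding: Dict) -> str:
    path, new = finding["path"], finding["new"]
    if SERVICE_RE.match(path):                  # whole vpn-service removed or created
        return "critical" if new is None else "medium"
    if new is None and re.search(r"\[[^\]]*\]$", path):
        return "high"                           # a keyed entry (node, access, ...) removed
    if any(s in path for s in SENSITIVE):
        return "high"                           # QoS, routing, RT/RD, limits changed
    return "low"

def audit_changes(old_snapshot: Dict, new_snapshot: Dict) -> List[Dict]:
    """Return findings, each with path, old, new and severity."""
    findings: List[Dict] = []
    diff_tree(old_snapshot, new_snapshot, "", findings)
    for f in findings:
        f["severity"] = _severity(f)
    return findings

# Constructed snapshots: vpn-blue disappears, vpn-green appears, vpn-red's prefix limit drops.
RED_NODE = {"vpn-node-id": "red-pe1", "ne-id": "pe1", "rd": "65000:100",
            "maximum-routes": {"address-family": [{"af": "ipv4", "maximum-routes": 1000}]}}
OLD = {"l3vpn-ntw": {"vpn-services": {"vpn-service": [
    {"vpn-id": "vpn-blue", "customer-name": "Blue Corp"},
    {"vpn-id": "vpn-red", "customer-name": "Red Ltd", "vpn-nodes": {"vpn-node": [RED_NODE]}},
]}}}
NEW = {"l3vpn-ntw": {"vpn-services": {"vpn-service": [
    {"vpn-id": "vpn-red", "customer-name": "Red Ltd", "vpn-nodes": {"vpn-node": [
        dict(RED_NODE, **{"maximum-routes": {"address-family": [{"af": "ipv4", "maximum-routes": 100}]}})]}},
    {"vpn-id": "vpn-green", "customer-name": "Green Inc"},
]}}}

if __name__ == "__main__":
    for f in audit_changes(OLD, NEW):
        print(f"{f['severity']:8} {f['path']}: {f['old']!r} -> {f['new']!r}")
```

Feeding the audit with the get-config result taken before and after each NETCONF session (or with the NETCONF netconf-config-change notification payload, where the server supports it) gives the operator the change record the text calls for, keyed to the service and node the change touched.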
4261 10. Implementation Status
4263 10.1. Nokia Implementation
4265 Nokia has a draft implementation of the IETF L3NM model.
4267 The implementation is a prototype and is currently being planned for
4268 production.
4270 Nokia NSP (Network Services Platform) supports integration of
4271 standard models with the Intent Manager framework. NSP platform
4272 provides hot pluggable model definitions and implementations which
4273 would enable defining models where standardization is in progress or
4274 non-existent. With pluggable architecture for model and
4275 implementation injections, NSP also serves as a Multi-Layer, Multi-
4276 Domain controller.
4278 The Nokia implementation of L3NM covers the following:
4279 a) RESTCONF support
4281 b) Configuration of L3 IP VPN Services. Create/Get/Query/Delete
4282 supported on the following operations.
4284 * Site
4286 * Site-Bearer
4288 * VpnService
4290 * IEProfile
4292 * VpnNode
4294 * Site Network Access
4296 * Site Attachments
4298 c) Supports translations to the Device Model (Standard /
4299 Proprietary)
4301 draft-ietf-opsawg-l3sm-l3nm-00
4303 The current implementation is proprietary, so it cannot be used
4304 under any terms.
4306 Contact information: Sriram Krishnamurthy
4307 (sriram.krishnamurthy@nokia.com)
4309 10.2. Huawei Implementation
4311 The organization responsible for the implementation, if any.
4313 Huawei Technologies Co.,Ltd.
4315 The implementation's name and/or a link to a web page where the
4316 implementation or a description of it can be found.
4318 NCE V1R19C00
4320 A brief general description.
4322 This section provides an implementation report summary for Layer 3
4323 VPN Network Model. Layer 3 VPN Network Model is available at:
4324 https://tools.ietf.org/html/draft-ietf-opsawg-l3sm-l3nm-00
4325 The implementation's level of maturity: research, prototype, alpha,
4326 beta, production, widely used, etc.
4328 Right now, the data model is still subject to change, therefore it is
4329 still a Prototype, not put into production yet.
4331 Coverage: which parts of the protocol specification are implemented.
4333 We have implemented a pruned L3NM model with the following parameters:
module: ietf-l3vpn-ntw
+--rw l3vpn-ntw
+--rw vpn-profiles
| +--rw valid-provider-identifiers
| +--rw qos-profile-identifier* [id]
| | +--rw id string
+--rw vpn-services
| +--rw vpn-service* [vpn-id]
| +--rw vpn-id svc-id
| +--rw vpn-service-topology? identityref
| +--rw description? string
| +--rw vpn-nodes
| | +--rw vpn-node* [vpn-node-id ne-id]
| | +--rw vpn-node-id string
| | +--rw description? string
| | +--rw ne-id string
| | +--rw node-role? identityref
| | +--rw rd? rt-types:route-distinguisher
| | +--rw vpn-targets
| | +--rw maximum-routes
| | | +--rw address-family* [af]
| | | +--rw af address-family
| | | +--rw maximum-routes? uint32
+--rw sites
+--rw site* [site-id]
+--rw site-id svc-id
+--rw locations
| +--rw location* [location-id]
| +--rw location-id svc-id
+--rw site-bearers
| +--rw bearer* [bearer-id]
| +--rw bearer-id string
| +--rw ne-id? string
| +--rw port-id? string
+--rw site-network-accesses
+--rw site-network-access* [site-network-access-id]
+--rw site-network-access-id svc-id
+--rw site-network-access-type? ref
+--rw bearer
| +--rw bearer-reference? {bearer-reference}?
| +--rw connection
| | +--rw encapsulation-type? identityref
| | +--rw tagged-interface
| | +--rw type? identityref
| | +--rw dot1q-vlan-tagged {dot1q}?
| | | +--rw cvlan-id uint16
| | +--rw qinq {qinq}?
| | | +--rw svlan-id uint16
| | | +--rw cvlan-id uint16
+--rw ip-connection
| +--rw ipv4 {ipv4}?
| | +--rw dhcp-relay
| | | +--rw customer-dhcp-servers
| | | +--rw server-ip-address* inet
| | +--rw addresses
| | +--rw provider-address? inet:ipv4-address
| | +--rw customer-address? inet:ipv4-address
| | +--rw prefix-length? uint8
+--rw service
| +--rw qos {qos}?
| | +--rw qos-profile
| | +--rw (qos-profile)?
| | +--:(standard)
| | | +--rw profile? leafref
+--rw routing-protocols
| +--rw routing-protocol* [type]
| +--rw type identityref
| +--rw ospf {rtg-ospf}?
| | +--rw address-family* address-family
| | +--rw area-address yang:dotted-quad
| | +--rw metric? uint16
| | +--rw security
| | | +--rw auth-key? string
| +--rw bgp {rtg-bgp}?
| | +--rw autonomous-system uint32
| | +--rw address-family* address-family
| | +--rw neighbor? inet:ip-address
| | +--rw multihop? uint8
| | +--rw security
| | +--rw auth-key? string
| +--rw static
| | +--rw cascaded-lan-prefixes
| | +--rw ipv4-lan-prefixes* {ipv4}?
| | | +--rw lan inet:ipv4-prefix
| | | +--rw lan-tag? string
| | | +--rw next-hop inet:ipv4-address
+--rw node-id? leafref
+--rw service-id? leafref
+--rw access-group-id? yang:uuid

Figure 16
Use cases we have implemented include:

(a) Create VPN

(b) Create Site

(c) Create/add bearers to an existing Site

(d) Create/Include Site Network Access into VPN nodes.
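The four use cases above map directly onto the pruned tree of Figure 16. The Python below is an added illustration, not code from this draft or from any of the implementations it lists: it builds an RFC 7951-style JSON instance of the pruned tree for use cases (a) through (d), then applies two of the checks a NETCONF/RESTCONF server enforces before accepting such data (every keyed list entry carries its key leaves and key tuples are unique; the service-id and node-id leafrefs of a site-network-access resolve to an existing vpn-service and vpn-node), and masks the ospf/bgp security/auth-key leaves before the instance data is logged or exported. The identity name "bgp" for routing-protocol/type and all sample values (VPN and site ids, NE names, RD, addresses, ASN, auth-key) are assumptions constructed for the example.

```python
# Added example for the pruned L3NM tree of Figure 16; not code from the draft or from
# any implementation it lists.  Assumed: JSON encoding with the module-prefixed top node,
# "bgp" as the routing-protocol/type identity name, and constructed sample values.
MODULE = "ietf-l3vpn-ntw"
TOP = f"{MODULE}:l3vpn-ntw"

# List keys exactly as the tree writes them: "<list>* [<key> ...]".
LIST_KEYS = {"qos-profile-identifier": ("id",), "vpn-service": ("vpn-id",),
             "vpn-node": ("vpn-node-id", "ne-id"), "address-family": ("af",),
             "site": ("site-id",), "location": ("location-id",), "bearer": ("bearer-id",),
             "routing-protocol": ("type",), "site-network-access": ("site-network-access-id",)}
# The only secrets in the pruned tree: ospf/security/auth-key and bgp/security/auth-key.
SENSITIVE_LEAVES = {"auth-key"}

def new_document():
    """Empty instance holding the three top-level containers of the tree."""
    return {TOP: {"vpn-profiles": {"valid-provider-identifiers": {"qos-profile-identifier": []}},
                  "vpn-services": {"vpn-service": []}, "sites": {"site": []}}}

def _site(doc, site_id):
    """Existing site by its key leaf; raises StopIteration rather than creating a stray entry."""
    return next(s for s in doc[TOP]["sites"]["site"] if s["site-id"] == site_id)

def create_vpn(doc, vpn_id, nodes):
    """Use case (a): vpn-service with one vpn-node per (vpn-node-id, ne-id, rd) tuple."""
    svc = {"vpn-id": vpn_id, "vpn-service-topology": "any-to-any",
           "vpn-nodes": {"vpn-node": [{"vpn-node-id": n, "ne-id": ne, "rd": rd}
                                      for n, ne, rd in nodes]}}
    doc[TOP]["vpn-services"]["vpn-service"].append(svc)
    return svc

def create_site(doc, site_id, location_id):
    """Use case (b): site with one location and empty bearer/access lists."""
    site = {"site-id": site_id, "locations": {"location": [{"location-id": location_id}]},
            "site-bearers": {"bearer": []}, "site-network-accesses": {"site-network-access": []}}
    doc[TOP]["sites"]["site"].append(site)
    return site

def add_bearer(doc, site_id, bearer_id, ne_id, port_id):
    """Use case (c): attach a bearer (an NE port) to an existing site."""
    _site(doc, site_id)["site-bearers"]["bearer"].append(
        {"bearer-id": bearer_id, "ne-id": ne_id, "port-id": port_id})

def add_site_network_access(doc, site_id, access_id, vpn_id, node_id, bearer_id,
                            provider_addr, customer_addr, prefix_len, bgp):
    """Use case (d): bind an access to a VPN node through the service-id/node-id leafrefs."""
    access = {"site-network-access-id": access_id, "bearer": {"bearer-reference": bearer_id},
              "ip-connection": {"ipv4": {"addresses": {"provider-address": provider_addr,
                  "customer-address": customer_addr, "prefix-length": prefix_len}}},
              "routing-protocols": {"routing-protocol": [{"type": "bgp", "bgp": bgp}]},
              "node-id": node_id, "service-id": vpn_id}
    _site(doc, site_id)["site-network-accesses"]["site-network-access"].append(access)
    return access

def check_list_keys(node, path="", errors=None):
    """Every entry of a keyed list must carry its key leaves, and key tuples must be unique."""
    errors = [] if errors is None else errors
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for name, child in items:
        local = str(name).split(":")[-1]
        if local in LIST_KEYS and isinstance(child, list) and all(isinstance(e, dict) for e in child):
            seen = set()
            for i, entry in enumerate(child):
                keys = tuple(entry.get(k) for k in LIST_KEYS[local])
                if None in keys:
                    errors.append(f"{path}/{local}[{i}]: missing key {LIST_KEYS[local]}")
                elif keys in seen:
                    errors.append(f"{path}/{local}: duplicate key {keys}")
                seen.add(keys)
        check_list_keys(child, f"{path}/{local}", errors)
    return errors

def check_leafrefs(doc):
    """service-id must name a vpn-service and node-id one of that service's vpn-nodes."""
    nodes = {s["vpn-id"]: {n["vpn-node-id"] for n in s["vpn-nodes"]["vpn-node"]}
             for s in doc[TOP]["vpn-services"]["vpn-service"]}
    return [f"{a['site-network-access-id']}: dangling leafref {a.get('service-id')!r}/{a.get('node-id')!r}"
            for site in doc[TOP]["sites"]["site"]
            for a in site["site-network-accesses"]["site-network-access"]
            if a.get("node-id") not in nodes.get(a.get("service-id"), ())]

def redact(node):
    """Copy of the instance data with auth-key values masked, for logs and exports."""
    if isinstance(node, dict):
        return {k: ("***" if k.split(":")[-1] in SENSITIVE_LEAVES else redact(v))
                for k, v in node.items()}
    return [redact(v) for v in node] if isinstance(node, list) else node

def build_sample():
    """Run use cases (a)-(d) on constructed values and return the instance document."""
    doc = new_document()
    create_vpn(doc, "vpn-blue", [("node-1", "pe1.example", "65000:1"),
                                 ("node-2", "pe2.example", "65000:1")])
    create_site(doc, "site-a", "loc-a")
    add_bearer(doc, "site-a", "bearer-a1", "pe1.example", "port-1/1/1")
    add_site_network_access(doc, "site-a", "sna-a1", "vpn-blue", "node-1", "bearer-a1",
                            "192.0.2.1", "192.0.2.2", 30, {"autonomous-system": 65001,
                            "neighbor": "192.0.2.2", "security": {"auth-key": "sample-secret"}})
    return doc
```

check_list_keys and check_leafrefs return a list of error strings (empty on success) so a caller can reject a request before it reaches the datastore; redact returns a copy, so the configured auth-key stays intact in the instance data while never appearing in a log line or an export.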
Version compatibility: what version/versions of the Internet-Draft
are known to be implemented.

draft-ietf-opsawg-l3sm-l3nm-00

Licensing: the terms under which the implementation can be used. For
example: proprietary, royalty licensing, freely distributable with
acknowledgement (BSD style), freely distributable with requirement to
redistribute source (General Public License (GPL) style), and other
(specify).

Not available yet.

Implementation experience: any useful information the implementers
want to share with the community.

Contact information: ideally a person's name and email address, but
possibly just a URL or mailing list.

Qin Wu (bill.wu@huawei.com)

The date when information about this particular implementation was
last updated.

2019-09-30

List other implementations that have been tested for
interoperability.

Nokia
10.3. Infinera Implementation

Infinera has a draft implementation of the IETF L3NM model. The
implementation is in beta state and is currently being tested and
integrated with other suppliers' controllers that support this same
model. Infinera supports the L3NM model in its Transcend Maestro
Multi-layer, Multi-domain Controller.

The Infinera implementation of L3NM covers discovery and
configuration of IP VPN services, and supports both North-Bound
(server) and South-Bound (client) functionality. Versions 01 and 02
of the model are supported.

The current implementation is proprietary; it is not available for
use under any licensing terms.

Contact information: Janne Karvonen (JKarvonen@infinera.com)

The information about this particular implementation was last
updated on 26 October.
11. Acknowledgements

Thanks to Adrian Farrel and Miguel Cros for the suggestions on the
document. Thanks to Philip Eardley for the review. Many thanks for
the discussions on the opsawg mailing list and at IETF meetings.

This work was supported in part by the European Commission funded
H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727).
12. Contributors

Samier Barguil
Telefonica
Email: samier.barguilgiraldo.ext@telefonica.com

Daniel King
Old Dog Consulting
Email: daniel@olddog.co.uk

Luay Jalil
Verizon
Email: luay.jalil@verizon.com

Qin Wu
Huawei
Email: bill.wu@huawei.com

Mohamed Boucadair
Orange
Email: mohamed.boucadair@orange.com

Stephane Litkowski
Cisco
Email: slitkows@cisco.com
13. References

13.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004.

[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010.

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016.

[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017.

[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018.

[RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
Data Model for Layer 2 Virtual Private Network (L2VPN)
Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
2018.

13.2. Informative References

[RFC4026] Andersson, L. and T. Madsen, "Provider Provisioned Virtual
Private Network (VPN) Terminology", RFC 4026,
DOI 10.17487/RFC4026, March 2005.

[RFC4076] Chown, T., Venaas, S., and A. Vijayabhaskar, "Renumbering
Requirements for Stateless Dynamic Host Configuration
Protocol for IPv6 (DHCPv6)", RFC 4076,
DOI 10.17487/RFC4076, May 2005.

[RFC4176] El Mghazli, Y., Ed., Nadeau, T., Boucadair, M., Chan, K.,
and A. Gonguet, "Framework for Layer 3 Virtual Private
Networks (L3VPN) Operations and Management", RFC 4176,
DOI 10.17487/RFC4176, October 2005.

[RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
"YANG Data Model for L3VPN Service Delivery", RFC 8299,
DOI 10.17487/RFC8299, January 2018.

[RFC8309] Wu, Q., Liu, W., and A. Farrel, "Service Models
Explained", RFC 8309, DOI 10.17487/RFC8309, January 2018.

[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

[RFC8453] Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for
Abstraction and Control of TE Networks (ACTN)", RFC 8453,
DOI 10.17487/RFC8453, August 2018.
Authors' Addresses

Alejandro Aguado
Nokia
Madrid
ES

Email: alejandro.aguado_martin@nokia.com

Oscar Gonzalez de Dios (editor)
Telefonica
Madrid
ES

Email: oscar.gonzalezdedios@telefonica.com

Victor Lopez
Telefonica
Madrid
ES

Email: victor.lopezalvarez@telefonica.com

Daniel Voyer
Bell Canada
CA

Email: daniel.voyer@bell.ca

Luis Angel Munoz
Vodafone
ES

Email: luis-angel.munoz@vodafone.com