idnits 2.17.1

draft-ietf-opsawg-l3sm-l3nm-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 9 instances of too long lines in the document, the longest one
     being 5 characters in excess of 72.

  == There are 1 instance of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 452 has weird spacing: '...--rw id str...'

  == Line 454 has weird spacing: '...--rw id str...'

  == Line 456 has weird spacing: '...--rw id str...'

  == Line 458 has weird spacing: '...--rw id str...'

  == Line 460 has weird spacing: '...--rw id str...'

  == (22 more instances...)

  -- The document date (March 09, 2020) is 1502 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4364' is mentioned on line 1815, but not defined

  == Outdated reference: A later version (-17) exists of
     draft-ietf-idr-bgp-model-08

  == Outdated reference: A later version (-12) exists of
     draft-ietf-rtgwg-qos-model-00

     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

OPSAWG                                                        S. Barguil
Internet-Draft                                  O. Gonzalez de Dios, Ed.
Intended status: Standards Track                              Telefonica
Expires: September 10, 2020                                 M. Boucadair
                                                                  Orange
                                                                L. Munoz
                                                                Vodafone
                                                               A. Aguado
                                                                   Nokia
                                                          March 09, 2020

                    A Layer 3 VPN Network YANG Model
                     draft-ietf-opsawg-l3sm-l3nm-02

Abstract

   This document defines a L3 VPN Network YANG Data model, called L3NM,
   that can be used to manage the provisioning of Layer 3 VPN services
   within a Service Provider Network.  The module is meant to be used by
   a Network Controller to derive the configuration information that
   will be sent to relevant network devices.

   The L3VPN Network YANG Model (L3NM) can also facilitate the
   communication between a service orchestrator and a network
   controller/orchestrator.  The model provides a network-centric view
   of the L3VPN services.

   The L3NM YANG module is aimed at managing BGP PE-based Layer 3 VPNs
   as described in RFCs 4026, 4110 and 4364 and Multicast VPNs as
   described in RFCs 6037, 6513 and 7988.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC
   number to be assigned to this document:

   o  "This version of this YANG module is part of RFC XXXX;"

   o  "RFC XXXX: Layer 3 VPN Network Model";

   o  reference: RFC XXXX

   Also, please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Reference Architecture
   5.  Relation with other YANG Models
   6.  Description of the L3NM YANG Module
     6.1.  Overall Structure of the Module
     6.2.  VPN Profiles
     6.3.  Modeling a Layer 3 VPN Service
       6.3.1.  Service Status
       6.3.2.  VPN Node
         6.3.2.1.  Node Status
         6.3.2.2.  VPN Network Access
           6.3.2.2.1.  Connection
           6.3.2.2.2.  IP Connections
           6.3.2.2.3.  CE PE Routing Protocols
         6.3.2.3.  Multicast
       6.3.3.  Concept of Import/Export Profiles
       6.3.4.  Underlay Transport
   7.  L3NM Module Tree Structure
   8.  Sample Uses of the L3NM Data Model
     8.1.  Enterprise L3 VPN Services
     8.2.  Multi-Domain Resource Management
     8.3.  Management of Multicast services
   9.  L3VPN Examples
     9.1.  4G VPN Provisioning Example
     9.2.  Multicast VPN Provisioning Example
   10. L3NM YANG Module
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgements
   14. Contributors
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Implementation Status
     A.1.  Nokia Implementation
     A.2.  Huawei Implementation
     A.3.  Infinera Implementation
   Authors' Addresses

1.  Introduction

   [RFC8299] defines an L3VPN Service YANG data Model (L3SM) that can be
   used for communication between customers and network operators.  Such
   model is focused on describing the customer view of the VPN services,
   and provides an abstracted view of the customer's requested services.
   That approach limits the usage of the L3SM module to the role of a
   Customer Service Model, according to the terminology defined in
   [RFC8309].

   The YANG data model defined in this document is called L3VPN Network
   Model (L3NM).  The L3NM module is aimed at providing a
   network-centric view of L3 VPN Services.  The data model can be used
   to facilitate communication between the service orchestrator (or a
   network operator) and the network controller/orchestrator by allowing
   for more network-centric information to be included.  It enables
   further capabilities, such as resource management or serving as a
   multi-domain orchestration interface, where logical resources (such
   as route targets or route distinguishers) must be synchronized.

   This document does not obsolete, but uses, the definitions in
   [RFC8299].  These two modules are used for similar objectives but
   with different scopes and views.

   The L3NM YANG module is initially built with a prune and extend
   approach, taking as a starting point the YANG module described in
   [RFC8299].
   Nevertheless, this module is not defined as an augment to
   L3SM because a specific structure is required to meet
   network-oriented L3 needs.

   Some of the information captured in the L3SM can be passed by the
   Orchestrator in the L3NM (e.g., customer) or be used to feed some of
   the L3NM attributes (e.g., actual forwarding policies).  Some of the
   information captured in L3SM may be maintained locally within the
   Orchestrator, which is supposed to maintain a "glue" between a
   Customer view and its network instantiation.  Likewise, some of the
   information captured and exposed using L3NM can feed the service
   layer (e.g., capabilities) to derive L3SM and drive VPN service order
   handling.

   The L3NM module does not attempt to address all deployment cases,
   especially those where the L3VPN connectivity is supported through
   the coordination of different VPNs in different underlying networks.
   More complex deployment scenarios involving the coordination of
   different VPN instances and different technologies to provide
   end-to-end VPN connectivity are addressed by a complementary YANG
   model defined in [I-D.evenwu-opsawg-yang-composed-vpn].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Terminology

   This document assumes that the reader is familiar with the contents
   of [RFC6241], [RFC7950], [RFC8299], [RFC8309], and [RFC8453] and uses
   the terminology defined in those documents.

   The meaning of the symbols in tree diagrams is defined in [RFC8340].

   The document is aimed at modeling BGP PE-based VPNs in a Service
   Provider Network, so the terms defined in [RFC4026] and [RFC4176] are
   used.

   This document makes use of the following terms:

   o  L3 VPN Customer Service Model (L3SM): Describes the requirements
      of a L3 VPN that interconnects a set of sites from the point of
      view of the customer.  The customer service model does not provide
      details on the Service Provider Network.  The L3 VPN Customer
      Service model is defined in [RFC8299].

   o  L3 VPN Service Network Model (L3NM): A YANG module that describes
      a VPN Service in the Service Provider Network.  It contains
      information of the Service Provider network and might include
      allocated resources.  It can be used by network controllers to
      manage and control the VPN Service configuration in the Service
      Provider network.  The YANG module can be consumed by a Service
      Orchestrator to request a VPN Service from a Network Controller.

   o  Service Orchestrator: A functional entity that interacts with the
      customer of a L3 VPN.  The Service Orchestrator interacts with the
      customer using L3SM.  The Service Orchestrator is responsible for
      the CE-PE attachment circuits, the PE selection, and requesting
      the VPN service from the network controller.

   o  Network Controller: A functional entity responsible for the
      control and management of the service provider network.

   o  VPN node (vpn-node): An abstraction that represents a set of
      policies applied to a PE and that belong to a single VPN service
      (vpn-service).  A vpn-service involves one or more vpn-nodes.  As
      it is an abstraction, the network controller will decide how to
      implement a vpn-node.  For example, typically, in a BGP-based VPN,
      a vpn-node could be mapped into a VRF.

   o  VPN network access (vpn-network-access): An abstraction that
      represents the network interfaces that are associated to a given
      vpn-node.  Traffic coming from the vpn-network-access belongs to
      the VPN.  The attachment circuits (bearers) between CEs and PEs
      are terminated in the vpn-network-access.  A reference to the
      bearer is maintained to allow keeping the link between L3SM and
      L3NM.

   o  VPN Site (vpn-site): A VPN customer's location that is connected
      to the Service Provider network via a CE-PE link, which can access
      at least one VPN [RFC4176].

   o  VPN Service Provider (SP): A Service Provider offers VPN-related
      services [RFC4176].

   o  Service Provider (SP) Network: A network able to provide
      VPN-related services.

4.  Reference Architecture

   Figure 1 depicts the reference architecture for L3NM.  The figure is
   an expansion of the architecture presented in Section 5 of [RFC8299]
   and decomposes the box marked "orchestration" in that figure into
   three separate functional components called "Service Orchestration",
   "Network Orchestration", and "Domain Orchestration".

   Although some deployments may choose to construct a monolithic
   orchestration component (covering both service and network matters),
   this document advocates for a clear separation between service and
   network orchestration components for the sake of better flexibility.
   Such design adheres to the L3VPN reference architecture defined in
   Section 1.3 of [RFC4176].  The above separation relies upon a
   dedicated communication interface between these components and
   appropriate YANG modules that reflect network-related information
   (that is hidden to customers).

   The intelligence for translating customer-facing information into
   network-centric one is implementation-specific.

   The terminology from [RFC8309] is introduced to show the distinction
   between the "Customer Service Model", the "Service Delivery Model",
   the "Network Configuration Model", and the "Device Configuration
   Model".  In that context, the "Domain Orchestration" and "Config
   Manager" roles may be performed by "Controllers".

                             +---------------+
                             |   Customer    |
                             +---------------+
             Customer Service Model  |
                    l3vpn-svc        |
                             +---------------+
                             |    Service    |
                             | Orchestration |
                             +---------------+
                 L3NM Network Model  |
                    l3vpn-ntw        |
                             +---------------+
                             |   Network     |
                             | Orchestration |
                             +---------------+
       Network Configuration Model   |
                           __________|____________
                          |                       |
                 +---------------+       +---------------+
                 |    Domain     |       |     Domain    |
                 | Orchestration |       | Orchestration |
                 +---------------+       +---------------+
      Device         |        |                  |
      Configuration  |        |                  |
      Model          |        |                  |
                +---------+   |                  |
                | Config  |   |                  |
                | Manager |   |                  |
                +---------+   |                  |
                     |        |                  |
                     |  NETCONF/CLI..................
                     |        |                  |
             +------------------------------------------------+
                                  Network

                         Figure 1: L3SM and L3NM

   The L3SM and L3NM modules may also be set in the context of the ACTN
   architecture [RFC8453].  Figure 2 shows the Customer Network
   Controller (CNC), the Multi-Domain Service Coordinator (MDSC), and
   the Provisioning Network Controller (PNC).  It also shows the
   interfaces between these functional blocks: the CNC-MDSC Interface
   (CMI), the MDSC-PNC Interface (MPI), and the Southbound Interface
   (SBI).

               +----------------------------------+
               | Customer                         |
               | +-----------------------------+  |
               | |             CNC             |  |
               | +-----------------------------+  |
               +----:-----------------------:-----+
                    :                       :
                    : L3SM                  : L3SM
                    :                       :
          +---------:---------+   +-------------------+
          | MDSC    :         |   |       MDSC        |
          | +---------------+ |   |     (parent)      |
          | |    Service    | |   +-------------------+
          | | Orchestration | |             :
          | +---------------+ |             : L3NM
          |         :         |             :
          |         : L3NM    |   +-------------------+
          |         :         |   |       MDSC        |
          | +---------------+ |   |      (child)      |
          | |    Network    | |   +-------------------+
          | | Orchestration | |             :
          | +---------------+ |             :
           ---------:---------              :
                    :                       :
                    : Network Configuration :
                    :                       :
       +------------:-------+     +---------:------------+
       | Domain     :       |     |         : Domain     |
       | Controller :       |     |         : Controller |
       |       +---------+  |     |    +---------+       |
       |       |   PNC   |  |     |    |   PNC   |       |
       |       +---------+  |     |    +---------+       |
       +------------:-------+     +---------:------------+
                    :                       :
                    : Device Configuration  :
                    :                       :
               +--------+              +--------+
               | Device |              | Device |
               +--------+              +--------+

             Figure 2: L3SM and L3NM in the Context of ACTN

5.  Relation with other YANG Models

   As discussed in the previous section, the L3NM YANG module is meant
   to manage L3VPN Services within a Service Provider network.  The
   module provides a network-wise view of the service.  Such view is
   only visible within the Service Provider and is not exposed outside.
   The following discusses how L3NM interfaces with other YANG modules:

   L3SM:  L3NM is not a Customer Service Model.

      The internal view of the service (L3NM) may be mapped to an
      external view which is visible to Customers: the L3VPN Service
      YANG data Model (L3SM) [RFC8299].

      Typically, the L3NM module can be fed with inputs that are
      requested by Customers, relying upon a L3SM template.
      Concretely, some parts of the L3SM module can be directly mapped
      into L3NM while other parts are generated as a function of the
      requested service and local guidelines.  Some other parts are
      local to the Service Provider and do not map directly to L3SM.

      Note that the use of L3NM within a Service Provider neither
      assumes nor precludes exposing the VPN service via L3SM.  This is
      deployment-specific.  Nevertheless, the design of L3NM tries to
      align as much as possible with the features supported by the L3SM
      to ease grafting both L3NM and L3SM for the sake of highly
      automated VPN service provisioning and delivery.

   Network Topology Modules:  A L3VPN involves nodes that are part of a
      topology managed by the Service Provider Backbone network.  Such
      topology can be represented using the network topology module
      in [RFC8345].

   Device Modules:  L3NM is not a device model.

      Once a global VPN service is captured by means of L3NM, the actual
      activation and provisioning of the VPN service will involve a
      variety of device modules to tweak the required functions for the
      delivery of the service.  These functions are supported by the VPN
      nodes and can be managed using device YANG modules.  A
      non-comprehensive list of such device YANG modules is provided
      below:

      *  Routing management ([RFC8349])

      *  BGP ([I-D.ietf-idr-bgp-model])

      *  PIM ([I-D.liu-pim-yang])

      *  NAT management ([RFC8512])

      *  QoS management ([I-D.ietf-rtgwg-qos-model])

      *  ACL ([RFC8519])

      How L3NM is used to derive device-specific actions is
      implementation-specific.

6.  Description of the L3NM YANG Module

   The L3NM module ('ietf-l3vpn-ntw') is meant to manage L3 VPNs in a
   service provider network.  In particular, the 'ietf-l3vpn-ntw' module
   can be used to create, modify, and retrieve L3VPN Services of a
   network.

   The detailed tree structure is provided in Figure 15.

6.1.  Overall Structure of the Module

   The 'ietf-l3vpn-ntw' module uses two main containers: 'vpn-services'
   and 'vpn-profiles' (see Figure 3).

   The 'vpn-services' container maintains the set of VPN services
   managed within the service provider's network. 'vpn-service' is the
   data structure that abstracts a VPN service (Section 6.3).

   The 'vpn-profiles' container is used by the provider to maintain a
   set of common VPN profiles that apply to several VPN services
   (Section 6.2).

   module: ietf-l3vpn-ntw
     +--rw l3vpn-ntw
        +--rw vpn-profiles
        |     ...
        +--rw vpn-services
           +--rw vpn-service* [vpn-id]
                 ...

                  Figure 3: Overall L3NM Tree Structure

6.2.  VPN Profiles

   The 'vpn-profiles' containers (Figure 4) allow the network provider
   to define and maintain a set of common VPN profiles that apply to
   several VPN services.  The exact definition of the profiles is local
   to each network provider.

   +--rw l3vpn-ntw
      +--rw vpn-profiles
      |  +--rw valid-provider-identifiers
      |     +--rw cloud-identifier* [id] {l3vpn-svc:cloud-access}?
      |     |  +--rw id    string
      |     +--rw encryption-profile-identifier* [id]
      |     |  +--rw id    string
      |     +--rw qos-profile-identifier* [id]
      |     |  +--rw id    string
      |     +--rw bfd-profile-identifier* [id]
      |     |  +--rw id    string
      |     +--rw routing-profile-identifier* [id]
      |        +--rw id    string
      +--rw vpn-services
         +--rw vpn-service* [vpn-id]
               ...

                  Figure 4: VPN Profiles Tree Structure

6.3.  Modeling a Layer 3 VPN Service

   The 'vpn-service' is the data structure that abstracts a VPN Service
   in the Service Provider Network.  Each 'vpn-service' is uniquely
   identified by an identifier: 'vpn-id'.  Such 'vpn-id' is only
   meaningful locally within the Network controller.

   In order to facilitate the identification of the service,
   'customer-name' and 'description' attributes may be provided.

   The 'vpn-service' parameters are:

   o  service-status: Allows the control of the operative and
      administrative status of the service as a whole.

   o  vpn-id: Unique identifier of the L3VPN Service within L3NM scope.

   o  l3sm-vpn-id: Refers to the L3SM ID of this service.  This
      identifier makes it easy to correlate the service as built in the
      network with a service request.

   o  vpn-service-topology: Typical network topologies are supported:
      Hub-Spoke, Any-to-Any, and Custom.  Real deployment on the network
      is defined by the correct usage of import and export profiles.

   o  ie-profiles: Define reusable import/export policies for the same
      VPN-Service.  Described in detail in Section 6.3.3.

   o  Underlay-Transport: Describes the preference for the transport
      technology to carry the traffic of the VPN-Service.

   A VPN service is typically built by adding instances of 'vpn-node' to
   the 'vpn-nodes' container.  The 'vpn-node' is an abstraction that
   represents a set of policies applied to a network node and that
   belong to a single 'vpn-service'.

   A 'vpn-node' contains 'vpn-network-accesses', which are the
   interfaces attached to the VPN by which the customer traffic is
   received.  Therefore, the customer sites are connected to the
   'vpn-network-accesses'.  Note that, as this is a network data model,
   the information about customer sites is not required in the model.
   Such information is instead relevant in the L3SM model.

   +--rw vpn-service* [vpn-id]
      +--rw service-status
      |     ...
      +--rw vpn-id                  l3vpn-svc:svc-id
      +--rw l3sm-vpn-id?            l3vpn-svc:svc-id
      +--rw customer-name?          string
      +--rw vpn-service-topology?   identityref
      +--rw description?            string
      +--rw ie-profiles
      |     ...
      +--rw underlay-transport
      |     ...

                   Figure 5: vpn-service tree structure

6.3.1.  Service Status

   The L3NM module allows tracking the service status ('service-status')
   of a given VPN service (Figure 6).  Both operational and
   administrative status are maintained together with a timestamp.  For
   example, a service can be created but not put into effect.

   'admin' and 'ops' status can be used as a trigger to detect service
   anomalies.  For example, a service that is declared at the service
   layer as active but still inactive at the network layer is an
   indication that network provision actions are needed to align the
   observed service with the expected service status.

   +--rw l3vpn-ntw
      +--rw vpn-profiles
      |     ...
      +--rw vpn-services
         +--rw vpn-service* [vpn-id]
            +--rw service-status
            |  +--rw admin
            |  |  +--rw status?      operational-type
            |  |  +--rw timestamp?   yang:date-and-time
            |  +--ro ops
            |     +--ro status?      operational-type
            |     +--ro timestamp?   yang:date-and-time
            ...

               Figure 6: VPN Service Status Tree Structure

6.3.2.  VPN Node

   The 'vpn-node' is an abstraction that represents a set of common
   policies that are applied on a given network node (typically, a PE)
   and belong to one L3 VPN Service.  In order to indicate the network
   node where the 'vpn-node' applies, the 'ne-id' must be indicated.
   The 'vpn-node' includes a parameter to indicate in which network node
   it is applied.  In the case that the 'ne-id' points to a specific PE,
   the 'vpn-node' will likely be mapped into a VRF in the node.
   However, the model also allows pointing to an abstract node.  In this
   case, the network controller will decide how to split the 'vpn-node'
   into VRFs.  Additionally, the 'vpn-node' parameters are:

   o  status: Allows the control of the operative and administrative
      status of the 'vpn-node'.

   o  local-autonomous-system: Autonomous system locally configured in
      the instance.  It can be overwritten for specific purposes in
      the CE-PE BGP session.

   o  maximum-routes: Maximum number of prefixes allowed in the vpn-node
      instance.

   o  rd and vpn-targets: For cases where the logical resources are
      managed outside the network controller, the model allows to
      explicitly indicate the logical resources such as Route Targets
      (RTs) and Route Distinguishers (RDs).

   o  Multicast: Enable multicast traffic inside the VPN.  Detailed
      description in Section 6.3.2.3.

   Under the VPN Node ('vpn-node') container, VPN Network Accesses
   ('vpn-network-access') can be created.  The VPN Network Access
   represents the point to which sites are connected.  Note that, unlike
   in L3SM, the L3NM does not need to model the customer site, only the
   points where the traffic from the site is received.  Hence, the VPN
   Network Access contains the connectivity information between the
   provider's network and the customer premises.  The VPN profiles
   ('vpn-profiles') have a set of routing policies that can be applied
   during the service creation.

   module: ietf-l3vpn-ntw
     +--rw l3vpn-ntw
        +--rw vpn-profiles
        |     ...
        +--rw vpn-services
           +--rw vpn-service* [vpn-id]
              +--rw vpn-id                  l3vpn-svc:svc-id
              +  ...
              +--rw vpn-nodes
                 +--rw vpn-node* [ne-id]
                    +--rw vpn-node-id?               union
                    +--rw local-autonomous-system?   inet:as-number
                    +--rw description?               string
                    +--rw ne-id                      string
                    +--rw router-id?                 inet:ip-address
                    +--rw address-family?
                    |       l3vpn-svc:address-family
                    +--rw node-role?                 identityref
                    +--rw rd?
                    |       rt-types:route-distinguisher
                    +--rw vpn-targets
                    |  +--rw vpn-target* [id]
                    |  |  +--rw id                   int8
                    |  |  +--rw route-targets* [route-target]
                    |  |  |  +--rw route-target
                    |  |  |          rt-types:route-target
                    |  |  +--rw route-target-type
                    |  |          rt-types:route-target-type
                    |  +--rw vpn-policies
                    |     +--rw import-policy?   leafref
                    |     +--rw export-policy?   leafref
                    +--rw status
                    |  +--rw admin-enabled?   boolean
                    |  +--ro oper-status?     operational-type
                    +--rw vpn-network-accesses
                    |  +--rw vpn-network-access* [id]
                    |     +--rw id
                    |     |       l3vpn-svc:svc-id
                    |     ...
                    +--rw maximum-routes
                    |  +--rw address-family* [af]
                    |     +--rw af
                    |     |       l3vpn-svc:address-family
                    |     +--rw maximum-routes?   uint32
                    +--rw multicast {l3vpn-svc:multicast}?
                    |     ...
                    +--rw node-ie-profile?           leafref

                    Figure 7: VPN Node Tree Structure

6.3.2.1.  Node Status

   The L3NM module allows tracking the status ('status') of the nodes
   involved in a VPN service (Figure 8).  Both operational and
   administrative status are maintained.  A mismatch between the
   administrative status and the operational status can be used as a
   trigger to detect anomalies.

   +--rw l3vpn-ntw
      +--rw vpn-profiles
      |     ...
      +--rw vpn-services
         +--rw vpn-service* [vpn-id]
            +--rw vpn-id            l3vpn-svc:svc-id
            ...
            +--rw vpn-nodes
            |  +--rw vpn-node* [ne-id]
            |     +--rw ne-id       string
            |     ...
            |     +--rw status
            |     |  +--rw admin-enabled?   boolean
            |     |  +--ro oper-status?     operational-type

                   Figure 8: Node Status Tree Structure

6.3.2.2.  VPN Network Access

   A 'vpn-network-access' represents an entry point to a VPN service
   (Figure 9).  In other words, this container encloses the parameters
   that describe the access information for the traffic that belongs to
   a particular L3VPN.  As such, every 'vpn-network-access' MUST belong
   to one and only one 'vpn-node'.

   A 'vpn-network-access' includes information such as the connection on
   which the access is defined (see Section 6.3.2.2.1), the
   encapsulation of the traffic, policies that are applied on the
   access, etc.
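
   Added example (not part of the draft or of the module it defines):
   the admin/operational mismatch check described in Sections 6.3.1 and
   6.3.2.1, run over a constructed instance laid out like the trees in
   Figures 6 to 9.  The "up"/"down" values for 'operational-type', the
   unprefixed JSON member names, and the 15-minute grace period are
   assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the draft text above does not list the values of
# 'operational-type'; "up"/"down" are placeholders for this example.
UP = "up"


def _parse_ts(value):
    """Parse a yang:date-and-time string; None if absent or malformed."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def _service_mismatch(svc, now, grace):
    """Service-level check: admin vs. ops status, aged by admin timestamp."""
    status = svc.get("service-status", {})
    admin = status.get("admin", {})
    ops_state = status.get("ops", {}).get("status")
    if admin.get("status") is None or admin.get("status") == ops_state:
        return None
    changed = _parse_ts(admin.get("timestamp"))
    # A service may be created but not yet put into effect, so a recent
    # admin change is tolerated. With no usable timestamp, report it.
    if changed is not None and now - changed < grace:
        return None
    return f"admin={admin['status']} ops={ops_state}"


def _enabled_mismatch(status):
    """Node/access check: 'admin-enabled' (boolean) vs. 'oper-status'."""
    enabled = status.get("admin-enabled")
    if enabled is None:
        return None
    oper = status.get("oper-status")
    if enabled == (oper == UP):
        return None
    return f"admin-enabled={enabled} oper-status={oper}"


def find_status_mismatches(config, now, grace=timedelta(minutes=15)):
    """Return (vpn-id, path, detail) for every admin/operational divergence."""
    findings = []
    services = (config.get("l3vpn-ntw", {})
                .get("vpn-services", {}).get("vpn-service", []))
    for svc in services:
        vpn_id = svc.get("vpn-id")
        detail = _service_mismatch(svc, now, grace)
        if detail:
            findings.append((vpn_id, "service-status", detail))
        for node in svc.get("vpn-nodes", {}).get("vpn-node", []):
            node_path = f"vpn-node[{node.get('ne-id')}]"
            detail = _enabled_mismatch(node.get("status", {}))
            if detail:
                findings.append((vpn_id, node_path, detail))
            accesses = (node.get("vpn-network-accesses", {})
                        .get("vpn-network-access", []))
            for acc in accesses:
                detail = _enabled_mismatch(acc.get("status", {}))
                if detail:
                    path = f"{node_path}/vpn-network-access[{acc.get('id')}]"
                    findings.append((vpn_id, path, detail))
    return findings


# Constructed sample instance (not taken from the draft or any network).
NOW = datetime(2020, 3, 9, 11, 0, tzinfo=timezone.utc)
SAMPLE = {"l3vpn-ntw": {"vpn-services": {"vpn-service": [
    {"vpn-id": "vpn-A",
     "service-status": {
         "admin": {"status": "up", "timestamp": "2020-03-09T10:00:00Z"},
         "ops": {"status": "down", "timestamp": "2020-03-09T10:01:00Z"}},
     "vpn-nodes": {"vpn-node": [
         {"ne-id": "PE1",
          "status": {"admin-enabled": True, "oper-status": "up"},
          "vpn-network-accesses": {"vpn-network-access": [
              {"id": "acc-1",
               "status": {"admin-enabled": False, "oper-status": "up"}}]}}]}},
    {"vpn-id": "vpn-B",
     "service-status": {
         "admin": {"status": "up", "timestamp": "2020-03-09T10:55:00Z"},
         "ops": {"status": "down"}},
     "vpn-nodes": {"vpn-node": [
         {"ne-id": "PE2",
          "status": {"admin-enabled": True, "oper-status": "down"}}]}},
]}}}

if __name__ == "__main__":
    for finding in find_status_mismatches(SAMPLE, NOW):
        print(*finding, sep="  ")
```

   The access that is administratively disabled yet operationally up
   (acc-1) is reported alongside the inactive service and node, since
   both directions of divergence indicate that the network state has
   drifted from the declared one.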

   A Provisioning Network Controller (PNC) [RFC8453] will accept VPN
   requests containing this construct, using the enclosed data to:
   configure the router's interface to include the parameters described
   at the 'vpn-network-access', include the given interface into a VRF,
   configure policies or schedulers for processing the incoming
   traffic, etc.

   module: ietf-l3vpn-ntw
     +--rw l3vpn-ntw
        +--rw vpn-profiles
        |     ...
        +--rw vpn-services
           +--rw vpn-service* [vpn-id]
              +--rw vpn-id            l3vpn-svc:svc-id
              +  ...
              +--rw vpn-node* [ne-id]
                 +--rw ne-id                      string
                 +  ...
                 +--rw vpn-network-accesses
                 |  +--rw vpn-network-access* [id]
                 |     +--rw id
                 |     |       l3vpn-svc:svc-id
                 |     +--rw port-id?
                 |     |       l3vpn-svc:svc-id
                 |     +--rw description?               string
                 |     +--rw status
                 |     |  +--rw admin-enabled?   boolean
                 |     |  +--ro oper-status?     operational-type
                 |     +--rw vpn-network-access-type?   identityref
                 |     +--rw connection
                 |     |  ...
                 |     |  +--rw bearer
                 |     |     ...
                 |     +--rw ip-connection
                 |     |  ...
                 |     +--rw security
                 |     |  ...
                 |     +--rw routing-protocols
                 |     |  ...
                 |     +--rw service
                 |        ...
                 |  ...

               Figure 9: VPN Network Access Tree Structure

6.3.2.2.1.  Connection

   The definition of a L3VPN is commonly specified not only at the IP
   layer, but also requires identifying parameters at the Ethernet
   layer, such as encapsulation type (e.g., VLAN, QinQ, QinAny, VxLAN,
   etc.).  The 'connection' container represents and groups the set of
   L2 connectivity from where the traffic of the L3VPN in a particular
   VPN Network access is coming.

   Additionally, the bearer-reference and the pseudowire termination are
   supported.

   Ethernet encapsulation description is not supported in [RFC8299].
   However, these parameters are mandatory to configure the PE
   interfaces.  Thus, in the L3NM, these parameters use the connection
   container inside the vpn-network-access.  This container defines
   protocols and parameters to enable connectivity at Layer 2.

   module: ietf-l3vpn-ntw
     +--rw l3vpn-ntw
        +--rw vpn-profiles
        |     ...
        +--rw vpn-services
           +--rw vpn-service* [vpn-id]
              +--rw vpn-id            l3vpn-svc:svc-id
              +  ...
              +--rw vpn-node* [ne-id]
                 +--rw ne-id                      string
                 +  ...
                 +--rw vpn-network-accesses
                 |  +--rw vpn-network-access* [id]
                 |     +--rw id
                 |     |       l3vpn-svc:svc-id
                 |     +  ...
                 |     +--rw connection
                 |     |  +--rw encapsulation-type?   identityref
                 |     |  +--rw logical-interface
                 |     |  |  +--rw peer-reference?   uint32
                 |     |  +--rw tagged-interface
                 |     |  |  +--rw type?                identityref
                 |     |  |  +--rw dot1q-vlan-tagged {dot1q}?
                 |     |  |  |  +--rw tag-type?   identityref
                 |     |  |  |  +--rw cvlan-id?   uint16
                 |     |  |  +--rw priority-tagged
                 |     |  |  |  +--rw tag-type?   identityref
                 |     |  |  +--rw qinq {qinq}?
                 |     |  |  |  +--rw tag-type?   identityref
                 |     |  |  |  +--rw svlan-id    uint16
                 |     |  |  |  +--rw cvlan-id    uint16
                 |     |  |  +--rw qinany {qinany}?
                 |     |  |  |  +--rw tag-type?   identityref
                 |     |  |  |  +--rw svlan-id    uint16
                 |     |  |  +--rw vxlan {vxlan}?
                 |     |  |     +--rw vni-id       uint32
                 |     |  |     +--rw peer-mode?   identityref
                 |     |  |     +--rw peer-list* [peer-ip]
                 |     |  |        +--rw peer-ip    inet:ip-address
                 |     |  +--rw bearer
                 |     |     ...
                 |     +--rw ip-connection
                 |     |  ...
                 |     +--rw security
                 |     |  ...
                 |     +--rw routing-protocols
                 |     |  ...
                 |     +--rw service
                 |        ...
                 |  ...

                 Figure 10: Encapsulation Tree Structure

   Depending on the control plane implementation, different network
   scenarios might require additional information for the L3VPN service
   to be configured and active.  For example, an L3VPN Option C service,
   if no reflection of IPv4 VPN routes is configured via ASBR or route
   reflector, may require additional configuration (e.g., a new BGP
   neighbor) to be coordinated between both management systems.
This 805 definition requires every management system participating in the 806 VPN to receive not just its own sites and site-network-accesses, 807 but also information about external ones, identified by an 808 external site-network-access-type. In addition, this particular 809 site-network-access is augmented to include the loopback address of 810 the far-end (remote/external) PE router. 812 module: ietf-l3vpn-ntw 813 +--rw l3vpn-ntw 814 +--rw vpn-profiles 815 | ... 816 +--rw vpn-services 817 +--rw vpn-service* [vpn-id] 818 +--rw vpn-id l3vpn-svc:svc-id 819 + ... 820 +--rw vpn-node* [ne-id] 821 +--rw ne-id string 822 + ... 823 +--rw vpn-network-accesses 824 | +--rw vpn-network-access* [id] 825 | +--rw id 826 | | l3vpn-svc:svc-id 827 | + ... 828 | +--rw connection 829 | | ... 830 | | +--rw bearer 831 | | +--rw bearer-reference? string 832 | | | {l3vpn-svc:bearer-reference}? 833 | | +--rw pseudowire 834 | | | +--rw vcid? uint32 835 | | | +--rw far-end? union 836 | | +--rw vpls 837 | | +--rw vcid? union 838 | | +--rw far-end? union 839 | +--rw ip-connection 840 | | ... 841 | +--rw security 842 | | ... 843 | +--rw routing-protocols 844 | | ... 845 | +--rw service 846 | ... 847 | ... 849 Figure 11: Bearer Tree Structure 851 A site, as per [RFC4176], represents a VPN customer's location that is 852 connected to the Service Provider network via a CE-PE link and that can 853 access at least one VPN. The connection from the site to the Service 854 Provider network is the bearer. Every site is associated with a list 855 of bearers. A bearer is the Layer 2 connection with the site. In 856 the module, it is assumed that the bearer has been allocated by the 857 Service Provider at the service orchestration step. The bearer is 858 associated with a network element and a port. Hence, a bearer is just 859 a bearer-reference to allow the translation between L3SM and L3NM. 861 6.3.2.2.2.
IP Connections 863 The IP connection container (Figure 12) has the parameters of the 'vpn- 864 network-access' addressing information. The address allocated in 865 this container would represent the PE interface address 866 configuration. The IP connection container is designed to support 867 both IPv4 and IPv6. It also supports three options for IP address 868 assignment: Provider DHCP, DHCP relay, and static addressing. 870 In the case of static addressing, the model supports the 871 assignment of several IP addresses in the same 'vpn-network-access'. 872 To identify which of the addresses is the primary address of a 873 connection, the "primary-address" reference MUST be set to the 874 corresponding 'address-id'. 876 module: ietf-l3vpn-ntw 877 +--rw l3vpn-ntw 878 +--rw vpn-profiles 879 | ... 880 +--rw vpn-services 881 +--rw vpn-service* [vpn-id] 882 +--rw vpn-id l3vpn-svc:svc-id 883 + ... 884 +--rw vpn-nodes 885 +--rw vpn-node* [ne-id] 886 +--rw ne-id string 887 + ... 888 +--rw status 889 | +--rw admin-enabled? boolean 890 | +--ro oper-status? operational-type 891 +--rw vpn-network-accesses 892 | +--rw vpn-network-access* [id] 893 | +--rw id 894 | | l3vpn-svc:svc-id 895 | + ... 896 | +--rw connection 897 | | ... 898 | +--rw ip-connection 899 | | +--rw ipv4 {l3vpn-svc:ipv4}? 900 | | | +--rw address-allocation-type? 901 | | | | identityref 902 | | | +--rw provider-dhcp 903 | | | | +--rw provider-address? 904 | | | | | inet:ipv4-address 905 | | | | +--rw prefix-length? 906 | | | | | uint8 907 | | | | +--rw (address-assign)? 908 | | | | +--:(number) 909 | | | | | +--rw number-of-dynamic-address? 910 | | | | | uint16 911 | | | | +--:(explicit) 912 | | | | +--rw customer-addresses 913 | | | | +--rw address-group* 914 | | | | [group-id] 915 | | | | +--rw group-id 916 | | | | | string 917 | | | | +--rw start-address? 918 | | | | | inet:ipv4-address 919 | | | | +--rw end-address?
920 | | | | inet:ipv4-address 921 | | | +--rw dhcp-relay 922 | | | | +--rw provider-address? 923 | | | | | inet:ipv4-address 924 | | | | +--rw prefix-length? uint8 925 | | | | +--rw customer-dhcp-servers 926 | | | | +--rw server-ip-address* 927 | | | | inet:ipv4-address 928 | | | +--rw static-addresses 929 | | | +--rw primary-address? leafref 930 | | | +--rw address* [address-id] 931 | | | +--rw address-id string 932 | | | +--rw provider-address? 933 | | | | inet:ipv4-address 934 | | | +--rw customer-address? 935 | | | | inet:ipv4-address 936 | | | +--rw prefix-length? uint8 937 | | +--rw ipv6 {l3vpn-svc:ipv6}? 938 | | | +--rw address-allocation-type? 939 | | | | identityref 940 | | | +--rw provider-dhcp 941 | | | | +--rw provider-address? 942 | | | | | inet:ipv6-address 943 | | | | +--rw prefix-length? 944 | | | | | uint8 945 | | | | +--rw (address-assign)? 946 | | | | +--:(number) 947 | | | | | +--rw number-of-dynamic-address? 948 | | | | | uint16 949 | | | | +--:(explicit) 950 | | | | +--rw customer-addresses 951 | | | | +--rw address-group* 952 | | | | [group-id] 953 | | | | +--rw group-id 954 | | | | | string 955 | | | | +--rw start-address? 956 | | | | | inet:ipv6-address 957 | | | | +--rw end-address? 958 | | | | inet:ipv6-address 959 | | | +--rw dhcp-relay 960 | | | | +--rw provider-address? 961 | | | | | inet:ipv6-address 962 | | | | +--rw prefix-length? uint8 963 | | | | +--rw customer-dhcp-servers 964 | | | | +--rw server-ip-address* 965 | | | | inet:ipv6-address 966 | | | +--rw static-addresses 967 | | | +--rw primary-address? leafref 968 | | | +--rw address* [address-id] 969 | | | +--rw address-id string 970 | | | +--rw provider-address? 971 | | | | inet:ipv6-address 972 | | | +--rw customer-address? 973 | | | | inet:ipv6-address 974 | | | +--rw prefix-length? uint8 975 | | +--rw oam 976 | | +--rw bfd {l3vpn-svc:bfd}? 977 | | +--rw enabled? boolean 978 | | +--rw (holdtime)? 979 | | +--:(fixed) 980 | | | +--rw fixed-value? 
uint32 981 | | +--:(profile) 982 | | +--rw profile-name? leafref 983 | +--rw security 984 | | ... 985 | +--rw routing-protocols 986 | | ... 987 | +--rw service 988 | ... 990 Figure 12: IP Connection Tree Structure 992 6.3.2.2.3. CE PE Routing Protocols 994 The model allows the Provider to configure one or more routing 995 protocols associated with a particular 'vpn-network-access' 996 (Figure 13). This protocol will run between the PE and the CE. A 997 routing protocol instance MUST have a type (e.g., bgp, ospf) and an 998 identifier. The identifier is necessary when multiple instances of 999 the same protocol have to be configured. 1001 Configuring multiple instances of the same routing protocol 1002 does not automatically imply that, from a device configuration 1003 perspective, there will be parallel instances (multiple processes) 1004 running. It will be up to the implementation to use the most 1005 appropriate deployment model. As an example, when multiple BGP peers 1006 need to be implemented, multiple instances of BGP must be configured 1007 as part of this model. However, from a device configuration point of 1008 view, this could be implemented as: 1010 o Multiple BGP processes with a single neighbor running in each 1011 process. 1013 o A single BGP process with multiple neighbors running. 1015 o A combination of both. 1017 To be aligned with [RFC8299], this model supports the following 1018 protocols: 1020 o VRRP: takes only a list of address families as a parameter. A VRRP 1021 instance is expected to run on the 'vpn-network-access' interface. 1023 o RIP: takes only a list of address families as a parameter. A RIP 1024 instance is expected to run on the 'vpn-network-access' interface. 1026 o BGP: allows configuring a BGP neighbor, including parameters such as 1027 authentication using a key. The authentication type will be 1028 driven by the implementation but the module supports any 1029 authentication that uses a key as a parameter.
A BGP neighbor can 1030 support IPv4, IPv6, or both address families. The module supports 1031 supplying two neighbors (each for a given address family) or one 1032 neighbor (for both IPv4 and IPv6 if the "address-family" attribute is 1033 set to both). It is then up to the implementation to drive the 1034 device configuration. 1036 o OSPF: allows the user to configure OSPF to run on the vpn-network- 1037 access interface. An OSPF instance can run ipv4, ipv6 or both. 1038 When only the ipv4 address-family is requested, it will be up to the 1039 implementation to decide whether OSPFv2 or OSPFv3 is used. 1041 o IS-IS: allows the user to configure IS-IS to run on the vpn- 1042 network-access interface. An IS-IS instance can run L1, L2 or 1043 both levels. 1045 The module allows a user to configure one or more IPv4 and/or IPv6 1046 static routes. 1048 Routing configuration does not include low-level policies. These 1049 policies are low-level device configurations that must not be part of 1050 an abstracted model. A provider's internal policies (such as 1051 security filters) will be implemented as part of the device 1052 configuration but do not require any input from this model. Some 1053 policies like primary/backup or load-balancing can be inferred from 1054 'access-priority'. 1056 module: ietf-l3vpn-ntw 1057 +--rw l3vpn-ntw 1058 +--rw vpn-profiles 1059 | ... 1060 +--rw vpn-services 1061 +--rw vpn-service* [vpn-id] 1062 +--rw vpn-id l3vpn-svc:svc-id 1063 + ... 1064 +--rw vpn-nodes 1065 +--rw vpn-node* [ne-id] 1066 +--rw ne-id string 1067 + ... 1068 +--rw status 1069 | +--rw admin-enabled? boolean 1070 | +--ro oper-status? operational-type 1071 +--rw vpn-network-accesses 1072 | +--rw vpn-network-access* [id] 1073 | +--rw id 1074 | | l3vpn-svc:svc-id 1075 | + ... 1076 | +--rw connection 1077 | | ... 1078 | +--rw ip-connection 1079 | | ... 1080 | | +--rw oam 1081 | | ... 1082 | +--rw security 1083 | | ...
1084 | +--rw routing-protocols 1085 | | +--rw routing-protocol* [id] 1086 | | +--rw id string 1087 | | +--rw type? identityref 1088 | | +--rw routing-profiles* [id] 1089 | | | +--rw id leafref 1090 | | | +--rw type? ie-type 1091 | | +--rw ospf {l3vpn-svc:rtg-ospf}? 1092 | | | +--rw address-family* 1093 | | | | l3vpn-svc:address-family 1094 | | | +--rw area-address 1095 | | | | yang:dotted-quad 1096 | | | +--rw metric? uint16 1097 | | | +--rw mtu? uint16 1098 | | | +--rw process-id? uint16 1099 | | | +--rw security 1100 | | | | +--rw auth-key? string 1101 | | | +--rw sham-links 1102 | | | {rtg-ospf-sham-link}? 1103 | | | +--rw sham-link* [target-site] 1104 | | | +--rw target-site 1105 | | | | l3vpn-svc:svc-id 1106 | | | +--rw metric? uint16 1107 | | +--rw bgp {l3vpn-svc:rtg-bgp}? 1108 | | | +--rw peer-autonomous-system 1109 | | | | inet:as-number 1110 | | | +--rw local-autonomous-system? 1111 | | | | inet:as-number 1112 | | | +--rw address-family* 1113 | | | | l3vpn-svc:address-family 1114 | | | +--rw neighbor* 1115 | | | | inet:ip-address 1116 | | | +--rw multihop? 1117 | | | | uint8 1118 | | | +--rw security 1119 | | | | +--rw auth-key? string 1120 | | | +--rw status 1121 | | | | +--rw admin-enabled? boolean 1122 | | | | +--ro oper-status? 1123 | | | | operational-type 1124 | | | +--rw description? 1125 | | | string 1126 | | +--rw isis {rtg-isis}? 1127 | | | +--rw address-family* 1128 | | | | l3vpn-svc:address-family 1129 | | | +--rw area-address area-address 1130 | | | +--rw level? isis-level 1131 | | | +--rw metric? uint16 1132 | | | +--rw process-id? uint16 1133 | | | +--rw mode? enumeration 1134 | | | +--rw status 1135 | | | +--rw admin-enabled? boolean 1136 | | | +--ro oper-status? 1137 | | | operational-type 1138 | | +--rw static 1139 | | | +--rw cascaded-lan-prefixes 1140 | | | +--rw ipv4-lan-prefixes* 1141 | | | | [lan next-hop] 1142 | | | | {l3vpn-svc:ipv4}? 1143 | | | | +--rw lan 1144 | | | | | inet:ipv4-prefix 1145 | | | | +--rw lan-tag? 
string 1146 | | | | +--rw next-hop 1147 | | | | inet:ipv4-address 1148 | | | +--rw ipv6-lan-prefixes* 1149 | | | [lan next-hop] 1150 | | | {l3vpn-svc:ipv6}? 1151 | | | +--rw lan 1152 | | | | inet:ipv6-prefix 1153 | | | +--rw lan-tag? string 1154 | | | +--rw next-hop 1155 | | | inet:ipv6-address 1156 | | +--rw rip {l3vpn-svc:rtg-rip}? 1157 | | | +--rw address-family* 1158 | | | l3vpn-svc:address-family 1159 | | +--rw vrrp {l3vpn-svc:rtg-vrrp}? 1160 | | +--rw address-family* 1161 | | l3vpn-svc:address-family 1162 | +--rw service 1163 | ... 1165 Figure 13: Routing Tree Structure 1167 6.3.2.3. Multicast 1169 Multicast MAY be enabled for a particular vpn-network-node (see 1170 Figure 14). 1172 The model supports a single type of tree (Any-Source Multicast (ASM), 1173 Source-Specific Multicast (SSM), or bidirectional). 1175 When ASM is used, the model supports the configuration of rendezvous 1176 points (RPs). RP discovery may be 'static', 'bsr-rp', or 'auto-rp'. 1177 When set to 'static', the RP-to-multicast-group mapping MUST be 1178 configured as part of the 'rp-group-mappings' container. The RP MAY 1179 be a provider node or a customer node. When the RP is a customer 1180 node, the RP address must be configured using the 'rp-address' leaf; 1181 otherwise, no RP address is needed. 1183 The model supports RP redundancy through the 'rp-redundancy' leaf. 1184 How the redundancy is achieved is out of scope and is up to the 1185 implementation. 1187 When a particular VPN using ASM requires a more optimal traffic 1188 delivery, 'optimal-traffic-delivery' can be set. When set to 'true', 1189 the implementation must use any mechanism to provide a more optimal 1190 traffic delivery for the customer. Anycast is one of the mechanisms 1191 to enhance RP redundancy, resilience against failures, and to 1192 recover from failures quickly.
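The tree diagrams cannot express several of the constraints stated in Sections 6.3.2.2.2, 6.3.2.2.3 and 6.3.2.3 (primary-address, routing-protocol type and identifier, static RP mappings), so a controller has to check them before pushing configuration. The following is an added example, not part of the draft: it lints one vpn-node held as a Python dict whose keys follow the tree leaf names. The sample data, the function names, the reading of provider-managed/enabled = false as "customer RP", and the auth-key warning (a local policy, not a rule of the draft) are assumptions.

```python
# Added example: pre-provisioning lint for one L3NM vpn-node instance.
# Leaf names follow the tree diagrams; every sample value is constructed.

def static_address_findings(base, ip_connection):
    """primary-address must point at an existing address-id."""
    out = []
    for af in ("ipv4", "ipv6"):
        static = ip_connection.get(af, {}).get("static-addresses")
        if not static:
            continue
        ids = [a.get("address-id") for a in static.get("address", [])]
        primary = static.get("primary-address")
        if primary is None and len(ids) > 1:
            out.append(("error", f"{base}/{af}",
                        "several static addresses but no primary-address"))
        elif primary is not None and primary not in ids:
            out.append(("error", f"{base}/{af}",
                        f"primary-address '{primary}' matches no address-id"))
    return out


def routing_findings(base, routing_protocols):
    """Each routing-protocol instance needs an id and a type."""
    out, seen = [], set()
    for rp in routing_protocols.get("routing-protocol", []):
        rid, rtype = rp.get("id"), rp.get("type")
        path = f"{base}/routing-protocol[{rid}]"
        if not rid or not rtype:
            out.append(("error", path, "instance needs both an id and a type"))
        if rid in seen:
            out.append(("error", path, "duplicate id"))
        seen.add(rid)
        # Assumed local policy, not a rule of the draft: keyed auth on BGP/OSPF.
        key = rp.get(rtype, {}).get("security", {}).get("auth-key") if rtype else None
        if rtype in ("bgp", "ospf") and not key:
            out.append(("warn", path, f"{rtype} session has no auth-key"))
    return out


def multicast_findings(base, multicast):
    """Static RP discovery needs mappings; a customer RP needs rp-address."""
    out = []
    if not multicast.get("enabled"):
        return out
    rp = multicast.get("rp", {})
    mappings = rp.get("rp-group-mappings", {}).get("rp-group-mapping", [])
    discovery = rp.get("rp-discovery", {}).get("rp-discovery-type")
    if discovery == "static" and not mappings:
        out.append(("error", f"{base}/multicast",
                    "static RP discovery without rp-group-mappings"))
    for m in mappings:
        # Assumption: provider-managed/enabled = false means a customer RP.
        customer_rp = not m.get("provider-managed", {}).get("enabled", False)
        if customer_rp and not m.get("rp-address"):
            out.append(("error",
                        f"{base}/multicast/rp-group-mapping[{m.get('id')}]",
                        "customer RP without rp-address"))
    return out


def lint_vpn_node(node):
    """Return a list of (severity, path, message) findings for a vpn-node."""
    nid = node.get("ne-id", "?")
    findings = []
    accesses = node.get("vpn-network-accesses", {}).get("vpn-network-access", [])
    for acc in accesses:
        base = f"{nid}/{acc.get('id', '?')}"
        findings += static_address_findings(base, acc.get("ip-connection", {}))
        findings += routing_findings(base, acc.get("routing-protocols", {}))
    findings += multicast_findings(nid, node.get("multicast", {}))
    return findings


# Constructed instance with four defects.
SAMPLE_NODE = {
    "ne-id": "pe-1",
    "vpn-network-accesses": {"vpn-network-access": [{
        "id": "access-1",
        "ip-connection": {"ipv4": {"static-addresses": {
            "primary-address": "addr-9",          # dangling reference
            "address": [
                {"address-id": "addr-1", "provider-address": "192.0.2.1"},
                {"address-id": "addr-2", "provider-address": "192.0.2.5"},
            ]}}},
        "routing-protocols": {"routing-protocol": [
            {"id": "ce-bgp", "type": "bgp",       # no security/auth-key
             "bgp": {"peer-autonomous-system": 65001,
                     "neighbor": ["192.0.2.2"]}},
            {"id": "ce-ospf",                     # type missing
             "ospf": {"area-address": "0.0.0.0",
                      "security": {"auth-key": "constructed-key"}}},
        ]},
    }]},
    "multicast": {"enabled": True,                # static, but no mappings
                  "rp": {"rp-discovery": {"rp-discovery-type": "static"}}},
}

if __name__ == "__main__":
    for severity, path, message in lint_vpn_node(SAMPLE_NODE):
        print(f"{severity:5} {path}: {message}")
```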
1194 For redundancy purposes, Multicast Source Discovery Protocol (MSDP) 1195 may be enabled and used to share the state about sources between 1196 multiple RPs. The purpose of MSDP in this context is to enhance the 1197 robustness of the multicast service. MSDP may be configured on Non- 1198 RP routers, which is useful in a domain that does not support 1199 multicast sources, but does support multicast transit. 1201 module: ietf-l3vpn-ntw 1202 +--rw l3vpn-ntw 1203 +--rw vpn-profiles 1204 | ... 1205 +--rw vpn-service* [vpn-id] 1206 +--rw vpn-id l3vpn-svc:svc-id 1207 + .. 1208 +--rw vpn-nodes 1209 +--rw vpn-node* [ne-id] 1210 +--rw ne-id string 1211 + ... 1212 +--rw vpn-network-accesses 1213 | ... 1214 +--rw multicast {l3vpn-svc:multicast}? 1215 | +--rw enabled? boolean 1216 | +--rw tree-flavor* identityref 1217 | +--rw rp 1218 | | +--rw rp-group-mappings 1219 | | | +--rw rp-group-mapping* [id] 1220 | | | +--rw id uint16 1221 | | | +--rw provider-managed 1222 | | | | +--rw enabled? 1223 | | | | | boolean 1224 | | | | +--rw rp-redundancy? 1225 | | | | | boolean 1226 | | | | +--rw optimal-traffic-delivery? 1227 | | | | | boolean 1228 | | | | +--rw anycast 1229 | | | | +--rw local-address? 1230 | | | | | inet:ip-address 1231 | | | | +--rw rp-set-address* 1232 | | | | inet:ip-address 1233 | | | +--rw rp-address 1234 | | | | inet:ip-address 1235 | | | +--rw groups 1236 | | | +--rw group* [id] 1237 | | | +--rw id 1238 | | | | uint16 1239 | | | +--rw (group-format) 1240 | | | +--:(group-prefix) 1241 | | | | +--rw group-address? 1242 | | | | inet:ip-prefix 1243 | | | +--:(startend) 1244 | | | +--rw group-start? 1245 | | | | inet:ip-address 1246 | | | +--rw group-end? 1247 | | | inet:ip-address 1248 | | +--rw rp-discovery 1249 | | +--rw rp-discovery-type? identityref 1250 | | +--rw bsr-candidates 1251 | | +--rw bsr-candidate-address* 1252 | | inet:ip-address 1253 | +--rw msdp {msdp}? 1254 | +--rw enabled? boolean 1255 | +--rw peer? inet:ip-address 1256 | +--rw local-address? 
inet:ip-address 1257 + ... 1259 Figure 14: Multicast Tree Structure 1261 6.3.3. Concept of Import/Export Profiles 1263 The import and export profiles construct contains a list with 1264 information related to route targets and route distinguishers (RTs and 1265 RDs), grouped and identified by ie-profile-id. The identifier is 1266 then referenced in one or multiple vpn-nodes, so the PNC can identify 1267 RTs and RDs to be configured in the VRF. 1269 6.3.4. Underlay Transport 1271 The model allows indicating a preference for the underlay transport 1272 technology when activating an L3VPN service. This preference is 1273 especially useful in networks with multiple domains and NNI types. 1274 The model supports these options: BGP, LDP, GRE, SR, SR-TE, and RSVP- 1275 TE as possible underlay transport. 1277 Other profiles can be defined in the future. 1279 This document does not make any assumption about the exact definition 1280 of these profiles. How such profiles are defined is deployment- 1281 specific. 1283 7. L3NM Module Tree Structure 1285 The L3NM Module Tree Structure is depicted in Figure 15. 1287 module: ietf-l3vpn-ntw 1288 +--rw l3vpn-ntw 1289 +--rw vpn-profiles 1290 | +--rw valid-provider-identifiers 1291 | +--rw cloud-identifier* [id] {l3vpn-svc:cloud-access}? 1292 | | +--rw id string 1293 | +--rw encryption-profile-identifier* [id] 1294 | | +--rw id string 1295 | +--rw qos-profile-identifier* [id] 1296 | | +--rw id string 1297 | +--rw bfd-profile-identifier* [id] 1298 | | +--rw id string 1299 | +--rw routing-profile-identifier* [id] 1300 | +--rw id string 1301 +--rw vpn-services 1302 +--rw vpn-service* [vpn-id] 1303 +--rw service-status 1304 | +--rw admin 1305 | | +--rw status? operational-type 1306 | | +--rw timestamp? yang:date-and-time 1307 | +--ro ops 1308 | +--ro status? operational-type 1309 | +--ro timestamp? yang:date-and-time 1310 +--rw vpn-id l3vpn-svc:svc-id 1311 +--rw l3sm-vpn-id? l3vpn-svc:svc-id 1312 +--rw customer-name?
string 1313 +--rw vpn-service-topology? identityref 1314 +--rw description? string 1315 +--rw ie-profiles 1316 | +--rw ie-profile* [ie-profile-id] 1317 | +--rw ie-profile-id string 1318 | +--rw rd? rt-types:route-distinguisher 1319 | +--rw vpn-targets 1320 | +--rw vpn-target* [id] 1321 | | +--rw id int8 1322 | | +--rw route-targets* [route-target] 1323 | | | +--rw route-target 1324 | | | rt-types:route-target 1325 | | +--rw route-target-type 1326 | | rt-types:route-target-type 1327 | +--rw vpn-policies 1328 | +--rw import-policy? leafref 1329 | +--rw export-policy? leafref 1330 +--rw underlay-transport 1331 | +--rw type? protocols-type 1332 +--rw vpn-nodes 1333 +--rw vpn-node* [ne-id] 1334 +--rw vpn-node-id? union 1335 +--rw local-autonomous-system? inet:as-number 1336 +--rw description? string 1337 +--rw ne-id string 1338 +--rw router-id? inet:ip-address 1339 +--rw address-family? 1340 | l3vpn-svc:address-family 1341 +--rw node-role? identityref 1342 +--rw rd? 1343 | rt-types:route-distinguisher 1344 +--rw vpn-targets 1345 | +--rw vpn-target* [id] 1346 | | +--rw id int8 1347 | | +--rw route-targets* [route-target] 1348 | | | +--rw route-target 1349 | | | rt-types:route-target 1350 | | +--rw route-target-type 1351 | | rt-types:route-target-type 1352 | +--rw vpn-policies 1353 | +--rw import-policy? leafref 1354 | +--rw export-policy? leafref 1355 +--rw status 1356 | +--rw admin-enabled? boolean 1357 | +--ro oper-status? operational-type 1358 +--rw vpn-network-accesses 1359 | +--rw vpn-network-access* [id] 1360 | +--rw id 1361 | | l3vpn-svc:svc-id 1362 | +--rw port-id? 1363 | | l3vpn-svc:svc-id 1364 | +--rw description? string 1365 | +--rw status 1366 | | +--rw admin-enabled? boolean 1367 | | +--ro oper-status? operational-type 1368 | +--rw vpn-network-access-type? identityref 1369 | +--rw connection 1370 | | +--rw encapsulation-type? identityref 1371 | | +--rw logical-interface 1372 | | | +--rw peer-reference? 
uint32 1373 | | +--rw tagged-interface 1374 | | | +--rw type? identityref 1375 | | | +--rw dot1q-vlan-tagged {dot1q}? 1376 | | | | +--rw tag-type? identityref 1377 | | | | +--rw cvlan-id? uint16 1378 | | | +--rw priority-tagged 1379 | | | | +--rw tag-type? identityref 1380 | | | +--rw qinq {qinq}? 1381 | | | | +--rw tag-type? identityref 1382 | | | | +--rw svlan-id uint16 1383 | | | | +--rw cvlan-id uint16 1384 | | | +--rw qinany {qinany}? 1385 | | | | +--rw tag-type? identityref 1386 | | | | +--rw svlan-id uint16 1387 | | | +--rw vxlan {vxlan}? 1388 | | | +--rw vni-id uint32 1389 | | | +--rw peer-mode? identityref 1390 | | | +--rw peer-list* [peer-ip] 1391 | | | +--rw peer-ip inet:ip-address 1392 | | +--rw bearer 1393 | | +--rw bearer-reference? string 1394 | | | {l3vpn-svc:bearer-reference}? 1395 | | +--rw pseudowire 1396 | | | +--rw vcid? uint32 1397 | | | +--rw far-end? union 1398 | | +--rw vpls 1399 | | +--rw vcid? union 1400 | | +--rw far-end? union 1401 | +--rw ip-connection 1402 | | +--rw ipv4 {l3vpn-svc:ipv4}? 1403 | | | +--rw address-allocation-type? 1404 | | | | identityref 1405 | | | +--rw provider-dhcp 1406 | | | | +--rw provider-address? 1407 | | | | | inet:ipv4-address 1408 | | | | +--rw prefix-length? 1409 | | | | | uint8 1410 | | | | +--rw (address-assign)? 1411 | | | | +--:(number) 1412 | | | | | +--rw number-of-dynamic-address? 1413 | | | | | uint16 1414 | | | | +--:(explicit) 1415 | | | | +--rw customer-addresses 1416 | | | | +--rw address-group* 1417 | | | | [group-id] 1418 | | | | +--rw group-id 1419 | | | | | string 1420 | | | | +--rw start-address? 1421 | | | | | inet:ipv4-address 1422 | | | | +--rw end-address? 1423 | | | | inet:ipv4-address 1424 | | | +--rw dhcp-relay 1425 | | | | +--rw provider-address? 1426 | | | | | inet:ipv4-address 1427 | | | | +--rw prefix-length? 
uint8 1428 | | | | +--rw customer-dhcp-servers 1429 | | | | +--rw server-ip-address* 1430 | | | | inet:ipv4-address 1431 | | | +--rw static-addresses 1432 | | | +--rw primary-address? leafref 1433 | | | +--rw address* [address-id] 1434 | | | +--rw address-id string 1435 | | | +--rw provider-address? 1436 | | | | inet:ipv4-address 1437 | | | +--rw customer-address? 1438 | | | | inet:ipv4-address 1439 | | | +--rw prefix-length? uint8 1440 | | +--rw ipv6 {l3vpn-svc:ipv6}? 1441 | | | +--rw address-allocation-type? 1442 | | | | identityref 1443 | | | +--rw provider-dhcp 1444 | | | | +--rw provider-address? 1445 | | | | | inet:ipv6-address 1446 | | | | +--rw prefix-length? 1447 | | | | | uint8 1448 | | | | +--rw (address-assign)? 1449 | | | | +--:(number) 1450 | | | | | +--rw number-of-dynamic-address? 1451 | | | | | uint16 1452 | | | | +--:(explicit) 1453 | | | | +--rw customer-addresses 1454 | | | | +--rw address-group* 1455 | | | | [group-id] 1456 | | | | +--rw group-id 1457 | | | | | string 1458 | | | | +--rw start-address? 1459 | | | | | inet:ipv6-address 1460 | | | | +--rw end-address? 1461 | | | | inet:ipv6-address 1462 | | | +--rw dhcp-relay 1463 | | | | +--rw provider-address? 1464 | | | | | inet:ipv6-address 1465 | | | | +--rw prefix-length? uint8 1466 | | | | +--rw customer-dhcp-servers 1467 | | | | +--rw server-ip-address* 1468 | | | | inet:ipv6-address 1469 | | | +--rw static-addresses 1470 | | | +--rw primary-address? leafref 1471 | | | +--rw address* [address-id] 1472 | | | +--rw address-id string 1473 | | | +--rw provider-address? 1474 | | | | inet:ipv6-address 1475 | | | +--rw customer-address? 1476 | | | | inet:ipv6-address 1477 | | | +--rw prefix-length? uint8 1478 | | +--rw oam 1479 | | +--rw bfd {l3vpn-svc:bfd}? 1480 | | +--rw enabled? boolean 1481 | | +--rw (holdtime)? 1482 | | +--:(fixed) 1483 | | | +--rw fixed-value? uint32 1484 | | +--:(profile) 1485 | | +--rw profile-name? 
leafref 1486 | +--rw security 1487 | | +--rw authentication 1488 | | +--rw encryption {l3vpn-svc:encryption}? 1489 | | | +--rw enabled? boolean 1490 | | | +--rw layer? enumeration 1491 | | +--rw encryption-profile 1492 | | +--rw (profile)? 1493 | | | +--:(provider-profile) 1494 | | | | +--rw profile-name? leafref 1495 | | | +--:(customer-profile) 1496 | | | +--rw algorithm? string 1497 | | +--rw (key-type)? 1498 | | +--:(psk) 1499 | | +--rw preshared-key? string 1500 | +--rw routing-protocols 1501 | | +--rw routing-protocol* [id] 1502 | | +--rw id string 1503 | | +--rw type? identityref 1504 | | +--rw routing-profiles* [id] 1505 | | | +--rw id leafref 1506 | | | +--rw type? ie-type 1507 | | +--rw ospf {l3vpn-svc:rtg-ospf}? 1508 | | | +--rw address-family* 1509 | | | | l3vpn-svc:address-family 1510 | | | +--rw area-address 1511 | | | | yang:dotted-quad 1512 | | | +--rw metric? uint16 1513 | | | +--rw mtu? uint16 1514 | | | +--rw process-id? uint16 1515 | | | +--rw security 1516 | | | | +--rw auth-key? string 1517 | | | +--rw sham-links 1518 | | | {rtg-ospf-sham-link}? 1519 | | | +--rw sham-link* [target-site] 1520 | | | +--rw target-site 1521 | | | | l3vpn-svc:svc-id 1522 | | | +--rw metric? uint16 1523 | | +--rw bgp {l3vpn-svc:rtg-bgp}? 1524 | | | +--rw peer-autonomous-system 1525 | | | | inet:as-number 1526 | | | +--rw local-autonomous-system? 1527 | | | | inet:as-number 1528 | | | +--rw address-family* 1529 | | | | l3vpn-svc:address-family 1530 | | | +--rw neighbor* 1531 | | | | inet:ip-address 1532 | | | +--rw multihop? 1533 | | | | uint8 1534 | | | +--rw security 1535 | | | | +--rw auth-key? string 1536 | | | +--rw status 1537 | | | | +--rw admin-enabled? boolean 1538 | | | | +--ro oper-status? 1539 | | | | operational-type 1540 | | | +--rw description? 1541 | | | string 1542 | | +--rw isis {rtg-isis}? 1543 | | | +--rw address-family* 1544 | | | | l3vpn-svc:address-family 1545 | | | +--rw area-address area-address 1546 | | | +--rw level? 
isis-level 1547 | | | +--rw metric? uint16 1548 | | | +--rw process-id? uint16 1549 | | | +--rw mode? enumeration 1550 | | | +--rw status 1551 | | | +--rw admin-enabled? boolean 1552 | | | +--ro oper-status? 1553 | | | operational-type 1554 | | +--rw static 1555 | | | +--rw cascaded-lan-prefixes 1556 | | | +--rw ipv4-lan-prefixes* 1557 | | | | [lan next-hop] 1558 | | | | {l3vpn-svc:ipv4}? 1559 | | | | +--rw lan 1560 | | | | | inet:ipv4-prefix 1561 | | | | +--rw lan-tag? string 1562 | | | | +--rw next-hop 1563 | | | | inet:ipv4-address 1564 | | | +--rw ipv6-lan-prefixes* 1565 | | | [lan next-hop] 1566 | | | {l3vpn-svc:ipv6}? 1567 | | | +--rw lan 1568 | | | | inet:ipv6-prefix 1569 | | | +--rw lan-tag? string 1570 | | | +--rw next-hop 1571 | | | inet:ipv6-address 1572 | | +--rw rip {l3vpn-svc:rtg-rip}? 1573 | | | +--rw address-family* 1574 | | | l3vpn-svc:address-family 1575 | | +--rw vrrp {l3vpn-svc:rtg-vrrp}? 1576 | | +--rw address-family* 1577 | | l3vpn-svc:address-family 1578 | +--rw service 1579 | +--rw svc-input-bandwidth uint64 1580 | +--rw svc-output-bandwidth uint64 1581 | +--rw svc-mtu uint16 1582 | +--rw qos {l3vpn-svc:qos}? 1583 | | +--rw qos-classification-policy 1584 | | | +--rw rule* [id] 1585 | | | +--rw id 1586 | | | | string 1587 | | | +--rw (match-type)? 1588 | | | | +--:(match-flow) 1589 | | | | | +--rw (l3)? 1590 | | | | | | +--:(ipv4) 1591 | | | | | | | +--rw ipv4 1592 | | | | | | | +--rw dscp? 1593 | | | | | | | | inet:dscp 1594 | | | | | | | +--rw ecn? 1595 | | | | | | | | uint8 1596 | | | | | | | +--rw length? 1597 | | | | | | | | uint16 1598 | | | | | | | +--rw ttl? 1599 | | | | | | | | uint8 1600 | | | | | | | +--rw protocol? 1601 | | | | | | | | uint8 1602 | | | | | | | +--rw ihl? 1603 | | | | | | | | uint8 1604 | | | | | | | +--rw flags? 1605 | | | | | | | | bits 1606 | | | | | | | +--rw offset? 1607 | | | | | | | | uint16 1608 | | | | | | | +--rw identification? 1609 | | | | | | | | uint16 1610 | | | | | | | +--rw (dst-network)? 
1611 | | | | | | | | +--:(dst-ipv4-network) 1612 | | | | | | | | +--rw dst-ipv4-network? 1613 | | | | | | | | inet:ipv4-prefix 1614 | | | | | | | +--rw (source-network)? 1615 | | | | | | | +--:(src-ipv4-network) 1616 | | | | | | | +--rw src-ipv4-network? 1617 | | | | | | | inet:ipv4-prefix 1618 | | | | | | +--:(ipv6) 1619 | | | | | | +--rw ipv6 1620 | | | | | | +--rw dscp? 1621 | | | | | | | inet:dscp 1622 | | | | | | +--rw ecn? 1623 | | | | | | | uint8 1624 | | | | | | +--rw length? 1625 | | | | | | | uint16 1626 | | | | | | +--rw ttl? 1627 | | | | | | | uint8 1628 | | | | | | +--rw protocol? 1629 | | | | | | | uint8 1630 | | | | | | +--rw (destination-network)? 1631 | | | | | | | +--:(dst-ipv6-network) 1632 | | | | | | | +--rw dst-ipv6-network? 1633 | | | | | | | inet:ipv6-prefix 1634 | | | | | | +--rw (src-network)? 1635 | | | | | | | +--:(src-ipv6-network) 1636 | | | | | | | +--rw src-ipv6-network? 1637 | | | | | | | inet:ipv6-prefix 1638 | | | | | | +--rw flow-label? 1639 | | | | | | inet:ipv6-flow-label 1640 | | | | | +--rw (l4)? 1641 | | | | | +--:(tcp) 1642 | | | | | | +--rw tcp 1643 | | | | | | +--rw sequence-number? 1644 | | | | | | | uint32 1645 | | | | | | +--rw ack-number? 1646 | | | | | | | uint32 1647 | | | | | | +--rw data-offset? 1648 | | | | | | | uint8 1649 | | | | | | +--rw reserved? 1650 | | | | | | | uint8 1651 | | | | | | +--rw flags? 1652 | | | | | | | bits 1653 | | | | | | +--rw window-size? 1654 | | | | | | | uint16 1655 | | | | | | +--rw urgent-pointer? 1656 | | | | | | | uint16 1657 | | | | | | +--rw options? 1658 | | | | | | | binary 1659 | | | | | | +--rw (source-port)? 1660 | | | | | | | ... 1661 | | | | | | +--rw (destination-port)? 1662 | | | | | | | ... 1663 | | | | | +--:(udp) 1664 | | | | | +--rw udp 1665 | | | | | +--rw length? 1666 | | | | | | uint16 1667 | | | | | +--rw (source-port)? 1668 | | | | | | ... 1669 | | | | | +--rw (destination-port)? 1670 | | | | | | ... 
1671 | | | | +--:(match-application) 1672 | | | | +--rw match-application? 1673 | | | | identityref 1674 | | | +--rw target-class-id? 1675 | | | string 1676 | | +--rw qos-profile 1677 | | +--rw (qos-profile)? 1678 | | +--:(standard) 1679 | | | +--rw profile? leafref 1680 | | | +--rw direction? identityref 1681 | | +--:(custom) 1682 | | +--rw classes 1683 | | {l3vpn-svc:qos-custom}? 1684 | | +--rw class* [class-id] 1685 | | +--rw class-id 1686 | | | string 1687 | | +--rw direction? 1688 | | | identityref 1689 | | +--rw rate-limit? 1690 | | | decimal64 1691 | | +--rw latency 1692 | | | +--rw (flavor)? 1693 | | | +--:(lowest) 1694 | | | | +--rw use-lowest-latency? 1695 | | | | empty 1696 | | | +--:(boundary) 1697 | | | +--rw jitter-boundary? 1698 | | | uint16 1699 | | +--rw jitter 1700 | | | +--rw (flavor)? 1701 | | | +--:(lowest) 1702 | | | | +--rw use-lowest-jitter? 1703 | | | | empty 1704 | | | +--:(boundary) 1705 | | | +--rw latency-boundary? 1706 | | | uint32 1707 | | +--rw bandwidth 1708 | | +--rw guaranteed-bw-percent 1709 | | | decimal64 1710 | | +--rw end-to-end? 1711 | | empty 1712 | +--rw carrierscarrier 1713 | | {l3vpn-svc:carrierscarrier}? 1714 | | +--rw signalling-type? enumeration 1715 | +--rw multicast {l3vpn-svc:multicast}? 1716 | +--rw site-type? enumeration 1717 | +--rw address-family 1718 | | +--rw ipv4? boolean 1719 | | | {l3vpn-svc:ipv4}? 1720 | | +--rw ipv6? boolean 1721 | | {l3vpn-svc:ipv6}? 1722 | +--rw protocol-type? enumeration 1723 | +--rw remote-source? boolean 1724 +--rw maximum-routes 1725 | +--rw address-family* [af] 1726 | +--rw af 1727 | | l3vpn-svc:address-family 1728 | +--rw maximum-routes? uint32 1729 +--rw multicast {l3vpn-svc:multicast}? 1730 | +--rw enabled? boolean 1731 | +--rw tree-flavor* identityref 1732 | +--rw rp 1733 | | +--rw rp-group-mappings 1734 | | | +--rw rp-group-mapping* [id] 1735 | | | +--rw id uint16 1736 | | | +--rw provider-managed 1737 | | | | +--rw enabled? 
1738 | | | | | boolean 1739 | | | | +--rw rp-redundancy? 1740 | | | | | boolean 1741 | | | | +--rw optimal-traffic-delivery? 1742 | | | | | boolean 1743 | | | | +--rw anycast 1744 | | | | +--rw local-address? 1745 | | | | | inet:ip-address 1746 | | | | +--rw rp-set-address* 1747 | | | | inet:ip-address 1748 | | | +--rw rp-address 1749 | | | | inet:ip-address 1750 | | | +--rw groups 1751 | | | +--rw group* [id] 1752 | | | +--rw id 1753 | | | | uint16 1754 | | | +--rw (group-format) 1755 | | | +--:(group-prefix) 1756 | | | | +--rw group-address? 1757 | | | | inet:ip-prefix 1758 | | | +--:(startend) 1759 | | | +--rw group-start? 1760 | | | | inet:ip-address 1761 | | | +--rw group-end? 1762 | | | inet:ip-address 1763 | | +--rw rp-discovery 1764 | | +--rw rp-discovery-type? identityref 1765 | | +--rw bsr-candidates 1766 | | +--rw bsr-candidate-address* 1767 | | inet:ip-address 1768 | +--rw msdp {msdp}? 1769 | +--rw enabled? boolean 1770 | +--rw peer? inet:ip-address 1771 | +--rw local-address? inet:ip-address 1772 +--rw node-ie-profile? leafref 1774 Figure 15 1776 8. Sample Uses of the L3NM Data Model 1778 8.1. Enterprise L3 VPN Services 1780 Enterprise L3VPNs are one of the most demanded services for carriers, 1781 and therefore, L3NM can be useful to automate the tasks of 1782 provisioning and maintenance of these VPNs. Templates and batch 1783 processes can be built; as a result, the many parameters needed 1784 to create a VPN from scratch can be abstracted to the 1785 upper SDN layer, and little manual intervention will still be 1786 required. 1788 The common addition/removal of sites of an existing customer VPN can 1789 also benefit from using L3NM, through the creation of workflows that either prune or 1790 add nodes as required from the network data model object. 1792 8.2.
Multi-Domain Resource Management 1794 The implementation of L3VPN services which span across 1795 administratively separated domains (i.e., that are under the 1796 administration of different management systems or controllers) 1797 requires some network resources to be synchronized between systems. 1798 Particularly, there are two resources that must be orchestrated and 1799 manage to avoid asymmetric (non-functional) configuration, or the 1800 usage of unavailable resources. 1802 For example, RTs shall be synchronized between PEs. When every PE is 1803 controlled by the same management system, RT allocation can be 1804 performed by the system. In cases where the service spans across 1805 multiple management systems, this task of allocating RTs has to be 1806 aligned across the domains, therefore, the service model must provide 1807 a way to specify RTs. In addition, RDs must also be synchronized to 1808 avoid collisions in RD allocation between separate systems. An 1809 incorrect allocation might lead to the same RD and IP prefixes being 1810 exported by different PE routers. 1812 8.3. Management of Multicast services 1814 Multicast services over L3VPN can be implemented either using dual 1815 PIM MVPNs (also known as Draft Rosen model) [RFC 4364] or 1816 multiprotocol BGP (MBGP)-based MVPNs called Next Generation Multicast 1817 VPN (ng-MVPN) [RFC 6513/6514]. Both methods are supported and 1818 equally effective, but the main difference is that MBGP-based MVPN 1819 does not require multicast configuration on the service provider 1820 backbone. Multiprotocol BGP multicast VPNs employ the intra- 1821 autonomous system (AS) next-generation BGP control plane and PIM 1822 sparse mode as the data plane. The PIM state information is 1823 maintained between the PE routers using the same architecture that is 1824 used for unicast VPNs. 
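
The RT/RD synchronization requirement of Section 8.2 can be checked before any configuration is pushed. The following is an added example, not part of the draft or of any controller: it compares the 'vpn-node' data held by two management systems and reports RDs allocated by more than one system and RTs that are exported but never imported (or the reverse) within a VPN. The leaf names follow Figure 18; the domain names, inventories and function names are constructed for illustration.

```python
"""Cross-domain RD/RT consistency check over L3NM vpn-node data."""
from collections import defaultdict


def _node(node_id, ne_id, rd, targets):
    """Build one constructed 'vpn-node' entry; targets = [(rt, type), ...]."""
    return {
        "vpn-node-id": node_id,
        "ne-id": ne_id,
        "rd": rd,
        "vpn-targets": {"vpn-target": [
            {"id": str(i), "route-targets": [{"route-target": rt}],
             "route-target-type": kind}
            for i, (rt, kind) in enumerate(targets, 1)
        ]},
    }


def _service(vpn_id, nodes):
    return {"vpn-id": vpn_id, "vpn-nodes": {"vpn-node": nodes}}


# Constructed sample: the vpn-services subtree as two separate management
# systems might hold it. Domain names, ids and RD/RT values are made up.
INVENTORIES = {
    "domain-a": {"vpn-service": [
        _service("4G", [_node("44", "10.0.0.1", "0:65550:1",
                              [("0:65550:1", "both")])]),
        _service("IPTV", [_node("45", "10.0.0.1", "0:65550:2",
                                [("0:65550:20", "export")])]),
    ]},
    "domain-b": {"vpn-service": [
        _service("4G", [_node("7", "10.0.1.1", "0:65551:1",
                              [("0:65550:1", "both")])]),
        # Reuses an RD already allocated in domain-a and imports an RT
        # that no node of the IPTV VPN exports.
        _service("IPTV", [_node("8", "10.0.1.1", "0:65550:1",
                                [("0:65550:21", "import")])]),
    ]},
}


def iter_nodes(inventories):
    """Yield (domain, vpn-id, vpn-node) for every node of every domain."""
    for domain, inventory in inventories.items():
        for service in inventory.get("vpn-service", []):
            for node in service.get("vpn-nodes", {}).get("vpn-node", []):
                yield domain, service["vpn-id"], node


def rd_collisions(inventories):
    """Return RDs that more than one management system has allocated."""
    users = defaultdict(set)
    for domain, vpn_id, node in iter_nodes(inventories):
        if "rd" in node:
            users[node["rd"]].add((domain, vpn_id, node["ne-id"]))
    return {rd: sorted(found) for rd, found in users.items()
            if len({domain for domain, _, _ in found}) > 1}


def rt_asymmetries(inventories):
    """Per VPN, list RTs exported but never imported and the reverse.

    RTs are aggregated over all domains, so a hub-and-spoke design with
    per-node import/export differences is not reported as long as every
    RT has at least one exporter and one importer in the VPN.
    """
    exported, imported = defaultdict(set), defaultdict(set)
    for _, vpn_id, node in iter_nodes(inventories):
        for target in node.get("vpn-targets", {}).get("vpn-target", []):
            kind = target.get("route-target-type")
            for entry in target.get("route-targets", []):
                if kind in ("export", "both"):
                    exported[vpn_id].add(entry["route-target"])
                if kind in ("import", "both"):
                    imported[vpn_id].add(entry["route-target"])
    report = {}
    for vpn_id in sorted(set(exported) | set(imported)):
        never_imported = sorted(exported[vpn_id] - imported[vpn_id])
        never_exported = sorted(imported[vpn_id] - exported[vpn_id])
        if never_imported or never_exported:
            report[vpn_id] = {"exported-not-imported": never_imported,
                              "imported-not-exported": never_exported}
    return report


if __name__ == "__main__":
    for rd, found in rd_collisions(INVENTORIES).items():
        print("RD allocated by several systems:", rd, found)
    for vpn_id, detail in rt_asymmetries(INVENTORIES).items():
        print("RT asymmetry in VPN", vpn_id, detail)
```

An RD collision between two different VPNs makes their routes indistinguishable in the backbone, so a finding from the first check is worth blocking on; an RT finding usually points at a non-functional VPN rather than a leak.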

1826     On the other hand, Draft Rosen has limitations such as reduced
1827     options for transport, control plane scalability, availability,
1828     operational inconsistency and the need to maintain state in the
1829     backbone.  Because of this, ng-MVPN is the architectural model that
1830     has been taken as the base for implementing multicast service on
1831     L3VPN.  In this scenario, BGP auto discovery is used to discover MVPN
1832     PE members and the customer PIM signaling is sent across the provider
1833     core through MP-BGP.  The multicast traffic is transported on MPLS
1834     P2MP LSPs.  All of the previous information is carried in the MCAST-
1835     VPN BGP NLRI.

1837  9.  L3VPN Examples

1839  9.1.  4G VPN Provisioning Example

1841     L3VPNs are widely used to deploy 3G/4G, fixed, and enterprise
1842     services mainly because several traffic discrimination policies can
1843     be applied within the network to deliver to the mobile customers a
1844     service that meets the SLA requirements.

1846     As shown in Figure 16, typically, an eNodeB (CE) is
1847     directly connected to the access routers of the mobile backhaul and
1848     their logical interfaces (one or many according to the Service type)
1849     are configured in a VPN that transports the packets to the mobile
1850     core platforms.  In this example, a 'vpn-node' is created with two
1851     'vpn-network-accesses'.

1853          +-------------+                  +------------------+
1854          |             |                  | PE               |
1855          |             |   192.168.0.2    |     10.0.0.1     |
1856          |   eNodeB    |>--------/------->|...........       |
1857          |             |      Vlan 1      |          |       |
1858          |             |>--------/------->|......    |       |
1859          |             |      Vlan 2      |     |    |       |
1860          |             |      Direct      |  +-------------+ |
1861          +-------------+      Routing     |  | vpn-node-id | |
1862                                           |  |     44      | |
1863                                           |  +-------------+ |
1864                                           |                  |
1865                                           +------------------+

1867                     Figure 16: Mobile Backhaul Example

1869     To create a L3VPN service using the L3NM model, the following sample
1870     steps can be followed:

1872     First: Create the 4G VPN Service (Figure 17).

1874     POST: /restconf/data/ietf-l3vpn-ntw:l3vpn-ntw/vpn-services
1875     Host: example.com
1876     Content-Type: application/yang-data+json

1878     {
1879       "ietf-l3vpn-ntw:vpn-services": {
1880         "vpn-service": [{
1881           "vpn-id": "4G",
1882           "customer-name": "mycustomer",
1883           "vpn-service-topology": "custom",
1884           "description": "VPN to deploy 4G services"
1885         }]
1886       }
1887     }

1889                      Figure 17: Create VPN Service

1891     Second: Create a VPN Node as depicted in Figure 18.  In this type of
1892     service, the VPN Node is equivalent to the VRF configured in the
1893     physical device ('ne-id'=10.0.0.1).

1895     POST: /restconf/data/ietf-l3vpn-ntw:l3vpn-ntw/\
1896           vpn-services/vpn-service=4G
1897     Host: example.com
1898     Content-Type: application/yang-data+json

1900     {
1901       "ietf-l3vpn-ntw:vpn-nodes": {
1902         "vpn-node": [{
1903           "vpn-node-id": "44",
1904           "ne-id": "10.0.0.1",
1905           "local-autonomous-system": "65550",
1906           "rd": "0:65550:1",
1907           "vpn-targets": {
1908             "vpn-target": [{
1909               "id": "1",
1910               "route-targets": [{"route-target": "0:65550:1"}],
1911               "route-target-type": "both"
1912             }]
1913           }
1914         }]
1915       }
1916     }

1918                        Figure 18: Create VPN Node

1920     Finally, two VPN Network Accesses are created using the same physical
1921     port ('port-id'=1/1/1).  Each 'vpn-network-access' has a particular
1922     VLAN (1,2) to differentiate between Sync and data traffic
1923     (Figure 19).

1925     POST: /restconf/data/ietf-l3vpn-ntw:l3vpn-ntw/\
1926           vpn-services/vpn-service=4G/vpn-nodes/vpn-node=44
1927     content-type: application/yang-data+json
1928     {
1929       "ietf-l3vpn-ntw:vpn-network-accesses": {
1930         "vpn-network-access": [
1931           {
1932             "vpn-network-access-id": "1/1/1.1",
1933             "port-id": "1/1/1",
1934             "description": "Interface SYNC to eNODE-B",
1935             "status": {"admin-enabled": "true"},
1936             "vpn-network-access-type": "l3vpn-svc:point-to-point",
1937             "ip-connection": {
1938               "ipv4": {
1939                 "address-allocation-type": "l3vpn-svc:static-address",
1940                 "static-addresses": {
1941                   "primary-address": "1",
1942                   "address": [{
1943                     "address-id": "1",
1944                     "provider-address": "192.168.0.1",
1945                     "customer-address": "192.168.0.1",
1946                     "prefix-length": "32"
1947                   }]
1948                 }
1949               }
1950             },
1951             "routing-protocols": {
1952               "routing-protocol": [{
1953                 "id": "1",
1954                 "type": "l3vpn-svc:direct"
1955               }]
1956             }
1957           },
1958           {
1959             "vpn-network-access-id": "1/1/1.2",
1960             "port-id": "1/1/1",
1961             "description": "Interface DATA to eNODE-B",
1962             "status": {"admin-enabled": "true"},
1963             "ip-connection": {
1964               "ipv4": {
1965                 "static-addresses": {
1966                   "primary-address": "1",
1967                   "address": [{
1968                     "address-id": "1",
1969                     "provider-address": "192.168.1.1",
1970                     "customer-address": "192.168.1.2",
1971                     "prefix-length": "32"
1972                   }]
1973                 }
1974               }
1975             },
1976             "routing-protocols": {
1977               "routing-protocol": [{
1978                 "id": "1",
1979                 "type": "l3vpn-svc:direct"
1980               }]
1981             }
1982           }
1983         ]
1984       }
1985     }

1987                   Figure 19: Create VPN Network Access

1989  9.2.  Multicast VPN Provisioning Example

1991     IPTV is mainly distributed through multicast over the LANs.  In the
1992     following example, PIM-SM is enabled and functional between the PE
1993     and the CE.  The PE receives multicast traffic from a CE that is
1994     directly connected to the multicast source.  The signaling between PE
1995     and CE is achieved using BGP.  Also, RP is statically configured for
1996     a multicast group.

1998          +-----------+   +------+     +------+    +-----------+
1999          | Multicast |---|  CE  |--/--|  PE  |----|  Backbone |
2000          |  source   |   +------+     +------+    |  IP/MPLS  |
2001          +-----------+                            +-----------+

2003                Figure 20: Multicast L3VPN Service Example

2005     To configure a Multicast L3VPN service using the L3NM model, the
2006     procedure and the JSON data structures are the following:

2008     First, the multicast service is created (see the excerpt of the
2009     request message body shown in Figure 21).

2011     "vpn-services": {
2012       "vpn-service": [{
2013         "vpn-id": "Multicast_IPTV",
2014         "customer-name": "310",
2015         "vpn-service-topology": "hub-spoke",
2016         "description": "Multicast IPTV VPN service"
2017       }]
2018     }

2020      Figure 21: Create Multicast VPN Service (Excerpt of the Message
2021                               Request Body)

2023     Then, the VPN nodes are created (see the excerpt of the request
2024     message body shown in Figure 22).  In this example, the VPN Node will
2025     represent the VRF configured in the physical device.

2027     "vpn-node": [{
2028       "vpn-node-id": "500003105",
2029       "ne-id": "10.250.2.202",
2030       "autonomous-system": "3816",
2031       "description": "VRF_IPTV_MULTICAST",
2032       "router-id": "10.250.2.202",
2033       "address-family": "ipv4",
2034       "node-role":
2035         "l3vpn-svc:hub-role",
2037       "rd": "3816:31050202",
2038       "multicast": {
2039         "enabled": "true",
2040         "rp": {
2041           "rp-group-mappings": {
2042             "rp-group-mapping": [{
2043               "id": "1",
2044               "rp-address": "172.19.48.17",
2045               "groups": {
2046                 "group": [{
2047                   "id": "1",
2048                   "group-address": "239.130.0.0/15"
2049                 }]
2050               }
2051             }]
2052           },
2053           "rp-discovery": {
2054             "rp-discovery-type":
2055               "l3vpn-svc:static-rp"
2057           }
2058         }
2059       }
2060     }]

2062     Figure 22: Create Multicast VPN Node (Excerpt of the Message Request
2063                                   Body)

2065     Finally, create the VPN Network Access with Multicast enabled (see
2066     the excerpt of the request message body shown in Figure 23).

2068     "vpn-network-access": [{
2069       "vpn-network-access-id": "1/1/1",
2070       "description": "Connected_to_source",
2071       "status": { "admin-enabled": "true" },
2072       "vpn-network-access-type":
2073         "l3vpn-svc:point-to-point",
2075       "ip-connection": {
2076         "ipv4": {
2077           "address-allocation-type":
2078             "l3vpn-svc:static-address",
2080           "static-addresses": {
2081             "primary-address": "1",
2082             "address": [{
2083               "address-id": "1",
2084               "provider-address": "172.19.48.1",
2085               "prefix-length": "30"
2086             }]
2087           }
2088         }
2089       },
2090       "routing-protocols": {
2091         "routing-protocol": [{
2092           "id": "1",
2093           "type":
2094             "l3vpn-svc:bgp",
2096           "bgp": {
2097             "peer-autonomous-system": "6500",
2098             "local-autonomous-system": "3816",
2099             "address-family": "ipv4",
2100             "neighbor": "172.19.48.2",
2101             "description": "Connected_to_CE"
2102           }
2103         }]
2104       },
2105       "service": {
2106         "multicast": {
2107           "multicast-site-type": "source-only",
2108           "multicast-address-family": { "ipv4": "true" },
2109           "protocol-type": "router"
2110         }
2111       }
2112     }]

2114     Figure 23: Create VPN Network Access (Excerpt of the Message Request
2115                                   Body)

2117  10.  L3NM YANG Module

2119     file "ietf-l3vpn-ntw@2020-03-09.yang"
2120     module ietf-l3vpn-ntw {
2121       yang-version 1.1;
2122       namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw";
2123       prefix l3vpn-ntw;

2125       import ietf-inet-types {
2126         prefix inet;
2127         reference
2128           "Section 4 of RFC 6991";
2129       }
2130       import ietf-yang-types {
2131         prefix yang;
2132         reference
2133           "Section 3 of RFC 6991";
2134       }
2135       import ietf-netconf-acm {
2136         prefix nacm;
2137         reference
2138           "RFC 8341: Network Configuration Access Control Model";
2139       }
2140       import ietf-routing-types {
2141         prefix rt-types;
2142         reference
2143           "RFC 8294: Common YANG Data Types for the Routing Area";
2144       }
2145       import ietf-l3vpn-svc {
2146         prefix l3vpn-svc;
2147         reference
2148           "RFC 8299: YANG Data Model for L3VPN Service Delivery";
2149       }
2150       import ietf-packet-fields {
2151         prefix packet-fields;
2152         reference
2153           "RFC 8519: YANG Data Model for Network Access
2154            Control Lists (ACLs)";
2155       }

2157       organization
2158         "IETF OPSA (Operations and Management Area) Working Group ";
2159       contact
2160         "WG Web:
2161          WG List:
2162          Author:   Samier Barguil
2163
2164          Editor:   Oscar Gonzalez de Dios
2165
2166          Author:   Mohamed Boucadair
2167
2168          Author:   Luis Angel Munoz
2169

2171          Author:   Alejandro Aguado
2172
2173         ";
2174       description
2175         "This YANG module defines a generic network-oriented model
2176          for the configuration of Layer 3 Virtual Private Networks.
2177          Copyright (c) 2020 IETF Trust and the persons identified as
2178          authors of the code.  All rights reserved.

2180          Redistribution and use in source and binary forms, with or
2181          without modification, is permitted pursuant to, and subject to
2182          the license terms contained in, the Simplified BSD License set
2183          forth in Section 4.c of the IETF Trust's Legal Provisions
2184          Relating to IETF Documents
2185          (https://trustee.ietf.org/license-info).

2187          This version of this YANG module is part of RFC XXXX
2188          (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
2189          for full legal notices.";

2191       revision 2020-03-09 {
2192         description
2193           "Initial revision.";
2194         reference
2195           "RFC XXXX: A Layer 3 VPN Network YANG Model";
2196       }

2198       /* Features */

2200       feature msdp {
2201         description
2202           "This feature indicates that msdp capabilities
2203            are supported by the VPN.";
2204       }

2206       feature rtg-isis {
2207         description
2208           "This feature indicates the support of the ISIS
2209            routing protocol.";
2210       }

2212       feature rtg-ospf-sham-link {
2213         description
2214           "This feature indicates the support of OSPF sham links.";
2215       }

2217       feature input-bw {
2218         description
2219           "This feature indicates the support of
2220            the 'input-bw' limit.";
2221       }

2223       feature dot1q {
2224         description
2225           "This feature indicates the support of
2226            the 'dot1q' encapsulation.";
2227       }

2229       feature qinq {
2230         description
2231           "This feature indicates the support of
2232            the 'qinq' encapsulation.";
2233       }

2235       feature qinany {
2236         description
2237           "This feature indicates the support of
2238            the 'qinany' encapsulation.";
2239       }

2241       feature vxlan {
2242         description
2243           "This feature indicates the support of
2244            the 'vxlan' encapsulation.";
2245       }

2247       /* Typedefs */

2249       typedef protocols-type {
2250         type enumeration {
2251           enum GRE {
2252             value 0;
2253             description
2254               "Transport based on GRE.";
2255           }
2256           enum LDP {
2257             value 1;
2258             description
2259               "Transport based on LDP.";
2260           }
2261           enum BGP {
2262             value 2;
2263             description
2264               "Transport based on BGP.";
2265           }
2266           enum SR {
2267             value 3;
2268             description
2269               "Transport based on Segment Routing (SR)";
2270           }
2271           enum SR-TE {
2272             value 4;
2273             description
2274               "Transport based on SR for Traffic Engineering.";
2275           }
2276           enum RSVP-TE {
2277             value 5;
2278             description
2279               "Transport based on RSVP for Traffic Engineering";
2280           }
2281           enum unknown {
2282             value 6;
2283             description
2284               "Transport UNKNOWN";
2285           }
2286         }
2287         description
2288           "These attributes are used to identify underlying
2289            protocols when activating an L3VPN service.";
2290       }

2292       typedef area-address {
2293         type string {
2294           pattern '[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4}){0,6}';
2295         }
2296         description
2297           "This type defines the area address format.";
2298       }

2300       typedef isis-level {
2301         type enumeration {
2302           enum level1 {
2303             value 0;
2304             description
2305               "ISIS level 1";
2306           }
2307           enum level2 {
2308             value 1;
2309             description
2310               "ISIS level 2";
2311           }
2312           enum level1-2 {
2313             value 2;
2314             description
2315               "ISIS level 1 and 2";
2316           }
2317         }
2318         description
2319           "Defines the ISIS level for interface and system.";
2320       }

2322       typedef ie-type {
2323         type enumeration {
2324           enum import {
2325             value 0;
2326             description
2327               "Import a routing profile.";
2328           }
2329           enum export {
2330             value 1;
2331             description
2332               "Export a routing profile.";
2333           }
2334           enum both {
2335             value 2;
2336             description
2337               "Import/Export a routing profile.";
2338           }
2339         }
2340         description
2341           "Defines Import-Export routing profiles.
2342            Those profiles can be reused between VPN nodes.";
2343       }

2345       typedef operational-type {
2346         type enumeration {
2347           enum up {
2348             value 0;
2349             description
2350               "Operational status UP/Enabled.";
2351           }
2352           enum down {
2353             value 1;
2354             description
2355               "Operational status DOWN/Disabled.";
2356           }
2357           enum unknown {
2358             value 2;
2359             description
2360               "Operational status UNKNOWN.";
2361           }
2362         }
2363         description
2364           "This attribute is used to determine the
2365            status of a particular element.";
2366       }

2368       /* Identities */

2370       identity vpn-topology {
2371         description
2372           "Base identity for VPN topology.";
2373       }

2375       identity any-to-any {
2376         base vpn-topology;
2377         description
2378           "Identity for any-to-any VPN topology.";
2379       }

2381       identity hub-spoke {
2382         base vpn-topology;
2383         description
2384           "Identity for Hub-and-Spoke VPN topology.";
2385       }

2387       identity hub-spoke-disjoint {
2388         base vpn-topology;
2389         description
2390           "Identity for Hub-and-Spoke VPN topology
2391            where Hubs cannot communicate with each other.";
2392       }

2394       identity custom {
2395         base vpn-topology;
2396         description
2397           "Identity for CUSTOM VPN topology
2398            where Hubs can act as Spoke for certain part of
2399            the network or Spokes as Hubs.";
2400       }

2402       identity isis {
2403         base l3vpn-svc:routing-protocol-type;
2404         description
2405           "Identity for ISIS protocol type.";
2406       }

2408       identity pseudowire {
2409         base l3vpn-svc:site-network-access-type;
2410         description
2411           "Identity for pseudowire connections.";
2412       }

2414       identity loopback {
2415         base l3vpn-svc:site-network-access-type;
2416         description
2417           "Identity for loopback connections.";
2418       }

2420       identity encapsulation-type {
2421         description
2422           "Identity for the encapsulation type.";
2423       }

2425       identity untagged-int {
2426         base encapsulation-type;
2427         description
2428           "Identity for Ethernet type.";
2429       }

2431       identity tagged-int {
2432         base encapsulation-type;
2433         description
2434           "Identity for the VLAN type.";
2435       }

2437       identity eth-inf-type {
2438         description
2439           "Identity of the Ethernet interface type.";
2440       }

2442       identity tagged {
2443         base eth-inf-type;
2444         description
2445           "Identity of the tagged interface type.";
2446       }

2448       identity untagged {
2449         base eth-inf-type;
2450         description
2451           "Identity of the untagged interface type.";
2452       }

2454       identity lag {
2455         base eth-inf-type;
2456         description
2457           "Identity of the LAG interface type.";
2458       }
2459       identity bearer-inf-type {
2460         description
2461           "Identity for the bearer interface type.";
2462       }

2464       identity port-id {
2465         base bearer-inf-type;
2466         description
2467           "Identity for the priority-tagged interface.";
2468       }

2470       identity lag-id {
2471         base bearer-inf-type;
2472         description
2473           "Identity for the priority-tagged interface.";
2474       }

2476       identity tagged-inf-type {
2477         description
2478           "Identity for the tagged interface type.";
2479       }

2481       identity priority-tagged {
2482         base tagged-inf-type;
2483         description
2484           "Identity for the priority-tagged interface.";
2485       }

2487       identity qinq {
2488         base tagged-inf-type;
2489         description
2490           "Identity for the QinQ tagged interface.";
2491       }

2493       identity dot1q {
2494         base tagged-inf-type;
2495         description
2496           "Identity for the dot1Q VLAN tagged interface.";
2497       }

2499       identity qinany {
2500         base tagged-inf-type;
2501         description
2502           "Identity for the QinAny tagged interface.";
2503       }

2505       identity vxlan {
2506         base tagged-inf-type;
2507         description
2508           "Identity for the VXLAN tagged interface.";
2509       }

2511       identity tag-type {
2512         description
2513           "Base identity from which all tag types are derived.";
2514       }

2516       identity c-vlan {
2517         base tag-type;
2518         description
2519           "A CVLAN tag, normally using the 0x8100 Ethertype.";
2520       }

2522       identity s-vlan {
2523         base tag-type;
2524         description
2525           "An SVLAN tag.";
2526       }

2528       identity c-s-vlan {
2529         base tag-type;
2530         description
2531           "Using both a CVLAN tag and an SVLAN tag.";
2532       }

2534       identity vxlan-peer-mode {
2535         description
2536           "Base identity for the VXLAN peer mode.";
2537       }

2539       identity static-mode {
2540         base vxlan-peer-mode;
2541         description
2542           "Identity for VXLAN access in the static mode.";
2543       }

2545       identity bgp-mode {
2546         base vxlan-peer-mode;
2547         description
2548           "Identity for VXLAN access using BGP EVPN.";
2549       }

2551       identity bw-direction {
2552         description
2553           "Identity for the bandwidth direction.";
2554       }
2555       identity input-bw {
2556         base bw-direction;
2557         description
2558           "Identity for the input bandwidth.";
2559       }

2561       identity output-bw {
2562         base bw-direction;
2563         description
2564           "Identity for the output bandwidth.";
2565       }

2567       identity bw-type {
2568         description
2569           "Identity of the bandwidth type.";
2570       }

2572       identity bw-per-cos {
2573         base bw-type;
2574         description
2575           "Bandwidth is per Class of Service (CoS).";
2576       }

2578       identity bw-per-port {
2579         base bw-type;
2580         description
2581           "Bandwidth is per site network access.";
2582       }

2584       identity bw-per-site {
2585         base bw-type;
2586         description
2587           "Bandwidth is per site.  It is applicable to
2588            all the site network accesses within a site.";
2589       }

2591       identity bw-per-svc {
2592         base bw-type;
2593         description
2594           "Bandwidth is per VPN service.";
2595       }

2597       /* Groupings */

2599       grouping svc-transport-encapsulation {
2600         container underlay-transport {
2601           leaf type {
2602             type protocols-type;
2603             description
2604               "Protocols used to deliver an L3VPN service.";
2605           }
2606           description
2607             "";
2608         }
2609         description
2610           "";
2611       }

2613       grouping multicast-rp-group-cfg {
2614         choice group-format {
2615           mandatory true;
2616           case group-prefix {
2617             leaf group-address {
2618               type inet:ip-prefix;
2619               description
2620                 "A single multicast group prefix.";
2621             }
2622           }
2623           case startend {
2624             leaf group-start {
2625               type inet:ip-address;
2626               description
2627                 "The first multicast group address in
2628                  the multicast group address range.";
2629             }
2630             leaf group-end {
2631               type inet:ip-address;
2632               description
2633                 "The last multicast group address in
2634                  the multicast group address range.";
2635             }
2636           }
2637           description
2638             "Choice for multicast group format.";
2639         }
2640         description
2641           "This grouping defines multicast group or
2642            multicast groups for RP-to-group mapping.";
2643       }

2645       grouping vpn-service-multicast {
2646         container multicast {
2647           if-feature "l3vpn-svc:multicast";
2648           leaf enabled {
2649             type boolean;
2650             default "false";
2651             description
2652               "Enables multicast.";
2653           }
2654           leaf-list tree-flavor {
2655             type identityref {
2656               base l3vpn-svc:multicast-tree-type;
2657             }
2658             description
2659               "Type of tree to be used.";
2660           }
2661           container rp {
2662             container rp-group-mappings {
2663               list rp-group-mapping {
2664                 key "id";
2665                 leaf id {
2666                   type uint16;
2667                   description
2668                     "Unique identifier for the mapping.";
2669                 }
2670                 container provider-managed {
2671                   leaf enabled {
2672                     type boolean;
2673                     default "false";
2674                     description
2675                       "Set to true if the Rendezvous Point (RP)
2676                        must be a provider-managed node.  Set to false
2677                        if it is a customer-managed node.";
2678                   }
2679                   leaf rp-redundancy {
2680                     type boolean;
2681                     default "false";
2682                     description
2683                       "If true, a redundancy mechanism for the RP
2684                        is required.";
2685                   }
2686                   leaf optimal-traffic-delivery {
2687                     type boolean;
2688                     default "false";
2689                     description
2690                       "If true, the SP must ensure that
2691                        traffic uses an optimal path.  An SP may use
2692                        Anycast RP or RP-tree-to-SPT switchover
2693                        architectures.";
2694                   }
2695                   container anycast {
2696                     when "../rp-redundancy = 'true' and
2697                           ../optimal-traffic-delivery = 'true'" {
2698                       description
2699                         "Only applicable if
2700                          RP redundancy is
2701                          enabled and delivery through
2702                          optimal path is activated.";
2703                     }
2704                     leaf local-address {
2705                       type inet:ip-address;
2706                       description
2707                         "IP local address for PIM RP.
2708                          Usually, it corresponds to router
2709                          ID or primary address";
2710                     }
2711                     leaf-list rp-set-address {
2712                       type inet:ip-address;
2713                       description
2714                         "Address other RP routers
2715                          that share the same RP IP address.";
2716                     }
2717                     description
2718                       "PIM Anycast-RP parameters.";
2719                   }
2720                   description
2721                     "Parameters for a provider-managed RP.";
2722                 }
2723                 leaf rp-address {
2724                   when "../provider-managed/enabled = 'false'" {
2725                     description
2726                       "Relevant when the RP is not provider-managed.";
2727                   }
2728                   type inet:ip-address;
2729                   mandatory true;
2730                   description
2731                     "Defines the address of the RP.
2732                      Used if the RP is customer-managed.";
2733                 }
2734                 container groups {
2735                   list group {
2736                     key "id";
2737                     leaf id {
2738                       type uint16;
2739                       description
2740                         "Identifier for the group.";
2741                     }
2742                     uses multicast-rp-group-cfg;
2743                     description
2744                       "List of multicast groups.";
2745                   }
2746                   description
2747                     "Multicast groups associated with the RP.";
2748                 }
2749                 description
2750                   "List of RP-to-group mappings.";
2751               }
2752               description
2753                 "RP-to-group mappings parameters.";
2754             }
2755             container rp-discovery {
2756               leaf rp-discovery-type {
2757                 type identityref {
2758                   base l3vpn-svc:multicast-rp-discovery-type;
2759                 }
2760                 default "l3vpn-svc:static-rp";
2761                 description
2762                   "Type of RP discovery used.";
2763               }
2764               container bsr-candidates {
2765                 when "derived-from-or-self(../rp-discovery-type, "
2766                    + "'l3vpn-ntw:bsr-rp')" {
2767                   description
2768                     "Only applicable if discovery type
2769                      is BSR-RP.";
2770                 }
2771                 leaf-list bsr-candidate-address {
2772                   type inet:ip-address;
2773                   description
2774                     "Address of candidate Bootstrap Router (BSR).";
2775                 }
2776                 description
2777                   "Container for List of Customer
2778                    BSR candidate's addresses.";
2779               }
2780               description
2781                 "RP discovery parameters.";
2782             }
2783             description
2784               "RP parameters.";
2785           }
2786           container msdp {
2787             if-feature "msdp";
2788             leaf enabled {
2789               type boolean;
2790               default "false";
2791               description
2792                 "If true, Multicast Source Discovery Protocol (MSDP)
2793                  protocol is activated.";
2794             }
2795             leaf peer {
2796               type inet:ip-address;
2797               description
2798                 "IP address of the MSDP peer.";
2799             }
2800             leaf local-address {
2801               type inet:ip-address;
2802               description
2803                 "IP address of the local end.  This local address
2804                  must be configured on the node.";
2805             }
2806             description
2807               "MSDP parameters.";
2808           }
2809           description
2810             "Multicast global parameters for the VPN service.";
2811         }
2812         description
2813           "Grouping for multicast VPN definition.";
2814       }

2816       grouping vpn-service-mpls {
2817         leaf carrierscarrier {
2818           if-feature "l3vpn-svc:carrierscarrier";
2819           type boolean;
2820           default "false";
2821           description
2822             "The VPN is using CsC, and so MPLS is required.";
2823         }
2824         description
2825           "Grouping for MPLS Carriers'Carrier definition.";
2826       }

2828       grouping operational-requirements {
2829         leaf requested-site-start {
2830           type yang:date-and-time;
2831           description
2832             "Optional leaf indicating requested date and
2833              time when the service at a particular site is
2834              expected to start.";
2835         }
2836         leaf requested-site-stop {
2837           type yang:date-and-time;
2838           description
2839             "Optional leaf indicating requested date and
2840              time when the service at a particular site is
2841              expected to stop.";
2842         }
2843         description
2844           "This grouping defines some operational
2845            parameters.";
2846       }

2848       grouping status-timestamp {
2849         leaf status {
2850           type operational-type;
2851           description
2852             "Operations status";
2853         }
2854         leaf timestamp {
2855           type yang:date-and-time;
2856           description
2857             "Indicates the actual date and time when
2858              the service actually started (UP) or
2859              stopped (DOWN).";
2860         }
2861         description
2862           "This grouping defines some operational
2863            parameters for the service.";
2864       }

2866       grouping service-status {
2867         container service-status {
2868           container admin {
2869             uses status-timestamp;
2870             description
2871               "Administrative service status.";
2872           }
2873           container ops {
2874             config false;
2875             uses status-timestamp;
2876             description
2877               "Operational service status.";
2878           }
2879           description
2880             "Service status.";
2881         }
2882         description
2883           "Service status grouping.  Reused in
2884            vpn-node and vpn-network-access.";
2885       }

2887       grouping site-service-basic {
2888         leaf svc-input-bandwidth {
2889           type uint64;
2890           units "bps";
2891           mandatory true;
2892           description
2893             "From the customer site's perspective, the service
2894              input bandwidth of the connection or download
2895              bandwidth from the SP to the site.";
2896         }
2897         leaf svc-output-bandwidth {
2898           type uint64;
2899           units "bps";
2900           mandatory true;
2901           description
2902             "From the customer site's perspective, the service
2903              output bandwidth of the connection or upload
2904              bandwidth from the site to the SP.";
2905         }
2906         leaf svc-mtu {
2907           type uint16;
2908           units "bytes";
2909           mandatory true;
2910           description
2911             "MTU at service level.  If the service is IP,
2912              it refers to the IP MTU.  If CsC is enabled,
2913              the requested 'svc-mtu' leaf will refer to the
2914              MPLS MTU and not to the IP MTU.";
2915         }
2916         description
2917           "Defines basic service parameters for a site.";
2918       }

2920       grouping site-protection {
2921         container traffic-protection {
2922           if-feature "l3vpn-svc:fast-reroute";
2923           leaf enabled {
2924             type boolean;
2925             default "false";
2926             description
2927               "Enables traffic protection of access link.";
2928           }
2929           description
2930             "Fast Reroute service parameters for the site.";
2931         }
2932         description
2933           "Defines protection service parameters for a site.";
2934       }

2936       grouping site-service-mpls {
2937         container carrierscarrier {
2938           if-feature "l3vpn-svc:carrierscarrier";
2939           leaf signalling-type {
2940             type enumeration {
2941               enum ldp {
2942                 description
2943                   "Use LDP as the signalling protocol
2944                    between the PE and the CE.  In this case,
2945                    an IGP routing protocol must also be activated.";
2946               }
2947               enum bgp {
2948                 description
2949                   "Use BGP as the signalling protocol
2950                    between the PE and the CE.
2951                    In this case, BGP must also be configured as
2952                    the routing protocol.";
2953                 reference
2954                   "RFC 8277: Using BGP to Bind MPLS Labels to
2955                    Address Prefixes";
2956               }
2957             }
2958             default "bgp";
2959             description
2960               "MPLS signalling type.";
2961           }
2962           description
2963             "This container is used when the customer provides
2964              MPLS-based services.  This is only used in the case
2965              of CsC (i.e., a customer builds an MPLS service using
2966              an IP VPN to carry its traffic).";
2967         }
2968         description
2969           "Defines MPLS service parameters for a site.";
2970       }

2972       grouping ports {
2973         choice source-port {
2974           container source-port-range-or-operator {
2975             uses packet-fields:port-range-or-operator;
2976             description
2977               "Source port definition.";
2978           }
2979           description
2980             "Choice of specifying the source port or referring to
2981              a group of source port numbers.";
2982         }
2983         choice destination-port {
2984           container destination-port-range-or-operator {
2985             uses packet-fields:port-range-or-operator;
2986             description
2987               "Destination port definition.";
2988           }
2989           description
2990             "Choice of specifying a destination port or referring
2991              to a group of destination port numbers.";
2992         }
2993         description
2994           "Choice of specifying a source or destination port numbers.";
2995       }

2997       grouping site-service-qos-profile {
2998         container qos {
2999           if-feature "l3vpn-svc:qos";
3000           container qos-classification-policy {
3001             list rule {
3002               key "id";
3003               ordered-by user;
3004               leaf id {
3005                 type string;
3006                 description
3007                   "A description identifying the
3008                    qos-classification-policy rule.";
3009               }
3010               choice match-type {
3011                 default "match-flow";
3012                 case match-flow {
3013                   //uses l3vpn-svc:flow-definition;
3014                   choice l3 {
3015                     container ipv4 {
3016                       uses packet-fields:acl-ip-header-fields;
3017                       uses packet-fields:acl-ipv4-header-fields;
3018                       description
3019                         "Rule set that matches IPv4 header.";
3020                     }
3021                     container ipv6 {
3022                       uses packet-fields:acl-ip-header-fields;
3023                       uses packet-fields:acl-ipv6-header-fields;
3024                       description
3025                         "Rule set that matches IPv6 header.";
3026                     }
3027                     description
3028                       "Either IPv4 or IPv6.";
3029                   }
3030                   choice l4 {
3031                     container tcp {
3032                       uses packet-fields:acl-tcp-header-fields;
3033                       uses ports;
3034                       description
3035                         "Rule set that matches TCP header.";
3036                     }
3037                     container udp {
3038                       uses packet-fields:acl-udp-header-fields;
3039                       uses ports;
3040                       description
3041                         "Rule set that matches UDP header.";
3042                     }
3043                     description
3044                       "Can be TCP or UDP";
3045                   }
3046                 }
3047                 case match-application {
3048                   leaf match-application {
3049                     type identityref {
3050                       base l3vpn-svc:customer-application;
3051                     }
3052                     description
3053                       "Defines the application to match.";
3054                   }
3055                 }
3056                 description
3057                   "Choice for classification.";
3058               }
3059               leaf target-class-id {
3060                 type string;
3061                 description
3062                   "Identification of the class of service.
3063                    This identifier is internal to the administration.";
3064               }
3065               description
3066                 "List of marking rules.";
3067             }
3068             description
3069               "Configuration of the traffic classification policy.";
3070           }
3071           container qos-profile {
3072             choice qos-profile {
3073               description
3074                 "Choice for QoS profile.
3075               Can be standard profile or customized profile.";
3076            case standard {
3077              description
3078                "Standard QoS profile.";
3079              leaf profile {
3080                type leafref {
3081                  path "/l3vpn-ntw/vpn-profiles/"
3082                     + "valid-provider-identifiers"
3083                     + "/qos-profile-identifier/id";
3084                }
3085                description
3086                  "QoS profile to be used.";
3087              }
3088              leaf direction {
3089                type identityref {
3090                  base l3vpn-svc:qos-profile-direction;
3091                }
3092                default "l3vpn-svc:both";
3093                description
3094                  "The direction to which the QoS profile
3095                   is applied.";
3096              }
3097            }
3098            case custom {
3099              description
3100                "Customized QoS profile.";
3101              container classes {
3102                if-feature "l3vpn-svc:qos-custom";
3103                list class {
3104                  key "class-id";
3105                  leaf class-id {
3106                    type string;
3107                    description
3108                      "Identification of the class of service.
3109                       This identifier is internal to the
3110                       administration.";
3111                  }
3112                  leaf direction {
3113                    type identityref {
3114                      base l3vpn-svc:qos-profile-direction;
3115                    }
3116                    default "l3vpn-svc:both";
3117                    description
3118                      "The direction to which the QoS profile
3119                       is applied.";
3120                  }
3121                  leaf rate-limit {
3122                    type decimal64 {
3123                      fraction-digits 5;
3124                      range "0..100";
3125                    }
3126                    units "percent";
3127                    description
3128                      "To be used if the class must be rate-limited.
3129                       Expressed as percentage of the service
3130                       bandwidth.";
3132                  }
3133                  container latency {
3134                    choice flavor {
3135                      case lowest {
3136                        leaf use-lowest-latency {
3137                          type empty;
3138                          description
3139                            "The traffic class should
3140                             use the path with the
3141                             lowest latency.";
3142                        }
3143                      }
3144                      case boundary {
3145                        leaf jitter-boundary {
3146                          type uint16;
3147                          units "msec";
3148                          default "400";
3149                          description
3150                            "The traffic class
3151                             should use a path with a
3152                             defined maximum latency.";
3153                        }
3154                      }
3155                      description
3156                        "Latency constraint
3157                         on the traffic class.";
3158                    }
3159                    description
3160                      "Latency constraint
3161                       on the traffic class.";
3162                  }
3163                  container jitter {
3164                    choice flavor {
3165                      case lowest {
3166                        leaf use-lowest-jitter {
3167                          type empty;
3168                          description
3169                            "The traffic class
3170                             should use the path with the
3171                             lowest jitter.";
3172                        }
3173                      }
3174                      case boundary {
3175                        leaf latency-boundary {
3176                          type uint32;
3177                          units "usec";
3178                          default "40000";
3179                          description
3180                            "The traffic class
3181                             should use a path with a
3182                             defined maximum jitter.";
3183                        }
3184                      }
3185                      description
3186                        "Jitter constraint on the traffic class.";
3187                    }
3188                    description
3189                      "Jitter constraint on the traffic class.";
3190                  }
3191                  container bandwidth {
3192                    leaf guaranteed-bw-percent {
3193                      type decimal64 {
3194                        fraction-digits 5;
3195                        range "0..100";
3196                      }
3197                      units "percent";
3198                      mandatory true;
3199                      description
3200                        "To be used to define the guaranteed bandwidth
3201                         as a percentage of the available service
3202                         bandwidth.";
3203                    }
3204                    leaf end-to-end {
3205                      type empty;
3206                      description
3207                        "Used if the bandwidth reservation
3208                         must be done on the MPLS network too.";
3209                    }
3210                    description
3211                      "Bandwidth constraint on the traffic class.";
3212                  }
3213                  description
3214                    "List of classes of services.";
3215                }
3216                description
3217                  "Container for list of classes of services.";
3218              }
3219            }
3220          }
3221          description
3222            "QoS profile configuration.";
3223        }
3224        description
3225          "QoS configuration.";
3226      }
3227      description
3228        "This grouping defines QoS parameters for a site.";
3229    }

3231    grouping site-security-authentication {
3232      container authentication {
3233        description
3234          "Authentication parameters.";
3235      }
3236      description
3237        "This grouping defines authentication parameters
3238         for a site.";
3239    }

3241    grouping site-security-encryption {
3242      container encryption {
3243        if-feature "l3vpn-svc:encryption";
3244        leaf enabled {
3245          type boolean;
3246          default "false";
3247          description
3248            "If true, traffic encryption on the connection
3249             is required. It is disabled, otherwise.";
3250        }
3251        leaf layer {
3252          when "../enabled = 'true'" {
3253            description
3254              "Require a value for layer when enabled
3255               is true.";
3256          }
3257          type enumeration {
3258            enum layer2 {
3259              description
3260                "Encryption will occur at Layer 2.";
3261            }
3262            enum layer3 {
3263              description
3264                "Encryption will occur at Layer 3.
3265                 For example, IPsec may be used when
3266                 a customer requests Layer 3 encryption.";
3267            }
3268          }
3269          description
3270            "Layer on which encryption is applied.";
3271        }
3272        description
3273          "";
3274      }
3275      container encryption-profile {
3276        choice profile {
3277          case provider-profile {
3278            leaf profile-name {
3279              type leafref {
3280                path "/l3vpn-ntw/vpn-profiles/"
3281                   + "valid-provider-identifiers"
3282                   + "/encryption-profile-identifier/id";
3283              }
3284              description
3285                "Name of the SP profile to be applied.";
3286            }
3287          }
3288          case customer-profile {
3289            leaf algorithm {
3290              type string;
3291              description
3292                "Encryption algorithm to be used.";
3293            }
3294          }
3295          description
3296            "";
3297        }
3298        choice key-type {
3299          default "psk";
3300          case psk {
3301            leaf preshared-key {
3302              type string;
3303              description
3304                "Pre-Shared Key (PSK) coming from the customer.";
3305            }
3306          }
3307          description
3308            "Choice of encryption profile.
3309             The encryption profile can be the provider profile
3310             or customer profile.";
3311        }
3312        description
3313          "This grouping defines encryption parameters for
3314           a site.";
3315      }
3316      description
3317        "";
3318    }

3320    grouping site-routing {
3321      container routing-protocols {
3322        list routing-protocol {
3323          key "id";
3324          leaf id {
3325            type string;
3326            description
3327              "";
3328          }
3329          leaf type {
3330            type identityref {
3331              base l3vpn-svc:routing-protocol-type;
3332            }
3333            description
3334              "Type of routing protocol.";
3335          }
3336          list routing-profiles {
3337            key "id";
3338            leaf id {
3339              type leafref {
3340                path "/l3vpn-ntw/vpn-profiles/"
3341                   + "valid-provider-identifiers"
3342                   + "/routing-profile-identifier/id";
3343              }
3344              description
3345                "Routing profile to be used.";
3346            }
3347            leaf type {
3348              type ie-type;
3349              description
3350                "Import, export or both.";
3351            }
3352            description
3353              "Import or Export profile reference";
3354          }
3355          container ospf {
3356            when "derived-from-or-self(../type, 'l3vpn-ntw:ospf')" {
3357              description
3358                "Only applies when protocol is OSPF.";
3359            }
3360            if-feature "l3vpn-svc:rtg-ospf";
3361            leaf-list address-family {
3362              type l3vpn-svc:address-family;
3363              min-elements 1;
3364              description
3365                "If OSPF is used on this site, this node
3366                 contains a configured value. This node
3367                 contains at least one address family
3368                 to be activated.";
3369            }
3370            leaf area-address {
3371              type yang:dotted-quad;
3372              mandatory true;
3373              description
3374                "Area address.";
3375            }
3376            leaf metric {
3377              type uint16;
3378              default "1";
3379              description
3380                "Metric of the PE-CE link. It is used
3381                 in the routing state calculation and
3382                 path selection.";
3383            }
3384            /* Extension */
3385            leaf mtu {
3386              type uint16;
3387              description
3388                "Maximum transmission unit for a given
3389                 OSPF link.";
3390            }
3391            leaf process-id {
3392              type uint16;
3393              description
3394                "Process id of the OSPF CE-PE connection.";
3395            }
3396            uses security-params;
3397            /* End of Extension */
3398            container sham-links {
3399              if-feature "rtg-ospf-sham-link";
3400              list sham-link {
3401                key "target-site";
3402                leaf target-site {
3403                  type l3vpn-svc:svc-id;
3404                  description
3405                    "Target site for the sham link connection.
3406                     The site is referred to by its ID.";
3407                }
3408                leaf metric {
3409                  type uint16;
3410                  default "1";
3411                  description
3412                    "Metric of the sham link. It is used in
3413                     the routing state calculation and path
3414                     selection. The default value is set
3415                     to 1.";
3416                }
3417                description
3418                  "Creates a sham link with another site.";
3419              }
3420              description
3421                "List of sham links.";
3422            }
3423            description
3424              "OSPF-specific configuration.";
3425          }
3426          container bgp {
3427            when "derived-from-or-self(../type, 'l3vpn-ntw:bgp')" {
3428              description
3429                "Only applies when protocol is BGP.";
3430            }
3431            if-feature "l3vpn-svc:rtg-bgp";
3432            leaf peer-autonomous-system {
3433              type inet:as-number;
3434              mandatory true;
3435              description
3436                "Customer AS number in case the customer
3437                 requests BGP routing.";
3438            }
3439            leaf local-autonomous-system {
3440              type inet:as-number;
3441              description
3442                "Local-AS overwrite.";
3443            }
3444            leaf-list address-family {
3445              type l3vpn-svc:address-family;
3446              min-elements 1;
3447              description
3448                "If BGP is used on this site, this node
3449                 contains a configured value. This node
3450                 contains at least one address family
3451                 to be activated.";
3452            }
3453            /* Extension */
3454            leaf-list neighbor {
3455              type inet:ip-address;
3456              description
3457                "IP address(es) of the BGP neighbor. An IPv4
3458                 and IPv6 neighbors may be indicated if
3459                 two sessions will be used for IPv4 and IPv6.";
3460            }
3461            leaf multihop {
3462              type uint8;
3463              description
3464                "Describes the number of hops allowed between
3465                 a given BGP neighbor and the PE router.";
3466            }
3467            uses security-params;
3468            uses status-params;
3469            leaf description {
3470              type string;
3471              description
3472                "Includes a description of the BGP session.
3473                 Such description is meant to be used for
3474                 diagnosis purposes. The semantic of the description
3475                 is local to an implementation.";
3476            }
3477            /* End- Extension */
3478            description
3479              "BGP-specific configuration.";
3480          }
3481          container isis {
3482            when "derived-from-or-self(../type, 'l3vpn-ntw:isis')" {
3483              description
3484                "Only applies when protocol is ISIS.";
3485            }
3486            if-feature "rtg-isis";
3487            leaf-list address-family {
3488              type l3vpn-svc:address-family;
3489              min-elements 1;
3490              description
3491                "If ISIS is used on this site, this node
3492                 contains a configured value. This node
3493                 contains at least one address family
3494                 to be activated.";
3495            }
3496            leaf area-address {
3497              type area-address;
3498              mandatory true;
3499              description
3500                "Area address.";
3501            }
3502            leaf level {
3503              type isis-level;
3504              description
3505                "level1, level2 or level1-2";
3506            }
3507            leaf metric {
3508              type uint16;
3509              default "1";
3510              description
3511                "Metric of the PE-CE link. It is used
3512                 in the routing state calculation and
3513                 path selection.";
3514            }
3515            leaf process-id {
3516              type uint16;
3517              description
3518                "Process id of the ISIS CE-PE connection.";
3519            }
3520            leaf mode {
3521              type enumeration {
3522                enum active {
3523                  description
3524                    "Interface sends or receives ISIS protocol
3525                     control packets.";
3526                }
3527                enum passive {
3528                  description
3529                    "Suppresses the sending of ISIS routing updates
3530                     through the specified interface.";
3531                }
3532              }
3533              default "active";
3534              description
3535                "ISIS interface mode type.";
3536            }
3537            uses status-params;
3538            description
3539              "ISIS-specific configuration.";
3540          }
3541          container static {
3542            when "derived-from-or-self(../type, 'l3vpn-ntw:static')" {
3543              description
3544                "Only applies when protocol is static.
3545                 BGP activation requires the SP to know
3546                 the address of the customer peer. When
3547                 BGP is enabled, the 'static-address'
3548                 allocation type for the IP connection
3549                 MUST be used.";
3550            }
3551            container cascaded-lan-prefixes {
3552              list ipv4-lan-prefixes {
3553                if-feature "l3vpn-svc:ipv4";
3554                key "lan next-hop";
3555                leaf lan {
3556                  type inet:ipv4-prefix;
3557                  description
3558                    "LAN prefixes.";
3559                }
3560                leaf lan-tag {
3561                  type string;
3562                  description
3563                    "Internal tag to be used in VPN policies.";
3565                }
3566                leaf next-hop {
3567                  type inet:ipv4-address;
3568                  description
3569                    "Next-hop address to use on the customer side.";
3570                }
3571                description
3572                  "List of LAN prefixes for the site.";
3573              }
3574              list ipv6-lan-prefixes {
3575                if-feature "l3vpn-svc:ipv6";
3576                key "lan next-hop";
3577                leaf lan {
3578                  type inet:ipv6-prefix;
3579                  description
3580                    "LAN prefixes.";
3581                }
3582                leaf lan-tag {
3583                  type string;
3584                  description
3585                    "Internal tag to be used in VPN policies.";
3586                }
3587                leaf next-hop {
3588                  type inet:ipv6-address;
3589                  description
3590                    "Next-hop address to use on the customer side.";
3591                }
3592                description
3593                  "List of LAN prefixes for the site.";
3594              }
3595              description
3596                "LAN prefixes from the customer.";
3597            }
3598            description
3599              "Configuration specific to static routing.";
3600          }
3601          container rip {
3602            when "derived-from-or-self(../type, 'l3vpn-ntw:rip')" {
3603              description
3604                "Only applies when the protocol is RIP. For IPv4,
3605                 the model assumes that RIP version 2 is used.";
3606            }
3607            if-feature "l3vpn-svc:rtg-rip";
3608            leaf-list address-family {
3609              type l3vpn-svc:address-family;
3610              min-elements 1;
3611              description
3612                "If RIP is used on this site, this node
3613                 contains a configured value. This node
3614                 contains at least one address family
3615                 to be activated.";
3616            }
3617            description
3618              "Configuration specific to RIP routing.";
3619          }
3620          container vrrp {
3621            when "derived-from-or-self(../type, 'l3vpn-ntw:vrrp')" {
3622              description
3623                "Only applies when protocol is VRRP.";
3624            }
3625            if-feature "l3vpn-svc:rtg-vrrp";
3626            leaf-list address-family {
3627              type l3vpn-svc:address-family;
3628              min-elements 1;
3629              description
3630                "If VRRP is used on this site, this node
3631                 contains a configured value. This node contains
3632                 at least one address family to be activated.";
3633            }
3634            description
3635              "Configuration specific to VRRP routing.";
3636          }
3637          description
3638            "List of routing protocols used on
3639             the site. This list can be augmented.";
3640        }
3641        description
3642          "Defines routing protocols.";
3643      }
3644      description
3645        "Grouping for routing protocols.";
3646    }

3648    grouping site-attachment-ip-connection {
3649      container ip-connection {
3650        container ipv4 {
3651          if-feature "l3vpn-svc:ipv4";
3652          leaf address-allocation-type {
3653            type identityref {
3654              base l3vpn-svc:address-allocation-type;
3655            }
3656            must "not(derived-from-or-self(current(), 'l3vpn-ntw:slaac')"
3657               + " or derived-from-or-self(current(), "
3658               + "'l3vpn-ntw:provider-dhcp-slaac'))" {
3659              error-message "SLAAC is only applicable to IPv6";
3660            }
3661            description
3662              "Defines how addresses are allocated.
3663               If there is no value for the address
3664               allocation type, then IPv4 is not enabled.";
3665          }
3666          container provider-dhcp {
3667            when "derived-from-or-self(../address-allocation-type, "
3668               + "'l3vpn-ntw:provider-dhcp')" {
3669              description
3670                "Only applies when addresses are allocated by DHCP.";
3671            }
3672            leaf provider-address {
3673              type inet:ipv4-address;
3674              description
3675                "Address of provider side. If provider-address is not
3676                 specified, then prefix length should not be specified
3677                 either. It also implies provider-dhcp allocation is
3678                 not enabled. If provider-address is specified, then
3679                 the prefix length may or may not be specified.";
3680            }
3681            leaf prefix-length {
3682              type uint8 {
3683                range "0..32";
3684              }
3685              must '(../provider-address)' {
3686                error-message
3687                  "If the prefix length is specified, provider-address
3688                   must also be specified.";
3689                description
3690                  "If the prefix length is specified, provider-address
3691                   must also be specified.";
3692              }
3693              description
3694                "Subnet prefix length expressed in bits.
3695                 If not specified, or specified as zero,
3696                 this means the customer leaves the actual
3697                 prefix length value to the provider.";
3698            }
3699            choice address-assign {
3700              default "number";
3701              case number {
3702                leaf number-of-dynamic-address {
3703                  type uint16;
3704                  default "1";
3705                  description
3706                    "Describes the number of IP addresses
3707                     the customer requires.";
3708                }
3710              }
3711              case explicit {
3712                container customer-addresses {
3713                  list address-group {
3714                    key "group-id";
3715                    leaf group-id {
3716                      type string;
3717                      description
3718                        "Group-id for the address range from
3719                         start-address to end-address.";
3720                    }
3721                    leaf start-address {
3722                      type inet:ipv4-address;
3723                      description
3724                        "First address.";
3725                    }
3726                    leaf end-address {
3727                      type inet:ipv4-address;
3728                      description
3729                        "Last address.";
3730                    }
3731                    description
3732                      "Describes IP addresses allocated by DHCP.
3733                       When only start-address or only end-address
3734                       is present, it represents a single address.
3735                       When both start-address and end-address are
3736                       specified, it implies a range inclusive of both
3737                       addresses. If no address is specified, it implies
3738                       customer addresses group is not supported.";
3739                  }
3740                  description
3741                    "Container for customer addresses is allocated by
3742                     DHCP.";
3743                }
3744              }
3745              description
3746                "Choice for the way to assign addresses.";
3747            }
3748            description
3749              "DHCP allocated addresses related parameters.";
3750          }
3751          container dhcp-relay {
3752            when "derived-from-or-self(../address-allocation-type, "
3753               + "'l3vpn-ntw:provider-dhcp-relay')" {
3754              description
3755                "Only applies when provider is required to implement
3756                 DHCP relay function.";
3757            }
3758            leaf provider-address {
3759              type inet:ipv4-address;
3760              description
3761                "Address of provider side. If provider-address is not
3762                 specified, then prefix length should not be specified
3763                 either. It also implies provider-dhcp allocation is
3764                 not enabled. If provider-address is specified, then
3765                 prefix length may or may not be specified.";
3766            }
3767            leaf prefix-length {
3768              type uint8 {
3769                range "0..32";
3770              }
3771              must '(../provider-address)' {
3772                error-message
3773                  "If prefix length is specified, provider-address
3774                   must also be specified.";
3775                description
3776                  "If prefix length is specified, provider-address
3777                   must also be specified.";
3778              }
3779              description
3780                "Subnet prefix length expressed in bits. If not
3781                 specified, or specified as zero, this means the
3782                 customer leaves the actual prefix length value
3783                 to the provider.";
3784            }
3785            container customer-dhcp-servers {
3786              leaf-list server-ip-address {
3787                type inet:ipv4-address;
3788                description
3789                  "IP address of customer DHCP server.";
3790              }
3791              description
3792                "Container for list of customer DHCP servers.";
3793            }
3794            description
3795              "DHCP relay provided by operator.";
3796          }
3797          container static-addresses {
3798            when "derived-from-or-self(../address-allocation-type, "
3799               + "'l3vpn-ntw:static-address')" {
3800              description
3801                "Only applies when protocol allocation type is static.";
3802            }
3803            leaf primary-address {
3804              type leafref {
3805                path "/l3vpn-ntw/vpn-services/vpn-service/vpn-nodes/"
3806                   + "vpn-node/vpn-network-accesses/vpn-network-access/"
3807                   + "ip-connection/ipv4/static-addresses/address/"
3808                   + "address-id";
3809              }
3810              description
3811                "Principal address of the connection.";
3812            }
3813            list address {
3814              key "address-id";
3815              leaf address-id {
3816                type string;
3817                description
3818                  "IPv4 Address";
3819              }
3820              leaf provider-address {
3821                type inet:ipv4-address;
3822                description
3823                  "IPv4 Address List of the provider side.
3824                   When the protocol allocation type is static,
3825                   the provider address must be configured.";
3826              }
3827              leaf customer-address {
3828                type inet:ipv4-address;
3829                description
3830                  "IPv4 Address of customer side.";
3831              }
3832              leaf prefix-length {
3833                type uint8 {
3834                  range "0..32";
3835                }
3836                description
3837                  "Subnet prefix length expressed in bits.
3838                   It is applied to both provider-address
3839                   and customer-address.";
3840              }
3841              description
3842                "Describes IPv4 addresses used.";
3843            }
3844            description
3845              "Describes IPv4 addresses used.";
3846          }
3847          description
3848            "IPv4-specific parameters.";
3849        }
3850        container ipv6 {
3851          if-feature "l3vpn-svc:ipv6";
3852          leaf address-allocation-type {
3853            type identityref {
3854              base l3vpn-svc:address-allocation-type;
3855            }
3856            description
3857              "Defines how addresses are allocated.
3858               If there is no value for the address
3859               allocation type, then IPv6 is
3860               not enabled.";
3861          }
3862          container provider-dhcp {
3863            when "derived-from-or-self(../address-allocation-type, "
3864               + "'l3vpn-ntw:provider-dhcp') "
3865               + "or derived-from-or-self(../address-allocation-type, "
3866               + "'l3vpn-ntw:provider-dhcp-slaac')" {
3867              description
3868                "Only applies when addresses are allocated by DHCP.";
3869            }
3870            leaf provider-address {
3871              type inet:ipv6-address;
3872              description
3873                "Address of the provider side. If provider-address
3874                 is not specified, then prefix length should not be
3875                 specified either. It also implies provider-dhcp
3876                 allocation is not enabled. If provider-address is
3877                 specified, then prefix length may or may
3878                 not be specified.";
3879            }
3880            leaf prefix-length {
3881              type uint8 {
3882                range "0..128";
3883              }
3884              must '(../provider-address)' {
3885                error-message
3886                  "If prefix length is specified, provider-address
3887                   must also be specified.";
3888                description
3889                  "If prefix length is specified, provider-address
3890                   must also be specified.";
3891              }
3892              description
3893                "Subnet prefix length expressed in bits. If not
3894                 specified, or specified as zero, this means the
3895                 customer leaves the actual prefix length value
3896                 to the provider.";
3897            }
3898            choice address-assign {
3899              default "number";
3900              case number {
3901                leaf number-of-dynamic-address {
3902                  type uint16;
3903                  default "1";
3904                  description
3905                    "Describes the number of IP addresses the customer
3906                     requires.";
3907                }
3908              }
3909              case explicit {
3910                container customer-addresses {
3911                  list address-group {
3912                    key "group-id";
3913                    leaf group-id {
3914                      type string;
3915                      description
3916                        "Group-id for the address range from
3917                         start-address to end-address.";
3918                    }
3919                    leaf start-address {
3920                      type inet:ipv6-address;
3921                      description
3922                        "First address.";
3923                    }
3924                    leaf end-address {
3925                      type inet:ipv6-address;
3926                      description
3927                        "Last address.";
3928                    }
3929                    description
3930                      "Describes IP addresses allocated by DHCP.
3931                       When only start-address or only end-address
3932                       is present, it represents a single address.
3933                       When both start-address and end-address are
3934                       specified, it implies a range
3935                       inclusive of both addresses.
3936                       If no address is specified, it implies
3937                       customer addresses group is
3938                       not supported.";
3939                  }
3940                  description
3941                    "Container for customer addresses allocated
3942                     by DHCP.";
3943                }
3944              }
3945              description
3946                "Choice for the way to assign addresses.";
3947            }
3948            description
3949              "DHCP allocated addresses related parameters.";
3951          }
3952          container dhcp-relay {
3953            when "derived-from-or-self(../address-allocation-type, "
3954               + "'l3vpn-ntw:provider-dhcp-relay')" {
3955              description
3956                "Only applies when the provider is required
3957                 to implement DHCP relay function.";
3958            }
3959            leaf provider-address {
3960              type inet:ipv6-address;
3961              description
3962                "Address of the provider side. If provider-address
3963                 is not specified, then prefix length should not be
3964                 specified either. It also implies provider-dhcp
3965                 allocation is not enabled. If provider address
3966                 is specified, then prefix length may or may
3967                 not be specified.";
3968            }
3969            leaf prefix-length {
3970              type uint8 {
3971                range "0..128";
3972              }
3973              must '(../provider-address)' {
3974                error-message
3975                  "If prefix length is specified, provider-address
3976                   must also be specified.";
3977                description
3978                  "If prefix length is specified, provider-address
3979                   must also be specified.";
3980              }
3981              description
3982                "Subnet prefix length expressed in bits. If not
3983                 specified, or specified as zero, this means the
3984                 customer leaves the actual prefix length value
3985                 to the provider.";
3986            }
3987            container customer-dhcp-servers {
3988              leaf-list server-ip-address {
3989                type inet:ipv6-address;
3990                description
3991                  "This node contains the IP address of
3992                   the customer DHCP server. If the DHCP relay
3993                   function is implemented by the
3994                   provider, this node contains the
3995                   configured value.";
3996              }
3997              description
3998                "Container for list of customer DHCP servers.";
4000            }
4001            description
4002              "DHCP relay provided by operator.";
4003          }
4004          container static-addresses {
4005            when "derived-from-or-self(../address-allocation-type, "
4006               + "'l3vpn-ntw:static-address')" {
4007              description
4008                "Only applies when protocol allocation type is static.";
4009            }
4010            leaf primary-address {
4011              type leafref {
4012                path "/l3vpn-ntw/vpn-services/vpn-service/vpn-nodes/"
4013                   + "vpn-node/vpn-network-accesses/vpn-network-access/"
4014                   + "ip-connection/ipv6/static-addresses/address/"
4015                   + "address-id";
4016              }
4017              description
4018                "Principal address of the connection";
4019            }
4020            list address {
4021              key "address-id";
4022              leaf address-id {
4023                type string;
4024                description
4025                  "IPv4 Address";
4026              }
4027              leaf provider-address {
4028                type inet:ipv6-address;
4029                description
4030                  "IPv6 Address of the provider side. When the protocol
4031                   allocation type is static, the provider address
4032                   must be configured.";
4033              }
4034              leaf customer-address {
4035                type inet:ipv6-address;
4036                description
4037                  "The IPv6 Address of the customer side.";
4038              }
4039              leaf prefix-length {
4040                type uint8 {
4041                  range "0..128";
4042                }
4043                description
4044                  "Subnet prefix length expressed in bits.
4045                   It is applied to both provider-address and
4046                   customer-address.";
4047              }
4048              description
4049                "Describes IPv6 addresses used.";
4050            }
4051            description
4052              "IPv6-specific parameters.";
4053          }
4054          description
4055            "IPv6-specific parameters.";
4056        }
4057        container oam {
4058          container bfd {
4059            if-feature "l3vpn-svc:bfd";
4060            leaf enabled {
4061              type boolean;
4062              default "false";
4063              description
4064                "If true, BFD activation is required.";
4065            }
4066            choice holdtime {
4067              default "fixed";
4068              case fixed {
4069                leaf fixed-value {
4070                  type uint32;
4071                  units "msec";
4072                  description
4073                    "Expected BFD holdtime expressed in msec. The customer
4074                     may impose some fixed values for the holdtime period
4075                     if the provider allows the customer to use this function.
4076                     If the provider doesn't allow the customer to use this
4077                     function, the fixed-value will not be set.";
4078                }
4079              }
4080              case profile {
4081                leaf profile-name {
4082                  type leafref {
4083                    path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers/"
4084                       + "bfd-profile-identifier/id";
4085                  }
4086                  description
4087                    "Well-known SP profile name. The provider can propose
4088                     some profiles to the customer, depending on the service
4089                     level the customer wants to achieve. Profile names
4090                     must be communicated to the customer.";
4091                }
4092                description
4093                  "Well-known SP profile.";
4094              }
4095              description
4096                "Choice for holdtime flavor.";
4097            }
4098            description
4099              "Container for BFD.";
4100          }
4101          description
4102            "Defines the Operations, Administration, and Maintenance (OAM)
4103             mechanisms used on the connection. BFD is set as a fault
4104             detection mechanism, but the 'oam' container can easily
4105             be augmented by other mechanisms";
4106        }
4107        description
4108          "Defines connection parameters.";
4109      }
4110      description
4111        "This grouping defines IP connection parameters.";
4112    }

4114    grouping site-service-multicast {
4115      container multicast {
4116        if-feature "l3vpn-svc:multicast";
4117        leaf site-type {
4118          type enumeration {
4119            enum receiver-only {
4120              description
4121                "The site only has receivers.";
4122            }
4123            enum source-only {
4124              description
4125                "The site only has sources.";
4126            }
4127            enum source-receiver {
4128              description
4129                "The site has both sources and receivers.";
4130            }
4131          }
4132          default "source-receiver";
4133          description
4134            "Type of multicast site.";
4135        }
4136        container address-family {
4137          leaf ipv4 {
4138            if-feature "l3vpn-svc:ipv4";
4139            type boolean;
4140            default "false";
4141            description
4142              "Enables IPv4 multicast.";
4143          }
4144          leaf ipv6 {
4145            if-feature "l3vpn-svc:ipv6";
4146            type boolean;
4147            default "false";
4148            description
4149              "Enables IPv6 multicast.";
4150          }
4151          description
4152            "Defines protocol to carry multicast.";
4153        }
4154        leaf protocol-type {
4155          type enumeration {
4156            enum host {
4157              description
4158                "Hosts are directly connected to the provider network.
4159                 Host protocols such as IGMP or MLD are required.";
4160            }
4161            enum router {
4162              description
4163                "Hosts are behind a customer router.
4164                 PIM will be implemented.";
4165            }
4166            enum both {
4167              description
4168                "Some hosts are behind a customer router, and
4169                 some others are directly connected to the
4170                 provider network. Both host and routing protocols
4171                 must be used. Typically, IGMP and PIM will be
4172                 implemented.";
4173            }
4174          }
4175          default "both";
4176          description
4177            "Multicast protocol type to be used with the customer site.";
4178        }
4179        leaf remote-source {
4180          type boolean;
4181          default "false";
4182          description
4183            "When true, there is no PIM adjacency on the interface.";
4184        }
4185        description
4186          "Multicast parameters for the site.";
4187      }
4188      description
4189        "Multicast parameters for the site.";
4190    }
4191    grouping site-maximum-routes {
4192      container maximum-routes {
4193        list address-family {
4194          key "af";
4195          leaf af {
4196            type l3vpn-svc:address-family;
4197            description
4198              "Address family.";
4199          }
4200          leaf maximum-routes {
4201            type uint32;
4202            description
4203              "Maximum prefixes the VRF can accept
4204               for this address family.";
4205          }
4206          description
4207            "List of address families.";
4208        }
4209        description
4210          "Defines 'maximum-routes' for the VRF.";
4211      }
4212      description
4213        "Defines 'maximum-routes' for the site.";
4214    }

4216    grouping site-security {
4217      container security {
4218        uses site-security-authentication;
4219        uses site-security-encryption;
4220        description
4221          "Site-specific security parameters.";
4222      }
4223      description
4224        "Grouping for security parameters.";
4225    }

4227    grouping network-access-service {
4228      container service {
4229        uses site-service-basic;
4230        /* Extension */
4231        /* uses svc-bandwidth-params; */
4232        /* EoExt */
4233        uses site-service-qos-profile;
4234        uses site-service-mpls;
4235        uses site-service-multicast;
4236        description
4237          "Service parameters on the attachment.";
4238      }
4239      description
4240        "Grouping for service parameters.";
4241    }

4243    grouping vpn-extranet {
4244      container extranet-vpns {
4245        if-feature "l3vpn-svc:extranet-vpn";
4246        list extranet-vpn {
4247          key "vpn-id";
4248          leaf vpn-id {
4249            type l3vpn-svc:svc-id;
4250            description
4251              "Identifies the target VPN the local VPN wants to access.";
4252          }
4253          leaf local-sites-role {
4254            type identityref {
4255              base l3vpn-svc:site-role;
4256            }
4257            default "l3vpn-svc:any-to-any-role";
4258            description
4259              "This describes the role of the
4260               local sites in the target VPN topology. In the any-to-any VPN
4261               service topology, the local sites must have the same role, which
4262               will be 'any-to-any-role'. In the Hub-and-Spoke VPN service
4263               topology or the Hub-and-Spoke disjoint VPN service topology,
4264               the local sites must have a Hub role or a Spoke role.";
4265          }
4266          description
4267            "List of extranet VPNs or target VPNs the local VPN is
4268             attached to.";
4269        }
4270        description
4271          "Container for extranet VPN configuration.";
4272      }
4273      description
4274        "Grouping for extranet VPN configuration.
4275         This provides an easy way to interconnect
4276         all sites from two VPNs.";
4277    }

4279    grouping vpn-profile-cfg {
4280      container valid-provider-identifiers {
4281        list cloud-identifier {
4282          if-feature "l3vpn-svc:cloud-access";
4283          key "id";
4284          leaf id {
4285            type string;
4286            description
4287              "Identification of cloud service.
4288               Local administration meaning.";
4289          }
4290          description
4291            "List for Cloud Identifiers.";
4292        }
4293        list encryption-profile-identifier {
4294          key "id";
4295          leaf id {
4296            type string;
4297            description
4298              "Identification of the SP encryption profile
4299               to be used. Local administration meaning.";
4300          }
4301          description
4302            "List for encryption profile identifiers.";
4303        }
4304        list qos-profile-identifier {
4305          key "id";
4306          leaf id {
4307            type string;
4308            description
4309              "Identification of the QoS Profile to be used.
4310               Local administration meaning.";
4311          }
4312          description
4313            "List for QoS Profile Identifiers.";
4314        }
4315        list bfd-profile-identifier {
4316          key "id";
4317          leaf id {
4318            type string;
4319            description
4320              "Identification of the SP BFD Profile to be used.
4321 Local administration meaning."; 4322 } 4323 description 4324 "List for BFD Profile identifiers."; 4325 } 4326 list routing-profile-identifier { 4327 key "id"; 4328 leaf id { 4329 type string; 4330 description 4331 "Identification of the routing Profile to be used 4332 by the routing-protocols within sites, vpn- 4333 network-accesses or vpn-nodes for refering 4334 vrf-import/export policies. 4336 This identifier has a local meaning."; 4337 } 4338 description 4339 "List for Routing Profile Identifiers."; 4340 } 4341 nacm:default-deny-write; 4342 description 4343 "Container for Valid Provider Identifies."; 4344 } 4345 description 4346 "Grouping for VPN Profile configuration."; 4347 } 4349 grouping vpn-svc-cfg { 4350 leaf vpn-id { 4351 type l3vpn-svc:svc-id; 4352 description 4353 "VPN identifier. 4354 This identifier has a local meaning."; 4355 } 4356 leaf l3sm-vpn-id { 4357 type l3vpn-svc:svc-id; 4358 description 4359 "Pointer to the L3SM service."; 4360 } 4361 leaf customer-name { 4362 type string; 4363 description 4364 "Name of the customer that actually uses the VPN service. 
4365 In the case that any intermediary (e.g., Tier-2 provider 4366 or partner) sells the VPN service to their end user 4367 on behalf of the original service provider (e.g., Tier-1 4368 provider), the original service provider may require the 4369 customer name to provide smooth activation/commissioning 4370 and operation for the service."; 4371 } 4372 leaf vpn-service-topology { 4373 type identityref { 4374 base vpn-topology; 4375 } 4376 default "any-to-any"; 4377 description 4378 "VPN service topology."; 4379 } 4380 leaf description { 4381 type string; 4382 description 4383 "Textual description of a VPN service."; 4385 } 4386 uses ie-profiles-params; 4387 uses svc-transport-encapsulation; 4388 uses vpn-nodes-params; 4389 /* uses vpn-service-multicast; */ 4390 /* uses vpn-service-mpls; */ 4391 /* uses vpn-extranet;*/ 4392 description 4393 "Grouping for VPN service configuration."; 4394 } 4396 grouping site-network-access-top-level-cfg { 4397 uses status-params; 4398 leaf vpn-network-access-type { 4399 type identityref { 4400 base l3vpn-svc:site-network-access-type; 4401 } 4402 default "l3vpn-svc:point-to-point"; 4403 description 4404 "Describes the type of connection, e.g., 4405 point-to-point or multipoint."; 4406 } 4407 uses ethernet-params; 4408 uses site-attachment-ip-connection; 4409 uses site-security; 4410 uses site-routing; 4411 uses network-access-service; 4412 description 4413 "Grouping for site network access top-level configuration."; 4414 } 4416 /* Bearers in a site */ 4418 grouping site-bearer-params { 4419 container site-bearers { 4420 list bearer { 4421 key "bearer-id"; 4422 leaf bearer-id { 4423 type string; 4424 description 4425 ""; 4426 } 4427 leaf BearerType { 4428 type identityref { 4429 base bearer-inf-type; 4430 } 4431 description 4432 "Request for an Bearer access type. 
4434 Choose between port or lag connection type."; 4435 } 4436 leaf ne-id { 4437 type string; 4438 description 4439 "NE-id reference."; 4440 } 4441 leaf port-id { 4442 type string; 4443 description 4444 "Reference to the Port-id. 4445 The semantic of the Port-Id depends on the vendor's 4446 semantic. i.e ge-X/Y/Z , xe-X/Y/Z , et-X/Y/Z,AeXXX.YYY, 4447 aeXXX,GigabitEthernetX/Y/Z"; 4448 } 4449 leaf lag-id { 4450 type string; 4451 description 4452 "lag-id in format id."; 4453 } 4454 description 4455 "Parameters used to identify each bearer"; 4456 } 4457 description 4458 "Grouping to reuse the site bearer assigment"; 4459 } 4460 description 4461 "Grouping to reuse the site bearer assigment"; 4462 } 4464 /* UNUSED */ 4466 grouping svc-bandwidth-params { 4467 container svc-bandwidth { 4468 if-feature "input-bw"; 4469 list bandwidth { 4470 key "direction type"; 4471 leaf direction { 4472 type identityref { 4473 base bw-direction; 4474 } 4475 description 4476 "Indicates the bandwidth direction. It can be 4477 the bandwidth download direction from the SP to 4478 the site or the bandwidth upload direction from 4479 the site to the SP."; 4480 } 4481 leaf type { 4482 type identityref { 4483 base bw-type; 4484 } 4485 description 4486 "Bandwidth type. By default, the bandwidth type 4487 is set to 'bw-per-cos'."; 4488 } 4489 leaf cos-id { 4490 when "derived-from-or-self(../type, " 4491 + "'l3vpn-ntw:bw-per-cos')" { 4492 description 4493 "Relevant when the bandwidth type is set to 4494 'bw-per-cos'."; 4495 } 4496 type uint8; 4497 description 4498 "Identifier of the CoS, indicated by DSCP or a 4499 CE-VLAN CoS (802.1p) value in the service frame. 
4500 If the bandwidth type is set to 'bw-per-cos', 4501 the CoS ID MUST also be specified."; 4502 } 4503 leaf vpn-id { 4504 when "derived-from-or-self(../type, " 4505 + "'l3vpn-ntw:bw-per-svc')" { 4506 description 4507 "Relevant when the bandwidth type is 4508 set as bandwidth per VPN service."; 4509 } 4510 type l3vpn-svc:svc-id; 4511 description 4512 "Identifies the target VPN. If the bandwidth 4513 type is set as bandwidth per VPN service, the 4514 vpn-id MUST be specified."; 4515 } 4516 leaf cir { 4517 type uint64; 4518 units "bps"; 4519 mandatory true; 4520 description 4521 "Committed Information Rate. The maximum number 4522 of bits that a port can receive or send over 4523 an interface in one second."; 4524 } 4525 leaf cbs { 4526 type uint64; 4527 units "bps"; 4528 mandatory true; 4529 description 4530 "Committed Burst Size (CBS). Controls the bursty 4531 nature of the traffic. Traffic that does not 4532 use the configured Committed Information Rate 4533 (CIR) accumulates credits until the credits 4534 reach the configured CBS."; 4535 } 4536 leaf eir { 4537 type uint64; 4538 units "bps"; 4539 description 4540 "Excess Information Rate (EIR), i.e., excess frame 4541 delivery allowed that is not subject to an SLA. 4542 The traffic rate can be limited by the EIR."; 4543 } 4544 leaf ebs { 4545 type uint64; 4546 units "bps"; 4547 description 4548 "Excess Burst Size (EBS). The bandwidth available 4549 for burst traffic from the EBS is subject to the 4550 amount of bandwidth that is accumulated during 4551 periods when traffic allocated by the EIR 4552 policy is not used."; 4553 } 4554 leaf pir { 4555 type uint64; 4556 units "bps"; 4557 description 4558 "Peak Information Rate, i.e., maximum frame 4559 delivery allowed. It is equal to or less 4560 than the sum of the CIR and the EIR."; 4561 } 4562 leaf pbs { 4563 type uint64; 4564 units "bps"; 4565 description 4566 "Peak Burst Size. 
It is measured in bytes per 4567 second."; 4568 } 4569 description 4570 "List of bandwidth values (e.g., per CoS, 4571 per vpn-id)."; 4572 } 4573 description 4574 "From the customer site's perspective, the service 4575 input/output bandwidth of the connection or 4576 download/upload bandwidth from the SP/site 4577 to the site/SP."; 4579 } 4580 description 4581 " "; 4582 } 4584 grouping status-params { 4585 container status { 4586 leaf admin-enabled { 4587 type boolean; 4588 description 4589 "Administrative Status UP/DOWN"; 4590 } 4591 leaf oper-status { 4592 type operational-type; 4593 config false; 4594 description 4595 "Operations status"; 4596 } 4597 description 4598 ""; 4599 } 4600 description 4601 "Grouping used to join operational and administrative status 4602 is re used in the Site Network Acess and in the VPN-Node"; 4603 } 4605 /* Parameters related to vpn-nodes (VRF config.) */ 4607 grouping vpn-nodes-params { 4608 container vpn-nodes { 4609 description 4610 ""; 4611 list vpn-node { 4612 key "ne-id"; 4613 leaf vpn-node-id { 4614 type union { 4615 type l3vpn-svc:svc-id; 4616 type uint32; 4617 } 4618 description 4619 "Type STRING or NUMBER Serivice-Id"; 4620 } 4621 leaf local-autonomous-system { 4622 type inet:as-number; 4623 description 4624 "Provider AS number in case the customer 4625 requests BGP routing."; 4626 } 4627 leaf description { 4628 type string; 4629 description 4630 "Textual description of a VPN node."; 4631 } 4632 leaf ne-id { 4633 type string; 4634 description 4635 ""; 4636 } 4637 leaf router-id { 4638 type inet:ip-address; 4639 description 4640 "router-id information can be ipv4/6 addresses"; 4641 } 4642 leaf address-family { 4643 type l3vpn-svc:address-family; 4644 description 4645 "Address family used for router-id information."; 4646 } 4647 leaf node-role { 4648 type identityref { 4649 base l3vpn-svc:site-role; 4650 } 4651 default "l3vpn-svc:any-to-any-role"; 4652 description 4653 "Role of the vpn-node in the IP VPN."; 4654 } 4655 uses 
rt-rd; 4656 uses status-params; 4657 uses net-acc; 4658 uses site-maximum-routes; 4659 uses vpn-service-multicast; 4660 leaf node-ie-profile { 4661 type leafref { 4662 path "/l3vpn-ntw/vpn-services/" 4663 + "vpn-service/ie-profiles/ie-profile/ie-profile-id"; 4664 } 4665 description 4666 ""; 4667 } 4668 description 4669 ""; 4670 } 4671 } 4672 description 4673 "Grouping to define VRF-specific configuration."; 4674 } 4675 /* Parameters related to import and export profiles (RTs RDs.) */ 4677 grouping ie-profiles-params { 4678 container ie-profiles { 4679 list ie-profile { 4680 key "ie-profile-id"; 4681 leaf ie-profile-id { 4682 type string; 4683 description 4684 ""; 4685 } 4686 uses rt-rd; 4687 description 4688 ""; 4689 } 4690 description 4691 ""; 4692 } 4693 description 4694 "Grouping to specify rules for route import and export"; 4695 } 4697 grouping pseudowire-params { 4698 container pseudowire { 4699 /*leaf far-end {*/ 4700 /* description "IP of the remote peer of the pseudowire.";*/ 4701 /* type inet:ip-address;*/ 4702 /*}*/ 4703 leaf vcid { 4704 type uint32; 4705 description 4706 "PW or VC identifier."; 4707 } 4708 leaf far-end { 4709 type union { 4710 type uint32; 4711 type inet:ipv4-address; 4712 } 4713 description 4714 "SDP/Far End/LDP Neighbour reference."; 4715 } 4716 description 4717 "Pseudowire termination parameters"; 4718 } 4719 container vpls { 4720 leaf vcid { 4721 type union { 4722 type uint32; 4723 type string; 4724 } 4725 description 4726 "VCID identifier,IRB/RVPPLs interface 4727 supported using string 4728 format."; 4729 } 4730 leaf far-end { 4731 type union { 4732 type uint32; 4733 type inet:ipv4-address; 4734 } 4735 description 4736 "SDP/Far End/LDP Neighbour reference."; 4737 } 4738 description 4739 "Pseudowire termination parameters"; 4740 } 4741 description 4742 "Grouping pseudowire termination parameters"; 4743 } 4745 grouping security-params { 4746 container security { 4747 leaf auth-key { 4748 type string; 4749 description 4750 "MD5 
authentication password for the connection towards the 4751 customer edge."; 4752 } 4753 description 4754 "Container for aggregating any security parameter for routing 4755 sessions between a PE and a CE."; 4756 } 4757 description 4758 "Grouping to define security parameters"; 4759 } 4761 grouping ethernet-params { 4762 container connection { 4763 leaf encapsulation-type { 4764 type identityref { 4765 base encapsulation-type; 4766 } 4767 default "untagged-int"; 4768 description 4769 "Encapsulation type. By default, the 4770 encapsulation type is set to 'untagged'."; 4772 } 4773 container logical-interface { 4774 leaf peer-reference { 4775 type uint32; 4776 description 4777 "Specify the associated logical peer interface."; 4778 } 4779 description 4780 "Reference of a logical interface type."; 4781 } 4782 container tagged-interface { 4783 leaf type { 4784 type identityref { 4785 base tagged-inf-type; 4786 } 4787 default "priority-tagged"; 4788 description 4789 "Tagged interface type. By default, 4790 the type of the tagged interface is 4791 'priority-tagged'."; 4792 } 4793 container dot1q-vlan-tagged { 4794 when "derived-from-or-self(../type, " 4795 + "'l3vpn-ntw:dot1q')" { 4796 description 4797 "Only applies when the type of the tagged 4798 interface is 'dot1q'."; 4799 } 4800 if-feature "dot1q"; 4801 leaf tag-type { 4802 type identityref { 4803 base tag-type; 4804 } 4805 default "c-vlan"; 4806 description 4807 "Tag type. By default, the tag type is 4808 'c-vlan'."; 4809 } 4810 leaf cvlan-id { 4811 type uint16; 4812 description 4813 "VLAN identifier."; 4814 } 4815 description 4816 "Tagged interface."; 4817 } 4818 container priority-tagged { 4819 when "derived-from-or-self(../type, " 4820 + "'l3vpn-ntw:priority-tagged')" { 4821 description 4822 "Only applies when the type of the tagged 4823 interface is 'priority-tagged'."; 4824 } 4825 leaf tag-type { 4826 type identityref { 4827 base tag-type; 4828 } 4829 default "c-vlan"; 4830 description 4831 "Tag type. 
By default, the tag type is 4832 'c-vlan'."; 4833 } 4834 description 4835 "Priority tagged."; 4836 } 4837 container qinq { 4838 when "derived-from-or-self(../type, " 4839 + "'l3vpn-ntw:qinq')" { 4840 description 4841 "Only applies when the type of the tagged 4842 interface is 'qinq'."; 4843 } 4844 if-feature "qinq"; 4845 leaf tag-type { 4846 type identityref { 4847 base tag-type; 4848 } 4849 default "c-s-vlan"; 4850 description 4851 "Tag type. By default, the tag type is 4852 'c-s-vlan'."; 4853 } 4854 leaf svlan-id { 4855 type uint16; 4856 mandatory true; 4857 description 4858 "SVLAN identifier."; 4859 } 4860 leaf cvlan-id { 4861 type uint16; 4862 mandatory true; 4863 description 4864 "CVLAN identifier."; 4865 } 4866 description 4867 "QinQ."; 4869 } 4870 container qinany { 4871 when "derived-from-or-self(../type, " 4872 + "'l3vpn-ntw:qinany')" { 4873 description 4874 "Only applies when the type of the tagged 4875 interface is 'qinany'."; 4876 } 4877 if-feature "qinany"; 4878 leaf tag-type { 4879 type identityref { 4880 base tag-type; 4881 } 4882 default "s-vlan"; 4883 description 4884 "Tag type. By default, the tag type is 4885 's-vlan'."; 4886 } 4887 leaf svlan-id { 4888 type uint16; 4889 mandatory true; 4890 description 4891 "Service VLAN ID."; 4892 } 4893 description 4894 "Container for QinAny."; 4895 } 4896 container vxlan { 4897 when "derived-from-or-self(../type, " 4898 + "'l3vpn-ntw:vxlan')" { 4899 description 4900 "Only applies when the type of the tagged 4901 interface is 'vxlan'."; 4902 } 4903 if-feature "vxlan"; 4904 leaf vni-id { 4905 type uint32; 4906 mandatory true; 4907 description 4908 "VXLAN Network Identifier (VNI)."; 4909 } 4910 leaf peer-mode { 4911 type identityref { 4912 base vxlan-peer-mode; 4913 } 4914 default "static-mode"; 4915 description 4916 "Specifies the VXLAN access mode. 
By default, 4917 the peer mode is set to 'static-mode'."; 4918 } 4919 list peer-list { 4920 key "peer-ip"; 4921 leaf peer-ip { 4922 type inet:ip-address; 4923 description 4924 "Peer IP."; 4925 } 4926 description 4927 "List of peer IP addresses."; 4928 } 4929 description 4930 "QinQ."; 4931 } 4932 description 4933 "Container for tagged interfaces."; 4934 } 4935 container bearer { 4936 leaf bearer-reference { 4937 if-feature "l3vpn-svc:bearer-reference"; 4938 type string; 4939 description 4940 "This is an internal reference for the SP."; 4941 } 4942 uses pseudowire-params; 4943 description 4944 "Defines physical properties of a site attachment."; 4945 } 4946 description 4947 "Encapsulation types"; 4948 } 4949 description 4950 "Grouping to define encapsulation types"; 4951 } 4953 grouping rt-rd { 4954 leaf rd { 4955 type rt-types:route-distinguisher; 4956 description 4957 ""; 4958 } 4959 container vpn-targets { 4960 description 4961 "Set of route-targets to match for import and export routes 4962 to/from VRF"; 4963 //uses rt-types:vpn-route-targets; 4964 uses vpn-route-targets; 4966 } 4967 description 4968 ""; 4969 } 4971 grouping vpn-route-targets { 4972 description 4973 "A grouping that specifies Route Target import-export rules 4974 used in a BGP-enabled VPN."; 4975 list vpn-target { 4976 key "id"; 4977 leaf id { 4978 type int8; 4979 description 4980 "Identifies each VPN Target"; 4981 } 4982 list route-targets { 4983 key "route-target"; 4984 leaf route-target { 4985 type rt-types:route-target; 4986 description 4987 "Route Target value"; 4988 } 4989 description 4990 "List of Route Targets."; 4991 } 4992 leaf route-target-type { 4993 type rt-types:route-target-type; 4994 mandatory true; 4995 description 4996 "Import/export type of the Route Target."; 4997 } 4998 description 4999 "l3vpn route targets. 
AND/OR Operations are available 5000 based on the RTs assigment"; 5001 } 5002 reference 5003 "RFC4364: BGP/MPLS IP Virtual Private Networks (VPNs) 5004 RFC4664: Framework for Layer 2 Virtual Private Networks 5005 (L2VPNs)"; 5006 container vpn-policies { 5007 description 5008 ""; 5009 leaf import-policy { 5010 type leafref { 5011 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers/" 5012 + "routing-profile-identifier/id"; 5013 } 5014 description 5015 "Reference to a VRF import policy."; 5016 } 5017 leaf export-policy { 5018 type leafref { 5019 path "/l3vpn-ntw/vpn-profiles/valid-provider-identifiers/" 5020 + "routing-profile-identifier/id"; 5021 } 5022 description 5023 "Reference to a VRF export policy."; 5024 } 5025 } 5026 } 5028 grouping net-acc { 5029 container vpn-network-accesses { 5030 list vpn-network-access { 5031 key "id"; 5032 leaf id { 5033 type l3vpn-svc:svc-id; 5034 description 5035 "Identifier for the access."; 5036 } 5037 leaf port-id { 5038 type l3vpn-svc:svc-id; 5039 description 5040 "Identifier for the network access."; 5041 } 5042 leaf description { 5043 type string; 5044 description 5045 "Textual description of a VPN service."; 5046 } 5047 uses site-network-access-top-level-cfg; 5048 description 5049 "List of accesses for a site."; 5050 } 5051 description 5052 "List of accesses for a site."; 5053 } 5054 description 5055 "Main block of the Network Access."; 5056 } 5058 /* Main Blocks */ 5060 container l3vpn-ntw { 5061 container vpn-profiles { 5062 uses vpn-profile-cfg; 5063 description 5064 "Container for VPN Profiles."; 5065 } 5066 container vpn-services { 5067 list vpn-service { 5068 key "vpn-id"; 5069 uses service-status; 5070 uses vpn-svc-cfg; 5071 description 5072 "List of VPN services."; 5073 } 5074 description 5075 "Top-level container for the VPN services."; 5076 } 5077 description 5078 "Main container for L3VPN service configuration."; 5079 } 5080 } 5081 5083 Figure 24 5085 11. 
IANA Considerations

5087     This document requests IANA to register the following URI in the "ns"
5088     subregistry within the "IETF XML Registry" [RFC3688]:

5090        URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw

5092        Registrant Contact: The IESG.

5094        XML: N/A; the requested URI is an XML namespace.

5096     This document requests IANA to register the following YANG module in
5097     the "YANG Module Names" subregistry [RFC6020] within the "YANG
5098     Parameters" registry.

5100        name: ietf-l3vpn-ntw

5102        namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw

5104        maintained by IANA: N

5106        prefix: l3nm

5108        reference: RFC XXXX

5110  12.  Security Considerations

5112     The YANG module specified in this document defines a schema for data
5113     that is designed to be accessed via network management protocols such
5114     as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
5115     is the secure transport layer, and the mandatory-to-implement secure
5116     transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
5117     is HTTPS, and the mandatory-to-implement secure transport is TLS
5118     [RFC8466].

5120     The Network Configuration Access Control Model (NACM) [RFC8341]
5121     provides the means to restrict access for particular NETCONF or
5122     RESTCONF users to a preconfigured subset of all available NETCONF or
5123     RESTCONF protocol operations and content.

5125     The ietf-l3vpn-ntw module is used to manage L3 VPNs in a service
5126     provider backbone network. Hence, the module can be used to request,
5127     modify, or retrieve L3VPN services. For example, the creation of a
5128     vpn-service leaf instance triggers the creation of an L3 VPN Service
5129     in a Service Provider Network.

5131     Due to the foreseen use of the YANG module, there are a number of
5132     data nodes defined in this YANG module that are writable/creatable/
5133     deletable (i.e., config true, which is the default). These data
5134     nodes MAY be considered sensitive or vulnerable in some network
5135     environments.
Write operations (e.g., edit-config) and delete
5136     operations to these data nodes without proper protection or
5137     authentication can have a negative effect on network operations.
5138     These are the subtrees and data nodes and their sensitivity/
5139     vulnerability in the ietf-l3vpn-ntw module:

5141     o  vpn-service: An attacker who is able to access network nodes can
5142        undertake various attacks, such as deleting a running L3 VPN
5143        Service, interrupting all the traffic of a client. In addition,
5144        an attacker may modify the attributes of a running service (e.g.,
5145        QoS, bandwidth, routing protocols), leading to malfunctioning of
5146        the service and therefore to SLA violations. In addition, an
5147        attacker could attempt to create an L3 VPN Service. Such activity
5148        can be detected by monitoring and tracking network configuration
5149        changes.

5151     o  COMPLETE rest of critical data nodes and subtrees

5153     Some of the readable data nodes in this YANG module may be considered
5154     sensitive or vulnerable in some network environments. It is thus
5155     important to control read access (e.g., via get, get-config, or
5156     notification) to these data nodes. These are the subtrees and data
5157     nodes and their sensitivity/vulnerability:

5159     o  customer-name and ip-connection: An attacker can retrieve privacy-
5160        related information which can be used to track a customer.
5161        Disclosing such information may be considered as a violation of
5162        the customer-provider trust relationship.

5164     Summing up, the foreseen risks of using the l3vpn-ntw module can be
5165     classified into:

5167     o  Malicious clients attempting to delete or modify services

5169     o  Unauthorized clients attempting to create/modify/delete a service

5171     o  Unauthorized clients attempting to read service information

5173  13.  Acknowledgements

5175     Thanks to Adrian Farrel and Miguel Cros for the suggestions on the
5176     document. Thanks to Philip Eardley for the review.
Lots of thanks
5177     for the discussions on opsawg mailing list and at IETF meeting.

5179     This work was supported in part by the European Commission funded
5180     H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727).

5182  14.  Contributors

5184     Victor Lopez
5185     Telefonica
5186     Email: victor.lopezalvarez@telefonica.com

5188     Daniel King
5189     Old Dog Consulting
5190     Email: daniel@olddog.co.uk

5192     Daniel Voyer
5193     Bell Canada
5194     Email: daniel.voyer@bell.ca

5196     Luay Jalil
5197     Verizon
5198     Email: luay.jalil@verizon.com

5200     Qin Wu
5201     Huawei
5202     Email: bill.wu@huawei.com

5204     Stephane Litkowski
5205     Cisco
5206     Email: slitkows@cisco.com

5207     Manuel Julian
5208     Vodafone
5209     Email: manuel-julian.lopez@vodafone.com

5211     Lucia Oliva Ballega
5212     Telefonica
5213     Email: lucia.olivaballega.ext@telefonica.com

5215     Erez Segev
5216     ECI Telecom
5217     Email: erez.segev@ecitele.com

5219  15.  References

5221  15.1.  Normative References

5223     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
5224                Requirement Levels", BCP 14, RFC 2119,
5225                DOI 10.17487/RFC2119, March 1997.

5228     [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
5229                DOI 10.17487/RFC3688, January 2004.

5232     [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
5233                the Network Configuration Protocol (NETCONF)", RFC 6020,
5234                DOI 10.17487/RFC6020, October 2010.

5237     [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
5238                and A. Bierman, Ed., "Network Configuration Protocol
5239                (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

5242     [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
5243                Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

5246     [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
5247                RFC 7950, DOI 10.17487/RFC7950, August 2016.

5250     [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
5251                Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
5254     [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
5255                2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
5256                May 2017.

5258     [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
5259                Access Control Model", STD 91, RFC 8341,
5260                DOI 10.17487/RFC8341, March 2018.

5263     [RFC8466]  Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
5264                Data Model for Layer 2 Virtual Private Network (L2VPN)
5265                Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
5266                2018.

5268  15.2.  Informative References

5270     [I-D.evenwu-opsawg-yang-composed-vpn]
5271                Even, R., Bo, W., Wu, Q., and Y. Cheng, "YANG Data Model
5272                for Composed VPN Service Delivery", draft-evenwu-opsawg-
5273                yang-composed-vpn-03 (work in progress), March 2019.

5275     [I-D.ietf-idr-bgp-model]
5276                Jethanandani, M., Patel, K., Hares, S., and J. Haas, "BGP
5277                YANG Model for Service Provider Networks", draft-ietf-idr-
5278                bgp-model-08 (work in progress), February 2020.

5280     [I-D.ietf-rtgwg-qos-model]
5281                Choudhary, A., Jethanandani, M., Strahle, N., Aries, E.,
5282                and I. Chen, "YANG Model for QoS", draft-ietf-rtgwg-qos-
5283                model-00 (work in progress), October 2019.

5285     [I-D.liu-pim-yang]
5286                Liu, Y., Guo, F., and M. Sivakumar, "YANG Data Model for
5287                PIM", draft-liu-pim-yang-01 (work in progress), March
5288                2015.

5290     [RFC4026]  Andersson, L. and T. Madsen, "Provider Provisioned Virtual
5291                Private Network (VPN) Terminology", RFC 4026,
5292                DOI 10.17487/RFC4026, March 2005.

5295     [RFC4176]  El Mghazli, Y., Ed., Nadeau, T., Boucadair, M., Chan, K.,
5296                and A. Gonguet, "Framework for Layer 3 Virtual Private
5297                Networks (L3VPN) Operations and Management", RFC 4176,
5298                DOI 10.17487/RFC4176, October 2005.

5301     [RFC8299]  Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
5302                "YANG Data Model for L3VPN Service Delivery", RFC 8299,
5303                DOI 10.17487/RFC8299, January 2018.

5306     [RFC8309]  Wu, Q., Liu, W., and A.
Farrel, "Service Models
5307                Explained", RFC 8309, DOI 10.17487/RFC8309, January 2018.

5310     [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
5311                BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

5314     [RFC8345]  Clemm, A., Medved, J., Varga, R., Bahadur, N.,
5315                Ananthakrishnan, H., and X. Liu, "A YANG Data Model for
5316                Network Topologies", RFC 8345, DOI 10.17487/RFC8345, March
5317                2018.

5319     [RFC8349]  Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for
5320                Routing Management (NMDA Version)", RFC 8349,
5321                DOI 10.17487/RFC8349, March 2018.

5324     [RFC8453]  Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for
5325                Abstraction and Control of TE Networks (ACTN)", RFC 8453,
5326                DOI 10.17487/RFC8453, August 2018.

5329     [RFC8512]  Boucadair, M., Ed., Sivakumar, S., Jacquenet, C.,
5330                Vinapamula, S., and Q. Wu, "A YANG Module for Network
5331                Address Translation (NAT) and Network Prefix Translation
5332                (NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019.

5335     [RFC8519]  Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
5336                "YANG Data Model for Network Access Control Lists (ACLs)",
5337                RFC 8519, DOI 10.17487/RFC8519, March 2019.

5340  Appendix A.  Implementation Status

5342  A.1.  Nokia Implementation

5344     Nokia has a draft implementation of the IETF L3NM model.

5346     The implementation is a prototype and is currently being planned for
5347     production.

5349     Nokia NSP (Network Services Platform) supports integration of
5350     standard models with the Intent Manager framework. NSP platform
5351     provides hot pluggable model definitions and implementations which
5352     would enable defining models where standardization is in progress or
5353     non-existent. With pluggable architecture for model and
5354     implementation injections, NSP also serves as a Multi-Layer, Multi-
5355     Domain controller.
5357     The Nokia implementation of L3NM covers the following:

5359     a) RESTCONF support

5361     b) Configuration of L3 IP VPN Services. Create/Get/Query/Delete
5362        supported on the following operations.

5364        * Site

5366        * Site-Bearer

5368        * VpnService

5370        * IEProfile

5372        * VpnNode

5374        * Site Network Access

5376        * Site Attachments

5378     c) Supports translations to the Device Model (Standard /
5379        Proprietary)

5381     draft-ietf-opsawg-l3sm-l3nm-00

5383     The current implementation is proprietary, so there are no terms under
5384     which the current implementation can be used.

5386     Contact information: Sriram Krishnamurthy
5387     (sriram.krishnamurthy@nokia.com)

5389  A.2.  Huawei Implementation

5391     The organization responsible for the implementation, if any.

5393     Huawei Technologies Co., Ltd.

5395     The implementation's name and/or a link to a web page where the
5396     implementation or a description of it can be found.

5398     NCE V1R19C00

5400     A brief general description.

5402     This section provides an implementation report summary for Layer 3
5403     VPN Network Model. Layer 3 VPN Network Model is available at:
5404     https://tools.ietf.org/html/draft-ietf-opsawg-l3sm-l3nm-00

5406     The implementation's level of maturity: research, prototype, alpha,
5407     beta, production, widely used, etc.

5409     Right now, the data model is still subject to change, therefore it is
5410     still a Prototype, not put into production yet.

5412     Coverage: which parts of the protocol specification are implemented.

5414     We have implemented a pruned L3NM model with the following parameters

5416  module: ietf-l3vpn-ntw
5417    +--rw l3vpn-ntw
5418       +--rw vpn-profiles
5419       |  +--rw valid-provider-identifiers
5420       |     +--rw qos-profile-identifier* [id]
5421       |     |  +--rw id    string
5422       +--rw vpn-services
5423       |  +--rw vpn-service* [vpn-id]
5424       |     +--rw vpn-id                  svc-id
5425       |     +--rw vpn-service-topology?   identityref
5426       |     +--rw description?
string 5427 | +--rw vpn-nodes 5428 | | +--rw vpn-node* [vpn-node-id ne-id] 5429 | | +--rw vpn-node-id string 5430 | | +--rw description? string 5431 | | +--rw ne-id string 5432 | | +--rw node-role? identityref 5433 | | +--rw rd? rt-types:route-distinguisher 5434 | | +--rw vpn-targets 5435 | | +--rw maximum-routes 5436 | | | +--rw address-family* [af] 5437 | | | +--rw af address-family 5438 | | | +--rw maximum-routes? uint32 5439 +--rw sites 5440 +--rw site* [site-id] 5441 +--rw site-id svc-id 5442 +--rw locations 5443 | +--rw location* [location-id] 5444 | +--rw location-id svc-id 5445 +--rw site-bearers 5446 | +--rw bearer* [bearer-id] 5447 | +--rw bearer-id string 5448 | +--rw ne-id? string 5449 | +--rw port-id? string 5450 +--rw site-network-accesses 5451 +--rw site-network-access* [site-network-access-id] 5452 +--rw site-network-access-id svc-id 5453 +--rw site-network-access-type? ref 5454 +--rw bearer 5455 | +--rw bearer-reference? {bearer-reference}? 5456 | +--rw connection 5457 | | +--rw encapsulation-type? identityref 5458 | | +--rw tagged-interface 5459 | | +--rw type? identityref 5460 | | +--rw dot1q-vlan-tagged {dot1q}? 5461 | | | +--rw cvlan-id uint16 5462 | | +--rw qinq {qinq}? 5463 | | | +--rw svlan-id uint16 5464 | | | +--rw cvlan-id uint16 5465 +--rw ip-connection 5466 | +--rw ipv4 {ipv4}? 5467 | | +--rw dhcp-relay 5468 | | | +--rw customer-dhcp-servers 5469 | | | +--rw server-ip-address* inet 5470 | | +--rw addresses 5471 | | +--rw provider-address? inet:ipv4-address 5472 | | +--rw customer-address? inet:ipv4-address 5473 | | +--rw prefix-length? uint8 5474 +--rw service 5475 | +--rw qos {qos}? 5476 | | +--rw qos-profile 5477 | | +--rw (qos-profile)? 5478 | | +--:(standard) 5479 | | | +--rw profile? leafreaf 5480 +--rw routing-protocols 5481 | +--rw routing-protocol* [type] 5482 | +--rw type identityref 5483 | +--rw ospf {rtg-ospf}? 5484 | | +--rw address-family* address-family 5485 | | +--rw area-address yang:dotted-quad 5486 | | +--rw metric? 
uint16 5487 | | +--rw security 5488 | | | +--rw auth-key? string 5489 | +--rw bgp {rtg-bgp}? 5490 | | +--rw autonomous-system uint32 5491 | | +--rw address-family* address-family 5492 | | +--rw neighbor? inet:ip-address 5493 | | +--rw multihop? uint8 5494 | | +--rw security 5495 | | +--rw auth-key? string 5496 | +--rw static 5497 | | +--rw cascaded-lan-prefixes 5498 | | +--rw ipv4-lan-prefixes* {ipv4}? 5499 | | | +--rw lan inet:ipv4-prefix 5500 | | | +--rw lan-tag? string 5501 | | | +--rw next-hop inet:ipv4-address 5502 +--rw node-id? leafreaf 5503 +--rw service-id? leafreaf 5504 +--rw access-group-id? yang:uuid 5506 Figure 25 5508 Use Cases we have implemented include: 5510 (a).Create VPN 5512 (b).Create Site 5514 (c).Create/add bearers to an existing Site 5516 (d).Create/Include Site Network Access into VPN nodes. 5518 Version compatibility: what version/versions of the Internet-Draft 5519 are known to be implemented. 5521 draft-ietf-opsawg-l3sm-l3nm-00 5523 Licensing: the terms under which the implementation can be used. For 5524 example: proprietary, royalty licensing, freely distributable with 5525 acknowledgement (BSD style), freely distributable with requirement to 5526 redistribute source (General Public License (GPL) style), and other 5527 (specify). 5529 Not available yet. 5531 Implementation experience: any useful information the implementers 5532 want to share with the community. 5534 Contact information: ideally a person's name and email address, but 5535 possibly just a URL or mailing list. 5537 Qin Wu (bill.wu@huawei.com) 5539 The date when information about this particular implementation was 5540 last updated. 5542 2019-09-30 5544 List other implementations that have been tested for 5545 interoperability. 5547 Nokia 5549 A.3. Infinera Implementation 5551 Infinera has a draft implementation of the IETF L3NM model. 
The
5552     implementation is in beta state and is currently being tested and
5553     integrated with other suppliers' controllers supporting this same
5554     model. Infinera is supporting the L3NM model in its Transcend
5555     Maestro Multi-layer, Multi-domain Controller.

5557     The Infinera implementation of L3NM covers discovery and
5558     configuration of IP VPN services, and is supporting both North-Bound
5559     (server) and South-Bound (client) functionality. Versions 01 and 02
5560     of the model are supported.

5562     The current implementation is proprietary, so there are no terms under
5563     which the current implementation can be used.

5565     Contact information: Janne Karvonen (JKarvonen@infinera.com)

5567     26 October is the date when information about this particular
5568     implementation was last updated.

5570  Authors' Addresses

5572     Samier Barguil
5573     Telefonica
5574     Madrid
5575     ES

5577     Email: samier.barguilgiraldo.ext@telefonica.com

5579     Oscar Gonzalez de Dios (editor)
5580     Telefonica
5581     Madrid
5582     ES

5584     Email: oscar.gonzalezdedios@telefonica.com

5585     Mohamed Boucadair
5586     Orange
5587     FR

5589     Email: mohamed.boucadair@orange.com

5591     Luis Angel Munoz
5592     Vodafone
5593     ES

5595     Email: luis-angel.munoz@vodafone.com

5597     Alejandro Aguado
5598     Nokia
5599     Madrid
5600     ES

5602     Email: alejandro.aguado_martin@nokia.com
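
The Security Considerations (Section 12) state that deletion, modification or unwanted creation of a vpn-service can be detected by monitoring and tracking network configuration changes. The following is an added example, not part of the draft or of any implementation it describes: it audits a captured NETCONF `<edit-config>` request against the ietf-l3vpn-ntw namespace from Section 11. The sample RPC, the inventory of known vpn-ids, the severity labels and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
L3NM = "urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw"  # URI from Section 11
OP_ATTR = f"{{{NC}}}operation"
VPN_SERVICE = f"{{{L3NM}}}vpn-service"
PARENTS = {f"{{{L3NM}}}l3vpn-ntw", f"{{{L3NM}}}vpn-services"}
REMOVES = {"delete", "remove"}

# Constructed sample request (not taken from the draft).
SAMPLE_RPC = """\
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <l3vpn-ntw xmlns="urn:ietf:params:xml:ns:yang:ietf-l3vpn-ntw">
        <vpn-services>
          <vpn-service nc:operation="delete">
            <vpn-id>vpn-blue</vpn-id>
          </vpn-service>
          <vpn-service>
            <vpn-id>vpn-rogue</vpn-id>
            <customer-name>example-customer</customer-name>
          </vpn-service>
          <vpn-service>
            <vpn-id>vpn-red</vpn-id>
            <vpn-nodes>
              <vpn-node nc:operation="remove"><ne-id>pe1</ne-id></vpn-node>
            </vpn-nodes>
          </vpn-service>
        </vpn-services>
      </l3vpn-ntw>
    </config>
  </edit-config>
</rpc>
"""


def _walk(elem, inherited, vpn_id, known, out):
    """Depth-first walk; the NETCONF operation attribute is inherited by children."""
    explicit = elem.get(OP_ATTR)
    op = explicit or inherited
    node = elem.tag.rsplit("}", 1)[-1]

    def report(severity, target, detail):
        out.append({"severity": severity, "operation": op,
                    "vpn-id": target, "node": node, "detail": detail})

    if elem.tag in PARENTS and explicit in REMOVES | {"replace"}:
        # Acting on a parent container affects every service beneath it.
        report("high", "*", "operation on a parent container hits all services")
    elif elem.tag == VPN_SERVICE:
        vpn_id = (elem.findtext(f"{{{L3NM}}}vpn-id") or "").strip()
        if op in REMOVES:
            report("high", vpn_id, "running service removed")
        elif op == "create" or (op != "none" and vpn_id not in known):
            report("high", vpn_id, "service creation requested")
        elif op == "replace":
            report("medium", vpn_id, "whole service entry overwritten")
        elif op != "none":
            report("low", vpn_id, "attributes of a known service modified")
    elif vpn_id is not None and explicit and explicit != inherited:
        # e.g. one vpn-node removed inside an otherwise harmless merge
        report("high" if op in REMOVES else "medium", vpn_id,
               "nested node overrides the inherited operation")
    for child in elem:
        _walk(child, op, vpn_id, known, out)


def audit_edit_config(rpc_xml, known_vpn_ids):
    """Return one finding per vpn-service (or nested override) in the request."""
    if "<!DOCTYPE" in rpc_xml:
        # RFC 6241 forbids document type declarations in NETCONF content;
        # refusing them also keeps entity-expansion payloads out of the parser.
        raise ValueError("DOCTYPE not allowed in NETCONF content")
    findings = []
    known = set(known_vpn_ids)
    for edit in ET.fromstring(rpc_xml).iter(f"{{{NC}}}edit-config"):
        default_op = (edit.findtext(f"{{{NC}}}default-operation") or "merge").strip()
        config = edit.find(f"{{{NC}}}config")
        for top in (config if config is not None else []):
            _walk(top, default_op, None, known, findings)
    return findings


if __name__ == "__main__":
    for f in audit_edit_config(SAMPLE_RPC, {"vpn-blue", "vpn-red"}):
        print(f"{f['severity']:6} {f['operation']:8} {f['vpn-id']:10} "
              f"{f['node']:12} {f['detail']}")
```

Read access to leaves such as customer-name is not visible in `<edit-config>` traffic; that risk is handled by NACM read rules [RFC8341], not by this check.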