2 Operations and Management Area Working Group Q. Sun 3 Internet-Draft H. Xu 4 Intended status: Standards Track China Telecom 5 Expires: September 11, 2019 B. Wu 6 Q. Wu 7 Huawei 8 March 10, 2019 10 A YANG Data Model for SD-WAN VPN Service Delivery 11 draft-sun-opsawg-sdwan-service-model-02 13 Abstract 15 This document provides a YANG data model for SD-WAN VPN service.
An 16 SD-WAN VPN service is a service offered by a Service Provider network 17 to provide overlay connectivity between different locations of a 18 customer network or between a customer network and an external 19 network, such as the Internet or a Private Cloud network. The model can be 20 utilized by a service orchestrator of a Service Provider to initiate 21 a connectivity request. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 11, 2019. 40 Copyright Notice 42 Copyright (c) 2019 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.2. Definitions . . . . . . . . . . . . .
. . . . . . . . . . 3 60 2. High Level Overview of SD-WAN VPN Service . . . . . . . . . . 4 61 3. Service Data Model Usage . . . . . . . . . . . . . . . . . . 6 62 4. Design of the Data Model . . . . . . . . . . . . . . . . . . 7 63 4.1. SD-WAN VPN . . . . . . . . . . . . . . . . . . . . . . . 8 64 4.1.1. VPN Endpoint . . . . . . . . . . . . . . . . . . . . 8 65 4.1.2. Application Classification and Policy Map . . . . . . 8 66 4.2. Site . . . . . . . . . . . . . . . . . . . . . . . . . . 10 67 5. Modules Tree Structure . . . . . . . . . . . . . . . . . . . 10 68 6. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 14 69 7. Security Considerations . . . . . . . . . . . . . . . . . . . 40 70 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 71 9. Appendix 1: MEF SD-WAN Service Attributes Terminology Mapping 41 72 10. Appendix 2: Site Augmentation and Policy Augmentation . . . . 41 73 10.1. Site Augmentation . . . . . . . . . . . . . . . . . . . 41 74 10.2. Path Selection Policy Augmentation . . . . . . . . . . . 42 75 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 42 76 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 42 77 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 78 13.1. Normative References . . . . . . . . . . . . . . . . . . 43 79 13.2. Informative References . . . . . . . . . . . . . . . . . 43 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 82 1. Introduction 84 By comparison with the conventional PE-based VPN services defined in 85 [RFC8299] (L3VPN) and [RFC8466] (L2VPN), the SD-WAN VPN is a type of CE-based VPN 86 which uses the Internet or a PE-based VPN as the underlay connectivity 87 service. SD-WAN uses an overlay-based approach to provide the 88 flexibility of adding, removing, or moving services without 89 dependence on the underlay network.
91 Besides being a CE-based overlay service, an SD-WAN VPN Service has 92 the following characteristics: 94 o Hybrid WAN accesses: The CE could connect to a variety of Internet 95 access types, including fiber, cable, DSL-based, WiFi, or 4G/Long Term 96 Evolution (LTE) access, which implies wider reachability and 97 shorter provisioning cycles. It can also use private VPN 98 connectivity defined in [RFC4364] or [RFC4664] to take advantage 99 of better performance. 101 o Policy based traffic forwarding: SD-WAN VPN can provide optimized 102 forwarding at network scope and deploy services as needed. 103 Specifically, it can apply policies to prioritize traffic for 104 diverse applications used in enterprises, such as VoIP calling, 105 videoconferencing, streaming media etc., depending on different 106 business needs. 108 o Centralized service management and orchestration: The CE router is 109 usually managed by the provider; in addition, the SP allows 110 customers to access the CE for configuration/monitoring purposes, 111 so a portal can enable the customer to modify the SD-WAN VPN 112 service, such as configuring application policies or adding a new 113 site. 115 This draft specifies the SD-WAN VPN service YANG model, which is 116 modeled from a customer perspective and has been aligned with the 117 objects identified in the MEF SD-WAN service attributes draft document 118 [MEF70]. The model parameters can be used as an input to automated 119 control and configuration applications to manage SD-WAN VPN services. 121 1.1. Terminology 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in RFC2119 [RFC2119]. 127 1.2. Definitions 129 CE Device: Customer Edge Device, as per Provider Provisioned VPN 130 Terminology [RFC4026].
132 PE Device: Provider Edge Device, as per Provider Provisioned VPN 133 Terminology [RFC4026] 135 CE-based VPN: Refers to Provider Provisioned VPN Terminology 136 [RFC4026] 138 PE-Based VPNs: Refers to Provider Provisioned VPN Terminology 139 [RFC4026] 141 SD-WAN: An automated, programmatic approach to managing enterprise 142 network connectivity and circuit usage. It extends software-defined 143 networking (SDN) into an application that businesses can use to 144 quickly create a smart "hybrid WAN", a WAN that comprises business- 145 grade IP VPN, broadband Internet, and wireless services. SD-WAN is 146 also deemed an extended CE-based VPN. 148 Underlay network: The network that provides the connectivity among 149 SD-WAN VPN sites and over which the customer network packets are tunneled. 150 The underlay network does not need to be aware that it is 151 carrying overlay customer network packets. Addresses on the underlay 152 network appear as "outer addresses" in encapsulated overlay packets. 153 In general, the underlay network can use a completely different 154 protocol (and address family) from that of the overlay network. 156 Overlay network: A virtual network in which the separation of 157 customer networks is hidden from the underlying physical 158 infrastructure. That is, the underlying transport network does not 159 need to know about customer separation to correctly forward traffic. 160 IPsec tunnels [RFC6071] are an example of an L3 overlay network. 162 2. High Level Overview of SD-WAN VPN Service 164 From a customer perspective, an example of an SD-WAN VPN network is 165 shown in figure 1.
167 +-------------+ 168 +------------+ | +---+ | 169 | Controller +----+ | |CN | | Legend:Customer Network 170 +------------+ | | +---+ | 171 | | | site3| 172 | | +--+--+ | 173 +--|---|CE 4 | | 174 | | +--+--+ | 175 | +-------------+ 176 | | 177 +------------------- ----+ 178 | ----- | 179 +---------------+ / MPLS \ +-----------------+ 180 | | | | WAN |__| | | 181 | | | /\ /\ \ +--+--+ | 182 | | | / +-----+ \ |\|CE 1 +-+ | 183 | +---+ +----++|/ \|/+--+--+ | +---+| 184 | |CN +--+ CE 3|| \ +--+CN || 185 | +---+ +-----+| ------ /|\+--+--+ | +---+| 186 | | |\ /Internet\ / |/|CE 2 +-+ | 187 | | | --| WAN |__/ +--+--+ | 188 | site 2| | \ / | site 1 | 189 +---------------+ ------ +-----------------+ 190 | | 191 | +-------------+ 192 | | +----+ | 193 +----|---+ CE5| | 194 | +----+ | 195 |site 4| | 196 | | | 197 | +---+ | 198 | |CN | | 199 | +---+ | 200 +-------------+ 202 figure 1 204 As shown in figure 1, the SD-WAN network is composed of a set of 205 sites, which are connected through the Internet or an MPLS VPN. 207 Within each site, a CE is connected with the customer's network on one 208 side, and is also connected to the Internet or a private WAN or both on the 209 other side. The customer networks could be L2 or L3 networks. On 210 the WAN side, the Internet provides ubiquitous IP connectivity via access 211 networks like Broadband access or LTE access, while the MPLS WAN, like a 212 conventional VPN, provides committed connectivity with traffic separation (an MPLS VPN isolates customers from each other but does not by itself encrypt their traffic) while 213 attached. The demarcation point (i.e., UNI) between the customer and 214 the SP is placed between the customer nodes and the CE device. 216 Additionally, a site could deploy one or more CEs to improve 217 availability. 219 The establishment of the SD-WAN VPN is done at each CE device, with 220 various IP tunneling options (e.g., Generic Routing Encapsulation 221 (GRE) [RFC2784] and IPsec [RFC6071]); the specific 222 definition is out of scope of this document.
Either the Internet or the 223 private WAN is regarded as the underlay of the tunnels; the 224 communication between the Customer Networks of the four sites, known as 225 the overlay network, is agnostic of the underlying network 226 infrastructure within the SP. 228 Besides connectivity between the sites, a subset of the sites could 229 also provide direct Internet connectivity, cloud network connectivity 230 or conventional MPLS VPN connectivity. 232 3. Service Data Model Usage 234 The SD-WAN VPN service model provides an abstracted interface to 235 request, configure, and manage the components of an SD-WAN VPN 236 service. The model is used by a customer to request connectivity and 237 other services from an SP. 239 A typical usage for this model is as an input to an orchestration 240 layer that is responsible for service management. The Metro Ethernet 241 Forum (MEF) [MEF55] has developed the LSO (Lifecycle Service 242 Orchestration) Reference Architecture and Framework to 243 automate network management and operations for service providers; the 244 SP's SOF (Service Orchestration Functionality) is used for 245 orchestrating/automating the lifecycle of end-to-end services. The 246 SD-WAN Managed service is one of the services that LSO will support.
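As an added example, not code from the draft or from any MEF or IETF implementation: the request a customer service requester might hand to the orchestration layer, written as an RFC 7951 JSON instance of the ietf-sdwan-vpn-svc module (node names follow the tree in Section 5; all identifiers, prefixes and port numbers are made up), together with the checks the orchestrator should run before it pushes anything to the SD-WAN controller: list keys are unique, every leafref (site-id, app-id, app-group-id, policy-id) resolves, and the provider's reserved management prefixes do not overlap the customer LAN prefixes declared under the sites, as Section 4.1 requires. Writing the identityref values with the module-name prefix is an assumption about how the instance is encoded.

```python
# Added example, not part of the draft: a constructed instance of the
# ietf-sdwan-vpn-svc model (Section 5 tree) and the consistency checks an
# orchestrator should run before handing it to the SD-WAN controller.
import copy
import ipaddress

MODULE = "ietf-sdwan-vpn-svc"  # module name, used as the RFC 7951 JSON prefix

SAMPLE_REQUEST = {  # all identifiers, prefixes and ports below are made up
    f"{MODULE}:sdwan-vpn-svc": {
        "vpn-services": {"vpn-service": [{
            "vpn-id": "vpn-1",
            "reserved-prefixes": {"prefix": ["10.255.0.0/24"]},  # SP management use
            "applications": {"application": [
                {"app-id": "voip", "ac": [{"name": "sip", "match-flow": {
                    "l4-dst-port": 5060, "protocol-field": f"{MODULE}:udp"}}]},
                {"app-id": "web", "ac": [{"name": "https", "match-flow": {
                    "l4-dst-port": 443, "protocol-field": f"{MODULE}:tcp"}}]},
            ]},
            "application-group": [{"app-group-id": "realtime", "app-id": ["voip"]}],
            "policy": [
                {"policy-id": "encrypted", "criterias": [{"pc-name": "enc", "enable": True}]},
                {"policy-id": "local-breakout", "criterias": [{"pc-name": "ia",
                    "internet-policy": {"local-breakout": True, "alter-route": False}}]},
            ],
            "app-group-policy-map": {"mapping": [
                {"app-group-id": "realtime", "policy-id": "encrypted"}]},
            "endpoints": [{
                "endpoint-id": "ep-site1",
                "site-attachment": {"site-id": "site1"},
                # an explicit per-application policy supersedes the group policy
                "endpoint-policy-map": {"app-policy": [
                    {"app-id": "web", "policy-id": "local-breakout"}]},
            }],
        }]},
        "sites": {"site": [{
            "site-id": "site1", "device-type": "physical",
            "lan-access": [{"name": "lan1", "ip-connection": {
                "ipv4": {"static": {"primary-subnet": {"ip-prefix": "10.1.0.0/24"}}},
                "ipv6": {"static": {"subnet": [{"ip-prefix": "2001:db8:1::/64"}]}},
            }}],
        }]},
    },
}

def _collect(node, key):
    # yield every value stored under `key` anywhere below `node`
    if isinstance(node, dict):
        for k, v in node.items():
            yield from ([v] if k == key else _collect(v, key))
    elif isinstance(node, list):
        for item in node:
            yield from _collect(item, key)

def _keys(entries, key, where, problems):
    # return the list keys, reporting duplicates (YANG list keys must be unique)
    seen = set()
    for value in (e.get(key) for e in entries):
        if value in seen:
            problems.append(f"{where}: duplicate {key} {value!r}")
        seen.add(value)
    return seen

def _ref(value, defined, what, where, problems):
    # report a leafref that does not resolve; None means the optional leaf is absent
    if value is not None and value not in defined:
        problems.append(f"{where}: {what} {value!r} is not defined")

def validate_request(doc):
    """Return the problems found; an empty list means the request is consistent."""
    problems = []
    top = doc[f"{MODULE}:sdwan-vpn-svc"]
    sites = top.get("sites", {}).get("site", [])
    site_ids = _keys(sites, "site-id", "sites", problems)
    lan_prefixes = [ipaddress.ip_network(p, strict=False)  # customer LAN prefixes, v4 and v6
                    for s in sites for p in _collect(s.get("lan-access", []), "ip-prefix")]
    for vpn in top.get("vpn-services", {}).get("vpn-service", []):
        where = f"vpn-service {vpn.get('vpn-id')!r}"
        app_ids = _keys(vpn.get("applications", {}).get("application", []), "app-id", where, problems)
        group_ids = _keys(vpn.get("application-group", []), "app-group-id", where, problems)
        policy_ids = _keys(vpn.get("policy", []), "policy-id", where, problems)
        for m in vpn.get("app-group-policy-map", {}).get("mapping", []):
            _ref(m.get("app-group-id"), group_ids, "app-group-id", f"{where} app-group-policy-map", problems)
            _ref(m.get("policy-id"), policy_ids, "policy-id", f"{where} app-group-policy-map", problems)
        for ep in vpn.get("endpoints", []):
            ep_where = f"{where} endpoint {ep.get('endpoint-id')!r}"
            _ref(ep.get("site-attachment", {}).get("site-id"), site_ids, "site-id", ep_where, problems)
            for ap in ep.get("endpoint-policy-map", {}).get("app-policy", []):
                _ref(ap.get("app-id"), app_ids, "app-id", ep_where, problems)
                _ref(ap.get("policy-id"), policy_ids, "policy-id", ep_where, problems)
        for p in vpn.get("reserved-prefixes", {}).get("prefix", []):  # Section 4.1: no overlap
            reserved = ipaddress.ip_network(p, strict=False)
            for lan in lan_prefixes:
                if reserved.version == lan.version and reserved.overlaps(lan):
                    problems.append(f"{where}: reserved prefix {reserved} overlaps customer LAN {lan}")
    return problems

def broken_request():
    # constructed negative case: a dangling policy-id and a colliding reserved prefix
    doc = copy.deepcopy(SAMPLE_REQUEST)
    vpn = doc[f"{MODULE}:sdwan-vpn-svc"]["vpn-services"]["vpn-service"][0]
    vpn["endpoints"][0]["endpoint-policy-map"]["app-policy"][0]["policy-id"] = "no-such-policy"
    vpn["reserved-prefixes"]["prefix"].append("10.1.0.0/16")
    return doc
```

validate_request(SAMPLE_REQUEST) returns an empty list; validate_request(broken_request()) returns the two failures the orchestrator should reject before provisioning. Both matter operationally: a dangling policy-id silently leaves an application without the policy the customer asked for, and a management prefix that overlaps a customer LAN makes the provider's diagnostics traffic collide with customer addresses, which is exactly what the reserved-prefixes agreement in Section 4.1 exists to prevent.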
248 ---------------------------- 249 | Customer Service Requester | 250 ---------------------------- 251 | 252 SD-WAN | 253 Service | 254 Model | 255 | 256 ----------------------- 257 | Service Orchestration | 258 -----------+----------- 259 | 260 | 261 ----------------------- 262 | SD-WAN Controller | 263 -+-------------------+- 264 | | 265 | | 266 ------------------+-------------------+-------------------------- 268 /---\ 269 / \ 270 ++++++++ | MPLS | ++++++++ 271 + CE A + \ VPN/ + CE B + 272 ++++++++ \---/ ++++++++ 273 /---\ 274 Site A / \ Site B 275 |Internet 276 \ / 277 \---/ 279 Reference Architecture for SD-WAN Service Model Usage 281 For an SD-WAN VPN to be established under the SP's control, the 282 customer informs the Service Provider of which sites should become 283 part of the requested VPN and what types of services the VPN will 284 provide. The SP then configures and updates the service based on 285 the service model and the available resources derived from the SD-WAN 286 controller, and then provisions and manages the customer's VPN 287 through the SD-WAN controller. How the SD-WAN controller controls 288 and manages the CEs is out of scope of this document. 290 4. Design of the Data Model 292 The elements of the SD-WAN VPN YANG model in this document have been 293 aligned with the objects identified in the MEF SD-WAN service attributes 294 [MEF70], but with IETF-compliant terminology. The SD-WAN VPN 295 Services are specified by three major nodes: 297 1. vpn: Each list node represents an end-to-end connection between 298 two or more customer locations, which is an association of vpn- 299 endpoints that reference site nodes. 301 2. sites: This list indicates the sites, in different geographic locations of 302 a customer network, that join the SD-WAN VPN service. 305 3. vpn-endpoint: The endpoint list is under the vpn list and 306 carries the per-site policy parameters pertaining to the VPN. 308 4.1.
SD-WAN VPN 310 The "vpn-service" list item contains service parameters that apply to an 311 SD-WAN VPN, which is further specified by the following ones: 313 o The "vpn-id" leaf is under the vpn-service list, which refers to 314 an internal reference for this VPN service. 316 o The "performance-objective" container refers to the performance- 317 related properties of an SD-WAN VPN that can be measured. System 318 uptime is currently the only performance objective; it 319 indicates the proportion of time, during a given time period, that 320 the service is working from the customer perspective. Three 321 parameters are defined: the start time of the 322 evaluation, the time interval of the evaluation, and the service 323 uptime expressed as a percentage. 325 o The "reserved-prefixes" container refers to the IP prefixes that need 326 to be agreed for Service Provider management purposes, such as 327 diagnostics, so as to ensure they do not overlap with the IP 328 prefixes used by the customer network. 330 4.1.1. VPN Endpoint 332 The SD-WAN VPN End Point is the logical point associated with a 333 particular site. The two main functions of the endpoint are: 335 o The association of a VPN with a Site. 337 o Per-site application-based policy can be enforced. 339 4.1.2. Application Classification and Policy Map 341 The model defines the following components to describe 342 application-based policy. 344 o "application" (application flow): an ordered list of match criteria for IP packets from or to 345 the site. Three parameters are further specified: the 346 application ID, the application criteria list and the application 347 group. 349 * "app-id": is under the "application" list, which refers 350 to an internal reference for this application.
352 * "ac" (application criteria): is under the "application" list, which 353 describes a set of characteristics of the packet stream that 354 can be identified at the site, including standard layer 2 and 355 layer 3 fields such as addresses, ports, and protocols. 357 o "application-group": "app-group-id" refers to an internal 358 reference for this application group, which describes an 359 application category, e.g. VoIP, email, games etc. 361 o "policy": is a rule list. At present, path selection policy, QoS 362 bandwidth policy and Internet local break-out policy have been 363 defined. A policy can be assigned to an application group or an 364 application. 366 * path selection policies: primary-backup, billing-method and 367 encryption policies can be applied to the application. 369 * The "internet-breakout" policy ("internet-policy" container) describes the Internet access option, which 370 includes local break-out for Internet access or an alternative 371 route for the traffic. 373 * The "bandwidth" policy container is used to describe 374 parameters to guarantee bandwidth for specific traffic flowing 375 through a VPN connection. It has two categories of parameters: 376 traffic rate limits (committed and maximum) and the time for evaluation. 378 o "app-group-policy-map": the list specifies the mapping of 379 application group names and their associated policy names. The 380 policy assignment to an application group serves two purposes: first, 381 a policy can be applied to all members of the application 382 group; second, it allows applications in the group to share 383 bandwidth resources. 385 o "endpoint-policy-map": the policy assignment is under the "endpoints" 386 list, which specifies the mapping of application names and their 387 associated policy names. Each application can have an 388 explicit policy assignment that supersedes the group policy. 390 4.2. Site 392 A site represents a customer office located at a specific location.
393 The "sites" container specifies three main parameters: 395 o "site-id": uniquely identifies the site within the overall network 396 infrastructure. 397 o "device-type": specifies whether the site device is physical or virtual. 398 o "lan-access": specifies the customer network access link 399 parameters. A "site" is composed of at least one "lan-access" 400 and, in the case of multihoming, may have multiple links. 402 +---------------------------------+ 403 | site | 404 | | | | | | 405 | | | | | | 406 | LAN1 LAN2 LAN3 LAN4 | 407 | +--------+ +--------+ | 408 | | | | | | 409 | |Device 1| |Device 2| | 410 | +--------+ +--------+ | 411 +---------------------------------+ 413 figure 3 415 The "lan-access" consists of the following categories of parameters: 417 o "l2-technology": defines requirements of the attachment below Layer 3: the Layer 2 type and whether the interface is untagged (speed, negotiation mode) or tagged (tag type and customer VLAN ID). 423 o "ip-connection": defines the Layer 3 parameters of the attachment, 424 including IPv4 connection parameters and IPv6 connection 425 parameters respectively. 427 5. Modules Tree Structure 429 This document defines the sd-wan-vpn YANG data model. 431 module: ietf-sdwan-vpn-svc 432 +--rw sdwan-vpn-svc 433 +--rw vpn-services 434 | +--rw vpn-service* [vpn-id] 435 | +--rw vpn-id svc-id 436 | +--rw performance-objective 437 | | +--rw start-time? yang:date-and-time 438 | | +--rw duration? string 439 | | +--rw uptime-objective 440 | | +--rw duration? decimal64 441 | +--rw reserved-prefixes 442 | | +--rw prefix* inet:ip-prefix 443 | +--rw applications 444 | | +--rw application* [app-id] 445 | | +--rw app-id svc-id 446 | | +--rw ac* [name] 447 | | +--rw name string 448 | | +--rw (match-type)? 449 | | +--:(match-flow) 450 | | | +--rw match-flow 451 | | | +--rw ethertype? uint16 452 | | | +--rw cvlan? uint8 453 | | | +--rw ipv4-src-prefix? 454 | | | | inet:ipv4-prefix 455 | | | +--rw ipv4-dst-prefix? 456 | | | | inet:ipv4-prefix 457 | | | +--rw l4-src-port?
458 | | | | inet:port-number 459 | | | +--rw l4-dst-port? 460 | | | | inet:port-number 461 | | | +--rw ipv6-src-prefix? 462 | | | | inet:ipv6-prefix 463 | | | +--rw ipv6-dst-prefix? 464 | | | | inet:ipv6-prefix 465 | | | +--rw protocol-field? union 466 | | +--:(match-application) 467 | | +--rw match-application? identityref 468 | +--rw application-group* [app-group-id] 469 | | +--rw app-group-id svc-id 470 | | +--rw app-id* 471 | | -> ../../applications/application/app-id 472 | +--rw policy* [policy-id] 473 | | +--rw policy-id svc-id 474 | | +--rw direction? enumeration 475 | | +--rw criterias* [pc-name] 476 | | +--rw pc-name string 477 | | +--rw (policy-type)? 478 | | +--:(encryption) 479 | | | +--rw enable? boolean 480 | | +--:(public-private) 481 | | | +--rw underlay-values? enumeration 482 | | +--:(internet-breakout) 483 | | | +--rw internet-policy 484 | | | +--rw local-breakout? boolean 485 | | | +--rw alter-route? boolean 486 | | +--:(billing-method) 487 | | | +--rw billing-values? enumeration 488 | | +--:(primary-backup) 489 | | | +--rw path-values 490 | | | +--rw overlay-values? enumeration 491 | | | +--rw sla-values 492 | | | +--rw latency? uint32 493 | | | +--rw jitter? uint32 494 | | | +--rw packet-loss-rate? uint32 495 | | +--:(bandwidth) 496 | | +--rw bandwith-values 497 | | +--rw commit? uint32 498 | | +--rw max? uint32 499 | | +--rw time? uint32 500 | +--rw app-group-policy-map 501 | | +--rw mapping* [app-group-id] 502 | | +--rw app-group-id 503 | | | -> ../../../application-group/app-group-id 504 | | +--rw policy-id? -> ../../../policy/policy-id 505 | +--rw endpoints* [endpoint-id] 506 | +--rw endpoint-id svc-id 507 | +--rw site-attachment 508 | | +--rw site-id? 509 | | -> /sdwan-vpn-svc/sites/site/site-id 510 | +--rw endpoint-policy-map 511 | +--rw app-policy* [app-id] 512 | +--rw app-id leafref 513 | +--rw policy-id? leafref 514 +--rw sites 515 +--rw site* [site-id] 516 +--rw site-id svc-id 517 +--rw device-type? 
device-type 518 +--rw lan-access* [name] 519 +--rw name string 520 +--rw l2-technology 521 | +--rw l2-type? identityref 522 | +--rw untagged-interface 523 | | +--rw speed? uint32 524 | | +--rw mode? neg-mode 525 | +--rw tagged-interface 526 | +--rw type? identityref 527 | +--rw dot1q-vlan-tagged 528 | +--rw tg-type? identityref 529 | +--rw cvlan-id uint16 530 +--rw ip-connection 531 +--rw ipv4 532 | +--rw address-allocation-type? identityref 533 | +--rw dhcp 534 | | +--rw primary-subnet 535 | | | +--rw ip-prefix? 536 | | | | inet:ipv4-prefix 537 | | | +--rw default-router? inet:ip-address 538 | | | +--rw provider-addresses* 539 | | | | inet:ipv4-address 540 | | | +--rw subscriber-address? inet:ip-address 541 | | | +--rw reserved-ip-prefix* inet:ip-prefix 542 | | +--rw secondary-subnet* [ip-prefix] 543 | | +--rw ip-prefix 544 | | | inet:ipv4-prefix 545 | | +--rw provider-addresses* 546 | | | inet:ipv4-address 547 | | +--rw reserved-ip-prefix* 548 | | inet:ipv4-prefix 549 | +--rw static 550 | +--rw primary-subnet 551 | | +--rw ip-prefix? 552 | | | inet:ipv4-prefix 553 | | +--rw default-router? inet:ip-address 554 | | +--rw provider-addresses* 555 | | | inet:ipv4-address 556 | | +--rw subscriber-address? inet:ip-address 557 | | +--rw reserved-ip-prefix* inet:ip-prefix 558 | +--rw secondary-subnet* [ip-prefix] 559 | +--rw ip-prefix 560 | | inet:ipv4-prefix 561 | +--rw provider-addresses* 562 | | inet:ipv4-address 563 | +--rw reserved-ip-prefix* 564 | inet:ipv4-prefix 565 +--rw ipv6 566 +--rw address-allocation-type? 
identityref 567 +--rw dhcp 568 | +--rw subnet* [ip-prefix] 569 | +--rw ip-prefix 570 | | inet:ipv6-prefix 571 | +--rw provider-addresses* 572 | | inet:ipv6-address 573 | +--rw reserved-ip-prefix* 574 | inet:ipv6-prefix 575 +--rw slaac 576 | +--rw subnet* [ip-prefix] 577 | +--rw ip-prefix 578 | | inet:ipv6-prefix 579 | +--rw provider-addresses* 580 | | inet:ipv6-address 581 | +--rw reserved-ip-prefix* 582 | inet:ipv6-prefix 583 +--rw static 584 +--rw subnet* [ip-prefix] 585 | +--rw ip-prefix 586 | | inet:ipv6-prefix 587 | +--rw provider-addresses* 588 | | inet:ipv6-address 589 | +--rw reserved-ip-prefix* 590 | inet:ipv6-prefix 591 +--rw subscriber-address? inet:ipv6-address 593 6. YANG Modules 595 file "ietf-sdwan-vpn-svc@2019-03-10.yang" 597 module ietf-sdwan-vpn-svc { 598 yang-version 1.1; 599 namespace "urn:ietf:params:xml:ns:yang:ietf-sdwan-vpn-svc"; 600 prefix sdwan-vpn-svc; 602 import ietf-inet-types { 603 prefix inet; 604 } 605 import ietf-yang-types { 606 prefix yang; 607 } 609 organization 610 "IETF foo Working Group."; 611 contact 612 "WG List: foo@ietf.org 613 Editor: "; 614 description 615 "The YANG module defines a generic service configuration 616 model for SD-WAN VPN."; 618 revision 2019-03-10 { 619 description 620 "Initial revision"; 621 reference "A YANG Data Model for SD-WAN VPN."; 622 } 624 typedef svc-id { 625 type string; 626 description 627 "Type definition for service identifier"; 628 } 629 typedef address-family { 630 type enumeration { 631 enum ipv4 { 632 description 633 "IPv4 address family."; 634 } 635 enum ipv6 { 636 description 637 "IPv6 address family."; 638 } 639 } 640 description 641 "Defines a type for the address family."; 642 } 644 typedef neg-mode { 645 type enumeration { 646 enum full-duplex { 647 description 648 "Defining Full duplex mode"; 649 } 650 enum auto-neg { 651 description 652 "Defining Auto negotiation mode"; 653 } 654 } 655 description 656 "Defining a type of the negotiation mode"; 657 } 659 typedef device-type { 660
type enumeration { 661 enum physical { 662 description 663 "Physical device"; 664 } 665 enum virtual { 666 description 667 "Virtual device"; 668 } 669 } 670 description 671 "Defines device types."; 672 } 674 identity customer-application { 675 description 676 "Base identity for customer application."; 678 } 680 identity web { 681 base customer-application; 682 description 683 "Identity for Web application (e.g., HTTP, HTTPS)."; 684 } 686 identity mail { 687 base customer-application; 688 description 689 "Identity for mail application."; 690 } 692 identity file-transfer { 693 base customer-application; 694 description 695 "Identity for file transfer application (e.g., FTP, SFTP)."; 696 } 698 identity database { 699 base customer-application; 700 description 701 "Identity for database application."; 702 } 704 identity social { 705 base customer-application; 706 description 707 "Identity for social-network application."; 708 } 710 identity games { 711 base customer-application; 712 description 713 "Identity for gaming application."; 714 } 716 identity p2p { 717 base customer-application; 718 description 719 "Identity for peer-to-peer application."; 720 } 722 identity network-management { 723 base customer-application; 724 description 725 "Identity for management application 726 (e.g., Telnet, syslog, SNMP)."; 727 } 729 identity voice { 730 base customer-application; 731 description 732 "Identity for voice application."; 733 } 735 identity video { 736 base customer-application; 737 description 738 "Identity for video conference application."; 739 } 741 identity eth-inf-type { 742 description 743 "Identity of the Ethernet interface type."; 744 } 746 identity tagged { 747 base eth-inf-type; 748 description 749 "Identity of the tagged interface type."; 750 } 752 identity untagged { 753 base eth-inf-type; 754 description 755 "Identity of the untagged interface type."; 756 } 758 identity lag { 759 base eth-inf-type; 760 description 761 "Identity of the LAG interface type."; 
762 } 764 identity tag-type { 765 description 766 "Base identity from which all tag types 767 are derived from"; 768 } 770 identity c-vlan { 771 base tag-type; 772 description 773 "A Customer-VLAN tag, normally using the 0x8100 774 Ethertype"; 775 } 777 identity s-vlan { 778 base tag-type; 779 description 780 "A Service-VLAN tag."; 781 } 783 identity c-s-vlan { 784 base tag-type; 785 description 786 "Using both Customer-VLAN tag and Service-VLAN tag."; 787 } 789 identity tagged-inf-type { 790 description 791 "Identity for the tagged 792 interface type."; 793 } 795 identity qinq { 796 base tagged-inf-type; 797 description 798 "Identity for the qinq tagged interface."; 799 } 801 identity dot1q { 802 base tagged-inf-type; 803 description 804 "Identity for dot1q vlan tagged interface."; 805 } 807 identity vpn-topology { 808 description 809 "Base identity for vpn topology."; 810 } 812 identity any-to-any { 813 base vpn-topology; 814 description 815 "Identity for any-to-any VPN topology."; 816 } 818 identity hub-spoke { 819 base vpn-topology; 820 description 821 "Identity for Hub-and-Spoke VPN topology."; 823 } 825 identity site-role { 826 description 827 "Site Role in a VPN topology "; 828 } 830 identity any-to-any-role { 831 base site-role; 832 description 833 "Site in an any-to-any IP VPN."; 834 } 836 identity hub { 837 base site-role; 838 description 839 "Hub Role in Hub-and-Spoke IP VPN."; 840 } 842 identity spoke { 843 base site-role; 844 description 845 "Spoke Role in Hub-and-Spoke IP VPN."; 846 } 848 identity access-type { 849 description 850 "Access type of a site in a connection to a customer network or 851 WAN network"; 852 } 854 identity ge { 855 base access-type; 856 description 857 "GE"; 858 } 860 identity ef { 861 base access-type; 862 description 863 "EF"; 864 } 866 identity xge { 867 base access-type; 868 description 869 "XGE"; 870 } 871 identity lte { 872 base access-type; 873 description 874 "LTE"; 875 } 877 identity xdsl-atm { 878 base access-type; 
       description
         "xDSL(ATM)";
     }

     identity xdsl-ptm {
       base access-type;
       description
         "xDSL(PTM)";
     }

     identity routing-protocol-type {
       description
         "Base identity for routing protocol type.";
     }

     identity ospf {
       base routing-protocol-type;
       description
         "Identity for OSPF protocol type.";
     }

     identity bgp {
       base routing-protocol-type;
       description
         "Identity for BGP protocol type.";
     }

     identity static {
       base routing-protocol-type;
       description
         "Identity for static routing protocol type.";
     }

     identity address-allocation-type {
       description
         "Base identity for address-allocation-type for PE-CE link.";
     }

     identity dhcp {
       base address-allocation-type;
       description
         "Provider network provides DHCP service to customer.";
     }

     identity static-address {
       base address-allocation-type;
       description
         "Provider-to-customer addressing is static.";
     }

     identity slaac {
       base address-allocation-type;
       description
         "Use IPv6 SLAAC.";
     }

     identity ll-only {
       base address-allocation-type;
       description
         "Use IPv6 Link Local.";
     }

     identity traffic-direction {
       description
         "Base identity for traffic direction";
     }

     identity inbound {
       base traffic-direction;
       description
         "Identity for inbound";
     }

     identity outbound {
       base traffic-direction;
       description
         "Identity for outbound";
     }

     identity both {
       base traffic-direction;
       description
         "Identity for both";
     }

     identity traffic-action {
       description
         "Base identity for traffic action";
     }

     identity permit {
       base traffic-action;
       description
         "Identity for permit action";
     }

     identity deny {
       base traffic-action;
       description
         "Identity for deny action";
     }

     identity bd-limit-type {
       description
         "Base identity for bandwidth limit type";
     }

     identity percent {
       base bd-limit-type;
       description
         "Identity for percent";
     }

     identity value {
       base bd-limit-type;
       description
         "Identity for value";
     }

     identity protocol-type {
       description
         "Base identity for protocol field type.";
     }

     identity tcp {
       base protocol-type;
       description
         "TCP protocol type.";
     }

     identity udp {
       base protocol-type;
       description
         "UDP protocol type.";
     }

     identity icmp {
       base protocol-type;
       description
         "ICMP protocol type.";
     }

     identity icmp6 {
       base protocol-type;
       description
         "ICMPv6 protocol type.";
     }

     identity gre {
       base protocol-type;
       description
         "GRE protocol type.";
     }

     identity ipip {
       base protocol-type;
       description
         "IP-in-IP protocol type.";
     }

     identity hop-by-hop {
       base protocol-type;
       description
         "Hop-by-Hop IPv6 header type.";
     }

     identity routing {
       base protocol-type;
       description
         "Routing IPv6 header type.";
     }

     identity esp {
       base protocol-type;
       description
         "ESP header type.";
     }

     identity ah {
       base protocol-type;
       description
         "AH header type.";
     }

     grouping vpn-endpoint {
       leaf endpoint-id {
         type svc-id;
         description
           "Identity for the vpn endpoint";
       }
       container site-attachment {
         leaf site-id {
           type leafref {
             path "/sdwan-vpn-svc/sites/site/site-id";
           }
           description
             "Defines site id attached.";
         }
         description
           "Defines site attachment to a vpn endpoint.";
       }
       container endpoint-policy-map {
         list app-policy {
           key "app-id";
           leaf app-id {
             type leafref {
               path "/sdwan-vpn-svc/vpn-services/vpn-service/applications/application/app-id";
             }
             description
               "Identity for application";
           }
           leaf policy-id {
             type leafref {
               path "/sdwan-vpn-svc/vpn-services/vpn-service/policy/policy-id";
             }
             description
               "Reference to the policy applied to the application";
           }
           description
             "list for application policy";
         }
         description
           "Identity for policy maps";
       }
       description
         "grouping for vpn endpoint";
     }

     grouping flow-definition {
       container match-flow {
         leaf ethertype {
           type uint16;
           description
             "Ethertype value, e.g. 0800 for IPv4.";
         }
         leaf cvlan {
           type uint8 {
             range "0..7";
           }
           description
             "802.1Q matching.";
         }
         leaf ipv4-src-prefix {
           type inet:ipv4-prefix;
           description
             "Match on IPv4 src address.";
         }
         leaf ipv4-dst-prefix {
           type inet:ipv4-prefix;
           description
             "Match on IPv4 dst address.";
         }
         leaf l4-src-port {
           type inet:port-number;
           description
             "Match on Layer 4 src port.";
         }
         leaf l4-dst-port {
           type inet:port-number;
           description
             "Match on Layer 4 dst port.";
         }
         leaf ipv6-src-prefix {
           type inet:ipv6-prefix;
           description
             "Match on IPv6 src address.";
         }
         leaf ipv6-dst-prefix {
           type inet:ipv6-prefix;
           description
             "Match on IPv6 dst address.";
         }
         leaf protocol-field {
           type union {
             type uint8;
             type identityref {
               base protocol-type;
             }
           }
           description
             "Match on IPv4 protocol or IPv6 Next Header field.";
         }
         description
           "Describes flow-matching criteria.";
       }
       description
         "grouping for flow definition.";
     }

     grouping application-criteria {
       list ac {
         key "name";
         ordered-by user;
         leaf name {
           type string;
           description
             "A description identifying the qos classification
              policy rule.";
         }
         choice match-type {
           default "match-flow";
           case match-flow {
             uses flow-definition;
           }
           case match-application {
             leaf match-application {
               type identityref {
                 base customer-application;
               }
               description
                 "Defines the application to match.";
             }
           }
           description
             "Choice for classification.";
         }
         description
           "List of marking rules.";
       }
       description
         "This grouping defines QoS parameters for a site.";
     }

     grouping vpn-service {
       leaf vpn-id {
         type svc-id;
         description
           "Identity for VPN.";
       }
       container performance-objective {
         leaf start-time {
           type yang:date-and-time;
           description
             "start-time indicates date and time.";
         }
         leaf duration {
           type string;
           description
             "Time duration.";
         }
         container uptime-objective {
           leaf duration {
             type decimal64 {
               fraction-digits 5;
               range "0..100";
             }
             units "percent";
             description
               "To be used to define the percentage of the available
                service.";
           }
           description
             "Uptime objective.";
         }
         description
           "The performance objective.";
       }
       container reserved-prefixes {
         leaf-list prefix {
           type inet:ip-prefix;
           description
             "ip prefix reserved for SP management purpose.";
         }
         description
           "ip prefix list reserved for SP management purpose.";
       }
       container applications {
         list application {
           key "app-id";
           leaf app-id {
             type svc-id;
             description
               "application name";
           }
           uses application-criteria;
           description
             "list for application";
         }
         description
           "container for application";
       }
       list application-group {
         key "app-group-id";
         leaf app-group-id {
           type svc-id;
           description
             "application group name";
         }
         leaf-list app-id {
           type leafref {
             path "../../applications/application/app-id";
           }
           description
             "application member list in an application group";
         }
         description
           "list for application group";
       }
       list policy {
         key "policy-id";
         leaf policy-id {
           type svc-id;
           description
             "Policy names";
         }
         leaf direction {
           type enumeration {
             enum inbound {
               description
                 "specify the wan-to-site direction to which the policy
                  criteria is applied";
             }
             enum outbound {
               description
                 "specify the site-to-wan direction to which the policy
                  criteria is applied";
             }
             enum both {
               description
                 "specify both the site-to-wan and wan-to-site directions
                  to which the policy criteria is applied";
             }
           }
           description
             "Traffic direction";
         }
         list criterias {
           key "pc-name";
           leaf pc-name {
             type string;
             description
               "Policy criteria name";
           }
           choice policy-type {
             case encryption {
               leaf enable {
                 type boolean;
                 description
                   "yes,no.";
               }
               description
                 "TVC encrypted or not.";
             }
             case public-private {
               leaf underlay-values {
                 type enumeration {
                   enum private-only {
                     description
                       "The private WAN underlay is specified.";
                   }
                   enum public-only {
                     description
                       "The public WAN underlay is specified.";
                   }
                   enum either {
                     description
                       "Either the public WAN or the private WAN could be
                        used.";
                   }
                 }
                 description
                   "yes,no,either.";
               }
               description
                 "public-private.";
             }
             case internet-breakout {
               container internet-policy {
                 leaf local-breakout {
                   type boolean;
                   description
                     "indicates whether the Application Flow should be
                      routed directly to the Internet using Local Internet
                      Breakout.  It can have values Yes and No.";
                 }
                 leaf alter-route {
                   type boolean;
                   description
                     "whether an alternate route to the Internet can be
                      used.";
                 }
                 description
                   "lib,alt.";
               }
               description
                 "lib,alt.";
             }
             case billing-method {
               leaf billing-values {
                 type enumeration {
                   enum flat-only {
                     description
                       "Only flat-rate underlay could be used for the
                        traffic.";
                   }
                   enum either {
                     description
                       "Either flat-rate or usage based underlay could be
                        used for the traffic.";
                   }
                 }
                 description
                   "billing policy.";
               }
             }
             case primary-backup {
               container path-values {
                 leaf overlay-values {
                   type enumeration {
                     enum primary {
                       description
                         "Only the primary tunnel overlay could be used for
                          the traffic.";
                     }
                     enum either {
                       description
                         "Either the primary or backup overlay tunnel could
                          be used for the traffic.";
                     }
                   }
                   description
                     "overlay connection as Primary or both Primary and
                      Backup.";
                 }
                 container sla-values {
                   leaf latency {
                     type uint32;
                     description
                       "latency";
                   }
                   leaf jitter {
                     type uint32;
                     description
                       "jitter";
                   }
                   leaf packet-loss-rate {
                     type uint32;
                     description
                       "packet loss rate";
                   }
                   description
                     "traffic sla";
                 }
                 description
                   "path values";
               }
               description
                 "primary-backup policy";
             }
             case bandwidth {
               container bandwidth-values {
                 leaf commit {
                   type uint32;
                   description
                     "CIR";
                 }
                 leaf max {
                   type uint32;
                   description
                     "max speed";
                 }
                 leaf time {
                   type uint32;
                   description
                     "the averaging period (in milliseconds) for
                      determining the information rates";
                 }
                 description
                   "Container for value";
               }
               description
                 "case for bandwidth policy.";
             }
             description
               "Choice for policy criteria.";
           }
           description
             "List for pc criteria";
         }
         description
           "List for policy";
       }
       container app-group-policy-map {
         list mapping {
           key "app-group-id";
           leaf app-group-id {
             type leafref {
               path "../../../application-group/app-group-id";
             }
             description
               "application group reference";
           }
           leaf policy-id {
             type leafref {
               path "../../../policy/policy-id";
             }
             description
               "policy reference";
           }
           description
             "List for policy mapping";
         }
         description
           "container for policy mapping";
       }
       list endpoints {
         key "endpoint-id";
         uses vpn-endpoint;
         description
           "List of endpoints.";
       }
       description
         "List of vpn service";
     }

     grouping site-l2-technology {
       container l2-technology {
         leaf l2-type {
           type identityref {
             base eth-inf-type;
           }
           default "untagged";
           description
             "Defines physical properties of an interface.  By default, the
              Ethernet interface type is set to 'untagged'.";
         }
         container untagged-interface {
           leaf speed {
             type uint32;
             units "mbps";
             default "10";
             description
               "Port speed.";
           }
           leaf mode {
             type neg-mode;
             default "auto-neg";
             description
               "Negotiation mode.";
           }
           description
             "Container of Untagged Interface Attributes
              configurations.";
         }
         container tagged-interface {
           leaf type {
             type identityref {
               base tagged-inf-type;
             }
             default "dot1q";
             description
               "Tagged interface type.  By default,
                the Tagged interface type is dot1q interface.";
           }
           container dot1q-vlan-tagged {
             leaf tg-type {
               type identityref {
                 base tag-type;
               }
               default "c-vlan";
               description
                 "TAG type.  By default, Tag type is Customer-VLAN tag.";
             }
             leaf cvlan-id {
               type uint16;
               mandatory true;
               description
                 "VLAN identifier.";
             }
             description
               "Tagged interface.";
           }
           description
             "Container for tagged Interface.";
         }
         description
           "Container for l2 technology.";
       }
       description
         "grouping for l2 technology.";
     }

     grouping site-ip-connection {
       container ip-connection {
         container ipv4 {
           leaf address-allocation-type {
             type identityref {
               base address-allocation-type;
             }
             description
               "Defines how addresses are allocated.
                If there is no value for address
                allocation type, then the ipv4 is not enabled.";
           }
           container dhcp {
             container primary-subnet {
               leaf ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "IPv4 address prefix and mask length between 0 and 31,
                    in bits.";
               }
               leaf default-router {
                 type inet:ip-address;
                 description
                   "Address of default router.";
               }
               leaf-list provider-addresses {
                 type inet:ipv4-address;
                 description
                   "the Service Provider IPv4 Addresses MUST be within the
                    specified IPv4 Prefix.";
               }
               leaf subscriber-address {
                 type inet:ip-address;
                 description
                   "subscriber IPv4 Addresses: Non-empty list
                    of IPv4 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ip-prefix;
                 description
                   "List of IPv4 Prefixes, possibly empty";
               }
               description
                 "Primary Subnet List";
             }
             list secondary-subnet {
               key "ip-prefix";
               leaf ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "IPv4 address prefix and mask length between 0 and 31,
                    in bits";
               }
               leaf-list provider-addresses {
                 type inet:ipv4-address;
                 description
                   "Service Provider IPv4 Addresses: Non-empty list
                    of IPv4 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "List of IPv4 Prefixes, possibly empty";
               }
               description
                 "Secondary Subnet List";
             }
             description
               "DHCP allocated addresses related parameters.";
           }
           container static {
             container primary-subnet {
               leaf ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "IPv4 address prefix and mask length between 0 and 31,
                    in bits.";
               }
               leaf default-router {
                 type inet:ip-address;
                 description
                   "Address of default router.";
               }
               leaf-list provider-addresses {
                 type inet:ipv4-address;
                 description
                   "the Service Provider IPv4 Addresses MUST be within the
                    specified IPv4 Prefix.";
               }
               leaf subscriber-address {
                 type inet:ip-address;
                 description
                   "subscriber IPv4 Addresses: Non-empty list
                    of IPv4 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ip-prefix;
                 description
                   "List of IPv4 Prefixes, possibly empty";
               }
               description
                 "Primary Subnet List";
             }
             list secondary-subnet {
               key "ip-prefix";
               leaf ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "IPv4 address prefix and mask length between 0 and 31,
                    in bits";
               }
               leaf-list provider-addresses {
                 type inet:ipv4-address;
                 description
                   "Service Provider IPv4 Addresses: Non-empty list
                    of IPv4 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ipv4-prefix;
                 description
                   "List of IPv4 Prefixes, possibly empty";
               }
               description
                 "Secondary Subnet List";
             }
             description
               "Static configuration related parameters.";
           }
           description
             "IPv4-specific parameters.";
         }
         container ipv6 {
           leaf address-allocation-type {
             type identityref {
               base address-allocation-type;
             }
             description
               "Defines how addresses are allocated.
                If there is no value for address
                allocation type, then the ipv6 is not enabled.";
           }
           container dhcp {
             list subnet {
               key "ip-prefix";
               leaf ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "IPv6 address prefix and prefix length between 0 and
                    128";
               }
               leaf-list provider-addresses {
                 type inet:ipv6-address;
                 description
                   "Non-empty list of IPv6 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "List of IPv6 Prefixes, possibly empty";
               }
               description
                 "Subnet List";
             }
             description
               "DHCP allocated addresses related parameters.";
           }
           container slaac {
             list subnet {
               key "ip-prefix";
               leaf ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "IPv6 address prefix and prefix length of 64";
               }
               leaf-list provider-addresses {
                 type inet:ipv6-address;
                 description
                   "Non-empty list of IPv6 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "List of IPv6 Prefixes, possibly empty";
               }
               description
                 "Subnet List";
             }
             description
               "SLAAC allocated addresses related parameters.";
           }
           container static {
             list subnet {
               key "ip-prefix";
               leaf ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "IPv6 address prefix and prefix length between 0 and
                    128";
               }
               leaf-list provider-addresses {
                 type inet:ipv6-address;
                 description
                   "Non-empty list of IPv6 addresses";
               }
               leaf-list reserved-ip-prefix {
                 type inet:ipv6-prefix;
                 description
                   "List of IPv6 Prefixes, possibly empty";
               }
               description
                 "Subnet List";
             }
             leaf subscriber-address {
               type inet:ipv6-address;
               description
                 "IPv6 address or Not Specified.";
             }
             description
               "Static configuration related parameters.";
           }
           description
             "Describes IPv6 addresses used.";
         }
         description
           "IPv6-specific parameters.";
       }
       description
         "This grouping defines IP connection parameters.";
     }

     container sdwan-vpn-svc {
       container vpn-services {
         list vpn-service {
           key "vpn-id";
           uses vpn-service;
           description
             "List for SD-WAN";
         }
         description
           "Container for SD-WAN VPN service";
       }
       container sites {
         list site {
           key "site-id";
           leaf site-id {
             type svc-id;
             description
               "Site Name";
           }
           leaf device-type {
             type device-type;
             description
               "device type";
           }
           list lan-access {
             key "name";
             leaf name {
               type string;
               description
                 "lan access link name";
             }
             uses site-l2-technology;
             uses site-ip-connection;
             description
               "container for lan access";
           }
           description
             "List for site";
         }
         description
           "Container for sites";
       }
       description
         "Top-level container for the VPN services.";
     }
   }

7.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.
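   The two controls a server applies to an edit of this module, access
   control on the subtree and the constraints the module itself declares,
   can be exercised together.  The following is an added example, not
   code from the draft: a simplified NACM-style write check (RFC 6536,
   first matching rule wins, otherwise write-default) over the module
   name from the IANA section, followed by the leafref and range checks
   that the vpn-service, vpn-endpoint and flow-definition groupings above
   imply, run over a constructed instance.  The users, groups, rule
   names, service identifiers and the prefix-less rule path are all
   assumptions made for the example.

```python
"""Pre-commit checks for an ietf-sdwan-vpn-svc edit (added example, not
from the draft): a simplified NACM-style (RFC 6536) write check on the
/sdwan-vpn-svc subtree, then the leafref and range constraints the
module declares, run over a constructed instance.  User, group and rule
names are made up."""
import copy

MODULE = "ietf-sdwan-vpn-svc"  # module name from the IANA section

# Constructed NACM config: writes denied by default, one group permitted
# to modify the service subtree (real rule paths are prefixed XPath,
# e.g. /sdwan-svc:sdwan-vpn-svc; the prefix is dropped here).
NACM = {
    "write-default": "deny",
    "groups": {"sdwan-operators": {"alice"}, "helpdesk": {"bob"}},
    "rule-list": [{"group": "sdwan-operators", "module-name": MODULE,
                   "path": "/sdwan-vpn-svc", "action": "permit",
                   "access-operations": {"create", "update", "delete"}}],
}

def write_permitted(user, module, path, op, nacm=NACM):
    """First matching rule wins (user's group, module, path at or below
    the rule path, operation); otherwise write-default applies."""
    groups = {g for g, users in nacm["groups"].items() if user in users}
    for r in nacm["rule-list"]:
        below = path == r["path"] or path.startswith(r["path"] + "/")
        if (r["group"] in groups and r["module-name"] == module
                and below and op in r["access-operations"]):
            return r["action"] == "permit"
    return nacm["write-default"] == "permit"

# Constructed JSON-encoded /sdwan-vpn-svc instance.  Choice/case nodes are
# not encoded, so match-flow sits directly under each "ac" entry.
SAMPLE = {
    "vpn-services": {"vpn-service": [{
        "vpn-id": "vpn-1",
        "performance-objective": {"uptime-objective": {"duration": 99.9}},
        "applications": {"application": [
            {"app-id": "voip", "ac": [{"name": "rtp", "match-flow":
                {"protocol-field": "udp", "l4-dst-port": 5004, "cvlan": 5}}]}]},
        "application-group": [{"app-group-id": "realtime", "app-id": ["voip"]}],
        "policy": [{"policy-id": "encrypt", "direction": "both",
                    "criterias": [{"pc-name": "enc", "enable": True}]}],
        "app-group-policy-map": {"mapping": [
            {"app-group-id": "realtime", "policy-id": "encrypt"}]},
        "endpoints": [{"endpoint-id": "ep-1",
                       "site-attachment": {"site-id": "site-a"},
                       "endpoint-policy-map": {"app-policy": [
                           {"app-id": "voip", "policy-id": "encrypt"}]}}]}]},
    "sites": {"site": [{"site-id": "site-a", "lan-access": [{"name": "lan1"}]}]},
}

def validate_service(svc):
    """Return the constraint violations found in one /sdwan-vpn-svc tree."""
    errors, site_ids = [], {s["site-id"] for s in svc["sites"]["site"]}
    for vpn in svc["vpn-services"]["vpn-service"]:
        vid = vpn["vpn-id"]
        apps = vpn.get("applications", {}).get("application", [])
        app_ids = {a["app-id"] for a in apps}
        group_ids = {g["app-group-id"] for g in vpn.get("application-group", [])}
        policy_ids = {p["policy-id"] for p in vpn.get("policy", [])}
        # uptime-objective/duration is decimal64 with range "0..100"
        up = vpn.get("performance-objective", {}).get("uptime-objective", {})
        if "duration" in up and not 0 <= up["duration"] <= 100:
            errors.append(f"{vid}: uptime {up['duration']} outside 0..100")
        # match-flow/cvlan is uint8 with range "0..7"
        for app in apps:
            for ac in app.get("ac", []):
                cvlan = ac.get("match-flow", {}).get("cvlan")
                if cvlan is not None and not 0 <= cvlan <= 7:
                    errors.append(f"{vid}/{app['app-id']}: cvlan {cvlan} outside 0..7")
        # leafrefs: each reference must resolve to an existing list key
        for grp in vpn.get("application-group", []):
            for ref in grp.get("app-id", []):
                if ref not in app_ids:
                    errors.append(f"{vid}/{grp['app-group-id']}: unknown app-id {ref}")
        for m in vpn.get("app-group-policy-map", {}).get("mapping", []):
            if m["app-group-id"] not in group_ids:
                errors.append(f"{vid}: unknown app-group-id {m['app-group-id']}")
            if m["policy-id"] not in policy_ids:
                errors.append(f"{vid}: unknown policy-id {m['policy-id']}")
        for ep in vpn.get("endpoints", []):
            site = ep.get("site-attachment", {}).get("site-id")
            if site is not None and site not in site_ids:
                errors.append(f"{vid}/{ep['endpoint-id']}: unknown site-id {site}")
            for ap in ep.get("endpoint-policy-map", {}).get("app-policy", []):
                if ap["app-id"] not in app_ids:
                    errors.append(f"{vid}/{ep['endpoint-id']}: unknown app-id {ap['app-id']}")
                if ap["policy-id"] not in policy_ids:
                    errors.append(f"{vid}/{ep['endpoint-id']}: unknown policy-id {ap['policy-id']}")
    return errors

def broken_sample():
    """SAMPLE with a dangling policy-id leafref and an out-of-range cvlan."""
    bad = copy.deepcopy(SAMPLE)
    vpn = bad["vpn-services"]["vpn-service"][0]
    vpn["endpoints"][0]["endpoint-policy-map"]["app-policy"][0]["policy-id"] = "nosuch"
    vpn["applications"]["application"][0]["ac"][0]["match-flow"]["cvlan"] = 9
    return bad

if __name__ == "__main__":
    print(write_permitted("alice", MODULE, "/sdwan-vpn-svc/sites", "update"))  # True
    print(write_permitted("bob", MODULE, "/sdwan-vpn-svc/sites", "update"))    # False
    print(validate_service(SAMPLE), validate_service(broken_sample()))
```

   The order matters: a server rejects an unauthorized edit before it
   validates it, so a user outside the permitted group learns nothing
   about which identifiers exist in the service tree.  A real
   implementation takes the leafref and range checks from the compiled
   module rather than hand-coding them as done here.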
   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability.

8.  IANA Considerations

   IANA has assigned a new URI from the "IETF XML Registry" [RFC3688].

      URI: urn:ietf:params:xml:ns:yang:ietf-sdwan-vpn-svc
      Registrant Contact: The IESG
      XML: N/A; the requested URI is an XML namespace.

   IANA has recorded a YANG module name in the "YANG Module Names"
   registry [RFC6020] as follows:

      Name: ietf-sdwan-vpn-svc
      Namespace: urn:ietf:params:xml:ns:yang:ietf-sdwan-vpn-svc
      Prefix: sdwan-svc
      Reference: RFC xxxx

9.  Appendix 1: MEF SD-WAN Service Attributes Terminology Mapping

   The table below shows the terminology mapping.  Apart from the naming
   difference, MEF defines the service attributes of the UNI and SWVC
   objects in a parallel, flat structure.  In order to reflect the
   relationships between the parameters, the YANG model retains the
   parameter names but adjusts some of the structure.  Additionally, in
   order to leave room for future augmentation, the model defines
   "lan-access" as a list, which also accommodates the case where the
   current MEF service attributes permit only one LAN access.
   +----------------------------+----------------------------------+
   | IETF SD-WAN Service model  | MEF70 SD-WAN Services Term       |
   +----------------------------+----------------------------------+
   | SD-WAN VPN                 | SD-WAN Virtual Connection (SWVC) |
   +----------------------------+----------------------------------+
   | SD-WAN VPN Endpoint        | SWVC End Point                   |
   +----------------------------+----------------------------------+
   | Site                       | User Network Interface (UNI)     |
   +----------------------------+----------------------------------+
   | lan access                 | UNI Service Attributes           |
   +----------------------------+----------------------------------+

10.  Appendix 2: Site Augmentation and Policy Augmentation

   In some cases, a customer needs a complete view of the site network
   connection, which includes not only the customer network but also
   the WAN connectivity.

10.1.  Site Augmentation

   A Site node could be augmented with a WAN access list to show the
   underlay network information.

   +---------------------------------+
   |              site               |
   |    |       |       |       |    |
   |    |       |       |       |    |
   |   LAN1    LAN2    LAN3    LAN4  |
   |   +--------+      +--------+    |
   |   |        |      |        |    |
   |   |Device 1|      |Device 2|    |
   |   +---+----+      +----+---+    |
   | WAN   |   \      /     |   WAN  |
   |       |    \    /      |        |
   +-------+-----------------+-------+
           |      \  /       |
           |       \/        |
         -----     /\      -----
        /     \   /  \    /     \
       | MPLS VPN |- -| Internet |
        \     /          \     /
         -----            -----

10.2.  Path Selection Policy Augmentation

   For the traffic specified by the flow classification rule, the status
   related to the traffic SLA profile is collected; based on the
   measurement result calculated from the collected information, either
   the primary path or the secondary path is selected.

          +--:(primary-backup)
             +--rw path-values
                +--rw overlay-values?      enumeration
                +--rw sla-values
                   +--rw latency?            uint32
                   +--rw jitter?             uint32
                   +--rw packet-loss-rate?   uint32

11.  Acknowledgments

   This work has benefited from the discussions of xxxx.

12.  Contributors

   The authors would like to thank Zitao Wang and Qin Wu for their major
   contributions to the initial modeling.

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4026]  Andersson, L. and T. Madsen, "Provider Provisioned Virtual
              Private Network (VPN) Terminology", RFC 4026,
              DOI 10.17487/RFC4026, March 2005.

   [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
              Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
              2006.

   [RFC4664]  Andersson, L., Ed. and E. Rosen, Ed., "Framework for Layer
              2 Virtual Private Networks (L2VPNs)", RFC 4664,
              DOI 10.17487/RFC4664, September 2006.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPsec) and
              Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
              DOI 10.17487/RFC6071, February 2011.

   [RFC8299]  Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
              "YANG Data Model for L3VPN Service Delivery", RFC 8299,
              DOI 10.17487/RFC8299, January 2018.

13.2.  Informative References

   [I-D.carrel-ipsecme-controller-ike]
              Carrel, D. and B. Weis, "IPsec Key Exchange using a
              Controller", draft-carrel-ipsecme-controller-ike-01 (work
              in progress), March 2019.

   [I-D.rosen-bess-secure-l3vpn]
              Rosen, E. and R. Bonica, "Augmenting RFC 4364 Technology
              to Provide Secure Layer L3VPNs over Public
              Infrastructure", draft-rosen-bess-secure-l3vpn-01 (work in
              progress), June 2018.
   [MEF55]    MEF, Ed., "Lifecycle Service Orchestration (LSO):
              Reference Architecture and Framework".

   [MEF70]    MEF, Ed., "SD-WAN Service Attributes and Service
              Description".

   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
              DOI 10.17487/RFC2784, March 2000.

   [RFC4110]  Callon, R. and M. Suzuki, "A Framework for Layer 3
              Provider-Provisioned Virtual Private Networks (PPVPNs)",
              RFC 4110, DOI 10.17487/RFC4110, July 2005.

   [RFC7364]  Narten, T., Ed., Gray, E., Ed., Black, D., Fang, L.,
              Kreeger, L., and M. Napierala, "Problem Statement:
              Overlays for Network Virtualization", RFC 7364,
              DOI 10.17487/RFC7364, October 2014.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Authors' Addresses

   Qiong Sun
   China Telecom
   Beijing
   China

   Email: sunqiong.bri@chinatelecom.cn

   Honglei Xu
   China Telecom
   Beijing
   China

   Email: sunqiong.bri@chinatelecom.cn

   Bo Wu
   Huawei
   Nanjing
   China

   Email: lana.wubo@huawei.com

   Qin Wu
   Huawei
   Nanjing
   China

   Email: bill.wu@huawei.com