rfc9835.original   rfc9835.txt 
Operations and Management Area Working Group M. Boucadair, Ed. Internet Engineering Task Force (IETF) M. Boucadair, Ed.
Internet-Draft Orange Request for Comments: 9835 Orange
Intended status: Standards Track R. Roberts Category: Standards Track R. Roberts
Expires: 27 July 2025 Juniper ISSN: 2070-1721 Juniper
O. G. D. Dios O. Gonzalez de Dios
Telefonica Telefonica
S. B. Giraldo S. Barguil Giraldo
Nokia Nokia
B. Wu B. Wu
Huawei Technologies Huawei Technologies
23 January 2025 August 2025
A Network YANG Data Model for Attachment Circuits A Network YANG Data Model for Attachment Circuits
draft-ietf-opsawg-ntw-attachment-circuit-16
Abstract Abstract
This document specifies a network model for attachment circuits. The This document specifies a network model for attachment circuits. The
model can be used for the provisioning of attachment circuits prior model can be used for the provisioning of attachment circuits prior
or during service provisioning (e.g., VPN, Network Slice Service). A to or during service provisioning (e.g., VPN, Network Slice Service).
companion service model is specified in the YANG Data Models for A companion service model is specified in "YANG Data Models for
Bearers and 'Attachment Circuits'-as-a-Service (ACaaS) (I-D.ietf- Bearers and 'Attachment Circuits'-as-a-Service (ACaaS)" (RFC9834).
opsawg-teas-attachment-circuit).
The module augments the base network ('ietf-network') and the Service The module augments the base network ('ietf-network') and the Service
Attachment Point (SAP) models with the detailed information for the Attachment Point (SAP) models with the detailed information for the
provisioning of attachment circuits in Provider Edges (PEs). provisioning of attachment circuits in Provider Edges (PEs).
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Operations and
Management Area Working Group Working Group mailing list
(opsawg@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/opsawg/.
Source for this draft and an issue tracker can be found at
https://github.com/boucadair/attachment-circuit-model.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 27 July 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9835.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Editorial Note (To be removed by RFC Editor) . . . . . . 5 2. Conventions and Definitions
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 5 3. Relationship to Other AC Data Models
3. Relationship to Other AC Data Models . . . . . . . . . . . . 7 4. Sample Uses of the Attachment Circuit Data Models
4. Sample Uses of the Attachment Circuit Data Models . . . . . . 8 4.1. ACs Terminated by One or Multiple Customer Edges (CEs)
4.1. ACs Terminated by One or Multiple Customer Edges (CEs) . 8
4.2. Positioning the AC Network Model in the Overall Service 4.2. Positioning the AC Network Model in the Overall Service
Delivery Process . . . . . . . . . . . . . . . . . . . . 10 Delivery Process
5. Description of the Attachment Circuit YANG Module . . . . . . 12 5. Description of the Attachment Circuit YANG Module
5.1. Overall Structure of the Module . . . . . . . . . . . . . 12 5.1. Overall Structure of the Module
5.2. References . . . . . . . . . . . . . . . . . . . . . . . 15 5.2. References
5.3. Provisioning Profiles . . . . . . . . . . . . . . . . . . 16 5.3. Provisioning Profiles
5.4. L2 Connection . . . . . . . . . . . . . . . . . . . . . . 18 5.4. L2 Connection
5.5. IP Connection . . . . . . . . . . . . . . . . . . . . . . 21 5.5. IP Connection
5.6. Routing . . . . . . . . . . . . . . . . . . . . . . . . . 24 5.6. Routing
5.6.1. Static Routing . . . . . . . . . . . . . . . . . . . 25 5.6.1. Static Routing
5.6.2. BGP . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.6.2. BGP
5.6.3. OSPF . . . . . . . . . . . . . . . . . . . . . . . . 34 5.6.3. OSPF
5.6.4. IS-IS . . . . . . . . . . . . . . . . . . . . . . . . 37 5.6.4. IS-IS
5.6.5. RIP . . . . . . . . . . . . . . . . . . . . . . . . . 39 5.6.5. RIP
5.6.6. VRRP . . . . . . . . . . . . . . . . . . . . . . . . 42 5.6.6. VRRP
5.7. OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.7. OAM
5.8. Security . . . . . . . . . . . . . . . . . . . . . . . . 46 5.8. Security
5.9. Service . . . . . . . . . . . . . . . . . . . . . . . . . 47 5.9. Service
6. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 50 6. YANG Module
7. Security Considerations . . . . . . . . . . . . . . . . . . . 92 7. Security Considerations
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 93 8. IANA Considerations
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 94 9. References
9.1. Normative References . . . . . . . . . . . . . . . . . . 94 9.1. Normative References
9.2. Informative References . . . . . . . . . . . . . . . . . 97 9.2. Informative References
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 99 Appendix A. Examples
A.1. VPLS . . . . . . . . . . . . . . . . . . . . . . . . . . 100 A.1. VPLS
A.2. Parent AC . . . . . . . . . . . . . . . . . . . . . . . . 105 A.2. Parent AC
Appendix B. Full Tree . . . . . . . . . . . . . . . . . . . . . 106 Appendix B. Full Tree
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 119 Acknowledgments
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Contributors
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 120 Authors' Addresses
1. Introduction 1. Introduction
Connectivity services are provided by networks to customers via Connectivity services are provided by networks to customers via
dedicated terminating points, such as Service Functions [RFC7665], dedicated terminating points, such as Service Functions [RFC7665],
customer edges (CEs), peer Autonomous System Border Routers (ASBRs), Customer Edges (CEs), peer Autonomous System Border Routers (ASBRs),
data centers gateways, or Internet Exchange Points. data center gateways, or Internet Exchange Points.
The procedure to provision a service in a service provider network The procedure to provision a service in a service provider network
may depend on the practices adopted by a service provider, including may depend on the practices adopted by a service provider, including
the flow put in place for the provisioning of advanced network the flow put in place for the provisioning of advanced network
services and how they are bound to an attachment circuit (AC). For services and how they are bound to an attachment circuit (AC). For
example, the same attachment circuit may host multiple services example, the same attachment circuit may host multiple services
(e.g., Layer 2 Virtual Private Network (VPN), or Layer 3 VPN, or (e.g., Layer 2 VPN (L2VPN), Layer 3 VPN (L3VPN), or Network Slice
Network Slice Service [RFC9543]). In order to avoid service Service [RFC9543]). In order to avoid service interference and
interference and redundant information in various locations, a redundant information in various locations, a service provider may
service provider may expose an interface to manage ACs network-wide. expose an interface to manage ACs network-wide. Customers can then
Customers can then request a standalone attachment circuit to be put request a standalone attachment circuit to be put in place and refer
in place, and then refer to that attachment circuit when requesting to that attachment circuit when requesting services to be bound to
services to be bound to that AC. that AC. [RFC9834] specifies a data model for managing Attachment
[I-D.ietf-opsawg-teas-attachment-circuit] specifies a data model for Circuits as a Service (ACaaS).
managing attachment circuits as a service.
Section 6 specifies a network model for attachment circuits ("ietf- Section 6 specifies a network model for attachment circuits ("ietf-
ac-ntw"). The model can be used for the provisioning of ACs in a ac-ntw"). The model can be used for the provisioning of ACs in a
provider network prior or during service provisioning. For example, provider network prior to or during service provisioning. For
[I-D.ietf-opsawg-ac-lxsm-lxnm-glue] specifies augmentations to the example, [RFC9836] specifies augmentations to the L2VPN Network Model
L2VPN Network Model (L2NM) [RFC9291] and the L3VPN Network Model (L2NM) [RFC9291] and the L3VPN Network Model (L3NM) [RFC9182] to bind
(L3NM) [RFC9182] to bind LxVPNs to ACs that are provisioned using the LxVPNs to ACs that are provisioned using the procedure defined in
procedure defined in this document. this document.
The document leverages [RFC9182] and [RFC9291] by adopting an AC This document leverages [RFC9182] and [RFC9291] by adopting an AC
provisioning structure that uses data nodes that are defined in those provisioning structure that uses data nodes that are defined in those
RFCs. Some refinements were introduced to cover not only RFCs. Some refinements were introduced to cover not only
conventional service provider networks, but also specifics of other conventional service provider networks but also specifics of other
target deployments (e.g., cloud network). target deployments (e.g., cloud network).
The AC network model is designed as augmentations of both the 'ietf- The AC network model is designed as augmentations of both the 'ietf-
network' model [RFC8345] and the Service Attachment Point (SAP) model network' model [RFC8345] and the Service Attachment Point (SAP) model
[RFC9408]. An attachment circuit can be bound to a single or [RFC9408]. An attachment circuit can be bound to a single or
multiple SAPs. Likewise, the model is designed to accommodate multiple SAPs. Likewise, the model is designed to accommodate
deployments where a SAP can be bound to one or multiple ACs (e.g., a deployments where a SAP can be bound to one or multiple ACs (e.g., a
parent AC and its child ACs). parent AC and its child ACs).
.--. .--.
skipping to change at page 4, line 50 skipping to change at line 170
| .-. | | .-. .-. .-. | | .-. | | .-. .-. .-. |
'-------------+sap+-' '-+sap+-+sap+-+sap+-' '-------------+sap+-' '-+sap+-+sap+-+sap+-'
'+' '+' '+' '+' '+' '+' '+' '+'
|ac | |ac |ac |ac | |ac |ac
.+-. | .+-. | .+-. | .+-. |
|CE3+-----ac-----' |CE4+---' |CE3+-----ac-----' |CE4+---'
'--' '--' '--' '--'
Figure 1: Attachment Circuits Examples Figure 1: Attachment Circuits Examples
The AC network model uses the AC common model defined in The AC network model uses the AC common model defined in [RFC9833].
[I-D.ietf-opsawg-teas-common-ac].
The YANG 1.1 [RFC7950] data model in this document conforms to the The YANG 1.1 [RFC7950] data model in this document conforms to the
Network Management Datastore Architecture (NMDA) defined in Network Management Datastore Architecture (NMDA) defined in
[RFC8342]. [RFC8342].
Sample examples are provided in Appendix A. Some examples are provided in Appendix A.
1.1. Editorial Note (To be removed by RFC Editor)
Note to the RFC Editor: This section is to be removed prior to
publication.
This document contains placeholder values that need to be replaced
with finalized values at the time of publication. This note
summarizes all of the substitutions that are needed.
Please apply the following replacements:
* CCCC --> the assigned RFC number for
[I-D.ietf-opsawg-teas-common-ac]
* SSSS --> the assigned RFC number for
[I-D.ietf-opsawg-teas-attachment-circuit]
* XXXX --> the assigned RFC number for this I-D
* 2025-01-07 --> the actual date of the publication of this document
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The reader should be familiar with the terms defined in Section 2 of The reader should be familiar with the terms defined in Section 2 of
skipping to change at page 6, line 16 skipping to change at line 209
L3VPN Network Model (L3NM) [RFC9182]. L3VPN Network Model (L3NM) [RFC9182].
LxVPN refers to both L2VPN and L3VPN. LxVPN refers to both L2VPN and L3VPN.
The following are used in the module prefixes: The following are used in the module prefixes:
ac: Attachment circuit ac: Attachment circuit
ntw: Network ntw: Network
sap: Service Attchment Point sap: Service Attachment Point
svc: Service svc: Service
In addition, this document uses the following terms: In addition, this document uses the following terms:
Bearer: A physical or logical link that connects a customer node (or Bearer: A physical or logical link that connects a customer node (or
site) to a provider network. site) to a provider network.
A bearer can be a wireless or wired link. One or multiple A bearer can be a wireless or wired link. One or multiple
technologies can be used to build a bearer. The bearer type can technologies can be used to build a bearer. The bearer type can
be specified by a customer. be specified by a customer.
The operator allocates a unique bearer reference to identify a The operator allocates a unique bearer reference to identify a
bearer within its network (e.g., customer line identifier). Such bearer within its network (e.g., customer line identifier). Such
a reference can be retrieved by a customer and then used in a reference can be retrieved by a customer and then used in
subsequent service placement requests to unambiguously identify subsequent service placement requests to unambiguously identify
where a service is to be bound. where a service is to be bound.
The concept of bearer can be generalized to refer to the required The concept of a bearer can be generalized to refer to the
underlying connection for the provisioning of an attachment required underlying connection for the provisioning of an
circuit. attachment circuit.
One or multiple attachment circuits may be hosted over the same One or multiple attachment circuits may be hosted over the same
bearer (e.g., multiple Virtual Local Area Networks (VLANs) on the bearer (e.g., multiple Virtual Local Area Networks (VLANs) on the
same bearer that is provided by a physical link). same bearer that is provided by a physical link).
Network controller: Denotes a functional entity responsible for the Network controller: Denotes a functional entity responsible for the
management of the service provider network. One or multiple management of the service provider network. One or multiple
network controllers can be deployed in a service provider network. network controllers can be deployed in a service provider network.
Service orchestrator: Refers to a functional entity that interacts Service orchestrator: Refers to a functional entity that interacts
skipping to change at page 7, line 17 skipping to change at line 259
Service provider network: A network that is able to provide network Service provider network: A network that is able to provide network
services (e.g., LxVPN or Network Slice Services). services (e.g., LxVPN or Network Slice Services).
Service provider: An entity that offers network services (e.g., Service provider: An entity that offers network services (e.g.,
LxVPN or Network Slice Services). LxVPN or Network Slice Services).
The names of data nodes are prefixed using the prefix associated with The names of data nodes are prefixed using the prefix associated with
the corresponding imported YANG module as shown in Table 1: the corresponding imported YANG module as shown in Table 1:
+=============+=====================+=========================+ +=============+=====================+==========================+
| Prefix | Module | Reference | | Prefix | Module | Reference |
+=============+=====================+=========================+ +=============+=====================+==========================+
| ac-common | ietf-ac-common | RFC CCCC | | ac-common | ietf-ac-common | [RFC9833] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| ac-svc | ietf-ac-svc | Section 5.2 of RFC SSSS | | ac-svc | ietf-ac-svc | Section 5.2 of [RFC9834] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| dot1q-types | ieee802-dot1q-types | [IEEE802.1Qcp] | | dot1q-types | ieee802-dot1q-types | [IEEE802.1Qcp] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| if | ietf-interfaces | [RFC8343] | | if | ietf-interfaces | [RFC8343] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| inet | ietf-inet-types | Section 4 of [RFC6991] | | inet | ietf-inet-types | Section 4 of [RFC6991] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| key-chain | ietf-key-chain | [RFC8177] | | key-chain | ietf-key-chain | [RFC8177] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| nacm | ietf-netconf-acm | [RFC8341] | | nacm | ietf-netconf-acm | [RFC8341] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| nw | ietf-network | [RFC8345] | | nw | ietf-network | [RFC8345] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| rt-types | ietf-routing-types | [RFC8294] | | rt-types | ietf-routing-types | [RFC8294] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| rt-pol | ietf-routing-policy | [RFC9067] | | rt-pol | ietf-routing-policy | [RFC9067] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| sap | ietf-sap-ntw | [RFC9408] | | sap | ietf-sap-ntw | [RFC9408] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
| vpn-common | ietf-vpn-common | [RFC9181] | | vpn-common | ietf-vpn-common | [RFC9181] |
+-------------+---------------------+-------------------------+ +-------------+---------------------+--------------------------+
Table 1: Modules and Their Associated Prefixes Table 1: Modules and Their Associated Prefixes
3. Relationship to Other AC Data Models 3. Relationship to Other AC Data Models
Figure 2 depicts the relationship between the various AC data models: Figure 2 depicts the relationship between the various AC data models:
* "ietf-ac-common" ([I-D.ietf-opsawg-teas-common-ac]) * "ietf-ac-common" [RFC9833]
* "ietf-bearer-svc" (Section 5.1 of
[I-D.ietf-opsawg-teas-attachment-circuit])
* "ietf-ac-svc" (Section 5.2 of * "ietf-bearer-svc" (Section 6.1 of [RFC9834])
[I-D.ietf-opsawg-teas-attachment-circuit])
* "ietf-ac-svc" (Section 6.2 of [RFC9834])
* "ietf-ac-ntw" (Section 6) * "ietf-ac-ntw" (Section 6)
* "ietf-ac-glue" ([I-D.ietf-opsawg-ac-lxsm-lxnm-glue]) * "ietf-ac-glue" [RFC9836]
ietf-ac-common ietf-ac-common
^ ^ ^ ^ ^ ^
| | | | | |
.----------' | '----------. .----------' | '----------.
| | | | | |
| | | | | |
ietf-ac-svc <--- ietf-bearer-svc | ietf-ac-svc <--- ietf-bearer-svc |
^ ^ | ^ ^ |
| | | | | |
skipping to change at page 9, line 8 skipping to change at line 344
4. Sample Uses of the Attachment Circuit Data Models 4. Sample Uses of the Attachment Circuit Data Models
4.1. ACs Terminated by One or Multiple Customer Edges (CEs) 4.1. ACs Terminated by One or Multiple Customer Edges (CEs)
Figure 3 depicts a sample target topology that involve ACs: Figure 3 depicts a sample target topology that involve ACs:
* ACs are terminated by a SAP at the network side. See Figure 1 for * ACs are terminated by a SAP at the network side. See Figure 1 for
an example of SAPs within a PE. an example of SAPs within a PE.
* A CE can be either a physical device or a logical entity. Such * A CE can be either a physical device or a logical entity. Such a
logical entity is typically a software component (e.g., a virtual logical entity is typically a software component (e.g., a virtual
service function that is hosted within the provider's network or a Service Function that is hosted within the provider's network or a
third-party infrastructure). A CE is seen by the network as a third-party infrastructure). A CE is seen by the network as a
peer SAP [RFC9408]. peer SAP [RFC9408].
* CEs may be either dedicated to one single connectivity service or * CEs may be either dedicated to one single connectivity service or
host multiple connectivity services (e.g., CEs with roles of host multiple connectivity services (e.g., CEs with roles of
service functions [RFC7665]). Service Functions [RFC7665]).
* A network provider may bind a single AC to one or multiple peer * A network provider may bind a single AC to one or multiple peer
SAPs (e.g., CE1 and CE2 are tagged as peer SAPs for the same AC). SAPs (e.g., CE1 and CE2 are tagged as peer SAPs for the same AC).
For example, and as discussed in [RFC4364], multiple CEs can be For example, and as discussed in [RFC4364], multiple CEs can be
attached to a PE over the same attachment circuit. This scenario attached to a PE over the same attachment circuit. This scenario
is typically implemented when the Layer 2 infrastructure between is typically implemented when the Layer 2 infrastructure between
the CE and the network is a multipoint service. the CE and the network is a multipoint service.
* A single CE may terminate multiple ACs, which can be associated * A single CE may terminate multiple ACs, which can be associated
with the same bearer or distinct bearers (e.g., CE4). with the same bearer or distinct bearers (e.g., CE4).
* Customers may request protection schemes in which the ACs * Customers may request protection schemes in which the ACs
associated with their endpoints are terminated by the same PE associated with their endpoints are terminated by the same PE
(e.g., CE3), distinct PEs (e.g., CE4), etc. The network provider (e.g., CE3), distinct PEs (e.g., CE4), etc. The network provider
uses this request to decide where to terminate the AC in the uses this request to decide where to terminate the AC in the
service provider network and also whether to enable specific service provider network and also whether to enable specific
capabilities (e.g., Virtual Router Redundancy Protocol (VRRP)). capabilities (e.g., Virtual Router Redundancy Protocol (VRRP)).
The "ietf-ac-ntw" is a network model that is used to manage the PE "ietf-ac-ntw" is a network model that is used to manage the PE side
side of ACs at a provider network. of ACs at a provider network.
.--------------------. .--------------------.
| | | |
.------. | .--. (b1) .-----. .------. | .--. (b1) .-----.
| +----. | | +---AC---+ | | +----. | | +---AC---+ |
| CE1 | | | |PE+---AC---+ CE3 | | CE1 | | | |PE+---AC---+ CE3 |
'------' | .--. '--' (b2) '-----' '------' | .--. '--' (b2) '-----'
+---AC--+PE| Network | +---AC--+PE| Network |
.------. | '--' .--. (b3) .-----. .------. | '--' .--. (b3) .-----.
| | | | | +---AC---+ | | | | | | +---AC---+ |
skipping to change at page 10, line 30 skipping to change at line 399
'-----------AC----------' '-----------AC----------'
(bx) = bearer Id x (bx) = bearer Id x
Figure 3: Examples of ACs Figure 3: Examples of ACs
4.2. Positioning the AC Network Model in the Overall Service Delivery 4.2. Positioning the AC Network Model in the Overall Service Delivery
Process Process
Figure 4 shows the positioning of the AC network model in the overall Figure 4 shows the positioning of the AC network model in the overall
service delivery process. The "ietf-ac-ntw" module is a network service delivery process. The "ietf-ac-ntw" module is a network
model which augments the SAP with a comprehensive set of parameters model that augments the SAP with a comprehensive set of parameters to
to reflect the attachment circuits that are in place in a network. reflect the attachment circuits that are in place in a network. The
The model also maintains the mapping with the service references that model also maintains the mapping with the service references that are
are used to expose those ACs to customer using the 'ietf-ac-svc' used to expose those ACs to customers using the "ietf-ac-svc" module
module defined in [I-D.ietf-opsawg-teas-attachment-circuit]. Whether defined in [RFC9834]. Whether the same naming conventions to
the same naming conventions to reference an AC are used in the reference an AC are used in the service and network layers is
service and network layers is deployment-specific. deployment-specific.
.-------------. .-------------.
| Customer | | Customer |
'------+------' '------+------'
Customer Service Models | Customer Service Models |
ietf-l2vpn-svc, ietf-l3vpn-svc, | ietf-network-slice-service, ietf-l2vpn-svc, ietf-l3vpn-svc, | ietf-network-slice-service,
ietf-ac-svc, ietf-ac-glue, | and ietf-bearer-svc ietf-ac-svc, ietf-ac-glue, | and ietf-bearer-svc
.------+------. .------+------.
| Service | | Service |
| Orchestration | | Orchestration |
skipping to change at page 12, line 41 skipping to change at line 486
The full tree diagram of the "ietf-ac-ntw" module is provided in The full tree diagram of the "ietf-ac-ntw" module is provided in
Appendix B. Subtrees are provided in the following subsections for Appendix B. Subtrees are provided in the following subsections for
the reader's convenience. the reader's convenience.
5.1. Overall Structure of the Module 5.1. Overall Structure of the Module
The overall tree structure of the "ietf-ac-ntw" module is shown in The overall tree structure of the "ietf-ac-ntw" module is shown in
Figure 6. Figure 6.
augment /nw:networks/nw:network: augment /nw:networks/nw:network:
+--rw specific-provisioning-profiles +--rw specific-provisioning-profiles
| ... | ...
+--rw ac-profile* [name] +--rw ac-profile* [name]
... ...
augment /nw:networks/nw:network/nw:node: augment /nw:networks/nw:network/nw:node:
+--rw ac* [name] +--rw ac* [name]
+--rw name string +--rw name string
+--rw svc-ref? ac-svc:attachment-circuit-reference +--rw svc-ref? ac-svc:attachment-circuit-reference
+--rw profile* [ac-profile-ref] +--rw profile* [ac-profile-ref]
| +--rw ac-profile-ref leafref | +--rw ac-profile-ref leafref
| +--rw network-ref? -> /nw:networks/network/network-id | +--rw network-ref? -> /nw:networks/network/network-id
+--rw parent-ref +--rw parent-ref
| +--rw ac-ref? leafref | +--rw ac-ref? leafref
| +--rw node-ref? leafref | +--rw node-ref? leafref
| +--rw network-ref? -> /nw:networks/network/network-id | +--rw network-ref? -> /nw:networks/network/network-id
+--ro child-ref +--ro child-ref
| +--ro ac-ref* leafref | +--ro ac-ref* leafref
| +--ro node-ref? leafref | +--ro node-ref? leafref
| +--ro network-ref? -> /nw:networks/network/network-id | +--ro network-ref? -> /nw:networks/network/network-id
+--rw peer-sap-id* string +--rw peer-sap-id* string
+--rw group* [group-id] +--rw group* [group-id]
| +--rw group-id string | +--rw group-id string
| +--rw precedence? identityref | +--rw precedence? identityref
+--rw status +--rw status
| +--rw admin-status | +--rw admin-status
| | +--rw status? identityref | | +--rw status? identityref
| | +--ro last-change? yang:date-and-time | | +--ro last-change? yang:date-and-time
| +--ro oper-status | +--ro oper-status
| +--ro status? identityref | +--ro status? identityref
| +--ro last-change? yang:date-and-time | +--ro last-change? yang:date-and-time
+--rw description? string +--rw description? string
+--rw l2-connection {ac-common:layer2-ac}? +--rw l2-connection {ac-common:layer2-ac}?
| ... | ...
+--rw ip-connection {ac-common:layer3-ac}? +--rw ip-connection {ac-common:layer3-ac}?
| ... | ...
+--rw routing-protocols +--rw routing-protocols
| ... | ...
+--rw oam +--rw oam
| ... | ...
+--rw security +--rw security
| ... | ...
+--rw service +--rw service
... ...
augment /nw:networks/nw:network/nw:node/sap:service/sap:sap: augment /nw:networks/nw:network/nw:node/sap:service/sap:sap:
+--rw ac* [ac-ref] +--rw ac* [ac-ref]
+--rw ac-ref leafref +--rw ac-ref leafref
+--rw node-ref? leafref +--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id +--rw network-ref? -> /nw:networks/network/network-id
Figure 6: Overall Tree Structure Figure 6: Overall Tree Structure
A node can host one or more SAPs. Per [RFC9408], a SAP is an A node can host one or more SAPs. Per [RFC9408], a SAP is an
abstraction of the network reference point (the PE side of an AC, in abstraction of the network reference point (the PE side of an AC, in
the context of this document) where network services can be delivered the context of this document) where network services can be and/or
and/or are delivered to customers. Each SAP terminates one or are delivered to customers. Each SAP terminates one or multiple ACs.
multiple ACs. Each AC in turn may be terminated by one or more peer In turn, each AC may be terminated by one or more peer SAPs ('peer-
SAPs ('peer-sap'). In order to expose such AC/SAP binding sap'). In order to expose such AC/SAP binding information, the SAP
information, the SAP model [RFC9408] is augmented with required AC- model [RFC9408] is augmented with the required AC-related
related information. information.
Unlike the AC service model Unlike the AC service model [RFC9834], an AC is uniquely identified
[I-D.ietf-opsawg-teas-attachment-circuit], an AC is uniquely by a name within the scope of a node, not a network. A textual
identified by a name within the scope of a node, not a network. A description of the AC may be provided ('description').
textual description of the AC may be provided ('description').
Also, in order to ease the correlation between the AC exposed at the Also, in order to ease the correlation between the AC exposed at the
service layer and the AC that is actually provisioned in the network service layer and the AC that is actually provisioned in the network
operation, a reference to the AC exposed to the customer ('svc-ref') operation, a reference to the AC exposed to the customer ('svc-ref')
is stored in the "ietf-ac-ntw" module. is stored in the "ietf-ac-ntw" module.
ACs that are terminated by a SAP are listed in the 'ac' container ACs that are terminated by a SAP are listed in the 'ac' container
under '/nw:networks/nw:network/nw:node/sap:service/sap:sap'. A under '/nw:networks/nw:network/nw:node/sap:service/sap:sap'. A
controller may indicate a filter based on the service type (e.g., controller may indicate a filter based on the service type (e.g.,
Network Slice or L3VPN) to retrieve the list of available SAPs, and Network Slice or L3VPN) to retrieve the list of available SAPs, and
thus ACs, for that service. thus ACs, for that service.
In order to factorize common data that is provisioned for a group of In order to factorize common data that is provisioned for a group of
ACs, a set of profiles (Section 5.3) can be defined at the network ACs, a set of profiles (Section 5.3) can be defined at the network
level, and then called under the node level. The information level and then called under the node level. The information
contained in a profile is thus inherited, unless the corresponding contained in a profile is thus inherited, unless the corresponding
data node is refined at the AC level. In such a case, the value data node is refined at the AC level. In such a case, the value
provided at the AC level takes precedence over the global one. provided at the AC level takes precedence over the global one.
In contexts where the same AC is terminated by multiple peer SAPs In contexts where the same AC is terminated by multiple peer SAPs
(e.g., an AC with multiple CEs) but a subset of them have specific (e.g., an AC with multiple CEs) but a subset of them have specific
information, the module allows operators to: information, the module allows operators to:
* Define a parent AC that may list all these CEs as peer SAPs. * Define a parent AC that may list all these CEs as peer SAPs.
skipping to change at page 15, line 9 skipping to change at line 598
The status of an AC can be tracked using 'status'. Both operational The status of an AC can be tracked using 'status'. Both operational
status and administrative status are maintained. A mismatch between status and administrative status are maintained. A mismatch between
the administrative status vs. the operational status can be used as a the administrative status vs. the operational status can be used as a
trigger to detect anomalies. trigger to detect anomalies.
An AC can be characterized using Layer 2 connectivity (Section 5.4), An AC can be characterized using Layer 2 connectivity (Section 5.4),
Layer 3 connectivity (Section 5.5), routing protocols (Section 5.6), Layer 3 connectivity (Section 5.5), routing protocols (Section 5.6),
Operations, Administration, and Maintenance (OAM) (Section 5.7), Operations, Administration, and Maintenance (OAM) (Section 5.7),
security (Section 5.8), and service (Section 5.9) considerations. security (Section 5.8), and service (Section 5.9) considerations.
Features are used to tag conditional protions to accomodate various Features are used to tag conditional portions to accommodate various
deployments (support of layer 2 ACs, Layer 3 ACs, IPv4, IPv6, routing deployments (support of Layer 2 ACs, Layer 3 ACs, IPv4, IPv6, routing
protocols, BFD, etc.). protocols, Bidirectional Forwarding Detection (BFD), etc.).
5.2. References 5.2. References
The AC network module defines a set of groupings depicted in Figure 7 The AC network module defines a set of groupings depicted in Figure 7
for referencing purposes. These references are used within or for referencing purposes. These references are used within or
outside the AC network module. The use of such groupings is outside the AC network module. The use of such groupings is
consistent with the design in [RFC8345]. consistent with the design in [RFC8345].
grouping attachment-circuit-reference: grouping attachment-circuit-reference:
+-- ac-ref? leafref +-- ac-ref? leafref
skipping to change at page 18, line 31 skipping to change at line 764
to a set of policies such as classification, marking, and actions to a set of policies such as classification, marking, and actions
(e.g., [RFC3644]). See also Section 5.9. (e.g., [RFC3644]). See also Section 5.9.
'failure-detection-profile-identifier': A failure detection profile 'failure-detection-profile-identifier': A failure detection profile
refers to a set of failure detection policies such as refers to a set of failure detection policies such as
Bidirectional Forwarding Detection (BFD) policies [RFC5880] that Bidirectional Forwarding Detection (BFD) policies [RFC5880] that
can be invoked when building an AC. Such a profile can be, for can be invoked when building an AC. Such a profile can be, for
example, referenced in static routes (Section 5.6.1) or under the example, referenced in static routes (Section 5.6.1) or under the
OAM level (Section 5.7). The use of this profile is similar to OAM level (Section 5.7). The use of this profile is similar to
the detailed examples depicted in Appendices A.11.3 and A.12 of the detailed examples depicted in Appendices A.11.3 and A.12 of
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834].
'forwarding-profile-identifier': A forwarding profile refers to the 'forwarding-profile-identifier': A forwarding profile refers to the
policies that apply to the forwarding of packets conveyed over an policies that apply to the forwarding of packets conveyed over an
AC. Such policies may consist of, for example, applying Access AC. Such policies may consist of, for example, applying Access
Control Lists (ACLs) as in Section 5.9. Control Lists (ACLs) as in Section 5.9.
'routing-profile-identifier': A routing profile refers to a set of 'routing-profile-identifier': A routing profile refers to a set of
routing policies that will be invoked (e.g., BGP policies) for an routing policies that will be invoked (e.g., BGP policies) for an
AC. Refer to Section 5.6. AC. Refer to Section 5.6.
The 'ac-profile' defines parameters that can be factorized among a The 'ac-profile' defines parameters that can be factorized among a
set of ACs. Each profile is identified by 'name' that is unique in a set of ACs. Each profile is identified by a 'name' that is unique in
network. Some of the data nodes can be adjusted at the node level. a network. Some of the data nodes can be adjusted at the node level.
These adjusted values take precedence over the values in the profile. These adjusted values take precedence over the values in the profile.
5.4. L2 Connection 5.4. L2 Connection
The 'l2-connection' container is used to manage the Layer 2 The 'l2-connection' container is used to manage the Layer 2
properties of an AC (mainly, the PE side of an AC). The Layer 2 properties of an AC (mainly, the PE side of an AC). The Layer 2
connection tree structure is shown in Figure 9. connection tree structure is shown in Figure 9.
augment /nw:networks/nw:network/nw:node: augment /nw:networks/nw:network/nw:node:
+--rw ac* [name] +--rw ac* [name]
skipping to change at page 27, line 29 skipping to change at line 1194
| ... | ...
+--rw security +--rw security
| ... | ...
+--rw service +--rw service
... ...
Figure 12: Static Routing Tree Structure Figure 12: Static Routing Tree Structure
The following data nodes can be defined for a given IP prefix: The following data nodes can be defined for a given IP prefix:
'lan-tag': Indicates a local tag (e.g., "myfavorite-lan") that is 'lan-tag': Indicates a local tag (e.g., 'myfavorite-lan') that is
used to enforce local policies. used to enforce local policies.
'next-hop': Indicates the next hop to be used for the static route. 'next-hop': Indicates the next hop to be used for the static route.
It can be identified by an IP address, a predefined next-hop type It can be identified by an IP address, a predefined next-hop type
(e.g., 'discard' or 'local-link'), etc. (e.g., 'discard' or 'local-link'), etc.
'bfd': Indicates whether BFD is enabled or disabled for this static 'bfd': Indicates whether BFD is enabled or disabled for this static
route entry. A BFD profile may also be provided. route entry. A BFD profile may also be provided.
skipping to change at page 33, line 42 skipping to change at line 1493
routing loops (Section 7 of [RFC4364]). The Site of Origin routing loops (Section 7 of [RFC4364]). The Site of Origin
attribute is encoded as a Route Origin Extended Community. attribute is encoded as a Route Origin Extended Community.
'ipv6-site-of-origin': Carries an IPv6 Address Specific BGP Extended 'ipv6-site-of-origin': Carries an IPv6 Address Specific BGP Extended
Community that is used to indicate the Site of Origin [RFC5701]. Community that is used to indicate the Site of Origin [RFC5701].
It is used to prevent routing loops. It is used to prevent routing loops.
'redistribute-connected': Controls whether the AC is advertised to 'redistribute-connected': Controls whether the AC is advertised to
other PEs. other PEs.
'bgp-max-prefix': Controls the behavior when a prefix maximum is 'bgp-max-prefix': Controls the behavior when a prefix maximum is
reached. reached.
'max-prefix': Indicates the maximum number of BGP prefixes allowed 'max-prefix': Indicates the maximum number of BGP prefixes allowed
in a session for this group. If the limit is reached, the action in a session for this group. If the limit is reached, the action
indicated in 'violate-action' will be followed. indicated in 'violate-action' will be followed.
'warning-threshold': A warning notification is triggered when this 'warning-threshold': A warning notification is triggered when this
limit is reached. limit is reached.
'violate-action': Indicates which action to execute when the maximum 'violate-action': Indicates which action to execute when the maximum
number of BGP prefixes is reached. Examples of such actions number of BGP prefixes is reached. Examples of such actions
skipping to change at page 34, line 21 skipping to change at line 1521
'bgp-timers': Two timers can be captured in this container: (1) 'bgp-timers': Two timers can be captured in this container: (1)
'hold-time', which is the time interval that will be used for the 'hold-time', which is the time interval that will be used for the
Hold Timer (Section 4.2 of [RFC4271]) when establishing a BGP Hold Timer (Section 4.2 of [RFC4271]) when establishing a BGP
session and (2) 'keepalive', which is the time interval for the session and (2) 'keepalive', which is the time interval for the
KeepaliveTimer between a PE and a BGP peer (Section 4.4 of KeepaliveTimer between a PE and a BGP peer (Section 4.4 of
[RFC4271]). [RFC4271]).
Both timers are expressed in seconds. Both timers are expressed in seconds.
'bfd': Indicates whether BFD is enabled or disabled for this 'bfd': Indicates whether BFD is enabled or disabled for this
nighbor. A BFD profile to apply may also be provided. neighbor. A BFD profile to apply may also be provided.
'authentication': The module adheres to the recommendations in 'authentication': The module adheres to the recommendations in
Section 13.2 of [RFC4364], as it allows enabling the TCP Section 13.2 of [RFC4364], as it allows enabling the TCP
Authentication Option (TCP-AO) [RFC5925] and accommodates the Authentication Option (TCP-AO) [RFC5925] and accommodates the
installed base that makes use of MD5. installed base that makes use of MD5.
This version of the model assumes that parameters specific to the This version of the model assumes that parameters specific to the
TCP-AO are preconfigured as part of the key chain that is TCP-AO are preconfigured as part of the key chain that is
referenced in the model. No assumption is made about how such a referenced in the model. No assumption is made about how such a
key chain is preconfigured. However, the structure of the key key chain is preconfigured. However, the structure of the key
chain should cover data nodes beyond those in [RFC8177], mainly chain should cover data nodes beyond those in [RFC8177], mainly
SendID and RecvID (Section 3.1 of [RFC5925]). SendID and RecvID (Section 3.1 of [RFC5925]).
For each neighbor, the following data nodes are supported in addition For each neighbor, the following data nodes are supported in addition
to similar parameters that are provided for a peer group: to similar parameters that are provided for a peer group:
'remote-address': Specifies the remote IP address of a BGP neighbor. 'remote-address': Specifies the remote IP address of a BGP neighbor.
'peer-group': A name of a peer group. 'peer-group': A name of a peer group.
Parameters that are provided at the 'neighbor' level takes Parameters that are provided at the 'neighbor' level take
precedence over the ones provided in the peer group. precedence over the ones provided in the peer group.
'status': Indicates the status of the BGP session. 'status': Indicates the status of the BGP session.
5.6.3. OSPF 5.6.3. OSPF
The OSPF routing subtree structure is shown in Figure 14. The OSPF routing subtree structure is shown in Figure 14.
module: ietf-ac-ntw module: ietf-ac-ntw
augment /nw:networks/nw:network: augment /nw:networks/nw:network:
skipping to change at page 41, line 41 skipping to change at line 1877
The following RIP data nodes are supported: The following RIP data nodes are supported:
'address-family': Indicates whether IPv4, IPv6, or both address 'address-family': Indicates whether IPv4, IPv6, or both address
families are to be activated. This parameter is used to determine families are to be activated. This parameter is used to determine
whether RIPv2 [RFC2453], RIP Next Generation (RIPng) [RFC2080], or whether RIPv2 [RFC2453], RIP Next Generation (RIPng) [RFC2080], or
both are to be enabled. both are to be enabled.
'timers': Indicates the following timers (expressed in seconds): 'timers': Indicates the following timers (expressed in seconds):
* 'update-interval': The interval at which RIP updates are sent. 'update-interval': The interval at which RIP updates are sent.
* 'invalid-interval': The interval before a RIP route is 'invalid-interval': The interval before a RIP route is declared
declared invalid. invalid.
* 'holddown-interval': The interval before better RIP routes are 'holddown-interval': The interval before better RIP routes are
released. released.
* 'flush-interval': The interval before a route is removed from 'flush-interval': The interval before a route is removed from the
the routing table. routing table.
'default-metric': Sets the default RIP metric. 'default-metric': Sets the default RIP metric.
'authentication': Controls the authentication schemes to be enabled 'authentication': Controls the authentication schemes to be enabled
for the RIP instance. for the RIP instance.
'status': Indicates the status of the RIP routing instance. 'status': Indicates the status of the RIP routing instance.
5.6.6. VRRP 5.6.6. VRRP
skipping to change at page 45, line 26 skipping to change at line 2054
+--rw security +--rw security
| ... | ...
+--rw service +--rw service
... ...
Figure 18: OAM Tree Structure Figure 18: OAM Tree Structure
The following OAM data nodes can be specified for each BFD session: The following OAM data nodes can be specified for each BFD session:
'dest-addr': Specifies the BFD peer address. This data node is 'dest-addr': Specifies the BFD peer address. This data node is
mapped to 'remote-address' of BFD container in mapped to 'remote-address' of the BFD container in [RFC9834].
[I-D.ietf-opsawg-teas-attachment-circuit]. 'dest-address' is used 'dest-address' is used here to ease the mapping with the
here to ease the mapping with the underlying device model defind underlying device model defined in [RFC9127].
in [RFC9127].
'source-address': Specifies the local IP address or interface to use 'source-address': Specifies the local IP address or interface to use
for the session. This data node is mapped to 'local-address' of for the session. This data node is mapped to 'local-address' of
BFD container in [I-D.ietf-opsawg-teas-attachment-circuit]. the BFD container in [RFC9834]. 'source-address' is used here to
'source-address' is used here to ease the mapping with the ease the mapping with the underlying device model defined in
underlying device model defind in [RFC9127]. [RFC9127].
'failure-detection-profile-ref': Refers to a BFD profile in 'failure-detection-profile-ref': Refers to a BFD profile in
Section 5.3. Section 5.3.
'network-ref': Includes a network reference to uniquely identify a 'network-ref': Includes a network reference to uniquely identify a
BFD profile. BFD profile.
'session-type': Indicates which BFD flavor is used to set up the 'session-type': Indicates which BFD flavor is used to set up the
session (e.g., classic BFD [RFC5880], Seamless BFD [RFC7880]). By session (e.g., classic BFD [RFC5880], Seamless BFD [RFC7880]). By
default, it is assumed that the BFD session will follow the default, it is assumed that the BFD session will follow the
behavior specified in [RFC5880]. behavior specified in [RFC5880].
'desired-min-tx-interval': The minimum interval, in microseconds, to 'desired-min-tx-interval': The minimum interval, in microseconds, to
use when transmitting BFD Control packets, less any jitter use when transmitting BFD Control packets, less any jitter
applied. applied.
'required-min-rx-interval': The minimum interval, in microseconds, 'required-min-rx-interval': The minimum interval, in microseconds,
between received BFD Control packets less any jitter applied by between received BFD Control packets, less any jitter applied by
the sender. the sender.
'local-multiplier': The negotiated transmit interval, multiplied by 'local-multiplier': The negotiated transmit interval, multiplied by
this value, provides the detection time for the peer. this value, provides the detection time for the peer.
'holdtime': Used to indicate the expected BFD holddown time, in 'holdtime': Used to indicate the expected BFD holddown time, in
milliseconds. milliseconds.
'authentication': Includes the required information to enable the 'authentication': Includes the required information to enable the
BFD authentication modes discussed in Section 6.7 of [RFC5880]. BFD authentication modes discussed in Section 6.7 of [RFC5880].
In particular, 'meticulous' controls the activation of meticulous In particular, 'meticulous' controls the activation of meticulous
mode as discussed in Sections 6.7.3 and 6.7.4 of [RFC5880]. mode as discussed in Sections 6.7.3 and 6.7.4 of [RFC5880].
'status': Indicates the status of BFD. 'status': Indicates the status of BFD.
5.8. Security 5.8. Security
The security subtree structure is shown in Figure 19. The 'security' The security subtree structure is shown in Figure 19. The 'security'
container specifies the the encryption to be applied to traffic for a container specifies the encryption to be applied to traffic for a
given AC. The model can be used to directly control the encryption given AC. The model can be used to directly control the encryption
to be applied (e.g., Layer 2 or Layer 3 encryption) or invoke a local to be applied (e.g., Layer 2 or Layer 3 encryption) or invoke a local
encryption profile. encryption profile.
augment /nw:networks/nw:network/nw:node: augment /nw:networks/nw:network/nw:node:
+--rw ac* [name] +--rw ac* [name]
+--rw name string +--rw name string
+ ... + ...
+--rw l2-connection {ac-common:layer2-ac}? +--rw l2-connection {ac-common:layer2-ac}?
| ... | ...
+--rw ip-connection {ac-common:layer3-ac}? +--rw ip-connection {ac-common:layer3-ac}?
| ... | ...
+--rw routing-protocols +--rw routing-protocols
| ... | ...
+--rw oam +--rw oam
| ... | ...
+--rw security +--rw security
| +--rw encryption {vpn-common:encryption}? | +--rw encryption {vpn-common:encryption}?
| | +--rw enabled? boolean | | +--rw enabled? boolean
| | +--rw layer? enumeration | | +--rw layer? enumeration
| +--rw encryption-profile | +--rw encryption-profile
| +--rw (profile)? | +--rw (profile)?
| +--:(provider-profile) | +--:(provider-profile)
| | +--rw encryption-profile-ref? leafref | | +--rw encryption-profile-ref? leafref
| | +--rw network-ref? | | +--rw network-ref?
| | -> /nw:networks/network/network-id | | -> /nw:networks/network/network-id
| +--:(customer-profile) | +--:(customer-profile)
| +--rw customer-key-chain? key-chain:key-chain-ref | +--rw customer-key-chain? key-chain:key-chain-ref
+--rw service +--rw service
... ...
Figure 19: Security Tree Structure Figure 19: Security Tree Structure
5.9. Service 5.9. Service
The service subtree structure is shown in Figure 20. The service subtree structure is shown in Figure 20.
augment /nw:networks/nw:network/nw:node: augment /nw:networks/nw:network/nw:node:
+--rw ac* [name] +--rw ac* [name]
+--rw name string +--rw name string
+ ... + ...
+--rw l2-connection {ac-common:layer2-ac}? +--rw l2-connection {ac-common:layer2-ac}?
skipping to change at page 49, line 13 skipping to change at line 2209
| +--rw direction? identityref | +--rw direction? identityref
+--rw access-control-list +--rw access-control-list
+--rw acl-profiles +--rw acl-profiles
+--rw acl-profile* [forwarding-profile-ref] +--rw acl-profile* [forwarding-profile-ref]
+--rw forwarding-profile-ref leafref +--rw forwarding-profile-ref leafref
+--rw network-ref? +--rw network-ref?
-> /nw:networks/network/network-id -> /nw:networks/network/network-id
Figure 20: Service Tree Structure Figure 20: Service Tree Structure
The description of the service data nodes is as follows: The service data nodes are defined as follows:
'mtu': Specifies the Layer 2 MTU, in bytes, for the AC. 'mtu': Specifies the Layer 2 MTU, in bytes, for the AC.
'svc-pe-to-ce-bandwidth' and 'svc-ce-to-pe-bandwidth': Specify the 'svc-pe-to-ce-bandwidth' and 'svc-ce-to-pe-bandwidth': Specify the
service bandwidth for the AC. service bandwidth for the AC.
'svc-pe-to-ce-bandwidth' indicates the inbound bandwidth of the 'svc-pe-to-ce-bandwidth': Indicates the inbound bandwidth of the
connection (i.e., download bandwidth from the service provider to connection (i.e., download bandwidth from the service provider
the site). to the site).
'svc-ce-to-pe-bandwidth' indicates the outbound bandwidth of the 'svc-ce-to-pe-bandwidth': Indicates the outbound bandwidth of the
connection (i.e., upload bandwidth from the site to the service connection (i.e., upload bandwidth from the site to the service
provider). provider).
'svc-pe-to-ce-bandwidth' and 'svc-ce-to-pe-bandwidth' can be 'svc-pe-to-ce-bandwidth' and 'svc-ce-to-pe-bandwidth' can be
represented using the Committed Information Rate (CIR), the represented using the Committed Information Rate (CIR), the
Committed Burst Size (CBS), the Excess Information Rate (EIR), the Committed Burst Size (CBS), the Excess Information Rate (EIR), the
Excess Burst Size (EBS), the Peak Information Rate (PIR), and the Excess Burst Size (EBS), the Peak Information Rate (PIR), and the
Peak Burst Size (PBS). CIR, EIR, and PIR are expressed in bps, Peak Burst Size (PBS). CIR, EIR, and PIR are expressed in bps,
while CBS, EBS, and PBS are expressed in bytes. while CBS, EBS, and PBS are expressed in bytes.
The following types, defined in [RFC9181], can be used to indicate The following types, defined in [RFC9181], can be used to indicate
the bandwidth type: the bandwidth type:
'bw-per-cos': The bandwidth is per CoS. 'bw-per-cos': The bandwidth is per Class of Service (CoS).
'bw-per-port': The bandwidth is per port. 'bw-per-port': The bandwidth is per port.
'bw-per-site': The bandwidth is to all peer SAPs that belong to 'bw-per-site': The bandwidth is to all peer SAPs that belong to
the same site. the same site.
'bw-per-service': The bandwidth is per service instance that is 'bw-per-service': The bandwidth is per service instance that is
bound to an AC. bound to an AC.
'qos': Specifies a list of QoS profiles to apply for this AC. 'qos': Specifies a list of QoS profiles to apply for this AC.
'access-control-list': Specifies a list of ACL profiles to apply for 'access-control-list': Specifies a list of ACL profiles to apply for
this AC. this AC.
6. YANG Module 6. YANG Module
This module uses types defined in [RFC6991], [RFC8177], [RFC8294], This module uses types defined in [RFC6991], [RFC8177], [RFC8294],
[RFC8343], [RFC9067], [RFC9181], [I-D.ietf-opsawg-teas-common-ac], [RFC8343], [RFC9067], [RFC9181], [RFC9833], and [IEEE802.1Qcp].
and [IEEE802.1Qcp].
<CODE BEGINS> file "ietf-ac-ntw@2025-01-07.yang" <CODE BEGINS> file "ietf-ac-ntw@2025-08-11.yang"
module ietf-ac-ntw { module ietf-ac-ntw {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ac-ntw"; namespace "urn:ietf:params:xml:ns:yang:ietf-ac-ntw";
prefix ac-ntw; prefix ac-ntw;
import ietf-vpn-common { import ietf-vpn-common {
prefix vpn-common; prefix vpn-common;
reference reference
"RFC 9181: A Common YANG Data Model for Layer 2 and Layer 3 "RFC 9181: A Common YANG Data Model for Layer 2 and Layer 3
VPNs"; VPNs";
skipping to change at page 51, line 4 skipping to change at line 2296
import ietf-interfaces { import ietf-interfaces {
prefix if; prefix if;
reference reference
"RFC 8343: A YANG Data Model for Interface Management"; "RFC 8343: A YANG Data Model for Interface Management";
} }
import ieee802-dot1q-types { import ieee802-dot1q-types {
prefix dot1q-types; prefix dot1q-types;
reference reference
"IEEE Std 802.1Qcp: Bridges and Bridged Networks-- "IEEE Std 802.1Qcp: Bridges and Bridged Networks--
Amendment 30: YANG Data Model"; Amendment 30: YANG Data Model";
} }
import ietf-network { import ietf-network {
prefix nw; prefix nw;
reference reference
"RFC 8345: A YANG Data Model for Network Topologies, "RFC 8345: A YANG Data Model for Network Topologies,
Section 6.1"; Section 6.1";
} }
import ietf-sap-ntw { import ietf-sap-ntw {
prefix sap; prefix sap;
reference reference
"RFC 9408: A YANG Network Model for Service Attachment "RFC 9408: A YANG Network Data Model for Service Attachment
Points (SAPs)"; Points (SAPs)";
} }
import ietf-ac-common { import ietf-ac-common {
prefix ac-common; prefix ac-common;
reference reference
"RFC CCCC: A Common YANG Data Model for Attachment Circuits"; "RFC 9833: A Common YANG Data Model for Attachment Circuits";
} }
import ietf-ac-svc { import ietf-ac-svc {
prefix ac-svc; prefix ac-svc;
reference reference
"RFC SSSS: YANG Data Models for Bearers and 'Attachment "RFC 9834: YANG Data Models for Bearers and 'Attachment
Circuits'-as-a-Service (ACaaS)"; Circuits'-as-a-Service (ACaaS)";
} }
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
skipping to change at page 52, line 12 skipping to change at line 2351
Copyright (c) 2025 IETF Trust and the persons identified as Copyright (c) 2025 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the This version of this YANG module is part of RFC 9835; see the
RFC itself for full legal notices."; RFC itself for full legal notices.";
revision 2025-01-07 { revision 2025-08-11 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Network Data Model for Attachment Circuits"; "RFC 9835: A YANG Network Data Model for Attachment Circuits";
} }
// References // References
/* A set of groupings to ease referencing cross-modules */ /* A set of groupings to ease referencing cross-modules */
grouping attachment-circuit-reference { grouping attachment-circuit-reference {
description description
"This grouping can be used to reference an attachment circuit "This grouping can be used to reference an attachment circuit
in a specific node."; in a specific node.";
leaf ac-ref { leaf ac-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]/nw:node[nw:node-id=current()/../" + "network-ref]/nw:node[nw:node-id=current()/../"
+ "node-ref]/ac-ntw:ac/ac-ntw:name"; + "node-ref]/ac-ntw:ac/ac-ntw:name";
require-instance false; require-instance false;
} }
description description
"An absolute reference to an attachment circuit."; "An absolute reference to an attachment circuit.";
} }
uses nw:node-ref; uses nw:node-ref;
} }
grouping attachment-circuit-references { grouping attachment-circuit-references {
description description
"This grouping can be used to reference a list of attachment "This grouping can be used to reference a list of attachment
circuits in a specific node."; circuits in a specific node.";
leaf-list ac-ref { leaf-list ac-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]/nw:node[nw:node-id=current()/../" + "network-ref]/nw:node[nw:node-id=current()/../"
+ "node-ref]/ac-ntw:ac/ac-ntw:name"; + "node-ref]/ac-ntw:ac/ac-ntw:name";
require-instance false; require-instance false;
} }
description description
"An absolute reference to an attachment circuit."; "An absolute reference to an attachment circuit.";
} }
uses nw:node-ref; uses nw:node-ref;
} }
grouping ac-profile-reference { grouping ac-profile-reference {
description description
"This grouping can be used to reference an attachment circuit "This grouping can be used to reference an attachment circuit
profile."; profile.";
leaf ac-profile-ref { leaf ac-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]/ac-ntw:ac-profile/ac-ntw:name"; + "network-ref]/ac-ntw:ac-profile/ac-ntw:name";
require-instance false; require-instance false;
} }
description description
"An absolute reference to an attachment circuit."; "An absolute reference to an attachment circuit.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
grouping encryption-profile-reference { grouping encryption-profile-reference {
description description
"This grouping can be used to reference encryption "This grouping can be used to reference an encryption
profile."; profile.";
leaf encryption-profile-ref { leaf encryption-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]" + "network-ref]"
+ "/ac-ntw:specific-provisioning-profiles" + "/ac-ntw:specific-provisioning-profiles"
+ "/ac-ntw:valid-provider-identifiers" + "/ac-ntw:valid-provider-identifiers"
+ "/ac-ntw:encryption-profile-identifier/ac-ntw:id"; + "/ac-ntw:encryption-profile-identifier/ac-ntw:id";
require-instance false; require-instance false;
} }
description description
"An absolute reference to an encryption profile."; "An absolute reference to an encryption profile.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
grouping qos-profile-reference { grouping qos-profile-reference {
description description
"This grouping can be used to reference a QoS profile."; "This grouping can be used to reference a QoS profile.";
leaf qos-profile-ref { leaf qos-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]" + "network-ref]"
+ "/ac-ntw:specific-provisioning-profiles" + "/ac-ntw:specific-provisioning-profiles"
+ "/ac-ntw:valid-provider-identifiers" + "/ac-ntw:valid-provider-identifiers"
+ "/ac-ntw:qos-profile-identifier/ac-ntw:id"; + "/ac-ntw:qos-profile-identifier/ac-ntw:id";
require-instance false; require-instance false;
} }
description description
"An absolute reference to a QoS profile."; "An absolute reference to a QoS profile.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
grouping failure-detection-profile-reference { grouping failure-detection-profile-reference {
description description
"This grouping can be used to reference a failure detection "This grouping can be used to reference a failure detection
profile."; profile.";
leaf failure-detection-profile-ref { leaf failure-detection-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]" + "network-ref]"
+ "/ac-ntw:specific-provisioning-profiles" + "/ac-ntw:specific-provisioning-profiles"
+ "/ac-ntw:valid-provider-identifiers" + "/ac-ntw:valid-provider-identifiers"
+ "/ac-ntw:failure-detection-profile-identifier/ac-ntw:id"; + "/ac-ntw:failure-detection-profile-identifier/ac-ntw:id";
require-instance false; require-instance false;
} }
description description
"An absolute reference to a failure detection profile."; "An absolute reference to a failure detection profile.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
grouping forwarding-profile-reference { grouping forwarding-profile-reference {
description description
"This grouping can be used to reference a forwarding profile."; "This grouping can be used to reference a forwarding profile.";
leaf forwarding-profile-ref { leaf forwarding-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]" + "network-ref]"
+ "/ac-ntw:specific-provisioning-profiles" + "/ac-ntw:specific-provisioning-profiles"
+ "/ac-ntw:valid-provider-identifiers" + "/ac-ntw:valid-provider-identifiers"
+ "/ac-ntw:forwarding-profile-identifier/ac-ntw:id"; + "/ac-ntw:forwarding-profile-identifier/ac-ntw:id";
require-instance false; require-instance false;
} }
description description
"An absolute reference to a forwarding profile."; "An absolute reference to a forwarding profile.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
grouping routing-profile-reference { grouping routing-profile-reference {
description description
"This grouping can be used to reference a routing profile."; "This grouping can be used to reference a routing profile.";
leaf routing-profile-ref { leaf routing-profile-ref {
type leafref { type leafref {
path "/nw:networks/nw:network[nw:network-id=current()/../" path "/nw:networks/nw:network[nw:network-id=current()/../"
+ "network-ref]" + "network-ref]"
+ "/ac-ntw:specific-provisioning-profiles" + "/ac-ntw:specific-provisioning-profiles"
+ "/ac-ntw:valid-provider-identifiers" + "/ac-ntw:valid-provider-identifiers"
+ "/ac-ntw:routing-profile-identifier/ac-ntw:id"; + "/ac-ntw:routing-profile-identifier/ac-ntw:id";
require-instance false; require-instance false;
} }
description description
"An absolute reference to a routing profile."; "An absolute reference to a routing profile.";
} }
uses nw:network-ref; uses nw:network-ref;
} }
// Layer 2 connection // Layer 2 connection
skipping to change at page 55, line 50 skipping to change at line 2535
+ "'vpn-common:dot1q')" { + "'vpn-common:dot1q')" {
description description
"Only applies when the type of the tagged interface is "Only applies when the type of the tagged interface is
'dot1q'."; 'dot1q'.";
} }
description description
"Tagged interface."; "Tagged interface.";
uses ac-common:dot1q; uses ac-common:dot1q;
container tag-operations { container tag-operations {
description description
"Sets the tag manipulation policy for this AC. It defines "Sets the tag manipulation policy for this AC. It
a set of tag manipulations that allow for the insertion, defines a set of tag manipulations that allow for the
removal, or rewriting of 802.1Q VLAN tags. These insertion, removal, or rewriting of 802.1Q VLAN tags.
operations are indicated for the CE-PE direction. These operations are indicated for the CE-PE direction.
By default, tag operations are symmetric. As such, the By default, tag operations are symmetric. As such, the
reverse tag operation is assumed on the PE-CE reverse tag operation is assumed on the PE-CE
direction."; direction.";
choice op-choice { choice op-choice {
description description
"Selects the tag rewriting policy for an AC."; "Selects the tag rewriting policy for an AC.";
leaf pop { leaf pop {
type empty; type empty;
description description
"Pop the outer tag."; "Pop the outer tag.";
} }
skipping to change at page 56, line 28 skipping to change at line 2561
type empty; type empty;
description description
"Pushes one or two tags defined by the tag-1 and "Pushes one or two tags defined by the tag-1 and
tag-2 leaves. It is assumed that, absent any tag-2 leaves. It is assumed that, absent any
policy, the default value of 0 will be used for policy, the default value of 0 will be used for
the Priority Code Point (PCP) setting."; the Priority Code Point (PCP) setting.";
} }
leaf translate { leaf translate {
type empty; type empty;
description description
"Translates the outer tag to one or two tags. PCP "Translates the outer tag to one or two tags. PCP
bits are preserved."; bits are preserved.";
} }
} }
leaf tag-1 { leaf tag-1 {
when 'not(../pop)'; when 'not(../pop)';
type dot1q-types:vlanid; type dot1q-types:vlanid;
description description
"A first tag to be used for push or translate "A first tag to be used for push or translate
operations. This tag will be used as the outermost tag operations. This tag will be used as the outermost
as a result of the tag operation."; tag as a result of the tag operation.";
} }
leaf tag-1-type { leaf tag-1-type {
type dot1q-types:dot1q-tag-type; type dot1q-types:dot1q-tag-type;
default "dot1q-types:s-vlan"; default "dot1q-types:s-vlan";
description description
"Specifies a specific 802.1Q tag type of tag-1."; "Specifies a specific 802.1Q tag type of tag-1.";
} }
leaf tag-2 { leaf tag-2 {
when '(../translate)'; when '(../translate)';
type dot1q-types:vlanid; type dot1q-types:vlanid;
skipping to change at page 57, line 35 skipping to change at line 2616
+ "'vpn-common:qinq')" { + "'vpn-common:qinq')" {
description description
"Only applies when the type of the tagged interface is "Only applies when the type of the tagged interface is
'QinQ'."; 'QinQ'.";
} }
description description
"Includes QinQ parameters."; "Includes QinQ parameters.";
uses ac-common:qinq; uses ac-common:qinq;
container tag-operations { container tag-operations {
description description
"Sets the tag manipulation policy for this AC. It defines "Sets the tag manipulation policy for this AC. It
a set of tag manipulations that allow for the insertion, defines a set of tag manipulations that allow for the
removal, or rewriting of 802.1Q VLAN tags. These insertion, removal, or rewriting of 802.1Q VLAN tags.
operations are indicated for the CE-PE direction. These operations are indicated for the CE-PE direction.
By default, tag operations are symmetric. As such, the By default, tag operations are symmetric. As such, the
reverse tag operation is assumed on the PE-CE reverse tag operation is assumed on the PE-CE
direction."; direction.";
choice op-choice { choice op-choice {
description description
"Selects the tag rewriting policy for a AC."; "Selects the tag rewriting policy for an AC.";
leaf pop { leaf pop {
type uint8 { type uint8 {
range "1|2"; range "1|2";
} }
description description
"Pops one or two tags as a function of the indicated "Pops one or two tags as a function of the indicated
pop value."; pop value.";
} }
leaf push { leaf push {
type empty; type empty;
description description
"Pushes one or two tags defined by the tag-1 and "Pushes one or two tags defined by the tag-1 and
tag-2 leaves. It is assumed that, absent any tag-2 leaves. It is assumed that, absent any
policy, the default value of 0 will be used for policy, the default value of 0 will be used for
PCP setting."; PCP setting.";
} }
leaf translate { leaf translate {
type uint8 { type uint8 {
range "1|2"; range "1|2";
} }
description description
"Translates one or two outer tags. PCP bits are "Translates one or two outer tags. PCP bits are
preserved. The following operations are supported: preserved. The following operations are supported:
- translate 1 with tag-1 leaf is provided: only the - translate 1 with tag-1 leaf is provided: only the
outermost tag is translated to the value in tag-1. outermost tag is translated to the value in tag-1.
- translate 2 with both tag-1 and tag-2 leaves are - translate 2 with both tag-1 and tag-2 leaves are
provided: both outer and inner tags are translated provided: both outer and inner tags are translated
to the values in tag-1 and tag-2, respectively. to the values in tag-1 and tag-2, respectively.
- translate 2 with tag-1 leaf is provided: the - translate 2 with tag-1 leaf is provided: the
outer tag is popped while the inner tag is outer tag is popped while the inner tag is
translated to the value in tag-1."; translated to the value in tag-1.";
} }
} }
leaf tag-1 { leaf tag-1 {
when 'not(../pop)'; when 'not(../pop)';
type dot1q-types:vlanid; type dot1q-types:vlanid;
description description
"A first tag to be used for push or translate "A first tag to be used for push or translate
operations. This tag will be used as the outermost tag operations. This tag will be used as the outermost
as a result of the tag operation."; tag as a result of the tag operation.";
} }
leaf tag-1-type { leaf tag-1-type {
type dot1q-types:dot1q-tag-type; type dot1q-types:dot1q-tag-type;
default "dot1q-types:s-vlan"; default "dot1q-types:s-vlan";
description description
"Specifies a specific 802.1Q tag type of tag-1."; "Specifies a specific 802.1Q tag type of tag-1.";
} }
leaf tag-2 { leaf tag-2 {
when 'not(../pop)'; when 'not(../pop)';
type dot1q-types:vlanid; type dot1q-types:vlanid;
skipping to change at page 62, line 24 skipping to change at line 2845
IP addresses are allocated by DHCP, which is provided IP addresses are allocated by DHCP, which is provided
by the operator."; by the operator.";
leaf dhcp-service-type { leaf dhcp-service-type {
type enumeration { type enumeration {
enum server { enum server {
description description
"Local DHCP server."; "Local DHCP server.";
} }
enum relay { enum relay {
description description
"Local DHCP relay. DHCP requests are relayed to a "Local DHCP relay. DHCP requests are relayed to a
provider's server."; provider's server.";
} }
} }
description description
"Indicates the type of DHCP service to be enabled on "Indicates the type of DHCP service to be enabled on
this access."; this access.";
} }
choice service-type { choice service-type {
description description
"Choice based on the DHCP service type."; "Choice based on the DHCP service type.";
skipping to change at page 63, line 21 skipping to change at line 2890
} }
} }
} }
case static-addresses { case static-addresses {
description description
"Lists the static IPv4 addresses that are used."; "Lists the static IPv4 addresses that are used.";
list address { list address {
key "address-id"; key "address-id";
ordered-by user; ordered-by user;
description description
"Lists the IPv4 addresses that are used. The first "Lists the IPv4 addresses that are used. The first
address of the list is the primary address of the address of the list is the primary address of the
connection."; connection.";
leaf address-id { leaf address-id {
type string; type string;
description description
"An identifier of the static IPv4 address."; "An identifier of the static IPv4 address.";
} }
leaf customer-address { leaf customer-address {
type inet:ipv4-address; type inet:ipv4-address;
description description
skipping to change at page 65, line 4 skipping to change at line 2969
leaf start-address { leaf start-address {
type inet:ipv6-address; type inet:ipv6-address;
mandatory true; mandatory true;
description description
"Indicates the first address in the pool."; "Indicates the first address in the pool.";
} }
leaf end-address { leaf end-address {
type inet:ipv6-address; type inet:ipv6-address;
description description
"Indicates the last address in the pool."; "Indicates the last address in the pool.";
} }
} }
} }
} }
} }
choice provider-dhcp { choice provider-dhcp {
description description
"Parameters related to DHCP-allocated addresses. "Parameters related to DHCP-allocated addresses.
IP addresses are allocated by DHCP, which is provided IP addresses are allocated by DHCP, which is provided
by the operator."; by the operator.";
leaf dhcp-service-type { leaf dhcp-service-type {
type enumeration { type enumeration {
enum server { enum server {
description description
"Local DHCP server."; "Local DHCP server.";
} }
enum relay { enum relay {
description description
"Local DHCP relay. DHCP requests are relayed to "Local DHCP relay. DHCP requests are relayed to
a provider's server."; a provider's server.";
} }
} }
description description
"Indicates the type of DHCP service to be enabled on "Indicates the type of DHCP service to be enabled on
this access."; this access.";
} }
choice service-type { choice service-type {
description description
"Choice based on the DHCP service type."; "Choice based on the DHCP service type.";
skipping to change at page 66, line 4 skipping to change at line 3017
} }
} }
} }
} }
choice dhcp-relay { choice dhcp-relay {
description description
"The DHCP relay is provided by the operator."; "The DHCP relay is provided by the operator.";
container customer-dhcp-servers { container customer-dhcp-servers {
description description
"Container for a list of the customer's DHCP servers."; "Container for a list of the customer's DHCP servers.";
leaf-list server-ip-address { leaf-list server-ip-address {
type inet:ipv6-address; type inet:ipv6-address;
description description
"IPv6 addresses of the customer's DHCP servers."; "IPv6 addresses of the customer's DHCP servers.";
} }
} }
} }
} }
case static-addresses { case static-addresses {
description description
"Lists the static IPv6 addresses that are used."; "Lists the static IPv6 addresses that are used.";
list address { list address {
key "address-id"; key "address-id";
ordered-by user; ordered-by user;
description description
"Lists the IPv6 addresses that are used. The first "Lists the IPv6 addresses that are used. The first
address of the list is the primary address of address of the list is the primary address of
the connection."; the connection.";
leaf address-id { leaf address-id {
type string; type string;
description description
"An identifier of the static IPv6 address."; "An identifier of the static IPv6 address.";
} }
leaf customer-address { leaf customer-address {
type inet:ipv6-address; type inet:ipv6-address;
description description
skipping to change at page 67, line 4 skipping to change at line 3065
type string; type string;
description description
"Specifies a reference to a local Layer 3 termination point, "Specifies a reference to a local Layer 3 termination point,
such as a bridge domain interface."; such as a bridge domain interface.";
} }
container ipv4 { container ipv4 {
if-feature "vpn-common:ipv4"; if-feature "vpn-common:ipv4";
description description
"IPv4-specific connection parameters."; "IPv4-specific connection parameters.";
uses ipv4-connection; uses ipv4-connection;
} }
container ipv6 { container ipv6 {
if-feature "vpn-common:ipv6"; if-feature "vpn-common:ipv6";
description description
"IPv6-specific connection parameters."; "IPv6-specific connection parameters.";
uses ipv6-connection; uses ipv6-connection;
} }
} }
/* Routing */ /* Routing */
//BGP base parameters //BGP base parameters
grouping bgp-base { grouping bgp-base {
description description
"Configuration specific to BGP."; "Configuration specific to BGP.";
leaf description { leaf description {
type string; type string;
description description
"Includes a description of the BGP session. This description "Includes a description of the BGP session. This description
is meant to be used for diagnostic purposes. The semantic is meant to be used for diagnostic purposes. The semantics
of the description is local to an implementation."; of the description are local to an implementation.";
} }
uses rt-pol:apply-policy-group; uses rt-pol:apply-policy-group;
leaf local-as { leaf local-as {
type inet:as-number; type inet:as-number;
description description
"Indicates a local AS Number (ASN), if an ASN distinct from "Indicates a local AS Number (ASN), if an ASN distinct from
the ASN configured at the AC level is needed."; the ASN configured at the AC level is needed.";
} }
leaf peer-as { leaf peer-as {
type inet:as-number; type inet:as-number;
skipping to change at page 68, line 35 skipping to change at line 3143
"If set, specifies the maximum number of occurrences of the "If set, specifies the maximum number of occurrences of the
provider's ASN that are permitted within the AS_PATH provider's ASN that are permitted within the AS_PATH
before it is rejected."; before it is rejected.";
} }
leaf prepend-global-as { leaf prepend-global-as {
type boolean; type boolean;
description description
"In some situations, the ASN that is provided at the node "In some situations, the ASN that is provided at the node
level may be distinct from the ASN configured at the AC. level may be distinct from the ASN configured at the AC.
When such ASNs are provided, they are both prepended to the When such ASNs are provided, they are both prepended to the
BGP route updates for this AC. To disable that behavior, BGP route updates for this AC. To disable that behavior,
'prepend-global-as' must be set to 'false'. In such a 'prepend-global-as' must be set to 'false'. In such a
case, the ASN that is provided at the node level is not case, the ASN that is provided at the node level is not
prepended to the BGP route updates for this access."; prepended to the BGP route updates for this access.";
} }
leaf send-default-route { leaf send-default-route {
type boolean; type boolean;
description description
"Defines whether default routes can be advertised to a peer. "Defines whether default routes can be advertised to a peer.
If set to 'true', the default routes are advertised to If set to 'true', the default routes are advertised to
a peer."; a peer.";
} }
leaf site-of-origin { leaf site-of-origin {
when "derived-from-or-self(../address-family, " when "derived-from-or-self(../address-family, "
+ "'vpn-common:ipv4' or 'vpn-common:dual-stack')" { + "'vpn-common:ipv4' or 'vpn-common:dual-stack')" {
description description
"Only applies if IPv4 is activated."; "Only applies if IPv4 is activated.";
} }
type rt-types:route-origin; type rt-types:route-origin;
description description
"The Site of Origin attribute is encoded as a Route Origin "The Site of Origin attribute is encoded as a Route Origin
Extended Community. It is meant to uniquely identify the Extended Community. It is meant to uniquely identify the
set of routes learned from a site via a particular AC and set of routes learned from a site via a particular AC and
is used to prevent routing loops."; is used to prevent routing loops.";
reference reference
"RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs), "RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs),
Section 7"; Section 7";
} }
leaf ipv6-site-of-origin { leaf ipv6-site-of-origin {
when "derived-from-or-self(../address-family, " when "derived-from-or-self(../address-family, "
+ "'vpn-common:ipv6' or 'vpn-common:dual-stack')" { + "'vpn-common:ipv6' or 'vpn-common:dual-stack')" {
description description
skipping to change at page 69, line 45 skipping to change at line 3202
type identityref { type identityref {
base vpn-common:address-family; base vpn-common:address-family;
} }
description description
"Indicates the address family."; "Indicates the address family.";
} }
leaf enabled { leaf enabled {
type boolean; type boolean;
description description
"Enables, when set to 'true', the redistribution of "Enables, when set to 'true', the redistribution of
Connected routes."; connected routes.";
} }
} }
container bgp-max-prefix { container bgp-max-prefix {
description description
"Controls the behavior when a prefix maximum is reached."; "Controls the behavior when a prefix maximum is reached.";
leaf max-prefix { leaf max-prefix {
type uint32; type uint32;
description description
"Indicates the maximum number of BGP prefixes allowed in "Indicates the maximum number of BGP prefixes allowed in
the BGP session. the BGP session.
skipping to change at page 72, line 4 skipping to change at line 3305
reference reference
"RFC 4271: A Border Gateway Protocol 4 (BGP-4), "RFC 4271: A Border Gateway Protocol 4 (BGP-4),
Section 4.2"; Section 4.2";
} }
} }
} }
grouping bgp-base-peer-group { grouping bgp-base-peer-group {
description description
"Grouping for a basic BGP peer group."; "Grouping for a basic BGP peer group.";
leaf name { leaf name {
type string; type string;
description description
"Name of the BGP peer group."; "Name of the BGP peer group.";
} }
uses bgp-base; uses bgp-base;
} }
grouping bgp-base-peer-group-list { grouping bgp-base-peer-group-list {
description description
"Grouping for a list of basic BGP peer groups."; "Grouping for a list of basic BGP peer groups.";
list peer-group { list peer-group {
key "name"; key "name";
description description
"List of BGP peer groups uniquely identified by a name."; "List of BGP peer groups uniquely identified by a name.";
uses bgp-base-peer-group; uses bgp-base-peer-group;
} }
} }
grouping bgp-peer-group { grouping bgp-peer-group {
description description
"Grouping for BGP peer group."; "Grouping for BGP peer group.";
leaf name { leaf name {
type string; type string;
description description
"Name of the BGP peer group"; "Name of the BGP peer group";
} }
leaf local-address { leaf local-address {
type union { type union {
type inet:ip-address; type inet:ip-address;
type if:interface-ref; type if:interface-ref;
} }
description description
"Sets the local IP address to use for the BGP transport "Sets the local IP address to use for the BGP transport
session. This may be expressed as either an IP address session. This may be expressed as either an IP
or a reference to an interface."; address or a reference to an interface.";
} }
uses bgp-base; uses bgp-base;
uses ac-common:bgp-authentication; uses ac-common:bgp-authentication;
} }
grouping bgp-peer-group-list { grouping bgp-peer-group-list {
description description
"Grouping for a list of BGP peer groups."; "Grouping for a list of BGP peer groups.";
list peer-group { list peer-group {
key "name"; key "name";
description description
"List of BGP peer groups uniquely identified by a name."; "List of BGP peer groups uniquely identified by a name.";
uses bgp-peer-group;
uses bgp-peer-group;
} }
} }
// RIP base parameters // RIP base parameters
grouping rip-base { grouping rip-base {
description description
"Configuration specific to RIP routing."; "Configuration specific to RIP routing.";
leaf address-family { leaf address-family {
type identityref { type identityref {
skipping to change at page 73, line 44 skipping to change at line 3392
"Indicates the RIP update time, i.e., the amount of time "Indicates the RIP update time, i.e., the amount of time
for which RIP updates are sent."; for which RIP updates are sent.";
} }
leaf invalid-interval { leaf invalid-interval {
type uint16 { type uint16 {
range "1..32767"; range "1..32767";
} }
units "seconds"; units "seconds";
description description
"The interval before a route is declared invalid after no "The interval before a route is declared invalid after no
updates are received. This value is at least three times updates are received. This value is at least three times
the value for the 'update-interval' argument."; the value for the 'update-interval' argument.";
} }
leaf holddown-interval { leaf holddown-interval {
type uint16 { type uint16 {
range "1..32767"; range "1..32767";
} }
units "seconds"; units "seconds";
description description
"Specifies the interval before better routes released."; "Specifies the interval before better routes are
released.";
} }
leaf flush-interval { leaf flush-interval {
type uint16 { type uint16 {
range "1..32767"; range "1..32767";
} }
units "seconds"; units "seconds";
description description
"Indicates the RIP flush timer, i.e., the amount of time "Indicates the RIP flush timer, i.e., the amount of time
that must elapse before a route is removed from the that must elapse before a route is removed from the
routing table."; routing table.";
skipping to change at page 75, line 36 skipping to change at line 3481
type uint32 { type uint32 {
range "1..4294967294"; range "1..4294967294";
} }
description description
"Maximum number of allowed Link State Advertisements "Maximum number of allowed Link State Advertisements
(LSAs) that the OSPF instance will accept."; (LSAs) that the OSPF instance will accept.";
} }
leaf passive { leaf passive {
type boolean; type boolean;
description description
"Enables when set to 'true' a passive interface. It is "When set to 'true', enables a passive interface. It is
active when set to 'false'. A passive interface's prefix active when set to 'false'. A passive interface's
will be advertised, but no neighbor adjacencies will be prefix will be advertised, but no neighbor adjacencies
formed on the interface."; will be formed on the interface.";
} }
} }
container isis { container isis {
when "derived-from-or-self(../type, " when "derived-from-or-self(../type, "
+ "'vpn-common:isis-routing')" { + "'vpn-common:isis-routing')" {
description description
"Only applies when the protocol is IS-IS."; "Only applies when the protocol is IS-IS.";
} }
if-feature "vpn-common:rtg-isis"; if-feature "vpn-common:rtg-isis";
description description
skipping to change at page 76, line 18 skipping to change at line 3512
"Can be 'level-1', 'level-2', or 'level-1-2'."; "Can be 'level-1', 'level-2', or 'level-1-2'.";
reference reference
"RFC 9181: A Common YANG Data Model for Layer 2 "RFC 9181: A Common YANG Data Model for Layer 2
and Layer 3 VPNs"; and Layer 3 VPNs";
} }
leaf metric { leaf metric {
type uint32 { type uint32 {
range "0 .. 16777215"; range "0 .. 16777215";
} }
description description
"Metric of the AC. It is used in the routing state "Metric of the AC. It is used in the routing state
calculation and path selection."; calculation and path selection.";
} }
leaf passive { leaf passive {
type boolean; type boolean;
description description
"When set to 'false', the interface is active. In such "When set to 'false', the interface is active. In such
mode, the interface sends or receives IS-IS protocol mode, the interface sends or receives IS-IS protocol
control packets. control packets.
When set to 'true', the interface is passive. That is, When set to 'true', the interface is passive. That
it suppresses the sending of IS-IS updates through the is, it suppresses the sending of IS-IS updates through
specified interface."; the specified interface.";
} }
} }
container rip { container rip {
when "derived-from-or-self(../type, " when "derived-from-or-self(../type, "
+ "'vpn-common:rip-routing')" { + "'vpn-common:rip-routing')" {
description description
"Only applies when the protocol is RIP."; "Only applies when the protocol is RIP.";
} }
if-feature "vpn-common:rtg-rip"; if-feature "vpn-common:rtg-rip";
description description
skipping to change at page 77, line 21 skipping to change at line 3563
base vpn-common:address-family; base vpn-common:address-family;
} }
description description
"Indicates whether IPv4, IPv6, or both address families "Indicates whether IPv4, IPv6, or both address families
are to be enabled."; are to be enabled.";
} }
leaf ping-reply { leaf ping-reply {
type boolean; type boolean;
description description
"Controls whether the VRRP speaker should reply to ping "Controls whether the VRRP speaker should reply to ping
requests. Such behavior is enabled, if set to 'true'."; requests. Such behavior is enabled, if set to 'true'.";
} }
} }
} }
} }
grouping routing { grouping routing {
description description
"Defines routing protocols."; "Defines routing protocols.";
list routing-protocol { list routing-protocol {
key "id"; key "id";
skipping to change at page 79, line 37 skipping to change at line 3674
description description
"The remote IP address of this entry's BGP peer."; "The remote IP address of this entry's BGP peer.";
} }
leaf local-address { leaf local-address {
type union { type union {
type inet:ip-address; type inet:ip-address;
type if:interface-ref; type if:interface-ref;
} }
description description
"Sets the local IP address to use for the BGP transport "Sets the local IP address to use for the BGP transport
session. This may be expressed as either an IP address session. This may be expressed as either an IP
or a reference to an interface."; address or a reference to an interface.";
} }
leaf peer-group { leaf peer-group {
type leafref { type leafref {
path "../../peer-groups/peer-group/name"; path "../../peer-groups/peer-group/name";
} }
description description
"The peer group with which this neighbor is "The peer group with which this neighbor is
associated."; associated.";
} }
uses bgp-base; uses bgp-base;
skipping to change at page 80, line 33 skipping to change at line 3718
(VPNs), Section 4.2.7 (VPNs), Section 4.2.7
RFC 6565: OSPFv3 as a Provider Edge to Customer Edge RFC 6565: OSPFv3 as a Provider Edge to Customer Edge
(PE-CE) Routing Protocol, Section 5"; (PE-CE) Routing Protocol, Section 5";
list sham-link { list sham-link {
key "target-site"; key "target-site";
description description
"Creates a sham link with another site."; "Creates a sham link with another site.";
leaf target-site { leaf target-site {
type string; type string;
description description
"Target site for the sham link connection. The site "Target site for the sham link connection. The site
is referred to by its identifier."; is referred to by its identifier.";
} }
leaf metric { leaf metric {
type uint16; type uint16;
description description
"Metric of the sham link. It is used in the routing "Metric of the sham link. It is used in the routing
state calculation and path selection."; state calculation and path selection.";
reference reference
"RFC 4577: OSPF as the Provider/Customer Edge "RFC 4577: OSPF as the Provider/Customer Edge
Protocol for BGP/MPLS IP Virtual Private Protocol for BGP/MPLS IP Virtual Private
Networks (VPNs), Section 4.2.7.3 Networks (VPNs), Section 4.2.7.3
RFC 6565: OSPFv3 as a Provider Edge to Customer Edge RFC 6565: OSPFv3 as a Provider Edge to Customer Edge
(PE-CE) Routing Protocol, Section 5.2"; (PE-CE) Routing Protocol, Section 5.2";
} }
} }
} }
skipping to change at page 81, line 4 skipping to change at line 3738
Protocol for BGP/MPLS IP Virtual Private Protocol for BGP/MPLS IP Virtual Private
Networks (VPNs), Section 4.2.7.3 Networks (VPNs), Section 4.2.7.3
RFC 6565: OSPFv3 as a Provider Edge to Customer Edge RFC 6565: OSPFv3 as a Provider Edge to Customer Edge
(PE-CE) Routing Protocol, Section 5.2"; (PE-CE) Routing Protocol, Section 5.2";
} }
} }
} }
leaf max-lsa { leaf max-lsa {
type uint32 { type uint32 {
range "1..4294967294"; range "1..4294967294";
} }
description description
"Maximum number of allowed Link State Advertisements "Maximum number of allowed Link State Advertisements
(LSAs) that the OSPF instance will accept."; (LSAs) that the OSPF instance will accept.";
} }
leaf passive { leaf passive {
type boolean; type boolean;
description description
"Enables when set to 'true' a passive interface. It is "When set to 'true', enables a passive interface. It is
active when set to 'false'. A passive interface's prefix active when set to 'false'. A passive interface's
will be advertised, but no neighbor adjacencies will be prefix will be advertised, but no neighbor adjacencies
formed on the interface."; will be formed on the interface.";
} }
uses ac-common:ospf-authentication; uses ac-common:ospf-authentication;
uses ac-common:service-status; uses ac-common:service-status;
} }
container isis { container isis {
when "derived-from-or-self(../type, " when "derived-from-or-self(../type, "
+ "'vpn-common:isis-routing')" { + "'vpn-common:isis-routing')" {
description description
"Only applies when the protocol is IS-IS."; "Only applies when the protocol is IS-IS.";
} }
skipping to change at page 81, line 46 skipping to change at line 3779
"Can be 'level-1', 'level-2', or 'level-1-2'."; "Can be 'level-1', 'level-2', or 'level-1-2'.";
reference reference
"RFC 9181: A Common YANG Data Model for Layer 2 and "RFC 9181: A Common YANG Data Model for Layer 2 and
Layer 3 VPNs"; Layer 3 VPNs";
} }
leaf metric { leaf metric {
type uint32 { type uint32 {
range "0 .. 16777215"; range "0 .. 16777215";
} }
description description
"Metric of the AC. It is used in the routing state "Metric of the AC. It is used in the routing state
calculation and path selection."; calculation and path selection.";
} }
leaf passive { leaf passive {
type boolean; type boolean;
description description
"When set to 'false', the interface is active. In such "When set to 'false', the interface is active. In such
mode, the interface sends or receives IS-IS protocol mode, the interface sends or receives IS-IS protocol
control packets. control packets.
When set to 'true', the interface is passive. That is, When set to 'true', the interface is passive. That
it suppresses the sending of IS-IS updates through the is, it suppresses the sending of IS-IS updates through
specified interface."; the specified interface.";
} }
uses ac-common:isis-authentication; uses ac-common:isis-authentication;
uses ac-common:service-status; uses ac-common:service-status;
} }
container rip { container rip {
when "derived-from-or-self(../type, " when "derived-from-or-self(../type, "
+ "'vpn-common:rip-routing')" { + "'vpn-common:rip-routing')" {
description description
"Only applies when the protocol is RIP. "Only applies when the protocol is RIP.
For IPv4, the model assumes that RIP version 2 For IPv4, the model assumes that RIP version 2
skipping to change at page 82, line 33 skipping to change at line 3815
description description
"Configuration specific to RIP routing."; "Configuration specific to RIP routing.";
uses rip-base; uses rip-base;
uses ac-common:rip-authentication; uses ac-common:rip-authentication;
uses ac-common:service-status; uses ac-common:service-status;
} }
container vrrp { container vrrp {
when "derived-from-or-self(../type, " when "derived-from-or-self(../type, "
+ "'vpn-common:vrrp-routing')" { + "'vpn-common:vrrp-routing')" {
description description
"Only applies when the protocol is the VRRP."; "Only applies when the protocol is VRRP.";
} }
if-feature "vpn-common:rtg-vrrp"; if-feature "vpn-common:rtg-vrrp";
description description
"Configuration specific to VRRP."; "Configuration specific to VRRP.";
reference reference
"RFC 9568: Virtual Router Redundancy Protocol (VRRP) "RFC 9568: Virtual Router Redundancy Protocol (VRRP)
Version 3 for IPv4 and IPv6"; Version 3 for IPv4 and IPv6";
leaf address-family { leaf address-family {
type identityref { type identityref {
base vpn-common:address-family; base vpn-common:address-family;
skipping to change at page 85, line 4 skipping to change at line 3930
units "milliseconds"; units "milliseconds";
description description
"Expected BFD holdtime. "Expected BFD holdtime.
The customer may impose some fixed values for the holdtime The customer may impose some fixed values for the holdtime
period if the provider allows the customer to use this period if the provider allows the customer to use this
function."; function.";
reference reference
"RFC 5880: Bidirectional Forwarding Detection (BFD), "RFC 5880: Bidirectional Forwarding Detection (BFD),
Section 6.8.18"; Section 6.8.18";
} }
} }
grouping bfd-routing { grouping bfd-routing {
description description
"Defines a basic BFD grouping for routing configuration."; "Defines a basic BFD grouping for routing configuration.";
container bfd { container bfd {
if-feature "vpn-common:bfd"; if-feature "vpn-common:bfd";
description description
"BFD control for this neighbor."; "BFD control for this neighbor.";
leaf enabled { leaf enabled {
type boolean; type boolean;
description description
"Enables BFD if set to 'true'. BFD is disabled of set to "Enables BFD if set to 'true'. BFD is disabled if set to
'false'."; 'false'.";
} }
uses failure-detection-profile-reference; uses failure-detection-profile-reference;
} }
} }
grouping oam { grouping oam {
description description
"Defines the Operations, Administration, and Maintenance "Defines the Operations, Administration, and Maintenance
(OAM) mechanisms used."; (OAM) mechanisms used.";
container bfd { container bfd {
if-feature "vpn-common:bfd"; if-feature "vpn-common:bfd";
description description
"Container for BFD."; "Container for BFD.";
list session { list session {
key "dest-addr"; key "dest-addr";
description description
"List of IP sessions."; "List of IP sessions.";
leaf dest-addr { leaf dest-addr {
type inet:ip-address; type inet:ip-address;
description description
"IP address of the peer."; "IP address of the peer.";
} }
leaf source-address { leaf source-address {
type union { type union {
type inet:ip-address; type inet:ip-address;
type if:interface-ref; type if:interface-ref;
} }
description description
"Sets the local IP address to use for the BFD session. "Sets the local IP address to use for the BFD session.
This may be expressed as either an IP address or This may be expressed as either an IP address or
a reference to an interface."; a reference to an interface.";
} }
uses failure-detection-profile-reference; uses failure-detection-profile-reference;
uses bfd; uses bfd;
container authentication { container authentication {
presence "Enables BFD authentication"; presence "Enables BFD authentication";
description description
"Parameters for BFD authentication."; "Parameters for BFD authentication.";
leaf key-chain { leaf key-chain {
type key-chain:key-chain-ref; type key-chain:key-chain-ref;
description description
skipping to change at page 86, line 41 skipping to change at line 4015
description description
"Security parameters for an AC."; "Security parameters for an AC.";
container encryption { container encryption {
if-feature "vpn-common:encryption"; if-feature "vpn-common:encryption";
description description
"Container for AC encryption."; "Container for AC encryption.";
leaf enabled { leaf enabled {
type boolean; type boolean;
description description
"If set to 'true', traffic encryption on the connection is "If set to 'true', traffic encryption on the connection is
required. Otherwise, it is disabled."; required. Otherwise, it is disabled.";
} }
leaf layer { leaf layer {
when "../enabled = 'true'" { when "../enabled = 'true'" {
description description
"Included only when encryption is enabled."; "Included only when encryption is enabled.";
} }
type enumeration { type enumeration {
enum layer2 { enum layer2 {
description description
"Encryption occurs at Layer 2."; "Encryption occurs at Layer 2.";
skipping to change at page 87, line 4 skipping to change at line 4026
} }
leaf layer { leaf layer {
when "../enabled = 'true'" { when "../enabled = 'true'" {
description description
"Included only when encryption is enabled."; "Included only when encryption is enabled.";
} }
type enumeration { type enumeration {
enum layer2 { enum layer2 {
description description
"Encryption occurs at Layer 2."; "Encryption occurs at Layer 2.";
} }
enum layer3 { enum layer3 {
description description
"Encryption occurs at Layer 3. For example, IPsec "Encryption occurs at Layer 3. For example, IPsec
may be used when a customer requests Layer 3 may be used when a customer requests Layer 3
encryption."; encryption.";
} }
} }
description description
"Indicates the layer on which encryption is applied."; "Indicates the layer on which encryption is applied.";
} }
} }
container encryption-profile { container encryption-profile {
when "../encryption/enabled = 'true'" { when "../encryption/enabled = 'true'" {
skipping to change at page 92, line 4 skipping to change at line 4266
description description
"Augmentation parameters apply only for SAP networks."; "Augmentation parameters apply only for SAP networks.";
} }
description description
"Augments SAPs with AC provisioning details."; "Augments SAPs with AC provisioning details.";
list ac { list ac {
key "ac-ref"; key "ac-ref";
description description
"Specifies the ACs that are terminated by the SAP."; "Specifies the ACs that are terminated by the SAP.";
uses ac-ntw:attachment-circuit-reference; uses ac-ntw:attachment-circuit-reference;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
7. Security Considerations 7. Security Considerations
This section is modeled after the template described in in This section is modeled after the template described in Section 3.7
Section 3.7 of [I-D.ietf-netmod-rfc8407bis]. of [YANG-GUIDELINES].
The "ietf-ac-ntw" YANG module defines a data model that is designed The "ietf-ac-ntw" YANG module defines a data model that is designed
to be accessed via YANG-based management protocols, such as NETCONF to be accessed via YANG-based management protocols, such as NETCONF
[RFC6241] and RESTCONF [RFC8040]. These protocols have to use a [RFC6241] and RESTCONF [RFC8040]. These protocols have to use a
secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC
[RFC9000]) and have to use mutual authentication. [RFC9000]) and have to use mutual authentication.
The Network Configuration Access Control Model (NACM) [RFC8341] The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content. RESTCONF protocol operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., "config true", which is the
default). These data nodes may be considered sensitive or vulnerable default). All writable data nodes are likely to be reasonably
in some network environments. Write operations (e.g., edit-config) sensitive or vulnerable in some network environments. Write
and delete operations to these data nodes without proper protection operations (e.g., edit-config) and delete operations to these data
or authentication can have a negative effect on network operations. nodes without proper protection or authentication can have a negative
Specifically, the following subtrees and data nodes have particular effect on network operations. The following subtrees and data nodes
sensitivities/vulnerabilities: have particular sensitivities/vulnerabilities:
'specific-provisioning-profiles': This container includes a set of 'specific-provisioning-profiles': This container includes a set of
sensitive data that influence how an AC is delivered. For sensitive data that influences how an AC is delivered. For
example, an attacker who has access to these data nodes may be example, an attacker who has access to these data nodes may be
able to manipulate routing policies, QoS policies, or encryption able to manipulate routing policies, QoS policies, or encryption
properties. These data nodes are defined with "nacm:default-deny- properties. These data nodes are defined with "nacm:default-deny-
write" tagging [I-D.ietf-opsawg-teas-common-ac]. write" tagging [RFC9833].
'ac': An attacker who is able to access network nodes can undertake 'ac': An attacker who is able to access network nodes can undertake
various attacks, such as modify the attributes of an AC (e.g., various attacks, such as modify the attributes of an AC (e.g.,
QoS, bandwidth, routing protocols, keying material), leading to QoS, bandwidth, routing protocols, keying material), leading to
malfunctioning of services that are delivered over that AC and malfunctioning of services that are delivered over that AC and
therefore to Service Level Agreement (SLA) violations. In therefore to Service Level Agreement (SLA) violations. In
addition, an attacker could attempt to add a new AC. : In addition, an attacker could attempt to add a new AC. By also
addition to using NACM to prevent unauthorized access, such using NACM to prevent unauthorized access, such activity can be
activity can be detected by adequately monitoring and tracking detected by adequately monitoring and tracking network
network configuration changes. configuration changes.
Some of the readable data nodes in this YANG module may be considered Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or important to control read access (e.g., via get, get-config, or
notification) to these data nodes. Specifically, the following notification) to these data nodes. Specifically, the following
subtrees and data nodes have particular sensitivities/ subtrees and data nodes have particular sensitivities/
vulnerabilities: vulnerabilities:
'ac': Unauthorized access to this subtree can disclose the identity 'ac': Unauthorized access to this subtree can disclose the identity
of a customer 'peer-sap-id'. of a customer 'peer-sap-id'.
skipping to change at page 93, line 34 skipping to change at line 4342
Several data nodes ('bgp', 'ospf', 'isis', 'rip', and 'customer-key- Several data nodes ('bgp', 'ospf', 'isis', 'rip', and 'customer-key-
chain') rely upon [RFC8177] for authentication purposes. As such, chain') rely upon [RFC8177] for authentication purposes. As such,
the AC network module inherits the security considerations discussed the AC network module inherits the security considerations discussed
in Section 5 of [RFC8177]. Also, these data nodes support supplying in Section 5 of [RFC8177]. Also, these data nodes support supplying
explicit keys as strings in ASCII format. The use of keys in explicit keys as strings in ASCII format. The use of keys in
hexadecimal string format would afford greater key entropy with the hexadecimal string format would afford greater key entropy with the
same number of key-string octets. However, such a format is not same number of key-string octets. However, such a format is not
included in this version of the AC network model, because it is not included in this version of the AC network model, because it is not
supported by the underlying device modules (e.g., [RFC8695]). supported by the underlying device modules (e.g., [RFC8695]).
Section 5.8 specifies the the encryption to be applied to traffic for Section 5.8 specifies the encryption to be applied to traffic for a
a given AC. given AC.
8. IANA Considerations 8. IANA Considerations
IANA is requested to register the following URI in the "ns" IANA has registered the following URI in the "ns" subregistry within
subregistry within the "IETF XML Registry" [RFC3688]: the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-ac-ntw URI: urn:ietf:params:xml:ns:yang:ietf-ac-ntw
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
IANA is requested to register the following YANG module in the "YANG IANA has registered the following YANG module in the "YANG Module
Module Names" subregistry [RFC6020] within the "YANG Parameters" Names" registry [RFC6020] within the "YANG Parameters" registry
registry: group:
Name: ietf-ac-ntw Name: ietf-ac-ntw
Namespace: urn:ietf:params:xml:ns:yang:ietf-ac-ntw Maintained by IANA? N
Prefix: ac-ntw Namespace: urn:ietf:params:xml:ns:yang:ietf-ac-ntw
Maintained by IANA? N Prefix: ac-ntw
Reference: RFC XXXX Reference: RFC 9835
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-opsawg-teas-attachment-circuit]
Boucadair, M., Roberts, R., de Dios, O. G., Barguil, S.,
and B. Wu, "YANG Data Models for Bearers and 'Attachment
Circuits'-as-a-Service (ACaaS)", Work in Progress,
Internet-Draft, draft-ietf-opsawg-teas-attachment-circuit-
20, 23 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
teas-attachment-circuit-20>.
[I-D.ietf-opsawg-teas-common-ac]
Boucadair, M., Roberts, R., de Dios, O. G., Barguil, S.,
and B. Wu, "A Common YANG Data Model for Attachment
Circuits", Work in Progress, Internet-Draft, draft-ietf-
opsawg-teas-common-ac-15, 23 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
teas-common-ac-15>.
[IEEE802.1Qcp] [IEEE802.1Qcp]
IEEE, "IEEE Standard for Local and metropolitan area IEEE, "IEEE Standard for Local and metropolitan area
networks--Bridges and Bridged Networks--Amendment 30: YANG networks--Bridges and Bridged Networks--Amendment 30: YANG
Data Model", September 2018, Data Model", IEEE Std 802.1Qcp-2018,
DOI 10.1109/IEEESTD.2018.8467507, September 2018,
<https://doi.org/10.1109/IEEESTD.2018.8467507>. <https://doi.org/10.1109/IEEESTD.2018.8467507>.
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
DOI 10.17487/RFC2080, January 1997, DOI 10.17487/RFC2080, January 1997,
<https://www.rfc-editor.org/rfc/rfc2080>. <https://www.rfc-editor.org/info/rfc2080>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
DOI 10.17487/RFC2453, November 1998, DOI 10.17487/RFC2453, November 1998,
<https://www.rfc-editor.org/rfc/rfc2453>. <https://www.rfc-editor.org/info/rfc2453>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/rfc/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/info/rfc4252>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006, DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/rfc/rfc4271>. <https://www.rfc-editor.org/info/rfc4271>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <https://www.rfc-editor.org/rfc/rfc4364>. 2006, <https://www.rfc-editor.org/info/rfc4364>.
[RFC4577] Rosen, E., Psenak, P., and P. Pillay-Esnault, "OSPF as the [RFC4577] Rosen, E., Psenak, P., and P. Pillay-Esnault, "OSPF as the
Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Provider/Customer Edge Protocol for BGP/MPLS IP Virtual
Private Networks (VPNs)", RFC 4577, DOI 10.17487/RFC4577, Private Networks (VPNs)", RFC 4577, DOI 10.17487/RFC4577,
June 2006, <https://www.rfc-editor.org/rfc/rfc4577>. June 2006, <https://www.rfc-editor.org/info/rfc4577>.
[RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community
Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009, Attribute", RFC 5701, DOI 10.17487/RFC5701, November 2009,
<https://www.rfc-editor.org/rfc/rfc5701>. <https://www.rfc-editor.org/info/rfc5701>.
[RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M., [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M.,
Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic
Authentication", RFC 5709, DOI 10.17487/RFC5709, October Authentication", RFC 5709, DOI 10.17487/RFC5709, October
2009, <https://www.rfc-editor.org/rfc/rfc5709>. 2009, <https://www.rfc-editor.org/info/rfc5709>.
[RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
<https://www.rfc-editor.org/rfc/rfc5880>. <https://www.rfc-editor.org/info/rfc5880>.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925, Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/rfc/rfc5925>. June 2010, <https://www.rfc-editor.org/info/rfc5925>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/rfc/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6565] Pillay-Esnault, P., Moyer, P., Doyle, J., Ertekin, E., and [RFC6565] Pillay-Esnault, P., Moyer, P., Doyle, J., Ertekin, E., and
M. Lundberg, "OSPFv3 as a Provider Edge to Customer Edge M. Lundberg, "OSPFv3 as a Provider Edge to Customer Edge
(PE-CE) Routing Protocol", RFC 6565, DOI 10.17487/RFC6565, (PE-CE) Routing Protocol", RFC 6565, DOI 10.17487/RFC6565,
June 2012, <https://www.rfc-editor.org/rfc/rfc6565>. June 2012, <https://www.rfc-editor.org/info/rfc6565>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/rfc/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7166] Bhatia, M., Manral, V., and A. Lindem, "Supporting [RFC7166] Bhatia, M., Manral, V., and A. Lindem, "Supporting
Authentication Trailer for OSPFv3", RFC 7166, Authentication Trailer for OSPFv3", RFC 7166,
DOI 10.17487/RFC7166, March 2014, DOI 10.17487/RFC7166, March 2014,
<https://www.rfc-editor.org/rfc/rfc7166>. <https://www.rfc-editor.org/info/rfc7166>.
[RFC7474] Bhatia, M., Hartman, S., Zhang, D., and A. Lindem, Ed., [RFC7474] Bhatia, M., Hartman, S., Zhang, D., and A. Lindem, Ed.,
"Security Extension for OSPFv2 When Using Manual Key "Security Extension for OSPFv2 When Using Manual Key
Management", RFC 7474, DOI 10.17487/RFC7474, April 2015, Management", RFC 7474, DOI 10.17487/RFC7474, April 2015,
<https://www.rfc-editor.org/rfc/rfc7474>. <https://www.rfc-editor.org/info/rfc7474>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/rfc/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8077] Martini, L., Ed. and G. Heron, Ed., "Pseudowire Setup and [RFC8077] Martini, L., Ed. and G. Heron, Ed., "Pseudowire Setup and
Maintenance Using the Label Distribution Protocol (LDP)", Maintenance Using the Label Distribution Protocol (LDP)",
STD 84, RFC 8077, DOI 10.17487/RFC8077, February 2017, STD 84, RFC 8077, DOI 10.17487/RFC8077, February 2017,
<https://www.rfc-editor.org/rfc/rfc8077>. <https://www.rfc-editor.org/info/rfc8077>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8177] Lindem, A., Ed., Qu, Y., Yeung, D., Chen, I., and J. [RFC8177] Lindem, A., Ed., Qu, Y., Yeung, D., Chen, I., and J.
Zhang, "YANG Data Model for Key Chains", RFC 8177, Zhang, "YANG Data Model for Key Chains", RFC 8177,
DOI 10.17487/RFC8177, June 2017, DOI 10.17487/RFC8177, June 2017,
<https://www.rfc-editor.org/rfc/rfc8177>. <https://www.rfc-editor.org/info/rfc8177>.
[RFC8294] Liu, X., Qu, Y., Lindem, A., Hopps, C., and L. Berger, [RFC8294] Liu, X., Qu, Y., Lindem, A., Hopps, C., and L. Berger,
"Common YANG Data Types for the Routing Area", RFC 8294, "Common YANG Data Types for the Routing Area", RFC 8294,
DOI 10.17487/RFC8294, December 2017, DOI 10.17487/RFC8294, December 2017,
<https://www.rfc-editor.org/rfc/rfc8294>. <https://www.rfc-editor.org/info/rfc8294>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/rfc/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/rfc/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8343] Bjorklund, M., "A YANG Data Model for Interface [RFC8343] Bjorklund, M., "A YANG Data Model for Interface
Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
<https://www.rfc-editor.org/rfc/rfc8343>. <https://www.rfc-editor.org/info/rfc8343>.
[RFC8345] Clemm, A., Medved, J., Varga, R., Bahadur, N., [RFC8345] Clemm, A., Medved, J., Varga, R., Bahadur, N.,
Ananthakrishnan, H., and X. Liu, "A YANG Data Model for Ananthakrishnan, H., and X. Liu, "A YANG Data Model for
Network Topologies", RFC 8345, DOI 10.17487/RFC8345, March Network Topologies", RFC 8345, DOI 10.17487/RFC8345, March
2018, <https://www.rfc-editor.org/rfc/rfc8345>. 2018, <https://www.rfc-editor.org/info/rfc8345>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>.
[RFC9067] Qu, Y., Tantsura, J., Lindem, A., and X. Liu, "A YANG Data [RFC9067] Qu, Y., Tantsura, J., Lindem, A., and X. Liu, "A YANG Data
Model for Routing Policy", RFC 9067, DOI 10.17487/RFC9067, Model for Routing Policy", RFC 9067, DOI 10.17487/RFC9067,
October 2021, <https://www.rfc-editor.org/rfc/rfc9067>. October 2021, <https://www.rfc-editor.org/info/rfc9067>.
[RFC9181] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M., [RFC9181] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M.,
Ed., and Q. Wu, "A Common YANG Data Model for Layer 2 and Ed., and Q. Wu, "A Common YANG Data Model for Layer 2 and
Layer 3 VPNs", RFC 9181, DOI 10.17487/RFC9181, February Layer 3 VPNs", RFC 9181, DOI 10.17487/RFC9181, February
2022, <https://www.rfc-editor.org/rfc/rfc9181>. 2022, <https://www.rfc-editor.org/info/rfc9181>.
[RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M., [RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M.,
Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model
for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182, for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182,
February 2022, <https://www.rfc-editor.org/rfc/rfc9182>. February 2022, <https://www.rfc-editor.org/info/rfc9182>.
[RFC9291] Boucadair, M., Ed., Gonzalez de Dios, O., Ed., Barguil, [RFC9291] Boucadair, M., Ed., Gonzalez de Dios, O., Ed., Barguil,
S., and L. Munoz, "A YANG Network Data Model for Layer 2 S., and L. Munoz, "A YANG Network Data Model for Layer 2
VPNs", RFC 9291, DOI 10.17487/RFC9291, September 2022, VPNs", RFC 9291, DOI 10.17487/RFC9291, September 2022,
<https://www.rfc-editor.org/rfc/rfc9291>. <https://www.rfc-editor.org/info/rfc9291>.
[RFC9408] Boucadair, M., Ed., Gonzalez de Dios, O., Barguil, S., Wu, [RFC9408] Boucadair, M., Ed., Gonzalez de Dios, O., Barguil, S., Wu,
Q., and V. Lopez, "A YANG Network Data Model for Service Q., and V. Lopez, "A YANG Network Data Model for Service
Attachment Points (SAPs)", RFC 9408, DOI 10.17487/RFC9408, Attachment Points (SAPs)", RFC 9408, DOI 10.17487/RFC9408,
June 2023, <https://www.rfc-editor.org/rfc/rfc9408>. June 2023, <https://www.rfc-editor.org/info/rfc9408>.
[RFC9568] Lindem, A. and A. Dogra, "Virtual Router Redundancy [RFC9568] Lindem, A. and A. Dogra, "Virtual Router Redundancy
Protocol (VRRP) Version 3 for IPv4 and IPv6", RFC 9568, Protocol (VRRP) Version 3 for IPv4 and IPv6", RFC 9568,
DOI 10.17487/RFC9568, April 2024, DOI 10.17487/RFC9568, April 2024,
<https://www.rfc-editor.org/rfc/rfc9568>. <https://www.rfc-editor.org/info/rfc9568>.
9.2. Informative References [RFC9833] Boucadair, M., Ed., Roberts, R., Ed., Gonzalez de Dios,
O., Barguil Giraldo, S., and B. Wu, "A Common YANG Data
Model for Attachment Circuits", RFC 9833,
DOI 10.17487/RFC9833, August 2025,
<https://www.rfc-editor.org/info/rfc9833>.
[I-D.ietf-netmod-rfc8407bis] [RFC9834] Boucadair, M., Ed., Roberts, R., Ed., Gonzalez de Dios,
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for O., Barguil, S., and B. Wu, "YANG Data Models for Bearers
Authors and Reviewers of Documents Containing YANG Data and 'Attachment Circuits'-as-a-Service (ACaaS)", RFC 9834,
Models", Work in Progress, Internet-Draft, draft-ietf- DOI 10.17487/RFC9834, August 2025,
netmod-rfc8407bis-22, 14 January 2025, <https://www.rfc-editor.org/info/rfc9834>.
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod-
rfc8407bis-22>.
[I-D.ietf-opsawg-ac-lxsm-lxnm-glue] 9.2. Informative References
Boucadair, M., Roberts, R., Barguil, S., and O. G. de
Dios, "A YANG Data Model for Augmenting VPN Service and
Network Models with Attachment Circuits", Work in
Progress, Internet-Draft, draft-ietf-opsawg-ac-lxsm-lxnm-
glue-13, 9 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
ac-lxsm-lxnm-glue-13>.
[RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B. [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B.
Moore, "Policy Quality of Service (QoS) Information Moore, "Policy Quality of Service (QoS) Information
Model", RFC 3644, DOI 10.17487/RFC3644, November 2003, Model", RFC 3644, DOI 10.17487/RFC3644, November 2003,
<https://www.rfc-editor.org/rfc/rfc3644>. <https://www.rfc-editor.org/info/rfc3644>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/rfc/rfc4252>.
[RFC4552] Gupta, M. and N. Melam, "Authentication/Confidentiality [RFC4552] Gupta, M. and N. Melam, "Authentication/Confidentiality
for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006, for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006,
<https://www.rfc-editor.org/rfc/rfc4552>. <https://www.rfc-editor.org/info/rfc4552>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007, DOI 10.17487/RFC4862, September 2007,
<https://www.rfc-editor.org/rfc/rfc4862>. <https://www.rfc-editor.org/info/rfc4862>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/rfc/rfc6241>.
[RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
Chaining (SFC) Architecture", RFC 7665, Chaining (SFC) Architecture", RFC 7665,
DOI 10.17487/RFC7665, October 2015, DOI 10.17487/RFC7665, October 2015,
<https://www.rfc-editor.org/rfc/rfc7665>. <https://www.rfc-editor.org/info/rfc7665>.
[RFC7880] Pignataro, C., Ward, D., Akiya, N., Bhatia, M., and S. [RFC7880] Pignataro, C., Ward, D., Akiya, N., Bhatia, M., and S.
Pallagatti, "Seamless Bidirectional Forwarding Detection Pallagatti, "Seamless Bidirectional Forwarding Detection
(S-BFD)", RFC 7880, DOI 10.17487/RFC7880, July 2016, (S-BFD)", RFC 7880, DOI 10.17487/RFC7880, July 2016,
<https://www.rfc-editor.org/rfc/rfc7880>. <https://www.rfc-editor.org/info/rfc7880>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/rfc/rfc8040>.
[RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki, [RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
"YANG Data Model for L3VPN Service Delivery", RFC 8299, "YANG Data Model for L3VPN Service Delivery", RFC 8299,
DOI 10.17487/RFC8299, January 2018, DOI 10.17487/RFC8299, January 2018,
<https://www.rfc-editor.org/rfc/rfc8299>. <https://www.rfc-editor.org/info/rfc8299>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/rfc/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
[RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG [RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
Data Model for Layer 2 Virtual Private Network (L2VPN) Data Model for Layer 2 Virtual Private Network (L2VPN)
Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
2018, <https://www.rfc-editor.org/rfc/rfc8466>. 2018, <https://www.rfc-editor.org/info/rfc8466>.
[RFC8695] Liu, X., Sarda, P., and V. Choudhary, "A YANG Data Model [RFC8695] Liu, X., Sarda, P., and V. Choudhary, "A YANG Data Model
for the Routing Information Protocol (RIP)", RFC 8695, for the Routing Information Protocol (RIP)", RFC 8695,
DOI 10.17487/RFC8695, February 2020, DOI 10.17487/RFC8695, February 2020,
<https://www.rfc-editor.org/rfc/rfc8695>. <https://www.rfc-editor.org/info/rfc8695>.
[RFC8969] Wu, Q., Ed., Boucadair, M., Ed., Lopez, D., Xie, C., and [RFC8969] Wu, Q., Ed., Boucadair, M., Ed., Lopez, D., Xie, C., and
L. Geng, "A Framework for Automating Service and Network L. Geng, "A Framework for Automating Service and Network
Management with YANG", RFC 8969, DOI 10.17487/RFC8969, Management with YANG", RFC 8969, DOI 10.17487/RFC8969,
January 2021, <https://www.rfc-editor.org/rfc/rfc8969>. January 2021, <https://www.rfc-editor.org/info/rfc8969>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/rfc/rfc9000>.
[RFC9127] Rahman, R., Ed., Zheng, L., Ed., Jethanandani, M., Ed., [RFC9127] Rahman, R., Ed., Zheng, L., Ed., Jethanandani, M., Ed.,
Pallagatti, S., and G. Mirsky, "YANG Data Model for Pallagatti, S., and G. Mirsky, "YANG Data Model for
Bidirectional Forwarding Detection (BFD)", RFC 9127, Bidirectional Forwarding Detection (BFD)", RFC 9127,
DOI 10.17487/RFC9127, October 2021, DOI 10.17487/RFC9127, October 2021,
<https://www.rfc-editor.org/rfc/rfc9127>. <https://www.rfc-editor.org/info/rfc9127>.
[RFC9234] Azimov, A., Bogomazov, E., Bush, R., Patel, K., and K. [RFC9234] Azimov, A., Bogomazov, E., Bush, R., Patel, K., and K.
Sriram, "Route Leak Prevention and Detection Using Roles Sriram, "Route Leak Prevention and Detection Using Roles
in UPDATE and OPEN Messages", RFC 9234, in UPDATE and OPEN Messages", RFC 9234,
DOI 10.17487/RFC9234, May 2022, DOI 10.17487/RFC9234, May 2022,
<https://www.rfc-editor.org/rfc/rfc9234>. <https://www.rfc-editor.org/info/rfc9234>.
[RFC9543] Farrel, A., Ed., Drake, J., Ed., Rokui, R., Homma, S., [RFC9543] Farrel, A., Ed., Drake, J., Ed., Rokui, R., Homma, S.,
Makhijani, K., Contreras, L., and J. Tantsura, "A Makhijani, K., Contreras, L., and J. Tantsura, "A
Framework for Network Slices in Networks Built from IETF Framework for Network Slices in Networks Built from IETF
Technologies", RFC 9543, DOI 10.17487/RFC9543, March 2024, Technologies", RFC 9543, DOI 10.17487/RFC9543, March 2024,
<https://www.rfc-editor.org/rfc/rfc9543>. <https://www.rfc-editor.org/info/rfc9543>.
[RFC9836] Boucadair, M., Ed., Roberts, R., Barguil, S., and O.
Gonzalez de Dios, "A YANG Data Model for Augmenting VPN
Service and Network Models with Attachment Circuits",
RFC 9836, DOI 10.17487/RFC9836, August 2025,
<https://www.rfc-editor.org/info/rfc9836>.
[YANG-GUIDELINES]
Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for
Authors and Reviewers of Documents Containing YANG Data
Models", Work in Progress, Internet-Draft, draft-ietf-
netmod-rfc8407bis-28, 5 June 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod-
rfc8407bis-28>.
Appendix A. Examples Appendix A. Examples
A.1. VPLS A.1. VPLS
Let us consider the example depicted in Figure 21 with two customer Let us consider the example depicted in Figure 21 with two customer
terminating points (CE1 and CE2). Let us also assume that the terminating points (CE1 and CE2). Let us also assume that the
bearers to attach these CEs to the provider network are already in bearers to attach these CEs to the provider network are already in
place. References to the identify these bearers are shown in the place. References to identify these bearers are shown in the figure.
figure.
.-----. .--------------. .-----. .-----. .--------------. .-----.
.---. | PE1 +===+ +===+ PE2 | .---. .---. | PE1 +===+ +===+ PE2 | .---.
| CE1+------+"450"| | MPLS | |"451"+------+ CE2| | CE1+------+"450"| | MPLS | |"451"+------+ CE2|
'---' ^ '-----' | | '-----' ^ '---' '---' ^ '-----' | | '-----' ^ '---'
| | Core | | | | Core | |
Bearer:1234 '--------------' Bearer:5678 Bearer:1234 '--------------' Bearer:5678
Figure 21: Topology Example Figure 21: Topology Example
The AC service model [I-D.ietf-opsawg-teas-attachment-circuit] can be The AC service model [RFC9834] can be used by the provider to manage
used by the provider to manage and expose the ACs over existing and expose the ACs over existing bearers as shown in Figure 22.
bearers as shown in Figure 22.
{ {
"ietf-ac-svc:attachment-circuits": { "ietf-ac-svc:attachment-circuits": {
"ac-group-profile": [ "ac-group-profile": [
{ {
"name": "an-ac-profile", "name": "an-ac-profile",
"l2-connection": { "l2-connection": {
"encapsulation": { "encapsulation": {
"type": "ietf-vpn-common:dot1q", "type": "ietf-vpn-common:dot1q",
"dot1q": { "dot1q": {
skipping to change at page 105, line 7 skipping to change at line 4843
] ]
} }
] ]
} }
Figure 24: Example of AC Network Response to Retrieve the SAP Figure 24: Example of AC Network Response to Retrieve the SAP
(Message Body) (Message Body)
A.2. Parent AC A.2. Parent AC
In reference to the topology depicted in Figure 1, PE2 has a SAP In reference to the topology depicted in Figure 1, PE2 has a SAP that
which terminates an AC with two peer SAPs (CE2 and CE5). In order to terminates an AC with two peer SAPs (CE2 and CE5). In order to
control data that is specific to each of these peer SAPs over the control data that is specific to each of these peer SAPs over the
same AC, child ACs can be instantiated as depicted in Figure 25. same AC, child ACs can be instantiated as depicted in Figure 25.
{ {
"ietf-ac-ntw:ac":[ "ietf-ac-ntw:ac":[
{ {
"name":"ac-1", "name":"ac-1",
"peer-sap-id":[ "peer-sap-id":[
"CE2", "CE2",
"CE5" "CE5"
skipping to change at page 106, line 47 skipping to change at line 4932
"node-ref":"example:pe2", "node-ref":"example:pe2",
"network-ref":"example:an-id" "network-ref":"example:an-id"
} }
] ]
} }
] ]
} }
] ]
} }
Figure 26: Example of Binding Parent AC to SAPs Figure 26: Example of Binding Parent ACs to SAPs
Appendix B. Full Tree Appendix B. Full Tree
module: ietf-ac-ntw module: ietf-ac-ntw
augment /nw:networks/nw:network: augment /nw:networks/nw:network:
+--rw specific-provisioning-profiles +--rw specific-provisioning-profiles
| +--rw valid-provider-identifiers | +--rw valid-provider-identifiers
| +--rw encryption-profile-identifier* [id] | +--rw encryption-profile-identifier* [id]
| | +--rw id string | | +--rw id string
| +--rw qos-profile-identifier* [id] | +--rw qos-profile-identifier* [id]
| | +--rw id string | | +--rw id string
| +--rw failure-detection-profile-identifier* [id] | +--rw failure-detection-profile-identifier* [id]
skipping to change at page 120, line 5 skipping to change at line 5559
+--rw ac-ref leafref +--rw ac-ref leafref
+--rw node-ref? leafref +--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id +--rw network-ref? -> /nw:networks/network/network-id
Acknowledgments Acknowledgments
This document builds on [RFC9182] and [RFC9291]. This document builds on [RFC9182] and [RFC9291].
Thanks to Moti Morgenstern for the review and comments. Thanks to Moti Morgenstern for the review and comments.
Thanks to Martin Björklund for the yangdoctors review, Gyan Mishra Thanks to Martin Björklund for the YANG Doctors review, Gyan Mishra
for an early rtg-dir review, Joel Halpern for the rtg-dir review, for an early RTGDIR review, Joel Halpern for the RTGDIR review,
Giuseppe Fioccola for the ops-dir review, and Russ Housley for the Giuseppe Fioccola for the OPSDIR review, and Russ Housley for the
sec-dir review. SECDIR review.
Thanks to Krzysztof Szarkowicz for the Shepherd review. Thanks to Krzysztof Szarkowicz for the shepherd review.
Thanks for Mahesh Jethanandani for the AD review. Thanks for Mahesh Jethanandani for the AD review.
Contributors Contributors
Victor Lopez Victor Lopez
Nokia Nokia
Email: victor.lopez@nokia.com Email: victor.lopez@nokia.com
Ivan Bykov Ivan Bykov
 End of changes. 191 change blocks. 
559 lines changed or deleted 498 lines changed or added

This html diff was produced by rfcdiff 1.48.