| draft-ietf-opsawg-l3sm-l3nm-12.txt | draft-ietf-opsawg-l3sm-l3nm-13.txt | |||
|---|---|---|---|---|
| skipping to change at page 1, line 15 ¶ | skipping to change at page 1, line 15 ¶ | |||
| Intended status: Standards Track Telefonica | Intended status: Standards Track Telefonica | |||
| Expires: 31 March 2022 M. Boucadair, Ed. | Expires: 31 March 2022 M. Boucadair, Ed. | |||
| Orange | Orange | |||
| L. Munoz | L. Munoz | |||
| Vodafone | Vodafone | |||
| A. Aguado | A. Aguado | |||
| Nokia | Nokia | |||
| 27 September 2021 | 27 September 2021 | |||
| A Layer 3 VPN Network YANG Model | A Layer 3 VPN Network YANG Model | |||
| draft-ietf-opsawg-l3sm-l3nm-12 | draft-ietf-opsawg-l3sm-l3nm-13 | |||
| Abstract | Abstract | |||
| As a complement to the Layer 3 Virtual Private Network Service YANG | As a complement to the Layer 3 Virtual Private Network Service YANG | |||
| data Model (L3SM), used for communication between customers and | data Model (L3SM), used for communication between customers and | |||
| service providers, this document defines an L3VPN Network YANG Model | service providers, this document defines an L3VPN Network YANG Model | |||
| (L3NM) that can be used for the provisioning of Layer 3 Virtual | (L3NM) that can be used for the provisioning of Layer 3 Virtual | |||
| Private Network (VPN) services within a service provider network. | Private Network (VPN) services within a service provider network. | |||
| The model provides a network-centric view of L3VPN services. | The model provides a network-centric view of L3VPN services. | |||
| skipping to change at page 3, line 6 ¶ | skipping to change at page 3, line 6 ¶ | |||
| 6.2. Multi-Domain Resource Management . . . . . . . . . . . . 13 | 6.2. Multi-Domain Resource Management . . . . . . . . . . . . 13 | |||
| 6.3. Management of Multicast Services . . . . . . . . . . . . 13 | 6.3. Management of Multicast Services . . . . . . . . . . . . 13 | |||
| 7. Description of the L3NM YANG Module . . . . . . . . . . . . . 13 | 7. Description of the L3NM YANG Module . . . . . . . . . . . . . 13 | |||
| 7.1. Overall Structure of the Module . . . . . . . . . . . . . 14 | 7.1. Overall Structure of the Module . . . . . . . . . . . . . 14 | |||
| 7.2. VPN Profiles . . . . . . . . . . . . . . . . . . . . . . 15 | 7.2. VPN Profiles . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.3. VPN Services . . . . . . . . . . . . . . . . . . . . . . 16 | 7.3. VPN Services . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7.4. VPN Instance Profiles . . . . . . . . . . . . . . . . . . 20 | 7.4. VPN Instance Profiles . . . . . . . . . . . . . . . . . . 20 | |||
| 7.5. VPN Nodes . . . . . . . . . . . . . . . . . . . . . . . . 22 | 7.5. VPN Nodes . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7.6. VPN Network Accesses . . . . . . . . . . . . . . . . . . 25 | 7.6. VPN Network Accesses . . . . . . . . . . . . . . . . . . 25 | |||
| 7.6.1. Connection . . . . . . . . . . . . . . . . . . . . . 28 | 7.6.1. Connection . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 7.6.2. IP Connection . . . . . . . . . . . . . . . . . . . . 29 | 7.6.2. IP Connection . . . . . . . . . . . . . . . . . . . . 30 | |||
| 7.6.3. CE-PE Routing Protocols . . . . . . . . . . . . . . . 33 | 7.6.3. CE-PE Routing Protocols . . . . . . . . . . . . . . . 33 | |||
| 7.6.3.1. Static Routing . . . . . . . . . . . . . . . . . 35 | 7.6.3.1. Static Routing . . . . . . . . . . . . . . . . . 35 | |||
| 7.6.3.2. BGP . . . . . . . . . . . . . . . . . . . . . . . 37 | 7.6.3.2. BGP . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 7.6.3.3. OSPF . . . . . . . . . . . . . . . . . . . . . . 40 | 7.6.3.3. OSPF . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 7.6.3.4. IS-IS . . . . . . . . . . . . . . . . . . . . . . 42 | 7.6.3.4. IS-IS . . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 7.6.3.5. RIP . . . . . . . . . . . . . . . . . . . . . . . 44 | 7.6.3.5. RIP . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 7.6.3.6. VRRP . . . . . . . . . . . . . . . . . . . . . . 45 | 7.6.3.6. VRRP . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 7.6.4. OAM . . . . . . . . . . . . . . . . . . . . . . . . . 46 | 7.6.4. OAM . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 7.6.5. Security . . . . . . . . . . . . . . . . . . . . . . 48 | 7.6.5. Security . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 7.6.6. Services . . . . . . . . . . . . . . . . . . . . . . 48 | 7.6.6. Services . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 7.6.6.1. Overview . . . . . . . . . . . . . . . . . . . . 48 | 7.6.6.1. Overview . . . . . . . . . . . . . . . . . . . . 48 | |||
| 7.6.6.2. QoS . . . . . . . . . . . . . . . . . . . . . . . 50 | 7.6.6.2. QoS . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 7.7. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 55 | 7.7. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| 8. L3NM YANG Module . . . . . . . . . . . . . . . . . . . . . . 59 | 8. L3NM YANG Module . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 120 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 121 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 122 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 122 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 122 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 123 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 122 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 123 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 126 | 11.2. Informative References . . . . . . . . . . . . . . . . . 127 | |||
| Appendix A. L3VPN Examples . . . . . . . . . . . . . . . . . . . 131 | Appendix A. L3VPN Examples . . . . . . . . . . . . . . . . . . . 132 | |||
| A.1. 4G VPN Provisioning Example . . . . . . . . . . . . . . . 131 | A.1. 4G VPN Provisioning Example . . . . . . . . . . . . . . . 132 | |||
| A.2. Loopback Interface . . . . . . . . . . . . . . . . . . . 137 | A.2. Loopback Interface . . . . . . . . . . . . . . . . . . . 137 | |||
| A.3. Overriding VPN Instance Profile Parameters . . . . . . . 138 | A.3. Overriding VPN Instance Profile Parameters . . . . . . . 138 | |||
| A.4. Multicast VPN Provisioning Example . . . . . . . . . . . 141 | A.4. Multicast VPN Provisioning Example . . . . . . . . . . . 141 | |||
| Appendix B. Implementation Status . . . . . . . . . . . . . . . 145 | Appendix B. Implementation Status . . . . . . . . . . . . . . . 145 | |||
| B.1. Nokia Implementation . . . . . . . . . . . . . . . . . . 145 | B.1. Nokia Implementation . . . . . . . . . . . . . . . . . . 145 | |||
| B.2. Huawei Implementation . . . . . . . . . . . . . . . . . . 145 | B.2. Huawei Implementation . . . . . . . . . . . . . . . . . . 145 | |||
| B.3. Infinera Implementation . . . . . . . . . . . . . . . . . 145 | B.3. Infinera Implementation . . . . . . . . . . . . . . . . . 145 | |||
| B.4. Ribbon-ECI Implementation . . . . . . . . . . . . . . . . 145 | B.4. Ribbon-ECI Implementation . . . . . . . . . . . . . . . . 145 | |||
| B.5. Juniper Implementation . . . . . . . . . . . . . . . . . 146 | B.5. Juniper Implementation . . . . . . . . . . . . . . . . . 146 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 146 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 146 | |||
| skipping to change at page 29, line 5 ¶ | skipping to change at page 29, line 5 ¶ | |||
| connected to the service provider network via a CE-PE link, which can | connected to the service provider network via a CE-PE link, which can | |||
| access at least one VPN. The connection from the site to the service | access at least one VPN. The connection from the site to the service | |||
| provider network is the bearer. Every site is associated with a list | provider network is the bearer. Every site is associated with a list | |||
| of bearers. A bearer is the layer two connection with the site. In | of bearers. A bearer is the layer two connection with the site. In | |||
| the L3NM, it is assumed that the bearer has been allocated by the | the L3NM, it is assumed that the bearer has been allocated by the | |||
| service provider at the service orchestration stage. The bearer is | service provider at the service orchestration stage. The bearer is | |||
| associated to a network element and a port. Hence, a bearer is just | associated to a network element and a port. Hence, a bearer is just | |||
| a 'bearer-reference' to allow the association between a service | a 'bearer-reference' to allow the association between a service | |||
| request (e.g., L3SM) and L3NM. | request (e.g., L3SM) and L3NM. | |||
| The L3NM can be used to create a LAG interface for a given L3VPN | ||||
| service ('lag-interface') [IEEE802.1AX]. Such a LAG interface can be | ||||
| referenced under 'interface-id' (Section 7.6). | ||||
| ... | ... | |||
| +--rw connection | +--rw connection | |||
| | +--rw encapsulation | | +--rw encapsulation | |||
| | | +--rw type? identityref | | | +--rw type? identityref | |||
| | | +--rw dot1q {vpn-common:dot1q}? | | | +--rw dot1q {vpn-common:dot1q}? | |||
| | | | +--rw tag-type? identityref | | | | +--rw tag-type? identityref | |||
| | | | +--rw cvlan-id? uint16 | | | | +--rw cvlan-id? uint16 | |||
| | | +--rw priority-tagged | | | +--rw priority-tagged | |||
| | | | +--rw tag-type? identityref | | | | +--rw tag-type? identityref | |||
| | | +--rw qinq {vpn-common:qinq}? | | | +--rw qinq {vpn-common:qinq}? | |||
| skipping to change at page 29, line 37 ¶ | skipping to change at page 29, line 41 ¶ | |||
| | | | | +--rw far-end* union | | | | | +--rw far-end* union | |||
| | | | +--rw vxlan {vpn-common:vxlan}? | | | | +--rw vxlan {vpn-common:vxlan}? | |||
| | | | +--rw vni-id uint32 | | | | +--rw vni-id uint32 | |||
| | | | +--rw peer-mode? identityref | | | | +--rw peer-mode? identityref | |||
| | | | +--rw peer-ip-address* inet:ip-address | | | | +--rw peer-ip-address* inet:ip-address | |||
| | | +--:(l2vpn) | | | +--:(l2vpn) | |||
| | | +--rw l2vpn-id? vpn-common:vpn-id | | | +--rw l2vpn-id? vpn-common:vpn-id | |||
| | +--rw l2-termination-point? string | | +--rw l2-termination-point? string | |||
| | +--rw local-bridge-reference? string | | +--rw local-bridge-reference? string | |||
| | +--rw bearer-reference? string | | +--rw bearer-reference? string | |||
| {vpn-common:bearer-reference}? | | | {vpn-common:bearer-reference}? | |||
| | +--rw lag-interface {vpn-common:lag-interface}? | ||||
| | +--rw lag-interface-id? string | ||||
| | +--rw member-link-list | ||||
| | +--rw member-link* [name] | ||||
| | +--rw name string | ||||
| ... | ... | |||
| Figure 9: Connection Subtree Structure | Figure 9: Connection Subtree Structure | |||
| 7.6.2. IP Connection | 7.6.2. IP Connection | |||
| This container is used to group Layer 3 connectivity information, | This container is used to group Layer 3 connectivity information, | |||
| particularly the IP addressing information, of a VPN network access. | particularly the IP addressing information, of a VPN network access. | |||
| The allocated address represents the PE interface address | The allocated address represents the PE interface address | |||
| configuration. Note that a distinct layer 3 interface other than the | configuration. Note that a distinct layer 3 interface other than the | |||
| skipping to change at page 80, line 37 ¶ | skipping to change at page 80, line 37 ¶ | |||
| A reference may be a local bridge domain."; | A reference may be a local bridge domain."; | |||
| } | } | |||
| leaf bearer-reference { | leaf bearer-reference { | |||
| if-feature "vpn-common:bearer-reference"; | if-feature "vpn-common:bearer-reference"; | |||
| type string; | type string; | |||
| description | description | |||
| "This is an internal reference for the service | "This is an internal reference for the service | |||
| provider to identify the bearer associated | provider to identify the bearer associated | |||
| with this VPN."; | with this VPN."; | |||
| } | } | |||
| container lag-interface { | ||||
| if-feature "vpn-common:lag-interface"; | ||||
| description | ||||
| "Container of LAG interface attributes | ||||
| configuration."; | ||||
| leaf lag-interface-id { | ||||
| type string; | ||||
| description | ||||
| "LAG interface identifier."; | ||||
| } | ||||
| container member-link-list { | ||||
| description | ||||
| "Container of Member link list."; | ||||
| list member-link { | ||||
| key "name"; | ||||
| description | ||||
| "Member link."; | ||||
| leaf name { | ||||
| type string; | ||||
| description | ||||
| "Member link name."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | } | |||
| container ip-connection { | container ip-connection { | |||
| description | description | |||
| "Defines IP connection parameters."; | "Defines IP connection parameters."; | |||
| leaf l3-termination-point { | leaf l3-termination-point { | |||
| type string; | type string; | |||
| description | description | |||
| "Specifies a reference to a local layer 3 | "Specifies a reference to a local layer 3 | |||
| termination point such as a bridge domain | termination point such as a bridge domain | |||
| interface."; | interface."; | |||
| skipping to change at page 121, line 21 ¶ | skipping to change at page 121, line 47 ¶ | |||
| These are the subtrees and data nodes and their sensitivity/ | These are the subtrees and data nodes and their sensitivity/ | |||
| vulnerability in the "ietf-l3vpn-ntw" module: | vulnerability in the "ietf-l3vpn-ntw" module: | |||
| * 'vpn-profiles': This container includes a set of sensitive data | * 'vpn-profiles': This container includes a set of sensitive data | |||
| that influence how the L3VPN service is delivered. For example, | that influence how the L3VPN service is delivered. For example, | |||
| an attacker who has access to these data nodes may be able to | an attacker who has access to these data nodes may be able to | |||
| manipulate routing policies, QoS policies, or encryption | manipulate routing policies, QoS policies, or encryption | |||
| properties. These data nodes are defined with "nacm:default-deny- | properties. These data nodes are defined with "nacm:default-deny- | |||
| write" tagging [I-D.ietf-opsawg-vpn-common]. | write" tagging [I-D.ietf-opsawg-vpn-common]. | |||
| * ''vpn-services': An attacker who is able to access network nodes | * 'vpn-services': An attacker who is able to access network nodes | |||
| can undertake various attacks, such as deleting a running L3VPN | can undertake various attacks, such as deleting a running L3VPN | |||
| service, interrupting all the traffic of a client. In addition, | service, interrupting all the traffic of a client. In addition, | |||
| an attacker may modify the attributes of a running service (e.g., | an attacker may modify the attributes of a running service (e.g., | |||
| QoS, bandwidth, routing protocols), leading to malfunctioning of | QoS, bandwidth, routing protocols), leading to malfunctioning of | |||
| the service and therefore to SLA violations. In addition, an | the service and therefore to SLA violations. In addition, an | |||
| attacker could attempt to create an L3VPN service or adding a new | attacker could attempt to create an L3VPN service or add a new | |||
| network access. In addition to using NACM to prevent authorized | network access. In addition to using NACM to prevent authorized | |||
| access, such activity can be detected by adequately monitoring and | access, such activity can be detected by adequately monitoring and | |||
| tracking network configuration changes. | tracking network configuration changes. | |||
| Some readable data nodes in this YANG module may be considered | Some readable data nodes in this YANG module may be considered | |||
| sensitive or vulnerable in some network environments. It is thus | sensitive or vulnerable in some network environments. It is thus | |||
| important to control read access (e.g., via get, get-config, or | important to control read access (e.g., via get, get-config, or | |||
| notification) to these data nodes. These are the subtrees and data | notification) to these data nodes. These are the subtrees and data | |||
| nodes and their sensitivity/vulnerability: | nodes and their sensitivity/vulnerability: | |||
| skipping to change at page 128, line 21 ¶ | skipping to change at page 128, line 45 ¶ | |||
| teas-ietf-network-slices-04.txt>. | teas-ietf-network-slices-04.txt>. | |||
| [I-D.ogondio-opsawg-uni-topology] | [I-D.ogondio-opsawg-uni-topology] | |||
| Dios, O. G. D., Barguil, S., Wu, Q., and M. Boucadair, "A | Dios, O. G. D., Barguil, S., Wu, Q., and M. Boucadair, "A | |||
| YANG Model for User-Network Interface (UNI) Topologies", | YANG Model for User-Network Interface (UNI) Topologies", | |||
| Work in Progress, Internet-Draft, draft-ogondio-opsawg- | Work in Progress, Internet-Draft, draft-ogondio-opsawg- | |||
| uni-topology-01, 2 April 2020, | uni-topology-01, 2 April 2020, | |||
| <https://www.ietf.org/archive/id/draft-ogondio-opsawg-uni- | <https://www.ietf.org/archive/id/draft-ogondio-opsawg-uni- | |||
| topology-01.txt>. | topology-01.txt>. | |||
| [IEEE802.1AX] | ||||
| "Link Aggregation", IEEE Std 802.1AX-2020, 2020. | ||||
| [PYANG] "pyang", November 2020, | [PYANG] "pyang", November 2020, | |||
| <https://github.com/mbj4668/pyang>. | <https://github.com/mbj4668/pyang>. | |||
| [RFC3618] Fenner, B., Ed. and D. Meyer, Ed., "Multicast Source | [RFC3618] Fenner, B., Ed. and D. Meyer, Ed., "Multicast Source | |||
| Discovery Protocol (MSDP)", RFC 3618, | Discovery Protocol (MSDP)", RFC 3618, | |||
| DOI 10.17487/RFC3618, October 2003, | DOI 10.17487/RFC3618, October 2003, | |||
| <https://www.rfc-editor.org/info/rfc3618>. | <https://www.rfc-editor.org/info/rfc3618>. | |||
| [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B. | [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B. | |||
| Moore, "Policy Quality of Service (QoS) Information | Moore, "Policy Quality of Service (QoS) Information | |||
| End of changes. 10 change blocks. | ||||
| 11 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||