draft-ietf-opsawg-l3sm-l3nm-12.txt   draft-ietf-opsawg-l3sm-l3nm-13.txt 
skipping to change at page 1, line 15 skipping to change at page 1, line 15
Intended status: Standards Track Telefonica Intended status: Standards Track Telefonica
Expires: 31 March 2022 M. Boucadair, Ed. Expires: 31 March 2022 M. Boucadair, Ed.
Orange Orange
L. Munoz L. Munoz
Vodafone Vodafone
A. Aguado A. Aguado
Nokia Nokia
27 September 2021 27 September 2021
A Layer 3 VPN Network YANG Model A Layer 3 VPN Network YANG Model
draft-ietf-opsawg-l3sm-l3nm-12 draft-ietf-opsawg-l3sm-l3nm-13
Abstract Abstract
As a complement to the Layer 3 Virtual Private Network Service YANG As a complement to the Layer 3 Virtual Private Network Service YANG
data Model (L3SM), used for communication between customers and data Model (L3SM), used for communication between customers and
service providers, this document defines an L3VPN Network YANG Model service providers, this document defines an L3VPN Network YANG Model
(L3NM) that can be used for the provisioning of Layer 3 Virtual (L3NM) that can be used for the provisioning of Layer 3 Virtual
Private Network (VPN) services within a service provider network. Private Network (VPN) services within a service provider network.
The model provides a network-centric view of L3VPN services. The model provides a network-centric view of L3VPN services.
skipping to change at page 3, line 6 skipping to change at page 3, line 6
6.2. Multi-Domain Resource Management . . . . . . . . . . . . 13 6.2. Multi-Domain Resource Management . . . . . . . . . . . . 13
6.3. Management of Multicast Services . . . . . . . . . . . . 13 6.3. Management of Multicast Services . . . . . . . . . . . . 13
7. Description of the L3NM YANG Module . . . . . . . . . . . . . 13 7. Description of the L3NM YANG Module . . . . . . . . . . . . . 13
7.1. Overall Structure of the Module . . . . . . . . . . . . . 14 7.1. Overall Structure of the Module . . . . . . . . . . . . . 14
7.2. VPN Profiles . . . . . . . . . . . . . . . . . . . . . . 15 7.2. VPN Profiles . . . . . . . . . . . . . . . . . . . . . . 15
7.3. VPN Services . . . . . . . . . . . . . . . . . . . . . . 16 7.3. VPN Services . . . . . . . . . . . . . . . . . . . . . . 16
7.4. VPN Instance Profiles . . . . . . . . . . . . . . . . . . 20 7.4. VPN Instance Profiles . . . . . . . . . . . . . . . . . . 20
7.5. VPN Nodes . . . . . . . . . . . . . . . . . . . . . . . . 22 7.5. VPN Nodes . . . . . . . . . . . . . . . . . . . . . . . . 22
7.6. VPN Network Accesses . . . . . . . . . . . . . . . . . . 25 7.6. VPN Network Accesses . . . . . . . . . . . . . . . . . . 25
7.6.1. Connection . . . . . . . . . . . . . . . . . . . . . 28 7.6.1. Connection . . . . . . . . . . . . . . . . . . . . . 28
7.6.2. IP Connection . . . . . . . . . . . . . . . . . . . . 29 7.6.2. IP Connection . . . . . . . . . . . . . . . . . . . . 30
7.6.3. CE-PE Routing Protocols . . . . . . . . . . . . . . . 33 7.6.3. CE-PE Routing Protocols . . . . . . . . . . . . . . . 33
7.6.3.1. Static Routing . . . . . . . . . . . . . . . . . 35 7.6.3.1. Static Routing . . . . . . . . . . . . . . . . . 35
7.6.3.2. BGP . . . . . . . . . . . . . . . . . . . . . . . 37 7.6.3.2. BGP . . . . . . . . . . . . . . . . . . . . . . . 37
7.6.3.3. OSPF . . . . . . . . . . . . . . . . . . . . . . 40 7.6.3.3. OSPF . . . . . . . . . . . . . . . . . . . . . . 40
7.6.3.4. IS-IS . . . . . . . . . . . . . . . . . . . . . . 42 7.6.3.4. IS-IS . . . . . . . . . . . . . . . . . . . . . . 42
7.6.3.5. RIP . . . . . . . . . . . . . . . . . . . . . . . 44 7.6.3.5. RIP . . . . . . . . . . . . . . . . . . . . . . . 44
7.6.3.6. VRRP . . . . . . . . . . . . . . . . . . . . . . 45 7.6.3.6. VRRP . . . . . . . . . . . . . . . . . . . . . . 45
7.6.4. OAM . . . . . . . . . . . . . . . . . . . . . . . . . 46 7.6.4. OAM . . . . . . . . . . . . . . . . . . . . . . . . . 46
7.6.5. Security . . . . . . . . . . . . . . . . . . . . . . 48 7.6.5. Security . . . . . . . . . . . . . . . . . . . . . . 48
7.6.6. Services . . . . . . . . . . . . . . . . . . . . . . 48 7.6.6. Services . . . . . . . . . . . . . . . . . . . . . . 48
7.6.6.1. Overview . . . . . . . . . . . . . . . . . . . . 48 7.6.6.1. Overview . . . . . . . . . . . . . . . . . . . . 48
7.6.6.2. QoS . . . . . . . . . . . . . . . . . . . . . . . 50 7.6.6.2. QoS . . . . . . . . . . . . . . . . . . . . . . . 50
7.7. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 55 7.7. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 55
8. L3NM YANG Module . . . . . . . . . . . . . . . . . . . . . . 59 8. L3NM YANG Module . . . . . . . . . . . . . . . . . . . . . . 59
9. Security Considerations . . . . . . . . . . . . . . . . . . . 120 9. Security Considerations . . . . . . . . . . . . . . . . . . . 121
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 122 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 122
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 122 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 123
11.1. Normative References . . . . . . . . . . . . . . . . . . 122 11.1. Normative References . . . . . . . . . . . . . . . . . . 123
11.2. Informative References . . . . . . . . . . . . . . . . . 126 11.2. Informative References . . . . . . . . . . . . . . . . . 127
Appendix A. L3VPN Examples . . . . . . . . . . . . . . . . . . . 131 Appendix A. L3VPN Examples . . . . . . . . . . . . . . . . . . . 132
A.1. 4G VPN Provisioning Example . . . . . . . . . . . . . . . 131 A.1. 4G VPN Provisioning Example . . . . . . . . . . . . . . . 132
A.2. Loopback Interface . . . . . . . . . . . . . . . . . . . 137 A.2. Loopback Interface . . . . . . . . . . . . . . . . . . . 137
A.3. Overriding VPN Instance Profile Parameters . . . . . . . 138 A.3. Overriding VPN Instance Profile Parameters . . . . . . . 138
A.4. Multicast VPN Provisioning Example . . . . . . . . . . . 141 A.4. Multicast VPN Provisioning Example . . . . . . . . . . . 141
Appendix B. Implementation Status . . . . . . . . . . . . . . . 145 Appendix B. Implementation Status . . . . . . . . . . . . . . . 145
B.1. Nokia Implementation . . . . . . . . . . . . . . . . . . 145 B.1. Nokia Implementation . . . . . . . . . . . . . . . . . . 145
B.2. Huawei Implementation . . . . . . . . . . . . . . . . . . 145 B.2. Huawei Implementation . . . . . . . . . . . . . . . . . . 145
B.3. Infinera Implementation . . . . . . . . . . . . . . . . . 145 B.3. Infinera Implementation . . . . . . . . . . . . . . . . . 145
B.4. Ribbon-ECI Implementation . . . . . . . . . . . . . . . . 145 B.4. Ribbon-ECI Implementation . . . . . . . . . . . . . . . . 145
B.5. Juniper Implementation . . . . . . . . . . . . . . . . . 146 B.5. Juniper Implementation . . . . . . . . . . . . . . . . . 146
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 146 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 146
skipping to change at page 29, line 5 skipping to change at page 29, line 5
connected to the service provider network via a CE-PE link, which can connected to the service provider network via a CE-PE link, which can
access at least one VPN. The connection from the site to the service access at least one VPN. The connection from the site to the service
provider network is the bearer. Every site is associated with a list provider network is the bearer. Every site is associated with a list
of bearers. A bearer is the layer two connection with the site. In of bearers. A bearer is the layer two connection with the site. In
the L3NM, it is assumed that the bearer has been allocated by the the L3NM, it is assumed that the bearer has been allocated by the
service provider at the service orchestration stage. The bearer is service provider at the service orchestration stage. The bearer is
associated to a network element and a port. Hence, a bearer is just associated to a network element and a port. Hence, a bearer is just
a 'bearer-reference' to allow the association between a service a 'bearer-reference' to allow the association between a service
request (e.g., L3SM) and L3NM. request (e.g., L3SM) and L3NM.
The L3NM can be used to create a LAG interface for a given L3VPN
service ('lag-interface') [IEEE802.1AX]. Such a LAG interface can be
referenced under 'interface-id' (Section 7.6).
... ...
+--rw connection +--rw connection
| +--rw encapsulation | +--rw encapsulation
| | +--rw type? identityref | | +--rw type? identityref
| | +--rw dot1q {vpn-common:dot1q}? | | +--rw dot1q {vpn-common:dot1q}?
| | | +--rw tag-type? identityref | | | +--rw tag-type? identityref
| | | +--rw cvlan-id? uint16 | | | +--rw cvlan-id? uint16
| | +--rw priority-tagged | | +--rw priority-tagged
| | | +--rw tag-type? identityref | | | +--rw tag-type? identityref
| | +--rw qinq {vpn-common:qinq}? | | +--rw qinq {vpn-common:qinq}?
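Review bot: the added paragraph says a LAG interface "can be referenced under 'interface-id' (Section 7.6)" but does not say how that reference relates to the new 'lag-interface-id' leaf introduced in the same revision; state whether 'interface-id' is expected to carry the same value as 'lag-interface-id' or whether the LAG is identified only through its member links, otherwise two implementations will read it differently. The opening sentence "The L3NM can be used to create a LAG interface" also overstates what a data model does; "The L3NM can be used to describe (or request) a LAG interface for a given L3VPN service" is more accurate.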
skipping to change at page 29, line 37 skipping to change at page 29, line 41
| | | | +--rw far-end* union | | | | +--rw far-end* union
| | | +--rw vxlan {vpn-common:vxlan}? | | | +--rw vxlan {vpn-common:vxlan}?
| | | +--rw vni-id uint32 | | | +--rw vni-id uint32
| | | +--rw peer-mode? identityref | | | +--rw peer-mode? identityref
| | | +--rw peer-ip-address* inet:ip-address | | | +--rw peer-ip-address* inet:ip-address
| | +--:(l2vpn) | | +--:(l2vpn)
| | +--rw l2vpn-id? vpn-common:vpn-id | | +--rw l2vpn-id? vpn-common:vpn-id
| +--rw l2-termination-point? string | +--rw l2-termination-point? string
| +--rw local-bridge-reference? string | +--rw local-bridge-reference? string
| +--rw bearer-reference? string | +--rw bearer-reference? string
{vpn-common:bearer-reference}? | | {vpn-common:bearer-reference}?
| +--rw lag-interface {vpn-common:lag-interface}?
| +--rw lag-interface-id? string
| +--rw member-link-list
| +--rw member-link* [name]
| +--rw name string
... ...
Figure 9: Connection Subtree Structure Figure 9: Connection Subtree Structure
7.6.2. IP Connection 7.6.2. IP Connection
This container is used to group Layer 3 connectivity information, This container is used to group Layer 3 connectivity information,
particularly the IP addressing information, of a VPN network access. particularly the IP addressing information, of a VPN network access.
The allocated address represents the PE interface address The allocated address represents the PE interface address
configuration. Note that a distinct layer 3 interface other than the configuration. Note that a distinct layer 3 interface other than the
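Review bot: the new 'lag-interface' container is guarded by the feature 'vpn-common:lag-interface'; confirm that this feature is defined in the revision of the vpn-common module the draft imports, since an undefined feature reference fails module validation. The re-wrapping of the '{vpn-common:bearer-reference}?' tag onto its own line in the right column is the correct tree-diagram layout and matches the rest of Figure 9.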
skipping to change at page 80, line 37 skipping to change at page 80, line 37
A reference may be a local bridge domain."; A reference may be a local bridge domain.";
} }
leaf bearer-reference { leaf bearer-reference {
if-feature "vpn-common:bearer-reference"; if-feature "vpn-common:bearer-reference";
type string; type string;
description description
"This is an internal reference for the service "This is an internal reference for the service
provider to identify the bearer associated provider to identify the bearer associated
with this VPN."; with this VPN.";
} }
container lag-interface {
if-feature "vpn-common:lag-interface";
description
"Container of LAG interface attributes
configuration.";
leaf lag-interface-id {
type string;
description
"LAG interface identifier.";
}
container member-link-list {
description
"Container of Member link list.";
list member-link {
key "name";
description
"Member link.";
leaf name {
type string;
description
"Member link name.";
}
}
}
}
} }
container ip-connection { container ip-connection {
description description
"Defines IP connection parameters."; "Defines IP connection parameters.";
leaf l3-termination-point { leaf l3-termination-point {
type string; type string;
description description
"Specifies a reference to a local layer 3 "Specifies a reference to a local layer 3
termination point such as a bridge domain termination point such as a bridge domain
interface."; interface.";
skipping to change at page 121, line 21 skipping to change at page 121, line 47
These are the subtrees and data nodes and their sensitivity/ These are the subtrees and data nodes and their sensitivity/
vulnerability in the "ietf-l3vpn-ntw" module: vulnerability in the "ietf-l3vpn-ntw" module:
* 'vpn-profiles': This container includes a set of sensitive data * 'vpn-profiles': This container includes a set of sensitive data
that influence how the L3VPN service is delivered. For example, that influence how the L3VPN service is delivered. For example,
an attacker who has access to these data nodes may be able to an attacker who has access to these data nodes may be able to
manipulate routing policies, QoS policies, or encryption manipulate routing policies, QoS policies, or encryption
properties. These data nodes are defined with "nacm:default-deny- properties. These data nodes are defined with "nacm:default-deny-
write" tagging [I-D.ietf-opsawg-vpn-common]. write" tagging [I-D.ietf-opsawg-vpn-common].
* ''vpn-services': An attacker who is able to access network nodes * 'vpn-services': An attacker who is able to access network nodes
can undertake various attacks, such as deleting a running L3VPN can undertake various attacks, such as deleting a running L3VPN
service, interrupting all the traffic of a client. In addition, service, interrupting all the traffic of a client. In addition,
an attacker may modify the attributes of a running service (e.g., an attacker may modify the attributes of a running service (e.g.,
QoS, bandwidth, routing protocols), leading to malfunctioning of QoS, bandwidth, routing protocols), leading to malfunctioning of
the service and therefore to SLA violations. In addition, an the service and therefore to SLA violations. In addition, an
attacker could attempt to create an L3VPN service or adding a new attacker could attempt to create an L3VPN service or add a new
network access. In addition to using NACM to prevent authorized network access. In addition to using NACM to prevent authorized
access, such activity can be detected by adequately monitoring and access, such activity can be detected by adequately monitoring and
tracking network configuration changes. tracking network configuration changes.
Some readable data nodes in this YANG module may be considered Some readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data notification) to these data nodes. These are the subtrees and data
nodes and their sensitivity/vulnerability: nodes and their sensitivity/vulnerability:
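Review bot: "using NACM to prevent authorized access" in the 'vpn-services' bullet should read "unauthorized access"; the typo survives in both columns even though the same bullet was touched to fix the stray quote in ''vpn-services' and "adding" to "add". Since the revision adds the 'lag-interface' container under the network access, it is worth a clause noting that those nodes fall under the same write sensitivity, as changing the member links of a network access directly affects its connectivity.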
skipping to change at page 128, line 21 skipping to change at page 128, line 45
teas-ietf-network-slices-04.txt>. teas-ietf-network-slices-04.txt>.
[I-D.ogondio-opsawg-uni-topology] [I-D.ogondio-opsawg-uni-topology]
Dios, O. G. D., Barguil, S., Wu, Q., and M. Boucadair, "A Dios, O. G. D., Barguil, S., Wu, Q., and M. Boucadair, "A
YANG Model for User-Network Interface (UNI) Topologies", YANG Model for User-Network Interface (UNI) Topologies",
Work in Progress, Internet-Draft, draft-ogondio-opsawg- Work in Progress, Internet-Draft, draft-ogondio-opsawg-
uni-topology-01, 2 April 2020, uni-topology-01, 2 April 2020,
<https://www.ietf.org/archive/id/draft-ogondio-opsawg-uni- <https://www.ietf.org/archive/id/draft-ogondio-opsawg-uni-
topology-01.txt>. topology-01.txt>.
[IEEE802.1AX]
"Link Aggregation", IEEE Std 802.1AX-2020, 2020.
[PYANG] "pyang", November 2020, [PYANG] "pyang", November 2020,
<https://github.com/mbj4668/pyang>. <https://github.com/mbj4668/pyang>.
[RFC3618] Fenner, B., Ed. and D. Meyer, Ed., "Multicast Source [RFC3618] Fenner, B., Ed. and D. Meyer, Ed., "Multicast Source
Discovery Protocol (MSDP)", RFC 3618, Discovery Protocol (MSDP)", RFC 3618,
DOI 10.17487/RFC3618, October 2003, DOI 10.17487/RFC3618, October 2003,
<https://www.rfc-editor.org/info/rfc3618>. <https://www.rfc-editor.org/info/rfc3618>.
[RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B. [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B.
Moore, "Policy Quality of Service (QoS) Information Moore, "Policy Quality of Service (QoS) Information
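Review bot: the new [IEEE802.1AX] entry gives only "Link Aggregation" as its title and no URL, whereas the neighbouring entries carry the full title and a URL; expand it to the standard's full title ("IEEE Standard for Local and Metropolitan Area Networks--Link Aggregation") and add a URL or DOI. Its placement among the informative references is appropriate, since it is cited only from the descriptive text in Section 7.6.1.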
 End of changes. 10 change blocks. 
11 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/