OPSAWG
Internet Engineering Task Force (IETF) M. Boucadair, Ed.
Internet-Draft
Request for Comments: 9836 Orange
Intended status:
Category: Standards Track R. Roberts
Expires: 27 July 2025
ISSN: 2070-1721 Juniper
S. B. Barguil Giraldo
Nokia
O. G. D. Gonzalez de Dios
Telefonica
23 January
August 2025
A YANG Data Model for Augmenting VPN Service and Network Models with
Attachment Circuits
draft-ietf-opsawg-ac-lxsm-lxnm-glue-14
Abstract
This document defines a YANG data model, referred to as the "AC Glue"
model, to augment the Layer 2/3 Service Model (LxSM) and Layer 2/3
Network Model (LxNM) with references to attachment circuits (ACs).
The AC Glue model enables a provider to associate Layer 2/3 VPN
(LxVPN) services (LxVPNs) with the underlying AC infrastructure, thereby
facilitating consistent provisioning and management of new or
existing ACs in conjunction with LxVPN services. Specifically, by
introducing an integrated approach to AC and LxVPN management, this
model supports Attachment Circuit-as-a-Service (ACaaS) and provides a
standardized mechanism for aligning AC/VPN requests with the network
configurations required to deliver them.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Operations and
Management Area Working Group Working Group mailing list
(opsawg@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/opsawg/.
Source for this draft and an issue tracker can be found at
https://github.com/boucadair/attachment-circuit-model.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of six months RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 July 2025.
https://www.rfc-editor.org/info/rfc9836.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info)
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Editorial Note (To be removed by RFC Editor) . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
3. Relationship to Other AC Data Models . . . . . . . . . . . . 5
4. Sample Uses of the Data Models . . . . . . . . . . . . . . . 6
4.1. ACs Terminated by One or Multiple Customer Edges (CEs) . 6
4.2. Separate AC Provisioning From from Actual VPN Service
Provisioning . . . . . . . . . . . . . . . . . . . . . . 8
5. Module Tree Structure . . . . . . . . . . . . . . . . . . . . 10
6. The AC Glue ("ietf-ac-glue") YANG Module . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 18
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 22
A.1. A Service AC Reference within The Within the VPN Network Access . . 22
A.2. Network and Service AC References . . . . . . . . . . . . 26
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 34
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction
To facilitate data transfer within the provider network, it is
assumed that the appropriate setup is provisioned over the links that
connect customer termination points and a provider network (usually
via a Provider Edge (PE)), allowing successfully data to be successfully exchanged
over these links. The required setup is referred to in this document
as an attachment circuit (AC), while the underlying link is referred
to as "bearer".
The document specifies a YANG module ("ietf-ac-glue", Section 6) that
updates existing service and network Virtual Private Network (VPN)
modules with the required information to bind specific services to
ACs that are created using the AC service model
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834].
Specifically, the following modules are augmented:
* The Layer 2 Service Model (L2SM) [RFC8466]
* The Layer 3 Service Model (L3SM) [RFC8299]
* The Layer 2 Network Model (L2NM) [RFC9291]
* The Layer 3 Network Model (L3NM) [RFC9182]
Likewise, the document augments the L2NM and L3NM with references to
the ACs that are managed using the AC network model
[I-D.ietf-opsawg-ntw-attachment-circuit]. [RFC9835].
This approach allows operators to separate AC provisioning from
actual VPN service provisioning. Refer to Section 4.2 for more
discussion.
The YANG data model in this document conforms to the Network
Management Datastore Architecture (NMDA) defined in [RFC8342].
Examples to illustrate the use of the "ietf-ac-glue" model module are
provided in Appendix A.
1.1. Editorial Note (To be removed by RFC Editor)
Note to the RFC Editor: This section is to be removed prior to
publication.
This document contains placeholder values that need to be replaced
with finalized values at the time of publication. This note
summarizes all of the substitutions that are needed.
Please apply the following replacements:
* XXXX --> the assigned RFC number for this I-D
* SSSS --> the assigned RFC number for
[I-D.ietf-opsawg-teas-attachment-circuit]
* NNNN --> the assigned RFC number for
[I-D.ietf-opsawg-ntw-attachment-circuit]
* 2025-01-07 --> the actual date of the publication of this document
2. Conventions and Definitions
The meanings of the symbols in the YANG tree diagrams are defined in
[RFC8340].
This document uses terms defined in
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834].
LxSM refers to both the L2SM and the L3SM.
LxNM refers to both the L2NM and the L3NM.
The following terms are used in the modules module's prefixes:
ac: Attachment circuit
ntw: Network
ref: Reference
svc: Service
The names of data nodes are prefixed using the prefix associated with
the corresponding imported YANG module as shown in Table 1:
+===========+================+=========================+
+===========+================+==========================+
| Prefix | Module | Reference |
+===========+================+=========================+
+===========+================+==========================+
| ac-svc | ietf-ac-svc | Section 5.2 of RFC SSSS [RFC9834] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
| ac-ntw | ietf-ac-ntw | RFC NNNN [RFC9835] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
| l2nm | ietf-l3vpn-ntw ietf-l2vpn-ntw | [RFC9291] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
| l2vpn-svc | ietf-l2vpn-svc | [RFC8466] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
| l3nm | ietf-l3vpn-ntw | [RFC9182] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
| l3vpn-svc | ietf-l3vpn-svc | [RFC8299] |
+-----------+----------------+-------------------------+
+-----------+----------------+--------------------------+
Table 1: Modules and Their Associated Prefixes
3. Relationship to Other AC Data Models
Figure 1 depicts the relationship between the various AC data models:
* "ietf-ac-common" ([I-D.ietf-opsawg-teas-common-ac]) [RFC9833]
* "ietf-bearer-svc" (Section 5.1 6.1 of
[I-D.ietf-opsawg-teas-attachment-circuit]) [RFC9834])
* "ietf-ac-svc" (Section 5.2 6.2 of
[I-D.ietf-opsawg-teas-attachment-circuit]) [RFC9834])
* "ietf-ac-ntw" ([I-D.ietf-opsawg-ntw-attachment-circuit]) [RFC9835]
* "ietf-ac-glue" (Section 6)
ietf-ac-common
^ ^ ^
| | |
.----------' | '----------.
| | |
| | |
ietf-ac-svc <--- ietf-bearer-svc |
^ ^ |
| | |
| '------------------------ ietf-ac-ntw
| ^
| |
| |
'------------ ietf-ac-glue ----------'
X --> Y: X imports Y
Figure 1: AC Data Models
The "ietf-ac-common" module is imported by the "ietf-bearer-svc",
"ietf-ac-svc", and "ietf-ac-ntw" modules. Bearers managed using the
"ietf-bearer-svc" module may be referenced by service ACs managed
using the "ietf-ac-svc" module. Similarly, a bearer managed using
the "ietf-bearer-svc" module may list the set of ACs that use that
bearer. To facilitate correlation between an AC service request and
the actual AC provisioned in the network, "ietf-ac-ntw" leverages the
AC references exposed by the "ietf-ac-svc" module. Furthermore, to
bind Layer 2 VPN (L2VPN) or Layer 3 VPN (L3VPN) services with ACs,
the "ietf-ac-glue" module augments the LxSM and LxNM with AC service
references exposed by the "ietf-ac-svc" module and AC network
references exposed by the "ietf-ac-ntw" module.
4. Sample Uses of the Data Models
4.1. ACs Terminated by One or Multiple Customer Edges (CEs)
Figure 2 depicts two target topology flavors that involve ACs. These
topologies have the following characteristics:
* A Customer Edge (CE) can be either a physical device or a logical
entity. Such logical entity is typically a software component
(e.g., a virtual service function that is hosted within the
provider's network or a third-party infrastructure). A CE is seen
by the network as a peer Service Attachment Point (SAP) [RFC9408].
* CEs may be either dedicated to one single connectivity service or
host multiple connectivity services (e.g., CEs with roles of
service functions [RFC7665]).
* A network provider may bind a single AC to one or multiple peer
SAPs (e.g., CE1 and CE2 are tagged as peer SAPs for the same AC).
For example, and as discussed in [RFC4364], multiple CEs can be
attached to a PE over the same attachment circuit. This scenario
is typically implemented when the Layer 2 infrastructure between
the CE and the network is a multipoint service.
* A single CE may terminate multiple ACs, which can be associated
with the same bearer or distinct bearers (e.g., CE4).
* Customers may request protection schemes in which the ACs
associated with their endpoints are terminated by the same PE
(e.g., CE3), distinct PEs (e.g., CE4), etc. The network provider
uses this request to decide where to terminate the AC in the
service provider network and also whether to enable specific
capabilities (e.g., Virtual Router Redundancy Protocol (VRRP)).
.--------------------.
| |
.------. | .--. (b1) .-----.
| +----. | | +---AC---+ |
| CE1 | | | |PE+---AC---+ CE3 |
'------' | .--. '--' (b2) '-----'
+---AC--+PE| Network |
.------. | '--' .--. (b3) .-----.
| | | | | +---AC---+ |
| CE2 +----' | |PE+---AC---+ CE4 |
'------' | '--' (b3) '---+-'
| .--. | |
'----------+PE+------' |
'--' |
| |
'-----------AC----------'
(bx) = bearer Id x
Figure 2: Examples of ACs
These ACs can be referenced when creating VPN services. Refer to the
examples provided in Appendix A to illustrate how VPN services can be
bound to ACs.
4.2. Separate AC Provisioning From from Actual VPN Service Provisioning
The procedure to provision a service in a service provider network
may depend on the practices adopted by a service provider. This
includes the flow put in place for the provisioning of advanced
network services and how they are bound to an attachment circuit.
For example, a single attachment circuit may be used to host multiple
connectivity services (e.g., Layer 2 VPN ("ietf-l2vpn-svc"), Layer 3
VPN ("ietf-l3vpn-svc"), Network Slice Service ("ietf-network-slice-
service")). In order to avoid service interference and redundant
information in various locations, a service provider may expose an
interface to manage ACs network-wide using
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834]. Customers can
request for an attachment circuit ("ietf-ac-svc") to be put in place, place
and then refer to that AC when requesting VPN services that are bound
to the AC ("ietf-ac-glue").
Also, internal references ("ietf-ac-ntw") used within a service
provider network to implement ACs can be used by network controllers
to glue the L2NM ("ietf-l2vpn-ntw") or the L3NM ("ietf-l3vpn-ntw")
services with relevant ACs.
Figure 3 shows the positioning of the AC models in the overall
service delivery process.
.-------------.
| Customer |
'------+------'
Customer Service Models |
ietf-l2vpn-svc, ietf-l3vpn-svc, | ietf-network-slice-service,
ietf-ac-svc, ietf-ac-glue, | and ietf-bearer-svc
.------+------.
| Service |
| Orchestration |
'------+------'
Network Models |
ietf-l2vpn-ntw, ietf-l3vpn-ntw, | ietf-sap-ntw, ietf-ac-glue,
and ietf-ac-ntw |
.------+------.
| Network |
| Orchestration |
'------+------'
Network Configuration Model |
.-----------+-----------.
| |
.-------+-----. .-------+-----.
| Domain | | Domain |
| Orchestration | | Orchestration |
'--+--------+-' '-------+-----'
Device | | |
Configuration | | |
Models | | |
.---+---. | |
| Config | | |
| Manager | | |
'---+---' | |
| | |
NETCONF/CLI.......................
| | |
.--------------------------------.
.---. Bearer | | Bearer .---.
|CE#1+--------+ Network +--------+CE#2|
'---' | | '---'
'--------------------------------'
Site A Site B
Figure 3: An Example of AC Models Usage
5. Module Tree Structure
[RFC8299] specifies that a 'site-network-access' attachment is
achieved through a 'bearer' with an 'ip-connection' on top. From
that standpoint, a 'site-network-access' is mapped to an attachment
circuit with both Layers Layer 2 and 3 properties per
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834]. [RFC8466]
specifies that a 'site-network-access' represents a logical Layer 2
connection to a site. A 'site-network-access' can thus be mapped to
an attachment circuit with Layer 2 properties
[I-D.ietf-opsawg-teas-attachment-circuit]. [RFC9834]. Similarly, 'vpn-network-
access'
'vpn-network-access' defined in both [RFC9182] and [RFC9291] is
mapped to an attachment circuit per [I-D.ietf-opsawg-teas-attachment-circuit] [RFC9834] or
[I-D.ietf-opsawg-ntw-attachment-circuit]. [RFC9835].
As such, ACs created using the "ietf-ac-svc" module
[I-D.ietf-opsawg-teas-attachment-circuit] [RFC9834] can be
referenced in other VPN-related modules (e.g., LxSM and LxNM). Also,
ACs managed using the "ietf-ac-ntw" module [I-D.ietf-opsawg-ntw-attachment-circuit] [RFC9835] can be
referenced in VPN-related network modules (mainly, the LxNM). The
required augmentations to that aim are shown in Figure 4.
module: ietf-ac-glue
augment /l2vpn-svc:l2vpn-svc/l2vpn-svc:sites/l2vpn-svc:site
/l2vpn-svc:site-network-accesses:
+--rw ac-svc-ref* ac-svc:attachment-circuit-reference
augment /l2vpn-svc:l2vpn-svc/l2vpn-svc:sites/l2vpn-svc:site
/l2vpn-svc:site-network-accesses
/l2vpn-svc:site-network-access:
+--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}?
augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
/l3vpn-svc:site-network-accesses:
+--rw ac-svc-ref* ac-svc:attachment-circuit-reference
augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
/l3vpn-svc:site-network-accesses
/l3vpn-svc:site-network-access:
+--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}?
augment /l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service
/l2nm:vpn-nodes/l2nm:vpn-node/l2nm:vpn-network-accesses:
+--rw ac-svc-ref* ac-svc:attachment-circuit-reference
+--rw ac-ntw-ref* [ac-ref]
+--rw ac-ref leafref
+--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id
augment /l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service
/l2nm:vpn-nodes/l2nm:vpn-node/l2nm:vpn-network-accesses
/l2nm:vpn-network-access:
+--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}?
+--rw ac-ntw-ref {ac-glue}?
+--rw ac-ref? leafref
+--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id
augment /l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service
/l3nm:vpn-nodes/l3nm:vpn-node/l3nm:vpn-network-accesses:
+--rw ac-svc-ref* ac-svc:attachment-circuit-reference
+--rw ac-ntw-ref* [ac-ref]
+--rw ac-ref leafref
+--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id
augment /l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service
/l3nm:vpn-nodes/l3nm:vpn-node/l3nm:vpn-network-accesses
/l3nm:vpn-network-access:
+--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}?
+--rw ac-ntw-ref {ac-glue}?
+--rw ac-ref? leafref
+--rw node-ref? leafref
+--rw network-ref? -> /nw:networks/network/network-id
Figure 4: AC Glue Tree Structure
When an AC is referenced within a specific network access, then that AC
information takes precedence over any overlapping information that is
also enclosed for this network access.
This approach is consistent with the design in
[I-D.ietf-teas-ietf-network-slice-nbi-yang] [YANG-NSS] where an AC
service reference, called 'ac-svc-name', is used to indicate the
names of AC services. As per [I-D.ietf-teas-ietf-network-slice-nbi-yang], [YANG-NSS], when both 'ac-svc-name' and
the attributes of 'attachment-
circuits' 'attachment-circuits' are defined, the 'ac-svc-name' 'ac-svc-
name' takes precedence.
The "ietf-ac-glue" module includes provisions to reference ACs within
or outside a VPN network access to accommodate deployment contexts
where an AC reference may be created before or after a VPN instance
is created. Appendix A.1 illustrates how an AC reference can be
included as part of a specific VPN network access, while Appendix A.2
shows how AC references can be indicated outside individual VPN
network access entries.
6. The AC Glue ("ietf-ac-glue") YANG Module
This modules augments the L2SM [RFC8466], the L3SM [RFC8299], the
L2NM [RFC9291], and the L3NM [RFC9182].
This module uses references defined in
[I-D.ietf-opsawg-teas-attachment-circuit] [RFC9834] and
[I-D.ietf-opsawg-ntw-attachment-circuit]. [RFC9835].
<CODE BEGINS> file "ietf-ac-glue@2025-01-07.yang" "ietf-ac-glue@2025-08-11.yang"
module ietf-ac-glue {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ac-glue";
prefix ac-glue;
import ietf-l3vpn-svc {
prefix l3vpn-svc;
reference
"RFC 8299: YANG Data Model for L3VPN Service Delivery";
}
import ietf-l2vpn-svc {
prefix l2vpn-svc;
reference
"RFC 8466: A YANG Data Model for Layer 2 Virtual Private
Network (L2VPN) Service Delivery";
}
import ietf-l3vpn-ntw {
prefix l3nm;
reference
"RFC 9182: A YANG Network Data Model for Layer 3 VPNs";
}
import ietf-l2vpn-ntw {
prefix l2nm;
reference
"RFC 9291: A YANG Network Data Model for Layer 2 VPNs";
}
import ietf-ac-svc {
prefix ac-svc;
reference
"RFC SSSS: 9834: YANG Data Models for Bearers and 'Attachment
Circuits'-as-a-Service Attachment
Circuits-as-a-Service (ACaaS)";
}
import ietf-ac-ntw {
prefix ac-ntw;
reference
"RFC NNNN: 9835: A Network YANG Data Model for Attachment Circuits";
}
organization
"IETF OPSAWG (Operations and Management Area Working Group)";
contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org>
Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com>
Author: Richard Roberts
<mailto:rroberts@juniper.net>
Author: Samier Barguil
<mailto:ssamier.barguil_giraldo@nokia.com>
Author: Oscar Gonzalez de Dios
<mailto:oscar.gonzalezdedios@telefonica.com>";
description
"This YANG module defines a YANG data model for augmenting the
LxSM and the LxNM with attachment circuit references.
Copyright (c) 2025 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; 9836; see the
RFC itself for full legal notices.";
revision 2025-01-07 2025-08-11 {
description
"Initial revision.";
reference
"RFC XXXX: 9836: A YANG Data Model for Augmenting VPN Service
and Network Models with Attachment Circuits";
}
feature ac-glue {
description
"The VPN implementation supports binding a specific VPN
network access or site access to an attachment circuit.";
}
grouping single-ac-svc-ref {
description
"A grouping with a single reference to a service AC.";
leaf ac-svc-ref {
type ac-svc:attachment-circuit-reference;
description
"A reference to the AC as exposed at the service that was
provisioned using the ACaaS module.";
}
}
grouping single-ac-svc-ntw-ref {
description
"A grouping with single AC references.";
leaf ac-svc-ref {
type ac-svc:attachment-circuit-reference;
description
"A reference to the AC as exposed at the service that was
provisioned using the ACaaS module.";
}
container ac-ntw-ref {
description
"A reference to the AC that was provisioned using the AC
network module.";
uses ac-ntw:attachment-circuit-reference;
}
}
grouping ac-svc-ref {
description
"A set of service-specific AC-related data.";
leaf-list ac-svc-ref {
type ac-svc:attachment-circuit-reference;
description
"A reference to the AC as exposed at the service that was
provisioned using the ACaaS module.";
}
}
grouping ac-svc-ntw-ref {
description
"A set of AC-related data.";
leaf-list ac-svc-ref {
type ac-svc:attachment-circuit-reference;
description
"A reference to the AC as exposed at the service that was
provisioned using the ACaaS module.";
}
list ac-ntw-ref {
key "ac-ref";
description
"A reference to the AC that was provisioned using the AC
network module.";
uses ac-ntw:attachment-circuit-reference;
}
}
augment "/l2vpn-svc:l2vpn-svc"
+ "/l2vpn-svc:sites/l2vpn-svc:site"
+ "/l2vpn-svc:site-network-accesses" {
description
"Augments VPN site network accesses with AC provisioning
details. Concretely, it binds a site to a set of
attachment circuits with Layer 2 properties that were
created using the ACaaS module.";
uses ac-svc-ref;
}
augment "/l2vpn-svc:l2vpn-svc"
+ "/l2vpn-svc:sites/l2vpn-svc:site"
+ "/l2vpn-svc:site-network-accesses"
+ "/l2vpn-svc:site-network-access" {
if-feature "ac-glue";
description
"Augments VPN site network access with AC provisioning
details. Concretely, it glues a 'site-network-access'
to an attachment circuit with Layer 2 properties that was
created using the ACaaS module.
The ACaaS information takes precedence over any overlapping
information that is also provided for a site network access.";
uses single-ac-svc-ref;
}
augment "/l3vpn-svc:l3vpn-svc"
+ "/l3vpn-svc:sites/l3vpn-svc:site"
+ "/l3vpn-svc:site-network-accesses" {
description
"Augments VPN site network accesses with AC provisioning
details. Concretely, it binds a site to a set of attachment
circuits with both Layers Layer 2 and Layer 3 properties that were
created using the ACaaS module.";
uses ac-svc-ref;
}
augment "/l3vpn-svc:l3vpn-svc"
+ "/l3vpn-svc:sites/l3vpn-svc:site"
+ "/l3vpn-svc:site-network-accesses"
+ "/l3vpn-svc:site-network-access" {
if-feature "ac-glue";
description
"Augments VPN site network access with AC provisioning
details. Concretely, it glues a 'site-network-access' to an
attachment circuit with both Layer 2 and Layer 3 properties
that was created using the ACaaS module.
The ACaaS information takes precedence over any overlapping
information that is also provided for a site network access.";
uses single-ac-svc-ref;
}
augment "/l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service"
+ "/l2nm:vpn-nodes/l2nm:vpn-node"
+ "/l2nm:vpn-network-accesses" {
description
"Augments VPN network accesses with both service and network
AC provisioning details. Concretely, it binds a site to (1)
a set of attachment circuits with Layer 2 properties that were
created using the ACaaS module and (2) a set of attachment
circuits with Layer 2 properties that were provisioned using
the AC network model.";
uses ac-svc-ntw-ref;
}
augment "/l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service"
+ "/l2nm:vpn-nodes/l2nm:vpn-node"
+ "/l2nm:vpn-network-accesses"
+ "/l2nm:vpn-network-access" {
if-feature "ac-glue";
description
"Augments VPN network access with service and network
references to an AC. Concretely, it glues a VPN network
access to (1) an attachment circuit with Layer 2 properties
that was created using the ACaaS module and (2) an attachment
circuit with Layer 2 properties that was created using the AC
network module.
The AC service and network information takes precedence over
any overlapping information that is also provided for a VPN
network access.";
uses single-ac-svc-ntw-ref;
}
augment "/l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service"
+ "/l3nm:vpn-nodes/l3nm:vpn-node"
+ "/l3nm:vpn-network-accesses" {
description
"Augments VPN network accesses with both service and network
AC provisioning details. Concretely, it binds a site to (1)
a set of attachment circuits with both Layer 2 and Layer 3
properties that were created using the ACaaS module and (2)
a set of attachment circuits with both Layer 2 and Layer 3
properties that were provisioned using the AC network model.";
uses ac-svc-ntw-ref;
}
augment "/l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service"
+ "/l3nm:vpn-nodes/l3nm:vpn-node"
+ "/l3nm:vpn-network-accesses"
+ "/l3nm:vpn-network-access" {
if-feature "ac-glue";
description
"Augments VPN network access with service and network
references to an AC. Concretely, it glues a VPN network
access to (1) an attachment circuit with both Layer 2 and
Layer 3 properties that was created using the ACaaS module
and (2) an attachment circuit with both Layer 2 and Layer 3
properties that was created using the AC network module.
The AC service and network information takes precedence over
any overlapping information that is also provided for a VPN
network access.";
uses single-ac-svc-ntw-ref;
}
}
<CODE ENDS>
7. Security Considerations
This section is modeled after the template described in Section 3.7
of [I-D.ietf-netmod-rfc8407bis]. [YANG-GUIDELINES].
The "ietf-ac-common" YANG module defines a data model that is
designed to be accessed via YANG-based management protocols, such as
NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have to
use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and
QUIC [RFC9000]) and have to use mutual authentication.
The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content.
There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, "config true", which is the
default). These All writable data nodes may are likely to be considered reasonably
sensitive or vulnerable in some network environments. Write
operations (e.g., edit-config) and delete operations to these data
nodes without proper protection or authentication can have a negative
effect on network operations.
Specifically, the The following subtrees and data nodes
have particular sensitivities/vulnerabilities:
'ac-svc-ref' and 'ac-ntw-ref': An attacker who is able to access
network nodes can undertake various attacks, such as deleting a
running VPN service, interrupting all the traffic of a client.
Specifically, an attacker may modify (including delete) the ACs
that are bound to a running service, leading to malfunctioning of
the service and therefore to Service Level Agreement (SLA)
violations. : Such activity can be detected by adequately
monitoring and tracking network configuration changes.
Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. Specifically, the following
subtrees and data nodes have particular sensitivities/
vulnerabilities:
'ac-svc-ref' and 'ac-ntw-ref': These references do not expose per se
privacy-related information, however information per se; however, 'ac-svc-ref' may be
used to track the set of VPN instances in which a given customer
is involved.
Note that, unlike 'ac-svc-ref', 'ac-ntw-ref' is unique within the
scope of a node and may multiplex many peer CEs.
8. IANA Considerations
IANA is requested to register has registered the following URI in the "ns" subregistry within
the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-ac-glue
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
IANA is requested to register has registered the following YANG module in the "YANG Module
Names" registry [RFC6020] within the "YANG Parameters" registry
group:
Name: ietf-ac-glue
Namespace: urn:ietf:params:xml:ns:yang:ietf-ac-glue
Prefix: ac-glue
Maintained by IANA? N
Namespace: urn:ietf:params:xml:ns:yang:ietf-ac-glue
Prefix: ac-glue
Reference: RFC XXXX 9836
9. References
9.1. Normative References
[I-D.ietf-opsawg-ntw-attachment-circuit]
Boucadair, M., Roberts, R., de Dios, O. G., Barguil, S.,
and B. Wu, "A Network YANG Data Model for Attachment
Circuits", Work in Progress, Internet-Draft, draft-ietf-
opsawg-ntw-attachment-circuit-15, 9 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
ntw-attachment-circuit-15>.
[I-D.ietf-opsawg-teas-attachment-circuit]
Boucadair, M., Roberts, R., de Dios, O. G., Barguil, S.,
and B. Wu, "YANG Data Models for Bearers and 'Attachment
Circuits'-as-a-Service (ACaaS)", Work in Progress,
Internet-Draft, draft-ietf-opsawg-teas-attachment-circuit-
19, 9 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
teas-attachment-circuit-19>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/rfc/rfc3688>.
<https://www.rfc-editor.org/info/rfc3688>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/info/rfc4252>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/rfc/rfc6020>.
<https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
"YANG Data Model for L3VPN Service Delivery", RFC 8299,
DOI 10.17487/RFC8299, January 2018,
<https://www.rfc-editor.org/rfc/rfc8299>.
<https://www.rfc-editor.org/info/rfc8299>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/rfc/rfc8341>.
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/rfc/rfc8342>.
<https://www.rfc-editor.org/info/rfc8342>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
Data Model for Layer 2 Virtual Private Network (L2VPN)
Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
2018, <https://www.rfc-editor.org/rfc/rfc8466>. <https://www.rfc-editor.org/info/rfc8466>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>.
[RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M.,
Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model
for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182,
February 2022, <https://www.rfc-editor.org/rfc/rfc9182>. <https://www.rfc-editor.org/info/rfc9182>.
[RFC9291] Boucadair, M., Ed., Gonzalez de Dios, O., Ed., Barguil,
S., and L. Munoz, "A YANG Network Data Model for Layer 2
VPNs", RFC 9291, DOI 10.17487/RFC9291, September 2022,
<https://www.rfc-editor.org/rfc/rfc9291>.
9.2. Informative References
[I-D.ietf-netmod-rfc8407bis]
Bierman, A.,
<https://www.rfc-editor.org/info/rfc9291>.
[RFC9834] Boucadair, M., Ed., Roberts, R., Ed., Gonzalez de Dios,
O., Barguil, S., and Q. B. Wu, "Guidelines "YANG Data Models for
Authors Bearers
and Reviewers of Documents Containing YANG Data
Models", Work in Progress, Internet-Draft, draft-ietf-
netmod-rfc8407bis-22, 14 January Attachment Circuits-as-a-Service (ACaaS)", RFC 9834,
DOI 10.17487/RFC9834, August 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod-
rfc8407bis-22>.
[I-D.ietf-opsawg-teas-common-ac]
<https://www.rfc-editor.org/info/rfc9834>.
[RFC9835] Boucadair, M., Ed., Roberts, R., Gonzalez de Dios, O. G., O.,
Barguil, S., and B. Wu, "A Common Network YANG Data Model for
Attachment Circuits", Work in Progress, Internet-Draft, draft-ietf-
opsawg-teas-common-ac-15, 23 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-
teas-common-ac-15>.
[I-D.ietf-teas-ietf-network-slice-nbi-yang]
Wu, B., Dhody, D., Rokui, R., Saad, T., and J. Mullooly,
"A YANG Data Model for the RFC 9543 Network Slice
Service", Work in Progress, Internet-Draft, draft-ietf-
teas-ietf-network-slice-nbi-yang-18, 21 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas-
ietf-network-slice-nbi-yang-18>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, 9835, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/rfc/rfc4252>. 10.17487/RFC9835,
August 2025, <https://www.rfc-editor.org/info/rfc9835>.
9.2. Informative References
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <https://www.rfc-editor.org/rfc/rfc4364>. <https://www.rfc-editor.org/info/rfc4364>.
[RFC4664] Andersson, L., Ed. and E. Rosen, Ed., "Framework for Layer
2 Virtual Private Networks (L2VPNs)", RFC 4664,
DOI 10.17487/RFC4664, September 2006,
<https://www.rfc-editor.org/rfc/rfc4664>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/rfc/rfc6241>.
<https://www.rfc-editor.org/info/rfc4664>.
[RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
Chaining (SFC) Architecture", RFC 7665,
DOI 10.17487/RFC7665, October 2015,
<https://www.rfc-editor.org/rfc/rfc7665>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/rfc/rfc8040>.
<https://www.rfc-editor.org/info/rfc7665>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/rfc/rfc8340>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/rfc/rfc9000>.
<https://www.rfc-editor.org/info/rfc8340>.
[RFC9408] Boucadair, M., Ed., Gonzalez de Dios, O., Barguil, S., Wu,
Q., and V. Lopez, "A YANG Network Data Model for Service
Attachment Points (SAPs)", RFC 9408, DOI 10.17487/RFC9408,
June 2023, <https://www.rfc-editor.org/rfc/rfc9408>. <https://www.rfc-editor.org/info/rfc9408>.
[RFC9833] Boucadair, M., Ed., Roberts, R., Ed., Gonzalez de Dios,
O., Barguil, S., and B. Wu, "A Common YANG Data Model for
Attachment Circuits", RFC 9833, DOI 10.17487/RFC9833,
August 2025, <https://www.rfc-editor.org/info/rfc9833>.
[YANG-GUIDELINES]
Bierman, A., Boucadair, M., Ed., and Q. Wu, "Guidelines
for Authors and Reviewers of Documents Containing YANG
Data Models", Work in Progress, Internet-Draft, draft-
ietf-netmod-rfc8407bis-22, 14 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod-
rfc8407bis-22>.
[YANG-NSS] Wu, B., Dhody, D., Rokui, R., Saad, T., and J. Mullooly,
"A YANG Data Model for the RFC 9543 Network Slice
Service", Work in Progress, Internet-Draft, draft-ietf-
teas-ietf-network-slice-nbi-yang-25, 9 May 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas-
ietf-network-slice-nbi-yang-25>.
Appendix A. Examples
A.1. A Service AC Reference within The Within the VPN Network Access
Let us consider the example depicted in Figure 5 5, which is inspired
from Section 2.1 of [RFC4664]. Each PE is servicing two CEs. Let us
also assume that the service references to identify attachment
circuits with these CEs are shown in the figure. Figure 5.
.----. .----.
| | AC1 AC2 | |
| CE1 |--+ 2001:db8:100::1 2001:db8:200::1 +--| CE2 |
| | | .-----. .-----. .-----. | | |
'----' +----|---- | | P | | ----+----+ '----'
|VPWS\----|-----|-----|/VPWS|
| PE1 |===|=====|=====| PE2 |
| /|---|-----|-----|\\ |
.----. +----|---- | | | | ----|----+ .----.
| | | '-----' '-----' '-----' | | |
| CE3 |--+ +--| CE4 |
| | AC3 AC4 | |
'----' '----'
Figure 5: VPWS Topology Example
As shown in Figure 6, the service AC references can be explicitly
indicated in the L2NM query for the realization of the Virtual
Private Wire Service (VPWS) (Section 3.1.1 of [RFC4664]).
=============== NOTE: '\' line wrapping per RFC 8792 ================
{
"ietf-l2vpn-ntw:l2vpn-ntw":{
"vpn-services":{
"vpn-service":[
{
"vpn-id":"vpws12345",
"vpn-description":"Sample VPWS with AC service \
references",
"customer-name":"customer-12345",
"vpn-type":"ietf-vpn-common:vpws",
"bgp-ad-enabled":true,
"signaling-type":"ietf-vpn-common:ldp-signaling",
"global-parameters-profiles":{
"global-parameters-profile":[
{
"profile-id":"simple-profile",
"local-autonomous-system":65550,
"rd-auto":{
"auto":[
null
]
},
"vpn-target":[
{
"id":1,
"route-targets":[
{
"route-target":"0:65535:1"
}
],
"route-target-type":"both"
}
]
}
]
},
"vpn-nodes":{
"vpn-node":[
{
"vpn-node-id":"pe1",
"ne-id":"2001:db8:100::1",
"active-global-parameters-profiles":{
"global-parameters-profile":[
{
"profile-id":"simple-profile"
}
]
},
"bgp-auto-discovery":{
"vpn-id":"587"
},
"signaling-option":{
"advertise-mtu":true,
"ldp-or-l2tp":{
"saii":1,
"remote-targets":[
{
"taii":2
}
],
"t-ldp-pw-type":"ethernet"
}
},
"vpn-network-accesses":{
"vpn-network-access":[
{
"id":"1/1/1.1",
"interface-id":"1/1/1",
"description":"Interface to CE1",
"active-vpn-node-profile":"simple-\
profile",
"status":{
"admin-status":{
"status":"ietf-vpn-common:\
admin-up"
},
"ietf-ac-glue:ac-svc-ref":"AC1"
}
},
{
"id":"1/1/3.1",
"interface-id":"1/1/3",
"description":"Interface to CE3",
"active-vpn-node-profile":"simple-\
profile",
"status":{
"admin-status":{
"status":"ietf-vpn-common:\
admin-up"
},
"ietf-ac-glue:ac-svc-ref":"AC3"
}
}
]
}
},
{
"vpn-node-id":"pe2",
"ne-id":"2001:db8:200::1",
"active-global-parameters-profiles":{
"global-parameters-profile":[
{
"profile-id":"simple-profile"
}
]
},
"bgp-auto-discovery":{
"vpn-id":"587"
},
"signaling-option":{
"advertise-mtu":true,
"ldp-or-l2tp":{
"saii":2,
"remote-targets":[
{
"taii":1
}
],
"t-ldp-pw-type":"ethernet"
}
},
"vpn-network-accesses":{
"vpn-network-access":[
{
"id":"2/1/2.1",
"interface-id":"2/1/2",
"description":"Interface to CE2",
"active-vpn-node-profile":"simple-\
profile",
"status":{
"admin-status":{
"status":"ietf-vpn-common:\
admin-up"
},
"ietf-ac-glue:ac-svc-ref":"AC2"
}
},
{
"id":"2/1/4.1",
"interface-id":"2/1/4",
"description":"Interface to CE4",
"active-vpn-node-profile":"simple-\
profile",
"status":{
"admin-status":{
"status":"ietf-vpn-common:\
admin-up"
},
"ietf-ac-glue:ac-svc-ref":"AC4"
}
}
]
}
}
]
}
}
]
}
}
}
Figure 6: Example of VPWS Creation with AC Service References
A.2. Network and Service AC References
Let us consider the example depicted in Figure 7 with two customer
termination points (CE1 and CE2). Let us also assume that the
bearers to attach these CEs to the service provider network are
already in place. References to identify these bearers are shown in
the figure.
Figure 7.
.-----. .--------------. .-----.
.---. | PE1 +===+ +===+ PE2 | .---.
| CE1+------+"450"| | MPLS | |"451"+------+ CE2|
'---' ^ '-----' | | '-----' ^ '---'
| | Core | |
Bearer:1234 '--------------' Bearer:5678
Figure 7: Topology Example
The AC service model [I-D.ietf-opsawg-teas-attachment-circuit] [RFC9834] can be used by the provider to manage
and expose the ACs over existing bearers as shown in Figure 8.
{
"ietf-ac-svc:attachment-circuits": {
"ac-group-profile": [
{
"name": "an-ac-profile",
"l2-connection": {
"encapsulation": {
"type": "ietf-vpn-common:dot1q",
"dot1q": {
"tag-type": "ietf-vpn-common:c-vlan",
"cvlan-id": 550
}
}
},
"service": {
"mtu": 1550,
"svc-pe-to-ce-bandwidth": {
"bandwidth": [
{
"bw-type": "ietf-vpn-common:bw-per-port",
"cir": "20480000"
}
]
},
"svc-ce-to-pe-bandwidth": {
"bandwidth": [
{
"bw-type": "ietf-vpn-common:bw-per-port",
"cir": "20480000"
}
]
},
"qos": {
"qos-profiles": {
"qos-profile": [
{
"profile": "QoS_Profile_A",
"direction": "ietf-vpn-common:both"
}
]
}
}
}
}
],
"ac": [
{
"name": "ac-1",
"description": "First attachment",
"ac-group-profile": [
"an-ac-profile"
],
"l2-connection": {
"bearer-reference": "1234"
}
},
{
"name": "ac-2",
"description": "Second attachment",
"ac-group-profile": [
"an-ac-profile"
],
"l2-connection": {
"bearer-reference": "5678"
}
}
]
}
}
Figure 8: ACs Created Using ACaaS
Let us now consider that the customer wants to request a VPLS Virtual
Private LAN Service (VPLS) instance between the sites as shown in
Figure 9.
|---------- VPLS "1543" ----------|
.-----. .--------------. .-----.
.---. AC1 | PE1 +===+ +===+ PE2 | AC2 .---.
| CE1+------+"450"| | MPLS | |"451"+------+ CE2|
'---' ^ '-----' | | '-----' ^ '---'
| | Core | |
Bearer:1234 '--------------' Bearer:5678
Figure 9: Example of VPLS
To that aim, existing ACs are referenced during the creation of the
VPLS instance using the L2NM [RFC9291] and the "ietf-ac-glue" module
as shown in Figure 10.
{
"ietf-l2vpn-ntw:l2vpn-ntw": {
"vpn-services": {
"vpn-service": [
{
"vpn-id": "1543",
"vpn-name": "CORPO-EXAMPLE",
"customer-name": "EXAMPLE",
"vpn-type": "ietf-vpn-common:vpls",
"vpn-service-topology": "ietf-vpn-common:hub-spoke",
"bgp-ad-enabled": false,
"signaling-type": "ietf-vpn-common:ldp-signaling",
"global-parameters-profiles": {
"global-parameters-profile": [
{
"profile-id": "simple-profile",
"ce-vlan-preservation": true,
"ce-vlan-cos-preservation": true
}
]
},
"vpn-nodes": {
"vpn-node": [
{
"vpn-node-id": "450",
"ne-id": "2001:db8:5::1",
"role": "ietf-vpn-common:hub-role",
"status": {
"admin-status": {
"status": "ietf-vpn-common:admin-up"
}
},
"active-global-parameters-profiles": {
"global-parameters-profile": [
{
"profile-id": "simple-profile"
}
]
},
"signaling-option": {
"ldp-or-l2tp": {
"t-ldp-pw-type": "vpls-type",
"pw-peer-list": [
{
"peer-addr": "2001:db8:50::1",
"vc-id": "1543"
}
]
}
},
"vpn-network-accesses": {
"ietf-ac-glue:ac-svc-ref": ["ac-1"]
}
},
{
"vpn-node-id": "451",
"ne-id": "2001:db8:50::1",
"role": "ietf-vpn-common:spoke-role",
"status": {
"admin-status": {
"status": "ietf-vpn-common:admin-up"
}
},
"active-global-parameters-profiles": {
"global-parameters-profile": [
{
"profile-id": "simple-profile"
}
]
},
"signaling-option": {
"ldp-or-l2tp": {
"t-ldp-pw-type": "vpls-type",
"pw-peer-list": [
{
"peer-addr": "2001:db8:5::1",
"vc-id": "1543"
}
]
}
},
"vpn-network-accesses": {
"ietf-ac-glue:ac-svc-ref": ["ac-2"]
}
}
]
}
}
]
}
}
}
Figure 10: Example of a VPLS Request Using L2NM and AC Glue
(Message Body)
Note that before implementing the VPLS instance creation request, the
provider service orchestrator may first check if the VPLS service can
be provided to the customer using the target delivery locations. The
orchestrator uses the SAP model [RFC9408] as exemplified in
Figure 11. This example assumes that the query concerns only PE1. A
similar query can be issued for PE2.
{
"ietf-sap-ntw:service":[
{
"service-type":"ietf-vpn-common:vpls",
"sap":[
{
"sap-id":"sap#1",
"peer-sap-id":[
"ce-1"
],
"description":"A parent SAP",
"attachment-interface":"GE0/6/1",
"interface-type":"ietf-sap-ntw:phy",
"role":"ietf-sap-ntw:uni",
"allows-child-saps":true,
"sap-status":{
"status":"ietf-vpn-common:op-up"
}
}
]
}
]
}
Figure 11: Example of SAP Response (Message Body)
The response in Figure 11 indicates that the VPLS service can be
delivered to CE1. [I-D.ietf-opsawg-ntw-attachment-circuit] [RFC9835] can be also used to access AC-related
details that are bound to the target SAP (Figure 12).
{
"ietf-sap-ntw:service":[
{
"service-type":"ietf-vpn-common:vpls",
"sap":[
{
"sap-id":"sap#1",
"peer-sap-id":[
"ce-1"
],
"description":"A parent SAP",
"attachment-interface":"GE0/6/1",
"interface-type":"ietf-sap-ntw:phy",
"role":"ietf-sap-ntw:uni",
"allows-child-saps":true,
"sap-status":{
"status":"ietf-vpn-common:op-up"
}
},
{
"sap-id":"sap#11",
"description":"A child SAP",
"parent-termination-point":"GE0/6/4",
"attachment-interface":"GE0/6/4.2",
"interface-type":"ietf-sap-ntw:logical",
"encapsulation-type":"ietf-vpn-common:vlan-type",
"sap-status":{
"status":"ietf-vpn-common:op-up"
},
"ietf-ac-ntw:ac":[
{
"ac-ref":"ac-1",
"node-ref":"example:pe2",
"network-ref":"example:an-id"
}
]
}
]
}
]
}
Figure 12: Example of AC Network Response with SAP (Message Body)
The provisioned AC at PE1 can be retrieved using the AC network model
[I-D.ietf-opsawg-ntw-attachment-circuit]
[RFC9835] as depicted in Figure 13.
{
"ietf-ac-ntw:ac":[
{
"name":"ac-11",
"svc-ref":"ac-1",
"peer-sap-id":[
"ce-1"
],
"status":{
"admin-status":{
"status":"ietf-vpn-common:admin-up"
},
"oper-status":{
"status":"ietf-vpn-common:op-up"
}
},
"l2-connection":{
"encapsulation":{
"encap-type":"ietf-vpn-common:dot1q",
"dot1q":{
"tag-type":"ietf-vpn-common:c-vlan",
"cvlan-id":550
}
},
"bearer-reference":"1234"
},
"service":{
"mtu":1550,
"svc-pe-to-ce-bandwidth":{
"bandwidth":[
{
"bw-type": "ietf-vpn-common:bw-per-port",
"cir":"20480000"
}
]
},
"svc-ce-to-pe-bandwidth":{
"bandwidth":[
{
"bw-type": "ietf-vpn-common:bw-per-port",
"cir":"20480000"
}
]
},
"qos":{
"qos-profiles":{
"qos-profile":[
{
"qos-profile-ref":"QoS_Profile_A",
"network-ref":"example:an-id",
"direction":"ietf-vpn-common:both"
}
]
}
}
}
}
]
}
Figure 13: Example of AC Network Response (Message Body)
Acknowledgments
Thanks to Bo Wu and Qin Wu for the review and comments.
Thanks to Martin Björklund for the yangdoctors YANG Doctors review, Gyan Mishra
for the rtg-dir RTGDIR review, Ron Bonica for the opsdir OPSDIR review, Reese
Enghardt for the genart GENART review, and Prachi Jain for the sec-dir SECDIR
review.
Thanks to Mahesh Jethanandani for the AD review.
Thanks to Gunter Van de Velde for the IESG review.
Authors' Addresses
Mohamed Boucadair (editor)
Orange
Email: mohamed.boucadair@orange.com
Richard Roberts
Juniper
Email: rroberts@juniper.net
Samier Barguil Giraldo
Nokia
Email: samier.barguil_giraldo@nokia.com
Oscar Gonzalez de Dios
Telefonica
Email: oscar.gonzalezdedios@telefonica.com