A YANG Network Data Model for Service Attachment Points (SAPs) Orange
France mohamed.boucadair@orange.com
Telefonica
Madrid Spain oscar.gonzalezdedios@telefonica.com
Nokia
Madrid Spain samier.barguil_giraldo@nokia.com
Huawei
Yuhua District 101 Software Avenue Nanjing Jiangsu 210012 China bill.wu@huawei.com
Nokia
Spain victor.lopez@nokia.com
ops opsawg Service Infrastructure User Network Interface UNI NNI Network-to-Network Interface Inter-AS VPN CE PE Attachment Circuit Service Delivery Point Automation Service Delivery This document defines a YANG data model for representing an abstract view of the provider network topology that contains the points from which its services can be attached (e.g., basic connectivity, VPN, network slices). Also, the model can be used to retrieve the points where the services are actually being delivered to customers (including peer networks). This document augments the 'ietf-network' data model defined in RFC 8345 by adding the concept of Service Attachment Points (SAPs). The SAPs are the network reference points to which network services, such as Layer 3 Virtual Private Network (L3VPN) or Layer 2 Virtual Private Network (L2VPN), can be attached. One or multiple services can be bound to the same SAP. Both User-to-Network Interface (UNI) and Network-to-Network Interface (NNI) are supported in the SAP data model.
Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
  • .  Terminology
  • .  Sample SAP Network Model Usage
  • .  Relationship to Other YANG Data Models
  • .  SAP Module Tree Structure
  • .  SAP YANG Module
  • .  IANA Considerations
  • .  Security Considerations
  • .  References
    • .  Normative References
    • .  Informative References
  • .  A Simplified SAP Network Example
  • .  A Simple Example of the SAP Network Model: Node Filter
  • .  An Example of an NNI SAP: Inter-AS VPN Option A
  • .  Examples of Using the SAP Network Model in Service Creation
  • Acknowledgements
  • Authors' Addresses
Introduction Service providers offer a variety of network services to their customers. Such services include, but are not limited to, Virtual Private Networks (VPNs), Software-Defined Wide-Area Network (SD-WAN) overlay networks , and network slices . In order to rationalize the overall service operations and allow for more automated service provisioning procedures, service providers need to maintain a view on where services can be delivered to customers. For example, such a view can be used to feed an intelligence entity that is responsible for service order handling, service feasibility checks, tracking per-service coverage, etc. (e.g., ). To that aim, this document introduces the concept of Service Attachment Points (SAPs). The SAPs represent the network reference points where network services can be delivered to customers. For example, this concept is used to decide where to attach and thus deliver the service in the Layer 3 VPN Service Model (L3SM) and the Layer 2 VPN Service Model (L2SM) . It can also be used to retrieve where such services are delivered to customers through the network configuration described in the Layer 3 VPN Network Model (L3NM) and the Layer 2 VPN Network Model (L2NM) . This document defines a YANG network model () for representing, managing, and controlling the SAPs. The data model augments the 'ietf-network' module by adding the concept of SAPs. provides a sample usage of the model. This document explains the scope and purpose of a SAP network model and its relationship to other models (). A network may support multiple services, potentially of different types. Whether a SAP topology is dedicated to services of a specific service type or an individual service, or is shared among many services of different types, is deployment specific. This document supports all of these deployment schemes. This document does not make any assumptions about the services provided by a network to its users. VPN services (e.g., Layer 3 Virtual Private Network (L3VPN) or Layer 2 Virtual Private Network (L2VPN)) are used for illustration purposes (Appendices  and ). Given that User-to-Network Interface (UNI) and Network-to-Network Interface (NNI) are reference points that are widely used by operators to indicate the demarcation points when delivering services, both UNI and NNI SAPs are supported in this document. The reader may refer to , , , or for examples of discussions regarding the use of UNI and NNI reference points. An example of NNI usage in a VPN context is provided in . The YANG data model in conforms to the Network Management Datastore Architecture (NMDA) .
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document assumes that the reader is familiar with the contents of , , , and , as it uses terms from those RFCs. The meanings of the symbols in tree diagrams are defined in . This document uses the term "network model" as defined in . This document uses the following terms:
Service provider:
The organization responsible for operating the network that offers a service (e.g., a VPN) to customers.
Attachment Circuit (AC):
A channel that connects a Customer Edge (CE) to a Provider Edge (PE).
Customer Edge (CE):
Equipment that is dedicated to a particular customer and is directly connected to one or more PEs via ACs. A CE is usually located at the customer premises. A CE may be dedicated to a single service (e.g., an L3VPN), although it may support multiple VPNs if each one has separate ACs. A CE can be a router, a bridge, a switch, etc.
Provider Edge (PE):
Equipment owned and managed by the service provider that can support multiple services (e.g., VPNs) for different customers. A PE is directly connected to one or more CEs via ACs.
Service Attachment Points (SAPs):
An abstraction of the network reference points (e.g., the PE side of an AC, or the CE side of an AC for a provider-managed CE) where network services can be delivered and/or are delivered to customers. A SAP can be bound to one or multiple ACs.
Sample SAP Network Model Usage A service provider network's management operations can be automated using a variety of means such as interfaces based on YANG modules . From that standpoint, and considering the architecture depicted in , a goal of this document is to provide a mechanism to show, via a YANG-based interface, an abstracted network view from the network controller to the service orchestration layer with a focus on where a service can be delivered to customers. The model is also used to retrieve the network reference points where a service is being delivered to customers. For services that require resources from peer networks, the model can also be used to expose NNIs.
SAP Network Model Usage +-----------------+ | Customer | +--------+--------+ Customer Service Models | (e.g., L3SM, L2SM) | +--------+--------+ | Service | | Orchestration | +------+---+------+ Network Models | | SAP Network Model (e.g., L3NM, L2NM) | | +------+---+------+ | Network | | Controller | +--------+--------+ | +---------------------+---------------------+ | Network | +-------------------------------------------+
The reader may refer to for an overview of the building blocks that are usually invoked when characterizing a service provider network. The service orchestration layer does not need to know about all the internals of the underlying network (e.g., P nodes ()). shows the abstract network view as seen by a service orchestrator. However, this view is not enough to provide to the service orchestration layer the information to create services in the network. The service topology needs to be able to expose the set of nodes and the attachment points associated with the nodes from which network services can be grafted (delivered).
Abstract Network Topology .---------. .---------. | PE1 | | PE2 | '---------' '---------' \ / \------/ ( ) ( ) ( ) /------\ / \ .---------. .---------. | PE3 | | PE4 | '---------' '---------'
Typically, and focusing on the UNIs, the service orchestration layer would see a set of PEs and a set of client-facing interfaces (physical or logical) to which CEs can be connected (or are actually connected). Such interfaces are also referred to as UNI-N (User-to-Network Interface, Network side) . The service orchestration layer can use these interfaces to set up the requested services or to commit the delivery of a service. depicts a sample SAP network topology that is maintained by the network controller and exposed to the service orchestration.
A SAP Network Topology .-+-. .-+-. .-+-. .-+-. .-+-. .-|sap|-|sap|-|sap|-. .-|sap|-------|sap|-. | '---' '---' '---' | | '---' '---' | .---. | | | |sap| PE1 | | PE2 | '---' | | | | | | | '-------------------' '-------------------' .-------------------. .-------------------. | | | | | | | .---. | PE3 | | PE4 |sap| | | | '---' | .---. .---. .---. | | .---. .---. .---. | '-|sap|-|sap|-|sap|-' '-|sap|-|sap|-|sap|-' '-+-' '-+-' '-+-' '-+-' '-+-' '-+-'
A single SAP network topology can be used for one or multiple service types (e.g., L3VPN, Ethernet VPN (EVPN)). The network controller can then expose the service types and associated interfaces via the SAPs. As shown in , the service orchestration layer will also have access to a set of customer service models (e.g., the L3SM or the L2SM) in the customer-facing interface and a set of network models (e.g., the L3NM and network topology data models) in the resource-facing interface. In this use case, it is assumed that the network controller is unaware of what happens beyond the PEs towards the CEs; it is only responsible for the management and control of the SAPs and the network between PEs. In order to correlate between delivery points expressed in service requests and SAPs, the SAP model may include a peer customer point identifier. That identifier can be a CE identifier, a site identifier, etc.
Network Topology with CEs and ACs .---. |CE2| '-+-' | .-+-. .-+-. .-+-. .-+-. .-+-. .-|sap|-|sap|-|sap|-. .-|sap|-------|sap|-. | '---' '---' '---' | | '---' '---' | .---. .---. | | | |CE1+--+sap| PE1 | | PE2 | '---' '---' | | | | | | | '-------------------' '-------------------' .-------------------. .-------------------. | | | | | | | .---. .---. | PE3 | | PE4 |sap+--+CE5| | | | '---' '---' | .---. .---. .---. | | .---. .---. .---. | '-|sap|-|sap|-|sap|-' '-|sap|-|sap|-|sap|-' '-+-' '-+-' '-+-' '-+-' '-+-' '-+-' | | | .-+-. | .-+-. |CE3+---------------' |CE4| '---' '---'
Refer to for an example echoing the topology depicted in .
Relationship to Other YANG Data Models The SAP network model can be seen as inventory data associated with SAPs. The model maintains an inventory of customer-facing nodes contained in a network relying upon . depicts the relationship of the SAP network model to other models. The SAP network model augments the network model defined in and imports the network topology model defined in , while other technology-specific topology models (e.g., the model for Traffic Engineering (TE) topologies or the model for Layer 3 topologies ) augment the network topology model defined in .
Relationship of SAP Network Model to Other Models +-------------------------+ | | | Abstract Network Model | | | +------------+------------+ | +---------+---------+ | | +------V------+ +------V------+ | Abstract | | Inventory | | Network | | Models | | Topology | | (e.g., SAP | | Model | | Network | | | | Model) | +-----+-------+ +-------------+ | +-----------+-----------+ | | | +----V----+ +----V----+ +----V----+ |TE Topo | |L3 Topo | |L2 Topo | | Model | | Model | | Model | ... +---------+ +---------+ +---------+
SAPs can be seen as customer-facing termination points (TPs) with specific service provisions. However, one difference between SAPs and TPs is that links are terminated by a single TP () while an AC can be terminated by multiple SAPs. Also, a SAP is neither a tunnel termination point (TTP) () nor a link. In the context of Software-Defined Networking (SDN) , the SAP YANG data model can be used to exchange information between control elements, so as to support VPN service provision and resource management as discussed in and . Through this data model, the service orchestration layer can learn the available endpoints (i.e., SAPs) of interconnection resources of the underlying network. The service orchestration layer can determine which interconnection endpoints to add to an L2VPN or L3VPN service. With the help of other data models (e.g., the L3SM or the L2SM ), hierarchical control elements can also assess the feasibility of end-to-end IP connectivity or L2VPN connectivity and therefore can derive the sequence of domains and the points of interconnection to use. Advanced interface-specific data nodes are not included in the SAP model. The interface identifiers listed in the SAP model can be used as filters to set or get such data using device models (e.g., ).
SAP Module Tree Structure The SAP network model 'ietf-sap-ntw' builds on the 'ietf-network' module by augmenting the nodes with SAPs. The structure of the 'ietf-sap-ntw' module is shown in .
SAP YANG Module Tree Structure module: ietf-sap-ntw augment /nw:networks/nw:network/nw:network-types: +--rw sap-network! +--rw service-type* identityref augment /nw:networks/nw:network/nw:node: +--rw service* [service-type] +--rw service-type identityref +--rw sap* [sap-id] +--rw sap-id string +--rw description? string +--rw parent-termination-point? nt:tp-id +--rw attachment-interface? string +--rw interface-type? identityref +--rw encapsulation-type? identityref +--rw role? identityref +--rw allows-child-saps? boolean +--rw peer-sap-id* string +--ro sap-status | +--ro status? identityref | +--ro last-change? yang:date-and-time +--rw service-status +--rw admin-status | +--rw status? identityref | +--rw last-change? yang:date-and-time +--ro oper-status +--ro status? identityref +--ro last-change? yang:date-and-time
A SAP network topology can be used for one or multiple service types ('service-type'). Examples of supported service types are as follows:
  • L3VPN
  • Virtual Private LAN Service (VPLS)
  • Virtual Private Wire Service (VPWS)
  • BGP MPLS-based Ethernet VPN
  • VPWS in Ethernet VPN
  • Provider Backbone Bridging combined with Ethernet VPN (PBB-EVPN)
  • VXLAN-based EVPN ("VXLAN" stands for "Virtual eXtensible Local Area Network")
  • Virtual Network
  • Enhanced VPN (VPN+)
  • Network slice service
  • SD-WAN
  • Basic IP connectivity
These service types build on the types that are already defined in and additional types that are defined in this document. Other service types can be defined in future YANG modules (including future revisions of the YANG module defined in this document), if needed. Filters based on the service type can be used to access per-service SAP topology. An example is depicted in in . A node in the topology can support one or multiple service types ('service-type') among those listed under the 'sap-network' container. A list of SAPs is then bound to each service type that is supported by a given node. Each SAP is characterized as follows:
'sap-id':
Includes an identifier that uniquely identifies a SAP within a node. The same SAP may appear under distinct service types. In such a case, the same identifier is used for a shared SAP for each of these service types. SAPs that are associated with the interfaces that are directly hosting services, interfaces that are ready to host per-service sub-interfaces (but are not yet activated), or services that are already instantiated on sub-interfaces are listed as SAPs. For illustration purposes, in depicts how to indicate interfaces that are capable of hosting per-service sub-interfaces. For example, 'sap-id' may be the VPN network access identifier defined in . An example that illustrates the use of this attribute during service creation is provided in .
'description':
Includes a textual description of the SAP.
'parent-termination-point':
Includes a reference to the parent termination point to which the SAP is bound. As per , a termination point terminates a link in a node. A termination point can be a physical port, an interface, etc. The referenced parent termination point is expected to be a customer-facing termination point, not a core-facing termination point. For example, this attribute is used to associate an interface with its sub-interfaces, as all these interfaces may be listed under the SAPs of a node. It is also used to link a SAP with the physical topology. For example, this data node can be used to map the IETF Network Slice endpoints to the service/tunnel/path endpoints in the underlay network.
'attachment-interface':
Indicates a reference to the interface to which the SAP is bound. The same interface may host multiple services. Whether the attachment identifier echoes the content of the attachment interface is deployment specific. For example, this reference may be any of the identifiers ('l2-termination-point', 'local-bridge-reference', 'bearer-reference', or 'lag-interface-id') defined in or 'l3-termination-point' as defined in . The controller is responsible for ensuring that consistent references are used in the SAP and underlying device models or any other device inventory mechanism.
'interface-type':
Indicates whether a SAP is bound to a physical port, a loopback interface, a Link Aggregation Group (LAG) interface , an Integrated Routing and Bridging (IRB) interface (e.g., ), a local bridge reference, etc. The mapping to the detailed interface types as per is maintained by the controller. That mapping is used, for example, when the controller translates this SAP network model into device models ().
'encapsulation-type':
Indicates the encapsulation type for the interface indicated in the 'attachment-interface' attribute. The types are taken from . This data node can be used, for example, to decide whether an existing SAP can be (re)used to host a service or if a new sub-interface has to be instantiated.
'role':
Specifies the role of a SAP (e.g., a UNI or NNI). A SAP inherits the role of its parent interface ('parent-termination-point').
'allows-child-saps':
When set to 'true', indicates that the attachment interface for this SAP is capable of hosting per-service sub-interfaces. Whether a service can be directly attached to the parent SAP in addition to child SAPs depends on the service.
'peer-sap-id':
Includes references to the remote endpoints of an AC. This identifier may or may not be the same as the SAP identifier used in the peer's configuration. Note that the use of identical identifiers eases the correlation between a peer's service request and a local SAP. Examples of such a reference are a site identifier (), a Service Demarcation Point (SDP) identifier (Section "Core Terminology" of ), and the IP address of a peer Autonomous System Border Router (ASBR).
'sap-status':
Indicates the operational status of a SAP. Values are taken from the values defined in . When both a sub-interface and its parent interface are present but the parent interface is disabled, the status of the parent interface takes precedence over the status indicated for the sub-interface.
'service-status':
Indicates the administrative and operational status of the service for a given SAP. This information is particularly useful when many services are provisioned for the same SAP but only a subset of these services is activated. As such, the administrative 'service-status' MUST NOT be influenced by the value of the operational 'sap-status'. The service 'oper-status' reflects the operational status of the service only as observed at a specific SAP, not the overall network-level status of the service connecting many SAPs. The network-level service status can be retrieved using specific network models, e.g., those listed in or . In order to assess the service delivery status for a given SAP, it is recommended to check both the administrative and operational service status ('service-status') in addition to the 'sap-status'. In doing so, a network controller (or operator) can detect anomalies. For example, if a service is administratively enabled for a SAP and the 'sap-status' of that SAP is reported as being down, the service 'oper-status' is also expected to be down. Retrieving a distinct service operational status under these conditions can be used as a trigger to detect an anomaly. Likewise, administrative status and operational status can be compared to detect service-specific SAP activation anomalies. For example, a service that is administratively declared as inactive for a SAP but reported as operationally active for that SAP is an indication that some service provision actions are needed to align the observed service status with the expected service status.
SAP YANG Module This module imports types from , , and . The 'sap-entry' and 'sap-list' are defined as groupings for the reuse of these nodes in service-specific YANG modules. module ietf-sap-ntw { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-sap-ntw"; prefix sap; import ietf-network-topology { prefix nt; reference "RFC 8345: A YANG Data Model for Network Topologies, Section 6.2"; } import ietf-network { prefix nw; reference "RFC 8345: A YANG Data Model for Network Topologies, Section 6.1"; } import ietf-vpn-common { prefix vpn-common; reference "RFC 9181: A Common YANG Data Model for Layer 2 and Layer 3 VPNs"; } import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types, Section 3"; } organization "IETF OPSA (Operations and Management Area) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/opsawg/> WG List: <mailto:opsawg@ietf.org> Editor: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Author: Oscar Gonzalez de Dios <mailto:oscar.gonzalezdedios@telefonica.com> Author: Samier Barguil <mailto:samier.barguil_giraldo@nokia.com> Author: Qin Wu <mailto:bill.wu@huawei.com> Author: Victor Lopez <mailto:victor.lopez@nokia.com>"; description "This YANG module defines a model for representing, managing, and controlling the Service Attachment Points (SAPs) in the network topology. Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9408; see the RFC itself for full legal notices."; revision 2023-06-20 { description "Initial version."; reference "RFC 9408: A YANG Network Data Model for Service Attachment Points (SAPs)"; } identity virtual-network { base vpn-common:service-type; description "Virtual network. Refers to a logical network instance that is built over a physical network."; reference "RFC 8453: Framework for Abstraction and Control of TE Networks (ACTN)"; } identity enhanced-vpn { base vpn-common:service-type; description "Enhanced VPN (VPN+). VPN+ is an approach that is based on existing VPN and Traffic Engineering (TE) technologies but adds characteristics that specific services require over and above conventional VPNs."; reference "draft-ietf-teas-enhanced-vpn: A Framework for Enhanced Virtual Private Network (VPN+)"; } identity network-slice { base vpn-common:service-type; description "IETF Network Slice. An IETF Network Slice is a logical network topology connecting a number of endpoints using a set of shared or dedicated network resources that are used to satisfy specific service objectives."; reference "draft-ietf-teas-ietf-network-slices: A Framework for IETF Network Slices"; } identity sdwan { base vpn-common:service-type; description "PE-based Software-Defined Wide-Area Network (SD-WAN)."; reference "draft-ietf-bess-bgp-sdwan-usage: BGP Usage for SD-WAN Overlay Networks"; } identity basic-connectivity { base vpn-common:service-type; description "Basic IP connectivity. This is, for example, a plain form of connectivity offered to enterprises over a dedicated or shared MPLS infrastructure."; } identity interface-role { description "Base identity for the network role of an interface."; } identity uni { base interface-role; description "User-to-Network Interface (UNI)."; } identity nni { base interface-role; description "Network-to-Network Interface (NNI)."; } identity interface-type { description "Base identity for the interface type."; } identity phy { base interface-type; description "Physical port."; } identity loopback { base interface-type; description "Loopback interface."; } identity lag { base interface-type; description "Link Aggregation Group (LAG) interface."; } identity irb { base interface-type; description "Integrated Routing and Bridging (IRB) interface. An IRB interface typically connects an IP Virtual Routing and Forwarding (IP-VRF) entity to a bridge domain."; } identity local-bridge { base interface-type; description "A local bridge reference to accommodate (for example) implementations that require internal bridging. When such a type is used, a reference to a local bridge domain is used to identify the interface."; } identity logical { base interface-type; description "Refers to a logical sub-interface that is typically used to bind a service. This type is used only if none of the other more specific types (i.e., 'loopback', 'lag', 'irb', or 'local-bridge') can be used."; } grouping sap-entry { description "Service Attachment Point (SAP) entry information."; leaf sap-id { type string; description "Indicates an identifier that uniquely identifies a SAP."; } leaf description { type string; description "A textual description of the SAP."; } leaf parent-termination-point { type nt:tp-id; description "Indicates the parent termination point to which the SAP is attached. A termination point can be a physical port, an interface, etc."; } leaf attachment-interface { type string; description "Indicates the interface to which the SAP is bound."; } leaf interface-type { type identityref { base interface-type; } description "The type of the interface to which the SAP is bound."; } leaf encapsulation-type { type identityref { base vpn-common:encapsulation-type; } description "Encapsulation type of the interface to which the SAP is bound."; } leaf role { type identityref { base interface-role; } description "Indicates the role of a SAP."; } leaf allows-child-saps { type boolean; description "Indicates whether the attachment interface of this SAP is capable of hosting per-service sub-interfaces."; } leaf-list peer-sap-id { type string; description "Indicates an identifier of the peer's termination identifier (e.g., a Customer Edge (CE)). This information can be used for correlation purposes, such as identifying the SAP that is attached to an endpoint that is provided in a service request."; } } grouping sap-list { description "SAP information."; list sap { key "sap-id"; description "The SAPs are an abstraction of the points to which network services such as L3VPNs, L2VPNs, or network slices can be attached."; uses sap-entry; container sap-status { config false; description "Indicates the operational status of the SAP, independent of any service provisioned over it."; uses vpn-common:oper-status-timestamp; } container service-status { description "Indicates the service status."; container admin-status { description "Administrative service status."; leaf status { type identityref { base vpn-common:administrative-status; } description "Administrative status of the service provisioned at the SAP."; } leaf last-change { type yang:date-and-time; description "Indicates the actual date and time of the service status change."; } } container oper-status { config false; description "Operational status of the service provisioned at the SAP."; uses vpn-common:oper-status-timestamp; } } } } augment "/nw:networks/nw:network/nw:network-types" { description "Introduces a new network type for a SAP network."; container sap-network { presence "Indicates the SAP network type."; description "The presence of the container node indicates the SAP network type."; leaf-list service-type { type identityref { base vpn-common:service-type; } description "Indicates the set of supported service types."; } } } augment "/nw:networks/nw:network/nw:node" { when '../nw:network-types/sap:sap-network' { description "Augmentation parameters apply only for SAP networks."; } description "SAP parameters for the node level."; list service { key "service-type"; description "A list of supported service types for the node."; leaf service-type { type identityref { base vpn-common:service-type; } description "Indicates a service type."; } uses sap-list; } } }
IANA Considerations This document registers the following namespace URI in the "ns" subregistry within the "IETF XML Registry" :
URI:
urn:ietf:params:xml:ns:yang:ietf-sap-ntw
Registrant Contact:
The IESG.
XML:
N/A; the requested URI is an XML namespace.
This document registers the following YANG module in the "YANG Module Names" subregistry within the "YANG Parameters" registry:
Name:
ietf-sap-ntw
Namespace:
urn:ietf:params:xml:ns:yang:ietf-sap-ntw
Maintained by IANA?
N
Prefix:
sap
Reference:
RFC 9408
Security Considerations The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF or RESTCONF . The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) . The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS . The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:
/nw:networks/nw:network/nw:node/sap:service/sap:sap
This subtree specifies the configurations of the nodes in a SAP network model. Unexpected changes to this subtree (e.g., associating a SAP with another parent termination point) could lead to service disruption and/or network misbehavior. Such network misbehavior results mainly from a network configuration that is inconsistent with the intended behavior as defined by the operator (e.g., ).
Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
/nw:networks/nw:network/nw:node/sap:service/sap:sap
Unauthorized access to this subtree can disclose the operational state information of the nodes in a SAP network model (e.g., can disclose the identity of a customer 'peer-sap-id').
 References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The IETF XML Registry This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Using the NETCONF Protocol over Secure Shell (SSH) This document describes a method for invoking and running the Network Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as an SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK] Common YANG Data Types This document introduces a collection of common data types to be used with the YANG data modeling language. This document obsoletes RFC 6021. The YANG 1.1 Data Modeling Language YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). RESTCONF Protocol This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Network Configuration Access Control Model The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. A YANG Data Model for Network Topologies This document defines an abstract (generic, or base) YANG data model for network/service topologies and inventories. The data model serves as a base model that is augmented with technology-specific details in other, more specific topology and inventory data models. A YANG Data Model for Layer 3 Topologies This document defines a YANG data model for Layer 3 network topologies. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. YANG Data Model for Traffic Engineering (TE) Topologies This document defines a YANG data model for representing, retrieving, and manipulating Traffic Engineering (TE) Topologies. The model serves as a base model that other technology-specific TE topology models can augment. A Common YANG Data Model for Layer 2 and Layer 3 VPNs This document defines a common YANG module that is meant to be reused by various VPN-related modules such as Layer 3 VPN and Layer 2 VPN network models. Informative References BGP Usage for SD-WAN Overlay Networks Work in Progress A Framework for Enhanced Virtual Private Network (VPN+) Huawei University of Surrey China Mobile KDDI Corporation Samsung This document describes the framework for Enhanced Virtual Private Network (VPN+) to support the needs of applications with specific traffic performance requirements (e.g., low latency, bounded jitter). VPN+ leverages the VPN and Traffic Engineering (TE) technologies and adds characteristics that specific services require beyond those provided by conventional VPNs. Typically, VPN+ will be used to underpin network slicing, but could also be of use in its own right providing enhanced connectivity services between customer sites. This document also provides an overview of relevant technologies in different network layers, and identifies some areas for potential new work. Work in Progress IEEE Standard for Local and Metropolitan Area Networks--Link Aggregation IEEE A Framework for IETF Network Slices Work in Progress Technical Specification MEF 17, Service OAM Requirements & Framework - Phase 1 The Metro Ethernet Forum Technical Specification MEF 6, Ethernet Services Definitions - Phase I The Metro Ethernet Forum Provider Provisioned Virtual Private Network (VPN) Terminology The widespread interest in provider-provisioned Virtual Private Network (VPN) solutions lead to memos proposing different and overlapping solutions. The IETF working groups (first Provider Provisioned VPNs and later Layer 2 VPNs and Layer 3 VPNs) have discussed these proposals and documented specifications. This has lead to the development of a partially new set of concepts used to describe the set of VPN services. To a certain extent, more than one term covers the same concept, and sometimes the same term covers more than one concept. This document seeks to make the terminology in the area clearer and more intuitive. This memo provides information for the Internet community. BGP/MPLS IP Virtual Private Networks (VPNs) This document describes a method by which a Service Provider may use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a "peer model", in which the customers' edge routers (CE routers) send their routes to the Service Provider's edge routers (PE routers); there is no "overlay" visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone, so that the core routers do not need to know the VPN routes. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful Service Provider offering. The service offers a Layer 2 Virtual Private Network (VPN); however, in the case of VPLS, the customers in the VPN are connected by a multipoint Ethernet LAN, in contrast to the usual Layer 2 VPNs, which are point-to-point in nature. This document describes the functions required to offer VPLS, a mechanism for signaling a VPLS, and rules for forwarding VPLS frames across a packet switched network. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling This document describes a Virtual Private LAN Service (VPLS) solution using pseudowires, a service previously implemented over other tunneling technologies and known as Transparent LAN Services (TLS). A VPLS creates an emulated LAN segment for a given set of users; i.e., it creates a Layer 2 broadcast domain that is fully capable of learning and forwarding on Ethernet MAC addresses and that is closed to a given set of users. Multiple VPLS services can be supported from a single Provider Edge (PE) node. This document describes the control plane functions of signaling pseudowire labels using Label Distribution Protocol (LDP), extending RFC 4447. It is agnostic to discovery protocols. The data plane functions of forwarding are also described, focusing in particular on the learning of MAC addresses. The encapsulation of VPLS packets is described by RFC 4448. [STANDARDS-TRACK] Generalized MPLS (GMPLS) Support for Metro Ethernet Forum and G.8011 Ethernet Service Switching MPLS Transport Profile User-to-Network and Network-to-Network Interfaces The framework for MPLS in transport networks (RFC 5921) provides reference models for the MPLS Transport Profile (MPLS-TP) Transport Service Interfaces, which are a User-to-Network Interface (UNI), and a Network-to-Network Interface (NNI). This document updates those reference models to show detailed reference points for these interfaces, along with further clarification of the functional architecture of MPLS-TP at a UNI and NNI. This document is a product of a joint Internet Engineering Task Force (IETF) / International Telecommunication Union Telecommunication Standardization Sector (ITU-T) effort to include an MPLS Transport Profile within the IETF MPLS and Pseudowire Emulation Edge-to-Edge (PWE3) architectures to support the capabilities and functionalities of a packet transport network as defined by the ITU-T. This document is not an Internet Standards Track specification; it is published for informational purposes. Software-Defined Networking: A Perspective from within a Service Provider Environment Software-Defined Networking (SDN) has been one of the major buzz words of the networking industry for the past couple of years. And yet, no clear definition of what SDN actually covers has been broadly admitted so far. This document aims to clarify the SDN landscape by providing a perspective on requirements, issues, and other considerations about SDN, as seen from within a service provider environment. It is not meant to endlessly discuss what SDN truly means but rather to suggest a functional taxonomy of the techniques that can be used under an SDN umbrella and to elaborate on the various pending issues the combined activation of such techniques inevitably raises. As such, a definition of SDN is only mentioned for the sake of clarification. IANA Interface Type YANG Module This document defines the initial version of the iana-if-type YANG module. Software-Defined Networking (SDN): Layers and Architecture Terminology Software-Defined Networking (SDN) refers to a new approach for network programmability, that is, the capacity to initialize, control, change, and manage network behavior dynamically via open interfaces. SDN emphasizes the role of software in running networks through the introduction of an abstraction for the data forwarding plane and, by doing so, separates it from the control plane. This separation allows faster innovation cycles at both planes as experience has already shown. However, there is increasing confusion as to what exactly SDN is, what the layer structure is in an SDN architecture, and how layers interface with each other. This document, a product of the IRTF Software-Defined Networking Research Group (SDNRG), addresses these questions and provides a concise reference for the SDN research community based on relevant peer-reviewed literature, the RFC series, and relevant documents by other standards organizations. BGP MPLS-Based Ethernet VPN This document describes procedures for BGP MPLS-based Ethernet VPNs (EVPN). The procedures described here meet the requirements specified in RFC 7209 -- "Requirements for Ethernet VPN (EVPN)". Provider Backbone Bridging Combined with Ethernet VPN (PBB-EVPN) This document discusses how Ethernet Provider Backbone Bridging (PBB) can be combined with Ethernet VPN (EVPN) in order to reduce the number of BGP MAC Advertisement routes by aggregating Customer/Client MAC (C-MAC) addresses via Provider Backbone MAC (B-MAC) address, provide client MAC address mobility using C-MAC aggregation, confine the scope of C-MAC learning to only active flows, offer per-site policies, and avoid C-MAC address flushing on topology changes. The combined solution is referred to as PBB-EVPN. JSON Encoding of Data Modeled with YANG This document defines encoding rules for representing configuration data, state data, parameters of Remote Procedure Call (RPC) operations or actions, and notifications defined using YANG as JavaScript Object Notation (JSON) text. Virtual Private Wire Service Support in Ethernet VPN This document describes how Ethernet VPN (EVPN) can be used to support the Virtual Private Wire Service (VPWS) in MPLS/IP networks. EVPN accomplishes the following for VPWS: provides Single-Active as well as All-Active multihoming with flow-based load-balancing, eliminates the need for Pseudowire (PW) signaling, and provides fast protection convergence upon node or link failure. YANG Data Model for L3VPN Service Delivery This document defines a YANG data model that can be used for communication between customers and network operators and to deliver a Layer 3 provider-provisioned VPN service. This document is limited to BGP PE-based VPNs as described in RFCs 4026, 4110, and 4364. This model is intended to be instantiated at the management system to deliver the overall service. It is not a configuration model to be used directly on network elements. This model provides an abstracted view of the Layer 3 IP VPN service configuration components. It will be up to the management system to take this model as input and use specific configuration models to configure the different network elements to deliver the service. How the configuration of network elements is done is out of scope for this document. This document obsoletes RFC 8049; it replaces the unimplementable module in that RFC with a new module with the same name that is not backward compatible. The changes are a series of small fixes to the YANG module and some clarifications to the text. Service Models Explained The IETF has produced many modules in the YANG modeling language. The majority of these modules are used to construct data models to model devices or monolithic functions. A small number of YANG modules have been defined to model services (for example, the Layer 3 Virtual Private Network Service Model (L3SM) produced by the L3SM working group and documented in RFC 8049). This document describes service models as used within the IETF and also shows where a service model might fit into a software-defined networking architecture. Note that service models do not make any assumption of how a service is actually engineered and delivered for a customer; details of how network protocols and devices are engineered to deliver a service are captured in other modules that are not exposed through the interface between the customer and the provider. YANG Tree Diagrams This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language. Network Management Datastore Architecture (NMDA) Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950. A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN) This document specifies how Ethernet VPN (EVPN) can be used as a Network Virtualization Overlay (NVO) solution and explores the various tunnel encapsulation options over IP and their impact on the EVPN control plane and procedures. In particular, the following encapsulation options are analyzed: Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), and MPLS over GRE. This specification is also applicable to Generic Network Virtualization Encapsulation (GENEVE); however, some incremental work is required, which will be covered in a separate document. This document also specifies new multihoming procedures for split-horizon filtering and mass withdrawal. It also specifies EVPN route constructions for VXLAN/NVGRE encapsulations and Autonomous System Border Router (ASBR) procedures for multihoming of Network Virtualization Edge (NVE) devices. Framework for Abstraction and Control of TE Networks (ACTN) Traffic Engineered (TE) networks have a variety of mechanisms to facilitate the separation of the data plane and control plane. They also have a range of management and provisioning protocols to configure and activate network resources. These mechanisms represent key technologies for enabling flexible and dynamic networking. The term "Traffic Engineered network" refers to a network that uses any connection-oriented technology under the control of a distributed or centralized control plane to support dynamic provisioning of end-to- end connectivity. Abstraction of network resources is a technique that can be applied to a single network domain or across multiple domains to create a single virtualized network that is under the control of a network operator or the customer of the operator that actually owns the network resources. This document provides a framework for Abstraction and Control of TE Networks (ACTN) to support virtual network services and connectivity services. A YANG Data Model for Layer 2 Virtual Private Network (L2VPN) Service Delivery This document defines a YANG data model that can be used to configure a Layer 2 provider-provisioned VPN service. It is up to a management system to take this as an input and generate specific configuration models to configure the different network elements to deliver the service. How this configuration of network elements is done is out of scope for this document. The YANG data model defined in this document includes support for point-to-point Virtual Private Wire Services (VPWSs) and multipoint Virtual Private LAN Services (VPLSs) that use Pseudowires signaled using the Label Distribution Protocol (LDP) and the Border Gateway Protocol (BGP) as described in RFCs 4761 and 6624. The YANG data model defined in this document conforms to the Network Management Datastore Architecture defined in RFC 8342. A Framework for Automating Service and Network Management with YANG Data models provide a programmatic approach to represent services and networks. Concretely, they can be used to derive configuration information for network and service components, and state information that will be monitored and tracked. Data models can be used during the service and network management life cycle (e.g., service instantiation, service provisioning, service optimization, service monitoring, service diagnosing, and service assurance). Data models are also instrumental in the automation of network management, and they can provide closed-loop control for adaptive and deterministic service creation, delivery, and maintenance. This document describes a framework for service and network management automation that takes advantage of YANG modeling technologies. This framework is drawn from a network operator perspective irrespective of the origin of a data model; thus, it can accommodate YANG modules that are developed outside the IETF. Integrated Routing and Bridging in Ethernet VPN (EVPN) Ethernet VPN (EVPN) provides an extensible and flexible multihoming VPN solution over an MPLS/IP network for intra-subnet connectivity among Tenant Systems and end devices that can be physical or virtual. However, there are scenarios for which there is a need for a dynamic and efficient inter-subnet connectivity among these Tenant Systems and end devices while maintaining the multihoming capabilities of EVPN. This document describes an Integrated Routing and Bridging (IRB) solution based on EVPN to address such requirements. A YANG Network Data Model for Layer 3 VPNs As a complement to the Layer 3 Virtual Private Network Service Model (L3SM), which is used for communication between customers and service providers, this document defines an L3VPN Network Model (L3NM) that can be used for the provisioning of Layer 3 Virtual Private Network (L3VPN) services within a service provider network. The model provides a network-centric view of L3VPN services. The L3NM is meant to be used by a network controller to derive the configuration information that will be sent to relevant network devices. The model can also facilitate communication between a service orchestrator and a network controller/orchestrator. A YANG Network Data Model for Layer 2 VPNs This document defines an L2VPN Network Model (L2NM) that can be used to manage the provisioning of Layer 2 Virtual Private Network (L2VPN) services within a network (e.g., a service provider network). The L2NM complements the L2VPN Service Model (L2SM) by providing a network-centric view of the service that is internal to a service provider. The L2NM is particularly meant to be used by a network controller to derive the configuration information that will be sent to relevant network devices. Also, this document defines a YANG module to manage Ethernet segments and the initial versions of two IANA-maintained modules that include a set of identities of BGP Layer 2 encapsulation types and pseudowire types.
A Simplified SAP Network Example An example of a SAP topology that is reported by a network controller is depicted in . This example echoes the topology shown in . Only a minimum information set is provided for each SAP. Particularly, 'parent-termination-point', 'attachment-interface', 'interface-type', 'encapsulation-type', and 'role' are not shown in the example. SAPs that are capable of hosting a service but are not yet activated are identified by 'sap-status/status' set to 'ietf-vpn-common:op-down' and 'service-status/admin-status/status' set to 'ietf-vpn-common:admin-down'. SAPs that are enabled to deliver a service are identified by 'service-status/admin-status/status' set to 'ietf-vpn-common:admin-up' and 'service-status/oper-status/status' set to 'ietf-vpn-common:op-up'. Note that none of the anomalies discussed in are detected for these SAPs. The message body depicted in the figures below is encoded following the JSON encoding of YANG-modeled data as per .
A Simplified SAP Network Example { "ietf-network:networks": { "network": [ { "network-types": { "ietf-sap-ntw:sap-network": { "service-type": [ "ietf-vpn-common:l3vpn", "ietf-vpn-common:vpls" ] } }, "network-id": "example:an-id", "node": [ { "node-id": "example:pe1", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#11", "peer-sap-id": ["ce-1"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } }, { "sap-id": "sap#12", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#13", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#14", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } } ] } ] }, { "node-id": "example:pe2", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#21", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#22", "peer-sap-id": ["ce-2"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] }, { "node-id": "example:pe3", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#31", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#32", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#33", "peer-sap-id": ["ce-3"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] }, { "node-id": "example:pe4", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#41", "peer-sap-id": ["ce-3"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } }, { "sap-id": "sap#42", "peer-sap-id": ["ce-4"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } }, { "sap-id": "sap#43", "sap-status": { "status": "ietf-vpn-common:op-down" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-down" } } }, { "sap-id": "sap#44", "peer-sap-id": ["ce-5"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] } ] } ] } }
A Simple Example of the SAP Network Model: Node Filter In the example shown in , PE1 (with a "node-id" set to "example:pe1", as shown in ) has two physical interfaces "GE0/6/1" and "GE0/6/4". Two sub-interfaces "GE0/6/4.1" and "GE0/6/4.2" are associated with the physical interface "GE0/6/4". Let us consider that four SAPs are exposed to the service orchestrator and mapped to these physical interfaces and sub-interfaces.
An Example of a PE and Its Physical/Logical Interfaces .-------------------------. | GE0/6/4 | | PE1 .----+----. | |sap#2 |GE0/6/4.1 | | .--+--. | | |sap#3| | | '--+--' | | |GE0/6/4.2 | | .--+--. | | |sap#4| | | '--+--' | | | | +----+----+ | | | GE0/6/1| | .----+----. | |sap#1 | | '----+----' | | '-------------------------'
Let us assume that no service is enabled yet for the SAP associated with the physical interface "GE0/6/1". Also, let us assume that, for the SAPs that are associated with the physical interface "GE0/6/4", VPLS and L3VPN services are activated on the two sub-interfaces "GE0/6/4.1" and "GE0/6/4.2", respectively. Both "sap#1" and "sap#2" are tagged as being capable of hosting per-service sub-interfaces ('allows-child-saps' is set to 'true'). For example, a service orchestrator can query what services are provided on which SAPs of PE1 from the network controller by sending a RESTCONF GET request. shows an example of the body of the RESTCONF response that is received from the network controller.
An Example of a Response Body to a Request with a Node Filter { "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#1", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/1", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#2", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/4", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#3", "description": "A first SAP description", "parent-termination-point": "GE0/6/4", "attachment-interface": "GE0/6/4.1", "interface-type": "ietf-sap-ntw:logical", "encapsulation-type": "ietf-vpn-common:vlan-type", "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] }, { "service-type": "ietf-vpn-common:vpls", "sap": [ { "sap-id": "sap#1", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/1", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#2", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/4", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#4", "description": "Another description", "parent-termination-point": "GE0/6/4", "attachment-interface": "GE0/6/4.2", "interface-type": "ietf-sap-ntw:logical", "encapsulation-type": "ietf-vpn-common:vlan-type", "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] }
shows an example of the response message body that is received from the network controller if the request includes a filter on the service type for a particular node:
An Example of a Response Body to a Request with a Service Filter { "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#1", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/1", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#2", "description": "Ready to host SAPs", "attachment-interface": "GE0/6/4", "interface-type": "ietf-sap-ntw:phy", "role": "ietf-sap-ntw:uni", "allows-child-saps": true, "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#3", "description": "A first SAP description", "parent-termination-point": "GE0/6/4", "attachment-interface": "GE0/6/4.1", "interface-type": "ietf-sap-ntw:logical", "encapsulation-type": "ietf-vpn-common:vlan-type", "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] }
An Example of an NNI SAP: Inter-AS VPN Option A discusses several options to extend a VPN service beyond the scope of a single Autonomous System (AS). For illustration purposes, this section focuses on the so-called "Option A", but similar examples can be considered for other options. In this option, an AS Border Router (ASBR) of an AS is directly connected to an ASBR of a neighboring AS. These two ASBRs are connected by multiple physical or logical interfaces. Also, at least one sub-interface is maintained by these ASBRs for each of the VPNs that require their routes to be passed from one AS to the other AS. Each ASBR behaves as a PE and treats the other as if it were a CE. shows a simplified (excerpt) topology of two ASes A and B with a focus on the interconnection links between these two ASes.
An Example of an Inter-AS VPN (Option A) .--------------------. .--------------------. | | | | | A .--+--. .--+--. A | | S | +================+ | S | | B | (VRF1)----(VPN1)----(VRF1) | B | | R | | | | R | | | (VRF2)----(VPN2)----(VRF2) | | | a | +================+ | b | | 1 '--+--' '--+--' 1 | | AS A | | AS B | | A .--+--. .--+--. A | | S | +================+ | S | | B | (VRF1)----(VPN1)----(VRF1) | B | | R | | | | R | | | (VRF2)----(VPN2)----(VRF2) | | | a | +================+ | b | | 2 '--+--' '--+--' 2 | | | | | '--------------------' '--------------------'
shows an example of a message body that is received from the network controller of AS A (with a focus on the NNIs shown in ).
An Example of SAP Usage for an NNI { "ietf-network:networks": { "network": [ { "network-types": { "ietf-sap-ntw:sap-network": { "service-type": [ "ietf-vpn-common:l3vpn" ] } }, "network-id": "example:an-id", "node": [ { "node-id": "example:asbr-a1", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#11", "description": "parent inter-as link#1", "role": "ietf-sap-ntw:nni", "allows-child-saps": true, "peer-sap-id": ["asbr-b1"], "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#12", "description": "parent inter-as link#2", "role": "ietf-sap-ntw:nni", "allows-child-saps": true, "peer-sap-id": ["asbr-b1"], "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#13", "description": "vpn1", "role": "ietf-sap-ntw:nni", "peer-sap-id": ["asbr-b1"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } }, { "sap-id": "sap#14", "description": "vpn2", "role": "ietf-sap-ntw:nni", "peer-sap-id": ["asbr-b1"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] }, { "node-id": "example:asbr-a2", "ietf-sap-ntw:service": [ { "service-type": "ietf-vpn-common:l3vpn", "sap": [ { "sap-id": "sap#11", "description": "parent inter-as link#1", "role": "ietf-sap-ntw:nni", "allows-child-saps": true, "peer-sap-id": ["asbr-b2"], "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#12", "description": "parent inter-as link#2", "role": "ietf-sap-ntw:nni", "allows-child-saps": true, "peer-sap-id": ["asbr-b2"], "sap-status": { "status": "ietf-vpn-common:op-up" } }, { "sap-id": "sap#21", "description": "vpn1", "role": "ietf-sap-ntw:nni", "peer-sap-id": ["asbr-b2"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } }, { "sap-id": "sap#22", "description": "vpn2", "role": "ietf-sap-ntw:nni", "peer-sap-id": ["asbr-b2"], "sap-status": { "status": "ietf-vpn-common:op-up" }, "service-status": { "admin-status": { "status": "ietf-vpn-common:admin-up" }, "oper-status": { "status": "ietf-vpn-common:op-up" } } } ] } ] } ] } ] } }
Examples of Using the SAP Network Model in Service Creation This section describes examples that illustrate the use of the SAP model for service creation purposes. An example of a SAP topology is presented in . This example includes four PEs with their SAPs, as well as the customer information. Let us assume that an operator wants to create an L3VPN service between two PEs (PE3 and PE4) that are servicing two CEs (CE6 and CE7). To that aim, the operator would query the SAP topology and would obtain a response similar to what is depicted in . That response indicates that the SAPs having "sap#31" and "sap#43" as attachment identifiers do not have any installed services. This is particularly inferred from (1) the administrative 'service-status' that is set to 'ietf-vpn-common:admin-down' for all the services that are supported by these two SAPs and (2) the absence of the anomalies discussed in . Note that none of the anomalies discussed in are detected. Once the "free" SAPs are identified, the 'interface-type' and 'encapsulation-type' are checked to see if the requested L3VPN service is compatible with the SAP characteristics. If they are compatible, the 'attachment-id' value can be used as the VPN network access identifier in an L3NM "create" query. A similar process can be followed for creating the so-called "Inter-AS VPN Option A" services. Unlike the previous example, let us assume that an operator wants to create an L3VPN service between two PEs (PE3 and PE4) but these PEs are not in the same AS: PE3 belongs to AS A while PE4 belongs to AS B. The NNIs between these ASes are represented in . The operator of AS A would query, via the controller of its AS, the SAP topology and would obtain not only the information that is depicted in but also the information shown in representing the NNIs. The operator would create the service in the AS A between PE3 and a free, compatible SAP in the ASBR A1. The same procedure is followed by the operator of AS B to create the service in the AS B between a free, compatible SAP in the ASBR B1 and PE4. The services can be provisioned in each of these ASes using the L3NM. Let us now assume that, instead of the L3VPN service, the operator wants to set up an L2VPN service. If the 'interface-type' is a physical port, a new logical SAP can be created using the SAP model to cope with the service's needs (e.g., the 'encapsulation-type' attribute can be set to 'ietf-vpn-common:vlan-type'). Once the logical SAP is created, the 'attachment-id' of the new SAP is used to create an L2NM instance ().
Acknowledgements Thanks to , , , , , , , , , , , and for their comments. Thanks to for the YANG Doctors review, for the opsdir review, for the rtgdir review, for the genart review, and for the secdir review. Special thanks to for the Shepherd review and for the careful AD review. Thanks to , , and for their comments during the IESG review.
Authors' Addresses Orange
France mohamed.boucadair@orange.com
Telefonica
Madrid Spain oscar.gonzalezdedios@telefonica.com
Nokia
Madrid Spain samier.barguil_giraldo@nokia.com
Huawei
Yuhua District 101 Software Avenue Nanjing Jiangsu 210012 China bill.wu@huawei.com
Nokia
Spain victor.lopez@nokia.com