Tech-invite   World Map
3GPPspecs     Glossaries     T+       IETF     RFCs     Groups     SIP     ABNFs

RFC 8299

 
 
 

YANG Data Model for L3VPN Service Delivery

Part 8 of 8, p. 160 to 188
Prev Section

 


prevText      Top      ToC       Page 160 
        leaf next-hop {
         type inet:ipv4-address;
          description
          "Next-hop address to use on the customer side.";
        }
        description
        "List of LAN prefixes for the site.";
       }
       list ipv6-lan-prefixes {
        if-feature ipv6;
        key "lan next-hop";
        leaf lan {
         type inet:ipv6-prefix;
          description
          "LAN prefixes.";
        }
        leaf lan-tag {
         type string;
         description
         "Internal tag to be used in VPN policies.";
        }
        leaf next-hop {
         type inet:ipv6-address;
          description
          "Next-hop address to use on the customer side.";
        }
        description
        "List of LAN prefixes for the site.";
       }
       description
       "LAN prefixes from the customer.";
      }
      description
      "Configuration specific to static routing.";
     }
     container rip {
      when "derived-from-or-self(../type, 'l3vpn-svc:rip')" {
       description
       "Only applies when the protocol is RIP.  For IPv4,
       the model assumes that RIP version 2 is used.";
      }
      if-feature rtg-rip;
      leaf-list address-family {
       type address-family;
           min-elements "1";
          description
          "If RIP is used on this site, this node
          contains a configured value.  This node

Top      Up      ToC       Page 161 
          contains at least one address family
          to be activated.";
      }
      description
      "Configuration specific to RIP routing.";
     }
     container vrrp {
      when "derived-from-or-self(../type, 'l3vpn-svc:vrrp')" {
       description
       "Only applies when protocol is VRRP.";
      }
      if-feature rtg-vrrp;
      leaf-list address-family {
       type address-family;
           min-elements "1";
          description
          "If VRRP is used on this site, this node
          contains a configured value.  This node contains
          at least one address family to be activated.";
      }
      description
      "Configuration specific to VRRP routing.";
     }
     description
     "List of routing protocols used on
     the site.  This list can be augmented.";
    }
    description
    "Defines routing protocols.";
   }
   description
   "Grouping for routing protocols.";
  }
  grouping site-attachment-ip-connection {
    container ip-connection {
      container ipv4 {
      if-feature ipv4;
       leaf address-allocation-type {
       type identityref {
        base address-allocation-type;
      }
      must "not(derived-from-or-self(current(), 'l3vpn-svc:slaac') or "+
          "derived-from-or-self(current(), "+
          "'l3vpn-svc:provider-dhcp-slaac'))" {
      error-message "SLAAC is only applicable to IPv6";
      }
      description
      "Defines how addresses are allocated.

Top      Up      ToC       Page 162 
      If there is no value for the address
      allocation type, then IPv4 is not enabled.";
     }
    container provider-dhcp {
      when "derived-from-or-self(../address-allocation-type, "+
      "'l3vpn-svc:provider-dhcp')" {
      description
      "Only applies when addresses are allocated by DHCP.";
    }
      leaf provider-address {
       type inet:ipv4-address;
          description
          "Address of provider side.  If provider-address is not
          specified, then prefix length should not be specified
          either.  It also implies provider-dhcp allocation is
          not enabled.  If provider-address is specified, then
          the prefix length may or may not be specified.";
      }
      leaf prefix-length {
       type uint8 {
       range "0..32";
       }
          must "(../provider-address)" {
           error-message
           "If the prefix length is specified, provider-address
           must also be specified.";
              description
              "If the prefix length is specified, provider-address
              must also be specified.";
         }
      description
      "Subnet prefix length expressed in bits.
      If not specified, or specified as zero,
      this means the customer leaves the actual
      prefix length value to the provider.";
      }
      choice address-assign {
       default number;
       case number {
        leaf number-of-dynamic-address {
         type uint16;
         default 1;
          description
          "Describes the number of IP addresses
          the customer requires.";
        }
       }
       case explicit {

Top      Up      ToC       Page 163 
        container customer-addresses {
         list address-group {
          key "group-id";
          leaf group-id {
          type string;
          description
          "Group-id for the address range from
          start-address to end-address.";
          }
         leaf start-address {
          type inet:ipv4-address;
           description
           "First address.";
          }
         leaf end-address {
          type inet:ipv4-address;
          description
          "Last address.";
          }
          description
          "Describes IP addresses allocated by DHCP.
          When only start-address or only end-address
          is present, it represents a single address.
          When both start-address and end-address are
          specified, it implies a range inclusive of both
          addresses.  If no address is specified, it implies
          customer addresses group is not supported.";
         }
          description
          "Container for customer addresses is allocated by DHCP.";
        }
      }
          description
          "Choice for the way to assign addresses.";
      }
          description
          "DHCP allocated addresses related parameters.";
     }
  container dhcp-relay {
    when "derived-from-or-self(../address-allocation-type, "+
    "'l3vpn-svc:provider-dhcp-relay')" {
      description
      "Only applies when provider is required to implement
      DHCP relay function.";
   }
  leaf provider-address {
   type inet:ipv4-address;
      description

Top      Up      ToC       Page 164 
      "Address of provider side.  If provider-address is not
      specified, then prefix length should not be specified
      either.  It also implies provider-dhcp allocation is
      not enabled.  If provider-address is specified, then
      prefix length may or may not be specified.";
  }
  leaf prefix-length {
   type uint8 {
   range "0..32";
   }
  must "(../provider-address)" {
   error-message
      "If prefix length is specified, provider-address
       must also be specified.";
      description
      "If prefix length is specified, provider-address
      must also be specified.";
 }
      description
      "Subnet prefix length expressed in bits.  If not
      specified, or specified as zero, this means the
      customer leaves the actual prefix length value
      to the provider.";
  }
  container customer-dhcp-servers {
   leaf-list server-ip-address {
   type inet:ipv4-address;
      description
      "IP address of customer DHCP server.";
  }
  description
  "Container for list of customer DHCP servers.";
  }
  description
  "DHCP relay provided by operator.";
 }
  container addresses {
    when "derived-from-or-self(../address-allocation-type, "+
    "'l3vpn-svc:static-address')" {
    description
    "Only applies when protocol allocation type is static.";
     }
      leaf provider-address {
       type inet:ipv4-address;
          description
          "IPv4 Address List of the provider side.
          When the protocol allocation type is static,
          the provider address must be configured.";

Top      Up      ToC       Page 165 
      }
      leaf customer-address {
       type inet:ipv4-address;
          description
          "IPv4 Address of customer side.";
      }
      leaf prefix-length {
       type uint8 {
        range "0..32";
       }
      description
      "Subnet prefix length expressed in bits.
      It is applied to both provider-address
      and customer-address.";
      }
      description
      "Describes IPv4 addresses used.";
     }
     description
     "IPv4-specific parameters.";
    }
    container ipv6 {
     if-feature ipv6;
     leaf address-allocation-type {
      type identityref {
       base address-allocation-type;
      }
      description
      "Defines how addresses are allocated.
      If there is no value for the address
      allocation type, then IPv6 is
      not enabled.";
     }

    container provider-dhcp {
       when "derived-from-or-self(../address-allocation-type, "+
       "'l3vpn-svc:provider-dhcp') "+
       "or derived-from-or-self(../address-allocation-type, "+
       "'l3vpn-svc:provider-dhcp-slaac')" {
       description
       "Only applies when addresses are allocated by DHCP.";
        }
           leaf provider-address {
            type inet:ipv6-address;
            description
            "Address of the provider side.  If provider-address
            is not specified, then prefix length should not be
            specified either.  It also implies provider-dhcp

Top      Up      ToC       Page 166 
            allocation is not enabled.  If provider-address is
            specified, then prefix length may or may
            not be specified.";
          }
       leaf prefix-length {
        type uint8 {
        range "0..128";
        }
            must "(../provider-address)" {
              error-message
              "If prefix length is specified, provider-address
              must also be specified.";
              description
              "If prefix length is specified, provider-address
              must also be specified.";
             }
        description
        "Subnet prefix length expressed in bits.  If not
        specified, or specified as zero, this means the
        customer leaves the actual prefix length value
        to the provider.";
      }
         choice address-assign {
          default number;
          case number {
           leaf number-of-dynamic-address {
            type uint16;
            default 1;
            description
            "Describes the number of IP addresses the customer
            requires.";
           }
          }
          case explicit {
           container customer-addresses {
            list address-group {
                  key "group-id";
                  leaf group-id {
                  type string;
                  description
                  "Group-id for the address range from
                  start-address to end-address.";
              }
                  leaf start-address {
                   type inet:ipv6-address;
                   description
                   "First address.";
                   }

Top      Up      ToC       Page 167 
                  leaf end-address {
                   type inet:ipv6-address;
                   description
                   "Last address.";
                   }
                  description
                  "Describes IP addresses allocated by DHCP.  When only
                  start-address or only end-address is present, it
                  represents a single address.  When both start-address
                  and end-address are specified, it implies a range
                  inclusive of both addresses.  If no address is
                  specified, it implies customer addresses group is
                  not supported.";
           }
            description
            "Container for customer addresses allocated by DHCP.";
          }
         }
          description
          "Choice for the way to assign addresses.";
         }
          description
          "DHCP allocated addresses related parameters.";
         }
    container dhcp-relay {
     when "derived-from-or-self(../address-allocation-type, "+
          "'l3vpn-svc:provider-dhcp-relay')" {
       description
       "Only applies when the provider is required
       to implement DHCP relay function.";
       }
         leaf provider-address {
          type inet:ipv6-address;
           description
           "Address of the provider side.  If provider-address is
           not specified, then prefix length should not be
           specified either.  It also implies provider-dhcp
           allocation is not enabled.  If provider address
           is specified, then prefix length may or may
           not be specified.";
           }
         leaf prefix-length {
          type uint8 {
           range "0..128";
           }
          must "(../provider-address)" {
           error-message
            "If prefix length is specified, provider-address

Top      Up      ToC       Page 168 
            must also be specified.";
           description
           "If prefix length is specified, provider-address
           must also be specified.";
            }
          description
          "Subnet prefix length expressed in bits.  If not
          specified, or specified as zero, this means the
          customer leaves the actual prefix length value
          to the provider.";
          }
     container customer-dhcp-servers {
      leaf-list server-ip-address {
       type inet:ipv6-address;
        description
        "This node contains the IP address of
        the customer DHCP server.  If the DHCP relay
        function is implemented by the
        provider, this node contains the
        configured value.";
      }
       description
       "Container for list of customer DHCP servers.";
      }
     description
     "DHCP relay provided by operator.";
     }
    container addresses {
     when "derived-from-or-self(../address-allocation-type, "+
         "'l3vpn-svc:static-address')" {
      description
      "Only applies when protocol allocation type is static.";
      }
     leaf provider-address {
      type inet:ipv6-address;
       description
       "IPv6 Address of the provider side.  When the protocol
       allocation type is static, the provider address
       must be configured.";
      }
     leaf customer-address {
      type inet:ipv6-address;
       description
       "The IPv6 Address of the customer side.";
      }
     leaf prefix-length {
      type uint8 {
       range "0..128";

Top      Up      ToC       Page 169 
      }
      description
      "Subnet prefix length expressed in bits.
      It is applied to both provider-address and
      customer-address.";
     }
     description
     "Describes IPv6 addresses used.";
     }
     description
     "IPv6-specific parameters.";
    }
    container oam {
     container bfd {
      if-feature bfd;
      leaf enabled {
       type boolean;
       default false;
       description
       "If true, BFD activation is required.";
      }
      choice holdtime {
       default fixed;
       case fixed {
        leaf fixed-value {
         type uint32;
         units msec;
          description
          "Expected BFD holdtime expressed in msec.  The customer
          may impose some fixed values for the holdtime period
          if the provider allows the customer use this function.
          If the provider doesn't allow the customer to use this
          function, the fixed-value will not be set.";
        }
       }
       case profile {
        leaf profile-name {
         type leafref {
          path "/l3vpn-svc/vpn-profiles/valid-provider-identifiers/"+
                  "bfd-profile-identifier/id";
         }
         description
         "Well-known SP profile name.  The provider can propose
         some profiles to the customer, depending on the service
         level the customer wants to achieve.  Profile names
         must be communicated to the customer.";
        }
        description

Top      Up      ToC       Page 170 
        "Well-known SP profile.";
       }
       description
       "Choice for holdtime flavor.";
      }
      description
      "Container for BFD.";
     }
     description
     "Defines the Operations, Administration, and Maintenance (OAM)
     mechanisms used on the connection.  BFD is set as a fault
     detection mechanism, but the 'oam' container can easily
     be augmented by other mechanisms";
    }
    description
    "Defines connection parameters.";
   }
   description
   "This grouping defines IP connection parameters.";
  }
  grouping site-service-multicast {
   container multicast {
    if-feature multicast;
    leaf multicast-site-type {
     type enumeration {
      enum receiver-only {
       description
       "The site only has receivers.";
      }
      enum source-only {
       description
       "The site only has sources.";
      }
      enum source-receiver {
       description
       "The site has both sources and receivers.";
      }
     }
     default source-receiver;
     description
     "Type of multicast site.";
    }
    container multicast-address-family {
     leaf ipv4 {
      if-feature ipv4;
      type boolean;
      default false;
      description

Top      Up      ToC       Page 171 
      "Enables IPv4 multicast.";
     }
     leaf ipv6 {
      if-feature ipv6;
      type boolean;
      default false;
      description
      "Enables IPv6 multicast.";
     }
     description
     "Defines protocol to carry multicast.";
     }
    leaf protocol-type {
     type enumeration {
      enum host {
       description
       "Hosts are directly connected to the provider network.
       Host protocols such as IGMP or MLD are required.";
      }
      enum router {
       description
       "Hosts are behind a customer router.
       PIM will be implemented.";
      }
      enum both {
       description
       "Some hosts are behind a customer router, and
       some others are directly connected to the
       provider network.  Both host and routing protocols
       must be used.  Typically, IGMP and PIM will be
       implemented.";
      }
     }
     default "both";
     description
     "Multicast protocol type to be used with the customer site.";
    }
    description
    "Multicast parameters for the site.";
   }
   description
   "Multicast parameters for the site.";
  }
  grouping site-management {
   container management {
    leaf type {
     type identityref {
      base management;

Top      Up      ToC       Page 172 
     }
     mandatory true;
     description
     "Management type of the connection.";
    }
    description
    "Management configuration.";
   }
   description
   "Management parameters for the site.";
  }
  grouping site-devices {
   container devices {
    when "derived-from-or-self(../management/type, "+
    "'l3vpn-svc:provider-managed') or "+
    "derived-from-or-self(../management/type, 'l3vpn-svc:co-managed')" {
    description
    "Applicable only for provider-managed or
    co-managed device.";
   }
   list device {
    key device-id;
    leaf device-id {
     type svc-id;
     description
     "Identifier for the device.";
    }
    leaf location {
     type leafref {
      path "../../../locations/"+
      "location/location-id";
     }
     mandatory true;
     description
      "Location of the device.";
     }
    container management {
     when "derived-from-or-self(../../../management/type,"+
       "'l3vpn-svc:co-managed')" {
       description
        "Applicable only for co-managed device.";
      }
     leaf address-family {
      type address-family;
      description
      "Address family used for management.";
     }
     leaf address {

Top      Up      ToC       Page 173 
          when "(../address-family)" {
            description
            "If address-family is specified, then address should
            also be specified.  If address-family is not specified,
            then address should also not be specified.";
            }
          type inet:ip-address;
          mandatory true;
      description
      "Management address.";
      }
     description
      "Management configuration.  Applicable only for
       co-managed device.";
     }
     description
     "List of devices requested by customer.";
    }
    description
    "Device configuration.";
   }
   description
   "Grouping for device allocation.";
  }
  grouping site-vpn-flavor {
   leaf site-vpn-flavor {
    type identityref {
     base site-vpn-flavor;
    }
    default site-vpn-flavor-single;
    description
    "Defines the way the VPN multiplexing is done, e.g., whether
    the site belongs to a single VPN site or a multiVPN; or, in the case
    of a multiVPN, whether the logical accesses of the sites belong
    to the same set of VPNs or each logical access maps to
    different VPNs.";
   }
   description
   "Grouping for site VPN flavor.";
  }
  grouping site-vpn-policy {
   container vpn-policies {
    list vpn-policy {
     key vpn-policy-id;
     leaf vpn-policy-id {
      type svc-id;
      description
      "Unique identifier for the VPN policy.";

Top      Up      ToC       Page 174 
     }
     list entries {
      key id;
      leaf id {
       type svc-id;
       description
       "Unique identifier for the policy entry.";
      }
      container filters {
       list filter {
        key type;
        ordered-by user;
        leaf type {
         type identityref {
          base vpn-policy-filter-type;
          }
         description
         "Type of VPN Policy filter.";
         }
         leaf-list lan-tag {
         when "derived-from-or-self(../type, 'l3vpn-svc:lan')" {
          description
          "Only applies when the VPN Policy filter is a
          LAN Tag filter.";
         }
          if-feature lan-tag;
          type string;
          description
          "List of 'lan-tag' items to be matched.  LAN Tag
          is an Internal tag to be used in VPN policies ";
         }
         leaf-list ipv4-lan-prefix {
         when "derived-from-or-self(../type, 'l3vpn-svc:ipv4')" {
           description
           "Only applies when VPN Policy filter is IPv4 Prefix filter.";
          }
          if-feature ipv4;
          type inet:ipv4-prefix;
          description
          "List of IPv4 prefixes as LAN Prefixes to be matched.";
         }
         leaf-list ipv6-lan-prefix {
         when "derived-from-or-self(../type, 'l3vpn-svc:ipv6')" {
         description
         "Only applies when VPN Policy filter is IPv6 Prefix filter.";
          }
          if-feature ipv6;
          type inet:ipv6-prefix;

Top      Up      ToC       Page 175 
          description
          "List of IPv6 prefixes as LAN prefixes to be matched.";
         }
          description
          "List of filters used on the site.  This list can
          be augmented.";
       }
       description
       "If a more-granular VPN attachment is necessary, filtering can
       be used.  If used, it permits the splitting of site LANs among
       multiple VPNs.  The Site LAN can be split based on either LAN
       Tag or LAN prefix.  If no filter is used, all the LANs will be
       part of the same VPNs with the same role.";
      }
      list vpn {
       key vpn-id;
       leaf vpn-id {
        type leafref {
         path "/l3vpn-svc/vpn-services/"+
          "vpn-service/vpn-id";
        }
        mandatory true;
        description
        "Reference to an IP VPN.";
       }
       leaf site-role {
        type identityref {
         base site-role;
        }
        default any-to-any-role;
        description
        "Role of the site in the IP VPN.";
       }
       description
       "List of VPNs the LAN is associated with.";
      }
      description
      "List of entries for export policy.";
     }
     description
     "List of VPN policies.";
    }
    description
    "VPN policy.";
   }
   description
   "VPN policy parameters for the site.";
  }

Top      Up      ToC       Page 176 
  grouping site-maximum-routes {
   container maximum-routes {
    list address-family {
     key af;
     leaf af {
      type address-family;
      description
      "Address family.";
     }
     leaf maximum-routes {
      type uint32;
      description
      "Maximum prefixes the VRF can accept
      for this address family.";
     }
     description
     "List of address families.";
    }
    description
    "Defines 'maximum-routes' for the VRF.";
   }
   description
   "Defines 'maximum-routes' for the site.";
  }
  grouping site-security {
   container security {
    uses site-security-authentication;
    uses site-security-encryption;
    description
    "Site-specific security parameters.";
   }
   description
   "Grouping for security parameters.";
  }
  grouping site-service {
   container service {
    uses site-service-qos-profile;
    uses site-service-mpls;
    uses site-service-multicast;
    description
    "Service parameters on the attachment.";
   }
   description
   "Grouping for service parameters.";
  }
  grouping site-network-access-service {
   container service {
    uses site-service-basic;

Top      Up      ToC       Page 177 
    uses site-service-qos-profile;
    uses site-service-mpls;
    uses site-service-multicast;
    description
    "Service parameters on the attachment.";
   }
   description
   "Grouping for service parameters.";
  }
  grouping vpn-extranet {
   container extranet-vpns {
    if-feature extranet-vpn;
    list extranet-vpn {
     key vpn-id;
     leaf vpn-id {
      type svc-id;
      description
      "Identifies the target VPN the local VPN want to access.";
     }
     leaf local-sites-role {
      type identityref {
       base site-role;
      }
      default any-to-any-role;
      description
      "This describes the role of the
      local sites in the target VPN topology.  In the any-to-any VPN
      service topology, the local sites must have the same role, which
      will be 'any-to-any-role'.  In the Hub-and-Spoke VPN service
      topology or the Hub-and-Spoke disjoint VPN service topology,
      the local sites must have a Hub role or a Spoke role.";
     }
     description
     "List of extranet VPNs or target VPNs the local VPN is
     attached to.";
    }
    description
    "Container for extranet VPN configuration.";
   }
   description
   "Grouping for extranet VPN configuration.
   This provides an easy way to interconnect
   all sites from two VPNs.";
  }
  grouping site-attachment-availability {
   container availability {
    leaf access-priority {
     type uint32;

Top      Up      ToC       Page 178 
     default 100;
     description
     "Defines the priority for the access.
     The higher the access-priority value,
     the higher the preference of the
     access will be.";
    }
    description
    "Availability parameters (used for multihoming).";
   }
   description
   "Defines availability parameters for a site.";
  }
  grouping access-vpn-policy {
   container vpn-attachment {
    choice attachment-flavor {
     case vpn-policy-id {
      leaf vpn-policy-id {
       type leafref {
        path "../../../../"+
         "vpn-policies/vpn-policy/"+
         "vpn-policy-id";
       }
       description
       "Reference to a VPN policy.  When referencing VPN
       policy for attachment, the vpn-policy-id must be
       configured.";
      }
     }
     case vpn-id {
      leaf vpn-id {
       type leafref {
        path "/l3vpn-svc/vpn-services"+
         "/vpn-service/vpn-id";
       }
       description
       "Reference to an IP VPN.  Referencing a vpn-id provides
       an easy way to attach a particular logical access to
       a VPN.  In this case, vpn-id must be configured.";
      }
      leaf site-role {
       type identityref {
        base site-role;
       }
       default any-to-any-role;
       description
       "Role of the site in the IP VPN.  When referencing a vpn-id,
       the site-role setting must be added to express the role of

Top      Up      ToC       Page 179 
       the site in the target VPN service topology.";
      }
     }
     mandatory true;
     description
     "Choice for VPN attachment flavor.  A choice is implemented
     to allow the user to choose the flavor that provides the
     best fit.";
    }
    description
    "Defines VPN attachment of a site.";
   }
   description
   "Defines the VPN attachment rules for
   a site's logical access.";
  }
  grouping vpn-profile-cfg {
   container valid-provider-identifiers {
    list cloud-identifier {
     if-feature cloud-access;
     key id;
     leaf id {
      type string;
      description
      "Identification of cloud service.
      Local administration meaning.";
     }
     description
     "List for Cloud Identifiers.";
    }
    list encryption-profile-identifier {
     key id;
     leaf id {
      type string;
      description
      "Identification of the SP encryption profile
      to be used.  Local administration meaning.";
     }
     description
     "List for encryption profile identifiers.";
    }
    list qos-profile-identifier {
     key id;
     leaf id {
      type string;
      description
      "Identification of the QoS Profile to be used.
      Local administration meaning.";

Top      Up      ToC       Page 180 
     }
     description
     "List for QoS Profile Identifiers.";
    }
    list bfd-profile-identifier {
     key id;
     leaf id {
      type string;
      description
      "Identification of the SP BFD Profile to be used.
      Local administration meaning.";
     }
     description
     "List for BFD Profile identifiers.";
    }
      nacm:default-deny-write;
      description
      "Container for Valid Provider Identifies.";
   }
    description
    "Grouping for VPN Profile configuration.";
  }
  grouping vpn-svc-cfg {
   leaf vpn-id {
    type svc-id;
    description
    "VPN identifier.  Local administration meaning.";
   }
   leaf customer-name {
    type string;
    description
    "Name of the customer that actually uses the VPN service.
    In the case that any intermediary (e.g., Tier-2 provider
    or partner) sells the VPN service to their end user
    on behalf of the original service provider (e.g., Tier-1
    provider), the original service provider may require the
    customer name to provide smooth activation/commissioning
    and operation for the service.";
   }
   leaf vpn-service-topology {
    type identityref {
     base vpn-topology;
    }
    default any-to-any;
    description
    "VPN service topology.";
   }
   uses vpn-service-cloud-access;

Top      Up      ToC       Page 181 
   uses vpn-service-multicast;
   uses vpn-service-mpls;
   uses vpn-extranet;
   description
   "Grouping for VPN service configuration.";
  }
  grouping site-top-level-cfg {
   uses operational-requirements;
   uses customer-location-info;
   uses site-devices;
   uses site-diversity;
   uses site-management;
   uses site-vpn-policy;
   uses site-vpn-flavor;
   uses site-maximum-routes;
   uses site-security;
   uses site-service;
   uses site-protection;
   uses site-routing;
   description
   "Grouping for site top-level configuration.";
  }
  grouping site-network-access-top-level-cfg {
   leaf site-network-access-type {
    type identityref {
     base site-network-access-type;
    }
    default point-to-point;
    description
    "Describes the type of connection, e.g.,
    point-to-point or multipoint.";
   }
   choice location-flavor {
    case location {
     when "derived-from-or-self(../../management/type, "+
      "'l3vpn-svc:customer-managed')" {
      description
      "Applicable only for customer-managed device.";
     }
     leaf location-reference {
      type leafref {
       path "../../../locations/location/location-id";
      }
      description
      "Location of the site-network-access.";
     }
    }
    case device {

Top      Up      ToC       Page 182 
     when "derived-from-or-self(../../management/type, "+
      "'l3vpn-svc:provider-managed') or "+
      "derived-from-or-self(../../management/type, "+
      "'l3vpn-svc:co-managed')" {
      description
      "Applicable only for provider-managed or co-managed device.";
     }
     leaf device-reference {
      type leafref {
       path "../../../devices/device/device-id";
      }
      description
      "Identifier of CE to use.";
     }
    }
    mandatory true;
    description
    "Choice of how to describe the site's location.";
   }
   uses access-diversity;
   uses site-attachment-bearer;
   uses site-attachment-ip-connection;
   uses site-security;
   uses site-network-access-service;
   uses site-routing;
   uses site-attachment-availability;
   uses access-vpn-policy;
   description
   "Grouping for site network access top-level configuration.";
  }
  /* Main blocks */
  container l3vpn-svc {
   container vpn-profiles {
    uses vpn-profile-cfg;
     description
     "Container for VPN Profiles.";
   }
   container vpn-services {
    list vpn-service {
     key vpn-id;
     uses vpn-svc-cfg;
     description
     "List of VPN services.";
    }
    description
    "Top-level container for the VPN services.";
   }
   container sites {

Top      Up      ToC       Page 183 
    list site {
     key site-id;
     leaf site-id {
      type svc-id;
      description
      "Identifier of the site.";
     }
     uses site-top-level-cfg;
     uses operational-requirements-ops;
     container site-network-accesses {
      list site-network-access {
       key site-network-access-id;
       leaf site-network-access-id {
        type svc-id;
        description
        "Identifier for the access.";
       }
       uses site-network-access-top-level-cfg;
       description
       "List of accesses for a site.";
      }
      description
      "List of accesses for a site.";
     }
     description
     "List of sites.";
    }
    description
    "Container for sites.";
   }
   description
   "Main container for L3VPN service configuration.";
  }
 }
 <CODE ENDS>

Top      Up      ToC       Page 184 
10.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC5246].

   The NETCONF access control model [RFC6536]provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   o  /l3vpn-svc/vpn-services/vpn-service

      The entries in the list above include the whole vpn service
      configurations which the customer subscribes, and indirectly
      create or modify the PE and CE device configurations.  Unexpected
      changes to these entries could lead to service disruption and/or
      network misbehavior.

   o  /l3vpn-svc/sites/site

      The entries in the list above include the customer site
      configurations.  As above, unexpected changes to these entries
      could lead to service disruption and/or network misbehavior.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  /l3vpn-svc/vpn-services/vpn-service

   o  /l3vpn-svc/sites/site

Top      Up      ToC       Page 185 
   The entries in the lists above include customer-proprietary or
   confidential information, e.g., customer-name, site location, what
   service the customer subscribes.

   The data model defines some security parameters than can be extended
   via augmentation as part of the customer service request; those
   parameters are described in Section 6.9.

11.  IANA Considerations

   IANA has assigned a new URI from the "IETF XML Registry" [RFC3688].

             URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc
             Registrant Contact: The IESG
             XML: N/A; the requested URI is an XML namespace.

   IANA has recorded a YANG module name in the "YANG Module Names"
   registry [RFC6020] as follows:

           Name: ietf-l3vpn-svc
           Namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc
           Prefix: l3vpn-svc
           Reference: RFC 8299

   IANA previously assigned the URI and YANG module as described in
   [RFC8049].  IANA has updated the references for these entries to
   refer to this document.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001,
              <https://www.rfc-editor.org/info/rfc3022>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

Top      Up      ToC       Page 186 
   [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
              Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
              2006, <https://www.rfc-editor.org/info/rfc4364>.

   [RFC4577]  Rosen, E., Psenak, P., and P. Pillay-Esnault, "OSPF as the
              Provider/Customer Edge Protocol for BGP/MPLS IP Virtual
              Private Networks (VPNs)", RFC 4577, DOI 10.17487/RFC4577,
              June 2006, <https://www.rfc-editor.org/info/rfc4577>.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007,
              <https://www.rfc-editor.org/info/rfc4862>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010,
              <https://www.rfc-editor.org/info/rfc6020>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6513]  Rosen, E., Ed. and R. Aggarwal, Ed., "Multicast in MPLS/
              BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, February
              2012, <https://www.rfc-editor.org/info/rfc6513>.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012,
              <https://www.rfc-editor.org/info/rfc6536>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

Top      Up      ToC       Page 187 
   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8049]  Litkowski, S., Tomotaki, L., and K. Ogaki, "YANG Data
              Model for L3VPN Service Delivery", RFC 8049,
              DOI 10.17487/RFC8049, February 2017,
              <https://www.rfc-editor.org/info/rfc8049>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2.  Informative References

   [ACL-YANG] Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model", Work
              in Progress, draft-ietf-netmod-acl-model-14, October 2017.

   [RFC4026]  Andersson, L. and T. Madsen, "Provider Provisioned Virtual
              Private Network (VPN) Terminology", RFC 4026,
              DOI 10.17487/RFC4026, March 2005,
              <https://www.rfc-editor.org/info/rfc4026>.

   [RFC4110]  Callon, R. and M. Suzuki, "A Framework for Layer 3
              Provider-Provisioned Virtual Private Networks (PPVPNs)",
              RFC 4110, DOI 10.17487/RFC4110, July 2005,
              <https://www.rfc-editor.org/info/rfc4110>.

   [RFC4760]  Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
              "Multiprotocol Extensions for BGP-4", RFC 4760,
              DOI 10.17487/RFC4760, January 2007,
              <https://www.rfc-editor.org/info/rfc4760>.

   [RFC8277]  Rosen, E., "Using BGP to Bind MPLS Labels to Address
              Prefixes", RFC 8277, DOI 10.17487/RFC8277, October 2017,
              <https://www.rfc-editor.org/info/rfc8277>.

Top      Up      ToC       Page 188 
Acknowledgements

   Maxim Klyus, Luis Miguel Contreras, Gregory Mirsky, Zitao Wang, Jing
   Zhao, Kireeti Kompella, Eric Rosen, Aijun Wang, Michael Scharf,
   Xufeng Liu, David Ball, Lucy Yong, Jean-Philippe Landry, and Andrew
   Leu provided useful review to this document.

   Jan Lindblad reviewed RFC 8049 and found some bugs, and his thorough
   YANG Doctor review on the YANG Module is valuable input.  David Ball
   also provided a second review on RFC 8049.

   Many thanks to these people.

Contributors

   The authors would like to thank Rob Shakir for his major
   contributions to the initial modeling and use cases.

   Adrian Farrel prepared the editorial revisions for this document.

Authors' Addresses

   Qin Wu (editor)
   Huawei Technologies

   Email: bill.wu@huawei.com


   Stephane Litkowski
   Orange Business Services

   Email: stephane.litkowski@orange.com


   Luis Tomotaki
   Verizon

   Email: luis.tomotaki@verizon.com


   Kenichi Ogaki
   KDDI Corporation

   Email: ke-oogaki@kddi.com