A YANG Data Model for Augmenting VPN Service and Network Models with Attachment Circuits

A YANG Data Model for Augmenting VPN Service and Network Models with Attachment Circuits Orange

mohamed.boucadair@orange.com

Juniper

rroberts@juniper.net

Nokia

samier.barguil_giraldo@nokia.com

Telefonica

oscar.gonzalezdedios@telefonica.com

Operations and Management OPSAWG Slice Service L3VPN L2VPN Automation Network Automation Orchestration service delivery Service provisioning service segmentation service flexibility service simplification Network Service 3GPP Network Slicing The document specifies a module that updates existing service (i.e., the Layer 2 Service Model (L2SM) and the Layer 3 Service Model (L3SM)) and network (i.e., the Layer 2 Network Model (L2NM) and the Layer 3 Network Model (L3NM)) Virtual Private Network (VPN) modules with the required information to bind specific VPN services to Attachment Circuits (ACs) that are created using the AC service ("ietf-ac-svc") and network ("ietf-ac-ntw") models. Discussion Venues Discussion of this document takes place on the Operations and Management Area Working Group Working Group mailing list (opsawg@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction The document specifies a YANG module ("ietf-ac-glue", ) that updates existing service and network Virtual Private Network (VPN) modules with the required information to bind specific services to Attachment Circuits (ACs) that are created using the AC service model . Specifically, the following modules are augmented:

The Layer 2 Service Model (L2SM)
The Layer 3 Service Model (L3SM)
The Layer 2 Network Model (L2NM)
The Layer 3 Network Model (L3NM)

Likewise, the document augments the L2NM and L3NM with references to the ACs that are managed using the AC network model . The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in . An example to illustrate the use of the "ietf-ac-glue" model is provided in .

Editorial Note (To be removed by RFC Editor) Note to the RFC Editor: This section is to be removed prior to publication. This document contains placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. Please apply the following replacements:

XXXX --> the assigned RFC number for this I-D
SSSS --> the assigned RFC number for
NNNN --> the assigned RFC number for
2023-11-13 --> the actual date of the publication of this document

Conventions and Definitions The meanings of the symbols in the YANG tree diagrams are defined in . This document uses terms defined in . LxSM refers to both the L2SM and the L3SM. LxNM refers to both the L2NM and the L3NM. The following terms are used in the modules prefixes:

ac:: Attachment circuit
ntw:: Network
ref:: Reference
svc:: Service

The names of data nodes are prefixed using the prefix associated with the corresponding imported YANG module as shown in : Modules and Their Associated Prefixes

Prefix	Module	Reference
ac-svc	ietf-ac-svc	Section 5.2 of RFC SSSS
ac-ntw	ietf-ac-ntw	RFC NNNN
l2nm	ietf-l3vpn-ntw
l2vpn-svc	ietf-l2vpn-svc
l3nm	ietf-l3vpn-ntw
l3vpn-svc	ietf-l3vpn-svc

Relationship to Other AC Data Models depicts the relationship between the various AC data models:

"ietf-ac-common" ()
"ietf-bearer-svc" ()
"ietf-ac-svc" ()
"ietf-ac-ntw" ()
"ietf-ac-glue" ()

AC Data Models ietf-bearer-svc | ^ ^ | | | | | +------------------------ ietf-ac-ntw | ^ | | | | +----------- ietf-ac-glue -----------+ ]]> "ietf-ac-common" is imported by "ietf-bearer-svc", "ietf-ac-svc", and "ietf-ac-ntw". Bearers managed using "ietf-bearer-svc" may be referenced in the service ACs managed using "ietf-ac-svc". Similarly, a bearer managed using "ietf-bearer-svc" may list the set of ACs that use that bearer. In order to ease correlation between an AC service request and the actual AC provisioned in the network, "ietf-ac-ntw" uses the AC references exposed by "ietf-ac-svc". To bind Layer 2 VPN or Layer 3 VPN services with ACs, "ietf-ac-glue" augments the LxSM and LxNM with AC service references exposed by "ietf-ac-svc" and AC network references exposed by "ietf-ac-ntw".

Sample Uses of the Data Models

ACs Terminated by One or Multiple Customer Edges (CEs) depicts two target topology flavors that involve ACs. These topologies have the following characteristics:

A Customer Edge (CE) can be either a physical device or a logical entity. Such logical entity is typically a software component (e.g., a virtual service function that is hosted within the provider's network or a third-party infrastructure). A CE is seen by the network as a peer Service Attachment Point (SAP) .
CEs may be either dedicated to one single connectivity service or host multiple connectivity services (e.g., CEs with roles of service functions ).
A network provider may bind a single AC to one or multiple peer SAPs (e.g., CE1 and CE2 are tagged as peer SAPs for the same AC). For example, and as discussed in , multiple CEs can be attached to a PE over the same attachment circuit. This scenario is typically implemented when the Layer 2 infrastructure between the CE and the network is a multipoint service.
A single CE may terminate multiple ACs, which can be associated with the same bearer or distinct bearers (e.g., CE4).
Customers may request protection schemes in which the ACs associated with their endpoints are terminated by the same PE (e.g., CE3), distinct PEs (e.g., CE4), etc. The network provider uses this request to decide where to terminate the AC in the service provider network and also whether to enable specific capabilities (e.g., Virtual Router Redundancy Protocol (VRRP)).

Examples of ACs

Separate AC Provisioning From Actual VPN Service Provisioning The procedure to provision a service in a service provider network may depend on the practices adopted by a service provider. This includes the flow put in place for the provisioning of advanced network services and how they are bound to an attachment circuit. For example, a single attachment circuit may be used to host multiple connectivity services (e.g., Layer 2 VPN ("ietf-l2vpn-svc"), Layer 3 VPN ("ietf-l3vpn-svc"), Network Slice Service ("ietf-network-slice-service")). In order to avoid service interference and redundant information in various locations, a service provider may expose an interface to manage ACs network-wide using . Customers can request a bearer ("ietf-bearer-svc") or an attachment circuit ("ietf-ac-svc") to be put in place, and then refer to that bearer or AC when requesting VPN services that are bound to the bearer or AC ("ietf-ac-glue"). Also, internal references ("ietf-ac-ntw") used within a service provider network to implement ACs can be used by network controllers to glue the L2NM ("ietf-l2vpn-ntw") or the L3NM ("ietf-l3vpn-ntw") services with relevant ACs. shows the positioning of the AC models in the overall service delivery process.

An Example of AC Models Usage

Module Tree Structure specifies that a 'site-network-access' attachment is achieved through a 'bearer' with an 'ip-connection' on top. From that standpoint, a 'site-network-access' is mapped to an attachment circuit with both Layers 2 and 3 properties as per . specifies that a 'site-network-access' represents a logical Layer 2 connection to a site. A 'site-network-access' can thus be mapped to an attachment circuit with Layer 2 properties . Similarly, 'vpn-network-access' defined in both and is mapped to an attachment circuit as per or . As such, ACs created using the "ietf-ac-svc" module can be referenced in other VPN-related modules (e.g., L2SM, L3SM, L2NM, and L3NM). Also, ACs managed using the "ietf-ac-ntw" module can be referenced in VPN-related network modules (mainly, the L2NM and the L3NM). The required augmentations to that aim are shown in .

AC Glue Tree Structure /nw:networks/network/network-id augment /l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service /l2nm:vpn-nodes/l2nm:vpn-node/l2nm:vpn-network-accesses /l2nm:vpn-network-access: +--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}? +--rw ac-ntw-ref {ac-glue}? +--rw ac-ref? leafref +--rw node-ref? leafref +--rw network-ref? -> /nw:networks/network/network-id augment /l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service /l3nm:vpn-nodes/l3nm:vpn-node/l3nm:vpn-network-accesses: +--rw ac-svc-ref* ac-svc:attachment-circuit-reference +--rw ac-ntw-ref* [ac-ref] +--rw ac-ref leafref +--rw node-ref? leafref +--rw network-ref? -> /nw:networks/network/network-id augment /l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service /l3nm:vpn-nodes/l3nm:vpn-node/l3nm:vpn-network-accesses /l3nm:vpn-network-access: +--rw ac-svc-ref? ac-svc:attachment-circuit-reference {ac-glue}? +--rw ac-ntw-ref {ac-glue}? +--rw ac-ref? leafref +--rw node-ref? leafref +--rw network-ref? -> /nw:networks/network/network-id ]]> When an AC is referenced within a specific network access, then that AC information takes precedence over any overlapping information that is also enclosed for this network access.

This approach is consistent with the design in where an AC service reference, called 'ac-svc-name', is used to indicate the names of AC services. As per , when both 'ac-svc-name' and the attributes of 'attachment-circuits' are defined, the 'ac-svc-name' takes precedence.

The "ietf-ac-glue" module includes provisions to reference ACs within or outside a VPN network access to accommodate deployment contexts where an AC reference may be created before or after a VPN instance is created. illustrates how an AC reference can be included as part of a specific VPN network access, while shows how AC references can be indicated outside individual VPN network access entries.

The AC Glue ("ietf-ac-glue") YANG Module This modules augments the L2SM , the L3SM , the L2NM , and the L3NM . This module uses references defined in and . WG List: Editor: Mohamed Boucadair Author: Richard Roberts Author: Samier Barguil Author: Oscar Gonzalez de Dios "; description "This YANG module defines a YANG model for augmenting the LxSM and the LxNM with attachment circuit references. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2023-11-13 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for Augmenting VPN Service and Network Models with Attachment Circuits"; } feature ac-glue { description "The VPN implementation supports binding a specific VPN network access or site access to an attachment circuit."; } grouping single-ac-svc-ref { description "A grouping with single reference to a service AC."; leaf ac-svc-ref { type ac-svc:attachment-circuit-reference; description "A reference to the AC as exposed at the service that was provisioned using the ACaaS module."; } } grouping single-ac-svc-ntw-ref { description "A grouping with single AC references."; leaf ac-svc-ref { type ac-svc:attachment-circuit-reference; description "A reference to the AC as exposed at the service that was provisioned using the ACaaS module."; } container ac-ntw-ref { description "A reference to the AC that was provisioned using the AC network module."; uses ac-ntw:attachment-circuit-reference; } } grouping ac-svc-ref { description "A set of service-specific AC-related data."; leaf-list ac-svc-ref { type ac-svc:attachment-circuit-reference; description "A reference to the AC as exposed at the service that was provisioned using the ACaaS module."; } } grouping ac-svc-ntw-ref { description "A set of AC-related data."; leaf-list ac-svc-ref { type ac-svc:attachment-circuit-reference; description "A reference to the AC as exposed at the service that was provisioned using the ACaaS module."; } list ac-ntw-ref { key "ac-ref"; description "A reference to the AC that was provisioned using the AC network module."; uses ac-ntw:attachment-circuit-reference; } } augment "/l2vpn-svc:l2vpn-svc" + "/l2vpn-svc:sites/l2vpn-svc:site" + "/l2vpn-svc:site-network-accesses" { description "Augments VPN site network accesses with AC provisioning details. Concretely, it binds a site to a set of attachment circuits with Layer 2 properties that were created using the ACaaS module."; uses ac-svc-ref; } augment "/l2vpn-svc:l2vpn-svc" + "/l2vpn-svc:sites/l2vpn-svc:site" + "/l2vpn-svc:site-network-accesses" + "/l2vpn-svc:site-network-access" { if-feature "ac-glue"; description "Augments VPN site network access with AC provisioning details. Concretely, it glues a 'site-network-access' to an attachment circuit with Layer 2 properties that was created using the ACaaS module. The ACaaS information takes precedence over any overlapping information that is also provided for a site network access."; uses single-ac-svc-ref; } augment "/l3vpn-svc:l3vpn-svc" + "/l3vpn-svc:sites/l3vpn-svc:site" + "/l3vpn-svc:site-network-accesses" { description "Augments VPN site network accesses with AC provisioning details. Concretely, it binds a site to a set of attachment circuits with both Layers 2 and 3 properties that were created using the ACaaS module."; uses ac-svc-ref; } augment "/l3vpn-svc:l3vpn-svc" + "/l3vpn-svc:sites/l3vpn-svc:site" + "/l3vpn-svc:site-network-accesses" + "/l3vpn-svc:site-network-access" { if-feature "ac-glue"; description "Augments VPN site network access with AC provisioning details. Concretely, it glues a 'site-network-access' to an attachment circuit with both Layer 2 and Layer 3 properties that was created using the ACaaS module. The ACaaS information takes precedence over any overlapping information that is also provided for a site network access."; uses single-ac-svc-ref; } augment "/l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service" + "/l2nm:vpn-nodes/l2nm:vpn-node" + "/l2nm:vpn-network-accesses" { description "Augments VPN network accesses with both service and network AC provisioning details. Concretely, it binds a site to (1) a set of attachment circuits with Layer 2 properties that were created using the ACaaS module and (2) a set of attachment circuits with Layer 2 properties that were provisioned using the AC network model."; uses ac-svc-ntw-ref; } augment "/l2nm:l2vpn-ntw/l2nm:vpn-services/l2nm:vpn-service" + "/l2nm:vpn-nodes/l2nm:vpn-node" + "/l2nm:vpn-network-accesses" + "/l2nm:vpn-network-access" { if-feature "ac-glue"; description "Augments VPN network access with service and network references to an AC. Concretely, it glues a VPN network access to (1) an attachment circuit with Layer 2 properties that was created using the ACaaS module and (2) an attachment circuit with Layer 2 properties that was created using the AC network module. The AC service and network information takes precedence over any overlapping information that is also provided for a VPN network access."; uses single-ac-svc-ntw-ref; } augment "/l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service" + "/l3nm:vpn-nodes/l3nm:vpn-node" + "/l3nm:vpn-network-accesses" { description "Augments VPN network accesses with both service and network AC provisioning details. Concretely, it binds a site to (1) a set of attachment circuits with both Layer 2 and Layer 3 properties that were created using the ACaaS module and (2) a set of attachment circuits with both Layer 2 and Layer 3 properties that were provisioned using the AC network model."; uses ac-svc-ntw-ref; } augment "/l3nm:l3vpn-ntw/l3nm:vpn-services/l3nm:vpn-service" + "/l3nm:vpn-nodes/l3nm:vpn-node" + "/l3nm:vpn-network-accesses" + "/l3nm:vpn-network-access" { if-feature "ac-glue"; description "Augments VPN network access with service and network references to an AC. Concretely, it glues a VPN network access to (1) an attachment circuit with both Layer 2 and Layer 3 properties that was created using the ACaaS module and (2) an attachment circuit with both Layer 2 and Layer 3 properties that was created using the AC network module. The AC service and network information takes precedence over any overlapping information that is also provided for a VPN network access."; uses single-ac-svc-ntw-ref; } } ]]>

Security Considerations This section uses the template described in . The YANG module specified in this document defines schema for data that is designed to be accessed via network management protocols such as NETCONF or RESTCONF . The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) . The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS . The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:

'ac-svc-ref' and 'ac-ntw-ref':: An attacker who is able to access network nodes can undertake various attacks, such as deleting a running VPN service, interrupting all the traffic of a client. Specifically, an attacker may modify (including delete) the ACs that are bound to a running service, leading to malfunctioning of the service and therefore to Service Level Agreement (SLA) violations. : Such activity can be detected by adequately monitoring and tracking network configuration changes.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:

'ac-svc-ref' and 'ac-ntw-ref':: These references do not expose per se privacy-related information, however 'ac-svc-ref' may be used to track the set of VPN instances in which a given customer is involved.
: Note that, unlike 'ac-svc-ref', 'ac-ntw-ref' is unique within the scope of a node and may multiplex many peer CEs.

IANA Considerations IANA is requested to register the following URI in the "ns" subregistry within the "IETF XML Registry" : IANA is requested to register the following YANG module in the "YANG Module Names" registry within the "YANG Parameters" registry group:

References Normative References YANG Data Models for Bearers and 'Attachment Circuits'-as-a-Service (ACaaS) Orange Juniper Telefonica Nokia Huawei Technologies This document specifies a YANG service data model for Attachment Circuits (ACs). This model can be used for the provisioning of ACs before or during service provisioning (e.g., Network Slice Service). The document also specifies a service model for managing bearers over which ACs are established. Also, the document specifies a set of reusable groupings. Whether other service models reuse structures defined in the AC models or simply include an AC reference is a design choice of these service models. Utilizing the AC service model to manage ACs over which a service is delivered has the advantage of decoupling service management from upgrading AC components to incorporate recent AC technologies or features. A YANG Data Model for Layer 2 Virtual Private Network (L2VPN) Service Delivery This document defines a YANG data model that can be used to configure a Layer 2 provider-provisioned VPN service. It is up to a management system to take this as an input and generate specific configuration models to configure the different network elements to deliver the service. How this configuration of network elements is done is out of scope for this document. The YANG data model defined in this document includes support for point-to-point Virtual Private Wire Services (VPWSs) and multipoint Virtual Private LAN Services (VPLSs) that use Pseudowires signaled using the Label Distribution Protocol (LDP) and the Border Gateway Protocol (BGP) as described in RFCs 4761 and 6624. The YANG data model defined in this document conforms to the Network Management Datastore Architecture defined in RFC 8342. YANG Data Model for L3VPN Service Delivery This document defines a YANG data model that can be used for communication between customers and network operators and to deliver a Layer 3 provider-provisioned VPN service. This document is limited to BGP PE-based VPNs as described in RFCs 4026, 4110, and 4364. This model is intended to be instantiated at the management system to deliver the overall service. It is not a configuration model to be used directly on network elements. This model provides an abstracted view of the Layer 3 IP VPN service configuration components. It will be up to the management system to take this model as input and use specific configuration models to configure the different network elements to deliver the service. How the configuration of network elements is done is out of scope for this document. This document obsoletes RFC 8049; it replaces the unimplementable module in that RFC with a new module with the same name that is not backward compatible. The changes are a series of small fixes to the YANG module and some clarifications to the text. A YANG Network Data Model for Layer 2 VPNs This document defines an L2VPN Network Model (L2NM) that can be used to manage the provisioning of Layer 2 Virtual Private Network (L2VPN) services within a network (e.g., a service provider network). The L2NM complements the L2VPN Service Model (L2SM) by providing a network-centric view of the service that is internal to a service provider. The L2NM is particularly meant to be used by a network controller to derive the configuration information that will be sent to relevant network devices. Also, this document defines a YANG module to manage Ethernet segments and the initial versions of two IANA-maintained modules that include a set of identities of BGP Layer 2 encapsulation types and pseudowire types. A YANG Network Data Model for Layer 3 VPNs As a complement to the Layer 3 Virtual Private Network Service Model (L3SM), which is used for communication between customers and service providers, this document defines an L3VPN Network Model (L3NM) that can be used for the provisioning of Layer 3 Virtual Private Network (L3VPN) services within a service provider network. The model provides a network-centric view of L3VPN services. The L3NM is meant to be used by a network controller to derive the configuration information that will be sent to relevant network devices. The model can also facilitate communication between a service orchestrator and a network controller/orchestrator. A Network YANG Data Model for Attachment Circuits Orange Juniper Telefonica Nokia Huawei Technologies This document specifies a network model for attachment circuits. The model can be used for the provisioning of attachment circuits prior or during service provisioning (e.g., VPN, Network Slice Service). A companion service model is specified in the YANG Data Models for Bearers and 'Attachment Circuits'-as-a-Service (ACaaS) (I-D.ietf- opsawg-teas-attachment-circuit). The module augments the base network ('ietf-network') and the Service Attachment Point (SAP) models with the detailed information for the provisioning of attachment circuits in Provider Edges (PEs). Network Management Datastore Architecture (NMDA) Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950. Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] RESTCONF Protocol This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). Using the NETCONF Protocol over Secure Shell (SSH) This document describes a method for invoking and running the Network Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as an SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK] The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Network Configuration Access Control Model The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. The IETF XML Registry This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] Informative References YANG Tree Diagrams This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language. A Common YANG Data Model for Attachment Circuits Orange Juniper Telefonica Nokia Huawei Technologies The document specifies a common Attachment Circuits (ACs) YANG module, which is designed with the intent to be reusable by other models. For example, this common model can be reused by service models to expose ACs as a service, service models that require binding a service to a set of ACs, network and device models to provision ACs, etc. A YANG Network Data Model for Service Attachment Points (SAPs) This document defines a YANG data model for representing an abstract view of the provider network topology that contains the points from which its services can be attached (e.g., basic connectivity, VPN, network slices). Also, the model can be used to retrieve the points where the services are actually being delivered to customers (including peer networks). This document augments the 'ietf-network' data model defined in RFC 8345 by adding the concept of Service Attachment Points (SAPs). The SAPs are the network reference points to which network services, such as Layer 3 Virtual Private Network (L3VPN) or Layer 2 Virtual Private Network (L2VPN), can be attached. One or multiple services can be bound to the same SAP. Both User-to-Network Interface (UNI) and Network-to-Network Interface (NNI) are supported in the SAP data model. Service Function Chaining (SFC) Architecture This document describes an architecture for the specification, creation, and ongoing maintenance of Service Function Chains (SFCs) in a network. It includes architectural concepts, principles, and components used in the construction of composite services through deployment of SFCs, with a focus on those to be standardized in the IETF. This document does not propose solutions, protocols, or extensions to existing protocols. BGP/MPLS IP Virtual Private Networks (VPNs) This document describes a method by which a Service Provider may use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a "peer model", in which the customers' edge routers (CE routers) send their routes to the Service Provider's edge routers (PE routers); there is no "overlay" visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone, so that the core routers do not need to know the VPN routes. [STANDARDS-TRACK] A YANG Data Model for the RFC 9543 Network Slice Service Huawei Technologies Huawei Technologies Ciena Cisco Systems, Inc Cisco Systems, Inc This document defines a YANG data model for RFC 9543 Network Slice Service. The model can be used in the Network Slice Service interface between a customer and a provider that offers RFC 9543 Network Slice Services. Guidelines for Authors and Reviewers of Documents Containing YANG Data Models YumaWorks Orange Huawei This memo provides guidelines for authors and reviewers of specifications containing YANG modules, including IANA-maintained modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 8407. Also, this document updates RFC 8126 by providing additional guidelines for writing the IANA considerations for RFCs that specify IANA-maintained modules. Framework for Layer 2 Virtual Private Networks (L2VPNs) This document provides a framework for Layer 2 Provider Provisioned Virtual Private Networks (L2VPNs). This framework is intended to aid in standardizing protocols and mechanisms to support interoperable L2VPNs. This memo provides information for the Internet community.

Examples

A Service AC Reference within The VPN Network Access Let us consider the example depicted in which is inspired from . Each PE is servicing two CEs. Let us also assume that the service references to identify attachment circuits with these CEs are shown in the figure.

VPWS Topology Example As shown in , the service AC references can be explicitly indicated in the L2NM query for the realization of the Virtual Private Wire Service (VPWS) ).

Example of VPWS Creation with AC Service References

Network and Service AC References Let us consider the example depicted in with two customer terminating points (CE1 and CE2). Let us also assume that the bearers to attach these CEs to the service provider network are already in place. References to identify these bearers are shown in the figure.

Topology Example The AC service model can be used by the provider to manage and expose the ACs over existing bearers as shown in .

ACs Created Using ACaaS Let us now consider that the customer wants to request a VPLS instance between the sites as shown in .

Example of VPLS To that aim, existing ACs are referenced during the creation of the VPLS instance using the L2NM and the "ietf-ac-glue" as shown in .

Example of a VPLS Request Using L2NM and AC Glue (Message Body) Note that before implementing the VPLS instance creation request, the provider service orchestrator may first check if the VPLS service can be provided to the customer using the target delivery locations. The orchestrator uses the SAP model as exemplified in . This example assumes that the query concerns only PE1. A similar query can be issued for PE2.

Example of SAP Response (Message Body) The response in indicates that the VPLS service can be delivered to CE1. can be also used to access AC-related details that are bound to the target SAP ().

Example of AC Network Response with SAP (Message Body) The provisioned AC at PE1 can be retrieved using the AC network model as depicted in .

Example of AC Network Response (Message Body)

Acknowledgments Thanks to Bo Wu and Qin Wu for the review and comments. Thanks to Martin Björklund for the yangdoctors review and Gyan Mishra for the rtg-dir review. Thanks to Mahesh Jethanandani for the AD review.