Operations and Management Area Working Group                      Q. Sun
Internet-Draft                                                     H. Xu
Intended status: Standards Track                           China Telecom
Expires: January 4, 2020                                      B. Wu, Ed.
                                                              Q. Wu, Ed.
                                                                  Huawei
                                                           C. Eckel, Ed.
                                                           Cisco Systems
                                                            July 3, 2019


            A YANG Data Model for SD-WAN Service Delivery
               draft-sun-opsawg-sdwan-service-model-04

Abstract

   This document provides a YANG data model for an SD-WAN service.  An
   SD-WAN service is a connectivity service offered by a service
   provider network to provide connectivity across different locations
   of a customer network or between a customer network and an external
   network, such as the Internet or a private/public cloud network.
   This connectivity is provided as an overlay constructed using one or
   more underlay networks.  The model can be used by a service
   orchestrator of a service provider to request, configure, and manage
   the components of an SD-WAN service.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Definitions
   2.  High Level Overview of SD-WAN Service
   3.  Service Data Model Usage
   4.  Design of the Data Model
     4.1.  SD-WAN connectivity service
       4.1.1.  VPNs
       4.1.2.  Sites
     4.2.  Application based Policy Service
   5.  Modules Tree Structure
   6.  YANG Modules
   7.  Security Considerations
   8.  IANA Considerations
   9.  Appendix 1: Terminology Mapping between MEF SD-WAN Service
       Attributes and IETF SD-WAN model
   10. Appendix 2: IETF OSE model vs IETF SD-WAN model
   11. Acknowledgments
   12. Contributors
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Authors' Addresses

1.  Introduction

   An SD-WAN service is a connectivity service offered by a service
   provider network to provide connectivity across different locations
   of a customer network or between a customer network and an external
   network.  Compared to a conventional PE-based connectivity service as
   defined in the Layer 3 VPN Service Model [RFC8299] and the Layer 2
   VPN Service Model [RFC8466], an SD-WAN service is a CE-based
   connectivity service that uses the Internet or PE-based connectivity
   services as underlay connectivity services.  More specifically, an
   SD-WAN service is an overlay connectivity service that provides the
   flexibility of adding, removing, or moving services without needing
   to change the underlay networks.

   Besides being an overlay service, an SD-WAN service has the following
   characteristics:

   o  Hybrid WAN access: The CE can connect to a variety of Internet
      access technologies, including fiber, cable, DSL, WiFi, or 4G/Long
      Term Evolution (LTE), which implies wider reachability and shorter
      provisioning cycles.  It can also use private VPN connectivity
      services defined in [RFC4364] and [RFC4664], or Operator Ethernet
      Services as defined in [MEF51.1], to take advantage of better
      performance.

   o  Application based traffic forwarding: There are diverse
      applications used in enterprises, such as VoIP calling, video
      conferencing, streaming media, etc.  Application traffic across
      the WAN is forwarded based on business priorities, SLA
      requirements, or other enterprise requirements.

   o  Centralized service management: Subscribers of the service need to
      be provided a single point (such as a web portal) from which to
      dynamically add or modify services, such as configuring
      application policies, adding new sites, or adding new underlay
      connectivity services.

   This draft specifies the SD-WAN service YANG model, which is modelled
   from a customer perspective.
   The model parameters can be used as an input to automated control and
   configuration applications to manage SD-WAN services.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2.  Definitions

   CE Device: Customer Edge Device, as per Provider Provisioned VPN
   Terminology [RFC4026].

   CE-based VPN: Refers to Provider Provisioned VPN Terminology
   [RFC4026].

   PE Device: Provider Edge Device, as per Provider Provisioned VPN
   Terminology [RFC4026].

   PE-Based VPNs: Refers to Provider Provisioned VPN Terminology
   [RFC4026].

   SD-WAN: An automated, programmatic approach to managing enterprise
   network connectivity and circuit usage.  It extends software-defined
   networking (SDN) into an application that businesses can use to
   quickly create a hybrid WAN, which comprises business-grade IP VPN,
   broadband Internet, and wireless services, or multiple WANs of the
   same or different types.  SD-WAN can also be regarded as an extended
   CE-based VPN.

   SD-WAN Controller: Refers to the abstract entity that combines the
   Control Plane (CP) and Management Plane (MP) defined in SDN: Layers
   and Architecture Terminology [RFC7426] to configure, manage and
   control the CEs and other corresponding SD-WAN components.

   Underlay network: A network that provides connectivity across SD-WAN
   sites and over which customer network packets are tunnelled.  An
   underlay network does not need to be aware that it is carrying
   overlay customer network packets.  Addresses on an underlay network
   appear as "outer addresses" in encapsulated overlay packets.  In
   general, an underlay network can use a completely different protocol
   (and address family) from that of the overlay network.

   Overlay network: A virtual network in which the separation of
   customer networks is hidden from the underlying physical
   infrastructure.  That is, the underlying transport networks do not
   need to know about customer separation to correctly forward traffic.
   IPsec tunnels [RFC6071] are an example of an L3 overlay network.

2.  High Level Overview of SD-WAN Service

   From a customer perspective, an example of an SD-WAN service network
   is shown in figure 1.

                      +-----------------+
                      | site 3          |
                      |      +---+      |
                      |      |CN |      |
                      |      +-+-+      |
                      |        |        |
 +------------+       |     +--+--+     |
 | Controller +-------+-----+CE 4 |     |
 +------------+       |     +--+--+     |
                      +--------+--------+
                               |
 +---------------+             |                +-----------------+
 | site 2        |             |                | site 1          |
 |               |        -----+-----           |                 |
 |  +---+  +-----+       /   MPLS    \          |      +------+   |
 |  |CN +--+CE 3 +------+    WAN      +---------+------+ CE 1 +-+ |
 |  +---+  +-----+       \           /          |      +------+ | |
 |               |        -----------           | +---+         | |
 |               |                              | |CN +---------+ |
 |               |        -----------           | +---+         | |
 |               |       /           \          |      +------+ | |
 |               +------+  Internet   +---------+------+ CE 2 +-+ |
 |               |       \    WAN    /          |      +------+   |
 +---------------+        -----+-----           +-----------------+
                               |
                      +--------+--------+
                      |     +--+--+     |
                      |     | CE5 |     |
                      |     +--+--+     |
                      |        |        |
                      |      +-+-+      |
                      |      |CN |      |
                      |      +---+      |
                      | site 4          |
                      +-----------------+

                      Legend: CN = Customer Network

                     figure 1 SD-WAN network example

   As shown in figure 1, the SD-WAN network consists of a number of
   sites, which are connected through the Internet or an MPLS VPN.

   Within each site, a CE is connected to the customer's network on one
   side, and to the Internet, to a private WAN, or to both on the other
   side.  The customer network could be an L2 or L3 network.  On the WAN
   side, the Internet provides ubiquitous IP connectivity via access
   networks such as broadband or LTE access, while an MPLS WAN, like a
   conventional VPN, provides secure and committed connectivity.  The
   boundary between the customer and the service provider lies between
   the customer node and the CE device.

   Additionally, a site could deploy one or more CEs to improve
   availability.

   The controller is a centralized entity that manages all the CEs
   involved in the SD-WAN.  The controller could provide bootstrapping
   of the CEs, ongoing CE configuration, and establishment of secured
   tunnels between CEs to support the SD-WAN service and application
   policy enforcement.  Various IP tunnelling options (e.g., GRE
   [RFC2784] and IPsec [RFC6071]) could be used depending on whether
   traffic from the site crosses an underlying private VPN or the public
   Internet; the specific definition is out of scope of this document.

   Besides basic connectivity between the sites, the SD-WAN service
   could be extended by providing direct Internet connectivity, cloud
   network connectivity, or conventional MPLS VPN interoperability.

3.  Service Data Model Usage

   The SD-WAN service model provides an abstracted interface to request,
   configure, and manage the components of an SD-WAN service.

   A typical usage for this model is as an input to a service
   orchestrator that is responsible for service management.  Based on
   the user's service request, the service orchestrator can instruct the
   SD-WAN controller to add a new site, VPN or application policy in
   real time.  The orchestrator could also orchestrate other networks,
   such as a legacy MPLS VPN network, to interconnect with the SD-WAN
   network; for those networks the Layer 2 VPN Service Model [RFC8466]
   or the Layer 3 VPN Service Model [RFC8299] could be used.

             ------------------------------
             | Customer Service Requester |
             ------------------------------
                            |
                  SD-WAN    |
                  Service   |
                  Model     |
                            |
                -------------------------
                |  Service Orchestrator |
                ----------+--------------+
                          |              |
                ----------+----------  ---+---
                | SD-WAN Controller |  | NMS |
                ----*-----------*----  ---*---
                   /             \      /
                  /               \    /
                 /                 \  /
                /                   \/
               /                     X
              /                     / \
             /                     /   \
     ++++++++              -------/     ++++++++
     + CE A +-------------/  MPLS \-----+ CE B +
     ++++++++             \  VPN  /     ++++++++
        |                  -------         |
        |                 --------         |
        |                /        \        |
        +---------------+ Internet +-------+
      Site A             \        /    Site B
                          --------

         Reference Architecture for SD-WAN Service Model Usage

   For an SD-WAN to be established under the SP's control, the customer
   informs the Service Provider of which sites should become part of the
   requested service and what types of policy will be provided.  The SP
   then configures and updates the service based on the service model
   and the available resources derived from the SD-WAN controller, and
   provisions and manages the customer's service through the SD-WAN
   controller.  How the SD-WAN controller controls and manages the CEs
   is out of scope of this document.

4.  Design of the Data Model

   An SD-WAN service consists of two service components:

   1.  SD-WAN connectivity service
   2.  SD-WAN application policy service

4.1.  SD-WAN connectivity service

   The SD-WAN connectivity service is the basic component of the SD-WAN
   service that represents a virtual connection between two or more
   customer sites.  In this model, each virtual connection is defined as
   a VPN.  Each customer can have one or more VPNs, and each VPN can be
   established between a subset of sites.  The association of sites and
   VPNs is modelled by VPN endpoints.

4.1.1.  VPNs

   The "sdwan-vpn" list item contains service parameters that apply to
   an SD-WAN VPN.
   These parameters are specified as follows:

   o  The "vpn-id" leaf is under the vpn-service list, and provides a
      unique ID for a VPN.

   o  The "endpoints" list is under the vpn-service list.  Each
      "endpoint" is a logical point associated with a site.  The two
      main functions of the endpoint are the association of a VPN with a
      site and per-site application based policy enforcement.

   o  The "topology" leaf is under the vpn-service list, and refers to a
      specific topology of the VPN service.  Different VPN connection
      topologies can be used.  For a VPN with a few sites, simple
      topologies such as hub-and-spoke or full-mesh can be used.  For a
      large VPN, a hierarchical topology may be used.

   o  The "performance-objectives" container specifies the performance-
      related properties of an SD-WAN VPN that can be measured.  System
      uptime is the only performance objective defined currently.  It
      indicates the proportion of time, during a given time period, that
      the service is working from the customer perspective.  Three
      parameters are defined: the start time of the evaluation, the time
      interval of the evaluation, and the service uptime expressed as a
      percentage.

   o  The "reserved-prefixes" container specifies the IP prefixes that
      need to be reserved for Service Provider management purposes, such
      as diagnostics, so as to ensure they do not overlap with IP
      prefixes used by the customer network.

                          ------
                         / MPLS \
                        |  VPN   |
  +----------------+     \      /          +----------------+
  |          ---   |      ---+--     VPN1  |   ---          |
--+         |EP1+--+---------+----------+--+EP1|         +--
  |          ---   |         |             |   ---          |
  |          ---   |         |       VPN2  |   ---          |
--+         |EP2+--+---------+----------+--+EP2|         +--
  |          ---   |         |             |   ---          |
  |  Site 1        |         |             |        Site 2  |
  +----------------+      ---+--           +----------------+
                         /      \
                        |Internet|
                         \      /
                          ------

                        figure 3 SD-WAN VPN example
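   As an added example (not part of the draft), the following Python
   checks a VPN instance against the section 4.1.1 parameters described
   above: "reserved-prefixes" must not overlap any customer LAN prefix
   of an attached site, each endpoint's "site-role" must fit the VPN
   "topology" (using the identities the YANG module defines), and the
   uptime objective must be a percentage.  The site names, prefixes and
   identifiers are constructed for the example, and the instance is a
   simplified dictionary rendering of the tree in Section 5.

```python
"""Added example (not from the draft): consistency checks on an SD-WAN VPN
service instance built from the section 4.1.1 parameters.

Checks performed:
  * "reserved-prefixes" must not overlap any customer LAN prefix of a site
    attached to the VPN (section 4.1.1, "reserved-prefixes" container);
  * "site-role" of each endpoint must fit the VPN "topology": hub-spoke
    needs hub/spoke roles and at least one hub, any-to-any needs
    any-to-any-role (identities from the YANG module);
  * the uptime objective is a percentage, 0 < uptime <= 100.
Site names, prefixes and identifiers below are constructed for the example.
"""
import ipaddress

# Allowed site-role identities per vpn-topology identity (from the module).
ROLES_FOR_TOPOLOGY = {
    "hub-spoke": {"hub", "spoke"},
    "any-to-any": {"any-to-any-role"},
}


def validate_vpn(vpn: dict, sites: dict) -> list:
    """Return a list of problem strings; an empty list means consistent."""
    problems = []
    topology = vpn.get("topology")
    allowed = ROLES_FOR_TOPOLOGY.get(topology)
    if allowed is None:
        problems.append(f"unknown topology {topology!r}")
    roles = []
    lan_prefixes = []          # (site-id, network) for every attached LAN
    for ep in vpn.get("endpoints", []):
        site_id = ep["site-attachment"]["site-id"]
        if site_id not in sites:
            problems.append(f"endpoint {ep['endpoint-id']}: site {site_id} does not exist")
            continue
        role = ep.get("site-role")
        roles.append(role)
        if allowed is not None and role not in allowed:
            problems.append(f"endpoint {ep['endpoint-id']}: role {role!r} invalid for {topology}")
        for lan in sites[site_id].get("lan-access", []):
            lan_prefixes.append((site_id, ipaddress.ip_network(lan["ip-prefix"], strict=False)))
    if topology == "hub-spoke" and roles and "hub" not in roles:
        problems.append("hub-spoke topology has no hub endpoint")
    # Provider-reserved prefixes (diagnostics etc.) must stay clear of LANs.
    for raw in vpn.get("reserved-prefixes", []):
        reserved = ipaddress.ip_network(raw, strict=False)
        for site_id, lan in lan_prefixes:
            if reserved.version == lan.version and reserved.overlaps(lan):
                problems.append(f"reserved prefix {reserved} overlaps LAN {lan} at site {site_id}")
    # uptime-objective/duration is the uptime percentage in the tree.
    uptime = vpn.get("performance-objective", {}).get("uptime-objective", {}).get("duration")
    if uptime is not None and not 0 < uptime <= 100:
        problems.append(f"uptime objective {uptime} is not a percentage")
    return problems


# Constructed sites: site-id -> lan-access entries with their IPv4 prefix.
SITES = {
    "site-1": {"lan-access": [{"name": "lan1", "ip-prefix": "192.0.2.0/24"}]},
    "site-2": {"lan-access": [{"name": "lan1", "ip-prefix": "198.51.100.0/24"}]},
}

# Constructed VPN instance: hub-spoke with no hub, and a reserved prefix
# that collides with site-1's LAN.
VPN_BAD = {
    "vpn-id": "vpn-1", "topology": "hub-spoke",
    "performance-objective": {"uptime-objective": {"duration": 99.9}},
    "reserved-prefixes": ["192.0.2.128/25", "10.255.0.0/24"],
    "endpoints": [
        {"endpoint-id": "ep-1", "site-role": "spoke", "site-attachment": {"site-id": "site-1"}},
        {"endpoint-id": "ep-2", "site-role": "spoke", "site-attachment": {"site-id": "site-2"}},
    ],
}

if __name__ == "__main__":
    for problem in validate_vpn(VPN_BAD, SITES):
        print("-", problem)
```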
4.1.2.  Sites

   A site represents a customer office located at a specific geographic
   location.  The "sites" container specifies the following parameters:

   o  "site-id": uniquely identifies the site within the overall network
      infrastructure.

   o  "device": specifies the device type (physical or virtual device)
      and the number of devices.

   o  "lan-accesses": specifies the customer network access link
      parameters.  A "site" is composed of at least one "lan-access"
      where one or more subnets can reside.  The "lan-access" consists
      of the following categories of parameters:

      *  "bearer": defines requirements of the attachment (below Layer
         3), including the bearer type (Ethernet, etc.).

      *  IP Connection: defines Layer 3 parameters of the attachment,
         including IPv4 connection parameters and IPv6 connection
         parameters.

   o  "wan-accesses": specifies the WAN access link parameters.  A
      "site" is composed of at least one "wan-access".  The WAN access
      can be further specified by access type, service provider name,
      and bandwidth of the WAN connectivity.  The "wan-access" consists
      of the following categories of parameters:

      *  "access-type": specifies whether the access is Broadband
         Internet, Wireless Internet or a private circuit.

      *  "access-provider": specifies the service provider name.

      *  "bandwidth": specifies the WAN link bandwidth, including input
         and output bandwidth.

      *  "bearer": defines requirements of the attachment (below Layer
         3), including the bearer type (Ethernet, etc.).

      *  IP Connection: defines Layer 3 parameters of the attachment,
         including IPv4 connection parameters and IPv6 connection
         parameters.

        +---------------------------------+
        |              site               |
        |   |      |      |      |        |
        |   |      |      |      |        |
        |  LAN1   LAN2   LAN3   LAN4      |
        |   +--------+    +--------+      |
        |   |        |    |        |      |
        |   |Device 1|    |Device 2|      |
        |   +---+----+    +----+---+      |
        |   WAN1|  WAN2   WAN3 |WAN4      |
        |       |     \  /     |          |
        |       |      \/      |          |
        +-------+------X-------+----------+
                |     / \      |
                |    /   \     |
             ---+-- /     \ ---+--
            /      \      /      \
           |MPLS VPN|    |Internet|
            \      /      \      /
             ------        ------

                          figure 4 Site example

4.2.  Application based Policy Service

   The connectivity service establishes a virtual connection for the
   enterprise network, and the Application based Policy Service is
   designed to ensure the experience of business-critical and real-time
   applications while also ensuring compliance with security and
   corporate policies.

   Typically, application policies common to each VPN can be defined and
   then enforced when traffic from a customer's network at a particular
   site is sent over the WAN.

   The application policy assignment is defined under the VPN endpoint
   container to specify the mapping of application flow names or
   application group names to their associated policy list names.  If an
   application flow and the application flow group in which the
   application flow is a member are both assigned a policy at a VPN
   endpoint, the policy assigned to the application flow supersedes the
   group policy.

   The application policy per VPN consists of three lists under the VPN
   container:

   o  application flow list: Describes the characteristics of an
      enterprise application and is used to identify applications, e.g.,
      based on layer 3 source and destination addresses, layer 4 ports,
      layer 4 protocol, etc.

   o  application group list: Describes application flow aggregation,
      which is used to deliver aggregation policies, such as bandwidth
      restrictions for a group of applications.

   o  policy list: Defines the application's policy set.
      Since an SD-WAN has more than one WAN connection and various
      encrypted or unencrypted overlay tunnels, there could be multiple
      tunnel or link selection combinations.  In this model, different
      path selection policies are combined to meet different needs based
      on application SLA, security, cost, and so on.  For example, when
      different applications in a branch need to pass over the WAN,
      according to the application-aware policy requirements and the IP
      forwarding table, the Internet application or the SaaS application
      can be accessed through the Internet, while the data center FTP
      application can use the Internet encrypted tunnel as the primary
      path, and that tunnel could be restricted to broadband Internet
      instead of wireless Internet.  This policy combination is not an
      exhaustive list and could be augmented according to business
      needs.

   An example of a classification of application flows is as follows:

      The HTTP traffic from the 192.0.2.0/24 LAN destined for port 80
      will be classified in app-id 1.

      The FTP traffic from the 192.0.2.0/24 LAN destined for
      203.0.113.1/32 will be classified in app-id 2.

   An example of a policy list is as follows:

      "policy": [
        {
          "policy-id": "pol-a",
          "policy-package": {
            "encryption": "false",
            "internet-breakout": "true",
            "public-private": "public",
            "billing-method": "flat-only",
            "backup": "false",
            "bandwidth": {"commit": "20", "max": "50"}
          }
        },
        {
          "policy-id": "pol-b",
          "policy-package": {
            "encryption": "true",
            "internet-breakout": "false",
            "public-private": "public",
            "billing-method": "flat-only",
            "backup": "false",
            "bandwidth": {"commit": "50"}
          }
        }
      ]

   An example of an application policy list is as follows:

      "app-policy": [
        {
          "app-id": "1",
          "policy-id": "pol-a"
        },
        {
          "app-id": "2",
          "policy-id": "pol-b"
        }
      ]
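   As an added example (not code from the draft), the following Python
   implements the classification and policy resolution described above:
   flows are matched against the "match-flow" fields of the application
   list, using the two app-ids from the classification example, and the
   endpoint policy map applies the rule that an application's own policy
   supersedes the policy of its application group.  The group "grp-a",
   the endpoint "ep-1" and the sample flows are constructed here.

```python
"""Added example (not from the draft): classify application flows with the
draft's match-flow fields and resolve the effective policy at a VPN endpoint.

Implements two rules from section 4.2:
  * an application flow is identified by L3 prefixes, L4 ports and protocol;
  * when both the flow and its application group carry a policy at an
    endpoint, the flow's own policy supersedes the group policy.
app-id "1"/"2" and "pol-a"/"pol-b" follow the draft's examples; the group
"grp-a", the endpoint "ep-1" and the sample flows are constructed here.
"""
import ipaddress
from typing import Optional

# "application" list: each app has "ac" entries carrying match-flow fields.
# A missing field means "not constrained", mirroring the optional YANG leaves.
APPLICATIONS = {
    "1": [{"name": "http-from-lan", "ipv4-src-prefix": "192.0.2.0/24",
           "l4-dst-port": 80, "protocol-field": "tcp"}],
    "2": [{"name": "ftp-to-dc", "ipv4-src-prefix": "192.0.2.0/24",
           "ipv4-dst-prefix": "203.0.113.1/32", "l4-dst-port": 21,
           "protocol-field": "tcp"}],
}
# "application-group" list: app-id leafrefs into APPLICATIONS (constructed).
APPLICATION_GROUPS = {"grp-a": ["1", "2"]}
# "policy" list keyed by policy-id, bodies as in the draft's policy example.
POLICIES = {
    "pol-a": {"encryption": False, "internet-breakout": True,
              "bandwidth": {"commit": 20, "max": 50}},
    "pol-b": {"encryption": True, "internet-breakout": False,
              "bandwidth": {"commit": 50}},
}
# "endpoint-policy-map" of one endpoint: a group mapping plus one override.
ENDPOINT_POLICY_MAP = {
    "ep-1": {"app-group-policy": {"grp-a": "pol-b"},
             "app-policy": {"1": "pol-a"}},
}


def _match_ac(ac: dict, flow: dict) -> bool:
    """True if every constrained match-flow field of `ac` matches `flow`."""
    if ac.get("protocol-field") and ac["protocol-field"] != flow["protocol"]:
        return False
    for key, fld in (("ipv4-src-prefix", "src"), ("ipv4-dst-prefix", "dst")):
        if ac.get(key):
            net = ipaddress.ip_network(ac[key], strict=False)
            if ipaddress.ip_address(flow[fld]) not in net:
                return False
    for key, fld in (("l4-src-port", "sport"), ("l4-dst-port", "dport")):
        if ac.get(key) is not None and ac[key] != flow[fld]:
            return False
    return True


def classify(flow: dict) -> Optional[str]:
    """Return the app-id whose match-flow matches the flow, or None.
    The entry constraining the most fields wins when several match."""
    best, best_score = None, -1
    for app_id, acs in APPLICATIONS.items():
        for ac in acs:
            score = sum(1 for k in ac if k != "name")
            if _match_ac(ac, flow) and score > best_score:
                best, best_score = app_id, score
    return best


def effective_policy(endpoint_id: str, app_id: str) -> Optional[str]:
    """Resolve the policy-id for app_id at the endpoint: the app-policy
    entry supersedes the app-group-policy of any group the app is in."""
    pmap = ENDPOINT_POLICY_MAP[endpoint_id]
    if app_id in pmap["app-policy"]:
        return pmap["app-policy"][app_id]
    for group_id, members in APPLICATION_GROUPS.items():
        if app_id in members and group_id in pmap["app-group-policy"]:
            return pmap["app-group-policy"][group_id]
    return None


def resolve(endpoint_id: str, flow: dict) -> Optional[dict]:
    """Classify the flow and return the policy-package it should receive."""
    app_id = classify(flow)
    pol_id = effective_policy(endpoint_id, app_id) if app_id else None
    return POLICIES.get(pol_id) if pol_id else None


if __name__ == "__main__":
    # Constructed sample flows leaving the 192.0.2.0/24 LAN.
    http = {"src": "192.0.2.10", "dst": "198.51.100.5",
            "sport": 40000, "dport": 80, "protocol": "tcp"}
    ftp = {"src": "192.0.2.10", "dst": "203.0.113.1",
           "sport": 40001, "dport": 21, "protocol": "tcp"}
    print(classify(http), resolve("ep-1", http))  # app 1 -> pol-a (override)
    print(classify(ftp), resolve("ep-1", ftp))    # app 2 -> pol-b (group)
```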
5.  Modules Tree Structure

   This document defines an SD-WAN service YANG data model.

   module: ietf-sdwan-svc
     +--rw sdwan-svc
        +--rw vpn-services
        |  +--rw vpn-service* [vpn-id]
        |     +--rw vpn-id                   svc-id
        |     +--rw topology?                identityref
        |     +--rw performance-objective
        |     |  +--rw start-time?   yang:date-and-time
        |     |  +--rw duration?     string
        |     |  +--rw uptime-objective
        |     |     +--rw duration?   decimal64
        |     +--rw reserved-prefixes
        |     |  +--rw prefix*   inet:ip-prefix
        |     +--rw application* [app-id]
        |     |  +--rw app-id    svc-id
        |     |  +--rw ac* [name]
        |     |     +--rw name             string
        |     |     +--rw (match-type)?
        |     |        +--:(match-flow)
        |     |        |  +--rw match-flow
        |     |        |     +--rw ethertype?         uint16
        |     |        |     +--rw cvlan?             uint8
        |     |        |     +--rw ipv4-src-prefix?   inet:ipv4-prefix
        |     |        |     +--rw ipv4-dst-prefix?   inet:ipv4-prefix
        |     |        |     +--rw l4-src-port?       inet:port-number
        |     |        |     +--rw l4-dst-port?       inet:port-number
        |     |        |     +--rw ipv6-src-prefix?   inet:ipv6-prefix
        |     |        |     +--rw ipv6-dst-prefix?   inet:ipv6-prefix
        |     |        |     +--rw protocol-field?    union
        |     |        +--:(match-application)
        |     |           +--rw match-application?   identityref
        |     +--rw application-group* [app-group-id]
        |     |  +--rw app-group-id    svc-id
        |     |  +--rw app-id*         -> ../../application/app-id
        |     +--rw policy* [policy-id]
        |     |  +--rw policy-id         svc-id
        |     |  +--rw policy-package
        |     |     +--rw encryption?       enumeration
        |     |     +--rw public-private?   enumeration
        |     |     +--rw local-breakout?   boolean
        |     |     +--rw billing-method?   enumeration
        |     |     +--rw backup-path?      enumeration
        |     |     +--rw bandwidth
        |     |        +--rw commit?   uint32
        |     |        +--rw max?      uint32
        |     +--rw endpoints* [endpoint-id]
        |        +--rw endpoint-id            svc-id
        |        +--rw site-role?             identityref
        |        +--rw site-attachment
        |        |  +--rw site-id?   -> /sdwan-svc/sites/site/site-id
        |        +--rw endpoint-policy-map
        |           +--rw app-group-policy* [app-group-id]
        |           |  +--rw app-group-id    leafref
        |           |  +--rw policy-id?      leafref
        |           +--rw app-policy* [app-id]
        |              +--rw app-id       leafref
        |              +--rw policy-id?   leafref
        +--rw sites
           +--rw site* [site-id]
              +--rw site-id        svc-id
              +--rw device* [name]
              |  +--rw name    string
              |  +--rw type?   identityref
              +--rw lan-access* [name]
              |  +--rw name             string
              |  +--rw l2-technology
              |  |  +--rw l2-type?              identityref
              |  |  +--rw untagged-interface
              |  |  |  +--rw speed?   uint32
              |  |  |  +--rw mode?    neg-mode
              |  |  +--rw tagged-interface
              |  |  |  +--rw type?                identityref
              |  |  |  +--rw dot1q-vlan-tagged
              |  |  |  |  +--rw tg-type?    identityref
              |  |  |  |  +--rw cvlan-id    uint16
              |  |  |  +--rw priority-tagged
              |  |  |     +--rw tag-type?   identityref
              |  |  +--rw l2-mtu?               uint32
              |  +--rw ip-connection
              |     +--rw ipv4
              |     |  +--rw address-allocation-type?   identityref
              |     |  +--rw dhcp
              |     |  |  +--rw primary-subnet
              |     |  |  |  +--rw ip-prefix?            inet:ipv4-prefix
              |     |  |  |  +--rw default-router?       inet:ip-address
              |     |  |  |  +--rw provider-addresses*   inet:ipv4-address
              |     |  |  |  +--rw subscriber-address?   inet:ip-address
              |     |  |  |  +--rw reserved-ip-prefix*   inet:ip-prefix
              |     |  |  +--rw secondary-subnet* [ip-prefix]
              |     |  |     +--rw ip-prefix             inet:ipv4-prefix
              |     |  |     +--rw provider-addresses*   inet:ipv4-address
              |     |  |     +--rw reserved-ip-prefix*   inet:ipv4-prefix
              |     |  +--rw static
              |     |     +--rw primary-subnet
              |     |     |  +--rw ip-prefix?            inet:ipv4-prefix
              |     |     |  +--rw default-router?       inet:ip-address
              |     |     |  +--rw provider-addresses*   inet:ipv4-address
              |     |     |  +--rw subscriber-address?   inet:ip-address
              |     |     |  +--rw reserved-ip-prefix*   inet:ip-prefix
              |     |     +--rw secondary-subnet* [ip-prefix]
              |     |        +--rw ip-prefix             inet:ipv4-prefix
              |     |        +--rw provider-addresses*   inet:ipv4-address
              |     |        +--rw reserved-ip-prefix*   inet:ipv4-prefix
              |     +--rw ipv6
              |        +--rw address-allocation-type?   identityref
              |        +--rw dhcp
              |        |  +--rw subnet* [ip-prefix]
              |        |     +--rw ip-prefix             inet:ipv6-prefix
              |        |     +--rw provider-addresses*   inet:ipv6-address
              |        |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
              |        +--rw slaac
              |        |  +--rw subnet* [ip-prefix]
              |        |     +--rw ip-prefix             inet:ipv6-prefix
              |        |     +--rw provider-addresses*   inet:ipv6-address
              |        |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
              |        +--rw static
              |        |  +--rw subnet* [ip-prefix]
              |        |     +--rw ip-prefix             inet:ipv6-prefix
              |        |     +--rw provider-addresses*   inet:ipv6-address
              |        |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
              |        +--rw subscriber-address?        inet:ipv6-address
              +--rw wan-access* [name]
                 +--rw name               string
                 +--rw access-type?       identityref
                 +--rw access-provider?   string
                 +--rw bandwidth
                 |  +--rw input-bandwidth?    uint64
                 |  +--rw output-bandwidth?   uint64
                 +--rw l2-technology
                 |  +--rw l2-type?              identityref
                 |  +--rw untagged-interface
                 |  |  +--rw speed?   uint32
                 |  |  +--rw mode?    neg-mode
                 |  +--rw tagged-interface
                 |  |  +--rw type?                identityref
                 |  |  +--rw dot1q-vlan-tagged
                 |  |  |  +--rw tg-type?    identityref
                 |  |  |  +--rw cvlan-id    uint16
                 |  |  +--rw priority-tagged
                 |  |     +--rw tag-type?   identityref
                 |  +--rw l2-mtu?               uint32
                 +--rw ip-connection
                    +--rw ipv4
                    |  +--rw address-allocation-type?   identityref
                    |  +--rw dhcp
                    |  |  +--rw primary-subnet
                    |  |  |  +--rw ip-prefix?            inet:ipv4-prefix
                    |  |  |  +--rw default-router?       inet:ip-address
                    |  |  |  +--rw provider-addresses*   inet:ipv4-address
                    |  |  |  +--rw subscriber-address?   inet:ip-address
                    |  |  |  +--rw reserved-ip-prefix*   inet:ip-prefix
                    |  |  +--rw secondary-subnet* [ip-prefix]
                    |  |     +--rw ip-prefix             inet:ipv4-prefix
                    |  |     +--rw provider-addresses*   inet:ipv4-address
                    |  |     +--rw reserved-ip-prefix*   inet:ipv4-prefix
                    |  +--rw static
                    |     +--rw primary-subnet
                    |     |  +--rw ip-prefix?            inet:ipv4-prefix
                    |     |  +--rw default-router?       inet:ip-address
                    |     |  +--rw provider-addresses*   inet:ipv4-address
                    |     |  +--rw subscriber-address?   inet:ip-address
                    |     |  +--rw reserved-ip-prefix*   inet:ip-prefix
                    |     +--rw secondary-subnet* [ip-prefix]
                    |        +--rw ip-prefix             inet:ipv4-prefix
                    |        +--rw provider-addresses*   inet:ipv4-address
                    |        +--rw reserved-ip-prefix*   inet:ipv4-prefix
                    +--rw ipv6
                       +--rw address-allocation-type?   identityref
                       +--rw dhcp
                       |  +--rw subnet* [ip-prefix]
                       |     +--rw ip-prefix             inet:ipv6-prefix
                       |     +--rw provider-addresses*   inet:ipv6-address
                       |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
                       +--rw slaac
                       |  +--rw subnet* [ip-prefix]
                       |     +--rw ip-prefix             inet:ipv6-prefix
                       |     +--rw provider-addresses*   inet:ipv6-address
                       |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
                       +--rw static
                       |  +--rw subnet* [ip-prefix]
                       |     +--rw ip-prefix             inet:ipv6-prefix
                       |     +--rw provider-addresses*   inet:ipv6-address
                       |     +--rw reserved-ip-prefix*   inet:ipv6-prefix
                       +--rw subscriber-address?        inet:ipv6-address
6.  YANG Modules

   <CODE BEGINS> file "ietf-sdwan-svc@2019-06-06.yang"

   module ietf-sdwan-svc {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-sdwan-svc";
     prefix sdwan-svc;

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF foo Working Group.";
     contact
       "WG List: foo@ietf.org
        Editor: ";

     description
       "The YANG module defines a generic service configuration
        model for Managed SD-WAN.";

     revision 2019-06-06 {
       description
         "Initial revision";
       reference "A YANG Data Model for SD-WAN service.";
     }

     typedef svc-id {
       type string;
       description
         "Type definition for service identifier";
     }

     typedef address-family {
       type enumeration {
         enum ipv4 {
           description
             "IPv4 address family.";
         }
         enum ipv6 {
           description
             "IPv6 address family.";
         }
       }
       description
         "Defines a type for the address family.";
     }

     typedef neg-mode {
       type enumeration {
         enum full-duplex {
           description
             "Defining Full duplex mode";
         }
         enum auto-neg {
           description
             "Defining Auto negotiation mode";
         }
       }
       description
         "Defining a type of the negotiation mode";
     }

     typedef device-type {
       type enumeration {
         enum physical {
           description
             "Physical device";
         }
         enum virtual {
           description
             "Virtual device";
         }
       }
       description
         "Defines device types.";
     }

     identity device-type {
       description
         "Base identity for device type.";
     }

     identity virtual-ce {
       base device-type;
       description
         "Identity for virtual-ce.";
     }

     identity physical-ce {
       base device-type;
       description
         "Identity for physical-ce.";
     }

     identity customer-application {
       description
         "Base identity for customer application.";
     }

     identity web {
       base customer-application;
       description
         "Identity for Web application (e.g., HTTP, HTTPS).";
     }

     identity mail {
       base customer-application;
       description
         "Identity for mail application.";
     }

     identity file-transfer {
       base customer-application;
       description
         "Identity for file transfer application (e.g., FTP, SFTP).";
     }

     identity database {
       base customer-application;
       description
         "Identity for database application.";
     }

     identity social {
       base customer-application;
       description
         "Identity for social-network application.";
     }

     identity games {
       base customer-application;
       description
         "Identity for gaming application.";
     }

     identity p2p {
       base customer-application;
       description
         "Identity for peer-to-peer application.";
     }

     identity network-management {
       base customer-application;
       description
         "Identity for management application
          (e.g., Telnet, syslog, SNMP).";
     }

     identity voice {
       base customer-application;
       description
         "Identity for voice application.";
     }

     identity video {
       base customer-application;
       description
         "Identity for video conference application.";
     }

     identity eth-inf-type {
       description
         "Identity of the Ethernet interface type.";
     }

     identity tagged {
       base eth-inf-type;
       description
         "Identity of the tagged interface type.";
     }

     identity untagged {
       base eth-inf-type;
       description
         "Identity of the untagged interface type.";
     }

     identity lag {
       base eth-inf-type;
       description
         "Identity of the LAG interface type.";
     }

     identity tag-type {
       description
         "Base identity from which all tag types
          are derived";
     }

     identity c-vlan {
       base tag-type;
       description
         "A Customer-VLAN tag, normally using the 0x8100
          Ethertype";
     }

     identity tagged-inf-type {
       description
         "Identity for the tagged
          interface type.";
     }

     identity dot1q {
       base tagged-inf-type;
       description
         "Identity for dot1q vlan tagged interface.";
     }

     identity priority-tagged {
       base tagged-inf-type;
       description
         "This identity represents the priority-tagged interface.";
     }

     identity vpn-topology {
       description
         "Base identity for vpn topology.";
     }

     identity any-to-any {
       base vpn-topology;
       description
         "Identity for any-to-any VPN topology.";
     }

     identity hub-spoke {
       base vpn-topology;
       description
         "Identity for Hub-and-Spoke VPN topology.";
     }

     identity site-role {
       description
         "Site Role in a VPN topology";
     }

     identity any-to-any-role {
       base site-role;
       description
         "Site in an any-to-any IP VPN.";
     }

     identity hub {
       base site-role;
       description
         "Hub Role in Hub-and-Spoke IP VPN.";
     }

     identity spoke {
       base site-role;
       description
         "Spoke Role in Hub-and-Spoke IP VPN.";
     }

     identity access-type {
       description
         "Access type of a site in a connection to different WAN";
     }

     identity commodity {
       base access-type;
       description
         "Internet access";
     }

     identity cellular {
       base access-type;
       description
         "Refers to a subset of 3G/4G/LTE and 5G";
     }

     identity private {
       base access-type;
       description
         "Refers to private circuits such as Ethernet, T1, etc";
     }

     identity routing-protocol-type {
       description
         "Base identity for routing protocol type.";
     }

     identity ospf {
       base routing-protocol-type;
       description
         "Identity for OSPF protocol type.";
     }

     identity bgp {
       base routing-protocol-type;
       description
         "Identity for BGP protocol type.";
     }

     identity static {
       base routing-protocol-type;
       description
         "Identity for static routing protocol type.";
     }

     identity address-allocation-type {
       description
         "Base identity for address-allocation-type
for PE-CE link."; 1063 } 1064 identity dhcp { 1065 base address-allocation-type; 1066 description 1067 "Provider network provides DHCP service to customer."; 1068 } 1070 identity static-address { 1071 base address-allocation-type; 1072 description 1073 "Provider-to-customer addressing is static."; 1074 } 1076 identity slaac { 1077 base address-allocation-type; 1078 description 1079 "Use IPv6 SLAAC."; 1080 } 1082 identity ll-only { 1083 base address-allocation-type; 1084 description 1085 "Use IPv6 Link Local."; 1086 } 1088 identity traffic-direction { 1089 description 1090 "Base identity for traffic direction"; 1091 } 1093 identity inbound { 1094 base traffic-direction; 1095 description 1096 "Identity for inbound"; 1097 } 1099 identity outbound { 1100 base traffic-direction; 1101 description 1102 "Identity for outbound"; 1103 } 1105 identity both { 1106 base traffic-direction; 1107 description 1108 "Identity for both"; 1109 } 1111 identity traffic-action { 1112 description 1113 "Base identity for traffic action"; 1114 } 1116 identity permit { 1117 base traffic-action; 1118 description 1119 "Identity for permit action"; 1120 } 1122 identity deny { 1123 base traffic-action; 1124 description 1125 "Identity for deny action"; 1126 } 1128 identity bd-limit-type { 1129 description 1130 "base identity for bd limit type"; 1131 } 1133 identity percent { 1134 base bd-limit-type; 1135 description 1136 "Identity for percent"; 1137 } 1139 identity value { 1140 base bd-limit-type; 1141 description 1142 "Identity for value"; 1143 } 1145 identity protocol-type { 1146 description 1147 "Base identity for protocol field type."; 1148 } 1150 identity tcp { 1151 base protocol-type; 1152 description 1153 "TCP protocol type."; 1154 } 1156 identity udp { 1157 base protocol-type; 1158 description 1159 "UDP protocol type."; 1161 } 1163 identity icmp { 1164 base protocol-type; 1165 description 1166 "ICMP protocol type."; 1167 } 1169 identity icmp6 { 1170 base protocol-type; 1171 description 
1172 "ICMPv6 protocol type."; 1173 } 1175 identity gre { 1176 base protocol-type; 1177 description 1178 "GRE protocol type."; 1179 } 1181 identity ipip { 1182 base protocol-type; 1183 description 1184 "IP-in-IP protocol type."; 1185 } 1187 identity hop-by-hop { 1188 base protocol-type; 1189 description 1190 "Hop-by-Hop IPv6 header type."; 1191 } 1193 identity routing { 1194 base protocol-type; 1195 description 1196 "Routing IPv6 header type."; 1197 } 1199 identity esp { 1200 base protocol-type; 1201 description 1202 "ESP header type."; 1203 } 1205 identity ah { 1206 base protocol-type; 1207 description 1208 "AH header type."; 1210 } 1212 grouping vpn-endpoint { 1213 leaf endpoint-id { 1214 type svc-id; 1215 description 1216 "Identity for the vpn endpoint"; 1217 } 1218 leaf site-role { 1219 type identityref { 1220 base site-role; 1221 } 1222 default "any-to-any-role"; 1223 description 1224 "Role of the site in the VPN."; 1225 } 1226 container site-attachment { 1227 leaf site-id { 1228 type leafref { 1229 path "/sdwan-svc/sites/site/site-id"; 1230 } 1231 description 1232 "Defines site id attached."; 1233 } 1234 description 1235 "Defines site attachment to a vpn endpoint."; 1236 } 1237 container endpoint-policy-map { 1238 list app-group-policy { 1239 key "app-group-id"; 1240 leaf app-group-id { 1241 type leafref { 1242 path "/sdwan-svc/vpn-services/vpn-service"+ 1243 "/application-group/app-group-id"; 1244 } 1245 description 1246 "Identity for application"; 1247 } 1248 leaf policy-id { 1249 type leafref { 1250 path "/sdwan-svc/vpn-services/vpn-service/policy/policy-id"; 1251 } 1252 description 1253 "Identity for value"; 1254 } 1255 description 1256 "list for application group policy"; 1257 } 1258 list app-policy { 1259 key "app-id"; 1260 leaf app-id { 1261 type leafref { 1262 path "/sdwan-svc/vpn-services/vpn-service"+ 1263 "/application/app-id"; 1264 } 1265 description 1266 "Identity for application"; 1267 } 1268 leaf policy-id { 1269 type leafref { 1270 path 
"/sdwan-svc/vpn-services/vpn-service/policy/policy-id"; 1271 } 1272 description 1273 "Identity for value"; 1274 } 1275 description 1276 "list for application policy"; 1277 } 1278 description 1279 "Identity for policy maps"; 1280 } 1281 description 1282 "grouping for vpn endpoint"; 1283 } 1285 grouping flow-definition { 1286 container match-flow { 1287 leaf ethertype { 1288 type uint16; 1289 description 1290 "Ethertype value, e.g. 0800 for IPv4."; 1291 } 1292 leaf cvlan { 1293 type uint8 { 1294 range "0..7"; 1295 } 1296 description 1297 "802.1Q matching."; 1298 } 1299 leaf ipv4-src-prefix { 1300 type inet:ipv4-prefix; 1301 description 1302 "Match on IPv4 src address."; 1303 } 1304 leaf ipv4-dst-prefix { 1305 type inet:ipv4-prefix; 1306 description 1307 "Match on IPv4 dst address."; 1308 } 1309 leaf l4-src-port { 1310 type inet:port-number; 1311 description 1312 "Match on Layer 4 src port."; 1313 } 1314 leaf l4-dst-port { 1315 type inet:port-number; 1316 description 1317 "Match on Layer 4 dst port."; 1318 } 1319 leaf ipv6-src-prefix { 1320 type inet:ipv6-prefix; 1321 description 1322 "Match on IPv6 src address."; 1323 } 1324 leaf ipv6-dst-prefix { 1325 type inet:ipv6-prefix; 1326 description 1327 "Match on IPv6 dst address."; 1328 } 1329 leaf protocol-field { 1330 type union { 1331 type uint8; 1332 type identityref { 1333 base protocol-type; 1334 } 1335 } 1336 description 1337 "Match on IPv4 protocol or IPv6 Next Header field."; 1338 } 1339 description 1340 "Describes flow-matching criteria."; 1341 } 1342 description 1343 "Grouping for flow definition."; 1344 } 1346 grouping application-criteria { 1347 list ac { 1348 key "name"; 1349 ordered-by user; 1350 leaf name { 1351 type string; 1352 description 1353 "A description identifying application classification 1354 criteria."; 1355 } 1356 choice match-type { 1357 default "match-flow"; 1358 case match-flow { 1359 uses flow-definition; 1360 } 1361 case match-application { 1362 leaf match-application { 1363 type 
identityref { 1364 base customer-application; 1365 } 1366 description 1367 "Defines the application to match."; 1368 } 1369 } 1370 description 1371 "Choice for classification."; 1372 } 1373 description 1374 "List of marking rules."; 1375 } 1376 description 1377 "This grouping defines QoS parameters for a site."; 1378 } 1380 grouping vpn-service { 1381 leaf vpn-id { 1382 type svc-id; 1383 description 1384 "Identity for VPN."; 1385 } 1386 leaf topology { 1387 type identityref { 1388 base vpn-topology; 1389 } 1390 description 1391 "vpn topology: hub-and-spoke or any-to-any"; 1392 } 1393 container performance-objective { 1394 leaf start-time { 1395 type yang:date-and-time; 1396 description 1397 "start-time indicates date and time."; 1398 } 1399 leaf duration { 1400 type string; 1401 description 1402 "Time duration."; 1403 } 1404 container uptime-objective { 1405 leaf duration { 1406 type decimal64 { 1407 fraction-digits 5; 1408 range "0..100"; 1409 } 1410 units "percent"; 1411 description 1412 "To be used to define the a percentage of the available 1413 service."; 1414 } 1415 description 1416 "Uptime objective."; 1417 } 1418 description 1419 "The performance objective."; 1420 } 1421 container reserved-prefixes { 1422 leaf-list prefix { 1423 type inet:ip-prefix; 1424 description 1425 "ip prefix reserved for SP management purpose."; 1426 } 1427 description 1428 "ip prefix list reserved for SP management purpose."; 1429 } 1430 list application { 1431 key "app-id"; 1432 leaf app-id { 1433 type svc-id; 1434 description 1435 "application name"; 1436 } 1437 uses application-criteria; 1438 description 1439 "list for application"; 1440 } 1441 list application-group { 1442 key "app-group-id"; 1443 leaf app-group-id { 1444 type svc-id; 1445 description 1446 "application name"; 1447 } 1448 leaf-list app-id { 1449 type leafref { 1450 path "../../application/app-id"; 1451 } 1452 description 1453 "application member list in an application group"; 1454 } 1455 description 1456 "list 
for application group"; 1457 } 1458 list policy { 1459 key "policy-id"; 1460 leaf policy-id { 1461 type svc-id; 1462 description 1463 "Policy names"; 1464 } 1465 container policy-package { 1466 leaf encryption { 1467 type enumeration { 1468 enum yes { 1469 description 1470 "Indicates whether or not the application flow requires 1471 to send over encrypted overlay tunnel."; 1472 } 1473 enum either { 1474 description 1475 " Either means this policy is not applied"; 1476 } 1477 } 1478 description 1479 "Indicates whether or not the application flow requires 1480 encryption."; 1481 } 1482 leaf public-private { 1483 type enumeration { 1484 enum private-only { 1485 description 1486 "The private WAN underlay is specified."; 1487 } 1488 enum either { 1489 description 1490 "Both public WAN or private WAN could be used"; 1491 } 1492 } 1493 description 1494 "Indicates whether the Application Flow can traverse 1495 Public or Private Underlay Connectivity Services 1496 (or both).Either means this policy is not applied."; 1497 } 1498 leaf local-breakout { 1499 type boolean; 1500 description 1501 "indicates whether the Application Flow should be 1502 routed directly to the Internet using Local Internet 1503 Breakout.It can have values Yes and No."; 1504 } 1505 leaf billing-method { 1506 type enumeration { 1507 enum flat-only { 1508 description 1509 "Only flat-rate underlay could be used for the 1510 traffic."; 1511 } 1512 enum either { 1513 description 1514 "Either flat-rate or usage based underlay could 1515 be used for the traffic."; 1516 } 1517 } 1518 description 1519 "billing policy."; 1520 } 1521 leaf backup-path { 1522 type enumeration { 1523 enum yes { 1524 description 1525 "Only the primary tunnel overlay could be used for 1526 the traffic."; 1527 } 1528 enum no { 1529 description 1530 "Either the primary or backup overlay tunnel could be 1531 used for the traffic."; 1532 } 1533 } 1534 description 1535 "overlay connection as Primary or both Primary and 1536 Backup."; 1537 
} 1538 container bandwidth { 1539 leaf commit { 1540 type uint32; 1541 description 1542 "CIR"; 1543 } 1544 leaf max { 1545 type uint32; 1546 description 1547 "max speed "; 1548 } 1549 description 1550 "Container for the bandwidth policy"; 1551 } 1552 description 1553 "Container for policy package"; 1554 } 1555 description 1556 "List for policy"; 1557 } 1558 list endpoints { 1559 key "endpoint-id"; 1560 uses vpn-endpoint; 1561 description 1562 "List of endpoints."; 1563 } 1564 description 1565 "Grouping of vpn service"; 1566 } 1568 grouping site-l2-technology { 1569 container l2-technology { 1570 leaf l2-type { 1571 type identityref { 1572 base eth-inf-type; 1573 } 1574 default "untagged"; 1575 description 1576 "Defines physical properties of an interface. By default, the 1577 Ethernet interface type is set to 'untagged'."; 1578 } 1579 container untagged-interface { 1580 leaf speed { 1581 type uint32; 1582 units "mbps"; 1583 default "10"; 1584 description 1585 "Port speed."; 1586 } 1587 leaf mode { 1588 type neg-mode; 1589 default "auto-neg"; 1590 description 1591 "Negotiation mode."; 1592 } 1593 description 1594 "Container of Untagged Interface Attributes 1595 configurations."; 1596 } 1597 container tagged-interface { 1598 leaf type { 1599 type identityref { 1600 base tagged-inf-type; 1601 } 1602 default "dot1q"; 1603 description 1604 "Tagged interface type. By default, 1605 the Tagged interface type is dot1q interface. 
"; 1606 } 1607 container dot1q-vlan-tagged { 1608 leaf tg-type { 1609 type identityref { 1610 base tag-type; 1611 } 1612 default "c-vlan"; 1613 description 1614 "TAG type.By default, Tag type is Customer-VLAN tag."; 1615 } 1616 leaf cvlan-id { 1617 type uint16; 1618 mandatory true; 1619 description 1620 "VLAN identifier."; 1621 } 1622 description 1623 "Tagged interface."; 1624 } 1625 container priority-tagged { 1626 leaf tag-type { 1627 type identityref { 1628 base tag-type; 1629 } 1630 default "c-vlan"; 1631 description 1632 "TAG type.By default, the TAG type is 1633 Customer-VLAN tag."; 1634 } 1635 description 1636 "Priority tagged."; 1637 } 1638 description 1639 "Container for tagged Interface."; 1640 } 1641 leaf l2-mtu { 1642 type uint32; 1643 units "bytes"; 1644 description 1645 " L2 Maximum Frame Size MUST be an integer number of bytes 1646 >= 1522MTU."; 1647 } 1648 description 1649 "Container for l2 technology."; 1650 } 1651 description 1652 "grouping for l2 technology."; 1653 } 1655 grouping site-ip-connection { 1656 container ip-connection { 1657 container ipv4 { 1658 leaf address-allocation-type { 1659 type identityref { 1660 base address-allocation-type; 1661 } 1662 description 1663 "Defines how addresses are allocated. 
1664 If there is no value for address 1665 allocation type, then the ipv4 is not enabled."; 1666 } 1667 container dhcp { 1668 container primary-subnet { 1669 leaf ip-prefix { 1670 type inet:ipv4-prefix; 1671 description 1672 "IPv4 address prefix and mask length between 0 and 31, 1673 in bits."; 1674 } 1675 leaf default-router { 1676 type inet:ip-address; 1677 description 1678 "Address of default router."; 1679 } 1680 leaf-list provider-addresses { 1681 type inet:ipv4-address; 1682 description 1683 "the Service Provider IPv4 Addresses MUST be within the 1684 specified IPv4 Prefix."; 1685 } 1686 leaf subscriber-address { 1687 type inet:ip-address; 1688 description 1689 "subscriber IPv4 Addresses: Non-empty list 1690 of IPv4 addresses"; 1691 } 1692 leaf-list reserved-ip-prefix { 1693 type inet:ip-prefix; 1694 description 1695 "List of IPv4 Prefixes, possibly empty"; 1696 } 1697 description 1698 "Primary Subnet List"; 1699 } 1700 list secondary-subnet { 1701 key "ip-prefix"; 1702 leaf ip-prefix { 1703 type inet:ipv4-prefix; 1704 description 1705 "IPv4 address prefix and mask length between 0 and 31, 1706 in bits"; 1707 } 1708 leaf-list provider-addresses { 1709 type inet:ipv4-address; 1710 description 1711 "Service Provider IPv4 Addresses: Non-empty list 1712 of IPv4 addresses"; 1713 } 1714 leaf-list reserved-ip-prefix { 1715 type inet:ipv4-prefix; 1716 description 1717 "List of IPv4 Prefixes, possibly empty"; 1718 } 1719 description 1720 "Secondary Subnet List"; 1721 } 1722 description 1723 "DHCP allocated addresses related parameters."; 1724 } 1725 container static { 1726 container primary-subnet { 1727 leaf ip-prefix { 1728 type inet:ipv4-prefix; 1729 description 1730 "IPv4 address prefix and mask length between 0 and 31, 1731 in bits."; 1732 } 1733 leaf default-router { 1734 type inet:ip-address; 1735 description 1736 "Address of default router."; 1737 } 1738 leaf-list provider-addresses { 1739 type inet:ipv4-address; 1740 description 1741 "the Service Provider 
IPv4 Addresses MUST be within the 1742 specified IPv4 Prefix."; 1743 } 1744 leaf subscriber-address { 1745 type inet:ip-address; 1746 description 1747 "subscriber IPv4 Addresses: Non-empty list 1748 of IPv4 addresses"; 1749 } 1750 leaf-list reserved-ip-prefix { 1751 type inet:ip-prefix; 1752 description 1753 "List of IPv4 Prefixes, possibly empty"; 1754 } 1755 description 1756 "Primary Subnet List"; 1757 } 1758 list secondary-subnet { 1759 key "ip-prefix"; 1760 leaf ip-prefix { 1761 type inet:ipv4-prefix; 1762 description 1763 "IPv4 address prefix and mask length between 0 and 31, 1764 in bits"; 1765 } 1766 leaf-list provider-addresses { 1767 type inet:ipv4-address; 1768 description 1769 "Service Provider IPv4 Addresses: Non-empty list 1770 of IPv4 addresses"; 1771 } 1772 leaf-list reserved-ip-prefix { 1773 type inet:ipv4-prefix; 1774 description 1775 "List of IPv4 Prefixes, possibly empty"; 1776 } 1777 description 1778 "Secondary Subnet List"; 1779 } 1780 description 1781 "Static configuration related parameters."; 1782 } 1783 description 1784 "IPv4-specific parameters."; 1785 } 1786 container ipv6 { 1787 leaf address-allocation-type { 1788 type identityref { 1789 base address-allocation-type; 1790 } 1791 description 1792 "Defines how addresses are allocated. 
1793 If there is no value for address 1794 allocation type, then the ipv6 is not enabled."; 1795 } 1796 container dhcp { 1797 list subnet { 1798 key "ip-prefix"; 1799 leaf ip-prefix { 1800 type inet:ipv6-prefix; 1801 description 1802 "IPv6 address prefix and prefix length between 0 and 1803 128"; 1804 } 1805 leaf-list provider-addresses { 1806 type inet:ipv6-address; 1807 description 1808 "Non-empty list of IPv6 addresses"; 1809 } 1810 leaf-list reserved-ip-prefix { 1811 type inet:ipv6-prefix; 1812 description 1813 "List of IPv6 Prefixes, possibly empty"; 1814 } 1815 description 1816 "Subnet List"; 1817 } 1818 description 1819 "DHCP allocated addresses related parameters."; 1820 } 1821 container slaac { 1822 list subnet { 1823 key "ip-prefix"; 1824 leaf ip-prefix { 1825 type inet:ipv6-prefix; 1826 description 1827 "IPv6 address prefix and prefix length of 64 "; 1828 } 1829 leaf-list provider-addresses { 1830 type inet:ipv6-address; 1831 description 1832 "Non-empty list of IPv6 addresses"; 1833 } 1834 leaf-list reserved-ip-prefix { 1835 type inet:ipv6-prefix; 1836 description 1837 "List of IPv6 Prefixes, possibly empty"; 1838 } 1839 description 1840 "Subnet List"; 1841 } 1842 description 1843 "DHCP allocated addresses related parameters."; 1844 } 1845 container static { 1846 list subnet { 1847 key "ip-prefix"; 1848 leaf ip-prefix { 1849 type inet:ipv6-prefix; 1850 description 1851 "IPv6 address prefix and prefix length between 0 and 1852 128"; 1853 } 1854 leaf-list provider-addresses { 1855 type inet:ipv6-address; 1856 description 1857 "Non-empty list of IPv6 addresses"; 1858 } 1859 leaf-list reserved-ip-prefix { 1860 type inet:ipv6-prefix; 1861 description 1862 "List of IPv6 Prefixes, possibly empty"; 1863 } 1864 description 1865 "Subnet List"; 1866 } 1867 leaf subscriber-address { 1868 type inet:ipv6-address; 1869 description 1870 "IPv6 address or Not Specified."; 1871 } 1872 description 1873 "Static configuration related parameters."; 1874 } 1875 description 1876 
"Describes IPv6 addresses used."; 1877 } 1878 description 1879 "IPv6-specific parameters."; 1880 } 1881 description 1882 "This grouping defines IP connection parameters."; 1883 } 1885 container sdwan-svc { 1886 container vpn-services { 1887 list vpn-service { 1888 key "vpn-id"; 1889 uses vpn-service; 1890 description 1891 "List for SD-WAN"; 1892 } 1893 description 1894 "Container for SD-WAN VPN service"; 1895 } 1896 container sites { 1897 list site { 1898 key "site-id"; 1899 leaf site-id { 1900 type svc-id; 1901 description 1902 "Site Name"; 1903 } 1904 list device { 1905 key "name"; 1906 leaf name { 1907 type string; 1908 description 1909 "Device Name"; 1910 } 1911 leaf type { 1912 type identityref { 1913 base device-type; 1914 } 1915 description 1916 "Device Type: virtual or physical CE"; 1917 } 1918 description 1919 "List for device"; 1920 } 1921 list lan-access { 1922 key "name"; 1923 leaf name { 1924 type string; 1925 description 1926 "lan access link name"; 1927 } 1928 uses site-l2-technology; 1929 uses site-ip-connection; 1930 description 1931 "container for lan access"; 1932 } 1933 list wan-access { 1934 key "name"; 1935 leaf name { 1936 type string; 1937 description 1938 "wan access link name"; 1939 } 1940 leaf access-type { 1941 type identityref { 1942 base access-type; 1943 } 1944 description 1945 "Access type: Internet, private VPN or cellular"; 1946 } 1947 leaf access-provider { 1948 type string; 1949 description 1950 "Specifies the name of provider"; 1951 } 1952 container bandwidth { 1953 leaf input-bandwidth { 1954 type uint64; 1955 description 1956 "input bandwidth"; 1957 } 1958 leaf output-bandwidth { 1959 type uint64; 1960 description 1961 "output bandwidth"; 1962 } 1963 description 1964 "Container for bandwidth"; 1965 } 1966 uses site-l2-technology; 1967 uses site-ip-connection; 1968 description 1969 "container for wan access"; 1970 } 1971 description 1972 "List for site"; 1973 } 1974 description 1975 "Container for sites"; 1976 } 1977 
description 1978 "Top-level container for the SD-WAN services."; 1979 } 1980 } 1982 1984 7. Security Considerations 1986 The YANG module specified in this document defines a schema for data 1987 that is designed to be accessed via network management protocols such 1988 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 1989 is the secure transport layer, and the mandatory-to-implement secure 1990 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 1991 is HTTPS, and the mandatory-to-implement secure transport is TLS 1992 [RFC8446]. 1994 The NETCONF access control model [RFC8341] provides the means to 1995 restrict access for particular NETCONF or RESTCONF users to a 1996 preconfigured subset of all available NETCONF or RESTCONF protocol 1997 operations and content. 1999 There are a number of data nodes defined in this YANG module that are 2000 writable/creatable/deletable (i.e., config true, which is the 2001 default). These data nodes may be considered sensitive or vulnerable 2002 in some network environments. Write operations (e.g., edit-config) 2003 to these data nodes without proper protection can have a negative 2004 effect on network operations. These are the subtrees and data nodes 2005 and their sensitivity/vulnerability. 2007 8. IANA Considerations 2009 IANA has assigned a new URI from the "IETF XML Registry" [RFC3688]. 2011 URI: urn:ietf:params:xml:ns:yang:ietf-sdwan-svc 2012 Registrant Contact: The IESG 2013 XML: N/A; the requested URI is an XML namespace. 2015 IANA has recorded a YANG module name in the "YANG Module Names" 2016 registry [RFC6020] as follows: 2018 Name: ietf-sdwan-svc 2019 Namespace: urn:ietf:params:xml:ns:yang:ietf-sdwan-svc 2020 Prefix: sdwan-svc 2021 Reference: RFC xxxx 2023 9. 
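The leafrefs above are checked by any NETCONF or RESTCONF server, but the constraints the module states only in description text (provider addresses MUST lie inside their prefix, l2-mtu MUST be at least 1522 bytes) are not, and nothing in the model stops an operator from binding an application to a policy that permits cleartext over a public underlay. The following Python checker is an added example written for this page; it is not code from the draft or its authors. It assumes the JSON encoding of RFC 7951 with the module name qualifying the top-level container, and the sample instance (vpn-1, hq, erp, the 192.0.2.0/30 subnet, and so on) is constructed for the example. The router/subscriber containment check and the cleartext warning are the example's own additions to the module text.

```python
"""Semantic checks on an ietf-sdwan-svc instance in JSON encoding (RFC 7951).

Added example, not code from the draft. Leafref integrity is enforced by the
server; the description-text MUSTs (provider addresses inside their prefix,
l2-mtu >= 1522) are not, so an orchestrator should check them before an
edit-config. The default-router/subscriber-address containment check and the
cleartext warning are this example's own additions.
"""
import ipaddress
import json

# Constructed sample instance; every identifier and address is illustrative.
SAMPLE = json.loads("""
{"ietf-sdwan-svc:sdwan-svc": {
  "vpn-services": {"vpn-service": [{
    "vpn-id": "vpn-1",
    "application": [{"app-id": "erp", "ac": [{"name": "erp-db",
        "match-flow": {"l4-dst-port": 5432, "protocol-field": "tcp"}}]}],
    "application-group": [{"app-group-id": "business", "app-id": ["erp"]}],
    "policy": [
      {"policy-id": "secure-private", "policy-package":
        {"encryption": "yes", "public-private": "private-only"}},
      {"policy-id": "best-effort", "policy-package":
        {"encryption": "either", "public-private": "either"}}],
    "endpoints": [{"endpoint-id": "ep-hq",
      "site-attachment": {"site-id": "hq"},
      "endpoint-policy-map": {
        "app-group-policy": [{"app-group-id": "business", "policy-id": "best-effort"}],
        "app-policy": [{"app-id": "erp", "policy-id": "no-such-policy"}]}}]}]},
  "sites": {"site": [{"site-id": "hq",
    "wan-access": [{"name": "inet-1", "access-type": "ietf-sdwan-svc:commodity",
      "l2-technology": {"l2-mtu": 1500},
      "ip-connection": {"ipv4": {
        "address-allocation-type": "ietf-sdwan-svc:static-address",
        "static": {"primary-subnet": {"ip-prefix": "192.0.2.0/30",
          "default-router": "192.0.2.1", "subscriber-address": "192.0.2.2",
          "provider-addresses": ["192.0.2.1", "198.51.100.9"]}}}}}]}]}}}
""")


def _subnet_errors(where, subnet):
    """Addresses configured under a subnet node must fall inside its ip-prefix."""
    prefix = subnet.get("ip-prefix")
    if prefix is None:
        return []
    net = ipaddress.ip_network(prefix, strict=False)
    errs = []
    for a in subnet.get("provider-addresses", []):          # module text: MUST
        if ipaddress.ip_address(a) not in net:
            errs.append(f"{where}: provider address {a} outside {prefix}")
    for leaf in ("default-router", "subscriber-address"):   # added sanity check
        a = subnet.get(leaf)
        if a is not None and ipaddress.ip_address(a) not in net:
            errs.append(f"{where}: {leaf} {a} outside {prefix}")
    return errs


def _ip_connection_errors(where, conn):
    """Walk ipv4|ipv6 -> dhcp|slaac|static -> primary-subnet|secondary-subnet|subnet."""
    errs = []
    for af in ("ipv4", "ipv6"):
        for mode, body in conn.get(af, {}).items():
            if not isinstance(body, dict):
                continue                       # skips the address-allocation-type leaf
            for name, node in body.items():
                if name == "primary-subnet":
                    errs += _subnet_errors(f"{where}/{af}/{mode}/{name}", node)
                elif name in ("secondary-subnet", "subnet"):
                    for s in node:
                        errs += _subnet_errors(f"{where}/{af}/{mode}/{name}", s)
    return errs


def validate(instance):
    """Return (errors, warnings) for one sdwan-svc instance."""
    root = instance["ietf-sdwan-svc:sdwan-svc"]
    errs, warns = [], []
    sites = root.get("sites", {}).get("site", [])
    site_ids = {s["site-id"] for s in sites}
    for site in sites:
        for kind in ("lan-access", "wan-access"):
            for link in site.get(kind, []):
                where = f"{site['site-id']}/{kind}/{link['name']}"
                mtu = link.get("l2-technology", {}).get("l2-mtu")
                if mtu is not None and mtu < 1522:          # module text: MUST be >= 1522
                    errs.append(f"{where}: l2-mtu {mtu} below 1522")
                errs += _ip_connection_errors(where, link.get("ip-connection", {}))
    for vpn in root.get("vpn-services", {}).get("vpn-service", []):
        vid = vpn["vpn-id"]
        apps = {a["app-id"] for a in vpn.get("application", [])}
        groups = {g["app-group-id"] for g in vpn.get("application-group", [])}
        policies = {p["policy-id"]: p.get("policy-package", {}) for p in vpn.get("policy", [])}
        for g in vpn.get("application-group", []):
            for a in g.get("app-id", []):
                if a not in apps:
                    errs.append(f"{vid}: group {g['app-group-id']} references unknown app {a}")
        for ep in vpn.get("endpoints", []):
            eid = ep["endpoint-id"]
            site = ep.get("site-attachment", {}).get("site-id")
            if site is not None and site not in site_ids:
                errs.append(f"{vid}/{eid}: unknown site {site}")
            pmap = ep.get("endpoint-policy-map", {})
            for lst, key, known in (("app-group-policy", "app-group-id", groups),
                                    ("app-policy", "app-id", apps)):
                for entry in pmap.get(lst, []):
                    if entry[key] not in known:
                        errs.append(f"{vid}/{eid}: unknown {key} {entry[key]}")
                    pid = entry.get("policy-id")
                    if pid not in policies:
                        errs.append(f"{vid}/{eid}: unknown policy {pid}")
                        continue
                    pkg = policies[pid]
                    # Neither leaf forces protection, so the flow may cross a
                    # public underlay in cleartext: flag it for a human to confirm.
                    if pkg.get("encryption") != "yes" and pkg.get("public-private") != "private-only":
                        warns.append(f"{vid}/{eid}: {entry[key]} -> {pid} allows "
                                     "cleartext over a public underlay")
    return errs, warns


if __name__ == "__main__":
    for kind, items in zip(("error", "warning"), validate(SAMPLE)):
        for msg in items:
            print(f"{kind}: {msg}")
```

Run against the sample, the checker reports the undersized MTU, the provider address outside 192.0.2.0/30 and the dangling policy reference as errors, and the business group bound to best-effort as a cleartext warning; a server would have rejected only the dangling leafref.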
9.  Appendix 1: Terminology Mapping between MEF SD-WAN Service
    Attributes and IETF SD-WAN model

SD-WAN Service Attributes and Services [MEF70-Draft-R1] defines the
SD-WAN service attributes and services for SD-WAN service delivery.
These service attributes can be used for communication between
subscribers and services to deliver SD-WAN services, while this draft
defines a YANG data model for SD-WAN service delivery communicated
between customer and service provider. The purpose of both pieces of
work is very similar.

The table below shows the terminology mapping. The YANG model retains
most parameter definition names but adjusts some of the structure to
reserve space for future augmentation. For example, the model defines
"vpn-service" and "lan-access" as lists, which accommodates both the
current MEF service attributes, which restrict a customer to one VPN
and one LAN access, and a future extension to multiple VPNs or LAN
accesses per customer.

+----------------------------+----------------------------------+
| IETF SD-WAN Service model  | MEF70 R1 SD-WAN Services Term    |
+----------------------------+----------------------------------+
| SD-WAN VPN                 | SD-WAN Virtual Connection (SWVC) |
+----------------------------+----------------------------------+
| SD-WAN VPN Endpoint        | SWVC End Point                   |
+----------------------------+----------------------------------+
| Site                       | User Network Interface (UNI)     |
+----------------------------+----------------------------------+
| lan-access                 | UNI link Attributes              |
+----------------------------+----------------------------------+
| wan-access                 | TBD (Underlay connectivity)      |
+----------------------------+----------------------------------+

10.  Appendix 2: IETF OSE model vs IETF SD-WAN model

The SD-WAN OSE service delivery model [I-D.wood-rtgwg-sdwan-ose-yang]
defines two Open SD-WAN Exchange (OSE) service YANG modules that
enable the orchestrator in the enterprise network to implement SD-WAN
inter-domain reachability and connectivity services and
application-aware traffic steering services. Although the OSE YANG
model is also a service model rather than a device model, it is
mainly used for interoperability and service consistency across
multiple SD-WAN domains. The differences are shown as follows:

+----------------------------------+-------------------------------+
| IETF OSE service model           | IETF SD-WAN Service model     |
+----------------------------------+-------------------------------+
| Domain SD-WAN controller facing  | customer-facing               |
|                                  |                               |
+----------------------------------+-------------------------------+
| Inter OSE GW connectivity service|unaware of SD-WAN domain in    |
|                                  |one SP network                 |
| Inter SD-WAN domain              |Inter-SD-WAN Service Provider  |
|                                  |TBD                            |
+----------------------------------+-------------------------------+
| SLA aware dynamic Path selection |static Primary/Backup selection|
+----------------------------------+-------------------------------+

For the SLA-based dynamic path selection policy, the OSE service
model uses similar application classification criteria, but it also
collects the relevant status of the traffic SLA profiles and, based
on the measurements calculated from the collected information,
selects the primary or the secondary path.

   +--primary-backup
      +--rw path-values
         +--rw sla-values
            +--rw latency?            uint32
            +--rw jitter?             uint32
            +--rw packet-loss-rate?   uint32

11.  Acknowledgments

This work has benefited from discussions with Jack Pugaczewski,
Larry S Samberg, and Pascal Menezes from the MEF community.

12.  Contributors

The authors would like to thank Zitao Wang for his major
contributions to the initial modelling.

13.  References

13.1.  Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.

13.2.  Informative References

[I-D.wood-rtgwg-sdwan-ose-yang]
           Wood, S., Bo, W., Wu, Q., and C. Menezes, "YANG Data Model
           for SD-WAN OSE service delivery",
           draft-wood-rtgwg-sdwan-ose-yang-00 (work in progress),
           March 2019.

[MEF51.1]  MEF, Ed., "Operator Ethernet Service Definition",
           December 2018.

[MEF70-Draft-R1]
           MEF, Ed., "SD-WAN Service Attributes and Services",
           May 2019.

[RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
           Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
           DOI 10.17487/RFC2784, March 2000,
           <https://www.rfc-editor.org/info/rfc2784>.

[RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
           DOI 10.17487/RFC3688, January 2004,
           <https://www.rfc-editor.org/info/rfc3688>.

[RFC4026]  Andersson, L. and T. Madsen, "Provider Provisioned Virtual
           Private Network (VPN) Terminology", RFC 4026,
           DOI 10.17487/RFC4026, March 2005,
           <https://www.rfc-editor.org/info/rfc4026>.

[RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
           Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364,
           February 2006, <https://www.rfc-editor.org/info/rfc4364>.

[RFC4664]  Andersson, L., Ed. and E. Rosen, Ed., "Framework for Layer
           2 Virtual Private Networks (L2VPNs)", RFC 4664,
           DOI 10.17487/RFC4664, September 2006,
           <https://www.rfc-editor.org/info/rfc4664>.

[RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
           the Network Configuration Protocol (NETCONF)", RFC 6020,
           DOI 10.17487/RFC6020, October 2010,
           <https://www.rfc-editor.org/info/rfc6020>.

[RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPsec) and
           Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
           DOI 10.17487/RFC6071, February 2011,
           <https://www.rfc-editor.org/info/rfc6071>.

[RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
           and A. Bierman, Ed., "Network Configuration Protocol
           (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
           <https://www.rfc-editor.org/info/rfc6241>.

[RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
           Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
           <https://www.rfc-editor.org/info/rfc6242>.

[RFC7426]  Haleplidis, E., Ed., Pentikousis, K., Ed., Denazis, S.,
           Hadi Salim, J., Meyer, D., and O. Koufopavlou, "Software-
           Defined Networking (SDN): Layers and Architecture
           Terminology", RFC 7426, DOI 10.17487/RFC7426, January
           2015, <https://www.rfc-editor.org/info/rfc7426>.

[RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
           Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
           <https://www.rfc-editor.org/info/rfc8040>.

[RFC8299]  Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
           "YANG Data Model for L3VPN Service Delivery", RFC 8299,
           DOI 10.17487/RFC8299, January 2018,
           <https://www.rfc-editor.org/info/rfc8299>.

[RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
           Access Control Model", STD 91, RFC 8341,
           DOI 10.17487/RFC8341, March 2018,
           <https://www.rfc-editor.org/info/rfc8341>.

[RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
           Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
           <https://www.rfc-editor.org/info/rfc8446>.

[RFC8466]  Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
           Data Model for Layer 2 Virtual Private Network (L2VPN)
           Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
           2018, <https://www.rfc-editor.org/info/rfc8466>.

Authors' Addresses

Qiong Sun
China Telecom
Beijing
China

Email: sunqiong.bri@chinatelecom.cn

Honglei Xu
China Telecom
Beijing
China

Email: xuhl.bri@chinatelecom.cn

Bo Wu (editor)
Huawei
Nanjing
China

Email: lana.wubo@huawei.com

Qin Wu (editor)
Huawei
Nanjing
China

Email: bill.wu@huawei.com

Charles Eckel (editor)
Cisco Systems
170 W. Tasman Drive
San Jose, CA
United States

Email: eckelcu@cisco.com