Extensions to the YANG Data Model for L3VPN Service Delivery
draft-fu-onsen-update-l3sm-service-models-01
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) |
|---|---|---|
| | Authors | Fengchao Fu, Cancan Huang, Bo Wu, Chongfeng Xie |
| | Last updated | 2026-04-28 |
| | RFC stream | (None) |
| | Intended RFC status | (None) |
| Stream | Stream state | (No stream defined) |
| | Consensus boilerplate | Unknown |
| | RFC Editor Note | (None) |
| IESG | IESG state | I-D Exists |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
ONSEN Working Group                                                F. Fu
Internet-Draft                                                  C. Huang
Intended status: Informational                             China Telecom
Expires: 30 October 2026                                           B. Wu
                                                                  Huawei
                                                                  C. Xie
                                                           China Telecom
                                                           28 April 2026
Extensions to the YANG Data Model for L3VPN Service Delivery
draft-fu-onsen-update-l3sm-service-models-01
Abstract
RFC 8299 defines a YANG data model for L3VPN service delivery. This
document defines a set of extensions that address the limitations of
the L3VPN Service Model (L3SM) as initially defined in RFC 8299,
which assumes static connectivity and fixed bandwidth allocations.
Based on field deployment feedback, the extensions enable dynamic
L3VPN capabilities, including dynamic network provisioning and
bandwidth adjustment. This document further addresses technical
deficiencies by providing (1) integration of Slice Service Templates
for SRv6 VPN scenarios, (2) performance monitoring to enrich
operational state data and service quality visibility, and
(3) quantum-safe encryption.
First Submission
This is the second submission of this document to the IETF, submitted
on February 11, 2026. No pre-RFC5378 disclaimer is required as this
submission is post-RFC5378.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Fu, et al. Expires 30 October 2026 [Page 1]
Internet-Draft Extensions to L3SM April 2026
This Internet-Draft will expire on 30 October 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Status of This Memo
2. Copyright Notice
3. Introduction
4. Terminology
5. Service Data Model Usage
6. Overall Structure of the Extended L3VPN Service Module
  6.1. Tree Structure
  6.2. L3SM Augmentations for extended-L3VPN Requirements
    6.2.1. Dynamic networking provisioning
    6.2.2. Dynamic bandwidth adjustment
    6.2.3. Slice SLO Template Integration
    6.2.4. Performance Monitoring
    6.2.5. Enhanced security
7. Extended L3SM YANG Module
8. Service Model Usage Example
9. IANA Considerations
10. Security Considerations
11. References
  11.1. Normative References
  11.2. Informative References
Appendix A. Dynamic-L3VPN service provisioning and lifecycle procedure
Acknowledgments
Authors' Addresses
1. Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF). Note that
other groups may also distribute working documents. The list of
current Internet-Drafts is at https://datatracker.ietf.org/drafts/
current/. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 October 2026.
2. Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved. This document is subject to
BCP 78 and the IETF Trust's Legal Provisions Relating to IETF
Documents (https://trustee.ietf.org/license-info) in effect on the
date of publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
3. Introduction
RFC 8299 defines the Layer 3 VPN Service Model (L3SM), which provides
a customer-facing abstraction for Layer 3 VPN services. L3SM assumes
relatively static service characteristics: persistent connectivity
between fixed sites with bandwidth parameters specified at service
creation time.
Operational experience with data-intensive workloads (e.g., large-
scale data transfer, temporary compute clusters) has identified
requirements not addressed by the base L3SM model:
* Dynamic network provisioning: The ability to establish and tear
down connectivity on demand, rather than maintaining persistent
connections. Conventional L3VPN services must perform frequent
network reconfigurations to support such dynamic networking, and
such frequent reconfigurations may introduce risks to network
stability and are generally unacceptable for network operations.
* Dynamic bandwidth adjustment: The ability to modify bandwidth
allocations within seconds or minutes, rather than through
configuration changes that may take hours or days.
These operational requirements create corresponding gaps in the
service model. In addition, large-scale SRv6 and network slicing
deployments reveal further technical deficiencies in the original
L3SM:
1. L3SM does not support temporary connectivity with explicit
activation/deactivation time windows.
2. L3SM does not provide parameters for elastic bandwidth ranges or
adjustment time constraints.
3. L3SM lacks integration with network slicing constructs (Slice
Service Templates) needed for differentiated service tiers over
SRv6 transport.
4. L3SM lacks standardized operational state definitions and native
support for performance monitoring (such as IFIT), limiting end-
to-end service quality visibility and operational oversight.
5. L3SM does not provide parameters for quantum-safe encryption.
This document defines YANG augmentations to RFC 8299 to address these
gaps. The extensions are designed to be backward compatible:
implementations that do not require these capabilities can ignore the
new parameters.
The scope of this document is limited to service model extensions.
Implementation details of underlying mechanisms (e.g., signaling
protocols, encryption algorithms, security mechanisms) are out of
scope.
4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 in [RFC2119] and [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the following terms:
AC: Attachment Circuit, as defined in [RFC9833].
CE: Customer Edge, as defined in [RFC4026].
COA: Change of Authorization, as defined in [RFC5176].
Dynamic-L3VPN: A Layer 3 VPN service supporting dynamic network
provisioning and/or dynamic bandwidth adjustment.
L3SM: Layer 3 VPN Service Model, as defined in [RFC8299].
L3VPN: Layer 3 Virtual Private Network, as defined in [RFC4026].
PE: Provider Edge, as defined in [RFC4026].
Slice Service Template (SST): A reusable policy container defining
Service Level Objectives (SLOs) and Service Level Expectations (SLEs)
for network slices, as defined in [I-D.ietf-teas-ietf-network-slice-
nbi-yang].
5. Service Data Model Usage
The L3VPN service model defined in [RFC8299] provides a service-level
abstraction for L3VPN services, decoupling service intent from device
configuration. The extensions in this document follow the same
service data model usage as the base L3VPN Service Model (L3SM). As
with L3SM, a typical scenario is to use this model as input to an
orchestration layer that is responsible for translating service
intent into device configurations. An example of extended L3VPN
service delivery is shown in Figure 1.
The main difference from the base model is that these extensions
introduce additional service-level attributes and policy constructs
to support newer, more dynamic service delivery models.
The usage of this service model is not limited to this example. The
extended data model can be used by any component of a management
system and by northbound consumers, but it is not used directly by
network elements.
                         +----------+
                         | Customer |
                         +-----+----+
                               |
          L3vpn-svc-ext        |
             Models            |
                       +-------+-------+
                       |    Service    |
                       |  Orchestrator |
                       +-------+-------+
                               |
          Network Models       |
                               |
                       +-------+-----+
                       |   Network   |
                       |  Controller |
                       +-----+-+-+---+
          Device             | | |
          Configuration      | | |
          Models             | | |
             +---------------+ | +-----------+
             |      +----------+-------+     |  +---------+
          +--+--+   |                  |     |  |         |
          | CE1 +---+ +-----+   +----+ |  +--+--+-+       |
          +-----+   | | PE1 |   |PE2 | +--+ DC-GW |  DC   |
          +-----+   | +-----+   +----+ |  +-----+-+       |
          | CE2 +---+                  |        |         |
          +-----+   +------------------+        +---------+
Figure 1: Extended L3VPN Service Delivery Example
6. Overall Structure of the Extended L3VPN Service Module
6.1. Tree Structure
The extensions are defined in the module ietf-l3vpn-svc-ext, which
augments the base L3SM module (ietf-l3vpn-svc) at the following
locations:
* /l3vpn-svc/vpn-profiles: Adds profiles for bandwidth adjustment
ranges and SLO/SLE templates.
* /l3vpn-svc/sites/site: Adds temporary connection indicators and
effective time windows.
* /l3vpn-svc/sites/site/site-network-accesses/site-network-access/
service: Adds dynamic bandwidth indicators and adjustment ranges.
* /l3vpn-svc/sites/site/security/encryption: Adds quantum encryption
parameters.
Figure 2 illustrates the module augmentation structure.
module: ietf-l3vpn-svc-ext

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles:
    +--rw maximum-bandwidth-adjustment-profiles
    |  +--rw maximum-bandwidth-adjustment-profile* [id]
    |     +--rw id    string
    +--rw slo-sle-profiles
       +--rw slo-sle-profile* [id]
          +--rw id             string
          +--rw description?   string
          +--rw profile-ref?   -> /l3vpn-svc:l3vpn-svc
                  /vpn-profiles
                  /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles
                  /maximum-bandwidth-adjustment-profile/id
          +--rw slo-policy
          |  +--rw metric-bound* [metric-type]
          |  |  +--rw metric-type          identityref
          |  |  +--rw metric-unit?         string
          |  |  +--rw value-description?   string
          |  |  +--rw percentile-value?    uint8
          |  |  +--rw bound?               uint64
          |  +--rw availability?   identityref
          |  +--rw mtu?            uint32
          +--rw sle-policy
             +--rw security*              identityref
             +--rw isolation*             identityref
             +--rw max-occupancy-level?   uint8
             +--rw path-constraints
                +--rw service-functions?   string
                +--rw diversity
                   +--rw diversity-type?   identityref

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site:
    +--rw temporary-connection-indicator?   boolean
    +--rw effective-time-window?            yang:date-and-time
    +--rw service
    |  +--rw qos
    |     +--rw qos-profile
    |        +--rw slo-sle-profile?       -> /l3vpn-svc:l3vpn-svc
                     /vpn-profiles
                     /l3vpn-svc-ext:slo-sle-profiles
                     /slo-sle-profile/id
    |        +--rw qos-profile-enabled?   boolean
    +--rw security-encryption
       +--rw quantum-encryption-enable?   boolean
       +--rw quantum-encryption-mode?     uint8
       +--ro quantum-encryption-status?   enumeration

  augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites"
         +"/l3vpn-svc:site/l3vpn-svc:site-network-accesses"
         +"/l3vpn-svc:site-network-access":
    +--rw service
    |  +--rw dynamic-bandwidth-indicator?                boolean
    |  +--rw effective-time-window?                      yang:date-and-time
    |  +--rw maximum-bandwidth-adjustment-profile-ref?   ->
               /l3vpn-svc:l3vpn-svc
               /vpn-profiles
               /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles
               /maximum-bandwidth-adjustment-profile/id
    |  +--rw performance-monitoring
    |     +--rw monitoring-enabled?   boolean
    |     +--rw monitoring-mode?      enumeration
    |     +--ro operational-state
    |        +--ro monitor-status?     enumeration
    |        +--ro average-delay?      uint32
    |        +--ro packet-loss-rate?   decimal64
    |        +--ro jitter?             uint32
    +--rw ip-connection-security
       +--rw quantum-encryption-enable?   boolean
       +--rw quantum-encryption-mode?     uint8
       +--ro quantum-encryption-status?   enumeration
       +--rw service
          +--rw qos
             +--rw qos-profile
                +--rw slo-sle-profile?       ->
                        /l3vpn-svc:l3vpn-svc/vpn-profiles
                        /l3vpn-svc-ext:slo-sle-profiles
                        /slo-sle-profile/id
                +--rw qos-profile-enabled?   boolean
Figure 2: Augmentation Structure of ietf-l3vpn-svc-ext
6.2. L3SM Augmentations for extended-L3VPN Requirements
6.2.1. Dynamic networking provisioning
Requirement: Support on-demand establishment and release of VPN
connectivity between specified endpoints, with activation times
ranging from seconds (for pre-configured tunnels) to minutes (for
configuration-driven setup).
Gap in [RFC8299]: L3SM assumes persistent connectivity; it provides
no mechanism to specify temporary connections or activation time
constraints.
Extensions:
* temporary-connection-indicator: Boolean flag indicating whether a
site connection is temporary (default false).
* effective-time-window: Time range parameter specifying when the
connection must be active. When sub-minute activation is
required, this indicates that pre-configured tunnels with dynamic
authorization (e.g., RADIUS COA [RFC5176]) should be used.
6.2.2. Dynamic bandwidth adjustment
Requirement: Support modification of bandwidth allocations within
customer-specified time windows, ranging from seconds to hours.
Gap in [RFC8299]: L3SM specifies static bandwidth parameters (input-
bandwidth, output-bandwidth) without support for elastic ranges or
adjustment constraints.
Extensions:
* dynamic-bandwidth-indicator: Boolean flag indicating whether
bandwidth adjustment is supported (default false).
* maximum-bandwidth-adjustment-profile (bandwidth context): Maximum
range allowed for a bandwidth modification.
* effective-time-window (bandwidth context): Maximum allowed
duration to complete a bandwidth modification.
6.2.3. Slice SLO Template Integration
Requirement: Enable binding of L3VPN services to predefined service
tiers with specific performance guarantees (latency, bandwidth,
isolation), decoupling service catalog definition from resource
allocation.
Gap in [RFC8299]: L3SM provides basic QoS profiles but lacks
integration with network slicing constructs and parameterized SLO/SLE
specifications.
Extensions:
* slo-sle-profile: Reference to a Slice Service Template defining
quantitative SLOs (metric bounds, availability) and qualitative
SLEs (security, isolation, path constraints).
The SLO/SLE profile structure aligns with [I-D.ietf-teas-ietf-
network-slice-nbi-yang], enabling consistent policy application
across VPN and slice services.
6.2.4. Performance Monitoring
Requirement: Provide end-to-end service quality visibility.
Gap in [RFC8299]: The base L3SM lacks native monitoring configuration
options and service-level performance metrics.
Extensions:
* monitoring-enabled: Boolean flag to enable performance monitoring
for the L3VPN service (default false).
* performance-state (read-only): A set of operational state and
service-level performance metrics, including delay, packet loss
and jitter, to enrich operational state data and enhance end-to-
end quality visibility.
6.2.5. Enhanced security
Requirement: Support quantum-safe encryption for high-security data
transmission scenarios.
Gap in [RFC8299]: L3SM defines basic encryption enablement but lacks
parameters for quantum key distribution (QKD) and post-quantum
cryptography (PQC) integration.
Extensions:
* quantum-encryption-enable: Boolean flag for quantum-enhanced
security activation.
* quantum-encryption-mode: Failover behavior when quantum key
acquisition fails (fallback to conventional crypto or terminate).
* quantum-encryption-status: Operational state monitoring (read-
only).
7. Extended L3SM YANG Module
This module augments the L3SM.
module ietf-l3vpn-svc-ext {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext";
  prefix l3vpn-svc-ext;

  import ietf-l3vpn-svc {
    prefix l3vpn-svc;
    revision-date 2018-01-19;
  }
  import ietf-yang-types {
    prefix yang;
    revision-date 2013-07-15;
  }

  organization
    "IETF ONSEN Working Group";
  contact
    "Editor: Fengchao Fu
             <fufengc@chinatelecom.cn>
             Cancan Huang
             <huangcanc@chinatelecom.cn>
             Bo Wu
             <lana.wubo@huawei.com>
             Chongfeng Xie
             <xiechf@chinatelecom.cn>";
  description
    "This module defines extensions to the L3VPN service model
     for supporting
     dynamic bandwidth adjustment, SLO/SLE profile binding,
     quantum-safe encryption,
     performance monitoring, and QoS enhancement.

     Copyright (c) 2026 IETF Trust and the persons identified as
     authors of the code.
     All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of
     I-D:draft-fu-onsen-update-L3SM-service-models-00; see
     the I-D itself for full legal notices.";

  revision 2026-04-26 {
    description
      "Added performance monitoring for service
       quality visibility. ";
    reference "I-D: draft-fu-onsen-L3SM-extensions-01";
  }
  revision 2026-02-10 {
    description
      "Initial revision with dynamic networking and
       bandwidth adjustment, SLO/SLE,
       and quantum encryption extensions.
       Compatible with RFC 7950 (YANG 1.1).";
    reference "I-D: draft-ietf-l3vpn-dynamic-ext-00";
  }

  identity metric-type-base {
    description "Base identity for performance metric types";
  }
  identity latency {
    base metric-type-base;
    description "End-to-end latency metric";
  }
  identity bandwidth {
    base metric-type-base;
    description "Available bandwidth metric";
  }
  identity availability-level-base {
    description "Base identity for service availability levels";
  }
  identity security-policy-base {
    description "Base identity for security policy types";
  }
  identity isolation-level-base {
    description "Base identity for isolation levels";
  }
  identity te-link-disjoint {
    description "Link-disjoint path diversity
                 (IETF TE type semantics)";
  }

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles {
    container maximum-bandwidth-adjustment-profiles {
      description "Collection of maximum bandwidth
                   adjustment profiles for dynamic bandwidth";
      list maximum-bandwidth-adjustment-profile {
        key "id";
        description "Single maximum bandwidth adjustment
                     profile for dynamic bandwidth";
        leaf id {
          type string;
          description "Unique identifier
                       for the maximum bandwidth adjustment profile";
        }
      }
    }
    container slo-sle-profiles {
      description "Reusable SLO/SLE profiles for
                   Dynamic-L3VPN QoS binding";
      list slo-sle-profile {
        key "id";
        description "SLO/SLE profile defining performance
                     and experience constraints";
        leaf id {
          type string;
          description "Unique identifier for the SLO/SLE profile";
        }
        leaf description {
          type string;
          mandatory false;
          description "Human-readable description
                       of the SLO/SLE profile";
        }
        leaf profile-ref {
          type leafref {
            path "/l3vpn-svc:l3vpn-svc"
               + "/l3vpn-svc:vpn-profiles"
               + "/l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles"
               + "/l3vpn-svc-ext:maximum-bandwidth-adjustment-profile"
               + "/id";
          }
          mandatory false;
          description "Reference to an associated network
                       slice profile";
        }
        container slo-policy {
          description "Service Level Objective (SLO)
                       policy constraints";
          list metric-bound {
            key "metric-type";
            description "Bound on a specific performance metric";
            leaf metric-type {
              type identityref {
                base metric-type-base;
              }
              description "Type of performance metric
                           (latency, bandwidth, etc.)";
            }
            leaf metric-unit {
              type string;
              description "Unit of measurement for
                           the metric (ms, Mbps, %)";
            }
            leaf value-description {
              type string;
              mandatory false;
              description "Additional context for the metric value";
            }
            leaf percentile-value {
              type uint8;
              mandatory false;
              description "Percentile for the metric bound (0-100)";
            }
            leaf bound {
              type uint64;
              mandatory false;
              description "Threshold value for the
                           performance metric";
            }
          }
          leaf availability {
            type identityref {
              base availability-level-base;
            }
            mandatory false;
            description "Required service availability level
                         (99.999%, etc.)";
          }
          leaf mtu {
            type uint32;
            mandatory false;
            description "Maximum Transmission Unit
                         (bytes) for the service";
          }
        }
        container sle-policy {
          description "Service Level Experience (SLE)
                       policy constraints";
          leaf-list security {
            type identityref {
              base security-policy-base;
            }
            description "Security policies applied
                         (TLS 1.3, IPsec, etc.)";
          }
          leaf-list isolation {
            type identityref {
              base isolation-level-base;
            }
            description "Isolation requirements
                         (network, tenant, etc.)";
          }
          leaf max-occupancy-level {
            type uint8;
            mandatory false;
            description "Maximum resource occupancy level
                         (0-255, percentage scale)";
          }
          container path-constraints {
            description "Constraints on data path selection";
            leaf service-functions {
              type string;
              description "Required service functions on the
                           path (firewall, IDS, etc.)";
            }
            container diversity {
              description "Path diversity requirements
                           for redundancy";
              leaf diversity-type {
                type identityref {
                  base te-link-disjoint;
                }
                mandatory false;
                description "Type of path disjointness
                             (link-disjoint)";
              }
            }
          }
        }
      }
    }
  }

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site {
    leaf temporary-connection-indicator {
      type boolean;
      default false;
      description "Indicator if this site has a
                   temporary connection";
    }
    leaf effective-time-window {
      type yang:date-and-time;
      mandatory false;
      when "../l3vpn-svc-ext:temporary-connection-indicator
            = 'true'";
      description "Time window for temporary connection validity";
    }
    container service {
      container qos {
        container qos-profile {
          leaf slo-sle-profile {
            type leafref {
              path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles"
                 + "/l3vpn-svc-ext:slo-sle-profiles"
                 + "/l3vpn-svc-ext:slo-sle-profile"
                 + "/id";
            }
            mandatory false;
            when "../qos-profile-enabled = 'true'";
            description "Reference to SLO/SLE profile
                         for site-level QoS binding";
          }
          leaf qos-profile-enabled {
            type boolean;
            default false;
            description "QoS profile enable flag";
          }
        }
      }
    }
    container security-encryption {
      leaf quantum-encryption-enable {
        type boolean;
        default false;
        description "Enable quantum-resistant encryption
                     for site security";
      }
      leaf quantum-encryption-mode {
        type uint8;
        default 1;
        mandatory false;
        when "../quantum-encryption-enable = 'true'";
        description "Quantum encryption mode
                     (1=default, 2=enhanced)";
      }
      leaf quantum-encryption-status {
        type enumeration {
          enum idle {
            description "Quantum encryption not active";
          }
          enum active {
            description "Quantum encryption in use";
          }
          enum error {
            description "Quantum encryption error state";
          }
        }
        config false;
        description "Operational status of quantum
                     encryption (read-only)";
      }
    }
  }

  augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites"
        +"/l3vpn-svc:site/l3vpn-svc:site-network-accesses"
        +"/l3vpn-svc:site-network-access" {
    container service {
      leaf dynamic-bandwidth-indicator {
        type boolean;
        default false;
        description "Enable dynamic bandwidth adjustment
                     for this service";
      }
      leaf effective-time-window {
        type yang:date-and-time;
        mandatory false;
        when "../dynamic-bandwidth-indicator = 'true'";
        description "Time window for dynamic bandwidth validity";
      }
      leaf maximum-bandwidth-adjustment-profile-ref {
        type leafref {
          path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles"
             + "/l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles"
             + "/l3vpn-svc-ext:maximum-bandwidth-adjustment-profile"
             + "/id";
        }
        mandatory false;
        when "../dynamic-bandwidth-indicator = 'true'";
        description "Reference to
                     a maximum bandwidth adjustment profile.";
      }
      container performance-monitoring {
        description "Service-level performance monitoring.";
        leaf monitoring-enabled {
          type boolean;
          default false;
          description "Enable performance monitoring.";
        }
        leaf monitoring-mode {
          type enumeration {
            enum end-to-end;
          }
          default end-to-end;
          description "Performance monitoring mode.";
        }
        container operational-state {
          config false;
          description "Operational state and performance metrics.";
          leaf monitor-status {
            type enumeration {
              enum active;
              enum inactive;
              enum degraded;
              enum fault;
            }
            description "Current monitoring status.";
          }
          leaf average-delay {
            type uint32;
            units milliseconds;
            description "Average end-to-end packet delay.";
          }
          leaf packet-loss-rate {
            type decimal64 {
              fraction-digits 2;
              range "0 .. 100";
            }
            units percent;
            description "Packet loss rate.";
          }
          leaf jitter {
            type uint32;
            units milliseconds;
            description "Packet delay jitter.";
          }
        }
      }
    }
    container ip-connection-security {
      leaf quantum-encryption-enable {
        type boolean;
        default false;
        description "Enable quantum-resistant
                     encryption for IP connection security";
      }
      leaf quantum-encryption-mode {
        type uint8;
        default 1;
        mandatory false;
        when "../quantum-encryption-enable = 'true'";
        description "Quantum encryption mode
                     (1=default, 2=enhanced)";
      }
      leaf quantum-encryption-status {
        type enumeration {
          enum idle {
            description "Quantum encryption not active";
          }
          enum active {
            description "Quantum encryption in use";
          }
          enum error {
            description "Quantum encryption error state";
          }
        }
        config false;
        description "Operational status of quantum
                     encryption (read-only)";
      }
      container service {
        container qos {
          container qos-profile {
            leaf slo-sle-profile {
              type leafref {
                path "/l3vpn-svc:l3vpn-svc"
                   + "/l3vpn-svc:vpn-profiles"
                   + "/l3vpn-svc-ext:slo-sle-profiles"
                   + "/l3vpn-svc-ext:slo-sle-profile/id";
              }
              mandatory false;
              when "../qos-profile-enabled = 'true'";
              description "Reference to SLO/SLE profile
                           for IP connection-level QoS binding";
            }
            leaf qos-profile-enabled {
              type boolean;
              default false;
              description "QoS profile enable flag";
            }
          }
        }
      }
    }
  }
}
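The module's `when` guards, leafref targets and `config false` leaves can be checked on a request before it is handed to the orchestrator. The Python check below is an added example, not code from the draft or its authors; `validate`, its helpers and the sample request are constructed here, and the element names are taken from the module above.

```python
import xml.etree.ElementTree as ET

NS = {"b": "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc",
      "e": "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext"}

# Constructed request, not from the draft. Defects: a mode leaf whose enable flag
# is false, a client-supplied read-only status, an unguarded and dangling reference.
SAMPLE = """\
<l3vpn-svc xmlns="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc"
           xmlns:x="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext">
  <vpn-profiles>
    <x:maximum-bandwidth-adjustment-profiles>
      <x:maximum-bandwidth-adjustment-profile>
        <x:id>bw-1000m</x:id>
      </x:maximum-bandwidth-adjustment-profile>
    </x:maximum-bandwidth-adjustment-profiles>
    <x:slo-sle-profiles>
      <x:slo-sle-profile><x:id>slo-gold</x:id></x:slo-sle-profile>
    </x:slo-sle-profiles>
  </vpn-profiles>
  <sites>
    <site>
      <site-id>site-a</site-id>
      <x:security-encryption>
        <x:quantum-encryption-enable>false</x:quantum-encryption-enable>
        <x:quantum-encryption-mode>2</x:quantum-encryption-mode>
        <x:quantum-encryption-status>active</x:quantum-encryption-status>
      </x:security-encryption>
      <site-network-accesses>
        <site-network-access>
          <access-id>to-b</access-id>
          <x:service>
            <x:maximum-bandwidth-adjustment-profile-ref>
              bw-9999m
            </x:maximum-bandwidth-adjustment-profile-ref>
          </x:service>
        </site-network-access>
      </site-network-accesses>
    </site>
  </sites>
</l3vpn-svc>
"""

def _leaf(node, name):
    """Stripped text of the extension-namespace child leaf `name`, else None."""
    child = node.find(f"e:{name}", NS) if node is not None else None
    return child.text.strip() if child is not None and child.text else None

def _guarded(node, flag, leaves, where, out):
    """Mirror `when "../<flag> = 'true'"`; an absent flag takes its default, false."""
    for name in leaves:
        if _leaf(node, name) is not None and _leaf(node, flag) != "true":
            out.append(f"{where}: {name} set but {flag} is not true")

def _ref(node, name, known, where, out):
    """Mirror leafref resolution: the referenced profile id must exist."""
    value = _leaf(node, name)
    if value is not None and value not in known:
        out.append(f"{where}: {name} '{value}' matches no profile")

def validate(xml_text):
    """Return a list of findings for one ietf-l3vpn-svc-ext request document."""
    root, out = ET.fromstring(xml_text), []
    ids = "b:vpn-profiles/e:{0}s/e:{0}/e:id"
    bw, slo = ({(i.text or "").strip() for i in root.findall(ids.format(k), NS)}
               for k in ("maximum-bandwidth-adjustment-profile", "slo-sle-profile"))
    for prof in root.findall("b:vpn-profiles/e:slo-sle-profiles/e:slo-sle-profile", NS):
        _ref(prof, "profile-ref", bw, f"profile {_leaf(prof, 'id')}", out)
    for site in root.findall("b:sites/b:site", NS):
        sid = "site " + (site.findtext("b:site-id", "?", NS) or "?").strip()
        _guarded(site, "temporary-connection-indicator", ["effective-time-window"], sid, out)
        for qp in site.findall(".//e:qos-profile", NS):
            _guarded(qp, "qos-profile-enabled", ["slo-sle-profile"], sid, out)
            _ref(qp, "slo-sle-profile", slo, sid, out)
        scopes = [(site.find("e:security-encryption", NS), sid)]
        for acc in site.findall("b:site-network-accesses/b:site-network-access", NS):
            # RFC 8299 keys this list on site-network-access-id; the draft's example uses access-id.
            label = (acc.findtext("b:site-network-access-id", None, NS)
                     or acc.findtext("b:access-id", "?", NS))
            where = f"{sid} access {label.strip()}"
            svc = acc.find("e:service", NS)
            _guarded(svc, "dynamic-bandwidth-indicator", ["effective-time-window",
                     "maximum-bandwidth-adjustment-profile-ref"], where, out)
            _ref(svc, "maximum-bandwidth-adjustment-profile-ref", bw, where, out)
            for _ in acc.findall("e:service/e:performance-monitoring/e:operational-state", NS):
                out.append(f"{where}: operational-state is read-only (config false)")
            scopes.append((acc.find("e:ip-connection-security", NS), where))
        for sec, where in scopes:
            _guarded(sec, "quantum-encryption-enable", ["quantum-encryption-mode"], where, out)
            if _leaf(sec, "quantum-encryption-status") is not None:
                out.append(f"{where}: quantum-encryption-status is read-only (config false)")
    return out

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print(finding)
```

A request that trips any of these checks would also be rejected by a YANG-validating datastore; running them earlier gives the operator a readable reason and keeps a client from asserting encryption status it does not control.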
8. Service Model Usage Example
This section provides a comprehensive end-to-end configuration
example for the ietf-l3vpn-svc-ext extensions. The example
illustrates a typical dynamic L3VPN deployment:
* Site A acts as the hub node. Dynamic bandwidth adjustment and
quantum-resistant encryption are deployed between Site A and Site
B.
* SLO/SLE-profile-based QoS enhancement and in-situ flow detection
are applied for the service between Site A and Site C.
        +---------+
        |         |                              +------------+
        |         | dynamic bandwidth adjustment |   Site B   |
        |         +------------------------------+    Spoke   |
        |  Site A |      quantum-encryption      +------------+
        |         |
        |   Hub   |
        |         |                              +------------+
        |         |       SLO/SLE profile        |   Site C   |
        |         +------------------------------+    Spoke   |
        +---------+    performance monitoring    +------------+
Figure 3: Typical Extended L3SM Deployment
The following XML snippet describes the overall simplified service
configuration of this VPN.
<l3vpn-svc:l3vpn-svc
xmlns:l3vpn-svc="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc"
xmlns:l3vpn-svc-ext=
"urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext">
<l3vpn-svc:vpn-profiles>
Fu, et al. Expires 30 October 2026 [Page 21]
Internet-Draft Extensions to L3SM April 2026
<l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles>
<l3vpn-svc-ext:maximum-bandwidth-adjustment-profile>
<l3vpn-svc-ext:id>bw-1000m</l3vpn-svc-ext:id>
</l3vpn-svc-ext:maximum-bandwidth-adjustment-profile>
</l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles>
<l3vpn-svc-ext:slo-sle-profiles>
<l3vpn-svc-ext:slo-sle-profile>
<l3vpn-svc-ext:id>slo-gold</l3vpn-svc-ext:id>
<l3vpn-svc-ext:profile-ref>
bw-1000m
</l3vpn-svc-ext:profile-ref>
<l3vpn-svc-ext:slo-policy>
<l3vpn-svc-ext:metric-bound>
<l3vpn-svc-ext:metric-type>
bandwidth
</l3vpn-svc-ext:metric-type>
<l3vpn-svc-ext:metric-unit>
Mbps
</l3vpn-svc-ext:metric-unit>
<l3vpn-svc-ext:bound>1000</l3vpn-svc-ext:bound>
</l3vpn-svc-ext:metric-bound>
<l3vpn-svc-ext:metric-bound>
<l3vpn-svc-ext:metric-type>
latency
</l3vpn-svc-ext:metric-type>
<l3vpn-svc-ext:metric-unit>ms</l3vpn-svc-ext:metric-unit>
<l3vpn-svc-ext:bound>50</l3vpn-svc-ext:bound>
</l3vpn-svc-ext:metric-bound>
<l3vpn-svc-ext:mtu>9214</l3vpn-svc-ext:mtu>
</l3vpn-svc-ext:slo-policy>
</l3vpn-svc-ext:slo-sle-profile>
</l3vpn-svc-ext:slo-sle-profiles>
</l3vpn-svc:vpn-profiles>
<l3vpn-svc:sites>
<l3vpn-svc:site>
<l3vpn-svc:site-id>site-a</l3vpn-svc:site-id>
<l3vpn-svc:site-role>hub</l3vpn-svc:site-role>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:qos>
<l3vpn-svc-ext:qos-profile>
<l3vpn-svc-ext:qos-profile-enabled>
true
</l3vpn-svc-ext:qos-profile-enabled>
<l3vpn-svc-ext:slo-sle-profile>
slo-gold
</l3vpn-svc-ext:slo-sle-profile>
Fu, et al. Expires 30 October 2026 [Page 22]
Internet-Draft Extensions to L3SM April 2026
</l3vpn-svc-ext:qos-profile>
</l3vpn-svc-ext:qos>
</l3vpn-svc-ext:service>
<l3vpn-svc-ext:security-encryption>
<l3vpn-svc-ext:quantum-encryption-enable>
true
</l3vpn-svc-ext:quantum-encryption-enable>
<l3vpn-svc-ext:quantum-encryption-mode>
1
</l3vpn-svc-ext:quantum-encryption-mode>
</l3vpn-svc-ext:security-encryption>
<l3vpn-svc:site-network-accesses>
<l3vpn-svc:site-network-access>
<l3vpn-svc:access-id>to-b</l3vpn-svc:access-id>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:dynamic-bandwidth-indicator>
true
</l3vpn-svc-ext:dynamic-bandwidth-indicator>
<l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
bw-1000m
</l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
</l3vpn-svc-ext:service>
<l3vpn-svc-ext:ip-connection-security>
<l3vpn-svc-ext:quantum-encryption-enable>
true
</l3vpn-svc-ext:quantum-encryption-enable>
<l3vpn-svc-ext:quantum-encryption-mode>
1
</l3vpn-svc-ext:quantum-encryption-mode>
</l3vpn-svc-ext:ip-connection-security>
</l3vpn-svc:site-network-access>
<l3vpn-svc:site-network-access>
<l3vpn-svc:access-id>to-c</l3vpn-svc:access-id>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:dynamic-bandwidth-indicator>
true
</l3vpn-svc-ext:dynamic-bandwidth-indicator>
<l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
bw-1000m
</l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
</l3vpn-svc-ext:service>
<l3vpn-svc-ext:ip-connection-security>
<l3vpn-svc-ext:quantum-encryption-enable>
true
</l3vpn-svc-ext:quantum-encryption-enable>
<l3vpn-svc-ext:quantum-encryption-mode>
1
</l3vpn-svc-ext:quantum-encryption-mode>
</l3vpn-svc-ext:ip-connection-security>
</l3vpn-svc:site-network-access>
</l3vpn-svc:site-network-accesses>
</l3vpn-svc:site>
<l3vpn-svc:site>
<l3vpn-svc:site-id>site-b</l3vpn-svc:site-id>
<l3vpn-svc:site-role>spoke</l3vpn-svc:site-role>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:qos>
<l3vpn-svc-ext:qos-profile>
<l3vpn-svc-ext:qos-profile-enabled>
true
</l3vpn-svc-ext:qos-profile-enabled>
<l3vpn-svc-ext:slo-sle-profile>
slo-gold
</l3vpn-svc-ext:slo-sle-profile>
</l3vpn-svc-ext:qos-profile>
</l3vpn-svc-ext:qos>
</l3vpn-svc-ext:service>
<l3vpn-svc:site-network-accesses>
<l3vpn-svc:site-network-access>
<l3vpn-svc:access-id>to-a</l3vpn-svc:access-id>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:performance-monitoring>
<l3vpn-svc-ext:monitoring-enabled>
true
</l3vpn-svc-ext:monitoring-enabled>
<l3vpn-svc-ext:monitoring-mode>
end-to-end
</l3vpn-svc-ext:monitoring-mode>
</l3vpn-svc-ext:performance-monitoring>
</l3vpn-svc-ext:service>
</l3vpn-svc:site-network-access>
</l3vpn-svc:site-network-accesses>
</l3vpn-svc:site>
<l3vpn-svc:site>
<l3vpn-svc:site-id>site-c</l3vpn-svc:site-id>
<l3vpn-svc:site-role>spoke</l3vpn-svc:site-role>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:qos>
<l3vpn-svc-ext:qos-profile>
<l3vpn-svc-ext:qos-profile-enabled>
true
</l3vpn-svc-ext:qos-profile-enabled>
<l3vpn-svc-ext:slo-sle-profile>
slo-gold
</l3vpn-svc-ext:slo-sle-profile>
</l3vpn-svc-ext:qos-profile>
</l3vpn-svc-ext:qos>
</l3vpn-svc-ext:service>
<l3vpn-svc:site-network-accesses>
<l3vpn-svc:site-network-access>
<l3vpn-svc:access-id>to-a</l3vpn-svc:access-id>
<l3vpn-svc-ext:service>
<l3vpn-svc-ext:performance-monitoring>
<l3vpn-svc-ext:monitoring-enabled>
true
</l3vpn-svc-ext:monitoring-enabled>
<l3vpn-svc-ext:monitoring-mode>
end-to-end
</l3vpn-svc-ext:monitoring-mode>
</l3vpn-svc-ext:performance-monitoring>
</l3vpn-svc-ext:service>
</l3vpn-svc:site-network-access>
</l3vpn-svc:site-network-accesses>
</l3vpn-svc:site>
</l3vpn-svc:sites>
</l3vpn-svc:l3vpn-svc>
9. IANA Considerations
This document requests IANA to register the following URI in the
"IETF XML Registry":
URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext
Registrant Contact: The IESG
XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in
the "YANG Module Names" registry:
Name: ietf-l3vpn-svc-ext
Namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext
Prefix: l3vpn-svc-ext
Reference: RFC XXXX
10. Security Considerations
The extensions defined in this document inherit the security
considerations of RFC 8299.
Additional considerations:
* Dynamic provisioning mechanisms (e.g., RADIUS CoA) MUST be secured
using mutual authentication and integrity protection.
* Quantum encryption parameters are sensitive; access to these
configuration nodes SHOULD be restricted to authorized
administrators.
* Communication between customers and service orchestrators SHOULD
use TLS 1.3 or equivalent encryption.
* Dynamic networking capabilities require appropriate security
mechanisms to prevent customers from establishing L3VPNs with
untrusted peers. The specific implementation details of the
mutual trust mechanisms are out of scope.
* The extent of dynamic operations should be limited to the session
level rather than the device level, so as to reduce the risk of
failures caused by frequent configurations or signaling. The
specific implementation details are out of scope.
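
One way to enforce the restriction on the quantum encryption nodes, shown as an added example that is not part of this draft: a NACM (RFC 8341) rule set, assuming the orchestrator exposes the model over NETCONF or RESTCONF with NACM enabled. The group, user and rule names are hypothetical; the node paths follow the instance example in this document.

```xml
<!-- Added example. Group, user and rule names are hypothetical. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
      xmlns:l3vpn-svc="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc"
      xmlns:l3vpn-svc-ext="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext">
  <enable-nacm>true</enable-nacm>
  <groups>
    <group>
      <name>l3vpn-crypto-admin</name>
      <user-name>alice</user-name>
    </group>
  </groups>
  <!-- Rule-lists are evaluated in order and the first matching rule wins,
       so the permit for administrators must precede the catch-all deny. -->
  <rule-list>
    <name>crypto-admins</name>
    <group>l3vpn-crypto-admin</group>
    <rule>
      <name>permit-site-encryption</name>
      <path>/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site/l3vpn-svc-ext:security-encryption</path>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>permit-access-encryption</name>
      <path>/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site/l3vpn-svc:site-network-accesses/l3vpn-svc:site-network-access/l3vpn-svc-ext:ip-connection-security</path>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <!-- Everyone else: no read or write access to either subtree.
       List keys are omitted from the paths, so every site and access matches. -->
  <rule-list>
    <name>everyone-else</name>
    <group>*</group>
    <rule>
      <name>deny-site-encryption</name>
      <path>/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site/l3vpn-svc-ext:security-encryption</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-access-encryption</name>
      <path>/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site/l3vpn-svc:site-network-accesses/l3vpn-svc:site-network-access/l3vpn-svc-ext:ip-connection-security</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```
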
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, DOI 10.17487/RFC2119, March
1997, <https://www.rfc-editor.org/rfc/rfc2119.txt>.
[RFC4026] Rosen, E., Ed. and Y. Rekhter, Ed., "BGP/MPLS VPN
Terminology", RFC 4026, June 2005,
<https://www.rfc-editor.org/rfc/rfc4026>.
[RFC4364] Rosen, E., Ed. and Y. Rekhter, Ed., "BGP/MPLS IP Virtual
Private Networks (VPNs)", RFC 4364, February 2006,
<https://www.rfc-editor.org/rfc/rfc4364>.
[RFC5176] Zorn, G., Ed. and B. Aboba, Ed., "Dynamic Authorization
Extensions to RADIUS", RFC 5176, January 2008,
<https://www.rfc-editor.org/rfc/rfc5176>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/rfc/rfc8174.txt>.
[RFC8299] Bjorklund, M., Ed., Medved, J., Ed., and S. Vissicchio,
Ed., "A YANG Data Model for Layer 3 VPN Services (L3SM)",
RFC 8299, November 2017,
<https://www.rfc-editor.org/rfc/rfc8299>.
[RFC9833] Boucadair, M., Ed., "A Common YANG Data Model for
Attachment Circuits", RFC 9833, September 2025,
<https://www.rfc-editor.org/rfc/rfc9833>.
11.2. Informative References
[RFC8986] Filsfils, C., Ed., Previdi, S., Ed., Dukes, D., Ed.,
Matsushima, S., Ed., and Z. Li, Ed., "Segment Routing over
IPv6 (SRv6) Network Programming", RFC 8986, March 2021,
<https://www.rfc-editor.org/rfc/rfc8986>.
[RFC9252] Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene,
B., Zhuang, S., and J. Rabadan, "BGP Overlay Services
Based on Segment Routing over IPv6 (SRv6)", RFC 9252, July
2022, <https://www.rfc-editor.org/rfc/rfc9252>.
Appendix A. Dynamic-L3VPN service provisioning and lifecycle procedure
The VPN instances on the PE devices may be pre-configured as defined
in [RFC4364], with the VPN instance bound to an AC only when
establishing end-to-end VPN connectivity. Alternatively, the VPN
instance may also be dynamically configured via configuration
commands based on customer requirements.
The dynamic-L3VPN service provisioning and lifecycle procedure is as
follows, taking customer A ordering a dynamic-L3VPN service as an
example.
+------------+ +---------+ +----+ +----+ +----------+
| Customer-A | | Ordering| | CE | | PE | | Network |
| | | System | | | | | |Controller|
+------------+ +---------+ +----+ +----+ +----+-----+
| | | | |
| 1. Register | | | |
+------------->| | | |
| | | | |
| 2. Submit VPN Service Info | | |
| (Peer, BW, Start, End) | | |
+------------->| | | |
| | | | |
| | 3. Configure CE | |
| +------------->| | |
| | | | |
| | | 4. Connect to PE |
| | +---------->| |
| | | | |
| | | 5. Bind AC to VPN
| | | |<-------------+
| | | | |
| 6. Submit Dynamic BW Request| | |
+------------->| | | |
| | | | |
| | 7. Update Bandwidth (PE) | |
| +------------------------->| |
| | | | |
| 8. Request Add User to VPN | | |
+------------->| | | |
| | | | |
| | 9. Config New CE & PE | |
| +------------------------->| |
| | | | |
| 10. Request Remove User | | |
+------------->| | | |
| | | | |
| | 11. Config: Remove AC | |
| +------------->| | |
| | | | |
| | 12. Config:Remove AC from PE |
| +------------------------->| |
| | | | |
Figure 4: Dynamic-L3VPN Service Orchestration Procedure
The procedure consists of 12 key steps covering the full lifecycle of
dynamic-L3VPN: registration, initial service provisioning, dynamic
bandwidth adjustment, peer addition/removal, and resource cleanup.
The Network Controller coordinates configuration across CEs and PEs
to ensure end-to-end service delivery, while the Ordering System acts
as the interface between customers and the network infrastructure.
SRv6 (defined in [RFC8986] and [RFC9252]) may be used for path
optimization in dynamic-L3VPN.
1. Customer A registers in the service ordering system.
2. Customer A enters VPN service parameters into the ordering
system, such as peer VPN customers, bandwidth requirement,
start time, and end time.
3. The Network Controller provisions configuration to the CE
devices of the involved customers.
4. Each CE device establishes a connection to its attached PE
device.
5. The Network Controller sends configuration or signaling to the
PE devices to bind the customer's AC to the VPN instance.
6. Customer A submits an elastic bandwidth adjustment request via
the ordering system.
7. The Network Controller delivers configuration or signaling to
the PE devices to modify the bandwidth of the VPN service.
8. Customer A submits a request via the ordering system to add one
or more new customers to the VPN.
9. The Network Controller provisions the new customers' CE devices
and sends configuration or signaling to the corresponding PE
devices.
10. Customer A submits a request via the ordering system to remove
one or more existing customers from the VPN.
11. The Network Controller updates the configuration of the removed
customers' CE devices.
12. The Network Controller sends configuration or signaling to the
corresponding PE devices to delete the associated AC from the
VPN.
Acknowledgments
The authors wish to thank Mingjiang Fu, Zhuojun Huang, Zhenlin Tan,
and Wenkuan Qu of China Telecom for their contributions to the dynamic
L3VPN operational requirements.
Authors' Addresses
Fengchao Fu
China Telecom
Email: fufengc@chinatelecom.cn
Cancan Huang
China Telecom
Email: huangcanc@chinatelecom.cn
Bo Wu
Huawei
Email: lana.wubo@huawei.com
Chongfeng Xie
China Telecom
Email: xiechf@chinatelecom.cn