RFC 8349
A YANG Data Model for Routing Management (NMDA Version)
9. IPv6 Unicast Routing Management YANG Module
<CODE BEGINS> file "ietf-ipv6-unicast-routing@2018-03-13.yang" module ietf-ipv6-unicast-routing { yang-version "1.1"; namespace "urn:ietf:params:xml:ns:yang:ietf-ipv6-unicast-routing"; prefix "v6ur"; import ietf-routing { prefix "rt"; description "An 'ietf-routing' module version that is compatible with the Network Management Datastore Architecture (NMDA) is required."; } import ietf-inet-types { prefix "inet"; description "An 'ietf-interfaces' module version that is compatible with the Network Management Datastore Architecture (NMDA) is required."; } include ietf-ipv6-router-advertisements { revision-date 2018-03-13; }
organization
"IETF NETMOD (Network Modeling) Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/netmod/>
WG List: <mailto:rtgwg@ietf.org>
Editor: Ladislav Lhotka
<mailto:lhotka@nic.cz>
Acee Lindem
<mailto:acee@cisco.com>
Yingzhen Qu
<mailto:yingzhen.qu@huawei.com>";
description
"This YANG module augments the 'ietf-routing' module with basic
parameters for IPv6 unicast routing. The model fully conforms
to the Network Management Datastore Architecture (NMDA).
Copyright (c) 2018 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8349; see
the RFC itself for full legal notices.";
revision 2018-03-13 {
description
"Network Management Datastore Architecture (NMDA) revision.";
reference
"RFC 8349: A YANG Data Model for Routing Management
(NMDA Version)";
}
/* Identities */
revision 2016-11-04 {
description
"Initial revision.";
reference
"RFC 8022: A YANG Data Model for Routing Management";
}
identity ipv6-unicast {
base rt:ipv6;
description
"This identity represents the IPv6 unicast address family.";
}
augment "/rt:routing/rt:ribs/rt:rib/rt:routes/rt:route" {
when "derived-from-or-self(../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"This leaf augments an IPv6 unicast route.";
leaf destination-prefix {
type inet:ipv6-prefix;
description
"IPv6 destination prefix.";
}
}
augment "/rt:routing/rt:ribs/rt:rib/rt:routes/rt:route/"
+ "rt:next-hop/rt:next-hop-options/rt:simple-next-hop" {
when "derived-from-or-self(../../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"Augments the 'simple-next-hop' case in IPv6 unicast routes.";
leaf next-hop-address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
augment "/rt:routing/rt:ribs/rt:rib/rt:routes/rt:route/"
+ "rt:next-hop/rt:next-hop-options/rt:next-hop-list/"
+ "rt:next-hop-list/rt:next-hop" {
when "derived-from-or-self(../../../../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"This leaf augments the 'next-hop-list' case of IPv6 unicast
routes.";
leaf address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
augment
"/rt:routing/rt:ribs/rt:rib/rt:active-route/rt:input" {
when "derived-from-or-self(../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast RIBs.";
}
description
"This augment adds the input parameter of the 'active-route'
action.";
leaf destination-address {
type inet:ipv6-address;
description
"IPv6 destination address.";
}
}
augment "/rt:routing/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route" {
when "derived-from-or-self(../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"This augment adds the destination prefix to the reply of the
'active-route' action.";
leaf destination-prefix {
type inet:ipv6-prefix;
description
"IPv6 destination prefix.";
}
}
augment "/rt:routing/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route/rt:next-hop/rt:next-hop-options/"
+ "rt:simple-next-hop" {
when "derived-from-or-self(../../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"Augments the 'simple-next-hop' case in the reply to the
'active-route' action.";
leaf next-hop-address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
augment "/rt:routing/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route/rt:next-hop/rt:next-hop-options/"
+ "rt:next-hop-list/rt:next-hop-list/rt:next-hop" {
when "derived-from-or-self(../../../../../rt:address-family, "
+ "'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
description
"Augments the 'next-hop-list' case in the reply to the
'active-route' action.";
leaf next-hop-address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
/* Data node augmentations */
augment "/rt:routing/rt:control-plane-protocols/"
+ "rt:control-plane-protocol/rt:static-routes" {
description
"This augment defines the 'static' pseudo-protocol
with data specific to IPv6 unicast.";
container ipv6 {
description
"Support for a 'static' pseudo-protocol instance
consists of a list of routes.";
list route {
key "destination-prefix";
description
"A list of static routes.";
leaf destination-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"IPv6 destination prefix.";
}
leaf description {
type string;
description
"Textual description of the route.";
}
container next-hop {
description
"Next hop for the route.";
uses rt:next-hop-content {
augment "next-hop-options/simple-next-hop" {
description
"Augments the 'simple-next-hop' case in IPv6 static
routes.";
leaf next-hop-address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
augment "next-hop-options/next-hop-list/next-hop-list/"
+ "next-hop" {
description
"Augments the 'next-hop-list' case in IPv6 static
routes.";
leaf next-hop-address {
type inet:ipv6-address;
description
"IPv6 address of the next hop.";
}
}
}
}
}
}
}
/*
* The subsequent data nodes are obviated and obsoleted
* by the Network Management Datastore Architecture
* as described in RFC 8342.
*/
augment "/rt:routing-state/rt:ribs/rt:rib/rt:routes/rt:route" {
when "derived-from-or-self(../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"This leaf augments an IPv6 unicast route.";
leaf destination-prefix {
type inet:ipv6-prefix;
status obsolete;
description
"IPv6 destination prefix.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/rt:routes/rt:route/"
+ "rt:next-hop/rt:next-hop-options/rt:simple-next-hop" {
when "derived-from-or-self(../../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"Augments the 'simple-next-hop' case in IPv6 unicast routes.";
leaf next-hop-address {
type inet:ipv6-address;
status obsolete;
description
"IPv6 address of the next hop.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/rt:routes/rt:route/"
+ "rt:next-hop/rt:next-hop-options/rt:next-hop-list/"
+ "rt:next-hop-list/rt:next-hop" {
when "derived-from-or-self(../../../../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"This leaf augments the 'next-hop-list' case of IPv6 unicast
routes.";
leaf address {
type inet:ipv6-address;
status obsolete;
description
"IPv6 address of the next hop.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/"
+ "rt:active-route/rt:input" {
when "derived-from-or-self(../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast RIBs.";
}
status obsolete;
description
"This augment adds the input parameter of the 'active-route'
action.";
leaf destination-address {
type inet:ipv6-address;
status obsolete;
description
"IPv6 destination address.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route" {
when "derived-from-or-self(../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"This augment adds the destination prefix to the reply of the
'active-route' action.";
leaf destination-prefix {
type inet:ipv6-prefix;
status obsolete;
description
"IPv6 destination prefix.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route/rt:next-hop/rt:next-hop-options/"
+ "rt:simple-next-hop" {
when "derived-from-or-self(../../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"Augments the 'simple-next-hop' case in the reply to the
'active-route' action.";
leaf next-hop-address {
type inet:ipv6-address;
status obsolete;
description
"IPv6 address of the next hop.";
}
}
augment "/rt:routing-state/rt:ribs/rt:rib/rt:active-route/"
+ "rt:output/rt:route/rt:next-hop/rt:next-hop-options/"
+ "rt:next-hop-list/rt:next-hop-list/rt:next-hop" {
when "derived-from-or-self(../../../../../rt:address-family,
'v6ur:ipv6-unicast')" {
description
"This augment is valid only for IPv6 unicast.";
}
status obsolete;
description
"Augments the 'next-hop-list' case in the reply to the
'active-route' action.";
leaf next-hop-address {
type inet:ipv6-address;
status obsolete;
description
"IPv6 address of the next hop.";
}
}
}
<CODE ENDS>
9.1. IPv6 Router Advertisements Submodule
<CODE BEGINS> file "ietf-ipv6-router-advertisements@2018-03-13.yang"
submodule ietf-ipv6-router-advertisements {
yang-version "1.1";
belongs-to ietf-ipv6-unicast-routing {
prefix "v6ur";
}
import ietf-inet-types {
prefix "inet";
}
import ietf-interfaces {
prefix "if";
description
"An 'ietf-interfaces' module version that is compatible with
the Network Management Datastore Architecture (NMDA)
is required.";
}
import ietf-ip {
prefix "ip";
description
"An 'ietf-ip' module version that is compatible with
the Network Management Datastore Architecture (NMDA)
is required.";
}
organization
"IETF NETMOD (Network Modeling) Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/netmod/>
WG List: <mailto:rtgwg@ietf.org>
Editor: Ladislav Lhotka
<mailto:lhotka@nic.cz>
Acee Lindem
<mailto:acee@cisco.com>
Yingzhen Qu
<mailto:yingzhen.qu@huawei.com>";
description
"This YANG module augments the 'ietf-ip' module with
parameters for IPv6 Router Advertisements. The model fully
conforms to the Network Management Datastore
Architecture (NMDA).
Copyright (c) 2018 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8349; see
the RFC itself for full legal notices.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)";
revision 2018-03-13 {
description
"Network Management Datastore Architecture (NMDA) revision.";
reference
"RFC 8349: A YANG Data Model for Routing Management
(NMDA Version)";
}
revision 2016-11-04 {
description
"Initial revision.";
reference
"RFC 8022: A YANG Data Model for Routing Management";
}
augment "/if:interfaces/if:interface/ip:ipv6" {
description
"Augments interface configuration with parameters of IPv6
Router Advertisements.";
container ipv6-router-advertisements {
description
"Support for IPv6 Router Advertisements.";
leaf send-advertisements {
type boolean;
default "false";
description
"A flag indicating whether or not the router sends
periodic Router Advertisements and responds to
Router Solicitations.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvSendAdvertisements";
}
leaf max-rtr-adv-interval {
type uint16 {
range "4..65535";
}
units "seconds";
default "600";
description
"The maximum time allowed between sending unsolicited
multicast Router Advertisements from the interface.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- MaxRtrAdvInterval";
}
leaf min-rtr-adv-interval {
type uint16 {
range "3..1350";
}
units "seconds";
must ". <= 0.75 * ../max-rtr-adv-interval" {
description
"The value MUST NOT be greater than 75% of
'max-rtr-adv-interval'.";
}
description
"The minimum time allowed between sending unsolicited
multicast Router Advertisements from the interface.
The default value to be used operationally if this
leaf is not configured is determined as follows:
- if max-rtr-adv-interval >= 9 seconds, the default
value is 0.33 * max-rtr-adv-interval;
- otherwise, it is 0.75 * max-rtr-adv-interval.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- MinRtrAdvInterval";
}
leaf managed-flag {
type boolean;
default "false";
description
"The value to be placed in the 'Managed address
configuration' flag field in the Router
Advertisement.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvManagedFlag";
}
leaf other-config-flag {
type boolean;
default "false";
description
"The value to be placed in the 'Other configuration'
flag field in the Router Advertisement.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvOtherConfigFlag";
}
leaf link-mtu {
type uint32;
default "0";
description
"The value to be placed in MTU options sent by the
router. A value of zero indicates that no MTU options
are sent.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvLinkMTU";
}
leaf reachable-time {
type uint32 {
range "0..3600000";
}
units "milliseconds";
default "0";
description
"The value to be placed in the Reachable Time field in
the Router Advertisement messages sent by the router.
A value of zero means unspecified (by this router).";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvReachableTime";
}
leaf retrans-timer {
type uint32;
units "milliseconds";
default "0";
description
"The value to be placed in the Retrans Timer field in
the Router Advertisement messages sent by the router.
A value of zero means unspecified (by this router).";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvRetransTimer";
}
leaf cur-hop-limit {
type uint8;
description
"The value to be placed in the Cur Hop Limit field in
the Router Advertisement messages sent by the router.
A value of zero means unspecified (by this router).
If this parameter is not configured, the device SHOULD
use the IANA-specified value for the default IPv4
Time to Live (TTL) parameter that was in effect at the
time of implementation.";
reference
"RFC 3232: Assigned Numbers: RFC 1700 is Replaced by
an On-line Database
RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvCurHopLimit
IANA: IP Parameters
(https://www.iana.org/assignments/ip-parameters)";
}
leaf default-lifetime {
type uint16 {
range "0..65535";
}
units "seconds";
description
"The value to be placed in the Router Lifetime field of
Router Advertisements sent from the interface, in
seconds. It MUST be either zero or between
max-rtr-adv-interval and 9000 seconds. A value of zero
indicates that the router is not to be used as a
default router. These limits may be overridden by
specific documents that describe how IPv6 operates over
different link layers.
If this parameter is not configured, the device SHOULD
use a value of 3 * max-rtr-adv-interval.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvDefaultLifetime";
}
container prefix-list {
description
"Support for prefixes to be placed in Prefix
Information options in Router Advertisement messages
sent from the interface.
Prefixes that are advertised by default but do not
have their entries in the child 'prefix' list are
advertised with the default values of all parameters.
The link-local prefix SHOULD NOT be included in the
list of advertised prefixes.";
reference
"RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- AdvPrefixList";
list prefix {
key "prefix-spec";
description
"Support for an advertised prefix entry.";
leaf prefix-spec {
type inet:ipv6-prefix;
description
"IPv6 address prefix.";
}
choice control-adv-prefixes {
default "advertise";
description
"Either (1) the prefix is explicitly removed from the
set of advertised prefixes or (2) the parameters with
which the prefix is advertised are specified (default
case).";
leaf no-advertise {
type empty;
description
"The prefix will not be advertised.
This can be used for removing the prefix from
the default set of advertised prefixes.";
}
case advertise {
leaf valid-lifetime {
type uint32;
units "seconds";
default "2592000";
description
"The value to be placed in the Valid Lifetime
in the Prefix Information option. The
designated value of all 1's (0xffffffff)
represents infinity.";
reference
"RFC 4861: Neighbor Discovery for IP version 6
(IPv6) - AdvValidLifetime";
}
leaf on-link-flag {
type boolean;
default "true";
description
"The value to be placed in the on-link flag
('L-bit') field in the Prefix Information
option.";
reference
"RFC 4861: Neighbor Discovery for IP version 6
(IPv6) - AdvOnLinkFlag";
}
leaf preferred-lifetime {
type uint32;
units "seconds";
must ". <= ../valid-lifetime" {
description
"This value MUST NOT be greater than
valid-lifetime.";
}
default "604800";
description
"The value to be placed in the Preferred
Lifetime in the Prefix Information option.
The designated value of all 1's (0xffffffff)
represents infinity.";
reference
"RFC 4861: Neighbor Discovery for IP version 6
(IPv6) - AdvPreferredLifetime";
}
leaf autonomous-flag {
type boolean;
default "true";
description
"The value to be placed in the Autonomous Flag
field in the Prefix Information option.";
reference
"RFC 4861: Neighbor Discovery for IP version 6
(IPv6) - AdvAutonomousFlag";
}
}
}
}
}
}
}
/*
* The subsequent data nodes are obviated and obsoleted
* by the Network Management Datastore Architecture
* as described in RFC 8342.
*/
augment "/if:interfaces-state/if:interface/ip:ipv6" {
status obsolete;
description
"Augments interface state data with parameters of IPv6
Router Advertisements.";
container ipv6-router-advertisements {
status obsolete;
description
"Parameters of IPv6 Router Advertisements.";
leaf send-advertisements {
type boolean;
status obsolete;
description
"A flag indicating whether or not the router sends
periodic Router Advertisements and responds to
Router Solicitations.";
}
leaf max-rtr-adv-interval {
type uint16 {
range "4..1800";
}
units "seconds";
status obsolete;
description
"The maximum time allowed between sending unsolicited
multicast Router Advertisements from the interface.";
}
leaf min-rtr-adv-interval {
type uint16 {
range "3..1350";
}
units "seconds";
status obsolete;
description
"The minimum time allowed between sending unsolicited
multicast Router Advertisements from the interface.";
}
leaf managed-flag {
type boolean;
status obsolete;
description
"The value that is placed in the 'Managed address
configuration' flag field in the Router Advertisement.";
}
leaf other-config-flag {
type boolean;
status obsolete;
description
"The value that is placed in the 'Other configuration' flag
field in the Router Advertisement.";
}
leaf link-mtu {
type uint32;
status obsolete;
description
"The value that is placed in MTU options sent by the
router. A value of zero indicates that no MTU options
are sent.";
}
leaf reachable-time {
type uint32 {
range "0..3600000";
}
units "milliseconds";
status obsolete;
description
"The value that is placed in the Reachable Time field in
the Router Advertisement messages sent by the router. A
value of zero means unspecified (by this router).";
}
leaf retrans-timer {
type uint32;
units "milliseconds";
status obsolete;
description
"The value that is placed in the Retrans Timer field in the
Router Advertisement messages sent by the router. A value
of zero means unspecified (by this router).";
}
leaf cur-hop-limit {
type uint8;
status obsolete;
description
"The value that is placed in the Cur Hop Limit field in the
Router Advertisement messages sent by the router. A value
of zero means unspecified (by this router).";
}
leaf default-lifetime {
type uint16 {
range "0..9000";
}
units "seconds";
status obsolete;
description
"The value that is placed in the Router Lifetime field of
Router Advertisements sent from the interface, in seconds.
A value of zero indicates that the router is not to be
used as a default router.";
}
container prefix-list {
status obsolete;
description
"A list of prefixes that are placed in Prefix Information
options in Router Advertisement messages sent from the
interface.
By default, these are all prefixes that the router
advertises via routing protocols as being on-link for the
interface from which the advertisement is sent.";
list prefix {
key "prefix-spec";
status obsolete;
description
"Advertised prefix entry and its parameters.";
leaf prefix-spec {
type inet:ipv6-prefix;
status obsolete;
description
"IPv6 address prefix.";
}
leaf valid-lifetime {
type uint32;
units "seconds";
status obsolete;
description
"The value that is placed in the Valid Lifetime in the
Prefix Information option. The designated value of
all 1's (0xffffffff) represents infinity.
An implementation SHOULD keep this value constant in
consecutive advertisements, except when it is
explicitly changed in configuration.";
}
leaf on-link-flag {
type boolean;
status obsolete;
description
"The value that is placed in the on-link flag ('L-bit')
field in the Prefix Information option.";
}
leaf preferred-lifetime {
type uint32;
units "seconds";
status obsolete;
description
"The value that is placed in the Preferred Lifetime in
the Prefix Information option, in seconds. The
designated value of all 1's (0xffffffff) represents
infinity.
An implementation SHOULD keep this value constant in
consecutive advertisements, except when it is
explicitly changed in configuration.";
}
leaf autonomous-flag {
type boolean;
status obsolete;
description
"The value that is placed in the Autonomous Flag field
in the Prefix Information option.";
}
}
}
}
}
}
<CODE ENDS>
10. IANA Considerations
[RFC8022] registered the following namespace URIs in the "IETF XML
Registry" [RFC3688]. IANA has updated the references to refer to
this document.
URI: urn:ietf:params:xml:ns:yang:ietf-routing
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-ipv4-unicast-routing
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-ipv6-unicast-routing
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
[RFC8022] registered the following YANG modules in the "YANG Module
Names" registry [RFC6020]. IANA has updated (1) the modules per this
document and (2) the references to refer to this document.
Name: ietf-routing
Namespace: urn:ietf:params:xml:ns:yang:ietf-routing
Prefix: rt
Reference: RFC 8349
Name: ietf-ipv4-unicast-routing
Namespace: urn:ietf:params:xml:ns:yang:ietf-ipv4-unicast-routing
Prefix: v4ur
Reference: RFC 8349
Name: ietf-ipv6-unicast-routing
Namespace: urn:ietf:params:xml:ns:yang:ietf-ipv6-unicast-routing
Prefix: v6ur
Reference: RFC 8349
This document registers the following YANG submodule in the "YANG Module Names" registry [RFC6020]: Name: ietf-ipv6-router-advertisements Module: ietf-ipv6-unicast-routing Reference: RFC 834911. Security Considerations
The YANG modules specified in this document define a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246]. The NETCONF access control model [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in these YANG modules that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: /routing/control-plane-protocols/control-plane-protocol: This list specifies the control-plane protocols configured on a device. /routing/ribs/rib: This list specifies the RIBs configured for the device. Some of the readable data nodes in these YANG modules may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: /routing/control-plane-protocols/control-plane-protocol: This list specifies the control-plane protocols configured on a device. Refer to the control-plane models for a list of sensitive information.
/routing/ribs/rib: This list specifies the RIBs and their contents
for the device. Access to this information may disclose the
network topology and/or other information.
Some of the RPC operations in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control access to these operations. These are the
operations and their sensitivity/vulnerability:
/routing/ribs/rib/active-route: The output from this RPC operation
returns the route that is being used for a specified destination.
Access to this information may disclose the network topology or
relationship (e.g., client/provider). Additionally, the routes
used by a network device may be used to mount a subsequent attack
on traffic traversing the network device.
(page 58 continued on part 4)
