China Telecom

fufengc@chinatelecom.cn

China Telecom

huangcanc@chinatelecom.cn

Huawei

lana.wubo@huawei.com

China Telecom

xiechf@chinatelecom.cn

ONSEN Working Group RFC8299 defines a YANG data model for L3VPN service delivery. This document defines a set of extensions that address the limitations of the L3VPN Service Model (L3SM) as initially defined in RFC 8299, which assumes static connectivity and fixed bandwidth allocations. Based on field deployment feedback, the extensions enable dynamic L3VPN capabilities including dynamic network provisioning and bandwidth adjustment. This document further supplements technical deficiencies by providing (1) integration of Slice Service Templates for SRv6 VPN scenarios, (2) performance monitoring to enrich operational state data and service quality visibility, (3)quantum-safe encryption. This is the second submission of this document to the IETF, submitted on February 11, 2026. No pre-RFC5378 disclaimer is required as this submission is post-RFC5378.

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 30 October 2026.

Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

RFC 8299 defines the Layer 3 VPN Service Model (L3SM), which provides a customer-facing abstraction for Layer 3 VPN services. L3SM assumes relatively static service characteristics: persistent connectivity between fixed sites with bandwidth parameters specified at service creation time. Operational experience with data-intensive workloads (e.g., large- scale data transfer, temporary compute clusters) has identified requirements not addressed by the base L3SM model: Dynamic network provisioning: The ability to establish and tear down connectivity on demand, rather than maintaining persistent connections. Conventional L3VPN services must perform frequent network reconfigurations to support such dynamic networking. Frequent reconfigurations for dynamic networking may introduce potential risks to network stability and are generally unacceptable for network operations. Dynamic bandwidth adjustment: The ability to modify bandwidth allocations within seconds or minutes, rather than through configuration changes that may take hours or days. These operational requirements create corresponding gaps in the service model. In addition, large-scale SRv6 and network slicing deployments reveal further technical deficiencies in the original L3SM: L3SM does not support temporary connectivity with explicit activation/deactivation time windows. L3SM does not provide parameters for elastic bandwidth ranges or adjustment time constraints. L3SM lacks integration with network slicing constructs (Slice Service Templates) needed for differentiated service tiers over SRv6 transport. L3SM lacks standardized operational state definitions and native support for performance monitoring (such as IFIT), limiting end-to-end service quality visibility and operational oversight. L3SM does not provide parameters for quantum-safe encryption. This document defines YANG augmentations to RFC 8299 to address these gaps. The extensions are designed to be backward compatible: implementations that do not require these capabilities can ignore the new parameters. The scope of this document is limited to service model extensions. Implementation details of underlying mechanisms (e.g., signaling protocols, encryption algorithms, security mechanisms ) are out of scope.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 in and when, and only when, they appear in all capitals, as shown here. This document uses the following terms: AC: Attachment Circuit, as defined in . CE: Customer Edge, as defined in . COA: Change of Authorization, as defined in . Dynamic-L3VPN: A Layer 3 VPN service supporting dynamic network provisioning and/or dynamic bandwidth adjustment. L3SM: Layer 3 VPN Service Model, as defined in . L3VPN: Layer 3 Virtual Private Network, as defined in . PE: Provider Edge, as defined in . Slice Service Template (SST): A reusable policy container defining Service Level Objectives (SLOs) and Service Level Expectations (SLEs) for network slices, as defined in [I-D.ietf-teas-ietf-network-slice-nbi-yang].

The L3VPN service model defined in provides a service-level abstraction for L3VPN services, decoupling service intent from device configuration. The extensions in this document follow the same service data model usage as the base L3VPN Service Model (L3SM). A typical scenario is also to use this model as input to an orchestration layer responsible for translating service intent into device configurations. An example of extended L3VPN service delivery is shown in Figure 1. The main gap is that these extensions introduce additional service-level attributes and policy constructs to support newer, more dynamic service delivery models. The usage of this service model is not limited to this example. The extended data model continues to be applicable for any component of management systems and northbound consumers, but not directly by network elements.

Extended L3VPN Service Delivery Example

The extensions are defined in the module ietf-l3vpn-svc-ext, which augments the base L3SM module (ietf-l3vpn-svc) at the following locations: /l3vpn-svc/vpn-profiles: Adds profiles for bandwidth adjustment ranges, and SLO/SLE templates. /l3vpn-svc/sites/site: Adds temporary connection indicators, and effective time windows. /l3vpn-svc/sites/site/site-network-accesses/site-network-access/ service: Adds dynamic bandwidth indicators and adjustment ranges. /l3vpn-svc/sites/site/security/encryption: Adds quantum encryption parameters. Figure 2 illustrates the module augmentation structure.

Augmentation Structure of ietf-l3vpn-svc-ext /l3vpn-svc:l3vpn-svc /vpn-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles /maximum-bandwidth-adjustment-profile/id +--rw slo-policy | +--rw metric-bound* [metric-type] | | +--rw metric-type identityref | | +--rw metric-unit? string | | +--rw value-description? string | | +--rw percentile-value? uint8 | | +--rw bound? uint64 | +--rw availability? identityref | +--rw mtu? uint32 +--rw sle-policy +--rw security* identityref +--rw isolation* identityref +--rw max-occupancy-level? uint8 +--rw path-constraints +--rw service-functions? string +--rw diversity +--rw diversity-type? identityref augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site: +--rw temporary-connection-indicator? boolean +--rw effective-time-window? yang:date-and-time +--rw service | +--rw qos | +--rw qos-profile | +--rw slo-sle-profile? -> /l3vpn-svc:l3vpn-svc /vpn-profiles /l3vpn-svc-ext:slo-sle-profiles /slo-sle-profile/id | +--rw qos-profile-enabled? boolean +--rw security-encryption +--rw quantum-encryption-enable? boolean +--rw quantum-encryption-mode? uint8 +--ro quantum-encryption-status? enumeration augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites" +"/l3vpn-svc:site/l3vpn-svc:site-network-accesses" +"/l3vpn-svc:site-network-access": +--rw service | +--rw dynamic-bandwidth-indicator? boolean | +--rw effective-time-window? yang:date-and-time | +--rw maximum-bandwidth-adjustment-profile-ref? -> /l3vpn-svc:l3vpn-svc /vpn-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles /maximum-bandwidth-adjustment-profile/id | +--rw performance-monitoring | +--rw monitoring-enabled? boolean | +--rw monitoring-mode? enumeration | +--ro operational-state | +--ro monitor-status? enumeration | +--ro average-delay? uint32 | +--ro packet-loss-rate? decimal64 | +--ro jitter? uint32 +--rw ip-connection-security +--rw quantum-encryption-enable? boolean +--rw quantum-encryption-mode? uint8 +--ro quantum-encryption-status? enumeration +--rw service +--rw qos +--rw qos-profile +--rw slo-sle-profile? -> /l3vpn-svc:l3vpn-svc/vpn-profiles /l3vpn-svc-ext:slo-sle-profiles /slo-sle-profile/id +--rw qos-profile-enabled? boolean ]]>

Requirement: Support on-demand establishment and release of VPN connectivity between specified endpoints, with activation times ranging from seconds (for pre-configured tunnels) to minutes (for configuration-driven setup). Gap in : L3SM assumes persistent connectivity; it provides no mechanism to specify temporary connections or activation time constraints. Extensions: temporary-connection-indicator: Boolean flag indicating whether a site connection is temporary (default false). effective-time-window: Time range parameter specifying when the connection must be active. When sub-minute activation is required, this indicates that pre-configured tunnels with dynamic authorization (e.g., RADIUS COA ) should be used.

Requirement: Support modification of bandwidth allocations within customer-specified time windows, ranging from seconds to hours. Gap in : L3SM specifies static bandwidth parameters (input-bandwidth, output-bandwidth) without support for elastic ranges or adjustment constraints. Extensions: dynamic-bandwidth-indicator: Boolean flag indicating whether bandwidth adjustment is supported (default false). maximum-bandwidth-adjustment-profile (bandwidth context): Maximum range allowed for a bandwidth modification effective-time-window (bandwidth context): Maximum allowed duration to complete a bandwidth modification

Requirement: Enable binding of L3VPN services to predefined service tiers with specific performance guarantees (latency, bandwidth, isolation), decoupling service catalog definition from resource allocation. Gap in : L3SM provides basic QoS profiles but lacks integration with network slicing constructs and parameterized SLO/SLE specifications. Extensions: slo-sle-profile: Reference to a Slice Service Template defining quantitative SLOs (metric bounds, availability) and qualitative SLEs (security, isolation, path constraints). The SLO/SLE profile structure aligns with [I-D.ietf-teas-ietf-network-slice-nbi-yang], enabling consistent policy application across VPN and slice services.

Requirement: Provide end-to-end service quality visibility. Gap in :The base L3SM lacks native monitoring configuration options and service-level performance metrics. Extensions: monitoring-enabled: Boolean flag to enable performance monitoring for the L3VPN service (default false). performance-state (read-only): A set of operational state and service-level performance metrics, including delay, packet loss and jitter, to enrich operational state data and enhance end-to-end quality visibility.

Requirement: Support quantum-safe encryption for high-security data transmission scenarios. Gap in : L3SM defines basic encryption enablement but lacks parameters for quantum key distribution (QKD) and post-quantum cryptography (PQC) integration. Extensions: quantum-encryption-enable: Boolean flag for quantum-enhanced security activation. quantum-encryption-mode: Failover behavior when quantum key acquisition fails (fallback to conventional crypto or terminate). quantum-encryption-status: Operational state monitoring (read-only).

This modules augments the L3SM. module ietf-l3vpn-svc-ext { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext"; prefix l3vpn-svc-ext; import ietf-l3vpn-svc { prefix l3vpn-svc; revision-date 2018-01-19; } import ietf-yang-types { prefix yang; revision-date 2013-07-15; } organization "IETF ONSEN Working Group"; contact "Editor: Fengchao Fu <fufengc@chinatelecom.cn> Cancan Huang <huangcanc@chinatelecom.cn> Bo Wu <lana.wubo@huawei.com> Chongfeng Xie <xiechf@chinatelecom.cn>"; description "This module defines extensions to the L3VPN service model for supporting dynamic bandwidth adjustment, SLO/SLE profile binding, quantum-safe encryption, performance monitoring, and QoS enhancement. Copyright (c) 2026 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of I-D:draft-fu-onsen-update-L3SM-service-models-00; see the I-D itself for full legal notices."; revision 2026-04-26 { description "Added performance monitoring for service quality visibility. "; reference "I-D: draft-fu-onsen-L3SM-extensions-01"; } revision 2026-02-10 { description "Initial revision with dynamic networking and bandwidth adjustment, SLO/SLE, and quantum encryption extensions. Compatible with RFC 7950 (YANG 1.1)."; reference "I-D: draft-ietf-l3vpn-dynamic-ext-00"; } identity metric-type-base { description "Base identity for performance metric types"; } identity latency { base metric-type-base; description "End-to-end latency metric"; } identity bandwidth { base metric-type-base; description "Available bandwidth metric"; } identity availability-level-base { description "Base identity for service availability levels"; } identity security-policy-base { description "Base identity for security policy types"; } identity isolation-level-base { description "Base identity for isolation levels"; } identity te-link-disjoint { description "Link-disjoint path diversity (IETF TE type semantics)"; } augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles { container maximum-bandwidth-adjustment-profiles { description "Collection of maximum bandwidth adjustment profiles for dynamic bandwidth"; list maximum-bandwidth-adjustment-profile { key "id"; description "Single maximum bandwidth adjustment profile for dynamic bandwidth"; leaf id { type string; description "Unique identifier for the maximum bandwidth adjustment profile"; } } } container slo-sle-profiles { description "Reusable SLO/SLE profiles for Dynamic-L3VPN QoS binding"; list slo-sle-profile { key "id"; description "SLO/SLE profile defining performance and experience constraints"; leaf id { type string; description "Unique identifier for the SLO/SLE profile"; } leaf description { type string; mandatory false; description "Human-readable description of the SLO/SLE profile"; } leaf profile-ref { type leafref { path "/l3vpn-svc:l3vpn-svc /l3vpn-svc:vpn-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profile /id"; } mandatory false; description "Reference to an associated network slice profile"; } container slo-policy { description "Service Level Objective (SLO) policy constraints"; list metric-bound { key "metric-type"; description "Bound on a specific performance metric"; leaf metric-type { type identityref { base metric-type-base; } description "Type of performance metric (latency, bandwidth, etc.)"; } leaf metric-unit { type string; description "Unit of measurement for the metric (ms, Mbps, %)"; } leaf value-description { type string; mandatory false; description "Additional context for the metric value"; } leaf percentile-value { type uint8; mandatory false; description "Percentile for the metric bound (0-100)"; } leaf bound { type uint64; mandatory false; description "Threshold value for the performance metric"; } } leaf availability { type identityref { base availability-level-base; } mandatory false; description "Required service availability level (99.999%, etc.)"; } leaf mtu { type uint32; mandatory false; description "Maximum Transmission Unit (bytes) for the service"; } } container sle-policy { description "Service Level Experience (SLE) policy constraints"; leaf-list security { type identityref { base security-policy-base; } description "Security policies applied (TLS 1.3, IPsec, etc.)"; } leaf-list isolation { type identityref { base isolation-level-base; } description "Isolation requirements (network, tenant, etc.)"; } leaf max-occupancy-level { type uint8; mandatory false; description "Maximum resource occupancy level (0-255, percentage scale)"; } container path-constraints { description "Constraints on data path selection"; leaf service-functions { type string; description "Required service functions on the path (firewall, IDS, etc.)"; } container diversity { description "Path diversity requirements for redundancy"; leaf diversity-type { type identityref { base te-link-disjoint; } mandatory false; description "Type of path disjointness (link-disjoint)"; } } } } } } } augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site { leaf temporary-connection-indicator { type boolean; default false; description "Indicator if this site has a temporary connection"; } leaf effective-time-window { type yang:date-and-time; mandatory false; when "../l3vpn-svc-ext:temporary-connection-indicator = 'true'"; description "Time window for temporary connection validity"; } container service { container qos { container qos-profile { leaf slo-sle-profile { type leafref { path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles /l3vpn-svc-ext:slo-sle-profiles /l3vpn-svc-ext:slo-sle-profile /id"; } mandatory false; when "../qos-profile-enabled = 'true'"; description "Reference to SLO/SLE profile for site-level QoS binding"; } leaf qos-profile-enabled { type boolean; default false; description "QoS profile enable flag"; } } } } container security-encryption { leaf quantum-encryption-enable { type boolean; default false; description "Enable quantum-resistant encryption for site security"; } leaf quantum-encryption-mode { type uint8; default 1; mandatory false; when "../quantum-encryption-enable = 'true'"; description "Quantum encryption mode (1=default, 2=enhanced)"; } leaf quantum-encryption-status { type enumeration { enum idle { description "Quantum encryption not active"; } enum active { description "Quantum encryption in use"; } enum error { description "Quantum encryption error state"; } } config false; description "Operational status of quantum encryption (read-only)"; } } } augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites" +"/l3vpn-svc:site/l3vpn-svc:site-network-accesses" +"/l3vpn-svc:site-network-access" { container service { leaf dynamic-bandwidth-indicator { type boolean; default false; description "Enable dynamic bandwidth adjustment for this service"; } leaf effective-time-window { type yang:date-and-time; mandatory false; when "../dynamic-bandwidth-indicator = 'true'"; description "Time window for dynamic bandwidth validity"; } leaf maximum-bandwidth-adjustment-profile-ref { type leafref { path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles /l3vpn-svc-ext:maximum-bandwidth-adjustment-profile /id"; } mandatory false; when "../dynamic-bandwidth-indicator = 'true'"; description "Reference to a maximum bandwidth adjustment profile."; } container performance-monitoring { description "Service-level performance monitoring."; leaf monitoring-enabled { type boolean; default false; description "Enable performance monitoring."; } leaf monitoring-mode { type enumeration { enum end-to-end; } default end-to-end; description "Performance monitoring mode."; } container operational-state { config false; description "Operational state and performance metrics."; leaf monitor-status { type enumeration { enum active; enum inactive; enum degraded; enum fault; } description "Current monitoring status."; } leaf average-delay { type uint32; units milliseconds; description "Average end-to-end packet delay."; } leaf packet-loss-rate { type decimal64 { fraction-digits 2; range "0 .. 100"; } units percent; description "Packet loss rate."; } leaf jitter { type uint32; units milliseconds; description "Packet delay jitter."; } } } } container ip-connection-security { leaf quantum-encryption-enable { type boolean; default false; description "Enable quantum-resistant encryption for IP connection security"; } leaf quantum-encryption-mode { type uint8; default 1; mandatory false; when "../quantum-encryption-enable = 'true'"; description "Quantum encryption mode (1=default, 2=enhanced)"; } leaf quantum-encryption-status { type enumeration { enum idle { description "Quantum encryption not active"; } enum active { description "Quantum encryption in use"; } enum error { description "Quantum encryption error state"; } } config false; description "Operational status of quantum encryption (read-only)"; } container service { container qos { container qos-profile { leaf slo-sle-profile { type leafref { path "/l3vpn-svc:l3vpn-svc /l3vpn-svc:vpn-profiles /l3vpn-svc-ext:slo-sle-profiles /l3vpn-svc-ext:slo-sle-profile/id"; } mandatory false; when "../qos-profile-enabled = 'true'"; description "Reference to SLO/SLE profile for IP connection-level QoS binding"; } leaf qos-profile-enabled { type boolean; default false; description "QoS profile enable flag"; } } } } } } }

This section provides a comprehensive end-to-end configuration example for the ietf-l3vpn-svc-ext extensions. The example illustrates a typical dynamic L3VPN deployment: site A acts as the hub node, dynamic bandwidth adjustment and quantum-resistant encryption is deployed between Site A and Site B. SLO/SLE profile based QoS enhancement and in-situ flow detect are applied for the service between Site A and Site C.

Typical Extended L3SM Deployment

The following XML snippet describes the overall simplified service configuration of this VPN.

bw-1000m slo-gold bw-1000m bandwidth Mbps 1000 latency ms 50 9214 site-a hub true slo-gold true 1 to-b true bw-1000m true 1 to-c true bw-1000m true 1 site-b spoke true slo-gold to-a true end-to-end site-c spoke true slo-gold to-a true end-to-end ]]>

This document requests IANA to register the following URI in the "IETF XML Registry": URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext Registrant Contact: The IESG XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry: Name: ietf-l3vpn-svc-ext Namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext Prefix: l3vpn-svc-ext Reference: RFC XXXX

The extensions defined in this document inherit the security considerations of RFC 8299. Additional considerations: Dynamic provisioning mechanisms (e.g., RADIUS COA) MUST be secured using mutual authentication and integrity protection. Quantum encryption parameters are sensitive; access to these configuration nodes SHOULD be restricted to authorized administrators. Communication between customers and service orchestrators SHOULD use TLS 1.3 or equivalent encryption. Dynamic networking capabilities require appropriate security mechanisms to prevent customers from establishing L3VPNs with untrusted peers. The specific implementation details of the mutual trust mechanisms are out of scope. The extent of dynamic operations should be limited to the session level rather than the device level, so as to reduce the risk of failures caused by frequent configurations or signaling. The specific implementation details are out of scope.

Harvard University IBM

The VPN instances on the PE devices may be pre-configured as defined in , with the VPN instance bound to an AC only when establishing end-to-end VPN connectivity. Alternatively, the VPN instance may also be dynamically configured via configuration commands based on customer requirements. The dynamic-L3VPN service provisioning and lifecycle procedure is as follows, and we take customer A ordering dynamic-L3VPN service as an example.

Dynamic-L3VPN Service Orchestration Procedure | | | | | | | | | | 2. Submit VPN Service Info | | | | (Peer, BW, Start, End) | | | +------------->| | | | | | | | | | | 3. Configure CE | | | +------------->| | | | | | | | | | | 4. Connect to PE | | | +---------->| | | | | | | | | | 5. Bind AC to VPN | | | |<-------------+ | | | | | | 6. Submit Dynamic BW Request| | | +------------->| | | | | | | | | | | 7. Update Bandwidth (PE) | | | +------------------------->| | | | | | | | 8. Request Add User to VPN | | | +------------->| | | | | | | | | | | 9. Config New CE & PE | | | +------------------------->| | | | | | | | 10. Request Remove User | | | +------------->| | | | | | | | | | | 11. Config: Remove AC | | | +------------->| | | | | | | | | | 12. Config:Remove AC from PE | | +------------------------->| | | | | | | ]]>

The procedure consists of 12 key steps covering the full lifecycle of dynamic-L3VPN: registration, initial service provisioning, dynamic bandwidth adjustment, peer addition/removal, and resource cleanup. The Network Controller coordinates configuration across CEs and PEs to ensure end-to-end service delivery, while the Ordering System acts as the interface between customers and the network infrastructure. SRv6 (defined in and ) may be used for path optimization in dynamic-L3VPN. Customer A registers in the service ordering system. Customer A enters VPN service parameters into the ordering system, including peer VPN customers, bandwidth requirement, start time, and end time, etc. The Network controller provisions configuration to the CE devices of the involved customers. Each CE device establishes a connection to its attached PE device. The Network controller sends configuration or signaling to the PE devices to bind the customer's AC to the VPN instance. Customer A submits an elastic bandwidth adjustment request via the ordering system. The Network controller delivers configuration or signaling to the PE devices to modify the bandwidth of the VPN service. Customer A submits a request via the ordering system to add one or more new customers to the VPN. The Network controller provisions the new customers' CE device and sends configuration or signaling to the corresponding PE devices. Customer A submits a request via the ordering system to remove one or more existing customers from the VPN. The Network controller updates the configuration of the removed customers' CE devices. The Network controller sends configuration or signaling to the corresponding PE devices to delete the associated AC from the VPN.

The authors wish to thank Mingjiang Fu, Zhuojun Huang, Zhenlin Tan, Wenkuan Qu of China Telecom for their contributions to the dynamic L3VPN operational requirements.