Aalyria Technologies

ashesh@aalyria.com

Arrcus, Inc.

United States of America mjethanandani@gmail.com

Ciena Corporation

3939 North 1st Street San Jose CA 95134 United States of America ankurpsaxena@gmail.com www.ciena.com

Zscaler

Bangalore Karnataka 560103 India santosh.pallagatti@gmail.com

Huawei

mach.chen@huawei.com

RTG bfd packet loss lost packet loss measurement dropped packets out-of-order packets data loss datapath failure fault detection meticulously increasing sequence number This document describes extensions to the Bidirectional Forwarding Detection (BFD) protocol to measure BFD Stability. Specifically, it describes a mechanism for the detection of BFD packet loss.

Status of This Memo This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
• .  Terminology
• .  Use Cases
• .  Functionality
• .  NULL Auth Type
• .  Theory of Operation
  • .  Loss Measurement
  • .  Out-of-Order Packets
• .  Stability YANG Module
  • .  Data Model Overview
  • .  YANG Module
• .  IANA Considerations
  • .  Auth Type
  • .  IETF XML Registry
  • .  The "YANG Module Names" Registry
• .  Security Considerations
  • .  BFD NULL Auth Type Security Considerations
  • .  YANG Security Considerations
• . References
  • .  Normative References
  • .  Informative References
• .  Experimental Status
• .  Examples
  • .  Single Hop BFD Configuration
  • .  Use of the NULL Auth Type
• Acknowledgements
• Contributors
• Authors' Addresses

Introduction The Bidirectional Forwarding Detection (BFD) protocol operates by transmitting and receiving BFD control packets, generally at a high frequency, over the datapath being monitored. In order to prevent significant data loss due to a datapath failure, BFD session Detection Time as defined in is set to the smallest feasible value. A BFD session will remain in the Up state as long as it receives at least one BFD packet within the Detection Time interval. However, additional packet loss within that time interval is not noted by the BFD state machinery. Noting the other missed packets provides a valuable indicator of systemic issues or a deteriorating network that may warrant preventive action. This document proposes an experimental mechanism to detect packet loss in a BFD session and describes the datapath fault detection mechanisms of BFD. Such a mechanism, combined with 'receive-packet-count' defined in "YANG Data Model for Bidirectional Forwarding Detection (BFD)" permits operators to measure the stability of BFD sessions. The details of the motivation for the Experimental status of this document can be found in . Implementations may also do additional analysis of the packet loss over a time interval. Such an analysis is outside the scope of this document. This document does not propose any BFD extension to measure data traffic loss or delay on a link or tunnel, and the scope is limited to BFD packets.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The reader is expected to be familiar with BFD . In particular, the term "meticulous" as specified in "Meticulous Keyed ISAAC for Bidirectional Forwarding Detection (BFD) Optimized Authentication" means that the sequence number is incremented on every new packet that is sent.

Use Cases Bidirectional Forwarding Detection (BFD), as defined in , cannot detect any BFD packet loss if the loss does not last for the Detection Time. This document proposes a method to detect dropped packets on the receiver. For example, if the receiver receives BFD control packet k at time t, but receives packet k+3 at time t+10 ms, and never receives packet k+1 and/or k+2, then it has experienced a packet loss. This proposal enables BFD implementations to generate diagnostic information on the health of each BFD session. This information could be used to preempt the probability of a failure on a datapath that BFD was monitoring by allowing time for a corrective action to be taken. In a faulty datapath scenario, an operator can use BFD health information to trigger the delay and loss measurement Operations, Administration, and Maintenance (OAM) protocol Connectivity Fault Management (CFM) or packet loss and delay measurement for MPLS networks to further isolate the issue.

Functionality BFD Stability measurement requires that a BFD Meticulous authentication type be configured. The "ietf-bfd-stability" YANG data model, defined in this document, provides the ability to configure the BFD Stability measurement for BFD sessions by configuring the 'stability' flag. The 'lost‑packet‑count' leaf permits monitoring of stability issues as defined in this document for BFD sessions that have the 'stability' flag enabled. The configuration of the BFD Stability measurement and monitoring using other methods than the attached YANG data model is out of scope of this document.

NULL Auth Type The NULL Auth Type, defined in this document, can be used to provide a meticulously increasing sequence number for stability measurement. It provides none of the protections desired for authentication and is used only to provide BFD Stability services to BFD sessions that otherwise have no authentication in use. If the Authentication Present (A) bit is set in the header as defined in , and the Authentication Type field contains 6, the Authentication Section has the following format:

NULL Auth Type 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Auth Type | Auth Len | Auth Key ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

where:

Auth Type (8 bits):

The Authentication Type, which in this case is 6 (NULL).

Auth Len (8 bits):

The length of the NULL Auth Type in bytes (i.e., 8 bytes).

Auth Key ID (8 bits):

The authentication key ID in use for this packet. It MUST be set to zero and MUST be ignored on receipt.

Reserved (8 bits):

This byte MUST be set to zero on transmit and MUST be ignored on receipt.

Sequence Number (32 bits):

The sequence number for this packet. This value is incremented for each successive packet transmitted for a session. Implementations will use sequence numbers (bfd.XmitAuthSeq) as defined in .

If bfd.AuthSeqKnown is 1, and the received Sequence Number field is not equal to bfd.RcvAuthSeq + 1 (in a circular number space), then the loss count is incremented by the difference between the received sequence number and bfd.RcvAuthSeq, and bfd.RcvAuthSeq is set to the received sequence number. Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be set to 1, and bfd.RcvAuthSeq MUST be set to the value of the received Sequence Number field as defined in , and the packet MUST be accepted. According to , a receiver MUST discard a received packet that lies outside the range of bfd.RcvAuthSeq and bfd.RcvAuthSeq + (3 * Detect Multi). If it is within that range, but is missing a packet, it can be used to detect a loss. In case of NULL authentication where packets containing sequence numbers are accepted on receipt, an attacker with an unauthenticated sequence number could move the sequence number forward. Meanwhile, the actual BFD neighbor that continues to send packets will find them discarded and the session would drop. To prevent such an attack, the received sequence number MUST NOT be compared with bfd.RcvAuthSeq for the purpose of discarding the BFD packets.

Theory of Operation This mechanism allows operators to measure the loss of BFD control packets. A BFD authentication type carrying a meticulously increasing sequence number is required to support this loss measurement. Authentication types that provide for meticulously increasing sequence numbers include:

• Meticulously Keyed MD5 and SHA1, defined in .
• Meticulously Keyed ISAAC, defined in .
• The NULL authentication mechanism, which does not provide for authentication but carries a meticulously increasing sequence number, is defined in this document.

Other authentication types that provide for meticulously increasing sequence numbers appropriate for this mechanism may be defined in future specifications.

Loss Measurement Loss measurement counts the number of BFD control packets missed at the receiver during any Detection Time period (see ). The loss is detected by comparing the Sequence Number field in successive BFD control packets. The sequence number in each successive control packet generated on a BFD session by the transmitter is incremented by one. This loss count can then be exposed using the YANG module defined in the subsequent section. See discussion on out-of-order packets in of this document. The first BFD Authentication Section with a non-zero sequence number, in a valid BFD control packet, processed by the receiver, is used for bootstrapping the logic.

Out-of-Order Packets Some transmission mechanisms, for example, Link Aggregate Groups (LAGs) or Equal Cost Multipath (ECMP), can result in out-of-order packet delivery. In circumstances where BFD packets are not lost, but are delivered out of order, strict comparison of increasing sequence numbers may result in classifying the out-of-order packets as packet loss. Implementations MAY provide mechanisms wherein all expected packets received across an expected interval, but delivered out of order, are not considered lost packets.

Stability YANG Module

Data Model Overview This YANG module augments the base BFD YANG module to add attributes such as the 'stability' flag related to the experiment of BFD Stability. The feature statement 'stability' needs to be enabled to indicate that BFD Stability is supported by the implementation. In addition, a loss count per-session or a Label Switched Path (LSP) for BFD packets that are lost has also been added in this model. module: ietf-bfd-stability augment /rt:routing/rt:control-plane-protocols </rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh /bfd-ip-sh:sessions/bfd-ip-sh:session: +--rw stability? boolean {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh /bfd-ip-mh:session-groups/bfd-ip-mh:session-group: +--rw stability? boolean {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-lag:lag /bfd-lag:sessions/bfd-lag:session: +--rw stability? boolean {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls /bfd-mpls:session-groups/bfd-mpls:session-group: +--rw stability? boolean {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh /bfd-ip-sh:sessions/bfd-ip-sh:session /bfd-ip-sh:session-statistics: +--ro lost-packet-count? yang:counter64 {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh /bfd-ip-mh:session-groups/bfd-ip-mh:session-group /bfd-ip-mh:sessions/bfd-ip-mh:session-statistics: +--ro lost-packet-count? yang:counter64 {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-lag:lag /bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links /bfd-lag:micro-bfd-ipv4/bfd-lag:session-statistics: +--ro lost-packet-count? yang:counter64 {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-lag:lag /bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links /bfd-lag:micro-bfd-ipv6/bfd-lag:session-statistics: +--ro lost-packet-count? yang:counter64 {stability}? augment /rt:routing/rt:control-plane-protocols /rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls /bfd-mpls:session-groups/bfd-mpls:session-group /bfd-mpls:sessions/bfd-mpls:session-statistics: +--ro lost-packet-count? yang:counter64 {stability}?

YANG Module This YANG module imports modules defined in "Common YANG Data Types" , "YANG Data Model for Key Chains" , "A YANG Data Model for Routing Management (NMDA Version)" , and "YANG Data Model for Bidirectional Forwarding Detection (BFD)" . module ietf-bfd-stability { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-bfd-stability"; prefix bfd-s; import ietf-yang-types { prefix yang; reference "RFC 9911: Common YANG Data Types"; } import ietf-routing { prefix rt; reference "RFC 8349: A YANG Data Model for Routing Management (NMDA Version)"; } import ietf-bfd { prefix bfd; reference "RFC 9314: YANG Data Model for Bidirectional Forwarding Detection."; } import ietf-bfd-ip-sh { prefix bfd-ip-sh; reference "RFC 9314: YANG Data Model for Bidirectional Forwarding Detection (BFD)"; } import ietf-bfd-ip-mh { prefix bfd-ip-mh; reference "RFC 9314: YANG Data Model for Bidirectional Forwarding Detection (BFD)"; } import ietf-bfd-lag { prefix bfd-lag; reference "RFC 9314: YANG Data Model for Bidirectional Forwarding Detection (BFD)"; } import ietf-bfd-mpls { prefix bfd-mpls; reference "RFC 9314: YANG Data Model for Bidirectional Forwarding Detection (BFD)"; } import ietf-key-chain { prefix key-chain; reference "RFC 8177: YANG Data Model for Key Chains"; } organization "IETF BFD Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/bfd> WG List: <rtg-bfd@ietf.org> Authors: Mahesh Jethanandani (mjethanandani@gmail.com) Ashesh Mishra (mishra.ashesh@gmail.com) Ankur Saxena (ankurpsaxena@gmail.com) Santosh Pallagatti (santosh.pallagati@gmail.com) Mach(Guoyi) Chen (mach.chen@huawei.com)."; description "This YANG module augments the base BFD YANG data model to add experimental attributes related to BFD Stability. In particular, it adds a per-session count for BFD packets that are lost. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2026 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9978; see the RFC itself for full legal notices."; revision 2026-06-29 { description "Initial version."; reference "RFC 9978: Bidirectional Forwarding Detection (BFD) Stability"; } feature stability { description "This feature enables BFD sessions to be monitored for lost packets."; } identity null-auth { base key-chain:crypto-algorithm; description "BFD NULL Auth Type defined in this document."; reference "RFC 9978: Bidirectional Forwarding Detection (BFD) Stability"; } grouping lost-packet-count { leaf lost-packet-count { if-feature "stability"; type yang:counter64; description "Number of BFD packets that were lost, where loss is determined by the fact that the sequence number is not consecutive. This counter should be present only if stability is configured."; } description "Grouping of statistics related to BFD Stability."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh/" + "bfd-ip-sh:sessions/bfd-ip-sh:session" { leaf stability { if-feature "stability"; type boolean; must "../bfd-ip-sh:authentication/bfd-ip-sh:meticulous = " + "'true'"; default "false"; description "If set to true, this enables the BFD session to monitor for stability, i.e., to watch how many packets are getting dropped."; } description "Augment the 'bfd' container to add attributes related to BFD Stability for IP Single Hop sessions."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh/" + "bfd-ip-mh:session-groups/bfd-ip-mh:session-group" { leaf stability { if-feature "stability"; type boolean; must "../bfd-ip-mh:authentication/bfd-ip-mh:meticulous = " + "'true'"; default "false"; description "If set to true, this enables the BFD session to monitor for stability, i.e., to watch how many packets are getting dropped."; } description "Augment the 'bfd' container to add attributes related to BFD Stability for Multi Hop sessions."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" + "bfd-lag:sessions/bfd-lag:session" { leaf stability { if-feature "stability"; type boolean; must "../bfd-lag:authentication/bfd-lag:meticulous = " + "'true'"; default "false"; description "If set to true, this enables the BFD session to monitor for stability, i.e., to watch how many packets are getting dropped."; } description "Augment the 'bfd' container to add attributes related to BFD Stability for LAG session."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls/" + "bfd-mpls:session-groups/bfd-mpls:session-group" { leaf stability { if-feature "stability"; type boolean; must "../bfd-mpls:authentication/bfd-mpls:meticulous = " + "'true'"; default "false"; description "If set to true, this enables the BFD session to monitor for stability, i.e., to watch how many packets are getting dropped."; } description "Augment the 'bfd' container to add attributes related to BFD Stability for MPLS."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh/" + "bfd-ip-sh:sessions/bfd-ip-sh:session/" + "bfd-ip-sh:session-statistics" { uses lost-packet-count; description "Augment the 'bfd' container to add statistics related to BFD Stability for IP Single Hop sessions."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh/" + "bfd-ip-mh:session-groups/bfd-ip-mh:session-group/" + "bfd-ip-mh:sessions/bfd-ip-mh:session-statistics" { uses lost-packet-count; description "Augment the 'bfd' container to add statistics related to BFD Stability for IP Multi Hop sessions."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" + "bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links/" + "bfd-lag:micro-bfd-ipv4/bfd-lag:session-statistics" { uses lost-packet-count; description "Augment the 'bfd' container to add statistics related to BFD Stability for Micro BFD sessions for IPv4."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" + "bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links/" + "bfd-lag:micro-bfd-ipv6/bfd-lag:session-statistics" { uses lost-packet-count; description "Augment the 'bfd' container to add statistics related to BFD Stability for Micro BFD sessions for IPv6."; } augment "/rt:routing/rt:control-plane-protocols/" + "rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls/" + "bfd-mpls:session-groups/bfd-mpls:session-group/" + "bfd-mpls:sessions/bfd-mpls:session-statistics" { uses lost-packet-count; description "Augment the 'bfd' container to add statistics related to BFD Stability for MPLS sessions."; } }

IANA Considerations This document registers a new authentication type in the "BFD Authentication Types" registry, a new URI in the "ns" registry within the "IETF XML" registry group , and a YANG module in the "YANG Module Names" registry.

Auth Type IANA has registered the following BFD Auth Type in the "BFD Authentication Types" registry:

Address:

6

BFD Authentication Type Name:

NULL

Reference

RFC 9978

IETF XML Registry IANA has registered the following URI in the "ns" registry :

URI:

urn:ietf:params:xml:ns:yang:ietf-bfd-stability

Registrant Contact:

The IESG

XML:

N/A; the requested URI is an XML namespace.

The "YANG Module Names" Registry IANA has registered the following YANG module in the "YANG Module Names" registry :

Name:

ietf-bfd-stability

Namespace:

urn:ietf:params:xml:ns:yang:ietf-bfd-stability

Prefix:

bfd-s

Reference:

RFC 9978

Security Considerations

BFD NULL Auth Type Security Considerations The use of a BFD authentication mechanism that protects the BFD packets is RECOMMENDED. The security considerations of for unauthenticated BFD all apply to the new NULL Auth Type. The NULL Auth Type, defined in this document, provides none of the properties desired for authenticating BFD packets. It is intended to provide BFD sessions that otherwise would not use authentication with a sequence number that can be used for the purpose of detecting packet loss. The lack of a computed AuthKey/Digest over the BFD packet, but the presence of a sequence number, makes this authentication type susceptible to injection attacks. BFD without authentication is vulnerable to session resets; the NULL Auth Type does not change this. When the NULL Auth Type is used for BFD Stability purposes, maliciously injected packets that do not reset the BFD session can resemble high packet loss. Sessions such as multi-hop routed paths, tunnels without authentication, or MPLS Label Switched Paths (LSPs), therefore, have security guarantees that are identical to situations where BFD is run without authentication.

YANG Security Considerations This section is modeled after the template described in . The "ietf-bfd-stability" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as Network Configuration Protocol (NETCONF) and RESTCONF . These YANG-based management protocols (1) have to use a secure transport layer (e.g., Secure Shell (SSH) , TLS , and QUIC ) and (2) have to use mutual authentication. The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. The YANG module does not define any writable/creatable/deletable data nodes that can have an adverse impact on a BFD session. Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities: The model defines a read-only node to indicate the number of packets that were lost. Access to this information may allow a malicious user information on which links are experiencing issues. In addition, and as stated in , on links such as LAG or ECMP, there is a possibility of packets being delivered out-of-order. A strict comparison of increasing sequence numbers may result in classifying those out-of-order packets as packet loss. The YANG module does not define any RPC operations.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. This document describes the SSH authentication protocol framework and public key, password, and host-based client authentication methods. Additional authentication methods are described in separate documents. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol. [STANDARDS-TRACK] This document describes a protocol intended to detect faults in the bidirectional path between two forwarding engines, including interfaces, data link(s), and to the extent possible the forwarding engines themselves, with potentially very low latency. It operates independently of media, data protocols, and routing protocols. [STANDARDS-TRACK] YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. This document specifies three YANG modules and one submodule. Together, they form the core routing data model that serves as a framework for configuring and managing a routing subsystem. It is expected that these modules will be augmented by additional YANG modules defining data models for control-plane protocols, route filters, and other functions. The core routing data model provides common building blocks for such extensions -- routes, Routing Information Bases (RIBs), and control-plane protocols. The YANG modules in this document conform to the Network Management Datastore Architecture (NMDA). This document obsoletes RFC 8022. This document defines a YANG data model that can be used to configure and manage Bidirectional Forwarding Detection (BFD). The YANG modules in this document conform to the Network Management Datastore Architecture (NMDA) (RFC 8342). This document updates "YANG Data Model for Bidirectional Forwarding Detection (BFD)" (RFC 9127). This document defines a collection of common data types to be used with the YANG data modeling language. It includes several new type definitions and obsoletes RFC 6991. Informative References The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Many service provider service level agreements (SLAs) depend on the ability to measure and monitor performance metrics for packet loss and one-way and two-way delay, as well as related metrics such as delay variation and channel throughput. This measurement capability also provides operators with greater visibility into the performance characteristics of their networks, thereby facilitating planning, troubleshooting, and network performance evaluation. This document specifies protocol mechanisms to enable the efficient and accurate measurement of these performance metrics in MPLS networks. [STANDARDS-TRACK] This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). This document describes the key chain YANG data model. Key chains are commonly used for routing protocol authentication and other applications requiring symmetric keys. A key chain is a list containing one or more elements containing a Key ID, key string, send/accept lifetimes, and the associated authentication or encryption algorithm. By properly overlapping the send and accept lifetimes of multiple key chain elements, key strings and algorithms may be gracefully updated. By representing them in a YANG data model, key distribution can be automated. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. This document provides guidelines for authors and reviewers of specifications containing YANG data models, including IANA-maintained YANG modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 8407; it also updates RFC 8126 by providing additional guidelines for writing the IANA considerations for RFCs that specify IANA-maintained YANG modules. This document describes a Bidirectional Forwarding Detection (BFD) Optimized Authentication Mode known as Meticulous Keyed ISAAC Authentication. This mode can be used to authenticate some BFD packets with less CPU time cost than using MD5 or SHA-1 with the trade-off of decreased security. This mechanism cannot be used to signal state changes, but it can be used to maintain a session in the Up state. ITU-T

Experimental Status This document describes an experiment that will present a candidate solution to predict whether a given BFD session will continue to be stable. The experiment will use the packet lost count and the 'receive-packet-count' defined in "YANG Data Model for Bidirectional Forwarding Detection (BFD)" to determine how stable the session is. The reason this document is on the Experimental track is because there are no known implementations or proof of concept. As a result, the authors are not clear whether a simple lost count is enough to predict the stability or if there will be a need to be a more granular count. This document is classified as Experimental and is not part of the IETF Standards Track.

Examples This section tries to show some examples of how the model can be configured for stability.

Single Hop BFD Configuration This example demonstrates how a single hop BFD session can be configured to enable monitoring of a session for stability. =============== NOTE: '\' line wrapping per RFC 8792 =============== <?xml version="1.0" encoding="UTF-8"?> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain" xmlns:kc="urn:ietf:params:xml:ns:yang:ietf-key-chain"> <key-chain> <name>bfd-stability-config</name> <description>"An example for BFD Stability configuration."</de\ scription> <key> <key-id>55</key-id> <lifetime> <send-lifetime> <start-date-time>2025-01-01T00:00:00Z</start-date-time> <end-date-time>2025-02-01T00:00:00Z</end-date-time> </send-lifetime> <accept-lifetime> <start-date-time>2024-12-31T23:59:55Z</start-date-time> <end-date-time>2025-02-01T00:00:05Z</end-date-time> </accept-lifetime> </lifetime> <crypto-algorithm>kc:sha-1</crypto-algorithm> </key> </key-chain> </key-chains> <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xmlns:if-type="urn:ietf:params:xml:ns:yang:iana-if-type"> <interface> <name>eth0</name> <type>if-type:ethernetCsmacd</type> </interface> </interfaces> <routing xmlns="urn:ietf:params:xml:ns:yang:ietf-routing" xmlns:bfd-types="urn:ietf:params:xml:ns:yang:ietf-bfd-types" xmlns:stability="urn:ietf:params:xml:ns:yang:ietf-bfd-stability\ "> <control-plane-protocols> <control-plane-protocol> <type>bfd-types:bfdv1</type> <name>name:BFD</name> <bfd xmlns="urn:ietf:params:xml:ns:yang:ietf-bfd"> <ip-sh xmlns="urn:ietf:params:xml:ns:yang:ietf-bfd-ip-sh"> <sessions> <session> <interface>eth0</interface> <dest-addr>2001:db8:0:113::101</dest-addr> <desired-min-tx-interval>10000</desired-min-tx-interv\ al> <required-min-rx-interval> 10000 </required-min-rx-interval> <stability:stability>true</stability:stability> <authentication> <key-chain>bfd-stability-config</key-chain> <meticulous>true</meticulous> </authentication> </session> </sessions> </ip-sh> </bfd> </control-plane-protocol> </control-plane-protocols> </routing>

Use of the NULL Auth Type This example demonstrates how to configure the NULL Auth Type to enable monitoring of a session for stability. =============== NOTE: '\' line wrapping per RFC 8792 =============== <?xml version="1.0" encoding="UTF-8"?> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain" xmlns:stability="urn:ietf:params:xml:ns:yang:ietf-bfd-stability\ "> <key-chain> <name>bfd-stability-config</name> <description>"An example for BFD Stability configuration."</des\ cription> <key> <key-id>55</key-id> <lifetime> <send-lifetime> <start-date-time>2025-01-01T00:00:00Z</start-date-time> <end-date-time>2025-02-01T00:00:00Z</end-date-time> </send-lifetime> <accept-lifetime> <start-date-time>2024-12-31T23:59:55Z</start-date-time> <end-date-time>2025-02-01T00:00:05Z</end-date-time> </accept-lifetime> </lifetime> <crypto-algorithm>stability:null-auth</crypto-algorithm> </key> </key-chain> </key-chains> <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" xmlns:if-type="urn:ietf:params:xml:ns:yang:iana-if-type"> <interface> <name>eth0</name> <type>if-type:ethernetCsmacd</type> </interface> </interfaces> <routing xmlns="urn:ietf:params:xml:ns:yang:ietf-routing" xmlns:bfd-types="urn:ietf:params:xml:ns:yang:ietf-bfd-types" xmlns:stability="urn:ietf:params:xml:ns:yang:ietf-bfd-stability\ "> <control-plane-protocols> <control-plane-protocol> <type>bfd-types:bfdv1</type> <name>name:BFD</name> <bfd xmlns="urn:ietf:params:xml:ns:yang:ietf-bfd"> <ip-sh xmlns="urn:ietf:params:xml:ns:yang:ietf-bfd-ip-sh"> <sessions> <session> <interface>eth0</interface> <dest-addr>2001:db8:0:113::101</dest-addr> <desired-min-tx-interval>10000</desired-min-tx-interv\ al> <required-min-rx-interval> 10000 </required-min-rx-interval> <stability:stability>true</stability:stability> <authentication> <key-chain>bfd-stability-config</key-chain> <meticulous>true</meticulous> </authentication> </session> </sessions> </ip-sh> </bfd> </control-plane-protocol> </control-plane-protocols> </routing>

Acknowledgements The authors would like to thank , , , , , , and for contributing to this document. Thanks to for the SECDIR review and for the YANG Doctors review. Thanks to for being the shepherd of the document.

Contributors The authors would like to acknowledge as a contributor to this document. His contribution lead to significant improvements of the document. In addition, contributed to this document.

Authors' Addresses Aalyria Technologies

ashesh@aalyria.com

Arrcus, Inc.

United States of America mjethanandani@gmail.com

Ciena Corporation

3939 North 1st Street San Jose CA 95134 United States of America ankurpsaxena@gmail.com www.ciena.com

Zscaler

Bangalore Karnataka 560103 India santosh.pallagatti@gmail.com

Huawei

mach.chen@huawei.com