| Internet-Draft | ORF YANG model | July 2026 |
| Zhang, et al. | Expires 3 January 2027 | [Page] |
This document defines YANG data models for managing BGP Outbound Route Filter (ORF), including Address Prefix ORF and VPN Prefix ORF.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
[RFC5291] defines a BGP-based mechanism that allows a BGP speaker to send Outbound Route Filters (ORFs) to a peer so that the peer can constrain outbound route advertisements to that speaker. The Outbound Route Filtering Capability, defined in Section 5 of [RFC5291], is negotiated per AFI/SAFI and per ORF Type.¶
Existing ORF types include Address Prefix ORF and VPN Prefix ORF. The Address Prefix ORF can be used to perform address-prefix-based route filtering. The VPN Prefix ORF introduces VPN-specific semantics including Route Distinguisher, Route Target, Source PE, per-VRF quota, and overload handling.¶
This document defines YANG data models to manage BGP ORF mechanism.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following terms are defined in [RFC4760]:¶
The following terms are defined in [RFC5291]:¶
The following terms are defined in [RFC5292]:¶
The following terms are defined in [I-D.ietf-idr-vpn-prefix-orf]:¶
Tree diagrams used in this document follow the notation defined in [RFC8340].¶
The BGP ORF data models provides methods to manage BGP ORF mechanism for address families, covering both generic ORF capabilities and specific ORF types (Address Prefix ORF and VPN Prefix ORF).¶
This document defines two YANG modules: "ietf-bgp-orf" and "ietf-bgp-vpn-prefix-orf".¶
The YANG module "ietf-bgp-orf" contains generic ORF capability [RFC5291] and Address Prefix ORF [RFC5292] function.¶
The YANG module "ietf-bgp-vpn-prefix-orf" contains only VPN Prefix ORF [I-D.ietf-idr-vpn-prefix-orf] function, including the VPN Prefix ORF quotas and entries.¶
The tree structure of the YANG module "ietf-bgp-orf" is shown below.¶
The "ietf-bgp-orf" YANG module augments the YANG module "ietf-bgp" specified in [I-D.ietf-idr-bgp-model].¶
module: ietf-bgp-orf
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi/bgp:ipv4-unicast:
+--rw capability* [orf-type] {address-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw address-prefix-orf-entries-sent {address-prefix-orf}?
| +--rw address-prefix-orf-entry* [sequence]
| +--rw sequence uint32
| +--rw match? enumeration
| +--rw prefix? inet:ip-prefix
| +--rw minlen? uint8
| +--rw maxlen? uint8
+--ro address-prefix-orf-entries-received {address-prefix-orf}?
+--ro address-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro prefix? inet:ip-prefix
+--ro minlen? uint8
+--ro maxlen? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi/bgp:ipv6-unicast:
+--rw capability* [orf-type] {address-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw address-prefix-orf-entries-sent {address-prefix-orf}?
| +--rw address-prefix-orf-entry* [sequence]
| +--rw sequence uint32
| +--rw match? enumeration
| +--rw prefix? inet:ip-prefix
| +--rw minlen? uint8
| +--rw maxlen? uint8
+--ro address-prefix-orf-entries-received {address-prefix-orf}?
+--ro address-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro prefix? inet:ip-prefix
+--ro minlen? uint8
+--ro maxlen? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:ipv4-unicast:
+--rw capability* [orf-type] {address-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw address-prefix-orf-entry* [sequence] {address-prefix-orf}?
| +--rw sequence uint32
| +--rw match? enumeration
| +--rw prefix? inet:ip-prefix
| +--rw minlen? uint8
| +--rw maxlen? uint8
+--rw address-prefix-orf-entries-sent {address-prefix-orf}?
+--rw address-prefix-orf-entry* [sequence]
+--rw sequence uint32
+--rw match? enumeration
+--rw prefix? inet:ip-prefix
+--rw minlen? uint8
+--rw maxlen? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:ipv6-unicast:
+--rw capability* [orf-type] {address-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw address-prefix-orf-entries-sent {address-prefix-orf}?
+--rw address-prefix-orf-entry* [sequence]
+--rw sequence uint32
+--rw match? enumeration
+--rw prefix? inet:ip-prefix
+--rw minlen? uint8
+--rw maxlen? uint8
¶
The tree structure of the YANG module "ietf-bgp-vpn-prefix-orf" is shown below.¶
The "ietf-bgp-vpn-prefix-orf" YANG module also augments the YANG module "ietf-bgp" specified in [I-D.ietf-idr-bgp-model].¶
module: ietf-bgp-vpn-prefix-orf
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv4-unicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-sent {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv6-unicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-send {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv4-multicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-sent {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv6-multicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-send {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-vpls:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-sent {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:neighbors
/bgp:neighbor/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-evpn:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
| +--rw vpn-prefix-orf-quota* [rd source-pe]
| +--rw rd rt-types:route-distinguisher
| +--rw source-pe union
| +--rw quota-value? uint32
| +--rw overload-process-method?
| overload-process-method-type
+--ro vpn-prefix-orf-entries-send {vpn-prefix-orf}?
| +--ro vpn-prefix-orf-entry* [sequence]
| +--ro sequence uint32
| +--ro match? enumeration
| +--ro rd? rt-types:route-distinguisher
| +--ro overload-process-method?
| | overload-process-method-type
| +--ro (source-pe)?
| | +--:(ipv4)
| | | +--ro ipv4-address? inet:ipv4-address
| | +--:(ipv6)
| | | +--ro ipv6-address? inet:ipv6-address
| | +--:(identifier)
| | +--ro source-pe-identifier? source-pe-identifier
| +--ro route-target* rt-types:route-target
| +--ro route-type? uint8
+--ro vpn-prefix-orf-entries-received {vpn-prefix-orf}?
+--ro vpn-prefix-orf-entry* [sequence]
+--ro sequence uint32
+--ro match? enumeration
+--ro rd? rt-types:route-distinguisher
+--ro overload-process-method?
| overload-process-method-type
+--ro (source-pe)?
| +--:(ipv4)
| | +--ro ipv4-address? inet:ipv4-address
| +--:(ipv6)
| | +--ro ipv6-address? inet:ipv6-address
| +--:(identifier)
| +--ro source-pe-identifier? source-pe-identifier
+--ro route-target* rt-types:route-target
+--ro route-type? uint8
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv4-unicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv6-unicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv4-multicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi
/bgp:l3vpn-ipv6-multicast:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-vpls:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups
/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-evpn:
+--rw capability* [orf-type] {vpn-prefix-orf}?
| +--rw orf-type identityref
| +--rw send-receive? orf-send-receive
+--rw vpn-prefix-orf-quotas {vpn-prefix-orf}?
+--rw vpn-prefix-orf-quota* [rd source-pe]
+--rw rd rt-types:route-distinguisher
+--rw source-pe union
+--rw quota-value? uint32
+--rw overload-process-method?
overload-process-method-type
¶
The Generic ORF YANG Module imports modules defined in [RFC9911], [RFC8349], and [I-D.ietf-idr-bgp-model].¶
<CODE BEGINS> file "ietf-bgp-orf@2026-06-18.yang"
module ietf-bgp-orf {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-bgp-orf";
prefix orf;
import ietf-routing {
prefix rt;
reference
"RFC 8349: A YANG Data Model for Routing Management
(NMDA Version)";
}
import ietf-inet-types {
prefix inet;
reference
"RFC 9911: Common YANG Data Types";
}
import ietf-bgp {
prefix bgp;
reference
"RFC XXXX: YANG Model for Border Gateway Protocol (BGP-4)";
}
organization
"IETF Inter-Domain Routing (IDR) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/idr
WG List: IDR <mailto:idr@ietf.org>
Editor: Fan Zhang
<mailto:zhangf52@chinatelecom.cn>
Editor: Aijun Wang
<mailto:wangaj3@chinatelecom.cn>
Editor: Changwang Lin
<mailto:linchangwang.04414@h3c.com>";
description
"This YANG module defines a generic configurtion and management
for the BGP Outbound Route Filtering (ORF). Type-specific ORF
modules may augment this module.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2026 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
All revisions of IETF and IANA published modules can be found
at the YANG Parameters registry group
(https://www.iana.org/assignments/yang-parameters).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2026-06-18 {
description
"Initial revision.";
reference
"RFC 5291: Outbound Route Filtering Capability for BGP-4
RFC 5292: Address-Prefix-Based Outbound Route Filter for
BGP-4";
}
/*
* Features
*/
feature address-prefix-orf {
description
"Support for Address Prefix ORF for BGP-4.";
reference
"RFC 5292: Address-Prefix-Based Outbound Route Filter for
BGP-4";
}
/*
* Identities
*/
identity orf-type {
description
"Base ORF type.";
reference
"RFC 5291: Outbound Route Filtering Capability for BGP-4";
}
identity address-prefix-orf {
base orf-type;
description
"Address Prefix ORF.";
reference
"RFC 5292: Address-Prefix-Based Outbound Route Filter for
BGP-4";
}
identity vpn-prefix-orf {
base orf-type;
description
"VPN Prefix ORF.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter (VPN Prefix ORF)
for BGP-4";
}
/*
* Typedefs
*/
typedef orf-send-receive {
type enumeration {
enum receive {
value 1;
description
"The local speaker is willing to receive ORF entries from
its peer.";
}
enum send {
value 2;
description
"The local speaker would like to send ORF entries to its
peer.";
}
enum both {
value 3;
description
"The local speaker supports both sending and receiving ORF
entries.";
}
}
description
"ORF Send/Receive field.";
reference
"RFC 5291: Outbound Route Filtering Capability for BGP-4,
Section 5";
}
/*
* Groupings
*/
grouping orf-capability {
description
"Grouping for ORF Capabilities for a bgp speaker.";
list capability {
key "orf-type";
description
"List of ORF capabilities for each ORF types.";
leaf orf-type {
type identityref {
base orf-type;
}
description
"The ORF type supoorted by the BGP speaker.";
}
leaf send-receive {
type orf-send-receive;
default "both";
description
"Indicating whether the sender supports receiving ORF
entries, or sending ORF entries, or both.";
}
}
reference
"RFC 5291: Outbound Route Filtering Capability for BGP-4,
Section 5";
}
grouping address-prefix-orf-entries {
description
"Grouping for Address Prefix ORF entries for BGP";
list address-prefix-orf-entry {
key "sequence";
description
"List of Address Prefix ORF entries of an address family.";
leaf sequence {
type uint32;
description
"Sequence number of the Address Prefix ORF entries.";
}
leaf match {
type enumeration {
enum permit {
description
"Permit the peer to pass updates for the set of routes
that match the ORF entry.";
}
enum deny {
description
"Deny the peer to pass the updates for the set of
routes that match the ORF entry.";
}
}
description
"Specifiying whether this entry is PERMIT or DENY.";
}
leaf prefix {
type inet:ip-prefix;
description
"IP prefix to be matched by the Address Prefix ORF entry.";
}
leaf minlen {
type uint8;
description
"Minimum prefix length (in bits) for matching.
A value of 0 indicates that the field is unspecified.";
}
leaf maxlen {
type uint8;
description
"Maximum prefix length (in bits) for matching.
A value of 0 indicates that the field is unspecified.";
}
reference
"RFC 5292: Address-Prefix-Based Outbound Route Filter for
BGP-4, Section 2";
}
}
/*
* Data nodes
*/
augment
"/rt:routing/rt:control-plane-protocols"
+ "/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+ "/bgp:afi-safis/bgp:afi-safi/bgp:ipv4-unicast" {
if-feature "address-prefix-orf";
description
"Address Prefix ORF augmentation for the IPv4 unicast address
family of a BGP neighbor.";
uses orf-capability;
container address-prefix-orf-entries-sent {
description
"Address Prefix ORF entries sent";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 32';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 32';
}
}
}
container address-prefix-orf-entries-received {
config false;
description
"Address Prefix ORF entries received";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 32';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 32';
}
}
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+ "/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+ "/bgp:afi-safis/bgp:afi-safi/bgp:ipv6-unicast" {
if-feature "address-prefix-orf";
description
"Address Prefix ORF augmentation for the IPv6 unicast address
family of a BGP neighbor.";
uses orf-capability;
container address-prefix-orf-entries-sent {
description
"Address Prefix ORF entries sent";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 128';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 128';
}
}
}
container address-prefix-orf-entries-received {
config false;
description
"Address Prefix ORF entries received";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 128';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 128';
}
}
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+ "/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+ "/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:ipv4-unicast" {
if-feature "address-prefix-orf";
description
"Address Prefix ORF augmentation for the IPv4 unicast address
family of a BGP peer group.";
uses orf-capability;
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 32';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 32';
}
}
container address-prefix-orf-entries-sent {
description
"Address Prefix ORF entries sent";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 32';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 32';
}
}
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+ "/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+ "/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:ipv6-unicast" {
if-feature "address-prefix-orf";
description
"Address Prefix ORF augmentation for the IPv6 unicast address
family of a BGP peer group.";
uses orf-capability;
container address-prefix-orf-entries-sent {
description
"Address Prefix ORF entries sent";
uses address-prefix-orf-entries {
refine "address-prefix-orf-entry/minlen" {
must '. <= 128';
}
refine "address-prefix-orf-entry/maxlen" {
must '. <= 128';
}
}
}
}
}
<CODE ENDS>¶
The VPN Prefix ORF YANG Module imports modules defined in [RFC9911], [RFC8349], [RFC8529], [RFC8294], [I-D.ietf-idr-bgp-model], and [I-D.ietf-idr-vpn-prefix-orf].¶
<CODE BEGINS> file "ietf-bgp-vpn-prefix-orf@2026-06-18.yang"
module ietf-bgp-vpn-prefix-orf {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-bgp-vpn-prefix-orf";
prefix vporf;
import ietf-routing-types {
prefix rt-types;
reference
"RFC 8294: Common YANG Data Types for the Routing Area";
}
import ietf-routing {
prefix rt;
reference
"RFC 8349: A YANG Data Model for Routing Management
(NMDA Version)";
}
import ietf-inet-types {
prefix inet;
reference
"RFC 9911: Common YANG Data Types";
}
import ietf-bgp {
prefix bgp;
reference
"RFC XXXX: YANG Model for Border Gateway Protocol (BGP-4)";
}
import ietf-bgp-orf {
prefix orf;
reference
"RFC XXXX: YANG Data Model for BGP Outbound Route Filtering";
}
organization
"IETF Inter-Domain Routing (IDR) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/idr
WG List: IDR <mailto:idr@ietf.org>
Editor: Fan Zhang
<mailto:zhangf52@chinatelecom.cn>
Editor: Aijun Wang
<mailto:wangaj3@chinatelecom.cn>
Editor: Changwang Lin
<mailto:linchangwang.04414@h3c.com>";
description
"This YANG module defines a generic configuration and operational
state for VPN Prefix ORF, including VPN Prefix ORF quota and
overload handling.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2026 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
All revisions of IETF and IANA published modules can be found
at the YANG Parameters registry group
(https://www.iana.org/assignments/yang-parameters).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2026-06-18 {
description
"Initial revision.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter (VPN Prefix ORF)
for BGP-4";
}
/*
* Features
*/
feature vpn-prefix-orf {
description
"Support for VPN Prefix ORF for BGP-4.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter (VPN Prefix ORF)
for BGP-4";
}
/*
* Identities
*/
identity vpn-prefix-orf {
base orf:orf-type;
description
"VPN Prefix ORF.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter (VPN Prefix ORF)
for BGP-4";
}
/*
* Typedefs
*/
typedef source-pe-identifier {
type uint32;
description
"Source PE identifier carried by VPN Prefix ORF.";
}
typedef overload-process-method-type {
type enumeration {
enum withdraw-overload-routes {
value 0;
description
"The receiver of VPN Prefix ORF message MUST withdraw all
previously advertised overload VPN routes that match the
ORF's type-specific part.";
}
enum refuse-overload-routes {
value 1;
description
"The sender of the VPN Prefix ORF message will refuse to
accept VPN routes matching the overload criteria and that
the receiver of the VPN Prefix ORF message MUST NOT
announce VPN routes matching the overload criteria.";
}
}
description
"Overload VPN routes process method";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter (VPN Prefix ORF)
for BGP-4,Section 4";
}
/*
* Groupings
*/
grouping vpn-prefix-orf-quotas {
description
"Grouping of VPN Prefix ORF quotas.";
container vpn-prefix-orf-quotas {
description
"Quota configuration for granular mode.
If no quota entries are configured, VPN Prefix ORF operates
in basic mode.";
list vpn-prefix-orf-quota {
key "rd source-pe";
description
"List of quotas per <RD, Source PE>.";
leaf rd {
type rt-types:route-distinguisher;
description
"Route distinguisher for which the quota applies.";
}
leaf source-pe {
type union {
type inet:ip-address;
type uint32;
}
description
"Source PE for which the quota applies.";
}
leaf quota-value {
type uint32;
description
"Threshold to limit the number of VPN routes";
}
leaf overload-process-method {
type overload-process-method-type;
default "withdraw-overload-routes";
description
"Overload VPN routes process method";
}
reference
"RFC XXXX: VPN Prefix Outbound Route Filter
(VPN Prefix ORF) for BGP-4, Section 7.2";
}
}
}
grouping vpn-prefix-orf-entries {
description
"Grouping of VPN Prefix ORF entries";
list vpn-prefix-orf-entry {
key "sequence";
description
"List of VPN Prefix ORF entries of an address family.";
leaf sequence {
type uint32;
description
"The relative ordering of the entry among all the VPN
Prefix ORF entries.";
}
leaf match {
type enumeration {
enum permit {
description
"Permit the peer to pass updates for the set of routes
that match the ORF entry.";
}
enum deny {
description
"Deny the peer to pass updates for the set of routes
that match the ORF entry.";
}
}
description
"Specifiying whether this entry is PERMIT or DENY. VPN
Prefix ORF entry is only valid when its Match field is
DENY.";
}
leaf rd {
type rt-types:route-distinguisher;
description "Route distinguisher";
}
leaf overload-process-method {
type overload-process-method-type;
description
"Overload VPN routes process method";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter
(VPN Prefix ORF) for BGP-4, Section 4";
}
choice source-pe {
description
"Source PE information associated with the ORF entry.";
case ipv4 {
leaf ipv4-address {
type inet:ipv4-address;
description
"IPv4 Source PE TLV.";
}
}
case ipv6 {
leaf ipv6-address {
type inet:ipv6-address;
description
"IPv6 Source PE TLV.";
}
}
case identifier {
leaf source-pe-identifier {
type source-pe-identifier;
description
"Source PE identifier TLV.";
}
}
reference
"RFC XXXX: VPN Prefix Outbound Route Filter
(VPN Prefix ORF) for BGP-4, Section 4.1";
}
leaf-list route-target {
type rt-types:route-target;
description
"Optional Route Target match criteria of the VPN Prefix
ORF entry. When present, only VPN routes carrying one
of the specified Route Target values are matched.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter
(VPN Prefix ORF) for BGP-4, Section 4.2";
}
leaf route-type {
type uint8;
description
"The route type value carried in the Route Type TLV.";
reference
"RFC XXXX: VPN Prefix Outbound Route Filter
(VPN Prefix ORF) for BGP-4, Section 4.3";
}
}
}
/*
* Data nodes
*/
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l3vpn-ipv4-unicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv4 unicast
address family of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-sent {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l3vpn-ipv6-unicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv6 unicast
address family of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-send {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l3vpn-ipv4-multicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv4 multicast
address family of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-sent {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l3vpn-ipv6-multicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv6 multicast
address family of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-send {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-vpls" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L2VPN VPLS address family
of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-sent {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:neighbors/bgp:neighbor"
+"/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-evpn" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L2VPN EVPN address family
of a BGP neighbor.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
container vpn-prefix-orf-entries-send {
config false;
description
"VPN Prefix ORF entries sent";
uses vpn-prefix-orf-entries;
}
container vpn-prefix-orf-entries-received {
config false;
description
"VPN Prefix ORF entries received";
uses vpn-prefix-orf-entries;
}
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi"
+"/bgp:l3vpn-ipv4-unicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv4 unicast
address family of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi"
+"/bgp:l3vpn-ipv6-unicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv6 unicast
address family of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi"
+"/bgp:l3vpn-ipv4-multicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv4 multicast
address family of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi"
+"/bgp:l3vpn-ipv6-multicast" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L3VPN IPv6 multicast
address family of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-vpls" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L2VPN VPLS address family
of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
augment
"/rt:routing/rt:control-plane-protocols"
+"/rt:control-plane-protocol/bgp:bgp/bgp:peer-groups"
+"/bgp:peer-group/bgp:afi-safis/bgp:afi-safi/bgp:l2vpn-evpn" {
if-feature "vpn-prefix-orf";
description
"VPN Prefix ORF augmentation for the L2VPN EVPN address family
of a BGP peer group.";
uses orf:orf-capability;
uses vpn-prefix-orf-quotas;
}
}
<CODE ENDS>¶
IANA is requested to register the following URIs in the "ns" registry within the "IETF XML Registry" group [RFC3688]:¶
URI: urn:ietf:params:xml:ns:yang:ietf-bgp-orf
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-bgp-vpn-prefix-orf
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
¶
IANA is requested to register the following YANG module in the "YANG Module Names" registry [RFC6020] within the "YANG Parameters" registry group.¶
name: ietf-bgp-orf
Maintained by IANA? N
namespace: urn:ietf:params:xml:ns:yang:ietf-bgp-orf
prefix: orf
reference: RFC XXXX
name: ietf-bgp-vpn-prefix-orf
Maintained by IANA? N
namespace: urn:ietf:params:xml:ns:yang:ietf-bgp-vpn-prefix-orf
prefix: vporf
reference: RFC XXXX
¶
This section is modeled after the template described in Section 3.7.1 of [RFC9907].¶
The "ietf-bgp-orf" and "ietf-bgp-vpn-prefix-orf" YANG modules define data models that are designed to be accessed via YANG-based management protocols, such as the Network Configuration Protocol (NETCONF) [RFC6241] and RESTCONF [RFC8040]. These YANG-based management protocols (1) have to use a secure transport layer (e.g., Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and (2) have to use mutual authentication.¶
The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.¶
TBD.¶
TBD.¶