<?xml version="1.0" encoding="UTF-8"?>
<rfc category="info"
     docName="draft-fu-onsen-update-l3sm-service-models-02"
     ipr="trust200902"
     submissionType="IETF"
     xml:lang="en">
  <front>
    <title abbrev="Extensions to L3SM">Extensions to the YANG Data Model for L3VPN Service Delivery</title>
    
    <author fullname="Fengchao Fu" initials="F." surname="Fu">
      <organization>China Telecom</organization>
      <address><email>fufengc@chinatelecom.cn</email></address>
    </author>
    <author fullname="Cancan Huang" initials="C." surname="Huang">
      <organization>China Telecom</organization>
      <address><email>huangcanc@chinatelecom.cn</email></address>
    </author>
    <author fullname="Bo Wu" initials="B." surname="Wu">
      <organization>Huawei</organization>
      <address><email>lana.wubo@huawei.com</email></address>
    </author>


    <date year="2026" month="July" day="5"/>
    <workgroup>ONSEN Working Group</workgroup>
    <abstract>
      <t>RFC8299 defines a YANG data model for L3VPN service delivery. This document 
      defines a set of extensions 
      that address the limitations of the L3VPN Service Model (L3SM). 
        The extensions enable (1)dynamic network provisioning
with temporary connectivity, (2) dynamic bandwidth adjustment, 
(3)  integration
        of isolation in Slice Service Templates to enhance QoS provisioning, (4) performance monitoring
         for enriching service quality visibility, (5)quantum-safe encryption 
       integrating both PQC and QKD.  </t>
    </abstract>
<!--
    <note title="First Submission">
      <t>This is the second submission of this document to the IETF, submitted 
        on February 11, 2026. No pre-RFC5378 disclaimer is required as this 
        submission is post-RFC5378.</t>
    </note>
-->
  </front>

  <middle>
    <section title="Status of This Memo">
      <t>This Internet-Draft is submitted in full conformance with the provisions 
        of BCP 78 and BCP 79. Internet-Drafts are working documents of the 
        Internet Engineering Task Force (IETF). Note that other groups may also 
        distribute working documents. The list of current Internet-Drafts is at 
        https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft 
        documents valid for a maximum of six months and may be updated, replaced, 
        or obsoleted by other documents at any time. It is inappropriate to use 
        Internet-Drafts as reference material or to cite them other than as 
        "work in progress." This Internet-Draft will expire on 7 January 2027.</t>
    </section>

    <section title="Copyright Notice">
      <t>Copyright (c) 2026 IETF Trust and the persons identified as the document 
        authors. All rights reserved. This document is subject to BCP 78 and the 
        IETF Trust's Legal Provisions Relating to IETF Documents 
        (https://trustee.ietf.org/license-info) in effect on the date of 
        publication of this document. Please review these documents carefully, 
        as they describe your rights and restrictions with respect to this 
        document. Code Components extracted from this document must include 
        Revised BSD License text as described in Section 4.e of the Trust Legal 
        Provisions and are provided without warranty as described in the Revised 
        BSD License.</t>
    </section>

    <section anchor="sec-intro" title="Introduction">
      <t>   RFC 8299 defines the Layer 3 VPN Service Model (L3SM), which
   provides a customer-facing abstraction for Layer 3 VPN services.
   L3SM assumes relatively static service characteristics: persistent
   connectivity between fixed sites with bandwidth parameters specified
   at service creation time.</t>
      <t> Operational experience with data-intensive workloads (e.g., large-
   scale data transfer, temporary compute clusters) has identified
   requirements not addressed by the base L3SM model:</t>
      <list style="symbols">
        <t>Dynamic network provisioning: The ability to establish and tear
      down connectivity on demand, rather than maintaining persistent
      connections. Conventional L3VPN services must
perform frequent network reconfigurations to support such dynamic networking. Frequent
reconfigurations for dynamic networking may introduce potential risks to network stability
and are generally unacceptable for network operations.</t>
        <t>Dynamic bandwidth adjustment: The ability to modify bandwidth
      allocations within specific provisioning delay.</t>
      </list>
      <t>These operational requirements create corresponding gaps in the
service model. Furthermore, large-scale SRv6 deployments expose additional
technical limitations in the original L3SM data model:</t>
      <list style="numbers">
        <t>L3SM does not support temporary connectivity with explicit
       activation/deactivation time windows.</t>
        <t>L3SM does not provide parameters for bandwidth adjustment with spefic bandwidth 
        adjustment ranges and 
       adjustment time constraints.</t>
        <t>L3SM lacks integration with network slicing constructs  required to deliver differentiated service tiers over SRv6 transport.</t>
         <t>L3SM lacks support for performance monitoring, limiting end-to-end
    service quality visibility.</t>
       <t>L3SM does not provide parameters for quantum-safe encryption.</t>
       <t>Most of the existing L3SM functional modules
        (eg., qos, security) are configured 
       under site and site-network-access nodes,
        without unified global VPN-service  settings. 
        This results in extensive duplicated configurations across 
        individual sites and increases overall operational complexity.</t>
      </list>
      <t>This document defines YANG augmentations to RFC 8299 to address these
   gaps.  The extensions are designed to be backward compatible:
   implementations that do not require these capabilities can ignore
   the new parameters.</t>
      <t>The scope of this document is limited to service model extensions.
   Implementation details of underlying mechanisms (e.g., signaling
   protocols, encryption algorithms, security mechanisms ) are out of scope. </t>
    </section>

    <section title="Terminology">
      <t> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 in <xref target="RFC2119"/> and <xref target="RFC8174"/>  when, and only when, they appear in all
   capitals, as shown here.</t>
      <t>This document uses the following terms:</t>
      <t>AC: Attachment Circuit, as defined in <xref target="RFC9833"/>.</t>     
      <t>CE: Customer Edge, as defined in <xref target="RFC4026"/>.</t>
      <t>COA: Change of Authorization, as defined in <xref target="RFC5176"/>.</t>
      <t>Dynamic-L3VPN: A Layer 3 VPN service supporting dynamic network
      provisioning and/or dynamic bandwidth adjustment.</t>
      <t>L3SM: Layer 3 VPN Service Model, as defined in <xref target="RFC8299"/>.</t>
      <t>L3VPN: Layer 3 Virtual Private Network, as defined in <xref target="RFC4026"/>.</t>
      <t>PE: Provider Edge, as defined in <xref target="RFC4026"/>.</t>
      <t>PQC:Post Quantum Cryptography.</t>
      <t>QKD:Quantum key distribution.</t>
      <t>Slice Service Template (SST): A reusable policy container defining
      Service Level Objectives (SLOs) and Service Level Expectations
      (SLEs) for network slices, as defined in
      [I-D.ietf-teas-ietf-network-slice-nbi-yang].</t>
    </section>
    <section title="Service Data Model Usage">
       <t>The L3VPN service model defined in <xref target="RFC8299"/>
provides a service-level abstraction 
   for L3VPN services, decoupling
service intent from device configuration.
The extensions in this document follow the same service data model usage
as the base L3VPN Service Model (L3SM). A typical scenario is also to use this model as input 
to an orchestration layer
responsible for translating service intent into device configurations.
An example of extended L3VPN service delivery is shown in Figure 1. </t>
       <t>The main difference  is that these extensions introduce additional service-level 
attributes and policy constructs to support newer,
 more dynamic service delivery models.</t>    
      <t> The usage of this service model is not limited to this example.
    The extended data model continues to be applicable for any component of management systems
     and northbound consumers, 
    but not directly by network elements.      </t>        
        <figure anchor="fig-extended-l3vpn-arch">
          <name>Extended L3VPN Service Delivery Example</name>
          <artwork align="center"><![CDATA[
               +----------+
               | Customer |
               +-----+----+
                     |
       L3vpn-svc-ext |
            Models   |
             +-------+-------+
             | Service       |
             | Orchestrator  |
             +-------+-------+
                     |
      Network Models |
                     |
             +-------+-----+
             | Network     |
             | Controller  |
             +-----+-+-+---+
            Device | | |
     Configuration | | |
            Models | | |
   +---------------+ | +-----------+
   |      +----------+-------+     |  +---------+ 
+--+--+   |                  |     |  |         |
| CE1 +---+ +-----+   +----+ |  +--+--+-+       |
+-----+   | | PE1 |   |PE2 | +--+ DC-GW |  DC   |
+-----+   | +-----+   +----+ |  +-----+-+       |
| CE2 +---+                  |        |         |
+-----+   +------------------+        +---------+                                     
          ]]></artwork> 
        </figure>
    </section>
    <section title="Overall Structure of the Extended L3VPN Service Module">
    <!--
      <section title="Existing service model">
        <t>Several IETF Working Groups have developed multiple YANG modules in 
          order to communicate between customers and network operators and to 
          deliver VPN service. A set of these models is listed here:</t>
        <list style="symbols">
          <t><xref target="RFC8299"/> defines the Layer 3 Virtual Private Network 
            Service Model (L3SM), which is used for communication between customers 
            and service providers. This model provides an abstracted view of the 
            Layer 3 IP VPN service configuration components. It will be up to the 
            management system to take this model as input and use specific 
            configuration models to configure the different network elements to 
            deliver the service.</t>
          <t><xref target="RFC9834"/> documents a YANG Data Models for Bearers and 
            Attachment Circuits as a Service for managing ACs that are exposed by 
            a network to its customers. Exposing Attachment Circuits as a Service 
            (ACaaS) greatly simplifies the provisioning of services delivered over 
            an AC.</t>
          <t><xref target="RFC9061"/> defines YANG Data Models for Network Resource 
            Partition (NRP), which is closely related to network slicing technology. 
            The model provides a standardized way to model, provision and manage 
            isolated network resource partitions, supporting the requirement of 
            service-specific resource isolation, and is highly relevant to the 
            network slicing capability designed in this document.</t>
        </list>
      </section>
-->
     
      <section title="Tree Structure">
        <t>The extensions are defined in the module
   ietf-l3vpn-svc-ext, which augments the base L3SM module
   (ietf-l3vpn-svc) at the following locations:</t>
          <list style="symbols">
          <t>/l3vpn-svc/vpn-profiles: Adds profiles for bandwidth adjustment
      ranges, provisioning delay SLOs and performance 
      monitoring policies. All such profiles are predefined 
      and standardized by the provider and 
      the provider can propose these profiles to the customer.</t>
          <t>/l3vpn-svc/vpn-services/vpn-service: Adds four containers (dynamic-attribute
           container,
          qos container, perf-mon container, security container) for globle 
          VPN service configuration that apply across all sites.</t>
          <t>/l3vpn-svc/sites/site:  Traffic classification policies defined
            in <xref target="RFC8299"/> are nested solely under the QOS container 
            and cannot be reused by other functional modules, 
            resulting in insufficient flexibility.
          Adds a site-level unified classification-policy container  that
           defines a set of ordered rules to classify customer traffic
           and generates a set of 
          class-id values, which can be reused 
           accross various service functions modules including QoS, security, 
           and performance monitoring.  
           When different modules
            process identical traffic flows, they  adopt the same class-id values to match traffic. 
             When different modules
            process distinct traffic flows, they  adopt different class-id values to match traffic. 
           Add site-level functional containers  (dynamic-attribute
           container,
          qos container, perf-mon container, security container).
          When a site carries  service requirements
           that cannot be fully covered by the global vpn-service settings, relevant parameters 
           may be configured within the containers under the corresponding site node.</t>
          <t>/l3vpn-svc/sites/site/site-network-accesses/site-network-access/
      service: Add site-network-access-level functional containers  (dynamic-attribute
           container,
          qos container, perf-mon container, security container)
          . When a site-network-access carries  service requirements
           that cannot be fully covered by the site-level vpn-service settings, relevant parameters 
           may be configured within the containers under the corresponding site-network-access 
           node.</t>         
          </list>
        <t>The parameter inheritance mechanism defined in <xref target="RFC8299"/> for site-level and site-network-access-level
         nodes also applies to this document. Furthermore, this document
          additionally introduce an 
         inheritance mechanism at the global vpn-service level. Overall, this document defines 
         a three-level hierarchy for service configuration.
         Some parameters can be configured at vpn-service level, the site level and the
site-network-access level, e.g., services, security.
Inheritance applies when parameters are defined at the vpn-service level and site level.
If a parameter is configured at the global vpn-service level,  the site-level
parameter MUST override the global vpn-service  parameter. If a parameter is 
configured at the site-level,
and the access-level parameter MUST override the site-level
parameter. Those parameters will be described later in this
document.</t>  
         <t>Figure 2 illustrates the module augmentation tree structure.</t>
        <figure anchor="fig-tree">
          <name>Augmentation Tree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
module: ietf-l3vpn-svc-ext

augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles
               /l3vpn-svc:valid-provider-identifiers:
  |    ...

augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-service:
  +--rw dynamic-attribute
  |  ...
  +--rw qos {qos}?
  |   ....
  +--rw perf-mon {perf-mon}?
  |    ...
    +--rw security
  |    ...

augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site:
  +--rw classification-policy* [rule-id]
  |  ...
  +--rw dynamic-attribute
  |  ...
  +--rw qos {qos}?
  |   ....
  +--rw perf-mon {perf-mon}?
  |    ...
    +--rw security
  |    ...

 
augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
              /l3vpn-svc:site-network-accesses
             /l3vpn-svc:site-network-access:
  +--rw classification-policy* [rule-id]
  |  ...
  +--rw dynamic-attribute
  |  ...
  +--rw qos {qos}?
  |   ....
  +--rw perf-mon {perf-mon}?
  |    ...
    +--rw security
  |    ...

  

          ]]></artwork>
        </figure>
  
      </section>

      <section title="L3SM Augmentations  Description for extended-L3VPN Requirements">
        <section title="Dynamic networking provisioning">
          <t>Requirement: </t> 
          <list style="symbols">
          <t>Customers with workloads including, but not limited to,  data computation offloaded to cloud DCs,
           periodic data circulation for audit or other purpose and temporary event organization 
           demand task-based connectivity: 
          VPN tunnels are set up only when data transmission tasks start and torn down upon task completion.
           This avoids the extra costs incurred by persistent long-term VPN subscriptions from operators.
          </t>
          <t>Customers require connection 
 provisioning latency to be provided as an SLO attribute, 
 which quantifies the time offset between the requested-start and actual-start timestamps.</t>
          </list>
          <t>Gap in <xref target="RFC8299"/>: L3SM assumes persistent connectivity; it doesn't provide
   parameters to specify the requested-start time and requested-stop time of AC connections or activation time
   constraints.</t>
             <t>Gap in <xref target="RFC9834"/>: The ietf-bearer-svc data yang model defined in <xref target="RFC9834"/> 
             provides the requested-start and requested-stop nodes
             to specify the expected activation and deactivation date and time of a bearer; 
         but  it lacks nodes to indicate whether the connection remains always-on throughout the requested period. 
           In certain scenarios, the connection does not operate in always-on mode over the requested time window;
            its activation is limited to specific time slots on designated calendar days. A list-type node for L3VPN activation times
             shall be provided to allow customers to specify multiple connection periods in a single configuration. </t>
          <t> Extensions:</t>
           <t> In L3SM, a site refers to a physical location and associated customer premises equipment.
          AC represents a logical VPN access channel provided by the operator for customers.
          After configured by the operator, an AC can be bound to a VPN instance to implement end-to-end VPN networking services.
          From operational practice,sites are typically static and seldom rebuilt or dismantled,
           while logic access links may be established and bounded to VPN instanceon demand. 
           As an implementation example, dynamic networking mainly refers to the 
           on-demand establishment, association and teardown of ACs. This document is not limited to any specific implementation approach.
         </t>
         <t>This YANG data model defines support for on-demand establishment, association and release of VPN
   connectivity , with specified provisioning delay constraints.
   The detailed implementation mechanisms for fast activation and deactivation of L3VPN 
   connections are implementation-specific and out of scope of this document.</t>


           <t>Figure 3 illustrates the module augmentation subtree structure of dynamic networking.</t>
        <figure anchor="fig-dynamic-networking-subtree">
          <name>Augmentation Dynamic Networking Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
        /l3vpn-svc:site-network-accesses
        /l3vpn-svc:site-network-access:
  +--rw service
  |  +--rw requested-start? yang:date-and-time
  |     when "../dynamic-attribute/always-on = true";
  |  +--rw requested-stop? yang:date-and-time
  |     when "../dynamic-attribute/always-on = true";
  |  +--rw svc-input-bandwidth uint64
  |  +--rw svc-output-bandwidth uint64
  |  +--rw dynamic-attribute /
   {dynamic networking and/or bandwidth adjustment}
  |  |  +--rw always-on? boolean
  |  |  +--rw active-networking-policy {not-always-on}?
  |  |     +--rw connection-provisioning-delay-ref? leafref
  |  |     +--rw (policy-mode)
  |  |        +--:(immediate)
  |  |        |  +--rw duration-hours uint16
  |  |        |  +--ro actual-start-time yang:date-and-time
  |  |        |  +--ro actual-stop-time yang:date-and-time
  |  |        +--:(scheduled)
  |  |           +--rw time-period* [period-id]
  |  |              +--rw period-id string
  |  |              +--rw date-list* [date-id]
  |  |                 +--rw date-id string
  |  |                 +--rw target-date yang:date
  |  |              +--rw time-slot* [slot-id]
  |  |                 +--rw slot-id string
  |  |                 +--rw start-time yang:time-of-day
  |  |                 +--rw stop-time yang:time-of-day
  |  |                 +--ro actual-start-time yang:date-and-time
  |  |                 +--ro actual-stop-time yang:date-and-time


          ]]></artwork>
        </figure>
          <list style="symbols">
           <t>dynamic-attribute: The dynamic-attribute container groups all parameters associated with 
           dynamic service provisioning.
           This parameter is 
      configurable only when the dynamic networking and/or bandwidth adjustment feature is enabled.
      If this feature is not enabled, the service shall adopt the conventional L3SM model which assumes persistent connectivity. </t>
            <t>always-on: Boolean flag indicating whether the
      connection is consistent (default true) . The requested-start and requested-stop parameters 
      are only configurable when always-on is enabled.
      If always-on is false, the customer need to specify the exact time slots.</t>          
            <t>connection-provisioning-delay: Latency parameter specifying 
            the time offset between requested activation and actual activation of the connection. 
            Network operators may predefine a set of latency-related templates, 
      from which customers may select the one matching their service requirements. The connection-provisioning-delay 
      attribute can reference a predefined latency template.  </t>
            <t>active-networking-policy:The active-networking-policy container groups 
           parameters associated with 
           dynamic networking service capabilities, including  connection-provisioning-delay and specify exact time slots for networking service
           ,which is only valid when the always-on attribute is set to false.

            <list style="symbols">
               <t> policy-mode: There are two types of requirements for specifying exact time slots: immediate activation and scheduled activation.  Upon reaching the scheduled active time, the network controller should deploy relevant configurations to bring up 
      the specified connections, and when  reaching the scheduled tear-down time, 
      the network controller should deploy corresponding configurations to tear down this connection. 
      In addition to bring up or tearing down the target access link, 
      the controller should simultaneously add or remove all relevant configurations 
      associated with the VPN service  that reference this access link from other access links. 
                         <list style="symbols">
                     <t>Immediate activation means 
      that service configurations are deployed right after customer subscription. Under the immediate activation mode, the start time does not need to be specified, 
      and the end time is derived from the reserved duration.</t>

                      <t> Scheduled activation means supports for explicit calendar date-specific activation, 
            allowing customers to suscribe a list of exact valid dates(YYYY-MM-DD)  and corresponding intra-day time slots 
             on which the dynamic networking service takes effect.</t>   
                    </list>       
                     </t>
                <t>connection-provisioning-delay monitoring: The read-write start-time and end-time are 
                configured to express customers' expected time to enable/ disable
            the connection, 
            while the corresponding read-only actual-start-time and actual-end-time reports
             the actual date and time when the bearer was enable/ disable. The difference between the actual 
             timestamps and the expected  timestamps  represents the actual service provisioning delay.
             This value is used by customers to check whether the service meets the connection-provisioning-delay SLO constraints.</t>
             </list> 
            </t>
          </list>
        </section>

        <section title="Dynamic bandwidth adjustment">
          <t>Requirement: </t>
            <list style="symbols">
              <t> Customers maintain a low-bandwidth persistent connection
          for regular use.
           When special requirements arise (such as large data transmission workloads), 
           higher-bandwidth connections may be provisioned temporarily.   </t>
              <t>Customers require bandwidth adjustment
 provisioning latency to be provided as an SLO attribute, 
 which quantifies the adjustment time offset between the requested-start/stop time and actual-start/end timestamps.</t>
           </list>
          <t> Gap in <xref target="RFC8299"/>: L3SM specifies static bandwidth parameters
   (svc-input-bandwidth, svc-output-bandwidth) without support for elastic bandwidth
   adjustment and adjustment provisioning delay constraints.</t>
          <t> Extensions:</t>
          <t>This YANG data model defines support for
            adjustment of bandwidth allocations. Figure 4 illustrates the module augmentation subtree structure of dynamic bandwidth adjustment.</t>
        <figure anchor="fig-dynamic-bandwidth-subtree">
          <name>Augmentation Dynamic bandwidth Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
        /l3vpn-svc:site-network-accesses
        /l3vpn-svc:site-network-access:
  +--rw service
  |  +--rw requested-start? yang:date-and-time
  |     when "../dynamic-attribute/always-on = true";
  |  +--rw requested-stop? yang:date-and-time
  |     when "../dynamic-attribute/always-on = true";
  |  +--rw svc-input-bandwidth uint64
  |  +--rw svc-output-bandwidth uint64
  |  +--rw dynamic-attribute   /
   {dynamic networking and/or bandwidth adjustment}
  |  |  +--rw always-on? boolean
  |  |  +--rw active-networking-policy {not-always-on}?
  |  |            ...
  |  |  +--rw dynamic-bandwidth-attribute 
  |  |     +--rw dynamic-bandwidth-indicator? boolean
  |  |     +--rw bandwidth-adjustment-provisioning-delay-ref  leafref
  |  |     +--rw max-adjustment-bandwidth-range?   leafref
  |  |        +--rw (policy-mode)
  |  |           +--:(immediate)
  |  |           |  +--rw duration-hours uint16
  |  |           |  +--rw svc-input-bandwidth uint64
  |  |           |  +--rw svc-output-bandwidth uint64
  |  |           |  +--ro actual-start-time yang:date-and-time
  |  |           |  +--ro actual-stop-time yang:date-and-time
  |  |           +--:(scheduled)
  |  |              +--rw time-period* [period-id]
  |  |                 +--rw period-id string
  |  |                 +--rw date-list* [date-id]
  |  |                    +--rw date-id string
  |  |                    +--rw target-date yang:date
  |  |                 +--rw time-slot* [slot-id]
  |  |                    +--rw slot-id string
  |  |                    +--rw start-time yang:time-of-day
  |  |                    +--rw stop-time yang:time-of-day
  |  |                    +--ro actual-start-time yang:date-and-time
  |  |                    +--ro actual-stop-time yang:date-and-time
  |  |                    +--rw svc-input-bandwidth uint64
  |  |                    +--rw svc-output-bandwidth uint64

          ]]></artwork>
        </figure>
          <list style="symbols">
           <t>dynamic-bandwidth-attribute: The dynamic-bandwidth-attribute container groups 
            parameters associated with 
           dynamic bandwidth adjustment service including  
           bandwidth-provisioning-delay, max-adjustment-bandwidth-range and specify exact time slots for bandwidth adjustment service.
           When alway-on is true, the svc-input-bandwidth node and the svc-output-bandwidth node under /site-network-access/service indicates 
       the base bandwidth value applicable to the access link.
       
           <list style="symbols">
            <t>dynamic-bandwidth-enabled: Boolean flag indicating whether
      bandwidth adjustment is enabledd (default false).</t>
            <t>maximum-bandwidth-adjustment-profile: Maximum range allowed
      for a bandwidth modification. This parameter is a factor that operators take into account 
      when selecting appropriate bearer solution for access links.
  As an illustration, operators may deploy GE links between CE and PE when the maximum bandwidth is less than 1 Gbps. 
      If the required bandwidth exceeds 10 Gbps, 50G-PON or 100G interfaces can be adopted as the access medium instead.
      The exact approach to be adopted is implementation-specific and determined by the actual deployment. </t>
            <t>bandwidth-adjustment-provisioning-delay: Maximum allowed
      delay to complete a bandwidth modification. Network operators may predefine a set of latency-related templates, 
      from which customers may select the one matching their service requirements.  </t>
            <t> bandwidth-flex-policy:There are two types of requirements  to specify exact time slots: 
      immediate activation and scheduled activation. Immediate activation means 
      that service configurations are deployed right after customer subscription.
      scheduled activation means supports for explicit calendar date-specific activation, 
            allowing customers to suscribe a list of exact valid dates(YYYY-MM-DD)  and corresponding intra-day time slots 
             on which the dynamic bandwidth service takes effect.
      
      Upon reaching the scheduled adjustment time, the network controller should deploy relevant configurations to adjust the bandwidth to a new value, 
      and when the scheduled bandwidth restoration time arrives, 
     the controller shall revert the bandwidth of the access link to its baseline value. 
      Operators may adopt different bandwidth adjustment implementation mechanisms 
      according to distinct SLO requirements for adjustment latency.</t>   
            <t>bandwidth-adjustment-provisioning-delay monitoring: The read-write start-time and 
            stop-time are configured to express customers' expected time to adjust the bandwidth of
            the connection, 
            while the corresponding read-only actual-start-time and actual-end-time reports
             the actual date and time when the bandwidth adjustment  was completed. The offset between the actual 
             timestamps and the expected  timestamps  represents the actual service provisioning delay.
             This value is used by customers to check whether the service meets the bandwidth-adjustment-provisioning-delay
              SLO constraints.</t>
              </list>
              </t>
          </list>
        </section>

        <section title="Enhanced qos">
          <t>Requirement: </t>
          <list style="symbols">
             <t>
   With the widespread deployment of SRv6 network slicing, L3VPN services require slicing-specific SLO/SLE parameters including isolation.
L3SM shall support binding L3VPN instances to dedicated slicing SLO/SLE guarantees.</t>
          <t> Customers expect QoS flow classification policies to be reusable across other functional modules in the same L3VPN service, 
          such as security and performance monitoring, to reduce the complexity of flow classification definitions.</t>
          
          
          <t>The provisioning of QoS functionality consists of traffic classification policies and QoS policies. As noted above,
           reusable flow classification policies are required. For QoS policies, 
          customers require a globally applicable QoS policy to eliminate the high complexity of separate configurations per site and per link.
           Sites or links with special requirements may be assigned customized settings individually.  </t>
          </list>
          <t>Gap in <xref target="RFC8299"/>: </t>
          <list style="symbols">
            <t>L3SM provides basic QoS profiles but lacks
   integration with network slicing constructs and parameterized SLO/SLE
   specifications.</t>
            <t>Traffic classification policies reside under the QoS container, making them inconvenient to be reused by other functional modules.</t>
          <t><xref target="RFC8299"/> defines QoS policies at the site and site-network-access levels,
           without support for the vpn-service level. This results in extensive duplicated configurations 
           across individual sites and increases operational complexity. </t>
          
           </list>
          <t> Extensions:</t>
          <t>This YANG data model defines support for
            enhanced qos. Figure 5 illustrates the module augmentation subtree structure of enhanced qos.</t>
        <figure anchor="fig-qos-subtree">
          <name>Augmentation Qos Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
  |  +--rw qos {qos}?
  |     +--rw (qos-profile)
  |        +--:(custom) {qos-custom}?
  |           +--rw classes {qos-custom}?
  |              +--rw class* [class-id]
  |                 +--rw class-id string
  |                 +--rw isolation* identityref

          ]]></artwork>
        </figure>
          <list style="symbols">
            <t>isolation: Specify the requirement that the L3VPN Service is not impacted
       by the existence of other customers or services in the same
       network. The definition of isolation aligns with
   [I-D.ietf-teas-ietf-network-slice-nbi-yang], enabling consistent
   policy application across VPN and slice services. </t>
          </list>
   <t>As mentioned above, the provisioning of QoS functionality consists of traffic classification policies and QoS policies. 
   QoS profiles serve as containers for QoS policies. QoS profiles can be supplied as standardized templates by the operators, 
          or customized independently by customers. QoS policies are appropriate for global definition under the vpn-service node and applicable
          accross all sites and access links. Traffic classification policies ought to be tied to specific sites and access links, 
          and therefore should be defined at the site level and access link level to enable  reuse across different functional modules.</t>
      
          <t> Traffic-classification subtree structure is shown in Figure 6.</t>

             <figure anchor="fig-classID-subtree">
          <name>Traffic-classification Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site:
  
  +--rw classification-policy* [rule-id]
  |  +--rw rule-id yt:uint32
  |  +--rw (match-type)
  |     +--:(match-flow)
  |        +--rw dscp? inet:dscp
  |        +--rw dot1p? uint8
  |        +--rw protocol-field? uint8
  |        +--rw ipv4-src-prefix? inet:ipv4-prefix
  |        +--rw ipv4-dst-prefix? inet:ipv4-prefix
  |        +--rw ipv6-src-prefix? inet:ipv6-prefix
  |        +--rw ipv6-dst-prefix? inet:ipv6-prefix
  |        +--rw l4-src-port? inet:port-number
  |        +--rw target-sites* [svc-id] {target-sites}?
  |        +--rw l4-src-port-range?
  |        |  +--rw lower-port? inet:port-number
  |        |  +--rw upper-port? inet:port-number
  |        +--rw l4-dst-port-range?
  |        |  +--rw lower-port? inet:port-number
  |        |  +--rw upper-port? inet:port-number
  |     +--:(match-application)
  |        +--rw match-application? identityref
  |  +--rw target-class-id? string
  +--rw security
  |     +--rw class* [class-id]  
  |              ...   
  +--rw service  
  |     +--rw (qos-profile)
  |        +--:(custom)
  |           +--rw classes {qos-custom}?
  |              +--rw class* [class-id]
  |              ...   

          ]]></artwork>
        </figure> 

          <t> The global qos policy  subtree structure is shown in Figure 7.</t>

 <figure anchor="fig-vpn-service-qos-subtree">
          <name>Global qos policy Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-service:

  +--rw qos {qos}?
  |   ....
 
          ]]></artwork>
        </figure> 


        </section>
<!--
        <section title="Enhanced access type and enhanced site definition">
          <t>To enhance the convenience for customers to access computing resources, 
            the network should have the capability of ubiquitous access and extensive 
            coverage, supporting flexible customer access through diverse means.</t>
          <t>Overlay access methods (e.g., PPPoEo6) can enhance convenience through 
            decoupling customer-side service logic from the underlying network. 
            TO DO the detailed parameters.</t>
          <t>In addition, a customer site may change location frequently. For example, 
            a photographer may carry out shooting at various locations while requiring 
            timely data transmission over the VPN service. Roaming access can be 
            supported through multiple approaches, including cellular access, Wi-Fi 
            access, and deployment of data ferry point. The selection of the 
            appropriate approach is determined by the roaming requirements of the 
            customer.</t>
          <t>The following parameters should be incorporated to L3SM.</t>
          <list style="symbols">
            <t>site-roaming-indicator: this new parameter is used to indicates 
              whether the physical location of the customer site changes frequently, 
              for example, on an hourly or daily basis.</t>
            <t>site-roaming-frequency: this new parameter indicates how often the 
              user moves the site, for example, on an hourly or daily basis.</t>
            <t>site-roaming-scope: this new parameter indicates the geographic 
              range within which the customer moves the site, for example, within 
              local or regional.</t>
          </list>
        </section>
-->
        <section title="Performance Monitoring">
          <t>Requirement: Provide end-to-end service quality visibility.</t>
          <t>Gap in <xref target="RFC8299"/>:The base L3SM lacks native monitoring
configuration options and service-level performance metrics.</t>
          <t> Extensions:</t>
                   <t>Figure 8 illustrates the module augmentation subtree structure of perf-mon.      </t>
        <figure anchor="fig-pf-subtree">
          <name>Augmentation Performance Monitoring Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
  
  +--rw perf-mon {perf-mon}?
  |  +--rw enable? boolean
  |  +--rw perf-mon-profile
  |     +--rw (perf-mon-profile)
  |        +--:(standard)
  |        |  +--rw profile? 
  |        +--:(custom) {perf-mon-custom}?
  |           +--rw measurement-interval yt:uint32 units seconds
  |           +--rw pm-attributes
  |              +--ro one-way-min-delay? yang:gauge64
  |              +--ro one-way-max-delay? yang:gauge64
  |              +--ro one-way-delay-variation? yang:gauge64
  |              +--ro one-way-packet-loss? decimal64
  |              +--ro two-way-min-delay? yang:gauge64
  |              +--ro two-way-max-delay? yang:gauge64
  |              +--ro two-way-delay-variation? yang:gauge64
  |              +--ro two-way-packet-loss? decimal64

          ]]></artwork>
        </figure>
          <list style="symbols">
            <t>monitoring-enabled: Boolean flag to enable performance
monitoring for the L3VPN service (default false).</t>
            <t>measurement-interval: Specifies the performance measurement interval, in seconds.</t>
            <t>pm-attributes (read-only): A set of operational state and service-level performance
metrics, including delay, packet loss and jitter, to enrich
operational state data and enhance end-to-end quality visibility.</t>
          </list>
        </section>
        <section title="Enhanced security">
          <t>Requirement: </t>
          <list style="symbols">
          <t>Support quantum-safe encryption for high-security data
   transmission scenarios, defending data against potential cracking threats brought by future cryptographically relevant quantum computers 
   and providing long-term transmission confidentiality.</t>
          <t>Support ce-ce encryption to safeguard security throughout the full data transmission process.</t>
          <t>Support fine-grained traffic encryption to encrypt designated flows instead of full-traffic encryption. Driven by service charges
           and forwarding 
          performance constraints, customers demand flow-granular encryption.</t>
    
          </list>
          <t>Gap in <xref target="RFC8299"/>: </t>
          <list style="symbols">
             <t>L3SM defines basic encryption enablement,
           including specifying the encryption algorithm applied to ESP payloads and 
         specifying PSK applied for peer authentication during the IKE negotiation phase.
         But L3SM lacks    parameters for quantum key distribution (QKD) and post-quantum
   cryptography (PQC) integration.</t>
          <t> The current specification only supports encryption across the CE-to-PE segment.
     For scenarios where CEs are managed by the operator, customers require encryption service across the whole CE-to-CE path.</t>
           <t>The encryption mechanism defined in <xref target="RFC8299"/> only applies to full traffic on access links and operates at a  relatively coarse granularity. </t>
          <t>Editor's Note: The ce-ce/PE-PE quantum-safe encryption  service type for quantum-safe security is TBD. </t>
          </list>
          <t> Extensions:</t>
          <t>Figure 9 illustrates the module augmentation subtree structure of enhanced security. </t>
        <figure anchor="fig-secutiry-subtree">
          <name>Augmentation security Subtree Structure </name>
          <artwork type="yang" align="left" ><![CDATA[
+--rw security
  |  +--rw authentication? string
  |  +--rw encryption {encryption}?
  |  |  +--rw enabled? boolean
  |  |  +--rw layer? enumeration
  |  |  +--rw encryption-profile
  |  |     +--rw (profile)?
  |  |        +--:(provider-profile)
  |  |        |  +--rw profile-name? 
  |  |        +--:(customer-profile)* [class-id]
  |  |           +--rw class-id string
  |  |           +--rw algorithm? string
  |  |           +--rw (key-type)?
  |  |           |  +--:(psk)
  |  |           |     +--rw pre-shared-key? string
  |  |           +--rw post-quantum-encryption-config /
                        {post-quantum-encryption}
  |  |              +--rw enable? boolean
  |  |              +--rw quantum-failover-mode? identityref
  |  |              +--ro quantum-encryption-status? identityref
  |  |              +--rw pqc-config
  |  |              |  +--rw enable? boolean
  |  |              +--rw qkd-config
  |  |                 +--rw enable? boolean
  |  |                 +--rw qkd-key-pool-id? string
  |  |                 +--rw key-refresh-interval? uint32 

          ]]></artwork>
        </figure>
  

          <list style="symbols">
            <t>fine-grained traffic matching: Class-id distinguishes different traffic classification rules for customers.
            slist contains  traffic classification entries for customers,
            which .The customer-profile container is defined as a list with class-id serving as its list key.
             Each entry  defines the mapping between a class-id and its associated
             encryption policy.</t> 
             <t>post-quantum-encryption-config: The post-quantum-encryption-config container aggregates all configuration items 
             associated with post-quantum-encryption and it is gated by the post-quantum-encryption feature.
             <list style="symbols">
             <t> The post-quantum-encryption-config 
             container unifies configuration for the two primary categories of quantum-resistant security services: 
             Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD).</t>
              <t>If a customer requires both QKD and PQC services simultaneously,
              operators need to integrate the two quantum-resistant mechanisms.
A typical implementation leverages PQC during IKE negotiation, and combines key material derived from PQC with QKD keys to produce 
the final session symmetric key.
This document merely provides an illustrative example and imposes no restrictions on operator-specific implementations.
The detailed deployment approach is left to operator.</t>
              </list>
              </t>
            
          
            
             <t>post-quantum-encryption-enable: Boolean flag for post-quantum-encryption  activation, including activation of PQC, QKD, or both.
             The specific activation policy is left to the operators. For instance, some operators may deploy only PQC,
              while others adopt QKD or a combination of both.</t>
             <t> quantum-failover-mode:Failover behavior when quantum ike-key generation fails (fallback to conventional crypto or terminate).</t>
             <t> quantum-encryption-status: a read-only parameter, reports the current operational state of post-quantum encryption.</t>
             <t> PQC-config: The PQC-config container aggregates all configuration items associated with PQC-based encryption.
              At present, only a boolean enable leaf is specified to turn PQC encryption on or off. The PQC-config container  can easily
be augmented with other configuration parameters in future. </t>
             <t>qkd-config: The qkd-config container aggregates all configuration items associated with QKD-based encryption, and can easily
be augmented with other configuration parameters.  
               <list style="symbols">
             <t>qkd-enable:  Boolean flag for QKD-based encryption  activation. </t>
              <t>key-refresh-interval: this leaf specifies the time interval, measured in seconds, 
                at which the quantum key pool shall automatically refresh its stored quantum keys.</t>
              <t>qkd-key-pool-id: this leaf specify the identifier of a QKD key pool managed by the QKD key management entity (KME).
  A QKD key pool stores pre-generated symmetric quantum keys shared between paired QKD endpoints. Identical qkd-key-pool-id values 
  shall be configured on both endpoints of any QKD link.
For QKD-based encryption deployed over either the CE-to-PE or CE-to-CE segment, 
the paired endpoints (CE and PE, or CE and CE) shall share the same qkd-key-pool-id.</t>
                </list>
                </t>
            
          </list>
        </section>

      </section>
    </section>

    <section title="Extended L3SM YANG Module">
      <t>Editor's note: This modules augments the L3SM. The l3vpn-svc-ext is TBD.</t>
      <!--
      <sourcecode type="yang" name="ietf-l3vpn-svc-ext.yang">
  module ietf-l3vpn-svc-ext {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext";
  prefix l3vpn-svc-ext;

  import ietf-l3vpn-svc {
    prefix l3vpn-svc;
    revision-date 2018-01-19;
  }

  import ietf-yang-types {
    prefix yang;
    revision-date 2013-07-15;
  }

  organization
    "IETF ONSEN Working Group";

  contact
    "Editor:  Fengchao Fu 
              &lt;fufengc@chinatelecom.cn&gt;
              Cancan Huang 
              &lt;huangcanc@chinatelecom.cn&gt;
              Bo Wu 
              &lt;lana.wubo@huawei.com&gt;
              Chongfeng Xie 
              &lt;xiechf@chinatelecom.cn&gt;";

  description
    "This module defines extensions to the L3VPN service model 
    for supporting
     dynamic bandwidth adjustment, SLO/SLE profile binding, 
     quantum-safe encryption, 
     performance  monitoring, and QoS enhancement.

     Copyright (c) 2026 IETF Trust and the persons identified as 
     authors of the code.
     All rights reserved.

     Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, Simplified BSD License
    set forth in Section 4.c of the IETF Trust's Legal Provisions
    Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of 
    I-D:draft-fu-onsen-update-L3SM-service-models-00; see
    the I-D itself for full legal notices.";

  revision 2026-04-26 {
    description
      "Added performance  monitoring for service 
      quality visibility. ";
    reference "I-D: draft-fu-onsen-L3SM-extensions-01";
  }

  revision 2026-02-10 {
    description
      "Initial revision with dynamic networking and 
      bandwidth adjustment, SLO/SLE, 
      and quantum encryption extensions.
       Compatible with RFC 7950 (YANG 1.1).";
    reference "I-D: draft-ietf-l3vpn-dynamic-ext-00";
  }

  identity metric-type-base {
    description "Base identity for performance metric types";
  }

  identity latency {
    base metric-type-base;
    description "End-to-end latency metric";
  }

  identity bandwidth {
    base metric-type-base;
    description "Available bandwidth metric";
  }

  identity availability-level-base {
    description "Base identity for service availability levels";
  }

  identity security-policy-base {
    description "Base identity for security policy types";
  }

  identity isolation-level-base {
    description "Base identity for isolation levels";
  }

  identity te-link-disjoint {
    description "Link-disjoint path diversity 
    (IETF TE type semantics)";
  }

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles {
    container maximum-bandwidth-adjustment-profiles {
      description "Collection of maximum bandwidth
      adjustment profiles for dynamic bandwidth";

      list maximum-bandwidth-adjustment-profile {
        key "id";
        description "Single maximum bandwidth adjustment 
        profile for dynamic bandwidth";

        leaf id {
          type string;
          description "Unique identifier 
          for the maximum bandwidth adjustment profile";
        }
      }
    }

    container slo-sle-profiles {
      description "Reusable SLO/SLE profiles for 
      Dynamic-L3VPN QoS binding";

      list slo-sle-profile {
        key "id";
        description "SLO/SLE profile defining performance 
        and experience constraints";

        leaf id {
          type string;
          description "Unique identifier for the SLO/SLE profile";
        }

        leaf description {
          type string;
          mandatory false;
          description "Human-readable description 
          of the SLO/SLE profile";
        }

        leaf profile-ref {
          type leafref {
            path "/l3vpn-svc:l3vpn-svc
                 /l3vpn-svc:vpn-profiles
                 /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles
                 /l3vpn-svc-ext:maximum-bandwidth-adjustment-profile
                 /id";
          }
          mandatory false;
          description "Reference to an associated network
          slice profile";
        }

        container slo-policy {
          description "Service Level Objective (SLO) 
          policy constraints";

          list metric-bound {
            key "metric-type";
            description "Bound on a specific performance metric";

            leaf metric-type {
              type identityref {
                base metric-type-base;
              }
              description "Type of performance metric 
              (latency, bandwidth, etc.)";
            }

            leaf metric-unit {
              type string;
              description "Unit of measurement for 
              the metric (ms, Mbps, %)";
            }

            leaf value-description {
              type string;
              mandatory false;
              description "Additional context for the metric value";
            }

            leaf percentile-value {
              type uint8;
              mandatory false;
              description "Percentile for the metric bound (0-100)";
            }

            leaf bound {
              type uint64;
              mandatory false;
              description "Threshold value for the 
              performance metric";
            }
          }

          leaf availability {
            type identityref {
              base availability-level-base;
            }
            mandatory false;
            description "Required service availability level 
            (99.999%, etc.)";
          }

          leaf mtu {
            type uint32;
            mandatory false;
            description "Maximum Transmission Unit 
            (bytes) for the service";
          }
        }

        container sle-policy {
          description "Service Level Experience (SLE) 
          policy constraints";

          leaf-list security {
            type identityref {
              base security-policy-base;
            }
            description "Security policies applied 
            (TLS 1.3, IPsec, etc.)";
          }

          leaf-list isolation {
            type identityref {
              base isolation-level-base;
            }
            description "Isolation requirements 
            (network, tenant, etc.)";
          }

          leaf max-occupancy-level {
            type uint8;
            mandatory false;
            description "Maximum resource occupancy level
             (0-255, percentage scale)";
          }

          container path-constraints {
            description "Constraints on data path selection";

            leaf service-functions {
              type string;
              description "Required service functions on the
               path (firewall, IDS, etc.)";
            }

            container diversity {
              description "Path diversity requirements 
              for redundancy";

              leaf diversity-type {
                type identityref {
                  base te-link-disjoint;
                }
                mandatory false;
                description "Type of path disjointness 
                (link-disjoint)";
              }
            }
          }
        }
      }
    }
  }

  augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site {
    leaf temporary-connection-indicator {
      type boolean;
      default false;
      description "Indicator if this site has a 
      temporary connection";
    }

    leaf effective-time-window {
      type yang:date-and-time;
      mandatory false;
      when "../l3vpn-svc-ext:temporary-connection-indicator 
           = 'true'";
      description "Time window for temporary connection validity";
    }

    container service {
      container qos {
        container qos-profile {
          leaf slo-sle-profile {
            type leafref {
              path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles
                    /l3vpn-svc-ext:slo-sle-profiles
                    /l3vpn-svc-ext:slo-sle-profile
                    /id";
            }
            mandatory false;
            when "../qos-profile-enabled = 'true'";
            description "Reference to SLO/SLE profile 
            for site-level QoS binding";
          }

          leaf qos-profile-enabled {
            type boolean;
            default false;
            description "QoS profile enable flag";
          }
        }
      }
    }

    container security-encryption {
      leaf quantum-encryption-enable {
        type boolean;
        default false;
        description "Enable quantum-resistant encryption 
        for site security";
      }

      leaf quantum-encryption-mode {
        type uint8;
        default 1;
        mandatory false;
        when "../quantum-encryption-enable = 'true'";
        description "Quantum encryption mode 
        (1=default, 2=enhanced)";
      }

      leaf quantum-encryption-status {
        type enumeration {
          enum idle {
            description "Quantum encryption not active";
          }
          enum active {
            description "Quantum encryption in use";
          }
          enum error {
            description "Quantum encryption error state";
          }
        }
        config false;
        description "Operational status of quantum 
        encryption (read-only)";
      }
    }
  }

  augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites"
        +"/l3vpn-svc:site/l3vpn-svc:site-network-accesses"
        +"/l3vpn-svc:site-network-access" {
    container service {
      leaf dynamic-bandwidth-indicator {
        type boolean;
        default false;
        description "Enable dynamic bandwidth adjustment
         for this service";
      }

      leaf effective-time-window {
        type yang:date-and-time;
        mandatory false;
        when "../dynamic-bandwidth-indicator = 'true'";
        description "Time window for dynamic bandwidth validity";
      }
      leaf maximum-bandwidth-adjustment-profile-ref {
        type leafref {
          path "/l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles
                /l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles
                /l3vpn-svc-ext:maximum-bandwidth-adjustment-profile
                /id";
        }
        mandatory false;
        when "../dynamic-bandwidth-indicator = 'true'";
        description "Reference to 
        a maximum bandwidth adjustment profile.";
      }

      container performance-monitoring {
        description "Service-level performance monitoring.";

        leaf monitoring-enabled {
          type boolean;
          default false;
          description "Enable performance monitoring.";
        }

        leaf monitoring-mode {
          type enumeration {
            enum end-to-end;
          }
          default end-to-end;
          description "Performance monitoring mode.";
        }

        container operational-state {
          config false;
          description "Operational state and performance metrics.";

          leaf monitor-status {
            type enumeration {
              enum active;
              enum inactive;
              enum degraded;
              enum fault;
            }
            description "Current monitoring status.";
          }

          leaf average-delay {
            type uint32;
            units milliseconds;
            description "Average end-to-end packet delay.";
          }

          leaf packet-loss-rate {
            type decimal64 {
              fraction-digits 2;
              range "0 .. 100";
            }
            units percent;
            description "Packet loss rate.";
          }

          leaf jitter {
            type uint32;
            units milliseconds;
            description "Packet delay jitter.";

          }
        }
      }
   
    }

    container ip-connection-security {
      leaf quantum-encryption-enable {
        type boolean;
        default false;
        description "Enable quantum-resistant 
        encryption for IP connection security";
      }

      leaf quantum-encryption-mode {
        type uint8;
        default 1;
        mandatory false;
        when "../quantum-encryption-enable = 'true'";
        description "Quantum encryption mode 
        (1=default, 2=enhanced)";
      }

      leaf quantum-encryption-status {
        type enumeration {
          enum idle {
            description "Quantum encryption not active";
          }
          enum active {
            description "Quantum encryption in use";
          }
          enum error {
            description "Quantum encryption error state";
          }
        }
        config false;
        description "Operational status of quantum 
        encryption (read-only)";
      }

      container service {
        container qos {
          container qos-profile {
            leaf slo-sle-profile {
              type leafref {
                path "/l3vpn-svc:l3vpn-svc
                      /l3vpn-svc:vpn-profiles
                      /l3vpn-svc-ext:slo-sle-profiles
                      /l3vpn-svc-ext:slo-sle-profile/id";
              }
              mandatory false;
              when "../qos-profile-enabled = 'true'";
              description "Reference to SLO/SLE profile 
              for IP connection-level QoS binding";
            }

            leaf qos-profile-enabled {
              type boolean;
              default false;
              description "QoS profile enable flag";
            }
          }
        }
      }
    }
  }
}
      </sourcecode>
-->
    </section>
  
    <section title="Service Model Usage Example">
     
    <t>Editor's note:The Service Model Usage Example is TBD.</t>

<!--
<figure>
    <artwork type="xml">
<![CDATA[
<l3vpn-svc:l3vpn-svc
  xmlns:l3vpn-svc="urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc"
  xmlns:l3vpn-svc-ext=
    "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext">

  <l3vpn-svc:vpn-profiles>
    <l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles>
      <l3vpn-svc-ext:maximum-bandwidth-adjustment-profile>
        <l3vpn-svc-ext:id>bw-1000m</l3vpn-svc-ext:id>
      </l3vpn-svc-ext:maximum-bandwidth-adjustment-profile>
    </l3vpn-svc-ext:maximum-bandwidth-adjustment-profiles>

    <l3vpn-svc-ext:slo-sle-profiles>
      <l3vpn-svc-ext:slo-sle-profile>
        <l3vpn-svc-ext:id>slo-gold</l3vpn-svc-ext:id>
        <l3vpn-svc-ext:profile-ref>
          bw-1000m
        </l3vpn-svc-ext:profile-ref>
        <l3vpn-svc-ext:slo-policy>
          <l3vpn-svc-ext:metric-bound>
            <l3vpn-svc-ext:metric-type>
              bandwidth
            </l3vpn-svc-ext:metric-type>
            <l3vpn-svc-ext:metric-unit>
              Mbps
            </l3vpn-svc-ext:metric-unit>
            <l3vpn-svc-ext:bound>1000</l3vpn-svc-ext:bound>
          </l3vpn-svc-ext:metric-bound>
          <l3vpn-svc-ext:metric-bound>
            <l3vpn-svc-ext:metric-type>
              latency
            </l3vpn-svc-ext:metric-type>
            <l3vpn-svc-ext:metric-unit>ms</l3vpn-svc-ext:metric-unit>
            <l3vpn-svc-ext:bound>50</l3vpn-svc-ext:bound>
          </l3vpn-svc-ext:metric-bound>
          <l3vpn-svc-ext:mtu>9214</l3vpn-svc-ext:mtu>
        </l3vpn-svc-ext:slo-policy>
      </l3vpn-svc-ext:slo-sle-profile>
    </l3vpn-svc-ext:slo-sle-profiles>
  </l3vpn-svc:vpn-profiles>

  <l3vpn-svc:sites>
    <l3vpn-svc:site>
      <l3vpn-svc:site-id>site-a</l3vpn-svc:site-id>
      <l3vpn-svc:site-role>hub</l3vpn-svc:site-role>
      <l3vpn-svc-ext:service>
        <l3vpn-svc-ext:qos>
          <l3vpn-svc-ext:qos-profile>
            <l3vpn-svc-ext:qos-profile-enabled>
              true
            </l3vpn-svc-ext:qos-profile-enabled>
            <l3vpn-svc-ext:slo-sle-profile>
              slo-gold
            </l3vpn-svc-ext:slo-sle-profile>
          </l3vpn-svc-ext:qos-profile>
        </l3vpn-svc-ext:qos>
      </l3vpn-svc-ext:service>
      <l3vpn-svc-ext:security-encryption>
        <l3vpn-svc-ext:quantum-encryption-enable>
          true
        </l3vpn-svc-ext:quantum-encryption-enable>
        <l3vpn-svc-ext:quantum-encryption-mode>
          1
        </l3vpn-svc-ext:quantum-encryption-mode>
      </l3vpn-svc-ext:security-encryption>
      <l3vpn-svc:site-network-accesses>
        <l3vpn-svc:site-network-access>
          <l3vpn-svc:access-id>to-b</l3vpn-svc:access-id>
          <l3vpn-svc-ext:service>
            <l3vpn-svc-ext:dynamic-bandwidth-indicator>
              true
            </l3vpn-svc-ext:dynamic-bandwidth-indicator>
            <l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
              bw-1000m
            </l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
          </l3vpn-svc-ext:service>
          <l3vpn-svc-ext:ip-connection-security>
            <l3vpn-svc-ext:quantum-encryption-enable>
              true
            </l3vpn-svc-ext:quantum-encryption-enable>
            <l3vpn-svc-ext:quantum-encryption-mode>
              1
            </l3vpn-svc-ext:quantum-encryption-mode>
          </l3vpn-svc-ext:ip-connection-security>
        </l3vpn-svc:site-network-access>
        <l3vpn-svc:site-network-access>
          <l3vpn-svc:access-id>to-c</l3vpn-svc:access-id>
          <l3vpn-svc-ext:service>
            <l3vpn-svc-ext:dynamic-bandwidth-indicator>
              true
            </l3vpn-svc-ext:dynamic-bandwidth-indicator>
            <l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
              bw-1000m
            </l3vpn-svc-ext:maximum-bandwidth-adjustment-profile-ref>
          </l3vpn-svc-ext:service>
          <l3vpn-svc-ext:ip-connection-security>
            <l3vpn-svc-ext:quantum-encryption-enable>
              true
            </l3vpn-svc-ext:quantum-encryption-enable>
            <l3vpn-svc-ext:quantum-encryption-mode>
              1
            </l3vpn-svc-ext:quantum-encryption-mode>
          </l3vpn-svc-ext:ip-connection-security>
        </l3vpn-svc:site-network-access>
      </l3vpn-svc:site-network-accesses>
    </l3vpn-svc:site>

    <l3vpn-svc:site>
      <l3vpn-svc:site-id>site-b</l3vpn-svc:site-id>
      <l3vpn-svc:site-role>spoke</l3vpn-svc:site-role>
      <l3vpn-svc-ext:service>
        <l3vpn-svc-ext:qos>
          <l3vpn-svc-ext:qos-profile>
            <l3vpn-svc-ext:qos-profile-enabled>
              true
            </l3vpn-svc-ext:qos-profile-enabled>
            <l3vpn-svc-ext:slo-sle-profile>
              slo-gold
            </l3vpn-svc-ext:slo-sle-profile>
          </l3vpn-svc-ext:qos-profile>
        </l3vpn-svc-ext:qos>
      </l3vpn-svc-ext:service>
      <l3vpn-svc:site-network-accesses>
        <l3vpn-svc:site-network-access>
          <l3vpn-svc:access-id>to-a</l3vpn-svc:access-id>
          <l3vpn-svc-ext:service>
            <l3vpn-svc-ext:performance-monitoring>
              <l3vpn-svc-ext:monitoring-enabled>
              true
              </l3vpn-svc-ext:monitoring-enabled>
              <l3vpn-svc-ext:monitoring-mode>
              end-to-end
              </l3vpn-svc-ext:monitoring-mode>
            </l3vpn-svc-ext:performance-monitoring>
          </l3vpn-svc-ext:service>
        </l3vpn-svc:site-network-access>
      </l3vpn-svc:site-network-accesses>
    </l3vpn-svc:site>

    <l3vpn-svc:site>
      <l3vpn-svc:site-id>site-c</l3vpn-svc:site-id>
      <l3vpn-svc:site-role>spoke</l3vpn-svc:site-role>
      <l3vpn-svc-ext:service>
        <l3vpn-svc-ext:qos>
          <l3vpn-svc-ext:qos-profile>
            <l3vpn-svc-ext:qos-profile-enabled>
              true
            </l3vpn-svc-ext:qos-profile-enabled>
            <l3vpn-svc-ext:slo-sle-profile>
              slo-gold
            </l3vpn-svc-ext:slo-sle-profile>
          </l3vpn-svc-ext:qos-profile>
        </l3vpn-svc-ext:qos>
      </l3vpn-svc-ext:service>
      <l3vpn-svc:site-network-accesses>
        <l3vpn-svc:site-network-access>
          <l3vpn-svc:access-id>to-a</l3vpn-svc:access-id>
          <l3vpn-svc-ext:service>
            <l3vpn-svc-ext:performance-monitoring>
              <l3vpn-svc-ext:monitoring-enabled>
                true
              </l3vpn-svc-ext:monitoring-enabled>
              <l3vpn-svc-ext:monitoring-mode>
                end-to-end
              </l3vpn-svc-ext:monitoring-mode>
            </l3vpn-svc-ext:performance-monitoring>
          </l3vpn-svc-ext:service>
        </l3vpn-svc:site-network-access>
      </l3vpn-svc:site-network-accesses>
    </l3vpn-svc:site>
  </l3vpn-svc:sites>
</l3vpn-svc:l3vpn-svc>
]]>
    </artwork>
  </figure>
  -->
    </section>

    <section title="IANA Considerations">
      <t>This document requests IANA to register the following URI in the
   "IETF XML Registry":</t>
      <t>URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext
   Registrant Contact: The IESG
   XML: N/A; the requested URI is an XML namespace.</t>
      <t> This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry:</t>
      <t>Name: ietf-l3vpn-svc-ext
   Namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-ext
   Prefix: l3vpn-svc-ext
   Reference: RFC XXXX</t>
    </section>

    <section title="Security Considerations">
      <t>The extensions defined in this document inherit the security
   considerations of RFC 8299.</t>
      <t>Additional considerations:</t>
      <list style="symbols">
        <t>Dynamic provisioning mechanisms (e.g., RADIUS COA) MUST be
      secured using mutual authentication and integrity protection.</t>
        <t>Quantum encryption parameters are sensitive; access to these
      configuration nodes SHOULD be restricted to authorized
      administrators.</t>
        <t>Communication between customers and service orchestrators SHOULD
      use TLS 1.3 or equivalent encryption.</t>     
        <t>Dynamic networking capabilities require appropriate security mechanisms 
        to prevent customers from establishing L3VPNs with untrusted peers.
         The specific implementation details of  the mutual trust mechanisms are 
   out of scope.</t>
        <!--
        <t> The extent of dynamic operations should be limited to the session level rather than the
   device level, so as to reduce the risk of failures caused by frequent
   configurations or signaling.  The specific implementation details are  out of scope.</t>
        -->
      </list>  
    </section>
  </middle>

  <back>
    <references title="Normative References">
       <reference anchor="RFC2119" target="https://www.rfc-editor.org/rfc/rfc2119.txt">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author initials="S." surname="Bradner" fullname="Scott Bradner">
            <organization>Harvard University</organization>
          </author>
          <date year="1997" month="March"/>
        </front>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/> 
      </reference>

      <reference anchor="RFC4026">
        <front>
          <title>BGP/MPLS VPN Terminology</title>
          <author initials="E." surname="Rosen" role="editor"/>
          <author initials="Y." surname="Rekhter" role="editor"/>
          <date month="June" year="2005"/>
        </front>
        <seriesInfo name="RFC" value="4026"/>
      </reference>

      <reference anchor="RFC4364">
        <front>
          <title>BGP/MPLS IP Virtual Private Networks (VPNs)</title>
          <author initials="E." surname="Rosen" role="editor"/>
          <author initials="Y." surname="Rekhter" role="editor"/>
          <date month="February" year="2006"/>
        </front>
        <seriesInfo name="RFC" value="4364"/>
      </reference>

      <reference anchor="RFC5176">
        <front>
          <title>Dynamic Authorization Extensions to RADIUS</title>
          <author initials="G." surname="Zorn" role="editor"/>
          <author initials="B." surname="Aboba" role="editor"/>
          <date month="January" year="2008"/>
        </front>
        <seriesInfo name="RFC" value="5176"/>
      </reference>
      
      <reference anchor="RFC8174" target="https://www.rfc-editor.org/rfc/rfc8174.txt">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author initials="B." surname="Leiba" fullname="Barry Leiba">
            <organization>IBM</organization>
          </author>
          <date year="2017" month="May"/>
        </front>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>

      <reference anchor="RFC8299">
        <front>
          <title>A YANG Data Model for Layer 3 VPN Services (L3SM)</title>
          <author initials="M." surname="Bjorklund" role="editor"/>
          <author initials="J." surname="Medved" role="editor"/>
          <author initials="S." surname="Vissicchio" role="editor"/>
          <date month="November" year="2017"/>
        </front>
        <seriesInfo name="RFC" value="8299"/>
      </reference>

      <reference anchor="RFC9833">
        <front>
          <title>A Common YANG Data Model for Attachment Circuits</title>
          <author initials="M." surname="Boucadair" role="editor"/>
          <date month="September" year="2025"/>
        </front>
        <seriesInfo name="RFC" value="9833"/>
      </reference>

      <reference anchor="RFC9834">
        <front>
          <title>A YANG Data Model for Ethernet Transport Bearer Services</title>
          <author initials="M." surname="Boucadair" role="editor"/>
          <date month="October" year="2025"/>
        </front>
        <seriesInfo name="RFC" value="9834"/>
      </reference>

    </references>

    <references title="Informative References">
      <reference anchor="RFC8986">
        <front>
          <title>Segment Routing over IPv6 (SRv6) Network Programming</title>
          <author initials="C." surname="Filsfils" role="editor"/>
          <author initials="S." surname="Previdi" role="editor"/>
          <author initials="D." surname="Dukes" role="editor"/>
          <author initials="S." surname="Matsushima" role="editor"/>
          <author initials="Z." surname="Li" role="editor"/>
          <date month="March" year="2021"/>
        </front>
        <seriesInfo name="RFC" value="8986"/>
      </reference>
<!--
      <reference anchor="RFC9061">
        <front>
          <title>YANG Data Models for Network Resource Partition (NRP)</title>
          <author initials="G." surname="Dawra" role="editor"/>
          <date month="July" year="2021"/>
        </front>
        <seriesInfo name="RFC" value="9061"/>
      </reference>
-->
      <reference anchor="RFC9252">
        <front>
          <title>BGP Overlay Services Based on Segment Routing over IPv6 (SRv6)</title>
          <author initials="G." surname="Dawra" role="editor"/>
          <author initials="K." surname="Talaulikar" role="editor"/>
          <author initials="R." surname="Raszuk"/>
          <author initials="B." surname="Decraene"/>
          <author initials="S." surname="Zhuang"/>
          <author initials="J." surname="Rabadan"/>
          <date month="July" year="2022"/>
        </front>
        <seriesInfo name="RFC" value="9252"/>
      </reference>
    </references>
    <section anchor="appendix-a" pn="section-appendix.a" title="Dynamic-L3VPN service provisioning and lifecycle procedure">
      <t>The VPN instances on the PE devices may be pre-configured as defined in 
          <xref target="RFC4364"/>, with the VPN instance bound to an AC only when 
          establishing end-to-end VPN connectivity. Alternatively, the VPN instance 
          may also be dynamically configured via configuration commands based on 
          customer requirements.</t>
      <t>The dynamic-L3VPN service provisioning and lifecycle procedure is as 
          follows, and we take customer A ordering dynamic-L3VPN service as an example.</t>
      <figure anchor="fig-dynamic-l3vpn-proce">
        <name>Dynamic-L3VPN Service Orchestration Procedure</name>
        <artwork type="ascii-art" align="center"><![CDATA[
+------------+  +---------+      +----+      +----+      +----------+
| Customer-A |  | Ordering|      | CE |      | PE |      | Network  |
|            |  |  System |      |    |      |    |      |Controller|
+------------+  +---------+      +----+      +----+      +----+-----+
      |              |              |           |              |
      | 1. Register  |              |           |              |
      +------------->|              |           |              |
      |              |              |           |              |
      | 2. Submit VPN Service Info  |           |              |
      | (Peer, BW, Start, End)      |           |              |
      +------------->|              |           |              |
      |              |              |           |              |
      |              | 3. Configure CE          |              |
      |              +------------->|           |              |
      |              |              |           |              |
      |              |              | 4. Connect to PE         |
      |              |              +---------->|              |
      |              |              |           |              |
      |              |              |           5. Bind AC to VPN  
      |              |              |           |<-------------+
      |              |              |           |              |
      | 6. Submit Dynamic BW Request|           |              |
      +------------->|              |           |              |
      |              |              |           |              |
      |              | 7. Update Bandwidth (PE) |              |
      |              +------------------------->|              |
      |              |              |           |              |
      | 8. Request Add User to VPN  |           |              |
      +------------->|              |           |              |
      |              |              |           |              |
      |              | 9. Config New CE & PE    |              |
      |              +------------------------->|              |
      |              |              |           |              |
      | 10. Request Remove User     |           |              |
      +------------->|              |           |              |
      |              |              |           |              |
      |              | 11. Config: Remove  AC   |              |
      |              +------------->|           |              |
      |              |              |           |              |
      |              | 12. Config:Remove AC from PE            |
      |              +------------------------->|              |
      |              |              |           |              | 
          ]]></artwork>
        </figure>
        <t>The procedure consists of 12 key steps covering the full lifecycle of 
          dynamic-L3VPN: registration, initial service provisioning, dynamic 
          bandwidth adjustment, peer addition/removal, and resource cleanup. The 
          Network Controller coordinates configuration across CEs and PEs to ensure 
          end-to-end service delivery, while the Ordering System acts as the 
          interface between customers and the network infrastructure. SRv6 (defined 
          in <xref target="RFC8986"/> and <xref target="RFC9252"/>) may be used for 
          path optimization in dynamic-L3VPN.</t>
        <list style="numbers">
          <t>Customer A registers in the service ordering system.</t>
          <t>Customer A enters VPN service parameters into the ordering system, 
            including peer VPN customers, bandwidth requirement, start time, and 
            end time, etc.</t>
          <t>The Network controller provisions configuration to the CE devices of 
            the involved customers.</t>
          <t>Each CE device establishes a connection to its attached PE device.</t>
          <t>The Network controller sends configuration or signaling to the PE 
            devices to bind the customer's AC to the VPN instance.</t>
          <t>Customer A submits an elastic bandwidth adjustment request via the 
            ordering system.</t>
          <t>The Network controller delivers configuration or signaling to the PE 
            devices to modify the bandwidth of the VPN service.</t>
          <t>Customer A submits a request via the ordering system to add one or 
            more new customers to the VPN.</t>
          <t>The Network controller provisions the new customers' CE device and 
            sends configuration or signaling to the corresponding PE devices.</t>
          <t>Customer A submits a request via the ordering system to remove one 
            or more existing customers from the VPN.</t>
          <t>The Network controller updates the configuration of the removed 
            customers' CE devices.</t>
          <t>The Network controller sends configuration or signaling to the 
            corresponding PE devices to delete the associated AC from the VPN.</t>
        </list>
      
    </section>    
    <section title="Acknowledgments" numbered="false">
      <t>The authors wish to thank Mingjiang Fu,  Zhenlin Tan, 
        Wenkuan Qu of China Telecom for their contributions to the
   dynamic L3VPN operational requirements.</t>
    </section>


    <section title="Contributors" numbered="false">
      <t>The following authors contributed significantly to this document.</t>    
      <figure>
<artwork>
<![CDATA[ 
Chongfeng Xie 
China Telecom 
Email: xiechf@chinatelecom.cn  ]]>
</artwork>
</figure>
    </section>
  </back>
</rfc>