



ONSEN Working Group                                                F. Fu
Internet-Draft                                                  C. Huang
Intended status: Informational                             China Telecom
Expires: 15 August 2026                                            B. Wu
                                                                  Huawei
                                                                  C. Xie
                                                           China Telecom
                                                        11 February 2026


              A Service YANG Data Model for dynamic-L3VPN
              draft-fu-onsen-update-l3sm-service-models-00

Abstract

   This document defines extensions to the Layer 3 VPN Service Model
   (L3SM) defined in RFC8299 to support dynamic L3VPN services.  The
   extensions enable (1) dynamic network provisioning with temporary
   connectivity, (2) dynamic bandwidth adjustment, and (3) integration
   of Slice Service Templates for enhanced Service Level Objective (SLO)
   specification.  These capabilities address operational requirements
   for data-intensive workloads that are not supported by the base L3SM
   model, which assumes static connectivity and fixed bandwidth
   allocations.

First Submission

   This is the first submission of this document to the IETF, submitted
   on February 11, 2026.  No pre-RFC5378 disclaimer is required as this
   submission is post-RFC5378.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 August 2026.




Fu, et al.               Expires 15 August 2026                 [Page 1]

Internet-Draft       Enhanced L3SM for dynamic-L3VPN       February 2026


Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Status of This Memo . . . . . . . . . . . . . . . . . . . . .   3
   2.  Copyright Notice  . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Service Model Structure for dynamic-L3VPN . . . . . . . . . .   5
     5.1.  Existing service model  . . . . . . . . . . . . . . . . .   5
     5.2.  Overall composition of the dynamic-L3VPN  . . . . . . . .   5
     5.3.  Overall tree structure  . . . . . . . . . . . . . . . . .   6
     5.4.  L3SM Augmentations for dynamic-L3VPN Requirements . . . .   8
       5.4.1.  Dynamic networking provisioning . . . . . . . . . . .   8
       5.4.2.  Dynamic bandwidth adjustment  . . . . . . . . . . . .   9
       5.4.3.  Slice SLO Template Integration  . . . . . . . . . . .   9
       5.4.4.  Enhanced security . . . . . . . . . . . . . . . . . .  10
   6.  The dynamic-L3VPN ("ietf-l3vpn-svc-dynamic-ext") YANG
           Module  . . . . . . . . . . . . . . . . . . . . . . . . .  10
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  19
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  19
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  19
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  19
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  20
   Appendix A.  Dynamic-L3VPN service provisioning and lifecycle
           procedure . . . . . . . . . . . . . . . . . . . . . . . .  20
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  23
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23

1.  Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF).  Note that
   other groups may also distribute working documents.  The list of
   current Internet-Drafts is at https://datatracker.ietf.org/drafts/
   current/. Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."
   This Internet-Draft will expire on 14 August 2026.

2.  Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.  This document is subject to
   BCP 78 and the IETF Trust's Legal Provisions Relating to IETF
   Documents (https://trustee.ietf.org/license-info) in effect on the
   date of publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

3.  Introduction

   RFC 8299 defines the Layer 3 VPN Service Model (L3SM), which provides
   a customer-facing abstraction for Layer 3 VPN services.  L3SM assumes
   relatively static service characteristics: persistent connectivity
   between fixed sites with bandwidth parameters specified at service
   creation time.

   Operational experience with data-intensive workloads (e.g., large-
   scale data transfer, temporary compute clusters) has identified
   requirements not addressed by the base L3SM model:

   *  Dynamic network provisioning: The ability to establish and tear
      down connectivity on demand, rather than maintaining persistent
      connections.  Conventional L3VPN services must perform frequent
      network reconfigurations to support such dynamic networking, which
      may introduce risks to network stability and is generally
      unacceptable for network operations.

   *  Dynamic bandwidth adjustment: The ability to modify bandwidth
      allocations within seconds or minutes, rather than through
      configuration changes that may take hours or days.

   These operational requirements create corresponding gaps in the
   service model:

   1.  L3SM does not support temporary connectivity with explicit
       activation/deactivation time windows.

   2.  L3SM does not provide parameters for elastic bandwidth ranges or
       adjustment time constraints.

   3.  L3SM lacks integration with network slicing constructs (Slice
       Service Templates) needed for differentiated service tiers.

   This document defines YANG augmentations to RFC 8299 to address these
   gaps.  The extensions are designed to be backward compatible:
   implementations that do not require dynamic capabilities can ignore
   the new parameters.

   The scope of this document is limited to service model extensions.
   Implementation details of underlying mechanisms (e.g., signaling
   protocols, encryption algorithms) are out of scope.

4.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document uses the following terms:

   AC: Attachment Circuit, as defined in [RFC9833].

   CE: Customer Edge, as defined in [RFC4026].

   COA: Change of Authorization, as defined in [RFC5176].

   Dynamic-L3VPN: A Layer 3 VPN service supporting dynamic network
   provisioning and/or dynamic bandwidth adjustment.

   L3SM: Layer 3 VPN Service Model, as defined in [RFC8299].

   L3VPN: Layer 3 Virtual Private Network, as defined in [RFC4026].

   PE: Provider Edge, as defined in [RFC4026].

   Slice Service Template (SST): A reusable policy container defining
   Service Level Objectives (SLOs) and Service Level Expectations (SLEs)
   for network slices, as defined in [I-D.ietf-teas-ietf-network-slice-
   nbi-yang].

5.  Service Model Structure for dynamic-L3VPN

5.1.  Existing service model

   Several IETF working groups have developed YANG modules for
   communication between customers and network operators and for
   delivering VPN services.  Some of these models are listed here:

   *  [RFC8299] defines the Layer 3 Virtual Private Network Service
      Model (L3SM), which is used for communication between customers
      and service providers.  This model provides an abstracted view of
      the Layer 3 IP VPN service configuration components.  It will be
      up to the management system to take this model as input and use
      specific configuration models to configure the different network
      elements to deliver the service.

   *  [RFC9834] defines YANG data models for bearers and Attachment
      Circuits as a Service (ACaaS), which are used to manage the ACs
      that a network exposes to its customers.  Exposing ACs as a
      service greatly simplifies the provisioning of services delivered
      over an AC.

   *  [RFC9061] defines YANG Data Models for Network Resource Partition
      (NRP), which is closely related to network slicing technology.
      The model provides a standardized way to model, provision and
      manage isolated network resource partitions, supporting the
      requirement of service-specific resource isolation, and is highly
      relevant to the network slicing capability designed in this
      document.

5.2.  Overall composition of the dynamic-L3VPN

   A dynamic-L3VPN service delivery example is shown in Figure 1.  As an
   end-to-end service, a dynamic-L3VPN connection may consist of
   multiple segments, which may be defined by different RFCs.

   The dynamic-L3VPN can be established either between CEs or between
   CEs and DC-GWs.

                            +----------+
                            | Customer |
                            +-----+----+
                                  |
                   Dynamic-L3VPN  |
                   Service Models |
                          +-------+-------+
                          | Service       |
                          | Orchestrator  |
                          +-------+-------+
                                  |
                   Network Models |
                                  |
                          +-------+-----+
                          | Network     |
                          | Controller  |
                          +-----+-+-+---+
                         Device | | |
                  Configuration | | |
                         Models | | |
                +---------------+ | +-----------+
                |      +----------+-------+     |  +---------+
             +--+--+   |                  |     |  |         |
             | CE1 +---+ +-----+   +----+ |  +--+--+-+       |
             +-----+   | | PE1 |   |PE2 | +--+ DC-GW |  DC   |
             +-----+   | +-----+   +----+ |  +-----+-+       |
             | CE2 +---+                  |        |         |
             +-----+   +------------------+        +---------+

              Figure 1: Dynamic-L3VPN Service Delivery Example

5.3.  Overall tree structure

   The extensions are defined in the module ietf-l3vpn-svc-dynamic-ext,
   which augments the base L3SM module (ietf-l3vpn-svc) at the following
   locations:

   *  /l3vpn-svc/vpn-profiles: Adds profiles for bandwidth adjustment
      ranges and SLO/SLE templates.

   *  /l3vpn-svc/sites/site: Adds temporary connection indicators and
      effective time windows.

   *  /l3vpn-svc/sites/site/site-network-accesses/site-network-access/
      service: Adds dynamic bandwidth indicators and adjustment ranges.

   *  /l3vpn-svc/sites/site/security/encryption: Adds quantum encryption
      parameters.

   Figure 2 illustrates the module augmentation structure.

   module: ietf-l3vpn-svc-dynamic-ext

     augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles:
       +--rw maximum-adjustment-profiles
       |  +--rw maximum-adjustment-profile* [id]
       |     +--rw id    string
       +--rw slo-sle-profiles
          +--rw slo-sle-profile* [id]
             +--rw id    string
             +--rw description?   string
             +--rw profile-ref?   ->
                             /l3vpn-svc:l3vpn-svc
                             /vpn-profiles
                             /l3vpn-svc-dyn:maximum-adjustment-profiles
                             /maximum-adjustment-profile/id
             +--rw slo-policy
             |  +--rw metric-bound* [metric-type]
             |  |  +--rw metric-type          identityref
             |  |  +--rw metric-unit?         string
             |  |  +--rw value-description?   string
             |  |  +--rw percentile-value?    uint8
             |  |  +--rw bound?               uint64
             |  +--rw availability?   identityref
             |  +--rw mtu?            uint32
             +--rw sle-policy
                +--rw security*              identityref
                +--rw isolation*             identityref
                +--rw max-occupancy-level?   uint8
                +--rw path-constraints
                   +--rw service-functions?   string
                   +--rw diversity
                      +--rw diversity-type?   identityref
     augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site:
       +--rw temporary-connection-indicator?   boolean
       +--rw effective-time-window?            yang:date-and-time
       +--rw service
       |  +--rw qos
       |     +--rw qos-profile
       |        +--rw slo-sle-profile?       ->
                               /l3vpn-svc:l3vpn-svc
                               /vpn-profiles
                               /l3vpn-svc-dyn:slo-sle-profiles
                               /slo-sle-profile/id
       |        +--rw qos-profile-enabled?   boolean
       +--rw security-encryption
          +--rw quantum-encryption-enable?   boolean
          +--rw quantum-encryption-mode?     uint8
          +--ro quantum-encryption-status?   enumeration
     augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site
               /l3vpn-svc:site-network-accesses
               /l3vpn-svc:site-network-access:
       +--rw service
       |  +--rw dynamic-bandwidth-indicator?          boolean
       |  +--rw effective-time-window?                yang:date-and-time
       |  +--rw maximum-adjustment-bandwidth-range?   ->
                             /l3vpn-svc:l3vpn-svc
                             /vpn-profiles
                             /l3vpn-svc-dyn:maximum-adjustment-profiles
                             /maximum-adjustment-profile/id
       +--rw ip-connection-security
          +--rw quantum-encryption-enable?   boolean
          +--rw quantum-encryption-mode?     uint8
          +--ro quantum-encryption-status?   enumeration
          +--rw service
             +--rw qos
                +--rw qos-profile
                   +--rw slo-sle-profile?       ->
                                 /l3vpn-svc:l3vpn-svc
                                 /vpn-profiles
                                 /l3vpn-svc-dyn:slo-sle-profiles
                                 /slo-sle-profile/id
                   +--rw qos-profile-enabled?   boolean

       Figure 2: Augmentation Structure of ietf-l3vpn-svc-dynamic-ext

5.4.  L3SM Augmentations for dynamic-L3VPN Requirements

5.4.1.  Dynamic networking provisioning

   Requirement: Support on-demand establishment and release of VPN
   connectivity between specified endpoints, with activation times
   ranging from seconds (for pre-configured tunnels) to minutes (for
   configuration-driven setup).

   Gap in [RFC8299]: L3SM assumes persistent connectivity; it provides
   no mechanism to specify temporary connections or activation time
   constraints.

   Extensions:

   *  temporary-connection-indicator: Boolean flag indicating whether a
      site connection is temporary (default false).

   *  effective-time-window: Time range parameter specifying when the
      connection must be active.  When sub-minute activation is
      required, this indicates that pre-configured tunnels with dynamic
      authorization (e.g., RADIUS COA [RFC5176]) should be used.

5.4.2.  Dynamic bandwidth adjustment

   Requirement: Support modification of bandwidth allocations within
   customer-specified time windows, ranging from seconds to hours.

   Gap in [RFC8299]: L3SM specifies static bandwidth parameters (input-
   bandwidth, output-bandwidth) without support for elastic ranges or
   adjustment constraints.

   Extensions:

   *  dynamic-bandwidth-indicator: Boolean flag indicating whether
      bandwidth adjustment is supported (default false).

   *  maximum-adjustment-bandwidth-range (bandwidth context): Reference
      to a maximum adjustment bandwidth profile defined under
      vpn-profiles.

   *  effective-time-window (bandwidth context): Maximum allowed
      duration to complete a bandwidth modification.

5.4.3.  Slice SLO Template Integration

   Requirement: Enable binding of L3VPN services to predefined service
   tiers with specific performance guarantees (latency, bandwidth,
   isolation), decoupling service catalog definition from resource
   allocation.

   Gap in [RFC8299]: L3SM provides basic QoS profiles but lacks
   integration with network slicing constructs and parameterized SLO/SLE
   specifications.

   Extensions:

   *  slo-sle-profile: Reference to a Slice Service Template defining
      quantitative SLOs (metric bounds, availability) and qualitative
      SLEs (security, isolation, path constraints).

   The SLO/SLE profile structure aligns with [I-D.ietf-teas-ietf-
   network-slice-nbi-yang], enabling consistent policy application
   across VPN and slice services.

5.4.4.  Enhanced security

   Requirement: Support quantum-safe encryption for high-security data
   transmission scenarios.

   Gap in [RFC8299]: L3SM defines basic encryption enablement but lacks
   parameters for quantum key distribution (QKD) and post-quantum
   cryptography (PQC) integration.

   Extensions:

   *  quantum-encryption-enable: Boolean flag for quantum-enhanced
      security activation.

   *  quantum-encryption-mode: Failover behavior when quantum key
      acquisition fails (fallback to conventional crypto or terminate).

   *  quantum-encryption-status: Operational state monitoring (read-
      only).
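
   The following check is an added example, not part of this document
   or its YANG module.  It audits a decoded RFC 7951 JSON instance for
   conditions implied by the extensions in Sections 5.4.1, 5.4.2 and
   5.4.4: leaves set without their enabling flag, a bandwidth-range
   reference to an undefined profile, a temporary connection with no
   time window, and encryption enabled but not reported active.  The
   sample data, the finding labels and the last two policy checks are
   assumptions of the example.

```python
# Added example (not from the draft): audit a decoded RFC 7951 JSON instance
# of ietf-l3vpn-svc augmented by ietf-l3vpn-svc-dynamic-ext.
EXT = "ietf-l3vpn-svc-dynamic-ext"  # module name from Section 6

# Constructed sample data; all identifiers and values are illustrative.
SAMPLE = {"ietf-l3vpn-svc:l3vpn-svc": {
    "vpn-profiles": {
        f"{EXT}:maximum-adjustment-profiles": {
            "maximum-adjustment-profile": [{"id": "burst-10g"}]}},
    "sites": {"site": [{
        "site-id": "site-a",
        f"{EXT}:temporary-connection-indicator": True,   # no time window set
        f"{EXT}:security-encryption": {
            "quantum-encryption-enable": True,
            "quantum-encryption-mode": 1,
            "quantum-encryption-status": "error"},       # operational state
        "site-network-accesses": {"site-network-access": [{
            "site-network-access-id": "sna-1",
            f"{EXT}:service": {
                "dynamic-bandwidth-indicator": True,
                "maximum-adjustment-bandwidth-range": "burst-40g"},
            f"{EXT}:ip-connection-security": {
                "quantum-encryption-enable": False,
                "quantum-encryption-mode": 2}}]}}]}}}


def encryption_findings(where, enc):
    """Check one security-encryption / ip-connection-security container."""
    out = []
    enabled = enc.get("quantum-encryption-enable", False)  # YANG default false
    # The module's 'when' makes the mode leaf valid only if enable is true.
    if "quantum-encryption-mode" in enc and not enabled:
        out.append((where, "mode-without-enable"))
    # Policy assumption: requested encryption must report status 'active';
    # 'idle', 'error' or a missing status means it is not in effect.
    if enabled and enc.get("quantum-encryption-status") != "active":
        out.append((where, "encryption-not-active"))
    return out


def audit(doc):
    """Return a list of (location, finding) tuples for one instance document."""
    root = doc["ietf-l3vpn-svc:l3vpn-svc"]
    profiles = root.get("vpn-profiles", {}).get(
        f"{EXT}:maximum-adjustment-profiles", {})
    known = {p["id"] for p in profiles.get("maximum-adjustment-profile", [])}
    findings = []
    for site in root.get("sites", {}).get("site", []):
        sid = site["site-id"]
        temporary = site.get(f"{EXT}:temporary-connection-indicator", False)
        has_window = f"{EXT}:effective-time-window" in site
        # 'when' on effective-time-window requires the temporary flag.
        if has_window and not temporary:
            findings.append((sid, "window-without-temporary-flag"))
        # Policy assumption: a temporary connection should carry a window
        # (the module itself leaves the leaf optional).
        if temporary and not has_window:
            findings.append((sid, "temporary-without-window"))
        findings += encryption_findings(
            sid, site.get(f"{EXT}:security-encryption", {}))
        accesses = site.get("site-network-accesses", {})
        for sna in accesses.get("site-network-access", []):
            where = f"{sid}/{sna['site-network-access-id']}"
            svc = sna.get(f"{EXT}:service", {})
            dynamic = svc.get("dynamic-bandwidth-indicator", False)
            ref = svc.get("maximum-adjustment-bandwidth-range")
            # 'when' on the range leaf requires dynamic-bandwidth-indicator.
            if ref is not None and not dynamic:
                findings.append((where, "range-without-dynamic-flag"))
            # leafref target must exist under vpn-profiles.
            if ref is not None and ref not in known:
                findings.append((where, "dangling-profile-ref"))
            findings += encryption_findings(
                where, sna.get(f"{EXT}:ip-connection-security", {}))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE):
        print(f"{location}: {finding}")
```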

6.  The dynamic-L3VPN ("ietf-l3vpn-svc-dynamic-ext") YANG Module

   This module augments the L3SM.

     module ietf-l3vpn-svc-dynamic-ext {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-dynamic-ext";
     prefix l3vpn-svc-dyn;

     import ietf-l3vpn-svc {
       prefix l3vpn-svc;
       revision-date 2018-01-19;
     }

     import ietf-yang-types {
       prefix yang;
       revision-date 2013-07-15;
     }

     organization
       "IETF ONSEN Working Group";

     contact
       "Editor:  Fengchao Fu
                 <fufengc@chinatelecom.cn>
                 Cancan Huang
                 <huangcanc@chinatelecom.cn>
                 Bo Wu
                 <lana.wubo@huawei.com>
                 Chongfeng Xie
                 <xiechf@chinatelecom.cn>";

     description
       "This module defines extensions to the L3VPN service model
       for supporting dynamic bandwidth adjustment, SLO/SLE profile
       binding, quantum-safe encryption, and QoS enhancement.

        Copyright (c) 2026 IETF Trust and the persons identified
        as authors of the code.
        All rights reserved.";

     revision 2026-02-11 {
       description
         "Initial revision with dynamic bandwidth, SLO/SLE,
         and quantum encryption extensions.
          Compatible with RFC 7950 (YANG 1.1).";
       reference "I-D: draft-fu-onsen-update-l3sm-service-models-00";
     }

     identity metric-type-base {
       description "Base identity for performance metric types";
     }

     identity latency {
       base metric-type-base;
       description "End-to-end latency metric";
     }

     identity bandwidth {
       base metric-type-base;
       description "Available bandwidth metric";
     }

     identity availability-level-base {
       description "Base identity for service availability levels";
     }

     identity security-policy-base {
       description "Base identity for security policy types";
     }

     identity isolation-level-base {
       description "Base identity for isolation levels";
     }

     identity te-link-disjoint {
       description "Link-disjoint path diversity
       (IETF TE type semantics)";
     }

     augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:vpn-profiles {
       container maximum-adjustment-profiles {
         description "Collection of maximum adjustment profiles
         for dynamic bandwidth";

         list maximum-adjustment-profile {
           key "id";
           description "Single maximum adjustment profile
           for dynamic bandwidth";

           leaf id {
             type string;
             description "Unique identifier
             for the maximum adjustment profile";
           }
         }
       }

       container slo-sle-profiles {
         description "Reusable SLO/SLE profiles
         for Dynamic-L3VPN QoS binding";

         list slo-sle-profile {
           key "id";
           description "SLO/SLE profile defining performance
           and experience constraints";

           leaf id {
             type string;
             description "Unique identifier for the SLO/SLE profile";
           }

           leaf description {
             type string;
             mandatory false;
             description "Human-readable description
             of the SLO/SLE profile";
           }

           leaf profile-ref {
             type leafref {
               path "/l3vpn-svc:l3vpn-svc/"
                  + "l3vpn-svc:vpn-profiles/"
                  + "l3vpn-svc-dyn:maximum-adjustment-profiles/"
                  + "l3vpn-svc-dyn:maximum-adjustment-profile/id";
             }
             mandatory false;
             description "Reference to an associated
             network slice profile";
           }

           container slo-policy {
             description "Service Level Objective (SLO)
             policy constraints";

             list metric-bound {
               key "metric-type";
               description "Bound on a specific performance metric";

               leaf metric-type {
                 type identityref {
                   base metric-type-base;
                 }
                 description "Type of performance metric
                 (latency, bandwidth, etc.)";
               }

               leaf metric-unit {
                 type string;
                 description "Unit of measurement for the metric
                 (ms, Mbps, %)";
               }

               leaf value-description {
                 type string;
                 mandatory false;
                 description "Additional context for the metric value";
               }

               leaf percentile-value {
                 type uint8;
                 mandatory false;
                 description "Percentile for the metric bound (0-100)";
               }

               leaf bound {
                 type uint64;
                 mandatory false;
                 description "Threshold value
                 for the performance metric";
               }
             }

             leaf availability {
               type identityref {
                 base availability-level-base;
               }
               mandatory false;
               description "Required service availability level
               (99.999%, etc.)";
             }

             leaf mtu {
               type uint32;
               mandatory false;
               description "Maximum Transmission Unit (bytes)
               for the service";
             }
           }

           container sle-policy {
             description "Service Level Experience
             (SLE) policy constraints";

             leaf-list security {
               type identityref {
                 base security-policy-base;
               }
               description "Security policies applied
               (TLS 1.3, IPsec, etc.)";
             }

             leaf-list isolation {
               type identityref {
                 base isolation-level-base;
               }
               description "Isolation requirements
               (network, tenant, etc.)";
             }

             leaf max-occupancy-level {
               type uint8;
               mandatory false;
               description "Maximum resource occupancy level
               (0-255, percentage scale)";
             }

             container path-constraints {
               description "Constraints on data path selection";

               leaf service-functions {
                 type string;
                 description "Required service functions on the path
                 (firewall, IDS, etc.)";
               }

               container diversity {
                 description "Path diversity requirements
                 for redundancy";

                 leaf diversity-type {
                   type identityref {
                     base te-link-disjoint;
                   }
                   mandatory false;
                   description "Type of path disjointness
                   (link-disjoint)";
                 }
               }
             }
           }
         }
       }
     }

     augment /l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site {
       leaf temporary-connection-indicator {
         type boolean;
         default false;
         description "Indicator if this site has
         a temporary connection";
       }

       leaf effective-time-window {
         type yang:date-and-time;
         mandatory false;
         when "../l3vpn-svc-dyn:temporary-connection-indicator
         = 'true'";
         description "Time window for temporary connection validity";
       }

       container service {
         container qos {
           container qos-profile {
             leaf slo-sle-profile {
               type leafref {
                 path "/l3vpn-svc:l3vpn-svc/"
                    + "l3vpn-svc:vpn-profiles/"
                    + "l3vpn-svc-dyn:slo-sle-profiles/"
                    + "l3vpn-svc-dyn:slo-sle-profile/id";
               }
               mandatory false;
               when "../qos-profile-enabled = 'true'";
               description "Reference to SLO/SLE profile
               for site-level QoS binding";
             }

             leaf qos-profile-enabled {
               type boolean;
               default false;
               description "QoS profile enable flag";
             }
           }
         }
       }

       container security-encryption {
         leaf quantum-encryption-enable {
           type boolean;
           default false;
           description "Enable quantum-resistant encryption
           for site security";
         }

         leaf quantum-encryption-mode {
           type uint8;
           default 1;
           mandatory false;
           when "../quantum-encryption-enable = 'true'";
           description "Quantum encryption mode
           (1=default, 2=enhanced)";
         }

         leaf quantum-encryption-status {
           type enumeration {
             enum idle {
               description "Quantum encryption not active";
             }
             enum active {
               description "Quantum encryption in use";
             }
             enum error {
               description "Quantum encryption error state";
             }
           }
           config false;
           description "Operational status of quantum encryption
           (read-only)";
         }
       }
     }

     augment "/l3vpn-svc:l3vpn-svc/l3vpn-svc:sites/l3vpn-svc:site"
           +"/l3vpn-svc:site-network-accesses"
           +"/l3vpn-svc:site-network-access" {
       container service {
         leaf dynamic-bandwidth-indicator {
           type boolean;
           default false;
           description "Enable dynamic bandwidth adjustment
           for this service";
         }

         leaf effective-time-window {
           type yang:date-and-time;
           mandatory false;
           when "../dynamic-bandwidth-indicator = 'true'";
           description "Time window for dynamic bandwidth validity";
         }

         leaf maximum-adjustment-bandwidth-range {
           type leafref {
             path "/l3vpn-svc:l3vpn-svc
               /l3vpn-svc:vpn-profiles
               /l3vpn-svc-dyn:maximum-adjustment-profiles
               /l3vpn-svc-dyn:maximum-adjustment-profile/id";
           }
           mandatory false;
           when "../dynamic-bandwidth-indicator = 'true'";
           description "Reference to maximum adjustment
           bandwidth profile";
         }
       }

       container ip-connection-security {
         leaf quantum-encryption-enable {
           type boolean;
           default false;
           description "Enable quantum-resistant encryption
           for IP connection security";
         }

         leaf quantum-encryption-mode {
           type uint8;
           default 1;
           mandatory false;
           when "../quantum-encryption-enable = 'true'";
           description "Quantum encryption mode
           (1=default, 2=enhanced)";
         }

         leaf quantum-encryption-status {
           type enumeration {
             enum idle {
               description "Quantum encryption not active";
             }
             enum active {
               description "Quantum encryption in use";
             }
             enum error {
               description "Quantum encryption error state";
             }
           }
           config false;
           description "Operational status of quantum encryption
           (read-only)";
         }

         container service {
           container qos {
             container qos-profile {
               leaf slo-sle-profile {
                 type leafref {
                   path "/l3vpn-svc:l3vpn-svc
                     /l3vpn-svc:vpn-profiles
                     /l3vpn-svc-dyn:slo-sle-profiles
                     /l3vpn-svc-dyn:slo-sle-profile/id";
                 }
                 mandatory false;
                 when "../qos-profile-enabled = 'true'";
                 description "Reference to SLO/SLE profile
                 for IP connection-level QoS binding";
               }

               leaf qos-profile-enabled {
                 type boolean;
                 default false;
                 description "QoS profile enable flag";
               }
             }
           }
         }
       }
     }
   }

7.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry":

   URI: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-dynamic-ext
   Registrant Contact: The IESG
   XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry:

   Name: ietf-l3vpn-svc-dynamic-ext
   Namespace: urn:ietf:params:xml:ns:yang:ietf-l3vpn-svc-dynamic-ext
   Prefix: l3vpn-svc-dyn
   Reference: RFC XXXX

8.  Security Considerations

   The extensions defined in this document inherit the security
   considerations of RFC 8299.

   Additional considerations:

   *  Dynamic provisioning mechanisms (e.g., RADIUS CoA) MUST be secured
      using mutual authentication and integrity protection.

   *  Quantum encryption parameters are sensitive; access to these
      configuration nodes SHOULD be restricted to authorized
      administrators.

   *  Communication between customers and service orchestrators SHOULD
      use TLS 1.3 or equivalent encryption.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, DOI 10.17487/RFC2119, March
              1997, <https://www.rfc-editor.org/rfc/rfc2119.txt>.

   [RFC4026]  Rosen, E., Ed. and Y. Rekhter, Ed., "BGP/MPLS VPN
              Terminology", RFC 4026, June 2005,
              <https://www.rfc-editor.org/rfc/rfc4026>.

   [RFC4364]  Rosen, E., Ed. and Y. Rekhter, Ed., "BGP/MPLS IP Virtual
              Private Networks (VPNs)", RFC 4364, February 2006,
              <https://www.rfc-editor.org/rfc/rfc4364>.

   [RFC5176]  Zorn, G., Ed. and B. Aboba, Ed., "Dynamic Authorization
              Extensions to RADIUS", RFC 5176, January 2008,
              <https://www.rfc-editor.org/rfc/rfc5176>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", RFC 8174, DOI 10.17487/RFC8174, May 2017,
              <https://www.rfc-editor.org/rfc/rfc8174.txt>.

   [RFC8299]  Bjorklund, M., Ed., Medved, J., Ed., and S. Vissicchio,
              Ed., "A YANG Data Model for Layer 3 VPN Services (L3SM)",
              RFC 8299, November 2017,
              <https://www.rfc-editor.org/rfc/rfc8299>.

   [RFC9833]  Boucadair, M., Ed., "A Common YANG Data Model for
              Attachment Circuits", RFC 9833, September 2025,
              <https://www.rfc-editor.org/rfc/rfc9833>.

   [RFC9834]  Boucadair, M., Ed., "A Service YANG Data Model for
              Attachment Circuits", RFC 9834, September 2025,
              <https://www.rfc-editor.org/rfc/rfc9834>.

9.2.  Informative References

   [RFC8986]  Filsfils, C., Ed., Previdi, S., Ed., Dukes, D., Ed.,
              Matsushima, S., Ed., and Z. Li, Ed., "Segment Routing over
              IPv6 (SRv6) Network Programming", RFC 8986, March 2021,
              <https://www.rfc-editor.org/rfc/rfc8986>.

   [RFC9061]  Dawra, G., Ed., "YANG Data Models for Network Resource
              Partition (NRP)", RFC 9061, July 2021,
              <https://www.rfc-editor.org/rfc/rfc9061>.

   [RFC9252]  Dawra, G., Ed., Talaulikar, K., Ed., Raszuk, R., Decraene,
              B., Zhuang, S., and J. Rabadan, "BGP Overlay Services
              Based on Segment Routing over IPv6 (SRv6)", RFC 9252, July
              2022, <https://www.rfc-editor.org/rfc/rfc9252>.

Appendix A.  Dynamic-L3VPN service provisioning and lifecycle procedure

   The VPN instances on the PE devices may be pre-configured as defined
   in [RFC4364], with the VPN instance bound to an AC only when
   establishing end-to-end VPN connectivity.  Alternatively, the VPN
   instance may also be dynamically configured via configuration
   commands based on customer requirements.

   The dynamic-L3VPN service provisioning and lifecycle procedure is
   shown below, using Customer A ordering a dynamic-L3VPN service as an
   example.

   +------------+  +---------+      +----+      +----+      +----------+
   | Customer-A |  | Ordering|      | CE |      | PE |      | Network  |
   |            |  |  System |      |    |      |    |      |Controller|
   +------------+  +---------+      +----+      +----+      +----+-----+
         |              |              |           |              |
         | 1. Register  |              |           |              |
         +------------->|              |           |              |
         |              |              |           |              |
         | 2. Submit VPN Service Info  |           |              |
         | (Peer, BW, Start, End)      |           |              |
         +------------->|              |           |              |
         |              |              |           |              |
         |              | 3. Configure CE          |              |
         |              +------------->|           |              |
         |              |              |           |              |
         |              |              | 4. Connect to PE         |
         |              |              +---------->|              |
         |              |              |           |              |
         |              |              |           5. Bind AC to VPN
         |              |              |           |<-------------+
         |              |              |           |              |
         | 6. Submit Dynamic BW Request|           |              |
         +------------->|              |           |              |
         |              |              |           |              |
         |              | 7. Update Bandwidth (PE) |              |
         |              +------------------------->|              |
         |              |              |           |              |
         | 8. Request Add User to VPN  |           |              |
         +------------->|              |           |              |
         |              |              |           |              |
         |              | 9. Config New CE & PE    |              |
         |              +------------------------->|              |
         |              |              |           |              |
         | 10. Request Remove User     |           |              |
         +------------->|              |           |              |
         |              |              |           |              |
         |              | 11. Config: Remove AC    |              |
         |              +------------->|           |              |
         |              |              |           |              |
         |              | 12. Config: Remove AC from PE           |
         |              +------------------------->|              |
         |              |              |           |              |

          Figure 3: Dynamic-L3VPN Service Orchestration Procedure

   The procedure consists of 12 key steps covering the full lifecycle of
   dynamic-L3VPN: registration, initial service provisioning, dynamic
   bandwidth adjustment, peer addition/removal, and resource cleanup.
   The Network Controller coordinates configuration across CEs and PEs
   to ensure end-to-end service delivery, while the Ordering System acts
   as the interface between customers and the network infrastructure.
   SRv6 (defined in [RFC8986] and [RFC9252]) may be used for path
   optimization in dynamic-L3VPN.

   1.   Customer A registers in the service ordering system.

   2.   Customer A enters VPN service parameters into the ordering
        system, including peer VPN customers, bandwidth requirement,
        start time, and end time.

   3.   The Network Controller provisions configuration to the CE
        devices of the involved customers.

   4.   Each CE device establishes a connection to its attached PE
        device.

   5.   The Network Controller sends configuration or signaling to the
        PE devices to bind the customer's AC to the VPN instance.

   6.   Customer A submits an elastic bandwidth adjustment request via
        the ordering system.

   7.   The Network Controller delivers configuration or signaling to
        the PE devices to modify the bandwidth of the VPN service.

   8.   Customer A submits a request via the ordering system to add one
        or more new customers to the VPN.

   9.   The Network Controller provisions the new customers' CE devices
        and sends configuration or signaling to the corresponding PE
        devices.

   10.  Customer A submits a request via the ordering system to remove
        one or more existing customers from the VPN.

   11.  The Network Controller updates the configuration of the removed
        customers' CE devices.

   12.  The Network Controller sends configuration or signaling to the
        corresponding PE devices to delete the associated AC from the
        VPN.







Acknowledgments

   The authors wish to thank Mingjiang Fu, Zhuojun Huang, Zhenlin Tan,
   and Wenkuan Qu of China Telecom for their contributions to the
   dynamic L3VPN operational requirements.

Authors' Addresses

   Fengchao Fu
   China Telecom
   Email: fufengc@chinatelecom.cn


   Cancan Huang
   China Telecom
   Email: huangcanc@chinatelecom.cn


   Bo Wu
   Huawei
   Email: lana.wubo@huawei.com


   Chongfeng Xie
   China Telecom
   Email: xiechf@chinatelecom.cn

























