




OPSAWG                                                      L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Standards Track                            28 May 2026
Expires: 29 November 2026


                  A YANG Data Model for Multi-Vantage
                         Path Snapshots (MVPS)
                draft-melegassi-opsawg-mvps-yang-model-00

Abstract

   This document defines a YANG data model for Multi-Vantage Path
   Snapshots (MVPS): vendor-neutral, multi-vantage enriched traceroute
   observations whose reporting model is aligned with RFC 9198
   (Advanced Unidirectional Route Assessment).  The model is the
   normative publication of the MVPS bundle as a YANG module and is the
   subtree that the MVPS telemetry-export specification subscribes to
   over YANG-Push.

   The module is CORE-neutral: it carries measurement facts only.  It
   makes no performance, scoring, or detection claim.  All properties
   stated in this document are structural and are backed by a
   machine-checkable receipt.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   This Internet-Draft will expire on 29 November 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.





Melegassi                Expires 29 Nov 2026                   [Page 1]

Internet-Draft               MVPS YANG Model                  May 2026


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Design Principles . . . . . . . . . . . . . . . . . . . . .   3
   4.  Model Overview (Tree Diagram) . . . . . . . . . . . . . . .   4
   5.  Structural Properties . . . . . . . . . . . . . . . . . . .   5
   6.  Relationship to Other MVPS Documents  . . . . . . . . . . .   6
   7.  The YANG Module . . . . . . . . . . . . . . . . . . . . . .   6
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . .   7
   9.  Security Considerations . . . . . . . . . . . . . . . . . .   7
   10. References  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Multi-Vantage Path Snapshots (MVPS) collect enriched traceroute
   observations from several vantages and bind them into a single
   canonical bundle.  The bundle format, its JSON-Schema sibling, and
   the coherence detection mathematics are specified elsewhere in the
   MVPS family.  A telemetry-export specification additionally maps
   MVPS observations onto standard carriers, including YANG-Push
   [RFC8641].

   That export mapping presumes a published YANG subtree to subscribe
   to.  This document supplies it: it publishes the MVPS YANG module
   normatively, defines its instance-identifier structure, and states
   the structural properties on which interoperable configuration,
   retrieval (NETCONF/RESTCONF), and subscription (YANG-Push) depend.

   This is a data-model document.  It deliberately makes NO performance
   or detection-latency claim.  Every property in Section 5 is
   structural: a deterministic fact about the module text or about any
   conformant instance, verifiable by the companion receipt and
   independent of any measurement.

   The module models measurement facts only (CORE neutrality).  Any
   analytic verdict, score, or machine-learning output is OUT OF SCOPE
   for this module and MUST be carried in the namespaced extension slot
   defined by the MVPS extension mechanism.




Melegassi                Expires 29 Nov 2026                   [Page 2]

Internet-Draft               MVPS YANG Model                  May 2026


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals.

   Vantage:  one observation origin (an active server or an edge
      network element) that contributes a Member Route or a
      consolidated Route Ensemble, per [RFC9198] Section 4.1.

   Hop:  a single hop singleton h(i,j) along the observed path, per
      [RFC9198] Section 3.4.

   Bundle:  the top-level MVPS container for one snapshot, encoded in
      JSON per [RFC7951].

   CORE-neutral:  carrying measurement facts only, with no analytic
      verdict, score, or inference.

3.  Design Principles

   P1  CORE neutrality.  The module carries only measurement facts.
       No analytic verdict, score, or AI/ML output is part of this
       canonical model.

   P2  Externalized vendor signals.  Vendor-specific or analytic
       signals MUST live outside this module, under reverse-DNS
       namespaced keys in an extension slot.  Consumers MUST tolerate
       unknown keys (the spirit of [RFC6648]).

   P3  Reproducible fingerprints.  Each vantage carries three path
       fingerprints that are deterministic functions of its hop list.
       Recomputation reproduces them exactly, so any silent edit is
       detectable.

   P4  Standards alignment.  Per-hop fields materialise the AURA Hop
       singleton ([RFC9198] Section 3.4) with optional ICMP interface
       identifiers ([RFC5837]) and Round-Trip Delay quartiles computed
       via the P^2 algorithm referenced by [RFC9198].

   P5  Incremental implementability.  The top-level node is a presence
       container and carries no mandatory child leaf, per [RFC8407]
       Section 4.10.

4.  Model Overview (Tree Diagram)

   The following tree diagram uses the notation of [RFC8340].





Melegassi                Expires 29 Nov 2026                   [Page 3]

Internet-Draft               MVPS YANG Model                  May 2026


   module: catellix-mvps
     +--rw mvps!
        +--rw mvps-schema?                 string
        +--rw mvps-version?                string
        +--rw catellix-platform-release?   string
        +--rw document-generated-at?       yang:date-and-time
        +--rw destination?                 string
        +--rw vantage-count?               uint32
        +--rw vantages* [origin-label]
           +--rw vantage-role             identityref
           +--rw origin-label             string
           +--rw observed-at?             yang:date-and-time
           +--rw path-fingerprints
           |  +--rw path-fp-ip-chain-sha256-trunc128     sha256-hex
           |  +--rw path-fp-as-path-sha256-trunc64        sha256-hex
           |  +--rw path-fp-country-path-sha256-trunc64   sha256-hex
           +--rw as-path-inferred*        union
           +--rw country-path-inferred*   string
           +--rw hop-count?               uint8
           +--rw hops* [hop-number]
              +--rw hop-number            uint8
              +--rw ip-reported           inet:ip-address
              +--rw rtt-reported?         string
              +--rw rpki-origin-validation?  rpki-validation-state
              +--rw routing-snapshot
              +--rw rtd-quartiles
              +--rw mpls-labels* [label]
              +--rw rtt-samples-ms*       decimal64
              +--rw geo-hint!

   The full set of leaves is defined by the module in Section 7.

5.  Structural Properties

   The properties below are proven, not asserted.  Each maps to a check
   in the companion validator (scripts/validate_yang_model.py, 8/8
   PASS) whose result is recorded in the receipt
   (evidence/yang_model_receipt.json).

   T-YANG-WF (Well-formedness):  the module is YANG 1.1 with a single
      namespace, a rooted presence container "mvps", keyed lists
      "vantages" (key origin-label) and "hops" (key hop-number) each
      with min-elements 1, ordered-by user collections, and mandatory
      list keys.

   T-YANG-8407 (RFC 8407 Section 4.10):  the top-level node is a
      presence container and has no mandatory child leaf, so the module
      can be implemented incrementally.





Melegassi                Expires 29 Nov 2026                   [Page 4]

Internet-Draft               MVPS YANG Model                  May 2026


   T-YANG-RT (Round-trip losslessness):  for any conformant instance I,
      decode(encode(I)) = I under [RFC7951], and the order of every
      ordered-by user collection is preserved.

   T-YANG-FP (Fingerprint determinism):  the three path fingerprints
      are deterministic functions of the modeled fields; recomputation
      reproduces the stored values exactly, and the canonical JSON
      ([RFC8785]) of the encoding is stable.  This carries the bundle's
      tamper-evidence property into the model.

   T-YANG-SENT (Sentinel bijection):  the AS-path union sentinel
      "unknown" maps to the JSON-Schema sibling token "?" by a
      bijection on (AS-number) union {sentinel}; no real AS number
      collides with the sentinel.

   T-YANG-CORE (CORE neutrality):  the module contains no analytic
      verdict/score/ML leaf; vendor signals are externalized to the
      extension slot; and the core detection inputs (hop-number,
      ip-reported, rtt-samples) are invariant to the presence or
      absence of optional hint containers.

   T-YANG-PUSH (Addressability):  the module is a single rooted subtree
      whose every list is fully keyed, so every node has a unique
      instance-identifier and a YANG-Push [RFC8641] subtree or xpath
      subscription onto /catellix-mvps:mvps is well-defined.

   T-YANG-PARITY (Schema parity):  on the load-bearing constraints
      (version pattern, vantage cardinality, min-elements), the YANG
      module and the JSON-Schema sibling agree.

6.  Relationship to Other MVPS Documents

   This module publishes the data model that the MVPS bundle format
   defines.  The fingerprint method (T-YANG-FP) is the bundle's method.
   The CORE-neutrality and externalized-extension rule (T-YANG-CORE)
   are the model-level form of the MVPS extension mechanism's
   core-invariance property.  The addressability property
   (T-YANG-PUSH) discharges the precondition that the MVPS
   telemetry-export specification assumes when it maps events onto
   YANG-Push.

7.  The YANG Module

   The normative module is "catellix-mvps", revision 2026-05-14,
   namespace "https://catellix.com/yang/catellix-mvps".  For length, the
   complete module text is maintained in the source repository file
   schema/catellix-mvps.yang and will be inlined verbatim in the next
   revision of this document.  Implementers MUST use the module exactly
   as published there; the tree diagram in Section 4 is informative.




Melegassi                Expires 29 Nov 2026                   [Page 5]

Internet-Draft               MVPS YANG Model                  May 2026


   The module imports ietf-inet-types and ietf-yang-types [RFC6991].
   It defines the identities vantage-role (with derived
   catellix-aurix-server and edge-network-element), and the typedefs
   sha256-hex, latency-class, rpki-validation-state, and holder-kind.

   On WG adoption, the module is expected to be renamed to an "ietf-"
   prefixed module under an IANA-assigned namespace; the structural
   properties of Section 5 are invariant to that rename.

8.  IANA Considerations

   This document requests that IANA register the following URI in the
   "ns" subregistry of the "IETF XML Registry" [RFC3688] on adoption
   (placeholder until the module is renamed to an ietf- module):

      URI:  urn:ietf:params:xml:ns:yang:ietf-mvps
      Registrant Contact:  The IESG.
      XML:  N/A; the requested URI is a YANG module namespace.

   This document requests that IANA register the following YANG module
   in the "YANG Module Names" registry [RFC6020]:

      name:       ietf-mvps
      namespace:  urn:ietf:params:xml:ns:yang:ietf-mvps
      prefix:     mvps
      reference:  This document

   Until adoption, the module ships under the vendor name
   "catellix-mvps" and namespace
   "https://catellix.com/yang/catellix-mvps".

9.  Security Considerations

   The model is to be accessed via a secure transport with mutual
   authentication, for example NETCONF over SSH or RESTCONF over TLS,
   and YANG-Push subscriptions over the same.

   The data nodes are operational measurement facts.  None carries a
   subscriber-precise location or payload; geographic fields are coarse
   hints only, and flow identity is republished as an anonymous
   fingerprint rather than the underlying values.

   Because the path fingerprints are deterministic (T-YANG-FP), a
   reader can detect tampering of the hop, AS, or country lists by
   recomputation.  This model does not, by itself, provide
   confidentiality, integrity, or origin authentication of a bundle in
   transit; those are provided by the transport and by the MVPS
   signing/anchoring documents.





Melegassi                Expires 29 Nov 2026                   [Page 6]

Internet-Draft               MVPS YANG Model                  May 2026


   The module is CORE-neutral (T-YANG-CORE): it cannot, by
   construction, carry an analytic verdict that an attacker could spoof
   inside the canonical model.  Such signals are confined to the
   namespaced extension slot and are out of scope here.

10. References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, July 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling
              Language", RFC 7950, August 2016.

   [RFC7951]  Lhotka, L., "JSON Encoding of Data Modeled with YANG",
              RFC 7951, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174, May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341, March 2018.

   [RFC8641]  Clemm, A. and E. Voit, "Subscription to YANG
              Notifications for Datastore Updates", RFC 8641,
              September 2019.

10.2.  Informative References

   [RFC5837]  Atlas, A., Ed., Bonica, R., Ed., Pignataro, C., Ed.,
              Shen, N., and JR. Rivers, "Extending ICMP for Interface
              and Next-Hop Identification", RFC 5837, April 2010.

   [RFC6648]  Saint-Andre, P., Crocker, D., and M. Nottingham,
              "Deprecating the 'X-' Prefix and Similar Constructs in
              Application Protocols", BCP 178, RFC 6648, June 2012.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, March 2018.




Melegassi                Expires 29 Nov 2026                   [Page 7]

Internet-Draft               MVPS YANG Model                  May 2026


   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216,
              RFC 8407, October 2018.

   [RFC8785]  Rundgren, A., Jordan, B., and S. Erdtman, "JSON
              Canonicalization Scheme (JCS)", RFC 8785, June 2020.

   [RFC9198]  Alvarez-Hamelin, J., Morton, A., Fabini, J., Pignataro,
              C., and R. Geib, "Advanced Unidirectional Route
              Assessment (AURA)", RFC 9198, May 2022.

Author's Address

   Leonardo Melegassi
   Catellix
   Email: melegassi@catellix.com

































Melegassi                Expires 29 Nov 2026                   [Page 8]
