| Internet-Draft | YANG Model for IOAM Integrity Options | November 2025 |
| Iurman & Zhou | Expires 17 May 2026 | [Page] |
In Situ Operations, Administration, and Maintenance (IOAM) is an example of an on-path hybrid measurement method to collect operational and telemetry information. The collected data may then be exported to systems that will use it to, e.g., monitor, measure, or (re)configure the network. I-D.ietf-ippm-ioam-data-integrity (RFC Ed.: to be replaced by RFC YYYY) defines IOAM Options with integrity protection, also called Integrity Protected Options. This document defines a YANG module for the configuration of these Integrity Protected Options.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 May 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In Situ Operations, Administration, and Maintenance (IOAM) is an example of an on-path hybrid measurement method [RFC7799] to collect operational and telemetry information. The collected data may then be exported to systems that will use it to, e.g., monitor, measure, or (re)configure the network. [I-D.ietf-ippm-ioam-data-integrity] defines IOAM Options with integrity protection, also called Integrity Protected Options. This document defines a data model for the configuration of these Integirty Protected Options using the YANG data modeling language [RFC7950]. This YANG data model supports four IOAM Integrity Protected Options, which are as follows:¶
Abbreviations used in this document:¶
The following terms are defined in [RFC7950] and are used in this specification:¶
The terminology for describing YANG data models is found in [RFC7950].¶
Tree diagrams used in this document follow the notation defined in [RFC8340].¶
The IOAM Integrity model is organized as a list of profiles, as shown in the following figure.¶
module: ietf-ioam-integrity
augment /ioam:ioam/ioam:profiles/ioam:profile:
+--rw int-incremental-tracing-profile! {int-incremental-trace}?
| ...
+--rw int-preallocated-tracing-profile! {int-preallocated-trace}?
| ...
+--rw int-pot-profile! {int-proof-of-transit}?
| ...
+--rw int-e2e-profile! {int-edge-to-edge}?
¶
This document uses the "ietf-ioam" YANG module [RFC9617] and augments its definition of a profile. The supported profiles are indicated by four defined features, i.e., "int-incremental-trace", "int-preallocated-trace", "int-proof-of-transit", and "int-edge-to-edge" (i.e., "int" prefix for "INTegrity protection"). Although these four new profiles resemble those defined in [RFC9617], they are distinct profiles since they represent different IOAM Option-Type code points.¶
The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in [RFC8342].¶
The "int-preallocated-tracing-profile" parameter contains the detailed information for the pre-allocated tracing data with integrity protection. This information is the same as for the Pre-allocated Tracing Profile; see [RFC9617], Sec. 3.2. This information also includes:¶
+--rw int-preallocated-tracing-profile! {int-preallocated-trace}?
+--rw node-action? ioam-node-action
+--rw trace-types
| +--rw use-namespace? ioam-namespace
| +--rw trace-type* ioam-trace-type
+--rw max-length? uint32
+--rw int-method? method-type
¶
The "int-incremental-tracing-profile" parameter contains the detailed information for the incremental tracing data with integrity protection. This information is the same as for the Incremental Tracing Profile; see [RFC9617], Sec. 3.3. This information also includes:¶
+--rw int-incremental-tracing-profile! {int-incremental-trace}?
+--rw node-action? ioam-node-action
+--rw trace-types
| +--rw use-namespace? ioam-namespace
| +--rw trace-type* ioam-trace-type
+--rw max-length? uint32
+--rw int-method? method-type
¶
The "int-pot-profile" parameter is intended to contain the detailed information for the proof of transit data with integrity protection. This information is the same as for the Proof of Transit Profile; see [RFC9617], Sec. 3.5. This information also includes:¶
+--rw int-pot-profile! {int-proof-of-transit}?
+--rw use-namespace? ioam:ioam-namespace
+--rw pot-type? ioam:ioam-pot-type
+--rw node-action? ioam:ioam-node-action
+--rw int-method? method-type
¶
The "int-e2e-profile" parameter contains the detailed information for the edge-to-edge data with integrity protection. This information is the same as for the Edge-to-Edge Profile; see [RFC9617], Sec. 3.6. This information also includes:¶
+--rw int-e2e-profile! {int-edge-to-edge}?
+--rw node-action? ioam-node-action
+--rw e2e-types
| +--rw use-namespace? ioam-namespace
| +--rw e2e-type* ioam-e2e-type
+--rw int-method? method-type
¶
The "ietf-ioam-integrity" module defined in this document imports the "ietf-ioam" module defined in [RFC9617]. This document also references [I-D.ietf-ippm-ioam-data-integrity].¶
<CODE BEGINS> file "ietf-ioam-integrity@2025-11-13.yang"
module ietf-ioam-integrity {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ioam-integrity";
prefix "ioam-int";
import ietf-ioam {
prefix ioam;
reference
"RFC 9617: A YANG Data Model for In Situ Operations,
Administration, and Maintenance (IOAM)";
}
organization
"IETF IPPM (IP Performance Measurement) Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/ippm>
WG List: <mailto:ippm@ietf.org>
Author: Tianran Zhou
<mailto:zhoutianran@huawei.com>
Author: Justin Iurman
<mailto:justin.iurman@uliege.be>";
description
"This YANG module specifies a vendor-independent data model for
In Situ Operations, Administration, and Maintenance (IOAM)
Integrity Protected Options.
Copyright (c) 2025 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2025-11-13 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for In Situ Operations,
Administration, and Maintenance (IOAM) Integrity Protected
Options";
}
/*
* FEATURES
*/
feature int-incremental-trace
{
description
"This feature indicates that the Integrity Protected
Incremental Trace-Option is supported.";
reference
"RFC YYYY: Integrity Protection of In Situ Operations,
Administration, and Maintenance (IOAM) Data Fields";
}
feature int-preallocated-trace
{
description
"This feature indicates that the Integrity Protected
Pre-allocated Trace-Option is supported.";
reference
"RFC YYYY: Integrity Protection of In Situ Operations,
Administration, and Maintenance (IOAM) Data Fields";
}
feature int-proof-of-transit
{
description
"This feature indicates that the Integrity Protected Proof of
Transit Option is supported.";
reference
"RFC YYYY: Integrity Protection of In Situ Operations,
Administration, and Maintenance (IOAM) Data Fields";
}
feature int-edge-to-edge
{
description
"This feature indicates that the Integrity Protected
Edge-to-Edge Option is supported.";
reference
"RFC YYYY: Integrity Protection of In Situ Operations,
Administration, and Maintenance (IOAM) Data Fields";
}
/*
* IDENTITIES
*/
identity method {
description
"Base identity to represent the Integrity Protection Method.";
}
identity method-0 {
base method;
description
"The Integrity Protection Method 0 uses AES-GMAC with a 12-byte
Nonce and a 16-byte ICV.";
reference
"RFC YYYY: Integrity Protection of In Situ Operations,
Administration, and Maintenance (IOAM) Data Fields";
}
/*
* TYPE DEFINITIONS
*/
typedef method-type {
type identityref {
base method;
}
description
"It specifies the Integrity Protection Method.";
}
/*
* DATA NODES
*/
augment "/ioam:ioam/ioam:profiles/ioam:profile" {
description
"This augmentation adds 4 profiles for the Integrity Protected
Options.";
container int-incremental-tracing-profile {
if-feature "int-incremental-trace";
presence
"Enables the Integrity Protected Incremental Trace-Option.";
description
"This container describes the profile for the Integrity
Protected Incremental Trace-Option.";
uses ioam:ioam-incremental-tracing-profile;
leaf int-method {
when "derived-from-or-self(../node-action,
'ioam:action-encapsulate')";
type method-type;
default "method-0";
description
"This object indicates the Integrity Protection Method for
this profile.";
}
}
container int-preallocated-tracing-profile {
if-feature "int-preallocated-trace";
presence
"Enables the Integrity Protected Pre-allocated
Trace-Option.";
description
"This container describes the profile for the Integrity
Protected Pre-allocated Trace-Option.";
uses ioam:ioam-preallocated-tracing-profile;
leaf int-method {
when "derived-from-or-self(../node-action,
'ioam:action-encapsulate')";
type method-type;
default "method-0";
description
"This object indicates the Integrity Protection Method for
this profile.";
}
}
container int-pot-profile {
if-feature "int-proof-of-transit";
presence
"Enables the Integrity Protected Proof of Transit Option.";
description
"This container describes the profile for the Integrity
Protected Proof of Transit Option.";
leaf use-namespace {
type ioam:ioam-namespace;
default "ioam:default-namespace";
description
"This object indicates the namespace used for the
POT types.";
}
leaf pot-type {
type ioam:ioam-pot-type;
description
"The type of a particular POT variant that specifies
the POT data that is included.";
}
leaf node-action {
type ioam:ioam-node-action;
default "ioam:action-transit";
description
"This object indicates the action the node needs to
take, e.g., encapsulation.";
}
leaf int-method {
when "derived-from-or-self(../node-action,
'ioam:action-encapsulate')";
type method-type;
default "method-0";
description
"This object indicates the Integrity Protection Method for
this profile.";
}
}
container int-e2e-profile {
if-feature "int-edge-to-edge";
presence
"Enables the Integrity Protected Edge-to-Edge Option.";
description
"This container describes the profile for the Integrity
Protected Edge-to-Edge Option.";
uses ioam:ioam-e2e-profile;
leaf int-method {
when "derived-from-or-self(../node-action,
'ioam:action-encapsulate')";
type method-type;
default "method-0";
description
"This object indicates the Integrity Protection Method for
this profile.";
}
}
}
}
<CODE ENDS>¶
This section is modeled after the template described in Section 3.7.1 of [I-D.ietf-netmod-rfc8407bis].¶
The "ietf-ioam-integrity" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have to use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and have to use mutual authentication.¶
The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.¶
There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:¶
Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:¶
This YANG module uses groupings from other YANG modules that define nodes that may be considered sensitive or vulnerable in network environments. Refer to the Security Considerations of [RFC9617] for information as to which nodes may be considered sensitive or vulnerable in network environments.¶
RFC Ed.: In this section and in Section 4, please replace all occurrences of 'RFC XXXX' with the actual RFC number. Also in Section 4 and in the Abstract, please replace all occurrences of 'RFC YYYY' with the actual RFC number of [I-D.ietf-ippm-ioam-data-integrity] (and remove this note).¶
IANA is requested to assign a new URI from the "IETF XML Registry" [RFC3688]. The following URI is suggested:¶
This document also requests a new YANG module name in the "YANG Module Names" registry [RFC6020] with the following suggestion:¶
The authors would like to thank Alex Huang Feng and Will Hawkins for their valuable feedback.¶
An example of the Integrity Protected Incremental Tracing Profile is depicted in the following figure. This configuration is received by an IOAM ingress node. This node encapsulates the IOAM data in the IPv6 Hop-by-Hop option header. The Integrity Protection Method to be used is method 0. The trace type indicates that each on-path node needs to capture the transit delay and add the data to the IOAM node data list. The incremental tracing data space is variable; however, the node data list must not exceed 512 bytes.¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<edit-config>
<target>
<candidate/>
</target>
<config>
<ioam xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam">
<admin-config>
<enabled>true</enabled>
</admin-config>
<profiles>
<profile>
<profile-name>ietf-test-profile</profile-name>
<protocol-type>ipv6</protocol-type>
<int-incremental-tracing-profile
xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam-integrity">
<node-action>action-encapsulate</node-action>
<trace-types>
<use-namespace>default-namespace</use-namespace>
<trace-type>trace-transit-delay</trace-type>
</trace-types>
<max-length>512</max-length>
<int-method>method-0</int-method>
</int-incremental-tracing-profile>
</profile>
</profiles>
</ioam>
</config>
</edit-config>
</rpc>
¶
An example of the Integrity Protected Pre-allocated Tracing Profile is depicted in the following figure. This configuration is received by an IOAM ingress node. This node first identifies the target flow by using the ACL parameter "test-acl" and then encapsulates the IOAM data in the NSH. The Integrity Protection Method to be used is method 0. The trace type indicates that each on-path node needs to capture the namespace-specific data in short format and add the data to the IOAM node data list. This node pre-allocates the node data list in the packet with 512 bytes.¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<edit-config>
<target>
<candidate/>
</target>
<config>
<ioam xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam">
<admin-config>
<enabled>true</enabled>
</admin-config>
<profiles>
<profile>
<profile-name>ietf-test-profile</profile-name>
<filter>
<filter-type>acl-filter</filter-type>
<ace-name>test-acl</ace-name>
</filter>
<protocol-type>nsh</protocol-type>
<int-preallocated-tracing-profile
xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam-integrity">
<node-action>action-encapsulate</node-action>
<trace-types>
<use-namespace>default-namespace</use-namespace>
<trace-type>trace-namespace-data</trace-type>
</trace-types>
<max-length>512</max-length>
<int-method>method-0</int-method>
</int-preallocated-tracing-profile>
</profile>
</profiles>
</ioam>
</config>
</edit-config>
</rpc>
¶
An example of the Integrity Protected Proof of Transit Profile is depicted in the following figure. This configuration is received by an IOAM ingress node. This node encapsulates the IOAM data (POT Type 0) in the IPv6 Hop-by-Hop option header. The Integrity Protection Method to be used is method 0.¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<edit-config>
<target>
<candidate/>
</target>
<config>
<ioam xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam">
<admin-config>
<enabled>true</enabled>
</admin-config>
<profiles>
<profile>
<profile-name>ietf-test-profile</profile-name>
<protocol-type>ipv6</protocol-type>
<int-pot-profile
xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam-integrity">
<pot-type>pot-type-0</pot-type>
<node-action>action-encapsulate</node-action>
<int-method>method-0</int-method>
</int-pot-profile>
</profile>
</profiles>
</ioam>
</config>
</edit-config>
</rpc>
¶
An example of the Integrity Protected Edge-to-Edge Profile is depicted in the following figure. This configuration is received by an IOAM ingress node. This node encapsulates the IOAM data in the IPv6 Destination option header. The Integrity Protection Method to be used is method 0. The Edge-to-Edge type indicates the presence of a 64-bit sequence number.¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<edit-config>
<target>
<candidate/>
</target>
<config>
<ioam xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam">
<admin-config>
<enabled>true</enabled>
</admin-config>
<profiles>
<profile>
<profile-name>ietf-test-profile</profile-name>
<protocol-type>ipv6</protocol-type>
<int-e2e-profile
xmlns="urn:ietf:params:xml:ns:yang:ietf-ioam-integrity">
<node-action>action-encapsulate</node-action>
<e2e-types>
<use-namespace>default-namespace</use-namespace>
<e2e-type>e2e-seq-num-64</e2e-type>
</e2e-types>
<int-method>method-0</int-method>
</int-e2e-profile>
</profile>
</profiles>
</ioam>
</config>
</edit-config>
</rpc>
¶