4. Security Considerations

This section is modeled after the template described in Section 3.7 of [YANG-GUIDE].

The "ietf-isis-sr-mpls" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These YANG-based management protocols (1) have to use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and (2) have to use mutual authentication.

The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

Writable Data Nodes

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:

• /isis:isis/segment-routing
• /isis:isis/protocol-srgb
• /isis:isis/isis:interfaces/isis:interface/segment-routing
• /isis:isis/isis:interfaces/isis:interface/isis:fast-reroute/ti-lfa

The ability to disable or enable IS-IS SR support and/or change SR configurations can result in a Denial-of-Service (DoS) attack, as this may cause traffic to be dropped or misrouted. Please refer to Section 5 of [RFC8667] for more information on SR extensions.

Readable Data Nodes

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:

• /isis:router-capabilities/sr-capability
• /isis:router-capabilities/sr-algorithms
• /isis:router-capabilities/local-blocks
• /isis:router-capabilities/srms-preference
• and the augmentations to the IS-IS LSDB.

Unauthorized access to any data node of these subtrees can disclose the operational state information of the IS-IS protocol on a device.

There are no particularly sensitive RPC or action operations.

---

5. IANA Considerations

The IANA has assigned one new URI in the "IETF XML Registry" [RFC3688]:

URI:  urn:ietf:params:xml:ns:yang:ietf-isis-sr-mpls
Registrant Contact:  The IESG.
XML:  N/A; the requested URI is an XML namespace

This document also registers one new YANG module name in the "YANG Module Names" registry [RFC6020]:

Name:  ietf-isis-sr-mpls
Maintained by IANA?  N
Namespace:  urn:ietf:params:xml:ns:yang:ietf-isis-sr-mpls
Prefix:  isis-sr-mpls
Reference:  RFC 9902

---

6. References

6.1. Normative References

• [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, ````https://www.rfc-editor.org/info/rfc3688\````.

• [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, ````https://www.rfc-editor.org/info/rfc6020\````.

• [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, ````https://www.rfc-editor.org/info/rfc6991\````.

• [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, ````https://www.rfc-editor.org/info/rfc7950\````.

• [RFC8102] Sarkar, P., Ed., Hegde, S., Bowers, C., Gredler, H., and S. Litkowski, "Remote-LFA Node Protection and Manageability", RFC 8102, DOI 10.17487/RFC8102, March 2017, ````https://www.rfc-editor.org/info/rfc8102\````.

• [RFC8294] Liu, X., Qu, Y., Lindem, A., Hopps, C., and L. Berger, "Common YANG Data Types for the Routing Area", RFC 8294, DOI 10.17487/RFC8294, December 2017, ````https://www.rfc-editor.org/info/rfc8294\````.

• [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, ````https://www.rfc-editor.org/info/rfc8341\````.

• [RFC8349] Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for Routing Management (NMDA Version)", RFC 8349, DOI 10.17487/RFC8349, March 2018, ````https://www.rfc-editor.org/info/rfc8349\````.

• [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., Decraene, B., Litkowski, S., and R. Shakir, "Segment Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, July 2018, ````https://www.rfc-editor.org/info/rfc8402\````.

• [RFC8667] Previdi, S., Ed., Ginsberg, L., Ed., Filsfils, C., Bashandy, A., Gredler, H., and B. Decraene, "IS-IS Extensions for Segment Routing", RFC 8667, DOI 10.17487/RFC8667, December 2019, ````https://www.rfc-editor.org/info/rfc8667\````.

• [RFC9020] Litkowski, S., Qu, Y., Lindem, A., Sarkar, P., and J. Tantsura, "YANG Data Model for Segment Routing", RFC 9020, DOI 10.17487/RFC9020, May 2021, ````https://www.rfc-editor.org/info/rfc9020\````.

• [RFC9130] Litkowski, S., Ed., Yeung, D., Lindem, A., Zhang, J., and L. Lhotka, "YANG Data Model for the IS-IS Protocol", RFC 9130, DOI 10.17487/RFC9130, October 2022, ````https://www.rfc-editor.org/info/rfc9130\````.

• [RFC9855] Bashandy, A., Litkowski, S., Filsfils, C., Francois, P., Decraene, B., and D. Voyer, "Topology Independent Fast Reroute Using Segment Routing", RFC 9855, DOI 10.17487/RFC9855, October 2025, ````https://www.rfc-editor.org/info/rfc9855\````.

6.2. Informative References

• [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, January 2006, ````https://www.rfc-editor.org/info/rfc4252\````.

• [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, ````https://www.rfc-editor.org/info/rfc6241\````.

• [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, ````https://www.rfc-editor.org/info/rfc8040\````.

• [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, ````https://www.rfc-editor.org/info/rfc8340\````.

• [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, ````https://www.rfc-editor.org/info/rfc8446\````.

• [RFC8660] Bashandy, A., Ed., Filsfils, C., Ed., Previdi, S., Decraene, B., Litkowski, S., and R. Shakir, "Segment Routing with the MPLS Data Plane", RFC 8660, DOI 10.17487/RFC8660, December 2019, ````https://www.rfc-editor.org/info/rfc8660\````.

• [RFC8661] Bashandy, A., Ed., Filsfils, C., Ed., Previdi, S., Decraene, B., and S. Litkowski, "Segment Routing MPLS Interworking with LDP", RFC 8661, DOI 10.17487/RFC8661, December 2019, ````https://www.rfc-editor.org/info/rfc8661\````.

• [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, May 2021, ````https://www.rfc-editor.org/info/rfc9000\````.

• [YANG-GUIDE] Bierman, A., "Guidelines for Authors and Reviewers of Documents Containing YANG Data Models", Work in Progress, Internet-Draft, draft-ietf-netmod-rfc8407bis-05, 22 August 2024, ````https://datatracker.ietf.org/doc/html/draft-ietf-netmod-rfc8407bis-05\````.

---