4. Security Considerations

The data nodes defined by the YANG module in this document with "config true" are writable/creatable/deletable (i.e., they provide write access to configuration information).

Sensitive Writable Data Nodes

These data nodes may be considered sensitive or vulnerable in some network environments and require special consideration:

  • Write access should only be granted to trusted entities
  • Appropriate access control mechanisms should be implemented

NETCONF Access Control

It is recommended to implement the "Network Configuration Access Control Model" (NACM) [RFC8341]:

  • Restrict access by specific NETCONF or RESTCONF users to specific pre-configured operations
  • Provide fine-grained access control policies

OSPF-Specific Security Considerations

Segment Routing Configuration Integrity

Prefix-SID Protection:

  • Unauthorized modification of Prefix-SIDs can lead to traffic misdirection
  • May cause black-hole routing or traffic hijacking

Adjacency-SID Protection:

  • Adjacency-SID modifications can affect traffic engineering paths
  • May break fast reroute protection

SRGB/SRLB Conflicts

An improperly configured SRGB may lead to:

  • Label space conflicts
  • Interoperability issues with other nodes
  • Segment Routing functionality failure

LSA Flooding Attacks

Malicious configuration may trigger:

  • Massive LSA updates
  • Network bandwidth consumption
  • Router CPU resource exhaustion
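As an added example (not part of this document), the following script shows what the "monitor abnormal LSA activity" and "establish baselines and detect deviations" measures listed under item 5 below can look like in practice for the flooding scenario described above. It parses a constructed, syslog-style log format (the line layout, hostnames, router IDs and the baseline/threshold parameters are all assumptions made for this example, not any vendor's output), counts received LSAs per one-minute window and per advertising router, takes the first few windows as a baseline, and flags later windows whose LSA volume deviates from it.

```python
"""Baseline-and-deviation monitor for received OSPF LSAs (added example, constructed data)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example; real routers log LSA activity in vendor-specific ways.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ospf: received LSA type=(?P<type>\d+) "
    r"adv-router=(?P<router>[\d.]+) area=(?P<area>\S+)$"
)


def build_sample_log():
    """Constructed sample: five quiet minutes, then one router re-originating 40 LSAs in a minute."""
    lines = []
    base = datetime(2024, 5, 1, 10, 0, 0)
    for minute in range(5):
        for i in range(3):
            ts = base + timedelta(minutes=minute, seconds=10 * i)
            router = "10.0.0.2" if i % 2 == 0 else "10.0.0.3"
            lines.append(f"{ts.isoformat()} r1 ospf: received LSA type=1 adv-router={router} area=0")
    for i in range(40):
        ts = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts.isoformat()} r1 ospf: received LSA type=1 adv-router=10.0.0.9 area=0")
    lines.append("2024-05-01T10:05:59 r1 kernel: unrelated message")  # ignored by the parser
    return lines


def parse_lines(lines):
    """Yield (timestamp, lsa_type, advertising_router) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), int(m["type"]), m["router"]


def bucket_counts(events):
    """Count LSAs per one-minute window (keyed by window start), broken down by advertising router."""
    buckets = defaultdict(Counter)
    for ts, _lsa_type, router in events:
        buckets[ts.replace(second=0, microsecond=0)][router] += 1
    return dict(sorted(buckets.items()))


def detect_deviations(buckets, baseline_windows=5, k=3.0, floor=20):
    """Use the first `baseline_windows` as the baseline; flag later windows above mean + k*stdev.

    `floor` is an absolute minimum threshold so that a very steady baseline (stdev near 0)
    does not turn ordinary jitter into alerts. All three parameters are arbitrary choices
    for this example and need tuning per network.
    """
    keys = list(buckets)
    totals = [sum(buckets[key].values()) for key in keys]
    base = totals[:baseline_windows]
    if not base:
        return []
    threshold = max(statistics.mean(base) + k * statistics.pstdev(base), floor)
    alerts = []
    for key, total in zip(keys[baseline_windows:], totals[baseline_windows:]):
        if total > threshold:
            top_router, top_count = buckets[key].most_common(1)[0]
            alerts.append({
                "window": key,
                "total": total,
                "threshold": threshold,
                "top_router": top_router,  # router contributing most LSAs in the window
                "top_count": top_count,
            })
    return alerts


def analyse(lines):
    """Full pipeline: parse -> bucket -> compare against the baseline."""
    return detect_deviations(bucket_counts(parse_lines(lines)))


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(f"{alert['window']:%Y-%m-%d %H:%M}: {alert['total']} LSAs "
              f"(threshold {alert['threshold']:.0f}), top source {alert['top_router']} "
              f"with {alert['top_count']}")
```

Reporting the top advertising router per flagged window is what makes the alert actionable: an operator can check whether that router's configuration was changed (tying this back to the "log all configuration changes" item) rather than only seeing that LSA volume rose.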

  1. Strong Authentication:

    • Use OSPF authentication mechanisms to protect protocol messages
    • OSPFv2: MD5 or cryptographic authentication
    • OSPFv3: IPsec
  2. Management Interface Protection:

    • Use TLS/SSH encryption for NETCONF/RESTCONF sessions
    • Implement strong password policies
    • Multi-factor authentication
  3. Access Control Lists (ACL):

    • Restrict management interface access source addresses
    • Implement role-based access control (RBAC)
  4. Configuration Validation:

    • Implement pre-commit validation mechanisms
    • Detect SID conflicts
    • Validate that configured SRGB ranges are reasonable
  5. Auditing and Monitoring:

    • Log all configuration changes
    • Monitor abnormal LSA activity
    • Establish baselines and detect deviations
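The pre-commit validation recommended under item 4, together with the SRGB/SRLB conflict cases discussed earlier, can be illustrated with the following added example (it is not part of this document and not the module's own code). The candidate configuration is a plain Python dict whose key names ("srgb", "srlb", "prefix_sids", "index") are this example's own shorthand, not the data-node names of ietf-ospf-sr-mpls; the sample prefixes and label ranges are constructed. The validator checks that SRGB and SRLB blocks lie inside the 20-bit MPLS label space, do not overlap each other or themselves, that every prefix-SID index falls inside the SRGB, and that no two prefixes resolve to the same label.

```python
"""Pre-commit validation of an OSPF SR-MPLS candidate configuration (added example, constructed data).

The candidate is a plain dict: "srgb" and "srlb" are lists of (lower, upper) label ranges,
"prefix_sids" maps a prefix to {"index": N}. These key names are this example's own
shorthand, not the data-node names of ietf-ospf-sr-mpls.
"""
from dataclasses import dataclass

MPLS_MIN_LABEL = 16             # labels 0-15 are reserved special-purpose labels
MPLS_MAX_LABEL = (1 << 20) - 1  # MPLS labels are 20 bits wide


@dataclass(frozen=True)
class LabelBlock:
    lower: int
    upper: int  # inclusive

    def size(self):
        return self.upper - self.lower + 1

    def overlaps(self, other):
        return self.lower <= other.upper and other.lower <= self.upper


def validate_blocks(name, blocks, errors):
    """Range sanity for one list of blocks (SRGB or SRLB): ordered bounds, inside the label space, disjoint."""
    for b in blocks:
        if b.lower > b.upper:
            errors.append(f"{name} block {b.lower}-{b.upper}: lower bound above upper bound")
        if b.lower < MPLS_MIN_LABEL or b.upper > MPLS_MAX_LABEL:
            errors.append(f"{name} block {b.lower}-{b.upper}: outside usable label space "
                          f"{MPLS_MIN_LABEL}-{MPLS_MAX_LABEL}")
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{name} blocks {a.lower}-{a.upper} and {b.lower}-{b.upper} overlap")


def srgb_label(srgb, index):
    """Map a prefix-SID index to a label by walking SRGB blocks in configured order; None if out of range."""
    remaining = index
    for b in srgb:
        if remaining < b.size():
            return b.lower + remaining
        remaining -= b.size()
    return None


def validate_candidate(cfg):
    """Return a list of human-readable errors; an empty list means the candidate may be committed."""
    errors = []
    srgb = [LabelBlock(*r) for r in cfg.get("srgb", [])]
    srlb = [LabelBlock(*r) for r in cfg.get("srlb", [])]
    if not srgb:
        errors.append("SRGB is empty: prefix-SID indexes cannot be mapped to labels")
    validate_blocks("SRGB", srgb, errors)
    validate_blocks("SRLB", srlb, errors)
    for g in srgb:
        for s in srlb:
            if g.overlaps(s):
                errors.append(f"SRGB block {g.lower}-{g.upper} overlaps SRLB block {s.lower}-{s.upper}")
    # Prefix-SID checks use only well-formed blocks so a bad range does not cascade into bogus label math.
    usable = [b for b in srgb if b.lower <= b.upper]
    srgb_size = sum(b.size() for b in usable)
    owner = {}  # label -> prefix that first claimed it
    for prefix, sid in cfg.get("prefix_sids", {}).items():
        index = sid["index"]
        if index < 0:
            errors.append(f"prefix {prefix}: negative SID index {index}")
            continue
        label = srgb_label(usable, index)
        if label is None:
            errors.append(f"prefix {prefix}: SID index {index} exceeds SRGB size {srgb_size}")
        elif label in owner:
            errors.append(f"prefix {prefix}: SID index {index} (label {label}) conflicts with {owner[label]}")
        else:
            owner[label] = prefix
    return errors


# Constructed candidates: one clean, one with an SRGB self-overlap, an SRGB/SRLB clash,
# a duplicated SID index and an index beyond the SRGB.
GOOD_CANDIDATE = {
    "srgb": [(16000, 23999)],
    "srlb": [(15000, 15999)],
    "prefix_sids": {"10.1.1.1/32": {"index": 1}, "10.1.1.2/32": {"index": 2}},
}
BAD_CANDIDATE = {
    "srgb": [(16000, 23999), (20000, 27999)],
    "srlb": [(16500, 16999)],
    "prefix_sids": {
        "10.1.1.1/32": {"index": 1},
        "10.1.1.2/32": {"index": 1},
        "10.1.1.3/32": {"index": 99999},
    },
}

if __name__ == "__main__":
    for name, cand in (("good", GOOD_CANDIDATE), ("bad", BAD_CANDIDATE)):
        errs = validate_candidate(cand)
        print(f"{name}: {'commit allowed' if not errs else 'rejected'}")
        for e in errs:
            print("  -", e)
```

Resolving each index to a concrete label before comparing is deliberate: two prefixes with different indexes cannot collide, but the same index on two prefixes (or an index that runs past the last SRGB block) is exactly the kind of mistake that produces the label conflicts and mis-forwarding described above, and it is cheaper to reject at commit time than to debug in the data plane.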

5. IANA Considerations

YANG Module Name Registration

IANA has registered the following URI in the "YANG Module Names" registry [RFC6020]:

URI: urn:ietf:params:xml:ns:yang:ietf-ospf-sr-mpls
Registrant Contact: OSPF Working Group ([email protected])
XML: N/A; the requested URI is an XML namespace

YANG Module Registration

This document registers the following YANG module in the "YANG Module Names" registry [RFC6020]:

Name: ietf-ospf-sr-mpls
Namespace: urn:ietf:params:xml:ns:yang:ietf-ospf-sr-mpls
Prefix: ospf-sr-mpls
Reference: RFC 9903

6. References

6.1. Normative References

  • [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

  • [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, DOI 10.17487/RFC2328, April 1998.

  • [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, Ed., "OSPF for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008.

  • [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.

  • [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013.

  • [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

  • [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

  • [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018.

  • [RFC8349] Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for Routing Management (NMDA Version)", RFC 8349, DOI 10.17487/RFC8349, March 2018.

  • [RFC8665] Psenak, P., Ed., Previdi, S., Ed., Filsfils, C., Gredler, H., Shakir, R., Henderickx, W., and J. Tantsura, "OSPF Extensions for Segment Routing", RFC 8665, DOI 10.17487/RFC8665, December 2019.

  • [RFC8666] Psenak, P., Ed. and S. Previdi, Ed., "OSPFv3 Extensions for Segment Routing", RFC 8666, DOI 10.17487/RFC8666, December 2019.

  • [RFC9129] Yeung, D., Qu, Y., Zhang, J., Chen, I., and A. Lindem, "YANG Data Model for the OSPF Protocol", RFC 9129, DOI 10.17487/RFC9129, October 2022.

6.2. Informative References

  • [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

  • [RFC8660] Bashandy, A., Ed., Filsfils, C., Ed., Previdi, S., Decraene, B., Litkowski, S., and R. Shakir, "Segment Routing with the MPLS Data Plane", RFC 8660, DOI 10.17487/RFC8660, December 2019.