A YANG Data Model for In Situ Operations, Administration, and Maintenance (IOAM) Integrity Protected Options

A YANG Data Model for In Situ Operations, Administration, and Maintenance (IOAM) Integrity Protected Options University of Liege

10, Allee de la decouverte (B28) 4000 Sart-Tilman Belgium justin.iurman@uliege.be

Huawei

156 Beiqing Rd. Beijing 100095 China zhoutianran@huawei.com

ops ippm OAM In Situ OAM IOAM Integrity Configuration YANG In Situ Operations, Administration, and Maintenance (IOAM) is an example of an on-path hybrid measurement method to collect operational and telemetry information. The collected data may then be exported to systems that will use it to, e.g., monitor, measure, or (re)configure the network. Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields (RFC YYYY) defines IOAM Options with integrity protection, also called Integrity Protected Options. This document defines a YANG module for the management of these Integrity Protected Options.

In Situ Operations, Administration, and Maintenance (IOAM) is an example of an on-path hybrid measurement method to collect operational and telemetry information. The collected data may then be exported to systems that will use it to, e.g., monitor, measure, or (re)configure the network. defines IOAM Options with integrity protection, also called Integrity Protected Options. This document defines a data model for the management of these Integrity Protected Options using the YANG data modeling language . This YANG data model supports four IOAM Integrity Protected Options, which are as follows:

Integrity Protected Incremental Trace-Option (Section 4.1 of )
Integrity Protected Pre-allocated Trace-Option (Section 4.1 of )
Integrity Protected Proof of Transit (POT) Option (Section 4.2 of )
Integrity Protected Edge-to-Edge (E2E) Option (Section 4.3 of )

Note to the RFC Editor: this section is to be removed prior to publication. This document contains placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. No other RFC Editor instructions are specified elsewhere in this document, except in . Please apply the following replacements:

XXXX --> the assigned RFC number for this document
YYYY --> the assigned RFC number for
2026-01-12 --> the actual date of the publication of this document

Abbreviations used in this document:

OAM:: Operations, Administration, and Maintenance
IOAM:: In Situ OAM
POT:: Proof of Transit
E2E:: Edge to Edge

The following terms are defined in and are used in this specification:

augment
data model
data node

The terminology for describing YANG data models is found in .

Tree diagrams used in this document follow the notation defined in .

The IOAM Integrity model is organized as a list of profiles, as shown in . In this model, the "int" prefix refers to "INTegrity protection".

This document defines augmentations to the "ietf-ioam" YANG module by adding integrity-related profiles. Each profile is associated with one flow and the corresponding IOAM information. These integrity-related profiles are indicated by four defined features, i.e., "int-incremental-trace", "int-preallocated-trace", "int-proof-of-transit", and "int-edge-to-edge". The structures of the new profiles follow what is defined in , but for distinct purposes.

As illustrated in , the "int-preallocated-tracing-profile" container provides the detailed information for the pre-allocated tracing data with integrity protection. This information has the same structure as the Pre-allocated Tracing Profile (Section 3.2 of ), but has the following additional data node:

int-method:: indicates which Integrity Protection Method is used, as defined in the "IOAM Integrity Protection Methods" IANA registry . It is only defined at the encapsulating node because the Integrity Protection Method is selected and initialized when IOAM data is encapsulated.

As illustrated in , the "int-incremental-tracing-profile" container provides the detailed information for the incremental tracing data with integrity protection. This information has the same structure as the Incremental Tracing Profile (Section 3.3 of ), but has the following additional data node:

int-method:: indicates which Integrity Protection Method is used, as defined in the "IOAM Integrity Protection Methods" IANA registry . It is only defined at the encapsulating node because the Integrity Protection Method is selected and initialized when IOAM data is encapsulated.

As illustrated in , the "int-pot-profile" container is intended to provide the detailed information for the proof of transit data with integrity protection. This information has the same structure as the Proof of Transit Profile (Section 3.5 of ), but has the following additional data nodes:

node-action:: imported from the "ietf-ioam" YANG module with the same definition.
int-method:: indicates which Integrity Protection Method is used, as defined in the "IOAM Integrity Protection Methods" IANA registry . It is only defined at the encapsulating node because the Integrity Protection Method is selected and initialized when IOAM data is encapsulated.

As illustrated in , the "int-e2e-profile" container provides the detailed information for the edge-to-edge data with integrity protection. This information has the same structure as the Edge-to-Edge Profile (Section 3.6 of ), but has the following additional data node:

int-method:: indicates which Integrity Protection Method is used, as defined in the "IOAM Integrity Protection Methods" IANA registry . It is only defined at the encapsulating node because the Integrity Protection Method is selected and initialized when IOAM data is encapsulated.

The "ietf-ioam-integrity" module defined in this document imports the "ietf-ioam" module defined in . This document also references . WG List: Editor: Tianran Zhou Editor: Justin Iurman "; description "This YANG module specifies a vendor-independent data model for In Situ Operations, Administration, and Maintenance (IOAM) Integrity Protected Options. Copyright (c) 2026 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). All revisions of IETF and IANA published modules can be found at the YANG Parameters registry group (https://www.iana.org/assignments/yang-parameters). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices. Operational Considerations: - This model does not treat as mutually exclusive an IOAM Option and its integrity protected equivalent (i.e., an IOAM Integrity Protected Option). For example, an implementation may support the simultaneous configuration of an IOAM-Namespace with the Pre-allocated Trace Option and another IOAM-Namespace with the Integrity Protected Pre-allocated Trace Option. Therefore, the model does not impose constraints that would prevent such use cases."; revision 2026-01-12 { description "Initial version."; reference "RFC XXXX: A YANG Data Model for In Situ Operations, Administration, and Maintenance (IOAM) Integrity Protected Options"; } /* * FEATURES */ feature int-incremental-trace { description "This feature indicates that the Integrity Protected Incremental Trace-Option is supported."; reference "RFC YYYY: Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields, Section 4.1"; } feature int-preallocated-trace { description "This feature indicates that the Integrity Protected Pre-allocated Trace-Option is supported."; reference "RFC YYYY: Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields, Section 4.1"; } feature int-proof-of-transit { description "This feature indicates that the Integrity Protected Proof of Transit Option is supported."; reference "RFC YYYY: Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields, Section 4.2"; } feature int-edge-to-edge { description "This feature indicates that the Integrity Protected Edge-to-Edge Option is supported."; reference "RFC YYYY: Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields, Section 4.3"; } /* * GROUP DEFINITIONS */ grouping int-method-grouping { description "A grouping for Integrity Protection Methods."; leaf int-method { when "derived-from-or-self(../node-action, 'ioam:action-encapsulate')"; type iana-ioam-ipm:method-id; description "This object indicates the Integrity Protection Method for this profile. 'int-method' is only defined at the encapsulating node."; } } /* * DATA NODES */ augment "/ioam:ioam/ioam:profiles/ioam:profile" { description "This augmentation adds 4 profiles for the Integrity Protected Options."; container int-incremental-tracing-profile { if-feature "int-incremental-trace"; presence "Enables the Integrity Protected Incremental Trace-Option."; description "This container describes the profile for the Integrity Protected Incremental Trace-Option."; uses ioam:ioam-incremental-tracing-profile; uses int-method-grouping; } container int-preallocated-tracing-profile { if-feature "int-preallocated-trace"; presence "Enables the Integrity Protected Pre-allocated Trace-Option."; description "This container describes the profile for the Integrity Protected Pre-allocated Trace-Option."; uses ioam:ioam-preallocated-tracing-profile; uses int-method-grouping; } container int-pot-profile { if-feature "int-proof-of-transit"; presence "Enables the Integrity Protected Proof of Transit Option."; description "This container describes the profile for the Integrity Protected Proof of Transit Option."; leaf use-namespace { type ioam:ioam-namespace; default "ioam:default-namespace"; description "This object indicates the namespace used for the POT types."; } leaf pot-type { type ioam:ioam-pot-type; description "The type of a particular POT variant that specifies the POT data that is included."; } leaf node-action { type ioam:ioam-node-action; default "ioam:action-transit"; description "This object indicates the action the node needs to take, e.g., encapsulation."; } uses int-method-grouping; } container int-e2e-profile { if-feature "int-edge-to-edge"; presence "Enables the Integrity Protected Edge-to-Edge Option."; description "This container describes the profile for the Integrity Protected Edge-to-Edge Option."; uses ioam:ioam-e2e-profile; uses int-method-grouping; } } } ]]>

This section is modeled after the template described in Section 3.7 of . The "ietf-ioam-integrity" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF and RESTCONF . These YANG-based management protocols (1) have to use a secure transport layer (e.g., SSH , TLS , and QUIC ) and (2) have to use mutual authentication. The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:

/ioam:ioam/ioam:profiles/ioam:profile:: The entries in the "profile" list include the whole IOAM profile configurations. Unexpected changes to these entries could lead to incorrect IOAM behavior for the corresponding flows. Consequently, such changes would impact performance monitoring, data analytics, and associated interactions with network services. Also, unauthorized access to integrity-related parameters may impact the integrity protection service, thus preventing the interpretation and validation of IOAM data.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:

/ioam:ioam/ioam:profiles/ioam:profile:: The information contained in this subtree might reveal information about the services deployed for customers. For instance, a customer might be given access to monitor the status of their services. In this scenario, the customer's access should be restricted to nodes representing their services so as not to divulge information about the underlying network structure or services.

This YANG module uses groupings from other YANG modules that define nodes that may be considered sensitive or vulnerable in network environments. Refer to the Security Considerations of for information as to which nodes may be considered sensitive or vulnerable in network environments.

IANA is requested to register the following URIs in the "ns" registry within the "IETF XML Registry" group :

URI:: urn:ietf:params:xml:ns:yang:ietf-ioam-integrity
Registrant Contact:: The IESG.
XML:: N/A; the requested URI is an XML namespace.

URI:: urn:ietf:params:xml:ns:yang:iana-ioam-integrity-protection-methods
Registrant Contact:: The IESG.
XML:: N/A; the requested URI is an XML namespace.

IANA is requested to register the following YANG modules in the "YANG Module Names" registry within the "YANG Parameters" registry group:

Name:: ietf-ioam-integrity
Maintained by IANA?:: N
Namespace:: urn:ietf:params:xml:ns:yang:ietf-ioam-integrity
Prefix:: ioam-int
Reference:: RFC XXXX

Name:: iana-ioam-integrity-protection-methods
Maintained by IANA?:: Y
Namespace:: urn:ietf:params:xml:ns:yang:iana-ioam-integrity-protection-methods
Prefix:: iana-ioam-ipm
Reference:: RFC XXXX

This document defines the initial version of the IANA-maintained "iana-ioam-integrity-protection-methods" YANG module. The most recent version of the YANG module is available from the "YANG Parameters" registry group . IANA is requested to add this note to the registry:

New values must not be directly added to the "iana-ioam-integrity-protection-methods" YANG module. They must instead be added to the "IOAM Integrity Protection Methods" registry.

When a value is added to the "IOAM Integrity Protection Methods" registry, a new "enum" statement must be added to the "iana-ioam-integrity-protection-methods" YANG module. The "enum" statement, and sub-statements thereof, should be defined:

"enum":: Prefix "method-" to the decimal value of the ID from the registry.
"value":: Contains the decimal value of the IANA-assigned ID value.
"status":: Is included only if a registration has been deprecated or obsoleted. IANA "deprecated" maps to YANG status "deprecated", and IANA "obsolete" maps to YANG status "obsolete".
"description":: Replicates the description from the registry.
"reference":: Replicates the reference(s) from the registry with the title of the document(s) added.

Unassigned or reserved values are not present in the module. When the "iana-ioam-integrity-protection-methods" YANG module is updated, a new "revision" statement with a unique revision date needs to be added in front of the existing revision statements. IANA is requested to add this note to [reference-to-the-iana-foo-registry]:

When this registry is modified, the YANG module "iana-ioam-integrity-protection-methods" [IANA_FOO_URL] must be updated as defined in RFC XXXX.

The authors would like to thank Alex Huang Feng, Will Hawkins, and Mohamed Boucadair for their valuable feedback.

&RFC3688; &RFC6020; &RFC7950; &RFC7951; &RFC8341; &RFC9617; &I-D.ietf-ippm-ioam-data-integrity; In Situ OAM (IOAM) n.d. &RFC4252; &RFC6241; &RFC7799; &RFC8040; &RFC8340; &RFC8446; &RFC9000; &I-D.ietf-netmod-rfc8407bis; YANG Parameters n.d.

RFC Ed.: please remove this section. "; description "This YANG module is maintained by IANA and reflects the 'IOAM Integrity Protection Methods' registry. Copyright (c) 2026 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). All revisions of IETF and IANA published modules can be found at the YANG Parameters registry group (https://www.iana.org/assignments/yang-parameters). The initial version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices. // RFC Ed.: replace the IANA_FOO_URL and remove this note The latest version of this YANG module is available at ."; reference "IOAM Integrity Protection Methods (https://www.iana.org/assignments/ioam/ioam.xhtml)"; revision 2026-01-12 { description "Initial version."; reference "URL of the published initial version of the module // RFC Ed.: replace above with the URL of the module // and remove this note RFC XXXX: A YANG Data Model for In Situ Operations, Administration, and Maintenance (IOAM) Integrity Protected Options"; } /* * Type definitions */ typedef method-id { type enumeration { enum method-0 { value 0; description "IPM 0: AES-GMAC, 16-octet (full) Authentication Tag, 12-octet Initialization Vector."; reference "RFC YYYY: Integrity Protection of In Situ Operations, Administration, and Maintenance (IOAM) Data Fields, Section 5"; } } description "Identifier for an IOAM Integrity Protection Method, matching the 'IOAM Integrity Protection Methods' IANA registry."; reference "https://www.iana.org/assignments/ioam/ioam.xhtml"; } } ]]>

illustrates the full tree of the IOAM Integrity YANG Data Model.

A JSON example of the Integrity Protected Incremental Tracing Profile is depicted in . This configuration is received by an IOAM ingress node. This node encapsulates the IOAM data in the IPv6 Hop-by-Hop option header. The Integrity Protection Method to be used is method 0. The trace type indicates that each on-path node needs to capture the transit delay and add the data to the IOAM node data list. The incremental tracing data space is variable; however, the node data list must not exceed 512 bytes.

A JSON example of the Integrity Protected Pre-allocated Tracing Profile is depicted in . This configuration is received by an IOAM ingress node. This node first identifies the target flow by using the ACL parameter "test-acl" and then encapsulates the IOAM data in the NSH. The Integrity Protection Method to be used is method 0. The trace type indicates that each on-path node needs to capture the namespace-specific data in short format and add the data to the IOAM node data list. This node pre-allocates the node data list in the packet with 512 bytes.

A JSON example of the Integrity Protected Proof of Transit Profile, combined with the Integrity Protected Edge-to-Edge Profile, is depicted in . This configuration is received by an IOAM ingress node. This node encapsulates the Integrity Protected Proof of Transit Type 0 in an IPv6 Hop-by-Hop Options header, and also encapsulates the Integrity Protected Edge-to-Edge in an IPv6 Destination Options header. The Edge-to-Edge type indicates the presence of a 64-bit sequence number. The Integrity Protection Method to be used for both is method 0.