RFC 9825: Extensions to OSPF for Advertising Prefix Administrative Tags

A. Lindem, Ed.,
P. Psenak,
Y. Qu

Proposed Standard

Abstract

It is useful for routers in OSPFv2 and OSPFv3 routing domains to be able to associate tags with prefixes. Previously, OSPFv2 and OSPFv3 were relegated to a single tag and only for Autonomous System (AS) External and Not-So-Stubby-Area (NSSA) prefixes. With the flexible encodings provided by OSPFv2 Prefix/Link Attribute Advertisement and OSPFv3 Extended Link State Advertisements (LSAs), multiple administrative tags may be advertised for all types of prefixes. These administrative tags can be used for many applications including route redistribution policy, selective prefix prioritization, selective IP Fast Reroute (IPFRR) prefix protection, and many others.¶

Status of This Memo

This is an Internet Standards Track document.¶

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9825.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶

1. Introduction

It is useful for routers in OSPFv2 [RFC2328] and OSPFv3 [RFC5340] routing domains to be able to associate tags with prefixes. Previously, OSPFv2 and OSPFv3 were relegated to a single tag and only for Autonomous System (AS) External and Not-So-Stubby-Area (NSSA) prefixes. With the flexible encodings provided by OSPFv2 Prefix/Link Attribute Advertisement [RFC7684] and OSPFv3 Extended Link State Advertisement (LSA) [RFC8362], multiple administrative tags may be advertised for all types of prefixes. These administrative tags can be used in many applications including (but not limited to):¶

Controlling which routes are redistributed into other protocols for re-advertisement.¶
Prioritizing selected prefixes for faster convergence and installation in the forwarding plane.¶
Identifying selected prefixes for Loop-Free Alternative (LFA) protection.¶

Throughout this document, "OSPF" is used when the text applies to both OSPFv2 and OSPFv3. "OSPFv2" or "OSPFv3" is used when the text is specific to one version of the OSPF protocol.¶

The definition of the 64-bit tag was considered but discarded, given that there is no strong requirement or use case.¶

The IS-IS protocol supports a similar mechanism that is described in [RFC5130].¶

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

2. Administrative Tag Sub-TLV

This document creates a new Administrative Tag Sub-TLV for OSPFv2 and OSPFv3. This sub-TLV specifies one or more 32-bit unsigned integers that may be associated with an OSPF advertised prefix. The precise usage of these tags is beyond the scope of this document.¶

The format of the Administrative Tag Sub-TLV is as follows:¶

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Type             |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             First Administrative Tag                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             o                                 |
                                 o
   |                             o                                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Last Administrative Tag                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 1: Administrative Tag Sub-TLV

Type:

A 16-bit field set to:¶

13:: "OSPFv2 Extended Prefix TLV Sub-TLVs" registry¶
39:: "OSPFv3 Extended-LSA Sub-TLVs" registry¶
6:: "OSPFv3 SRv6 Locator LSA Sub-TLVs" registry¶

Length:

A 16-bit field that indicates the length of the value portion in octets and MUST be a multiple of 4 octets dependent on the number of administrative tags advertised. At least one administrative tag MUST be advertised.¶

Value:

A variable length list of one or more administrative tags.¶

This sub-TLV will carry one or more 32-bit unsigned integer values that will be used as administrative tags. If the length is 0 or not a multiple of 4 octets, the sub-TLV MUST be ignored, and the reception SHOULD be logged for further analysis (subject to rate-limiting).¶

3. Administrative Tag Applicability

The Administrative Tag Sub-TLV specified herein will be valid as a sub-TLV of the following TLVs specified in [RFC7684]:¶

Extended Prefix TLV advertised in the OSPFv2 Extended Prefix Opaque LSA¶

The Administrative Tag Sub-TLV specified herein will be valid as a sub-TLV of the following TLVs specified in [RFC8362]:¶

Inter-Area-Prefix TLV advertised in the E-Inter-Area-Prefix-LSA¶
Intra-Area-Prefix TLV advertised in the E-Intra-Area-Prefix-LSA¶
External-Prefix TLV advertised in the E-AS-External-LSA and the E-NSSA-LSA¶

The Administrative Tag Sub-TLV specified herein will be valid as a sub-TLV of the following TLVs specified in [RFC9513]:¶

SRv6 Locator TLV advertised in the SRv6 Locator LSA¶

4. Protocol Operation

An OSPF router supporting this specification MUST be able to advertise and interpret at least one tag for all types of prefixes. An OSPF router supporting this specification MAY be able to advertise prefixes with multiple tags and propagate prefixes with multiple tags between areas. The maximum tags that an implementation supports is a local matter depending upon supported applications using prefix tags. Depending on the application, the number of tags supported by the OSPF routers in the OSPF routing domain may limit the deployment of that application.¶

When tags are advertised for AS External or NSSA LSA prefixes, the existing tag in the OSPFv2 and OSPFv3 AS-External-LSA and NSSA-LSA encodings MUST be utilized for the first tag. Additional tags MAY be advertised using the Administrative Tag Sub-TLV specified in this document. This will facilitate backward compatibility with implementations that do not support this specification.¶

An OSPF router supporting this specification SHOULD propagate administrative tags when acting as an Area Border Router (ABR) and when originating summary advertisements into other areas (unless inhibited by local policy (Section 6)). Similarly, an OSPF router supporting this specification and acting as an ABR for a NSSA SHOULD propagate tags when translating NSSA routes to AS External advertisements [RFC3101] (also subject to local policy (Section 6)).¶

There is no implied meaning to the ordering of the tags that indicates a certain operation or set of operations need to be performed based on the order of the tags. Each tag SHOULD be treated as an autonomous identifier that MAY be used in policy to perform a policy action. Whether or not tag A precedes or succeeds, tag B SHOULD NOT change the meaning of the tags. The number of tags supported by an ABR MAY limit the number of tags that are propagated. When propagating multiple tags between areas as previously described, the order of the tags MUST be preserved so that implementations supporting fewer tags will have a consistent view across areas.¶

For configured area ranges, NSSA ranges, and configured aggregation of redistributed routes, tags from component routes SHOULD NOT be propagated to the summary. Implementations SHOULD provide a mechanism to configure multiple tags for area ranges, NSSA ranges, and redistributed route summaries.¶

4.1. Equal-Cost Multipath Applicability

When multiple LSAs contribute to an OSPF route, it is possible that these LSAs will all have different tags. In this situation, the OSPF ABR propagating the route to other areas with inter-area LSAs MUST associate the tags from one of the LSAs contributing a path and, if the implementation supports multiple tags, MAY associate tags from multiple contributing LSAs up to the maximum number of tags supported. It is RECOMMENDED that tags from LSAs are added to the path in ascending order of the LSA originator Router-ID.¶

5. BGP-LS Advertisement

Border Gateway Protocol - Link State (BGP-LS) [RFC9552] introduced the support for advertising administrative tags associated with prefixes using the BGP-LS IGP Route Tag TLV (TLV 1153). This BGP-LS TLV is used to advertise the OSPF Administrative Tags specified in this document.¶

6. Management Considerations

Implementations MAY include configuration of policies to modify the advertisement of tags for redistributed prefixes. Implementations MAY also include configuration of policies to modify the propagation of administrative tags between areas (OSPFv2 Extended Prefix Opaque LSAs, OSPFv3 E-Inter-Area-Prefix-LSAs, and translated OSPFv3 E-AS-External-LSAs). However, the default behavior SHOULD be to advertise or propagate the lesser number of all the tags associated with the prefix or the maximum number of tags supported by the implementation.¶

Both the support of this specification and the number of tags supported by OSPF routers within an OSPF routing domain will limit the usefulness and deployment of applications utilizing tags.¶

7. YANG Data Model

YANG [RFC7950] is a data definition language used to define the contents of a conceptual data store that allows networked devices to be managed using Network Configuration Protocol (NETCONF) [RFC6241] or RESTCONF [RFC8040].¶

This section defines a YANG data model that can be used to configure and manage the prefix administrative tags defined in this document, which augments the OSPF YANG data model [RFC9129], the OSPFv3 Extended LSA YANG data model [RFC9587], and the Routing Management YANG data model [RFC8349]. Additionally, the YANG data models defined in [RFC6991] are imported.¶

7.1. Tree for the YANG Data Model

This document uses the graphical representation of data models per [RFC8340].¶

The following shows the tree diagram of the module:¶

module: ietf-ospf-admin-tags

  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:ranges/ospf:range:
    +--rw admin-tags
       +--rw admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:interfaces/ospf:interface:
    +--rw local-prefix-admin-tags
       +--rw default-admin-tag*           uint32
       +--rw specific-prefix-admin-tag* [prefix]
          +--rw prefix       inet:ip-prefix
          +--rw admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:local-rib
            /ospf:route/ospf:next-hops/ospf:next-hop:
    +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:interfaces/ospf:interface/ospf:database
            /ospf:link-scope-lsa-type/ospf:link-scope-lsas
            /ospf:link-scope-lsa/ospf:version/ospf:ospfv2/ospf:ospfv2
            /ospf:body/ospf:opaque/ospf:extended-prefix-opaque
            /ospf:extended-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:database/ospf:area-scope-lsa-type
            /ospf:area-scope-lsas/ospf:area-scope-lsa/ospf:version
            /ospf:ospfv2/ospf:ospfv2/ospf:body/ospf:opaque
            /ospf:extended-prefix-opaque/ospf:extended-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:database
            /ospf:as-scope-lsa-type/ospf:as-scope-lsas
            /ospf:as-scope-lsa/ospf:version/ospf:ospfv2/ospf:ospfv2
            /ospf:body/ospf:opaque/ospf:extended-prefix-opaque
            /ospf:extended-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:database/ospf:area-scope-lsa-type
            /ospf:area-scope-lsas/ospf:area-scope-lsa/ospf:version
            /ospf:ospfv3/ospf:ospfv3/ospf:body
            /ospfv3-e-lsa:e-inter-area-prefix
            /ospfv3-e-lsa:e-inter-prefix-tlvs
            /ospfv3-e-lsa:inter-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:database/ospf:area-scope-lsa-type
            /ospf:area-scope-lsas/ospf:area-scope-lsa/ospf:version
            /ospf:ospfv3/ospf:ospfv3/ospf:body
            /ospfv3-e-lsa:e-intra-area-prefix
            /ospfv3-e-lsa:e-intra-prefix-tlvs
            /ospfv3-e-lsa:intra-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:database
            /ospf:as-scope-lsa-type/ospf:as-scope-lsas
            /ospf:as-scope-lsa/ospf:version/ospf:ospfv3/ospf:ospfv3
            /ospf:body/ospfv3-e-lsa:e-as-external
            /ospfv3-e-lsa:e-external-tlvs
            /ospfv3-e-lsa:external-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32
  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol/ospf:ospf/ospf:areas/ospf:area
            /ospf:database/ospf:area-scope-lsa-type
            /ospf:area-scope-lsas/ospf:area-scope-lsa/ospf:version
            /ospf:ospfv3/ospf:ospfv3/ospf:body/ospfv3-e-lsa:e-nssa
            /ospfv3-e-lsa:e-external-tlvs
            /ospfv3-e-lsa:external-prefix-tlv:
    +--ro prefix-admin-tag-sub-tlv
       +--ro admin-tag*   uint32

7.2. YANG Data Model for OSPF Prefix Administrative Tags

The following is the YANG module:¶

<CODE BEGINS> file "ietf-ospf-admin-tags@2025-07-31.yang"

module ietf-ospf-admin-tags {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-ospf-admin-tags";
  prefix ospf-admin-tags;

  import ietf-routing {
    prefix rt;
    reference
      "RFC 8349: A YANG Data Model for Routing
       Management (NMDA Version)";
  }
  import ietf-ospf {
    prefix ospf;
    reference
      "RFC 9129: YANG Data Model for the OSPF Protocol";
  }
  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }
  import ietf-ospfv3-extended-lsa {
    prefix ospfv3-e-lsa;
    reference
      "RFC 9587: YANG Data Model for OSPFv3 Extended Link
                 State Advertisements (LSAs)";
  }

  organization
    "IETF LSR - Link State Routing Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/lsr/>
     WG List:  <mailto:lsr@ietf.org>

     Author:   Yingzhen Qu
               <mailto:yingzhen.ietf@gmail.com>
     Author:   Acee Lindem
               <mailto:acee.ietf@gmail.com>
     Author:   Peter Psenak
               <mailto:ppsenak@cisco.com>";
  description
    "This YANG module defines the configuration
     and operational state for OSPF administrative tags.

     This YANG data model conforms to the Network Management
     Datastore Architecture (NMDA) as described in RFC 8342.

     Copyright (c) 2025 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 9825;
     see the RFC itself for full legal notices.";
  reference
    "RFC 9825: Extensions to OSPF for Advertising Prefix
               Administrative Tags.";

  revision 2025-07-31 {
    description
      "Initial revision.";
    reference
      "RFC 9825: Extensions to OSPF for Advertising Prefix
                 Administrative Tags.";
  }

  grouping prefix-admin-tag-sub-tlv {
    description
      "Prefix Administrative Tag Sub-TLVs.";
    container prefix-admin-tag-sub-tlv {
      config false;
      description
        "Prefix Administrative Tag Sub-TLV.";
      leaf-list admin-tag {
        type uint32;
        description
          "Administrative tags.";
      }
    }
  }

  /* Configuration */

  augment "/rt:routing/rt:control-plane-protocols"
        + "/rt:control-plane-protocol/ospf:ospf"
        + "/ospf:areas/ospf:area/ospf:ranges/ospf:range" {
    when "derived-from-or-self(../../../../.."
       + "/rt:type, 'ospf:ospf')" {
      description
        "This augments the OSPF routing protocol area range
         configuration.";
    }
    description
      "This augments the OSPF protocol area range configuration
       with administrative tags.  The configured tags will be
       advertised with summary prefix when it is active.";
    container admin-tags {
      when "../ospf:advertise = 'true'";
      leaf-list admin-tag {
        type uint32;
        description
          "Administrative tags.";
      }
      description
        "OSPF prefix administrative tags.";
    }
  }

  augment "/rt:routing/rt:control-plane-protocols"
        + "/rt:control-plane-protocol/ospf:ospf"
        + "/ospf:areas/ospf:area/ospf:interfaces/ospf:interface" {
    when "derived-from-or-self(../../../../.."
       + "/rt:type, 'ospf:ospf')" {
      description
        "This augments the OSPF routing protocol interface
         configuration.";
    }
    description
      "This augments the OSPF protocol interface configuration
       with Administrative Tags.  The configured tags will be
       advertised with local prefixes configured for the interface.";
    container local-prefix-admin-tags {
      leaf-list default-admin-tag {
        type uint32;
        description
          "Administrative tags that will be associated with
           local prefixes if the prefix is not specified explicitly.
           If omitted, no administrative tags are associated with
           local prefixes by default.";
      }
      list specific-prefix-admin-tag {
        key "prefix";
        leaf prefix {
          type inet:ip-prefix;
          description
            "IPv4 or IPv6 prefix.";
        }
        leaf-list admin-tag {
          type uint32;
          description
            "Administrative tags that will be associated with
             the specified local prefix.  If omitted, no
             administrative tags are associated with the specified
             local prefix.";
        }
        description
          "Administrative tags that are explicitly associated with
           the specified prefix.";
      }
      description
        "List of administrative tags that are to be advertised
         with interface local prefixes.";
    }
  }

  /* Local-RIB */

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:local-rib/ospf:route/ospf:next-hops"
        + "/ospf:next-hop" {
    description
      "This augments local-rib next-hop with administrative tags.";
    leaf-list admin-tag {
      type uint32;
      description
        "Administrative tags.";
    }
  }

  /* Database */

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:areas/ospf:area"
        + "/ospf:interfaces/ospf:interface/ospf:database"
        + "/ospf:link-scope-lsa-type/ospf:link-scope-lsas"
        + "/ospf:link-scope-lsa/ospf:version/ospf:ospfv2"
        + "/ospf:ospfv2/ospf:body/ospf:opaque"
        + "/ospf:extended-prefix-opaque/ospf:extended-prefix-tlv" {
    when "derived-from-or-self(../../../../../../../../../.."
       + "/../../../../rt:type, 'ospf:ospfv2')" {
      description
        "This augmentation is only valid for OSPFv2.";
    }
    description
      "Prefix Administrative Tag Sub-TLVs for OSPFv2 extended prefix
       TLV in type 9 opaque LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:areas"
        + "/ospf:area/ospf:database"
        + "/ospf:area-scope-lsa-type/ospf:area-scope-lsas"
        + "/ospf:area-scope-lsa/ospf:version/ospf:ospfv2"
        + "/ospf:ospfv2/ospf:body/ospf:opaque"
        + "/ospf:extended-prefix-opaque/ospf:extended-prefix-tlv" {
    when "derived-from-or-self(../../../../../../../../../.."
       + "/../../rt:type, 'ospf:ospfv2')" {
      description
        "This augmentation is only valid for OSPFv2.";
    }
    description
      "Prefix Administrative Tag Sub-TLVs for OSPFv2 extended prefix
       TLV in type 10 opaque LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:database"
        + "/ospf:as-scope-lsa-type/ospf:as-scope-lsas"
        + "/ospf:as-scope-lsa/ospf:version/ospf:ospfv2"
        + "/ospf:ospfv2/ospf:body/ospf:opaque"
        + "/ospf:extended-prefix-opaque/ospf:extended-prefix-tlv" {
    when "derived-from-or-self(../../../../../../../.."
       + "/../../rt:type, 'ospf:ospfv2')" {
      description
        "This augmentation is only valid for OSPFv2.";
    }
    description
      "Prefix Administrative Tag Sub-TLVs for OSPFv2 extended prefix
       TLV in type 11 opaque LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:areas/ospf:area/ospf:database"
        + "/ospf:area-scope-lsa-type/ospf:area-scope-lsas"
        + "/ospf:area-scope-lsa/ospf:version/ospf:ospfv3"
        + "/ospf:ospfv3/ospf:body/ospfv3-e-lsa:e-inter-area-prefix"
        + "/ospfv3-e-lsa:e-inter-prefix-tlvs"
        + "/ospfv3-e-lsa:inter-prefix-tlv" {
    when "derived-from-or-self(../../../../../../../../../.."
       + "/../../rt:type, 'ospf:ospfv3')" {
      description
        "This augmentation is only valid for OSPFv3.";
    }
    description
      "Augment OSPFv3 Inter-Area-Prefix TLV in the
       E-Inter-Area-Prefix-LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:areas/ospf:area/ospf:database"
        + "/ospf:area-scope-lsa-type/ospf:area-scope-lsas"
        + "/ospf:area-scope-lsa/ospf:version/ospf:ospfv3"
        + "/ospf:ospfv3/ospf:body/ospfv3-e-lsa:e-intra-area-prefix"
        + "/ospfv3-e-lsa:e-intra-prefix-tlvs"
        + "/ospfv3-e-lsa:intra-prefix-tlv" {
    when "/rt:routing/rt:control-plane-protocols"
       + "/rt:control-plane-protocol/rt:type = 'ospf:ospfv3'" {
      description
        "This augmentation is only valid for OSPFv3.";
    }
    description
      "Augment OSPFv3 Intra-Area-Prefix TLV in the
       E-Intra-Area-Prefix-LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:database"
        + "/ospf:as-scope-lsa-type/ospf:as-scope-lsas"
        + "/ospf:as-scope-lsa/ospf:version/ospf:ospfv3"
        + "/ospf:ospfv3/ospf:body/ospfv3-e-lsa:e-as-external"
        + "/ospfv3-e-lsa:e-external-tlvs"
        + "/ospfv3-e-lsa:external-prefix-tlv" {
    when "derived-from-or-self(../../../../../../../.."
       + "/../../rt:type, 'ospf:ospfv3')" {
      description
        "This augmentation is only valid for OSPFv3.";
    }
    description
      "Augment OSPFv3 External-Prefix TLV in the E-AS-External-LSA.";
    uses prefix-admin-tag-sub-tlv;
  }

  augment "/rt:routing"
        + "/rt:control-plane-protocols/rt:control-plane-protocol"
        + "/ospf:ospf/ospf:areas/ospf:area/ospf:database"
        + "/ospf:area-scope-lsa-type/ospf:area-scope-lsas"
        + "/ospf:area-scope-lsa/ospf:version/ospf:ospfv3"
        + "/ospf:ospfv3/ospf:body/ospfv3-e-lsa:e-nssa"
        + "/ospfv3-e-lsa:e-external-tlvs"
        + "/ospfv3-e-lsa:external-prefix-tlv" {
    when "/rt:routing/rt:control-plane-protocols"
       + "/rt:control-plane-protocol/rt:type = 'ospf:ospfv3'" {
      description
        "This augmentation is only valid for OSPFv3.";
    }
    description
      "Augment OSPFv3 External-Prefix TLV in the E-NSSA-LSA.";
    uses prefix-admin-tag-sub-tlv;
  }
}
<CODE ENDS>

8. Security Considerations

This document describes a generic mechanism for advertising administrative tags for OSPF prefixes. The administrative tags are generally less critical than the topology information currently advertised by the base OSPF protocol. The security considerations for the generic mechanism are dependent on their application. One such application is to control leaking of OSPF routes to other protocols (e.g., BGP [RFC4271]). If an attacker were able to modify the administrative tags associated with OSPF routes, and they were being used for this application, such routes could be prevented from being advertised in routing domains where they are required (subtle denial of service) or they could be advertised into routing domains where they shouldn't be advertised (routing vulnerability). Security considerations for the base OSPF protocol are covered in [RFC2328] and [RFC5340].¶

The "ietf-ospf-admin-tag" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These YANG-based management protocols (1) have to use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and (2) have to use mutual authentication.¶

The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.¶

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:¶

/ospf:ospf/ospf:areas/ospf:area/ospf:interfaces/ospf:interface/local-prefix-admin-tags¶
/ospf:ospf/ospf:areas/ospf:area/ospf:ranges/ospf:range/admin-tags¶

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. Thus, it is important to control read access (e.g., via get, get-config, or notification) to these data nodes. Exposure of the OSPF link state database may be useful in mounting a Denial-of-Service (DoS) attack. Specifically, the following subtrees and data nodes have particular sensitivities:¶

/ospf:ospf/ospf:areas/ospf:area/ospf:interfaces/ospf:interface/local-prefix-admin-tags¶
/ospf:ospf/ospf:areas/ospf:area/ospf:ranges/ospf:range/admin-tags¶
/prefix-admin-tag-sub-tlv¶

9. IANA Considerations

The following value has been allocated in the "OSPFv2 Extended Prefix TLV Sub-TLVs" registry [RFC7684] in the "Open Shortest Path First v2 (OSPFv2) Parameters" registry group:¶

13:: Administrative Tag¶

The following value has been allocated in the "OSPFv3 Extended-LSA Sub-TLVs" registry [RFC8362] in the "Open Shortest Path First v3 (OSPFv3) Parameters" registry group:¶

39:

Administrative Tag¶

Since this sub-TLV only applies to prefixes and not links, the value of the Layer-2 Bundle Member (L2BM) field will be "X".¶

The following value has been allocated in the "OSPFv3 SRv6 Locator LSA Sub-TLVs" registry [RFC9513] in the "Open Shortest Path First v3 (OSPFv3) Parameters" registry group:¶

6:: Administrative Tag¶

IANA has assigned one new URI in the "IETF XML Registry" [RFC3688]:¶

URI:: urn:ietf:params:xml:ns:yang:ietf-ospf-admin-tags¶
Registrant Contact:: The IESG.¶
XML:: N/A; the requested URI is an XML namespace.¶

This document also registers one new YANG module name in the "YANG Module Names" registry [RFC6020] with the following:¶

Name:: ietf-ospf-admin-tags¶
Namespace:: urn:ietf:params:xml:ns:yang:ietf-ospf-admin-tags¶
Prefix:: ospf-admin-tags¶
Reference:: RFC 9825¶

10. References

10.1. Normative References

[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2328]: Moy, J., "OSPF Version 2", STD 54, RFC 2328, DOI 10.17487/RFC2328, April 1998, <https://www.rfc-editor.org/info/rfc2328>.
[RFC3688]: Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <https://www.rfc-editor.org/info/rfc3688>.
[RFC5340]: Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008, <https://www.rfc-editor.org/info/rfc5340>.
[RFC6020]: Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>.
[RFC6991]: Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc-editor.org/info/rfc6991>.
[RFC7684]: Psenak, P., Gredler, H., Shakir, R., Henderickx, W., Tantsura, J., and A. Lindem, "OSPFv2 Prefix/Link Attribute Advertisement", RFC 7684, DOI 10.17487/RFC7684, November 2015, <https://www.rfc-editor.org/info/rfc7684>.
[RFC7950]: Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8341]: Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>.
[RFC8349]: Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for Routing Management (NMDA Version)", RFC 8349, DOI 10.17487/RFC8349, March 2018, <https://www.rfc-editor.org/info/rfc8349>.
[RFC8362]: Lindem, A., Roy, A., Goethals, D., Reddy Vallem, V., and F. Baker, "OSPFv3 Link State Advertisement (LSA) Extensibility", RFC 8362, DOI 10.17487/RFC8362, April 2018, <https://www.rfc-editor.org/info/rfc8362>.
[RFC9129]: Yeung, D., Qu, Y., Zhang, Z., Chen, I., and A. Lindem, "YANG Data Model for the OSPF Protocol", RFC 9129, DOI 10.17487/RFC9129, October 2022, <https://www.rfc-editor.org/info/rfc9129>.
[RFC9513]: Li, Z., Hu, Z., Talaulikar, K., Ed., and P. Psenak, "OSPFv3 Extensions for Segment Routing over IPv6 (SRv6)", RFC 9513, DOI 10.17487/RFC9513, December 2023, <https://www.rfc-editor.org/info/rfc9513>.
[RFC9552]: Talaulikar, K., Ed., "Distribution of Link-State and Traffic Engineering Information Using BGP", RFC 9552, DOI 10.17487/RFC9552, December 2023, <https://www.rfc-editor.org/info/rfc9552>.
[RFC9587]: Lindem, A., Palani, S., and Y. Qu, "YANG Data Model for OSPFv3 Extended Link State Advertisements (LSAs)", RFC 9587, DOI 10.17487/RFC9587, June 2024, <https://www.rfc-editor.org/info/rfc9587>.

10.2. Informative References

[RFC3101]: Murphy, P., "The OSPF Not-So-Stubby Area (NSSA) Option", RFC 3101, DOI 10.17487/RFC3101, January 2003, <https://www.rfc-editor.org/info/rfc3101>.
[RFC4252]: Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, January 2006, <https://www.rfc-editor.org/info/rfc4252>.
[RFC4271]: Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, <https://www.rfc-editor.org/info/rfc4271>.
[RFC5130]: Previdi, S., Shand, M., Ed., and C. Martin, "A Policy Control Mechanism in IS-IS Using Administrative Tags", RFC 5130, DOI 10.17487/RFC5130, February 2008, <https://www.rfc-editor.org/info/rfc5130>.
[RFC6241]: Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>.
[RFC8040]: Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>.
[RFC8340]: Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, <https://www.rfc-editor.org/info/rfc8340>.
[RFC8446]: Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>.
[RFC9000]: Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, May 2021, <https://www.rfc-editor.org/info/rfc9000>.

Acknowledgments

The authors of [RFC5130] are acknowledged, since this document draws upon both the IS-IS specification and deployment experience. The text in Section 4 is adopted from [RFC5130].¶

Thanks to Donnie Savage for his comments and questions.¶

Thanks to Ketan Talaulikar for his comments and providing the BGP-LS text.¶

Thanks to Tony Przygienda and Les Ginsberg for discussions on tag selection.¶

Thanks to Russ White for his Routing Directorate review.¶

Thanks to Bruno Decraene and Changwang Lin for working group last call comments.¶

Thanks to Gunter Van de Velde for has AD review and comments.¶

Thanks to David Dong for IANA review and comments.¶

Thanks to Deb Cooley, Roman Danyliw, and John Scudder for IESG review and comments.¶

Thanks to Mahesh Jethanandani for an extensive IESG review of the YANG data model.¶

Authors' Addresses

Acee Lindem (editor)

LabN Consulting, L.L.C.

301 Midenhall Way

Cary, NC 27513

United States of America

Email: acee.ietf@gmail.com

Peter Psenak

Cisco Systems

Apollo Business Center
Mlynske nivy 43

821 09 Bratislava

Slovakia

Email: ppsenak@cisco.com

Yingzhen Qu

Futurewei Technologies

2330 Central Expressway

Santa Clara, CA 95050

United States of America

Email: yingzhen.ietf@gmail.com

RFC 9825: Extensions to OSPF for Advertising Prefix Administrative Tags

Proposed Standard

In this section

RFC 9825: Extensions to OSPF for Advertising Prefix Administrative Tags