Markdown Version | Transcript | Recording 1 | Recording 2 | Session Materials

Session Date/Time: 18 Mar 2026 03:30

NMOP

IETF 125 - Session B Date: Tuesday, March 25, 2025 Chairs: Benoit Claise, Reshad Rahman Secretary: Thomas Graf Note-takers: Dan Bogdanovic, Mike

Summary

The NMOP working group held its first of two sessions at IETF 125, focusing on network anomaly detection and incident management. The session included status updates on active working group drafts, technical presentations on anomaly detection frameworks and YANG data models for incident management, and two significant operator presentations from China Mobile and China Unicom sharing real-world automated traffic steering practices and network incident case studies.

Key Discussion Points

1. Administrivia and Status Update

• Draft Status:
  • [draft-ietf-nmop-yang-message-broker-message-key] was recently adopted.
  • [draft-ietf-nmop-simap-concept] has completed Working Group Last Call (WGLC).
  • The terminology document is currently in the RFC Editor queue.
• Milestones: The next targets are submitting SIMAP to the IESG, followed by the message broker integration and anomaly detection documents.

2. Network Anomaly Detection Framework

Presenter: Wanting Du Slides: An Architecture for a Network Anomaly Detection Framework

Wanting Du presented updates on three inter-related drafts addressing service interruption detection, symptom semantics, and the operational lifecycle:

• [draft-ietf-nmop-network-anomaly-architecture]:
  • Focused on automated, holistic monitoring across network planes.
  • Updates include refined terminology (changing "customer profile" to "service profile" to align with RFC 8969), explicit definition of "rules" to distinguish between knowledge-based and machine learning approaches, and out-scoping "service degradation" based on prior feedback.
  • A Swisscom case study regarding a TV service impairment was shared to demonstrate the effectiveness of multi-plane detection.
• [draft-ietf-nmop-network-anomaly-semantics]:
  • Provides a standardized metadata schema for anomaly exchange.
  • Updates involve refined VPN node termination groupings (adding VRF names and VPN IDs) and dedicated Layer 2 and Layer 3 groupings for services.
• [draft-ietf-nmop-network-anomaly-lifecycle]:
  • Defines an iterative lifecycle for human-in-the-loop feedback to improve detection systems.
  • Updates include changing "state/phase" to "stage" to avoid confusion with protocol states and adding a message-broker grouping to link analytical data to operational data.

Discussion:

• Dan Bogdanovic inquired about the percentage of incidents where root causes are found without manual login. Wanting Du clarified that while exact statistics aren't finalized, the system significantly reduces manual effort by eliminating "false choices" and directing engineers to the specific problematic nodes.
• Tongfeng (China Unicom) asked about the integration of AI agents. Wanting Du agreed that defining interfaces for AI agents to perform automated analysis is a valid future direction.

3. YANG Data Model for Network Incident Management

Presenter: Qin Wu Slides: A YANG Data Model for Network Incident Management

Qin Wu presented updates to [draft-ietf-nmop-network-incident-yang] (version 08):

• Clarified the roles of "incident client" (with control/resolution authority) and "incident handler" (monitoring/observation).
• Added alignment with OAM test scheduling and clarified the relationship with the network anomaly detection architecture.
• The model now includes a section (4.5) explaining how anomalies (symptoms) are upgraded to "incidents" when they cause disruptive service changes.

Discussion:

• Reshad Rahman and Thomas Graf discussed the proposed interaction between the Incident YANG and Anomaly Architecture. Thomas Graf (as an author of the architecture draft) committed to reviewing the text on the mailing list.
• Benoit Claise noted that the reusable components (like L2VPN/L3VPN groupings) should be examined in the context of the potential ON-SEM work.

4. Operator Practice: Automatic IP Network Traffic Steering

Presenter: Zhengqiang Li Slides: Sharing your incident with China Mobile

Zhengqiang Li shared China Mobile’s evolution toward a "Dark NOC" for IP traffic steering:

• The system is now fully automated, covering perception, simulation, deployment, verification, and revocation of steering policies without human intervention.
• The solution has been in production for over five years across 31 provinces.
• Enabling Technologies: BGP-LS, TWAMP (every 100ms), gRPC-based Telemetry (30s intervals), SRv6, and Digital Twins for policy verification.

Discussion:

• Dan Bogdanovic noted the significance of the "Dark NOC" being a current reality.
• Benoit Claise asked if NMOP work is useful to China Mobile. Zhengqiang Li noted that while their current focus is often on IDR-related protocols, the management operations aspects are relevant.

5. Operator Practice: Network Incident Case Studies

Presenter: Jing Zhao Slides: Sharing your incident with China Unicom

Jing Zhao presented four distinct incident types observed at China Unicom:

1. Physical: Optical cable cuts causing dual OTN loop failures due to shared physical nodes.
2. Configuration: Script conflicts overwriting VPN loopback interfaces during cutovers.
3. Resource: Traffic surges during equipment upgrades causing congestion.
4. Correlated: Rapid BFD flapping causing synchronization issues between the control plane and hardware FIB.

Discussion:

• Reshad Rahman asked if the BFD issue was a vendor bug; Jing Zhao confirmed it was.
• Niels (Deutsche Telekom) asked about the use of simulations to identify shared physical risks. Jing Zhao suggested continuing the detailed technical discussion offline/via email.

Decisions and Action Items

• [draft-ietf-nmop-network-incident-yang]: Authors to ensure the proposed relationship with the anomaly architecture is reviewed by the [draft-ietf-nmop-network-anomaly-architecture] authors.
• Thomas Graf to review the proposed integration text in the Incident YANG draft and provide feedback on the list.

Next Steps

• Request YANG Doctor reviews for [draft-ietf-nmop-network-anomaly-semantics] and [draft-ietf-nmop-network-anomaly-lifecycle].
• Advance [draft-ietf-nmop-simap-concept] to the IESG.
• Address editorial comments from Reshad Rahman on the anomaly detection document suite.
• Prepare for the second NMOP session (Friday), which will focus on the Hackathon and experiment-related aspects of the charter.

Session Date/Time: 20 Mar 2026 01:00

NMOP

Summary

The NMOP (Network Management Operations) working group met to discuss progress on its core projects, including the Network Anomaly Detection framework, YANG-Push to Message Broker integration, and updated operator requirements. A significant portion of the session was dedicated to reporting results from the IETF 125 Hackathon, which demonstrated multiple interoperable implementations of the YANG message broker architecture. The group also discussed new work regarding BMP (BGP Monitoring Protocol) YANG models and the integration of AI-based agents in network management.

Key Discussion Points

SIMAP: Concept, Requirements, and Use Cases

• Olga Havel presented an update on draft-ietf-nmop-simap-concept. The draft has reached version 09 following a shepherd review.
• Hackathon Results: Testing was conducted to integrate SIMAP into Knowledge Graphs and align with Inventory Management (IV).
• Discussion: Med Boucadair and the Chairs discussed the need to converge on a modeling approach for SIMAP (either extending base topology or profiling TEAS models) early in the process to avoid fragmented development.

YANG-Push to Message Broker Integration

• Thomas Graf reported on draft-ietf-nmop-yang-message-broker-integration. The implementation has expanded to include ArgoOS, Cisco Crosswork, and 6WIND.
• Hackathon Progress: Focus was on schema registry validation using libyang and YANG Kit. Progress was made on Anydata and structure validation.
• Publication Strategy: Reshad Rahman and Med Boucadair discussed the "goal line" for this experimental work. The consensus was to freeze and publish a stable version while continuing iterative experiments in future iterations.

YANG Message Keys and Topic Naming

• Thomas Graf updated the group on draft-ietf-nmop-yang-message-broker-message-key.
• Maxance presented an analysis of the Hackathon PoC regarding message keys.
• Technical Constraints: Kafka has a 249-character limit for topic names and restricts certain characters (like colons used in YANG prefixes).
• XPath Complexity: The current reliance on XPath for topic derivation is problematic due to its expressiveness. There is a suggestion to move toward a simpler "YANG Path" approach as suggested by Rob Wilton and Alex Huang Feng.

BMP YANG Model for Message Broker Integration

• Paolo Lucente presented the concept of transforming binary BMP messages into YANG for message broker ingestion.
• Scope: Med Boucadair (AD) indicated that this work belongs in NMOP rather than GROW because the primary expertise and use case (message broker integration) reside here.
• Coordination: Mahesh Jethanandani noted that the IETF BGP base module may need adjustments to support this work without delaying other industry requirements (e.g., Broadband Forum).

Operator Requirements: 20 Years After RFC 3535

• Med Boucadair presented draft-ietf-nmop-rfc3535-20years-later. The document contains 24 prioritized requirements from a broad spectrum of operators.
• Actionability: The goal is to move from "paper to code," focusing on "YANG Push Lite" and trimming protocol complexity to improve velocity.
• Implementation Focus: There was a strong call for vendors and operators to prioritize interoperability and functional profiles over "perfect" but unimplemented specifications.

AI-Based Network Management Agent

• Xin presented draft-ietf-nmop-network-anomaly-architecture (referenced in the context of AI-Agent frameworks).
• Framework: The draft aligns with TMF closed-loop architectures (Intent, Aware, Analyze, Decide, Execute).
• Charter Constraints: Mahesh Jethanandani (AD) clarified that while the work is technically relevant, the current NMOP charter does not explicitly cover AI. This is an IESG-level discussion on how to handle AI-related proposals across the Ops Area.

Generalized Capability Principles

• Nigel Davis provided an update on the framework for expressing capabilities. Recent updates include collaboration with LLMs for specification language and enhanced recursion/pruning definitions.

Applicability of RFC 8795 to SIMAP

• Italo Busi discussed the trade-offs between creating a "simple" new model for SIMAP vs. profiling existing TE topology models (RFC 8795).
• The "Elephant in the Room": Busi argued that creating new models for "simplicity" creates vendor silos and breaks multi-vendor interoperability. He urged the working group to decide whether to reuse established TE models or commit to a new, potentially divergent path.

Decisions and Action Items

• Decision: The BMP YANG work for message broker integration will proceed within NMOP, coordinating with the GROW working group for BGP specifics.
• Action Item: Thomas Graf to add Security and Operations Considerations sections to draft-ietf-nmop-yang-message-broker-integration.
• Action Item (Chairs/ADs): Facilitate a convergence discussion between the SIMAP authors and the TEAS profiling proponents (Italo Busi et al.) to select a primary modeling path for SIMAP.
• Action Item: Thomas Graf to revert the change from "module name" to "prefix" in the Message Key draft after Hackathon results showed prefixes are not globally unique.

Next Steps

• SIMAP: Transition to modeling the requirements agreed upon in draft-ietf-nmop-simap-concept.
• Message Broker: Focus on optimizing the Netconf session queuing during schema retrieval and implementing dynamic Kafka topic creation.
• Operator Requirements: The authors will further filter the 24 requirements into a focused set of IETF-actionable recommendations.

Session Slides

1. Chairs Slides
2. An Architecture for a Network Anomaly Detection Framework
3. A YANG Data Model for Network Incident Management
4. Sharing your incident with China Mobile
5. Sharing your incident with China Unicom

Related Documents

draft-ietf-nmop-network-anomaly-architecture, draft-ietf-nmop-network-anomaly-lifecycle, draft-ietf-nmop-network-anomaly-semantics, draft-ietf-nmop-network-incident-yang, draft-ietf-nmop-rfc3535-20years-later, draft-ietf-nmop-simap-concept, draft-ietf-nmop-yang-message-broker-integration, draft-ietf-nmop-yang-message-broker-message-key