idnits 2.17.1
draft-ietf-netconf-https-notif-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There is 1 instance of too long lines in the document, the longest one
being 11 characters in excess of 72.
== There are 4 instances of lines with non-RFC2606-compliant FQDNs in the
document.
-- The document has examples using IPv4 documentation addresses according
to RFC6890, but does not use any IPv6 documentation addresses. Maybe
there should be IPv6 examples, too?
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 245 has weird spacing: '...address ine...'
-- The document date (October 30, 2019) is 1639 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-08) exists of
draft-ietf-netconf-notification-messages-07
Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF M. Jethanandani
3 Internet-Draft VMware
4 Intended status: Standards Track K. Watsen
5 Expires: May 2, 2020 Watsen Networks
6 October 30, 2019
8 An HTTPS-based Transport for Configured Subscriptions
9 draft-ietf-netconf-https-notif-01
11 Abstract
13 This document defines a YANG data module for configuring HTTPS based
14 configured subscription, as defined in Subscribed Notifications
15 (RFC8639). The use of HTTPS maximizes transport-level
16 interoperability, while allowing for encoding selection from text,
17 e.g. XML or JSON, to binary.
19 Status of This Memo
21 This Internet-Draft is submitted in full conformance with the
22 provisions of BCP 78 and BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF). Note that other groups may also distribute
26 working documents as Internet-Drafts. The list of current Internet-
27 Drafts is at https://datatracker.ietf.org/drafts/current/.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 This Internet-Draft will expire on May 2, 2020.
36 Copyright Notice
38 Copyright (c) 2019 IETF Trust and the persons identified as the
39 document authors. All rights reserved.
41 This document is subject to BCP 78 and the IETF Trust's Legal
42 Provisions Relating to IETF Documents
43 (https://trustee.ietf.org/license-info) in effect on the date of
44 publication of this document. Please review these documents
45 carefully, as they describe your rights and restrictions with respect
46 to this document. Code Components extracted from this document must
47 include Simplified BSD License text as described in Section 4.e of
48 the Trust Legal Provisions and are provided without warranty as
49 described in the Simplified BSD License.
51 Table of Contents
53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
54 1.1. Note to RFC Editor . . . . . . . . . . . . . . . . . . . 3
55 1.2. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 3
56 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
57 1.3.1. Subscribed Notifications . . . . . . . . . . . . . . 3
58 1.4. Receiver and Publisher Interaction . . . . . . . . . . . 3
59 1.4.1. Pipelining of messages . . . . . . . . . . . . . . . 4
60 2. YANG module . . . . . . . . . . . . . . . . . . . . . . . . . 6
61 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6
62 2.2. YANG module . . . . . . . . . . . . . . . . . . . . . . . 7
63 3. Security Considerations . . . . . . . . . . . . . . . . . . . 11
64 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
65 4.1. URI Registration . . . . . . . . . . . . . . . . . . . . 11
66 4.2. YANG Module Name Registration . . . . . . . . . . . . . . 12
67 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 12
68 5.1. HTTPS Configured Subscription . . . . . . . . . . . . . . 12
69 6. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14
70 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
71 8. Normative references . . . . . . . . . . . . . . . . . . . . 14
72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
74 1. Introduction
76 Subscribed Notifications [RFC8639] defines a YANG data module for
77 configuring subscribed notifications. It even defines a
78 subscriptions container that contains a list of receivers. But it
79 defers the configuration and management of those receivers to other
80 documents. This document defines a YANG [RFC7950] data module for
81 configuring and managing HTTPS based receivers for the notifications.
82 Such a configured receiver can be a third party collector, collecting
83 events on behalf of receivers that want to correlate events from
84 different publishers. Configured subscriptions enable a server,
85 acting as a publisher of notifications, to proactively push
86 notifications to external receivers without the receivers needing to
87 first connect to the server, as is the case with dynamic
88 subscriptions.
90 This document describes how to enable the transmission of YANG
91 modeled notifications, in the configured encoding (i.e., XML, JSON)
92 over HTTPS. It comes in the form of a HTTPS POST. The use of HTTPS
93 maximizes transport-level interoperability, while the encoding
94 selection pivots between implementation simplicity (XML, JSON) and
95 throughput (text versus binary).
97 1.1. Note to RFC Editor
99 This document uses several placeholder values throughout the
100 document. Please replace them as follows and remove this section
101 before publication.
103 RFC XXXX, where XXXX is the number assigned to this document at the
104 time of publication.
106 2019-10-30 with the actual date of the publication of this document.
108 1.2. Abbreviations
110 +---------+-------------------------------+
111 | Acronym | Expansion |
112 +---------+-------------------------------+
113 | HTTP | Hyper Text Transport Protocol |
114 | | |
115 | TCP | Transmission Control Protocol |
116 | | |
117 | TLS | Transport Layer Security |
118 +---------+-------------------------------+
120 1.3. Terminology
122 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
123 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
124 "OPTIONAL" in this document are to be interpreted as described in BCP
125 14 [RFC2119] [RFC8174] when, and only when, they appear in all
126 capitals, as shown here.
128 1.3.1. Subscribed Notifications
130 The following terms are defined in Subscribed Notifications
131 [RFC8639].
133 o Subscribed Notifications
135 1.4. Receiver and Publisher Interaction
137 The interaction between the receiver and the publisher can be of type
138 "pipelining" or send multiple notifications as part of a "bundled-
139 message", as defined in Notification Message Headers and Bundles
140 [I-D.ietf-netconf-notification-messages]
142 1.4.1. Pipelining of messages
144 In the case of "pipelining", the flow of messages would look
145 something like this.
147 ------------- --------------
148 | Publisher | | Receiver |
149 ------------- --------------
151 Establish TCP ------>
153 Establish TLS ------>
155 Send HTTPS POST message
156 with YANG defined ------>
157 notification #1
159 Send HTTPS POST message
160 with YANG defined ------>
161 notification #2
162 Send 204 (No Content)
163 <------ for notification #1
165 Send 204 (No Content)
166 <------ for notification #2
168 Send HTTPS POST message
169 with YANG defined ------->
170 notification #3
172 Send 204 (No Content)
173 <------ for notification #3
175 The content of the exchange would look something like this.
177 Request:
179 POST /some/path HTTP/1.1
180 Host: my-receiver.my-domain.com
181 Content-Type: application/yang-data+xml
183
185 2019-03-22T12:35:00Z
186
187 ...
188
189
191
193 2019-03-22T12:35:00Z
194
195 ...
196
197
199
201 2019-03-22T12:35:01Z
202
203 ...
204
205
207 Response:
209 HTTP/1.1 204 No Content
210 Date: Fri, 03 Mar 2019 12:35:00 GMT
211 Server: my-receiver.my-domain.com
213 HTTP/1.1 204 No Content
214 Date: Fri, 03 Mar 2019 12:35:00 GMT
215 Server: my-receiver.my-domain.com
217 HTTP/1.1 204 No Content
218 Date: Fri, 03 Mar 2019 12:35:01 GMT
219 Server: my-receiver.my-domain.com
221 2. YANG module
223 2.1. Overview
225 The YANG module is a definition of a set of receivers that are
226 interested in the notifications published by the publisher. The
227 module contains the TCP, TLS and HTTPS parameters that are needed to
228 communicate with the receiver. The module augments the Subscribed
229 Notifications [RFC8639] receiver container to create a reference to a
230 receiver defined by the YANG module. As mentioned earlier, it uses
231 POST method to deliver the notification. The attribute 'path'
232 defines the absolute path for the resource on the receiver, as
233 defined by 'path-absolute' in URI Generic Syntax [RFC3986]. The
234 user-id used by Network Configuration Access Control Model [RFC8341],
235 is that of the receiver and is derived from the certificate presented
236 by the receiver.
238 An abridged tree diagram representing the module is shown below.
240 module: ietf-https-notif
241 +--rw receivers
242 +--rw receiver* [name]
243 +--rw name string
244 +--rw tcp-params
245 | +--rw remote-address inet:host
246 | +--rw remote-port? inet:port-number
247 | +--rw local-address? inet:ip-address
248 | +--rw local-port? inet:port-number
249 | +--rw keepalives!
250 | ...
251 +--rw tls-params
252 | +--rw client-identity
253 | | ...
254 | +--rw server-authentication
255 | | ...
256 | +--rw hello-params {tls-client-hello-params-config}?
257 | | ...
258 | +--rw keepalives! {tls-client-keepalives}?
259 | ...
260 +--rw http-params
261 | +--rw protocol-version? enumeration
262 | +--rw client-identity
263 | | ...
264 | +--rw proxy-server! {proxy-connect}?
265 | | ...
266 | +--rw path? inet:uri
267 +--rw receiver-identity
268 +--rw cert-maps
269 ...
271 augment /sn:subscriptions/sn:subscription/sn:receivers/sn:receiver:
272 +--rw receiver-ref? -> /receivers/receiver/name
274 2.2. YANG module
276 The YANG module imports Common YANG Data Types [RFC6991], A YANG Data
277 Model for SNMP Configuration [RFC7407], and Subscription to YANG
278 Notifcations [RFC8639].
280 file "ietf-https-notif@2019-10-30.yang"
281 module ietf-https-notif {
282 yang-version 1.1;
283 namespace "urn:ietf:params:xml:ns:yang:ietf-https-notif";
284 prefix "hsn";
286 import ietf-inet-types {
287 prefix inet;
288 reference
289 "RFC 6991: Common YANG Data Types.";
290 }
292 import ietf-subscribed-notifications {
293 prefix sn;
294 reference
295 "I-D.ietf-netconf-subscribed-notifications";
296 }
298 import ietf-x509-cert-to-name {
299 prefix x509c2n;
300 reference
301 "RFC 7407: A YANG Data Model for SNMP Configuration";
302 }
304 import ietf-tcp-client {
305 prefix tcpc;
306 }
308 import ietf-tls-client {
309 prefix tlsc;
310 }
312 import ietf-http-client {
313 prefix httpc;
314 }
316 organization
317 "IETF NETCONF Working Group";
319 contact
320 "WG Web:
321 WG List:
323 Authors: Mahesh Jethanandani (mjethanandani at gmail dot com)
324 Kent Watsen (kent plus ietf at watsen dot net)";
325 description
326 "YANG module for configuring HTTPS base configuration.
328 Copyright (c) 2018 IETF Trust and the persons identified as
329 the document authors. All rights reserved.
330 Redistribution and use in source and binary forms, with or
331 without modification, is permitted pursuant to, and subject
332 to the license terms contained in, the Simplified BSD
333 License set forth in Section 4.c of the IETF Trust's Legal
334 Provisions Relating to IETF Documents
335 (http://trustee.ietf.org/license-info).
337 This version of this YANG module is part of RFC XXXX; see
338 the RFC itself for full legal notices.";
340 revision "2019-10-30" {
341 description
342 "Initial Version.";
343 reference
344 "RFC XXXX, YANG Data Module for HTTPS Notifications.";
345 }
347 identity https {
348 base sn:transport;
349 description
350 "HTTPS transport for notifications.";
351 }
353 container receivers {
354 list receiver {
355 key "name";
357 leaf name {
358 type string;
359 description
360 "A name that uniquely identifies this receiver.";
361 }
363 container tcp-params {
364 uses tcpc:tcp-client-grouping;
365 description
366 "TCP client parameters.";
367 }
369 container tls-params {
370 description
371 "TLS client parameters.";
373 uses tlsc:tls-client-grouping;
374 }
376 container http-params {
377 description
378 "HTTP client parameters.";
380 uses httpc:http-client-grouping;
382 leaf path {
383 type inet:uri;
384 description
385 "The absolute path for the resource on the remote
386 HTTPS server. The absolute path as specified in
387 RFC 3986 as 'path-absolute'.";
388 reference
389 "RFC 3986: URI Generic Syntax.";
390 }
391 }
393 container receiver-identity {
394 description
395 "Specifies mechanism for identifying the receiver. The
396 publisher MUST NOT include any content in a notification
397 that the user is not authorized to view.";
399 container cert-maps {
400 uses x509c2n:cert-to-name;
401 description
402 "The cert-maps container is used by a TLS-based HTTP
403 server to map the HTTPS client's presented X.509
404 certificate to a 'local' username. If no matching and
405 valid cert-to-name list entry is found, the publisher
406 MUST close the connection, and MUST NOT
407 not send any notifications over it.";
408 reference
409 "RFC 7407: A YANG Data Model for SNMP Configuration.";
410 }
411 }
412 description
413 "All receivers interested in this notification.";
414 }
415 description
416 "HTTPS based notifications.";
417 }
419 augment "/sn:subscriptions/sn:subscription/sn:receivers/sn:receiver" {
420 leaf receiver-ref {
421 type leafref {
422 path "/receivers/receiver/name";
423 }
424 description
425 "Reference to a receiver.";
426 }
427 description
428 "Augment the subscriptions container to define the receiver.";
429 }
430 }
431
433 3. Security Considerations
435 The YANG module specified in this document defines a schema for data
436 that is designed to be accessed via network management protocols such
437 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
438 is the secure transport layer, and the mandatory-to-implement secure
439 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
440 is HTTPS, and the mandatory-to-implement secure transport is TLS
441 [RFC8446]. The NETCONF Access Control Model (NACM) [RFC8341]
442 provides the means to restrict access for particular NETCONF or
443 RESTCONF users to a preconfigured subset of all available NETCONF or
444 RESTCONF protocol operations and content.
446 There are a number of data nodes defined in this YANG module that are
447 writable/creatable/deletable (i.e., config true, which is the
448 default). These data nodes may be considered sensitive or vulnerable
449 in some network environments. Write operations (e.g., edit-config)
450 to these data nodes without proper protection can have a negative
451 effect on network operations. These are the subtrees and data nodes
452 and their sensitivity/vulnerability:
454 Some of the readable data nodes in this YANG module may be considered
455 sensitive or vulnerable in some network environments. It is thus
456 important to control read access (e.g., via get, get-config, or
457 notification) to these data nodes. These are the subtrees and data
458 nodes and their sensitivity/vulnerability:
460 Some of the RPC operations in this YANG module may be considered
461 sensitive or vulnerable in some network environments. It is thus
462 important to control access to these operations. These are the
463 operations and their sensitivity/vulnerability:
465 4. IANA Considerations
467 This document registers one URI and one YANG module.
469 4.1. URI Registration
471 in the IETF XML registry [RFC3688] [RFC3688]. Following the format
472 in RFC 3688, the following registration is requested to be made:
474 URI: urn:ietf:params:xml:ns:yang:ietf-http-notif
476 Registrant Contact: The IESG. XML: N/A, the requested URI is an XML
477 namespace.
479 4.2. YANG Module Name Registration
481 This document registers one YANG module in the YANG Module Names
482 registry YANG [RFC6020].
484 name: ietf-https-notif
485 namespace: urn:ietf:params:xml:ns:yang:ietf-https-notif
486 prefix: hn
487 reference: RFC XXXX
489 5. Examples
491 This section tries to show some examples in how the model can be
492 used.
494 5.1. HTTPS Configured Subscription
496 This example shows how a HTTPS client can be configured to send
497 notifications to a receiver at address 192.0.2.1, port 443, a 'path',
498 with server certificates, and the corresponding trust store that is
499 used to authenticate a connection.
501 [note: '\' line wrapping for formatting only]
503
504
505
509
510 foo
511
512 my-receiver.my-domain.com
513 443
514
515
516
517 explicitly-trusted-server-ca-certs
518 explicitly-trusted-server-certs
520
521
522
523
524
525 my-name
526 my-password
528
529
530 /some/path
531
532
533
534
535 1
536 11:0A:05:11:00
537 x509c2n:san-any
538
539
540
541
542
544
547
548 6666
549 foo
550 some-stream
551
552
553 my-receiver
554 foo
557
558
559
560
562
563
564 explicitly-trusted-server-certs
565
566 Specific server authentication certificates for explicitly
567 trusted servers. These are needed for server certificates
568 that are not signed by a pinned CA.
569
570
571 Fred Flintstone
572 base64encodedvalue==
573
574
575
576 explicitly-trusted-server-ca-certs
577
578 Trust anchors (i.e. CA certs) that are used to authenticate\
580 server connections. Servers are authenticated if their
581 certificate has a chain of trust to one of these CA
582 certificates.
583
584
585 ca.example.com
586 base64encodedvalue==
587
588
589
590
592 6. Contributors
594 7. Acknowledgements
596 8. Normative references
598 [I-D.ietf-netconf-notification-messages]
599 Voit, E., Birkholz, H., Bierman, A., Clemm, A., and T.
600 Jenkins, "Notification Message Headers and Bundles",
601 draft-ietf-netconf-notification-messages-07 (work in
602 progress), August 2019.
604 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
605 Requirement Levels", BCP 14, RFC 2119,
606 DOI 10.17487/RFC2119, March 1997,
607 .
609 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
610 DOI 10.17487/RFC3688, January 2004,
611 .
613 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
614 Resource Identifier (URI): Generic Syntax", STD 66,
615 RFC 3986, DOI 10.17487/RFC3986, January 2005,
616 .
618 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
619 the Network Configuration Protocol (NETCONF)", RFC 6020,
620 DOI 10.17487/RFC6020, October 2010,
621 .
623 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
624 and A. Bierman, Ed., "Network Configuration Protocol
625 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
626 .
628 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
629 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
630 .
632 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
633 RFC 6991, DOI 10.17487/RFC6991, July 2013,
634 .
636 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
637 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
638 December 2014, .
640 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
641 RFC 7950, DOI 10.17487/RFC7950, August 2016,
642 .
644 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
645 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
646 .
648 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
649 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
650 May 2017, .
652 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
653 Access Control Model", STD 91, RFC 8341,
654 DOI 10.17487/RFC8341, March 2018,
655 .
657 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
658 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
659 .
661 [RFC8639] Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
662 E., and A. Tripathy, "Subscription to YANG Notifications",
663 RFC 8639, DOI 10.17487/RFC8639, September 2019,
664 .
666 Authors' Addresses
667 Mahesh Jethanandani
668 VMware
670 Email: mjethanandani@gmail.com
672 Kent Watsen
673 Watsen Networks
674 USA
676 Email: kent+ietf@watsen.net