idnits 2.17.1 draft-ietf-netconf-netconf-client-server-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1925 has weird spacing: '...address ine...' == Line 1932 has weird spacing: '...nterval uin...' == Line 2068 has weird spacing: '...address ine...' == Line 2075 has weird spacing: '...nterval uin...' == Line 2169 has weird spacing: '...address ine...' == (12 more instances...) -- The document date (April 29, 2019) is 1817 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-35) exists of draft-ietf-netconf-keystore-08 == Outdated reference: A later version (-40) exists of draft-ietf-netconf-ssh-client-server-12 == Outdated reference: A later version (-41) exists of draft-ietf-netconf-tls-client-server-11 == Outdated reference: A later version (-02) exists of draft-kwatsen-netconf-tcp-client-server-01 == Outdated reference: A later version (-28) exists of draft-ietf-netconf-trust-anchors-03 Summary: 0 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--). 
Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETCONF Working Group K. Watsen 3 Internet-Draft Watsen Networks 4 Intended status: Standards Track April 29, 2019 5 Expires: October 31, 2019 7 NETCONF Client and Server Models 8 draft-ietf-netconf-netconf-client-server-12 10 Abstract 12 This document defines two YANG modules, one module to configure a 13 NETCONF client and the other module to configure a NETCONF server. 14 Both modules support both the SSH and TLS transport protocols, and 15 support both standard NETCONF and NETCONF Call Home connections. 17 Editorial Note (To be removed by RFC Editor) 19 This draft contains many placeholder values that need to be replaced 20 with finalized values at the time of publication. This note 21 summarizes all of the substitutions that are needed. No other RFC 22 Editor instructions are specified elsewhere in this document. 24 This document contains references to other drafts in progress, both 25 in the Normative References section, as well as in body text 26 throughout. Please update the following references to reflect their 27 final RFC assignments: 29 o I-D.ietf-netconf-keystore 31 o I-D.ietf-netconf-tcp-client-server 33 o I-D.ietf-netconf-ssh-client-server 35 o I-D.ietf-netconf-tls-client-server 37 Artwork in this document contains shorthand references to drafts in 38 progress. Please apply the following replacements: 40 o "XXXX" --> the assigned RFC value for this draft 42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client- 43 server 45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client- 46 server 48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client- 49 server 51 Artwork in this document contains placeholder values for the date of 52 publication of this draft. 
Please apply the following replacement: 54 o "2019-04-29" --> the publication date of this draft 56 The following Appendix section is to be removed prior to publication: 58 o Appendix B. Change Log 60 Status of This Memo 62 This Internet-Draft is submitted in full conformance with the 63 provisions of BCP 78 and BCP 79. 65 Internet-Drafts are working documents of the Internet Engineering 66 Task Force (IETF). Note that other groups may also distribute 67 working documents as Internet-Drafts. The list of current Internet- 68 Drafts is at https://datatracker.ietf.org/drafts/current/. 70 Internet-Drafts are draft documents valid for a maximum of six months 71 and may be updated, replaced, or obsoleted by other documents at any 72 time. It is inappropriate to use Internet-Drafts as reference 73 material or to cite them other than as "work in progress." 75 This Internet-Draft will expire on October 31, 2019. 77 Copyright Notice 79 Copyright (c) 2019 IETF Trust and the persons identified as the 80 document authors. All rights reserved. 82 This document is subject to BCP 78 and the IETF Trust's Legal 83 Provisions Relating to IETF Documents 84 (https://trustee.ietf.org/license-info) in effect on the date of 85 publication of this document. Please review these documents 86 carefully, as they describe your rights and restrictions with respect 87 to this document. Code Components extracted from this document must 88 include Simplified BSD License text as described in Section 4.e of 89 the Trust Legal Provisions and are provided without warranty as 90 described in the Simplified BSD License. 92 Table of Contents 94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 96 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4 97 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 98 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5 99 3.3. YANG Module . . . . 
. . . . . . . . . . . . . . . . . . . 8 100 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 18 101 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 18 102 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 20 103 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 26 104 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 106 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 38 107 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 38 108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 109 7.1. Normative References . . . . . . . . . . . . . . . . . . 38 110 7.2. Informative References . . . . . . . . . . . . . . . . . 40 111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 41 112 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 41 113 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 50 114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 61 115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 61 116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 61 117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 61 118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 61 119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 62 120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 62 121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 62 122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 62 123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 62 124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 63 125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 63 126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 63 127 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 
                                                                   63
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . .  64

1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a NETCONF [RFC6241] client and the other module to
   configure a NETCONF server.  Both modules support both NETCONF over
   SSH [RFC6242] and NETCONF over TLS [RFC7589], as well as NETCONF Call
   Home connections [RFC8071].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The NETCONF Client Model

   The NETCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home, using either the
   SSH or TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   client supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-client
     +--rw netconf-client
        +---u netconf-client-grouping

   grouping netconf-client-grouping
     +-- initiate! {ssh-initiate or tls-initiate}?
     |  +-- netconf-server* [name]
     |     +-- name?                string
     |     +-- endpoints
     |     |  +-- endpoint* [name]
     |     |     +-- name?                          string
     |     |     +-- (transport)
     |     |        +--:(ssh) {ssh-initiate}?
182 | | | +-- ssh 183 | | | +-- tcp-client-parameters 184 | | | | +---u netconf-client-grouping 185 | | | +-- ssh-client-parameters 186 | | | +---u netconf-client-grouping 187 | | +--:(tls) {tls-initiate}? 188 | | +-- tls 189 | | +-- tcp-client-parameters 190 | | | +---u netconf-client-grouping 191 | | +-- tls-client-parameters 192 | | +---u netconf-client-grouping 193 | +-- connection-type 194 | | +-- (connection-type) 195 | | +--:(persistent-connection) 196 | | | +-- persistent! 197 | | +--:(periodic-connection) 198 | | +-- periodic! 199 | | +-- period? uint16 200 | | +-- anchor-time? yang:date-and-time 201 | | +-- idle-timeout? uint16 202 | +-- reconnect-strategy 203 | +-- start-with? enumeration 204 | +-- max-attempts? uint8 205 +-- listen! {ssh-listen or tls-listen}? 206 +-- idle-timeout? uint16 207 +-- endpoint* [name] 208 +-- name? string 209 +-- (transport) 210 +--:(ssh) {ssh-listen}? 211 | +-- ssh 212 | +-- tcp-server-parameters 213 | | +---u netconf-client-grouping 214 | +-- ssh-client-parameters 215 | +---u netconf-client-grouping 216 +--:(tls) {tls-listen}? 217 +-- tls 218 +-- tcp-server-parameters 219 | +---u netconf-client-grouping 220 +-- tls-client-parameters 221 +---u netconf-client-grouping 223 3.2. Example Usage 225 The following example illustrates configuring a NETCONF client to 226 initiate connections, using both the SSH and TLS transport protocols, 227 as well as listening for call-home connections, again using both the 228 SSH and TLS transport protocols. 230 This example is consistent with the examples presented in Section 2 231 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 232 [I-D.ietf-netconf-keystore]. 
234 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) =========== 236 239 240 241 242 corp-fw1 243 244 245 corp-fw1.example.com 246 247 248 corp-fw1.example.com 249 250 15 251 3 252 30 253 254 255 256 257 foobar 258 259 260 ct:rsa2048 262 base64encodedvalue== 263 base64encodedvalue== 264 265 266 267 268 explicitly-trusted-server-ca-certs<\ 269 /pinned-ca-certs> 270 explicitly-trusted-server-certs\ 271 272 273 274 30 275 3 276 277 278 279 280 281 corp-fw2.example.com 282 283 284 corp-fw2.example.com 285 286 15 287 3 288 30 289 290 291 292 293 foobar 294 295 296 ct:rsa2048 298 base64encodedvalue== 299 base64encodedvalue== 300 301 302 303 304 explicitly-trusted-server-ca-certs<\ 305 /pinned-ca-certs> 306 explicitly-trusted-server-certs\ 307 308 309 310 30 311 3 312 313 314 315 316 317 318 319 320 321 last-connected 322 323 324 326 327 328 329 Intranet-facing listener 330 331 332 192.0.2.7 333 334 335 336 foobar 337 338 339 ct:rsa2048 341 base64encodedvalue== 342 base64encodedvalue== 343 344 345 346 347 explicitly-trusted-server-ca-certs 349 explicitly-trusted-server-certs 351 explicitly-trusted-ssh-host-keys 353 354 355 356 357 358 360 3.3. YANG Module 362 This YANG module has normative references to [RFC6242], [RFC6991], 363 [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server], 364 [I-D.ietf-netconf-ssh-client-server], and 365 [I-D.ietf-netconf-tls-client-server]. 
367 file "ietf-netconf-client@2019-04-29.yang" 368 module ietf-netconf-client { 369 yang-version 1.1; 370 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client"; 371 prefix ncc; 373 import ietf-yang-types { 374 prefix yang; 375 reference 376 "RFC 6991: Common YANG Data Types"; 377 } 378 import ietf-tcp-client { 379 prefix tcpc; 380 reference 381 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 382 } 383 import ietf-tcp-server { 384 prefix tcps; 385 reference 386 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 387 } 389 import ietf-ssh-client { 390 prefix sshc; 391 revision-date 2019-04-29; // stable grouping definitions 392 reference 393 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; 394 } 396 import ietf-tls-client { 397 prefix tlsc; 398 revision-date 2019-04-29; // stable grouping definitions 399 reference 400 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; 401 } 403 organization 404 "IETF NETCONF (Network Configuration) Working Group"; 406 contact 407 "WG Web: 408 WG List: 409 Author: Kent Watsen 410 Author: Gary Wu "; 412 description 413 "This module contains a collection of YANG definitions 414 for configuring NETCONF clients. 416 Copyright (c) 2019 IETF Trust and the persons identified 417 as authors of the code. All rights reserved. 419 Redistribution and use in source and binary forms, with 420 or without modification, is permitted pursuant to, and 421 subject to the license terms contained in, the Simplified 422 BSD License set forth in Section 4.c of the IETF Trust's 423 Legal Provisions Relating to IETF Documents 424 (https://trustee.ietf.org/license-info). 
     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

  revision 2019-04-29 {
    description
      "Initial version";
    reference
      "RFC XXXX: NETCONF Client and Server Models";
  }

  // Features

  feature ssh-initiate {
    description
      "The 'ssh-initiate' feature indicates that the NETCONF client
       supports initiating SSH connections to NETCONF servers.";
    reference
      "RFC 6242:
         Using the NETCONF Protocol over Secure Shell (SSH)";
  }

  feature tls-initiate {
    description
      "The 'tls-initiate' feature indicates that the NETCONF client
       supports initiating TLS connections to NETCONF servers.";
    reference
      "RFC 7589: Using the NETCONF Protocol over Transport
                Layer Security (TLS) with Mutual X.509 Authentication";
  }

  feature ssh-listen {
    description
      "The 'ssh-listen' feature indicates that the NETCONF client
       supports opening a port to listen for incoming NETCONF
       server call-home SSH connections.";
    reference
      "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
  }

  feature tls-listen {
    description
      "The 'tls-listen' feature indicates that the NETCONF client
       supports opening a port to listen for incoming NETCONF
       server call-home TLS connections.";
    reference
      "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
  }

  // Groupings

  grouping netconf-client-grouping {
    description
      "Top-level grouping for NETCONF client configuration.";
    container initiate {
      if-feature "ssh-initiate or tls-initiate";
      presence "Enables client to
                initiate TCP connections";
      description
        "Configures client initiating underlying TCP connections.";
      list netconf-server {
        key "name";
        min-elements 1;
        description
          "List of NETCONF servers the NETCONF client is to
           initiate connections to in parallel.";
        leaf name {
          type string;
          description
            "An arbitrary name for the NETCONF server.";
        }
        container endpoints {
          description
            "Container for the list of endpoints.";
          list endpoint {
            key "name";
            min-elements 1;
            ordered-by user;
            description
              "A user-ordered list of endpoints that the NETCONF
               client will attempt to connect to in the specified
               sequence.  Defining more than one enables
               high-availability.";
            leaf name {
              type string;
              description
                "An arbitrary name for the endpoint.";
            }
            choice transport {
              mandatory true;
              description
                "Selects between available transports.";
              case ssh {
                if-feature "ssh-initiate";
                container ssh {
                  description
                    "Specifies IP and SSH specific configuration
                     for the connection.";
                  container tcp-client-parameters {
                    description
                      "A wrapper around the TCP client parameters
                       to avoid name collisions.";
                    uses tcpc:tcp-client-grouping {
                      refine "remote-port" {
                        default "830";
                        description
                          "The NETCONF client will attempt to connect
                           to the IANA-assigned well-known port value
                           for 'netconf-ssh' (830) if no value is
                           specified.";
                      }
                    }
                  }
                  container ssh-client-parameters {
                    description
                      "A wrapper around the SSH client parameters to
                       avoid name collisions.";
                    uses sshc:ssh-client-grouping;
                  }
                }
              }
              case tls {
                if-feature "tls-initiate";
                container tls {
                  description
                    "Specifies IP and TLS specific configuration
                     for the connection.";
                  container tcp-client-parameters {
                    description
                      "A wrapper around the TCP client parameters
                       to avoid name collisions.";
                    uses
tcpc:tcp-client-grouping { 564 refine "remote-port" { 565 default "6513"; 566 description 567 "The NETCONF client will attempt to connect 568 to the IANA-assigned well-known port value 569 for 'netconf-tls' (6513) if no value is 570 specified."; 571 } 572 } 573 } 574 container tls-client-parameters { 575 description 576 "A wrapper around the TLS client parameters 577 to avoid name collisions."; 578 uses tlsc:tls-client-grouping { 579 refine "client-identity" 580 + "/auth-type" { 581 mandatory true; 582 description 583 "NETCONF/TLS clients MUST pass some 584 authentication credentials."; 585 } 586 } 587 } 588 } 589 } 590 } // choice transport 591 } // list endpoint 592 } // container endpoints 594 container connection-type { 595 description 596 "Indicates the NETCONF client's preference for how the 597 NETCONF connection is maintained."; 598 choice connection-type { 599 mandatory true; 600 description 601 "Selects between available connection types."; 602 case persistent-connection { 603 container persistent { 604 presence "Indicates that a persistent connection is 605 to be maintained."; 606 description 607 "Maintain a persistent connection to the NETCONF 608 server. If the connection goes down, immediately 609 start trying to reconnect to the NETCONF server, 610 using the reconnection strategy. 612 This connection type minimizes any NETCONF server 613 to NETCONF client data-transfer delay, albeit at 614 the expense of holding resources longer."; 615 } 616 } 617 case periodic-connection { 618 container periodic { 619 presence "Indicates that a periodic connection is 620 to be maintained."; 621 description 622 "Periodically connect to the NETCONF server. 624 This connection type increases resource 625 utilization, albeit with increased delay in 626 NETCONF server to NETCONF client interactions. 628 The NETCONF client should close the underlying 629 TCP connection upon completing planned activities. 
                 In the case that the previous connection is still
                 active, establishing a new connection is NOT
                 RECOMMENDED.";
              leaf period {
                type uint16;
                units "minutes";
                default "60";
                description
                  "Duration of time between periodic connections.";
              }
              leaf anchor-time {
                type yang:date-and-time {
                  // constrained to minute-level granularity
                  pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                        + '(Z|[\+\-]\d{2}:\d{2})';
                }
                description
                  "Designates a timestamp before or after which a
                   series of periodic connections are determined.
                   The periodic connections occur at a whole
                   multiple interval from the anchor time.  For
                   example, if the anchor time is 15 minutes past
                   midnight and the period interval is 24 hours, then
                   a periodic connection will occur 15 minutes past
                   midnight every day.";
              }
              leaf idle-timeout {
                type uint16;
                units "seconds";
                default 120; // two minutes
                description
                  "Specifies the maximum number of seconds that
                   a NETCONF session may remain idle.  A NETCONF
                   session will be dropped if it is idle for an
                   interval longer than this number of seconds.

                   If set to zero, then the NETCONF client will
                   never drop a session because it is idle.";
              }
            }
          }
        }
      }
      container reconnect-strategy {
        description
          "The reconnection strategy directs how a NETCONF client
           reconnects to a NETCONF server, after discovering its
           connection to the server has dropped, even if due to a
           reboot.
           The NETCONF client starts with the specified
           endpoint and tries to connect to it max-attempts times
           before trying the next endpoint in the list (round
           robin).";
        leaf start-with {
          type enumeration {
            enum first-listed {
              description
                "Indicates that reconnections should start with
                 the first endpoint listed.";
            }
            enum last-connected {
              description
                "Indicates that reconnections should start with
                 the endpoint last connected to.  If no previous
                 connection has ever been established, then the
                 first endpoint configured is used.  NETCONF
                 clients SHOULD be able to remember the last
                 endpoint connected to across reboots.";
            }
            enum random-selection {
              description
                "Indicates that reconnections should start with
                 a random endpoint.";
            }
          }
          default "first-listed";
          description
            "Specifies which of the NETCONF server's endpoints
             the NETCONF client should start with when trying
             to connect to the NETCONF server.";
        }
        leaf max-attempts {
          type uint8 {
            range "1..max";
          }
          default "3";
          description
            "Specifies the number of times the NETCONF client tries
             to connect to a specific endpoint before moving on
             to the next endpoint in the list (round robin).";
        }
      }
    } // netconf-server
  } // initiate

  container listen {
    if-feature "ssh-listen or tls-listen";
    presence "Enables client to accept call-home connections";
    description
      "Configures client accepting call-home TCP connections.";
    leaf idle-timeout {
      type uint16;
      units "seconds";
      default "3600"; // one hour
      description
        "Specifies the maximum number of seconds that a NETCONF
         session may remain idle.  A NETCONF session will be
         dropped if it is idle for an interval longer than this
         number of seconds.  If set to zero, then the NETCONF
         client will never drop a session because it is idle.
         Sessions
         that have a notification subscription active are never
         dropped.";
    }
    list endpoint {
      key "name";
      min-elements 1;
      description
        "List of endpoints to listen for NETCONF connections.";
      leaf name {
        type string;
        description
          "An arbitrary name for the NETCONF listen endpoint.";
      }
      choice transport {
        mandatory true;
        description
          "Selects between available transports.";
        case ssh {
          if-feature "ssh-listen";
          container ssh {
            description
              "SSH-specific listening configuration for inbound
               connections.";

            container tcp-server-parameters {
              description
                "A wrapper around the TCP server parameters
                 to avoid name collisions.";
              uses tcps:tcp-server-grouping {
                refine "local-port" {
                  default "4334";
                  description
                    "The NETCONF client will listen on the IANA-
                     assigned well-known port for 'netconf-ch-ssh'
                     (4334) if no value is specified.";
                }
              }
            }
            container ssh-client-parameters {
              description
                "A wrapper around the SSH client parameters
                 to avoid name collisions.";
              uses sshc:ssh-client-grouping;
            }
          }
        }
        case tls {
          if-feature "tls-listen";
          container tls {
            description
              "TLS-specific listening configuration for inbound
               connections.";
            container tcp-server-parameters {
              description
                "A wrapper around the TCP server parameters
                 to avoid name collisions.";
              uses tcps:tcp-server-grouping {
                refine "local-port" {
                  default "4335";
                  description
                    "The NETCONF client will listen on the IANA-
                     assigned well-known port for 'netconf-ch-tls'
                     (4335) if no value is specified.";
                }
              }
            }
            container tls-client-parameters {
              description
                "A wrapper around the TLS client parameters
                 to avoid name collisions.";
              uses tlsc:tls-client-grouping {
                refine "client-identity/auth-type" {
                  mandatory true;
                  description
                    "NETCONF/TLS clients MUST pass some
                     authentication credentials.";
                }
              }
            }
          }
        }
      } // transport
    } // endpoint
  } // listen
} // netconf-client

  // Protocol accessible node, for servers that implement this
  // module.

  container netconf-client {
    uses netconf-client-grouping;
    description
      "Top-level container for NETCONF client configuration.";
  }
}

4.  The NETCONF Server Model

   The NETCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections, using either the SSH or TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   server supports.

4.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-server
     +--rw netconf-server
        +---u netconf-server-grouping

   grouping netconf-server-grouping
     +-- listen! {ssh-listen or tls-listen}?
     |  +-- idle-timeout?   uint16
     |  +-- endpoint* [name]
     |     +-- name?                           string
     |     +-- (transport)
     |        +--:(ssh) {ssh-listen}?
     |        |  +-- ssh
     |        |     +-- tcp-server-parameters
     |        |     |  +---u netconf-server-grouping
     |        |     +-- ssh-server-parameters
     |        |        +---u netconf-server-grouping
     |        +--:(tls) {tls-listen}?
     |           +-- tls
     |              +-- tcp-server-parameters
     |              |  +---u netconf-server-grouping
     |              +-- tls-server-parameters
     |                 +---u netconf-server-grouping
     +-- call-home! {ssh-call-home or tls-call-home}?
        +-- netconf-client* [name]
           +-- name?
string 884 +-- endpoints 885 | +-- endpoint* [name] 886 | +-- name? string 887 | +-- (transport) 888 | +--:(ssh) {ssh-call-home}? 889 | | +-- ssh 890 | | +-- tcp-client-parameters 891 | | | +---u netconf-server-grouping 892 | | +-- ssh-server-parameters 893 | | +---u netconf-server-grouping 894 | +--:(tls) {tls-call-home}? 895 | +-- tls 896 | +-- tcp-client-parameters 897 | | +---u netconf-server-grouping 898 | +-- tls-server-parameters 899 | +---u netconf-server-grouping 900 +-- connection-type 901 | +-- (connection-type) 902 | +--:(persistent-connection) 903 | | +-- persistent! 904 | +--:(periodic-connection) 905 | +-- periodic! 906 | +-- period? uint16 907 | +-- anchor-time? yang:date-and-time 908 | +-- idle-timeout? uint16 909 +-- reconnect-strategy 910 +-- start-with? enumeration 911 +-- max-attempts? uint8 913 4.2. Example Usage 915 The following example illustrates configuring a NETCONF server to 916 listen for NETCONF client connections using both the SSH and TLS 917 transport protocols, as well as configuring call-home to two NETCONF 918 clients, one using SSH and the other using TLS. 920 This example is consistent with the examples presented in Section 2 921 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 922 [I-D.ietf-netconf-keystore]. 
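   The "connection-type" and "reconnect-strategy" containers that the
   client module defines in Section 3.3 are reused unchanged for the
   server's call-home configuration below.  The following Python is an
   added worked example, not code from this draft or from any NETCONF
   implementation: it parses an "anchor-time" under the module's
   minute-granularity pattern, computes the next periodic connection as
   a whole multiple of "period" from the anchor, and orders endpoints for
   reconnection per "start-with" and "max-attempts".  The endpoint names,
   the try_connect callback and the scripted connect outcomes are
   constructed for the demonstration.

```python
"""Semantics of connection-type/periodic and reconnect-strategy.
Added example, not from the draft or any NETCONF implementation; all
endpoint names, hosts and connection outcomes below are constructed."""
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# The pattern the module puts on anchor-time: minute granularity,
# 'Z' or a +HH:MM/-HH:MM offset, no seconds or fractions.
ANCHOR_TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})")

def parse_anchor_time(value: str) -> datetime:
    """Parse an anchor-time value, rejecting whatever the YANG pattern rejects."""
    if not ANCHOR_TIME_RE.fullmatch(value):
        raise ValueError(f"anchor-time {value!r} does not match the module pattern")
    if value.endswith("Z"):  # fromisoformat() only accepts 'Z' from Python 3.11
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def next_periodic_connection(now: datetime, anchor: datetime,
                             period_minutes: int) -> datetime:
    """First instant strictly after 'now' that is a whole multiple of the
    period from the anchor; the anchor may lie in the past or the future."""
    if not 1 <= period_minutes <= 65535:  # leaf period is a uint16 in minutes
        raise ValueError("period must be a non-zero uint16")
    period = timedelta(minutes=period_minutes)
    # Floor division of timedeltas gives the number of whole periods from
    # anchor to now; it is negative when now precedes the anchor.
    candidate = anchor + ((now - anchor) // period) * period
    if candidate <= now:
        candidate += period
    return candidate

@dataclass(frozen=True)
class Endpoint:
    name: str       # endpoint list key
    host: str       # tcp-client-parameters/remote-address
    transport: str  # "ssh" or "tls"

@dataclass
class ReconnectStrategy:
    start_with: str = "first-listed"  # first-listed | last-connected | random-selection
    max_attempts: int = 3             # uint8 with range "1..max"

    def __post_init__(self) -> None:
        if self.start_with not in ("first-listed", "last-connected", "random-selection"):
            raise ValueError(f"unknown start-with value {self.start_with!r}")
        if not 1 <= self.max_attempts <= 255:
            raise ValueError("max-attempts must be in 1..255")

def reconnect_order(endpoints: List[Endpoint], strategy: ReconnectStrategy,
                    last_connected: Optional[str] = None,
                    rng: Optional[random.Random] = None) -> List[Endpoint]:
    """Round-robin order in which the user-ordered endpoints are tried."""
    if not endpoints:
        raise ValueError("endpoint list has min-elements 1")
    names = [e.name for e in endpoints]
    if strategy.start_with == "first-listed":
        start = 0
    elif strategy.start_with == "last-connected":
        # Nothing remembered from a previous connection: use the first endpoint.
        start = names.index(last_connected) if last_connected in names else 0
    else:
        start = (rng or random).randrange(len(endpoints))
    return endpoints[start:] + endpoints[:start]

def reconnect(endpoints: List[Endpoint], strategy: ReconnectStrategy,
              try_connect: Callable[[Endpoint], bool],
              last_connected: Optional[str] = None,
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Try each endpoint up to max-attempts times before moving to the next;
    returns (name of the endpoint connected to, or None, log of attempts)."""
    log: List[str] = []
    for ep in reconnect_order(endpoints, strategy, last_connected, rng):
        for _ in range(strategy.max_attempts):
            log.append(ep.name)
            if try_connect(ep):
                return ep.name, log
    return None, log

def demo() -> Tuple[Optional[str], List[str], datetime]:
    """Constructed scenario: SSH endpoint down, TLS endpoint answers on its 2nd try."""
    endpoints = [Endpoint("fw1-ssh", "corp-fw1.example.com", "ssh"),
                 Endpoint("fw1-tls", "corp-fw1.example.com", "tls")]
    outcomes = {"fw1-ssh": [], "fw1-tls": [False, True]}  # scripted connect results

    def try_connect(ep: Endpoint) -> bool:  # stand-in for a real TCP/SSH/TLS connect
        queue = outcomes[ep.name]
        return queue.pop(0) if queue else False

    strategy = ReconnectStrategy(start_with="last-connected", max_attempts=3)
    connected, log = reconnect(endpoints, strategy, try_connect, last_connected="fw1-ssh")
    anchor = parse_anchor_time("2019-04-29T00:15Z")  # 00:15 UTC, one-day period
    now = datetime(2019, 4, 29, 10, 0, tzinfo=anchor.tzinfo)
    return connected, log, next_periodic_connection(now, anchor, 24 * 60)
```

   Note that with a zero "idle-timeout" the model never drops an idle
   session, so a periodic client that does not close the connection
   itself after its planned activities will hold the session until the
   next period.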
   [Example XML instance document for the 'ietf-netconf-server' module:
   the element tags were lost in extraction and only leaf values
   survive.  Recoverable content: two 'listen' endpoints, "netconf/ssh"
   and "netconf/tls", on local address 192.0.2.7, the TLS endpoint
   referencing pinned-ca-certs "explicitly-trusted-client-ca-certs",
   pinned-client-certs "explicitly-trusted-client-certs", and two
   cert-to-name entries (id 1, fingerprint 11:0A:05:11:00,
   x509c2n:san-any; id 2, fingerprint B3:4F:A1:8C:54,
   x509c2n:specified, name "scooby-doo"); and two 'call-home' clients,
   "config-mgr" (endpoints "east-data-center" at
   east.config-mgr.example.com and "west-data-center" at
   west.config-mgr.example.com; reconnect-strategy start-with
   last-connected, max-attempts 3) and "data-collector" (endpoints
   "east-data-center" at east.analytics.example.com and
   "west-data-center" at west.analytics.example.com, each with the same
   two cert-to-name entries; reconnect-strategy start-with first-listed,
   max-attempts 3).]

4.3.  YANG Module

   This YANG module has normative references to [RFC6242], [RFC6991],
   [RFC7407], [RFC7589], [RFC8071],
   [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].

   <CODE BEGINS> file "ietf-netconf-server@2019-04-29.yang"

   module ietf-netconf-server {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
     prefix ncs;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-x509-cert-to-name {
       prefix x509c2n;
       reference
         "RFC 7407: A YANG Data Model for SNMP Configuration";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-ssh-server {
       prefix sshs;
       revision-date 2019-04-29; // stable grouping definitions
       reference
         "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-tls-server {
       prefix tlss;
       revision-date 2019-04-29; // stable grouping definitions
       reference
         "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu
        Author:   Juergen Schoenwaelder
       ";

     description
       "This module contains a collection of YANG definitions
        for configuring NETCONF servers.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2019-04-29 {
       description
         "Initial version";
       reference
         "RFC XXXX: NETCONF Client and Server Models";
     }

     // Features

     feature ssh-listen {
       description
         "The 'ssh-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over SSH
          client connections.";
       reference
         "RFC 6242:
            Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over TLS
          client connections.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport
                    Layer Security (TLS) with Mutual X.509
                    Authentication";
     }

     feature ssh-call-home {
       description
         "The 'ssh-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over SSH call
          home connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-call-home {
       description
         "The 'tls-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over TLS call
          home connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping netconf-server-grouping {
       description
         "Top-level grouping for NETCONF server configuration.";
       container listen {
         if-feature "ssh-listen or tls-listen";
         presence
           "Enables server to listen for NETCONF client connections.";
         description
           "Configures listen behavior";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that a NETCONF
              session may remain idle. A NETCONF session will be
              dropped if it is idle for an interval longer than this
              number of seconds. If set to zero, then the server
              will never drop a session because it is idle. Sessions
              that have a notification subscription active are never
              dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for NETCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF listen endpoint.";
           }
           choice transport {
             mandatory true;
             description
               "Selects between available transports.";
             case ssh {
               if-feature "ssh-listen";
               container ssh {
                 description
                   "SSH-specific listening configuration for inbound
                    connections.";
                 container tcp-server-parameters {
                   description
                     "A wrapper around the TCP server parameters
                      to avoid name collisions.";
                   uses tcps:tcp-server-grouping {
                     refine "local-port" {
                       default "830";
                       description
                         "The NETCONF server will listen on the
                          IANA-assigned well-known port value
                          for 'netconf-ssh' (830) if no value
                          is specified.";
                     }
                   }
                 }
                 container ssh-server-parameters {
                   description
                     "A wrapper around the SSH server parameters
                      to avoid name collisions.";
                   uses sshs:ssh-server-grouping;
                 }
               }
             }
             case tls {
               if-feature "tls-listen";
               container tls {
                 description
                   "TLS-specific listening configuration for inbound
                    connections.";
                 container tcp-server-parameters {
                   description
                     "A wrapper around the TCP server parameters
                      to avoid name collisions.";
                   uses tcps:tcp-server-grouping {
                     refine "local-port" {
                       default "6513";
                       description
                         "The NETCONF server will listen on the
                          IANA-assigned well-known port value
                          for 'netconf-tls' (6513) if no value
                          is specified.";
                     }
                   }
                 }
                 container tls-server-parameters {
                   description
                     "A wrapper around the TLS server parameters to
                      avoid name collisions.";
                   uses tlss:tls-server-grouping {
                     refine "client-authentication" {
                       //must 'pinned-ca-certs or pinned-client-certs';
                       description
                         "NETCONF/TLS servers MUST validate client
                          certificates.";
                     }
                     augment "client-authentication" {
                       description
                         "Augments in the cert-to-name structure.";
                       container cert-maps {
                         uses x509c2n:cert-to-name;
                         description
                           "The cert-maps container is used by a TLS-
                            based NETCONF server to map the NETCONF
                            client's presented X.509 certificate to
                            a NETCONF username. If no matching and
                            valid cert-to-name list entry can be found,
                            then the NETCONF server MUST close the
                            connection, and MUST NOT accept NETCONF
                            messages over it.";
                         reference
                           "RFC WWWW: NETCONF over TLS, Section 7";
                       }
                     }
                   }
                 }
               }
             }
           }
         }
       }
       container call-home {
         if-feature "ssh-call-home or tls-call-home";
         presence
           "Enables the NETCONF server to initiate the underlying
            transport connection to NETCONF clients.";
         description "Configures call home behavior.";
         list netconf-client {
           key "name";
           min-elements 1;
           description
             "List of NETCONF clients the NETCONF server is to
              initiate call-home connections to in parallel.";
           leaf name {
             type string;
             description
               "An arbitrary name for the remote NETCONF client.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A non-empty user-ordered list of endpoints for this
                  NETCONF server to try to connect to in sequence.
                  Defining more than one enables high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for this endpoint.";
               }
               choice transport {
                 mandatory true;
                 description
                   "Selects between available transports.";
                 case ssh {
                   if-feature "ssh-call-home";
                   container ssh {
                     description
                       "Specifies SSH-specific call-home transport
                        configuration.";
                     container tcp-client-parameters {
                       description
                         "A wrapper around the TCP client parameters
                          to avoid name collisions.";
                       uses tcpc:tcp-client-grouping {
                         refine "remote-port" {
                           default "4334";
                           description
                             "The NETCONF server will attempt to connect
                              to the IANA-assigned well-known port for
                              'netconf-ch-ssh' (4334) if no value is
                              specified.";
                         }
                       }
                     }
                     container ssh-server-parameters {
                       description
                         "A wrapper around the SSH server parameters
                          to avoid name collisions.";
                       uses sshs:ssh-server-grouping;
                     }
                   }
                 }
                 case tls {
                   if-feature "tls-call-home";
                   container tls {
                     description
                       "Specifies TLS-specific call-home transport
                        configuration.";
                     container tcp-client-parameters {
                       description
                         "A wrapper around the TCP client parameters
                          to avoid name collisions.";
                       uses tcpc:tcp-client-grouping {
                         refine "remote-port" {
                           default "4335";
                           description
                             "The NETCONF server will attempt to connect
                              to the IANA-assigned well-known port for
                              'netconf-ch-tls' (4335) if no value is
                              specified.";
                         }
                       }
                     }
                     container tls-server-parameters {
                       description
                         "A wrapper around the TLS server parameters
                          to avoid name collisions.";
                       uses tlss:tls-server-grouping {
                         refine "client-authentication" {
                           /* commented out since auth could be external
                           must 'pinned-ca-certs or pinned-client-certs';
                           */
                           description
                             "NETCONF/TLS servers MUST validate client
                              certificates.";
                         }
                         augment "client-authentication" {
                           description
                             "Augments in the cert-to-name structure.";
                           container cert-maps {
                             uses x509c2n:cert-to-name;
                             description
                               "The cert-maps container is used by a
                                TLS-based NETCONF server to map the
                                NETCONF client's presented X.509
                                certificate to a NETCONF username. If
                                no matching and valid cert-to-name list
                                entry can be found, then the NETCONF
                                server MUST close the connection, and
                                MUST NOT accept NETCONF messages over
                                it.";
                             reference
                               "RFC WWWW: NETCONF over TLS, Section 7";
                           }
                         }
                       }
                     }
                   }
                 } // tls
               } // choice
             } // endpoint
           } // endpoints
           container connection-type {
             description
               "Indicates the NETCONF server's preference for how the
                NETCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection is
                             to be maintained.";
                   description
                     "Maintain a persistent connection to the NETCONF
                      client. If the connection goes down, immediately
                      start trying to reconnect to the NETCONF client,
                      using the reconnection strategy.

                      This connection type minimizes any NETCONF client
                      to NETCONF server data-transfer delay, albeit at
                      the expense of holding resources longer.";
                 } // container persistent
               } // case persistent-connection
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the NETCONF client.

                      This connection type decreases resource
                      utilization, albeit with increased delay in
                      NETCONF client to NETCONF server interactions.

                      The NETCONF client SHOULD gracefully close the
                      connection using <close-session> upon completing
                      planned activities. If the NETCONF session is
                      not closed gracefully, the NETCONF server MUST
                      immediately attempt to reestablish the connection.

                      In the case that the previous connection is still
                      active (i.e., the NETCONF client has not closed
                      it yet), establishing a new connection is NOT
                      RECOMMENDED.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which a
                        series of periodic connections are determined.
                        The periodic connections occur at a whole
                        multiple interval from the anchor time. For
                        example, if the anchor time is 15 minutes past
                        midnight and the period is 24 hours, then a
                        periodic connection will occur 15 minutes past
                        midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds that
                        a NETCONF session may remain idle. A NETCONF
                        session will be dropped if it is idle for an
                        interval longer than this number of seconds.
                        If set to zero, then the server will never
                        drop a session because it is idle.";
                   }
                 } // container periodic
               } // case periodic-connection
             } // choice connection-type
           } // container connection-type
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a NETCONF server
                reconnects to a NETCONF client, after discovering its
                connection to the client has dropped, even if due to a
                reboot. The NETCONF server starts with the specified
                endpoint and tries to connect to it max-attempts times
                before trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start with
                      the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start with
                      the endpoint last connected to. If no previous
                      connection has ever been established, then the
                      first endpoint configured is used. NETCONF
                      servers SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the NETCONF client's endpoints
                  the NETCONF server should start with when trying
                  to connect to the NETCONF client.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the NETCONF server
                  tries to connect to a specific endpoint before
                  moving on to the next endpoint in the list (round
                  robin).";
             }
           } // container reconnect-strategy
         } // list netconf-client
       } // container call-home
     } // grouping netconf-server-grouping

     // Protocol accessible node, for servers that implement this
     // module.

     container netconf-server {
       uses netconf-server-grouping;
       description
         "Top-level container for NETCONF server configuration.";
     }

   }

   <CODE ENDS>

5.  Security Considerations

   The YANG module defined in this document uses groupings defined in
   [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].
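   The cert-maps requirement of the module above (a TLS-based NETCONF
   server maps the client's presented certificate to a NETCONF username
   and MUST close the connection when no entry yields one) as a worked
   check in Python.  This is an added illustration, not code from the
   draft or its authors: it follows the x509c2n:tls-fingerprint layout
   of RFC 7407 (a leading hash-algorithm octet), represents the client
   certificate as a constructed DER blob plus pre-parsed subjectAltName
   values, and assumes that an entry whose map-type cannot derive a name
   is skipped so that the search continues with the next entry.

```python
import hashlib
from typing import Optional

# Hash algorithm identifiers carried in the first octet of an
# x509c2n:tls-fingerprint (RFC 7407, module ietf-x509-cert-to-name).
FINGERPRINT_ALGS = {1: "md5", 2: "sha1", 3: "sha224",
                    4: "sha256", 5: "sha384", 6: "sha512"}


def fingerprint(cert_der: bytes, alg_id: int) -> str:
    """x509c2n:tls-fingerprint of a DER-encoded certificate: the
    algorithm octet followed by the digest, as colon-separated hex."""
    digest = hashlib.new(FINGERPRINT_ALGS[alg_id], cert_der).digest()
    return ":".join(f"{b:02X}" for b in bytes([alg_id]) + digest)


def _san_any(cert: dict) -> Optional[str]:
    # RFC 7407 'san-any': the first rfc822Name, else dNSName, else
    # iPAddress found in subjectAltName becomes the name.
    for kind in ("rfc822Name", "dNSName", "iPAddress"):
        values = cert.get("san", {}).get(kind, [])
        if values:
            return values[0]
    return None


def netconf_username(cert: dict, cert_maps: list) -> Optional[str]:
    """Derive the NETCONF username for a client certificate that has
    already passed chain and validity checks, walking cert-maps in order.

    Returns None when no entry yields a name; the server MUST then close
    the connection and MUST NOT accept NETCONF messages over it.
    RFC 7407's second match rule (fingerprint of a trusted CA in the
    chain) is not implemented in this example."""
    for entry in cert_maps:
        octets = entry["fingerprint"].split(":")
        alg_id = int(octets[0], 16)
        if alg_id not in FINGERPRINT_ALGS:
            continue  # unknown hash id: this entry can never match
        presented = fingerprint(cert["der"], alg_id)
        if presented.upper() != ":".join(octets).upper():
            continue  # fingerprint mismatch: try the next entry
        if entry["map-type"] == "x509c2n:specified":
            return entry["name"]
        if entry["map-type"] == "x509c2n:san-any":
            name = _san_any(cert)
            if name is not None:
                return name
        # Assumption: an entry that cannot derive a name is skipped and
        # the search continues (other map-types are outside this example).
    return None


# Constructed sample input (not a real certificate): a stand-in DER blob
# and the subjectAltName values a real parser would extract from it.
SAMPLE_CERT = {
    "der": b"\x30\x82\x01\x00-constructed-client-cert-for-demo",
    "san": {"dNSName": ["client1.example.com"]},
}

# cert-maps patterned on the draft's example: the first entry reuses its
# toy fingerprint (leading octet 0x11 is not a registered hash id, so the
# entry can never match); the second is a real sha256 (0x04) match.
SAMPLE_CERT_MAPS = [
    {"id": 1, "fingerprint": "11:0A:05:11:00",
     "map-type": "x509c2n:san-any"},
    {"id": 2, "fingerprint": fingerprint(SAMPLE_CERT["der"], 4),
     "map-type": "x509c2n:specified", "name": "scooby-doo"},
]

if __name__ == "__main__":
    user = netconf_username(SAMPLE_CERT, SAMPLE_CERT_MAPS)
    print("username:", user if user else "<none: close connection>")
```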
Please see the Security 1732 Considerations section in those documents for concerns related those 1733 groupings. 1735 The YANG modules defined in this document are designed to be accessed 1736 via YANG based management protocols, such as NETCONF [RFC6241] and 1737 RESTCONF [RFC8040]. Both of these protocols have mandatory-to- 1738 implement secure transport layers (e.g., SSH, TLS) with mutual 1739 authentication. 1741 The NETCONF access control model (NACM) [RFC8341] provides the means 1742 to restrict access for particular users to a pre-configured subset of 1743 all available protocol operations and content. 1745 There are a number of data nodes defined in the YANG modules that are 1746 writable/creatable/deletable (i.e., config true, which is the 1747 default). Some of these data nodes may be considered sensitive or 1748 vulnerable in some network environments. Write operations (e.g., 1749 edit-config) to these data nodes without proper protection can have a 1750 negative effect on network operations. These are the subtrees and 1751 data nodes and their sensitivity/vulnerability: 1753 None of the subtrees or data nodes in the modules defined in this 1754 document need to be protected from write operations. 1756 Some of the readable data nodes in the YANG modules may be considered 1757 sensitive or vulnerable in some network environments. It is thus 1758 important to control read access (e.g., via get, get-config, or 1759 notification) to these data nodes. These are the subtrees and data 1760 nodes and their sensitivity/vulnerability: 1762 None of the subtrees or data nodes in the modules defined in this 1763 document need to be protected from read operations. 1765 Some of the RPC operations in the YANG modules may be considered 1766 sensitive or vulnerable in some network environments. It is thus 1767 important to control access to these operations. 
These are the 1768 operations and their sensitivity/vulnerability: 1770 The modules defined in this document do not define any 'RPC' or 1771 'action' statements. 1773 6. IANA Considerations 1775 6.1. The IETF XML Registry 1777 This document registers two URIs in the "ns" subregistry of the IETF 1778 XML Registry [RFC3688]. Following the format in [RFC3688], the 1779 following registrations are requested: 1781 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client 1782 Registrant Contact: The NETCONF WG of the IETF. 1783 XML: N/A, the requested URI is an XML namespace. 1785 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server 1786 Registrant Contact: The NETCONF WG of the IETF. 1787 XML: N/A, the requested URI is an XML namespace. 1789 6.2. The YANG Module Names Registry 1791 This document registers two YANG modules in the YANG Module Names 1792 registry [RFC6020]. Following the format in [RFC6020], the the 1793 following registrations are requested: 1795 name: ietf-netconf-client 1796 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client 1797 prefix: ncc 1798 reference: RFC XXXX 1800 name: ietf-netconf-server 1801 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server 1802 prefix: ncs 1803 reference: RFC XXXX 1805 7. References 1807 7.1. Normative References 1809 [I-D.ietf-netconf-keystore] 1810 Watsen, K., "YANG Data Model for a Centralized Keystore 1811 Mechanism", draft-ietf-netconf-keystore-08 (work in 1812 progress), March 2019. 1814 [I-D.ietf-netconf-ssh-client-server] 1815 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH 1816 Clients and SSH Servers", draft-ietf-netconf-ssh-client- 1817 server-12 (work in progress), April 2019. 1819 [I-D.ietf-netconf-tls-client-server] 1820 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS 1821 Clients and TLS Servers", draft-ietf-netconf-tls-client- 1822 server-11 (work in progress), April 2019. 
1824 [I-D.kwatsen-netconf-tcp-client-server] 1825 Watsen, K., "YANG Groupings for TCP Clients and TCP 1826 Servers", draft-kwatsen-netconf-tcp-client-server-01 (work 1827 in progress), April 2019. 1829 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1830 Requirement Levels", BCP 14, RFC 2119, 1831 DOI 10.17487/RFC2119, March 1997, 1832 . 1834 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 1835 the Network Configuration Protocol (NETCONF)", RFC 6020, 1836 DOI 10.17487/RFC6020, October 2010, 1837 . 1839 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 1840 and A. Bierman, Ed., "Network Configuration Protocol 1841 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 1842 . 1844 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 1845 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 1846 . 1848 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 1849 RFC 6991, DOI 10.17487/RFC6991, July 2013, 1850 . 1852 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for 1853 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, 1854 December 2014, . 1856 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the 1857 NETCONF Protocol over Transport Layer Security (TLS) with 1858 Mutual X.509 Authentication", RFC 7589, 1859 DOI 10.17487/RFC7589, June 2015, 1860 . 1862 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 1863 RFC 7950, DOI 10.17487/RFC7950, August 2016, 1864 . 1866 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1867 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1868 May 2017, . 1870 7.2. Informative References 1872 [I-D.ietf-netconf-trust-anchors] 1873 Watsen, K., "YANG Data Model for Global Trust Anchors", 1874 draft-ietf-netconf-trust-anchors-03 (work in progress), 1875 March 2019. 1877 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1878 DOI 10.17487/RFC3688, January 2004, 1879 . 
1881 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 1882 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 1883 . 1885 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 1886 RFC 8071, DOI 10.17487/RFC8071, February 2017, 1887 . 1889 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 1890 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 1891 . 1893 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 1894 Access Control Model", STD 91, RFC 8341, 1895 DOI 10.17487/RFC8341, March 2018, 1896 . 1898 Appendix A. Expanded Tree Diagrams 1900 A.1. Expanded Tree Diagram for 'ietf-netconf-client' 1902 The following tree diagram [RFC8340] provides an overview of the data 1903 model for the "ietf-netconf-client" module. 1905 This tree diagram shows all the nodes defined in this module, 1906 including those defined by "grouping" statements used by this module. 1908 Please see Section 3.1 for a tree diagram that illustrates what the 1909 module looks like without all the "grouping" statements expanded. 1911 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) =========== 1913 module: ietf-netconf-client 1914 +--rw netconf-client 1915 +--rw initiate! {ssh-initiate or tls-initiate}? 1916 | +--rw netconf-server* [name] 1917 | +--rw name string 1918 | +--rw endpoints 1919 | | +--rw endpoint* [name] 1920 | | +--rw name string 1921 | | +--rw (transport) 1922 | | +--:(ssh) {ssh-initiate}? 1923 | | | +--rw ssh 1924 | | | +--rw tcp-client-parameters 1925 | | | | +--rw remote-address inet:host 1926 | | | | +--rw remote-port? inet:port-number 1927 | | | | +--rw local-address? inet:ip-address 1928 | | | | +--rw local-port? inet:port-number 1929 | | | | +--rw keepalives! 1930 | | | | +--rw idle-time uint16 1931 | | | | +--rw max-probes uint16 1932 | | | | +--rw probe-interval uint16 1933 | | | +--rw ssh-client-parameters 1934 | | | +--rw client-identity 1935 | | | | +--rw username? 
string 1936 | | | | +--rw (auth-type) 1937 | | | | +--:(password) 1938 | | | | | +--rw password? string 1939 | | | | +--:(public-key) 1940 | | | | | +--rw public-key 1941 | | | | | +--rw (local-or-keystore) 1942 | | | | | +--:(local) 1943 | | | | | | {local-keys-sup\ 1944 ported}? 1945 | | | | | | +--rw local-definition 1946 | | | | | | +--rw algorithm? 1947 | | | | | | | asymmetric\ 1948 -key-algorithm-ref 1949 | | | | | | +--rw public-key? 1950 | | | | | | | binary 1951 | | | | | | +--rw private-key? 1952 | | | | | | | union 1953 | | | | | | +---x generate-hid\ 1954 den-key 1955 | | | | | | | +---w input 1956 | | | | | | | +---w algori\ 1957 thm 1958 | | | | | | | asym\ 1959 metric-key-algorithm-ref 1960 | | | | | | +---x install-hidd\ 1961 en-key 1962 | | | | | | +---w input 1963 | | | | | | +---w algori\ 1964 thm 1965 | | | | | | | asym\ 1966 metric-key-algorithm-ref 1967 | | | | | | +---w public\ 1968 -key? 1969 | | | | | | | bina\ 1970 ry 1971 | | | | | | +---w privat\ 1972 e-key? 1973 | | | | | | bina\ 1974 ry 1975 | | | | | +--:(keystore) 1976 | | | | | {keystore-suppo\ 1977 rted}? 1978 | | | | | +--rw keystore-refere\ 1979 nce? 1980 | | | | | ks:asymmetric\ 1981 -key-ref 1982 | | | | +--:(certificate) 1983 | | | | +--rw certificate 1984 | | | | {sshcmn:ssh-x509-certs\ 1985 }? 1986 | | | | +--rw (local-or-keystore) 1987 | | | | +--:(local) 1988 | | | | | {local-keys-sup\ 1989 ported}? 1990 | | | | | +--rw local-definition 1991 | | | | | +--rw algorithm? 1992 | | | | | | asymmetric\ 1993 -key-algorithm-ref 1994 | | | | | +--rw public-key? 1995 | | | | | | binary 1996 | | | | | +--rw private-key? 
1997 | | | | | | union 1998 | | | | | +---x generate-hid\ 1999 den-key 2000 | | | | | | +---w input 2001 | | | | | | +---w algori\ 2002 thm 2003 | | | | | | asym\ 2004 metric-key-algorithm-ref 2005 | | | | | +---x install-hidd\ 2006 en-key 2007 | | | | | | +---w input 2008 | | | | | | +---w algori\ 2009 thm 2010 | | | | | | | asym\ 2011 metric-key-algorithm-ref 2012 | | | | | | +---w public\ 2013 -key? 2014 | | | | | | | bina\ 2015 ry 2016 | | | | | | +---w privat\ 2017 e-key? 2018 | | | | | | bina\ 2019 ry 2020 | | | | | +--rw cert? 2021 | | | | | | end-entity\ 2022 -cert-cms 2023 | | | | | +---n certificate-\ 2024 expiration 2025 | | | | | +-- expiration-\ 2026 date 2027 | | | | | yang:da\ 2028 te-and-time 2029 | | | | +--:(keystore) 2030 | | | | {keystore-suppo\ 2031 rted}? 2032 | | | | +--rw keystore-refere\ 2033 nce? 2034 | | | | ks:asymmetric\ 2035 -key-certificate-ref 2036 | | | +--rw server-authentication 2037 | | | | +--rw pinned-ssh-host-keys? 2038 | | | | | ta:pinned-host-keys-ref 2039 | | | | | {ta:ssh-host-keys}? 2040 | | | | +--rw pinned-ca-certs? 2041 | | | | | ta:pinned-certificates-ref 2042 | | | | | {sshcmn:ssh-x509-certs,ta:x5\ 2043 09-certificates}? 2044 | | | | +--rw pinned-server-certs? 2045 | | | | ta:pinned-certificates-ref 2046 | | | | {sshcmn:ssh-x509-certs,ta:x5\ 2047 09-certificates}? 2048 | | | +--rw transport-params 2049 | | | | {ssh-client-transport-params-co\ 2050 nfig}? 2051 | | | | +--rw host-key 2052 | | | | | +--rw host-key-alg* identityref 2053 | | | | +--rw key-exchange 2054 | | | | | +--rw key-exchange-alg* 2055 | | | | | identityref 2056 | | | | +--rw encryption 2057 | | | | | +--rw encryption-alg* 2058 | | | | | identityref 2059 | | | | +--rw mac 2060 | | | | +--rw mac-alg* identityref 2061 | | | +--rw keepalives! 2062 | | | {ssh-client-keepalives}? 2063 | | | +--rw max-wait? uint16 2064 | | | +--rw max-attempts? uint8 2065 | | +--:(tls) {tls-initiate}? 
2066 | | +--rw tls 2067 | | +--rw tcp-client-parameters 2068 | | | +--rw remote-address inet:host 2069 | | | +--rw remote-port? inet:port-number 2070 | | | +--rw local-address? inet:ip-address 2071 | | | +--rw local-port? inet:port-number 2072 | | | +--rw keepalives! 2073 | | | +--rw idle-time uint16 2074 | | | +--rw max-probes uint16 2075 | | | +--rw probe-interval uint16 2076 | | +--rw tls-client-parameters 2077 | | +--rw client-identity 2078 | | | +--rw (auth-type) 2079 | | | +--:(certificate) 2080 | | | +--rw certificate 2081 | | | +--rw (local-or-keystore) 2082 | | | +--:(local) 2083 | | | | {local-keys-sup\ 2084 ported}? 2085 | | | | +--rw local-definition 2086 | | | | +--rw algorithm? 2087 | | | | | asymmetric\ 2088 -key-algorithm-ref 2089 | | | | +--rw public-key? 2090 | | | | | binary 2091 | | | | +--rw private-key? 2092 | | | | | union 2093 | | | | +---x generate-hid\ 2094 den-key 2095 | | | | | +---w input 2096 | | | | | +---w algori\ 2097 thm 2098 | | | | | asym\ 2099 metric-key-algorithm-ref 2100 | | | | +---x install-hidd\ 2101 en-key 2102 | | | | | +---w input 2103 | | | | | +---w algori\ 2104 thm 2105 | | | | | | asym\ 2106 metric-key-algorithm-ref 2107 | | | | | +---w public\ 2108 -key? 2109 | | | | | | bina\ 2110 ry 2111 | | | | | +---w privat\ 2112 e-key? 2113 | | | | | bina\ 2114 ry 2115 | | | | +--rw cert? 2116 | | | | | end-entity\ 2117 -cert-cms 2118 | | | | +---n certificate-\ 2119 expiration 2120 | | | | +-- expiration-\ 2121 date 2122 | | | | yang:da\ 2123 te-and-time 2124 | | | +--:(keystore) 2125 | | | {keystore-suppo\ 2126 rted}? 2127 | | | +--rw keystore-refere\ 2128 nce? 2129 | | | ks:asymmetric\ 2130 -key-certificate-ref 2131 | | +--rw server-authentication 2132 | | | +--rw pinned-ca-certs? 2133 | | | | ta:pinned-certificates-ref 2134 | | | | {ta:x509-certificates}? 2135 | | | +--rw pinned-server-certs? 2136 | | | ta:pinned-certificates-ref 2137 | | | {ta:x509-certificates}? 
2138 | | +--rw hello-params 2139 | | | {tls-client-hello-params-config\ 2140 }? 2141 | | | +--rw tls-versions 2142 | | | | +--rw tls-version* identityref 2143 | | | +--rw cipher-suites 2144 | | | +--rw cipher-suite* identityref 2145 | | +--rw keepalives! 2146 | | {tls-client-keepalives}? 2147 | | +--rw max-wait? uint16 2148 | | +--rw max-attempts? uint8 2149 | +--rw connection-type 2150 | | +--rw (connection-type) 2151 | | +--:(persistent-connection) 2152 | | | +--rw persistent! 2153 | | +--:(periodic-connection) 2154 | | +--rw periodic! 2155 | | +--rw period? uint16 2156 | | +--rw anchor-time? yang:date-and-time 2157 | | +--rw idle-timeout? uint16 2158 | +--rw reconnect-strategy 2159 | +--rw start-with? enumeration 2160 | +--rw max-attempts? uint8 2161 +--rw listen! {ssh-listen or tls-listen}? 2162 +--rw idle-timeout? uint16 2163 +--rw endpoint* [name] 2164 +--rw name string 2165 +--rw (transport) 2166 +--:(ssh) {ssh-listen}? 2167 | +--rw ssh 2168 | +--rw tcp-server-parameters 2169 | | +--rw local-address inet:ip-address 2170 | | +--rw local-port? inet:port-number 2171 | | +--rw keepalives! 2172 | | +--rw idle-time uint16 2173 | | +--rw max-probes uint16 2174 | | +--rw probe-interval uint16 2175 | +--rw ssh-client-parameters 2176 | +--rw client-identity 2177 | | +--rw username? string 2178 | | +--rw (auth-type) 2179 | | +--:(password) 2180 | | | +--rw password? string 2181 | | +--:(public-key) 2182 | | | +--rw public-key 2183 | | | +--rw (local-or-keystore) 2184 | | | +--:(local) 2185 | | | | {local-keys-supported\ 2187 }? 2188 | | | | +--rw local-definition 2189 | | | | +--rw algorithm? 2190 | | | | | asymmetric-key-a\ 2191 lgorithm-ref 2192 | | | | +--rw public-key? 2193 | | | | | binary 2194 | | | | +--rw private-key? 
                 |        |     |        |     |       union
                 |        |     |        |     +---x generate-hidden-key
                 |        |     |        |     |  +---w input
                 |        |     |        |     |     +---w algorithm
                 |        |     |        |     |             asymmetric\
-key-algorithm-ref
                 |        |     |        |     +---x install-hidden-key
                 |        |     |        |        +---w input
                 |        |     |        |           +---w algorithm
                 |        |     |        |           |       asymmetric\
-key-algorithm-ref
                 |        |     |        |           +---w public-key?
                 |        |     |        |           |       binary
                 |        |     |        |           +---w private-key?
                 |        |     |        |                   binary
                 |        |     |        +--:(keystore)
                 |        |     |                 {keystore-supported}?
                 |        |     |           +--rw keystore-reference?
                 |        |     |                   ks:asymmetric-key-r\
ef
                 |        |     +--:(certificate)
                 |        |        +--rw certificate
                 |        |                {sshcmn:ssh-x509-certs}?
                 |        |           +--rw (local-or-keystore)
                 |        |              +--:(local)
                 |        |              |        {local-keys-supported\
}?
                 |        |              |  +--rw local-definition
                 |        |              |     +--rw algorithm?
                 |        |              |     |       asymmetric-key-a\
lgorithm-ref
                 |        |              |     +--rw public-key?
                 |        |              |     |       binary
                 |        |              |     +--rw private-key?
                 |        |              |     |       union
                 |        |              |     +---x generate-hidden-key
                 |        |              |     |  +---w input
                 |        |              |     |     +---w algorithm
                 |        |              |     |             asymmetric\
-key-algorithm-ref
                 |        |              |     +---x install-hidden-key
                 |        |              |        +---w input
                 |        |              |           +---w algorithm
                 |        |              |           |       asymmetric\
-key-algorithm-ref
                 |        |              |           +---w public-key?
                 |        |              |           |       binary
                 |        |              |           +---w private-key?
                 |        |              |                   binary
                 |        |              |     +--rw cert?
                 |        |              |     |       end-entity-cert-\
cms
                 |        |              |     +---n certificate-expira\
tion
                 |        |              |        +-- expiration-date
                 |        |              |             yang:date-and\
-time
                 |        |              +--:(keystore)
                 |        |                       {keystore-supported}?
                 |        |                 +--rw keystore-reference?
                 |        |                         ks:asymmetric-key-c\
ertificate-ref
                 |        +--rw server-authentication
                 |        |  +--rw pinned-ssh-host-keys?
                 |        |  |       ta:pinned-host-keys-ref
                 |        |  |       {ta:ssh-host-keys}?
                 |        |  +--rw pinned-ca-certs?
                 |        |  |       ta:pinned-certificates-ref
                 |        |  |       {sshcmn:ssh-x509-certs,ta:x509-cer\
tificates}?
                 |        |  +--rw pinned-server-certs?
                 |        |          ta:pinned-certificates-ref
                 |        |          {sshcmn:ssh-x509-certs,ta:x509-cer\
tificates}?
                 |        +--rw transport-params
                 |        |       {ssh-client-transport-params-config}?
                 |        |  +--rw host-key
                 |        |  |  +--rw host-key-alg*       identityref
                 |        |  +--rw key-exchange
                 |        |  |  +--rw key-exchange-alg*   identityref
                 |        |  +--rw encryption
                 |        |  |  +--rw encryption-alg*     identityref
                 |        |  +--rw mac
                 |        |     +--rw mac-alg*            identityref
                 |        +--rw keepalives! {ssh-client-keepalives}?
                 |           +--rw max-wait?       uint16
                 |           +--rw max-attempts?   uint8
                 +--:(tls) {tls-listen}?
                    +--rw tls
                       +--rw tcp-server-parameters
                       |  +--rw local-address    inet:ip-address
                       |  +--rw local-port?      inet:port-number
                       |  +--rw keepalives!
                       |     +--rw idle-time         uint16
                       |     +--rw max-probes        uint16
                       |     +--rw probe-interval    uint16
                       +--rw tls-client-parameters
                          +--rw client-identity
                          |  +--rw (auth-type)
                          |     +--:(certificate)
                          |        +--rw certificate
                          |           +--rw (local-or-keystore)
                          |              +--:(local)
                          |              |        {local-keys-supported\
}?
                          |              |  +--rw local-definition
                          |              |     +--rw algorithm?
                          |              |     |       asymmetric-key-a\
lgorithm-ref
                          |              |     +--rw public-key?
                          |              |     |       binary
                          |              |     +--rw private-key?
                          |              |     |       union
                          |              |     +---x generate-hidden-key
                          |              |     |  +---w input
                          |              |     |     +---w algorithm
                          |              |     |             asymmetric\
-key-algorithm-ref
                          |              |     +---x install-hidden-key
                          |              |        +---w input
                          |              |           +---w algorithm
                          |              |           |       asymmetric\
-key-algorithm-ref
                          |              |           +---w public-key?
                          |              |           |       binary
                          |              |           +---w private-key?
                          |              |                   binary
                          |              |     +--rw cert?
                          |              |     |       end-entity-cert-\
cms
                          |              |     +---n certificate-expira\
tion
                          |              |        +-- expiration-date
                          |              |             yang:date-and\
-time
                          |              +--:(keystore)
                          |                       {keystore-supported}?
                          |                 +--rw keystore-reference?
                          |                         ks:asymmetric-key-c\
ertificate-ref
                          +--rw server-authentication
                          |  +--rw pinned-ca-certs?
                          |  |       ta:pinned-certificates-ref
                          |  |       {ta:x509-certificates}?
                          |  +--rw pinned-server-certs?
                          |          ta:pinned-certificates-ref
                          |          {ta:x509-certificates}?
                          +--rw hello-params
                          |       {tls-client-hello-params-config}?
                          |  +--rw tls-versions
                          |  |  +--rw tls-version*    identityref
                          |  +--rw cipher-suites
                          |     +--rw cipher-suite*   identityref
                          +--rw keepalives! {tls-client-keepalives}?
                             +--rw max-wait?       uint16
                             +--rw max-attempts?   uint8

A.2.  Expanded Tree Diagram for 'ietf-netconf-server'

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram shows all the nodes defined in this module,
   including those defined by "grouping" statements used by this module.

   Please see Section 4.1 for a tree diagram that illustrates what the
   module looks like without all the "grouping" statements expanded.

   =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========

   module: ietf-netconf-server
     +--rw netconf-server
        +--rw listen! {ssh-listen or tls-listen}?
        |  +--rw idle-timeout?   uint16
        |  +--rw endpoint* [name]
        |     +--rw name           string
        |     +--rw (transport)
        |        +--:(ssh) {ssh-listen}?
        |        |  +--rw ssh
        |        |     +--rw tcp-server-parameters
        |        |     |  +--rw local-address    inet:ip-address
        |        |     |  +--rw local-port?      inet:port-number
        |        |     |  +--rw keepalives!
        |        |     |     +--rw idle-time         uint16
        |        |     |     +--rw max-probes        uint16
        |        |     |     +--rw probe-interval    uint16
        |        |     +--rw ssh-server-parameters
        |        |        +--rw server-identity
        |        |        |  +--rw host-key* [name]
        |        |        |     +--rw name              string
        |        |        |     +--rw (host-key-type)
        |        |        |        +--:(public-key)
        |        |        |        |  +--rw public-key
        |        |        |        |     +--rw (local-or-keystore)
        |        |        |        |        +--:(local)
        |        |        |        |        |        {local-keys-suppor\
ted}?
        |        |        |        |        |  +--rw local-definition
        |        |        |        |        |     +--rw algorithm?
        |        |        |        |        |     |       asymmetric-ke\
y-algorithm-ref
        |        |        |        |        |     +--rw public-key?
        |        |        |        |        |     |       binary
        |        |        |        |        |     +--rw private-key?
        |        |        |        |        |     |       union
        |        |        |        |        |     +---x generate-hidden\
-key
        |        |        |        |        |     |  +---w input
        |        |        |        |        |     |     +---w algorithm
        |        |        |        |        |     |             asymmet\
ric-key-algorithm-ref
        |        |        |        |        |     +---x install-hidden-\
key
        |        |        |        |        |        +---w input
        |        |        |        |        |           +---w algorithm
        |        |        |        |        |           |       asymmet\
ric-key-algorithm-ref
        |        |        |        |        |           +---w public-ke\
y?
        |        |        |        |        |           |       binary
        |        |        |        |        |           +---w private-k\
ey?
        |        |        |        |        |                   binary
        |        |        |        |        +--:(keystore)
        |        |        |        |                 {keystore-supporte\
d}?
        |        |        |        |           +--rw keystore-reference?
        |        |        |        |                   ks:asymmetric-ke\
y-ref
        |        |        |        +--:(certificate)
        |        |        |           +--rw certificate
        |        |        |                   {sshcmn:ssh-x509-certs}?
        |        |        |              +--rw (local-or-keystore)
        |        |        |                 +--:(local)
        |        |        |                 |        {local-keys-suppor\
ted}?
        |        |        |                 |  +--rw local-definition
        |        |        |                 |     +--rw algorithm?
        |        |        |                 |     |       asymmetric-ke\
y-algorithm-ref
        |        |        |                 |     +--rw public-key?
        |        |        |                 |     |       binary
        |        |        |                 |     +--rw private-key?
        |        |        |                 |     |       union
        |        |        |                 |     +---x generate-hidden\
-key
        |        |        |                 |     |  +---w input
        |        |        |                 |     |     +---w algorithm
        |        |        |                 |     |             asymmet\
ric-key-algorithm-ref
        |        |        |                 |     +---x install-hidden-\
key
        |        |        |                 |        +---w input
        |        |        |                 |           +---w algorithm
        |        |        |                 |           |       asymmet\
ric-key-algorithm-ref
        |        |        |                 |           +---w public-ke\
y?
        |        |        |                 |           |       binary
        |        |        |                 |           +---w private-k\
ey?
        |        |        |                 |                   binary
        |        |        |                 |     +--rw cert?
        |        |        |                 |     |       end-entity-ce\
rt-cms
        |        |        |                 |     +---n certificate-exp\
iration
        |        |        |                 |        +-- expiration-date
        |        |        |                 |             yang:date-\
and-time
        |        |        |                 +--:(keystore)
        |        |        |                          {keystore-supporte\
d}?
        |        |        |                    +--rw keystore-reference?
        |        |        |                            ks:asymmetric-ke\
y-certificate-ref
        |        |        +--rw client-authentication
        |        |        |  +--rw supported-authentication-methods
        |        |        |  |  +--rw publickey?   empty
        |        |        |  |  +--rw passsword?   empty
        |        |        |  |  +--rw hostbased?   empty
        |        |        |  |  +--rw none?        empty
        |        |        |  |  +--rw other*       string
        |        |        |  +--rw (local-or-external)
        |        |        |     +--:(local)
        |        |        |     |        {local-client-auth-supported}?
        |        |        |     |  +--rw users
        |        |        |     |     +--rw user* [name]
        |        |        |     |        +--rw name              string
        |        |        |     |        +--rw password?
        |        |        |     |        |       ianach:crypt-hash
        |        |        |     |        +--rw authorized-key* [name]
        |        |        |     |           +--rw name         string
        |        |        |     |           +--rw algorithm    string
        |        |        |     |           +--rw key-data     binary
        |        |        |     +--:(external)
        |        |        |              {external-client-auth-supporte\
d}?
        |        |        |        +--rw client-auth-defined-elsewhere?
        |        |        |                empty
        |        |        +--rw transport-params
        |        |        |       {ssh-server-transport-params-config}?
        |        |        |  +--rw host-key
        |        |        |  |  +--rw host-key-alg*       identityref
        |        |        |  +--rw key-exchange
        |        |        |  |  +--rw key-exchange-alg*   identityref
        |        |        |  +--rw encryption
        |        |        |  |  +--rw encryption-alg*     identityref
        |        |        |  +--rw mac
        |        |        |     +--rw mac-alg*            identityref
        |        |        +--rw keepalives! {ssh-server-keepalives}?
        |        |           +--rw max-wait?       uint16
        |        |           +--rw max-attempts?   uint8
        |        +--:(tls) {tls-listen}?
        |           +--rw tls
        |              +--rw tcp-server-parameters
        |              |  +--rw local-address    inet:ip-address
        |              |  +--rw local-port?      inet:port-number
        |              |  +--rw keepalives!
        |              |     +--rw idle-time         uint16
        |              |     +--rw max-probes        uint16
        |              |     +--rw probe-interval    uint16
        |              +--rw tls-server-parameters
        |                 +--rw server-identity
        |                 |  +--rw (local-or-keystore)
        |                 |     +--:(local) {local-keys-supported}?
        |                 |     |  +--rw local-definition
        |                 |     |     +--rw algorithm?
        |                 |     |     |       asymmetric-key-algorithm-\
ref
        |                 |     |     +--rw public-key?
        |                 |     |     |       binary
        |                 |     |     +--rw private-key?
        |                 |     |     |       union
        |                 |     |     +---x generate-hidden-key
        |                 |     |     |  +---w input
        |                 |     |     |     +---w algorithm
        |                 |     |     |             asymmetric-key-algo\
rithm-ref
        |                 |     |     +---x install-hidden-key
        |                 |     |        +---w input
        |                 |     |           +---w algorithm
        |                 |     |           |       asymmetric-key-algo\
rithm-ref
        |                 |     |           +---w public-key?    binary
        |                 |     |           +---w private-key?   binary
        |                 |     |     +--rw cert?
        |                 |     |     |       end-entity-cert-cms
        |                 |     |     +---n certificate-expiration
        |                 |     |        +-- expiration-date
        |                 |     |             yang:date-and-time
        |                 |     +--:(keystore) {keystore-supported}?
        |                 |        +--rw keystore-reference?
        |                 |                ks:asymmetric-key-certificat\
e-ref
        |                 +--rw client-authentication!
        |                 |  +--rw (required-or-optional)
        |                 |  |  +--:(required)
        |                 |  |  |  +--rw required?
        |                 |  |  |          empty
        |                 |  |  +--:(optional)
        |                 |  |     +--rw optional?
        |                 |  |             empty
        |                 |  +--rw (local-or-external)
        |                 |  |  +--:(local)
        |                 |  |  |        {local-client-auth-supported}?
        |                 |  |  |  +--rw pinned-ca-certs?
        |                 |  |  |  |       ta:pinned-certificates-ref
        |                 |  |  |  |       {ta:x509-certificates}?
        |                 |  |  |  +--rw pinned-client-certs?
        |                 |  |  |          ta:pinned-certificates-ref
        |                 |  |  |          {ta:x509-certificates}?
        |                 |  |  +--:(external)
        |                 |  |           {external-client-auth-supporte\
d}?
        |                 |  |     +--rw client-auth-defined-elsewhere?
        |                 |  |             empty
        |                 |  +--rw cert-maps
        |                 |     +--rw cert-to-name* [id]
        |                 |        +--rw id             uint32
        |                 |        +--rw fingerprint
        |                 |        |       x509c2n:tls-fingerprint
        |                 |        +--rw map-type       identityref
        |                 |        +--rw name           string
        |                 +--rw hello-params
        |                 |       {tls-server-hello-params-config}?
        |                 |  +--rw tls-versions
        |                 |  |  +--rw tls-version*    identityref
        |                 |  +--rw cipher-suites
        |                 |     +--rw cipher-suite*   identityref
        |                 +--rw keepalives! {tls-server-keepalives}?
        |                    +--rw max-wait?       uint16
        |                    +--rw max-attempts?   uint8
        +--rw call-home! {ssh-call-home or tls-call-home}?
           +--rw netconf-client* [name]
              +--rw name         string
              +--rw endpoints
              |  +--rw endpoint* [name]
              |     +--rw name         string
              |     +--rw (transport)
              |        +--:(ssh) {ssh-call-home}?
              |        |  +--rw ssh
              |        |     +--rw tcp-client-parameters
              |        |     |  +--rw remote-address    inet:host
              |        |     |  +--rw remote-port?      inet:port-number
              |        |     |  +--rw local-address?    inet:ip-address
              |        |     |  +--rw local-port?       inet:port-number
              |        |     |  +--rw keepalives!
              |        |     |     +--rw idle-time         uint16
              |        |     |     +--rw max-probes        uint16
              |        |     |     +--rw probe-interval    uint16
              |        |     +--rw ssh-server-parameters
              |        |        +--rw server-identity
              |        |        |  +--rw host-key* [name]
              |        |        |     +--rw name              string
              |        |        |     +--rw (host-key-type)
              |        |        |        +--:(public-key)
              |        |        |        |  +--rw public-key
              |        |        |        |     +--rw (local-or-keystore)
              |        |        |        |        +--:(local)
              |        |        |        |        |        {local-keys-\
supported}?
              |        |        |        |        |  +--rw local-defini\
tion
              |        |        |        |        |     +--rw algorithm?
              |        |        |        |        |     |       asymmet\
ric-key-algorithm-ref
              |        |        |        |        |     +--rw public-ke\
y?
              |        |        |        |        |     |       binary
              |        |        |        |        |     +--rw private-k\
ey?
              |        |        |        |        |     |       union
              |        |        |        |        |     +---x generate-\
hidden-key
              |        |        |        |        |     |  +---w input
              |        |        |        |        |     |     +---w alg\
orithm
              |        |        |        |        |     |             a\
symmetric-key-algorithm-ref
              |        |        |        |        |     +---x install-h\
idden-key
              |        |        |        |        |        +---w input
              |        |        |        |        |           +---w alg\
orithm
              |        |        |        |        |           |       a\
symmetric-key-algorithm-ref
              |        |        |        |        |           +---w pub\
lic-key?
              |        |        |        |        |           |       b\
inary
              |        |        |        |        |           +---w pri\
vate-key?
              |        |        |        |        |                   b\
inary
              |        |        |        |        +--:(keystore)
              |        |        |        |                 {keystore-su\
pported}?
              |        |        |        |           +--rw keystore-ref\
erence?
              |        |        |        |                   ks:asymmet\
ric-key-ref
              |        |        |        +--:(certificate)
              |        |        |           +--rw certificate
              |        |        |                   {sshcmn:ssh-x509-ce\
rts}?
              |        |        |              +--rw (local-or-keystore)
              |        |        |                 +--:(local)
              |        |        |                 |        {local-keys-\
supported}?
              |        |        |                 |  +--rw local-defini\
tion
              |        |        |                 |     +--rw algorithm?
              |        |        |                 |     |       asymmet\
ric-key-algorithm-ref
              |        |        |                 |     +--rw public-ke\
y?
              |        |        |                 |     |       binary
              |        |        |                 |     +--rw private-k\
ey?
              |        |        |                 |     |       union
              |        |        |                 |     +---x generate-\
hidden-key
              |        |        |                 |     |  +---w input
              |        |        |                 |     |     +---w alg\
orithm
              |        |        |                 |     |             a\
symmetric-key-algorithm-ref
              |        |        |                 |     +---x install-h\
idden-key
              |        |        |                 |        +---w input
              |        |        |                 |           +---w alg\
orithm
              |        |        |                 |           |       a\
symmetric-key-algorithm-ref
              |        |        |                 |           +---w pub\
lic-key?
              |        |        |                 |           |       b\
inary
              |        |        |                 |           +---w pri\
vate-key?
              |        |        |                 |                   b\
inary
              |        |        |                 |     +--rw cert?
              |        |        |                 |     |       end-ent\
ity-cert-cms
              |        |        |                 |     +---n certifica\
te-expiration
              |        |        |                 |        +-- expirati\
on-date
              |        |        |                 |             yang\
:date-and-time
              |        |        |                 +--:(keystore)
              |        |        |                          {keystore-su\
pported}?
              |        |        |                    +--rw keystore-ref\
erence?
              |        |        |                            ks:asymmet\
ric-key-certificate-ref
              |        |        +--rw client-authentication
              |        |        |  +--rw supported-authentication-metho\
ds
              |        |        |  |  +--rw publickey?   empty
              |        |        |  |  +--rw passsword?   empty
              |        |        |  |  +--rw hostbased?   empty
              |        |        |  |  +--rw none?        empty
              |        |        |  |  +--rw other*       string
              |        |        |  +--rw (local-or-external)
              |        |        |     +--:(local)
              |        |        |     |        {local-client-auth-suppo\
rted}?
              |        |        |     |  +--rw users
              |        |        |     |     +--rw user* [name]
              |        |        |     |        +--rw name
              |        |        |     |        |       string
              |        |        |     |        +--rw password?
              |        |        |     |        |       ianach:crypt-hash
              |        |        |     |        +--rw authorized-key*
              |        |        |     |                [name]
              |        |        |     |           +--rw name
              |        |        |     |           |       string
              |        |        |     |           +--rw algorithm
              |        |        |     |           |       string
              |        |        |     |           +--rw key-data
              |        |        |     |                   binary
              |        |        |     +--:(external)
              |        |        |              {external-client-auth-su\
pported}?
              |        |        |        +--rw client-auth-defined-else\
where?
              |        |        |                empty
              |        |        +--rw transport-params
              |        |        |       {ssh-server-transport-params-co\
nfig}?
              |        |        |  +--rw host-key
              |        |        |  |  +--rw host-key-alg*   identityref
              |        |        |  +--rw key-exchange
              |        |        |  |  +--rw key-exchange-alg*
              |        |        |  |          identityref
              |        |        |  +--rw encryption
              |        |        |  |  +--rw encryption-alg*
              |        |        |  |          identityref
              |        |        |  +--rw mac
              |        |        |     +--rw mac-alg*   identityref
              |        |        +--rw keepalives!
              |        |                {ssh-server-keepalives}?
              |        |           +--rw max-wait?       uint16
              |        |           +--rw max-attempts?   uint8
              |        +--:(tls) {tls-call-home}?
              |           +--rw tls
              |              +--rw tcp-client-parameters
              |              |  +--rw remote-address    inet:host
              |              |  +--rw remote-port?      inet:port-number
              |              |  +--rw local-address?    inet:ip-address
              |              |  +--rw local-port?       inet:port-number
              |              |  +--rw keepalives!
              |              |     +--rw idle-time         uint16
              |              |     +--rw max-probes        uint16
              |              |     +--rw probe-interval    uint16
              |              +--rw tls-server-parameters
              |                 +--rw server-identity
              |                 |  +--rw (local-or-keystore)
              |                 |     +--:(local)
              |                 |     |        {local-keys-supported}?
              |                 |     |  +--rw local-definition
              |                 |     |     +--rw algorithm?
              |                 |     |     |       asymmetric-key-algo\
rithm-ref
              |                 |     |     +--rw public-key?
              |                 |     |     |       binary
              |                 |     |     +--rw private-key?
              |                 |     |     |       union
              |                 |     |     +---x generate-hidden-key
              |                 |     |     |  +---w input
              |                 |     |     |     +---w algorithm
              |                 |     |     |             asymmetric-ke\
y-algorithm-ref
              |                 |     |     +---x install-hidden-key
              |                 |     |        +---w input
              |                 |     |           +---w algorithm
              |                 |     |           |       asymmetric-ke\
y-algorithm-ref
              |                 |     |           +---w public-key?
              |                 |     |           |       binary
              |                 |     |           +---w private-key?
              |                 |     |                   binary
              |                 |     |     +--rw cert?
              |                 |     |     |       end-entity-cert-cms
              |                 |     |     +---n certificate-expiration
              |                 |     |        +-- expiration-date
              |                 |     |             yang:date-and-ti\
me
              |                 |     +--:(keystore)
              |                 |              {keystore-supported}?
              |                 |        +--rw keystore-reference?
              |                 |                ks:asymmetric-key-cert\
ificate-ref
              |                 +--rw client-authentication!
              |                 |  +--rw (required-or-optional)
              |                 |  |  +--:(required)
              |                 |  |  |  +--rw required?
              |                 |  |  |          empty
              |                 |  |  +--:(optional)
              |                 |  |     +--rw optional?
              |                 |  |             empty
              |                 |  +--rw (local-or-external)
              |                 |  |  +--:(local)
              |                 |  |  |        {local-client-auth-suppo\
rted}?
              |                 |  |  |  +--rw pinned-ca-certs?
              |                 |  |  |  |       ta:pinned-certificates\
-ref
              |                 |  |  |  |       {ta:x509-certificates}?
              |                 |  |  |  +--rw pinned-client-certs?
              |                 |  |  |          ta:pinned-certificates\
-ref
              |                 |  |  |          {ta:x509-certificates}?
              |                 |  |  +--:(external)
              |                 |  |           {external-client-auth-su\
pported}?
              |                 |  |     +--rw client-auth-defined-else\
where?
              |                 |  |             empty
              |                 |  +--rw cert-maps
              |                 |     +--rw cert-to-name* [id]
              |                 |        +--rw id             uint32
              |                 |        +--rw fingerprint
              |                 |        |       x509c2n:tls-fingerprint
              |                 |        +--rw map-type
              |                 |        |       identityref
              |                 |        +--rw name           string
              |                 +--rw hello-params
              |                 |       {tls-server-hello-params-config\
}?
              |                 |  +--rw tls-versions
              |                 |  |  +--rw tls-version*    identityref
              |                 |  +--rw cipher-suites
              |                 |     +--rw cipher-suite*   identityref
              |                 +--rw keepalives!
              |                        {tls-server-keepalives}?
              |                    +--rw max-wait?       uint16
              |                    +--rw max-attempts?   uint8
              +--rw connection-type
              |  +--rw (connection-type)
              |     +--:(persistent-connection)
              |     |  +--rw persistent!
              |     +--:(periodic-connection)
              |        +--rw periodic!
              |           +--rw period?         uint16
              |           +--rw anchor-time?    yang:date-and-time
              |           +--rw idle-timeout?   uint16
              +--rw reconnect-strategy
                 +--rw start-with?     enumeration
                 +--rw max-attempts?   uint8

Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Added to ietf-netconf-client the ability to connect to a cluster
      of endpoints, including a reconnection-strategy.

   o  Added to ietf-netconf-client the ability to configure connection-
      type and also keep-alive strategy.

   o  Updated both modules to accommodate new groupings in the ssh/tls
      drafts.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement
      indicating that the TLS client must specify a client-certificate.

   o  Changed 'netconf-client' to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-netconf-client to add a
      mandatory true.

   o  Added refine statement in ietf-netconf-server to add a must
      statement.

   o  Now there are containers and groupings, for both the client and
      server models.

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.

   o  Updated examples to match latest updates to the crypto-types,
      trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with"
      enum.

   o  Replaced "connection-type" choice default (persistent) with
      "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2
      minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types algs.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the
      keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings
      imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not
      configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

B.12.  11 to 12

   o  Removed the "Design Considerations" section.

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connection" description statements to be
      more like the RESTCONF draft, especially where it described
      dropping the underlying TCP connection.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
   Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
   Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
   Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net