idnits 2.17.1
draft-ietf-netconf-netconf-client-server-13.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 1924 has weird spacing: '...address ine...'
== Line 1934 has weird spacing: '...nterval uin...'
== Line 2041 has weird spacing: '...address ine...'
== Line 2051 has weird spacing: '...nterval uin...'
== Line 2145 has weird spacing: '...nterval uin...'
== (12 more instances...)
-- The document date (June 7, 2019) is 1785 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-09
== Outdated reference: A later version (-40) exists of
draft-ietf-netconf-ssh-client-server-13
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-12
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-04
Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track June 7, 2019
5 Expires: December 9, 2019
7 NETCONF Client and Server Models
8 draft-ietf-netconf-netconf-client-server-13
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 NETCONF client and the other module to configure a NETCONF server.
14 Both modules support both the SSH and TLS transport protocols, and
15 support both standard NETCONF and NETCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-ssh-client-server
35 o I-D.ietf-netconf-tls-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
46 server
48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
49 server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-06-07" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on December 9, 2019.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
96 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4
97 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
98 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
99 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 8
100 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 18
101 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 18
102 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 20
103 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 25
104 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37
105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
106 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 38
107 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 38
108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 38
109 7.1. Normative References . . . . . . . . . . . . . . . . . . 38
110 7.2. Informative References . . . . . . . . . . . . . . . . . 40
111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 41
112 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 41
113 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 49
114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 59
115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 59
116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 59
117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 59
118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 60
119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 60
120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 60
121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 60
122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 61
123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 61
124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 61
125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 61
126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 61
127 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 62
128 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 62
129 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 62
131 1. Introduction
133 This document defines two YANG [RFC7950] modules, one module to
134 configure a NETCONF [RFC6241] client and the other module to
135 configure a NETCONF server. Both modules support both NETCONF over
136 SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
137 connections [RFC8071].
139 2. Terminology
141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
143 "OPTIONAL" in this document are to be interpreted as described in BCP
144 14 [RFC2119] [RFC8174] when, and only when, they appear in all
145 capitals, as shown here.
147 3. The NETCONF Client Model
149 The NETCONF client model presented in this section supports both
150 clients initiating connections to servers, as well as clients
151 listening for connections from servers calling home, using either the
152 SSH or TLS transport protocol.
154 YANG feature statements are used to enable implementations to
155 advertise which potentially uncommon parts of the model the NETCONF
156 client supports.
158 3.1. Tree Diagram
160 The following tree diagram [RFC8340] provides an overview of the data
161 model for the "ietf-netconf-client" module.
163 This tree diagram only shows the nodes defined in this module; it
164 does not show the nodes defined by "grouping" statements used by this
165 module.
167 Please see Appendix A.1 for a tree diagram that illustrates what the
168 module looks like with all the "grouping" statements expanded.
170 module: ietf-netconf-client
171 +--rw netconf-client
172 +---u netconf-client-grouping
174 grouping netconf-client-grouping
175 +-- initiate! {ssh-initiate or tls-initiate}?
176 | +-- netconf-server* [name]
177 | +-- name? string
178 | +-- endpoints
179 | | +-- endpoint* [name]
180 | | +-- name? string
181 | | +-- (transport)
182 | | +--:(ssh) {ssh-initiate}?
183 | | | +-- ssh
184 | | | +-- tcp-client-parameters
185 | | | | +---u tcpc:tcp-client-grouping
186 | | | +-- ssh-client-parameters
187 | | | +---u sshc:ssh-client-grouping
188 | | +--:(tls) {tls-initiate}?
189 | | +-- tls
190 | | +-- tcp-client-parameters
191 | | | +---u tcpc:tcp-client-grouping
192 | | +-- tls-client-parameters
193 | | +---u tlsc:tls-client-grouping
194 | +-- connection-type
195 | | +-- (connection-type)
196 | | +--:(persistent-connection)
197 | | | +-- persistent!
198 | | +--:(periodic-connection)
199 | | +-- periodic!
200 | | +-- period? uint16
201 | | +-- anchor-time? yang:date-and-time
202 | | +-- idle-timeout? uint16
203 | +-- reconnect-strategy
204 | +-- start-with? enumeration
205 | +-- max-attempts? uint8
206 +-- listen! {ssh-listen or tls-listen}?
207 +-- idle-timeout? uint16
208 +-- endpoint* [name]
209 +-- name? string
210 +-- (transport)
211 +--:(ssh) {ssh-listen}?
212 | +-- ssh
213 | +-- tcp-server-parameters
214 | | +---u tcps:tcp-server-grouping
215 | +-- ssh-client-parameters
216 | +---u sshc:ssh-client-grouping
217 +--:(tls) {tls-listen}?
218 +-- tls
219 +-- tcp-server-parameters
220 | +---u tcps:tcp-server-grouping
221 +-- tls-client-parameters
222 +---u tlsc:tls-client-grouping
224 3.2. Example Usage
226 The following example illustrates configuring a NETCONF client to
227 initiate connections, using both the SSH and TLS transport protocols,
228 as well as listening for call-home connections, again using both the
229 SSH and TLS transport protocols.
231 This example is consistent with the examples presented in Section 2
232 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
233 [I-D.ietf-netconf-keystore].
235 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
[XML configuration example: the element markup was lost in extraction and only element values survive. The surviving values show a netconf-server named corp-fw1 with endpoints corp-fw1.example.com and corp-fw2.example.com, the key type ct:rsa2048 with placeholder key data, the trust-anchor references explicitly-trusted-server-ca-certs and explicitly-trusted-server-certs, a reconnect-strategy start-with of last-connected, and a listen endpoint named "Intranet-facing listener" on 192.0.2.7 that also references explicitly-trusted-ssh-host-keys.]
360 3.3. YANG Module
362 This YANG module has normative references to [RFC6242], [RFC6991],
363 [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
364 [I-D.ietf-netconf-ssh-client-server], and
365 [I-D.ietf-netconf-tls-client-server].
367 file "ietf-netconf-client@2019-06-07.yang"
368 module ietf-netconf-client {
369 yang-version 1.1;
370 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
371 prefix ncc;
373 import ietf-yang-types {
374 prefix yang;
375 reference
376 "RFC 6991: Common YANG Data Types";
377 }
378 import ietf-tcp-client {
379 prefix tcpc;
380 reference
381 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
382 }
383 import ietf-tcp-server {
384 prefix tcps;
385 reference
386 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
387 }
389 import ietf-ssh-client {
390 prefix sshc;
391 revision-date 2019-06-07; // stable grouping definitions
392 reference
393 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
394 }
396 import ietf-tls-client {
397 prefix tlsc;
398 revision-date 2019-06-07; // stable grouping definitions
399 reference
400 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
401 }
403 organization
404 "IETF NETCONF (Network Configuration) Working Group";
406 contact
407 "WG Web:
408 WG List:
409 Author: Kent Watsen
410 Author: Gary Wu ";
412 description
413 "This module contains a collection of YANG definitions
414 for configuring NETCONF clients.
416 Copyright (c) 2019 IETF Trust and the persons identified
417 as authors of the code. All rights reserved.
419 Redistribution and use in source and binary forms, with
420 or without modification, is permitted pursuant to, and
421 subject to the license terms contained in, the Simplified
422 BSD License set forth in Section 4.c of the IETF Trust's
423 Legal Provisions Relating to IETF Documents
424 (https://trustee.ietf.org/license-info).
426 This version of this YANG module is part of RFC XXXX
427 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
428 itself for full legal notices.
430 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
431 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
432 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
433 are to be interpreted as described in BCP 14 (RFC 2119)
434 (RFC 8174) when, and only when, they appear in all
435 capitals, as shown here.";
437 revision 2019-06-07 {
438 description
439 "Initial version";
440 reference
441 "RFC XXXX: NETCONF Client and Server Models";
442 }
444 // Features
446 feature ssh-initiate {
447 description
448 "The 'ssh-initiate' feature indicates that the NETCONF client
449 supports initiating SSH connections to NETCONF servers.";
450 reference
451 "RFC 6242:
452 Using the NETCONF Protocol over Secure Shell (SSH)";
453 }
455 feature tls-initiate {
456 description
457 "The 'tls-initiate' feature indicates that the NETCONF client
458 supports initiating TLS connections to NETCONF servers.";
459 reference
460 "RFC 7589: Using the NETCONF Protocol over Transport
461 Layer Security (TLS) with Mutual X.509 Authentication";
462 }
464 feature ssh-listen {
465 description
466 "The 'ssh-listen' feature indicates that the NETCONF client
467 supports opening a port to listen for incoming NETCONF
468 server call-home SSH connections.";
469 reference
470 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
471 }
473 feature tls-listen {
474 description
475 "The 'tls-listen' feature indicates that the NETCONF client
476 supports opening a port to listen for incoming NETCONF
477 server call-home TLS connections.";
478 reference
479 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
480 }
482 // Groupings
484 grouping netconf-client-grouping {
485 description
486 "Top-level grouping for NETCONF client configuration.";
487 container initiate {
488 if-feature "ssh-initiate or tls-initiate";
489 presence "Enables client to initiate TCP connections";
490 description
491 "Configures client initiating underlying TCP connections.";
492 list netconf-server {
493 key "name";
494 min-elements 1;
495 description
496 "List of NETCONF servers the NETCONF client is to
497 initiate connections to in parallel.";
498 leaf name {
499 type string;
500 description
501 "An arbitrary name for the NETCONF server.";
502 }
503 container endpoints {
504 description
505 "Container for the list of endpoints.";
506 list endpoint {
507 key "name";
508 min-elements 1;
509 ordered-by user;
510 description
511 "A user-ordered list of endpoints that the NETCONF
512 client will attempt to connect to in the specified
513 sequence. Defining more than one enables
514 high-availability.";
515 leaf name {
516 type string;
517 description
518 "An arbitrary name for the endpoint.";
519 }
520 choice transport {
521 mandatory true;
522 description
523 "Selects between available transports.";
524 case ssh {
525 if-feature "ssh-initiate";
526 container ssh {
527 description
528 "Specifies IP and SSH specific configuration
529 for the connection.";
530 container tcp-client-parameters {
531 description
532 "A wrapper around the TCP client parameters
533 to avoid name collisions.";
534 uses tcpc:tcp-client-grouping {
535 refine "remote-port" {
536 default "830";
537 description
538 "The NETCONF client will attempt to connect
539 to the IANA-assigned well-known port value
540 for 'netconf-ssh' (830) if no value is
541 specified.";
542 }
543 }
544 }
545 container ssh-client-parameters {
546 description
547 "A wrapper around the SSH client parameters to
548 avoid name collisions.";
549 uses sshc:ssh-client-grouping;
550 }
551 }
552 }
553 case tls {
554 if-feature "tls-initiate";
555 container tls {
556 description
557 "Specifies IP and TLS specific configuration
558 for the connection.";
559 container tcp-client-parameters {
560 description
561 "A wrapper around the TCP client parameters
562 to avoid name collisions.";
563 uses tcpc:tcp-client-grouping {
564 refine "remote-port" {
565 default "6513";
566 description
567 "The NETCONF client will attempt to connect
568 to the IANA-assigned well-known port value
569 for 'netconf-tls' (6513) if no value is
570 specified.";
571 }
572 }
573 }
574 container tls-client-parameters {
575 description
576 "A wrapper around the TLS client parameters
577 to avoid name collisions.";
578 uses tlsc:tls-client-grouping {
579 refine "client-identity"
580 + "/auth-type" {
581 mandatory true;
582 description
583 "NETCONF/TLS clients MUST pass some
584 authentication credentials.";
585 }
586 }
587 }
588 }
589 }
590 } // choice transport
591 } // list endpoint
592 } // container endpoints
594 container connection-type {
595 description
596 "Indicates the NETCONF client's preference for how the
597 NETCONF connection is maintained.";
598 choice connection-type {
599 mandatory true;
600 description
601 "Selects between available connection types.";
602 case persistent-connection {
603 container persistent {
604 presence "Indicates that a persistent connection is
605 to be maintained.";
606 description
607 "Maintain a persistent connection to the NETCONF
608 server. If the connection goes down, immediately
609 start trying to reconnect to the NETCONF server,
610 using the reconnection strategy.
612 This connection type minimizes any NETCONF server
613 to NETCONF client data-transfer delay, albeit at
614 the expense of holding resources longer.";
615 }
616 }
617 case periodic-connection {
618 container periodic {
619 presence "Indicates that a periodic connection is
620 to be maintained.";
621 description
622 "Periodically connect to the NETCONF server.
624 This connection type decreases resource
625 utilization, albeit with increased delay in
626 NETCONF server to NETCONF client interactions.
628 The NETCONF client should close the underlying
629 TCP connection upon completing planned activities.
631 In the case that the previous connection is still
632 active, establishing a new connection is NOT
633 RECOMMENDED.";
634 leaf period {
635 type uint16;
636 units "minutes";
637 default "60";
638 description
639 "Duration of time between periodic connections.";
640 }
641 leaf anchor-time {
642 type yang:date-and-time {
643 // minute-level granularity: seconds are fixed at "00" so
644 // values still satisfy the base date-and-time pattern
645 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:00'
646 + '(Z|[\+\-]\d{2}:\d{2})';
646 }
647 description
648 "Designates a timestamp before or after which a
649 series of periodic connections are determined.
650 The periodic connections occur at a whole
651 multiple interval from the anchor time. For
652 example, if the anchor time is 15 minutes past
653 midnight and the period is 24 hours, then a
654 periodic connection will occur 15 minutes past
655 midnight every day.";
656 }
657 leaf idle-timeout {
658 type uint16;
659 units "seconds";
660 default 120; // two minutes
661 description
662 "Specifies the maximum number of seconds that
663 a NETCONF session may remain idle. A NETCONF
664 session will be dropped if it is idle for an
665 interval longer than this number of seconds.
667 If set to zero, then the NETCONF client will
668 never drop a session because it is idle.";
669 }
670 }
671 }
672 }
673 }
674 container reconnect-strategy {
675 description
676 "The reconnection strategy directs how a NETCONF client
677 reconnects to a NETCONF server, after discovering its
678 connection to the server has dropped, even if due to a
679 reboot. The NETCONF client starts with the specified
680 endpoint and tries to connect to it max-attempts times
681 before trying the next endpoint in the list (round
682 robin).";
683 leaf start-with {
684 type enumeration {
685 enum first-listed {
686 description
687 "Indicates that reconnections should start with
688 the first endpoint listed.";
689 }
690 enum last-connected {
691 description
692 "Indicates that reconnections should start with
693 the endpoint last connected to. If no previous
694 connection has ever been established, then the
695 first endpoint configured is used. NETCONF
696 clients SHOULD be able to remember the last
697 endpoint connected to across reboots.";
698 }
699 enum random-selection {
700 description
701 "Indicates that reconnections should start with
702 a random endpoint.";
703 }
704 }
705 default "first-listed";
706 description
707 "Specifies which of the NETCONF server's endpoints
708 the NETCONF client should start with when trying
709 to connect to the NETCONF server.";
710 }
711 leaf max-attempts {
712 type uint8 {
713 range "1..max";
714 }
715 default "3";
716 description
717 "Specifies the number of times the NETCONF client tries
718 to connect to a specific endpoint before moving on
719 to the next endpoint in the list (round robin).";
720 }
721 }
722 } // netconf-server
723 } // initiate
725 container listen {
726 if-feature "ssh-listen or tls-listen";
727 presence "Enables client to accept call-home connections";
728 description
729 "Configures client accepting call-home TCP connections.";
730 leaf idle-timeout {
731 type uint16;
732 units "seconds";
733 default "3600"; // one hour
734 description
735 "Specifies the maximum number of seconds that a NETCONF
736 session may remain idle. A NETCONF session will be
737 dropped if it is idle for an interval longer than this
738 number of seconds. If set to zero, then the NETCONF client
739 will never drop a session because it is idle. Sessions
740 that have a notification subscription active are never
741 dropped.";
742 }
743 list endpoint {
744 key "name";
745 min-elements 1;
746 description
747 "List of endpoints to listen for NETCONF connections.";
748 leaf name {
749 type string;
750 description
751 "An arbitrary name for the NETCONF listen endpoint.";
752 }
753 choice transport {
754 mandatory true;
755 description
756 "Selects between available transports.";
757 case ssh {
758 if-feature "ssh-listen";
759 container ssh {
760 description
761 "SSH-specific listening configuration for inbound
762 connections.";
764 container tcp-server-parameters {
765 description
766 "A wrapper around the TCP server parameters
767 to avoid name collisions.";
768 uses tcps:tcp-server-grouping {
769 refine "local-port" {
770 default "4334";
771 description
772 "The NETCONF client will listen on the IANA-
773 assigned well-known port for 'netconf-ch-ssh'
774 (4334) if no value is specified.";
775 }
776 }
777 }
778 container ssh-client-parameters {
779 description
780 "A wrapper around the SSH client parameters
781 to avoid name collisions.";
782 uses sshc:ssh-client-grouping;
783 }
784 }
785 }
786 case tls {
787 if-feature "tls-listen";
788 container tls {
789 description
790 "TLS-specific listening configuration for inbound
791 connections.";
792 container tcp-server-parameters {
793 description
794 "A wrapper around the TCP server parameters
795 to avoid name collisions.";
796 uses tcps:tcp-server-grouping {
797 refine "local-port" {
798 default "4335";
799 description
800 "The NETCONF client will listen on the IANA-
801 assigned well-known port for 'netconf-ch-tls'
802 (4335) if no value is specified.";
803 }
804 }
805 }
806 container tls-client-parameters {
807 description
808 "A wrapper around the TLS client parameters
809 to avoid name collisions.";
810 uses tlsc:tls-client-grouping {
811 refine "client-identity/auth-type" {
812 mandatory true;
813 description
814 "NETCONF/TLS clients MUST pass some
815 authentication credentials.";
816 }
817 }
818 }
819 }
820 }
821 } // transport
822 } // endpoint
823 } // listen
824 } // netconf-client
826 // Protocol accessible node, for servers that implement this
827 // module.
829 container netconf-client {
830 uses netconf-client-grouping;
831 description
832 "Top-level container for NETCONF client configuration.";
833 }
834 }
835
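The connection-type and reconnect-strategy semantics defined in the module above (periodic connections at whole multiples of the period from anchor-time, idle-timeout with zero meaning never, and round-robin reconnection honouring start-with and max-attempts), worked as a client-side scheduler; this is an added example, not code from the draft or from any NETCONF implementation, and the same logic applies to the server's call-home nodes in Section 4. Assumptions: anchor-time values keep a seconds field of "00" so they remain valid yang:date-and-time, and the actual transport connect is a caller-supplied callback.

```python
"""Scheduling helpers for the ietf-netconf-client connection-type and
reconnect-strategy nodes (constructed example, not part of the draft)."""
import random
import re
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# yang:date-and-time restricted to whole minutes: the seconds field must be
# "00", giving the minute-level granularity the anchor-time leaf calls for.
ANCHOR_TIME_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:00(Z|[+\-]\d{2}:\d{2})$")


def parse_date_and_time(value: str) -> datetime:
    """Parse a yang:date-and-time value into a timezone-aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("date-and-time values must carry a time zone")
    return dt


def parse_anchor_time(value: str) -> datetime:
    """Parse anchor-time, rejecting values that are not on a whole minute."""
    if not ANCHOR_TIME_RE.match(value):
        raise ValueError(f"anchor-time must be minute-granular: {value!r}")
    return parse_date_and_time(value)


def to_date_and_time(dt: datetime) -> str:
    """Render an aware datetime as yang:date-and-time, using Z for UTC."""
    return dt.isoformat().replace("+00:00", "Z")


def next_periodic_connection(anchor_time: str, period_minutes: int,
                             now: str) -> str:
    """First instant strictly after `now` lying at a whole multiple of the
    period from the anchor; the anchor may be in the past or the future."""
    if period_minutes <= 0:
        raise ValueError("period must be positive")
    anchor = parse_anchor_time(anchor_time)
    current = parse_date_and_time(now)
    period = timedelta(minutes=period_minutes)
    # Floor division of timedeltas gives the last multiple at or before now.
    candidate = anchor + ((current - anchor) // period) * period
    if candidate <= current:
        candidate += period
    return to_date_and_time(candidate)


def idle_expired(last_activity: str, now: str, idle_timeout_seconds: int) -> bool:
    """True when the session has been idle longer than idle-timeout.
    A value of zero disables the check, as the module specifies."""
    if idle_timeout_seconds == 0:
        return False
    idle = parse_date_and_time(now) - parse_date_and_time(last_activity)
    return idle.total_seconds() > idle_timeout_seconds


def start_index(endpoints: List[str], start_with: str,
                last_connected: Optional[str] = None,
                rng: Optional[random.Random] = None) -> int:
    """Index of the endpoint to try first, per the start-with enumeration."""
    if start_with == "first-listed":
        return 0
    if start_with == "last-connected":
        # Falls back to the first endpoint when nothing was ever connected.
        return endpoints.index(last_connected) if last_connected in endpoints else 0
    if start_with == "random-selection":
        return (rng or random).randrange(len(endpoints))
    raise ValueError(f"unknown start-with value: {start_with!r}")


def reconnect(endpoints: List[str], start_with: str, max_attempts: int,
              connect: Callable[[str], bool],
              last_connected: Optional[str] = None,
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], int]:
    """One round-robin pass: try each endpoint up to max-attempts times,
    starting at the endpoint chosen by start-with.  Returns the endpoint that
    accepted the connection (or None) and the total number of attempts."""
    if not endpoints:
        raise ValueError("endpoint list has min-elements 1")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is a uint8 with range 1..max")
    first = start_index(endpoints, start_with, last_connected, rng)
    attempts = 0
    for offset in range(len(endpoints)):
        endpoint = endpoints[(first + offset) % len(endpoints)]
        for _ in range(max_attempts):
            attempts += 1
            if connect(endpoint):
                return endpoint, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed inputs reusing the endpoint names from Section 3.2.
    eps = ["corp-fw1.example.com", "corp-fw2.example.com"]
    print(reconnect(eps, "last-connected", 3,
                    connect=lambda ep: ep == "corp-fw2.example.com",
                    last_connected="corp-fw2.example.com"))
    print(next_periodic_connection("2019-06-07T00:15:00Z", 24 * 60,
                                   "2019-06-08T10:00:00Z"))
```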
837 4. The NETCONF Server Model
839 The NETCONF server model presented in this section supports both
840 listening for connections as well as initiating call-home
841 connections, using either the SSH or TLS transport protocol.
843 YANG feature statements are used to enable implementations to
844 advertise which potentially uncommon parts of the model the NETCONF
845 server supports.
847 4.1. Tree Diagram
849 The following tree diagram [RFC8340] provides an overview of the data
850 model for the "ietf-netconf-server" module.
852 This tree diagram only shows the nodes defined in this module; it
853 does not show the nodes defined by "grouping" statements used by this
854 module.
856 Please see Appendix A.2 for a tree diagram that illustrates what the
857 module looks like with all the "grouping" statements expanded.
859 module: ietf-netconf-server
860 +--rw netconf-server
861 +---u netconf-server-grouping
863 grouping netconf-server-grouping
864 +-- listen! {ssh-listen or tls-listen}?
865 | +-- idle-timeout? uint16
866 | +-- endpoint* [name]
867 | +-- name? string
868 | +-- (transport)
869 | +--:(ssh) {ssh-listen}?
870 | | +-- ssh
871 | | +-- tcp-server-parameters
872 | | | +---u tcps:tcp-server-grouping
873 | | +-- ssh-server-parameters
874 | | +---u sshs:ssh-server-grouping
875 | +--:(tls) {tls-listen}?
876 | +-- tls
877 | +-- tcp-server-parameters
878 | | +---u tcps:tcp-server-grouping
879 | +-- tls-server-parameters
880 | +---u tlss:tls-server-grouping
881 +-- call-home! {ssh-call-home or tls-call-home}?
882 +-- netconf-client* [name]
883 +-- name? string
884 +-- endpoints
885 | +-- endpoint* [name]
886 | +-- name? string
887 | +-- (transport)
888 | +--:(ssh) {ssh-call-home}?
889 | | +-- ssh
890 | | +-- tcp-client-parameters
891 | | | +---u tcpc:tcp-client-grouping
892 | | +-- ssh-server-parameters
893 | | +---u sshs:ssh-server-grouping
894 | +--:(tls) {tls-call-home}?
895 | +-- tls
896 | +-- tcp-client-parameters
897 | | +---u tcpc:tcp-client-grouping
898 | +-- tls-server-parameters
899 | +---u tlss:tls-server-grouping
900 +-- connection-type
901 | +-- (connection-type)
902 | +--:(persistent-connection)
903 | | +-- persistent!
904 | +--:(periodic-connection)
905 | +-- periodic!
906 | +-- period? uint16
907 | +-- anchor-time? yang:date-and-time
908 | +-- idle-timeout? uint16
909 +-- reconnect-strategy
910 +-- start-with? enumeration
911 +-- max-attempts? uint8
913 4.2. Example Usage
915 The following example illustrates configuring a NETCONF server to
916 listen for NETCONF client connections using both the SSH and TLS
917 transport protocols, as well as configuring call-home to two NETCONF
918 clients, one using SSH and the other using TLS.
920 This example is consistent with the examples presented in Section 2
921 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
922 [I-D.ietf-netconf-keystore].
924 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
[XML configuration example: the element markup was lost in extraction and only element values survive. The surviving values show listen endpoints named netconf/ssh and netconf/tls on 192.0.2.7 using a deployment-specific-certificate, the trust-anchor references explicitly-trusted-client-ca-certs and explicitly-trusted-client-certs, two cert-to-name entries (id 1, fingerprint 11:0A:05:11:00, x509c2n:san-any; id 2, fingerprint B3:4F:A1:8C:54, x509c2n:specified, name scooby-doo), and call-home configuration for two NETCONF clients: config-mgr (endpoints east-data-center / east.config-mgr.example.com and west-data-center / west.config-mgr.example.com, reconnect-strategy start-with last-connected, max-attempts 3) and data-collector (endpoints east-data-center / east.analytics.example.com and west-data-center / west.analytics.example.com, reconnect-strategy start-with first-listed, max-attempts 3).]
1191 4.3. YANG Module
1193 This YANG module has normative references to [RFC6242], [RFC6991],
1194 [RFC7407], [RFC7589], [RFC8071],
1195 [I-D.kwatsen-netconf-tcp-client-server],
1197 [I-D.ietf-netconf-ssh-client-server], and
1198 [I-D.ietf-netconf-tls-client-server].
1200 file "ietf-netconf-server@2019-06-07.yang"
1201 module ietf-netconf-server {
1202 yang-version 1.1;
1203 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
1204 prefix ncs;
1206 import ietf-yang-types {
1207 prefix yang;
1208 reference
1209 "RFC 6991: Common YANG Data Types";
1210 }
1212 import ietf-x509-cert-to-name {
1213 prefix x509c2n;
1214 reference
1215 "RFC 7407: A YANG Data Model for SNMP Configuration";
1216 }
1218 import ietf-tcp-client {
1219 prefix tcpc;
1220 reference
1221 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1222 }
1224 import ietf-tcp-server {
1225 prefix tcps;
1226 reference
1227 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1228 }
1230 import ietf-ssh-server {
1231 prefix sshs;
1232 revision-date 2019-06-07; // stable grouping definitions
1233 reference
1234 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
1235 }
1237 import ietf-tls-server {
1238 prefix tlss;
1239 revision-date 2019-06-07; // stable grouping definitions
1240 reference
1241 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
1242 }
1244 organization
1245 "IETF NETCONF (Network Configuration) Working Group";
1247 contact
1248 "WG Web:
1249 WG List:
1250 Author: Kent Watsen
1251 Author: Gary Wu
1252 Author: Juergen Schoenwaelder
1253 ";
1254 description
1255 "This module contains a collection of YANG definitions
1256 for configuring NETCONF servers.
1258 Copyright (c) 2019 IETF Trust and the persons identified
1259 as authors of the code. All rights reserved.
1261 Redistribution and use in source and binary forms, with
1262 or without modification, is permitted pursuant to, and
1263 subject to the license terms contained in, the Simplified
1264 BSD License set forth in Section 4.c of the IETF Trust's
1265 Legal Provisions Relating to IETF Documents
1266 (https://trustee.ietf.org/license-info).
1268 This version of this YANG module is part of RFC XXXX
1269 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1270 itself for full legal notices.
1272 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1273 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1274 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1275 are to be interpreted as described in BCP 14 (RFC 2119)
1276 (RFC 8174) when, and only when, they appear in all
1277 capitals, as shown here.";
1279 revision 2019-06-07 {
1280 description
1281 "Initial version";
1282 reference
1283 "RFC XXXX: NETCONF Client and Server Models";
1284 }
1286 // Features
1288 feature ssh-listen {
1289 description
1290 "The 'ssh-listen' feature indicates that the NETCONF server
1291 supports opening a port to accept NETCONF over SSH
1292 client connections.";
1294 reference
1295 "RFC 6242:
1296 Using the NETCONF Protocol over Secure Shell (SSH)";
1297 }
1299 feature tls-listen {
1300 description
1301 "The 'tls-listen' feature indicates that the NETCONF server
1302 supports opening a port to accept NETCONF over TLS
1303 client connections.";
1304 reference
1305 "RFC 7589: Using the NETCONF Protocol over Transport
1306 Layer Security (TLS) with Mutual X.509
1307 Authentication";
1308 }
1310 feature ssh-call-home {
1311 description
1312 "The 'ssh-call-home' feature indicates that the NETCONF
1313 server supports initiating a NETCONF over SSH call
1314 home connection to NETCONF clients.";
1315 reference
1316 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1317 }
1319 feature tls-call-home {
1320 description
1321 "The 'tls-call-home' feature indicates that the NETCONF
1322 server supports initiating a NETCONF over TLS call
1323 home connection to NETCONF clients.";
1324 reference
1325 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1326 }
1328 // Groupings
1330 grouping netconf-server-grouping {
1331 description
1332 "Top-level grouping for NETCONF server configuration.";
1333 container listen {
1334 if-feature "ssh-listen or tls-listen";
1335 presence
1336 "Enables server to listen for NETCONF client connections.";
1337 description
1338 "Configures listen behavior";
1339 leaf idle-timeout {
1340 type uint16;
1341 units "seconds";
1342 default 3600; // one hour
1343 description
1344 "Specifies the maximum number of seconds that a NETCONF
1345 session may remain idle. A NETCONF session will be
1346 dropped if it is idle for an interval longer than this
1347 number of seconds. If set to zero, then the server
1348 will never drop a session because it is idle. Sessions
1349 that have a notification subscription active are never
1350 dropped.";
1351 }
1352 list endpoint {
1353 key "name";
1354 min-elements 1;
1355 description
1356 "List of endpoints to listen for NETCONF connections.";
1357 leaf name {
1358 type string;
1359 description
1360 "An arbitrary name for the NETCONF listen endpoint.";
1361 }
1362 choice transport {
1363 mandatory true;
1364 description
1365 "Selects between available transports.";
1366 case ssh {
1367 if-feature "ssh-listen";
1368 container ssh {
1369 description
1370 "SSH-specific listening configuration for inbound
1371 connections.";
1372 container tcp-server-parameters {
1373 description
1374 "A wrapper around the TCP server parameters
1375 to avoid name collisions.";
1376 uses tcps:tcp-server-grouping {
1377 refine "local-port" {
1378 default "830";
1379 description
1380 "The NETCONF server will listen on the
1381 IANA-assigned well-known port value
1382 for 'netconf-ssh' (830) if no value
1383 is specified.";
1384 }
1385 }
1386 }
1387 container ssh-server-parameters {
1388 description
1389 "A wrapper around the SSH server parameters
1390 to avoid name collisions.";
1391 uses sshs:ssh-server-grouping;
1392 }
1393 }
1394 }
1395 case tls {
1396 if-feature "tls-listen";
1397 container tls {
1398 description
1399 "TLS-specific listening configuration for inbound
1400 connections.";
1401 container tcp-server-parameters {
1402 description
1403 "A wrapper around the TCP server parameters
1404 to avoid name collisions.";
1405 uses tcps:tcp-server-grouping {
1406 refine "local-port" {
1407 default "6513";
1408 description
1409 "The NETCONF server will listen on the
1410 IANA-assigned well-known port value
1411 for 'netconf-tls' (6513) if no value
1412 is specified.";
1413 }
1414 }
1415 }
1416 container tls-server-parameters {
1417 description
1418 "A wrapper around the TLS server parameters to
1419 avoid name collisions.";
1420 uses tlss:tls-server-grouping {
1421 refine "client-authentication" {
1422 //must 'ca-certs or client-certs';
1423 description
1424 "NETCONF/TLS servers MUST validate client
1425 certificates.";
1426 }
1427 augment "client-authentication" {
1428 description
1429 "Augments in the cert-to-name structure.";
1430 container cert-maps {
1431 uses x509c2n:cert-to-name;
1432 description
1433 "The cert-maps container is used by a TLS-
1434 based NETCONF server to map the NETCONF
1435 client's presented X.509 certificate to
1436 a NETCONF username. If no matching and
1437 valid cert-to-name list entry can be found,
1438 then the NETCONF server MUST close the
1439 connection, and MUST NOT accept NETCONF
1440 messages over it.";
1441 reference
1442 "RFC WWWW: NETCONF over TLS, Section 7";
1443 }
1444 }
1445 }
1446 }
1447 }
1448 }
1449 }
1450 }
1451 }
1452 container call-home {
1453 if-feature "ssh-call-home or tls-call-home";
1454 presence
1455 "Enables the NETCONF server to initiate the underlying
1456 transport connection to NETCONF clients.";
1457 description "Configures call home behavior.";
1458 list netconf-client {
1459 key "name";
1460 min-elements 1;
1461 description
1462 "List of NETCONF clients the NETCONF server is to
1463 initiate call-home connections to in parallel.";
1464 leaf name {
1465 type string;
1466 description
1467 "An arbitrary name for the remote NETCONF client.";
1468 }
1469 container endpoints {
1470 description
1471 "Container for the list of endpoints.";
1472 list endpoint {
1473 key "name";
1474 min-elements 1;
1475 ordered-by user;
1476 description
1477 "A non-empty user-ordered list of endpoints for this
1478 NETCONF server to try to connect to in sequence.
1479 Defining more than one enables high-availability.";
1480 leaf name {
1481 type string;
1482 description
1483 "An arbitrary name for this endpoint.";
1484 }
1485 choice transport {
1486 mandatory true;
1487 description
1488 "Selects between available transports.";
1489 case ssh {
1490 if-feature "ssh-call-home";
1491 container ssh {
1492 description
1493 "Specifies SSH-specific call-home transport
1494 configuration.";
1495 container tcp-client-parameters {
1496 description
1497 "A wrapper around the TCP client parameters
1498 to avoid name collisions.";
1499 uses tcpc:tcp-client-grouping {
1500 refine "remote-port" {
1501 default "4334";
1502 description
1503 "The NETCONF server will attempt to connect
1504 to the IANA-assigned well-known port for
1505 'netconf-ch-ssh' (4334) if no value is
1506 specified.";
1507 }
1508 }
1509 }
1510 container ssh-server-parameters {
1511 description
1512 "A wrapper around the SSH server parameters
1513 to avoid name collisions.";
1514 uses sshs:ssh-server-grouping;
1515 }
1516 }
1517 }
1518 case tls {
1519 if-feature "tls-call-home";
1520 container tls {
1521 description
1522 "Specifies TLS-specific call-home transport
1523 configuration.";
1524 container tcp-client-parameters {
1525 description
1526 "A wrapper around the TCP client parameters
1527 to avoid name collisions.";
1528 uses tcpc:tcp-client-grouping {
1529 refine "remote-port" {
1530 default "4335";
1531 description
1532 "The NETCONF server will attempt to connect
1533 to the IANA-assigned well-known port for
1534 'netconf-ch-tls' (4335) if no value is
1535 specified.";
1536 }
1537 }
1538 }
1539 container tls-server-parameters {
1540 description
1541 "A wrapper around the TLS server parameters
1542 to avoid name collisions.";
1543 uses tlss:tls-server-grouping {
1544 refine "client-authentication" {
1545 /* commented out since auth could be external
1546 must 'ca-certs or client-certs';
1547 */
1548 description
1549 "NETCONF/TLS servers MUST validate client
1550 certificates.";
1551 }
1552 augment "client-authentication" {
1553 description
1554 "Augments in the cert-to-name structure.";
1555 container cert-maps {
1556 uses x509c2n:cert-to-name;
1557 description
1558 "The cert-maps container is used by a
1559 TLS-based NETCONF server to map the
1560 NETCONF client's presented X.509
1561 certificate to a NETCONF username. If
1562 no matching and valid cert-to-name list
1563 entry can be found, then the NETCONF
1564 server MUST close the connection, and
1565 MUST NOT accept NETCONF messages over
1566 it.";
1567 reference
1568 "RFC WWWW: NETCONF over TLS, Section 7";
1569 }
1570 }
1571 }
1572 }
1573 }
1574 } // tls
1575 } // choice
1576 } // endpoint
1577 } // endpoints
1578 container connection-type {
1579 description
1580 "Indicates the NETCONF server's preference for how the
1581 NETCONF connection is maintained.";
1583 choice connection-type {
1584 mandatory true;
1585 description
1586 "Selects between available connection types.";
1587 case persistent-connection {
1588 container persistent {
1589 presence "Indicates that a persistent connection is
1590 to be maintained.";
1591 description
1592 "Maintain a persistent connection to the NETCONF
1593 client. If the connection goes down, immediately
1594 start trying to reconnect to the NETCONF client,
1595 using the reconnection strategy.
1597 This connection type minimizes any NETCONF client
1598 to NETCONF server data-transfer delay, albeit at
1599 the expense of holding resources longer.";
1600 } // container persistent
1601 } // case persistent-connection
1602 case periodic-connection {
1603 container periodic {
1604 presence "Indicates that a periodic connection is
1605 to be maintained.";
1606 description
1607 "Periodically connect to the NETCONF client.
1609 This connection type decreases resource
1610 utilization, albeit with increased delay in
1611 NETCONF client to NETCONF server interactions.
1613 The NETCONF client SHOULD gracefully close the
1614 connection using <close-session> upon completing
1615 planned activities. If the NETCONF session is
1616 not closed gracefully, the NETCONF server MUST
1617 immediately attempt to reestablish the connection.
1619 In the case that the previous connection is still
1620 active (i.e., the NETCONF client has not closed
1621 it yet), establishing a new connection is NOT
1622 RECOMMENDED.";
1623 leaf period {
1624 type uint16;
1625 units "minutes";
1626 default "60";
1627 description
1628 "Duration of time between periodic connections.";
1629 }
1630 leaf anchor-time {
1631 type yang:date-and-time {
1632 // constrained to minute-level granularity
1633 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1634 + '(Z|[\+\-]\d{2}:\d{2})';
1635 }
1636 description
1637 "Designates a timestamp before or after which a
1638 series of periodic connections are determined.
1639 The periodic connections occur at whole
1640 multiples of the period from the anchor time. For
1641 example, if the anchor time is 15 minutes past
1642 midnight and the period is 24 hours, then a
1643 periodic connection will occur 15 minutes past
1644 midnight every day.";
1645 }
1646 leaf idle-timeout {
1647 type uint16;
1648 units "seconds";
1649 default 120; // two minutes
1650 description
1651 "Specifies the maximum number of seconds that
1652 a NETCONF session may remain idle. A NETCONF
1653 session will be dropped if it is idle for an
1654 interval longer than this number of seconds.
1655 If set to zero, then the server will never
1656 drop a session because it is idle.";
1657 }
1658 } // container periodic
1659 } // case periodic-connection
1660 } // choice connection-type
1661 } // container connection-type
1662 container reconnect-strategy {
1663 description
1664 "The reconnection strategy directs how a NETCONF server
1665 reconnects to a NETCONF client, after discovering its
1666 connection to the client has dropped, even if due to a
1667 reboot. The NETCONF server starts with the specified
1668 endpoint and tries to connect to it max-attempts times
1669 before trying the next endpoint in the list (round
1670 robin).";
1671 leaf start-with {
1672 type enumeration {
1673 enum first-listed {
1674 description
1675 "Indicates that reconnections should start with
1676 the first endpoint listed.";
1677 }
1678 enum last-connected {
1679 description
1680 "Indicates that reconnections should start with
1681 the endpoint last connected to. If no previous
1682 connection has ever been established, then the
1683 first endpoint configured is used. NETCONF
1684 servers SHOULD be able to remember the last
1685 endpoint connected to across reboots.";
1686 }
1687 enum random-selection {
1688 description
1689 "Indicates that reconnections should start with
1690 a random endpoint.";
1691 }
1692 }
1693 default "first-listed";
1694 description
1695 "Specifies which of the NETCONF client's endpoints
1696 the NETCONF server should start with when trying
1697 to connect to the NETCONF client.";
1698 }
1699 leaf max-attempts {
1700 type uint8 {
1701 range "1..max";
1702 }
1703 default "3";
1704 description
1705 "Specifies the number of times the NETCONF server tries
1706 to connect to a specific endpoint before moving on
1707 to the next endpoint in the list (round robin).";
1708 }
1709 } // container reconnect-strategy
1710 } // list netconf-client
1711 } // container call-home
1712 } // grouping netconf-server-grouping
1714 // Protocol accessible node, for servers that implement this
1715 // module.
1717 container netconf-server {
1718 uses netconf-server-grouping;
1719 description
1720 "Top-level container for NETCONF server configuration.";
1721 }
1722 }
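The cert-maps rule above (map the presented client certificate to a NETCONF username; close the connection when no matching and valid entry exists) worked through in Python. This is an added example, not code from the draft or its YANG module; the CertToNameEntry and ClientCert records are hypothetical stand-ins for a cert-to-name list entry and for fields parsed from the client certificate, and the two entries from the page's example configuration are reused as test data.

```python
"""Added example: applying the cert-maps rule of ietf-netconf-server.
Simplifications, all assumptions of this example rather than statements
about RFC 7407: only the end-entity fingerprint is compared (not CA
certificates in the chain); entries are evaluated in ascending id order and
the first valid match wins; san-any prefers rfc822Name, then dNSName, then
iPAddress."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class CertToNameEntry:
    """One cert-to-name list entry (list key: id). Hypothetical record."""
    id: int
    fingerprint: str              # hex fingerprint as written in the example config
    map_type: str                 # "x509c2n:san-any" or "x509c2n:specified"
    name: Optional[str] = None    # only meaningful for map-type specified


@dataclass(frozen=True)
class ClientCert:
    """Fields this example extracts from the presented certificate
    (constructed; a real server computes the fingerprint itself)."""
    fingerprint: str
    san_rfc822: Optional[str] = None
    san_dns: Optional[str] = None
    san_ip: Optional[str] = None


def _normalize(fp: str) -> str:
    """Compare fingerprints case-insensitively and without separators."""
    return fp.replace(":", "").upper()


def map_cert_to_username(cert_maps: Iterable[CertToNameEntry],
                         cert: ClientCert) -> Optional[str]:
    """Return the NETCONF username, or None when the server must close
    the connection because no matching and valid entry was found."""
    for entry in sorted(cert_maps, key=lambda e: e.id):
        if _normalize(entry.fingerprint) != _normalize(cert.fingerprint):
            continue
        if entry.map_type == "x509c2n:specified":
            if entry.name:
                return entry.name
            continue                      # matched but not valid: no name
        if entry.map_type == "x509c2n:san-any":
            for san in (cert.san_rfc822, cert.san_dns, cert.san_ip):
                if san:
                    return san
            continue                      # matched but no usable SAN
        # Other map-types defined by RFC 7407 are not handled in this example.
    return None


def accept_or_close(cert_maps: Iterable[CertToNameEntry], cert: ClientCert) -> str:
    """Decision string a server's TLS accept path could log."""
    user = map_cert_to_username(cert_maps, cert)
    if user is None:
        return "close: no matching and valid cert-to-name entry"
    return "accept as " + user


# The two cert-to-name entries from the page's example configuration.
EXAMPLE_CERT_MAPS = (
    CertToNameEntry(1, "11:0A:05:11:00", "x509c2n:san-any"),
    CertToNameEntry(2, "B3:4F:A1:8C:54", "x509c2n:specified", "scooby-doo"),
)

if __name__ == "__main__":
    print(accept_or_close(EXAMPLE_CERT_MAPS, ClientCert("b3:4f:a1:8c:54")))
    print(accept_or_close(EXAMPLE_CERT_MAPS,
                          ClientCert("11:0A:05:11:00", san_dns="west.config-mgr.example.com")))
    print(accept_or_close(EXAMPLE_CERT_MAPS, ClientCert("00:00:00:00:00")))
```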
1723
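The call-home rules of the module (the periodic schedule derived from anchor-time and period, and the endpoint order produced by reconnect-strategy's start-with and max-attempts) simulated in Python. This is an added example, not the draft's code; NetconfClient is a hypothetical in-memory stand-in for a netconf-client list entry, and the endpoint names come from the page's example configuration.

```python
"""Added example: simulating two call-home rules of ietf-netconf-server."""
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Pattern copied from the module's anchor-time leaf (minute granularity).
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def parse_anchor_time(value: str) -> datetime:
    """Parse a value satisfying the anchor-time pattern into an aware
    datetime; seconds or fractions are rejected, as the pattern rejects them."""
    if not ANCHOR_TIME_RE.match(value):
        raise ValueError("not a minute-granularity anchor-time: " + value)
    return datetime.strptime(value.replace("Z", "+00:00"), "%Y-%m-%dT%H:%M%z")


def next_periodic_connection(anchor_time: str, period_minutes: int,
                             now: datetime) -> datetime:
    """First instant at or after `now` that is a whole number of periods
    away from the anchor; the anchor may lie in the past or the future."""
    if period_minutes < 1:
        raise ValueError("period must be a positive number of minutes")
    anchor = parse_anchor_time(anchor_time)
    period = timedelta(minutes=period_minutes)
    whole_periods = (now - anchor) // period      # floor division -> int
    candidate = anchor + whole_periods * period   # largest multiple <= now
    if candidate < now:
        candidate += period
    return candidate


@dataclass
class NetconfClient:
    """The parts of a netconf-client entry that drive reconnection (hypothetical)."""
    name: str
    endpoints: List[str]               # ordered-by user, min-elements 1
    start_with: str = "first-listed"   # first-listed | last-connected | random-selection
    max_attempts: int = 3              # uint8, range 1..max
    last_connected: Optional[str] = None


def reconnect_sequence(client: NetconfClient,
                       rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """One full round of (endpoint, attempt) pairs: the starting endpoint is
    chosen per start-with, each endpoint is tried max-attempts times, then
    the next endpoint in user order is tried (round robin)."""
    eps = client.endpoints
    if not eps:
        raise ValueError("endpoint list has min-elements 1")
    if not 1 <= client.max_attempts <= 255:
        raise ValueError("max-attempts is a uint8 with range 1..max")
    if client.start_with == "first-listed":
        start = 0
    elif client.start_with == "last-connected":
        # No previous connection (or a stale name): fall back to the first endpoint.
        start = eps.index(client.last_connected) if client.last_connected in eps else 0
    elif client.start_with == "random-selection":
        start = (rng if rng is not None else random.Random()).randrange(len(eps))
    else:
        raise ValueError("unknown start-with value: " + client.start_with)
    rotated = eps[start:] + eps[:start]
    return [(ep, n) for ep in rotated for n in range(1, client.max_attempts + 1)]


def call_home(client: NetconfClient, try_connect: Callable[[str], bool],
              rng: Optional[random.Random] = None) -> Optional[str]:
    """Run one round of the strategy with a caller-supplied connect function
    and remember the endpoint that accepted, so last-connected works next time."""
    for endpoint, _attempt in reconnect_sequence(client, rng):
        if try_connect(endpoint):
            client.last_connected = endpoint
            return endpoint
    return None


if __name__ == "__main__":
    client = NetconfClient("config-mgr", ["east-data-center", "west-data-center"],
                           start_with="last-connected")
    # Constructed outcome: only the west endpoint currently accepts connections.
    print(call_home(client, lambda ep: ep == "west-data-center"))
    print(reconnect_sequence(client))   # next round starts with west-data-center
    nxt = next_periodic_connection("2019-06-07T00:15Z", 24 * 60,
                                   parse_anchor_time("2019-06-10T12:00Z"))
    print(nxt.isoformat())
```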
1725 5. Security Considerations
1727 The YANG module defined in this document uses groupings defined in
1728 [I-D.kwatsen-netconf-tcp-client-server],
1729 [I-D.ietf-netconf-ssh-client-server], and
1730 [I-D.ietf-netconf-tls-client-server]. Please see the Security
1731 Considerations section in those documents for concerns related to those
1732 groupings.
1734 The YANG modules defined in this document are designed to be accessed
1735 via YANG based management protocols, such as NETCONF [RFC6241] and
1736 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1737 implement secure transport layers (e.g., SSH, TLS) with mutual
1738 authentication.
1740 The NETCONF access control model (NACM) [RFC8341] provides the means
1741 to restrict access for particular users to a pre-configured subset of
1742 all available protocol operations and content.
1744 There are a number of data nodes defined in the YANG modules that are
1745 writable/creatable/deletable (i.e., config true, which is the
1746 default). Some of these data nodes may be considered sensitive or
1747 vulnerable in some network environments. Write operations (e.g.,
1748 edit-config) to these data nodes without proper protection can have a
1749 negative effect on network operations. These are the subtrees and
1750 data nodes and their sensitivity/vulnerability:
1752 None of the subtrees or data nodes in the modules defined in this
1753 document need to be protected from write operations.
1755 Some of the readable data nodes in the YANG modules may be considered
1756 sensitive or vulnerable in some network environments. It is thus
1757 important to control read access (e.g., via get, get-config, or
1758 notification) to these data nodes. These are the subtrees and data
1759 nodes and their sensitivity/vulnerability:
1761 None of the subtrees or data nodes in the modules defined in this
1762 document need to be protected from read operations.
1764 Some of the RPC operations in the YANG modules may be considered
1765 sensitive or vulnerable in some network environments. It is thus
1766 important to control access to these operations. These are the
1767 operations and their sensitivity/vulnerability:
1769 The modules defined in this document do not define any 'RPC' or
1770 'action' statements.
1772 6. IANA Considerations
1774 6.1. The IETF XML Registry
1776 This document registers two URIs in the "ns" subregistry of the IETF
1777 XML Registry [RFC3688]. Following the format in [RFC3688], the
1778 following registrations are requested:
1780 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1781 Registrant Contact: The NETCONF WG of the IETF.
1782 XML: N/A, the requested URI is an XML namespace.
1784 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1785 Registrant Contact: The NETCONF WG of the IETF.
1786 XML: N/A, the requested URI is an XML namespace.
1788 6.2. The YANG Module Names Registry
1790 This document registers two YANG modules in the YANG Module Names
1791 registry [RFC6020]. Following the format in [RFC6020], the
1792 following registrations are requested:
1794 name: ietf-netconf-client
1795 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1796 prefix: ncc
1797 reference: RFC XXXX
1799 name: ietf-netconf-server
1800 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1801 prefix: ncs
1802 reference: RFC XXXX
1804 7. References
1806 7.1. Normative References
1808 [I-D.ietf-netconf-keystore]
1809 Watsen, K., "YANG Data Model for a Centralized Keystore
1810 Mechanism", draft-ietf-netconf-keystore-09 (work in
1811 progress), April 2019.
1813 [I-D.ietf-netconf-ssh-client-server]
1814 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH
1815 Clients and SSH Servers", draft-ietf-netconf-ssh-client-
1816 server-13 (work in progress), April 2019.
1818 [I-D.ietf-netconf-tls-client-server]
1819 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1820 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1821 server-12 (work in progress), April 2019.
1823 [I-D.kwatsen-netconf-tcp-client-server]
1824 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1825 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1826 server-02 (work in progress), April 2019.
1828 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1829 Requirement Levels", BCP 14, RFC 2119,
1830 DOI 10.17487/RFC2119, March 1997.
1833 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1834 the Network Configuration Protocol (NETCONF)", RFC 6020,
1835 DOI 10.17487/RFC6020, October 2010.
1838 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1839 and A. Bierman, Ed., "Network Configuration Protocol
1840 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
1843 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
1844 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.
1847 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1848 RFC 6991, DOI 10.17487/RFC6991, July 2013.
1851 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1852 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1853 December 2014.
1855 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
1856 NETCONF Protocol over Transport Layer Security (TLS) with
1857 Mutual X.509 Authentication", RFC 7589,
1858 DOI 10.17487/RFC7589, June 2015.
1861 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1862 RFC 7950, DOI 10.17487/RFC7950, August 2016.
1865 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1866 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1867 May 2017.
1869 7.2. Informative References
1871 [I-D.ietf-netconf-trust-anchors]
1872 Watsen, K., "YANG Data Model for Global Trust Anchors",
1873 draft-ietf-netconf-trust-anchors-04 (work in progress),
1874 April 2019.
1876 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1877 DOI 10.17487/RFC3688, January 2004.
1880 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1881 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
1884 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1885 RFC 8071, DOI 10.17487/RFC8071, February 2017.
1888 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1889 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.
1892 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1893 Access Control Model", STD 91, RFC 8341,
1894 DOI 10.17487/RFC8341, March 2018.
1897 Appendix A. Expanded Tree Diagrams
1899 A.1. Expanded Tree Diagram for 'ietf-netconf-client'
1901 The following tree diagram [RFC8340] provides an overview of the data
1902 model for the "ietf-netconf-client" module.
1904 This tree diagram shows all the nodes defined in this module,
1905 including those defined by "grouping" statements used by this module.
1907 Please see Section 3.1 for a tree diagram that illustrates what the
1908 module looks like without all the "grouping" statements expanded.
1910 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
1912 module: ietf-netconf-client
1913 +--rw netconf-client
1914 +--rw initiate! {ssh-initiate or tls-initiate}?
1915 | +--rw netconf-server* [name]
1916 | +--rw name string
1917 | +--rw endpoints
1918 | | +--rw endpoint* [name]
1919 | | +--rw name string
1920 | | +--rw (transport)
1921 | | +--:(ssh) {ssh-initiate}?
1922 | | | +--rw ssh
1923 | | | +--rw tcp-client-parameters
1924 | | | | +--rw remote-address inet:host
1925 | | | | +--rw remote-port? inet:port-number
1926 | | | | +--rw local-address? inet:ip-address
1927 | | | | | {local-binding-supported}?
1928 | | | | +--rw local-port? inet:port-number
1929 | | | | | {local-binding-supported}?
1930 | | | | +--rw keepalives!
1931 | | | | {keepalives-supported}?
1932 | | | | +--rw idle-time uint16
1933 | | | | +--rw max-probes uint16
1934 | | | | +--rw probe-interval uint16
1935 | | | +--rw ssh-client-parameters
1936 | | | +--rw client-identity
1937 | | | | +--rw username? string
1938 | | | | +--rw (auth-type)
1939 | | | | +--:(password)
1940 | | | | | +--rw password? string
1941 | | | | +--:(public-key)
1942 | | | | | +--rw public-key
1943 | | | | | +--rw (local-or-keystore)
1944 | | | | | +--:(local)
1945 | | | | | | {local-definiti\
1946 ons-supported}?
1947 | | | | | | +--rw local-definition
1948 | | | | | | +--rw algorithm
1949 | | | | | | | asymmetric\
1950 -key-algorithm-ref
1951 | | | | | | +--rw public-key
1952 | | | | | | | binary
1953 | | | | | | +--rw private-key
1954 | | | | | | union
1955 | | | | | +--:(keystore)
1956 | | | | | {keystore-suppo\
1957 rted}?
1958 | | | | | +--rw keystore-refere\
1959 nce?
1960 | | | | | ks:asymmetric\
1961 -key-ref
1962 | | | | +--:(certificate)
1963 | | | | +--rw certificate
1964 | | | | {sshcmn:ssh-x509-certs\
1965 }?
1966 | | | | +--rw (local-or-keystore)
1967 | | | | +--:(local)
1968 | | | | | {local-definiti\
1969 ons-supported}?
1970 | | | | | +--rw local-definition
1971 | | | | | +--rw algorithm
1972 | | | | | | asymmetric\
1973 -key-algorithm-ref
1974 | | | | | +--rw public-key
1975 | | | | | | binary
1976 | | | | | +--rw private-key
1977 | | | | | | union
1978 | | | | | +--rw cert?
1979 | | | | | | end-entity\
1980 -cert-cms
1981 | | | | | +---n certificate-\
1982 expiration
1983 | | | | | | +-- expiration-\
1984 date
1985 | | | | | | yang:da\
1986 te-and-time
1987 | | | | | +---x generate-cer\
1988 tificate-signing-request
1989 | | | | | +---w input
1990 | | | | | | +---w subject
1991 | | | | | | | bina\
1992 ry
1993 | | | | | | +---w attrib\
1994 utes?
1995 | | | | | | bina\
1996 ry
1997 | | | | | +--ro output
1998 | | | | | +--ro certif\
1999 icate-signing-request
2000 | | | | | bina\
2001 ry
2002 | | | | +--:(keystore)
2003 | | | | {keystore-suppo\
2004 rted}?
2005 | | | | +--rw keystore-refere\
2006 nce?
2007 | | | | ks:asymmetric\
2008 -key-certificate-ref
2009 | | | +--rw server-authentication
2010 | | | | +--rw ssh-host-keys?
2011 | | | | | ts:host-keys-ref
2012 | | | | | {ts:ssh-host-keys}?
2013 | | | | +--rw ca-certs?
2014 | | | | | ts:certificates-ref
2015 | | | | | {sshcmn:ssh-x509-certs,ts:x5\
2016 09-certificates}?
2017 | | | | +--rw server-certs?
2018 | | | | ts:certificates-ref
2019 | | | | {sshcmn:ssh-x509-certs,ts:x5\
2020 09-certificates}?
2021 | | | +--rw transport-params
2022 | | | | {ssh-client-transport-params-co\
2023 nfig}?
2024 | | | | +--rw host-key
2025 | | | | | +--rw host-key-alg* identityref
2026 | | | | +--rw key-exchange
2027 | | | | | +--rw key-exchange-alg*
2028 | | | | | identityref
2029 | | | | +--rw encryption
2030 | | | | | +--rw encryption-alg*
2031 | | | | | identityref
2032 | | | | +--rw mac
2033 | | | | +--rw mac-alg* identityref
2034 | | | +--rw keepalives!
2035 | | | {ssh-client-keepalives}?
2036 | | | +--rw max-wait? uint16
2037 | | | +--rw max-attempts? uint8
2038 | | +--:(tls) {tls-initiate}?
2039 | | +--rw tls
2040 | | +--rw tcp-client-parameters
2041 | | | +--rw remote-address inet:host
2042 | | | +--rw remote-port? inet:port-number
2043 | | | +--rw local-address? inet:ip-address
2044 | | | | {local-binding-supported}?
2045 | | | +--rw local-port? inet:port-number
2046 | | | | {local-binding-supported}?
2047 | | | +--rw keepalives!
2048 | | | {keepalives-supported}?
2049 | | | +--rw idle-time uint16
2050 | | | +--rw max-probes uint16
2051 | | | +--rw probe-interval uint16
2052 | | +--rw tls-client-parameters
2053 | | +--rw client-identity
2054 | | | +--rw (auth-type)
2055 | | | +--:(certificate)
2056 | | | +--rw certificate
2057 | | | +--rw (local-or-keystore)
2058 | | | +--:(local)
2059 | | | | {local-definiti\
2060 ons-supported}?
2061 | | | | +--rw local-definition
2062 | | | | +--rw algorithm
2063 | | | | | asymmetric\
2064 -key-algorithm-ref
2065 | | | | +--rw public-key
2066 | | | | | binary
2067 | | | | +--rw private-key
2068 | | | | | union
2069 | | | | +--rw cert?
2070 | | | | | end-entity\
2071 -cert-cms
2072 | | | | +---n certificate-\
2073 expiration
2074 | | | | | +-- expiration-\
2075 date
2076 | | | | | yang:da\
2077 te-and-time
2078 | | | | +---x generate-cer\
2079 tificate-signing-request
2080 | | | | +---w input
2081 | | | | | +---w subject
2082 | | | | | | bina\
2083 ry
2084 | | | | | +---w attrib\
2085 utes?
2086 | | | | | bina\
2087 ry
2088 | | | | +--ro output
2089 | | | | +--ro certif\
2090 icate-signing-request
2091 | | | | bina\
2092 ry
2093 | | | +--:(keystore)
2094 | | | {keystore-suppo\
2095 rted}?
2096 | | | +--rw keystore-refere\
2097 nce?
2098 | | | ks:asymmetric\
2099 -key-certificate-ref
2100 | | +--rw server-authentication
2101 | | | +--rw ca-certs?
2102 | | | | ts:certificates-ref
2103 | | | | {ts:x509-certificates}?
2104 | | | +--rw server-certs?
2105 | | | ts:certificates-ref
2106 | | | {ts:x509-certificates}?
2107 | | +--rw hello-params
2108 | | | {tls-client-hello-params-config\
2109 }?
2110 | | | +--rw tls-versions
2111 | | | | +--rw tls-version* identityref
2112 | | | +--rw cipher-suites
2113 | | | +--rw cipher-suite* identityref
2114 | | +--rw keepalives!
2115 | | {tls-client-keepalives}?
2116 | | +--rw max-wait? uint16
2117 | | +--rw max-attempts? uint8
2118 | +--rw connection-type
2119 | | +--rw (connection-type)
2120 | | +--:(persistent-connection)
2121 | | | +--rw persistent!
2122 | | +--:(periodic-connection)
2123 | | +--rw periodic!
2124 | | +--rw period? uint16
2125 | | +--rw anchor-time? yang:date-and-time
2126 | | +--rw idle-timeout? uint16
2127 | +--rw reconnect-strategy
2128 | +--rw start-with? enumeration
2129 | +--rw max-attempts? uint8
2130 +--rw listen! {ssh-listen or tls-listen}?
2131 +--rw idle-timeout? uint16
2132 +--rw endpoint* [name]
2133 +--rw name string
2134 +--rw (transport)
2135 +--:(ssh) {ssh-listen}?
2136 | +--rw ssh
2137 | +--rw tcp-server-parameters
2138 | | +--rw local-address
2139 | | | inet:ip-address
2140 | | +--rw local-port?
2141 | | | inet:port-number
2142 | | +--rw keepalives! {keepalives-supported}?
2143 | | | +--rw idle-time uint16
2144 | | | +--rw max-probes uint16
2145 | | | +--rw probe-interval uint16
2146 | | +--rw external-endpoint-values!
2147 | | {external-endpoints}?
2148 | | +--rw address inet:ip-address
2149 | | +--rw port? inet:port-number
2150 | +--rw ssh-client-parameters
2151 | +--rw client-identity
2152 | | +--rw username? string
2153 | | +--rw (auth-type)
2154 | | +--:(password)
2155 | | | +--rw password? string
2156 | | +--:(public-key)
2157 | | | +--rw public-key
2158 | | | +--rw (local-or-keystore)
2159 | | | +--:(local)
2160 | | | | {local-definitions-su\
2161 pported}?
2162 | | | | +--rw local-definition
2163 | | | | +--rw algorithm
2164 | | | | | asymmetric-key-a\
2165 lgorithm-ref
2166 | | | | +--rw public-key
2167 | | | | | binary
2168 | | | | +--rw private-key
2169 | | | | union
2170 | | | +--:(keystore)
2171 | | | {keystore-supported}?
2172 | | | +--rw keystore-reference?
2173 | | | ks:asymmetric-key-r\
2174 ef
2175 | | +--:(certificate)
2176 | | +--rw certificate
2177 | | {sshcmn:ssh-x509-certs}?
2178 | | +--rw (local-or-keystore)
2179 | | +--:(local)
2180 | | | {local-definitions-su\
2181 pported}?
2182 | | | +--rw local-definition
2183 | | | +--rw algorithm
2184 | | | | asymmetric-key-a\
2186 lgorithm-ref
2187 | | | +--rw public-key
2188 | | | | binary
2189 | | | +--rw private-key
2190 | | | | union
2191 | | | +--rw cert?
2192 | | | | end-entity-cert-\
2193 cms
2194 | | | +---n certificate-expira\
2195 tion
2196 | | | | +-- expiration-date
2197 | | | | yang:date-and\
2198 -time
2199 | | | +---x generate-certifica\
2200 te-signing-request
2201 | | | +---w input
2202 | | | | +---w subject
2203 | | | | | binary
2204 | | | | +---w attributes?
2205 | | | | binary
2206 | | | +--ro output
2207 | | | +--ro certificate-\
2208 signing-request
2209 | | | binary
2210 | | +--:(keystore)
2211 | | {keystore-supported}?
2212 | | +--rw keystore-reference?
2213 | | ks:asymmetric-key-c\
2214 ertificate-ref
2215 | +--rw server-authentication
2216 | | +--rw ssh-host-keys? ts:host-keys-ref
2217 | | | {ts:ssh-host-keys}?
2218 | | +--rw ca-certs? ts:certificates-ref
2219 | | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2220 tificates}?
2221 | | +--rw server-certs? ts:certificates-ref
2222 | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2223 tificates}?
2224 | +--rw transport-params
2225 | | {ssh-client-transport-params-config}?
2226 | | +--rw host-key
2227 | | | +--rw host-key-alg* identityref
2228 | | +--rw key-exchange
2229 | | | +--rw key-exchange-alg* identityref
2230 | | +--rw encryption
2231 | | | +--rw encryption-alg* identityref
2232 | | +--rw mac
2233 | | +--rw mac-alg* identityref
2234 | +--rw keepalives! {ssh-client-keepalives}?
2235 | +--rw max-wait? uint16
2236 | +--rw max-attempts? uint8
2237 +--:(tls) {tls-listen}?
2238 +--rw tls
2239 +--rw tcp-server-parameters
2240 | +--rw local-address
2241 | | inet:ip-address
2242 | +--rw local-port?
2243 | | inet:port-number
2244 | +--rw keepalives! {keepalives-supported}?
2245 | | +--rw idle-time uint16
2246 | | +--rw max-probes uint16
2247 | | +--rw probe-interval uint16
2248 | +--rw external-endpoint-values!
2249 | {external-endpoints}?
2250 | +--rw address inet:ip-address
2251 | +--rw port? inet:port-number
2252 +--rw tls-client-parameters
2253 +--rw client-identity
2254 | +--rw (auth-type)
2255 | +--:(certificate)
2256 | +--rw certificate
2257 | +--rw (local-or-keystore)
2258 | +--:(local)
2259 | | {local-definitions-su\
2260 pported}?
2261 | | +--rw local-definition
2262 | | +--rw algorithm
2263 | | | asymmetric-key-a\
2264 lgorithm-ref
2265 | | +--rw public-key
2266 | | | binary
2267 | | +--rw private-key
2268 | | | union
2269 | | +--rw cert?
2270 | | | end-entity-cert-\
2271 cms
2272 | | +---n certificate-expira\
2273 tion
2274 | | | +-- expiration-date
2275 | | | yang:date-and\
2276 -time
2277 | | +---x generate-certifica\
2278 te-signing-request
2279 | | +---w input
2280 | | | +---w subject
2281 | | | | binary
2282 | | | +---w attributes?
2283 | | | binary
2284 | | +--ro output
2285 | | +--ro certificate-\
2286 signing-request
2287 | | binary
2288 | +--:(keystore)
2289 | {keystore-supported}?
2290 | +--rw keystore-reference?
2291 | ks:asymmetric-key-c\
2292 ertificate-ref
2293 +--rw server-authentication
2294 | +--rw ca-certs? ts:certificates-ref
2295 | | {ts:x509-certificates}?
2296 | +--rw server-certs? ts:certificates-ref
2297 | {ts:x509-certificates}?
2298 +--rw hello-params
2299 | {tls-client-hello-params-config}?
2300 | +--rw tls-versions
2301 | | +--rw tls-version* identityref
2302 | +--rw cipher-suites
2303 | +--rw cipher-suite* identityref
2304 +--rw keepalives! {tls-client-keepalives}?
2305 +--rw max-wait? uint16
2306 +--rw max-attempts? uint8
2308 A.2. Expanded Tree Diagram for 'ietf-netconf-server'
2310 The following tree diagram [RFC8340] provides an overview of the data
2311 model for the "ietf-netconf-server" module.
2313 This tree diagram shows all the nodes defined in this module,
2314 including those defined by "grouping" statements used by this module.
2316 Please see Section 4.1 for a tree diagram that illustrates what the
2317 module looks like without all the "grouping" statements expanded.
2319 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
2321 module: ietf-netconf-server
2322 +--rw netconf-server
2323 +--rw listen! {ssh-listen or tls-listen}?
2324 | +--rw idle-timeout? uint16
2325 | +--rw endpoint* [name]
2326 | +--rw name string
2327 | +--rw (transport)
2328 | +--:(ssh) {ssh-listen}?
2329 | | +--rw ssh
2330 | | +--rw tcp-server-parameters
2331 | | | +--rw local-address
2332 | | | | inet:ip-address
2333 | | | +--rw local-port?
2334 | | | | inet:port-number
2335 | | | +--rw keepalives! {keepalives-supported}?
2336 | | | | +--rw idle-time uint16
2337 | | | | +--rw max-probes uint16
2338 | | | | +--rw probe-interval uint16
2339 | | | +--rw external-endpoint-values!
2340 | | | {external-endpoints}?
2341 | | | +--rw address inet:ip-address
2342 | | | +--rw port? inet:port-number
2343 | | +--rw ssh-server-parameters
2344 | | +--rw server-identity
2345 | | | +--rw host-key* [name]
2346 | | | +--rw name string
2347 | | | +--rw (host-key-type)
2348 | | | +--:(public-key)
2349 | | | | +--rw public-key
2350 | | | | +--rw (local-or-keystore)
2351 | | | | +--:(local)
2352 | | | | | {local-definitions\
2353 -supported}?
2354 | | | | | +--rw local-definition
2355 | | | | | +--rw algorithm
2356 | | | | | | asymmetric-ke\
2357 y-algorithm-ref
2358 | | | | | +--rw public-key
2359 | | | | | | binary
2360 | | | | | +--rw private-key
2361 | | | | | union
2362 | | | | +--:(keystore)
2363 | | | | {keystore-supporte\
2364 d}?
2365 | | | | +--rw keystore-reference?
2366 | | | | ks:asymmetric-ke\
2367 y-ref
2368 | | | +--:(certificate)
2369 | | | +--rw certificate
2370 | | | {sshcmn:ssh-x509-certs}?
2371 | | | +--rw (local-or-keystore)
2372 | | | +--:(local)
2373 | | | | {local-definitions\
2374 -supported}?
2375 | | | | +--rw local-definition
2376 | | | | +--rw algorithm
2377 | | | | | asymmetric-ke\
2379 y-algorithm-ref
2380 | | | | +--rw public-key
2381 | | | | | binary
2382 | | | | +--rw private-key
2383 | | | | | union
2384 | | | | +--rw cert?
2385 | | | | | end-entity-ce\
2386 rt-cms
2387 | | | | +---n certificate-exp\
2388 iration
2389 | | | | | +-- expiration-date
2390 | | | | | yang:date-\
2391 and-time
2392 | | | | +---x generate-certif\
2393 icate-signing-request
2394 | | | | +---w input
2395 | | | | | +---w subject
2396 | | | | | | binary
2397 | | | | | +---w attribute\
2398 s?
2399 | | | | | binary
2400 | | | | +--ro output
2401 | | | | +--ro certifica\
2402 te-signing-request
2403 | | | | binary
2404 | | | +--:(keystore)
2405 | | | {keystore-supporte\
2406 d}?
2407 | | | +--rw keystore-reference?
2408 | | | ks:asymmetric-ke\
2409 y-certificate-ref
2410 | | +--rw client-authentication
2411 | | | +--rw supported-authentication-methods
2412 | | | | +--rw publickey? empty
2413 | | | | +--rw passsword? empty
2414 | | | | +--rw hostbased? empty
2415 | | | | +--rw none? empty
2416 | | | | +--rw other* string
2417 | | | +--rw (local-or-external)
2418 | | | +--:(local)
2419 | | | | {local-client-auth-supported}?
2420 | | | | +--rw users
2421 | | | | +--rw user* [name]
2422 | | | | +--rw name string
2423 | | | | +--rw password?
2424 | | | | | ianach:crypt-hash
2425 | | | | +--rw authorized-key* [name]
2426 | | | | +--rw name string
2427 | | | | +--rw algorithm string
2428 | | | | +--rw key-data binary
2429 | | | +--:(external)
2430 | | | {external-client-auth-supporte\
2431 d}?
2432 | | | +--rw client-auth-defined-elsewhere?
2433 | | | empty
2434 | | +--rw transport-params
2435 | | | {ssh-server-transport-params-config}?
2436 | | | +--rw host-key
2437 | | | | +--rw host-key-alg* identityref
2438 | | | +--rw key-exchange
2439 | | | | +--rw key-exchange-alg* identityref
2440 | | | +--rw encryption
2441 | | | | +--rw encryption-alg* identityref
2442 | | | +--rw mac
2443 | | | +--rw mac-alg* identityref
2444 | | +--rw keepalives! {ssh-server-keepalives}?
2445 | | +--rw max-wait? uint16
2446 | | +--rw max-attempts? uint8
2447 | +--:(tls) {tls-listen}?
2448 | +--rw tls
2449 | +--rw tcp-server-parameters
2450 | | +--rw local-address
2451 | | | inet:ip-address
2452 | | +--rw local-port?
2453 | | | inet:port-number
2454 | | +--rw keepalives! {keepalives-supported}?
2455 | | | +--rw idle-time uint16
2456 | | | +--rw max-probes uint16
2457 | | | +--rw probe-interval uint16
2458 | | +--rw external-endpoint-values!
2459 | | {external-endpoints}?
2460 | | +--rw address inet:ip-address
2461 | | +--rw port? inet:port-number
2462 | +--rw tls-server-parameters
2463 | +--rw server-identity
2464 | | +--rw (local-or-keystore)
2465 | | +--:(local)
2466 | | | {local-definitions-supported}?
2467 | | | +--rw local-definition
2468 | | | +--rw algorithm
2469 | | | | asymmetric-key-algorithm-\
2470 ref
2471 | | | +--rw public-key
2472 | | | | binary
2473 | | | +--rw private-key
2474 | | | | union
2475 | | | +--rw cert?
2476 | | | | end-entity-cert-cms
2477 | | | +---n certificate-expiration
2478 | | | | +-- expiration-date
2479 | | | | yang:date-and-time
2480 | | | +---x generate-certificate-signin\
2481 g-request
2482 | | | +---w input
2483 | | | | +---w subject binary
2484 | | | | +---w attributes? binary
2485 | | | +--ro output
2486 | | | +--ro certificate-signing-r\
2487 equest
2488 | | | binary
2489 | | +--:(keystore) {keystore-supported}?
2490 | | +--rw keystore-reference?
2491 | | ks:asymmetric-key-certificat\
2492 e-ref
2493 | +--rw client-authentication!
2494 | | +--rw (required-or-optional)
2495 | | | +--:(required)
2496 | | | | +--rw required?
2497 | | | | empty
2498 | | | +--:(optional)
2499 | | | +--rw optional?
2500 | | | empty
2501 | | +--rw (local-or-external)
2502 | | | +--:(local)
2503 | | | | {local-client-auth-supported}?
2504 | | | | +--rw ca-certs?
2505 | | | | | ts:certificates-ref
2506 | | | | | {ts:x509-certificates}?
2507 | | | | +--rw client-certs?
2508 | | | | ts:certificates-ref
2509 | | | | {ts:x509-certificates}?
2510 | | | +--:(external)
2511 | | | {external-client-auth-supporte\
2512 d}?
2513 | | | +--rw client-auth-defined-elsewhere?
2514 | | | empty
2515 | | +--rw cert-maps
2516 | | +--rw cert-to-name* [id]
2517 | | +--rw id uint32
2518 | | +--rw fingerprint
2519 | | | x509c2n:tls-fingerprint
2520 | | +--rw map-type identityref
2521 | | +--rw name string
2522 | +--rw hello-params
2523 | | {tls-server-hello-params-config}?
2524 | | +--rw tls-versions
2525 | | | +--rw tls-version* identityref
2526 | | +--rw cipher-suites
2527 | | +--rw cipher-suite* identityref
2528 | +--rw keepalives! {tls-server-keepalives}?
2529 | +--rw max-wait? uint16
2530 | +--rw max-attempts? uint8
2531 +--rw call-home! {ssh-call-home or tls-call-home}?
2532 +--rw netconf-client* [name]
2533 +--rw name string
2534 +--rw endpoints
2535 | +--rw endpoint* [name]
2536 | +--rw name string
2537 | +--rw (transport)
2538 | +--:(ssh) {ssh-call-home}?
2539 | | +--rw ssh
2540 | | +--rw tcp-client-parameters
2541 | | | +--rw remote-address inet:host
2542 | | | +--rw remote-port? inet:port-number
2543 | | | +--rw local-address? inet:ip-address
2544 | | | | {local-binding-supported}?
2545 | | | +--rw local-port? inet:port-number
2546 | | | | {local-binding-supported}?
2547 | | | +--rw keepalives!
2548 | | | {keepalives-supported}?
2549 | | | +--rw idle-time uint16
2550 | | | +--rw max-probes uint16
2551 | | | +--rw probe-interval uint16
2552 | | +--rw ssh-server-parameters
2553 | | +--rw server-identity
2554 | | | +--rw host-key* [name]
2555 | | | +--rw name string
2556 | | | +--rw (host-key-type)
2557 | | | +--:(public-key)
2558 | | | | +--rw public-key
2559 | | | | +--rw (local-or-keystore)
2560 | | | | +--:(local)
2561 | | | | | {local-defin\
2562 itions-supported}?
2563 | | | | | +--rw local-defini\
2564 tion
2565 | | | | | +--rw algorithm
2566 | | | | | | asymmet\
2567 ric-key-algorithm-ref
2568 | | | | | +--rw public-key
2569 | | | | | | binary
2570 | | | | | +--rw private-k\
2572 ey
2573 | | | | | union
2574 | | | | +--:(keystore)
2575 | | | | {keystore-su\
2576 pported}?
2577 | | | | +--rw keystore-ref\
2578 erence?
2579 | | | | ks:asymmet\
2580 ric-key-ref
2581 | | | +--:(certificate)
2582 | | | +--rw certificate
2583 | | | {sshcmn:ssh-x509-ce\
2584 rts}?
2585 | | | +--rw (local-or-keystore)
2586 | | | +--:(local)
2587 | | | | {local-defin\
2588 itions-supported}?
2589 | | | | +--rw local-defini\
2590 tion
2591 | | | | +--rw algorithm
2592 | | | | | asymmet\
2593 ric-key-algorithm-ref
2594 | | | | +--rw public-key
2595 | | | | | binary
2596 | | | | +--rw private-k\
2597 ey
2598 | | | | | union
2599 | | | | +--rw cert?
2600 | | | | | end-ent\
2601 ity-cert-cms
2602 | | | | +---n certifica\
2603 te-expiration
2604 | | | | | +-- expirati\
2605 on-date
2606 | | | | | yang\
2607 :date-and-time
2608 | | | | +---x generate-\
2609 certificate-signing-request
2610 | | | | +---w input
2611 | | | | | +---w sub\
2612 ject
2613 | | | | | | b\
2614 inary
2615 | | | | | +---w att\
2616 ributes?
2617 | | | | | b\
2618 inary
2619 | | | | +--ro output
2620 | | | | +--ro cer\
2621 tificate-signing-request
2622 | | | | b\
2623 inary
2624 | | | +--:(keystore)
2625 | | | {keystore-su\
2626 pported}?
2627 | | | +--rw keystore-ref\
2628 erence?
2629 | | | ks:asymmet\
2630 ric-key-certificate-ref
2631 | | +--rw client-authentication
2632 | | | +--rw supported-authentication-metho\
2633 ds
2634 | | | | +--rw publickey? empty
2635 | | | | +--rw passsword? empty
2636 | | | | +--rw hostbased? empty
2637 | | | | +--rw none? empty
2638 | | | | +--rw other* string
2639 | | | +--rw (local-or-external)
2640 | | | +--:(local)
2641 | | | | {local-client-auth-suppo\
2642 rted}?
2643 | | | | +--rw users
2644 | | | | +--rw user* [name]
2645 | | | | +--rw name
2646 | | | | | string
2647 | | | | +--rw password?
2648 | | | | | ianach:crypt-hash
2649 | | | | +--rw authorized-key*
2650 | | | | [name]
2651 | | | | +--rw name
2652 | | | | | string
2653 | | | | +--rw algorithm
2654 | | | | | string
2655 | | | | +--rw key-data
2656 | | | | binary
2657 | | | +--:(external)
2658 | | | {external-client-auth-su\
2659 pported}?
2660 | | | +--rw client-auth-defined-else\
2661 where?
2662 | | | empty
2663 | | +--rw transport-params
2664 | | | {ssh-server-transport-params-co\
2665 nfig}?
2666 | | | +--rw host-key
2667 | | | | +--rw host-key-alg* identityref
2668 | | | +--rw key-exchange
2669 | | | | +--rw key-exchange-alg*
2670 | | | | identityref
2671 | | | +--rw encryption
2672 | | | | +--rw encryption-alg*
2673 | | | | identityref
2674 | | | +--rw mac
2675 | | | +--rw mac-alg* identityref
2676 | | +--rw keepalives!
2677 | | {ssh-server-keepalives}?
2678 | | +--rw max-wait? uint16
2679 | | +--rw max-attempts? uint8
2680 | +--:(tls) {tls-call-home}?
2681 | +--rw tls
2682 | +--rw tcp-client-parameters
2683 | | +--rw remote-address inet:host
2684 | | +--rw remote-port? inet:port-number
2685 | | +--rw local-address? inet:ip-address
2686 | | | {local-binding-supported}?
2687 | | +--rw local-port? inet:port-number
2688 | | | {local-binding-supported}?
2689 | | +--rw keepalives!
2690 | | {keepalives-supported}?
2691 | | +--rw idle-time uint16
2692 | | +--rw max-probes uint16
2693 | | +--rw probe-interval uint16
2694 | +--rw tls-server-parameters
2695 | +--rw server-identity
2696 | | +--rw (local-or-keystore)
2697 | | +--:(local)
2698 | | | {local-definitions-suppo\
2699 rted}?
2700 | | | +--rw local-definition
2701 | | | +--rw algorithm
2702 | | | | asymmetric-key-algo\
2703 rithm-ref
2704 | | | +--rw public-key
2705 | | | | binary
2706 | | | +--rw private-key
2707 | | | | union
2708 | | | +--rw cert?
2709 | | | | end-entity-cert-cms
2710 | | | +---n certificate-expiration
2711 | | | | +-- expiration-date
2712 | | | | yang:date-and-ti\
2713 me
2714 | | | +---x generate-certificate-\
2715 signing-request
2716 | | | +---w input
2717 | | | | +---w subject
2718 | | | | | binary
2719 | | | | +---w attributes?
2720 | | | | binary
2721 | | | +--ro output
2722 | | | +--ro certificate-sig\
2723 ning-request
2724 | | | binary
2725 | | +--:(keystore)
2726 | | {keystore-supported}?
2727 | | +--rw keystore-reference?
2728 | | ks:asymmetric-key-cert\
2729 ificate-ref
2730 | +--rw client-authentication!
2731 | | +--rw (required-or-optional)
2732 | | | +--:(required)
2733 | | | | +--rw required?
2734 | | | | empty
2735 | | | +--:(optional)
2736 | | | +--rw optional?
2737 | | | empty
2738 | | +--rw (local-or-external)
2739 | | | +--:(local)
2740 | | | | {local-client-auth-suppo\
2741 rted}?
2742 | | | | +--rw ca-certs?
2743 | | | | | ts:certificates-ref
2744 | | | | | {ts:x509-certificates}?
2745 | | | | +--rw client-certs?
2746 | | | | ts:certificates-ref
2747 | | | | {ts:x509-certificates}?
2748 | | | +--:(external)
2749 | | | {external-client-auth-su\
2750 pported}?
2751 | | | +--rw client-auth-defined-else\
2752 where?
2753 | | | empty
2754 | | +--rw cert-maps
2755 | | +--rw cert-to-name* [id]
2756 | | +--rw id uint32
2757 | | +--rw fingerprint
2758 | | | x509c2n:tls-fingerprint
2759 | | +--rw map-type
2760 | | | identityref
2761 | | +--rw name string
2762 | +--rw hello-params
2763 | | {tls-server-hello-params-config\
2765 }?
2766 | | +--rw tls-versions
2767 | | | +--rw tls-version* identityref
2768 | | +--rw cipher-suites
2769 | | +--rw cipher-suite* identityref
2770 | +--rw keepalives!
2771 | {tls-server-keepalives}?
2772 | +--rw max-wait? uint16
2773 | +--rw max-attempts? uint8
2774 +--rw connection-type
2775 | +--rw (connection-type)
2776 | +--:(persistent-connection)
2777 | | +--rw persistent!
2778 | +--:(periodic-connection)
2779 | +--rw periodic!
2780 | +--rw period? uint16
2781 | +--rw anchor-time? yang:date-and-time
2782 | +--rw idle-timeout? uint16
2783 +--rw reconnect-strategy
2784 +--rw start-with? enumeration
2785 +--rw max-attempts? uint8
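The diagrams in this appendix use the RFC 8340 notation, with long lines folded by a trailing '\' as the NOTE above states. The following Python script is an added example, not part of this draft or of any YANG tool: it parses such a diagram and reports three things a reviewer of a NETCONF server's TLS client-authentication configuration wants to know before trusting a configuration, namely which nodes are presence containers (marked '!'), which data nodes exist only when the server advertises a YANG feature (the '{...}?' conditions, inherited through the enclosing case), and which config leaves are mandatory (no '?'). The embedded SAMPLE is a constructed, re-indented copy of the client-authentication subtree shown in the 'ietf-netconf-server' diagram above; the parser, the Node class and the helper names are this example's own.

```python
"""Parse an RFC 8340 YANG tree diagram; added example, not from the draft or any YANG tool."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

# Constructed, re-indented excerpt of the Appendix A.2 diagram (a TLS listen endpoint's
# client-authentication subtree); the '\' fold follows the NOTE at the top of the appendix.
SAMPLE = """\
+--rw client-authentication!
   +--rw (local-or-external)
   |  +--:(local) {local-client-auth-supported}?
   |  |  +--rw ca-certs?        ts:certificates-ref
   |  |          {ts:x509-certificates}?
   |  +--:(external) {external-client-auth-supporte\\
d}?
   |     +--rw client-auth-defined-elsewhere?   empty
   +--rw cert-maps
      +--rw cert-to-name* [id]
         +--rw id            uint32
         +--rw fingerprint   x509c2n:tls-fingerprint
         +--rw map-type      identityref
         +--rw name          string
"""

# One node line: indentation, '+--', flags, name, option marker, remainder.
LINE_RE = re.compile(
    r"^(?P<indent>[ |]*)\+--(?P<flags>rw|ro|-n|-x|-w|-u|mp|:)?\s*"
    r"(?P<name>\(?[A-Za-z0-9_.:-]+\)?)(?P<opts>[?!*]?)\s*(?P<rest>.*)$")
KEYS_RE, FEAT_RE = re.compile(r"\[([^\]]*)\]"), re.compile(r"\{([^}]*)\}\?")


@dataclass
class Node:
    flags: str      # rw, ro, -n, -x, -w, ':' for a case, '' if none
    name: str       # choice/case names stored without parentheses
    kind: str       # root, choice, case, list, presence-container, optional, node
    typ: str = ""
    keys: List[str] = field(default_factory=list)
    features: List[str] = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False, compare=False)
    children: List["Node"] = field(default_factory=list)

    def absorb(self, rest: str) -> None:
        """Pull '[keys]', '{feature}?' and type text out of a (possibly wrapped) line."""
        self.keys.extend(k for m in KEYS_RE.finditer(rest) for k in m.group(1).split())
        self.features.extend(m.group(1).strip() for m in FEAT_RE.finditer(rest))
        self.typ = (self.typ + " " + FEAT_RE.sub("", KEYS_RE.sub("", rest))).strip()

    def path(self) -> str:
        """Data path; choices and cases are schema-only and do not appear in it."""
        if self.parent is None:
            return ""
        return self.parent.path() + ("" if self.kind in ("choice", "case") else "/" + self.name)

    def all_features(self) -> List[str]:
        """Own '{feature}?' conditions plus those inherited from enclosing nodes."""
        return (self.parent.all_features() if self.parent else []) + self.features


def unfold(text: str) -> List[str]:
    """Undo '\\' folding: a trailing '\\' joins the next line, minus its indentation."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])


def parse_tree(text: str) -> Node:
    root, stack, last = Node("", "", "root"), [], None   # stack holds (column, node)
    for line in unfold(text):
        m = LINE_RE.match(line)
        if m is None:                      # wrapped type/feature line: previous node
            if line.strip() and last is not None:
                last.absorb(line.strip(" |"))
            continue
        col = len(m.group("indent"))
        while stack and stack[-1][0] >= col:   # climb back to the parent's column
            stack.pop()
        parent = stack[-1][1] if stack else root
        flags, name, opts = m.group("flags") or "", m.group("name"), m.group("opts")
        kind = ("case" if flags == ":" else "choice" if name.startswith("(") else
                {"*": "list", "!": "presence-container", "?": "optional"}.get(opts, "node"))
        last = Node(flags, name.strip("()"), kind, parent=parent)
        last.absorb(m.group("rest"))
        parent.children.append(last)
        stack.append((col, last))
    return root


def walk(node: Node) -> Iterator[Node]:
    for child in node.children:
        yield child
        yield from walk(child)


def feature_gated(root: Node) -> Dict[str, List[str]]:
    """Data nodes that exist only when the server advertises the listed features."""
    return {n.path(): n.all_features() for n in walk(root)
            if n.all_features() and n.kind not in ("choice", "case")}


def required_config_leaves(root: Node) -> List[str]:
    """Config leaves without '?': the operator must supply them (list keys included)."""
    return [n.path() for n in walk(root) if n.flags == "rw" and n.kind == "node" and n.typ]
```

Run against SAMPLE, `parse_tree(SAMPLE).children[0].kind` is "presence-container": a TLS endpoint without the client-authentication container configures no client authentication at all, so a review should look for the container's absence rather than for a leaf value. `feature_gated` shows that ca-certs exists only on a server advertising both local-client-auth-supported and ts:x509-certificates, while client-auth-defined-elsewhere needs external-client-auth-supported; a configuration that relies on either should first be checked against the features the server actually advertises. `required_config_leaves` lists the four cert-to-name leaves (id, fingerprint, map-type, name) that every certificate-to-username mapping must carry.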
2787 Appendix B. Change Log
2789 B.1. 00 to 01
2791 o Renamed "keychain" to "keystore".
2793 B.2. 01 to 02
2795 o Added to ietf-netconf-client the ability to connect to a cluster of
2796 endpoints, including a reconnection-strategy.
2798 o Added to ietf-netconf-client the ability to configure connection-
2799 type and also keep-alive strategy.
2801 o Updated both modules to accommodate new groupings in the ssh/tls
2802 drafts.
2804 B.3. 02 to 03
2806 o Refined use of tls-client-grouping to add a must statement
2807 indicating that the TLS client must specify a client-certificate.
2809 o Changed 'netconf-client' to be a grouping (not a container).
2811 B.4. 03 to 04
2813 o Added RFC 8174 to Requirements Language Section.
2815 o Replaced refine statement in ietf-netconf-client to add a
2816 mandatory true.
2818 o Added refine statement in ietf-netconf-server to add a must
2819 statement.
2821 o Now there are containers and groupings, for both the client and
2822 server models.
2824 B.5. 04 to 05
2826 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
2828 o Updated examples to inline keys and certificates (no longer a
2829 leafref to keystore)
2831 B.6. 05 to 06
2833 o Fixed change log missing section issue.
2835 o Updated examples to match latest updates to the crypto-types,
2836 trust-anchors, and keystore drafts.
2838 o Reduced line length of the YANG modules to fit within 69 columns.
2840 B.7. 06 to 07
2842 o Removed "idle-timeout" from "persistent" connection config.
2844 o Added "random-selection" for reconnection-strategy's "starts-with"
2845 enum.
2847 o Replaced "connection-type" choice default (persistent) with
2848 "mandatory true".
2850 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
2851 minutes.
2853 o Replaced reconnect-timeout with period/anchor-time combo.
2855 B.8. 07 to 08
2857 o Modified examples to be compatible with new crypto-types algs
2859 B.9. 08 to 09
2861 o Corrected use of "mandatory true" for "address" leafs.
2863 o Updated examples to reflect update to groupings defined in the
2864 keystore draft.
2866 o Updated to use groupings defined in new TCP and HTTP drafts.
2868 o Updated copyright date, boilerplate template, affiliation, and
2869 folding algorithm.
2871 B.10. 09 to 10
2873 o Reformatted YANG modules.
2875 B.11. 10 to 11
2877 o Adjusted for the top-level "demux container" added to groupings
2878 imported from other modules.
2880 o Added "must" expressions to ensure that keepalives are not
2881 configured for "periodic" connections.
2883 o Updated the boilerplate text in module-level "description"
2884 statement to match copyeditor convention.
2886 o Moved "expanded" tree diagrams to the Appendix.
2888 B.12. 11 to 12
2890 o Removed the "Design Considerations" section.
2892 o Removed the 'must' statement limiting keepalives in periodic
2893 connections.
2895 o Updated models and examples to reflect removal of the "demux"
2896 containers in the imported models.
2898 o Updated the "periodic-connection" description statements to be
2899 more like the RESTCONF draft, especially where it described
2900 dropping the underlying TCP connection.
2902 o Updated text to better reference where certain examples come from
2903 (e.g., which Section in which draft).
2905 o In the server model, commented out the "must 'pinned-ca-certs or
2906 pinned-client-certs'" statement to reflect change made in the TLS
2907 draft whereby the trust anchors MAY be defined externally.
2909 o Replaced the 'listen', 'initiate', and 'call-home' features with
2910 boolean expressions.
2912 B.13. 12 to 13
2914 o Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
2915 anchors/truststore/g + s/pinned.//)
2917 Acknowledgements
2919 The authors would like to thank the following for lively discussions
2920 on list and in the halls (ordered by last name): Andy Bierman, Martin
2921 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
2922 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
2923 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
2924 Wijnen.
2926 Author's Address
2928 Kent Watsen
2929 Watsen Networks
2931 EMail: kent+ietf@watsen.net