idnits 2.17.1
draft-ietf-netconf-netconf-client-server-14.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 1911 has weird spacing: '...address ine...'
== Line 1921 has weird spacing: '...nterval uin...'
== Line 2099 has weird spacing: '...address ine...'
== Line 2109 has weird spacing: '...nterval uin...'
== Line 2213 has weird spacing: '...address ine...'
== (12 more instances...)
-- The document date (July 2, 2019) is 1753 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-11
== Outdated reference: A later version (-40) exists of
draft-ietf-netconf-ssh-client-server-14
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-13
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-05
Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track July 2, 2019
5 Expires: January 3, 2020
7 NETCONF Client and Server Models
8 draft-ietf-netconf-netconf-client-server-14
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 NETCONF client and the other module to configure a NETCONF server.
14 Both modules support both the SSH and TLS transport protocols, and
15 support both standard NETCONF and NETCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-ssh-client-server
35 o I-D.ietf-netconf-tls-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
46 server
48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
49 server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-07-02" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on January 3, 2020.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
96 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4
97 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
98 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
99 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 8
100 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 18
101 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 18
102 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 20
103 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 25
104 5. Security Considerations . . . . . . . . . . . . . . . . . . . 36
105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
106 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 37
107 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 38
108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 38
109 7.1. Normative References . . . . . . . . . . . . . . . . . . 38
110 7.2. Informative References . . . . . . . . . . . . . . . . . 39
111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 41
112 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 41
113 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 52
114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 66
115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 66
116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 66
117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 66
118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 66
119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 66
120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 67
121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 67
122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 67
123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 67
124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 67
125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 68
126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 68
127 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 68
128 B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 68
129 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 69
130 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 69
132 1. Introduction
134 This document defines two YANG [RFC7950] modules, one module to
135 configure a NETCONF [RFC6241] client and the other module to
136 configure a NETCONF server. Both modules support both NETCONF over
137 SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
138 connections [RFC8071].
140 2. Terminology
142 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
143 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
144 "OPTIONAL" in this document are to be interpreted as described in BCP
145 14 [RFC2119] [RFC8174] when, and only when, they appear in all
146 capitals, as shown here.
148 3. The NETCONF Client Model
150 The NETCONF client model presented in this section supports both
151 clients initiating connections to servers, as well as clients
152 listening for connections from servers calling home, using either the
153 SSH or TLS transport protocol.
155 YANG feature statements are used to enable implementations to
156 advertise which potentially uncommon parts of the model the NETCONF
157 client supports.
159 3.1. Tree Diagram
161 The following tree diagram [RFC8340] provides an overview of the data
162 model for the "ietf-netconf-client" module.
164 This tree diagram only shows the nodes defined in this module; it
165 does not show the nodes defined by "grouping" statements used by this
166 module.
168 Please see Appendix A.1 for a tree diagram that illustrates what the
169 module looks like with all the "grouping" statements expanded.
171 module: ietf-netconf-client
172 +--rw netconf-client
173 +---u netconf-client-grouping
175 grouping netconf-client-grouping
176 +-- initiate! {ssh-initiate or tls-initiate}?
177 | +-- netconf-server* [name]
178 | +-- name? string
179 | +-- endpoints
180 | | +-- endpoint* [name]
181 | | +-- name? string
182 | | +-- (transport)
183 | | +--:(ssh) {ssh-initiate}?
184 | | | +-- ssh
185 | | | +-- tcp-client-parameters
186 | | | | +---u tcpc:tcp-client-grouping
187 | | | +-- ssh-client-parameters
188 | | | +---u sshc:ssh-client-grouping
189 | | +--:(tls) {tls-initiate}?
190 | | +-- tls
191 | | +-- tcp-client-parameters
192 | | | +---u tcpc:tcp-client-grouping
193 | | +-- tls-client-parameters
194 | | +---u tlsc:tls-client-grouping
195 | +-- connection-type
196 | | +-- (connection-type)
197 | | +--:(persistent-connection)
198 | | | +-- persistent!
199 | | +--:(periodic-connection)
200 | | +-- periodic!
201 | | +-- period? uint16
202 | | +-- anchor-time? yang:date-and-time
203 | | +-- idle-timeout? uint16
204 | +-- reconnect-strategy
205 | +-- start-with? enumeration
206 | +-- max-attempts? uint8
207 +-- listen! {ssh-listen or tls-listen}?
208 +-- idle-timeout? uint16
209 +-- endpoint* [name]
210 +-- name? string
211 +-- (transport)
212 +--:(ssh) {ssh-listen}?
213 | +-- ssh
214 | +-- tcp-server-parameters
215 | | +---u tcps:tcp-server-grouping
216 | +-- ssh-client-parameters
217 | +---u sshc:ssh-client-grouping
218 +--:(tls) {tls-listen}?
219 +-- tls
220 +-- tcp-server-parameters
221 | +---u tcps:tcp-server-grouping
222 +-- tls-client-parameters
223 +---u tlsc:tls-client-grouping
225 3.2. Example Usage
227 The following example illustrates configuring a NETCONF client to
228 initiate connections, using both the SSH and TLS transport protocols,
229 as well as listening for call-home connections, again using both the
230 SSH and TLS transport protocols.
232 This example is consistent with the examples presented in Section 2
233 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
234 [I-D.ietf-netconf-keystore].
236 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
[XML instance example for the NETCONF client configuration omitted: only bare leaf values survived extraction]
358 3.3. YANG Module
360 This YANG module has normative references to [RFC6242], [RFC6991],
361 [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
362 [I-D.ietf-netconf-ssh-client-server], and
363 [I-D.ietf-netconf-tls-client-server].
365 file "ietf-netconf-client@2019-07-02.yang"
366 module ietf-netconf-client {
367 yang-version 1.1;
368 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
369 prefix ncc;
371 import ietf-yang-types {
372 prefix yang;
373 reference
374 "RFC 6991: Common YANG Data Types";
375 }
377 import ietf-tcp-client {
378 prefix tcpc;
379 reference
380 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
381 }
382 import ietf-tcp-server {
383 prefix tcps;
384 reference
385 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
386 }
388 import ietf-ssh-client {
389 prefix sshc;
390 revision-date 2019-07-02; // stable grouping definitions
391 reference
392 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
393 }
395 import ietf-tls-client {
396 prefix tlsc;
397 revision-date 2019-07-02; // stable grouping definitions
398 reference
399 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
400 }
402 organization
403 "IETF NETCONF (Network Configuration) Working Group";
405 contact
406 "WG Web:
407 WG List:
408 Author: Kent Watsen
409 Author: Gary Wu ";
411 description
412 "This module contains a collection of YANG definitions
413 for configuring NETCONF clients.
415 Copyright (c) 2019 IETF Trust and the persons identified
416 as authors of the code. All rights reserved.
418 Redistribution and use in source and binary forms, with
419 or without modification, is permitted pursuant to, and
420 subject to the license terms contained in, the Simplified
421 BSD License set forth in Section 4.c of the IETF Trust's
422 Legal Provisions Relating to IETF Documents
423 (https://trustee.ietf.org/license-info).
425 This version of this YANG module is part of RFC XXXX
426 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
427 itself for full legal notices.
428 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
429 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
430 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
431 are to be interpreted as described in BCP 14 (RFC 2119)
432 (RFC 8174) when, and only when, they appear in all
433 capitals, as shown here.";
435 revision 2019-07-02 {
436 description
437 "Initial version";
438 reference
439 "RFC XXXX: NETCONF Client and Server Models";
440 }
442 // Features
444 feature ssh-initiate {
445 description
446 "The 'ssh-initiate' feature indicates that the NETCONF client
447 supports initiating SSH connections to NETCONF servers.";
448 reference
449 "RFC 6242:
450 Using the NETCONF Protocol over Secure Shell (SSH)";
451 }
453 feature tls-initiate {
454 description
455 "The 'tls-initiate' feature indicates that the NETCONF client
456 supports initiating TLS connections to NETCONF servers.";
457 reference
458 "RFC 7589: Using the NETCONF Protocol over Transport
459 Layer Security (TLS) with Mutual X.509 Authentication";
460 }
462 feature ssh-listen {
463 description
464 "The 'ssh-listen' feature indicates that the NETCONF client
465 supports opening a port to listen for incoming NETCONF
466 server call-home SSH connections.";
467 reference
468 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
469 }
471 feature tls-listen {
472 description
473 "The 'tls-listen' feature indicates that the NETCONF client
474 supports opening a port to listen for incoming NETCONF
475 server call-home TLS connections.";
477 reference
478 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
479 }
481 // Groupings
483 grouping netconf-client-grouping {
484 description
485 "Top-level grouping for NETCONF client configuration.";
486 container initiate {
487 if-feature "ssh-initiate or tls-initiate";
488 presence "Enables client to initiate TCP connections";
489 description
490 "Configures client initiating underlying TCP connections.";
491 list netconf-server {
492 key "name";
493 min-elements 1;
494 description
495 "List of NETCONF servers the NETCONF client is to
496 initiate connections to in parallel.";
497 leaf name {
498 type string;
499 description
500 "An arbitrary name for the NETCONF server.";
501 }
502 container endpoints {
503 description
504 "Container for the list of endpoints.";
505 list endpoint {
506 key "name";
507 min-elements 1;
508 ordered-by user;
509 description
510 "A user-ordered list of endpoints that the NETCONF
511 client will attempt to connect to in the specified
512 sequence. Defining more than one enables
513 high-availability.";
514 leaf name {
515 type string;
516 description
517 "An arbitrary name for the endpoint.";
518 }
519 choice transport {
520 mandatory true;
521 description
522 "Selects between available transports.";
523 case ssh {
524 if-feature "ssh-initiate";
525 container ssh {
526 description
527 "Specifies IP and SSH specific configuration
528 for the connection.";
529 container tcp-client-parameters {
530 description
531 "A wrapper around the TCP client parameters
532 to avoid name collisions.";
533 uses tcpc:tcp-client-grouping {
534 refine "remote-port" {
535 default "830";
536 description
537 "The NETCONF client will attempt to connect
538 to the IANA-assigned well-known port value
539 for 'netconf-ssh' (830) if no value is
540 specified.";
541 }
542 }
543 }
544 container ssh-client-parameters {
545 description
546 "A wrapper around the SSH client parameters to
547 avoid name collisions.";
548 uses sshc:ssh-client-grouping;
549 }
550 }
551 }
552 case tls {
553 if-feature "tls-initiate";
554 container tls {
555 description
556 "Specifies IP and TLS specific configuration
557 for the connection.";
558 container tcp-client-parameters {
559 description
560 "A wrapper around the TCP client parameters
561 to avoid name collisions.";
562 uses tcpc:tcp-client-grouping {
563 refine "remote-port" {
564 default "6513";
565 description
566 "The NETCONF client will attempt to connect
567 to the IANA-assigned well-known port value
568 for 'netconf-tls' (6513) if no value is
569 specified.";
570 }
571 }
572 }
573 container tls-client-parameters {
574 must "client-identity" {
575 description
576 "NETCONF/TLS clients MUST pass some
577 authentication credentials.";
578 }
579 description
580 "A wrapper around the TLS client parameters
581 to avoid name collisions.";
582 uses tlsc:tls-client-grouping;
583 }
584 }
585 }
586 } // choice transport
587 } // list endpoint
588 } // container endpoints
590 container connection-type {
591 description
592 "Indicates the NETCONF client's preference for how the
593 NETCONF connection is maintained.";
594 choice connection-type {
595 mandatory true;
596 description
597 "Selects between available connection types.";
598 case persistent-connection {
599 container persistent {
600 presence "Indicates that a persistent connection is
601 to be maintained.";
602 description
603 "Maintain a persistent connection to the NETCONF
604 server. If the connection goes down, immediately
605 start trying to reconnect to the NETCONF server,
606 using the reconnection strategy.
608 This connection type minimizes any NETCONF server
609 to NETCONF client data-transfer delay, albeit at
610 the expense of holding resources longer.";
611 }
612 }
613 case periodic-connection {
614 container periodic {
615 presence "Indicates that a periodic connection is
616 to be maintained.";
617 description
618 "Periodically connect to the NETCONF server.
620 This connection type decreases resource
621 utilization, albeit with increased delay in
622 NETCONF server to NETCONF client interactions.
624 The NETCONF client should close the underlying
625 TCP connection upon completing planned activities.
627 In the case that the previous connection is still
628 active, establishing a new connection is NOT
629 RECOMMENDED.";
630 leaf period {
631 type uint16;
632 units "minutes";
633 default "60";
634 description
635 "Duration of time between periodic connections.";
636 }
637 leaf anchor-time {
638 type yang:date-and-time {
639 // constrained to minute-level granularity
640 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
641 + '(Z|[\+\-]\d{2}:\d{2})';
642 }
643 description
644 "Designates a timestamp before or after which a
645 series of periodic connections are determined.
646 The periodic connections occur at whole-multiple
647 intervals of the period from the anchor time. For
648 example, if the anchor time is 15 minutes past
649 midnight and the period interval is 24 hours, then
650 a periodic connection will occur 15 minutes past
651 midnight every day.";
652 }
653 leaf idle-timeout {
654 type uint16;
655 units "seconds";
656 default 120; // two minutes
657 description
658 "Specifies the maximum number of seconds that
659 a NETCONF session may remain idle. A NETCONF
660 session will be dropped if it is idle for an
661 interval longer than this number of seconds.
662 If set to zero, then the NETCONF client will
663 never drop a session because it is idle.";
664 }
665 }
666 }
667 }
668 }
669 container reconnect-strategy {
670 description
671 "The reconnection strategy directs how a NETCONF client
672 reconnects to a NETCONF server, after discovering its
673 connection to the server has dropped, even if due to a
674 reboot. The NETCONF client starts with the specified
675 endpoint and tries to connect to it max-attempts times
676 before trying the next endpoint in the list (round
677 robin).";
678 leaf start-with {
679 type enumeration {
680 enum first-listed {
681 description
682 "Indicates that reconnections should start with
683 the first endpoint listed.";
684 }
685 enum last-connected {
686 description
687 "Indicates that reconnections should start with
688 the endpoint last connected to. If no previous
689 connection has ever been established, then the
690 first endpoint configured is used. NETCONF
691 clients SHOULD be able to remember the last
692 endpoint connected to across reboots.";
693 }
694 enum random-selection {
695 description
696 "Indicates that reconnections should start with
697 a random endpoint.";
698 }
699 }
700 default "first-listed";
701 description
702 "Specifies which of the NETCONF server's endpoints
703 the NETCONF client should start with when trying
704 to connect to the NETCONF server.";
705 }
706 leaf max-attempts {
707 type uint8 {
708 range "1..max";
709 }
710 default "3";
711 description
712 "Specifies the number of times the NETCONF client tries
713 to connect to a specific endpoint before moving on
714 to the next endpoint in the list (round robin).";
715 }
716 }
718 } // netconf-server
719 } // initiate
721 container listen {
722 if-feature "ssh-listen or tls-listen";
723 presence "Enables client to accept call-home connections";
724 description
725 "Configures client accepting call-home TCP connections.";
726 leaf idle-timeout {
727 type uint16;
728 units "seconds";
729 default "3600"; // one hour
730 description
731 "Specifies the maximum number of seconds that a NETCONF
732 session may remain idle. A NETCONF session will be
733 dropped if it is idle for an interval longer than this
734 number of seconds. If set to zero, then the client
735 will never drop a session because it is idle. Sessions
736 that have a notification subscription active are never
737 dropped.";
738 }
739 list endpoint {
740 key "name";
741 min-elements 1;
742 description
743 "List of endpoints to listen for NETCONF connections.";
744 leaf name {
745 type string;
746 description
747 "An arbitrary name for the NETCONF listen endpoint.";
748 }
749 choice transport {
750 mandatory true;
751 description
752 "Selects between available transports.";
753 case ssh {
754 if-feature "ssh-listen";
755 container ssh {
756 description
757 "SSH-specific listening configuration for inbound
758 connections.";
759 container tcp-server-parameters {
760 description
761 "A wrapper around the TCP server parameters
762 to avoid name collisions.";
763 uses tcps:tcp-server-grouping {
764 refine "local-port" {
765 default "4334";
766 description
767 "The NETCONF client will listen on the IANA-
768 assigned well-known port for 'netconf-ch-ssh'
769 (4334) if no value is specified.";
770 }
771 }
772 }
773 container ssh-client-parameters {
774 description
775 "A wrapper around the SSH client parameters
776 to avoid name collisions.";
777 uses sshc:ssh-client-grouping;
778 }
779 }
780 }
781 case tls {
782 if-feature "tls-listen";
783 container tls {
784 description
785 "TLS-specific listening configuration for inbound
786 connections.";
787 container tcp-server-parameters {
788 description
789 "A wrapper around the TCP server parameters
790 to avoid name collisions.";
791 uses tcps:tcp-server-grouping {
792 refine "local-port" {
793 default "4335";
794 description
795 "The NETCONF client will listen on the IANA-
796 assigned well-known port for 'netconf-ch-tls'
797 (4335) if no value is specified.";
798 }
799 }
800 }
801 container tls-client-parameters {
802 must "client-identity" {
803 description
804 "NETCONF/TLS clients MUST pass some
805 authentication credentials.";
806 }
807 description
808 "A wrapper around the TLS client parameters
809 to avoid name collisions.";
810 uses tlsc:tls-client-grouping;
811 }
812 }
813 }
815 } // transport
816 } // endpoint
817 } // listen
818 } // netconf-client
820 // Protocol accessible node, for servers that implement this
821 // module.
823 container netconf-client {
824 uses netconf-client-grouping;
825 description
826 "Top-level container for NETCONF client configuration.";
827 }
828 }
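The scheduling rules stated by the 'period', 'anchor-time' and 'idle-timeout' leaves of the periodic connection type, worked as an added Python example (this is not code from the draft or from any NETCONF implementation; the anchor, period and timestamp values are constructed):

```python
"""Scheduling semantics of the 'periodic' connection type in
ietf-netconf-client: 'period' (uint16 minutes), 'anchor-time'
(minute-granularity date-and-time) and 'idle-timeout' (uint16 seconds).

Added example, not code from the draft or from any NETCONF implementation.
"""
import math
import re
from datetime import datetime, timedelta

# Same pattern the YANG module imposes on anchor-time (minute granularity).
ANCHOR_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$")
UINT16_MAX = 65535


def parse_time(value: str, anchor: bool = False) -> datetime:
    """Parse a date-and-time string; enforce the anchor-time pattern if asked."""
    if anchor and not ANCHOR_PATTERN.match(value):
        raise ValueError(f"anchor-time {value!r} violates the pattern constraint")
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{value!r} has no timezone designator")
    return dt


def format_time(dt: datetime) -> str:
    """Render at minute granularity, using 'Z' for UTC like the draft's example."""
    text = dt.isoformat(timespec="minutes")
    return text[:-6] + "Z" if text.endswith("+00:00") else text


def validate_period(period_minutes: int) -> timedelta:
    """'period' is a uint16 in minutes (default 60); zero could never fire."""
    if not 0 < period_minutes <= UINT16_MAX:
        raise ValueError(f"period {period_minutes!r} is not a usable uint16 minute count")
    return timedelta(minutes=period_minutes)


def next_connection(anchor_time: str, period_minutes: int, now: str) -> str:
    """First scheduled connection time at or after 'now'.

    Connections fall on anchor + k*period for any integer k, so the anchor
    may lie in the past or the future relative to 'now'.
    """
    anchor = parse_time(anchor_time, anchor=True)
    period = validate_period(period_minutes)
    k = math.ceil((parse_time(now) - anchor) / period)  # timedelta/timedelta -> float
    return format_time(anchor + k * period)


def connections_between(anchor_time: str, period_minutes: int,
                        start: str, end: str) -> list:
    """All scheduled connection times in the half-open window [start, end)."""
    period = validate_period(period_minutes)
    t = parse_time(next_connection(anchor_time, period_minutes, start))
    end_dt = parse_time(end)
    times = []
    while t < end_dt:
        times.append(format_time(t))
        t += period
    return times


def idle_deadline(last_activity: str, idle_timeout_seconds: int):
    """When an idle session is dropped; None when idle-timeout is 0 (never)."""
    if not 0 <= idle_timeout_seconds <= UINT16_MAX:
        raise ValueError("idle-timeout must be a uint16 number of seconds")
    if idle_timeout_seconds == 0:
        return None
    return format_time(parse_time(last_activity) + timedelta(seconds=idle_timeout_seconds))


if __name__ == "__main__":
    # Constructed sample matching the anchor-time description: 15 minutes past
    # midnight UTC with a 24-hour period.
    print(next_connection("2019-07-02T00:15Z", 24 * 60, "2019-07-05T13:00Z"))
    print(connections_between("2019-07-02T00:15Z", 24 * 60,
                              "2019-07-01T00:00Z", "2019-07-04T00:00Z"))
```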
829
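The reconnect-strategy semantics of the client module (start-with, max-attempts per endpoint, then round robin over the user-ordered endpoint list) implemented as an added Python example; this is not the draft's code, and try_connect is a constructed stand-in for a real transport connect:

```python
"""Endpoint selection under the 'reconnect-strategy' container of
ietf-netconf-client: 'start-with' (first-listed, last-connected or
random-selection) and 'max-attempts' tries per endpoint, then round
robin through the user-ordered endpoint list.

Added example, not code from the draft; try_connect is a stand-in for a
real transport connect.
"""
import random
from typing import Callable, Iterator, List, Optional, Tuple

START_WITH_VALUES = ("first-listed", "last-connected", "random-selection")
UINT8_MAX = 255


def starting_index(endpoints: List[str], start_with: str,
                   last_connected: Optional[str] = None,
                   rng: Optional[random.Random] = None) -> int:
    """Index of the endpoint a reconnection begins with."""
    if not endpoints:
        raise ValueError("endpoint list needs at least one entry (min-elements 1)")
    if start_with == "first-listed":
        return 0
    if start_with == "last-connected":
        # No prior connection, or the remembered endpoint was removed from
        # the configuration: fall back to the first configured endpoint.
        return endpoints.index(last_connected) if last_connected in endpoints else 0
    if start_with == "random-selection":
        return (rng or random.SystemRandom()).randrange(len(endpoints))
    raise ValueError(f"start-with must be one of {START_WITH_VALUES}, got {start_with!r}")


def attempt_order(endpoints: List[str], start_with: str, max_attempts: int = 3,
                  last_connected: Optional[str] = None,
                  rng: Optional[random.Random] = None) -> Iterator[Tuple[str, int]]:
    """Yield (endpoint, attempt-number) for one full round-robin pass.

    Each endpoint is tried max-attempts times before moving to the next one.
    """
    if not 1 <= max_attempts <= UINT8_MAX:  # uint8 with range "1..max"
        raise ValueError(f"max-attempts {max_attempts!r} outside 1..{UINT8_MAX}")
    first = starting_index(endpoints, start_with, last_connected, rng)
    for offset in range(len(endpoints)):
        name = endpoints[(first + offset) % len(endpoints)]
        for attempt in range(1, max_attempts + 1):
            yield name, attempt


def reconnect(endpoints: List[str], try_connect: Callable[[str], bool],
              start_with: str = "first-listed", max_attempts: int = 3,
              last_connected: Optional[str] = None, max_passes: int = 1,
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], int]:
    """Drive try_connect() through the strategy.

    Returns (endpoint, total attempts) on the first success, or
    (None, total attempts) once max_passes full passes have failed.
    """
    total = 0
    for _ in range(max_passes):
        for name, _attempt in attempt_order(endpoints, start_with, max_attempts,
                                            last_connected, rng):
            total += 1
            if try_connect(name):
                return name, total
    return None, total


if __name__ == "__main__":
    # Constructed sample: two endpoints, the second was connected most recently
    # and is now unreachable; the first answers on its second try.
    endpoints = ["corp-fw1.example.com", "corp-fw2.example.com"]
    seen: List[str] = []

    def demo_connect(name: str) -> bool:
        seen.append(name)
        return name == "corp-fw1.example.com" and seen.count(name) == 2

    print(reconnect(endpoints, demo_connect, "last-connected", 3,
                    last_connected="corp-fw2.example.com"))
```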
831 4. The NETCONF Server Model
833 The NETCONF server model presented in this section supports both
834 listening for connections as well as initiating call-home
835 connections, using either the SSH or TLS transport protocol.
837 YANG feature statements are used to enable implementations to
838 advertise which potentially uncommon parts of the model the NETCONF
839 server supports.
841 4.1. Tree Diagram
843 The following tree diagram [RFC8340] provides an overview of the data
844 model for the "ietf-netconf-server" module.
846 This tree diagram only shows the nodes defined in this module; it
847 does not show the nodes defined by "grouping" statements used by this
848 module.
850 Please see Appendix A.2 for a tree diagram that illustrates what the
851 module looks like with all the "grouping" statements expanded.
853 module: ietf-netconf-server
854 +--rw netconf-server
855 +---u netconf-server-grouping
857 grouping netconf-server-grouping
858 +-- listen! {ssh-listen or tls-listen}?
859 | +-- idle-timeout? uint16
860 | +-- endpoint* [name]
861 | +-- name? string
862 | +-- (transport)
863 | +--:(ssh) {ssh-listen}?
864 | | +-- ssh
865 | | +-- tcp-server-parameters
866 | | | +---u tcps:tcp-server-grouping
867 | | +-- ssh-server-parameters
868 | | +---u sshs:ssh-server-grouping
869 | +--:(tls) {tls-listen}?
870 | +-- tls
871 | +-- tcp-server-parameters
872 | | +---u tcps:tcp-server-grouping
873 | +-- tls-server-parameters
874 | +---u tlss:tls-server-grouping
875 +-- call-home! {ssh-call-home or tls-call-home}?
876 +-- netconf-client* [name]
877 +-- name? string
878 +-- endpoints
879 | +-- endpoint* [name]
880 | +-- name? string
881 | +-- (transport)
882 | +--:(ssh) {ssh-call-home}?
883 | | +-- ssh
884 | | +-- tcp-client-parameters
885 | | | +---u tcpc:tcp-client-grouping
886 | | +-- ssh-server-parameters
887 | | +---u sshs:ssh-server-grouping
888 | +--:(tls) {tls-call-home}?
889 | +-- tls
890 | +-- tcp-client-parameters
891 | | +---u tcpc:tcp-client-grouping
892 | +-- tls-server-parameters
893 | +---u tlss:tls-server-grouping
894 +-- connection-type
895 | +-- (connection-type)
896 | +--:(persistent-connection)
897 | | +-- persistent!
898 | +--:(periodic-connection)
899 | +-- periodic!
900 | +-- period? uint16
901 | +-- anchor-time? yang:date-and-time
902 | +-- idle-timeout? uint16
903 +-- reconnect-strategy
904 +-- start-with? enumeration
905 +-- max-attempts? uint8
907 4.2. Example Usage
909 The following example illustrates configuring a NETCONF server to
910 listen for NETCONF client connections using both the SSH and TLS
911 transport protocols, as well as configuring call-home to two NETCONF
912 clients, one using SSH and the other using TLS.
914 This example is consistent with the examples presented in Section 2
915 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
916 [I-D.ietf-netconf-keystore].
918 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
[XML instance example for the NETCONF server configuration omitted: only bare leaf values survived extraction]
1180 4.3. YANG Module
1182 This YANG module has normative references to [RFC6242], [RFC6991],
1183 [RFC7407], [RFC7589], [RFC8071],
1184 [I-D.kwatsen-netconf-tcp-client-server],
1185 [I-D.ietf-netconf-ssh-client-server], and
1186 [I-D.ietf-netconf-tls-client-server].
1188 file "ietf-netconf-server@2019-07-02.yang"
1189 module ietf-netconf-server {
1190 yang-version 1.1;
1191 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
1192 prefix ncs;
1194 import ietf-yang-types {
1195 prefix yang;
1196 reference
1197 "RFC 6991: Common YANG Data Types";
1198 }
1200 import ietf-x509-cert-to-name {
1201 prefix x509c2n;
1202 reference
1203 "RFC 7407: A YANG Data Model for SNMP Configuration";
1204 }
1206 import ietf-tcp-client {
1207 prefix tcpc;
1208 reference
1209 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1210 }
1212 import ietf-tcp-server {
1213 prefix tcps;
1214 reference
1215 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1216 }
1218 import ietf-ssh-server {
1219 prefix sshs;
1220 revision-date 2019-07-02; // stable grouping definitions
1221 reference
1222 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
1223 }
1225 import ietf-tls-server {
1226 prefix tlss;
1227 revision-date 2019-07-02; // stable grouping definitions
1228 reference
1229 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
1230 }
1232 organization
1233 "IETF NETCONF (Network Configuration) Working Group";
1235 contact
1236 "WG Web:
1237 WG List:
1238 Author: Kent Watsen
1239 Author: Gary Wu
1240 Author: Juergen Schoenwaelder
1241 ";
1242 description
1243 "This module contains a collection of YANG definitions
1244 for configuring NETCONF servers.
1246 Copyright (c) 2019 IETF Trust and the persons identified
1247 as authors of the code. All rights reserved.
1249 Redistribution and use in source and binary forms, with
1250 or without modification, is permitted pursuant to, and
1251 subject to the license terms contained in, the Simplified
1252 BSD License set forth in Section 4.c of the IETF Trust's
1253 Legal Provisions Relating to IETF Documents
1254 (https://trustee.ietf.org/license-info).
1256 This version of this YANG module is part of RFC XXXX
1257 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1258 itself for full legal notices.
1260 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1261 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1262 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1263 are to be interpreted as described in BCP 14 (RFC 2119)
1264 (RFC 8174) when, and only when, they appear in all
1265 capitals, as shown here.";
1267 revision 2019-07-02 {
1268 description
1269 "Initial version";
1270 reference
1271 "RFC XXXX: NETCONF Client and Server Models";
1272 }
1274 // Features
1276 feature ssh-listen {
1277 description
1278 "The 'ssh-listen' feature indicates that the NETCONF server
1279 supports opening a port to accept NETCONF over SSH
1280 client connections.";
1281 reference
1282 "RFC 6242:
1283 Using the NETCONF Protocol over Secure Shell (SSH)";
1284 }
1286 feature tls-listen {
1287 description
1288 "The 'tls-listen' feature indicates that the NETCONF server
1289 supports opening a port to accept NETCONF over TLS
1290 client connections.";
1291 reference
1292 "RFC 7589: Using the NETCONF Protocol over Transport
1293 Layer Security (TLS) with Mutual X.509
1294 Authentication";
1295 }
1297 feature ssh-call-home {
1298 description
1299 "The 'ssh-call-home' feature indicates that the NETCONF
1300 server supports initiating a NETCONF over SSH call
1301 home connection to NETCONF clients.";
1302 reference
1303 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1304 }
1306 feature tls-call-home {
1307 description
1308 "The 'tls-call-home' feature indicates that the NETCONF
1309 server supports initiating a NETCONF over TLS call
1310 home connection to NETCONF clients.";
1311 reference
1312 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1313 }
1315 // Groupings
1317 grouping netconf-server-grouping {
1318 description
1319 "Top-level grouping for NETCONF server configuration.";
1320 container listen {
1321 if-feature "ssh-listen or tls-listen";
1322 presence
1323 "Enables server to listen for NETCONF client connections.";
1324 description
1325 "Configures listen behavior";
1326 leaf idle-timeout {
1327 type uint16;
1328 units "seconds";
1329 default 3600; // one hour
1330 description
1331 "Specifies the maximum number of seconds that a NETCONF
1332 session may remain idle. A NETCONF session will be
1333 dropped if it is idle for an interval longer than this
1334 number of seconds. If set to zero, then the server
1335 will never drop a session because it is idle. Sessions
1336 that have a notification subscription active are never
1337 dropped.";
1338 }
1339 list endpoint {
1340 key "name";
1341 min-elements 1;
1342 description
1343 "List of endpoints to listen for NETCONF connections.";
1344 leaf name {
1345 type string;
1346 description
1347 "An arbitrary name for the NETCONF listen endpoint.";
1348 }
1349 choice transport {
1350 mandatory true;
1351 description
1352 "Selects between available transports.";
1353 case ssh {
1354 if-feature "ssh-listen";
1355 container ssh {
1356 description
1357 "SSH-specific listening configuration for inbound
1358 connections.";
1359 container tcp-server-parameters {
1360 description
1361 "A wrapper around the TCP server parameters
1362 to avoid name collisions.";
1363 uses tcps:tcp-server-grouping {
1364 refine "local-port" {
1365 default "830";
1366 description
1367 "The NETCONF server will listen on the
1368 IANA-assigned well-known port value
1369 for 'netconf-ssh' (830) if no value
1370 is specified.";
1371 }
1372 }
1373 }
1374 container ssh-server-parameters {
1375 description
1376 "A wrapper around the SSH server parameters
1377 to avoid name collisions.";
1378 uses sshs:ssh-server-grouping;
1379 }
1380 }
1381 }
1382 case tls {
1383 if-feature "tls-listen";
1384 container tls {
1385 description
1386 "TLS-specific listening configuration for inbound
1387 connections.";
1389 container tcp-server-parameters {
1390 description
1391 "A wrapper around the TCP server parameters
1392 to avoid name collisions.";
1393 uses tcps:tcp-server-grouping {
1394 refine "local-port" {
1395 default "6513";
1396 description
1397 "The NETCONF server will listen on the
1398 IANA-assigned well-known port value
1399 for 'netconf-tls' (6513) if no value
1400 is specified.";
1401 }
1402 }
1403 }
1404 container tls-server-parameters {
1405 description
1406 "A wrapper around the TLS server parameters to
1407 avoid name collisions.";
1408 uses tlss:tls-server-grouping {
1409 refine "client-authentication" {
1410 //must 'ca-certs or client-certs';
1411 description
1412 "NETCONF/TLS servers MUST validate client
1413 certificates.";
1414 }
1415 augment "client-authentication" {
1416 description
1417 "Augments in the cert-to-name structure.";
1418 container cert-maps {
1419 uses x509c2n:cert-to-name;
1420 description
1421 "The cert-maps container is used by a TLS-
1422 based NETCONF server to map the NETCONF
1423 client's presented X.509 certificate to
1424 a NETCONF username. If no matching and
1425 valid cert-to-name list entry can be found,
1426 then the NETCONF server MUST close the
1427 connection, and MUST NOT accept NETCONF
1428 messages over it.";
1429 reference
1430 "RFC WWWW: NETCONF over TLS, Section 7";
1431 }
1432 }
1433 }
1434 }
1435 }
1436 }
1438 }
1439 }
1440 }
1441 container call-home {
1442 if-feature "ssh-call-home or tls-call-home";
1443 presence
1444 "Enables the NETCONF server to initiate the underlying
1445 transport connection to NETCONF clients.";
1446 description "Configures call home behavior.";
1447 list netconf-client {
1448 key "name";
1449 min-elements 1;
1450 description
1451 "List of NETCONF clients the NETCONF server is to
1452 initiate call-home connections to in parallel.";
1453 leaf name {
1454 type string;
1455 description
1456 "An arbitrary name for the remote NETCONF client.";
1457 }
1458 container endpoints {
1459 description
1460 "Container for the list of endpoints.";
1461 list endpoint {
1462 key "name";
1463 min-elements 1;
1464 ordered-by user;
1465 description
1466 "A non-empty user-ordered list of endpoints for this
1467 NETCONF server to try to connect to in sequence.
1468 Defining more than one enables high-availability.";
1469 leaf name {
1470 type string;
1471 description
1472 "An arbitrary name for this endpoint.";
1473 }
1474 choice transport {
1475 mandatory true;
1476 description
1477 "Selects between available transports.";
1478 case ssh {
1479 if-feature "ssh-call-home";
1480 container ssh {
1481 description
1482 "Specifies SSH-specific call-home transport
1483 configuration.";
1484 container tcp-client-parameters {
1485 description
1486 "A wrapper around the TCP client parameters
1487 to avoid name collisions.";
1488 uses tcpc:tcp-client-grouping {
1489 refine "remote-port" {
1490 default "4334";
1491 description
1492 "The NETCONF server will attempt to connect
1493 to the IANA-assigned well-known port for
1494 'netconf-ch-ssh' (4334) if no value is
1495 specified.";
1496 }
1497 }
1498 }
1499 container ssh-server-parameters {
1500 description
1501 "A wrapper around the SSH server parameters
1502 to avoid name collisions.";
1503 uses sshs:ssh-server-grouping;
1504 }
1505 }
1506 }
1507 case tls {
1508 if-feature "tls-call-home";
1509 container tls {
1510 description
1511 "Specifies TLS-specific call-home transport
1512 configuration.";
1513 container tcp-client-parameters {
1514 description
1515 "A wrapper around the TCP client parameters
1516 to avoid name collisions.";
1517 uses tcpc:tcp-client-grouping {
1518 refine "remote-port" {
1519 default "4335";
1520 description
1521 "The NETCONF server will attempt to connect
1522 to the IANA-assigned well-known port for
1523 'netconf-ch-tls' (4335) if no value is
1524 specified.";
1525 }
1526 }
1527 }
1528 container tls-server-parameters {
1529 description
1530 "A wrapper around the TLS server parameters
1531 to avoid name collisions.";
1532 uses tlss:tls-server-grouping {
1533 refine "client-authentication" {
1534 /* commented out since auth could be external
1535 must 'ca-certs or client-certs';
1536 */
1537 description
1538 "NETCONF/TLS servers MUST validate client
1539 certificates.";
1540 }
1541 augment "client-authentication" {
1542 description
1543 "Augments in the cert-to-name structure.";
1544 container cert-maps {
1545 uses x509c2n:cert-to-name;
1546 description
1547 "The cert-maps container is used by a
1548 TLS-based NETCONF server to map the
1549 NETCONF client's presented X.509
1550 certificate to a NETCONF username. If
1551 no matching and valid cert-to-name list
1552 entry can be found, then the NETCONF
1553 server MUST close the connection, and
1554 MUST NOT accept NETCONF messages over
1555 it.";
1556 reference
1557 "RFC WWWW: NETCONF over TLS, Section 7";
1558 }
1559 }
1560 }
1561 }
1562 }
1563 } // tls
1564 } // choice
1565 } // endpoint
1566 } // endpoints
1567 container connection-type {
1568 description
1569 "Indicates the NETCONF server's preference for how the
1570 NETCONF connection is maintained.";
1571 choice connection-type {
1572 mandatory true;
1573 description
1574 "Selects between available connection types.";
1575 case persistent-connection {
1576 container persistent {
1577 presence "Indicates that a persistent connection is
1578 to be maintained.";
1579 description
1580 "Maintain a persistent connection to the NETCONF
1581 client. If the connection goes down, immediately
1582 start trying to reconnect to the NETCONF client,
1583 using the reconnection strategy.
1585 This connection type minimizes any NETCONF client
1586 to NETCONF server data-transfer delay, albeit at
1587 the expense of holding resources longer.";
1588 } // container persistent
1589 } // case persistent-connection
1590 case periodic-connection {
1591 container periodic {
1592 presence "Indicates that a periodic connection is
1593 to be maintained.";
1594 description
1595 "Periodically connect to the NETCONF client.
1597 This connection type decreases resource
1598 utilization, albeit with increased delay in
1599 NETCONF client to NETCONF server interactions.
1601 The NETCONF client SHOULD gracefully close the
1602 connection upon completing
1603 planned activities. If the NETCONF session is
1604 not closed gracefully, the NETCONF server MUST
1605 immediately attempt to reestablish the connection.
1607 In the case that the previous connection is still
1608 active (i.e., the NETCONF client has not closed
1609 it yet), establishing a new connection is NOT
1610 RECOMMENDED.";
1611 leaf period {
1612 type uint16;
1613 units "minutes";
1614 default "60";
1615 description
1616 "Duration of time between periodic connections.";
1617 }
1618 leaf anchor-time {
1619 type yang:date-and-time {
1620 // constrained to minute-level granularity
1621 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1622 + '(Z|[\+\-]\d{2}:\d{2})';
1623 }
1624 description
1625 "Designates a timestamp before or after which a
1626 series of periodic connections are determined.
1627 The periodic connections occur at a whole
1628 multiple interval from the anchor time. For
1629 example, if the anchor time is 15 minutes past
1630 midnight and the period is 24 hours, then a
1631 periodic connection will occur 15 minutes past
1632 midnight every day.";
1633 }
1634 leaf idle-timeout {
1635 type uint16;
1636 units "seconds";
1637 default 120; // two minutes
1638 description
1639 "Specifies the maximum number of seconds that
1640 a NETCONF session may remain idle. A NETCONF
1641 session will be dropped if it is idle for an
1642 interval longer than this number of seconds.
1643 If set to zero, then the server will never
1644 drop a session because it is idle.";
1645 }
1646 } // container periodic
1647 } // case periodic-connection
1648 } // choice connection-type
1649 } // container connection-type
1650 container reconnect-strategy {
1651 description
1652 "The reconnection strategy directs how a NETCONF server
1653 reconnects to a NETCONF client, after discovering its
1654 connection to the client has dropped, even if due to a
1655 reboot. The NETCONF server starts with the specified
1656 endpoint and tries to connect to it max-attempts times
1657 before trying the next endpoint in the list (round
1658 robin).";
1659 leaf start-with {
1660 type enumeration {
1661 enum first-listed {
1662 description
1663 "Indicates that reconnections should start with
1664 the first endpoint listed.";
1665 }
1666 enum last-connected {
1667 description
1668 "Indicates that reconnections should start with
1669 the endpoint last connected to. If no previous
1670 connection has ever been established, then the
1671 first endpoint configured is used. NETCONF
1672 servers SHOULD be able to remember the last
1673 endpoint connected to across reboots.";
1674 }
1675 enum random-selection {
1676 description
1677 "Indicates that reconnections should start with
1678 a random endpoint.";
1679 }
1680 }
1681 default "first-listed";
1682 description
1683 "Specifies which of the NETCONF client's endpoints
1684 the NETCONF server should start with when trying
1685 to connect to the NETCONF client.";
1686 }
1687 leaf max-attempts {
1688 type uint8 {
1689 range "1..max";
1690 }
1691 default "3";
1692 description
1693 "Specifies the number of times the NETCONF server tries
1694 to connect to a specific endpoint before moving on
1695 to the next endpoint in the list (round robin).";
1696 }
1697 } // container reconnect-strategy
1698 } // list netconf-client
1699 } // container call-home
1700 } // grouping netconf-server-grouping
1702 // Protocol accessible node, for servers that implement this
1703 // module.
1705 container netconf-server {
1706 uses netconf-server-grouping;
1707 description
1708 "Top-level container for NETCONF server configuration.";
1709 }
1710 }
1711
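A worked model of the call-home semantics the module's descriptions define (the 'periodic' connection type with its anchor-time rule, the 'reconnect-strategy' round robin, and the 'idle-timeout' rule), as an added example that is not part of the draft or any NETCONF WG code; endpoint names and timestamps are constructed.

```python
import random
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# 'anchor-time' is constrained by the module to minute granularity.
ANCHOR_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$")


def parse_anchor_time(text: str) -> datetime:
    """Parse an anchor-time leaf value into a timezone-aware datetime."""
    if not ANCHOR_RE.match(text):
        raise ValueError(f"anchor-time {text!r} violates the module's pattern")
    return datetime.strptime(text.replace("Z", "+00:00"), "%Y-%m-%dT%H:%M%z")


def next_periodic_connection(anchor: datetime, period_minutes: int,
                             now: datetime) -> datetime:
    """First instant strictly after 'now' that lies a whole multiple of the
    period away from the anchor; the anchor may be in the past or future."""
    if period_minutes <= 0:
        raise ValueError("period must be positive")
    period = timedelta(minutes=period_minutes)
    k = (now - anchor) // period + 1      # floor division on timedeltas
    return anchor + k * period


def next_periodic_connection_iso(anchor_text: str, period_minutes: int,
                                 now_text: str) -> str:
    """Same as above on leaf-style strings; result normalised to UTC."""
    nxt = next_periodic_connection(parse_anchor_time(anchor_text),
                                   period_minutes, parse_anchor_time(now_text))
    return nxt.astimezone(timezone.utc).isoformat()


def reconnect_plan(endpoints: List[str], start_with: str = "first-listed",
                   max_attempts: int = 3, last_connected: Optional[str] = None,
                   seed: Optional[int] = None) -> List[str]:
    """Endpoint attempt sequence for one full round of the reconnect strategy:
    the chosen starting endpoint max-attempts times, then the next endpoint
    in the user-ordered list, and so on (round robin)."""
    if not endpoints:
        raise ValueError("endpoint list must be non-empty (min-elements 1)")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # With no remembered endpoint, the first configured one is used.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        rng = random.Random(seed) if seed is not None else random
        start = rng.randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value {start_with!r}")
    order = endpoints[start:] + endpoints[:start]
    return [name for name in order for _ in range(max_attempts)]


def reconnect(plan: List[str],
              try_connect: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Walk the plan until an attempt succeeds. Returns (endpoint, attempts
    used), or (None, len(plan)) when every endpoint failed max-attempts times."""
    for attempt, name in enumerate(plan, start=1):
        if try_connect(name):
            return name, attempt
    return None, len(plan)


def idle_session_expired(idle_seconds: int, idle_timeout: int,
                         subscription_active: bool = False) -> bool:
    """'idle-timeout' rule: zero means never drop, and a listen-side session
    with an active notification subscription is never dropped."""
    if idle_timeout == 0 or subscription_active:
        return False
    return idle_seconds > idle_timeout
```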
1713 5. Security Considerations
1715 The YANG module defined in this document uses groupings defined in
1716 [I-D.kwatsen-netconf-tcp-client-server],
1717 [I-D.ietf-netconf-ssh-client-server], and
1718 [I-D.ietf-netconf-tls-client-server]. Please see the Security
1719 Considerations section in those documents for concerns related to those
1720 groupings.
1722 The YANG modules defined in this document are designed to be accessed
1723 via YANG based management protocols, such as NETCONF [RFC6241] and
1724 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1725 implement secure transport layers (e.g., SSH, TLS) with mutual
1726 authentication.
1728 The NETCONF access control model (NACM) [RFC8341] provides the means
1729 to restrict access for particular users to a pre-configured subset of
1730 all available protocol operations and content.
1732 There are a number of data nodes defined in the YANG modules that are
1733 writable/creatable/deletable (i.e., config true, which is the
1734 default). Some of these data nodes may be considered sensitive or
1735 vulnerable in some network environments. Write operations (e.g.,
1736 edit-config) to these data nodes without proper protection can have a
1737 negative effect on network operations. These are the subtrees and
1738 data nodes and their sensitivity/vulnerability:
1740 None of the subtrees or data nodes in the modules defined in this
1741 document need to be protected from write operations.
1743 Some of the readable data nodes in the YANG modules may be considered
1744 sensitive or vulnerable in some network environments. It is thus
1745 important to control read access (e.g., via get, get-config, or
1746 notification) to these data nodes. These are the subtrees and data
1747 nodes and their sensitivity/vulnerability:
1749 None of the subtrees or data nodes in the modules defined in this
1750 document need to be protected from read operations.
1752 Some of the RPC operations in the YANG modules may be considered
1753 sensitive or vulnerable in some network environments. It is thus
1754 important to control access to these operations. These are the
1755 operations and their sensitivity/vulnerability:
1757 The modules defined in this document do not define any 'RPC' or
1758 'action' statements.
1760 6. IANA Considerations
1762 6.1. The IETF XML Registry
1764 This document registers two URIs in the "ns" subregistry of the IETF
1765 XML Registry [RFC3688]. Following the format in [RFC3688], the
1766 following registrations are requested:
1768 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1769 Registrant Contact: The NETCONF WG of the IETF.
1770 XML: N/A, the requested URI is an XML namespace.
1772 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1773 Registrant Contact: The NETCONF WG of the IETF.
1774 XML: N/A, the requested URI is an XML namespace.
1776 6.2. The YANG Module Names Registry
1778 This document registers two YANG modules in the YANG Module Names
1779 registry [RFC6020]. Following the format in [RFC6020], the
1780 following registrations are requested:
1782 name: ietf-netconf-client
1783 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1784 prefix: ncc
1785 reference: RFC XXXX
1787 name: ietf-netconf-server
1788 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1789 prefix: ncs
1790 reference: RFC XXXX
1792 7. References
1794 7.1. Normative References
1796 [I-D.ietf-netconf-keystore]
1797 Watsen, K., "A YANG Data Model for a Keystore", draft-
1798 ietf-netconf-keystore-11 (work in progress), June 2019.
1800 [I-D.ietf-netconf-ssh-client-server]
1801 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH
1802 Clients and SSH Servers", draft-ietf-netconf-ssh-client-
1803 server-14 (work in progress), June 2019.
1805 [I-D.ietf-netconf-tls-client-server]
1806 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1807 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1808 server-13 (work in progress), June 2019.
1810 [I-D.kwatsen-netconf-tcp-client-server]
1811 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1812 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1813 server-02 (work in progress), April 2019.
1815 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1816 Requirement Levels", BCP 14, RFC 2119,
1817 DOI 10.17487/RFC2119, March 1997,
1818 .
1820 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1821 the Network Configuration Protocol (NETCONF)", RFC 6020,
1822 DOI 10.17487/RFC6020, October 2010,
1823 .
1825 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1826 and A. Bierman, Ed., "Network Configuration Protocol
1827 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
1828 .
1830 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
1831 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
1832 .
1834 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1835 RFC 6991, DOI 10.17487/RFC6991, July 2013,
1836 .
1838 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1839 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1840 December 2014, .
1842 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
1843 NETCONF Protocol over Transport Layer Security (TLS) with
1844 Mutual X.509 Authentication", RFC 7589,
1845 DOI 10.17487/RFC7589, June 2015,
1846 .
1848 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1849 RFC 7950, DOI 10.17487/RFC7950, August 2016,
1850 .
1852 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1853 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1854 May 2017, .
1856 7.2. Informative References
1858 [I-D.ietf-netconf-trust-anchors]
1859 Watsen, K., "A YANG Data Model for a Truststore", draft-
1860 ietf-netconf-trust-anchors-05 (work in progress), June
1861 2019.
1863 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1864 DOI 10.17487/RFC3688, January 2004,
1865 .
1867 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1868 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
1869 .
1871 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1872 RFC 8071, DOI 10.17487/RFC8071, February 2017,
1873 .
1875 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1876 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
1877 .
1879 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1880 Access Control Model", STD 91, RFC 8341,
1881 DOI 10.17487/RFC8341, March 2018,
1882 .
1884 Appendix A. Expanded Tree Diagrams
1886 A.1. Expanded Tree Diagram for 'ietf-netconf-client'
1888 The following tree diagram [RFC8340] provides an overview of the data
1889 model for the "ietf-netconf-client" module.
1891 This tree diagram shows all the nodes defined in this module,
1892 including those defined by "grouping" statements used by this module.
1894 Please see Section 3.1 for a tree diagram that illustrates what the
1895 module looks like without all the "grouping" statements expanded.
1897 ========== NOTE: '\\' line wrapping per BCP XX (RFC XXXX) ===========
1899 module: ietf-netconf-client
1900 +--rw netconf-client
1901 +--rw initiate! {ssh-initiate or tls-initiate}?
1902 | +--rw netconf-server* [name]
1903 | +--rw name string
1904 | +--rw endpoints
1905 | | +--rw endpoint* [name]
1906 | | +--rw name string
1907 | | +--rw (transport)
1908 | | +--:(ssh) {ssh-initiate}?
1909 | | | +--rw ssh
1910 | | | +--rw tcp-client-parameters
1911 | | | | +--rw remote-address inet:host
1912 | | | | +--rw remote-port? inet:port-number
1913 | | | | +--rw local-address? inet:ip-address
1914 | | | | | {local-binding-supported}?
1915 | | | | +--rw local-port? inet:port-number
1916 | | | | | {local-binding-supported}?
1917 | | | | +--rw keepalives!
1918 | | | | {keepalives-supported}?
1919 | | | | +--rw idle-time uint16
1920 | | | | +--rw max-probes uint16
1921 | | | | +--rw probe-interval uint16
1922 | | | +--rw ssh-client-parameters
1923 | | | +--rw client-identity
1924 | | | | +--rw username? string
1925 | | | | +--rw (auth-type)
1926 | | | | +--:(password)
1927 | | | | | +--rw password? string
1928 | | | | +--:(public-key)
1929 | | | | | +--rw public-key
1930 | | | | | +--rw (local-or-keystore)
1931 | | | | | +--:(local)
1932 | | | | | | {local-definiti\
1933 \ons-supported}?
1934 | | | | | | +--rw local-definition
1935 | | | | | | +--rw algorithm
1936 | | | | | | | asymmetric\
1937 \-key-algorithm-t
1938 | | | | | | +--rw public-key
1939 | | | | | | | binary
1940 | | | | | | +--rw (private-key\
1941 \-type)
1942 | | | | | | +--:(private-ke\
1943 \y)
1944 | | | | | | | +--rw privat\
1945 \e-key?
1946 | | | | | | | bina\
1947 \ry
1948 | | | | | | +--:(hidden-pri\
1949 \vate-key)
1950 | | | | | | | +--rw hidden\
1951 \-private-key?
1952 | | | | | | | empty
1953 | | | | | | +--:(encrypted-\
1954 \private-key)
1955 | | | | | | +--rw encryp\
1956 \ted-private-key
1957 | | | | | | +--rw (ke\
1958 \y-type)
1959 | | | | | | | +--:(s\
1960 \ymmetric-key-ref)
1961 | | | | | | | | +--\
1962 \rw symmetric-key-ref? leafref
1963 | | | | | | | | \
1964 \ {keystore-supported}?
1965 | | | | | | | +--:(a\
1966 \symmetric-key-ref)
1967 | | | | | | | +--\
1968 \rw asymmetric-key-ref? leafref
1969 | | | | | | | \
1970 \ {keystore-supported}?
1971 | | | | | | +--rw val\
1972 \ue?
1973 | | | | | | b\
1974 \inary
1975 | | | | | +--:(keystore)
1976 | | | | | {keystore-suppo\
1977 \rted}?
1978 | | | | | +--rw keystore-refere\
1979 \nce?
1980 | | | | | ks:asymmetric\
1981 \-key-ref
1982 | | | | +--:(certificate)
1983 | | | | +--rw certificate
1984 | | | | {sshcmn:ssh-x509-certs\
1985 \}?
1986 | | | | +--rw (local-or-keystore)
1987 | | | | +--:(local)
1988 | | | | | {local-definiti\
1989 \ons-supported}?
1990 | | | | | +--rw local-definition
1991 | | | | | +--rw algorithm
1992 | | | | | | asymmetric\
1993 \-key-algorithm-t
1994 | | | | | +--rw public-key
1995 | | | | | | binary
1996 | | | | | +--rw (private-key\
1997 \-type)
1998 | | | | | | +--:(private-ke\
1999 \y)
2000 | | | | | | | +--rw privat\
2001 \e-key?
2002 | | | | | | | bina\
2003 \ry
2004 | | | | | | +--:(hidden-pri\
2005 \vate-key)
2006 | | | | | | | +--rw hidden\
2007 \-private-key?
2008 | | | | | | | empty
2009 | | | | | | +--:(encrypted-\
2010 \private-key)
2011 | | | | | | +--rw encryp\
2012 \ted-private-key
2013 | | | | | | +--rw (ke\
2014 \y-type)
2015 | | | | | | | +--:(s\
2016 \ymmetric-key-ref)
2017 | | | | | | | | +--\
2018 \rw symmetric-key-ref? leafref
2019 | | | | | | | | \
2020 \ {keystore-supported}?
2021 | | | | | | | +--:(a\
2022 \symmetric-key-ref)
2023 | | | | | | | +--\
2024 \rw asymmetric-key-ref? leafref
2025 | | | | | | | \
2026 \ {keystore-supported}?
2027 | | | | | | +--rw val\
2029 \ue?
2030 | | | | | | b\
2031 \inary
2032 | | | | | +--rw cert?
2033 | | | | | | end-entity\
2034 \-cert-cms
2035 | | | | | +---n certificate-\
2036 \expiration
2037 | | | | | | +-- expiration-\
2038 \date
2039 | | | | | | yang:da\
2040 \te-and-time
2041 | | | | | +---x generate-cer\
2042 \tificate-signing-request
2043 | | | | | +---w input
2044 | | | | | | +---w subject
2045 | | | | | | | bina\
2046 \ry
2047 | | | | | | +---w attrib\
2048 \utes?
2049 | | | | | | bina\
2050 \ry
2051 | | | | | +--ro output
2052 | | | | | +--ro certif\
2053 \icate-signing-request
2054 | | | | | bina\
2055 \ry
2056 | | | | +--:(keystore)
2057 | | | | {keystore-suppo\
2058 \rted}?
2059 | | | | +--rw keystore-refere\
2060 \nce
2061 | | | | +--rw asymmetric-k\
2062 \ey?
2063 | | | | | ks:asymmet\
2064 \ric-key-ref
2065 | | | | +--rw certificate?\
2066 \ leafref
2067 | | | +--rw server-authentication
2068 | | | | +--rw ssh-host-keys?
2069 | | | | | ts:host-keys-ref
2070 | | | | | {ts:ssh-host-keys}?
2071 | | | | +--rw ca-certs?
2072 | | | | | ts:certificates-ref
2073 | | | | | {sshcmn:ssh-x509-certs,ts:x5\
2074 \09-certificates}?
2075 | | | | +--rw server-certs?
2076 | | | | ts:certificates-ref
2077 | | | | {sshcmn:ssh-x509-certs,ts:x5\
2078 \09-certificates}?
2079 | | | +--rw transport-params
2080 | | | | {ssh-client-transport-params-co\
2081 \nfig}?
2082 | | | | +--rw host-key
2083 | | | | | +--rw host-key-alg* identityref
2084 | | | | +--rw key-exchange
2085 | | | | | +--rw key-exchange-alg*
2086 | | | | | identityref
2087 | | | | +--rw encryption
2088 | | | | | +--rw encryption-alg*
2089 | | | | | identityref
2090 | | | | +--rw mac
2091 | | | | +--rw mac-alg* identityref
2092 | | | +--rw keepalives!
2093 | | | {ssh-client-keepalives}?
2094 | | | +--rw max-wait? uint16
2095 | | | +--rw max-attempts? uint8
2096 | | +--:(tls) {tls-initiate}?
2097 | | +--rw tls
2098 | | +--rw tcp-client-parameters
2099 | | | +--rw remote-address inet:host
2100 | | | +--rw remote-port? inet:port-number
2101 | | | +--rw local-address? inet:ip-address
2102 | | | | {local-binding-supported}?
2103 | | | +--rw local-port? inet:port-number
2104 | | | | {local-binding-supported}?
2105 | | | +--rw keepalives!
2106 | | | {keepalives-supported}?
2107 | | | +--rw idle-time uint16
2108 | | | +--rw max-probes uint16
2109 | | | +--rw probe-interval uint16
2110 | | +--rw tls-client-parameters
2111 | | +--rw client-identity
2112 | | | +--rw (local-or-keystore)
2113 | | | +--:(local)
2114 | | | | {local-definitions-suppo\
2115 \rted}?
2116 | | | | +--rw local-definition
2117 | | | | +--rw algorithm
2118 | | | | | asymmetric-key-algo\
2119 \rithm-t
2120 | | | | +--rw public-key
2121 | | | | | binary
2122 | | | | +--rw (private-key-type)
2123 | | | | | +--:(private-key)
2124 | | | | | | +--rw private-key?
2125 | | | | | | binary
2126 | | | | | +--:(hidden-private-key)
2127 | | | | | | +--rw hidden-private-\
2128 \key?
2129 | | | | | | empty
2130 | | | | | +--:(encrypted-private-k\
2131 \ey)
2132 | | | | | +--rw encrypted-priva\
2133 \te-key
2134 | | | | | +--rw (key-type)
2135 | | | | | | +--:(symmetric-\
2136 \key-ref)
2137 | | | | | | | +--rw symmet\
2138 \ric-key-ref? leafref
2139 | | | | | | | {key\
2140 \store-supported}?
2141 | | | | | | +--:(asymmetric\
2142 \-key-ref)
2143 | | | | | | +--rw asymme\
2144 \tric-key-ref? leafref
2145 | | | | | | {key\
2146 \store-supported}?
2147 | | | | | +--rw value?
2148 | | | | | binary
2149 | | | | +--rw cert?
2150 | | | | | end-entity-cert-cms
2151 | | | | +---n certificate-expiration
2152 | | | | | +-- expiration-date
2153 | | | | | yang:date-and-ti\
2154 \me
2155 | | | | +---x generate-certificate-\
2156 \signing-request
2157 | | | | +---w input
2158 | | | | | +---w subject
2159 | | | | | | binary
2160 | | | | | +---w attributes?
2161 | | | | | binary
2162 | | | | +--ro output
2163 | | | | +--ro certificate-sig\
2164 \ning-request
2165 | | | | binary
2166 | | | +--:(keystore)
2167 | | | {keystore-supported}?
2168 | | | +--rw keystore-reference
2169 | | | +--rw asymmetric-key?
2170 | | | | ks:asymmetric-key-r\
2171 \ef
2172 | | | +--rw certificate? lea\
2174 \fref
2175 | | +--rw server-authentication
2176 | | | +--rw ca-certs?
2177 | | | | ts:certificates-ref
2178 | | | | {ts:x509-certificates}?
2179 | | | +--rw server-certs?
2180 | | | ts:certificates-ref
2181 | | | {ts:x509-certificates}?
2182 | | +--rw hello-params
2183 | | | {tls-client-hello-params-config\
2184 \}?
2185 | | | +--rw tls-versions
2186 | | | | +--rw tls-version* identityref
2187 | | | +--rw cipher-suites
2188 | | | +--rw cipher-suite* identityref
2189 | | +--rw keepalives!
2190 | | {tls-client-keepalives}?
2191 | | +--rw max-wait? uint16
2192 | | +--rw max-attempts? uint8
2193 | +--rw connection-type
2194 | | +--rw (connection-type)
2195 | | +--:(persistent-connection)
2196 | | | +--rw persistent!
2197 | | +--:(periodic-connection)
2198 | | +--rw periodic!
2199 | | +--rw period? uint16
2200 | | +--rw anchor-time? yang:date-and-time
2201 | | +--rw idle-timeout? uint16
2202 | +--rw reconnect-strategy
2203 | +--rw start-with? enumeration
2204 | +--rw max-attempts? uint8
2205 +--rw listen! {ssh-listen or tls-listen}?
2206 +--rw idle-timeout? uint16
2207 +--rw endpoint* [name]
2208 +--rw name string
2209 +--rw (transport)
2210 +--:(ssh) {ssh-listen}?
2211 | +--rw ssh
2212 | +--rw tcp-server-parameters
2213 | | +--rw local-address inet:ip-address
2214 | | +--rw local-port? inet:port-number
2215 | | +--rw keepalives! {keepalives-supported}?
2216 | | +--rw idle-time uint16
2217 | | +--rw max-probes uint16
2218 | | +--rw probe-interval uint16
2219 | +--rw ssh-client-parameters
2220 | +--rw client-identity
2221 | | +--rw username? string
2222 | | +--rw (auth-type)
2223 | | +--:(password)
2224 | | | +--rw password? string
2225 | | +--:(public-key)
2226 | | | +--rw public-key
2227 | | | +--rw (local-or-keystore)
2228 | | | +--:(local)
2229 | | | | {local-definitions-su\
2230 \pported}?
2231 | | | | +--rw local-definition
2232 | | | | +--rw algorithm
2233 | | | | | asymmetric-key-a\
2234 \lgorithm-t
2235 | | | | +--rw public-key
2236 | | | | | binary
2237 | | | | +--rw (private-key-type)
2238 | | | | +--:(private-key)
2239 | | | | | +--rw private-key?
2240 | | | | | binary
2241 | | | | +--:(hidden-private-k\
2242 \ey)
2243 | | | | | +--rw hidden-priva\
2244 \te-key?
2245 | | | | | empty
2246 | | | | +--:(encrypted-privat\
2247 \e-key)
2248 | | | | +--rw encrypted-pr\
2249 \ivate-key
2250 | | | | +--rw (key-type)
2251 | | | | | +--:(symmetr\
2252 \ic-key-ref)
2253 | | | | | | +--rw sym\
2254 \metric-key-ref? leafref
2255 | | | | | | {\
2256 \keystore-supported}?
2257 | | | | | +--:(asymmet\
2258 \ric-key-ref)
2259 | | | | | +--rw asy\
2260 \mmetric-key-ref? leafref
2261 | | | | | {\
2262 \keystore-supported}?
2263 | | | | +--rw value?
2264 | | | | binary
2265 | | | +--:(keystore)
2266 | | | {keystore-supported}?
2267 | | | +--rw keystore-reference?
2268 | | | ks:asymmetric-key-r\
2269 \ef
2270 | | +--:(certificate)
2271 | | +--rw certificate
2272 | | {sshcmn:ssh-x509-certs}?
2273 | | +--rw (local-or-keystore)
2274 | | +--:(local)
2275 | | | {local-definitions-su\
2276 \pported}?
2277 | | | +--rw local-definition
2278 | | | +--rw algorithm
2279 | | | | asymmetric-key-a\
2280 \lgorithm-t
2281 | | | +--rw public-key
2282 | | | | binary
2283 | | | +--rw (private-key-type)
2284 | | | | +--:(private-key)
2285 | | | | | +--rw private-key?
2286 | | | | | binary
2287 | | | | +--:(hidden-private-k\
2288 \ey)
2289 | | | | | +--rw hidden-priva\
2290 \te-key?
2291 | | | | | empty
2292 | | | | +--:(encrypted-privat\
2293 \e-key)
2294 | | | | +--rw encrypted-pr\
2295 \ivate-key
2296 | | | | +--rw (key-type)
2297 | | | | | +--:(symmetr\
2298 \ic-key-ref)
2299 | | | | | | +--rw sym\
2300 \metric-key-ref? leafref
2301 | | | | | | {\
2302 \keystore-supported}?
2303 | | | | | +--:(asymmet\
2304 \ric-key-ref)
2305 | | | | | +--rw asy\
2306 \mmetric-key-ref? leafref
2307 | | | | | {\
2308 \keystore-supported}?
2309 | | | | +--rw value?
2310 | | | | binary
2311 | | | +--rw cert?
2312 | | | | end-entity-cert-\
2313 \cms
2314 | | | +---n certificate-expira\
2315 \tion
2316 | | | | +-- expiration-date
2317 | | | | yang:date-and\
2319 \-time
2320 | | | +---x generate-certifica\
2321 \te-signing-request
2322 | | | +---w input
2323 | | | | +---w subject
2324 | | | | | binary
2325 | | | | +---w attributes?
2326 | | | | binary
2327 | | | +--ro output
2328 | | | +--ro certificate-\
2329 \signing-request
2330 | | | binary
2331 | | +--:(keystore)
2332 | | {keystore-supported}?
2333 | | +--rw keystore-reference
2334 | | +--rw asymmetric-key?
2335 | | | ks:asymmetric-ke\
2336 \y-ref
2337 | | +--rw certificate? \
2338 \leafref
2339 | +--rw server-authentication
2340 | | +--rw ssh-host-keys? ts:host-keys-ref
2341 | | | {ts:ssh-host-keys}?
2342 | | +--rw ca-certs? ts:certificates-ref
2343 | | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2344 \tificates}?
2345 | | +--rw server-certs? ts:certificates-ref
2346 | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2347 \tificates}?
2348 | +--rw transport-params
2349 | | {ssh-client-transport-params-config}?
2350 | | +--rw host-key
2351 | | | +--rw host-key-alg* identityref
2352 | | +--rw key-exchange
2353 | | | +--rw key-exchange-alg* identityref
2354 | | +--rw encryption
2355 | | | +--rw encryption-alg* identityref
2356 | | +--rw mac
2357 | | +--rw mac-alg* identityref
2358 | +--rw keepalives! {ssh-client-keepalives}?
2359 | +--rw max-wait? uint16
2360 | +--rw max-attempts? uint8
2361 +--:(tls) {tls-listen}?
2362 +--rw tls
2363 +--rw tcp-server-parameters
2364 | +--rw local-address inet:ip-address
2365 | +--rw local-port? inet:port-number
2366 | +--rw keepalives! {keepalives-supported}?
2367 | +--rw idle-time uint16
2368 | +--rw max-probes uint16
2369 | +--rw probe-interval uint16
2370 +--rw tls-client-parameters
2371 +--rw client-identity
2372 | +--rw (local-or-keystore)
2373 | +--:(local)
2374 | | {local-definitions-supported}?
2375 | | +--rw local-definition
2376 | | +--rw algorithm
2377 | | | asymmetric-key-algorithm-t
2378 | | +--rw public-key
2379 | | | binary
2380 | | +--rw (private-key-type)
2381 | | | +--:(private-key)
2382 | | | | +--rw private-key?
2383 | | | | binary
2384 | | | +--:(hidden-private-key)
2385 | | | | +--rw hidden-private-key?
2386 | | | | empty
2387 | | | +--:(encrypted-private-key)
2388 | | | +--rw encrypted-private-key
2389 | | | +--rw (key-type)
2390 | | | | +--:(symmetric-key-re\
2391 \f)
2392 | | | | | +--rw symmetric-ke\
2393 \y-ref? leafref
2394 | | | | | {keystore-\
2395 \supported}?
2396 | | | | +--:(asymmetric-key-r\
2397 \ef)
2398 | | | | +--rw asymmetric-k\
2399 \ey-ref? leafref
2400 | | | | {keystore-\
2401 \supported}?
2402 | | | +--rw value?
2403 | | | binary
2404 | | +--rw cert?
2405 | | | end-entity-cert-cms
2406 | | +---n certificate-expiration
2407 | | | +-- expiration-date
2408 | | | yang:date-and-time
2409 | | +---x generate-certificate-signin\
2410 \g-request
2411 | | +---w input
2412 | | | +---w subject binary
2413 | | | +---w attributes? binary
2414 | | +--ro output
2415 | | +--ro certificate-signing-r\
2416 \equest
2417 | | binary
2418 | +--:(keystore) {keystore-supported}?
2419 | +--rw keystore-reference
2420 | +--rw asymmetric-key?
2421 | | ks:asymmetric-key-ref
2422 | +--rw certificate? leafref
2423 +--rw server-authentication
2424 | +--rw ca-certs? ts:certificates-ref
2425 | | {ts:x509-certificates}?
2426 | +--rw server-certs? ts:certificates-ref
2427 | {ts:x509-certificates}?
2428 +--rw hello-params
2429 | {tls-client-hello-params-config}?
2430 | +--rw tls-versions
2431 | | +--rw tls-version* identityref
2432 | +--rw cipher-suites
2433 | +--rw cipher-suite* identityref
2434 +--rw keepalives! {tls-client-keepalives}?
2435 +--rw max-wait? uint16
2436 +--rw max-attempts? uint8
2438 A.2. Expanded Tree Diagram for 'ietf-netconf-server'
2440 The following tree diagram [RFC8340] provides an overview of the data
2441 model for the "ietf-netconf-server" module.
2443 This tree diagram shows all the nodes defined in this module,
2444 including those defined by "grouping" statements used by this module.
2446 Please see Section 4.1 for a tree diagram that illustrates what the
2447 module looks like without all the "grouping" statements expanded.
2449 ========== NOTE: '\\' line wrapping per BCP XX (RFC XXXX) ===========
2451 module: ietf-netconf-server
2452 +--rw netconf-server
2453 +--rw listen! {ssh-listen or tls-listen}?
2454 | +--rw idle-timeout? uint16
2455 | +--rw endpoint* [name]
2456 | +--rw name string
2457 | +--rw (transport)
2458 | +--:(ssh) {ssh-listen}?
2459 | | +--rw ssh
2460 | | +--rw tcp-server-parameters
2461 | | | +--rw local-address inet:ip-address
2462 | | | +--rw local-port? inet:port-number
2463 | | | +--rw keepalives! {keepalives-supported}?
2464 | | | +--rw idle-time uint16
2465 | | | +--rw max-probes uint16
2466 | | | +--rw probe-interval uint16
2467 | | +--rw ssh-server-parameters
2468 | | +--rw server-identity
2469 | | | +--rw host-key* [name]
2470 | | | +--rw name string
2471 | | | +--rw (host-key-type)
2472 | | | +--:(public-key)
2473 | | | | +--rw public-key
2474 | | | | +--rw (local-or-keystore)
2475 | | | | +--:(local)
2476 | | | | | {local-definitions\
2477 \-supported}?
2478 | | | | | +--rw local-definition
2479 | | | | | +--rw algorithm
2480 | | | | | | asymmetric-ke\
2481 \y-algorithm-t
2482 | | | | | +--rw public-key
2483 | | | | | | binary
2484 | | | | | +--rw (private-key-ty\
2485 \pe)
2486 | | | | | +--:(private-key)
2487 | | | | | | +--rw private-k\
2488 \ey?
2489 | | | | | | binary
2490 | | | | | +--:(hidden-privat\
2491 \e-key)
2492 | | | | | | +--rw hidden-pr\
2493 \ivate-key?
2494 | | | | | | empty
2495 | | | | | +--:(encrypted-pri\
2496 \vate-key)
2497 | | | | | +--rw encrypted\
2498 \-private-key
2499 | | | | | +--rw (key-t\
2500 \ype)
2501 | | | | | | +--:(symm\
2502 \etric-key-ref)
2503 | | | | | | | +--rw \
2504 \symmetric-key-ref? leafref
2505 | | | | | | | \
2506 \ {keystore-supported}?
2507 | | | | | | +--:(asym\
2508 \metric-key-ref)
2509 | | | | | | +--rw \
2510 \asymmetric-key-ref? leafref
2511 | | | | | | \
2512 \ {keystore-supported}?
2513 | | | | | +--rw value?
2514 | | | | | bina\
2515 \ry
2516 | | | | +--:(keystore)
2517 | | | | {keystore-supporte\
2518 \d}?
2519 | | | | +--rw keystore-reference?
2520 | | | | ks:asymmetric-ke\
2521 \y-ref
2522 | | | +--:(certificate)
2523 | | | +--rw certificate
2524 | | | {sshcmn:ssh-x509-certs}?
2525 | | | +--rw (local-or-keystore)
2526 | | | +--:(local)
2527 | | | | {local-definitions\
2528 \-supported}?
2529 | | | | +--rw local-definition
2530 | | | | +--rw algorithm
2531 | | | | | asymmetric-ke\
2532 \y-algorithm-t
2533 | | | | +--rw public-key
2534 | | | | | binary
2535 | | | | +--rw (private-key-ty\
2536 \pe)
2537 | | | | | +--:(private-key)
2538 | | | | | | +--rw private-k\
2539 \ey?
2540 | | | | | | binary
2541 | | | | | +--:(hidden-privat\
2542 \e-key)
2543 | | | | | | +--rw hidden-pr\
2544 \ivate-key?
2545 | | | | | | empty
2546 | | | | | +--:(encrypted-pri\
2547 \vate-key)
2548 | | | | | +--rw encrypted\
2549 \-private-key
2550 | | | | | +--rw (key-t\
2551 \ype)
2552 | | | | | | +--:(symm\
2553 \etric-key-ref)
2554 | | | | | | | +--rw \
2555 \symmetric-key-ref? leafref
2556 | | | | | | | \
2557 \ {keystore-supported}?
2558 | | | | | | +--:(asym\
2560 \metric-key-ref)
2561 | | | | | | +--rw \
2562 \asymmetric-key-ref? leafref
2563 | | | | | | \
2564 \ {keystore-supported}?
2565 | | | | | +--rw value?
2566 | | | | | bina\
2567 \ry
2568 | | | | +--rw cert?
2569 | | | | | end-entity-ce\
2570 \rt-cms
2571 | | | | +---n certificate-exp\
2572 \iration
2573 | | | | | +-- expiration-date
2574 | | | | | yang:date-\
2575 \and-time
2576 | | | | +---x generate-certif\
2577 \icate-signing-request
2578 | | | | +---w input
2579 | | | | | +---w subject
2580 | | | | | | binary
2581 | | | | | +---w attribute\
2582 \s?
2583 | | | | | binary
2584 | | | | +--ro output
2585 | | | | +--ro certifica\
2586 \te-signing-request
2587 | | | | binary
2588 | | | +--:(keystore)
2589 | | | {keystore-supporte\
2590 \d}?
2591 | | | +--rw keystore-reference
2592 | | | +--rw asymmetric-key?
2593 | | | | ks:asymmetric\
2594 \-key-ref
2595 | | | +--rw certificate? \
2596 \ leafref
2597 | | +--rw client-authentication
2598 | | | +--rw supported-authentication-methods
2599 | | | | +--rw publickey? empty
2600 | | | | +--rw passsword? empty
2601 | | | | +--rw hostbased? empty
2602 | | | | +--rw none? empty
2603 | | | | +--rw other* string
2604 | | | +--rw (local-or-external)
2605 | | | +--:(local)
2606 | | | | {local-client-auth-supported}?
2607 | | | | +--rw users
2608 | | | | +--rw user* [name]
2609 | | | | +--rw name string
2610 | | | | +--rw password?
2611 | | | | | ianach:crypt-hash
2612 | | | | +--rw authorized-key* [name]
2613 | | | | +--rw name string
2614 | | | | +--rw algorithm string
2615 | | | | +--rw key-data binary
2616 | | | +--:(external)
2617 | | | {external-client-auth-supporte\
2618 \d}?
2619 | | | +--rw client-auth-defined-elsewhere?
2620 | | | empty
2621 | | +--rw transport-params
2622 | | | {ssh-server-transport-params-config}?
2623 | | | +--rw host-key
2624 | | | | +--rw host-key-alg* identityref
2625 | | | +--rw key-exchange
2626 | | | | +--rw key-exchange-alg* identityref
2627 | | | +--rw encryption
2628 | | | | +--rw encryption-alg* identityref
2629 | | | +--rw mac
2630 | | | +--rw mac-alg* identityref
2631 | | +--rw keepalives! {ssh-server-keepalives}?
2632 | | +--rw max-wait? uint16
2633 | | +--rw max-attempts? uint8
2634 | +--:(tls) {tls-listen}?
2635 | +--rw tls
2636 | +--rw tcp-server-parameters
2637 | | +--rw local-address inet:ip-address
2638 | | +--rw local-port? inet:port-number
2639 | | +--rw keepalives! {keepalives-supported}?
2640 | | +--rw idle-time uint16
2641 | | +--rw max-probes uint16
2642 | | +--rw probe-interval uint16
2643 | +--rw tls-server-parameters
2644 | +--rw server-identity
2645 | | +--rw (local-or-keystore)
2646 | | +--:(local)
2647 | | | {local-definitions-supported}?
2648 | | | +--rw local-definition
2649 | | | +--rw algorithm
2650 | | | | asymmetric-key-algorithm-t
2651 | | | +--rw public-key
2652 | | | | binary
2653 | | | +--rw (private-key-type)
2654 | | | | +--:(private-key)
2655 | | | | | +--rw private-key?
2656 | | | | | binary
2657 | | | | +--:(hidden-private-key)
2658 | | | | | +--rw hidden-private-key?
2659 | | | | | empty
2660 | | | | +--:(encrypted-private-key)
2661 | | | | +--rw encrypted-private-key
2662 | | | | +--rw (key-type)
2663 | | | | | +--:(symmetric-key-re\
2664 \f)
2665 | | | | | | +--rw symmetric-ke\
2666 \y-ref? leafref
2667 | | | | | | {keystore-\
2668 \supported}?
2669 | | | | | +--:(asymmetric-key-r\
2670 \ef)
2671 | | | | | +--rw asymmetric-k\
2672 \ey-ref? leafref
2673 | | | | | {keystore-\
2674 \supported}?
2675 | | | | +--rw value?
2676 | | | | binary
2677 | | | +--rw cert?
2678 | | | | end-entity-cert-cms
2679 | | | +---n certificate-expiration
2680 | | | | +-- expiration-date
2681 | | | | yang:date-and-time
2682 | | | +---x generate-certificate-signin\
2683 \g-request
2684 | | | +---w input
2685 | | | | +---w subject binary
2686 | | | | +---w attributes? binary
2687 | | | +--ro output
2688 | | | +--ro certificate-signing-r\
2689 \equest
2690 | | | binary
2691 | | +--:(keystore) {keystore-supported}?
2692 | | +--rw keystore-reference
2693 | | +--rw asymmetric-key?
2694 | | | ks:asymmetric-key-ref
2695 | | +--rw certificate? leafref
2696 | +--rw client-authentication!
2697 | | +--rw (required-or-optional)
2698 | | | +--:(required)
2699 | | | | +--rw required?
2700 | | | | empty
2701 | | | +--:(optional)
2702 | | | +--rw optional?
2703 | | | empty
2704 | | +--rw (local-or-external)
2705 | | | +--:(local)
2706 | | | | {local-client-auth-supported}?
2707 | | | | +--rw ca-certs?
2708 | | | | | ts:certificates-ref
2709 | | | | | {ts:x509-certificates}?
2710 | | | | +--rw client-certs?
2711 | | | | ts:certificates-ref
2712 | | | | {ts:x509-certificates}?
2713 | | | +--:(external)
2714 | | | {external-client-auth-supporte\
2715 \d}?
2716 | | | +--rw client-auth-defined-elsewhere?
2717 | | | empty
2718 | | +--rw cert-maps
2719 | | +--rw cert-to-name* [id]
2720 | | +--rw id uint32
2721 | | +--rw fingerprint
2722 | | | x509c2n:tls-fingerprint
2723 | | +--rw map-type identityref
2724 | | +--rw name string
2725 | +--rw hello-params
2726 | | {tls-server-hello-params-config}?
2727 | | +--rw tls-versions
2728 | | | +--rw tls-version* identityref
2729 | | +--rw cipher-suites
2730 | | +--rw cipher-suite* identityref
2731 | +--rw keepalives! {tls-server-keepalives}?
2732 | +--rw max-wait? uint16
2733 | +--rw max-attempts? uint8
2734 +--rw call-home! {ssh-call-home or tls-call-home}?
2735 +--rw netconf-client* [name]
2736 +--rw name string
2737 +--rw endpoints
2738 | +--rw endpoint* [name]
2739 | +--rw name string
2740 | +--rw (transport)
2741 | +--:(ssh) {ssh-call-home}?
2742 | | +--rw ssh
2743 | | +--rw tcp-client-parameters
2744 | | | +--rw remote-address inet:host
2745 | | | +--rw remote-port? inet:port-number
2746 | | | +--rw local-address? inet:ip-address
2747 | | | | {local-binding-supported}?
2748 | | | +--rw local-port? inet:port-number
2749 | | | | {local-binding-supported}?
2750 | | | +--rw keepalives!
2751 | | | {keepalives-supported}?
2752 | | | +--rw idle-time uint16
2753 | | | +--rw max-probes uint16
2754 | | | +--rw probe-interval uint16
2755 | | +--rw ssh-server-parameters
2756 | | +--rw server-identity
2757 | | | +--rw host-key* [name]
2758 | | | +--rw name string
2759 | | | +--rw (host-key-type)
2760 | | | +--:(public-key)
2761 | | | | +--rw public-key
2762 | | | | +--rw (local-or-keystore)
2763 | | | | +--:(local)
2764 | | | | | {local-defin\
2765 \itions-supported}?
2766 | | | | | +--rw local-defini\
2767 \tion
2768 | | | | | +--rw algorithm
2769 | | | | | | asymmet\
2770 \ric-key-algorithm-t
2771 | | | | | +--rw public-key
2772 | | | | | | binary
2773 | | | | | +--rw (private-\
2774 \key-type)
2775 | | | | | +--:(private\
2776 \-key)
2777 | | | | | | +--rw pri\
2778 \vate-key?
2779 | | | | | | b\
2780 \inary
2781 | | | | | +--:(hidden-\
2782 \private-key)
2783 | | | | | | +--rw hid\
2784 \den-private-key?
2785 | | | | | | e\
2786 \mpty
2787 | | | | | +--:(encrypt\
2788 \ed-private-key)
2789 | | | | | +--rw enc\
2790 \rypted-private-key
2791 | | | | | +--rw \
2792 \(key-type)
2793 | | | | | | +--\
2794 \:(symmetric-key-ref)
2795 | | | | | | | \
2796 \+--rw symmetric-key-ref? leafref
2797 | | | | | | | \
2798 \ {keystore-supported}?
2799 | | | | | | +--\
2801 \:(asymmetric-key-ref)
2802 | | | | | | \
2803 \+--rw asymmetric-key-ref? leafref
2804 | | | | | | \
2805 \ {keystore-supported}?
2806 | | | | | +--rw \
2807 \value?
2808 | | | | | \
2809 \ binary
2810 | | | | +--:(keystore)
2811 | | | | {keystore-su\
2812 \pported}?
2813 | | | | +--rw keystore-ref\
2814 \erence?
2815 | | | | ks:asymmet\
2816 \ric-key-ref
2817 | | | +--:(certificate)
2818 | | | +--rw certificate
2819 | | | {sshcmn:ssh-x509-ce\
2820 \rts}?
2821 | | | +--rw (local-or-keystore)
2822 | | | +--:(local)
2823 | | | | {local-defin\
2824 \itions-supported}?
2825 | | | | +--rw local-defini\
2826 \tion
2827 | | | | +--rw algorithm
2828 | | | | | asymmet\
2829 \ric-key-algorithm-t
2830 | | | | +--rw public-key
2831 | | | | | binary
2832 | | | | +--rw (private-\
2833 \key-type)
2834 | | | | | +--:(private\
2835 \-key)
2836 | | | | | | +--rw pri\
2837 \vate-key?
2838 | | | | | | b\
2839 \inary
2840 | | | | | +--:(hidden-\
2841 \private-key)
2842 | | | | | | +--rw hid\
2843 \den-private-key?
2844 | | | | | | e\
2845 \mpty
2846 | | | | | +--:(encrypt\
2847 \ed-private-key)
2848 | | | | | +--rw enc\
2850 \rypted-private-key
2851 | | | | | +--rw \
2852 \(key-type)
2853 | | | | | | +--\
2854 \:(symmetric-key-ref)
2855 | | | | | | | \
2856 \+--rw symmetric-key-ref? leafref
2857 | | | | | | | \
2858 \ {keystore-supported}?
2859 | | | | | | +--\
2860 \:(asymmetric-key-ref)
2861 | | | | | | \
2862 \+--rw asymmetric-key-ref? leafref
2863 | | | | | | \
2864 \ {keystore-supported}?
2865 | | | | | +--rw \
2866 \value?
2867 | | | | | \
2868 \ binary
2869 | | | | +--rw cert?
2870 | | | | | end-ent\
2871 \ity-cert-cms
2872 | | | | +---n certifica\
2873 \te-expiration
2874 | | | | | +-- expirati\
2875 \on-date
2876 | | | | | yang\
2877 \:date-and-time
2878 | | | | +---x generate-\
2879 \certificate-signing-request
2880 | | | | +---w input
2881 | | | | | +---w sub\
2882 \ject
2883 | | | | | | b\
2884 \inary
2885 | | | | | +---w att\
2886 \ributes?
2887 | | | | | b\
2888 \inary
2889 | | | | +--ro output
2890 | | | | +--ro cer\
2891 \tificate-signing-request
2892 | | | | b\
2893 \inary
2894 | | | +--:(keystore)
2895 | | | {keystore-su\
2896 \pported}?
2897 | | | +--rw keystore-ref\
2899 \erence
2900 | | | +--rw asymmetri\
2901 \c-key?
2902 | | | | ks:asym\
2903 \metric-key-ref
2904 | | | +--rw certifica\
2905 \te? leafref
2906 | | +--rw client-authentication
2907 | | | +--rw supported-authentication-metho\
2908 \ds
2909 | | | | +--rw publickey? empty
2910 | | | | +--rw passsword? empty
2911 | | | | +--rw hostbased? empty
2912 | | | | +--rw none? empty
2913 | | | | +--rw other* string
2914 | | | +--rw (local-or-external)
2915 | | | +--:(local)
2916 | | | | {local-client-auth-suppo\
2917 \rted}?
2918 | | | | +--rw users
2919 | | | | +--rw user* [name]
2920 | | | | +--rw name
2921 | | | | | string
2922 | | | | +--rw password?
2923 | | | | | ianach:crypt-hash
2924 | | | | +--rw authorized-key*
2925 | | | | [name]
2926 | | | | +--rw name
2927 | | | | | string
2928 | | | | +--rw algorithm
2929 | | | | | string
2930 | | | | +--rw key-data
2931 | | | | binary
2932 | | | +--:(external)
2933 | | | {external-client-auth-su\
2934 \pported}?
2935 | | | +--rw client-auth-defined-else\
2936 \where?
2937 | | | empty
2938 | | +--rw transport-params
2939 | | | {ssh-server-transport-params-co\
2940 \nfig}?
2941 | | | +--rw host-key
2942 | | | | +--rw host-key-alg* identityref
2943 | | | +--rw key-exchange
2944 | | | | +--rw key-exchange-alg*
2945 | | | | identityref
2946 | | | +--rw encryption
2947 | | | | +--rw encryption-alg*
2948 | | | | identityref
2949 | | | +--rw mac
2950 | | | +--rw mac-alg* identityref
2951 | | +--rw keepalives!
2952 | | {ssh-server-keepalives}?
2953 | | +--rw max-wait? uint16
2954 | | +--rw max-attempts? uint8
2955 | +--:(tls) {tls-call-home}?
2956 | +--rw tls
2957 | +--rw tcp-client-parameters
2958 | | +--rw remote-address inet:host
2959 | | +--rw remote-port? inet:port-number
2960 | | +--rw local-address? inet:ip-address
2961 | | | {local-binding-supported}?
2962 | | +--rw local-port? inet:port-number
2963 | | | {local-binding-supported}?
2964 | | +--rw keepalives!
2965 | | {keepalives-supported}?
2966 | | +--rw idle-time uint16
2967 | | +--rw max-probes uint16
2968 | | +--rw probe-interval uint16
2969 | +--rw tls-server-parameters
2970 | +--rw server-identity
2971 | | +--rw (local-or-keystore)
2972 | | +--:(local)
2973 | | | {local-definitions-suppo\
2974 \rted}?
2975 | | | +--rw local-definition
2976 | | | +--rw algorithm
2977 | | | | asymmetric-key-algo\
2978 \rithm-t
2979 | | | +--rw public-key
2980 | | | | binary
2981 | | | +--rw (private-key-type)
2982 | | | | +--:(private-key)
2983 | | | | | +--rw private-key?
2984 | | | | | binary
2985 | | | | +--:(hidden-private-key)
2986 | | | | | +--rw hidden-private-\
2987 \key?
2988 | | | | | empty
2989 | | | | +--:(encrypted-private-k\
2990 \ey)
2991 | | | | +--rw encrypted-priva\
2992 \te-key
2993 | | | | +--rw (key-type)
2994 | | | | | +--:(symmetric-\
2996 \key-ref)
2997 | | | | | | +--rw symmet\
2998 \ric-key-ref? leafref
2999 | | | | | | {key\
3000 \store-supported}?
3001 | | | | | +--:(asymmetric\
3002 \-key-ref)
3003 | | | | | +--rw asymme\
3004 \tric-key-ref? leafref
3005 | | | | | {key\
3006 \store-supported}?
3007 | | | | +--rw value?
3008 | | | | binary
3009 | | | +--rw cert?
3010 | | | | end-entity-cert-cms
3011 | | | +---n certificate-expiration
3012 | | | | +-- expiration-date
3013 | | | | yang:date-and-ti\
3014 \me
3015 | | | +---x generate-certificate-\
3016 \signing-request
3017 | | | +---w input
3018 | | | | +---w subject
3019 | | | | | binary
3020 | | | | +---w attributes?
3021 | | | | binary
3022 | | | +--ro output
3023 | | | +--ro certificate-sig\
3024 \ning-request
3025 | | | binary
3026 | | +--:(keystore)
3027 | | {keystore-supported}?
3028 | | +--rw keystore-reference
3029 | | +--rw asymmetric-key?
3030 | | | ks:asymmetric-key-r\
3031 \ef
3032 | | +--rw certificate? lea\
3033 \fref
3034 | +--rw client-authentication!
3035 | | +--rw (required-or-optional)
3036 | | | +--:(required)
3037 | | | | +--rw required?
3038 | | | | empty
3039 | | | +--:(optional)
3040 | | | +--rw optional?
3041 | | | empty
3042 | | +--rw (local-or-external)
3043 | | | +--:(local)
3044 | | | | {local-client-auth-suppo\
3045 \rted}?
3046 | | | | +--rw ca-certs?
3047 | | | | | ts:certificates-ref
3048 | | | | | {ts:x509-certificates}?
3049 | | | | +--rw client-certs?
3050 | | | | ts:certificates-ref
3051 | | | | {ts:x509-certificates}?
3052 | | | +--:(external)
3053 | | | {external-client-auth-su\
3054 \pported}?
3055 | | | +--rw client-auth-defined-else\
3056 \where?
3057 | | | empty
3058 | | +--rw cert-maps
3059 | | +--rw cert-to-name* [id]
3060 | | +--rw id uint32
3061 | | +--rw fingerprint
3062 | | | x509c2n:tls-fingerprint
3063 | | +--rw map-type
3064 | | | identityref
3065 | | +--rw name string
3066 | +--rw hello-params
3067 | | {tls-server-hello-params-config\
3068 \}?
3069 | | +--rw tls-versions
3070 | | | +--rw tls-version* identityref
3071 | | +--rw cipher-suites
3072 | | +--rw cipher-suite* identityref
3073 | +--rw keepalives!
3074 | {tls-server-keepalives}?
3075 | +--rw max-wait? uint16
3076 | +--rw max-attempts? uint8
3077 +--rw connection-type
3078 | +--rw (connection-type)
3079 | +--:(persistent-connection)
3080 | | +--rw persistent!
3081 | +--:(periodic-connection)
3082 | +--rw periodic!
3083 | +--rw period? uint16
3084 | +--rw anchor-time? yang:date-and-time
3085 | +--rw idle-timeout? uint16
3086 +--rw reconnect-strategy
3087 +--rw start-with? enumeration
3088 +--rw max-attempts? uint8
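The expanded tree diagrams above are printed with the '\\' line-wrapping convention flagged in the NOTE line (the folding scheme later published as RFC 8792), and use the RFC 8340 node syntax ("rw"/"ro" flags, "?" for optional, "!" for presence, "*" for lists, "{...}?" for if-feature). The following Python script is an added example, not code from the draft: it unfolds such a diagram and walks the node syntax to list the "rw" leaves printed without "?", which is the minimum a configuration must supply once the enclosing node exists, and the feature expressions the server has to advertise. The SAMPLE excerpt is hand-constructed from node names in the ietf-netconf-server diagram above (spacing is the example's own, two folded lines were added on purpose), and the helper names unfold, parse_node, mandatory_config_leaves and feature_expressions are the example's own.

```python
"""Unfold an RFC 8792 '\\\\'-folded YANG tree diagram and extract the
mandatory configuration leaves.  Added example; not part of the draft."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ietf-netconf-server expanded tree; the two
# backslash-folded lines are deliberate to exercise the unfolder.
SAMPLE = r"""========== NOTE: '\\' line wrapping per RFC 8792 ===========

module: ietf-netconf-server
  +--rw netconf-server
     +--rw listen! {ssh-listen or tls-listen}?
        +--rw idle-timeout?   uint16
        +--rw endpoint* [name]
           +--rw name    string
           +--rw (transport)
              +--:(ssh) {ssh-listen}?
                 +--rw ssh
                    +--rw tcp-server-parameters
                    |  +--rw local-address    inet:ip-address
                    |  +--rw local-port?      inet:port-number
                    |  +--rw keepalives! {keepalives-suppo\
\rted}?
                    |     +--rw idle-time        uint16
                    +--rw ssh-server-parameters
                       +--rw client-authentication
                          +--rw supported-authentication-meth\
\ods
                             +--rw publickey?   empty
"""

# Header line of the double-backslash strategy (RFC 8792, Section 8.2).
FOLD_HEADER = re.compile(r"^=+ NOTE: '\\\\' line wrapping per .* =+$")

# One RFC 8340 node: indentation (spaces and '|'), flags, name, then the
# type / list keys / if-feature expression.
NODE_RE = re.compile(
    r"^(?P<indent>[ |]*)\+--(?P<flags>rw|ro|-w|-x|-n)?\s*"
    r"(?P<name>\S+)(?:\s+(?P<rest>.*))?$"
)


@dataclass
class Node:
    depth: int
    flags: Optional[str]    # 'rw', 'ro', '-w', '-x', '-n' or None
    name: str               # bare name, markers stripped
    kind: str               # choice, case, list, presence, optional, node
    type: Optional[str]     # printed leaf/leaf-list type, if any
    feature: Optional[str]  # '{...}?' if-feature expression, if any


def unfold(text: str) -> list[str]:
    """Join a line ending in a backslash with the next line after that
    line's leading whitespace and leading backslash are removed."""
    lines = text.splitlines()
    # The header line and the blank line after it are not content.
    if lines and FOLD_HEADER.match(lines[0]):
        lines = lines[1:]
        if lines and not lines[0].strip():
            lines = lines[1:]
    out: list[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        while line.endswith("\\") and i + 1 < len(lines):
            nxt = lines[i + 1].lstrip(" ")
            if not nxt.startswith("\\"):
                break               # bare trailing backslash, not a fold
            line = line[:-1] + nxt[1:]
            i += 1
        out.append(line)
        i += 1
    return out


def parse_node(line: str) -> Optional[Node]:
    """Parse one tree-diagram line; returns None for non-node lines."""
    m = NODE_RE.match(line)
    if not m:
        return None
    depth = len(m.group("indent")) // 3      # RFC 8340: 3 columns per level
    name, rest = m.group("name"), m.group("rest") or ""
    feature = None
    fm = re.search(r"\{[^}]*\}\?", rest)
    if fm:
        feature = fm.group(0)
        rest = (rest[:fm.start()] + rest[fm.end():]).strip()
    if name.startswith(":("):
        kind, name = "case", name[2:-1]
    elif name.startswith("("):
        kind, name = "choice", name[1:-1]
    elif name.endswith("*"):
        kind, name = "list", name[:-1]
    elif name.endswith("!"):
        kind, name = "presence", name[:-1]
    elif name.endswith("?"):
        kind, name = "optional", name[:-1]
    else:
        kind = "node"
    # Whatever remains is a type, unless it is a list's "[keys]".
    typ = rest if rest and not rest.startswith("[") else None
    return Node(depth, m.group("flags"), name, kind, typ, feature)


def mandatory_config_leaves(lines: list[str]) -> list[str]:
    """Schema paths of 'rw' leaves printed without '?' (list keys included)."""
    path: list[str] = []
    found: list[str] = []
    for line in lines:
        node = parse_node(line)
        if node is None:
            continue
        del path[node.depth:]                  # pop back to the parent level
        # choice/case nodes are schema-only and absent from data paths.
        path.append("" if node.kind in ("choice", "case") else node.name)
        if node.flags == "rw" and node.type and node.kind == "node":
            found.append("/".join(p for p in path if p))
    return found


def feature_expressions(lines: list[str]) -> list[str]:
    """Distinct if-feature expressions, without the '{' and '}?' markers."""
    return sorted({n.feature[1:-2] for n in map(parse_node, lines)
                   if n and n.feature})


if __name__ == "__main__":
    unfolded = unfold(SAMPLE)
    print("\n".join(mandatory_config_leaves(unfolded)))
    print(feature_expressions(unfolded))
```

Run on the full appendix text (after restoring the original column layout), the script gives the same information for every listen and call-home endpoint; the "?"-less "rw" leaves it reports are exactly the ones a conforming server rejects a configuration without, so the list doubles as a checklist when writing or reviewing a NETCONF server configuration.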
3090 Appendix B. Change Log
3092 B.1. 00 to 01
3094 o Renamed "keychain" to "keystore".
3096 B.2. 01 to 02
3098 o Added to ietf-netconf-client the ability to connect to a cluster of
3099 endpoints, including a reconnection-strategy.
3101 o Added to ietf-netconf-client the ability to configure connection-
3102 type and also keep-alive strategy.
3104 o Updated both modules to accommodate new groupings in the ssh/tls
3105 drafts.
3107 B.3. 02 to 03
3109 o Refined use of tls-client-grouping to add a must statement
3110 indicating that the TLS client must specify a client-certificate.
3112 o Changed 'netconf-client' to be a grouping (not a container).
3114 B.4. 03 to 04
3116 o Added RFC 8174 to Requirements Language Section.
3118 o Replaced refine statement in ietf-netconf-client to add a
3119 mandatory true.
3121 o Added refine statement in ietf-netconf-server to add a must
3122 statement.
3124 o Now there are containers and groupings, for both the client and
3125 server models.
3127 B.5. 04 to 05
3129 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.
3131 o Updated examples to inline keys and certificates (no longer a
3132 leafref to keystore).
3134 B.6. 05 to 06
3136 o Fixed change log missing section issue.
3138 o Updated examples to match latest updates to the crypto-types,
3139 trust-anchors, and keystore drafts.
3141 o Reduced line length of the YANG modules to fit within 69 columns.
3143 B.7. 06 to 07
3145 o Removed "idle-timeout" from "persistent" connection config.
3147 o Added "random-selection" for reconnection-strategy's "starts-with"
3148 enum.
3150 o Replaced "connection-type" choice default (persistent) with
3151 "mandatory true".
3153 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
3154 minutes.
3156 o Replaced reconnect-timeout with period/anchor-time combo.
3158 B.8. 07 to 08
3160 o Modified examples to be compatible with new crypto-types algs.
3162 B.9. 08 to 09
3164 o Corrected use of "mandatory true" for "address" leafs.
3166 o Updated examples to reflect update to groupings defined in the
3167 keystore draft.
3169 o Updated to use groupings defined in new TCP and HTTP drafts.
3171 o Updated copyright date, boilerplate template, affiliation, and
3172 folding algorithm.
3174 B.10. 09 to 10
3176 o Reformatted YANG modules.
3178 B.11. 10 to 11
3180 o Adjusted for the top-level "demux container" added to groupings
3181 imported from other modules.
3183 o Added "must" expressions to ensure that keepalives are not
3184 configured for "periodic" connections.
3186 o Updated the boilerplate text in module-level "description"
3187 statement to match copyeditor convention.
3189 o Moved "expanded" tree diagrams to the Appendix.
3191 B.12. 11 to 12
3193 o Removed the "Design Considerations" section.
3195 o Removed the 'must' statement limiting keepalives in periodic
3196 connections.
3198 o Updated models and examples to reflect removal of the "demux"
3199 containers in the imported models.
3201 o Updated the "periodic-connection" description statements to be
3202 more like the RESTCONF draft, especially where they describe
3203 dropping the underlying TCP connection.
3205 o Updated text to better reference where certain examples come from
3206 (e.g., which Section in which draft).
3208 o In the server model, commented out the "must 'pinned-ca-certs or
3209 pinned-client-certs'" statement to reflect change made in the TLS
3210 draft whereby the trust anchors MAY be defined externally.
3212 o Replaced the 'listen', 'initiate', and 'call-home' features with
3213 boolean expressions.
3215 B.13. 12 to 13
3217 o Updated to reflect changes in the trust-anchors draft (e.g., s/trust-
3218 anchors/truststore/g + s/pinned.//).
3220 B.14. 13 to 14
3222 o Adjusting from change in TLS client model (removing the top-level
3223 'certificate' container), by swapping refining-in a 'mandatory
3224 true' statement with a 'must' statement outside the 'uses'
3225 statement.
3227 o Updated examples to reflect the ietf-crypto-types change (e.g.,
3228 identities --> enumerations).
3230 Acknowledgements
3232 The authors would like to thank the following for lively discussions
3233 on the list and in the halls (ordered by last name): Andy Bierman, Martin
3234 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
3235 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
3236 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
3237 Wijnen.
3239 Author's Address
3241 Kent Watsen
3242 Watsen Networks
3244 EMail: kent+ietf@watsen.net