2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track October 18, 2019
5 Expires: April 20, 2020
7 NETCONF Client and Server Models
8 draft-ietf-netconf-netconf-client-server-15
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 NETCONF client and the other module to configure a NETCONF server.
14 Both modules support both the SSH and TLS transport protocols, and
15 support both standard NETCONF and NETCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-ssh-client-server
35 o I-D.ietf-netconf-tls-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
46 server
48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
49 server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-10-18" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on April 20, 2020.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction
95 2. Terminology
96 3. The NETCONF Client Model
97 3.1. Tree Diagram
98 3.2. Example Usage
99 3.3. YANG Module
100 4. The NETCONF Server Model
101 4.1. Tree Diagram
102 4.2. Example Usage
103 4.3. YANG Module
104 5. Security Considerations
105 6. IANA Considerations
106 6.1. The IETF XML Registry
107 6.2. The YANG Module Names Registry
108 7. References
109 7.1. Normative References
110 7.2. Informative References
111 Appendix A. Expanded Tree Diagrams
112 A.1. Expanded Tree Diagram for 'ietf-netconf-client'
113 A.2. Expanded Tree Diagram for 'ietf-netconf-server'
114 Appendix B. Change Log
115 B.1. 00 to 01
116 B.2. 01 to 02
117 B.3. 02 to 03
118 B.4. 03 to 04
119 B.5. 04 to 05
120 B.6. 05 to 06
121 B.7. 06 to 07
122 B.8. 07 to 08
123 B.9. 08 to 09
124 B.10. 09 to 10
125 B.11. 10 to 11
126 B.12. 11 to 12
127 B.13. 12 to 13
128 B.14. 13 to 14
129 B.15. 14 to 15
130 Acknowledgements
131 Author's Address
133 1. Introduction
135 This document defines two YANG [RFC7950] modules, one module to
136 configure a NETCONF [RFC6241] client and the other module to
137 configure a NETCONF server. Both modules support both NETCONF over
138 SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
139 connections [RFC8071].
141 2. Terminology
143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
145 "OPTIONAL" in this document are to be interpreted as described in BCP
146 14 [RFC2119] [RFC8174] when, and only when, they appear in all
147 capitals, as shown here.
149 3. The NETCONF Client Model
151 The NETCONF client model presented in this section supports both
152 clients initiating connections to servers and clients listening for
153 connections from servers calling home, using either the SSH or the
154 TLS transport protocol.
156 YANG feature statements are used to enable implementations to
157 advertise which potentially uncommon parts of the model the NETCONF
158 client supports.
160 3.1. Tree Diagram
162 The following tree diagram [RFC8340] provides an overview of the data
163 model for the "ietf-netconf-client" module.
165 This tree diagram only shows the nodes defined in this module; it
166 does not show the nodes defined by "grouping" statements used by
167 this module.
169 Please see Appendix A.1 for a tree diagram that illustrates what the
170 module looks like with all the "grouping" statements expanded.
172 module: ietf-netconf-client
173 +--rw netconf-client
174 +---u netconf-client-app-grouping
176 grouping netconf-client-grouping
177 grouping netconf-client-initiate-stack-grouping
178 +-- (transport)
179 +--:(ssh) {ssh-initiate}?
180 | +-- ssh
181 | +-- tcp-client-parameters
182 | | +---u tcpc:tcp-client-grouping
183 | +-- ssh-client-parameters
184 | | +---u sshc:ssh-client-grouping
185 | +-- netconf-client-parameters
186 +--:(tls) {tls-initiate}?
187 +-- tls
188 +-- tcp-client-parameters
189 | +---u tcpc:tcp-client-grouping
190 +-- tls-client-parameters
191 | +---u tlsc:tls-client-grouping
192 +-- netconf-client-parameters
193 grouping netconf-client-listen-stack-grouping
194 +-- (transport)
195 +--:(ssh) {ssh-listen}?
196 | +-- ssh
197 | +-- tcp-server-parameters
198 | | +---u tcps:tcp-server-grouping
199 | +-- ssh-client-parameters
200 | | +---u sshc:ssh-client-grouping
201 | +-- netconf-client-parameters
202 +--:(tls) {tls-listen}?
203 +-- tls
204 +-- tcp-server-parameters
205 | +---u tcps:tcp-server-grouping
206 +-- tls-client-parameters
207 | +---u tlsc:tls-client-grouping
208 +-- netconf-client-parameters
209 grouping netconf-client-app-grouping
210 +-- initiate! {ssh-initiate or tls-initiate}?
211 | +-- netconf-server* [name]
212 | +-- name? string
213 | +-- endpoints
214 | | +-- endpoint* [name]
215 | | +-- name? string
216 | | +---u netconf-client-initiate-stack-grouping
217 | +-- connection-type
218 | | +-- (connection-type)
219 | | +--:(persistent-connection)
220 | | | +-- persistent!
221 | | +--:(periodic-connection)
222 | | +-- periodic!
223 | | +-- period? uint16
224 | | +-- anchor-time? yang:date-and-time
225 | | +-- idle-timeout? uint16
226 | +-- reconnect-strategy
227 | +-- start-with? enumeration
228 | +-- max-attempts? uint8
229 +-- listen! {ssh-listen or tls-listen}?
230 +-- idle-timeout? uint16
231 +-- endpoint* [name]
232 +-- name? string
233 +---u netconf-client-listen-stack-grouping
235 3.2. Example Usage
237 The following example illustrates configuring a NETCONF client to
238 initiate connections, using both the SSH and TLS transport protocols,
239 as well as listening for call-home connections, again using both the
240 SSH and TLS transport protocols.
242 This example is consistent with the examples presented in Section 2
243 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
244 [I-D.ietf-netconf-keystore].
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

[XML example: only the element values survived extraction; they are
listed below in document order, with '\' line wraps rejoined.]

corp-fw1
corp-fw1.example.com
corp-fw1.example.com
15
3
30
foobar
rsa2048
base64encodedvalue==
base64encodedvalue==
explicitly-trusted-server-ca-certs
explicitly-trusted-server-certs
30
3

corp-fw2.example.com
corp-fw2.example.com
15
3
30
rsa2048
base64encodedvalue==
base64encodedvalue==
base64encodedvalue==
explicitly-trusted-server-ca-certs
explicitly-trusted-server-certs
30
3

last-connected

Intranet-facing listener
192.0.2.7
foobar
rsa2048
base64encodedvalue==
base64encodedvalue==
explicitly-trusted-server-ca-certs
explicitly-trusted-server-certs
explicitly-trusted-ssh-host-keys
391 3.3. YANG Module
393 This YANG module has normative references to [RFC6242], [RFC6991],
394 [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
395 [I-D.ietf-netconf-ssh-client-server], and
396 [I-D.ietf-netconf-tls-client-server].
398 file "ietf-netconf-client@2019-10-18.yang"
400 module ietf-netconf-client {
401 yang-version 1.1;
402 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
403 prefix ncc;
405 import ietf-yang-types {
406 prefix yang;
407 reference
408 "RFC 6991: Common YANG Data Types";
409 }
411 import ietf-tcp-client {
412 prefix tcpc;
413 reference
414 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
415 }
416 import ietf-tcp-server {
417 prefix tcps;
418 reference
419 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
420 }
422 import ietf-ssh-client {
423 prefix sshc;
424 revision-date 2019-10-18; // stable grouping definitions
425 reference
426 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
427 }
428 import ietf-tls-client {
429 prefix tlsc;
430 revision-date 2019-10-18; // stable grouping definitions
431 reference
432 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
433 }
435 organization
436 "IETF NETCONF (Network Configuration) Working Group";
438 contact
439 "WG Web:
440 WG List:
441 Author: Kent Watsen
442 Author: Gary Wu ";
444 description
445 "This module contains a collection of YANG definitions
446 for configuring NETCONF clients.
448 Copyright (c) 2019 IETF Trust and the persons identified
449 as authors of the code. All rights reserved.
451 Redistribution and use in source and binary forms, with
452 or without modification, is permitted pursuant to, and
453 subject to the license terms contained in, the Simplified
454 BSD License set forth in Section 4.c of the IETF Trust's
455 Legal Provisions Relating to IETF Documents
456 (https://trustee.ietf.org/license-info).
458 This version of this YANG module is part of RFC XXXX
459 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
460 itself for full legal notices.
462 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
463 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
464 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
465 are to be interpreted as described in BCP 14 (RFC 2119)
466 (RFC 8174) when, and only when, they appear in all
467 capitals, as shown here.";
469 revision 2019-10-18 {
470 description
471 "Initial version";
472 reference
473 "RFC XXXX: NETCONF Client and Server Models";
474 }
475 // Features
477 feature ssh-initiate {
478 description
479 "The 'ssh-initiate' feature indicates that the NETCONF client
480 supports initiating SSH connections to NETCONF servers.";
481 reference
482 "RFC 6242:
483 Using the NETCONF Protocol over Secure Shell (SSH)";
484 }
486 feature tls-initiate {
487 description
488 "The 'tls-initiate' feature indicates that the NETCONF client
489 supports initiating TLS connections to NETCONF servers.";
490 reference
491 "RFC 7589: Using the NETCONF Protocol over Transport
492 Layer Security (TLS) with Mutual X.509 Authentication";
493 }
495 feature ssh-listen {
496 description
497 "The 'ssh-listen' feature indicates that the NETCONF client
498 supports opening a port to listen for incoming NETCONF
499 server call-home SSH connections.";
500 reference
501 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
502 }
504 feature tls-listen {
505 description
506 "The 'tls-listen' feature indicates that the NETCONF client
507 supports opening a port to listen for incoming NETCONF
508 server call-home TLS connections.";
509 reference
510 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
511 }
513 // Groupings
515 grouping netconf-client-grouping {
516 description
517 "A reusable grouping for configuring a NETCONF client
518 without any consideration for how underlying transport
519 sessions are established.
521 This grouping currently doesn't define any nodes.";
522 }
523 grouping netconf-client-initiate-stack-grouping {
524 description
525 "A reusable grouping for configuring a NETCONF client
526 'initiate' protocol stack for a single connection.";
527 choice transport {
528 mandatory true;
529 description
530 "Selects between available transports.";
531 case ssh {
532 if-feature "ssh-initiate";
533 container ssh {
534 description
535 "Specifies IP and SSH specific configuration
536 for the connection.";
537 container tcp-client-parameters {
538 description
539 "A wrapper around the TCP client parameters
540 to avoid name collisions.";
541 uses tcpc:tcp-client-grouping {
542 refine "remote-port" {
543 default "830";
544 description
545 "The NETCONF client will attempt to connect
546 to the IANA-assigned well-known port value
547 for 'netconf-ssh' (830) if no value is
548 specified.";
549 }
550 }
551 }
552 container ssh-client-parameters {
553 description
554 "A wrapper around the SSH client parameters to
555 avoid name collisions.";
556 uses sshc:ssh-client-grouping;
557 }
558 container netconf-client-parameters {
559 description
560 "A wrapper around the NETCONF client parameters
561 to avoid name collisions.";
562 uses ncc:netconf-client-grouping;
563 }
564 }
565 }
566 case tls {
567 if-feature "tls-initiate";
568 container tls {
569 description
570 "Specifies IP and TLS specific configuration
571 for the connection.";
572 container tcp-client-parameters {
573 description
574 "A wrapper around the TCP client parameters
575 to avoid name collisions.";
576 uses tcpc:tcp-client-grouping {
577 refine "remote-port" {
578 default "6513";
579 description
580 "The NETCONF client will attempt to connect
581 to the IANA-assigned well-known port value
582 for 'netconf-tls' (6513) if no value is
583 specified.";
584 }
585 }
586 }
587 container tls-client-parameters {
588 must "client-identity" {
589 description
590 "NETCONF/TLS clients MUST pass some
591 authentication credentials.";
592 }
593 description
594 "A wrapper around the TLS client parameters
595 to avoid name collisions.";
596 uses tlsc:tls-client-grouping;
597 }
598 container netconf-client-parameters {
599 description
600 "A wrapper around the NETCONF client parameters
601 to avoid name collisions.";
602 uses ncc:netconf-client-grouping;
603 }
604 }
605 }
606 }
607 } // netconf-client-initiate-stack-grouping
609 grouping netconf-client-listen-stack-grouping {
610 description
611 "A reusable grouping for configuring a NETCONF client
612 'listen' protocol stack for a single connection.";
613 choice transport {
614 mandatory true;
615 description
616 "Selects between available transports.";
617 case ssh {
618 if-feature "ssh-listen";
619 container ssh {
620 description
621 "SSH-specific listening configuration for inbound
622 connections.";
623 container tcp-server-parameters {
624 description
625 "A wrapper around the TCP server parameters
626 to avoid name collisions.";
627 uses tcps:tcp-server-grouping {
628 refine "local-port" {
629 default "4334";
630 description
631 "The NETCONF client will listen on the IANA-
632 assigned well-known port for 'netconf-ch-ssh'
633 (4334) if no value is specified.";
634 }
635 }
636 }
637 container ssh-client-parameters {
638 description
639 "A wrapper around the SSH client parameters
640 to avoid name collisions.";
641 uses sshc:ssh-client-grouping;
642 }
643 container netconf-client-parameters {
644 description
645 "A wrapper around the NETCONF client parameters
646 to avoid name collisions.";
647 uses ncc:netconf-client-grouping;
648 }
649 }
650 }
651 case tls {
652 if-feature "tls-listen";
653 container tls {
654 description
655 "TLS-specific listening configuration for inbound
656 connections.";
657 container tcp-server-parameters {
658 description
659 "A wrapper around the TCP server parameters
660 to avoid name collisions.";
661 uses tcps:tcp-server-grouping {
662 refine "local-port" {
663 default "4335";
664 description
665 "The NETCONF client will listen on the IANA-
666 assigned well-known port for 'netconf-ch-tls'
667 (4335) if no value is specified.";
668 }
669 }
670 }
671 container tls-client-parameters {
672 must "client-identity" {
673 description
674 "NETCONF/TLS clients MUST pass some
675 authentication credentials.";
676 }
677 description
678 "A wrapper around the TLS client parameters
679 to avoid name collisions.";
680 uses tlsc:tls-client-grouping;
681 }
682 container netconf-client-parameters {
683 description
684 "A wrapper around the NETCONF client parameters
685 to avoid name collisions.";
686 uses ncc:netconf-client-grouping;
687 }
688 }
689 }
690 }
691 } // netconf-client-listen-stack-grouping
693 grouping netconf-client-app-grouping {
694 description
695 "A reusable grouping for configuring a NETCONF client
696 application that supports both 'initiate' and 'listen'
697 protocol stacks for a multiplicity of connections.";
698 container initiate {
699 if-feature "ssh-initiate or tls-initiate";
700 presence "Enables client to initiate TCP connections";
701 description
702 "Configures client initiating underlying TCP connections.";
703 list netconf-server {
704 key "name";
705 min-elements 1;
706 description
707 "List of NETCONF servers the NETCONF client is to
708 maintain simultaneous connections with.";
709 leaf name {
710 type string;
711 description
712 "An arbitrary name for the NETCONF server.";
713 }
714 container endpoints {
715 description
716 "Container for the list of endpoints.";
717 list endpoint {
718 key "name";
719 min-elements 1;
720 ordered-by user;
721 description
722 "A user-ordered list of endpoints that the NETCONF
723 client will attempt to connect to in the specified
724 sequence. Defining more than one enables
725 high-availability.";
726 leaf name {
727 type string;
728 description
729 "An arbitrary name for the endpoint.";
730 }
731 uses netconf-client-initiate-stack-grouping;
732 } // list endpoint
733 } // container endpoints
735 container connection-type {
736 description
737 "Indicates the NETCONF client's preference for how the
738 NETCONF connection is maintained.";
739 choice connection-type {
740 mandatory true;
741 description
742 "Selects between available connection types.";
743 case persistent-connection {
744 container persistent {
745 presence "Indicates that a persistent connection is
746 to be maintained.";
747 description
748 "Maintain a persistent connection to the NETCONF
749 server. If the connection goes down, immediately
750 start trying to reconnect to the NETCONF server,
751 using the reconnection strategy.
753 This connection type minimizes any NETCONF server
754 to NETCONF client data-transfer delay, albeit at
755 the expense of holding resources longer.";
756 }
757 }
758 case periodic-connection {
759 container periodic {
760 presence "Indicates that a periodic connection is
761 to be maintained.";
762 description
763 "Periodically connect to the NETCONF server.
765 This connection type decreases resource
766 utilization, albeit with increased delay in
767 NETCONF server to NETCONF client interactions.
769 The NETCONF client should close the underlying
770 TCP connection upon completing planned activities.
772 In the case that the previous connection is still
773 active, establishing a new connection is NOT
774 RECOMMENDED.";
775 leaf period {
776 type uint16;
777 units "minutes";
778 default "60";
779 description
780 "Duration of time between periodic connections.";
781 }
782 leaf anchor-time {
783 type yang:date-and-time {
784 // constrained to minute-level granularity
785 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
786 + '(Z|[\+\-]\d{2}:\d{2})';
787 }
788 description
789 "Designates a timestamp before or after which a
790 series of periodic connections are determined.
791 The periodic connections occur at a whole
792 multiple interval from the anchor time. For
793 example, if the anchor time is 15 minutes past
794 midnight and the period is 24 hours, then a
795 periodic connection will occur 15 minutes past
796 midnight every day.";
797 }
798 leaf idle-timeout {
799 type uint16;
800 units "seconds";
801 default 120; // two minutes
802 description
803 "Specifies the maximum number of seconds that
804 a NETCONF session may remain idle. A NETCONF
805 session will be dropped if it is idle for an
806 interval longer than this number of seconds.
807 If set to zero, then the NETCONF client will
808 never drop a session because it is idle.";
809 }
810 }
812 }
813 }
814 }
815 container reconnect-strategy {
816 description
817 "The reconnection strategy directs how a NETCONF client
818 reconnects to a NETCONF server, after discovering its
819 connection to the server has dropped, even if due to a
820 reboot. The NETCONF client starts with the specified
821 endpoint and tries to connect to it max-attempts times
822 before trying the next endpoint in the list (round
823 robin).";
824 leaf start-with {
825 type enumeration {
826 enum first-listed {
827 description
828 "Indicates that reconnections should start with
829 the first endpoint listed.";
830 }
831 enum last-connected {
832 description
833 "Indicates that reconnections should start with
834 the endpoint last connected to. If no previous
835 connection has ever been established, then the
836 first endpoint configured is used. NETCONF
837 clients SHOULD be able to remember the last
838 endpoint connected to across reboots.";
839 }
840 enum random-selection {
841 description
842 "Indicates that reconnections should start with
843 a random endpoint.";
844 }
845 }
846 default "first-listed";
847 description
848 "Specifies which of the NETCONF server's endpoints
849 the NETCONF client should start with when trying
850 to connect to the NETCONF server.";
851 }
852 leaf max-attempts {
853 type uint8 {
854 range "1..max";
855 }
856 default "3";
857 description
858 "Specifies the number of times the NETCONF client tries
859 to connect to a specific endpoint before moving on
860 to the next endpoint in the list (round robin).";
861 }
862 }
863 } // netconf-server
864 } // initiate
866 container listen {
867 if-feature "ssh-listen or tls-listen";
868 presence "Enables client to accept call-home connections";
869 description
870 "Configures client accepting call-home TCP connections.";
871 leaf idle-timeout {
872 type uint16;
873 units "seconds";
874 default "3600"; // one hour
875 description
876 "Specifies the maximum number of seconds that a NETCONF
877 session may remain idle. A NETCONF session will be
878 dropped if it is idle for an interval longer than this
879 number of seconds. If set to zero, then the server
880 will never drop a session because it is idle. Sessions
881 that have a notification subscription active are never
882 dropped.";
883 }
884 list endpoint {
885 key "name";
886 min-elements 1;
887 description
888 "List of endpoints to listen for NETCONF connections.";
889 leaf name {
890 type string;
891 description
892 "An arbitrary name for the NETCONF listen endpoint.";
893 }
894 uses netconf-client-listen-stack-grouping;
895 } // endpoint
896 } // listen
897 } // netconf-client-app-grouping
899 // Protocol accessible node, for servers that implement this
900 // module.
902 container netconf-client {
903 uses netconf-client-app-grouping;
904 description
905 "Top-level container for NETCONF client configuration.";
906 }
907 }
908
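The 'periodic' container in the module above ties the connection schedule to 'anchor-time' (constrained by the module's pattern to minute granularity) and 'period', and its 'idle-timeout' leaf treats zero as "never drop". The following Python is an added example, not code from the draft: it validates an anchor-time value against the same pattern, computes the next connection instant as a whole multiple of the period from the anchor (on either side of the anchor, as the description allows), and applies the idle-timeout rule. The function names, the string-in/string-out interface and the sample timestamps are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# The minute-granularity pattern the module applies to 'anchor-time'.
ANCHOR_TIME_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$')

PERIOD_DEFAULT_MINUTES = 60          # 'period' default in the module
IDLE_TIMEOUT_DEFAULT_SECONDS = 120   # periodic 'idle-timeout' default


def is_valid_anchor_time(value: str) -> bool:
    """True if the value would satisfy the YANG pattern for anchor-time."""
    return ANCHOR_TIME_RE.match(value) is not None


def _parse(value: str) -> datetime:
    """Parse an anchor-time-shaped string to an aware UTC datetime.
    The pattern is checked first so that, e.g., a seconds field is rejected."""
    if not is_valid_anchor_time(value):
        raise ValueError(f"{value!r} does not match the anchor-time pattern")
    # fromisoformat() before Python 3.11 does not accept a bare 'Z'.
    iso = value[:-1] + '+00:00' if value.endswith('Z') else value
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


def next_connection_time(anchor_time: str, now: str,
                         period_minutes: int = PERIOD_DEFAULT_MINUTES) -> str:
    """First instant strictly after `now` that is a whole number of periods
    from the anchor, returned as a UTC string in anchor-time form.
    The anchor may lie in the past or in the future."""
    if not 1 <= period_minutes <= 0xFFFF:   # uint16; 0 would never advance
        raise ValueError("period must be between 1 and 65535 minutes")
    anchor, current = _parse(anchor_time), _parse(now)
    period = timedelta(minutes=period_minutes)
    if current < anchor:
        nxt = anchor                          # first connection is the anchor itself
    else:
        k = (current - anchor) // period + 1  # timedelta // timedelta -> int
        nxt = anchor + k * period
    return nxt.strftime('%Y-%m-%dT%H:%MZ')


def session_idle_expired(idle_seconds: int,
                         idle_timeout: int = IDLE_TIMEOUT_DEFAULT_SECONDS) -> bool:
    """Apply the idle-timeout rule: a timeout of zero means never drop."""
    return idle_timeout != 0 and idle_seconds > idle_timeout


if __name__ == '__main__':
    # Constructed values (not from the draft's example): anchor 00:15Z,
    # period 24h, evaluated two days later -> next connection 2019-10-21T00:15Z.
    print(next_connection_time('2019-10-18T00:15Z', '2019-10-20T10:00Z', 1440))
```

Two edge cases are worth keeping in mind when implementing this: a 'now' earlier than the anchor must yield the anchor itself rather than a negative multiple, and a period of zero must be rejected rather than looping.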
910 4. The NETCONF Server Model
912 The NETCONF server model presented in this section supports both
913 listening for connections and initiating call-home connections,
914 using either the SSH or the TLS transport protocol.
916 YANG feature statements are used to enable implementations to
917 advertise which potentially uncommon parts of the model the NETCONF
918 server supports.
920 4.1. Tree Diagram
922 The following tree diagram [RFC8340] provides an overview of the data
923 model for the "ietf-netconf-server" module.
925 This tree diagram only shows the nodes defined in this module; it
926 does not show the nodes defined by "grouping" statements used by
927 this module.
929 Please see Appendix A.2 for a tree diagram that illustrates what the
930 module looks like with all the "grouping" statements expanded.
932 module: ietf-netconf-server
933 +--rw netconf-server
934 +---u netconf-server-app-grouping
936 grouping netconf-server-grouping
937 +-- client-identification
938 +-- cert-maps
939 +---u x509c2n:cert-to-name
940 grouping netconf-server-listen-stack-grouping
941 +-- (transport)
942 +--:(ssh) {ssh-listen}?
943 | +-- ssh
944 | +-- tcp-server-parameters
945 | | +---u tcps:tcp-server-grouping
946 | +-- ssh-server-parameters
947 | | +---u sshs:ssh-server-grouping
948 | +-- netconf-server-parameters
949 | +---u ncs:netconf-server-grouping
950 +--:(tls) {tls-listen}?
951 +-- tls
952 +-- tcp-server-parameters
953 | +---u tcps:tcp-server-grouping
954 +-- tls-server-parameters
955 | +---u tlss:tls-server-grouping
956 +-- netconf-server-parameters
957 +---u ncs:netconf-server-grouping
958 grouping netconf-server-callhome-stack-grouping
959 +-- (transport)
960 +--:(ssh) {ssh-call-home}?
961 | +-- ssh
962 | +-- tcp-client-parameters
963 | | +---u tcpc:tcp-client-grouping
964 | +-- ssh-server-parameters
965 | | +---u sshs:ssh-server-grouping
966 | +-- netconf-server-parameters
967 | +---u ncs:netconf-server-grouping
968 +--:(tls) {tls-call-home}?
969 +-- tls
970 +-- tcp-client-parameters
971 | +---u tcpc:tcp-client-grouping
972 +-- tls-server-parameters
973 | +---u tlss:tls-server-grouping
974 +-- netconf-server-parameters
975 +---u ncs:netconf-server-grouping
976 grouping netconf-server-app-grouping
977 +-- listen! {ssh-listen or tls-listen}?
978 | +-- idle-timeout? uint16
979 | +-- endpoint* [name]
980 | +-- name? string
981 | +---u netconf-server-listen-stack-grouping
982 +-- call-home! {ssh-call-home or tls-call-home}?
983 +-- netconf-client* [name]
984 +-- name? string
985 +-- endpoints
986 | +-- endpoint* [name]
987 | +-- name? string
988 | +---u netconf-server-callhome-stack-grouping
989 +-- connection-type
990 | +-- (connection-type)
991 | +--:(persistent-connection)
992 | | +-- persistent!
993 | +--:(periodic-connection)
994 | +-- periodic!
995 | +-- period? uint16
996 | +-- anchor-time? yang:date-and-time
997 | +-- idle-timeout? uint16
998 +-- reconnect-strategy
999 +-- start-with? enumeration
1000 +-- max-attempts? uint8
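The 'reconnect-strategy' container appears in the client model's 'initiate' branch (Section 3.3) and, as the tree diagram above shows, in the server's 'call-home' branch: 'start-with' picks the endpoint to begin with (first-listed, last-connected, or random-selection) and 'max-attempts' bounds the tries per endpoint before moving to the next one in round-robin order. The following Python is an added example, not code from the draft: it derives the attempt order from a user-ordered endpoint list and drives a caller-supplied connect() callback accordingly. The function names, the injectable index chooser for random-selection, the decision to stop after one full pass, and the sample endpoint names are this example's own assumptions.

```python
import random
from typing import Callable, List, Optional, Tuple

START_WITH_DEFAULT = 'first-listed'   # module default for 'start-with'
MAX_ATTEMPTS_DEFAULT = 3              # module default for 'max-attempts'


def reconnect_order(endpoints: List[str],
                    start_with: str = START_WITH_DEFAULT,
                    last_connected: Optional[str] = None,
                    choose_index: Callable[[int], int] = random.randrange
                    ) -> List[str]:
    """Rotate the user-ordered endpoint list so that the endpoint selected
    by 'start-with' comes first; the rest follow in configured order."""
    if not endpoints:
        raise ValueError('endpoint list has min-elements 1')
    if start_with == 'first-listed':
        start = 0
    elif start_with == 'last-connected':
        # No previous connection, or that endpoint is no longer configured:
        # fall back to the first endpoint, as the enum description says.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == 'random-selection':
        start = choose_index(len(endpoints))
    else:
        raise ValueError(f'unknown start-with value {start_with!r}')
    return endpoints[start:] + endpoints[:start]


def reconnect(endpoints: List[str],
              connect: Callable[[str], bool],
              start_with: str = START_WITH_DEFAULT,
              last_connected: Optional[str] = None,
              max_attempts: int = MAX_ATTEMPTS_DEFAULT,
              choose_index: Callable[[int], int] = random.randrange
              ) -> Tuple[Optional[str], List[str]]:
    """Try each endpoint up to max-attempts times before moving to the next.
    Returns (endpoint connected to or None, endpoints attempted in order).
    The draft does not say what happens once every endpoint has been tried;
    this example stops after one full pass and leaves backoff to the caller."""
    if not 1 <= max_attempts <= 255:      # uint8 with range "1..max"
        raise ValueError('max-attempts must be in 1..255')
    attempted: List[str] = []
    for endpoint in reconnect_order(endpoints, start_with, last_connected,
                                    choose_index):
        for _ in range(max_attempts):
            attempted.append(endpoint)
            if connect(endpoint):
                return endpoint, attempted
    return None, attempted


if __name__ == '__main__':
    # Constructed endpoint names and a fake connect() that only reaches ep-c.
    eps = ['ep-a', 'ep-b', 'ep-c']
    print(reconnect(eps, lambda ep: ep == 'ep-c'))
```

Persisting the last connected endpoint across reboots (as the 'last-connected' description recommends) is outside this snippet; the caller passes whatever it remembered as last_connected.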
1002 4.2. Example Usage
1004 The following example illustrates configuring a NETCONF server to
1005 listen for NETCONF client connections using both the SSH and TLS
1006 transport protocols, as well as configuring call-home to two NETCONF
1007 clients, one using SSH and the other using TLS.
1009 This example is consistent with the examples presented in Section 2
1010 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
1011 [I-D.ietf-netconf-keystore].
1013 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

[The XML instance example that followed did not survive extraction: the
element markup was stripped and only the element text values remain. The
surviving values are listed below in document order, with wrapped values
rejoined; element names and nesting are not recoverable from this copy.]

listen endpoint "netconf/ssh":
192.0.2.7; deployment-specific-certificate; rsa2048;
base64encodedvalue== (2 values)

listen endpoint "netconf/tls":
192.0.2.7; rsa2048; base64encodedvalue== (3 values);
explicitly-trusted-client-ca-certs; explicitly-trusted-client-certs;
cert-to-name entries: 1, 11:0A:05:11:00, x509c2n:san-any;
2, B3:4F:A1:8C:54, x509c2n:specified, scooby-doo

call-home client "config-mgr":
endpoint "east-data-center": east.config-mgr.example.com;
deployment-specific-certificate; rsa2048; base64encodedvalue== (2 values)
endpoint "west-data-center": west.config-mgr.example.com;
deployment-specific-certificate; rsa2048; base64encodedvalue== (2 values)
300; 60
last-connected; 3

call-home client "data-collector":
endpoint "east-data-center": east.analytics.example.com; 15; 3; 30;
rsa2048; base64encodedvalue== (3 values);
explicitly-trusted-client-ca-certs; explicitly-trusted-client-certs; 30; 3;
cert-to-name entries: 1, 11:0A:05:11:00, x509c2n:san-any;
2, B3:4F:A1:8C:54, x509c2n:specified, scooby-doo
endpoint "west-data-center": west.analytics.example.com; 15; 3; 30;
rsa2048; base64encodedvalue== (3 values);
explicitly-trusted-client-ca-certs; explicitly-trusted-client-certs; 30; 3;
cert-to-name entries: 1, 11:0A:05:11:00, x509c2n:san-any;
2, B3:4F:A1:8C:54, x509c2n:specified, scooby-doo
first-listed; 3
1312 4.3. YANG Module
1314 This YANG module has normative references to [RFC6242], [RFC6991],
1315 [RFC7407], [RFC7589], [RFC8071],
1316 [I-D.kwatsen-netconf-tcp-client-server],
1317 [I-D.ietf-netconf-ssh-client-server], and
1318 [I-D.ietf-netconf-tls-client-server].
1320 file "ietf-netconf-server@2019-10-18.yang"
1322 module ietf-netconf-server {
1323 yang-version 1.1;
1324 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
1325 prefix ncs;
1327 import ietf-yang-types {
1328 prefix yang;
1329 reference
1330 "RFC 6991: Common YANG Data Types";
1331 }
1333 import ietf-x509-cert-to-name {
1334 prefix x509c2n;
1335 reference
1336 "RFC 7407: A YANG Data Model for SNMP Configuration";
1337 }
1339 import ietf-tcp-client {
1340 prefix tcpc;
1341 reference
1342 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1343 }
1345 import ietf-tcp-server {
1346 prefix tcps;
1347 reference
1348 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1349 }
1351 import ietf-ssh-server {
1352 prefix sshs;
1353 revision-date 2019-10-18; // stable grouping definitions
1354 reference
1355 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
1356 }
1358 import ietf-tls-server {
1359 prefix tlss;
1360 revision-date 2019-10-18; // stable grouping definitions
1361 reference
1362 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
1363 }
1365 organization
1366 "IETF NETCONF (Network Configuration) Working Group";
1368 contact
1369 "WG Web:
1370 WG List:
1371 Author: Kent Watsen
1372 Author: Gary Wu
1373 Author: Juergen Schoenwaelder
1374 ";
1375 description
1376 "This module contains a collection of YANG definitions
1377 for configuring NETCONF servers.
1379 Copyright (c) 2019 IETF Trust and the persons identified
1380 as authors of the code. All rights reserved.
1382 Redistribution and use in source and binary forms, with
1383 or without modification, is permitted pursuant to, and
1384 subject to the license terms contained in, the Simplified
1385 BSD License set forth in Section 4.c of the IETF Trust's
1386 Legal Provisions Relating to IETF Documents
1387 (https://trustee.ietf.org/license-info).
1389 This version of this YANG module is part of RFC XXXX
1390 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1391 itself for full legal notices.
1393 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1394 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1395 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1396 are to be interpreted as described in BCP 14 (RFC 2119)
1397 (RFC 8174) when, and only when, they appear in all
1398 capitals, as shown here.";
1400 revision 2019-10-18 {
1401 description
1402 "Initial version";
1403 reference
1404 "RFC XXXX: NETCONF Client and Server Models";
1405 }
1407 // Features
1409 feature ssh-listen {
1410 description
1411 "The 'ssh-listen' feature indicates that the NETCONF server
1412 supports opening a port to accept NETCONF over SSH
1413 client connections.";
1414 reference
1415 "RFC 6242:
1416 Using the NETCONF Protocol over Secure Shell (SSH)";
1417 }
1419 feature tls-listen {
1420 description
1421 "The 'tls-listen' feature indicates that the NETCONF server
1422 supports opening a port to accept NETCONF over TLS
1423 client connections.";
1424 reference
1425 "RFC 7589: Using the NETCONF Protocol over Transport
1426 Layer Security (TLS) with Mutual X.509
1427 Authentication";
1428 }
1430 feature ssh-call-home {
1431 description
1432 "The 'ssh-call-home' feature indicates that the NETCONF
1433 server supports initiating a NETCONF over SSH call
1434 home connection to NETCONF clients.";
1435 reference
1436 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1437 }
1438 feature tls-call-home {
1439 description
1440 "The 'tls-call-home' feature indicates that the NETCONF
1441 server supports initiating a NETCONF over TLS call
1442 home connection to NETCONF clients.";
1443 reference
1444 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1445 }
1447 // Groupings
1449 grouping netconf-server-grouping {
1450 description
1451 "A reusable grouping for configuring a NETCONF server
1452 without any consideration for how underlying transport
1453 sessions are established.
1455 Note that this grouping uses a fairly typical descendant
1456 node name such that a stack of 'uses' statements will
1457 have name conflicts. It is intended that the consuming
1458 data model will resolve the issue by wrapping the 'uses'
1459 statement in a container called, e.g.,
1460 'netconf-server-parameters'. This model purposely does
1461 not do this itself so as to provide maximum flexibility
1462 to consuming models.";
1464 container client-identification {
1465 description
1466 "Specifies a mapping through which clients MAY be identified
1467 (i.e., the NETCONF username) from a supplied certificate.
1468 Note that a client MAY alternatively be identified via an
1469 HTTP-level authentication schema. This configuration does
1470 not require that clients send a certificate (that can be
1471 controlled via the ietf-netconf-server module).";
1472 container cert-maps {
1473 when "../../../../tls";
1474 uses x509c2n:cert-to-name;
1475 description
1476 "The cert-maps container is used by TLS-based NETCONF
1477 servers (even if the TLS sessions are terminated
1478 externally) to map the NETCONF client's presented
1479 X.509 certificate to a NETCONF username. If no
1480 matching and valid cert-to-name list entry can be
1481 found, then the NETCONF server MUST close the
1482 connection, and MUST NOT accept NETCONF messages
1483 over it.";
1484 reference
1485 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1487 }
1488 }
1489 }
1491 grouping netconf-server-listen-stack-grouping {
1492 description
1493 "A reusable grouping for configuring a NETCONF server
1494 'listen' protocol stack for a single connection.";
1495 choice transport {
1496 mandatory true;
1497 description
1498 "Selects between available transports.";
1499 case ssh {
1500 if-feature "ssh-listen";
1501 container ssh {
1502 description
1503 "SSH-specific listening configuration for inbound
1504 connections.";
1505 container tcp-server-parameters {
1506 description
1507 "A wrapper around the TCP server parameters
1508 to avoid name collisions.";
1509 uses tcps:tcp-server-grouping {
1510 refine "local-port" {
1511 default "830";
1512 description
1513 "The NETCONF server will listen on the
1514 IANA-assigned well-known port value
1515 for 'netconf-ssh' (830) if no value
1516 is specified.";
1517 }
1518 }
1519 }
1520 container ssh-server-parameters {
1521 description
1522 "A wrapper around the SSH server parameters
1523 to avoid name collisions.";
1524 uses sshs:ssh-server-grouping;
1525 }
1526 container netconf-server-parameters {
1527 description
1528 "A wrapper around the NETCONF server parameters
1529 to avoid name collisions.";
1530 uses ncs:netconf-server-grouping;
1531 }
1532 }
1533 }
1534 case tls {
1535 if-feature "tls-listen";
1536 container tls {
1537 description
1538 "TLS-specific listening configuration for inbound
1539 connections.";
1540 container tcp-server-parameters {
1541 description
1542 "A wrapper around the TCP server parameters
1543 to avoid name collisions.";
1544 uses tcps:tcp-server-grouping {
1545 refine "local-port" {
1546 default "6513";
1547 description
1548 "The NETCONF server will listen on the
1549 IANA-assigned well-known port value
1550 for 'netconf-tls' (6513) if no value
1551 is specified.";
1552 }
1553 }
1554 }
1555 container tls-server-parameters {
1556 description
1557 "A wrapper around the TLS server parameters to
1558 avoid name collisions.";
1559 uses tlss:tls-server-grouping {
1560 refine "client-authentication" {
1561 //must 'ca-certs or client-certs';
1562 description
1563 "NETCONF/TLS servers MUST validate client
1564 certificates.";
1565 }
1566 }
1567 }
1568 container netconf-server-parameters {
1569 description
1570 "A wrapper around the NETCONF server parameters
1571 to avoid name collisions.";
1572 uses ncs:netconf-server-grouping;
1573 }
1574 }
1575 }
1576 }
1577 }
1579 grouping netconf-server-callhome-stack-grouping {
1580 description
1581 "A reusable grouping for configuring a NETCONF server
1582 'call-home' protocol stack, for a single connection.";
1584 choice transport {
1585 mandatory true;
1586 description
1587 "Selects between available transports.";
1588 case ssh {
1589 if-feature "ssh-call-home";
1590 container ssh {
1591 description
1592 "Specifies SSH-specific call-home transport
1593 configuration.";
1594 container tcp-client-parameters {
1595 description
1596 "A wrapper around the TCP client parameters
1597 to avoid name collisions.";
1598 uses tcpc:tcp-client-grouping {
1599 refine "remote-port" {
1600 default "4334";
1601 description
1602 "The NETCONF server will attempt to connect
1603 to the IANA-assigned well-known port for
1604 'netconf-ch-ssh' (4334) if no value is
1605 specified.";
1606 }
1607 }
1608 }
1609 container ssh-server-parameters {
1610 description
1611 "A wrapper around the SSH server parameters
1612 to avoid name collisions.";
1613 uses sshs:ssh-server-grouping;
1614 }
1615 container netconf-server-parameters {
1616 description
1617 "A wrapper around the NETCONF server parameters
1618 to avoid name collisions.";
1619 uses ncs:netconf-server-grouping;
1620 }
1621 }
1622 }
1623 case tls {
1624 if-feature "tls-call-home";
1625 container tls {
1626 description
1627 "Specifies TLS-specific call-home transport
1628 configuration.";
1629 container tcp-client-parameters {
1630 description
1631 "A wrapper around the TCP client parameters
1632 to avoid name collisions.";
1633 uses tcpc:tcp-client-grouping {
1634 refine "remote-port" {
1635 default "4335";
1636 description
1637 "The NETCONF server will attempt to connect
1638 to the IANA-assigned well-known port for
1639 'netconf-ch-tls' (4335) if no value is
1640 specified.";
1641 }
1642 }
1643 }
1644 container tls-server-parameters {
1645 description
1646 "A wrapper around the TLS server parameters
1647 to avoid name collisions.";
1648 uses tlss:tls-server-grouping {
1649 refine "client-authentication" {
1650 /* commented out since auth could be external
1651 must 'ca-certs or client-certs';
1652 */
1653 description
1654 "NETCONF/TLS servers MUST validate client
1655 certificates.";
1656 }
1657 augment "client-authentication" {
1658 description
1659 "Augments in the cert-to-name structure.";
1660 container cert-maps {
1661 uses x509c2n:cert-to-name;
1662 description
1663 "The cert-maps container is used by a
1664 TLS-based NETCONF server to map the
1665 NETCONF client's presented X.509
1666 certificate to a NETCONF username. If
1667 no matching and valid cert-to-name list
1668 entry can be found, then the NETCONF
1669 server MUST close the connection, and
1670 MUST NOT accept NETCONF messages over
1671 it.";
1672 reference
1673 "RFC WWWW: NETCONF over TLS, Section 7";
1674 }
1675 }
1676 }
1677 }
1678 container netconf-server-parameters {
1679 description
1680 "A wrapper around the NETCONF server parameters
1681 to avoid name collisions.";
1682 uses ncs:netconf-server-grouping;
1683 }
1684 }
1685 }
1686 }
1687 }
1689 grouping netconf-server-app-grouping {
1690 description
1691 "A reusable grouping for configuring a NETCONF server
1692 application that supports both 'listen' and 'call-home'
1693 protocol stacks for a multiplicity of connections.";
1694 container listen {
1695 if-feature "ssh-listen or tls-listen";
1696 presence
1697 "Enables server to listen for NETCONF client connections.";
1698 description
1699 "Configures listen behavior.";
1700 leaf idle-timeout {
1701 type uint16;
1702 units "seconds";
1703 default 3600; // one hour
1704 description
1705 "Specifies the maximum number of seconds that a NETCONF
1706 session may remain idle. A NETCONF session will be
1707 dropped if it is idle for an interval longer than this
1708 number of seconds. If set to zero, then the server
1709 will never drop a session because it is idle. Sessions
1710 that have a notification subscription active are never
1711 dropped.";
1712 }
1713 list endpoint {
1714 key "name";
1715 min-elements 1;
1716 description
1717 "List of endpoints to listen for NETCONF connections.";
1718 leaf name {
1719 type string;
1720 description
1721 "An arbitrary name for the NETCONF listen endpoint.";
1722 }
1723 uses netconf-server-listen-stack-grouping;
1724 }
1725 }
1726 container call-home {
1727 if-feature "ssh-call-home or tls-call-home";
1728 presence
1729 "Enables the NETCONF server to initiate the underlying
1730 transport connection to NETCONF clients.";
1731 description "Configures call home behavior.";
1732 list netconf-client {
1733 key "name";
1734 min-elements 1;
1735 description
1736 "List of NETCONF clients the NETCONF server is to
1737 maintain simultaneous call-home connections with.";
1738 leaf name {
1739 type string;
1740 description
1741 "An arbitrary name for the remote NETCONF client.";
1742 }
1743 container endpoints {
1744 description
1745 "Container for the list of endpoints.";
1746 list endpoint {
1747 key "name";
1748 min-elements 1;
1749 ordered-by user;
1750 description
1751 "A non-empty user-ordered list of endpoints for this
1752 NETCONF server to try to connect to in sequence.
1753 Defining more than one enables high-availability.";
1754 leaf name {
1755 type string;
1756 description
1757 "An arbitrary name for this endpoint.";
1758 }
1759 uses netconf-server-callhome-stack-grouping;
1760 }
1761 }
1762 container connection-type {
1763 description
1764 "Indicates the NETCONF server's preference for how the
1765 NETCONF connection is maintained.";
1766 choice connection-type {
1767 mandatory true;
1768 description
1769 "Selects between available connection types.";
1770 case persistent-connection {
1771 container persistent {
1772 presence "Indicates that a persistent connection is
1773 to be maintained.";
1774 description
1775 "Maintain a persistent connection to the NETCONF
1776 client. If the connection goes down, immediately
1777 start trying to reconnect to the NETCONF client,
1778 using the reconnection strategy.
1780 This connection type minimizes any NETCONF client
1781 to NETCONF server data-transfer delay, albeit at
1782 the expense of holding resources longer.";
1783 }
1784 }
1785 case periodic-connection {
1786 container periodic {
1787 presence "Indicates that a periodic connection is
1788 to be maintained.";
1789 description
1790 "Periodically connect to the NETCONF client.
1792 This connection type decreases resource
1793 utilization, albeit with increased delay in
1794 NETCONF client to NETCONF server interactions.
1796 The NETCONF client SHOULD gracefully close the
1797 connection using upon completing
1798 planned activities. If the NETCONF session is
1799 not closed gracefully, the NETCONF server MUST
1800 immediately attempt to reestablish the connection.
1802 In the case that the previous connection is still
1803 active (i.e., the NETCONF client has not closed
1804 it yet), establishing a new connection is NOT
1805 RECOMMENDED.";
1806 leaf period {
1807 type uint16;
1808 units "minutes";
1809 default "60";
1810 description
1811 "Duration of time between periodic connections.";
1812 }
1813 leaf anchor-time {
1814 type yang:date-and-time {
1815 // constrained to minute-level granularity
1816 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1817 + '(Z|[\+\-]\d{2}:\d{2})';
1818 }
1819 description
1820 "Designates a timestamp before or after which a
1821 series of periodic connections are determined.
1822 The periodic connections occur at a whole
1823 multiple interval from the anchor time. For
1824 example, if the anchor time is 15 minutes past
1825 midnight and the period is 24 hours, then a
1826 periodic connection will occur 15 minutes past
1827 midnight every day.";
1828 }
1829 leaf idle-timeout {
1830 type uint16;
1831 units "seconds";
1832 default 120; // two minutes
1833 description
1834 "Specifies the maximum number of seconds that
1835 a NETCONF session may remain idle. A NETCONF
1836 session will be dropped if it is idle for an
1837 interval longer than this number of seconds.
1838 If set to zero, then the server will never
1839 drop a session because it is idle.";
1840 }
1841 }
1842 } // case periodic-connection
1843 } // choice connection-type
1844 } // container connection-type
1845 container reconnect-strategy {
1846 description
1847 "The reconnection strategy directs how a NETCONF server
1848 reconnects to a NETCONF client, after discovering its
1849 connection to the client has dropped, even if due to a
1850 reboot. The NETCONF server starts with the specified
1851 endpoint and tries to connect to it max-attempts times
1852 before trying the next endpoint in the list (round
1853 robin).";
1854 leaf start-with {
1855 type enumeration {
1856 enum first-listed {
1857 description
1858 "Indicates that reconnections should start with
1859 the first endpoint listed.";
1860 }
1861 enum last-connected {
1862 description
1863 "Indicates that reconnections should start with
1864 the endpoint last connected to. If no previous
1865 connection has ever been established, then the
1866 first endpoint configured is used. NETCONF
1867 servers SHOULD be able to remember the last
1868 endpoint connected to across reboots.";
1869 }
1870 enum random-selection {
1871 description
1872 "Indicates that reconnections should start with
1873 a random endpoint.";
1874 }
1875 }
1876 default "first-listed";
1877 description
1878 "Specifies which of the NETCONF client's endpoints
1879 the NETCONF server should start with when trying
1880 to connect to the NETCONF client.";
1881 }
1882 leaf max-attempts {
1883 type uint8 {
1884 range "1..max";
1885 }
1886 default "3";
1887 description
1888 "Specifies the number of times the NETCONF server tries
1889 to connect to a specific endpoint before moving on
1890 to the next endpoint in the list (round robin).";
1891 }
1892 } // container reconnect-strategy
1893 } // list netconf-client
1894 } // container call-home
1895 } // grouping netconf-server-app-grouping
1897 // Protocol accessible node, for servers that implement this
1898 // module.
1900 container netconf-server {
1901 uses netconf-server-app-grouping;
1902 description
1903 "Top-level container for NETCONF server configuration.";
1904 }
1905 }
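The 'cert-maps' container in netconf-server-grouping, and the copy augmented into the TLS call-home stack, configure the x509c2n:cert-to-name lookup that turns a NETCONF client's presented X.509 certificate into a NETCONF username, and they require the server to close the connection when no matching, valid entry exists. The Python below is an added example, not code from this draft or from any IETF module, showing that lookup run fail-closed over the two entries of the Section 4.2 example. The certificate is a constructed plain record rather than a parsed X.509 object, and every class and function name is an assumption made for this example; the choice to continue to the next entry when a matching entry yields no name is also this example's, the draft only requires that an unmapped client be rejected.

```python
# Added example: a fail-closed cert-to-name lookup in the spirit of the
# 'cert-maps' container (x509c2n:cert-to-name, RFC 7407).  The certificate
# is a constructed stand-in record; no X.509 parsing is done here.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for the certificate a NETCONF client presents."""
    fingerprint: str                     # colon-separated hex, as in Section 4.2
    common_name: Optional[str] = None    # subject CN
    san_rfc822: Tuple[str, ...] = ()     # subjectAltName rfc822Name values
    san_dns: Tuple[str, ...] = ()        # subjectAltName dNSName values
    san_ip: Tuple[str, ...] = ()         # subjectAltName iPAddress values


@dataclass(frozen=True)
class CertToNameEntry:
    """One entry of the cert-to-name list: id, fingerprint, map-type, name."""
    id: int
    fingerprint: str
    map_type: str                        # e.g. 'x509c2n:specified', 'x509c2n:san-any'
    name: Optional[str] = None           # used only with 'x509c2n:specified'


class ClientRejected(Exception):
    """No valid mapping: the server MUST close the connection."""


# The two entries from the Section 4.2 example, transcribed into records.
# (The example fingerprints are abbreviated placeholders and are compared
# here as opaque strings.)
EXAMPLE_CERT_MAPS = (
    CertToNameEntry(1, "11:0A:05:11:00", "x509c2n:san-any"),
    CertToNameEntry(2, "B3:4F:A1:8C:54", "x509c2n:specified", "scooby-doo"),
)


def _same_fingerprint(a: str, b: str) -> bool:
    # Compare ignoring case and the colon separators.
    return a.replace(":", "").lower() == b.replace(":", "").lower()


def _apply_map_type(entry: CertToNameEntry, cert: ClientCert) -> Optional[str]:
    """Derive a name per the entry's map-type; None if the cert lacks the field."""
    if entry.map_type == "x509c2n:specified":
        return entry.name or None
    if entry.map_type == "x509c2n:san-rfc822-name":
        return cert.san_rfc822[0] if cert.san_rfc822 else None
    if entry.map_type == "x509c2n:san-dns-name":
        return cert.san_dns[0] if cert.san_dns else None
    if entry.map_type == "x509c2n:san-ip-address":
        return cert.san_ip[0] if cert.san_ip else None
    if entry.map_type == "x509c2n:san-any":
        # First SAN of type rfc822Name, dNSName or iPAddress; this example
        # checks the three types in that order.
        for sans in (cert.san_rfc822, cert.san_dns, cert.san_ip):
            if sans:
                return sans[0]
        return None
    if entry.map_type == "x509c2n:common-name":
        return cert.common_name or None
    return None  # unknown map-type: no mapping rather than a guess


def netconf_username(cert: ClientCert, cert_maps: Iterable[CertToNameEntry]) -> str:
    """Return the NETCONF username for 'cert', or raise ClientRejected.

    Entries are walked in ascending 'id' order.  A fingerprint match selects
    the entry; if its map-type yields no name (for example san-any on a
    certificate without any SAN), this example moves on to the next entry.
    Running out of entries is the fail-closed case the module requires.
    """
    for entry in sorted(cert_maps, key=lambda e: e.id):
        if not _same_fingerprint(entry.fingerprint, cert.fingerprint):
            continue
        name = _apply_map_type(entry, cert)
        if name:
            return name
    raise ClientRejected(f"no cert-to-name entry maps fingerprint {cert.fingerprint}")


def authorize_client(cert: ClientCert, cert_maps: Iterable[CertToNameEntry]) -> Optional[str]:
    """The username, or None when the connection must be closed."""
    try:
        return netconf_username(cert, cert_maps)
    except ClientRejected:
        return None


if __name__ == "__main__":
    for cert in (ClientCert("B3:4F:A1:8C:54"),
                 ClientCert("11:0A:05:11:00", san_dns=("mgr.example.com",)),
                 ClientCert("11:0A:05:11:00"),
                 ClientCert("DE:AD:BE:EF:00")):
        print(cert.fingerprint, "->", authorize_client(cert, EXAMPLE_CERT_MAPS))
```

The last two certificates in the usage block are the cases the module's description is really about: a known fingerprint whose map-type cannot produce a name, and an unknown fingerprint. Both come back as None, which the server turns into closing the transport session rather than falling through to some default username.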
1907
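Two parts of the call-home configuration above describe behaviour a server has to implement rather than just store: the 'periodic' connection type, whose 'anchor-time' and 'period' leaves fix the instants at which connections occur (whole multiples of the period from the anchor), and the 'reconnect-strategy' container, whose 'start-with' and 'max-attempts' leaves define a round-robin pass over the user-ordered endpoint list. The Python below is an added example of both, not code from this draft or any IETF module; the function names and the endpoint strings are constructed for this example, and the anchor-time check reuses the module's own pattern.

```python
# Added example: server-side logic for the 'periodic' connection type and the
# 'reconnect-strategy' container of ietf-netconf-server.  Not code from the
# draft; function names and endpoint strings are constructed for this example.
import random
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator, Optional, Sequence, Tuple

# The anchor-time pattern from the module: minute granularity, 'Z' or +/-hh:mm.
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def is_valid_anchor_time(text: str) -> bool:
    """True when 'text' satisfies the module's pattern for anchor-time."""
    return ANCHOR_TIME_RE.match(text) is not None


def parse_anchor_time(text: str) -> datetime:
    """Parse an anchor-time into an aware datetime, rejecting non-conforming values."""
    if not is_valid_anchor_time(text):
        raise ValueError(f"anchor-time {text!r} must have minute granularity and a zone")
    # %z accepts both 'Z' and '+hh:mm' on Python 3.7 and later.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M%z")


def next_periodic_connection(anchor_time: str, period_minutes: int, now: datetime) -> datetime:
    """First instant >= 'now' that is a whole multiple of 'period' from the anchor.

    Connections occur at anchor + k*period for integer k; the anchor may lie
    in the past or in the future relative to 'now', so k may be negative.
    """
    if period_minutes <= 0:
        raise ValueError("period must be a positive number of minutes")
    if now.tzinfo is None:
        raise ValueError("'now' must be timezone-aware")
    anchor = parse_anchor_time(anchor_time)
    period = timedelta(minutes=period_minutes)
    # ceil((now - anchor) / period), using timedelta floor division.
    k = -((anchor - now) // period)
    return anchor + k * period


def reconnect_attempts(endpoints: Sequence[str], start_with: str = "first-listed",
                       max_attempts: int = 3, last_connected: Optional[str] = None,
                       rng: Optional[random.Random] = None) -> Iterator[Tuple[str, int]]:
    """Yield (endpoint, attempt) for one round-robin pass over the endpoint list.

    'start-with' selects where the pass begins; each endpoint is tried
    'max-attempts' times before moving to the next.  A persistent connection
    repeats the pass until an attempt succeeds.
    """
    if not endpoints:
        raise ValueError("endpoint list must have at least one entry (min-elements 1)")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # Fall back to the first endpoint when no connection was ever made.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value {start_with!r}")
    n = len(endpoints)
    for offset in range(n):
        endpoint = endpoints[(start + offset) % n]
        for attempt in range(1, max_attempts + 1):
            yield endpoint, attempt


def reconnect(endpoints: Sequence[str], connect: Callable[[str], bool],
              **strategy) -> Optional[Tuple[str, int]]:
    """Drive one pass of the strategy against connect(endpoint) -> bool.

    Returns (endpoint, attempts_made) on success, or None when the whole pass
    failed and the caller must decide whether to start another one.
    """
    made = 0
    for endpoint, _ in reconnect_attempts(endpoints, **strategy):
        made += 1
        if connect(endpoint):
            return endpoint, made
    return None


if __name__ == "__main__":
    now = datetime(2019, 10, 20, 12, 0, tzinfo=timezone.utc)
    print(next_periodic_connection("2019-10-18T00:15Z", 24 * 60, now))
    eps = ["east-data-center", "west-data-center"]
    print(reconnect(eps, lambda ep: ep == "west-data-center",
                    start_with="last-connected", max_attempts=3,
                    last_connected="east-data-center"))
```

The anchor-time check matters because yang:date-and-time on its own admits seconds and fractions; the module narrows it with a pattern so that the schedule is defined to the minute, and a server that parses the leaf leniently would accept values the model rejects. For the reconnect pass, the round-robin order is the point: with 'last-connected' the server exhausts 'max-attempts' on the endpoint it was talking to before it moves on, which is what makes the 'west-data-center' fallback in the Section 4.2 configuration a high-availability arrangement rather than a load-balancing one.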
1909 5. Security Considerations
1911 The YANG module defined in this document uses groupings defined in
1912 [I-D.kwatsen-netconf-tcp-client-server],
1913 [I-D.ietf-netconf-ssh-client-server], and
1914 [I-D.ietf-netconf-tls-client-server]. Please see the Security
1915 Considerations section in those documents for concerns related to those
1916 groupings.
1918 The YANG modules defined in this document are designed to be accessed
1919 via YANG based management protocols, such as NETCONF [RFC6241] and
1920 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1921 implement secure transport layers (e.g., SSH, TLS) with mutual
1922 authentication.
1924 The NETCONF access control model (NACM) [RFC8341] provides the means
1925 to restrict access for particular users to a pre-configured subset of
1926 all available protocol operations and content.
1928 There are a number of data nodes defined in the YANG modules that are
1929 writable/creatable/deletable (i.e., config true, which is the
1930 default). Some of these data nodes may be considered sensitive or
1931 vulnerable in some network environments. Write operations (e.g.,
1932 edit-config) to these data nodes without proper protection can have a
1933 negative effect on network operations. These are the subtrees and
1934 data nodes and their sensitivity/vulnerability:
1936 None of the subtrees or data nodes in the modules defined in this
1937 document need to be protected from write operations.
1939 Some of the readable data nodes in the YANG modules may be considered
1940 sensitive or vulnerable in some network environments. It is thus
1941 important to control read access (e.g., via get, get-config, or
1942 notification) to these data nodes. These are the subtrees and data
1943 nodes and their sensitivity/vulnerability:
1945 None of the subtrees or data nodes in the modules defined in this
1946 document need to be protected from read operations.
1948 Some of the RPC operations in the YANG modules may be considered
1949 sensitive or vulnerable in some network environments. It is thus
1950 important to control access to these operations. These are the
1951 operations and their sensitivity/vulnerability:
1953 The modules defined in this document do not define any 'RPC' or
1954 'action' statements.
1956 6. IANA Considerations
1958 6.1. The IETF XML Registry
1960 This document registers two URIs in the "ns" subregistry of the IETF
1961 XML Registry [RFC3688]. Following the format in [RFC3688], the
1962 following registrations are requested:
1964 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1965 Registrant Contact: The NETCONF WG of the IETF.
1966 XML: N/A, the requested URI is an XML namespace.
1968 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1969 Registrant Contact: The NETCONF WG of the IETF.
1970 XML: N/A, the requested URI is an XML namespace.
1972 6.2. The YANG Module Names Registry
1974 This document registers two YANG modules in the YANG Module Names
1975 registry [RFC6020]. Following the format in [RFC6020], the
1976 following registrations are requested:
1978 name: ietf-netconf-client
1979 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1980 prefix: ncc
1981 reference: RFC XXXX
1983 name: ietf-netconf-server
1984 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1985 prefix: ncs
1986 reference: RFC XXXX
1988 7. References
1990 7.1. Normative References
1992 [I-D.ietf-netconf-keystore]
1993 Watsen, K., "A YANG Data Model for a Keystore", draft-
1994 ietf-netconf-keystore-12 (work in progress), July 2019.
1996 [I-D.ietf-netconf-ssh-client-server]
1997 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH
1998 Clients and SSH Servers", draft-ietf-netconf-ssh-client-
1999 server-14 (work in progress), June 2019.
2001 [I-D.ietf-netconf-tls-client-server]
2002 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
2003 Clients and TLS Servers", draft-ietf-netconf-tls-client-
2004 server-14 (work in progress), July 2019.
2006 [I-D.kwatsen-netconf-tcp-client-server]
2007 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
2008 and TCP Servers", draft-kwatsen-netconf-tcp-client-
2009 server-02 (work in progress), April 2019.
2011 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2012 Requirement Levels", BCP 14, RFC 2119,
2013 DOI 10.17487/RFC2119, March 1997.
2016 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
2017 the Network Configuration Protocol (NETCONF)", RFC 6020,
2018 DOI 10.17487/RFC6020, October 2010.
2021 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
2022 and A. Bierman, Ed., "Network Configuration Protocol
2023 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
2026 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
2027 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.
2030 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
2031 RFC 6991, DOI 10.17487/RFC6991, July 2013.
2034 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
2035 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
2036 December 2014.
2038 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
2039 NETCONF Protocol over Transport Layer Security (TLS) with
2040 Mutual X.509 Authentication", RFC 7589,
2041 DOI 10.17487/RFC7589, June 2015.
2044 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
2045 RFC 7950, DOI 10.17487/RFC7950, August 2016.
2048 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2049 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
2050 May 2017.
2052 7.2. Informative References
2054 [I-D.ietf-netconf-trust-anchors]
2055 Watsen, K., "A YANG Data Model for a Truststore", draft-
2056 ietf-netconf-trust-anchors-05 (work in progress), June
2057 2019.
2059 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
2060 DOI 10.17487/RFC3688, January 2004.
2063 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
2064 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
2067 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
2068 RFC 8071, DOI 10.17487/RFC8071, February 2017.
2071 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
2072 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.
2075 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
2076 Access Control Model", STD 91, RFC 8341,
2077 DOI 10.17487/RFC8341, March 2018.
2080 Appendix A. Expanded Tree Diagrams
2082 A.1. Expanded Tree Diagram for 'ietf-netconf-client'
2084 The following tree diagram [RFC8340] provides an overview of the data
2085 model for the "ietf-netconf-client" module.
2087 This tree diagram shows all the nodes defined in this module,
2088 including those defined by "grouping" statements used by this module.
2090 Please see Section 3.1 for a tree diagram that illustrates what the
2091 module looks like without all the "grouping" statements expanded.
2093 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ==========
2095 module: ietf-netconf-client
2096 +--rw netconf-client
2097 +--rw initiate! {ssh-initiate or tls-initiate}?
2098 | +--rw netconf-server* [name]
2099 | +--rw name string
2100 | +--rw endpoints
2101 | | +--rw endpoint* [name]
2102 | | +--rw name string
2103 | | +--rw (transport)
2104 | | +--:(ssh) {ssh-initiate}?
2105 | | | +--rw ssh
2106 | | | +--rw tcp-client-parameters
2107 | | | | +--rw remote-address inet:host
2108 | | | | +--rw remote-port? inet:port-number
2109 | | | | +--rw local-address? inet:ip-address
2110 | | | | | {local-binding-supported}?
2111 | | | | +--rw local-port? inet:port-number
2112 | | | | | {local-binding-supported}?
2113 | | | | +--rw keepalives!
2114 | | | | {keepalives-supported}?
2115 | | | | +--rw idle-time uint16
2116 | | | | +--rw max-probes uint16
2117 | | | | +--rw probe-interval uint16
2118 | | | +--rw ssh-client-parameters
2119 | | | | +--rw client-identity
2120 | | | | | +--rw username? string
2121 | | | | | +--rw (auth-type)
2122 | | | | | +--:(password)
2123 | | | | | | +--rw password? string
2124 | | | | | +--:(public-key)
2125 | | | | | | +--rw public-key
2126 | | | | | | +--rw (local-or-keystore)
2127 | | | | | | +--:(local)
2128 | | | | | | | {local-definiti\
2129 \ons-supported}?
2130 | | | | | | | +--rw local-definition
2131 | | | | | | | +--rw algorithm
2132 | | | | | | | | asymmetric\
2133 \-key-algorithm-t
2134 | | | | | | | +--rw public-key-f\
2135 \ormat?
2136 | | | | | | | | identityref
2137 | | | | | | | +--rw public-key
2138 | | | | | | | | binary
2139 | | | | | | | +--rw private-key-\
2140 \format?
2141 | | | | | | | | identityref
2142 | | | | | | | +--rw (private-key\
2143 \-type)
2144 | | | | | | | +--:(private-ke\
2145 \y)
2146 | | | | | | | | +--rw privat\
2147 \e-key?
2148 | | | | | | | | bina\
2149 \ry
2150 | | | | | | | +--:(hidden-pri\
2151 \vate-key)
2152 | | | | | | | | +--rw hidden\
2153 \-private-key?
2154 | | | | | | | | empty
2155 | | | | | | | +--:(encrypted-\
2156 \private-key)
2157 | | | | | | | +--rw encryp\
2158 \ted-private-key
2159 | | | | | | | +--rw (ke\
2160 \y-type)
2161 | | | | | | | | +--:(s\
2162 \ymmetric-key-ref)
2163 | | | | | | | | | +--\
2164 \rw symmetric-key-ref? leafref
2165 | | | | | | | | | \
2166 \ {keystore-supported}?
2167 | | | | | | | | +--:(a\
2168 \symmetric-key-ref)
2169 | | | | | | | | +--\
2170 \rw asymmetric-key-ref? leafref
2171 | | | | | | | | \
2172 \ {keystore-supported}?
2173 | | | | | | | +--rw val\
2174 \ue?
2175 | | | | | | | b\
2177 \inary
2178 | | | | | | +--:(keystore)
2179 | | | | | | {keystore-suppo\
2180 \rted}?
2181 | | | | | | +--rw keystore-refere\
2182 \nce?
2183 | | | | | | ks:asymmetric\
2184 \-key-ref
2185 | | | | | +--:(certificate)
2186 | | | | | +--rw certificate
2187 | | | | | {sshcmn:ssh-x509-certs\
2188 \}?
2189 | | | | | +--rw (local-or-keystore)
2190 | | | | | +--:(local)
2191 | | | | | | {local-definiti\
2192 \ons-supported}?
2193 | | | | | | +--rw local-definition
2194 | | | | | | +--rw algorithm
2195 | | | | | | | asymmetric\
2196 \-key-algorithm-t
2197 | | | | | | +--rw public-key-f\
2198 \ormat?
2199 | | | | | | | identityref
2200 | | | | | | +--rw public-key
2201 | | | | | | | binary
2202 | | | | | | +--rw private-key-\
2203 \format?
2204 | | | | | | | identityref
2205 | | | | | | +--rw (private-key\
2206 \-type)
2207 | | | | | | | +--:(private-ke\
2208 \y)
2209 | | | | | | | | +--rw privat\
2210 \e-key?
2211 | | | | | | | | bina\
2212 \ry
2213 | | | | | | | +--:(hidden-pri\
2214 \vate-key)
2215 | | | | | | | | +--rw hidden\
2216 \-private-key?
2217 | | | | | | | | empty
2218 | | | | | | | +--:(encrypted-\
2219 \private-key)
2220 | | | | | | | +--rw encryp\
2221 \ted-private-key
2222 | | | | | | | +--rw (ke\
2223 \y-type)
2224 | | | | | | | | +--:(s\
2226 \ymmetric-key-ref)
2227 | | | | | | | | | +--\
2228 \rw symmetric-key-ref? leafref
2229 | | | | | | | | | \
2230 \ {keystore-supported}?
2231 | | | | | | | | +--:(a\
2232 \symmetric-key-ref)
2233 | | | | | | | | +--\
2234 \rw asymmetric-key-ref? leafref
2235 | | | | | | | | \
2236 \ {keystore-supported}?
2237 | | | | | | | +--rw val\
2238 \ue?
2239 | | | | | | | b\
2240 \inary
2241 | | | | | | +--rw cert?
2242 | | | | | | | end-entity\
2243 \-cert-cms
2244 | | | | | | +---n certificate-\
2245 \expiration
2246 | | | | | | | +-- expiration-\
2247 \date
2248 | | | | | | | yang:da\
2249 \te-and-time
2250 | | | | | | +---x generate-cer\
2251 \tificate-signing-request
2252 | | | | | | +---w input
2253 | | | | | | | +---w subject
2254 | | | | | | | | bina\
2255 \ry
2256 | | | | | | | +---w attrib\
2257 \utes?
2258 | | | | | | | bina\
2259 \ry
2260 | | | | | | +--ro output
2261 | | | | | | +--ro certif\
2262 \icate-signing-request
2263 | | | | | | bina\
2264 \ry
2265 | | | | | +--:(keystore)
2266 | | | | | {keystore-suppo\
2267 \rted}?
2268 | | | | | +--rw keystore-refere\
2269 \nce
2270 | | | | | +--rw asymmetric-k\
2271 \ey?
2272 | | | | | | ks:asymmet\
2273 \ric-key-ref
2274 | | | | | +--rw certificate?\
2275 \ leafref
2276 | | | | +--rw server-authentication
2277 | | | | | +--rw ssh-host-keys!
2278 | | | | | | {ts:ssh-host-keys}?
2279 | | | | | | +--rw (local-or-truststore)
2280 | | | | | | +--:(local)
2281 | | | | | | | {local-definitions-su\
2282 \pported}?
2283 | | | | | | | +--rw local-definition
2284 | | | | | | | +--rw host-key*
2285 | | | | | | | ct:ssh-host-key
2286 | | | | | | +--:(truststore)
2287 | | | | | | {truststore-supported\
2288 \,ssh-host-keys}?
2289 | | | | | | +--rw truststore-reference?
2290 | | | | | | ts:host-keys-ref
2291 | | | | | +--rw ca-certs!
2292 | | | | | | {sshcmn:ssh-x509-certs,ts:x5\
2293 \09-certificates}?
2294 | | | | | | +--rw (local-or-truststore)
2295 | | | | | | +--:(local)
2296 | | | | | | | {local-definitions-su\
2297 \pported}?
2298 | | | | | | | +--rw local-definition
2299 | | | | | | | +--rw cert*
2300 | | | | | | | | trust-anchor-cer\
2301 \t-cms
2302 | | | | | | | +---n certificate-expira\
2303 \tion
2304 | | | | | | | +-- expiration-date
2305 | | | | | | | yang:date-and\
2306 \-time
2307 | | | | | | +--:(truststore)
2308 | | | | | | {truststore-supported\
2309 \,x509-certificates}?
2310 | | | | | | +--rw truststore-reference?
2311 | | | | | | ts:certificates-ref
2312 | | | | | +--rw server-certs!
2313 | | | | | {sshcmn:ssh-x509-certs,ts:x5\
2314 \09-certificates}?
2315 | | | | | +--rw (local-or-truststore)
2316 | | | | | +--:(local)
2317 | | | | | | {local-definitions-su\
2318 \pported}?
2319 | | | | | | +--rw local-definition
2320 | | | | | | +--rw cert*
2321 | | | | | | | trust-anchor-cer\
2323 \t-cms
2324 | | | | | | +---n certificate-expira\
2325 \tion
2326 | | | | | | +-- expiration-date
2327 | | | | | | yang:date-and\
2328 \-time
2329 | | | | | +--:(truststore)
2330 | | | | | {truststore-supported\
2331 \,x509-certificates}?
2332 | | | | | +--rw truststore-reference?
2333 | | | | | ts:certificates-ref
2334 | | | | +--rw transport-params
2335 | | | | | {ssh-client-transport-params-co\
2336 \nfig}?
2337 | | | | | +--rw host-key
2338 | | | | | | +--rw host-key-alg* identityref
2339 | | | | | +--rw key-exchange
2340 | | | | | | +--rw key-exchange-alg*
2341 | | | | | | identityref
2342 | | | | | +--rw encryption
2343 | | | | | | +--rw encryption-alg*
2344 | | | | | | identityref
2345 | | | | | +--rw mac
2346 | | | | | +--rw mac-alg* identityref
2347 | | | | +--rw keepalives!
2348 | | | | {ssh-client-keepalives}?
2349 | | | | +--rw max-wait? uint16
2350 | | | | +--rw max-attempts? uint8
2351 | | | +--rw netconf-client-parameters
2352 | | +--:(tls) {tls-initiate}?
2353 | | +--rw tls
2354 | | +--rw tcp-client-parameters
2355 | | | +--rw remote-address inet:host
2356 | | | +--rw remote-port? inet:port-number
2357 | | | +--rw local-address? inet:ip-address
2358 | | | | {local-binding-supported}?
2359 | | | +--rw local-port? inet:port-number
2360 | | | | {local-binding-supported}?
2361 | | | +--rw keepalives!
2362 | | | {keepalives-supported}?
2363 | | | +--rw idle-time uint16
2364 | | | +--rw max-probes uint16
2365 | | | +--rw probe-interval uint16
2366 | | +--rw tls-client-parameters
2367 | | | +--rw client-identity
2368 | | | | +--rw (local-or-keystore)
2369 | | | | +--:(local)
2370 | | | | | {local-definitions-suppo\
2372 \rted}?
2373 | | | | | +--rw local-definition
2374 | | | | | +--rw algorithm
2375 | | | | | | asymmetric-key-algo\
2376 \rithm-t
2377 | | | | | +--rw public-key-format?
2378 | | | | | | identityref
2379 | | | | | +--rw public-key
2380 | | | | | | binary
2381 | | | | | +--rw private-key-format?
2382 | | | | | | identityref
2383 | | | | | +--rw (private-key-type)
2384 | | | | | | +--:(private-key)
2385 | | | | | | | +--rw private-key?
2386 | | | | | | | binary
2387 | | | | | | +--:(hidden-private-key)
2388 | | | | | | | +--rw hidden-private-\
2389 \key?
2390 | | | | | | | empty
2391 | | | | | | +--:(encrypted-private-k\
2392 \ey)
2393 | | | | | | +--rw encrypted-priva\
2394 \te-key
2395 | | | | | | +--rw (key-type)
2396 | | | | | | | +--:(symmetric-\
2397 \key-ref)
2398 | | | | | | | | +--rw symmet\
2399 \ric-key-ref? leafref
2400 | | | | | | | | {key\
2401 \store-supported}?
2402 | | | | | | | +--:(asymmetric\
2403 \-key-ref)
2404 | | | | | | | +--rw asymme\
2405 \tric-key-ref? leafref
2406 | | | | | | | {key\
2407 \store-supported}?
2408 | | | | | | +--rw value?
2409 | | | | | | binary
2410 | | | | | +--rw cert?
2411 | | | | | | end-entity-cert-cms
2412 | | | | | +---n certificate-expiration
2413 | | | | | | +-- expiration-date
2414 | | | | | | yang:date-and-ti\
2415 \me
2416 | | | | | +---x generate-certificate-\
2417 \signing-request
2418 | | | | | +---w input
2419 | | | | | | +---w subject
2420 | | | | | | | binary
2421 | | | | | | +---w attributes?
2422 | | | | | | binary
2423 | | | | | +--ro output
2424 | | | | | +--ro certificate-sig\
2425 \ning-request
2426 | | | | | binary
2427 | | | | +--:(keystore)
2428 | | | | {keystore-supported}?
2429 | | | | +--rw keystore-reference
2430 | | | | +--rw asymmetric-key?
2431 | | | | | ks:asymmetric-key-r\
2432 \ef
2433 | | | | +--rw certificate? lea\
2434 \fref
2435 | | | +--rw server-authentication
2436 | | | | +--rw ca-certs!
2437 | | | | | {ts:x509-certificates}?
2438 | | | | | +--rw (local-or-truststore)
2439 | | | | | +--:(local)
2440 | | | | | | {local-definitions-su\
2441 \pported}?
2442 | | | | | | +--rw local-definition
2443 | | | | | | +--rw cert*
2444 | | | | | | | trust-anchor-cer\
2445 \t-cms
2446 | | | | | | +---n certificate-expira\
2447 \tion
2448 | | | | | | +-- expiration-date
2449 | | | | | | yang:date-and\
2450 \-time
2451 | | | | | +--:(truststore)
2452 | | | | | {truststore-supported\
2453 \,x509-certificates}?
2454 | | | | | +--rw truststore-reference?
2455 | | | | | ts:certificates-ref
2456 | | | | +--rw server-certs!
2457 | | | | {ts:x509-certificates}?
2458 | | | | +--rw (local-or-truststore)
2459 | | | | +--:(local)
2460 | | | | | {local-definitions-su\
2461 \pported}?
2462 | | | | | +--rw local-definition
2463 | | | | | +--rw cert*
2464 | | | | | | trust-anchor-cer\
2465 \t-cms
2466 | | | | | +---n certificate-expira\
2467 \tion
2468 | | | | | +-- expiration-date
2469 | | | | | yang:date-and\
2470 \-time
2471 | | | | +--:(truststore)
2472 | | | | {truststore-supported\
2473 \,x509-certificates}?
2474 | | | | +--rw truststore-reference?
2475 | | | | ts:certificates-ref
2476 | | | +--rw hello-params
2477 | | | | {tls-client-hello-params-config\
2478 \}?
2479 | | | | +--rw tls-versions
2480 | | | | | +--rw tls-version* identityref
2481 | | | | +--rw cipher-suites
2482 | | | | +--rw cipher-suite* identityref
2483 | | | +--rw keepalives!
2484 | | | {tls-client-keepalives}?
2485 | | | +--rw max-wait? uint16
2486 | | | +--rw max-attempts? uint8
2487 | | +--rw netconf-client-parameters
2488 | +--rw connection-type
2489 | | +--rw (connection-type)
2490 | | +--:(persistent-connection)
2491 | | | +--rw persistent!
2492 | | +--:(periodic-connection)
2493 | | +--rw periodic!
2494 | | +--rw period? uint16
2495 | | +--rw anchor-time? yang:date-and-time
2496 | | +--rw idle-timeout? uint16
2497 | +--rw reconnect-strategy
2498 | +--rw start-with? enumeration
2499 | +--rw max-attempts? uint8
2500 +--rw listen! {ssh-listen or tls-listen}?
2501 +--rw idle-timeout? uint16
2502 +--rw endpoint* [name]
2503 +--rw name string
2504 +--rw (transport)
2505 +--:(ssh) {ssh-listen}?
2506 | +--rw ssh
2507 | +--rw tcp-server-parameters
2508 | | +--rw local-address inet:ip-address
2509 | | +--rw local-port? inet:port-number
2510 | | +--rw keepalives! {keepalives-supported}?
2511 | | +--rw idle-time uint16
2512 | | +--rw max-probes uint16
2513 | | +--rw probe-interval uint16
2514 | +--rw ssh-client-parameters
2515 | | +--rw client-identity
2516 | | | +--rw username? string
2517 | | | +--rw (auth-type)
2518 | | | +--:(password)
2519 | | | | +--rw password? string
2520 | | | +--:(public-key)
2521 | | | | +--rw public-key
2522 | | | | +--rw (local-or-keystore)
2523 | | | | +--:(local)
2524 | | | | | {local-definitions-su\
2525 \pported}?
2526 | | | | | +--rw local-definition
2527 | | | | | +--rw algorithm
2528 | | | | | | asymmetric-key-a\
2529 \lgorithm-t
2530 | | | | | +--rw public-key-format?
2531 | | | | | | identityref
2532 | | | | | +--rw public-key
2533 | | | | | | binary
2534 | | | | | +--rw private-key-format?
2535 | | | | | | identityref
2536 | | | | | +--rw (private-key-type)
2537 | | | | | +--:(private-key)
2538 | | | | | | +--rw private-key?
2539 | | | | | | binary
2540 | | | | | +--:(hidden-private-k\
2541 \ey)
2542 | | | | | | +--rw hidden-priva\
2543 \te-key?
2544 | | | | | | empty
2545 | | | | | +--:(encrypted-privat\
2546 \e-key)
2547 | | | | | +--rw encrypted-pr\
2548 \ivate-key
2549 | | | | | +--rw (key-type)
2550 | | | | | | +--:(symmetr\
2551 \ic-key-ref)
2552 | | | | | | | +--rw sym\
2553 \metric-key-ref? leafref
2554 | | | | | | | {\
2555 \keystore-supported}?
2556 | | | | | | +--:(asymmet\
2557 \ric-key-ref)
2558 | | | | | | +--rw asy\
2559 \mmetric-key-ref? leafref
2560 | | | | | | {\
2561 \keystore-supported}?
2562 | | | | | +--rw value?
2563 | | | | | binary
2564 | | | | +--:(keystore)
2565 | | | | {keystore-supported}?
2566 | | | | +--rw keystore-reference?
2567 | | | | ks:asymmetric-key-r\
2568 \ef
2569 | | | +--:(certificate)
2570 | | | +--rw certificate
2571 | | | {sshcmn:ssh-x509-certs}?
2572 | | | +--rw (local-or-keystore)
2573 | | | +--:(local)
2574 | | | | {local-definitions-su\
2575 \pported}?
2576 | | | | +--rw local-definition
2577 | | | | +--rw algorithm
2578 | | | | | asymmetric-key-a\
2579 \lgorithm-t
2580 | | | | +--rw public-key-format?
2581 | | | | | identityref
2582 | | | | +--rw public-key
2583 | | | | | binary
2584 | | | | +--rw private-key-format?
2585 | | | | | identityref
2586 | | | | +--rw (private-key-type)
2587 | | | | | +--:(private-key)
2588 | | | | | | +--rw private-key?
2589 | | | | | | binary
2590 | | | | | +--:(hidden-private-k\
2591 \ey)
2592 | | | | | | +--rw hidden-priva\
2593 \te-key?
2594 | | | | | | empty
2595 | | | | | +--:(encrypted-privat\
2596 \e-key)
2597 | | | | | +--rw encrypted-pr\
2598 \ivate-key
2599 | | | | | +--rw (key-type)
2600 | | | | | | +--:(symmetr\
2601 \ic-key-ref)
2602 | | | | | | | +--rw sym\
2603 \metric-key-ref? leafref
2604 | | | | | | | {\
2605 \keystore-supported}?
2606 | | | | | | +--:(asymmet\
2607 \ric-key-ref)
2608 | | | | | | +--rw asy\
2609 \mmetric-key-ref? leafref
2610 | | | | | | {\
2611 \keystore-supported}?
2612 | | | | | +--rw value?
2613 | | | | | binary
2614 | | | | +--rw cert?
2615 | | | | | end-entity-cert-\
2616 \cms
2617 | | | | +---n certificate-expira\
2618 \tion
2619 | | | | | +-- expiration-date
2620 | | | | | yang:date-and\
2621 \-time
2622 | | | | +---x generate-certifica\
2623 \te-signing-request
2624 | | | | +---w input
2625 | | | | | +---w subject
2626 | | | | | | binary
2627 | | | | | +---w attributes?
2628 | | | | | binary
2629 | | | | +--ro output
2630 | | | | +--ro certificate-\
2631 \signing-request
2632 | | | | binary
2633 | | | +--:(keystore)
2634 | | | {keystore-supported}?
2635 | | | +--rw keystore-reference
2636 | | | +--rw asymmetric-key?
2637 | | | | ks:asymmetric-ke\
2638 \y-ref
2639 | | | +--rw certificate? \
2640 \leafref
2641 | | +--rw server-authentication
2642 | | | +--rw ssh-host-keys! {ts:ssh-host-keys}?
2643 | | | | +--rw (local-or-truststore)
2644 | | | | +--:(local)
2645 | | | | | {local-definitions-supporte\
2646 \d}?
2647 | | | | | +--rw local-definition
2648 | | | | | +--rw host-key*
2649 | | | | | ct:ssh-host-key
2650 | | | | +--:(truststore)
2651 | | | | {truststore-supported,ssh-h\
2652 \ost-keys}?
2653 | | | | +--rw truststore-reference?
2654 | | | | ts:host-keys-ref
2655 | | | +--rw ca-certs!
2656 | | | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2657 \tificates}?
2658 | | | | +--rw (local-or-truststore)
2659 | | | | +--:(local)
2660 | | | | | {local-definitions-supporte\
2661 \d}?
2662 | | | | | +--rw local-definition
2663 | | | | | +--rw cert*
2664 | | | | | | trust-anchor-cert-cms
2665 | | | | | +---n certificate-expiration
2666 | | | | | +-- expiration-date
2667 | | | | | yang:date-and-time
2668 | | | | +--:(truststore)
2669 | | | | {truststore-supported,x509-\
2670 \certificates}?
2671 | | | | +--rw truststore-reference?
2672 | | | | ts:certificates-ref
2673 | | | +--rw server-certs!
2674 | | | {sshcmn:ssh-x509-certs,ts:x509-cer\
2675 \tificates}?
2676 | | | +--rw (local-or-truststore)
2677 | | | +--:(local)
2678 | | | | {local-definitions-supporte\
2679 \d}?
2680 | | | | +--rw local-definition
2681 | | | | +--rw cert*
2682 | | | | | trust-anchor-cert-cms
2683 | | | | +---n certificate-expiration
2684 | | | | +-- expiration-date
2685 | | | | yang:date-and-time
2686 | | | +--:(truststore)
2687 | | | {truststore-supported,x509-\
2688 \certificates}?
2689 | | | +--rw truststore-reference?
2690 | | | ts:certificates-ref
2691 | | +--rw transport-params
2692 | | | {ssh-client-transport-params-config}?
2693 | | | +--rw host-key
2694 | | | | +--rw host-key-alg* identityref
2695 | | | +--rw key-exchange
2696 | | | | +--rw key-exchange-alg* identityref
2697 | | | +--rw encryption
2698 | | | | +--rw encryption-alg* identityref
2699 | | | +--rw mac
2700 | | | +--rw mac-alg* identityref
2701 | | +--rw keepalives! {ssh-client-keepalives}?
2702 | | +--rw max-wait? uint16
2703 | | +--rw max-attempts? uint8
2704 | +--rw netconf-client-parameters
2705 +--:(tls) {tls-listen}?
2706 +--rw tls
2707 +--rw tcp-server-parameters
2708 | +--rw local-address inet:ip-address
2709 | +--rw local-port? inet:port-number
2710 | +--rw keepalives! {keepalives-supported}?
2711 | +--rw idle-time uint16
2712 | +--rw max-probes uint16
2713 | +--rw probe-interval uint16
2714 +--rw tls-client-parameters
2715 | +--rw client-identity
2716 | | +--rw (local-or-keystore)
2717 | | +--:(local)
2718 | | | {local-definitions-supported}?
2719 | | | +--rw local-definition
2720 | | | +--rw algorithm
2721 | | | | asymmetric-key-algorithm-t
2722 | | | +--rw public-key-format?
2723 | | | | identityref
2724 | | | +--rw public-key
2725 | | | | binary
2726 | | | +--rw private-key-format?
2727 | | | | identityref
2728 | | | +--rw (private-key-type)
2729 | | | | +--:(private-key)
2730 | | | | | +--rw private-key?
2731 | | | | | binary
2732 | | | | +--:(hidden-private-key)
2733 | | | | | +--rw hidden-private-key?
2734 | | | | | empty
2735 | | | | +--:(encrypted-private-key)
2736 | | | | +--rw encrypted-private-key
2737 | | | | +--rw (key-type)
2738 | | | | | +--:(symmetric-key-re\
2739 \f)
2740 | | | | | | +--rw symmetric-ke\
2741 \y-ref? leafref
2742 | | | | | | {keystore-\
2743 \supported}?
2744 | | | | | +--:(asymmetric-key-r\
2745 \ef)
2746 | | | | | +--rw asymmetric-k\
2747 \ey-ref? leafref
2748 | | | | | {keystore-\
2749 \supported}?
2750 | | | | +--rw value?
2751 | | | | binary
2752 | | | +--rw cert?
2753 | | | | end-entity-cert-cms
2754 | | | +---n certificate-expiration
2755 | | | | +-- expiration-date
2756 | | | | yang:date-and-time
2757 | | | +---x generate-certificate-signin\
2758 \g-request
2759 | | | +---w input
2760 | | | | +---w subject binary
2761 | | | | +---w attributes? binary
2762 | | | +--ro output
2763 | | | +--ro certificate-signing-r\
2764 \equest
2765 | | | binary
2766 | | +--:(keystore) {keystore-supported}?
2767 | | +--rw keystore-reference
2768 | | +--rw asymmetric-key?
2769 | | | ks:asymmetric-key-ref
2770 | | +--rw certificate? leafref
2771 | +--rw server-authentication
2772 | | +--rw ca-certs! {ts:x509-certificates}?
2773 | | | +--rw (local-or-truststore)
2774 | | | +--:(local)
2775 | | | | {local-definitions-supporte\
2776 \d}?
2777 | | | | +--rw local-definition
2778 | | | | +--rw cert*
2779 | | | | | trust-anchor-cert-cms
2780 | | | | +---n certificate-expiration
2781 | | | | +-- expiration-date
2782 | | | | yang:date-and-time
2783 | | | +--:(truststore)
2784 | | | {truststore-supported,x509-\
2785 \certificates}?
2786 | | | +--rw truststore-reference?
2787 | | | ts:certificates-ref
2788 | | +--rw server-certs! {ts:x509-certificates}?
2789 | | +--rw (local-or-truststore)
2790 | | +--:(local)
2791 | | | {local-definitions-supporte\
2792 \d}?
2793 | | | +--rw local-definition
2794 | | | +--rw cert*
2795 | | | | trust-anchor-cert-cms
2796 | | | +---n certificate-expiration
2797 | | | +-- expiration-date
2798 | | | yang:date-and-time
2799 | | +--:(truststore)
2800 | | {truststore-supported,x509-\
2801 \certificates}?
2802 | | +--rw truststore-reference?
2803 | | ts:certificates-ref
2804 | +--rw hello-params
2805 | | {tls-client-hello-params-config}?
2806 | | +--rw tls-versions
2807 | | | +--rw tls-version* identityref
2808 | | +--rw cipher-suites
2809 | | +--rw cipher-suite* identityref
2810 | +--rw keepalives! {tls-client-keepalives}?
2811 | +--rw max-wait? uint16
2812 | +--rw max-attempts? uint8
2813 +--rw netconf-client-parameters
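As an added example (not part of the draft or its YANG modules), the following Python audit walks a constructed XML instance of the 'listen' branch of the ietf-netconf-client tree above and reports the settings a reviewer checks first: a cleartext 'password' case of the (auth-type) choice, endpoints with no server-authentication container, and TLS endpoints with no pinned tls-versions. It assumes the module's declared namespace urn:ietf:params:xml:ns:yang:ietf-netconf-client; the endpoint, key, certificate and truststore names and the tls-version identity value are constructed.

```python
import xml.etree.ElementTree as ET

# XML namespace declared by the ietf-netconf-client module; nodes pulled in
# from the ssh/tls-client groupings take the using module's namespace.
NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-client"

# Constructed sample instance: the key, certificate and truststore names and
# the tls-version identity are illustrative values, not taken from the draft.
SAMPLE = f"""
<netconf-client xmlns="{NS}">
  <listen>
    <endpoint>
      <name>ch-ssh</name>
      <ssh>
        <tcp-server-parameters>
          <local-address>192.0.2.10</local-address>
        </tcp-server-parameters>
        <ssh-client-parameters>
          <client-identity>
            <username>admin</username>
            <password>hunter2</password>
          </client-identity>
        </ssh-client-parameters>
      </ssh>
    </endpoint>
    <endpoint>
      <name>ch-tls</name>
      <tls>
        <tcp-server-parameters>
          <local-address>192.0.2.10</local-address>
        </tcp-server-parameters>
        <tls-client-parameters>
          <client-identity>
            <keystore-reference>
              <asymmetric-key>mgmt-key</asymmetric-key>
              <certificate>mgmt-cert</certificate>
            </keystore-reference>
          </client-identity>
          <server-authentication>
            <ca-certs>
              <truststore-reference>netconf-cas</truststore-reference>
            </ca-certs>
          </server-authentication>
          <hello-params>
            <tls-versions>
              <tls-version>tlscmn:tls-1.2</tls-version>
            </tls-versions>
          </hello-params>
        </tls-client-parameters>
      </tls>
    </endpoint>
  </listen>
</netconf-client>
"""


def q(name):
    """Namespace-qualified tag for a node of the ietf-netconf-client tree."""
    return f"{{{NS}}}{name}"


def audit_listen(xml_text):
    """Return (endpoint-name, finding) pairs for every endpoint under 'listen'."""
    root = ET.fromstring(xml_text)
    findings = []
    for ep in root.iterfind(f"./{q('listen')}/{q('endpoint')}"):
        name = ep.findtext(q("name"))
        # (transport) choice: 'ssh' or 'tls', each with its own parameters node.
        if ep.find(q("ssh")) is not None:
            params = ep.find(q("ssh")).find(q("ssh-client-parameters"))
            verify = ("ssh-host-keys", "ca-certs", "server-certs")
        elif ep.find(q("tls")) is not None:
            params = ep.find(q("tls")).find(q("tls-client-parameters"))
            verify = ("ca-certs", "server-certs")
        else:
            findings.append((name, "no case of the (transport) choice present"))
            continue
        if params is None:
            findings.append((name, "transport present but client parameters missing"))
            continue
        # (auth-type) choice under client-identity: 'password' is a cleartext
        # string in the configuration, unlike the public-key/certificate cases.
        identity = params.find(q("client-identity"))
        if identity is not None and identity.find(q("password")) is not None:
            findings.append((name, "client-identity uses cleartext password"))
        # Presence containers under server-authentication: with none of them the
        # client has nothing to verify the calling-home server against.
        sa = params.find(q("server-authentication"))
        if sa is None or all(sa.find(q(c)) is None for c in verify):
            findings.append((name, "no server-authentication configured"))
        # hello-params/tls-versions: an empty list leaves the choice to defaults.
        if params.tag == q("tls-client-parameters"):
            path = f"./{q('hello-params')}/{q('tls-versions')}/{q('tls-version')}"
            if not [v.text for v in params.iterfind(path)]:
                findings.append((name, "tls-versions not pinned in hello-params"))
    return findings


if __name__ == "__main__":
    for endpoint, finding in audit_listen(SAMPLE):
        print(f"{endpoint}: {finding}")
```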
2815 A.2. Expanded Tree Diagram for 'ietf-netconf-server'
2817 The following tree diagram [RFC8340] provides an overview of the data
2818 model for the "ietf-netconf-server" module.
2820 This tree diagram shows all the nodes defined in this module,
2821 including those defined by "grouping" statements used by this module.
2823 Please see Section 4.1 for a tree diagram that illustrates what the
2824 module looks like without all the "grouping" statements expanded.
2826 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
2828 module: ietf-netconf-server
2829 +--rw netconf-server
2830 +--rw listen! {ssh-listen or tls-listen}?
2831 | +--rw idle-timeout? uint16
2832 | +--rw endpoint* [name]
2833 | +--rw name string
2834 | +--rw (transport)
2835 | +--:(ssh) {ssh-listen}?
2836 | | +--rw ssh
2837 | | +--rw tcp-server-parameters
2838 | | | +--rw local-address inet:ip-address
2839 | | | +--rw local-port? inet:port-number
2840 | | | +--rw keepalives! {keepalives-supported}?
2841 | | | +--rw idle-time uint16
2842 | | | +--rw max-probes uint16
2843 | | | +--rw probe-interval uint16
2844 | | +--rw ssh-server-parameters
2845 | | | +--rw server-identity
2846 | | | | +--rw host-key* [name]
2847 | | | | +--rw name string
2848 | | | | +--rw (host-key-type)
2849 | | | | +--:(public-key)
2850 | | | | | +--rw public-key
2851 | | | | | +--rw (local-or-keystore)
2852 | | | | | +--:(local)
2853 | | | | | | {local-definitions\
2854 \-supported}?
2855 | | | | | | +--rw local-definition
2856 | | | | | | +--rw algorithm
2857 | | | | | | | asymmetric-ke\
2858 \y-algorithm-t
2859 | | | | | | +--rw public-key-form\
2860 \at?
2861 | | | | | | | identityref
2862 | | | | | | +--rw public-key
2863 | | | | | | | binary
2864 | | | | | | +--rw private-key-for\
2865 \mat?
2866 | | | | | | | identityref
2867 | | | | | | +--rw (private-key-ty\
2868 \pe)
2869 | | | | | | +--:(private-key)
2870 | | | | | | | +--rw private-k\
2871 \ey?
2872 | | | | | | | binary
2873 | | | | | | +--:(hidden-privat\
2874 \e-key)
2875 | | | | | | | +--rw hidden-pr\
2876 \ivate-key?
2877 | | | | | | | empty
2878 | | | | | | +--:(encrypted-pri\
2879 \vate-key)
2880 | | | | | | +--rw encrypted\
2881 \-private-key
2882 | | | | | | +--rw (key-t\
2883 \ype)
2884 | | | | | | | +--:(symm\
2885 \etric-key-ref)
2886 | | | | | | | | +--rw \
2887 \symmetric-key-ref? leafref
2888 | | | | | | | | \
2889 \ {keystore-supported}?
2890 | | | | | | | +--:(asym\
2891 \metric-key-ref)
2892 | | | | | | | +--rw \
2893 \asymmetric-key-ref? leafref
2894 | | | | | | | \
2895 \ {keystore-supported}?
2896 | | | | | | +--rw value?
2897 | | | | | | bina\
2898 \ry
2899 | | | | | +--:(keystore)
2900 | | | | | {keystore-supporte\
2901 \d}?
2902 | | | | | +--rw keystore-reference?
2903 | | | | | ks:asymmetric-ke\
2904 \y-ref
2905 | | | | +--:(certificate)
2906 | | | | +--rw certificate
2907 | | | | {sshcmn:ssh-x509-certs}?
2908 | | | | +--rw (local-or-keystore)
2909 | | | | +--:(local)
2910 | | | | | {local-definitions\
2911 \-supported}?
2912 | | | | | +--rw local-definition
2913 | | | | | +--rw algorithm
2914 | | | | | | asymmetric-ke\
2915 \y-algorithm-t
2916 | | | | | +--rw public-key-form\
2917 \at?
2918 | | | | | | identityref
2919 | | | | | +--rw public-key
2920 | | | | | | binary
2921 | | | | | +--rw private-key-for\
2922 \mat?
2923 | | | | | | identityref
2924 | | | | | +--rw (private-key-ty\
2925 \pe)
2926 | | | | | | +--:(private-key)
2927 | | | | | | | +--rw private-k\
2928 \ey?
2929 | | | | | | | binary
2930 | | | | | | +--:(hidden-privat\
2931 \e-key)
2932 | | | | | | | +--rw hidden-pr\
2933 \ivate-key?
2934 | | | | | | | empty
2935 | | | | | | +--:(encrypted-pri\
2936 \vate-key)
2937 | | | | | | +--rw encrypted\
2938 \-private-key
2939 | | | | | | +--rw (key-t\
2940 \ype)
2941 | | | | | | | +--:(symm\
2942 \etric-key-ref)
2943 | | | | | | | | +--rw \
2944 \symmetric-key-ref? leafref
2945 | | | | | | | | \
2946 \ {keystore-supported}?
2947 | | | | | | | +--:(asym\
2949 \metric-key-ref)
2950 | | | | | | | +--rw \
2951 \asymmetric-key-ref? leafref
2952 | | | | | | | \
2953 \ {keystore-supported}?
2954 | | | | | | +--rw value?
2955 | | | | | | bina\
2956 \ry
2957 | | | | | +--rw cert?
2958 | | | | | | end-entity-ce\
2959 \rt-cms
2960 | | | | | +---n certificate-exp\
2961 \iration
2962 | | | | | | +-- expiration-date
2963 | | | | | | yang:date-\
2964 \and-time
2965 | | | | | +---x generate-certif\
2966 \icate-signing-request
2967 | | | | | +---w input
2968 | | | | | | +---w subject
2969 | | | | | | | binary
2970 | | | | | | +---w attribute\
2971 \s?
2972 | | | | | | binary
2973 | | | | | +--ro output
2974 | | | | | +--ro certifica\
2975 \te-signing-request
2976 | | | | | binary
2977 | | | | +--:(keystore)
2978 | | | | {keystore-supporte\
2979 \d}?
2980 | | | | +--rw keystore-reference
2981 | | | | +--rw asymmetric-key?
2982 | | | | | ks:asymmetric\
2983 \-key-ref
2984 | | | | +--rw certificate? \
2985 \ leafref
2986 | | | +--rw client-authentication
2987 | | | | +--rw supported-authentication-methods
2988 | | | | | +--rw publickey? empty
2989 | | | | | +--rw passsword? empty
2990 | | | | | +--rw hostbased? empty
2991 | | | | | +--rw none? empty
2992 | | | | | +--rw other* string
2993 | | | | +--rw (local-or-external)
2994 | | | | +--:(local)
2995 | | | | | {local-client-auth-supported}?
2996 | | | | | +--rw users
2997 | | | | | +--rw user* [name]
2998 | | | | | +--rw name string
2999 | | | | | +--rw password?
3000 | | | | | | ianach:crypt-hash
3001 | | | | | +--rw host-keys!
3002 | | | | | | {ts:ssh-host-keys}?
3003 | | | | | | +--rw (local-or-truststore)
3004 | | | | | | +--:(local)
3005 | | | | | | | {local-definiti\
3006 \ons-supported}?
3007 | | | | | | | +--rw local-definition
3008 | | | | | | | +--rw host-key*
3009 | | | | | | | ct:ssh-hos\
3010 \t-key
3011 | | | | | | +--:(truststore)
3012 | | | | | | {truststore-sup\
3013 \ported,ssh-host-keys}?
3014 | | | | | | +--rw truststore-refe\
3015 \rence?
3016 | | | | | | ts:host-keys-\
3017 \ref
3018 | | | | | +--rw ca-certs!
3019 | | | | | | {sshcmn:ssh-x509-certs\
3020 \,ts:x509-certificates}?
3021 | | | | | | +--rw (local-or-truststore)
3022 | | | | | | +--:(local)
3023 | | | | | | | {local-definiti\
3024 \ons-supported}?
3025 | | | | | | | +--rw local-definition
3026 | | | | | | | +--rw cert*
3027 | | | | | | | | trust-anch\
3028 \or-cert-cms
3029 | | | | | | | +---n certificate-\
3030 \expiration
3031 | | | | | | | +-- expiration-\
3032 \date
3033 | | | | | | | yang:da\
3034 \te-and-time
3035 | | | | | | +--:(truststore)
3036 | | | | | | {truststore-sup\
3037 \ported,x509-certificates}?
3038 | | | | | | +--rw truststore-refe\
3039 \rence?
3040 | | | | | | ts:certificat\
3041 \es-ref
3042 | | | | | +--rw client-certs!
3043 | | | | | {sshcmn:ssh-x509-certs\
3044 \,ts:x509-certificates}?
3045 | | | | | +--rw (local-or-truststore)
3046 | | | | | +--:(local)
3047 | | | | | | {local-definiti\
3048 \ons-supported}?
3049 | | | | | | +--rw local-definition
3050 | | | | | | +--rw cert*
3051 | | | | | | | trust-anch\
3052 \or-cert-cms
3053 | | | | | | +---n certificate-\
3054 \expiration
3055 | | | | | | +-- expiration-\
3056 \date
3057 | | | | | | yang:da\
3058 \te-and-time
3059 | | | | | +--:(truststore)
3060 | | | | | {truststore-sup\
3061 \ported,x509-certificates}?
3062 | | | | | +--rw truststore-refe\
3063 \rence?
3064 | | | | | ts:certificat\
3065 \es-ref
3066 | | | | +--:(external)
3067 | | | | {external-client-auth-supporte\
3068 \d}?
3069 | | | | +--rw client-auth-defined-elsewhere?
3070 | | | | empty
3071 | | | +--rw transport-params
3072 | | | | {ssh-server-transport-params-config}?
3073 | | | | +--rw host-key
3074 | | | | | +--rw host-key-alg* identityref
3075 | | | | +--rw key-exchange
3076 | | | | | +--rw key-exchange-alg* identityref
3077 | | | | +--rw encryption
3078 | | | | | +--rw encryption-alg* identityref
3079 | | | | +--rw mac
3080 | | | | +--rw mac-alg* identityref
3081 | | | +--rw keepalives! {ssh-server-keepalives}?
3082 | | | +--rw max-wait? uint16
3083 | | | +--rw max-attempts? uint8
3084 | | +--rw netconf-server-parameters
3085 | | +--rw client-identification
3086 | | +--rw cert-maps
3087 | | +--rw cert-to-name* [id]
3088 | | +--rw id uint32
3089 | | +--rw fingerprint
3090 | | | x509c2n:tls-fingerprint
3091 | | +--rw map-type identityref
3092 | | +--rw name string
3093 | +--:(tls) {tls-listen}?
3094 | +--rw tls
3095 | +--rw tcp-server-parameters
3096 | | +--rw local-address inet:ip-address
3097 | | +--rw local-port? inet:port-number
3098 | | +--rw keepalives! {keepalives-supported}?
3099 | | +--rw idle-time uint16
3100 | | +--rw max-probes uint16
3101 | | +--rw probe-interval uint16
3102 | +--rw tls-server-parameters
3103 | | +--rw server-identity
3104 | | | +--rw (local-or-keystore)
3105 | | | +--:(local)
3106 | | | | {local-definitions-supported}?
3107 | | | | +--rw local-definition
3108 | | | | +--rw algorithm
3109 | | | | | asymmetric-key-algorithm-t
3110 | | | | +--rw public-key-format?
3111 | | | | | identityref
3112 | | | | +--rw public-key
3113 | | | | | binary
3114 | | | | +--rw private-key-format?
3115 | | | | | identityref
3116 | | | | +--rw (private-key-type)
3117 | | | | | +--:(private-key)
3118 | | | | | | +--rw private-key?
3119 | | | | | | binary
3120 | | | | | +--:(hidden-private-key)
3121 | | | | | | +--rw hidden-private-key?
3122 | | | | | | empty
3123 | | | | | +--:(encrypted-private-key)
3124 | | | | | +--rw encrypted-private-key
3125 | | | | | +--rw (key-type)
3126 | | | | | | +--:(symmetric-key-re\
3127 \f)
3128 | | | | | | | +--rw symmetric-ke\
3129 \y-ref? leafref
3130 | | | | | | | {keystore-\
3131 \supported}?
3132 | | | | | | +--:(asymmetric-key-r\
3133 \ef)
3134 | | | | | | +--rw asymmetric-k\
3135 \ey-ref? leafref
3136 | | | | | | {keystore-\
3137 \supported}?
3138 | | | | | +--rw value?
3139 | | | | | binary
3140 | | | | +--rw cert?
3141 | | | | | end-entity-cert-cms
3142 | | | | +---n certificate-expiration
3143 | | | | | +-- expiration-date
3144 | | | | | yang:date-and-time
3145 | | | | +---x generate-certificate-signin\
3146 \g-request
3147 | | | | +---w input
3148 | | | | | +---w subject binary
3149 | | | | | +---w attributes? binary
3150 | | | | +--ro output
3151 | | | | +--ro certificate-signing-r\
3152 \equest
3153 | | | | binary
3154 | | | +--:(keystore) {keystore-supported}?
3155 | | | +--rw keystore-reference
3156 | | | +--rw asymmetric-key?
3157 | | | | ks:asymmetric-key-ref
3158 | | | +--rw certificate? leafref
3159 | | +--rw client-authentication!
3160 | | | +--rw (required-or-optional)
3161 | | | | +--:(required)
3162 | | | | | +--rw required?
3163 | | | | | empty
3164 | | | | +--:(optional)
3165 | | | | +--rw optional?
3166 | | | | empty
3167 | | | +--rw (local-or-external)
3168 | | | +--:(local)
3169 | | | | {local-client-auth-supported}?
3170 | | | | +--rw ca-certs!
3171 | | | | | {ts:x509-certificates}?
3172 | | | | | +--rw (local-or-truststore)
3173 | | | | | +--:(local)
3174 | | | | | | {local-definitions-su\
3175 \pported}?
3176 | | | | | | +--rw local-definition
3177 | | | | | | +--rw cert*
3178 | | | | | | | trust-anchor-cer\
3179 \t-cms
3180 | | | | | | +---n certificate-expira\
3181 \tion
3182 | | | | | | +-- expiration-date
3183 | | | | | | yang:date-and\
3184 \-time
3185 | | | | | +--:(truststore)
3186 | | | | | {truststore-supported\
3187 \,x509-certificates}?
3188 | | | | | +--rw truststore-reference?
3189 | | | | | ts:certificates-ref
3190 | | | | +--rw client-certs!
3191 | | | | {ts:x509-certificates}?
3192 | | | | +--rw (local-or-truststore)
3193 | | | | +--:(local)
3194 | | | | | {local-definitions-su\
3195 \pported}?
3196 | | | | | +--rw local-definition
3197 | | | | | +--rw cert*
3198 | | | | | | trust-anchor-cer\
3199 \t-cms
3200 | | | | | +---n certificate-expira\
3201 \tion
3202 | | | | | +-- expiration-date
3203 | | | | | yang:date-and\
3204 \-time
3205 | | | | +--:(truststore)
3206 | | | | {truststore-supported\
3207 \,x509-certificates}?
3208 | | | | +--rw truststore-reference?
3209 | | | | ts:certificates-ref
3210 | | | +--:(external)
3211 | | | {external-client-auth-supporte\
3212 \d}?
3213 | | | +--rw client-auth-defined-elsewhere?
3214 | | | empty
3215 | | +--rw hello-params
3216 | | | {tls-server-hello-params-config}?
3217 | | | +--rw tls-versions
3218 | | | | +--rw tls-version* identityref
3219 | | | +--rw cipher-suites
3220 | | | +--rw cipher-suite* identityref
3221 | | +--rw keepalives! {tls-server-keepalives}?
3222 | | +--rw max-wait? uint16
3223 | | +--rw max-attempts? uint8
3224 | +--rw netconf-server-parameters
3225 | +--rw client-identification
3226 | +--rw cert-maps
3227 | +--rw cert-to-name* [id]
3228 | +--rw id uint32
3229 | +--rw fingerprint
3230 | | x509c2n:tls-fingerprint
3231 | +--rw map-type identityref
3232 | +--rw name string
3233 +--rw call-home! {ssh-call-home or tls-call-home}?
3234 +--rw netconf-client* [name]
3235 +--rw name string
3236 +--rw endpoints
3237 | +--rw endpoint* [name]
3238 | +--rw name string
3239 | +--rw (transport)
3240 | +--:(ssh) {ssh-call-home}?
3241 | | +--rw ssh
3242 | | +--rw tcp-client-parameters
3243 | | | +--rw remote-address inet:host
3244 | | | +--rw remote-port? inet:port-number
3245 | | | +--rw local-address? inet:ip-address
3246 | | | | {local-binding-supported}?
3247 | | | +--rw local-port? inet:port-number
3248 | | | | {local-binding-supported}?
3249 | | | +--rw keepalives!
3250 | | | {keepalives-supported}?
3251 | | | +--rw idle-time uint16
3252 | | | +--rw max-probes uint16
3253 | | | +--rw probe-interval uint16
3254 | | +--rw ssh-server-parameters
3255 | | | +--rw server-identity
3256 | | | | +--rw host-key* [name]
3257 | | | | +--rw name string
3258 | | | | +--rw (host-key-type)
3259 | | | | +--:(public-key)
3260 | | | | | +--rw public-key
3261 | | | | | +--rw (local-or-keystore)
3262 | | | | | +--:(local)
3263 | | | | | | {local-defin\
3264 \itions-supported}?
3265 | | | | | | +--rw local-defini\
3266 \tion
3267 | | | | | | +--rw algorithm
3268 | | | | | | | asymmet\
3269 \ric-key-algorithm-t
3270 | | | | | | +--rw public-ke\
3271 \y-format?
3272 | | | | | | | identit\
3273 \yref
3274 | | | | | | +--rw public-key
3275 | | | | | | | binary
3276 | | | | | | +--rw private-k\
3277 \ey-format?
3278 | | | | | | | identit\
3279 \yref
3280 | | | | | | +--rw (private-\
3281 \key-type)
3282 | | | | | | +--:(private\
3283 \-key)
3284 | | | | | | | +--rw pri\
3286 \vate-key?
3287 | | | | | | | b\
3288 \inary
3289 | | | | | | +--:(hidden-\
3290 \private-key)
3291 | | | | | | | +--rw hid\
3292 \den-private-key?
3293 | | | | | | | e\
3294 \mpty
3295 | | | | | | +--:(encrypt\
3296 \ed-private-key)
3297 | | | | | | +--rw enc\
3298 \rypted-private-key
3299 | | | | | | +--rw \
3300 \(key-type)
3301 | | | | | | | +--\
3302 \:(symmetric-key-ref)
3303 | | | | | | | | \
3304 \+--rw symmetric-key-ref? leafref
3305 | | | | | | | | \
3306 \ {keystore-supported}?
3307 | | | | | | | +--\
3308 \:(asymmetric-key-ref)
3309 | | | | | | | \
3310 \+--rw asymmetric-key-ref? leafref
3311 | | | | | | | \
3312 \ {keystore-supported}?
3313 | | | | | | +--rw \
3314 \value?
3315 | | | | | | \
3316 \ binary
3317 | | | | | +--:(keystore)
3318 | | | | | {keystore-su\
3319 \pported}?
3320 | | | | | +--rw keystore-ref\
3321 \erence?
3322 | | | | | ks:asymmet\
3323 \ric-key-ref
3324 | | | | +--:(certificate)
3325 | | | | +--rw certificate
3326 | | | | {sshcmn:ssh-x509-ce\
3327 \rts}?
3328 | | | | +--rw (local-or-keystore)
3329 | | | | +--:(local)
3330 | | | | | {local-defin\
3331 \itions-supported}?
3332 | | | | | +--rw local-defini\
3333 \tion
3334 | | | | | +--rw algorithm
3335 | | | | | | asymmet\
3336 \ric-key-algorithm-t
3337 | | | | | +--rw public-ke\
3338 \y-format?
3339 | | | | | | identit\
3340 \yref
3341 | | | | | +--rw public-key
3342 | | | | | | binary
3343 | | | | | +--rw private-k\
3344 \ey-format?
3345 | | | | | | identit\
3346 \yref
3347 | | | | | +--rw (private-\
3348 \key-type)
3349 | | | | | | +--:(private\
3350 \-key)
3351 | | | | | | | +--rw pri\
3352 \vate-key?
3353 | | | | | | | b\
3354 \inary
3355 | | | | | | +--:(hidden-\
3356 \private-key)
3357 | | | | | | | +--rw hid\
3358 \den-private-key?
3359 | | | | | | | e\
3360 \mpty
3361 | | | | | | +--:(encrypt\
3362 \ed-private-key)
3363 | | | | | | +--rw enc\
3364 \rypted-private-key
3365 | | | | | | +--rw \
3366 \(key-type)
3367 | | | | | | | +--\
3368 \:(symmetric-key-ref)
3369 | | | | | | | | \
3370 \+--rw symmetric-key-ref? leafref
3371 | | | | | | | | \
3372 \ {keystore-supported}?
3373 | | | | | | | +--\
3374 \:(asymmetric-key-ref)
3375 | | | | | | | \
3376 \+--rw asymmetric-key-ref? leafref
3377 | | | | | | | \
3378 \ {keystore-supported}?
3379 | | | | | | +--rw \
3380 \value?
3381 | | | | | | \
3383 \ binary
3384 | | | | | +--rw cert?
3385 | | | | | | end-ent\
3386 \ity-cert-cms
3387 | | | | | +---n certifica\
3388 \te-expiration
3389 | | | | | | +-- expirati\
3390 \on-date
3391 | | | | | | yang\
3392 \:date-and-time
3393 | | | | | +---x generate-\
3394 \certificate-signing-request
3395 | | | | | +---w input
3396 | | | | | | +---w sub\
3397 \ject
3398 | | | | | | | b\
3399 \inary
3400 | | | | | | +---w att\
3401 \ributes?
3402 | | | | | | b\
3403 \inary
3404 | | | | | +--ro output
3405 | | | | | +--ro cer\
3406 \tificate-signing-request
3407 | | | | | b\
3408 \inary
3409 | | | | +--:(keystore)
3410 | | | | {keystore-su\
3411 \pported}?
3412 | | | | +--rw keystore-ref\
3413 \erence
3414 | | | | +--rw asymmetri\
3415 \c-key?
3416 | | | | | ks:asym\
3417 \metric-key-ref
3418 | | | | +--rw certifica\
3419 \te? leafref
3420 | | | +--rw client-authentication
3421 | | | | +--rw supported-authentication-metho\
3422 \ds
3423 | | | | | +--rw publickey? empty
3424 | | | | | +--rw passsword? empty
3425 | | | | | +--rw hostbased? empty
3426 | | | | | +--rw none? empty
3427 | | | | | +--rw other* string
3428 | | | | +--rw (local-or-external)
3429 | | | | +--:(local)
3430 | | | | | {local-client-auth-suppo\
3432 \rted}?
3433 | | | | | +--rw users
3434 | | | | | +--rw user* [name]
3435 | | | | | +--rw name
3436 | | | | | | string
3437 | | | | | +--rw password?
3438 | | | | | | ianach:crypt-hash
3439 | | | | | +--rw host-keys!
3440 | | | | | | {ts:ssh-host-key\
3441 \s}?
3442 | | | | | | +--rw (local-or-trust\
3443 \store)
3444 | | | | | | +--:(local)
3445 | | | | | | | {local-de\
3446 \finitions-supported}?
3447 | | | | | | | +--rw local-def\
3448 \inition
3449 | | | | | | | +--rw host-k\
3450 \ey*
3451 | | | | | | | ct:s\
3452 \sh-host-key
3453 | | | | | | +--:(truststore)
3454 | | | | | | {truststo\
3455 \re-supported,ssh-host-keys}?
3456 | | | | | | +--rw truststor\
3457 \e-reference?
3458 | | | | | | ts:host\
3459 \-keys-ref
3460 | | | | | +--rw ca-certs!
3461 | | | | | | {sshcmn:ssh-x509\
3462 \-certs,ts:x509-certificates}?
3463 | | | | | | +--rw (local-or-trust\
3464 \store)
3465 | | | | | | +--:(local)
3466 | | | | | | | {local-de\
3467 \finitions-supported}?
3468 | | | | | | | +--rw local-def\
3469 \inition
3470 | | | | | | | +--rw cert*
3471 | | | | | | | | trus\
3472 \t-anchor-cert-cms
3473 | | | | | | | +---n certif\
3474 \icate-expiration
3475 | | | | | | | +-- expir\
3476 \ation-date
3477 | | | | | | | y\
3478 \ang:date-and-time
3479 | | | | | | +--:(truststore)
3480 | | | | | | {truststo\
3481 \re-supported,x509-certificates}?
3482 | | | | | | +--rw truststor\
3483 \e-reference?
3484 | | | | | | ts:cert\
3485 \ificates-ref
3486 | | | | | +--rw client-certs!
3487 | | | | | {sshcmn:ssh-x509\
3488 \-certs,ts:x509-certificates}?
3489 | | | | | +--rw (local-or-trust\
3490 \store)
3491 | | | | | +--:(local)
3492 | | | | | | {local-de\
3493 \finitions-supported}?
3494 | | | | | | +--rw local-def\
3495 \inition
3496 | | | | | | +--rw cert*
3497 | | | | | | | trus\
3498 \t-anchor-cert-cms
3499 | | | | | | +---n certif\
3500 \icate-expiration
3501 | | | | | | +-- expir\
3502 \ation-date
3503 | | | | | | y\
3504 \ang:date-and-time
3505 | | | | | +--:(truststore)
3506 | | | | | {truststo\
3507 \re-supported,x509-certificates}?
3508 | | | | | +--rw truststor\
3509 \e-reference?
3510 | | | | | ts:cert\
3511 \ificates-ref
3512 | | | | +--:(external)
3513 | | | | {external-client-auth-su\
3514 \pported}?
3515 | | | | +--rw client-auth-defined-else\
3516 \where?
3517 | | | | empty
3518 | | | +--rw transport-params
3519 | | | | {ssh-server-transport-params-co\
3520 \nfig}?
3521 | | | | +--rw host-key
3522 | | | | | +--rw host-key-alg* identityref
3523 | | | | +--rw key-exchange
3524 | | | | | +--rw key-exchange-alg*
3525 | | | | | identityref
3526 | | | | +--rw encryption
3527 | | | | | +--rw encryption-alg*
3528 | | | | | identityref
3529 | | | | +--rw mac
3530 | | | | +--rw mac-alg* identityref
3531 | | | +--rw keepalives!
3532 | | | {ssh-server-keepalives}?
3533 | | | +--rw max-wait? uint16
3534 | | | +--rw max-attempts? uint8
3535 | | +--rw netconf-server-parameters
3536 | | +--rw client-identification
3537 | | +--rw cert-maps
3538 | | +--rw cert-to-name* [id]
3539 | | +--rw id uint32
3540 | | +--rw fingerprint
3541 | | | x509c2n:tls-fingerprint
3542 | | +--rw map-type
3543 | | | identityref
3544 | | +--rw name string
3545 | +--:(tls) {tls-call-home}?
3546 | +--rw tls
3547 | +--rw tcp-client-parameters
3548 | | +--rw remote-address inet:host
3549 | | +--rw remote-port? inet:port-number
3550 | | +--rw local-address? inet:ip-address
3551 | | | {local-binding-supported}?
3552 | | +--rw local-port? inet:port-number
3553 | | | {local-binding-supported}?
3554 | | +--rw keepalives!
3555 | | {keepalives-supported}?
3556 | | +--rw idle-time uint16
3557 | | +--rw max-probes uint16
3558 | | +--rw probe-interval uint16
3559 | +--rw tls-server-parameters
3560 | | +--rw server-identity
3561 | | | +--rw (local-or-keystore)
3562 | | | +--:(local)
3563 | | | | {local-definitions-suppo\
3564 \rted}?
3565 | | | | +--rw local-definition
3566 | | | | +--rw algorithm
3567 | | | | | asymmetric-key-algo\
3568 \rithm-t
3569 | | | | +--rw public-key-format?
3570 | | | | | identityref
3571 | | | | +--rw public-key
3572 | | | | | binary
3573 | | | | +--rw private-key-format?
3574 | | | | | identityref
3575 | | | | +--rw (private-key-type)
3576 | | | | | +--:(private-key)
3577 | | | | | | +--rw private-key?
3578 | | | | | | binary
3579 | | | | | +--:(hidden-private-key)
3580 | | | | | | +--rw hidden-private-\
3581 \key?
3582 | | | | | | empty
3583 | | | | | +--:(encrypted-private-k\
3584 \ey)
3585 | | | | | +--rw encrypted-priva\
3586 \te-key
3587 | | | | | +--rw (key-type)
3588 | | | | | | +--:(symmetric-\
3589 \key-ref)
3590 | | | | | | | +--rw symmet\
3591 \ric-key-ref? leafref
3592 | | | | | | | {key\
3593 \store-supported}?
3594 | | | | | | +--:(asymmetric\
3595 \-key-ref)
3596 | | | | | | +--rw asymme\
3597 \tric-key-ref? leafref
3598 | | | | | | {key\
3599 \store-supported}?
3600 | | | | | +--rw value?
3601 | | | | | binary
3602 | | | | +--rw cert?
3603 | | | | | end-entity-cert-cms
3604 | | | | +---n certificate-expiration
3605 | | | | | +-- expiration-date
3606 | | | | | yang:date-and-ti\
3607 \me
3608 | | | | +---x generate-certificate-\
3609 \signing-request
3610 | | | | +---w input
3611 | | | | | +---w subject
3612 | | | | | | binary
3613 | | | | | +---w attributes?
3614 | | | | | binary
3615 | | | | +--ro output
3616 | | | | +--ro certificate-sig\
3617 \ning-request
3618 | | | | binary
3619 | | | +--:(keystore)
3620 | | | {keystore-supported}?
3621 | | | +--rw keystore-reference
3622 | | | +--rw asymmetric-key?
3623 | | | | ks:asymmetric-key-r\
3625 \ef
3626 | | | +--rw certificate? lea\
3627 \fref
3628 | | +--rw client-authentication!
3629 | | | +--rw (required-or-optional)
3630 | | | | +--:(required)
3631 | | | | | +--rw required?
3632 | | | | | empty
3633 | | | | +--:(optional)
3634 | | | | +--rw optional?
3635 | | | | empty
3636 | | | +--rw (local-or-external)
3637 | | | | +--:(local)
3638 | | | | | {local-client-auth-suppo\
3639 \rted}?
3640 | | | | | +--rw ca-certs!
3641 | | | | | | {ts:x509-certificates}?
3642 | | | | | | +--rw (local-or-truststore)
3643 | | | | | | +--:(local)
3644 | | | | | | | {local-definiti\
3645 \ons-supported}?
3646 | | | | | | | +--rw local-definition
3647 | | | | | | | +--rw cert*
3648 | | | | | | | | trust-anch\
3649 \or-cert-cms
3650 | | | | | | | +---n certificate-\
3651 \expiration
3652 | | | | | | | +-- expiration-\
3653 \date
3654 | | | | | | | yang:da\
3655 \te-and-time
3656 | | | | | | +--:(truststore)
3657 | | | | | | {truststore-sup\
3658 \ported,x509-certificates}?
3659 | | | | | | +--rw truststore-refe\
3660 \rence?
3661 | | | | | | ts:certificat\
3662 \es-ref
3663 | | | | | +--rw client-certs!
3664 | | | | | {ts:x509-certificates}?
3665 | | | | | +--rw (local-or-truststore)
3666 | | | | | +--:(local)
3667 | | | | | | {local-definiti\
3668 \ons-supported}?
3669 | | | | | | +--rw local-definition
3670 | | | | | | +--rw cert*
3671 | | | | | | | trust-anch\
3672 \or-cert-cms
3673 | | | | | | +---n certificate-\
3674 \expiration
3675 | | | | | | +-- expiration-\
3676 \date
3677 | | | | | | yang:da\
3678 \te-and-time
3679 | | | | | +--:(truststore)
3680 | | | | | {truststore-sup\
3681 \ported,x509-certificates}?
3682 | | | | | +--rw truststore-refe\
3683 \rence?
3684 | | | | | ts:certificat\
3685 \es-ref
3686 | | | | +--:(external)
3687 | | | | {external-client-auth-su\
3688 \pported}?
3689 | | | | +--rw client-auth-defined-else\
3690 \where?
3691 | | | | empty
3692 | | | +--rw cert-maps
3693 | | | +--rw cert-to-name* [id]
3694 | | | +--rw id uint32
3695 | | | +--rw fingerprint
3696 | | | | x509c2n:tls-fingerprint
3697 | | | +--rw map-type
3698 | | | | identityref
3699 | | | +--rw name string
3700 | | +--rw hello-params
3701 | | | {tls-server-hello-params-config\
3702 \}?
3703 | | | +--rw tls-versions
3704 | | | | +--rw tls-version* identityref
3705 | | | +--rw cipher-suites
3706 | | | +--rw cipher-suite* identityref
3707 | | +--rw keepalives!
3708 | | {tls-server-keepalives}?
3709 | | +--rw max-wait? uint16
3710 | | +--rw max-attempts? uint8
3711 | +--rw netconf-server-parameters
3712 | +--rw client-identification
3713 | +--rw cert-maps
3714 | +--rw cert-to-name* [id]
3715 | +--rw id uint32
3716 | +--rw fingerprint
3717 | | x509c2n:tls-fingerprint
3718 | +--rw map-type
3719 | | identityref
3720 | +--rw name string
3721 +--rw connection-type
3722 | +--rw (connection-type)
3723 | +--:(persistent-connection)
3724 | | +--rw persistent!
3725 | +--:(periodic-connection)
3726 | +--rw periodic!
3727 | +--rw period? uint16
3728 | +--rw anchor-time? yang:date-and-time
3729 | +--rw idle-timeout? uint16
3730 +--rw reconnect-strategy
3731 +--rw start-with? enumeration
3732 +--rw max-attempts? uint8
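The "cert-maps" list in the tree above (cert-to-name keyed by "id", with a
"fingerprint" of type x509c2n:tls-fingerprint, a "map-type" identity and a
"name") is what a NETCONF-over-TLS server uses to turn a presented client
certificate into a NETCONF username. The Python below is an added
illustration of how a server evaluates that list; it is not code from this
draft or from its YANG modules. It assumes the ietf-x509-cert-to-name
semantics of RFC 7407: the first octet of a tls-fingerprint names the TLS
HashAlgorithm (RFC 5246 ids, e.g. 4 = sha256) used for the remaining octets,
entries are searched in ascending "id" order with the first fingerprint match
deciding, and map-type "specified" yields "name". The certificate bytes are
constructed stand-ins for DER; the hash-id table, the weak-hash policy and the
restriction to the "specified" map type are choices of this example.

```python
"""Evaluate a NETCONF server's cert-to-name list for a presented certificate.

Added illustration, not code from the draft.  Assumptions (taken from
RFC 7407 / RFC 5246, not from the tree diagram itself): the first octet
of an x509c2n:tls-fingerprint is the TLS HashAlgorithm id for the rest of
the octets; entries are tried in ascending 'id' order and the first
fingerprint match wins; map-type 'specified' returns the 'name' leaf.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

# TLS HashAlgorithm ids (RFC 5246 section 7.4.1.4.1) mapped to hashlib names.
_HASH_BY_ID = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
               5: "sha384", 6: "sha512"}
# Policy of this example: refuse collision-prone hashes, since a forged
# certificate with a colliding fingerprint would inherit the mapped name.
_WEAK_HASH_IDS = {1, 2}


@dataclass(frozen=True)
class CertToName:
    id: int                     # list key; also the search order
    fingerprint: str            # x509c2n:tls-fingerprint, "HH:HH:...:HH"
    map_type: str               # identity derived from x509c2n:cert-to-name
    name: Optional[str] = None  # only meaningful for map-type "specified"


def parse_tls_fingerprint(text: str) -> tuple[int, bytes]:
    """Split 'HH:HH:...' into (hash_algorithm_id, digest bytes)."""
    octets = bytes(int(h, 16) for h in text.split(":"))
    if len(octets) < 2:
        raise ValueError("fingerprint needs a hash id and a digest")
    return octets[0], octets[1:]


def tls_fingerprint(hash_id: int, cert_der: bytes) -> str:
    """Render the fingerprint of a DER certificate in x509c2n text form."""
    digest = hashlib.new(_HASH_BY_ID[hash_id], cert_der).digest()
    return ":".join(f"{b:02x}" for b in bytes([hash_id]) + digest)


def validate_cert_maps(entries: Sequence[CertToName]) -> None:
    """Reject a cert-maps configuration that would accept a forgeable match."""
    seen = set()
    for e in entries:
        if e.id in seen:
            raise ValueError(f"duplicate cert-to-name id {e.id}")
        seen.add(e.id)
        hash_id, digest = parse_tls_fingerprint(e.fingerprint)
        if hash_id not in _HASH_BY_ID:
            raise ValueError(f"entry {e.id}: unknown hash id {hash_id}")
        if hash_id in _WEAK_HASH_IDS:
            raise ValueError(f"entry {e.id}: refusing weak hash id {hash_id}")
        if len(digest) != hashlib.new(_HASH_BY_ID[hash_id]).digest_size:
            raise ValueError(f"entry {e.id}: digest length does not match hash")
        if e.map_type == "specified" and not e.name:
            raise ValueError(f"entry {e.id}: map-type 'specified' needs a name")


def map_cert_to_name(entries: Sequence[CertToName],
                     cert_der: bytes) -> Optional[str]:
    """Return the NETCONF username for the presented certificate, or None.

    Entries are walked in ascending id; the first fingerprint match decides.
    Only the presented (end-entity) certificate is compared here.
    """
    for e in sorted(entries, key=lambda x: x.id):
        hash_id, digest = parse_tls_fingerprint(e.fingerprint)
        if hashlib.new(_HASH_BY_ID[hash_id], cert_der).digest() != digest:
            continue
        if e.map_type == "specified":
            return e.name
        # san-rfc822-name, san-dns-name, san-ip-address, san-any and
        # common-name need an X.509 parser to extract the field; the
        # standard library has none, so stop rather than guess.
        raise NotImplementedError(f"map-type {e.map_type} needs X.509 parsing")
    return None  # no entry matched: the server must reject, not default


# Constructed stand-ins for two DER-encoded client certificates.
ADMIN_CERT = b"\x30\x82constructed-admin-cert"
GUEST_CERT = b"\x30\x82constructed-guest-cert"

CERT_MAPS = [
    CertToName(1, tls_fingerprint(4, ADMIN_CERT), "specified", "admin"),
    CertToName(2, tls_fingerprint(6, GUEST_CERT), "specified", "guest"),
]


def demo() -> dict:
    validate_cert_maps(CERT_MAPS)
    return {
        "admin": map_cert_to_name(CERT_MAPS, ADMIN_CERT),
        "guest": map_cert_to_name(CERT_MAPS, GUEST_CERT),
        "stranger": map_cert_to_name(CERT_MAPS, b"\x30\x82someone-else"),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when adapting this: a certificate that matches no
entry must end the session rather than fall through to a default user, and
the fingerprint list should be validated at configuration time (as
validate_cert_maps does) so that an md5 or sha1 entry, or a digest of the
wrong length, is refused before it can ever match.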
3734 Appendix B. Change Log
3736 B.1. 00 to 01
3738 o Renamed "keychain" to "keystore".
3740 B.2. 01 to 02
3742 o Added to ietf-netconf-client the ability to connect to a cluster of
3743 endpoints, including a reconnection-strategy.
3745 o Added to ietf-netconf-client the ability to configure connection-
3746 type and also keep-alive strategy.
3748 o Updated both modules to accommodate new groupings in the ssh/tls
3749 drafts.
3751 B.3. 02 to 03
3753 o Refined use of tls-client-grouping to add a must statement
3754 indicating that the TLS client must specify a client-certificate.
3756 o Changed 'netconf-client' to be a grouping (not a container).
3758 B.4. 03 to 04
3760 o Added RFC 8174 to Requirements Language Section.
3762 o Replaced refine statement in ietf-netconf-client to add a
3763 mandatory true.
3765 o Added refine statement in ietf-netconf-server to add a must
3766 statement.
3768 o Now there are containers and groupings, for both the client and
3769 server models.
3771 B.5. 04 to 05
3773 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
3775 o Updated examples to inline key and certificates (no longer a
3776 leafref to keystore)
3778 B.6. 05 to 06
3780 o Fixed change log missing section issue.
3782 o Updated examples to match latest updates to the crypto-types,
3783 trust-anchors, and keystore drafts.
3785 o Reduced line length of the YANG modules to fit within 69 columns.
3787 B.7. 06 to 07
3789 o Removed "idle-timeout" from "persistent" connection config.
3791 o Added "random-selection" for reconnection-strategy's "starts-with"
3792 enum.
3794 o Replaced "connection-type" choice default (persistent) with
3795 "mandatory true".
3797 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
3798 minutes.
3800 o Replaced reconnect-timeout with period/anchor-time combo.
3802 B.8. 07 to 08
3804 o Modified examples to be compatible with new crypto-types algs
3806 B.9. 08 to 09
3808 o Corrected use of "mandatory true" for "address" leafs.
3810 o Updated examples to reflect update to groupings defined in the
3811 keystore draft.
3813 o Updated to use groupings defined in new TCP and HTTP drafts.
3815 o Updated copyright date, boilerplate template, affiliation, and
3816 folding algorithm.
3818 B.10. 09 to 10
3820 o Reformatted YANG modules.
3822 B.11. 10 to 11
3824 o Adjusted for the top-level "demux container" added to groupings
3825 imported from other modules.
3827 o Added "must" expressions to ensure that keepalives are not
3828 configured for "periodic" connections.
3830 o Updated the boilerplate text in module-level "description"
3831 statement to match copyeditor convention.
3833 o Moved "expanded" tree diagrams to the Appendix.
3835 B.12. 11 to 12
3837 o Removed the "Design Considerations" section.
3839 o Removed the 'must' statement limiting keepalives in periodic
3840 connections.
3842 o Updated models and examples to reflect removal of the "demux"
3843 containers in the imported models.
3845 o Updated the "periodic-connection" description statements to be
3846 more like the RESTCONF draft, especially where it described
3847 dropping the underlying TCP connection.
3849 o Updated text to better reference where certain examples come from
3850 (e.g., which Section in which draft).
3852 o In the server model, commented out the "must 'pinned-ca-certs or
3853 pinned-client-certs'" statement to reflect change made in the TLS
3854 draft whereby the trust anchors MAY be defined externally.
3856 o Replaced the 'listen', 'initiate', and 'call-home' features with
3857 boolean expressions.
3859 B.13. 12 to 13
3861 o Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
3862 anchors/truststore/g + s/pinned.//)
3864 B.14. 13 to 14
3866 o Adjusting from change in TLS client model (removing the top-level
3867 'certificate' container), by swapping refining-in a 'mandatory
3868 true' statement with a 'must' statement outside the 'uses'
3869 statement.
3871 o Updated examples to reflect ietf-crypto-types change (e.g.,
3872 identities --> enumerations)
3874 B.15. 14 to 15
3876 o Refactored both the client and server modules similar to how the
3877 ietf-restconf-server module was refactored in -13 of that draft,
3878 and the ietf-restconf-client grouping.
3880 Acknowledgements
3882 The authors would like to thank the following for lively discussions
3883 on list and in the halls (ordered by last name): Andy Bierman, Martin
3884 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
3885 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
3886 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
3887 Wijnen.
3889 Author's Address
3891 Kent Watsen
3892 Watsen Networks
3894 EMail: kent+ietf@watsen.net