NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                        November 1, 2019
Expires: May 4, 2020

                    NETCONF Client and Server Models
               draft-ietf-netconf-netconf-client-server-16

Abstract

   This document defines two YANG modules, one module to configure a
   NETCONF client and the other module to configure a NETCONF server.
   Both modules support both the SSH and TLS transport protocols, and
   support both standard NETCONF and NETCONF Call Home connections.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  I-D.ietf-netconf-keystore

   o  I-D.ietf-netconf-tcp-client-server

   o  I-D.ietf-netconf-ssh-client-server

   o  I-D.ietf-netconf-tls-client-server

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "XXXX" --> the assigned RFC value for this draft

   o  "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
      server

   o  "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
      server

   o  "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
      server

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2019-11-02" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 4, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The NETCONF Client Model
     3.1.  Tree Diagram
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The NETCONF Server Model
     4.1.  Tree Diagram
     4.2.  Example Usage
     4.3.  YANG Module
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  The IETF XML Registry
     6.2.  The YANG Module Names Registry
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Expanded Tree Diagrams
     A.1.  Expanded Tree Diagram for 'ietf-netconf-client'
     A.2.  Expanded Tree Diagram for 'ietf-netconf-server'
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10.  09 to 10
     B.11.  10 to 11
     B.12.  11 to 12
     B.13.  12 to 13
     B.14.  13 to 14
     B.15.  14 to 15
     B.16.  15 to 16
   Acknowledgements
   Author's Address

1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a NETCONF [RFC6241] client and the other module to
   configure a NETCONF server.  Both modules support both NETCONF over
   SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
   connections [RFC8071].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The NETCONF Client Model

   The NETCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home, using either the
   SSH or TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   client supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.
   module: ietf-netconf-client
     +--rw netconf-client
        +---u netconf-client-app-grouping

     grouping netconf-client-grouping
     grouping netconf-client-initiate-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-initiate}?
          |  +-- ssh
          |     +-- tcp-client-parameters
          |     |  +---u tcpc:tcp-client-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-initiate}?
             +-- tls
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-listen-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-listen}?
          |  +-- ssh
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-listen}?
             +-- tls
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-app-grouping
       +-- initiate! {ssh-initiate or tls-initiate}?
       |  +-- netconf-server* [name]
       |     +-- name?                 string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?                                 string
       |     |     +---u netconf-client-initiate-stack-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {ssh-listen or tls-listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?                               string
             +---u netconf-client-listen-stack-grouping

3.2.  Example Usage

   The following example illustrates configuring a NETCONF client to
   initiate connections, using both the SSH and TLS transport protocols,
   as well as listening for call-home connections, again using both the
   SSH and TLS transport protocols.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   [XML configuration example for the NETCONF client: the markup was not
   preserved by text extraction and the example is not recoverable here.]

3.3.  YANG Module

   This YANG module has normative references to [RFC6242], [RFC6991],
   [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].
399 file "ietf-netconf-client@2019-11-02.yang" 401 module ietf-netconf-client { 402 yang-version 1.1; 403 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client"; 404 prefix ncc; 406 import ietf-yang-types { 407 prefix yang; 408 reference 409 "RFC 6991: Common YANG Data Types"; 410 } 412 import ietf-tcp-client { 413 prefix tcpc; 414 reference 415 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 416 } 417 import ietf-tcp-server { 418 prefix tcps; 419 reference 420 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 421 } 423 import ietf-ssh-client { 424 prefix sshc; 425 revision-date 2019-11-02; // stable grouping definitions 426 reference 427 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; 428 } 429 import ietf-tls-client { 430 prefix tlsc; 431 revision-date 2019-11-02; // stable grouping definitions 432 reference 433 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; 434 } 436 organization 437 "IETF NETCONF (Network Configuration) Working Group"; 439 contact 440 "WG Web: 441 WG List: 442 Author: Kent Watsen 443 Author: Gary Wu "; 445 description 446 "This module contains a collection of YANG definitions 447 for configuring NETCONF clients. 449 Copyright (c) 2019 IETF Trust and the persons identified 450 as authors of the code. All rights reserved. 452 Redistribution and use in source and binary forms, with 453 or without modification, is permitted pursuant to, and 454 subject to the license terms contained in, the Simplified 455 BSD License set forth in Section 4.c of the IETF Trust's 456 Legal Provisions Relating to IETF Documents 457 (https://trustee.ietf.org/license-info). 
459 This version of this YANG module is part of RFC XXXX 460 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC 461 itself for full legal notices.; 463 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 464 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 465 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 466 are to be interpreted as described in BCP 14 (RFC 2119) 467 (RFC 8174) when, and only when, they appear in all 468 capitals, as shown here."; 470 revision 2019-11-02 { 471 description 472 "Initial version"; 473 reference 474 "RFC XXXX: NETCONF Client and Server Models"; 475 } 476 // Features 478 feature ssh-initiate { 479 description 480 "The 'ssh-initiate' feature indicates that the NETCONF client 481 supports initiating SSH connections to NETCONF servers."; 482 reference 483 "RFC 6242: 484 Using the NETCONF Protocol over Secure Shell (SSH)"; 485 } 487 feature tls-initiate { 488 description 489 "The 'tls-initiate' feature indicates that the NETCONF client 490 supports initiating TLS connections to NETCONF servers."; 491 reference 492 "RFC 7589: Using the NETCONF Protocol over Transport 493 Layer Security (TLS) with Mutual X.509 Authentication"; 494 } 496 feature ssh-listen { 497 description 498 "The 'ssh-listen' feature indicates that the NETCONF client 499 supports opening a port to listen for incoming NETCONF 500 server call-home SSH connections."; 501 reference 502 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 503 } 505 feature tls-listen { 506 description 507 "The 'tls-listen' feature indicates that the NETCONF client 508 supports opening a port to listen for incoming NETCONF 509 server call-home TLS connections."; 510 reference 511 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 512 } 514 // Groupings 516 grouping netconf-client-grouping { 517 description 518 "A reusable grouping for configuring a NETCONF client 519 without any consideration for how underlying transport 520 sessions are established. 
522 This grouping currently doesn't define any nodes."; 523 } 524 grouping netconf-client-initiate-stack-grouping { 525 description 526 "A reusable grouping for configuring a NETCONF client 527 'initiate' protocol stack for a single connection."; 528 choice transport { 529 mandatory true; 530 description 531 "Selects between available transports."; 532 case ssh { 533 if-feature "ssh-initiate"; 534 container ssh { 535 description 536 "Specifies IP and SSH specific configuration 537 for the connection."; 538 container tcp-client-parameters { 539 description 540 "A wrapper around the TCP client parameters 541 to avoid name collisions."; 542 uses tcpc:tcp-client-grouping { 543 refine "remote-port" { 544 default "830"; 545 description 546 "The NETCONF client will attempt to connect 547 to the IANA-assigned well-known port value 548 for 'netconf-ssh' (443) if no value is 549 specified."; 550 } 551 } 552 } 553 container ssh-client-parameters { 554 description 555 "A wrapper around the SSH client parameters to 556 avoid name collisions."; 557 uses sshc:ssh-client-grouping; 558 } 559 container netconf-client-parameters { 560 description 561 "A wrapper around the NETCONF client parameters 562 to avoid name collisions."; 563 uses ncc:netconf-client-grouping; 564 } 565 } 566 } 567 case tls { 568 if-feature "tls-initiate"; 569 container tls { 570 description 571 "Specifies IP and TLS specific configuration 572 for the connection."; 573 container tcp-client-parameters { 574 description 575 "A wrapper around the TCP client parameters 576 to avoid name collisions."; 577 uses tcpc:tcp-client-grouping { 578 refine "remote-port" { 579 default "6513"; 580 description 581 "The NETCONF client will attempt to connect 582 to the IANA-assigned well-known port value 583 for 'netconf-tls' (6513) if no value is 584 specified."; 585 } 586 } 587 } 588 container tls-client-parameters { 589 must "client-identity" { 590 description 591 "NETCONF/TLS clients MUST pass some 592 authentication 
credentials."; 593 } 594 description 595 "A wrapper around the TLS client parameters 596 to avoid name collisions."; 597 uses tlsc:tls-client-grouping; 598 } 599 container netconf-client-parameters { 600 description 601 "A wrapper around the NETCONF client parameters 602 to avoid name collisions."; 603 uses ncc:netconf-client-grouping; 604 } 605 } 606 } 607 } 608 } // netconf-client-initiate-stack-grouping 610 grouping netconf-client-listen-stack-grouping { 611 description 612 "A reusable grouping for configuring a NETCONF client 613 'listen' protocol stack for a single connection."; 614 choice transport { 615 mandatory true; 616 description 617 "Selects between available transports."; 618 case ssh { 619 if-feature "ssh-listen"; 620 container ssh { 621 description 622 "SSH-specific listening configuration for inbound 623 connections."; 624 container tcp-server-parameters { 625 description 626 "A wrapper around the TCP server parameters 627 to avoid name collisions."; 628 uses tcps:tcp-server-grouping { 629 refine "local-port" { 630 default "4334"; 631 description 632 "The NETCONF client will listen on the IANA- 633 assigned well-known port for 'netconf-ch-ssh' 634 (4334) if no value is specified."; 635 } 636 } 637 } 638 container ssh-client-parameters { 639 description 640 "A wrapper around the SSH client parameters 641 to avoid name collisions."; 642 uses sshc:ssh-client-grouping; 643 } 644 container netconf-client-parameters { 645 description 646 "A wrapper around the NETCONF client parameters 647 to avoid name collisions."; 648 uses ncc:netconf-client-grouping; 649 } 650 } 651 } 652 case tls { 653 if-feature "tls-listen"; 654 container tls { 655 description 656 "TLS-specific listening configuration for inbound 657 connections."; 658 container tcp-server-parameters { 659 description 660 "A wrapper around the TCP server parameters 661 to avoid name collisions."; 662 uses tcps:tcp-server-grouping { 663 refine "local-port" { 664 default "4334"; 665 description 666 
"The NETCONF client will listen on the IANA- 667 assigned well-known port for 'netconf-ch-ssh' 668 (4334) if no value is specified."; 669 } 670 } 671 } 672 container tls-client-parameters { 673 must "client-identity" { 674 description 675 "NETCONF/TLS clients MUST pass some 676 authentication credentials."; 677 } 678 description 679 "A wrapper around the TLS client parameters 680 to avoid name collisions."; 681 uses tlsc:tls-client-grouping; 682 } 683 container netconf-client-parameters { 684 description 685 "A wrapper around the NETCONF client parameters 686 to avoid name collisions."; 687 uses ncc:netconf-client-grouping; 688 } 689 } 690 } 691 } 692 } // netconf-client-listen-stack-grouping 694 grouping netconf-client-app-grouping { 695 description 696 "A reusable grouping for configuring a NETCONF client 697 application that supports both 'initiate' and 'listen' 698 protocol stacks for a multiplicity of connections."; 699 container initiate { 700 if-feature "ssh-initiate or tls-initiate"; 701 presence "Enables client to initiate TCP connections"; 702 description 703 "Configures client initiating underlying TCP connections."; 704 list netconf-server { 705 key "name"; 706 min-elements 1; 707 description 708 "List of NETCONF servers the NETCONF client is to 709 maintain simultaneous connections with."; 710 leaf name { 711 type string; 712 description 713 "An arbitrary name for the NETCONF server."; 714 } 715 container endpoints { 716 description 717 "Container for the list of endpoints."; 718 list endpoint { 719 key "name"; 720 min-elements 1; 721 ordered-by user; 722 description 723 "A user-ordered list of endpoints that the NETCONF 724 client will attempt to connect to in the specified 725 sequence. 
Defining more than one enables 726 high-availability."; 727 leaf name { 728 type string; 729 description 730 "An arbitrary name for the endpoint."; 731 } 732 uses netconf-client-initiate-stack-grouping; 733 } // list endpoint 734 } // container endpoints 736 container connection-type { 737 description 738 "Indicates the NETCONF client's preference for how the 739 NETCONF connection is maintained."; 740 choice connection-type { 741 mandatory true; 742 description 743 "Selects between available connection types."; 744 case persistent-connection { 745 container persistent { 746 presence "Indicates that a persistent connection is 747 to be maintained."; 748 description 749 "Maintain a persistent connection to the NETCONF 750 server. If the connection goes down, immediately 751 start trying to reconnect to the NETCONF server, 752 using the reconnection strategy. 754 This connection type minimizes any NETCONF server 755 to NETCONF client data-transfer delay, albeit at 756 the expense of holding resources longer."; 757 } 758 } 759 case periodic-connection { 760 container periodic { 761 presence "Indicates that a periodic connection is 762 to be maintained."; 763 description 764 "Periodically connect to the NETCONF server. 766 This connection type increases resource 767 utilization, albeit with increased delay in 768 NETCONF server to NETCONF client interactions. 770 The NETCONF client should close the underlying 771 TCP connection upon completing planned activities. 
773 In the case that the previous connection is still 774 active, establishing a new connection is NOT 775 RECOMMENDED."; 776 leaf period { 777 type uint16; 778 units "minutes"; 779 default "60"; 780 description 781 "Duration of time between periodic connections."; 782 } 783 leaf anchor-time { 784 type yang:date-and-time { 785 // constrained to minute-level granularity 786 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}' 787 + '(Z|[\+\-]\d{2}:\d{2})'; 788 } 789 description 790 "Designates a timestamp before or after which a 791 series of periodic connections are determined. 792 The periodic connections occur at a whole 793 multiple interval from the anchor time. For 794 example, for an anchor time is 15 minutes past 795 midnight and a period interval of 24 hours, then 796 a periodic connection will occur 15 minutes past 797 midnight everyday."; 798 } 799 leaf idle-timeout { 800 type uint16; 801 units "seconds"; 802 default 120; // two minutes 803 description 804 "Specifies the maximum number of seconds that 805 a NETCONF session may remain idle. A NETCONF 806 session will be dropped if it is idle for an 807 interval longer then this number of seconds. 808 If set to zero, then the NETCONF client will 809 never drop a session because it is idle."; 810 } 811 } 813 } 814 } 815 } 816 container reconnect-strategy { 817 description 818 "The reconnection strategy directs how a NETCONF client 819 reconnects to a NETCONF server, after discovering its 820 connection to the server has dropped, even if due to a 821 reboot. 
The NETCONF client starts with the specified 822 endpoint and tries to connect to it max-attempts times 823 before trying the next endpoint in the list (round 824 robin)."; 825 leaf start-with { 826 type enumeration { 827 enum first-listed { 828 description 829 "Indicates that reconnections should start with 830 the first endpoint listed."; 831 } 832 enum last-connected { 833 description 834 "Indicates that reconnections should start with 835 the endpoint last connected to. If no previous 836 connection has ever been established, then the 837 first endpoint configured is used. NETCONF 838 clients SHOULD be able to remember the last 839 endpoint connected to across reboots."; 840 } 841 enum random-selection { 842 description 843 "Indicates that reconnections should start with 844 a random endpoint."; 845 } 846 } 847 default "first-listed"; 848 description 849 "Specifies which of the NETCONF server's endpoints 850 the NETCONF client should start with when trying 851 to connect to the NETCONF server."; 852 } 853 leaf max-attempts { 854 type uint8 { 855 range "1..max"; 856 } 857 default "3"; 858 description 859 "Specifies the number times the NETCONF client tries 860 to connect to a specific endpoint before moving on 861 to the next endpoint in the list (round robin)."; 862 } 863 } 864 } // netconf-server 865 } // initiate 867 container listen { 868 if-feature "ssh-listen or tls-listen"; 869 presence "Enables client to accept call-home connections"; 870 description 871 "Configures client accepting call-home TCP connections."; 872 leaf idle-timeout { 873 type uint16; 874 units "seconds"; 875 default "3600"; // one hour 876 description 877 "Specifies the maximum number of seconds that a NETCONF 878 session may remain idle. A NETCONF session will be 879 dropped if it is idle for an interval longer than this 880 number of seconds. If set to zero, then the server 881 will never drop a session because it is idle. 
Sessions 882 that have a notification subscription active are never 883 dropped."; 884 } 885 list endpoint { 886 key "name"; 887 min-elements 1; 888 description 889 "List of endpoints to listen for NETCONF connections."; 890 leaf name { 891 type string; 892 description 893 "An arbitrary name for the NETCONF listen endpoint."; 894 } 895 uses netconf-client-listen-stack-grouping; 896 } // endpoint 897 } // listen 898 } // netconf-client-app-grouping 900 // Protocol accessible node, for servers that implement this 901 // module. 903 container netconf-client { 904 uses netconf-client-app-grouping; 905 description 906 "Top-level container for NETCONF client configuration."; 907 } 908 } 909 911 4. The NETCONF Server Model 913 The NETCONF server model presented in this section supports both 914 listening for connections as well as initiating call-home 915 connections, using either the SSH and TLS transport protocols. 917 YANG feature statements are used to enable implementations to 918 advertise which potentially uncommon parts of the model the NETCONF 919 server supports. 921 4.1. Tree Diagram 923 The following tree diagram [RFC8340] provides an overview of the data 924 model for the "ietf-netconf-server" module. 926 This tree diagram only shows the nodes defined in this module; it 927 does show the nodes defined by "grouping" statements used by this 928 module. 930 Please see Appendix A.2 for a tree diagram that illustrates what the 931 module looks like with all the "grouping" statements expanded. 933 module: ietf-netconf-server 934 +--rw netconf-server 935 +---u netconf-server-app-grouping 937 grouping netconf-server-grouping 938 +-- client-identification 939 +-- cert-maps 940 +---u x509c2n:cert-to-name 941 grouping netconf-server-listen-stack-grouping 942 +-- (transport) 943 +--:(ssh) {ssh-listen}? 
944 | +-- ssh 945 | +-- tcp-server-parameters 946 | | +---u tcps:tcp-server-grouping 947 | +-- ssh-server-parameters 948 | | +---u sshs:ssh-server-grouping 949 | +-- netconf-server-parameters 950 | +---u ncs:netconf-server-grouping 951 +--:(tls) {tls-listen}? 952 +-- tls 953 +-- tcp-server-parameters 954 | +---u tcps:tcp-server-grouping 955 +-- tls-server-parameters 956 | +---u tlss:tls-server-grouping 957 +-- netconf-server-parameters 958 +---u ncs:netconf-server-grouping 959 grouping netconf-server-callhome-stack-grouping 960 +-- (transport) 961 +--:(ssh) {ssh-call-home}? 962 | +-- ssh 963 | +-- tcp-client-parameters 964 | | +---u tcpc:tcp-client-grouping 965 | +-- ssh-server-parameters 966 | | +---u sshs:ssh-server-grouping 967 | +-- netconf-server-parameters 968 | +---u ncs:netconf-server-grouping 969 +--:(tls) {tls-call-home}? 970 +-- tls 971 +-- tcp-client-parameters 972 | +---u tcpc:tcp-client-grouping 973 +-- tls-server-parameters 974 | +---u tlss:tls-server-grouping 975 +-- netconf-server-parameters 976 +---u ncs:netconf-server-grouping 977 grouping netconf-server-app-grouping 978 +-- listen! {ssh-listen or tls-listen}? 979 | +-- idle-timeout? uint16 980 | +-- endpoint* [name] 981 | +-- name? string 982 | +---u netconf-server-listen-stack-grouping 983 +-- call-home! {ssh-call-home or tls-call-home}? 984 +-- netconf-client* [name] 985 +-- name? string 986 +-- endpoints 987 | +-- endpoint* [name] 988 | +-- name? string 989 | +---u netconf-server-callhome-stack-grouping 990 +-- connection-type 991 | +-- (connection-type) 992 | +--:(persistent-connection) 993 | | +-- persistent! 994 | +--:(periodic-connection) 995 | +-- periodic! 996 | +-- period? uint16 997 | +-- anchor-time? yang:date-and-time 998 | +-- idle-timeout? uint16 999 +-- reconnect-strategy 1000 +-- start-with? enumeration 1001 +-- max-attempts? uint8 1003 4.2. 
Example Usage 1005 The following example illustrates configuring a NETCONF server to 1006 listen for NETCONF client connections using both the SSH and TLS 1007 transport protocols, as well as configuring call-home to two NETCONF 1008 clients, one using SSH and the other using TLS. 1010 This example is consistent with the examples presented in Section 2 1011 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 1012 [I-D.ietf-netconf-keystore]. 1014 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== 1016 1020 1021 1022 1023 netconf/ssh 1024 1025 1026 192.0.2.7 1027 1028 1029 1030 1031 deployment-specific-certificate 1032 1033 1034 rsa2048 1035 base64encodedvalue== 1036 base64encodedvalue== 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1052 1053 1054 1055 netconf/tls 1056 1057 1058 192.0.2.7 1059 1060 1061 1062 1063 rsa2048 1064 base64encodedvalue== 1065 base64encodedvalue== 1066 base64encodedvalue== 1067 1068 1069 1070 1071 1072 explicitly-trusted-client-ca-cer\ 1073 ts 1074 1075 1076 explicitly-trusted-client-certs<\ 1077 /truststore-reference> 1078 1079 1080 1081 1082 1083 1084 1085 1 1086 11:0A:05:11:00 1087 x509c2n:specified 1088 scooby-doo 1089 1090 1091 2 1092 x509c2n:san-any 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 config-mgr 1104 1105 1106 east-data-center 1107 1108 1109 east.config-mgr.example.com 1111 1112 1113 1114 1115 deployment-specific-certificate 1116 1117 1118 rsa2048 1119 base64encodedvalue== 1120 base64encodedvalue== 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 west-data-center 1139 1140 1141 west.config-mgr.example.com 1143 1144 1145 1146 1147 deployment-specific-certificate 1148 1149 1150 rsa2048 1151 base64encodedvalue== 1152 base64encodedvalue== 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 300 1173 60 1174 1175 1176 1177 last-connected 1178 3 1179 1180 1181 1182 data-collector 1183 1184 
1185 east-data-center 1186 1187 1188 east.analytics.example.com 1190 1191 15 1192 3 1193 30 1194 1195 1196 1197 1198 1199 rsa2048 1200 base64encodedvalue== 1201 base64encodedvalue== 1202 base64encodedvalue== 1203 1204 1205 1206 1207 1208 explicitly-trusted-client-ca\ 1209 -certs 1210 1211 1212 explicitly-trusted-client-ce\ 1213 rts 1214 1215 1216 1217 30 1218 3 1219 1220 1221 1222 1223 1224 1225 1 1226 11:0A:05:11:00 1227 x509c2n:specified 1228 scooby-doo 1229 1230 1231 2 1232 x509c2n:san-any 1233 1234 1235 1236 1237 1238 1239 1240 west-data-center 1241 1242 1243 west.analytics.example.com 1246 1247 15 1248 3 1249 30 1250 1251 1252 1253 1254 1255 rsa2048 1256 base64encodedvalue== 1257 base64encodedvalue== 1258 base64encodedvalue== 1259 1260 1261 1262 1263 1264 explicitly-trusted-client-ca\ 1265 -certs 1266 1267 1268 explicitly-trusted-client-ce\ 1269 rts 1270 1271 1272 1273 30 1274 3 1275 1276 1277 1278 1279 1280 1281 1 1282 11:0A:05:11:00 1283 x509c2n:specified 1284 scooby-doo 1285 1286 1287 2 1288 x509c2n:san-any 1289 1290 1291 1292 1294 1295 1296 1297 1298 1299 1300 1301 first-listed 1302 3 1303 1304 1305 1306 1308 4.3. YANG Module 1310 This YANG module has normative references to [RFC6242], [RFC6991], 1311 [RFC7407], [RFC7589], [RFC8071], 1312 [I-D.kwatsen-netconf-tcp-client-server], 1313 [I-D.ietf-netconf-ssh-client-server], and 1314 [I-D.ietf-netconf-tls-client-server]. 
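The 'client-identification' container of the ietf-netconf-server module (Section 4.3 below) requires a TLS-based NETCONF server to map the client's presented X.509 certificate to a NETCONF username by walking the user-ordered 'cert-to-name' list: an entry carrying a fingerprint matches only that certificate, an entry without one (the refinement makes 'fingerprint' optional) matches any certificate and so belongs at the end of the list, and when no matching and valid entry exists the server MUST close the connection. The following Python is an added example written for this page, not code from the draft or from any NETCONF implementation. The certificate objects, DER bytes and names are constructed stand-ins, and the fingerprint wire form (first octet is the TLS HashAlgorithm id, followed by the digest of the DER certificate) follows the tls-fingerprint type that RFC 7407 reuses.

```python
"""Cert-to-name resolution as the ietf-netconf-server 'client-identification'
container requires of a TLS-based NETCONF server.

Added example, not code from the draft or from any NETCONF implementation.
The ClientCert objects are constructed stand-ins: their DER field is just
bytes over which a fingerprint can be computed, and subject/SAN values are
supplied directly instead of being parsed from ASN.1.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# First octet of an x509c2n:tls-fingerprint is a TLS HashAlgorithm id
# (RFC 7407 via RFC 6353): 1=md5, 2=sha1, 3=sha224, 4=sha256, 5=sha384, 6=sha512.
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class ClientCert:
    der: bytes
    common_name: Optional[str] = None
    # subjectAltName entries in certificate order: (type, value)
    sans: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class CertToName:
    id: int
    map_type: str                        # e.g. "x509c2n:specified", "x509c2n:san-any"
    fingerprint: Optional[str] = None    # "AA:BB:..."; None matches any certificate
    name: Optional[str] = None           # only meaningful for map-type specified


def tls_fingerprint(der: bytes, alg: int) -> str:
    """Fingerprint in the tls-fingerprint form: algorithm octet, then the digest."""
    digest = hashlib.new(HASH_ALGS[alg], der).hexdigest().upper()
    return ":".join([f"{alg:02X}"] + [digest[i:i + 2] for i in range(0, len(digest), 2)])


def fingerprint_matches(entry: CertToName, cert: ClientCert) -> bool:
    if entry.fingerprint is None:          # fingerprint refined to optional: wildcard entry
        return True
    alg = int(entry.fingerprint.split(":")[0], 16)
    if alg not in HASH_ALGS:               # unknown algorithm can never match: fail closed
        return False
    return tls_fingerprint(cert.der, alg) == entry.fingerprint.upper()


def derive_name(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Apply the entry's map-type to the certificate; None if it yields no name."""
    map_type = entry.map_type.split(":")[-1]
    if map_type == "specified":
        return entry.name
    if map_type == "common-name":
        return cert.common_name
    wanted = {
        "san-rfc822-name": ("rfc822Name",),
        "san-dns-name": ("dNSName",),
        "san-ip-address": ("iPAddress",),
        "san-any": ("rfc822Name", "dNSName", "iPAddress"),  # first such SAN in cert order
    }.get(map_type)
    if wanted is None:
        return None
    for san_type, value in cert.sans:
        if san_type in wanted:
            return value
    return None


def resolve_username(cert_maps: List[CertToName], cert: ClientCert) -> Optional[str]:
    """Walk the user-ordered list; the first matching *and valid* entry wins.
    None means no usable mapping: the server MUST close the connection and
    MUST NOT accept NETCONF messages over it."""
    for entry in cert_maps:
        if fingerprint_matches(entry, cert):
            name = derive_name(entry, cert)
            if name:
                return name
    return None


def validate_cert_maps(cert_maps: List[CertToName]) -> List[str]:
    """Configuration-time checks implied by the module's descriptions."""
    problems = []
    for index, entry in enumerate(cert_maps):
        if entry.fingerprint is None and index != len(cert_maps) - 1:
            problems.append(f"entry {entry.id}: no fingerprint (matches any certificate) but is not last")
        if entry.map_type.endswith("specified") and not entry.name:
            problems.append(f"entry {entry.id}: map-type specified but no name given")
        if entry.fingerprint is not None and int(entry.fingerprint.split(":")[0], 16) not in HASH_ALGS:
            problems.append(f"entry {entry.id}: unknown fingerprint hash algorithm")
    return problems


# Constructed sample data (not from the draft).
KNOWN_CERT = ClientCert(der=b"constructed DER for the config-mgr client",
                        common_name="config-mgr",
                        sans=[("dNSName", "east.config-mgr.example.com")])
SAN_ONLY_CERT = ClientCert(der=b"constructed DER for some other client",
                           sans=[("rfc822Name", "ops@example.com"), ("dNSName", "west.example.com")])
ANON_CERT = ClientCert(der=b"constructed DER with no subjectAltName", common_name="stranger")

SAMPLE_MAPS = [
    CertToName(id=1, map_type="x509c2n:specified",
               fingerprint=tls_fingerprint(KNOWN_CERT.der, 4), name="scooby-doo"),
    CertToName(id=2, map_type="x509c2n:san-any"),   # wildcard entry, therefore last
]

if __name__ == "__main__":
    print("config problems:", validate_cert_maps(SAMPLE_MAPS))
    for cert in (KNOWN_CERT, SAN_ONLY_CERT, ANON_CERT):
        user = resolve_username(SAMPLE_MAPS, cert)
        print(user if user else "no mapping: close connection")
```

Note that an entry whose fingerprint uses an unregistered hash id (such as the placeholder 11:0A:05:11:00 in the example above) can never match, so a server that implements the check this way fails closed rather than silently treating the entry as a wildcard.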
1316 file "ietf-netconf-server@2019-11-02.yang" 1318 module ietf-netconf-server { 1319 yang-version 1.1; 1320 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; 1321 prefix ncs; 1323 import ietf-yang-types { 1324 prefix yang; 1325 reference 1326 "RFC 6991: Common YANG Data Types"; 1327 } 1329 import ietf-x509-cert-to-name { 1330 prefix x509c2n; 1331 reference 1332 "RFC 7407: A YANG Data Model for SNMP Configuration"; 1333 } 1335 import ietf-tcp-client { 1336 prefix tcpc; 1337 reference 1338 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 1339 } 1341 import ietf-tcp-server { 1342 prefix tcps; 1343 reference 1344 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 1345 } 1347 import ietf-ssh-server { 1348 prefix sshs; 1349 revision-date 2019-11-02; // stable grouping definitions 1350 reference 1351 "RFC YYYY: YANG Groupings for SSH Clients and SSH Servers"; 1352 } 1354 import ietf-tls-server { 1355 prefix tlss; 1356 revision-date 2019-11-02; // stable grouping definitions 1357 reference 1358 "RFC ZZZZ: YANG Groupings for TLS Clients and TLS Servers"; 1359 } 1361 organization 1362 "IETF NETCONF (Network Configuration) Working Group"; 1364 contact 1365 "WG Web: 1366 WG List: 1367 Author: Kent Watsen 1368 Author: Gary Wu 1369 Author: Juergen Schoenwaelder 1370 "; 1372 description 1373 "This module contains a collection of YANG definitions 1374 for configuring NETCONF servers. 1376 Copyright (c) 2019 IETF Trust and the persons identified 1377 as authors of the code. All rights reserved. 1379 Redistribution and use in source and binary forms, with 1380 or without modification, is permitted pursuant to, and 1381 subject to the license terms contained in, the Simplified 1382 BSD License set forth in Section 4.c of the IETF Trust's 1383 Legal Provisions Relating to IETF Documents 1384 (https://trustee.ietf.org/license-info).
1386 This version of this YANG module is part of RFC XXXX 1387 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC 1388 itself for full legal notices. 1389 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1390 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1391 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1392 are to be interpreted as described in BCP 14 (RFC 2119) 1393 (RFC 8174) when, and only when, they appear in all 1394 capitals, as shown here."; 1396 revision 2019-11-02 { 1397 description 1398 "Initial version"; 1399 reference 1400 "RFC XXXX: NETCONF Client and Server Models"; 1401 } 1403 // Features 1405 feature ssh-listen { 1406 description 1407 "The 'ssh-listen' feature indicates that the NETCONF server 1408 supports opening a port to accept NETCONF over SSH 1409 client connections."; 1410 reference 1411 "RFC 6242: 1412 Using the NETCONF Protocol over Secure Shell (SSH)"; 1413 } 1415 feature tls-listen { 1416 description 1417 "The 'tls-listen' feature indicates that the NETCONF server 1418 supports opening a port to accept NETCONF over TLS 1419 client connections."; 1420 reference 1421 "RFC 7589: Using the NETCONF Protocol over Transport 1422 Layer Security (TLS) with Mutual X.509 1423 Authentication"; 1424 } 1426 feature ssh-call-home { 1427 description 1428 "The 'ssh-call-home' feature indicates that the NETCONF 1429 server supports initiating a NETCONF over SSH call 1430 home connection to NETCONF clients."; 1431 reference 1432 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1433 } 1435 feature tls-call-home { 1436 description 1437 "The 'tls-call-home' feature indicates that the NETCONF 1438 server supports initiating a NETCONF over TLS call 1439 home connection to NETCONF clients."; 1440 reference 1441 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1442 } 1444 // Groupings 1446 grouping netconf-server-grouping { 1447 description 1448 "A reusable grouping for configuring a NETCONF server 1449 without any
consideration for how underlying transport 1450 sessions are established. 1452 Note that this grouping uses a fairly typical descendant 1453 node name such that a stack of 'uses' statements will 1454 have name conflicts. It is intended that the consuming 1455 data model will resolve the issue by wrapping the 'uses' 1456 statement in a container called, e.g., 1457 'netconf-server-parameters'. This model purposely does 1458 not do this itself so as to provide maximum flexibility 1459 to consuming models."; 1461 container client-identification { 1462 description 1463 "Specifies a mapping through which clients MAY be identified 1464 (i.e., the NETCONF username) from a supplied certificate. 1465 Note that a client MAY alternatively be identified via an 1466 alternate authentication scheme."; 1467 container cert-maps { 1468 when "../../../../tls"; 1469 uses x509c2n:cert-to-name { 1470 refine "cert-to-name/fingerprint" { 1471 mandatory false; 1472 description 1473 "A 'fingerprint' value does not need to be specified 1474 when the 'cert-to-name' mapping is independent of 1475 fingerprint matching. A 'cert-to-name' having no 1476 fingerprint value will match any client certificate 1477 and therefore should only be present at the end of 1478 the user-ordered 'cert-to-name' list."; 1479 } 1480 } 1481 description 1482 "The cert-maps container is used by TLS-based NETCONF 1483 servers (even if the TLS sessions are terminated 1484 externally) to map the NETCONF client's presented 1485 X.509 certificate to a NETCONF username.
If no 1486 matching and valid cert-to-name list entry can be 1487 found, then the NETCONF server MUST close the 1488 connection, and MUST NOT accept NETCONF messages 1489 over it."; 1490 reference 1491 "RFC 7407: A YANG Data Model for SNMP Configuration."; 1492 } 1493 } 1494 } 1496 grouping netconf-server-listen-stack-grouping { 1497 description 1498 "A reusable grouping for configuring a NETCONF server 1499 'listen' protocol stack for a single connection."; 1500 choice transport { 1501 mandatory true; 1502 description 1503 "Selects between available transports."; 1504 case ssh { 1505 if-feature "ssh-listen"; 1506 container ssh { 1507 description 1508 "SSH-specific listening configuration for inbound 1509 connections."; 1510 container tcp-server-parameters { 1511 description 1512 "A wrapper around the TCP server parameters 1513 to avoid name collisions."; 1514 uses tcps:tcp-server-grouping { 1515 refine "local-port" { 1516 default "830"; 1517 description 1518 "The NETCONF server will listen on the 1519 IANA-assigned well-known port value 1520 for 'netconf-ssh' (830) if no value 1521 is specified."; 1522 } 1523 } 1524 } 1525 container ssh-server-parameters { 1526 description 1527 "A wrapper around the SSH server parameters 1528 to avoid name collisions."; 1529 uses sshs:ssh-server-grouping; 1530 } 1531 container netconf-server-parameters { 1532 description 1533 "A wrapper around the NETCONF server parameters 1534 to avoid name collisions."; 1535 uses ncs:netconf-server-grouping; 1536 } 1537 } 1538 } 1539 case tls { 1540 if-feature "tls-listen"; 1541 container tls { 1542 description 1543 "TLS-specific listening configuration for inbound 1544 connections."; 1545 container tcp-server-parameters { 1546 description 1547 "A wrapper around the TCP server parameters 1548 to avoid name collisions."; 1549 uses tcps:tcp-server-grouping { 1550 refine "local-port" { 1551 default "6513"; 1552 description 1553 "The NETCONF server will listen on the 1554 IANA-assigned well-known
port value 1555 for 'netconf-tls' (6513) if no value 1556 is specified."; 1557 } 1558 } 1559 } 1560 container tls-server-parameters { 1561 description 1562 "A wrapper around the TLS server parameters to 1563 avoid name collisions."; 1564 uses tlss:tls-server-grouping; /* { 1565 FIXME: commented out since auth could also be external. 1566 ^-- need a better 'must' expression? 1567 refine "client-authentication" { 1568 must 'ca-certs or client-certs'; 1569 description 1570 "NETCONF/TLS servers MUST validate client 1571 certificates."; 1572 } 1573 }*/ 1574 } 1575 container netconf-server-parameters { 1576 description 1577 "A wrapper around the NETCONF server parameters 1578 to avoid name collisions."; 1579 uses ncs:netconf-server-grouping; 1580 } 1582 } 1583 } 1584 } 1585 } 1587 grouping netconf-server-callhome-stack-grouping { 1588 description 1589 "A reusable grouping for configuring a NETCONF server 1590 'call-home' protocol stack, for a single connection."; 1591 choice transport { 1592 mandatory true; 1593 description 1594 "Selects between available transports."; 1595 case ssh { 1596 if-feature "ssh-call-home"; 1597 container ssh { 1598 description 1599 "Specifies SSH-specific call-home transport 1600 configuration."; 1601 container tcp-client-parameters { 1602 description 1603 "A wrapper around the TCP client parameters 1604 to avoid name collisions."; 1605 uses tcpc:tcp-client-grouping { 1606 refine "remote-port" { 1607 default "4334"; 1608 description 1609 "The NETCONF server will attempt to connect 1610 to the IANA-assigned well-known port for 1611 'netconf-ch-ssh' (4334) if no value is 1612 specified."; 1613 } 1614 } 1615 } 1616 container ssh-server-parameters { 1617 description 1618 "A wrapper around the SSH server parameters 1619 to avoid name collisions."; 1620 uses sshs:ssh-server-grouping; 1621 } 1622 container netconf-server-parameters { 1623 description 1624 "A wrapper around the NETCONF server parameters 1625 to avoid name collisions."; 1626 uses
ncs:netconf-server-grouping; 1627 } 1628 } 1629 } 1630 case tls { 1631 if-feature "tls-call-home"; 1632 container tls { 1633 description 1634 "Specifies TLS-specific call-home transport 1635 configuration."; 1636 container tcp-client-parameters { 1637 description 1638 "A wrapper around the TCP client parameters 1639 to avoid name collisions."; 1640 uses tcpc:tcp-client-grouping { 1641 refine "remote-port" { 1642 default "4335"; 1643 description 1644 "The NETCONF server will attempt to connect 1645 to the IANA-assigned well-known port for 1646 'netconf-ch-tls' (4335) if no value is 1647 specified."; 1648 } 1649 } 1650 } 1651 container tls-server-parameters { 1652 description 1653 "A wrapper around the TLS server parameters to 1654 avoid name collisions."; 1655 uses tlss:tls-server-grouping; /* { 1656 FIXME: commented out since auth could also be external. 1657 ^-- need a better 'must' expression? 1658 refine "client-authentication" { 1659 must 'ca-certs or client-certs'; 1660 description 1661 "NETCONF/TLS servers MUST validate client 1662 certificates."; 1663 } 1664 }*/ 1665 } 1666 container netconf-server-parameters { 1667 description 1668 "A wrapper around the NETCONF server parameters 1669 to avoid name collisions."; 1670 uses ncs:netconf-server-grouping; 1671 } 1672 } 1673 } 1674 } 1675 } 1677 grouping netconf-server-app-grouping { 1678 description 1679 "A reusable grouping for configuring a NETCONF server 1680 application that supports both 'listen' and 'call-home' 1681 protocol stacks for a multiplicity of connections."; 1682 container listen { 1683 if-feature "ssh-listen or tls-listen"; 1684 presence 1685 "Enables server to listen for NETCONF client connections."; 1686 description 1687 "Configures listen behavior"; 1688 leaf idle-timeout { 1689 type uint16; 1690 units "seconds"; 1691 default 3600; // one hour 1692 description 1693 "Specifies the maximum number of seconds that a NETCONF 1694 session may remain idle. 
A NETCONF session will be 1695 dropped if it is idle for an interval longer than this 1696 number of seconds. If set to zero, then the server 1697 will never drop a session because it is idle. Sessions 1698 that have a notification subscription active are never 1699 dropped."; 1700 } 1701 list endpoint { 1702 key "name"; 1703 min-elements 1; 1704 description 1705 "List of endpoints to listen for NETCONF connections."; 1706 leaf name { 1707 type string; 1708 description 1709 "An arbitrary name for the NETCONF listen endpoint."; 1710 } 1711 uses netconf-server-listen-stack-grouping; 1712 } 1713 } 1714 container call-home { 1715 if-feature "ssh-call-home or tls-call-home"; 1716 presence 1717 "Enables the NETCONF server to initiate the underlying 1718 transport connection to NETCONF clients."; 1719 description "Configures call home behavior."; 1720 list netconf-client { 1721 key "name"; 1722 min-elements 1; 1723 description 1724 "List of NETCONF clients the NETCONF server is to 1725 maintain simultaneous call-home connections with."; 1727 leaf name { 1728 type string; 1729 description 1730 "An arbitrary name for the remote NETCONF client."; 1731 } 1732 container endpoints { 1733 description 1734 "Container for the list of endpoints."; 1735 list endpoint { 1736 key "name"; 1737 min-elements 1; 1738 ordered-by user; 1739 description 1740 "A non-empty user-ordered list of endpoints for this 1741 NETCONF server to try to connect to in sequence.
1742 Defining more than one enables high-availability."; 1743 leaf name { 1744 type string; 1745 description 1746 "An arbitrary name for this endpoint."; 1747 } 1748 uses netconf-server-callhome-stack-grouping; 1749 } 1750 } 1751 container connection-type { 1752 description 1753 "Indicates the NETCONF server's preference for how the 1754 NETCONF connection is maintained."; 1755 choice connection-type { 1756 mandatory true; 1757 description 1758 "Selects between available connection types."; 1759 case persistent-connection { 1760 container persistent { 1761 presence "Indicates that a persistent connection is 1762 to be maintained."; 1763 description 1764 "Maintain a persistent connection to the NETCONF 1765 client. If the connection goes down, immediately 1766 start trying to reconnect to the NETCONF client, 1767 using the reconnection strategy. 1769 This connection type minimizes any NETCONF client 1770 to NETCONF server data-transfer delay, albeit at 1771 the expense of holding resources longer."; 1772 } 1773 } 1774 case periodic-connection { 1775 container periodic { 1776 presence "Indicates that a periodic connection is 1777 to be maintained."; 1778 description 1779 "Periodically connect to the NETCONF client. 1781 This connection type decreases resource 1782 utilization, albeit with increased delay in 1783 NETCONF client to NETCONF server interactions. 1785 The NETCONF client SHOULD gracefully close the 1786 connection upon completing 1787 planned activities. If the NETCONF session is 1788 not closed gracefully, the NETCONF server MUST 1789 immediately attempt to reestablish the connection.
1791 In the case that the previous connection is still 1792 active (i.e., the NETCONF client has not closed 1793 it yet), establishing a new connection is NOT 1794 RECOMMENDED."; 1795 leaf period { 1796 type uint16; 1797 units "minutes"; 1798 default "60"; 1799 description 1800 "Duration of time between periodic connections."; 1801 } 1802 leaf anchor-time { 1803 type yang:date-and-time { 1804 // constrained to minute-level granularity 1805 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}' 1806 + '(Z|[\+\-]\d{2}:\d{2})'; 1807 } 1808 description 1809 "Designates a timestamp before or after which a 1810 series of periodic connections are determined. 1811 The periodic connections occur at a whole 1812 multiple interval from the anchor time. For 1813 example, if the anchor time is 15 minutes past 1814 midnight and the period is 24 hours, then 1815 a periodic connection will occur 15 minutes past 1816 midnight every day."; 1817 } 1818 leaf idle-timeout { 1819 type uint16; 1820 units "seconds"; 1821 default 120; // two minutes 1822 description 1823 "Specifies the maximum number of seconds that 1824 a NETCONF session may remain idle. A NETCONF 1825 session will be dropped if it is idle for an 1826 interval longer than this number of seconds. 1827 If set to zero, then the server will never 1828 drop a session because it is idle."; 1829 } 1830 } 1831 } // case periodic-connection 1832 } // choice connection-type 1833 } // container connection-type 1834 container reconnect-strategy { 1835 description 1836 "The reconnection strategy directs how a NETCONF server 1837 reconnects to a NETCONF client, after discovering its 1838 connection to the client has dropped, even if due to a 1839 reboot.
The NETCONF server starts with the specified 1840 endpoint and tries to connect to it max-attempts times 1841 before trying the next endpoint in the list (round 1842 robin)."; 1843 leaf start-with { 1844 type enumeration { 1845 enum first-listed { 1846 description 1847 "Indicates that reconnections should start with 1848 the first endpoint listed."; 1849 } 1850 enum last-connected { 1851 description 1852 "Indicates that reconnections should start with 1853 the endpoint last connected to. If no previous 1854 connection has ever been established, then the 1855 first endpoint configured is used. NETCONF 1856 servers SHOULD be able to remember the last 1857 endpoint connected to across reboots."; 1858 } 1859 enum random-selection { 1860 description 1861 "Indicates that reconnections should start with 1862 a random endpoint."; 1863 } 1864 } 1865 default "first-listed"; 1866 description 1867 "Specifies which of the NETCONF client's endpoints 1868 the NETCONF server should start with when trying 1869 to connect to the NETCONF client."; 1870 } 1871 leaf max-attempts { 1872 type uint8 { 1873 range "1..max"; 1874 } 1875 default "3"; 1876 description 1877 "Specifies the number of times the NETCONF server tries 1878 to connect to a specific endpoint before moving on 1879 to the next endpoint in the list (round robin)."; 1880 } 1881 } // container reconnect-strategy 1882 } // list netconf-client 1883 } // container call-home 1884 } // grouping netconf-server-app-grouping 1886 // Protocol accessible node, for servers that implement this 1887 // module. 1889 container netconf-server { 1890 uses netconf-server-app-grouping; 1891 description 1892 "Top-level container for NETCONF server configuration."; 1893 } 1894 } 1896 1898 5. Security Considerations 1900 The YANG module defined in this document uses groupings defined in 1901 [I-D.kwatsen-netconf-tcp-client-server], 1902 [I-D.ietf-netconf-ssh-client-server], and 1903 [I-D.ietf-netconf-tls-client-server].
Please see the Security 1904 Considerations section in those documents for concerns related to those 1905 groupings. 1907 The YANG modules defined in this document are designed to be accessed 1908 via YANG based management protocols, such as NETCONF [RFC6241] and 1909 RESTCONF [RFC8040]. Both of these protocols have mandatory-to- 1910 implement secure transport layers (e.g., SSH, TLS) with mutual 1911 authentication. 1913 The NETCONF access control model (NACM) [RFC8341] provides the means 1914 to restrict access for particular users to a pre-configured subset of 1915 all available protocol operations and content. 1917 There are a number of data nodes defined in the YANG modules that are 1918 writable/creatable/deletable (i.e., config true, which is the 1919 default). Some of these data nodes may be considered sensitive or 1920 vulnerable in some network environments. Write operations (e.g., 1921 edit-config) to these data nodes without proper protection can have a 1922 negative effect on network operations. These are the subtrees and 1923 data nodes and their sensitivity/vulnerability: 1925 None of the subtrees or data nodes in the modules defined in this 1926 document need to be protected from write operations. 1928 Some of the readable data nodes in the YANG modules may be considered 1929 sensitive or vulnerable in some network environments. It is thus 1930 important to control read access (e.g., via get, get-config, or 1931 notification) to these data nodes. These are the subtrees and data 1932 nodes and their sensitivity/vulnerability: 1934 None of the subtrees or data nodes in the modules defined in this 1935 document need to be protected from read operations. 1937 Some of the RPC operations in the YANG modules may be considered 1938 sensitive or vulnerable in some network environments. It is thus 1939 important to control access to these operations.
These are the 1940 operations and their sensitivity/vulnerability: 1942 The modules defined in this document do not define any 'RPC' or 1943 'action' statements. 1945 6. IANA Considerations 1947 6.1. The IETF XML Registry 1949 This document registers two URIs in the "ns" subregistry of the IETF 1950 XML Registry [RFC3688]. Following the format in [RFC3688], the 1951 following registrations are requested: 1953 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client 1954 Registrant Contact: The NETCONF WG of the IETF. 1955 XML: N/A, the requested URI is an XML namespace. 1957 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server 1958 Registrant Contact: The NETCONF WG of the IETF. 1959 XML: N/A, the requested URI is an XML namespace. 1961 6.2. The YANG Module Names Registry 1963 This document registers two YANG modules in the YANG Module Names 1964 registry [RFC6020]. Following the format in [RFC6020], the 1965 following registrations are requested: 1967 name: ietf-netconf-client 1968 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client 1969 prefix: ncc 1970 reference: RFC XXXX 1972 name: ietf-netconf-server 1973 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server 1974 prefix: ncs 1975 reference: RFC XXXX 1977 7. References 1979 7.1. Normative References 1981 [I-D.ietf-netconf-keystore] 1982 Watsen, K., "A YANG Data Model for a Keystore", draft- 1983 ietf-netconf-keystore-13 (work in progress), October 2019. 1985 [I-D.ietf-netconf-ssh-client-server] 1986 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH 1987 Clients and SSH Servers", draft-ietf-netconf-ssh-client- 1988 server-15 (work in progress), October 2019. 1990 [I-D.ietf-netconf-tls-client-server] 1991 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS 1992 Clients and TLS Servers", draft-ietf-netconf-tls-client- 1993 server-15 (work in progress), October 2019. 1995 [I-D.kwatsen-netconf-tcp-client-server] 1996 Watsen, K. and M.
Scharf, "YANG Groupings for TCP Clients 1997 and TCP Servers", draft-kwatsen-netconf-tcp-client- 1998 server-02 (work in progress), April 2019. 2000 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2001 Requirement Levels", BCP 14, RFC 2119, 2002 DOI 10.17487/RFC2119, March 1997, 2003 . 2005 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2006 the Network Configuration Protocol (NETCONF)", RFC 6020, 2007 DOI 10.17487/RFC6020, October 2010, 2008 . 2010 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2011 and A. Bierman, Ed., "Network Configuration Protocol 2012 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2013 . 2015 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2016 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2017 . 2019 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 2020 RFC 6991, DOI 10.17487/RFC6991, July 2013, 2021 . 2023 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for 2024 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, 2025 December 2014, . 2027 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the 2028 NETCONF Protocol over Transport Layer Security (TLS) with 2029 Mutual X.509 Authentication", RFC 7589, 2030 DOI 10.17487/RFC7589, June 2015, 2031 . 2033 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2034 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2035 . 2037 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2038 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2039 May 2017, . 2041 7.2. Informative References 2043 [I-D.ietf-netconf-trust-anchors] 2044 Watsen, K., "A YANG Data Model for a Truststore", draft- 2045 ietf-netconf-trust-anchors-06 (work in progress), October 2046 2019. 2048 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2049 DOI 10.17487/RFC3688, January 2004, 2050 . 2052 [RFC8040] Bierman, A., Bjorklund, M., and K. 
Watsen, "RESTCONF 2053 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2054 . 2056 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 2057 RFC 8071, DOI 10.17487/RFC8071, February 2017, 2058 . 2060 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2061 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2062 . 2064 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 2065 Access Control Model", STD 91, RFC 8341, 2066 DOI 10.17487/RFC8341, March 2018, 2067 . 2069 Appendix A. Expanded Tree Diagrams 2071 A.1. Expanded Tree Diagram for 'ietf-netconf-client' 2073 The following tree diagram [RFC8340] provides an overview of the data 2074 model for the "ietf-netconf-client" module. 2076 This tree diagram shows all the nodes defined in this module, 2077 including those defined by "grouping" statements used by this module. 2079 Please see Section 3.1 for a tree diagram that illustrates what the 2080 module looks like without all the "grouping" statements expanded. 2082 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ========== 2084 module: ietf-netconf-client 2085 +--rw netconf-client 2086 +--rw initiate! {ssh-initiate or tls-initiate}? 2087 | +--rw netconf-server* [name] 2088 | +--rw name string 2089 | +--rw endpoints 2090 | | +--rw endpoint* [name] 2091 | | +--rw name string 2092 | | +--rw (transport) 2093 | | +--:(ssh) {ssh-initiate}? 2094 | | | +--rw ssh 2095 | | | +--rw tcp-client-parameters 2096 | | | | +--rw remote-address inet:host 2097 | | | | +--rw remote-port? inet:port-number 2098 | | | | +--rw local-address? inet:ip-address 2099 | | | | | {local-binding-supported}? 2100 | | | | +--rw local-port? inet:port-number 2101 | | | | | {local-binding-supported}? 2102 | | | | +--rw keepalives! 2103 | | | | {keepalives-supported}? 
2104 | | | | +--rw idle-time uint16 2105 | | | | +--rw max-probes uint16 2106 | | | | +--rw probe-interval uint16 2107 | | | +--rw ssh-client-parameters 2108 | | | | +--rw client-identity 2109 | | | | | +--rw username? string 2110 | | | | | +--rw (auth-type) 2111 | | | | | +--:(password) 2112 | | | | | | +--rw password? string 2113 | | | | | +--:(public-key) 2114 | | | | | | +--rw public-key 2115 | | | | | | +--rw (local-or-keystore) 2116 | | | | | | +--:(local) 2117 | | | | | | | {local-definiti\ 2118 \ons-supported}? 2119 | | | | | | | +--rw local-definition 2120 | | | | | | | +--rw algorithm 2121 | | | | | | | | iasa:asymm\ 2122 \etric-algorithm-type 2123 | | | | | | | +--rw public-key-f\ 2124 \ormat? 2125 | | | | | | | | identityref 2126 | | | | | | | +--rw public-key 2127 | | | | | | | | binary 2128 | | | | | | | +--rw private-key-\ 2129 \format? 2130 | | | | | | | | identityref 2131 | | | | | | | +--rw (private-key\ 2132 \-type) 2133 | | | | | | | +--:(private-ke\ 2134 \y) 2135 | | | | | | | | +--rw privat\ 2136 \e-key? 2137 | | | | | | | | bina\ 2138 \ry 2139 | | | | | | | +--:(hidden-pri\ 2140 \vate-key) 2141 | | | | | | | | +--rw hidden\ 2142 \-private-key? 2143 | | | | | | | | empty 2144 | | | | | | | +--:(encrypted-\ 2145 \private-key) 2146 | | | | | | | +--rw encryp\ 2147 \ted-private-key 2148 | | | | | | | +--rw (ke\ 2149 \y-type) 2150 | | | | | | | | +--:(s\ 2151 \ymmetric-key-ref) 2152 | | | | | | | | | +--\ 2153 \rw symmetric-key-ref? leafref 2154 | | | | | | | | | \ 2155 \ {keystore-supported}? 2156 | | | | | | | | +--:(a\ 2157 \symmetric-key-ref) 2158 | | | | | | | | +--\ 2159 \rw asymmetric-key-ref? leafref 2160 | | | | | | | | \ 2161 \ {keystore-supported}? 2162 | | | | | | | +--rw val\ 2163 \ue? 2164 | | | | | | | b\ 2166 \inary 2167 | | | | | | +--:(keystore) 2168 | | | | | | {keystore-suppo\ 2169 \rted}? 2170 | | | | | | +--rw keystore-refere\ 2171 \nce? 
     |     |        |     |  |     |                 ks:asymmetric-key-ref
     |     |        |     |  |     +--:(certificate)
     |     |        |     |  |        +--rw certificate {sshcmn:ssh-x509-certs}?
     |     |        |     |  |           +--rw (local-or-keystore)
     |     |        |     |  |              +--:(local) {local-definitions-supported}?
     |     |        |     |  |              |  +--rw local-definition
     |     |        |     |  |              |     +--rw algorithm                    iasa:asymmetric-algorithm-type
     |     |        |     |  |              |     +--rw public-key-format?           identityref
     |     |        |     |  |              |     +--rw public-key                   binary
     |     |        |     |  |              |     +--rw private-key-format?          identityref
     |     |        |     |  |              |     +--rw (private-key-type)
     |     |        |     |  |              |     |  +--:(private-key)
     |     |        |     |  |              |     |  |  +--rw private-key?           binary
     |     |        |     |  |              |     |  +--:(hidden-private-key)
     |     |        |     |  |              |     |  |  +--rw hidden-private-key?    empty
     |     |        |     |  |              |     |  +--:(encrypted-private-key)
     |     |        |     |  |              |     |     +--rw encrypted-private-key
     |     |        |     |  |              |     |        +--rw (key-type)
     |     |        |     |  |              |     |        |  +--:(symmetric-key-ref)
     |     |        |     |  |              |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |     |        |     |  |              |     |        |  +--:(asymmetric-key-ref)
     |     |        |     |  |              |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |     |        |     |  |              |     |        +--rw value?               binary
     |     |        |     |  |              |     +--rw cert?                        end-entity-cert-cms
     |     |        |     |  |              |     +---n certificate-expiration
     |     |        |     |  |              |     |  +-- expiration-date             yang:date-and-time
     |     |        |     |  |              |     +---x generate-certificate-signing-request
     |     |        |     |  |              |        +---w input
     |     |        |     |  |              |        |  +---w subject                binary
     |     |        |     |  |              |        |  +---w attributes?            binary
     |     |        |     |  |              |        +--ro output
     |     |        |     |  |              |           +--ro certificate-signing-request   binary
     |     |        |     |  |              +--:(keystore) {keystore-supported}?
     |     |        |     |  |                 +--rw keystore-reference
     |     |        |     |  |                    +--rw asymmetric-key?   ks:asymmetric-key-ref
     |     |        |     |  |                    +--rw certificate?      leafref
     |     |        |     |  +--rw server-authentication
     |     |        |     |  |  +--rw ssh-host-keys!
     |     |        |     |  |  |  +--rw (local-or-truststore)
     |     |        |     |  |  |     +--:(local) {local-definitions-supported}?
     |     |        |     |  |  |     |  +--rw local-definition
     |     |        |     |  |  |     |     +--rw host-key*               ct:ssh-host-key
     |     |        |     |  |  |     +--:(truststore) {truststore-supported,ssh-host-keys}?
     |     |        |     |  |  |        +--rw truststore-reference?   ts:host-keys-ref
     |     |        |     |  |  +--rw ca-certs! {sshcmn:ssh-x509-certs}?
     |     |        |     |  |  |  +--rw (local-or-truststore)
     |     |        |     |  |  |     +--:(local) {local-definitions-supported}?
     |     |        |     |  |  |     |  +--rw local-definition
     |     |        |     |  |  |     |     +--rw cert*                   trust-anchor-cert-cms
     |     |        |     |  |  |     |     +---n certificate-expiration
     |     |        |     |  |  |     |        +-- expiration-date        yang:date-and-time
     |     |        |     |  |  |     +--:(truststore) {truststore-supported,x509-certificates}?
     |     |        |     |  |  |        +--rw truststore-reference?   ts:certificates-ref
     |     |        |     |  |  +--rw server-certs! {sshcmn:ssh-x509-certs}?
     |     |        |     |  |     +--rw (local-or-truststore)
     |     |        |     |  |        +--:(local) {local-definitions-supported}?
     |     |        |     |  |        |  +--rw local-definition
     |     |        |     |  |        |     +--rw cert*                   trust-anchor-cert-cms
     |     |        |     |  |        |     +---n certificate-expiration
     |     |        |     |  |        |        +-- expiration-date        yang:date-and-time
     |     |        |     |  |        +--:(truststore) {truststore-supported,x509-certificates}?
     |     |        |     |  |           +--rw truststore-reference?   ts:certificates-ref
     |     |        |     |  +--rw transport-params {ssh-client-transport-params-config}?
     |     |        |     |  |  +--rw host-key
     |     |        |     |  |  |  +--rw host-key-alg*       identityref
     |     |        |     |  |  +--rw key-exchange
     |     |        |     |  |  |  +--rw key-exchange-alg*   identityref
     |     |        |     |  |  +--rw encryption
     |     |        |     |  |  |  +--rw encryption-alg*     identityref
     |     |        |     |  |  +--rw mac
     |     |        |     |  |     +--rw mac-alg*            identityref
     |     |        |     |  +--rw keepalives! {ssh-client-keepalives}?
     |     |        |     |     +--rw max-wait?       uint16
     |     |        |     |     +--rw max-attempts?   uint8
     |     |        |     +--rw netconf-client-parameters
     |     |        +--:(tls) {tls-initiate}?
     |     |           +--rw tls
     |     |              +--rw tcp-client-parameters
     |     |              |  +--rw remote-address    inet:host
     |     |              |  +--rw remote-port?      inet:port-number
     |     |              |  +--rw local-address?    inet:ip-address {local-binding-supported}?
     |     |              |  +--rw local-port?       inet:port-number {local-binding-supported}?
     |     |              |  +--rw keepalives! {keepalives-supported}?
     |     |              |     +--rw idle-time        uint16
     |     |              |     +--rw max-probes       uint16
     |     |              |     +--rw probe-interval   uint16
     |     |              +--rw tls-client-parameters
     |     |              |  +--rw client-identity
     |     |              |  |  +--rw (local-or-keystore)
     |     |              |  |     +--:(local) {local-definitions-supported}?
     |     |              |  |     |  +--rw local-definition
     |     |              |  |     |     +--rw algorithm                    iasa:asymmetric-algorithm-type
     |     |              |  |     |     +--rw public-key-format?           identityref
     |     |              |  |     |     +--rw public-key                   binary
     |     |              |  |     |     +--rw private-key-format?          identityref
     |     |              |  |     |     +--rw (private-key-type)
     |     |              |  |     |     |  +--:(private-key)
     |     |              |  |     |     |  |  +--rw private-key?           binary
     |     |              |  |     |     |  +--:(hidden-private-key)
     |     |              |  |     |     |  |  +--rw hidden-private-key?    empty
     |     |              |  |     |     |  +--:(encrypted-private-key)
     |     |              |  |     |     |     +--rw encrypted-private-key
     |     |              |  |     |     |        +--rw (key-type)
     |     |              |  |     |     |        |  +--:(symmetric-key-ref)
     |     |              |  |     |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |     |              |  |     |     |        |  +--:(asymmetric-key-ref)
     |     |              |  |     |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |     |              |  |     |     |        +--rw value?               binary
     |     |              |  |     |     +--rw cert?                        end-entity-cert-cms
     |     |              |  |     |     +---n certificate-expiration
     |     |              |  |     |     |  +-- expiration-date             yang:date-and-time
     |     |              |  |     |     +---x generate-certificate-signing-request
     |     |              |  |     |        +---w input
     |     |              |  |     |        |  +---w subject                binary
     |     |              |  |     |        |  +---w attributes?            binary
     |     |              |  |     |        +--ro output
     |     |              |  |     |           +--ro certificate-signing-request   binary
     |     |              |  |     +--:(keystore) {keystore-supported}?
     |     |              |  |        +--rw keystore-reference
     |     |              |  |           +--rw asymmetric-key?   ks:asymmetric-key-ref
     |     |              |  |           +--rw certificate?      leafref
     |     |              |  +--rw server-authentication
     |     |              |  |  +--rw ca-certs!
     |     |              |  |  |  +--rw (local-or-truststore)
     |     |              |  |  |     +--:(local) {local-definitions-supported}?
     |     |              |  |  |     |  +--rw local-definition
     |     |              |  |  |     |     +--rw cert*                   trust-anchor-cert-cms
     |     |              |  |  |     |     +---n certificate-expiration
     |     |              |  |  |     |        +-- expiration-date        yang:date-and-time
     |     |              |  |  |     +--:(truststore) {truststore-supported,x509-certificates}?
     |     |              |  |  |        +--rw truststore-reference?   ts:certificates-ref
     |     |              |  |  +--rw server-certs!
     |     |              |  |     +--rw (local-or-truststore)
     |     |              |  |        +--:(local) {local-definitions-supported}?
     |     |              |  |        |  +--rw local-definition
     |     |              |  |        |     +--rw cert*                   trust-anchor-cert-cms
     |     |              |  |        |     +---n certificate-expiration
     |     |              |  |        |        +-- expiration-date        yang:date-and-time
     |     |              |  |        +--:(truststore) {truststore-supported,x509-certificates}?
     |     |              |  |           +--rw truststore-reference?   ts:certificates-ref
     |     |              |  +--rw hello-params {tls-client-hello-params-config}?
     |     |              |  |  +--rw tls-versions
     |     |              |  |  |  +--rw tls-version*    identityref
     |     |              |  |  +--rw cipher-suites
     |     |              |  |     +--rw cipher-suite*   identityref
     |     |              |  +--rw keepalives! {tls-client-keepalives}?
     |     |              |     +--rw max-wait?       uint16
     |     |              |     +--rw max-attempts?   uint8
     |     |              +--rw netconf-client-parameters
     |     +--rw connection-type
     |     |  +--rw (connection-type)
     |     |     +--:(persistent-connection)
     |     |     |  +--rw persistent!
     |     |     +--:(periodic-connection)
     |     |        +--rw periodic!
     |     |           +--rw period?         uint16
     |     |           +--rw anchor-time?    yang:date-and-time
     |     |           +--rw idle-timeout?   uint16
     |     +--rw reconnect-strategy
     |        +--rw start-with?     enumeration
     |        +--rw max-attempts?   uint8
     +--rw listen! {ssh-listen or tls-listen}?
        +--rw idle-timeout?   uint16
        +--rw endpoint* [name]
           +--rw name          string
           +--rw (transport)
              +--:(ssh) {ssh-listen}?
              |  +--rw ssh
              |     +--rw tcp-server-parameters
              |     |  +--rw local-address   inet:ip-address
              |     |  +--rw local-port?     inet:port-number
              |     |  +--rw keepalives! {keepalives-supported}?
              |     |     +--rw idle-time        uint16
              |     |     +--rw max-probes       uint16
              |     |     +--rw probe-interval   uint16
              |     +--rw ssh-client-parameters
              |     |  +--rw client-identity
              |     |  |  +--rw username?   string
              |     |  |  +--rw (auth-type)
              |     |  |     +--:(password)
              |     |  |     |  +--rw password?   string
              |     |  |     +--:(public-key)
              |     |  |     |  +--rw public-key
              |     |  |     |     +--rw (local-or-keystore)
              |     |  |     |        +--:(local) {local-definitions-supported}?
              |     |  |     |        |  +--rw local-definition
              |     |  |     |        |     +--rw algorithm              iasa:asymmetric-algorithm-type
              |     |  |     |        |     +--rw public-key-format?     identityref
              |     |  |     |        |     +--rw public-key             binary
              |     |  |     |        |     +--rw private-key-format?    identityref
              |     |  |     |        |     +--rw (private-key-type)
              |     |  |     |        |        +--:(private-key)
              |     |  |     |        |        |  +--rw private-key?           binary
              |     |  |     |        |        +--:(hidden-private-key)
              |     |  |     |        |        |  +--rw hidden-private-key?    empty
              |     |  |     |        |        +--:(encrypted-private-key)
              |     |  |     |        |           +--rw encrypted-private-key
              |     |  |     |        |              +--rw (key-type)
              |     |  |     |        |              |  +--:(symmetric-key-ref)
              |     |  |     |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
              |     |  |     |        |              |  +--:(asymmetric-key-ref)
              |     |  |     |        |              |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
              |     |  |     |        |              +--rw value?   binary
              |     |  |     |        +--:(keystore) {keystore-supported}?
              |     |  |     |           +--rw keystore-reference?   ks:asymmetric-key-ref
              |     |  |     +--:(certificate)
              |     |  |        +--rw certificate {sshcmn:ssh-x509-certs}?
              |     |  |           +--rw (local-or-keystore)
              |     |  |              +--:(local) {local-definitions-supported}?
              |     |  |              |  +--rw local-definition
              |     |  |              |     +--rw algorithm                    iasa:asymmetric-algorithm-type
              |     |  |              |     +--rw public-key-format?           identityref
              |     |  |              |     +--rw public-key                   binary
              |     |  |              |     +--rw private-key-format?          identityref
              |     |  |              |     +--rw (private-key-type)
              |     |  |              |     |  +--:(private-key)
              |     |  |              |     |  |  +--rw private-key?           binary
              |     |  |              |     |  +--:(hidden-private-key)
              |     |  |              |     |  |  +--rw hidden-private-key?    empty
              |     |  |              |     |  +--:(encrypted-private-key)
              |     |  |              |     |     +--rw encrypted-private-key
              |     |  |              |     |        +--rw (key-type)
              |     |  |              |     |        |  +--:(symmetric-key-ref)
              |     |  |              |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
              |     |  |              |     |        |  +--:(asymmetric-key-ref)
              |     |  |              |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
              |     |  |              |     |        +--rw value?               binary
              |     |  |              |     +--rw cert?                        end-entity-cert-cms
              |     |  |              |     +---n certificate-expiration
              |     |  |              |     |  +-- expiration-date             yang:date-and-time
              |     |  |              |     +---x generate-certificate-signing-request
              |     |  |              |        +---w input
              |     |  |              |        |  +---w subject                binary
              |     |  |              |        |  +---w attributes?            binary
              |     |  |              |        +--ro output
              |     |  |              |           +--ro certificate-signing-request   binary
              |     |  |              +--:(keystore) {keystore-supported}?
              |     |  |                 +--rw keystore-reference
              |     |  |                    +--rw asymmetric-key?   ks:asymmetric-key-ref
              |     |  |                    +--rw certificate?      leafref
              |     |  +--rw server-authentication
              |     |  |  +--rw ssh-host-keys!
              |     |  |  |  +--rw (local-or-truststore)
              |     |  |  |     +--:(local) {local-definitions-supported}?
              |     |  |  |     |  +--rw local-definition
              |     |  |  |     |     +--rw host-key*               ct:ssh-host-key
              |     |  |  |     +--:(truststore) {truststore-supported,ssh-host-keys}?
              |     |  |  |        +--rw truststore-reference?   ts:host-keys-ref
              |     |  |  +--rw ca-certs! {sshcmn:ssh-x509-certs}?
              |     |  |  |  +--rw (local-or-truststore)
              |     |  |  |     +--:(local) {local-definitions-supported}?
              |     |  |  |     |  +--rw local-definition
              |     |  |  |     |     +--rw cert*                   trust-anchor-cert-cms
              |     |  |  |     |     +---n certificate-expiration
              |     |  |  |     |        +-- expiration-date        yang:date-and-time
              |     |  |  |     +--:(truststore) {truststore-supported,x509-certificates}?
              |     |  |  |        +--rw truststore-reference?   ts:certificates-ref
              |     |  |  +--rw server-certs! {sshcmn:ssh-x509-certs}?
              |     |  |     +--rw (local-or-truststore)
              |     |  |        +--:(local) {local-definitions-supported}?
              |     |  |        |  +--rw local-definition
              |     |  |        |     +--rw cert*                   trust-anchor-cert-cms
              |     |  |        |     +---n certificate-expiration
              |     |  |        |        +-- expiration-date        yang:date-and-time
              |     |  |        +--:(truststore) {truststore-supported,x509-certificates}?
              |     |  |           +--rw truststore-reference?   ts:certificates-ref
              |     |  +--rw transport-params {ssh-client-transport-params-config}?
              |     |  |  +--rw host-key
              |     |  |  |  +--rw host-key-alg*       identityref
              |     |  |  +--rw key-exchange
              |     |  |  |  +--rw key-exchange-alg*   identityref
              |     |  |  +--rw encryption
              |     |  |  |  +--rw encryption-alg*     identityref
              |     |  |  +--rw mac
              |     |  |     +--rw mac-alg*            identityref
              |     |  +--rw keepalives! {ssh-client-keepalives}?
              |     |     +--rw max-wait?       uint16
              |     |     +--rw max-attempts?   uint8
              |     +--rw netconf-client-parameters
              +--:(tls) {tls-listen}?
                 +--rw tls
                    +--rw tcp-server-parameters
                    |  +--rw local-address   inet:ip-address
                    |  +--rw local-port?     inet:port-number
                    |  +--rw keepalives! {keepalives-supported}?
                    |     +--rw idle-time        uint16
                    |     +--rw max-probes       uint16
                    |     +--rw probe-interval   uint16
                    +--rw tls-client-parameters
                    |  +--rw client-identity
                    |  |  +--rw (local-or-keystore)
                    |  |     +--:(local) {local-definitions-supported}?
                    |  |     |  +--rw local-definition
                    |  |     |     +--rw algorithm                    iasa:asymmetric-algorithm-type
                    |  |     |     +--rw public-key-format?           identityref
                    |  |     |     +--rw public-key                   binary
                    |  |     |     +--rw private-key-format?          identityref
                    |  |     |     +--rw (private-key-type)
                    |  |     |     |  +--:(private-key)
                    |  |     |     |  |  +--rw private-key?           binary
                    |  |     |     |  +--:(hidden-private-key)
                    |  |     |     |  |  +--rw hidden-private-key?    empty
                    |  |     |     |  +--:(encrypted-private-key)
                    |  |     |     |     +--rw encrypted-private-key
                    |  |     |     |        +--rw (key-type)
                    |  |     |     |        |  +--:(symmetric-key-ref)
                    |  |     |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
                    |  |     |     |        |  +--:(asymmetric-key-ref)
                    |  |     |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
                    |  |     |     |        +--rw value?               binary
                    |  |     |     +--rw cert?                        end-entity-cert-cms
                    |  |     |     +---n certificate-expiration
                    |  |     |     |  +-- expiration-date             yang:date-and-time
                    |  |     |     +---x generate-certificate-signing-request
                    |  |     |        +---w input
                    |  |     |        |  +---w subject                binary
                    |  |     |        |  +---w attributes?            binary
                    |  |     |        +--ro output
                    |  |     |           +--ro certificate-signing-request   binary
                    |  |     +--:(keystore) {keystore-supported}?
                    |  |        +--rw keystore-reference
                    |  |           +--rw asymmetric-key?   ks:asymmetric-key-ref
                    |  |           +--rw certificate?      leafref
                    |  +--rw server-authentication
                    |  |  +--rw ca-certs!
                    |  |  |  +--rw (local-or-truststore)
                    |  |  |     +--:(local) {local-definitions-supported}?
                    |  |  |     |  +--rw local-definition
                    |  |  |     |     +--rw cert*                   trust-anchor-cert-cms
                    |  |  |     |     +---n certificate-expiration
                    |  |  |     |        +-- expiration-date        yang:date-and-time
                    |  |  |     +--:(truststore) {truststore-supported,x509-certificates}?
                    |  |  |        +--rw truststore-reference?   ts:certificates-ref
                    |  |  +--rw server-certs!
                    |  |     +--rw (local-or-truststore)
                    |  |        +--:(local) {local-definitions-supported}?
                    |  |        |  +--rw local-definition
                    |  |        |     +--rw cert*                   trust-anchor-cert-cms
                    |  |        |     +---n certificate-expiration
                    |  |        |        +-- expiration-date        yang:date-and-time
                    |  |        +--:(truststore) {truststore-supported,x509-certificates}?
                    |  |           +--rw truststore-reference?   ts:certificates-ref
                    |  +--rw hello-params {tls-client-hello-params-config}?
                    |  |  +--rw tls-versions
                    |  |  |  +--rw tls-version*    identityref
                    |  |  +--rw cipher-suites
                    |  |     +--rw cipher-suite*   identityref
                    |  +--rw keepalives! {tls-client-keepalives}?
                    |     +--rw max-wait?       uint16
                    |     +--rw max-attempts?   uint8
                    +--rw netconf-client-parameters

A.2.  Expanded Tree Diagram for 'ietf-netconf-server'

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram shows all the nodes defined in this module,
   including those contributed by the "grouping" statements the module
   uses.

   Please see Section 4.1 for a tree diagram that illustrates what the
   module looks like without all the "grouping" statements expanded.
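   The server tree that follows carries, under netconf-server-parameters/
   client-identification/cert-maps, a cert-to-name list keyed by id with
   fingerprint, map-type and name leaves. This is the step that turns a
   client certificate (already chain-validated against client-
   authentication/ca-certs or client-certs) into the NETCONF username that
   access control sees, so a server implementer needs its search order and
   failure behaviour right. The Python below is an added illustration, not
   code from this draft or its modules. The Cert class, resolve_name and the
   constructed certificates and fingerprints are mine; the search semantics
   (ascending id, fingerprint compared against every certificate in the
   presented chain, map-type deciding where the name comes from, the
   rfc822Name/dNSName/iPAddress order for san-any) follow my reading of the
   x509c2n grouping in RFC 7407 and its RFC 6353 ancestor, and skipping an
   entry without a fingerprint or without the field its map-type needs is a
   fail-closed choice of mine, not something the tree states.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# First octet of an x509c2n:tls-fingerprint is the TLS HashAlgorithm
# registry value (RFC 5246) naming the digest in the remaining octets.
HASH_IDS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (no ASN.1 here)."""
    der: bytes                                   # bytes the fingerprint covers
    common_name: str = ""                        # subject commonName
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def tls_fingerprint(der: bytes, hash_id: int = 4) -> str:
    """Render <hash-id octet><digest> in the colon-separated hex string form
    of x509c2n:tls-fingerprint (default: sha256)."""
    digest = hashlib.new(HASH_IDS[hash_id], der).digest()
    return ":".join(f"{b:02x}" for b in bytes([hash_id]) + digest)


def fingerprint_matches(fp: str, cert: Cert) -> bool:
    """Recompute the fingerprint with the algorithm named in fp's first octet."""
    try:
        hash_id = int(fp.split(":", 1)[0], 16)
    except ValueError:
        return False
    if hash_id not in HASH_IDS:
        return False                             # unknown algorithm never matches
    return tls_fingerprint(cert.der, hash_id) == fp.lower()


def name_from_cert(map_type: str, cert: Cert, specified: Optional[str]) -> Optional[str]:
    """Apply one map-type identity to the end-entity certificate."""
    if map_type == "x509c2n:specified":
        return specified
    if map_type == "x509c2n:common-name":
        return cert.common_name or None
    if map_type == "x509c2n:san-rfc822-name":
        return cert.san_rfc822[0] if cert.san_rfc822 else None
    if map_type == "x509c2n:san-dns-name":
        return cert.san_dns[0] if cert.san_dns else None
    if map_type == "x509c2n:san-ip-address":
        return cert.san_ip[0] if cert.san_ip else None
    if map_type == "x509c2n:san-any":
        for cands in (cert.san_rfc822, cert.san_dns, cert.san_ip):  # in that order
            if cands:
                return cands[0]
    return None


def resolve_name(chain: List[Cert], cert_to_name: List[dict]) -> Optional[str]:
    """Walk cert-to-name entries in ascending 'id' order; the first entry whose
    fingerprint matches any certificate in the presented chain (end-entity
    first, then issuers) and yields a name decides. None means reject."""
    for entry in sorted(cert_to_name, key=lambda e: e["id"]):
        fp = entry.get("fingerprint")
        if fp is None:
            continue                             # assumption: no fingerprint, no match
        if not any(fingerprint_matches(fp, c) for c in chain):
            continue
        name = name_from_cert(entry["map-type"], chain[0], entry.get("name"))
        if name is not None:
            return name
    return None


# Constructed sample data: an issuing CA and two client certificates.
CA = Cert(der=b"constructed-ca-cert-der", common_name="Example NETCONF Client CA")
ADMIN_CERT = Cert(der=b"constructed-admin-cert-der", common_name="alice",
                  san_rfc822=["alice@example.net"])
OTHER_CERT = Cert(der=b"constructed-other-cert-der", common_name="mallory")

# Sample cert-to-name list (ids deliberately out of order): a pinned
# per-certificate identity, then a CA-wide rule taking the subject CN.
CERT_TO_NAME = [
    {"id": 2, "fingerprint": tls_fingerprint(CA.der), "map-type": "x509c2n:common-name"},
    {"id": 1, "fingerprint": tls_fingerprint(ADMIN_CERT.der),
     "map-type": "x509c2n:specified", "name": "netconf-admin"},
]

if __name__ == "__main__":
    print(resolve_name([ADMIN_CERT, CA], CERT_TO_NAME))   # netconf-admin (id 1 wins)
    print(resolve_name([OTHER_CERT, CA], CERT_TO_NAME))   # mallory (CA rule, CN)
    print(resolve_name([OTHER_CERT], CERT_TO_NAME))       # None: reject
```

   The design point worth keeping from this sketch: an entry pinned to an
   issuer fingerprint maps every certificate that CA signed, so the name it
   derives is only as trustworthy as the CN or SAN discipline of that CA,
   and a None result has to end the session rather than fall back to some
   default user.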
   ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========

module: ietf-netconf-server
  +--rw netconf-server
     +--rw listen! {ssh-listen or tls-listen}?
     |  +--rw idle-timeout?   uint16
     |  +--rw endpoint* [name]
     |     +--rw name          string
     |     +--rw (transport)
     |        +--:(ssh) {ssh-listen}?
     |        |  +--rw ssh
     |        |     +--rw tcp-server-parameters
     |        |     |  +--rw local-address   inet:ip-address
     |        |     |  +--rw local-port?     inet:port-number
     |        |     |  +--rw keepalives! {keepalives-supported}?
     |        |     |     +--rw idle-time        uint16
     |        |     |     +--rw max-probes       uint16
     |        |     |     +--rw probe-interval   uint16
     |        |     +--rw ssh-server-parameters
     |        |     |  +--rw server-identity
     |        |     |  |  +--rw host-key* [name]
     |        |     |  |     +--rw name             string
     |        |     |  |     +--rw (host-key-type)
     |        |     |  |        +--:(public-key)
     |        |     |  |        |  +--rw public-key
     |        |     |  |        |     +--rw (local-or-keystore)
     |        |     |  |        |        +--:(local) {local-definitions-supported}?
     |        |     |  |        |        |  +--rw local-definition
     |        |     |  |        |        |     +--rw algorithm              iasa:asymmetric-algorithm-type
     |        |     |  |        |        |     +--rw public-key-format?     identityref
     |        |     |  |        |        |     +--rw public-key             binary
     |        |     |  |        |        |     +--rw private-key-format?    identityref
     |        |     |  |        |        |     +--rw (private-key-type)
     |        |     |  |        |        |        +--:(private-key)
     |        |     |  |        |        |        |  +--rw private-key?           binary
     |        |     |  |        |        |        +--:(hidden-private-key)
     |        |     |  |        |        |        |  +--rw hidden-private-key?    empty
     |        |     |  |        |        |        +--:(encrypted-private-key)
     |        |     |  |        |        |           +--rw encrypted-private-key
     |        |     |  |        |        |              +--rw (key-type)
     |        |     |  |        |        |              |  +--:(symmetric-key-ref)
     |        |     |  |        |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |        |     |  |        |        |              |  +--:(asymmetric-key-ref)
     |        |     |  |        |        |              |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |        |     |  |        |        |              +--rw value?   binary
     |        |     |  |        |        +--:(keystore) {keystore-supported}?
     |        |     |  |        |           +--rw keystore-reference?   ks:asymmetric-key-ref
     |        |     |  |        +--:(certificate)
     |        |     |  |           +--rw certificate {sshcmn:ssh-x509-certs}?
     |        |     |  |              +--rw (local-or-keystore)
     |        |     |  |                 +--:(local) {local-definitions-supported}?
     |        |     |  |                 |  +--rw local-definition
     |        |     |  |                 |     +--rw algorithm                    iasa:asymmetric-algorithm-type
     |        |     |  |                 |     +--rw public-key-format?           identityref
     |        |     |  |                 |     +--rw public-key                   binary
     |        |     |  |                 |     +--rw private-key-format?          identityref
     |        |     |  |                 |     +--rw (private-key-type)
     |        |     |  |                 |     |  +--:(private-key)
     |        |     |  |                 |     |  |  +--rw private-key?           binary
     |        |     |  |                 |     |  +--:(hidden-private-key)
     |        |     |  |                 |     |  |  +--rw hidden-private-key?    empty
     |        |     |  |                 |     |  +--:(encrypted-private-key)
     |        |     |  |                 |     |     +--rw encrypted-private-key
     |        |     |  |                 |     |        +--rw (key-type)
     |        |     |  |                 |     |        |  +--:(symmetric-key-ref)
     |        |     |  |                 |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |        |     |  |                 |     |        |  +--:(asymmetric-key-ref)
     |        |     |  |                 |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |        |     |  |                 |     |        +--rw value?               binary
     |        |     |  |                 |     +--rw cert?                        end-entity-cert-cms
     |        |     |  |                 |     +---n certificate-expiration
     |        |     |  |                 |     |  +-- expiration-date             yang:date-and-time
     |        |     |  |                 |     +---x generate-certificate-signing-request
     |        |     |  |                 |        +---w input
     |        |     |  |                 |        |  +---w subject                binary
     |        |     |  |                 |        |  +---w attributes?            binary
     |        |     |  |                 |        +--ro output
     |        |     |  |                 |           +--ro certificate-signing-request   binary
     |        |     |  |                 +--:(keystore) {keystore-supported}?
     |        |     |  |                    +--rw keystore-reference
     |        |     |  |                       +--rw asymmetric-key?   ks:asymmetric-key-ref
     |        |     |  |                       +--rw certificate?      leafref
     |        |     |  +--rw client-authentication
     |        |     |  |  +--rw supported-authentication-methods
     |        |     |  |  |  +--rw publickey?   empty
     |        |     |  |  |  +--rw passsword?   empty
     |        |     |  |  |  +--rw hostbased?   empty
     |        |     |  |  |  +--rw none?        empty
     |        |     |  |  |  +--rw other*       string
     |        |     |  |  +--rw (local-or-external)
     |        |     |  |     +--:(local) {local-client-auth-supported}?
     |        |     |  |     |  +--rw users
     |        |     |  |     |     +--rw user* [name]
     |        |     |  |     |        +--rw name        string
     |        |     |  |     |        +--rw password?   ianach:crypt-hash
     |        |     |  |     |        +--rw host-keys!
     |        |     |  |     |        |  +--rw (local-or-truststore)
     |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
     |        |     |  |     |        |     |  +--rw local-definition
     |        |     |  |     |        |     |     +--rw host-key*               ct:ssh-host-key
     |        |     |  |     |        |     +--:(truststore) {truststore-supported,ssh-host-keys}?
     |        |     |  |     |        |        +--rw truststore-reference?   ts:host-keys-ref
     |        |     |  |     |        +--rw ca-certs! {sshcmn:ssh-x509-certs}?
     |        |     |  |     |        |  +--rw (local-or-truststore)
     |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
     |        |     |  |     |        |     |  +--rw local-definition
     |        |     |  |     |        |     |     +--rw cert*                   trust-anchor-cert-cms
     |        |     |  |     |        |     |     +---n certificate-expiration
     |        |     |  |     |        |     |        +-- expiration-date        yang:date-and-time
     |        |     |  |     |        |     +--:(truststore) {truststore-supported,x509-certificates}?
     |        |     |  |     |        |        +--rw truststore-reference?   ts:certificates-ref
     |        |     |  |     |        +--rw client-certs! {sshcmn:ssh-x509-certs}?
     |        |     |  |     |           +--rw (local-or-truststore)
     |        |     |  |     |              +--:(local) {local-definitions-supported}?
     |        |     |  |     |              |  +--rw local-definition
     |        |     |  |     |              |     +--rw cert*                   trust-anchor-cert-cms
     |        |     |  |     |              |     +---n certificate-expiration
     |        |     |  |     |              |        +-- expiration-date        yang:date-and-time
     |        |     |  |     |              +--:(truststore) {truststore-supported,x509-certificates}?
     |        |     |  |     |                 +--rw truststore-reference?   ts:certificates-ref
     |        |     |  |     +--:(external) {external-client-auth-supported}?
     |        |     |  |        +--rw client-auth-defined-elsewhere?   empty
     |        |     |  +--rw transport-params {ssh-server-transport-params-config}?
     |        |     |  |  +--rw host-key
     |        |     |  |  |  +--rw host-key-alg*       identityref
     |        |     |  |  +--rw key-exchange
     |        |     |  |  |  +--rw key-exchange-alg*   identityref
     |        |     |  |  +--rw encryption
     |        |     |  |  |  +--rw encryption-alg*     identityref
     |        |     |  |  +--rw mac
     |        |     |  |     +--rw mac-alg*            identityref
     |        |     |  +--rw keepalives! {ssh-server-keepalives}?
     |        |     |     +--rw max-wait?       uint16
     |        |     |     +--rw max-attempts?   uint8
     |        |     +--rw netconf-server-parameters
     |        |        +--rw client-identification
     |        |           +--rw cert-maps
     |        |              +--rw cert-to-name* [id]
     |        |                 +--rw id             uint32
     |        |                 +--rw fingerprint?   x509c2n:tls-fingerprint
     |        |                 +--rw map-type       identityref
     |        |                 +--rw name           string
     |        +--:(tls) {tls-listen}?
     |           +--rw tls
     |              +--rw tcp-server-parameters
     |              |  +--rw local-address   inet:ip-address
     |              |  +--rw local-port?     inet:port-number
     |              |  +--rw keepalives! {keepalives-supported}?
     |              |     +--rw idle-time        uint16
     |              |     +--rw max-probes       uint16
     |              |     +--rw probe-interval   uint16
     |              +--rw tls-server-parameters
     |              |  +--rw server-identity
     |              |  |  +--rw (local-or-keystore)
     |              |  |     +--:(local) {local-definitions-supported}?
     |              |  |     |  +--rw local-definition
     |              |  |     |     +--rw algorithm                    iasa:asymmetric-algorithm-type
     |              |  |     |     +--rw public-key-format?           identityref
     |              |  |     |     +--rw public-key                   binary
     |              |  |     |     +--rw private-key-format?          identityref
     |              |  |     |     +--rw (private-key-type)
     |              |  |     |     |  +--:(private-key)
     |              |  |     |     |  |  +--rw private-key?           binary
     |              |  |     |     |  +--:(hidden-private-key)
     |              |  |     |     |  |  +--rw hidden-private-key?    empty
     |              |  |     |     |  +--:(encrypted-private-key)
     |              |  |     |     |     +--rw encrypted-private-key
     |              |  |     |     |        +--rw (key-type)
     |              |  |     |     |        |  +--:(symmetric-key-ref)
     |              |  |     |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |              |  |     |     |        |  +--:(asymmetric-key-ref)
     |              |  |     |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |              |  |     |     |        +--rw value?               binary
     |              |  |     |     +--rw cert?                        end-entity-cert-cms
     |              |  |     |     +---n certificate-expiration
     |              |  |     |     |  +-- expiration-date             yang:date-and-time
     |              |  |     |     +---x generate-certificate-signing-request
     |              |  |     |        +---w input
     |              |  |     |        |  +---w subject                binary
     |              |  |     |        |  +---w attributes?            binary
     |              |  |     |        +--ro output
     |              |  |     |           +--ro certificate-signing-request   binary
     |              |  |     +--:(keystore) {keystore-supported}?
     |              |  |        +--rw keystore-reference
     |              |  |           +--rw asymmetric-key?   ks:asymmetric-key-ref
     |              |  |           +--rw certificate?      leafref
     |              |  +--rw client-authentication!
     |              |  |  +--rw (required-or-optional)
     |              |  |  |  +--:(required)
     |              |  |  |  |  +--rw required?   empty
     |              |  |  |  +--:(optional)
     |              |  |  |     +--rw optional?   empty
     |              |  |  +--rw (local-or-external)
     |              |  |     +--:(local) {local-client-auth-supported}?
     |              |  |     |  +--rw ca-certs!
     |              |  |     |  |  +--rw (local-or-truststore)
     |              |  |     |  |     +--:(local) {local-definitions-supported}?
     |              |  |     |  |     |  +--rw local-definition
     |              |  |     |  |     |     +--rw cert*                   trust-anchor-cert-cms
     |              |  |     |  |     |     +---n certificate-expiration
     |              |  |     |  |     |        +-- expiration-date        yang:date-and-time
     |              |  |     |  |     +--:(truststore) {truststore-supported,x509-certificates}?
     |              |  |     |  |        +--rw truststore-reference?   ts:certificates-ref
     |              |  |     |  +--rw client-certs!
     |              |  |     |     +--rw (local-or-truststore)
     |              |  |     |        +--:(local) {local-definitions-supported}?
     |              |  |     |        |  +--rw local-definition
     |              |  |     |        |     +--rw cert*                   trust-anchor-cert-cms
     |              |  |     |        |     +---n certificate-expiration
     |              |  |     |        |        +-- expiration-date        yang:date-and-time
     |              |  |     |        +--:(truststore) {truststore-supported,x509-certificates}?
     |              |  |     |           +--rw truststore-reference?   ts:certificates-ref
     |              |  |     +--:(external) {external-client-auth-supported}?
     |              |  |        +--rw client-auth-defined-elsewhere?   empty
     |              |  +--rw hello-params {tls-server-hello-params-config}?
     |              |  |  +--rw tls-versions
     |              |  |  |  +--rw tls-version*    identityref
     |              |  |  +--rw cipher-suites
     |              |  |     +--rw cipher-suite*   identityref
     |              |  +--rw keepalives! {tls-server-keepalives}?
     |              |     +--rw max-wait?       uint16
     |              |     +--rw max-attempts?   uint8
     |              +--rw netconf-server-parameters
     |                 +--rw client-identification
     |                    +--rw cert-maps
     |                       +--rw cert-to-name* [id]
     |                          +--rw id             uint32
     |                          +--rw fingerprint?   x509c2n:tls-fingerprint
     |                          +--rw map-type       identityref
     |                          +--rw name           string
     +--rw call-home! {ssh-call-home or tls-call-home}?
        +--rw netconf-client* [name]
           +--rw name                  string
           +--rw endpoints
           |  +--rw endpoint* [name]
           |     +--rw name          string
           |     +--rw (transport)
           |        +--:(ssh) {ssh-call-home}?
           |        |  +--rw ssh
           |        |     +--rw tcp-client-parameters
           |        |     |  +--rw remote-address    inet:host
           |        |     |  +--rw remote-port?      inet:port-number
           |        |     |  +--rw local-address?    inet:ip-address {local-binding-supported}?
           |        |     |  +--rw local-port?       inet:port-number {local-binding-supported}?
           |        |     |  +--rw keepalives! {keepalives-supported}?
           |        |     |     +--rw idle-time        uint16
           |        |     |     +--rw max-probes       uint16
           |        |     |     +--rw probe-interval   uint16
           |        |     +--rw ssh-server-parameters
           |        |     |  +--rw server-identity
           |        |     |  |  +--rw host-key* [name]
           |        |     |  |     +--rw name             string
           |        |     |  |     +--rw (host-key-type)
           |        |     |  |        +--:(public-key)
           |        |     |  |        |  +--rw public-key
           |        |     |  |        |     +--rw (local-or-keystore)
           |        |     |  |        |        +--:(local) {local-definitions-supported}?
           |        |     |  |        |        |  +--rw local-definition
           |        |     |  |        |        |     +--rw algorithm              iasa:asymmetric-algorithm-type
           |        |     |  |        |        |     +--rw public-key-format?     identityref
           |        |     |  |        |        |     +--rw public-key             binary
           |        |     |  |        |        |     +--rw private-key-format?    identityref
           |        |     |  |        |        |     +--rw (private-key-type)
           |        |     |  |        |        |        +--:(private-key)
           |        |     |  |        |        |        |  +--rw private-key?           binary
           |        |     |  |        |        |        +--:(hidden-private-key)
           |        |     |  |        |        |        |  +--rw hidden-private-key?    empty
           |        |     |  |        |        |        +--:(encrypted-private-key)
           |        |     |  |        |        |           +--rw encrypted-private-key
           |        |     |  |        |        |              +--rw (key-type)
           |        |     |  |        |        |              |  +--:(symmetric-key-ref)
           |        |     |  |        |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
           |        |     |  |        |        |              |  +--:(asymmetric-key-ref)
           |        |     |  |        |        |              |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
           |        |     |  |        |        |              +--rw value?   binary
           |        |     |  |        |        +--:(keystore) {keystore-supported}?
           |        |     |  |        |           +--rw keystore-reference?   ks:asymmetric-key-ref
           |        |     |  |        +--:(certificate)
           |        |     |  |           +--rw certificate {sshcmn:ssh-x509-certs}?
           |        |     |  |              +--rw (local-or-keystore)
           |        |     |  |                 +--:(local) {local-definitions-supported}?
           |        |     |  |                 |  +--rw local-definition
           |        |     |  |                 |     +--rw algorithm                    iasa:asymmetric-algorithm-type
           |        |     |  |                 |     +--rw public-key-format?           identityref
           |        |     |  |                 |     +--rw public-key                   binary
           |        |     |  |                 |     +--rw private-key-format?          identityref
           |        |     |  |                 |     +--rw (private-key-type)
           |        |     |  |                 |     |  +--:(private-key)
           |        |     |  |                 |     |  |  +--rw private-key?           binary
           |        |     |  |                 |     |  +--:(hidden-private-key)
           |        |     |  |                 |     |  |  +--rw hidden-private-key?    empty
           |        |     |  |                 |     |  +--:(encrypted-private-key)
           |        |     |  |                 |     |     +--rw encrypted-private-key
           |        |     |  |                 |     |        +--rw (key-type)
           |        |     |  |                 |     |        |  +--:(symmetric-key-ref)
           |        |     |  |                 |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
           |        |     |  |                 |     |        |  +--:(asymmetric-key-ref)
           |        |     |  |                 |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
           |        |     |  |                 |     |        +--rw value?               binary
           |        |     |  |                 |     +--rw cert?                        end-entity-cert-cms
           |        |     |  |                 |     +---n certificate-expiration
           |        |     |  |                 |     |  +-- expiration-date             yang:date-and-time
           |        |     |  |                 |     +---x generate-certificate-signing-request
           |        |     |  |                 |        +---w input
           |        |     |  |                 |        |  +---w subject                binary
           |        |     |  |                 |        |  +---w attributes?            binary
           |        |     |  |                 |        +--ro output
           |        |     |  |                 |           +--ro certificate-signing-request   binary
           |        |     |  |                 +--:(keystore) {keystore-supported}?
           |        |     |  |                    +--rw keystore-reference
           |        |     |  |                       +--rw asymmetric-key?   ks:asymmetric-key-ref
           |        |     |  |                       +--rw certificate?      leafref
           |        |     |  +--rw client-authentication
           |        |     |  |  +--rw supported-authentication-methods
           |        |     |  |  |  +--rw publickey?   empty
           |        |     |  |  |  +--rw passsword?   empty
           |        |     |  |  |  +--rw hostbased?   empty
           |        |     |  |  |  +--rw none?        empty
           |        |     |  |  |  +--rw other*       string
           |        |     |  |  +--rw (local-or-external)
           |        |     |  |     +--:(local) {local-client-auth-supported}?
           |        |     |  |     |  +--rw users
           |        |     |  |     |     +--rw user* [name]
           |        |     |  |     |        +--rw name        string
           |        |     |  |     |        +--rw password?   ianach:crypt-hash
           |        |     |  |     |        +--rw host-keys!
           |        |     |  |     |        |  +--rw (local-or-truststore)
           |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
           |        |     |  |     |        |     |  +--rw local-definition
           |        |     |  |     |        |     |     +--rw host-key*               ct:ssh-host-key
           |        |     |  |     |        |     +--:(truststore) {truststore-supported,ssh-host-keys}?
           |        |     |  |     |        |        +--rw truststore-reference?   ts:host-keys-ref
           |        |     |  |     |        +--rw ca-certs! {sshcmn:ssh-x509-certs}?
           |        |     |  |     |        |  +--rw (local-or-truststore)
           |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
           |        |     |  |     |        |     |  +--rw local-definition
           |        |     |  |     |        |     |     +--rw cert*                   trust-anchor-cert-cms
           |        |     |  |     |        |     |     +---n certificate-expiration
           |        |     |  |     |        |     |        +-- expiration-date        yang:date-and-time
           |        |     |  |     |        |     +--:(truststore) {truststore-supported,x509-certificates}?
           |        |     |  |     |        |        +--rw truststore-reference?   ts:certificates-ref
           |        |     |  |     |        +--rw client-certs! {sshcmn:ssh-x509-certs}?
           |        |     |  |     |           +--rw (local-or-truststore)
           |        |     |  |     |              +--:(local) {local-definitions-supported}?
           |        |     |  |     |              |  +--rw local-definition
           |        |     |  |     |              |     +--rw cert*                   trust-anchor-cert-cms
           |        |     |  |     |              |     +---n certificate-expiration
           |        |     |  |     |              |        +-- expiration-date        yang:date-and-time
           |        |     |  |     |              +--:(truststore) {truststore-supported,x509-certificates}?
           |        |     |  |     |                 +--rw truststore-reference?   ts:certificates-ref
           |        |     |  |     +--:(external) {external-client-auth-supported}?
           |        |     |  |        +--rw client-auth-defined-elsewhere?   empty
           |        |     |  +--rw transport-params {ssh-server-transport-params-config}?
           |        |     |  |  +--rw host-key
           |        |     |  |  |  +--rw host-key-alg*       identityref
           |        |     |  |  +--rw key-exchange
           |        |     |  |  |  +--rw key-exchange-alg*   identityref
           |        |     |  |  +--rw encryption
           |        |     |  |  |  +--rw encryption-alg*     identityref
           |        |     |  |  +--rw mac
           |        |     |  |     +--rw mac-alg*            identityref
           |        |     |  +--rw keepalives! {ssh-server-keepalives}?
           |        |     |     +--rw max-wait?       uint16
           |        |     |     +--rw max-attempts?   uint8
           |        |     +--rw netconf-server-parameters
           |        |        +--rw client-identification
           |        |           +--rw cert-maps
           |        |              +--rw cert-to-name* [id]
           |        |                 +--rw id             uint32
           |        |                 +--rw fingerprint?   x509c2n:tls-fingerprint
           |        |                 +--rw map-type       identityref
           |        |                 +--rw name           string
           |        +--:(tls) {tls-call-home}?
           |           +--rw tls
           |              +--rw tcp-client-parameters
           |              |  +--rw remote-address    inet:host
           |              |  +--rw remote-port?      inet:port-number
           |              |  +--rw local-address?    inet:ip-address {local-binding-supported}?
           |              |  +--rw local-port?       inet:port-number {local-binding-supported}?
           |              |  +--rw keepalives! {keepalives-supported}?
           |              |     +--rw idle-time        uint16
           |              |     +--rw max-probes       uint16
           |              |     +--rw probe-interval   uint16
           |              +--rw tls-server-parameters
           |              |  +--rw server-identity
           |              |  |  +--rw (local-or-keystore)
           |              |  |     +--:(local) {local-definitions-supported}?
           |              |  |     |  +--rw local-definition
           |              |  |     |     +--rw algorithm              iasa:asymmetric-algorithm-type
           |              |  |     |     +--rw public-key-format?     identityref
           |              |  |     |     +--rw public-key             binary
           |              |  |     |     +--rw private-key-format?
3550 | | | | | identityref 3551 | | | | +--rw (private-key-type) 3552 | | | | | +--:(private-key) 3553 | | | | | | +--rw private-key? 3554 | | | | | | binary 3555 | | | | | +--:(hidden-private-key) 3556 | | | | | | +--rw hidden-private-\ 3557 \key? 3558 | | | | | | empty 3559 | | | | | +--:(encrypted-private-k\ 3560 \ey) 3561 | | | | | +--rw encrypted-priva\ 3562 \te-key 3563 | | | | | +--rw (key-type) 3564 | | | | | | +--:(symmetric-\ 3565 \key-ref) 3566 | | | | | | | +--rw symmet\ 3567 \ric-key-ref? leafref 3568 | | | | | | | {key\ 3569 \store-supported}? 3570 | | | | | | +--:(asymmetric\ 3571 \-key-ref) 3572 | | | | | | +--rw asymme\ 3573 \tric-key-ref? leafref 3574 | | | | | | {key\ 3575 \store-supported}? 3576 | | | | | +--rw value? 3577 | | | | | binary 3578 | | | | +--rw cert? 3579 | | | | | end-entity-cert-cms 3580 | | | | +---n certificate-expiration 3581 | | | | | +-- expiration-date 3582 | | | | | yang:date-and-ti\ 3583 \me 3584 | | | | +---x generate-certificate-\ 3585 \signing-request 3586 | | | | +---w input 3587 | | | | | +---w subject 3588 | | | | | | binary 3589 | | | | | +---w attributes? 3590 | | | | | binary 3591 | | | | +--ro output 3592 | | | | +--ro certificate-sig\ 3593 \ning-request 3594 | | | | binary 3595 | | | +--:(keystore) 3596 | | | {keystore-supported}? 3597 | | | +--rw keystore-reference 3598 | | | +--rw asymmetric-key? 3599 | | | | ks:asymmetric-key-r\ 3600 \ef 3601 | | | +--rw certificate? lea\ 3602 \fref 3603 | | +--rw client-authentication! 3604 | | | +--rw (required-or-optional) 3605 | | | | +--:(required) 3606 | | | | | +--rw required? 3607 | | | | | empty 3608 | | | | +--:(optional) 3609 | | | | +--rw optional? 3610 | | | | empty 3611 | | | +--rw (local-or-external) 3612 | | | +--:(local) 3613 | | | | {local-client-auth-suppo\ 3614 \rted}? 3615 | | | | +--rw ca-certs! 3616 | | | | | +--rw (local-or-truststore) 3617 | | | | | +--:(local) 3618 | | | | | | {local-definiti\ 3619 \ons-supported}? 
3620 | | | | | | +--rw local-definition 3621 | | | | | | +--rw cert* 3622 | | | | | | | trust-anch\ 3623 \or-cert-cms 3624 | | | | | | +---n certificate-\ 3625 \expiration 3626 | | | | | | +-- expiration-\ 3627 \date 3628 | | | | | | yang:da\ 3629 \te-and-time 3630 | | | | | +--:(truststore) 3631 | | | | | {truststore-sup\ 3632 \ported,x509-certificates}? 3633 | | | | | +--rw truststore-refe\ 3634 \rence? 3635 | | | | | ts:certificat\ 3636 \es-ref 3637 | | | | +--rw client-certs! 3638 | | | | +--rw (local-or-truststore) 3639 | | | | +--:(local) 3640 | | | | | {local-definiti\ 3641 \ons-supported}? 3642 | | | | | +--rw local-definition 3643 | | | | | +--rw cert* 3644 | | | | | | trust-anch\ 3645 \or-cert-cms 3646 | | | | | +---n certificate-\ 3647 \expiration 3648 | | | | | +-- expiration-\ 3649 \date 3650 | | | | | yang:da\ 3651 \te-and-time 3652 | | | | +--:(truststore) 3653 | | | | {truststore-sup\ 3654 \ported,x509-certificates}? 3655 | | | | +--rw truststore-refe\ 3656 \rence? 3657 | | | | ts:certificat\ 3658 \es-ref 3659 | | | +--:(external) 3660 | | | {external-client-auth-su\ 3661 \pported}? 3662 | | | +--rw client-auth-defined-else\ 3663 \where? 3664 | | | empty 3665 | | +--rw hello-params 3666 | | | {tls-server-hello-params-config\ 3667 \}? 3668 | | | +--rw tls-versions 3669 | | | | +--rw tls-version* identityref 3670 | | | +--rw cipher-suites 3671 | | | +--rw cipher-suite* identityref 3672 | | +--rw keepalives! 3673 | | {tls-server-keepalives}? 3674 | | +--rw max-wait? uint16 3675 | | +--rw max-attempts? uint8 3676 | +--rw netconf-server-parameters 3677 | +--rw client-identification 3678 | +--rw cert-maps 3679 | +--rw cert-to-name* [id] 3680 | +--rw id uint32 3681 | +--rw fingerprint? 3682 | | x509c2n:tls-fingerprint 3683 | +--rw map-type 3684 | | identityref 3685 | +--rw name string 3686 +--rw connection-type 3687 | +--rw (connection-type) 3688 | +--:(persistent-connection) 3689 | | +--rw persistent! 
|     +--:(periodic-connection)
|        +--rw periodic!
|           +--rw period?         uint16
|           +--rw anchor-time?    yang:date-and-time
|           +--rw idle-timeout?   uint16
+--rw reconnect-strategy
   +--rw start-with?     enumeration
   +--rw max-attempts?   uint8

Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Added to ietf-netconf-client the ability to connect to a cluster
      of endpoints, including a reconnection-strategy.

   o  Added to ietf-netconf-client the ability to configure connection-
      type and also keep-alive strategy.

   o  Updated both modules to accommodate new groupings in the ssh/tls
      drafts.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement
      indicating that the TLS client must specify a client-certificate.

   o  Changed 'netconf-client' to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-netconf-client to add a
      mandatory true.

   o  Added refine statement in ietf-netconf-server to add a must
      statement.

   o  Now there are containers and groupings, for both the client and
      server models.

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline keys and certificates (no longer a
      leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.

   o  Updated examples to match latest updates to the crypto-types,
      trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with"
      enum.

   o  Replaced "connection-type" choice default (persistent) with
      "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2
      minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types algs.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the
      keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings
      imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not
      configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

B.12.  11 to 12

   o  Removed the "Design Considerations" section.

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connection" description statements to be
      more like the RESTCONF draft, especially where it describes
      dropping the underlying TCP connection.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.

B.13.  12 to 13

   o  Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
      anchors/truststore/g + s/pinned.//).

B.14.  13 to 14

   o  Adjusted for a change in the TLS client model (removal of the
      top-level 'certificate' container) by replacing the refined-in
      'mandatory true' statement with a 'must' statement outside the
      'uses' statement.

   o  Updated examples to reflect ietf-crypto-types change (e.g.,
      identities --> enumerations).

B.15.  14 to 15

   o  Refactored both the client and server modules similar to how the
      ietf-restconf-server module was refactored in -13 of that draft,
      and the ietf-restconf-client grouping.

B.16.  15 to 16

   o  Added refinement to make "cert-to-name/fingerprint" be mandatory
      false.

   o  Commented out refinement to "tls-server-grouping/client-
      authentication" until a better "must" expression is defined.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
   Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
   Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
   Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net