idnits 2.17.1
draft-ietf-netconf-netconf-client-server-16.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 2096 has weird spacing: '...address ine...'
== Line 2106 has weird spacing: '...nterval uin...'
== Line 2340 has weird spacing: '...address ine...'
== Line 2350 has weird spacing: '...nterval uin...'
== Line 2491 has weird spacing: '...address ine...'
== (11 more instances...)
-- The document date (November 1, 2019) is 1610 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-13
== Outdated reference: A later version (-40) exists of
draft-ietf-netconf-ssh-client-server-15
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-15
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-06
Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track November 1, 2019
5 Expires: May 4, 2020
7 NETCONF Client and Server Models
8 draft-ietf-netconf-netconf-client-server-16
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 NETCONF client and the other module to configure a NETCONF server.
14 Both modules support both the SSH and TLS transport protocols, and
15 support both standard NETCONF and NETCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-ssh-client-server
35 o I-D.ietf-netconf-tls-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
46 server
48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
49 server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-11-02" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on May 4, 2020.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
96 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4
97 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
98 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 6
99 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 9
100 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 20
101 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 20
102 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 22
103 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 28
104 5. Security Considerations . . . . . . . . . . . . . . . . . . . 40
105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
106 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 41
107 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 41
108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
109 7.1. Normative References . . . . . . . . . . . . . . . . . . 42
110 7.2. Informative References . . . . . . . . . . . . . . . . . 43
111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 45
112 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 45
113 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 60
114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 78
115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 78
116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 79
117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 79
118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 79
119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 79
120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 79
121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 80
122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 80
123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 80
124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 80
125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 80
126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 81
127 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 81
128 B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 81
129 B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 81
130 B.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 82
131 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 82
132 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 82
134 1. Introduction
136 This document defines two YANG [RFC7950] modules, one module to
137 configure a NETCONF [RFC6241] client and the other module to
138 configure a NETCONF server. Both modules support NETCONF over
139 SSH [RFC6242], NETCONF over TLS [RFC7589], and NETCONF Call Home
140 connections [RFC8071].
142 2. Terminology
144 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
145 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
146 "OPTIONAL" in this document are to be interpreted as described in BCP
147 14 [RFC2119] [RFC8174] when, and only when, they appear in all
148 capitals, as shown here.
150 3. The NETCONF Client Model
152 The NETCONF client model presented in this section supports both
153 clients initiating connections to servers and clients listening
154 for connections from servers calling home, using either the SSH
155 or TLS transport protocol.
157 YANG feature statements are used to enable implementations to
158 advertise which potentially uncommon parts of the model the NETCONF
159 client supports.
161 3.1. Tree Diagram
163 The following tree diagram [RFC8340] provides an overview of the data
164 model for the "ietf-netconf-client" module.
166 This tree diagram only shows the nodes defined in this module; it
167 does not show the nodes defined by "grouping" statements used by this
168 module.
170 Please see Appendix A.1 for a tree diagram that illustrates what the
171 module looks like with all the "grouping" statements expanded.
173 module: ietf-netconf-client
174 +--rw netconf-client
175 +---u netconf-client-app-grouping
177 grouping netconf-client-grouping
178 grouping netconf-client-initiate-stack-grouping
179 +-- (transport)
180 +--:(ssh) {ssh-initiate}?
181 | +-- ssh
182 | +-- tcp-client-parameters
183 | | +---u tcpc:tcp-client-grouping
184 | +-- ssh-client-parameters
185 | | +---u sshc:ssh-client-grouping
186 | +-- netconf-client-parameters
187 +--:(tls) {tls-initiate}?
188 +-- tls
189 +-- tcp-client-parameters
190 | +---u tcpc:tcp-client-grouping
191 +-- tls-client-parameters
192 | +---u tlsc:tls-client-grouping
193 +-- netconf-client-parameters
194 grouping netconf-client-listen-stack-grouping
195 +-- (transport)
196 +--:(ssh) {ssh-listen}?
197 | +-- ssh
198 | +-- tcp-server-parameters
199 | | +---u tcps:tcp-server-grouping
200 | +-- ssh-client-parameters
201 | | +---u sshc:ssh-client-grouping
202 | +-- netconf-client-parameters
203 +--:(tls) {tls-listen}?
204 +-- tls
205 +-- tcp-server-parameters
206 | +---u tcps:tcp-server-grouping
207 +-- tls-client-parameters
208 | +---u tlsc:tls-client-grouping
209 +-- netconf-client-parameters
210 grouping netconf-client-app-grouping
211 +-- initiate! {ssh-initiate or tls-initiate}?
212 | +-- netconf-server* [name]
213 | +-- name? string
214 | +-- endpoints
215 | | +-- endpoint* [name]
216 | | +-- name? string
217 | | +---u netconf-client-initiate-stack-grouping
218 | +-- connection-type
219 | | +-- (connection-type)
220 | | +--:(persistent-connection)
221 | | | +-- persistent!
222 | | +--:(periodic-connection)
223 | | +-- periodic!
224 | | +-- period? uint16
225 | | +-- anchor-time? yang:date-and-time
226 | | +-- idle-timeout? uint16
227 | +-- reconnect-strategy
228 | +-- start-with? enumeration
229 | +-- max-attempts? uint8
230 +-- listen! {ssh-listen or tls-listen}?
231 +-- idle-timeout? uint16
232 +-- endpoint* [name]
233 +-- name? string
234 +---u netconf-client-listen-stack-grouping
236 3.2. Example Usage
238 The following example illustrates configuring a NETCONF client to
239 initiate connections, using both the SSH and TLS transport protocols,
240 as well as listening for call-home connections, again using both the
241 SSH and TLS transport protocols.
243 This example is consistent with the examples presented in Section 2
244 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
245 [I-D.ietf-netconf-keystore].
247 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
[The XML instance data for this example did not survive extraction; only its bare values remain. They show an 'initiate' configuration for a NETCONF server named 'corp-fw1' with two endpoints, 'corp-fw1.example.com' and 'corp-fw2.example.com' (one SSH, one TLS, as the text above describes), a client-identity username 'foobar' with an 'rsa2048' key, truststore references 'explicitly-trusted-server-ca-certs', 'explicitly-trusted-server-certs' and 'explicitly-trusted-ssh-host-keys', a reconnect strategy starting with 'last-connected', and a call-home 'listen' endpoint named 'Intranet-facing listener' on 192.0.2.7.]
392 3.3. YANG Module
394 This YANG module has normative references to [RFC6242], [RFC6991],
395 [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
396 [I-D.ietf-netconf-ssh-client-server], and
397 [I-D.ietf-netconf-tls-client-server].
399 <CODE BEGINS> file "ietf-netconf-client@2019-11-02.yang"
401 module ietf-netconf-client {
402 yang-version 1.1;
403 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
404 prefix ncc;
406 import ietf-yang-types {
407 prefix yang;
408 reference
409 "RFC 6991: Common YANG Data Types";
410 }
412 import ietf-tcp-client {
413 prefix tcpc;
414 reference
415 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
416 }
417 import ietf-tcp-server {
418 prefix tcps;
419 reference
420 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
421 }
423 import ietf-ssh-client {
424 prefix sshc;
425 revision-date 2019-11-02; // stable grouping definitions
426 reference
427 "RFC YYYY: YANG Groupings for SSH Clients and SSH Servers";
428 }
429 import ietf-tls-client {
430 prefix tlsc;
431 revision-date 2019-11-02; // stable grouping definitions
432 reference
433 "RFC ZZZZ: YANG Groupings for TLS Clients and TLS Servers";
434 }
436 organization
437 "IETF NETCONF (Network Configuration) Working Group";
439 contact
440 "WG Web:
441 WG List:
442 Author: Kent Watsen
443 Author: Gary Wu ";
445 description
446 "This module contains a collection of YANG definitions
447 for configuring NETCONF clients.
449 Copyright (c) 2019 IETF Trust and the persons identified
450 as authors of the code. All rights reserved.
452 Redistribution and use in source and binary forms, with
453 or without modification, is permitted pursuant to, and
454 subject to the license terms contained in, the Simplified
455 BSD License set forth in Section 4.c of the IETF Trust's
456 Legal Provisions Relating to IETF Documents
457 (https://trustee.ietf.org/license-info).
459 This version of this YANG module is part of RFC XXXX
460 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
461 itself for full legal notices.
463 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
464 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
465 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
466 are to be interpreted as described in BCP 14 (RFC 2119)
467 (RFC 8174) when, and only when, they appear in all
468 capitals, as shown here.";
470 revision 2019-11-02 {
471 description
472 "Initial version";
473 reference
474 "RFC XXXX: NETCONF Client and Server Models";
475 }
476 // Features
478 feature ssh-initiate {
479 description
480 "The 'ssh-initiate' feature indicates that the NETCONF client
481 supports initiating SSH connections to NETCONF servers.";
482 reference
483 "RFC 6242:
484 Using the NETCONF Protocol over Secure Shell (SSH)";
485 }
487 feature tls-initiate {
488 description
489 "The 'tls-initiate' feature indicates that the NETCONF client
490 supports initiating TLS connections to NETCONF servers.";
491 reference
492 "RFC 7589: Using the NETCONF Protocol over Transport
493 Layer Security (TLS) with Mutual X.509 Authentication";
494 }
496 feature ssh-listen {
497 description
498 "The 'ssh-listen' feature indicates that the NETCONF client
499 supports opening a port to listen for incoming NETCONF
500 server call-home SSH connections.";
501 reference
502 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
503 }
505 feature tls-listen {
506 description
507 "The 'tls-listen' feature indicates that the NETCONF client
508 supports opening a port to listen for incoming NETCONF
509 server call-home TLS connections.";
510 reference
511 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
512 }
514 // Groupings
516 grouping netconf-client-grouping {
517 description
518 "A reusable grouping for configuring a NETCONF client
519 without any consideration for how underlying transport
520 sessions are established.
522 This grouping currently doesn't define any nodes.";
523 }
524 grouping netconf-client-initiate-stack-grouping {
525 description
526 "A reusable grouping for configuring a NETCONF client
527 'initiate' protocol stack for a single connection.";
528 choice transport {
529 mandatory true;
530 description
531 "Selects between available transports.";
532 case ssh {
533 if-feature "ssh-initiate";
534 container ssh {
535 description
536 "Specifies IP and SSH specific configuration
537 for the connection.";
538 container tcp-client-parameters {
539 description
540 "A wrapper around the TCP client parameters
541 to avoid name collisions.";
542 uses tcpc:tcp-client-grouping {
543 refine "remote-port" {
544 default "830";
545 description
546 "The NETCONF client will attempt to connect
547 to the IANA-assigned well-known port value
548 for 'netconf-ssh' (830) if no value is
549 specified.";
550 }
551 }
552 }
553 container ssh-client-parameters {
554 description
555 "A wrapper around the SSH client parameters to
556 avoid name collisions.";
557 uses sshc:ssh-client-grouping;
558 }
559 container netconf-client-parameters {
560 description
561 "A wrapper around the NETCONF client parameters
562 to avoid name collisions.";
563 uses ncc:netconf-client-grouping;
564 }
565 }
566 }
567 case tls {
568 if-feature "tls-initiate";
569 container tls {
570 description
571 "Specifies IP and TLS specific configuration
572 for the connection.";
573 container tcp-client-parameters {
574 description
575 "A wrapper around the TCP client parameters
576 to avoid name collisions.";
577 uses tcpc:tcp-client-grouping {
578 refine "remote-port" {
579 default "6513";
580 description
581 "The NETCONF client will attempt to connect
582 to the IANA-assigned well-known port value
583 for 'netconf-tls' (6513) if no value is
584 specified.";
585 }
586 }
587 }
588 container tls-client-parameters {
589 must "client-identity" {
590 description
591 "NETCONF/TLS clients MUST pass some
592 authentication credentials.";
593 }
594 description
595 "A wrapper around the TLS client parameters
596 to avoid name collisions.";
597 uses tlsc:tls-client-grouping;
598 }
599 container netconf-client-parameters {
600 description
601 "A wrapper around the NETCONF client parameters
602 to avoid name collisions.";
603 uses ncc:netconf-client-grouping;
604 }
605 }
606 }
607 }
608 } // netconf-client-initiate-stack-grouping
610 grouping netconf-client-listen-stack-grouping {
611 description
612 "A reusable grouping for configuring a NETCONF client
613 'listen' protocol stack for a single connection.";
614 choice transport {
615 mandatory true;
616 description
617 "Selects between available transports.";
618 case ssh {
619 if-feature "ssh-listen";
620 container ssh {
621 description
622 "SSH-specific listening configuration for inbound
623 connections.";
624 container tcp-server-parameters {
625 description
626 "A wrapper around the TCP server parameters
627 to avoid name collisions.";
628 uses tcps:tcp-server-grouping {
629 refine "local-port" {
630 default "4334";
631 description
632 "The NETCONF client will listen on the IANA-
633 assigned well-known port for 'netconf-ch-ssh'
634 (4334) if no value is specified.";
635 }
636 }
637 }
638 container ssh-client-parameters {
639 description
640 "A wrapper around the SSH client parameters
641 to avoid name collisions.";
642 uses sshc:ssh-client-grouping;
643 }
644 container netconf-client-parameters {
645 description
646 "A wrapper around the NETCONF client parameters
647 to avoid name collisions.";
648 uses ncc:netconf-client-grouping;
649 }
650 }
651 }
652 case tls {
653 if-feature "tls-listen";
654 container tls {
655 description
656 "TLS-specific listening configuration for inbound
657 connections.";
658 container tcp-server-parameters {
659 description
660 "A wrapper around the TCP server parameters
661 to avoid name collisions.";
662 uses tcps:tcp-server-grouping {
663 refine "local-port" {
664 default "4335";
665 description
666 "The NETCONF client will listen on the IANA-
667 assigned well-known port for 'netconf-ch-tls'
668 (4335) if no value is specified.";
669 }
670 }
671 }
672 container tls-client-parameters {
673 must "client-identity" {
674 description
675 "NETCONF/TLS clients MUST pass some
676 authentication credentials.";
677 }
678 description
679 "A wrapper around the TLS client parameters
680 to avoid name collisions.";
681 uses tlsc:tls-client-grouping;
682 }
683 container netconf-client-parameters {
684 description
685 "A wrapper around the NETCONF client parameters
686 to avoid name collisions.";
687 uses ncc:netconf-client-grouping;
688 }
689 }
690 }
691 }
692 } // netconf-client-listen-stack-grouping
694 grouping netconf-client-app-grouping {
695 description
696 "A reusable grouping for configuring a NETCONF client
697 application that supports both 'initiate' and 'listen'
698 protocol stacks for a multiplicity of connections.";
699 container initiate {
700 if-feature "ssh-initiate or tls-initiate";
701 presence "Enables client to initiate TCP connections";
702 description
703 "Configures client initiating underlying TCP connections.";
704 list netconf-server {
705 key "name";
706 min-elements 1;
707 description
708 "List of NETCONF servers the NETCONF client is to
709 maintain simultaneous connections with.";
710 leaf name {
711 type string;
712 description
713 "An arbitrary name for the NETCONF server.";
714 }
715 container endpoints {
716 description
717 "Container for the list of endpoints.";
718 list endpoint {
719 key "name";
720 min-elements 1;
721 ordered-by user;
722 description
723 "A user-ordered list of endpoints that the NETCONF
724 client will attempt to connect to in the specified
725 sequence. Defining more than one enables
726 high-availability.";
727 leaf name {
728 type string;
729 description
730 "An arbitrary name for the endpoint.";
731 }
732 uses netconf-client-initiate-stack-grouping;
733 } // list endpoint
734 } // container endpoints
736 container connection-type {
737 description
738 "Indicates the NETCONF client's preference for how the
739 NETCONF connection is maintained.";
740 choice connection-type {
741 mandatory true;
742 description
743 "Selects between available connection types.";
744 case persistent-connection {
745 container persistent {
746 presence "Indicates that a persistent connection is
747 to be maintained.";
748 description
749 "Maintain a persistent connection to the NETCONF
750 server. If the connection goes down, immediately
751 start trying to reconnect to the NETCONF server,
752 using the reconnection strategy.
754 This connection type minimizes any NETCONF server
755 to NETCONF client data-transfer delay, albeit at
756 the expense of holding resources longer.";
757 }
758 }
759 case periodic-connection {
760 container periodic {
761 presence "Indicates that a periodic connection is
762 to be maintained.";
763 description
764 "Periodically connect to the NETCONF server.
766 This connection type decreases resource
767 utilization, albeit with increased delay in
768 NETCONF server to NETCONF client interactions.
770 The NETCONF client should close the underlying
771 TCP connection upon completing planned activities.
773 In the case that the previous connection is still
774 active, establishing a new connection is NOT
775 RECOMMENDED.";
776 leaf period {
777 type uint16;
778 units "minutes";
779 default "60";
780 description
781 "Duration of time between periodic connections.";
782 }
783 leaf anchor-time {
784 type yang:date-and-time {
785 // constrained to minute-level granularity
786 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
787 + '(Z|[\+\-]\d{2}:\d{2})';
788 }
789 description
790 "Designates a timestamp before or after which a
791 series of periodic connections are determined.
792 The periodic connections occur at a whole
793 multiple interval from the anchor time. For
794 example, for an anchor time of 15 minutes past
795 midnight and a period of 24 hours, a periodic
796 connection will occur 15 minutes past midnight
797 every day.";
798 }
799 leaf idle-timeout {
800 type uint16;
801 units "seconds";
802 default 120; // two minutes
803 description
804 "Specifies the maximum number of seconds that
805 a NETCONF session may remain idle. A NETCONF
806 session will be dropped if it is idle for an
807 interval longer than this number of seconds.
808 If set to zero, then the NETCONF client will
809 never drop a session because it is idle.";
810 }
811 }
813 }
814 }
815 }
816 container reconnect-strategy {
817 description
818 "The reconnection strategy directs how a NETCONF client
819 reconnects to a NETCONF server, after discovering its
820 connection to the server has dropped, even if due to a
821 reboot. The NETCONF client starts with the specified
822 endpoint and tries to connect to it max-attempts times
823 before trying the next endpoint in the list (round
824 robin).";
825 leaf start-with {
826 type enumeration {
827 enum first-listed {
828 description
829 "Indicates that reconnections should start with
830 the first endpoint listed.";
831 }
832 enum last-connected {
833 description
834 "Indicates that reconnections should start with
835 the endpoint last connected to. If no previous
836 connection has ever been established, then the
837 first endpoint configured is used. NETCONF
838 clients SHOULD be able to remember the last
839 endpoint connected to across reboots.";
840 }
841 enum random-selection {
842 description
843 "Indicates that reconnections should start with
844 a random endpoint.";
845 }
846 }
847 default "first-listed";
848 description
849 "Specifies which of the NETCONF server's endpoints
850 the NETCONF client should start with when trying
851 to connect to the NETCONF server.";
852 }
853 leaf max-attempts {
854 type uint8 {
855 range "1..max";
856 }
857 default "3";
858 description
859 "Specifies the number times the NETCONF client tries
860 to connect to a specific endpoint before moving on
861 to the next endpoint in the list (round robin).";
862 }
863 }
864 } // netconf-server
865 } // initiate
867 container listen {
868 if-feature "ssh-listen or tls-listen";
869 presence "Enables client to accept call-home connections";
870 description
871 "Configures client accepting call-home TCP connections.";
872 leaf idle-timeout {
873 type uint16;
874 units "seconds";
875 default "3600"; // one hour
876 description
877 "Specifies the maximum number of seconds that a NETCONF
878 session may remain idle. A NETCONF session will be
879 dropped if it is idle for an interval longer than this
880 number of seconds. If set to zero, then the server
881 will never drop a session because it is idle. Sessions
882 that have a notification subscription active are never
883 dropped.";
884 }
885 list endpoint {
886 key "name";
887 min-elements 1;
888 description
889 "List of endpoints to listen for NETCONF connections.";
890 leaf name {
891 type string;
892 description
893 "An arbitrary name for the NETCONF listen endpoint.";
894 }
895 uses netconf-client-listen-stack-grouping;
896 } // endpoint
897 } // listen
898 } // netconf-client-app-grouping
900 // Protocol accessible node, for servers that implement this
901 // module.
903 container netconf-client {
904 uses netconf-client-app-grouping;
905 description
906 "Top-level container for NETCONF client configuration.";
907 }
908 }
909 <CODE ENDS>
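A worked example, added here and not part of the draft or of any implementation of it, of how a NETCONF client could act on the 'periodic' and 'reconnect-strategy' settings the module above defines: the minute-granularity check on 'anchor-time', the computation of the next periodic connection as a whole multiple of 'period' from the anchor, the endpoint order that 'start-with' and 'max-attempts' produce, and the zero-means-never 'idle-timeout' rule. All function names and the sample endpoint names are this example's own.

```python
"""Added example (not from the draft): acting on 'periodic' and
'reconnect-strategy' settings from the ietf-netconf-client module."""
import random
import re
from datetime import datetime, timedelta

# The module's pattern on the 'anchor-time' leaf, anchored with ^ and $
# because YANG (XSD) patterns are implicitly anchored and Python's are not.
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def _parse_iso(value: str) -> datetime:
    """Parse an RFC 3339 style timestamp. 'Z' is mapped to +00:00 for
    older Pythons; a timestamp without a UTC offset is rejected."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no UTC offset")
    return parsed


def parse_anchor_time(value: str) -> datetime:
    """Validate an anchor-time against the module's pattern, then parse it.
    Values carrying seconds are rejected, as the pattern requires."""
    if not ANCHOR_TIME_RE.match(value):
        raise ValueError(f"anchor-time {value!r} violates the minute-level pattern")
    return _parse_iso(value)


def next_periodic_connection(now_iso: str, anchor_time: str,
                             period_minutes: int = 60) -> str:
    """Return (as an ISO string) the first connection time strictly after
    'now' that lies a whole multiple of 'period' (minutes; module default
    60) away from the anchor. The anchor may be before or after 'now'."""
    if not 1 <= period_minutes <= 65535:  # leaf period is a uint16
        raise ValueError("period must be a positive uint16 number of minutes")
    now = _parse_iso(now_iso)
    anchor = parse_anchor_time(anchor_time)
    period = timedelta(minutes=period_minutes)
    # timedelta // timedelta floors, so this also works for a future anchor.
    candidate = anchor + (now - anchor) // period * period
    if candidate <= now:
        candidate += period
    return candidate.isoformat()


def reconnect_sequence(endpoints, start_with="first-listed", max_attempts=3,
                       last_connected=None, rng=None):
    """Order in which a client following 'reconnect-strategy' tries the
    user-ordered endpoint list: begin at the endpoint chosen by
    'start-with', try it max-attempts times, then round robin through the
    rest. Returns one full round as (endpoint-name, attempt) pairs."""
    if not endpoints:
        raise ValueError("list endpoint has min-elements 1")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is a uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # Fall back to the first endpoint when no previous connection exists.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value {start_with!r}")
    order = endpoints[start:] + endpoints[:start]
    return [(name, n) for name in order for n in range(1, max_attempts + 1)]


def idle_session_expired(idle_seconds: int, idle_timeout: int) -> bool:
    """Apply the idle-timeout rule: zero means never drop an idle session."""
    return idle_timeout != 0 and idle_seconds > idle_timeout


if __name__ == "__main__":
    # The module's own illustration: anchor 15 minutes past midnight,
    # period of 24 hours (1440 minutes); 'now' is a constructed sample.
    print(next_periodic_connection("2019-11-05T10:00Z", "2019-11-02T00:15Z", 1440))
    sample = ["corp-fw1.example.com", "corp-fw2.example.com"]  # constructed
    for name, attempt in reconnect_sequence(sample, "last-connected", 3,
                                            last_connected=sample[1]):
        print(name, attempt)
```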
911 4. The NETCONF Server Model
913 The NETCONF server model presented in this section supports both
914 listening for connections and initiating call-home
915 connections, using either the SSH or TLS transport protocol.
917 YANG feature statements are used to enable implementations to
918 advertise which potentially uncommon parts of the model the NETCONF
919 server supports.
921 4.1. Tree Diagram
923 The following tree diagram [RFC8340] provides an overview of the data
924 model for the "ietf-netconf-server" module.
926 This tree diagram only shows the nodes defined in this module; it
927 does not show the nodes defined by "grouping" statements used by this
928 module.
930 Please see Appendix A.2 for a tree diagram that illustrates what the
931 module looks like with all the "grouping" statements expanded.
933 module: ietf-netconf-server
934 +--rw netconf-server
935 +---u netconf-server-app-grouping
937 grouping netconf-server-grouping
938 +-- client-identification
939 +-- cert-maps
940 +---u x509c2n:cert-to-name
941 grouping netconf-server-listen-stack-grouping
942 +-- (transport)
943 +--:(ssh) {ssh-listen}?
944 | +-- ssh
945 | +-- tcp-server-parameters
946 | | +---u tcps:tcp-server-grouping
947 | +-- ssh-server-parameters
948 | | +---u sshs:ssh-server-grouping
949 | +-- netconf-server-parameters
950 | +---u ncs:netconf-server-grouping
951 +--:(tls) {tls-listen}?
952 +-- tls
953 +-- tcp-server-parameters
954 | +---u tcps:tcp-server-grouping
955 +-- tls-server-parameters
956 | +---u tlss:tls-server-grouping
957 +-- netconf-server-parameters
958 +---u ncs:netconf-server-grouping
959 grouping netconf-server-callhome-stack-grouping
960 +-- (transport)
961 +--:(ssh) {ssh-call-home}?
962 | +-- ssh
963 | +-- tcp-client-parameters
964 | | +---u tcpc:tcp-client-grouping
965 | +-- ssh-server-parameters
966 | | +---u sshs:ssh-server-grouping
967 | +-- netconf-server-parameters
968 | +---u ncs:netconf-server-grouping
969 +--:(tls) {tls-call-home}?
970 +-- tls
971 +-- tcp-client-parameters
972 | +---u tcpc:tcp-client-grouping
973 +-- tls-server-parameters
974 | +---u tlss:tls-server-grouping
975 +-- netconf-server-parameters
976 +---u ncs:netconf-server-grouping
977 grouping netconf-server-app-grouping
978 +-- listen! {ssh-listen or tls-listen}?
979 | +-- idle-timeout? uint16
980 | +-- endpoint* [name]
981 | +-- name? string
982 | +---u netconf-server-listen-stack-grouping
983 +-- call-home! {ssh-call-home or tls-call-home}?
984 +-- netconf-client* [name]
985 +-- name? string
986 +-- endpoints
987 | +-- endpoint* [name]
988 | +-- name? string
989 | +---u netconf-server-callhome-stack-grouping
990 +-- connection-type
991 | +-- (connection-type)
992 | +--:(persistent-connection)
993 | | +-- persistent!
994 | +--:(periodic-connection)
995 | +-- periodic!
996 | +-- period? uint16
997 | +-- anchor-time? yang:date-and-time
998 | +-- idle-timeout? uint16
999 +-- reconnect-strategy
1000 +-- start-with? enumeration
1001 +-- max-attempts? uint8
1003 4.2. Example Usage
1005 The following example illustrates configuring a NETCONF server to
1006 listen for NETCONF client connections using both the SSH and TLS
1007 transport protocols, as well as configuring call-home to two NETCONF
1008 clients, one using SSH and the other using TLS.
1010 This example is consistent with the examples presented in Section 2
1011 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
1012 [I-D.ietf-netconf-keystore].
1014 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
[The XML markup of this example did not survive extraction; only the
element values remain. In document order they are:

Listen endpoint "netconf/ssh": 192.0.2.7; "deployment-specific-
certificate"; rsa2048; two "base64encodedvalue==" values.

Listen endpoint "netconf/tls": 192.0.2.7; rsa2048; three
"base64encodedvalue==" values; truststore-reference values
"explicitly-trusted-client-ca-certs" and
"explicitly-trusted-client-certs"; cert-to-name entries with id 1,
fingerprint 11:0A:05:11:00, map-type x509c2n:specified, name
"scooby-doo", and id 2, map-type x509c2n:san-any.

Call-home client "config-mgr": endpoints "east-data-center"
(east.config-mgr.example.com) and "west-data-center"
(west.config-mgr.example.com), each with
"deployment-specific-certificate", rsa2048 and two
"base64encodedvalue==" values; then the values 300 and 60;
reconnect strategy start-with last-connected, 3.

Call-home client "data-collector": endpoints "east-data-center"
(east.analytics.example.com) and "west-data-center"
(west.analytics.example.com), each with the values 15, 3, 30;
rsa2048 and three "base64encodedvalue==" values; truststore-reference
values "explicitly-trusted-client-ca-certs" and
"explicitly-trusted-client-certs"; the values 30 and 3; cert-to-name
entries with id 1, fingerprint 11:0A:05:11:00, map-type
x509c2n:specified, name "scooby-doo", and id 2, map-type
x509c2n:san-any; reconnect strategy start-with first-listed, 3.]
1308 4.3. YANG Module
1310 This YANG module has normative references to [RFC6242], [RFC6991],
1311 [RFC7407], [RFC7589], [RFC8071],
1312 [I-D.kwatsen-netconf-tcp-client-server],
1313 [I-D.ietf-netconf-ssh-client-server], and
1314 [I-D.ietf-netconf-tls-client-server].
1316 file "ietf-netconf-server@2019-11-02.yang"
1318 module ietf-netconf-server {
1319 yang-version 1.1;
1320 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
1321 prefix ncs;
1323 import ietf-yang-types {
1324 prefix yang;
1325 reference
1326 "RFC 6991: Common YANG Data Types";
1327 }
1329 import ietf-x509-cert-to-name {
1330 prefix x509c2n;
1331 reference
1332 "RFC 7407: A YANG Data Model for SNMP Configuration";
1333 }
1335 import ietf-tcp-client {
1336 prefix tcpc;
1337 reference
1338 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1339 }
1341 import ietf-tcp-server {
1342 prefix tcps;
1343 reference
1344 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1345 }
1347 import ietf-ssh-server {
1348 prefix sshs;
1349 revision-date 2019-11-02; // stable grouping definitions
1350 reference
1351 "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers";
1352 }
1354 import ietf-tls-server {
1355 prefix tlss;
1356 revision-date 2019-11-02; // stable grouping definitions
1357 reference
1358 "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers";
1359 }
1361 organization
1362 "IETF NETCONF (Network Configuration) Working Group";
1364 contact
1365 "WG Web:
1366 WG List:
1367 Author: Kent Watsen
1368 Author: Gary Wu
1369 Author: Juergen Schoenwaelder
1370 ";
1372 description
1373 "This module contains a collection of YANG definitions
1374 for configuring NETCONF servers.
1376 Copyright (c) 2019 IETF Trust and the persons identified
1377 as authors of the code. All rights reserved.
1379 Redistribution and use in source and binary forms, with
1380 or without modification, is permitted pursuant to, and
1381 subject to the license terms contained in, the Simplified
1382 BSD License set forth in Section 4.c of the IETF Trust's
1383 Legal Provisions Relating to IETF Documents
1384 (https://trustee.ietf.org/license-info).
1386 This version of this YANG module is part of RFC XXXX
1387 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1388 itself for full legal notices.
1389 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1390 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1391 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1392 are to be interpreted as described in BCP 14 (RFC 2119)
1393 (RFC 8174) when, and only when, they appear in all
1394 capitals, as shown here.";
1396 revision 2019-11-02 {
1397 description
1398 "Initial version";
1399 reference
1400 "RFC XXXX: NETCONF Client and Server Models";
1401 }
1403 // Features
1405 feature ssh-listen {
1406 description
1407 "The 'ssh-listen' feature indicates that the NETCONF server
1408 supports opening a port to accept NETCONF over SSH
1409 client connections.";
1410 reference
1411 "RFC 6242:
1412 Using the NETCONF Protocol over Secure Shell (SSH)";
1413 }
1415 feature tls-listen {
1416 description
1417 "The 'tls-listen' feature indicates that the NETCONF server
1418 supports opening a port to accept NETCONF over TLS
1419 client connections.";
1420 reference
1421 "RFC 7589: Using the NETCONF Protocol over Transport
1422 Layer Security (TLS) with Mutual X.509
1423 Authentication";
1424 }
1426 feature ssh-call-home {
1427 description
1428 "The 'ssh-call-home' feature indicates that the NETCONF
1429 server supports initiating a NETCONF over SSH call
1430 home connection to NETCONF clients.";
1431 reference
1432 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1433 }
1435 feature tls-call-home {
1436 description
1437 "The 'tls-call-home' feature indicates that the NETCONF
1438 server supports initiating a NETCONF over TLS call
1439 home connection to NETCONF clients.";
1440 reference
1441 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1442 }
1444 // Groupings
1446 grouping netconf-server-grouping {
1447 description
1448 "A reusable grouping for configuring a NETCONF server
1449 without any consideration for how underlying transport
1450 sessions are established.
1452 Note that this grouping uses a fairly typical descendant
1453 node name such that a stack of 'uses' statements will
1454 have name conflicts. It is intended that the consuming
1455 data model will resolve the issue by wrapping the 'uses'
1456 statement in a container called, e.g.,
1457 'netconf-server-parameters'. This model purposely does
1458 not do this itself so as to provide maximum flexibility
1459 to consuming models.";
1461 container client-identification {
1462 description
1463 "Specifies a mapping through which clients MAY be identified
1464 (i.e., the NETCONF username) from a supplied certificate.
1465 Note that a client MAY alternatively be identified via an
1466 alternate authentication scheme.";
1467 container cert-maps {
1468 when "../../../../tls";
1469 uses x509c2n:cert-to-name {
1470 refine "cert-to-name/fingerprint" {
1471 mandatory false;
1472 description
1473 "A 'fingerprint' value does not need to be specified
1474 when the 'cert-to-name' mapping is independent of
1475 fingerprint matching. A 'cert-to-name' having no
1476 fingerprint value will match any client certificate
1477 and therefore should only be present at the end of
1478 the user-ordered 'cert-to-name' list.";
1479 }
1480 }
1481 description
1482 "The cert-maps container is used by TLS-based NETCONF
1483 servers (even if the TLS sessions are terminated
1484 externally) to map the NETCONF client's presented
1485 X.509 certificate to a NETCONF username. If no
1486 matching and valid cert-to-name list entry can be
1487 found, then the NETCONF server MUST close the
1488 connection, and MUST NOT accept NETCONF messages
1489 over it.";
1490 reference
1491 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1492 }
1493 }
1494 }
1496 grouping netconf-server-listen-stack-grouping {
1497 description
1498 "A reusable grouping for configuring a NETCONF server
1499 'listen' protocol stack for a single connection.";
1500 choice transport {
1501 mandatory true;
1502 description
1503 "Selects between available transports.";
1504 case ssh {
1505 if-feature "ssh-listen";
1506 container ssh {
1507 description
1508 "SSH-specific listening configuration for inbound
1509 connections.";
1510 container tcp-server-parameters {
1511 description
1512 "A wrapper around the TCP server parameters
1513 to avoid name collisions.";
1514 uses tcps:tcp-server-grouping {
1515 refine "local-port" {
1516 default "830";
1517 description
1518 "The NETCONF server will listen on the
1519 IANA-assigned well-known port value
1520 for 'netconf-ssh' (830) if no value
1521 is specified.";
1522 }
1523 }
1524 }
1525 container ssh-server-parameters {
1526 description
1527 "A wrapper around the SSH server parameters
1528 to avoid name collisions.";
1529 uses sshs:ssh-server-grouping;
1530 }
1531 container netconf-server-parameters {
1532 description
1533 "A wrapper around the NETCONF server parameters
1534 to avoid name collisions.";
1535 uses ncs:netconf-server-grouping;
1536 }
1537 }
1538 }
1539 case tls {
1540 if-feature "tls-listen";
1541 container tls {
1542 description
1543 "TLS-specific listening configuration for inbound
1544 connections.";
1545 container tcp-server-parameters {
1546 description
1547 "A wrapper around the TCP server parameters
1548 to avoid name collisions.";
1549 uses tcps:tcp-server-grouping {
1550 refine "local-port" {
1551 default "6513";
1552 description
1553 "The NETCONF server will listen on the
1554 IANA-assigned well-known port value
1555 for 'netconf-tls' (6513) if no value
1556 is specified.";
1557 }
1558 }
1559 }
1560 container tls-server-parameters {
1561 description
1562 "A wrapper around the TLS server parameters to
1563 avoid name collisions.";
1564 uses tlss:tls-server-grouping; /* {
1565 FIXME: commented out since auth could also be external.
1566 ^-- need a better 'must' expression?
1567 refine "client-authentication" {
1568 must 'ca-certs or client-certs';
1569 description
1570 "NETCONF/TLS servers MUST validate client
1571 certificates.";
1572 }
1573 }*/
1574 }
1575 container netconf-server-parameters {
1576 description
1577 "A wrapper around the NETCONF server parameters
1578 to avoid name collisions.";
1579 uses ncs:netconf-server-grouping;
1580 }
1582 }
1583 }
1584 }
1585 }
1587 grouping netconf-server-callhome-stack-grouping {
1588 description
1589 "A reusable grouping for configuring a NETCONF server
1590 'call-home' protocol stack, for a single connection.";
1591 choice transport {
1592 mandatory true;
1593 description
1594 "Selects between available transports.";
1595 case ssh {
1596 if-feature "ssh-call-home";
1597 container ssh {
1598 description
1599 "Specifies SSH-specific call-home transport
1600 configuration.";
1601 container tcp-client-parameters {
1602 description
1603 "A wrapper around the TCP client parameters
1604 to avoid name collisions.";
1605 uses tcpc:tcp-client-grouping {
1606 refine "remote-port" {
1607 default "4334";
1608 description
1609 "The NETCONF server will attempt to connect
1610 to the IANA-assigned well-known port for
1611 'netconf-ch-ssh' (4334) if no value is
1612 specified.";
1613 }
1614 }
1615 }
1616 container ssh-server-parameters {
1617 description
1618 "A wrapper around the SSH server parameters
1619 to avoid name collisions.";
1620 uses sshs:ssh-server-grouping;
1621 }
1622 container netconf-server-parameters {
1623 description
1624 "A wrapper around the NETCONF server parameters
1625 to avoid name collisions.";
1626 uses ncs:netconf-server-grouping;
1627 }
1628 }
1629 }
1630 case tls {
1631 if-feature "tls-call-home";
1632 container tls {
1633 description
1634 "Specifies TLS-specific call-home transport
1635 configuration.";
1636 container tcp-client-parameters {
1637 description
1638 "A wrapper around the TCP client parameters
1639 to avoid name collisions.";
1640 uses tcpc:tcp-client-grouping {
1641 refine "remote-port" {
1642 default "4335";
1643 description
1644 "The NETCONF server will attempt to connect
1645 to the IANA-assigned well-known port for
1646 'netconf-ch-tls' (4335) if no value is
1647 specified.";
1648 }
1649 }
1650 }
1651 container tls-server-parameters {
1652 description
1653 "A wrapper around the TLS server parameters to
1654 avoid name collisions.";
1655 uses tlss:tls-server-grouping; /* {
1656 FIXME: commented out since auth could also be external.
1657 ^-- need a better 'must' expression?
1658 refine "client-authentication" {
1659 must 'ca-certs or client-certs';
1660 description
1661 "NETCONF/TLS servers MUST validate client
1662 certificates.";
1663 }
1664 }*/
1665 }
1666 container netconf-server-parameters {
1667 description
1668 "A wrapper around the NETCONF server parameters
1669 to avoid name collisions.";
1670 uses ncs:netconf-server-grouping;
1671 }
1672 }
1673 }
1674 }
1675 }
1677 grouping netconf-server-app-grouping {
1678 description
1679 "A reusable grouping for configuring a NETCONF server
1680 application that supports both 'listen' and 'call-home'
1681 protocol stacks for a multiplicity of connections.";
1682 container listen {
1683 if-feature "ssh-listen or tls-listen";
1684 presence
1685 "Enables server to listen for NETCONF client connections.";
1686 description
1687 "Configures listen behavior";
1688 leaf idle-timeout {
1689 type uint16;
1690 units "seconds";
1691 default 3600; // one hour
1692 description
1693 "Specifies the maximum number of seconds that a NETCONF
1694 session may remain idle. A NETCONF session will be
1695 dropped if it is idle for an interval longer than this
1696 number of seconds. If set to zero, then the server
1697 will never drop a session because it is idle. Sessions
1698 that have a notification subscription active are never
1699 dropped.";
1700 }
1701 list endpoint {
1702 key "name";
1703 min-elements 1;
1704 description
1705 "List of endpoints to listen for NETCONF connections.";
1706 leaf name {
1707 type string;
1708 description
1709 "An arbitrary name for the NETCONF listen endpoint.";
1710 }
1711 uses netconf-server-listen-stack-grouping;
1712 }
1713 }
1714 container call-home {
1715 if-feature "ssh-call-home or tls-call-home";
1716 presence
1717 "Enables the NETCONF server to initiate the underlying
1718 transport connection to NETCONF clients.";
1719 description "Configures call home behavior.";
1720 list netconf-client {
1721 key "name";
1722 min-elements 1;
1723 description
1724 "List of NETCONF clients the NETCONF server is to
1725 maintain simultaneous call-home connections with.";
1727 leaf name {
1728 type string;
1729 description
1730 "An arbitrary name for the remote NETCONF client.";
1731 }
1732 container endpoints {
1733 description
1734 "Container for the list of endpoints.";
1735 list endpoint {
1736 key "name";
1737 min-elements 1;
1738 ordered-by user;
1739 description
1740 "A non-empty user-ordered list of endpoints for this
1741 NETCONF server to try to connect to in sequence.
1742 Defining more than one enables high-availability.";
1743 leaf name {
1744 type string;
1745 description
1746 "An arbitrary name for this endpoint.";
1747 }
1748 uses netconf-server-callhome-stack-grouping;
1749 }
1750 }
1751 container connection-type {
1752 description
1753 "Indicates the NETCONF server's preference for how the
1754 NETCONF connection is maintained.";
1755 choice connection-type {
1756 mandatory true;
1757 description
1758 "Selects between available connection types.";
1759 case persistent-connection {
1760 container persistent {
1761 presence "Indicates that a persistent connection is
1762 to be maintained.";
1763 description
1764 "Maintain a persistent connection to the NETCONF
1765 client. If the connection goes down, immediately
1766 start trying to reconnect to the NETCONF client,
1767 using the reconnection strategy.
1769 This connection type minimizes any NETCONF client
1770 to NETCONF server data-transfer delay, albeit at
1771 the expense of holding resources longer.";
1772 }
1773 }
1774 case periodic-connection {
1775 container periodic {
1776 presence "Indicates that a periodic connection is
1777 to be maintained.";
1778 description
1779 "Periodically connect to the NETCONF client.
1781 This connection type decreases resource
1782 utilization, albeit with increased delay in
1783 NETCONF client to NETCONF server interactions.
1785 The NETCONF client SHOULD gracefully close the
1786 connection using upon completing
1787 planned activities. If the NETCONF session is
1788 not closed gracefully, the NETCONF server MUST
1789 immediately attempt to reestablish the connection.
1791 In the case that the previous connection is still
1792 active (i.e., the NETCONF client has not closed
1793 it yet), establishing a new connection is NOT
1794 RECOMMENDED.";
1795 leaf period {
1796 type uint16;
1797 units "minutes";
1798 default "60";
1799 description
1800 "Duration of time between periodic connections.";
1801 }
1802 leaf anchor-time {
1803 type yang:date-and-time {
1804 // constrained to minute-level granularity
1805 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1806 + '(Z|[\+\-]\d{2}:\d{2})';
1807 }
1808 description
1809 "Designates a timestamp before or after which a
1810 series of periodic connections are determined.
1811 The periodic connections occur at a whole
1812 multiple interval from the anchor time. For
1813 example, if the anchor time is 15 minutes past
1814 midnight and the period is 24 hours, then a
1815 periodic connection will occur at 15 minutes past
1816 midnight every day.";
1817 }
1818 leaf idle-timeout {
1819 type uint16;
1820 units "seconds";
1821 default 120; // two minutes
1822 description
1823 "Specifies the maximum number of seconds that
1824 a NETCONF session may remain idle. A NETCONF
1825 session will be dropped if it is idle for an
1826 interval longer than this number of seconds.
1827 If set to zero, then the server will never
1828 drop a session because it is idle.";
1829 }
1830 }
1831 } // case periodic-connection
1832 } // choice connection-type
1833 } // container connection-type
1834 container reconnect-strategy {
1835 description
1836 "The reconnection strategy directs how a NETCONF server
1837 reconnects to a NETCONF client, after discovering its
1838 connection to the client has dropped, even if due to a
1839 reboot. The NETCONF server starts with the specified
1840 endpoint and tries to connect to it max-attempts times
1841 before trying the next endpoint in the list (round
1842 robin).";
1843 leaf start-with {
1844 type enumeration {
1845 enum first-listed {
1846 description
1847 "Indicates that reconnections should start with
1848 the first endpoint listed.";
1849 }
1850 enum last-connected {
1851 description
1852 "Indicates that reconnections should start with
1853 the endpoint last connected to. If no previous
1854 connection has ever been established, then the
1855 first endpoint configured is used. NETCONF
1856 servers SHOULD be able to remember the last
1857 endpoint connected to across reboots.";
1858 }
1859 enum random-selection {
1860 description
1861 "Indicates that reconnections should start with
1862 a random endpoint.";
1863 }
1864 }
1865 default "first-listed";
1866 description
1867 "Specifies which of the NETCONF client's endpoints
1868 the NETCONF server should start with when trying
1869 to connect to the NETCONF client.";
1870 }
1871 leaf max-attempts {
1872 type uint8 {
1873 range "1..max";
1874 }
1875 default "3";
1876 description
1877 "Specifies the number of times the NETCONF server tries
1878 to connect to a specific endpoint before moving on
1879 to the next endpoint in the list (round robin).";
1880 }
1881 } // container reconnect-strategy
1882 } // list netconf-client
1883 } // container call-home
1884 } // grouping netconf-server-app-grouping
1886 // Protocol accessible node, for servers that implement this
1887 // module.
1889 container netconf-server {
1890 uses netconf-server-app-grouping;
1891 description
1892 "Top-level container for NETCONF server configuration.";
1893 }
1894 }
1896
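The 'client-identification/cert-maps' container in the module above requires a TLS-based NETCONF server to derive the NETCONF username from the client's X.509 certificate and to close the connection when no valid cert-to-name entry matches. As an added example (not code from the draft or from any NETCONF implementation), the following Python walks a user-ordered cert-to-name list with the RFC 7407 map-types. It assumes the certificate has already been parsed into a small record whose fingerprint is precomputed in the colon-separated hex form the draft's example uses, matches the fingerprint only against the presented end-entity certificate rather than the whole chain, and skips an entry whose map-type yields no name; the record and function names are the example's own, and the two list entries are the ones from the draft's example.

```python
"""Deriving a NETCONF username from a TLS client's certificate with the
x509c2n:cert-to-name list used by 'client-identification/cert-maps' in the
module above (added example; not code from the draft or an implementation).
The certificate is a constructed record whose fingerprint is assumed to be
precomputed in the colon-separated hex form the draft's example uses; only
the presented end-entity certificate is matched against the fingerprint,
not the rest of the chain."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ClientCert:
    fingerprint: str                          # e.g. "11:0A:05:11:00"
    common_name: Optional[str] = None
    # subjectAltName entries as (type, value), in certificate order.
    san: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class CertToName:
    id: int
    map_type: str                      # identityref, e.g. "x509c2n:specified"
    fingerprint: Optional[str] = None  # optional after the refine in the module
    name: Optional[str] = None         # consulted only by x509c2n:specified


# Which subjectAltName types each SAN-based map-type may draw a name from.
SAN_MAP_TYPES = {
    "x509c2n:san-rfc822-name": ("rfc822Name",),
    "x509c2n:san-dns-name": ("dNSName",),
    "x509c2n:san-ip-address": ("iPAddress",),
    "x509c2n:san-any": ("rfc822Name", "dNSName", "iPAddress"),
}

# The two entries from the draft's example: a specific certificate gets the
# fixed username 'scooby-doo'; the catch-all entry (no fingerprint) comes
# last, as the module's refine text requires.
EXAMPLE_CERT_MAPS = [
    CertToName(1, "x509c2n:specified", "11:0A:05:11:00", "scooby-doo"),
    CertToName(2, "x509c2n:san-any"),
]


def derive_name(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Apply one entry's map-type; None when it yields no name."""
    if entry.map_type == "x509c2n:specified":
        return entry.name
    if entry.map_type == "x509c2n:common-name":
        return cert.common_name
    wanted = SAN_MAP_TYPES.get(entry.map_type)
    if wanted is None:
        raise ValueError(f"unsupported map-type: {entry.map_type!r}")
    for kind, value in cert.san:       # the first matching SAN wins
        if kind in wanted:
            return value
    return None


def netconf_username(cert_maps: List[CertToName],
                     cert: ClientCert) -> Optional[str]:
    """Walk the user-ordered list.  An entry applies when its fingerprint equals
    the certificate's (compared case-insensitively) or when it has none; an
    entry whose map-type yields nothing is skipped (assumed here).  None means
    no usable mapping: the module says the server MUST then close the
    connection and MUST NOT accept NETCONF messages over it."""
    for entry in cert_maps:
        if entry.fingerprint is not None and \
                entry.fingerprint.upper() != cert.fingerprint.upper():
            continue
        name = derive_name(entry, cert)
        if name:
            return name
    return None


def accept_client(cert_maps: List[CertToName],
                  cert: ClientCert) -> Tuple[bool, Optional[str]]:
    """(accepted, username): the server's decision at session setup."""
    name = netconf_username(cert_maps, cert)
    return (name is not None, name)
```

The order of the list is the security-relevant detail: a 'san-any' entry without a fingerprint matches every client certificate that carries a usable subjectAltName, so placing it anywhere but last would shadow the fingerprint-specific entries after it and hand those clients a name taken from their own certificate instead of the administrator's chosen one.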
1898 5. Security Considerations
1900 The YANG module defined in this document uses groupings defined in
1901 [I-D.kwatsen-netconf-tcp-client-server],
1902 [I-D.ietf-netconf-ssh-client-server], and
1903 [I-D.ietf-netconf-tls-client-server]. Please see the Security
1904 Considerations section in those documents for concerns related to
1905 those groupings.
1907 The YANG modules defined in this document are designed to be accessed
1908 via YANG-based management protocols, such as NETCONF [RFC6241] and
1909 RESTCONF [RFC8040]. Both of these protocols have
1910 mandatory-to-implement secure transport layers (e.g., SSH, TLS) with
1911 mutual authentication.
1913 The NETCONF access control model (NACM) [RFC8341] provides the means
1914 to restrict access for particular users to a pre-configured subset of
1915 all available protocol operations and content.
1917 There are a number of data nodes defined in the YANG modules that are
1918 writable/creatable/deletable (i.e., config true, which is the
1919 default). Some of these data nodes may be considered sensitive or
1920 vulnerable in some network environments. Write operations (e.g.,
1921 edit-config) to these data nodes without proper protection can have a
1922 negative effect on network operations. These are the subtrees and
1923 data nodes and their sensitivity/vulnerability:
1925 None of the subtrees or data nodes in the modules defined in this
1926 document need to be protected from write operations.
1928 Some of the readable data nodes in the YANG modules may be considered
1929 sensitive or vulnerable in some network environments. It is thus
1930 important to control read access (e.g., via get, get-config, or
1931 notification) to these data nodes. These are the subtrees and data
1932 nodes and their sensitivity/vulnerability:
1934 None of the subtrees or data nodes in the modules defined in this
1935 document need to be protected from read operations.
1937 Some of the RPC operations in the YANG modules may be considered
1938 sensitive or vulnerable in some network environments. It is thus
1939 important to control access to these operations. These are the
1940 operations and their sensitivity/vulnerability:
1942 The modules defined in this document do not define any 'RPC' or
1943 'action' statements.
1945 6. IANA Considerations
1947 6.1. The IETF XML Registry
1949 This document registers two URIs in the "ns" subregistry of the IETF
1950 XML Registry [RFC3688]. Following the format in [RFC3688], the
1951 following registrations are requested:
1953 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1954 Registrant Contact: The NETCONF WG of the IETF.
1955 XML: N/A, the requested URI is an XML namespace.
1957 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1958 Registrant Contact: The NETCONF WG of the IETF.
1959 XML: N/A, the requested URI is an XML namespace.
1961 6.2. The YANG Module Names Registry
1963 This document registers two YANG modules in the YANG Module Names
1964 registry [RFC6020]. Following the format in [RFC6020], the
1965 following registrations are requested:
1967 name: ietf-netconf-client
1968 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client
1969 prefix: ncc
1970 reference: RFC XXXX
1972 name: ietf-netconf-server
1973 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server
1974 prefix: ncs
1975 reference: RFC XXXX
1977 7. References
1979 7.1. Normative References
1981 [I-D.ietf-netconf-keystore]
1982 Watsen, K., "A YANG Data Model for a Keystore", draft-
1983 ietf-netconf-keystore-13 (work in progress), October 2019.
1985 [I-D.ietf-netconf-ssh-client-server]
1986 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH
1987 Clients and SSH Servers", draft-ietf-netconf-ssh-client-
1988 server-15 (work in progress), October 2019.
1990 [I-D.ietf-netconf-tls-client-server]
1991 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1992 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1993 server-15 (work in progress), October 2019.
1995 [I-D.kwatsen-netconf-tcp-client-server]
1996 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1997 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1998 server-02 (work in progress), April 2019.
2000 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2001 Requirement Levels", BCP 14, RFC 2119,
2002 DOI 10.17487/RFC2119, March 1997,
2003 .
2005 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
2006 the Network Configuration Protocol (NETCONF)", RFC 6020,
2007 DOI 10.17487/RFC6020, October 2010,
2008 .
2010 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
2011 and A. Bierman, Ed., "Network Configuration Protocol
2012 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
2013 .
2015 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
2016 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
2017 .
2019 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
2020 RFC 6991, DOI 10.17487/RFC6991, July 2013,
2021 .
2023 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
2024 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
2025 December 2014, .
2027 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
2028 NETCONF Protocol over Transport Layer Security (TLS) with
2029 Mutual X.509 Authentication", RFC 7589,
2030 DOI 10.17487/RFC7589, June 2015,
2031 .
2033 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
2034 RFC 7950, DOI 10.17487/RFC7950, August 2016,
2035 .
2037 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2038 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
2039 May 2017, .
2041 7.2. Informative References
2043 [I-D.ietf-netconf-trust-anchors]
2044 Watsen, K., "A YANG Data Model for a Truststore", draft-
2045 ietf-netconf-trust-anchors-06 (work in progress), October
2046 2019.
2048 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
2049 DOI 10.17487/RFC3688, January 2004,
2050 .
2052 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
2053 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
2054 .
2056 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
2057 RFC 8071, DOI 10.17487/RFC8071, February 2017,
2058 .
2060 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
2061 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
2062 .
2064 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
2065 Access Control Model", STD 91, RFC 8341,
2066 DOI 10.17487/RFC8341, March 2018,
2067 .
2069 Appendix A. Expanded Tree Diagrams
2071 A.1. Expanded Tree Diagram for 'ietf-netconf-client'
2073 The following tree diagram [RFC8340] provides an overview of the data
2074 model for the "ietf-netconf-client" module.
2076 This tree diagram shows all the nodes defined in this module,
2077 including those defined by "grouping" statements used by this module.
2079 Please see Section 3.1 for a tree diagram that illustrates what the
2080 module looks like without all the "grouping" statements expanded.
2082 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
2084 module: ietf-netconf-client
2085 +--rw netconf-client
2086 +--rw initiate! {ssh-initiate or tls-initiate}?
2087 | +--rw netconf-server* [name]
2088 | +--rw name string
2089 | +--rw endpoints
2090 | | +--rw endpoint* [name]
2091 | | +--rw name string
2092 | | +--rw (transport)
2093 | | +--:(ssh) {ssh-initiate}?
2094 | | | +--rw ssh
2095 | | | +--rw tcp-client-parameters
2096 | | | | +--rw remote-address inet:host
2097 | | | | +--rw remote-port? inet:port-number
2098 | | | | +--rw local-address? inet:ip-address
2099 | | | | | {local-binding-supported}?
2100 | | | | +--rw local-port? inet:port-number
2101 | | | | | {local-binding-supported}?
2102 | | | | +--rw keepalives!
2103 | | | | {keepalives-supported}?
2104 | | | | +--rw idle-time uint16
2105 | | | | +--rw max-probes uint16
2106 | | | | +--rw probe-interval uint16
2107 | | | +--rw ssh-client-parameters
2108 | | | | +--rw client-identity
2109 | | | | | +--rw username? string
2110 | | | | | +--rw (auth-type)
2111 | | | | | +--:(password)
2112 | | | | | | +--rw password? string
2113 | | | | | +--:(public-key)
2114 | | | | | | +--rw public-key
2115 | | | | | | +--rw (local-or-keystore)
2116 | | | | | | +--:(local)
2117 | | | | | | | {local-definiti\
2118 \ons-supported}?
2119 | | | | | | | +--rw local-definition
2120 | | | | | | | +--rw algorithm
2121 | | | | | | | | iasa:asymm\
2122 \etric-algorithm-type
2123 | | | | | | | +--rw public-key-f\
2124 \ormat?
2125 | | | | | | | | identityref
2126 | | | | | | | +--rw public-key
2127 | | | | | | | | binary
2128 | | | | | | | +--rw private-key-\
2129 \format?
2130 | | | | | | | | identityref
2131 | | | | | | | +--rw (private-key\
2132 \-type)
2133 | | | | | | | +--:(private-ke\
2134 \y)
2135 | | | | | | | | +--rw privat\
2136 \e-key?
2137 | | | | | | | | bina\
2138 \ry
2139 | | | | | | | +--:(hidden-pri\
2140 \vate-key)
2141 | | | | | | | | +--rw hidden\
2142 \-private-key?
2143 | | | | | | | | empty
2144 | | | | | | | +--:(encrypted-\
2145 \private-key)
2146 | | | | | | | +--rw encryp\
2147 \ted-private-key
2148 | | | | | | | +--rw (ke\
2149 \y-type)
2150 | | | | | | | | +--:(s\
2151 \ymmetric-key-ref)
2152 | | | | | | | | | +--\
2153 \rw symmetric-key-ref? leafref
2154 | | | | | | | | | \
2155 \ {keystore-supported}?
2156 | | | | | | | | +--:(a\
2157 \symmetric-key-ref)
2158 | | | | | | | | +--\
2159 \rw asymmetric-key-ref? leafref
2160 | | | | | | | | \
2161 \ {keystore-supported}?
2162 | | | | | | | +--rw val\
2163 \ue?
2164 | | | | | | | b\
2166 \inary
2167 | | | | | | +--:(keystore)
2168 | | | | | | {keystore-suppo\
2169 \rted}?
2170 | | | | | | +--rw keystore-refere\
2171 \nce?
2172 | | | | | | ks:asymmetric\
2173 \-key-ref
2174 | | | | | +--:(certificate)
2175 | | | | | +--rw certificate
2176 | | | | | {sshcmn:ssh-x509-certs\
2177 \}?
2178 | | | | | +--rw (local-or-keystore)
2179 | | | | | +--:(local)
2180 | | | | | | {local-definiti\
2181 \ons-supported}?
2182 | | | | | | +--rw local-definition
2183 | | | | | | +--rw algorithm
2184 | | | | | | | iasa:asymm\
2185 \etric-algorithm-type
2186 | | | | | | +--rw public-key-f\
2187 \ormat?
2188 | | | | | | | identityref
2189 | | | | | | +--rw public-key
2190 | | | | | | | binary
2191 | | | | | | +--rw private-key-\
2192 \format?
2193 | | | | | | | identityref
2194 | | | | | | +--rw (private-key\
2195 \-type)
2196 | | | | | | | +--:(private-ke\
2197 \y)
2198 | | | | | | | | +--rw privat\
2199 \e-key?
2200 | | | | | | | | bina\
2201 \ry
2202 | | | | | | | +--:(hidden-pri\
2203 \vate-key)
2204 | | | | | | | | +--rw hidden\
2205 \-private-key?
2206 | | | | | | | | empty
2207 | | | | | | | +--:(encrypted-\
2208 \private-key)
2209 | | | | | | | +--rw encryp\
2210 \ted-private-key
2211 | | | | | | | +--rw (ke\
2212 \y-type)
2213 | | | | | | | | +--:(s\
2215 \ymmetric-key-ref)
2216 | | | | | | | | | +--\
2217 \rw symmetric-key-ref? leafref
2218 | | | | | | | | | \
2219 \ {keystore-supported}?
2220 | | | | | | | | +--:(a\
2221 \symmetric-key-ref)
2222 | | | | | | | | +--\
2223 \rw asymmetric-key-ref? leafref
2224 | | | | | | | | \
2225 \ {keystore-supported}?
2226 | | | | | | | +--rw val\
2227 \ue?
2228 | | | | | | | b\
2229 \inary
2230 | | | | | | +--rw cert?
2231 | | | | | | | end-entity\
2232 \-cert-cms
2233 | | | | | | +---n certificate-\
2234 \expiration
2235 | | | | | | | +-- expiration-\
2236 \date
2237 | | | | | | | yang:da\
2238 \te-and-time
2239 | | | | | | +---x generate-cer\
2240 \tificate-signing-request
2241 | | | | | | +---w input
2242 | | | | | | | +---w subject
2243 | | | | | | | | bina\
2244 \ry
2245 | | | | | | | +---w attrib\
2246 \utes?
2247 | | | | | | | bina\
2248 \ry
2249 | | | | | | +--ro output
2250 | | | | | | +--ro certif\
2251 \icate-signing-request
2252 | | | | | | bina\
2253 \ry
2254 | | | | | +--:(keystore)
2255 | | | | | {keystore-suppo\
2256 \rted}?
2257 | | | | | +--rw keystore-refere\
2258 \nce
2259 | | | | | +--rw asymmetric-k\
2260 \ey?
2261 | | | | | | ks:asymmet\
2262 \ric-key-ref
2263 | | | | | +--rw certificate?\
2264 \ leafref
2265 | | | | +--rw server-authentication
2266 | | | | | +--rw ssh-host-keys!
2267 | | | | | | +--rw (local-or-truststore)
2268 | | | | | | +--:(local)
2269 | | | | | | | {local-definitions-su\
2270 \pported}?
2271 | | | | | | | +--rw local-definition
2272 | | | | | | | +--rw host-key*
2273 | | | | | | | ct:ssh-host-key
2274 | | | | | | +--:(truststore)
2275 | | | | | | {truststore-supported\
2276 \,ssh-host-keys}?
2277 | | | | | | +--rw truststore-reference?
2278 | | | | | | ts:host-keys-ref
2279 | | | | | +--rw ca-certs!
2280 | | | | | | {sshcmn:ssh-x509-certs}?
2281 | | | | | | +--rw (local-or-truststore)
2282 | | | | | | +--:(local)
2283 | | | | | | | {local-definitions-su\
2284 \pported}?
2285 | | | | | | | +--rw local-definition
2286 | | | | | | | +--rw cert*
2287 | | | | | | | | trust-anchor-cer\
2288 \t-cms
2289 | | | | | | | +---n certificate-expira\
2290 \tion
2291 | | | | | | | +-- expiration-date
2292 | | | | | | | yang:date-and\
2293 \-time
2294 | | | | | | +--:(truststore)
2295 | | | | | | {truststore-supported\
2296 \,x509-certificates}?
2297 | | | | | | +--rw truststore-reference?
2298 | | | | | | ts:certificates-ref
2299 | | | | | +--rw server-certs!
2300 | | | | | {sshcmn:ssh-x509-certs}?
2301 | | | | | +--rw (local-or-truststore)
2302 | | | | | +--:(local)
2303 | | | | | | {local-definitions-su\
2304 \pported}?
2305 | | | | | | +--rw local-definition
2306 | | | | | | +--rw cert*
2307 | | | | | | | trust-anchor-cer\
2308 \t-cms
2309 | | | | | | +---n certificate-expira\
2310 \tion
2311 | | | | | | +-- expiration-date
2312 | | | | | | yang:date-and\
2313 \-time
2314 | | | | | +--:(truststore)
2315 | | | | | {truststore-supported\
2316 \,x509-certificates}?
2317 | | | | | +--rw truststore-reference?
2318 | | | | | ts:certificates-ref
2319 | | | | +--rw transport-params
2320 | | | | | {ssh-client-transport-params-co\
2321 \nfig}?
2322 | | | | | +--rw host-key
2323 | | | | | | +--rw host-key-alg* identityref
2324 | | | | | +--rw key-exchange
2325 | | | | | | +--rw key-exchange-alg*
2326 | | | | | | identityref
2327 | | | | | +--rw encryption
2328 | | | | | | +--rw encryption-alg*
2329 | | | | | | identityref
2330 | | | | | +--rw mac
2331 | | | | | +--rw mac-alg* identityref
2332 | | | | +--rw keepalives!
2333 | | | | {ssh-client-keepalives}?
2334 | | | | +--rw max-wait? uint16
2335 | | | | +--rw max-attempts? uint8
2336 | | | +--rw netconf-client-parameters
2337 | | +--:(tls) {tls-initiate}?
2338 | | +--rw tls
2339 | | +--rw tcp-client-parameters
2340 | | | +--rw remote-address inet:host
2341 | | | +--rw remote-port? inet:port-number
2342 | | | +--rw local-address? inet:ip-address
2343 | | | | {local-binding-supported}?
2344 | | | +--rw local-port? inet:port-number
2345 | | | | {local-binding-supported}?
2346 | | | +--rw keepalives!
2347 | | | {keepalives-supported}?
2348 | | | +--rw idle-time uint16
2349 | | | +--rw max-probes uint16
2350 | | | +--rw probe-interval uint16
2351 | | +--rw tls-client-parameters
2352 | | | +--rw client-identity
2353 | | | | +--rw (local-or-keystore)
2354 | | | | +--:(local)
2355 | | | | | {local-definitions-suppo\
2356 \rted}?
2357 | | | | | +--rw local-definition
2358 | | | | | +--rw algorithm
2359 | | | | | | iasa:asymmetric-alg\
2360 \orithm-type
2361 | | | | | +--rw public-key-format?
2362 | | | | | | identityref
2363 | | | | | +--rw public-key
2364 | | | | | | binary
2365 | | | | | +--rw private-key-format?
2366 | | | | | | identityref
2367 | | | | | +--rw (private-key-type)
2368 | | | | | | +--:(private-key)
2369 | | | | | | | +--rw private-key?
2370 | | | | | | | binary
2371 | | | | | | +--:(hidden-private-key)
2372 | | | | | | | +--rw hidden-private-\
2373 \key?
2374 | | | | | | | empty
2375 | | | | | | +--:(encrypted-private-k\
2376 \ey)
2377 | | | | | | +--rw encrypted-priva\
2378 \te-key
2379 | | | | | | +--rw (key-type)
2380 | | | | | | | +--:(symmetric-\
2381 \key-ref)
2382 | | | | | | | | +--rw symmet\
2383 \ric-key-ref? leafref
2384 | | | | | | | | {key\
2385 \store-supported}?
2386 | | | | | | | +--:(asymmetric\
2387 \-key-ref)
2388 | | | | | | | +--rw asymme\
2389 \tric-key-ref? leafref
2390 | | | | | | | {key\
2391 \store-supported}?
2392 | | | | | | +--rw value?
2393 | | | | | | binary
2394 | | | | | +--rw cert?
2395 | | | | | | end-entity-cert-cms
2396 | | | | | +---n certificate-expiration
2397 | | | | | | +-- expiration-date
2398 | | | | | | yang:date-and-ti\
2399 \me
2400 | | | | | +---x generate-certificate-\
2401 \signing-request
2402 | | | | | +---w input
2403 | | | | | | +---w subject
2404 | | | | | | | binary
2405 | | | | | | +---w attributes?
2406 | | | | | | binary
2407 | | | | | +--ro output
2408 | | | | | +--ro certificate-sig\
2409 \ning-request
2410 | | | | | binary
2411 | | | | +--:(keystore)
2412 | | | | {keystore-supported}?
2413 | | | | +--rw keystore-reference
2414 | | | | +--rw asymmetric-key?
2415 | | | | | ks:asymmetric-key-r\
2416 \ef
2417 | | | | +--rw certificate? lea\
2418 \fref
2419 | | | +--rw server-authentication
2420 | | | | +--rw ca-certs!
2421 | | | | | +--rw (local-or-truststore)
2422 | | | | | +--:(local)
2423 | | | | | | {local-definitions-su\
2424 \pported}?
2425 | | | | | | +--rw local-definition
2426 | | | | | | +--rw cert*
2427 | | | | | | | trust-anchor-cer\
2428 \t-cms
2429 | | | | | | +---n certificate-expira\
2430 \tion
2431 | | | | | | +-- expiration-date
2432 | | | | | | yang:date-and\
2433 \-time
2434 | | | | | +--:(truststore)
2435 | | | | | {truststore-supported\
2436 \,x509-certificates}?
2437 | | | | | +--rw truststore-reference?
2438 | | | | | ts:certificates-ref
2439 | | | | +--rw server-certs!
2440 | | | | +--rw (local-or-truststore)
2441 | | | | +--:(local)
2442 | | | | | {local-definitions-su\
2443 \pported}?
2444 | | | | | +--rw local-definition
2445 | | | | | +--rw cert*
2446 | | | | | | trust-anchor-cer\
2447 \t-cms
2448 | | | | | +---n certificate-expira\
2449 \tion
2450 | | | | | +-- expiration-date
2451 | | | | | yang:date-and\
2452 \-time
2453 | | | | +--:(truststore)
2454 | | | | {truststore-supported\
2456 \,x509-certificates}?
2457 | | | | +--rw truststore-reference?
2458 | | | | ts:certificates-ref
2459 | | | +--rw hello-params
2460 | | | | {tls-client-hello-params-config\
2461 \}?
2462 | | | | +--rw tls-versions
2463 | | | | | +--rw tls-version* identityref
2464 | | | | +--rw cipher-suites
2465 | | | | +--rw cipher-suite* identityref
2466 | | | +--rw keepalives!
2467 | | | {tls-client-keepalives}?
2468 | | | +--rw max-wait? uint16
2469 | | | +--rw max-attempts? uint8
2470 | | +--rw netconf-client-parameters
2471 | +--rw connection-type
2472 | | +--rw (connection-type)
2473 | | +--:(persistent-connection)
2474 | | | +--rw persistent!
2475 | | +--:(periodic-connection)
2476 | | +--rw periodic!
2477 | | +--rw period? uint16
2478 | | +--rw anchor-time? yang:date-and-time
2479 | | +--rw idle-timeout? uint16
2480 | +--rw reconnect-strategy
2481 | +--rw start-with? enumeration
2482 | +--rw max-attempts? uint8
2483 +--rw listen! {ssh-listen or tls-listen}?
2484 +--rw idle-timeout? uint16
2485 +--rw endpoint* [name]
2486 +--rw name string
2487 +--rw (transport)
2488 +--:(ssh) {ssh-listen}?
2489 | +--rw ssh
2490 | +--rw tcp-server-parameters
2491 | | +--rw local-address inet:ip-address
2492 | | +--rw local-port? inet:port-number
2493 | | +--rw keepalives! {keepalives-supported}?
2494 | | +--rw idle-time uint16
2495 | | +--rw max-probes uint16
2496 | | +--rw probe-interval uint16
2497 | +--rw ssh-client-parameters
2498 | | +--rw client-identity
2499 | | | +--rw username? string
2500 | | | +--rw (auth-type)
2501 | | | +--:(password)
2502 | | | | +--rw password? string
2503 | | | +--:(public-key)
2504 | | | | +--rw public-key
2505 | | | | +--rw (local-or-keystore)
2506 | | | | +--:(local)
2507 | | | | | {local-definitions-su\
2508 \pported}?
2509 | | | | | +--rw local-definition
2510 | | | | | +--rw algorithm
2511 | | | | | | iasa:asymmetric-\
2512 \algorithm-type
2513 | | | | | +--rw public-key-format?
2514 | | | | | | identityref
2515 | | | | | +--rw public-key
2516 | | | | | | binary
2517 | | | | | +--rw private-key-format?
2518 | | | | | | identityref
2519 | | | | | +--rw (private-key-type)
2520 | | | | | +--:(private-key)
2521 | | | | | | +--rw private-key?
2522 | | | | | | binary
2523 | | | | | +--:(hidden-private-k\
2524 \ey)
2525 | | | | | | +--rw hidden-priva\
2526 \te-key?
2527 | | | | | | empty
2528 | | | | | +--:(encrypted-privat\
2529 \e-key)
2530 | | | | | +--rw encrypted-pr\
2531 \ivate-key
2532 | | | | | +--rw (key-type)
2533 | | | | | | +--:(symmetr\
2534 \ic-key-ref)
2535 | | | | | | | +--rw sym\
2536 \metric-key-ref? leafref
2537 | | | | | | | {\
2538 \keystore-supported}?
2539 | | | | | | +--:(asymmet\
2540 \ric-key-ref)
2541 | | | | | | +--rw asy\
2542 \mmetric-key-ref? leafref
2543 | | | | | | {\
2544 \keystore-supported}?
2545 | | | | | +--rw value?
2546 | | | | | binary
2547 | | | | +--:(keystore)
2548 | | | | {keystore-supported}?
2549 | | | | +--rw keystore-reference?
2550 | | | | ks:asymmetric-key-r\
2551 \ef
2552 | | | +--:(certificate)
2553 | | | +--rw certificate
2554 | | | {sshcmn:ssh-x509-certs}?
2555 | | | +--rw (local-or-keystore)
2556 | | | +--:(local)
2557 | | | | {local-definitions-su\
2558 \pported}?
2559 | | | | +--rw local-definition
2560 | | | | +--rw algorithm
2561 | | | | | iasa:asymmetric-\
2562 \algorithm-type
2563 | | | | +--rw public-key-format?
2564 | | | | | identityref
2565 | | | | +--rw public-key
2566 | | | | | binary
2567 | | | | +--rw private-key-format?
2568 | | | | | identityref
2569 | | | | +--rw (private-key-type)
2570 | | | | | +--:(private-key)
2571 | | | | | | +--rw private-key?
2572 | | | | | | binary
2573 | | | | | +--:(hidden-private-k\
2574 \ey)
2575 | | | | | | +--rw hidden-priva\
2576 \te-key?
2577 | | | | | | empty
2578 | | | | | +--:(encrypted-privat\
2579 \e-key)
2580 | | | | | +--rw encrypted-pr\
2581 \ivate-key
2582 | | | | | +--rw (key-type)
2583 | | | | | | +--:(symmetr\
2584 \ic-key-ref)
2585 | | | | | | | +--rw sym\
2586 \metric-key-ref? leafref
2587 | | | | | | | {\
2588 \keystore-supported}?
2589 | | | | | | +--:(asymmet\
2590 \ric-key-ref)
2591 | | | | | | +--rw asy\
2592 \mmetric-key-ref? leafref
2593 | | | | | | {\
2594 \keystore-supported}?
2595 | | | | | +--rw value?
2596 | | | | | binary
2597 | | | | +--rw cert?
2598 | | | | | end-entity-cert-\
2599 \cms
2600 | | | | +---n certificate-expira\
2601 \tion
2602 | | | | | +-- expiration-date
2603 | | | | | yang:date-and\
2604 \-time
2605 | | | | +---x generate-certifica\
2606 \te-signing-request
2607 | | | | +---w input
2608 | | | | | +---w subject
2609 | | | | | | binary
2610 | | | | | +---w attributes?
2611 | | | | | binary
2612 | | | | +--ro output
2613 | | | | +--ro certificate-\
2614 \signing-request
2615 | | | | binary
2616 | | | +--:(keystore)
2617 | | | {keystore-supported}?
2618 | | | +--rw keystore-reference
2619 | | | +--rw asymmetric-key?
2620 | | | | ks:asymmetric-ke\
2621 \y-ref
2622 | | | +--rw certificate? \
2623 \leafref
2624 | | +--rw server-authentication
2625 | | | +--rw ssh-host-keys!
2626 | | | | +--rw (local-or-truststore)
2627 | | | | +--:(local)
2628 | | | | | {local-definitions-supporte\
2629 \d}?
2630 | | | | | +--rw local-definition
2631 | | | | | +--rw host-key*
2632 | | | | | ct:ssh-host-key
2633 | | | | +--:(truststore)
2634 | | | | {truststore-supported,ssh-h\
2635 \ost-keys}?
2636 | | | | +--rw truststore-reference?
2637 | | | | ts:host-keys-ref
2638 | | | +--rw ca-certs! {sshcmn:ssh-x509-certs}?
2639 | | | | +--rw (local-or-truststore)
2640 | | | | +--:(local)
2641 | | | | | {local-definitions-supporte\
2642 \d}?
2643 | | | | | +--rw local-definition
2644 | | | | | +--rw cert*
2645 | | | | | | trust-anchor-cert-cms
2646 | | | | | +---n certificate-expiration
2647 | | | | | +-- expiration-date
2648 | | | | | yang:date-and-time
2649 | | | | +--:(truststore)
2650 | | | | {truststore-supported,x509-\
2651 \certificates}?
2652 | | | | +--rw truststore-reference?
2653 | | | | ts:certificates-ref
2654 | | | +--rw server-certs!
2655 | | | {sshcmn:ssh-x509-certs}?
2656 | | | +--rw (local-or-truststore)
2657 | | | +--:(local)
2658 | | | | {local-definitions-supporte\
2659 \d}?
2660 | | | | +--rw local-definition
2661 | | | | +--rw cert*
2662 | | | | | trust-anchor-cert-cms
2663 | | | | +---n certificate-expiration
2664 | | | | +-- expiration-date
2665 | | | | yang:date-and-time
2666 | | | +--:(truststore)
2667 | | | {truststore-supported,x509-\
2668 \certificates}?
2669 | | | +--rw truststore-reference?
2670 | | | ts:certificates-ref
2671 | | +--rw transport-params
2672 | | | {ssh-client-transport-params-config}?
2673 | | | +--rw host-key
2674 | | | | +--rw host-key-alg* identityref
2675 | | | +--rw key-exchange
2676 | | | | +--rw key-exchange-alg* identityref
2677 | | | +--rw encryption
2678 | | | | +--rw encryption-alg* identityref
2679 | | | +--rw mac
2680 | | | +--rw mac-alg* identityref
2681 | | +--rw keepalives! {ssh-client-keepalives}?
2682 | | +--rw max-wait? uint16
2683 | | +--rw max-attempts? uint8
2684 | +--rw netconf-client-parameters
2685 +--:(tls) {tls-listen}?
2686 +--rw tls
2687 +--rw tcp-server-parameters
2688 | +--rw local-address inet:ip-address
2689 | +--rw local-port? inet:port-number
2690 | +--rw keepalives! {keepalives-supported}?
2691 | +--rw idle-time uint16
2692 | +--rw max-probes uint16
2693 | +--rw probe-interval uint16
2694 +--rw tls-client-parameters
2695 | +--rw client-identity
2696 | | +--rw (local-or-keystore)
2697 | | +--:(local)
2698 | | | {local-definitions-supported}?
2699 | | | +--rw local-definition
2700 | | | +--rw algorithm
2701 | | | | iasa:asymmetric-algorithm\
2702 \-type
2703 | | | +--rw public-key-format?
2704 | | | | identityref
2705 | | | +--rw public-key
2706 | | | | binary
2707 | | | +--rw private-key-format?
2708 | | | | identityref
2709 | | | +--rw (private-key-type)
2710 | | | | +--:(private-key)
2711 | | | | | +--rw private-key?
2712 | | | | | binary
2713 | | | | +--:(hidden-private-key)
2714 | | | | | +--rw hidden-private-key?
2715 | | | | | empty
2716 | | | | +--:(encrypted-private-key)
2717 | | | | +--rw encrypted-private-key
2718 | | | | +--rw (key-type)
2719 | | | | | +--:(symmetric-key-re\
2720 \f)
2721 | | | | | | +--rw symmetric-ke\
2722 \y-ref? leafref
2723 | | | | | | {keystore-\
2724 \supported}?
2725 | | | | | +--:(asymmetric-key-r\
2726 \ef)
2727 | | | | | +--rw asymmetric-k\
2728 \ey-ref? leafref
2729 | | | | | {keystore-\
2730 \supported}?
2731 | | | | +--rw value?
2732 | | | | binary
2733 | | | +--rw cert?
2734 | | | | end-entity-cert-cms
2735 | | | +---n certificate-expiration
2736 | | | | +-- expiration-date
2737 | | | | yang:date-and-time
2738 | | | +---x generate-certificate-signin\
2739 \g-request
2740 | | | +---w input
2741 | | | | +---w subject binary
2742 | | | | +---w attributes? binary
2743 | | | +--ro output
2744 | | | +--ro certificate-signing-r\
2745 \equest
2746 | | | binary
2747 | | +--:(keystore) {keystore-supported}?
2748 | | +--rw keystore-reference
2749 | | +--rw asymmetric-key?
2750 | | | ks:asymmetric-key-ref
2751 | | +--rw certificate? leafref
2752 | +--rw server-authentication
2753 | | +--rw ca-certs!
2754 | | | +--rw (local-or-truststore)
2755 | | | +--:(local)
2756 | | | | {local-definitions-supporte\
2757 \d}?
2758 | | | | +--rw local-definition
2759 | | | | +--rw cert*
2760 | | | | | trust-anchor-cert-cms
2761 | | | | +---n certificate-expiration
2762 | | | | +-- expiration-date
2763 | | | | yang:date-and-time
2764 | | | +--:(truststore)
2765 | | | {truststore-supported,x509-\
2766 \certificates}?
2767 | | | +--rw truststore-reference?
2768 | | | ts:certificates-ref
2769 | | +--rw server-certs!
2770 | | +--rw (local-or-truststore)
2771 | | +--:(local)
2772 | | | {local-definitions-supporte\
2773 \d}?
2774 | | | +--rw local-definition
2775 | | | +--rw cert*
2776 | | | | trust-anchor-cert-cms
2777 | | | +---n certificate-expiration
2778 | | | +-- expiration-date
2779 | | | yang:date-and-time
2780 | | +--:(truststore)
2781 | | {truststore-supported,x509-\
2782 \certificates}?
2783 | | +--rw truststore-reference?
2784 | | ts:certificates-ref
2785 | +--rw hello-params
2786 | | {tls-client-hello-params-config}?
2787 | | +--rw tls-versions
2788 | | | +--rw tls-version* identityref
2789 | | +--rw cipher-suites
2790 | | +--rw cipher-suite* identityref
2791 | +--rw keepalives! {tls-client-keepalives}?
2792 | +--rw max-wait? uint16
2793 | +--rw max-attempts? uint8
2794 +--rw netconf-client-parameters
2796 A.2. Expanded Tree Diagram for 'ietf-netconf-server'
2798 The following tree diagram [RFC8340] provides an overview of the data
2799 model for the "ietf-netconf-server" module.
2801 This tree diagram shows all the nodes defined in this module,
2802 including those defined by "grouping" statements used by this module.
2804 Please see Section 4.1 for a tree diagram that illustrates what the
2805 module looks like without all the "grouping" statements expanded.
2807 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
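The diagrams in this appendix are folded with the '\\' convention the NOTE above names. As an added example that is not part of the draft, the following Python unfolds that wrapping and parses the RFC 8340 tree into nodes with their paths and if-feature conditions, so one can check, for instance, which features a server must support before client authentication against a truststore is even configurable. All function and class names are this example's own, and SAMPLE is a constructed excerpt that assumes the diagram's original three-columns-per-level indentation.

```python
"""Unfold the '\\' line wrapping of these tree diagrams and parse the result
(RFC 8340 syntax) into nodes. Added example; all names here are its own."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "+--", an optional flag (rw/ro, -n notification, -x action, -w input, ":" case), rest
NODE_RE = re.compile(r"^(?P<indent>[\s|]*)\+--(?P<flag>rw|ro|-n|-x|-w|:)?\s*(?P<rest>\S.*)$")
FEATURE_RE = re.compile(r"\{([^}]*)\}\?")
KINDS = {"rw": "rw", "ro": "ro", "-n": "notification", "-x": "action", "-w": "input", ":": "case"}

def unfold(text: str) -> list[str]:
    """Join a line ending in '\\' with the next one, dropping that backslash,
    the newline, the next line's leading whitespace and its leading '\\'."""
    out, pending = [], None
    for raw in text.splitlines():
        if pending is not None:
            cont = raw.lstrip()
            if not cont.startswith("\\"):
                raise ValueError("continuation line must start with '\\': %r" % raw)
            raw, pending = pending + cont[1:], None
        if raw.endswith("\\"):
            pending = raw[:-1]
        else:
            out.append(raw)
    if pending is not None:
        raise ValueError("text ends inside a folded line")
    return out

@dataclass
class Node:
    depth: int        # nesting level from the "+--" column (3 columns per level)
    name: str         # bare name without the trailing ? ! * marks
    kind: str         # rw, ro, notification, action, input, case or ""
    optional: bool    # "?": the node need not be present
    presence: bool    # "!": presence container
    is_list: bool     # "*": list or leaf-list
    type: Optional[str] = None                         # type, or "[keys]" of a list
    features: list[str] = field(default_factory=list)  # if-feature expressions

def parse_tree(text: str) -> dict[str, Node]:
    """Parse a folded tree diagram into {path: Node}, path = names from the top
    node joined by "/". A line without "+--" carries the previous node's type or feature."""
    paths, stack = {}, []
    for line in unfold(text):
        m = NODE_RE.match(line)
        if m is None:
            body = line.replace("|", "").strip()
            if not stack or not body:
                continue
            if FEATURE_RE.fullmatch(body):
                stack[-1].features.extend(FEATURE_RE.findall(body))
            elif stack[-1].type is None:
                stack[-1].type = body
            continue
        rest, depth = m.group("rest"), len(m.group("indent")) // 3
        parts = FEATURE_RE.sub("", rest).split(None, 1)
        bare = parts[0].rstrip("?!*")
        marks = parts[0][len(bare):]
        while stack and stack[-1].depth >= depth:   # climb back to the parent
            stack.pop()
        stack.append(Node(depth=depth, name=bare, kind=KINDS.get(m.group("flag"), ""),
                          optional="?" in marks, presence="!" in marks, is_list="*" in marks,
                          type=parts[1].strip() if len(parts) > 1 else None,
                          features=FEATURE_RE.findall(rest)))
        paths["/".join(n.name for n in stack)] = stack[-1]
    return paths

def required_features(paths: dict[str, Node], path: str) -> list[str]:
    """If-feature conditions on the node and every ancestor: all must hold on the server."""
    parts = path.split("/")
    return [f for i in range(1, len(parts) + 1) for f in paths["/".join(parts[:i])].features]

# Constructed excerpt, folded like the ietf-netconf-server diagram: TLS listen
# endpoint whose client authentication uses a truststore reference.
SAMPLE = r"""module: ietf-netconf-server
  +--rw netconf-server
     +--rw listen! {ssh-listen or tls-listen}?
        +--rw endpoint* [name]
           +--rw (transport)
              +--:(tls) {tls-listen}?
                 +--rw tls
                    +--rw tls-server-parameters
                       +--rw client-authentication!
                          +--rw (local-or-external)
                             +--:(local) {local-client-auth-supported}?
                                +--rw ca-certs!
                                   +--rw (local-or-truststore)
                                      +--:(local)
                                      |  {local-definitions-supported}?
                                      |  +--rw local-definition
                                      +--:(truststore)
                                         {truststore-supported,x509-\
\certificates}?
                                         +--rw truststore-reference?
                                                 ts:certificates-ref
"""
CA_CERTS_REF = ("netconf-server/listen/endpoint/(transport)/(tls)/tls/tls-server-parameters/"
                "client-authentication/(local-or-external)/(local)/ca-certs/"
                "(local-or-truststore)/(truststore)/truststore-reference")
```

The '|' guide characters count as columns, so depths are only right on the properly indented original text, not on a copy whose leading whitespace has been collapsed.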
2809 module: ietf-netconf-server
2810 +--rw netconf-server
2811 +--rw listen! {ssh-listen or tls-listen}?
2812 | +--rw idle-timeout? uint16
2813 | +--rw endpoint* [name]
2814 | +--rw name string
2815 | +--rw (transport)
2816 | +--:(ssh) {ssh-listen}?
2817 | | +--rw ssh
2818 | | +--rw tcp-server-parameters
2819 | | | +--rw local-address inet:ip-address
2820 | | | +--rw local-port? inet:port-number
2821 | | | +--rw keepalives! {keepalives-supported}?
2822 | | | +--rw idle-time uint16
2823 | | | +--rw max-probes uint16
2824 | | | +--rw probe-interval uint16
2825 | | +--rw ssh-server-parameters
2826 | | | +--rw server-identity
2827 | | | | +--rw host-key* [name]
2828 | | | | +--rw name string
2829 | | | | +--rw (host-key-type)
2830 | | | | +--:(public-key)
2831 | | | | | +--rw public-key
2832 | | | | | +--rw (local-or-keystore)
2833 | | | | | +--:(local)
2834 | | | | | | {local-definitions\
2835 \-supported}?
2836 | | | | | | +--rw local-definition
2837 | | | | | | +--rw algorithm
2838 | | | | | | | iasa:asymmetr\
2839 \ic-algorithm-type
2840 | | | | | | +--rw public-key-form\
2841 \at?
2842 | | | | | | | identityref
2843 | | | | | | +--rw public-key
2844 | | | | | | | binary
2845 | | | | | | +--rw private-key-for\
2846 \mat?
2847 | | | | | | | identityref
2848 | | | | | | +--rw (private-key-ty\
2849 \pe)
2850 | | | | | | +--:(private-key)
2851 | | | | | | | +--rw private-k\
2852 \ey?
2853 | | | | | | | binary
2854 | | | | | | +--:(hidden-privat\
2855 \e-key)
2856 | | | | | | | +--rw hidden-pr\
2857 \ivate-key?
2858 | | | | | | | empty
2859 | | | | | | +--:(encrypted-pri\
2860 \vate-key)
2861 | | | | | | +--rw encrypted\
2862 \-private-key
2863 | | | | | | +--rw (key-t\
2864 \ype)
2865 | | | | | | | +--:(symm\
2866 \etric-key-ref)
2867 | | | | | | | | +--rw \
2868 \symmetric-key-ref? leafref
2869 | | | | | | | | \
2870 \ {keystore-supported}?
2871 | | | | | | | +--:(asym\
2872 \metric-key-ref)
2873 | | | | | | | +--rw \
2874 \asymmetric-key-ref? leafref
2875 | | | | | | | \
2876 \ {keystore-supported}?
2877 | | | | | | +--rw value?
2878 | | | | | | bina\
2879 \ry
2880 | | | | | +--:(keystore)
2881 | | | | | {keystore-supporte\
2882 \d}?
2883 | | | | | +--rw keystore-reference?
2884 | | | | | ks:asymmetric-ke\
2885 \y-ref
2886 | | | | +--:(certificate)
2887 | | | | +--rw certificate
2888 | | | | {sshcmn:ssh-x509-certs}?
2889 | | | | +--rw (local-or-keystore)
2890 | | | | +--:(local)
2891 | | | | | {local-definitions\
2892 \-supported}?
2893 | | | | | +--rw local-definition
2894 | | | | | +--rw algorithm
2895 | | | | | | iasa:asymmetr\
2896 \ic-algorithm-type
2897 | | | | | +--rw public-key-form\
2898 \at?
2899 | | | | | | identityref
2900 | | | | | +--rw public-key
2901 | | | | | | binary
2902 | | | | | +--rw private-key-for\
2903 \mat?
2904 | | | | | | identityref
2905 | | | | | +--rw (private-key-ty\
2906 \pe)
2907 | | | | | | +--:(private-key)
2908 | | | | | | | +--rw private-k\
2909 \ey?
2910 | | | | | | | binary
2911 | | | | | | +--:(hidden-privat\
2912 \e-key)
2913 | | | | | | | +--rw hidden-pr\
2914 \ivate-key?
2915 | | | | | | | empty
2916 | | | | | | +--:(encrypted-pri\
2917 \vate-key)
2918 | | | | | | +--rw encrypted\
2919 \-private-key
2920 | | | | | | +--rw (key-t\
2921 \ype)
2922 | | | | | | | +--:(symm\
2923 \etric-key-ref)
2924 | | | | | | | | +--rw \
2925 \symmetric-key-ref? leafref
2926 | | | | | | | | \
2927 \ {keystore-supported}?
2928 | | | | | | | +--:(asym\
2929 \metric-key-ref)
2930 | | | | | | | +--rw \
2931 \asymmetric-key-ref? leafref
2932 | | | | | | | \
2933 \ {keystore-supported}?
2934 | | | | | | +--rw value?
2935 | | | | | | bina\
2937 \ry
2938 | | | | | +--rw cert?
2939 | | | | | | end-entity-ce\
2940 \rt-cms
2941 | | | | | +---n certificate-exp\
2942 \iration
2943 | | | | | | +-- expiration-date
2944 | | | | | | yang:date-\
2945 \and-time
2946 | | | | | +---x generate-certif\
2947 \icate-signing-request
2948 | | | | | +---w input
2949 | | | | | | +---w subject
2950 | | | | | | | binary
2951 | | | | | | +---w attribute\
2952 \s?
2953 | | | | | | binary
2954 | | | | | +--ro output
2955 | | | | | +--ro certifica\
2956 \te-signing-request
2957 | | | | | binary
2958 | | | | +--:(keystore)
2959 | | | | {keystore-supporte\
2960 \d}?
2961 | | | | +--rw keystore-reference
2962 | | | | +--rw asymmetric-key?
2963 | | | | | ks:asymmetric\
2964 \-key-ref
2965 | | | | +--rw certificate? \
2966 \ leafref
2967 | | | +--rw client-authentication
2968 | | | | +--rw supported-authentication-methods
2969 | | | | | +--rw publickey? empty
2970 | | | | | +--rw passsword? empty
2971 | | | | | +--rw hostbased? empty
2972 | | | | | +--rw none? empty
2973 | | | | | +--rw other* string
2974 | | | | +--rw (local-or-external)
2975 | | | | +--:(local)
2976 | | | | | {local-client-auth-supported}?
2977 | | | | | +--rw users
2978 | | | | | +--rw user* [name]
2979 | | | | | +--rw name string
2980 | | | | | +--rw password?
2981 | | | | | | ianach:crypt-hash
2982 | | | | | +--rw host-keys!
2983 | | | | | | +--rw (local-or-truststore)
2984 | | | | | | +--:(local)
2985 | | | | | | | {local-definiti\
2986 \ons-supported}?
2987 | | | | | | | +--rw local-definition
2988 | | | | | | | +--rw host-key*
2989 | | | | | | | ct:ssh-hos\
2990 \t-key
2991 | | | | | | +--:(truststore)
2992 | | | | | | {truststore-sup\
2993 \ported,ssh-host-keys}?
2994 | | | | | | +--rw truststore-refe\
2995 \rence?
2996 | | | | | | ts:host-keys-\
2997 \ref
2998 | | | | | +--rw ca-certs!
2999 | | | | | | {sshcmn:ssh-x509-certs\
3000 \}?
3001 | | | | | | +--rw (local-or-truststore)
3002 | | | | | | +--:(local)
3003 | | | | | | | {local-definiti\
3004 \ons-supported}?
3005 | | | | | | | +--rw local-definition
3006 | | | | | | | +--rw cert*
3007 | | | | | | | | trust-anch\
3008 \or-cert-cms
3009 | | | | | | | +---n certificate-\
3010 \expiration
3011 | | | | | | | +-- expiration-\
3012 \date
3013 | | | | | | | yang:da\
3014 \te-and-time
3015 | | | | | | +--:(truststore)
3016 | | | | | | {truststore-sup\
3017 \ported,x509-certificates}?
3018 | | | | | | +--rw truststore-refe\
3019 \rence?
3020 | | | | | | ts:certificat\
3021 \es-ref
3022 | | | | | +--rw client-certs!
3023 | | | | | {sshcmn:ssh-x509-certs\
3024 \}?
3025 | | | | | +--rw (local-or-truststore)
3026 | | | | | +--:(local)
3027 | | | | | | {local-definiti\
3028 \ons-supported}?
3029 | | | | | | +--rw local-definition
3030 | | | | | | +--rw cert*
3031 | | | | | | | trust-anch\
3032 \or-cert-cms
3033 | | | | | | +---n certificate-\
3034 \expiration
3035 | | | | | | +-- expiration-\
3036 \date
3037 | | | | | | yang:da\
3038 \te-and-time
3039 | | | | | +--:(truststore)
3040 | | | | | {truststore-sup\
3041 \ported,x509-certificates}?
3042 | | | | | +--rw truststore-refe\
3043 \rence?
3044 | | | | | ts:certificat\
3045 \es-ref
3046 | | | | +--:(external)
3047 | | | | {external-client-auth-supporte\
3048 \d}?
3049 | | | | +--rw client-auth-defined-elsewhere?
3050 | | | | empty
3051 | | | +--rw transport-params
3052 | | | | {ssh-server-transport-params-config}?
3053 | | | | +--rw host-key
3054 | | | | | +--rw host-key-alg* identityref
3055 | | | | +--rw key-exchange
3056 | | | | | +--rw key-exchange-alg* identityref
3057 | | | | +--rw encryption
3058 | | | | | +--rw encryption-alg* identityref
3059 | | | | +--rw mac
3060 | | | | +--rw mac-alg* identityref
3061 | | | +--rw keepalives! {ssh-server-keepalives}?
3062 | | | +--rw max-wait? uint16
3063 | | | +--rw max-attempts? uint8
3064 | | +--rw netconf-server-parameters
3065 | | +--rw client-identification
3066 | | +--rw cert-maps
3067 | | +--rw cert-to-name* [id]
3068 | | +--rw id uint32
3069 | | +--rw fingerprint?
3070 | | | x509c2n:tls-fingerprint
3071 | | +--rw map-type identityref
3072 | | +--rw name string
3073 | +--:(tls) {tls-listen}?
3074 | +--rw tls
3075 | +--rw tcp-server-parameters
3076 | | +--rw local-address inet:ip-address
3077 | | +--rw local-port? inet:port-number
3078 | | +--rw keepalives! {keepalives-supported}?
3079 | | +--rw idle-time uint16
3080 | | +--rw max-probes uint16
3081 | | +--rw probe-interval uint16
3082 | +--rw tls-server-parameters
3083 | | +--rw server-identity
3084 | | | +--rw (local-or-keystore)
3085 | | | +--:(local)
3086 | | | | {local-definitions-supported}?
3087 | | | | +--rw local-definition
3088 | | | | +--rw algorithm
3089 | | | | | iasa:asymmetric-algorithm\
3090 \-type
3091 | | | | +--rw public-key-format?
3092 | | | | | identityref
3093 | | | | +--rw public-key
3094 | | | | | binary
3095 | | | | +--rw private-key-format?
3096 | | | | | identityref
3097 | | | | +--rw (private-key-type)
3098 | | | | | +--:(private-key)
3099 | | | | | | +--rw private-key?
3100 | | | | | | binary
3101 | | | | | +--:(hidden-private-key)
3102 | | | | | | +--rw hidden-private-key?
3103 | | | | | | empty
3104 | | | | | +--:(encrypted-private-key)
3105 | | | | | +--rw encrypted-private-key
3106 | | | | | +--rw (key-type)
3107 | | | | | | +--:(symmetric-key-re\
3108 \f)
3109 | | | | | | | +--rw symmetric-ke\
3110 \y-ref? leafref
3111 | | | | | | | {keystore-\
3112 \supported}?
3113 | | | | | | +--:(asymmetric-key-r\
3114 \ef)
3115 | | | | | | +--rw asymmetric-k\
3116 \ey-ref? leafref
3117 | | | | | | {keystore-\
3118 \supported}?
3119 | | | | | +--rw value?
3120 | | | | | binary
3121 | | | | +--rw cert?
3122 | | | | | end-entity-cert-cms
3123 | | | | +---n certificate-expiration
3124 | | | | | +-- expiration-date
3125 | | | | | yang:date-and-time
3126 | | | | +---x generate-certificate-signin\
3127 \g-request
3128 | | | | +---w input
3129 | | | | | +---w subject binary
3130 | | | | | +---w attributes? binary
3131 | | | | +--ro output
3132 | | | | +--ro certificate-signing-r\
3133 \equest
3134 | | | | binary
3135 | | | +--:(keystore) {keystore-supported}?
3136 | | | +--rw keystore-reference
3137 | | | +--rw asymmetric-key?
3138 | | | | ks:asymmetric-key-ref
3139 | | | +--rw certificate? leafref
3140 | | +--rw client-authentication!
3141 | | | +--rw (required-or-optional)
3142 | | | | +--:(required)
3143 | | | | | +--rw required?
3144 | | | | | empty
3145 | | | | +--:(optional)
3146 | | | | +--rw optional?
3147 | | | | empty
3148 | | | +--rw (local-or-external)
3149 | | | +--:(local)
3150 | | | | {local-client-auth-supported}?
3151 | | | | +--rw ca-certs!
3152 | | | | | +--rw (local-or-truststore)
3153 | | | | | +--:(local)
3154 | | | | | | {local-definitions-su\
3155 \pported}?
3156 | | | | | | +--rw local-definition
3157 | | | | | | +--rw cert*
3158 | | | | | | | trust-anchor-cer\
3159 \t-cms
3160 | | | | | | +---n certificate-expira\
3161 \tion
3162 | | | | | | +-- expiration-date
3163 | | | | | | yang:date-and\
3164 \-time
3165 | | | | | +--:(truststore)
3166 | | | | | {truststore-supported\
3167 \,x509-certificates}?
3168 | | | | | +--rw truststore-reference?
3169 | | | | | ts:certificates-ref
3170 | | | | +--rw client-certs!
3171 | | | | +--rw (local-or-truststore)
3172 | | | | +--:(local)
3173 | | | | | {local-definitions-su\
3174 \pported}?
3175 | | | | | +--rw local-definition
3176 | | | | | +--rw cert*
3177 | | | | | | trust-anchor-cer\
3178 \t-cms
3179 | | | | | +---n certificate-expira\
3180 \tion
3181 | | | | | +-- expiration-date
3182 | | | | | yang:date-and\
3183 \-time
3184 | | | | +--:(truststore)
3185 | | | | {truststore-supported\
3186 \,x509-certificates}?
3187 | | | | +--rw truststore-reference?
3188 | | | | ts:certificates-ref
3189 | | | +--:(external)
3190 | | | {external-client-auth-supporte\
3191 \d}?
3192 | | | +--rw client-auth-defined-elsewhere?
3193 | | | empty
3194 | | +--rw hello-params
3195 | | | {tls-server-hello-params-config}?
3196 | | | +--rw tls-versions
3197 | | | | +--rw tls-version* identityref
3198 | | | +--rw cipher-suites
3199 | | | +--rw cipher-suite* identityref
3200 | | +--rw keepalives! {tls-server-keepalives}?
3201 | | +--rw max-wait? uint16
3202 | | +--rw max-attempts? uint8
3203 | +--rw netconf-server-parameters
3204 | +--rw client-identification
3205 | +--rw cert-maps
3206 | +--rw cert-to-name* [id]
3207 | +--rw id uint32
3208 | +--rw fingerprint?
3209 | | x509c2n:tls-fingerprint
3210 | +--rw map-type identityref
3211 | +--rw name string
      +--rw call-home! {ssh-call-home or tls-call-home}?
         +--rw netconf-client* [name]
            +--rw name                  string
            +--rw endpoints
            |  +--rw endpoint* [name]
            |     +--rw name           string
            |     +--rw (transport)
            |        +--:(ssh) {ssh-call-home}?
            |        |  +--rw ssh
            |        |     +--rw tcp-client-parameters
            |        |     |  +--rw remote-address    inet:host
            |        |     |  +--rw remote-port?      inet:port-number
            |        |     |  +--rw local-address?    inet:ip-address {local-binding-supported}?
            |        |     |  +--rw local-port?       inet:port-number {local-binding-supported}?
            |        |     |  +--rw keepalives! {keepalives-supported}?
            |        |     |     +--rw idle-time         uint16
            |        |     |     +--rw max-probes        uint16
            |        |     |     +--rw probe-interval    uint16
            |        |     +--rw ssh-server-parameters
            |        |     |  +--rw server-identity
            |        |     |  |  +--rw host-key* [name]
            |        |     |  |     +--rw name    string
            |        |     |  |     +--rw (host-key-type)
            |        |     |  |        +--:(public-key)
            |        |     |  |        |  +--rw public-key
            |        |     |  |        |     +--rw (local-or-keystore)
            |        |     |  |        |        +--:(local) {local-definitions-supported}?
            |        |     |  |        |        |  +--rw local-definition
            |        |     |  |        |        |     +--rw algorithm              iasa:asymmetric-algorithm-type
            |        |     |  |        |        |     +--rw public-key-format?     identityref
            |        |     |  |        |        |     +--rw public-key             binary
            |        |     |  |        |        |     +--rw private-key-format?    identityref
            |        |     |  |        |        |     +--rw (private-key-type)
            |        |     |  |        |        |        +--:(private-key)
            |        |     |  |        |        |        |  +--rw private-key?    binary
            |        |     |  |        |        |        +--:(hidden-private-key)
            |        |     |  |        |        |        |  +--rw hidden-private-key?    empty
            |        |     |  |        |        |        +--:(encrypted-private-key)
            |        |     |  |        |        |           +--rw encrypted-private-key
            |        |     |  |        |        |              +--rw (key-type)
            |        |     |  |        |        |              |  +--:(symmetric-key-ref)
            |        |     |  |        |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
            |        |     |  |        |        |              |  +--:(asymmetric-key-ref)
            |        |     |  |        |        |              |     +--rw asymmetric-key-ref?    leafref {keystore-supported}?
            |        |     |  |        |        |              +--rw value?    binary
            |        |     |  |        |        +--:(keystore) {keystore-supported}?
            |        |     |  |        |           +--rw keystore-reference?    ks:asymmetric-key-ref
            |        |     |  |        +--:(certificate)
            |        |     |  |           +--rw certificate {sshcmn:ssh-x509-certs}?
            |        |     |  |              +--rw (local-or-keystore)
            |        |     |  |                 +--:(local) {local-definitions-supported}?
            |        |     |  |                 |  +--rw local-definition
            |        |     |  |                 |     +--rw algorithm              iasa:asymmetric-algorithm-type
            |        |     |  |                 |     +--rw public-key-format?     identityref
            |        |     |  |                 |     +--rw public-key             binary
            |        |     |  |                 |     +--rw private-key-format?    identityref
            |        |     |  |                 |     +--rw (private-key-type)
            |        |     |  |                 |     |  +--:(private-key)
            |        |     |  |                 |     |  |  +--rw private-key?    binary
            |        |     |  |                 |     |  +--:(hidden-private-key)
            |        |     |  |                 |     |  |  +--rw hidden-private-key?    empty
            |        |     |  |                 |     |  +--:(encrypted-private-key)
            |        |     |  |                 |     |     +--rw encrypted-private-key
            |        |     |  |                 |     |        +--rw (key-type)
            |        |     |  |                 |     |        |  +--:(symmetric-key-ref)
            |        |     |  |                 |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
            |        |     |  |                 |     |        |  +--:(asymmetric-key-ref)
            |        |     |  |                 |     |        |     +--rw asymmetric-key-ref?    leafref {keystore-supported}?
            |        |     |  |                 |     |        +--rw value?    binary
            |        |     |  |                 |     +--rw cert?                  end-entity-cert-cms
            |        |     |  |                 |     +---n certificate-expiration
            |        |     |  |                 |     |  +-- expiration-date    yang:date-and-time
            |        |     |  |                 |     +---x generate-certificate-signing-request
            |        |     |  |                 |        +---w input
            |        |     |  |                 |        |  +---w subject       binary
            |        |     |  |                 |        |  +---w attributes?   binary
            |        |     |  |                 |        +--ro output
            |        |     |  |                 |           +--ro certificate-signing-request    binary
            |        |     |  |                 +--:(keystore) {keystore-supported}?
            |        |     |  |                    +--rw keystore-reference
            |        |     |  |                       +--rw asymmetric-key?    ks:asymmetric-key-ref
            |        |     |  |                       +--rw certificate?       leafref
            |        |     |  +--rw client-authentication
            |        |     |  |  +--rw supported-authentication-methods
            |        |     |  |  |  +--rw publickey?    empty
            |        |     |  |  |  +--rw passsword?    empty
            |        |     |  |  |  +--rw hostbased?    empty
            |        |     |  |  |  +--rw none?         empty
            |        |     |  |  |  +--rw other*        string
            |        |     |  |  +--rw (local-or-external)
            |        |     |  |     +--:(local) {local-client-auth-supported}?
            |        |     |  |     |  +--rw users
            |        |     |  |     |     +--rw user* [name]
            |        |     |  |     |        +--rw name            string
            |        |     |  |     |        +--rw password?       ianach:crypt-hash
            |        |     |  |     |        +--rw host-keys!
            |        |     |  |     |        |  +--rw (local-or-truststore)
            |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
            |        |     |  |     |        |     |  +--rw local-definition
            |        |     |  |     |        |     |     +--rw host-key*    ct:ssh-host-key
            |        |     |  |     |        |     +--:(truststore) {truststore-supported,ssh-host-keys}?
            |        |     |  |     |        |        +--rw truststore-reference?    ts:host-keys-ref
            |        |     |  |     |        +--rw ca-certs! {sshcmn:ssh-x509-certs}?
            |        |     |  |     |        |  +--rw (local-or-truststore)
            |        |     |  |     |        |     +--:(local) {local-definitions-supported}?
            |        |     |  |     |        |     |  +--rw local-definition
            |        |     |  |     |        |     |     +--rw cert*    trust-anchor-cert-cms
            |        |     |  |     |        |     |     +---n certificate-expiration
            |        |     |  |     |        |     |        +-- expiration-date    yang:date-and-time
            |        |     |  |     |        |     +--:(truststore) {truststore-supported,x509-certificates}?
            |        |     |  |     |        |        +--rw truststore-reference?    ts:certificates-ref
            |        |     |  |     |        +--rw client-certs! {sshcmn:ssh-x509-certs}?
            |        |     |  |     |           +--rw (local-or-truststore)
            |        |     |  |     |              +--:(local) {local-definitions-supported}?
            |        |     |  |     |              |  +--rw local-definition
            |        |     |  |     |              |     +--rw cert*    trust-anchor-cert-cms
            |        |     |  |     |              |     +---n certificate-expiration
            |        |     |  |     |              |        +-- expiration-date    yang:date-and-time
            |        |     |  |     |              +--:(truststore) {truststore-supported,x509-certificates}?
            |        |     |  |     |                 +--rw truststore-reference?    ts:certificates-ref
            |        |     |  |     +--:(external) {external-client-auth-supported}?
            |        |     |  |        +--rw client-auth-defined-elsewhere?    empty
            |        |     |  +--rw transport-params {ssh-server-transport-params-config}?
            |        |     |  |  +--rw host-key
            |        |     |  |  |  +--rw host-key-alg*        identityref
            |        |     |  |  +--rw key-exchange
            |        |     |  |  |  +--rw key-exchange-alg*    identityref
            |        |     |  |  +--rw encryption
            |        |     |  |  |  +--rw encryption-alg*      identityref
            |        |     |  |  +--rw mac
            |        |     |  |     +--rw mac-alg*             identityref
            |        |     |  +--rw keepalives! {ssh-server-keepalives}?
            |        |     |     +--rw max-wait?       uint16
            |        |     |     +--rw max-attempts?   uint8
            |        |     +--rw netconf-server-parameters
            |        |        +--rw client-identification
            |        |           +--rw cert-maps
            |        |              +--rw cert-to-name* [id]
            |        |                 +--rw id             uint32
            |        |                 +--rw fingerprint?   x509c2n:tls-fingerprint
            |        |                 +--rw map-type       identityref
            |        |                 +--rw name           string
            |        +--:(tls) {tls-call-home}?
            |           +--rw tls
            |              +--rw tcp-client-parameters
            |              |  +--rw remote-address    inet:host
            |              |  +--rw remote-port?      inet:port-number
            |              |  +--rw local-address?    inet:ip-address {local-binding-supported}?
            |              |  +--rw local-port?       inet:port-number {local-binding-supported}?
            |              |  +--rw keepalives! {keepalives-supported}?
            |              |     +--rw idle-time         uint16
            |              |     +--rw max-probes        uint16
            |              |     +--rw probe-interval    uint16
            |              +--rw tls-server-parameters
            |              |  +--rw server-identity
            |              |  |  +--rw (local-or-keystore)
            |              |  |     +--:(local) {local-definitions-supported}?
            |              |  |     |  +--rw local-definition
            |              |  |     |     +--rw algorithm              iasa:asymmetric-algorithm-type
            |              |  |     |     +--rw public-key-format?     identityref
            |              |  |     |     +--rw public-key             binary
            |              |  |     |     +--rw private-key-format?    identityref
            |              |  |     |     +--rw (private-key-type)
            |              |  |     |     |  +--:(private-key)
            |              |  |     |     |  |  +--rw private-key?    binary
            |              |  |     |     |  +--:(hidden-private-key)
            |              |  |     |     |  |  +--rw hidden-private-key?    empty
            |              |  |     |     |  +--:(encrypted-private-key)
            |              |  |     |     |     +--rw encrypted-private-key
            |              |  |     |     |        +--rw (key-type)
            |              |  |     |     |        |  +--:(symmetric-key-ref)
            |              |  |     |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
            |              |  |     |     |        |  +--:(asymmetric-key-ref)
            |              |  |     |     |        |     +--rw asymmetric-key-ref?    leafref {keystore-supported}?
            |              |  |     |     |        +--rw value?    binary
            |              |  |     |     +--rw cert?                  end-entity-cert-cms
            |              |  |     |     +---n certificate-expiration
            |              |  |     |     |  +-- expiration-date    yang:date-and-time
            |              |  |     |     +---x generate-certificate-signing-request
            |              |  |     |        +---w input
            |              |  |     |        |  +---w subject       binary
            |              |  |     |        |  +---w attributes?   binary
            |              |  |     |        +--ro output
            |              |  |     |           +--ro certificate-signing-request    binary
            |              |  |     +--:(keystore) {keystore-supported}?
            |              |  |        +--rw keystore-reference
            |              |  |           +--rw asymmetric-key?    ks:asymmetric-key-ref
            |              |  |           +--rw certificate?       leafref
            |              |  +--rw client-authentication!
            |              |  |  +--rw (required-or-optional)
            |              |  |  |  +--:(required)
            |              |  |  |  |  +--rw required?    empty
            |              |  |  |  +--:(optional)
            |              |  |  |     +--rw optional?    empty
            |              |  |  +--rw (local-or-external)
            |              |  |     +--:(local) {local-client-auth-supported}?
            |              |  |     |  +--rw ca-certs!
            |              |  |     |  |  +--rw (local-or-truststore)
            |              |  |     |  |     +--:(local) {local-definitions-supported}?
            |              |  |     |  |     |  +--rw local-definition
            |              |  |     |  |     |     +--rw cert*    trust-anchor-cert-cms
            |              |  |     |  |     |     +---n certificate-expiration
            |              |  |     |  |     |        +-- expiration-date    yang:date-and-time
            |              |  |     |  |     +--:(truststore) {truststore-supported,x509-certificates}?
            |              |  |     |  |        +--rw truststore-reference?    ts:certificates-ref
            |              |  |     |  +--rw client-certs!
            |              |  |     |     +--rw (local-or-truststore)
            |              |  |     |        +--:(local) {local-definitions-supported}?
            |              |  |     |        |  +--rw local-definition
            |              |  |     |        |     +--rw cert*    trust-anchor-cert-cms
            |              |  |     |        |     +---n certificate-expiration
            |              |  |     |        |        +-- expiration-date    yang:date-and-time
            |              |  |     |        +--:(truststore) {truststore-supported,x509-certificates}?
            |              |  |     |           +--rw truststore-reference?    ts:certificates-ref
            |              |  |     +--:(external) {external-client-auth-supported}?
            |              |  |        +--rw client-auth-defined-elsewhere?    empty
            |              |  +--rw hello-params {tls-server-hello-params-config}?
            |              |  |  +--rw tls-versions
            |              |  |  |  +--rw tls-version*     identityref
            |              |  |  +--rw cipher-suites
            |              |  |     +--rw cipher-suite*    identityref
            |              |  +--rw keepalives! {tls-server-keepalives}?
            |              |     +--rw max-wait?       uint16
            |              |     +--rw max-attempts?   uint8
            |              +--rw netconf-server-parameters
            |                 +--rw client-identification
            |                    +--rw cert-maps
            |                       +--rw cert-to-name* [id]
            |                          +--rw id             uint32
            |                          +--rw fingerprint?   x509c2n:tls-fingerprint
            |                          +--rw map-type       identityref
            |                          +--rw name           string
            +--rw connection-type
            |  +--rw (connection-type)
            |     +--:(persistent-connection)
            |     |  +--rw persistent!
            |     +--:(periodic-connection)
            |        +--rw periodic!
            |           +--rw period?          uint16
            |           +--rw anchor-time?     yang:date-and-time
            |           +--rw idle-timeout?    uint16
            +--rw reconnect-strategy
               +--rw start-with?      enumeration
               +--rw max-attempts?    uint8
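   The tree above shows where a call-home server's client-authentication
   and client-identification settings live.  The following is an added
   example, not code from the draft or from any implementation: a small
   Python audit that parses a constructed instance of the call-home
   subtree and reports endpoints whose client authentication is not
   enforced (TLS client authentication optional or without trust anchors,
   no cert-to-name mapping, or the SSH "none" method enabled).  The module
   namespace URI, the x509c2n prefix binding and all names and values in
   the sample are assumptions made for the example; server-identity is
   omitted from the sample because the audit does not inspect it.

```python
"""Hypothetical audit of a NETCONF call-home configuration instance (added
example, not part of the draft): walk the 'call-home' subtree of
ietf-netconf-server and flag endpoints whose client authentication is weak."""
import xml.etree.ElementTree as ET

# Namespace of ietf-netconf-server (assumed for this example).  Nodes pulled in
# through 'uses' take the using module's namespace, so every element shares it.
NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"


def q(path):
    """Turn 'a/b/c' into an ElementTree path with each step namespace-qualified."""
    return "/".join("{%s}%s" % (NS, step) for step in path.split("/"))


# Constructed sample (names and hosts invented): one hardened TLS endpoint, one
# weak TLS endpoint and one SSH endpoint that still advertises 'none' auth.
SAMPLE_CONFIG = """<netconf-server xmlns="%s"
    xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">
 <call-home><netconf-client><name>nms</name><endpoints>
  <endpoint><name>tls-primary</name><tls>
   <tcp-client-parameters><remote-address>nms.example.com</remote-address></tcp-client-parameters>
   <tls-server-parameters><client-authentication><required/>
     <ca-certs><truststore-reference>nms-ca</truststore-reference></ca-certs>
   </client-authentication></tls-server-parameters>
   <netconf-server-parameters><client-identification><cert-maps><cert-to-name>
     <id>1</id><map-type>x509c2n:specified</map-type><name>nms-operator</name>
   </cert-to-name></cert-maps></client-identification></netconf-server-parameters>
  </tls></endpoint>
  <endpoint><name>tls-backup</name><tls>
   <tcp-client-parameters><remote-address>backup.example.com</remote-address></tcp-client-parameters>
   <tls-server-parameters><client-authentication><optional/></client-authentication>
   </tls-server-parameters>
   <netconf-server-parameters><client-identification><cert-maps/>
   </client-identification></netconf-server-parameters>
  </tls></endpoint>
  <endpoint><name>ssh-legacy</name><ssh>
   <tcp-client-parameters><remote-address>legacy.example.com</remote-address></tcp-client-parameters>
   <ssh-server-parameters><client-authentication>
     <supported-authentication-methods><publickey/><none/></supported-authentication-methods>
     <client-auth-defined-elsewhere/>
   </client-authentication></ssh-server-parameters>
  </ssh></endpoint>
 </endpoints><connection-type><persistent/></connection-type>
 </netconf-client></call-home></netconf-server>""" % NS


def _tls_findings(tls):
    """Checks for an endpoint using the (tls) transport case of the tree."""
    out = []
    auth = tls.find(q("tls-server-parameters/client-authentication"))
    if auth is None:                       # presence container absent
        return ["TLS client authentication not configured"]
    if auth.find(q("optional")) is not None:
        out.append("TLS client authentication is optional")
    anchors = [c for c in ("ca-certs", "client-certs") if auth.find(q(c)) is not None]
    if not anchors and auth.find(q("client-auth-defined-elsewhere")) is None:
        out.append("no ca-certs/client-certs and client auth not defined elsewhere")
    if not tls.findall(q("netconf-server-parameters/client-identification/"
                         "cert-maps/cert-to-name")):
        out.append("no cert-to-name mapping for client identification")
    return out


def _ssh_findings(ssh):
    """Checks for an endpoint using the (ssh) transport case of the tree."""
    methods = ssh.find(q("ssh-server-parameters/client-authentication/"
                         "supported-authentication-methods"))
    if methods is not None and methods.find(q("none")) is not None:
        return ["'none' SSH authentication method enabled"]
    return []


def audit_call_home(xml_text):
    """Return (client, endpoint, finding) triples for every weak endpoint."""
    findings = []
    for client in ET.fromstring(xml_text).iter(q("netconf-client")):
        cname = client.findtext(q("name"))
        for ep in client.findall(q("endpoints/endpoint")):
            tls, ssh = ep.find(q("tls")), ep.find(q("ssh"))
            if tls is not None:
                msgs = _tls_findings(tls)
            elif ssh is not None:
                msgs = _ssh_findings(ssh)
            else:
                msgs = ["no transport configured"]
            findings.extend((cname, ep.findtext(q("name")), m) for m in msgs)
    return findings


if __name__ == "__main__":
    for client, endpoint, msg in audit_call_home(SAMPLE_CONFIG):
        print("%s/%s: %s" % (client, endpoint, msg))
```

   Run against the sample, the audit reports nothing for "tls-primary",
   three findings for "tls-backup" and one for "ssh-legacy".  The checks
   mirror the tree: the "client-authentication!" presence container and
   its "(required-or-optional)" choice, the "ca-certs!"/"client-certs!"
   containers versus "client-auth-defined-elsewhere", the "cert-to-name"
   list, and the "supported-authentication-methods" leaves.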
Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Added to ietf-netconf-client the ability to connect to a cluster
      of endpoints, including a reconnection-strategy.

   o  Added to ietf-netconf-client the ability to configure connection-
      type and also a keep-alive strategy.

   o  Updated both modules to accommodate new groupings in the ssh/tls
      drafts.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement
      indicating that the TLS client must specify a client-certificate.

   o  Changed 'netconf-client' to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-netconf-client to add a
      mandatory true.

   o  Added refine statement in ietf-netconf-server to add a must
      statement.

   o  Now there are containers and groupings, for both the client and
      server models.

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.

   o  Updated examples to match latest updates to the crypto-types,
      trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with"
      enum.

   o  Replaced "connection-type" choice default (persistent) with
      "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2
      minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types algs.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the
      keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings
      imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not
      configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

B.12.  11 to 12

   o  Removed the "Design Considerations" section.

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connection" description statements to be
      more like the RESTCONF draft, especially where it describes
      dropping the underlying TCP connection.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.

B.13.  12 to 13

   o  Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
      anchors/truststore/g + s/pinned.//).

B.14.  13 to 14

   o  Adjusted for change in TLS client model (removing the top-level
      'certificate' container), by swapping refining-in a 'mandatory
      true' statement with a 'must' statement outside the 'uses'
      statement.

   o  Updated examples to reflect ietf-crypto-types change (e.g.,
      identities --> enumerations).

B.15.  14 to 15

   o  Refactored both the client and server modules similar to how the
      ietf-restconf-server module was refactored in -13 of that draft,
      and the ietf-restconf-client grouping.

B.16.  15 to 16

   o  Added refinement to make "cert-to-name/fingerprint" be mandatory
      false.

   o  Commented out refinement to "tls-server-grouping/client-
      authentication" until a better "must" expression is defined.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
   Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
   Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
   Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net