idnits 2.17.1

draft-ietf-netconf-netconf-client-server-17.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 2132 has weird spacing: '...address    ine...'

  == Line 2142 has weird spacing: '...nterval    uin...'

  == Line 2376 has weird spacing: '...address    ine...'

  == Line 2386 has weird spacing: '...nterval    uin...'

  == Line 2690 has weird spacing: '...address    ine...'

  == (11 more instances...)

  -- The document date (November 20, 2019) is 1612 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-35) exists of
     draft-ietf-netconf-keystore-14

  == Outdated reference: A later version (-40) exists of
     draft-ietf-netconf-ssh-client-server-16

  == Outdated reference: A later version (-41) exists of
     draft-ietf-netconf-tls-client-server-16

  == Outdated reference: A later version (-28) exists of
     draft-ietf-netconf-trust-anchors-07

     Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
-------------------------------------------------------------------------------- 2 NETCONF Working Group K. Watsen 3 Internet-Draft Watsen Networks 4 Intended status: Standards Track November 20, 2019 5 Expires: May 23, 2020 7 NETCONF Client and Server Models 8 draft-ietf-netconf-netconf-client-server-17 10 Abstract 12 This document defines two YANG modules, one module to configure a 13 NETCONF client and the other module to configure a NETCONF server. 14 Both modules support both the SSH and TLS transport protocols, and 15 support both standard NETCONF and NETCONF Call Home connections. 17 Editorial Note (To be removed by RFC Editor) 19 This draft contains many placeholder values that need to be replaced 20 with finalized values at the time of publication. This note 21 summarizes all of the substitutions that are needed. No other RFC 22 Editor instructions are specified elsewhere in this document. 24 This document contains references to other drafts in progress, both 25 in the Normative References section, as well as in body text 26 throughout. Please update the following references to reflect their 27 final RFC assignments: 29 o I-D.ietf-netconf-keystore 31 o I-D.ietf-netconf-tcp-client-server 33 o I-D.ietf-netconf-ssh-client-server 35 o I-D.ietf-netconf-tls-client-server 37 Artwork in this document contains shorthand references to drafts in 38 progress. Please apply the following replacements: 40 o "XXXX" --> the assigned RFC value for this draft 42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client- 43 server 45 o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client- 46 server 48 o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client- 49 server 51 Artwork in this document contains placeholder values for the date of 52 publication of this draft. 
Please apply the following replacement: 54 o "2019-11-20" --> the publication date of this draft 56 The following Appendix section is to be removed prior to publication: 58 o Appendix B. Change Log 60 Status of This Memo 62 This Internet-Draft is submitted in full conformance with the 63 provisions of BCP 78 and BCP 79. 65 Internet-Drafts are working documents of the Internet Engineering 66 Task Force (IETF). Note that other groups may also distribute 67 working documents as Internet-Drafts. The list of current Internet- 68 Drafts is at https://datatracker.ietf.org/drafts/current/. 70 Internet-Drafts are draft documents valid for a maximum of six months 71 and may be updated, replaced, or obsoleted by other documents at any 72 time. It is inappropriate to use Internet-Drafts as reference 73 material or to cite them other than as "work in progress." 75 This Internet-Draft will expire on May 23, 2020. 77 Copyright Notice 79 Copyright (c) 2019 IETF Trust and the persons identified as the 80 document authors. All rights reserved. 82 This document is subject to BCP 78 and the IETF Trust's Legal 83 Provisions Relating to IETF Documents 84 (https://trustee.ietf.org/license-info) in effect on the date of 85 publication of this document. Please review these documents 86 carefully, as they describe your rights and restrictions with respect 87 to this document. Code Components extracted from this document must 88 include Simplified BSD License text as described in Section 4.e of 89 the Trust Legal Provisions and are provided without warranty as 90 described in the Simplified BSD License. 92 Table of Contents 94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 96 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4 97 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 98 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 6 99 3.3. YANG Module . . . . . . 
. . . . . . . . . . . . . . . . . 9 100 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 20 101 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 20 102 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 22 103 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 29 104 5. Security Considerations . . . . . . . . . . . . . . . . . . . 41 105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 106 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 42 107 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 42 108 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 109 7.1. Normative References . . . . . . . . . . . . . . . . . . 43 110 7.2. Informative References . . . . . . . . . . . . . . . . . 44 111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 45 112 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 45 113 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 66 114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 89 115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 89 116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 89 117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 89 118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 89 119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 90 120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 90 121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 90 122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 90 123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 90 124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 91 125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 91 126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 91 127 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 
92
     B.14. 13 to 14  . . . . . . . . . . . . . . . . . . . . . . . .  92
     B.15. 14 to 15  . . . . . . . . . . . . . . . . . . . . . . . .  92
     B.16. 15 to 16  . . . . . . . . . . . . . . . . . . . . . . . .  92
     B.17. 16 to 17  . . . . . . . . . . . . . . . . . . . . . . . .  92
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  92
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  93

1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a NETCONF [RFC6241] client and the other module to
   configure a NETCONF server.  Both modules support both NETCONF over
   SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
   connections [RFC8071].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The NETCONF Client Model

   The NETCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home, using either
   the SSH or the TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   client supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by
   this module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-client
     +--rw netconf-client
        +---u netconf-client-app-grouping

     grouping netconf-client-grouping
     grouping netconf-client-initiate-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-initiate}?
          |  +-- ssh
          |     +-- tcp-client-parameters
          |     |  +---u tcpc:tcp-client-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-initiate}?
             +-- tls
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-listen-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-listen}?
          |  +-- ssh
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-listen}?
             +-- tls
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-app-grouping
       +-- initiate! {ssh-initiate or tls-initiate}?
       |  +-- netconf-server* [name]
       |     +-- name?                 string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?    string
       |     |     +---u netconf-client-initiate-stack-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {ssh-listen or tls-listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?    string
             +---u netconf-client-listen-stack-grouping

3.2.
Example Usage 239 The following example illustrates configuring a NETCONF client to 240 initiate connections, using both the SSH and TLS transport protocols, 241 as well as listening for call-home connections, again using both the 242 SSH and TLS transport protocols. 244 This example is consistent with the examples presented in Section 2 245 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 246 [I-D.ietf-netconf-keystore]. 248 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== 250 254 255 256 257 corp-fw1 258 259 260 corp-fw1.example.com 261 262 263 corp-fw1.example.com 264 265 15 266 3 267 30 268 269 270 271 272 foobar 273 274 275 rsa2048 276 ct:ssh-public-key-format 278 base64encodedvalue== 279 ct:rsa-private-key-format 281 base64encodedvalue== 282 283 284 285 286 287 explicitly-trusted-server-ca\ 288 -certs 289 290 291 explicitly-trusted-server-ce\ 292 rts 293 294 295 296 30 297 3 298 299 300 301 302 303 304 305 306 corp-fw2.example.com 307 308 309 corp-fw2.example.com 310 311 15 312 3 313 30 314 315 316 317 318 319 320 rsa2048 321 ct:subject-public-key-info-fo\ 322 rmat 323 base64encodedvalue== 324 ct:rsa-private-key-format 326 base64encodedvalue== 327 base64encodedvalue== 328 329 330 331 332 333 explicitly-trusted-server-ca\ 334 -certs 335 336 337 explicitly-trusted-server-ce\ 338 rts 339 340 341 342 30 343 3 344 345 346 347 348 349 350 351 352 353 354 355 356 last-connected 357 358 359 361 362 363 364 Intranet-facing listener 365 366 367 192.0.2.7 368 369 370 371 foobar 372 373 374 rsa2048 375 ct:ssh-public-key-format 377 base64encodedvalue== 378 ct:rsa-private-key-format 380 base64encodedvalue== 382 383 384 385 386 387 explicitly-trusted-server-ca-cer\ 388 ts 389 390 391 explicitly-trusted-server-certs<\ 392 /truststore-reference> 393 394 395 explicitly-trusted-ssh-host-keys\ 396 397 398 399 400 401 402 403 404 405 406 408 3.3. 
YANG Module

   This YANG module has normative references to [RFC6242], [RFC6991],
   [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].

   file "ietf-netconf-client@2019-11-20.yang"

   module ietf-netconf-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
     prefix ncc;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-ssh-client {
       prefix sshc;
       revision-date 2019-11-20; // stable grouping definitions
       reference
         "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-tls-client {
       prefix tlsc;
       revision-date 2019-11-20; // stable grouping definitions
       reference
         "RFC DDDD: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module contains a collection of YANG definitions
        for configuring NETCONF clients.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2019-11-20 {
       description
         "Initial version";
       reference
         "RFC XXXX: NETCONF Client and Server Models";
     }

     // Features

     feature ssh-initiate {
       description
         "The 'ssh-initiate' feature indicates that the NETCONF client
          supports initiating SSH connections to NETCONF servers.";
       reference
         "RFC 6242:
            Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature tls-initiate {
       description
         "The 'tls-initiate' feature indicates that the NETCONF client
          supports initiating TLS connections to NETCONF servers.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport
                    Layer Security (TLS) with Mutual X.509 Authentication";
     }

     feature ssh-listen {
       description
         "The 'ssh-listen' feature indicates that the NETCONF client
          supports opening a port to listen for incoming NETCONF
          server call-home SSH connections.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF client
          supports opening a port to listen for incoming NETCONF
          server call-home TLS connections.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping netconf-client-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          without any consideration for how underlying transport
          sessions are established.

          This grouping currently doesn't define any nodes.";
     }

     grouping netconf-client-initiate-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          'initiate' protocol stack for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-initiate";
           container ssh {
             description
               "Specifies IP and SSH specific configuration
                for the connection.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "830";
                   description
                     "The NETCONF client will attempt to connect
                      to the IANA-assigned well-known port value
                      for 'netconf-ssh' (830) if no value is
                      specified.";
                 }
               }
             }
             container ssh-client-parameters {
               description
                 "A wrapper around the SSH client parameters to
                  avoid name collisions.";
               uses sshc:ssh-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-initiate";
           container tls {
             description
               "Specifies IP and TLS specific configuration
                for the connection.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "6513";
                   description
                     "The NETCONF client will attempt to connect
                      to the IANA-assigned well-known port value
                      for 'netconf-tls' (6513) if no value is
                      specified.";
                 }
               }
             }
             container tls-client-parameters {
               must "client-identity" {
                 description
                   "NETCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
       }
     } // netconf-client-initiate-stack-grouping

     grouping netconf-client-listen-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          'listen' protocol stack for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-listen";
           container ssh {
             description
               "SSH-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "4334";
                   description
                     "The NETCONF client will listen on the IANA-
                      assigned well-known port for 'netconf-ch-ssh'
                      (4334) if no value is specified.";
                 }
               }
             }
             container ssh-client-parameters {
               description
                 "A wrapper around the SSH client parameters
                  to avoid name collisions.";
               uses sshc:ssh-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-listen";
           container tls {
             description
               "TLS-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "4335";
                   description
                     "The NETCONF client will listen on the IANA-
                      assigned well-known port for 'netconf-ch-tls'
                      (4335) if no value is specified.";
                 }
               }
             }
             container tls-client-parameters {
               must "client-identity" {
                 description
                   "NETCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
       }
     } // netconf-client-listen-stack-grouping

     grouping netconf-client-app-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          application that supports both 'initiate' and 'listen'
          protocol stacks for a multiplicity of connections.";
       container initiate {
         if-feature "ssh-initiate or tls-initiate";
         presence "Enables client to initiate TCP connections";
         description
           "Configures client initiating underlying TCP connections.";
         list netconf-server {
           key "name";
           min-elements 1;
           description
             "List of NETCONF servers the NETCONF client is to
              maintain simultaneous connections with.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF server.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A user-ordered list of endpoints that the NETCONF
                  client will attempt to connect to in the specified
                  sequence.  Defining more than one enables
                  high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for the endpoint.";
               }
               uses netconf-client-initiate-stack-grouping;
             } // list endpoint
           } // container endpoints

           container connection-type {
             description
               "Indicates the NETCONF client's preference for how the
                NETCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection is
                             to be maintained.";
                   description
                     "Maintain a persistent connection to the NETCONF
                      server.  If the connection goes down, immediately
                      start trying to reconnect to the NETCONF server,
                      using the reconnection strategy.

                      This connection type minimizes any NETCONF server
                      to NETCONF client data-transfer delay, albeit at
                      the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the NETCONF server.

                      This connection type decreases resource
                      utilization, albeit with increased delay in
                      NETCONF server to NETCONF client interactions.

                      The NETCONF client should close the underlying
                      TCP connection upon completing planned activities.

                      In the case that the previous connection is still
                      active, establishing a new connection is NOT
                      RECOMMENDED.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which a
                        series of periodic connections are determined.
                        The periodic connections occur at a whole
                        multiple interval from the anchor time.  For
                        example, if the anchor time is 15 minutes past
                        midnight and the period is 24 hours, then a
                        periodic connection will occur 15 minutes past
                        midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds that
                        a NETCONF session may remain idle.  A NETCONF
                        session will be dropped if it is idle for an
                        interval longer than this number of seconds.
                        If set to zero, then the NETCONF client will
                        never drop a session because it is idle.";
                   }
                 }
               }
             }
           }
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a NETCONF client
                reconnects to a NETCONF server, after discovering its
                connection to the server has dropped, even if due to a
                reboot.  The NETCONF client starts with the specified
                endpoint and tries to connect to it max-attempts times
                before trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start with
                      the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start with
                      the endpoint last connected to.  If no previous
                      connection has ever been established, then the
                      first endpoint configured is used.  NETCONF
                      clients SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the NETCONF server's endpoints
                  the NETCONF client should start with when trying
                  to connect to the NETCONF server.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the NETCONF client
                  tries to connect to a specific endpoint before moving
                  on to the next endpoint in the list (round robin).";
             }
           }
         } // netconf-server
       } // initiate

       container listen {
         if-feature "ssh-listen or tls-listen";
         presence "Enables client to accept call-home connections";
         description
           "Configures client accepting call-home TCP connections.";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default "3600"; // one hour
           description
             "Specifies the maximum number of seconds that a NETCONF
              session may remain idle.  A NETCONF session will be
              dropped if it is idle for an interval longer than this
              number of seconds.  If set to zero, then the NETCONF
              client will never drop a session because it is idle.
              Sessions that have a notification subscription active
              are never dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for NETCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF listen endpoint.";
           }
           uses netconf-client-listen-stack-grouping;
         } // endpoint
       } // listen
     } // netconf-client-app-grouping

     // Protocol accessible node, for servers that implement this
     // module.

     container netconf-client {
       uses netconf-client-app-grouping;
       description
         "Top-level container for NETCONF client configuration.";
     }
   }

4.  The NETCONF Server Model

   The NETCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections, using either the SSH or the TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   server supports.

4.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by
   this module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-server
     +--rw netconf-server
        +---u netconf-server-app-grouping

     grouping netconf-server-grouping
       +-- client-identity-mappings
               {tls-listen or tls-call-home or sshcmn:ssh-x509-certs}?
          +---u x509c2n:cert-to-name
     grouping netconf-server-listen-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-listen}?
          |  +-- ssh
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- ssh-server-parameters
          |     |  +---u sshs:ssh-server-grouping
          |     +-- netconf-server-parameters
          |        +---u ncs:netconf-server-grouping
          +--:(tls) {tls-listen}?
             +-- tls
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- netconf-server-parameters
                   +---u ncs:netconf-server-grouping
     grouping netconf-server-callhome-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-call-home}?
          |  +-- ssh
          |     +-- tcp-client-parameters
          |     |  +---u tcpc:tcp-client-grouping
          |     +-- ssh-server-parameters
          |     |  +---u sshs:ssh-server-grouping
          |     +-- netconf-server-parameters
          |        +---u ncs:netconf-server-grouping
          +--:(tls) {tls-call-home}?
             +-- tls
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- netconf-server-parameters
                   +---u ncs:netconf-server-grouping
     grouping netconf-server-app-grouping
       +-- listen! {ssh-listen or tls-listen}?
       |  +-- idle-timeout?   uint16
       |  +-- endpoint* [name]
       |     +-- name?    string
       |     +---u netconf-server-listen-stack-grouping
       +-- call-home! {ssh-call-home or tls-call-home}?
          +-- netconf-client* [name]
             +-- name?                 string
             +-- endpoints
             |  +-- endpoint* [name]
             |     +-- name?    string
             |     +---u netconf-server-callhome-stack-grouping
             +-- connection-type
             |  +-- (connection-type)
             |     +--:(persistent-connection)
             |     |  +-- persistent!
             |     +--:(periodic-connection)
             |        +-- periodic!
             |           +-- period?         uint16
             |           +-- anchor-time?    yang:date-and-time
             |           +-- idle-timeout?   uint16
             +-- reconnect-strategy
                +-- start-with?     enumeration
                +-- max-attempts?   uint8

4.2.
Example Usage 1026 The following example illustrates configuring a NETCONF server to 1027 listen for NETCONF client connections using both the SSH and TLS 1028 transport protocols, as well as configuring call-home to two NETCONF 1029 clients, one using SSH and the other using TLS. 1031 This example is consistent with the examples presented in Section 2 1032 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 1033 [I-D.ietf-netconf-keystore]. 1035 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== 1037-1346 [XML instance document not recoverable from this copy: the element markup was lost and only element values survive. What remains identifies two listen endpoints, "netconf/ssh" and "netconf/tls", both with local-address 192.0.2.7; the SSH endpoint carries a locally defined host key named "deployment-specific-certificate" (algorithm rsa2048, ct:ssh-public-key-format / ct:rsa-private-key-format), the TLS endpoint a locally defined rsa2048 key (ct:subject-public-key-info-format) with its certificate, client authentication through the truststore references "explicitly-trusted-client-ca-certs" and "explicitly-trusted-client-certs", and a two-entry cert-to-name list (id 1: fingerprint 11:0A:05:11:00, map-type x509c2n:specified, name "scooby-doo"; id 2: map-type x509c2n:san-any). Call-home is then configured to the NETCONF client "config-mgr" over SSH (endpoints "east-data-center" at east.config-mgr.example.com and "west-data-center" at west.config-mgr.example.com, each with a locally defined rsa2048 host key named "deployment-specific-certificate"; reconnect-strategy start-with last-connected, max-attempts 3) and to "data-collector" over TLS (endpoints "east-data-center" at east.analytics.example.com and "west-data-center" at west.analytics.example.com, each with TCP keepalives idle-time 15, max-probes 3, probe-interval 30, a locally defined rsa2048 key and certificate, the same two truststore references, and the same two-entry cert-to-name list as the TLS listen endpoint; reconnect-strategy start-with first-listed, max-attempts 3).] 1348 4.3. YANG Module 1350 This YANG module has normative references to [RFC6242], [RFC6991], 1351 [RFC7407], [RFC7589], [RFC8071], 1352 [I-D.kwatsen-netconf-tcp-client-server], 1353 [I-D.ietf-netconf-ssh-client-server], and 1354 [I-D.ietf-netconf-tls-client-server].
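The cert-to-name list in the example above (entry 1 pins one certificate by fingerprint to the name "scooby-doo", entry 2 maps every other certificate through x509c2n:san-any) is the part of the configuration that turns a successful TLS client authentication into a NETCONF username, and the 'client-identity-mappings' text in the module below requires the server to close the connection when no matching and valid entry exists. The following Python is an added example, not part of this draft or of any implementation of it, showing that resolution as a server would perform it: it walks the user-ordered list, applies the RFC 7407 map-types, treats a fingerprint-less entry as a catch-all, reports entries shadowed by a catch-all that is not last, and returns None (close the connection) when nothing applies. The certificate model (a dataclass over constructed bytes instead of parsed DER), the sample data, and the reading that an entry whose map-type cannot yield a name is skipped rather than fatal are this example's own assumptions; the draft's placeholder fingerprint 11:0A:05:11:00 appears only to show that a value whose leading octet names no registered TLS HashAlgorithm can never match a real certificate.

```python
"""Client-certificate to NETCONF-username resolution through a cert-to-name
list (the RFC 7407 grouping reused by ietf-netconf-server).  Added example,
not code from the draft.  Certificates are a dataclass over constructed
bytes (no DER parsing); fingerprints follow RFC 7407's tls-fingerprint
layout, one octet naming the TLS HashAlgorithm followed by the digest."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SAN_KIND = {"san-rfc822-name": "rfc822", "san-dns-name": "dns", "san-ip-address": "ip"}

@dataclass
class ClientCert:
    der: bytes                              # certificate bytes (constructed below)
    common_name: str = ""
    sans: Tuple[Tuple[str, str], ...] = ()  # subjectAltNames in certificate order

@dataclass
class CertToName:
    id: int                                 # list key; the list is ordered-by user
    map_type: str                           # specified | common-name | san-* | san-any
    fingerprint: Optional[str] = None       # None: matches every certificate
    name: Optional[str] = None              # used only by 'specified'

def tls_fingerprint(der: bytes, hash_id: int = 4) -> str:
    """Colon-separated hex: hash-algorithm octet, then the digest."""
    digest = hashlib.new(HASH_ALGS[hash_id], der).digest()
    return ":".join(f"{b:02X}" for b in bytes([hash_id]) + digest)

def fingerprint_matches(fingerprint: str, der: bytes) -> bool:
    """A leading octet naming no registered algorithm never matches; the
    draft's placeholder 11:0A:05:11:00 is such a value."""
    try:
        hash_id = int(fingerprint.split(":")[0], 16)
    except ValueError:
        return False
    return hash_id in HASH_ALGS and fingerprint.upper() == tls_fingerprint(der, hash_id)

def derive_name(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Apply the entry's map-type; None when the certificate lacks the field."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.common_name or None
    if entry.map_type == "san-any":
        wanted = ("rfc822", "dns", "ip")    # first SAN of these kinds, in cert order
    elif entry.map_type in SAN_KIND:
        wanted = (SAN_KIND[entry.map_type],)
    else:
        raise ValueError(f"unknown map-type {entry.map_type!r}")
    for kind, value in cert.sans:
        if kind in wanted:
            return value
    return None

def resolve_username(mappings: List[CertToName], cert: ClientCert) -> Optional[str]:
    """First entry, in list order, whose fingerprint matches (or is absent) and
    whose map-type yields a name.  None means no matching and valid entry:
    the server MUST close the connection.  Treating an entry whose map-type
    yields nothing as 'not valid' and moving on is this example's reading."""
    for entry in mappings:
        if entry.fingerprint is not None and not fingerprint_matches(entry.fingerprint, cert.der):
            continue
        name = derive_name(entry, cert)
        if name is not None:
            return name
    return None

def shadowed_entries(mappings: List[CertToName]) -> List[int]:
    """ids of entries behind a fingerprint-less catch-all, which can never be
    reached; the module says a catch-all should only be last in the list."""
    shadowed, catch_all_seen = [], False
    for entry in mappings:
        if catch_all_seen:
            shadowed.append(entry.id)
        catch_all_seen = catch_all_seen or entry.fingerprint is None
    return shadowed

# Constructed sample data with the shape of the draft's example: entry 1 pins
# one certificate to "scooby-doo", entry 2 maps everything else via san-any.
PINNED_DER = b"constructed DER bytes of the pinned client certificate"
OTHER_DER = b"constructed DER bytes of some other client certificate"
MAPPINGS = [CertToName(1, "specified", tls_fingerprint(PINNED_DER), "scooby-doo"),
            CertToName(2, "san-any")]

if __name__ == "__main__":
    pinned = ClientCert(PINNED_DER, sans=(("dns", "pinned.example.com"),))
    other = ClientCert(OTHER_DER, sans=(("ip", "192.0.2.50"), ("dns", "other.example.com")))
    bare = ClientCert(b"constructed certificate without any subjectAltName")
    print(resolve_username(MAPPINGS, pinned))   # scooby-doo
    print(resolve_username(MAPPINGS, other))    # 192.0.2.50
    print(resolve_username(MAPPINGS, bare))     # None -> close the connection
```

Run it directly to see the three outcomes; the one worth attention is the last, where the client presented a certificate the TLS layer accepted and the server still has no username, and therefore, per the module text, no NETCONF session.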
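The call-home half of the example (two clients, each with an east and a west endpoint, reconnect-strategy last-connected with max-attempts 3 and first-listed with max-attempts 3) is driven by the 'connection-type', 'reconnect-strategy' and 'idle-timeout' semantics that the module below states in prose. The following Python is an added example, not part of this draft, that turns those descriptions into three checkable functions: the next periodic connection time as a whole multiple of 'period' from 'anchor-time' (whether the anchor lies in the past or the future), the order in which endpoints are dialled during one reconnect cycle under 'start-with' and 'max-attempts' (each endpoint max-attempts times before the next, round robin, with the first endpoint used when nothing was ever connected), and the idle-timeout rule (zero never drops; the 'listen' container additionally exempts sessions with an active notification subscription). The endpoint names are taken from the example; the timestamps, the notion of a single reconnect cycle, and the explicit seed for 'random-selection' are this example's assumptions.

```python
"""Call-home scheduling rules from ietf-netconf-server, as pure functions.
Added example; not code from the draft.  Assumptions: timezone-aware
datetimes, one reconnect cycle = every endpoint tried in turn once, and
'random-selection' seeded explicitly so a test can drive it."""
import random
from datetime import datetime, timedelta
from typing import List, Optional


def parse_anchor_time(value: str) -> datetime:
    """anchor-time is yang:date-and-time constrained to minute granularity,
    e.g. '2019-11-20T00:15Z' or '2019-11-20T00:15+02:00'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def next_periodic_connection(anchor: datetime, period_minutes: int, now: datetime) -> datetime:
    """Earliest instant >= now that is a whole multiple of the period away
    from the anchor.  A future anchor yields the anchor itself (or a later
    multiple if 'now' has already passed it)."""
    if period_minutes < 1:
        raise ValueError("period must be at least one minute")
    period = timedelta(minutes=period_minutes)
    k = (now - anchor) // period          # floor division; negative when the anchor is in the future
    candidate = anchor + k * period
    if candidate < now:
        candidate += period
    return candidate


def endpoint_attempt_order(endpoints: List[str], start_with: str = "first-listed",
                           max_attempts: int = 3, last_connected: Optional[str] = None,
                           random_seed: Optional[int] = None) -> List[str]:
    """Sequence of endpoint names dialled in one reconnect cycle.
    'endpoints' is the user-ordered list from the configuration."""
    if not endpoints:
        raise ValueError("endpoint list has min-elements 1")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # fall back to the first endpoint when no connection was ever established
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = random.Random(random_seed).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with {start_with!r}")
    rotated = endpoints[start:] + endpoints[:start]
    return [name for name in rotated for _ in range(max_attempts)]


def should_drop_idle(idle_seconds: int, idle_timeout: int, active_subscription: bool = False) -> bool:
    """idle-timeout semantics: drop only when idle strictly longer than the
    timeout; zero disables dropping; the 'listen' container additionally
    never drops a session that has a notification subscription active."""
    if idle_timeout == 0 or active_subscription:
        return False
    return idle_seconds > idle_timeout


if __name__ == "__main__":
    anchor = parse_anchor_time("2019-11-20T00:15Z")          # constructed sample anchor
    now = parse_anchor_time("2019-11-21T09:00Z")
    print(next_periodic_connection(anchor, 24 * 60, now).isoformat())   # 2019-11-22T00:15:00+00:00
    print(endpoint_attempt_order(["east-data-center", "west-data-center"],
                                 "last-connected", 3, last_connected="west-data-center"))
    print(should_drop_idle(3601, 3600), should_drop_idle(10**6, 0))     # True False
```

The floor division in next_periodic_connection is what makes the "before or after" wording of anchor-time work without a special case: a negative multiple simply walks forward to the anchor.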
1356 <CODE BEGINS> file "ietf-netconf-server@2019-11-20.yang" 1358 module ietf-netconf-server { 1359 yang-version 1.1; 1360 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; 1361 prefix ncs; 1363 import ietf-yang-types { 1364 prefix yang; 1365 reference 1366 "RFC 6991: Common YANG Data Types"; 1367 } 1369 import ietf-x509-cert-to-name { 1370 prefix x509c2n; 1371 reference 1372 "RFC 7407: A YANG Data Model for SNMP Configuration"; 1373 } 1375 import ietf-tcp-client { 1376 prefix tcpc; 1377 reference 1378 "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers"; 1379 } 1381 import ietf-tcp-server { 1382 prefix tcps; 1383 reference 1384 "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers"; 1385 } 1387 import ietf-ssh-common { 1388 prefix sshcmn; 1389 revision-date 2019-11-20; // stable grouping definitions 1390 reference 1391 "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers"; 1392 } 1393 import ietf-ssh-server { 1394 prefix sshs; 1395 revision-date 2019-11-20; // stable grouping definitions 1396 reference 1397 "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers"; 1398 } 1400 import ietf-tls-server { 1401 prefix tlss; 1402 revision-date 2019-11-20; // stable grouping definitions 1403 reference 1404 "RFC DDDD: YANG Groupings for TLS Clients and TLS Servers"; 1405 } 1407 organization 1408 "IETF NETCONF (Network Configuration) Working Group"; 1410 contact 1411 "WG Web: 1412 WG List: 1413 Author: Kent Watsen 1414 Author: Gary Wu 1415 Author: Juergen Schoenwaelder 1416 "; 1418 description 1419 "This module contains a collection of YANG definitions 1420 for configuring NETCONF servers. 1422 Copyright (c) 2019 IETF Trust and the persons identified 1423 as authors of the code. All rights reserved.
1425 Redistribution and use in source and binary forms, with 1426 or without modification, is permitted pursuant to, and 1427 subject to the license terms contained in, the Simplified 1428 BSD License set forth in Section 4.c of the IETF Trust's 1429 Legal Provisions Relating to IETF Documents 1430 (https://trustee.ietf.org/license-info). 1432 This version of this YANG module is part of RFC XXXX 1433 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC 1434 itself for full legal notices. 1436 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1437 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1438 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1439 are to be interpreted as described in BCP 14 (RFC 2119) 1440 (RFC 8174) when, and only when, they appear in all 1441 capitals, as shown here."; 1443 revision 2019-11-20 { 1444 description 1445 "Initial version"; 1446 reference 1447 "RFC XXXX: NETCONF Client and Server Models"; 1448 } 1450 // Features 1452 feature ssh-listen { 1453 description 1454 "The 'ssh-listen' feature indicates that the NETCONF server 1455 supports opening a port to accept NETCONF over SSH 1456 client connections."; 1457 reference 1458 "RFC 6242: 1459 Using the NETCONF Protocol over Secure Shell (SSH)"; 1460 } 1462 feature tls-listen { 1463 description 1464 "The 'tls-listen' feature indicates that the NETCONF server 1465 supports opening a port to accept NETCONF over TLS 1466 client connections."; 1467 reference 1468 "RFC 7589: Using the NETCONF Protocol over Transport 1469 Layer Security (TLS) with Mutual X.509 1470 Authentication"; 1471 } 1473 feature ssh-call-home { 1474 description 1475 "The 'ssh-call-home' feature indicates that the NETCONF 1476 server supports initiating a NETCONF over SSH call 1477 home connection to NETCONF clients."; 1478 reference 1479 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1480 } 1482 feature tls-call-home { 1483 description 1484 "The 'tls-call-home' feature indicates that the
NETCONF 1485 server supports initiating a NETCONF over TLS call 1486 home connection to NETCONF clients."; 1487 reference 1488 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1490 } 1492 // Groupings 1494 grouping netconf-server-grouping { 1495 description 1496 "A reusable grouping for configuring a NETCONF server 1497 without any consideration for how underlying transport 1498 sessions are established. 1500 Note that this grouping uses a fairly typical descendant 1501 node name such that a stack of 'uses' statements will 1502 have name conflicts. It is intended that the consuming 1503 data model will resolve the issue by wrapping the 'uses' 1504 statement in a container called, e.g., 1505 'netconf-server-parameters'. This model purposely does 1506 not do this itself so as to provide maximum flexibility 1507 to consuming models."; 1509 container client-identity-mappings { 1510 if-feature 1511 "tls-listen or tls-call-home or sshcmn:ssh-x509-certs"; 1512 description 1513 "Specifies mappings through which NETCONF client X.509 1514 certificates are used to determine a NETCONF username. 1515 If no matching and valid cert-to-name list entry can be 1516 found, then the NETCONF server MUST close the connection, 1517 and MUST NOT accept NETCONF messages over it."; 1518 reference 1519 "RFC 7407: A YANG Data Model for SNMP Configuration."; 1520 uses x509c2n:cert-to-name { 1521 refine "cert-to-name/fingerprint" { 1522 mandatory false; 1523 description 1524 "A 'fingerprint' value does not need to be specified 1525 when the 'cert-to-name' mapping is independent of 1526 fingerprint matching.
A 'cert-to-name' having no 1527 fingerprint value will match any client certificate 1528 and therefore should only be present at the end of 1529 the user-ordered 'cert-to-name' list."; 1530 } 1531 } 1532 } 1533 } 1535 grouping netconf-server-listen-stack-grouping { 1536 description 1537 "A reusable grouping for configuring a NETCONF server 1538 'listen' protocol stack for a single connection."; 1539 choice transport { 1540 mandatory true; 1541 description 1542 "Selects between available transports."; 1543 case ssh { 1544 if-feature "ssh-listen"; 1545 container ssh { 1546 description 1547 "SSH-specific listening configuration for inbound 1548 connections."; 1549 container tcp-server-parameters { 1550 description 1551 "A wrapper around the TCP server parameters 1552 to avoid name collisions."; 1553 uses tcps:tcp-server-grouping { 1554 refine "local-port" { 1555 default "830"; 1556 description 1557 "The NETCONF server will listen on the 1558 IANA-assigned well-known port value 1559 for 'netconf-ssh' (830) if no value 1560 is specified."; 1561 } 1562 } 1563 } 1564 container ssh-server-parameters { 1565 description 1566 "A wrapper around the SSH server parameters 1567 to avoid name collisions."; 1568 uses sshs:ssh-server-grouping; 1569 } 1570 container netconf-server-parameters { 1571 description 1572 "A wrapper around the NETCONF server parameters 1573 to avoid name collisions."; 1574 uses ncs:netconf-server-grouping; 1575 } 1576 } 1577 } 1578 case tls { 1579 if-feature "tls-listen"; 1580 container tls { 1581 description 1582 "TLS-specific listening configuration for inbound 1583 connections."; 1584 container tcp-server-parameters { 1585 description 1586 "A wrapper around the TCP server parameters 1587 to avoid name collisions."; 1588 uses tcps:tcp-server-grouping { 1589 refine "local-port" { 1590 default "6513"; 1591 description 1592 "The NETCONF server will listen on the 1593 IANA-assigned well-known port value 1594 for 'netconf-tls' (6513) if no value 1595 is
specified."; 1596 } 1597 } 1598 } 1599 container tls-server-parameters { 1600 description 1601 "A wrapper around the TLS server parameters to 1602 avoid name collisions."; 1603 uses tlss:tls-server-grouping; /* { 1604 FIXME: commented out since auth could also be external. 1605 ^-- need a better 'must' expression? 1606 refine "client-authentication" { 1607 must 'ca-certs or client-certs'; 1608 description 1609 "NETCONF/TLS servers MUST validate client 1610 certificates."; 1611 } 1612 }*/ 1613 } 1614 container netconf-server-parameters { 1615 description 1616 "A wrapper around the NETCONF server parameters 1617 to avoid name collisions."; 1618 uses ncs:netconf-server-grouping; 1619 } 1620 } 1621 } 1622 } 1623 } 1625 grouping netconf-server-callhome-stack-grouping { 1626 description 1627 "A reusable grouping for configuring a NETCONF server 1628 'call-home' protocol stack, for a single connection."; 1629 choice transport { 1630 mandatory true; 1631 description 1632 "Selects between available transports."; 1633 case ssh { 1634 if-feature "ssh-call-home"; 1635 container ssh { 1636 description 1637 "Specifies SSH-specific call-home transport 1638 configuration."; 1639 container tcp-client-parameters { 1640 description 1641 "A wrapper around the TCP client parameters 1642 to avoid name collisions."; 1643 uses tcpc:tcp-client-grouping { 1644 refine "remote-port" { 1645 default "4334"; 1646 description 1647 "The NETCONF server will attempt to connect 1648 to the IANA-assigned well-known port for 1649 'netconf-ch-ssh' (4334) if no value is 1650 specified."; 1651 } 1652 } 1653 } 1654 container ssh-server-parameters { 1655 description 1656 "A wrapper around the SSH server parameters 1657 to avoid name collisions."; 1658 uses sshs:ssh-server-grouping; 1659 } 1660 container netconf-server-parameters { 1661 description 1662 "A wrapper around the NETCONF server parameters 1663 to avoid name collisions."; 1664 uses ncs:netconf-server-grouping; 1665 } 1666 } 1667 } 1668 case tls {
1669 if-feature "tls-call-home"; 1670 container tls { 1671 description 1672 "Specifies TLS-specific call-home transport 1673 configuration."; 1674 container tcp-client-parameters { 1675 description 1676 "A wrapper around the TCP client parameters 1677 to avoid name collisions."; 1678 uses tcpc:tcp-client-grouping { 1679 refine "remote-port" { 1680 default "4335"; 1681 description 1682 "The NETCONF server will attempt to connect 1683 to the IANA-assigned well-known port for 1684 'netconf-ch-tls' (4335) if no value is 1685 specified."; 1686 } 1687 } 1688 } 1689 container tls-server-parameters { 1690 description 1691 "A wrapper around the TLS server parameters to 1692 avoid name collisions."; 1693 uses tlss:tls-server-grouping; /* { 1694 FIXME: commented out since auth could also be external. 1695 ^-- need a better 'must' expression? 1696 refine "client-authentication" { 1697 must 'ca-certs or client-certs'; 1698 description 1699 "NETCONF/TLS servers MUST validate client 1700 certificates."; 1701 } 1702 }*/ 1703 } 1704 container netconf-server-parameters { 1705 description 1706 "A wrapper around the NETCONF server parameters 1707 to avoid name collisions."; 1708 uses ncs:netconf-server-grouping; 1709 } 1710 } 1711 } 1712 } 1713 } 1715 grouping netconf-server-app-grouping { 1716 description 1717 "A reusable grouping for configuring a NETCONF server 1718 application that supports both 'listen' and 'call-home' 1719 protocol stacks for a multiplicity of connections."; 1720 container listen { 1721 if-feature "ssh-listen or tls-listen"; 1722 presence 1723 "Enables server to listen for NETCONF client connections."; 1724 description 1725 "Configures listen behavior"; 1726 leaf idle-timeout { 1727 type uint16; 1728 units "seconds"; 1729 default 3600; // one hour 1730 description 1731 "Specifies the maximum number of seconds that a NETCONF 1732 session may remain idle. A NETCONF session will be 1733 dropped if it is idle for an interval longer than this 1734 number of seconds. 
If set to zero, then the server 1735 will never drop a session because it is idle. Sessions 1736 that have a notification subscription active are never 1737 dropped."; 1738 } 1739 list endpoint { 1740 key "name"; 1741 min-elements 1; 1742 description 1743 "List of endpoints to listen for NETCONF connections."; 1744 leaf name { 1745 type string; 1746 description 1747 "An arbitrary name for the NETCONF listen endpoint."; 1748 } 1749 uses netconf-server-listen-stack-grouping; 1750 } 1751 } 1752 container call-home { 1753 if-feature "ssh-call-home or tls-call-home"; 1754 presence 1755 "Enables the NETCONF server to initiate the underlying 1756 transport connection to NETCONF clients."; 1757 description "Configures call home behavior."; 1758 list netconf-client { 1759 key "name"; 1760 min-elements 1; 1761 description 1762 "List of NETCONF clients the NETCONF server is to 1763 maintain simultaneous call-home connections with."; 1764 leaf name { 1765 type string; 1766 description 1767 "An arbitrary name for the remote NETCONF client."; 1768 } 1769 container endpoints { 1770 description 1771 "Container for the list of endpoints."; 1772 list endpoint { 1773 key "name"; 1774 min-elements 1; 1775 ordered-by user; 1776 description 1777 "A non-empty user-ordered list of endpoints for this 1778 NETCONF server to try to connect to in sequence. 
1779 Defining more than one enables high-availability."; 1780 leaf name { 1781 type string; 1782 description 1783 "An arbitrary name for this endpoint."; 1784 } 1785 uses netconf-server-callhome-stack-grouping; 1786 } 1787 } 1788 container connection-type { 1789 description 1790 "Indicates the NETCONF server's preference for how the 1791 NETCONF connection is maintained."; 1792 choice connection-type { 1793 mandatory true; 1794 description 1795 "Selects between available connection types."; 1796 case persistent-connection { 1797 container persistent { 1798 presence "Indicates that a persistent connection is 1799 to be maintained."; 1800 description 1801 "Maintain a persistent connection to the NETCONF 1802 client. If the connection goes down, immediately 1803 start trying to reconnect to the NETCONF client, 1804 using the reconnection strategy. 1806 This connection type minimizes any NETCONF client 1807 to NETCONF server data-transfer delay, albeit at 1808 the expense of holding resources longer."; 1809 } 1810 } 1811 case periodic-connection { 1812 container periodic { 1813 presence "Indicates that a periodic connection is 1814 to be maintained."; 1815 description 1816 "Periodically connect to the NETCONF client. 1818 This connection type decreases resource 1819 utilization, albeit with increased delay in 1820 NETCONF client to NETCONF server interactions. 1822 The NETCONF client SHOULD gracefully close the 1823 connection using <close-session> upon completing 1824 planned activities. If the NETCONF session is 1825 not closed gracefully, the NETCONF server MUST 1826 immediately attempt to reestablish the connection.
1828 In the case that the previous connection is still 1829 active (i.e., the NETCONF client has not closed 1830 it yet), establishing a new connection is NOT 1831 RECOMMENDED."; 1832 leaf period { 1833 type uint16; 1834 units "minutes"; 1835 default "60"; 1836 description 1837 "Duration of time between periodic connections."; 1838 } 1839 leaf anchor-time { 1840 type yang:date-and-time { 1841 // constrained to minute-level granularity 1842 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}' 1843 + '(Z|[\+\-]\d{2}:\d{2})'; 1844 } 1845 description 1846 "Designates a timestamp before or after which a 1847 series of periodic connections are determined. 1848 The periodic connections occur at a whole 1849 multiple interval from the anchor time. For 1850 example, for an anchor time of 15 minutes past 1851 midnight and a period interval of 24 hours, 1852 a periodic connection will occur 15 minutes past 1853 midnight every day."; 1854 } 1855 leaf idle-timeout { 1856 type uint16; 1857 units "seconds"; 1858 default 120; // two minutes 1859 description 1860 "Specifies the maximum number of seconds that 1861 a NETCONF session may remain idle. A NETCONF 1862 session will be dropped if it is idle for an 1863 interval longer than this number of seconds. 1864 If set to zero, then the server will never 1865 drop a session because it is idle."; 1866 } 1867 } 1868 } // case periodic-connection 1869 } // choice connection-type 1870 } // container connection-type 1871 container reconnect-strategy { 1872 description 1873 "The reconnection strategy directs how a NETCONF server 1874 reconnects to a NETCONF client, after discovering its 1875 connection to the client has dropped, even if due to a 1876 reboot.
The NETCONF server starts with the specified 1877 endpoint and tries to connect to it max-attempts times 1878 before trying the next endpoint in the list (round 1879 robin)."; 1880 leaf start-with { 1881 type enumeration { 1882 enum first-listed { 1883 description 1884 "Indicates that reconnections should start with 1885 the first endpoint listed."; 1886 } 1887 enum last-connected { 1888 description 1889 "Indicates that reconnections should start with 1890 the endpoint last connected to. If no previous 1891 connection has ever been established, then the 1892 first endpoint configured is used. NETCONF 1893 servers SHOULD be able to remember the last 1894 endpoint connected to across reboots."; 1895 } 1896 enum random-selection { 1897 description 1898 "Indicates that reconnections should start with 1899 a random endpoint."; 1900 } 1901 } 1902 default "first-listed"; 1903 description 1904 "Specifies which of the NETCONF client's endpoints 1905 the NETCONF server should start with when trying 1906 to connect to the NETCONF client."; 1907 } 1908 leaf max-attempts { 1909 type uint8 { 1910 range "1..max"; 1911 } 1912 default "3"; 1913 description 1914 "Specifies the number of times the NETCONF server tries 1915 to connect to a specific endpoint before moving on 1916 to the next endpoint in the list (round robin)."; 1917 } 1918 } // container reconnect-strategy 1919 } // list netconf-client 1920 } // container call-home 1921 } // grouping netconf-server-app-grouping 1922 // Protocol accessible node, for servers that implement this 1923 // module. 1925 container netconf-server { 1926 uses netconf-server-app-grouping; 1927 description 1928 "Top-level container for NETCONF server configuration."; 1929 } 1930 } 1932 <CODE ENDS> 1934 5. Security Considerations 1936 The YANG module defined in this document uses groupings defined in 1937 [I-D.kwatsen-netconf-tcp-client-server], 1938 [I-D.ietf-netconf-ssh-client-server], and 1939 [I-D.ietf-netconf-tls-client-server].
Please see the Security 1940 Considerations section in those documents for concerns related to those 1941 groupings. 1943 The YANG modules defined in this document are designed to be accessed 1944 via YANG based management protocols, such as NETCONF [RFC6241] and 1945 RESTCONF [RFC8040]. Both of these protocols have mandatory-to- 1946 implement secure transport layers (e.g., SSH, TLS) with mutual 1947 authentication. 1949 The NETCONF access control model (NACM) [RFC8341] provides the means 1950 to restrict access for particular users to a pre-configured subset of 1951 all available protocol operations and content. 1953 There are a number of data nodes defined in the YANG modules that are 1954 writable/creatable/deletable (i.e., config true, which is the 1955 default). Some of these data nodes may be considered sensitive or 1956 vulnerable in some network environments. Write operations (e.g., 1957 edit-config) to these data nodes without proper protection can have a 1958 negative effect on network operations. These are the subtrees and 1959 data nodes and their sensitivity/vulnerability: 1961 None of the subtrees or data nodes in the modules defined in this 1962 document need to be protected from write operations. 1964 Some of the readable data nodes in the YANG modules may be considered 1965 sensitive or vulnerable in some network environments. It is thus 1966 important to control read access (e.g., via get, get-config, or 1967 notification) to these data nodes. These are the subtrees and data 1968 nodes and their sensitivity/vulnerability: 1970 None of the subtrees or data nodes in the modules defined in this 1971 document need to be protected from read operations. 1973 Some of the RPC operations in the YANG modules may be considered 1974 sensitive or vulnerable in some network environments. It is thus 1975 important to control access to these operations.
These are the 1976 operations and their sensitivity/vulnerability: 1978 The modules defined in this document do not define any 'RPC' or 1979 'action' statements. 1981 6. IANA Considerations 1983 6.1. The IETF XML Registry 1985 This document registers two URIs in the "ns" subregistry of the IETF 1986 XML Registry [RFC3688]. Following the format in [RFC3688], the 1987 following registrations are requested: 1989 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client 1990 Registrant Contact: The NETCONF WG of the IETF. 1991 XML: N/A, the requested URI is an XML namespace. 1993 URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server 1994 Registrant Contact: The NETCONF WG of the IETF. 1995 XML: N/A, the requested URI is an XML namespace. 1997 6.2. The YANG Module Names Registry 1999 This document registers two YANG modules in the YANG Module Names 2000 registry [RFC6020]. Following the format in [RFC6020], the 2001 following registrations are requested: 2003 name: ietf-netconf-client 2004 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client 2005 prefix: ncc 2006 reference: RFC XXXX 2008 name: ietf-netconf-server 2009 namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server 2010 prefix: ncs 2011 reference: RFC XXXX 2013 7. References 2014 7.1. Normative References 2016 [I-D.ietf-netconf-keystore] 2017 Watsen, K., "A YANG Data Model for a Keystore", draft- 2018 ietf-netconf-keystore-14 (work in progress), November 2019 2019. 2021 [I-D.ietf-netconf-ssh-client-server] 2022 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH 2023 Clients and SSH Servers", draft-ietf-netconf-ssh-client- 2024 server-16 (work in progress), November 2019. 2026 [I-D.ietf-netconf-tls-client-server] 2027 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS 2028 Clients and TLS Servers", draft-ietf-netconf-tls-client- 2029 server-16 (work in progress), November 2019. 2031 [I-D.kwatsen-netconf-tcp-client-server] 2032 Watsen, K. and M.
Scharf, "YANG Groupings for TCP Clients 2033 and TCP Servers", draft-kwatsen-netconf-tcp-client- 2034 server-02 (work in progress), April 2019. 2036 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2037 Requirement Levels", BCP 14, RFC 2119, 2038 DOI 10.17487/RFC2119, March 1997, 2039 . 2041 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2042 the Network Configuration Protocol (NETCONF)", RFC 6020, 2043 DOI 10.17487/RFC6020, October 2010, 2044 . 2046 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2047 and A. Bierman, Ed., "Network Configuration Protocol 2048 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2049 . 2051 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2052 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2053 . 2055 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 2056 RFC 6991, DOI 10.17487/RFC6991, July 2013, 2057 . 2059 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for 2060 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, 2061 December 2014, . 2063 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the 2064 NETCONF Protocol over Transport Layer Security (TLS) with 2065 Mutual X.509 Authentication", RFC 7589, 2066 DOI 10.17487/RFC7589, June 2015, 2067 . 2069 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2070 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2071 . 2073 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2074 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2075 May 2017, . 2077 7.2. Informative References 2079 [I-D.ietf-netconf-trust-anchors] 2080 Watsen, K. and H. Birkholz, "A YANG Data Model for a 2081 Truststore", draft-ietf-netconf-trust-anchors-07 (work in 2082 progress), November 2019. 2084 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2085 DOI 10.17487/RFC3688, January 2004, 2086 . 2088 [RFC8040] Bierman, A., Bjorklund, M., and K. 
Watsen, "RESTCONF 2089 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2090 . 2092 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 2093 RFC 8071, DOI 10.17487/RFC8071, February 2017, 2094 . 2096 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2097 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2098 . 2100 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 2101 Access Control Model", STD 91, RFC 8341, 2102 DOI 10.17487/RFC8341, March 2018, 2103 . 2105 Appendix A. Expanded Tree Diagrams 2107 A.1. Expanded Tree Diagram for 'ietf-netconf-client' 2109 The following tree diagram [RFC8340] provides an overview of the data 2110 model for the "ietf-netconf-client" module. 2112 This tree diagram shows all the nodes defined in this module, 2113 including those defined by "grouping" statements used by this module. 2115 Please see Section 3.1 for a tree diagram that illustrates what the 2116 module looks like without all the "grouping" statements expanded. 2118 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ========== 2120 module: ietf-netconf-client 2121 +--rw netconf-client 2122 +--rw initiate! {ssh-initiate or tls-initiate}? 2123 | +--rw netconf-server* [name] 2124 | +--rw name string 2125 | +--rw endpoints 2126 | | +--rw endpoint* [name] 2127 | | +--rw name string 2128 | | +--rw (transport) 2129 | | +--:(ssh) {ssh-initiate}? 2130 | | | +--rw ssh 2131 | | | +--rw tcp-client-parameters 2132 | | | | +--rw remote-address inet:host 2133 | | | | +--rw remote-port? inet:port-number 2134 | | | | +--rw local-address? inet:ip-address 2135 | | | | | {local-binding-supported}? 2136 | | | | +--rw local-port? inet:port-number 2137 | | | | | {local-binding-supported}? 2138 | | | | +--rw keepalives! 2139 | | | | {keepalives-supported}? 
2140 | | | | +--rw idle-time uint16 2141 | | | | +--rw max-probes uint16 2142 | | | | +--rw probe-interval uint16 2143 | | | +--rw ssh-client-parameters 2144 | | | | +--rw client-identity 2145 | | | | | +--rw username? string 2146 | | | | | +--rw (auth-type) 2147 | | | | | +--:(password) 2148 | | | | | | +--rw password? string 2149 | | | | | +--:(public-key) 2150 | | | | | | +--rw public-key 2151 | | | | | | +--rw (local-or-keystore) 2152 | | | | | | +--:(local) 2153 | | | | | | | {local-definiti\ 2154 \ons-supported}? 2155 | | | | | | | +--rw local-definition 2156 | | | | | | | +--rw algorithm 2157 | | | | | | | | iasa:asymm\ 2158 \etric-algorithm-type 2159 | | | | | | | +--rw public-key-f\ 2160 \ormat? 2161 | | | | | | | | identityref 2162 | | | | | | | +--rw public-key 2163 | | | | | | | | binary 2164 | | | | | | | +--rw private-key-\ 2165 \format? 2166 | | | | | | | | identityref 2167 | | | | | | | +--rw (private-key\ 2168 \-type) 2169 | | | | | | | +--:(private-ke\ 2170 \y) 2171 | | | | | | | | +--rw privat\ 2172 \e-key? 2173 | | | | | | | | bina\ 2174 \ry 2175 | | | | | | | +--:(hidden-pri\ 2176 \vate-key) 2177 | | | | | | | | +--rw hidden\ 2178 \-private-key? 2179 | | | | | | | | empty 2180 | | | | | | | +--:(encrypted-\ 2181 \private-key) 2182 | | | | | | | +--rw encryp\ 2183 \ted-private-key 2184 | | | | | | | +--rw (ke\ 2185 \y-type) 2186 | | | | | | | | +--:(s\ 2187 \ymmetric-key-ref) 2188 | | | | | | | | | +--\ 2189 \rw symmetric-key-ref? leafref 2190 | | | | | | | | | \ 2191 \ {keystore-supported}? 2192 | | | | | | | | +--:(a\ 2193 \symmetric-key-ref) 2194 | | | | | | | | +--\ 2195 \rw asymmetric-key-ref? leafref 2196 | | | | | | | | \ 2197 \ {keystore-supported}? 2198 | | | | | | | +--rw val\ 2199 \ue? 2200 | | | | | | | b\ 2202 \inary 2203 | | | | | | +--:(keystore) 2204 | | | | | | {keystore-suppo\ 2205 \rted}? 2206 | | | | | | +--rw keystore-refere\ 2207 \nce? 
2208 | | | | | | ks:asymmetric\ 2209 \-key-ref 2210 | | | | | +--:(certificate) 2211 | | | | | +--rw certificate 2212 | | | | | {sshcmn:ssh-x509-certs\ 2213 \}? 2214 | | | | | +--rw (local-or-keystore) 2215 | | | | | +--:(local) 2216 | | | | | | {local-definiti\ 2217 \ons-supported}? 2218 | | | | | | +--rw local-definition 2219 | | | | | | +--rw algorithm 2220 | | | | | | | iasa:asymm\ 2221 \etric-algorithm-type 2222 | | | | | | +--rw public-key-f\ 2223 \ormat? 2224 | | | | | | | identityref 2225 | | | | | | +--rw public-key 2226 | | | | | | | binary 2227 | | | | | | +--rw private-key-\ 2228 \format? 2229 | | | | | | | identityref 2230 | | | | | | +--rw (private-key\ 2231 \-type) 2232 | | | | | | | +--:(private-ke\ 2233 \y) 2234 | | | | | | | | +--rw privat\ 2235 \e-key? 2236 | | | | | | | | bina\ 2237 \ry 2238 | | | | | | | +--:(hidden-pri\ 2239 \vate-key) 2240 | | | | | | | | +--rw hidden\ 2241 \-private-key? 2242 | | | | | | | | empty 2243 | | | | | | | +--:(encrypted-\ 2244 \private-key) 2245 | | | | | | | +--rw encryp\ 2246 \ted-private-key 2247 | | | | | | | +--rw (ke\ 2248 \y-type) 2249 | | | | | | | | +--:(s\ 2251 \ymmetric-key-ref) 2252 | | | | | | | | | +--\ 2253 \rw symmetric-key-ref? leafref 2254 | | | | | | | | | \ 2255 \ {keystore-supported}? 2256 | | | | | | | | +--:(a\ 2257 \symmetric-key-ref) 2258 | | | | | | | | +--\ 2259 \rw asymmetric-key-ref? leafref 2260 | | | | | | | | \ 2261 \ {keystore-supported}? 2262 | | | | | | | +--rw val\ 2263 \ue? 2264 | | | | | | | b\ 2265 \inary 2266 | | | | | | +--rw cert? 2267 | | | | | | | end-entity\ 2268 \-cert-cms 2269 | | | | | | +---n certificate-\ 2270 \expiration 2271 | | | | | | | +-- expiration-\ 2272 \date 2273 | | | | | | | yang:da\ 2274 \te-and-time 2275 | | | | | | +---x generate-cer\ 2276 \tificate-signing-request 2277 | | | | | | +---w input 2278 | | | | | | | +---w subject 2279 | | | | | | | | bina\ 2280 \ry 2281 | | | | | | | +---w attrib\ 2282 \utes? 
2283 | | | | | | | bina\ 2284 \ry 2285 | | | | | | +--ro output 2286 | | | | | | +--ro certif\ 2287 \icate-signing-request 2288 | | | | | | bina\ 2289 \ry 2290 | | | | | +--:(keystore) 2291 | | | | | {keystore-suppo\ 2292 \rted}? 2293 | | | | | +--rw keystore-refere\ 2294 \nce 2295 | | | | | +--rw asymmetric-k\ 2296 \ey? 2297 | | | | | | ks:asymmet\ 2298 \ric-key-ref 2299 | | | | | +--rw certificate?\ 2300 \ leafref 2301 | | | | +--rw server-authentication 2302 | | | | | +--rw ssh-host-keys! 2303 | | | | | | +--rw (local-or-truststore) 2304 | | | | | | +--:(local) 2305 | | | | | | | {local-definitions-su\ 2306 \pported}? 2307 | | | | | | | +--rw local-definition 2308 | | | | | | | +--rw host-key* 2309 | | | | | | | ct:ssh-host-key 2310 | | | | | | +--:(truststore) 2311 | | | | | | {truststore-supported\ 2312 \,ssh-host-keys}? 2313 | | | | | | +--rw truststore-reference? 2314 | | | | | | ts:host-keys-ref 2315 | | | | | +--rw ca-certs! 2316 | | | | | | {sshcmn:ssh-x509-certs}? 2317 | | | | | | +--rw (local-or-truststore) 2318 | | | | | | +--:(local) 2319 | | | | | | | {local-definitions-su\ 2320 \pported}? 2321 | | | | | | | +--rw local-definition 2322 | | | | | | | +--rw cert* 2323 | | | | | | | | trust-anchor-cer\ 2324 \t-cms 2325 | | | | | | | +---n certificate-expira\ 2326 \tion 2327 | | | | | | | +-- expiration-date 2328 | | | | | | | yang:date-and\ 2329 \-time 2330 | | | | | | +--:(truststore) 2331 | | | | | | {truststore-supported\ 2332 \,x509-certificates}? 2333 | | | | | | +--rw truststore-reference? 2334 | | | | | | ts:certificates-ref 2335 | | | | | +--rw server-certs! 2336 | | | | | {sshcmn:ssh-x509-certs}? 2337 | | | | | +--rw (local-or-truststore) 2338 | | | | | +--:(local) 2339 | | | | | | {local-definitions-su\ 2340 \pported}? 
2341 | | | | | | +--rw local-definition 2342 | | | | | | +--rw cert* 2343 | | | | | | | trust-anchor-cer\ 2344 \t-cms 2345 | | | | | | +---n certificate-expira\ 2346 \tion 2347 | | | | | | +-- expiration-date 2348 | | | | | | yang:date-and\ 2349 \-time 2350 | | | | | +--:(truststore) 2351 | | | | | {truststore-supported\ 2352 \,x509-certificates}? 2353 | | | | | +--rw truststore-reference? 2354 | | | | | ts:certificates-ref 2355 | | | | +--rw transport-params 2356 | | | | | {ssh-client-transport-params-co\ 2357 \nfig}? 2358 | | | | | +--rw host-key 2359 | | | | | | +--rw host-key-alg* identityref 2360 | | | | | +--rw key-exchange 2361 | | | | | | +--rw key-exchange-alg* 2362 | | | | | | identityref 2363 | | | | | +--rw encryption 2364 | | | | | | +--rw encryption-alg* 2365 | | | | | | identityref 2366 | | | | | +--rw mac 2367 | | | | | +--rw mac-alg* identityref 2368 | | | | +--rw keepalives! 2369 | | | | {ssh-client-keepalives}? 2370 | | | | +--rw max-wait? uint16 2371 | | | | +--rw max-attempts? uint8 2372 | | | +--rw netconf-client-parameters 2373 | | +--:(tls) {tls-initiate}? 2374 | | +--rw tls 2375 | | +--rw tcp-client-parameters 2376 | | | +--rw remote-address inet:host 2377 | | | +--rw remote-port? inet:port-number 2378 | | | +--rw local-address? inet:ip-address 2379 | | | | {local-binding-supported}? 2380 | | | +--rw local-port? inet:port-number 2381 | | | | {local-binding-supported}? 2382 | | | +--rw keepalives! 2383 | | | {keepalives-supported}? 2384 | | | +--rw idle-time uint16 2385 | | | +--rw max-probes uint16 2386 | | | +--rw probe-interval uint16 2387 | | +--rw tls-client-parameters 2388 | | | +--rw client-identity 2389 | | | | +--rw (auth-type) 2390 | | | | +--:(certificate) 2391 | | | | | +--rw certificate 2392 | | | | | {x509-certificate-auth\ 2393 \}? 2394 | | | | | +--rw (local-or-keystore) 2395 | | | | | +--:(local) 2396 | | | | | | {local-definiti\ 2397 \ons-supported}? 
2398 | | | | | | +--rw local-definition 2399 | | | | | | +--rw algorithm 2400 | | | | | | | iasa:asymm\ 2401 \etric-algorithm-type 2402 | | | | | | +--rw public-key-f\ 2403 \ormat? 2404 | | | | | | | identityref 2405 | | | | | | +--rw public-key 2406 | | | | | | | binary 2407 | | | | | | +--rw private-key-\ 2408 \format? 2409 | | | | | | | identityref 2410 | | | | | | +--rw (private-key\ 2411 \-type) 2412 | | | | | | | +--:(private-ke\ 2413 \y) 2414 | | | | | | | | +--rw privat\ 2415 \e-key? 2416 | | | | | | | | bina\ 2417 \ry 2418 | | | | | | | +--:(hidden-pri\ 2419 \vate-key) 2420 | | | | | | | | +--rw hidden\ 2421 \-private-key? 2422 | | | | | | | | empty 2423 | | | | | | | +--:(encrypted-\ 2424 \private-key) 2425 | | | | | | | +--rw encryp\ 2426 \ted-private-key 2427 | | | | | | | +--rw (ke\ 2428 \y-type) 2429 | | | | | | | | +--:(s\ 2430 \ymmetric-key-ref) 2431 | | | | | | | | | +--\ 2432 \rw symmetric-key-ref? leafref 2433 | | | | | | | | | \ 2434 \ {keystore-supported}? 2435 | | | | | | | | +--:(a\ 2436 \symmetric-key-ref) 2437 | | | | | | | | +--\ 2438 \rw asymmetric-key-ref? leafref 2439 | | | | | | | | \ 2440 \ {keystore-supported}? 2441 | | | | | | | +--rw val\ 2442 \ue? 2443 | | | | | | | b\ 2444 \inary 2445 | | | | | | +--rw cert? 2446 | | | | | | | end-entity\ 2447 \-cert-cms 2448 | | | | | | +---n certificate-\ 2449 \expiration 2450 | | | | | | | +-- expiration-\ 2451 \date 2452 | | | | | | | yang:da\ 2453 \te-and-time 2454 | | | | | | +---x generate-cer\ 2455 \tificate-signing-request 2456 | | | | | | +---w input 2457 | | | | | | | +---w subject 2458 | | | | | | | | bina\ 2459 \ry 2460 | | | | | | | +---w attrib\ 2461 \utes? 2462 | | | | | | | bina\ 2463 \ry 2464 | | | | | | +--ro output 2465 | | | | | | +--ro certif\ 2466 \icate-signing-request 2467 | | | | | | bina\ 2468 \ry 2469 | | | | | +--:(keystore) 2470 | | | | | {keystore-suppo\ 2471 \rted}? 2472 | | | | | +--rw keystore-refere\ 2473 \nce 2474 | | | | | +--rw asymmetric-k\ 2475 \ey? 
2476 | | | | | | ks:asymmet\ 2477 \ric-key-ref 2478 | | | | | +--rw certificate?\ 2479 \ leafref 2480 | | | | +--:(raw-public-key) 2481 | | | | | +--rw raw-public-key 2482 | | | | | {raw-public-key-auth}? 2483 | | | | | +--rw (local-or-keystore) 2484 | | | | | +--:(local) 2485 | | | | | | {local-definiti\ 2486 \ons-supported}? 2487 | | | | | | +--rw local-definition 2488 | | | | | | +--rw algorithm 2489 | | | | | | | iasa:asymm\ 2490 \etric-algorithm-type 2491 | | | | | | +--rw public-key-f\ 2492 \ormat? 2493 | | | | | | | identityref 2494 | | | | | | +--rw public-key 2495 | | | | | | | binary 2496 | | | | | | +--rw private-key-\ 2497 \format? 2498 | | | | | | | identityref 2499 | | | | | | +--rw (private-key\ 2500 \-type) 2501 | | | | | | +--:(private-ke\ 2502 \y) 2503 | | | | | | | +--rw privat\ 2504 \e-key? 2505 | | | | | | | bina\ 2506 \ry 2507 | | | | | | +--:(hidden-pri\ 2508 \vate-key) 2509 | | | | | | | +--rw hidden\ 2510 \-private-key? 2511 | | | | | | | empty 2512 | | | | | | +--:(encrypted-\ 2513 \private-key) 2514 | | | | | | +--rw encryp\ 2515 \ted-private-key 2516 | | | | | | +--rw (ke\ 2517 \y-type) 2518 | | | | | | | +--:(s\ 2519 \ymmetric-key-ref) 2520 | | | | | | | | +--\ 2521 \rw symmetric-key-ref? leafref 2522 | | | | | | | | \ 2523 \ {keystore-supported}? 2524 | | | | | | | +--:(a\ 2525 \symmetric-key-ref) 2526 | | | | | | | +--\ 2527 \rw asymmetric-key-ref? leafref 2528 | | | | | | | \ 2529 \ {keystore-supported}? 2530 | | | | | | +--rw val\ 2531 \ue? 2532 | | | | | | b\ 2533 \inary 2534 | | | | | +--:(keystore) 2535 | | | | | {keystore-suppo\ 2536 \rted}? 2537 | | | | | +--rw keystore-refere\ 2538 \nce? 2539 | | | | | ks:asymmetric\ 2540 \-key-ref 2541 | | | | +--:(psk) 2542 | | | | +--rw psk {psk-auth}? 2543 | | | | +--rw (local-or-keystore) 2544 | | | | +--:(local) 2545 | | | | | {local-definiti\ 2546 \ons-supported}? 
2547 | | | | | +--rw local-definition 2548 | | | | | +--rw algorithm 2549 | | | | | | isa:symmet\ 2550 \ric-algorithm-type 2551 | | | | | +--rw key-format? 2552 | | | | | | identityref 2553 | | | | | +--rw (key-type) 2554 | | | | | +--:(key) 2555 | | | | | | +--rw key? 2556 | | | | | | bina\ 2557 \ry 2558 | | | | | +--:(hidden-key) 2559 | | | | | | +--rw hidden\ 2560 \-key? 2561 | | | | | | empty 2562 | | | | | +--:(encrypted-\ 2563 \key) 2564 | | | | | +--rw encryp\ 2565 \ted-key 2566 | | | | | +--rw (ke\ 2567 \y-type) 2568 | | | | | | +--:(s\ 2569 \ymmetric-key-ref) 2570 | | | | | | | +--\ 2571 \rw symmetric-key-ref? leafref 2572 | | | | | | | \ 2573 \ {keystore-supported}? 2574 | | | | | | +--:(a\ 2575 \symmetric-key-ref) 2576 | | | | | | +--\ 2577 \rw asymmetric-key-ref? leafref 2578 | | | | | | \ 2579 \ {keystore-supported}? 2580 | | | | | +--rw val\ 2581 \ue? 2582 | | | | | b\ 2583 \inary 2584 | | | | +--:(keystore) 2585 | | | | {keystore-suppo\ 2586 \rted}? 2587 | | | | +--rw keystore-refere\ 2588 \nce? 2589 | | | | ks:symmetric-\ 2590 \key-ref 2591 | | | +--rw server-authentication 2592 | | | | +--rw ca-certs! 2593 | | | | | {x509-certificate-auth}? 2594 | | | | | +--rw (local-or-truststore) 2595 | | | | | +--:(local) 2596 | | | | | | {local-definitions-su\ 2597 \pported}? 2598 | | | | | | +--rw local-definition 2599 | | | | | | +--rw cert* 2600 | | | | | | | trust-anchor-cer\ 2601 \t-cms 2602 | | | | | | +---n certificate-expira\ 2603 \tion 2604 | | | | | | +-- expiration-date 2605 | | | | | | yang:date-and\ 2606 \-time 2607 | | | | | +--:(truststore) 2608 | | | | | {truststore-supported\ 2609 \,x509-certificates}? 2610 | | | | | +--rw truststore-reference? 2611 | | | | | ts:certificates-ref 2612 | | | | +--rw server-certs! 2613 | | | | | {x509-certificate-auth}? 2614 | | | | | +--rw (local-or-truststore) 2615 | | | | | +--:(local) 2616 | | | | | | {local-definitions-su\ 2617 \pported}? 
2618 | | | | | | +--rw local-definition 2619 | | | | | | +--rw cert* 2620 | | | | | | | trust-anchor-cer\ 2621 \t-cms 2622 | | | | | | +---n certificate-expira\ 2623 \tion 2624 | | | | | | +-- expiration-date 2625 | | | | | | yang:date-and\ 2626 \-time 2627 | | | | | +--:(truststore) 2628 | | | | | {truststore-supported\ 2629 \,x509-certificates}? 2630 | | | | | +--rw truststore-reference? 2631 | | | | | ts:certificates-ref 2632 | | | | +--rw raw-public-keys! 2633 | | | | | {raw-public-key-auth}? 2634 | | | | | +--rw (local-or-truststore) 2635 | | | | | +--:(local) 2636 | | | | | | {local-definitions-su\ 2637 \pported}? 2638 | | | | | | +--rw local-definition 2639 | | | | | | +--rw raw-public-key* 2640 | | | | | | [name] 2641 | | | | | | +--rw name 2642 | | | | | | | string 2643 | | | | | | +--rw algorithm 2644 | | | | | | | iasa:asymmetr\ 2645 \ic-algorithm-type 2646 | | | | | | +--rw public-key-form\ 2647 \at? 2648 | | | | | | | identityref 2649 | | | | | | +--rw public-key 2650 | | | | | | binary 2651 | | | | | +--:(truststore) 2652 | | | | | {truststore-supported\ 2653 \,raw-public-keys}? 2654 | | | | | +--rw truststore-reference? 2655 | | | | | ts:raw-public-keys-\ 2656 \ref 2657 | | | | +--rw psks! {psk-auth}? 2658 | | | +--rw hello-params 2659 | | | | {tls-client-hello-params-config\ 2660 \}? 2661 | | | | +--rw tls-versions 2662 | | | | | +--rw tls-version* identityref 2663 | | | | +--rw cipher-suites 2664 | | | | +--rw cipher-suite* identityref 2665 | | | +--rw keepalives! 2666 | | | {tls-client-keepalives}? 2667 | | | +--rw max-wait? uint16 2668 | | | +--rw max-attempts? uint8 2669 | | +--rw netconf-client-parameters 2670 | +--rw connection-type 2671 | | +--rw (connection-type) 2672 | | +--:(persistent-connection) 2673 | | | +--rw persistent! 2674 | | +--:(periodic-connection) 2675 | | +--rw periodic! 2676 | | +--rw period? uint16 2677 | | +--rw anchor-time? yang:date-and-time 2678 | | +--rw idle-timeout? 
uint16 2679 | +--rw reconnect-strategy 2680 | +--rw start-with? enumeration 2681 | +--rw max-attempts? uint8 2682 +--rw listen! {ssh-listen or tls-listen}? 2683 +--rw idle-timeout? uint16 2684 +--rw endpoint* [name] 2685 +--rw name string 2686 +--rw (transport) 2687 +--:(ssh) {ssh-listen}? 2688 | +--rw ssh 2689 | +--rw tcp-server-parameters 2690 | | +--rw local-address inet:ip-address 2691 | | +--rw local-port? inet:port-number 2692 | | +--rw keepalives! {keepalives-supported}? 2693 | | +--rw idle-time uint16 2694 | | +--rw max-probes uint16 2695 | | +--rw probe-interval uint16 2696 | +--rw ssh-client-parameters 2697 | | +--rw client-identity 2698 | | | +--rw username? string 2699 | | | +--rw (auth-type) 2700 | | | +--:(password) 2701 | | | | +--rw password? string 2702 | | | +--:(public-key) 2703 | | | | +--rw public-key 2704 | | | | +--rw (local-or-keystore) 2705 | | | | +--:(local) 2706 | | | | | {local-definitions-su\ 2707 \pported}? 2708 | | | | | +--rw local-definition 2709 | | | | | +--rw algorithm 2710 | | | | | | iasa:asymmetric-\ 2711 \algorithm-type 2712 | | | | | +--rw public-key-format? 2713 | | | | | | identityref 2714 | | | | | +--rw public-key 2715 | | | | | | binary 2716 | | | | | +--rw private-key-format? 2717 | | | | | | identityref 2718 | | | | | +--rw (private-key-type) 2719 | | | | | +--:(private-key) 2720 | | | | | | +--rw private-key? 2721 | | | | | | binary 2722 | | | | | +--:(hidden-private-k\ 2723 \ey) 2724 | | | | | | +--rw hidden-priva\ 2725 \te-key? 2726 | | | | | | empty 2727 | | | | | +--:(encrypted-privat\ 2728 \e-key) 2729 | | | | | +--rw encrypted-pr\ 2730 \ivate-key 2731 | | | | | +--rw (key-type) 2732 | | | | | | +--:(symmetr\ 2733 \ic-key-ref) 2734 | | | | | | | +--rw sym\ 2735 \metric-key-ref? leafref 2736 | | | | | | | {\ 2737 \keystore-supported}? 2738 | | | | | | +--:(asymmet\ 2739 \ric-key-ref) 2740 | | | | | | +--rw asy\ 2741 \mmetric-key-ref? leafref 2742 | | | | | | {\ 2743 \keystore-supported}? 
2744 | | | | | +--rw value? 2745 | | | | | binary 2746 | | | | +--:(keystore) 2747 | | | | {keystore-supported}? 2748 | | | | +--rw keystore-reference? 2749 | | | | ks:asymmetric-key-r\ 2750 \ef 2751 | | | +--:(certificate) 2752 | | | +--rw certificate 2753 | | | {sshcmn:ssh-x509-certs}? 2754 | | | +--rw (local-or-keystore) 2755 | | | +--:(local) 2756 | | | | {local-definitions-su\ 2757 \pported}? 2758 | | | | +--rw local-definition 2759 | | | | +--rw algorithm 2760 | | | | | iasa:asymmetric-\ 2761 \algorithm-type 2762 | | | | +--rw public-key-format? 2763 | | | | | identityref 2764 | | | | +--rw public-key 2765 | | | | | binary 2766 | | | | +--rw private-key-format? 2767 | | | | | identityref 2768 | | | | +--rw (private-key-type) 2769 | | | | | +--:(private-key) 2770 | | | | | | +--rw private-key? 2771 | | | | | | binary 2772 | | | | | +--:(hidden-private-k\ 2773 \ey) 2774 | | | | | | +--rw hidden-priva\ 2775 \te-key? 2776 | | | | | | empty 2777 | | | | | +--:(encrypted-privat\ 2778 \e-key) 2779 | | | | | +--rw encrypted-pr\ 2780 \ivate-key 2781 | | | | | +--rw (key-type) 2782 | | | | | | +--:(symmetr\ 2783 \ic-key-ref) 2784 | | | | | | | +--rw sym\ 2785 \metric-key-ref? leafref 2786 | | | | | | | {\ 2787 \keystore-supported}? 2788 | | | | | | +--:(asymmet\ 2789 \ric-key-ref) 2790 | | | | | | +--rw asy\ 2791 \mmetric-key-ref? leafref 2792 | | | | | | {\ 2793 \keystore-supported}? 2794 | | | | | +--rw value? 2795 | | | | | binary 2796 | | | | +--rw cert? 2797 | | | | | end-entity-cert-\ 2798 \cms 2799 | | | | +---n certificate-expira\ 2800 \tion 2801 | | | | | +-- expiration-date 2802 | | | | | yang:date-and\ 2803 \-time 2804 | | | | +---x generate-certifica\ 2805 \te-signing-request 2806 | | | | +---w input 2807 | | | | | +---w subject 2808 | | | | | | binary 2809 | | | | | +---w attributes? 
2810 | | | | | binary 2811 | | | | +--ro output 2812 | | | | +--ro certificate-\ 2813 \signing-request 2814 | | | | binary 2815 | | | +--:(keystore) 2816 | | | {keystore-supported}? 2817 | | | +--rw keystore-reference 2818 | | | +--rw asymmetric-key? 2819 | | | | ks:asymmetric-ke\ 2820 \y-ref 2821 | | | +--rw certificate? \ 2822 \leafref 2823 | | +--rw server-authentication 2824 | | | +--rw ssh-host-keys! 2825 | | | | +--rw (local-or-truststore) 2826 | | | | +--:(local) 2827 | | | | | {local-definitions-supporte\ 2828 \d}? 2829 | | | | | +--rw local-definition 2830 | | | | | +--rw host-key* 2831 | | | | | ct:ssh-host-key 2832 | | | | +--:(truststore) 2833 | | | | {truststore-supported,ssh-h\ 2834 \ost-keys}? 2835 | | | | +--rw truststore-reference? 2836 | | | | ts:host-keys-ref 2837 | | | +--rw ca-certs! {sshcmn:ssh-x509-certs}? 2838 | | | | +--rw (local-or-truststore) 2839 | | | | +--:(local) 2840 | | | | | {local-definitions-supporte\ 2841 \d}? 2842 | | | | | +--rw local-definition 2843 | | | | | +--rw cert* 2844 | | | | | | trust-anchor-cert-cms 2845 | | | | | +---n certificate-expiration 2846 | | | | | +-- expiration-date 2847 | | | | | yang:date-and-time 2848 | | | | +--:(truststore) 2849 | | | | {truststore-supported,x509-\ 2850 \certificates}? 2851 | | | | +--rw truststore-reference? 2852 | | | | ts:certificates-ref 2853 | | | +--rw server-certs! 2854 | | | {sshcmn:ssh-x509-certs}? 2855 | | | +--rw (local-or-truststore) 2856 | | | +--:(local) 2857 | | | | {local-definitions-supporte\ 2858 \d}? 2859 | | | | +--rw local-definition 2860 | | | | +--rw cert* 2861 | | | | | trust-anchor-cert-cms 2862 | | | | +---n certificate-expiration 2863 | | | | +-- expiration-date 2864 | | | | yang:date-and-time 2865 | | | +--:(truststore) 2866 | | | {truststore-supported,x509-\ 2867 \certificates}? 2868 | | | +--rw truststore-reference? 2869 | | | ts:certificates-ref 2870 | | +--rw transport-params 2871 | | | {ssh-client-transport-params-config}? 
2872 | | | +--rw host-key 2873 | | | | +--rw host-key-alg* identityref 2874 | | | +--rw key-exchange 2875 | | | | +--rw key-exchange-alg* identityref 2876 | | | +--rw encryption 2877 | | | | +--rw encryption-alg* identityref 2878 | | | +--rw mac 2879 | | | +--rw mac-alg* identityref 2880 | | +--rw keepalives! {ssh-client-keepalives}? 2881 | | +--rw max-wait? uint16 2882 | | +--rw max-attempts? uint8 2883 | +--rw netconf-client-parameters 2884 +--:(tls) {tls-listen}? 2885 +--rw tls 2886 +--rw tcp-server-parameters 2887 | +--rw local-address inet:ip-address 2888 | +--rw local-port? inet:port-number 2889 | +--rw keepalives! {keepalives-supported}? 2890 | +--rw idle-time uint16 2891 | +--rw max-probes uint16 2892 | +--rw probe-interval uint16 2893 +--rw tls-client-parameters 2894 | +--rw client-identity 2895 | | +--rw (auth-type) 2896 | | +--:(certificate) 2897 | | | +--rw certificate 2898 | | | {x509-certificate-auth}? 2899 | | | +--rw (local-or-keystore) 2900 | | | +--:(local) 2901 | | | | {local-definitions-su\ 2902 \pported}? 2903 | | | | +--rw local-definition 2904 | | | | +--rw algorithm 2905 | | | | | iasa:asymmetric-\ 2906 \algorithm-type 2907 | | | | +--rw public-key-format? 2908 | | | | | identityref 2909 | | | | +--rw public-key 2910 | | | | | binary 2911 | | | | +--rw private-key-format? 2912 | | | | | identityref 2913 | | | | +--rw (private-key-type) 2914 | | | | | +--:(private-key) 2915 | | | | | | +--rw private-key? 2916 | | | | | | binary 2917 | | | | | +--:(hidden-private-k\ 2918 \ey) 2919 | | | | | | +--rw hidden-priva\ 2920 \te-key? 2921 | | | | | | empty 2922 | | | | | +--:(encrypted-privat\ 2924 \e-key) 2925 | | | | | +--rw encrypted-pr\ 2926 \ivate-key 2927 | | | | | +--rw (key-type) 2928 | | | | | | +--:(symmetr\ 2929 \ic-key-ref) 2930 | | | | | | | +--rw sym\ 2931 \metric-key-ref? leafref 2932 | | | | | | | {\ 2933 \keystore-supported}? 2934 | | | | | | +--:(asymmet\ 2935 \ric-key-ref) 2936 | | | | | | +--rw asy\ 2937 \mmetric-key-ref? 
leafref 2938 | | | | | | {\ 2939 \keystore-supported}? 2940 | | | | | +--rw value? 2941 | | | | | binary 2942 | | | | +--rw cert? 2943 | | | | | end-entity-cert-\ 2944 \cms 2945 | | | | +---n certificate-expira\ 2946 \tion 2947 | | | | | +-- expiration-date 2948 | | | | | yang:date-and\ 2949 \-time 2950 | | | | +---x generate-certifica\ 2951 \te-signing-request 2952 | | | | +---w input 2953 | | | | | +---w subject 2954 | | | | | | binary 2955 | | | | | +---w attributes? 2956 | | | | | binary 2957 | | | | +--ro output 2958 | | | | +--ro certificate-\ 2959 \signing-request 2960 | | | | binary 2961 | | | +--:(keystore) 2962 | | | {keystore-supported}? 2963 | | | +--rw keystore-reference 2964 | | | +--rw asymmetric-key? 2965 | | | | ks:asymmetric-ke\ 2966 \y-ref 2967 | | | +--rw certificate? \ 2968 \leafref 2969 | | +--:(raw-public-key) 2970 | | | +--rw raw-public-key 2971 | | | {raw-public-key-auth}? 2972 | | | +--rw (local-or-keystore) 2973 | | | +--:(local) 2974 | | | | {local-definitions-su\ 2975 \pported}? 2976 | | | | +--rw local-definition 2977 | | | | +--rw algorithm 2978 | | | | | iasa:asymmetric-\ 2979 \algorithm-type 2980 | | | | +--rw public-key-format? 2981 | | | | | identityref 2982 | | | | +--rw public-key 2983 | | | | | binary 2984 | | | | +--rw private-key-format? 2985 | | | | | identityref 2986 | | | | +--rw (private-key-type) 2987 | | | | +--:(private-key) 2988 | | | | | +--rw private-key? 2989 | | | | | binary 2990 | | | | +--:(hidden-private-k\ 2991 \ey) 2992 | | | | | +--rw hidden-priva\ 2993 \te-key? 2994 | | | | | empty 2995 | | | | +--:(encrypted-privat\ 2996 \e-key) 2997 | | | | +--rw encrypted-pr\ 2998 \ivate-key 2999 | | | | +--rw (key-type) 3000 | | | | | +--:(symmetr\ 3001 \ic-key-ref) 3002 | | | | | | +--rw sym\ 3003 \metric-key-ref? leafref 3004 | | | | | | {\ 3005 \keystore-supported}? 3006 | | | | | +--:(asymmet\ 3007 \ric-key-ref) 3008 | | | | | +--rw asy\ 3009 \mmetric-key-ref? leafref 3010 | | | | | {\ 3011 \keystore-supported}? 
3012 | | | | +--rw value? 3013 | | | | binary 3014 | | | +--:(keystore) 3015 | | | {keystore-supported}? 3016 | | | +--rw keystore-reference? 3017 | | | ks:asymmetric-key-r\ 3018 \ef 3019 | | +--:(psk) 3020 | | +--rw psk {psk-auth}? 3021 | | +--rw (local-or-keystore) 3022 | | +--:(local) 3023 | | | {local-definitions-su\ 3024 \pported}? 3025 | | | +--rw local-definition 3026 | | | +--rw algorithm 3027 | | | | isa:symmetric-al\ 3028 \gorithm-type 3029 | | | +--rw key-format? 3030 | | | | identityref 3031 | | | +--rw (key-type) 3032 | | | +--:(key) 3033 | | | | +--rw key? 3034 | | | | binary 3035 | | | +--:(hidden-key) 3036 | | | | +--rw hidden-key? 3037 | | | | empty 3038 | | | +--:(encrypted-key) 3039 | | | +--rw encrypted-key 3040 | | | +--rw (key-type) 3041 | | | | +--:(symmetr\ 3042 \ic-key-ref) 3043 | | | | | +--rw sym\ 3044 \metric-key-ref? leafref 3045 | | | | | {\ 3046 \keystore-supported}? 3047 | | | | +--:(asymmet\ 3048 \ric-key-ref) 3049 | | | | +--rw asy\ 3050 \mmetric-key-ref? leafref 3051 | | | | {\ 3052 \keystore-supported}? 3053 | | | +--rw value? 3054 | | | binary 3055 | | +--:(keystore) 3056 | | {keystore-supported}? 3057 | | +--rw keystore-reference? 3058 | | ks:symmetric-key-ref 3059 | +--rw server-authentication 3060 | | +--rw ca-certs! {x509-certificate-auth}? 3061 | | | +--rw (local-or-truststore) 3062 | | | +--:(local) 3063 | | | | {local-definitions-supporte\ 3064 \d}? 3065 | | | | +--rw local-definition 3066 | | | | +--rw cert* 3067 | | | | | trust-anchor-cert-cms 3068 | | | | +---n certificate-expiration 3069 | | | | +-- expiration-date 3070 | | | | yang:date-and-time 3071 | | | +--:(truststore) 3072 | | | {truststore-supported,x509-\ 3073 \certificates}? 3074 | | | +--rw truststore-reference? 3075 | | | ts:certificates-ref 3076 | | +--rw server-certs! 3077 | | | {x509-certificate-auth}? 3078 | | | +--rw (local-or-truststore) 3079 | | | +--:(local) 3080 | | | | {local-definitions-supporte\ 3081 \d}? 
                    |  |  |     |  +--rw local-definition
                    |  |  |     |     +--rw cert*
                    |  |  |     |     |       trust-anchor-cert-cms
                    |  |  |     |     +---n certificate-expiration
                    |  |  |     |        +-- expiration-date
                    |  |  |     |                yang:date-and-time
                    |  |  |     +--:(truststore)
                    |  |  |        {truststore-supported,x509-\
\certificates}?
                    |  |  |        +--rw truststore-reference?
                    |  |  |                ts:certificates-ref
                    |  |  +--rw raw-public-keys!
                    |  |  |       {raw-public-key-auth}?
                    |  |  |  +--rw (local-or-truststore)
                    |  |  |     +--:(local)
                    |  |  |     |       {local-definitions-supporte\
\d}?
                    |  |  |     |  +--rw local-definition
                    |  |  |     |     +--rw raw-public-key* [name]
                    |  |  |     |        +--rw name
                    |  |  |     |        |       string
                    |  |  |     |        +--rw algorithm
                    |  |  |     |        |       iasa:asymmetric-alg\
\orithm-type
                    |  |  |     |        +--rw public-key-format?
                    |  |  |     |        |       identityref
                    |  |  |     |        +--rw public-key
                    |  |  |     |                binary
                    |  |  |     +--:(truststore)
                    |  |  |        {truststore-supported,raw-p\
\ublic-keys}?
                    |  |  |        +--rw truststore-reference?
                    |  |  |                ts:raw-public-keys-ref
                    |  |  +--rw psks! {psk-auth}?
                    |  +--rw hello-params
                    |  |       {tls-client-hello-params-config}?
                    |  |  +--rw tls-versions
                    |  |  |  +--rw tls-version*    identityref
                    |  |  +--rw cipher-suites
                    |  |     +--rw cipher-suite*   identityref
                    |  +--rw keepalives! {tls-client-keepalives}?
                    |     +--rw max-wait?         uint16
                    |     +--rw max-attempts?     uint8
                    +--rw netconf-client-parameters

A.2.  Expanded Tree Diagram for 'ietf-netconf-server'

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram shows all the nodes defined in this module,
   including those defined by "grouping" statements used by this module.

   Please see Section 4.1 for a tree diagram that illustrates what the
   module looks like without all the "grouping" statements expanded.
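   The expanded trees in this appendix are long enough that the nodes
   holding key material, and the form in which they hold it, are easy to
   miss.  The Python below is an added example, not part of this draft
   and not code from any NETCONF implementation: it undoes the RFC 8792
   '\' line folding used in these diagrams, walks the RFC 8340 node lines,
   and reports every node that carries a private key, PSK or password,
   tagged as cleartext, hashed, hidden (key held in a TPM/HSM, only a
   marker is configured) or encrypted (ciphertext under a
   keystore-referenced key).  The SAMPLE_TREE it runs on is a constructed,
   abridged excerpt modelled on the two trees in this appendix
   (intermediate levels such as 'endpoints', 'ssh' and the keystore cases
   are dropped), and the classification rules are the example's own
   heuristics keyed on the leaf names this draft uses.

```python
"""Added example (not from the draft): find the secret-bearing nodes in an
RFC 8340 tree diagram that uses RFC 8792 '\\' line folding.

SAMPLE_TREE is a constructed, abridged excerpt modelled on the expanded
'ietf-netconf-client' / 'ietf-netconf-server' trees in this appendix."""
import re

# RFC 8792 single-backslash folding: a line ending in '\' continues on the
# next line after that line's leading whitespace and its own leading '\'.
FOLD_RE = re.compile(r"\\\n\s*\\")

# One RFC 8340 node line: '|'/space prefix, '+--', flags, then either
# "name?  type {feature}?" or a choice "(name)" / case ":(name)".
NODE_RE = re.compile(
    r"^(?P<prefix>[ |]*)\+--(?P<flags>rw|ro|-w|-x|-n|:)\s*(?P<rest>\S.*)$")

SAMPLE_TREE = r"""
module: ietf-netconf-client
  +--rw netconf-client
     +--rw initiate! {ssh-initiate}?
        +--rw netconf-server* [name]
           +--rw ssh-client-parameters
              +--rw client-identity
                 +--rw (auth-type)
                    +--:(password)
                    |  +--rw password?       string
                    +--:(public-key)
                       +--rw public-key
                          +--rw local-definition
                             +--rw public-key      binary
                             +--rw (private-key-type)
                                +--:(private-key)
                                |  +--rw private-key?   binary
                                +--:(hidden-private-key)
                                |  +--rw hidden-priva\
\te-key?   empty
                                +--:(encrypted-private-key)
                                   +--rw encrypted-private-key
                                      +--rw value?      binary
module: ietf-netconf-server
  +--rw netconf-server
     +--rw listen! {ssh-listen}?
        +--rw endpoint* [name]
           +--rw ssh-server-parameters
              +--rw client-authentication
                 +--rw users
                    +--rw user* [name]
                       +--rw name        string
                       +--rw password?   ianach:crypt-hash
"""


def unfold(text):
    """Undo RFC 8792 folding so each tree node is on one physical line."""
    return FOLD_RE.sub("", text)


def iter_data_nodes(text):
    """Yield (module, path, leaf_type, parent) for each data node.

    Choice/case nodes stay on the indent stack but, as in RFC 8340, add
    nothing to the path.  A type wrapped onto its own line (no '+--') is
    skipped, so leaf_type may be None."""
    module, stack = None, []          # stack: [(column, name or None)]
    for line in unfold(text).splitlines():
        if line.startswith("module:"):
            module, stack = line.split(":", 1)[1].strip(), []
            continue
        m = NODE_RE.match(line)
        if not m:
            continue
        col = len(m.group("prefix"))
        while stack and stack[-1][0] >= col:   # left the previous subtree
            stack.pop()
        tokens = m.group("rest").split()
        if tokens[0].startswith("("):          # choice or case node
            stack.append((col, None))
            continue
        name = tokens[0].rstrip("?*!")
        leaf_type = tokens[1] if len(tokens) > 1 and tokens[1][0] not in "[{" else None
        parent = next((n for _, n in reversed(stack) if n), None)
        stack.append((col, name))
        yield module, "/".join(n for _, n in stack if n), leaf_type, parent


def classify_secret(name, leaf_type, parent):
    """How a node exposes key material, or None if it holds none (heuristic)."""
    if name in ("private-key", "key") and leaf_type == "binary":
        return "cleartext"      # raw key bytes sit in the datastore
    if name == "password":
        return "hashed" if leaf_type and "crypt-hash" in leaf_type else "cleartext"
    if name in ("hidden-private-key", "hidden-key"):
        return "hidden"         # key lives in a TPM/HSM; only a marker is configured
    if name == "value" and parent and parent.startswith("encrypted-"):
        return "encrypted"      # ciphertext under a keystore-referenced key
    return None


def find_secret_nodes(text):
    """Return [(module:path, leaf_type, kind)] for every secret-bearing node."""
    found = []
    for module, path, leaf_type, parent in iter_data_nodes(text):
        kind = classify_secret(path.rsplit("/", 1)[-1], leaf_type, parent)
        if kind:
            found.append((f"{module}:{path}", leaf_type, kind))
    return found


if __name__ == "__main__":
    for path, leaf_type, kind in find_secret_nodes(SAMPLE_TREE):
        print(f"{kind:10} {leaf_type or '-':18} {path}")
```

   Run over the full expanded trees (copied with the '\' folding intact),
   the 'cleartext' rows are the nodes an operator should expect NACM
   rules to cover, while the 'hidden' and 'encrypted' cases are the
   alternatives this model offers where the device supports them.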
3138 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ========== 3140 module: ietf-netconf-server 3141 +--rw netconf-server 3142 +--rw listen! {ssh-listen or tls-listen}? 3143 | +--rw idle-timeout? uint16 3144 | +--rw endpoint* [name] 3145 | +--rw name string 3146 | +--rw (transport) 3147 | +--:(ssh) {ssh-listen}? 3148 | | +--rw ssh 3149 | | +--rw tcp-server-parameters 3150 | | | +--rw local-address inet:ip-address 3151 | | | +--rw local-port? inet:port-number 3152 | | | +--rw keepalives! {keepalives-supported}? 3153 | | | +--rw idle-time uint16 3154 | | | +--rw max-probes uint16 3155 | | | +--rw probe-interval uint16 3156 | | +--rw ssh-server-parameters 3157 | | | +--rw server-identity 3158 | | | | +--rw host-key* [name] 3159 | | | | +--rw name string 3160 | | | | +--rw (host-key-type) 3161 | | | | +--:(public-key) 3162 | | | | | +--rw public-key 3163 | | | | | +--rw (local-or-keystore) 3164 | | | | | +--:(local) 3165 | | | | | | {local-definitions\ 3166 \-supported}? 3167 | | | | | | +--rw local-definition 3168 | | | | | | +--rw algorithm 3169 | | | | | | | iasa:asymmetr\ 3170 \ic-algorithm-type 3171 | | | | | | +--rw public-key-form\ 3172 \at? 3173 | | | | | | | identityref 3174 | | | | | | +--rw public-key 3175 | | | | | | | binary 3176 | | | | | | +--rw private-key-for\ 3177 \mat? 3178 | | | | | | | identityref 3179 | | | | | | +--rw (private-key-ty\ 3180 \pe) 3181 | | | | | | +--:(private-key) 3182 | | | | | | | +--rw private-k\ 3183 \ey? 3184 | | | | | | | binary 3185 | | | | | | +--:(hidden-privat\ 3186 \e-key) 3187 | | | | | | | +--rw hidden-pr\ 3188 \ivate-key? 3189 | | | | | | | empty 3190 | | | | | | +--:(encrypted-pri\ 3191 \vate-key) 3192 | | | | | | +--rw encrypted\ 3193 \-private-key 3194 | | | | | | +--rw (key-t\ 3195 \ype) 3196 | | | | | | | +--:(symm\ 3197 \etric-key-ref) 3198 | | | | | | | | +--rw \ 3199 \symmetric-key-ref? leafref 3200 | | | | | | | | \ 3201 \ {keystore-supported}? 
3202 | | | | | | | +--:(asym\ 3203 \metric-key-ref) 3204 | | | | | | | +--rw \ 3205 \asymmetric-key-ref? leafref 3206 | | | | | | | \ 3207 \ {keystore-supported}? 3208 | | | | | | +--rw value? 3209 | | | | | | bina\ 3210 \ry 3211 | | | | | +--:(keystore) 3212 | | | | | {keystore-supporte\ 3213 \d}? 3214 | | | | | +--rw keystore-reference? 3215 | | | | | ks:asymmetric-ke\ 3216 \y-ref 3217 | | | | +--:(certificate) 3218 | | | | +--rw certificate 3219 | | | | {sshcmn:ssh-x509-certs}? 3220 | | | | +--rw (local-or-keystore) 3221 | | | | +--:(local) 3222 | | | | | {local-definitions\ 3223 \-supported}? 3224 | | | | | +--rw local-definition 3225 | | | | | +--rw algorithm 3226 | | | | | | iasa:asymmetr\ 3227 \ic-algorithm-type 3228 | | | | | +--rw public-key-form\ 3229 \at? 3230 | | | | | | identityref 3231 | | | | | +--rw public-key 3232 | | | | | | binary 3233 | | | | | +--rw private-key-for\ 3234 \mat? 3235 | | | | | | identityref 3236 | | | | | +--rw (private-key-ty\ 3237 \pe) 3238 | | | | | | +--:(private-key) 3239 | | | | | | | +--rw private-k\ 3240 \ey? 3241 | | | | | | | binary 3242 | | | | | | +--:(hidden-privat\ 3243 \e-key) 3244 | | | | | | | +--rw hidden-pr\ 3245 \ivate-key? 3246 | | | | | | | empty 3247 | | | | | | +--:(encrypted-pri\ 3248 \vate-key) 3249 | | | | | | +--rw encrypted\ 3250 \-private-key 3251 | | | | | | +--rw (key-t\ 3252 \ype) 3253 | | | | | | | +--:(symm\ 3254 \etric-key-ref) 3255 | | | | | | | | +--rw \ 3256 \symmetric-key-ref? leafref 3257 | | | | | | | | \ 3258 \ {keystore-supported}? 3259 | | | | | | | +--:(asym\ 3261 \metric-key-ref) 3262 | | | | | | | +--rw \ 3263 \asymmetric-key-ref? leafref 3264 | | | | | | | \ 3265 \ {keystore-supported}? 3266 | | | | | | +--rw value? 3267 | | | | | | bina\ 3268 \ry 3269 | | | | | +--rw cert? 
3270 | | | | | | end-entity-ce\ 3271 \rt-cms 3272 | | | | | +---n certificate-exp\ 3273 \iration 3274 | | | | | | +-- expiration-date 3275 | | | | | | yang:date-\ 3276 \and-time 3277 | | | | | +---x generate-certif\ 3278 \icate-signing-request 3279 | | | | | +---w input 3280 | | | | | | +---w subject 3281 | | | | | | | binary 3282 | | | | | | +---w attribute\ 3283 \s? 3284 | | | | | | binary 3285 | | | | | +--ro output 3286 | | | | | +--ro certifica\ 3287 \te-signing-request 3288 | | | | | binary 3289 | | | | +--:(keystore) 3290 | | | | {keystore-supporte\ 3291 \d}? 3292 | | | | +--rw keystore-reference 3293 | | | | +--rw asymmetric-key? 3294 | | | | | ks:asymmetric\ 3295 \-key-ref 3296 | | | | +--rw certificate? \ 3297 \ leafref 3298 | | | +--rw client-authentication 3299 | | | | +--rw supported-authentication-methods 3300 | | | | | +--rw publickey? empty 3301 | | | | | +--rw passsword? empty 3302 | | | | | +--rw hostbased? empty 3303 | | | | | +--rw none? empty 3304 | | | | | +--rw other* string 3305 | | | | +--rw users {client-auth-config-supported}? 3306 | | | | | +--rw user* [name] 3307 | | | | | +--rw name string 3308 | | | | | +--rw password? ianach:crypt-hash 3309 | | | | | +--rw host-keys! 3310 | | | | | +--rw (local-or-truststore) 3311 | | | | | +--:(local) 3312 | | | | | | {local-definitions-su\ 3313 \pported}? 3314 | | | | | | +--rw local-definition 3315 | | | | | | +--rw host-key* 3316 | | | | | | ct:ssh-host-key 3317 | | | | | +--:(truststore) 3318 | | | | | {truststore-supported\ 3319 \,ssh-host-keys}? 3320 | | | | | +--rw truststore-reference? 3321 | | | | | ts:host-keys-ref 3322 | | | | +--rw ca-certs! 3323 | | | | | {client-auth-config-supported,sshc\ 3324 \mn:ssh-x509-certs}? 3325 | | | | | +--rw (local-or-truststore) 3326 | | | | | +--:(local) 3327 | | | | | | {local-definitions-supporte\ 3328 \d}? 
3329 | | | | | | +--rw local-definition
3330 | | | | | | +--rw cert*
3331 | | | | | | | trust-anchor-cert-cms
3332 | | | | | | +---n certificate-expiration
3333 | | | | | | +-- expiration-date
3334 | | | | | | yang:date-and-time
3335 | | | | | +--:(truststore)
3336 | | | | | {truststore-supported,x509-\
3337 \certificates}?
3338 | | | | | +--rw truststore-reference?
3339 | | | | | ts:certificates-ref
3340 | | | | +--rw client-certs!
3341 | | | | {client-auth-config-supported,sshc\
3342 \mn:ssh-x509-certs}?
3343 | | | | +--rw (local-or-truststore)
3344 | | | | +--:(local)
3345 | | | | | {local-definitions-supporte\
3346 \d}?
3347 | | | | | +--rw local-definition
3348 | | | | | +--rw cert*
3349 | | | | | | trust-anchor-cert-cms
3350 | | | | | +---n certificate-expiration
3351 | | | | | +-- expiration-date
3352 | | | | | yang:date-and-time
3353 | | | | +--:(truststore)
3354 | | | | {truststore-supported,x509-\
3355 \certificates}?
3356 | | | | +--rw truststore-reference?
3357 | | | | ts:certificates-ref
3358 | | | +--rw transport-params
3359 | | | | {ssh-server-transport-params-config}?
3360 | | | | +--rw host-key
3361 | | | | | +--rw host-key-alg* identityref
3362 | | | | +--rw key-exchange
3363 | | | | | +--rw key-exchange-alg* identityref
3364 | | | | +--rw encryption
3365 | | | | | +--rw encryption-alg* identityref
3366 | | | | +--rw mac
3367 | | | | +--rw mac-alg* identityref
3368 | | | +--rw keepalives! {ssh-server-keepalives}?
3369 | | | +--rw max-wait? uint16
3370 | | | +--rw max-attempts? uint8
3371 | | +--rw netconf-server-parameters
3372 | | +--rw client-identity-mappings
3373 | | {tls-listen or tls-call-home or sshcm\
3374 \n:ssh-x509-certs}?
3375 | | +--rw cert-to-name* [id]
3376 | | +--rw id uint32
3377 | | +--rw fingerprint?
3378 | | | x509c2n:tls-fingerprint
3379 | | +--rw map-type identityref
3380 | | +--rw name string
3381 | +--:(tls) {tls-listen}?
3382 | +--rw tls
3383 | +--rw tcp-server-parameters
3384 | | +--rw local-address inet:ip-address
3385 | | +--rw local-port? inet:port-number
3386 | | +--rw keepalives! {keepalives-supported}?
3387 | | +--rw idle-time uint16
3388 | | +--rw max-probes uint16
3389 | | +--rw probe-interval uint16
3390 | +--rw tls-server-parameters
3391 | | +--rw server-identity
3392 | | | +--rw (auth-type)
3393 | | | +--:(certificate)
3394 | | | | +--rw certificate
3395 | | | | {x509-certificate-auth}?
3396 | | | | +--rw (local-or-keystore)
3397 | | | | +--:(local)
3398 | | | | | {local-definitions-su\
3399 \pported}?
3400 | | | | | +--rw local-definition
3401 | | | | | +--rw algorithm
3402 | | | | | | iasa:asymmetric-\
3403 \algorithm-type
3404 | | | | | +--rw public-key-format?
3405 | | | | | | identityref
3406 | | | | | +--rw public-key
3407 | | | | | | binary
3408 | | | | | +--rw private-key-format?
3409 | | | | | | identityref
3410 | | | | | +--rw (private-key-type)
3411 | | | | | | +--:(private-key)
3412 | | | | | | | +--rw private-key?
3413 | | | | | | | binary
3414 | | | | | | +--:(hidden-private-k\
3415 \ey)
3416 | | | | | | | +--rw hidden-priva\
3417 \te-key?
3418 | | | | | | | empty
3419 | | | | | | +--:(encrypted-privat\
3420 \e-key)
3421 | | | | | | +--rw encrypted-pr\
3422 \ivate-key
3423 | | | | | | +--rw (key-type)
3424 | | | | | | | +--:(symmetr\
3425 \ic-key-ref)
3426 | | | | | | | | +--rw sym\
3427 \metric-key-ref? leafref
3428 | | | | | | | | {\
3429 \keystore-supported}?
3430 | | | | | | | +--:(asymmet\
3431 \ric-key-ref)
3432 | | | | | | | +--rw asy\
3433 \mmetric-key-ref? leafref
3434 | | | | | | | {\
3435 \keystore-supported}?
3436 | | | | | | +--rw value?
3437 | | | | | | binary
3438 | | | | | +--rw cert?
3439 | | | | | | end-entity-cert-\
3440 \cms
3441 | | | | | +---n certificate-expira\
3442 \tion
3443 | | | | | | +-- expiration-date
3444 | | | | | | yang:date-and\
3445 \-time
3446 | | | | | +---x generate-certifica\
3447 \te-signing-request
3448 | | | | | +---w input
3449 | | | | | | +---w subject
3450 | | | | | | | binary
3451 | | | | | | +---w attributes?
3452 | | | | | | binary
3453 | | | | | +--ro output
3454 | | | | | +--ro certificate-\
3455 \signing-request
3456 | | | | | binary
3457 | | | | +--:(keystore)
3458 | | | | {keystore-supported}?
3459 | | | | +--rw keystore-reference
3460 | | | | +--rw asymmetric-key?
3461 | | | | | ks:asymmetric-ke\
3462 \y-ref
3463 | | | | +--rw certificate? \
3464 \leafref
3465 | | | +--:(raw-private-key)
3466 | | | | +--rw raw-private-key
3467 | | | | {raw-public-key-auth}?
3468 | | | | +--rw (local-or-keystore)
3469 | | | | +--:(local)
3470 | | | | | {local-definitions-su\
3471 \pported}?
3472 | | | | | +--rw local-definition
3473 | | | | | +--rw algorithm
3474 | | | | | | iasa:asymmetric-\
3475 \algorithm-type
3476 | | | | | +--rw public-key-format?
3477 | | | | | | identityref
3478 | | | | | +--rw public-key
3479 | | | | | | binary
3480 | | | | | +--rw private-key-format?
3481 | | | | | | identityref
3482 | | | | | +--rw (private-key-type)
3483 | | | | | +--:(private-key)
3484 | | | | | | +--rw private-key?
3485 | | | | | | binary
3486 | | | | | +--:(hidden-private-k\
3487 \ey)
3488 | | | | | | +--rw hidden-priva\
3489 \te-key?
3490 | | | | | | empty
3491 | | | | | +--:(encrypted-privat\
3492 \e-key)
3493 | | | | | +--rw encrypted-pr\
3494 \ivate-key
3495 | | | | | +--rw (key-type)
3496 | | | | | | +--:(symmetr\
3497 \ic-key-ref)
3498 | | | | | | | +--rw sym\
3499 \metric-key-ref? leafref
3500 | | | | | | | {\
3502 \keystore-supported}?
3503 | | | | | | +--:(asymmet\
3504 \ric-key-ref)
3505 | | | | | | +--rw asy\
3506 \mmetric-key-ref? leafref
3507 | | | | | | {\
3508 \keystore-supported}?
3509 | | | | | +--rw value?
3510 | | | | | binary
3511 | | | | +--:(keystore)
3512 | | | | {keystore-supported}?
3513 | | | | +--rw keystore-reference?
3514 | | | | ks:asymmetric-key-r\
3515 \ef
3516 | | | +--:(psk)
3517 | | | +--rw psk {psk-auth}?
3518 | | | +--rw (local-or-keystore)
3519 | | | +--:(local)
3520 | | | | {local-definitions-su\
3521 \pported}?
3522 | | | | +--rw local-definition
3523 | | | | +--rw algorithm
3524 | | | | | isa:symmetric-al\
3525 \gorithm-type
3526 | | | | +--rw key-format?
3527 | | | | | identityref
3528 | | | | +--rw (key-type)
3529 | | | | +--:(key)
3530 | | | | | +--rw key?
3531 | | | | | binary
3532 | | | | +--:(hidden-key)
3533 | | | | | +--rw hidden-key?
3534 | | | | | empty
3535 | | | | +--:(encrypted-key)
3536 | | | | +--rw encrypted-key
3537 | | | | +--rw (key-type)
3538 | | | | | +--:(symmetr\
3539 \ic-key-ref)
3540 | | | | | | +--rw sym\
3541 \metric-key-ref? leafref
3542 | | | | | | {\
3543 \keystore-supported}?
3544 | | | | | +--:(asymmet\
3545 \ric-key-ref)
3546 | | | | | +--rw asy\
3547 \mmetric-key-ref? leafref
3548 | | | | | {\
3549 \keystore-supported}?
3550 | | | | +--rw value?
3551 | | | | binary
3552 | | | +--:(keystore)
3553 | | | {keystore-supported}?
3554 | | | +--rw keystore-reference?
3555 | | | ks:symmetric-key-ref
3556 | | +--rw client-authentication!
3557 | | | {client-auth-config-supported}?
3558 | | | +--rw ca-certs! {x509-certificate-auth}?
3559 | | | | +--rw (local-or-truststore)
3560 | | | | +--:(local)
3561 | | | | | {local-definitions-supporte\
3562 \d}?
3563 | | | | | +--rw local-definition
3564 | | | | | +--rw cert*
3565 | | | | | | trust-anchor-cert-cms
3566 | | | | | +---n certificate-expiration
3567 | | | | | +-- expiration-date
3568 | | | | | yang:date-and-time
3569 | | | | +--:(truststore)
3570 | | | | {truststore-supported,x509-\
3571 \certificates}?
3572 | | | | +--rw truststore-reference?
3573 | | | | ts:certificates-ref
3574 | | | +--rw client-certs!
3575 | | | | {x509-certificate-auth}?
3576 | | | | +--rw (local-or-truststore)
3577 | | | | +--:(local)
3578 | | | | | {local-definitions-supporte\
3579 \d}?
3580 | | | | | +--rw local-definition
3581 | | | | | +--rw cert*
3582 | | | | | | trust-anchor-cert-cms
3583 | | | | | +---n certificate-expiration
3584 | | | | | +-- expiration-date
3585 | | | | | yang:date-and-time
3586 | | | | +--:(truststore)
3587 | | | | {truststore-supported,x509-\
3588 \certificates}?
3589 | | | | +--rw truststore-reference?
3590 | | | | ts:certificates-ref
3591 | | | +--rw raw-public-keys!
3592 | | | {raw-public-key-auth}?
3593 | | | +--rw (local-or-truststore)
3594 | | | +--:(local)
3595 | | | | {local-definitions-supporte\
3596 \d}?
3597 | | | | +--rw local-definition
3598 | | | | +--rw raw-public-key* [name]
3599 | | | | +--rw name
3600 | | | | | string
3601 | | | | +--rw algorithm
3602 | | | | | iasa:asymmetric-alg\
3603 \orithm-type
3604 | | | | +--rw public-key-format?
3605 | | | | | identityref
3606 | | | | +--rw public-key
3607 | | | | binary
3608 | | | +--:(truststore)
3609 | | | {truststore-supported,raw-p\
3610 \ublic-keys}?
3611 | | | +--rw truststore-reference?
3612 | | | ts:raw-public-keys-ref
3613 | | +--rw hello-params
3614 | | | {tls-server-hello-params-config}?
3615 | | | +--rw tls-versions
3616 | | | | +--rw tls-version* identityref
3617 | | | +--rw cipher-suites
3618 | | | +--rw cipher-suite* identityref
3619 | | +--rw keepalives! {tls-server-keepalives}?
3620 | | +--rw max-wait? uint16
3621 | | +--rw max-attempts? uint8
3622 | +--rw netconf-server-parameters
3623 | +--rw client-identity-mappings
3624 | {tls-listen or tls-call-home or sshcm\
3625 \n:ssh-x509-certs}?
3626 | +--rw cert-to-name* [id]
3627 | +--rw id uint32
3628 | +--rw fingerprint?
3629 | | x509c2n:tls-fingerprint
3630 | +--rw map-type identityref
3631 | +--rw name string
3632 +--rw call-home! {ssh-call-home or tls-call-home}?
3633 +--rw netconf-client* [name]
3634 +--rw name string
3635 +--rw endpoints
3636 | +--rw endpoint* [name]
3637 | +--rw name string
3638 | +--rw (transport)
3639 | +--:(ssh) {ssh-call-home}?
3640 | | +--rw ssh
3641 | | +--rw tcp-client-parameters
3642 | | | +--rw remote-address inet:host
3643 | | | +--rw remote-port? inet:port-number
3644 | | | +--rw local-address? inet:ip-address
3645 | | | | {local-binding-supported}?
3646 | | | +--rw local-port? inet:port-number
3647 | | | | {local-binding-supported}?
3648 | | | +--rw keepalives!
3649 | | | {keepalives-supported}?
3650 | | | +--rw idle-time uint16
3651 | | | +--rw max-probes uint16
3652 | | | +--rw probe-interval uint16
3653 | | +--rw ssh-server-parameters
3654 | | | +--rw server-identity
3655 | | | | +--rw host-key* [name]
3656 | | | | +--rw name string
3657 | | | | +--rw (host-key-type)
3658 | | | | +--:(public-key)
3659 | | | | | +--rw public-key
3660 | | | | | +--rw (local-or-keystore)
3661 | | | | | +--:(local)
3662 | | | | | | {local-defin\
3663 \itions-supported}?
3664 | | | | | | +--rw local-defini\
3665 \tion
3666 | | | | | | +--rw algorithm
3667 | | | | | | | iasa:as\
3668 \ymmetric-algorithm-type
3669 | | | | | | +--rw public-ke\
3670 \y-format?
3671 | | | | | | | identit\
3672 \yref
3673 | | | | | | +--rw public-key
3674 | | | | | | | binary
3675 | | | | | | +--rw private-k\
3676 \ey-format?
3677 | | | | | | | identit\
3678 \yref
3679 | | | | | | +--rw (private-\
3680 \key-type)
3681 | | | | | | +--:(private\
3682 \-key)
3683 | | | | | | | +--rw pri\
3684 \vate-key?
3685 | | | | | | | b\
3686 \inary
3687 | | | | | | +--:(hidden-\
3688 \private-key)
3689 | | | | | | | +--rw hid\
3690 \den-private-key?
3691 | | | | | | | e\
3692 \mpty
3693 | | | | | | +--:(encrypt\
3695 \ed-private-key)
3696 | | | | | | +--rw enc\
3697 \rypted-private-key
3698 | | | | | | +--rw \
3699 \(key-type)
3700 | | | | | | | +--\
3701 \:(symmetric-key-ref)
3702 | | | | | | | | \
3703 \+--rw symmetric-key-ref? leafref
3704 | | | | | | | | \
3705 \ {keystore-supported}?
3706 | | | | | | | +--\
3707 \:(asymmetric-key-ref)
3708 | | | | | | | \
3709 \+--rw asymmetric-key-ref? leafref
3710 | | | | | | | \
3711 \ {keystore-supported}?
3712 | | | | | | +--rw \
3713 \value?
3714 | | | | | | \
3715 \ binary
3716 | | | | | +--:(keystore)
3717 | | | | | {keystore-su\
3718 \pported}?
3719 | | | | | +--rw keystore-ref\
3720 \erence?
3721 | | | | | ks:asymmet\
3722 \ric-key-ref
3723 | | | | +--:(certificate)
3724 | | | | +--rw certificate
3725 | | | | {sshcmn:ssh-x509-ce\
3726 \rts}?
3727 | | | | +--rw (local-or-keystore)
3728 | | | | +--:(local)
3729 | | | | | {local-defin\
3730 \itions-supported}?
3731 | | | | | +--rw local-defini\
3732 \tion
3733 | | | | | +--rw algorithm
3734 | | | | | | iasa:as\
3735 \ymmetric-algorithm-type
3736 | | | | | +--rw public-ke\
3737 \y-format?
3738 | | | | | | identit\
3739 \yref
3740 | | | | | +--rw public-key
3741 | | | | | | binary
3742 | | | | | +--rw private-k\
3744 \ey-format?
3745 | | | | | | identit\
3746 \yref
3747 | | | | | +--rw (private-\
3748 \key-type)
3749 | | | | | | +--:(private\
3750 \-key)
3751 | | | | | | | +--rw pri\
3752 \vate-key?
3753 | | | | | | | b\
3754 \inary
3755 | | | | | | +--:(hidden-\
3756 \private-key)
3757 | | | | | | | +--rw hid\
3758 \den-private-key?
3759 | | | | | | | e\
3760 \mpty
3761 | | | | | | +--:(encrypt\
3762 \ed-private-key)
3763 | | | | | | +--rw enc\
3764 \rypted-private-key
3765 | | | | | | +--rw \
3766 \(key-type)
3767 | | | | | | | +--\
3768 \:(symmetric-key-ref)
3769 | | | | | | | | \
3770 \+--rw symmetric-key-ref? leafref
3771 | | | | | | | | \
3772 \ {keystore-supported}?
3773 | | | | | | | +--\
3774 \:(asymmetric-key-ref)
3775 | | | | | | | \
3776 \+--rw asymmetric-key-ref? leafref
3777 | | | | | | | \
3778 \ {keystore-supported}?
3779 | | | | | | +--rw \
3780 \value?
3781 | | | | | | \
3782 \ binary
3783 | | | | | +--rw cert?
3784 | | | | | | end-ent\
3785 \ity-cert-cms
3786 | | | | | +---n certifica\
3787 \te-expiration
3788 | | | | | | +-- expirati\
3789 \on-date
3790 | | | | | | yang\
3791 \:date-and-time
3792 | | | | | +---x generate-\
3793 \certificate-signing-request
3794 | | | | | +---w input
3795 | | | | | | +---w sub\
3796 \ject
3797 | | | | | | | b\
3798 \inary
3799 | | | | | | +---w att\
3800 \ributes?
3801 | | | | | | b\
3802 \inary
3803 | | | | | +--ro output
3804 | | | | | +--ro cer\
3805 \tificate-signing-request
3806 | | | | | b\
3807 \inary
3808 | | | | +--:(keystore)
3809 | | | | {keystore-su\
3810 \pported}?
3811 | | | | +--rw keystore-ref\
3812 \erence
3813 | | | | +--rw asymmetri\
3814 \c-key?
3815 | | | | | ks:asym\
3816 \metric-key-ref
3817 | | | | +--rw certifica\
3818 \te? leafref
3819 | | | +--rw client-authentication
3820 | | | | +--rw supported-authentication-metho\
3821 \ds
3822 | | | | | +--rw publickey? empty
3823 | | | | | +--rw passsword? empty
3824 | | | | | +--rw hostbased? empty
3825 | | | | | +--rw none? empty
3826 | | | | | +--rw other* string
3827 | | | | +--rw users
3828 | | | | | {client-auth-config-supporte\
3829 \d}?
3830 | | | | | +--rw user* [name]
3831 | | | | | +--rw name string
3832 | | | | | +--rw password?
3833 | | | | | | ianach:crypt-hash
3834 | | | | | +--rw host-keys!
3835 | | | | | +--rw (local-or-truststore)
3836 | | | | | +--:(local)
3837 | | | | | | {local-definiti\
3838 \ons-supported}?
3839 | | | | | | +--rw local-definition
3840 | | | | | | +--rw host-key*
3841 | | | | | | ct:ssh-hos\
3842 \t-key
3843 | | | | | +--:(truststore)
3844 | | | | | {truststore-sup\
3845 \ported,ssh-host-keys}?
3846 | | | | | +--rw truststore-refe\
3847 \rence?
3848 | | | | | ts:host-keys-\
3849 \ref
3850 | | | | +--rw ca-certs!
3851 | | | | | {client-auth-config-supporte\
3852 \d,sshcmn:ssh-x509-certs}?
3853 | | | | | +--rw (local-or-truststore)
3854 | | | | | +--:(local)
3855 | | | | | | {local-definitions-su\
3856 \pported}?
3857 | | | | | | +--rw local-definition
3858 | | | | | | +--rw cert*
3859 | | | | | | | trust-anchor-cer\
3860 \t-cms
3861 | | | | | | +---n certificate-expira\
3862 \tion
3863 | | | | | | +-- expiration-date
3864 | | | | | | yang:date-and\
3865 \-time
3866 | | | | | +--:(truststore)
3867 | | | | | {truststore-supported\
3868 \,x509-certificates}?
3869 | | | | | +--rw truststore-reference?
3870 | | | | | ts:certificates-ref
3871 | | | | +--rw client-certs!
3872 | | | | {client-auth-config-supporte\
3873 \d,sshcmn:ssh-x509-certs}?
3874 | | | | +--rw (local-or-truststore)
3875 | | | | +--:(local)
3876 | | | | | {local-definitions-su\
3877 \pported}?
3878 | | | | | +--rw local-definition
3879 | | | | | +--rw cert*
3880 | | | | | | trust-anchor-cer\
3881 \t-cms
3882 | | | | | +---n certificate-expira\
3883 \tion
3884 | | | | | +-- expiration-date
3885 | | | | | yang:date-and\
3886 \-time
3887 | | | | +--:(truststore)
3888 | | | | {truststore-supported\
3889 \,x509-certificates}?
3890 | | | | +--rw truststore-reference?
3891 | | | | ts:certificates-ref
3892 | | | +--rw transport-params
3893 | | | | {ssh-server-transport-params-co\
3894 \nfig}?
3895 | | | | +--rw host-key
3896 | | | | | +--rw host-key-alg* identityref
3897 | | | | +--rw key-exchange
3898 | | | | | +--rw key-exchange-alg*
3899 | | | | | identityref
3900 | | | | +--rw encryption
3901 | | | | | +--rw encryption-alg*
3902 | | | | | identityref
3903 | | | | +--rw mac
3904 | | | | +--rw mac-alg* identityref
3905 | | | +--rw keepalives!
3906 | | | {ssh-server-keepalives}?
3907 | | | +--rw max-wait? uint16
3908 | | | +--rw max-attempts? uint8
3909 | | +--rw netconf-server-parameters
3910 | | +--rw client-identity-mappings
3911 | | {tls-listen or tls-call-home or\
3912 \ sshcmn:ssh-x509-certs}?
3913 | | +--rw cert-to-name* [id]
3914 | | +--rw id uint32
3915 | | +--rw fingerprint?
3916 | | | x509c2n:tls-fingerprint
3917 | | +--rw map-type identityref
3918 | | +--rw name string
3919 | +--:(tls) {tls-call-home}?
3920 | +--rw tls
3921 | +--rw tcp-client-parameters
3922 | | +--rw remote-address inet:host
3923 | | +--rw remote-port? inet:port-number
3924 | | +--rw local-address? inet:ip-address
3925 | | | {local-binding-supported}?
3926 | | +--rw local-port? inet:port-number
3927 | | | {local-binding-supported}?
3928 | | +--rw keepalives!
3929 | | {keepalives-supported}?
3930 | | +--rw idle-time uint16
3931 | | +--rw max-probes uint16
3932 | | +--rw probe-interval uint16
3933 | +--rw tls-server-parameters
3934 | | +--rw server-identity
3935 | | | +--rw (auth-type)
3936 | | | +--:(certificate)
3937 | | | | +--rw certificate
3938 | | | | {x509-certificate-auth\
3939 \}?
3940 | | | | +--rw (local-or-keystore)
3941 | | | | +--:(local)
3942 | | | | | {local-definiti\
3943 \ons-supported}?
3944 | | | | | +--rw local-definition
3945 | | | | | +--rw algorithm
3946 | | | | | | iasa:asymm\
3947 \etric-algorithm-type
3948 | | | | | +--rw public-key-f\
3949 \ormat?
3950 | | | | | | identityref
3951 | | | | | +--rw public-key
3952 | | | | | | binary
3953 | | | | | +--rw private-key-\
3954 \format?
3955 | | | | | | identityref
3956 | | | | | +--rw (private-key\
3957 \-type)
3958 | | | | | | +--:(private-ke\
3959 \y)
3960 | | | | | | | +--rw privat\
3961 \e-key?
3962 | | | | | | | bina\
3963 \ry
3964 | | | | | | +--:(hidden-pri\
3965 \vate-key)
3966 | | | | | | | +--rw hidden\
3967 \-private-key?
3968 | | | | | | | empty
3969 | | | | | | +--:(encrypted-\
3970 \private-key)
3971 | | | | | | +--rw encryp\
3972 \ted-private-key
3973 | | | | | | +--rw (ke\
3974 \y-type)
3975 | | | | | | | +--:(s\
3976 \ymmetric-key-ref)
3977 | | | | | | | | +--\
3978 \rw symmetric-key-ref? leafref
3979 | | | | | | | | \
3980 \ {keystore-supported}?
3981 | | | | | | | +--:(a\
3982 \symmetric-key-ref)
3983 | | | | | | | +--\
3985 \rw asymmetric-key-ref? leafref
3986 | | | | | | | \
3987 \ {keystore-supported}?
3988 | | | | | | +--rw val\
3989 \ue?
3990 | | | | | | b\
3991 \inary
3992 | | | | | +--rw cert?
3993 | | | | | | end-entity\
3994 \-cert-cms
3995 | | | | | +---n certificate-\
3996 \expiration
3997 | | | | | | +-- expiration-\
3998 \date
3999 | | | | | | yang:da\
4000 \te-and-time
4001 | | | | | +---x generate-cer\
4002 \tificate-signing-request
4003 | | | | | +---w input
4004 | | | | | | +---w subject
4005 | | | | | | | bina\
4006 \ry
4007 | | | | | | +---w attrib\
4008 \utes?
4009 | | | | | | bina\
4010 \ry
4011 | | | | | +--ro output
4012 | | | | | +--ro certif\
4013 \icate-signing-request
4014 | | | | | bina\
4015 \ry
4016 | | | | +--:(keystore)
4017 | | | | {keystore-suppo\
4018 \rted}?
4019 | | | | +--rw keystore-refere\
4020 \nce
4021 | | | | +--rw asymmetric-k\
4022 \ey?
4023 | | | | | ks:asymmet\
4024 \ric-key-ref
4025 | | | | +--rw certificate?\
4026 \ leafref
4027 | | | +--:(raw-private-key)
4028 | | | | +--rw raw-private-key
4029 | | | | {raw-public-key-auth}?
4030 | | | | +--rw (local-or-keystore)
4031 | | | | +--:(local)
4032 | | | | | {local-definiti\
4034 \ons-supported}?
4035 | | | | | +--rw local-definition
4036 | | | | | +--rw algorithm
4037 | | | | | | iasa:asymm\
4038 \etric-algorithm-type
4039 | | | | | +--rw public-key-f\
4040 \ormat?
4041 | | | | | | identityref
4042 | | | | | +--rw public-key
4043 | | | | | | binary
4044 | | | | | +--rw private-key-\
4045 \format?
4046 | | | | | | identityref
4047 | | | | | +--rw (private-key\
4048 \-type)
4049 | | | | | +--:(private-ke\
4050 \y)
4051 | | | | | | +--rw privat\
4052 \e-key?
4053 | | | | | | bina\
4054 \ry
4055 | | | | | +--:(hidden-pri\
4056 \vate-key)
4057 | | | | | | +--rw hidden\
4058 \-private-key?
4059 | | | | | | empty
4060 | | | | | +--:(encrypted-\
4061 \private-key)
4062 | | | | | +--rw encryp\
4063 \ted-private-key
4064 | | | | | +--rw (ke\
4065 \y-type)
4066 | | | | | | +--:(s\
4067 \ymmetric-key-ref)
4068 | | | | | | | +--\
4069 \rw symmetric-key-ref? leafref
4070 | | | | | | | \
4071 \ {keystore-supported}?
4072 | | | | | | +--:(a\
4073 \symmetric-key-ref)
4074 | | | | | | +--\
4075 \rw asymmetric-key-ref? leafref
4076 | | | | | | \
4077 \ {keystore-supported}?
4078 | | | | | +--rw val\
4079 \ue?
4080 | | | | | b\
4081 \inary
4082 | | | | +--:(keystore)
4083 | | | | {keystore-suppo\
4084 \rted}?
4085 | | | | +--rw keystore-refere\
4086 \nce?
4087 | | | | ks:asymmetric\
4088 \-key-ref
4089 | | | +--:(psk)
4090 | | | +--rw psk {psk-auth}?
4091 | | | +--rw (local-or-keystore)
4092 | | | +--:(local)
4093 | | | | {local-definiti\
4094 \ons-supported}?
4095 | | | | +--rw local-definition
4096 | | | | +--rw algorithm
4097 | | | | | isa:symmet\
4098 \ric-algorithm-type
4099 | | | | +--rw key-format?
4100 | | | | | identityref
4101 | | | | +--rw (key-type)
4102 | | | | +--:(key)
4103 | | | | | +--rw key?
4104 | | | | | bina\
4105 \ry
4106 | | | | +--:(hidden-key)
4107 | | | | | +--rw hidden\
4108 \-key?
4109 | | | | | empty
4110 | | | | +--:(encrypted-\
4111 \key)
4112 | | | | +--rw encryp\
4113 \ted-key
4114 | | | | +--rw (ke\
4115 \y-type)
4116 | | | | | +--:(s\
4117 \ymmetric-key-ref)
4118 | | | | | | +--\
4119 \rw symmetric-key-ref? leafref
4120 | | | | | | \
4121 \ {keystore-supported}?
4122 | | | | | +--:(a\
4123 \symmetric-key-ref)
4124 | | | | | +--\
4125 \rw asymmetric-key-ref? leafref
4126 | | | | | \
4127 \ {keystore-supported}?
4128 | | | | +--rw val\
4129 \ue?
4130 | | | | b\
4131 \inary
4132 | | | +--:(keystore)
4133 | | | {keystore-suppo\
4134 \rted}?
4135 | | | +--rw keystore-refere\
4136 \nce?
4137 | | | ks:symmetric-\
4138 \key-ref
4139 | | +--rw client-authentication!
4140 | | | {client-auth-config-supported}?
4141 | | | +--rw ca-certs!
4142 | | | | {x509-certificate-auth}?
4143 | | | | +--rw (local-or-truststore)
4144 | | | | +--:(local)
4145 | | | | | {local-definitions-su\
4146 \pported}?
4147 | | | | | +--rw local-definition
4148 | | | | | +--rw cert*
4149 | | | | | | trust-anchor-cer\
4150 \t-cms
4151 | | | | | +---n certificate-expira\
4152 \tion
4153 | | | | | +-- expiration-date
4154 | | | | | yang:date-and\
4155 \-time
4156 | | | | +--:(truststore)
4157 | | | | {truststore-supported\
4158 \,x509-certificates}?
4159 | | | | +--rw truststore-reference?
4160 | | | | ts:certificates-ref
4161 | | | +--rw client-certs!
4162 | | | | {x509-certificate-auth}?
4163 | | | | +--rw (local-or-truststore)
4164 | | | | +--:(local)
4165 | | | | | {local-definitions-su\
4166 \pported}?
4167 | | | | | +--rw local-definition
4168 | | | | | +--rw cert*
4169 | | | | | | trust-anchor-cer\
4170 \t-cms
4171 | | | | | +---n certificate-expira\
4172 \tion
4173 | | | | | +-- expiration-date
4174 | | | | | yang:date-and\
4175 \-time
4176 | | | | +--:(truststore)
4177 | | | | {truststore-supported\
4179 \,x509-certificates}?
4180 | | | | +--rw truststore-reference?
4181 | | | | ts:certificates-ref
4182 | | | +--rw raw-public-keys!
4183 | | | {raw-public-key-auth}?
4184 | | | +--rw (local-or-truststore)
4185 | | | +--:(local)
4186 | | | | {local-definitions-su\
4187 \pported}?
4188 | | | | +--rw local-definition
4189 | | | | +--rw raw-public-key*
4190 | | | | [name]
4191 | | | | +--rw name
4192 | | | | | string
4193 | | | | +--rw algorithm
4194 | | | | | iasa:asymmetr\
4195 \ic-algorithm-type
4196 | | | | +--rw public-key-form\
4197 \at?
4198 | | | | | identityref
4199 | | | | +--rw public-key
4200 | | | | binary
4201 | | | +--:(truststore)
4202 | | | {truststore-supported\
4203 \,raw-public-keys}?
4204 | | | +--rw truststore-reference?
4205 | | | ts:raw-public-keys-\
4206 \ref
4207 | | +--rw hello-params
4208 | | | {tls-server-hello-params-config\
4209 \}?
4210 | | | +--rw tls-versions
4211 | | | | +--rw tls-version* identityref
4212 | | | +--rw cipher-suites
4213 | | | +--rw cipher-suite* identityref
4214 | | +--rw keepalives!
4215 | | {tls-server-keepalives}?
4216 | | +--rw max-wait? uint16
4217 | | +--rw max-attempts? uint8
4218 | +--rw netconf-server-parameters
4219 | +--rw client-identity-mappings
4220 | {tls-listen or tls-call-home or\
4221 \ sshcmn:ssh-x509-certs}?
4222 | +--rw cert-to-name* [id]
4223 | +--rw id uint32
4224 | +--rw fingerprint?
4225 | | x509c2n:tls-fingerprint
4226 | +--rw map-type identityref
4227 | +--rw name string
4228 +--rw connection-type
4229 | +--rw (connection-type)
4230 | +--:(persistent-connection)
4231 | | +--rw persistent!
4232 | +--:(periodic-connection)
4233 | +--rw periodic!
4234 | +--rw period? uint16
4235 | +--rw anchor-time? yang:date-and-time
4236 | +--rw idle-timeout? uint16
4237 +--rw reconnect-strategy
4238 +--rw start-with? enumeration
4239 +--rw max-attempts? uint8

4241 Appendix B. Change Log

4243 B.1. 00 to 01

4245 o Renamed "keychain" to "keystore".

4247 B.2. 01 to 02

4249 o Added to ietf-netconf-client the ability to connect to a cluster of
4250 endpoints, including a reconnection-strategy.

4252 o Added to ietf-netconf-client the ability to configure connection-type
4253 and also keep-alive strategy.

4255 o Updated both modules to accommodate new groupings in the ssh/tls
4256 drafts.

4258 B.3. 02 to 03

4260 o Refined use of tls-client-grouping to add a must statement
4261 indicating that the TLS client must specify a client-certificate.

4263 o Changed 'netconf-client' to be a grouping (not a container).

4265 B.4. 03 to 04

4267 o Added RFC 8174 to Requirements Language Section.

4269 o Replaced refine statement in ietf-netconf-client to add a
4270 mandatory true.

4272 o Added refine statement in ietf-netconf-server to add a must
4273 statement.

4275 o Now there are containers and groupings, for both the client and
4276 server models.

4278 B.5. 04 to 05

4280 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

4282 o Updated examples to inline key and certificates (no longer a
4283 leafref to keystore).

4285 B.6. 05 to 06

4287 o Fixed change log missing section issue.
4289 o Updated examples to match latest updates to the crypto-types,
4290 trust-anchors, and keystore drafts.

4292 o Reduced line length of the YANG modules to fit within 69 columns.

4294 B.7. 06 to 07

4296 o Removed "idle-timeout" from "persistent" connection config.

4298 o Added "random-selection" for reconnection-strategy's "starts-with"
4299 enum.

4301 o Replaced "connection-type" choice default (persistent) with
4302 "mandatory true".

4304 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
4305 minutes.

4307 o Replaced reconnect-timeout with period/anchor-time combo.

4309 B.8. 07 to 08

4311 o Modified examples to be compatible with new crypto-types algs.

4313 B.9. 08 to 09

4315 o Corrected use of "mandatory true" for "address" leafs.

4317 o Updated examples to reflect update to groupings defined in the
4318 keystore draft.

4320 o Updated to use groupings defined in new TCP and HTTP drafts.

4322 o Updated copyright date, boilerplate template, affiliation, and
4323 folding algorithm.

4325 B.10. 09 to 10

4327 o Reformatted YANG modules.

4329 B.11. 10 to 11

4331 o Adjusted for the top-level "demux container" added to groupings
4332 imported from other modules.

4334 o Added "must" expressions to ensure that keepalives are not
4335 configured for "periodic" connections.

4337 o Updated the boilerplate text in module-level "description"
4338 statement to match copyeditor convention.

4340 o Moved "expanded" tree diagrams to the Appendix.

4342 B.12. 11 to 12

4344 o Removed the "Design Considerations" section.

4346 o Removed the 'must' statement limiting keepalives in periodic
4347 connections.

4349 o Updated models and examples to reflect removal of the "demux"
4350 containers in the imported models.

4352 o Updated the "periodic-connection" description statements to be
4353 more like the RESTCONF draft, especially where it described
4354 dropping the underlying TCP connection.

4356 o Updated text to better reference where certain examples come from
4357 (e.g., which Section in which draft).

4359 o In the server model, commented out the "must 'pinned-ca-certs or
4360 pinned-client-certs'" statement to reflect change made in the TLS
4361 draft whereby the trust anchors MAY be defined externally.

4363 o Replaced the 'listen', 'initiate', and 'call-home' features with
4364 boolean expressions.

4366 B.13. 12 to 13

4368 o Updated to reflect changes in trust-anchors drafts (e.g.,
4369 s/trust-anchors/truststore/g + s/pinned.//).

4371 B.14. 13 to 14

4373 o Adjusting from change in TLS client model (removing the top-level
4374 'certificate' container), by swapping refining-in a 'mandatory
4375 true' statement with a 'must' statement outside the 'uses'
4376 statement.

4378 o Updated examples to reflect ietf-crypto-types change (e.g.,
4379 identities --> enumerations).

4381 B.15. 14 to 15

4383 o Refactored both the client and server modules similar to how the
4384 ietf-restconf-server module was refactored in -13 of that draft,
4385 and the ietf-restconf-client grouping.

4387 B.16. 15 to 16

4389 o Added refinement to make "cert-to-name/fingerprint" be mandatory
4390 false.

4392 o Commented out refinement to "tls-server-grouping/client-authentication"
4393 until a better "must" expression is defined.

4395 B.17. 16 to 17

4397 o Updated examples to include the "*-key-format" nodes.

4399 o Updated examples to remove the "required" nodes.

4401 o Updated examples to remove the "client-auth-defined-elsewhere"
4402 nodes.

4404 Acknowledgements

4406 The author would like to thank the following for lively discussions
4407 on list and in the halls (ordered by last name): Andy Bierman, Martin
4408 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
4409 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
4410 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
4411 Wijnen.

4413 Author's Address

4415 Kent Watsen
4416 Watsen Networks

4418 EMail: kent+ietf@watsen.net
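The "netconf-server-parameters/client-identity-mappings/cert-to-name" list in the expanded tree above is where a TLS- or X.509-authenticated client certificate becomes the NETCONF username that access control (NACM) is applied to, so the order of the "id" keys and the optional pinned "fingerprint" decide which CA-issued certificate can ever be mapped to a privileged name. The following is an added example, not code from the draft or from any NETCONF implementation: it evaluates such a list against a presented certificate. It follows the x509c2n:tls-fingerprint encoding the tree imports from RFC 7407 (one leading octet carrying the TLS HashAlgorithm registry id, then the digest, hex with colons) and the RFC 7407 map-type identities. Certificate parsing is out of scope, so each "certificate" is a constructed dict of the fields the mapping needs; the rule that an absent fingerprint matches any certificate (the draft makes the leaf optional) and that an entry whose map-type cannot be satisfied is skipped are this example's assumptions.

```python
"""Added example (not part of the draft): evaluate a NETCONF server's
cert-to-name list against a presented client certificate."""
import hashlib
import hmac
from typing import List, Optional

# TLS HashAlgorithm registry values (RFC 5246) used as the leading octet
# of an x509c2n:tls-fingerprint.
HASH_ALG_ID = {"sha1": 2, "sha256": 4, "sha384": 5, "sha512": 6}
HASH_ALG_NAME = {v: k for k, v in HASH_ALG_ID.items()}

# map-type identity -> subjectAltName kind it selects (RFC 7407)
SAN_MAP_TYPES = {
    "x509c2n:san-rfc822-name": "rfc822Name",
    "x509c2n:san-dns-name": "dNSName",
    "x509c2n:san-ip-address": "iPAddress",
}


def tls_fingerprint(cert_der: bytes, alg: str = "sha256") -> str:
    """Encode a certificate digest as an x509c2n:tls-fingerprint string."""
    raw = bytes([HASH_ALG_ID[alg]]) + hashlib.new(alg, cert_der).digest()
    return ":".join(f"{b:02x}" for b in raw)


def fingerprint_matches(configured: str, cert_der: bytes) -> bool:
    """Recompute the digest with the algorithm named by the first octet and
    compare in constant time; malformed strings or unknown ids never match."""
    try:
        octets = bytes(int(x, 16) for x in configured.split(":"))
    except ValueError:
        return False
    alg = HASH_ALG_NAME.get(octets[0]) if octets else None
    if alg is None:
        return False
    return hmac.compare_digest(hashlib.new(alg, cert_der).digest(), octets[1:])


def map_cert_to_name(cert: dict, cert_to_name: List[dict]) -> Optional[str]:
    """Walk cert-to-name entries in ascending 'id' order and return the NETCONF
    username from the first entry that applies, or None if none does.
    Assumptions: no fingerprint means 'any certificate'; an entry whose
    map-type the certificate cannot satisfy is skipped, not treated as a
    failed authentication."""
    for entry in sorted(cert_to_name, key=lambda e: e["id"]):
        fp = entry.get("fingerprint")
        if fp is not None and not fingerprint_matches(fp, cert["der"]):
            continue
        map_type = entry["map-type"]
        if map_type == "x509c2n:specified":
            return entry["name"]
        if map_type == "x509c2n:common-name":
            if cert.get("common_name"):
                return cert["common_name"]
            continue
        wanted = SAN_MAP_TYPES.get(map_type)  # None for san-any / unknown
        if wanted is not None or map_type == "x509c2n:san-any":
            for kind, value in cert.get("san", []):
                if kind == wanted or (wanted is None and kind in SAN_MAP_TYPES.values()):
                    return value
    return None


# Constructed sample data: the "der" values are stand-ins, not real
# certificates; only their digests matter to the mapping.
ADMIN_CERT = {"der": b"constructed-der-admin-cert", "common_name": "alice",
              "san": [("rfc822Name", "alice@example.com")]}
DEVICE_CERT = {"der": b"constructed-der-device-cert", "common_name": "sensor-7",
               "san": [("dNSName", "sensor-7.example.com")]}
STRANGER_CERT = {"der": b"constructed-der-stranger-cert", "common_name": "", "san": []}

# 'name' is mandatory in the tree even where the map-type ignores it.
CERT_TO_NAME = [
    {"id": 1, "fingerprint": tls_fingerprint(ADMIN_CERT["der"]),   # pinned cert -> fixed name
     "map-type": "x509c2n:specified", "name": "admin"},
    {"id": 2, "map-type": "x509c2n:san-dns-name", "name": ""},      # any cert with a dNSName
    {"id": 3, "map-type": "x509c2n:common-name", "name": ""},       # else subject CN
]

if __name__ == "__main__":
    for cert in (ADMIN_CERT, DEVICE_CERT, STRANGER_CERT):
        print(tls_fingerprint(cert["der"])[:11], "->", map_cert_to_name(cert, CERT_TO_NAME))
```

Note that swapping entries 1 and 2 would let a CA-issued certificate carrying a dNSName win before the pinned admin entry is consulted; the "id" ordering is part of the policy, not just a list key.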
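The "call-home" branch of the tree ends with two small containers that carry most of the operational behaviour: "connection-type" (persistent, or periodic with "period", "anchor-time" and "idle-timeout") and "reconnect-strategy" ("start-with", "max-attempts"). The following is an added example, not code from the draft: it models the server side of that logic, choosing the endpoint order a NETCONF server tries for a configured netconf-client and computing when a periodic connection is next due. Its reading of the model is stated as assumptions in the code: "period" is in minutes, periodic connections fall on whole multiples of the period counted from "anchor-time" whether that anchor lies in the past or the future, "max-attempts" bounds the tries per endpoint before moving on to the next in list order (wrapping around), and the defaults of first-listed and 3 are the example's, not quoted from the tree. The transport connect itself is stubbed with a constructed flaky network.

```python
"""Added example (not part of the draft): Call Home endpoint selection and
periodic scheduling as modelled by ietf-netconf-server's call-home branch."""
import random
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


def next_periodic_connect(now: datetime, anchor_time: datetime,
                          period_minutes: int) -> datetime:
    """Earliest instant strictly after `now` of the form
    anchor_time + k*period, k integer (negative when the anchor is in the
    future).  Assumption: 'period' is expressed in minutes."""
    if period_minutes <= 0:
        raise ValueError("period must be positive")
    period = timedelta(minutes=period_minutes)
    k = (now - anchor_time) // period          # floor division of timedeltas
    return anchor_time + (k + 1) * period


def endpoint_order(endpoints: List[str], start_with: str,
                   last_connected: Optional[str] = None,
                   rng: Optional[random.Random] = None) -> List[str]:
    """Rotate the configured endpoint list so it begins where
    reconnect-strategy/start-with says; the rest follow in list order."""
    if not endpoints:
        return []
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # Assumption: with no remembered endpoint, fall back to the first.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value: {start_with}")
    return endpoints[start:] + endpoints[:start]


def call_home(endpoints: List[str], strategy: Dict[str, object],
              try_connect: Callable[[str], bool],
              last_connected: Optional[str] = None,
              rng: Optional[random.Random] = None
              ) -> Tuple[Optional[str], List[Tuple[str, int]]]:
    """One Call Home round: for each endpoint in strategy order, attempt
    try_connect(name) up to max-attempts times.  Returns the endpoint that
    accepted the connection (or None) and the (endpoint, attempt) trail."""
    max_attempts = int(strategy.get("max-attempts", 3))          # default assumed
    start_with = str(strategy.get("start-with", "first-listed"))  # default assumed
    trail: List[Tuple[str, int]] = []
    for name in endpoint_order(endpoints, start_with, last_connected, rng):
        for attempt in range(1, max_attempts + 1):
            trail.append((name, attempt))
            if try_connect(name):
                return name, trail
    return None, trail


def make_flaky_network(success_on: Dict[str, int]) -> Callable[[str], bool]:
    """Constructed stand-in for the TCP + SSH/TLS connect: endpoint `e`
    succeeds on its success_on[e]-th attempt within the round, never if absent."""
    counts: Dict[str, int] = {}

    def try_connect(name: str) -> bool:
        counts[name] = counts.get(name, 0) + 1
        return counts[name] == success_on.get(name)
    return try_connect


# Constructed sample configuration mirroring the tree's nodes.
ENDPOINTS = ["nms-primary", "nms-secondary", "nms-tertiary"]
STRATEGY = {"start-with": "first-listed", "max-attempts": 3}
ANCHOR = datetime(2019, 11, 20, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    chosen, trail = call_home(ENDPOINTS, STRATEGY, make_flaky_network({"nms-secondary": 2}))
    print("connected to", chosen, "after", trail)
    now = datetime(2019, 11, 20, 10, 15, tzinfo=timezone.utc)
    print("next periodic connect:", next_periodic_connect(now, ANCHOR, 60).isoformat())
```

Because the device is the TCP initiator but still the SSH/TLS server in Call Home, the tree keeps "ssh-server-parameters"/"tls-server-parameters" with their "client-authentication" under each endpoint: a device that calls out must still authenticate the management system that answers, and an endpoint list that can be rotated by "random-selection" should contain only endpoints configured with the same trust anchors.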