NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                           March 8, 2020
Expires: September 9, 2020

                   NETCONF Client and Server Models
              draft-ietf-netconf-netconf-client-server-18

Abstract

   This document defines two YANG modules, one module to configure a
   NETCONF client and the other module to configure a NETCONF server.
   Both modules support both the SSH and TLS transport protocols, and
   support both standard NETCONF and NETCONF Call Home connections.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  I-D.ietf-netconf-keystore

   o  I-D.ietf-netconf-tcp-client-server

   o  I-D.ietf-netconf-ssh-client-server

   o  I-D.ietf-netconf-tls-client-server

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "XXXX" --> the assigned RFC value for this draft

   o  "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
      server

   o  "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client-
      server

   o  "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
      server

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2020-03-08" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The NETCONF Client Model
     3.1.  Tree Diagram
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The NETCONF Server Model
     4.1.  Tree Diagram
     4.2.  Example Usage
     4.3.  YANG Module
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  The IETF XML Registry
     6.2.  The YANG Module Names Registry
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Expanded Tree Diagrams
     A.1.  Expanded Tree Diagram for 'ietf-netconf-client'
     A.2.  Expanded Tree Diagram for 'ietf-netconf-server'
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10. 09 to 10
     B.11. 10 to 11
     B.12. 11 to 12
     B.13. 12 to 13
     B.14. 13 to 14
     B.15. 14 to 15
     B.16. 15 to 16
     B.17. 16 to 17
     B.18. 17 to 18
   Acknowledgements
   Author's Address

1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a NETCONF [RFC6241] client and the other module to
   configure a NETCONF server.  Both modules support both NETCONF over
   SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home
   connections [RFC8071].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The NETCONF Client Model

   The NETCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home, using either the
   SSH or TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   client supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does show the nodes defined by "grouping" statements used by this
   module.
   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-client
     +--rw netconf-client
        +---u netconf-client-app-grouping

     grouping netconf-client-grouping
     grouping netconf-client-initiate-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-initiate}?
          |  +-- ssh
          |     +-- tcp-client-parameters
          |     |  +---u tcpc:tcp-client-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-initiate}?
             +-- tls
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-listen-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-listen}?
          |  +-- ssh
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- ssh-client-parameters
          |     |  +---u sshc:ssh-client-grouping
          |     +-- netconf-client-parameters
          +--:(tls) {tls-listen}?
             +-- tls
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- netconf-client-parameters
     grouping netconf-client-app-grouping
       +-- initiate! {ssh-initiate or tls-initiate}?
       |  +-- netconf-server* [name]
       |     +-- name?                 string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?    string
       |     |     +---u netconf-client-initiate-stack-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {ssh-listen or tls-listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?    string
             +---u netconf-client-listen-stack-grouping

3.2.  Example Usage

   The following example illustrates configuring a NETCONF client to
   initiate connections, using both the SSH and TLS transport protocols,
   as well as listening for call-home connections, again using both the
   SSH and TLS transport protocols.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   [Example XML instance data omitted: its element markup did not
   survive extraction.  The surviving leaf values show a NETCONF server
   named "corp-fw1" with endpoints corp-fw1.example.com (SSH) and
   corp-fw2.example.com (TLS), a "last-connected" reconnect strategy,
   and a call-home listener named "Intranet-facing listener" on
   192.0.2.7.]

3.3.  YANG Module

   This YANG module has normative references to [RFC6242], [RFC6991],
   [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].

   <CODE BEGINS> file "ietf-netconf-client@2020-03-08.yang"

   module ietf-netconf-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
     prefix ncc;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-ssh-client {
       prefix sshc;
       revision-date 2020-03-08; // stable grouping definitions
       reference
         "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-tls-client {
       prefix tlsc;
       revision-date 2020-03-08; // stable grouping definitions
       reference
         "RFC DDDD: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu";

     description
       "This module contains a collection of YANG definitions
        for configuring NETCONF clients.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2020-03-08 {
       description
         "Initial version";
       reference
         "RFC XXXX: NETCONF Client and Server Models";
     }

     // Features

     feature ssh-initiate {
       description
         "The 'ssh-initiate' feature indicates that the NETCONF client
          supports initiating SSH connections to NETCONF servers.";
       reference
         "RFC 6242:
            Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature tls-initiate {
       description
         "The 'tls-initiate' feature indicates that the NETCONF client
          supports initiating TLS connections to NETCONF servers.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport
                    Layer Security (TLS) with Mutual X.509 Authentication";
     }

     feature ssh-listen {
       description
         "The 'ssh-listen' feature indicates that the NETCONF client
          supports opening a port to listen for incoming NETCONF
          server call-home SSH connections.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF client
          supports opening a port to listen for incoming NETCONF
          server call-home TLS connections.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping netconf-client-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          without any consideration for how underlying transport
          sessions are established.

          This grouping currently doesn't define any nodes.";
     }

     grouping netconf-client-initiate-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          'initiate' protocol stack for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-initiate";
           container ssh {
             description
               "Specifies IP and SSH specific configuration
                for the connection.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "830";
                   description
                     "The NETCONF client will attempt to connect
                      to the IANA-assigned well-known port value
                      for 'netconf-ssh' (830) if no value is
                      specified.";
                 }
               }
             }
             container ssh-client-parameters {
               description
                 "A wrapper around the SSH client parameters to
                  avoid name collisions.";
               uses sshc:ssh-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-initiate";
           container tls {
             description
               "Specifies IP and TLS specific configuration
                for the connection.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "6513";
                   description
                     "The NETCONF client will attempt to connect
                      to the IANA-assigned well-known port value
                      for 'netconf-tls' (6513) if no value is
                      specified.";
                 }
               }
             }
             container tls-client-parameters {
               must "client-identity" {
                 description
                   "NETCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
       }
     } // netconf-client-initiate-stack-grouping

     grouping netconf-client-listen-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          'listen' protocol stack for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-listen";
           container ssh {
             description
               "SSH-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "4334";
                   description
                     "The NETCONF client will listen on the IANA-
                      assigned well-known port for 'netconf-ch-ssh'
                      (4334) if no value is specified.";
                 }
               }
             }
             container ssh-client-parameters {
               description
                 "A wrapper around the SSH client parameters
                  to avoid name collisions.";
               uses sshc:ssh-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-listen";
           container tls {
             description
               "TLS-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   // the TLS call-home port, not the SSH one (4334)
                   default "4335";
                   description
                     "The NETCONF client will listen on the IANA-
                      assigned well-known port for 'netconf-ch-tls'
                      (4335) if no value is specified.";
                 }
               }
             }
             container tls-client-parameters {
               must "client-identity" {
                 description
                   "NETCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container netconf-client-parameters {
               description
                 "A wrapper around the NETCONF client parameters
                  to avoid name collisions.";
               uses ncc:netconf-client-grouping;
             }
           }
         }
       }
     } // netconf-client-listen-stack-grouping

     grouping netconf-client-app-grouping {
       description
         "A reusable grouping for configuring a NETCONF client
          application that supports both 'initiate' and 'listen'
          protocol stacks for a multiplicity of connections.";
       container initiate {
         if-feature "ssh-initiate or tls-initiate";
         presence "Enables client to initiate TCP connections";
         description
           "Configures client initiating underlying TCP connections.";
         list netconf-server {
           key "name";
           min-elements 1;
           description
             "List of NETCONF servers the NETCONF client is to
              maintain simultaneous connections with.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF server.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A user-ordered list of endpoints that the NETCONF
                  client will attempt to connect to in the specified
                  sequence.  Defining more than one enables
                  high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for the endpoint.";
               }
               uses netconf-client-initiate-stack-grouping;
             } // list endpoint
           } // container endpoints

           container connection-type {
             description
               "Indicates the NETCONF client's preference for how the
                NETCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection is
                             to be maintained.";
                   description
                     "Maintain a persistent connection to the NETCONF
                      server.  If the connection goes down, immediately
                      start trying to reconnect to the NETCONF server,
                      using the reconnection strategy.

                      This connection type minimizes any NETCONF server
                      to NETCONF client data-transfer delay, albeit at
                      the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the NETCONF server.

                      This connection type increases resource
                      utilization, albeit with increased delay in
                      NETCONF server to NETCONF client interactions.

                      The NETCONF client should close the underlying
                      TCP connection upon completing planned activities.

                      In the case that the previous connection is still
                      active, establishing a new connection is NOT
                      RECOMMENDED.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which a
                        series of periodic connections are determined.
                        The periodic connections occur at a whole
                        multiple interval from the anchor time.  For
                        example, for an anchor time of 15 minutes past
                        midnight and a period interval of 24 hours, a
                        periodic connection will occur 15 minutes past
                        midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds that
                        a NETCONF session may remain idle.  A NETCONF
                        session will be dropped if it is idle for an
                        interval longer than this number of seconds.
                        If set to zero, then the NETCONF client will
                        never drop a session because it is idle.";
                   }
                 }
               }
             }
           }
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a NETCONF client
                reconnects to a NETCONF server, after discovering its
                connection to the server has dropped, even if due to a
                reboot.  The NETCONF client starts with the specified
                endpoint and tries to connect to it max-attempts times
                before trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start with
                      the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start with
                      the endpoint last connected to.  If no previous
                      connection has ever been established, then the
                      first endpoint configured is used.  NETCONF
                      clients SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the NETCONF server's endpoints
                  the NETCONF client should start with when trying
                  to connect to the NETCONF server.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the NETCONF client tries
                  to connect to a specific endpoint before moving on
                  to the next endpoint in the list (round robin).";
             }
           }
         } // netconf-server
       } // initiate

       container listen {
         if-feature "ssh-listen or tls-listen";
         presence "Enables client to accept call-home connections";
         description
           "Configures client accepting call-home TCP connections.";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default "3600"; // one hour
           description
             "Specifies the maximum number of seconds that a NETCONF
              session may remain idle.  A NETCONF session will be
              dropped if it is idle for an interval longer than this
              number of seconds.  If set to zero, then the server
              will never drop a session because it is idle.  Sessions
              that have a notification subscription active are never
              dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for NETCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF listen endpoint.";
           }
           uses netconf-client-listen-stack-grouping;
         } // endpoint
       } // listen
     } // netconf-client-app-grouping

     // Protocol accessible node, for servers that implement this
     // module.

     container netconf-client {
       uses netconf-client-app-grouping;
       description
         "Top-level container for NETCONF client configuration.";
     }
   }

   <CODE ENDS>

4.  The NETCONF Server Model

   The NETCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections, using either the SSH or TLS transport protocol.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the NETCONF
   server supports.

4.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-netconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-netconf-server
     +--rw netconf-server
        +---u netconf-server-app-grouping

     grouping netconf-server-grouping
       +-- client-identity-mappings
              {tls-listen or tls-call-home or sshcmn:ssh-x509-certs}?
          +---u x509c2n:cert-to-name
     grouping netconf-server-listen-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-listen}?
          |  +-- ssh
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- ssh-server-parameters
          |     |  +---u sshs:ssh-server-grouping
          |     +-- netconf-server-parameters
          |        +---u ncs:netconf-server-grouping
          +--:(tls) {tls-listen}?
             +-- tls
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- netconf-server-parameters
                   +---u ncs:netconf-server-grouping
     grouping netconf-server-callhome-stack-grouping
       +-- (transport)
          +--:(ssh) {ssh-call-home}?
          |  +-- ssh
          |     +-- tcp-client-parameters
          |     |  +---u tcpc:tcp-client-grouping
          |     +-- ssh-server-parameters
          |     |  +---u sshs:ssh-server-grouping
          |     +-- netconf-server-parameters
          |        +---u ncs:netconf-server-grouping
          +--:(tls) {tls-call-home}?
             +-- tls
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- netconf-server-parameters
                   +---u ncs:netconf-server-grouping
     grouping netconf-server-app-grouping
       +-- listen! {ssh-listen or tls-listen}?
       |  +-- idle-timeout?   uint16
       |  +-- endpoint* [name]
       |     +-- name?    string
       |     +---u netconf-server-listen-stack-grouping
       +-- call-home! {ssh-call-home or tls-call-home}?
          +-- netconf-client* [name]
             +-- name?                 string
             +-- endpoints
             |  +-- endpoint* [name]
             |     +-- name?    string
             |     +---u netconf-server-callhome-stack-grouping
             +-- connection-type
             |  +-- (connection-type)
             |     +--:(persistent-connection)
             |     |  +-- persistent!
             |     +--:(periodic-connection)
             |        +-- periodic!
             |           +-- period?         uint16
             |           +-- anchor-time?    yang:date-and-time
             |           +-- idle-timeout?   uint16
             +-- reconnect-strategy
                +-- start-with?     enumeration
                +-- max-attempts?   uint8
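   As an added worked example (not part of the draft or any IETF
   implementation), the following Python computes the two scheduling
   behaviours that both the client's 'initiate' and the server's
   'call-home' groupings above define: the next periodic connection time
   from 'anchor-time' and 'period', and the order in which endpoints are
   tried under 'reconnect-strategy'.  The endpoint names, timestamps and
   function names are constructed for illustration.

```python
"""Scheduling semantics of the 'periodic' and 'reconnect-strategy' nodes.

Added illustration, not code from the draft: it models the leaf
definitions in ietf-netconf-client (and the identical ones under
ietf-netconf-server's call-home) in plain Python.
"""
from __future__ import annotations

import random
import re
from datetime import datetime, timedelta

# The 'anchor-time' leaf restricts yang:date-and-time to minute granularity.
ANCHOR_TIME_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$')

# The 'start-with' enum values and the uint8 "1..max" range of 'max-attempts'.
START_WITH_VALUES = ('first-listed', 'last-connected', 'random-selection')
MAX_ATTEMPTS_RANGE = range(1, 256)


def parse_datetime(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into a timezone-aware datetime."""
    if value.endswith('Z'):  # fromisoformat rejects 'Z' before Python 3.11
        value = value[:-1] + '+00:00'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f'{value!r} has no timezone offset')
    return dt


def parse_anchor_time(value: str) -> datetime:
    """Parse 'anchor-time', enforcing the module's minute-granularity pattern."""
    if not ANCHOR_TIME_RE.match(value):
        raise ValueError(f'anchor-time {value!r} does not match the YANG pattern')
    return parse_datetime(value)


def next_periodic_connection(anchor_time: str, period_minutes: int, now: str) -> str:
    """Return the first scheduled connection time strictly after 'now'.

    Per the 'anchor-time' description, connections occur at whole multiples
    of 'period' from the anchor, which may lie in the past or the future.
    """
    if period_minutes <= 0:
        raise ValueError('period must be a positive number of minutes')
    anchor = parse_anchor_time(anchor_time)
    period = timedelta(minutes=period_minutes)
    # Floor division of timedeltas yields the number of whole periods that
    # have elapsed; it is negative when the anchor is still in the future.
    elapsed_periods = (parse_datetime(now) - anchor) // period
    return (anchor + (elapsed_periods + 1) * period).isoformat(timespec='minutes')


def reconnect_order(endpoints: list[str], start_with: str = 'first-listed',
                    max_attempts: int = 3, last_connected: str | None = None,
                    rng: random.Random | None = None) -> list[str]:
    """Return the endpoints a client tries after losing its connection.

    The client starts with the endpoint chosen by 'start-with', tries it
    'max-attempts' times, then moves to the next endpoint in the user-ordered
    list, round robin, until each endpoint has had its attempts once.
    """
    if not endpoints:
        raise ValueError("list 'endpoint' has min-elements 1")
    if max_attempts not in MAX_ATTEMPTS_RANGE:
        raise ValueError("max-attempts is uint8 with range '1..max'")
    if start_with not in START_WITH_VALUES:
        raise ValueError(f'unknown start-with value {start_with!r}')

    if start_with == 'first-listed':
        start = 0
    elif start_with == 'last-connected':
        # Fall back to the first configured endpoint when there is no history.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    else:  # 'random-selection'
        start = (rng or random).randrange(len(endpoints))

    rotated = endpoints[start:] + endpoints[:start]
    return [ep for ep in rotated for _ in range(max_attempts)]


if __name__ == '__main__':
    # Constructed values: a 00:15 UTC anchor with a 24-hour period, as in
    # the 'anchor-time' description, and three constructed endpoint names.
    print(next_periodic_connection('2020-03-08T00:15Z', 24 * 60, '2020-03-08T10:00Z'))
    print(reconnect_order(['east', 'west', 'backup'], 'last-connected', 2, 'west'))
```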
Example Usage 1029 The following example illustrates configuring a NETCONF server to 1030 listen for NETCONF client connections using both the SSH and TLS 1031 transport protocols, as well as configuring call-home to two NETCONF 1032 clients, one using SSH and the other using TLS. 1034 This example is consistent with the examples presented in Section 2 1035 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of 1036 [I-D.ietf-netconf-keystore]. 1038 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== 1040 1045 1046 1047 1048 netconf/ssh 1049 1050 1051 192.0.2.7 1052 1053 1054 1055 1056 deployment-specific-certificate 1057 1058 1059 rsa2048 1060 ct:ssh-public-key-format 1062 base64encodedvalue== 1063 ct:rsa-private-key-format 1065 base64encodedvalue== 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 netconf/tls 1083 1084 1085 192.0.2.7 1086 1087 1088 1089 1090 1091 rsa2048 1092 ct:subject-public-key-info-format\ 1093 1094 base64encodedvalue== 1095 ct:rsa-private-key-format 1097 base64encodedvalue== 1098 base64encodedvalue== 1099 1100 1102 1103 1104 1105 trusted-client-ca-certs 1107 1108 1109 trusted-client-ee-certs 1111 1112 1113 1114 1115 1116 1117 1 1118 11:0A:05:11:00 1119 x509c2n:specified 1120 scooby-doo 1121 1122 1123 2 1124 x509c2n:san-any 1125 1126 1127 1128 1129 1130 1132 1133 1134 1135 config-mgr 1136 1137 1138 east-data-center 1139 1140 1141 east.config-mgr.example.com 1143 1144 1145 1146 1147 deployment-specific-certificate 1148 1149 1150 rsa2048 1151 ct:ssh-public-key-format 1153 base64encodedvalue== 1154 ct:rsa-private-key-format<\ 1155 /private-key-format> 1156 base64encodedvalue== 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 west-data-center 1174 1175 1176 west.config-mgr.example.com 1178 1179 1180 1181 1182 deployment-specific-certificate 1183 1184 1185 rsa2048 1186 ct:ssh-public-key-format 1188 base64encodedvalue== 1189 ct:rsa-private-key-format<\ 1190 
/private-key-format> 1191 base64encodedvalue== 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 300 1211 60 1212 1213 1214 1215 last-connected 1216 3 1217 1218 1219 1220 data-collector 1221 1222 1223 east-data-center 1224 1225 1226 east.analytics.example.com 1228 1229 15 1230 3 1231 30 1232 1233 1234 1235 1236 1237 1238 rsa2048 1239 ct:subject-public-key-info-fo\ 1240 rmat 1241 base64encodedvalue== 1242 ct:rsa-private-key-format 1244 base64encodedvalue== 1245 base64encodedvalue== 1247 1248 1249 1250 1251 1252 trusted-client-ca-certs 1254 1255 1256 trusted-client-ee-certs 1258 1259 1260 1261 30 1262 3 1263 1264 1265 1266 1267 1268 1 1269 11:0A:05:11:00 1270 x509c2n:specified 1271 scooby-doo 1272 1273 1274 2 1275 x509c2n:san-any 1276 1277 1278 1279 1280 1281 1282 west-data-center 1283 1284 1285 west.analytics.example.com 1287 1288 15 1289 3 1290 30 1291 1292 1293 1294 1295 1296 1297 rsa2048 1298 ct:subject-public-key-info-fo\ 1299 rmat 1300 base64encodedvalue== 1301 ct:rsa-private-key-format 1303 base64encodedvalue== 1304 base64encodedvalue== 1305 1306 1307 1308 1309 1310 trusted-client-ca-certs 1312 1313 1314 trusted-client-ee-certs 1316 1317 1318 1319 30 1320 3 1321 1322 1323 1324 1325 1326 1 1327 11:0A:05:11:00 1328 x509c2n:specified 1329 scooby-doo 1330 1331 1332 2 1333 x509c2n:san-any 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 first-listed 1345 3 1346 1347 1348 1349 1351 4.3. YANG Module 1353 This YANG module has normative references to [RFC6242], [RFC6991], 1354 [RFC7407], [RFC7589], [RFC8071], 1355 [I-D.kwatsen-netconf-tcp-client-server], 1356 [I-D.ietf-netconf-ssh-client-server], and 1357 [I-D.ietf-netconf-tls-client-server]. 
   <CODE BEGINS> file "ietf-netconf-server@2020-03-08.yang"

   module ietf-netconf-server {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
     prefix ncs;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-x509-cert-to-name {
       prefix x509c2n;
       reference
         "RFC 7407: A YANG Data Model for SNMP Configuration";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-ssh-common {
       prefix sshcmn;
       revision-date 2020-03-08; // stable grouping definitions
       reference
         "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-ssh-server {
       prefix sshs;
       revision-date 2020-03-08; // stable grouping definitions
       reference
         "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers";
     }

     import ietf-tls-server {
       prefix tlss;
       revision-date 2020-03-08; // stable grouping definitions
       reference
         "RFC DDDD: YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu
        Author:   Juergen Schoenwaelder
       ";

     description
       "This module contains a collection of YANG definitions
        for configuring NETCONF servers.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2020-03-08 {
       description
         "Initial version";
       reference
         "RFC XXXX: NETCONF Client and Server Models";
     }

     // Features

     feature ssh-listen {
       description
         "The 'ssh-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over SSH
          client connections.";
       reference
         "RFC 6242:
            Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over TLS
          client connections.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport
                    Layer Security (TLS) with Mutual X.509
                    Authentication";
     }

     feature ssh-call-home {
       description
         "The 'ssh-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over SSH call
          home connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-call-home {
       description
         "The 'tls-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over TLS call
          home connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping netconf-server-grouping {
       description
         "A reusable grouping for configuring a NETCONF server
          without any consideration for how underlying transport
          sessions are established.

          Note that this grouping uses a fairly typical descendant
          node name such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue by wrapping the 'uses'
          statement in a container called, e.g.,
          'netconf-server-parameters'.  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

       container client-identity-mappings {
         if-feature
           "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";
         description
           "Specifies mappings through which NETCONF client X.509
            certificates are used to determine a NETCONF username.
            If no matching and valid cert-to-name list entry can be
            found, then the NETCONF server MUST close the connection,
            and MUST NOT accept NETCONF messages over it.";
         reference
           "RFC 7407: A YANG Data Model for SNMP Configuration.";
         uses x509c2n:cert-to-name {
           refine "cert-to-name/fingerprint" {
             mandatory false;
             description
               "A 'fingerprint' value does not need to be specified
                when the 'cert-to-name' mapping is independent of
                fingerprint matching.  A 'cert-to-name' having no
                fingerprint value will match any client certificate
                and therefore should only be present at the end of
                the user-ordered 'cert-to-name' list.";
           }
         }
       }

     }

     grouping netconf-server-listen-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF server
          'listen' protocol stack for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-listen";
           container ssh {
             description
               "SSH-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "830";
                   description
                     "The NETCONF server will listen on the
                      IANA-assigned well-known port value
                      for 'netconf-ssh' (830) if no value
                      is specified.";
                 }
               }
             }
             container ssh-server-parameters {
               description
                 "A wrapper around the SSH server parameters
                  to avoid name collisions.";
               uses sshs:ssh-server-grouping;
             }
             container netconf-server-parameters {
               description
                 "A wrapper around the NETCONF server parameters
                  to avoid name collisions.";
               uses ncs:netconf-server-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-listen";
           container tls {
             description
               "TLS-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "6513";
                   description
                     "The NETCONF server will listen on the
                      IANA-assigned well-known port value
                      for 'netconf-tls' (6513) if no value
                      is specified.";
                 }
               }
             }
             container tls-server-parameters {
               description
                 "A wrapper around the TLS server parameters to
                  avoid name collisions.";
               uses tlss:tls-server-grouping {
                 refine "client-authentication" {
                   must 'ca-certs or client-certs';
                   description
                     "NETCONF/TLS servers MUST validate client
                      certificates.";
                 }
               }
             }
             container netconf-server-parameters {
               description
                 "A wrapper around the NETCONF server parameters
                  to avoid name collisions.";
               uses ncs:netconf-server-grouping;
             }
           }
         }
       }
     }

     grouping netconf-server-callhome-stack-grouping {
       description
         "A reusable grouping for configuring a NETCONF server
          'call-home' protocol stack, for a single connection.";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.";
         case ssh {
           if-feature "ssh-call-home";
           container ssh {
             description
               "Specifies SSH-specific call-home transport
                configuration.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "4334";
                   description
                     "The NETCONF server will attempt to connect
                      to the IANA-assigned well-known port for
                      'netconf-ch-ssh' (4334) if no value is
                      specified.";
                 }
               }
             }
             container ssh-server-parameters {
               description
                 "A wrapper around the SSH server parameters
                  to avoid name collisions.";
               uses sshs:ssh-server-grouping;
             }
             container netconf-server-parameters {
               description
                 "A wrapper around the NETCONF server parameters
                  to avoid name collisions.";
               uses ncs:netconf-server-grouping;
             }
           }
         }
         case tls {
           if-feature "tls-call-home";
           container tls {
             description
               "Specifies TLS-specific call-home transport
                configuration.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "4335";
                   description
                     "The NETCONF server will attempt to connect
                      to the IANA-assigned well-known port for
                      'netconf-ch-tls' (4335) if no value is
                      specified.";
                 }
               }
             }
             container tls-server-parameters {
               description
                 "A wrapper around the TLS server parameters to
                  avoid name collisions.";
               uses tlss:tls-server-grouping; /* {
                 FIXME: commented out since auth could also be external.
                        ^-- need a better 'must' expression?
                 refine "client-authentication" {
                   must 'ca-certs or client-certs';
                   description
                     "NETCONF/TLS servers MUST validate client
                      certificates.";
                 }
               }*/
             }
             container netconf-server-parameters {
               description
                 "A wrapper around the NETCONF server parameters
                  to avoid name collisions.";
               uses ncs:netconf-server-grouping;
             }
           }
         }
       }
     }

     grouping netconf-server-app-grouping {
       description
         "A reusable grouping for configuring a NETCONF server
          application that supports both 'listen' and 'call-home'
          protocol stacks for a multiplicity of connections.";
       container listen {
         if-feature "ssh-listen or tls-listen";
         presence
           "Enables server to listen for NETCONF client connections.";
         description
           "Configures listen behavior";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that a NETCONF
              session may remain idle.  A NETCONF session will be
              dropped if it is idle for an interval longer than this
              number of seconds.  If set to zero, then the server
              will never drop a session because it is idle.  Sessions
              that have a notification subscription active are never
              dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for NETCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF listen endpoint.";
           }
           uses netconf-server-listen-stack-grouping;
         }
       }
       container call-home {
         if-feature "ssh-call-home or tls-call-home";
         presence
           "Enables the NETCONF server to initiate the underlying
            transport connection to NETCONF clients.";
         description "Configures call home behavior.";
         list netconf-client {
           key "name";
           min-elements 1;
           description
             "List of NETCONF clients the NETCONF server is to
              maintain simultaneous call-home connections with.";
           leaf name {
             type string;
             description
               "An arbitrary name for the remote NETCONF client.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A non-empty user-ordered list of endpoints for this
                  NETCONF server to try to connect to in sequence.
                  Defining more than one enables high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for this endpoint.";
               }
               uses netconf-server-callhome-stack-grouping;
             }
           }
           container connection-type {
             description
               "Indicates the NETCONF server's preference for how the
                NETCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection is
                             to be maintained.";
                   description
                     "Maintain a persistent connection to the NETCONF
                      client.  If the connection goes down, immediately
                      start trying to reconnect to the NETCONF client,
                      using the reconnection strategy.

                      This connection type minimizes any NETCONF client
                      to NETCONF server data-transfer delay, albeit at
                      the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the NETCONF client.

                      This connection type decreases resource
                      utilization, albeit with increased delay in
                      NETCONF client to NETCONF server interactions.

                      The NETCONF client SHOULD gracefully close the
                      connection using <close-session> upon completing
                      planned activities.  If the NETCONF session is
                      not closed gracefully, the NETCONF server MUST
                      immediately attempt to reestablish the connection.

                      In the case that the previous connection is still
                      active (i.e., the NETCONF client has not closed
                      it yet), establishing a new connection is NOT
                      RECOMMENDED.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which a
                        series of periodic connections are determined.
                        The periodic connections occur at a whole
                        multiple interval from the anchor time.  For
                        example, if the anchor time is 15 minutes past
                        midnight and the period interval is 24 hours,
                        then a periodic connection will occur 15 minutes
                        past midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds that
                        a NETCONF session may remain idle.  A NETCONF
                        session will be dropped if it is idle for an
                        interval longer than this number of seconds.
                        If set to zero, then the server will never
                        drop a session because it is idle.";
                   }
                 }
               } // case periodic-connection
             } // choice connection-type
           } // container connection-type
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a NETCONF server
                reconnects to a NETCONF client, after discovering its
                connection to the client has dropped, even if due to a
                reboot.  The NETCONF server starts with the specified
                endpoint and tries to connect to it max-attempts times
                before trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start with
                      the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start with
                      the endpoint last connected to.  If no previous
                      connection has ever been established, then the
                      first endpoint configured is used.  NETCONF
                      servers SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the NETCONF client's endpoints
                  the NETCONF server should start with when trying
                  to connect to the NETCONF client.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the NETCONF server tries
                  to connect to a specific endpoint before moving on
                  to the next endpoint in the list (round robin).";
             }
           } // container reconnect-strategy

         } // list netconf-client
       } // container call-home
     } // grouping netconf-server-app-grouping

     // Protocol accessible node, for servers that implement this
     // module.

     container netconf-server {
       uses netconf-server-app-grouping;
       description
         "Top-level container for NETCONF server configuration.";
     }
   }

   <CODE ENDS>

5.  Security Considerations

   The YANG module defined in this document uses groupings defined in
   [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-ssh-client-server], and
   [I-D.ietf-netconf-tls-client-server].  Please see the Security
   Considerations section in those documents for concerns related to
   those groupings.

   The YANG modules defined in this document are designed to be accessed
   via YANG-based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.
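   As an added, illustrative implementation (not code from this draft
   or from any NETCONF project), the following Python models how a
   server walks the user-ordered 'cert-to-name' list of the
   'client-identity-mappings' container in Section 4.3 to derive a
   NETCONF username, and flags the ordering problem the refined
   'fingerprint' description warns about: a fingerprint-less entry that
   is not last shadows every entry after it.  Certificates are
   constructed stand-ins holding only the fields the RFC 7407 map-types
   consult; the fingerprint encoding (hash-algorithm octet followed by
   the digest) and the skip-and-continue behaviour when a map-type
   yields no name are this example's assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 7407 'tls-fingerprint' (assumed encoding here): the first octet is the
# TLS HashAlgorithm registry id, the remaining octets are the digest.
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
                   5: "sha384", 6: "sha512"}


@dataclass
class ClientCert:
    """Constructed stand-in for a parsed client certificate."""
    der: bytes                                  # bytes the fingerprint covers
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)
    common_name: Optional[str] = None


@dataclass
class CertToName:
    """One user-ordered 'cert-to-name' entry (x509c2n:cert-to-name)."""
    id: int
    map_type: str                      # 'specified', 'san-any', 'common-name', ...
    fingerprint: Optional[str] = None  # optional: ncs refines it to mandatory false
    name: Optional[str] = None         # consulted only for map_type 'specified'


def fingerprint_of(cert: ClientCert, alg_id: int = 4) -> str:
    """Render a fingerprint string such as '04:AB:CD:...' for a certificate."""
    digest = hashlib.new(HASH_ALGORITHMS[alg_id], cert.der).digest()
    return ":".join(f"{octet:02X}" for octet in bytes([alg_id]) + digest)


def fingerprint_matches(entry: CertToName, cert: ClientCert) -> bool:
    """An entry without a fingerprint matches every certificate."""
    if entry.fingerprint is None:
        return True
    octets = bytes.fromhex(entry.fingerprint.replace(":", ""))
    if len(octets) < 2:
        return False
    alg = HASH_ALGORITHMS.get(octets[0])
    if alg is None:                      # unknown hash algorithm: never matches
        return False
    return hashlib.new(alg, cert.der).digest() == octets[1:]


def name_from_entry(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Apply the entry's map-type; None when the certificate lacks the field."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.common_name
    bags = {"san-rfc822-name": [cert.san_rfc822],
            "san-dns-name": [cert.san_dns],
            "san-ip-address": [cert.san_ip],
            "san-any": [cert.san_rfc822, cert.san_dns, cert.san_ip]}
    for bag in bags.get(entry.map_type, []):
        if bag:
            return bag[0]
    return None


def map_client_to_username(entries: List[CertToName],
                           cert: ClientCert) -> Optional[str]:
    """Walk the list in user order.  None means no entry matched: the server
    MUST close the connection and MUST NOT accept NETCONF messages over it."""
    for entry in entries:
        if fingerprint_matches(entry, cert):
            name = name_from_entry(entry, cert)
            if name is not None:
                return name
    return None


def shadowing_entries(entries: List[CertToName]) -> List[int]:
    """Ids of fingerprint-less entries that are not last in the list: every
    entry after them is unreachable, the ordering the refine text warns against."""
    return [e.id for i, e in enumerate(entries)
            if e.fingerprint is None and i < len(entries) - 1]


# Constructed sample data mirroring the draft's two-entry mapping.
CERT_A = ClientCert(der=b"constructed DER for client A", san_dns=["a.example.com"])
CERT_B = ClientCert(der=b"constructed DER for client B", san_rfc822=["ops@example.com"])
CERT_C = ClientCert(der=b"constructed DER for client C")      # no SAN at all
ENTRIES = [
    CertToName(id=1, map_type="specified", fingerprint=fingerprint_of(CERT_A),
               name="scooby-doo"),
    CertToName(id=2, map_type="san-any"),    # fingerprint-less fallback, kept last
]
```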
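   As an added, illustrative model (not part of this draft), the
   following Python implements the 'periodic' connection timing and the
   'reconnect-strategy' round robin described in
   'netconf-server-app-grouping' in Section 4.3, reusing the module's
   own 'anchor-time' pattern.  The endpoint names and function
   signatures are this example's own.

```python
import random
import re
from datetime import datetime, timedelta
from typing import List, Optional, Sequence

# The 'anchor-time' pattern from the module: minute granularity plus a zone.
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def parse_anchor_time(text: str) -> datetime:
    """Parse an 'anchor-time' value, rejecting anything outside the pattern."""
    if not ANCHOR_TIME_RE.match(text):
        raise ValueError(f"anchor-time violates the module pattern: {text!r}")
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def next_periodic_connection(anchor: datetime, period_minutes: int,
                             now: datetime) -> datetime:
    """Next instant at a whole multiple of 'period' from the anchor that is not
    before 'now'.  'period' is the leaf's uint16 value in minutes; the anchor
    may lie before or after 'now', as the leaf description allows."""
    if not 1 <= period_minutes <= 65535:
        raise ValueError("period is a uint16 number of minutes")
    period = timedelta(minutes=period_minutes)
    whole_periods = (now - anchor) // period      # floors, also when now < anchor
    candidate = anchor + whole_periods * period
    return candidate if candidate >= now else candidate + period


def reconnect_sequence(endpoints: Sequence[str], start_with: str = "first-listed",
                       max_attempts: int = 3, last_connected: Optional[str] = None,
                       rng: Optional[random.Random] = None) -> List[str]:
    """One round-robin pass over a 'netconf-client' endpoint list: the starting
    endpoint follows 'start-with', and each endpoint is tried 'max-attempts'
    times before moving on to the next one."""
    if not endpoints:
        raise ValueError("endpoint list has min-elements 1")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # falls back to the first endpoint when nothing was ever connected
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with enum: {start_with!r}")
    rotated = [endpoints[(start + i) % len(endpoints)] for i in range(len(endpoints))]
    return [ep for ep in rotated for _ in range(max_attempts)]
```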
   There are a number of data nodes defined in the YANG modules that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  Some of these data nodes may be considered sensitive or
   vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   None of the subtrees or data nodes in the modules defined in this
   document need to be protected from write operations.

   Some of the readable data nodes in the YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   None of the subtrees or data nodes in the modules defined in this
   document need to be protected from read operations.

   Some of the RPC operations in the YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  These are the
   operations and their sensitivity/vulnerability:

   The modules defined in this document do not define any 'RPC' or
   'action' statements.

6.  IANA Considerations

6.1.  The IETF XML Registry

   This document registers two URIs in the "ns" subregistry of the IETF
   XML Registry [RFC3688].  Following the format in [RFC3688], the
   following registrations are requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

6.2.  The YANG Module Names Registry

   This document registers two YANG modules in the YANG Module Names
   registry [RFC6020].  Following the format in [RFC6020], the
   following registrations are requested:

      name:         ietf-netconf-client
      namespace:    urn:ietf:params:xml:ns:yang:ietf-netconf-client
      prefix:       ncc
      reference:    RFC XXXX

      name:         ietf-netconf-server
      namespace:    urn:ietf:params:xml:ns:yang:ietf-netconf-server
      prefix:       ncs
      reference:    RFC XXXX

7.  References

7.1.  Normative References

   [I-D.ietf-netconf-keystore]
              Watsen, K., "A YANG Data Model for a Keystore", draft-
              ietf-netconf-keystore-15 (work in progress), November
              2019.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH
              Clients and SSH Servers", draft-ietf-netconf-ssh-client-
              server-17 (work in progress), November 2019.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
              Clients and TLS Servers", draft-ietf-netconf-tls-client-
              server-17 (work in progress), November 2019.

   [I-D.kwatsen-netconf-tcp-client-server]
              Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
              and TCP Servers", draft-kwatsen-netconf-tcp-client-
              server-02 (work in progress), April 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
2055 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2056 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2057 . 2059 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 2060 RFC 6991, DOI 10.17487/RFC6991, July 2013, 2061 . 2063 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for 2064 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, 2065 December 2014, . 2067 [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the 2068 NETCONF Protocol over Transport Layer Security (TLS) with 2069 Mutual X.509 Authentication", RFC 7589, 2070 DOI 10.17487/RFC7589, June 2015, 2071 . 2073 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2074 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2075 . 2077 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2078 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2079 May 2017, . 2081 7.2. Informative References 2083 [I-D.ietf-netconf-trust-anchors] 2084 Watsen, K., "A YANG Data Model for a Truststore", draft- 2085 ietf-netconf-trust-anchors-08 (work in progress), November 2086 2019. 2088 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2089 DOI 10.17487/RFC3688, January 2004, 2090 . 2092 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 2093 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2094 . 2096 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 2097 RFC 8071, DOI 10.17487/RFC8071, February 2017, 2098 . 2100 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 2101 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 2102 . 2104 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 2105 Access Control Model", STD 91, RFC 8341, 2106 DOI 10.17487/RFC8341, March 2018, 2107 . 2109 Appendix A. Expanded Tree Diagrams 2111 A.1. 
Expanded Tree Diagram for 'ietf-netconf-client' 2113 The following tree diagram [RFC8340] provides an overview of the data 2114 model for the "ietf-netconf-client" module. 2116 This tree diagram shows all the nodes defined in this module, 2117 including those defined by "grouping" statements used by this module. 2119 Please see Section 3.1 for a tree diagram that illustrates what the 2120 module looks like without all the "grouping" statements expanded. 2122 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ========== 2124 module: ietf-netconf-client 2125 +--rw netconf-client 2126 +--rw initiate! {ssh-initiate or tls-initiate}? 2127 | +--rw netconf-server* [name] 2128 | +--rw name string 2129 | +--rw endpoints 2130 | | +--rw endpoint* [name] 2131 | | +--rw name string 2132 | | +--rw (transport) 2133 | | +--:(ssh) {ssh-initiate}? 2134 | | | +--rw ssh 2135 | | | +--rw tcp-client-parameters 2136 | | | | +--rw remote-address inet:host 2137 | | | | +--rw remote-port? inet:port-number 2138 | | | | +--rw local-address? inet:ip-address 2139 | | | | | {local-binding-supported}? 2140 | | | | +--rw local-port? inet:port-number 2141 | | | | | {local-binding-supported}? 2142 | | | | +--rw keepalives! 2143 | | | | {keepalives-supported}? 2144 | | | | +--rw idle-time uint16 2145 | | | | +--rw max-probes uint16 2146 | | | | +--rw probe-interval uint16 2147 | | | +--rw ssh-client-parameters 2148 | | | | +--rw client-identity 2149 | | | | | +--rw username? string 2150 | | | | | +--rw (auth-type) 2151 | | | | | +--:(public-key) 2152 | | | | | | +--rw public-key 2153 | | | | | | +--rw (local-or-keystore) 2154 | | | | | | +--:(local) 2155 | | | | | | | {local-definiti\ 2156 \ons-supported}? 
2157 | | | | | | | +--rw local-definition 2158 | | | | | | | +--rw algorithm 2159 | | | | | | | | iasa:asymm\ 2160 \etric-algorithm-type 2161 | | | | | | | +--rw public-key-f\ 2162 \ormat 2163 | | | | | | | | identityref 2164 | | | | | | | +--rw public-key 2165 | | | | | | | | binary 2166 | | | | | | | +--rw private-key-\ 2167 \format? 2168 | | | | | | | | identityref 2169 | | | | | | | +--rw (private-key\ 2170 \-type) 2171 | | | | | | | +--:(private-ke\ 2172 \y) 2173 | | | | | | | | +--rw privat\ 2174 \e-key? 2175 | | | | | | | | bina\ 2176 \ry 2177 | | | | | | | +--:(hidden-pri\ 2178 \vate-key) 2179 | | | | | | | | +--rw hidden\ 2180 \-private-key? 2181 | | | | | | | | empty 2182 | | | | | | | +--:(encrypted-\ 2183 \private-key) 2184 | | | | | | | +--rw encryp\ 2185 \ted-private-key 2186 | | | | | | | +--rw (ke\ 2187 \y-type) 2188 | | | | | | | | +--:(s\ 2189 \ymmetric-key-ref) 2190 | | | | | | | | | +--\ 2191 \rw symmetric-key-ref? leafref 2192 | | | | | | | | | \ 2193 \ {keystore-supported}? 2194 | | | | | | | | +--:(a\ 2195 \symmetric-key-ref) 2196 | | | | | | | | +--\ 2197 \rw asymmetric-key-ref? leafref 2198 | | | | | | | | \ 2199 \ {keystore-supported}? 2200 | | | | | | | +--rw val\ 2201 \ue? 2202 | | | | | | | b\ 2203 \inary 2204 | | | | | | +--:(keystore) 2205 | | | | | | {keystore-suppo\ 2206 \rted}? 2207 | | | | | | +--rw keystore-refere\ 2208 \nce? 2209 | | | | | | ks:asymmetric\ 2210 \-key-ref 2211 | | | | | +--:(password) 2212 | | | | | | +--rw password? string 2213 | | | | | | {client-identity-passw\ 2214 \ord}? 2215 | | | | | +--:(hostbased) 2216 | | | | | | +--rw hostbased 2217 | | | | | | {client-identity-hostb\ 2218 \ased}? 2219 | | | | | | +--rw (local-or-keystore) 2220 | | | | | | +--:(local) 2221 | | | | | | | {local-definiti\ 2222 \ons-supported}? 
2223 | | | | | | | +--rw local-definition 2224 | | | | | | | +--rw algorithm 2225 | | | | | | | | iasa:asymm\ 2226 \etric-algorithm-type 2227 | | | | | | | +--rw public-key-f\ 2228 \ormat 2229 | | | | | | | | identityref 2230 | | | | | | | +--rw public-key 2231 | | | | | | | | binary 2232 | | | | | | | +--rw private-key-\ 2233 \format? 2234 | | | | | | | | identityref 2235 | | | | | | | +--rw (private-key\ 2236 \-type) 2237 | | | | | | | +--:(private-ke\ 2238 \y) 2239 | | | | | | | | +--rw privat\ 2240 \e-key? 2241 | | | | | | | | bina\ 2242 \ry 2243 | | | | | | | +--:(hidden-pri\ 2244 \vate-key) 2245 | | | | | | | | +--rw hidden\ 2246 \-private-key? 2247 | | | | | | | | empty 2248 | | | | | | | +--:(encrypted-\ 2249 \private-key) 2250 | | | | | | | +--rw encryp\ 2251 \ted-private-key 2252 | | | | | | | +--rw (ke\ 2254 \y-type) 2255 | | | | | | | | +--:(s\ 2256 \ymmetric-key-ref) 2257 | | | | | | | | | +--\ 2258 \rw symmetric-key-ref? leafref 2259 | | | | | | | | | \ 2260 \ {keystore-supported}? 2261 | | | | | | | | +--:(a\ 2262 \symmetric-key-ref) 2263 | | | | | | | | +--\ 2264 \rw asymmetric-key-ref? leafref 2265 | | | | | | | | \ 2266 \ {keystore-supported}? 2267 | | | | | | | +--rw val\ 2268 \ue? 2269 | | | | | | | b\ 2270 \inary 2271 | | | | | | +--:(keystore) 2272 | | | | | | {keystore-suppo\ 2273 \rted}? 2274 | | | | | | +--rw keystore-refere\ 2275 \nce? 2276 | | | | | | ks:asymmetric\ 2277 \-key-ref 2278 | | | | | +--:(none) 2279 | | | | | | +--rw none? empty 2280 | | | | | | {client-identity-none}? 2281 | | | | | +--:(certificate) 2282 | | | | | +--rw certificate 2283 | | | | | {sshcmn:ssh-x509-certs\ 2284 \}? 2285 | | | | | +--rw (local-or-keystore) 2286 | | | | | +--:(local) 2287 | | | | | | {local-definiti\ 2288 \ons-supported}? 
| | | | | | +--rw local-definition
| | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | +--rw public-key-format  identityref
| | | | | | +--rw public-key  binary
| | | | | | +--rw private-key-format?  identityref
| | | | | | +--rw (private-key-type)
| | | | | | | +--:(private-key)
| | | | | | | | +--rw private-key?  binary
| | | | | | | +--:(hidden-private-key)
| | | | | | | | +--rw hidden-private-key?  empty
| | | | | | | +--:(encrypted-private-key)
| | | | | | | +--rw encrypted-private-key
| | | | | | | +--rw (key-type)
| | | | | | | | +--:(symmetric-key-ref)
| | | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | | +--:(asymmetric-key-ref)
| | | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--rw value?  binary
| | | | | | +--rw cert?  end-entity-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | | +-- expiration-date  yang:date-and-time
| | | | | | +---x generate-certificate-signing-request
| | | | | | +---w input
| | | | | | | +---w subject  binary
| | | | | | | +---w attributes?  binary
| | | | | | +--ro output
| | | | | | +--ro certificate-signing-request  binary
| | | | | +--:(keystore) {keystore-supported}?
| | | | | +--rw keystore-reference
| | | | | +--rw asymmetric-key?  ks:asymmetric-key-ref
| | | | | +--rw certificate?  leafref
| | | | +--rw server-authentication
| | | | | +--rw ssh-host-keys!
| | | | | | +--rw (local-or-truststore)
| | | | | | +--:(local) {local-definitions-supported}?
| | | | | | | +--rw local-definition
| | | | | | | +--rw public-key* [name]
| | | | | | | +--rw name  string
| | | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | | +--rw public-key-format  identityref
| | | | | | | +--rw public-key  binary
| | | | | | +--:(truststore) {truststore-supported,public-keys}?
| | | | | | +--rw truststore-reference?  ts:public-key-bag-ref
| | | | | +--rw ca-certs! {sshcmn:ssh-x509-certs}?
| | | | | | +--rw (local-or-truststore)
| | | | | | +--:(local) {local-definitions-supported}?
| | | | | | | +--rw local-definition
| | | | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | | | +---n certificate-expiration
| | | | | | | +-- expiration-date  yang:date-and-time
| | | | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | | | +--rw server-certs! {sshcmn:ssh-x509-certs}?
| | | | | +--rw (local-or-truststore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | +-- expiration-date  yang:date-and-time
| | | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | | +--rw transport-params {ssh-client-transport-params-config}?
| | | | | +--rw host-key
| | | | | | +--rw host-key-alg*  identityref
| | | | | +--rw key-exchange
| | | | | | +--rw key-exchange-alg*  identityref
| | | | | +--rw encryption
| | | | | | +--rw encryption-alg*  identityref
| | | | | +--rw mac
| | | | | +--rw mac-alg*  identityref
| | | | +--rw keepalives! {ssh-client-keepalives}?
| | | | +--rw max-wait?  uint16
| | | | +--rw max-attempts?  uint8
| | | +--rw netconf-client-parameters
| | +--:(tls) {tls-initiate}?
| | +--rw tls
| | +--rw tcp-client-parameters
| | | +--rw remote-address  inet:host
| | | +--rw remote-port?  inet:port-number
| | | +--rw local-address?  inet:ip-address {local-binding-supported}?
| | | +--rw local-port?  inet:port-number {local-binding-supported}?
| | | +--rw keepalives! {keepalives-supported}?
| | | +--rw idle-time  uint16
| | | +--rw max-probes  uint16
| | | +--rw probe-interval  uint16
| | +--rw tls-client-parameters
| | | +--rw client-identity
| | | | +--rw (auth-type)?
| | | | +--:(certificate) {x509-certificate-auth}?
| | | | | +--rw certificate
| | | | | +--rw (local-or-keystore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | +--rw public-key-format  identityref
| | | | | | +--rw public-key  binary
| | | | | | +--rw private-key-format?  identityref
| | | | | | +--rw (private-key-type)
| | | | | | | +--:(private-key)
| | | | | | | | +--rw private-key?  binary
| | | | | | | +--:(hidden-private-key)
| | | | | | | | +--rw hidden-private-key?  empty
| | | | | | | +--:(encrypted-private-key)
| | | | | | | +--rw encrypted-private-key
| | | | | | | +--rw (key-type)
| | | | | | | | +--:(symmetric-key-ref)
| | | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | | +--:(asymmetric-key-ref)
| | | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--rw value?  binary
| | | | | | +--rw cert?  end-entity-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | | +-- expiration-date  yang:date-and-time
| | | | | | +---x generate-certificate-signing-request
| | | | | | +---w input
| | | | | | | +---w subject  binary
| | | | | | | +---w attributes?  binary
| | | | | | +--ro output
| | | | | | +--ro certificate-signing-request  binary
| | | | | +--:(keystore) {keystore-supported}?
| | | | | +--rw keystore-reference
| | | | | +--rw asymmetric-key?  ks:asymmetric-key-ref
| | | | | +--rw certificate?  leafref
| | | | +--:(raw-public-key) {raw-public-key-auth}?
| | | | | +--rw raw-private-key
| | | | | +--rw (local-or-keystore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | +--rw public-key-format  identityref
| | | | | | +--rw public-key  binary
| | | | | | +--rw private-key-format?  identityref
| | | | | | +--rw (private-key-type)
| | | | | | +--:(private-key)
| | | | | | | +--rw private-key?  binary
| | | | | | +--:(hidden-private-key)
| | | | | | | +--rw hidden-private-key?  empty
| | | | | | +--:(encrypted-private-key)
| | | | | | +--rw encrypted-private-key
| | | | | | +--rw (key-type)
| | | | | | | +--:(symmetric-key-ref)
| | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--:(asymmetric-key-ref)
| | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--rw value?  binary
| | | | | +--:(keystore) {keystore-supported}?
| | | | | +--rw keystore-reference?  ks:asymmetric-key-ref
| | | | +--:(psk) {psk-auth}?
| | | | +--rw psk
| | | | +--rw (local-or-keystore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw algorithm  isa:symmetric-algorithm-type
| | | | | +--rw key-format?  identityref
| | | | | +--rw (key-type)
| | | | | | +--:(key)
| | | | | | | +--rw key?  binary
| | | | | | +--:(hidden-key)
| | | | | | | +--rw hidden-key?  empty
| | | | | | +--:(encrypted-key)
| | | | | | +--rw encrypted-key
| | | | | | +--rw (key-type)
| | | | | | | +--:(symmetric-key-ref)
| | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--:(asymmetric-key-ref)
| | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--rw value?  binary
| | | | | +--rw id?  string {ks:local-definitions-supported}?
| | | | +--:(keystore) {keystore-supported}?
| | | | +--rw keystore-reference?  ks:symmetric-key-ref
| | | +--rw server-authentication
| | | | +--rw ca-certs! {x509-certificate-auth}?
| | | | | +--rw (local-or-truststore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | +-- expiration-date  yang:date-and-time
| | | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | | +--rw server-certs! {x509-certificate-auth}?
| | | | | +--rw (local-or-truststore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | +-- expiration-date  yang:date-and-time
| | | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | | +--rw raw-public-keys! {raw-public-key-auth}?
| | | | | +--rw (local-or-truststore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw public-key* [name]
| | | | | | +--rw name  string
| | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | +--rw public-key-format  identityref
| | | | | | +--rw public-key  binary
| | | | | +--:(truststore) {truststore-supported,public-keys}?
| | | | | +--rw truststore-reference?  ts:public-key-bag-ref
| | | | +--rw psks! {psk-auth}?
| | | +--rw hello-params {tls-client-hello-params-config}?
| | | | +--rw tls-versions
| | | | | +--rw tls-version*  identityref
| | | | +--rw cipher-suites
| | | | +--rw cipher-suite*  identityref
| | | +--rw keepalives! {tls-client-keepalives}?
| | | +--rw max-wait?  uint16
| | | +--rw max-attempts?  uint8
| | +--rw netconf-client-parameters
| +--rw connection-type
| | +--rw (connection-type)
| | +--:(persistent-connection)
| | | +--rw persistent!
| | +--:(periodic-connection)
| | +--rw periodic!
| | +--rw period?  uint16
| | +--rw anchor-time?  yang:date-and-time
| | +--rw idle-timeout?  uint16
| +--rw reconnect-strategy
| +--rw start-with?  enumeration
| +--rw max-attempts?  uint8
+--rw listen! {ssh-listen or tls-listen}?
+--rw idle-timeout?  uint16
+--rw endpoint* [name]
+--rw name  string
+--rw (transport)
+--:(ssh) {ssh-listen}?
| +--rw ssh
| +--rw tcp-server-parameters
| | +--rw local-address  inet:ip-address
| | +--rw local-port?  inet:port-number
| | +--rw keepalives! {keepalives-supported}?
| | +--rw idle-time  uint16
| | +--rw max-probes  uint16
| | +--rw probe-interval  uint16
| +--rw ssh-client-parameters
| | +--rw client-identity
| | | +--rw username?  string
| | | +--rw (auth-type)
| | | +--:(public-key)
| | | | +--rw public-key
| | | | +--rw (local-or-keystore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | +--rw public-key-format  identityref
| | | | | +--rw public-key  binary
| | | | | +--rw private-key-format?  identityref
| | | | | +--rw (private-key-type)
| | | | | +--:(private-key)
| | | | | | +--rw private-key?  binary
| | | | | +--:(hidden-private-key)
| | | | | | +--rw hidden-private-key?  empty
| | | | | +--:(encrypted-private-key)
| | | | | +--rw encrypted-private-key
| | | | | +--rw (key-type)
| | | | | | +--:(symmetric-key-ref)
| | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--:(asymmetric-key-ref)
| | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--rw value?  binary
| | | | +--:(keystore) {keystore-supported}?
| | | | +--rw keystore-reference?  ks:asymmetric-key-ref
| | | +--:(password)
| | | | +--rw password?  string {client-identity-password}?
| | | +--:(hostbased)
| | | | +--rw hostbased {client-identity-hostbased}?
| | | | +--rw (local-or-keystore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | +--rw public-key-format  identityref
| | | | | +--rw public-key  binary
| | | | | +--rw private-key-format?  identityref
| | | | | +--rw (private-key-type)
| | | | | +--:(private-key)
| | | | | | +--rw private-key?  binary
| | | | | +--:(hidden-private-key)
| | | | | | +--rw hidden-private-key?  empty
| | | | | +--:(encrypted-private-key)
| | | | | +--rw encrypted-private-key
| | | | | +--rw (key-type)
| | | | | | +--:(symmetric-key-ref)
| | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--:(asymmetric-key-ref)
| | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--rw value?  binary
| | | | +--:(keystore) {keystore-supported}?
| | | | +--rw keystore-reference?  ks:asymmetric-key-ref
| | | +--:(none)
| | | | +--rw none?  empty {client-identity-none}?
| | | +--:(certificate)
| | | +--rw certificate {sshcmn:ssh-x509-certs}?
| | | +--rw (local-or-keystore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | +--rw public-key-format  identityref
| | | | +--rw public-key  binary
| | | | +--rw private-key-format?  identityref
| | | | +--rw (private-key-type)
| | | | | +--:(private-key)
| | | | | | +--rw private-key?  binary
| | | | | +--:(hidden-private-key)
| | | | | | +--rw hidden-private-key?  empty
| | | | | +--:(encrypted-private-key)
| | | | | +--rw encrypted-private-key
| | | | | +--rw (key-type)
| | | | | | +--:(symmetric-key-ref)
| | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--:(asymmetric-key-ref)
| | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--rw value?  binary
| | | | +--rw cert?  end-entity-cert-cms
| | | | +---n certificate-expiration
| | | | | +-- expiration-date  yang:date-and-time
| | | | +---x generate-certificate-signing-request
| | | | +---w input
| | | | | +---w subject  binary
| | | | | +---w attributes?  binary
| | | | +--ro output
| | | | +--ro certificate-signing-request  binary
| | | +--:(keystore) {keystore-supported}?
| | | +--rw keystore-reference
| | | +--rw asymmetric-key?  ks:asymmetric-key-ref
| | | +--rw certificate?  leafref
| | +--rw server-authentication
| | | +--rw ssh-host-keys!
| | | | +--rw (local-or-truststore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw public-key* [name]
| | | | | +--rw name  string
| | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | +--rw public-key-format  identityref
| | | | | +--rw public-key  binary
| | | | +--:(truststore) {truststore-supported,public-keys}?
| | | | +--rw truststore-reference?  ts:public-key-bag-ref
| | | +--rw ca-certs! {sshcmn:ssh-x509-certs}?
| | | | +--rw (local-or-truststore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | +---n certificate-expiration
| | | | | +-- expiration-date  yang:date-and-time
| | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | +--rw server-certs! {sshcmn:ssh-x509-certs}?
| | | +--rw (local-or-truststore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw cert*  trust-anchor-cert-cms
| | | | +---n certificate-expiration
| | | | +-- expiration-date  yang:date-and-time
| | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | +--rw truststore-reference?  ts:certificate-bag-ref
| | +--rw transport-params {ssh-client-transport-params-config}?
| | | +--rw host-key
| | | | +--rw host-key-alg*  identityref
| | | +--rw key-exchange
| | | | +--rw key-exchange-alg*  identityref
| | | +--rw encryption
| | | | +--rw encryption-alg*  identityref
| | | +--rw mac
| | | +--rw mac-alg*  identityref
| | +--rw keepalives! {ssh-client-keepalives}?
| | +--rw max-wait?  uint16
| | +--rw max-attempts?  uint8
| +--rw netconf-client-parameters
+--:(tls) {tls-listen}?
+--rw tls
+--rw tcp-server-parameters
| +--rw local-address  inet:ip-address
| +--rw local-port?  inet:port-number
| +--rw keepalives! {keepalives-supported}?
| +--rw idle-time  uint16
| +--rw max-probes  uint16
| +--rw probe-interval  uint16
+--rw tls-client-parameters
| +--rw client-identity
| | +--rw (auth-type)?
| | +--:(certificate) {x509-certificate-auth}?
| | | +--rw certificate
| | | +--rw (local-or-keystore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | +--rw public-key-format  identityref
| | | | +--rw public-key  binary
| | | | +--rw private-key-format?  identityref
| | | | +--rw (private-key-type)
| | | | | +--:(private-key)
| | | | | | +--rw private-key?  binary
| | | | | +--:(hidden-private-key)
| | | | | | +--rw hidden-private-key?  empty
| | | | | +--:(encrypted-private-key)
| | | | | +--rw encrypted-private-key
| | | | | +--rw (key-type)
| | | | | | +--:(symmetric-key-ref)
| | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--:(asymmetric-key-ref)
| | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--rw value?  binary
| | | | +--rw cert?  end-entity-cert-cms
| | | | +---n certificate-expiration
| | | | | +-- expiration-date  yang:date-and-time
| | | | +---x generate-certificate-signing-request
| | | | +---w input
| | | | | +---w subject  binary
| | | | | +---w attributes?  binary
| | | | +--ro output
| | | | +--ro certificate-signing-request  binary
| | | +--:(keystore) {keystore-supported}?
| | | +--rw keystore-reference
| | | +--rw asymmetric-key?  ks:asymmetric-key-ref
| | | +--rw certificate?  leafref
| | +--:(raw-public-key) {raw-public-key-auth}?
| | | +--rw raw-private-key
| | | +--rw (local-or-keystore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | +--rw public-key-format  identityref
| | | | +--rw public-key  binary
| | | | +--rw private-key-format?  identityref
| | | | +--rw (private-key-type)
| | | | +--:(private-key)
| | | | | +--rw private-key?  binary
| | | | +--:(hidden-private-key)
| | | | | +--rw hidden-private-key?  empty
| | | | +--:(encrypted-private-key)
| | | | +--rw encrypted-private-key
| | | | +--rw (key-type)
| | | | | +--:(symmetric-key-ref)
| | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--:(asymmetric-key-ref)
| | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | +--rw value?  binary
| | | +--:(keystore) {keystore-supported}?
| | | +--rw keystore-reference?  ks:asymmetric-key-ref
| | +--:(psk) {psk-auth}?
| | +--rw psk
| | +--rw (local-or-keystore)
| | +--:(local) {local-definitions-supported}?
| | | +--rw local-definition
| | | +--rw algorithm  isa:symmetric-algorithm-type
| | | +--rw key-format?  identityref
| | | +--rw (key-type)
| | | | +--:(key)
| | | | | +--rw key?  binary
| | | | +--:(hidden-key)
| | | | | +--rw hidden-key?  empty
| | | | +--:(encrypted-key)
| | | | +--rw encrypted-key
| | | | +--rw (key-type)
| | | | | +--:(symmetric-key-ref)
| | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | +--:(asymmetric-key-ref)
| | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | +--rw value?  binary
| | | +--rw id?  string {ks:local-definitions-supported}?
| | +--:(keystore) {keystore-supported}?
| | +--rw keystore-reference?  ks:symmetric-key-ref
| +--rw server-authentication
| | +--rw ca-certs! {x509-certificate-auth}?
| | | +--rw (local-or-truststore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw cert*  trust-anchor-cert-cms
| | | | +---n certificate-expiration
| | | | +-- expiration-date  yang:date-and-time
| | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | +--rw truststore-reference?  ts:certificate-bag-ref
| | +--rw server-certs! {x509-certificate-auth}?
| | | +--rw (local-or-truststore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw cert*  trust-anchor-cert-cms
| | | | +---n certificate-expiration
| | | | +-- expiration-date  yang:date-and-time
| | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | +--rw truststore-reference?  ts:certificate-bag-ref
| | +--rw raw-public-keys! {raw-public-key-auth}?
| | | +--rw (local-or-truststore)
| | | +--:(local) {local-definitions-supported}?
| | | | +--rw local-definition
| | | | +--rw public-key* [name]
| | | | +--rw name  string
| | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | +--rw public-key-format  identityref
| | | | +--rw public-key  binary
| | | +--:(truststore) {truststore-supported,public-keys}?
| | | +--rw truststore-reference?  ts:public-key-bag-ref
| | +--rw psks! {psk-auth}?
| +--rw hello-params {tls-client-hello-params-config}?
| | +--rw tls-versions
| | | +--rw tls-version*  identityref
| | +--rw cipher-suites
| | +--rw cipher-suite*  identityref
| +--rw keepalives! {tls-client-keepalives}?
| +--rw max-wait?  uint16
| +--rw max-attempts?  uint8
+--rw netconf-client-parameters

A.2. Expanded Tree Diagram for 'ietf-netconf-server'

The following tree diagram [RFC8340] provides an overview of the data model for the "ietf-netconf-server" module.

This tree diagram shows all the nodes defined in this module, including those defined by the "grouping" statements used by this module.

Please see Section 4.1 for a tree diagram that illustrates what the module looks like without all the "grouping" statements expanded.
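Before the server tree itself, an added example that is not part of this draft: a constructed JSON instance (RFC 7951 encoding) of the "listen" subtree defined by the server module, together with a short Python linter that walks it and flags the settings a security reviewer would want to see justified: a cleartext "private-key" inside a "local-definition" (the model also offers "hidden-private-key", "encrypted-private-key", and keystore references so that raw key bytes never sit in configuration), the SSH "none" and "password" authentication methods, user passwords stored with the cleartext ("$0$") or MD5 ("$1$") iana-crypt-hash prefixes from RFC 7317, and "cert-to-name" entries with no "fingerprint". Node names follow the tree diagram; the identity values, key bytes, addresses, and user names are assumptions made up for the example.

```python
"""Added example, not part of the draft: lint a JSON instance of the
ietf-netconf-server "listen" subtree for reviewer-relevant choices."""

# Constructed sample in RFC 7951 JSON encoding.  "[None]" is the JSON
# encoding of a YANG "empty" leaf.  Identity values such as "rsa2048"
# and "ct:..." are assumed; key and certificate bytes are placeholders.
SAMPLE = {
    "ietf-netconf-server:netconf-server": {"listen": {
        "idle-timeout": 3600,
        "endpoint": [
            {"name": "ssh-mgmt", "ssh": {
                "tcp-server-parameters": {"local-address": "192.0.2.1",
                                          "local-port": 830},
                "ssh-server-parameters": {
                    # host key referenced from the keystore, not inlined
                    "server-identity": {"host-key": [
                        {"name": "hk0", "public-key": {
                            "keystore-reference": "hsm-host-key"}}]},
                    "client-authentication": {
                        "supported-authentication-methods": {
                            "publickey": [None], "password": [None],
                            "none": [None]},
                        "users": {"user": [
                            {"name": "netops", "public-keys": {
                                "truststore-reference": "netops-keys"}},
                            # "$0$" is the iana-crypt-hash cleartext prefix
                            {"name": "legacy", "password": "$0$hunter2"},
                            {"name": "probe", "none": [None]}]}}}}},
            {"name": "tls-mgmt", "tls": {
                "tcp-server-parameters": {"local-address": "192.0.2.1",
                                          "local-port": 6513},
                "tls-server-parameters": {"server-identity": {
                    "certificate": {"local-definition": {
                        "algorithm": "rsa2048",
                        "public-key-format": "ct:subject-public-key-info-format",
                        "public-key": "AAAA",
                        "private-key-format": "ct:rsa-private-key-format",
                        "private-key": "AAAA",   # raw key bytes in config
                        "cert": "AAAA"}}}},
                "netconf-server-parameters": {"client-identity-mappings": {
                    "cert-to-name": [
                        {"id": 1, "fingerprint": "04:ab:cd",
                         "map-type": "x509c2n:specified", "name": "admin"},
                        {"id": 2, "map-type": "x509c2n:san-rfc822-name"}]}}}}]}}}


def _walk(node, path=()):
    """Pre-order walk yielding (path to parent, key, value) per dict member."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, path + (index,))


def lint(instance):
    """Return (location, code) pairs for settings a reviewer should question."""
    findings = []
    for path, key, value in _walk(instance):
        where = "/".join(str(p) for p in path + (key,))
        if key == "private-key" and "local-definition" in path:
            # hidden-private-key / encrypted-private-key exist so this
            # leaf never has to carry cleartext key material
            findings.append((where, "cleartext-private-key"))
        elif key == "none" and ("supported-authentication-methods" in path
                                or "user" in path):
            findings.append((where, "none-auth"))
        elif key == "password" and "supported-authentication-methods" in path:
            findings.append((where, "password-auth"))
        elif key == "password" and isinstance(value, str):
            if value.startswith("$0$"):          # RFC 7317: cleartext
                findings.append((where, "cleartext-password"))
            elif value.startswith("$1$"):        # RFC 7317: MD5-crypt
                findings.append((where, "md5-password"))
        elif key == "cert-to-name":
            for entry in value:
                if "fingerprint" not in entry:   # not pinned to one cert
                    findings.append((f"{where}[{entry.get('id')}]",
                                     "unpinned-cert-to-name"))
    return findings


if __name__ == "__main__":
    for where, code in lint(SAMPLE):
        print(f"{code:24} {where}")
```

"lint" returns the findings rather than only printing them, so the same check can be run over the JSON form of a <get-config> reply. The "unpinned-cert-to-name" finding is a review prompt, not a model violation: "fingerprint" is optional in this tree, so the entry may be intentional, but the reviewer should confirm which client certificates it is meant to match.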
module: ietf-netconf-server
+--rw netconf-server
+--rw listen! {ssh-listen or tls-listen}?
| +--rw idle-timeout?  uint16
| +--rw endpoint* [name]
| +--rw name  string
| +--rw (transport)
| +--:(ssh) {ssh-listen}?
| | +--rw ssh
| | +--rw tcp-server-parameters
| | | +--rw local-address  inet:ip-address
| | | +--rw local-port?  inet:port-number
| | | +--rw keepalives! {keepalives-supported}?
| | | +--rw idle-time  uint16
| | | +--rw max-probes  uint16
| | | +--rw probe-interval  uint16
| | +--rw ssh-server-parameters
| | | +--rw server-identity
| | | | +--rw host-key* [name]
| | | | +--rw name  string
| | | | +--rw (host-key-type)
| | | | +--:(public-key)
| | | | | +--rw public-key
| | | | | +--rw (local-or-keystore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | +--rw public-key-format  identityref
| | | | | | +--rw public-key  binary
| | | | | | +--rw private-key-format?  identityref
| | | | | | +--rw (private-key-type)
| | | | | | +--:(private-key)
| | | | | | | +--rw private-key?  binary
| | | | | | +--:(hidden-private-key)
| | | | | | | +--rw hidden-private-key?  empty
| | | | | | +--:(encrypted-private-key)
| | | | | | +--rw encrypted-private-key
| | | | | | +--rw (key-type)
| | | | | | | +--:(symmetric-key-ref)
| | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--:(asymmetric-key-ref)
| | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--rw value?  binary
| | | | | +--:(keystore) {keystore-supported}?
| | | | | +--rw keystore-reference?  ks:asymmetric-key-ref
| | | | +--:(certificate)
| | | | +--rw certificate {sshcmn:ssh-x509-certs}?
| | | | +--rw (local-or-keystore)
| | | | +--:(local) {local-definitions-supported}?
| | | | | +--rw local-definition
| | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | +--rw public-key-format  identityref
| | | | | +--rw public-key  binary
| | | | | +--rw private-key-format?  identityref
| | | | | +--rw (private-key-type)
| | | | | | +--:(private-key)
| | | | | | | +--rw private-key?  binary
| | | | | | +--:(hidden-private-key)
| | | | | | | +--rw hidden-private-key?  empty
| | | | | | +--:(encrypted-private-key)
| | | | | | +--rw encrypted-private-key
| | | | | | +--rw (key-type)
| | | | | | | +--:(symmetric-key-ref)
| | | | | | | | +--rw symmetric-key-ref?  leafref {keystore-supported}?
| | | | | | | +--:(asymmetric-key-ref)
| | | | | | | +--rw asymmetric-key-ref?  leafref {keystore-supported}?
| | | | | | +--rw value?  binary
| | | | | +--rw cert?  end-entity-cert-cms
| | | | | +---n certificate-expiration
| | | | | | +-- expiration-date  yang:date-and-time
| | | | | +---x generate-certificate-signing-request
| | | | | +---w input
| | | | | | +---w subject  binary
| | | | | | +---w attributes?  binary
| | | | | +--ro output
| | | | | +--ro certificate-signing-request  binary
| | | | +--:(keystore) {keystore-supported}?
| | | | +--rw keystore-reference
| | | | +--rw asymmetric-key?  ks:asymmetric-key-ref
| | | | +--rw certificate?  leafref
| | | +--rw client-authentication
| | | | +--rw supported-authentication-methods
| | | | | +--rw publickey?  empty
| | | | | +--rw passsword?  empty {client-auth-password}?
| | | | | +--rw hostbased?  empty {client-auth-hostbased}?
| | | | | +--rw none?  empty {client-auth-none}?
| | | | +--rw users {client-auth-config-supported}?
| | | | | +--rw user* [name]
| | | | | +--rw name  string
| | | | | +--rw public-keys!
| | | | | | +--rw (local-or-truststore)
| | | | | | +--:(local) {local-definitions-supported}?
| | | | | | | +--rw local-definition
| | | | | | | +--rw public-key* [name]
| | | | | | | +--rw name  string
| | | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | | +--rw public-key-format  identityref
| | | | | | | +--rw public-key  binary
| | | | | | +--:(truststore) {truststore-supported,public-keys}?
| | | | | | +--rw truststore-reference?  ts:public-key-bag-ref
| | | | | +--rw password?  ianach:crypt-hash {client-auth-password}?
| | | | | +--rw hostbased! {client-auth-hostbased}?
| | | | | | +--rw (local-or-truststore)
| | | | | | +--:(local) {local-definitions-supported}?
| | | | | | | +--rw local-definition
| | | | | | | +--rw public-key* [name]
| | | | | | | +--rw name  string
| | | | | | | +--rw algorithm  iasa:asymmetric-algorithm-type
| | | | | | | +--rw public-key-format  identityref
| | | | | | | +--rw public-key  binary
| | | | | | +--:(truststore) {truststore-supported,public-keys}?
| | | | | | +--rw truststore-reference?  ts:public-key-bag-ref
| | | | | +--rw none?  empty {client-auth-none}?
| | | | +--rw ca-certs! {client-auth-config-supported,sshcmn:ssh-x509-certs}?
| | | | | +--rw (local-or-truststore)
| | | | | +--:(local) {local-definitions-supported}?
| | | | | | +--rw local-definition
| | | | | | +--rw cert*  trust-anchor-cert-cms
| | | | | | +---n certificate-expiration
| | | | | | +-- expiration-date  yang:date-and-time
| | | | | +--:(truststore) {truststore-supported,x509-certificates}?
| | | | | +--rw truststore-reference?  ts:certificate-bag-ref
| | | | +--rw client-certs! {client-auth-config-supported,sshcmn:ssh-x509-certs}?
| | | | +--rw (local-or-truststore)
| | | | +--:(local) {local-definitions-supported}?
3545 | | | | | +--rw local-definition 3546 | | | | | +--rw cert* 3547 | | | | | | trust-anchor-cert-cms 3548 | | | | | +---n certificate-expiration 3549 | | | | | +-- expiration-date 3550 | | | | | yang:date-and-time 3551 | | | | +--:(truststore) 3552 | | | | {truststore-supported,x509-\ 3553 \certificates}? 3554 | | | | +--rw truststore-reference? 3555 | | | | ts:certificate-bag-ref 3556 | | | +--rw transport-params 3557 | | | | {ssh-server-transport-params-config}? 3558 | | | | +--rw host-key 3559 | | | | | +--rw host-key-alg* identityref 3560 | | | | +--rw key-exchange 3561 | | | | | +--rw key-exchange-alg* identityref 3562 | | | | +--rw encryption 3563 | | | | | +--rw encryption-alg* identityref 3564 | | | | +--rw mac 3565 | | | | +--rw mac-alg* identityref 3566 | | | +--rw keepalives! {ssh-server-keepalives}? 3567 | | | +--rw max-wait? uint16 3568 | | | +--rw max-attempts? uint8 3569 | | +--rw netconf-server-parameters 3570 | | +--rw client-identity-mappings 3571 | | {tls-listen or tls-call-home or sshcm\ 3572 \n:ssh-x509-certs}? 3573 | | +--rw cert-to-name* [id] 3574 | | +--rw id uint32 3575 | | +--rw fingerprint? 3576 | | | x509c2n:tls-fingerprint 3577 | | +--rw map-type identityref 3578 | | +--rw name string 3579 | +--:(tls) {tls-listen}? 3580 | +--rw tls 3581 | +--rw tcp-server-parameters 3582 | | +--rw local-address inet:ip-address 3583 | | +--rw local-port? inet:port-number 3584 | | +--rw keepalives! {keepalives-supported}? 3585 | | +--rw idle-time uint16 3586 | | +--rw max-probes uint16 3587 | | +--rw probe-interval uint16 3588 | +--rw tls-server-parameters 3589 | | +--rw server-identity 3590 | | | +--rw (auth-type) 3591 | | | +--:(certificate) 3592 | | | | {x509-certificate-auth}? 3593 | | | | +--rw certificate 3594 | | | | +--rw (local-or-keystore) 3595 | | | | +--:(local) 3596 | | | | | {local-definitions-su\ 3597 \pported}? 
3598 | | | | | +--rw local-definition 3599 | | | | | +--rw algorithm 3600 | | | | | | iasa:asymmetric-\ 3601 \algorithm-type 3602 | | | | | +--rw public-key-format 3603 | | | | | | identityref 3604 | | | | | +--rw public-key 3605 | | | | | | binary 3606 | | | | | +--rw private-key-format? 3607 | | | | | | identityref 3608 | | | | | +--rw (private-key-type) 3609 | | | | | | +--:(private-key) 3610 | | | | | | | +--rw private-key? 3611 | | | | | | | binary 3612 | | | | | | +--:(hidden-private-k\ 3613 \ey) 3614 | | | | | | | +--rw hidden-priva\ 3615 \te-key? 3616 | | | | | | | empty 3617 | | | | | | +--:(encrypted-privat\ 3618 \e-key) 3619 | | | | | | +--rw encrypted-pr\ 3620 \ivate-key 3621 | | | | | | +--rw (key-type) 3622 | | | | | | | +--:(symmetr\ 3623 \ic-key-ref) 3624 | | | | | | | | +--rw sym\ 3625 \metric-key-ref? leafref 3626 | | | | | | | | {\ 3627 \keystore-supported}? 3628 | | | | | | | +--:(asymmet\ 3629 \ric-key-ref) 3630 | | | | | | | +--rw asy\ 3631 \mmetric-key-ref? leafref 3632 | | | | | | | {\ 3633 \keystore-supported}? 3634 | | | | | | +--rw value? 3635 | | | | | | binary 3636 | | | | | +--rw cert? 3637 | | | | | | end-entity-cert-\ 3638 \cms 3639 | | | | | +---n certificate-expira\ 3640 \tion 3641 | | | | | | +-- expiration-date 3642 | | | | | | yang:date-and\ 3643 \-time 3644 | | | | | +---x generate-certifica\ 3645 \te-signing-request 3646 | | | | | +---w input 3647 | | | | | | +---w subject 3648 | | | | | | | binary 3649 | | | | | | +---w attributes? 3650 | | | | | | binary 3651 | | | | | +--ro output 3652 | | | | | +--ro certificate-\ 3653 \signing-request 3654 | | | | | binary 3655 | | | | +--:(keystore) 3656 | | | | {keystore-supported}? 3657 | | | | +--rw keystore-reference 3658 | | | | +--rw asymmetric-key? 3659 | | | | | ks:asymmetric-ke\ 3660 \y-ref 3661 | | | | +--rw certificate? \ 3662 \leafref 3663 | | | +--:(raw-private-key) 3664 | | | | {raw-public-key-auth}? 
3665 | | | | +--rw raw-private-key 3666 | | | | +--rw (local-or-keystore) 3667 | | | | +--:(local) 3668 | | | | | {local-definitions-su\ 3669 \pported}? 3670 | | | | | +--rw local-definition 3671 | | | | | +--rw algorithm 3672 | | | | | | iasa:asymmetric-\ 3673 \algorithm-type 3674 | | | | | +--rw public-key-format 3675 | | | | | | identityref 3676 | | | | | +--rw public-key 3677 | | | | | | binary 3678 | | | | | +--rw private-key-format? 3679 | | | | | | identityref 3680 | | | | | +--rw (private-key-type) 3681 | | | | | +--:(private-key) 3682 | | | | | | +--rw private-key? 3683 | | | | | | binary 3684 | | | | | +--:(hidden-private-k\ 3685 \ey) 3686 | | | | | | +--rw hidden-priva\ 3687 \te-key? 3688 | | | | | | empty 3689 | | | | | +--:(encrypted-privat\ 3690 \e-key) 3691 | | | | | +--rw encrypted-pr\ 3692 \ivate-key 3693 | | | | | +--rw (key-type) 3694 | | | | | | +--:(symmetr\ 3695 \ic-key-ref) 3696 | | | | | | | +--rw sym\ 3697 \metric-key-ref? leafref 3698 | | | | | | | {\ 3699 \keystore-supported}? 3700 | | | | | | +--:(asymmet\ 3701 \ric-key-ref) 3702 | | | | | | +--rw asy\ 3703 \mmetric-key-ref? leafref 3704 | | | | | | {\ 3705 \keystore-supported}? 3706 | | | | | +--rw value? 3707 | | | | | binary 3708 | | | | +--:(keystore) 3709 | | | | {keystore-supported}? 3710 | | | | +--rw keystore-reference? 3711 | | | | ks:asymmetric-key-r\ 3712 \ef 3713 | | | +--:(psk) {psk-auth}? 3714 | | | +--rw psk 3715 | | | +--rw (local-or-keystore) 3716 | | | +--:(local) 3717 | | | | {local-definitions-su\ 3718 \pported}? 3719 | | | | +--rw local-definition 3720 | | | | +--rw algorithm 3721 | | | | | isa:symmetric-al\ 3722 \gorithm-type 3723 | | | | +--rw key-format? 3724 | | | | | identityref 3725 | | | | +--rw (key-type) 3726 | | | | | +--:(key) 3727 | | | | | | +--rw key? 3728 | | | | | | binary 3729 | | | | | +--:(hidden-key) 3730 | | | | | | +--rw hidden-key? 
3731 | | | | | | empty 3732 | | | | | +--:(encrypted-key) 3733 | | | | | +--rw encrypted-key 3734 | | | | | +--rw (key-type) 3735 | | | | | | +--:(symmetr\ 3736 \ic-key-ref) 3737 | | | | | | | +--rw sym\ 3738 \metric-key-ref? leafref 3739 | | | | | | | {\ 3740 \keystore-supported}? 3741 | | | | | | +--:(asymmet\ 3742 \ric-key-ref) 3743 | | | | | | +--rw asy\ 3744 \mmetric-key-ref? leafref 3745 | | | | | | {\ 3746 \keystore-supported}? 3747 | | | | | +--rw value? 3748 | | | | | binary 3749 | | | | +--rw id? 3750 | | | | string 3751 | | | | {ks:local-defini\ 3752 \tions-supported}? 3753 | | | +--:(keystore) 3754 | | | {keystore-supported}? 3755 | | | +--rw keystore-reference? 3756 | | | ks:symmetric-key-ref 3757 | | +--rw client-authentication! 3758 | | | {client-auth-config-supported}? 3759 | | | +--rw ca-certs! {x509-certificate-auth}? 3760 | | | | +--rw (local-or-truststore) 3761 | | | | +--:(local) 3762 | | | | | {local-definitions-supporte\ 3763 \d}? 3764 | | | | | +--rw local-definition 3765 | | | | | +--rw cert* 3766 | | | | | | trust-anchor-cert-cms 3767 | | | | | +---n certificate-expiration 3768 | | | | | +-- expiration-date 3769 | | | | | yang:date-and-time 3770 | | | | +--:(truststore) 3771 | | | | {truststore-supported,x509-\ 3772 \certificates}? 3773 | | | | +--rw truststore-reference? 3774 | | | | ts:certificate-bag-ref 3775 | | | +--rw client-certs! 3776 | | | | {x509-certificate-auth}? 3777 | | | | +--rw (local-or-truststore) 3778 | | | | +--:(local) 3779 | | | | | {local-definitions-supporte\ 3780 \d}? 3781 | | | | | +--rw local-definition 3782 | | | | | +--rw cert* 3783 | | | | | | trust-anchor-cert-cms 3784 | | | | | +---n certificate-expiration 3785 | | | | | +-- expiration-date 3786 | | | | | yang:date-and-time 3787 | | | | +--:(truststore) 3788 | | | | {truststore-supported,x509-\ 3789 \certificates}? 3790 | | | | +--rw truststore-reference? 3791 | | | | ts:certificate-bag-ref 3792 | | | +--rw raw-public-keys! 
3793 | | | | {raw-public-key-auth}? 3794 | | | | +--rw (local-or-truststore) 3795 | | | | +--:(local) 3796 | | | | | {local-definitions-supporte\ 3797 \d}? 3798 | | | | | +--rw local-definition 3799 | | | | | +--rw public-key* [name] 3800 | | | | | +--rw name 3801 | | | | | | string 3802 | | | | | +--rw algorithm 3803 | | | | | | iasa:asymmetric-alg\ 3804 \orithm-type 3805 | | | | | +--rw public-key-format 3806 | | | | | | identityref 3807 | | | | | +--rw public-key 3808 | | | | | binary 3809 | | | | +--:(truststore) 3810 | | | | {truststore-supported,publi\ 3811 \c-keys}? 3812 | | | | +--rw truststore-reference? 3813 | | | | ts:public-key-bag-ref 3814 | | | +--rw psks! {psk-auth}? 3815 | | +--rw hello-params 3816 | | | {tls-server-hello-params-config}? 3817 | | | +--rw tls-versions 3818 | | | | +--rw tls-version* identityref 3819 | | | +--rw cipher-suites 3820 | | | +--rw cipher-suite* identityref 3821 | | +--rw keepalives! {tls-server-keepalives}? 3822 | | +--rw max-wait? uint16 3823 | | +--rw max-attempts? uint8 3824 | +--rw netconf-server-parameters 3825 | +--rw client-identity-mappings 3826 | {tls-listen or tls-call-home or sshcm\ 3827 \n:ssh-x509-certs}? 3828 | +--rw cert-to-name* [id] 3829 | +--rw id uint32 3830 | +--rw fingerprint? 3831 | | x509c2n:tls-fingerprint 3832 | +--rw map-type identityref 3833 | +--rw name string 3834 +--rw call-home! {ssh-call-home or tls-call-home}? 3835 +--rw netconf-client* [name] 3836 +--rw name string 3837 +--rw endpoints 3838 | +--rw endpoint* [name] 3839 | +--rw name string 3840 | +--rw (transport) 3841 | +--:(ssh) {ssh-call-home}? 3842 | | +--rw ssh 3843 | | +--rw tcp-client-parameters 3844 | | | +--rw remote-address inet:host 3845 | | | +--rw remote-port? inet:port-number 3846 | | | +--rw local-address? inet:ip-address 3847 | | | | {local-binding-supported}? 3848 | | | +--rw local-port? inet:port-number 3849 | | | | {local-binding-supported}? 3850 | | | +--rw keepalives! 3851 | | | {keepalives-supported}? 
3852 | | | +--rw idle-time uint16 3853 | | | +--rw max-probes uint16 3854 | | | +--rw probe-interval uint16 3855 | | +--rw ssh-server-parameters 3856 | | | +--rw server-identity 3857 | | | | +--rw host-key* [name] 3858 | | | | +--rw name string 3859 | | | | +--rw (host-key-type) 3860 | | | | +--:(public-key) 3861 | | | | | +--rw public-key 3862 | | | | | +--rw (local-or-keystore) 3863 | | | | | +--:(local) 3864 | | | | | | {local-defin\ 3865 \itions-supported}? 3866 | | | | | | +--rw local-defini\ 3867 \tion 3868 | | | | | | +--rw algorithm 3869 | | | | | | | iasa:as\ 3870 \ymmetric-algorithm-type 3871 | | | | | | +--rw public-ke\ 3872 \y-format 3873 | | | | | | | identit\ 3874 \yref 3875 | | | | | | +--rw public-key 3876 | | | | | | | binary 3877 | | | | | | +--rw private-k\ 3878 \ey-format? 3879 | | | | | | | identit\ 3880 \yref 3881 | | | | | | +--rw (private-\ 3882 \key-type) 3883 | | | | | | +--:(private\ 3884 \-key) 3885 | | | | | | | +--rw pri\ 3886 \vate-key? 3887 | | | | | | | b\ 3888 \inary 3889 | | | | | | +--:(hidden-\ 3890 \private-key) 3891 | | | | | | | +--rw hid\ 3892 \den-private-key? 3893 | | | | | | | e\ 3895 \mpty 3896 | | | | | | +--:(encrypt\ 3897 \ed-private-key) 3898 | | | | | | +--rw enc\ 3899 \rypted-private-key 3900 | | | | | | +--rw \ 3901 \(key-type) 3902 | | | | | | | +--\ 3903 \:(symmetric-key-ref) 3904 | | | | | | | | \ 3905 \+--rw symmetric-key-ref? leafref 3906 | | | | | | | | \ 3907 \ {keystore-supported}? 3908 | | | | | | | +--\ 3909 \:(asymmetric-key-ref) 3910 | | | | | | | \ 3911 \+--rw asymmetric-key-ref? leafref 3912 | | | | | | | \ 3913 \ {keystore-supported}? 3914 | | | | | | +--rw \ 3915 \value? 3916 | | | | | | \ 3917 \ binary 3918 | | | | | +--:(keystore) 3919 | | | | | {keystore-su\ 3920 \pported}? 3921 | | | | | +--rw keystore-ref\ 3922 \erence? 3923 | | | | | ks:asymmet\ 3924 \ric-key-ref 3925 | | | | +--:(certificate) 3926 | | | | +--rw certificate 3927 | | | | {sshcmn:ssh-x509-ce\ 3928 \rts}? 
3929 | | | | +--rw (local-or-keystore) 3930 | | | | +--:(local) 3931 | | | | | {local-defin\ 3932 \itions-supported}? 3933 | | | | | +--rw local-defini\ 3934 \tion 3935 | | | | | +--rw algorithm 3936 | | | | | | iasa:as\ 3937 \ymmetric-algorithm-type 3938 | | | | | +--rw public-ke\ 3939 \y-format 3940 | | | | | | identit\ 3941 \yref 3942 | | | | | +--rw public-key 3943 | | | | | | binary 3944 | | | | | +--rw private-k\ 3945 \ey-format? 3946 | | | | | | identit\ 3947 \yref 3948 | | | | | +--rw (private-\ 3949 \key-type) 3950 | | | | | | +--:(private\ 3951 \-key) 3952 | | | | | | | +--rw pri\ 3953 \vate-key? 3954 | | | | | | | b\ 3955 \inary 3956 | | | | | | +--:(hidden-\ 3957 \private-key) 3958 | | | | | | | +--rw hid\ 3959 \den-private-key? 3960 | | | | | | | e\ 3961 \mpty 3962 | | | | | | +--:(encrypt\ 3963 \ed-private-key) 3964 | | | | | | +--rw enc\ 3965 \rypted-private-key 3966 | | | | | | +--rw \ 3967 \(key-type) 3968 | | | | | | | +--\ 3969 \:(symmetric-key-ref) 3970 | | | | | | | | \ 3971 \+--rw symmetric-key-ref? leafref 3972 | | | | | | | | \ 3973 \ {keystore-supported}? 3974 | | | | | | | +--\ 3975 \:(asymmetric-key-ref) 3976 | | | | | | | \ 3977 \+--rw asymmetric-key-ref? leafref 3978 | | | | | | | \ 3979 \ {keystore-supported}? 3980 | | | | | | +--rw \ 3981 \value? 3982 | | | | | | \ 3983 \ binary 3984 | | | | | +--rw cert? 3985 | | | | | | end-ent\ 3986 \ity-cert-cms 3987 | | | | | +---n certifica\ 3988 \te-expiration 3989 | | | | | | +-- expirati\ 3990 \on-date 3991 | | | | | | yang\ 3992 \:date-and-time 3993 | | | | | +---x generate-\ 3994 \certificate-signing-request 3995 | | | | | +---w input 3996 | | | | | | +---w sub\ 3997 \ject 3998 | | | | | | | b\ 3999 \inary 4000 | | | | | | +---w att\ 4001 \ributes? 4002 | | | | | | b\ 4003 \inary 4004 | | | | | +--ro output 4005 | | | | | +--ro cer\ 4006 \tificate-signing-request 4007 | | | | | b\ 4008 \inary 4009 | | | | +--:(keystore) 4010 | | | | {keystore-su\ 4011 \pported}? 
4012 | | | | +--rw keystore-ref\ 4013 \erence 4014 | | | | +--rw asymmetri\ 4015 \c-key? 4016 | | | | | ks:asym\ 4017 \metric-key-ref 4018 | | | | +--rw certifica\ 4019 \te? leafref 4020 | | | +--rw client-authentication 4021 | | | | +--rw supported-authentication-metho\ 4022 \ds 4023 | | | | | +--rw publickey? empty 4024 | | | | | +--rw passsword? empty 4025 | | | | | | {client-auth-password}? 4026 | | | | | +--rw hostbased? empty 4027 | | | | | | {client-auth-hostbased}? 4028 | | | | | +--rw none? empty 4029 | | | | | {client-auth-none}? 4030 | | | | +--rw users 4031 | | | | | {client-auth-config-supporte\ 4032 \d}? 4033 | | | | | +--rw user* [name] 4034 | | | | | +--rw name string 4035 | | | | | +--rw public-keys! 4036 | | | | | | +--rw (local-or-truststore) 4037 | | | | | | +--:(local) 4038 | | | | | | | {local-definiti\ 4040 \ons-supported}? 4041 | | | | | | | +--rw local-definition 4042 | | | | | | | +--rw public-key* 4043 | | | | | | | [name] 4044 | | | | | | | +--rw name 4045 | | | | | | | | string 4046 | | | | | | | +--rw algorithm 4047 | | | | | | | | iasa:as\ 4048 \ymmetric-algorithm-type 4049 | | | | | | | +--rw public-ke\ 4050 \y-format 4051 | | | | | | | | identit\ 4052 \yref 4053 | | | | | | | +--rw public-key 4054 | | | | | | | binary 4055 | | | | | | +--:(truststore) 4056 | | | | | | {truststore-sup\ 4057 \ported,public-keys}? 4058 | | | | | | +--rw truststore-refe\ 4059 \rence? 4060 | | | | | | ts:public-key\ 4061 \-bag-ref 4062 | | | | | +--rw password? 4063 | | | | | | ianach:crypt-hash 4064 | | | | | | {client-auth-password}? 4065 | | | | | +--rw hostbased! 4066 | | | | | | {client-auth-hostbased\ 4067 \}? 4068 | | | | | | +--rw (local-or-truststore) 4069 | | | | | | +--:(local) 4070 | | | | | | | {local-definiti\ 4071 \ons-supported}? 
4072 | | | | | | | +--rw local-definition 4073 | | | | | | | +--rw public-key* 4074 | | | | | | | [name] 4075 | | | | | | | +--rw name 4076 | | | | | | | | string 4077 | | | | | | | +--rw algorithm 4078 | | | | | | | | iasa:as\ 4079 \ymmetric-algorithm-type 4080 | | | | | | | +--rw public-ke\ 4081 \y-format 4082 | | | | | | | | identit\ 4083 \yref 4084 | | | | | | | +--rw public-key 4085 | | | | | | | binary 4086 | | | | | | +--:(truststore) 4087 | | | | | | {truststore-sup\ 4089 \ported,public-keys}? 4090 | | | | | | +--rw truststore-refe\ 4091 \rence? 4092 | | | | | | ts:public-key\ 4093 \-bag-ref 4094 | | | | | +--rw none? empty 4095 | | | | | {client-auth-none}? 4096 | | | | +--rw ca-certs! 4097 | | | | | {client-auth-config-supporte\ 4098 \d,sshcmn:ssh-x509-certs}? 4099 | | | | | +--rw (local-or-truststore) 4100 | | | | | +--:(local) 4101 | | | | | | {local-definitions-su\ 4102 \pported}? 4103 | | | | | | +--rw local-definition 4104 | | | | | | +--rw cert* 4105 | | | | | | | trust-anchor-cer\ 4106 \t-cms 4107 | | | | | | +---n certificate-expira\ 4108 \tion 4109 | | | | | | +-- expiration-date 4110 | | | | | | yang:date-and\ 4111 \-time 4112 | | | | | +--:(truststore) 4113 | | | | | {truststore-supported\ 4114 \,x509-certificates}? 4115 | | | | | +--rw truststore-reference? 4116 | | | | | ts:certificate-bag-\ 4117 \ref 4118 | | | | +--rw client-certs! 4119 | | | | {client-auth-config-supporte\ 4120 \d,sshcmn:ssh-x509-certs}? 4121 | | | | +--rw (local-or-truststore) 4122 | | | | +--:(local) 4123 | | | | | {local-definitions-su\ 4124 \pported}? 4125 | | | | | +--rw local-definition 4126 | | | | | +--rw cert* 4127 | | | | | | trust-anchor-cer\ 4128 \t-cms 4129 | | | | | +---n certificate-expira\ 4130 \tion 4131 | | | | | +-- expiration-date 4132 | | | | | yang:date-and\ 4133 \-time 4134 | | | | +--:(truststore) 4135 | | | | {truststore-supported\ 4136 \,x509-certificates}? 4137 | | | | +--rw truststore-reference? 
4138 | | | | ts:certificate-bag-\ 4139 \ref 4140 | | | +--rw transport-params 4141 | | | | {ssh-server-transport-params-co\ 4142 \nfig}? 4143 | | | | +--rw host-key 4144 | | | | | +--rw host-key-alg* identityref 4145 | | | | +--rw key-exchange 4146 | | | | | +--rw key-exchange-alg* 4147 | | | | | identityref 4148 | | | | +--rw encryption 4149 | | | | | +--rw encryption-alg* 4150 | | | | | identityref 4151 | | | | +--rw mac 4152 | | | | +--rw mac-alg* identityref 4153 | | | +--rw keepalives! 4154 | | | {ssh-server-keepalives}? 4155 | | | +--rw max-wait? uint16 4156 | | | +--rw max-attempts? uint8 4157 | | +--rw netconf-server-parameters 4158 | | +--rw client-identity-mappings 4159 | | {tls-listen or tls-call-home or\ 4160 \ sshcmn:ssh-x509-certs}? 4161 | | +--rw cert-to-name* [id] 4162 | | +--rw id uint32 4163 | | +--rw fingerprint? 4164 | | | x509c2n:tls-fingerprint 4165 | | +--rw map-type identityref 4166 | | +--rw name string 4167 | +--:(tls) {tls-call-home}? 4168 | +--rw tls 4169 | +--rw tcp-client-parameters 4170 | | +--rw remote-address inet:host 4171 | | +--rw remote-port? inet:port-number 4172 | | +--rw local-address? inet:ip-address 4173 | | | {local-binding-supported}? 4174 | | +--rw local-port? inet:port-number 4175 | | | {local-binding-supported}? 4176 | | +--rw keepalives! 4177 | | {keepalives-supported}? 4178 | | +--rw idle-time uint16 4179 | | +--rw max-probes uint16 4180 | | +--rw probe-interval uint16 4181 | +--rw tls-server-parameters 4182 | | +--rw server-identity 4183 | | | +--rw (auth-type) 4184 | | | +--:(certificate) 4185 | | | | {x509-certificate-auth}? 4186 | | | | +--rw certificate 4187 | | | | +--rw (local-or-keystore) 4188 | | | | +--:(local) 4189 | | | | | {local-definiti\ 4190 \ons-supported}? 
4191 | | | | | +--rw local-definition 4192 | | | | | +--rw algorithm 4193 | | | | | | iasa:asymm\ 4194 \etric-algorithm-type 4195 | | | | | +--rw public-key-f\ 4196 \ormat 4197 | | | | | | identityref 4198 | | | | | +--rw public-key 4199 | | | | | | binary 4200 | | | | | +--rw private-key-\ 4201 \format? 4202 | | | | | | identityref 4203 | | | | | +--rw (private-key\ 4204 \-type) 4205 | | | | | | +--:(private-ke\ 4206 \y) 4207 | | | | | | | +--rw privat\ 4208 \e-key? 4209 | | | | | | | bina\ 4210 \ry 4211 | | | | | | +--:(hidden-pri\ 4212 \vate-key) 4213 | | | | | | | +--rw hidden\ 4214 \-private-key? 4215 | | | | | | | empty 4216 | | | | | | +--:(encrypted-\ 4217 \private-key) 4218 | | | | | | +--rw encryp\ 4219 \ted-private-key 4220 | | | | | | +--rw (ke\ 4221 \y-type) 4222 | | | | | | | +--:(s\ 4223 \ymmetric-key-ref) 4224 | | | | | | | | +--\ 4225 \rw symmetric-key-ref? leafref 4226 | | | | | | | | \ 4227 \ {keystore-supported}? 4228 | | | | | | | +--:(a\ 4229 \symmetric-key-ref) 4230 | | | | | | | +--\ 4231 \rw asymmetric-key-ref? leafref 4232 | | | | | | | \ 4234 \ {keystore-supported}? 4235 | | | | | | +--rw val\ 4236 \ue? 4237 | | | | | | b\ 4238 \inary 4239 | | | | | +--rw cert? 4240 | | | | | | end-entity\ 4241 \-cert-cms 4242 | | | | | +---n certificate-\ 4243 \expiration 4244 | | | | | | +-- expiration-\ 4245 \date 4246 | | | | | | yang:da\ 4247 \te-and-time 4248 | | | | | +---x generate-cer\ 4249 \tificate-signing-request 4250 | | | | | +---w input 4251 | | | | | | +---w subject 4252 | | | | | | | bina\ 4253 \ry 4254 | | | | | | +---w attrib\ 4255 \utes? 4256 | | | | | | bina\ 4257 \ry 4258 | | | | | +--ro output 4259 | | | | | +--ro certif\ 4260 \icate-signing-request 4261 | | | | | bina\ 4262 \ry 4263 | | | | +--:(keystore) 4264 | | | | {keystore-suppo\ 4265 \rted}? 4266 | | | | +--rw keystore-refere\ 4267 \nce 4268 | | | | +--rw asymmetric-k\ 4269 \ey? 
4270 | | | | | ks:asymmet\ 4271 \ric-key-ref 4272 | | | | +--rw certificate?\ 4273 \ leafref 4274 | | | +--:(raw-private-key) 4275 | | | | {raw-public-key-auth}? 4276 | | | | +--rw raw-private-key 4277 | | | | +--rw (local-or-keystore) 4278 | | | | +--:(local) 4279 | | | | | {local-definiti\ 4280 \ons-supported}? 4281 | | | | | +--rw local-definition 4282 | | | | | +--rw algorithm 4283 | | | | | | iasa:asymm\ 4284 \etric-algorithm-type 4285 | | | | | +--rw public-key-f\ 4286 \ormat 4287 | | | | | | identityref 4288 | | | | | +--rw public-key 4289 | | | | | | binary 4290 | | | | | +--rw private-key-\ 4291 \format? 4292 | | | | | | identityref 4293 | | | | | +--rw (private-key\ 4294 \-type) 4295 | | | | | +--:(private-ke\ 4296 \y) 4297 | | | | | | +--rw privat\ 4298 \e-key? 4299 | | | | | | bina\ 4300 \ry 4301 | | | | | +--:(hidden-pri\ 4302 \vate-key) 4303 | | | | | | +--rw hidden\ 4304 \-private-key? 4305 | | | | | | empty 4306 | | | | | +--:(encrypted-\ 4307 \private-key) 4308 | | | | | +--rw encryp\ 4309 \ted-private-key 4310 | | | | | +--rw (ke\ 4311 \y-type) 4312 | | | | | | +--:(s\ 4313 \ymmetric-key-ref) 4314 | | | | | | | +--\ 4315 \rw symmetric-key-ref? leafref 4316 | | | | | | | \ 4317 \ {keystore-supported}? 4318 | | | | | | +--:(a\ 4319 \symmetric-key-ref) 4320 | | | | | | +--\ 4321 \rw asymmetric-key-ref? leafref 4322 | | | | | | \ 4323 \ {keystore-supported}? 4324 | | | | | +--rw val\ 4325 \ue? 4326 | | | | | b\ 4327 \inary 4328 | | | | +--:(keystore) 4329 | | | | {keystore-suppo\ 4331 \rted}? 4332 | | | | +--rw keystore-refere\ 4333 \nce? 4334 | | | | ks:asymmetric\ 4335 \-key-ref 4336 | | | +--:(psk) {psk-auth}? 4337 | | | +--rw psk 4338 | | | +--rw (local-or-keystore) 4339 | | | +--:(local) 4340 | | | | {local-definiti\ 4341 \ons-supported}? 4342 | | | | +--rw local-definition 4343 | | | | +--rw algorithm 4344 | | | | | isa:symmet\ 4345 \ric-algorithm-type 4346 | | | | +--rw key-format? 
4347 | | | | | identityref 4348 | | | | +--rw (key-type) 4349 | | | | | +--:(key) 4350 | | | | | | +--rw key? 4351 | | | | | | bina\ 4352 \ry 4353 | | | | | +--:(hidden-key) 4354 | | | | | | +--rw hidden\ 4355 \-key? 4356 | | | | | | empty 4357 | | | | | +--:(encrypted-\ 4358 \key) 4359 | | | | | +--rw encryp\ 4360 \ted-key 4361 | | | | | +--rw (ke\ 4362 \y-type) 4363 | | | | | | +--:(s\ 4364 \ymmetric-key-ref) 4365 | | | | | | | +--\ 4366 \rw symmetric-key-ref? leafref 4367 | | | | | | | \ 4368 \ {keystore-supported}? 4369 | | | | | | +--:(a\ 4370 \symmetric-key-ref) 4371 | | | | | | +--\ 4372 \rw asymmetric-key-ref? leafref 4373 | | | | | | \ 4374 \ {keystore-supported}? 4375 | | | | | +--rw val\ 4376 \ue? 4377 | | | | | b\ 4378 \inary 4379 | | | | +--rw id? 4380 | | | | string 4381 | | | | {ks:local-\ 4382 \definitions-supported}? 4383 | | | +--:(keystore) 4384 | | | {keystore-suppo\ 4385 \rted}? 4386 | | | +--rw keystore-refere\ 4387 \nce? 4388 | | | ks:symmetric-\ 4389 \key-ref 4390 | | +--rw client-authentication! 4391 | | | {client-auth-config-supported}? 4392 | | | +--rw ca-certs! 4393 | | | | {x509-certificate-auth}? 4394 | | | | +--rw (local-or-truststore) 4395 | | | | +--:(local) 4396 | | | | | {local-definitions-su\ 4397 \pported}? 4398 | | | | | +--rw local-definition 4399 | | | | | +--rw cert* 4400 | | | | | | trust-anchor-cer\ 4401 \t-cms 4402 | | | | | +---n certificate-expira\ 4403 \tion 4404 | | | | | +-- expiration-date 4405 | | | | | yang:date-and\ 4406 \-time 4407 | | | | +--:(truststore) 4408 | | | | {truststore-supported\ 4409 \,x509-certificates}? 4410 | | | | +--rw truststore-reference? 4411 | | | | ts:certificate-bag-\ 4412 \ref 4413 | | | +--rw client-certs! 4414 | | | | {x509-certificate-auth}? 4415 | | | | +--rw (local-or-truststore) 4416 | | | | +--:(local) 4417 | | | | | {local-definitions-su\ 4418 \pported}? 
4419 | | | | | +--rw local-definition 4420 | | | | | +--rw cert* 4421 | | | | | | trust-anchor-cer\ 4422 \t-cms 4423 | | | | | +---n certificate-expira\ 4424 \tion 4425 | | | | | +-- expiration-date 4426 | | | | | yang:date-and\ 4428 \-time 4429 | | | | +--:(truststore) 4430 | | | | {truststore-supported\ 4431 \,x509-certificates}? 4432 | | | | +--rw truststore-reference? 4433 | | | | ts:certificate-bag-\ 4434 \ref 4435 | | | +--rw raw-public-keys! 4436 | | | | {raw-public-key-auth}? 4437 | | | | +--rw (local-or-truststore) 4438 | | | | +--:(local) 4439 | | | | | {local-definitions-su\ 4440 \pported}? 4441 | | | | | +--rw local-definition 4442 | | | | | +--rw public-key* [name] 4443 | | | | | +--rw name 4444 | | | | | | string 4445 | | | | | +--rw algorithm 4446 | | | | | | iasa:asymmetr\ 4447 \ic-algorithm-type 4448 | | | | | +--rw public-key-form\ 4449 \at 4450 | | | | | | identityref 4451 | | | | | +--rw public-key 4452 | | | | | binary 4453 | | | | +--:(truststore) 4454 | | | | {truststore-supported\ 4455 \,public-keys}? 4456 | | | | +--rw truststore-reference? 4457 | | | | ts:public-key-bag-r\ 4458 \ef 4459 | | | +--rw psks! {psk-auth}? 4460 | | +--rw hello-params 4461 | | | {tls-server-hello-params-config\ 4462 \}? 4463 | | | +--rw tls-versions 4464 | | | | +--rw tls-version* identityref 4465 | | | +--rw cipher-suites 4466 | | | +--rw cipher-suite* identityref 4467 | | +--rw keepalives! 4468 | | {tls-server-keepalives}? 4469 | | +--rw max-wait? uint16 4470 | | +--rw max-attempts? uint8 4471 | +--rw netconf-server-parameters 4472 | +--rw client-identity-mappings 4473 | {tls-listen or tls-call-home or\ 4474 \ sshcmn:ssh-x509-certs}? 4475 | +--rw cert-to-name* [id] 4476 | +--rw id uint32 4477 | +--rw fingerprint? 4478 | | x509c2n:tls-fingerprint 4479 | +--rw map-type identityref 4480 | +--rw name string 4481 +--rw connection-type 4482 | +--rw (connection-type) 4483 | +--:(persistent-connection) 4484 | | +--rw persistent! 
|  +--:(periodic-connection)
|  +--rw periodic!
|  +--rw period?   uint16
|  +--rw anchor-time?   yang:date-and-time
|  +--rw idle-timeout?   uint16
+--rw reconnect-strategy
+--rw start-with?   enumeration
+--rw max-attempts?   uint8

Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Added to ietf-netconf-client the ability to connect to a cluster of endpoints, including a reconnection-strategy.

   o  Added to ietf-netconf-client the ability to configure connection-type and also keep-alive strategy.

   o  Updated both modules to accommodate new groupings in the ssh/tls drafts.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement indicating that the TLS client must specify a client-certificate.

   o  Changed 'netconf-client' to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-netconf-client to add a mandatory true.

   o  Added refine statement in ietf-netconf-server to add a must statement.

   o  Now there are containers and groupings, for both the client and server models.

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.

   o  Updated examples to match latest updates to the crypto-types, trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with" enum.

   o  Replaced "connection-type" choice default (persistent) with "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2 minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types algs.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description" statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

B.12.  11 to 12

   o  Removed the "Design Considerations" section.

   o  Removed the 'must' statement limiting keepalives in periodic connections.

   o  Updated models and examples to reflect removal of the "demux" containers in the imported models.

   o  Updated the "periodic-connection" description statements to be more like the RESTCONF draft, especially where it describes dropping the underlying TCP connection.

   o  Updated text to better reference where certain examples come from (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or pinned-client-certs'" statement to reflect the change made in the TLS draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with boolean expressions.

B.13.  12 to 13

   o  Updated to reflect changes in trust-anchors drafts (e.g., s/trust-anchors/truststore/g + s/pinned.//).

B.14.  13 to 14

   o  Adjusting from change in TLS client model (removing the top-level 'certificate' container), by swapping refining-in a 'mandatory true' statement with a 'must' statement outside the 'uses' statement.

   o  Updated examples to reflect ietf-crypto-types change (e.g., identities --> enumerations).

B.15.  14 to 15

   o  Refactored both the client and server modules similar to how the ietf-restconf-server module was refactored in -13 of that draft, and the ietf-restconf-client grouping.

B.16.  15 to 16

   o  Added refinement to make "cert-to-name/fingerprint" be mandatory false.

   o  Commented out refinement to "tls-server-grouping/client-authentication" until a better "must" expression is defined.

B.17.  16 to 17

   o  Updated examples to include the "*-key-format" nodes.

   o  Updated examples to remove the "required" nodes.

   o  Updated examples to remove the "client-auth-defined-elsewhere" nodes.

B.18.  17 to 18

   o  Updated examples to reflect new "bag" addition to truststore.

Acknowledgements

   The authors would like to thank the following for lively discussions on list and in the halls (ordered by last name): Andy Bierman, Martin Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net