idnits 2.17.1

draft-ietf-netconf-restconf-client-server-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 1646 has weird spacing: '...address   ine...'

  == Line 1763 has weird spacing: '...address   ine...'

  == Line 1883 has weird spacing: '...address   ine...'

  == Line 1981 has weird spacing: '...address   ine...'

  == Line 2089 has weird spacing: '...address   ine...'

  == (1 more instance...)

  -- The document date (April 7, 2019) is 1846 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-35) exists of
     draft-ietf-netconf-keystore-08

  == Outdated reference: A later version (-41) exists of
     draft-ietf-netconf-tls-client-server-10

  == Outdated reference: A later version (-05) exists of
     draft-kwatsen-netconf-http-client-server-00

  == Outdated reference: A later version (-02) exists of
     draft-kwatsen-netconf-tcp-client-server-00

  == Outdated reference: A later version (-28) exists of
     draft-ietf-netconf-trust-anchors-03

     Summary: 0 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                           April 7, 2019
Expires: October 9, 2019

                   RESTCONF Client and Server Models
              draft-ietf-netconf-restconf-client-server-11

Abstract

   This document defines two YANG modules, one module to configure a
   RESTCONF client and the other module to configure a RESTCONF server.
   Both modules support the TLS transport protocol with both standard
   RESTCONF and RESTCONF Call Home connections.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  I-D.ietf-netconf-keystore

   o  I-D.ietf-netconf-tcp-client-server

   o  I-D.ietf-netconf-tls-client-server

   o  I-D.ietf-netconf-http-client-server

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "XXXX" --> the assigned RFC value for this draft

   o  "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
      server

   o  "BBBB" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
      server

   o  "CCCC" --> the assigned RFC value for I-D.ietf-netconf-http-
      client-server

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2019-04-07" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 9, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  The RESTCONF Client Model
     2.1.  Tree Diagram
     2.2.  Example Usage
     2.3.  YANG Module
   3.  The RESTCONF Server Model
     3.1.  Tree Diagram
     3.2.  Example Usage
     3.3.  YANG Module
   4.  Security Considerations
   5.  IANA Considerations
     5.1.  The IETF XML Registry
     5.2.  The YANG Module Names Registry
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Expanded Tree Diagrams
     A.1.  Expanded Tree Diagram for 'ietf-restconf-client'
     A.2.  Expanded Tree Diagram for 'ietf-restconf-server'
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10.  09 to 10
     B.11.  10 to 11
   Acknowledgements
   Author's Address
1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a RESTCONF client and the other module to configure a
   RESTCONF server [RFC8040].  Both modules support the TLS [RFC8446]
   transport protocol with both standard RESTCONF and RESTCONF Call Home
   connections [RFC8071].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The RESTCONF Client Model

   The RESTCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   client supports.

2.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-restconf-client
     +--rw restconf-client
        +---u restconf-client-grouping

     grouping restconf-client-grouping
       +-- initiate! {initiate}?
       |  +-- restconf-server* [name]
       |     +-- name?                 string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?          string
       |     |     +-- (transport)
       |     |        +--:(https) {https-initiate}?
       |     |           +-- https
       |     |              +---u restconf-client-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?        string
             +-- (transport)
                +--:(https) {https-listen}?
                   +-- https
                      +---u restconf-client-grouping

2.2.  Example Usage

   The following example illustrates configuring a RESTCONF client to
   initiate connections, as well as listening for call-home connections.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========

   [The XML instance data of this example is not recoverable from this
   copy: the markup was stripped during extraction and only element
   values survived.  What remains shows a RESTCONF client with two
   'initiate' entries, 'corp-fw1' (endpoint 'corp-fw1.example.com') and
   'corp-fw2' (endpoint 'corp-fw2.example.com'), each with TCP and TLS
   keepalive settings, a 'ct:rsa2048' client identity with
   'base64encodedvalue==' key and certificate placeholders,
   'explicitly-trusted-server-ca-certs' as pinned-ca-certs,
   'explicitly-trusted-server-certs' as pinned server certs, 'HTTP/1.1'
   as the HTTP protocol version and credentials for user 'bob'; and a
   'listen' endpoint named 'Intranet-facing listener' on address
   11.22.33.44 with the same identity, trust and HTTP settings.]

2.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC8040],
   [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].

   <CODE BEGINS> file "ietf-restconf-client@2019-04-07.yang"
   module ietf-restconf-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
     prefix rcc;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
     }

     import ietf-http-client {
       prefix httpc;
       reference
         "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author: Kent Watsen
        Author: Gary Wu ";

     description
       "This module contains a collection of YANG definitions
        for configuring RESTCONF clients.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2019-04-07 {
       description
         "Initial version";
       reference
         "RFC XXXX: RESTCONF Client and Server Models";
     }

     // Features

     feature initiate {
       description
         "The 'initiate' feature indicates that the RESTCONF client
          supports initiating RESTCONF connections to RESTCONF servers
          using at least one transport (e.g., HTTPS, etc.).";
     }

     feature https-initiate {
       if-feature "initiate";
       description
         "The 'https-initiate' feature indicates that the RESTCONF
          client supports initiating HTTPS connections to RESTCONF
          servers.  This feature exists as HTTPS might not be a
          mandatory to implement transport in the future.";
       reference
         "RFC 8040: RESTCONF Protocol";
     }

     feature listen {
       description
         "The 'listen' feature indicates that the RESTCONF client
          supports opening a port to accept RESTCONF server call
          home connections using at least one transport (e.g.,
          HTTPS, etc.).";
     }

     feature https-listen {
       if-feature "listen";
       description
         "The 'https-listen' feature indicates that the RESTCONF client
          supports opening a port to listen for incoming RESTCONF
          server call-home connections.  This feature exists as not
          all RESTCONF clients may support RESTCONF call home.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping restconf-client-grouping {
       description
         "Top-level grouping for RESTCONF client configuration.";
       container initiate {
         if-feature "initiate";
         presence "Enables client to initiate TCP connections";
         description
           "Configures client initiating underlying TCP connections.";
         list restconf-server {
           key "name";
           min-elements 1;
           description
             "List of RESTCONF servers the RESTCONF client is to
              initiate connections to in parallel.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF server.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A non-empty user-ordered list of endpoints for this
                  RESTCONF client to try to connect to in sequence.
                  Defining more than one enables high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for this endpoint.";
               }
               choice transport {
                 mandatory true;
                 description
                   "Selects between available transports.  This is a
                    'choice' statement so as to support additional
                    transport options to be augmented in.";
                 case https {
                   if-feature "https-initiate";
                   container https {
                     description
                       "Specifies HTTPS-specific transport
                        configuration.";
                     uses tcpc:tcp-client-grouping {
                       refine "tcp-client-parameters/remote-port" {
                         default "443";
                         description
                           "The RESTCONF client will attempt to
                            connect to the IANA-assigned well-known
                            port value for 'https' (443) if no value
                            is specified.";
                       }
                     }
                     uses tlsc:tls-client-grouping {
                       refine "tls-client-parameters/client-identity"
                            + "/auth-type" {
                         mandatory true;
                         description
                           "RESTCONF clients MUST pass some
                            authentication credentials.";
                       }
                     }
                     uses httpc:http-client-grouping;
                   }
                 } // https
               } // transport
             } // endpoint
           } // endpoints
           container connection-type {
             description
               "Indicates the RESTCONF client's preference for how
                the RESTCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection
                             is to be maintained.";
                   description
                     "Maintain a persistent connection to the
                      RESTCONF server.  If the connection goes down,
                      immediately start trying to reconnect to it,
                      using the reconnection strategy.  This
                      connection type minimizes any RESTCONF server
                      to RESTCONF client data-transfer delay, albeit
                      at the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   must 'not (../../endpoints/endpoint/https/'
                      + 'tcp-client-parameters/keepalives '
                      + 'or ../../endpoints/endpoint/https/'
                      + 'tls-client-parameters/keepalives)';
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the RESTCONF server.
                      The RESTCONF server should close the
                      underlying TCP connection upon completing
                      planned activities.

                      This connection type increases resource
                      utilization, albeit with increased delay in
                      RESTCONF server to RESTCONF client
                      interactions.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic
                        connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which
                        a series of periodic connections are
                        determined.  The periodic connections occur
                        at a whole multiple interval from the anchor
                        time.  For example, if the anchor time is 15
                        minutes past midnight and the period is
                        24 hours, then a periodic connection will
                        occur 15 minutes past midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds
                        that the underlying TCP session may remain
                        idle.  A TCP session will be dropped if it
                        is idle for an interval longer than this
                        number of seconds.  If set to zero, then the
                        RESTCONF client will never drop a session
                        because it is idle.";
                   }
                 }
               } // periodic-connection
             } // connection-type
           } // connection-type
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a RESTCONF
                client reconnects to a RESTCONF server, after
                discovering its connection to the server has
                dropped, even if due to a reboot.  The RESTCONF
                client starts with the specified endpoint and
                tries to connect to it max-attempts times before
                trying the next endpoint in the list (round
                robin).";

             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start
                      with the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start
                      with the endpoint last connected to.  If
                      no previous connection has ever been
                      established, then the first endpoint
                      configured is used.  RESTCONF clients
                      SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the RESTCONF server's
                  endpoints the RESTCONF client should start
                  with when trying to connect to the RESTCONF
                  server.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the RESTCONF client
                  tries to connect to a specific endpoint before
                  moving on to the next endpoint in the list
                  (round robin).";
             }
           } // reconnect-strategy
         } // restconf-server
       } // initiate

       container listen {
         if-feature "listen";
         presence "Enables client to accept call-home connections";
         description
           "Configures client accepting call-home TCP connections.";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that an
              underlying TCP session may remain idle.  A TCP session
              will be dropped if it is idle for an interval longer
              than this number of seconds.  If set to zero, then
              the server will never drop a session because it is
              idle.  Sessions that have a notification subscription
              active are never dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for RESTCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF listen endpoint.";
           }
           choice transport {
             mandatory true;
             description
               "Selects between available transports.
                This is a
                'choice' statement so as to support additional
                transport options to be augmented in.";
             case https {
               if-feature "https-listen";
               container https {
                 description
                   "HTTPS-specific listening configuration for inbound
                    connections.";
                 uses tcps:tcp-server-grouping {
                   refine "tcp-server-parameters/local-port" {
                     default "4336";
                     description
                       "The RESTCONF client will listen on the IANA-
                        assigned well-known port for 'restconf-ch-tls'
                        (4336) if no value is specified.";
                   }
                 }
                 uses tlsc:tls-client-grouping {
                   refine
                     "tls-client-parameters/client-identity/auth-type" {
                     mandatory true;
                     description
                       "RESTCONF clients MUST pass some authentication
                        credentials.";
                   }
                 }
                 uses httpc:http-client-grouping;
               }
             } // case https
           } // transport
         } // endpoint
       } // listen
     } // restconf-client

     // Protocol accessible node, for servers that implement this
     // module.

     container restconf-client {
       uses restconf-client-grouping;
       description
         "Top-level container for RESTCONF client configuration.";
     }
   }
   <CODE ENDS>

3.  The RESTCONF Server Model

   The RESTCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   server supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.
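   Before turning to the server's tree diagram, the following Python
   sketch is an added example (not part of the draft or its authors'
   work) of the client-side semantics defined in the ietf-restconf-client
   module of Section 2.3: the 'must' that keeps 'periodic' apart from
   keepalives, the anchor-time arithmetic of the 'periodic' connection
   type, and the 'start-with'/'max-attempts' round robin of
   'reconnect-strategy' (the server's call-home configuration in
   Section 3 reuses the same leaves).  The endpoint names, the
   try_connect callable and the behaviour when no anchor-time is set are
   assumptions made for the example.

```python
"""Added example, not part of the draft: scheduling and reconnection logic for
the 'periodic' connection-type and the 'reconnect-strategy' container of
ietf-restconf-client.  Endpoint names and the try_connect callable are
constructed for illustration."""
import math
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class Periodic:
    """Leaves of the 'periodic' presence container."""
    period_minutes: int = 60                 # leaf period, units minutes, default 60
    anchor_time: Optional[datetime] = None   # leaf anchor-time, minute granularity
    idle_timeout: int = 120                  # leaf idle-timeout, seconds, default 120


@dataclass
class ReconnectStrategy:
    """Leaves of the 'reconnect-strategy' container."""
    start_with: str = "first-listed"   # first-listed | last-connected | random-selection
    max_attempts: int = 3              # uint8, range 1..max, default 3


def parse_anchor(text: str) -> datetime:
    """Parse an anchor-time value matching the module's minute-granularity
    pattern, e.g. '2019-04-07T00:15Z' or '2019-04-07T00:15+02:00'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M%z")


def check_periodic_constraint(tcp_keepalives: bool, tls_keepalives: bool) -> None:
    """Mirror the 'must' on 'periodic': a periodic connection may not be combined
    with TCP or TLS keepalives on any endpoint, since keepalives would hold open
    the connection that 'periodic' expects the server to close."""
    if tcp_keepalives or tls_keepalives:
        raise ValueError("periodic connection-type conflicts with configured keepalives")


def next_periodic_connection(cfg: Periodic, now: datetime) -> datetime:
    """Next connection time: the first whole multiple of 'period' counted from
    'anchor-time' that is strictly after 'now'.  Without an anchor-time the
    client simply waits one period (an assumption; the draft only describes
    the anchored case)."""
    period = timedelta(minutes=cfg.period_minutes)
    if cfg.anchor_time is None:
        return now + period
    anchor = cfg.anchor_time.replace(second=0, microsecond=0)
    # k is the smallest integer with anchor + k*period > now.  k may be zero or
    # negative when the anchor lies in the future: the series also runs at whole
    # multiples before the anchor, as the leaf description allows.
    k = math.floor((now - anchor) / period) + 1
    return anchor + k * period


def endpoint_order(endpoints: List[str], strategy: ReconnectStrategy,
                   last_connected: Optional[str], rng=random) -> List[str]:
    """Rotate the user-ordered endpoint list so that the endpoint selected by
    'start-with' comes first; the round robin continues from there."""
    if not endpoints:
        raise ValueError("min-elements 1: at least one endpoint is required")
    if strategy.start_with == "last-connected" and last_connected in endpoints:
        start = endpoints.index(last_connected)
    elif strategy.start_with == "random-selection":
        start = rng.randrange(len(endpoints))
    else:
        # 'first-listed', or 'last-connected' with no remembered endpoint
        start = 0
    return endpoints[start:] + endpoints[:start]


def reconnect(endpoints: List[str], strategy: ReconnectStrategy,
              last_connected: Optional[str],
              try_connect: Callable[[str], bool], rng=random) -> Optional[str]:
    """Try each endpoint up to 'max-attempts' times before moving on to the
    next one.  Returns the endpoint that connected, or None when one full
    round over the list failed (the caller decides whether to go again)."""
    if not 1 <= strategy.max_attempts <= 255:
        raise ValueError("max-attempts must be in 1..255")
    for ep in endpoint_order(endpoints, strategy, last_connected, rng):
        for _ in range(strategy.max_attempts):
            if try_connect(ep):
                return ep
    return None
```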
   module: ietf-restconf-server
     +--rw restconf-server
        +---u restconf-server-grouping

     grouping restconf-server-grouping
       +-- listen! {listen}?
       |  +-- endpoint* [name]
       |     +-- name?        string
       |     +-- (transport)
       |        +--:(https) {https-listen}?
       |           +-- https
       |              +---u restconf-server-grouping
       +-- call-home! {call-home}?
          +-- restconf-client* [name]
             +-- name?                 string
             +-- endpoints
             |  +-- endpoint* [name]
             |     +-- name?          string
             |     +-- (transport)
             |        +--:(https) {https-call-home}?
             |           +-- https
             |              +---u restconf-server-grouping
             +-- connection-type
             |  +-- (connection-type)
             |     +--:(persistent-connection)
             |     |  +-- persistent!
             |     +--:(periodic-connection)
             |        +-- periodic!
             |           +-- period?         uint16
             |           +-- anchor-time?    yang:date-and-time
             |           +-- idle-timeout?   uint16
             +-- reconnect-strategy
                +-- start-with?     enumeration
                +-- max-attempts?   uint8

3.2.  Example Usage

   The following example illustrates configuring a RESTCONF server to
   listen for RESTCONF client connections, as well as configuring call-
   home to one RESTCONF client.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].
   =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========

   [The XML instance data of this example is not recoverable from this
   copy: the markup was stripped during extraction and only element
   values survived.  What remains shows a 'listen' endpoint named
   'netconf/tls' on address 11.22.33.44 with a 'ct:rsa2048' server
   identity ('base64encodedvalue==' placeholders),
   'explicitly-trusted-client-ca-certs' as pinned-ca-certs,
   'explicitly-trusted-client-certs' as pinned client certs, two
   cert-to-name entries (id 1, fingerprint 11:0A:05:11:00, map-type
   x509c2n:san-any; id 2, fingerprint B3:4F:A1:8C:54, map-type
   x509c2n:specified, name 'scooby-doo'), the server name
   'foo.example.com' and the protocol versions HTTP/1.1 and HTTP/2.0;
   and a 'call-home' entry for RESTCONF client 'config-manager' with
   endpoints 'east-data-center' (east.example.com) and
   'west-data-center' (west.example.com) carrying the same identity,
   trust, cert-to-name and HTTP settings, a connection-type carrying the
   values 300 and 60, and a reconnect-strategy of 'last-connected' with
   max-attempts 3.]

3.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC7407],
   [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].
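   The following Python sketch is an added example (not from the draft
   or its authors) of how a RESTCONF server applies the cert-to-name
   entries shown in the example above: the 'must' on
   client-authentication that demands pinned-ca-certs or
   pinned-client-certs, fingerprint matching per RFC 7407 (the first
   octet of a tls-fingerprint selects the hash algorithm; the presented
   certificate and the certificates in its chain are compared), and the
   "matching and valid" rule under which no usable entry means the
   connection is closed rather than served.  The certificate bytes, the
   SAN values and the entry fingerprints are constructed for the example.

```python
"""Added example, not part of the draft: applying x509c2n:cert-to-name entries
(the 'cert-maps' container of ietf-restconf-server) to a presented client
certificate.  Certificate bytes and SAN values are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# First octet of an x509c2n:tls-fingerprint is the hash algorithm, using the
# TLS HashAlgorithm registry values (RFC 7407 refers to RFC 5246 for these).
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class CertToName:
    """One entry of the RFC 7407 cert-to-name list."""
    id: int
    fingerprint: str            # "AA:BB:..." with the algorithm id as first octet
    map_type: str               # x509c2n:specified, x509c2n:san-any, ...
    name: Optional[str] = None  # used only with map-type specified


@dataclass
class ClientCert:
    """The presented certificate, reduced to what the mapping needs."""
    der: bytes
    chain: List[bytes] = field(default_factory=list)          # issuer DERs
    san: Dict[str, List[str]] = field(default_factory=dict)   # rfc822Name / dNSName / iPAddress
    common_name: Optional[str] = None


def check_client_auth_constraint(pinned_ca_certs: Optional[str],
                                 pinned_client_certs: Optional[str]) -> None:
    """Mirror must 'pinned-ca-certs or pinned-client-certs': a server with no
    way to validate clients is a configuration error, not a fallback."""
    if not (pinned_ca_certs or pinned_client_certs):
        raise ValueError("client-authentication needs pinned-ca-certs or pinned-client-certs")


def make_fingerprint(der: bytes, alg_id: int = 4) -> str:
    """Build a tls-fingerprint string for a certificate (sha256 by default)."""
    digest = hashlib.new(HASH_ALGORITHMS[alg_id], der).digest()
    return ":".join(f"{b:02X}" for b in bytes([alg_id]) + digest)


def fingerprint_matches(entry_fp: str, cert: ClientCert) -> bool:
    """True if the entry's fingerprint is that of the presented certificate or
    of any certificate in its chain.  An unregistered algorithm id never matches."""
    octets = bytes.fromhex(entry_fp.replace(":", ""))
    alg = HASH_ALGORITHMS.get(octets[0]) if octets else None
    if alg is None:
        return False
    wanted = octets[1:]
    return any(hashlib.new(alg, der).digest() == wanted for der in [cert.der, *cert.chain])


def derive_name(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Apply the entry's map-type to the presented certificate; None when the
    certificate lacks the field the map-type needs."""
    map_type = entry.map_type.split(":")[-1]
    if map_type == "specified":
        return entry.name
    if map_type == "common-name":
        return cert.common_name
    san_fields = {"san-rfc822-name": ["rfc822Name"], "san-dns-name": ["dNSName"],
                  "san-ip-address": ["iPAddress"],
                  "san-any": ["rfc822Name", "dNSName", "iPAddress"]}
    for field_name in san_fields.get(map_type, []):
        values = cert.san.get(field_name)
        if values:
            return values[0]
    return None


def map_cert_to_username(cert_maps: List[CertToName], cert: ClientCert) -> Optional[str]:
    """Walk the entries in id order; the first one whose fingerprint matches and
    whose map-type yields a name wins.  None means no matching and valid entry
    exists, and per the module the server MUST close the connection."""
    for entry in sorted(cert_maps, key=lambda e: e.id):
        if not fingerprint_matches(entry.fingerprint, cert):
            continue
        name = derive_name(entry, cert)
        if name:
            return name
    return None
```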
1015 file "ietf-restconf-server@2019-04-07.yang" 1016 module ietf-restconf-server { 1017 yang-version 1.1; 1018 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server"; 1019 prefix rcs; 1021 import ietf-yang-types { 1022 prefix yang; 1023 reference 1024 "RFC 6991: Common YANG Data Types"; 1025 } 1027 import ietf-x509-cert-to-name { 1028 prefix x509c2n; 1029 reference 1030 "RFC 7407: A YANG Data Model for SNMP Configuration"; 1031 } 1033 import ietf-tcp-client { 1034 prefix tcpc; 1035 reference 1036 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 1037 } 1038 import ietf-tcp-server { 1039 prefix tcps; 1040 reference 1041 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; 1042 } 1044 import ietf-tls-server { 1045 prefix tlss; 1046 reference 1047 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers"; 1048 } 1050 import ietf-http-server { 1051 prefix https; 1052 reference 1053 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers"; 1054 } 1056 organization 1057 "IETF NETCONF (Network Configuration) Working Group"; 1059 contact 1060 "WG Web: 1061 WG List: 1062 Author: Kent Watsen 1063 Author: Gary Wu 1064 Author: Juergen Schoenwaelder 1065 "; 1067 description 1068 "This module contains a collection of YANG definitions 1069 for configuring RESTCONF servers. 1071 Copyright (c) 2019 IETF Trust and the persons identified 1072 as authors of the code. All rights reserved. 1074 Redistribution and use in source and binary forms, with 1075 or without modification, is permitted pursuant to, and 1076 subject to the license terms contained in, the Simplified 1077 BSD License set forth in Section 4.c of the IETF Trust's 1078 Legal Provisions Relating to IETF Documents 1079 (https://trustee.ietf.org/license-info). 
1081 This version of this YANG module is part of RFC XXXX 1082 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC 1083 itself for full legal notices.; 1085 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1086 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1087 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1088 are to be interpreted as described in BCP 14 (RFC 2119) 1089 (RFC 8174) when, and only when, they appear in all 1090 capitals, as shown here."; 1092 revision 2019-04-07 { 1093 description 1094 "Initial version"; 1095 reference 1096 "RFC XXXX: RESTCONF Client and Server Models"; 1097 } 1099 // Features 1101 feature listen { 1102 description 1103 "The 'listen' feature indicates that the RESTCONF server 1104 supports opening a port to accept RESTCONF client connections 1105 using at least one transport (e.g., HTTPS, etc.)."; 1106 } 1108 feature https-listen { 1109 if-feature "listen"; 1110 description 1111 "The 'https-listen' feature indicates that the RESTCONF server 1112 supports opening a port to listen for incoming RESTCONF 1113 client connections. This feature exists as HTTPS might not 1114 be a mandatory to implement transport in the future."; 1115 reference 1116 "RFC 8040: RESTCONF Protocol"; 1117 } 1119 feature call-home { 1120 description 1121 "The 'call-home' feature indicates that the RESTCONF 1122 server supports initiating RESTCONF call home connections 1123 to RESTCONF clients using at least one transport (e.g., 1124 HTTPS, etc.)."; 1125 reference 1126 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1127 } 1129 feature https-call-home { 1130 if-feature "call-home"; 1131 description 1132 "The 'https-call-home' feature indicates that the RESTCONF 1133 server supports initiating connections to RESTCONF clients. 
1135 This feature exists as not all RESTCONF servers may 1136 support RESTCONF call home."; 1137 reference 1138 "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; 1139 } 1141 // Groupings 1143 grouping restconf-server-grouping { 1144 description 1145 "Top-level grouping for RESTCONF server configuration."; 1146 container listen { 1147 if-feature "listen"; 1148 presence "Enables server to listen for TCP connections"; 1149 description "Configures listen behavior"; 1150 list endpoint { 1151 key "name"; 1152 min-elements 1; 1153 description 1154 "List of endpoints to listen for RESTCONF connections."; 1155 leaf name { 1156 type string; 1157 description 1158 "An arbitrary name for the RESTCONF listen endpoint."; 1159 } 1160 choice transport { 1161 mandatory true; 1162 description 1163 "Selects between available transports. This is a 1164 'choice' statement so as to support additional 1165 transport options to be augmented in."; 1166 case https { 1167 if-feature "https-listen"; 1168 container https { 1169 description 1170 "HTTPS-specific listening configuration for inbound 1171 connections."; 1172 uses tcps:tcp-server-grouping { 1173 refine "tcp-server-parameters/local-port" { 1174 default "443"; 1175 description 1176 "The RESTCONF server will listen on the IANA- 1177 assigned well-known port value for 'https' 1178 (443) if no value is specified."; 1179 } 1180 } 1181 uses tlss:tls-server-grouping { 1182 refine 1183 "tls-server-parameters/client-authentication" { 1184 must 'pinned-ca-certs or pinned-client-certs'; 1185 description 1186 "RESTCONF servers MUST be able to validate 1187 clients."; 1188 } 1189 augment 1190 "tls-server-parameters/client-authentication" { 1191 description 1192 "Augments in the cert-to-name structure, 1193 so the RESTCONF server can map TLS-layer 1194 client certificates to RESTCONF usernames."; 1195 container cert-maps { 1196 uses x509c2n:cert-to-name; 1197 description 1198 "The cert-maps container is used by a TLS- 1199 based RESTCONF server 
to map the RESTCONF
1200                      client's presented X.509 certificate to
1201                      a RESTCONF username.  If no matching and
1202                      valid cert-to-name list entry can be found,
1203                      then the RESTCONF server MUST close the
1204                      connection, and MUST NOT accept RESTCONF
1205                      messages over it.";
1206                   reference
1207                     "RFC 7407: A YANG Data Model for SNMP
1208                      Configuration.";
1209                 }
1210               }
1211             }
1212             uses https:http-server-grouping;
1213           } // https container
1214         } // https case
1215       } // transport
1216     } // endpoint
1217   } // listen

1219   container call-home {
1220     if-feature "call-home";
1221     presence "Enables server to initiate TCP connections";
1222     description "Configures call-home behavior";
1223     list restconf-client {
1224       key "name";
1225       min-elements 1;
1226       description
1227         "List of RESTCONF clients the RESTCONF server is to
1228          initiate call-home connections to in parallel.";
1229       leaf name {
1230         type string;
1231         description
1232           "An arbitrary name for the remote RESTCONF client.";
1233       }
1234       container endpoints {
1235         description
1236           "Container for the list of endpoints.";
1237         list endpoint {
1238           key "name";
1239           min-elements 1;
1240           ordered-by user;
1241           description
1242             "User-ordered list of endpoints for this RESTCONF
1243              client.  Defining more than one enables high-
1244              availability.";
1245           leaf name {
1246             type string;
1247             description
1248               "An arbitrary name for this endpoint.";
1249           }
1250           choice transport {
1251             mandatory true;
1252             description
1253               "Selects between available transports.
This is a 1254 'choice' statement so as to support additional 1255 transport options to be augmented in."; 1256 case https { 1257 if-feature "https-call-home"; 1258 container https { 1259 description 1260 "Specifies HTTPS-specific call-home transport 1261 configuration."; 1262 uses tcpc:tcp-client-grouping { 1263 refine "tcp-client-parameters/remote-port" { 1264 default "4336"; 1265 description 1266 "The RESTCONF server will attempt to connect 1267 to the IANA-assigned well-known port for 1268 'restconf-ch-tls' (4336) if no value is 1269 specified."; 1270 } 1271 } 1272 uses tlss:tls-server-grouping { 1273 refine 1274 "tls-server-parameters/client-authentication" { 1275 must 'pinned-ca-certs or pinned-client-certs'; 1276 description 1277 "RESTCONF servers MUST be able to validate 1278 clients."; 1280 } 1281 augment 1282 "tls-server-parameters/client-authentication" { 1283 description 1284 "Augments in the cert-to-name structure, 1285 so the RESTCONF server can map TLS-layer 1286 client certificates to RESTCONF usernames."; 1287 container cert-maps { 1288 uses x509c2n:cert-to-name; 1289 description 1290 "The cert-maps container is used by a 1291 TLS-based RESTCONF server to map the 1292 RESTCONF client's presented X.509 1293 certificate to a RESTCONF username. 
If 1294 no matching and valid cert-to-name list 1295 entry can be found, then the RESTCONF 1296 server MUST close the connection, and 1297 MUST NOT accept RESTCONF messages over 1298 it."; 1299 reference 1300 "RFC 7407: A YANG Data Model for SNMP 1301 Configuration."; 1302 } 1303 } 1304 } 1305 uses https:http-server-grouping; 1306 } 1307 } 1308 } // transport 1309 } // endpoint 1310 } // endpoints 1311 container connection-type { 1312 description 1313 "Indicates the RESTCONF server's preference for how the 1314 RESTCONF connection is maintained."; 1315 choice connection-type { 1316 mandatory true; 1317 description 1318 "Selects between available connection types."; 1319 case persistent-connection { 1320 container persistent { 1321 presence "Indicates that a persistent connection is 1322 to be maintained."; 1323 description 1324 "Maintain a persistent connection to the RESTCONF 1325 client. If the connection goes down, immediately 1326 start trying to reconnect to it, using the 1327 reconnection strategy. 1329 This connection type minimizes any RESTCONF 1330 client to RESTCONF server data-transfer delay, 1331 albeit at the expense of holding resources 1332 longer."; 1333 } 1334 } 1335 case periodic-connection { 1336 container periodic { 1337 must 'not (../../endpoints/endpoint/https/' 1338 + 'tcp-client-parameters/keepalives ' 1339 + 'or ../../endpoints/endpoint/https/' 1340 + 'tls-server-parameters/keepalives)'; 1341 presence "Indicates that a periodic connection is 1342 to be maintained."; 1343 description 1344 "Periodically connect to the RESTCONF client. The 1345 RESTCONF client should close the underlying TCP 1346 connection upon completing planned activities. 
1348                  This connection type decreases resource
1349                  utilization, albeit with increased delay in
1350                  RESTCONF client to RESTCONF server interactions.";
1351              leaf period {
1352                type uint16;
1353                units "minutes";
1354                default "60";
1355                description
1356                  "Duration of time between periodic connections.";
1357              }
1358              leaf anchor-time {
1359                type yang:date-and-time {
1360                  // constrained to minute-level granularity
1361                  pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1362                        + '(Z|[\+\-]\d{2}:\d{2})';
1363                }
1364                description
1365                  "Designates a timestamp before or after which a
1366                   series of periodic connections are determined.
1367                   The periodic connections occur at a whole
1368                   multiple interval from the anchor time.  For
1369                   example, with an anchor time of 15 minutes past
1370                   midnight and a period of 24 hours, a periodic
1371                   connection will occur 15 minutes past midnight
1372                   every day.";
1373              }
1374              leaf idle-timeout {
1375                type uint16;
1376                units "seconds";
1377                default 120; // two minutes
1378                description
1379                  "Specifies the maximum number of seconds that
1380                   the underlying TCP session may remain idle.
1381                   A TCP session will be dropped if it is idle
1382                   for an interval longer than this number of
1383                   seconds.  If set to zero, then the server
1384                   will never drop a session because it is idle.";
1385              }
1386            }
1387          }
1388        }
1389      }
1390      container reconnect-strategy {
1391        description
1392          "The reconnection strategy directs how a RESTCONF server
1393           reconnects to a RESTCONF client after discovering its
1394           connection to the client has dropped, even if due to a
1395           reboot.
The RESTCONF server starts with the specified
1396           endpoint and tries to connect to it max-attempts times
1397           before trying the next endpoint in the list (round
1398           robin).";
1399        leaf start-with {
1400          type enumeration {
1401            enum first-listed {
1402              description
1403                "Indicates that reconnections should start with
1404                 the first endpoint listed.";
1405            }
1406            enum last-connected {
1407              description
1408                "Indicates that reconnections should start with
1409                 the endpoint last connected to.  If no previous
1410                 connection has ever been established, then the
1411                 first endpoint configured is used.  RESTCONF
1412                 servers SHOULD be able to remember the last
1413                 endpoint connected to across reboots.";
1414            }
1415            enum random-selection {
1416              description
1417                "Indicates that reconnections should start with
1418                 a random endpoint.";
1419            }
1420          }
1421          default "first-listed";
1422          description
1423            "Specifies which of the RESTCONF client's endpoints
1424             the RESTCONF server should start with when trying
1425             to connect to the RESTCONF client.";
1426        }
1427        leaf max-attempts {
1428          type uint8 {
1429            range "1..max";
1430          }
1431          default "3";
1432          description
1433            "Specifies the number of times the RESTCONF server tries
1434             to connect to a specific endpoint before moving on to
1435             the next endpoint in the list (round robin).";
1436        }
1437      }
1438    } // restconf-client
1439  } // call-home
1440 } // restconf-server-grouping

1442 // Protocol accessible node, for servers that implement this
1443 // module.

1445 container restconf-server {
1446   uses restconf-server-grouping;
1447   description
1448     "Top-level container for RESTCONF server configuration.";
1449 }
1450 }
1451

1453 4.  Security Considerations

1455    The YANG module defined in this document uses groupings defined in
1456    [I-D.kwatsen-netconf-tcp-client-server],
1457    [I-D.ietf-netconf-tls-client-server], and
1458    [I-D.kwatsen-netconf-http-client-server].
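Before the considerations that follow, an added example (written for this page; it is not code from the draft or from any RESTCONF implementation) of what the server module's client-authentication rules mean in practice: the configuration is rejected unless 'pinned-ca-certs' or 'pinned-client-certs' is set (the refined 'must'), x509c2n:tls-fingerprint values are built with the hash named by their first octet (the RFC 7407 typedef), the cert-to-name list is walked in 'id' order and an entry matches if its fingerprint matches any certificate in the presented chain, and the lookup yields no username, which means the server closes the connection, when no matching and valid entry exists. The certificate byte strings, the pre-parsed 'cert_names' dictionary standing in for X.509 parsing, and the reading of a matched entry that yields no name as "not valid" are assumptions of this example.

```python
"""Added example, not part of the draft: a fail-closed RESTCONF username
lookup following the cert-maps / x509c2n:cert-to-name semantics the server
module imports from RFC 7407, plus the module's 'must' on
client-authentication.  Standard library only.  The certificate byte
strings are constructed samples, not real X.509 DER."""
import hashlib
from typing import Dict, List, Optional, Sequence

# First octet of an x509c2n:tls-fingerprint is the hash algorithm id from
# the IANA TLS HashAlgorithm registry (RFC 7407 typedef, values per RFC 5246).
HASH_IDS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}

# x509c2n:san-any tries these subjectAltName kinds in this order (RFC 7407).
SAN_ANY_ORDER = ("x509c2n:san-rfc822-name", "x509c2n:san-dns-name",
                 "x509c2n:san-ip-address")


def client_auth_satisfies_must(client_authentication: dict) -> bool:
    """The module refines tls-server-parameters/client-authentication with
    must 'pinned-ca-certs or pinned-client-certs': with neither, the server
    cannot validate clients and the configuration is invalid."""
    return bool(client_authentication.get("pinned-ca-certs")
                or client_authentication.get("pinned-client-certs"))


def tls_fingerprint(cert_der: bytes, hash_id: int = 4) -> str:
    """Encode a certificate as a tls-fingerprint string, e.g. '04:9f:86:...'."""
    digest = hashlib.new(HASH_IDS[hash_id], cert_der).digest()
    return ":".join(f"{b:02x}" for b in bytes([hash_id]) + digest)


def fingerprint_matches(entry_fingerprint: str, cert_der: bytes) -> bool:
    """Compare a configured fingerprint with a certificate using the hash the
    fingerprint names.  Malformed or unknown-algorithm values never match."""
    parts = entry_fingerprint.lower().split(":")
    try:
        hash_id = int(parts[0], 16)
    except ValueError:
        return False
    if hash_id not in HASH_IDS:
        return False
    return tls_fingerprint(cert_der, hash_id) == ":".join(parts)


def resolve_username(cert_maps: Sequence[dict], chain: Sequence[bytes],
                     cert_names: Dict[str, str]) -> Optional[str]:
    """Return the RESTCONF username for a presented chain, or None, meaning the
    server MUST close the connection (no matching and valid entry).

    cert_maps:  cert-to-name entries, dicts with id/fingerprint/map-type/name.
    chain:      end-entity certificate first, then the CA certificates that
                validated it (DER).  An entry matches if its fingerprint matches
                any certificate in the chain, so one entry keyed on a CA
                fingerprint covers every client that CA issued.
    cert_names: names already parsed from the end-entity certificate, keyed by
                map-type identity (X.509 parsing is out of scope; assumption).
    """
    chain = list(chain)
    for entry in sorted(cert_maps, key=lambda e: e["id"]):  # consulted in 'id' order
        if not any(fingerprint_matches(entry["fingerprint"], c) for c in chain):
            continue
        map_type = entry["map-type"]
        if map_type == "x509c2n:specified":
            return entry["name"]                             # name from configuration
        kinds = SAN_ANY_ORDER if map_type == "x509c2n:san-any" else (map_type,)
        for kind in kinds:
            if cert_names.get(kind):
                return cert_names[kind]                      # name from the certificate
        # Fingerprint matched but the certificate has no usable field: matching
        # but not valid, so keep looking (assumption about the text's intent).
    return None


# Constructed sample data (not real certificates).
CLIENT_CERT = b"constructed sample: end-entity certificate bytes"
CA_CERT = b"constructed sample: issuing CA certificate bytes"
SAMPLE_CERT_MAPS = [
    # id 1: anyone issued by the pinned CA maps to the CN in their certificate
    {"id": 1, "fingerprint": tls_fingerprint(CA_CERT, 5).upper(),
     "map-type": "x509c2n:common-name", "name": None},
    # id 2: this exact client certificate maps to a fixed username
    {"id": 2, "fingerprint": tls_fingerprint(CLIENT_CERT),
     "map-type": "x509c2n:specified", "name": "admin"},
]


def demo() -> List[Optional[str]]:
    """Three connections: CA-issued cert carrying a CN, the same cert with no
    CN, and an unknown certificate (the server must close that one)."""
    return [
        resolve_username(SAMPLE_CERT_MAPS, [CLIENT_CERT, CA_CERT],
                         {"x509c2n:common-name": "alice"}),
        resolve_username(SAMPLE_CERT_MAPS, [CLIENT_CERT, CA_CERT], {}),
        resolve_username(SAMPLE_CERT_MAPS, [b"constructed sample: unknown cert"], {}),
    ]


if __name__ == "__main__":
    print(demo())  # ['alice', 'admin', None]
```

The order of the list matters: because entry 1 is keyed on the CA fingerprint, a client certificate issued by that CA is named from its own subject even when a later entry pins it to a fixed username, which is why operators should keep CA-wide entries after, not before, any per-certificate overrides they rely on.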
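A second added example, likewise not from the draft: the call-home scheduling and reconnection rules that the 'connection-type' and 'reconnect-strategy' nodes above state in prose, in Python so they can be checked against the text. 'next_periodic_connection' finds the first whole multiple of 'period' from 'anchor-time' that lies after the current time (the anchor may be before or after it), 'periodic_allowed' enforces the must statement that forbids TCP and TLS keepalives on a periodic endpoint, and 'reconnect_order' produces the round-robin attempt sequence for each 'start-with' value with 'max-attempts' tries per endpoint. The endpoint names and timestamps are constructed; counting the period from now when no anchor is configured, and falling back to the first endpoint when the remembered one is no longer in the list, are assumptions of this example.

```python
"""Added example, not part of the draft: reference logic for the call-home
'connection-type' and 'reconnect-strategy' nodes of the server module.
Standard library only; endpoint names and times are constructed samples."""
import random
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Sequence


def periodic_allowed(https_endpoint: dict) -> bool:
    """The 'periodic' container's must statement: neither TCP nor TLS
    keepalives may be configured on the endpoint, since a periodic connection
    is meant to be dropped when idle and keepalives would hold it open."""
    tcp = https_endpoint.get("tcp-client-parameters", {})
    tls = https_endpoint.get("tls-server-parameters", {})
    return not (tcp.get("keepalives") or tls.get("keepalives"))


def _parse(ts: str) -> datetime:
    """Parse yang:date-and-time; anchor-time is minute-granular and may end in
    'Z', which datetime.fromisoformat only accepts spelled as '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def next_periodic_connection(now: str, period_minutes: int = 60,
                             anchor_time: Optional[str] = None) -> str:
    """Next call-home instant under 'periodic': the first whole multiple of
    'period' from 'anchor-time' after 'now'.  The anchor may lie in the past
    or the future (the multiple may be negative).  Without an anchor the
    period is counted from 'now' (assumption; the draft does not say)."""
    period = timedelta(minutes=period_minutes)
    t_now = _parse(now)
    if anchor_time is None:
        return (t_now + period).isoformat()
    anchor = _parse(anchor_time)
    k = (t_now - anchor) // period  # floor division of timedeltas gives an int
    return (anchor + period * (k + 1)).isoformat()


def reconnect_order(endpoints: Sequence[str], start_with: str = "first-listed",
                    max_attempts: int = 3, last_connected: Optional[str] = None,
                    seed: Optional[int] = None) -> List[str]:
    """One round-robin pass over the user-ordered endpoint list: the starting
    endpoint follows 'start-with', each endpoint is tried 'max-attempts' times
    before moving on, and every endpoint is visited once."""
    if not endpoints:
        raise ValueError("endpoints has min-elements 1")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # No previous connection, or the remembered endpoint is no longer
        # configured (assumption for the latter): use the first one listed.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = random.Random(seed).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value: {start_with}")
    rotated = list(endpoints[start:]) + list(endpoints[:start])
    return [name for name in rotated for _ in range(max_attempts)]


def run_reconnect(endpoints: Sequence[str], connect: Callable[[str], bool],
                  **strategy) -> Optional[str]:
    """Drive one reconnect round with a caller-supplied connect() callback;
    returns the endpoint that accepted the connection, or None if all failed."""
    for name in reconnect_order(endpoints, **strategy):
        if connect(name):
            return name
    return None


def demo() -> dict:
    """Constructed sample: the draft's own daily 00:15 anchor, an anchor in
    the future, and a reconnect round where only the third endpoint answers."""
    endpoints = ["primary", "secondary", "tertiary"]
    attempts: List[str] = []

    def connect(name: str) -> bool:
        attempts.append(name)
        return name == "tertiary"

    return {
        "daily": next_periodic_connection("2019-04-07T10:00:00Z", 1440, "2019-01-01T00:15Z"),
        "future_anchor": next_periodic_connection("2019-04-07T10:00:00Z", 60, "2019-04-08T00:15Z"),
        "winner": run_reconnect(endpoints, connect, start_with="last-connected",
                                max_attempts=2, last_connected="secondary"),
        "attempts": attempts,
    }


if __name__ == "__main__":
    print(demo())
```

With 'last-connected' and 'max-attempts' of 2, the round above tries 'secondary' twice before moving on, so a client whose last-connected endpoint has gone away costs the server 'max-attempts' failed handshakes per reconnect cycle; 'first-listed' is the cheaper choice when the list is ordered by preference rather than by history.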
Please see the Security
1459    Considerations section in those documents for concerns related to
1460    those groupings.

1462    The YANG modules defined in this document are designed to be accessed
1463    via YANG-based management protocols, such as NETCONF [RFC6241] and
1464    RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
1465    implement secure transport layers (e.g., SSH, TLS) with mutual
1466    authentication.

1468    The NETCONF access control model (NACM) [RFC8341] provides the means
1469    to restrict access for particular users to a pre-configured subset of
1470    all available protocol operations and content.

1472    There are a number of data nodes defined in the YANG modules that are
1473    writable/creatable/deletable (i.e., config true, which is the
1474    default).  Some of these data nodes may be considered sensitive or
1475    vulnerable in some network environments.  Write operations (e.g.,
1476    edit-config) to these data nodes without proper protection can have a
1477    negative effect on network operations.  These are the subtrees and
1478    data nodes and their sensitivity/vulnerability:

1480    None of the subtrees or data nodes in the modules defined in this
1481    document need to be protected from write operations.

1483    Some of the readable data nodes in the YANG modules may be considered
1484    sensitive or vulnerable in some network environments.  It is thus
1485    important to control read access (e.g., via get, get-config, or
1486    notification) to these data nodes.  These are the subtrees and data
1487    nodes and their sensitivity/vulnerability:

1489    None of the subtrees or data nodes in the modules defined in this
1490    document need to be protected from read operations.

1492    Some of the RPC operations in the YANG modules may be considered
1493    sensitive or vulnerable in some network environments.  It is thus
1494    important to control access to these operations.
These are the
1495    operations and their sensitivity/vulnerability:

1497    The modules defined in this document do not define any 'RPC' or
1498    'action' statements.

1500 5.  IANA Considerations

1502 5.1.  The IETF XML Registry

1504    This document registers two URIs in the "ns" subregistry of the IETF
1505    XML Registry [RFC3688].  Following the format in [RFC3688], the
1506    following registrations are requested:

1508       URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1509       Registrant Contact: The NETCONF WG of the IETF.
1510       XML: N/A, the requested URI is an XML namespace.

1512       URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1513       Registrant Contact: The NETCONF WG of the IETF.
1514       XML: N/A, the requested URI is an XML namespace.

1516 5.2.  The YANG Module Names Registry

1518    This document registers two YANG modules in the YANG Module Names
1519    registry [RFC6020].  Following the format in [RFC6020], the
1520    following registrations are requested:

1522       name:         ietf-restconf-client
1523       namespace:    urn:ietf:params:xml:ns:yang:ietf-restconf-client
1524       prefix:       ncc
1525       reference:    RFC XXXX

1527       name:         ietf-restconf-server
1528       namespace:    urn:ietf:params:xml:ns:yang:ietf-restconf-server
1529       prefix:       ncs
1530       reference:    RFC XXXX

1532 6.  References

1534 6.1.  Normative References

1536    [I-D.ietf-netconf-keystore]
1537               Watsen, K., "YANG Data Model for a Centralized Keystore
1538               Mechanism", draft-ietf-netconf-keystore-08 (work in
1539               progress), March 2019.

1541    [I-D.ietf-netconf-tls-client-server]
1542               Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1543               Clients and TLS Servers", draft-ietf-netconf-tls-client-
1544               server-10 (work in progress), March 2019.

1546    [I-D.kwatsen-netconf-http-client-server]
1547               Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1548               Servers", draft-kwatsen-netconf-http-client-server-00
1549               (work in progress), March 2019.
1551    [I-D.kwatsen-netconf-tcp-client-server]
1552               Watsen, K., "YANG Groupings for TCP Clients and TCP
1553               Servers", draft-kwatsen-netconf-tcp-client-server-00 (work
1554               in progress), March 2019.

1556    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1557               Requirement Levels", BCP 14, RFC 2119,
1558               DOI 10.17487/RFC2119, March 1997,
1559               <https://www.rfc-editor.org/info/rfc2119>.

1561    [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1562               the Network Configuration Protocol (NETCONF)", RFC 6020,
1563               DOI 10.17487/RFC6020, October 2010,
1564               <https://www.rfc-editor.org/info/rfc6020>.

1566    [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
1567               RFC 6991, DOI 10.17487/RFC6991, July 2013,
1568               <https://www.rfc-editor.org/info/rfc6991>.

1570    [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1571               SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1572               December 2014, <https://www.rfc-editor.org/info/rfc7407>.

1574    [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1575               RFC 7950, DOI 10.17487/RFC7950, August 2016,
1576               <https://www.rfc-editor.org/info/rfc7950>.

1578    [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1579               Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
1580               <https://www.rfc-editor.org/info/rfc8040>.

1582    [RFC8071]  Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1583               RFC 8071, DOI 10.17487/RFC8071, February 2017,
1584               <https://www.rfc-editor.org/info/rfc8071>.

1586    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1587               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1588               May 2017, <https://www.rfc-editor.org/info/rfc8174>.

1590 6.2.  Informative References

1592    [I-D.ietf-netconf-trust-anchors]
1593               Watsen, K., "YANG Data Model for Global Trust Anchors",
1594               draft-ietf-netconf-trust-anchors-03 (work in progress),
1595               March 2019.

1597    [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1598               DOI 10.17487/RFC3688, January 2004,
1599               <https://www.rfc-editor.org/info/rfc3688>.

1601    [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1602               and A. Bierman, Ed., "Network Configuration Protocol
1603               (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
1604               <https://www.rfc-editor.org/info/rfc6241>.

1606    [RFC8340]  Bjorklund, M. and L.
Berger, Ed., "YANG Tree Diagrams", 1607 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 1608 . 1610 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 1611 Access Control Model", STD 91, RFC 8341, 1612 DOI 10.17487/RFC8341, March 2018, 1613 . 1615 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1616 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1617 . 1619 Appendix A. Expanded Tree Diagrams 1621 A.1. Expanded Tree Diagram for 'ietf-restconf-client' 1623 The following tree diagram [RFC8340] provides an overview of the data 1624 model for the "ietf-restconf-client" module. 1626 This tree diagram shows all the nodes defined in this module, 1627 including those defined by "grouping" statements used by this module. 1629 Please see Section 2.1 for a tree diagram that illustrates what the 1630 module looks like without all the "grouping" statements expanded. 1632 ========== NOTE: '\\' line wrapping per BCP XX (RFC XXXX) =========== 1634 module: ietf-restconf-client 1635 +--rw restconf-client 1636 +--rw initiate! {initiate}? 1637 | +--rw restconf-server* [name] 1638 | +--rw name string 1639 | +--rw endpoints 1640 | | +--rw endpoint* [name] 1641 | | +--rw name string 1642 | | +--rw (transport) 1643 | | +--:(https) {https-initiate}? 1644 | | +--rw https 1645 | | +--rw tcp-client-parameters 1646 | | | +--rw remote-address inet:host 1647 | | | +--rw remote-port? inet:port-number 1648 | | | +--rw local-address? inet:ip-address 1649 | | | +--rw local-port? inet:port-number 1650 | | | +--rw keepalives! 1651 | | | {tcp-client-keepalives}? 1652 | | | +--rw idle-time uint16 1653 | | | +--rw max-probes? uint16 1654 | | | +--rw probe-interval? uint16 1655 | | +--rw tls-client-parameters 1656 | | | +--rw client-identity 1657 | | | | +--rw (auth-type) 1658 | | | | +--:(certificate) 1659 | | | | +--rw certificate 1660 | | | | +--rw (local-or-keystore) 1661 | | | | +--:(local) 1662 | | | | | {local-keys-sup\ 1663 \ported}? 
1664 | | | | | +--rw local-definition 1665 | | | | | +--rw algorithm? 1666 | | | | | | asymmetric\ 1668 \-key-algorithm-ref 1669 | | | | | +--rw public-key? 1670 | | | | | | binary 1671 | | | | | +--rw private-key? 1672 | | | | | | union 1673 | | | | | +---x generate-hid\ 1674 \den-key 1675 | | | | | | +---w input 1676 | | | | | | +---w algori\ 1677 \thm 1678 | | | | | | asym\ 1679 \metric-key-algorithm-ref 1680 | | | | | +---x install-hidd\ 1681 \en-key 1682 | | | | | | +---w input 1683 | | | | | | +---w algori\ 1684 \thm 1685 | | | | | | | asym\ 1686 \metric-key-algorithm-ref 1687 | | | | | | +---w public\ 1688 \-key? 1689 | | | | | | | bina\ 1690 \ry 1691 | | | | | | +---w privat\ 1692 \e-key? 1693 | | | | | | bina\ 1694 \ry 1695 | | | | | +--rw cert? 1696 | | | | | | end-entity\ 1697 \-cert-cms 1698 | | | | | +---n certificate-\ 1699 \expiration 1700 | | | | | +-- expiration-\ 1701 \date 1702 | | | | | yang:da\ 1703 \te-and-time 1704 | | | | +--:(keystore) 1705 | | | | {keystore-suppo\ 1706 \rted}? 1707 | | | | +--rw keystore-refere\ 1708 \nce? 1709 | | | | ks:asymmetric\ 1710 \-key-certificate-ref 1711 | | | +--rw server-authentication 1712 | | | | +--rw pinned-ca-certs? 1713 | | | | | ta:pinned-certificates-ref 1714 | | | | | {ta:x509-certificates}? 1715 | | | | +--rw pinned-server-certs? 1716 | | | | ta:pinned-certificates-ref 1717 | | | | {ta:x509-certificates}? 1718 | | | +--rw hello-params 1719 | | | | {tls-client-hello-params-config\ 1720 \}? 1721 | | | | +--rw tls-versions 1722 | | | | | +--rw tls-version* identityref 1723 | | | | +--rw cipher-suites 1724 | | | | +--rw cipher-suite* identityref 1725 | | | +--rw keepalives! 1726 | | | {tls-client-keepalives}? 1727 | | | +--rw max-wait? uint16 1728 | | | +--rw max-attempts? uint8 1729 | | +--rw http-client-parameters 1730 | | +--rw protocol-version? enumeration 1731 | | +--rw client-identity 1732 | | | +--rw (auth-type)? 1733 | | | +--:(basic) 1734 | | | | +--rw basic {basic-auth}? 
1735 | | | | +--rw user-id? string 1736 | | | | +--rw password? string 1737 | | | +--:(bearer) 1738 | | | | +--rw bearer {bearer-auth}? 1739 | | | | +--rw token? string 1740 | | | +--:(digest) 1741 | | | | +--rw digest {digest-auth}? 1742 | | | | +--rw username? string 1743 | | | | +--rw password? string 1744 | | | +--:(hoba) 1745 | | | | +--rw hoba {hoba-auth}? 1746 | | | +--:(mutual) 1747 | | | | +--rw mutual {mutual-auth}? 1748 | | | +--:(negotiate) 1749 | | | | +--rw negotiate 1750 | | | | {negotiate-auth}? 1751 | | | +--:(oauth) 1752 | | | | +--rw oauth {oauth-auth}? 1753 | | | +--:(scram-sha-1) 1754 | | | | +--rw scram-sha-1 1755 | | | | {scram-sha-1-auth}? 1756 | | | +--:(scram-sha-256) 1757 | | | | +--rw scram-sha-256 1758 | | | | {scram-sha-256-auth}? 1759 | | | +--:(vapid) 1760 | | | +--rw vapid {vapid-auth}? 1761 | | +--rw proxy-server! {proxy-connect}? 1762 | | +--rw tcp-client-parameters 1763 | | | +--rw remote-address inet:host 1764 | | | +--rw remote-port? 1765 | | | | inet:port-number 1766 | | | +--rw local-address? 1767 | | | | inet:ip-address 1768 | | | +--rw local-port? 1769 | | | | inet:port-number 1770 | | | +--rw keepalives! 1771 | | | {tcp-client-keepalives}? 1772 | | | +--rw idle-time uint16 1773 | | | +--rw max-probes? uint16 1774 | | | +--rw probe-interval? uint16 1775 | | +--rw tls-client-parameters 1776 | | | +--rw client-identity 1777 | | | | +--rw (auth-type)? 1778 | | | | +--:(certificate) 1779 | | | | +--rw certificate 1780 | | | | +--rw (local-or-keyst\ 1781 \ore) 1782 | | | | +--:(local) 1783 | | | | | {local-ke\ 1784 \ys-supported}? 1785 | | | | | +--rw local-def\ 1786 \inition 1787 | | | | | +--rw algori\ 1788 \thm? 1789 | | | | | | asym\ 1790 \metric-key-algorithm-ref 1791 | | | | | +--rw public\ 1792 \-key? 1793 | | | | | | bina\ 1794 \ry 1795 | | | | | +--rw privat\ 1796 \e-key? 
1797 | | | | | | union 1798 | | | | | +---x genera\ 1799 \te-hidden-key 1800 | | | | | | +---w inp\ 1801 \ut 1802 | | | | | | +---w \ 1803 \algorithm 1804 | | | | | | \ 1805 \ asymmetric-key-algorithm-ref 1806 | | | | | +---x instal\ 1807 \l-hidden-key 1808 | | | | | | +---w inp\ 1809 \ut 1810 | | | | | | +---w \ 1811 \algorithm 1812 | | | | | | | \ 1813 \ asymmetric-key-algorithm-ref 1814 | | | | | | +---w \ 1815 \public-key? 1816 | | | | | | | \ 1817 \ binary 1818 | | | | | | +---w \ 1819 \private-key? 1820 | | | | | | \ 1821 \ binary 1822 | | | | | +--rw cert? 1823 | | | | | | end-\ 1824 \entity-cert-cms 1825 | | | | | +---n certif\ 1826 \icate-expiration 1827 | | | | | +-- expir\ 1828 \ation-date 1829 | | | | | y\ 1830 \ang:date-and-time 1831 | | | | +--:(keystore) 1832 | | | | {keystore\ 1833 \-supported}? 1834 | | | | +--rw keystore-\ 1835 \reference? 1836 | | | | ks:asym\ 1837 \metric-key-certificate-ref 1838 | | | +--rw server-authentication 1839 | | | | +--rw pinned-ca-certs? 1840 | | | | | ta:pinned-certificates\ 1841 \-ref 1842 | | | | | {ta:x509-certificates}? 1843 | | | | +--rw pinned-server-certs? 1844 | | | | ta:pinned-certificates\ 1845 \-ref 1846 | | | | {ta:x509-certificates}? 1847 | | | +--rw hello-params 1848 | | | | {tls-client-hello-params-\ 1849 \config}? 1850 | | | | +--rw tls-versions 1851 | | | | | +--rw tls-version* 1852 | | | | | identityref 1853 | | | | +--rw cipher-suites 1854 | | | | +--rw cipher-suite* 1855 | | | | identityref 1856 | | | +--rw keepalives! 1857 | | | {tls-client-keepalives}? 1858 | | | +--rw max-wait? uint16 1859 | | | +--rw max-attempts? uint8 1860 | | +--rw proxy-client-identity 1861 | | +--rw user-id? string 1862 | | +--rw password? string 1863 | +--rw connection-type 1864 | | +--rw (connection-type) 1865 | | +--:(persistent-connection) 1866 | | | +--rw persistent! 1867 | | +--:(periodic-connection) 1868 | | +--rw periodic! 1869 | | +--rw period? uint16 1870 | | +--rw anchor-time? 
yang:date-and-time 1871 | | +--rw idle-timeout? uint16 1872 | +--rw reconnect-strategy 1873 | +--rw start-with? enumeration 1874 | +--rw max-attempts? uint8 1875 +--rw listen! {listen}? 1876 +--rw idle-timeout? uint16 1877 +--rw endpoint* [name] 1878 +--rw name string 1879 +--rw (transport) 1880 +--:(https) {https-listen}? 1881 +--rw https 1882 +--rw tcp-server-parameters 1883 | +--rw local-address inet:ip-address 1884 | +--rw local-port? inet:port-number 1885 | +--rw keepalives! {tcp-server-keepalives}? 1886 | +--rw idle-time uint16 1887 | +--rw max-probes? uint16 1888 | +--rw probe-interval? uint16 1889 +--rw tls-client-parameters 1890 | +--rw client-identity 1891 | | +--rw (auth-type) 1892 | | +--:(certificate) 1893 | | +--rw certificate 1894 | | +--rw (local-or-keystore) 1895 | | +--:(local) 1896 | | | {local-keys-supported\ 1897 \}? 1898 | | | +--rw local-definition 1899 | | | +--rw algorithm? 1900 | | | | asymmetric-key-a\ 1901 \lgorithm-ref 1902 | | | +--rw public-key? 1903 | | | | binary 1904 | | | +--rw private-key? 1905 | | | | union 1906 | | | +---x generate-hidden-key 1907 | | | | +---w input 1908 | | | | +---w algorithm 1909 | | | | asymmetric\ 1910 \-key-algorithm-ref 1911 | | | +---x install-hidden-key 1912 | | | | +---w input 1913 | | | | +---w algorithm 1914 | | | | | asymmetric\ 1915 \-key-algorithm-ref 1916 | | | | +---w public-key? 1917 | | | | | binary 1918 | | | | +---w private-key? 1919 | | | | binary 1920 | | | +--rw cert? 1921 | | | | end-entity-cert-\ 1922 \cms 1923 | | | +---n certificate-expira\ 1924 \tion 1925 | | | +-- expiration-date 1926 | | | yang:date-and\ 1927 \-time 1928 | | +--:(keystore) 1929 | | {keystore-supported}? 1930 | | +--rw keystore-reference? 1931 | | ks:asymmetric-key-c\ 1932 \ertificate-ref 1933 | +--rw server-authentication 1934 | | +--rw pinned-ca-certs? 1935 | | | ta:pinned-certificates-ref 1936 | | | {ta:x509-certificates}? 1937 | | +--rw pinned-server-certs? 
1938 | | ta:pinned-certificates-ref 1939 | | {ta:x509-certificates}? 1940 | +--rw hello-params 1941 | | {tls-client-hello-params-config}? 1942 | | +--rw tls-versions 1943 | | | +--rw tls-version* identityref 1944 | | +--rw cipher-suites 1945 | | +--rw cipher-suite* identityref 1946 | +--rw keepalives! {tls-client-keepalives}? 1947 | +--rw max-wait? uint16 1948 | +--rw max-attempts? uint8 1949 +--rw http-client-parameters 1950 +--rw protocol-version? enumeration 1951 +--rw client-identity 1952 | +--rw (auth-type)? 1953 | +--:(basic) 1954 | | +--rw basic {basic-auth}? 1955 | | +--rw user-id? string 1956 | | +--rw password? string 1957 | +--:(bearer) 1958 | | +--rw bearer {bearer-auth}? 1959 | | +--rw token? string 1960 | +--:(digest) 1961 | | +--rw digest {digest-auth}? 1962 | | +--rw username? string 1963 | | +--rw password? string 1964 | +--:(hoba) 1965 | | +--rw hoba {hoba-auth}? 1966 | +--:(mutual) 1967 | | +--rw mutual {mutual-auth}? 1968 | +--:(negotiate) 1969 | | +--rw negotiate {negotiate-auth}? 1970 | +--:(oauth) 1971 | | +--rw oauth {oauth-auth}? 1972 | +--:(scram-sha-1) 1973 | | +--rw scram-sha-1 {scram-sha-1-auth}? 1974 | +--:(scram-sha-256) 1975 | | +--rw scram-sha-256 1976 | | {scram-sha-256-auth}? 1977 | +--:(vapid) 1978 | +--rw vapid {vapid-auth}? 1979 +--rw proxy-server! {proxy-connect}? 1980 +--rw tcp-client-parameters 1981 | +--rw remote-address inet:host 1982 | +--rw remote-port? inet:port-number 1983 | +--rw local-address? inet:ip-address 1984 | +--rw local-port? inet:port-number 1985 | +--rw keepalives! 1986 | {tcp-client-keepalives}? 1987 | +--rw idle-time uint16 1988 | +--rw max-probes? uint16 1989 | +--rw probe-interval? uint16 1990 +--rw tls-client-parameters 1991 | +--rw client-identity 1992 | | +--rw (auth-type)? 1993 | | +--:(certificate) 1994 | | +--rw certificate 1995 | | +--rw (local-or-keystore) 1996 | | +--:(local) 1997 | | | {local-keys-sup\ 1998 \ported}? 1999 | | | +--rw local-definition 2000 | | | +--rw algorithm? 
2001 | | | | asymmetric\ 2002 \-key-algorithm-ref 2003 | | | +--rw public-key? 2004 | | | | binary 2005 | | | +--rw private-key? 2006 | | | | union 2007 | | | +---x generate-hid\ 2008 \den-key 2009 | | | | +---w input 2010 | | | | +---w algori\ 2011 \thm 2012 | | | | asym\ 2013 \metric-key-algorithm-ref 2014 | | | +---x install-hidd\ 2015 \en-key 2016 | | | | +---w input 2017 | | | | +---w algori\ 2018 \thm 2019 | | | | | asym\ 2020 \metric-key-algorithm-ref 2021 | | | | +---w public\ 2022 \-key? 2023 | | | | | bina\ 2024 \ry 2025 | | | | +---w privat\ 2026 \e-key? 2027 | | | | bina\ 2028 \ry 2029 | | | +--rw cert? 2030 | | | | end-entity\ 2031 \-cert-cms 2032 | | | +---n certificate-\ 2033 \expiration 2034 | | | +-- expiration-\ 2035 \date 2036 | | | yang:da\ 2037 \te-and-time 2038 | | +--:(keystore) 2039 | | {keystore-suppo\ 2040 \rted}? 2041 | | +--rw keystore-refere\ 2042 \nce? 2043 | | ks:asymmetric\ 2044 \-key-certificate-ref 2045 | +--rw server-authentication 2046 | | +--rw pinned-ca-certs? 2047 | | | ta:pinned-certificates-ref 2048 | | | {ta:x509-certificates}? 2049 | | +--rw pinned-server-certs? 2050 | | ta:pinned-certificates-ref 2051 | | {ta:x509-certificates}? 2052 | +--rw hello-params 2053 | | {tls-client-hello-params-config\ 2054 \}? 2055 | | +--rw tls-versions 2056 | | | +--rw tls-version* identityref 2057 | | +--rw cipher-suites 2058 | | +--rw cipher-suite* identityref 2059 | +--rw keepalives! 2060 | {tls-client-keepalives}? 2061 | +--rw max-wait? uint16 2062 | +--rw max-attempts? uint8 2063 +--rw proxy-client-identity 2064 +--rw user-id? string 2065 +--rw password? string 2067 A.2. Expanded Tree Diagram for 'ietf-restconf-server' 2069 The following tree diagram [RFC8340] provides an overview of the data 2070 model for the "ietf-restconf-server" module. 2072 This tree diagram shows all the nodes defined in this module, 2073 including those defined by "grouping" statements used by this module. 
2075 Please see Section 3.1 for a tree diagram that illustrates what the 2076 module looks like without all the "grouping" statements expanded. 2078 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) =========== 2080 module: ietf-restconf-server 2081 +--rw restconf-server 2082 +--rw listen! {listen}? 2083 | +--rw endpoint* [name] 2084 | +--rw name string 2085 | +--rw (transport) 2086 | +--:(https) {https-listen}? 2087 | +--rw https 2088 | +--rw tcp-server-parameters 2089 | | +--rw local-address inet:ip-address 2090 | | +--rw local-port? inet:port-number 2091 | | +--rw keepalives! {tcp-server-keepalives}? 2092 | | +--rw idle-time uint16 2093 | | +--rw max-probes? uint16 2094 | | +--rw probe-interval? uint16 2095 | +--rw tls-server-parameters 2096 | | +--rw server-identity 2097 | | | +--rw (local-or-keystore) 2098 | | | +--:(local) {local-keys-supported}? 2099 | | | | +--rw local-definition 2100 | | | | +--rw algorithm? 2101 | | | | | asymmetric-key-algorithm-\ 2102 ref 2103 | | | | +--rw public-key? 2104 | | | | | binary 2105 | | | | +--rw private-key? 2106 | | | | | union 2107 | | | | +---x generate-hidden-key 2108 | | | | | +---w input 2109 | | | | | +---w algorithm 2110 | | | | | asymmetric-key-algo\ 2111 rithm-ref 2112 | | | | +---x install-hidden-key 2113 | | | | | +---w input 2114 | | | | | +---w algorithm 2115 | | | | | | asymmetric-key-algo\ 2116 rithm-ref 2117 | | | | | +---w public-key? binary 2118 | | | | | +---w private-key? binary 2119 | | | | +--rw cert? 2120 | | | | | end-entity-cert-cms 2121 | | | | +---n certificate-expiration 2122 | | | | +-- expiration-date 2123 | | | | yang:date-and-time 2124 | | | +--:(keystore) {keystore-supported}? 2125 | | | +--rw keystore-reference? 2126 | | | ks:asymmetric-key-certificat\ 2127 e-ref 2128 | | +--rw client-authentication 2129 | | | +--rw pinned-ca-certs? 2130 | | | | ta:pinned-certificates-ref 2131 | | | | {ta:x509-certificates}? 2132 | | | +--rw pinned-client-certs? 
2133 | | | | ta:pinned-certificates-ref 2134 | | | | {ta:x509-certificates}? 2135 | | | +--rw cert-maps 2136 | | | +--rw cert-to-name* [id] 2137 | | | +--rw id uint32 2138 | | | +--rw fingerprint 2139 | | | | x509c2n:tls-fingerprint 2140 | | | +--rw map-type identityref 2141 | | | +--rw name string 2142 | | +--rw hello-params 2143 | | | {tls-server-hello-params-config}? 2144 | | | +--rw tls-versions 2145 | | | | +--rw tls-version* identityref 2146 | | | +--rw cipher-suites 2147 | | | +--rw cipher-suite* identityref 2148 | | +--rw keepalives! {tls-server-keepalives}? 2149 | | +--rw max-wait? uint16 2150 | | +--rw max-attempts? uint8 2151 | +--rw http-server-parameters 2152 | +--rw server-name? string 2153 | +--rw protocol-versions 2154 | +--rw protocol-version* enumeration 2155 +--rw call-home! {call-home}? 2156 +--rw restconf-client* [name] 2157 +--rw name string 2158 +--rw endpoints 2159 | +--rw endpoint* [name] 2160 | +--rw name string 2161 | +--rw (transport) 2162 | +--:(https) {https-call-home}? 2163 | +--rw https 2164 | +--rw tcp-client-parameters 2165 | | +--rw remote-address inet:host 2166 | | +--rw remote-port? inet:port-number 2167 | | +--rw local-address? inet:ip-address 2168 | | +--rw local-port? inet:port-number 2169 | | +--rw keepalives! 2170 | | {tcp-client-keepalives}? 2171 | | +--rw idle-time uint16 2172 | | +--rw max-probes? uint16 2173 | | +--rw probe-interval? uint16 2174 | +--rw tls-server-parameters 2175 | | +--rw server-identity 2176 | | | +--rw (local-or-keystore) 2177 | | | +--:(local) 2178 | | | | {local-keys-supported}? 2179 | | | | +--rw local-definition 2180 | | | | +--rw algorithm? 2181 | | | | | asymmetric-key-algo\ 2182 rithm-ref 2183 | | | | +--rw public-key? 2184 | | | | | binary 2185 | | | | +--rw private-key? 
2186 | | | | | union 2187 | | | | +---x generate-hidden-key 2188 | | | | | +---w input 2189 | | | | | +---w algorithm 2190 | | | | | asymmetric-ke\ 2191 y-algorithm-ref 2192 | | | | +---x install-hidden-key 2193 | | | | | +---w input 2194 | | | | | +---w algorithm 2195 | | | | | | asymmetric-ke\ 2197 y-algorithm-ref 2198 | | | | | +---w public-key? 2199 | | | | | | binary 2200 | | | | | +---w private-key? 2201 | | | | | binary 2202 | | | | +--rw cert? 2203 | | | | | end-entity-cert-cms 2204 | | | | +---n certificate-expiration 2205 | | | | +-- expiration-date 2206 | | | | yang:date-and-ti\ 2207 me 2208 | | | +--:(keystore) 2209 | | | {keystore-supported}? 2210 | | | +--rw keystore-reference? 2211 | | | ks:asymmetric-key-cert\ 2212 ificate-ref 2213 | | +--rw client-authentication 2214 | | | +--rw pinned-ca-certs? 2215 | | | | ta:pinned-certificates-ref 2216 | | | | {ta:x509-certificates}? 2217 | | | +--rw pinned-client-certs? 2218 | | | | ta:pinned-certificates-ref 2219 | | | | {ta:x509-certificates}? 2220 | | | +--rw cert-maps 2221 | | | +--rw cert-to-name* [id] 2222 | | | +--rw id uint32 2223 | | | +--rw fingerprint 2224 | | | | x509c2n:tls-fingerprint 2225 | | | +--rw map-type 2226 | | | | identityref 2227 | | | +--rw name string 2228 | | +--rw hello-params 2229 | | | {tls-server-hello-params-config\ 2230 }? 2231 | | | +--rw tls-versions 2232 | | | | +--rw tls-version* identityref 2233 | | | +--rw cipher-suites 2234 | | | +--rw cipher-suite* identityref 2235 | | +--rw keepalives! 2236 | | {tls-server-keepalives}? 2237 | | +--rw max-wait? uint16 2238 | | +--rw max-attempts? uint8 2239 | +--rw http-server-parameters 2240 | +--rw server-name? string 2241 | +--rw protocol-versions 2242 | +--rw protocol-version* enumeration 2243 +--rw connection-type 2244 | +--rw (connection-type) 2245 | +--:(persistent-connection) 2246 | | +--rw persistent! 2247 | +--:(periodic-connection) 2248 | +--rw periodic! 2249 | +--rw period? uint16 2250 | +--rw anchor-time? 
                                  yang:date-and-time
              |           +--rw idle-timeout?   uint16
              +--rw reconnect-strategy
                 +--rw start-with?     enumeration
                 +--rw max-attempts?   uint8

Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Filled in previously missing 'ietf-restconf-client' module.

   o  Updated the ietf-restconf-server module to accommodate new
      grouping 'ietf-tls-server-grouping'.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement
      indicating that the TLS client must specify a client-certificate.

   o  Changed restconf-client??? to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-restconf-client to add a
      mandatory true.

   o  Added refine statement in ietf-restconf-server to add a must
      statement.

   o  Now there are containers and groupings, for both the client and
      server models.

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.

   o  Updated examples to match latest updates to the crypto-types,
      trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with"
      enum.

   o  Replaced "connection-type" choice default (persistent) with
      "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2
      minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types
      algorithms.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the
      keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings
      imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not
      configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
   Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
   Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
   Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net
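As an added example (not part of the draft or its YANG modules), the following Python checks a constructed call-home configuration instance, shaped like the ietf-restconf-server tree diagram above, against three rules the tree and change log make visible: the "connection-type" choice is mandatory, "remote-address" carries no "?" and is therefore mandatory, and keepalives must not be configured for "periodic" connections. The last rule is assumed here to cover both the TCP-client and TLS-server keepalives containers of each endpoint; the exact "must" expressions are not reproduced on this page.

```python
# Added example, not from the draft: a structural check of a RESTCONF
# call-home configuration instance against rules visible in the tree diagram
# and change log above. Instance data is constructed; the "no keepalives for
# periodic connections" rule is assumed to cover both the TCP-client and the
# TLS-server keepalives containers of each endpoint.

def check_restconf_client(client):
    """Return the list of rule violations for one 'restconf-client' entry."""
    name = client.get("name", "<unnamed>")
    ctype = client.get("connection-type", {})
    cases = [c for c in ("persistent", "periodic") if c in ctype]
    if len(cases) != 1:                  # the choice is "mandatory true"
        return [f"{name}: exactly one connection-type case is required"]
    errors = []
    for ep in client.get("endpoints", {}).get("endpoint", []):
        ep_name = ep.get("name", "<unnamed>")
        https = ep.get("https")
        if https is None:                # the (transport) choice must be set
            errors.append(f"{name}/{ep_name}: no transport configured")
            continue
        if "remote-address" not in https.get("tcp-client-parameters", {}):
            errors.append(f"{name}/{ep_name}: remote-address is mandatory")
        if cases[0] == "periodic":       # "must": no keepalives when periodic
            for params in ("tcp-client-parameters", "tls-server-parameters"):
                if "keepalives" in https.get(params, {}):
                    errors.append(f"{name}/{ep_name}: {params} keepalives "
                                  "not allowed with a periodic connection")
    return errors


def validate(config):
    """Validate every restconf-client under call-home; return all violations."""
    server = config["ietf-restconf-server:restconf-server"]
    clients = server.get("call-home", {}).get("restconf-client", [])
    return [e for c in clients for e in check_restconf_client(c)]


# Constructed instance data shaped like the tree diagram (all values made up).
SAMPLE_CONFIG = {"ietf-restconf-server:restconf-server": {"call-home": {
    "restconf-client": [
        {"name": "nms-periodic",
         "endpoints": {"endpoint": [{"name": "primary", "https": {
             "tcp-client-parameters": {"remote-address": "nms.example.com",
                                       "keepalives": {"idle-time": 15}},
             "tls-server-parameters": {"server-identity": {
                 "keystore-reference": "placeholder-key-cert"}}}}]},
         "connection-type": {"periodic": {"period": 60, "idle-timeout": 2}},
         "reconnect-strategy": {"start-with": "random-selection"}}]}}}
```

Running validate(SAMPLE_CONFIG) reports the one misconfiguration in the sample: TCP keepalives configured on an endpoint whose connection type is periodic.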