idnits 2.17.1
draft-ietf-netconf-restconf-client-server-12.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 1744 has weird spacing: '...address ine...'
== Line 1751 has weird spacing: '...nterval uin...'
== Line 1859 has weird spacing: '...address ine...'
== Line 1869 has weird spacing: '...nterval uin...'
== Line 1978 has weird spacing: '...address ine...'
== (7 more instances...)
-- The document date (April 29, 2019) is 1822 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-08
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-11
== Outdated reference: A later version (-05) exists of
draft-kwatsen-netconf-http-client-server-01
== Outdated reference: A later version (-02) exists of
draft-kwatsen-netconf-tcp-client-server-01
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-03
Summary: 0 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track April 29, 2019
5 Expires: October 31, 2019
7 RESTCONF Client and Server Models
8 draft-ietf-netconf-restconf-client-server-12
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 RESTCONF client and the other module to configure a RESTCONF server.
14 Both modules support the TLS transport protocol with both standard
15 RESTCONF and RESTCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-tls-client-server
35 o I-D.ietf-netconf-http-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "BBBB" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
46 server
48 o "CCCC" --> the assigned RFC value for I-D.ietf-netconf-http-
49 client-server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-04-29" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on October 31, 2019.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction
95    1.1. Terminology
96 2. The RESTCONF Client Model
97    2.1. Tree Diagram
98    2.2. Example Usage
99    2.3. YANG Module
100 3. The RESTCONF Server Model
101    3.1. Tree Diagram
102    3.2. Example Usage
103    3.3. YANG Module
104 4. Security Considerations
105 5. IANA Considerations
106    5.1. The IETF XML Registry
107    5.2. The YANG Module Names Registry
108 6. References
109    6.1. Normative References
110    6.2. Informative References
111 Appendix A. Expanded Tree Diagrams
112    A.1. Expanded Tree Diagram for 'ietf-restconf-client'
113    A.2. Expanded Tree Diagram for 'ietf-restconf-server'
114 Appendix B. Change Log
115    B.1. 00 to 01
116    B.2. 01 to 02
117    B.3. 02 to 03
118    B.4. 03 to 04
119    B.5. 04 to 05
120    B.6. 05 to 06
121    B.7. 06 to 07
122    B.8. 07 to 08
123    B.9. 08 to 09
124    B.10. 09 to 10
125    B.11. 10 to 11
126    B.12. 11 to 12
127 Acknowledgements
128 Author's Address
130 1. Introduction
132 This document defines two YANG [RFC7950] modules, one module to
133 configure a RESTCONF client and the other module to configure a
134 RESTCONF server [RFC8040]. Both modules support the TLS [RFC8446]
135 transport protocol with both standard RESTCONF and RESTCONF Call Home
136 connections [RFC8071].
138 1.1. Terminology
140 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
141 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
142 "OPTIONAL" in this document are to be interpreted as described in BCP
143 14 [RFC2119] [RFC8174] when, and only when, they appear in all
144 capitals, as shown here.
146 2. The RESTCONF Client Model
148 The RESTCONF client model presented in this section supports both
149 clients initiating connections to servers, as well as clients
150 listening for connections from servers calling home.
152 YANG feature statements are used to enable implementations to
153 advertise which potentially uncommon parts of the model the RESTCONF
154 client supports.
156 2.1. Tree Diagram
158 The following tree diagram [RFC8340] provides an overview of the data
159 model for the "ietf-restconf-client" module.
161 This tree diagram only shows the nodes defined in this module; it
162 does not show the nodes defined by "grouping" statements used by
163 this module.
165 Please see Appendix A.1 for a tree diagram that illustrates what the
166 module looks like with all the "grouping" statements expanded.
168 module: ietf-restconf-client
169   +--rw restconf-client
170      +---u restconf-client-grouping
172 grouping restconf-client-grouping
173   +-- initiate! {https-initiate}?
174   |  +-- restconf-server* [name]
175   |     +-- name                       string
176   |     +-- endpoints
177   |     |  +-- endpoint* [name]
178   |     |     +-- name                 string
179   |     |     +-- (transport)
180   |     |        +--:(https) {https-initiate}?
181   |     |           +-- https
182   |     |              +-- tcp-client-parameters
183   |     |              |  +---u tcpc:tcp-client-grouping
184   |     |              +-- tls-client-parameters
185   |     |              |  +---u tlsc:tls-client-grouping
186   |     |              +-- http-client-parameters
187   |     |                 +---u httpc:http-client-grouping
188   |     +-- connection-type
189   |     |  +-- (connection-type)
190   |     |     +--:(persistent-connection)
191   |     |     |  +-- persistent!
192   |     |     +--:(periodic-connection)
193   |     |        +-- periodic!
194   |     |           +-- period?             uint16
195   |     |           +-- anchor-time?        yang:date-and-time
196   |     |           +-- idle-timeout?       uint16
197   |     +-- reconnect-strategy
198   |        +-- start-with?               enumeration
199   |        +-- max-attempts?             uint8
200   +-- listen! {https-listen}?
201      +-- idle-timeout?                  uint16
202      +-- endpoint* [name]
203         +-- name                        string
204         +-- (transport)
205            +--:(https) {https-listen}?
206               +-- https
207                  +-- tcp-server-parameters
208                  |  +---u tcps:tcp-server-grouping
209                  +-- tls-client-parameters
210                  |  +---u tlsc:tls-client-grouping
211                  +-- http-client-parameters
212                     +---u httpc:http-client-grouping
214 2.2. Example Usage
216 The following example illustrates configuring a RESTCONF client to
217 initiate connections, as well as listening for call-home connections.
219 This example is consistent with the examples presented in Section 2
220 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
221 [I-D.ietf-netconf-keystore].
223 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
225
228
229
230
231 corp-fw1
232
233
234 corp-fw1.example.com
235
236
237 corp-fw1.example.com
238
239 15
240 3
241 30
242
243
244
245
246
247
248 ct:rsa2048
250 base64encodedvalue==
251 base64encodedvalue==
252 base64encodedvalue==
253
254
255
256
257 explicitly-trusted-server-ca-certs<\
258 /pinned-ca-certs>
259 explicitly-trusted-server-certs\
260
261
262
263 30
264 3
265
266
267
268 HTTP/1.1
269
270
271 bob
272 secret
273
274
275
276
277
278
279 corp-fw2.example.com
280
281
282 corp-fw2.example.com
283
284 15
285 3
286 30
287
288
289
290
291
292
293 ct:rsa2048
295 base64encodedvalue==
296 base64encodedvalue==
297 base64encodedvalue==
298
299
300
301
302 explicitly-trusted-server-ca-certs<\
303 /pinned-ca-certs>
304 explicitly-trusted-server-certs\
305
306
307
308 30
309 3
311
312
313
314 HTTP/1.1
315
316
317 bob
318 secret
319
320
321
322
323
324
325
326
327
328
329
331
332
333
334 Intranet-facing listener
335
336
337 11.22.33.44
338
339
340
341
342
343 ct:rsa2048
345 base64encodedvalue==
346 base64encodedvalue==
347 base64encodedvalue==
348
349
350
351
352 explicitly-trusted-server-ca-certs
354 explicitly-trusted-server-certs
356
357
358
359 HTTP/1.1
360
361
362 bob
363 secret
364
365
366
367
368
369
370
372 2.3. YANG Module
374 This YANG module has normative references to [RFC6991], [RFC8040],
375 [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
376 [I-D.ietf-netconf-tls-client-server], and
377 [I-D.kwatsen-netconf-http-client-server].
379 file "ietf-restconf-client@2019-04-29.yang"
380 module ietf-restconf-client {
381 yang-version 1.1;
382 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
383 prefix rcc;
385 import ietf-yang-types {
386 prefix yang;
387 reference
388 "RFC 6991: Common YANG Data Types";
389 }
391 import ietf-tcp-client {
392 prefix tcpc;
393 reference
394 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
395 }
397 import ietf-tcp-server {
398 prefix tcps;
399 reference
400 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
401 }
403 import ietf-tls-client {
404 prefix tlsc;
405 reference
406 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
408 }
410 import ietf-http-client {
411 prefix httpc;
412 reference
413 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
414 }
416 organization
417 "IETF NETCONF (Network Configuration) Working Group";
419 contact
420 "WG Web:
421 WG List:
422 Author: Kent Watsen
423 Author: Gary Wu ";
425 description
426 "This module contains a collection of YANG definitions
427 for configuring RESTCONF clients.
429 Copyright (c) 2019 IETF Trust and the persons identified
430 as authors of the code. All rights reserved.
432 Redistribution and use in source and binary forms, with
433 or without modification, is permitted pursuant to, and
434 subject to the license terms contained in, the Simplified
435 BSD License set forth in Section 4.c of the IETF Trust's
436 Legal Provisions Relating to IETF Documents
437 (https://trustee.ietf.org/license-info).
439 This version of this YANG module is part of RFC XXXX
440 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
441 itself for full legal notices.
443 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
444 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
445 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
446 are to be interpreted as described in BCP 14 (RFC 2119)
447 (RFC 8174) when, and only when, they appear in all
448 capitals, as shown here.";
450 revision 2019-04-29 {
451 description
452 "Initial version";
453 reference
454 "RFC XXXX: RESTCONF Client and Server Models";
455 }
456 // Features
458 feature https-initiate {
459 description
460 "The 'https-initiate' feature indicates that the RESTCONF
461 client supports initiating HTTPS connections to RESTCONF
462 servers. This feature exists as HTTPS might not be a
463 mandatory-to-implement transport in the future.";
464 reference
465 "RFC 8040: RESTCONF Protocol";
466 }
468 feature https-listen {
469 description
470 "The 'https-listen' feature indicates that the RESTCONF client
471 supports opening a port to listen for incoming RESTCONF
472 server call-home connections. This feature exists as not
473 all RESTCONF clients may support RESTCONF call home.";
474 reference
475 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
476 }
478 // Groupings
480 grouping restconf-client-grouping {
481 description
482 "Top-level grouping for RESTCONF client configuration.";
483 container initiate {
484 if-feature "https-initiate";
485 presence "Enables client to initiate TCP connections";
486 description
487 "Configures client initiating underlying TCP connections.";
488 list restconf-server {
489 key "name";
490 min-elements 1;
491 description
492 "List of RESTCONF servers the RESTCONF client is to
493 initiate connections to in parallel.";
494 leaf name {
495 type string;
496 description
497 "An arbitrary name for the RESTCONF server.";
498 }
499 container endpoints {
500 description
501 "Container for the list of endpoints.";
502 list endpoint {
503 key "name";
504 min-elements 1;
505 ordered-by user;
506 description
507 "A non-empty user-ordered list of endpoints for this
508 RESTCONF client to try to connect to in sequence.
509 Defining more than one enables high-availability.";
510 leaf name {
511 type string;
512 description
513 "An arbitrary name for this endpoint.";
514 }
515 choice transport {
516 mandatory true;
517 description
518 "Selects between available transports. This is a
519 'choice' statement so as to support additional
520 transport options to be augmented in.";
521 case https {
522 if-feature "https-initiate";
523 container https {
524 description
525 "Specifies HTTPS-specific transport
526 configuration.";
527 container tcp-client-parameters {
528 description
529 "A wrapper around the TCP client parameters
530 to avoid name collisions.";
531 uses tcpc:tcp-client-grouping {
532 refine "remote-port" {
533 default "443";
534 description
535 "The RESTCONF client will attempt to
536 connect to the IANA-assigned well-known
537 port value for 'https' (443) if no value
538 is specified.";
539 }
540 }
541 }
542 container tls-client-parameters {
543 description
544 "A wrapper around the TLS client parameters
545 to avoid name collisions.";
546 uses tlsc:tls-client-grouping {
547 refine "client-identity/auth-type" {
548 mandatory true;
549 description
550 "RESTCONF clients MUST pass some
551 authentication credentials.";
553 }
554 }
555 }
556 container http-client-parameters {
557 description
558 "A wrapper around the HTTP client parameters
559 to avoid name collisions.";
560 uses httpc:http-client-grouping;
561 }
562 }
563 } // https
564 } // transport
565 } // endpoint
566 } // endpoints
567 container connection-type {
568 description
569 "Indicates the RESTCONF client's preference for how
570 the RESTCONF connection is maintained.";
571 choice connection-type {
572 mandatory true;
573 description
574 "Selects between available connection types.";
575 case persistent-connection {
576 container persistent {
577 presence "Indicates that a persistent connection
578 is to be maintained.";
579 description
580 "Maintain a persistent connection to the
581 RESTCONF server. If the connection goes down,
582 immediately start trying to reconnect to the
583 RESTCONF server, using the reconnection strategy.
585 This connection type minimizes any RESTCONF server
586 to RESTCONF client data-transfer delay, albeit
587 at the expense of holding resources longer.";
588 }
589 }
590 case periodic-connection {
591 container periodic {
592 presence "Indicates that a periodic connection is
593 to be maintained.";
594 description
595 "Periodically connect to the RESTCONF server.
597 This connection type decreases resource
598 utilization, albeit with increased delay
599 in RESTCONF server to RESTCONF client
600 interactions.
602 The RESTCONF client SHOULD gracefully close
603 the underlying TLS connection upon completing
604 planned activities.
606 In the case that the previous connection is
607 still active, establishing a new connection
608 is NOT RECOMMENDED.";
610 leaf period {
611 type uint16;
612 units "minutes";
613 default "60";
614 description
615 "Duration of time between periodic
616 connections.";
617 }
618 leaf anchor-time {
619 type yang:date-and-time {
620 // minute-level granularity; seconds pinned to 00 (base type needs them)
621 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:00'
622 + '(Z|[\+\-]\d{2}:\d{2})';
623 }
624 description
625 "Designates a timestamp before or after which a
626 series of periodic connections are determined.
627 The periodic connections occur at whole multiples
628 of the period from the anchor time. For example,
629 if the anchor time is 15 minutes past midnight and
630 the period is 1440 minutes (24 hours), then a
631 periodic connection will occur 15 minutes past
632 midnight every day.";
633 }
634 leaf idle-timeout {
635 type uint16;
636 units "seconds";
637 default 120; // two minutes
638 description
639 "Specifies the maximum number of seconds
640 that the underlying TCP session may remain
641 idle. A TCP session will be dropped if it
642 is idle for an interval longer than this
643 number of seconds. If set to zero, then the
644 RESTCONF client will never drop a session
645 because it is idle.";
646 }
647 }
648 } // periodic-connection
649 } // connection-type
651 } // connection-type
652 container reconnect-strategy {
653 description
654 "The reconnection strategy directs how a RESTCONF
655 client reconnects to a RESTCONF server, after
656 discovering its connection to the server has
657 dropped, even if due to a reboot. The RESTCONF
658 client starts with the specified endpoint and
659 tries to connect to it max-attempts times before
660 trying the next endpoint in the list (round
661 robin).";
662 leaf start-with {
663 type enumeration {
664 enum first-listed {
665 description
666 "Indicates that reconnections should start
667 with the first endpoint listed.";
668 }
669 enum last-connected {
670 description
671 "Indicates that reconnections should start
672 with the endpoint last connected to. If
673 no previous connection has ever been
674 established, then the first endpoint
675 configured is used. RESTCONF clients
676 SHOULD be able to remember the last
677 endpoint connected to across reboots.";
678 }
679 enum random-selection {
680 description
681 "Indicates that reconnections should start with
682 a random endpoint.";
683 }
684 }
685 default "first-listed";
686 description
687 "Specifies which of the RESTCONF server's
688 endpoints the RESTCONF client should start
689 with when trying to connect to the RESTCONF
690 server.";
691 }
692 leaf max-attempts {
693 type uint8 {
694 range "1..max";
695 }
696 default "3";
697 description
698 "Specifies the number times the RESTCONF client
699 tries to connect to a specific endpoint before
700 moving on to the next endpoint in the list
701 (round robin).";
702 }
703 } // reconnect-strategy
704 } // restconf-server
705 } // initiate
707 container listen {
708 if-feature "https-listen";
709 presence "Enables client to accept call-home connections";
710 description
711 "Configures client accepting call-home TCP connections.";
712 leaf idle-timeout {
713 type uint16;
714 units "seconds";
715 default 3600; // one hour
716 description
717 "Specifies the maximum number of seconds that an
718 underlying TCP session may remain idle. A TCP session
719 will be dropped if it is idle for an interval longer
720 than this number of seconds. If set to zero, then
721 the server will never drop a session because it is
722 idle. Sessions that have a notification subscription
723 active are never dropped.";
724 }
725 list endpoint {
726 key "name";
727 min-elements 1;
728 description
729 "List of endpoints to listen for RESTCONF connections.";
730 leaf name {
731 type string;
732 description
733 "An arbitrary name for the RESTCONF listen endpoint.";
734 }
735 choice transport {
736 mandatory true;
737 description
738 "Selects between available transports. This is a
739 'choice' statement so as to support additional
740 transport options to be augmented in.";
741 case https {
742 if-feature "https-listen";
743 container https {
744 description
745 "HTTPS-specific listening configuration for inbound
746 connections.";
748 container tcp-server-parameters {
749 description
750 "A wrapper around the TCP server parameters
751 to avoid name collisions.";
752 uses tcps:tcp-server-grouping {
753 refine "local-port" {
754 default "4336";
755 description
756 "The RESTCONF client will listen on the IANA-
757 assigned well-known port for 'restconf-ch-tls'
758 (4336) if no value is specified.";
759 }
760 }
761 }
762 container tls-client-parameters {
763 description
764 "A wrapper around the TLS client parameters
765 to avoid name collisions.";
766 uses tlsc:tls-client-grouping {
767 refine "client-identity/auth-type" {
768 mandatory true;
769 description
770 "RESTCONF clients MUST pass some authentication
771 credentials.";
772 }
773 }
774 }
775 container http-client-parameters {
776 description
777 "A wrapper around the HTTP client parameters
778 to avoid name collisions.";
779 uses httpc:http-client-grouping;
780 }
781 }
782 } // case https
783 } // transport
784 } // endpoint
785 } // listen
786 } // restconf-client
788 // Protocol accessible node, for servers that implement this
789 // module.
791 container restconf-client {
792 uses restconf-client-grouping;
793 description
794 "Top-level container for RESTCONF client configuration.";
795 }
797 }
798
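The 'periodic' container in the module above defines its schedule through 'anchor-time' and 'period' but does not spell out the arithmetic, and 'anchor-time' restricts yang:date-and-time, whose base pattern in RFC 6991 makes the seconds field mandatory. The Python below is an example added by the editor, not code from the draft or from any implementation of it: it validates an anchor-time value against the base pattern and a minute-granularity refinement with seconds pinned to 00 (a refinement that omits the seconds field altogether cannot be satisfied together with the base pattern), then computes the next scheduled connection after a given instant. The function names and the sample timestamps are the editor's own.

```python
import re
from datetime import datetime, timedelta

# Base pattern of yang:date-and-time from RFC 6991: seconds are mandatory,
# a fractional part is optional, and the zone is 'Z' or an hh:mm offset.
DATE_AND_TIME = re.compile(
    r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[\+\-]\d{2}:\d{2})')

# Minute-granularity refinement for anchor-time with seconds pinned to "00".
# Assumption (editor's): this is the form a conforming refinement must take,
# because a pattern without a seconds field can never match together with
# the base pattern above (XSD patterns are full-string matches).
ANCHOR_TIME = re.compile(
    r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:00(Z|[\+\-]\d{2}:\d{2})')


def valid_anchor_time(value: str) -> bool:
    """A value of a derived type must satisfy the base pattern AND the refinement."""
    return bool(DATE_AND_TIME.fullmatch(value) and ANCHOR_TIME.fullmatch(value))


def parse_date_and_time(value: str) -> datetime:
    """Parse a yang:date-and-time string into a timezone-aware datetime."""
    if value.endswith('Z'):            # fromisoformat() rejects a bare 'Z' before 3.11
        value = value[:-1] + '+00:00'
    return datetime.fromisoformat(value)


def next_connection(anchor_time: str, period_minutes: int, now: datetime) -> datetime:
    """Return the first scheduled connection strictly after `now`.

    Connections occur at anchor + k*period for any integer k, so the anchor
    may lie before or after `now`, exactly as the leaf description says.
    """
    if not valid_anchor_time(anchor_time):
        raise ValueError(f"anchor-time {anchor_time!r} violates the YANG pattern")
    if not 1 <= period_minutes <= 65535:
        # 'period' is a uint16; 0 is representable but would mean "connect
        # continuously", so this example treats it as a configuration error.
        raise ValueError("period must be 1..65535 minutes")
    anchor = parse_date_and_time(anchor_time)
    period = timedelta(minutes=period_minutes)
    # timedelta floor division yields the number of whole periods elapsed
    # (negative when `now` precedes the anchor); the next slot is one more.
    k = (now - anchor) // period
    return anchor + (k + 1) * period


def next_connection_iso(anchor_time: str, period_minutes: int, now_iso: str) -> str:
    """String wrapper so results can be compared without building datetimes."""
    return next_connection(anchor_time, period_minutes,
                           parse_date_and_time(now_iso)).isoformat()


if __name__ == "__main__":
    # Constructed sample: anchor 00:15Z on the draft's date, daily period.
    print(next_connection_iso("2019-04-29T00:15:00Z", 1440, "2019-04-29T13:07:00Z"))
```

The validation step matters for the same reason the pattern exists: a value that passes only one of the two regular expressions would be rejected by a conforming YANG validator, so a client that accepts it locally will disagree with the server about what is configured.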
800 3. The RESTCONF Server Model
802 The RESTCONF server model presented in this section supports both
803 listening for connections as well as initiating call-home
804 connections.
806 YANG feature statements are used to enable implementations to
807 advertise which potentially uncommon parts of the model the RESTCONF
808 server supports.
810 3.1. Tree Diagram
812 The following tree diagram [RFC8340] provides an overview of the data
813 model for the "ietf-restconf-server" module.
815 This tree diagram only shows the nodes defined in this module; it
816 does not show the nodes defined by "grouping" statements used by
817 this module.
819 Please see Appendix A.2 for a tree diagram that illustrates what the
820 module looks like with all the "grouping" statements expanded.
822 module: ietf-restconf-server
823   +--rw restconf-server
824      +---u restconf-server-grouping
826 grouping restconf-server-grouping
827   +-- listen! {https-listen}?
828   |  +-- endpoint* [name]
829   |     +-- name                        string
830   |     +-- (transport)
831   |        +--:(https) {https-listen}?
832   |           +-- https
833   |              +-- tcp-server-parameters
834   |              |  +---u tcps:tcp-server-grouping
835   |              +-- tls-server-parameters
836   |              |  +---u tlss:tls-server-grouping
837   |              +-- http-server-parameters
838   |                 +---u https:http-server-grouping
839   +-- call-home! {https-call-home}?
840      +-- restconf-client* [name]
841         +-- name                       string
842         +-- endpoints
843         |  +-- endpoint* [name]
844         |     +-- name                 string
845         |     +-- (transport)
846         |        +--:(https) {https-call-home}?
847         |           +-- https
848         |              +-- tcp-client-parameters
849         |              |  +---u tcpc:tcp-client-grouping
850         |              +-- tls-server-parameters
851         |              |  +---u tlss:tls-server-grouping
852         |              +-- http-server-parameters
853         |                 +---u https:http-server-grouping
854         +-- connection-type
855         |  +-- (connection-type)
856         |     +--:(persistent-connection)
857         |     |  +-- persistent!
858         |     +--:(periodic-connection)
859         |        +-- periodic!
860         |           +-- period?             uint16
861         |           +-- anchor-time?        yang:date-and-time
862         |           +-- idle-timeout?       uint16
863         +-- reconnect-strategy
864            +-- start-with?               enumeration
865            +-- max-attempts?             uint8
867 3.2. Example Usage
869 The following example illustrates configuring a RESTCONF server to
870 listen for RESTCONF client connections, as well as configuring call-
871 home to one RESTCONF client.
873 This example is consistent with the examples presented in Section 2
874 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
875 [I-D.ietf-netconf-keystore].
877 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
879
883
884
885
886 netconf/tls
887
888
889 11.22.33.44
890
891
892
893
894 ct:rsa2048
896 base64encodedvalue==
897 base64encodedvalue==
898 base64encodedvalue==
899
900
901
902
903 explicitly-trusted-client-ca-certs
905 explicitly-trusted-client-certs
907
908
909 1
910 11:0A:05:11:00
911 x509c2n:san-any
912
913
914 2
915 B3:4F:A1:8C:54
916 x509c2n:specified
917 scooby-doo
918
919
920
921
922
923 foo.example.com
924
925 HTTP/1.1
926 HTTP/2.0
927
928
929
930
931
933
934
935
936 config-manager
937
938
939 east-data-center
940
941
942 east.example.com
943
944
945
946
947 ct:rsa2048
949 base64encodedvalue==
950 base64encodedvalue==
951 base64encodedvalue==
952
953
954
955
956 explicitly-trusted-client-ca-certs<\
957 /pinned-ca-certs>
958 explicitly-trusted-client-certs\
959
960
961
962 1
963 11:0A:05:11:00
964 x509c2n:san-any
965
966
967 2
968 B3:4F:A1:8C:54
969 x509c2n:specified
970 scooby-doo
971
972
973
974
975
976 foo.example.com
977
978 HTTP/1.1
979 HTTP/2.0
980
981
982
983
984
985 west-data-center
986
987
988 west.example.com
989
990
991
992
993 ct:rsa2048
995 base64encodedvalue==
996 base64encodedvalue==
997 base64encodedvalue==
998
999
1000
1001
1002 explicitly-trusted-client-ca-certs<\
1003 /pinned-ca-certs>
1004 explicitly-trusted-client-certs\
1005
1006
1007
1008 1
1009 11:0A:05:11:00
1010 x509c2n:san-any
1012
1013
1014 2
1015 B3:4F:A1:8C:54
1016 x509c2n:specified
1017 scooby-doo
1018
1019
1020
1021
1022
1023 foo.example.com
1024
1025 HTTP/1.1
1026 HTTP/2.0
1027
1028
1029
1030
1031
1032
1033
1034 300
1035 60
1036
1037
1038
1039 last-connected
1040 3
1041
1042
1043
1044
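Both modules carry the same 'reconnect-strategy' container (Section 2.3 for the client, the call-home branch of the server tree in Section 3.1), and the server example above selects 'last-connected' with 'max-attempts' 3 across its east and west endpoints. The Python below is an example added by the editor, not code from the draft or from any implementation of it: it starts at the endpoint chosen by 'start-with', tries it 'max-attempts' times, then moves round robin through the remaining endpoints, and records the endpoint that accepted so the next round can start there. The class name, the simulated connect function and its scripted outcomes are the editor's own; the endpoint names are taken from the server example.

```python
import random
from typing import Callable, Iterator, List, Optional

START_WITH = ("first-listed", "last-connected", "random-selection")


class ReconnectStrategy:
    """Endpoint selection following the reconnect-strategy container."""

    def __init__(self, endpoints: List[str], start_with: str = "first-listed",
                 max_attempts: int = 3, rng: Optional[random.Random] = None):
        if not endpoints:                        # list endpoint is min-elements 1
            raise ValueError("at least one endpoint is required")
        if start_with not in START_WITH:
            raise ValueError(f"unknown start-with value {start_with!r}")
        if not 1 <= max_attempts <= 255:         # uint8 with range "1..max"
            raise ValueError("max-attempts must be in 1..255")
        self.endpoints = list(endpoints)         # user-ordered, as configured
        self.start_with = start_with
        self.max_attempts = max_attempts
        self.rng = rng or random.Random()
        # The module says this SHOULD survive reboots; a real implementation
        # persists it, this example keeps it in memory only.
        self.last_connected: Optional[str] = None

    def start_index(self) -> int:
        """Index of the endpoint the next round begins with."""
        if self.start_with == "last-connected" and self.last_connected in self.endpoints:
            return self.endpoints.index(self.last_connected)
        if self.start_with == "random-selection":
            return self.rng.randrange(len(self.endpoints))
        return 0          # first-listed, or last-connected with no history yet

    def attempts(self) -> Iterator[str]:
        """Endpoint names in the order to try during one full round."""
        n = len(self.endpoints)
        start = self.start_index()
        for i in range(n):
            endpoint = self.endpoints[(start + i) % n]   # round robin with wrap
            for _ in range(self.max_attempts):
                yield endpoint

    def reconnect(self, try_connect: Callable[[str], bool]) -> Optional[str]:
        """Run one round; return the endpoint that accepted, or None so the
        caller can apply its own back-off before starting another round."""
        for endpoint in self.attempts():
            if try_connect(endpoint):
                self.last_connected = endpoint
                return endpoint
        return None


def run_demo() -> dict:
    """Two reconnection rounds against scripted outcomes (constructed data)."""
    outcomes = {"east-data-center": [False, False, False],
                "west-data-center": [False, True]}
    calls: List[str] = []

    def try_connect(name: str) -> bool:
        calls.append(name)
        queue = outcomes[name]
        return queue.pop(0) if queue else False   # script exhausted: keep failing

    strategy = ReconnectStrategy(["east-data-center", "west-data-center"],
                                 start_with="last-connected", max_attempts=3)
    first = strategy.reconnect(try_connect)
    first_calls = list(calls)
    calls.clear()
    # The connection drops again: this round starts at the last-connected one.
    second = strategy.reconnect(try_connect)
    return {"first": first, "first_calls": first_calls,
            "second": second, "second_calls": list(calls)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Returning None after a full round, rather than looping forever, keeps the back-off policy in the caller; a device that retries every endpoint without pause after an outage is the kind of client that floods a management system when the network comes back.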
1046 3.3. YANG Module
1048 This YANG module has normative references to [RFC6991], [RFC7407],
1049 [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
1050 [I-D.ietf-netconf-tls-client-server], and
1051 [I-D.kwatsen-netconf-http-client-server].
1053 file "ietf-restconf-server@2019-04-29.yang"
1054 module ietf-restconf-server {
1055 yang-version 1.1;
1056 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
1057 prefix rcs;
1059 import ietf-yang-types {
1060 prefix yang;
1061 reference
1062 "RFC 6991: Common YANG Data Types";
1063 }
1065 import ietf-x509-cert-to-name {
1066 prefix x509c2n;
1067 reference
1068 "RFC 7407: A YANG Data Model for SNMP Configuration";
1069 }
1071 import ietf-tcp-client {
1072 prefix tcpc;
1073 reference
1074 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1075 }
1077 import ietf-tcp-server {
1078 prefix tcps;
1079 reference
1080 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1081 }
1083 import ietf-tls-server {
1084 prefix tlss;
1085 reference
1086 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
1087 }
1089 import ietf-http-server {
1090 prefix https;
1091 reference
1092 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
1093 }
1095 organization
1096 "IETF NETCONF (Network Configuration) Working Group";
1098 contact
1099 "WG Web:
1100 WG List:
1101 Author: Kent Watsen
1102 Author: Gary Wu
1103 Author: Juergen Schoenwaelder
1104 ";
1106 description
1107 "This module contains a collection of YANG definitions
1108 for configuring RESTCONF servers.
1110 Copyright (c) 2019 IETF Trust and the persons identified
1111 as authors of the code. All rights reserved.
1113 Redistribution and use in source and binary forms, with
1114 or without modification, is permitted pursuant to, and
1115 subject to the license terms contained in, the Simplified
1116 BSD License set forth in Section 4.c of the IETF Trust's
1117 Legal Provisions Relating to IETF Documents
1118 (https://trustee.ietf.org/license-info).
1120 This version of this YANG module is part of RFC XXXX
1121 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1122 itself for full legal notices.
1124 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1125 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1126 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1127 are to be interpreted as described in BCP 14 (RFC 2119)
1128 (RFC 8174) when, and only when, they appear in all
1129 capitals, as shown here.";
1131 revision 2019-04-29 {
1132 description
1133 "Initial version";
1134 reference
1135 "RFC XXXX: RESTCONF Client and Server Models";
1136 }
1138 // Features
1140 feature https-listen {
1141 description
1142 "The 'https-listen' feature indicates that the RESTCONF server
1143 supports opening a port to listen for incoming RESTCONF
1144 client connections. This feature exists as HTTPS might not
1145 be a mandatory-to-implement transport in the future.";
1146 reference
1147 "RFC 8040: RESTCONF Protocol";
1148 }
1150 feature https-call-home {
1151 description
1152 "The 'https-call-home' feature indicates that the RESTCONF
1153 server supports initiating connections to RESTCONF clients.
1154 This feature exists as not all RESTCONF servers may
1155 support RESTCONF call home.";
1157 reference
1158 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1159 }
1161 // Groupings
1163 grouping restconf-server-grouping {
1164 description
1165 "Top-level grouping for RESTCONF server configuration.";
1166 container listen {
1167 if-feature "https-listen";
1168 presence
1169 "Enables the RESTCONF server to listen for RESTCONF
1170 client connections.";
1171 description "Configures listen behavior";
1172 list endpoint {
1173 key "name";
1174 min-elements 1;
1175 description
1176 "List of endpoints to listen for RESTCONF connections.";
1177 leaf name {
1178 type string;
1179 description
1180 "An arbitrary name for the RESTCONF listen endpoint.";
1181 }
1182 choice transport {
1183 mandatory true;
1184 description
1185 "Selects between available transports. This is a
1186 'choice' statement so as to support additional
1187 transport options to be augmented in.";
1188 case https {
1189 if-feature "https-listen";
1190 container https {
1191 description
1192 "HTTPS-specific listening configuration for inbound
1193 connections.";
1194 container tcp-server-parameters {
1195 description
1196 "A wrapper around the TCP server parameters
1197 to avoid name collisions.";
1198 uses tcps:tcp-server-grouping {
1199 refine "local-port" {
1200 default "443";
1201 description
1202 "The RESTCONF server will listen on the IANA-
1203 assigned well-known port value for 'https'
1204 (443) if no value is specified.";
1206 }
1207 }
1208 }
1209 container tls-server-parameters {
1210 description
1211 "A wrapper around the TLS server parameters
1212 to avoid name collisions.";
1213 uses tlss:tls-server-grouping {
1214 /*
1215 refine
1216 "client-authentication" {
1217 //must 'pinned-ca-certs or pinned-client-certs';
1218 //presence "Enables TLS-level authentication
1219 // using client certificates.";
1220 description
1221 "RESTCONF servers MUST be able to validate
1222 clients.";
1223 }
1224 */
1225 augment
1226 "client-authentication/local-or-external/local" {
1227 description
1228 "Augments in the cert-to-name structure,
1229 so the RESTCONF server can map TLS-layer
1230 client certificates to RESTCONF usernames.";
1231 container cert-maps {
1232 /*must '../pinned-ca-certs
1233 or ../pinned-client-certs'; */
1234 uses x509c2n:cert-to-name;
1235 description
1236 "The cert-maps container is used by a TLS-
1237 based RESTCONF server to map the RESTCONF
1238 client's presented X.509 certificate to
1239 a RESTCONF username. If no matching and
1240 valid cert-to-name list entry can be found,
1241 then the RESTCONF server MUST close the
1242 connection, and MUST NOT accept RESTCONF
1243 messages over it.";
1244 reference
1245 "RFC 7407: A YANG Data Model for SNMP
1246 Configuration.";
1247 }
1248 //leaf optional {
1249 // type empty;
1250 //}
1251 }
1252 }
1253 }
1254 container http-server-parameters {
1255 description
1256 "A wrapper around the HTTP server parameters
1257 to avoid name collisions.";
1258 uses https:http-server-grouping;
1259 /* {
1260 augment "http-server-parameters" { // HELP!!!
1261 description
1262 "Augments in a flag indicating that the
1263 RESTCONF server MUST authenticate the
1264 RESTCONF client using the HTTP 'basic'
1265 authentication scheme. How the RESTCONF
1266 server defines users and passwords is
1267 outside the scope of this data model.";
1268 container client-authentication {
1269 leaf optional {
1270 type empty;
1271 }
1272 choice configured-or-external {
1273 mandatory true;
1274 case external {
1275 leaf user-auth-defined-elsewhere {
1276 type empty;
1277 }
1278 }
1279 }
1280 }
1281 }
1282 }
1283 */
1284 }
1285 } // https container
1286 } // tls case
1287 } // transport
1288 } // endpoint
1289 } // listen
1291 container call-home {
1292 if-feature "https-call-home";
1293 presence
1294 "Enables the RESTCONF server to initiate the underlying
1295 transport connection to RESTCONF clients.";
1296 description "Configures call-home behavior";
1297 list restconf-client {
1298 key "name";
1299 min-elements 1;
1300 description
1301 "List of RESTCONF clients the RESTCONF server is to
1302 initiate call-home connections to in parallel.";
1303 leaf name {
1304 type string;
1305 description
1306 "An arbitrary name for the remote RESTCONF client.";
1307 }
1308 container endpoints {
1309 description
1310 "Container for the list of endpoints.";
1311 list endpoint {
1312 key "name";
1313 min-elements 1;
1314 ordered-by user;
1315 description
1316 "User-ordered list of endpoints for this RESTCONF
1317 client. Defining more than one enables high-
1318 availability.";
1319 leaf name {
1320 type string;
1321 description
1322 "An arbitrary name for this endpoint.";
1323 }
1324 choice transport {
1325 mandatory true;
1326 description
1327 "Selects between available transports. This is a
1328 'choice' statement so as to support additional
1329 transport options to be augmented in.";
1330 case https {
1331 if-feature "https-call-home";
1332 container https {
1333 description
1334 "Specifies HTTPS-specific call-home transport
1335 configuration.";
1336 container tcp-client-parameters {
1337 description
1338 "A wrapper around the TCP client parameters
1339 to avoid name collisions.";
1340 uses tcpc:tcp-client-grouping {
1341 refine "remote-port" {
1342 default "4336";
1343 description
1344 "The RESTCONF server will attempt to
1345 connect to the IANA-assigned well-known
1346 port for 'restconf-ch-tls' (4336) if no
1347 value is specified.";
1348 }
1349 }
1351 }
1352 container tls-server-parameters {
1353 description
1354 "A wrapper around the TLS server parameters
1355 to avoid name collisions.";
1356 uses tlss:tls-server-grouping {
1357 refine "client-authentication" {
1358 /*must 'pinned-ca-certs
1359 or pinned-client-certs'; */
1360 description
1361 "RESTCONF servers MUST be able to validate
1362 clients.";
1363 }
1364 augment "client-authentication" {
1365 description
1366 "Augments in the cert-to-name structure,
1367 so the RESTCONF server can map TLS-layer
1368 client certificates to RESTCONF
1369 usernames.";
1370 container cert-maps {
1371 uses x509c2n:cert-to-name;
1372 description
1373 "The cert-maps container is used by a
1374 TLS-based RESTCONF server to map the
1375 RESTCONF client's presented X.509
1376 certificate to a RESTCONF username. If
1377 no matching and valid cert-to-name list
1378 entry can be found, then the RESTCONF
1379 server MUST close the connection, and
1380 MUST NOT accept RESTCONF messages over
1381 it.";
1382 reference
1383 "RFC 7407: A YANG Data Model for SNMP
1384 Configuration.";
1385 }
1386 }
1387 }
1388 }
1389 container http-server-parameters {
1390 description
1391 "A wrapper around the HTTP server parameters
1392 to avoid name collisions.";
1393 uses https:http-server-grouping;
1394 }
1395 }
1396 }
1397 } // transport
1398 } // endpoint
1400 } // endpoints
1401 container connection-type {
1402 description
1403 "Indicates the RESTCONF server's preference for how the
1404 RESTCONF connection is maintained.";
1405 choice connection-type {
1406 mandatory true;
1407 description
1408 "Selects between available connection types.";
1409 case persistent-connection {
1410 container persistent {
1411 presence "Indicates that a persistent connection is
1412 to be maintained.";
1413 description
1414 "Maintain a persistent connection to the RESTCONF
1415 client. If the connection goes down, immediately
1416 start trying to reconnect to the RESTCONF client,
1417 using the reconnection strategy.
1419 This connection type minimizes any RESTCONF
1420 client to RESTCONF server data-transfer delay,
1421 albeit at the expense of holding resources
1422 longer.";
1423 }
1424 }
1425 case periodic-connection {
1426 container periodic {
1427 presence "Indicates that a periodic connection is
1428 to be maintained.";
1429 description
1430 "Periodically connect to the RESTCONF client.
1432 This connection type decreases resource
1433 utilization, albeit with increased delay in
1434 RESTCONF client to RESTCONF server interactions.
1436 The RESTCONF client SHOULD gracefully close
1437 the underlying TLS connection upon completing
1438 planned activities. If the underlying TLS
1439 connection is not closed gracefully, the
1440 RESTCONF server MUST immediately attempt
1441 to reestablish the connection.
1443 In the case that the previous connection is
1444 still active (i.e., the RESTCONF client has not
1445 closed it yet), establishing a new connection
1446 is NOT RECOMMENDED.";
1448 leaf period {
1449 type uint16;
1450 units "minutes";
1451 default "60";
1452 description
1453 "Duration of time between periodic connections.";
1454 }
1455 leaf anchor-time {
1456 type yang:date-and-time {
1457 // constrained to minute-level granularity
1458 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1459 + '(Z|[\+\-]\d{2}:\d{2})';
1460 }
1461 description
1462 "Designates a timestamp before or after which a
1463 series of periodic connections are determined.
1464 The periodic connections occur at a whole
1465 multiple of the period from the anchor time. For
1466 example, if the anchor time is 15 minutes past
1467 midnight and the period is 24 hours, then a
1468 periodic connection will occur 15 minutes past
1469 midnight every day.";
1470 }
1471 leaf idle-timeout {
1472 type uint16;
1473 units "seconds";
1474 default 120; // two minutes
1475 description
1476 "Specifies the maximum number of seconds that
1477 the underlying TCP session may remain idle.
1478 A TCP session will be dropped if it is idle
1479 for an interval longer than this number of
1480 seconds. If set to zero, then the server
1481 will never drop a session because it is idle.";
1482 }
1483 }
1484 }
1485 }
1486 }
1487 container reconnect-strategy {
1488 description
1489 "The reconnection strategy directs how a RESTCONF server
1490 reconnects to a RESTCONF client after discovering its
1491 connection to the client has dropped, even if due to a
1492 reboot. The RESTCONF server starts with the specified
1493 endpoint and tries to connect to it max-attempts times
1494 before trying the next endpoint in the list (round
1495 robin).";
1497 leaf start-with {
1498 type enumeration {
1499 enum first-listed {
1500 description
1501 "Indicates that reconnections should start with
1502 the first endpoint listed.";
1503 }
1504 enum last-connected {
1505 description
1506 "Indicates that reconnections should start with
1507 the endpoint last connected to. If no previous
1508 connection has ever been established, then the
1509 first endpoint configured is used. RESTCONF
1510 servers SHOULD be able to remember the last
1511 endpoint connected to across reboots.";
1512 }
1513 enum random-selection {
1514 description
1515 "Indicates that reconnections should start with
1516 a random endpoint.";
1517 }
1518 }
1519 default "first-listed";
1520 description
1521 "Specifies which of the RESTCONF client's endpoints
1522 the RESTCONF server should start with when trying
1523 to connect to the RESTCONF client.";
1524 }
1525 leaf max-attempts {
1526 type uint8 {
1527 range "1..max";
1528 }
1529 default "3";
1530 description
1531 "Specifies the number of times the RESTCONF server tries
1532 to connect to a specific endpoint before moving on to
1533 the next endpoint in the list (round robin).";
1534 }
1535 }
1536 } // restconf-client
1537 } // call-home
1538 } // restconf-server-grouping
1540 // Protocol accessible node, for servers that implement this
1541 // module.
1543 container restconf-server {
1544 uses restconf-server-grouping;
1545 description
1546 "Top-level container for RESTCONF server configuration.";
1547 }
1548 }
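As an added example (not code from this draft or from RFC 7407), here is the cert-to-name lookup that the 'cert-maps' container above delegates to RFC 7407, written in Python: each user-ordered entry is matched by its tls-fingerprint against the presented chain, the entry's map-type derives the RESTCONF username, and a miss means the server closes the connection. The Cert and CertToName classes, the sample names and the placeholder DER bytes are assumptions; a real server would take the SAN and CN values from its TLS library.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Leading octet of an x509c2n:tls-fingerprint, from the IANA TLS HashAlgorithm
# registry (RFC 7407): 1=md5, 2=sha1, 3=sha224, 4=sha256, 5=sha384, 6=sha512.
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}

@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (hypothetical; a real
    server takes these fields from its TLS library). iPAddress SANs are omitted."""
    der: bytes                        # DER encoding, which the fingerprint covers
    common_name: Optional[str] = None
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)

@dataclass
class CertToName:
    """One 'cert-to-name' list entry (user-ordered, keyed by 'id')."""
    id: int
    fingerprint: str            # "04:ab:cd:..." with the hash-algorithm octet first
    map_type: str               # specified | san-rfc822-name | san-dns-name |
                                # san-any | common-name
    name: Optional[str] = None  # only used when map_type == "specified"

def tls_fingerprint(cert: Cert, alg_octet: int) -> str:
    """Render a certificate's fingerprint in x509c2n:tls-fingerprint form."""
    digest = hashlib.new(HASH_ALGS[alg_octet], cert.der).digest()
    return ":".join(f"{b:02x}" for b in bytes([alg_octet]) + digest)

def fingerprint_matches(entry_fp: str, chain: List[Cert]) -> bool:
    """An entry matches when its fingerprint is that of the presented end-entity
    certificate or of any CA certificate in the presented chain."""
    alg = int(entry_fp.split(":", 1)[0], 16)
    if alg not in HASH_ALGS:
        return False                  # unknown hash algorithm: never matches
    return any(tls_fingerprint(c, alg) == entry_fp.lower() for c in chain)

def _from_rfc822(cert: Cert) -> Optional[str]:
    # local part is passed unaltered, host part is lowercased
    for addr in cert.san_rfc822:
        local, sep, host = addr.rpartition("@")
        if sep:
            return f"{local}@{host.lower()}"
    return None

def _from_dns(cert: Cert) -> Optional[str]:
    return cert.san_dns[0].lower() if cert.san_dns else None

def derive_name(entry: CertToName, end_entity: Cert) -> Optional[str]:
    """Apply the entry's map-type to the end-entity certificate."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return end_entity.common_name
    mappers = {"san-rfc822-name": (_from_rfc822,), "san-dns-name": (_from_dns,),
               "san-any": (_from_rfc822, _from_dns)}
    for mapper in mappers.get(entry.map_type, ()):
        name = mapper(end_entity)
        if name:
            return name
    return None

def map_client_cert(cert_maps: List[CertToName], chain: List[Cert]) -> Optional[str]:
    """Return the RESTCONF username for the presented chain (chain[0] is the
    end-entity certificate), or None when no matching and valid entry exists,
    in which case the server MUST close the connection."""
    for entry in cert_maps:           # first matching and valid entry wins
        if not fingerprint_matches(entry.fingerprint, chain):
            continue
        name = derive_name(entry, chain[0])
        if name:
            return name
        # fingerprint matched but no name could be derived: treat the entry as
        # not valid for this certificate and keep searching (assumption)
    return None

# Constructed sample data: the DER bytes are placeholders, not real certificates.
OPS_CA = Cert(der=b"constructed-ops-ca-der", common_name="Ops CA")
ADMIN_CERT = Cert(der=b"constructed-admin-der", common_name="controller-01",
                  san_rfc822=["Admin@Ops.Example.COM"])
OPERATOR_CERT = Cert(der=b"constructed-operator-der", san_dns=["NMS-02.Example.COM"])
STRANGER_CERT = Cert(der=b"constructed-stranger-der", common_name="mallory")

CERT_MAPS = [
    # pin one specific client certificate to a fixed username
    CertToName(1, tls_fingerprint(ADMIN_CERT, 4), "specified", name="restconf-admin"),
    # any client issued by the Ops CA is named after its first rfc822Name or dNSName
    CertToName(2, tls_fingerprint(OPS_CA, 4), "san-any"),
]

if __name__ == "__main__":
    for chain in ([ADMIN_CERT, OPS_CA], [OPERATOR_CERT, OPS_CA], [STRANGER_CERT]):
        print(chain[0].der.decode(), "->", map_client_cert(CERT_MAPS, chain))
```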
1549
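As an added illustration (not part of the draft or its modules) of the 'periodic' connection type and the 'reconnect-strategy' container in the module above: the first function computes the next call-home instant from 'anchor-time' and 'period' as the anchor-time description explains, and the second produces the order in which the user-ordered endpoints are tried under 'start-with' and 'max-attempts'. The function names, the sample endpoint names and the constructed current time are assumptions.

```python
import random
from datetime import datetime, timedelta
from typing import List, Optional

def parse_anchor_time(anchor: str) -> datetime:
    """Parse an 'anchor-time' value; the leaf's pattern restricts it to minute
    granularity, YYYY-MM-DDThh:mm followed by Z or a +hh:mm/-hh:mm offset."""
    return datetime.fromisoformat(anchor.replace("Z", "+00:00"))

def next_periodic_connection(anchor: str, period_minutes: int, now: datetime) -> datetime:
    """First instant strictly after 'now' that is a whole multiple of 'period'
    from the anchor time. The anchor may lie in the past or in the future."""
    if period_minutes < 1:
        raise ValueError("period must be at least one minute")
    anchor_at = parse_anchor_time(anchor)
    period = timedelta(minutes=period_minutes)
    elapsed = now - anchor_at          # negative while the anchor is still ahead
    k = elapsed // period + 1          # timedelta // timedelta floors to an int
    return anchor_at + k * period

def reconnect_order(endpoints: List[str], start_with: str, max_attempts: int,
                    last_connected: Optional[str] = None,
                    rng: Optional[random.Random] = None) -> List[str]:
    """One full round-robin pass over the user-ordered endpoint list: each
    endpoint is tried 'max-attempts' times before moving on to the next one."""
    if not endpoints or not 1 <= max_attempts <= 255:
        raise ValueError("need at least one endpoint and max-attempts in 1..255")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # no previous connection (or it is no longer configured): start first
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value: {start_with}")
    order: List[str] = []
    for i in range(len(endpoints)):
        order.extend([endpoints[(start + i) % len(endpoints)]] * max_attempts)
    return order

if __name__ == "__main__":
    now = parse_anchor_time("2019-05-01T13:00Z")   # constructed "current time"
    # anchor 15 minutes past midnight, period 24 hours -> 00:15 the next day
    print(next_periodic_connection("2019-04-29T00:15Z", 1440, now))
    print(reconnect_order(["primary", "secondary", "tertiary"], "last-connected", 3,
                          last_connected="secondary"))
```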
1551 4. Security Considerations
1553 The YANG module defined in this document uses groupings defined in
1554 [I-D.kwatsen-netconf-tcp-client-server],
1555 [I-D.ietf-netconf-tls-client-server], and
1556 [I-D.kwatsen-netconf-http-client-server]. Please see the Security
1557 Considerations section in those documents for concerns related to
1558 those groupings.
1560 The YANG modules defined in this document are designed to be accessed
1561 via YANG based management protocols, such as NETCONF [RFC6241] and
1562 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1563 implement secure transport layers (e.g., SSH, TLS) with mutual
1564 authentication.
1566 The NETCONF access control model (NACM) [RFC8341] provides the means
1567 to restrict access for particular users to a pre-configured subset of
1568 all available protocol operations and content.
1570 There are a number of data nodes defined in the YANG modules that are
1571 writable/creatable/deletable (i.e., config true, which is the
1572 default). Some of these data nodes may be considered sensitive or
1573 vulnerable in some network environments. Write operations (e.g.,
1574 edit-config) to these data nodes without proper protection can have a
1575 negative effect on network operations. These are the subtrees and
1576 data nodes and their sensitivity/vulnerability:
1578 None of the subtrees or data nodes in the modules defined in this
1579 document need to be protected from write operations.
1581 Some of the readable data nodes in the YANG modules may be considered
1582 sensitive or vulnerable in some network environments. It is thus
1583 important to control read access (e.g., via get, get-config, or
1584 notification) to these data nodes. These are the subtrees and data
1585 nodes and their sensitivity/vulnerability:
1587 None of the subtrees or data nodes in the modules defined in this
1588 document need to be protected from read operations.
1590 Some of the RPC operations in the YANG modules may be considered
1591 sensitive or vulnerable in some network environments. It is thus
1592 important to control access to these operations. These are the
1593 operations and their sensitivity/vulnerability:
1595 The modules defined in this document do not define any 'RPC' or
1596 'action' statements.
1598 5. IANA Considerations
1600 5.1. The IETF XML Registry
1602 This document registers two URIs in the "ns" subregistry of the IETF
1603 XML Registry [RFC3688]. Following the format in [RFC3688], the
1604 following registrations are requested:
1606 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1607 Registrant Contact: The NETCONF WG of the IETF.
1608 XML: N/A, the requested URI is an XML namespace.
1610 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1611 Registrant Contact: The NETCONF WG of the IETF.
1612 XML: N/A, the requested URI is an XML namespace.
1614 5.2. The YANG Module Names Registry
1616 This document registers two YANG modules in the YANG Module Names
1617 registry [RFC6020]. Following the format in [RFC6020], the
1618 following registrations are requested:
1620 name: ietf-restconf-client
1621 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1622 prefix: ncc
1623 reference: RFC XXXX
1625 name: ietf-restconf-server
1626 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1627 prefix: ncs
1628 reference: RFC XXXX
1630 6. References
1632 6.1. Normative References
1634 [I-D.ietf-netconf-keystore]
1635 Watsen, K., "YANG Data Model for a Centralized Keystore
1636 Mechanism", draft-ietf-netconf-keystore-08 (work in
1637 progress), March 2019.
1639 [I-D.ietf-netconf-tls-client-server]
1640 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1641 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1642 server-11 (work in progress), April 2019.
1644 [I-D.kwatsen-netconf-http-client-server]
1645 Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1646 Servers", draft-kwatsen-netconf-http-client-server-01
1647 (work in progress), April 2019.
1649 [I-D.kwatsen-netconf-tcp-client-server]
1650 Watsen, K., "YANG Groupings for TCP Clients and TCP
1651 Servers", draft-kwatsen-netconf-tcp-client-server-01 (work
1652 in progress), April 2019.
1654 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1655 Requirement Levels", BCP 14, RFC 2119,
1656 DOI 10.17487/RFC2119, March 1997.
1659 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1660 the Network Configuration Protocol (NETCONF)", RFC 6020,
1661 DOI 10.17487/RFC6020, October 2010.
1664 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1665 RFC 6991, DOI 10.17487/RFC6991, July 2013.
1668 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1669 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1670 December 2014.
1672 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1673 RFC 7950, DOI 10.17487/RFC7950, August 2016.
1676 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1677 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
1680 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1681 RFC 8071, DOI 10.17487/RFC8071, February 2017.
1684 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1685 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1686 May 2017.
1688 6.2. Informative References
1690 [I-D.ietf-netconf-trust-anchors]
1691 Watsen, K., "YANG Data Model for Global Trust Anchors",
1692 draft-ietf-netconf-trust-anchors-03 (work in progress),
1693 March 2019.
1695 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1696 DOI 10.17487/RFC3688, January 2004.
1699 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1700 and A. Bierman, Ed., "Network Configuration Protocol
1701 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
1704 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1705 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.
1708 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1709 Access Control Model", STD 91, RFC 8341,
1710 DOI 10.17487/RFC8341, March 2018.
1713 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
1714 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
1717 Appendix A. Expanded Tree Diagrams
1719 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
1721 The following tree diagram [RFC8340] provides an overview of the data
1722 model for the "ietf-restconf-client" module.
1724 This tree diagram shows all the nodes defined in this module,
1725 including those defined by "grouping" statements used by this module.
1727 Please see Section 2.1 for a tree diagram that illustrates what the
1728 module looks like without all the "grouping" statements expanded.
1730 ========== NOTE: '\\' line wrapping per BCP XX (RFC XXXX) ===========
1732 module: ietf-restconf-client
1733 +--rw restconf-client
1734 +--rw initiate! {https-initiate}?
1735 | +--rw restconf-server* [name]
1736 | +--rw name string
1737 | +--rw endpoints
1738 | | +--rw endpoint* [name]
1739 | | +--rw name string
1740 | | +--rw (transport)
1741 | | +--:(https) {https-initiate}?
1742 | | +--rw https
1743 | | +--rw tcp-client-parameters
1744 | | | +--rw remote-address inet:host
1745 | | | +--rw remote-port? inet:port-number
1746 | | | +--rw local-address? inet:ip-address
1747 | | | +--rw local-port? inet:port-number
1748 | | | +--rw keepalives!
1749 | | | +--rw idle-time uint16
1750 | | | +--rw max-probes uint16
1751 | | | +--rw probe-interval uint16
1752 | | +--rw tls-client-parameters
1753 | | | +--rw client-identity
1754 | | | | +--rw (auth-type)
1755 | | | | +--:(certificate)
1756 | | | | +--rw certificate
1757 | | | | +--rw (local-or-keystore)
1758 | | | | +--:(local)
1759 | | | | | {local-keys-sup\
1760 \ported}?
1761 | | | | | +--rw local-definition
1762 | | | | | +--rw algorithm?
1763 | | | | | | asymmetric\
1764 \-key-algorithm-ref
1765 | | | | | +--rw public-key?
1766 | | | | | | binary
1767 | | | | | +--rw private-key?
1768 | | | | | | union
1769 | | | | | +---x generate-hid\
1770 \den-key
1771 | | | | | | +---w input
1772 | | | | | | +---w algori\
1773 \thm
1774 | | | | | | asym\
1775 \metric-key-algorithm-ref
1776 | | | | | +---x install-hidd\
1777 \en-key
1778 | | | | | | +---w input
1779 | | | | | | +---w algori\
1780 \thm
1781 | | | | | | | asym\
1782 \metric-key-algorithm-ref
1783 | | | | | | +---w public\
1784 \-key?
1785 | | | | | | | bina\
1786 \ry
1787 | | | | | | +---w privat\
1788 \e-key?
1789 | | | | | | bina\
1790 \ry
1791 | | | | | +--rw cert?
1792 | | | | | | end-entity\
1793 \-cert-cms
1794 | | | | | +---n certificate-\
1795 \expiration
1796 | | | | | +-- expiration-\
1797 \date
1798 | | | | | yang:da\
1799 \te-and-time
1800 | | | | +--:(keystore)
1801 | | | | {keystore-suppo\
1802 \rted}?
1803 | | | | +--rw keystore-refere\
1804 \nce?
1805 | | | | ks:asymmetric\
1806 \-key-certificate-ref
1807 | | | +--rw server-authentication
1808 | | | | +--rw pinned-ca-certs?
1809 | | | | | ta:pinned-certificates-ref
1810 | | | | | {ta:x509-certificates}?
1811 | | | | +--rw pinned-server-certs?
1812 | | | | ta:pinned-certificates-ref
1813 | | | | {ta:x509-certificates}?
1814 | | | +--rw hello-params
1815 | | | | {tls-client-hello-params-config\
1816 \}?
1817 | | | | +--rw tls-versions
1818 | | | | | +--rw tls-version* identityref
1819 | | | | +--rw cipher-suites
1820 | | | | +--rw cipher-suite* identityref
1821 | | | +--rw keepalives!
1822 | | | {tls-client-keepalives}?
1823 | | | +--rw max-wait? uint16
1824 | | | +--rw max-attempts? uint8
1825 | | +--rw http-client-parameters
1826 | | +--rw protocol-version? enumeration
1827 | | +--rw client-identity
1828 | | | +--rw (auth-type)?
1829 | | | +--:(basic)
1830 | | | | +--rw basic {basic-auth}?
1831 | | | | +--rw user-id? string
1832 | | | | +--rw password? string
1833 | | | +--:(bearer)
1834 | | | | +--rw bearer {bearer-auth}?
1835 | | | | +--rw token? string
1836 | | | +--:(digest)
1837 | | | | +--rw digest {digest-auth}?
1838 | | | | +--rw username? string
1839 | | | | +--rw password? string
1840 | | | +--:(hoba)
1841 | | | | +--rw hoba {hoba-auth}?
1842 | | | +--:(mutual)
1843 | | | | +--rw mutual {mutual-auth}?
1844 | | | +--:(negotiate)
1845 | | | | +--rw negotiate
1846 | | | | {negotiate-auth}?
1847 | | | +--:(oauth)
1848 | | | | +--rw oauth {oauth-auth}?
1849 | | | +--:(scram-sha-1)
1850 | | | | +--rw scram-sha-1
1851 | | | | {scram-sha-1-auth}?
1852 | | | +--:(scram-sha-256)
1853 | | | | +--rw scram-sha-256
1854 | | | | {scram-sha-256-auth}?
1855 | | | +--:(vapid)
1856 | | | +--rw vapid {vapid-auth}?
1857 | | +--rw proxy-server! {proxy-connect}?
1858 | | +--rw tcp-client-parameters
1859 | | | +--rw remote-address inet:host
1860 | | | +--rw remote-port?
1861 | | | | inet:port-number
1862 | | | +--rw local-address?
1863 | | | | inet:ip-address
1864 | | | +--rw local-port?
1865 | | | | inet:port-number
1866 | | | +--rw keepalives!
1867 | | | +--rw idle-time uint16
1868 | | | +--rw max-probes uint16
1869 | | | +--rw probe-interval uint16
1870 | | +--rw tls-client-parameters
1871 | | | +--rw client-identity
1872 | | | | +--rw (auth-type)?
1873 | | | | +--:(certificate)
1874 | | | | +--rw certificate
1875 | | | | +--rw (local-or-keyst\
1876 \ore)
1877 | | | | +--:(local)
1878 | | | | | {local-ke\
1879 \ys-supported}?
1880 | | | | | +--rw local-def\
1881 \inition
1882 | | | | | +--rw algori\
1883 \thm?
1884 | | | | | | asym\
1885 \metric-key-algorithm-ref
1886 | | | | | +--rw public\
1887 \-key?
1888 | | | | | | bina\
1889 \ry
1890 | | | | | +--rw privat\
1891 \e-key?
1892 | | | | | | union
1893 | | | | | +---x genera\
1894 \te-hidden-key
1895 | | | | | | +---w inp\
1896 \ut
1897 | | | | | | +---w \
1898 \algorithm
1899 | | | | | | \
1900 \ asymmetric-key-algorithm-ref
1901 | | | | | +---x instal\
1902 \l-hidden-key
1903 | | | | | | +---w inp\
1904 \ut
1905 | | | | | | +---w \
1906 \algorithm
1907 | | | | | | | \
1908 \ asymmetric-key-algorithm-ref
1909 | | | | | | +---w \
1910 \public-key?
1911 | | | | | | | \
1912 \ binary
1913 | | | | | | +---w \
1914 \private-key?
1915 | | | | | | \
1916 \ binary
1917 | | | | | +--rw cert?
1918 | | | | | | end-\
1919 \entity-cert-cms
1920 | | | | | +---n certif\
1921 \icate-expiration
1922 | | | | | +-- expir\
1923 \ation-date
1924 | | | | | y\
1925 \ang:date-and-time
1926 | | | | +--:(keystore)
1927 | | | | {keystore\
1928 \-supported}?
1929 | | | | +--rw keystore-\
1930 \reference?
1931 | | | | ks:asym\
1932 \metric-key-certificate-ref
1933 | | | +--rw server-authentication
1934 | | | | +--rw pinned-ca-certs?
1935 | | | | | ta:pinned-certificates\
1936 \-ref
1937 | | | | | {ta:x509-certificates}?
1938 | | | | +--rw pinned-server-certs?
1939 | | | | ta:pinned-certificates\
1940 \-ref
1941 | | | | {ta:x509-certificates}?
1942 | | | +--rw hello-params
1943 | | | | {tls-client-hello-params-\
1944 \config}?
1945 | | | | +--rw tls-versions
1946 | | | | | +--rw tls-version*
1947 | | | | | identityref
1948 | | | | +--rw cipher-suites
1949 | | | | +--rw cipher-suite*
1950 | | | | identityref
1951 | | | +--rw keepalives!
1952 | | | {tls-client-keepalives}?
1953 | | | +--rw max-wait? uint16
1954 | | | +--rw max-attempts? uint8
1955 | | +--rw proxy-client-identity
1956 | | +--rw user-id? string
1957 | | +--rw password? string
1958 | +--rw connection-type
1959 | | +--rw (connection-type)
1960 | | +--:(persistent-connection)
1961 | | | +--rw persistent!
1962 | | +--:(periodic-connection)
1963 | | +--rw periodic!
1964 | | +--rw period? uint16
1965 | | +--rw anchor-time? yang:date-and-time
1966 | | +--rw idle-timeout? uint16
1967 | +--rw reconnect-strategy
1968 | +--rw start-with? enumeration
1969 | +--rw max-attempts? uint8
1970 +--rw listen! {https-listen}?
1971 +--rw idle-timeout? uint16
1972 +--rw endpoint* [name]
1973 +--rw name string
1974 +--rw (transport)
1975 +--:(https) {https-listen}?
1976 +--rw https
1977 +--rw tcp-server-parameters
1978 | +--rw local-address inet:ip-address
1979 | +--rw local-port? inet:port-number
1980 | +--rw keepalives!
1981 | +--rw idle-time uint16
1982 | +--rw max-probes uint16
1983 | +--rw probe-interval uint16
1984 +--rw tls-client-parameters
1985 | +--rw client-identity
1986 | | +--rw (auth-type)
1987 | | +--:(certificate)
1988 | | +--rw certificate
1989 | | +--rw (local-or-keystore)
1990 | | +--:(local)
1991 | | | {local-keys-supported\
1992 \}?
1993 | | | +--rw local-definition
1994 | | | +--rw algorithm?
1995 | | | | asymmetric-key-a\
1996 \lgorithm-ref
1997 | | | +--rw public-key?
1998 | | | | binary
1999 | | | +--rw private-key?
2000 | | | | union
2001 | | | +---x generate-hidden-key
2002 | | | | +---w input
2003 | | | | +---w algorithm
2004 | | | | asymmetric\
2006 \-key-algorithm-ref
2007 | | | +---x install-hidden-key
2008 | | | | +---w input
2009 | | | | +---w algorithm
2010 | | | | | asymmetric\
2011 \-key-algorithm-ref
2012 | | | | +---w public-key?
2013 | | | | | binary
2014 | | | | +---w private-key?
2015 | | | | binary
2016 | | | +--rw cert?
2017 | | | | end-entity-cert-\
2018 \cms
2019 | | | +---n certificate-expira\
2020 \tion
2021 | | | +-- expiration-date
2022 | | | yang:date-and\
2023 \-time
2024 | | +--:(keystore)
2025 | | {keystore-supported}?
2026 | | +--rw keystore-reference?
2027 | | ks:asymmetric-key-c\
2028 \ertificate-ref
2029 | +--rw server-authentication
2030 | | +--rw pinned-ca-certs?
2031 | | | ta:pinned-certificates-ref
2032 | | | {ta:x509-certificates}?
2033 | | +--rw pinned-server-certs?
2034 | | ta:pinned-certificates-ref
2035 | | {ta:x509-certificates}?
2036 | +--rw hello-params
2037 | | {tls-client-hello-params-config}?
2038 | | +--rw tls-versions
2039 | | | +--rw tls-version* identityref
2040 | | +--rw cipher-suites
2041 | | +--rw cipher-suite* identityref
2042 | +--rw keepalives! {tls-client-keepalives}?
2043 | +--rw max-wait? uint16
2044 | +--rw max-attempts? uint8
2045 +--rw http-client-parameters
2046 +--rw protocol-version? enumeration
2047 +--rw client-identity
2048 | +--rw (auth-type)?
2049 | +--:(basic)
2050 | | +--rw basic {basic-auth}?
2051 | | +--rw user-id? string
2052 | | +--rw password? string
2053 | +--:(bearer)
2054 | | +--rw bearer {bearer-auth}?
2055 | | +--rw token? string
2056 | +--:(digest)
2057 | | +--rw digest {digest-auth}?
2058 | | +--rw username? string
2059 | | +--rw password? string
2060 | +--:(hoba)
2061 | | +--rw hoba {hoba-auth}?
2062 | +--:(mutual)
2063 | | +--rw mutual {mutual-auth}?
2064 | +--:(negotiate)
2065 | | +--rw negotiate {negotiate-auth}?
2066 | +--:(oauth)
2067 | | +--rw oauth {oauth-auth}?
2068 | +--:(scram-sha-1)
2069 | | +--rw scram-sha-1 {scram-sha-1-auth}?
2070 | +--:(scram-sha-256)
2071 | | +--rw scram-sha-256
2072 | | {scram-sha-256-auth}?
2073 | +--:(vapid)
2074 | +--rw vapid {vapid-auth}?
2075 +--rw proxy-server! {proxy-connect}?
2076 +--rw tcp-client-parameters
2077 | +--rw remote-address inet:host
2078 | +--rw remote-port? inet:port-number
2079 | +--rw local-address? inet:ip-address
2080 | +--rw local-port? inet:port-number
2081 | +--rw keepalives!
2082 | +--rw idle-time uint16
2083 | +--rw max-probes uint16
2084 | +--rw probe-interval uint16
2085 +--rw tls-client-parameters
2086 | +--rw client-identity
2087 | | +--rw (auth-type)?
2088 | | +--:(certificate)
2089 | | +--rw certificate
2090 | | +--rw (local-or-keystore)
2091 | | +--:(local)
2092 | | | {local-keys-sup\
2093 \ported}?
2094 | | | +--rw local-definition
2095 | | | +--rw algorithm?
2096 | | | | asymmetric\
2097 \-key-algorithm-ref
2098 | | | +--rw public-key?
2099 | | | | binary
2100 | | | +--rw private-key?
2101 | | | | union
2102 | | | +---x generate-hid\
2103 \den-key
2104 | | | | +---w input
2105 | | | | +---w algori\
2106 \thm
2107 | | | | asym\
2108 \metric-key-algorithm-ref
2109 | | | +---x install-hidd\
2110 \en-key
2111 | | | | +---w input
2112 | | | | +---w algori\
2113 \thm
2114 | | | | | asym\
2115 \metric-key-algorithm-ref
2116 | | | | +---w public\
2117 \-key?
2118 | | | | | bina\
2119 \ry
2120 | | | | +---w privat\
2121 \e-key?
2122 | | | | bina\
2123 \ry
2124 | | | +--rw cert?
2125 | | | | end-entity\
2126 \-cert-cms
2127 | | | +---n certificate-\
2128 \expiration
2129 | | | +-- expiration-\
2130 \date
2131 | | | yang:da\
2132 \te-and-time
2133 | | +--:(keystore)
2134 | | {keystore-suppo\
2135 \rted}?
2136 | | +--rw keystore-refere\
2137 \nce?
2138 | | ks:asymmetric\
2139 \-key-certificate-ref
2140 | +--rw server-authentication
2141 | | +--rw pinned-ca-certs?
2142 | | | ta:pinned-certificates-ref
2143 | | | {ta:x509-certificates}?
2144 | | +--rw pinned-server-certs?
2145 | | ta:pinned-certificates-ref
2146 | | {ta:x509-certificates}?
2147 | +--rw hello-params
2148 | | {tls-client-hello-params-config\
2149 \}?
2150 | | +--rw tls-versions
2151 | | | +--rw tls-version* identityref
2152 | | +--rw cipher-suites
2153 | | +--rw cipher-suite* identityref
2154 | +--rw keepalives!
2155 | {tls-client-keepalives}?
2156 | +--rw max-wait? uint16
2157 | +--rw max-attempts? uint8
2158 +--rw proxy-client-identity
2159 +--rw user-id? string
2160 +--rw password? string
2162 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
2164 The following tree diagram [RFC8340] provides an overview of the data
2165 model for the "ietf-restconf-server" module.
2167 This tree diagram shows all the nodes defined in this module,
2168 including those defined by "grouping" statements used by this module.
2170 Please see Section 3.1 for a tree diagram that illustrates what the
2171 module looks like without all the "grouping" statements expanded.
2173 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
2175 module: ietf-restconf-server
2176 +--rw restconf-server
2177 +--rw listen! {https-listen}?
2178 | +--rw endpoint* [name]
2179 | +--rw name string
2180 | +--rw (transport)
2181 | +--:(https) {https-listen}?
2182 | +--rw https
2183 | +--rw tcp-server-parameters
2184 | | +--rw local-address inet:ip-address
2185 | | +--rw local-port? inet:port-number
2186 | | +--rw keepalives!
2187 | | +--rw idle-time uint16
2188 | | +--rw max-probes uint16
2189 | | +--rw probe-interval uint16
2190 | +--rw tls-server-parameters
2191 | | +--rw server-identity
2192 | | | +--rw (local-or-keystore)
2193 | | | +--:(local) {local-keys-supported}?
2194 | | | | +--rw local-definition
2195 | | | | +--rw algorithm?
2196 | | | | | asymmetric-key-algorithm-\
2197 ref
2198 | | | | +--rw public-key?
2199 | | | | | binary
2200 | | | | +--rw private-key?
2201 | | | | | union
2202 | | | | +---x generate-hidden-key
2203 | | | | | +---w input
2204 | | | | | +---w algorithm
2205 | | | | | asymmetric-key-algo\
2206 rithm-ref
2207 | | | | +---x install-hidden-key
2208 | | | | | +---w input
2209 | | | | | +---w algorithm
2210 | | | | | | asymmetric-key-algo\
2211 rithm-ref
2212 | | | | | +---w public-key? binary
2213 | | | | | +---w private-key? binary
2214 | | | | +--rw cert?
2215 | | | | | end-entity-cert-cms
2216 | | | | +---n certificate-expiration
2217 | | | | +-- expiration-date
2218 | | | | yang:date-and-time
2219 | | | +--:(keystore) {keystore-supported}?
2220 | | | +--rw keystore-reference?
2221 | | | ks:asymmetric-key-certificat\
2222 e-ref
2223 | | +--rw client-authentication!
2224 | | | +--rw (required-or-optional)
2225 | | | | +--:(required)
2226 | | | | | +--rw required?
2227 | | | | | empty
2228 | | | | +--:(optional)
2229 | | | | +--rw optional?
2230 | | | | empty
2231 | | | +--rw (local-or-external)
2232 | | | +--:(local)
2233 | | | | {local-client-auth-supported}?
2234 | | | | +--rw pinned-ca-certs?
2235 | | | | | ta:pinned-certificates-ref
2236 | | | | | {ta:x509-certificates}?
2237 | | | | +--rw pinned-client-certs?
2238 | | | | | ta:pinned-certificates-ref
2239 | | | | | {ta:x509-certificates}?
2240 | | | | +--rw cert-maps
2241 | | | | +--rw cert-to-name* [id]
2242 | | | | +--rw id uint32
2243 | | | | +--rw fingerprint
2244 | | | | | x509c2n:tls-fingerprint
2245 | | | | +--rw map-type
2246 | | | | | identityref
2247 | | | | +--rw name string
2248 | | | +--:(external)
2249 | | | {external-client-auth-supporte\
2250 d}?
2251 | | | +--rw client-auth-defined-elsewhere?
2252 | | | empty
2253 | | +--rw hello-params
2254 | | | {tls-server-hello-params-config}?
2255 | | | +--rw tls-versions
2256 | | | | +--rw tls-version* identityref
2257 | | | +--rw cipher-suites
2258 | | | +--rw cipher-suite* identityref
2259 | | +--rw keepalives! {tls-server-keepalives}?
2260 | | +--rw max-wait? uint16
2261 | | +--rw max-attempts? uint8
2262 | +--rw http-server-parameters
2263 | +--rw server-name? string
2264 | +--rw protocol-versions
2265 | | +--rw protocol-version* enumeration
2266 | +--rw client-authentication!
2267 | +--rw (required-or-optional)
2268 | | +--:(required)
2269 | | | +--rw required?
2270 | | | empty
2271 | | +--:(optional)
2272 | | +--rw optional?
2273 | | empty
2274 | +--rw (local-or-external)
2275 | +--:(local)
2276 | | {local-client-auth-supported}?
2277 | | +--rw users
2278 | | +--rw user* [name]
2279 | | +--rw name string
2280 | | +--rw password?
2281 | | ianach:crypt-hash
2282 | +--:(external)
2283 | {external-client-auth-supporte\
2284 d}?
2285 | +--rw client-auth-defined-elsewhere?
2286 | empty
2287 +--rw call-home! {https-call-home}?
2288 +--rw restconf-client* [name]
2289 +--rw name string
2290 +--rw endpoints
2291 | +--rw endpoint* [name]
2292 | +--rw name string
2293 | +--rw (transport)
2294 | +--:(https) {https-call-home}?
2295 | +--rw https
2296 | +--rw tcp-client-parameters
2297 | | +--rw remote-address inet:host
2298 | | +--rw remote-port? inet:port-number
2299 | | +--rw local-address? inet:ip-address
2300 | | +--rw local-port? inet:port-number
2301 | | +--rw keepalives!
2302 | | +--rw idle-time uint16
2303 | | +--rw max-probes uint16
2304 | | +--rw probe-interval uint16
2305 | +--rw tls-server-parameters
2306 | | +--rw server-identity
2307 | | | +--rw (local-or-keystore)
2308 | | | +--:(local)
2309 | | | | {local-keys-supported}?
2310 | | | | +--rw local-definition
2311 | | | | +--rw algorithm?
2312 | | | | | asymmetric-key-algo\
2313 rithm-ref
2314 | | | | +--rw public-key?
2315 | | | | | binary
2316 | | | | +--rw private-key?
2317 | | | | | union
2318 | | | | +---x generate-hidden-key
2319 | | | | | +---w input
2320 | | | | | +---w algorithm
2321 | | | | | asymmetric-ke\
2322 y-algorithm-ref
2323 | | | | +---x install-hidden-key
2324 | | | | | +---w input
2325 | | | | | +---w algorithm
2326 | | | | | | asymmetric-ke\
2327 y-algorithm-ref
2328 | | | | | +---w public-key?
2329 | | | | | | binary
2330 | | | | | +---w private-key?
2331 | | | | | binary
2332 | | | | +--rw cert?
2333 | | | | | end-entity-cert-cms
2334 | | | | +---n certificate-expiration
2335 | | | | +-- expiration-date
2336 | | | | yang:date-and-ti\
2337 me
2338 | | | +--:(keystore)
2339 | | | {keystore-supported}?
2340 | | | +--rw keystore-reference?
2341 | | | ks:asymmetric-key-cert\
2343 ificate-ref
2344 | | +--rw client-authentication!
2345 | | | +--rw (required-or-optional)
2346 | | | | +--:(required)
2347 | | | | | +--rw required?
2348 | | | | | empty
2349 | | | | +--:(optional)
2350 | | | | +--rw optional?
2351 | | | | empty
2352 | | | +--rw (local-or-external)
2353 | | | | +--:(local)
2354 | | | | | {local-client-auth-suppo\
2355 rted}?
2356 | | | | | +--rw pinned-ca-certs?
2357 | | | | | | ta:pinned-certificates\
2358 -ref
2359 | | | | | | {ta:x509-certificates}?
2360 | | | | | +--rw pinned-client-certs?
2361 | | | | | ta:pinned-certificates\
2362 -ref
2363 | | | | | {ta:x509-certificates}?
2364 | | | | +--:(external)
2365 | | | | {external-client-auth-su\
2366 pported}?
2367 | | | | +--rw client-auth-defined-else\
2368 where?
2369 | | | | empty
2370 | | | +--rw cert-maps
2371 | | | +--rw cert-to-name* [id]
2372 | | | +--rw id uint32
2373 | | | +--rw fingerprint
2374 | | | | x509c2n:tls-fingerprint
2375 | | | +--rw map-type
2376 | | | | identityref
2377 | | | +--rw name string
2378 | | +--rw hello-params
2379 | | | {tls-server-hello-params-config\
2380 }?
2381 | | | +--rw tls-versions
2382 | | | | +--rw tls-version* identityref
2383 | | | +--rw cipher-suites
2384 | | | +--rw cipher-suite* identityref
2385 | | +--rw keepalives!
2386 | | {tls-server-keepalives}?
2387 | | +--rw max-wait? uint16
2388 | | +--rw max-attempts? uint8
2389 | +--rw http-server-parameters
2390 | +--rw server-name? string
2391 | +--rw protocol-versions
2392 | | +--rw protocol-version* enumeration
2393 | +--rw client-authentication!
2394 | +--rw (required-or-optional)
2395 | | +--:(required)
2396 | | | +--rw required?
2397 | | | empty
2398 | | +--:(optional)
2399 | | +--rw optional?
2400 | | empty
2401 | +--rw (local-or-external)
2402 | +--:(local)
2403 | | {local-client-auth-suppo\
2404 rted}?
2405 | | +--rw users
2406 | | +--rw user* [name]
2407 | | +--rw name string
2408 | | +--rw password?
2409 | | ianach:crypt-hash
2410 | +--:(external)
2411 | {external-client-auth-su\
2412 pported}?
2413 | +--rw client-auth-defined-else\
2414 where?
2415 | empty
2416 +--rw connection-type
2417 | +--rw (connection-type)
2418 | +--:(persistent-connection)
2419 | | +--rw persistent!
2420 | +--:(periodic-connection)
2421 | +--rw periodic!
2422 | +--rw period? uint16
2423 | +--rw anchor-time? yang:date-and-time
2424 | +--rw idle-timeout? uint16
2425 +--rw reconnect-strategy
2426 +--rw start-with? enumeration
2427 +--rw max-attempts? uint8
2429 Appendix B. Change Log
2431 B.1. 00 to 01
2433 o Renamed "keychain" to "keystore".
2435 B.2. 01 to 02
2437 o Filled in previously missing 'ietf-restconf-client' module.
2439 o Updated the ietf-restconf-server module to accommodate new
2440 grouping 'ietf-tls-server-grouping'.
2442 B.3. 02 to 03
2444 o Refined use of tls-client-grouping to add a must statement
2445 indicating that the TLS client must specify a client-certificate.
2447 o Changed restconf-client??? to be a grouping (not a container).
2449 B.4. 03 to 04
2451 o Added RFC 8174 to Requirements Language Section.
2453 o Replaced refine statement in ietf-restconf-client to add a
2454 mandatory true.
2456 o Added refine statement in ietf-restconf-server to add a must
2457 statement.
2459 o Now there are containers and groupings, for both the client and
2460 server models.
2462 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
2464 o Updated examples to inline key and certificates (no longer a
2465 leafref to keystore)
2467 B.5. 04 to 05
2469 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
2471 o Updated examples to inline key and certificates (no longer a
2472 leafref to keystore)
2474 B.6. 05 to 06
2476 o Fixed change log missing section issue.
2478 o Updated examples to match latest updates to the crypto-types,
2479 trust-anchors, and keystore drafts.
2481 o Reduced line length of the YANG modules to fit within 69 columns.
2483 B.7. 06 to 07
2485 o removed "idle-timeout" from "persistent" connection config.
2487 o Added "random-selection" for reconnection-strategy's "starts-with"
2488 enum.
2490 o Replaced "connection-type" choice default (persistent) with
2491 "mandatory true".
2493 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
2494 minutes.
2496 o Replaced reconnect-timeout with period/anchor-time combo.
2498 B.8. 07 to 08
2500 o Modified examples to be compatible with new crypto-types algs.
2502 B.9. 08 to 09
2504 o Corrected use of "mandatory true" for "address" leafs.
2506 o Updated examples to reflect update to groupings defined in the
2507 keystore draft.
2509 o Updated to use groupings defined in new TCP and HTTP drafts.
2511 o Updated copyright date, boilerplate template, affiliation, and
2512 folding algorithm.
2514 B.10. 09 to 10
2516 o Reformatted YANG modules.
2518 B.11. 10 to 11
2520 o Adjusted for the top-level "demux container" added to groupings
2521 imported from other modules.
2523 o Added "must" expressions to ensure that keepalives are not
2524 configured for "periodic" connections.
2526 o Updated the boilerplate text in module-level "description"
2527 statement to match copyeditor convention.
2529 o Moved "expanded" tree diagrams to the Appendix.
2531 B.12. 11 to 12
2533 o Removed the 'must' statement limiting keepalives in periodic
2534 connections.
2536 o Updated models and examples to reflect removal of the "demux"
2537 containers in the imported models.
2539 o Updated the "periodic-connection" description statements to
2540 better describe behavior when connections are not closed
2541 gracefully.
2543 o Updated text to better reference where certain examples come from
2544 (e.g., which Section in which draft).
2546 o In the server model, commented out the "must 'pinned-ca-certs or
2547 pinned-client-certs'" statement to reflect change made in the TLS
2548 draft whereby the trust anchors MAY be defined externally.
2550 o Replaced the 'listen', 'initiate', and 'call-home' features with
2551 boolean expressions.
2553 Acknowledgements
2555 The authors would like to thank the following for lively discussions
2556 on list and in the halls (ordered by last name): Andy Bierman, Martin
2557 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
2558 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
2559 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
2560 Wijnen.
2562 Author's Address
2564 Kent Watsen
2565 Watsen Networks
2567 EMail: kent+ietf@watsen.net