idnits 2.17.1
draft-ietf-netconf-restconf-client-server-13.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 1782 has weird spacing: '...address ine...'
== Line 1792 has weird spacing: '...nterval uin...'
== Line 1893 has weird spacing: '...address ine...'
== Line 1906 has weird spacing: '...nterval uin...'
== Line 2014 has weird spacing: '...nterval uin...'
== (9 more instances...)
-- The document date (June 7, 2019) is 1777 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-09
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-12
== Outdated reference: A later version (-05) exists of
draft-kwatsen-netconf-http-client-server-02
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-04
Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                            June 7, 2019
Expires: December 9, 2019

                   RESTCONF Client and Server Models
              draft-ietf-netconf-restconf-client-server-13

Abstract

   This document defines two YANG modules, one module to configure a
   RESTCONF client and the other module to configure a RESTCONF server.
   Both modules support the TLS transport protocol with both standard
   RESTCONF and RESTCONF Call Home connections.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  I-D.ietf-netconf-keystore

   o  I-D.ietf-netconf-tcp-client-server

   o  I-D.ietf-netconf-tls-client-server

   o  I-D.ietf-netconf-http-client-server

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "XXXX" --> the assigned RFC value for this draft

   o  "AAAA" --> the assigned RFC value for
      I-D.ietf-netconf-tcp-client-server

   o  "BBBB" --> the assigned RFC value for
      I-D.ietf-netconf-tls-client-server

   o  "CCCC" --> the assigned RFC value for
      I-D.ietf-netconf-http-client-server

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2019-06-07" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix B.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 9, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  The RESTCONF Client Model . . . . . . . . . . . . . . . . . .   4
     2.1.  Tree Diagram  . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Example Usage . . . . . . . . . . . . . . . . . . . . . .   6
     2.3.  YANG Module . . . . . . . . . . . . . . . . . . . . . . .   9
   3.  The RESTCONF Server Model . . . . . . . . . . . . . . . . . .  18
     3.1.  Tree Diagram  . . . . . . . . . . . . . . . . . . . . . .  18
     3.2.  Example Usage . . . . . . . . . . . . . . . . . . . . . .  19
     3.3.  YANG Module . . . . . . . . . . . . . . . . . . . . . . .  23
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  34
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  35
     5.1.  The IETF XML Registry . . . . . . . . . . . . . . . . . .  35
     5.2.  The YANG Module Names Registry  . . . . . . . . . . . . .  36
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  36
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  36
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  37
   Appendix A.  Expanded Tree Diagrams . . . . . . . . . . . . . . .  39
     A.1.  Expanded Tree Diagram for 'ietf-restconf-client'  . . . .  39
     A.2.  Expanded Tree Diagram for 'ietf-restconf-server'  . . . .  48
   Appendix B.  Change Log . . . . . . . . . . . . . . . . . . . . .  54
     B.1.  00 to 01  . . . . . . . . . . . . . . . . . . . . . . . .  54
     B.2.  01 to 02  . . . . . . . . . . . . . . . . . . . . . . . .  54
     B.3.  02 to 03  . . . . . . . . . . . . . . . . . . . . . . . .  55
     B.4.  03 to 04  . . . . . . . . . . . . . . . . . . . . . . . .  55
     B.5.  04 to 05  . . . . . . . . . . . . . . . . . . . . . . . .  55
     B.6.  05 to 06  . . . . . . . . . . . . . . . . . . . . . . . .  55
     B.7.  06 to 07  . . . . . . . . . . . . . . . . . . . . . . . .  55
     B.8.  07 to 08  . . . . . . . . . . . . . . . . . . . . . . . .  56
     B.9.  08 to 09  . . . . . . . . . . . . . . . . . . . . . . . .  56
     B.10. 09 to 10  . . . . . . . . . . . . . . . . . . . . . . . .  56
     B.11. 10 to 11  . . . . . . . . . . . . . . . . . . . . . . . .  56
     B.12. 11 to 12  . . . . . . . . . . . . . . . . . . . . . . . .  56
     B.13. 12 to 13  . . . . . . . . . . . . . . . . . . . . . . . .  57
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  57
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  57
1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a RESTCONF client and the other module to configure a
   RESTCONF server [RFC8040].  Both modules support the TLS [RFC8446]
   transport protocol with both standard RESTCONF and RESTCONF Call Home
   connections [RFC8071].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The RESTCONF Client Model

   The RESTCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home.  In the
   call-home case only the TCP roles are reversed: the "listen" branch
   pairs TCP server parameters with TLS client parameters, so the
   RESTCONF client still authenticates the RESTCONF server's certificate
   and still presents its own credentials.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   client supports.

2.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by
   this module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.
   module: ietf-restconf-client
     +--rw restconf-client
        +---u restconf-client-grouping

     grouping restconf-client-grouping
       +-- initiate! {https-initiate}?
       |  +-- restconf-server* [name]
       |     +-- name?                 string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?        string
       |     |     +-- (transport)
       |     |        +--:(https) {https-initiate}?
       |     |           +-- https
       |     |              +-- tcp-client-parameters
       |     |              |  +---u tcpc:tcp-client-grouping
       |     |              +-- tls-client-parameters
       |     |              |  +---u tlsc:tls-client-grouping
       |     |              +-- http-client-parameters
       |     |                 +---u httpc:http-client-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {https-listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?        string
             +-- (transport)
                +--:(https) {https-listen}?
                   +-- https
                      +-- tcp-server-parameters
                      |  +---u tcps:tcp-server-grouping
                      +-- tls-client-parameters
                      |  +---u tlsc:tls-client-grouping
                      +-- http-client-parameters
                         +---u httpc:http-client-grouping
2.2.  Example Usage

   The following example illustrates configuring a RESTCONF client to
   initiate connections, as well as listening for call-home connections.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========

   [The XML instance document shown here in the draft did not survive
   extraction: its element tags were stripped and only leaf values
   remain.  Those values show an "initiate" branch with RESTCONF servers
   reached at corp-fw1.example.com and corp-fw2.example.com (the first
   named "corp-fw1"), each endpoint carrying the numeric values 15, 3
   and 30 under its TCP client parameters, a "ct:rsa2048" client
   certificate with "base64encodedvalue==" placeholders for the key pair
   and certificate, server authentication through the truststore
   references "explicitly-trusted-server-ca-certs" and
   "explicitly-trusted-server-certs", the values 30 and 3 under the TLS
   client parameters, and HTTP client parameters selecting HTTP/1.1 with
   basic authentication as user "bob" and password "secret"; and a
   "listen" branch with one endpoint named "Intranet-facing listener"
   bound to 11.22.33.44 and carrying the same TLS and HTTP client
   parameters.]
2.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC8040],
   [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].
   <CODE BEGINS> file "ietf-restconf-client@2019-06-07.yang"
   module ietf-restconf-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
     prefix rcc;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
     }

     import ietf-http-client {
       prefix httpc;
       reference
         "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author: Kent Watsen
        Author: Gary Wu ";

     description
       "This module contains a collection of YANG definitions
        for configuring RESTCONF clients.

        Copyright (c) 2019 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2019-06-07 {
       description
         "Initial version";
       reference
         "RFC XXXX: RESTCONF Client and Server Models";
     }

     // Features

     feature https-initiate {
       description
         "The 'https-initiate' feature indicates that the RESTCONF
          client supports initiating HTTPS connections to RESTCONF
          servers. This feature exists as HTTPS might not be a
          mandatory-to-implement transport in the future.";
       reference
         "RFC 8040: RESTCONF Protocol";
     }

     feature https-listen {
       description
         "The 'https-listen' feature indicates that the RESTCONF client
          supports opening a port to listen for incoming RESTCONF
          server call-home connections. This feature exists as not
          all RESTCONF clients may support RESTCONF call home.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping restconf-client-grouping {
       description
         "Top-level grouping for RESTCONF client configuration.";
       container initiate {
         if-feature "https-initiate";
         presence "Enables client to initiate TCP connections";
         description
           "Configures client initiating underlying TCP connections.";
         list restconf-server {
           key "name";
           min-elements 1;
           description
             "List of RESTCONF servers the RESTCONF client is to
              initiate connections to in parallel.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF server.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A non-empty user-ordered list of endpoints for this
                  RESTCONF client to try to connect to in sequence.
                  Defining more than one enables high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for this endpoint.";
               }
               choice transport {
                 mandatory true;
                 description
                   "Selects between available transports. This is a
                    'choice' statement so as to support additional
                    transport options to be augmented in.";
                 case https {
                   if-feature "https-initiate";
                   container https {
                     description
                       "Specifies HTTPS-specific transport
                        configuration.";
                     container tcp-client-parameters {
                       description
                         "A wrapper around the TCP client parameters
                          to avoid name collisions.";
                       uses tcpc:tcp-client-grouping {
                         refine "remote-port" {
                           default "443";
                           description
                             "The RESTCONF client will attempt to
                              connect to the IANA-assigned well-known
                              port value for 'https' (443) if no value
                              is specified.";
                         }
                       }
                     }
                     container tls-client-parameters {
                       description
                         "A wrapper around the TLS client parameters
                          to avoid name collisions.";
                       uses tlsc:tls-client-grouping {
                         refine "client-identity/auth-type" {
                           mandatory true;
                           description
                             "RESTCONF clients MUST pass some
                              authentication credentials.";
                         }
                       }
                     }
                     container http-client-parameters {
                       description
                         "A wrapper around the HTTP client parameters
                          to avoid name collisions.";
                       uses httpc:http-client-grouping;
                     }
                   }
                 } // https
               } // transport
             } // endpoint
           } // endpoints
           container connection-type {
             description
               "Indicates the RESTCONF client's preference for how
                the RESTCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection
                             is to be maintained.";
                   description
                     "Maintain a persistent connection to the
                      RESTCONF server. If the connection goes down,
                      immediately start trying to reconnect to the
                      RESTCONF server, using the reconnection strategy.

                      This connection type minimizes any RESTCONF server
                      to RESTCONF client data-transfer delay, albeit
                      at the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the RESTCONF server.

                      This connection type decreases resource
                      utilization, albeit with increased delay
                      in RESTCONF server to RESTCONF client
                      interactions.

                      The RESTCONF client SHOULD gracefully close
                      the underlying TLS connection upon completing
                      planned activities.

                      In the case that the previous connection is
                      still active, establishing a new connection
                      is NOT RECOMMENDED.";

                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic
                        connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which
                        a series of periodic connections are
                        determined. The periodic connections occur
                        at a whole multiple interval from the anchor
                        time. For example, if the anchor time is 15
                        minutes past midnight and the period is
                        24 hours, then a periodic connection will
                        occur 15 minutes past midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds
                        that the underlying TCP session may remain
                        idle. A TCP session will be dropped if it
                        is idle for an interval longer than this
                        number of seconds. If set to zero, then the
                        RESTCONF client will never drop a session
                        because it is idle.";
                   }
                 }
               } // periodic-connection
             } // connection-type
           } // connection-type
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a RESTCONF
                client reconnects to a RESTCONF server, after
                discovering its connection to the server has
                dropped, even if due to a reboot. The RESTCONF
                client starts with the specified endpoint and
                tries to connect to it max-attempts times before
                trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start
                      with the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start
                      with the endpoint last connected to. If
                      no previous connection has ever been
                      established, then the first endpoint
                      configured is used. RESTCONF clients
                      SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the RESTCONF server's
                  endpoints the RESTCONF client should start
                  with when trying to connect to the RESTCONF
                  server.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the RESTCONF client
                  tries to connect to a specific endpoint before
                  moving on to the next endpoint in the list
                  (round robin).";
             }
           } // reconnect-strategy
         } // restconf-server
       } // initiate

       container listen {
         if-feature "https-listen";
         presence "Enables client to accept call-home connections";
         description
           "Configures client accepting call-home TCP connections.";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that an
              underlying TCP session may remain idle. A TCP session
              will be dropped if it is idle for an interval longer
              than this number of seconds. If set to zero, then
              the RESTCONF client will never drop a session because
              it is idle. Sessions that have a notification
              subscription active are never dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for RESTCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF listen endpoint.";
           }
           choice transport {
             mandatory true;
             description
               "Selects between available transports. This is a
                'choice' statement so as to support additional
                transport options to be augmented in.";
             case https {
               if-feature "https-listen";
               container https {
                 description
                   "HTTPS-specific listening configuration for inbound
                    connections.";
                 container tcp-server-parameters {
                   description
                     "A wrapper around the TCP server parameters
                      to avoid name collisions.";
                   uses tcps:tcp-server-grouping {
                     refine "local-port" {
                       default "4336";
                       description
                         "The RESTCONF client will listen on the IANA-
                          assigned well-known port for 'restconf-ch-tls'
                          (4336) if no value is specified.";
                     }
                   }
                 }
                 container tls-client-parameters {
                   description
                     "A wrapper around the TLS client parameters
                      to avoid name collisions.";
                   uses tlsc:tls-client-grouping {
                     refine "client-identity/auth-type" {
                       mandatory true;
                       description
                         "RESTCONF clients MUST pass some authentication
                          credentials.";
                     }
                   }
                 }
                 container http-client-parameters {
                   description
                     "A wrapper around the HTTP client parameters
                      to avoid name collisions.";
                   uses httpc:http-client-grouping;
                 }
               }
             } // case https
           } // transport
         } // endpoint
       } // listen
     } // restconf-client-grouping

     // Protocol accessible node, for servers that implement this
     // module.

     container restconf-client {
       uses restconf-client-grouping;
       description
         "Top-level container for RESTCONF client configuration.";
     }
   }
   <CODE ENDS>
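   The "connection-type" and "reconnect-strategy" nodes above decide
   when an initiating client opens a connection and which endpoint it
   tries first.  The following added example, which is not part of this
   draft or of any implementation of it, simulates that logic for one
   "restconf-server" entry in Python: it rejects an "anchor-time" the
   module's pattern would reject, computes the next periodic connection
   as a whole multiple of "period" from "anchor-time", and walks the
   endpoint list round robin according to "start-with" and
   "max-attempts".  The endpoint names, the connect() stub, the choice
   to start the series at "now" when no anchor is configured, and the
   choice to stop after one unsuccessful pass through all endpoints
   (a real client would keep cycling) are this example's own
   assumptions.

```python
"""Added example (not from the draft): connection scheduling and
endpoint selection per ietf-restconf-client's 'connection-type' and
'reconnect-strategy' nodes, for one 'restconf-server' entry."""
import random
import re
from datetime import datetime, timedelta, timezone

# Same pattern the module places on 'anchor-time' (minute granularity).
ANCHOR_TIME_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[+\-]\d{2}:\d{2})$')


def parse_anchor_time(text):
    """Reject anything the module's pattern would reject, then parse."""
    if not ANCHOR_TIME_RE.match(text):
        raise ValueError('anchor-time must be minute-granular: %r' % text)
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(text.replace('Z', '+00:00'))


def next_periodic_connection(now, period=60, anchor_time=None):
    """First instant >= now that is a whole multiple of 'period'
    (minutes, module default 60) away from 'anchor-time'.  Without an
    anchor this example starts the series at 'now' (an assumption; the
    module leaves that case to the implementation)."""
    if not 1 <= period <= 65535:
        raise ValueError('period is a non-zero uint16 number of minutes')
    step = timedelta(minutes=period)
    anchor = parse_anchor_time(anchor_time) if anchor_time else now
    # Whole number of periods elapsed (negative if now is before anchor).
    k = (now - anchor) // step
    candidate = anchor + k * step
    return candidate if candidate >= now else candidate + step


def endpoint_order(names, start_with='first-listed', last_connected=None,
                   rng=random):
    """Round-robin order of endpoint names beginning where 'start-with'
    says; 'last-connected' falls back to the first listed endpoint when
    nothing was ever connected, as the module states."""
    names = list(names)
    if start_with == 'first-listed':
        start = 0
    elif start_with == 'last-connected':
        start = names.index(last_connected) if last_connected in names else 0
    elif start_with == 'random-selection':
        start = rng.randrange(len(names))
    else:
        raise ValueError('unknown start-with value %r' % start_with)
    return names[start:] + names[:start]


def reconnect(endpoints, connect, start_with='first-listed',
              max_attempts=3, last_connected=None, rng=random):
    """Try each endpoint up to 'max-attempts' times before moving to
    the next.  Returns (connected endpoint name or None, attempt log).
    One full pass is made here; a real client would keep cycling."""
    if not 1 <= max_attempts <= 255:          # uint8, range "1..max"
        raise ValueError('max-attempts must be in 1..255')
    log = []
    for name in endpoint_order(endpoints, start_with, last_connected, rng):
        for attempt in range(1, max_attempts + 1):
            ok = connect(endpoints[name])
            log.append((name, attempt, ok))
            if ok:
                return name, log
    return None, log


# Constructed sample data: two endpoints of one restconf-server entry
# (insertion order is the user order), and a connect() stub standing in
# for the TCP/TLS/HTTP stack that only ever succeeds for the second.
SAMPLE_ENDPOINTS = {
    'corp-fw1.example.com': ('corp-fw1.example.com', 443),
    'corp-fw2.example.com': ('corp-fw2.example.com', 443),
}


def only_fw2_reachable(address):
    return address[0] == 'corp-fw2.example.com'


if __name__ == '__main__':
    now = datetime(2019, 6, 8, 10, 0, tzinfo=timezone.utc)
    print(next_periodic_connection(now, 24 * 60, '2019-06-07T00:15Z'))
    print(reconnect(SAMPLE_ENDPOINTS, only_fw2_reachable, max_attempts=2))
```

   The floor division on timedeltas is what makes the anchor work
   "before or after" the present: a negative quotient for an anchor in
   the future still lands on the first multiple at or after now.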
3.  The RESTCONF Server Model

   The RESTCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   server supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by
   this module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.
   module: ietf-restconf-server
     +--rw restconf-server
        +---u restconf-server-app-grouping

     grouping restconf-server-grouping
       +-- client-identification
          +-- cert-maps
             +---u x509c2n:cert-to-name
     grouping restconf-server-listen-stack-grouping
       +-- (transport)
          +--:(http) {http-listen}?
          |  +-- http
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- http-server-parameters
          |     |  +---u https:http-server-grouping
          |     +-- restconf-server-parameters
          |        +---u rcs:restconf-server-grouping
          +--:(https) {https-listen}?
             +-- https
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- http-server-parameters
                |  +---u https:http-server-grouping
                +-- restconf-server-parameters
                   +---u rcs:restconf-server-grouping
     grouping restconf-server-callhome-stack-grouping
       +-- (transport)
          +--:(https) {https-listen}?
             +-- https
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- http-server-parameters
                |  +---u https:http-server-grouping
                +-- restconf-server-parameters
                   +---u rcs:restconf-server-grouping
     grouping restconf-server-app-grouping
       +-- listen! {https-listen}?
       |  +-- endpoint* [name]
       |     +-- name?   string
       |     +---u restconf-server-listen-stack-grouping
       +-- call-home! {https-call-home}?
          +-- restconf-client* [name]
             +-- name?                 string
             +-- endpoints
             |  +-- endpoint* [name]
             |     +-- name?   string
             |     +---u restconf-server-callhome-stack-grouping
             +-- connection-type
             |  +-- (connection-type)
             |     +--:(persistent-connection)
             |     |  +-- persistent!
             |     +--:(periodic-connection)
             |        +-- periodic!
             |           +-- period?         uint16
             |           +-- anchor-time?    yang:date-and-time
             |           +-- idle-timeout?   uint16
             +-- reconnect-strategy
                +-- start-with?     enumeration
                +-- max-attempts?   uint8
3.2.  Example Usage

   The following example illustrates configuring a RESTCONF server to
   listen for RESTCONF client connections, as well as configuring call-
   home to one RESTCONF client.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========

   [The XML instance document shown here in the draft did not survive
   extraction: its element tags were stripped and only leaf values
   remain.  Those values show a "listen" branch with one endpoint named
   "netconf/tls" bound to 11.22.33.44, carrying a "ct:rsa2048" server
   certificate with "base64encodedvalue==" placeholders, client
   authentication through the truststore references
   "explicitly-trusted-client-ca-certs" and
   "explicitly-trusted-client-certs", HTTP server parameters naming
   foo.example.com and the protocol versions HTTP/1.1 and HTTP/2.0, and
   a "cert-maps" list with two entries: id 1 with fingerprint
   11:0A:05:11:00 and map-type x509c2n:san-any, and id 2 with
   fingerprint B3:4F:A1:8C:54 and map-type x509c2n:specified mapping to
   the name "scooby-doo".  The "call-home" branch configures one
   RESTCONF client named "config-manager" with the endpoints
   "east-data-center" (east.example.com) and "west-data-center"
   (west.example.com), each carrying the same TLS server, HTTP server
   and cert-maps parameters, a periodic connection type with the values
   300 and 60, and a reconnect strategy of "last-connected" with 3
   max-attempts.]
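   The "cert-maps" list in this example is what turns a TLS client
   certificate into a RESTCONF username, so the lookup rules deserve to
   be seen in code.  The following added example is not from this draft
   or from any implementation of it; it applies the "cert-to-name"
   algorithm of [RFC7407] as this editor reads it: entries are evaluated
   in "id" order, an entry matches when its fingerprint equals that of
   the presented certificate or of a CA certificate in the chain that
   verified it, and once an entry has matched, failure to derive a name
   leaves the certificate unmapped rather than falling through to a
   later, possibly looser, entry.  The fingerprint encoding (one octet
   naming the hash, taken from the TLS HashAlgorithm registry, followed
   by the digest, colon-separated), the dictionary representation of a
   list entry and of the certificate's subjectAltNames, the preference
   order used for "san-any", and the byte strings standing in for DER
   certificates are all assumptions of this example.

```python
"""Added example (not from the draft): resolving a RESTCONF username
from a TLS client certificate with an ietf-x509-cert-to-name
'cert-to-name' list, as carried by the server model's 'cert-maps'."""
import hashlib

# Assumed fingerprint encoding: one octet naming the hash (TLS
# HashAlgorithm registry values) followed by the digest, colon-separated.
HASH_ALG = {1: 'md5', 2: 'sha1', 3: 'sha224', 4: 'sha256',
            5: 'sha384', 6: 'sha512'}

# Which SAN types each map-type may draw the name from, in the
# preference order assumed here for 'san-any'.
SAN_MAP_TYPES = {
    'x509c2n:san-rfc822-name': ('rfc822Name',),
    'x509c2n:san-dns-name': ('dNSName',),
    'x509c2n:san-ip-address': ('iPAddress',),
    'x509c2n:san-any': ('rfc822Name', 'dNSName', 'iPAddress'),
}


def fingerprint(cert_der, alg_id=4):
    """Colon-separated uppercase hex: algorithm octet, then digest."""
    digest = hashlib.new(HASH_ALG[alg_id], cert_der).digest()
    return ':'.join('%02X' % b for b in bytes([alg_id]) + digest)


def fingerprint_matches(entry_fp, cert_der):
    """Hash the certificate with the algorithm named by the entry's
    first octet; an unknown algorithm identifier never matches."""
    alg_id = int(entry_fp.split(':', 1)[0], 16)
    if alg_id not in HASH_ALG:
        return False
    return fingerprint(cert_der, alg_id) == entry_fp.upper()


def cert_to_name(cert_maps, chain, sans, common_name=None):
    """Return the RESTCONF username for a presented certificate, or
    None if it is unmapped.  'chain' is the presented certificate
    followed by the CA certificates that verified it; 'sans' maps a
    SAN type to the values present in the presented certificate."""
    for entry in sorted(cert_maps, key=lambda e: e['id']):
        if not any(fingerprint_matches(entry['fingerprint'], c)
                   for c in chain):
            continue
        # This entry applies.  Derive the name from its map-type and
        # do NOT keep searching if that fails: a later, looser entry
        # must not silently take over for a certificate this one owns.
        kind = entry['map-type']
        if kind == 'x509c2n:specified':
            return entry.get('name') or None
        if kind == 'x509c2n:common-name':
            return common_name or None
        for san_type in SAN_MAP_TYPES.get(kind, ()):
            if sans.get(san_type):
                return sans[san_type][0]
        return None
    return None


# Constructed sample data.  A real server hashes the DER certificates
# from the TLS handshake; these byte strings merely stand in for them.
CA_DER = b'constructed: corporate client CA certificate'
CLIENT_DER = b'constructed: certificate issued by that CA to an admin'
SCOOBY_DER = b'constructed: self-signed certificate for scooby-doo'

# Mirrors the shape of the draft's example: entry 1 trusts a CA and
# takes the name from a SAN; entry 2 pins one certificate to one name.
SAMPLE_CERT_MAPS = [
    {'id': 1, 'fingerprint': fingerprint(CA_DER),
     'map-type': 'x509c2n:san-any'},
    {'id': 2, 'fingerprint': fingerprint(SCOOBY_DER),
     'map-type': 'x509c2n:specified', 'name': 'scooby-doo'},
]


if __name__ == '__main__':
    print(cert_to_name(SAMPLE_CERT_MAPS, [CLIENT_DER, CA_DER],
                       {'dNSName': ['admin.corp-fw1.example.com']}))
    print(cert_to_name(SAMPLE_CERT_MAPS, [SCOOBY_DER], {}))
```

   The one behaviour worth testing on a real server is the last branch:
   a certificate matched by the CA entry but carrying no usable SAN
   must come out unmapped, not be picked up by a later entry.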
3.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC7407],
   [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].
1078 file "ietf-restconf-server@2019-06-07.yang"
1079 module ietf-restconf-server {
1080 yang-version 1.1;
1081 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
1082 prefix rcs;
1084 import ietf-yang-types {
1085 prefix yang;
1086 reference
1087 "RFC 6991: Common YANG Data Types";
1088 }
1090 import ietf-x509-cert-to-name {
1091 prefix x509c2n;
1092 reference
1093 "RFC 7407: A YANG Data Model for SNMP Configuration";
1094 }
1096 import ietf-tcp-client {
1097 prefix tcpc;
1098 reference
1099 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1100 }
1102 import ietf-tcp-server {
1103 prefix tcps;
1104 reference
1105 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1106 }
1108 import ietf-tls-server {
1109 prefix tlss;
1110 reference
1111 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
1112 }
1114 import ietf-http-server {
1115 prefix https;
1116 reference
1117 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
1118 }
1120 organization
1121 "IETF NETCONF (Network Configuration) Working Group";
1123 contact
1124 "WG Web:
1125 WG List:
1126 Author: Kent Watsen
1127 Author: Gary Wu
1128 Author: Juergen Schoenwaelder
1129 ";
1131 description
1132 "This module contains a collection of YANG definitions
1133 for configuring RESTCONF servers.
1135 Copyright (c) 2019 IETF Trust and the persons identified
1136 as authors of the code. All rights reserved.
1138 Redistribution and use in source and binary forms, with
1139 or without modification, is permitted pursuant to, and
1140 subject to the license terms contained in, the Simplified
1141 BSD License set forth in Section 4.c of the IETF Trust's
1142 Legal Provisions Relating to IETF Documents
1143 (https://trustee.ietf.org/license-info).
1145 This version of this YANG module is part of RFC XXXX
1146 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1147 itself for full legal notices.;
1149 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1150 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1151 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1152 are to be interpreted as described in BCP 14 (RFC 2119)
1153 (RFC 8174) when, and only when, they appear in all
1154 capitals, as shown here.";
1156 revision 2019-06-07 {
1157 description
1158 "Initial version";
1159 reference
1160 "RFC XXXX: RESTCONF Client and Server Models";
1161 }
1163 // Features
1165 feature http-listen {
1166 description
1167 "The 'http-listen' feature indicates that the RESTCONF server
1168 supports opening a port to listen for incoming RESTCONF over
1169 TCP client connections, whereby the TLS connections are
1170 terminated by an external system.";
1171 reference
1172 "RFC 8040: RESTCONF Protocol";
1173 }
1175 feature https-listen {
1176 description
1177 "The 'https-listen' feature indicates that the RESTCONF server
1178 supports opening a port to listen for incoming RESTCONF over
1179 TLS client connections, whereby the TLS connections are
1180 terminated by the server itself.";
1181 reference
1182 "RFC 8040: RESTCONF Protocol";
1183 }
1185 feature https-call-home {
1186 description
1187 "The 'https-call-home' feature indicates that the RESTCONF
1188 server supports initiating connections to RESTCONF clients.";
1189 reference
1190 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1191 }
1193 // Groupings
1195 grouping restconf-server-grouping {
1196 description
1197 "A reusable grouping for configuring a RESTCONF server
1198 without any consideration for how underlying transport
1199 sessions are established.
1201 Note that this grouping uses fairly typical descendent
1202 node names such that a stack of 'uses' statements will
1203 have name conflicts. It is intended that the consuming
1204 data model will resolve the issue (e.g., by wrapping
1205 the 'uses' statement in a container called
1206 'restconf-server-parameters'). This model purposely does
1207 not do this itself so as to provide maximum flexibility
1208 to consuming models.";
1210 container client-identification { // FIXME: if-feature?
1211 description
1212 "Specifies a mapping through which clients MAY be identified
1213 (i.e., the RESTCONF username) from a supplied certificate.
1214 Note that a client MAY alternatively be identified via an
1215 HTTP-level authentication scheme. This configuration does
1216 not require clients to send a certificate (that can be
1217 controlled via the ietf-restconf-server module).";
1218 container cert-maps {
1219 uses x509c2n:cert-to-name;
1220 description
1221 "The cert-maps container is used by TLS-based RESTCONF
1222 servers (even if the TLS sessions are terminated
1223 externally) to map the RESTCONF client's presented
1224 X.509 certificate to a RESTCONF username. If no
1225 matching and valid cert-to-name list entry can be
1226 found, then the RESTCONF server MUST close the
1227 connection, and MUST NOT accept RESTCONF messages
1228 over it.";
1229 reference
1230 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1231 }
1232 }
1233 }
1235 grouping restconf-server-listen-stack-grouping {
1236 description
1237 "A reusable grouping for configuring a RESTCONF server
1238 'listen' protocol stack, for a single connection.";
1239 choice transport {
1240 mandatory true;
1241 description
1242 "Selects between available transports. This is a
1243 'choice' statement so as to support additional
1244 transport options to be augmented in.";
1245 case http {
1246 if-feature "http-listen";
1247 container http {
1248 description
1249 "Configures RESTCONF server stack assuming that
1250 TLS-termination is handled externally.";
1251 container tcp-server-parameters {
1252 description
1253 "A wrapper around the TCP server parameters
1254 to avoid name collisions.";
1255 uses tcps:tcp-server-grouping {
1256 refine "local-port" {
1257 default "80";
1258 description
1259 "The RESTCONF server will listen on the IANA-
1260 assigned well-known port value for 'http'
1261 (80) if no value is specified.";
1262 }
1263 }
1264 }
1265 container http-server-parameters {
1266 description
1267 "A wrapper around the HTTP server parameters
1268 to avoid name collisions.";
1269 uses https:http-server-grouping;
1270 }
1271 container restconf-server-parameters {
1272 description
1273 "A wrapper around the RESTCONF server parameters
1274 to avoid name collisions.";
1275 uses rcs:restconf-server-grouping;
1276 }
1277 }
1278 }
1279 case https {
1280 if-feature "https-listen";
1281 container https {
1282 description
1283 "Configures RESTCONF server stack assuming that
1284 TLS-termination is handled internally.";
1285 container tcp-server-parameters {
1286 description
1287 "A wrapper around the TCP server parameters
1288 to avoid name collisions.";
1289 uses tcps:tcp-server-grouping {
1290 refine "local-port" {
1291 default "443";
1292 description
1293 "The RESTCONF server will listen on the IANA-
1294 assigned well-known port value for 'https'
1295 (443) if no value is specified.";
1296 }
1297 }
1298 }
1299 container tls-server-parameters {
1300 description
1301 "A wrapper around the TLS server parameters
1302 to avoid name collisions.";
1303 uses tlss:tls-server-grouping;
1304 }
1305 container http-server-parameters {
1306 description
1307 "A wrapper around the HTTP server parameters
1308 to avoid name collisions.";
1309 uses https:http-server-grouping;
1310 }
1311 container restconf-server-parameters {
1312 description
1313 "A wrapper around the RESTCONF server parameters
1314 to avoid name collisions.";
1315 uses rcs:restconf-server-grouping;
1317 }
1318 }
1319 }
1320 }
1321 }
1323 grouping restconf-server-callhome-stack-grouping {
1324 description
1325 "A reusable grouping for configuring a RESTCONF server
1326 'call-home' protocol stack, for a single connection.";
1327 choice transport {
1328 mandatory true;
1329 description
1330 "Selects between available transports. This is a
1331 'choice' statement so as to support additional
1332 transport options to be augmented in.";
1333 case https {
1334 if-feature "https-call-home";
1335 container https {
1336 description
1337 "Configures RESTCONF server stack assuming that
1338 TLS-termination is handled internally.";
1339 container tcp-client-parameters {
1340 description
1341 "A wrapper around the TCP client parameters
1342 to avoid name collisions.";
1343 uses tcpc:tcp-client-grouping {
1344 refine "remote-port" {
1345 default "4336";
1346 description
1347 "The RESTCONF server will attempt to
1348 connect to the IANA-assigned well-known
1349 port for 'restconf-ch-tls' (4336) if no
1350 value is specified.";
1351 }
1352 }
1353 }
1354 container tls-server-parameters {
1355 description
1356 "A wrapper around the TLS server parameters
1357 to avoid name collisions.";
1358 uses tlss:tls-server-grouping;
1359 }
1360 container http-server-parameters {
1361 description
1362 "A wrapper around the HTTP server parameters
1363 to avoid name collisions.";
1364 uses https:http-server-grouping;
1366 }
1367 container restconf-server-parameters {
1368 description
1369 "A wrapper around the RESTCONF server parameters
1370 to avoid name collisions.";
1371 uses rcs:restconf-server-grouping;
1372 }
1373 }
1374 }
1375 }
1376 }
1378 grouping restconf-server-app-grouping {
1379 description
1380 "A reusable grouping for configuring a RESTCONF server
1381 application that supports both 'listen' and 'call-home'
1382 protocol stacks and for many connections.";
1383 container listen {
1384 if-feature "https-listen";
1385 presence
1386 "Enables the RESTCONF server to listen for RESTCONF
1387 client connections.";
1388 description "Configures listen behavior";
1389 list endpoint {
1390 key "name";
1391 min-elements 1;
1392 description
1393 "List of endpoints to listen for RESTCONF connections.";
1394 leaf name {
1395 type string;
1396 description
1397 "An arbitrary name for the RESTCONF listen endpoint.";
1398 }
1399 uses restconf-server-listen-stack-grouping;
1400 }
1401 }
1402 container call-home {
1403 if-feature "https-call-home";
1404 presence
1405 "Enables the RESTCONF server to initiate the underlying
1406 transport connection to RESTCONF clients.";
1407 description "Configures call-home behavior";
1408 list restconf-client {
1409 key "name";
1410 min-elements 1;
1411 description
1412 "List of RESTCONF clients the RESTCONF server is to
1413 initiate call-home connections to in parallel.";
1414 leaf name {
1415 type string;
1416 description
1417 "An arbitrary name for the remote RESTCONF client.";
1418 }
1419 container endpoints {
1420 description
1421 "Container for the list of endpoints.";
1422 list endpoint {
1423 key "name";
1424 min-elements 1;
1425 ordered-by user;
1426 description
1427 "User-ordered list of endpoints for this RESTCONF
1428 client. Defining more than one enables high-
1429 availability.";
1430 leaf name {
1431 type string;
1432 description
1433 "An arbitrary name for this endpoint.";
1434 }
1435 uses restconf-server-callhome-stack-grouping;
1436 }
1437 }
1438 container connection-type {
1439 description
1440 "Indicates the RESTCONF server's preference for how the
1441 RESTCONF connection is maintained.";
1442 choice connection-type {
1443 mandatory true;
1444 description
1445 "Selects between available connection types.";
1446 case persistent-connection {
1447 container persistent {
1448 presence "Indicates that a persistent connection is
1449 to be maintained.";
1450 description
1451 "Maintain a persistent connection to the RESTCONF
1452 client. If the connection goes down, immediately
1453 start trying to reconnect to the RESTCONF client,
1454 using the reconnection strategy.
1456 This connection type minimizes any RESTCONF
1457 client to RESTCONF server data-transfer delay,
1458 albeit at the expense of holding resources
1459 longer.";
1460 }
1462 }
1463 case periodic-connection {
1464 container periodic {
1465 presence "Indicates that a periodic connection is
1466 to be maintained.";
1467 description
1468 "Periodically connect to the RESTCONF client.
1470 This connection type decreases resource
1471 utilization, albeit with increased delay in
1472 RESTCONF client to RESTCONF server interactions.
1474 The RESTCONF client SHOULD gracefully close
1475 the underlying TLS connection upon completing
1476 planned activities. If the underlying TLS
1477 connection is not closed gracefully, the
1478 RESTCONF server MUST immediately attempt
1479 to reestablish the connection.
1481 In the case that the previous connection is
1482 still active (i.e., the RESTCONF client has not
1483 closed it yet), establishing a new connection
1484 is NOT RECOMMENDED.";
1486 leaf period {
1487 type uint16;
1488 units "minutes";
1489 default "60";
1490 description
1491 "Duration of time between periodic connections.";
1492 }
1493 leaf anchor-time {
1494 type yang:date-and-time {
1495 // constrained to minute-level granularity
1496 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1497 + '(Z|[\+\-]\d{2}:\d{2})';
1498 }
1499 description
1500 "Designates a timestamp before or after which a
1501 series of periodic connections are determined.
1502 The periodic connections occur at whole
1503 multiples of the period from the anchor time. For
1504 example, if the anchor time is 15 minutes past
1505 midnight and the period is 24 hours, then
1506 a periodic connection will occur 15 minutes past
1507 midnight every day.";
1508 }
1509 leaf idle-timeout {
1510 type uint16;
1511 units "seconds";
1512 default 120; // two minutes
1513 description
1514 "Specifies the maximum number of seconds that
1515 the underlying TCP session may remain idle.
1516 A TCP session will be dropped if it is idle
1517 for an interval longer than this number of
1518 seconds. If set to zero, then the server
1519 will never drop a session because it is idle.";
1520 }
1521 }
1522 }
1523 }
1524 }
1525 container reconnect-strategy {
1526 description
1527 "The reconnection strategy directs how a RESTCONF server
1528 reconnects to a RESTCONF client after discovering its
1529 connection to the client has dropped, even if due to a
1530 reboot. The RESTCONF server starts with the specified
1531 endpoint and tries to connect to it max-attempts times
1532 before trying the next endpoint in the list (round
1533 robin).";
1534 leaf start-with {
1535 type enumeration {
1536 enum first-listed {
1537 description
1538 "Indicates that reconnections should start with
1539 the first endpoint listed.";
1540 }
1541 enum last-connected {
1542 description
1543 "Indicates that reconnections should start with
1544 the endpoint last connected to. If no previous
1545 connection has ever been established, then the
1546 first endpoint configured is used. RESTCONF
1547 servers SHOULD be able to remember the last
1548 endpoint connected to across reboots.";
1549 }
1550 enum random-selection {
1551 description
1552 "Indicates that reconnections should start with
1553 a random endpoint.";
1554 }
1555 }
1556 default "first-listed";
1557 description
1558 "Specifies which of the RESTCONF client's endpoints
1559 the RESTCONF server should start with when trying
1560 to connect to the RESTCONF client.";
1561 }
1562 leaf max-attempts {
1563 type uint8 {
1564 range "1..max";
1565 }
1566 default "3";
1567 description
1568 "Specifies the number of times the RESTCONF server tries
1569 to connect to a specific endpoint before moving on to
1570 the next endpoint in the list (round robin).";
1571 }
1572 }
1573 } // restconf-client
1574 } // call-home
1575 } // restconf-server-app-grouping
1577 // Protocol accessible node, for servers that implement this
1578 // module.
1580 container restconf-server {
1581 uses restconf-server-app-grouping;
1582 description
1583 "Top-level container for RESTCONF server configuration.";
1584 }
1586 }
1587
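The call-home behaviour that 'restconf-server-app-grouping' specifies above (periodic connections at whole multiples of 'period' from 'anchor-time', and the 'reconnect-strategy' walk over the user-ordered endpoint list), worked through as an added Python example. This is not code from the draft or from any RESTCONF implementation; the function names and the sample timestamps and endpoint names are this example's own.

```python
"""Added example (not from the draft or any RESTCONF implementation): a
simulation of two call-home behaviours described by the YANG module above.

  * 'periodic' connection type: connections occur at whole multiples of
    'period' (minutes) from 'anchor-time', which may lie in the past or
    the future.
  * 'reconnect-strategy': start with the endpoint chosen by 'start-with',
    try it 'max-attempts' times, then move to the next endpoint in the
    user-ordered list (round robin).

All function names below are this example's own; the only names taken
from the module are the leaf names and enum values they model.
"""
import random
import re
from datetime import datetime, timedelta

# The minute-granularity constraint the module places on 'anchor-time',
# transcribed from its YANG 'pattern' statement into a Python regex.
ANCHOR_TIME_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$')


def parse_date_and_time(text):
    """Parse a yang:date-and-time string into a timezone-aware datetime."""
    if text.endswith('Z'):
        text = text[:-1] + '+00:00'     # older fromisoformat() rejects 'Z'
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError(f'date-and-time lacks a UTC offset: {text!r}')
    return value


def anchor_time_is_valid(text):
    """True if 'text' satisfies the anchor-time pattern (no seconds)."""
    return ANCHOR_TIME_RE.match(text) is not None


def next_periodic_connection(anchor_time, period_minutes, now):
    """First connection time at or after 'now' (a date-and-time string or
    an aware datetime) that is a whole multiple of the period from the
    anchor.  Works whether the anchor is before or after 'now'."""
    if not anchor_time_is_valid(anchor_time):
        raise ValueError(f'anchor-time must be minute-granular: {anchor_time!r}')
    if period_minutes < 1:
        raise ValueError('period must be at least one minute')
    anchor = parse_date_and_time(anchor_time)
    if isinstance(now, str):
        now = parse_date_and_time(now)
    period = timedelta(minutes=period_minutes)
    # Floor-divide the (possibly negative) offset by the period to find the
    # last scheduled instant at or before 'now', then step forward once if
    # that instant has already passed.
    k = (now - anchor) // period
    candidate = anchor + k * period
    if candidate < now:
        candidate += period
    return candidate


def attempt_schedule(endpoints, start_with='first-listed', max_attempts=3,
                     last_connected=None, rng=None):
    """One round-robin pass over 'endpoints' as a list of (name, attempt)
    pairs, in the order the reconnect strategy would try them."""
    if not endpoints:
        raise ValueError('at least one endpoint is required (min-elements 1)')
    if not 1 <= max_attempts <= 255:
        raise ValueError('max-attempts is a uint8 with range 1..max')
    if start_with == 'first-listed':
        start = 0
    elif start_with == 'last-connected':
        # Falls back to the first endpoint if there was never a connection
        # (or the remembered endpoint is no longer configured).
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == 'random-selection':
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f'unknown start-with value: {start_with!r}')
    n = len(endpoints)
    return [(endpoints[(start + i) % n], attempt)
            for i in range(n) for attempt in range(1, max_attempts + 1)]


def reconnect(endpoints, try_connect, start_with='first-listed',
              max_attempts=3, last_connected=None):
    """Walk one pass of the schedule, calling try_connect(name) per attempt;
    return the endpoint that connected, or None when every one failed."""
    for name, _attempt in attempt_schedule(endpoints, start_with,
                                           max_attempts, last_connected):
        if try_connect(name):
            return name
    return None


if __name__ == '__main__':
    # Constructed sample values: anchor 15 minutes past midnight, daily period.
    print(next_periodic_connection('2019-06-07T00:15Z', 24 * 60,
                                   '2019-06-08T10:00:00Z'))
    print(attempt_schedule(['primary', 'backup'], 'last-connected',
                           max_attempts=2, last_connected='backup'))
    print(reconnect(['primary', 'backup'], lambda name: name == 'backup'))
```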
1589 4. Security Considerations
1591 The YANG module defined in this document uses groupings defined in
1592 [I-D.kwatsen-netconf-tcp-client-server],
1593 [I-D.ietf-netconf-tls-client-server], and
1594 [I-D.kwatsen-netconf-http-client-server]. Please see the Security
1595 Considerations section in those documents for concerns related to those
1596 groupings.
1598 The YANG modules defined in this document are designed to be accessed
1599 via YANG based management protocols, such as NETCONF [RFC6241] and
1600 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1601 implement secure transport layers (e.g., SSH, TLS) with mutual
1602 authentication.
1604 The NETCONF access control model (NACM) [RFC8341] provides the means
1605 to restrict access for particular users to a pre-configured subset of
1606 all available protocol operations and content.
1608 There are a number of data nodes defined in the YANG modules that are
1609 writable/creatable/deletable (i.e., config true, which is the
1610 default). Some of these data nodes may be considered sensitive or
1611 vulnerable in some network environments. Write operations (e.g.,
1612 edit-config) to these data nodes without proper protection can have a
1613 negative effect on network operations. These are the subtrees and
1614 data nodes and their sensitivity/vulnerability:
1616 None of the subtrees or data nodes in the modules defined in this
1617 document need to be protected from write operations.
1619 Some of the readable data nodes in the YANG modules may be considered
1620 sensitive or vulnerable in some network environments. It is thus
1621 important to control read access (e.g., via get, get-config, or
1622 notification) to these data nodes. These are the subtrees and data
1623 nodes and their sensitivity/vulnerability:
1625 None of the subtrees or data nodes in the modules defined in this
1626 document need to be protected from read operations.
1628 Some of the RPC operations in the YANG modules may be considered
1629 sensitive or vulnerable in some network environments. It is thus
1630 important to control access to these operations. These are the
1631 operations and their sensitivity/vulnerability:
1633 The modules defined in this document do not define any 'RPC' or
1634 'action' statements.
1636 5. IANA Considerations
1638 5.1. The IETF XML Registry
1640 This document registers two URIs in the "ns" subregistry of the IETF
1641 XML Registry [RFC3688]. Following the format in [RFC3688], the
1642 following registrations are requested:
1644 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1645 Registrant Contact: The NETCONF WG of the IETF.
1646 XML: N/A, the requested URI is an XML namespace.
1648 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1649 Registrant Contact: The NETCONF WG of the IETF.
1650 XML: N/A, the requested URI is an XML namespace.
1652 5.2. The YANG Module Names Registry
1654 This document registers two YANG modules in the YANG Module Names
1655 registry [RFC6020]. Following the format in [RFC6020], the
1656 following registrations are requested:
1658 name: ietf-restconf-client
1659 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1660 prefix: ncc
1661 reference: RFC XXXX
1663 name: ietf-restconf-server
1664 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1665 prefix: ncs
1666 reference: RFC XXXX
1668 6. References
1670 6.1. Normative References
1672 [I-D.ietf-netconf-keystore]
1673 Watsen, K., "YANG Data Model for a Centralized Keystore
1674 Mechanism", draft-ietf-netconf-keystore-09 (work in
1675 progress), April 2019.
1677 [I-D.ietf-netconf-tls-client-server]
1678 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1679 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1680 server-12 (work in progress), April 2019.
1682 [I-D.kwatsen-netconf-http-client-server]
1683 Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1684 Servers", draft-kwatsen-netconf-http-client-server-02
1685 (work in progress), April 2019.
1687 [I-D.kwatsen-netconf-tcp-client-server]
1688 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1689 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1690 server-02 (work in progress), April 2019.
1692 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1693 Requirement Levels", BCP 14, RFC 2119,
1694 DOI 10.17487/RFC2119, March 1997.
1697 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1698 the Network Configuration Protocol (NETCONF)", RFC 6020,
1699 DOI 10.17487/RFC6020, October 2010.
1702 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1703 RFC 6991, DOI 10.17487/RFC6991, July 2013.
1706 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1707 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1708 December 2014.
1710 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1711 RFC 7950, DOI 10.17487/RFC7950, August 2016.
1714 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1715 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
1718 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1719 RFC 8071, DOI 10.17487/RFC8071, February 2017.
1722 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1723 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1724 May 2017.
1726 6.2. Informative References
1728 [I-D.ietf-netconf-trust-anchors]
1729 Watsen, K., "YANG Data Model for Global Trust Anchors",
1730 draft-ietf-netconf-trust-anchors-04 (work in progress),
1731 April 2019.
1733 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1734 DOI 10.17487/RFC3688, January 2004.
1737 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1738 and A. Bierman, Ed., "Network Configuration Protocol
1739 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
1742 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1743 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.
1746 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1747 Access Control Model", STD 91, RFC 8341,
1748 DOI 10.17487/RFC8341, March 2018.
1751 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
1752 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
1755 Appendix A. Expanded Tree Diagrams
1757 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
1759 The following tree diagram [RFC8340] provides an overview of the data
1760 model for the "ietf-restconf-client" module.
1762 This tree diagram shows all the nodes defined in this module,
1763 including those defined by "grouping" statements used by this module.
1765 Please see Section 2.1 for a tree diagram that illustrates what the
1766 module looks like without all the "grouping" statements expanded.
1768 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
1770 module: ietf-restconf-client
1771 +--rw restconf-client
1772 +--rw initiate! {https-initiate}?
1773 | +--rw restconf-server* [name]
1774 | +--rw name string
1775 | +--rw endpoints
1776 | | +--rw endpoint* [name]
1777 | | +--rw name string
1778 | | +--rw (transport)
1779 | | +--:(https) {https-initiate}?
1780 | | +--rw https
1781 | | +--rw tcp-client-parameters
1782 | | | +--rw remote-address inet:host
1783 | | | +--rw remote-port? inet:port-number
1784 | | | +--rw local-address? inet:ip-address
1785 | | | | {local-binding-supported}?
1786 | | | +--rw local-port? inet:port-number
1787 | | | | {local-binding-supported}?
1788 | | | +--rw keepalives!
1789 | | | {keepalives-supported}?
1790 | | | +--rw idle-time uint16
1791 | | | +--rw max-probes uint16
1792 | | | +--rw probe-interval uint16
1793 | | +--rw tls-client-parameters
1794 | | | +--rw client-identity
1795 | | | | +--rw (auth-type)
1796 | | | | +--:(certificate)
1797 | | | | +--rw certificate
1798 | | | | +--rw (local-or-keystore)
1799 | | | | +--:(local)
1800 | | | | | {local-definiti\
1801 \ons-supported}?
1802 | | | | | +--rw local-definition
1803 | | | | | +--rw algorithm
1804 | | | | | | asymmetric\
1805 \-key-algorithm-ref
1806 | | | | | +--rw public-key
1807 | | | | | | binary
1808 | | | | | +--rw private-key
1809 | | | | | | union
1810 | | | | | +--rw cert?
1811 | | | | | | end-entity\
1812 \-cert-cms
1813 | | | | | +---n certificate-\
1814 \expiration
1815 | | | | | | +-- expiration-\
1816 \date
1817 | | | | | | yang:da\
1818 \te-and-time
1819 | | | | | +---x generate-cer\
1820 \tificate-signing-request
1821 | | | | | +---w input
1822 | | | | | | +---w subject
1823 | | | | | | | bina\
1824 \ry
1825 | | | | | | +---w attrib\
1826 \utes?
1827 | | | | | | bina\
1828 \ry
1829 | | | | | +--ro output
1830 | | | | | +--ro certif\
1831 \icate-signing-request
1832 | | | | | bina\
1833 \ry
1834 | | | | +--:(keystore)
1835 | | | | {keystore-suppo\
1836 \rted}?
1837 | | | | +--rw keystore-refere\
1838 \nce?
1839 | | | | ks:asymmetric\
1840 \-key-certificate-ref
1841 | | | +--rw server-authentication
1842 | | | | +--rw ca-certs?
1843 | | | | | ts:certificates-ref
1844 | | | | | {ts:x509-certificates}?
1845 | | | | +--rw server-certs?
1846 | | | | ts:certificates-ref
1847 | | | | {ts:x509-certificates}?
1848 | | | +--rw hello-params
1849 | | | | {tls-client-hello-params-config\
1850 \}?
1851 | | | | +--rw tls-versions
1852 | | | | | +--rw tls-version* identityref
1853 | | | | +--rw cipher-suites
1854 | | | | +--rw cipher-suite* identityref
1855 | | | +--rw keepalives!
1856 | | | {tls-client-keepalives}?
1857 | | | +--rw max-wait? uint16
1858 | | | +--rw max-attempts? uint8
1859 | | +--rw http-client-parameters
1860 | | +--rw protocol-version? enumeration
1861 | | +--rw client-identity
1862 | | | +--rw (auth-type)?
1863 | | | +--:(basic)
1864 | | | | +--rw basic {basic-auth}?
1865 | | | | +--rw user-id? string
1866 | | | | +--rw password? string
1867 | | | +--:(bearer)
1868 | | | | +--rw bearer {bearer-auth}?
1869 | | | | +--rw token? string
1870 | | | +--:(digest)
1871 | | | | +--rw digest {digest-auth}?
1872 | | | | +--rw username? string
1873 | | | | +--rw password? string
1874 | | | +--:(hoba)
1875 | | | | +--rw hoba {hoba-auth}?
1876 | | | +--:(mutual)
1877 | | | | +--rw mutual {mutual-auth}?
1878 | | | +--:(negotiate)
1879 | | | | +--rw negotiate
1880 | | | | {negotiate-auth}?
1881 | | | +--:(oauth)
1882 | | | | +--rw oauth {oauth-auth}?
1883 | | | +--:(scram-sha-1)
1884 | | | | +--rw scram-sha-1
1885 | | | | {scram-sha-1-auth}?
1886 | | | +--:(scram-sha-256)
1887 | | | | +--rw scram-sha-256
1888 | | | | {scram-sha-256-auth}?
1889 | | | +--:(vapid)
1890 | | | +--rw vapid {vapid-auth}?
1891 | | +--rw proxy-server! {proxy-connect}?
1892 | | +--rw tcp-client-parameters
1893 | | | +--rw remote-address inet:host
1894 | | | +--rw remote-port?
1895 | | | | inet:port-number
1896 | | | +--rw local-address?
1897 | | | | inet:ip-address
1898 | | | | {local-binding-supported}?
1899 | | | +--rw local-port?
1900 | | | | inet:port-number
1901 | | | | {local-binding-supported}?
1902 | | | +--rw keepalives!
1903 | | | {keepalives-supported}?
1904 | | | +--rw idle-time uint16
1905 | | | +--rw max-probes uint16
1906 | | | +--rw probe-interval uint16
1907 | | +--rw tls-client-parameters
1908 | | | +--rw client-identity
1909 | | | | +--rw (auth-type)?
1910 | | | | +--:(certificate)
1911 | | | | +--rw certificate
1912 | | | | +--rw (local-or-keyst\
1913 \ore)
1914 | | | | +--:(local)
1915 | | | | | {local-de\
1916 \finitions-supported}?
1917 | | | | | +--rw local-def\
1918 \inition
1919 | | | | | +--rw algori\
1920 \thm
1921 | | | | | | asym\
1922 \metric-key-algorithm-ref
1923 | | | | | +--rw public\
1924 \-key
1925 | | | | | | bina\
1926 \ry
1927 | | | | | +--rw privat\
1928 \e-key
1929 | | | | | | union
1930 | | | | | +--rw cert?
1931 | | | | | | end-\
1932 \entity-cert-cms
1933 | | | | | +---n certif\
1934 \icate-expiration
1935 | | | | | | +-- expir\
1936 \ation-date
1937 | | | | | | y\
1938 \ang:date-and-time
1939 | | | | | +---x genera\
1940 \te-certificate-signing-request
1941 | | | | | +---w inp\
1942 \ut
1943 | | | | | | +---w \
1944 \subject
1945 | | | | | | | \
1946 \ binary
1947 | | | | | | +---w \
1948 \attributes?
1949 | | | | | | \
1950 \ binary
1951 | | | | | +--ro out\
1952 \put
1953 | | | | | +--ro \
1954 \certificate-signing-request
1955 | | | | | \
1956 \ binary
1957 | | | | +--:(keystore)
1958 | | | | {keystore\
1959 \-supported}?
1960 | | | | +--rw keystore-\
1961 \reference?
1962 | | | | ks:asym\
1963 \metric-key-certificate-ref
1964 | | | +--rw server-authentication
1965 | | | | +--rw ca-certs?
1966 | | | | | ts:certificates-ref
1967 | | | | | {ts:x509-certificates}?
1968 | | | | +--rw server-certs?
1969 | | | | ts:certificates-ref
1970 | | | | {ts:x509-certificates}?
1971 | | | +--rw hello-params
1972 | | | | {tls-client-hello-params-\
1973 \config}?
1974 | | | | +--rw tls-versions
1975 | | | | | +--rw tls-version*
1976 | | | | | identityref
1977 | | | | +--rw cipher-suites
1978 | | | | +--rw cipher-suite*
1979 | | | | identityref
1980 | | | +--rw keepalives!
1981 | | | {tls-client-keepalives}?
1982 | | | +--rw max-wait? uint16
1983 | | | +--rw max-attempts? uint8
1984 | | +--rw proxy-client-identity
1985 | | +--rw user-id? string
1986 | | +--rw password? string
1987 | +--rw connection-type
1988 | | +--rw (connection-type)
1989 | | +--:(persistent-connection)
1990 | | | +--rw persistent!
1991 | | +--:(periodic-connection)
1992 | | +--rw periodic!
1993 | | +--rw period? uint16
1994 | | +--rw anchor-time? yang:date-and-time
1995 | | +--rw idle-timeout? uint16
1996 | +--rw reconnect-strategy
1997 | +--rw start-with? enumeration
1998 | +--rw max-attempts? uint8
1999 +--rw listen! {https-listen}?
2000 +--rw idle-timeout? uint16
2001 +--rw endpoint* [name]
2002 +--rw name string
2003 +--rw (transport)
2004 +--:(https) {https-listen}?
2005 +--rw https
2006 +--rw tcp-server-parameters
2007 | +--rw local-address
2008 | | inet:ip-address
2009 | +--rw local-port?
2010 | | inet:port-number
2011 | +--rw keepalives! {keepalives-supported}?
2012 | | +--rw idle-time uint16
2013 | | +--rw max-probes uint16
2014 | | +--rw probe-interval uint16
2015 | +--rw external-endpoint-values!
2016 | {external-endpoints}?
2017 | +--rw address inet:ip-address
2018 | +--rw port? inet:port-number
2019 +--rw tls-client-parameters
2020 | +--rw client-identity
2021 | | +--rw (auth-type)
2022 | | +--:(certificate)
2023 | | +--rw certificate
2024 | | +--rw (local-or-keystore)
2025 | | +--:(local)
2026 | | | {local-definitions-su\
2027 \pported}?
2028 | | | +--rw local-definition
2029 | | | +--rw algorithm
2030 | | | | asymmetric-key-a\
2031 \lgorithm-ref
2032 | | | +--rw public-key
2033 | | | | binary
2034 | | | +--rw private-key
2035 | | | | union
2036 | | | +--rw cert?
2037 | | | | end-entity-cert-\
2038 \cms
2039 | | | +---n certificate-expira\
2040 \tion
2041 | | | | +-- expiration-date
2042 | | | | yang:date-and\
2044 \-time
2045 | | | +---x generate-certifica\
2046 \te-signing-request
2047 | | | +---w input
2048 | | | | +---w subject
2049 | | | | | binary
2050 | | | | +---w attributes?
2051 | | | | binary
2052 | | | +--ro output
2053 | | | +--ro certificate-\
2054 \signing-request
2055 | | | binary
2056 | | +--:(keystore)
2057 | | {keystore-supported}?
2058 | | +--rw keystore-reference?
2059 | | ks:asymmetric-key-c\
2060 \ertificate-ref
2061 | +--rw server-authentication
2062 | | +--rw ca-certs? ts:certificates-ref
2063 | | | {ts:x509-certificates}?
2064 | | +--rw server-certs? ts:certificates-ref
2065 | | {ts:x509-certificates}?
2066 | +--rw hello-params
2067 | | {tls-client-hello-params-config}?
2068 | | +--rw tls-versions
2069 | | | +--rw tls-version* identityref
2070 | | +--rw cipher-suites
2071 | | +--rw cipher-suite* identityref
2072 | +--rw keepalives! {tls-client-keepalives}?
2073 | +--rw max-wait? uint16
2074 | +--rw max-attempts? uint8
2075 +--rw http-client-parameters
2076 +--rw protocol-version? enumeration
2077 +--rw client-identity
2078 | +--rw (auth-type)?
2079 | +--:(basic)
2080 | | +--rw basic {basic-auth}?
2081 | | +--rw user-id? string
2082 | | +--rw password? string
2083 | +--:(bearer)
2084 | | +--rw bearer {bearer-auth}?
2085 | | +--rw token? string
2086 | +--:(digest)
2087 | | +--rw digest {digest-auth}?
2088 | | +--rw username? string
2089 | | +--rw password? string
2090 | +--:(hoba)
2091 | | +--rw hoba {hoba-auth}?
2092 | +--:(mutual)
2093 | | +--rw mutual {mutual-auth}?
2094 | +--:(negotiate)
2095 | | +--rw negotiate {negotiate-auth}?
2096 | +--:(oauth)
2097 | | +--rw oauth {oauth-auth}?
2098 | +--:(scram-sha-1)
2099 | | +--rw scram-sha-1 {scram-sha-1-auth}?
2100 | +--:(scram-sha-256)
2101 | | +--rw scram-sha-256
2102 | | {scram-sha-256-auth}?
2103 | +--:(vapid)
2104 | +--rw vapid {vapid-auth}?
2105 +--rw proxy-server! {proxy-connect}?
2106 +--rw tcp-client-parameters
2107 | +--rw remote-address inet:host
2108 | +--rw remote-port? inet:port-number
2109 | +--rw local-address? inet:ip-address
2110 | | {local-binding-supported}?
2111 | +--rw local-port? inet:port-number
2112 | | {local-binding-supported}?
2113 | +--rw keepalives!
2114 | {keepalives-supported}?
2115 | +--rw idle-time uint16
2116 | +--rw max-probes uint16
2117 | +--rw probe-interval uint16
2118 +--rw tls-client-parameters
2119 | +--rw client-identity
2120 | | +--rw (auth-type)?
2121 | | +--:(certificate)
2122 | | +--rw certificate
2123 | | +--rw (local-or-keystore)
2124 | | +--:(local)
2125 | | | {local-definiti\
2126 \ons-supported}?
2127 | | | +--rw local-definition
2128 | | | +--rw algorithm
2129 | | | | asymmetric\
2130 \-key-algorithm-ref
2131 | | | +--rw public-key
2132 | | | | binary
2133 | | | +--rw private-key
2134 | | | | union
2135 | | | +--rw cert?
2136 | | | | end-entity\
2137 \-cert-cms
2138 | | | +---n certificate-\
2139 \expiration
2140 | | | | +-- expiration-\
2141 \date
2142 | | | | yang:da\
2143 \te-and-time
2144 | | | +---x generate-cer\
2145 \tificate-signing-request
2146 | | | +---w input
2147 | | | | +---w subject
2148 | | | | | bina\
2149 \ry
2150 | | | | +---w attrib\
2151 \utes?
2152 | | | | bina\
2153 \ry
2154 | | | +--ro output
2155 | | | +--ro certif\
2156 \icate-signing-request
2157 | | | bina\
2158 \ry
2159 | | +--:(keystore)
2160 | | {keystore-suppo\
2161 \rted}?
2162 | | +--rw keystore-refere\
2163 \nce?
2164 | | ks:asymmetric\
2165 \-key-certificate-ref
2166 | +--rw server-authentication
2167 | | +--rw ca-certs?
2168 | | | ts:certificates-ref
2169 | | | {ts:x509-certificates}?
2170 | | +--rw server-certs?
2171 | | ts:certificates-ref
2172 | | {ts:x509-certificates}?
2173 | +--rw hello-params
2174 | | {tls-client-hello-params-config\
2175 \}?
2176 | | +--rw tls-versions
2177 | | | +--rw tls-version* identityref
2178 | | +--rw cipher-suites
2179 | | +--rw cipher-suite* identityref
2180 | +--rw keepalives!
2181 | {tls-client-keepalives}?
2182 | +--rw max-wait? uint16
2183 | +--rw max-attempts? uint8
2184 +--rw proxy-client-identity
2185 +--rw user-id? string
2186 +--rw password? string
2188 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
2190 The following tree diagram [RFC8340] provides an overview of the data
2191 model for the "ietf-restconf-server" module.
2193 This tree diagram shows all the nodes defined in this module,
2194 including those defined by "grouping" statements used by this module.
2196 Please see Section 3.1 for a tree diagram that illustrates what the
2197 module looks like without all the "grouping" statements expanded.
2199 =========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
2201 module: ietf-restconf-server
2202 +--rw restconf-server
2203 +--rw listen! {https-listen}?
2204 | +--rw endpoint* [name]
2205 | +--rw name string
2206 | +--rw (transport)
2207 | +--:(http) {http-listen}?
2208 | | +--rw http
2209 | | +--rw tcp-server-parameters
2210 | | | +--rw local-address
2211 | | | | inet:ip-address
2212 | | | +--rw local-port?
2213 | | | | inet:port-number
2214 | | | +--rw keepalives! {keepalives-supported}?
2215 | | | | +--rw idle-time uint16
2216 | | | | +--rw max-probes uint16
2217 | | | | +--rw probe-interval uint16
2218 | | | +--rw external-endpoint-values!
2219 | | | {external-endpoints}?
2220 | | | +--rw address inet:ip-address
2221 | | | +--rw port? inet:port-number
2222 | | +--rw http-server-parameters
2223 | | | +--rw server-name? string
2224 | | | +--rw protocol-versions
2225 | | | | +--rw protocol-version* enumeration
2226 | | | +--rw client-authentication!
2227 | | | +--rw (required-or-optional)
2228 | | | | +--:(required)
2229 | | | | | +--rw required?
2230 | | | | | empty
2231 | | | | +--:(optional)
2232 | | | | +--rw optional?
2233 | | | | empty
2234 | | | +--rw (local-or-external)
2235 | | | +--:(local)
2236 | | | | {local-client-auth-supported}?
2237 | | | | +--rw users
2238 | | | | +--rw user* [name]
2239 | | | | +--rw name string
2240 | | | | +--rw password?
2241 | | | | ianach:crypt-hash
2242 | | | +--:(external)
2243 | | | {external-client-auth-supporte\
2244 d}?
2245 | | | +--rw client-auth-defined-elsewhere?
2246 | | | empty
2247 | | +--rw restconf-server-parameters
2248 | | +--rw client-identification
2249 | | +--rw cert-maps
2250 | | +--rw cert-to-name* [id]
2251 | | +--rw id uint32
2252 | | +--rw fingerprint
2253 | | | x509c2n:tls-fingerprint
2254 | | +--rw map-type identityref
2255 | | +--rw name string
2256 | +--:(https) {https-listen}?
2257 | +--rw https
2258 | +--rw tcp-server-parameters
2259 | | +--rw local-address
2260 | | | inet:ip-address
2261 | | +--rw local-port?
2262 | | | inet:port-number
2263 | | +--rw keepalives! {keepalives-supported}?
2264 | | | +--rw idle-time uint16
2265 | | | +--rw max-probes uint16
2266 | | | +--rw probe-interval uint16
2267 | | +--rw external-endpoint-values!
2268 | | {external-endpoints}?
2269 | | +--rw address inet:ip-address
2270 | | +--rw port? inet:port-number
2271 | +--rw tls-server-parameters
2272 | | +--rw server-identity
2273 | | | +--rw (local-or-keystore)
2274 | | | +--:(local)
2275 | | | | {local-definitions-supported}?
2276 | | | | +--rw local-definition
2277 | | | | +--rw algorithm
2278 | | | | | asymmetric-key-algorithm-\
2279 ref
2280 | | | | +--rw public-key
2281 | | | | | binary
2282 | | | | +--rw private-key
2283 | | | | | union
2284 | | | | +--rw cert?
2285 | | | | | end-entity-cert-cms
2286 | | | | +---n certificate-expiration
2287 | | | | | +-- expiration-date
2288 | | | | | yang:date-and-time
2289 | | | | +---x generate-certificate-signin\
2290 g-request
2291 | | | | +---w input
2292 | | | | | +---w subject binary
2293 | | | | | +---w attributes? binary
2294 | | | | +--ro output
2295 | | | | +--ro certificate-signing-r\
2296 equest
2297 | | | | binary
2298 | | | +--:(keystore) {keystore-supported}?
2299 | | | +--rw keystore-reference?
2300 | | | ks:asymmetric-key-certificat\
2301 e-ref
2302 | | +--rw client-authentication!
2303 | | | +--rw (required-or-optional)
2304 | | | | +--:(required)
2305 | | | | | +--rw required?
2306 | | | | | empty
2307 | | | | +--:(optional)
2308 | | | | +--rw optional?
2309 | | | | empty
2310 | | | +--rw (local-or-external)
2311 | | | +--:(local)
2312 | | | | {local-client-auth-supported}?
2313 | | | | +--rw ca-certs?
2314 | | | | | ts:certificates-ref
2315 | | | | | {ts:x509-certificates}?
2316 | | | | +--rw client-certs?
2317 | | | | ts:certificates-ref
2318 | | | | {ts:x509-certificates}?
2319 | | | +--:(external)
2320 | | | {external-client-auth-supporte\
2321 d}?
2322 | | | +--rw client-auth-defined-elsewhere?
2323 | | | empty
2324 | | +--rw hello-params
2325 | | | {tls-server-hello-params-config}?
2326 | | | +--rw tls-versions
2327 | | | | +--rw tls-version* identityref
2328 | | | +--rw cipher-suites
2329 | | | +--rw cipher-suite* identityref
2330 | | +--rw keepalives! {tls-server-keepalives}?
2331 | | +--rw max-wait? uint16
2332 | | +--rw max-attempts? uint8
2333 | +--rw http-server-parameters
2334 | | +--rw server-name? string
2335 | | +--rw protocol-versions
2336 | | | +--rw protocol-version* enumeration
2337 | | +--rw client-authentication!
2338 | | +--rw (required-or-optional)
2339 | | | +--:(required)
2340 | | | | +--rw required?
2341 | | | | empty
2342 | | | +--:(optional)
2343 | | | +--rw optional?
2344 | | | empty
2345 | | +--rw (local-or-external)
2346 | | +--:(local)
2347 | | | {local-client-auth-supported}?
2348 | | | +--rw users
2349 | | | +--rw user* [name]
2350 | | | +--rw name string
2351 | | | +--rw password?
2352 | | | ianach:crypt-hash
2353 | | +--:(external)
2354 | | {external-client-auth-supporte\
2355 d}?
2356 | | +--rw client-auth-defined-elsewhere?
2357 | | empty
2358 | +--rw restconf-server-parameters
2359 | +--rw client-identification
2360 | +--rw cert-maps
2361 | +--rw cert-to-name* [id]
2362 | +--rw id uint32
2363 | +--rw fingerprint
2364 | | x509c2n:tls-fingerprint
2365 | +--rw map-type identityref
2366 | +--rw name string
2367 +--rw call-home! {https-call-home}?
2368 +--rw restconf-client* [name]
2369 +--rw name string
2370 +--rw endpoints
2371 | +--rw endpoint* [name]
2372 | +--rw name string
2373 | +--rw (transport)
2374 | +--:(https) {https-listen}?
2375 | +--rw https
2376 | +--rw tcp-client-parameters
2377 | | +--rw remote-address inet:host
2378 | | +--rw remote-port? inet:port-number
2379 | | +--rw local-address? inet:ip-address
2380 | | | {local-binding-supported}?
2381 | | +--rw local-port? inet:port-number
2382 | | | {local-binding-supported}?
2383 | | +--rw keepalives!
2384 | | {keepalives-supported}?
2385 | | +--rw idle-time uint16
2386 | | +--rw max-probes uint16
2387 | | +--rw probe-interval uint16
2388 | +--rw tls-server-parameters
2389 | | +--rw server-identity
2390 | | | +--rw (local-or-keystore)
2391 | | | +--:(local)
2392 | | | | {local-definitions-suppo\
2393 rted}?
2394 | | | | +--rw local-definition
2395 | | | | +--rw algorithm
2396 | | | | | asymmetric-key-algo\
2397 rithm-ref
2398 | | | | +--rw public-key
2399 | | | | | binary
2400 | | | | +--rw private-key
2401 | | | | | union
2402 | | | | +--rw cert?
2403 | | | | | end-entity-cert-cms
2404 | | | | +---n certificate-expiration
2405 | | | | | +-- expiration-date
2406 | | | | | yang:date-and-ti\
2407 me
2408 | | | | +---x generate-certificate-\
2409 signing-request
2410 | | | | +---w input
2411 | | | | | +---w subject
2412 | | | | | | binary
2413 | | | | | +---w attributes?
2414 | | | | | binary
2415 | | | | +--ro output
2416 | | | | +--ro certificate-sig\
2417 ning-request
2418 | | | | binary
2419 | | | +--:(keystore)
2420 | | | {keystore-supported}?
2421 | | | +--rw keystore-reference?
2422 | | | ks:asymmetric-key-cert\
2423 ificate-ref
2424 | | +--rw client-authentication!
2425 | | | +--rw (required-or-optional)
2426 | | | | +--:(required)
2427 | | | | | +--rw required?
2428 | | | | | empty
2429 | | | | +--:(optional)
2430 | | | | +--rw optional?
2431 | | | | empty
2432 | | | +--rw (local-or-external)
2433 | | | +--:(local)
2434 | | | | {local-client-auth-suppo\
2435 rted}?
2436 | | | | +--rw ca-certs?
2437 | | | | | ts:certificates-ref
2438 | | | | | {ts:x509-certificates}?
2439 | | | | +--rw client-certs?
2440 | | | | ts:certificates-ref
2441 | | | | {ts:x509-certificates}?
2442 | | | +--:(external)
2443 | | | {external-client-auth-su\
2444 pported}?
2445 | | | +--rw client-auth-defined-else\
2446 where?
2447 | | | empty
2448 | | +--rw hello-params
2449 | | | {tls-server-hello-params-config\
2450 }?
2451 | | | +--rw tls-versions
2452 | | | | +--rw tls-version* identityref
2453 | | | +--rw cipher-suites
2454 | | | +--rw cipher-suite* identityref
2455 | | +--rw keepalives!
2456 | | {tls-server-keepalives}?
2457 | | +--rw max-wait? uint16
2458 | | +--rw max-attempts? uint8
2459 | +--rw http-server-parameters
2460 | | +--rw server-name? string
2461 | | +--rw protocol-versions
2462 | | | +--rw protocol-version* enumeration
2463 | | +--rw client-authentication!
2464 | | +--rw (required-or-optional)
2465 | | | +--:(required)
2466 | | | | +--rw required?
2467 | | | | empty
2468 | | | +--:(optional)
2469 | | | +--rw optional?
2470 | | | empty
2471 | | +--rw (local-or-external)
2472 | | +--:(local)
2473 | | | {local-client-auth-suppo\
2474 rted}?
2475 | | | +--rw users
2476 | | | +--rw user* [name]
2477 | | | +--rw name string
2478 | | | +--rw password?
2479 | | | ianach:crypt-hash
2480 | | +--:(external)
2481 | | {external-client-auth-su\
2482 pported}?
2483 | | +--rw client-auth-defined-else\
2484 where?
2485 | | empty
2486 | +--rw restconf-server-parameters
2487 | +--rw client-identification
2488 | +--rw cert-maps
2489 | +--rw cert-to-name* [id]
2490 | +--rw id uint32
2491 | +--rw fingerprint
2492 | | x509c2n:tls-fingerprint
2493 | +--rw map-type
2494 | | identityref
2495 | +--rw name string
2496 +--rw connection-type
2497 | +--rw (connection-type)
2498 | +--:(persistent-connection)
2499 | | +--rw persistent!
2500 | +--:(periodic-connection)
2501 | +--rw periodic!
2502 | +--rw period? uint16
2503 | +--rw anchor-time? yang:date-and-time
2504 | +--rw idle-timeout? uint16
2505 +--rw reconnect-strategy
2506 +--rw start-with? enumeration
2507 +--rw max-attempts? uint8
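As an added illustration (not part of the draft or its YANG modules), the following Python script builds an RFC 7951 JSON instance of the 'ietf-restconf-server' data shown in the tree above and checks the constraints that the tree diagram encodes: leaves shown without '?' are mandatory, choices such as (local-or-keystore), (required-or-optional), (local-or-external) and (connection-type) need exactly one case, and 'keepalives!' and 'client-authentication!' are presence containers whose absence means the feature is off. The module-qualified top-level key and the [null] encoding of 'empty' leaves follow RFC 7951. The keystore and truststore reference names, the addresses, the port numbers, the fingerprint and the user name are constructed placeholders; the 'x509c2n:specified' map-type is assumed from RFC 7407 and is not a value from this draft. The final "no client authentication at either layer" check is a local hardening policy added here, not a constraint of the model, which permits both presence containers to be absent.

```python
"""Checks 'ietf-restconf-server' instance data against the constraints encoded
in the expanded tree diagram above.  Added example, not code from the draft.
JSON layout follows RFC 7951 (module-qualified top-level key, YANG 'empty'
leaves encoded as [null]); all values below are constructed placeholders."""
from typing import Any, Dict, List, Optional

Node = Dict[str, Any]
EMPTY = [None]  # RFC 7951 encoding of a YANG 'empty' leaf


def _choice(node: Node, cases: Dict[str, List[str]], where: str, errs: List[str]) -> Optional[str]:
    """A choice shown without '?' is mandatory: exactly one case must be present."""
    picked = [c for c, nodes in cases.items() if any(n in node for n in nodes)]
    if len(picked) != 1:
        errs.append(f"{where}: need exactly one of {list(cases)}, found {picked}")
        return None
    return picked[0]


def _required(node: Node, leaves: List[str], where: str, errs: List[str]) -> None:
    """Leaves shown without '?' are mandatory."""
    for leaf in leaves:
        if leaf not in node:
            errs.append(f"{where}: missing mandatory leaf '{leaf}'")


def _check_tcp(tcp: Node, address_leaf: str, where: str, errs: List[str]) -> None:
    _required(tcp, [address_leaf], where, errs)
    if "keepalives" in tcp:  # presence container; its three leaves are mandatory
        _required(tcp["keepalives"], ["idle-time", "max-probes", "probe-interval"], where + "/keepalives", errs)


def _client_auth(parent: Node, local_nodes: List[str], where: str, errs: List[str]) -> bool:
    """'client-authentication!' is a presence container: absent means this layer
    does no client authentication.  Returns True when the container is present."""
    ca = parent.get("client-authentication")
    if ca is None:
        return False
    _choice(ca, {"required": ["required"], "optional": ["optional"]}, where, errs)
    _choice(ca, {"local": local_nodes, "external": ["client-auth-defined-elsewhere"]}, where, errs)
    return True


def _check_stack(stack: Node, tcp_name: str, address_leaf: str, where: str, errs: List[str]) -> None:
    """One https protocol stack (listen or call-home): TCP, TLS, HTTP, RESTCONF layers."""
    _check_tcp(stack.get(tcp_name, {}), address_leaf, f"{where}/{tcp_name}", errs)
    tls = stack.get("tls-server-parameters", {})
    ident = tls.get("server-identity", {})
    if _choice(ident, {"local": ["local-definition"], "keystore": ["keystore-reference"]},
               where + "/server-identity", errs) == "local":
        _required(ident["local-definition"], ["algorithm", "public-key", "private-key"],
                  where + "/server-identity/local-definition", errs)
    tls_auth = _client_auth(tls, ["ca-certs", "client-certs"], where + "/tls-server-parameters", errs)
    http_auth = _client_auth(stack.get("http-server-parameters", {}), ["users"],
                             where + "/http-server-parameters", errs)
    if not (tls_auth or http_auth):  # local hardening policy added here, not a model constraint
        errs.append(f"{where}: no client authentication at the TLS or HTTP layer")
    maps = stack.get("restconf-server-parameters", {}).get("client-identification", {})
    for entry in maps.get("cert-maps", {}).get("cert-to-name", []):  # all four leaves mandatory
        _required(entry, ["id", "fingerprint", "map-type", "name"], f"{where}/cert-to-name", errs)


def validate(config: Node) -> List[str]:
    """Returns the problems found; an empty list means the instance passed."""
    errs: List[str] = []
    top = config.get("ietf-restconf-server:restconf-server")
    if top is None:
        return ["missing top-level 'ietf-restconf-server:restconf-server'"]
    for ep in top.get("listen", {}).get("endpoint", []):
        where = f"listen/endpoint[{ep.get('name')}]"
        _required(ep, ["name"], where, errs)
        # the plain 'http' transport (server behind a TLS terminator) is accepted but not checked
        if _choice(ep, {"http": ["http"], "https": ["https"]}, where, errs) == "https":
            _check_stack(ep["https"], "tcp-server-parameters", "local-address", where, errs)
    for client in top.get("call-home", {}).get("restconf-client", []):
        where = f"call-home/restconf-client[{client.get('name')}]"
        _required(client, ["name"], where, errs)
        for ep in client.get("endpoints", {}).get("endpoint", []):
            epw = f"{where}/endpoint[{ep.get('name')}]"
            if _choice(ep, {"https": ["https"]}, epw, errs) == "https":
                _check_stack(ep["https"], "tcp-client-parameters", "remote-address", epw, errs)
        _choice(client.get("connection-type", {}), {"persistent": ["persistent"], "periodic": ["periodic"]},
                where + "/connection-type", errs)
    return errs


# Constructed instance data: one https listen endpoint plus one call-home client.
_TLS_HTTP_RC = {
    "tls-server-parameters": {
        "server-identity": {"keystore-reference": "rc-server-key"},  # constructed keystore name
        "client-authentication": {"required": EMPTY, "ca-certs": "client-cas"}},  # constructed ref
    "http-server-parameters": {"server-name": "restconf.example.com"},
    "restconf-server-parameters": {"client-identification": {"cert-maps": {"cert-to-name": [
        {"id": 1, "fingerprint": "04:" + ":".join(["ab"] * 32),  # constructed, not a real cert
         "map-type": "x509c2n:specified", "name": "admin"}]}}}}  # identity assumed from RFC 7407
SAMPLE_CONFIG: Node = {"ietf-restconf-server:restconf-server": {
    "listen": {"endpoint": [{
        "name": "https-default",
        "https": {"tcp-server-parameters": {"local-address": "192.0.2.10", "local-port": 443,
                                            "keepalives": {"idle-time": 120, "max-probes": 3,
                                                           "probe-interval": 15}},
                  **_TLS_HTTP_RC}}]},
    "call-home": {"restconf-client": [{
        "name": "nms",
        "endpoints": {"endpoint": [{
            "name": "nms-primary",
            "https": {"tcp-client-parameters": {"remote-address": "nms.example.com",
                                                "remote-port": 4336},  # constructed
                      **_TLS_HTTP_RC}}]},
        "connection-type": {"periodic": {"period": 60}},
        "reconnect-strategy": {"start-with": "random-selection", "max-attempts": 3}}]}}}
```

Running validate(SAMPLE_CONFIG) returns an empty list; removing 'local-address', listing both 'required' and 'optional', or leaving 'connection-type' empty each produces a path-qualified message, which is the kind of check worth running before such configuration is pushed to a device.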
2509 Appendix B. Change Log
2511 B.1. 00 to 01
2513 o Renamed "keychain" to "keystore".
2515 B.2. 01 to 02
2517 o Filled in previously missing 'ietf-restconf-client' module.
2519 o Updated the ietf-restconf-server module to accommodate new
2520 grouping 'ietf-tls-server-grouping'.
2522 B.3. 02 to 03
2524 o Refined use of tls-client-grouping to add a must statement
2525 indicating that the TLS client must specify a client-certificate.
2527 o Changed restconf-client??? to be a grouping (not a container).
2529 B.4. 03 to 04
2531 o Added RFC 8174 to Requirements Language Section.
2533 o Replaced refine statement in ietf-restconf-client to add a
2534 mandatory true.
2536 o Added refine statement in ietf-restconf-server to add a must
2537 statement.
2539 o Now there are containers and groupings, for both the client and
2540 server models.
2542 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
2544 o Updated examples to inline key and certificates (no longer a
2545 leafref to keystore)
2547 B.5. 04 to 05
2549 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
2551 o Updated examples to inline key and certificates (no longer a
2552 leafref to keystore)
2554 B.6. 05 to 06
2556 o Fixed change log missing section issue.
2558 o Updated examples to match latest updates to the crypto-types,
2559 trust-anchors, and keystore drafts.
2561 o Reduced line length of the YANG modules to fit within 69 columns.
2563 B.7. 06 to 07
2565 o Removed "idle-timeout" from "persistent" connection config.
2567 o Added "random-selection" for reconnection-strategy's "starts-with"
2568 enum.
2570 o Replaced "connection-type" choice default (persistent) with
2571 "mandatory true".
2573 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
2574 minutes.
2576 o Replaced reconnect-timeout with period/anchor-time combo.
2578 B.8. 07 to 08
2580 o Modified examples to be compatible with new crypto-types algs
2582 B.9. 08 to 09
2584 o Corrected use of "mandatory true" for "address" leafs.
2586 o Updated examples to reflect update to groupings defined in the
2587 keystore draft.
2589 o Updated to use groupings defined in new TCP and HTTP drafts.
2591 o Updated copyright date, boilerplate template, affiliation, and
2592 folding algorithm.
2594 B.10. 09 to 10
2596 o Reformatted YANG modules.
2598 B.11. 10 to 11
2600 o Adjusted for the top-level "demux container" added to groupings
2601 imported from other modules.
2603 o Added "must" expressions to ensure that keepalives are not
2604 configured for "periodic" connections.
2606 o Updated the boilerplate text in module-level "description"
2607 statement to match copyeditor convention.
2609 o Moved "expanded" tree diagrams to the Appendix.
2611 B.12. 11 to 12
2613 o Removed the 'must' statement limiting keepalives in periodic
2614 connections.
2616 o Updated models and examples to reflect removal of the "demux"
2617 containers in the imported models.
2619 o Updated the "periodic-connection" description statements to
2620 better describe behavior when connections are not closed
2621 gracefully.
2623 o Updated text to better reference where certain examples come from
2624 (e.g., which Section in which draft).
2626 o In the server model, commented out the "must 'pinned-ca-certs or
2627 pinned-client-certs'" statement to reflect change made in the TLS
2628 draft whereby the trust anchors MAY be defined externally.
2630 o Replaced the 'listen', 'initiate', and 'call-home' features with
2631 boolean expressions.
2633 B.13. 12 to 13
2635 o Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
2636 anchors/truststore/g + s/pinned.//)
2638 o In ietf-restconf-server, added 'http-listen' (not https-listen)
2639 choice, to support case when server is behind a TLS-terminator.
2641 o Refactored server module to be more like other 'server' models.
2642 If folks like it, will also apply to the client model, as well as
2643 to both the netconf client/server models. Now the 'restconf-
2644 server-grouping' is just the RC-specific bits (i.e., the "demux"
2645 container minus the container), 'restconf-server-
2646 [listen|callhome]-stack-grouping' is the protocol stack for a
2647 single connection, and 'restconf-server-app-grouping' is
2648 effectively what was before (both listen+callhome for many
2649 inbound/outbound endpoints).
2651 Acknowledgements
2653 The authors would like to thank the following for lively discussions
2654 on list and in the halls (ordered by last name): Andy Bierman, Martin
2655 Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs
2656 Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci,
2657 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert
2658 Wijnen.
2660 Author's Address
2662 Kent Watsen
2663 Watsen Networks
2665 EMail: kent+ietf@watsen.net