idnits 2.17.1
draft-ietf-netconf-restconf-client-server-15.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 897 has weird spacing: '...address ine...'
== Line 1902 has weird spacing: '...address ine...'
== Line 1912 has weird spacing: '...nterval uin...'
== Line 2042 has weird spacing: '...assword str...'
== Line 2045 has weird spacing: '...address ine...'
== (15 more instances...)
-- The document date (October 18, 2019) is 1644 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-12
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-14
== Outdated reference: A later version (-05) exists of
draft-kwatsen-netconf-http-client-server-03
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-05
Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track October 18, 2019
5 Expires: April 20, 2020
7 RESTCONF Client and Server Models
8 draft-ietf-netconf-restconf-client-server-15
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 RESTCONF client and the other module to configure a RESTCONF server.
14 Both modules support the TLS transport protocol with both standard
15 RESTCONF and RESTCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section and in body text throughout.
26 Please update the following references to reflect their final RFC
27 assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-tls-client-server
35 o I-D.ietf-netconf-http-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "BBBB" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
46 server
48 o "CCCC" --> the assigned RFC value for I-D.ietf-netconf-http-
49 client-server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-10-18" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on April 20, 2020.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction
95 1.1. Terminology
96 2. The RESTCONF Client Model
97 2.1. Tree Diagram
98 2.2. Example Usage
99 2.3. YANG Module
100 3. The RESTCONF Server Model
101 3.1. Tree Diagram
102 3.2. Example Usage
103 3.3. YANG Module
104 4. Security Considerations
105 5. IANA Considerations
106 5.1. The IETF XML Registry
107 5.2. The YANG Module Names Registry
108 6. References
109 6.1. Normative References
110 6.2. Informative References
111 Appendix A. Expanded Tree Diagrams
112 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
113 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
114 Appendix B. Change Log
115 B.1. 00 to 01
116 B.2. 01 to 02
117 B.3. 02 to 03
118 B.4. 03 to 04
119 B.5. 04 to 05
120 B.6. 05 to 06
121 B.7. 06 to 07
122 B.8. 07 to 08
123 B.9. 08 to 09
124 B.10. 09 to 10
125 B.11. 10 to 11
126 B.12. 11 to 12
127 B.13. 12 to 13
128 B.14. 13 to 14
129 B.15. 14 to 15
130 Acknowledgements
131 Author's Address
133 1. Introduction
135 This document defines two YANG [RFC7950] modules, one module to
136 configure a RESTCONF client and the other module to configure a
137 RESTCONF server [RFC8040]. Both modules support the TLS [RFC8446]
138 transport protocol with both standard RESTCONF and RESTCONF Call Home
139 connections [RFC8071].
141 1.1. Terminology
143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
145 "OPTIONAL" in this document are to be interpreted as described in BCP
146 14 [RFC2119] [RFC8174] when, and only when, they appear in all
147 capitals, as shown here.
149 2. The RESTCONF Client Model
151 The RESTCONF client model presented in this section supports both
152 clients initiating connections to servers and clients listening for
153 connections from servers calling home.
155 YANG feature statements are used to enable implementations to
156 advertise which potentially uncommon parts of the model the RESTCONF
157 client supports.
159 2.1. Tree Diagram
161 The following tree diagram [RFC8340] provides an overview of the data
162 model for the "ietf-restconf-client" module.
164 This tree diagram only shows the nodes defined in this module; it
165 does not show the nodes defined by "grouping" statements used by
166 this module.
168 Please see Appendix A.1 for a tree diagram that illustrates what the
169 module looks like with all the "grouping" statements expanded.
171 module: ietf-restconf-client
172 +--rw restconf-client
173 +---u restconf-client-app-grouping
175 grouping restconf-client-grouping
176 grouping restconf-client-initiate-stack-grouping
177 +-- (transport)
178 +--:(https) {https-initiate}?
179 +-- https
180 +-- tcp-client-parameters
181 | +---u tcpc:tcp-client-grouping
182 +-- tls-client-parameters
183 | +---u tlsc:tls-client-grouping
184 +-- http-client-parameters
185 | +---u httpc:http-client-grouping
186 +-- restconf-client-parameters
187 grouping restconf-client-listen-stack-grouping
188 +-- (transport)
189 +--:(http) {http-listen}?
190 | +-- FIXME
191 +--:(https) {https-listen}?
192 +-- https
193 +-- tcp-server-parameters
194 | +---u tcps:tcp-server-grouping
195 +-- tls-client-parameters
196 | +---u tlsc:tls-client-grouping
197 +-- http-client-parameters
198 | +---u httpc:http-client-grouping
199 +-- restconf-client-parameters
200 grouping restconf-client-app-grouping
201 +-- initiate! {https-initiate}?
202 | +-- restconf-server* [name]
203 | +-- name? string
204 | +-- endpoints
205 | | +-- endpoint* [name]
206 | | +-- name? string
207 | | +---u restconf-client-initiate-stack-grouping
208 | +-- connection-type
209 | | +-- (connection-type)
210 | | +--:(persistent-connection)
211 | | | +-- persistent!
212 | | +--:(periodic-connection)
213 | | +-- periodic!
214 | | +-- period? uint16
215 | | +-- anchor-time? yang:date-and-time
216 | | +-- idle-timeout? uint16
217 | +-- reconnect-strategy
218 | +-- start-with? enumeration
219 | +-- max-attempts? uint8
220 +-- listen! {http-listen or https-listen}?
221 +-- idle-timeout? uint16
222 +-- endpoint* [name]
223 +-- name? string
224 +---u restconf-client-listen-stack-grouping
226 2.2. Example Usage
228 The following example illustrates configuring a RESTCONF client to
229 initiate connections, as well as to listen for call-home connections.
231 This example is consistent with the examples presented in Section 2
232 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
233 [I-D.ietf-netconf-keystore].
235 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
[Instance XML for this example: the element markup was lost in extraction and only the leaf values survive, listed here in their original order.
Initiate: corp-fw1; corp-fw1.example.com; corp-fw1.example.com; 15; 3; 30; rsa2048; base64encodedvalue== (three times); explicitly-trusted-server-ca-certs; explicitly-trusted-server-certs; 30; 3; HTTP/1.1; bob; secret; then a second server with corp-fw2.example.com; corp-fw2.example.com; 15; 3; 30; rsa2048; base64encodedvalue== (three times); explicitly-trusted-server-ca-certs; explicitly-trusted-server-certs; 30; 3; HTTP/1.1; bob; secret.
Listen: Intranet-facing listener; 11.22.33.44; rsa2048; base64encodedvalue== (three times); explicitly-trusted-server-ca-certs; explicitly-trusted-server-certs; HTTP/1.1; bob; secret.]
387 2.3. YANG Module
389 This YANG module has normative references to [RFC6991], [RFC8040],
390 [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
391 [I-D.ietf-netconf-tls-client-server], and
392 [I-D.kwatsen-netconf-http-client-server].
394 <CODE BEGINS> file "ietf-restconf-client@2019-10-18.yang"
396 module ietf-restconf-client {
397 yang-version 1.1;
398 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
399 prefix rcc;
401 import ietf-yang-types {
402 prefix yang;
403 reference
404 "RFC 6991: Common YANG Data Types";
405 }
407 import ietf-tcp-client {
408 prefix tcpc;
409 reference
410 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
411 }
413 import ietf-tcp-server {
414 prefix tcps;
415 reference
416 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
417 }
419 import ietf-tls-client {
420 prefix tlsc;
421 reference
422 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
423 }
425 import ietf-http-client {
426 prefix httpc;
427 reference
428 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
429 }
430 organization
431 "IETF NETCONF (Network Configuration) Working Group";
433 contact
434 "WG Web:
435 WG List:
436 Author: Kent Watsen
437 Author: Gary Wu ";
439 description
440 "This module contains a collection of YANG definitions
441 for configuring RESTCONF clients.
443 Copyright (c) 2019 IETF Trust and the persons identified
444 as authors of the code. All rights reserved.
446 Redistribution and use in source and binary forms, with
447 or without modification, is permitted pursuant to, and
448 subject to the license terms contained in, the Simplified
449 BSD License set forth in Section 4.c of the IETF Trust's
450 Legal Provisions Relating to IETF Documents
451 (https://trustee.ietf.org/license-info).
453 This version of this YANG module is part of RFC XXXX
454 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
455 itself for full legal notices.
457 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
458 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
459 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
460 are to be interpreted as described in BCP 14 (RFC 2119)
461 (RFC 8174) when, and only when, they appear in all
462 capitals, as shown here.";
464 revision 2019-10-18 {
465 description
466 "Initial version";
467 reference
468 "RFC XXXX: RESTCONF Client and Server Models";
469 }
471 // Features
473 feature https-initiate {
474 description
475 "The 'https-initiate' feature indicates that the RESTCONF
476 client supports initiating HTTPS connections to RESTCONF
477 servers. This feature exists as HTTPS might not be a
478 mandatory to implement transport in the future.";
479 reference
480 "RFC 8040: RESTCONF Protocol";
481 }
483 feature http-listen {
484 description
485 "The 'http-listen' feature indicates that the RESTCONF client
486 supports opening a port to listen for incoming RESTCONF
487 server call-home connections. This feature exists as not
488 all RESTCONF clients may support RESTCONF call home.";
489 reference
490 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
491 }
493 feature https-listen {
494 description
495 "The 'https-listen' feature indicates that the RESTCONF client
496 supports opening a port to listen for incoming RESTCONF
497 server call-home connections. This feature exists as not
498 all RESTCONF clients may support RESTCONF call home.";
499 reference
500 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
501 }
503 // Groupings
505 grouping restconf-client-grouping {
506 description
507 "A reusable grouping for configuring a RESTCONF client
508 without any consideration for how underlying transport
509 sessions are established.
511 This grouping currently doesn't define any nodes.";
512 }
514 grouping restconf-client-initiate-stack-grouping {
515 description
516 "A reusable grouping for configuring a RESTCONF client
517 'initiate' protocol stack for a single connection.";
519 choice transport {
520 mandatory true;
521 description
522 "Selects between available transports. This is a
523 'choice' statement so as to support additional
524 transport options to be augmented in.";
525 case https {
526 if-feature "https-initiate";
527 container https {
528 description
529 "Specifies HTTPS-specific transport
530 configuration.";
531 container tcp-client-parameters {
532 description
533 "A wrapper around the TCP client parameters
534 to avoid name collisions.";
535 uses tcpc:tcp-client-grouping {
536 refine "remote-port" {
537 default "443";
538 description
539 "The RESTCONF client will attempt to
540 connect to the IANA-assigned well-known
541 port value for 'https' (443) if no value
542 is specified.";
543 }
544 }
545 }
546 container tls-client-parameters {
547 must "client-identity" {
548 description
549 "RESTCONF/TLS clients MUST pass some
550 authentication credentials.";
551 }
552 description
553 "A wrapper around the TLS client parameters
554 to avoid name collisions.";
555 uses tlsc:tls-client-grouping;
556 }
557 container http-client-parameters {
558 description
559 "A wrapper around the HTTP client parameters
560 to avoid name collisions.";
561 uses httpc:http-client-grouping;
562 }
563 container restconf-client-parameters {
564 description
565 "A wrapper around the RESTCONF client parameters
566 to avoid name collisions.";
567 uses rcc:restconf-client-grouping;
568 }
569 }
570 }
571 }
572 } // restconf-client-initiate-stack-grouping
573 grouping restconf-client-listen-stack-grouping {
574 description
575 "A reusable grouping for configuring a RESTCONF client
576 'listen' protocol stack for a single connection.";
577 choice transport {
578 mandatory true;
579 description
580 "Selects between available transports. This is a
581 'choice' statement so as to support additional
582 transport options to be augmented in.";
583 case http {
584 if-feature "http-listen";
585 container FIXME {
586 description "FIXME";
587 }
588 }
589 case https {
590 if-feature "https-listen";
591 container https {
592 description
593 "HTTPS-specific listening configuration for inbound
594 connections.";
595 container tcp-server-parameters {
596 description
597 "A wrapper around the TCP server parameters
598 to avoid name collisions.";
599 uses tcps:tcp-server-grouping {
600 refine "local-port" {
601 default "4336";
602 description
603 "The RESTCONF client will listen on the IANA-
604 assigned well-known port for 'restconf-ch-tls'
605 (4336) if no value is specified.";
606 }
607 }
608 }
609 container tls-client-parameters {
610 must "client-identity" {
611 description
612 "RESTCONF/TLS clients MUST pass some
613 authentication credentials.";
614 }
615 description
616 "A wrapper around the TLS client parameters
617 to avoid name collisions.";
618 uses tlsc:tls-client-grouping;
619 }
620 container http-client-parameters {
621 description
622 "A wrapper around the HTTP client parameters
623 to avoid name collisions.";
624 uses httpc:http-client-grouping;
625 }
626 container restconf-client-parameters {
627 description
628 "A wrapper around the RESTCONF client parameters
629 to avoid name collisions.";
630 uses rcc:restconf-client-grouping;
631 }
632 }
633 }
634 }
635 } // restconf-client-listen-stack-grouping
637 grouping restconf-client-app-grouping {
638 description
639 "A reusable grouping for configuring a RESTCONF client
640 application that supports both 'initiate' and 'listen'
641 protocol stacks for a multiplicity of connections.";
642 container initiate {
643 if-feature "https-initiate";
644 presence "Enables client to initiate TCP connections";
645 description
646 "Configures client initiating underlying TCP connections.";
647 list restconf-server {
648 key "name";
649 min-elements 1;
650 description
651 "List of RESTCONF servers the RESTCONF client is to
652 maintain simultaneous connections with.";
653 leaf name {
654 type string;
655 description
656 "An arbitrary name for the RESTCONF server.";
657 }
658 container endpoints {
659 description
660 "Container for the list of endpoints.";
661 list endpoint {
662 key "name";
663 min-elements 1;
664 ordered-by user;
665 description
666 "A non-empty user-ordered list of endpoints for this
667 RESTCONF client to try to connect to in sequence.
668 Defining more than one enables high-availability.";
670 leaf name {
671 type string;
672 description
673 "An arbitrary name for this endpoint.";
674 }
675 uses restconf-client-initiate-stack-grouping;
676 }
677 }
678 container connection-type {
679 description
680 "Indicates the RESTCONF client's preference for how
681 the RESTCONF connection is maintained.";
682 choice connection-type {
683 mandatory true;
684 description
685 "Selects between available connection types.";
686 case persistent-connection {
687 container persistent {
688 presence "Indicates that a persistent connection
689 is to be maintained.";
690 description
691 "Maintain a persistent connection to the
692 RESTCONF server. If the connection goes down,
693 immediately start trying to reconnect to the
694 RESTCONF server, using the reconnection strategy.
696 This connection type minimizes any RESTCONF server
697 to RESTCONF client data-transfer delay, albeit
698 at the expense of holding resources longer.";
699 }
700 }
701 case periodic-connection {
702 container periodic {
703 presence "Indicates that a periodic connection is
704 to be maintained.";
705 description
706 "Periodically connect to the RESTCONF server.
708 This connection type increases resource
709 utilization, albeit with increased delay
710 in RESTCONF server to RESTCONF client
711 interactions.
713 The RESTCONF client SHOULD gracefully close
714 the underlying TLS connection upon completing
715 planned activities.
717 In the case that the previous connection is
718 still active, establishing a new connection
719 is NOT RECOMMENDED.";
721 leaf period {
722 type uint16;
723 units "minutes";
724 default "60";
725 description
726 "Duration of time between periodic
727 connections.";
728 }
729 leaf anchor-time {
730 type yang:date-and-time {
731 // constrained to minute-level granularity
732 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
733 + '(Z|[\+\-]\d{2}:\d{2})';
734 }
735 description
736 "Designates a timestamp before or after which
737 a series of periodic connections are
738 determined. The periodic connections occur
739 at a whole multiple interval from the anchor
740 time. For example, if the anchor time is 15
741 minutes past midnight and the period is
742 24 hours, then a periodic connection will
743 occur 15 minutes past midnight every day.";
744 }
745 leaf idle-timeout {
746 type uint16;
747 units "seconds";
748 default 120; // two minutes
749 description
750 "Specifies the maximum number of seconds
751 that the underlying TCP session may remain
752 idle. A TCP session will be dropped if it
753 is idle for an interval longer than this
754 number of seconds. If set to zero, then the
755 RESTCONF client will never drop a session
756 because it is idle.";
757 }
758 }
759 } // periodic-connection
760 } // connection-type
761 } // connection-type
762 container reconnect-strategy {
763 description
764 "The reconnection strategy directs how a RESTCONF
765 client reconnects to a RESTCONF server, after
766 discovering its connection to the server has
767 dropped, even if due to a reboot. The RESTCONF
768 client starts with the specified endpoint and
769 tries to connect to it max-attempts times before
770 trying the next endpoint in the list (round
771 robin).";
772 leaf start-with {
773 type enumeration {
774 enum first-listed {
775 description
776 "Indicates that reconnections should start
777 with the first endpoint listed.";
778 }
779 enum last-connected {
780 description
781 "Indicates that reconnections should start
782 with the endpoint last connected to. If
783 no previous connection has ever been
784 established, then the first endpoint
785 configured is used. RESTCONF clients
786 SHOULD be able to remember the last
787 endpoint connected to across reboots.";
788 }
789 enum random-selection {
790 description
791 "Indicates that reconnections should start with
792 a random endpoint.";
793 }
794 }
795 default "first-listed";
796 description
797 "Specifies which of the RESTCONF server's
798 endpoints the RESTCONF client should start
799 with when trying to connect to the RESTCONF
800 server.";
801 }
802 leaf max-attempts {
803 type uint8 {
804 range "1..max";
805 }
806 default "3";
807 description
808 "Specifies the number of times the RESTCONF client
809 tries to connect to a specific endpoint before
810 moving on to the next endpoint in the list
811 (round robin).";
812 }
813 }
815 }
816 } // initiate
817 container listen {
818 if-feature "http-listen or https-listen";
819 presence "Enables client to accept call-home connections";
820 description
821 "Configures client accepting call-home TCP connections.";
822 leaf idle-timeout {
823 type uint16;
824 units "seconds";
825 default 3600; // one hour
826 description
827 "Specifies the maximum number of seconds that an
828 underlying TCP session may remain idle. A TCP session
829 will be dropped if it is idle for an interval longer
830 than this number of seconds. If set to zero, then
831 the server will never drop a session because it is
832 idle. Sessions that have a notification subscription
833 active are never dropped.";
834 }
835 list endpoint {
836 key "name";
837 min-elements 1;
838 description
839 "List of endpoints to listen for RESTCONF connections.";
840 leaf name {
841 type string;
842 description
843 "An arbitrary name for the RESTCONF listen endpoint.";
844 }
845 uses restconf-client-listen-stack-grouping;
846 }
847 }
848 } // restconf-client-app-grouping
850 // Protocol accessible node, for servers that implement this
851 // module.
853 container restconf-client {
854 uses restconf-client-app-grouping;
855 description
856 "Top-level container for RESTCONF client configuration.";
857 }
858 }
860 <CODE ENDS>
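The 'connection-type' and 'reconnect-strategy' descriptions in the module above define a small but exact policy: periodic connections fall on whole multiples of 'period' from 'anchor-time' (whose pattern is minute-granular), reconnection starts at the endpoint chosen by 'start-with' and tries each endpoint 'max-attempts' times round robin, and an 'idle-timeout' of zero means never drop; the server's call-home grouping in Section 3.1 carries the same nodes. The following Python is an added illustration of those rules, not code from the draft or from any RESTCONF implementation; the function and class names and the 'try_connect' callback are hypothetical, and the endpoint names are taken from the Section 2.2 example.

```python
"""Added illustration of the ietf-restconf-client connection policy:
'connection-type' (periodic schedule), 'reconnect-strategy' (start-with,
max-attempts, round robin) and 'idle-timeout'. All names are hypothetical."""
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Pattern copied from the 'anchor-time' leaf: minute-level granularity with
# either 'Z' or a numeric UTC offset (so a value with seconds is rejected).
ANCHOR_TIME_RE = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$')

# Values of the 'start-with' enumeration in 'reconnect-strategy'.
START_WITH_ENUM = ('first-listed', 'last-connected', 'random-selection')


def is_valid_anchor_time(text: str) -> bool:
    """True if 'text' satisfies the anchor-time leaf's pattern."""
    return ANCHOR_TIME_RE.match(text) is not None


def parse_anchor_time(text: str) -> datetime:
    """Parse an anchor-time value into a timezone-aware datetime."""
    if not is_valid_anchor_time(text):
        raise ValueError(f"anchor-time {text!r} does not match the leaf pattern")
    if text.endswith('Z'):
        text = text[:-1] + '+00:00'
    return datetime.strptime(text, '%Y-%m-%dT%H:%M%z')


def next_periodic_connection(now: datetime, anchor_time: datetime,
                             period_minutes: int) -> datetime:
    """First whole multiple of 'period' (minutes) from the anchor time that is
    not before 'now'. The anchor may lie before or after 'now'."""
    if period_minutes < 1:
        raise ValueError("period must be at least one minute")
    period = timedelta(minutes=period_minutes)
    if now <= anchor_time:
        return anchor_time
    elapsed = now - anchor_time
    intervals = -(-elapsed // period)  # ceiling division on timedeltas
    return anchor_time + intervals * period


def idle_session_expired(idle_seconds: float, idle_timeout: int) -> bool:
    """'idle-timeout' semantics: zero means never drop a session for being
    idle; otherwise drop once idle for longer than the configured seconds."""
    return idle_timeout != 0 and idle_seconds > idle_timeout


@dataclass
class ReconnectStrategy:
    """The 'reconnect-strategy' container applied to the user-ordered
    'endpoint' names configured for one RESTCONF server."""
    endpoints: List[str]
    start_with: str = 'first-listed'      # default of the 'start-with' leaf
    max_attempts: int = 3                 # default of the 'max-attempts' leaf
    last_connected: Optional[str] = None  # SHOULD be remembered across reboots

    def __post_init__(self) -> None:
        if not self.endpoints:
            raise ValueError("the endpoint list has min-elements 1")
        if not 1 <= self.max_attempts <= 255:
            raise ValueError("max-attempts is a uint8 with range 1..max")
        if self.start_with not in START_WITH_ENUM:
            raise ValueError(f"unknown start-with value {self.start_with!r}")

    def starting_index(self, rng=random) -> int:
        """Index of the endpoint a reconnection begins with."""
        if self.start_with == 'last-connected' and self.last_connected in self.endpoints:
            return self.endpoints.index(self.last_connected)
        if self.start_with == 'random-selection':
            return rng.randrange(len(self.endpoints))
        # 'first-listed', or 'last-connected' with no previous connection.
        return 0

    def attempt_sequence(self, rng=random) -> List[str]:
        """One round-robin pass: starting at the chosen endpoint, each endpoint
        is tried max-attempts times before moving on to the next one."""
        n = len(self.endpoints)
        start = self.starting_index(rng)
        order = [self.endpoints[(start + i) % n] for i in range(n)]
        return [name for name in order for _ in range(self.max_attempts)]

    def reconnect(self, try_connect: Callable[[str], bool],
                  rng=random) -> Optional[str]:
        """Run one pass; 'try_connect(name)' is the caller's (hypothetical)
        connect attempt. A success is recorded as last-connected; None means
        the whole pass failed (the module does not say what happens next)."""
        for name in self.attempt_sequence(rng):
            if try_connect(name):
                self.last_connected = name
                return name
        return None
```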
862 3. The RESTCONF Server Model
864 The RESTCONF server model presented in this section supports both
865 listening for connections and initiating call-home connections.
868 YANG feature statements are used to enable implementations to
869 advertise which potentially uncommon parts of the model the RESTCONF
870 server supports.
872 3.1. Tree Diagram
874 The following tree diagram [RFC8340] provides an overview of the data
875 model for the "ietf-restconf-server" module.
877 This tree diagram only shows the nodes defined in this module; it
878 does not show the nodes defined by "grouping" statements used by
879 this module.
881 Please see Appendix A.2 for a tree diagram that illustrates what the
882 module looks like with all the "grouping" statements expanded.
884 module: ietf-restconf-server
885 +--rw restconf-server
886 +---u restconf-server-app-grouping
888 grouping restconf-server-grouping
889 +-- client-identification
890 +-- cert-maps
891 +---u x509c2n:cert-to-name
892 grouping restconf-server-listen-stack-grouping
893 +-- (transport)
894 +--:(http) {http-listen}?
895 | +-- http
896 | +-- external-endpoint!
897 | | +-- address inet:ip-address
898 | | +-- port? inet:port-number
899 | +-- tcp-server-parameters
900 | | +---u tcps:tcp-server-grouping
901 | +-- http-server-parameters
902 | | +---u https:http-server-grouping
903 | +-- restconf-server-parameters
904 | +---u rcs:restconf-server-grouping
905 +--:(https) {https-listen}?
906 +-- https
907 +-- tcp-server-parameters
908 | +---u tcps:tcp-server-grouping
909 +-- tls-server-parameters
910 | +---u tlss:tls-server-grouping
911 +-- http-server-parameters
912 | +---u https:http-server-grouping
913 +-- restconf-server-parameters
914 +---u rcs:restconf-server-grouping
915 grouping restconf-server-callhome-stack-grouping
916 +-- (transport)
917 +--:(https) {https-listen}?
918 +-- https
919 +-- tcp-client-parameters
920 | +---u tcpc:tcp-client-grouping
921 +-- tls-server-parameters
922 | +---u tlss:tls-server-grouping
923 +-- http-server-parameters
924 | +---u https:http-server-grouping
925 +-- restconf-server-parameters
926 +---u rcs:restconf-server-grouping
927 grouping restconf-server-app-grouping
928 +-- listen! {http-listen or https-listen}?
929 | +-- endpoint* [name]
930 | +-- name? string
931 | +---u restconf-server-listen-stack-grouping
932 +-- call-home! {https-call-home}?
933 +-- restconf-client* [name]
934 +-- name? string
935 +-- endpoints
936 | +-- endpoint* [name]
937 | +-- name? string
938 | +---u restconf-server-callhome-stack-grouping
939 +-- connection-type
940 | +-- (connection-type)
941 | +--:(persistent-connection)
942 | | +-- persistent!
943 | +--:(periodic-connection)
944 | +-- periodic!
945 | +-- period? uint16
946 | +-- anchor-time? yang:date-and-time
947 | +-- idle-timeout? uint16
948 +-- reconnect-strategy
949 +-- start-with? enumeration
950 +-- max-attempts? uint8
952 3.2. Example Usage
954 The following example illustrates configuring a RESTCONF server to
955 listen for RESTCONF client connections, as well as configuring call-
956 home to one RESTCONF client.
958 This example is consistent with the examples presented in Section 2
959 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
960 [I-D.ietf-netconf-keystore].
962 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
[Instance XML for this example: the element markup was lost in extraction and only the leaf values survive, listed here in their original order.
Listen: netconf/tls; 11.22.33.44; rsa2048; base64encodedvalue== (three times); explicitly-trusted-client-ca-certs; explicitly-trusted-client-certs; foo.example.com; HTTP/1.1; HTTP/2.0; cert-maps entries 1 / 11:0A:05:11:00 / x509c2n:san-any and 2 / B3:4F:A1:8C:54 / x509c2n:specified / scooby-doo.
Call-home: config-manager; endpoint east-data-center with east.example.com, then endpoint west-data-center with west.example.com, each followed by rsa2048; base64encodedvalue== (three times); explicitly-trusted-client-ca-certs; explicitly-trusted-client-certs; foo.example.com; HTTP/1.1; HTTP/2.0; and the same two cert-maps entries; then 300; 60; last-connected; 3.]
1152 3.3. YANG Module
1154 This YANG module has normative references to [RFC6991], [RFC7407],
1155 [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
1156 [I-D.ietf-netconf-tls-client-server], and
1157 [I-D.kwatsen-netconf-http-client-server].
1159 file "ietf-restconf-server@2019-10-18.yang"
1161 module ietf-restconf-server {
1162 yang-version 1.1;
1163 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
1164 prefix rcs;
1166 import ietf-yang-types {
1167 prefix yang;
1168 reference
1169 "RFC 6991: Common YANG Data Types";
1170 }
1172 import ietf-inet-types {
1173 prefix inet;
1174 reference
1175 "RFC 6991: Common YANG Data Types";
1176 }
1178 import ietf-x509-cert-to-name {
1179 prefix x509c2n;
1180 reference
1181 "RFC 7407: A YANG Data Model for SNMP Configuration";
1182 }
1184 import ietf-tcp-client {
1185 prefix tcpc;
1186 reference
1187 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1188 }
1190 import ietf-tcp-server {
1191 prefix tcps;
1192 reference
1193 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1194 }
1196 import ietf-tls-server {
1197 prefix tlss;
1198 reference
1199 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
1201 }
1203 import ietf-http-server {
1204 prefix https;
1205 reference
1206 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
1207 }
1209 organization
1210 "IETF NETCONF (Network Configuration) Working Group";
1212 contact
1213 "WG Web:
1214 WG List:
1215 Author: Kent Watsen
1216 Author: Gary Wu
1217 Author: Juergen Schoenwaelder
1218 ";
1220 description
1221 "This module contains a collection of YANG definitions
1222 for configuring RESTCONF servers.
1224 Copyright (c) 2019 IETF Trust and the persons identified
1225 as authors of the code. All rights reserved.
1227 Redistribution and use in source and binary forms, with
1228 or without modification, is permitted pursuant to, and
1229 subject to the license terms contained in, the Simplified
1230 BSD License set forth in Section 4.c of the IETF Trust's
1231 Legal Provisions Relating to IETF Documents
1232 (https://trustee.ietf.org/license-info).
1234 This version of this YANG module is part of RFC XXXX
1235 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1236 itself for full legal notices.
1238 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1239 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1240 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1241 are to be interpreted as described in BCP 14 (RFC 2119)
1242 (RFC 8174) when, and only when, they appear in all
1243 capitals, as shown here.";
1245 revision 2019-10-18 {
1246 description
1247 "Initial version";
1248 reference
1249 "RFC XXXX: RESTCONF Client and Server Models";
1250 }
1252 // Features
1254 feature http-listen {
1255 description
1256 "The 'http-listen' feature indicates that the RESTCONF server
1257 supports opening a port to listen for incoming RESTCONF over
1258 TCP client connections, whereby the TLS connections are
1259 terminated by an external system.";
1260 reference
1261 "RFC 8040: RESTCONF Protocol";
1262 }
1264 feature https-listen {
1265 description
1266 "The 'https-listen' feature indicates that the RESTCONF server
1267 supports opening a port to listen for incoming RESTCONF over
1268 TLS client connections, whereby the TLS connections are
1269 terminated by the server itself.";
1270 reference
1271 "RFC 8040: RESTCONF Protocol";
1272 }
1274 feature https-call-home {
1275 description
1276 "The 'https-call-home' feature indicates that the RESTCONF
1277 server supports initiating connections to RESTCONF clients.";
1278 reference
1279 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1280 }
1282 // Groupings
1284 grouping restconf-server-grouping {
1285 description
1286 "A reusable grouping for configuring a RESTCONF server
1287 without any consideration for how underlying transport
1288 sessions are established.
1290 Note that this grouping uses a fairly typical descendent
1291 node name such that a stack of 'uses' statements will
1292 have name conflicts. It is intended that the consuming
1293 data model will resolve the issue by wrapping the 'uses'
1294 statement in a container called, e.g.,
1295 'restconf-server-parameters'. This model purposely does
1296 not do this itself so as to provide maximum flexibility
1297 to consuming models.";
1299 container client-identification { // FIXME: if-feature?
1300 description
1301 "Specifies a mapping through which a client's RESTCONF
1302 username MAY be derived from the certificate it presents.
1303 Note that a client MAY alternatively be identified via an
1304 HTTP-level authentication scheme. This configuration does
1305 not require that clients send a certificate; whether a
1306 certificate is required is controlled by the TLS server
     configuration (the ietf-tls-server module).";
1307 container cert-maps {
1308 uses x509c2n:cert-to-name;
1309 description
1310 "The cert-maps container is used by TLS-based RESTCONF
1311 servers (even if the TLS sessions are terminated
1312 externally) to map the RESTCONF client's presented
1313 X.509 certificate to a RESTCONF username. If no
1314 matching and valid cert-to-name list entry can be
1315 found, then the RESTCONF server MUST close the
1316 connection, and MUST NOT accept RESTCONF messages
1317 over it.";
1318 reference
1319 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1320 }
1321 }
1322 }
1324 grouping restconf-server-listen-stack-grouping {
1325 description
1326 "A reusable grouping for configuring a RESTCONF server
1327 'listen' protocol stack for a single connection.";
1328 choice transport {
1329 mandatory true;
1330 description
1331 "Selects between available transports. This is a
1332 'choice' statement so as to support additional
1333 transport options to be augmented in.";
1334 case http {
1335 if-feature "http-listen";
1336 container http {
1337 description
1338 "Configures RESTCONF server stack assuming that
1339 TLS-termination is handled externally.";
1340 container external-endpoint {
1341 presence
1342 "Specifies configuration for an external endpoint.";
1344 description
1345 "Identifies contact information for the external
1346 system that terminates connections before passing
1347 them thru to this server (e.g., a network address
1348 translator or a load balancer). These values have
1349 no effect on the local operation of this server, but
1350 may be used by the application when needing to
1351 inform other systems how to contact this server.";
1352 leaf address {
1353 type inet:ip-address;
1354 mandatory true;
1355 description
1356 "The IP address of the external system
1357 that terminates incoming RESTCONF client
1358 connections before forwarding them to this
1359 server.";
1360 }
1361 leaf port {
1362 type inet:port-number;
1363 default "443";
1364 description
1365 "The port number that the external system listens
1366 on for incoming RESTCONF client connections that
1367 are forwarded to this server. The default HTTPS
1368 port (443) is used, as expected for a RESTCONF
1369 connection.";
1370 }
1371 }
1372 container tcp-server-parameters {
1373 description
1374 "A wrapper around the TCP server parameters
1375 to avoid name collisions.";
1376 uses tcps:tcp-server-grouping {
1377 refine "local-port" {
1378 default "80";
1379 description
1380 "The RESTCONF server will listen on the IANA-
1381 assigned well-known port value for 'http'
1382 (80) if no value is specified.";
1383 }
1384 }
1385 }
1386 container http-server-parameters {
1387 description
1388 "A wrapper around the HTTP server parameters
1389 to avoid name collisions.";
1390 uses https:http-server-grouping;
1391 }
1392 container restconf-server-parameters {
1393 description
1394 "A wrapper around the RESTCONF server parameters
1395 to avoid name collisions.";
1396 uses rcs:restconf-server-grouping;
1397 }
1398 }
1399 }
1400 case https {
1401 if-feature "https-listen";
1402 container https {
1403 description
1404 "Configures RESTCONF server stack assuming that
1405 TLS-termination is handled internally.";
1406 container tcp-server-parameters {
1407 description
1408 "A wrapper around the TCP server parameters
1409 to avoid name collisions.";
1410 uses tcps:tcp-server-grouping {
1411 refine "local-port" {
1412 default "443";
1413 description
1414 "The RESTCONF server will listen on the IANA-
1415 assigned well-known port value for 'https'
1416 (443) if no value is specified.";
1417 }
1418 }
1419 }
1420 container tls-server-parameters {
1421 description
1422 "A wrapper around the TLS server parameters
1423 to avoid name collisions.";
1424 uses tlss:tls-server-grouping;
1425 }
1426 container http-server-parameters {
1427 description
1428 "A wrapper around the HTTP server parameters
1429 to avoid name collisions.";
1430 uses https:http-server-grouping;
1431 }
1432 container restconf-server-parameters {
1433 description
1434 "A wrapper around the RESTCONF server parameters
1435 to avoid name collisions.";
1436 uses rcs:restconf-server-grouping;
1437 }
1438 }
1439 }
1441 }
1442 }
1444 grouping restconf-server-callhome-stack-grouping {
1445 description
1446 "A reusable grouping for configuring a RESTCONF server
1447 'call-home' protocol stack, for a single connection.";
1448 choice transport {
1449 mandatory true;
1450 description
1451 "Selects between available transports. This is a
1452 'choice' statement so as to support additional
1453 transport options to be augmented in.";
1454 case https {
1455 if-feature "https-call-home";
1456 container https {
1457 description
1458 "Configures RESTCONF server stack assuming that
1459 TLS-termination is handled internally.";
1460 container tcp-client-parameters {
1461 description
1462 "A wrapper around the TCP client parameters
1463 to avoid name collisions.";
1464 uses tcpc:tcp-client-grouping {
1465 refine "remote-port" {
1466 default "4336";
1467 description
1468 "The RESTCONF server will attempt to
1469 connect to the IANA-assigned well-known
1470 port for 'restconf-ch-tls' (4336) if no
1471 value is specified.";
1472 }
1473 }
1474 }
1475 container tls-server-parameters {
1476 description
1477 "A wrapper around the TLS server parameters
1478 to avoid name collisions.";
1479 uses tlss:tls-server-grouping;
1480 }
1481 container http-server-parameters {
1482 description
1483 "A wrapper around the HTTP server parameters
1484 to avoid name collisions.";
1485 uses https:http-server-grouping;
1486 }
1487 container restconf-server-parameters {
1488 description
1489 "A wrapper around the RESTCONF server parameters
1490 to avoid name collisions.";
1491 uses rcs:restconf-server-grouping;
1492 }
1493 }
1494 }
1495 }
1496 }
1498 grouping restconf-server-app-grouping {
1499 description
1500 "A reusable grouping for configuring a RESTCONF server
1501 application that supports both 'listen' and 'call-home'
1502 protocol stacks for a multiplicity of connections.";
1503 container listen {
1504 if-feature "http-listen or https-listen";
1505 presence
1506 "Enables the RESTCONF server to listen for RESTCONF
1507 client connections.";
1508 description "Configures listen behavior";
1509 list endpoint {
1510 key "name";
1511 min-elements 1;
1512 description
1513 "List of endpoints to listen for RESTCONF connections.";
1514 leaf name {
1515 type string;
1516 description
1517 "An arbitrary name for the RESTCONF listen endpoint.";
1518 }
1519 uses restconf-server-listen-stack-grouping;
1520 }
1521 }
1522 container call-home {
1523 if-feature "https-call-home";
1524 presence
1525 "Enables the RESTCONF server to initiate the underlying
1526 transport connection to RESTCONF clients.";
1527 description "Configures call-home behavior";
1528 list restconf-client {
1529 key "name";
1530 min-elements 1;
1531 description
1532 "List of RESTCONF clients the RESTCONF server is to
1533 maintain simultaneous call-home connections with.";
1534 leaf name {
1535 type string;
1536 description
1537 "An arbitrary name for the remote RESTCONF client.";
1538 }
1539 container endpoints {
1540 description
1541 "Container for the list of endpoints.";
1542 list endpoint {
1543 key "name";
1544 min-elements 1;
1545 ordered-by user;
1546 description
1547 "User-ordered list of endpoints for this RESTCONF
1548 client. Defining more than one enables high-
1549 availability.";
1550 leaf name {
1551 type string;
1552 description
1553 "An arbitrary name for this endpoint.";
1554 }
1555 uses restconf-server-callhome-stack-grouping;
1556 }
1557 }
1558 container connection-type {
1559 description
1560 "Indicates the RESTCONF server's preference for how the
1561 RESTCONF connection is maintained.";
1562 choice connection-type {
1563 mandatory true;
1564 description
1565 "Selects between available connection types.";
1566 case persistent-connection {
1567 container persistent {
1568 presence "Indicates that a persistent connection is
1569 to be maintained.";
1570 description
1571 "Maintain a persistent connection to the RESTCONF
1572 client. If the connection goes down, immediately
1573 start trying to reconnect to the RESTCONF client,
1574 using the reconnection strategy.
1576 This connection type minimizes any RESTCONF
1577 client to RESTCONF server data-transfer delay,
1578 albeit at the expense of holding resources
1579 longer.";
1580 }
1581 }
1582 case periodic-connection {
1583 container periodic {
1584 presence "Indicates that a periodic connection is
1585 to be maintained.";
1586 description
1587 "Periodically connect to the RESTCONF client.
1589 This connection type decreases resource
1590 utilization, albeit with increased delay in
1591 RESTCONF client to RESTCONF server interactions.
1593 The RESTCONF client SHOULD gracefully close
1594 the underlying TLS connection upon completing
1595 planned activities. If the underlying TLS
1596 connection is not closed gracefully, the
1597 RESTCONF server MUST immediately attempt
1598 to reestablish the connection.
1600 In the case that the previous connection is
1601 still active (i.e., the RESTCONF client has not
1602 closed it yet), establishing a new connection
1603 is NOT RECOMMENDED.";
1605 leaf period {
1606 type uint16;
1607 units "minutes";
1608 default "60";
1609 description
1610 "Duration of time between periodic connections.";
1611 }
1612 leaf anchor-time {
1613 type yang:date-and-time {
1614 // constrained to minute-level granularity
1615 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1616 + '(Z|[\+\-]\d{2}:\d{2})';
1617 }
1618 description
1619 "Designates a timestamp before or after which a
1620 series of periodic connections are determined.
1621 The periodic connections occur at a whole
1622 multiple interval from the anchor time. For
1623 example, for an anchor time of 15 minutes past
1624 midnight and a period of 24 hours, a periodic
1625 connection will occur 15 minutes past midnight
1626 every day.";
1627 }
1628 leaf idle-timeout {
1629 type uint16;
1630 units "seconds";
1631 default 120; // two minutes
1632 description
1633 "Specifies the maximum number of seconds that
1634 the underlying TCP session may remain idle.
1635 A TCP session will be dropped if it is idle
1636 for an interval longer than this number of
1637 seconds. If set to zero, then the server
1638 will never drop a session because it is idle.";
1639 }
1640 }
1641 }
1642 }
1643 }
1644 container reconnect-strategy {
1645 description
1646 "The reconnection strategy directs how a RESTCONF server
1647 reconnects to a RESTCONF client after discovering its
1648 connection to the client has dropped, even if due to a
1649 reboot. The RESTCONF server starts with the specified
1650 endpoint and tries to connect to it max-attempts times
1651 before trying the next endpoint in the list (round
1652 robin).";
1653 leaf start-with {
1654 type enumeration {
1655 enum first-listed {
1656 description
1657 "Indicates that reconnections should start with
1658 the first endpoint listed.";
1659 }
1660 enum last-connected {
1661 description
1662 "Indicates that reconnections should start with
1663 the endpoint last connected to. If no previous
1664 connection has ever been established, then the
1665 first endpoint configured is used. RESTCONF
1666 servers SHOULD be able to remember the last
1667 endpoint connected to across reboots.";
1668 }
1669 enum random-selection {
1670 description
1671 "Indicates that reconnections should start with
1672 a random endpoint.";
1673 }
1674 }
1675 default "first-listed";
1676 description
1677 "Specifies which of the RESTCONF client's endpoints
1678 the RESTCONF server should start with when trying
1679 to connect to the RESTCONF client.";
1681 }
1682 leaf max-attempts {
1683 type uint8 {
1684 range "1..max";
1685 }
1686 default "3";
1687 description
1688 "Specifies the number of times the RESTCONF server tries
1689 to connect to a specific endpoint before moving on to
1690 the next endpoint in the list (round robin).";
1691 }
1692 }
1693 } // restconf-client
1694 } // call-home
1695 } // restconf-server-app-grouping
1697 // Protocol accessible node, for servers that implement this
1698 // module.
1700 container restconf-server {
1701 uses restconf-server-app-grouping;
1702 description
1703 "Top-level container for RESTCONF server configuration.";
1704 }
1706 }
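The 'cert-maps' container above says that a TLS-based RESTCONF server maps the client's presented X.509 certificate to a RESTCONF username via x509c2n:cert-to-name and MUST close the connection when no matching, valid entry exists. The following is an added example, not code from this draft or its authors, showing that resolution in Python. It follows the RFC 7407 semantics for the cert-to-name list (entries processed in 'id' order, a fingerprint that may belong to any certificate in the chain, the name derived from the end-entity certificate according to 'map-type') and the x509c2n:tls-fingerprint convention that the first octet is the IANA TLS HashAlgorithm identifier. The certificate objects and DER bytes are constructed stand-ins with their name fields already parsed, so no X.509 parser is needed; the placeholder fingerprints in the XML example (e.g. 11:0A:05:11:00) begin with an unregistered algorithm octet and therefore never match.

```python
# Added example (not the draft's own code): resolve a RESTCONF username from
# the presented certificate chain using the cert-maps list, failing closed.
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# First octet of an x509c2n:tls-fingerprint: IANA TLS HashAlgorithm identifier.
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
                   5: "sha384", 6: "sha512"}


@dataclass
class CertToName:
    """One entry of cert-maps/cert-to-name (names are this example's own)."""
    id: int
    fingerprint: bytes          # algorithm octet followed by the digest
    map_type: str               # e.g. "x509c2n:specified", "x509c2n:san-any"
    name: Optional[str] = None  # only consulted when map-type is 'specified'


@dataclass
class PresentedCert:
    """Constructed stand-in for a parsed X.509 certificate."""
    der: bytes
    common_name: Optional[str] = None
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def parse_fingerprint(text: str) -> bytes:
    """'04:AB:..' as written in the XML example -> raw fingerprint bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def tls_fingerprint(der: bytes, alg_id: int) -> bytes:
    """tls-fingerprint of a DER certificate: algorithm octet + digest."""
    return bytes([alg_id]) + hashlib.new(HASH_ALGORITHMS[alg_id], der).digest()


def entry_matches_chain(entry: CertToName, chain: List[PresentedCert]) -> bool:
    """True if the entry's fingerprint is that of any certificate in the chain
    (end-entity first).  An unknown algorithm octet can never match, so a
    mistyped or placeholder fingerprint fails closed rather than open."""
    alg_id = entry.fingerprint[0] if entry.fingerprint else None
    if alg_id not in HASH_ALGORITHMS:
        return False
    return any(tls_fingerprint(c.der, alg_id) == entry.fingerprint for c in chain)


def name_from_cert(entry: CertToName, end_entity: PresentedCert) -> Optional[str]:
    """Derive the username per map-type from the end-entity certificate.
    None means the entry is not 'valid' for this certificate; the search
    continues with the next entry.  SANs are kept by type in the stand-in,
    so 'san-any' approximates 'first SAN found' by type order."""
    kind = entry.map_type.rsplit(":", 1)[-1]   # strip the module prefix
    if kind == "specified":
        return entry.name
    if kind == "san-rfc822-name":
        return end_entity.san_rfc822[0] if end_entity.san_rfc822 else None
    if kind == "san-dns-name":
        return end_entity.san_dns[0] if end_entity.san_dns else None
    if kind == "san-ip-address":
        return end_entity.san_ip[0] if end_entity.san_ip else None
    if kind == "san-any":
        for sans in (end_entity.san_rfc822, end_entity.san_dns, end_entity.san_ip):
            if sans:
                return sans[0]
        return None
    if kind == "common-name":
        return end_entity.common_name
    return None


def resolve_username(cert_maps: List[CertToName],
                     chain: List[PresentedCert]) -> Optional[str]:
    """Walk cert-maps in 'id' order; the first matching, valid entry wins.
    None is the "MUST close the connection" outcome from the module text."""
    if not chain:
        return None
    for entry in sorted(cert_maps, key=lambda e: e.id):
        if entry_matches_chain(entry, chain):
            name = name_from_cert(entry, chain[0])
            if name:
                return name
    return None


if __name__ == "__main__":
    ca = PresentedCert(der=b"constructed CA certificate DER")
    ee = PresentedCert(der=b"constructed end-entity DER", san_dns=["cm.example.com"])
    maps = [CertToName(2, tls_fingerprint(ca.der, 4), "x509c2n:san-any"),
            CertToName(1, tls_fingerprint(ee.der, 4), "x509c2n:specified", "scooby-doo")]
    print(resolve_username(maps, [ee, ca]))   # scooby-doo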
1708
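The 'periodic' and 'reconnect-strategy' nodes above describe behaviour rather than data: connections occur at whole multiples of 'period' from 'anchor-time', and on reconnect the server picks a starting endpoint per 'start-with' and tries each endpoint 'max-attempts' times before moving round robin to the next. The following is an added example, not code from this draft or its authors, that turns those leaf descriptions into Python a server implementer can check against. Function and parameter names are this example's own; the endpoint names and the anchor/period values in the usage below are taken from the module's own examples.

```python
# Added example (not the draft's own code): call-home scheduling decisions
# derived from the 'periodic' and 'reconnect-strategy' nodes.
import random
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Minute-granularity UTC timestamp, matching the anchor-time pattern."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def next_periodic_connection(now: datetime, anchor_time: datetime,
                             period_minutes: int) -> datetime:
    """First instant at or after 'now' that is a whole multiple of the period
    away from 'anchor-time'.  The anchor may lie in the past or the future."""
    if period_minutes < 1:
        raise ValueError("period must be at least one minute")
    period = timedelta(minutes=period_minutes)
    # timedelta // timedelta floors, so a future anchor (negative elapsed
    # time) also lands on the correct multiple.
    candidate = anchor_time + ((now - anchor_time) // period) * period
    if candidate < now:
        candidate += period
    return candidate


def reconnect_order(endpoints: List[str], start_with: str,
                    last_connected: Optional[str] = None,
                    rng: Optional[random.Random] = None) -> List[str]:
    """Endpoints in the order they are tried.  'start-with' only selects the
    starting point; the user-ordered list is then followed round robin."""
    if not endpoints:
        raise ValueError("min-elements 1: at least one endpoint is required")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # Falls back to the first endpoint when no connection was ever made
        # (or the remembered endpoint was removed from the configuration).
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value: {start_with}")
    return endpoints[start:] + endpoints[:start]


def connect_with_strategy(endpoints: List[str], start_with: str,
                          max_attempts: int,
                          try_connect: Callable[[str], bool],
                          last_connected: Optional[str] = None,
                          rng: Optional[random.Random] = None
                          ) -> Tuple[Optional[str], List[Tuple[str, int]]]:
    """Try each endpoint up to 'max-attempts' times before moving to the next.
    Returns the endpoint that connected (None after one full pass) together
    with the (endpoint, attempt) log, so the caller can audit or back off."""
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is a uint8 with range 1..max")
    attempts: List[Tuple[str, int]] = []
    for endpoint in reconnect_order(endpoints, start_with, last_connected, rng):
        for n in range(1, max_attempts + 1):
            attempts.append((endpoint, n))
            if try_connect(endpoint):
                return endpoint, attempts
    return None, attempts


if __name__ == "__main__":
    # Anchor 15 minutes past midnight, period 24 hours (1440 minutes), as in
    # the anchor-time description.
    anchor = utc(2019, 10, 18, 0, 15)
    print(next_periodic_connection(utc(2019, 10, 20, 10, 0), anchor, 1440))
    endpoints = ["east-data-center", "west-data-center"]
    print(connect_with_strategy(endpoints, "last-connected", 3,
                                lambda ep: ep == "west-data-center",
                                last_connected="west-data-center"))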
1710 4. Security Considerations
1712 The YANG module defined in this document uses groupings defined in
1713 [I-D.kwatsen-netconf-tcp-client-server],
1714 [I-D.ietf-netconf-tls-client-server], and
1715 [I-D.kwatsen-netconf-http-client-server]. Please see the Security
1716 Considerations section in those documents for concerns related to those
1717 groupings.
1719 The YANG modules defined in this document are designed to be accessed
1720 via YANG based management protocols, such as NETCONF [RFC6241] and
1721 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1722 implement secure transport layers (e.g., SSH, TLS) with mutual
1723 authentication.
1725 The NETCONF access control model (NACM) [RFC8341] provides the means
1726 to restrict access for particular users to a pre-configured subset of
1727 all available protocol operations and content.
1729 There are a number of data nodes defined in the YANG modules that are
1730 writable/creatable/deletable (i.e., config true, which is the
1731 default). Some of these data nodes may be considered sensitive or
1732 vulnerable in some network environments. Write operations (e.g.,
1733 edit-config) to these data nodes without proper protection can have a
1734 negative effect on network operations. These are the subtrees and
1735 data nodes and their sensitivity/vulnerability:
1737 The following writable nodes warrant protection, since changing them
1738 alters whom the RESTCONF server accepts and where it connects: the
     'cert-maps' list under 'client-identification' (each entry maps a
     presented certificate to a RESTCONF username, so a modified or added
     entry can bind a certificate to a different user) and the 'endpoints'
     under 'call-home' (they determine the hosts the server initiates
     connections to). Nodes contributed by the imported TCP, TLS and HTTP
     groupings are covered by the documents cited above.
1740 Some of the readable data nodes in the YANG modules may be considered
1741 sensitive or vulnerable in some network environments. It is thus
1742 important to control read access (e.g., via get, get-config, or
1743 notification) to these data nodes. These are the subtrees and data
1744 nodes and their sensitivity/vulnerability:
1746 None of the subtrees or data nodes in the modules defined in this
1747 document need to be protected from read operations.
1749 Some of the RPC operations in the YANG modules may be considered
1750 sensitive or vulnerable in some network environments. It is thus
1751 important to control access to these operations. These are the
1752 operations and their sensitivity/vulnerability:
1754 The modules defined in this document do not define any 'RPC' or
1755 'action' statements.
1757 5. IANA Considerations
1759 5.1. The IETF XML Registry
1761 This document registers two URIs in the "ns" subregistry of the IETF
1762 XML Registry [RFC3688]. Following the format in [RFC3688], the
1763 following registrations are requested:
1765 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1766 Registrant Contact: The NETCONF WG of the IETF.
1767 XML: N/A, the requested URI is an XML namespace.
1769 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1770 Registrant Contact: The NETCONF WG of the IETF.
1771 XML: N/A, the requested URI is an XML namespace.
1773 5.2. The YANG Module Names Registry
1775 This document registers two YANG modules in the YANG Module Names
1776 registry [RFC6020]. Following the format in [RFC6020], the
1777 following registrations are requested:
1779 name: ietf-restconf-client
1780 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1781 prefix: rcc
1782 reference: RFC XXXX
1784 name: ietf-restconf-server
1785 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1786 prefix: rcs
1787 reference: RFC XXXX
1789 6. References
1791 6.1. Normative References
1793 [I-D.ietf-netconf-keystore]
1794 Watsen, K., "A YANG Data Model for a Keystore", draft-
1795 ietf-netconf-keystore-12 (work in progress), July 2019.
1797 [I-D.ietf-netconf-tls-client-server]
1798 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1799 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1800 server-14 (work in progress), July 2019.
1802 [I-D.kwatsen-netconf-http-client-server]
1803 Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1804 Servers", draft-kwatsen-netconf-http-client-server-03
1805 (work in progress), June 2019.
1807 [I-D.kwatsen-netconf-tcp-client-server]
1808 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1809 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1810 server-02 (work in progress), April 2019.
1812 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1813 Requirement Levels", BCP 14, RFC 2119,
1814 DOI 10.17487/RFC2119, March 1997,
1815 <https://www.rfc-editor.org/info/rfc2119>.
1817 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1818 the Network Configuration Protocol (NETCONF)", RFC 6020,
1819 DOI 10.17487/RFC6020, October 2010,
1820 <https://www.rfc-editor.org/info/rfc6020>.
1822 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1823 RFC 6991, DOI 10.17487/RFC6991, July 2013,
1824 <https://www.rfc-editor.org/info/rfc6991>.
1826 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1827 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1828 December 2014, <https://www.rfc-editor.org/info/rfc7407>.
1830 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1831 RFC 7950, DOI 10.17487/RFC7950, August 2016,
1832 <https://www.rfc-editor.org/info/rfc7950>.
1834 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1835 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
1836 <https://www.rfc-editor.org/info/rfc8040>.
1838 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1839 RFC 8071, DOI 10.17487/RFC8071, February 2017,
1840 <https://www.rfc-editor.org/info/rfc8071>.
1842 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1843 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1844 May 2017, <https://www.rfc-editor.org/info/rfc8174>.
1846 6.2. Informative References
1848 [I-D.ietf-netconf-trust-anchors]
1849 Watsen, K., "A YANG Data Model for a Truststore", draft-
1850 ietf-netconf-trust-anchors-05 (work in progress), June
1851 2019.
1853 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1854 DOI 10.17487/RFC3688, January 2004,
1855 <https://www.rfc-editor.org/info/rfc3688>.
1857 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1858 and A. Bierman, Ed., "Network Configuration Protocol
1859 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
1860 <https://www.rfc-editor.org/info/rfc6241>.
1862 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1863 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
1864 <https://www.rfc-editor.org/info/rfc8340>.
1866 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1867 Access Control Model", STD 91, RFC 8341,
1868 DOI 10.17487/RFC8341, March 2018,
1869 <https://www.rfc-editor.org/info/rfc8341>.
1871 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
1872 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
1873 <https://www.rfc-editor.org/info/rfc8446>.
1875 Appendix A. Expanded Tree Diagrams
1877 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
1879 The following tree diagram [RFC8340] provides an overview of the data
1880 model for the "ietf-restconf-client" module.
1882 This tree diagram shows all the nodes defined in this module,
1883 including those defined by "grouping" statements used by this module.
1885 Please see Section 2.1 for a tree diagram that illustrates what the
1886 module looks like without all the "grouping" statements expanded.
1888 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
1890 module: ietf-restconf-client
1891 +--rw restconf-client
1892 +--rw initiate! {https-initiate}?
1893 | +--rw restconf-server* [name]
1894 | +--rw name string
1895 | +--rw endpoints
1896 | | +--rw endpoint* [name]
1897 | | +--rw name string
1898 | | +--rw (transport)
1899 | | +--:(https) {https-initiate}?
1900 | | +--rw https
1901 | | +--rw tcp-client-parameters
1902 | | | +--rw remote-address inet:host
1903 | | | +--rw remote-port? inet:port-number
1904 | | | +--rw local-address? inet:ip-address
1905 | | | | {local-binding-supported}?
1906 | | | +--rw local-port? inet:port-number
1907 | | | | {local-binding-supported}?
1908 | | | +--rw keepalives!
1909 | | | {keepalives-supported}?
1910 | | | +--rw idle-time uint16
1911 | | | +--rw max-probes uint16
1912 | | | +--rw probe-interval uint16
1913 | | +--rw tls-client-parameters
1914 | | | +--rw client-identity
1915 | | | | +--rw (local-or-keystore)
1916 | | | | +--:(local)
1917 | | | | | {local-definitions-suppo\
1918 \rted}?
1919 | | | | | +--rw local-definition
1920 | | | | | +--rw algorithm
1921 | | | | | | asymmetric-key-algo\
1922 \rithm-t
1923 | | | | | +--rw public-key-format?
1924 | | | | | | identityref
1925 | | | | | +--rw public-key
1926 | | | | | | binary
1927 | | | | | +--rw private-key-format?
1928 | | | | | | identityref
1929 | | | | | +--rw (private-key-type)
1930 | | | | | | +--:(private-key)
1931 | | | | | | | +--rw private-key?
1932 | | | | | | | binary
1933 | | | | | | +--:(hidden-private-key)
1934 | | | | | | | +--rw hidden-private-\
1935 \key?
1936 | | | | | | | empty
1937 | | | | | | +--:(encrypted-private-k\
1938 \ey)
1939 | | | | | | +--rw encrypted-priva\
1940 \te-key
1941 | | | | | | +--rw (key-type)
1942 | | | | | | | +--:(symmetric-\
1943 \key-ref)
1944 | | | | | | | | +--rw symmet\
1945 \ric-key-ref? leafref
1946 | | | | | | | | {key\
1947 \store-supported}?
1948 | | | | | | | +--:(asymmetric\
1949 \-key-ref)
1950 | | | | | | | +--rw asymme\
1951 \tric-key-ref? leafref
1952 | | | | | | | {key\
1953 \store-supported}?
1954 | | | | | | +--rw value?
1955 | | | | | | binary
1956 | | | | | +--rw cert?
1957 | | | | | | end-entity-cert-cms
1958 | | | | | +---n certificate-expiration
1959 | | | | | | +-- expiration-date
1960 | | | | | | yang:date-and-ti\
1961 \me
1962 | | | | | +---x generate-certificate-\
1963 \signing-request
1964 | | | | | +---w input
1965 | | | | | | +---w subject
1966 | | | | | | | binary
1967 | | | | | | +---w attributes?
1968 | | | | | | binary
1969 | | | | | +--ro output
1970 | | | | | +--ro certificate-sig\
1972 \ning-request
1973 | | | | | binary
1974 | | | | +--:(keystore)
1975 | | | | {keystore-supported}?
1976 | | | | +--rw keystore-reference
1977 | | | | +--rw asymmetric-key?
1978 | | | | | ks:asymmetric-key-r\
1979 \ef
1980 | | | | +--rw certificate? lea\
1981 \fref
1982 | | | +--rw server-authentication
1983 | | | | +--rw ca-certs!
1984 | | | | | {ts:x509-certificates}?
1985 | | | | | +--rw (local-or-truststore)
1986 | | | | | +--:(local)
1987 | | | | | | {local-definitions-su\
1988 \pported}?
1989 | | | | | | +--rw local-definition
1990 | | | | | | +--rw cert*
1991 | | | | | | | trust-anchor-cer\
1992 \t-cms
1993 | | | | | | +---n certificate-expira\
1994 \tion
1995 | | | | | | +-- expiration-date
1996 | | | | | | yang:date-and\
1997 \-time
1998 | | | | | +--:(truststore)
1999 | | | | | {truststore-supported\
2000 \,x509-certificates}?
2001 | | | | | +--rw truststore-reference?
2002 | | | | | ts:certificates-ref
2003 | | | | +--rw server-certs!
2004 | | | | {ts:x509-certificates}?
2005 | | | | +--rw (local-or-truststore)
2006 | | | | +--:(local)
2007 | | | | | {local-definitions-su\
2008 \pported}?
2009 | | | | | +--rw local-definition
2010 | | | | | +--rw cert*
2011 | | | | | | trust-anchor-cer\
2012 \t-cms
2013 | | | | | +---n certificate-expira\
2014 \tion
2015 | | | | | +-- expiration-date
2016 | | | | | yang:date-and\
2017 \-time
2018 | | | | +--:(truststore)
2019 | | | | {truststore-supported\
2021 \,x509-certificates}?
2022 | | | | +--rw truststore-reference?
2023 | | | | ts:certificates-ref
2024 | | | +--rw hello-params
2025 | | | | {tls-client-hello-params-config\
2026 \}?
2027 | | | | +--rw tls-versions
2028 | | | | | +--rw tls-version* identityref
2029 | | | | +--rw cipher-suites
2030 | | | | +--rw cipher-suite* identityref
2031 | | | +--rw keepalives!
2032 | | | {tls-client-keepalives}?
2033 | | | +--rw max-wait? uint16
2034 | | | +--rw max-attempts? uint8
2035 | | +--rw http-client-parameters
2036 | | | +--rw protocol-version? enumeration
2037 | | | +--rw client-identity
2038 | | | | +--rw (auth-type)
2039 | | | | +--:(basic)
2040 | | | | +--rw basic {basic-auth}?
2041 | | | | +--rw user-id string
2042 | | | | +--rw password string
2043 | | | +--rw proxy-server! {proxy-connect}?
2044 | | | +--rw tcp-client-parameters
2045 | | | | +--rw remote-address inet:host
2046 | | | | +--rw remote-port?
2047 | | | | | inet:port-number
2048 | | | | +--rw local-address?
2049 | | | | | inet:ip-address
2050 | | | | | {local-binding-supported}?
2051 | | | | +--rw local-port?
2052 | | | | | inet:port-number
2053 | | | | | {local-binding-supported}?
2054 | | | | +--rw keepalives!
2055 | | | | {keepalives-supported}?
2056 | | | | +--rw idle-time uint16
2057 | | | | +--rw max-probes uint16
2058 | | | | +--rw probe-interval uint16
2059 | | | +--rw tls-client-parameters
2060 | | | | +--rw client-identity
2061 | | | | | +--rw (local-or-keystore)
2062 | | | | | +--:(local)
2063 | | | | | | {local-definitions\
2064 \-supported}?
2065 | | | | | | +--rw local-definition
2066 | | | | | | +--rw algorithm
2067 | | | | | | | asymmetric-ke\
2068 \y-algorithm-t
2069 | | | | | | +--rw public-key-form\
2070 \at?
2071 | | | | | | | identityref
2072 | | | | | | +--rw public-key
2073 | | | | | | | binary
2074 | | | | | | +--rw private-key-for\
2075 \mat?
2076 | | | | | | | identityref
2077 | | | | | | +--rw (private-key-ty\
2078 \pe)
2079 | | | | | | | +--:(private-key)
2080 | | | | | | | | +--rw private-k\
2081 \ey?
2082 | | | | | | | | binary
2083 | | | | | | | +--:(hidden-privat\
2084 \e-key)
2085 | | | | | | | | +--rw hidden-pr\
2086 \ivate-key?
2087 | | | | | | | | empty
2088 | | | | | | | +--:(encrypted-pri\
2089 \vate-key)
2090 | | | | | | | +--rw encrypted\
2091 \-private-key
2092 | | | | | | | +--rw (key-t\
2093 \ype)
2094 | | | | | | | | +--:(symm\
2095 \etric-key-ref)
2096 | | | | | | | | | +--rw \
2097 \symmetric-key-ref? leafref
2098 | | | | | | | | | \
2099 \ {keystore-supported}?
2100 | | | | | | | | +--:(asym\
2101 \metric-key-ref)
2102 | | | | | | | | +--rw \
2103 \asymmetric-key-ref? leafref
2104 | | | | | | | | \
2105 \ {keystore-supported}?
2106 | | | | | | | +--rw value?
2107 | | | | | | | bina\
2108 \ry
2109 | | | | | | +--rw cert?
2110 | | | | | | | end-entity-ce\
2111 \rt-cms
2112 | | | | | | +---n certificate-exp\
2113 \iration
2114 | | | | | | | +-- expiration-date
2115 | | | | | | | yang:date-\
2116 \and-time
2117 | | | | | | +---x generate-certif\
2118 \icate-signing-request
2119 | | | | | | +---w input
2120 | | | | | | | +---w subject
2121 | | | | | | | | binary
2122 | | | | | | | +---w attribute\
2123 \s?
2124 | | | | | | | binary
2125 | | | | | | +--ro output
2126 | | | | | | +--ro certifica\
2127 \te-signing-request
2128 | | | | | | binary
2129 | | | | | +--:(keystore)
2130 | | | | | {keystore-supporte\
2131 \d}?
2132 | | | | | +--rw keystore-reference
2133 | | | | | +--rw asymmetric-key?
2134 | | | | | | ks:asymmetric\
2135 \-key-ref
2136 | | | | | +--rw certificate? \
2137 \ leafref
2138 | | | | +--rw server-authentication
2139 | | | | | +--rw ca-certs!
2140 | | | | | | {ts:x509-certificates}?
2141 | | | | | | +--rw (local-or-truststore)
2142 | | | | | | +--:(local)
2143 | | | | | | | {local-definiti\
2144 \ons-supported}?
2145 | | | | | | | +--rw local-definition
2146 | | | | | | | +--rw cert*
2147 | | | | | | | | trust-anch\
2148 \or-cert-cms
2149 | | | | | | | +---n certificate-\
2150 \expiration
2151 | | | | | | | +-- expiration-\
2152 \date
2153 | | | | | | | yang:da\
2154 \te-and-time
2155 | | | | | | +--:(truststore)
2156 | | | | | | {truststore-sup\
2157 \ported,x509-certificates}?
2158 | | | | | | +--rw truststore-refe\
2159 \rence?
2160 | | | | | | ts:certificat\
2161 \es-ref
2162 | | | | | +--rw server-certs!
2163 | | | | | {ts:x509-certificates}?
2164 | | | | | +--rw (local-or-truststore)
2165 | | | | | +--:(local)
2166 | | | | | | {local-definiti\
2167 \ons-supported}?
2168 | | | | | | +--rw local-definition
2169 | | | | | | +--rw cert*
2170 | | | | | | | trust-anch\
2171 \or-cert-cms
2172 | | | | | | +---n certificate-\
2173 \expiration
2174 | | | | | | +-- expiration-\
2175 \date
2176 | | | | | | yang:da\
2177 \te-and-time
2178 | | | | | +--:(truststore)
2179 | | | | | {truststore-sup\
2180 \ported,x509-certificates}?
2181 | | | | | +--rw truststore-refe\
2182 \rence?
2183 | | | | | ts:certificat\
2184 \es-ref
2185 | | | | +--rw hello-params
2186 | | | | | {tls-client-hello-params-\
2187 \config}?
2188 | | | | | +--rw tls-versions
2189 | | | | | | +--rw tls-version*
2190 | | | | | | identityref
2191 | | | | | +--rw cipher-suites
2192 | | | | | +--rw cipher-suite*
2193 | | | | | identityref
2194 | | | | +--rw keepalives!
2195 | | | | {tls-client-keepalives}?
2196 | | | | +--rw max-wait? uint16
2197 | | | | +--rw max-attempts? uint8
2198 | | | +--rw proxy-client-identity
2199 | | | +--rw (auth-type)
2200 | | | +--:(basic)
2201 | | | +--rw basic {basic-auth}?
2202 | | | +--rw user-id string
2203 | | | +--rw password string
2204 | | +--rw restconf-client-parameters
2205 | +--rw connection-type
2206 | | +--rw (connection-type)
2207 | | +--:(persistent-connection)
2208 | | | +--rw persistent!
2209 | | +--:(periodic-connection)
2210 | | +--rw periodic!
2211 | | +--rw period? uint16
2212 | | +--rw anchor-time? yang:date-and-time
2213 | | +--rw idle-timeout? uint16
2214 | +--rw reconnect-strategy
2215 | +--rw start-with? enumeration
2216 | +--rw max-attempts? uint8
2217 +--rw listen! {http-listen or https-listen}?
2218 +--rw idle-timeout? uint16
2219 +--rw endpoint* [name]
2220 +--rw name string
2221 +--rw (transport)
2222 +--:(http) {http-listen}?
2223 | +--rw FIXME
2224 +--:(https) {https-listen}?
2225 +--rw https
2226 +--rw tcp-server-parameters
2227 | +--rw local-address inet:ip-address
2228 | +--rw local-port? inet:port-number
2229 | +--rw keepalives! {keepalives-supported}?
2230 | +--rw idle-time uint16
2231 | +--rw max-probes uint16
2232 | +--rw probe-interval uint16
2233 +--rw tls-client-parameters
2234 | +--rw client-identity
2235 | | +--rw (local-or-keystore)
2236 | | +--:(local)
2237 | | | {local-definitions-supported}?
2238 | | | +--rw local-definition
2239 | | | +--rw algorithm
2240 | | | | asymmetric-key-algorithm-t
2241 | | | +--rw public-key-format?
2242 | | | | identityref
2243 | | | +--rw public-key
2244 | | | | binary
2245 | | | +--rw private-key-format?
2246 | | | | identityref
2247 | | | +--rw (private-key-type)
2248 | | | | +--:(private-key)
2249 | | | | | +--rw private-key?
2250 | | | | | binary
2251 | | | | +--:(hidden-private-key)
2252 | | | | | +--rw hidden-private-key?
2253 | | | | | empty
2254 | | | | +--:(encrypted-private-key)
2255 | | | | +--rw encrypted-private-key
2256 | | | | +--rw (key-type)
2257 | | | | | +--:(symmetric-key-re\
2258 \f)
2259 | | | | | | +--rw symmetric-ke\
2260 \y-ref? leafref
2261 | | | | | | {keystore-\
2262 \supported}?
2263 | | | | | +--:(asymmetric-key-r\
2264 \ef)
2265 | | | | | +--rw asymmetric-k\
2266 \ey-ref? leafref
2267 | | | | | {keystore-\
2268 \supported}?
2269 | | | | +--rw value?
2270 | | | | binary
2271 | | | +--rw cert?
2272 | | | | end-entity-cert-cms
2273 | | | +---n certificate-expiration
2274 | | | | +-- expiration-date
2275 | | | | yang:date-and-time
2276 | | | +---x generate-certificate-signin\
2277 \g-request
2278 | | | +---w input
2279 | | | | +---w subject binary
2280 | | | | +---w attributes? binary
2281 | | | +--ro output
2282 | | | +--ro certificate-signing-r\
2283 \equest
2284 | | | binary
2285 | | +--:(keystore) {keystore-supported}?
2286 | | +--rw keystore-reference
2287 | | +--rw asymmetric-key?
2288 | | | ks:asymmetric-key-ref
2289 | | +--rw certificate? leafref
2290 | +--rw server-authentication
2291 | | +--rw ca-certs! {ts:x509-certificates}?
2292 | | | +--rw (local-or-truststore)
2293 | | | +--:(local)
2294 | | | | {local-definitions-supporte\
2295 \d}?
2296 | | | | +--rw local-definition
2297 | | | | +--rw cert*
2298 | | | | | trust-anchor-cert-cms
2299 | | | | +---n certificate-expiration
2300 | | | | +-- expiration-date
2301 | | | | yang:date-and-time
2302 | | | +--:(truststore)
2303 | | | {truststore-supported,x509-\
2304 \certificates}?
2305 | | | +--rw truststore-reference?
2306 | | | ts:certificates-ref
2307 | | +--rw server-certs! {ts:x509-certificates}?
2308 | | +--rw (local-or-truststore)
2309 | | +--:(local)
2310 | | | {local-definitions-supporte\
2311 \d}?
2312 | | | +--rw local-definition
2313 | | | +--rw cert*
2314 | | | | trust-anchor-cert-cms
2315 | | | +---n certificate-expiration
2316 | | | +-- expiration-date
2317 | | | yang:date-and-time
2318 | | +--:(truststore)
2319 | | {truststore-supported,x509-\
2320 \certificates}?
2321 | | +--rw truststore-reference?
2322 | | ts:certificates-ref
2323 | +--rw hello-params
2324 | | {tls-client-hello-params-config}?
2325 | | +--rw tls-versions
2326 | | | +--rw tls-version* identityref
2327 | | +--rw cipher-suites
2328 | | +--rw cipher-suite* identityref
2329 | +--rw keepalives! {tls-client-keepalives}?
2330 | +--rw max-wait? uint16
2331 | +--rw max-attempts? uint8
2332 +--rw http-client-parameters
2333 | +--rw protocol-version? enumeration
2334 | +--rw client-identity
2335 | | +--rw (auth-type)
2336 | | +--:(basic)
2337 | | +--rw basic {basic-auth}?
2338 | | +--rw user-id string
2339 | | +--rw password string
2340 | +--rw proxy-server! {proxy-connect}?
2341 | +--rw tcp-client-parameters
2342 | | +--rw remote-address inet:host
2343 | | +--rw remote-port? inet:port-number
2344 | | +--rw local-address? inet:ip-address
2345 | | | {local-binding-supported}?
2346 | | +--rw local-port? inet:port-number
2347 | | | {local-binding-supported}?
2348 | | +--rw keepalives!
2349 | | {keepalives-supported}?
2350 | | +--rw idle-time uint16
2351 | | +--rw max-probes uint16
2352 | | +--rw probe-interval uint16
2353 | +--rw tls-client-parameters
2354 | | +--rw client-identity
2355 | | | +--rw (local-or-keystore)
2356 | | | +--:(local)
2357 | | | | {local-definitions-suppo\
2358 \rted}?
2359 | | | | +--rw local-definition
2360 | | | | +--rw algorithm
2361 | | | | | asymmetric-key-algo\
2362 \rithm-t
2363 | | | | +--rw public-key-format?
2364 | | | | | identityref
2365 | | | | +--rw public-key
2366 | | | | | binary
2367 | | | | +--rw private-key-format?
2368 | | | | | identityref
2369 | | | | +--rw (private-key-type)
2370 | | | | | +--:(private-key)
2371 | | | | | | +--rw private-key?
2372 | | | | | | binary
2373 | | | | | +--:(hidden-private-key)
2374 | | | | | | +--rw hidden-private-\
2375 \key?
2376 | | | | | | empty
2377 | | | | | +--:(encrypted-private-k\
2378 \ey)
2379 | | | | | +--rw encrypted-priva\
2380 \te-key
2381 | | | | | +--rw (key-type)
2382 | | | | | | +--:(symmetric-\
2383 \key-ref)
2384 | | | | | | | +--rw symmet\
2385 \ric-key-ref? leafref
2386 | | | | | | | {key\
2387 \store-supported}?
2388 | | | | | | +--:(asymmetric\
2389 \-key-ref)
2390 | | | | | | +--rw asymme\
2391 \tric-key-ref? leafref
2392 | | | | | | {key\
2393 \store-supported}?
2394 | | | | | +--rw value?
2395 | | | | | binary
2396 | | | | +--rw cert?
2397 | | | | | end-entity-cert-cms
2398 | | | | +---n certificate-expiration
2399 | | | | | +-- expiration-date
2400 | | | | | yang:date-and-ti\
2401 \me
2402 | | | | +---x generate-certificate-\
2403 \signing-request
2404 | | | | +---w input
2405 | | | | | +---w subject
2406 | | | | | | binary
2407 | | | | | +---w attributes?
2408 | | | | | binary
2409 | | | | +--ro output
2410 | | | | +--ro certificate-sig\
2411 \ning-request
2412 | | | | binary
2413 | | | +--:(keystore)
2414 | | | {keystore-supported}?
2415 | | | +--rw keystore-reference
2416 | | | +--rw asymmetric-key?
2417 | | | | ks:asymmetric-key-r\
2418 \ef
2419 | | | +--rw certificate? lea\
2420 \fref
2421 | | +--rw server-authentication
2422 | | | +--rw ca-certs!
2423 | | | | {ts:x509-certificates}?
2424 | | | | +--rw (local-or-truststore)
2425 | | | | +--:(local)
2426 | | | | | {local-definitions-su\
2427 \pported}?
2428 | | | | | +--rw local-definition
2429 | | | | | +--rw cert*
2430 | | | | | | trust-anchor-cer\
2431 \t-cms
2432 | | | | | +---n certificate-expira\
2433 \tion
2434 | | | | | +-- expiration-date
2435 | | | | | yang:date-and\
2436 \-time
2437 | | | | +--:(truststore)
2438 | | | | {truststore-supported\
2439 \,x509-certificates}?
2440 | | | | +--rw truststore-reference?
2441 | | | | ts:certificates-ref
2442 | | | +--rw server-certs!
2443 | | | {ts:x509-certificates}?
2444 | | | +--rw (local-or-truststore)
2445 | | | +--:(local)
2446 | | | | {local-definitions-su\
2447 \pported}?
2448 | | | | +--rw local-definition
2449 | | | | +--rw cert*
2450 | | | | | trust-anchor-cer\
2451 \t-cms
2452 | | | | +---n certificate-expira\
2454 \tion
2455 | | | | +-- expiration-date
2456 | | | | yang:date-and\
2457 \-time
2458 | | | +--:(truststore)
2459 | | | {truststore-supported\
2460 \,x509-certificates}?
2461 | | | +--rw truststore-reference?
2462 | | | ts:certificates-ref
2463 | | +--rw hello-params
2464 | | | {tls-client-hello-params-config\
2465 \}?
2466 | | | +--rw tls-versions
2467 | | | | +--rw tls-version* identityref
2468 | | | +--rw cipher-suites
2469 | | | +--rw cipher-suite* identityref
2470 | | +--rw keepalives!
2471 | | {tls-client-keepalives}?
2472 | | +--rw max-wait? uint16
2473 | | +--rw max-attempts? uint8
2474 | +--rw proxy-client-identity
2475 | +--rw (auth-type)
2476 | +--:(basic)
2477 | +--rw basic {basic-auth}?
2478 | +--rw user-id string
2479 | +--rw password string
2480 +--rw restconf-client-parameters
2482 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
2484 The following tree diagram [RFC8340] provides an overview of the data
2485 model for the "ietf-restconf-server" module.
2487 This tree diagram shows all the nodes defined in this module,
2488 including those defined by "grouping" statements used by this module.
2490 Please see Section 3.1 for a tree diagram that illustrates what the
2491 module looks like without all the "grouping" statements expanded.
2493 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
2495 module: ietf-restconf-server
2496 +--rw restconf-server
2497 +--rw listen! {http-listen or https-listen}?
2498 | +--rw endpoint* [name]
2499 | +--rw name string
2500 | +--rw (transport)
2501 | +--:(http) {http-listen}?
2502 | | +--rw http
2503 | | +--rw external-endpoint!
2504 | | | +--rw address inet:ip-address
2505 | | | +--rw port? inet:port-number
2506 | | +--rw tcp-server-parameters
2507 | | | +--rw local-address inet:ip-address
2508 | | | +--rw local-port? inet:port-number
2509 | | | +--rw keepalives! {keepalives-supported}?
2510 | | | +--rw idle-time uint16
2511 | | | +--rw max-probes uint16
2512 | | | +--rw probe-interval uint16
2513 | | +--rw http-server-parameters
2514 | | | +--rw server-name? string
2515 | | | +--rw protocol-versions
2516 | | | | +--rw protocol-version* enumeration
2517 | | | +--rw client-authentication!
2518 | | | +--rw (required-or-optional)
2519 | | | | +--:(required)
2520 | | | | | +--rw required?
2521 | | | | | empty
2522 | | | | +--:(optional)
2523 | | | | +--rw optional?
2524 | | | | empty
2525 | | | +--rw (local-or-external)
2526 | | | +--:(local)
2527 | | | | {local-client-auth-supported}?
2528 | | | | +--rw users
2529 | | | | +--rw user* [user-id]
2530 | | | | +--rw user-id string
2531 | | | | +--rw (auth-type)?
2532 | | | | +--:(basic)
2533 | | | | +--rw basic {basic-auth}?
2534 | | | | +--rw user-id?
2535 | | | | | string
2536 | | | | +--rw password?
2537 | | | | ianach:crypt-\
2538 hash
2539 | | | +--:(external)
2540 | | | {external-client-auth-supporte\
2541 d}?
2542 | | | +--rw client-auth-defined-elsewhere?
2543 | | | empty
2544 | | +--rw restconf-server-parameters
2545 | | +--rw client-identification
2546 | | +--rw cert-maps
2547 | | +--rw cert-to-name* [id]
2548 | | +--rw id uint32
2549 | | +--rw fingerprint
2550 | | | x509c2n:tls-fingerprint
2551 | | +--rw map-type identityref
2552 | | +--rw name string
2553 | +--:(https) {https-listen}?
2554 | +--rw https
2555 | +--rw tcp-server-parameters
2556 | | +--rw local-address inet:ip-address
2557 | | +--rw local-port? inet:port-number
2558 | | +--rw keepalives! {keepalives-supported}?
2559 | | +--rw idle-time uint16
2560 | | +--rw max-probes uint16
2561 | | +--rw probe-interval uint16
2562 | +--rw tls-server-parameters
2563 | | +--rw server-identity
2564 | | | +--rw (local-or-keystore)
2565 | | | +--:(local)
2566 | | | | {local-definitions-supported}?
2567 | | | | +--rw local-definition
2568 | | | | +--rw algorithm
2569 | | | | | asymmetric-key-algorithm-t
2570 | | | | +--rw public-key-format?
2571 | | | | | identityref
2572 | | | | +--rw public-key
2573 | | | | | binary
2574 | | | | +--rw private-key-format?
2575 | | | | | identityref
2576 | | | | +--rw (private-key-type)
2577 | | | | | +--:(private-key)
2578 | | | | | | +--rw private-key?
2579 | | | | | | binary
2580 | | | | | +--:(hidden-private-key)
2581 | | | | | | +--rw hidden-private-key?
2582 | | | | | | empty
2583 | | | | | +--:(encrypted-private-key)
2584 | | | | | +--rw encrypted-private-key
2585 | | | | | +--rw (key-type)
2586 | | | | | | +--:(symmetric-key-re\
2587 f)
2588 | | | | | | | +--rw symmetric-ke\
2589 y-ref? leafref
2590 | | | | | | | {keystore-\
2591 supported}?
2592 | | | | | | +--:(asymmetric-key-r\
2593 ef)
2594 | | | | | | +--rw asymmetric-k\
2595 ey-ref? leafref
2596 | | | | | | {keystore-\
2597 supported}?
2598 | | | | | +--rw value?
2599 | | | | | binary
2600 | | | | +--rw cert?
2601 | | | | | end-entity-cert-cms
2602 | | | | +---n certificate-expiration
2603 | | | | | +-- expiration-date
2604 | | | | | yang:date-and-time
2605 | | | | +---x generate-certificate-signin\
2606 g-request
2607 | | | | +---w input
2608 | | | | | +---w subject binary
2609 | | | | | +---w attributes? binary
2610 | | | | +--ro output
2611 | | | | +--ro certificate-signing-r\
2612 equest
2613 | | | | binary
2614 | | | +--:(keystore) {keystore-supported}?
2615 | | | +--rw keystore-reference
2616 | | | +--rw asymmetric-key?
2617 | | | | ks:asymmetric-key-ref
2618 | | | +--rw certificate? leafref
2619 | | +--rw client-authentication!
2620 | | | +--rw (required-or-optional)
2621 | | | | +--:(required)
2622 | | | | | +--rw required?
2623 | | | | | empty
2624 | | | | +--:(optional)
2625 | | | | +--rw optional?
2626 | | | | empty
2627 | | | +--rw (local-or-external)
2628 | | | +--:(local)
2629 | | | | {local-client-auth-supported}?
2630 | | | | +--rw ca-certs!
2631 | | | | | {ts:x509-certificates}?
2632 | | | | | +--rw (local-or-truststore)
2633 | | | | | +--:(local)
2634 | | | | | | {local-definitions-su\
2635 pported}?
2636 | | | | | | +--rw local-definition
2637 | | | | | | +--rw cert*
2638 | | | | | | | trust-anchor-cer\
2639 t-cms
2640 | | | | | | +---n certificate-expira\
2641 tion
2642 | | | | | | +-- expiration-date
2643 | | | | | | yang:date-and\
2644 -time
2645 | | | | | +--:(truststore)
2646 | | | | | {truststore-supported\
2647 ,x509-certificates}?
2648 | | | | | +--rw truststore-reference?
2649 | | | | | ts:certificates-ref
2650 | | | | +--rw client-certs!
2651 | | | | {ts:x509-certificates}?
2652 | | | | +--rw (local-or-truststore)
2653 | | | | +--:(local)
2654 | | | | | {local-definitions-su\
2655 pported}?
2656 | | | | | +--rw local-definition
2657 | | | | | +--rw cert*
2658 | | | | | | trust-anchor-cer\
2659 t-cms
2660 | | | | | +---n certificate-expira\
2661 tion
2662 | | | | | +-- expiration-date
2663 | | | | | yang:date-and\
2664 -time
2665 | | | | +--:(truststore)
2666 | | | | {truststore-supported\
2667 ,x509-certificates}?
2668 | | | | +--rw truststore-reference?
2669 | | | | ts:certificates-ref
2670 | | | +--:(external)
2671 | | | {external-client-auth-supporte\
2672 d}?
2673 | | | +--rw client-auth-defined-elsewhere?
2674 | | | empty
2675 | | +--rw hello-params
2676 | | | {tls-server-hello-params-config}?
2677 | | | +--rw tls-versions
2678 | | | | +--rw tls-version* identityref
2679 | | | +--rw cipher-suites
2680 | | | +--rw cipher-suite* identityref
2681 | | +--rw keepalives! {tls-server-keepalives}?
2682 | | +--rw max-wait? uint16
2683 | | +--rw max-attempts? uint8
2684 | +--rw http-server-parameters
2685 | | +--rw server-name? string
2686 | | +--rw protocol-versions
2687 | | | +--rw protocol-version* enumeration
2688 | | +--rw client-authentication!
2689 | | +--rw (required-or-optional)
2690 | | | +--:(required)
2691 | | | | +--rw required?
2692 | | | | empty
2693 | | | +--:(optional)
2694 | | | +--rw optional?
2695 | | | empty
2696 | | +--rw (local-or-external)
2697 | | +--:(local)
2698 | | | {local-client-auth-supported}?
2699 | | | +--rw users
2700 | | | +--rw user* [user-id]
2701 | | | +--rw user-id string
2702 | | | +--rw (auth-type)?
2703 | | | +--:(basic)
2704 | | | +--rw basic {basic-auth}?
2705 | | | +--rw user-id?
2706 | | | | string
2707 | | | +--rw password?
2708 | | | ianach:crypt-\
2709 hash
2710 | | +--:(external)
2711 | | {external-client-auth-supporte\
2712 d}?
2713 | | +--rw client-auth-defined-elsewhere?
2714 | | empty
2715 | +--rw restconf-server-parameters
2716 | +--rw client-identification
2717 | +--rw cert-maps
2718 | +--rw cert-to-name* [id]
2719 | +--rw id uint32
2720 | +--rw fingerprint
2721 | | x509c2n:tls-fingerprint
2722 | +--rw map-type identityref
2723 | +--rw name string
2724 +--rw call-home! {https-call-home}?
2725 +--rw restconf-client* [name]
2726 +--rw name string
2727 +--rw endpoints
2728 | +--rw endpoint* [name]
2729 | +--rw name string
2730 | +--rw (transport)
2731 | +--:(https) {https-listen}?
2732 | +--rw https
2733 | +--rw tcp-client-parameters
2734 | | +--rw remote-address inet:host
2735 | | +--rw remote-port? inet:port-number
2736 | | +--rw local-address? inet:ip-address
2737 | | | {local-binding-supported}?
2738 | | +--rw local-port? inet:port-number
2739 | | | {local-binding-supported}?
2740 | | +--rw keepalives!
2741 | | {keepalives-supported}?
2742 | | +--rw idle-time uint16
2743 | | +--rw max-probes uint16
2744 | | +--rw probe-interval uint16
2745 | +--rw tls-server-parameters
2746 | | +--rw server-identity
2747 | | | +--rw (local-or-keystore)
2748 | | | +--:(local)
2749 | | | | {local-definitions-suppo\
2750 rted}?
2751 | | | | +--rw local-definition
2752 | | | | +--rw algorithm
2753 | | | | | asymmetric-key-algo\
2754 rithm-t
2755 | | | | +--rw public-key-format?
2756 | | | | | identityref
2757 | | | | +--rw public-key
2758 | | | | | binary
2759 | | | | +--rw private-key-format?
2760 | | | | | identityref
2761 | | | | +--rw (private-key-type)
2762 | | | | | +--:(private-key)
2763 | | | | | | +--rw private-key?
2764 | | | | | | binary
2765 | | | | | +--:(hidden-private-key)
2766 | | | | | | +--rw hidden-private-\
2767 key?
2768 | | | | | | empty
2769 | | | | | +--:(encrypted-private-k\
2770 ey)
2771 | | | | | +--rw encrypted-priva\
2772 te-key
2773 | | | | | +--rw (key-type)
2774 | | | | | | +--:(symmetric-\
2775 key-ref)
2776 | | | | | | | +--rw symmet\
2777 ric-key-ref? leafref
2778 | | | | | | | {key\
2779 store-supported}?
2780 | | | | | | +--:(asymmetric\
2781 -key-ref)
2782 | | | | | | +--rw asymme\
2783 tric-key-ref? leafref
2784 | | | | | | {key\
2785 store-supported}?
2786 | | | | | +--rw value?
2787 | | | | | binary
2788 | | | | +--rw cert?
2789 | | | | | end-entity-cert-cms
2790 | | | | +---n certificate-expiration
2791 | | | | | +-- expiration-date
2792 | | | | | yang:date-and-ti\
2793 me
2794 | | | | +---x generate-certificate-\
2795 signing-request
2796 | | | | +---w input
2797 | | | | | +---w subject
2798 | | | | | | binary
2799 | | | | | +---w attributes?
2800 | | | | | binary
2801 | | | | +--ro output
2802 | | | | +--ro certificate-sig\
2803 ning-request
2804 | | | | binary
2805 | | | +--:(keystore)
2806 | | | {keystore-supported}?
2807 | | | +--rw keystore-reference
2808 | | | +--rw asymmetric-key?
2809 | | | | ks:asymmetric-key-r\
2810 ef
2811 | | | +--rw certificate? lea\
2812 fref
2813 | | +--rw client-authentication!
2814 | | | +--rw (required-or-optional)
2815 | | | | +--:(required)
2816 | | | | | +--rw required?
2817 | | | | | empty
2818 | | | | +--:(optional)
2819 | | | | +--rw optional?
2820 | | | | empty
2821 | | | +--rw (local-or-external)
2822 | | | +--:(local)
2823 | | | | {local-client-auth-suppo\
2824 rted}?
2825 | | | | +--rw ca-certs!
2826 | | | | | {ts:x509-certificates}?
2827 | | | | | +--rw (local-or-truststore)
2828 | | | | | +--:(local)
2829 | | | | | | {local-definiti\
2830 ons-supported}?
2831 | | | | | | +--rw local-definition
2832 | | | | | | +--rw cert*
2833 | | | | | | | trust-anch\
2834 or-cert-cms
2835 | | | | | | +---n certificate-\
2836 expiration
2837 | | | | | | +-- expiration-\
2839 date
2840 | | | | | | yang:da\
2841 te-and-time
2842 | | | | | +--:(truststore)
2843 | | | | | {truststore-sup\
2844 ported,x509-certificates}?
2845 | | | | | +--rw truststore-refe\
2846 rence?
2847 | | | | | ts:certificat\
2848 es-ref
2849 | | | | +--rw client-certs!
2850 | | | | {ts:x509-certificates}?
2851 | | | | +--rw (local-or-truststore)
2852 | | | | +--:(local)
2853 | | | | | {local-definiti\
2854 ons-supported}?
2855 | | | | | +--rw local-definition
2856 | | | | | +--rw cert*
2857 | | | | | | trust-anch\
2858 or-cert-cms
2859 | | | | | +---n certificate-\
2860 expiration
2861 | | | | | +-- expiration-\
2862 date
2863 | | | | | yang:da\
2864 te-and-time
2865 | | | | +--:(truststore)
2866 | | | | {truststore-sup\
2867 ported,x509-certificates}?
2868 | | | | +--rw truststore-refe\
2869 rence?
2870 | | | | ts:certificat\
2871 es-ref
2872 | | | +--:(external)
2873 | | | {external-client-auth-su\
2874 pported}?
2875 | | | +--rw client-auth-defined-else\
2876 where?
2877 | | | empty
2878 | | +--rw hello-params
2879 | | | {tls-server-hello-params-config\
2880 }?
2881 | | | +--rw tls-versions
2882 | | | | +--rw tls-version* identityref
2883 | | | +--rw cipher-suites
2884 | | | +--rw cipher-suite* identityref
2885 | | +--rw keepalives!
2886 | | {tls-server-keepalives}?
2887 | | +--rw max-wait? uint16
2888 | | +--rw max-attempts? uint8
2889 | +--rw http-server-parameters
2890 | | +--rw server-name? string
2891 | | +--rw protocol-versions
2892 | | | +--rw protocol-version* enumeration
2893 | | +--rw client-authentication!
2894 | | +--rw (required-or-optional)
2895 | | | +--:(required)
2896 | | | | +--rw required?
2897 | | | | empty
2898 | | | +--:(optional)
2899 | | | +--rw optional?
2900 | | | empty
2901 | | +--rw (local-or-external)
2902 | | +--:(local)
2903 | | | {local-client-auth-suppo\
2904 rted}?
2905 | | | +--rw users
2906 | | | +--rw user* [user-id]
2907 | | | +--rw user-id
2908 | | | | string
2909 | | | +--rw (auth-type)?
2910 | | | +--:(basic)
2911 | | | +--rw basic
2912 | | | {basic-aut\
2913 h}?
2914 | | | +--rw user-id?
2915 | | | | string
2916 | | | +--rw password?
2917 | | | ianach:\
2918 crypt-hash
2919 | | +--:(external)
2920 | | {external-client-auth-su\
2921 pported}?
2922 | | +--rw client-auth-defined-else\
2923 where?
2924 | | empty
2925 | +--rw restconf-server-parameters
2926 | +--rw client-identification
2927 | +--rw cert-maps
2928 | +--rw cert-to-name* [id]
2929 | +--rw id uint32
2930 | +--rw fingerprint
2931 | | x509c2n:tls-fingerprint
2932 | +--rw map-type
2933 | | identityref
2934 | +--rw name string
2935 +--rw connection-type
2936 | +--rw (connection-type)
2937 | +--:(persistent-connection)
2938 | | +--rw persistent!
2939 | +--:(periodic-connection)
2940 | +--rw periodic!
2941 | +--rw period? uint16
2942 | +--rw anchor-time? yang:date-and-time
2943 | +--rw idle-timeout? uint16
2944 +--rw reconnect-strategy
2945 +--rw start-with? enumeration
2946 +--rw max-attempts? uint8
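The two expanded trees above enumerate every node but show no instance data, and the nodes that matter most to a reviewer are scattered across four sibling containers of one endpoint: "tls-server-parameters/client-authentication" (required vs. optional, and which trust anchors), "hello-params/tls-versions", "http-server-parameters/client-authentication/users" (whose "password" is an "ianach:crypt-hash", so a "$0$" value is cleartext that has not yet been hashed), and "restconf-server-parameters/client-identification/cert-maps" (whose "fingerprint" carries the hash algorithm in its first octet). The following Python is an added example, not code from the draft or its author: it builds one "ietf-restconf-server" listen endpoint in RFC 7951 JSON form, following the tree exactly, and lints those leaves. The keystore and truststore entry names, the server name, and the "ietf-tls-common" identity names ("tls-1.0" through "tls-1.3") are assumptions; the certificate bytes are constructed.

```python
import hashlib
import re

# x509c2n:tls-fingerprint (RFC 7407): first octet is the RFC 5246 HashAlgorithm id,
# the remaining octets are the digest, so the octet count must match the algorithm.
FP_ALGS = {1: ("md5", 16), 2: ("sha1", 20), 3: ("sha224", 28),
           4: ("sha256", 32), 5: ("sha384", 48), 6: ("sha512", 64)}
FP_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){1,255}$")
# Local names of the ietf-tls-common tls-version identities to refuse (assumed names).
OBSOLETE_TLS = {"tls-1.0", "tls-1.1"}

def fingerprint(alg_id, der):
    """Build a tls-fingerprint string over (constructed) certificate bytes."""
    digest = hashlib.new(FP_ALGS[alg_id][0], der).digest()
    return ":".join([f"{alg_id:02x}"] + [f"{b:02x}" for b in digest])

def check_fingerprint(fp):
    """Finding for a malformed or weak tls-fingerprint, else None."""
    if not FP_RE.match(fp):
        return f"fingerprint {fp!r} is not a tls-fingerprint"
    octets = fp.split(":")
    name, digest_len = FP_ALGS.get(int(octets[0], 16), ("unknown", -1))
    if len(octets) - 1 != digest_len:
        return f"fingerprint length does not match hash {name}"
    return f"fingerprint uses weak hash {name}" if name in ("md5", "sha1") else None

def check_password(pw):
    """ianach:crypt-hash (RFC 7317): '$0$' cleartext, '$1$' MD5-crypt, '$5$'/'$6$' SHA-crypt."""
    if pw.startswith("$0$"):
        return "basic-auth password is cleartext ($0$)"
    if not pw.startswith(("$5$", "$6$")):
        return "basic-auth password is not SHA-256/SHA-512 crypt"
    return None

def lint_endpoint(ep):
    """Findings for one listen/endpoint; RFC 7951 omits choice/case names, so 'https' sits directly under it."""
    out, name = [], ep["name"]
    if "https" not in ep:
        out.append(f"{name}: cleartext http endpoint, only valid behind a TLS terminator")
        return out
    https = ep["https"]
    tls = https["tls-server-parameters"]
    cauth = tls.get("client-authentication")
    if cauth is None:
        out.append(f"{name}: TLS client authentication not configured")
    else:
        if "required" not in cauth:
            out.append(f"{name}: TLS client authentication is optional")
        if not any(k in cauth for k in
                   ("ca-certs", "client-certs", "client-auth-defined-elsewhere")):
            out.append(f"{name}: no trust anchors for TLS client certificates")
    hello = tls.get("hello-params", {}).get("tls-versions", {})
    for v in hello.get("tls-version", []):
        if v.rsplit(":", 1)[-1] in OBSOLETE_TLS:
            out.append(f"{name}: obsolete TLS version {v} enabled")
    hauth = https["http-server-parameters"].get("client-authentication", {})
    for user in hauth.get("users", {}).get("user", []):
        pw = user.get("basic", {}).get("password")
        finding = check_password(pw) if pw is not None else None
        if finding:
            out.append(f"{name}: user {user['user-id']}: {finding}")
    maps = https["restconf-server-parameters"]["client-identification"]["cert-maps"]
    for m in maps.get("cert-to-name", []):
        finding = check_fingerprint(m["fingerprint"])
        if finding:
            out.append(f"{name}: cert-to-name {m['id']}: {finding}")
    return out

def lint_config(cfg):
    listen = cfg["ietf-restconf-server:restconf-server"].get("listen", {})
    return [f for ep in listen.get("endpoint", []) for f in lint_endpoint(ep)]

def server_config(tls_versions, require_client_auth, fp, password=None):
    """One https listen endpoint in RFC 7951 JSON form; keystore/truststore names are assumed."""
    cauth = {"ca-certs": {"truststore-reference": "mgmt-client-cas"}}
    cauth["required" if require_client_auth else "optional"] = [None]  # leaf of type empty
    http = {"server-name": "restconf.example.com"}
    if password is not None:  # HTTP basic auth on top of TLS client certificates
        http["client-authentication"] = {"required": [None], "users": {"user": [
            {"user-id": "admin", "basic": {"user-id": "admin", "password": password}}]}}
    return {"ietf-restconf-server:restconf-server": {"listen": {"endpoint": [{
        "name": "mgmt",
        "https": {
            "tcp-server-parameters": {"local-address": "192.0.2.10", "local-port": 443},
            "tls-server-parameters": {
                "server-identity": {"keystore-reference": {
                    "asymmetric-key": "rc-server-key", "certificate": "rc-server-cert"}},
                "client-authentication": cauth,
                "hello-params": {"tls-versions": {"tls-version": tls_versions}}},
            "http-server-parameters": http,
            "restconf-server-parameters": {"client-identification": {"cert-maps": {
                "cert-to-name": [{"id": 1, "fingerprint": fp,
                                  "map-type": "ietf-x509-cert-to-name:specified",
                                  "name": "admin"}]}}}}}]}}}

CLIENT_CERT = b"constructed DER bytes standing in for the admin client certificate"
HARDENED = server_config(["ietf-tls-common:tls-1.2", "ietf-tls-common:tls-1.3"],
                         True, fingerprint(4, CLIENT_CERT))
WEAK = server_config(["ietf-tls-common:tls-1.0"], False, fingerprint(2, CLIENT_CERT),
                     password="$0$hunter2")
```

lint_config(HARDENED) returns no findings; lint_config(WEAK) reports the optional client authentication, the TLS 1.0 identity, the "$0$" password and the SHA-1 fingerprint. json.dumps(HARDENED) is the document a RESTCONF client would PUT to the server; note that a "$0$" password is legal on the wire (the server hashes it on receipt), so the check is meant for configuration at rest, where only "$5$"/"$6$" values should appear.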
2948 Appendix B. Change Log
2950 B.1. 00 to 01
2952 o Renamed "keychain" to "keystore".
2954 B.2. 01 to 02
2956 o Filled in previously missing 'ietf-restconf-client' module.
2958 o Updated the ietf-restconf-server module to accommodate new
2959 grouping 'ietf-tls-server-grouping'.
2961 B.3. 02 to 03
2963 o Refined use of tls-client-grouping to add a must statement
2964 indicating that the TLS client must specify a client-certificate.
2966 o Changed restconf-client??? to be a grouping (not a container).
2968 B.4. 03 to 04
2970 o Added RFC 8174 to Requirements Language Section.
2972 o Replaced refine statement in ietf-restconf-client to add a
2973 mandatory true.
2975 o Added refine statement in ietf-restconf-server to add a must
2976 statement.
2978 o Now there are containers and groupings, for both the client and
2979 server models.
2981 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.
2982 o Updated examples to inline key and certificates (no longer a
2983 leafref to keystore).
2985 B.5. 04 to 05
2987 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.
2989 o Updated examples to inline key and certificates (no longer a
2990 leafref to keystore).
2992 B.6. 05 to 06
2994 o Fixed change log missing section issue.
2996 o Updated examples to match latest updates to the crypto-types,
2997 trust-anchors, and keystore drafts.
2999 o Reduced line length of the YANG modules to fit within 69 columns.
3001 B.7. 06 to 07
3003 o removed "idle-timeout" from "persistent" connection config.
3005 o Added "random-selection" for reconnection-strategy's "starts-with"
3006 enum.
3008 o Replaced "connection-type" choice default (persistent) with
3009 "mandatory true".
3011 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
3012 minutes.
3014 o Replaced reconnect-timeout with period/anchor-time combo.
3016 B.8. 07 to 08
3018 o Modified examples to be compatible with new crypto-types algorithms.
3020 B.9. 08 to 09
3022 o Corrected use of "mandatory true" for "address" leafs.
3024 o Updated examples to reflect update to groupings defined in the
3025 keystore draft.
3027 o Updated to use groupings defined in new TCP and HTTP drafts.
3029 o Updated copyright date, boilerplate template, affiliation, and
3030 folding algorithm.
3032 B.10. 09 to 10
3034 o Reformatted YANG modules.
3036 B.11. 10 to 11
3038 o Adjusted for the top-level "demux container" added to groupings
3039 imported from other modules.
3041 o Added "must" expressions to ensure that keepalives are not
3042 configured for "periodic" connections.
3044 o Updated the boilerplate text in module-level "description"
3045 statement to match copyeditor convention.
3047 o Moved "expanded" tree diagrams to the Appendix.
3049 B.12. 11 to 12
3051 o Removed the 'must' statement limiting keepalives in periodic
3052 connections.
3054 o Updated models and examples to reflect removal of the "demux"
3055 containers in the imported models.
3057 o Updated the "periodic-connection" description statements to
3058 better describe behavior when connections are not closed
3059 gracefully.
3061 o Updated text to better reference where certain examples come from
3062 (e.g., which Section in which draft).
3064 o In the server model, commented out the "must 'pinned-ca-certs or
3065 pinned-client-certs'" statement to reflect change made in the TLS
3066 draft whereby the trust anchors MAY be defined externally.
3068 o Replaced the 'listen', 'initiate', and 'call-home' features with
3069 boolean expressions.
3071 B.13. 12 to 13
3073 o Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
3074 anchors/truststore/g + s/pinned.//)
3076 o In ietf-restconf-server, added 'http-listen' (not https-listen)
3077 choice, to support case when server is behind a TLS-terminator.
3079 o Refactored server module to be more like other 'server' models.
3080 If folks like it, will also apply to the client model, as well as
3081 to both the netconf client/server models. Now the 'restconf-
3082 server-grouping' is just the RC-specific bits (i.e., the "demux"
3083 container minus the container), 'restconf-server-
3084 [listen|callhome]-stack-grouping' is the protocol stack for a
3085 single connection, and 'restconf-server-app-grouping' is
3086 effectively what was before (both listen+callhome for many
3087 inbound/outbound endpoints).
3089 B.14. 13 to 14
3091 o Updated examples to reflect ietf-crypto-types change (e.g.,
3092 identities --> enumerations)
3094 o Adjusting from change in TLS client model (removing the top-level
3095 'certificate' container).
3097 o Added "external-endpoint" to the "http-listen" choice in ietf-
3098 restconf-server.
3100 B.15. 14 to 15
3102 o Added missing "or https-listen" clause in a "must" expression.
3104 o Refactored the client module similar to how the server module was
3105 refactored in -13. Now the 'restconf-client-grouping' is just the
3106 RC-specific bits, the 'restconf-client-[initiate|listen]-stack-
3107 grouping' is the protocol stack for a single connection, and
3108 'restconf-client-app-grouping' is effectively what was before
3109 (both listen+callhome for many inbound/outbound endpoints).
3111 Acknowledgements
3113 The authors would like to thank the following for lively discussions
3114 on list and in the halls (ordered by first name): Alan Luchuk, Andy
3115 Bierman, Balazs Kovacs, Benoit Claise, Bert Wijnen, David Lamparter,
3116 Juergen Schoenwaelder, Ladislav Lhotka, Martin Bjorklund, Mehmet
3117 Ersue, Phil Shafer, Radek Krejci, Ramkumar Dhanapal, Sean Turner, and
3118 Tom Petch.
3120 Author's Address
3122 Kent Watsen
3123 Watsen Networks
3125 EMail: kent+ietf@watsen.net