idnits 2.17.1
draft-ietf-netconf-restconf-client-server-17.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 914 has weird spacing: '...address ine...'
== Line 1946 has weird spacing: '...address ine...'
== Line 1956 has weird spacing: '...nterval uin...'
== Line 2247 has weird spacing: '...assword str...'
== Line 2250 has weird spacing: '...address ine...'
== (15 more instances...)
-- The document date (November 20, 2019) is 1618 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-14
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-16
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-07
Summary: 0 errors (**), 0 flaws (~~), 10 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track November 20, 2019
5 Expires: May 23, 2020
7 RESTCONF Client and Server Models
8 draft-ietf-netconf-restconf-client-server-17
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 RESTCONF client and the other module to configure a RESTCONF server.
14 Both modules support the TLS transport protocol with both standard
15 RESTCONF and RESTCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains many placeholder values that need to be replaced
20 with finalized values at the time of publication. This note
21 summarizes all of the substitutions that are needed. No other RFC
22 Editor instructions are specified elsewhere in this document.
24 This document contains references to other drafts in progress, both
25 in the Normative References section, as well as in body text
26 throughout. Please update the following references to reflect their
27 final RFC assignments:
29 o I-D.ietf-netconf-keystore
31 o I-D.ietf-netconf-tcp-client-server
33 o I-D.ietf-netconf-tls-client-server
35 o I-D.ietf-netconf-http-client-server
37 Artwork in this document contains shorthand references to drafts in
38 progress. Please apply the following replacements:
40 o "XXXX" --> the assigned RFC value for this draft
42 o "AAAA" --> the assigned RFC value for I-D.ietf-netconf-tcp-client-
43 server
45 o "BBBB" --> the assigned RFC value for I-D.ietf-netconf-tls-client-
46 server
48 o "CCCC" --> the assigned RFC value for I-D.ietf-netconf-http-
49 client-server
51 Artwork in this document contains placeholder values for the date of
52 publication of this draft. Please apply the following replacement:
54 o "2019-11-20" --> the publication date of this draft
56 The following Appendix section is to be removed prior to publication:
58 o Appendix B. Change Log
60 Status of This Memo
62 This Internet-Draft is submitted in full conformance with the
63 provisions of BCP 78 and BCP 79.
65 Internet-Drafts are working documents of the Internet Engineering
66 Task Force (IETF). Note that other groups may also distribute
67 working documents as Internet-Drafts. The list of current Internet-
68 Drafts is at https://datatracker.ietf.org/drafts/current/.
70 Internet-Drafts are draft documents valid for a maximum of six months
71 and may be updated, replaced, or obsoleted by other documents at any
72 time. It is inappropriate to use Internet-Drafts as reference
73 material or to cite them other than as "work in progress."
75 This Internet-Draft will expire on May 23, 2020.
77 Copyright Notice
79 Copyright (c) 2019 IETF Trust and the persons identified as the
80 document authors. All rights reserved.
82 This document is subject to BCP 78 and the IETF Trust's Legal
83 Provisions Relating to IETF Documents
84 (https://trustee.ietf.org/license-info) in effect on the date of
85 publication of this document. Please review these documents
86 carefully, as they describe your rights and restrictions with respect
87 to this document. Code Components extracted from this document must
88 include Simplified BSD License text as described in Section 4.e of
89 the Trust Legal Provisions and are provided without warranty as
90 described in the Simplified BSD License.
92 Table of Contents
94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
95 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
96 2. The RESTCONF Client Model . . . . . . . . . . . . . . . . . . 4
97 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
98 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
99 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 9
100 3. The RESTCONF Server Model . . . . . . . . . . . . . . . . . . 19
101 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 19
102 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 21
103 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 25
104 4. Security Considerations . . . . . . . . . . . . . . . . . . . 37
105 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
106 5.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 38
107 5.2. The YANG Module Names Registry . . . . . . . . . . . . . 38
108 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 39
109 6.1. Normative References . . . . . . . . . . . . . . . . . . 39
110 6.2. Informative References . . . . . . . . . . . . . . . . . 40
111 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 41
112 A.1. Expanded Tree Diagram for 'ietf-restconf-client' . . . . 41
113 A.2. Expanded Tree Diagram for 'ietf-restconf-server' . . . . 66
114 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 80
115 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 80
116 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 80
117 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 80
118 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 81
119 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 81
120 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 81
121 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 81
122 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 82
123 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 82
124 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 82
125 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 82
126 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 82
127 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 83
128 B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 83
129 B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 83
130 B.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 84
131 B.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 84
132 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 84
133 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 84
135 1. Introduction
137 This document defines two YANG [RFC7950] modules, one module to
138 configure a RESTCONF client and the other module to configure a
139 RESTCONF server [RFC8040]. Both modules support the TLS [RFC8446]
140 transport protocol with both standard RESTCONF and RESTCONF Call Home
141 connections [RFC8071].
143 1.1. Terminology
145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
147 "OPTIONAL" in this document are to be interpreted as described in BCP
148 14 [RFC2119] [RFC8174] when, and only when, they appear in all
149 capitals, as shown here.
151 2. The RESTCONF Client Model
153 The RESTCONF client model presented in this section supports both
154 clients initiating connections to servers, as well as clients
155 listening for connections from servers calling home.
157 YANG feature statements are used to enable implementations to
158 advertise which potentially uncommon parts of the model the RESTCONF
159 client supports.
161 2.1. Tree Diagram
163 The following tree diagram [RFC8340] provides an overview of the data
164 model for the "ietf-restconf-client" module.
166 This tree diagram only shows the nodes defined in this module; it
167 does not show the nodes defined by "grouping" statements used by this
168 module.
170 Please see Appendix A.1 for a tree diagram that illustrates what the
171 module looks like with all the "grouping" statements expanded.
173 module: ietf-restconf-client
174 +--rw restconf-client
175 +---u restconf-client-app-grouping
177 grouping restconf-client-grouping
178 grouping restconf-client-initiate-stack-grouping
179 +-- (transport)
180 +--:(https) {https-initiate}?
181 +-- https
182 +-- tcp-client-parameters
183 | +---u tcpc:tcp-client-grouping
184 +-- tls-client-parameters
185 | +---u tlsc:tls-client-grouping
186 +-- http-client-parameters
187 | +---u httpc:http-client-grouping
188 +-- restconf-client-parameters
189 grouping restconf-client-listen-stack-grouping
190 +-- (transport)
191 +--:(http) {http-listen}?
192 | +-- FIXME
193 +--:(https) {https-listen}?
194 +-- https
195 +-- tcp-server-parameters
196 | +---u tcps:tcp-server-grouping
197 +-- tls-client-parameters
198 | +---u tlsc:tls-client-grouping
199 +-- http-client-parameters
200 | +---u httpc:http-client-grouping
201 +-- restconf-client-parameters
202 grouping restconf-client-app-grouping
203 +-- initiate! {https-initiate}?
204 | +-- restconf-server* [name]
205 | +-- name? string
206 | +-- endpoints
207 | | +-- endpoint* [name]
208 | | +-- name? string
209 | | +---u restconf-client-initiate-stack-grouping
210 | +-- connection-type
211 | | +-- (connection-type)
212 | | +--:(persistent-connection)
213 | | | +-- persistent!
214 | | +--:(periodic-connection)
215 | | +-- periodic!
216 | | +-- period? uint16
217 | | +-- anchor-time? yang:date-and-time
218 | | +-- idle-timeout? uint16
219 | +-- reconnect-strategy
220 | +-- start-with? enumeration
221 | +-- max-attempts? uint8
222 +-- listen! {http-listen or https-listen}?
223 +-- idle-timeout? uint16
224 +-- endpoint* [name]
225 +-- name? string
226 +---u restconf-client-listen-stack-grouping
228 2.2. Example Usage
230 The following example illustrates configuring a RESTCONF client to
231 initiate connections, as well as listen for call-home connections.
233 This example is consistent with the examples presented in Section 2
234 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
235 [I-D.ietf-netconf-keystore].
237 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
   [The XML instance example for this section did not survive extraction.]

   2.3.  YANG Module
file "ietf-restconf-client@2019-11-20.yang"
413 module ietf-restconf-client {
414 yang-version 1.1;
415 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
416 prefix rcc;
418 import ietf-yang-types {
419 prefix yang;
420 reference
421 "RFC 6991: Common YANG Data Types";
422 }
424 import ietf-tcp-client {
425 prefix tcpc;
426 reference
427 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
428 }
429 import ietf-tcp-server {
430 prefix tcps;
431 reference
432 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
433 }
435 import ietf-tls-client {
436 prefix tlsc;
437 reference
438 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
439 }
441 import ietf-http-client {
442 prefix httpc;
443 reference
444 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
445 }
447 organization
448 "IETF NETCONF (Network Configuration) Working Group";
450 contact
451 "WG Web:
452 WG List:
453 Author: Kent Watsen
454 Author: Gary Wu ";
456 description
457 "This module contains a collection of YANG definitions
458 for configuring RESTCONF clients.
460 Copyright (c) 2019 IETF Trust and the persons identified
461 as authors of the code. All rights reserved.
463 Redistribution and use in source and binary forms, with
464 or without modification, is permitted pursuant to, and
465 subject to the license terms contained in, the Simplified
466 BSD License set forth in Section 4.c of the IETF Trust's
467 Legal Provisions Relating to IETF Documents
468 (https://trustee.ietf.org/license-info).
470 This version of this YANG module is part of RFC XXXX
471 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
472 itself for full legal notices.
474 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
475 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
476 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
477 are to be interpreted as described in BCP 14 (RFC 2119)
478 (RFC 8174) when, and only when, they appear in all
479 capitals, as shown here.";
481 revision 2019-11-20 {
482 description
483 "Initial version";
484 reference
485 "RFC XXXX: RESTCONF Client and Server Models";
486 }
488 // Features
490 feature https-initiate {
491 description
492 "The 'https-initiate' feature indicates that the RESTCONF
493 client supports initiating HTTPS connections to RESTCONF
494 servers. This feature exists as HTTPS might not be a
495 mandatory-to-implement transport in the future.";
496 reference
497 "RFC 8040: RESTCONF Protocol";
498 }
500 feature http-listen {
501 description
502 "The 'http-listen' feature indicates that the RESTCONF client
503 supports opening a port to listen for incoming RESTCONF
504 server call-home connections. This feature exists as not
505 all RESTCONF clients may support RESTCONF call home.";
506 reference
507 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
508 }
510 feature https-listen {
511 description
512 "The 'https-listen' feature indicates that the RESTCONF client
513 supports opening a port to listen for incoming RESTCONF
514 server call-home connections. This feature exists as not
515 all RESTCONF clients may support RESTCONF call home.";
516 reference
517 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
518 }
520 // Groupings
522 grouping restconf-client-grouping {
523 description
524 "A reusable grouping for configuring a RESTCONF client
525 without any consideration for how underlying transport
526 sessions are established.
528 This grouping currently doesn't define any nodes.";
529 }
531 grouping restconf-client-initiate-stack-grouping {
532 description
533 "A reusable grouping for configuring a RESTCONF client
534 'initiate' protocol stack for a single connection.";
536 choice transport {
537 mandatory true;
538 description
539 "Selects between available transports. This is a
540 'choice' statement so as to support additional
541 transport options to be augmented in.";
542 case https {
543 if-feature "https-initiate";
544 container https {
545 description
546 "Specifies HTTPS-specific transport
547 configuration.";
548 container tcp-client-parameters {
549 description
550 "A wrapper around the TCP client parameters
551 to avoid name collisions.";
552 uses tcpc:tcp-client-grouping {
553 refine "remote-port" {
554 default "443";
555 description
556 "The RESTCONF client will attempt to
557 connect to the IANA-assigned well-known
558 port value for 'https' (443) if no value
559 is specified.";
560 }
561 }
562 }
563 container tls-client-parameters {
564 must 'client-identity' {
565 description
566 "NETCONF/TLS clients MUST pass some
567 authentication credentials.";
568 }
569 description
570 "A wrapper around the TLS client parameters
571 to avoid name collisions.";
572 uses tlsc:tls-client-grouping;
574 }
575 container http-client-parameters {
576 description
577 "A wrapper around the HTTP client parameters
578 to avoid name collisions.";
579 uses httpc:http-client-grouping;
580 }
581 container restconf-client-parameters {
582 description
583 "A wrapper around the RESTCONF client parameters
584 to avoid name collisions.";
585 uses rcc:restconf-client-grouping;
586 }
587 }
588 }
589 }
590 } // restconf-client-initiate-stack-grouping
592 grouping restconf-client-listen-stack-grouping {
593 description
594 "A reusable grouping for configuring a RESTCONF client
595 'listen' protocol stack for a single connection.";
596 choice transport {
597 mandatory true;
598 description
599 "Selects between available transports. This is a
600 'choice' statement so as to support additional
601 transport options to be augmented in.";
602 case http {
603 if-feature "http-listen";
604 container FIXME {
605 description
606 "FIXME";
607 }
608 }
609 case https {
610 if-feature "https-listen";
611 container https {
612 description
613 "HTTPS-specific listening configuration for inbound
614 connections.";
615 container tcp-server-parameters {
616 description
617 "A wrapper around the TCP server parameters
618 to avoid name collisions.";
619 uses tcps:tcp-server-grouping {
620 refine "local-port" {
621 default "4336";
622 description
623 "The RESTCONF client will listen on the IANA-
624 assigned well-known port for 'restconf-ch-tls'
625 (4336) if no value is specified.";
626 }
627 }
628 }
629 container tls-client-parameters {
630 must 'client-identity' {
631 description
632 "NETCONF/TLS clients MUST pass some
633 authentication credentials.";
634 }
635 description
636 "A wrapper around the TLS client parameters
637 to avoid name collisions.";
638 uses tlsc:tls-client-grouping;
639 }
640 container http-client-parameters {
641 description
642 "A wrapper around the HTTP client parameters
643 to avoid name collisions.";
644 uses httpc:http-client-grouping;
645 }
646 container restconf-client-parameters {
647 description
648 "A wrapper around the RESTCONF client parameters
649 to avoid name collisions.";
650 uses rcc:restconf-client-grouping;
651 }
652 }
653 }
654 }
655 } // restconf-client-listen-stack-grouping
657 grouping restconf-client-app-grouping {
658 description
659 "A reusable grouping for configuring a RESTCONF client
660 application that supports both 'initiate' and 'listen'
661 protocol stacks for a multiplicity of connections.";
662 container initiate {
663 if-feature "https-initiate";
664 presence "Enables client to initiate TCP connections";
665 description
666 "Configures client initiating underlying TCP connections.";
667 list restconf-server {
668 key "name";
669 min-elements 1;
670 description
671 "List of RESTCONF servers the RESTCONF client is to
672 maintain simultaneous connections with.";
673 leaf name {
674 type string;
675 description
676 "An arbitrary name for the RESTCONF server.";
677 }
678 container endpoints {
679 description
680 "Container for the list of endpoints.";
681 list endpoint {
682 key "name";
683 min-elements 1;
684 ordered-by user;
685 description
686 "A non-empty user-ordered list of endpoints for this
687 RESTCONF client to try to connect to in sequence.
688 Defining more than one enables high-availability.";
689 leaf name {
690 type string;
691 description
692 "An arbitrary name for this endpoint.";
693 }
694 uses restconf-client-initiate-stack-grouping;
695 }
696 }
697 container connection-type {
698 description
699 "Indicates the RESTCONF client's preference for how
700 the RESTCONF connection is maintained.";
701 choice connection-type {
702 mandatory true;
703 description
704 "Selects between available connection types.";
705 case persistent-connection {
706 container persistent {
707 presence "Indicates that a persistent connection
708 is to be maintained.";
709 description
710 "Maintain a persistent connection to the
711 RESTCONF server. If the connection goes down,
712 immediately start trying to reconnect to the
713 RESTCONF server, using the reconnection strategy.
715 This connection type minimizes any RESTCONF server
716 to RESTCONF client data-transfer delay, albeit
717 at the expense of holding resources longer.";
719 }
720 }
721 case periodic-connection {
722 container periodic {
723 presence "Indicates that a periodic connection is
724 to be maintained.";
725 description
726 "Periodically connect to the RESTCONF server.
728 This connection type increases resource
729 utilization, albeit with increased delay
730 in RESTCONF server to RESTCONF client
731 interactions.
733 The RESTCONF client SHOULD gracefully close
734 the underlying TLS connection upon completing
735 planned activities.
737 In the case that the previous connection is
738 still active, establishing a new connection
739 is NOT RECOMMENDED.";
740 leaf period {
741 type uint16;
742 units "minutes";
743 default "60";
744 description
745 "Duration of time between periodic
746 connections.";
747 }
748 leaf anchor-time {
749 type yang:date-and-time {
750 // constrained to minute-level granularity
751 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
752 + '(Z|[\+\-]\d{2}:\d{2})';
753 }
754 description
755 "Designates a timestamp before or after which
756 a series of periodic connections are
757 determined. The periodic connections occur
758 at a whole multiple interval from the anchor
759 time. For example, if the anchor time is 15
760 minutes past midnight and the period is
761 24 hours, then a periodic connection will
762 occur 15 minutes past midnight every day.";
763 }
764 leaf idle-timeout {
765 type uint16;
766 units "seconds";
767 default 120; // two minutes
768 description
769 "Specifies the maximum number of seconds
770 that the underlying TCP session may remain
771 idle. A TCP session will be dropped if it
772 is idle for an interval longer than this
773 number of seconds. If set to zero, then the
774 RESTCONF client will never drop a session
775 because it is idle.";
776 }
777 }
778 } // periodic-connection
779 } // connection-type
780 } // connection-type
781 container reconnect-strategy {
782 description
783 "The reconnection strategy directs how a RESTCONF
784 client reconnects to a RESTCONF server, after
785 discovering its connection to the server has
786 dropped, even if due to a reboot. The RESTCONF
787 client starts with the specified endpoint and
788 tries to connect to it max-attempts times before
789 trying the next endpoint in the list (round
790 robin).";
791 leaf start-with {
792 type enumeration {
793 enum first-listed {
794 description
795 "Indicates that reconnections should start
796 with the first endpoint listed.";
797 }
798 enum last-connected {
799 description
800 "Indicates that reconnections should start
801 with the endpoint last connected to. If
802 no previous connection has ever been
803 established, then the first endpoint
804 configured is used. RESTCONF clients
805 SHOULD be able to remember the last
806 endpoint connected to across reboots.";
807 }
808 enum random-selection {
809 description
810 "Indicates that reconnections should start with
811 a random endpoint.";
812 }
813 }
814 default "first-listed";
815 description
816 "Specifies which of the RESTCONF server's
817 endpoints the RESTCONF client should start
818 with when trying to connect to the RESTCONF
819 server.";
820 }
821 leaf max-attempts {
822 type uint8 {
823 range "1..max";
824 }
825 default "3";
826 description
827 "Specifies the number of times the RESTCONF client
828 tries to connect to a specific endpoint before
829 moving on to the next endpoint in the list
830 (round robin).";
831 }
832 }
833 }
834 } // initiate
835 container listen {
836 if-feature "http-listen or https-listen";
837 presence "Enables client to accept call-home connections";
838 description
839 "Configures client accepting call-home TCP connections.";
840 leaf idle-timeout {
841 type uint16;
842 units "seconds";
843 default 3600; // one hour
844 description
845 "Specifies the maximum number of seconds that an
846 underlying TCP session may remain idle. A TCP session
847 will be dropped if it is idle for an interval longer
848 than this number of seconds. If set to zero, then
849 the server will never drop a session because it is
850 idle. Sessions that have a notification subscription
851 active are never dropped.";
852 }
853 list endpoint {
854 key "name";
855 min-elements 1;
856 description
857 "List of endpoints to listen for RESTCONF connections.";
858 leaf name {
859 type string;
860 description
861 "An arbitrary name for the RESTCONF listen endpoint.";
862 }
863 uses restconf-client-listen-stack-grouping;
864 }
865 }
866 } // restconf-client-app-grouping
868 // Protocol accessible node, for servers that implement this
869 // module.
871 container restconf-client {
872 uses restconf-client-app-grouping;
873 description
874 "Top-level container for RESTCONF client configuration.";
875 }
876 }
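   The 'periodic' connection type and the 'reconnect-strategy' container
   above (the same two subtrees appear under the server's 'call-home'
   branch in Section 3) are easier to reason about when executed.  The
   following Python is an added illustration and is not code from this
   draft or the NETCONF working group; it implements the behaviour the YANG
   descriptions state (connections at whole multiples of 'period' from
   'anchor-time', 'max-attempts' tries per endpoint in round-robin order,
   the three 'start-with' choices), and the function names and sample
   values are this example's own.

```python
"""Helpers for the 'periodic' connection type and the 'reconnect-strategy'
container of ietf-restconf-client.  Added illustration, not code from the
draft: the behaviour follows the YANG descriptions, the names are ours.
"""
from __future__ import annotations

import random
import re
from datetime import datetime, timedelta
from itertools import islice
from typing import Iterator, List, Optional, Sequence, Union

# The 'anchor-time' pattern from the module: yang:date-and-time restricted
# to minute granularity, with a 'Z' or +hh:mm / -hh:mm offset.
ANCHOR_TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})")


def parse_anchor_time(value: str) -> datetime:
    """Check 'value' against the leaf's pattern and return an aware datetime."""
    if not ANCHOR_TIME_RE.fullmatch(value):
        raise ValueError(f"{value!r} does not match the anchor-time pattern")
    # fromisoformat() accepts '+00:00' everywhere but only understands a
    # trailing 'Z' from Python 3.11 on, so normalise it first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def next_periodic_connection(anchor_time: str, period_minutes: int,
                             now: Union[str, datetime]) -> datetime:
    """First scheduled connection time at or after 'now'.

    Per the 'anchor-time' description, connections occur at whole multiples
    of 'period' from the anchor, which may lie before or after 'now'.
    """
    if period_minutes < 1:
        raise ValueError("period must be a positive number of minutes")
    anchor = parse_anchor_time(anchor_time)
    if isinstance(now, str):
        now = parse_anchor_time(now)
    period = timedelta(minutes=period_minutes)
    if now <= anchor:
        return anchor                         # the anchor itself is the first slot
    whole_periods = (now - anchor) // period  # timedelta // timedelta -> int
    candidate = anchor + whole_periods * period
    return candidate if candidate >= now else candidate + period


def reconnect_sequence(endpoints: Sequence[str], start_with: str = "first-listed",
                       max_attempts: int = 3, last_connected: Optional[str] = None,
                       rng: Optional[random.Random] = None) -> Iterator[str]:
    """Yield endpoint names in the order the client should try them.

    Each endpoint is tried 'max-attempts' times before moving on to the next
    one, wrapping around the user-ordered list (round robin).  The generator
    is infinite; the caller stops once a connection succeeds.
    """
    if not endpoints:
        raise ValueError("endpoint list must be non-empty (min-elements 1)")
    if not 1 <= max_attempts <= 255:
        raise ValueError("max-attempts is a uint8 with range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # Fall back to the first endpoint if none was ever connected to.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown start-with value {start_with!r}")
    index = start
    while True:
        for _ in range(max_attempts):
            yield endpoints[index]
        index = (index + 1) % len(endpoints)


def attempt_plan(endpoints: Sequence[str], limit: int, **kwargs) -> List[str]:
    """The first 'limit' attempts of reconnect_sequence(), as a list."""
    return list(islice(reconnect_sequence(endpoints, **kwargs), limit))


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft's examples.
    print(next_periodic_connection("2019-11-20T00:15Z", 1440, "2019-11-22T09:00Z"))
    print(attempt_plan(["east-data-center", "west-data-center"], 8,
                       start_with="last-connected", last_connected="west-data-center"))
```

   Passing 'now' as a string runs it through the same pattern check as the
   anchor, so the helper never silently accepts a second-granularity value
   the model would reject.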
878
880 3. The RESTCONF Server Model
882 The RESTCONF server model presented in this section supports both
883 listening for connections as well as initiating call-home
884 connections.
886 YANG feature statements are used to enable implementations to
887 advertise which potentially uncommon parts of the model the RESTCONF
888 server supports.
890 3.1. Tree Diagram
892 The following tree diagram [RFC8340] provides an overview of the data
893 model for the "ietf-restconf-server" module.
895 This tree diagram only shows the nodes defined in this module; it
896 does not show the nodes defined by "grouping" statements used by this
897 module.
899 Please see Appendix A.2 for a tree diagram that illustrates what the
900 module looks like with all the "grouping" statements expanded.
902 module: ietf-restconf-server
903 +--rw restconf-server
904 +---u restconf-server-app-grouping
906 grouping restconf-server-grouping
907 +-- client-identity-mappings
908 +---u x509c2n:cert-to-name
909 grouping restconf-server-listen-stack-grouping
910 +-- (transport)
911 +--:(http) {http-listen}?
912 | +-- http
913 | +-- external-endpoint!
914 | | +-- address inet:ip-address
915 | | +-- port? inet:port-number
916 | +-- tcp-server-parameters
917 | | +---u tcps:tcp-server-grouping
918 | +-- http-server-parameters
919 | | +---u https:http-server-grouping
920 | +-- restconf-server-parameters
921 | +---u rcs:restconf-server-grouping
922 +--:(https) {https-listen}?
923 +-- https
924 +-- tcp-server-parameters
925 | +---u tcps:tcp-server-grouping
926 +-- tls-server-parameters
927 | +---u tlss:tls-server-grouping
928 +-- http-server-parameters
929 | +---u https:http-server-grouping
930 +-- restconf-server-parameters
931 +---u rcs:restconf-server-grouping
932 grouping restconf-server-callhome-stack-grouping
933 +-- (transport)
934 +--:(https) {https-listen}?
935 +-- https
936 +-- tcp-client-parameters
937 | +---u tcpc:tcp-client-grouping
938 +-- tls-server-parameters
939 | +---u tlss:tls-server-grouping
940 +-- http-server-parameters
941 | +---u https:http-server-grouping
942 +-- restconf-server-parameters
943 +---u rcs:restconf-server-grouping
944 grouping restconf-server-app-grouping
945 +-- listen! {http-listen or https-listen}?
946 | +-- endpoint* [name]
947 | +-- name? string
948 | +---u restconf-server-listen-stack-grouping
949 +-- call-home! {https-call-home}?
950 +-- restconf-client* [name]
951 +-- name? string
952 +-- endpoints
953 | +-- endpoint* [name]
954 | +-- name? string
955 | +---u restconf-server-callhome-stack-grouping
956 +-- connection-type
957 | +-- (connection-type)
958 | +--:(persistent-connection)
959 | | +-- persistent!
960 | +--:(periodic-connection)
961 | +-- periodic!
962 | +-- period? uint16
963 | +-- anchor-time? yang:date-and-time
964 | +-- idle-timeout? uint16
965 +-- reconnect-strategy
966 +-- start-with? enumeration
967 +-- max-attempts? uint8
969 3.2. Example Usage
971 The following example illustrates configuring a RESTCONF server to
972 listen for RESTCONF client connections, as well as configuring call-
973 home to one RESTCONF client.
975 This example is consistent with the examples presented in Section 2
976 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
977 [I-D.ietf-netconf-keystore].
979 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
   [The XML instance example for this section did not survive extraction;
   only the element text values remain, some split by '\' line-wrapping.
   In document order the surviving values are: a listen endpoint named
   "netconf/tls" with the address 11.22.33.44; an "rsa2048" key
   (ct:subject-public-key-info-format, ct:rsa-private-key-format,
   base64encodedvalue== placeholders); truststore references
   "explicitly-trusted-client-ca-certs" and
   "explicitly-trusted-client-certs"; "foo.example.com" with protocol
   versions HTTP/1.1 and HTTP/2.0; two cert-to-name entries (id 1:
   fingerprint 11:0A:05:11:00, map-type x509c2n:specified, name
   "scooby-doo"; id 2: map-type x509c2n:san-any); and a call-home entry
   for the RESTCONF client "config-manager" with endpoints
   "east-data-center" (east.example.com) and "west-data-center"
   (west.example.com), each repeating the same key, truststore, HTTP and
   cert-to-name values, followed by 300, 60, "last-connected" and 3 where
   the connection-type and reconnect-strategy nodes sit.]
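   The server's 'client-identity-mappings' node (grouping
   x509c2n:cert-to-name, RFC 7407) is what turns a TLS client certificate
   into the RESTCONF username, and the example above relies on it with one
   'specified' and one 'san-any' entry.  The following Python is an added
   illustration and is not code from this draft or RFC 7407; the peer
   certificate is a constructed stand-in (DER bytes plus pre-extracted
   subjectAltName values), and it assumes RFC 7407's rules as we read them:
   entries are consulted in 'id' order, a fingerprint may name the
   end-entity certificate or a CA certificate in the presented chain, and
   'san-any' takes the first subjectAltName of type rfc822Name, dNSName or
   iPAddress in certificate order.

```python
"""Ordered cert-to-name matching for 'client-identity-mappings'.
Added illustration, not code from the draft; see the lead-in for the
RFC 7407 assumptions it encodes.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# RFC 7407 tls-fingerprint: one octet naming the hash (TLS HashAlgorithm
# registry value) followed by that hash of a DER-encoded certificate.
HASH_BY_ID = {0x02: "sha1", 0x04: "sha256", 0x05: "sha384", 0x06: "sha512"}
SAN_ANY_TYPES = ("rfc822Name", "dNSName", "iPAddress")


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed TLS peer certificate chain."""
    chain: List[bytes]                                          # DER certs, end-entity first
    sans: List[Tuple[str, str]] = field(default_factory=list)   # end-entity SANs, cert order


@dataclass
class CertToName:
    """One entry of the cert-to-name list."""
    id: int
    fingerprint: str            # "hh:hh:..." hex octets, hash id first
    map_type: str               # "x509c2n:specified" or "x509c2n:san-any"
    name: Optional[str] = None  # required for map-type 'specified'


def fingerprint_of(der: bytes, hash_id: int = 0x04) -> str:
    """Build a tls-fingerprint string for 'der' (default sha256, id 0x04)."""
    digest = hashlib.new(HASH_BY_ID[hash_id], der).digest()
    return ":".join(f"{b:02X}" for b in bytes([hash_id]) + digest)


def fingerprint_matches(fingerprint: str, cert: PeerCert) -> bool:
    """True if the fingerprint names any certificate in the presented chain."""
    octets = bytes.fromhex(fingerprint.replace(":", ""))
    algo = HASH_BY_ID.get(octets[0]) if octets else None
    if algo is None or len(octets) != 1 + hashlib.new(algo).digest_size:
        return False    # unknown hash id (e.g. a placeholder) or bad length never matches
    return any(hmac.compare_digest(hashlib.new(algo, der).digest(), octets[1:])
               for der in cert.chain)


def derive_client_name(mappings: Sequence[CertToName], cert: PeerCert) -> Optional[str]:
    """Identity produced by the first fingerprint-matching entry, else None.

    A matching entry whose mapping cannot be applied (no usable SAN, unknown
    map-type) yields None; the caller treats None as authentication failure.
    """
    for entry in sorted(mappings, key=lambda e: e.id):
        if not fingerprint_matches(entry.fingerprint, cert):
            continue
        if entry.map_type == "x509c2n:specified":
            return entry.name
        if entry.map_type == "x509c2n:san-any":
            for san_type, value in cert.sans:
                if san_type in SAN_ANY_TYPES:
                    return value
        return None
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed sample: a pinned end-entity cert plus a CA-wide san-any rule."""
    ca = b"constructed DER stand-in: issuing CA"
    ee_a = b"constructed DER stand-in: client A"
    ee_b = b"constructed DER stand-in: client B"
    ee_c = b"constructed DER stand-in: client C"
    mappings = [
        CertToName(2, fingerprint_of(ca), "x509c2n:san-any"),                    # anything under the CA
        CertToName(1, fingerprint_of(ee_a), "x509c2n:specified", "scooby-doo"),  # one pinned cert
    ]
    client_a = PeerCert([ee_a, ca], [("dNSName", "a.example.com")])
    client_b = PeerCert([ee_b, ca], [("otherName", "ignored"), ("rfc822Name", "bob@example.com")])
    client_c = PeerCert([ee_c], [("dNSName", "c.example.com")])  # neither pinned nor under the CA
    return tuple(derive_client_name(mappings, c) for c in (client_a, client_b, client_c))


if __name__ == "__main__":
    print(demo())
```

   Note that the entry with id 1 wins for client A even though it is listed
   second: ordering is by 'id', not by position, and the first match decides
   the outcome, so a narrow 'specified' pin should carry a lower id than a
   broad CA-wide 'san-any' rule.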
1179 3.3. YANG Module
1181 This YANG module has normative references to [RFC6991], [RFC7407],
1182 [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
1183 [I-D.ietf-netconf-tls-client-server], and
1184 [I-D.kwatsen-netconf-http-client-server].
1186 file "ietf-restconf-server@2019-11-20.yang"
1188 module ietf-restconf-server {
1189 yang-version 1.1;
1190 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
1191 prefix rcs;
1193 import ietf-yang-types {
1194 prefix yang;
1195 reference
1196 "RFC 6991: Common YANG Data Types";
1197 }
1199 import ietf-inet-types {
1200 prefix inet;
1201 reference
1202 "RFC 6991: Common YANG Data Types";
1204 }
1206 import ietf-x509-cert-to-name {
1207 prefix x509c2n;
1208 reference
1209 "RFC 7407: A YANG Data Model for SNMP Configuration";
1210 }
1212 import ietf-tcp-client {
1213 prefix tcpc;
1214 reference
1215 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1216 }
1218 import ietf-tcp-server {
1219 prefix tcps;
1220 reference
1221 "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers";
1222 }
1224 import ietf-tls-server {
1225 prefix tlss;
1226 reference
1227 "RFC BBBB: YANG Groupings for TLS Clients and TLS Servers";
1228 }
1230 import ietf-http-server {
1231 prefix https;
1232 reference
1233 "RFC CCCC: YANG Groupings for HTTP Clients and HTTP Servers";
1234 }
1236 organization
1237 "IETF NETCONF (Network Configuration) Working Group";
1239 contact
1240 "WG Web:
1241 WG List:
1242 Author: Kent Watsen
1243 Author: Gary Wu
1244 Author: Juergen Schoenwaelder
1245 ";
1247 description
1248 "This module contains a collection of YANG definitions
1249 for configuring RESTCONF servers.
1251 Copyright (c) 2019 IETF Trust and the persons identified
1252 as authors of the code. All rights reserved.
1254 Redistribution and use in source and binary forms, with
1255 or without modification, is permitted pursuant to, and
1256 subject to the license terms contained in, the Simplified
1257 BSD License set forth in Section 4.c of the IETF Trust's
1258 Legal Provisions Relating to IETF Documents
1259 (https://trustee.ietf.org/license-info).
1261 This version of this YANG module is part of RFC XXXX
1262 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
1263 itself for full legal notices.
1265 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1266 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1267 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1268 are to be interpreted as described in BCP 14 (RFC 2119)
1269 (RFC 8174) when, and only when, they appear in all
1270 capitals, as shown here.";
1272 revision 2019-11-20 {
1273 description
1274 "Initial version";
1275 reference
1276 "RFC XXXX: RESTCONF Client and Server Models";
1277 }
1279 // Features
1281 feature http-listen {
1282 description
1283 "The 'http-listen' feature indicates that the RESTCONF server
1284 supports opening a port to listen for incoming RESTCONF over
1285 TCP client connections, whereby the TLS connections are
1286 terminated by an external system.";
1287 reference
1288 "RFC 8040: RESTCONF Protocol";
1289 }
1291 feature https-listen {
1292 description
1293 "The 'https-listen' feature indicates that the RESTCONF server
1294 supports opening a port to listen for incoming RESTCONF over
1295 TLS client connections, whereby the TLS connections are
1296 terminated by the server itself.";
1297 reference
1298 "RFC 8040: RESTCONF Protocol";
1299 }
1300 feature https-call-home {
1301 description
1302 "The 'https-call-home' feature indicates that the RESTCONF
1303 server supports initiating connections to RESTCONF clients.";
1304 reference
1305 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1306 }
1308 // Groupings
1310 grouping restconf-server-grouping {
1311 description
1312 "A reusable grouping for configuring a RESTCONF server
1313 without any consideration for how underlying transport
1314 sessions are established.
1316 Note that this grouping uses a fairly typical descendant
1317 node name such that a stack of 'uses' statements will
1318 have name conflicts. It is intended that the consuming
1319 data model will resolve the issue by wrapping the 'uses'
1320 statement in a container called, e.g.,
1321 'restconf-server-parameters'. This model purposely does
1322 not do this itself so as to provide maximum flexibility
1323 to consuming models.";
1325 container client-identity-mappings {
1326 //if-feature "client-certificates-supported"; // FIXME: yes?
1327 description
1328 "Specifies mappings through which RESTCONF client X.509
1329 certificates are used to determine a RESTCONF username.
1330 If no matching and valid cert-to-name list entry can be
1331 found, then the RESTCONF server MUST close the connection,
1332 and MUST NOT accept RESTCONF messages over it.";
1333 reference
1334 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1335 uses x509c2n:cert-to-name {
1336 refine "cert-to-name/fingerprint" {
1337 mandatory false;
1338 description
1339 "A 'fingerprint' value does not need to be specified
1340 when the 'cert-to-name' mapping is independent of
1341 fingerprint matching. A 'cert-to-name' having no
1342 fingerprint value will match any client certificate
1343 and therefore should only be present at the end of
1344 the user-ordered 'cert-to-name' list.";
1345 }
1346 }
1348 }
1349 }
1351 grouping restconf-server-listen-stack-grouping {
1352 description
1353 "A reusable grouping for configuring a RESTCONF server
1354 'listen' protocol stack for a single connection.";
1355 choice transport {
1356 mandatory true;
1357 description
1358 "Selects between available transports. This is a
1359 'choice' statement so as to support additional
1360 transport options to be augmented in.";
1361 case http {
1362 if-feature "http-listen";
1363 container http {
1364 description
1365 "Configures RESTCONF server stack assuming that
1366 TLS-termination is handled externally.";
1367 container external-endpoint {
1368 presence
1369 "Specifies configuration for an external endpoint.";
1370 description
1371 "Identifies contact information for the external
1372 system that terminates connections before passing
1373 them through to this server (e.g., a network address
1374 translator or a load balancer). These values have
1375 no effect on the local operation of this server, but
1376 may be used by the application when needing to
1377 inform other systems how to contact this server.";
1378 leaf address {
1379 type inet:ip-address;
1380 mandatory true;
1381 description
1382 "The IP address or hostname of the external system
1383 that terminates incoming RESTCONF client
1384 connections before forwarding them to this
1385 server.";
1386 }
1387 leaf port {
1388 type inet:port-number;
1389 default "443";
1390 description
1391 "The port number that the external system listens
1392 on for incoming RESTCONF client connections that
1393 are forwarded to this server. The default HTTPS
1394 port (443) is used, as expected for a RESTCONF
1395 connection.";
1397 }
1398 }
1399 container tcp-server-parameters {
1400 description
1401 "A wrapper around the TCP server parameters
1402 to avoid name collisions.";
1403 uses tcps:tcp-server-grouping {
1404 refine "local-port" {
1405 default "80";
1406 description
1407 "The RESTCONF server will listen on the IANA-
1408 assigned well-known port value for 'http'
1409 (80) if no value is specified.";
1410 }
1411 }
1412 }
1413 container http-server-parameters {
1414 description
1415 "A wrapper around the HTTP server parameters
1416 to avoid name collisions.";
1417 uses https:http-server-grouping;
1418 }
1419 container restconf-server-parameters {
1420 description
1421 "A wrapper around the RESTCONF server parameters
1422 to avoid name collisions.";
1423 uses rcs:restconf-server-grouping;
1424 }
1425 }
1426 }
1427 case https {
1428 if-feature "https-listen";
1429 container https {
1430 description
1431 "Configures RESTCONF server stack assuming that
1432 TLS-termination is handled internally.";
1433 container tcp-server-parameters {
1434 description
1435 "A wrapper around the TCP server parameters
1436 to avoid name collisions.";
1437 uses tcps:tcp-server-grouping {
1438 refine "local-port" {
1439 default "443";
1440 description
1441 "The RESTCONF server will listen on the IANA-
1442 assigned well-known port value for 'https'
1443 (443) if no value is specified.";
1444 }
1446 }
1447 }
1448 container tls-server-parameters {
1449 description
1450 "A wrapper around the TLS server parameters
1451 to avoid name collisions.";
1452 uses tlss:tls-server-grouping; /* {
1453 FIXME: commented out since auth could also be external.
1454 ^-- need a better 'must' expression?
1455 refine "client-authentication" {
1456 must 'ca-certs or client-certs';
1457 description
1458 "NETCONF/TLS servers MUST validate client
1459 certificates.";
1460 }*/
1461 }
1462 container http-server-parameters {
1463 description
1464 "A wrapper around the HTTP server parameters
1465 to avoid name collisions.";
1466 uses https:http-server-grouping;
1467 }
1468 container restconf-server-parameters {
1469 description
1470 "A wrapper around the RESTCONF server parameters
1471 to avoid name collisions.";
1472 uses rcs:restconf-server-grouping;
1473 }
1474 }
1475 }
1476 }
1477 }
1479 grouping restconf-server-callhome-stack-grouping {
1480 description
1481 "A reusable grouping for configuring a RESTCONF server
1482 'call-home' protocol stack, for a single connection.";
1483 choice transport {
1484 mandatory true;
1485 description
1486 "Selects between available transports. This is a
1487 'choice' statement so as to support additional
1488 transport options to be augmented in.";
1489 case https {
1490 if-feature "https-call-home"; // call-home stack is gated by the call-home feature
1491 container https {
1492 description
1493 "Configures RESTCONF server stack assuming that
1494 TLS-termination is handled internally.";
1495 container tcp-client-parameters {
1496 description
1497 "A wrapper around the TCP client parameters
1498 to avoid name collisions.";
1499 uses tcpc:tcp-client-grouping {
1500 refine "remote-port" {
1501 default "4336";
1502 description
1503 "The RESTCONF server will attempt to
1504 connect to the IANA-assigned well-known
1505 port for 'restconf-ch-tls' (4336) if no
1506 value is specified.";
1507 }
1508 }
1509 }
1510 container tls-server-parameters {
1511 description
1512 "A wrapper around the TLS server parameters
1513 to avoid name collisions.";
1514 uses tlss:tls-server-grouping; /* {
1515 FIXME: commented out since auth could also be external.
1516 ^-- need a better 'must' expression?
1517 refine "client-authentication" {
1518 must 'ca-certs or client-certs';
1519 description
1520 "NETCONF/TLS servers MUST validate client
1521 certificates.";
1522 }*/
1523 }
1524 container http-server-parameters {
1525 description
1526 "A wrapper around the HTTP server parameters
1527 to avoid name collisions.";
1528 uses https:http-server-grouping;
1529 }
1530 container restconf-server-parameters {
1531 description
1532 "A wrapper around the RESTCONF server parameters
1533 to avoid name collisions.";
1534 uses rcs:restconf-server-grouping;
1535 }
1536 }
1537 }
1538 }
1539 }
1540 grouping restconf-server-app-grouping {
1541 description
1542 "A reusable grouping for configuring a RESTCONF server
1543 application that supports both 'listen' and 'call-home'
1544 protocol stacks for a multiplicity of connections.";
1545 container listen {
1546 if-feature "http-listen or https-listen";
1547 presence
1548 "Enables the RESTCONF server to listen for RESTCONF
1549 client connections.";
1550 description "Configures listen behavior";
1551 list endpoint {
1552 key "name";
1553 min-elements 1;
1554 description
1555 "List of endpoints to listen for RESTCONF connections.";
1556 leaf name {
1557 type string;
1558 description
1559 "An arbitrary name for the RESTCONF listen endpoint.";
1560 }
1561 uses restconf-server-listen-stack-grouping;
1562 }
1563 }
1564 container call-home {
1565 if-feature "https-call-home";
1566 presence
1567 "Enables the RESTCONF server to initiate the underlying
1568 transport connection to RESTCONF clients.";
1569 description "Configures call-home behavior";
1570 list restconf-client {
1571 key "name";
1572 min-elements 1;
1573 description
1574 "List of RESTCONF clients the RESTCONF server is to
1575 maintain simultaneous call-home connections with.";
1576 leaf name {
1577 type string;
1578 description
1579 "An arbitrary name for the remote RESTCONF client.";
1580 }
1581 container endpoints {
1582 description
1583 "Container for the list of endpoints.";
1584 list endpoint {
1585 key "name";
1586 min-elements 1;
1587 ordered-by user;
1588 description
1589 "User-ordered list of endpoints for this RESTCONF
1590 client. Defining more than one enables high-
1591 availability.";
1592 leaf name {
1593 type string;
1594 description
1595 "An arbitrary name for this endpoint.";
1596 }
1597 uses restconf-server-callhome-stack-grouping;
1598 }
1599 }
1600 container connection-type {
1601 description
1602 "Indicates the RESTCONF server's preference for how the
1603 RESTCONF connection is maintained.";
1604 choice connection-type {
1605 mandatory true;
1606 description
1607 "Selects between available connection types.";
1608 case persistent-connection {
1609 container persistent {
1610 presence "Indicates that a persistent connection is
1611 to be maintained.";
1612 description
1613 "Maintain a persistent connection to the RESTCONF
1614 client. If the connection goes down, immediately
1615 start trying to reconnect to the RESTCONF client,
1616 using the reconnection strategy.
1618 This connection type minimizes any RESTCONF
1619 client to RESTCONF server data-transfer delay,
1620 albeit at the expense of holding resources
1621 longer.";
1622 }
1623 }
1624 case periodic-connection {
1625 container periodic {
1626 presence "Indicates that a periodic connection is
1627 to be maintained.";
1628 description
1629 "Periodically connect to the RESTCONF client.
1631 This connection type decreases resource
1632 utilization, albeit with increased delay in
1633 RESTCONF client to RESTCONF server interactions.
1635 The RESTCONF client SHOULD gracefully close
1636 the underlying TLS connection upon completing
1637 planned activities. If the underlying TLS
1638 connection is not closed gracefully, the
1639 RESTCONF server MUST immediately attempt
1640 to reestablish the connection.
1642 In the case that the previous connection is
1643 still active (i.e., the RESTCONF client has not
1644 closed it yet), establishing a new connection
1645 is NOT RECOMMENDED.";
1647 leaf period {
1648 type uint16;
1649 units "minutes";
1650 default "60";
1651 description
1652 "Duration of time between periodic connections.";
1653 }
1654 leaf anchor-time {
1655 type yang:date-and-time {
1656 // constrained to minute-level granularity
1657 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1658 + '(Z|[\+\-]\d{2}:\d{2})';
1659 }
1660 description
1661 "Designates a timestamp before or after which a
1662 series of periodic connections are determined.
1663 The periodic connections occur at a whole
1664 multiple interval from the anchor time. For
1665 example, if the anchor time is 15 minutes past
1666 midnight and the period is 24 hours, then a
1667 periodic connection will occur 15 minutes past
1668 midnight every day.";
1669 }
1670 leaf idle-timeout {
1671 type uint16;
1672 units "seconds";
1673 default 120; // two minutes
1674 description
1675 "Specifies the maximum number of seconds that
1676 the underlying TCP session may remain idle.
1677 A TCP session will be dropped if it is idle
1678 for an interval longer than this number of
1679 seconds. If set to zero, then the server
1680 will never drop a session because it is idle.";
1681 }
1682 }
1683 }
1685 }
1686 }
1687 container reconnect-strategy {
1688 description
1689 "The reconnection strategy directs how a RESTCONF server
1690 reconnects to a RESTCONF client after discovering its
1691 connection to the client has dropped, even if due to a
1692 reboot. The RESTCONF server starts with the specified
1693 endpoint and tries to connect to it max-attempts times
1694 before trying the next endpoint in the list (round
1695 robin).";
1696 leaf start-with {
1697 type enumeration {
1698 enum first-listed {
1699 description
1700 "Indicates that reconnections should start with
1701 the first endpoint listed.";
1702 }
1703 enum last-connected {
1704 description
1705 "Indicates that reconnections should start with
1706 the endpoint last connected to. If no previous
1707 connection has ever been established, then the
1708 first endpoint configured is used. RESTCONF
1709 servers SHOULD be able to remember the last
1710 endpoint connected to across reboots.";
1711 }
1712 enum random-selection {
1713 description
1714 "Indicates that reconnections should start with
1715 a random endpoint.";
1716 }
1717 }
1718 default "first-listed";
1719 description
1720 "Specifies which of the RESTCONF client's endpoints
1721 the RESTCONF server should start with when trying
1722 to connect to the RESTCONF client.";
1723 }
1724 leaf max-attempts {
1725 type uint8 {
1726 range "1..max";
1727 }
1728 default "3";
1729 description
1730 "Specifies the number of times the RESTCONF server tries
1731 to connect to a specific endpoint before moving on to
1732 the next endpoint in the list (round robin).";
1734 }
1735 }
1736 } // restconf-client
1737 } // call-home
1738 } // restconf-server-app-grouping
1740 // Protocol accessible node, for servers that implement this
1741 // module.
1743 container restconf-server {
1744 uses restconf-server-app-grouping;
1745 description
1746 "Top-level container for RESTCONF server configuration.";
1747 }
1749 }
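The cert-to-name lookup that the 'client-identity-mappings' container in the module above relies on, as an added example that is not part of the draft or its implementations: each entry's fingerprint is checked against the certificate's DER bytes, the name is derived per map-type, and None is returned where the server must close the connection. The certificate records, entries and DER bytes are constructed; the RFC 6353 case-folding and the skip-on-empty behaviour are this example's assumptions.

```python
"""Added example (not from the draft): resolving a RESTCONF username from
a client certificate via the user-ordered 'cert-to-name' list that
'client-identity-mappings' pulls in from ietf-x509-cert-to-name."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# First octet of an x509c2n:tls-fingerprint names the hash algorithm,
# using the IANA TLS HashAlgorithm registry values (RFC 7407).
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224",
                   4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class ClientCert:
    """Constructed stand-in for a parsed certificate: the DER bytes the
    fingerprint is computed over, plus the already-extracted name fields."""
    der: bytes
    common_name: Optional[str] = None
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


@dataclass
class CertToName:
    """One entry of the user-ordered 'cert-to-name' list."""
    id: int
    map_type: str                       # e.g. "x509c2n:specified"
    fingerprint: Optional[str] = None   # None matches any certificate
    name: Optional[str] = None          # used only by 'specified'


def fingerprint_matches(fingerprint: str, der: bytes) -> bool:
    """'AA:BB:...': octet 0 selects the digest; the remaining octets must
    equal the digest of the certificate's DER encoding."""
    octets = bytes.fromhex(fingerprint.replace(":", ""))
    algo = HASH_ALGORITHMS.get(octets[0]) if octets else None
    if algo is None:
        return False   # unknown or unsupported algorithm: never matches
    return hashlib.new(algo, der).digest() == octets[1:]


def name_from_cert(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Derive the username for an entry whose fingerprint check passed.
    'san-any' tries rfc822Name, dNSName, iPAddress in that order
    (RFC 7407); lowercasing the rfc822Name domain part and dNSName
    values follows RFC 6353 and is an assumption of this example."""
    map_type = entry.map_type.split(":")[-1]
    if map_type == "specified":
        return entry.name
    if map_type == "common-name":
        return cert.common_name
    candidates: List[str] = []
    if map_type in ("san-rfc822-name", "san-any"):
        for addr in cert.san_rfc822:
            local, at, domain = addr.rpartition("@")
            candidates.append(f"{local}{at}{domain.lower()}" if at else addr)
    if map_type in ("san-dns-name", "san-any"):
        candidates.extend(n.lower() for n in cert.san_dns)
    if map_type in ("san-ip-address", "san-any"):
        candidates.extend(str(ipaddress.ip_address(a)) for a in cert.san_ip)
    return candidates[0] if candidates else None


def resolve_username(entries: List[CertToName], cert: ClientCert) -> Optional[str]:
    """Walk the list in user order. The first entry that matches by
    fingerprint (or has none) and yields a name wins; an entry that
    matches but yields no name is skipped (an assumption here). None
    means no mapping: the server MUST close the connection."""
    for entry in entries:
        if entry.fingerprint and not fingerprint_matches(entry.fingerprint, cert.der):
            continue
        name = name_from_cert(entry, cert)
        if name:
            return name
    return None


# --- constructed sample data (no real certificates involved) --------------
KNOWN_DER = b"constructed DER bytes of the known client certificate"
KNOWN_FP = "04:" + ":".join(f"{b:02X}" for b in hashlib.sha256(KNOWN_DER).digest())
# Same shape as the draft's example: entry 1 pins a fingerprint and maps
# to a fixed name, entry 2 has no fingerprint and maps via san-any.
ENTRIES = [
    CertToName(id=1, map_type="x509c2n:specified", fingerprint=KNOWN_FP, name="scooby-doo"),
    CertToName(id=2, map_type="x509c2n:san-any"),
]
KNOWN_CERT = ClientCert(der=KNOWN_DER, common_name="Scooby", san_dns=["Known.Example.COM"])
OTHER_CERT = ClientCert(der=b"some other certificate", san_rfc822=["Ops@Example.COM"])
BARE_CERT = ClientCert(der=b"certificate with no usable names")


def demo() -> dict:
    """Run the three cases; a None result means 'close the connection'."""
    return {"known": resolve_username(ENTRIES, KNOWN_CERT),   # "scooby-doo"
            "other": resolve_username(ENTRIES, OTHER_CERT),   # "Ops@example.com"
            "bare": resolve_username(ENTRIES, BARE_CERT)}     # None
```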
1751
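The call-home timing decisions defined in 'restconf-server-app-grouping' above (the 'periodic' anchor-time arithmetic and the 'reconnect-strategy' endpoint order), as an added example that is not part of the draft; all inputs are constructed, and the hypothetical one-pass 'reconnect_order' helper assumes the caller repeats the pass until an attempt succeeds.

```python
"""Added example (not from the draft): the call-home timing a RESTCONF
server derives from the 'periodic' and 'reconnect-strategy' nodes."""
import math
import random
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Same pattern the module applies to 'anchor-time': minute granularity.
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def parse_anchor_time(value: str) -> datetime:
    """Validate against the module's pattern and return an aware datetime."""
    if not ANCHOR_TIME_RE.match(value):
        raise ValueError(f"anchor-time {value!r} does not match the YANG pattern")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def next_periodic_connection(anchor: datetime, period_minutes: int,
                             now: datetime) -> datetime:
    """Periodic connections occur at whole multiples of 'period' from
    'anchor-time', which may lie in the past or the future. Returns the
    first scheduled instant at or after 'now'."""
    if period_minutes <= 0:
        raise ValueError("period must be positive")
    period = timedelta(minutes=period_minutes)
    if now <= anchor:
        return anchor   # future anchor: the first connection is the anchor itself
    k = math.ceil((now - anchor) / period)   # whole periods elapsed, rounded up
    return anchor + k * period


def reconnect_order(endpoints: List[str], start_with: str = "first-listed",
                    max_attempts: int = 3, last_connected: Optional[str] = None,
                    rng=random) -> List[str]:
    """One round-robin pass over the user-ordered endpoint list: the
    starting endpoint is tried 'max-attempts' times, then the next, and
    so on. A persistent connection repeats the pass until one succeeds."""
    if not 1 <= max_attempts <= 255:   # uint8 with range "1..max"
        raise ValueError("max-attempts must be in 1..255")
    if not endpoints:
        return []
    if start_with == "last-connected" and last_connected in endpoints:
        start = endpoints.index(last_connected)
    elif start_with == "random-selection":
        start = rng.randrange(len(endpoints))
    else:   # "first-listed" (the default), or "last-connected" with no history yet
        start = 0
    order: List[str] = []
    for i in range(len(endpoints)):
        order.extend([endpoints[(start + i) % len(endpoints)]] * max_attempts)
    return order


def demo() -> dict:
    """Constructed inputs echoing the draft's example values
    (start-with 'last-connected', max-attempts 3, period 60 minutes)."""
    anchor = parse_anchor_time("2019-11-20T00:15Z")
    now = datetime(2019, 11, 21, 9, 0, tzinfo=timezone.utc)
    return {
        "next_hourly": next_periodic_connection(anchor, 60, now),       # 2019-11-21T09:15Z
        "next_daily": next_periodic_connection(anchor, 24 * 60, now),   # 2019-11-22T00:15Z
        "order": reconnect_order(["east", "west"], "last-connected", 3, "west"),
    }
```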
1753 4. Security Considerations
1755 The YANG module defined in this document uses groupings defined in
1756 [I-D.kwatsen-netconf-tcp-client-server],
1757 [I-D.ietf-netconf-tls-client-server], and
1758 [I-D.kwatsen-netconf-http-client-server]. Please see the Security
1759 Considerations section in those documents for concerns related to
1760 those groupings.
1762 The YANG modules defined in this document are designed to be accessed
1763 via YANG-based management protocols, such as NETCONF [RFC6241] and
1764 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1765 implement secure transport layers (e.g., SSH, TLS) with mutual
1766 authentication.
1768 The NETCONF access control model (NACM) [RFC8341] provides the means
1769 to restrict access for particular users to a pre-configured subset of
1770 all available protocol operations and content.
1772 There are a number of data nodes defined in the YANG modules that are
1773 writable/creatable/deletable (i.e., config true, which is the
1774 default). Some of these data nodes may be considered sensitive or
1775 vulnerable in some network environments. Write operations (e.g.,
1776 edit-config) to these data nodes without proper protection can have a
1777 negative effect on network operations. These are the subtrees and
1778 data nodes and their sensitivity/vulnerability:
1780 None of the subtrees or data nodes in the modules defined in this
1781 document need to be protected from write operations.
1783 Some of the readable data nodes in the YANG modules may be considered
1784 sensitive or vulnerable in some network environments. It is thus
1785 important to control read access (e.g., via get, get-config, or
1786 notification) to these data nodes. These are the subtrees and data
1787 nodes and their sensitivity/vulnerability:
1789 None of the subtrees or data nodes in the modules defined in this
1790 document need to be protected from read operations.
1792 Some of the RPC operations in the YANG modules may be considered
1793 sensitive or vulnerable in some network environments. It is thus
1794 important to control access to these operations. These are the
1795 operations and their sensitivity/vulnerability:
1797 The modules defined in this document do not define any 'RPC' or
1798 'action' statements.
1800 5. IANA Considerations
1802 5.1. The IETF XML Registry
1804 This document registers two URIs in the "ns" subregistry of the IETF
1805 XML Registry [RFC3688]. Following the format in [RFC3688], the
1806 following registrations are requested:
1808 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1809 Registrant Contact: The NETCONF WG of the IETF.
1810 XML: N/A, the requested URI is an XML namespace.
1812 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1813 Registrant Contact: The NETCONF WG of the IETF.
1814 XML: N/A, the requested URI is an XML namespace.
1816 5.2. The YANG Module Names Registry
1818 This document registers two YANG modules in the YANG Module Names
1819 registry [RFC6020]. Following the format in [RFC6020], the
1820 following registrations are requested:
1822 name: ietf-restconf-client
1823 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1824 prefix: rcc
1825 reference: RFC XXXX
1827 name: ietf-restconf-server
1828 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1829 prefix: rcs
1830 reference: RFC XXXX
1832 6. References
1834 6.1. Normative References
1836 [I-D.ietf-netconf-keystore]
1837 Watsen, K., "A YANG Data Model for a Keystore", draft-
1838 ietf-netconf-keystore-14 (work in progress), November
1839 2019.
1841 [I-D.ietf-netconf-tls-client-server]
1842 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1843 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1844 server-16 (work in progress), November 2019.
1846 [I-D.kwatsen-netconf-http-client-server]
1847 Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1848 Servers", draft-kwatsen-netconf-http-client-server-05
1849 (work in progress), November 2019.
1851 [I-D.kwatsen-netconf-tcp-client-server]
1852 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1853 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1854 server-02 (work in progress), April 2019.
1856 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1857 Requirement Levels", BCP 14, RFC 2119,
1858 DOI 10.17487/RFC2119, March 1997.
1861 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1862 the Network Configuration Protocol (NETCONF)", RFC 6020,
1863 DOI 10.17487/RFC6020, October 2010.
1866 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1867 RFC 6991, DOI 10.17487/RFC6991, July 2013.
1870 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1871 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1872 December 2014.
1874 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1875 RFC 7950, DOI 10.17487/RFC7950, August 2016.
1878 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1879 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.
1882 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1883 RFC 8071, DOI 10.17487/RFC8071, February 2017.
1886 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1887 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1888 May 2017.
1890 6.2. Informative References
1892 [I-D.ietf-netconf-trust-anchors]
1893 Watsen, K. and H. Birkholz, "A YANG Data Model for a
1894 Truststore", draft-ietf-netconf-trust-anchors-07 (work in
1895 progress), November 2019.
1897 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1898 DOI 10.17487/RFC3688, January 2004.
1901 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1902 and A. Bierman, Ed., "Network Configuration Protocol
1903 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
1906 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1907 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.
1910 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
1911 Access Control Model", STD 91, RFC 8341,
1912 DOI 10.17487/RFC8341, March 2018.
1915 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
1916 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
1919 Appendix A. Expanded Tree Diagrams
1921 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
1923 The following tree diagram [RFC8340] provides an overview of the data
1924 model for the "ietf-restconf-client" module.
1926 This tree diagram shows all the nodes defined in this module,
1927 including those defined by "grouping" statements used by this module.
1929 Please see Section 2.1 for a tree diagram that illustrates what the
1930 module looks like without all the "grouping" statements expanded.
1932 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
1934 module: ietf-restconf-client
1935 +--rw restconf-client
1936 +--rw initiate! {https-initiate}?
1937 | +--rw restconf-server* [name]
1938 | +--rw name string
1939 | +--rw endpoints
1940 | | +--rw endpoint* [name]
1941 | | +--rw name string
1942 | | +--rw (transport)
1943 | | +--:(https) {https-initiate}?
1944 | | +--rw https
1945 | | +--rw tcp-client-parameters
1946 | | | +--rw remote-address inet:host
1947 | | | +--rw remote-port? inet:port-number
1948 | | | +--rw local-address? inet:ip-address
1949 | | | | {local-binding-supported}?
1950 | | | +--rw local-port? inet:port-number
1951 | | | | {local-binding-supported}?
1952 | | | +--rw keepalives!
1953 | | | {keepalives-supported}?
1954 | | | +--rw idle-time uint16
1955 | | | +--rw max-probes uint16
1956 | | | +--rw probe-interval uint16
1957 | | +--rw tls-client-parameters
1958 | | | +--rw client-identity
1959 | | | | +--rw (auth-type)
1960 | | | | +--:(certificate)
1961 | | | | | +--rw certificate
1962 | | | | | {x509-certificate-auth\
1963 \}?
1964 | | | | | +--rw (local-or-keystore)
1965 | | | | | +--:(local)
1966 | | | | | | {local-definiti\
1968 \ons-supported}?
1969 | | | | | | +--rw local-definition
1970 | | | | | | +--rw algorithm
1971 | | | | | | | iasa:asymm\
1972 \etric-algorithm-type
1973 | | | | | | +--rw public-key-f\
1974 \ormat?
1975 | | | | | | | identityref
1976 | | | | | | +--rw public-key
1977 | | | | | | | binary
1978 | | | | | | +--rw private-key-\
1979 \format?
1980 | | | | | | | identityref
1981 | | | | | | +--rw (private-key\
1982 \-type)
1983 | | | | | | | +--:(private-ke\
1984 \y)
1985 | | | | | | | | +--rw privat\
1986 \e-key?
1987 | | | | | | | | bina\
1988 \ry
1989 | | | | | | | +--:(hidden-pri\
1990 \vate-key)
1991 | | | | | | | | +--rw hidden\
1992 \-private-key?
1993 | | | | | | | | empty
1994 | | | | | | | +--:(encrypted-\
1995 \private-key)
1996 | | | | | | | +--rw encryp\
1997 \ted-private-key
1998 | | | | | | | +--rw (ke\
1999 \y-type)
2000 | | | | | | | | +--:(s\
2001 \ymmetric-key-ref)
2002 | | | | | | | | | +--\
2003 \rw symmetric-key-ref? leafref
2004 | | | | | | | | | \
2005 \ {keystore-supported}?
2006 | | | | | | | | +--:(a\
2007 \symmetric-key-ref)
2008 | | | | | | | | +--\
2009 \rw asymmetric-key-ref? leafref
2010 | | | | | | | | \
2011 \ {keystore-supported}?
2012 | | | | | | | +--rw val\
2013 \ue?
2014 | | | | | | | b\
2015 \inary
2016 | | | | | | +--rw cert?
2017 | | | | | | | end-entity\
2018 \-cert-cms
2019 | | | | | | +---n certificate-\
2020 \expiration
2021 | | | | | | | +-- expiration-\
2022 \date
2023 | | | | | | | yang:da\
2024 \te-and-time
2025 | | | | | | +---x generate-cer\
2026 \tificate-signing-request
2027 | | | | | | +---w input
2028 | | | | | | | +---w subject
2029 | | | | | | | | bina\
2030 \ry
2031 | | | | | | | +---w attrib\
2032 \utes?
2033 | | | | | | | bina\
2034 \ry
2035 | | | | | | +--ro output
2036 | | | | | | +--ro certif\
2037 \icate-signing-request
2038 | | | | | | bina\
2039 \ry
2040 | | | | | +--:(keystore)
2041 | | | | | {keystore-suppo\
2042 \rted}?
2043 | | | | | +--rw keystore-refere\
2044 \nce
2045 | | | | | +--rw asymmetric-k\
2046 \ey?
2047 | | | | | | ks:asymmet\
2048 \ric-key-ref
2049 | | | | | +--rw certificate?\
2050 \ leafref
2051 | | | | +--:(raw-public-key)
2052 | | | | | +--rw raw-public-key
2053 | | | | | {raw-public-key-auth}?
2054 | | | | | +--rw (local-or-keystore)
2055 | | | | | +--:(local)
2056 | | | | | | {local-definiti\
2057 \ons-supported}?
2058 | | | | | | +--rw local-definition
2059 | | | | | | +--rw algorithm
2060 | | | | | | | iasa:asymm\
2061 \etric-algorithm-type
2062 | | | | | | +--rw public-key-f\
2063 \ormat?
2064 | | | | | | | identityref
2065 | | | | | | +--rw public-key
2066 | | | | | | | binary
2067 | | | | | | +--rw private-key-\
2068 \format?
2069 | | | | | | | identityref
2070 | | | | | | +--rw (private-key\
2071 \-type)
2072 | | | | | | +--:(private-ke\
2073 \y)
2074 | | | | | | | +--rw privat\
2075 \e-key?
2076 | | | | | | | bina\
2077 \ry
2078 | | | | | | +--:(hidden-pri\
2079 \vate-key)
2080 | | | | | | | +--rw hidden\
2081 \-private-key?
2082 | | | | | | | empty
2083 | | | | | | +--:(encrypted-\
2084 \private-key)
2085 | | | | | | +--rw encryp\
2086 \ted-private-key
2087 | | | | | | +--rw (ke\
2088 \y-type)
2089 | | | | | | | +--:(s\
2090 \ymmetric-key-ref)
2091 | | | | | | | | +--\
2092 \rw symmetric-key-ref? leafref
2093 | | | | | | | | \
2094 \ {keystore-supported}?
2095 | | | | | | | +--:(a\
2096 \symmetric-key-ref)
2097 | | | | | | | +--\
2098 \rw asymmetric-key-ref? leafref
2099 | | | | | | | \
2100 \ {keystore-supported}?
2101 | | | | | | +--rw val\
2102 \ue?
2103 | | | | | | b\
2104 \inary
2105 | | | | | +--:(keystore)
2106 | | | | | {keystore-suppo\
2107 \rted}?
2108 | | | | | +--rw keystore-refere\
2109 \nce?
2110 | | | | | ks:asymmetric\
2111 \-key-ref
2112 | | | | +--:(psk)
2113 | | | | +--rw psk {psk-auth}?
2114 | | | | +--rw (local-or-keystore)
2115 | | | | +--:(local)
2116 | | | | | {local-definiti\
2117 \ons-supported}?
2118 | | | | | +--rw local-definition
2119 | | | | | +--rw algorithm
2120 | | | | | | isa:symmet\
2121 \ric-algorithm-type
2122 | | | | | +--rw key-format?
2123 | | | | | | identityref
2124 | | | | | +--rw (key-type)
2125 | | | | | +--:(key)
2126 | | | | | | +--rw key?
2127 | | | | | | bina\
2128 \ry
2129 | | | | | +--:(hidden-key)
2130 | | | | | | +--rw hidden\
2131 \-key?
2132 | | | | | | empty
2133 | | | | | +--:(encrypted-\
2134 \key)
2135 | | | | | +--rw encryp\
2136 \ted-key
2137 | | | | | +--rw (ke\
2138 \y-type)
2139 | | | | | | +--:(s\
2140 \ymmetric-key-ref)
2141 | | | | | | | +--\
2142 \rw symmetric-key-ref? leafref
2143 | | | | | | | \
2144 \ {keystore-supported}?
2145 | | | | | | +--:(a\
2146 \symmetric-key-ref)
2147 | | | | | | +--\
2148 \rw asymmetric-key-ref? leafref
2149 | | | | | | \
2150 \ {keystore-supported}?
2151 | | | | | +--rw val\
2152 \ue?
2153 | | | | | b\
2154 \inary
2155 | | | | +--:(keystore)
2156 | | | | {keystore-suppo\
2157 \rted}?
2158 | | | | +--rw keystore-refere\
2159 \nce?
2160 | | | | ks:symmetric-\
2161 \key-ref
2162 | | | +--rw server-authentication
2163 | | | | +--rw ca-certs!
2164 | | | | | {x509-certificate-auth}?
2165 | | | | | +--rw (local-or-truststore)
2166 | | | | | +--:(local)
2167 | | | | | | {local-definitions-su\
2168 \pported}?
2169 | | | | | | +--rw local-definition
2170 | | | | | | +--rw cert*
2171 | | | | | | | trust-anchor-cer\
2172 \t-cms
2173 | | | | | | +---n certificate-expira\
2174 \tion
2175 | | | | | | +-- expiration-date
2176 | | | | | | yang:date-and\
2177 \-time
2178 | | | | | +--:(truststore)
2179 | | | | | {truststore-supported\
2180 \,x509-certificates}?
2181 | | | | | +--rw truststore-reference?
2182 | | | | | ts:certificates-ref
2183 | | | | +--rw server-certs!
2184 | | | | | {x509-certificate-auth}?
2185 | | | | | +--rw (local-or-truststore)
2186 | | | | | +--:(local)
2187 | | | | | | {local-definitions-su\
2188 \pported}?
2189 | | | | | | +--rw local-definition
2190 | | | | | | +--rw cert*
2191 | | | | | | | trust-anchor-cer\
2192 \t-cms
2193 | | | | | | +---n certificate-expira\
2194 \tion
2195 | | | | | | +-- expiration-date
2196 | | | | | | yang:date-and\
2197 \-time
2198 | | | | | +--:(truststore)
2199 | | | | | {truststore-supported\
2200 \,x509-certificates}?
2201 | | | | | +--rw truststore-reference?
2202 | | | | | ts:certificates-ref
2203 | | | | +--rw raw-public-keys!
2204 | | | | | {raw-public-key-auth}?
2205 | | | | | +--rw (local-or-truststore)
2206 | | | | | +--:(local)
2207 | | | | | | {local-definitions-su\
2209 \pported}?
2210 | | | | | | +--rw local-definition
2211 | | | | | | +--rw raw-public-key*
2212 | | | | | | [name]
2213 | | | | | | +--rw name
2214 | | | | | | | string
2215 | | | | | | +--rw algorithm
2216 | | | | | | | iasa:asymmetr\
2217 \ic-algorithm-type
2218 | | | | | | +--rw public-key-form\
2219 \at?
2220 | | | | | | | identityref
2221 | | | | | | +--rw public-key
2222 | | | | | | binary
2223 | | | | | +--:(truststore)
2224 | | | | | {truststore-supported\
2225 \,raw-public-keys}?
2226 | | | | | +--rw truststore-reference?
2227 | | | | | ts:raw-public-keys-\
2228 \ref
2229 | | | | +--rw psks! {psk-auth}?
2230 | | | +--rw hello-params
2231 | | | | {tls-client-hello-params-config\
2232 \}?
2233 | | | | +--rw tls-versions
2234 | | | | | +--rw tls-version* identityref
2235 | | | | +--rw cipher-suites
2236 | | | | +--rw cipher-suite* identityref
2237 | | | +--rw keepalives!
2238 | | | {tls-client-keepalives}?
2239 | | | +--rw max-wait? uint16
2240 | | | +--rw max-attempts? uint8
2241 | | +--rw http-client-parameters
2242 | | | +--rw client-identity
2243 | | | | +--rw (auth-type)
2244 | | | | +--:(basic)
2245 | | | | +--rw basic {basic-auth}?
2246 | | | | +--rw user-id string
2247 | | | | +--rw password string
2248 | | | +--rw proxy-server! {proxy-connect}?
2249 | | | +--rw tcp-client-parameters
2250 | | | | +--rw remote-address inet:host
2251 | | | | +--rw remote-port?
2252 | | | | | inet:port-number
2253 | | | | +--rw local-address?
2254 | | | | | inet:ip-address
2255 | | | | | {local-binding-supported}?
2256 | | | | +--rw local-port?
2257 | | | | | inet:port-number
2258 | | | | | {local-binding-supported}?
2259 | | | | +--rw keepalives!
2260 | | | | {keepalives-supported}?
2261 | | | | +--rw idle-time uint16
2262 | | | | +--rw max-probes uint16
2263 | | | | +--rw probe-interval uint16
2264 | | | +--rw tls-client-parameters
2265 | | | | +--rw client-identity
2266 | | | | | +--rw (auth-type)
2267 | | | | | +--:(certificate)
2268 | | | | | | +--rw certificate
2269 | | | | | | {x509-certificat\
2270 \e-auth}?
2271 | | | | | | +--rw (local-or-keyst\
2272 \ore)
2273 | | | | | | +--:(local)
2274 | | | | | | | {local-de\
2275 \finitions-supported}?
2276 | | | | | | | +--rw local-def\
2277 \inition
2278 | | | | | | | +--rw algori\
2279 \thm
2280 | | | | | | | | iasa\
2281 \:asymmetric-algorithm-type
2282 | | | | | | | +--rw public\
2283 \-key-format?
2284 | | | | | | | | iden\
2285 \tityref
2286 | | | | | | | +--rw public\
2287 \-key
2288 | | | | | | | | bina\
2289 \ry
2290 | | | | | | | +--rw privat\
2291 \e-key-format?
2292 | | | | | | | | iden\
2293 \tityref
2294 | | | | | | | +--rw (priva\
2295 \te-key-type)
2296 | | | | | | | | +--:(priv\
2297 \ate-key)
2298 | | | | | | | | | +--rw \
2299 \private-key?
2300 | | | | | | | | | \
2301 \ binary
2302 | | | | | | | | +--:(hidd\
2303 \en-private-key)
2304 | | | | | | | | | +--rw \
2306 \hidden-private-key?
2307 | | | | | | | | | \
2308 \ empty
2309 | | | | | | | | +--:(encr\
2310 \ypted-private-key)
2311 | | | | | | | | +--rw \
2312 \encrypted-private-key
2313 | | | | | | | | +--\
2314 \rw (key-type)
2315 | | | | | | | | | \
2316 \+--:(symmetric-key-ref)
2317 | | | | | | | | | \
2318 \| +--rw symmetric-key-ref? leafref
2319 | | | | | | | | | \
2320 \| {keystore-supported}?
2321 | | | | | | | | | \
2322 \+--:(asymmetric-key-ref)
2323 | | | | | | | | | \
2324 \ +--rw asymmetric-key-ref? leafref
2325 | | | | | | | | | \
2326 \ {keystore-supported}?
2327 | | | | | | | | +--\
2328 \rw value?
2329 | | | | | | | | \
2330 \ binary
2331 | | | | | | | +--rw cert?
2332 | | | | | | | | end-\
2333 \entity-cert-cms
2334 | | | | | | | +---n certif\
2335 \icate-expiration
2336 | | | | | | | | +-- expir\
2337 \ation-date
2338 | | | | | | | | y\
2339 \ang:date-and-time
2340 | | | | | | | +---x genera\
2341 \te-certificate-signing-request
2342 | | | | | | | +---w inp\
2343 \ut
2344 | | | | | | | | +---w \
2345 \subject
2346 | | | | | | | | | \
2347 \ binary
2348 | | | | | | | | +---w \
2349 \attributes?
2350 | | | | | | | | \
2351 \ binary
2352 | | | | | | | +--ro out\
2353 \put
2354 | | | | | | | +--ro \
2355 \certificate-signing-request
2356 | | | | | | | \
2357 \ binary
2358 | | | | | | +--:(keystore)
2359 | | | | | | {keystore\
2360 \-supported}?
2361 | | | | | | +--rw keystore-\
2362 \reference
2363 | | | | | | +--rw asymme\
2364 \tric-key?
2365 | | | | | | | ks:a\
2366 \symmetric-key-ref
2367 | | | | | | +--rw certif\
2368 \icate? leafref
2369 | | | | | +--:(raw-public-key)
2370 | | | | | | +--rw raw-public-key
2371 | | | | | | {raw-public-key-\
2372 \auth}?
2373 | | | | | | +--rw (local-or-keyst\
2374 \ore)
2375 | | | | | | +--:(local)
2376 | | | | | | | {local-de\
2377 \finitions-supported}?
2378 | | | | | | | +--rw local-def\
2379 \inition
2380 | | | | | | | +--rw algori\
2381 \thm
2382 | | | | | | | | iasa\
2383 \:asymmetric-algorithm-type
2384 | | | | | | | +--rw public\
2385 \-key-format?
2386 | | | | | | | | iden\
2387 \tityref
2388 | | | | | | | +--rw public\
2389 \-key
2390 | | | | | | | | bina\
2391 \ry
2392 | | | | | | | +--rw privat\
2393 \e-key-format?
2394 | | | | | | | | iden\
2395 \tityref
2396 | | | | | | | +--rw (priva\
2397 \te-key-type)
2398 | | | | | | | +--:(priv\
2399 \ate-key)
2400 | | | | | | | | +--rw \
2401 \private-key?
2402 | | | | | | | | \
2403 \ binary
2404 | | | | | | | +--:(hidd\
2405 \en-private-key)
2406 | | | | | | | | +--rw \
2407 \hidden-private-key?
2408 | | | | | | | | \
2409 \ empty
2410 | | | | | | | +--:(encr\
2411 \ypted-private-key)
2412 | | | | | | | +--rw \
2413 \encrypted-private-key
2414 | | | | | | | +--\
2415 \rw (key-type)
2416 | | | | | | | | \
2417 \+--:(symmetric-key-ref)
2418 | | | | | | | | \
2419 \| +--rw symmetric-key-ref? leafref
2420 | | | | | | | | \
2421 \| {keystore-supported}?
2422 | | | | | | | | \
2423 \+--:(asymmetric-key-ref)
2424 | | | | | | | | \
2425 \ +--rw asymmetric-key-ref? leafref
2426 | | | | | | | | \
2427 \ {keystore-supported}?
2428 | | | | | | | +--\
2429 \rw value?
2430 | | | | | | | \
2431 \ binary
2432 | | | | | | +--:(keystore)
2433 | | | | | | {keystore\
2434 \-supported}?
2435 | | | | | | +--rw keystore-\
2436 \reference?
2437 | | | | | | ks:asym\
2438 \metric-key-ref
2439 | | | | | +--:(psk)
2440 | | | | | +--rw psk {psk-auth}?
2441 | | | | | +--rw (local-or-keyst\
2442 \ore)
2443 | | | | | +--:(local)
2444 | | | | | | {local-de\
2445 \finitions-supported}?
2446 | | | | | | +--rw local-def\
2447 \inition
2448 | | | | | | +--rw algori\
2449 \thm
2450 | | | | | | | isa:\
2451 \symmetric-algorithm-type
2452 | | | | | | +--rw key-fo\
2453 \rmat?
2454 | | | | | | | iden\
2455 \tityref
2456 | | | | | | +--rw (key-t\
2457 \ype)
2458 | | | | | | +--:(key)
2459 | | | | | | | +--rw \
2460 \key?
2461 | | | | | | | \
2462 \ binary
2463 | | | | | | +--:(hidd\
2464 \en-key)
2465 | | | | | | | +--rw \
2466 \hidden-key?
2467 | | | | | | | \
2468 \ empty
2469 | | | | | | +--:(encr\
2470 \ypted-key)
2471 | | | | | | +--rw \
2472 \encrypted-key
2473 | | | | | | +--\
2474 \rw (key-type)
2475 | | | | | | | \
2476 \+--:(symmetric-key-ref)
2477 | | | | | | | \
2478 \| +--rw symmetric-key-ref? leafref
2479 | | | | | | | \
2480 \| {keystore-supported}?
2481 | | | | | | | \
2482 \+--:(asymmetric-key-ref)
2483 | | | | | | | \
2484 \ +--rw asymmetric-key-ref? leafref
2485 | | | | | | | \
2486 \ {keystore-supported}?
2487 | | | | | | +--\
2488 \rw value?
2489 | | | | | | \
2490 \ binary
2491 | | | | | +--:(keystore)
2492 | | | | | {keystore\
2493 \-supported}?
2494 | | | | | +--rw keystore-\
2495 \reference?
2496 | | | | | ks:symm\
2497 \etric-key-ref
2498 | | | | +--rw server-authentication
2499 | | | | | +--rw ca-certs!
2500 | | | | | | {x509-certificate-auth\
2501 \}?
2502 | | | | | | +--rw (local-or-truststore)
2503 | | | | | | +--:(local)
2504 | | | | | | | {local-definiti\
2505 \ons-supported}?
2506 | | | | | | | +--rw local-definition
2507 | | | | | | | +--rw cert*
2508 | | | | | | | | trust-anch\
2509 \or-cert-cms
2510 | | | | | | | +---n certificate-\
2511 \expiration
2512 | | | | | | | +-- expiration-\
2513 \date
2514 | | | | | | | yang:da\
2515 \te-and-time
2516 | | | | | | +--:(truststore)
2517 | | | | | | {truststore-sup\
2518 \ported,x509-certificates}?
2519 | | | | | | +--rw truststore-refe\
2520 \rence?
2521 | | | | | | ts:certificat\
2522 \es-ref
2523 | | | | | +--rw server-certs!
2524 | | | | | | {x509-certificate-auth\
2525 \}?
2526 | | | | | | +--rw (local-or-truststore)
2527 | | | | | | +--:(local)
2528 | | | | | | | {local-definiti\
2529 \ons-supported}?
2530 | | | | | | | +--rw local-definition
2531 | | | | | | | +--rw cert*
2532 | | | | | | | | trust-anch\
2533 \or-cert-cms
2534 | | | | | | | +---n certificate-\
2535 \expiration
2536 | | | | | | | +-- expiration-\
2537 \date
2538 | | | | | | | yang:da\
2539 \te-and-time
2540 | | | | | | +--:(truststore)
2541 | | | | | | {truststore-sup\
2542 \ported,x509-certificates}?
2543 | | | | | | +--rw truststore-refe\
2544 \rence?
2545 | | | | | | ts:certificat\
2547 \es-ref
2548 | | | | | +--rw raw-public-keys!
2549 | | | | | | {raw-public-key-auth}?
2550 | | | | | | +--rw (local-or-truststore)
2551 | | | | | | +--:(local)
2552 | | | | | | | {local-definiti\
2553 \ons-supported}?
2554 | | | | | | | +--rw local-definition
2555 | | | | | | | +--rw raw-public-k\
2556 \ey*
2557 | | | | | | | [name]
2558 | | | | | | | +--rw name
2559 | | | | | | | | string
2560 | | | | | | | +--rw algorithm
2561 | | | | | | | | iasa:as\
2562 \ymmetric-algorithm-type
2563 | | | | | | | +--rw public-ke\
2564 \y-format?
2565 | | | | | | | | identit\
2566 \yref
2567 | | | | | | | +--rw public-key
2568 | | | | | | | binary
2569 | | | | | | +--:(truststore)
2570 | | | | | | {truststore-sup\
2571 \ported,raw-public-keys}?
2572 | | | | | | +--rw truststore-refe\
2573 \rence?
2574 | | | | | | ts:raw-public\
2575 \-keys-ref
2576 | | | | | +--rw psks! {psk-auth}?
2577 | | | | +--rw hello-params
2578 | | | | | {tls-client-hello-params-\
2579 \config}?
2580 | | | | | +--rw tls-versions
2581 | | | | | | +--rw tls-version*
2582 | | | | | | identityref
2583 | | | | | +--rw cipher-suites
2584 | | | | | +--rw cipher-suite*
2585 | | | | | identityref
2586 | | | | +--rw keepalives!
2587 | | | | {tls-client-keepalives}?
2588 | | | | +--rw max-wait? uint16
2589 | | | | +--rw max-attempts? uint8
2590 | | | +--rw proxy-client-identity
2591 | | | +--rw (auth-type)
2592 | | | +--:(basic)
2593 | | | +--rw basic {basic-auth}?
2594 | | | +--rw user-id string
2595 | | | +--rw password string
2596 | | +--rw restconf-client-parameters
2597 | +--rw connection-type
2598 | | +--rw (connection-type)
2599 | | +--:(persistent-connection)
2600 | | | +--rw persistent!
2601 | | +--:(periodic-connection)
2602 | | +--rw periodic!
2603 | | +--rw period? uint16
2604 | | +--rw anchor-time? yang:date-and-time
2605 | | +--rw idle-timeout? uint16
2606 | +--rw reconnect-strategy
2607 | +--rw start-with? enumeration
2608 | +--rw max-attempts? uint8
2609 +--rw listen! {http-listen or https-listen}?
2610 +--rw idle-timeout? uint16
2611 +--rw endpoint* [name]
2612 +--rw name string
2613 +--rw (transport)
2614 +--:(http) {http-listen}?
2615 | +--rw FIXME
2616 +--:(https) {https-listen}?
2617 +--rw https
2618 +--rw tcp-server-parameters
2619 | +--rw local-address inet:ip-address
2620 | +--rw local-port? inet:port-number
2621 | +--rw keepalives! {keepalives-supported}?
2622 | +--rw idle-time uint16
2623 | +--rw max-probes uint16
2624 | +--rw probe-interval uint16
2625 +--rw tls-client-parameters
2626 | +--rw client-identity
2627 | | +--rw (auth-type)
2628 | | +--:(certificate)
2629 | | | +--rw certificate
2630 | | | {x509-certificate-auth}?
2631 | | | +--rw (local-or-keystore)
2632 | | | +--:(local)
2633 | | | | {local-definitions-su\
2634 \pported}?
2635 | | | | +--rw local-definition
2636 | | | | +--rw algorithm
2637 | | | | | iasa:asymmetric-\
2638 \algorithm-type
2639 | | | | +--rw public-key-format?
2640 | | | | | identityref
2641 | | | | +--rw public-key
2642 | | | | | binary
2643 | | | | +--rw private-key-format?
2644 | | | | | identityref
2645 | | | | +--rw (private-key-type)
2646 | | | | | +--:(private-key)
2647 | | | | | | +--rw private-key?
2648 | | | | | | binary
2649 | | | | | +--:(hidden-private-k\
2650 \ey)
2651 | | | | | | +--rw hidden-priva\
2652 \te-key?
2653 | | | | | | empty
2654 | | | | | +--:(encrypted-privat\
2655 \e-key)
2656 | | | | | +--rw encrypted-pr\
2657 \ivate-key
2658 | | | | | +--rw (key-type)
2659 | | | | | | +--:(symmetr\
2660 \ic-key-ref)
2661 | | | | | | | +--rw sym\
2662 \metric-key-ref? leafref
2663 | | | | | | | {\
2664 \keystore-supported}?
2665 | | | | | | +--:(asymmet\
2666 \ric-key-ref)
2667 | | | | | | +--rw asy\
2668 \mmetric-key-ref? leafref
2669 | | | | | | {\
2670 \keystore-supported}?
2671 | | | | | +--rw value?
2672 | | | | | binary
2673 | | | | +--rw cert?
2674 | | | | | end-entity-cert-\
2675 \cms
2676 | | | | +---n certificate-expira\
2677 \tion
2678 | | | | | +-- expiration-date
2679 | | | | | yang:date-and\
2680 \-time
2681 | | | | +---x generate-certifica\
2682 \te-signing-request
2683 | | | | +---w input
2684 | | | | | +---w subject
2685 | | | | | | binary
2686 | | | | | +---w attributes?
2687 | | | | | binary
2688 | | | | +--ro output
2689 | | | | +--ro certificate-\
2690 \signing-request
2691 | | | | binary
2692 | | | +--:(keystore)
2693 | | | {keystore-supported}?
2694 | | | +--rw keystore-reference
2695 | | | +--rw asymmetric-key?
2696 | | | | ks:asymmetric-ke\
2697 \y-ref
2698 | | | +--rw certificate? \
2699 \leafref
2700 | | +--:(raw-public-key)
2701 | | | +--rw raw-public-key
2702 | | | {raw-public-key-auth}?
2703 | | | +--rw (local-or-keystore)
2704 | | | +--:(local)
2705 | | | | {local-definitions-su\
2706 \pported}?
2707 | | | | +--rw local-definition
2708 | | | | +--rw algorithm
2709 | | | | | iasa:asymmetric-\
2710 \algorithm-type
2711 | | | | +--rw public-key-format?
2712 | | | | | identityref
2713 | | | | +--rw public-key
2714 | | | | | binary
2715 | | | | +--rw private-key-format?
2716 | | | | | identityref
2717 | | | | +--rw (private-key-type)
2718 | | | | +--:(private-key)
2719 | | | | | +--rw private-key?
2720 | | | | | binary
2721 | | | | +--:(hidden-private-k\
2722 \ey)
2723 | | | | | +--rw hidden-priva\
2724 \te-key?
2725 | | | | | empty
2726 | | | | +--:(encrypted-privat\
2727 \e-key)
2728 | | | | +--rw encrypted-pr\
2729 \ivate-key
2730 | | | | +--rw (key-type)
2731 | | | | | +--:(symmetr\
2732 \ic-key-ref)
2733 | | | | | | +--rw sym\
2734 \metric-key-ref? leafref
2735 | | | | | | {\
2736 \keystore-supported}?
2737 | | | | | +--:(asymmet\
2738 \ric-key-ref)
2739 | | | | | +--rw asy\
2740 \mmetric-key-ref? leafref
2741 | | | | | {\
2742 \keystore-supported}?
2743 | | | | +--rw value?
2744 | | | | binary
2745 | | | +--:(keystore)
2746 | | | {keystore-supported}?
2747 | | | +--rw keystore-reference?
2748 | | | ks:asymmetric-key-r\
2749 \ef
2750 | | +--:(psk)
2751 | | +--rw psk {psk-auth}?
2752 | | +--rw (local-or-keystore)
2753 | | +--:(local)
2754 | | | {local-definitions-su\
2755 \pported}?
2756 | | | +--rw local-definition
2757 | | | +--rw algorithm
2758 | | | | isa:symmetric-al\
2759 \gorithm-type
2760 | | | +--rw key-format?
2761 | | | | identityref
2762 | | | +--rw (key-type)
2763 | | | +--:(key)
2764 | | | | +--rw key?
2765 | | | | binary
2766 | | | +--:(hidden-key)
2767 | | | | +--rw hidden-key?
2768 | | | | empty
2769 | | | +--:(encrypted-key)
2770 | | | +--rw encrypted-key
2771 | | | +--rw (key-type)
2772 | | | | +--:(symmetr\
2773 \ic-key-ref)
2774 | | | | | +--rw sym\
2775 \metric-key-ref? leafref
2776 | | | | | {\
2777 \keystore-supported}?
2778 | | | | +--:(asymmet\
2779 \ric-key-ref)
2780 | | | | +--rw asy\
2781 \mmetric-key-ref? leafref
2782 | | | | {\
2783 \keystore-supported}?
2784 | | | +--rw value?
2785 | | | binary
2786 | | +--:(keystore)
2787 | | {keystore-supported}?
2788 | | +--rw keystore-reference?
2789 | | ks:symmetric-key-ref
2790 | +--rw server-authentication
2791 | | +--rw ca-certs! {x509-certificate-auth}?
2792 | | | +--rw (local-or-truststore)
2793 | | | +--:(local)
2794 | | | | {local-definitions-supporte\
2795 \d}?
2796 | | | | +--rw local-definition
2797 | | | | +--rw cert*
2798 | | | | | trust-anchor-cert-cms
2799 | | | | +---n certificate-expiration
2800 | | | | +-- expiration-date
2801 | | | | yang:date-and-time
2802 | | | +--:(truststore)
2803 | | | {truststore-supported,x509-\
2804 \certificates}?
2805 | | | +--rw truststore-reference?
2806 | | | ts:certificates-ref
2807 | | +--rw server-certs!
2808 | | | {x509-certificate-auth}?
2809 | | | +--rw (local-or-truststore)
2810 | | | +--:(local)
2811 | | | | {local-definitions-supporte\
2812 \d}?
2813 | | | | +--rw local-definition
2814 | | | | +--rw cert*
2815 | | | | | trust-anchor-cert-cms
2816 | | | | +---n certificate-expiration
2817 | | | | +-- expiration-date
2818 | | | | yang:date-and-time
2819 | | | +--:(truststore)
2820 | | | {truststore-supported,x509-\
2821 \certificates}?
2822 | | | +--rw truststore-reference?
2823 | | | ts:certificates-ref
2824 | | +--rw raw-public-keys!
2825 | | | {raw-public-key-auth}?
2826 | | | +--rw (local-or-truststore)
2827 | | | +--:(local)
2828 | | | | {local-definitions-supporte\
2829 \d}?
2830 | | | | +--rw local-definition
2831 | | | | +--rw raw-public-key* [name]
2832 | | | | +--rw name
2833 | | | | | string
2834 | | | | +--rw algorithm
2835 | | | | | iasa:asymmetric-alg\
2836 \orithm-type
2837 | | | | +--rw public-key-format?
2838 | | | | | identityref
2839 | | | | +--rw public-key
2840 | | | | binary
2841 | | | +--:(truststore)
2842 | | | {truststore-supported,raw-p\
2843 \ublic-keys}?
2844 | | | +--rw truststore-reference?
2845 | | | ts:raw-public-keys-ref
2846 | | +--rw psks! {psk-auth}?
2847 | +--rw hello-params
2848 | | {tls-client-hello-params-config}?
2849 | | +--rw tls-versions
2850 | | | +--rw tls-version* identityref
2851 | | +--rw cipher-suites
2852 | | +--rw cipher-suite* identityref
2853 | +--rw keepalives! {tls-client-keepalives}?
2854 | +--rw max-wait? uint16
2855 | +--rw max-attempts? uint8
2856 +--rw http-client-parameters
2857 | +--rw client-identity
2858 | | +--rw (auth-type)
2859 | | +--:(basic)
2860 | | +--rw basic {basic-auth}?
2861 | | +--rw user-id string
2862 | | +--rw password string
2863 | +--rw proxy-server! {proxy-connect}?
2864 | +--rw tcp-client-parameters
2865 | | +--rw remote-address inet:host
2866 | | +--rw remote-port? inet:port-number
2867 | | +--rw local-address? inet:ip-address
2868 | | | {local-binding-supported}?
2869 | | +--rw local-port? inet:port-number
2870 | | | {local-binding-supported}?
2871 | | +--rw keepalives!
2872 | | {keepalives-supported}?
2873 | | +--rw idle-time uint16
2874 | | +--rw max-probes uint16
2875 | | +--rw probe-interval uint16
2876 | +--rw tls-client-parameters
2877 | | +--rw client-identity
2878 | | | +--rw (auth-type)
2879 | | | +--:(certificate)
2880 | | | | +--rw certificate
2881 | | | | {x509-certificate-auth\
2882 \}?
2883 | | | | +--rw (local-or-keystore)
2884 | | | | +--:(local)
2885 | | | | | {local-definiti\
2886 \ons-supported}?
2887 | | | | | +--rw local-definition
2888 | | | | | +--rw algorithm
2889 | | | | | | iasa:asymm\
2890 \etric-algorithm-type
2891 | | | | | +--rw public-key-f\
2892 \ormat?
2893 | | | | | | identityref
2894 | | | | | +--rw public-key
2895 | | | | | | binary
2896 | | | | | +--rw private-key-\
2897 \format?
2898 | | | | | | identityref
2899 | | | | | +--rw (private-key\
2900 \-type)
2901 | | | | | | +--:(private-ke\
2902 \y)
2903 | | | | | | | +--rw privat\
2904 \e-key?
2905 | | | | | | | bina\
2906 \ry
2907 | | | | | | +--:(hidden-pri\
2908 \vate-key)
2909 | | | | | | | +--rw hidden\
2910 \-private-key?
2911 | | | | | | | empty
2912 | | | | | | +--:(encrypted-\
2913 \private-key)
2914 | | | | | | +--rw encryp\
2915 \ted-private-key
2916 | | | | | | +--rw (ke\
2917 \y-type)
2918 | | | | | | | +--:(s\
2919 \ymmetric-key-ref)
2920 | | | | | | | | +--\
2921 \rw symmetric-key-ref? leafref
2922 | | | | | | | | \
2923 \ {keystore-supported}?
2924 | | | | | | | +--:(a\
2925 \symmetric-key-ref)
2926 | | | | | | | +--\
2927 \rw asymmetric-key-ref? leafref
2928 | | | | | | | \
2929 \ {keystore-supported}?
2930 | | | | | | +--rw val\
2932 \ue?
2933 | | | | | | b\
2934 \inary
2935 | | | | | +--rw cert?
2936 | | | | | | end-entity\
2937 \-cert-cms
2938 | | | | | +---n certificate-\
2939 \expiration
2940 | | | | | | +-- expiration-\
2941 \date
2942 | | | | | | yang:da\
2943 \te-and-time
2944 | | | | | +---x generate-cer\
2945 \tificate-signing-request
2946 | | | | | +---w input
2947 | | | | | | +---w subject
2948 | | | | | | | bina\
2949 \ry
2950 | | | | | | +---w attrib\
2951 \utes?
2952 | | | | | | bina\
2953 \ry
2954 | | | | | +--ro output
2955 | | | | | +--ro certif\
2956 \icate-signing-request
2957 | | | | | bina\
2958 \ry
2959 | | | | +--:(keystore)
2960 | | | | {keystore-suppo\
2961 \rted}?
2962 | | | | +--rw keystore-refere\
2963 \nce
2964 | | | | +--rw asymmetric-k\
2965 \ey?
2966 | | | | | ks:asymmet\
2967 \ric-key-ref
2968 | | | | +--rw certificate?\
2969 \ leafref
2970 | | | +--:(raw-public-key)
2971 | | | | +--rw raw-public-key
2972 | | | | {raw-public-key-auth}?
2973 | | | | +--rw (local-or-keystore)
2974 | | | | +--:(local)
2975 | | | | | {local-definiti\
2976 \ons-supported}?
2977 | | | | | +--rw local-definition
2978 | | | | | +--rw algorithm
2979 | | | | | | iasa:asymm\
2981 \etric-algorithm-type
2982 | | | | | +--rw public-key-f\
2983 \ormat?
2984 | | | | | | identityref
2985 | | | | | +--rw public-key
2986 | | | | | | binary
2987 | | | | | +--rw private-key-\
2988 \format?
2989 | | | | | | identityref
2990 | | | | | +--rw (private-key\
2991 \-type)
2992 | | | | | +--:(private-ke\
2993 \y)
2994 | | | | | | +--rw privat\
2995 \e-key?
2996 | | | | | | bina\
2997 \ry
2998 | | | | | +--:(hidden-pri\
2999 \vate-key)
3000 | | | | | | +--rw hidden\
3001 \-private-key?
3002 | | | | | | empty
3003 | | | | | +--:(encrypted-\
3004 \private-key)
3005 | | | | | +--rw encryp\
3006 \ted-private-key
3007 | | | | | +--rw (ke\
3008 \y-type)
3009 | | | | | | +--:(s\
3010 \ymmetric-key-ref)
3011 | | | | | | | +--\
3012 \rw symmetric-key-ref? leafref
3013 | | | | | | | \
3014 \ {keystore-supported}?
3015 | | | | | | +--:(a\
3016 \symmetric-key-ref)
3017 | | | | | | +--\
3018 \rw asymmetric-key-ref? leafref
3019 | | | | | | \
3020 \ {keystore-supported}?
3021 | | | | | +--rw val\
3022 \ue?
3023 | | | | | b\
3024 \inary
3025 | | | | +--:(keystore)
3026 | | | | {keystore-suppo\
3027 \rted}?
3028 | | | | +--rw keystore-refere\
3030 \nce?
3031 | | | | ks:asymmetric\
3032 \-key-ref
3033 | | | +--:(psk)
3034 | | | +--rw psk {psk-auth}?
3035 | | | +--rw (local-or-keystore)
3036 | | | +--:(local)
3037 | | | | {local-definiti\
3038 \ons-supported}?
3039 | | | | +--rw local-definition
3040 | | | | +--rw algorithm
3041 | | | | | isa:symmet\
3042 \ric-algorithm-type
3043 | | | | +--rw key-format?
3044 | | | | | identityref
3045 | | | | +--rw (key-type)
3046 | | | | +--:(key)
3047 | | | | | +--rw key?
3048 | | | | | bina\
3049 \ry
3050 | | | | +--:(hidden-key)
3051 | | | | | +--rw hidden\
3052 \-key?
3053 | | | | | empty
3054 | | | | +--:(encrypted-\
3055 \key)
3056 | | | | +--rw encryp\
3057 \ted-key
3058 | | | | +--rw (ke\
3059 \y-type)
3060 | | | | | +--:(s\
3061 \ymmetric-key-ref)
3062 | | | | | | +--\
3063 \rw symmetric-key-ref? leafref
3064 | | | | | | \
3065 \ {keystore-supported}?
3066 | | | | | +--:(a\
3067 \symmetric-key-ref)
3068 | | | | | +--\
3069 \rw asymmetric-key-ref? leafref
3070 | | | | | \
3071 \ {keystore-supported}?
3072 | | | | +--rw val\
3073 \ue?
3074 | | | | b\
3075 \inary
3076 | | | +--:(keystore)
3077 | | | {keystore-suppo\
3079 \rted}?
3080 | | | +--rw keystore-refere\
3081 \nce?
3082 | | | ks:symmetric-\
3083 \key-ref
3084 | | +--rw server-authentication
3085 | | | +--rw ca-certs!
3086 | | | | {x509-certificate-auth}?
3087 | | | | +--rw (local-or-truststore)
3088 | | | | +--:(local)
3089 | | | | | {local-definitions-su\
3090 \pported}?
3091 | | | | | +--rw local-definition
3092 | | | | | +--rw cert*
3093 | | | | | | trust-anchor-cer\
3094 \t-cms
3095 | | | | | +---n certificate-expira\
3096 \tion
3097 | | | | | +-- expiration-date
3098 | | | | | yang:date-and\
3099 \-time
3100 | | | | +--:(truststore)
3101 | | | | {truststore-supported\
3102 \,x509-certificates}?
3103 | | | | +--rw truststore-reference?
3104 | | | | ts:certificates-ref
3105 | | | +--rw server-certs!
3106 | | | | {x509-certificate-auth}?
3107 | | | | +--rw (local-or-truststore)
3108 | | | | +--:(local)
3109 | | | | | {local-definitions-su\
3110 \pported}?
3111 | | | | | +--rw local-definition
3112 | | | | | +--rw cert*
3113 | | | | | | trust-anchor-cer\
3114 \t-cms
3115 | | | | | +---n certificate-expira\
3116 \tion
3117 | | | | | +-- expiration-date
3118 | | | | | yang:date-and\
3119 \-time
3120 | | | | +--:(truststore)
3121 | | | | {truststore-supported\
3122 \,x509-certificates}?
3123 | | | | +--rw truststore-reference?
3124 | | | | ts:certificates-ref
3125 | | | +--rw raw-public-keys!
3126 | | | | {raw-public-key-auth}?
3127 | | | | +--rw (local-or-truststore)
3128 | | | | +--:(local)
3129 | | | | | {local-definitions-su\
3130 \pported}?
3131 | | | | | +--rw local-definition
3132 | | | | | +--rw raw-public-key*
3133 | | | | | [name]
3134 | | | | | +--rw name
3135 | | | | | | string
3136 | | | | | +--rw algorithm
3137 | | | | | | iasa:asymmetr\
3138 \ic-algorithm-type
3139 | | | | | +--rw public-key-form\
3140 \at?
3141 | | | | | | identityref
3142 | | | | | +--rw public-key
3143 | | | | | binary
3144 | | | | +--:(truststore)
3145 | | | | {truststore-supported\
3146 \,raw-public-keys}?
3147 | | | | +--rw truststore-reference?
3148 | | | | ts:raw-public-keys-\
3149 \ref
3150 | | | +--rw psks! {psk-auth}?
3151 | | +--rw hello-params
3152 | | | {tls-client-hello-params-config\
3153 \}?
3154 | | | +--rw tls-versions
3155 | | | | +--rw tls-version* identityref
3156 | | | +--rw cipher-suites
3157 | | | +--rw cipher-suite* identityref
3158 | | +--rw keepalives!
3159 | | {tls-client-keepalives}?
3160 | | +--rw max-wait? uint16
3161 | | +--rw max-attempts? uint8
3162 | +--rw proxy-client-identity
3163 | +--rw (auth-type)
3164 | +--:(basic)
3165 | +--rw basic {basic-auth}?
3166 | +--rw user-id string
3167 | +--rw password string
3168 +--rw restconf-client-parameters
3170 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
3172 The following tree diagram [RFC8340] provides an overview of the data
3173 model for the "ietf-restconf-server" module.
3175 This tree diagram shows all the nodes defined in this module,
3176 including those defined by "grouping" statements used by this module.
3178 Please see Section 3.1 for a tree diagram that illustrates what the
3179 module looks like without all the "grouping" statements expanded.
3181 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
3183 module: ietf-restconf-server
3184 +--rw restconf-server
3185 +--rw listen! {http-listen or https-listen}?
3186 | +--rw endpoint* [name]
3187 | +--rw name string
3188 | +--rw (transport)
3189 | +--:(http) {http-listen}?
3190 | | +--rw http
3191 | | +--rw external-endpoint!
3192 | | | +--rw address inet:ip-address
3193 | | | +--rw port? inet:port-number
3194 | | +--rw tcp-server-parameters
3195 | | | +--rw local-address inet:ip-address
3196 | | | +--rw local-port? inet:port-number
3197 | | | +--rw keepalives! {keepalives-supported}?
3198 | | | +--rw idle-time uint16
3199 | | | +--rw max-probes uint16
3200 | | | +--rw probe-interval uint16
3201 | | +--rw http-server-parameters
3202 | | | +--rw server-name? string
3203 | | | +--rw protocol-versions
3204 | | | | +--rw protocol-version* enumeration
3205 | | | +--rw client-authentication!
3206 | | | {client-auth-config-supported}?
3207 | | | +--rw users
3208 | | | +--rw user* [user-id]
3209 | | | +--rw user-id string
3210 | | | +--rw (auth-type)?
3211 | | | +--:(basic)
3212 | | | +--rw basic {basic-auth}?
3213 | | | +--rw user-id? string
3214 | | | +--rw password?
3215 | | | ianach:crypt-hash
3216 | | +--rw restconf-server-parameters
3217 | | +--rw client-identity-mappings
3218 | | +--rw cert-to-name* [id]
3219 | | +--rw id uint32
3220 | | +--rw fingerprint?
3221 | | | x509c2n:tls-fingerprint
3222 | | +--rw map-type identityref
3223 | | +--rw name string
3224 | +--:(https) {https-listen}?
3225 | +--rw https
3226 | +--rw tcp-server-parameters
3227 | | +--rw local-address inet:ip-address
3228 | | +--rw local-port? inet:port-number
3229 | | +--rw keepalives! {keepalives-supported}?
3230 | | +--rw idle-time uint16
3231 | | +--rw max-probes uint16
3232 | | +--rw probe-interval uint16
3233 | +--rw tls-server-parameters
3234 | | +--rw server-identity
3235 | | | +--rw (auth-type)
3236 | | | +--:(certificate)
3237 | | | | +--rw certificate
3238 | | | | {x509-certificate-auth}?
3239 | | | | +--rw (local-or-keystore)
3240 | | | | +--:(local)
3241 | | | | | {local-definitions-su\
3242 \pported}?
3243 | | | | | +--rw local-definition
3244 | | | | | +--rw algorithm
3245 | | | | | | iasa:asymmetric-\
3246 \algorithm-type
3247 | | | | | +--rw public-key-format?
3248 | | | | | | identityref
3249 | | | | | +--rw public-key
3250 | | | | | | binary
3251 | | | | | +--rw private-key-format?
3252 | | | | | | identityref
3253 | | | | | +--rw (private-key-type)
3254 | | | | | | +--:(private-key)
3255 | | | | | | | +--rw private-key?
3256 | | | | | | | binary
3257 | | | | | | +--:(hidden-private-k\
3258 \ey)
3259 | | | | | | | +--rw hidden-priva\
3260 \te-key?
3261 | | | | | | | empty
3262 | | | | | | +--:(encrypted-privat\
3263 \e-key)
3264 | | | | | | +--rw encrypted-pr\
3265 \ivate-key
3266 | | | | | | +--rw (key-type)
3267 | | | | | | | +--:(symmetr\
3268 \ic-key-ref)
3269 | | | | | | | | +--rw sym\
3270 \metric-key-ref? leafref
3271 | | | | | | | | {\
3272 \keystore-supported}?
3273 | | | | | | | +--:(asymmet\
3274 \ric-key-ref)
3275 | | | | | | | +--rw asy\
3276 \mmetric-key-ref? leafref
3277 | | | | | | | {\
3278 \keystore-supported}?
3279 | | | | | | +--rw value?
3280 | | | | | | binary
3281 | | | | | +--rw cert?
3282 | | | | | | end-entity-cert-\
3283 \cms
3284 | | | | | +---n certificate-expira\
3285 \tion
3286 | | | | | | +-- expiration-date
3287 | | | | | | yang:date-and\
3288 \-time
3289 | | | | | +---x generate-certifica\
3290 \te-signing-request
3291 | | | | | +---w input
3292 | | | | | | +---w subject
3293 | | | | | | | binary
3294 | | | | | | +---w attributes?
3295 | | | | | | binary
3296 | | | | | +--ro output
3297 | | | | | +--ro certificate-\
3298 \signing-request
3299 | | | | | binary
3300 | | | | +--:(keystore)
3301 | | | | {keystore-supported}?
3302 | | | | +--rw keystore-reference
3303 | | | | +--rw asymmetric-key?
3304 | | | | | ks:asymmetric-ke\
3305 \y-ref
3306 | | | | +--rw certificate? \
3307 \leafref
3308 | | | +--:(raw-private-key)
3309 | | | | +--rw raw-private-key
3310 | | | | {raw-public-key-auth}?
3311 | | | | +--rw (local-or-keystore)
3312 | | | | +--:(local)
3313 | | | | | {local-definitions-su\
3314 \pported}?
3315 | | | | | +--rw local-definition
3316 | | | | | +--rw algorithm
3317 | | | | | | iasa:asymmetric-\
3318 \algorithm-type
3319 | | | | | +--rw public-key-format?
3320 | | | | | | identityref
3321 | | | | | +--rw public-key
3322 | | | | | | binary
3323 | | | | | +--rw private-key-format?
3324 | | | | | | identityref
3325 | | | | | +--rw (private-key-type)
3326 | | | | | +--:(private-key)
3327 | | | | | | +--rw private-key?
3328 | | | | | | binary
3329 | | | | | +--:(hidden-private-k\
3330 \ey)
3331 | | | | | | +--rw hidden-priva\
3332 \te-key?
3333 | | | | | | empty
3334 | | | | | +--:(encrypted-privat\
3335 \e-key)
3336 | | | | | +--rw encrypted-pr\
3337 \ivate-key
3338 | | | | | +--rw (key-type)
3339 | | | | | | +--:(symmetr\
3340 \ic-key-ref)
3341 | | | | | | | +--rw sym\
3342 \metric-key-ref? leafref
3343 | | | | | | | {\
3344 \keystore-supported}?
3345 | | | | | | +--:(asymmet\
3346 \ric-key-ref)
3347 | | | | | | +--rw asy\
3348 \mmetric-key-ref? leafref
3349 | | | | | | {\
3350 \keystore-supported}?
3351 | | | | | +--rw value?
3352 | | | | | binary
3353 | | | | +--:(keystore)
3354 | | | | {keystore-supported}?
3355 | | | | +--rw keystore-reference?
3356 | | | | ks:asymmetric-key-r\
3357 \ef
3358 | | | +--:(psk)
3359 | | | +--rw psk {psk-auth}?
3360 | | | +--rw (local-or-keystore)
3361 | | | +--:(local)
3362 | | | | {local-definitions-su\
3363 \pported}?
3364 | | | | +--rw local-definition
3365 | | | | +--rw algorithm
3366 | | | | | isa:symmetric-al\
3368 \gorithm-type
3369 | | | | +--rw key-format?
3370 | | | | | identityref
3371 | | | | +--rw (key-type)
3372 | | | | +--:(key)
3373 | | | | | +--rw key?
3374 | | | | | binary
3375 | | | | +--:(hidden-key)
3376 | | | | | +--rw hidden-key?
3377 | | | | | empty
3378 | | | | +--:(encrypted-key)
3379 | | | | +--rw encrypted-key
3380 | | | | +--rw (key-type)
3381 | | | | | +--:(symmetr\
3382 \ic-key-ref)
3383 | | | | | | +--rw sym\
3384 \metric-key-ref? leafref
3385 | | | | | | {\
3386 \keystore-supported}?
3387 | | | | | +--:(asymmet\
3388 \ric-key-ref)
3389 | | | | | +--rw asy\
3390 \mmetric-key-ref? leafref
3391 | | | | | {\
3392 \keystore-supported}?
3393 | | | | +--rw value?
3394 | | | | binary
3395 | | | +--:(keystore)
3396 | | | {keystore-supported}?
3397 | | | +--rw keystore-reference?
3398 | | | ks:symmetric-key-ref
3399 | | +--rw client-authentication!
3400 | | | {client-auth-config-supported}?
3401 | | | +--rw ca-certs! {x509-certificate-auth}?
3402 | | | | +--rw (local-or-truststore)
3403 | | | | +--:(local)
3404 | | | | | {local-definitions-supporte\
3405 \d}?
3406 | | | | | +--rw local-definition
3407 | | | | | +--rw cert*
3408 | | | | | | trust-anchor-cert-cms
3409 | | | | | +---n certificate-expiration
3410 | | | | | +-- expiration-date
3411 | | | | | yang:date-and-time
3412 | | | | +--:(truststore)
3413 | | | | {truststore-supported,x509-\
3414 \certificates}?
3415 | | | | +--rw truststore-reference?
3416 | | | | ts:certificates-ref
3417 | | | +--rw client-certs!
3418 | | | | {x509-certificate-auth}?
3419 | | | | +--rw (local-or-truststore)
3420 | | | | +--:(local)
3421 | | | | | {local-definitions-supporte\
3422 \d}?
3423 | | | | | +--rw local-definition
3424 | | | | | +--rw cert*
3425 | | | | | | trust-anchor-cert-cms
3426 | | | | | +---n certificate-expiration
3427 | | | | | +-- expiration-date
3428 | | | | | yang:date-and-time
3429 | | | | +--:(truststore)
3430 | | | | {truststore-supported,x509-\
3431 \certificates}?
3432 | | | | +--rw truststore-reference?
3433 | | | | ts:certificates-ref
3434 | | | +--rw raw-public-keys!
3435 | | | {raw-public-key-auth}?
3436 | | | +--rw (local-or-truststore)
3437 | | | +--:(local)
3438 | | | | {local-definitions-supporte\
3439 \d}?
3440 | | | | +--rw local-definition
3441 | | | | +--rw raw-public-key* [name]
3442 | | | | +--rw name
3443 | | | | | string
3444 | | | | +--rw algorithm
3445 | | | | | iasa:asymmetric-alg\
3446 \orithm-type
3447 | | | | +--rw public-key-format?
3448 | | | | | identityref
3449 | | | | +--rw public-key
3450 | | | | binary
3451 | | | +--:(truststore)
3452 | | | {truststore-supported,raw-p\
3453 \ublic-keys}?
3454 | | | +--rw truststore-reference?
3455 | | | ts:raw-public-keys-ref
3456 | | +--rw hello-params
3457 | | | {tls-server-hello-params-config}?
3458 | | | +--rw tls-versions
3459 | | | | +--rw tls-version* identityref
3460 | | | +--rw cipher-suites
3461 | | | +--rw cipher-suite* identityref
3462 | | +--rw keepalives! {tls-server-keepalives}?
3463 | | +--rw max-wait? uint16
3464 | | +--rw max-attempts? uint8
3465 | +--rw http-server-parameters
3466 | | +--rw server-name? string
3467 | | +--rw protocol-versions
3468 | | | +--rw protocol-version* enumeration
3469 | | +--rw client-authentication!
3470 | | {client-auth-config-supported}?
3471 | | +--rw users
3472 | | +--rw user* [user-id]
3473 | | +--rw user-id string
3474 | | +--rw (auth-type)?
3475 | | +--:(basic)
3476 | | +--rw basic {basic-auth}?
3477 | | +--rw user-id? string
3478 | | +--rw password?
3479 | | ianach:crypt-hash
3480 | +--rw restconf-server-parameters
3481 | +--rw client-identity-mappings
3482 | +--rw cert-to-name* [id]
3483 | +--rw id uint32
3484 | +--rw fingerprint?
3485 | | x509c2n:tls-fingerprint
3486 | +--rw map-type identityref
3487 | +--rw name string
3488 +--rw call-home! {https-call-home}?
3489 +--rw restconf-client* [name]
3490 +--rw name string
3491 +--rw endpoints
3492 | +--rw endpoint* [name]
3493 | +--rw name string
3494 | +--rw (transport)
3495 | +--:(https) {https-listen}?
3496 | +--rw https
3497 | +--rw tcp-client-parameters
3498 | | +--rw remote-address inet:host
3499 | | +--rw remote-port? inet:port-number
3500 | | +--rw local-address? inet:ip-address
3501 | | | {local-binding-supported}?
3502 | | +--rw local-port? inet:port-number
3503 | | | {local-binding-supported}?
3504 | | +--rw keepalives!
3505 | | {keepalives-supported}?
3506 | | +--rw idle-time uint16
3507 | | +--rw max-probes uint16
3508 | | +--rw probe-interval uint16
3509 | +--rw tls-server-parameters
3510 | | +--rw server-identity
3511 | | | +--rw (auth-type)
3512 | | | +--:(certificate)
3513 | | | | +--rw certificate
3514 | | | | {x509-certificate-auth\
3515 \}?
3516 | | | | +--rw (local-or-keystore)
3517 | | | | +--:(local)
3518 | | | | | {local-definiti\
3519 \ons-supported}?
3520 | | | | | +--rw local-definition
3521 | | | | | +--rw algorithm
3522 | | | | | | iasa:asymm\
3523 \etric-algorithm-type
3524 | | | | | +--rw public-key-f\
3525 \ormat?
3526 | | | | | | identityref
3527 | | | | | +--rw public-key
3528 | | | | | | binary
3529 | | | | | +--rw private-key-\
3530 \format?
3531 | | | | | | identityref
3532 | | | | | +--rw (private-key\
3533 \-type)
3534 | | | | | | +--:(private-ke\
3535 \y)
3536 | | | | | | | +--rw privat\
3537 \e-key?
3538 | | | | | | | bina\
3539 \ry
3540 | | | | | | +--:(hidden-pri\
3541 \vate-key)
3542 | | | | | | | +--rw hidden\
3543 \-private-key?
3544 | | | | | | | empty
3545 | | | | | | +--:(encrypted-\
3546 \private-key)
3547 | | | | | | +--rw encryp\
3548 \ted-private-key
3549 | | | | | | +--rw (ke\
3550 \y-type)
3551 | | | | | | | +--:(s\
3552 \ymmetric-key-ref)
3553 | | | | | | | | +--\
3554 \rw symmetric-key-ref? leafref
3555 | | | | | | | | \
3556 \ {keystore-supported}?
3557 | | | | | | | +--:(a\
3558 \symmetric-key-ref)
3559 | | | | | | | +--\
3561 \rw asymmetric-key-ref? leafref
3562 | | | | | | | \
3563 \ {keystore-supported}?
3564 | | | | | | +--rw val\
3565 \ue?
3566 | | | | | | b\
3567 \inary
3568 | | | | | +--rw cert?
3569 | | | | | | end-entity\
3570 \-cert-cms
3571 | | | | | +---n certificate-\
3572 \expiration
3573 | | | | | | +-- expiration-\
3574 \date
3575 | | | | | | yang:da\
3576 \te-and-time
3577 | | | | | +---x generate-cer\
3578 \tificate-signing-request
3579 | | | | | +---w input
3580 | | | | | | +---w subject
3581 | | | | | | | bina\
3582 \ry
3583 | | | | | | +---w attrib\
3584 \utes?
3585 | | | | | | bina\
3586 \ry
3587 | | | | | +--ro output
3588 | | | | | +--ro certif\
3589 \icate-signing-request
3590 | | | | | bina\
3591 \ry
3592 | | | | +--:(keystore)
3593 | | | | {keystore-suppo\
3594 \rted}?
3595 | | | | +--rw keystore-refere\
3596 \nce
3597 | | | | +--rw asymmetric-k\
3598 \ey?
3599 | | | | | ks:asymmet\
3600 \ric-key-ref
3601 | | | | +--rw certificate?\
3602 \ leafref
3603 | | | +--:(raw-private-key)
3604 | | | | +--rw raw-private-key
3605 | | | | {raw-public-key-auth}?
3606 | | | | +--rw (local-or-keystore)
3607 | | | | +--:(local)
3608 | | | | | {local-definiti\
3610 \ons-supported}?
3611 | | | | | +--rw local-definition
3612 | | | | | +--rw algorithm
3613 | | | | | | iasa:asymm\
3614 \etric-algorithm-type
3615 | | | | | +--rw public-key-f\
3616 \ormat?
3617 | | | | | | identityref
3618 | | | | | +--rw public-key
3619 | | | | | | binary
3620 | | | | | +--rw private-key-\
3621 \format?
3622 | | | | | | identityref
3623 | | | | | +--rw (private-key\
3624 \-type)
3625 | | | | | +--:(private-ke\
3626 \y)
3627 | | | | | | +--rw privat\
3628 \e-key?
3629 | | | | | | bina\
3630 \ry
3631 | | | | | +--:(hidden-pri\
3632 \vate-key)
3633 | | | | | | +--rw hidden\
3634 \-private-key?
3635 | | | | | | empty
3636 | | | | | +--:(encrypted-\
3637 \private-key)
3638 | | | | | +--rw encryp\
3639 \ted-private-key
3640 | | | | | +--rw (ke\
3641 \y-type)
3642 | | | | | | +--:(s\
3643 \ymmetric-key-ref)
3644 | | | | | | | +--\
3645 \rw symmetric-key-ref? leafref
3646 | | | | | | | \
3647 \ {keystore-supported}?
3648 | | | | | | +--:(a\
3649 \symmetric-key-ref)
3650 | | | | | | +--\
3651 \rw asymmetric-key-ref? leafref
3652 | | | | | | \
3653 \ {keystore-supported}?
3654 | | | | | +--rw val\
3655 \ue?
3656 | | | | | b\
3657 \inary
3658 | | | | +--:(keystore)
3659 | | | | {keystore-suppo\
3660 \rted}?
3661 | | | | +--rw keystore-refere\
3662 \nce?
3663 | | | | ks:asymmetric\
3664 \-key-ref
3665 | | | +--:(psk)
3666 | | | +--rw psk {psk-auth}?
3667 | | | +--rw (local-or-keystore)
3668 | | | +--:(local)
3669 | | | | {local-definiti\
3670 \ons-supported}?
3671 | | | | +--rw local-definition
3672 | | | | +--rw algorithm
3673 | | | | | isa:symmet\
3674 \ric-algorithm-type
3675 | | | | +--rw key-format?
3676 | | | | | identityref
3677 | | | | +--rw (key-type)
3678 | | | | +--:(key)
3679 | | | | | +--rw key?
3680 | | | | | bina\
3681 \ry
3682 | | | | +--:(hidden-key)
3683 | | | | | +--rw hidden\
3684 \-key?
3685 | | | | | empty
3686 | | | | +--:(encrypted-\
3687 \key)
3688 | | | | +--rw encryp\
3689 \ted-key
3690 | | | | +--rw (ke\
3691 \y-type)
3692 | | | | | +--:(s\
3693 \ymmetric-key-ref)
3694 | | | | | | +--\
3695 \rw symmetric-key-ref? leafref
3696 | | | | | | \
3697 \ {keystore-supported}?
3698 | | | | | +--:(a\
3699 \symmetric-key-ref)
3700 | | | | | +--\
3701 \rw asymmetric-key-ref? leafref
3702 | | | | | \
3703 \ {keystore-supported}?
3704 | | | | +--rw val\
3705 \ue?
3706 | | | | b\
3707 \inary
3708 | | | +--:(keystore)
3709 | | | {keystore-suppo\
3710 \rted}?
3711 | | | +--rw keystore-refere\
3712 \nce?
3713 | | | ks:symmetric-\
3714 \key-ref
3715 | | +--rw client-authentication!
3716 | | | {client-auth-config-supported}?
3717 | | | +--rw ca-certs!
3718 | | | | {x509-certificate-auth}?
3719 | | | | +--rw (local-or-truststore)
3720 | | | | +--:(local)
3721 | | | | | {local-definitions-su\
3722 \pported}?
3723 | | | | | +--rw local-definition
3724 | | | | | +--rw cert*
3725 | | | | | | trust-anchor-cer\
3726 \t-cms
3727 | | | | | +---n certificate-expira\
3728 \tion
3729 | | | | | +-- expiration-date
3730 | | | | | yang:date-and\
3731 \-time
3732 | | | | +--:(truststore)
3733 | | | | {truststore-supported\
3734 \,x509-certificates}?
3735 | | | | +--rw truststore-reference?
3736 | | | | ts:certificates-ref
3737 | | | +--rw client-certs!
3738 | | | | {x509-certificate-auth}?
3739 | | | | +--rw (local-or-truststore)
3740 | | | | +--:(local)
3741 | | | | | {local-definitions-su\
3742 \pported}?
3743 | | | | | +--rw local-definition
3744 | | | | | +--rw cert*
3745 | | | | | | trust-anchor-cer\
3746 \t-cms
3747 | | | | | +---n certificate-expira\
3748 \tion
3749 | | | | | +-- expiration-date
3750 | | | | | yang:date-and\
3751 \-time
3752 | | | | +--:(truststore)
3753 | | | | {truststore-supported\
3755 \,x509-certificates}?
3756 | | | | +--rw truststore-reference?
3757 | | | | ts:certificates-ref
3758 | | | +--rw raw-public-keys!
3759 | | | {raw-public-key-auth}?
3760 | | | +--rw (local-or-truststore)
3761 | | | +--:(local)
3762 | | | | {local-definitions-su\
3763 \pported}?
3764 | | | | +--rw local-definition
3765 | | | | +--rw raw-public-key*
3766 | | | | [name]
3767 | | | | +--rw name
3768 | | | | | string
3769 | | | | +--rw algorithm
3770 | | | | | iasa:asymmetr\
3771 \ic-algorithm-type
3772 | | | | +--rw public-key-form\
3773 \at?
3774 | | | | | identityref
3775 | | | | +--rw public-key
3776 | | | | binary
3777 | | | +--:(truststore)
3778 | | | {truststore-supported\
3779 \,raw-public-keys}?
3780 | | | +--rw truststore-reference?
3781 | | | ts:raw-public-keys-\
3782 \ref
3783 | | +--rw hello-params
3784 | | | {tls-server-hello-params-config\
3785 \}?
3786 | | | +--rw tls-versions
3787 | | | | +--rw tls-version* identityref
3788 | | | +--rw cipher-suites
3789 | | | +--rw cipher-suite* identityref
3790 | | +--rw keepalives!
3791 | | {tls-server-keepalives}?
3792 | | +--rw max-wait? uint16
3793 | | +--rw max-attempts? uint8
3794 | +--rw http-server-parameters
3795 | | +--rw server-name? string
3796 | | +--rw protocol-versions
3797 | | | +--rw protocol-version* enumeration
3798 | | +--rw client-authentication!
3799 | | {client-auth-config-supported}?
3800 | | +--rw users
3801 | | +--rw user* [user-id]
3802 | | +--rw user-id string
3803 | | +--rw (auth-type)?
3804 | | +--:(basic)
3805 | | +--rw basic {basic-auth}?
3806 | | +--rw user-id?
3807 | | | string
3808 | | +--rw password?
3809 | | ianach:crypt-\
3810 \hash
3811 | +--rw restconf-server-parameters
3812 | +--rw client-identity-mappings
3813 | +--rw cert-to-name* [id]
3814 | +--rw id uint32
3815 | +--rw fingerprint?
3816 | | x509c2n:tls-fingerprint
3817 | +--rw map-type identityref
3818 | +--rw name string
3819 +--rw connection-type
3820 | +--rw (connection-type)
3821 | +--:(persistent-connection)
3822 | | +--rw persistent!
3823 | +--:(periodic-connection)
3824 | +--rw periodic!
3825 | +--rw period? uint16
3826 | +--rw anchor-time? yang:date-and-time
3827 | +--rw idle-timeout? uint16
3828 +--rw reconnect-strategy
3829 +--rw start-with? enumeration
3830 +--rw max-attempts? uint8
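As an added illustration (not part of the draft), the following Python builds a constructed JSON-style instance of the "call-home" subtree shown in the tree above and checks the constraints a reader can recover from the diagram: leaves without a trailing "?" are mandatory, "connection-type" must select exactly one case, "cert-to-name/fingerprint" is optional, and "password" is an iana-crypt-hash value whose "$0$" form carries a cleartext password (RFC 7317). All sample values (host name, user ids, hash, identity names) are constructed.

```python
import re
from typing import Dict, List

# Constructed sample instance of the "call-home" subtree from the tree
# diagram (JSON-style, namespace prefixes omitted); not from the draft.
SAMPLE_CALL_HOME = {
    "restconf-client": [{
        "name": "nms-1",
        "endpoints": {"endpoint": [{
            "name": "primary",
            "https": {
                "tcp-client-parameters": {"remote-address": "nms.example.com"},
                "http-server-parameters": {"client-authentication": {"users": {"user": [
                    {"user-id": "ops", "basic": {"password": "$0$not-hashed"}},
                    {"user-id": "auto", "basic": {"password": "$6$salt$hashvalue"}}]}}},
                "restconf-server-parameters": {"client-identity-mappings": {"cert-to-name": [
                    {"id": 1, "map-type": "x509c2n:specified", "name": "nms-1"}]}},
            },
        }]},
        "connection-type": {"periodic": {"period": 60, "idle-timeout": 120}},
        "reconnect-strategy": {"start-with": "first-listed", "max-attempts": 3},
    }]
}

# iana-crypt-hash (RFC 7317) value forms: $0$ cleartext, $1$ MD5, $5$ SHA-256, $6$ SHA-512
CRYPT_HASH = re.compile(r"^\$(0|1|5|6)\$")


def check_call_home(call_home: Dict) -> List[str]:
    """Return findings for nodes the tree marks mandatory (no trailing '?'),
    for a connection-type that does not select exactly one case, and for
    basic-auth passwords that are malformed or stored in the '$0$' cleartext form."""
    findings = []
    for client in call_home.get("restconf-client", []):
        cname = client.get("name", "<unnamed>")
        if "name" not in client:
            findings.append("restconf-client: missing key 'name'")
        ctype = client.get("connection-type", {})
        if len(set(ctype) & {"persistent", "periodic"}) != 1:
            findings.append(f"{cname}: connection-type must be persistent or periodic")
        for ep in client.get("endpoints", {}).get("endpoint", []):
            ename = f"{cname}/{ep.get('name', '<unnamed>')}"
            https = ep.get("https", {})
            if "remote-address" not in https.get("tcp-client-parameters", {}):
                findings.append(f"{ename}: tcp-client-parameters/remote-address is mandatory")
            users = (https.get("http-server-parameters", {}).get("client-authentication", {})
                     .get("users", {}).get("user", []))
            for u in users:
                pw = u.get("basic", {}).get("password")
                if pw is not None and not CRYPT_HASH.match(pw):
                    findings.append(f"{ename}: user {u.get('user-id')} password is not a crypt-hash")
                elif pw is not None and pw.startswith("$0$"):
                    findings.append(f"{ename}: user {u.get('user-id')} password is cleartext ($0$)")
            maps = (https.get("restconf-server-parameters", {}).get("client-identity-mappings", {})
                    .get("cert-to-name", []))
            for m in maps:
                for leaf in ("id", "map-type", "name"):  # fingerprint is optional (see B.16)
                    if leaf not in m:
                        findings.append(f"{ename}: cert-to-name entry missing mandatory '{leaf}'")
    return findings
```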
3832 Appendix B. Change Log
3834 B.1. 00 to 01
3836 o Renamed "keychain" to "keystore".
3838 B.2. 01 to 02
3840 o Filled in previously missing 'ietf-restconf-client' module.
3842 o Updated the ietf-restconf-server module to accommodate new
3843 grouping 'ietf-tls-server-grouping'.
3845 B.3. 02 to 03
3847 o Refined use of tls-client-grouping to add a must statement
3848 indicating that the TLS client must specify a client-certificate.
3850 o Changed restconf-client??? to be a grouping (not a container).
3852 B.4. 03 to 04
3854 o Added RFC 8174 to Requirements Language Section.
3856 o Replaced refine statement in ietf-restconf-client to add a
3857 mandatory true.
3859 o Added refine statement in ietf-restconf-server to add a must
3860 statement.
3862 o Now there are containers and groupings, for both the client and
3863 server models.
3865 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.
3867 o Updated examples to inline key and certificates (no longer a
3868 leafref to keystore).
3870 B.5. 04 to 05
3872 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams.
3874 o Updated examples to inline key and certificates (no longer a
3875 leafref to keystore).
3877 B.6. 05 to 06
3879 o Fixed change log missing section issue.
3881 o Updated examples to match latest updates to the crypto-types,
3882 trust-anchors, and keystore drafts.
3884 o Reduced line length of the YANG modules to fit within 69 columns.
3886 B.7. 06 to 07
3888 o Removed "idle-timeout" from "persistent" connection config.
3890 o Added "random-selection" for reconnect-strategy's "start-with"
3891 enum.
3893 o Replaced "connection-type" choice default (persistent) with
3894 "mandatory true".
3896 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
3897 minutes.
3899 o Replaced reconnect-timeout with period/anchor-time combo.
3901 B.8. 07 to 08
3903 o Modified examples to be compatible with new crypto-types algs.
3905 B.9. 08 to 09
3907 o Corrected use of "mandatory true" for "address" leafs.
3909 o Updated examples to reflect update to groupings defined in the
3910 keystore draft.
3912 o Updated to use groupings defined in new TCP and HTTP drafts.
3914 o Updated copyright date, boilerplate template, affiliation, and
3915 folding algorithm.
3917 B.10. 09 to 10
3919 o Reformatted YANG modules.
3921 B.11. 10 to 11
3923 o Adjusted for the top-level "demux container" added to groupings
3924 imported from other modules.
3926 o Added "must" expressions to ensure that keepalives are not
3927 configured for "periodic" connections.
3929 o Updated the boilerplate text in module-level "description"
3930 statement to match copyeditor convention.
3932 o Moved "expanded" tree diagrams to the Appendix.
3934 B.12. 11 to 12
3936 o Removed the 'must' statement limiting keepalives in periodic
3937 connections.
3939 o Updated models and examples to reflect removal of the "demux"
3940 containers in the imported models.
3942 o Updated the "periodic-connection" description statements to
3943 better describe behavior when connections are not closed
3944 gracefully.
3946 o Updated text to better reference where certain examples come from
3947 (e.g., which Section in which draft).
3949 o In the server model, commented out the "must 'pinned-ca-certs or
3950 pinned-client-certs'" statement to reflect change made in the TLS
3951 draft whereby the trust anchors MAY be defined externally.
3953 o Replaced the 'listen', 'initiate', and 'call-home' features with
3954 boolean expressions.
3956 B.13. 12 to 13
3958 o Updated to reflect changes in trust-anchors drafts (e.g.,
3959 s/trust-anchors/truststore/g + s/pinned.//).
3961 o In ietf-restconf-server, added 'http-listen' (not https-listen)
3962 choice, to support case when server is behind a TLS-terminator.
3964 o Refactored server module to be more like other 'server' models.
3965 If folks like it, will also apply to the client model, as well as
3966 to both the netconf client/server models. Now the
3967 'restconf-server-grouping' is just the RC-specific bits (i.e., the
3968 "demux" container minus the container),
3969 'restconf-server-[listen|callhome]-stack-grouping' is the protocol
3970 stack for a single connection, and 'restconf-server-app-grouping' is
3971 effectively what was before (both listen+callhome for many
3972 inbound/outbound endpoints).
3974 B.14. 13 to 14
3976 o Updated examples to reflect ietf-crypto-types change (e.g.,
3977 identities --> enumerations).
3979 o Adjusting from change in TLS client model (removing the top-level
3980 'certificate' container).
3982 o Added "external-endpoint" to the "http-listen" choice in
3983 ietf-restconf-server.
3985 B.15. 14 to 15
3987 o Added missing "or https-listen" clause in a "must" expression.
3989 o Refactored the client module similar to how the server module was
3990 refactored in -13. Now the 'restconf-client-grouping' is just the
3991 RC-specific bits, 'restconf-client-[initiate|listen]-stack-grouping'
3992 is the protocol stack for a single connection, and
3993 'restconf-client-app-grouping' is effectively what was before
3994 (both listen+callhome for many inbound/outbound endpoints).
3996 B.16. 15 to 16
3998 o Added refinement to make "cert-to-name/fingerprint" be mandatory
3999 false.
4001 o Commented out refinement to "tls-server-grouping/client-authentication"
4002 until a better "must" expression is defined.
4004 o Updated restconf-client example to reflect that
4005 http-client-grouping no longer has a "protocol-version" leaf.
4007 B.17. 16 to 17
4009 o Updated examples to include the "*-key-format" nodes.
4011 o Updated examples to remove the "required" nodes.
4013 Acknowledgements
4015 The authors would like to thank the following for lively discussions
4016 on list and in the halls (ordered by first name): Alan Luchuk, Andy
4017 Bierman, Balazs Kovacs, Benoit Claise, Bert Wijnen, David Lamparter,
4018 Juergen Schoenwaelder, Ladislav Lhotka, Martin Bjorklund, Mehmet
4019 Ersue, Phil Shafer, Radek Krejci, Ramkumar Dhanapal, Sean Turner, and
4020 Tom Petch.
4022 Author's Address
4024 Kent Watsen
4025 Watsen Networks
4027 EMail: kent+ietf@watsen.net