NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                            May 20, 2020
Expires: November 21, 2020

                   RESTCONF Client and Server Models
                draft-ietf-netconf-restconf-client-server-19

Abstract

   This document defines two YANG modules, one module to configure a
   RESTCONF client and the other module to configure a RESTCONF server.
   Both modules support the TLS transport protocol with both standard
   RESTCONF and RESTCONF Call Home connections.
Editorial Note (To be removed by RFC Editor)

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements (note: not all may
   be present):

   o  "AAAA" --> the assigned RFC value for draft-ietf-netconf-crypto-
      types

   o  "BBBB" --> the assigned RFC value for draft-ietf-netconf-trust-
      anchors

   o  "CCCC" --> the assigned RFC value for draft-ietf-netconf-keystore

   o  "DDDD" --> the assigned RFC value for draft-ietf-netconf-tcp-
      client-server

   o  "EEEE" --> the assigned RFC value for draft-ietf-netconf-ssh-
      client-server

   o  "FFFF" --> the assigned RFC value for draft-ietf-netconf-tls-
      client-server

   o  "GGGG" --> the assigned RFC value for draft-ietf-netconf-http-
      client-server

   o  "HHHH" --> the assigned RFC value for draft-ietf-netconf-netconf-
      client-server

   o  "IIII" --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2020-05-20" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix B.  Change Log

Note to Reviewers (To be removed by RFC Editor)

   This document presents a YANG module or modules that is/are part of a
   collection of drafts that work together to produce the ultimate goal
   of the NETCONF WG: to define configuration modules for NETCONF client
   and servers, and RESTCONF client and servers.

   The relationship between the various drafts in the collection is
   presented in the below diagram.
   [Diagram (ASCII art whose layout was lost in extraction): the
   dependency relationships among the drafts.  "crypto-types" is at the
   top, with "trust-anchors" and "keystore" depending on it;
   "tcp-client-server", "ssh-client-server", "tls-client-server", and
   "http-client-server" form the middle layer; "netconf-client-server"
   and "restconf-client-server" are at the bottom and depend on the
   layers above.]

   Full draft names and link to drafts:

   o  draft-ietf-netconf-crypto-types (html [1])

   o  draft-ietf-netconf-trust-anchors (html [2])

   o  draft-ietf-netconf-keystore (html [3])

   o  draft-ietf-netconf-tcp-client-server (html [4])

   o  draft-ietf-netconf-ssh-client-server (html [5])

   o  draft-ietf-netconf-tls-client-server (html [6])

   o  draft-ietf-netconf-http-client-server (html [7])

   o  draft-ietf-netconf-netconf-client-server (html [8])

   o  draft-ietf-netconf-restconf-client-server (html [9])

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 21, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  The RESTCONF Client Model
     2.1.  Tree Diagram
     2.2.  Example Usage
     2.3.  YANG Module
   3.  The RESTCONF Server Model
     3.1.  Tree Diagram
     3.2.  Example Usage
     3.3.  YANG Module
   4.  Security Considerations
   5.  IANA Considerations
     5.1.  The IETF XML Registry
     5.2.  The YANG Module Names Registry
   6.  References
     6.1.  Normative References
     6.2.  Informative References
     6.3.  URIs
   Appendix A.  Expanded Tree Diagrams
     A.1.  Expanded Tree Diagram for 'ietf-restconf-client'
     A.2.  Expanded Tree Diagram for 'ietf-restconf-server'
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
     B.8.  07 to 08
     B.9.  08 to 09
     B.10. 09 to 10
     B.11. 10 to 11
     B.12. 11 to 12
     B.13. 12 to 13
     B.14. 13 to 14
     B.15. 14 to 15
     B.16. 15 to 16
     B.17. 16 to 17
     B.18. 17 to 18
     B.19. 18 to 19
   Acknowledgements
   Author's Address

1.  Introduction

   This document defines two YANG [RFC7950] modules, one module to
   configure a RESTCONF client and the other module to configure a
   RESTCONF server [RFC8040].  Both modules support the TLS [RFC8446]
   transport protocol with both standard RESTCONF and RESTCONF Call Home
   connections [RFC8071].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The RESTCONF Client Model

   The RESTCONF client model presented in this section supports both
   clients initiating connections to servers, as well as clients
   listening for connections from servers calling home.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   client supports.

2.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-client" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.1 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-restconf-client
     +--rw restconf-client
        +---u restconf-client-app-grouping

     grouping restconf-client-grouping
     grouping restconf-client-initiate-stack-grouping
       +-- (transport)
          +--:(https) {https-initiate}?
             +-- https
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- http-client-parameters
                |  +---u httpc:http-client-grouping
                +-- restconf-client-parameters
     grouping restconf-client-listen-stack-grouping
       +-- (transport)
          +--:(http) {http-listen}?
          |  +-- http
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- http-client-parameters
          |     |  +---u httpc:http-client-grouping
          |     +-- restconf-client-parameters
          +--:(https) {https-listen}?
             +-- https
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-client-parameters
                |  +---u tlsc:tls-client-grouping
                +-- http-client-parameters
                |  +---u httpc:http-client-grouping
                +-- restconf-client-parameters
     grouping restconf-client-app-grouping
       +-- initiate! {https-initiate}?
       |  +-- restconf-server* [name]
       |     +-- name?                string
       |     +-- endpoints
       |     |  +-- endpoint* [name]
       |     |     +-- name?    string
       |     |     +---u restconf-client-initiate-stack-grouping
       |     +-- connection-type
       |     |  +-- (connection-type)
       |     |     +--:(persistent-connection)
       |     |     |  +-- persistent!
       |     |     +--:(periodic-connection)
       |     |        +-- periodic!
       |     |           +-- period?         uint16
       |     |           +-- anchor-time?    yang:date-and-time
       |     |           +-- idle-timeout?   uint16
       |     +-- reconnect-strategy
       |        +-- start-with?     enumeration
       |        +-- max-attempts?   uint8
       +-- listen! {http-listen or https-listen}?
          +-- idle-timeout?   uint16
          +-- endpoint* [name]
             +-- name?    string
             +---u restconf-client-listen-stack-grouping

2.2.  Example Usage

   The following example illustrates configuring a RESTCONF client to
   initiate connections, as well as listening for call-home connections.

   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].
   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   [The XML example configuration did not survive extraction; only its
   leaf values remain.  Under 'initiate' it configures two RESTCONF
   servers, "corp-fw1" (endpoint corp-fw1.example.com) and "corp-fw2"
   (endpoint corp-fw2.example.com), each with TCP keepalive settings, a
   TLS client identity (an RSA key in ct:subject-public-key-info-format
   and ct:rsa-private-key-format with base64encodedvalue==
   placeholders), server authentication via the
   "trusted-server-ca-certs" and "trusted-server-ee-certs" truststore
   references, and HTTP client credentials for user "bob".  Under
   'listen' it configures one endpoint named "Intranet-facing listener"
   on address 11.22.33.44 with the same TLS client identity, truststore
   references, and HTTP client credentials.]

2.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC8040],
   [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].
   <CODE BEGINS> file "ietf-restconf-client@2020-05-20.yang"

   module ietf-restconf-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
     prefix rcc;

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-tcp-client {
       prefix tcpc;
       reference
         "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tcp-server {
       prefix tcps;
       reference
         "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
     }

     import ietf-http-client {
       prefix httpc;
       reference
         "RFC GGGG: YANG Groupings for HTTP Clients and HTTP Servers";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:
        WG List:
        Author:   Kent Watsen
        Author:   Gary Wu ";

     description
       "This module contains a collection of YANG definitions
        for configuring RESTCONF clients.

        Copyright (c) 2020 IETF Trust and the persons identified
        as authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with
        or without modification, is permitted pursuant to, and
        subject to the license terms contained in, the Simplified
        BSD License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC IIII
        (https://www.rfc-editor.org/info/rfcIIII); see the RFC
        itself for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 (RFC 2119)
        (RFC 8174) when, and only when, they appear in all
        capitals, as shown here.";

     revision 2020-05-20 {
       description
         "Initial version";
       reference
         "RFC IIII: RESTCONF Client and Server Models";
     }

     // Features

     feature https-initiate {
       description
         "The 'https-initiate' feature indicates that the RESTCONF
          client supports initiating HTTPS connections to RESTCONF
          servers.  This feature exists as HTTPS might not be a
          mandatory to implement transport in the future.";
       reference
         "RFC 8040: RESTCONF Protocol";
     }

     feature http-listen {
       description
         "The 'http-listen' feature indicates that the RESTCONF client
          supports opening a port to listen for incoming RESTCONF
          server call-home connections.  This feature exists as not
          all RESTCONF clients may support RESTCONF call home.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature https-listen {
       description
         "The 'https-listen' feature indicates that the RESTCONF client
          supports opening a port to listen for incoming RESTCONF
          server call-home connections.  This feature exists as not
          all RESTCONF clients may support RESTCONF call home.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     // Groupings

     grouping restconf-client-grouping {
       description
         "A reusable grouping for configuring a RESTCONF client
          without any consideration for how underlying transport
          sessions are established.

          This grouping currently doesn't define any nodes.";
     }

     grouping restconf-client-initiate-stack-grouping {
       description
         "A reusable grouping for configuring a RESTCONF client
          'initiate' protocol stack for a single connection.";

       choice transport {
         mandatory true;
         description
           "Selects between available transports.  This is a
            'choice' statement so as to support additional
            transport options to be augmented in.";
         case https {
           if-feature "https-initiate";
           container https {
             description
               "Specifies HTTPS-specific transport
                configuration.";
             container tcp-client-parameters {
               description
                 "A wrapper around the TCP client parameters
                  to avoid name collisions.";
               uses tcpc:tcp-client-grouping {
                 refine "remote-port" {
                   default "443";
                   description
                     "The RESTCONF client will attempt to
                      connect to the IANA-assigned well-known
                      port value for 'https' (443) if no value
                      is specified.";
                 }
               }
             }
             container tls-client-parameters {
               must 'client-identity' {
                 description
                   "RESTCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container http-client-parameters {
               description
                 "A wrapper around the HTTP client parameters
                  to avoid name collisions.";
               uses httpc:http-client-grouping;
             }
             container restconf-client-parameters {
               description
                 "A wrapper around the RESTCONF client parameters
                  to avoid name collisions.";
               uses rcc:restconf-client-grouping;
             }
           }
         }
       }
     } // restconf-client-initiate-stack-grouping

     grouping restconf-client-listen-stack-grouping {
       description
         "A reusable grouping for configuring a RESTCONF client
          'listen' protocol stack for a single connection.  The
          'listen' stack supports call home connections, as
          described in RFC 8071.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
       choice transport {
         mandatory true;
         description
           "Selects between available transports.  This is a
            'choice' statement so as to support additional
            transport options to be augmented in.";
         case http {
           if-feature "http-listen";
           container http {
             description
               "HTTP-specific listening configuration for inbound
                connections.

                This transport option is made available to support
                deployments where the TLS connections are terminated
                by another system (e.g., a load balancer) fronting
                the client.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "4336";
                   description
                     "The RESTCONF client will listen on the IANA-
                      assigned well-known port for 'restconf-ch-tls'
                      (4336) if no value is specified.";
                 }
               }
             }
             container http-client-parameters {
               description
                 "A wrapper around the HTTP client parameters
                  to avoid name collisions.";
               uses httpc:http-client-grouping;
             }
             container restconf-client-parameters {
               description
                 "A wrapper around the RESTCONF client parameters
                  to avoid name collisions.";
               uses rcc:restconf-client-grouping;
             }
           }
         }
         case https {
           if-feature "https-listen";
           container https {
             description
               "HTTPS-specific listening configuration for inbound
                connections.";
             container tcp-server-parameters {
               description
                 "A wrapper around the TCP server parameters
                  to avoid name collisions.";
               uses tcps:tcp-server-grouping {
                 refine "local-port" {
                   default "4336";
                   description
                     "The RESTCONF client will listen on the IANA-
                      assigned well-known port for 'restconf-ch-tls'
                      (4336) if no value is specified.";
                 }
               }
             }
             container tls-client-parameters {
               must 'client-identity' {
                 description
                   "RESTCONF/TLS clients MUST pass some
                    authentication credentials.";
               }
               description
                 "A wrapper around the TLS client parameters
                  to avoid name collisions.";
               uses tlsc:tls-client-grouping;
             }
             container http-client-parameters {
               description
                 "A wrapper around the HTTP client parameters
                  to avoid name collisions.";
               uses httpc:http-client-grouping;
             }
             container restconf-client-parameters {
               description
                 "A wrapper around the RESTCONF client parameters
                  to avoid name collisions.";
               uses rcc:restconf-client-grouping;
             }
           }
         }
       }
     } // restconf-client-listen-stack-grouping

     grouping restconf-client-app-grouping {
       description
         "A reusable grouping for configuring a RESTCONF client
          application that supports both 'initiate' and 'listen'
          protocol stacks for a multiplicity of connections.";
       container initiate {
         if-feature "https-initiate";
         presence "Enables client to initiate TCP connections";
         description
           "Configures client initiating underlying TCP connections.";
         list restconf-server {
           key "name";
           min-elements 1;
           description
             "List of RESTCONF servers the RESTCONF client is to
              maintain simultaneous connections with.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF server.";
           }
           container endpoints {
             description
               "Container for the list of endpoints.";
             list endpoint {
               key "name";
               min-elements 1;
               ordered-by user;
               description
                 "A non-empty user-ordered list of endpoints for this
                  RESTCONF client to try to connect to in sequence.
                  Defining more than one enables high-availability.";
               leaf name {
                 type string;
                 description
                   "An arbitrary name for this endpoint.";
               }
               uses restconf-client-initiate-stack-grouping;
             }
           }
           container connection-type {
             description
               "Indicates the RESTCONF client's preference for how
                the RESTCONF connection is maintained.";
             choice connection-type {
               mandatory true;
               description
                 "Selects between available connection types.";
               case persistent-connection {
                 container persistent {
                   presence "Indicates that a persistent connection
                             is to be maintained.";
                   description
                     "Maintain a persistent connection to the
                      RESTCONF server.  If the connection goes down,
                      immediately start trying to reconnect to the
                      RESTCONF server, using the reconnection strategy.

                      This connection type minimizes any RESTCONF server
                      to RESTCONF client data-transfer delay, albeit
                      at the expense of holding resources longer.";
                 }
               }
               case periodic-connection {
                 container periodic {
                   presence "Indicates that a periodic connection is
                             to be maintained.";
                   description
                     "Periodically connect to the RESTCONF server.

                      This connection type increases resource
                      utilization, albeit with increased delay
                      in RESTCONF server to RESTCONF client
                      interactions.

                      The RESTCONF client SHOULD gracefully close
                      the underlying TLS connection upon completing
                      planned activities.

                      In the case that the previous connection is
                      still active, establishing a new connection
                      is NOT RECOMMENDED.";
                   leaf period {
                     type uint16;
                     units "minutes";
                     default "60";
                     description
                       "Duration of time between periodic
                        connections.";
                   }
                   leaf anchor-time {
                     type yang:date-and-time {
                       // constrained to minute-level granularity
                       pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                             + '(Z|[\+\-]\d{2}:\d{2})';
                     }
                     description
                       "Designates a timestamp before or after which
                        a series of periodic connections are
                        determined.  The periodic connections occur
                        at a whole multiple interval from the anchor
                        time.  For example, if the anchor time is 15
                        minutes past midnight and the period is 24
                        hours, then a periodic connection will occur
                        15 minutes past midnight every day.";
                   }
                   leaf idle-timeout {
                     type uint16;
                     units "seconds";
                     default 120; // two minutes
                     description
                       "Specifies the maximum number of seconds
                        that the underlying TCP session may remain
                        idle.  A TCP session will be dropped if it
                        is idle for an interval longer than this
                        number of seconds.  If set to zero, then the
                        RESTCONF client will never drop a session
                        because it is idle.";
                   }
                 }
               } // periodic-connection
             } // connection-type
           } // connection-type
           container reconnect-strategy {
             description
               "The reconnection strategy directs how a RESTCONF
                client reconnects to a RESTCONF server, after
                discovering its connection to the server has
                dropped, even if due to a reboot.  The RESTCONF
                client starts with the specified endpoint and
                tries to connect to it max-attempts times before
                trying the next endpoint in the list (round
                robin).";
             leaf start-with {
               type enumeration {
                 enum first-listed {
                   description
                     "Indicates that reconnections should start
                      with the first endpoint listed.";
                 }
                 enum last-connected {
                   description
                     "Indicates that reconnections should start
                      with the endpoint last connected to.  If
                      no previous connection has ever been
                      established, then the first endpoint
                      configured is used.  RESTCONF clients
                      SHOULD be able to remember the last
                      endpoint connected to across reboots.";
                 }
                 enum random-selection {
                   description
                     "Indicates that reconnections should start with
                      a random endpoint.";
                 }
               }
               default "first-listed";
               description
                 "Specifies which of the RESTCONF server's
                  endpoints the RESTCONF client should start
                  with when trying to connect to the RESTCONF
                  server.";
             }
             leaf max-attempts {
               type uint8 {
                 range "1..max";
               }
               default "3";
               description
                 "Specifies the number of times the RESTCONF client
                  tries to connect to a specific endpoint before
                  moving on to the next endpoint in the list
                  (round robin).";
             }
           }
         }
       } // initiate
       container listen {
         if-feature "http-listen or https-listen";
         presence "Enables client to accept call-home connections";
         description
           "Configures the client to accept call-home TCP connections.";
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that an
              underlying TCP session may remain idle.  A TCP session
              will be dropped if it is idle for an interval longer
              than this number of seconds.  If set to zero, then
              the server will never drop a session because it is
              idle.  Sessions that have a notification subscription
              active are never dropped.";
         }
         list endpoint {
           key "name";
           min-elements 1;
           description
             "List of endpoints to listen for RESTCONF connections.";
           leaf name {
             type string;
             description
               "An arbitrary name for the RESTCONF listen endpoint.";
           }
           uses restconf-client-listen-stack-grouping;
         }
       }
     } // restconf-client-app-grouping

     // Protocol accessible node, for servers that implement
     // this module.
     container restconf-client {
       uses restconf-client-app-grouping;
       description
         "Top-level container for RESTCONF client configuration.";
     }
   }

   <CODE ENDS>

3.  The RESTCONF Server Model

   The RESTCONF server model presented in this section supports both
   listening for connections as well as initiating call-home
   connections.

   YANG feature statements are used to enable implementations to
   advertise which potentially uncommon parts of the model the RESTCONF
   server supports.

3.1.  Tree Diagram

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-server" module.

   This tree diagram only shows the nodes defined in this module; it
   does not show the nodes defined by "grouping" statements used by this
   module.

   Please see Appendix A.2 for a tree diagram that illustrates what the
   module looks like with all the "grouping" statements expanded.

   module: ietf-restconf-server
     +--rw restconf-server
        +---u restconf-server-app-grouping

     grouping restconf-server-grouping
       +-- client-identity-mappings
          +---u x509c2n:cert-to-name
     grouping restconf-server-listen-stack-grouping
       +-- (transport)
          +--:(http) {http-listen}?
          |  +-- http
          |     +-- external-endpoint!
          |     |  +-- address    inet:ip-address
          |     |  +-- port?      inet:port-number
          |     +-- tcp-server-parameters
          |     |  +---u tcps:tcp-server-grouping
          |     +-- http-server-parameters
          |     |  +---u https:http-server-grouping
          |     +-- restconf-server-parameters
          |        +---u rcs:restconf-server-grouping
          +--:(https) {https-listen}?
             +-- https
                +-- tcp-server-parameters
                |  +---u tcps:tcp-server-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- http-server-parameters
                |  +---u https:http-server-grouping
                +-- restconf-server-parameters
                   +---u rcs:restconf-server-grouping
     grouping restconf-server-callhome-stack-grouping
       +-- (transport)
          +--:(https) {https-listen}?
             +-- https
                +-- tcp-client-parameters
                |  +---u tcpc:tcp-client-grouping
                +-- tls-server-parameters
                |  +---u tlss:tls-server-grouping
                +-- http-server-parameters
                |  +---u https:http-server-grouping
                +-- restconf-server-parameters
                   +---u rcs:restconf-server-grouping
     grouping restconf-server-app-grouping
       +-- listen! {http-listen or https-listen}?
       |  +-- endpoint* [name]
       |     +-- name?    string
       |     +---u restconf-server-listen-stack-grouping
       +-- call-home! {https-call-home}?
          +-- restconf-client* [name]
             +-- name?    string
             +-- endpoints
             |  +-- endpoint* [name]
             |     +-- name?    string
             |     +---u restconf-server-callhome-stack-grouping
             +-- connection-type
             |  +-- (connection-type)
             |     +--:(persistent-connection)
             |     |  +-- persistent!
             |     +--:(periodic-connection)
             |        +-- periodic!
             |           +-- period?         uint16
             |           +-- anchor-time?    yang:date-and-time
             |           +-- idle-timeout?   uint16
             +-- reconnect-strategy
                +-- start-with?     enumeration
                +-- max-attempts?   uint8

3.2.  Example Usage

   The following example illustrates configuring a RESTCONF server to
   listen for RESTCONF client connections, as well as configuring call-
   home to one RESTCONF client.
   This example is consistent with the examples presented in Section 2
   of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   [XML example configuration omitted: the extraction dropped every
   element tag and left only the leaf values.  The surviving values
   show a listen endpoint named "netconf/tls" on address 11.22.33.44
   with a locally defined server certificate (public-key and private-key
   formats plus base64 placeholders), truststore references
   "trusted-client-ca-certs" and "trusted-client-ee-certs", the name
   foo.example.com, and two cert-to-name entries (id 1, fingerprint
   11:0A:05:11:00, map-type x509c2n:specified, name "scooby-doo"; id 2,
   map-type x509c2n:san-any).  The call-home part configures one
   RESTCONF client, "config-manager", with the endpoints
   "east-data-center" (east.example.com) and "west-data-center"
   (west.example.com), each carrying the same certificate, truststore
   and cert-to-name configuration as the listen endpoint.]
   [Remainder of the XML example: the values 300, 60, last-connected
   and 3 (the call-home connection-type and reconnect-strategy
   settings), whose element tags were lost in extraction.]

3.3.  YANG Module

   This YANG module has normative references to [RFC6991], [RFC7407],
   [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].

   file "ietf-restconf-server@2020-05-20.yang"

module ietf-restconf-server {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
  prefix rcs;

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-x509-cert-to-name {
    prefix x509c2n;
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  import ietf-tcp-client {
    prefix tcpc;
    reference
      "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
  }

  import ietf-tcp-server {
    prefix tcps;
    reference
      "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
  }

  import ietf-tls-server {
    prefix tlss;
    reference
      "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
  }

  import ietf-http-server {
    prefix https;
    reference
      "RFC GGGG: YANG Groupings for HTTP Clients and HTTP Servers";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:
     WG List:
     Author:   Kent Watsen
     Author:   Gary Wu
     Author:   Juergen Schoenwaelder
    ";

  description
    "This module contains a collection of YANG definitions
     for configuring RESTCONF servers.

     Copyright (c) 2020 IETF Trust and the persons identified
     as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC IIII
     (https://www.rfc-editor.org/info/rfcIIII); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

  revision 2020-05-20 {
    description
      "Initial version";
    reference
      "RFC IIII: RESTCONF Client and Server Models";
  }

  // Features

  feature http-listen {
    description
      "The 'http-listen' feature indicates that the RESTCONF server
       supports opening a port to listen for incoming RESTCONF over
       TCP client connections, whereby the TLS connections are
       terminated by an external system.";
    reference
      "RFC 8040: RESTCONF Protocol";
  }

  feature https-listen {
    description
      "The 'https-listen' feature indicates that the RESTCONF server
       supports opening a port to listen for incoming RESTCONF over
       TLS client connections, whereby the TLS connections are
       terminated by the server itself.";
    reference
      "RFC 8040: RESTCONF Protocol";
  }

  feature https-call-home {
    description
      "The 'https-call-home' feature indicates that the RESTCONF
       server supports initiating connections to RESTCONF clients.";
    reference
      "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
  }

  // Groupings

  grouping restconf-server-grouping {
    description
      "A reusable grouping for configuring a RESTCONF server
       without any consideration for how underlying transport
       sessions are established.

       Note that this grouping uses a fairly typical descendant
       node name such that a stack of 'uses' statements will
       have name conflicts.  It is intended that the consuming
       data model will resolve the issue by wrapping the 'uses'
       statement in a container called, e.g.,
       'restconf-server-parameters'.  This model purposely does
       not do this itself so as to provide maximum flexibility
       to consuming models.";

    container client-identity-mappings {
      description
        "Specifies mappings through which RESTCONF client X.509
         certificates are used to determine a RESTCONF username.
         If no matching and valid cert-to-name list entry can be
         found, then the RESTCONF server MUST close the connection,
         and MUST NOT accept RESTCONF messages over it.";
      reference
        "RFC 7407: A YANG Data Model for SNMP Configuration.";
      uses x509c2n:cert-to-name {
        refine "cert-to-name/fingerprint" {
          mandatory false;
          description
            "A 'fingerprint' value does not need to be specified
             when the 'cert-to-name' mapping is independent of
             fingerprint matching.  A 'cert-to-name' having no
             fingerprint value will match any client certificate
             and therefore should only be present at the end of
             the user-ordered 'cert-to-name' list.";
        }
      }
    }
  }

  grouping restconf-server-listen-stack-grouping {
    description
      "A reusable grouping for configuring a RESTCONF server
       'listen' protocol stack for a single connection.";
    choice transport {
      mandatory true;
      description
        "Selects between available transports.  This is a
         'choice' statement so as to support additional
         transport options to be augmented in.";
      case http {
        if-feature "http-listen";
        container http {
          description
            "Configures RESTCONF server stack assuming that
             TLS-termination is handled externally.";
          container external-endpoint {
            presence
              "Specifies configuration for an external endpoint.";
            description
              "Identifies contact information for the external
               system that terminates connections before passing
               them thru to this server (e.g., a network address
               translator or a load balancer).  These values have
               no effect on the local operation of this server, but
               may be used by the application when needing to
               inform other systems how to contact this server.";
            leaf address {
              type inet:ip-address;
              mandatory true;
              description
                "The IP address or hostname of the external system
                 that terminates incoming RESTCONF client
                 connections before forwarding them to this
                 server.";
            }
            leaf port {
              type inet:port-number;
              default "443";
              description
                "The port number that the external system listens
                 on for incoming RESTCONF client connections that
                 are forwarded to this server.  The default HTTPS
                 port (443) is used, as expected for a RESTCONF
                 connection.";
            }
          }
          container tcp-server-parameters {
            description
              "A wrapper around the TCP server parameters
               to avoid name collisions.";
            uses tcps:tcp-server-grouping {
              refine "local-port" {
                default "80";
                description
                  "The RESTCONF server will listen on the IANA-
                   assigned well-known port value for 'http'
                   (80) if no value is specified.";
              }
            }
          }
          container http-server-parameters {
            description
              "A wrapper around the HTTP server parameters
               to avoid name collisions.";
            uses https:http-server-grouping;
          }
          container restconf-server-parameters {
            description
              "A wrapper around the RESTCONF server parameters
               to avoid name collisions.";
            uses rcs:restconf-server-grouping;
          }
        }
      }
      case https {
        if-feature "https-listen";
        container https {
          description
            "Configures RESTCONF server stack assuming that
             TLS-termination is handled internally.";
          container tcp-server-parameters {
            description
              "A wrapper around the TCP server parameters
               to avoid name collisions.";
            uses tcps:tcp-server-grouping {
              refine "local-port" {
                default "443";
                description
                  "The RESTCONF server will listen on the IANA-
                   assigned well-known port value for 'https'
                   (443) if no value is specified.";
              }
            }
          }
          container tls-server-parameters {
            description
              "A wrapper around the TLS server parameters
               to avoid name collisions.";
            uses tlss:tls-server-grouping;
          }
          container http-server-parameters {
            description
              "A wrapper around the HTTP server parameters
               to avoid name collisions.";
            uses https:http-server-grouping;
          }
          container restconf-server-parameters {
            description
              "A wrapper around the RESTCONF server parameters
               to avoid name collisions.";
            uses rcs:restconf-server-grouping;
          }
        }
      }
    }
  }

  grouping restconf-server-callhome-stack-grouping {
    description
      "A reusable grouping for configuring a RESTCONF server
       'call-home' protocol stack, for a single connection.";
    choice transport {
      mandatory true;
      description
        "Selects between available transports.  This is a
         'choice' statement so as to support additional
         transport options to be augmented in.";

      case https {
        if-feature "https-listen";
        container https {
          description
            "Configures RESTCONF server stack assuming that
             TLS-termination is handled internally.";
          container tcp-client-parameters {
            description
              "A wrapper around the TCP client parameters
               to avoid name collisions.";
            uses tcpc:tcp-client-grouping {
              refine "remote-port" {
                default "4336";
                description
                  "The RESTCONF server will attempt to
                   connect to the IANA-assigned well-known
                   port for 'restconf-ch-tls' (4336) if no
                   value is specified.";
              }
            }
          }
          container tls-server-parameters {
            description
              "A wrapper around the TLS server parameters
               to avoid name collisions.";
            uses tlss:tls-server-grouping;
          }
          container http-server-parameters {
            description
              "A wrapper around the HTTP server parameters
               to avoid name collisions.";
            uses https:http-server-grouping;
          }
          container restconf-server-parameters {
            description
              "A wrapper around the RESTCONF server parameters
               to avoid name collisions.";
            uses rcs:restconf-server-grouping;
          }
        }
      }
    }
  }

  grouping restconf-server-app-grouping {
    description
      "A reusable grouping for configuring a RESTCONF server
       application that supports both 'listen' and 'call-home'
       protocol stacks for a multiplicity of connections.";
    container listen {
      if-feature "http-listen or https-listen";
      presence
        "Enables the RESTCONF server to listen for RESTCONF
         client connections.";
      description "Configures listen behavior";
      list endpoint {
        key "name";
        min-elements 1;
        description
          "List of endpoints to listen for RESTCONF connections.";
        leaf name {
          type string;
          description
            "An arbitrary name for the RESTCONF listen endpoint.";
        }
        uses restconf-server-listen-stack-grouping;
      }
    }
    container call-home {
      if-feature "https-call-home";
      presence
        "Enables the RESTCONF server to initiate the underlying
         transport connection to RESTCONF clients.";
      description "Configures call-home behavior";
      list restconf-client {
        key "name";
        min-elements 1;
        description
          "List of RESTCONF clients the RESTCONF server is to
           maintain simultaneous call-home connections with.";
        leaf name {
          type string;
          description
            "An arbitrary name for the remote RESTCONF client.";
        }
        container endpoints {
          description
            "Container for the list of endpoints.";
          list endpoint {
            key "name";
            min-elements 1;
            ordered-by user;
            description
              "User-ordered list of endpoints for this RESTCONF
               client.  Defining more than one enables high-
               availability.";
            leaf name {
              type string;
              description
                "An arbitrary name for this endpoint.";
            }
            uses restconf-server-callhome-stack-grouping;
          }
        }
        container connection-type {
          description
            "Indicates the RESTCONF server's preference for how the
             RESTCONF connection is maintained.";
          choice connection-type {
            mandatory true;
            description
              "Selects between available connection types.";
            case persistent-connection {
              container persistent {
                presence "Indicates that a persistent connection is
                          to be maintained.";
                description
                  "Maintain a persistent connection to the RESTCONF
                   client.  If the connection goes down, immediately
                   start trying to reconnect to the RESTCONF client,
                   using the reconnection strategy.

                   This connection type minimizes any RESTCONF
                   client to RESTCONF server data-transfer delay,
                   albeit at the expense of holding resources
                   longer.";
              }
            }
            case periodic-connection {
              container periodic {
                presence "Indicates that a periodic connection is
                          to be maintained.";
                description
                  "Periodically connect to the RESTCONF client.

                   This connection type increases resource
                   utilization, albeit with increased delay in
                   RESTCONF server to RESTCONF client interactions.

                   The RESTCONF client SHOULD gracefully close
                   the underlying TLS connection upon completing
                   planned activities.  If the underlying TLS
                   connection is not closed gracefully, the
                   RESTCONF server MUST immediately attempt
                   to reestablish the connection.

                   In the case that the previous connection is
                   still active (i.e., the RESTCONF client has not
                   closed it yet), establishing a new connection
                   is NOT RECOMMENDED.";

                leaf period {
                  type uint16;
                  units "minutes";
                  default "60";
                  description
                    "Duration of time between periodic connections.";
                }
                leaf anchor-time {
                  type yang:date-and-time {
                    // constrained to minute-level granularity
                    pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                          + '(Z|[\+\-]\d{2}:\d{2})';
                  }
                  description
                    "Designates a timestamp before or after which a
                     series of periodic connections are determined.
                     The periodic connections occur at a whole
                     multiple interval from the anchor time.  For
                     example, if the anchor time is 15 minutes past
                     midnight and the period interval is 24 hours,
                     then a periodic connection will occur 15 minutes
                     past midnight every day.";
                }
                leaf idle-timeout {
                  type uint16;
                  units "seconds";
                  default 120; // two minutes
                  description
                    "Specifies the maximum number of seconds that
                     the underlying TCP session may remain idle.
                     A TCP session will be dropped if it is idle
                     for an interval longer than this number of
                     seconds.  If set to zero, then the server
                     will never drop a session because it is idle.";
                }
              }
            }
          }
        }
        container reconnect-strategy {
          description
            "The reconnection strategy directs how a RESTCONF server
             reconnects to a RESTCONF client after discovering its
             connection to the client has dropped, even if due to a
             reboot.  The RESTCONF server starts with the specified
             endpoint and tries to connect to it max-attempts times
             before trying the next endpoint in the list (round
             robin).";
          leaf start-with {
            type enumeration {
              enum first-listed {
                description
                  "Indicates that reconnections should start with
                   the first endpoint listed.";
              }
              enum last-connected {
                description
                  "Indicates that reconnections should start with
                   the endpoint last connected to.  If no previous
                   connection has ever been established, then the
                   first endpoint configured is used.  RESTCONF
                   servers SHOULD be able to remember the last
                   endpoint connected to across reboots.";
              }
              enum random-selection {
                description
                  "Indicates that reconnections should start with
                   a random endpoint.";
              }
            }
            default "first-listed";
            description
              "Specifies which of the RESTCONF client's endpoints
               the RESTCONF server should start with when trying
               to connect to the RESTCONF client.";
          }
          leaf max-attempts {
            type uint8 {
              range "1..max";
            }
            default "3";
            description
              "Specifies the number of times the RESTCONF server tries
               to connect to a specific endpoint before moving on to
               the next endpoint in the list (round robin).";
          }
        }
      } // restconf-client

    } // call-home
  } // restconf-server-app-grouping

  // Protocol accessible node, for servers that implement
  // this module.
  container restconf-server {
    uses restconf-server-app-grouping;
    description
      "Top-level container for RESTCONF server configuration.";
  }

}

4.  Security Considerations

   The YANG module defined in this document uses groupings defined in
   [I-D.kwatsen-netconf-tcp-client-server],
   [I-D.ietf-netconf-tls-client-server], and
   [I-D.kwatsen-netconf-http-client-server].  Please see the Security
   Considerations section in those documents for concerns related to
   those groupings.

   The YANG modules defined in this document are designed to be accessed
   via YANG-based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.
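   The 'client-identity-mappings' rule in Section 3.3 (a client whose
   certificate matches no valid 'cert-to-name' entry is refused, and a
   fingerprint-less entry matches every certificate) is easy to get
   wrong in an implementation or a configuration.  The following Python
   is an added example, not code from the draft or from any RESTCONF
   implementation: it models the RFC 7407 map-types on a constructed
   certificate record and uses the two cert-to-name entries from the
   Section 3.2 example; the treatment of a matching entry that yields
   no name (skip it and keep walking) is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientCert:
    """Constructed stand-in for the parsed fields of a client certificate."""
    fingerprint: str                      # hash-algorithm octet + digest, e.g. "11:0A:05:11:00"
    common_name: str = ""
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)
    chain_valid: bool = True              # outcome of the TLS-layer certificate validation


@dataclass
class CertToName:
    """One entry of the user-ordered 'cert-to-name' list (RFC 7407 grouping)."""
    id: int
    map_type: str                         # "x509c2n:specified", "x509c2n:san-any", ...
    fingerprint: Optional[str] = None     # optional because of the draft's 'refine'
    name: Optional[str] = None            # only meaningful for map-type 'specified'


def _norm_fp(fp: str) -> str:
    return fp.replace(":", "").lower()


def _derive_name(entry: CertToName, cert: ClientCert) -> Optional[str]:
    """Username an entry produces for a certificate, or None if it cannot produce one."""
    kind = entry.map_type.split(":")[-1]
    if kind == "specified":
        return entry.name
    if kind == "san-rfc822-name":
        return cert.san_rfc822[0] if cert.san_rfc822 else None
    if kind == "san-dns-name":
        return cert.san_dns[0] if cert.san_dns else None
    if kind == "san-ip-address":
        return cert.san_ip[0] if cert.san_ip else None
    if kind == "san-any":
        # RFC 7407 preference order: rfc822Name, then dNSName, then iPAddress
        for sans in (cert.san_rfc822, cert.san_dns, cert.san_ip):
            if sans:
                return sans[0]
        return None
    if kind == "common-name":
        return cert.common_name or None
    return None                           # unknown map-type identity: never matches


def map_cert_to_username(mappings: List[CertToName], cert: ClientCert) -> Optional[str]:
    """Walk the list in user order and return the RESTCONF username.

    Returns None when no matching and valid entry exists; the module then
    requires the server to close the connection and accept no RESTCONF
    messages over it.  Assumption: an entry whose fingerprint matches but
    that yields no name is not 'valid' for this certificate, so the walk
    continues with the next entry.
    """
    if not cert.chain_valid:
        return None
    for entry in mappings:
        if entry.fingerprint is not None and _norm_fp(entry.fingerprint) != _norm_fp(cert.fingerprint):
            continue                      # fingerprint-specific entry for some other client
        name = _derive_name(entry, cert)
        if name:
            return name
    return None


def shadowed_entry_ids(mappings: List[CertToName]) -> List[int]:
    """Configuration lint: ids of entries listed after a fingerprint-less entry.

    The draft says such an entry matches any client certificate and should
    only be present at the end of the list; anything after it is suspect.
    """
    shadowed: List[int] = []
    wildcard_seen = False
    for entry in mappings:
        if wildcard_seen:
            shadowed.append(entry.id)
        elif entry.fingerprint is None:
            wildcard_seen = True
    return shadowed


# The two 'cert-to-name' entries from the draft's Section 3.2 example.
EXAMPLE_MAPPINGS = [
    CertToName(id=1, fingerprint="11:0A:05:11:00", map_type="x509c2n:specified", name="scooby-doo"),
    CertToName(id=2, map_type="x509c2n:san-any"),
]

if __name__ == "__main__":
    pinned = ClientCert(fingerprint="11:0A:05:11:00")                                   # constructed
    other = ClientCert(fingerprint="11:FF:FF:FF:FF", san_rfc822=["ops@example.com"])     # constructed
    no_sans = ClientCert(fingerprint="11:FF:FF:FF:FF")                                   # constructed
    print(map_cert_to_username(EXAMPLE_MAPPINGS, pinned))    # scooby-doo
    print(map_cert_to_username(EXAMPLE_MAPPINGS, other))     # ops@example.com
    print(map_cert_to_username(EXAMPLE_MAPPINGS, no_sans))   # None -> server must close
```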
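   The 'connection-type' and 'reconnect-strategy' descriptions in
   Section 3.3 define a scheduling procedure in prose: periodic
   connections at whole multiples of 'period' from 'anchor-time',
   'max-attempts' tries per endpoint before moving round-robin to the
   next, and an 'idle-timeout' of zero meaning a session is never
   dropped for being idle.  The following Python is an added example,
   not code from the draft, that implements those rules; the endpoint
   names come from the Section 3.2 example and the timestamps are
   constructed, and rejecting a zero 'period' is this example's own
   choice.

```python
import random
import re
from datetime import datetime, timedelta
from typing import Iterator, List, Optional

# The pattern the module places on 'anchor-time' (minute-level granularity).
ANCHOR_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def reconnect_order(endpoints: List[str], start_with: str = "first-listed",
                    last_connected: Optional[str] = None, max_attempts: int = 3,
                    rng: Optional[random.Random] = None) -> Iterator[str]:
    """Yield the endpoint name to use for each successive connection attempt.

    Starting at the endpoint selected by 'start-with', each endpoint is tried
    'max-attempts' times before moving to the next one, wrapping around the
    user-ordered list (round robin) until a connection succeeds.
    """
    if not endpoints:
        raise ValueError("'endpoint' list has min-elements 1")
    if max_attempts < 1:
        raise ValueError("'max-attempts' has range 1..max")
    if start_with == "first-listed":
        start = 0
    elif start_with == "last-connected":
        # No previous connection (or an endpoint since removed) falls back to the first.
        start = endpoints.index(last_connected) if last_connected in endpoints else 0
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(endpoints))
    else:
        raise ValueError(f"unknown 'start-with' value: {start_with}")
    i = start
    while True:
        for _ in range(max_attempts):
            yield endpoints[i]
        i = (i + 1) % len(endpoints)


def first_attempts(n: int, **kwargs) -> List[str]:
    """The first n attempts reconnect_order() would make, as a list."""
    order = reconnect_order(**kwargs)
    return [next(order) for _ in range(n)]


def next_periodic_connection(anchor_time: str, period_minutes: int, now: str) -> str:
    """First instant at or after 'now' that is a whole multiple of 'period' from 'anchor-time'.

    Both timestamps are ISO 8601 strings with a zone designator.  The anchor may
    lie before or after 'now', as the leaf's description allows; a future anchor
    simply yields connection times at anchor minus k * period.
    """
    if not ANCHOR_TIME_RE.match(anchor_time):
        raise ValueError("anchor-time must match the module's minute-granularity pattern")
    if period_minutes < 1:
        raise ValueError("a zero period would connect continuously (example's own check)")
    anchor = datetime.fromisoformat(anchor_time.replace("Z", "+00:00"))
    current = datetime.fromisoformat(now.replace("Z", "+00:00"))
    period = timedelta(minutes=period_minutes)
    whole, remainder = divmod(current - anchor, period)   # floor division on timedeltas
    k = whole if remainder == timedelta(0) else whole + 1
    return (anchor + k * period).isoformat()


def should_drop_idle(idle_seconds: int, idle_timeout: int = 120) -> bool:
    """'idle-timeout' semantics: zero never drops; otherwise drop once idle longer than it."""
    return idle_timeout != 0 and idle_seconds > idle_timeout


if __name__ == "__main__":
    endpoints = ["east-data-center", "west-data-center"]   # names from the Section 3.2 example
    print(first_attempts(8, endpoints=endpoints, start_with="last-connected",
                         last_connected="west-data-center", max_attempts=3))
    # The description's own example: anchor 00:15, period 24 hours -> 00:15 every day.
    print(next_periodic_connection("2020-05-20T00:15Z", 24 * 60, "2020-05-22T10:00Z"))
```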
   There are a number of data nodes defined in the YANG modules that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  Some of these data nodes may be considered sensitive or
   vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   None of the subtrees or data nodes in the modules defined in this
   document need to be protected from write operations.

   Some of the readable data nodes in the YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   None of the subtrees or data nodes in the modules defined in this
   document need to be protected from read operations.

   Some of the RPC operations in the YANG modules may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  These are the
   operations and their sensitivity/vulnerability:

   The modules defined in this document do not define any 'RPC' or
   'action' statements.

5.  IANA Considerations

5.1.  The IETF XML Registry

   This document registers two URIs in the "ns" subregistry of the IETF
   XML Registry [RFC3688].  Following the format in [RFC3688], the
   following registrations are requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

5.2.  The YANG Module Names Registry

   This document registers two YANG modules in the YANG Module Names
   registry [RFC6020].  Following the format in [RFC6020], the
   following registrations are requested:

      name:      ietf-restconf-client
      namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
      prefix:    ncc
      reference: RFC IIII

      name:      ietf-restconf-server
      namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
      prefix:    ncs
      reference: RFC IIII

6.  References

6.1.  Normative References

   [I-D.ietf-netconf-keystore]
              Watsen, K., "A YANG Data Model for a Keystore",
              draft-ietf-netconf-keystore-16 (work in progress),
              March 2020.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
              Clients and TLS Servers",
              draft-ietf-netconf-tls-client-server-18 (work in
              progress), March 2020.

   [I-D.kwatsen-netconf-http-client-server]
              Watsen, K., "YANG Groupings for HTTP Clients and HTTP
              Servers", draft-kwatsen-netconf-http-client-server-05
              (work in progress), November 2019.

   [I-D.kwatsen-netconf-tcp-client-server]
              Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
              and TCP Servers", draft-kwatsen-netconf-tcp-client-server-02
              (work in progress), April 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
              SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
              December 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8071]  Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
              RFC 8071, DOI 10.17487/RFC8071, February 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

6.2.  Informative References

   [I-D.ietf-netconf-trust-anchors]
              Watsen, K., "A YANG Data Model for a Truststore",
              draft-ietf-netconf-trust-anchors-09 (work in progress),
              March 2020.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

6.3.  URIs

   [1] https://tools.ietf.org/html/draft-ietf-netconf-crypto-types

   [2] https://tools.ietf.org/html/draft-ietf-netconf-trust-anchors

   [3] https://tools.ietf.org/html/draft-ietf-netconf-keystore

   [4] https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server

   [5] https://tools.ietf.org/html/draft-ietf-netconf-ssh-client-server

   [6] https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server

   [7] https://tools.ietf.org/html/draft-ietf-netconf-http-client-server

   [8] https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server

   [9] https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-server

Appendix A.  Expanded Tree Diagrams

A.1.  Expanded Tree Diagram for 'ietf-restconf-client'

   The following tree diagram [RFC8340] provides an overview of the data
   model for the "ietf-restconf-client" module.

   This tree diagram shows all the nodes defined in this module,
   including those defined by "grouping" statements used by this module.

   Please see Section 2.1 for a tree diagram that illustrates what the
   module looks like without all the "grouping" statements expanded.

   ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========

   module: ietf-restconf-client
     +--rw restconf-client
        +--rw initiate! {https-initiate}?
        |  +--rw restconf-server* [name]
        |     +--rw name             string
        |     +--rw endpoints
        |     |  +--rw endpoint* [name]
        |     |     +--rw name       string
        |     |     +--rw (transport)
        |     |        +--:(https) {https-initiate}?
        |     |           +--rw https
        |     |              +--rw tcp-client-parameters
        |     |              |  +--rw remote-address    inet:host
        |     |              |  +--rw remote-port?      inet:port-number
        |     |              |  +--rw local-address?    inet:ip-address
        |     |              |  |       {local-binding-supported}?
        |     |              |  +--rw local-port?       inet:port-number
        |     |              |  |       {local-binding-supported}?
        |     |              |  +--rw keepalives!
        |     |              |          {keepalives-supported}?
2065 | | | +--rw idle-time uint16 2066 | | | +--rw max-probes uint16 2067 | | | +--rw probe-interval uint16 2068 | | +--rw tls-client-parameters 2069 | | | +--rw client-identity 2070 | | | | +--rw (auth-type)? 2071 | | | | +--:(certificate) 2072 | | | | | {x509-certificate-auth}? 2073 | | | | | +--rw certificate 2074 | | | | | +--rw (local-or-keystore) 2075 | | | | | +--:(local) 2076 | | | | | | {local-definiti\ 2077 \ons-supported}? 2078 | | | | | | +--rw local-definition 2079 | | | | | | +--rw public-key-f\ 2080 \ormat 2081 | | | | | | | identityref 2082 | | | | | | +--rw public-key 2083 | | | | | | | binary 2084 | | | | | | +--rw private-key-\ 2085 \format? 2086 | | | | | | | identityref 2087 | | | | | | +--rw (private-key\ 2088 \-type) 2089 | | | | | | | +--:(private-ke\ 2090 \y) 2091 | | | | | | | | +--rw privat\ 2092 \e-key? 2093 | | | | | | | | bina\ 2094 \ry 2095 | | | | | | | +--:(hidden-pri\ 2096 \vate-key) 2097 | | | | | | | | +--rw hidden\ 2098 \-private-key? 2099 | | | | | | | | empty 2100 | | | | | | | +--:(encrypted-\ 2101 \private-key) 2102 | | | | | | | +--rw encryp\ 2103 \ted-private-key 2104 | | | | | | | +--rw (ke\ 2105 \y-type) 2106 | | | | | | | | +--:(s\ 2107 \ymmetric-key-ref) 2108 | | | | | | | | | +--\ 2109 \rw symmetric-key-ref? leafref 2110 | | | | | | | | | \ 2111 \ {keystore-supported}? 2112 | | | | | | | | +--:(a\ 2113 \symmetric-key-ref) 2114 | | | | | | | | +--\ 2115 \rw asymmetric-key-ref? leafref 2116 | | | | | | | | \ 2117 \ {keystore-supported}? 2118 | | | | | | | +--rw val\ 2119 \ue? 2120 | | | | | | | b\ 2121 \inary 2122 | | | | | | +--rw cert? 2123 | | | | | | | end-entity\ 2124 \-cert-cms 2125 | | | | | | +---n certificate-\ 2127 \expiration 2128 | | | | | | | +-- expiration-\ 2129 \date 2130 | | | | | | | yang:da\ 2131 \te-and-time 2132 | | | | | | +---x generate-cer\ 2133 \tificate-signing-request 2134 | | | | | | {certifica\ 2135 \te-signing-request-generation}? 
2136 | | | | | | +---w input 2137 | | | | | | | +---w subject 2138 | | | | | | | | bina\ 2139 \ry 2140 | | | | | | | +---w attrib\ 2141 \utes? 2142 | | | | | | | bina\ 2143 \ry 2144 | | | | | | +--ro output 2145 | | | | | | +--ro certif\ 2146 \icate-signing-request 2147 | | | | | | ct:c\ 2148 \sr 2149 | | | | | +--:(keystore) 2150 | | | | | {keystore-suppo\ 2151 \rted}? 2152 | | | | | +--rw keystore-refere\ 2153 \nce 2154 | | | | | +--rw asymmetric-k\ 2155 \ey? 2156 | | | | | | ks:asymmet\ 2157 \ric-key-ref 2158 | | | | | +--rw certificate?\ 2159 \ leafref 2160 | | | | +--:(raw-public-key) 2161 | | | | | {raw-public-key-auth}? 2162 | | | | | +--rw raw-private-key 2163 | | | | | +--rw (local-or-keystore) 2164 | | | | | +--:(local) 2165 | | | | | | {local-definiti\ 2166 \ons-supported}? 2167 | | | | | | +--rw local-definition 2168 | | | | | | +--rw public-key-f\ 2169 \ormat 2170 | | | | | | | identityref 2171 | | | | | | +--rw public-key 2172 | | | | | | | binary 2173 | | | | | | +--rw private-key-\ 2174 \format? 2175 | | | | | | | identityref 2176 | | | | | | +--rw (private-key\ 2177 \-type) 2178 | | | | | | +--:(private-ke\ 2179 \y) 2180 | | | | | | | +--rw privat\ 2181 \e-key? 2182 | | | | | | | bina\ 2183 \ry 2184 | | | | | | +--:(hidden-pri\ 2185 \vate-key) 2186 | | | | | | | +--rw hidden\ 2187 \-private-key? 2188 | | | | | | | empty 2189 | | | | | | +--:(encrypted-\ 2190 \private-key) 2191 | | | | | | +--rw encryp\ 2192 \ted-private-key 2193 | | | | | | +--rw (ke\ 2194 \y-type) 2195 | | | | | | | +--:(s\ 2196 \ymmetric-key-ref) 2197 | | | | | | | | +--\ 2198 \rw symmetric-key-ref? leafref 2199 | | | | | | | | \ 2200 \ {keystore-supported}? 2201 | | | | | | | +--:(a\ 2202 \symmetric-key-ref) 2203 | | | | | | | +--\ 2204 \rw asymmetric-key-ref? leafref 2205 | | | | | | | \ 2206 \ {keystore-supported}? 2207 | | | | | | +--rw val\ 2208 \ue? 2209 | | | | | | b\ 2210 \inary 2211 | | | | | +--:(keystore) 2212 | | | | | {keystore-suppo\ 2213 \rted}? 
2214 | | | | | +--rw keystore-refere\ 2215 \nce? 2216 | | | | | ks:asymmetric\ 2217 \-key-ref 2218 | | | | +--:(psk) {psk-auth}? 2219 | | | | +--rw psk 2220 | | | | +--rw (local-or-keystore) 2221 | | | | +--:(local) 2222 | | | | | {local-definiti\ 2224 \ons-supported}? 2225 | | | | | +--rw local-definition 2226 | | | | | +--rw key-format? 2227 | | | | | | identityref 2228 | | | | | +--rw (key-type) 2229 | | | | | | +--:(key) 2230 | | | | | | | +--rw key? 2231 | | | | | | | bina\ 2232 \ry 2233 | | | | | | +--:(hidden-key) 2234 | | | | | | | +--rw hidden\ 2235 \-key? 2236 | | | | | | | empty 2237 | | | | | | +--:(encrypted-\ 2238 \key) 2239 | | | | | | +--rw encryp\ 2240 \ted-key 2241 | | | | | | +--rw (ke\ 2242 \y-type) 2243 | | | | | | | +--:(s\ 2244 \ymmetric-key-ref) 2245 | | | | | | | | +--\ 2246 \rw symmetric-key-ref? leafref 2247 | | | | | | | | \ 2248 \ {keystore-supported}? 2249 | | | | | | | +--:(a\ 2250 \symmetric-key-ref) 2251 | | | | | | | +--\ 2252 \rw asymmetric-key-ref? leafref 2253 | | | | | | | \ 2254 \ {keystore-supported}? 2255 | | | | | | +--rw val\ 2256 \ue? 2257 | | | | | | b\ 2258 \inary 2259 | | | | | +--rw id? 2260 | | | | | string 2261 | | | | | {ks:local-\ 2262 \definitions-supported}? 2263 | | | | +--:(keystore) 2264 | | | | {keystore-suppo\ 2265 \rted}? 2266 | | | | +--rw keystore-refere\ 2267 \nce? 2268 | | | | ks:symmetric-\ 2269 \key-ref 2270 | | | +--rw server-authentication 2271 | | | | +--rw ca-certs! 2272 | | | | | {x509-certificate-auth}? 2273 | | | | | +--rw (local-or-truststore) 2274 | | | | | +--:(local) 2275 | | | | | | {local-definitions-su\ 2276 \pported}? 2277 | | | | | | +--rw local-definition 2278 | | | | | | +--rw cert* 2279 | | | | | | | trust-anchor-cer\ 2280 \t-cms 2281 | | | | | | +---n certificate-expira\ 2282 \tion 2283 | | | | | | +-- expiration-date 2284 | | | | | | yang:date-and\ 2285 \-time 2286 | | | | | +--:(truststore) 2287 | | | | | {truststore-supported\ 2288 \,certificates}? 
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:certificate-bag-\
\ref
|  |  |  |  +--rw ee-certs!
|  |  |  |  |  {x509-certificate-auth}?
|  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw cert*
|  |  |  |  |  |  |  trust-anchor-cer\
\t-cms
|  |  |  |  |  |  +---n certificate-expira\
\tion
|  |  |  |  |  |  +-- expiration-date
|  |  |  |  |  |  yang:date-and\
\-time
|  |  |  |  |  +--:(truststore)
|  |  |  |  |  {truststore-supported\
\,certificates}?
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:certificate-bag-\
\ref
|  |  |  |  +--rw raw-public-keys!
|  |  |  |  |  {raw-public-key-auth}?
|  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw public-key* [name]
|  |  |  |  |  |  +--rw name
|  |  |  |  |  |  |  string
|  |  |  |  |  |  +--rw public-key-form\
\at
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw public-key
|  |  |  |  |  |  binary
|  |  |  |  |  +--:(truststore)
|  |  |  |  |  {truststore-supported\
\,public-keys}?
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:public-key-bag-r\
\ef
|  |  |  |  +--rw psks! {psk-auth}?
|  |  |  +--rw hello-params
|  |  |  |  {tls-client-hello-params-config\
\}?
|  |  |  |  +--rw tls-versions
|  |  |  |  |  +--rw tls-version* identityref
|  |  |  |  +--rw cipher-suites
|  |  |  |  +--rw cipher-suite* identityref
|  |  |  +--rw keepalives
|  |  |  {tls-client-keepalives}?
|  |  |  +--rw peer-allowed-to-send? empty
|  |  |  +--rw test-peer-aliveness!
|  |  |  +--rw max-wait? uint16
|  |  |  +--rw max-attempts? uint8
|  |  +--rw http-client-parameters
|  |  |  +--rw client-identity!
|  |  |  |  +--rw (auth-type)?
|  |  |  |  +--:(basic)
|  |  |  |  +--rw basic {basic-auth}?
|  |  |  |  +--rw user-id string
|  |  |  |  +--rw password string
|  |  |  +--rw proxy-server! {proxy-connect}?
|  |  |  +--rw tcp-client-parameters
|  |  |  |  +--rw remote-address inet:host
|  |  |  |  +--rw remote-port?
|  |  |  |  |  inet:port-number
|  |  |  |  +--rw local-address?
|  |  |  |  |  inet:ip-address
|  |  |  |  |  {local-binding-supported}?
|  |  |  |  +--rw local-port?
|  |  |  |  |  inet:port-number
|  |  |  |  |  {local-binding-supported}?
|  |  |  |  +--rw keepalives!
|  |  |  |  {keepalives-supported}?
|  |  |  |  +--rw idle-time uint16
|  |  |  |  +--rw max-probes uint16
|  |  |  |  +--rw probe-interval uint16
|  |  |  +--rw tls-client-parameters
|  |  |  |  +--rw client-identity
|  |  |  |  |  +--rw (auth-type)?
|  |  |  |  |  +--:(certificate)
|  |  |  |  |  |  {x509-certificate-\
\auth}?
|  |  |  |  |  |  +--rw certificate
|  |  |  |  |  |  +--rw (local-or-keyst\
\ore)
|  |  |  |  |  |  +--:(local)
|  |  |  |  |  |  |  {local-de\
\finitions-supported}?
|  |  |  |  |  |  |  +--rw local-def\
\inition
|  |  |  |  |  |  |  +--rw public\
\-key-format
|  |  |  |  |  |  |  |  iden\
\tityref
|  |  |  |  |  |  |  +--rw public\
\-key
|  |  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  |  +--rw privat\
\e-key-format?
|  |  |  |  |  |  |  |  iden\
\tityref
|  |  |  |  |  |  |  +--rw (priva\
\te-key-type)
|  |  |  |  |  |  |  |  +--:(priv\
\ate-key)
|  |  |  |  |  |  |  |  |  +--rw \
\private-key?
|  |  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  |  +--:(hidd\
\en-private-key)
|  |  |  |  |  |  |  |  |  +--rw \
\hidden-private-key?
|  |  |  |  |  |  |  |  |  \
\ empty
|  |  |  |  |  |  |  |  +--:(encr\
\ypted-private-key)
|  |  |  |  |  |  |  |  +--rw \
\encrypted-private-key
|  |  |  |  |  |  |  |  +--\
\rw (key-type)
|  |  |  |  |  |  |  |  |  \
\+--:(symmetric-key-ref)
|  |  |  |  |  |  |  |  |  \
\| +--rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  |  \
\| {keystore-supported}?
|  |  |  |  |  |  |  |  |  \
\+--:(asymmetric-key-ref)
|  |  |  |  |  |  |  |  |  \
\ +--rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  |  +--\
\rw value?
|  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  +--rw cert?
|  |  |  |  |  |  |  |  end-\
\entity-cert-cms
|  |  |  |  |  |  |  +---n certif\
\icate-expiration
|  |  |  |  |  |  |  |  +-- expir\
\ation-date
|  |  |  |  |  |  |  |  y\
\ang:date-and-time
|  |  |  |  |  |  |  +---x genera\
\te-certificate-signing-request
|  |  |  |  |  |  |  {cer\
\tificate-signing-request-generation}?
|  |  |  |  |  |  |  +---w inp\
\ut
|  |  |  |  |  |  |  |  +---w \
\subject
|  |  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  |  +---w \
\attributes?
|  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  +--ro out\
\put
|  |  |  |  |  |  |  +--ro \
\certificate-signing-request
|  |  |  |  |  |  |  \
\ ct:csr
|  |  |  |  |  |  +--:(keystore)
|  |  |  |  |  |  {keystore\
\-supported}?
|  |  |  |  |  |  +--rw keystore-\
\reference
|  |  |  |  |  |  +--rw asymme\
\tric-key?
|  |  |  |  |  |  |  ks:a\
\symmetric-key-ref
|  |  |  |  |  |  +--rw certif\
\icate? leafref
|  |  |  |  |  +--:(raw-public-key)
|  |  |  |  |  |  {raw-public-key-au\
\th}?
|  |  |  |  |  |  +--rw raw-private-key
|  |  |  |  |  |  +--rw (local-or-keyst\
\ore)
|  |  |  |  |  |  +--:(local)
|  |  |  |  |  |  |  {local-de\
\finitions-supported}?
|  |  |  |  |  |  |  +--rw local-def\
\inition
|  |  |  |  |  |  |  +--rw public\
\-key-format
|  |  |  |  |  |  |  |  iden\
\tityref
|  |  |  |  |  |  |  +--rw public\
\-key
|  |  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  |  +--rw privat\
\e-key-format?
|  |  |  |  |  |  |  |  iden\
\tityref
|  |  |  |  |  |  |  +--rw (priva\
\te-key-type)
|  |  |  |  |  |  |  +--:(priv\
\ate-key)
|  |  |  |  |  |  |  |  +--rw \
\private-key?
|  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  +--:(hidd\
\en-private-key)
|  |  |  |  |  |  |  |  +--rw \
\hidden-private-key?
|  |  |  |  |  |  |  |  \
\ empty
|  |  |  |  |  |  |  +--:(encr\
\ypted-private-key)
|  |  |  |  |  |  |  +--rw \
\encrypted-private-key
|  |  |  |  |  |  |  +--\
\rw (key-type)
|  |  |  |  |  |  |  |  \
\+--:(symmetric-key-ref)
|  |  |  |  |  |  |  |  \
\| +--rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\| {keystore-supported}?
|  |  |  |  |  |  |  |  \
\+--:(asymmetric-key-ref)
|  |  |  |  |  |  |  |  \
\ +--rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--\
\rw value?
|  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  +--:(keystore)
|  |  |  |  |  |  {keystore\
\-supported}?
|  |  |  |  |  |  +--rw keystore-\
\reference?
|  |  |  |  |  |  ks:asym\
\metric-key-ref
|  |  |  |  |  +--:(psk) {psk-auth}?
|  |  |  |  |  +--rw psk
|  |  |  |  |  +--rw (local-or-keyst\
\ore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-de\
\finitions-supported}?
|  |  |  |  |  |  +--rw local-def\
\inition
|  |  |  |  |  |  +--rw key-fo\
\rmat?
|  |  |  |  |  |  |  iden\
\tityref
|  |  |  |  |  |  +--rw (key-t\
\ype)
|  |  |  |  |  |  |  +--:(key)
|  |  |  |  |  |  |  |  +--rw \
\key?
|  |  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  |  +--:(hidd\
\en-key)
|  |  |  |  |  |  |  |  +--rw \
\hidden-key?
|  |  |  |  |  |  |  |  \
\ empty
|  |  |  |  |  |  |  +--:(encr\
\ypted-key)
|  |  |  |  |  |  |  +--rw \
\encrypted-key
|  |  |  |  |  |  |  +--\
\rw (key-type)
|  |  |  |  |  |  |  |  \
\+--:(symmetric-key-ref)
|  |  |  |  |  |  |  |  \
\| +--rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\| {keystore-supported}?
|  |  |  |  |  |  |  |  \
\+--:(asymmetric-key-ref)
|  |  |  |  |  |  |  |  \
\ +--rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--\
\rw value?
|  |  |  |  |  |  |  \
\ binary
|  |  |  |  |  |  +--rw id?
|  |  |  |  |  |  stri\
\ng
|  |  |  |  |  |  {ks:\
\local-definitions-supported}?
|  |  |  |  |  +--:(keystore)
|  |  |  |  |  {keystore\
\-supported}?
|  |  |  |  |  +--rw keystore-\
\reference?
|  |  |  |  |  ks:symm\
\etric-key-ref
|  |  |  |  +--rw server-authentication
|  |  |  |  |  +--rw ca-certs!
|  |  |  |  |  |  {x509-certificate-auth\
\}?
|  |  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  |  +--:(local)
|  |  |  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  |  +--rw cert*
|  |  |  |  |  |  |  |  trust-anch\
\or-cert-cms
|  |  |  |  |  |  |  +---n certificate-\
\expiration
|  |  |  |  |  |  |  +-- expiration-\
\date
|  |  |  |  |  |  |  yang:da\
\te-and-time
|  |  |  |  |  |  +--:(truststore)
|  |  |  |  |  |  {truststore-sup\
\ported,certificates}?
|  |  |  |  |  |  +--rw truststore-refe\
\rence?
|  |  |  |  |  |  ts:certificat\
\e-bag-ref
|  |  |  |  |  +--rw ee-certs!
|  |  |  |  |  |  {x509-certificate-auth\
\}?
|  |  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  |  +--:(local)
|  |  |  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  |  +--rw cert*
|  |  |  |  |  |  |  |  trust-anch\
\or-cert-cms
|  |  |  |  |  |  |  +---n certificate-\
\expiration
|  |  |  |  |  |  |  +-- expiration-\
\date
|  |  |  |  |  |  |  yang:da\
\te-and-time
|  |  |  |  |  |  +--:(truststore)
|  |  |  |  |  |  {truststore-sup\
\ported,certificates}?
|  |  |  |  |  |  +--rw truststore-refe\
\rence?
|  |  |  |  |  |  ts:certificat\
\e-bag-ref
|  |  |  |  |  +--rw raw-public-keys!
|  |  |  |  |  |  {raw-public-key-auth}?
|  |  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  |  +--:(local)
|  |  |  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  |  +--rw public-key*
|  |  |  |  |  |  |  [name]
|  |  |  |  |  |  |  +--rw name
|  |  |  |  |  |  |  |  string
|  |  |  |  |  |  |  +--rw public-ke\
\y-format
|  |  |  |  |  |  |  |  identit\
\yref
|  |  |  |  |  |  |  +--rw public-key
|  |  |  |  |  |  |  binary
|  |  |  |  |  |  +--:(truststore)
|  |  |  |  |  |  {truststore-sup\
\ported,public-keys}?
|  |  |  |  |  |  +--rw truststore-refe\
\rence?
|  |  |  |  |  |  ts:public-key\
\-bag-ref
|  |  |  |  |  +--rw psks! {psk-auth}?
|  |  |  |  +--rw hello-params
|  |  |  |  |  {tls-client-hello-params-\
\config}?
|  |  |  |  |  +--rw tls-versions
|  |  |  |  |  |  +--rw tls-version*
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw cipher-suites
|  |  |  |  |  +--rw cipher-suite*
|  |  |  |  |  identityref
|  |  |  |  +--rw keepalives
|  |  |  |  {tls-client-keepalives}?
|  |  |  |  +--rw peer-allowed-to-send?
|  |  |  |  |  empty
|  |  |  |  +--rw test-peer-aliveness!
|  |  |  |  +--rw max-wait? uint16
|  |  |  |  +--rw max-attempts? uint8
|  |  |  +--rw http-client-parameters
|  |  |  +--rw client-identity!
|  |  |  +--rw (auth-type)?
|  |  |  +--:(basic)
|  |  |  +--rw basic {basic-auth}?
|  |  |  +--rw user-id
|  |  |  |  string
|  |  |  +--rw password
|  |  |  string
|  |  +--rw restconf-client-parameters
|  +--rw connection-type
|  |  +--rw (connection-type)
|  |  +--:(persistent-connection)
|  |  |  +--rw persistent!
|  |  +--:(periodic-connection)
|  |  +--rw periodic!
|  |  +--rw period? uint16
|  |  +--rw anchor-time? yang:date-and-time
|  |  +--rw idle-timeout? uint16
|  +--rw reconnect-strategy
|  +--rw start-with? enumeration
|  +--rw max-attempts? uint8
+--rw listen! {http-listen or https-listen}?
+--rw idle-timeout? uint16
+--rw endpoint* [name]
+--rw name string
+--rw (transport)
+--:(http) {http-listen}?
|  +--rw http
|  +--rw tcp-server-parameters
|  |  +--rw local-address inet:ip-address
|  |  +--rw local-port? inet:port-number
|  |  +--rw keepalives! {keepalives-supported}?
|  |  +--rw idle-time uint16
|  |  +--rw max-probes uint16
|  |  +--rw probe-interval uint16
|  +--rw http-client-parameters
|  |  +--rw client-identity!
|  |  |  +--rw (auth-type)?
|  |  |  +--:(basic)
|  |  |  +--rw basic {basic-auth}?
|  |  |  +--rw user-id string
|  |  |  +--rw password string
|  |  +--rw proxy-server! {proxy-connect}?
|  |  +--rw tcp-client-parameters
|  |  |  +--rw remote-address inet:host
|  |  |  +--rw remote-port? inet:port-number
|  |  |  +--rw local-address? inet:ip-address
|  |  |  |  {local-binding-supported}?
|  |  |  +--rw local-port? inet:port-number
|  |  |  |  {local-binding-supported}?
|  |  |  +--rw keepalives!
|  |  |  {keepalives-supported}?
|  |  |  +--rw idle-time uint16
|  |  |  +--rw max-probes uint16
|  |  |  +--rw probe-interval uint16
|  |  +--rw tls-client-parameters
|  |  |  +--rw client-identity
|  |  |  |  +--rw (auth-type)?
|  |  |  |  +--:(certificate)
|  |  |  |  |  {x509-certificate-auth}?
|  |  |  |  |  +--rw certificate
|  |  |  |  |  +--rw (local-or-keystore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw public-key-f\
\ormat
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw public-key
|  |  |  |  |  |  |  binary
|  |  |  |  |  |  +--rw private-key-\
\format?
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw (private-key\
\-type)
|  |  |  |  |  |  |  +--:(private-ke\
\y)
|  |  |  |  |  |  |  |  +--rw privat\
\e-key?
|  |  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  |  +--:(hidden-pri\
\vate-key)
|  |  |  |  |  |  |  |  +--rw hidden\
\-private-key?
|  |  |  |  |  |  |  |  empty
|  |  |  |  |  |  |  +--:(encrypted-\
\private-key)
|  |  |  |  |  |  |  +--rw encryp\
\ted-private-key
|  |  |  |  |  |  |  +--rw (ke\
\y-type)
|  |  |  |  |  |  |  |  +--:(s\
\ymmetric-key-ref)
|  |  |  |  |  |  |  |  |  +--\
\rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  |  +--:(a\
\symmetric-key-ref)
|  |  |  |  |  |  |  |  +--\
\rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--rw val\
\ue?
|  |  |  |  |  |  |  b\
\inary
|  |  |  |  |  |  +--rw cert?
|  |  |  |  |  |  |  end-entity\
\-cert-cms
|  |  |  |  |  |  +---n certificate-\
\expiration
|  |  |  |  |  |  |  +-- expiration-\
\date
|  |  |  |  |  |  |  yang:da\
\te-and-time
|  |  |  |  |  |  +---x generate-cer\
\tificate-signing-request
|  |  |  |  |  |  {certifica\
\te-signing-request-generation}?
|  |  |  |  |  |  +---w input
|  |  |  |  |  |  |  +---w subject
|  |  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  |  +---w attrib\
\utes?
|  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  +--ro output
|  |  |  |  |  |  +--ro certif\
\icate-signing-request
|  |  |  |  |  |  ct:c\
\sr
|  |  |  |  |  +--:(keystore)
|  |  |  |  |  {keystore-suppo\
\rted}?
|  |  |  |  |  +--rw keystore-refere\
\nce
|  |  |  |  |  +--rw asymmetric-k\
\ey?
|  |  |  |  |  |  ks:asymmet\
\ric-key-ref
|  |  |  |  |  +--rw certificate?\
\ leafref
|  |  |  |  +--:(raw-public-key)
|  |  |  |  |  {raw-public-key-auth}?
|  |  |  |  |  +--rw raw-private-key
|  |  |  |  |  +--rw (local-or-keystore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw public-key-f\
\ormat
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw public-key
|  |  |  |  |  |  |  binary
|  |  |  |  |  |  +--rw private-key-\
\format?
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw (private-key\
\-type)
|  |  |  |  |  |  +--:(private-ke\
\y)
|  |  |  |  |  |  |  +--rw privat\
\e-key?
|  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  +--:(hidden-pri\
\vate-key)
|  |  |  |  |  |  |  +--rw hidden\
\-private-key?
|  |  |  |  |  |  |  empty
|  |  |  |  |  |  +--:(encrypted-\
\private-key)
|  |  |  |  |  |  +--rw encryp\
\ted-private-key
|  |  |  |  |  |  +--rw (ke\
\y-type)
|  |  |  |  |  |  |  +--:(s\
\ymmetric-key-ref)
|  |  |  |  |  |  |  |  +--\
\rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--:(a\
\symmetric-key-ref)
|  |  |  |  |  |  |  +--\
\rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  +--rw val\
\ue?
|  |  |  |  |  |  b\
\inary
|  |  |  |  |  +--:(keystore)
|  |  |  |  |  {keystore-suppo\
\rted}?
|  |  |  |  |  +--rw keystore-refere\
\nce?
|  |  |  |  |  ks:asymmetric\
\-key-ref
|  |  |  |  +--:(psk) {psk-auth}?
|  |  |  |  +--rw psk
|  |  |  |  +--rw (local-or-keystore)
|  |  |  |  +--:(local)
|  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  +--rw local-definition
|  |  |  |  |  +--rw key-format?
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw (key-type)
|  |  |  |  |  |  +--:(key)
|  |  |  |  |  |  |  +--rw key?
|  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  +--:(hidden-key)
|  |  |  |  |  |  |  +--rw hidden\
\-key?
|  |  |  |  |  |  |  empty
|  |  |  |  |  |  +--:(encrypted-\
\key)
|  |  |  |  |  |  +--rw encryp\
\ted-key
|  |  |  |  |  |  +--rw (ke\
\y-type)
|  |  |  |  |  |  |  +--:(s\
\ymmetric-key-ref)
|  |  |  |  |  |  |  |  +--\
\rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--:(a\
\symmetric-key-ref)
|  |  |  |  |  |  |  +--\
\rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  +--rw val\
\ue?
|  |  |  |  |  |  b\
\inary
|  |  |  |  |  +--rw id?
|  |  |  |  |  string
|  |  |  |  |  {ks:local-\
\definitions-supported}?
|  |  |  |  +--:(keystore)
|  |  |  |  {keystore-suppo\
\rted}?
|  |  |  |  +--rw keystore-refere\
\nce?
|  |  |  |  ks:symmetric-\
\key-ref
|  |  |  +--rw server-authentication
|  |  |  |  +--rw ca-certs!
|  |  |  |  |  {x509-certificate-auth}?
|  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw cert*
|  |  |  |  |  |  |  trust-anchor-cer\
\t-cms
|  |  |  |  |  |  +---n certificate-expira\
\tion
|  |  |  |  |  |  +-- expiration-date
|  |  |  |  |  |  yang:date-and\
\-time
|  |  |  |  |  +--:(truststore)
|  |  |  |  |  {truststore-supported\
\,certificates}?
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:certificate-bag-\
\ref
|  |  |  |  +--rw ee-certs!
|  |  |  |  |  {x509-certificate-auth}?
|  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw cert*
|  |  |  |  |  |  |  trust-anchor-cer\
\t-cms
|  |  |  |  |  |  +---n certificate-expira\
\tion
|  |  |  |  |  |  +-- expiration-date
|  |  |  |  |  |  yang:date-and\
\-time
|  |  |  |  |  +--:(truststore)
|  |  |  |  |  {truststore-supported\
\,certificates}?
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:certificate-bag-\
\ref
|  |  |  |  +--rw raw-public-keys!
|  |  |  |  |  {raw-public-key-auth}?
|  |  |  |  |  +--rw (local-or-truststore)
|  |  |  |  |  +--:(local)
|  |  |  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  |  |  +--rw local-definition
|  |  |  |  |  |  +--rw public-key* [name]
|  |  |  |  |  |  +--rw name
|  |  |  |  |  |  |  string
|  |  |  |  |  |  +--rw public-key-form\
\at
|  |  |  |  |  |  |  identityref
|  |  |  |  |  |  +--rw public-key
|  |  |  |  |  |  binary
|  |  |  |  |  +--:(truststore)
|  |  |  |  |  {truststore-supported\
\,public-keys}?
|  |  |  |  |  +--rw truststore-reference?
|  |  |  |  |  ts:public-key-bag-r\
\ef
|  |  |  |  +--rw psks! {psk-auth}?
|  |  |  +--rw hello-params
|  |  |  |  {tls-client-hello-params-config\
\}?
|  |  |  |  +--rw tls-versions
|  |  |  |  |  +--rw tls-version* identityref
|  |  |  |  +--rw cipher-suites
|  |  |  |  +--rw cipher-suite* identityref
|  |  |  +--rw keepalives
|  |  |  {tls-client-keepalives}?
|  |  |  +--rw peer-allowed-to-send? empty
|  |  |  +--rw test-peer-aliveness!
|  |  |  +--rw max-wait? uint16
|  |  |  +--rw max-attempts? uint8
|  |  +--rw http-client-parameters
|  |  +--rw client-identity!
|  |  +--rw (auth-type)?
|  |  +--:(basic)
|  |  +--rw basic {basic-auth}?
|  |  +--rw user-id string
|  |  +--rw password string
|  +--rw restconf-client-parameters
+--:(https) {https-listen}?
+--rw https
+--rw tcp-server-parameters
|  +--rw local-address inet:ip-address
|  +--rw local-port? inet:port-number
|  +--rw keepalives! {keepalives-supported}?
|  +--rw idle-time uint16
|  +--rw max-probes uint16
|  +--rw probe-interval uint16
+--rw tls-client-parameters
|  +--rw client-identity
|  |  +--rw (auth-type)?
|  |  +--:(certificate)
|  |  |  {x509-certificate-auth}?
|  |  |  +--rw certificate
|  |  |  +--rw (local-or-keystore)
|  |  |  +--:(local)
|  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw public-key-format
|  |  |  |  |  identityref
|  |  |  |  +--rw public-key
|  |  |  |  |  binary
|  |  |  |  +--rw private-key-format?
|  |  |  |  |  identityref
|  |  |  |  +--rw (private-key-type)
|  |  |  |  |  +--:(private-key)
|  |  |  |  |  |  +--rw private-key?
|  |  |  |  |  |  binary
|  |  |  |  |  +--:(hidden-private-k\
\ey)
|  |  |  |  |  |  +--rw hidden-priva\
\te-key?
|  |  |  |  |  |  empty
|  |  |  |  |  +--:(encrypted-privat\
\e-key)
|  |  |  |  |  +--rw encrypted-pr\
\ivate-key
|  |  |  |  |  +--rw (key-type)
|  |  |  |  |  |  +--:(symmetr\
\ic-key-ref)
|  |  |  |  |  |  |  +--rw sym\
\metric-key-ref? leafref
|  |  |  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  |  |  +--:(asymmet\
\ric-key-ref)
|  |  |  |  |  |  +--rw asy\
\mmetric-key-ref? leafref
|  |  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  |  +--rw value?
|  |  |  |  |  binary
|  |  |  |  +--rw cert?
|  |  |  |  |  end-entity-cert-\
\cms
|  |  |  |  +---n certificate-expira\
\tion
|  |  |  |  |  +-- expiration-date
|  |  |  |  |  yang:date-and\
\-time
|  |  |  |  +---x generate-certifica\
\te-signing-request
|  |  |  |  {certificate-sig\
\ning-request-generation}?
|  |  |  |  +---w input
|  |  |  |  |  +---w subject
|  |  |  |  |  |  binary
|  |  |  |  |  +---w attributes?
|  |  |  |  |  binary
|  |  |  |  +--ro output
|  |  |  |  +--ro certificate-\
\signing-request
|  |  |  |  ct:csr
|  |  |  +--:(keystore)
|  |  |  {keystore-supported}?
|  |  |  +--rw keystore-reference
|  |  |  +--rw asymmetric-key?
|  |  |  |  ks:asymmetric-ke\
\y-ref
|  |  |  +--rw certificate? \
\leafref
|  |  +--:(raw-public-key)
|  |  |  {raw-public-key-auth}?
|  |  |  +--rw raw-private-key
|  |  |  +--rw (local-or-keystore)
|  |  |  +--:(local)
|  |  |  |  {local-definitions-su\
\pported}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw public-key-format
|  |  |  |  |  identityref
|  |  |  |  +--rw public-key
|  |  |  |  |  binary
|  |  |  |  +--rw private-key-format?
|  |  |  |  |  identityref
|  |  |  |  +--rw (private-key-type)
|  |  |  |  +--:(private-key)
|  |  |  |  |  +--rw private-key?
|  |  |  |  |  binary
|  |  |  |  +--:(hidden-private-k\
\ey)
|  |  |  |  |  +--rw hidden-priva\
\te-key?
|  |  |  |  |  empty
|  |  |  |  +--:(encrypted-privat\
\e-key)
|  |  |  |  +--rw encrypted-pr\
\ivate-key
|  |  |  |  +--rw (key-type)
|  |  |  |  |  +--:(symmetr\
\ic-key-ref)
|  |  |  |  |  |  +--rw sym\
\metric-key-ref? leafref
|  |  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  |  +--:(asymmet\
\ric-key-ref)
|  |  |  |  |  +--rw asy\
\mmetric-key-ref? leafref
|  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  +--rw value?
|  |  |  |  binary
|  |  |  +--:(keystore)
|  |  |  {keystore-supported}?
|  |  |  +--rw keystore-reference?
|  |  |  ks:asymmetric-key-r\
\ef
|  |  +--:(psk) {psk-auth}?
|  |  +--rw psk
|  |  +--rw (local-or-keystore)
|  |  +--:(local)
|  |  |  {local-definitions-su\
\pported}?
|  |  |  +--rw local-definition
|  |  |  +--rw key-format?
|  |  |  |  identityref
|  |  |  +--rw (key-type)
|  |  |  |  +--:(key)
|  |  |  |  |  +--rw key?
|  |  |  |  |  binary
|  |  |  |  +--:(hidden-key)
|  |  |  |  |  +--rw hidden-key?
|  |  |  |  |  empty
|  |  |  |  +--:(encrypted-key)
|  |  |  |  +--rw encrypted-key
|  |  |  |  +--rw (key-type)
|  |  |  |  |  +--:(symmetr\
\ic-key-ref)
|  |  |  |  |  |  +--rw sym\
\metric-key-ref? leafref
|  |  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  |  +--:(asymmet\
\ric-key-ref)
|  |  |  |  |  +--rw asy\
\mmetric-key-ref? leafref
|  |  |  |  |  {\
\keystore-supported}?
|  |  |  |  +--rw value?
|  |  |  |  binary
|  |  |  +--rw id?
|  |  |  string
|  |  |  {ks:local-defini\
\tions-supported}?
|  |  +--:(keystore)
|  |  {keystore-supported}?
|  |  +--rw keystore-reference?
|  |  ks:symmetric-key-ref
|  +--rw server-authentication
|  |  +--rw ca-certs! {x509-certificate-auth}?
|  |  |  +--rw (local-or-truststore)
|  |  |  +--:(local)
|  |  |  |  {local-definitions-supporte\
\d}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw cert*
|  |  |  |  |  trust-anchor-cert-cms
|  |  |  |  +---n certificate-expiration
|  |  |  |  +-- expiration-date
|  |  |  |  yang:date-and-time
|  |  |  +--:(truststore)
|  |  |  {truststore-supported,certi\
\ficates}?
|  |  |  +--rw truststore-reference?
|  |  |  ts:certificate-bag-ref
|  |  +--rw ee-certs! {x509-certificate-auth}?
|  |  |  +--rw (local-or-truststore)
|  |  |  +--:(local)
|  |  |  |  {local-definitions-supporte\
\d}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw cert*
|  |  |  |  |  trust-anchor-cert-cms
|  |  |  |  +---n certificate-expiration
|  |  |  |  +-- expiration-date
|  |  |  |  yang:date-and-time
|  |  |  +--:(truststore)
|  |  |  {truststore-supported,certi\
\ficates}?
|  |  |  +--rw truststore-reference?
|  |  |  ts:certificate-bag-ref
|  |  +--rw raw-public-keys!
|  |  |  {raw-public-key-auth}?
|  |  |  +--rw (local-or-truststore)
|  |  |  +--:(local)
|  |  |  |  {local-definitions-supporte\
\d}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw public-key* [name]
|  |  |  |  +--rw name
|  |  |  |  |  string
|  |  |  |  +--rw public-key-format
|  |  |  |  |  identityref
|  |  |  |  +--rw public-key
|  |  |  |  binary
|  |  |  +--:(truststore)
|  |  |  {truststore-supported,publi\
\c-keys}?
|  |  |  +--rw truststore-reference?
|  |  |  ts:public-key-bag-ref
|  |  +--rw psks! {psk-auth}?
|  +--rw hello-params
|  |  {tls-client-hello-params-config}?
|  |  +--rw tls-versions
|  |  |  +--rw tls-version* identityref
|  |  +--rw cipher-suites
|  |  +--rw cipher-suite* identityref
|  +--rw keepalives {tls-client-keepalives}?
|  +--rw peer-allowed-to-send? empty
|  +--rw test-peer-aliveness!
|  +--rw max-wait? uint16
|  +--rw max-attempts? uint8
+--rw http-client-parameters
|  +--rw client-identity!
|  |  +--rw (auth-type)?
|  |  +--:(basic)
|  |  +--rw basic {basic-auth}?
|  |  +--rw user-id string
|  |  +--rw password string
|  +--rw proxy-server! {proxy-connect}?
|  +--rw tcp-client-parameters
|  |  +--rw remote-address inet:host
|  |  +--rw remote-port? inet:port-number
|  |  +--rw local-address? inet:ip-address
|  |  |  {local-binding-supported}?
|  |  +--rw local-port? inet:port-number
|  |  |  {local-binding-supported}?
|  |  +--rw keepalives!
|  |  {keepalives-supported}?
|  |  +--rw idle-time uint16
|  |  +--rw max-probes uint16
|  |  +--rw probe-interval uint16
|  +--rw tls-client-parameters
|  |  +--rw client-identity
|  |  |  +--rw (auth-type)?
|  |  |  +--:(certificate)
|  |  |  |  {x509-certificate-auth}?
|  |  |  |  +--rw certificate
|  |  |  |  +--rw (local-or-keystore)
|  |  |  |  +--:(local)
|  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  +--rw local-definition
|  |  |  |  |  +--rw public-key-f\
\ormat
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw public-key
|  |  |  |  |  |  binary
|  |  |  |  |  +--rw private-key-\
\format?
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw (private-key\
\-type)
|  |  |  |  |  |  +--:(private-ke\
\y)
|  |  |  |  |  |  |  +--rw privat\
\e-key?
|  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  +--:(hidden-pri\
\vate-key)
|  |  |  |  |  |  |  +--rw hidden\
\-private-key?
|  |  |  |  |  |  |  empty
|  |  |  |  |  |  +--:(encrypted-\
\private-key)
|  |  |  |  |  |  +--rw encryp\
\ted-private-key
|  |  |  |  |  |  +--rw (ke\
\y-type)
|  |  |  |  |  |  |  +--:(s\
\ymmetric-key-ref)
|  |  |  |  |  |  |  |  +--\
\rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  |  +--:(a\
\symmetric-key-ref)
|  |  |  |  |  |  |  +--\
\rw asymmetric-key-ref? leafref
|  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  +--rw val\
\ue?
|  |  |  |  |  |  b\
\inary
|  |  |  |  |  +--rw cert?
|  |  |  |  |  |  end-entity\
\-cert-cms
|  |  |  |  |  +---n certificate-\
\expiration
|  |  |  |  |  |  +-- expiration-\
\date
|  |  |  |  |  |  yang:da\
\te-and-time
|  |  |  |  |  +---x generate-cer\
\tificate-signing-request
|  |  |  |  |  {certifica\
\te-signing-request-generation}?
|  |  |  |  |  +---w input
|  |  |  |  |  |  +---w subject
|  |  |  |  |  |  |  bina\
\ry
|  |  |  |  |  |  +---w attrib\
\utes?
|  |  |  |  |  |  bina\
\ry
|  |  |  |  |  +--ro output
|  |  |  |  |  +--ro certif\
\icate-signing-request
|  |  |  |  |  ct:c\
\sr
|  |  |  |  +--:(keystore)
|  |  |  |  {keystore-suppo\
\rted}?
|  |  |  |  +--rw keystore-refere\
\nce
|  |  |  |  +--rw asymmetric-k\
\ey?
|  |  |  |  |  ks:asymmet\
\ric-key-ref
|  |  |  |  +--rw certificate?\
\ leafref
|  |  |  +--:(raw-public-key)
|  |  |  |  {raw-public-key-auth}?
|  |  |  |  +--rw raw-private-key
|  |  |  |  +--rw (local-or-keystore)
|  |  |  |  +--:(local)
|  |  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  |  +--rw local-definition
|  |  |  |  |  +--rw public-key-f\
\ormat
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw public-key
|  |  |  |  |  |  binary
|  |  |  |  |  +--rw private-key-\
\format?
|  |  |  |  |  |  identityref
|  |  |  |  |  +--rw (private-key\
\-type)
|  |  |  |  |  +--:(private-ke\
\y)
|  |  |  |  |  |  +--rw privat\
\e-key?
|  |  |  |  |  |  bina\
\ry
|  |  |  |  |  +--:(hidden-pri\
\vate-key)
|  |  |  |  |  |  +--rw hidden\
\-private-key?
|  |  |  |  |  |  empty
|  |  |  |  |  +--:(encrypted-\
\private-key)
|  |  |  |  |  +--rw encryp\
\ted-private-key
|  |  |  |  |  +--rw (ke\
\y-type)
|  |  |  |  |  |  +--:(s\
\ymmetric-key-ref)
|  |  |  |  |  |  |  +--\
\rw symmetric-key-ref? leafref
|  |  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  |  +--:(a\
\symmetric-key-ref)
|  |  |  |  |  |  +--\
\rw asymmetric-key-ref? leafref
|  |  |  |  |  |  \
\ {keystore-supported}?
|  |  |  |  |  +--rw val\
\ue?
|  |  |  |  |  b\
\inary
|  |  |  |  +--:(keystore)
|  |  |  |  {keystore-suppo\
\rted}?
|  |  |  |  +--rw keystore-refere\
\nce?
|  |  |  |  ks:asymmetric\
\-key-ref
|  |  |  +--:(psk) {psk-auth}?
|  |  |  +--rw psk
|  |  |  +--rw (local-or-keystore)
|  |  |  +--:(local)
|  |  |  |  {local-definiti\
\ons-supported}?
|  |  |  |  +--rw local-definition
|  |  |  |  +--rw key-format?
|  |  |  |  |  identityref
|  |  |  |  +--rw (key-type)
|  |  |  |  |  +--:(key)
|  |  |  |  |  |  +--rw key?
|  |  |  |  |  |  bina\
\ry
|  |  |  |  |  +--:(hidden-key)
|  |  |  |  |  |  +--rw hidden\
\-key?
3458 | | | | | | empty 3459 | | | | | +--:(encrypted-\ 3460 \key) 3461 | | | | | +--rw encryp\ 3462 \ted-key 3463 | | | | | +--rw (ke\ 3464 \y-type) 3465 | | | | | | +--:(s\ 3466 \ymmetric-key-ref) 3467 | | | | | | | +--\ 3468 \rw symmetric-key-ref? leafref 3469 | | | | | | | \ 3470 \ {keystore-supported}? 3471 | | | | | | +--:(a\ 3472 \symmetric-key-ref) 3473 | | | | | | +--\ 3474 \rw asymmetric-key-ref? leafref 3475 | | | | | | \ 3476 \ {keystore-supported}? 3477 | | | | | +--rw val\ 3479 \ue? 3480 | | | | | b\ 3481 \inary 3482 | | | | +--rw id? 3483 | | | | string 3484 | | | | {ks:local-\ 3485 \definitions-supported}? 3486 | | | +--:(keystore) 3487 | | | {keystore-suppo\ 3488 \rted}? 3489 | | | +--rw keystore-refere\ 3490 \nce? 3491 | | | ks:symmetric-\ 3492 \key-ref 3493 | | +--rw server-authentication 3494 | | | +--rw ca-certs! 3495 | | | | {x509-certificate-auth}? 3496 | | | | +--rw (local-or-truststore) 3497 | | | | +--:(local) 3498 | | | | | {local-definitions-su\ 3499 \pported}? 3500 | | | | | +--rw local-definition 3501 | | | | | +--rw cert* 3502 | | | | | | trust-anchor-cer\ 3503 \t-cms 3504 | | | | | +---n certificate-expira\ 3505 \tion 3506 | | | | | +-- expiration-date 3507 | | | | | yang:date-and\ 3508 \-time 3509 | | | | +--:(truststore) 3510 | | | | {truststore-supported\ 3511 \,certificates}? 3512 | | | | +--rw truststore-reference? 3513 | | | | ts:certificate-bag-\ 3514 \ref 3515 | | | +--rw ee-certs! 3516 | | | | {x509-certificate-auth}? 3517 | | | | +--rw (local-or-truststore) 3518 | | | | +--:(local) 3519 | | | | | {local-definitions-su\ 3520 \pported}? 3521 | | | | | +--rw local-definition 3522 | | | | | +--rw cert* 3523 | | | | | | trust-anchor-cer\ 3524 \t-cms 3525 | | | | | +---n certificate-expira\ 3526 \tion 3527 | | | | | +-- expiration-date 3528 | | | | | yang:date-and\ 3529 \-time 3530 | | | | +--:(truststore) 3531 | | | | {truststore-supported\ 3532 \,certificates}? 3533 | | | | +--rw truststore-reference? 
3534 | | | | ts:certificate-bag-\ 3535 \ref 3536 | | | +--rw raw-public-keys! 3537 | | | | {raw-public-key-auth}? 3538 | | | | +--rw (local-or-truststore) 3539 | | | | +--:(local) 3540 | | | | | {local-definitions-su\ 3541 \pported}? 3542 | | | | | +--rw local-definition 3543 | | | | | +--rw public-key* [name] 3544 | | | | | +--rw name 3545 | | | | | | string 3546 | | | | | +--rw public-key-form\ 3547 \at 3548 | | | | | | identityref 3549 | | | | | +--rw public-key 3550 | | | | | binary 3551 | | | | +--:(truststore) 3552 | | | | {truststore-supported\ 3553 \,public-keys}? 3554 | | | | +--rw truststore-reference? 3555 | | | | ts:public-key-bag-r\ 3556 \ef 3557 | | | +--rw psks! {psk-auth}? 3558 | | +--rw hello-params 3559 | | | {tls-client-hello-params-config\ 3560 \}? 3561 | | | +--rw tls-versions 3562 | | | | +--rw tls-version* identityref 3563 | | | +--rw cipher-suites 3564 | | | +--rw cipher-suite* identityref 3565 | | +--rw keepalives 3566 | | {tls-client-keepalives}? 3567 | | +--rw peer-allowed-to-send? empty 3568 | | +--rw test-peer-aliveness! 3569 | | +--rw max-wait? uint16 3570 | | +--rw max-attempts? uint8 3571 | +--rw http-client-parameters 3572 | +--rw client-identity! 3573 | +--rw (auth-type)? 3574 | +--:(basic) 3575 | +--rw basic {basic-auth}? 3576 | +--rw user-id string 3577 | +--rw password string 3578 +--rw restconf-client-parameters 3580 A.2. Expanded Tree Diagram for 'ietf-restconf-server' 3582 The following tree diagram [RFC8340] provides an overview of the data 3583 model for the "ietf-restconf-server" module. 3585 This tree diagram shows all the nodes defined in this module, 3586 including those defined by "grouping" statements used by this module. 3588 Please see Section 3.1 for a tree diagram that illustrates what the 3589 module looks like without all the "grouping" statements expanded. 3591 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ========== 3593 module: ietf-restconf-server 3594 +--rw restconf-server 3595 +--rw listen! 
            {http-listen or https-listen}?
     |  +--rw endpoint* [name]
     |     +--rw name           string
     |     +--rw (transport)
     |        +--:(http) {http-listen}?
     |        |  +--rw http
     |        |     +--rw external-endpoint!
     |        |     |  +--rw address    inet:ip-address
     |        |     |  +--rw port?      inet:port-number
     |        |     +--rw tcp-server-parameters
     |        |     |  +--rw local-address     inet:ip-address
     |        |     |  +--rw local-port?       inet:port-number
     |        |     |  +--rw keepalives! {keepalives-supported}?
     |        |     |     +--rw idle-time         uint16
     |        |     |     +--rw max-probes        uint16
     |        |     |     +--rw probe-interval    uint16
     |        |     +--rw http-server-parameters
     |        |     |  +--rw server-name?    string
     |        |     |  +--rw client-authentication! {client-auth-config-supported}?
     |        |     |     +--rw users
     |        |     |        +--rw user* [user-id]
     |        |     |           +--rw user-id        string
     |        |     |           +--rw (auth-type)?
     |        |     |              +--:(basic)
     |        |     |                 +--rw basic {basic-auth}?
     |        |     |                    +--rw user-id?    string
     |        |     |                    +--rw password?   ianach:crypt-hash
     |        |     +--rw restconf-server-parameters
     |        |        +--rw client-identity-mappings
     |        |           +--rw cert-to-name* [id]
     |        |              +--rw id             uint32
     |        |              +--rw fingerprint?   x509c2n:tls-fingerprint
     |        |              +--rw map-type       identityref
     |        |              +--rw name           string
     |        +--:(https) {https-listen}?
     |           +--rw https
     |              +--rw tcp-server-parameters
     |              |  +--rw local-address     inet:ip-address
     |              |  +--rw local-port?       inet:port-number
     |              |  +--rw keepalives! {keepalives-supported}?
     |              |     +--rw idle-time         uint16
     |              |     +--rw max-probes        uint16
     |              |     +--rw probe-interval    uint16
     |              +--rw tls-server-parameters
     |              |  +--rw server-identity
     |              |  |  +--rw (auth-type)
     |              |  |     +--:(certificate) {x509-certificate-auth}?
     |              |  |     |  +--rw certificate
     |              |  |     |     +--rw (local-or-keystore)
     |              |  |     |        +--:(local) {local-definitions-supported}?
     |              |  |     |        |  +--rw local-definition
     |              |  |     |        |     +--rw public-key-format        identityref
     |              |  |     |        |     +--rw public-key               binary
     |              |  |     |        |     +--rw private-key-format?      identityref
     |              |  |     |        |     +--rw (private-key-type)
     |              |  |     |        |     |  +--:(private-key)
     |              |  |     |        |     |  |  +--rw private-key?          binary
     |              |  |     |        |     |  +--:(hidden-private-key)
     |              |  |     |        |     |  |  +--rw hidden-private-key?   empty
     |              |  |     |        |     |  +--:(encrypted-private-key)
     |              |  |     |        |     |     +--rw encrypted-private-key
     |              |  |     |        |     |        +--rw (key-type)
     |              |  |     |        |     |        |  +--:(symmetric-key-ref)
     |              |  |     |        |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |              |  |     |        |     |        |  +--:(asymmetric-key-ref)
     |              |  |     |        |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |              |  |     |        |     |        +--rw value?                   binary
     |              |  |     |        |     +--rw cert?                    end-entity-cert-cms
     |              |  |     |        |     +---n certificate-expiration
     |              |  |     |        |     |  +-- expiration-date    yang:date-and-time
     |              |  |     |        |     +---x generate-certificate-signing-request {certificate-signing-request-generation}?
     |              |  |     |        |        +---w input
     |              |  |     |        |        |  +---w subject       binary
     |              |  |     |        |        |  +---w attributes?   binary
     |              |  |     |        |        +--ro output
     |              |  |     |        |           +--ro certificate-signing-request    ct:csr
     |              |  |     |        +--:(keystore) {keystore-supported}?
     |              |  |     |           +--rw keystore-reference
     |              |  |     |              +--rw asymmetric-key?   ks:asymmetric-key-ref
     |              |  |     |              +--rw certificate?      leafref
     |              |  |     +--:(raw-private-key) {raw-public-key-auth}?
     |              |  |     |  +--rw raw-private-key
     |              |  |     |     +--rw (local-or-keystore)
     |              |  |     |        +--:(local) {local-definitions-supported}?
     |              |  |     |        |  +--rw local-definition
     |              |  |     |        |     +--rw public-key-format        identityref
     |              |  |     |        |     +--rw public-key               binary
     |              |  |     |        |     +--rw private-key-format?      identityref
     |              |  |     |        |     +--rw (private-key-type)
     |              |  |     |        |        +--:(private-key)
     |              |  |     |        |        |  +--rw private-key?          binary
     |              |  |     |        |        +--:(hidden-private-key)
     |              |  |     |        |        |  +--rw hidden-private-key?   empty
     |              |  |     |        |        +--:(encrypted-private-key)
     |              |  |     |        |           +--rw encrypted-private-key
     |              |  |     |        |              +--rw (key-type)
     |              |  |     |        |              |  +--:(symmetric-key-ref)
     |              |  |     |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |              |  |     |        |              |  +--:(asymmetric-key-ref)
     |              |  |     |        |              |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |              |  |     |        |              +--rw value?                   binary
     |              |  |     |        +--:(keystore) {keystore-supported}?
     |              |  |     |           +--rw keystore-reference?   ks:asymmetric-key-ref
     |              |  |     +--:(psk) {psk-auth}?
     |              |  |        +--rw psk
     |              |  |           +--rw (local-or-keystore)
     |              |  |              +--:(local) {local-definitions-supported}?
     |              |  |              |  +--rw local-definition
     |              |  |              |     +--rw key-format?    identityref
     |              |  |              |     +--rw (key-type)
     |              |  |              |     |  +--:(key)
     |              |  |              |     |  |  +--rw key?          binary
     |              |  |              |     |  +--:(hidden-key)
     |              |  |              |     |  |  +--rw hidden-key?   empty
     |              |  |              |     |  +--:(encrypted-key)
     |              |  |              |     |     +--rw encrypted-key
     |              |  |              |     |        +--rw (key-type)
     |              |  |              |     |        |  +--:(symmetric-key-ref)
     |              |  |              |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
     |              |  |              |     |        |  +--:(asymmetric-key-ref)
     |              |  |              |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
     |              |  |              |     |        +--rw value?                   binary
     |              |  |              |     +--rw id?            string {ks:local-definitions-supported}?
     |              |  |              +--:(keystore) {keystore-supported}?
     |              |  |                 +--rw keystore-reference?   ks:symmetric-key-ref
     |              |  +--rw client-authentication! {client-auth-config-supported}?
     |              |  |  +--rw ca-certs! {x509-certificate-auth}?
     |              |  |  |  +--rw (local-or-truststore)
     |              |  |  |     +--:(local) {local-definitions-supported}?
     |              |  |  |     |  +--rw local-definition
     |              |  |  |     |     +--rw cert*    trust-anchor-cert-cms
     |              |  |  |     |     +---n certificate-expiration
     |              |  |  |     |        +-- expiration-date    yang:date-and-time
     |              |  |  |     +--:(truststore) {truststore-supported,certificates}?
     |              |  |  |        +--rw truststore-reference?    ts:certificate-bag-ref
     |              |  |  +--rw ee-certs! {x509-certificate-auth}?
     |              |  |  |  +--rw (local-or-truststore)
     |              |  |  |     +--:(local) {local-definitions-supported}?
     |              |  |  |     |  +--rw local-definition
     |              |  |  |     |     +--rw cert*    trust-anchor-cert-cms
     |              |  |  |     |     +---n certificate-expiration
     |              |  |  |     |        +-- expiration-date    yang:date-and-time
     |              |  |  |     +--:(truststore) {truststore-supported,certificates}?
     |              |  |  |        +--rw truststore-reference?    ts:certificate-bag-ref
     |              |  |  +--rw raw-public-keys! {raw-public-key-auth}?
     |              |  |  |  +--rw (local-or-truststore)
     |              |  |  |     +--:(local) {local-definitions-supported}?
     |              |  |  |     |  +--rw local-definition
     |              |  |  |     |     +--rw public-key* [name]
     |              |  |  |     |        +--rw name                 string
     |              |  |  |     |        +--rw public-key-format    identityref
     |              |  |  |     |        +--rw public-key           binary
     |              |  |  |     +--:(truststore) {truststore-supported,public-keys}?
     |              |  |  |        +--rw truststore-reference?    ts:public-key-bag-ref
     |              |  |  +--rw psks! {psk-auth}?
     |              |  +--rw hello-params {tls-server-hello-params-config}?
     |              |  |  +--rw tls-versions
     |              |  |  |  +--rw tls-version*    identityref
     |              |  |  +--rw cipher-suites
     |              |  |     +--rw cipher-suite*   identityref
     |              |  +--rw keepalives {tls-server-keepalives}?
     |              |     +--rw peer-allowed-to-send?   empty
     |              |     +--rw test-peer-aliveness!
     |              |        +--rw max-wait?       uint16
     |              |        +--rw max-attempts?   uint8
     |              +--rw http-server-parameters
     |              |  +--rw server-name?    string
     |              |  +--rw client-authentication! {client-auth-config-supported}?
     |              |     +--rw users
     |              |        +--rw user* [user-id]
     |              |           +--rw user-id        string
     |              |           +--rw (auth-type)?
     |              |              +--:(basic)
     |              |                 +--rw basic {basic-auth}?
     |              |                    +--rw user-id?    string
     |              |                    +--rw password?   ianach:crypt-hash
     |              +--rw restconf-server-parameters
     |                 +--rw client-identity-mappings
     |                    +--rw cert-to-name* [id]
     |                       +--rw id             uint32
     |                       +--rw fingerprint?   x509c2n:tls-fingerprint
     |                       +--rw map-type       identityref
     |                       +--rw name           string
     +--rw call-home! {https-call-home}?
        +--rw restconf-client* [name]
           +--rw name         string
           +--rw endpoints
           |  +--rw endpoint* [name]
           |     +--rw name    string
           |     +--rw (transport)
           |        +--:(https) {https-listen}?
           |           +--rw https
           |              +--rw tcp-client-parameters
           |              |  +--rw remote-address    inet:host
           |              |  +--rw remote-port?      inet:port-number
           |              |  +--rw local-address?    inet:ip-address {local-binding-supported}?
           |              |  +--rw local-port?       inet:port-number {local-binding-supported}?
           |              |  +--rw keepalives! {keepalives-supported}?
           |              |     +--rw idle-time         uint16
           |              |     +--rw max-probes        uint16
           |              |     +--rw probe-interval    uint16
           |              +--rw tls-server-parameters
           |              |  +--rw server-identity
           |              |  |  +--rw (auth-type)
           |              |  |     +--:(certificate) {x509-certificate-auth}?
           |              |  |     |  +--rw certificate
           |              |  |     |     +--rw (local-or-keystore)
           |              |  |     |        +--:(local) {local-definitions-supported}?
           |              |  |     |        |  +--rw local-definition
           |              |  |     |        |     +--rw public-key-format        identityref
           |              |  |     |        |     +--rw public-key               binary
           |              |  |     |        |     +--rw private-key-format?      identityref
           |              |  |     |        |     +--rw (private-key-type)
           |              |  |     |        |     |  +--:(private-key)
           |              |  |     |        |     |  |  +--rw private-key?          binary
           |              |  |     |        |     |  +--:(hidden-private-key)
           |              |  |     |        |     |  |  +--rw hidden-private-key?   empty
           |              |  |     |        |     |  +--:(encrypted-private-key)
           |              |  |     |        |     |     +--rw encrypted-private-key
           |              |  |     |        |     |        +--rw (key-type)
           |              |  |     |        |     |        |  +--:(symmetric-key-ref)
           |              |  |     |        |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
           |              |  |     |        |     |        |  +--:(asymmetric-key-ref)
           |              |  |     |        |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
           |              |  |     |        |     |        +--rw value?                   binary
           |              |  |     |        |     +--rw cert?                    end-entity-cert-cms
           |              |  |     |        |     +---n certificate-expiration
           |              |  |     |        |     |  +-- expiration-date    yang:date-and-time
           |              |  |     |        |     +---x generate-certificate-signing-request {certificate-signing-request-generation}?
           |              |  |     |        |        +---w input
           |              |  |     |        |        |  +---w subject       binary
           |              |  |     |        |        |  +---w attributes?   binary
           |              |  |     |        |        +--ro output
           |              |  |     |        |           +--ro certificate-signing-request    ct:csr
           |              |  |     |        +--:(keystore) {keystore-supported}?
           |              |  |     |           +--rw keystore-reference
           |              |  |     |              +--rw asymmetric-key?   ks:asymmetric-key-ref
           |              |  |     |              +--rw certificate?      leafref
           |              |  |     +--:(raw-private-key) {raw-public-key-auth}?
           |              |  |     |  +--rw raw-private-key
           |              |  |     |     +--rw (local-or-keystore)
           |              |  |     |        +--:(local) {local-definitions-supported}?
           |              |  |     |        |  +--rw local-definition
           |              |  |     |        |     +--rw public-key-format        identityref
           |              |  |     |        |     +--rw public-key               binary
           |              |  |     |        |     +--rw private-key-format?      identityref
           |              |  |     |        |     +--rw (private-key-type)
           |              |  |     |        |        +--:(private-key)
           |              |  |     |        |        |  +--rw private-key?          binary
           |              |  |     |        |        +--:(hidden-private-key)
           |              |  |     |        |        |  +--rw hidden-private-key?   empty
           |              |  |     |        |        +--:(encrypted-private-key)
           |              |  |     |        |           +--rw encrypted-private-key
           |              |  |     |        |              +--rw (key-type)
           |              |  |     |        |              |  +--:(symmetric-key-ref)
           |              |  |     |        |              |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
           |              |  |     |        |              |  +--:(asymmetric-key-ref)
           |              |  |     |        |              |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
           |              |  |     |        |              +--rw value?                   binary
           |              |  |     |        +--:(keystore) {keystore-supported}?
           |              |  |     |           +--rw keystore-reference?   ks:asymmetric-key-ref
           |              |  |     +--:(psk) {psk-auth}?
           |              |  |        +--rw psk
           |              |  |           +--rw (local-or-keystore)
           |              |  |              +--:(local) {local-definitions-supported}?
           |              |  |              |  +--rw local-definition
           |              |  |              |     +--rw key-format?    identityref
           |              |  |              |     +--rw (key-type)
           |              |  |              |     |  +--:(key)
           |              |  |              |     |  |  +--rw key?          binary
           |              |  |              |     |  +--:(hidden-key)
           |              |  |              |     |  |  +--rw hidden-key?   empty
           |              |  |              |     |  +--:(encrypted-key)
           |              |  |              |     |     +--rw encrypted-key
           |              |  |              |     |        +--rw (key-type)
           |              |  |              |     |        |  +--:(symmetric-key-ref)
           |              |  |              |     |        |  |  +--rw symmetric-key-ref?    leafref {keystore-supported}?
           |              |  |              |     |        |  +--:(asymmetric-key-ref)
           |              |  |              |     |        |     +--rw asymmetric-key-ref?   leafref {keystore-supported}?
           |              |  |              |     |        +--rw value?                   binary
           |              |  |              |     +--rw id?            string {ks:local-definitions-supported}?
           |              |  |              +--:(keystore) {keystore-supported}?
           |              |  |                 +--rw keystore-reference?   ks:symmetric-key-ref
           |              |  +--rw client-authentication! {client-auth-config-supported}?
           |              |  |  +--rw ca-certs! {x509-certificate-auth}?
           |              |  |  |  +--rw (local-or-truststore)
           |              |  |  |     +--:(local) {local-definitions-supported}?
           |              |  |  |     |  +--rw local-definition
           |              |  |  |     |     +--rw cert*    trust-anchor-cert-cms
           |              |  |  |     |     +---n certificate-expiration
           |              |  |  |     |        +-- expiration-date    yang:date-and-time
           |              |  |  |     +--:(truststore) {truststore-supported,certificates}?
           |              |  |  |        +--rw truststore-reference?    ts:certificate-bag-ref
           |              |  |  +--rw ee-certs! {x509-certificate-auth}?
           |              |  |  |  +--rw (local-or-truststore)
           |              |  |  |     +--:(local) {local-definitions-supported}?
           |              |  |  |     |  +--rw local-definition
           |              |  |  |     |     +--rw cert*    trust-anchor-cert-cms
           |              |  |  |     |     +---n certificate-expiration
           |              |  |  |     |        +-- expiration-date    yang:date-and-time
           |              |  |  |     +--:(truststore) {truststore-supported,certificates}?
           |              |  |  |        +--rw truststore-reference?    ts:certificate-bag-ref
           |              |  |  +--rw raw-public-keys! {raw-public-key-auth}?
           |              |  |  |  +--rw (local-or-truststore)
           |              |  |  |     +--:(local) {local-definitions-supported}?
           |              |  |  |     |  +--rw local-definition
           |              |  |  |     |     +--rw public-key* [name]
           |              |  |  |     |        +--rw name                 string
           |              |  |  |     |        +--rw public-key-format    identityref
           |              |  |  |     |        +--rw public-key           binary
           |              |  |  |     +--:(truststore) {truststore-supported,public-keys}?
           |              |  |  |        +--rw truststore-reference?    ts:public-key-bag-ref
           |              |  |  +--rw psks! {psk-auth}?
           |              |  +--rw hello-params {tls-server-hello-params-config}?
           |              |  |  +--rw tls-versions
           |              |  |  |  +--rw tls-version*    identityref
           |              |  |  +--rw cipher-suites
           |              |  |     +--rw cipher-suite*   identityref
           |              |  +--rw keepalives {tls-server-keepalives}?
           |              |     +--rw peer-allowed-to-send?   empty
           |              |     +--rw test-peer-aliveness!
           |              |        +--rw max-wait?       uint16
           |              |        +--rw max-attempts?   uint8
           |              +--rw http-server-parameters
           |              |  +--rw server-name?    string
           |              |  +--rw client-authentication! {client-auth-config-supported}?
           |              |     +--rw users
           |              |        +--rw user* [user-id]
           |              |           +--rw user-id        string
           |              |           +--rw (auth-type)?
           |              |              +--:(basic)
           |              |                 +--rw basic {basic-auth}?
           |              |                    +--rw user-id?    string
           |              |                    +--rw password?   ianach:crypt-hash
           |              +--rw restconf-server-parameters
           |                 +--rw client-identity-mappings
           |                    +--rw cert-to-name* [id]
           |                       +--rw id             uint32
           |                       +--rw fingerprint?   x509c2n:tls-fingerprint
           |                       +--rw map-type       identityref
           |                       +--rw name           string
           +--rw connection-type
           |  +--rw (connection-type)
           |     +--:(persistent-connection)
           |     |  +--rw persistent!
           |     +--:(periodic-connection)
           |        +--rw periodic!
           |           +--rw period?         uint16
           |           +--rw anchor-time?    yang:date-and-time
           |           +--rw idle-timeout?   uint16
           +--rw reconnect-strategy
              +--rw start-with?     enumeration
              +--rw max-attempts?   uint8

Appendix B.  Change Log

B.1.  00 to 01

   o  Renamed "keychain" to "keystore".

B.2.  01 to 02

   o  Filled in previously missing 'ietf-restconf-client' module.

   o  Updated the ietf-restconf-server module to accommodate new
      grouping 'ietf-tls-server-grouping'.

B.3.  02 to 03

   o  Refined use of tls-client-grouping to add a must statement
      indicating that the TLS client must specify a client-certificate.

   o  Changed restconf-client??? to be a grouping (not a container).

B.4.  03 to 04

   o  Added RFC 8174 to Requirements Language Section.

   o  Replaced refine statement in ietf-restconf-client to add a
      mandatory true.

   o  Added refine statement in ietf-restconf-server to add a must
      statement.

   o  Now there are containers and groupings, for both the client and
      server models.

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.5.  04 to 05

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams.

   o  Updated examples to inline key and certificates (no longer a
      leafref to keystore).

B.6.  05 to 06

   o  Fixed change log missing section issue.
   o  Updated examples to match latest updates to the crypto-types,
      trust-anchors, and keystore drafts.

   o  Reduced line length of the YANG modules to fit within 69 columns.

B.7.  06 to 07

   o  Removed "idle-timeout" from "persistent" connection config.

   o  Added "random-selection" for reconnection-strategy's "starts-with"
      enum.

   o  Replaced "connection-type" choice default (persistent) with
      "mandatory true".

   o  Reduced the periodic-connection's "idle-timeout" from 5 to 2
      minutes.

   o  Replaced reconnect-timeout with period/anchor-time combo.

B.8.  07 to 08

   o  Modified examples to be compatible with new crypto-types algs.

B.9.  08 to 09

   o  Corrected use of "mandatory true" for "address" leafs.

   o  Updated examples to reflect update to groupings defined in the
      keystore draft.

   o  Updated to use groupings defined in new TCP and HTTP drafts.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

B.10.  09 to 10

   o  Reformatted YANG modules.

B.11.  10 to 11

   o  Adjusted for the top-level "demux container" added to groupings
      imported from other modules.

   o  Added "must" expressions to ensure that keepalives are not
      configured for "periodic" connections.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Moved "expanded" tree diagrams to the Appendix.

B.12.  11 to 12

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connection" description statements to
      better describe behavior when connections are not closed
      gracefully.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.

B.13.  12 to 13

   o  Updated to reflect changes in trust-anchors drafts (e.g.,
      s/trust-anchors/truststore/g + s/pinned.//).

   o  In ietf-restconf-server, added 'http-listen' (not https-listen)
      choice, to support case when server is behind a TLS-terminator.

   o  Refactored server module to be more like other 'server' models.
      If folks like it, will also apply to the client model, as well as
      to both the netconf client/server models.  Now the 'restconf-
      server-grouping' is just the RC-specific bits (i.e., the "demux"
      container minus the container), 'restconf-server-
      [listen|callhome]-stack-grouping' is the protocol stack for a
      single connection, and 'restconf-server-app-grouping' is
      effectively what was before (both listen+callhome for many
      inbound/outbound endpoints).

B.14.  13 to 14

   o  Updated examples to reflect ietf-crypto-types change (e.g.,
      identities --> enumerations).

   o  Adjusting from change in TLS client model (removing the top-level
      'certificate' container).

   o  Added "external-endpoint" to the "http-listen" choice in ietf-
      restconf-server.

B.15.  14 to 15

   o  Added missing "or https-listen" clause in a "must" expression.

   o  Refactored the client module similar to how the server module was
      refactored in -13.  Now the 'restconf-client-grouping' is just the
      RC-specific bits, the 'restconf-client-[initiate|listen]-stack-
      grouping' is the protocol stack for a single connection, and
      'restconf-client-app-grouping' is effectively what was before
      (both listen+callhome for many inbound/outbound endpoints).

B.16.  15 to 16

   o  Added refinement to make "cert-to-name/fingerprint" be mandatory
      false.

   o  Commented out refinement to "tls-server-grouping/client-
      authentication" until a better "must" expression is defined.

   o  Updated restconf-client example to reflect that http-client-
      grouping no longer has a "protocol-version" leaf.

B.17.  16 to 17

   o  Updated examples to include the "*-key-format" nodes.

   o  Updated examples to remove the "required" nodes.

B.18.  17 to 18

   o  Updated examples to reflect new "bag" addition to truststore.

B.19.  18 to 19

   o  Updated examples to remove the 'algorithm' nodes.

   o  Updated examples to reflect the new TLS keepalives structure.

   o  Removed the 'protocol-versions' node from the restconf-server
      examples.

   o  Added a "Note to Reviewers" note to first page.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Mehmet Ersue, Ramkumar Dhanapal, Balazs
   Kovacs, Radek Krejci, David Lamparter, Ladislav Lhotka, Alan Luchuk,
   Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, Bert
   Wijnen.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net