idnits 2.17.1
draft-ietf-netconf-restconf-client-server-19.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [4], [5], [6], [7],
[8], [9], [1]), which it shouldn't. Please replace those with straight
textual mentions of the documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 1017 has weird spacing: '...address ine...'
== Line 2057 has weird spacing: '...address ine...'
== Line 2067 has weird spacing: '...nterval uin...'
== Line 2354 has weird spacing: '...assword str...'
== Line 2357 has weird spacing: '...address ine...'
== (20 more instances...)
-- The document date (May 20, 2020) is 1409 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
-- Looks like a reference, but probably isn't: '1' on line 2010
-- Looks like a reference, but probably isn't: '2' on line 2012
-- Looks like a reference, but probably isn't: '3' on line 2014
-- Looks like a reference, but probably isn't: '4' on line 2016
-- Looks like a reference, but probably isn't: '5' on line 2018
-- Looks like a reference, but probably isn't: '6' on line 2020
-- Looks like a reference, but probably isn't: '7' on line 2022
-- Looks like a reference, but probably isn't: '8' on line 2024
-- Looks like a reference, but probably isn't: '9' on line 2027
== Outdated reference: A later version (-35) exists of
draft-ietf-netconf-keystore-16
== Outdated reference: A later version (-41) exists of
draft-ietf-netconf-tls-client-server-18
== Outdated reference: A later version (-28) exists of
draft-ietf-netconf-trust-anchors-09
Summary: 1 error (**), 0 flaws (~~), 10 warnings (==), 10 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 NETCONF Working Group K. Watsen
3 Internet-Draft Watsen Networks
4 Intended status: Standards Track May 20, 2020
5 Expires: November 21, 2020
7 RESTCONF Client and Server Models
8 draft-ietf-netconf-restconf-client-server-19
10 Abstract
12 This document defines two YANG modules, one module to configure a
13 RESTCONF client and the other module to configure a RESTCONF server.
14 Both modules support the TLS transport protocol with both standard
15 RESTCONF and RESTCONF Call Home connections.
17 Editorial Note (To be removed by RFC Editor)
19 This draft contains placeholder values that need to be replaced with
20 finalized values at the time of publication. This note summarizes
21 all of the substitutions that are needed. No other RFC Editor
22 instructions are specified elsewhere in this document.
24 Artwork in this document contains shorthand references to drafts in
25 progress. Please apply the following replacements (note: not all may
26 be present):
28 o "AAAA" --> the assigned RFC value for draft-ietf-netconf-crypto-
29 types
31 o "BBBB" --> the assigned RFC value for draft-ietf-netconf-trust-
32 anchors
34 o "CCCC" --> the assigned RFC value for draft-ietf-netconf-keystore
36 o "DDDD" --> the assigned RFC value for draft-ietf-netconf-tcp-
37 client-server
39 o "EEEE" --> the assigned RFC value for draft-ietf-netconf-ssh-
40 client-server
42 o "FFFF" --> the assigned RFC value for draft-ietf-netconf-tls-
43 client-server
45 o "GGGG" --> the assigned RFC value for draft-ietf-netconf-http-
46 client-server
48 o "HHHH" --> the assigned RFC value for draft-ietf-netconf-netconf-
49 client-server
51 o "IIII" --> the assigned RFC value for this draft
53 Artwork in this document contains placeholder values for the date of
54 publication of this draft. Please apply the following replacement:
56 o "2020-05-20" --> the publication date of this draft
58 The following Appendix section is to be removed prior to publication:
60 o Appendix B. Change Log
62 Note to Reviewers (To be removed by RFC Editor)
64 This document presents a YANG module or modules that is/are part of a
65 collection of drafts that work together to produce the ultimate goal
66 of the NETCONF WG: to define configuration modules for NETCONF client
67 and servers, and RESTCONF client and servers.
69 The relationship between the various drafts in the collection is
70 presented in the diagram below.
72 crypto-types
73 ^ ^
74 / \
75 / \
76 trust-anchors keystore
77 ^ ^ ^ ^
78 | +---------+ | |
79 | | | |
80 | +------------+ |
81 tcp-client-server | / | |
82 ^ ^ ssh-client-server | |
83 | | ^ tls-client-server
84 | | | ^ ^ http-client-server
85 | | | | | ^
86 | | | +-----+ +---------+ |
87 | | | | | |
88 | +-----------|--------|--------------+ | |
89 | | | | | |
90 +-----------+ | | | | |
91 | | | | | |
92 | | | | | |
93 netconf-client-server restconf-client-server
95 Full draft names and links to drafts:
97 o draft-ietf-netconf-crypto-types (html [1])
99 o draft-ietf-netconf-trust-anchors (html [2])
101 o draft-ietf-netconf-keystore (html [3])
103 o draft-ietf-netconf-tcp-client-server (html [4])
105 o draft-ietf-netconf-ssh-client-server (html [5])
107 o draft-ietf-netconf-tls-client-server (html [6])
109 o draft-ietf-netconf-http-client-server (html [7])
111 o draft-ietf-netconf-netconf-client-server (html [8])
113 o draft-ietf-netconf-restconf-client-server (html [9])
115 Status of This Memo
117 This Internet-Draft is submitted in full conformance with the
118 provisions of BCP 78 and BCP 79.
120 Internet-Drafts are working documents of the Internet Engineering
121 Task Force (IETF). Note that other groups may also distribute
122 working documents as Internet-Drafts. The list of current Internet-
123 Drafts is at https://datatracker.ietf.org/drafts/current/.
125 Internet-Drafts are draft documents valid for a maximum of six months
126 and may be updated, replaced, or obsoleted by other documents at any
127 time. It is inappropriate to use Internet-Drafts as reference
128 material or to cite them other than as "work in progress."
130 This Internet-Draft will expire on November 21, 2020.
132 Copyright Notice
134 Copyright (c) 2020 IETF Trust and the persons identified as the
135 document authors. All rights reserved.
137 This document is subject to BCP 78 and the IETF Trust's Legal
138 Provisions Relating to IETF Documents
139 (https://trustee.ietf.org/license-info) in effect on the date of
140 publication of this document. Please review these documents
141 carefully, as they describe your rights and restrictions with respect
142 to this document. Code Components extracted from this document must
143 include Simplified BSD License text as described in Section 4.e of
144 the Trust Legal Provisions and are provided without warranty as
145 described in the Simplified BSD License.
147 Table of Contents
149 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
150 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
151 2. The RESTCONF Client Model . . . . . . . . . . . . . . . . . . 5
152 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 5
153 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 7
154 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 10
155 3. The RESTCONF Server Model . . . . . . . . . . . . . . . . . . 21
156 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 21
157 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 23
158 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 27
159 4. Security Considerations . . . . . . . . . . . . . . . . . . . 39
160 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
161 5.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 40
162 5.2. The YANG Module Names Registry . . . . . . . . . . . . . 40
163 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 41
164 6.1. Normative References . . . . . . . . . . . . . . . . . . 41
165 6.2. Informative References . . . . . . . . . . . . . . . . . 42
166 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 42
167 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 44
168 A.1. Expanded Tree Diagram for 'ietf-restconf-client' . . . . 44
169 A.2. Expanded Tree Diagram for 'ietf-restconf-server' . . . . 76
170 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 89
171 B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 89
172 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 89
173 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 89
174 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 90
175 B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 90
176 B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 90
177 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 90
178 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 91
179 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 91
180 B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 91
181 B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 91
182 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 91
183 B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 92
184 B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 92
185 B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 92
186 B.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 93
187 B.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 93
188 B.18. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 93
189 B.19. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 93
190 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 93
191 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 93
193 1. Introduction
195 This document defines two YANG [RFC7950] modules, one module to
196 configure a RESTCONF client and the other module to configure a
197 RESTCONF server [RFC8040]. Both modules support the TLS [RFC8446]
198 transport protocol with both standard RESTCONF and RESTCONF Call Home
199 connections [RFC8071].
201 1.1. Terminology
203 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
204 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
205 "OPTIONAL" in this document are to be interpreted as described in BCP
206 14 [RFC2119] [RFC8174] when, and only when, they appear in all
207 capitals, as shown here.
209 2. The RESTCONF Client Model
211 The RESTCONF client model presented in this section supports both
212 clients initiating connections to servers, as well as clients
213 listening for connections from servers calling home.
215 YANG feature statements are used to enable implementations to
216 advertise which potentially uncommon parts of the model the RESTCONF
217 client supports.
219 2.1. Tree Diagram
221 The following tree diagram [RFC8340] provides an overview of the data
222 model for the "ietf-restconf-client" module.
224 This tree diagram only shows the nodes defined in this module; it
225 does not show the nodes defined by "grouping" statements used by this
226 module.
228 Please see Appendix A.1 for a tree diagram that illustrates what the
229 module looks like with all the "grouping" statements expanded.
231 module: ietf-restconf-client
232 +--rw restconf-client
233 +---u restconf-client-app-grouping
235 grouping restconf-client-grouping
236 grouping restconf-client-initiate-stack-grouping
237 +-- (transport)
238 +--:(https) {https-initiate}?
239 +-- https
240 +-- tcp-client-parameters
241 | +---u tcpc:tcp-client-grouping
242 +-- tls-client-parameters
243 | +---u tlsc:tls-client-grouping
244 +-- http-client-parameters
245 | +---u httpc:http-client-grouping
246 +-- restconf-client-parameters
247 grouping restconf-client-listen-stack-grouping
248 +-- (transport)
249 +--:(http) {http-listen}?
250 | +-- http
251 | +-- tcp-server-parameters
252 | | +---u tcps:tcp-server-grouping
253 | +-- http-client-parameters
254 | | +---u httpc:http-client-grouping
255 | +-- restconf-client-parameters
256 +--:(https) {https-listen}?
257 +-- https
258 +-- tcp-server-parameters
259 | +---u tcps:tcp-server-grouping
260 +-- tls-client-parameters
261 | +---u tlsc:tls-client-grouping
262 +-- http-client-parameters
263 | +---u httpc:http-client-grouping
264 +-- restconf-client-parameters
265 grouping restconf-client-app-grouping
266 +-- initiate! {https-initiate}?
267 | +-- restconf-server* [name]
268 | +-- name? string
269 | +-- endpoints
270 | | +-- endpoint* [name]
271 | | +-- name? string
272 | | +---u restconf-client-initiate-stack-grouping
273 | +-- connection-type
274 | | +-- (connection-type)
275 | | +--:(persistent-connection)
276 | | | +-- persistent!
277 | | +--:(periodic-connection)
278 | | +-- periodic!
279 | | +-- period? uint16
280 | | +-- anchor-time? yang:date-and-time
281 | | +-- idle-timeout? uint16
282 | +-- reconnect-strategy
283 | +-- start-with? enumeration
284 | +-- max-attempts? uint8
285 +-- listen! {http-listen or https-listen}?
286 +-- idle-timeout? uint16
287 +-- endpoint* [name]
288 +-- name? string
289 +---u restconf-client-listen-stack-grouping
291 2.2. Example Usage
293 The following example illustrates configuring a RESTCONF client to
294 initiate connections, as well as listening for call-home connections.
296 This example is consistent with the examples presented in Section 2
297 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
298 [I-D.ietf-netconf-keystore].
300 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
302
<CODE BEGINS> file "ietf-restconf-client@2020-05-20.yang"
480 module ietf-restconf-client {
481 yang-version 1.1;
482 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-client";
483 prefix rcc;
485 import ietf-yang-types {
486 prefix yang;
487 reference
488 "RFC 6991: Common YANG Data Types";
489 }
491 import ietf-tcp-client {
492 prefix tcpc;
493 reference
494 "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
495 }
497 import ietf-tcp-server {
498 prefix tcps;
499 reference
500 "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
501 }
503 import ietf-tls-client {
504 prefix tlsc;
505 reference
506 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
507 }
509 import ietf-http-client {
510 prefix httpc;
511 reference
512 "RFC GGGG: YANG Groupings for HTTP Clients and HTTP Servers";
513 }
515 organization
516 "IETF NETCONF (Network Configuration) Working Group";
518 contact
519 "WG Web:
520 WG List:
521 Author: Kent Watsen
522 Author: Gary Wu ";
524 description
525 "This module contains a collection of YANG definitions
526 for configuring RESTCONF clients.
528 Copyright (c) 2020 IETF Trust and the persons identified
529 as authors of the code. All rights reserved.
531 Redistribution and use in source and binary forms, with
532 or without modification, is permitted pursuant to, and
533 subject to the license terms contained in, the Simplified
534 BSD License set forth in Section 4.c of the IETF Trust's
535 Legal Provisions Relating to IETF Documents
536 (https://trustee.ietf.org/license-info).
538 This version of this YANG module is part of RFC IIII
539 (https://www.rfc-editor.org/info/rfcIIII); see the RFC
540 itself for full legal notices.
542 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
543 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
544 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
545 are to be interpreted as described in BCP 14 (RFC 2119)
546 (RFC 8174) when, and only when, they appear in all
547 capitals, as shown here.";
549 revision 2020-05-20 {
550 description
551 "Initial version";
552 reference
553 "RFC IIII: RESTCONF Client and Server Models";
554 }
556 // Features
558 feature https-initiate {
559 description
560 "The 'https-initiate' feature indicates that the RESTCONF
561 client supports initiating HTTPS connections to RESTCONF
562 servers. This feature exists as HTTPS might not be a
563 mandatory to implement transport in the future.";
564 reference
565 "RFC 8040: RESTCONF Protocol";
566 }
568 feature http-listen {
569 description
570 "The 'http-listen' feature indicates that the RESTCONF client
571 supports opening a port to listen for incoming RESTCONF
572 server call-home connections. This feature exists as not
573 all RESTCONF clients may support RESTCONF call home.";
574 reference
575 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
577 }
579 feature https-listen {
580 description
581 "The 'https-listen' feature indicates that the RESTCONF client
582 supports opening a port to listen for incoming RESTCONF
583 server call-home connections. This feature exists as not
584 all RESTCONF clients may support RESTCONF call home.";
585 reference
586 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
587 }
589 // Groupings
591 grouping restconf-client-grouping {
592 description
593 "A reusable grouping for configuring a RESTCONF client
594 without any consideration for how underlying transport
595 sessions are established.
597 This grouping currently doesn't define any nodes.";
598 }
600 grouping restconf-client-initiate-stack-grouping {
601 description
602 "A reusable grouping for configuring a RESTCONF client
603 'initiate' protocol stack for a single connection.";
605 choice transport {
606 mandatory true;
607 description
608 "Selects between available transports. This is a
609 'choice' statement so as to support additional
610 transport options to be augmented in.";
611 case https {
612 if-feature "https-initiate";
613 container https {
614 description
615 "Specifies HTTPS-specific transport
616 configuration.";
617 container tcp-client-parameters {
618 description
619 "A wrapper around the TCP client parameters
620 to avoid name collisions.";
621 uses tcpc:tcp-client-grouping {
622 refine "remote-port" {
623 default "443";
624 description
625 "The RESTCONF client will attempt to
626 connect to the IANA-assigned well-known
627 port value for 'https' (443) if no value
628 is specified.";
629 }
630 }
631 }
632 container tls-client-parameters {
633 must 'client-identity' {
634 description
635 "RESTCONF/TLS clients MUST pass some
636 authentication credentials.";
637 }
638 description
639 "A wrapper around the TLS client parameters
640 to avoid name collisions.";
641 uses tlsc:tls-client-grouping;
642 }
643 container http-client-parameters {
644 description
645 "A wrapper around the HTTP client parameters
646 to avoid name collisions.";
647 uses httpc:http-client-grouping;
648 }
649 container restconf-client-parameters {
650 description
651 "A wrapper around the RESTCONF client parameters
652 to avoid name collisions.";
653 uses rcc:restconf-client-grouping;
654 }
655 }
656 }
657 }
658 } // restconf-client-initiate-stack-grouping
660 grouping restconf-client-listen-stack-grouping {
661 description
662 "A reusable grouping for configuring a RESTCONF client
663 'listen' protocol stack for a single connection. The
664 'listen' stack supports call home connections, as
665 described in RFC 8071.";
666 reference
667 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
668 choice transport {
669 mandatory true;
670 description
671 "Selects between available transports. This is a
672 'choice' statement so as to support additional
673 transport options to be augmented in.";
674 case http {
675 if-feature "http-listen";
676 container http {
677 description
678 "HTTP-specific listening configuration for inbound
679 connections.
681 This transport option is made available to support
682 deployments where the TLS connections are terminated
683 by another system (e.g., a load balancer) fronting
684 the client.";
685 container tcp-server-parameters {
686 description
687 "A wrapper around the TCP server parameters
688 to avoid name collisions.";
689 uses tcps:tcp-server-grouping {
690 refine "local-port" {
691 default "4336";
692 description
693 "The RESTCONF client will listen on the IANA-
694 assigned well-known port for 'restconf-ch-tls'
695 (4336) if no value is specified.";
696 }
697 }
698 }
699 container http-client-parameters {
700 description
701 "A wrapper around the HTTP client parameters
702 to avoid name collisions.";
703 uses httpc:http-client-grouping;
704 }
705 container restconf-client-parameters {
706 description
707 "A wrapper around the RESTCONF client parameters
708 to avoid name collisions.";
709 uses rcc:restconf-client-grouping;
710 }
711 }
712 }
713 case https {
714 if-feature "https-listen";
715 container https {
716 description
717 "HTTPS-specific listening configuration for inbound
718 connections.";
719 container tcp-server-parameters {
720 description
721 "A wrapper around the TCP server parameters
722 to avoid name collisions.";
723 uses tcps:tcp-server-grouping {
724 refine "local-port" {
725 default "4336";
726 description
727 "The RESTCONF client will listen on the IANA-
728 assigned well-known port for 'restconf-ch-tls'
729 (4336) if no value is specified.";
730 }
731 }
732 }
733 container tls-client-parameters {
734 must 'client-identity' {
735 description
736 "RESTCONF/TLS clients MUST pass some
737 authentication credentials.";
738 }
739 description
740 "A wrapper around the TLS client parameters
741 to avoid name collisions.";
742 uses tlsc:tls-client-grouping;
743 }
744 container http-client-parameters {
745 description
746 "A wrapper around the HTTP client parameters
747 to avoid name collisions.";
748 uses httpc:http-client-grouping;
749 }
750 container restconf-client-parameters {
751 description
752 "A wrapper around the RESTCONF client parameters
753 to avoid name collisions.";
754 uses rcc:restconf-client-grouping;
755 }
756 }
757 }
758 }
759 } // restconf-client-listen-stack-grouping
761 grouping restconf-client-app-grouping {
762 description
763 "A reusable grouping for configuring a RESTCONF client
764 application that supports both 'initiate' and 'listen'
765 protocol stacks for a multiplicity of connections.";
766 container initiate {
767 if-feature "https-initiate";
768 presence "Enables client to initiate TCP connections";
769 description
770 "Configures client initiating underlying TCP connections.";
771 list restconf-server {
772 key "name";
773 min-elements 1;
774 description
775 "List of RESTCONF servers the RESTCONF client is to
776 maintain simultaneous connections with.";
777 leaf name {
778 type string;
779 description
780 "An arbitrary name for the RESTCONF server.";
781 }
782 container endpoints {
783 description
784 "Container for the list of endpoints.";
785 list endpoint {
786 key "name";
787 min-elements 1;
788 ordered-by user;
789 description
790 "A non-empty user-ordered list of endpoints for this
791 RESTCONF client to try to connect to in sequence.
792 Defining more than one enables high-availability.";
793 leaf name {
794 type string;
795 description
796 "An arbitrary name for this endpoint.";
797 }
798 uses restconf-client-initiate-stack-grouping;
799 }
800 }
801 container connection-type {
802 description
803 "Indicates the RESTCONF client's preference for how
804 the RESTCONF connection is maintained.";
805 choice connection-type {
806 mandatory true;
807 description
808 "Selects between available connection types.";
809 case persistent-connection {
810 container persistent {
811 presence "Indicates that a persistent connection
812 is to be maintained.";
813 description
814 "Maintain a persistent connection to the
815 RESTCONF server. If the connection goes down,
816 immediately start trying to reconnect to the
817 RESTCONF server, using the reconnection strategy.
819 This connection type minimizes any RESTCONF server
820 to RESTCONF client data-transfer delay, albeit
821 at the expense of holding resources longer.";
822 }
823 }
824 case periodic-connection {
825 container periodic {
826 presence "Indicates that a periodic connection is
827 to be maintained.";
828 description
829 "Periodically connect to the RESTCONF server.
831 This connection type decreases resource
832 utilization, albeit with increased delay
833 in RESTCONF server to RESTCONF client
834 interactions.
836 The RESTCONF client SHOULD gracefully close
837 the underlying TLS connection upon completing
838 planned activities.
840 In the case that the previous connection is
841 still active, establishing a new connection
842 is NOT RECOMMENDED.";
843 leaf period {
844 type uint16;
845 units "minutes";
846 default "60";
847 description
848 "Duration of time between periodic
849 connections.";
850 }
851 leaf anchor-time {
852 type yang:date-and-time {
853 // constrained to minute-level granularity
854 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
855 + '(Z|[\+\-]\d{2}:\d{2})';
856 }
857 description
858 "Designates a timestamp before or after which
859 a series of periodic connections are
860 determined. The periodic connections occur
861 at a whole multiple interval from the anchor
862 time. For example, if the anchor time is 15
863 minutes past midnight and the period is
864 24 hours, then a periodic connection will
865 occur 15 minutes past midnight every day.";
866 }
867 leaf idle-timeout {
868 type uint16;
869 units "seconds";
870 default 120; // two minutes
871 description
872 "Specifies the maximum number of seconds
873 that the underlying TCP session may remain
874 idle. A TCP session will be dropped if it
875 is idle for an interval longer than this
876 number of seconds. If set to zero, then the
877 RESTCONF client will never drop a session
878 because it is idle.";
879 }
880 }
881 } // periodic-connection
882 } // connection-type
883 } // connection-type
884 container reconnect-strategy {
885 description
886 "The reconnection strategy directs how a RESTCONF
887 client reconnects to a RESTCONF server, after
888 discovering its connection to the server has
889 dropped, even if due to a reboot. The RESTCONF
890 client starts with the specified endpoint and
891 tries to connect to it max-attempts times before
892 trying the next endpoint in the list (round
893 robin).";
894 leaf start-with {
895 type enumeration {
896 enum first-listed {
897 description
898 "Indicates that reconnections should start
899 with the first endpoint listed.";
900 }
901 enum last-connected {
902 description
903 "Indicates that reconnections should start
904 with the endpoint last connected to. If
905 no previous connection has ever been
906 established, then the first endpoint
907 configured is used. RESTCONF clients
908 SHOULD be able to remember the last
909 endpoint connected to across reboots.";
910 }
911 enum random-selection {
912 description
913 "Indicates that reconnections should start with
914 a random endpoint.";
915 }
916 }
917 default "first-listed";
918 description
919 "Specifies which of the RESTCONF server's
920 endpoints the RESTCONF client should start
921 with when trying to connect to the RESTCONF
922 server.";
923 }
924 leaf max-attempts {
925 type uint8 {
926 range "1..max";
927 }
928 default "3";
929 description
930 "Specifies the number times the RESTCONF client
931 tries to connect to a specific endpoint before
932 moving on to the next endpoint in the list
933 (round robin).";
934 }
935 }
936 }
937 } // initiate
938 container listen {
939 if-feature "http-listen or https-listen";
940 presence "Enables client to accept call-home connections";
941 description
942 "Configures the client to accept call-home TCP connections.";
943 leaf idle-timeout {
944 type uint16;
945 units "seconds";
946 default 3600; // one hour
947 description
948 "Specifies the maximum number of seconds that an
949 underlying TCP session may remain idle. A TCP session
950 will be dropped if it is idle for an interval longer
951 than this number of seconds. If set to zero, then
952 the client will never drop a session because it is
953 idle. Sessions that have a notification subscription
954 active are never dropped.";
955 }
956 list endpoint {
957 key "name";
958 min-elements 1;
959 description
960 "List of endpoints to listen for RESTCONF connections.";
962 leaf name {
963 type string;
964 description
965 "An arbitrary name for the RESTCONF listen endpoint.";
966 }
967 uses restconf-client-listen-stack-grouping;
968 }
969 }
970 } // restconf-client-app-grouping
972 // Protocol accessible node, for servers that implement
973 // this module.
974 container restconf-client {
975 uses restconf-client-app-grouping;
976 description
977 "Top-level container for RESTCONF client configuration.";
978 }
979 }
<CODE ENDS>
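As an added example (not code from the draft or the NETCONF WG), the following Python consumes a constructed 'restconf-server' entry of the client model above and implements what its description statements prescribe: the constraint checks the module states (mandatory transport choice, the 'client-identity' must, min-elements, the anchor-time pattern, the 1..max range), the endpoint try-order under 'reconnect-strategy', and the next connect time under a 'periodic' connection-type. The same connection-type and reconnect-strategy nodes appear in the server model's call-home configuration (Section 3.1), so the scheduling functions apply there unchanged. The function names, the sample endpoint values and the "elided" stand-in for the tls-client 'client-identity' subtree are assumptions of this example.

```python
"""Added example, not code from the draft: derive a RESTCONF client's
behaviour from an ietf-restconf-client 'restconf-server' entry, following
the module's description statements for 'reconnect-strategy' and the
'periodic' connection type, after checking the constraints it states."""
import math
import random
import re
from datetime import datetime, timedelta, timezone

# Pattern copied from the 'anchor-time' leaf: minute-level granularity.
ANCHOR_TIME_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(Z|[\+\-]\d{2}:\d{2})$")


def example_server():
    """Constructed 'restconf-server' list entry (JSON names per RFC 7951).
    Parameters from the imported tcp/tls/http groupings are elided except
    'client-identity', which this module's 'must' statement requires."""
    return {
        "name": "config-manager",
        "endpoints": {"endpoint": [
            {"name": "east-data-center", "https": {
                "tcp-client-parameters": {"remote-address": "east.example.com"},
                "tls-client-parameters": {"client-identity": "elided"}}},
            {"name": "west-data-center", "https": {
                "tcp-client-parameters": {"remote-address": "west.example.com"},
                "tls-client-parameters": {"client-identity": "elided"}}},
        ]},
        "connection-type": {"periodic": {
            "period": 60,                        # minutes
            "anchor-time": "2020-05-20T00:15Z",
            "idle-timeout": 120}},               # seconds
        "reconnect-strategy": {"start-with": "last-connected",
                               "max-attempts": 2},
    }


def validate_server(server):
    """Check the constraints ietf-restconf-client itself places on a
    'restconf-server' entry; returns the violations found (empty = ok)."""
    problems = []
    endpoints = server.get("endpoints", {}).get("endpoint", [])
    if not endpoints:                            # list endpoint: min-elements 1
        problems.append("endpoints: at least one endpoint is required")
    for ep in endpoints:
        https = ep.get("https")                  # choice transport: mandatory
        if https is None:
            problems.append("endpoint %r: transport choice is mandatory"
                            % ep.get("name"))
            continue
        # must 'client-identity' on tls-client-parameters
        if "client-identity" not in https.get("tls-client-parameters", {}):
            problems.append("endpoint %r: tls-client-parameters lacks "
                            "client-identity" % ep.get("name"))
    ctype = server.get("connection-type", {})
    if sum(c in ctype for c in ("persistent", "periodic")) != 1:
        problems.append("connection-type: exactly one case must be present")
    periodic = ctype.get("periodic", {})
    anchor = periodic.get("anchor-time")
    if anchor is not None and not ANCHOR_TIME_RE.match(anchor):
        problems.append("anchor-time: must match the minute-granularity pattern")
    if not 0 <= periodic.get("period", 60) <= 65535:   # uint16, units minutes
        problems.append("period: outside uint16")
    attempts = server.get("reconnect-strategy", {}).get("max-attempts", 3)
    if not 1 <= attempts <= 255:                 # uint8 { range "1..max"; }
        problems.append("max-attempts: outside range 1..max")
    return problems


def attempt_order(server, last_connected=None, rng=None):
    """Endpoint names in the order one reconnection cycle tries them:
    start per 'start-with', 'max-attempts' tries each, then round robin."""
    names = [ep["name"] for ep in server["endpoints"]["endpoint"]]
    strategy = server.get("reconnect-strategy", {})
    start_with = strategy.get("start-with", "first-listed")
    max_attempts = strategy.get("max-attempts", 3)
    if start_with == "last-connected" and last_connected in names:
        start = names.index(last_connected)
    elif start_with == "random-selection":
        start = (rng or random).randrange(len(names))
    else:            # first-listed, or no previous connection remembered
        start = 0
    rotated = names[start:] + names[:start]
    return [name for name in rotated for _ in range(max_attempts)]


def _parse_time(text):
    """Parse the anchor-time format; fromisoformat wants '+00:00', not 'Z'."""
    return datetime.fromisoformat(
        text[:-1] + "+00:00" if text.endswith("Z") else text)


def next_periodic_connection(periodic, now):
    """Next connect time (UTC, in anchor-time format) under a 'periodic'
    connection-type: the first whole multiple of 'period' from
    'anchor-time' that lies strictly after 'now'."""
    period = timedelta(minutes=periodic.get("period", 60))
    if period <= timedelta(0):
        raise ValueError("period must be positive")
    current = _parse_time(now)
    anchor = (_parse_time(periodic["anchor-time"])
              if "anchor-time" in periodic else current)
    k = math.floor((current - anchor) / period) + 1
    return (anchor + k * period).astimezone(timezone.utc).strftime(
        "%Y-%m-%dT%H:%MZ")
```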
983 3. The RESTCONF Server Model
985 The RESTCONF server model presented in this section supports both
986 listening for connections as well as initiating call-home
987 connections.
989 YANG feature statements are used to enable implementations to
990 advertise which potentially uncommon parts of the model the RESTCONF
991 server supports.
993 3.1. Tree Diagram
995 The following tree diagram [RFC8340] provides an overview of the data
996 model for the "ietf-restconf-server" module.
998 This tree diagram only shows the nodes defined in this module; it
999 does not show the nodes defined by "grouping" statements used by this
1000 module.
1002 Please see Appendix A.2 for a tree diagram that illustrates what the
1003 module looks like with all the "grouping" statements expanded.
1005 module: ietf-restconf-server
1006 +--rw restconf-server
1007         +---u restconf-server-app-grouping
1009    grouping restconf-server-grouping
1010      +-- client-identity-mappings
1011         +---u x509c2n:cert-to-name
1012    grouping restconf-server-listen-stack-grouping
1013      +-- (transport)
1014         +--:(http) {http-listen}?
1015         |  +-- http
1016         |     +-- external-endpoint!
1017         |     |  +-- address    inet:ip-address
1018         |     |  +-- port?      inet:port-number
1019         |     +-- tcp-server-parameters
1020         |     |  +---u tcps:tcp-server-grouping
1021         |     +-- http-server-parameters
1022         |     |  +---u https:http-server-grouping
1023         |     +-- restconf-server-parameters
1024         |        +---u rcs:restconf-server-grouping
1025         +--:(https) {https-listen}?
1026            +-- https
1027               +-- tcp-server-parameters
1028               |  +---u tcps:tcp-server-grouping
1029               +-- tls-server-parameters
1030               |  +---u tlss:tls-server-grouping
1031               +-- http-server-parameters
1032               |  +---u https:http-server-grouping
1033               +-- restconf-server-parameters
1034                  +---u rcs:restconf-server-grouping
1035    grouping restconf-server-callhome-stack-grouping
1036      +-- (transport)
1037         +--:(https) {https-call-home}?
1038            +-- https
1039               +-- tcp-client-parameters
1040               |  +---u tcpc:tcp-client-grouping
1041               +-- tls-server-parameters
1042               |  +---u tlss:tls-server-grouping
1043               +-- http-server-parameters
1044               |  +---u https:http-server-grouping
1045               +-- restconf-server-parameters
1046                  +---u rcs:restconf-server-grouping
1047    grouping restconf-server-app-grouping
1048      +-- listen! {http-listen or https-listen}?
1049      |  +-- endpoint* [name]
1050      |     +-- name?                                 string
1051      |     +---u restconf-server-listen-stack-grouping
1052      +-- call-home! {https-call-home}?
1053         +-- restconf-client* [name]
1054            +-- name?                                    string
1055            +-- endpoints
1056            |  +-- endpoint* [name]
1057            |     +-- name?                                      string
1058            |     +---u restconf-server-callhome-stack-grouping
1059            +-- connection-type
1060            |  +-- (connection-type)
1061            |     +--:(persistent-connection)
1062            |     |  +-- persistent!
1063            |     +--:(periodic-connection)
1064            |        +-- periodic!
1065            |           +-- period?         uint16
1066            |           +-- anchor-time?    yang:date-and-time
1067            |           +-- idle-timeout?   uint16
1068            +-- reconnect-strategy
1069               +-- start-with?     enumeration
1070               +-- max-attempts?   uint8
1072 3.2. Example Usage
1074 The following example illustrates configuring a RESTCONF server to
1075 listen for RESTCONF client connections, as well as configuring call-
1076 home to one RESTCONF client.
1078 This example is consistent with the examples presented in Section 2
1079 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
1080 [I-D.ietf-netconf-keystore].
[The XML instance document for this example did not survive extraction
of this page; only its leaf values remain.  Read against the data model
in Section 3.1 and Section 3.3, those values describe:

o  a 'listen' endpoint named "netconf/tls" using the 'https' transport,
   with TCP server address 11.22.33.44; a locally defined server
   certificate whose public key is in ct:subject-public-key-info-format
   and whose private key is in ct:rsa-private-key-format (key and
   certificate values given as "base64encodedvalue=="); client
   authentication via the truststore references
   "trusted-client-ca-certs" and "trusted-client-ee-certs"; and the
   HTTP server parameter value "foo.example.com";

o  two 'cert-to-name' entries under that endpoint's
   'client-identity-mappings': id 1 with fingerprint 11:0A:05:11:00,
   map-type x509c2n:specified and name "scooby-doo"; id 2 with no
   fingerprint and map-type x509c2n:san-any (the catch-all entry, so
   it comes last);

o  a 'call-home' entry for the RESTCONF client "config-manager" with
   two endpoints, "east-data-center" (remote address east.example.com)
   and "west-data-center" (remote address west.example.com), each with
   TCP keepalive values 15, 3 and 30 (the tcp-client grouping's
   idle-time, max-probes and probe-interval; see Appendix A.1), the
   same server certificate, truststore references, "foo.example.com"
   value and 'cert-to-name' entries as the listen endpoint, and two
   further values, 30 and 3, whose leaves the remaining text does not
   identify;

o  a periodic 'connection-type' with period 300 and idle-timeout 60,
   and a 'reconnect-strategy' with start-with "last-connected" and
   max-attempts 3.]
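The call-home behaviour modelled by the 'connection-type' and 'reconnect-strategy' nodes (shown in the tree diagram in Section 3.1 and defined in the module in Section 3.3) is easy to get subtly wrong: the next periodic connection is a whole multiple of 'period' from 'anchor-time' whether the anchor lies in the past or the future, an 'idle-timeout' of zero disables the idle check rather than dropping immediately, and the reconnect strategy tries each endpoint 'max-attempts' times before moving round robin through the user-ordered list. The following is an added worked example, not code from the draft; the endpoint names and timestamps are constructed.

```python
"""Scheduling helpers for the call-home 'connection-type' and
'reconnect-strategy' nodes of ietf-restconf-server.  Added worked
example, not code from the draft; endpoint names and timestamps are
constructed.  Times are 'yang:date-and-time' values with a UTC offset."""
import random
from datetime import datetime, timedelta
from typing import Iterator, List, Optional


def next_periodic_connection(anchor: datetime, period_minutes: int,
                             now: datetime) -> datetime:
    """First instant at or after 'now' that lies a whole number of periods
    from 'anchor-time'.  Works whether the anchor is in the past or future."""
    period = timedelta(minutes=period_minutes)
    whole_periods = -((anchor - now) // period)   # == ceil((now - anchor) / period)
    return anchor + whole_periods * period


def next_call_home_iso(anchor_iso: str, period_minutes: int, now_iso: str) -> str:
    """Same computation over RFC 3339 strings as carried in the data model."""
    anchor = datetime.fromisoformat(anchor_iso.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return next_periodic_connection(anchor, period_minutes, now).isoformat()


def idle_expired(idle_seconds: float, idle_timeout_s: int) -> bool:
    """'idle-timeout' semantics: drop once idle longer than the limit;
    a value of zero means the server never drops an idle session."""
    if idle_timeout_s == 0:
        return False
    return idle_seconds > idle_timeout_s


def reconnect_order(endpoints: List[str], start_with: str, max_attempts: int,
                    last_connected: Optional[str] = None,
                    rng: Optional[random.Random] = None) -> Iterator[str]:
    """Endpoints to try, each 'max-attempts' times, round robin through the
    user-ordered list starting where 'start-with' says.  The iterator is
    infinite; the caller stops it when a connection succeeds."""
    if start_with == "last-connected" and last_connected in endpoints:
        index = endpoints.index(last_connected)
    elif start_with == "random-selection":
        index = (rng or random).randrange(len(endpoints))
    else:                                     # 'first-listed', or no history yet
        index = 0
    while True:
        for _ in range(max_attempts):
            yield endpoints[index]
        index = (index + 1) % len(endpoints)


def first_attempts(endpoints: List[str], start_with: str, max_attempts: int,
                   last_connected: Optional[str] = None, count: int = 8) -> List[str]:
    """Materialize the first 'count' attempts, e.g. for a dry run."""
    order = reconnect_order(endpoints, start_with, max_attempts, last_connected)
    return [next(order) for _ in range(count)]


ENDPOINTS = ["east-data-center", "west-data-center"]   # constructed, user-ordered

if __name__ == "__main__":
    print(next_call_home_iso("2020-05-20T00:15:00Z", 24 * 60, "2020-05-21T09:00:00Z"))
    print(first_attempts(ENDPOINTS, "last-connected", 3, "west-data-center", 7))
    print(idle_expired(130, 120), idle_expired(130, 0))
```

With an anchor of 00:15Z and a 24-hour period, a server consulting the schedule at 09:00Z on 2020-05-21 connects next at 00:15Z on 2020-05-22; an anchor set in the future (2020-06-01T00:15Z) yields the same instant, which is the "before or after" behaviour the 'anchor-time' description calls for.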
1288 3.3. YANG Module
1290 This YANG module has normative references to [RFC6991], [RFC7407],
1291 [RFC8040], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server],
1292 [I-D.ietf-netconf-tls-client-server], and
1293 [I-D.kwatsen-netconf-http-client-server].
1295 <CODE BEGINS> file "ietf-restconf-server@2020-05-20.yang"
1297 module ietf-restconf-server {
1298 yang-version 1.1;
1299 namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server";
1300 prefix rcs;
1302 import ietf-yang-types {
1303 prefix yang;
1304 reference
1305 "RFC 6991: Common YANG Data Types";
1306 }
1308 import ietf-inet-types {
1309 prefix inet;
1310 reference
1311 "RFC 6991: Common YANG Data Types";
1312 }
1314 import ietf-x509-cert-to-name {
1315 prefix x509c2n;
1316 reference
1317 "RFC 7407: A YANG Data Model for SNMP Configuration";
1318 }
1320 import ietf-tcp-client {
1321 prefix tcpc;
1322 reference
1323 "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
1324 }
1326 import ietf-tcp-server {
1327 prefix tcps;
1328 reference
1329 "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
1330 }
1332 import ietf-tls-server {
1333 prefix tlss;
1334 reference
1335 "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
1336 }
1338 import ietf-http-server {
1339 prefix https;
1340 reference
1341 "RFC GGGG: YANG Groupings for HTTP Clients and HTTP Servers";
1342 }
1344 organization
1345 "IETF NETCONF (Network Configuration) Working Group";
1347 contact
1348 "WG Web: <https://datatracker.ietf.org/wg/netconf/>
1349 WG List: <mailto:netconf@ietf.org>
1350 Author: Kent Watsen
1351 Author: Gary Wu
1352 Author: Juergen Schoenwaelder
1353 ";
1355 description
1356 "This module contains a collection of YANG definitions
1357 for configuring RESTCONF servers.
1359 Copyright (c) 2020 IETF Trust and the persons identified
1360 as authors of the code. All rights reserved.
1362 Redistribution and use in source and binary forms, with
1363 or without modification, is permitted pursuant to, and
1364 subject to the license terms contained in, the Simplified
1365 BSD License set forth in Section 4.c of the IETF Trust's
1366 Legal Provisions Relating to IETF Documents
1367 (https://trustee.ietf.org/license-info).
1369 This version of this YANG module is part of RFC IIII
1370 (https://www.rfc-editor.org/info/rfcIIII); see the RFC
1371 itself for full legal notices.
1373 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
1374 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
1375 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
1376 are to be interpreted as described in BCP 14 (RFC 2119)
1377 (RFC 8174) when, and only when, they appear in all
1378 capitals, as shown here.";
1380 revision 2020-05-20 {
1381 description
1382 "Initial version";
1383 reference
1384 "RFC IIII: RESTCONF Client and Server Models";
1385 }
1387 // Features
1389 feature http-listen {
1390 description
1391 "The 'http-listen' feature indicates that the RESTCONF server
1392 supports opening a port to listen for incoming RESTCONF over
1393 TCP client connections, whereby the TLS connections are
1394 terminated by an external system.";
1396 reference
1397 "RFC 8040: RESTCONF Protocol";
1398 }
1400 feature https-listen {
1401 description
1402 "The 'https-listen' feature indicates that the RESTCONF server
1403 supports opening a port to listen for incoming RESTCONF over
1404 TLS client connections, whereby the TLS connections are
1405 terminated by the server itself.";
1406 reference
1407 "RFC 8040: RESTCONF Protocol";
1408 }
1410 feature https-call-home {
1411 description
1412 "The 'https-call-home' feature indicates that the RESTCONF
1413 server supports initiating connections to RESTCONF clients.";
1414 reference
1415 "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
1416 }
1418 // Groupings
1420 grouping restconf-server-grouping {
1421 description
1422 "A reusable grouping for configuring a RESTCONF server
1423 without any consideration for how underlying transport
1424 sessions are established.
1426 Note that this grouping uses a fairly typical descendant
1427 node name such that a stack of 'uses' statements will
1428 have name conflicts. It is intended that the consuming
1429 data model will resolve the issue by wrapping the 'uses'
1430 statement in a container called, e.g.,
1431 'restconf-server-parameters'. This model purposely does
1432 not do this itself so as to provide maximum flexibility
1433 to consuming models.";
1435 container client-identity-mappings {
1436 description
1437 "Specifies mappings through which RESTCONF client X.509
1438 certificates are used to determine a RESTCONF username.
1439 If no matching and valid cert-to-name list entry can be
1440 found, then the RESTCONF server MUST close the connection,
1441 and MUST NOT accept RESTCONF messages over it.";
1442 reference
1443 "RFC 7407: A YANG Data Model for SNMP Configuration.";
1444 uses x509c2n:cert-to-name {
1445 refine "cert-to-name/fingerprint" {
1446 mandatory false;
1447 description
1448 "A 'fingerprint' value does not need to be specified
1449 when the 'cert-to-name' mapping is independent of
1450 fingerprint matching. A 'cert-to-name' having no
1451 fingerprint value will match any client certificate
1452 and therefore should only be present at the end of
1453 the user-ordered 'cert-to-name' list.";
1454 }
1455 }
1456 }
1457 }
1459 grouping restconf-server-listen-stack-grouping {
1460 description
1461 "A reusable grouping for configuring a RESTCONF server
1462 'listen' protocol stack for a single connection.";
1463 choice transport {
1464 mandatory true;
1465 description
1466 "Selects between available transports. This is a
1467 'choice' statement so as to support additional
1468 transport options to be augmented in.";
1469 case http {
1470 if-feature "http-listen";
1471 container http {
1472 description
1473 "Configures RESTCONF server stack assuming that
1474 TLS-termination is handled externally.";
1475 container external-endpoint {
1476 presence
1477 "Specifies configuration for an external endpoint.";
1478 description
1479 "Identifies contact information for the external
1480 system that terminates connections before passing
1481 them through to this server (e.g., a network address
1482 translator or a load balancer). These values have
1483 no effect on the local operation of this server, but
1484 may be used by the application when needing to
1485 inform other systems how to contact this server.";
1486 leaf address {
1487 type inet:ip-address;
1488 mandatory true;
1489 description
1490 "The IP address of the external system
1491 that terminates incoming RESTCONF client
1492 connections before forwarding them to this
1493 server.";
1494 }
1495 leaf port {
1496 type inet:port-number;
1497 default "443";
1498 description
1499 "The port number that the external system listens
1500 on for incoming RESTCONF client connections that
1501 are forwarded to this server. The default HTTPS
1502 port (443) is used, as expected for a RESTCONF
1503 connection.";
1504 }
1505 }
1506 container tcp-server-parameters {
1507 description
1508 "A wrapper around the TCP server parameters
1509 to avoid name collisions.";
1510 uses tcps:tcp-server-grouping {
1511 refine "local-port" {
1512 default "80";
1513 description
1514 "The RESTCONF server will listen on the IANA-
1515 assigned well-known port value for 'http'
1516 (80) if no value is specified.";
1517 }
1518 }
1519 }
1520 container http-server-parameters {
1521 description
1522 "A wrapper around the HTTP server parameters
1523 to avoid name collisions.";
1524 uses https:http-server-grouping;
1525 }
1526 container restconf-server-parameters {
1527 description
1528 "A wrapper around the RESTCONF server parameters
1529 to avoid name collisions.";
1530 uses rcs:restconf-server-grouping;
1531 }
1532 }
1533 }
1534 case https {
1535 if-feature "https-listen";
1536 container https {
1537 description
1538 "Configures RESTCONF server stack assuming that
1539 TLS-termination is handled internally.";
1540 container tcp-server-parameters {
1541 description
1542 "A wrapper around the TCP server parameters
1543 to avoid name collisions.";
1544 uses tcps:tcp-server-grouping {
1545 refine "local-port" {
1546 default "443";
1547 description
1548 "The RESTCONF server will listen on the IANA-
1549 assigned well-known port value for 'https'
1550 (443) if no value is specified.";
1551 }
1552 }
1553 }
1554 container tls-server-parameters {
1555 description
1556 "A wrapper around the TLS server parameters
1557 to avoid name collisions.";
1558 uses tlss:tls-server-grouping;
1559 }
1560 container http-server-parameters {
1561 description
1562 "A wrapper around the HTTP server parameters
1563 to avoid name collisions.";
1564 uses https:http-server-grouping;
1565 }
1566 container restconf-server-parameters {
1567 description
1568 "A wrapper around the RESTCONF server parameters
1569 to avoid name collisions.";
1570 uses rcs:restconf-server-grouping;
1571 }
1572 }
1573 }
1574 }
1575 }
1577 grouping restconf-server-callhome-stack-grouping {
1578 description
1579 "A reusable grouping for configuring a RESTCONF server
1580 'call-home' protocol stack, for a single connection.";
1581 choice transport {
1582 mandatory true;
1583 description
1584 "Selects between available transports. This is a
1585 'choice' statement so as to support additional
1586 transport options to be augmented in.";
1588 case https {
1589 if-feature "https-call-home";
1590 container https {
1591 description
1592 "Configures RESTCONF server stack assuming that
1593 TLS-termination is handled internally.";
1594 container tcp-client-parameters {
1595 description
1596 "A wrapper around the TCP client parameters
1597 to avoid name collisions.";
1598 uses tcpc:tcp-client-grouping {
1599 refine "remote-port" {
1600 default "4336";
1601 description
1602 "The RESTCONF server will attempt to
1603 connect to the IANA-assigned well-known
1604 port for 'restconf-ch-tls' (4336) if no
1605 value is specified.";
1606 }
1607 }
1608 }
1609 container tls-server-parameters {
1610 description
1611 "A wrapper around the TLS server parameters
1612 to avoid name collisions.";
1613 uses tlss:tls-server-grouping;
1614 }
1615 container http-server-parameters {
1616 description
1617 "A wrapper around the HTTP server parameters
1618 to avoid name collisions.";
1619 uses https:http-server-grouping;
1620 }
1621 container restconf-server-parameters {
1622 description
1623 "A wrapper around the RESTCONF server parameters
1624 to avoid name collisions.";
1625 uses rcs:restconf-server-grouping;
1626 }
1627 }
1628 }
1629 }
1630 }
1632 grouping restconf-server-app-grouping {
1633 description
1634 "A reusable grouping for configuring a RESTCONF server
1635 application that supports both 'listen' and 'call-home'
1636 protocol stacks for a multiplicity of connections.";
1637 container listen {
1638 if-feature "http-listen or https-listen";
1639 presence
1640 "Enables the RESTCONF server to listen for RESTCONF
1641 client connections.";
1642 description "Configures listen behavior";
1643 list endpoint {
1644 key "name";
1645 min-elements 1;
1646 description
1647 "List of endpoints to listen for RESTCONF connections.";
1648 leaf name {
1649 type string;
1650 description
1651 "An arbitrary name for the RESTCONF listen endpoint.";
1652 }
1653 uses restconf-server-listen-stack-grouping;
1654 }
1655 }
1656 container call-home {
1657 if-feature "https-call-home";
1658 presence
1659 "Enables the RESTCONF server to initiate the underlying
1660 transport connection to RESTCONF clients.";
1661 description "Configures call-home behavior";
1662 list restconf-client {
1663 key "name";
1664 min-elements 1;
1665 description
1666 "List of RESTCONF clients the RESTCONF server is to
1667 maintain simultaneous call-home connections with.";
1668 leaf name {
1669 type string;
1670 description
1671 "An arbitrary name for the remote RESTCONF client.";
1672 }
1673 container endpoints {
1674 description
1675 "Container for the list of endpoints.";
1676 list endpoint {
1677 key "name";
1678 min-elements 1;
1679 ordered-by user;
1680 description
1681 "User-ordered list of endpoints for this RESTCONF
1682 client. Defining more than one enables high-
1683 availability.";
1684 leaf name {
1685 type string;
1686 description
1687 "An arbitrary name for this endpoint.";
1688 }
1689 uses restconf-server-callhome-stack-grouping;
1690 }
1691 }
1692 container connection-type {
1693 description
1694 "Indicates the RESTCONF server's preference for how the
1695 RESTCONF connection is maintained.";
1696 choice connection-type {
1697 mandatory true;
1698 description
1699 "Selects between available connection types.";
1700 case persistent-connection {
1701 container persistent {
1702 presence "Indicates that a persistent connection is
1703 to be maintained.";
1704 description
1705 "Maintain a persistent connection to the RESTCONF
1706 client. If the connection goes down, immediately
1707 start trying to reconnect to the RESTCONF client,
1708 using the reconnection strategy.
1710 This connection type minimizes any RESTCONF
1711 client to RESTCONF server data-transfer delay,
1712 albeit at the expense of holding resources
1713 longer.";
1714 }
1715 }
1716 case periodic-connection {
1717 container periodic {
1718 presence "Indicates that a periodic connection is
1719 to be maintained.";
1720 description
1721 "Periodically connect to the RESTCONF client.
1723 This connection type decreases resource
1724 utilization, albeit with increased delay in
1725 RESTCONF client to RESTCONF server interactions.
1727 The RESTCONF client SHOULD gracefully close
1728 the underlying TLS connection upon completing
1729 planned activities. If the underlying TLS
1730 connection is not closed gracefully, the
1731 RESTCONF server MUST immediately attempt
1732 to reestablish the connection.
1734 In the case that the previous connection is
1735 still active (i.e., the RESTCONF client has not
1736 closed it yet), establishing a new connection
1737 is NOT RECOMMENDED.";
1739 leaf period {
1740 type uint16;
1741 units "minutes";
1742 default "60";
1743 description
1744 "Duration of time between periodic connections.";
1745 }
1746 leaf anchor-time {
1747 type yang:date-and-time {
1748 // constrained to minute-level granularity
1749 pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
1750 + '(Z|[\+\-]\d{2}:\d{2})';
1751 }
1752 description
1753 "Designates a timestamp before or after which a
1754 series of periodic connections are determined.
1755 The periodic connections occur at a whole
1756 multiple interval from the anchor time. For
1757 example, for an anchor time is 15 minutes past
1758 midnight and a period interval of 24 hours, then
1759 a periodic connection will occur 15 minutes past
1760 midnight everyday.";
1761 }
1762 leaf idle-timeout {
1763 type uint16;
1764 units "seconds";
1765 default 120; // two minutes
1766 description
1767 "Specifies the maximum number of seconds that
1768 the underlying TCP session may remain idle.
1769 A TCP session will be dropped if it is idle
1770 for an interval longer than this number of
1771 seconds. If set to zero, then the server
1772 will never drop a session because it is idle.";
1773 }
1774 }
1775 }
1776 }
1777 }
1778 container reconnect-strategy {
1779 description
1780 "The reconnection strategy directs how a RESTCONF server
1781 reconnects to a RESTCONF client after discovering its
1782 connection to the client has dropped, even if due to a
1783 reboot. The RESTCONF server starts with the specified
1784 endpoint and tries to connect to it max-attempts times
1785 before trying the next endpoint in the list (round
1786 robin).";
1787 leaf start-with {
1788 type enumeration {
1789 enum first-listed {
1790 description
1791 "Indicates that reconnections should start with
1792 the first endpoint listed.";
1793 }
1794 enum last-connected {
1795 description
1796 "Indicates that reconnections should start with
1797 the endpoint last connected to. If no previous
1798 connection has ever been established, then the
1799 first endpoint configured is used. RESTCONF
1800 servers SHOULD be able to remember the last
1801 endpoint connected to across reboots.";
1802 }
1803 enum random-selection {
1804 description
1805 "Indicates that reconnections should start with
1806 a random endpoint.";
1807 }
1808 }
1809 default "first-listed";
1810 description
1811 "Specifies which of the RESTCONF client's endpoints
1812 the RESTCONF server should start with when trying
1813 to connect to the RESTCONF client.";
1814 }
1815 leaf max-attempts {
1816 type uint8 {
1817 range "1..max";
1818 }
1819 default "3";
1820 description
1821 "Specifies the number of times the RESTCONF server tries
1822 to connect to a specific endpoint before moving on to
1823 the next endpoint in the list (round robin).";
1824 }
1825 }
1826 } // restconf-client
1828 } // call-home
1829 } // restconf-server-app-grouping
1831 // Protocol accessible node, for servers that implement
1832 // this module.
1833 container restconf-server {
1834 uses restconf-server-app-grouping;
1835 description
1836 "Top-level container for RESTCONF server configuration.";
1837 }
1839 }
1841 <CODE ENDS>
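The 'client-identity-mappings' container above leaves the matching algorithm to RFC 7407: walk the user-ordered 'cert-to-name' list, take the first entry whose fingerprint matches and whose map-type yields a name, and close the connection if none does. The following is an added worked example, not code from the draft or from RFC 7407. The Cert class is a constructed stand-in carrying only the fields the mapping reads (a real server would take them from the parsed X.509 certificate), the "DER" byte strings are placeholders rather than real certificates, and two readings are assumptions: that a fingerprint may match any certificate in the presented chain, and that an entry whose fingerprint matches but whose map-type yields no name is skipped rather than ending the search (the "matching and valid" wording above). It also includes the configuration check implied by the 'fingerprint' refinement: an entry without a fingerprint may only appear last.

```python
"""Resolve a RESTCONF username from a TLS client certificate chain using an
x509c2n:cert-to-name list, the way the 'client-identity-mappings'
container applies it.  Added worked example; not code from the draft or
from RFC 7407.  Cert is a constructed stand-in holding only the fields the
mapping reads (a real server takes them from the parsed X.509 certificate),
and the "DER" byte strings are placeholders, not real certificates."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# First octet of an x509c2n:tls-fingerprint identifies the hash algorithm
# via the IANA "TLS HashAlgorithm" registry.
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
# subjectAltName types accepted by each SAN-based map-type.
SAN_TYPES = {
    "san-rfc822-name": ("rfc822Name",),
    "san-dns-name": ("dNSName",),
    "san-ip-address": ("iPAddress",),
    "san-any": ("rfc822Name", "dNSName", "iPAddress"),
}


@dataclass
class Cert:
    der: bytes                                   # bytes the fingerprint is taken over
    common_name: Optional[str] = None
    sans: List[Tuple[str, str]] = field(default_factory=list)  # (type, value), cert order


@dataclass
class CertToName:
    id: int
    map_type: str                                # 'specified', 'san-any', 'common-name', ...
    fingerprint: Optional[str] = None            # "HH:HH:..." or None (matches any cert)
    name: Optional[str] = None                   # read only when map_type == 'specified'


def fingerprint_matches(fingerprint: str, cert: Cert) -> bool:
    """Compare a tls-fingerprint against the cert digest under the algorithm it names."""
    raw = bytes.fromhex(fingerprint.replace(":", ""))
    alg = HASH_ALGS.get(raw[0])
    if alg is None:                              # unknown algorithm octet: never matches
        return False
    digest = hashlib.new(alg, cert.der).digest()
    return hmac.compare_digest(digest, raw[1:])  # constant time; length mismatch -> False


def name_from_cert(entry: CertToName, ee: Cert) -> Optional[str]:
    """Derive the username from the end-entity cert according to map-type."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return ee.common_name
    wanted = SAN_TYPES.get(entry.map_type, ())
    for san_type, value in ee.sans:              # first SAN of an accepted type wins
        if san_type in wanted:
            return value
    return None                                  # matched, but not a "valid" mapping


def resolve_username(entries: List[CertToName], chain: List[Cert]) -> Optional[str]:
    """Walk the user-ordered list; chain[0] is the end-entity certificate and a
    fingerprint may match any certificate in the chain.  Returns None when no
    matching and valid entry exists: the server MUST then close the connection
    and MUST NOT accept RESTCONF messages over it."""
    ee = chain[0]
    for entry in entries:
        matched = entry.fingerprint is None or any(
            fingerprint_matches(entry.fingerprint, c) for c in chain)
        if matched:
            name = name_from_cert(entry, ee)
            if name:
                return name
    return None


def catch_all_is_last(entries: List[CertToName]) -> bool:
    """Config check: an entry without a fingerprint matches every certificate,
    so it belongs only at the end of the list."""
    return all(e.fingerprint is not None for e in entries[:-1])


def tls_fingerprint(cert: Cert, alg_id: int = 4) -> str:
    """Render a tls-fingerprint string (default SHA-256, registry value 4)."""
    digest = hashlib.new(HASH_ALGS[alg_id], cert.der).digest()
    return ":".join(f"{b:02X}" for b in bytes([alg_id]) + digest)


# Constructed sample certificates and mapping list.
ADMIN_CERT = Cert(der=b"placeholder DER: admin", common_name="Scooby Doo")
DEVICE_CERT = Cert(der=b"placeholder DER: rtr1", common_name="rtr1",
                   sans=[("dNSName", "rtr1.example.com")])
ANON_CERT = Cert(der=b"placeholder DER: anon")    # no SAN and no fingerprint entry

MAPPINGS = [
    CertToName(id=1, fingerprint=tls_fingerprint(ADMIN_CERT),
               map_type="specified", name="scooby-doo"),
    CertToName(id=2, map_type="san-any"),           # catch-all, hence last
]

if __name__ == "__main__":
    for label, cert in (("admin", ADMIN_CERT), ("device", DEVICE_CERT), ("anon", ANON_CERT)):
        user = resolve_username(MAPPINGS, [cert])
        print(f"{label}: {user or 'no mapping -> close connection'}")
```

Note that the fingerprint comparison uses hmac.compare_digest and rejects unknown algorithm octets outright (the example value 11:0A:05:11:00 used in Section 3.2 starts with 0x11, which is not a registered hash algorithm and therefore never matches); a certificate that reaches the catch-all entry but carries no usable subjectAltName gets no username and the connection is closed rather than falling back to an anonymous identity.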
1843 4. Security Considerations
1845 The YANG module defined in this document uses groupings defined in
1846 [I-D.kwatsen-netconf-tcp-client-server],
1847 [I-D.ietf-netconf-tls-client-server], and
1848 [I-D.kwatsen-netconf-http-client-server]. Please see the Security
1849 Considerations section in those documents for concerns related to
1850 those groupings.
1852 The YANG modules defined in this document are designed to be accessed
1853 via YANG-based management protocols, such as NETCONF [RFC6241] and
1854 RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
1855 implement secure transport layers (e.g., SSH, TLS) with mutual
1856 authentication.
1858 The NETCONF access control model (NACM) [RFC8341] provides the means
1859 to restrict access for particular users to a pre-configured subset of
1860 all available protocol operations and content.
1862 There are a number of data nodes defined in the YANG modules that are
1863 writable/creatable/deletable (i.e., config true, which is the
1864 default). Some of these data nodes may be considered sensitive or
1865 vulnerable in some network environments. Write operations (e.g.,
1866 edit-config) to these data nodes without proper protection can have a
1867 negative effect on network operations. These are the subtrees and
1868 data nodes and their sensitivity/vulnerability:
1870 The 'client-identity-mappings' container determines which RESTCONF
username, and hence which NACM access rights, a client certificate is
granted; write access to it should be limited to administrators. No
other subtree or data node in the modules defined in this document
needs to be protected from write operations.
1873 Some of the readable data nodes in the YANG modules may be considered
1874 sensitive or vulnerable in some network environments. It is thus
1875 important to control read access (e.g., via get, get-config, or
1876 notification) to these data nodes. These are the subtrees and data
1877 nodes and their sensitivity/vulnerability:
1879 None of the subtrees or data nodes in the modules defined in this
1880 document need to be protected from read operations.
1882 Some of the RPC operations in the YANG modules may be considered
1883 sensitive or vulnerable in some network environments. It is thus
1884 important to control access to these operations. These are the
1885 operations and their sensitivity/vulnerability:
1887 The modules defined in this document do not define any 'RPC' or
1888 'action' statements.
1890 5. IANA Considerations
1892 5.1. The IETF XML Registry
1894 This document registers two URIs in the "ns" subregistry of the IETF
1895 XML Registry [RFC3688]. Following the format in [RFC3688], the
1896 following registrations are requested:
1898 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1899 Registrant Contact: The NETCONF WG of the IETF.
1900 XML: N/A, the requested URI is an XML namespace.
1902 URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1903 Registrant Contact: The NETCONF WG of the IETF.
1904 XML: N/A, the requested URI is an XML namespace.
1906 5.2. The YANG Module Names Registry
1908 This document registers two YANG modules in the YANG Module Names
1909 registry [RFC6020]. Following the format in [RFC6020], the
1910 following registrations are requested:
1912 name: ietf-restconf-client
1913 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-client
1914 prefix: rcc
1915 reference: RFC IIII
1917 name: ietf-restconf-server
1918 namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
1919 prefix: rcs
1920 reference: RFC IIII
1922 6. References
1924 6.1. Normative References
1926 [I-D.ietf-netconf-keystore]
1927 Watsen, K., "A YANG Data Model for a Keystore", draft-
1928 ietf-netconf-keystore-16 (work in progress), March 2020.
1930 [I-D.ietf-netconf-tls-client-server]
1931 Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS
1932 Clients and TLS Servers", draft-ietf-netconf-tls-client-
1933 server-18 (work in progress), March 2020.
1935 [I-D.kwatsen-netconf-http-client-server]
1936 Watsen, K., "YANG Groupings for HTTP Clients and HTTP
1937 Servers", draft-kwatsen-netconf-http-client-server-05
1938 (work in progress), November 2019.
1940 [I-D.kwatsen-netconf-tcp-client-server]
1941 Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
1942 and TCP Servers", draft-kwatsen-netconf-tcp-client-
1943 server-02 (work in progress), April 2019.
1945 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1946 Requirement Levels", BCP 14, RFC 2119,
1947 DOI 10.17487/RFC2119, March 1997,
1948 <https://www.rfc-editor.org/info/rfc2119>.
1950 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
1951 the Network Configuration Protocol (NETCONF)", RFC 6020,
1952 DOI 10.17487/RFC6020, October 2010,
1953 <https://www.rfc-editor.org/info/rfc6020>.
1955 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
1956 RFC 6991, DOI 10.17487/RFC6991, July 2013,
1957 <https://www.rfc-editor.org/info/rfc6991>.
1959 [RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
1960 SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
1961 December 2014, <https://www.rfc-editor.org/info/rfc7407>.
1963 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
1964 RFC 7950, DOI 10.17487/RFC7950, August 2016,
1965 <https://www.rfc-editor.org/info/rfc7950>.
1967 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1968 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
1969 <https://www.rfc-editor.org/info/rfc8040>.
1971 [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
1972 RFC 8071, DOI 10.17487/RFC8071, February 2017,
1973 <https://www.rfc-editor.org/info/rfc8071>.
1975 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1976 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1977 May 2017, <https://www.rfc-editor.org/info/rfc8174>.
1979 6.2. Informative References
1981 [I-D.ietf-netconf-trust-anchors]
1982 Watsen, K., "A YANG Data Model for a Truststore", draft-
1983 ietf-netconf-trust-anchors-09 (work in progress), March
1984 2020.
1986 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1987 DOI 10.17487/RFC3688, January 2004,
1988 <https://www.rfc-editor.org/info/rfc3688>.
1990 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
1991 and A. Bierman, Ed., "Network Configuration Protocol
1992 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
1993 <https://www.rfc-editor.org/info/rfc6241>.
1995 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
1996 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
1997 <https://www.rfc-editor.org/info/rfc8340>.
1999 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
2000 Access Control Model", STD 91, RFC 8341,
2001 DOI 10.17487/RFC8341, March 2018,
2002 <https://www.rfc-editor.org/info/rfc8341>.
2004 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
2005 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
2006 <https://www.rfc-editor.org/info/rfc8446>.
2008 6.3. URIs
2010 [1] https://tools.ietf.org/html/draft-ietf-netconf-crypto-types
2012 [2] https://tools.ietf.org/html/draft-ietf-netconf-trust-anchors
2014 [3] https://tools.ietf.org/html/draft-ietf-netconf-keystore
2016 [4] https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server
2018 [5] https://tools.ietf.org/html/draft-ietf-netconf-ssh-client-server
2020 [6] https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server
2022 [7] https://tools.ietf.org/html/draft-ietf-netconf-http-client-server
2024 [8] https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-
2025 server
2027 [9] https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-
2028 server
2030 Appendix A. Expanded Tree Diagrams
2032 A.1. Expanded Tree Diagram for 'ietf-restconf-client'
2034 The following tree diagram [RFC8340] provides an overview of the data
2035 model for the "ietf-restconf-client" module.
2037 This tree diagram shows all the nodes defined in this module,
2038 including those defined by "grouping" statements used by this module.
2040 Please see Section 2.1 for a tree diagram that illustrates what the
2041 module looks like without all the "grouping" statements expanded.
2043 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
2045 module: ietf-restconf-client
2046 +--rw restconf-client
2047 +--rw initiate! {https-initiate}?
2048 | +--rw restconf-server* [name]
2049 | +--rw name string
2050 | +--rw endpoints
2051 | | +--rw endpoint* [name]
2052 | | +--rw name string
2053 | | +--rw (transport)
2054 | | +--:(https) {https-initiate}?
2055 | | +--rw https
2056 | | +--rw tcp-client-parameters
2057 | | | +--rw remote-address inet:host
2058 | | | +--rw remote-port? inet:port-number
2059 | | | +--rw local-address? inet:ip-address
2060 | | | | {local-binding-supported}?
2061 | | | +--rw local-port? inet:port-number
2062 | | | | {local-binding-supported}?
2063 | | | +--rw keepalives!
2064 | | | {keepalives-supported}?
2065 | | | +--rw idle-time uint16
2066 | | | +--rw max-probes uint16
2067 | | | +--rw probe-interval uint16
2068 | | +--rw tls-client-parameters
2069 | | | +--rw client-identity
2070 | | | | +--rw (auth-type)?
2071 | | | | +--:(certificate)
2072 | | | | | {x509-certificate-auth}?
2073 | | | | | +--rw certificate
2074 | | | | | +--rw (local-or-keystore)
2075 | | | | | +--:(local)
2076 | | | | | | {local-definiti\
2077 \ons-supported}?
2078 | | | | | | +--rw local-definition
2079 | | | | | | +--rw public-key-f\
2080 \ormat
2081 | | | | | | | identityref
2082 | | | | | | +--rw public-key
2083 | | | | | | | binary
2084 | | | | | | +--rw private-key-\
2085 \format?
2086 | | | | | | | identityref
2087 | | | | | | +--rw (private-key\
2088 \-type)
2089 | | | | | | | +--:(private-ke\
2090 \y)
2091 | | | | | | | | +--rw privat\
2092 \e-key?
2093 | | | | | | | | bina\
2094 \ry
2095 | | | | | | | +--:(hidden-pri\
2096 \vate-key)
2097 | | | | | | | | +--rw hidden\
2098 \-private-key?
2099 | | | | | | | | empty
2100 | | | | | | | +--:(encrypted-\
2101 \private-key)
2102 | | | | | | | +--rw encryp\
2103 \ted-private-key
2104 | | | | | | | +--rw (ke\
2105 \y-type)
2106 | | | | | | | | +--:(s\
2107 \ymmetric-key-ref)
2108 | | | | | | | | | +--\
2109 \rw symmetric-key-ref? leafref
2110 | | | | | | | | | \
2111 \ {keystore-supported}?
2112 | | | | | | | | +--:(a\
2113 \symmetric-key-ref)
2114 | | | | | | | | +--\
2115 \rw asymmetric-key-ref? leafref
2116 | | | | | | | | \
2117 \ {keystore-supported}?
2118 | | | | | | | +--rw val\
2119 \ue?
2120 | | | | | | | b\
2121 \inary
2122 | | | | | | +--rw cert?
2123 | | | | | | | end-entity\
2124 \-cert-cms
2125 | | | | | | +---n certificate-\
2127 \expiration
2128 | | | | | | | +-- expiration-\
2129 \date
2130 | | | | | | | yang:da\
2131 \te-and-time
2132 | | | | | | +---x generate-cer\
2133 \tificate-signing-request
2134 | | | | | | {certifica\
2135 \te-signing-request-generation}?
2136 | | | | | | +---w input
2137 | | | | | | | +---w subject
2138 | | | | | | | | bina\
2139 \ry
2140 | | | | | | | +---w attrib\
2141 \utes?
2142 | | | | | | | bina\
2143 \ry
2144 | | | | | | +--ro output
2145 | | | | | | +--ro certif\
2146 \icate-signing-request
2147 | | | | | | ct:c\
2148 \sr
2149 | | | | | +--:(keystore)
2150 | | | | | {keystore-suppo\
2151 \rted}?
2152 | | | | | +--rw keystore-refere\
2153 \nce
2154 | | | | | +--rw asymmetric-k\
2155 \ey?
2156 | | | | | | ks:asymmet\
2157 \ric-key-ref
2158 | | | | | +--rw certificate?\
2159 \ leafref
2160 | | | | +--:(raw-public-key)
2161 | | | | | {raw-public-key-auth}?
2162 | | | | | +--rw raw-private-key
2163 | | | | | +--rw (local-or-keystore)
2164 | | | | | +--:(local)
2165 | | | | | | {local-definiti\
2166 \ons-supported}?
2167 | | | | | | +--rw local-definition
2168 | | | | | | +--rw public-key-f\
2169 \ormat
2170 | | | | | | | identityref
2171 | | | | | | +--rw public-key
2172 | | | | | | | binary
2173 | | | | | | +--rw private-key-\
2174 \format?
2175 | | | | | | | identityref
2176 | | | | | | +--rw (private-key\
2177 \-type)
2178 | | | | | | +--:(private-ke\
2179 \y)
2180 | | | | | | | +--rw privat\
2181 \e-key?
2182 | | | | | | | bina\
2183 \ry
2184 | | | | | | +--:(hidden-pri\
2185 \vate-key)
2186 | | | | | | | +--rw hidden\
2187 \-private-key?
2188 | | | | | | | empty
2189 | | | | | | +--:(encrypted-\
2190 \private-key)
2191 | | | | | | +--rw encryp\
2192 \ted-private-key
2193 | | | | | | +--rw (ke\
2194 \y-type)
2195 | | | | | | | +--:(s\
2196 \ymmetric-key-ref)
2197 | | | | | | | | +--\
2198 \rw symmetric-key-ref? leafref
2199 | | | | | | | | \
2200 \ {keystore-supported}?
2201 | | | | | | | +--:(a\
2202 \symmetric-key-ref)
2203 | | | | | | | +--\
2204 \rw asymmetric-key-ref? leafref
2205 | | | | | | | \
2206 \ {keystore-supported}?
2207 | | | | | | +--rw val\
2208 \ue?
2209 | | | | | | b\
2210 \inary
2211 | | | | | +--:(keystore)
2212 | | | | | {keystore-suppo\
2213 \rted}?
2214 | | | | | +--rw keystore-refere\
2215 \nce?
2216 | | | | | ks:asymmetric\
2217 \-key-ref
2218 | | | | +--:(psk) {psk-auth}?
2219 | | | | +--rw psk
2220 | | | | +--rw (local-or-keystore)
2221 | | | | +--:(local)
2222 | | | | | {local-definiti\
2224 \ons-supported}?
2225 | | | | | +--rw local-definition
2226 | | | | | +--rw key-format?
2227 | | | | | | identityref
2228 | | | | | +--rw (key-type)
2229 | | | | | | +--:(key)
2230 | | | | | | | +--rw key?
2231 | | | | | | | bina\
2232 \ry
2233 | | | | | | +--:(hidden-key)
2234 | | | | | | | +--rw hidden\
2235 \-key?
2236 | | | | | | | empty
2237 | | | | | | +--:(encrypted-\
2238 \key)
2239 | | | | | | +--rw encryp\
2240 \ted-key
2241 | | | | | | +--rw (ke\
2242 \y-type)
2243 | | | | | | | +--:(s\
2244 \ymmetric-key-ref)
2245 | | | | | | | | +--\
2246 \rw symmetric-key-ref? leafref
2247 | | | | | | | | \
2248 \ {keystore-supported}?
2249 | | | | | | | +--:(a\
2250 \symmetric-key-ref)
2251 | | | | | | | +--\
2252 \rw asymmetric-key-ref? leafref
2253 | | | | | | | \
2254 \ {keystore-supported}?
2255 | | | | | | +--rw val\
2256 \ue?
2257 | | | | | | b\
2258 \inary
2259 | | | | | +--rw id?
2260 | | | | | string
2261 | | | | | {ks:local-\
2262 \definitions-supported}?
2263 | | | | +--:(keystore)
2264 | | | | {keystore-suppo\
2265 \rted}?
2266 | | | | +--rw keystore-refere\
2267 \nce?
2268 | | | | ks:symmetric-\
2269 \key-ref
2270 | | | +--rw server-authentication
2271 | | | | +--rw ca-certs!
2272 | | | | | {x509-certificate-auth}?
2273 | | | | | +--rw (local-or-truststore)
2274 | | | | | +--:(local)
2275 | | | | | | {local-definitions-su\
2276 \pported}?
2277 | | | | | | +--rw local-definition
2278 | | | | | | +--rw cert*
2279 | | | | | | | trust-anchor-cer\
2280 \t-cms
2281 | | | | | | +---n certificate-expira\
2282 \tion
2283 | | | | | | +-- expiration-date
2284 | | | | | | yang:date-and\
2285 \-time
2286 | | | | | +--:(truststore)
2287 | | | | | {truststore-supported\
2288 \,certificates}?
2289 | | | | | +--rw truststore-reference?
2290 | | | | | ts:certificate-bag-\
2291 \ref
2292 | | | | +--rw ee-certs!
2293 | | | | | {x509-certificate-auth}?
2294 | | | | | +--rw (local-or-truststore)
2295 | | | | | +--:(local)
2296 | | | | | | {local-definitions-su\
2297 \pported}?
2298 | | | | | | +--rw local-definition
2299 | | | | | | +--rw cert*
2300 | | | | | | | trust-anchor-cer\
2301 \t-cms
2302 | | | | | | +---n certificate-expira\
2303 \tion
2304 | | | | | | +-- expiration-date
2305 | | | | | | yang:date-and\
2306 \-time
2307 | | | | | +--:(truststore)
2308 | | | | | {truststore-supported\
2309 \,certificates}?
2310 | | | | | +--rw truststore-reference?
2311 | | | | | ts:certificate-bag-\
2312 \ref
2313 | | | | +--rw raw-public-keys!
2314 | | | | | {raw-public-key-auth}?
2315 | | | | | +--rw (local-or-truststore)
2316 | | | | | +--:(local)
2317 | | | | | | {local-definitions-su\
2318 \pported}?
2319 | | | | | | +--rw local-definition
2320 | | | | | | +--rw public-key* [name]
2321 | | | | | | +--rw name
2322 | | | | | | | string
2323 | | | | | | +--rw public-key-form\
2324 \at
2325 | | | | | | | identityref
2326 | | | | | | +--rw public-key
2327 | | | | | | binary
2328 | | | | | +--:(truststore)
2329 | | | | | {truststore-supported\
2330 \,public-keys}?
2331 | | | | | +--rw truststore-reference?
2332 | | | | | ts:public-key-bag-r\
2333 \ef
2334 | | | | +--rw psks! {psk-auth}?
2335 | | | +--rw hello-params
2336 | | | | {tls-client-hello-params-config\
2337 \}?
2338 | | | | +--rw tls-versions
2339 | | | | | +--rw tls-version* identityref
2340 | | | | +--rw cipher-suites
2341 | | | | +--rw cipher-suite* identityref
2342 | | | +--rw keepalives
2343 | | | {tls-client-keepalives}?
2344 | | | +--rw peer-allowed-to-send? empty
2345 | | | +--rw test-peer-aliveness!
2346 | | | +--rw max-wait? uint16
2347 | | | +--rw max-attempts? uint8
2348 | | +--rw http-client-parameters
2349 | | | +--rw client-identity!
2350 | | | | +--rw (auth-type)?
2351 | | | | +--:(basic)
2352 | | | | +--rw basic {basic-auth}?
2353 | | | | +--rw user-id string
2354 | | | | +--rw password string
2355 | | | +--rw proxy-server! {proxy-connect}?
2356 | | | +--rw tcp-client-parameters
2357 | | | | +--rw remote-address inet:host
2358 | | | | +--rw remote-port?
2359 | | | | | inet:port-number
2360 | | | | +--rw local-address?
2361 | | | | | inet:ip-address
2362 | | | | | {local-binding-supported}?
2363 | | | | +--rw local-port?
2364 | | | | | inet:port-number
2365 | | | | | {local-binding-supported}?
2366 | | | | +--rw keepalives!
2367 | | | | {keepalives-supported}?
2368 | | | | +--rw idle-time uint16
2369 | | | | +--rw max-probes uint16
2370 | | | | +--rw probe-interval uint16
2371 | | | +--rw tls-client-parameters
2372 | | | | +--rw client-identity
2373 | | | | | +--rw (auth-type)?
2374 | | | | | +--:(certificate)
2375 | | | | | | {x509-certificate-\
2376 \auth}?
2377 | | | | | | +--rw certificate
2378 | | | | | | +--rw (local-or-keyst\
2379 \ore)
2380 | | | | | | +--:(local)
2381 | | | | | | | {local-de\
2382 \finitions-supported}?
2383 | | | | | | | +--rw local-def\
2384 \inition
2385 | | | | | | | +--rw public\
2386 \-key-format
2387 | | | | | | | | iden\
2388 \tityref
2389 | | | | | | | +--rw public\
2390 \-key
2391 | | | | | | | | bina\
2392 \ry
2393 | | | | | | | +--rw privat\
2394 \e-key-format?
2395 | | | | | | | | iden\
2396 \tityref
2397 | | | | | | | +--rw (priva\
2398 \te-key-type)
2399 | | | | | | | | +--:(priv\
2400 \ate-key)
2401 | | | | | | | | | +--rw \
2402 \private-key?
2403 | | | | | | | | | \
2404 \ binary
2405 | | | | | | | | +--:(hidd\
2406 \en-private-key)
2407 | | | | | | | | | +--rw \
2408 \hidden-private-key?
2409 | | | | | | | | | \
2410 \ empty
2411 | | | | | | | | +--:(encr\
2412 \ypted-private-key)
2413 | | | | | | | | +--rw \
2414 \encrypted-private-key
2415 | | | | | | | | +--\
2417 \rw (key-type)
2418 | | | | | | | | | \
2419 \+--:(symmetric-key-ref)
2420 | | | | | | | | | \
2421 \| +--rw symmetric-key-ref? leafref
2422 | | | | | | | | | \
2423 \| {keystore-supported}?
2424 | | | | | | | | | \
2425 \+--:(asymmetric-key-ref)
2426 | | | | | | | | | \
2427 \ +--rw asymmetric-key-ref? leafref
2428 | | | | | | | | | \
2429 \ {keystore-supported}?
2430 | | | | | | | | +--\
2431 \rw value?
2432 | | | | | | | | \
2433 \ binary
2434 | | | | | | | +--rw cert?
2435 | | | | | | | | end-\
2436 \entity-cert-cms
2437 | | | | | | | +---n certif\
2438 \icate-expiration
2439 | | | | | | | | +-- expir\
2440 \ation-date
2441 | | | | | | | | y\
2442 \ang:date-and-time
2443 | | | | | | | +---x genera\
2444 \te-certificate-signing-request
2445 | | | | | | | {cer\
2446 \tificate-signing-request-generation}?
2447 | | | | | | | +---w inp\
2448 \ut
2449 | | | | | | | | +---w \
2450 \subject
2451 | | | | | | | | | \
2452 \ binary
2453 | | | | | | | | +---w \
2454 \attributes?
2455 | | | | | | | | \
2456 \ binary
2457 | | | | | | | +--ro out\
2458 \put
2459 | | | | | | | +--ro \
2460 \certificate-signing-request
2461 | | | | | | | \
2462 \ ct:csr
2463 | | | | | | +--:(keystore)
2464 | | | | | | {keystore\
2466 \-supported}?
2467 | | | | | | +--rw keystore-\
2468 \reference
2469 | | | | | | +--rw asymme\
2470 \tric-key?
2471 | | | | | | | ks:a\
2472 \symmetric-key-ref
2473 | | | | | | +--rw certif\
2474 \icate? leafref
2475 | | | | | +--:(raw-public-key)
2476 | | | | | | {raw-public-key-au\
2477 \th}?
2478 | | | | | | +--rw raw-private-key
2479 | | | | | | +--rw (local-or-keyst\
2480 \ore)
2481 | | | | | | +--:(local)
2482 | | | | | | | {local-de\
2483 \finitions-supported}?
2484 | | | | | | | +--rw local-def\
2485 \inition
2486 | | | | | | | +--rw public\
2487 \-key-format
2488 | | | | | | | | iden\
2489 \tityref
2490 | | | | | | | +--rw public\
2491 \-key
2492 | | | | | | | | bina\
2493 \ry
2494 | | | | | | | +--rw privat\
2495 \e-key-format?
2496 | | | | | | | | iden\
2497 \tityref
2498 | | | | | | | +--rw (priva\
2499 \te-key-type)
2500 | | | | | | | +--:(priv\
2501 \ate-key)
2502 | | | | | | | | +--rw \
2503 \private-key?
2504 | | | | | | | | \
2505 \ binary
2506 | | | | | | | +--:(hidd\
2507 \en-private-key)
2508 | | | | | | | | +--rw \
2509 \hidden-private-key?
2510 | | | | | | | | \
2511 \ empty
2512 | | | | | | | +--:(encr\
2513 \ypted-private-key)
2514 | | | | | | | +--rw \
2515 \encrypted-private-key
2516 | | | | | | | +--\
2517 \rw (key-type)
2518 | | | | | | | | \
2519 \+--:(symmetric-key-ref)
2520 | | | | | | | | \
2521 \| +--rw symmetric-key-ref? leafref
2522 | | | | | | | | \
2523 \| {keystore-supported}?
2524 | | | | | | | | \
2525 \+--:(asymmetric-key-ref)
2526 | | | | | | | | \
2527 \ +--rw asymmetric-key-ref? leafref
2528 | | | | | | | | \
2529 \ {keystore-supported}?
2530 | | | | | | | +--\
2531 \rw value?
2532 | | | | | | | \
2533 \ binary
2534 | | | | | | +--:(keystore)
2535 | | | | | | {keystore\
2536 \-supported}?
2537 | | | | | | +--rw keystore-\
2538 \reference?
2539 | | | | | | ks:asym\
2540 \metric-key-ref
2541 | | | | | +--:(psk) {psk-auth}?
2542 | | | | | +--rw psk
2543 | | | | | +--rw (local-or-keyst\
2544 \ore)
2545 | | | | | +--:(local)
2546 | | | | | | {local-de\
2547 \finitions-supported}?
2548 | | | | | | +--rw local-def\
2549 \inition
2550 | | | | | | +--rw key-fo\
2551 \rmat?
2552 | | | | | | | iden\
2553 \tityref
2554 | | | | | | +--rw (key-t\
2555 \ype)
2556 | | | | | | | +--:(key)
2557 | | | | | | | | +--rw \
2558 \key?
2559 | | | | | | | | \
2560 \ binary
2561 | | | | | | | +--:(hidd\
2563 \en-key)
2564 | | | | | | | | +--rw \
2565 \hidden-key?
2566 | | | | | | | | \
2567 \ empty
2568 | | | | | | | +--:(encr\
2569 \ypted-key)
2570 | | | | | | | +--rw \
2571 \encrypted-key
2572 | | | | | | | +--\
2573 \rw (key-type)
2574 | | | | | | | | \
2575 \+--:(symmetric-key-ref)
2576 | | | | | | | | \
2577 \| +--rw symmetric-key-ref? leafref
2578 | | | | | | | | \
2579 \| {keystore-supported}?
2580 | | | | | | | | \
2581 \+--:(asymmetric-key-ref)
2582 | | | | | | | | \
2583 \ +--rw asymmetric-key-ref? leafref
2584 | | | | | | | | \
2585 \ {keystore-supported}?
2586 | | | | | | | +--\
2587 \rw value?
2588 | | | | | | | \
2589 \ binary
2590 | | | | | | +--rw id?
2591 | | | | | | stri\
2592 \ng
2593 | | | | | | {ks:\
2594 \local-definitions-supported}?
2595 | | | | | +--:(keystore)
2596 | | | | | {keystore\
2597 \-supported}?
2598 | | | | | +--rw keystore-\
2599 \reference?
2600 | | | | | ks:symm\
2601 \etric-key-ref
2602 | | | | +--rw server-authentication
2603 | | | | | +--rw ca-certs!
2604 | | | | | | {x509-certificate-auth\
2605 \}?
2606 | | | | | | +--rw (local-or-truststore)
2607 | | | | | | +--:(local)
2608 | | | | | | | {local-definiti\
2609 \ons-supported}?
2610 | | | | | | | +--rw local-definition
2611 | | | | | | | +--rw cert*
2612 | | | | | | | | trust-anch\
2613 \or-cert-cms
2614 | | | | | | | +---n certificate-\
2615 \expiration
2616 | | | | | | | +-- expiration-\
2617 \date
2618 | | | | | | | yang:da\
2619 \te-and-time
2620 | | | | | | +--:(truststore)
2621 | | | | | | {truststore-sup\
2622 \ported,certificates}?
2623 | | | | | | +--rw truststore-refe\
2624 \rence?
2625 | | | | | | ts:certificat\
2626 \e-bag-ref
2627 | | | | | +--rw ee-certs!
2628 | | | | | | {x509-certificate-auth\
2629 \}?
2630 | | | | | | +--rw (local-or-truststore)
2631 | | | | | | +--:(local)
2632 | | | | | | | {local-definiti\
2633 \ons-supported}?
2634 | | | | | | | +--rw local-definition
2635 | | | | | | | +--rw cert*
2636 | | | | | | | | trust-anch\
2637 \or-cert-cms
2638 | | | | | | | +---n certificate-\
2639 \expiration
2640 | | | | | | | +-- expiration-\
2641 \date
2642 | | | | | | | yang:da\
2643 \te-and-time
2644 | | | | | | +--:(truststore)
2645 | | | | | | {truststore-sup\
2646 \ported,certificates}?
2647 | | | | | | +--rw truststore-refe\
2648 \rence?
2649 | | | | | | ts:certificat\
2650 \e-bag-ref
2651 | | | | | +--rw raw-public-keys!
2652 | | | | | | {raw-public-key-auth}?
2653 | | | | | | +--rw (local-or-truststore)
2654 | | | | | | +--:(local)
2655 | | | | | | | {local-definiti\
2656 \ons-supported}?
2657 | | | | | | | +--rw local-definition
2658 | | | | | | | +--rw public-key*
2659 | | | | | | | [name]
2660 | | | | | | | +--rw name
2661 | | | | | | | | string
2662 | | | | | | | +--rw public-ke\
2663 \y-format
2664 | | | | | | | | identit\
2665 \yref
2666 | | | | | | | +--rw public-key
2667 | | | | | | | binary
2668 | | | | | | +--:(truststore)
2669 | | | | | | {truststore-sup\
2670 \ported,public-keys}?
2671 | | | | | | +--rw truststore-refe\
2672 \rence?
2673 | | | | | | ts:public-key\
2674 \-bag-ref
2675 | | | | | +--rw psks! {psk-auth}?
2676 | | | | +--rw hello-params
2677 | | | | | {tls-client-hello-params-\
2678 \config}?
2679 | | | | | +--rw tls-versions
2680 | | | | | | +--rw tls-version*
2681 | | | | | | identityref
2682 | | | | | +--rw cipher-suites
2683 | | | | | +--rw cipher-suite*
2684 | | | | | identityref
2685 | | | | +--rw keepalives
2686 | | | | {tls-client-keepalives}?
2687 | | | | +--rw peer-allowed-to-send?
2688 | | | | | empty
2689 | | | | +--rw test-peer-aliveness!
2690 | | | | +--rw max-wait? uint16
2691 | | | | +--rw max-attempts? uint8
2692 | | | +--rw http-client-parameters
2693 | | | +--rw client-identity!
2694 | | | +--rw (auth-type)?
2695 | | | +--:(basic)
2696 | | | +--rw basic {basic-auth}?
2697 | | | +--rw user-id
2698 | | | | string
2699 | | | +--rw password
2700 | | | string
2701 | | +--rw restconf-client-parameters
2702 | +--rw connection-type
2703 | | +--rw (connection-type)
2704 | | +--:(persistent-connection)
2705 | | | +--rw persistent!
2706 | | +--:(periodic-connection)
2707 | | +--rw periodic!
2708 | | +--rw period? uint16
2709 | | +--rw anchor-time? yang:date-and-time
2710 | | +--rw idle-timeout? uint16
2711 | +--rw reconnect-strategy
2712 | +--rw start-with? enumeration
2713 | +--rw max-attempts? uint8
2714 +--rw listen! {http-listen or https-listen}?
2715 +--rw idle-timeout? uint16
2716 +--rw endpoint* [name]
2717 +--rw name string
2718 +--rw (transport)
2719 +--:(http) {http-listen}?
2720 | +--rw http
2721 | +--rw tcp-server-parameters
2722 | | +--rw local-address inet:ip-address
2723 | | +--rw local-port? inet:port-number
2724 | | +--rw keepalives! {keepalives-supported}?
2725 | | +--rw idle-time uint16
2726 | | +--rw max-probes uint16
2727 | | +--rw probe-interval uint16
2728 | +--rw http-client-parameters
2729 | | +--rw client-identity!
2730 | | | +--rw (auth-type)?
2731 | | | +--:(basic)
2732 | | | +--rw basic {basic-auth}?
2733 | | | +--rw user-id string
2734 | | | +--rw password string
2735 | | +--rw proxy-server! {proxy-connect}?
2736 | | +--rw tcp-client-parameters
2737 | | | +--rw remote-address inet:host
2738 | | | +--rw remote-port? inet:port-number
2739 | | | +--rw local-address? inet:ip-address
2740 | | | | {local-binding-supported}?
2741 | | | +--rw local-port? inet:port-number
2742 | | | | {local-binding-supported}?
2743 | | | +--rw keepalives!
2744 | | | {keepalives-supported}?
2745 | | | +--rw idle-time uint16
2746 | | | +--rw max-probes uint16
2747 | | | +--rw probe-interval uint16
2748 | | +--rw tls-client-parameters
2749 | | | +--rw client-identity
2750 | | | | +--rw (auth-type)?
2751 | | | | +--:(certificate)
2752 | | | | | {x509-certificate-auth}?
2753 | | | | | +--rw certificate
2754 | | | | | +--rw (local-or-keystore)
2755 | | | | | +--:(local)
2756 | | | | | | {local-definiti\
2757 \ons-supported}?
2758 | | | | | | +--rw local-definition
2759 | | | | | | +--rw public-key-f\
2760 \ormat
2761 | | | | | | | identityref
2762 | | | | | | +--rw public-key
2763 | | | | | | | binary
2764 | | | | | | +--rw private-key-\
2765 \format?
2766 | | | | | | | identityref
2767 | | | | | | +--rw (private-key\
2768 \-type)
2769 | | | | | | | +--:(private-ke\
2770 \y)
2771 | | | | | | | | +--rw privat\
2772 \e-key?
2773 | | | | | | | | bina\
2774 \ry
2775 | | | | | | | +--:(hidden-pri\
2776 \vate-key)
2777 | | | | | | | | +--rw hidden\
2778 \-private-key?
2779 | | | | | | | | empty
2780 | | | | | | | +--:(encrypted-\
2781 \private-key)
2782 | | | | | | | +--rw encryp\
2783 \ted-private-key
2784 | | | | | | | +--rw (ke\
2785 \y-type)
2786 | | | | | | | | +--:(s\
2787 \ymmetric-key-ref)
2788 | | | | | | | | | +--\
2789 \rw symmetric-key-ref? leafref
2790 | | | | | | | | | \
2791 \ {keystore-supported}?
2792 | | | | | | | | +--:(a\
2793 \symmetric-key-ref)
2794 | | | | | | | | +--\
2795 \rw asymmetric-key-ref? leafref
2796 | | | | | | | | \
2797 \ {keystore-supported}?
2798 | | | | | | | +--rw val\
2799 \ue?
2800 | | | | | | | b\
2801 \inary
2802 | | | | | | +--rw cert?
2803 | | | | | | | end-entity\
2804 \-cert-cms
2805 | | | | | | +---n certificate-\
2806 \expiration
2807 | | | | | | | +-- expiration-\
2808 \date
2809 | | | | | | | yang:da\
2810 \te-and-time
2811 | | | | | | +---x generate-cer\
2812 \tificate-signing-request
2813 | | | | | | {certifica\
2814 \te-signing-request-generation}?
2815 | | | | | | +---w input
2816 | | | | | | | +---w subject
2817 | | | | | | | | bina\
2818 \ry
2819 | | | | | | | +---w attrib\
2820 \utes?
2821 | | | | | | | bina\
2822 \ry
2823 | | | | | | +--ro output
2824 | | | | | | +--ro certif\
2825 \icate-signing-request
2826 | | | | | | ct:c\
2827 \sr
2828 | | | | | +--:(keystore)
2829 | | | | | {keystore-suppo\
2830 \rted}?
2831 | | | | | +--rw keystore-refere\
2832 \nce
2833 | | | | | +--rw asymmetric-k\
2834 \ey?
2835 | | | | | | ks:asymmet\
2836 \ric-key-ref
2837 | | | | | +--rw certificate?\
2838 \ leafref
2839 | | | | +--:(raw-public-key)
2840 | | | | | {raw-public-key-auth}?
2841 | | | | | +--rw raw-private-key
2842 | | | | | +--rw (local-or-keystore)
2843 | | | | | +--:(local)
2844 | | | | | | {local-definiti\
2845 \ons-supported}?
2846 | | | | | | +--rw local-definition
2847 | | | | | | +--rw public-key-f\
2848 \ormat
2849 | | | | | | | identityref
2850 | | | | | | +--rw public-key
2851 | | | | | | | binary
2852 | | | | | | +--rw private-key-\
2853 \format?
2854 | | | | | | | identityref
2855 | | | | | | +--rw (private-key\
2856 \-type)
2857 | | | | | | +--:(private-ke\
2858 \y)
2859 | | | | | | | +--rw privat\
2860 \e-key?
2861 | | | | | | | bina\
2862 \ry
2863 | | | | | | +--:(hidden-pri\
2864 \vate-key)
2865 | | | | | | | +--rw hidden\
2866 \-private-key?
2867 | | | | | | | empty
2868 | | | | | | +--:(encrypted-\
2869 \private-key)
2870 | | | | | | +--rw encryp\
2871 \ted-private-key
2872 | | | | | | +--rw (ke\
2873 \y-type)
2874 | | | | | | | +--:(s\
2875 \ymmetric-key-ref)
2876 | | | | | | | | +--\
2877 \rw symmetric-key-ref? leafref
2878 | | | | | | | | \
2879 \ {keystore-supported}?
2880 | | | | | | | +--:(a\
2881 \symmetric-key-ref)
2882 | | | | | | | +--\
2883 \rw asymmetric-key-ref? leafref
2884 | | | | | | | \
2885 \ {keystore-supported}?
2886 | | | | | | +--rw val\
2887 \ue?
2888 | | | | | | b\
2889 \inary
2890 | | | | | +--:(keystore)
2891 | | | | | {keystore-suppo\
2892 \rted}?
2893 | | | | | +--rw keystore-refere\
2894 \nce?
2895 | | | | | ks:asymmetric\
2896 \-key-ref
2897 | | | | +--:(psk) {psk-auth}?
2898 | | | | +--rw psk
2899 | | | | +--rw (local-or-keystore)
2900 | | | | +--:(local)
2901 | | | | | {local-definiti\
2902 \ons-supported}?
2903 | | | | | +--rw local-definition
2904 | | | | | +--rw key-format?
2905 | | | | | | identityref
2906 | | | | | +--rw (key-type)
2907 | | | | | | +--:(key)
2908 | | | | | | | +--rw key?
2909 | | | | | | | bina\
2910 \ry
2911 | | | | | | +--:(hidden-key)
2912 | | | | | | | +--rw hidden\
2913 \-key?
2914 | | | | | | | empty
2915 | | | | | | +--:(encrypted-\
2916 \key)
2917 | | | | | | +--rw encryp\
2918 \ted-key
2919 | | | | | | +--rw (ke\
2920 \y-type)
2921 | | | | | | | +--:(s\
2922 \ymmetric-key-ref)
2923 | | | | | | | | +--\
2924 \rw symmetric-key-ref? leafref
2925 | | | | | | | | \
2926 \ {keystore-supported}?
2927 | | | | | | | +--:(a\
2928 \symmetric-key-ref)
2929 | | | | | | | +--\
2930 \rw asymmetric-key-ref? leafref
2931 | | | | | | | \
2932 \ {keystore-supported}?
2933 | | | | | | +--rw val\
2934 \ue?
2935 | | | | | | b\
2936 \inary
2937 | | | | | +--rw id?
2938 | | | | | string
2939 | | | | | {ks:local-\
2940 \definitions-supported}?
2941 | | | | +--:(keystore)
2942 | | | | {keystore-suppo\
2943 \rted}?
2944 | | | | +--rw keystore-refere\
2945 \nce?
2946 | | | | ks:symmetric-\
2948 \key-ref
2949 | | | +--rw server-authentication
2950 | | | | +--rw ca-certs!
2951 | | | | | {x509-certificate-auth}?
2952 | | | | | +--rw (local-or-truststore)
2953 | | | | | +--:(local)
2954 | | | | | | {local-definitions-su\
2955 \pported}?
2956 | | | | | | +--rw local-definition
2957 | | | | | | +--rw cert*
2958 | | | | | | | trust-anchor-cer\
2959 \t-cms
2960 | | | | | | +---n certificate-expira\
2961 \tion
2962 | | | | | | +-- expiration-date
2963 | | | | | | yang:date-and\
2964 \-time
2965 | | | | | +--:(truststore)
2966 | | | | | {truststore-supported\
2967 \,certificates}?
2968 | | | | | +--rw truststore-reference?
2969 | | | | | ts:certificate-bag-\
2970 \ref
2971 | | | | +--rw ee-certs!
2972 | | | | | {x509-certificate-auth}?
2973 | | | | | +--rw (local-or-truststore)
2974 | | | | | +--:(local)
2975 | | | | | | {local-definitions-su\
2976 \pported}?
2977 | | | | | | +--rw local-definition
2978 | | | | | | +--rw cert*
2979 | | | | | | | trust-anchor-cer\
2980 \t-cms
2981 | | | | | | +---n certificate-expira\
2982 \tion
2983 | | | | | | +-- expiration-date
2984 | | | | | | yang:date-and\
2985 \-time
2986 | | | | | +--:(truststore)
2987 | | | | | {truststore-supported\
2988 \,certificates}?
2989 | | | | | +--rw truststore-reference?
2990 | | | | | ts:certificate-bag-\
2991 \ref
2992 | | | | +--rw raw-public-keys!
2993 | | | | | {raw-public-key-auth}?
2994 | | | | | +--rw (local-or-truststore)
2995 | | | | | +--:(local)
2996 | | | | | | {local-definitions-su\
2997 \pported}?
2998 | | | | | | +--rw local-definition
2999 | | | | | | +--rw public-key* [name]
3000 | | | | | | +--rw name
3001 | | | | | | | string
3002 | | | | | | +--rw public-key-form\
3003 \at
3004 | | | | | | | identityref
3005 | | | | | | +--rw public-key
3006 | | | | | | binary
3007 | | | | | +--:(truststore)
3008 | | | | | {truststore-supported\
3009 \,public-keys}?
3010 | | | | | +--rw truststore-reference?
3011 | | | | | ts:public-key-bag-r\
3012 \ef
3013 | | | | +--rw psks! {psk-auth}?
3014 | | | +--rw hello-params
3015 | | | | {tls-client-hello-params-config\
3016 \}?
3017 | | | | +--rw tls-versions
3018 | | | | | +--rw tls-version* identityref
3019 | | | | +--rw cipher-suites
3020 | | | | +--rw cipher-suite* identityref
3021 | | | +--rw keepalives
3022 | | | {tls-client-keepalives}?
3023 | | | +--rw peer-allowed-to-send? empty
3024 | | | +--rw test-peer-aliveness!
3025 | | | +--rw max-wait? uint16
3026 | | | +--rw max-attempts? uint8
3027 | | +--rw http-client-parameters
3028 | | +--rw client-identity!
3029 | | +--rw (auth-type)?
3030 | | +--:(basic)
3031 | | +--rw basic {basic-auth}?
3032 | | +--rw user-id string
3033 | | +--rw password string
3034 | +--rw restconf-client-parameters
3035 +--:(https) {https-listen}?
3036 +--rw https
3037 +--rw tcp-server-parameters
3038 | +--rw local-address inet:ip-address
3039 | +--rw local-port? inet:port-number
3040 | +--rw keepalives! {keepalives-supported}?
3041 | +--rw idle-time uint16
3042 | +--rw max-probes uint16
3043 | +--rw probe-interval uint16
3044 +--rw tls-client-parameters
3045 | +--rw client-identity
3046 | | +--rw (auth-type)?
3047 | | +--:(certificate)
3048 | | | {x509-certificate-auth}?
3049 | | | +--rw certificate
3050 | | | +--rw (local-or-keystore)
3051 | | | +--:(local)
3052 | | | | {local-definitions-su\
3053 \pported}?
3054 | | | | +--rw local-definition
3055 | | | | +--rw public-key-format
3056 | | | | | identityref
3057 | | | | +--rw public-key
3058 | | | | | binary
3059 | | | | +--rw private-key-format?
3060 | | | | | identityref
3061 | | | | +--rw (private-key-type)
3062 | | | | | +--:(private-key)
3063 | | | | | | +--rw private-key?
3064 | | | | | | binary
3065 | | | | | +--:(hidden-private-k\
3066 \ey)
3067 | | | | | | +--rw hidden-priva\
3068 \te-key?
3069 | | | | | | empty
3070 | | | | | +--:(encrypted-privat\
3071 \e-key)
3072 | | | | | +--rw encrypted-pr\
3073 \ivate-key
3074 | | | | | +--rw (key-type)
3075 | | | | | | +--:(symmetr\
3076 \ic-key-ref)
3077 | | | | | | | +--rw sym\
3078 \metric-key-ref? leafref
3079 | | | | | | | {\
3080 \keystore-supported}?
3081 | | | | | | +--:(asymmet\
3082 \ric-key-ref)
3083 | | | | | | +--rw asy\
3084 \mmetric-key-ref? leafref
3085 | | | | | | {\
3086 \keystore-supported}?
3087 | | | | | +--rw value?
3088 | | | | | binary
3089 | | | | +--rw cert?
3090 | | | | | end-entity-cert-\
3091 \cms
3092 | | | | +---n certificate-expira\
3093 \tion
3094 | | | | | +-- expiration-date
3095 | | | | | yang:date-and\
3096 \-time
3097 | | | | +---x generate-certifica\
3098 \te-signing-request
3099 | | | | {certificate-sig\
3100 \ning-request-generation}?
3101 | | | | +---w input
3102 | | | | | +---w subject
3103 | | | | | | binary
3104 | | | | | +---w attributes?
3105 | | | | | binary
3106 | | | | +--ro output
3107 | | | | +--ro certificate-\
3108 \signing-request
3109 | | | | ct:csr
3110 | | | +--:(keystore)
3111 | | | {keystore-supported}?
3112 | | | +--rw keystore-reference
3113 | | | +--rw asymmetric-key?
3114 | | | | ks:asymmetric-ke\
3115 \y-ref
3116 | | | +--rw certificate? \
3117 \leafref
3118 | | +--:(raw-public-key)
3119 | | | {raw-public-key-auth}?
3120 | | | +--rw raw-private-key
3121 | | | +--rw (local-or-keystore)
3122 | | | +--:(local)
3123 | | | | {local-definitions-su\
3124 \pported}?
3125 | | | | +--rw local-definition
3126 | | | | +--rw public-key-format
3127 | | | | | identityref
3128 | | | | +--rw public-key
3129 | | | | | binary
3130 | | | | +--rw private-key-format?
3131 | | | | | identityref
3132 | | | | +--rw (private-key-type)
3133 | | | | +--:(private-key)
3134 | | | | | +--rw private-key?
3135 | | | | | binary
3136 | | | | +--:(hidden-private-k\
3137 \ey)
3138 | | | | | +--rw hidden-priva\
3139 \te-key?
3140 | | | | | empty
3141 | | | | +--:(encrypted-privat\
3142 \e-key)
3143 | | | | +--rw encrypted-pr\
3144 \ivate-key
3145 | | | | +--rw (key-type)
3146 | | | | | +--:(symmetr\
3147 \ic-key-ref)
3148 | | | | | | +--rw sym\
3149 \metric-key-ref? leafref
3150 | | | | | | {\
3151 \keystore-supported}?
3152 | | | | | +--:(asymmet\
3153 \ric-key-ref)
3154 | | | | | +--rw asy\
3155 \mmetric-key-ref? leafref
3156 | | | | | {\
3157 \keystore-supported}?
3158 | | | | +--rw value?
3159 | | | | binary
3160 | | | +--:(keystore)
3161 | | | {keystore-supported}?
3162 | | | +--rw keystore-reference?
3163 | | | ks:asymmetric-key-r\
3164 \ef
3165 | | +--:(psk) {psk-auth}?
3166 | | +--rw psk
3167 | | +--rw (local-or-keystore)
3168 | | +--:(local)
3169 | | | {local-definitions-su\
3170 \pported}?
3171 | | | +--rw local-definition
3172 | | | +--rw key-format?
3173 | | | | identityref
3174 | | | +--rw (key-type)
3175 | | | | +--:(key)
3176 | | | | | +--rw key?
3177 | | | | | binary
3178 | | | | +--:(hidden-key)
3179 | | | | | +--rw hidden-key?
3180 | | | | | empty
3181 | | | | +--:(encrypted-key)
3182 | | | | +--rw encrypted-key
3183 | | | | +--rw (key-type)
3184 | | | | | +--:(symmetr\
3185 \ic-key-ref)
3186 | | | | | | +--rw sym\
3187 \metric-key-ref? leafref
3188 | | | | | | {\
3189 \keystore-supported}?
3190 | | | | | +--:(asymmet\
3191 \ric-key-ref)
3192 | | | | | +--rw asy\
3193 \mmetric-key-ref? leafref
3194 | | | | | {\
3195 \keystore-supported}?
3196 | | | | +--rw value?
3197 | | | | binary
3198 | | | +--rw id?
3199 | | | string
3200 | | | {ks:local-defini\
3201 \tions-supported}?
3202 | | +--:(keystore)
3203 | | {keystore-supported}?
3204 | | +--rw keystore-reference?
3205 | | ks:symmetric-key-ref
3206 | +--rw server-authentication
3207 | | +--rw ca-certs! {x509-certificate-auth}?
3208 | | | +--rw (local-or-truststore)
3209 | | | +--:(local)
3210 | | | | {local-definitions-supporte\
3211 \d}?
3212 | | | | +--rw local-definition
3213 | | | | +--rw cert*
3214 | | | | | trust-anchor-cert-cms
3215 | | | | +---n certificate-expiration
3216 | | | | +-- expiration-date
3217 | | | | yang:date-and-time
3218 | | | +--:(truststore)
3219 | | | {truststore-supported,certi\
3220 \ficates}?
3221 | | | +--rw truststore-reference?
3222 | | | ts:certificate-bag-ref
3223 | | +--rw ee-certs! {x509-certificate-auth}?
3224 | | | +--rw (local-or-truststore)
3225 | | | +--:(local)
3226 | | | | {local-definitions-supporte\
3227 \d}?
3228 | | | | +--rw local-definition
3229 | | | | +--rw cert*
3230 | | | | | trust-anchor-cert-cms
3231 | | | | +---n certificate-expiration
3232 | | | | +-- expiration-date
3233 | | | | yang:date-and-time
3234 | | | +--:(truststore)
3235 | | | {truststore-supported,certi\
3237 \ficates}?
3238 | | | +--rw truststore-reference?
3239 | | | ts:certificate-bag-ref
3240 | | +--rw raw-public-keys!
3241 | | | {raw-public-key-auth}?
3242 | | | +--rw (local-or-truststore)
3243 | | | +--:(local)
3244 | | | | {local-definitions-supporte\
3245 \d}?
3246 | | | | +--rw local-definition
3247 | | | | +--rw public-key* [name]
3248 | | | | +--rw name
3249 | | | | | string
3250 | | | | +--rw public-key-format
3251 | | | | | identityref
3252 | | | | +--rw public-key
3253 | | | | binary
3254 | | | +--:(truststore)
3255 | | | {truststore-supported,publi\
3256 \c-keys}?
3257 | | | +--rw truststore-reference?
3258 | | | ts:public-key-bag-ref
3259 | | +--rw psks! {psk-auth}?
3260 | +--rw hello-params
3261 | | {tls-client-hello-params-config}?
3262 | | +--rw tls-versions
3263 | | | +--rw tls-version* identityref
3264 | | +--rw cipher-suites
3265 | | +--rw cipher-suite* identityref
3266 | +--rw keepalives {tls-client-keepalives}?
3267 | +--rw peer-allowed-to-send? empty
3268 | +--rw test-peer-aliveness!
3269 | +--rw max-wait? uint16
3270 | +--rw max-attempts? uint8
3271 +--rw http-client-parameters
3272 | +--rw client-identity!
3273 | | +--rw (auth-type)?
3274 | | +--:(basic)
3275 | | +--rw basic {basic-auth}?
3276 | | +--rw user-id string
3277 | | +--rw password string
3278 | +--rw proxy-server! {proxy-connect}?
3279 | +--rw tcp-client-parameters
3280 | | +--rw remote-address inet:host
3281 | | +--rw remote-port? inet:port-number
3282 | | +--rw local-address? inet:ip-address
3283 | | | {local-binding-supported}?
3284 | | +--rw local-port? inet:port-number
3285 | | | {local-binding-supported}?
3286 | | +--rw keepalives!
3287 | | {keepalives-supported}?
3288 | | +--rw idle-time uint16
3289 | | +--rw max-probes uint16
3290 | | +--rw probe-interval uint16
3291 | +--rw tls-client-parameters
3292 | | +--rw client-identity
3293 | | | +--rw (auth-type)?
3294 | | | +--:(certificate)
3295 | | | | {x509-certificate-auth}?
3296 | | | | +--rw certificate
3297 | | | | +--rw (local-or-keystore)
3298 | | | | +--:(local)
3299 | | | | | {local-definiti\
3300 \ons-supported}?
3301 | | | | | +--rw local-definition
3302 | | | | | +--rw public-key-f\
3303 \ormat
3304 | | | | | | identityref
3305 | | | | | +--rw public-key
3306 | | | | | | binary
3307 | | | | | +--rw private-key-\
3308 \format?
3309 | | | | | | identityref
3310 | | | | | +--rw (private-key\
3311 \-type)
3312 | | | | | | +--:(private-ke\
3313 \y)
3314 | | | | | | | +--rw privat\
3315 \e-key?
3316 | | | | | | | bina\
3317 \ry
3318 | | | | | | +--:(hidden-pri\
3319 \vate-key)
3320 | | | | | | | +--rw hidden\
3321 \-private-key?
3322 | | | | | | | empty
3323 | | | | | | +--:(encrypted-\
3324 \private-key)
3325 | | | | | | +--rw encryp\
3326 \ted-private-key
3327 | | | | | | +--rw (ke\
3328 \y-type)
3329 | | | | | | | +--:(s\
3330 \ymmetric-key-ref)
3331 | | | | | | | | +--\
3332 \rw symmetric-key-ref? leafref
3333 | | | | | | | | \
3334 \ {keystore-supported}?
3335 | | | | | | | +--:(a\
3336 \symmetric-key-ref)
3337 | | | | | | | +--\
3338 \rw asymmetric-key-ref? leafref
3339 | | | | | | | \
3340 \ {keystore-supported}?
3341 | | | | | | +--rw val\
3342 \ue?
3343 | | | | | | b\
3344 \inary
3345 | | | | | +--rw cert?
3346 | | | | | | end-entity\
3347 \-cert-cms
3348 | | | | | +---n certificate-\
3349 \expiration
3350 | | | | | | +-- expiration-\
3351 \date
3352 | | | | | | yang:da\
3353 \te-and-time
3354 | | | | | +---x generate-cer\
3355 \tificate-signing-request
3356 | | | | | {certifica\
3357 \te-signing-request-generation}?
3358 | | | | | +---w input
3359 | | | | | | +---w subject
3360 | | | | | | | bina\
3361 \ry
3362 | | | | | | +---w attrib\
3363 \utes?
3364 | | | | | | bina\
3365 \ry
3366 | | | | | +--ro output
3367 | | | | | +--ro certif\
3368 \icate-signing-request
3369 | | | | | ct:c\
3370 \sr
3371 | | | | +--:(keystore)
3372 | | | | {keystore-suppo\
3373 \rted}?
3374 | | | | +--rw keystore-refere\
3375 \nce
3376 | | | | +--rw asymmetric-k\
3377 \ey?
3378 | | | | | ks:asymmet\
3379 \ric-key-ref
3380 | | | | +--rw certificate?\
3382 \ leafref
3383 | | | +--:(raw-public-key)
3384 | | | | {raw-public-key-auth}?
3385 | | | | +--rw raw-private-key
3386 | | | | +--rw (local-or-keystore)
3387 | | | | +--:(local)
3388 | | | | | {local-definiti\
3389 \ons-supported}?
3390 | | | | | +--rw local-definition
3391 | | | | | +--rw public-key-f\
3392 \ormat
3393 | | | | | | identityref
3394 | | | | | +--rw public-key
3395 | | | | | | binary
3396 | | | | | +--rw private-key-\
3397 \format?
3398 | | | | | | identityref
3399 | | | | | +--rw (private-key\
3400 \-type)
3401 | | | | | +--:(private-ke\
3402 \y)
3403 | | | | | | +--rw privat\
3404 \e-key?
3405 | | | | | | bina\
3406 \ry
3407 | | | | | +--:(hidden-pri\
3408 \vate-key)
3409 | | | | | | +--rw hidden\
3410 \-private-key?
3411 | | | | | | empty
3412 | | | | | +--:(encrypted-\
3413 \private-key)
3414 | | | | | +--rw encryp\
3415 \ted-private-key
3416 | | | | | +--rw (ke\
3417 \y-type)
3418 | | | | | | +--:(s\
3419 \ymmetric-key-ref)
3420 | | | | | | | +--\
3421 \rw symmetric-key-ref? leafref
3422 | | | | | | | \
3423 \ {keystore-supported}?
3424 | | | | | | +--:(a\
3425 \symmetric-key-ref)
3426 | | | | | | +--\
3427 \rw asymmetric-key-ref? leafref
3428 | | | | | | \
3429 \ {keystore-supported}?
3430 | | | | | +--rw val\
3431 \ue?
3432 | | | | | b\
3433 \inary
3434 | | | | +--:(keystore)
3435 | | | | {keystore-suppo\
3436 \rted}?
3437 | | | | +--rw keystore-refere\
3438 \nce?
3439 | | | | ks:asymmetric\
3440 \-key-ref
3441 | | | +--:(psk) {psk-auth}?
3442 | | | +--rw psk
3443 | | | +--rw (local-or-keystore)
3444 | | | +--:(local)
3445 | | | | {local-definiti\
3446 \ons-supported}?
3447 | | | | +--rw local-definition
3448 | | | | +--rw key-format?
3449 | | | | | identityref
3450 | | | | +--rw (key-type)
3451 | | | | | +--:(key)
3452 | | | | | | +--rw key?
3453 | | | | | | bina\
3454 \ry
3455 | | | | | +--:(hidden-key)
3456 | | | | | | +--rw hidden\
3457 \-key?
3458 | | | | | | empty
3459 | | | | | +--:(encrypted-\
3460 \key)
3461 | | | | | +--rw encryp\
3462 \ted-key
3463 | | | | | +--rw (ke\
3464 \y-type)
3465 | | | | | | +--:(s\
3466 \ymmetric-key-ref)
3467 | | | | | | | +--\
3468 \rw symmetric-key-ref? leafref
3469 | | | | | | | \
3470 \ {keystore-supported}?
3471 | | | | | | +--:(a\
3472 \symmetric-key-ref)
3473 | | | | | | +--\
3474 \rw asymmetric-key-ref? leafref
3475 | | | | | | \
3476 \ {keystore-supported}?
3477 | | | | | +--rw val\
3479 \ue?
3480 | | | | | b\
3481 \inary
3482 | | | | +--rw id?
3483 | | | | string
3484 | | | | {ks:local-\
3485 \definitions-supported}?
3486 | | | +--:(keystore)
3487 | | | {keystore-suppo\
3488 \rted}?
3489 | | | +--rw keystore-refere\
3490 \nce?
3491 | | | ks:symmetric-\
3492 \key-ref
3493 | | +--rw server-authentication
3494 | | | +--rw ca-certs!
3495 | | | | {x509-certificate-auth}?
3496 | | | | +--rw (local-or-truststore)
3497 | | | | +--:(local)
3498 | | | | | {local-definitions-su\
3499 \pported}?
3500 | | | | | +--rw local-definition
3501 | | | | | +--rw cert*
3502 | | | | | | trust-anchor-cer\
3503 \t-cms
3504 | | | | | +---n certificate-expira\
3505 \tion
3506 | | | | | +-- expiration-date
3507 | | | | | yang:date-and\
3508 \-time
3509 | | | | +--:(truststore)
3510 | | | | {truststore-supported\
3511 \,certificates}?
3512 | | | | +--rw truststore-reference?
3513 | | | | ts:certificate-bag-\
3514 \ref
3515 | | | +--rw ee-certs!
3516 | | | | {x509-certificate-auth}?
3517 | | | | +--rw (local-or-truststore)
3518 | | | | +--:(local)
3519 | | | | | {local-definitions-su\
3520 \pported}?
3521 | | | | | +--rw local-definition
3522 | | | | | +--rw cert*
3523 | | | | | | trust-anchor-cer\
3524 \t-cms
3525 | | | | | +---n certificate-expira\
3526 \tion
3527 | | | | | +-- expiration-date
3528 | | | | | yang:date-and\
3529 \-time
3530 | | | | +--:(truststore)
3531 | | | | {truststore-supported\
3532 \,certificates}?
3533 | | | | +--rw truststore-reference?
3534 | | | | ts:certificate-bag-\
3535 \ref
3536 | | | +--rw raw-public-keys!
3537 | | | | {raw-public-key-auth}?
3538 | | | | +--rw (local-or-truststore)
3539 | | | | +--:(local)
3540 | | | | | {local-definitions-su\
3541 \pported}?
3542 | | | | | +--rw local-definition
3543 | | | | | +--rw public-key* [name]
3544 | | | | | +--rw name
3545 | | | | | | string
3546 | | | | | +--rw public-key-form\
3547 \at
3548 | | | | | | identityref
3549 | | | | | +--rw public-key
3550 | | | | | binary
3551 | | | | +--:(truststore)
3552 | | | | {truststore-supported\
3553 \,public-keys}?
3554 | | | | +--rw truststore-reference?
3555 | | | | ts:public-key-bag-r\
3556 \ef
3557 | | | +--rw psks! {psk-auth}?
3558 | | +--rw hello-params
3559 | | | {tls-client-hello-params-config\
3560 \}?
3561 | | | +--rw tls-versions
3562 | | | | +--rw tls-version* identityref
3563 | | | +--rw cipher-suites
3564 | | | +--rw cipher-suite* identityref
3565 | | +--rw keepalives
3566 | | {tls-client-keepalives}?
3567 | | +--rw peer-allowed-to-send? empty
3568 | | +--rw test-peer-aliveness!
3569 | | +--rw max-wait? uint16
3570 | | +--rw max-attempts? uint8
3571 | +--rw http-client-parameters
3572 | +--rw client-identity!
3573 | +--rw (auth-type)?
3574 | +--:(basic)
3575 | +--rw basic {basic-auth}?
3576 | +--rw user-id string
3577 | +--rw password string
3578 +--rw restconf-client-parameters
3580 A.2. Expanded Tree Diagram for 'ietf-restconf-server'
3582 The following tree diagram [RFC8340] provides an overview of the data
3583 model for the "ietf-restconf-server" module.
3585 This tree diagram shows all the nodes defined in this module,
3586 including those defined by "grouping" statements used by this module.
3588 Please see Section 3.1 for a tree diagram that illustrates what the
3589 module looks like without all the "grouping" statements expanded.
3591 ========== NOTE: '\\' line wrapping per BCP XXX (RFC XXXX) ==========
3593 module: ietf-restconf-server
3594 +--rw restconf-server
3595 +--rw listen! {http-listen or https-listen}?
3596 | +--rw endpoint* [name]
3597 | +--rw name string
3598 | +--rw (transport)
3599 | +--:(http) {http-listen}?
3600 | | +--rw http
3601 | | +--rw external-endpoint!
3602 | | | +--rw address inet:ip-address
3603 | | | +--rw port? inet:port-number
3604 | | +--rw tcp-server-parameters
3605 | | | +--rw local-address inet:ip-address
3606 | | | +--rw local-port? inet:port-number
3607 | | | +--rw keepalives! {keepalives-supported}?
3608 | | | +--rw idle-time uint16
3609 | | | +--rw max-probes uint16
3610 | | | +--rw probe-interval uint16
3611 | | +--rw http-server-parameters
3612 | | | +--rw server-name? string
3613 | | | +--rw client-authentication!
3614 | | | {client-auth-config-supported}?
3615 | | | +--rw users
3616 | | | +--rw user* [user-id]
3617 | | | +--rw user-id string
3618 | | | +--rw (auth-type)?
3619 | | | +--:(basic)
3620 | | | +--rw basic {basic-auth}?
3621 | | | +--rw user-id? string
3622 | | | +--rw password?
3623 | | | ianach:crypt-hash
3624 | | +--rw restconf-server-parameters
3625 | | +--rw client-identity-mappings
3626 | | +--rw cert-to-name* [id]
3627 | | +--rw id uint32
3628 | | +--rw fingerprint?
3629 | | | x509c2n:tls-fingerprint
3630 | | +--rw map-type identityref
3631 | | +--rw name string
3632 | +--:(https) {https-listen}?
3633 | +--rw https
3634 | +--rw tcp-server-parameters
3635 | | +--rw local-address inet:ip-address
3636 | | +--rw local-port? inet:port-number
3637 | | +--rw keepalives! {keepalives-supported}?
3638 | | +--rw idle-time uint16
3639 | | +--rw max-probes uint16
3640 | | +--rw probe-interval uint16
3641 | +--rw tls-server-parameters
3642 | | +--rw server-identity
3643 | | | +--rw (auth-type)
3644 | | | +--:(certificate)
3645 | | | | {x509-certificate-auth}?
3646 | | | | +--rw certificate
3647 | | | | +--rw (local-or-keystore)
3648 | | | | +--:(local)
3649 | | | | | {local-definitions-su\
3650 \pported}?
3651 | | | | | +--rw local-definition
3652 | | | | | +--rw public-key-format
3653 | | | | | | identityref
3654 | | | | | +--rw public-key
3655 | | | | | | binary
3656 | | | | | +--rw private-key-format?
3657 | | | | | | identityref
3658 | | | | | +--rw (private-key-type)
3659 | | | | | | +--:(private-key)
3660 | | | | | | | +--rw private-key?
3661 | | | | | | | binary
3662 | | | | | | +--:(hidden-private-k\
3663 \ey)
3664 | | | | | | | +--rw hidden-priva\
3665 \te-key?
3666 | | | | | | | empty
3667 | | | | | | +--:(encrypted-privat\
3668 \e-key)
3669 | | | | | | +--rw encrypted-pr\
3670 \ivate-key
3671 | | | | | | +--rw (key-type)
3672 | | | | | | | +--:(symmetr\
3673 \ic-key-ref)
3674 | | | | | | | | +--rw sym\
3675 \metric-key-ref? leafref
3676 | | | | | | | | {\
3677 \keystore-supported}?
3678 | | | | | | | +--:(asymmet\
3679 \ric-key-ref)
3680 | | | | | | | +--rw asy\
3681 \mmetric-key-ref? leafref
3682 | | | | | | | {\
3683 \keystore-supported}?
3684 | | | | | | +--rw value?
3685 | | | | | | binary
3686 | | | | | +--rw cert?
3687 | | | | | | end-entity-cert-\
3688 \cms
3689 | | | | | +---n certificate-expira\
3690 \tion
3691 | | | | | | +-- expiration-date
3692 | | | | | | yang:date-and\
3693 \-time
3694 | | | | | +---x generate-certifica\
3695 \te-signing-request
3696 | | | | | {certificate-sig\
3697 \ning-request-generation}?
3698 | | | | | +---w input
3699 | | | | | | +---w subject
3700 | | | | | | | binary
3701 | | | | | | +---w attributes?
3702 | | | | | | binary
3703 | | | | | +--ro output
3704 | | | | | +--ro certificate-\
3705 \signing-request
3706 | | | | | ct:csr
3707 | | | | +--:(keystore)
3708 | | | | {keystore-supported}?
3709 | | | | +--rw keystore-reference
3710 | | | | +--rw asymmetric-key?
3711 | | | | | ks:asymmetric-ke\
3712 \y-ref
3713 | | | | +--rw certificate? \
3714 \leafref
3715 | | | +--:(raw-private-key)
3716 | | | | {raw-public-key-auth}?
3717 | | | | +--rw raw-private-key
3718 | | | | +--rw (local-or-keystore)
3719 | | | | +--:(local)
3720 | | | | | {local-definitions-su\
3721 \pported}?
3722 | | | | | +--rw local-definition
3723 | | | | | +--rw public-key-format
3724 | | | | | | identityref
3725 | | | | | +--rw public-key
3726 | | | | | | binary
3727 | | | | | +--rw private-key-format?
3728 | | | | | | identityref
3729 | | | | | +--rw (private-key-type)
3730 | | | | | +--:(private-key)
3731 | | | | | | +--rw private-key?
3732 | | | | | | binary
3733 | | | | | +--:(hidden-private-k\
3734 \ey)
3735 | | | | | | +--rw hidden-priva\
3736 \te-key?
3737 | | | | | | empty
3738 | | | | | +--:(encrypted-privat\
3739 \e-key)
3740 | | | | | +--rw encrypted-pr\
3741 \ivate-key
3742 | | | | | +--rw (key-type)
3743 | | | | | | +--:(symmetr\
3744 \ic-key-ref)
3745 | | | | | | | +--rw sym\
3746 \metric-key-ref? leafref
3747 | | | | | | | {\
3748 \keystore-supported}?
3749 | | | | | | +--:(asymmet\
3750 \ric-key-ref)
3751 | | | | | | +--rw asy\
3752 \mmetric-key-ref? leafref
3753 | | | | | | {\
3754 \keystore-supported}?
3755 | | | | | +--rw value?
3756 | | | | | binary
3757 | | | | +--:(keystore)
3758 | | | | {keystore-supported}?
3759 | | | | +--rw keystore-reference?
3760 | | | | ks:asymmetric-key-r\
3761 \ef
3762 | | | +--:(psk) {psk-auth}?
3763 | | | +--rw psk
3764 | | | +--rw (local-or-keystore)
3765 | | | +--:(local)
3766 | | | | {local-definitions-su\
3768 \pported}?
3769 | | | | +--rw local-definition
3770 | | | | +--rw key-format?
3771 | | | | | identityref
3772 | | | | +--rw (key-type)
3773 | | | | | +--:(key)
3774 | | | | | | +--rw key?
3775 | | | | | | binary
3776 | | | | | +--:(hidden-key)
3777 | | | | | | +--rw hidden-key?
3778 | | | | | | empty
3779 | | | | | +--:(encrypted-key)
3780 | | | | | +--rw encrypted-key
3781 | | | | | +--rw (key-type)
3782 | | | | | | +--:(symmetr\
3783 \ic-key-ref)
3784 | | | | | | | +--rw sym\
3785 \metric-key-ref? leafref
3786 | | | | | | | {\
3787 \keystore-supported}?
3788 | | | | | | +--:(asymmet\
3789 \ric-key-ref)
3790 | | | | | | +--rw asy\
3791 \mmetric-key-ref? leafref
3792 | | | | | | {\
3793 \keystore-supported}?
3794 | | | | | +--rw value?
3795 | | | | | binary
3796 | | | | +--rw id?
3797 | | | | string
3798 | | | | {ks:local-defini\
3799 \tions-supported}?
3800 | | | +--:(keystore)
3801 | | | {keystore-supported}?
3802 | | | +--rw keystore-reference?
3803 | | | ks:symmetric-key-ref
3804 | | +--rw client-authentication!
3805 | | | {client-auth-config-supported}?
3806 | | | +--rw ca-certs! {x509-certificate-auth}?
3807 | | | | +--rw (local-or-truststore)
3808 | | | | +--:(local)
3809 | | | | | {local-definitions-supporte\
3810 \d}?
3811 | | | | | +--rw local-definition
3812 | | | | | +--rw cert*
3813 | | | | | | trust-anchor-cert-cms
3814 | | | | | +---n certificate-expiration
3815 | | | | | +-- expiration-date
3816 | | | | | yang:date-and-time
3817 | | | | +--:(truststore)
3818 | | | | {truststore-supported,certi\
3819 \ficates}?
3820 | | | | +--rw truststore-reference?
3821 | | | | ts:certificate-bag-ref
3822 | | | +--rw ee-certs! {x509-certificate-auth}?
3823 | | | | +--rw (local-or-truststore)
3824 | | | | +--:(local)
3825 | | | | | {local-definitions-supporte\
3826 \d}?
3827 | | | | | +--rw local-definition
3828 | | | | | +--rw cert*
3829 | | | | | | trust-anchor-cert-cms
3830 | | | | | +---n certificate-expiration
3831 | | | | | +-- expiration-date
3832 | | | | | yang:date-and-time
3833 | | | | +--:(truststore)
3834 | | | | {truststore-supported,certi\
3835 \ficates}?
3836 | | | | +--rw truststore-reference?
3837 | | | | ts:certificate-bag-ref
3838 | | | +--rw raw-public-keys!
3839 | | | | {raw-public-key-auth}?
3840 | | | | +--rw (local-or-truststore)
3841 | | | | +--:(local)
3842 | | | | | {local-definitions-supporte\
3843 \d}?
3844 | | | | | +--rw local-definition
3845 | | | | | +--rw public-key* [name]
3846 | | | | | +--rw name
3847 | | | | | | string
3848 | | | | | +--rw public-key-format
3849 | | | | | | identityref
3850 | | | | | +--rw public-key
3851 | | | | | binary
3852 | | | | +--:(truststore)
3853 | | | | {truststore-supported,publi\
3854 \c-keys}?
3855 | | | | +--rw truststore-reference?
3856 | | | | ts:public-key-bag-ref
3857 | | | +--rw psks! {psk-auth}?
3858 | | +--rw hello-params
3859 | | | {tls-server-hello-params-config}?
3860 | | | +--rw tls-versions
3861 | | | | +--rw tls-version* identityref
3862 | | | +--rw cipher-suites
3863 | | | +--rw cipher-suite* identityref
3864 | | +--rw keepalives {tls-server-keepalives}?
3865 | | +--rw peer-allowed-to-send? empty
3866 | | +--rw test-peer-aliveness!
3867 | | +--rw max-wait? uint16
3868 | | +--rw max-attempts? uint8
3869 | +--rw http-server-parameters
3870 | | +--rw server-name? string
3871 | | +--rw client-authentication!
3872 | | {client-auth-config-supported}?
3873 | | +--rw users
3874 | | +--rw user* [user-id]
3875 | | +--rw user-id string
3876 | | +--rw (auth-type)?
3877 | | +--:(basic)
3878 | | +--rw basic {basic-auth}?
3879 | | +--rw user-id? string
3880 | | +--rw password?
3881 | | ianach:crypt-hash
3882 | +--rw restconf-server-parameters
3883 | +--rw client-identity-mappings
3884 | +--rw cert-to-name* [id]
3885 | +--rw id uint32
3886 | +--rw fingerprint?
3887 | | x509c2n:tls-fingerprint
3888 | +--rw map-type identityref
3889 | +--rw name string
3890 +--rw call-home! {https-call-home}?
3891 +--rw restconf-client* [name]
3892 +--rw name string
3893 +--rw endpoints
3894 | +--rw endpoint* [name]
3895 | +--rw name string
3896 | +--rw (transport)
3897 | +--:(https) {https-listen}?
3898 | +--rw https
3899 | +--rw tcp-client-parameters
3900 | | +--rw remote-address inet:host
3901 | | +--rw remote-port? inet:port-number
3902 | | +--rw local-address? inet:ip-address
3903 | | | {local-binding-supported}?
3904 | | +--rw local-port? inet:port-number
3905 | | | {local-binding-supported}?
3906 | | +--rw keepalives!
3907 | | {keepalives-supported}?
3908 | | +--rw idle-time uint16
3909 | | +--rw max-probes uint16
3910 | | +--rw probe-interval uint16
3911 | +--rw tls-server-parameters
3912 | | +--rw server-identity
3913 | | | +--rw (auth-type)
3914 | | | +--:(certificate)
3915 | | | | {x509-certificate-auth}?
3916 | | | | +--rw certificate
3917 | | | | +--rw (local-or-keystore)
3918 | | | | +--:(local)
3919 | | | | | {local-definiti\
3920 \ons-supported}?
3921 | | | | | +--rw local-definition
3922 | | | | | +--rw public-key-f\
3923 \ormat
3924 | | | | | | identityref
3925 | | | | | +--rw public-key
3926 | | | | | | binary
3927 | | | | | +--rw private-key-\
3928 \format?
3929 | | | | | | identityref
3930 | | | | | +--rw (private-key\
3931 \-type)
3932 | | | | | | +--:(private-ke\
3933 \y)
3934 | | | | | | | +--rw privat\
3935 \e-key?
3936 | | | | | | | bina\
3937 \ry
3938 | | | | | | +--:(hidden-pri\
3939 \vate-key)
3940 | | | | | | | +--rw hidden\
3941 \-private-key?
3942 | | | | | | | empty
3943 | | | | | | +--:(encrypted-\
3944 \private-key)
3945 | | | | | | +--rw encryp\
3946 \ted-private-key
3947 | | | | | | +--rw (ke\
3948 \y-type)
3949 | | | | | | | +--:(s\
3950 \ymmetric-key-ref)
3951 | | | | | | | | +--\
3952 \rw symmetric-key-ref? leafref
3953 | | | | | | | | \
3954 \ {keystore-supported}?
3955 | | | | | | | +--:(a\
3956 \symmetric-key-ref)
3957 | | | | | | | +--\
3958 \rw asymmetric-key-ref? leafref
3959 | | | | | | | \
3961 \ {keystore-supported}?
3962 | | | | | | +--rw val\
3963 \ue?
3964 | | | | | | b\
3965 \inary
3966 | | | | | +--rw cert?
3967 | | | | | | end-entity\
3968 \-cert-cms
3969 | | | | | +---n certificate-\
3970 \expiration
3971 | | | | | | +-- expiration-\
3972 \date
3973 | | | | | | yang:da\
3974 \te-and-time
3975 | | | | | +---x generate-cer\
3976 \tificate-signing-request
3977 | | | | | {certifica\
3978 \te-signing-request-generation}?
3979 | | | | | +---w input
3980 | | | | | | +---w subject
3981 | | | | | | | bina\
3982 \ry
3983 | | | | | | +---w attrib\
3984 \utes?
3985 | | | | | | bina\
3986 \ry
3987 | | | | | +--ro output
3988 | | | | | +--ro certif\
3989 \icate-signing-request
3990 | | | | | ct:c\
3991 \sr
3992 | | | | +--:(keystore)
3993 | | | | {keystore-suppo\
3994 \rted}?
3995 | | | | +--rw keystore-refere\
3996 \nce
3997 | | | | +--rw asymmetric-k\
3998 \ey?
3999 | | | | | ks:asymmet\
4000 \ric-key-ref
4001 | | | | +--rw certificate?\
4002 \ leafref
4003 | | | +--:(raw-private-key)
4004 | | | | {raw-public-key-auth}?
4005 | | | | +--rw raw-private-key
4006 | | | | +--rw (local-or-keystore)
4007 | | | | +--:(local)
4008 | | | | | {local-definiti\
4010 \ons-supported}?
4011 | | | | | +--rw local-definition
4012 | | | | | +--rw public-key-f\
4013 \ormat
4014 | | | | | | identityref
4015 | | | | | +--rw public-key
4016 | | | | | | binary
4017 | | | | | +--rw private-key-\
4018 \format?
4019 | | | | | | identityref
4020 | | | | | +--rw (private-key\
4021 \-type)
4022 | | | | | +--:(private-ke\
4023 \y)
4024 | | | | | | +--rw privat\
4025 \e-key?
4026 | | | | | | bina\
4027 \ry
4028 | | | | | +--:(hidden-pri\
4029 \vate-key)
4030 | | | | | | +--rw hidden\
4031 \-private-key?
4032 | | | | | | empty
4033 | | | | | +--:(encrypted-\
4034 \private-key)
4035 | | | | | +--rw encryp\
4036 \ted-private-key
4037 | | | | | +--rw (ke\
4038 \y-type)
4039 | | | | | | +--:(s\
4040 \ymmetric-key-ref)
4041 | | | | | | | +--\
4042 \rw symmetric-key-ref? leafref
4043 | | | | | | | \
4044 \ {keystore-supported}?
4045 | | | | | | +--:(a\
4046 \symmetric-key-ref)
4047 | | | | | | +--\
4048 \rw asymmetric-key-ref? leafref
4049 | | | | | | \
4050 \ {keystore-supported}?
4051 | | | | | +--rw val\
4052 \ue?
4053 | | | | | b\
4054 \inary
4055 | | | | +--:(keystore)
4056 | | | | {keystore-suppo\
4057 \rted}?
4058 | | | | +--rw keystore-refere\
4059 \nce?
4060 | | | | ks:asymmetric\
4061 \-key-ref
4062 | | | +--:(psk) {psk-auth}?
4063 | | | +--rw psk
4064 | | | +--rw (local-or-keystore)
4065 | | | +--:(local)
4066 | | | | {local-definiti\
4067 \ons-supported}?
4068 | | | | +--rw local-definition
4069 | | | | +--rw key-format?
4070 | | | | | identityref
4071 | | | | +--rw (key-type)
4072 | | | | | +--:(key)
4073 | | | | | | +--rw key?
4074 | | | | | | bina\
4075 \ry
4076 | | | | | +--:(hidden-key)
4077 | | | | | | +--rw hidden\
4078 \-key?
4079 | | | | | | empty
4080 | | | | | +--:(encrypted-\
4081 \key)
4082 | | | | | +--rw encryp\
4083 \ted-key
4084 | | | | | +--rw (ke\
4085 \y-type)
4086 | | | | | | +--:(s\
4087 \ymmetric-key-ref)
4088 | | | | | | | +--\
4089 \rw symmetric-key-ref? leafref
4090 | | | | | | | \
4091 \ {keystore-supported}?
4092 | | | | | | +--:(a\
4093 \symmetric-key-ref)
4094 | | | | | | +--\
4095 \rw asymmetric-key-ref? leafref
4096 | | | | | | \
4097 \ {keystore-supported}?
4098 | | | | | +--rw val\
4099 \ue?
4100 | | | | | b\
4101 \inary
4102 | | | | +--rw id?
4103 | | | | string
4104 | | | | {ks:local-\
4105 \definitions-supported}?
4106 | | | +--:(keystore)
4107 | | | {keystore-suppo\
4108 \rted}?
4109 | | | +--rw keystore-refere\
4110 \nce?
4111 | | | ks:symmetric-\
4112 \key-ref
4113 | | +--rw client-authentication!
4114 | | | {client-auth-config-supported}?
4115 | | | +--rw ca-certs!
4116 | | | | {x509-certificate-auth}?
4117 | | | | +--rw (local-or-truststore)
4118 | | | | +--:(local)
4119 | | | | | {local-definitions-su\
4120 \pported}?
4121 | | | | | +--rw local-definition
4122 | | | | | +--rw cert*
4123 | | | | | | trust-anchor-cer\
4124 \t-cms
4125 | | | | | +---n certificate-expira\
4126 \tion
4127 | | | | | +-- expiration-date
4128 | | | | | yang:date-and\
4129 \-time
4130 | | | | +--:(truststore)
4131 | | | | {truststore-supported\
4132 \,certificates}?
4133 | | | | +--rw truststore-reference?
4134 | | | | ts:certificate-bag-\
4135 \ref
4136 | | | +--rw ee-certs!
4137 | | | | {x509-certificate-auth}?
4138 | | | | +--rw (local-or-truststore)
4139 | | | | +--:(local)
4140 | | | | | {local-definitions-su\
4141 \pported}?
4142 | | | | | +--rw local-definition
4143 | | | | | +--rw cert*
4144 | | | | | | trust-anchor-cer\
4145 \t-cms
4146 | | | | | +---n certificate-expira\
4147 \tion
4148 | | | | | +-- expiration-date
4149 | | | | | yang:date-and\
4150 \-time
4151 | | | | +--:(truststore)
4152 | | | | {truststore-supported\
4153 \,certificates}?
4154 | | | | +--rw truststore-reference?
4155 | | | | ts:certificate-bag-\
4156 \ref
4157 | | | +--rw raw-public-keys!
4158 | | | | {raw-public-key-auth}?
4159 | | | | +--rw (local-or-truststore)
4160 | | | | +--:(local)
4161 | | | | | {local-definitions-su\
4162 \pported}?
4163 | | | | | +--rw local-definition
4164 | | | | | +--rw public-key* [name]
4165 | | | | | +--rw name
4166 | | | | | | string
4167 | | | | | +--rw public-key-form\
4168 \at
4169 | | | | | | identityref
4170 | | | | | +--rw public-key
4171 | | | | | binary
4172 | | | | +--:(truststore)
4173 | | | | {truststore-supported\
4174 \,public-keys}?
4175 | | | | +--rw truststore-reference?
4176 | | | | ts:public-key-bag-r\
4177 \ef
4178 | | | +--rw psks! {psk-auth}?
4179 | | +--rw hello-params
4180 | | | {tls-server-hello-params-config\
4181 \}?
4182 | | | +--rw tls-versions
4183 | | | | +--rw tls-version* identityref
4184 | | | +--rw cipher-suites
4185 | | | +--rw cipher-suite* identityref
4186 | | +--rw keepalives
4187 | | {tls-server-keepalives}?
4188 | | +--rw peer-allowed-to-send? empty
4189 | | +--rw test-peer-aliveness!
4190 | | +--rw max-wait? uint16
4191 | | +--rw max-attempts? uint8
4192 | +--rw http-server-parameters
4193 | | +--rw server-name? string
4194 | | +--rw client-authentication!
4195 | | {client-auth-config-supported}?
4196 | | +--rw users
4197 | | +--rw user* [user-id]
4198 | | +--rw user-id string
4199 | | +--rw (auth-type)?
4200 | | +--:(basic)
4201 | | +--rw basic {basic-auth}?
4202 | | +--rw user-id?
4203 | | | string
4204 | | +--rw password?
4205 | | ianach:crypt-\
4206 \hash
4207 | +--rw restconf-server-parameters
4208 | +--rw client-identity-mappings
4209 | +--rw cert-to-name* [id]
4210 | +--rw id uint32
4211 | +--rw fingerprint?
4212 | | x509c2n:tls-fingerprint
4213 | +--rw map-type identityref
4214 | +--rw name string
4215 +--rw connection-type
4216 | +--rw (connection-type)
4217 | +--:(persistent-connection)
4218 | | +--rw persistent!
4219 | +--:(periodic-connection)
4220 | +--rw periodic!
4221 | +--rw period? uint16
4222 | +--rw anchor-time? yang:date-and-time
4223 | +--rw idle-timeout? uint16
4224 +--rw reconnect-strategy
4225 +--rw start-with? enumeration
4226 +--rw max-attempts? uint8
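As an added example (not part of the draft or its YANG modules), the following Python audits a constructed JSON instance of the 'ietf-restconf-server' model shown in the tree above: it checks the mandatory leaves and single-case choices the diagram marks, flags a plaintext 'http' listen endpoint, and flags HTTP basic-auth passwords stored with the cleartext '$0$' prefix of the 'ianach:crypt-hash' type (RFC 7317). The endpoint names, keystore and truststore names, addresses and user are all constructed values.

```python
"""Audit a RESTCONF server configuration against the 'ietf-restconf-server'
tree diagram (added example, not code from the draft).

Rules encoded from the diagram: a leaf without '?' is mandatory, exactly one
case of a '(choice)' may be present, and '!' marks a presence container.  The
'$0$' cleartext prefix of the 'ianach:crypt-hash' type is defined in RFC 7317.
"""

# Constructed sample instance: one HTTPS endpoint (keystore-referenced server
# certificate, truststore-referenced CA bag, one basic-auth user) and one
# plaintext HTTP endpoint of the kind the model allows behind a TLS terminator.
SAMPLE_CONFIG = {
    "ietf-restconf-server:restconf-server": {
        "listen": {"endpoint": [
            {"name": "mgmt-https", "https": {
                "tcp-server-parameters": {"local-address": "192.0.2.10",
                                          "local-port": 443},
                "tls-server-parameters": {
                    "server-identity": {"certificate": {"keystore-reference": {
                        "asymmetric-key": "rc-server-key",
                        "certificate": "rc-server-cert"}}},
                    "client-authentication": {
                        "ca-certs": {"truststore-reference": "operator-ca-bag"}}},
                "http-server-parameters": {"client-authentication": {"users": {
                    "user": [{"user-id": "admin",
                              "basic": {"password": "$0$hunter2"}}]}}},
                "restconf-server-parameters": {"client-identity-mappings": {
                    # map-type identity 'specified' is from RFC 7407
                    "cert-to-name": [{"id": 1, "map-type": "x509c2n:specified",
                                      "name": "admin"}]}}}},
            {"name": "behind-terminator", "http": {
                "tcp-server-parameters": {"local-address": "127.0.0.1",
                                          "local-port": 8080}}},
        ]}}}

# Cases of the '(auth-type)' choice under server-identity and the presence
# containers under client-authentication, as listed in the tree diagram.
SERVER_IDENTITY_CASES = ("certificate", "raw-private-key", "psk")
CLIENT_AUTH_SOURCES = ("ca-certs", "ee-certs", "raw-public-keys", "psks")


def audit_endpoint(ep):
    """Return a list of (severity, message) findings for one listen endpoint."""
    findings = []
    name = ep.get("name", "<unnamed>")
    # '(transport)' choice: exactly one of the 'http' / 'https' cases.
    transports = [t for t in ("http", "https") if t in ep]
    if len(transports) != 1:
        findings.append(("error", f"{name}: exactly one (transport) case "
                                  f"is required, found {transports}"))
        return findings
    transport = transports[0]
    stack = ep[transport]
    # 'local-address' has no '?' in the diagram, so it is mandatory.
    if "local-address" not in stack.get("tcp-server-parameters", {}):
        findings.append(("error", f"{name}: tcp-server-parameters/"
                                  "local-address is mandatory"))
    if transport == "http":
        findings.append(("warn", f"{name}: plaintext http transport; only "
                                 "acceptable behind a TLS terminator"))
    else:
        tls = stack.get("tls-server-parameters", {})
        ident = tls.get("server-identity", {})
        cases = [c for c in SERVER_IDENTITY_CASES if c in ident]
        if len(cases) != 1:
            findings.append(("error", f"{name}: server-identity needs exactly "
                                      f"one (auth-type) case, found {cases}"))
        if "client-authentication" not in tls:
            findings.append(("warn", f"{name}: no TLS client-authentication "
                                     "configured"))
        elif not [s for s in CLIENT_AUTH_SOURCES
                  if s in tls["client-authentication"]]:
            findings.append(("warn", f"{name}: client-authentication present "
                                     "but no trust source configured"))
    # HTTP basic-auth passwords are 'ianach:crypt-hash'; '$0$' means cleartext.
    users = (stack.get("http-server-parameters", {})
             .get("client-authentication", {}).get("users", {}).get("user", []))
    for user in users:
        if user.get("basic", {}).get("password", "").startswith("$0$"):
            findings.append(("warn", f"{name}: user {user.get('user-id')} "
                                     "password stored cleartext ($0$ crypt-hash)"))
    # cert-to-name entries: 'id', 'map-type' and 'name' carry no '?'.
    mappings = (stack.get("restconf-server-parameters", {})
                .get("client-identity-mappings", {}).get("cert-to-name", []))
    for entry in mappings:
        for leaf in ("id", "map-type", "name"):
            if leaf not in entry:
                findings.append(("error", f"{name}: cert-to-name entry is "
                                          f"missing mandatory '{leaf}'"))
    return findings


def audit_config(cfg):
    """Audit every listen endpoint in an 'ietf-restconf-server' instance."""
    server = cfg["ietf-restconf-server:restconf-server"]
    findings = []
    for ep in server.get("listen", {}).get("endpoint", []):
        findings.extend(audit_endpoint(ep))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```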
4228 Appendix B. Change Log
4230 B.1. 00 to 01
4232 o Renamed "keychain" to "keystore".
4234 B.2. 01 to 02
4236 o Filled in previously missing 'ietf-restconf-client' module.
4238 o Updated the ietf-restconf-server module to accommodate new
4239 grouping 'ietf-tls-server-grouping'.
4241 B.3. 02 to 03
4243 o Refined use of tls-client-grouping to add a must statement
4244 indicating that the TLS client must specify a client-certificate.
4246 o Changed restconf-client??? to be a grouping (not a container).
4248 B.4. 03 to 04
4250 o Added RFC 8174 to Requirements Language Section.
4252 o Replaced refine statement in ietf-restconf-client to add a
4253 mandatory true.
4255 o Added refine statement in ietf-restconf-server to add a must
4256 statement.
4258 o Now there are containers and groupings, for both the client and
4259 server models.
4261 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
4263 o Updated examples to inline key and certificates (no longer a
4264 leafref to keystore)
4266 B.5. 04 to 05
4268 o Now tree diagrams reference ietf-netmod-yang-tree-diagrams
4270 o Updated examples to inline key and certificates (no longer a
4271 leafref to keystore)
4273 B.6. 05 to 06
4275 o Fixed change log missing section issue.
4277 o Updated examples to match latest updates to the crypto-types,
4278 trust-anchors, and keystore drafts.
4280 o Reduced line length of the YANG modules to fit within 69 columns.
4282 B.7. 06 to 07
4284 o Removed "idle-timeout" from "persistent" connection config.
4286 o Added "random-selection" for reconnection-strategy's "starts-with"
4287 enum.
4289 o Replaced "connection-type" choice default (persistent) with
4290 "mandatory true".
4292 o Reduced the periodic-connection's "idle-timeout" from 5 to 2
4293 minutes.
4295 o Replaced reconnect-timeout with period/anchor-time combo.
4297 B.8. 07 to 08
4299 o Modified examples to be compatible with new crypto-types algs
4301 B.9. 08 to 09
4303 o Corrected use of "mandatory true" for "address" leafs.
4305 o Updated examples to reflect update to groupings defined in the
4306 keystore draft.
4308 o Updated to use groupings defined in new TCP and HTTP drafts.
4310 o Updated copyright date, boilerplate template, affiliation, and
4311 folding algorithm.
4313 B.10. 09 to 10
4315 o Reformatted YANG modules.
4317 B.11. 10 to 11
4319 o Adjusted for the top-level "demux container" added to groupings
4320 imported from other modules.
4322 o Added "must" expressions to ensure that keepalives are not
4323 configured for "periodic" connections.
4325 o Updated the boilerplate text in module-level "description"
4326 statement to match copyeditor convention.
4328 o Moved "expanded" tree diagrams to the Appendix.
4330 B.12. 11 to 12
4332 o Removed the 'must' statement limiting keepalives in periodic
4333 connections.
4335 o Updated models and examples to reflect removal of the "demux"
4336 containers in the imported models.
4338 o Updated the "periodic-connection" description statements to
4339 better describe behavior when connections are not closed
4340 gracefully.
4342 o Updated text to better reference where certain examples come from
4343 (e.g., which Section in which draft).
4345 o In the server model, commented out the "must 'pinned-ca-certs or
4346 pinned-client-certs'" statement to reflect change made in the TLS
4347 draft whereby the trust anchors MAY be defined externally.
4349 o Replaced the 'listen', 'initiate', and 'call-home' features with
4350 boolean expressions.
4352 B.13. 12 to 13
4354 o Updated to reflect changes in trust-anchors drafts (e.g., s/trust-
4355 anchors/truststore/g + s/pinned.//)
4357 o In ietf-restconf-server, Added 'http-listen' (not https-listen)
4358 choice, to support case when server is behind a TLS-terminator.
4360 o Refactored server module to be more like other 'server' models.
4361 If folks like it, will also apply to the client model, as well as
4362 to both the netconf client/server models. Now the 'restconf-
4363 server-grouping' is just the RC-specific bits (i.e., the "demux"
4364 container minus the container), 'restconf-server-
4365 [listen|callhome]-stack-grouping' is the protocol stack for a
4366 single connection, and 'restconf-server-app-grouping' is
4367 effectively what was before (both listen+callhome for many
4368 inbound/outbound endpoints).
4370 B.14. 13 to 14
4372 o Updated examples to reflect ietf-crypto-types change (e.g.,
4373 identities --> enumerations)
4375 o Adjusting from change in TLS client model (removing the top-level
4376 'certificate' container).
4378 o Added "external-endpoint" to the "http-listen" choice in ietf-
4379 restconf-server.
4381 B.15. 14 to 15
4383 o Added missing "or https-listen" clause in a "must" expression.
4385 o Refactored the client module similar to how the server module was
4386 refactored in -13. Now the 'restconf-client-grouping' is just the
4387 RC-specific bits, the 'restconf-client-[initiate|listen]-stack-
4388 grouping' is the protocol stack for a single connection, and
4389 'restconf-client-app-grouping' is effectively what was before
4390 (both listen+callhome for many inbound/outbound endpoints).
4392 B.16. 15 to 16
4394 o Added refinement to make "cert-to-name/fingerprint" be mandatory
4395 false.
4397 o Commented out refinement to "tls-server-grouping/client-
4398 authentication" until a better "must" expression is defined.
4400 o Updated restconf-client example to reflect that http-client-
4401 grouping no longer has a "protocol-version" leaf.
4403 B.17. 16 to 17
4405 o Updated examples to include the "*-key-format" nodes.
4407 o Updated examples to remove the "required" nodes.
4409 B.18. 17 to 18
4411 o Updated examples to reflect new "bag" addition to truststore.
4413 B.19. 18 to 19
4415 o Updated examples to remove the 'algorithm' nodes.
4417 o Updated examples to reflect the new TLS keepalives structure.
4419 o Removed the 'protocol-versions' node from the restconf-server
4420 examples.
4422 o Added a "Note to Reviewers" note to first page.
4424 Acknowledgements
4426 The authors would like to thank the following for lively discussions
4427 on list and in the halls (ordered by last name): Andy Bierman, Martin
4428 Bjorklund, Benoit Claise, Mehmet Ersue, Ramkumar Dhanapal, Balazs
4429 Kovacs, Radek Krejci, David Lamparter, Ladislav Lhotka, Alan Luchuk,
4430 Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, Bert
4431 Wijnen.
4433 Author's Address
4435 Kent Watsen
4436 Watsen Networks
4438 EMail: kent+ietf@watsen.net