idnits 2.17.1

draft-ietf-netmod-factory-default-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 3 instances of too long lines in the document, the longest one
     being 5 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 17, 2019) is 1623 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC6421' is mentioned on line 205, but not defined

  == Missing Reference: 'RFC3688' is mentioned on line 286, but not defined

  == Missing Reference: 'RFC6020' is mentioned on line 296, but not defined

  == Missing Reference: 'RFC6241' is mentioned on line 309, but not defined

  == Missing Reference: 'RFC8040' is mentioned on line 309, but not defined

  == Missing Reference: 'RFC6242' is mentioned on line 311, but not defined

  == Missing Reference: 'RFC8446' is mentioned on line 313, but not defined

  == Missing Reference: 'RFC8573' is mentioned on line 391, but not defined

  == Unused Reference: 'I-D.ietf-netmod-yang-instance-file-format' is defined
     on line 372, but no explicit reference was found in the text

  == Unused Reference: 'RFC8572' is defined on line 377, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-21) exists of
     draft-ietf-netmod-yang-instance-file-format-04

     Summary: 1 error (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    NETMOD Working Group                                           Q. Wu
3    Internet-Draft                                                Huawei
4    Intended status: Standards Track                          B. Lengyel
5    Expires: May 20, 2020                               Ericsson Hungary
6                                                                  Y. Niu
7                                                                  Huawei
8                                                       November 17, 2019

10                         Factory Default Setting
11                   draft-ietf-netmod-factory-default-07

13   Abstract

15      This document defines a method to reset a server to its factory-
16      default content.  The reset operation may be used, e.g., when the
17      existing configuration has major errors so re-starting the
18      configuration process from scratch is the best option.

20      A new factory-reset RPC is defined.  When resetting a datastore, all
21      previous configuration settings will be lost and replaced by the
22      factory-default content.

24      A new optional "factory-default" read-only datastore is defined, that
25      contains the data that will be copied over to the running datastore
26      at reset.

28   Status of This Memo

30      This Internet-Draft is submitted in full conformance with the
31      provisions of BCP 78 and BCP 79.

33      Internet-Drafts are working documents of the Internet Engineering
34      Task Force (IETF).  Note that other groups may also distribute
35      working documents as Internet-Drafts.  The list of current Internet-
36      Drafts is at https://datatracker.ietf.org/drafts/current/.

38      Internet-Drafts are draft documents valid for a maximum of six months
39      and may be updated, replaced, or obsoleted by other documents at any
40      time.  It is inappropriate to use Internet-Drafts as reference
41      material or to cite them other than as "work in progress."

43      This Internet-Draft will expire on May 20, 2020.

45   Copyright Notice

47      Copyright (c) 2019 IETF Trust and the persons identified as the
48      document authors.  All rights reserved.

50      This document is subject to BCP 78 and the IETF Trust's Legal
51      Provisions Relating to IETF Documents
52      (https://trustee.ietf.org/license-info) in effect on the date of
53      publication of this document.  Please review these documents
54      carefully, as they describe your rights and restrictions with respect
55      to this document.  Code Components extracted from this document must
56      include Simplified BSD License text as described in Section 4.e of
57      the Trust Legal Provisions and are provided without warranty as
58      described in the Simplified BSD License.

60   Table of Contents

62      1.  Introduction
63        1.1.  Terminology
64      2.  Factory-Reset RPC
65      3.  Factory-Default Datastore
66      4.  YANG Module
67      5.  IANA Considerations
68      6.  Security Considerations
69      7.  Acknowledgements
70      8.  Contributors
71      9.  References
72        9.1.  Normative References
73        9.2.  Informative References
74      Appendix A.  Changes between revisions
75      Authors' Addresses

77   1.  Introduction

79      This document defines a method to reset a server to its factory-
80      default content.  The reset operation may be used, e.g., when the
81      existing configuration has major errors so re-starting the
82      configuration process from scratch is the best option.

84      A factory-reset RPC is defined.  When resetting a datastore, all
85      previous configuration settings will be lost and replaced by the
86      factory-default content.

88      A "factory-default" read-only datastore is defined, that contains the
89      data to replace the contents of implemented read-write conventional
90      configuration datastores at reset.  This datastore can also be used
91      in operation.

93      NETCONF defines the RPC operation, but that only acts
94      on the , whereas the RPC operation
95      can perform additional changes to the device to fully reset the
96      device back to a factory-default state.

98      The YANG data model in this document conforms to the Network
99      Management Datastore Architecture defined in [RFC8342].

101  1.1.  Terminology

103     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
104     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
105     "OPTIONAL" in this document are to be interpreted as described in BCP
106     14 [RFC2119] [RFC8174] when, and only when, they appear in all
107     capitals, as shown here.

109     The following terms are defined in [RFC8342] [RFC7950] and are not
110     redefined here:

112     o  server

114     o  startup configuration datastore

116     o  candidate configuration datastore

118     o  running configuration datastore

120     o  intended configuration datastore

122     o  operational state datastore

124     o  conventional configuration datastore

126     o  RPC operation

128     The following terms are defined in this document as follows:

130     o  factory-default datastore: A read-only configuration datastore
131        holding a preconfigured minimal initial configuration that can be
132        used to initialize the configuration of a server.  The content of
133        the datastore is usually static, but MAY depend on external
134        factors like available HW.

136  2.  Factory-Reset RPC

138     A new "factory-reset" RPC is introduced.  Upon receiving the RPC:
139     o  All supported conventional read-write configuration datastores
140        (i.e. , , and ) are all reset to the
141        contents of .

143     o  Read-only datastores receive their content from other
144        datastores (e.g. gets its content from ).

146     o  All data in any ephemeral datastores MUST be discarded.

148     o  The contents of the datastore MUST be reset back to
149        an appropriate factory-default state.

151     In addition, the "factory-reset" RPC MUST restore storage to factory
152     condition, including removing log files and temporary files (from
153     datastore or elsewhere).  It MUST also remove security credentials
154     and restore default security settings, including removing
155     certificates and keys, zeroing passwords, etc.  The process invoked by
156     the "factory-reset" RPC SHOULD zero/pattern-write, then remove,
157     sensitive files such as the TLS keys, configuration stores, etc.  The
158     "factory-reset" RPC MAY also be used to trigger some other resetting
159     tasks such as restarting the node or some of the software processes.

161  3.  Factory-Default Datastore

163     Following the guidelines for defining datastores in Appendix A of
164     [RFC8342], this document introduces a new optional datastore resource
165     named 'factory-default' that represents a preconfigured minimal
166     initial configuration that can be used to initialize the
167     configuration of a server.  A device MAY only implement the
168     RPC without implementing the 'factory-default' datastore,
169     which makes it lose the ability to see what configuration the device
170     would be reset back to.

172     o  Name: "factory-default"

174     o  YANG modules: all

176     o  YANG nodes: all "config true" data nodes

178     o  Management operations: The content of the datastore is set by the
179        server in an implementation dependent manner.  The content can not
180        be changed by management operations via NETCONF, RESTCONF, the CLI,
181        etc. unless specialized, dedicated operations are provided.  The
182        datastore can be read using the standard NETCONF/RESTCONF protocol
183        operations.  The operation copies the factory
184        default content to and, if present, and then
185        the content of these datastores is propagated automatically to any
186        other read only datastores, e.g., and .

188     o  Origin: This document does not define a new origin identity as it
189        does not interact with datastore.

191     o  Protocols: RESTCONF, NETCONF and other management protocols.

193     o  Defining YANG module: "ietf-factory-default".

195     The datastore content is usually defined by the device vendor.  It is
196     usually static, but MAY change, e.g., depending on external factors
197     like HW available or during device upgrade.

199     The contents of MUST persist across device
200     restarts.

202  4.  YANG Module

204     This module imports typedefs from [RFC8342], and it references
205     [RFC6421], [RFC8341].

207     file "ietf-factory-default.yang"
208     module ietf-factory-default {
209       yang-version 1.1;
210       namespace "urn:ietf:params:xml:ns:yang:ietf-factory-default";
211       prefix fd;

213       import ietf-datastores {
214         prefix ds;
215       }
216       import ietf-netconf-acm {
217         prefix nacm;
218       }

220       organization
221         "IETF NETMOD (Network Modeling) Working Group";
222       contact
223         "WG Web:
224          WG List:

226          Editor: Qin Wu
227
228          Editor: Balazs Lengyel
229
230          Editor: Ye Niu
231          ";
232       description
233         "This module defines the
234          - factory-reset RPC
235          - factory-default datastore
236          It provides functionality to reset a server to its
237          factory-default content.

239          Copyright (c) 2019 IETF Trust and the persons identified as
240          authors of the code. All rights reserved.

242          Redistribution and use in source and binary forms, with or
243          without modification, is permitted pursuant to, and subject
244          to the license terms contained in, the Simplified BSD License
245          set forth in Section 4.c of the IETF Trust's Legal Provisions
246          Relating to IETF Documents
247          (http://trustee.ietf.org/license-info).

249          This version of this YANG module is part of RFC XXXX;
250          see the RFC itself for full legal notices.";

252       revision 2019-05-03 {
253         description
254           "Initial revision.";
255         reference
256           "RFC XXXX: Factory default Setting";
257       }

259       feature factory-default-datastore {
260         description
261           "Indicates that the factory default configuration is
262            available as a datastore.";
263       }

265       rpc factory-reset {
266         nacm:default-deny-all;
267         description
268           "The server resets the content of all read-write
269            configuration datastores (i.e., , ) to
270            their factory default content.";
271       }

273       identity factory-default {
274         if-feature "factory-default-datastore";
275         base ds:datastore;
276         description
277           "This read-only datastore contains the configuration data used to
278            replace the contents of the read-write conventional configuration
279            datastores during a factory-reset RPC operation.";
280       }
281     }

283
284  5.  IANA Considerations

286     This document registers one URI in the IETF XML Registry [RFC3688].
287     The following registration has been made:

289        URI: urn:ietf:params:xml:ns:yang:ietf-factory-default

291        Registrant Contact: The IESG.

293        XML: N/A, the requested URI is an XML namespace.

295     This document registers one YANG module in the YANG Module Names
296     Registry [RFC6020].  The following registration has been made:

298        name: ietf-factory-default

300        namespace: urn:ietf:params:xml:ns:yang:ietf-factory-default

302        prefix: fd

304        RFC: xxxx

306  6.  Security Considerations

308     The YANG module defined in this document extends the base operations
309     for NETCONF [RFC6241] and RESTCONF [RFC8040].  The lowest NETCONF
310     layer is the secure transport layer, and the mandatory-to-implement
311     secure transport is Secure Shell (SSH) [RFC6242].  The lowest
312     RESTCONF layer is HTTPS, and the mandatory-to-implement secure
313     transport is TLS [RFC8446].
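
Added example (not part of the draft or of any implementation): a simplified Python model of RFC 8341 RPC "exec" authorization, showing how the nacm:default-deny-all statement on the factory-reset RPC in the YANG module above keeps the RPC denied unless an explicit rule permits it. Group, rule and policy names are constructed for illustration, and only RPC rules are modelled.

```python
# Simplified model of RFC 8341 (NACM) RPC "exec" authorization.
# Group names and rule names below are constructed samples.
from dataclasses import dataclass, field

# RPCs whose YANG definition carries nacm:default-deny-all (from the module above).
DEFAULT_DENY_ALL = {("ietf-factory-default", "factory-reset")}


@dataclass
class Rule:
    name: str
    module: str          # "*" matches any module
    rpc: str             # "*" matches any RPC
    action: str          # "permit" or "deny"
    ops: frozenset = frozenset({"exec"})


@dataclass
class RuleList:
    groups: set          # "*" matches any group
    rules: list = field(default_factory=list)


def exec_allowed(user_groups, module, rpc, rule_lists,
                 exec_default="permit", recovery_session=False):
    """Return (allowed, reason) for one RPC invocation."""
    if recovery_session:
        return True, "recovery session bypasses NACM"
    for rl in rule_lists:                      # rule-lists are evaluated in order
        if not ("*" in rl.groups or rl.groups & set(user_groups)):
            continue
        for r in rl.rules:                     # first matching rule decides
            if (r.module in ("*", module) and r.rpc in ("*", rpc)
                    and ("exec" in r.ops or "*" in r.ops)):
                return r.action == "permit", f"rule {r.name}"
    if (module, rpc) in DEFAULT_DENY_ALL:      # consulted only when no rule matched
        return False, "nacm:default-deny-all"
    return exec_default == "permit", f"exec-default {exec_default}"


def sample_policy():
    # Constructed policy: only the "reset-admins" group may run factory-reset.
    return [
        RuleList({"reset-admins"}, [
            Rule("allow-reset", "ietf-factory-default", "factory-reset", "permit")]),
        RuleList({"*"}, [
            Rule("no-reset", "ietf-factory-default", "*", "deny")]),
    ]
```

A catch-all permit rule (module "*", rpc "*") also grants factory-reset, because default-deny-all is consulted only when no rule matches; such rules are worth auditing when this module is deployed.
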

315     The RPC operation may be considered sensitive in some
316     network environments, e.g., remote access to reset the device or
317     overwrite security sensitive information in one of the other
318     datastores, e.g. running, therefore it is important to restrict
319     access to this RPC using the standard access control methods
320     [RFC8341].

322     The 'factory-reset' RPC can prevent any further management of the
323     device if the session and client config is included in the factory-
324     reset contents.

326     The operational disruption caused by setting the config to factory-
327     reset contents varies greatly depending on the implementation and
328     current config.

330  7.  Acknowledgements

332     Thanks to Juergen Schoenwaelder, Ladislav Lhotka, Alex Campbell, Joe
333     Clarke, Robert Wilton, Kent Watsen, Joel Jaeggli, Lou Berger, Andy
334     Bierman, Susan Hares for reviewing this draft and providing important
335     input to this document.

337  8.  Contributors

339     Rohit R Ranade
340     Huawei
341     Email: rohitrranade@huawei.com

343  9.  References

345  9.1.  Normative References

347     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
348                Requirement Levels", BCP 14, RFC 2119,
349                DOI 10.17487/RFC2119, March 1997,
350                .

352     [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
353                RFC 7950, DOI 10.17487/RFC7950, August 2016,
354                .

356     [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
357                2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
358                May 2017, .

360     [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
361                Access Control Model", STD 91, RFC 8341,
362                DOI 10.17487/RFC8341, March 2018,
363                .

365     [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
366                and R. Wilton, "Network Management Datastore Architecture
367                (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
368                .

370  9.2.  Informative References

372     [I-D.ietf-netmod-yang-instance-file-format]
373                Lengyel, B. and B. Claise, "YANG Instance Data File
374                Format", draft-ietf-netmod-yang-instance-file-format-04
375                (work in progress), August 2019.

377     [RFC8572]  Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero
378                Touch Provisioning (SZTP)", RFC 8572,
379                DOI 10.17487/RFC8572, April 2019,
380                .

382  Appendix A.  Changes between revisions

384     Editorial Note (To be removed by RFC Editor)

386     v06 - 07

388     o  Remove Factory-default content specification;

390     o  Remove reference to YANG instance data file format and zero touch
391        provision [RFC8573];

393     o  Remove copy-config operation extension on factory-default
394        datastore

396     v05 - 06

398     o  Additional text to enhance security section.

400     o  Add nacm:default-deny-all on "factory-reset" RPC.

402     o  A few clarifications on Factory-default content specification.

404     v03 - 04

406     o  Additional text to clarify factory-reset RPC usage.

408     v02 - 03

410     o  Update security consideration section.

412     v01 - v02

414     o  Address security issue in the security consideration section.

416     o  Remove an extension to the NETCONF operation which
417        allows it to operate on the factory-default datastore.

419     o  Add an extension to the NETCONF operation which
420        allows it to operate on the factory-default datastore.

422     v00 - v01

424     o  Change YANG server into server defined in NMDA architecture based
425        on discussion.

427     o  Allow reset of the content of all read-write configuration
428        datastores to its factory-default content except .

430     o  Add clarification text on factory-reset protocol operation
431        behavior.

433     v03 - v00

435     o  Change draft name from draft-wu to draft-ietf-netmod-factory-
436        default-00 without content changes.

438     v02 - v03

440     o  Change reset-datastore RPC into factory-reset RPC to allow reset
441        of the whole device with factory default content.

443     o  Remove target datastore parameter from factory-reset RPC.

445     o  Other editorial changes.

447     v01 - v02

449     o  Add copy-config based on Rob's comment.

451     o  Reference Update.

453     v03 - v00 - v01

455     o  Changed name from draft-wu-netconf-restconf-factory-restore to
456        draft-wu-netmod-factory-default

458     o  Removed copy-config ; reset-datastore is enough

460     v02 - v03

462     o  Restructured

464     o  Made new datastore optional

466     o  Removed Netconf capability
467     o  Listed Open issues

469     v01 - v02

471     o  -

473     v00 - v01

475     o  -

477  Authors' Addresses

479     Qin Wu
480     Huawei
481     101 Software Avenue, Yuhua District
482     Nanjing, Jiangsu 210012
483     China

485     Email: bill.wu@huawei.com

487     Balazs Lengyel
488     Ericsson Hungary
489     Magyar Tudosok korutja 11
490     1117 Budapest
491     Hungary

493     Phone: +36-70-330-7909
494     Email: balazs.lengyel@ericsson.com

496     Ye Niu
497     Huawei

499     Email: niuye@huawei.com