idnits 2.17.1

draft-ietf-netmod-factory-default-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 2 instances of too long lines in the document, the longest one
     being 2 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 4, 2019) is 1597 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC6421' is mentioned on line 208, but not defined

  == Missing Reference: 'RFC3688' is mentioned on line 292, but not defined

  == Missing Reference: 'RFC6020' is mentioned on line 302, but not defined

  == Missing Reference: 'RFC6241' is mentioned on line 315, but not defined

  == Missing Reference: 'RFC8040' is mentioned on line 315, but not defined

  == Missing Reference: 'RFC6242' is mentioned on line 317, but not defined

  == Missing Reference: 'RFC8446' is mentioned on line 319, but not defined

  == Missing Reference: 'RFC8573' is mentioned on line 398, but not defined

  == Unused Reference: 'I-D.ietf-netmod-yang-instance-file-format' is defined
     on line 377, but no explicit reference was found in the text

  == Outdated reference: A later version (-21) exists of
     draft-ietf-netmod-yang-instance-file-format-06

     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    NETMOD Working Group                                              Q. Wu
3    Internet-Draft                                                   Huawei
4    Intended status: Standards Track                             B. Lengyel
5    Expires: June 6, 2020                                  Ericsson Hungary
6                                                                     Y. Niu
7                                                                     Huawei
8                                                           December 4, 2019

10                          Factory Default Setting
11                    draft-ietf-netmod-factory-default-08

13   Abstract

15      This document defines a method to reset a server to its factory-
16      default content. The reset operation may be used, e.g., when the
17      existing configuration has major errors so re-starting the
18      configuration process from scratch is the best option.

20      A new factory-reset RPC is defined. When resetting a datastore, all
21      previous configuration settings will be lost and replaced by the
22      factory-default content.

24      A new optional "factory-default" read-only datastore is defined, that
25      contains the data that will be copied over to the running datastore
26      at reset.

28   Status of This Memo

30      This Internet-Draft is submitted in full conformance with the
31      provisions of BCP 78 and BCP 79.

33      Internet-Drafts are working documents of the Internet Engineering
34      Task Force (IETF). Note that other groups may also distribute
35      working documents as Internet-Drafts. The list of current Internet-
36      Drafts is at https://datatracker.ietf.org/drafts/current/.

38      Internet-Drafts are draft documents valid for a maximum of six months
39      and may be updated, replaced, or obsoleted by other documents at any
40      time. It is inappropriate to use Internet-Drafts as reference
41      material or to cite them other than as "work in progress."

43      This Internet-Draft will expire on June 6, 2020.

45   Copyright Notice

47      Copyright (c) 2019 IETF Trust and the persons identified as the
48      document authors. All rights reserved.

50      This document is subject to BCP 78 and the IETF Trust's Legal
51      Provisions Relating to IETF Documents
52      (https://trustee.ietf.org/license-info) in effect on the date of
53      publication of this document. Please review these documents
54      carefully, as they describe your rights and restrictions with respect
55      to this document. Code Components extracted from this document must
56      include Simplified BSD License text as described in Section 4.e of
57      the Trust Legal Provisions and are provided without warranty as
58      described in the Simplified BSD License.

60   Table of Contents

62      1. Introduction
63        1.1. Terminology
64      2. Factory-Reset RPC
65      3. Factory-Default Datastore
66      4. YANG Module
67      5. IANA Considerations
68      6. Security Considerations
69      7. Acknowledgements
70      8. Contributors
71      9. References
72        9.1. Normative References
73        9.2. Informative References
74      Appendix A. Changes between revisions
75      Authors' Addresses

77   1. Introduction

79      This document defines a method to reset a server to its factory-
80      default content. The reset operation may be used, e.g., when the
81      existing configuration has major errors so re-starting the
82      configuration process from scratch is the best option.

84      A factory-reset RPC is defined. When resetting a datastore, all
85      previous configuration settings will be lost and replaced by the
86      factory-default content.

88      A "factory-default" read-only datastore is defined, that contains the
89      data to replace the contents of implemented read-write conventional
90      configuration datastores at reset. This datastore can also be used
91      in operation.

93      NETCONF defines the RPC operation, but that only acts
94      on the , whereas the RPC operation
95      can perform additional changes to the device to fully reset the
96      device back to a factory-default state.

98      The YANG data model in this document conforms to the Network
99      Management Datastore Architecture defined in [RFC8342].

101  1.1. Terminology

103     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
104     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
105     "OPTIONAL" in this document are to be interpreted as described in BCP
106     14 [RFC2119] [RFC8174] when, and only when, they appear in all
107     capitals, as shown here.

109     The following terms are defined in [RFC8342] [RFC7950] and are not
110     redefined here:

112     o server

114     o startup configuration datastore

116     o candidate configuration datastore

118     o running configuration datastore

120     o intended configuration datastore

122     o operational state datastore

124     o conventional configuration datastore

126     o RPC operation

128     The following terms are defined in this document as follows:

130     o factory-default datastore: A read-only configuration datastore
131       holding a preconfigured minimal initial configuration that can be
132       used to initialize the configuration of a server. The content of
133       the datastore is usually static, but MAY depend on external
134       factors like available HW.

136  2. Factory-Reset RPC

138     A new "factory-reset" RPC is introduced. Upon receiving the RPC
139     o All supported conventional read-write configuration datastores
140       (i.e. , , and ) are all reset to the
141       contents of .

143     o Read-only datastores receive their content from other
144       datastores (e.g. gets its content from ).

146     o All data in any ephemeral datastores MUST be discarded.

148     o The contents of the datastore MUST be reset back to
149       an appropriate factory-default state.

151     In addition, the "factory-reset" RPC MUST restore storage to factory
152     condition, including removing log files and temporary files (from
153     datastore or elsewhere). It MUST also remove security credentials
154     and restore default security settings, including removing
155     certificates and keys, zeroing passwords, etc. The process invoked by
156     the "factory-reset" RPC SHOULD zero/pattern-write then remove sensitive
157     files such as the TLS keys, configuration stores, etc. The "factory-
158     reset" RPC MAY also be used to trigger some other resetting tasks
159     such as restarting the node or some of the software processes, which
160     are especially needed after having onboard information being
161     processed or when a specified boot image needs to be
162     downloaded, verified and installed.

164  3. Factory-Default Datastore

166     Following guidelines for defining Datastores in the appendix A of
167     [RFC8342], this document introduces a new optional datastore resource
168     named 'factory-default' that represents a preconfigured minimal
169     initial configuration that can be used to initialize the
170     configuration of a server. A device MAY only implement the
        RPC without implementing the 'factory-default' datastore,
172     which makes it lose the ability to see what configuration the device
173     would be reset back to.

175     o Name: "factory-default"

177     o YANG modules: all

179     o YANG nodes: all "config true" data nodes

181     o Management operations: The content of the datastore is set by the
182       server in an implementation dependent manner. The content can not
183       be changed by management operations via NETCONF, RESTCONF, the CLI
184       etc. unless specialized, dedicated operations are provided. The
185       datastore can be read using the standard NETCONF/RESTCONF protocol
186       operations. The operation copies the factory
187       default content to and, if present, and then
188       the content of these datastores is propagated automatically to any
189       other read only datastores, e.g., and .

191     o Origin: This document does not define a new origin identity as it
192       does not interact with datastore.

194     o Protocols: RESTCONF, NETCONF and other management protocols.

196     o Defining YANG module: "ietf-factory-default".

198     The datastore content is usually defined by the device vendor. It is
199     usually static, but MAY change e.g., depending on external factors
200     like HW available or during device upgrade.

202     The contents of MUST persist across device
203     restarts.

205  4. YANG Module

207     This module imports typedefs from [RFC8342], and it references
208     [RFC6421], [RFC8341].

210     file "ietf-factory-default@2019-11-27.yang"
211     module ietf-factory-default {
212       yang-version 1.1;
213       namespace "urn:ietf:params:xml:ns:yang:ietf-factory-default";
214       prefix fd;

216       import ietf-datastores {
217         prefix ds;
218       }
219       import ietf-netconf-acm {
220         prefix nacm;
221       }

223       organization
224         "IETF NETMOD (Network Modeling) Working Group";
225       contact
226         "WG Web:
227          WG List:

229          Editor: Qin Wu
230
231          Editor: Balazs Lengyel
232
233          Editor: Ye Niu
234          ";

236       description
237         "This module defines the
238          - factory-reset RPC
239          - factory-default datastore

241          It provides functionality to reset a server to its
242          factory-default content.

244          Copyright (c) 2019 IETF Trust and the persons identified as
245          authors of the code. All rights reserved.

247          Redistribution and use in source and binary forms, with or
248          without modification, is permitted pursuant to, and subject
249          to the license terms contained in, the Simplified BSD License
250          set forth in Section 4.c of the IETF Trust's Legal Provisions
251          Relating to IETF Documents
252          (http://trustee.ietf.org/license-info).

254          This version of this YANG module is part of RFC XXXX;
255          see the RFC itself for full legal notices.";

257       revision 2019-11-27 {
258         description
259           "Initial revision.";
260         reference
261           "RFC XXXX: Factory default Setting";
262       }

264       feature factory-default-datastore {
265         description
266           "Indicates that the factory default configuration is
267            available as a datastore.";
268       }

270       rpc factory-reset {
271         nacm:default-deny-all;
272         description
273           "The server resets the content of all read-write
274            configuration datastores (i.e., , , and
275            ) to their factory default content.";
276       }

278       identity factory-default {
279         if-feature "factory-default-datastore";
280         base ds:datastore;
281         description
282           "This read-only datastore contains the configuration data used to
283            replace the contents of the read-write conventional configuration
284            datastores during a factory-reset RPC operation.";
285       }
286     }

288

290  5. IANA Considerations

292     This document registers one URI in the IETF XML Registry [RFC3688].
293     The following registration has been made:

295        URI: urn:ietf:params:xml:ns:yang:ietf-factory-default

297        Registrant Contact: The IESG.

299        XML: N/A, the requested URI is an XML namespace.

301     This document registers one YANG module in the YANG Module Names
302     Registry [RFC6020]. The following registration has been made:

304        name: ietf-factory-default

306        namespace: urn:ietf:params:xml:ns:yang:ietf-factory-default

308        prefix: fd

310        RFC: xxxx

312  6. Security Considerations

314     The YANG module defined in this document extends the base operations
315     for NETCONF [RFC6241] and RESTCONF [RFC8040]. The lowest NETCONF
316     layer is the secure transport layer, and the mandatory-to-implement
317     secure transport is Secure Shell (SSH) [RFC6242]. The lowest
318     RESTCONF layer is HTTPS, and the mandatory-to-implement secure
319     transport is TLS [RFC8446].

321     The RPC operation may be considered sensitive in some
322     network environments, e.g., remote access to reset the device or
323     overwrite security sensitive information in one of the other
324     datastores, e.g. running, therefore it is important to restrict
325     access to this RPC using the standard access control methods.
326     [RFC8341]
327     The 'factory-reset' RPC can prevent any further management of the
328     device if the session and client config is included in the factory-
329     reset contents.

331     The operational disruption caused by setting the config to factory-
332     reset contents varies greatly depending on the implementation and
333     current config.

335  7. Acknowledgements

337     Thanks to Juergen Schoenwaelder, Ladislav Lhotka, Alex Campbell, Joe
338     Clarke, Robert Wilton, Kent Watsen, Joel Jaeggli, Lou Berger, Andy
339     Bierman, Susan Hares for reviewing this draft and providing important
340     input to this document.

342  8. Contributors

344     Rohit R Ranade
345     Huawei
346     Email: rohitrranade@huawei.com

348  9. References

350  9.1. Normative References

352     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
353                Requirement Levels", BCP 14, RFC 2119,
354                DOI 10.17487/RFC2119, March 1997,
355                .

357     [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
358                RFC 7950, DOI 10.17487/RFC7950, August 2016,
359                .

361     [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
362                2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
363                May 2017, .

365     [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
366                Access Control Model", STD 91, RFC 8341,
367                DOI 10.17487/RFC8341, March 2018,
368                .

370     [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
371                and R. Wilton, "Network Management Datastore Architecture
372                (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
373                .

375  9.2. Informative References

377     [I-D.ietf-netmod-yang-instance-file-format]
378                Lengyel, B. and B. Claise, "YANG Instance Data File
379                Format", draft-ietf-netmod-yang-instance-file-format-06
380                (work in progress), December 2019.

382  Appendix A. Changes between revisions

384     Editorial Note (To be removed by RFC Editor)

386     v07 - 08

388     o Provide clarification and recommendation on the relationship
389       between factory-reset RPC and reboot.

391     o Nits fixed based on YANG Doctor Review.

393     v06 - 07

395     o Remove Factory-default content specification;

397     o Remove reference to YANG instance data file format and zero touch
398       provision [RFC8573];

400     o Remove copy-config operation extension on factory-default
401       datastore

403     v05 - 06

405     o Additional text to enhance security section.

407     o Add nacm:default-deny-all on "factory-reset" RPC.

409     o A few clarifications on Factory-default content specification.

411     v03 - 04

413     o Additional text to clarify factory-reset RPC usage.

415     v02 - 03

417     o Update security consideration section.

419     v01 - v02

421     o Address security issue in the security consideration section.

423     o Remove an extension to the NETCONF operation which
424       allows it to operate on the factory-default datastore.

426     o Add an extension to the NETCONF operation which
427       allows it to operate on the factory-default datastore.

429     v00 - v01

431     o Change YANG server into server defined in NMDA architecture based
432       on discussion.

434     o Allow resetting the content of all read-write configuration
435       datastores to its factory-default content except .

437     o Add clarification text on factory-reset protocol operation
438       behavior.

440     v03 - v00

442     o Change draft name from draft-wu to draft-ietf-netmod-factory-
443       default-00 without content changes.

445     v02 - v03

447     o Change reset-datastore RPC into factory-reset RPC to allow resetting
448       the whole device with factory default content.

450     o Remove target datastore parameter from factory-reset RPC.

452     o Other editorial changes.

454     v01 - v02

456     o Add copy-config based on Rob's comment.

458     o Reference Update.

460     v03 - v00 - v01

462     o Changed name from draft-wu-netconf-restconf-factory-restore to
463       draft-wu-netmod-factory-default

465     o Removed copy-config ; reset-datastore is enough

467     v02 - v03

469     o Restructured
470     o Made new datastore optional

472     o Removed Netconf capability

474     o Listed Open issues

476     v01 - v02

478     o -

480     v00 - v01

482     o -

484  Authors' Addresses

486     Qin Wu
487     Huawei
488     101 Software Avenue, Yuhua District
489     Nanjing, Jiangsu 210012
490     China

492     Email: bill.wu@huawei.com

494     Balazs Lengyel
495     Ericsson Hungary
496     Magyar Tudosok korutja 11
497     1117 Budapest
498     Hungary

500     Phone: +36-70-330-7909
501     Email: balazs.lengyel@ericsson.com

503     Ye Niu
504     Huawei

506     Email: niuye@huawei.com
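
The access-control point made in Section 6, as an added example that is not part of the draft: a simplified Python model of the RFC 8341 (NACM) protocol-operation check, showing how the nacm:default-deny-all statement on the factory-reset RPC interacts with configured rules. The group names, rule names and the POLICY data are constructed for illustration.

```python
# Added example: simplified RFC 8341 (NACM) exec check for the factory-reset RPC.
from dataclasses import dataclass, field

MODULE = "ietf-factory-default"                  # module name from Section 4
DEFAULT_DENY_ALL = {(MODULE, "factory-reset")}   # RPCs tagged nacm:default-deny-all


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    module_name: str = "*"
    rpc_name: str = "*"
    access_operations: frozenset = frozenset({"*"})

    def matches(self, module, rpc):
        return (self.module_name in ("*", module)
                and self.rpc_name in ("*", rpc)
                and bool(self.access_operations & {"*", "exec"}))


@dataclass
class RuleList:
    name: str
    groups: frozenset
    rules: list = field(default_factory=list)


def exec_allowed(user_groups, rule_lists, module, rpc,
                 exec_default="permit", recovery_session=False):
    """Return (allowed, reason) for a request to invoke module:rpc."""
    if recovery_session:
        return True, "recovery session"
    groups = set(user_groups)
    if groups:                                    # a user in no group skips all rules
        for rl in rule_lists:                     # rule-lists in configured order
            if "*" not in rl.groups and not (rl.groups & groups):
                continue
            for rule in rl.rules:                 # first matching rule decides
                if rule.matches(module, rpc):
                    return rule.action == "permit", f"rule {rl.name}/{rule.name}"
    if (module, rpc) in DEFAULT_DENY_ALL:         # no rule matched the request
        return False, "nacm:default-deny-all"
    return exec_default == "permit", "exec-default"


# Constructed policy: only the hypothetical "reset-admins" group may reset.
POLICY = [
    RuleList("reset-acl", frozenset({"reset-admins"}), [
        Rule("allow-factory-reset", "permit", module_name=MODULE,
             rpc_name="factory-reset", access_operations=frozenset({"exec"})),
    ]),
]
```

default-deny-all is consulted only when no rule matches, so a wildcard permit rule for a group also grants factory-reset; rule-lists with "*" module or RPC names are the ones to audit.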