idnits 2.17.1

draft-ietf-netmod-factory-default-14.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 26, 2020) is 1493 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 8525' is mentioned on line 203, but not defined

  == Missing Reference: 'RFC8573' is mentioned on line 458, but not defined

  == Unused Reference: 'RFC8525' is defined on line 394, but no explicit
     reference was found in the text

     Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     NETMOD Working Group                                               Q. Wu
3     Internet-Draft                                                    Huawei
4     Intended status: Standards Track                              B. Lengyel
5     Expires: August 29, 2020                                Ericsson Hungary
6                                                                       Y. Niu
7                                                                       Huawei
8                                                            February 26, 2020

10                  A YANG Data Model for Factory Default Settings
11                      draft-ietf-netmod-factory-default-14

13    Abstract

15       This document defines a YANG data model to allow clients to reset a
16       server back to its factory default condition. It also defines a
17       "factory-default" datastore to allow clients to read the factory
18       default configuration for the device.

20       The YANG data model in this document conforms to the Network
21       Management Datastore Architecture (NMDA) defined in RFC 8342.

23    Status of This Memo

25       This Internet-Draft is submitted in full conformance with the
26       provisions of BCP 78 and BCP 79.

28       Internet-Drafts are working documents of the Internet Engineering
29       Task Force (IETF). Note that other groups may also distribute
30       working documents as Internet-Drafts. The list of current Internet-
31       Drafts is at https://datatracker.ietf.org/drafts/current/.

33       Internet-Drafts are draft documents valid for a maximum of six months
34       and may be updated, replaced, or obsoleted by other documents at any
35       time. It is inappropriate to use Internet-Drafts as reference
36       material or to cite them other than as "work in progress."

38       This Internet-Draft will expire on August 29, 2020.

40    Copyright Notice

42       Copyright (c) 2020 IETF Trust and the persons identified as the
43       document authors. All rights reserved.

45       This document is subject to BCP 78 and the IETF Trust's Legal
46       Provisions Relating to IETF Documents
47       (https://trustee.ietf.org/license-info) in effect on the date of
48       publication of this document. Please review these documents
49       carefully, as they describe your rights and restrictions with respect
50       to this document. Code Components extracted from this document must
51       include Simplified BSD License text as described in Section 4.e of
52       the Trust Legal Provisions and are provided without warranty as
53       described in the Simplified BSD License.

55    Table of Contents

57       1.  Introduction
58         1.1.  Terminology
59       2.  Factory-Reset RPC
60       3.  Factory-Default Datastore
61       4.  YANG Module
62       5.  IANA Considerations
63       6.  Security Considerations
64       7.  Acknowledgements
65       8.  Contributors
66       9.  References
67         9.1.  Normative References
68         9.2.  Informative References
69       Appendix A.  Changes between revisions
70       Authors' Addresses

72    1.  Introduction

74       This document defines a method to reset a server to its factory
75       default content. The reset operation may be used, e.g., when the
76       existing configuration has major errors so re-starting the
77       configuration process from scratch is the best option.

79       A "factory-reset" RPC is defined. When resetting a device, all
80       previous configuration settings will be lost and replaced by the
81       factory default content.

83       A "factory-default" read-only datastore is defined, that contains the
84       data to replace the contents of implemented read-write conventional
85       configuration datastores at reset. This datastore can also be used
86       in the operation.

88       The YANG data model in this document conforms to the Network
89       Management Datastore Architecture defined in [RFC8342].

91    1.1.  Terminology

93       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
94       "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
95       "OPTIONAL" in this document are to be interpreted as described in BCP
96       14 [RFC2119] [RFC8174] when, and only when, they appear in all
97       capitals, as shown here.

99       The following terms are defined in [RFC8342] [RFC7950] and are not
100      redefined here:

102      o  server

104      o  startup configuration datastore

106      o  candidate configuration datastore

108      o  running configuration datastore

110      o  intended configuration datastore

112      o  operational state datastore

114      o  conventional configuration datastore

116      o  datastore schema

118      o  RPC operation

120      The following terms are defined in this document as follows:

122      o  factory-default datastore: A read-only configuration datastore
123         holding a preconfigured initial configuration that is used to
124         initialize the configuration of a server. This datastore is
125         referred to as "".

127   2.  Factory-Reset RPC

129      A new "factory-reset" RPC is introduced. Upon receiving the RPC:

131      o  All supported conventional read-write configuration datastores
132         (i.e. , , and ) are reset to the
133         contents of .

135      o  Read-only datastores receive their content from other
136         datastores (e.g., gets its content from ).

138      o  All data in any dynamic configuration datastores MUST be
139         discarded.

141      o  The contents of the datastore MUST reflect the
142         operational state of the device after applying the factory default
143         configuration.

145      In addition, the "factory-reset" RPC MUST restore non-volatile
146      storage to factory condition. Depending on the system, this may
147      entail deleting dynamically generated files, such as those containing
148      keys (e.g., /etc/ssl/private), certificates (e.g., /etc/ssl), logs
149      (e.g., /var/log), and temporary files (e.g., /tmp/*). All security
150      sensitive data (i.e., private keys, passwords, etc.) SHOULD be
151      overwritten with zeros or a pattern before deletion. The "factory-
152      reset" RPC MAY also be used to trigger some other resetting tasks
153      such as restarting the node or some of the software processes.

155      Note that operators should be aware that since all read-write
156      datastores are immediately reset to factory default, the device may
157      become unreachable on the network. It is important to understand how
158      a given vendor's device will behave after the RPC is executed.
159      Implementors SHOULD reboot the device or otherwise restart processes
160      needed to bootstrap it.

162   3.  Factory-Default Datastore

164      Following the guidelines for defining Datastores in Appendix A of
165      [RFC8342], this document introduces a new optional datastore resource
166      named "factory-default" that represents a preconfigured initial
167      configuration that can be used to initialize the configuration of a
168      server. A device MAY implement the "factory-reset" RPC without
169      implementing the "factory-default" datastore, which would only
170      eliminate the ability to programmatically determine the factory
171      default configuration.

173      o  Name: "factory-default"

175      o  YANG modules: The factory default datastore schema MUST either be
176         the same as the conventional configuration datastores, or a subset
177         of the datastore schema for the conventional configuration
178         datastores.

180      o  YANG nodes: all "config true" data nodes

182      o  Management operations: The content of the datastore is set by the
183         server in an implementation dependent manner. The content cannot
184         be changed by management operations via NETCONF, RESTCONF, the CLI
185         etc. unless specialized, dedicated operations are provided. The
186         datastore can be read using the standard NETCONF/RESTCONF protocol
187         operations. The "factory-reset" operation copies the factory
188         default content to and, if present, and/or
189         and then the content of these datastores is propagated
190         automatically to any other read only datastores, e.g.,
191         and .

193      o  Origin: This document does not define a new origin identity as it
194         does not interact with the datastore.

196      o  Protocols: RESTCONF, NETCONF and other management protocols.

198      o  Defining YANG module: "ietf-factory-default".

200      The contents of is defined by the device vendor and
201      MUST persist across device restarts. If supported, the factory-
202      default datastore MUST be included in the list of datastores in YANG
203      library [RFC 8525].

205   4.  YANG Module

207      This module uses the "datastore" identity [RFC8342], and the
208      "default-deny-all" extension statement from [RFC8341].

210      file "ietf-factory-default@2019-11-27.yang"
211      module ietf-factory-default {
212        yang-version 1.1;
213        namespace "urn:ietf:params:xml:ns:yang:ietf-factory-default";
214        prefix fd;

216        import ietf-datastores {
217          prefix ds;
218          reference
219            "RFC 8342: Network Management Datastore Architecture (NMDA)";
220        }
221        import ietf-netconf-acm {
222          prefix nacm;
223          reference
224            "RFC8341: Network Configuration Access Control Model";
225        }

227        organization
228          "IETF NETMOD (Network Modeling) Working Group";
229        contact
230          "WG Web:
231           WG List:

233           Editor: Qin Wu
234
235           Editor: Balazs Lengyel
236
237           Editor: Ye Niu
238           ";
239        description
240          "This module provides functionality to reset a server to its
241           factory default configuration and, when supported, to discover
242           the factory default configuration contents independent of
243           resetting the server.

245           Copyright (c) 2020 IETF Trust and the persons identified as
246           authors of the code. All rights reserved.

248           Redistribution and use in source and binary forms, with or
249           without modification, is permitted pursuant to, and subject
250           to the license terms contained in, the Simplified BSD License
251           set forth in Section 4.c of the IETF Trust's Legal Provisions
252           Relating to IETF Documents
253           (http://trustee.ietf.org/license-info).

255           This version of this YANG module is part of RFC XXXX;
256           see the RFC itself for full legal notices.";
257        // RFC Ed.: update the date below with the date of RFC publication
258        // and remove this note.
259        // RFC Ed.: replace XXXX with actual RFC number and remove this
260        // note.
261        revision 2019-11-27 {
262          description
263            "Initial revision.";
264          reference
265            "RFC XXXX: Factory default Setting";
266        }

268        feature factory-default-datastore {
269          description
270            "Indicates that the factory default configuration is
271             available as a datastore.";
272        }

274        rpc factory-reset {
275          nacm:default-deny-all;
276          description
277            "The server resets all datastores to their factory
278             default content and any non-volatile storage back to
279             factory condition, deleting all dynamically generated
280             files, including those containing keys, certificates,
281             logs, and other temporary files.

283             Depending on the factory default configuration, after
284             being reset, the device may become unreachable on the
285             network.";
286        }

288        identity factory-default {
289          if-feature "factory-default-datastore";
290          base ds:datastore;
291          description
292            "This read-only datastore contains the factory default
293             configuration for the device used to replace the contents
294             of the read-write conventional configuration datastores
295             during a 'factory-reset' RPC operation.";
296        }
297      }
298

300   5.  IANA Considerations

302      This document registers one URI in the IETF XML Registry [RFC3688].
303      The following registration has been made:

305         URI: urn:ietf:params:xml:ns:yang:ietf-factory-default
306         Registrant Contact: The IESG.
307         XML: N/A, the requested URI is an XML namespace.

309      This document registers one YANG module in the YANG Module Names
310      Registry [RFC6020]. The following registration has been made:

312         name: ietf-factory-default
313         namespace: urn:ietf:params:xml:ns:yang:ietf-factory-default
314         prefix: fd
315         RFC: xxxx

317   6.  Security Considerations

319      The YANG module defined in this document extends the base operations
320      for NETCONF [RFC6241] and RESTCONF [RFC8040]. The lowest NETCONF
321      layer is the secure transport layer, and the mandatory-to-implement
322      secure transport is Secure Shell (SSH) [RFC6242]. The lowest
323      RESTCONF layer is HTTPS, and the mandatory-to-implement secure
324      transport is TLS [RFC8446].

326      Access to the "factory-reset" RPC operation is considered sensitive
327      and therefore has been restricted using the "default-deny-all" access
328      control defined in [RFC8341].

330      The "factory-reset" RPC can prevent any further management of the
331      device if the session and client config are included in the factory
332      default contents.

334      The operational disruption caused by setting the config to factory
335      default contents varies greatly depending on the implementation and
336      current config.

338      The non-volatile storage is expected to be wiped clean and reset back
339      to the factory default state, but there is no guarantee that the data
340      is wiped according to any particular data cleansing standard, and the
341      owner of the device MUST NOT rely on any sensitive data (e.g.,
342      private keys) being forensically unrecoverable from the device's non-
343      volatile storage after a factory-reset RPC has been invoked.

345   7.  Acknowledgements

347      Thanks to Juergen Schoenwaelder, Ladislav Lhotka, Alex Campbell, Joe
348      Clarke, Robert Wilton, Kent Watsen, Joel Jaeggli, Lou Berger, Andy
349      Bierman, Susan Hares for reviewing this draft and providing important
350      input to this document.

352   8.  Contributors

354      Rohit R Ranade
355      Huawei
356      Email: rohitrranade@huawei.com

358   9.  References

360   9.1.  Normative References

362      [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
363                 Requirement Levels", BCP 14, RFC 2119,
364                 DOI 10.17487/RFC2119, March 1997.

367      [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
368                 DOI 10.17487/RFC3688, January 2004.

371      [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
372                 the Network Configuration Protocol (NETCONF)", RFC 6020,
373                 DOI 10.17487/RFC6020, October 2010.

376      [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
377                 RFC 7950, DOI 10.17487/RFC7950, August 2016.

380      [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
381                 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
382                 May 2017.

384      [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
385                 Access Control Model", STD 91, RFC 8341,
386                 DOI 10.17487/RFC8341, March 2018.

389      [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
390                 and R. Wilton, "Network Management Datastore Architecture
391                 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

394      [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
395                 and R. Wilton, "YANG Library", RFC 8525,
396                 DOI 10.17487/RFC8525, March 2019.

399   9.2.  Informative References

401      [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
402                 and A. Bierman, Ed., "Network Configuration Protocol
403                 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

406      [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
407                 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

410      [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
411                 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

414      [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
415                 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

418   Appendix A.  Changes between revisions

420      Editorial Note (To be removed by RFC Editor)

422      v13 - 14

424      o  Address additional issues raised during AD review.

426      v12 - 13

428      o  Address issues raised during AD review.

430      v11 - 12
431      o  Fix IDnits and reference issues from Shepherd review.

433      v10 - 11

435      o  Incorporate additional Shepherd review's comments.

437      v09 - 10

439      o  Incorporate Shepherd review's comments.

441      v08 - 09

443      o  Provide some guidelines for operators and implementors who
444         implement the factory default method.

446      v07 - 08

448      o  Provide clarification and recommendation on the relationship
449         between factory-reset RPC and reboot.

451      o  Nits fixed based on YANG Doctor Review.

453      v06 - 07

455      o  Remove Factory default content specification;

457      o  Remove reference to YANG instance data file format and zero touch
458         provision [RFC8573];

460      o  Remove copy-config operation extension on factory-default
461         datastore

463      v05 - 06

465      o  Additional text to enhance security section.

467      o  Add nacm:default-deny-all on "factory-reset" RPC.

469      o  A few clarifications on Factory default content specification.

471      v03 - 04

473      o  Additional text to clarify factory-reset RPC usage.

475      v02 - 03

477      o  Update security consideration section.

479      v01 - v02

481      o  Address security issue in the security consideration section.

483      o  Remove an extension to the NETCONF operation which
484         allows it to operate on the factory-default datastore.

486      o  Add an extension to the NETCONF operation which
487         allows it to operate on the factory-default datastore.

489      v00 - v01

491      o  Change YANG server into server defined in NMDA architecture based
492         on discussion.

494      o  Allow reset the content of all read-write configuration datastores
495         to its factory default content except .

497      o  Add clarification text on factory-reset protocol operation
498         behavior.

500      v03 - v00

502      o  Change draft name from draft-wu to draft-ietf-netmod-factory-
503         default-00 without content changes.

505      v02 - v03

507      o  Change reset-datastore RPC into factory-reset RPC to allow reset
508         the whole device with factory default content.

510      o  Remove target datastore parameter from factory-reset RPC.

512      o  Other editorial changes.

514      v01 - v02

516      o  Add copy-config based on Rob's comment.

518      o  Reference Update.

520      v03 - v00 - v01

522      o  Changed name from draft-wu-netconf-restconf-factory-restore to
523         draft-wu-netmod-factory-default

525      o  Removed copy-config; reset-datastore is enough
526      v02 - v03

528      o  Restructured

530      o  Made new datastore optional

532      o  Removed Netconf capability

534      o  Listed Open issues

536      v01 - v02

538      o  -

540      v00 - v01

542      o  -

544   Authors' Addresses

546      Qin Wu
547      Huawei
548      101 Software Avenue, Yuhua District
549      Nanjing, Jiangsu 210012
550      China

552      Email: bill.wu@huawei.com

554      Balazs Lengyel
555      Ericsson Hungary
556      Magyar Tudosok korutja 11
557      1117 Budapest
558      Hungary

560      Phone: +36-70-330-7909
561      Email: balazs.lengyel@ericsson.com

563      Ye Niu
564      Huawei

566      Email: niuye@huawei.com
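
Added example, not part of the draft: Section 6 protects "factory-reset" with the "default-deny-all" extension from RFC 8341, and this Python sketch models a simplified form of the RFC 8341 protocol-operation check to show what that means in practice. The class names, function names and the sample policy are constructed for illustration, and only RPC rules are modelled (no data-node or notification rules). It shows that the RPC is refused even when exec-default is "permit", and that a wildcard permit rule still grants it, which is what a review of NACM rules should look for.

```python
# Added example (not from the draft): simplified RFC 8341 section 3.4.4
# RPC check showing the effect of nacm:default-deny-all on "factory-reset".
from dataclasses import dataclass, field

FD_MODULE, FD_RPC = "ietf-factory-default", "factory-reset"  # from Section 4
DEFAULT_DENY_ALL = {(FD_MODULE, FD_RPC)}  # RPCs tagged nacm:default-deny-all


@dataclass
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    module_name: str = "*"           # "*" matches any module
    rpc_name: str = "*"              # "*" matches any RPC
    access_operations: tuple = ("*",)

    def matches(self, module, rpc):
        return (self.module_name in ("*", module)
                and self.rpc_name in ("*", rpc)
                and bool({"*", "exec"} & set(self.access_operations)))


@dataclass
class RuleList:
    name: str
    groups: tuple                    # "*" matches every group
    rules: list = field(default_factory=list)


@dataclass
class Nacm:
    rule_lists: list = field(default_factory=list)
    enable_nacm: bool = True
    exec_default: str = "permit"     # RFC 8341 default value


def rpc_allowed(nacm, user_groups, module, rpc, recovery_session=False):
    """True if the user may execute module:rpc under this NACM policy."""
    if not nacm.enable_nacm or recovery_session:
        return True
    for rl in nacm.rule_lists:                    # rule-lists in order
        if "*" in rl.groups or set(rl.groups) & set(user_groups):
            for rule in rl.rules:                 # first matching rule wins
                if rule.matches(module, rpc):
                    return rule.action == "permit"
    if (module, rpc) in DEFAULT_DENY_ALL:         # no rule matched
        return False
    return nacm.exec_default == "permit"


def rules_granting_reset(nacm):
    """Audit helper: (rule-list, rule) pairs whose first match permits reset."""
    hits = []
    for rl in nacm.rule_lists:
        first = next((r for r in rl.rules if r.matches(FD_MODULE, FD_RPC)), None)
        if first is not None and first.action == "permit":
            hits.append((rl.name, first.name))
    return hits


# Constructed sample policy: one narrow grant and one wildcard grant.
POLICY = Nacm(rule_lists=[
    RuleList("reset-acl", ("reset-admins",),
             [Rule("allow-factory-reset", "permit", FD_MODULE, FD_RPC, ("exec",))]),
    RuleList("noc-acl", ("noc",), [Rule("permit-all", "permit")]),
])
```

In the sample policy the "noc" group can invoke factory-reset through its wildcard rule, so `rules_granting_reset(POLICY)` reports both rule-lists.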
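
Added example, not part of the draft: Section 2 says security sensitive data SHOULD be overwritten with zeros or a pattern before deletion, and this Python sketch shows one way a reset handler could do that for a single file. The function name and chunk size are assumptions made here. An in-place overwrite does not reach copies kept by flash wear-levelling, filesystem journals or snapshots, which is consistent with the Section 6 statement that forensic unrecoverability must not be relied on.

```python
# Added example (not from the draft): best-effort overwrite of a sensitive
# file before deletion, as Section 2 recommends for keys and passwords.
import os

CHUNK = 64 * 1024  # assumed write size; any positive value works


def overwrite_and_delete(path, pattern=b"\x00"):
    """Overwrite path in place with a repeating pattern, sync, then unlink.

    Returns the number of bytes overwritten. Symlinks are refused (where the
    platform offers O_NOFOLLOW) so the overwrite cannot be redirected to a
    different file.
    """
    if not pattern:
        raise ValueError("pattern must not be empty")
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        size = os.fstat(fd).st_size
        # Build one chunk of the pattern, then reuse it for every write.
        block = (pattern * (CHUNK // len(pattern) + 1))[:CHUNK]
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            written += os.write(fd, block[:n])
        os.fsync(fd)  # push the overwrite to the storage device
    finally:
        os.close(fd)
    os.unlink(path)   # remove the name only after the content is replaced
    return written
```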