draft-ietf-netconf-netconf-client-server-00.txt   draft-ietf-netconf-netconf-client-server-01.txt 
NETCONF Working Group                                          K. Watsen
Internet-Draft                                          Juniper Networks
Intended status: Standards Track                                   G. Wu
Expires: May 7, 2017                                      Cisco Networks
                                                        J. Schoenwaelder
                                                Jacobs University Bremen
                                                        November 3, 2016

                    NETCONF Client and Server Models
             draft-ietf-netconf-netconf-client-server-01
Abstract

   This document defines two YANG modules, one module to configure a
   NETCONF client and the other module to configure a NETCONF server.
   Both modules support both the SSH and TLS transport protocols, and
   support both standard NETCONF and NETCONF Call Home connections.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  draft-ietf-netconf-keystore

   o  draft-ietf-netconf-ssh-client-server

   o  draft-ietf-netconf-tls-client-server

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "XXXX" --> the assigned RFC value for this draft

   [skipping to change at page 2, line 10]

      client-server

   o  "ZZZZ" --> the assigned RFC value for draft-ietf-netconf-tls-
      client-server

   o  "AAAA" --> the assigned RFC value for draft-ietf-netconf-call-home

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2016-11-02" --> the publication date of this draft

   The following two Appendix sections are to be removed prior to
   publication:

   o  Appendix A.  Change Log

   o  Appendix B.  Open Issues

Status of This Memo

   [skipping to change at page 2, line 34]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 4, line 49]

   The NETCONF client model presented in this section supports both
   clients initiating connections to servers and clients listening for
   connections from servers calling home.

   This model supports both the SSH and TLS transport protocols, using
   the SSH client and TLS client groupings defined in
   [draft-ietf-netconf-ssh-client-server] and
   [draft-ietf-netconf-tls-client-server] respectively.

   All private keys and trusted certificates are held in the keystore
   model defined in [draft-ietf-netconf-keystore].

   YANG feature statements are used to enable implementations to
   advertise which parts of the model the NETCONF client supports.

2.1.  Tree Diagram

   module: ietf-netconf-client
      +--rw netconf-client
         +--rw initiate {initiate}?
         |  +--rw netconf-server* [name]
         |     +--rw name           string
         |     +--rw (transport)
         |        +--:(ssh) {ssh-initiate}?
         |           +--rw ssh
         |              +--rw address        inet:host
         |              +--rw port?          inet:port-number
         |              +--rw server-auth
         |              |  +--rw trusted-ssh-host-keys?   -> /ks:keystore/trusted-ssh-host-keys/name
         |              |  +--rw trusted-ca-certs?        -> /ks:keystore/trusted-certificates/name {ssh-x509-certs}?
         |              |  +--rw trusted-server-certs?    -> /ks:keystore/trusted-certificates/name
         |              +--rw client-auth
         |                 +--rw matches* [name]
         |                    +--rw name                     string
         |                    +--rw match* [name]
         |                    |  +--rw name                     string
         |                    |  +--rw trusted-ssh-host-keys?   -> /ks:keystore/trusted-ssh-host-keys/name
         |                    |  +--rw trusted-ca-certs?        -> /ks:keystore/trusted-certificates/name
         |                    |  +--rw trusted-server-certs?    -> /ks:keystore/trusted-certificates/name
         |                    +--rw user-auth-credentials?   -> /ks:keystore/user-auth-credentials/user-auth-credential/username
         +--rw listen {listen}?
            +--rw max-sessions?   uint16
            +--rw idle-timeout?   uint16
            +--rw endpoint* [name]
               +--rw name           string
               +--rw (transport)
                  +--:(ssh) {ssh-listen}?
                     +--rw ssh
                        +--rw address?       inet:ip-address
                        +--rw port?          inet:port-number
                        +--rw server-auth
                        |  +--rw trusted-ssh-host-keys?   -> /ks:keystore/trusted-ssh-host-keys/name
                        |  +--rw trusted-ca-certs?        -> /ks:keystore/trusted-certificates/name {ssh-x509-certs}?
                        |  +--rw trusted-server-certs?    -> /ks:keystore/trusted-certificates/name
                        +--rw client-auth
                           +--rw matches* [name]
                              +--rw name                     string
                              +--rw match* [name]
                              |  +--rw name                     string
                              |  +--rw trusted-ssh-host-keys?   -> /ks:keystore/trusted-ssh-host-keys/name
                              |  +--rw trusted-ca-certs?        -> /ks:keystore/trusted-certificates/name
                              |  +--rw trusted-server-certs?    -> /ks:keystore/trusted-certificates/name
                              +--rw user-auth-credentials?   -> /ks:keystore/user-auth-credentials/user-auth-credential/username
2.2.  Example Usage

   The following example illustrates configuring a NETCONF client to
   initiate connections, using both the SSH and TLS transport protocols,
   as well as listening for call-home connections, again using both the
   SSH and TLS transport protocols.

   This example is consistent with the examples presented in Section 2.2
   of [draft-ietf-netconf-keystore].

   <netconf-client
     xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-client">

     <!-- NETCONF servers to initiate NETCONF connections to -->
     <initiate>
       <netconf-server>
         <name>corp-fw1</name>
         <ssh>
           <address>corp-fw1.example.com</address>

   [skipping to change at page 8, line 19]

           </client-auth>
         </ssh>
       </endpoint>
     </listen>
   </netconf-client>
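   The instance above is only meaningful if every keystore leafref it
   carries resolves, and the tree diagram in Section 2.1 makes all of the
   server-auth leaves optional, so an instance can validate against the
   schema while never authenticating the NETCONF server.  The following
   Python script, added here as an illustration and not part of the draft
   or of any NETCONF implementation, parses a constructed /netconf-client
   instance shaped after the example, fills in the defaults the module
   states, and audits it against a constructed keystore; the element and
   keystore entry names are sample values.

```python
import xml.etree.ElementTree as ET

NS = {"ncc": "urn:ietf:params:xml:ns:yang:ietf-netconf-client"}
# Defaults stated by the module: port 830 when initiating, 4334 when listening
# for call home, max-sessions 0 (no limit), idle-timeout 3600 seconds.
INITIATE_SSH_PORT, LISTEN_SSH_PORT = 830, 4334
DEFAULT_MAX_SESSIONS, DEFAULT_IDLE_TIMEOUT = 0, 3600
# The keystore list each leafref in the tree diagram points into.
LEAFREF_TARGETS = {"trusted-ssh-host-keys": "trusted-ssh-host-keys",
                   "trusted-ca-certs": "trusted-certificates",
                   "trusted-server-certs": "trusted-certificates"}
# Constructed keystore instance; the entry names are sample values.
KEYSTORE = {"trusted-ssh-host-keys": {"corp-fw-host-keys"},
            "trusted-certificates": {"corp-ca"},
            "user-auth-credentials": {"netconf-admin"}}
# Constructed instance: corp-fw1 resolves cleanly, corp-fw2 names a host-key
# list the keystore does not hold, and the call-home endpoint carries no
# server-auth material at all.
CLIENT_XML = """<netconf-client xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-client">
  <initiate>
    <netconf-server><name>corp-fw1</name><ssh>
      <address>corp-fw1.example.com</address>
      <server-auth><trusted-ssh-host-keys>corp-fw-host-keys</trusted-ssh-host-keys></server-auth>
      <client-auth><matches><name>default</name>
        <user-auth-credentials>netconf-admin</user-auth-credentials>
      </matches></client-auth>
    </ssh></netconf-server>
    <netconf-server><name>corp-fw2</name><ssh>
      <address>192.0.2.2</address><port>2830</port>
      <server-auth><trusted-ssh-host-keys>old-host-keys</trusted-ssh-host-keys></server-auth>
    </ssh></netconf-server>
  </initiate>
  <listen>
    <endpoint><name>call-home-ssh</name><ssh>
      <address>192.0.2.7</address><server-auth/>
    </ssh></endpoint>
  </listen>
</netconf-client>"""


def _text(el, name):
    child = el.find(f"ncc:{name}", NS)
    return None if child is None else (child.text or "").strip()


def _auth_refs(ssh):
    """(scope, leaf, keystore list, value) for every leafref under <ssh>."""
    refs = []
    scopes = [("server-auth", s) for s in ssh.findall("ncc:server-auth", NS)]
    scopes += [("client-auth", m) for m in
               ssh.findall("ncc:client-auth/ncc:matches/ncc:match", NS)]
    for scope, el in scopes:
        for leaf, target in LEAFREF_TARGETS.items():
            if _text(el, leaf):
                refs.append((scope, leaf, target, _text(el, leaf)))
    for m in ssh.findall("ncc:client-auth/ncc:matches", NS):
        if _text(m, "user-auth-credentials"):
            refs.append(("client-auth", "user-auth-credentials",
                         "user-auth-credentials", _text(m, "user-auth-credentials")))
    return refs


def _ssh_entry(parent, default_port):
    """Enforce the mandatory transport choice and apply the port default."""
    name = _text(parent, "name")
    ssh = parent.find("ncc:ssh", NS)
    if ssh is None:  # the transport choice is mandatory; only the ssh case is live
        raise ValueError(f"{name}: no transport configured")
    if default_port == INITIATE_SSH_PORT and not _text(ssh, "address"):
        raise ValueError(f"{name}: address is mandatory when initiating")
    return {"name": name, "address": _text(ssh, "address"),
            "port": int(_text(ssh, "port") or default_port),
            "refs": _auth_refs(ssh)}


def parse_client(xml_text):
    """Return the /netconf-client instance with the YANG defaults filled in."""
    root = ET.fromstring(xml_text)
    cfg = {"initiate": [_ssh_entry(s, INITIATE_SSH_PORT) for s in
                        root.findall("ncc:initiate/ncc:netconf-server", NS)],
           "listen": None}
    listen = root.find("ncc:listen", NS)
    if listen is not None:
        cfg["listen"] = {
            "max-sessions": int(_text(listen, "max-sessions") or DEFAULT_MAX_SESSIONS),
            "idle-timeout": int(_text(listen, "idle-timeout") or DEFAULT_IDLE_TIMEOUT),
            "endpoints": [_ssh_entry(e, LISTEN_SSH_PORT)
                          for e in listen.findall("ncc:endpoint", NS)]}
    return cfg


def audit(cfg, keystore):
    """Dangling keystore leafrefs, plus entries whose optional server-auth
    leaves are all absent, so the NETCONF server's identity is never checked."""
    problems = []
    listen = cfg["listen"]
    for e in cfg["initiate"] + (listen["endpoints"] if listen else []):
        for scope, leaf, target, value in e["refs"]:
            if value not in keystore.get(target, set()):
                problems.append(f"{e['name']}: {scope}/{leaf} -> /ks:keystore/"
                                f"{target} has no entry '{value}'")
        if not any(scope == "server-auth" for scope, *_ in e["refs"]):
            problems.append(f"{e['name']}: no trusted host keys or certificates "
                            "in server-auth; the server cannot be authenticated")
    return problems
```

   A YANG-aware datastore rejects the dangling leafref on its own (YANG
   1.1 leafrefs require the target instance by default), but the empty
   server-auth case passes schema validation and is only caught by a
   check like audit().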
2.3.  YANG Model

   This YANG module imports YANG types from [RFC6991] and [RFC7407].

   <CODE BEGINS> file "ietf-netconf-client@2016-11-02.yang"

   module ietf-netconf-client {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
     prefix "ncc";

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-x509-cert-to-name {
       prefix x509c2n;
       reference
         "RFC 7407: A YANG Data Model for SNMP Configuration";
     }

     import ietf-ssh-client {
       prefix ss;
       revision-date 2016-11-02; // stable grouping definitions
       reference
         "RFC YYYY: SSH Client and Server Models";
     }

     // The TLS cases below are commented out in this revision, so the
     // TLS client import is disabled as well.
     // import ietf-tls-client {
     //   prefix ts;
     //   revision-date 2016-11-02; // stable grouping definitions
     //   reference
     //     "RFC ZZZZ: TLS Client and Server Models";
     // }

     organization
      "IETF NETCONF (Network Configuration) Working Group";

     contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
       WG List:  <mailto:netconf@ietf.org>

       WG Chair: Mehmet Ersue
                 <mailto:mehmet.ersue@nsn.com>

       WG Chair: Mahesh Jethanandani
                 <mailto:mjethanandani@gmail.com>

       Author:   Kent Watsen
                 <mailto:kwatsen@juniper.net>

       Author:   Gary Wu
                 <mailto:garywu@cisco.com>";

     description
      "This module contains a collection of YANG definitions for
       configuring NETCONF clients.

       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD
       License set forth in Section 4.c of the IETF Trust's
       Legal Provisions Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC XXXX; see
       the RFC itself for full legal notices.";

     revision "2016-11-02" {
       description
        "Initial version";
       reference
        "RFC XXXX: NETCONF Client and Server Models";
     }

     // Features

     feature initiate {
       description
        "The 'initiate' feature indicates that the NETCONF client
         supports initiating NETCONF connections to NETCONF servers
         using at least one transport (e.g., SSH, TLS, etc.).";
     }

     feature ssh-initiate {
       description
        "The 'ssh-initiate' feature indicates that the NETCONF client
         supports initiating SSH connections to NETCONF servers.";
       reference
        "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature tls-initiate {
       description
        "The 'tls-initiate' feature indicates that the NETCONF client
         supports initiating TLS connections to NETCONF servers.";
       reference
        "RFC 7589: Using the NETCONF Protocol over Transport
                   Layer Security (TLS) with Mutual X.509
                   Authentication";
     }

     feature listen {
       description
        "The 'listen' feature indicates that the NETCONF client
         supports opening a port to accept NETCONF server call
         home connections using at least one transport (e.g.,
         SSH, TLS, etc.).";
     }

     feature ssh-listen {
       description
        "The 'ssh-listen' feature indicates that the NETCONF client
         supports opening a port to listen for incoming NETCONF
         server call-home SSH connections.";
       reference
        "RFC AAAA: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-listen {
       description
        "The 'tls-listen' feature indicates that the NETCONF client
         supports opening a port to listen for incoming NETCONF
         server call-home TLS connections.";
       reference
        "RFC AAAA: NETCONF Call Home and RESTCONF Call Home";
     }

     container netconf-client {
       description
         "Top-level container for NETCONF client configuration.";

       container initiate {
         if-feature initiate;
         description
           "Configures client initiating underlying TCP connections.";
         list netconf-server {
           key name;
           description
             "List of NETCONF servers the NETCONF client is to initiate
              connections to.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF server.";
           }
           choice transport {
             mandatory true;
             description
               "Selects between available transports.";
             case ssh {
               if-feature ssh-initiate;
               container ssh {
                 description
                   "Specifies SSH-specific transport configuration.";
                 leaf address {
                   type inet:host;
                   mandatory true;
                   description
                    "The IP address or hostname of the endpoint.  If
                     a hostname is configured and the DNS resolution
                     results in more than one IP address, the NETCONF
                     client will process the IP addresses as if they
                     had been explicitly configured in place of the
                     hostname.";
                 }
                 leaf port {
                   type inet:port-number;
                   default 830;
                   description
                    "The IP port for this endpoint.  The NETCONF client
                     will use the IANA-assigned well-known port if no
                     value is specified.";
                 }
                 uses ss:initiating-ssh-client-grouping;
               }
             }
             /*
             case tls {
               if-feature tls-initiate;
               container tls {
                 description
                   "Specifies TLS-specific transport configuration.";
                 uses endpoints-container {
                   refine endpoints/endpoint/port {
                     default 6513;
                   }
                 }
                 uses ts:listening-tls-client-grouping {
                   augment "client-auth" {
                     description
                       "Augments in the cert-to-name structure.";
                     uses cert-maps-grouping;
                   }
                 }
               }
             }
             */
           }
         }
       } // end initiate

       container listen {
         if-feature listen;
         description
           "Configures client accepting call-home TCP connections.";
         leaf max-sessions {
           type uint16;
           default 0;
           description
             "Specifies the maximum number of concurrent sessions
              that can be active at one time.  The value 0 indicates
              that no artificial session limit should be used.";
         }
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
             "Specifies the maximum number of seconds that a NETCONF
              session may remain idle.  A NETCONF session will be dropped
              if it is idle for an interval longer than this number of
              seconds.  If set to zero, then the server will never drop
              a session because it is idle.  Sessions that have a
              notification subscription active are never dropped.";
         }
         list endpoint {
           key name;
           description
             "List of endpoints to listen for NETCONF connections on.";
           leaf name {
             type string;
             description
               "An arbitrary name for the NETCONF listen endpoint.";
           }
           choice transport {
             mandatory true;
             description
               "Selects between available transports.";
             case ssh {
               if-feature ssh-listen;
               container ssh {
                 description
                   "SSH-specific listening configuration for inbound
                    connections.";
                 uses ss:listening-ssh-client-grouping {
                   refine port {
                     default 4334;
                   }
                 }
               }
             }
             /*
             case tls {
               if-feature tls-listen;
               container tls {
                 description
                   "TLS-specific listening configuration for inbound
                    connections.";
                 uses ts:listening-tls-client-grouping {
                   refine port {
                     default 4335;
                   }
                   augment "client-auth" {
                     description
                       "Augments in the cert-to-name structure.";
                     uses cert-maps-grouping;
                   }
                 }
               }
             }
             */
           }
         }
       } // end listen
     }

     grouping cert-maps-grouping {
       description
         "A grouping that defines a container around the
          cert-to-name structure defined in RFC 7407.";
       container cert-maps {
         uses x509c2n:cert-to-name;
         description
          "The cert-maps container is used by a TLS-based NETCONF
           server to map the NETCONF client's presented X.509
           certificate to a NETCONF username.  If no matching and
           valid cert-to-name list entry can be found, then the
           NETCONF server MUST close the connection, and MUST NOT
           accept NETCONF messages over it.";
         reference
           "RFC WWWW: NETCONF over TLS, Section 7";
       }
     }

   }

   <CODE ENDS>
3.  The NETCONF Server Model

   The NETCONF server model presented in this section supports servers
   both listening for connections and initiating call-home connections.

   This model also supports both the SSH and TLS transport protocols,
   using the SSH server and TLS server groupings defined in
   [draft-ietf-netconf-ssh-client-server] and
   [draft-ietf-netconf-tls-client-server] respectively.

   All private keys and trusted certificates are held in the keystore
   model defined in [draft-ietf-netconf-keystore].

   YANG feature statements are used to enable implementations to
   advertise which parts of the model the NETCONF server supports.

3.1.  Tree Diagram

   module: ietf-netconf-server
      +--rw netconf-server
         +--rw session-options
         |  +--rw hello-timeout?   uint16
         +--rw listen {listen}?
         |  +--rw max-sessions?   uint16
         |  +--rw idle-timeout?   uint16
         |  +--rw endpoint* [name]
         |     +--rw name           string
         |     +--rw (transport)
         |        +--:(ssh) {ssh-listen}?
         |        |  +--rw ssh
         |        |     +--rw address?   inet:ip-address
         |        |     +--rw port?      inet:port-number
         |        |     +--rw host-keys
         |        |     |  +--rw host-key* [name]
         |        |     |     +--rw name    string
         |        |     |     +--rw (host-key-type)
         |        |     |        +--:(public-key)
         |        |     |        |  +--rw public-key?    -> /ks:keystore/private-keys/private-key/name
         |        |     |        +--:(certificate)
         |        |     |           +--rw certificate?   -> /ks:keystore/private-keys/private-key/certificate-chains/certificate-chain/name {ssh-x509-certs}?
         |        |     +--rw client-cert-auth {ssh-x509-certs}?
         |        |        +--rw trusted-ca-certs?       -> /ks:keystore/trusted-certificates/name
         |        |        +--rw trusted-client-certs?   -> /ks:keystore/trusted-certificates/name
         |        +--:(tls) {tls-listen}?
         |           +--rw tls
         |              +--rw address?   inet:ip-address
         |              +--rw port?      inet:port-number
         |              +--rw certificates
         |              |  +--rw certificate* [name]
         |              |     +--rw name    -> /ks:keystore/private-keys/private-key/certificate-chains/certificate-chain/name
         |              +--rw client-auth
         |                 +--rw trusted-ca-certs?       -> /ks:keystore/trusted-certificates/name
         |                 +--rw trusted-client-certs?   -> /ks:keystore/trusted-certificates/name
         |                 +--rw cert-maps
         |                    +--rw cert-to-name* [id]
         |                       +--rw id             uint32
         |                       +--rw fingerprint    x509c2n:tls-fingerprint
         |                       +--rw map-type       identityref
         |                       +--rw name           string
         +--rw call-home {call-home}?
            +--rw netconf-client* [name]
               +--rw name               string
               +--rw (transport)
               |  +--:(ssh) {ssh-call-home}?
               |  |  +--rw ssh
               |  |     +--rw endpoints
               |  |     |  +--rw endpoint* [name]
               |  |     |     +--rw name       string
               |  |     |     +--rw address    inet:host
               |  |     |     +--rw port?      inet:port-number
               |  |     +--rw host-keys
               |  |     |  +--rw host-key* [name]
               |  |     |     +--rw name    string
               |  |     |     +--rw (host-key-type)
               |  |     |        +--:(public-key)
               |  |     |        |  +--rw public-key?    -> /ks:keystore/private-keys/private-key/name
               |  |     |        +--:(certificate)
               |  |     |           +--rw certificate?   -> /ks:keystore/private-keys/private-key/certificate-chains/certificate-chain/name {ssh-x509-certs}?
               |  |     +--rw client-cert-auth {ssh-x509-certs}?
               |  |        +--rw trusted-ca-certs?       -> /ks:keystore/trusted-certificates/name
               |  |        +--rw trusted-client-certs?   -> /ks:keystore/trusted-certificates/name
               |  +--:(tls) {tls-call-home}?
               |     +--rw tls
               |        +--rw endpoints
               |        |  +--rw endpoint* [name]
               |        |     +--rw name       string
               |        |     +--rw address    inet:host
               |        |     +--rw port?      inet:port-number
               |        +--rw certificates
               |        |  +--rw certificate* [name]
               |        |     +--rw name    -> /ks:keystore/private-keys/private-key/certificate-chains/certificate-chain/name
               |        +--rw client-auth
               |           +--rw trusted-ca-certs?       -> /ks:keystore/trusted-certificates/name
               |           +--rw trusted-client-certs?   -> /ks:keystore/trusted-certificates/name
               |           +--rw cert-maps
               |              +--rw cert-to-name* [id]
               |                 +--rw id             uint32
               |                 +--rw fingerprint    x509c2n:tls-fingerprint
               |                 +--rw map-type       identityref
               |                 +--rw name           string
               +--rw connection-type
               |  +--rw (connection-type)?
               |     +--:(persistent-connection)
               |     |  +--rw persistent!
               |     |     +--rw idle-timeout?   uint32
               |     |     +--rw keep-alives
               |     |        +--rw max-wait?       uint16
               |     |        +--rw max-attempts?   uint8
               |     +--:(periodic-connection)
               |        +--rw periodic!
               |           +--rw idle-timeout?   uint16
| +--rw reconnect_timeout? uint16 | +--rw reconnect_timeout? uint16
+--rw reconnect-strategy +--rw reconnect-strategy
+--rw start-with? enumeration +--rw start-with? enumeration
+--rw max-attempts? uint8 +--rw max-attempts? uint8
3.2. Example Usage 3.2. Example Usage
The following example illustrates configuring a NETCONF server to The following example illustrates configuring a NETCONF server to
listen for NETCONF client connections using both the SSH and TLS listen for NETCONF client connections using both the SSH and TLS
transport protocols, as well as configuring call-home to two NETCONF transport protocols, as well as configuring call-home to two NETCONF
clients, one using SSH and the other using TLS. clients, one using SSH and the other using TLS.
This example is consistent with the examples presented in Section 2.2 This example is consistent with the examples presented in Section 2.2
of [draft-ietf-netconf-system-keychain]. of [draft-ietf-netconf-keystore].
<netconf-server <netconf-server
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
<listen> <listen>
<!-- listening for SSH connections --> <!-- listening for SSH connections -->
<endpoint> <endpoint>
<name>netconf/ssh</name> <name>netconf/ssh</name>
<ssh> <ssh>
<address>11.22.33.44</address> <address>11.22.33.44</address>
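Review bot: in the host-keys subtree the choice changes from `(type)?` to `(host-key-type)`, dropping the trailing `?`, which in tree-diagram notation makes the choice mandatory: a `host-key` entry now has to carry either its `public-key` or its `certificate` leafref, where before it could be configured with neither. That is a semantic tightening on top of the `/kc:keychain/...` to `/ks:keystore/...` leafref retargeting that runs through this whole block, and it deserves a sentence in the text (including the rename of the choice itself, which breaks any consumer that referenced it by name). Section 3.2 now says the example is consistent with Section 2.2 of [draft-ietf-netconf-keystore], so the key and certificate names used in the example that follows should be rechecked against that draft's examples rather than the old system-keychain ones.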
skipping to change at page 21, line 9 skipping to change at page 21, line 9
</reconnect-strategy> </reconnect-strategy>
</netconf-client> </netconf-client>
</call-home> </call-home>
</netconf-server> </netconf-server>
3.3. YANG Model 3.3. YANG Model
This YANG module imports YANG types from [RFC6991] and [RFC7407]. This YANG module imports YANG types from [RFC6991] and [RFC7407].
<CODE BEGINS> file "ietf-netconf-server@2016-07-08.yang" <CODE BEGINS> file "ietf-netconf-server@2016-11-02.yang"
module ietf-netconf-server { module ietf-netconf-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
prefix "ncs"; prefix "ncs";
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
skipping to change at page 21, line 31 skipping to change at page 21, line 31
} }
import ietf-x509-cert-to-name { import ietf-x509-cert-to-name {
prefix x509c2n; prefix x509c2n;
reference reference
"RFC 7407: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
import ietf-ssh-server { import ietf-ssh-server {
prefix ss; prefix ss;
revision-date 2016-07-08; // stable grouping definitions revision-date 2016-11-02; // stable grouping definitions
reference reference
"RFC YYYY: SSH Client and Server Models"; "RFC YYYY: SSH Client and Server Models";
} }
import ietf-tls-server { import ietf-tls-server {
prefix ts; prefix ts;
revision-date 2016-07-08; // stable grouping definitions revision-date 2016-11-02; // stable grouping definitions
reference reference
"RFC ZZZZ: TLS Client and Server Models"; "RFC ZZZZ: TLS Client and Server Models";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netconf/> "WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
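Review bot: the `revision-date 2016-11-02` on the ietf-ssh-server and ietf-tls-server imports moves in lockstep with this module's own revision (from 2016-07-08), so the `// stable grouping definitions` comment is misleading: the pin means an implementation that holds the 2016-07-08 companion modules can no longer load this module at all. Either state in Section 3.3 that the matching revisions of [draft-ietf-netconf-ssh-client-server] and [draft-ietf-netconf-tls-client-server] are required, or leave the revision-date off until the groupings are in fact stable; the intro sentence there currently mentions only the type imports from [RFC6991] and [RFC7407].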
skipping to change at page 22, line 28 skipping to change at page 22, line 28
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2016-07-08" { revision "2016-11-02" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: NETCONF Client and Server Models"; "RFC XXXX: NETCONF Client and Server Models";
} }
// Features // Features
feature listen { feature listen {
description description
skipping to change at page 35, line 31 skipping to change at page 35, line 31
and Bert Wijnen. and Bert Wijnen.
Juergen Schoenwaelder and was partly funded by Flamingo, a Network of Juergen Schoenwaelder and was partly funded by Flamingo, a Network of
Excellence project (ICT-318488) supported by the European Commission Excellence project (ICT-318488) supported by the European Commission
under its Seventh Framework Programme. under its Seventh Framework Programme.
8. References 8. References
8.1. Normative References 8.1. Normative References
[draft-ietf-netconf-keystore]
Watsen, K., "Keystore Model", draft-ieft-netconf-
keystore-00 (work in progress), 2016,
<https://datatracker.ietf.org/html/draft-ieft-netconf-
keystore>.
[draft-ietf-netconf-ssh-client-server] [draft-ietf-netconf-ssh-client-server]
Watsen, K., "SSH Client and Server Models", draft-ieft- Watsen, K., "SSH Client and Server Models", draft-ieft-
netconf-ssh-client-server-00 (work in progress), 2016, netconf-ssh-client-server-00 (work in progress), 2016,
<https://datatracker.ietf.org/html/draft-ieft-netconf-ssh- <https://datatracker.ietf.org/html/draft-ieft-netconf-ssh-
client-server>. client-server>.
[draft-ietf-netconf-system-keychain]
Watsen, K., "System Keychain Model", draft-ieft-netconf-
system-keychain-00 (work in progress), 2016,
<https://datatracker.ietf.org/html/draft-ieft-netconf-
system-keychain>.
[draft-ietf-netconf-tls-client-server] [draft-ietf-netconf-tls-client-server]
Watsen, K., "TLS Client and Server Models", draft-ieft- Watsen, K., "TLS Client and Server Models", draft-ieft-
netconf-tls-client-server-00 (work in progress), 2016, netconf-tls-client-server-00 (work in progress), 2016,
<https://datatracker.ietf.org/html/draft-ieft-netconf-tls- <https://datatracker.ietf.org/html/draft-ieft-netconf-tls-
client-server>. client-server>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
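Review bot: the new [draft-ietf-netconf-keystore] entry spells the draft as `draft-ieft-netconf-keystore-00` and links to `draft-ieft-netconf-keystore`, with the letters of `ietf` transposed, while the reference anchor itself is spelled correctly; the URL will therefore not resolve to the draft that Section 3.2 cites. The same `ieft` transposition sits in the unchanged ssh and tls entries, so suggest `draft-ietf-netconf-keystore-00`, `draft-ietf-netconf-ssh-client-server-00` and `draft-ietf-netconf-tls-client-server-00` with the matching URLs.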
End of changes. 49 change blocks.
465 lines changed or deleted, 465 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/