--- 1/draft-ietf-netconf-netconf-client-server-09.txt 2019-03-09 21:17:55.021095392 -0800 +++ 2/draft-ietf-netconf-netconf-client-server-10.txt 2019-03-09 21:17:56.805139064 -0800 @@ -1,18 +1,18 @@ NETCONF Working Group K. Watsen Internet-Draft Watsen Networks Intended status: Standards Track March 9, 2019 Expires: September 10, 2019 NETCONF Client and Server Models - draft-ietf-netconf-netconf-client-server-09 + draft-ietf-netconf-netconf-client-server-10 Abstract This document defines two YANG modules, one module to configure a NETCONF client and the other module to configure a NETCONF server. Both modules support both the SSH and TLS transport protocols, and support both standard NETCONF and NETCONF Call Home connections. Editorial Note (To be removed by RFC Editor) @@ -92,54 +92,54 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. The NETCONF Client Model . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 13 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 16 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 25 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 25 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 34 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 39 - 5. Design Considerations . . . . . . . . . . . . . . . . . . . . 50 + 5. Design Considerations . . . . . . . . . . . . . . . . . . . . 49 5.1. Support all NETCONF transports . . . . . . . . . . . . . 50 5.2. Enable each transport to select which keys to use . . . . 50 5.3. Support authenticating NETCONF clients certificates . . . 50 5.4. Support mapping authenticated NETCONF client certificates - to usernames . . . . . . . . . . . . . . . . . . . . . . 51 - 5.5. Support both listening for connections and call home . . 51 + to usernames . . . . . . . . . . . . . . . . . . . . . . 50 + 5.5. Support both listening for connections and call home . . 50 5.6. For Call Home connections . . . . . . . . . . . . . . . . 51 5.6.1. Support more than one NETCONF client . . . . . . . . 51 5.6.2. Support NETCONF clients having more than one endpoint 51 5.6.3. Support a reconnection strategy . . . . . . . . . . . 51 - 5.6.4. Support both persistent and periodic connections . . 52 - 5.6.5. Reconnection strategy for periodic connections . . . 52 + 5.6.4. Support both persistent and periodic connections . . 51 + 5.6.5. Reconnection strategy for periodic connections . . . 51 5.6.6. Keep-alives for persistent connections . . . . . . . 52 5.6.7. Customizations for periodic connections . . . . . . . 52 6. Security Considerations . . . . . . . . . . . . . . . . . . . 52 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53 7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 53 - 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 54 + 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 53 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 54 8.1. Normative References . . . . . . . . . . . . . . . . . . 54 8.2. Informative References . . . . . . . . . . . . . . . . . 55 - Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 57 - A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 57 - A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 57 - A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 57 - A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 57 - A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 57 - A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 58 - A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 58 - A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 58 - Appendix B. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . 58 - Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 59 + Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 56 + A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 57 + A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 57 + A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 57 + Appendix B. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . 57 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 58 1. Introduction This document defines two YANG [RFC7950] modules, one module to configure a NETCONF [RFC6241] client and the other module to configure a NETCONF server. Both modules support both NETCONF over SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home connections [RFC8071]. 2. Terminology @@ -715,21 +715,21 @@ This YANG module has normative references to [RFC6242], [RFC6991], [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server], [I-D.ietf-netconf-ssh-client-server], and [I-D.ietf-netconf-tls-client-server]. file "ietf-netconf-client@2019-03-09.yang" module ietf-netconf-client { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client"; - prefix "ncc"; + prefix ncc; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-tcp-client { prefix tcpc; reference @@ -782,21 +781,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision "2019-03-09" { + revision 2019-03-09 { description "Initial version"; reference "RFC XXXX: NETCONF Client and Server Models"; } // Features feature initiate { description @@ -813,22 +812,21 @@ "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)"; } feature tls-initiate { description "The 'tls-initiate' feature indicates that the NETCONF client supports initiating TLS connections to NETCONF servers."; reference "RFC 7589: Using the NETCONF Protocol over Transport - Layer Security (TLS) with Mutual X.509 - Authentication"; + Layer Security (TLS) with Mutual X.509 Authentication"; } feature listen { description "The 'listen' feature indicates that the NETCONF client supports opening a port to accept NETCONF server call home connections using at least one transport (e.g., SSH, TLS, etc.)."; } @@ -848,152 +846,146 @@ server call-home TLS connections."; reference "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; } // Groupings grouping netconf-client-grouping { description "Top-level grouping for NETCONF client configuration."; - container initiate { - if-feature initiate; + if-feature "initiate"; presence "Enables client to initiate TCP connections"; description "Configures client initiating underlying TCP connections."; list netconf-server { - key name; + key "name"; min-elements 1; description "List of NETCONF servers the NETCONF client is to initiate connections to in parallel."; leaf name { type string; description "An arbitrary name for the NETCONF server."; } container endpoints { description "Container for the list of endpoints."; list endpoint { - key name; + key "name"; min-elements 1; ordered-by user; description "A user-ordered list of endpoints that the NETCONF client will attempt to connect to in the specified sequence. Defining more than one enables high-availability."; leaf name { type string; description "An arbitrary name for the endpoint."; } choice transport { mandatory true; description "Selects between available transports."; case ssh { - if-feature ssh-initiate; + if-feature "ssh-initiate"; container ssh { description "Specifies IP and SSH specific configuration for the connection."; uses tcpc:tcp-client-grouping { refine "remote-port" { - default 830; + default "830"; description "The NETCONF client will attempt to connect to the IANA-assigned well-known port value for 'netconf-ssh' (443) if no value is specified."; } } uses sshc:ssh-client-grouping; - } // container ssh - } // case ssh - + } + } case tls { - if-feature tls-initiate; + if-feature "tls-initiate"; container tls { description "Specifies IP and TLS specific configuration for the connection."; uses tcpc:tcp-client-grouping { refine "remote-port" { - default 6513; + default "6513"; description "The NETCONF client will attempt to connect to the IANA-assigned well-known port value for 'netconf-tls' (6513) if no value is specified."; } } - uses tlsc:tls-client-grouping { refine "tls-client-identity/auth-type" { mandatory true; description "NETCONF/TLS clients MUST pass some authentication credentials."; } } - - } // container tls - } // case tls - + } + } } // choice transport } // list endpoint } // container endpoints container connection-type { description "Indicates the NETCONF client's preference for how the NETCONF connection is maintained."; choice connection-type { mandatory true; description "Selects between available connection types."; case persistent-connection { container persistent { - presence - "Indicates that a persistent connection is to be - maintained."; + presence "Indicates that a persistent connection is + to be maintained."; + description "Maintain a persistent connection to the NETCONF server. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF server to NETCONF client data-transfer delay, albeit at the expense of holding resources longer."; } } case periodic-connection { container periodic { - presence - "Indicates that a periodic connection is to be - maintained."; + presence "Indicates that a periodic connection is + to be maintained."; description "Periodically connect to the NETCONF server. The NETCONF server should close the connection upon completing planned activities. This connection type increases resource utilization, albeit with increased delay in NETCONF server to NETCONF client interactions."; leaf period { type uint16; units "minutes"; - default 60; + default "60"; description "Duration of time between periodic connections."; } leaf anchor-time { type yang:date-and-time { // constrained to minute-level granularity pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}' + '(Z|[\+\-]\d{2}:\d{2})'; } description @@ -1046,124 +1038,121 @@ first endpoint configured is used. NETCONF clients SHOULD be able to remember the last endpoint connected to across reboots."; } enum random-selection { description "Indicates that reconnections should start with a random endpoint."; } } - default first-listed; + default "first-listed"; description "Specifies which of the NETCONF server's endpoints the NETCONF client should start with when trying to connect to the NETCONF server."; } leaf max-attempts { type uint8 { range "1..max"; } - default 3; + default "3"; description "Specifies the number times the NETCONF client tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin)."; } } } // netconf-server } // initiate container listen { - if-feature listen; + if-feature "listen"; presence "Enables client to accept call-home connections"; description "Configures client accepting call-home TCP connections."; - leaf idle-timeout { type uint16; units "seconds"; - default 3600; // one hour + default "3600"; // one hour description "Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is idle. Sessions that have a notification subscription active are never dropped."; } - list endpoint { - key name; + key "name"; min-elements 1; description "List of endpoints to listen for NETCONF connections."; leaf name { type string; description "An arbitrary name for the NETCONF listen endpoint."; } choice transport { mandatory true; description "Selects between available transports."; case ssh { - if-feature ssh-listen; + if-feature "ssh-listen"; container ssh { description "SSH-specific listening configuration for inbound connections."; uses tcps:tcp-server-grouping { refine "local-port" { - default 4334; + default "4334"; description "The NETCONF client will listen on the IANA- assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified."; } } uses sshc:ssh-client-grouping; } } case tls { - if-feature tls-listen; + if-feature "tls-listen"; container tls { description "TLS-specific listening configuration for inbound connections."; uses tcps:tcp-server-grouping { refine "local-port" { - default 4334; + default "4334"; description "The NETCONF client will listen on the IANA- assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified."; } } uses tlsc:tls-client-grouping { refine "tls-client-identity/auth-type" { mandatory true; description "NETCONF/TLS clients MUST pass some authentication credentials."; } } } } } // transport } // endpoint } // listen } // netconf-client - - // Protocol accessible node, for servers that 'implement' - // this module. + // Protocol accessible node, for servers that implement this + // module. container netconf-client { uses netconf-client-grouping; description "Top-level container for NETCONF client configuration."; } } 4. The NETCONF Server Model @@ -1859,21 +1850,21 @@ [I-D.ietf-netconf-tls-client-server]. This YANG module imports YANG types from [RFC6991], and YANG groupings from [RFC7407], [I-D.ietf-netconf-ssh-client-server] and [I-D.ietf-netconf-ssh-client-server]. file "ietf-netconf-server@2019-03-09.yang" module ietf-netconf-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; - prefix "ncs"; + prefix ncs; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-x509-cert-to-name { prefix x509c2n; reference @@ -1934,21 +1923,21 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision "2019-03-09" { + revision 2019-03-09 { description "Initial version"; reference "RFC XXXX: NETCONF Client and Server Models"; } // Features feature listen { description @@ -2005,77 +1994,78 @@ reference "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; } // Groupings grouping netconf-server-grouping { description "Top-level grouping for NETCONF server configuration."; container listen { - if-feature listen; + if-feature "listen"; presence "Enables server to listen for TCP connections"; - description "Configures listen behavior"; + description + "Configures listen behavior"; leaf idle-timeout { type uint16; units "seconds"; default 3600; // one hour description "Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is idle. Sessions that have a notification subscription active are never dropped."; } list endpoint { - key name; + key "name"; min-elements 1; description "List of endpoints to listen for NETCONF connections."; leaf name { type string; description "An arbitrary name for the NETCONF listen endpoint."; } choice transport { mandatory true; description "Selects between available transports."; case ssh { - if-feature ssh-listen; + if-feature "ssh-listen"; container ssh { description "SSH-specific listening configuration for inbound connections."; uses tcps:tcp-server-grouping { refine "local-port" { - default 830; + default "830"; description "The NETCONF server will listen on the IANA- assigned well-known port value for 'netconf-ssh' (830) if no value is specified."; } } uses sshs:ssh-server-grouping; } } case tls { - if-feature tls-listen; + if-feature "tls-listen"; container tls { description "TLS-specific listening configuration for inbound connections."; uses tcps:tcp-server-grouping { refine "local-port" { - default 6513; + default "6513"; description "The NETCONF server will listen on the IANA- assigned well-known port value for 'netconf-tls' (6513) if no value is specified."; } } uses tlss:tls-server-grouping { refine "tls-client-auth" { must 'pinned-ca-certs or pinned-client-certs'; description @@ -2098,86 +2088,84 @@ it."; reference "RFC WWWW: NETCONF over TLS, Section 7"; } } } } } } } - } - container call-home { - if-feature call-home; + if-feature "call-home"; presence "Enables server to initiate TCP connections"; description "Configures call-home behavior"; list netconf-client { - key name; + key "name"; min-elements 1; description "List of NETCONF clients the NETCONF server is to initiate call-home connections to in parallel."; leaf name { type string; description "An arbitrary name for the remote NETCONF client."; } container endpoints { description "Container for the list of endpoints."; list endpoint { - key name; + key "name"; min-elements 1; ordered-by user; description "A non-empty user-ordered list of endpoints for this NETCONF server to try to connect to in sequence. Defining more than one enables high-availability."; leaf name { type string; description "An arbitrary name for this endpoint."; } choice transport { mandatory true; description "Selects between available transports."; case ssh { - if-feature ssh-call-home; + if-feature "ssh-call-home"; container ssh { description "Specifies SSH-specific call-home transport configuration."; uses tcpc:tcp-client-grouping { refine "remote-port" { - default 4334; + default "4334"; description "The NETCONF server will attempt to connect to the IANA-assigned well-known port for 'netconf-ch-tls' (4334) if no value is specified."; } } uses sshs:ssh-server-grouping; } } case tls { - if-feature tls-call-home; + if-feature "tls-call-home"; container tls { description "Specifies TLS-specific call-home transport configuration."; uses tcpc:tcp-client-grouping { refine "remote-port" { - default 4335; + default "4335"; description "The NETCONF server will attempt to connect to the IANA-assigned well-known port for 'netconf-ch-tls' (4335) if no value is specified."; } } uses tlss:tls-server-grouping { refine "tls-client-auth" { must 'pinned-ca-certs or pinned-client-certs'; @@ -2214,23 +2201,22 @@ container connection-type { description "Indicates the NETCONF server's preference for how the NETCONF connection is maintained."; choice connection-type { mandatory true; description "Selects between available connection types."; case persistent-connection { container persistent { - presence - "Indicates that a persistent connection is to be - maintained."; + presence "Indicates that a persistent connection is + to be maintained."; description "Maintain a persistent connection to the NETCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF client to NETCONF server data-transfer delay, albeit at the expense of holding resources longer."; } // container persistent @@ -2228,38 +2214,36 @@ "Maintain a persistent connection to the NETCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF client to NETCONF server data-transfer delay, albeit at the expense of holding resources longer."; } // container persistent } // case persistent-connection - case periodic-connection { container periodic { - presence - "Indicates that a periodic connection is to be - maintained."; + presence "Indicates that a periodic connection is + to be maintained."; description "Periodically connect to the NETCONF client. The NETCONF client should close the underlying TLS connection upon completing planned activities. This connection type increases resource utilization, albeit with increased delay in NETCONF client to NETCONF client interactions."; leaf period { type uint16; units "minutes"; - default 60; + default "60"; description "Duration of time between periodic connections."; } leaf anchor-time { type yang:date-and-time { // constrained to minute-level granularity pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}' + '(Z|[\+\-]\d{2}:\d{2})'; } description @@ -2312,53 +2296,50 @@ first endpoint configured is used. NETCONF servers SHOULD be able to remember the last endpoint connected to across reboots."; } enum random-selection { description "Indicates that reconnections should start with a random endpoint."; } } - default first-listed; + default "first-listed"; description "Specifies which of the NETCONF client's endpoints the NETCONF server should start with when trying to connect to the NETCONF client."; } leaf max-attempts { type uint8 { range "1..max"; } - default 3; + default "3"; description "Specifies the number times the NETCONF server tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin)."; } } // container reconnect-strategy } // list netconf-client } // container call-home } // grouping netconf-server-grouping - // Protocol accessible node, for servers that *implement* - // this module. + // Protocol accessible node, for servers that implement this + // module. container netconf-server { uses netconf-server-grouping; description "Top-level container for NETCONF server configuration."; - } - } - 5. Design Considerations Editorial: this section is a hold over from before, previously called "Objectives". It was only written two support the "server" (not the "client"). The question is if it's better to add the missing "client" parts, or remove this section altogether. The primary purpose of the YANG modules defined herein is to enable