--- 1/draft-ietf-netconf-netconf-client-server-20.txt 2020-08-20 15:13:46.482284429 -0700 +++ 2/draft-ietf-netconf-netconf-client-server-21.txt 2020-08-20 15:13:46.590287166 -0700 @@ -1,18 +1,18 @@ NETCONF Working Group K. Watsen Internet-Draft Watsen Networks -Intended status: Standards Track 8 July 2020 -Expires: 9 January 2021 +Intended status: Standards Track 20 August 2020 +Expires: 21 February 2021 NETCONF Client and Server Models - draft-ietf-netconf-netconf-client-server-20 + draft-ietf-netconf-netconf-client-server-21 Abstract This document defines two YANG modules, one module to configure a NETCONF client and the other module to configure a NETCONF server. Both modules support both the SSH and TLS transport protocols, and support both standard NETCONF and NETCONF Call Home connections. Editorial Note (To be removed by RFC Editor) 
@@ -42,42 +42,42 @@ * "FFFF" --> the assigned RFC value for draft-ietf-netconf-tls- client-server * "GGGG" --> the assigned RFC value for draft-ietf-netconf-http- client-server * "HHHH" --> the assigned RFC value for this draft Artwork in this document contains placeholder values for the date of publication of this draft. Please apply the following replacement: - * "2020-07-08" --> the publication date of this draft + * "2020-08-20" --> the publication date of this draft The following Appendix section is to be removed prior to publication: * Appendix A. Change Log Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 9 January 2021. + This Internet-Draft will expire on 21 February 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -97,48 +97,49 @@ 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 10 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 3. The "ietf-netconf-server" Module . . . . . . . . . . . . . . 25 3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 25 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 30 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 36 4. Security Considerations . . . . . . . . . . . . . . . . . . . 49 4.1. The "ietf-netconf-client" YANG Module . . . . . . . . . . 49 4.2. The "ietf-netconf-server" YANG Module . . . . . . . . . . 49 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 - 5.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 50 - 5.2. The YANG Module Names Registry . . . . . . . . . . . . . 50 - 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 - 6.1. Normative References . . . . . . . . . . . . . . . . . . 50 + 5.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 50 + 5.2. The "YANG Module Names" Registry . . . . . . . . . . . . 50 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 + 6.1. Normative References . . . . . . . . . . . . . . . . . . 51 6.2. Informative References . . . . . . . . . . . . . . . . . 52 - Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 53 - A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 53 - A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 53 + Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 54 + A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 54 + A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 54 - A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 54 - A.7. 06 to 07 . . . . . . . . . . . 
. . . . . . . . . . . . . 54 + A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 55 + A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 55 - A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 55 - A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 55 + A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 56 A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 56 A.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 56 - A.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 56 - A.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 56 - A.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 56 + A.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 57 + A.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 57 + A.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 57 A.18. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 57 A.19. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 57 A.20. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 57 - Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 57 + A.21. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 58 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 58 1. Introduction This document defines two YANG [RFC7950] modules, one module to configure a NETCONF [RFC6241] client and the other module to configure a NETCONF server. 
Both modules support both NETCONF over SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home connections [RFC8071]. 1.1. Relation to other RFCs @@ -146,24 +147,24 @@ This document presents one or more YANG modules [RFC7950] that are part of a collection of RFCs that work together to define configuration modules for clients and servers of both the NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. The modules have been defined in a modular fashion to enable their use by other efforts, some of which are known to be in progress at the time of this writing, with many more expected to be defined in time. - The relationship between the various RFCs in the collection is - presented in the below diagram. The labels in the diagram represent - the primary purpose provided by each RFC. Links the each RFC are - provided below the diagram. + The normative dependency relationship between the various RFCs in the + collection is presented in the below diagram. The labels in the + diagram represent the primary purpose provided by each RFC. + Hyperlinks to each RFC are provided below the diagram. crypto-types ^ ^ / \ / \ truststore keystore ^ ^ ^ ^ | +---------+ | | | | | | | +------------+ | 
@@ -227,42 +228,51 @@ clients initiating connections to servers, as well as clients listening for connections from servers calling home, using either the SSH and TLS transport protocols. YANG feature statements are used to enable implementations to advertise which potentially uncommon parts of the model the NETCONF client supports. 2.1. Data Model Overview + This section provides an overview of the "ietf-netconf-client" module + in terms of its features and groupings. + 2.1.1. Features The following diagram lists all the "feature" statements defined in the "ietf-netconf-client" module: Features: +-- ssh-initiate +-- tls-initiate +-- ssh-listen +-- tls-listen + | The diagram above uses syntax that is similar to but not + | defined in [RFC8340]. + 2.1.2. Groupings The following diagram lists all the "grouping" statements defined in the "ietf-netconf-client" module: Groupings: +-- netconf-client-grouping +-- netconf-client-initiate-stack-grouping +-- netconf-client-listen-stack-grouping +-- netconf-client-app-grouping + | The diagram above uses syntax that is similar to but not + | defined in [RFC8340]. + Each of these groupings are presented in the following subsections. 2.1.2.1. The "netconf-client-grouping" Grouping The following tree diagram [RFC8340] illustrates the "netconf-client- grouping" grouping: grouping netconf-client-grouping ---> Comments: 
@@ -411,22 +423,22 @@ * For the referenced grouping statement(s): - The "netconf-client-initiate-stack-grouping" grouping is discussed in Section 2.1.2.2 in this document. - The "netconf-client-listen-stack-grouping" grouping is discussed in Section 2.1.2.3 in this document. 2.1.3. Protocol-accessible Nodes - The following diagram lists all the protocol-accessible nodes defined - in the "ietf-netconf-client" module: + The following tree diagram [RFC8340] lists all the protocol- + accessible nodes defined in the "ietf-netconf-client" module: module: ietf-netconf-client +--rw netconf-client +---u netconf-client-app-grouping Comments: * Protocol-accessible nodes are those nodes that are accessible when the module is "implemented", as described in Section 5.6.5 of [RFC7950]. @@ -626,21 +639,21 @@ 2.3. YANG Module This YANG module has normative references to [RFC6242], [RFC6991], [RFC7589], [RFC8071], [I-D.ietf-netconf-tcp-client-server], [I-D.ietf-netconf-ssh-client-server], and [I-D.ietf-netconf-tls-client-server]. - file "ietf-netconf-client@2020-07-08.yang" + file "ietf-netconf-client@2020-08-20.yang" module ietf-netconf-client { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client"; prefix ncc; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; 
@@ -644,38 +657,36 @@ prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-tcp-client { prefix tcpc; reference "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers"; } - import ietf-tcp-server { prefix tcps; reference "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers"; - } import ietf-ssh-client { prefix sshc; - revision-date 2020-07-08; // stable grouping definitions + revision-date 2020-08-20; // stable grouping definitions reference "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; } import ietf-tls-client { prefix tlsc; - revision-date 2020-07-08; // stable grouping definitions + revision-date 2020-08-20; // stable grouping definitions reference "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: @@ -700,21 +711,21 @@ (https://www.rfc-editor.org/info/rfcHHHH); see the RFC itself for full legal notices.; The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2020-07-08 { + revision 2020-08-20 { description "Initial version"; reference "RFC HHHH: NETCONF Client and Server Models"; } // Features feature ssh-initiate { description 
@@ -1159,42 +1172,51 @@ The NETCONF server model presented in this section supports both listening for connections as well as initiating call-home connections, using either the SSH and TLS transport protocols. YANG feature statements are used to enable implementations to advertise which potentially uncommon parts of the model the NETCONF server supports. 3.1. Data Model Overview + This section provides an overview of the "ietf-netconf-server" module + in terms of its features and groupings. + 3.1.1. Features The following diagram lists all the "feature" statements defined in the "ietf-netconf-server" module: Features: +-- ssh-listen +-- tls-listen +-- ssh-call-home +-- tls-call-home + | The diagram above uses syntax that is similar to but not + | defined in [RFC8340]. + 3.1.2. Groupings The following diagram lists all the "grouping" statements defined in the "ietf-netconf-server" module: Groupings: +-- netconf-server-grouping +-- netconf-server-listen-stack-grouping +-- netconf-server-callhome-stack-grouping +-- netconf-server-app-grouping + | The diagram above uses syntax that is similar to but not + | defined in [RFC8340]. + Each of these groupings are presented in the following subsections. 3.1.2.1. The "netconf-server-grouping" Grouping The following tree diagram [RFC8340] illustrates the "netconf-server- grouping" grouping: =============== NOTE: '\' line wrapping per RFC 8792 ================ grouping netconf-server-grouping 
@@ -1354,27 +1376,30 @@ * For the referenced grouping statement(s): - The "netconf-server-listen-stack-grouping" grouping is discussed in Section 3.1.2.2 in this document. - The "netconf-server-callhome-stack-grouping" grouping is discussed in Section 3.1.2.3 in this document. 3.1.3. Protocol-accessible Nodes - The following diagram lists all the protocol-accessible nodes defined - in the "ietf-netconf-server" module: + The following tree diagram [RFC8340] lists all the protocol- + accessible nodes defined in the "ietf-netconf-server" module: module: ietf-netconf-server +--rw netconf-server +---u netconf-server-app-grouping + | The diagram above uses syntax that is similar to but not + | defined in [RFC8340]. + Comments: * Protocol-accessible nodes are those nodes that are accessible when the module is "implemented", as described in Section 5.6.5 of [RFC7950]. * For the "ietf-netconf-server" module, the protocol-accessible nodes are an instance of the "netconf-server-app-grouping" discussed in Section 3.1.2.4 grouping. @@ -1681,22 +1706,21 @@ 3.3. YANG Module This YANG module has normative references to [RFC6242], [RFC6991], [RFC7407], [RFC7589], [RFC8071], [I-D.ietf-netconf-tcp-client-server], [I-D.ietf-netconf-ssh-client-server], and [I-D.ietf-netconf-tls-client-server]. - file "ietf-netconf-server@2020-07-08.yang" - + file "ietf-netconf-server@2020-08-20.yang" module ietf-netconf-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; prefix ncs; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } 
@@ -1713,37 +1738,38 @@ } import ietf-tcp-server { prefix tcps; reference "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers"; } import ietf-ssh-common { prefix sshcmn; - revision-date 2020-07-08; // stable grouping definitions + revision-date 2020-08-20; // stable grouping definitions reference "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; } import ietf-ssh-server { prefix sshs; - revision-date 2020-07-08; // stable grouping definitions + revision-date 2020-08-20; // stable grouping definitions reference "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers"; } import ietf-tls-server { prefix tlss; - revision-date 2020-07-08; // stable grouping definitions + revision-date 2020-08-20; // stable grouping definitions reference "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; + } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: Author: Kent Watsen Author: Gary Wu @@ -1768,21 +1794,21 @@ (https://www.rfc-editor.org/info/rfcHHHH); see the RFC itself for full legal notices.; The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2020-07-08 { + revision 2020-08-20 { description "Initial version"; reference "RFC HHHH: NETCONF Client and Server Models"; } // Features feature ssh-listen { description 
@@ -2332,80 +2358,80 @@ This module does not define any RPCs, actions, or notifications, and thus the security consideration for such is not provided here. Please be aware that this module uses groupings defined in other RFCs that define data nodes that do set the NACM "default-deny-all" and "default-deny-write" extensions. 5. IANA Considerations -5.1. The IETF XML Registry +5.1. The "IETF XML" Registry This document registers two URIs in the "ns" subregistry of the IETF XML Registry [RFC3688]. Following the format in [RFC3688], the following registrations are requested: URI: urn:ietf:params:xml:ns:yang:ietf-netconf-client Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace. -5.2. The YANG Module Names Registry +5.2. The "YANG Module Names" Registry This document registers two YANG modules in the YANG Module Names - registry [RFC6020]. Following the format in [RFC6020], the the - following registrations are requested: + registry [RFC6020]. Following the format in [RFC6020], the following + registrations are requested: name: ietf-netconf-client namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-client prefix: ncc reference: RFC HHHH name: ietf-netconf-server namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server prefix: ncs reference: RFC HHHH 6. References 6.1. Normative References [I-D.ietf-netconf-keystore] Watsen, K., "A YANG Data Model for a Keystore", Work in - Progress, Internet-Draft, draft-ietf-netconf-keystore-17, - 20 May 2020, . + Progress, Internet-Draft, draft-ietf-netconf-keystore-19, + 10 July 2020, . [I-D.ietf-netconf-ssh-client-server] Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and SSH Servers", Work in Progress, Internet-Draft, draft- - ietf-netconf-ssh-client-server-19, 20 May 2020, + ietf-netconf-ssh-client-server-21, 10 July 2020, . 
+ client-server-21>. [I-D.ietf-netconf-tcp-client-server] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients and TCP Servers", Work in Progress, Internet-Draft, draft- - ietf-netconf-tcp-client-server-06, 16 June 2020, + ietf-netconf-tcp-client-server-07, 8 July 2020, . + client-server-07>. [I-D.ietf-netconf-tls-client-server] Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and TLS Servers", Work in Progress, Internet-Draft, draft- - ietf-netconf-tls-client-server-19, 20 May 2020, + ietf-netconf-tls-client-server-21, 10 July 2020, . + client-server-21>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, . 
@@ -2437,52 +2463,52 @@ RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 6.2. Informative References [I-D.ietf-netconf-crypto-types] - Watsen, K., "Common YANG Data Types for Cryptography", - Work in Progress, Internet-Draft, draft-ietf-netconf- - crypto-types-15, 20 May 2020, + Watsen, K., "YANG Data Types and Groupings for + Cryptography", Work in Progress, Internet-Draft, draft- + ietf-netconf-crypto-types-17, 10 July 2020, . + types-17>. [I-D.ietf-netconf-http-client-server] Watsen, K., "YANG Groupings for HTTP Clients and HTTP Servers", Work in Progress, Internet-Draft, draft-ietf- - netconf-http-client-server-03, 20 May 2020, + netconf-http-client-server-04, 8 July 2020, . + client-server-04>. [I-D.ietf-netconf-netconf-client-server] Watsen, K., "NETCONF Client and Server Models", Work in Progress, Internet-Draft, draft-ietf-netconf-netconf- - client-server-19, 20 May 2020, + client-server-20, 8 July 2020, . + client-server-20>. [I-D.ietf-netconf-restconf-client-server] Watsen, K., "RESTCONF Client and Server Models", Work in Progress, Internet-Draft, draft-ietf-netconf-restconf- - client-server-19, 20 May 2020, + client-server-20, 8 July 2020, . + client-server-20>. [I-D.ietf-netconf-trust-anchors] Watsen, K., "A YANG Data Model for a Truststore", Work in Progress, Internet-Draft, draft-ietf-netconf-trust- - anchors-10, 20 May 2020, . + anchors-12, 10 July 2020, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", 
@@ -2686,20 +2712,26 @@ A.20. 19 to 20 * Expanded "Data Model Overview section(s) [remove "wall" of tree diagrams]. * Removed expanded tree diagrams that were listed in the Appendix. * Updated the Security Considerations section. +A.21. 20 to 21 + + * Cleaned up titles in the IANA Considerations section + + * Fixed issues found by the SecDir review of the "keystore" draft. + Acknowledgements The authors would like to thank for following for lively discussions on list and in the halls (ordered by last name): Andy Bierman, Martin Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs Kovacs, David Lamparter, Ladislav Lhotka, Alan Luchuk, Radek Krejci, Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Author's Address
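Review bot: two grammar nits sit in the unchanged context of hunk @@ -227,42 +228,51 @@ and recur verbatim in the server counterpart @@ -1159,42 +1172,51 @@, and since both hunks are already editorial passes over these sections they should be folded in. "using either the SSH and TLS transport protocols" should read "using either the SSH or the TLS transport protocol", and "Each of these groupings are presented in the following subsections" should read "Each of these groupings is presented in the following subsections". The added "similar to but not defined in [RFC8340]" disclaimers under the Features and Groupings lists are correct, since those "+--" lists are not RFC 8340 tree diagrams.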
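Review bot: the import pins "revision-date 2020-08-20" on ietf-ssh-client and ietf-tls-client in hunk @@ -644,38 +657,36 @@ (and on ietf-ssh-common, ietf-ssh-server and ietf-tls-server in hunk @@ -1713,37 +1738,38 @@) only resolve if the SSH and TLS companion modules actually carry a "revision 2020-08-20" statement, but the normative references updated in hunk @@ -2332,80 +2358,80 @@ still cite draft-ietf-netconf-ssh-client-server-21 and draft-ietf-netconf-tls-client-server-21 dated 10 July 2020. Either those references are stale (the companion drafts were republished alongside this one) or the pins point at a module revision that does not exist yet; the "// stable grouping definitions" comment is only true in the first case. Please confirm the revision dates in the referenced drafts and bump the entries in Section 6.1 so the reference and the pin agree.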
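Review bot: hunk @@ -1354,27 +1376,30 @@ contradicts itself about RFC 8340. The rewritten lead-in now says "The following tree diagram [RFC8340] lists all the protocol-accessible nodes", and then the same hunk adds "The diagram above uses syntax that is similar to but not defined in [RFC8340]" under that diagram. The "+---u" flag for uses of a grouping is defined in RFC 8340 (Section 2.6 flags), so the diagram is a normal RFC 8340 tree diagram and the disclaimer is wrong here; it is only appropriate for the Features and Groupings lists. The parallel client hunk @@ -411,22 +423,22 @@ makes the same lead-in change without adding the disclaimer, so the fix is to drop the two added "|" lines from the server hunk so that 2.1.3 and 3.1.3 match.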
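Review bot: the brace and blank-line churn around the imports needs a compile check before posting. In hunk @@ -1713,37 +1738,38 @@ the ietf-tls-server import ends with a "+" line immediately before "}", and in hunk @@ -644,38 +657,36 @@ the ietf-tcp-server import is bracketed by two "-" lines; in this rendering it is not possible to tell whether those are whitespace-only changes or an added/removed closing brace. The hunk line counts (+1 and -2) are consistent with blank-line edits, but since every import's revision-date also moves in this revision, please re-run pyang on the extracted ietf-netconf-client@2020-08-20.yang and ietf-netconf-server@2020-08-20.yang against the 2020-08-20 companion modules and confirm both still validate.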
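Review bot: hunk @@ -2332,80 +2358,80 @@ quotes the registry names in the section titles ("IETF XML" Registry, "YANG Module Names" Registry) but leaves the body text as "the IETF XML Registry [RFC3688]" and "the YANG Module Names registry [RFC6020]", so the two forms now differ within the same section. Pick one form (the quoted IANA registry name) and use it in both the title and the body; the "the the" fix in 5.2 is good.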
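Review bot: hunk @@ -2437,52 +2463,52 @@ bumps [I-D.ietf-netconf-netconf-client-server] to draft -20, but that entry is this document citing its previous revision of itself as an informative reference. If the entry exists only so the hyperlink list under the "Relation to other RFCs" diagram has a target for this draft, it should be replaced by "this document" (or flagged for the RFC Editor in the Editorial Note alongside the "HHHH" placeholder) rather than carried forward as a reference that will always lag one revision behind. Also worth confirming that the retitled [I-D.ietf-netconf-crypto-types] entry ("YANG Data Types and Groupings for Cryptography") matches the title actually used by crypto-types-17.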
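Review bot: the new A.21 entry in hunk @@ -2686,20 +2712,26 @@ says "Fixed issues found by the SecDir review of the 'keystore' draft" without saying which items applied here; from this diff those appear to be the "similar to but not defined in [RFC8340]" notes under the Features and Groupings lists and the "normative dependency" wording in Section 1.1. Please list them, as the other change-log entries do, so a reader of the RFC-to-be can map the SecDir comments to the text. Separately, the unchanged Acknowledgements context "would like to thank for following for lively discussions" should read "would like to thank the following for lively discussions".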