NETCONF Working Group                                          K. Watsen
Internet-Draft                                          Juniper Networks
Intended status: Standards Track                        J. Schoenwaelder
Expires: January 7, 2016                        Jacobs University Bremen
                                                            July 6, 2015

        NETCONF Server and RESTCONF Server Configuration Models
                  draft-ietf-netconf-server-model-07

Abstract

   This draft defines a NETCONF server configuration data model and a
   RESTCONF server configuration data model.  These data models enable
   configuration of the NETCONF and RESTCONF services themselves,
   including which transports are supported, what ports the servers
   listen on, call-home parameters, client authentication, and other
   related configuration parameters.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  Please note
   that no other RFC Editor instructions are specified anywhere else in
   this document.

   This document contains references to other drafts in progress, both
   in the Normative References section, as well as in body text
   throughout.  Please update the following references to reflect their
   final RFC assignments:

   o  draft-ietf-netconf-restconf

   o  draft-ietf-netconf-call-home

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "VVVV" --> the assigned RFC value for this draft

   o  "XXXX" --> the assigned RFC value for draft-ietf-netconf-restconf

   o  "YYYY" --> the assigned RFC value for draft-ietf-netconf-call-home

   o  "ZZZZ" --> the assigned RFC value for draft-thomson-httpbis-cant

   Artwork in this document contains placeholder values for ports
   pending IANA assignment from "draft-ietf-netconf-call-home".
   Please apply the following replacements:

   o  "7777" --> the assigned port value for "netconf-ch-ssh"

   o  "8888" --> the assigned port value for "netconf-ch-tls"

   o  "9999" --> the assigned port value for "restconf-ch-tls"

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2015-07-06" --> the publication date of this draft

   The following two Appendix sections are to be removed prior to
   publication:

   o  Appendix B.  Change Log

   o  Appendix C.  Open Issues

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Objectives
     2.1.  Support all NETCONF and RESTCONF transports
     2.2.  Enable each transport to select which keys to use
     2.3.  Support authenticating NETCONF/RESTCONF client certificates
     2.4.  Support mapping authenticated NETCONF/RESTCONF client
           certificates to usernames
     2.5.  Support both listening for connections and call home
     2.6.  For Call Home connections
       2.6.1.  Support more than one NETCONF/RESTCONF client
       2.6.2.  Support NETCONF/RESTCONF clients having more than one
               endpoint
       2.6.3.  Support a reconnection strategy
       2.6.4.  Support both persistent and periodic connections
       2.6.5.  Reconnection strategy for periodic connections
       2.6.6.  Keep-alives for persistent connections
       2.6.7.  Customizations for periodic connections
   3.  The NETCONF Server Model
     3.1.  Tree Diagram
     3.2.  Example Usage
       3.2.1.  Configuring SSH Transport
       3.2.2.  Configuring TLS Transport
     3.3.  YANG Model
   4.  The RESTCONF Server Model
     4.1.  Tree Diagram
     4.2.  Example Usage
       4.2.1.  Configuring TLS Transport
     4.3.  YANG Model
   5.  Security Considerations
   6.  IANA Considerations
   7.  Other Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Alternative solution addressing Issue #49
     A.1.  The Keychain Model
       A.1.1.  Tree Diagram
       A.1.2.  Example Usage
       A.1.3.  YANG Model
     A.2.  The SSH Server Model
       A.2.1.  Tree Diagram
       A.2.2.  Example Usage
       A.2.3.  YANG Model
     A.3.  The TLS Server Model
       A.3.1.  Tree Diagram
       A.3.2.  Example Usage
       A.3.3.  YANG Model
     A.4.  The NETCONF Server Model
       A.4.1.  Tree Diagram
       A.4.2.  Example Usage
       A.4.3.  YANG Model
     A.5.  The RESTCONF Server Model
       A.5.1.  Tree Diagram
       A.5.2.  Example Usage
       A.5.3.  YANG Model
   Appendix B.  Change Log
     B.1.  00 to 01
     B.2.  01 to 02
     B.3.  02 to 03
     B.4.  03 to 04
     B.5.  04 to 05
     B.6.  05 to 06
     B.7.  06 to 07
   Appendix C.  Open Issues

1.  Introduction

   This draft defines a NETCONF [RFC6241] server configuration data
   model and a RESTCONF [draft-ietf-netconf-restconf] server
   configuration data model.  These data models enable configuration of
   the NETCONF and RESTCONF services themselves, including which
   transports are supported, what ports the servers listen on, call-home
   parameters, client authentication, and other related configuration
   parameters.

1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2.  Tree Diagrams

   A simplified graphical representation of the data models is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Braces "{" and "}" enclose feature names, and indicate that the
      named feature must be present for the subtree to be present.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Objectives

   The primary purpose of the YANG modules defined herein is to enable
   the configuration of the NETCONF and RESTCONF services on a network
   element.  This scope includes the following objectives:

2.1.  Support all NETCONF and RESTCONF transports

   The YANG module should support all current NETCONF and RESTCONF
   transports, namely NETCONF over SSH [RFC6242], NETCONF over TLS
   [RFC7589], and RESTCONF over TLS [draft-ietf-netconf-restconf], and
   be extensible to support future transports as necessary.

   Because implementations may not support all transports, the module
   should use YANG "feature" statements so that implementations can
   accurately advertise which transports are supported.

2.2.  Enable each transport to select which keys to use

   Servers may have a multiplicity of host-keys or server-certificates
   from which subsets may be selected for specific uses.  For instance,
   a NETCONF server may want to use one set of SSH host-keys when
   listening on port 830, and a different set of SSH host-keys when
   calling home.  The data models provided herein should enable
   configuration of which keys to use on a per-use basis.

2.3.  Support authenticating NETCONF/RESTCONF client certificates

   When a certificate is used to authenticate a NETCONF or RESTCONF
   client, there is a need to configure the server to know how to
   authenticate the certificates.  The server should be able to
   authenticate the client's certificate either by using path-validation
   to a configured trust anchor or by matching the client-certificate to
   one previously configured.

2.4.  Support mapping authenticated NETCONF/RESTCONF client certificates
      to usernames

   When a client certificate is used for TLS client authentication, the
   NETCONF/RESTCONF server must be able to derive a username from the
   authenticated certificate.  Thus the modules defined herein should
   enable this mapping to be configured.

2.5.  Support both listening for connections and call home

   The NETCONF and RESTCONF protocols were originally defined as having
   the server opening a port to listen for client connections.  More
   recently the NETCONF working group defined support for call-home
   ([draft-ietf-netconf-call-home]), enabling the server to initiate the
   connection to the client, for both the NETCONF and RESTCONF
   protocols.  Thus the modules defined herein should enable
   configuration for both listening for connections and calling home.

   Because implementations may not support both listening for
   connections and calling home, YANG "feature" statements should be
   used so that implementations can accurately advertise the connection
   types they support.

2.6.  For Call Home connections

   The following objectives only pertain to call home connections.

2.6.1.  Support more than one NETCONF/RESTCONF client

   A NETCONF/RESTCONF server may be managed by more than one NETCONF/
   RESTCONF client.  For instance, a deployment may have one client for
   provisioning and another for fault monitoring.  Therefore, when it is
   desired for a server to initiate call home connections, it should be
   able to do so to more than one client.

2.6.2.  Support NETCONF/RESTCONF clients having more than one endpoint

   A NETCONF/RESTCONF client managing a NETCONF/RESTCONF server may
   implement a high-availability strategy employing a multiplicity of
   active and/or passive endpoints.  Therefore, when it is desired for a
   server to initiate call home connections, it should be able to
   connect to any of the client's endpoints.

2.6.3.  Support a reconnection strategy

   Assuming a NETCONF/RESTCONF client has more than one endpoint, then
   it becomes necessary to configure how a NETCONF/RESTCONF server
   should reconnect to the client should it lose its connection to one
   of the client's endpoints.  For instance, the NETCONF/RESTCONF server
   may start with the first endpoint defined in a user-ordered list of
   endpoints or with the last endpoint it was connected to.  Therefore,
   a reconnection strategy should be configurable.

2.6.4.  Support both persistent and periodic connections

   NETCONF/RESTCONF clients may vary greatly on how frequently they need
   to interact with a NETCONF/RESTCONF server, how responsive
   interactions need to be, and how many simultaneous connections they
   can support.  Some clients may need a persistent connection to
   servers to optimize real-time interactions, while others prefer
   periodic interactions in order to minimize resource requirements.
   Therefore, when it is necessary for a server to initiate connections,
   it should be configurable whether the connection is persistent or
   periodic.

2.6.5.  Reconnection strategy for periodic connections

   The reconnection strategy should apply to both persistent and
   periodic connections.  How it applies to periodic connections becomes
   clear when considering that a periodic "connection" is a logical
   connection to a single server.  That is, the periods of
   unconnectedness are intentional as opposed to due to external
   reasons.  A periodic "connection" should always reconnect to the same
   server until it is no longer able to, at which time the reconnection
   strategy guides how to connect to another server.

2.6.6.  Keep-alives for persistent connections

   If a persistent connection is desired, it is the responsibility of
   the connection initiator to actively test the "aliveness" of the
   connection.  The connection initiator must immediately work to
   reestablish a persistent connection as soon as the connection is
   lost.  How often the connection should be tested is driven by
   NETCONF/RESTCONF client requirements, and therefore keep-alive
   settings should be configurable on a per-client basis.

2.6.7.  Customizations for periodic connections

   If a periodic connection is desired, it is necessary for the NETCONF/
   RESTCONF server to know how often it should connect.  This frequency
   determines the maximum amount of time a NETCONF/RESTCONF client may
   have to wait to send data to a server.  A server may connect to a
   client before this interval expires if desired (e.g., to send data to
   a client).

3.  The NETCONF Server Model

3.1.  Tree Diagram

   module: ietf-netconf-server
      +--rw netconf-server
         +--rw session-options
         |  +--rw hello-timeout?   uint16
         +--rw listen {(ssh-listen or tls-listen)}?
         |  +--rw max-sessions?   uint16
         |  +--rw idle-timeout?   uint16
         |  +--rw endpoint* [name]
         |     +--rw name           string
         |     +--rw (transport)
         |        +--:(ssh) {ssh-listen}?
         |        |  +--rw ssh
         |        |     +--rw address?     inet:ip-address
         |        |     +--rw port?        inet:port-number
         |        |     +--rw host-keys
         |        |        +--rw host-key*   string
         |        +--:(tls) {tls-listen}?
         |           +--rw tls
         |              +--rw address?       inet:ip-address
         |              +--rw port?          inet:port-number
         |              +--rw certificates
         |                 +--rw certificate*   string
         +--rw call-home {(ssh-call-home or tls-call-home)}?
         |  +--rw netconf-client* [name]
         |     +--rw name                  string
         |     +--rw (transport)
         |     |  +--:(ssh) {ssh-call-home}?
         |     |  |  +--rw ssh
         |     |  |     +--rw endpoints
         |     |  |     |  +--rw endpoint* [name]
         |     |  |     |     +--rw name       string
         |     |  |     |     +--rw address    inet:host
         |     |  |     |     +--rw port?      inet:port-number
         |     |  |     +--rw host-keys
         |     |  |        +--rw host-key*   string
         |     |  +--:(tls) {tls-call-home}?
         |     |     +--rw tls
         |     |        +--rw endpoints
         |     |        |  +--rw endpoint* [name]
         |     |        |     +--rw name       string
         |     |        |     +--rw address    inet:host
         |     |        |     +--rw port?      inet:port-number
         |     |        +--rw certificates
         |     |           +--rw certificate*   string
         |     +--rw connection-type
         |     |  +--rw (connection-type)?
         |     |     +--:(persistent-connection)
         |     |     |  +--rw persistent!
         |     |     |     +--rw idle-timeout?   uint32
         |     |     |     +--rw keep-alives
         |     |     |        +--rw max-wait?       uint16
         |     |     |        +--rw max-attempts?   uint8
         |     |     +--:(periodic-connection)
         |     |        +--rw periodic!
         |     |           +--rw idle-timeout?        uint16
         |     |           +--rw reconnect_timeout?   uint16
         |     +--rw reconnect-strategy
         |        +--rw start-with?     enumeration
         |        +--rw max-attempts?   uint8
         +--rw ssh {(ssh-listen or ssh-call-home)}?
         |  +--rw x509 {ssh-x509-certs}?
         |     +--rw trusted-ca-certs
         |     |  +--rw trusted-ca-cert*   binary
         |     +--rw trusted-client-certs
         |        +--rw trusted-client-cert*   binary
         +--rw tls {(tls-listen or tls-call-home)}?
            +--rw client-auth
               +--rw trusted-ca-certs
               |  +--rw trusted-ca-cert*   binary
               +--rw trusted-client-certs
               |  +--rw trusted-client-cert*   binary
               +--rw cert-maps
                  +--rw cert-to-name* [id]
                     +--rw id             uint32
                     +--rw fingerprint    x509c2n:tls-fingerprint
                     +--rw map-type       identityref
                     +--rw name           string

3.2.  Example Usage

3.2.1.  Configuring SSH Transport

   The following example illustrates the <get> response from a NETCONF
   server that only supports SSH, both listening for incoming
   connections as well as calling home to a single NETCONF/RESTCONF
   client having two endpoints.
   <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
     <listen>
       <endpoint>
         <name>netconf/ssh</name>
         <ssh>
           <address>11.22.33.44</address>
           <host-keys>
             <host-key>my-rsa-key</host-key>
             <host-key>my-dss-key</host-key>
           </host-keys>
         </ssh>
       </endpoint>
     </listen>
     <call-home>
       <netconf-client>
         <name>config-mgr</name>
         <ssh>
           <endpoints>
             <endpoint>
               <name>east-data-center</name>
               <address>11.22.33.44</address>
             </endpoint>
             <endpoint>
               <name>west-data-center</name>
               <address>55.66.77.88</address>
             </endpoint>
           </endpoints>
           <host-keys>
             <host-key>my-call-home-x509-key</host-key>
           </host-keys>
         </ssh>
       </netconf-client>
     </call-home>
     <ssh>
       <x509>
         <trusted-ca-certs>
           <trusted-ca-cert>
             QW4gRWFzdGVyIGVnZywgZm9yIHRob3NlIHdobyBtaWdodCBsb29rICA6KQo=
           </trusted-ca-cert>
         </trusted-ca-certs>
         <trusted-client-certs>
           <trusted-client-cert>
             SSBhbSB0aGUgZWdnIG1hbiwgdGhleSBhcmUgdGhlIGVnZyBtZW4uCg==
           </trusted-client-cert>
           <trusted-client-cert>
             SSBhbSB0aGUgd2FscnVzLCBnb28gZ29vIGcnam9vYi4K
           </trusted-client-cert>
         </trusted-client-certs>
       </x509>
     </ssh>
   </netconf-server>

3.2.2.  Configuring TLS Transport

   The following example illustrates the <get> response from a NETCONF
   server that only supports TLS, both listening for incoming
   connections as well as calling home to a single NETCONF/RESTCONF
   client having two endpoints.  Please note also the configuration for
   authenticating client certificates and for mapping authenticated
   certificates to NETCONF user names.
   <netconf-server
     xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"
     xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">
     <listen>
       <endpoint>
         <name>netconf/tls</name>
         <tls>
           <address>11.22.33.44</address>
           <certificates>
             <certificate>fw1.east.example.com</certificate>
           </certificates>
         </tls>
       </endpoint>
     </listen>
     <call-home>
       <netconf-client>
         <name>config-mgr</name>
         <tls>
           <endpoints>
             <endpoint>
               <name>east-data-center</name>
               <address>22.33.44.55</address>
             </endpoint>
             <endpoint>
               <name>west-data-center</name>
               <address>33.44.55.66</address>
             </endpoint>
           </endpoints>
           <certificates>
             <certificate>IDevID Certificate</certificate>
           </certificates>
         </tls>
       </netconf-client>
     </call-home>
     <tls>
       <client-auth>
         <trusted-ca-certs>
           <trusted-ca-cert>
             WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM
             lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk
             zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot
             NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd
             VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER
             V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF
             NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC
             Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN
             WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW
             QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ
             MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ
             25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2
             RJSUJQFRStS0Cg==
           </trusted-ca-cert>
         </trusted-ca-certs>
         <trusted-client-certs>
           <trusted-client-cert>
             QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ
             MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ
             25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2
             RV0JCU2t2MXI2SFNHeUFUVkpwSmYyOWtXbUU0NEo5akJrQmdOVkhTTUVY
             VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER
             UxNQWtHQTFVRUJoTUNWVk14RURBT0JnTlZCQW9UQjJWNApZVzF3YkdVeE
             V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF
             NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC
             Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN
             WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW
             xWVE1SQXdEZ1lEVlFRSwpFd2RsZUdGdGNHeGxNUk13RVFZRFZRUURFd3B
             EVWt3Z1NYTnpkV1Z5TUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCCkFFc3BK
             WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM
             TQzcjFZSjk0M1FQLzV5eGUKN2QxMkxCV0dxUjUrbEl5N01YL21ka2M4al
             zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot
             LS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
           </trusted-client-cert>
           <trusted-client-cert>
             VlEVlFRREV3Vm9ZWEJ3ZVRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQm
             pRQXdnWWtDCmdZRUE1RzRFSWZsS1p2bDlXTW44eUhyM2hObUFRaUhVUzV
             rRUpPQy9hSFA3eGJXQW1ra054ZStUa2hrZnBsL3UKbVhsTjhSZUd1ODhG
             NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd
             VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER
             V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF
             NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC
             Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN
             WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW
             xWVE1SQXdEZ1lEVlFRSwpFd2RsZUdGdGNHeGxNUk13RVFZRFZRUURFd3B
             EVWt3Z1NYTnpkV1Z5TUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCCkFFc3BK
             WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM
             lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk
             zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot
             QWtUOCBDRVUUZJ0RUF==
           </trusted-client-cert>
         </trusted-client-certs>
         <cert-maps>
           <cert-to-name>
             <id>1</id>
             <fingerprint>11:0A:05:11:00</fingerprint>
             <map-type>x509c2n:san-any</map-type>
           </cert-to-name>
           <cert-to-name>
             <id>2</id>
             <fingerprint>B3:4F:A1:8C:54</fingerprint>
             <map-type>x509c2n:specified</map-type>
             <name>scooby-doo</name>
           </cert-to-name>
         </cert-maps>
       </client-auth>
     </tls>
   </netconf-server>

3.3.  YANG Model

   This YANG module imports YANG types from [RFC6991] and [RFC7407].
   <CODE BEGINS> file "ietf-netconf-server@2015-07-06.yang"

   module ietf-netconf-server {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
     prefix "ncserver";

     import ietf-netconf-acm {
       prefix nacm;  // RFC 6536
     }

     import ietf-inet-types {  // RFC 6991
       prefix inet;
     }

     import ietf-x509-cert-to-name {  // RFC 7407
       prefix x509c2n;
     }

     organization
      "IETF NETCONF (Network Configuration) Working Group";

     contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
       WG List:  <mailto:netconf@ietf.org>

       WG Chair: Mehmet Ersue
                 <mailto:mehmet.ersue@nsn.com>

       WG Chair: Mahesh Jethanandani
                 <mailto:mjethanandani@gmail.com>

       Editor:   Kent Watsen
                 <mailto:kwatsen@juniper.net>";

     description
      "This module contains a collection of YANG definitions for
       configuring NETCONF servers.

       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD
       License set forth in Section 4.c of the IETF Trust's
       Legal Provisions Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC VVVV; see
       the RFC itself for full legal notices.";

     revision "2015-07-06" {
       description
        "Initial version";
       reference
        "RFC VVVV: NETCONF Server and RESTCONF Server Configuration
                   Models";
     }

     // Features

     feature ssh-listen {
       description
        "The ssh-listen feature indicates that the NETCONF server
         supports opening a port to accept NETCONF over SSH
         client connections.";
       reference
        "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
     }

     feature ssh-call-home {
       description
        "The ssh-call-home feature indicates that the NETCONF
         server supports initiating a NETCONF over SSH call
         home connection to NETCONF clients.";
       reference
        "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-listen {
       description
        "The tls-listen feature indicates that the NETCONF server
         supports opening a port to accept NETCONF over TLS
         client connections.";
       reference
        "RFC 5539: Using the NETCONF Protocol over Transport Layer
                   Security (TLS) with Mutual X.509 Authentication";
     }

     feature tls-call-home {
       description
        "The tls-call-home feature indicates that the NETCONF
         server supports initiating a NETCONF over TLS call
         home connection to NETCONF clients.";
       reference
        "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
     }

     feature ssh-x509-certs {
       description
        "The ssh-x509-certs feature indicates that the NETCONF
         server supports RFC 6187";
       reference
        "RFC 6187: X.509v3 Certificates for Secure Shell
                   Authentication";
     }

     // top-level container (groupings below)

     container netconf-server {
       description
        "Top-level container for NETCONF server configuration.";

       container session-options {  // SHOULD WE REMOVE THIS ALTOGETHER?
         description
          "NETCONF session options, independent of transport
           or connection strategy.";
         leaf hello-timeout {
           type uint16;
           units "seconds";
           default 600;
           description
            "Specifies the maximum number of seconds that an SSH/TLS
             connection may wait for a hello message to be received.
             A connection will be dropped if no hello message is
             received before this number of seconds elapses.  If set
             to zero, then the server will wait forever for a hello
             message.";
         }
       }

       container listen {
         description
          "Configures listen behavior";
         if-feature "(ssh-listen or tls-listen)";
         leaf max-sessions {
           type uint16;
           default 0;
           description
            "Specifies the maximum number of concurrent sessions
             that can be active at one time.  The value 0 indicates
             that no artificial session limit should be used.";
         }
         leaf idle-timeout {
           type uint16;
           units "seconds";
           default 3600; // one hour
           description
            "Specifies the maximum number of seconds that a NETCONF
             session may remain idle.  A NETCONF session will be
             dropped if it is idle for an interval longer than this
             number of seconds.  If set to zero, then the server
             will never drop a session because it is idle.  Sessions
             that have a notification subscription active are never
             dropped.";
         }
         list endpoint {
           key name;
           description
            "List of endpoints to listen for NETCONF connections on.";
           leaf name {
             type string;
             description
              "An arbitrary name for the NETCONF listen endpoint.";
           }
           choice transport {
             mandatory true;
             description
              "Selects between available transports.";
             case ssh {
               if-feature ssh-listen;
               container ssh {
                 description
                  "SSH-specific listening configuration for inbound
                   connections.";
                 uses address-and-port-grouping {
                   refine port {
                     default 830;
                   }
                 }
                 uses host-keys-grouping;
               }
             }
             case tls {
               if-feature tls-listen;
               container tls {
                 description
                  "TLS-specific listening configuration for inbound
                   connections.";
                 uses address-and-port-grouping {
                   refine port {
                     default 6513;
                   }
                 }
                 uses certificates-grouping;
               }
             }
           }
         }
       }

       container call-home {
         if-feature "(ssh-call-home or tls-call-home)";
         description
          "Configures call-home behavior";
         list netconf-client {
           key name;
           description
            "List of NETCONF clients the NETCONF server is to
             initiate call-home connections to.";
           leaf name {
             type string;
             description
              "An arbitrary name for the remote
NETCONF client."; } choice transport { mandatory true; description "Selects between available transports."; case ssh { if-featuressh;ssh-call-home; container ssh { description "Specifies SSH-specific call-home transport configuration."; uses endpoints-container { refine endpoints/endpoint/port { default 7777; } } useshost-keys-container;host-keys-grouping; } } case tls { if-featuretls;tls-call-home; container tls { description "Specifies TLS-specific call-home transport configuration."; uses endpoints-container { refine endpoints/endpoint/port { default 8888; } } usescertificates-container;certificates-grouping; } } } container connection-type { description "Indicates the kind of connection to use."; choice connection-type {default persistent-connection;description "Selects betweenpersistent and periodic connections.";available connection types."; case persistent-connection { container persistent { presence true; description "Maintain a persistent connection to the NETCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF client to NETCONF server data-transfer delay, albeit at the expense of holding resources longer.";uses keep-alives-container { refine keep-alives/interval-secsleaf idle-timeout { type uint32; units "seconds"; default15;86400; //15 seconds for call-home sessions } } } } case periodic-connection { container periodic {one day; description"Periodically connect to NETCONF client, using the reconnection strategy, so the NETCONF client can deliver pending messages to"Specifies the maximum number of seconds that a a NETCONFserver. For messages thesession may remain idle. A NETCONFserver wants to send tosession will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then theNETCONF client, the NETCONFservershould proactively connect towill never drop a session because it is idle. 
Sessions that have a notification subscription active are never dropped."; } container keep-alives { description "Configures theNETCONF client, if not already,keep-alive policy, tosendproactively test themessages immediately.";aliveness of the SSH/TLS client. An unresponsive SSH/TLS client will be dropped after approximately (max-attempts * max-wait) seconds."; reference "RFC YYYY: NETCONF Call Home and RESTCONF Call Home, Section 3.1, item S6"; leaftimeout-minsmax-wait { typeuint8;uint16 { range "1..max"; } unitsminutes;seconds; default5;30; description"The maximum"Sets the amount ofunconnected time the NETCONF server will wait until establishing a connection to the NETCONF client again. The NETCONF server MAY establish a connection before thistime in seconds after which ifit hasno datait needs to sendhas been received from the SSH/TLS client, a SSH/TLS-level message will be sent to test theNETCONF client. Note: this value differs fromaliveness of thereconnection strategy's interval-secs value.";SSH/TLS client."; } leaflinger-secsmax-attempts { type uint8;units seconds;default30;3; description"The amount of time"Sets theNETCONF server should wait after last receiving data from or sending datanumber of sequential keep-alive messages that can fail to obtain a response from theNETCONF client's endpointSSH/TLS client beforeclosing its connection to it. Thisassuming the SSH/TLS client isan optimization to prevent unnecessary connections."; }no longer alive."; } } } } case periodic-connection { containerreconnect-strategyperiodic { presence true; description"The reconnection strategy guides how a NETCONF server reconnects"Periodically connect toanthe NETCONF client,after losing a connection to it, even if due to a reboot.so that the NETCONF client may deliver messages pending for the NETCONF server. 
The NETCONF client is expected to close the connection when it is ready to release it, thus starting the NETCONF server's timer until next connection."; leaf idle-timeout { type uint16; units "seconds"; default 300; // five minutes description "Specifies the maximum number of seconds that a a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is idle. Sessions that have a notification subscription active are never dropped."; } leaf reconnect_timeout { type uint16 { range "1..max"; } units minutes; default 60; description "The maximum amount of unconnected time the NETCONF server will wait before establishing a connection to the NETCONF client. The NETCONF server may initiate a connection before this time if desired (e.g., to deliver a notification)."; } } } } } container reconnect-strategy { description "The reconnection strategy guides how a NETCONF server reconnects to an NETCONF client, after losing a connection to it, even if due to a reboot. The NETCONF server starts with the specified endpoint and tries to connect to itcount-max times, waiting interval-secs between each connection attempt,max-attempts times before trying the next endpoint in the list (round robin)."; leaf start-with { type enumeration { enum first-listed { description "Indicates that reconnections should start with the first endpoint listed."; } enum last-connected { description "Indicates that reconnections should start with the endpoint last connected to. If no previous connection has ever been established, then the first endpoint configured is used. NETCONF servers SHOULDsupport this flagbe able to remember the last endpoint connected to across reboots."; } } default first-listed; description "Specifies which of the NETCONF client's endpoints the NETCONF server should start with when trying to connect to the NETCONFclient. 
If no previous connection has ever been established, last-connected defaults to the first endpoint listed.";client."; } leafinterval-secsmax-attempts { typeuint8; units seconds; default 5; description "Specifies the time delay between connection attempts to the same endpoint. Note: this value differs from the periodic-connection's timeout-mins value."; } leaf count-maxuint8 {type uint8;range "1..max"; } default 3; description "Specifies the number times the NETCONF server tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin)."; } } } }} grouping ssh-container { description "This grouping is used only to help improve readability of the YANG module.";container ssh { description "Configures SSH properties not specific to the listen or call-home use-cases"; if-featuressh;"(ssh-listen or ssh-call-home)"; container x509 { if-feature ssh-x509-certs; uses trusted-certs-grouping; } }} grouping tls-container { description "This grouping is used only to help improve readability of the YANG module.";container tls { description "Configures TLS properties for authenticating clients."; if-featuretls;"(tls-listen or tls-call-home)"; container client-auth { description "Container for TLS client authentication configuration."; uses trusted-certs-grouping; container cert-maps { uses x509c2n:cert-to-name; description "The cert-maps container is used by a NETCONF server to map the NETCONF client's presented X.509 certificate to a NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection, and MUST NOT accept NETCONF messages over it."; reference "RFC WWWW: NETCONF over TLS, Section 7"; } } } } grouping trusted-certs-grouping { description "This grouping is used by both the ssh and tls containers."; container trusted-ca-certs { description "A list of Certificate Authority (CA) certificates that a NETCONF server can use to authenticate NETCONF clientcertificates. 
A client's certificate is authenticated if there is a chain of trust to a configured trusted CA certificate. The client certificate MAY be accompanied with additional certificates forming a chain of trust.certificates."; reference "RFC WWWW: NETCONF over TLS, Sections 5 and 7. RFC 4253: Theclient's certificate is authenticated if there is path-validation from any of the certificates it presents to a configured trust anchor.";Secure Shell (SSH) Transport Layer Protocol, Section 8, #3. RFC 6187: X.509v3 Certificates for Secure Shell Authentication."; leaf-list trusted-ca-cert { type binary;ordered-by system;nacm:default-deny-write; description "The binary certificate structure as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>; "; reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2"; } } container trusted-client-certs { description "A list of client certificates that a NETCONF server can use to authenticate a NETCONF client's certificate. A client's certificate is authenticated if it is an exact match to a configured trusted clientcertificates.";certificate."; leaf-list trusted-client-cert { type binary;ordered-by system;nacm:default-deny-write; description "The binary certificate structure, as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>; "; reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2"; } } } groupinghost-keys-containerhost-keys-grouping { description "This grouping is used by both the listen and call-home containers"; container host-keys { description "Parent container for the list of host-keys."; leaf-list host-key { type string; min-elements 1; ordered-by user; description "A user-ordered list of host-keys the SSH server considers when composing the list of server host key algorithms it will send to the client in its SSH_MSG_KEXINIT message. The value of the string is the unique identifier for a host-key configured on the system. 
How valid values are discovered is outside the scope of this module, but they are envisioned to be the keys for a list of host-keys provided by another YANG module"; reference "RFC 4253: The SSH Transport Layer Protocol, Section 7"; } } } groupingcertificates-containercertificates-grouping { description "This grouping is used by both the listen and call-home containers"; container certificates { description "Parent container for the list of certificates."; leaf-list certificate { type string; min-elements 1; description "An unordered list of certificates the TLS server can pick from when sending its Server Certificate message. The value of the string is the unique identifier for a certificate configured on the system. How valid values are discovered is outside the scope of this module, but they are envisioned to be the keys for a list of certificates provided by another YANG module"; reference "RFC 5246: The TLS Protocol, Section 7.4.2"; } } } grouping address-and-port-grouping { description "This grouping isusdused by both the ssh and tls containers for listen configuration."; leaf address { type inet:ip-address; description "The IP address of the interface to listenon.";on. The NETCONF server will listen on all interfaces if no value is specified."; } leaf port { type inet:port-number; description "The local port number on this interface the NETCONF server listenson.";on. The NETCONF server will use the IANA-assigned well-known port if no value is specified."; } } grouping endpoints-container { description "This grouping is used by both the ssh and tls containers for call-home configurations."; container endpoints { description "Container for the list of endpoints."; list endpoint { key name; min-elements 1; ordered-by user; description "User-ordered list of endpoints for this NETCONF client. 
Defining more than one enables high-availability."; leaf name { type string; description "An arbitrary name forthe endpoint to connect to.";this endpoint."; } leaf address { type inet:host; mandatory true; description "Thehostname orIP address or hostname of the endpoint. If a hostname isprovidedconfigured and the DNSresolves toresolution results in more than one IP address, the NETCONF serverSHOULD try all ofwill process theones it can based on how its networking stack isIP addresses as if they had been explicitly configured(e.g. v4, v6, dual-stack).";in place of the hostname."; } leaf port { type inet:port-number; description "The IP port for this endpoint. The NETCONF server will use the IANA-assigned well-known port ifnotno value is specified."; } } } }grouping keep-alives-container { description "This grouping is use by both listen and call-home configurations."; container keep-alives { description "Configures the keep-alive policy, to proactively test the aliveness of the NETCONF client."; reference "RFC VVVV: NETCONF Server and} <CODE ENDS> 4. The RESTCONF ServerConfiguration Models, Section 4"; leaf interval-secs { type uint8; units seconds; description "Sets a timeout interval in seconds after which if no data has been received from the NETCONF client, a message will be sent to request a response from the NETCONF client. A value of '0' indicates that no keep-alive messages should be sent."; } leaf count-max { type uint8; default 3; description "Sets the number of keep-alive messages that may be sent without receiving any data from the NETCONF client before assuming the NETCONF client is no longer alive. If this threshold is reached, the transport-level connection will be disconnected, which will trigger the reconnection strategy). The interval timer is reset after each transmission, thus an unresponsive NETCONF client will be dropped after approximately (count-max * interval-secs) seconds."; } } } } <CODE ENDS> 4. 
The RESTCONF Server ConfigurationModel 4.1.Overview 4.1.1. The "listen" subtreeTree Diagram module: ietf-restconf-server +--rw restconf-server +--rw listen{listen}?{tls-listen}? | +--rw max-sessions? uint16 | +--rw endpoint* [name] | +--rw name string | +--rw (transport) | +--:(tls) | +--rw tls | +--rw address? inet:ip-address | +--rw port? inet:port-number | +--rw certificates | +--rw certificate* string +--rwkeep-alives +--rw interval-secs? uint8 +--rw count-max? uint8 The above subtree illustrates how the ietf-restconf-server YANG module enables configuration for listening for remote connections, as described in [draft-ietf-netconf-restconf]. Feature statements are used to limit both if listening is supported at all as well as for which transports. If listening for connections is supported, then the model enables configuring a list of listening endpoints, each configured with a user-specified name (the key field), the transport to use (i.e. TLS), and the IP address and port to listen on. The port field is optional, defaulting to the transport-specific port when not configured. Please see the YANG module (Section 4.2) for a complete description of these configuration knobs. 4.1.2. The "call-home" subtree module: ietf-restconf-server +--rw restconf-server +--rwcall-home{call-home}?{tls-call-home}? | +--rwapplication*restconf-client* [name] | +--rw name string | +--rw (transport) | | +--:(tls){tls}?| | +--rw tls | | +--rw endpoints | | | +--rw endpoint* [name] | | | +--rw name string | | | +--rw address inet:host | | | +--rw port? inet:port-number | | +--rw certificates | | +--rw certificate* string | +--rw connection-type | | +--rw (connection-type)? | | +--:(persistent-connection) | | | +--rwpersistentpersistent! | | | +--rw keep-alives | | | +--rwinterval-secs? uint8max-wait? uint16 | | | +--rwcount-max?max-attempts? uint8 | | +--:(periodic-connection) |+--rw periodic| +--rwtimeout-mins? uint8periodic! | | +--rwlinger-secs? uint8reconnect-timeout? 
uint16 | +--rw reconnect-strategy | +--rw start-with? enumeration | +--rwinterval-secs?max-attempts? uint8 +--rwcount-max? uint8 The above subtree illustrates how the ietf-restconf-server YANG module enables configuration for call home, as described in [draft-ietf-netconf-call-home]. Feature statements are used to limit both if call-home is supported at all as well as for which transports, if it is. If call-home is supported, then the model supports configuring a list of applications to connect to. Each application is configured with a user-specified name (the key field), the transport to be used (i.e. TLS), and a list of remote endpoints, each having a name, an IP address, and an optional port. Additionally, the configuration for each remote application indicates the connection-type (persistent vs. periodic) and associated parameters, as well as the reconnection strategy to use. Please see the YANG module (Section 4.2) for a complete description of these configuration knobs. 4.1.3. The "client-cert-auth" subtree module: ietf-restconf-server +--rw restconf-server +--rwclient-cert-auth {client-cert-auth}? +--rw trusted-ca-certs | +--rw trusted-ca-cert* binary +--rw trusted-client-certs | +--rw trusted-client-cert* binary +--rw cert-maps +--rw cert-to-name* [id] +--rw id uint32 +--rw fingerprint x509c2n:tls-fingerprint +--rw map-type identityref +--rw name string 4.2. Example Usage 4.2.1. Configuring TLS Transport Theabove subtreefollowing example illustrateshowtheietf-restconf-server YANG module enables configuration of client-certificate authentication. Specifically, this data-model provides 1) an ability to configure how client-certificates are authenticated and 2) how authenticated client-certificates are mapped to<get> response from a RESTCONFuser names. Please see the YANG module (Section 4.2)server that only supports TLS, both listening for incoming connections as well as calling home to acomplete description of these configuration knobs. 
4.2.single RESTCONF client having two endpoints. <restconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-server"> <listen> <endpoint> <name>primary-restconf-endpoint</name> <tls> <address>11.22.33.44</address> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </endpoint> </listen> <call-home> <restconf-client> <name>config-mgr</name> <tls> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </restconf-client> </call-home> </restconf-server> 4.3. YANGModuleModel This YANG module imports YANG types from [RFC6991] and [RFC7407]. <CODE BEGINS> file"ietf-restconf-server@2015-02-02.yang""ietf-restconf-server@2015-07-06.yang" module ietf-restconf-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server"; prefix "rcserver"; import ietf-netconf-acm { prefix nacm; // RFC 6536revision-date 2012-02-22;} import ietf-inet-types { // RFC 6991 prefix inet;revision-date 2013-07-15;} import ietf-x509-cert-to-name { // RFC 7407 prefix x509c2n;revision-date 2014-12-10;} organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> WG Chair: Mehmet Ersue <mailto:mehmet.ersue@nsn.com> WG Chair: Mahesh Jethanandani <mailto:mjethanandani@gmail.com> Editor: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module contains a collection of YANG definitions for configuring RESTCONF servers. Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC VVVV; see the RFC itself for full legal notices."; revision"2015-02-02""2015-07-06" { description "Initial version"; reference "RFC VVVV: NETCONF Server and RESTCONF Server Configuration Models"; } // Features featuretls { description "The tls feature indicates that the server supports RESTCONF over the TLS transport protocol."; reference "RFC XXXX: RESTCONF Protocol"; } feature listentls-listen { description "The listen feature indicates that the RESTCONF server supports opening a port to listen for incoming RESTCONF client connections."; reference "RFC XXXX: RESTCONF Protocol"; } featurecall-hometls-call-home { description "The call-home feature indicates that the RESTCONF server supportsconnectinginitiating connections tothe client.";RESTCONF clients."; reference "RFC YYYY: NETCONF Call Home and RESTCONF Call Home"; } feature client-cert-auth { description "The client-cert-auth featureindicatresindicates that the RESTCONF server supports the ClientCertificate authentication scheme."; reference "RFC ZZZZ: Client Authentication over New TLS Connection"; } // top-level container (groupings below) container restconf-server { description "Top-level container for RESTCONF server configuration.";uses listen-container; uses call-home-container; uses client-cert-auth-container; } grouping listen-container { description "This grouping is used only to help improve readability of the YANG module.";container listen { description "Configures listen behavior"; if-featurelisten;tls-listen; leaf max-sessions { typeuint16 { range "0 .. 1024"; }uint16; default'0';0; // should this be 'max'? 
description "Specifies the maximum number of concurrent sessions that can be active at one time. The value 0 indicates that no artificial session limit should be used."; } list endpoint { key name; description "List of endpoints to listen for RESTCONF connections on."; leaf name { type string; description "An arbitrary name for the RESTCONF listen endpoint."; } choice transport { mandatory true; description "Selects between available transports."; case tls { container tls { description "TLS-specific listening configuration for inbound connections.";uses address-and-port-grouping { refine portleaf address {default 443; } } uses certificates-container; } } } uses keep-alives-container { refine keep-alives/interval-secstype inet:ip-address; description "The IP address of the interface to listen on. The RESTCONF server will listen on all interfaces if no value is specified."; } leaf port { type inet:port-number; default0; // disabled by default for443; description "The port number the RESTCONF server will listenconnectionson."; } uses certificates-grouping; } } } } }grouping call-home-container { description "This grouping is used only to help improve readability of the YANG module.";container call-home { if-featurecall-home;tls-call-home; description "Configures call-home behavior"; listapplicationrestconf-client { key name; description "List of RESTCONF clients the RESTCONF server is to initiate call-home connections to."; leaf name { type string; description "An arbitrary name for the remote RESTCONF client."; } choice transport { mandatory true; description "Selects between TLS and anyfuturetransports augmented in."; case tls {if-feature tls;container tls { description "Specifies TLS-specific call-home transport configuration.";uses endpoints-containercontainer endpoints {refine endpoints/endpoint/portdescription "Container for the list of endpoints."; list endpoint { key name; min-elements 1; ordered-by user; description "User-ordered list of endpoints for this 
RESTCONF client. More than one enables high-availability."; leaf name { type string; description "An arbitrary name for this endpoint."; } leaf address { type inet:host; mandatory true; description "The IP address or hostname of the endpoint. If a hostname is configured and the DNS resolution results in more than one IP address, the RESTCONF server will process the IP addresses as if they had been explicitly configured in place of the hostname."; } leaf port { type inet:port-number; default 9999; description "The IP port for this endpoint. The RESTCONF server will use the IANA-assigned well-known port if no value is specified."; } } } usescertificates-container;certificates-grouping; } } } container connection-type { description "Indicates the RESTCONF client's preference for how the RESTCONF server's connection is maintained."; choice connection-type {default persistent-connection;description "Selects betweenpersistent and periodic connections.";available connection types."; case persistent-connection { container persistent { presence true; description "Maintain a persistent connection to the RESTCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any RESTCONF client to RESTCONF server data-transfer delay, albeit at the expense of holding resources longer.";uses keep-alives-container { refine keep-alives/interval-secs { default 15; // 15 seconds for call-home sessions } } } } case periodic-connection {containerperiodickeep-alives { description"Periodically connect"Configures the keep-alive policy, toRESTCONF client, usingproactively test thereconnection strategy, soaliveness of theRESTCONFTLS client. An unresponsive TLS clientcan deliver pending messages to thewill be dropped after approximately (max-attempts * max-wait) seconds."; reference "RFC YYYY: NETCONF Call Home and RESTCONFserver. 
                    Call Home, Section 3.1, item S6";
                  leaf max-wait {
                    type uint16 {
                      range "1..max";
                    }
                    units seconds;
                    default 30;
                    description
                      "Sets the amount of time in seconds after which, if no
                       data has been received from the TLS client, a TLS-level
                       message will be sent to test the aliveness of the TLS
                       client.";
                  }
                  leaf max-attempts {
                    type uint8;
                    default 3;
                    description
                      "Sets the number of sequential keep-alive messages that
                       can fail to obtain a response from the TLS client before
                       assuming the TLS client is no longer alive.";
                  }
                }
              }
            }
            case periodic-connection {
              container periodic {
                presence true;
                description
                  "Periodically connect to the RESTCONF client, so that the
                   RESTCONF client may deliver messages pending for the
                   RESTCONF server.  The RESTCONF client is expected to close
                   the connection when it is ready to release it, thus
                   starting the RESTCONF server's timer until next
                   connection.";
                leaf reconnect-timeout {
                  type uint16 {
                    range "1..max";
                  }
                  units minutes;
                  default 60;
                  description
                    "The maximum amount of unconnected time the RESTCONF
                     server will wait before re-establishing a connection to
                     the RESTCONF client.  The RESTCONF server may initiate a
                     connection before this time if desired (e.g., to deliver
                     a notification).";
                }
              }
            }
          }
        }
        container reconnect-strategy {
          description
            "The reconnection strategy guides how a RESTCONF server
             reconnects to a RESTCONF client, after losing a connection
             to it, even if due to a reboot.  The RESTCONF server starts
             with the specified endpoint and tries to connect to it
             max-attempts times before trying the next endpoint in the
             list (round robin).";
          leaf start-with {
            type enumeration {
              enum first-listed {
                description
                  "Indicates that reconnections should start with the
                   first endpoint listed.";
              }
              enum last-connected {
                description
                  "Indicates that reconnections should start with the
                   endpoint last connected to.  If no previous connection
                   has ever been established, then the first endpoint
                   configured is used.  RESTCONF servers SHOULD be able to
                   remember the last endpoint connected to across
                   reboots.";
              }
            }
            default first-listed;
            description
              "Specifies which of the RESTCONF client's endpoints the
               RESTCONF server should start with when trying to connect
               to the RESTCONF client.";
          }
          leaf max-attempts {
            type uint8 {
              range "1..max";
            }
            default 3;
            description
              "Specifies the number of times the RESTCONF server tries to
               connect to a specific endpoint before moving on to the
               next endpoint in the list (round robin).";
          }
        }
      }
    }
  }

  grouping client-cert-auth-container {
    description
      "This grouping is used only to help improve readability of
       the YANG module.";
    container client-cert-auth {
      if-feature client-cert-auth;
      description
        "Container for TLS client certificate authentication
         configuration.";
      container trusted-ca-certs {
        description
          "A list of Certificate Authority (CA) certificates that a
           RESTCONF server can use to authenticate RESTCONF client
           certificates.";
        reference
          "RFC XXXX: RESTCONF Protocol, Sections 2.3 and 2.5.";
        leaf-list trusted-ca-cert {
          type binary;
          nacm:default-deny-write;
          description
            "The binary certificate structure as specified by RFC 5246,
             Section 7.4.6, i.e.: opaque ASN.1Cert<1..2^24>;";
          reference
            "RFC 5246: The Transport Layer Security (TLS) Protocol
             Version 1.2";
        }
      }
      container trusted-client-certs {
        description
          "A list of client certificates that a RESTCONF server can use
           to authenticate a RESTCONF client's certificate.  A client's
           certificate is authenticated if it is an exact match to a
           configured trusted client certificate.";
        leaf-list trusted-client-cert {
          type binary;
          nacm:default-deny-write;
          description
            "The binary certificate structure, as specified by RFC 5246,
             Section 7.4.6, i.e.: opaque ASN.1Cert<1..2^24>;";
          reference
            "RFC 5246: The Transport Layer Security (TLS) Protocol
             Version 1.2";
        }
      }
      container cert-maps {
        uses x509c2n:cert-to-name;
        description
          "The cert-maps container is used by a RESTCONF server to map
           the RESTCONF client's presented X.509 certificate to a
           RESTCONF username.  If no matching and valid cert-to-name
           list entry can be found, then the RESTCONF server MUST close
           the connection, and MUST NOT accept RESTCONF messages over
           it.";
        reference
          "RFC XXXX: RESTCONF Protocol, Section 2.5";
      }
    }
  }

  grouping certificates-grouping {
    description
      "This grouping is used by both the listen and call-home
       containers.";
    container certificates {
      description
        "Parent container for the list of certificates.";
      leaf-list certificate {
        type string;
        min-elements 1;
        description
          "An unordered list of certificates the TLS server can pick
           from when sending its Server Certificate message.  The value
           of the string is the unique identifier for a certificate
           configured on the system.  How valid values are discovered
           is outside the scope of this module, but they are envisioned
           to be the keys for a list of certificates provided by
           another YANG module.";
        reference
          "RFC 5246: The TLS Protocol, Section 7.4.2";
      }
    }
  }

}

<CODE ENDS>
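The reconnect-strategy container above, as an added example that is not part of the draft or its YANG modules: a small Python scheduler that walks a RESTCONF client's user-ordered endpoint list according to start-with and max-attempts, and remembers the last endpoint connected to so that a server restarted with start-with = last-connected resumes there. The endpoint names, addresses, port value and the connect callback are all constructed for this example.

```python
"""Added example (not from the draft): the call-home reconnect-strategy
of the ietf-restconf-server module, implemented as a small scheduler.

The RESTCONF server walks the client's user-ordered endpoint list,
starting with the first-listed endpoint or the one last connected to,
tries each endpoint max-attempts times, then moves to the next one in
round-robin order.  All endpoint names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Endpoint:
    """One entry of the user-ordered 'endpoint' list of a restconf-client."""
    name: str         # arbitrary name, the list key
    address: str      # hostname or IP address
    port: int = 9999  # placeholder: the "restconf-ch-tls" port is pending IANA


@dataclass
class ReconnectStrategy:
    """Mirrors the reconnect-strategy container and its YANG constraints."""
    start_with: str = "first-listed"   # enumeration: first-listed | last-connected
    max_attempts: int = 3              # uint8 with range "1..max"

    def __post_init__(self) -> None:
        if self.start_with not in ("first-listed", "last-connected"):
            raise ValueError("start-with must be first-listed or last-connected")
        if not 1 <= self.max_attempts <= 255:
            raise ValueError("max-attempts must be in 1..255")


class CallHomeClient:
    """One restconf-client: its endpoints, strategy and remembered state."""

    def __init__(self, endpoints: List[Endpoint], strategy: ReconnectStrategy,
                 last_connected: Optional[str] = None) -> None:
        if not endpoints:                      # YANG: min-elements 1
            raise ValueError("at least one endpoint is required")
        self.endpoints = list(endpoints)       # ordered-by user
        self.strategy = strategy
        # Name of the endpoint last connected to.  Servers SHOULD keep this
        # across reboots, so a real implementation would persist it.
        self.last_connected = last_connected

    def connection_order(self) -> List[Endpoint]:
        """Endpoints in the order they will be tried (round robin)."""
        names = [ep.name for ep in self.endpoints]
        start = 0
        # last-connected falls back to the first endpoint when no previous
        # connection exists (or the remembered endpoint has been removed).
        if (self.strategy.start_with == "last-connected"
                and self.last_connected in names):
            start = names.index(self.last_connected)
        return self.endpoints[start:] + self.endpoints[:start]

    def reconnect(self, try_connect: Callable[[Endpoint], bool],
                  max_rounds: int = 1) -> Optional[Endpoint]:
        """Re-establish the connection after it was lost.

        try_connect(endpoint) returns True once a connection is up.  Each
        endpoint gets max-attempts tries before the next one is used;
        max_rounds bounds how often the whole list is cycled so that this
        example terminates (a server keeps cycling until it succeeds).
        """
        order = self.connection_order()
        for _ in range(max_rounds):
            for ep in order:
                for _attempt in range(self.strategy.max_attempts):
                    if try_connect(ep):
                        self.last_connected = ep.name
                        return ep
        return None


def demo_reconnect() -> List[str]:
    """Simulates a primary endpoint that is down; returns the attempt trace."""
    endpoints = [Endpoint("primary", "198.51.100.10"),   # constructed
                 Endpoint("backup", "203.0.113.20")]     # constructed
    client = CallHomeClient(endpoints, ReconnectStrategy("first-listed", 3))
    trace: List[str] = []

    def try_connect(ep: Endpoint) -> bool:
        trace.append(ep.name)
        return ep.name == "backup"           # only the backup answers

    connected = client.reconnect(try_connect)
    assert connected is not None and connected.name == "backup"
    # A later reboot with start-with = last-connected resumes at 'backup'.
    rebooted = CallHomeClient(endpoints, ReconnectStrategy("last-connected", 3),
                              last_connected=client.last_connected)
    trace.append("after-reboot:" + rebooted.connection_order()[0].name)
    return trace


if __name__ == "__main__":
    print(demo_reconnect())
```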
5.  Security Considerations

   There are a number of data nodes defined in the "ietf-netconf-server" YANG module which are readable and/or writable that may be considered sensitive or vulnerable in some network environments.  Write and read operations to these data nodes can have a negative effect on network operations.  It is thus important to control write and read access to these data nodes.  Below are the data nodes and their sensitivity/vulnerability.

   netconf-server/tls/client-auth/trusted-ca-certs:

   o  This container contains certificates that a NETCONF server is to use as trust anchors for authenticating X.509-based client certificates.  Write access to this node is protected using an nacm:default-deny-write statement.

   netconf-server/tls/client-auth/trusted-client-certs:

   o  This container contains certificates that a NETCONF server is to trust directly when authenticating X.509-based client certificates.  Write access to this node is protected using an nacm:default-deny-write statement.

   restconf-server/tls/client-auth/trusted-ca-certs:

   o  This container contains certificates that a RESTCONF server is to use as trust anchors for authenticating X.509-based client certificates.  Write access to this node is protected using an nacm:default-deny-write statement.

   restconf-server/tls/client-auth/trusted-client-certs:

   o  This container contains certificates that a RESTCONF server is to trust directly when authenticating X.509-based client certificates.  Write access to this node is protected using an nacm:default-deny-write statement.

6.  IANA Considerations

   This document registers two URIs in the IETF XML registry [RFC2119].  Following the format in [RFC3688], the following registrations are requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-netconf-server
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-restconf-server
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

   This document registers two YANG modules in the YANG Module Names registry [RFC6020].  Following the format in [RFC6020], the following registrations are requested:

      name:      ietf-netconf-server
      namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server
      prefix:    ncserver
      reference: RFC VVVV

      name:      ietf-restconf-server
      namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-server
      prefix:    rcserver
      reference: RFC VVVV

7.  Other Considerations

   The YANG modules defined herein do not themselves support virtual routing and forwarding (VRF).  It is expected that external modules will augment in VRF designations when needed.

8.  Acknowledgements

   The authors would like to thank the following for lively discussions on list and in the halls (ordered by last name): Andy Bierman, Martin Bjorklund, Benoit Claise, Mehmet Ersue, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Phil Shafer, and Bert Wijnen.

   Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, January 2006.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

   [RFC6187]  Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure Shell Authentication", RFC 6187, March 2011.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, March 2012.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013.

   [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for SNMP Configuration", RFC 7407, December 2014.

   [RFC7589]  Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication", RFC 7589, June 2015.

   [draft-ietf-netconf-call-home]
              Watsen, K., "NETCONF Call Home and RESTCONF Call Home", draft-ietf-netconf-call-home-02 (work in progress), 2014.

   [draft-ietf-netconf-restconf]
              Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", draft-ietf-netconf-restconf-04 (work in progress), 2014.

9.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.

Appendix A.  Alternative solution addressing Issue #49

   Option #4 for Issue #49 proposed to define configuration for a keychain, and on-going discussion proposed to create reusable groupings for SSH/TLS servers (referencing keys and certificates held in the keychain) that the NETCONF/RESTCONF servers would use.  This relationship is illustrated by the diagram below.

                           +-------------+
                           |ietf-keychain|
                           +-------------+
                               ^     ^
                               |     |
                     <leafref> |     | <leafref>
                  +------------+     +------------+
                  |                               |
          +---------------+              +------------------+
          |ietf-ssh-server|              | ietf-tls-server  |
          +---------------+              +------------------+
                  ^                          ^          ^
                  | <uses>                   |          |
                  | <augments>               |          |
                  |     +--------------------+          | <augments>
                  |     |                               |
          +-------------------+             +--------------------+
          |ietf-netconf-server|             |ietf-restconf-server|
          +-------------------+             +--------------------+

   The following sections describe each of the five YANG modules above.

A.1.  The Keychain Model

A.1.1.  Tree Diagram

   module: ietf-keychain
      +--rw keychain
         +--rw private-keys
         |  +--rw private-key* [name]
         |     +--rw name            string
         |     +--ro algorithm?      enumeration
         |     +--ro key-length?     uint32
         |     +--ro public-key?     string
         |     +--rw certificates
         |        +--rw certificate* [name]
         |           +--rw name     string
         |           +--rw chain?   binary
         +--rw trusted-certificates* [name]
            +--rw name                    string
            +--rw trusted-certificate* [name]
               +--rw name           string
               +--rw certificate?   binary
   rpcs:
      +---x generate-certificate-signing-request
      |  +---w input
      |  |  +---w private-key?   -> /keychain/private-keys/private-key/name
      |  |  +---w subject        binary
      |  |  +---w attributes?    binary
      |  +--ro output
      |     +--ro certificate-signing-request   binary
      +---x generate-private-key
         +---w input
            +---w name          string
            +---w algorithm     enumeration
            +---w key-length    uint32

A.1.2.  Example Usage

   <keychain xmlns="urn:ietf:params:xml:ns:yang:ietf-keychain">

     <!-- private keys and associated certificates -->
     <private-keys>
       <private-key>
         <name>TPM key</name>
         <algorithm>rsa</algorithm>
         <key-length>2048</key-length>
         <public-key>
           <!-- base64 data omitted -->
         </public-key>
         <certificates>
           <certificate>
             <name>IDevID Certificate</name>
             <chain>
               <!-- base64 data omitted -->
             </chain>
           </certificate>
         </certificates>
       </private-key>
     </private-keys>

     <!-- trusted netconf/restconf client certificates -->
     <trusted-certificates>
       <name>Trusted certificates for netconf/restconf client</name>
       <trusted-certificate>
         <name>George Jetson</name>
         <certificate>
           <!-- base64 data omitted -->
         </certificate>
       </trusted-certificate>
       <trusted-certificate>
         <name>Fred Flinstone</name>
         <certificate>
           <!-- base64 data omitted -->
         </certificate>
       </trusted-certificate>
     </trusted-certificates>

     <!-- trust anchors for netconf/restconf clients -->
     <trusted-certificates>
       <name>Trust anchors for netconf/restconf clients</name>
       <trusted-certificate>
         <name>Example.com</name>
         <certificate>
           <!-- base64 data omitted -->
         </certificate>
       </trusted-certificate>
     </trusted-certificates>

     <!-- trust anchors for random HTTPS servers on Internet -->
     <trusted-certificates>
       <name>Trust anchors for random HTTPS servers</name>
       <trusted-certificate>
         <name>Example.com</name>
         <certificate>
           <!-- base64 data omitted -->
         </certificate>
       </trusted-certificate>
     </trusted-certificates>

   </keychain>

A.1.3.  YANG Model

<CODE BEGINS> file "ietf-keychain@2015-07-06.yang"

module ietf-keychain {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-keychain";
  prefix "kc";

  organization
   "IETF NETCONF (Network Configuration) Working Group";

  contact
   "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    WG Chair: Mehmet Ersue
              <mailto:mehmet.ersue@nsn.com>

    WG Chair: Mahesh Jethanandani
              <mailto:mjethanandani@gmail.com>

    Editor:   Kent Watsen
              <mailto:kwatsen@juniper.net>";

  description
   "This module defines a keychain to centralize management of
    security credentials.

    Copyright (c) 2014 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC VVVV; see
    the RFC itself for full legal notices.";

  revision "2015-07-06" {
    description
     "Initial version";
    reference
     "RFC VVVV: NETCONF Server and RESTCONF Server Configuration
      Models";
  }

  container keychain {
    description
      "A list of private-keys and their associated certificates, as
       well as lists of trusted certificates for client certificate
       authentication.  RPCs are provided to generate a new private
       key and to generate a certificate signing request.";

    container private-keys {
      description
        "A list of private keys maintained by the keychain.";
      list private-key {
        key name;
        description
          "A private key.";
        leaf name {
          type string;
          description
            "An arbitrary name for the private key.";
        }
        leaf algorithm {
          type enumeration {
            enum rsa       { description "TBD"; }
            enum dsa       { description "TBD"; }
            enum secp192r1 { description "TBD"; }
            enum sect163k1 { description "TBD"; }
            enum sect163r2 { description "TBD"; }
            enum secp224r1 { description "TBD"; }
            enum sect233k1 { description "TBD"; }
            enum sect233r1 { description "TBD"; }
            enum secp256r1 { description "TBD"; }
            enum sect283k1 { description "TBD"; }
            enum sect283r1 { description "TBD"; }
            enum secp384r1 { description "TBD"; }
            enum sect409k1 { description "TBD"; }
            enum sect409r1 { description "TBD"; }
            enum secp521r1 { description "TBD"; }
            enum sect571k1 { description "TBD"; }
            enum sect571r1 { description "TBD"; }
          }
          config false;
          description
            "The algorithm used by the private key.";
        }
        leaf key-length {
          type uint32;
          config false;
          description
            "The key-length used by the private key.";
        }
        leaf public-key {
          type string;
          config false;
          description
            "The public-key matching the private key.";
        }
        container certificates {
          list certificate {
            key name;
            description
              "A certificate for this public key.";
            leaf name {
              type string;
              description
                "An arbitrary name for the certificate.";
            }
            leaf chain {
              type binary;
              description
                "The certificate itself, as well as an ordered sequence
                 of intermediate certificates leading to a trust anchor,
                 as specified by RFC 5246, Section 7.4.2.";
              reference
                "RFC 5246: The Transport Layer Security (TLS) Protocol
                 Version 1.2";
            }
          }
          description
            "A list of certificates for this public key.";
        }
        action generate-certificate-signing-request {
          description
            "Generates a certificate signing request structure for the
             associated private key using the passed subject and
             attribute values.";
          input {
            leaf subject {
              type binary;
              mandatory true;
              description
                "The 'subject' field in the CertificationRequestInfo
                 defined in RFC 2986, Section 4.1.";
              reference
                "RFC 2986: PKCS #10: Certification Request Syntax
                 Specification Version 1.7";
            }
            leaf attributes {
              type binary;
              description
                "The 'attributes' field in the CertificationRequestInfo
                 defined in RFC 2986, Section 4.1.";
              reference
                "RFC 2986: PKCS #10: Certification Request Syntax
                 Specification Version 1.7";
            }
          }
          output {
            leaf certificate-signing-request {
              type binary;
              mandatory true;
              description
                "The CertificationRequestInfo structure as specified by
                 RFC 2986, Section 4.1.";
              reference
                "RFC 2986: PKCS #10: Certification Request Syntax
                 Specification Version 1.7";
            }
          }
        }
      }
      action generate-private-key {
        description
          "Generates a private key using the specified algorithm and
           key length.";
        input {
          leaf name {
            type string;
            mandatory true;
            description
              "The name this private-key should have when listed in
               /keychain/private-keys/private-key.  As such, the passed
               value must not match any existing 'name' value.";
          }
          leaf algorithm {
            type enumeration {
              enum rsa       { description "TBD"; }
              enum dsa       { description "TBD"; }
              enum secp192r1 { description "TBD"; }
              enum sect163k1 { description "TBD"; }
              enum sect163r2 { description "TBD"; }
              enum secp224r1 { description "TBD"; }
              enum sect233k1 { description "TBD"; }
              enum sect233r1 { description "TBD"; }
              enum secp256r1 { description "TBD"; }
              enum sect283k1 { description "TBD"; }
              enum sect283r1 { description "TBD"; }
              enum secp384r1 { description "TBD"; }
              enum sect409k1 { description "TBD"; }
              enum sect409r1 { description "TBD"; }
              enum secp521r1 { description "TBD"; }
              enum sect571k1 { description "TBD"; }
              enum sect571r1 { description "TBD"; }
            }
            mandatory true;
            description
              "The algorithm to be used.";
          }
          leaf key-length {
            type uint32;
            mandatory true;
            description
              "The key length to be used.";
          }
        }
      }
    }

    list trusted-certificates {
      key name;
      description
        "A list of lists of trusted certificates.";
      leaf name {
        type string;
        description
          "An arbitrary name for this list of trusted certificates.";
      }
      list trusted-certificate {
        key name;
        description
          "A list of trusted certificates for a specific use.";
        leaf name {
          type string;
          description
            "An arbitrary name for this trusted certificate.";
        }
        leaf certificate {
          type binary;
          description
            "The binary certificate structure as specified by RFC 5246,
             Section 7.4.6, i.e.: opaque ASN.1Cert<1..2^24>;";
          reference
            "RFC 5246: The Transport Layer Security (TLS) Protocol
             Version 1.2";
        }
      }
    }
  }

  rpc generate-certificate-signing-request {
    description
      "Generates a certificate signing request structure for the
       specified private key using the passed subject and attribute
       values.";
    input {
      leaf private-key {
        type leafref {
          path "/keychain/private-keys/private-key/name";
        }
        description
          "The private key to generate the certificate signing request
           for.";
      }
      leaf subject {
        type binary;
        mandatory true;
        description
          "The 'subject' field in the CertificationRequestInfo defined
           in RFC 2986, Section 4.1.";
        reference
          "RFC 2986: PKCS #10: Certification Request Syntax
           Specification Version 1.7";
      }
      leaf attributes {
        type binary;
        description
          "The 'attributes' field in the CertificationRequestInfo
           defined in RFC 2986, Section 4.1.";
        reference
          "RFC 2986: PKCS #10: Certification Request Syntax
           Specification Version 1.7";
      }
    }
    output {
      leaf certificate-signing-request {
        type binary;
        mandatory true;
        description
          "The CertificationRequestInfo structure as specified by RFC
           2986, Section 4.1.";
        reference
          "RFC 2986: PKCS #10: Certification Request Syntax
           Specification Version 1.7";
      }
    }
  }

  rpc generate-private-key {
    description
      "Generates a private key using the specified algorithm and key
       length.";
    input {
      leaf name {
        type string;
        mandatory true;
        description
          "The name this private-key should have when listed in
           /keychain/private-keys/private-key.  As such, the passed
           value must not match any existing 'name' value.";
      }
      leaf algorithm {
        type enumeration {
          enum rsa       { description "TBD"; }
          enum dsa       { description "TBD"; }
          enum secp192r1 { description "TBD"; }
          enum sect163k1 { description "TBD"; }
          enum sect163r2 { description "TBD"; }
          enum secp224r1 { description "TBD"; }
          enum sect233k1 { description "TBD"; }
          enum sect233r1 { description "TBD"; }
          enum secp256r1 { description "TBD"; }
          enum sect283k1 { description "TBD"; }
          enum sect283r1 { description "TBD"; }
          enum secp384r1 { description "TBD"; }
          enum sect409k1 { description "TBD"; }
          enum sect409r1 { description "TBD"; }
          enum secp521r1 { description "TBD"; }
          enum sect571k1 { description "TBD"; }
          enum sect571r1 { description "TBD"; }
        }
        mandatory true;
        description
          "The algorithm to be used.";
      }
      leaf key-length {
        type uint32;
        mandatory true;
        description
          "The key length to be used.";
      }
    }
  }

}

<CODE ENDS>

A.2.  The SSH Server Model

A.2.1.  Tree Diagram

   The following tree diagram is faked, as a module having only a grouping in it has no tree diagram.  However, for illustrative purposes, a container has been added as nothing more than a "uses" statement of the grouping.

   module: ietf-ssh-server
      +--rw fake-ssh-server
         +--rw host-keys
         |  +--rw host-key* [name]
         |     +--rw name           string
         |     +--rw (type)?
         |        +--:(public-key)
         |        |  +--rw public-key?    -> /kc:keychain/private-keys/private-key/name
         |        +--:(certificate)
         |           +--rw certificate?   -> /kc:keychain/private-keys/private-key/certificates/certificate/name {ssh-x509-certs}?
         +--rw client-cert-auth {ssh-x509-certs}?
            +--rw trusted-ca-certs?       -> /kc:keychain/trusted-certificates/name
            +--rw trusted-client-certs?   -> /kc:keychain/trusted-certificates/name

A.2.2.  Example Usage

   <fake-ssh-server xmlns="urn:ietf:params:xml:ns:yang:ietf-ssh-server">
     <host-keys>
       <host-key>
         <name>IDevID</name>
         <certificate>IDevID Certificate</certificate>
       </host-key>
     </host-keys>
     <client-cert-auth>
       <trusted-ca-certs>
         Trust anchors for netconf/restconf clients
       </trusted-ca-certs>
       <trusted-client-certs>
         Trusted certificates for netconf/restconf client
       </trusted-client-certs>
     </client-cert-auth>
   </fake-ssh-server>

A.2.3.  YANG Model

<CODE BEGINS> file "ietf-ssh-server@2015-07-06.yang"

module ietf-ssh-server {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
  prefix "ts";

  import ietf-keychain {
    prefix kc;            // RFC VVVV
  }

  organization
   "IETF NETCONF (Network Configuration) Working Group";

  contact
   "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    WG Chair: Mehmet Ersue
              <mailto:mehmet.ersue@nsn.com>

    WG Chair: Mahesh Jethanandani
              <mailto:mjethanandani@gmail.com>

    Editor:   Kent Watsen
              <mailto:kwatsen@juniper.net>";

  description
   "This module defines a reusable grouping for an SSH server that
    can be used as a basis for specific SSH server instances.

    Copyright (c) 2014 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC VVVV; see the RFC itself for full legal notices."; revision "2015-07-06" { description "Initial version"; reference "RFC VVVV: NETCONF Server and RESTCONF Server Configuration Models"; } // features feature ssh-x509-certs { description "The ssh-x509-certs feature indicates that the NETCONF server supports RFC 6187"; reference "RFC 6187: X.509v3 Certificates for Secure Shell Authentication"; } // grouping grouping ssh-server-grouping { description "A reusable grouping for a SSH server that can be used as a basis for specific SSH server instances."; container host-keys { description "The list of host-keys the SSH server will present when establishing a SSH connection."; list host-key { key name; min-elements 1; ordered-by user; description "An ordered list of hostkeys the SSH server advertises when sending its ??? message."; reference "RFC ????: ..."; leaf name { type string; mandatory true; description "An arbitrary name for this host-key"; } choice type { leaf public-key { type leafref { path "/kc:keychain/kc:private-keys/kc:private-key/kc:name"; } description "The name of a private-key in the keychain."; } leaf certificate { if-feature ssh-x509-certs; type leafref { path "/kc:keychain/kc:private-keys/kc:private-key/kc:certificates/kc:certificate/kc:name"; } description "The name of a certificate in the keychain."; } } } } container client-cert-auth { if-feature ssh-x509-certs; description "A reference to a list of trusted certificate authority (CA) certificates and a reference to a list of trusted client certificates."; leaf trusted-ca-certs { type leafref { path "/kc:keychain/kc:trusted-certificates/kc:name"; } description "A reference to a list of certificate authority (CA) certificates used by the SSH server to authenticate SSH client certificates."; } leaf trusted-client-certs { type leafref { path "/kc:keychain/kc:trusted-certificates/kc:name"; } description "A reference to a list of client certificates used by 
the SSH server to authenticate SSH client certificates. A clients certificate is authenticated if it is an exact match to a configured trusted client certificate."; } } } } <CODE ENDS> A.3. The TLS Server Model A.3.1. Tree Diagram The following tree diagram is faked, as a module having only a grouping in it has no tree diagram. However, for illustrative purposes, a container has been added as nothing more than a "uses" statement of the grouping. module: ietf-tls-server +--rw fake-tls-server +--rw certificates | +--rw certificate* [name] | +--rw name -> /kc:keychain/private-keys/private-key/certificates/certificate/name +--rw client-auth +--rw trusted-ca-certs? -> /kc:keychain/trusted-certificates/name +--rw trusted-client-certs? -> /kc:keychain/trusted-certificates/name A.3.2. Example Usage <fake-tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> </certificates> <certificate> IDevID Certificate </certificate> </certificates> <client-auth> <trusted-ca-certs> Trusted certificates for netconf/restconf clients </trusted-ca-certs> <trusted-client-certs> Trust anchors for netconf/restconf clients </trusted-client-certs> </client-auth> </fake-tls-server> A.3.3. YANG Model <CODE BEGINS> file "ietf-tls-server@2015-07-06.yang" module ietf-tls-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; prefix "ts"; import ietf-keychain { prefix kc; // RFC VVVV } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> WG Chair: Mehmet Ersue <mailto:mehmet.ersue@nsn.com> WG Chair: Mahesh Jethanandani <mailto:mjethanandani@gmail.com> Editor: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module defines a reusable grouping for a TLS server that can be used as a basis for specific TLS server instances. Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC VVVV; see the RFC itself for full legal notices."; revision "2015-07-06" { description "Initial version"; reference "RFC VVVV: NETCONF Server and RESTCONF Server Configuration Models"; } grouping tls-server-grouping { description "A reusable grouping for a TLS server that can be used as a basis for specific TLS server instances."; container certificates { description "The list of certificates the TLS server will present when establishing a TLS connection."; list certificate { key name; min-elements 1; description "An unordered list of certificates the TLS server can pick from when sending its Server Certificate message."; reference "RFC 5246: The TLS Protocol, Section 7.4.2"; leaf name { type leafref { path "/kc:keychain/kc:private-keys/kc:private-key/kc:certificates/kc:certificate/kc:name"; } description "The name of the certificate in the keychain."; } } } container client-auth { description "A reference to a list of trusted certificate authority (CA) certificates and a reference to a list of trusted client certificates."; leaf trusted-ca-certs { type leafref { path "/kc:keychain/kc:trusted-certificates/kc:name"; } description "A reference to a list of certificate authority (CA) certificates used by the TLS server to authenticate TLS client certificates."; } leaf trusted-client-certs { type leafref { path "/kc:keychain/kc:trusted-certificates/kc:name"; } description "A reference to a list of client certificates used by the TLS server to authenticate TLS client certificates. A clients certificate is authenticated if it is an exact match to a configured trusted client certificate."; } } } } <CODE ENDS> A.4. 
The NETCONF Server Model A.4.1. Tree Diagram module: ietf-netconf-server-new +--rw netconf-server +--rw session-options | +--rw hello-timeout? uint16 +--rw listen {(ssh-listen or tls-listen)}? | +--rw max-sessions? uint16 | +--rw idle-timeout? uint16 | +--rw endpoint* [name] | +--rw name string | +--rw (transport) | +--:(ssh) {ssh-listen}? | | +--rw ssh | | +--rw address? inet:ip-address | | +--rw port? inet:port-number | | +--rw host-keys | | | +--rw host-key* [name] | | | +--rw name string | | | +--rw (type)? | | | +--:(public-key) | | | | +--rw public-key? -> /kc:keychain/private-keys/private-key/name | | | +--:(certificate) | | | +--rw certificate? -> /kc:keychain/private-keys/private-key/certificates/certificate/name {ssh-x509-certs}? | | +--rw client-cert-auth {ssh-x509-certs}? | | +--rw trusted-ca-certs? -> /kc:keychain/trusted-certificates/name | | +--rw trusted-client-certs? -> /kc:keychain/trusted-certificates/name | +--:(tls) {tls-listen}? | +--rw tls | +--rw address? inet:ip-address | +--rw port? inet:port-number | +--rw certificates | | +--rw certificate* [name] | | +--rw name -> /kc:keychain/private-keys/private-key/certificates/certificate/name | +--rw client-auth | +--rw trusted-ca-certs? -> /kc:keychain/trusted-certificates/name | +--rw trusted-client-certs? -> /kc:keychain/trusted-certificates/name | +--rw cert-maps | +--rw cert-to-name* [id] | +--rw id uint32 | +--rw fingerprint x509c2n:tls-fingerprint | +--rw map-type identityref | +--rw name string +--rw call-home {(ssh-call-home or tls-call-home)}? +--rw netconf-client* [name] +--rw name string +--rw (transport) | +--:(ssh) {ssh-call-home}? | | +--rw ssh | | +--rw endpoints | | | +--rw endpoint* [name] | | | +--rw name string | | | +--rw address inet:host | | | +--rw port? inet:port-number | | +--rw host-keys | | | +--rw host-key* [name] | | | +--rw name string | | | +--rw (type)? | | | +--:(public-key) | | | | +--rw public-key? 
-> /kc:keychain/private-keys/private-key/name | | | +--:(certificate) | | | +--rw certificate? -> /kc:keychain/private-keys/private-key/certificates/certificate/name {ssh-x509-certs}? | | +--rw client-cert-auth {ssh-x509-certs}? | | +--rw trusted-ca-certs? -> /kc:keychain/trusted-certificates/name | | +--rw trusted-client-certs? -> /kc:keychain/trusted-certificates/name | +--:(tls) {tls-call-home}? | +--rw tls | +--rw endpoints | | +--rw endpoint* [name] | | +--rw name string | | +--rw address inet:host | | +--rw port? inet:port-number | +--rw certificates | | +--rw certificate* [name] | | +--rw name -> /kc:keychain/private-keys/private-key/certificates/certificate/name | +--rw client-auth | +--rw trusted-ca-certs? -> /kc:keychain/trusted-certificates/name | +--rw trusted-client-certs? -> /kc:keychain/trusted-certificates/name | +--rw cert-maps | +--rw cert-to-name* [id] | +--rw id uint32 | +--rw fingerprint x509c2n:tls-fingerprint | +--rw map-type identityref | +--rw name string +--rw connection-type | +--rw (connection-type)? | +--:(persistent-connection) | | +--rw persistent! | | +--rw idle-timeout? uint32 | | +--rw keep-alives | | +--rw max-wait? uint16 | | +--rw max-attempts? uint8 | +--:(periodic-connection) | +--rw periodic! | +--rw idle-timeout? uint16 | +--rw reconnect_timeout? uint16 +--rw reconnect-strategy +--rw start-with? enumeration +--rw max-attempts? uint8 A.4.2. 
Example Usage Configuring an SSH Server <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> <listen> <endpoint> <name>netconf/ssh</name> <ssh> <address>11.22.33.44</address> <host-keys> <host-key> <public-key>my-rsa-key</public-key> </host-key> <host-key> <certificate>TPM key</certificate> </host-key> </host-keys> <client-cert-auth> <trusted-ca-certs> Trusted netconf/restconf client certificates </trusted-ca-certs> <trusted-client-certs> Trust anchors for netconf/restconf clients </trusted-client-certs> </client-cert-auth> </ssh> </endpoint> </listen> <call-home> <netconf-client> <name>config-mgr</name> <ssh> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <host-keys> <host-key> <certificate>TPM key</certificate> </host-key> </host-keys> <client-cert-auth> <trusted-ca-certs> Trusted netconf/restconf client certificates </trusted-ca-certs> <trusted-client-certs> Trust anchors for netconf/restconf clients </trusted-client-certs> </client-cert-auth> </ssh> </netconf-client> </call-home> </netconf-server> Configuring a TLS Server <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server" xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"> <listen> <endpoint> <name>netconf/tls</name> <tls> <address>11.22.33.44</address> <certificates> <certificate>IDevID Certificate</certificate> </certificates> <client-auth> <trusted-ca-certs> Trusted netconf/restconf client certificates </trusted-ca-certs> <trusted-client-certs> Trust anchors for netconf/restconf clients </trusted-client-certs> <cert-maps> <cert-to-name> <id>1</id> <fingerprint>11:0A:05:11:00</fingerprint> <map-type>x509c2n:san-any</map-type> </cert-to-name> <cert-to-name> <id>2</id> <fingerprint>B3:4F:A1:8C:54</fingerprint> <map-type>x509c2n:specified</map-type> <name>scooby-doo</name> </cert-to-name> </cert-maps> 
</client-auth> </tls> </endpoint> </listen> <call-home> <netconf-client> <name>config-mgr</name> <tls> <endpoints> <endpoint> <name>east-data-center</name> <address>22.33.44.55</address> </endpoint> <endpoint> <name>west-data-center</name> <address>33.44.55.66</address> </endpoint> </endpoints> <certificates> <certificate>IDevID Certificate</certificate> </certificates> </tls> </netconf-client> </call-home> </netconf-server> A.4.3. YANG Model This YANG module imports YANG types from [RFC6991] and [RFC7407]. <CODE BEGINS> file "ietf-netconf-server-new@2015-07-06.yang" module ietf-netconf-server-new { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server-new"; prefix "ncserver"; import ietf-inet-types { // RFC 6991 prefix inet; } import ietf-x509-cert-to-name { // RFC 7407 prefix x509c2n; } import ietf-ssh-server { // RFC VVVV prefix ss; } import ietf-tls-server { // RFC VVVV prefix ts; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> WG Chair: Mehmet Ersue <mailto:mehmet.ersue@nsn.com> WG Chair: Mahesh Jethanandani <mailto:mjethanandani@gmail.com> Editor: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module contains a collection of YANG definitions for configuring NETCONF servers. Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). 
    This version of this YANG module is part of RFC VVVV; see
    the RFC itself for full legal notices.";

  revision "2015-07-06" {
    description
     "Initial version";
    reference
     "RFC VVVV: NETCONF Server and RESTCONF Server Configuration
      Models";
  }

  // Features

  feature ssh-listen {
    description
     "The ssh-listen feature indicates that the NETCONF server
      supports opening a port to accept NETCONF over SSH
      client connections.";
    reference
     "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }

  feature ssh-call-home {
    description
     "The ssh-call-home feature indicates that the NETCONF
      server supports initiating a NETCONF over SSH call
      home connection to NETCONF clients.";
    reference
     "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
  }

  feature tls-listen {
    description
     "The tls-listen feature indicates that the NETCONF server
      supports opening a port to accept NETCONF over TLS
      client connections.";
    reference
     "RFC 5539: Using the NETCONF Protocol over Transport Layer
      Security (TLS) with Mutual X.509 Authentication";
  }

  feature tls-call-home {
    description
     "The tls-call-home feature indicates that the NETCONF
      server supports initiating a NETCONF over TLS call
      home connection to NETCONF clients.";
    reference
     "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
  }

  feature ssh-x509-certs {
    description
      "The ssh-x509-certs feature indicates that the NETCONF
       server supports RFC 6187";
    reference
      "RFC 6187: X.509v3 Certificates for Secure Shell
       Authentication";
  }

  // top-level container  (groupings below)
  container netconf-server {
    description
      "Top-level container for NETCONF server configuration.";

    container session-options {  // SHOULD WE REMOVE THIS ALTOGETHER?
      description
        "NETCONF session options, independent of transport
         or connection strategy.";
      leaf hello-timeout {
        type uint16;
        units "seconds";
        default 600;
        description
          "Specifies the maximum number of seconds that a SSH/TLS
           connection may wait for a hello message to be received.
           A connection will be dropped if no hello message is
           received before this number of seconds elapses.  If set
           to zero, then the server will wait forever for a hello
           message.";
      }
    }

    container listen {
      description
        "Configures listen behavior";
      if-feature "(ssh-listen or tls-listen)";
      leaf max-sessions {
        type uint16;
        default 0;
        description
          "Specifies the maximum number of concurrent sessions
           that can be active at one time.  The value 0 indicates
           that no artificial session limit should be used.";
      }
      leaf idle-timeout {
        type uint16;
        units "seconds";
        default 3600; // one hour
        description
          "Specifies the maximum number of seconds that a NETCONF
           session may remain idle. A NETCONF session will be dropped
           if it is idle for an interval longer than this number of
           seconds.  If set to zero, then the server will never drop
           a session because it is idle.  Sessions that have a
           notification subscription active are never dropped.";
      }
      list endpoint {
        key name;
        description
          "List of endpoints to listen for NETCONF connections on.";
        leaf name {
          type string;
          description
            "An arbitrary name for the NETCONF listen endpoint.";
        }
        choice transport {
          mandatory true;
          description
            "Selects between available transports.";
          case ssh {
            if-feature ssh-listen;
            container ssh {
              description
                "SSH-specific listening configuration for inbound
                 connections.";
              uses address-and-port-grouping {
                refine port {
                  default 830;
                }
              }
              uses ss:ssh-server-grouping;
            }
          }
          case tls {
            if-feature tls-listen;
            container tls {
              description
                "TLS-specific listening configuration for inbound
                 connections.";
              uses address-and-port-grouping {
                refine port {
                  default 6513;
                }
              }
              uses tls-server-grouping;
            }
          }
        }
      }
    }

    container call-home {
      if-feature "(ssh-call-home or tls-call-home)";
      description
        "Configures call-home behavior";
      list netconf-client {
        key name;
        description
          "List of NETCONF clients the NETCONF server is to initiate
           call-home connections to.";
        leaf name {
          type string;
          description
            "An arbitrary name for the remote NETCONF client.";
        }
        choice transport {
          mandatory true;
          description
            "Selects between available transports.";
          case ssh {
            if-feature ssh-call-home;
            container ssh {
              description
                "Specifies SSH-specific call-home transport
                 configuration.";
              uses endpoints-container {
                refine endpoints/endpoint/port {
                  default 7777;
                }
              }
              uses ss:ssh-server-grouping;
            }
          }
          case tls {
            if-feature tls-call-home;
            container tls {
              description
                "Specifies TLS-specific call-home transport
                 configuration.";
              uses endpoints-container {
                refine endpoints/endpoint/port {
                  default 8888;
                }
              }
              uses tls-server-grouping;
            }
          }
        }
        container connection-type {
          description
           "Indicates the kind of connection to use.";
          choice connection-type {
            description
              "Selects between available connection types.";
            case persistent-connection {
              container persistent {
                presence true;
                description
                 "Maintain a persistent connection to the NETCONF
                  client.  If the connection goes down, immediately
                  start trying to reconnect to it, using the
                  reconnection strategy.

                  This connection type minimizes any NETCONF client
                  to NETCONF server data-transfer delay, albeit at
                  the expense of holding resources longer.";
                leaf idle-timeout {
                  type uint32;
                  units "seconds";
                  default 86400;  // one day
                  description
                    "Specifies the maximum number of seconds that a
                     NETCONF session may remain idle.  A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the server will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }
                container keep-alives {
                  description
                    "Configures the keep-alive policy, to proactively
                     test the aliveness of the SSH/TLS client.  An
                     unresponsive SSH/TLS client will be dropped after
                     approximately (max-attempts * max-wait) seconds.";
                  reference
                    "RFC YYYY: NETCONF Call Home and RESTCONF Call
                     Home, Section 3.1, item S6";
                  leaf max-wait {
                    type uint16 {
                      range "1..max";
                    }
                    units seconds;
                    default 30;
                    description
                     "Sets the amount of time in seconds after which
                      if no data has been received from the SSH/TLS
                      client, a SSH/TLS-level message will be sent
                      to test the aliveness of the SSH/TLS client.";
                  }
                  leaf max-attempts {
                    type uint8;
                    default 3;
                    description
                     "Sets the number of sequential keep-alive
                      messages that can fail to obtain a response
                      from the SSH/TLS client before assuming the
                      SSH/TLS client is no longer alive.";
                  }
                }
              }
            }
            case periodic-connection {
              container periodic {
                presence true;
                description
                 "Periodically connect to the NETCONF client, so that
                  the NETCONF client may deliver messages pending for
                  the NETCONF server.  The NETCONF client is expected
                  to close the connection when it is ready to release
                  it, thus starting the NETCONF server's timer until
                  next connection.";
                leaf idle-timeout {
                  type uint16;
                  units "seconds";
                  default 300; // five minutes
                  description
                    "Specifies the maximum number of seconds that a
                     NETCONF session may remain idle.  A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the server will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }
                leaf reconnect_timeout {
                  type uint16 {
                    range "1..max";
                  }
                  units minutes;
                  default 60;
                  description
                   "The maximum amount of unconnected time the NETCONF
                    server will wait before re-establishing a
                    connection to the NETCONF client.  The NETCONF
                    server may initiate a connection before this time
                    if desired (e.g., to deliver a notification).";
                }
              }
            }
          }
        }
        container reconnect-strategy {
          description
           "The reconnection strategy guides how a NETCONF server
            reconnects to a NETCONF client, after losing a connection
            to it, even if due to a reboot.  The NETCONF server starts
            with the specified endpoint and tries to connect to it
            max-attempts times before trying the next endpoint in the
            list (round robin).";
          leaf start-with {
            type enumeration {
              enum first-listed {
                description
                  "Indicates that reconnections should start with
                   the first endpoint listed.";
              }
              enum last-connected {
                description
                  "Indicates that reconnections should start with
                   the endpoint last connected to.  If no previous
                   connection has ever been established, then the
                   first endpoint configured is used.  NETCONF
                   servers SHOULD be able to remember the last
                   endpoint connected to across reboots.";
              }
            }
            default first-listed;
            description
             "Specifies which of the NETCONF client's endpoints the
              NETCONF server should start with when trying to connect
              to the NETCONF client.";
          }
          leaf max-attempts {
            type uint8 {
              range "1..max";
            }
            default 3;
            description
             "Specifies the number of times the NETCONF server tries
              to connect to a specific endpoint before moving on to
              the next endpoint in the list (round robin).";
          }
        }
      }
    }
  }

  grouping tls-server-grouping {
    description
      "An augmentation of tls-server-grouping, as defined in the
       ietf-tls-server module, to add in cert-maps.";
    uses ts:tls-server-grouping {
      augment "client-auth" {
        container cert-maps {
          uses x509c2n:cert-to-name;
          description
           "The cert-maps container is used by a NETCONF server to
            map the NETCONF client's presented X.509 certificate to
            a NETCONF username.

            If no matching and valid cert-to-name list entry can be
            found, then the NETCONF server MUST close the connection,
            and MUST NOT accept NETCONF messages over it.";
          reference
            "RFC WWWW: NETCONF over TLS, Section 7";
        }
      }
    }
  }

  grouping address-and-port-grouping {
    description
      "This grouping is used by both the ssh and tls containers
       for listen configuration.";
    leaf address {
      type inet:ip-address;
      description
        "The IP address of the interface to listen on.  The NETCONF
         server will listen on all interfaces if no value is
         specified.";
    }
    leaf port {
      type inet:port-number;
      description
        "The local port number on this interface the NETCONF server
         listens on.  The NETCONF server will use the IANA-assigned
         well-known port if no value is specified.";
    }
  }

  grouping endpoints-container {
    description
      "This grouping is used by both the ssh and tls containers
       for call-home configurations.";
    container endpoints {
      description
        "Container for the list of endpoints.";
      list endpoint {
        key name;
        min-elements 1;
        ordered-by user;
        description
          "User-ordered list of endpoints for this NETCONF client.
           Defining more than one enables high-availability.";
        leaf name {
          type string;
          description
            "An arbitrary name for this endpoint.";
        }
        leaf address {
          type inet:host;
          mandatory true;
          description
            "The IP address or hostname of the endpoint.  If a
             hostname is configured and the DNS resolution results
             in more than one IP address, the NETCONF server will
             process the IP addresses as if they had been explicitly
             configured in place of the hostname.";
        }
        leaf port {
          type inet:port-number;
          description
            "The IP port for this endpoint.  The NETCONF server will
             use the IANA-assigned well-known port if no value is
             specified.";
        }
      }
    }
  }
}
<CODE ENDS>

A.5.  The RESTCONF Server Model

A.5.1.  Tree Diagram

module: ietf-restconf-server-new
   +--rw restconf-server
      +--rw listen {tls-listen}?
      |  +--rw max-sessions?   uint16
      |  +--rw endpoint* [name]
      |     +--rw name           string
      |     +--rw (transport)
      |        +--:(tls)
      |           +--rw tls
      |              +--rw address?        inet:ip-address
      |              +--rw port?           inet:port-number
      |              +--rw certificates
      |              |  +--rw certificate* [name]
      |              |     +--rw name    -> /kc:keychain/private-keys/private-key/certificates/certificate/name
      |              +--rw client-auth
      |                 +--rw trusted-ca-certs?       -> /kc:keychain/trusted-certificates/name
      |                 +--rw trusted-client-certs?   -> /kc:keychain/trusted-certificates/name
      |                 +--rw cert-maps
      |                    +--rw cert-to-name* [id]
      |                       +--rw id             uint32
      |                       +--rw fingerprint    x509c2n:tls-fingerprint
      |                       +--rw map-type       identityref
      |                       +--rw name           string
      +--rw call-home {tls-call-home}?
         +--rw restconf-client* [name]
            +--rw name                  string
            +--rw (transport)
            |  +--:(tls)
            |     +--rw tls
            |        +--rw endpoints
            |        |  +--rw endpoint* [name]
            |        |     +--rw name       string
            |        |     +--rw address    inet:host
            |        |     +--rw port?      inet:port-number
            |        +--rw certificates
            |        |  +--rw certificate* [name]
            |        |     +--rw name    -> /kc:keychain/private-keys/private-key/certificates/certificate/name
            |        +--rw client-auth
            |           +--rw trusted-ca-certs?       -> /kc:keychain/trusted-certificates/name
            |           +--rw trusted-client-certs?   -> /kc:keychain/trusted-certificates/name
            |           +--rw cert-maps
            |              +--rw cert-to-name* [id]
            |                 +--rw id             uint32
            |                 +--rw fingerprint    x509c2n:tls-fingerprint
            |                 +--rw map-type       identityref
            |                 +--rw name           string
            +--rw connection-type
            |  +--rw (connection-type)?
            |     +--:(persistent-connection)
            |     |  +--rw persistent!
            |     |     +--rw keep-alives
            |     |        +--rw max-wait?       uint16
            |     |        +--rw max-attempts?   uint8
            |     +--:(periodic-connection)
            |        +--rw periodic!
            |           +--rw reconnect-timeout?   uint16
            +--rw reconnect-strategy
               +--rw start-with?     enumeration
               +--rw max-attempts?   uint8

A.5.2.  Example Usage

   TBD

A.5.3.  YANG Model

   This YANG module imports YANG types from [RFC6991] and [RFC7407].
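   The client-auth and cert-maps nodes shown in the tree diagrams above
   decide whether a TLS client is trusted and which username it gets.
   The following is an added example, not code from this draft or from
   any implementation, of how a server could evaluate that
   configuration.  Certificates are modelled as constructed records
   instead of parsed X.509 (chain validation is reduced to an
   issuer-name lookup), and the fingerprint encoding follows RFC 7407's
   tls-fingerprint (first octet is the TLS HashAlgorithm id).

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# First fingerprint octet: TLS HashAlgorithm id (RFC 7407 tls-fingerprint).
HASH_ALG = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (assumption)."""
    der: bytes
    subject_cn: str
    issuer_cn: str
    san_rfc822: tuple = ()
    san_dns: tuple = ()
    san_ip: tuple = ()


@dataclass(frozen=True)
class CertToName:
    """One cert-to-name entry: id, fingerprint, map-type identity, name."""
    id: int
    fingerprint: str
    map_type: str
    name: Optional[str] = None


@dataclass
class ClientAuth:
    """The client-auth container with the cert-maps augmentation."""
    trusted_ca_certs: List[Cert] = field(default_factory=list)
    trusted_client_certs: List[Cert] = field(default_factory=list)
    cert_maps: List[CertToName] = field(default_factory=list)


def make_fingerprint(cert: Cert, alg_id: int = 4) -> str:
    """Encode a tls-fingerprint ('04:AB:..'): algorithm id, then digest."""
    digest = hashlib.new(HASH_ALG[alg_id], cert.der).digest()
    return ":".join(f"{b:02X}" for b in bytes([alg_id]) + digest)


def fingerprint_matches(cert: Cert, fp: str) -> bool:
    octets = bytes.fromhex(fp.replace(":", ""))
    alg = HASH_ALG.get(octets[0]) if octets else None
    return alg is not None and hashlib.new(alg, cert.der).digest() == octets[1:]


def issuing_ca(cert: Cert, cfg: ClientAuth) -> Optional[Cert]:
    # Assumption: chain building reduced to an issuer-name lookup; a real
    # server runs full path validation (signatures, validity, revocation).
    return next((ca for ca in cfg.trusted_ca_certs
                 if ca.subject_cn == cert.issuer_cn), None)


def is_trusted(cert: Cert, cfg: ClientAuth) -> bool:
    # trusted-client-certs: authenticated only on an exact match (draft text).
    if any(cert.der == t.der for t in cfg.trusted_client_certs):
        return True
    return issuing_ca(cert, cfg) is not None


def derive_name(cert: Cert, entry: CertToName) -> Optional[str]:
    """Apply the entry's x509c2n map-type to the client certificate."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.subject_cn
    candidates = {"san-rfc822-name": [cert.san_rfc822],
                  "san-dns-name": [cert.san_dns],
                  "san-ip-address": [cert.san_ip],
                  "san-any": [cert.san_rfc822, cert.san_dns, cert.san_ip]}
    for values in candidates.get(entry.map_type, []):
        if values:
            return values[0]
    return None


def authenticate(cert: Cert, cfg: ClientAuth) -> Optional[str]:
    """Return the NETCONF username, or None when the server MUST close."""
    if not is_trusted(cert, cfg):
        return None
    ca = issuing_ca(cert, cfg)
    for entry in sorted(cfg.cert_maps, key=lambda e: e.id):
        # RFC 7407: an entry may match the client cert or a CA in its chain.
        if fingerprint_matches(cert, entry.fingerprint) or \
                (ca is not None and fingerprint_matches(ca, entry.fingerprint)):
            return derive_name(cert, entry)  # None: matched, but no usable name
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed certificates and configuration; decision per client."""
    ca = Cert(b"constructed-ca-der", "Example Ops CA", "Example Ops CA")
    alice = Cert(b"constructed-alice-der", "alice", "Example Ops CA",
                 san_rfc822=("alice@example.com",))
    bob = Cert(b"constructed-bob-der", "bob", "Example Ops CA")  # no SAN at all
    scooby = Cert(b"constructed-scooby-der", "scooby", "Example Ops CA")
    rogue = Cert(b"constructed-rogue-der", "rogue", "Unknown CA")
    cfg = ClientAuth(trusted_ca_certs=[ca], cert_maps=[
        CertToName(1, make_fingerprint(scooby), "specified", "scooby-doo"),
        CertToName(2, make_fingerprint(ca), "san-any")])
    return {c.subject_cn: authenticate(c, cfg) for c in (alice, bob, scooby, rogue)}
```

   Note that bob chains to the trusted CA and matches entry 2, yet gets
   no username because san-any finds no subjectAltName; per the
   cert-maps description that connection is closed rather than mapped
   to a default identity.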
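   The reconnect-strategy node in the same tree diagrams carries the
   start-with and max-attempts rules that the ietf-netconf-server-new
   module describes.  The following is an added example, not code from
   the draft or any vendor, of that round-robin procedure together with
   the endpoint-list constraints (min-elements 1, unique names,
   max-attempts 1..max); the actual connect attempt is abstracted as a
   callable and the round count is bounded by an assumed max_rounds.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """One entry of the user-ordered endpoints/endpoint list."""
    name: str
    address: str
    port: int = 7777  # draft placeholder for the netconf-ch-ssh port


@dataclass
class ReconnectStrategy:
    """reconnect-strategy container: start-with and max-attempts."""
    start_with: str = "first-listed"  # enum first-listed | last-connected
    max_attempts: int = 3             # uint8, range 1..max


def validate(endpoints: List[Endpoint], strategy: ReconnectStrategy) -> None:
    """Enforce the module's constraints before using the configuration."""
    if not endpoints:                                         # min-elements 1
        raise ValueError("endpoints list requires at least one endpoint")
    if len({e.name for e in endpoints}) != len(endpoints):   # key name
        raise ValueError("endpoint names must be unique")
    if not 1 <= strategy.max_attempts <= 255:                # uint8, 1..max
        raise ValueError("max-attempts must be in 1..255")
    if strategy.start_with not in ("first-listed", "last-connected"):
        raise ValueError("unknown start-with value")


def connection_order(endpoints: List[Endpoint], strategy: ReconnectStrategy,
                     last_connected: Optional[str]) -> List[Endpoint]:
    """Rotate the user-ordered list so the starting endpoint comes first."""
    names = [e.name for e in endpoints]
    start = 0
    # last-connected falls back to the first endpoint when nothing was
    # ever connected (or the remembered name is no longer configured).
    if strategy.start_with == "last-connected" and last_connected in names:
        start = names.index(last_connected)
    return endpoints[start:] + endpoints[:start]


def reconnect(endpoints: List[Endpoint], strategy: ReconnectStrategy,
              last_connected: Optional[str], try_connect: Callable[[Endpoint], bool],
              max_rounds: int = 1) -> Tuple[Optional[Endpoint], List[Tuple[str, int]]]:
    """Try each endpoint max-attempts times before moving to the next one
    (round robin).  Returns the endpoint connected to (or None) and the
    attempt log as (endpoint name, attempt number) pairs."""
    validate(endpoints, strategy)
    attempts: List[Tuple[str, int]] = []
    order = connection_order(endpoints, strategy, last_connected)
    for _ in range(max_rounds):  # assumed bound; the draft's round robin is open-ended
        for ep in order:
            for n in range(1, strategy.max_attempts + 1):
                attempts.append((ep.name, n))
                if try_connect(ep):
                    return ep, attempts
    return None, attempts


def demo(start_with: str) -> Tuple[Optional[str], int]:
    """Constructed scenario using the draft's example endpoints: east is
    unreachable, west is up and was the last endpoint connected to.
    Returns (name connected to, number of attempts made)."""
    endpoints = [Endpoint("east-data-center", "11.22.33.44"),
                 Endpoint("west-data-center", "55.66.77.88")]
    reachable = {"west-data-center"}
    ep, log = reconnect(endpoints, ReconnectStrategy(start_with, 3),
                        last_connected="west-data-center",
                        try_connect=lambda e: e.name in reachable)
    return (ep.name if ep else None), len(log)
```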
<CODE BEGINS> file "ietf-restconf-server-new@2015-07-06.yang"

module ietf-restconf-server-new {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-server-new";
  prefix "rcserver";

  import ietf-netconf-acm {
    prefix nacm;    // RFC 6536
  }
  import ietf-inet-types {          // RFC 6991
    prefix inet;
  }
  import ietf-x509-cert-to-name {   // RFC 7407
    prefix x509c2n;
  }
  import ietf-tls-server {          // RFC VVVV
    prefix ts;
  }

  organization
   "IETF NETCONF (Network Configuration) Working Group";

  contact
   "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    WG Chair: Mehmet Ersue
              <mailto:mehmet.ersue@nsn.com>

    WG Chair: Mahesh Jethanandani
              <mailto:mjethanandani@gmail.com>

    Editor:   Kent Watsen
              <mailto:kwatsen@juniper.net>";

  description
   "This module contains a collection of YANG definitions for
    configuring RESTCONF servers.

    Copyright (c) 2014 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC VVVV; see
    the RFC itself for full legal notices.";

  revision "2015-07-06" {
    description
     "Initial version";
    reference
     "RFC VVVV: NETCONF Server and RESTCONF Server Configuration
      Models";
  }

  // Features

  feature tls-listen {
    description
     "The listen feature indicates that the RESTCONF server
      supports opening a port to listen for incoming RESTCONF
      client connections.";
    reference
     "RFC XXXX: RESTCONF Protocol";
  }

  feature tls-call-home {
    description
     "The call-home feature indicates that the RESTCONF server
      supports initiating connections to RESTCONF clients.";
    reference
     "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
  }

  feature client-cert-auth {
    description
     "The client-cert-auth feature indicates that the RESTCONF
      server supports the ClientCertificate authentication scheme.";
    reference
     "RFC ZZZZ: Client Authentication over New TLS Connection";
  }

  // top-level container  (groupings below)
  container restconf-server {
    description
      "Top-level container for RESTCONF server configuration.";

    container listen {
      description
        "Configures listen behavior";
      if-feature tls-listen;
      leaf max-sessions {
        type uint16;
        default 0;  // should this be 'max'?
        description
          "Specifies the maximum number of concurrent sessions
           that can be active at one time.  The value 0 indicates
           that no artificial session limit should be used.";
      }
      list endpoint {
        key name;
        description
          "List of endpoints to listen for RESTCONF connections on.";
        leaf name {
          type string;
          description
            "An arbitrary name for the RESTCONF listen endpoint.";
        }
        choice transport {
          mandatory true;
          description
            "Selects between available transports.";
          case tls {
            container tls {
              description
                "TLS-specific listening configuration for inbound
                 connections.";
              leaf address {
                type inet:ip-address;
                description
                  "The IP address of the interface to listen on.  The
                   RESTCONF server will listen on all interfaces if
                   no value is specified.";
              }
              leaf port {
                type inet:port-number;
                default 443;
                description
                  "The port number the RESTCONF server will listen
                   on.";
              }
              uses tls-server-grouping;
            }
          }
        }
      }
    }

    container call-home {
      if-feature tls-call-home;
      description
        "Configures call-home behavior";
      list restconf-client {
        key name;
        description
          "List of RESTCONF clients the RESTCONF server is to
           initiate call-home connections to.";
        leaf name {
          type string;
          description
            "An arbitrary name for the remote RESTCONF client.";
        }
        choice transport {
          mandatory true;
          description
            "Selects between TLS and any transports augmented in.";
          case tls {
            container tls {
              description
                "Specifies TLS-specific call-home transport
                 configuration.";
              container endpoints {
                description
                  "Container for the list of endpoints.";
                list endpoint {
                  key name;
                  min-elements 1;
                  ordered-by user;
                  description
                    "User-ordered list of endpoints for this RESTCONF
                     client.  More than one enables high-availability.";
                  leaf name {
                    type string;
                    description
                      "An arbitrary name for this endpoint.";
                  }
                  leaf address {
                    type inet:host;
                    mandatory true;
                    description
                      "The IP address or hostname of the endpoint.  If
                       a hostname is configured and the DNS resolution
                       results in more than one IP address, the
                       RESTCONF server will process the IP addresses
                       as if they had been explicitly configured in
                       place of the hostname.";
                  }
                  leaf port {
                    type inet:port-number;
                    default 9999;
                    description
                      "The IP port for this endpoint.  The RESTCONF
                       server will use the IANA-assigned well-known
                       port if no value is specified.";
                  }
                }
              }
              uses tls-server-grouping;
            }
          }
        }
        container connection-type {
          description
           "Indicates the RESTCONF client's preference for how the
            RESTCONF server's connection is maintained.";
          choice connection-type {
            description
              "Selects between available connection types.";
            case persistent-connection {
              container persistent {
                presence true;
                description
                 "Maintain a persistent connection to the RESTCONF
                  client.  If the connection goes down, immediately
                  start trying to reconnect to it, using the
                  reconnection strategy.

                  This connection type minimizes any RESTCONF client
                  to RESTCONF server data-transfer delay, albeit at
                  the expense of holding resources longer.";
                container keep-alives {
                  description
                    "Configures the keep-alive policy, to proactively
                     test the aliveness of the TLS client.  An
                     unresponsive TLS client will be dropped after
                     approximately (max-attempts * max-wait) seconds.";
                  reference
                    "RFC YYYY: NETCONF Call Home and RESTCONF Call
                     Home, Section 3.1, item S6";
                  leaf max-wait {
                    type uint16 {
                      range "1..max";
                    }
                    units seconds;
                    default 30;
                    description
                     "Sets the amount of time in seconds after which
                      if no data has been received from the TLS
                      client, a TLS-level message will be sent to
                      test the aliveness of the TLS client.";
                  }
                  leaf max-attempts {
                    type uint8;
                    default 3;
                    description
                     "Sets the number of sequential keep-alive
                      messages that can fail to obtain a response
                      from the TLS client before assuming the TLS
                      client is no longer alive.";
                  }
                }
              }
            }
            case periodic-connection {
              container periodic {
                presence true;
                description
                 "Periodically connect to the RESTCONF client, so that
                  the RESTCONF client may deliver messages pending for
                  the RESTCONF server.  The RESTCONF client is
                  expected to close the connection when it is ready
                  to release it, thus starting the RESTCONF server's
                  timer until next connection.";
                leaf reconnect-timeout {
                  type uint16 {
                    range "1..max";
                  }
                  units minutes;
                  default 60;
                  description
                   "The maximum amount of unconnected time the
                    RESTCONF server will wait before re-establishing
                    a connection to the RESTCONF client.  The RESTCONF
                    server may initiate a connection before this time
                    if desired (e.g., to deliver a notification).";
                }
              }
            }
          }
        }
        container reconnect-strategy {
          description
           "The reconnection strategy guides how a RESTCONF server
            reconnects to a RESTCONF client, after losing a connection
            to it, even if due to a reboot.
The RESTCONF server starts with the specified endpoint and tries to connect to it max-attempts times before trying the next endpoint in the list (round robin)."; leaf start-with { type enumeration { enum first-listed { description "Indicates that reconnections should start with the first endpoint listed."; } enum last-connected { description "Indicates that reconnections should start with the endpoint last connected to. If no previous connection has ever been established, then the first endpoint configured is used. RESTCONF servers SHOULD be able to remember the last endpoint connected to across reboots."; } } default first-listed; description "Specifies which of the RESTCONF client's endpoints the RESTCONF serverthat only supports SSH, both listening for incoming connections as well as calling homeshould start with when trying to connect toa single application having two endpoints. <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> <session-options> <hello-timeout>600</hello-timeout> <idle-timeout>3600</idle-timeout> </session-options> <listen> <endpoint> <name>foo bar</name> <ssh> <address>11.22.33.44</address> <host-keys> <host-key>my-rsa-key</host-key> <host-key>my-dss-key</host-key> </host-keys> </ssh> </endpoint> </listen> <call-home> <application> <name>config-mgr</name> <ssh> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <host-keys> <host-key>my-call-home-x509-key</host-key> </host-keys> </ssh> </application> </call-home> <ssh> <x509> <trusted-ca-certs> <trusted-ca-cert> QW4gRWFzdGVyIGVnZywgZm9yIHRob3NlIHdobyBtaWdodCBsb29rICA6KQo= </trusted-ca-cert> </trusted-ca-certs> <trusted-client-certs> <trusted-client-cert> SSBhbSB0aGUgZWdnIG1hbiwgdGhleSBhcmUgdGhlIGVnZyBtZW4uCg== </trusted-client-cert> <trusted-client-cert> SSBhbSB0aGUgd2FscnVzLCBnb28gZ29vIGcnam9vYi4K </trusted-client-cert> 
</trusted-client-certs> </x509> </ssh> </netconf-server> A.2. NETCONF Configuration using TLS Transport The following example illustratesthe<get> response from a NETCONFRESTCONF client."; } leaf max-attempts { type uint8 { range "1..max"; } default 3; description "Specifies the number times the RESTCONF serverthat only supports TLS, both listening for incoming connections as well as calling hometries to connect to asingle application having two endpoints. Please note also the configurations for authenticating client certificates and mappings authenticated certificatesspecific endpoint before moving on toNETCONF user names. <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> <session-options> <hello-timeout>600</hello-timeout> <idle-timeout>3600</idle-timeout> </session-options> <listen> <endpoint> <name>primary-netconf-endpoint</name> <tls> <address>11.22.33.44</address> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </endpoint> </listen> <call-home> <application> <name>config-mgr</name> <tls> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </application> </call-home> <tls> <client-auth> <trusted-ca-certs> <trusted-ca-cert> QW4gRWFzdGVyIGVnZywgZm9yIHRob3NlIHdobyBtaWdodCBsb29rICA6KQo= </trusted-ca-cert> </trusted-ca-certs> <trusted-client-certs> <trusted-client-cert> SSBhbSB0aGUgZWdnIG1hbiwgdGhleSBhcmUgdGhlIGVnZyBtZW4uCg== </trusted-client-cert> <trusted-client-cert> SSBhbSB0aGUgd2FscnVzLCBnb28gZ29vIGcnam9vYi4K </trusted-client-cert> </trusted-client-certs> <cert-maps> <cert-to-name> <id>1</id> <fingerprint>11:0A:05:11:00</fingerprint> <map-type>x509c2n:san-any</map-type> </cert-to-name> <cert-to-name> <id>2</id> <fingerprint>11:0A:05:11:00</fingerprint> 
<map-type>x509c2n:specified</map-type> <name>Joe Cool</name> </cert-to-name> </cert-maps> </client-auth> </tls> </netconf-server> A.3. RESTCONF Configuration using TLS Transport The following example illustratesthe<get> response fromnext endpoint in the list (round robin)."; } } } } } grouping tls-server-grouping { description "An augmentation of tls-server-grouping, as defined in the ietf-tls-server module, to add in cert-maps."; uses ts:tls-server-grouping { augment "client-auth" { container cert-maps { uses x509c2n:cert-to-name; description "The cert-maps container is used by aRESTCONFNETCONF serverthat only supports TLS, both listening for incoming connections as well as calling hometo map the NETCONF client's presented X.509 certificate to asingle application having two endpoints. <restconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf-server"> <listen> <endpoint> <name>primary-restconf-endpoint</name> <tls> <address>11.22.33.44</address> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </endpoint> </listen> <call-home> <application> <name>config-mgr</name> <tls> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <certificates> <certificate>fw1.east.example.com</certificate> </certificates> </tls> </application> </call-home> </restconf-server>NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection, and MUST NOT accept NETCONF messages over it."; reference "RFC WWWW: NETCONF over TLS, Section 7"; } } } } } <CODE ENDS> Appendix B. Change Log B.1. 00 to 01 o Restructured document so it flows better o Added trusted-ca-certs and trusted-client-certs objects into the ietf-system-tls-auth module B.2. 
01 to 02

   o removed the "one-to-many" construct
   o removed "address" as a key field
   o removed "network-manager" terminology
   o moved open issues to github issues
   o brought TLS client auth back into model

B.3. 02 to 03

   o fixed tree diagrams and surrounding text

B.4. 03 to 04

   o reduced the number of grouping statements
   o removed psk-maps and associated feature statements
   o added ability for listen/call-home instances to specify which host-keys/certificates (of all listed) to use
   o clarified that last-connected should span reboots
   o added missing "objectives" for selecting which keys to use, authenticating client-certificates, and mapping authenticated client-certificates to usernames
   o clarified indirect client certificate authentication
   o added keep-alive configuration for listen connections
   o added global-level NETCONF session parameters

B.5. 04 to 05

   o Removed all refs to the old ietf-system-tls-auth module
   o Removed YANG 1.1 style if-feature statements (losing some expressiveness)
   o Removed the read-only (config false) lists of SSH host-keys and TLS certs
   o Added an if-feature around session-options container
   o Added ability to configure trust-anchors for SSH X.509 client certs
   o Now imports by revision, per best practice
   o Added support for RESTCONF server
   o Added RFC Editor instructions

B.6. 05 to 06

   o Removed feature statement on the session-options container (issue #21).
   o Added NACM statements to YANG modules for sensitive nodes (issue #24).
   o Fixed default RESTCONF server port value to be 443 (issue #26).
   o Added client-cert-auth subtree to ietf-restconf-server module (issue #27).
   o Updated draft-ietf-netmod-snmp-cfg reference to RFC 7407 (issue #28).
   o Added description statements for groupings (issue #29).
   o Added description for braces to tree diagram section (issue #30).
   o Renamed feature from "rfc6187" to "ssh-x509-certs" (issue #31).

B.7. 06 to 07

   o Replaced "application" with "NETCONF/RESTCONF client" (issue #32).
   o Reverted back to YANG 1.1 if-feature statements (issue #34).
   o Removed import by revisions (issue #36).
   o Removed groupings only used once (issue #37).
   o Removed upper-bound on hello-timeout, idle-timeout, and max-sessions (issue #38).
   o Clarified that when no listen address is configured, the NETCONF/RESTCONF server will listen on all addresses (issue #41).
   o Update keep-alive reference to new section in Call Home draft (issue #42).
   o Modified connection-type/persistent/keep-alives/interval-secs default value, removed the connection-type/periodic/linger-secs node, and also removed the reconnect-strategy/interval-secs node (issue #43).
   o Clarified how last-connected reconnection type should work across reboots (issue #44).
   o Clarified how DNS-expanded hostnames should be processed (issue #45).
   o Removed text on how to implement keep-alives (now in the call-home draft) and removed the keep-alive configuration for listen connections (issue #46).
   o Clarified text for .../periodic-connection/timeout-mins (issue #47).
   o Fixed description on the "trusted-ca-certs" leaf-list (issue #48).
   o Added optional keychain-based solution in appendix A (issue #49).
   o Fixed description text for the interval-secs leaf (issue #50).
   o moved idle-time into the listen, persistent, and periodic subtrees (issue #51).
   o put presence statements on containers where it makes sense (issue #53).

Appendix C. Open Issues

Please see: https://github.com/netconf-wg/server-model/issues.

Authors' Addresses

   Kent Watsen
   Juniper Networks
   EMail: kwatsen@juniper.net

   Juergen Schoenwaelder
   Jacobs University Bremen
   EMail: j.schoenwaelder@jacobs-university.de
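The call-home behaviour the ietf-restconf-server-new module specifies in its endpoint address, reconnect-strategy and keep-alives nodes (hostname expansion to several IP addresses, start-with first-listed or last-connected, max-attempts per endpoint then round robin, and the approximate keep-alive drop time) is modelled below as an added example; it is not code from the draft, and the endpoint names, addresses and the resolver used in it are constructed.

```python
"""Added example, not part of the draft: simulate the call-home
reconnect-strategy, hostname expansion and keep-alive policy described
by the ietf-restconf-server-new module.  Names and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    address: str      # inet:host: an IP address or a hostname
    port: int = 9999  # placeholder for the IANA-assigned restconf-ch-tls port


@dataclass
class ReconnectStrategy:
    start_with: str = "first-listed"  # or "last-connected"
    max_attempts: int = 3             # range "1..max"


def expand_endpoints(endpoints, resolve):
    """A hostname resolving to several IP addresses is processed as if
    each address had been configured in place of the hostname."""
    return [Endpoint(ep.name, ip, ep.port)
            for ep in endpoints for ip in resolve(ep.address)]


def connection_order(endpoints, strategy, last_connected=None):
    """Attempts in the order the server makes them: the start endpoint
    max-attempts times, then each following endpoint, round robin."""
    if strategy.max_attempts < 1:
        raise ValueError("max-attempts is out of range 1..max")
    start = 0
    if strategy.start_with == "last-connected" and last_connected is not None:
        hits = [i for i, ep in enumerate(endpoints)
                if (ep.address, ep.port) == last_connected]
        start = hits[0] if hits else 0  # never connected: first endpoint
    ordered = endpoints[start:] + endpoints[:start]
    return [(ep.address, ep.port) for ep in ordered
            for _ in range(strategy.max_attempts)]


def reconnect(endpoints, strategy, try_connect, last_connected=None):
    """Walk one round of attempts; return the endpoint reached, else None."""
    for addr, port in connection_order(endpoints, strategy, last_connected):
        if try_connect(addr, port):
            return (addr, port)
    return None


def keepalive_drop_seconds(max_wait=30, max_attempts=3):
    """Approximate seconds before an unresponsive TLS client is dropped."""
    return max_wait * max_attempts
```

With the module defaults, an endpoint whose hostname resolves to two addresses contributes two entries to the round robin, and an unresponsive client is dropped after about 30 * 3 = 90 seconds.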