--- /dev/null
+<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
+ <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-netconf-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
+ prefix ncs;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-x509-cert-to-name {
+ prefix x509c2n;
+ reference
+ "RFC 7407: A YANG Data Model for SNMP Configuration";
+ }
+
+ import ietf-ssh-server {
+ prefix ss;
+ revision-date 2016-11-02;
+ reference
+ "RFC YYYY: SSH Client and Server Models";
+ }
+
+ import ietf-tls-server {
+ prefix ts;
+ revision-date 2016-11-02;
+ reference
+ "RFC ZZZZ: TLS Client and Server Models";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+
+ WG Chair: Mehmet Ersue
+ <mailto:mehmet.ersue@nsn.com>
+
+ WG Chair: Mahesh Jethanandani
+ <mailto:mjethanandani@gmail.com>
+
+ Editor: Kent Watsen
+ <mailto:kwatsen@juniper.net>";
+ description
+ "This module contains a collection of YANG definitions for
+ configuring NETCONF servers.
+
+ Copyright (c) 2014 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision 2016-11-02 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: NETCONF Client and Server Models";
+ }
+
+ feature listen {
+ description
+ "The 'listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF client connections
+ using at least one transport (e.g., SSH, TLS, etc.).";
+ }
+
+ feature ssh-listen {
+ description
+ "The 'ssh-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over SSH
+ client connections.";
+ reference
+ "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
+ }
+
+ feature tls-listen {
+ description
+ "The 'tls-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over TLS
+ client connections.";
+ reference
+ "RFC 7589: Using the NETCONF Protocol over Transport
+ Layer Security (TLS) with Mutual X.509
+ Authentication";
+ }
+
+ feature call-home {
+ description
+ "The 'call-home' feature indicates that the NETCONF server
+ supports initiating NETCONF call home connections to NETCONF
+ clients using at least one transport (e.g., SSH, TLS, etc.).";
+ reference
+ "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature ssh-call-home {
+ description
+ "The 'ssh-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over SSH call
+ home connection to NETCONF clients.";
+ reference
+ "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature tls-call-home {
+ description
+ "The 'tls-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over TLS call
+ home connection to NETCONF clients.";
+ reference
+ "RFC YYYY: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ grouping cert-maps-grouping {
+ description
+ "A grouping that defines a container around the
+ cert-to-name structure defined in RFC 7407.";
+ container cert-maps {
+ description
+ "The cert-maps container is used by a TLS-based NETCONF
+ server to map the NETCONF client's presented X.509
+ certificate to a NETCONF username. If no matching and
+ valid cert-to-name list entry can be found, then the
+ NETCONF server MUST close the connection, and MUST NOT
+ accept NETCONF messages over it.";
+ reference
+ "RFC WWWW: NETCONF over TLS, Section 7";
+ uses x509c2n:cert-to-name;
+ }
+ }
+
+ grouping endpoints-container {
+ description
+ "This grouping is used by both the ssh and tls containers
+ for call-home configurations.";
+ container endpoints {
+ description
+ "Container for the list of endpoints.";
+ list endpoint {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "User-ordered list of endpoints for this NETCONF client.
+ Defining more than one enables high-availability.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this endpoint.";
+ }
+
+ leaf address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the endpoint. If a
+ hostname is configured and the DNS resolution results
+ in more than one IP address, the NETCONF server
+ will process the IP addresses as if they had been
+ explicitly configured in place of the hostname.";
+ }
+
+ leaf port {
+ type inet:port-number;
+ description
+ "The IP port for this endpoint. The NETCONF server will
+ use the IANA-assigned well-known port if no value is
+ specified.";
+ }
+ }
+ }
+ }
+
+ container netconf-server {
+ description
+ "Top-level container for NETCONF server configuration.";
+ container session-options {
+ description
+ "NETCONF session options, independent of transport
+ or connection strategy.";
+ leaf hello-timeout {
+ type uint16;
+ units "seconds";
+ default "600";
+ description
+ "Specifies the maximum number of seconds that a SSH/TLS
+ connection may wait for a hello message to be received.
+ A connection will be dropped if no hello message is
+ received before this number of seconds elapses. If set
+ to zero, then the server will wait forever for a hello
+ message.";
+ }
+ }
+
+ container listen {
+ if-feature "listen";
+ description
+ "Configures listen behavior";
+ leaf max-sessions {
+ type uint16;
+ default "0";
+ description
+ "Specifies the maximum number of concurrent sessions
+ that can be active at one time. The value 0 indicates
+ that no artificial session limit should be used.";
+ }
+
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default "3600";
+ description
+ "Specifies the maximum number of seconds that a NETCONF
+ session may remain idle. A NETCONF session will be dropped
+ if it is idle for an interval longer than this number of
+ seconds. If set to zero, then the server will never drop
+ a session because it is idle. Sessions that have a
+ notification subscription active are never dropped.";
+ }
+
+ list endpoint {
+ key "name";
+ description
+ "List of endpoints to listen for NETCONF connections on.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NETCONF listen endpoint.";
+ }
+
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-listen";
+ container ssh {
+ description
+ "SSH-specific listening configuration for inbound
+ connections.";
+ uses ss:listening-ssh-server-grouping {
+ refine "port" {
+ default "830";
+ }
+ }
+ }
+ }
+
+ case tls {
+ if-feature "tls-listen";
+ container tls {
+ description
+ "TLS-specific listening configuration for inbound
+ connections.";
+ uses ts:listening-tls-server-grouping {
+ refine "port" {
+ default "6513";
+ }
+ augment "client-auth" {
+ description
+ "Augments in the cert-to-name structure.";
+ uses cert-maps-grouping;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ container call-home {
+ if-feature "call-home";
+ description
+ "Configures call-home behavior";
+ list netconf-client {
+ key "name";
+ description
+ "List of NETCONF clients the NETCONF server is to initiate
+ call-home connections to.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the remote NETCONF client.";
+ }
+
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-call-home";
+ container ssh {
+ description
+ "Specifies SSH-specific call-home transport
+ configuration.";
+ uses endpoints-container {
+ refine "endpoints/endpoint/port" {
+ default "4334";
+ }
+ }
+
+ uses ss:non-listening-ssh-server-grouping;
+ }
+ }
+
+ case tls {
+ if-feature "tls-call-home";
+ container tls {
+ description
+ "Specifies TLS-specific call-home transport
+ configuration.";
+ uses endpoints-container {
+ refine "endpoints/endpoint/port" {
+ default "4335";
+ }
+ }
+
+ uses ts:non-listening-tls-server-grouping {
+ augment "client-auth" {
+ description
+ "Augments in the cert-to-name structure.";
+ uses cert-maps-grouping;
+ }
+ }
+ }
+ }
+ }
+
+ container connection-type {
+ description
+ "Indicates the kind of connection to use.";
+ choice connection-type {
+ description
+ "Selects between available connection types.";
+ case persistent-connection {
+ container persistent {
+ presence "true";
+ description
+ "Maintain a persistent connection to the NETCONF
+ client. If the connection goes down, immediately
+ start trying to reconnect to it, using the
+ reconnection strategy.
+
+ This connection type minimizes any NETCONF client
+ to NETCONF server data-transfer delay, albeit at
+ the expense of holding resources longer.";
+ leaf idle-timeout {
+ type uint32;
+ units "seconds";
+ default "86400";
+ description
+ "Specifies the maximum number of seconds that a
+ a NETCONF session may remain idle. A NETCONF
+ session will be dropped if it is idle for an
+ interval longer than this number of seconds.
+ If set to zero, then the server will never drop
+ a session because it is idle. Sessions that
+ have a notification subscription active are
+ never dropped.";
+ }
+
+ container keep-alives {
+ description
+ "Configures the keep-alive policy, to proactively
+ test the aliveness of the SSH/TLS client. An
+ unresponsive SSH/TLS client will be dropped after
+ approximately max-attempts * max-wait seconds.";
+ reference
+ "RFC YYYY: NETCONF Call Home and RESTCONF Call
+ Home, Section 3.1, item S6";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which
+ if no data has been received from the SSH/TLS
+ client, a SSH/TLS-level message will be sent
+ to test the aliveness of the SSH/TLS client.";
+ }
+
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSH/TLS client before assuming the SSH/TLS
+ client is no longer alive.";
+ }
+ }
+ }
+ }
+
+ case periodic-connection {
+ container periodic {
+ presence "true";
+ description
+ "Periodically connect to the NETCONF client, so that
+ the NETCONF client may deliver messages pending for
+ the NETCONF server. The NETCONF client must close
+ the connection when it is ready to release it. Once
+ the connection has been closed, the NETCONF server
+ will restart its timer until the next connection.";
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default "300";
+ description
+ "Specifies the maximum number of seconds that a
+ a NETCONF session may remain idle. A NETCONF
+ session will be dropped if it is idle for an
+ interval longer than this number of seconds.
+ If set to zero, then the server will never drop
+ a session because it is idle. Sessions that
+ have a notification subscription active are
+ never dropped.";
+ }
+
+ leaf reconnect_timeout {
+ type uint16 {
+ range "1..max";
+ }
+ units "minutes";
+ default "60";
+ description
+ "Sets the maximum amount of unconnected time the
+ NETCONF server will wait before re-establishing
+ a connection to the NETCONF client. The NETCONF
+ server may initiate a connection before this
+ time if desired (e.g., to deliver an event
+ notification message).";
+ }
+ }
+ }
+ }
+ }
+
+ container reconnect-strategy {
+ description
+ "The reconnection strategy directs how a NETCONF server
+ reconnects to a NETCONF client, after discovering its
+ connection to the client has dropped, even if due to a
+ reboot. The NETCONF server starts with the specified
+ endpoint and tries to connect to it max-attempts times
+ before trying the next endpoint in the list (round
+ robin).";
+ leaf start-with {
+ type enumeration {
+ enum "first-listed" {
+ description
+ "Indicates that reconnections should start with
+ the first endpoint listed.";
+ }
+ enum "last-connected" {
+ description
+ "Indicates that reconnections should start with
+ the endpoint last connected to. If no previous
+ connection has ever been established, then the
+ first endpoint configured is used. NETCONF
+ servers SHOULD be able to remember the last
+ endpoint connected to across reboots.";
+ }
+ }
+ default "first-listed";
+ description
+ "Specifies which of the NETCONF client's endpoints the
+ NETCONF server should start with when trying to connect
+ to the NETCONF client.";
+ }
+
+ leaf max-attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default "3";
+ description
+ "Specifies the number times the NETCONF server tries to
+ connect to a specific endpoint before moving on to the
+ next endpoint in the list (round robin).";
+ }
+ }
+ }
+ }
+ }
+}
+</data>
+</rpc-reply>