YANG Library
draft-ietf-netconf-rfc7895bis-06
The information below is for an old version of the document.
| Document | |
|---|---|
| Type | This is an older version of an Internet-Draft that was ultimately published as RFC 8525. |
| Authors | Andy Bierman, Martin Björklund, Jürgen Schönwälder, Kent Watsen, Robert Wilton |
| Last updated | 2018-10-11 (Latest revision 2018-04-08) |
| Replaces | draft-nmdsdt-netconf-rfc7895bis |
| RFC stream | Internet Engineering Task Force (IETF) |
| Additional resources | Mailing list discussion |
| Stream WG state | Submitted to IESG for Publication |
| Document shepherd | Mahesh Jethanandani |
| Shepherd write-up | Last changed 2018-04-09 |
| IESG state | Became RFC 8525 (Proposed Standard) |
| Consensus boilerplate | Yes |
| Telechat date | (None) |
| Responsible AD | Ignas Bagdonas |
| Send notices to | Mahesh Jethanandani <mjethanandani@gmail.com> |
| IANA review state | IANA OK - Actions Needed |
           ";
         uses common-leafs {
           status deprecated;
         }
         uses schema-leaf {
           status deprecated;
         }
       }
     }
   }

   /*
    * Legacy operational state data nodes
    */

   container modules-state {
     config false;
     status deprecated;

Bierman, et al.          Expires October 11, 2018               [Page 19]
Internet-Draft                 YANG Library                     April 2018

     description
       "Contains YANG module monitoring information.";

     leaf module-set-id {
       type string;
       mandatory true;
       status deprecated;
       description
         "Contains a server-specific identifier representing
          the current set of modules and submodules.  The
          server MUST change the value of this leaf if the
          information represented by the 'module' list instances
          has changed.";
     }

     uses module-list {
       status deprecated;
     }
   }

   /*
    * Legacy notifications
    */

   notification yang-library-change {
     status deprecated;
     description
       "Generated when the set of modules and submodules supported
        by the server has changed.";
     leaf module-set-id {
       type leafref {
         path "/yanglib:modules-state/yanglib:module-set-id";
       }
       mandatory true;
       status deprecated;
       description
         "Contains the module-set-id value representing the set of
          modules and submodules supported at the server at the
          time the notification is generated.";
     }
   }
 }

   <CODE ENDS>

5.  IANA Considerations

   RFC 7895 previously registered one URI in the IETF XML registry [RFC3688].  This document takes over this registration entry made by RFC 7895 and changes the Registrant to the IESG according to Section 4 in [RFC3688].

      URI: urn:ietf:params:xml:ns:yang:ietf-yang-library
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   RFC 7895 previously registered one YANG module in the "YANG Module Names" registry [RFC6020] as follows:

      name:         ietf-yang-library
      namespace:    urn:ietf:params:xml:ns:yang:ietf-yang-library
      prefix:       yanglib
      reference:    RFC 7895

   This document takes over this registration entry made by RFC 7895.

6.  Security Considerations

   The YANG module specified in this document defines a schema for data that is accessed by network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

   Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments.  It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes.  These are the subtrees and data nodes and their sensitivity/vulnerability:

   The "/yang-library" subtree of the YANG library may help an attacker identify the server capabilities and server implementations with known bugs, since the set of YANG modules supported by a server may reveal the kind of device and the manufacturer of the device.  Although some of this information may be available to all NETCONF users via the NETCONF <hello> message (or similar messages in other management protocols), this YANG module potentially exposes additional details that could be of some assistance to an attacker.  Server vulnerabilities may be specific to particular modules, module revisions, module features, or even module deviations.
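As an added illustration of the NACM control that the paragraphs above point to (example code written for this page, not from the draft and not from any NETCONF implementation), the following Python script evaluates a constructed NACM rule set with a simplified version of the RFC 6536 data-rule algorithm (rule-lists in order, first matching rule wins, module-level matching only, no instance-identifier path matching) to decide whether a given user may read "ietf-yang-library" data. The user names, group names and rule names are constructed for the example. The point it shows is that the RFC 6536 default "read-default" of "permit" lets any user outside the groups covered by an explicit deny rule read the library, so a server that wants to withhold it from unprivileged users needs either a deny rule for each such group or a "read-default" of "deny" with explicit permits.

```python
# Added example (not from the draft): evaluate a minimal NACM (RFC 6536)
# rule set to decide whether a user may read ietf-yang-library data.
import xml.etree.ElementTree as ET

NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"

# Constructed NACM configuration for illustration; user, group and rule
# names are assumptions.  read-default "permit" is the RFC 6536 default,
# so anything not denied by a matching rule stays readable.
NACM_CONFIG = """\
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <groups>
    <group><name>admin</name><user-name>alice</user-name></group>
    <group><name>monitor</name><user-name>bob</user-name></group>
  </groups>
  <rule-list>
    <name>admin-acl</name>
    <group>admin</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <rule-list>
    <name>monitor-acl</name>
    <group>monitor</group>
    <rule>
      <name>hide-yang-library</name>
      <module-name>ietf-yang-library</module-name>
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
"""


def _child_text(el, tag, default=None):
    """Text of the first namespaced child <tag>, or default if absent."""
    found = el.find(f"{{{NACM_NS}}}{tag}")
    return found.text.strip() if found is not None and found.text else default


def _groups_for(nacm, user):
    """Set of NACM group names whose user-name list contains 'user'."""
    groups = set()
    for group in nacm.iterfind(f"{{{NACM_NS}}}groups/{{{NACM_NS}}}group"):
        members = [m.text.strip() for m in group.iterfind(f"{{{NACM_NS}}}user-name") if m.text]
        if user in members:
            groups.add(_child_text(group, "name"))
    return groups


def read_decision(nacm_xml, user, module_name):
    """Return "permit" or "deny" for a read of data belonging to 'module_name'.

    Simplified RFC 6536 evaluation: rule-lists are scanned in order, only
    those naming one of the user's groups (or "*") apply, and the first
    rule whose module-name and access-operations match decides.  Path
    (data node) matching is omitted, so a rule covers the whole module.
    With no matching rule the configured read-default applies.
    """
    nacm = ET.fromstring(nacm_xml)
    if _child_text(nacm, "enable-nacm", "true") != "true":
        return "permit"  # NACM disabled: everything is permitted
    groups = _groups_for(nacm, user)
    for rule_list in nacm.iterfind(f"{{{NACM_NS}}}rule-list"):
        allowed = {g.text.strip() for g in rule_list.iterfind(f"{{{NACM_NS}}}group") if g.text}
        if "*" not in allowed and not (allowed & groups):
            continue
        for rule in rule_list.iterfind(f"{{{NACM_NS}}}rule"):
            module = _child_text(rule, "module-name", "*")
            if module not in ("*", module_name):
                continue
            ops = _child_text(rule, "access-operations", "*")
            if ops != "*" and "read" not in ops.split():
                continue
            return _child_text(rule, "action")
    return _child_text(nacm, "read-default", "permit")


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, read_decision(NACM_CONFIG, user, "ietf-yang-library"))
```

Running the script prints "permit" for alice (admin), "deny" for bob (monitor) and "permit" for carol, who is in no group and therefore falls through to the read-default; changing the read-default to "deny" is what closes that gap for carol while the admin rule-list keeps alice's access.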
   For example, if a particular operation on a particular data node is known to cause a server to crash or significantly degrade device performance, then the module list information will help an attacker identify server implementations with such a defect, in order to launch a denial-of-service attack on the device.

7.  Acknowledgments

   Contributions to this material by Andy Bierman are based upon work supported by The Space & Terrestrial Communications Directorate (S&TCD) under Contract No. W15P7T-13-C-A616.  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of The Space & Terrestrial Communications Directorate (S&TCD).

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <https://www.rfc-editor.org/info/rfc3688>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <https://www.rfc-editor.org/info/rfc5246>.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, DOI 10.17487/RFC6536, March 2012, <https://www.rfc-editor.org/info/rfc6536>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc-editor.org/info/rfc6991>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, <https://www.rfc-editor.org/info/rfc8342>.

8.2.  Informative References

   [I-D.ietf-netconf-nmda-netconf]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "NETCONF Extensions to Support the Network Management Datastore Architecture", draft-ietf-netconf-nmda-netconf-04 (work in progress), March 2018.

   [I-D.ietf-netconf-nmda-restconf]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "RESTCONF Extensions to Support the Network Management Datastore Architecture", draft-ietf-netconf-nmda-restconf-03 (work in progress), March 2018.

   [I-D.ietf-netmod-schema-mount]  Bjorklund, M. and L. Lhotka, "YANG Schema Mount", draft-ietf-netmod-schema-mount-09 (work in progress), March 2018.

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008, <https://www.rfc-editor.org/info/rfc5277>.
   [RFC6470]  Bierman, A., "Network Configuration Protocol (NETCONF) Base Notifications", RFC 6470, DOI 10.17487/RFC6470, February 2012, <https://www.rfc-editor.org/info/rfc6470>.

   [RFC7895]  Bierman, A., Bjorklund, M., and K. Watsen, "YANG Module Library", RFC 7895, DOI 10.17487/RFC7895, June 2016, <https://www.rfc-editor.org/info/rfc7895>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, <https://www.rfc-editor.org/info/rfc8340>.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, <https://www.rfc-editor.org/info/rfc8343>.

   [RFC8344]  Bjorklund, M., "A YANG Data Model for IP Management", RFC 8344, DOI 10.17487/RFC8344, March 2018, <https://www.rfc-editor.org/info/rfc8344>.

   [RFC8345]  Clemm, A., Medved, J., Varga, R., Bahadur, N., Ananthakrishnan, H., and X. Liu, "A YANG Data Model for Network Topologies", RFC 8345, DOI 10.17487/RFC8345, March 2018, <https://www.rfc-editor.org/info/rfc8345>.

   [RFC8348]  Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A YANG Data Model for Hardware Management", RFC 8348, DOI 10.17487/RFC8348, March 2018, <https://www.rfc-editor.org/info/rfc8348>.

   [RFC8349]  Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for Routing Management (NMDA Version)", RFC 8349, DOI 10.17487/RFC8349, March 2018, <https://www.rfc-editor.org/info/rfc8349>.

Appendix A.  Summary of Changes from RFC 7895

   This document updates [RFC7895] in the following ways:

   o  Renamed document title from "YANG Module Library" to "YANG Library".

   o  Added a new top-level "/yang-library" container to hold the entire YANG library providing information about module sets, schemas, and datastores.

   o  Refactored the "/modules-state" container into a new "/yang-library/module-set" list.

   o  Added a new "/yang-library/schema" list and a new "/yang-library/datastore" list.

   o  Added a set of new groupings as replacements for the deprecated groupings.

   o  Added a "yang-library-update" notification as a replacement for the deprecated "yang-library-change" notification.

   o  Deprecated the "/modules-state" tree.

   o  Deprecated the "/module-list" grouping.

   o  Deprecated the "/yang-library-change" notification.

Appendix B.  Example YANG Library Instance for a Basic Server

   The following example shows the YANG Library of a basic server implementing the "ietf-interfaces" [RFC8343] and "ietf-ip" [RFC8344] modules in the <running>, <startup>, and <operational> datastores and the "ietf-hardware" [RFC8348] module in the <operational> datastore.  Newlines in leaf values are added for formatting reasons.

   <yang-library
       xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
       xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
     <module-set>
       <name>config-modules</name>
       <module>
         <name>ietf-interfaces</name>
         <revision>2018-01-09</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-interfaces
         </namespace>
       </module>
       <module>
         <name>ietf-ip</name>
         <revision>2018-01-09</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-ip
         </namespace>
       </module>
       <import-only-module>
         <name>ietf-yang-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-yang-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>ietf-inet-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-inet-types
         </namespace>
       </import-only-module>
     </module-set>
     <module-set>
       <name>state-modules</name>
       <module>
         <name>ietf-hardware</name>
         <revision>2018-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-hardware
         </namespace>
       </module>
       <import-only-module>
         <name>ietf-inet-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-inet-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>ietf-yang-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-yang-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>iana-hardware</name>
         <revision>2017-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:iana-hardware
         </namespace>
       </import-only-module>
     </module-set>
     <schema>
       <name>config-schema</name>
       <module-set>config-modules</module-set>
     </schema>
     <schema>
       <name>state-schema</name>
       <module-set>config-modules</module-set>
       <module-set>state-modules</module-set>
     </schema>
     <datastore>
       <name>ds:startup</name>
       <schema>config-schema</schema>
     </datastore>
     <datastore>
       <name>ds:running</name>
       <schema>config-schema</schema>
     </datastore>
     <datastore>
       <name>ds:operational</name>
       <schema>state-schema</schema>
     </datastore>
     <checksum>75a43df9bd56b92aacc156a2958fbe12312fb285</checksum>
   </yang-library>

Appendix C.  Example YANG Library Instance for an Advanced Server

   The following example extends the preceding Basic Server YANG Library example, by using modules from [RFC8345] and [RFC8349], to illustrate a slightly more advanced server that:

   o  Has a module with features only enabled in <operational>; the "ietf-routing" module is supported in <running>, <startup>, and <operational>, but the "multiple-ribs" and "router-id" features are only enabled in <operational>.  Hence the "router-id" leaf may be read but not configured.

   o  Supports a dynamic configuration datastore "example-ds-ephemeral", with only the "ietf-network" and "ietf-network-topology" modules configurable via a notional dynamic configuration protocol.
   o  Shows an example of datastore-specific deviations.  The module "example-vendor-hardware-deviations" is included in the schema for <operational> to remove data nodes that cannot be supported by the server.

   o  Shows how module-sets can be used to organize related modules together.

   <yang-library
       xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
       xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores"
       xmlns:ex-ds-eph="urn:example:ds-ephemeral">
     <module-set>
       <name>config-state-modules</name>
       <module>
         <name>ietf-interfaces</name>
         <revision>2018-01-09</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-interfaces
         </namespace>
       </module>
       <module>
         <name>ietf-ip</name>
         <revision>2018-01-09</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-ip
         </namespace>
       </module>
       <module>
         <name>ietf-routing</name>
         <revision>2018-01-25</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-routing
         </namespace>
       </module>
       <import-only-module>
         <name>ietf-yang-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-yang-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>ietf-inet-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-inet-types
         </namespace>
       </import-only-module>
     </module-set>
     <module-set>
       <name>config-only-modules</name>
       <module>
         <name>ietf-routing</name>
         <revision>2018-01-25</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-routing
         </namespace>
       </module>
     </module-set>
     <module-set>
       <name>dynamic-config-state-modules</name>
       <module>
         <name>ietf-network</name>
         <revision>2017-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-network
         </namespace>
       </module>
       <module>
         <name>ietf-network-topology</name>
         <revision>2017-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-network-topology
         </namespace>
       </module>
       <import-only-module>
         <name>ietf-inet-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-inet-types
         </namespace>
       </import-only-module>
     </module-set>
     <module-set>
       <name>state-only-modules</name>
       <module>
         <name>ietf-hardware</name>
         <revision>2018-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-hardware
         </namespace>
         <deviation>example-vendor-hardware-deviations</deviation>
       </module>
       <module>
         <name>ietf-routing</name>
         <revision>2018-01-25</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-routing
         </namespace>
         <feature>multiple-ribs</feature>
         <feature>router-id</feature>
       </module>
       <module>
         <name>example-vendor-hardware-deviations</name>
         <revision>2018-01-31</revision>
         <namespace>
           urn:example:example-vendor-hardware-deviations
         </namespace>
       </module>
       <import-only-module>
         <name>ietf-inet-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-inet-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>ietf-yang-types</name>
         <revision>2013-07-15</revision>
         <namespace>
           urn:ietf:params:xml:ns:yang:ietf-yang-types
         </namespace>
       </import-only-module>
       <import-only-module>
         <name>iana-hardware</name>
         <revision>2017-12-18</revision>  <!-- RFC Ed. update this -->
         <namespace>
           urn:ietf:params:xml:ns:yang:iana-hardware
         </namespace>
       </import-only-module>
     </module-set>
     <schema>
       <name>config-schema</name>
       <module-set>config-state-modules</module-set>
       <module-set>config-only-modules</module-set>
     </schema>
     <schema>
       <name>dynamic-config-schema</name>
       <module-set>dynamic-config-state-modules</module-set>
     </schema>
     <schema>
       <name>state-schema</name>
       <module-set>config-state-modules</module-set>
       <module-set>dynamic-config-state-modules</module-set>
       <module-set>state-only-modules</module-set>
     </schema>
     <datastore>
       <name>ds:startup</name>
       <schema>config-schema</schema>
     </datastore>
     <datastore>
       <name>ds:running</name>
       <schema>config-schema</schema>
     </datastore>
     <datastore>
       <name>ex-ds-eph:ds-ephemeral</name>
       <schema>dynamic-config-schema</schema>
     </datastore>
     <datastore>
       <name>ds:operational</name>
       <schema>state-schema</schema>
     </datastore>
     <checksum>14782ab9bd56b92aacc156a2958fbe12312fb285</checksum>
   </yang-library>

Authors' Addresses

   Andy Bierman
   YumaWorks

   Email: andy@yumaworks.com


   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com


   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de


   Kent Watsen
   Juniper Networks

   Email: kwatsen@juniper.net


   Robert Wilton
   Cisco Systems

   Email: rwilton@cisco.com
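The instances in Appendices B and C resolve a datastore to a schema, a schema to one or more module sets, and a module set to its implemented and import-only modules. The following Python script, added here for illustration and not part of the draft, parses a cut-down copy of the Appendix C instance (constructed for the example, with the same module names, revisions and namespaces) and computes, per datastore, the implemented modules with their features and deviations merged across module sets. On the Appendix C data this makes visible that "ietf-routing" carries the "multiple-ribs" and "router-id" features only in <operational>, that "ietf-hardware" appears there with its deviation module, and that import-only modules are not implemented in any datastore. It also raises on a dangling schema or module-set reference and when one schema lists a module at two different revisions; the latter is a sanity check of this script rather than a rule quoted from the draft.

```python
# Added example (not from the draft): resolve an ietf-yang-library instance
# into the per-datastore set of implemented modules, features and deviations.
import xml.etree.ElementTree as ET

YL_NS = "urn:ietf:params:xml:ns:yang:ietf-yang-library"

# Constructed instance, cut down from the draft's Appendix C example.
YANG_LIBRARY = """\
<yang-library xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"
              xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
  <module-set>
    <name>config-state-modules</name>
    <module><name>ietf-interfaces</name><revision>2018-01-09</revision>
      <namespace>urn:ietf:params:xml:ns:yang:ietf-interfaces</namespace></module>
    <module><name>ietf-routing</name><revision>2018-01-25</revision>
      <namespace>urn:ietf:params:xml:ns:yang:ietf-routing</namespace></module>
    <import-only-module><name>ietf-inet-types</name><revision>2013-07-15</revision>
      <namespace>urn:ietf:params:xml:ns:yang:ietf-inet-types</namespace></import-only-module>
  </module-set>
  <module-set>
    <name>state-only-modules</name>
    <module><name>ietf-hardware</name><revision>2018-12-18</revision>
      <namespace>urn:ietf:params:xml:ns:yang:ietf-hardware</namespace>
      <deviation>example-vendor-hardware-deviations</deviation></module>
    <module><name>ietf-routing</name><revision>2018-01-25</revision>
      <namespace>urn:ietf:params:xml:ns:yang:ietf-routing</namespace>
      <feature>multiple-ribs</feature><feature>router-id</feature></module>
    <module><name>example-vendor-hardware-deviations</name><revision>2018-01-31</revision>
      <namespace>urn:example:example-vendor-hardware-deviations</namespace></module>
  </module-set>
  <schema><name>config-schema</name><module-set>config-state-modules</module-set></schema>
  <schema><name>state-schema</name>
    <module-set>config-state-modules</module-set>
    <module-set>state-only-modules</module-set></schema>
  <datastore><name>ds:running</name><schema>config-schema</schema></datastore>
  <datastore><name>ds:operational</name><schema>state-schema</schema></datastore>
  <checksum>14782ab9bd56b92aacc156a2958fbe12312fb285</checksum>
</yang-library>
"""


def _q(tag):
    """Namespace-qualified tag for ElementTree lookups."""
    return f"{{{YL_NS}}}{tag}"


def _texts(el, tag):
    """Text of every direct child <tag> of el, in document order."""
    return [c.text.strip() for c in el.iterfind(_q(tag)) if c.text]


def parse_library(xml_text):
    """Return (module_sets, schemas, datastores), each a dict keyed by name.

    Only <module> entries (implemented modules) are collected; the
    <import-only-module> entries are not implemented in any datastore.
    """
    root = ET.fromstring(xml_text)
    module_sets = {}
    for ms in root.iterfind(_q("module-set")):
        mods = {}
        for m in ms.iterfind(_q("module")):
            mods[_texts(m, "name")[0]] = {
                "revision": _texts(m, "revision")[0],
                "features": _texts(m, "feature"),
                "deviations": _texts(m, "deviation"),
            }
        module_sets[_texts(ms, "name")[0]] = mods
    schemas = {_texts(s, "name")[0]: _texts(s, "module-set") for s in root.iterfind(_q("schema"))}
    datastores = {_texts(d, "name")[0]: _texts(d, "schema")[0] for d in root.iterfind(_q("datastore"))}
    return module_sets, schemas, datastores


def datastore_modules(library, datastore):
    """Implemented modules visible in 'datastore', features and deviations
    merged across the module sets of its schema.

    Raises KeyError on a dangling datastore/schema/module-set reference and
    ValueError if one schema lists the same module at two revisions.
    """
    module_sets, schemas, datastores = library
    merged = {}
    for ms_name in schemas[datastores[datastore]]:
        for name, info in module_sets[ms_name].items():
            entry = merged.setdefault(name, {"revision": info["revision"], "features": [], "deviations": []})
            if entry["revision"] != info["revision"]:
                raise ValueError(f"{name} listed at revisions {entry['revision']} and {info['revision']}")
            for key in ("features", "deviations"):
                entry[key] += [v for v in info[key] if v not in entry[key]]
    return merged


if __name__ == "__main__":
    lib = parse_library(YANG_LIBRARY)
    for ds in ("ds:running", "ds:operational"):
        for name, info in sorted(datastore_modules(lib, ds).items()):
            print(ds, name, info["revision"], info["features"], info["deviations"])
```

The same walk is what a client does before it trusts a datastore's schema; the two exceptions are where an inconsistent library (a schema naming a module set the server never listed, or two module sets disagreeing on a revision) should stop a client rather than be silently merged.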