Internet Engineering Task Force JG. Cumming Internet-Draft Nokia Updates: 6241, 8526, 9144 (if approved) R. Wills Intended status: Standards Track Cisco Systems Expires: 1 December 2024 30 May 2024 NETCONF Private Candidates draft-ietf-netconf-privcand-03 Abstract This document provides a mechanism to extend the Network Configuration Protocol (NETCONF) and RESTCONF protocol to support multiple clients making configuration changes simultaneously and ensuring that they commit only those changes that they defined. This document addresses two specific aspects: The interaction with a private candidate over the NETCONF and RESTCONF protocols and the methods to identify and resolve conflicts between clients. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 1 December 2024. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components Cumming & Wills Expires 1 December 2024 [Page 1] Internet-Draft NETCONF Private Candidates May 2024 extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Definitions and terminology . . . . . . . . . . . . . . . . . 4 2.1. Session specific datastore . . . . . . . . . . . . . . . 4 2.2. Shared candidate configuration . . . . . . . . . . . . . 4 2.3. Private candidate configuration . . . . . . . . . . . . . 4 3. Limitations using the shared candidate configuration for multiple clients . . . . . . . . . . . . . . . . . . . . 5 3.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1. Unintended deployment of alternate users configuration changes . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. Current mitigation strategies . . . . . . . . . . . . . . 5 3.2.1. Locking the shared candidate configuration datastore . . . . . . . . . . . . . . . . . . . . . . 5 3.2.2. Always use the running configuration datastore . . . 6 3.2.3. Fine-grained locking . . . . . . . . . . . . . . . . 6 4. Private candidates solution . . . . . . . . . . . . . . . . . 6 4.1. What is a private candidate . . . . . . . . . . . . . . . 7 4.2. When is a private candidate created . . . . . . . . . . . 7 4.3. When is a private candidate destroyed . . . . . . . . . . 7 4.4. How to signal the use of private candidates . . . . . . . 7 4.4.1. Server . . . . . . . . . . . . . . . . . . . . . . . 7 4.4.2. NETCONF client . . . . . . . . . . . . . . . . . . . 8 4.4.3. RESTCONF client . . . . . . . . . . . . . . . . . . . 10 4.5. Interaction between running and private-candidate(s) . . 11 4.6. Detecting and resolving conflicts . . . . . . . . . . . . 13 4.6.1. What is a conflict? . . . . . . . . . . . . . . . . . 13 4.6.2. Detecting and reporting conflicts . . . . . . . . . . 14 4.6.3. Conflict resolution . . . . . . . . . . . . . . . . . 15 4.6.4. Default resolution mode and advertisement of this mode . . . . . . . . . . . . . . . . . . . . . . . . 22 4.6.5. Supported resolution modes . . . . . . . . . . . . . 23 4.7. NETCONF operations . . . . . . . . . . . . . . . . . . . 23 4.7.1. New NETCONF operations . . . . . . . . . . . . . . . 23 4.7.2. Updated NETCONF operations . . . . . . . . . . . . . 24 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 6. Security Considerations . . . . . . . . . . . . . . . . . . . 28 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 7.1. Normative References . . . . . . . . . . . . . . . . . . 28 7.2. Informative References . . . . . . . . . . . . . . . . . 29 Appendix A. Behaviour with unaltered NETCONF operations . . . . 29 A.1. . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Cumming & Wills Expires 1 December 2024 [Page 2] Internet-Draft NETCONF Private Candidates May 2024 A.2. . . . . . . . . . . . . . . . . . . . . . 29 Appendix B. YANG modules . . . . . . . . . . . . . . . . . . . . 29 B.1. ietf-netconf@2024-04-16.yang . . . . . . . . . . . . . . 29 B.2. ietf-datastores@2024-04-16.yang . . . . . . . . . . . . . 51 B.3. ietf-nmda-compare@2024-04-16.yang . . . . . . . . . . . . 53 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 1. Introduction NETCONF [RFC6241] and RESTCONF [RFC8040] both provide a mechanism for one or more clients to make configuration changes to a device running as a NETCONF/RESTCONF server. Each client has the ability to make one or more configuration changes to the server's shared candidate configuration. As the name shared candidate suggests, all clients have access to the same candidate configuration. This means that multiple clients may make changes to the shared candidate prior to the configuration being committed. This behaviour may be undesirable as one client may unwittingly commit the configuration changes made by another client. NETCONF provides a way to mitigate this behaviour by allowing clients to place a lock on the shared candidate. The placing of this lock means that no other client may make any changes until that lock is released. This behaviour is, in many situations, also undesirable. Many network devices already support private candidate configurations, where a user (machine or otherwise) is able to edit a personal copy of a device's configuration without blocking other users from doing so. This document details the extensions to the NETCONF protocol in order to support the use of private candidates. It also describes how the RESTCONF protocol can be used on a system that implements private candidates. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Cumming & Wills Expires 1 December 2024 [Page 3] Internet-Draft NETCONF Private Candidates May 2024 2. Definitions and terminology 2.1. Session specific datastore A session specific datastore is a configuration datastore that, unlike the candidate and running configuration datastores which have only one per system, is bound to the specific NETCONF session. 2.2. Shared candidate configuration The candidate configuration datastore defined in [RFC6241] is referenced as the shared candidate configuration in this document. 2.3. Private candidate configuration A private candidate configuration is a session specific candidate configuration datastore. When a private candidate is used by NETCONF, the specific session (and user) that created the private candidate configuration is the only session (user) that has access to it over NETCONF. Devices may expose this to other users through other interfaces but this is out of scope for this document. When a private candidate is used by RESTCONF, the client that created the private candidate configuration is the only client that has access to it over RESTCONF. The private candidate configuration contains a full copy of the running configuration when it is created (in the same way as a branch does in a source control management system and in the same way as the candidate configuration datastore as defined in [RFC6241]). Any changes made to it, for example, through the use of operations such as and , are made in this private candidate configuration. Obtaining this private candidate over NETCONF or RESTCONF will display the entire configuration, including all changes made to it. Performing a operation will merge the changes from the private candidate into the running configuration (the same as a merge in source code management systems). A operation will revert the private candidate to the branch's initial state or it's state at the last (whichever is most recent). All changes made to this private candidate configuration are held separately from any other candidate configuration changes, whether made by other users to the shared candidate or any other private candidate, and are not visible to or accessible by anyone else. Cumming & Wills Expires 1 December 2024 [Page 4] Internet-Draft NETCONF Private Candidates May 2024 3. Limitations using the shared candidate configuration for multiple clients The following sections describe some limitations and mitigation factors in more detail for the use of the shared candidate configuration during multi-client configuration over NETCONF or RESTCONF. 3.1. Issues 3.1.1. Unintended deployment of alternate users configuration changes Consider the following scenario: 1. Client 1 modifies item A in the shared candidate configuration 2. Client 2 then modifies item B in the shared candidate configuration 3. Client 2 then issues a RPC In this situation, both client 1 and client 2 configurations will be committed by client 2. In a machine-to-machine environment client 2 may not have been aware of the change to item A and, if they had been aware, may have decided not to proceed. 3.2. Current mitigation strategies 3.2.1. Locking the shared candidate configuration datastore In order to resolve unintended deployment of alternate users configuration changes as described above NETCONF provides the ability to lock a datastore in order to restrict other users from editing and committed changes. This does resolve the specific issue above, however, it introduces another issue. Whilst one of the clients holds a lock, no other client may edit the configuration. This will result in the client failing and having to retry. Whilst this may be a desirable consequence when two clients are editing the same section of the configuration, where they are editing different sections this behaviour may hold up valid operational activity. Additionally, a lock placed on the shared candidate configuration must also lock the running configuration, otherwise changes committed directly into the running datastore may conflict. Finally, this locking mechanism isn't available to RESTCONF clients. Cumming & Wills Expires 1 December 2024 [Page 5] Internet-Draft NETCONF Private Candidates May 2024 3.2.2. Always use the running configuration datastore The use of the running configuration datastore as the target for all configuration changes does not resolve any issues regarding blocking of system access in the case a lock is taken, nor does it provide a solution for multiple NETCONF and RESTCONF clients as each configuration change is applied immediately and the client has no knowledge of the current configuration at the point in time that they commenced the editing activity nor at the point they commit the activity. 3.2.3. Fine-grained locking [RFC5717] describes a partial lock mechanism that can be used on specific portions of the shared candidate datastore. Partial locking does not solve the issues of staging a set of configuration changes such that only those changes get committed in a commit operation, nor does it solve the issue of multiple clients editing the same parts of the configuration at the same time. Partial locking additionally requires that the client is aware of any interdependencies within the servers YANG models in order to lock all parts of the tree. 4. Private candidates solution The use of private candidates resolves the issues detailed earlier in this document. NETCONF sessions and RESTCONF clients are able to utilize private candidates to streamline network operations, particularly for machine-to-machine communication. Using this approach, clients may improve their performance and reduce the likelihood of blocking other clients from continuing with valid operational activities. One or more private candidates may exist at any one time, however, a private candidate SHOULD: * Be accessible by one client only * Be visible by one client only Additionally, the choice of using a shared candidate configuration datastore or a private candidate configuration datastore MUST be for the entire duration of the NETCONF session. Cumming & Wills Expires 1 December 2024 [Page 6] Internet-Draft NETCONF Private Candidates May 2024 4.1. What is a private candidate A private candidate is defined earlier in the definitions and terminology section of this document. 4.2. When is a private candidate created A private candidate datastore is created when the first RPC that requires access to it is sent to the server. This could be, for example, an . When the private candidate is created a copy of the running configuration is made and stored in it. This can be considered the same as creating a branch in a source code repository. +----------------------------> private candidate / / +------+-------------------------------> running configuration ^ Private candidate created 4.3. When is a private candidate destroyed A private candidate is valid for the duration of the NETCONF session, or the duration of the existence of the RESTCONF client. Issuing a operation will not close the private candidate but will issue an implicit operation resyncing changes from the running configuration. More details on this later in this document. A NETCONF session that is operating using a private candidate will discard all uncommitted changes in that session's private candidate and destroy the private candidate if the session is closed through a deliberate user action or disconnected for any other reason (such as a loss of network connectivity). 4.4. How to signal the use of private candidates 4.4.1. Server The server MUST signal its support for private candidates. The server does this by advertising a new :private-candidate capability: urn:ietf:params:netconf:capability:private-candidate:1.0 A server may also advertise the :candidate capability as defined in [RFC6241] if the shared candidate is also supported. Cumming & Wills Expires 1 December 2024 [Page 7] Internet-Draft NETCONF Private Candidates May 2024 A non-NMDA capable NETCONF server that advertises the :private- candidate capability MUST also advertise the :candidate capability. 4.4.2. NETCONF client In order to utilise a private candidate configuration within a NETCONF session, the client must inform the server that it wishes to do this. Two approaches are available for a NETCONF client to signal that it wants to use a private candidate: 4.4.2.1. Client capability declaration When a NETCONF client connects with a server it sends a list of client capabilities including one of the :base NETCONF version capabilties. In order to enable private candidate mode for the duration of the NETCONF client session the NETCONF client sends the following capability: urn:ietf:params:netconf:capability:private-candidate:1.0 In order for the use of private candidates to be established using this approach both the NETCONF server and the NETCONF client MUST advertise this capability. When a server receives the client capability its mode of operation will be set to private candidate mode for the duration of the NETCONF session. All RPC requests that target the candidate configuration datastore will operate in exactly the same way as they would do when using the shared candidate configuration datastore, however, when the server receives a request to act upon the candidate configuration datastore it instead uses the session's private candidate configuration datastore. Using this method, the use of private candidates can be made available to NMDA and non-NMDA capable servers. No protocol extensions are required for the transitioning of candidates between the shared mode and the private mode and no extensions are required for any RPCs (including ) Cumming & Wills Expires 1 December 2024 [Page 8] Internet-Draft NETCONF Private Candidates May 2024 4.4.2.2. Private candidate datastore The private candidate configuration datastore is exposed as its own datastore similar to other NMDA [RFC8342] capable datastores. This datastore is called private-candidate. +-------------+ +-----------+ +---------------------+ | | | | | |-+ | (ct, rw) |<---+ +--->| (ct, rw) | +->| (ct, rw) | |-+ +-------------+ | | +-----------+ | +---------------------+ | | | | | | | +---------------------+ | | +-----------+<--------+ | +---------------------+ +-------->| | | | // multiple | (ct, rw) |-------------------+ | // private-candidates +-----------+<-------------------------------+ // possible | | // configuration transformations, | // e.g., removal of nodes marked as | // "inactive", expansion of | // templates v +------------+ | | // subject to validation | (ct, ro) | +------------+ | // changes applied, subject to | // local factors, e.g., missing | // resources, delays | dynamic | +-------- learned configuration configuration | +-------- system configuration datastores -----+ | +-------- default configuration | | | v v v +---------------+ | | <-- system state | (ct + cf, ro) | +---------------+ ct = config true; cf = config false rw = read-write; ro = read-only boxes denote named datastores All NMDA operations that support candidate NMDA datastore SHOULD support the private-candidate datastore. Any non-NMDA aware NETCONF operations that take a source or target (destination) may be extended to accept the new datastore. Cumming & Wills Expires 1 December 2024 [Page 9] Internet-Draft NETCONF Private Candidates May 2024 The ability for the server to support private candidates is optional and SHOULD be signalled in NMDA supporting servers as a datastore in addition to the server capabilities described earlier in this document. To use this method the client is not required to send the :private- candidate capability. The first datastore referenced (either candidate or private- candidate) in any NETCONF operation will define which mode that NETCONF session will operate in for its duration. As an example, performing a operation on the private-candidate datastore will switch the session into private candidate configuration mode and subsequent operations that reference the candidate configuration datastore MUST fail. 4.4.3. RESTCONF client RESTCONF doesn't provide a mechanism for the client to advertise a capability. Therefore when a RESTCONF server advertises the :private-candidate capability, the decision of whether to use a private candidate depends on whether a datastore is explicitly referenced in the request using the RESTCONF extensions for NMDA [RFC8527]. 4.4.3.1. Datastore is not explicitly referenced When the server advertises the :private-candidate capability and the client references the "{+restconf}/data" resource described in Section 3.3.1 of [RFC8040], all edits are made to the client's private candidate, and the private candidate is automatically committed. This ensures backwards compatibility with RESTCONF clients that are not aware of private candidates, because those clients will expect their changes to be committed immediately. 4.4.3.2. Private candidate datastore is referenced in the request When the private-candidate datastore is explicitly referenced as an NMDA datastore, edits are made to the client's private candidate, but the private candidate is not committed. To commit the changes, the client must explicitly send a commit request. A commit request is of the form "{+restconf}/operations/ietf- netconf:commit", using the API described in Section 3.3.2 of [RFC8040]. The semantics are identical to the NETCONF operation. Cumming & Wills Expires 1 December 2024 [Page 10] Internet-Draft NETCONF Private Candidates May 2024 Similarly, the client can perform ietf-netconf:discard-changes, ietf- netconf:validate, and ietf-netconf:cancel-commit operations (if the appropriate capabilities are implemented). The semantics are identical to NETCONF. 4.4.3.3. Identifying the private candidate datastore Each RESTCONF client has its own private candidate datastore. The client (and hence the private candidate datastore) is identified using the mechanism described in Section 2.5 of [RFC8040]. 4.5. Interaction between running and private-candidate(s) Multiple operations may be performed on the private candidate in order to stage changes ready for a commit. In the simplest example, a session may create a private candidate configuration, perform multiple operations (such as ) on it and then perform a operation to merge the private candidate configuration into the running configuration in line with semantics in [RFC6241]. commit +--------------------------+--------> private candidate / ^ ^ \ / edit-config edit-config ⌄ +---+-------------------------------+------> running configuration ^ edit-config (Private candidate created) More complex scenarios need to be considered, when multiple private candidate sessions are working on their own configuration (branches) and they make commits into the running configuration. commit +---------------------+----------------> private candidate 1 / \ / edit-config ⌄ +---+------------+-------------+--------------> running configuration edit-config \ \ +-------------------------> private candidate 2 Cumming & Wills Expires 1 December 2024 [Page 11] Internet-Draft NETCONF Private Candidates May 2024 In this situation, if, how and when private candidate 2 is updated with the information that the running configuration has changed must be considered. As described earlier, the client MUST be aware of changes to it's private candidate configuration so it can be assured that it is only committing its own modifications. It should also be aware of any changes to the current running configuration. It is possible, during an update, for conflicts to occur and the detection and resolution of these is discussed later in this document. A good way to understand the interaction between candidates is to consider them as branches such as you might find in a source code management system. Each private candidate is treated as a separate branch and changes made to the running configuration are not placed into a private candidate datastore except in one of the following situations: * The client requests that the private candidate be refreshed using a new operation * is issued (which MUST automatically issue an operation immediately prior to committing the configuration) * An implmentation chooses to perform an operation after a change to the running configuration by any other client It is possible for a private candidate configuration to become significantly out of sync with the running configuration should the private candidate be open for a long time, however, most NETCONF configuration activities (between the first / and a ) are short-lived. An implementation may choose, optionally, to automatically perform an operation after a change to the running configuration from another client. However, this choice should be made with caution as it will replace, overwrite, or otherwise alter (depending on the servers default resolution mode, discussed later) the private candidate configuration without notifying the client. A operation MAY be performed against: * The initial creation point of the private candidate's branch * Against the last update point of the private candidate's branch Cumming & Wills Expires 1 December 2024 [Page 12] Internet-Draft NETCONF Private Candidates May 2024 * Against the running configuration 4.6. Detecting and resolving conflicts 4.6.1. What is a conflict? A conflict is when the intent of the client may have been different had it had a different starting point. In configuration terms, a conflict occurs when the same set of nodes in a configuration being altered by one user are changed between the start of the configuration preparation (the first / operation) and the conclusion of this configuration activity (terminated by a operation). The situation where conflicts have the potential of occurring are when multiple configuration sessions are in progress and one session commits changes into the running configuration after the private candidate (branch) was created. When this happens a conflict occurs for each node modified in the running configuration that is also modified in the private candidate configuration. A node is considered modified if: * There is a change of any value * There is a change of existence (or otherwise) of any list entry * There is a change to the order of any list items in a list configured as "ordered-by user" * There is a change of existence (or otherwise) of a presence container * There is a change of any component member of a leaf-list * There is a change to the order of any items in a leaf-list configured as "ordered-by user" * There is a change of existance (or otherwise) of a leaf with an Empty type definition * There is a change to any YANG metadata associated with the node A server MAY choose to add additional checks over and above the above list. Cumming & Wills Expires 1 December 2024 [Page 13] Internet-Draft NETCONF Private Candidates May 2024 If a server implements the transaction ID feature then this MAY be considered as part of detecting a conflict. When a conflict is identified that node is marked by the server as "in conflict" in the private candidate. This "in conflict" status does not propagate back up the tree to the parent node(s). Each node in the ancestral tree is evaluated as in conflict or otherwise on its own merits. The "in conflict" marker remains until the conflict is resolved on that node. Examples of conflicts include: * An interface has been deleted in the running configuration that existed when the private candidate was created. A change to a child node of this specific interface is made in the private candidate using the default merge operation would, instead of changing the child node, both recreate the interface and then set the child node. * A leaf has been modified in the running configuration from the value that it had when the private candidate was created. The private candidate configuration changes that leaf to another value. 4.6.2. Detecting and reporting conflicts A conflict can occur when an operation is triggered. This can occur in a number of ways: * Manually triggered by the NETCONF operation * Automatically triggered by the server running an operation, such as when a operation is performed by the client in the private candidate session. When a conflict occurs: * The client MUST be given the opportunity to re-evaluate its intent based on the new information. The resolution of the conflict may be manual or automatic depending on the server and client decision (discussed later in this document). * A operation (that MUST trigger an automatic operation immediately before) MUST fail. It MUST inform the client of the conflict and SHOULD detail the location of the conflict(s). Cumming & Wills Expires 1 December 2024 [Page 14] Internet-Draft NETCONF Private Candidates May 2024 * A operation MUST fail unless the server has explicitly configured a system-wide default resolution mode of ignore or overwrite (discussed later in this document) The location of the conflict(s) should be reported as a list of xpaths and values. Note: If a server implementation has chosen to automatically issue an operation every time a change is made to the running configuration, the server will use the system-wide default resolution mode. If this resolution mode is ignore or overwrite the conflicts will be resolved using those rules. If the resolution mode is set to revert-on-conflict the semantics are the same as the ignore method, however, all changes, whether in conflict or otherwise will be marked in the private candidate as "in-conflict". This means that any subsequent will fail until the client makes a conscious choice to resolve them. 4.6.3. Conflict resolution Conflict resolution defines which configuration elements are retained when a conflict is resolved; those from the running configuration or those from the private candidate configuration. When a conflict is detected in any client-triggered activity, the client MUST be informed. The client then has a number of options available to resolve the conflict. An operation uses the resolution method specified in the request, or the system default resolution mode if not specified. The operation is discussed later in this document. The following configuration data is used below to illustrate the behaviour of each resolution method: intf_one Link to London intf_two Link to Tokyo Cumming & Wills Expires 1 December 2024 [Page 15] Internet-Draft NETCONF Private Candidates May 2024 The example workflow is shown in this diagram and is used for the purpose of the examples below. In these examples the reader should assume that the operation is manually provided by a client working in private candidate 1. update commit +--------------------+---+------> private candidate 1 / ^ \ / edit-config / ⌄ +---+--------+--------+---+-------+----> running configuration edit-config \ ^ \ / +---+------------------> private candidate 2 commit There are three defined resolution methods: 4.6.3.1. Ignore Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in the parent chapter of this document. When using the ignore resolution method, items in the running configuration that are not in conflict with the private candidate configuration are merged from the running configuration into the private candidate configuration. Nodes that are in conflict are ignored and not merged. The outcome of this is that the private candidate configuration reflects changes in the running that were not being worked on and those that are being worked on in the private candidate remain in the private candidate. Issuing a operation at this point will overwrite the running configuration with the conflicted items from the private candidate configuration. Example: Session 1 edits the configuration by submitting the following Cumming & Wills Expires 1 December 2024 [Page 16] Internet-Draft NETCONF Private Candidates May 2024 intf_one Link to San Francisco Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. intf_one intf_two Link moved to Paris Session 1 then sends an NETCONF operation. Cumming & Wills Expires 1 December 2024 [Page 17] Internet-Draft NETCONF Private Candidates May 2024 ignore The un-conflicting changes are merged and the conflicting ones are ignored (and not merged from the running into private candidate 1). The resulting data in private candidate 1 is: intf_one Link to San Francisco intf_two Link moved to Paris 4.6.3.2. Overwrite Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in the parent chapter of this document. When using the overwrite resolution method, items in the running configuration that are not in conflict with the private candidate configuration are merged from the running configuration into the private candidate configuration. Nodes that are in conflict are pushed from the running configuration into the private candidate configuration, overwriting any previous changes in the private candidate configuration. The outcome of this is that the private candidate configuration reflects the changes in the running configuration that were not being worked on as well as changing those being worked on in the private candidate to new values. Example: Session 1 edits the configuration by submitting the following Cumming & Wills Expires 1 December 2024 [Page 18] Internet-Draft NETCONF Private Candidates May 2024 intf_one Link to San Francisco Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. intf_one intf_two Link moved to Paris Session 1 then sends an NETCONF operation. Cumming & Wills Expires 1 December 2024 [Page 19] Internet-Draft NETCONF Private Candidates May 2024 overwrite The un-conflicting changes are merged and the conflicting ones are pushed into the private candidate 1 overwriting the existing changes. The resulting data in private candidate 1 is: intf_two Link moved to Paris 4.6.3.3. Revert-on-conflict Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in the parent chapter of this document. When using the revert-on-conflict resolution method, an update will fail to complete when any conflicting node is found. The session issuing the update will be informed of the failure. No changes, whether conflicting or un-conflicting are merged into the private candidate configuration. The owner of the private candidate session must then take deliberate and specific action to adjust the private candidate configuration to rectify the conflict. This may be by issuing further or operations, by issuing a operation or by issuing an operation with a different resolution method. This resolution method is the default resolution method as it provides for the highest level of visibility and control to ensure operational stability. This resolution method MUST be supported by a server. Example: Cumming & Wills Expires 1 December 2024 [Page 20] Internet-Draft NETCONF Private Candidates May 2024 Session 1 edits the configuration by submitting the following: intf_one Link to San Francisco Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. intf_one intf_two Link moved to Paris Session 1 then sends an NETCONF operation. Cumming & Wills Expires 1 December 2024 [Page 21] Internet-Draft NETCONF Private Candidates May 2024 revert-on-conflict A conflict is detected, the update fails with an and no merges/overwrite operations happen. The resulting data in private candidate 1 is: intf_one Link to San Francisco intf_two Link to Tokyo 4.6.4. Default resolution mode and advertisement of this mode The default resolution mode is revert-on-conflict. However, a system MAY choose to select a different default resolution mode. The default resolution mode MUST be advertised in the :private- candidate capability by adding the default-resolution-mode parameter if the system default is anything other than revert-on-conflict. If the system default resolution mode is revert-on-conflict then advertising this in the :private-candidate capability is optional. In this example, a server has configured a default system-wide resolution mode of overwrite which MUST be signalled with the :private-candidate capability as follows: urn:ietf:params:netconf:capability:private-candidate:1.0 ?default-resolution-mode=overwrite Cumming & Wills Expires 1 December 2024 [Page 22] Internet-Draft NETCONF Private Candidates May 2024 4.6.5. Supported resolution modes A server SHOULD support all three resolution modes. However, if the server does not support all three modes, the server MUST report the supported modes in the :private-candidate capability using the supported-resolution-modes, for example: urn:ietf:params:netconf:capability:private-candidate:1.0 ?supported-resolution-modes=revert-on-conflict,ignore 4.7. NETCONF operations 4.7.1. New NETCONF operations 4.7.1.1. The operation is provided to allow NETCONF clients (or servers) to trigger a rebase of the private candidate configuration against the running configuration. The operation may be triggered manually by the client or automatically by the server. The operation is atomic. This means that the entire operation succeeeds or the entire operation MUST fail. The operation MUST be implicitly triggered by a specific NETCONF session issuing a operation when using private candidates. The actual order of operations in the server MUST be to issue the implicit operation first and then the operation. A operation that fails the implicit operation SHOULD fail. The client is then required to make a specific decision to rectify the issue prior to committing. This may be to edit the private candidate configuration or to issue a manual operation with a specific resolution mode selected. 4.7.1.1.1. parameter The operation takes the optional parameter The resolution modes are described earlier in this document and the accepted inputs are: * revert-on-conflict (default) Cumming & Wills Expires 1 December 2024 [Page 23] Internet-Draft NETCONF Private Candidates May 2024 * ignore * overwrite 4.7.2. Updated NETCONF operations Specific NETCONF operations altered by this document are listed in this section. Any notable behaviour with existing unaltered NETCONF operations is noted in the appendix. 4.7.2.1. The operation is updated to accept private-candidate as valid input to the field. The use of will create a private candidate configuration if one does not already exist for that NETCONF session. Sending an request to private-candidate after one has been sent to the shared candidate datastore in the same session will fail (and visa-versa). Multiple requests may be sent to the private-candidate datastore in a single session. 4.7.2.2. The operation is updated to accept private-candidate as valid input to the field. (datastore is an identityref and so the actual input will be ds:private-candidate). The use of will create a private candidate configuration if one does not already exist for that NETCONF session. Multiple requests may be sent to the private-candidate datastore in a single session. 4.7.2.3. and Performing a on the private-candidate datastore is a valid operation, although the practical effect of this is a 'no op' as only one session may edit the locked private candidate. If the client's intention is that no other session may commit changes to the system then the client should issue a operation on the running datastore. Cumming & Wills Expires 1 December 2024 [Page 24] Internet-Draft NETCONF Private Candidates May 2024 Other NETCONF sessions are still able to create a new private- candidate configurations, make edits to them and perform operations on them, such as or . Performing an on the private-candidate datastore is a valid operation. Changes in the private-candidate datastore are not lost when the lock is released. 4.7.2.4. Performing a [RFC9144] operation with the private-candidate datastore as either the or is a valid operation. If is performed prior to a private candidate configuration being created, one will be created at that point. The operation is extended by this document to allow the ability to compare the private-candidate datastore (at its current point in time) with the same private-candidate datastore at an earlier point in time or with another datastore. 4.7.2.4.1. parameter This document adds the optional node to the input of the operation that accepts the following values: * last-update * creation-point Servers MAY support this functionality but are not required to by this document. The last-update selection of will provide an output comparing the current private-candidate configuration datastore with the same private-candidate datastore at the time it was last updated using the NETCONF operation described in this document (whether automatically or manually triggered). The creation-point selection of will provide an output comparing the current private-candidate configuration datastore with the same private-candidate datastore at the time this private-candidate was initially created. Cumming & Wills Expires 1 December 2024 [Page 25] Internet-Draft NETCONF Private Candidates May 2024 4.7.2.5. The operation is updated to accept private-candidate as valid input to the field. The use of will create a private candidate configuration if one does not already exist for that NETCONF session. Sending an request to private-candidate after one has been sent to the shared candidate datastore in the same session will fail (and visa-versa). 4.7.2.6. The operation accepts the private-candidate as a valid datastore. The use of will create a private candidate configuration if one does not already exist for that NETCONF session. Sending an request to private-candidate after one has been sent to the shared candidate datastore in the same session will fail (and visa-versa). 4.7.2.7. The operation is updated to accept private-candidate as a valid input to the or fields. 4.7.2.8. The operation is updated to accept private-candidate as valid input to the field. 4.7.2.9. The operation is updated to accept private-candidate as a valid input to the field. Deleting the private candidate will destroy the private candidate for the client. A new one will subsequently be created on first access as described in Section 4.2. 4.7.2.10. The operation is updated to accept private- candidate as a valid input to the newly added field. Cumming & Wills Expires 1 December 2024 [Page 26] Internet-Draft NETCONF Private Candidates May 2024 Discarding the change to the private candidate will reset it to the state it was when it was initially created, or to the state following the latest operation, whichever is most recent. This state may not match the current running configuration. To align the private candidate with the running configuration the or operations may be used. If the field is not provided with the parameter then the behaviour from [RFC6241] remains and the shared candidate changes are discarded. 4.7.2.11. The operation MUST trigger an implicit operation immediately before copying the private candidate configuration into the running configuration. 4.7.2.11.1. Interactions with commit confirmed operations and private candidates Nothing in this document alters the behaviour of the , or parameters and these MUST work when using the private-candidate configuration datastore if the :confirmed- commit capability is advertised. When a private candidate is committed using the parameter and the commit operation disconnects the client's session, the configuration in the running configuration is immediately reverted and the proposed client changes are discarded. When a private candidate is committed using the parameter and the commit operation does not disconnect the client's session, and subsequently, the commit operation is either cancelled using the operation or the timeout expires, the running configuration is reverted and the proposed client changes are returned to the client's private candidate. If a private candidate is committed using the parameter and the parameter is provided, and the client subsequently disconnects its session for any reason whilst the timer is running, upon cancellation using the operation or on the expiry of the timer, the running configuration will be reverted, and the proposed client changes are discarded. Cumming & Wills Expires 1 December 2024 [Page 27] Internet-Draft NETCONF Private Candidates May 2024 5. IANA Considerations This document requests the registration the the following NETCONF capabilities: * urn:ietf:params:netconf:capability:private-candidate:1.0 (Version 1.0) 6. Security Considerations This document should not affect the security of the Internet. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, . [RFC9144] Clemm, A., Qu, Y., Tantsura, J., and A. Bierman, "Comparison of Network Management Datastore Architecture (NMDA) Datastores", RFC 9144, DOI 10.17487/RFC9144, December 2021, . [RFC5717] Lengyel, B. and M. Bjorklund, "Partial Lock Remote Procedure Call (RPC) for NETCONF", RFC 5717, DOI 10.17487/RFC5717, December 2009, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . Cumming & Wills Expires 1 December 2024 [Page 28] Internet-Draft NETCONF Private Candidates May 2024 [RFC8527] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "RESTCONF Extensions to Support the Network Management Datastore Architecture", RFC 8527, DOI 10.17487/RFC8527, March 2019, . 7.2. Informative References Appendix A. Behaviour with unaltered NETCONF operations A.1. The operation does not accept a datastore value and therefore this document is not applicable to this operation. The use of the get operation will not create a private candidate configuration. A.2. The operation is unchanged. Any changes made to the running configuration are returned to the private candidate if it still exists. Appendix B. YANG modules B.1. ietf-netconf@2024-04-16.yang file "ietf-netconf@2024-04-16.yang" module ietf-netconf { // the namespace for NETCONF XML definitions is unchanged // from RFC 4741, which this document replaces namespace "urn:ietf:params:xml:ns:netconf:base:1.0"; prefix nc; import ietf-inet-types { prefix inet; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: WG Chair: Bert Wijnen Cumming & Wills Expires 1 December 2024 [Page 29] Internet-Draft NETCONF Private Candidates May 2024 WG Chair: Mehmet Ersue Editor: Martin Bjorklund Editor: Juergen Schoenwaelder Editor: Andy Bierman Editor: James Cumming Editor: Robert Wills "; description "NETCONF Protocol Data Types and Protocol Operations. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust’s Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 6241 and draft-ietf-netconf-privcand; see these documents for full legal notices."; revision 2024-04-16 { description "Updated to introduce private candidates"; reference "draft-ietf-netconf-privcand: Netconf Private Candidates"; } revision 2011-06-01 { description "Initial revision"; reference "RFC 6241: Network Configuration Protocol"; } extension get-filter-element-attributes { Cumming & Wills Expires 1 December 2024 [Page 30] Internet-Draft NETCONF Private Candidates May 2024 description "If this extension is present within an 'anyxml' statement named 'filter', which must be conceptually defined within the RPC input section for the and protocol operations, then the following unqualified XML attribute is supported within the element, within a or protocol operation: type : optional attribute with allowed value strings 'subtree' and 'xpath'. If missing, the default value is 'subtree'. If the 'xpath' feature is supported, then the following unqualified XML attribute is also supported: select: optional attribute containing a string representing an XPath expression. The 'type' attribute must be equal to 'xpath' if this attribute is present."; } // NETCONF capabilities defined as features feature writable-running { description "NETCONF :writable-running capability; If the server advertises the :writable-running capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.2"; } feature candidate { description "NETCONF :candidate capability; If the server advertises the :candidate capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.3"; } feature private-candidate { Cumming & Wills Expires 1 December 2024 [Page 31] Internet-Draft NETCONF Private Candidates May 2024 description "NETCONF :private-candidate capability; If the server advertises the :private-candidate capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "draft-ietf-netconf-privcand"; } feature confirmed-commit { if-feature "candidate"; description "NETCONF :confirmed-commit:1.1 capability; If the server advertises the :confirmed-commit:1.1 capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.4"; } feature rollback-on-error { description "NETCONF :rollback-on-error capability; If the server advertises the :rollback-on-error capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.5"; } feature validate { description "NETCONF :validate:1.1 capability; If the server advertises the :validate:1.1 capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.6"; } feature startup { description "NETCONF :startup capability; If the server advertises the :startup Cumming & Wills Expires 1 December 2024 [Page 32] Internet-Draft NETCONF Private Candidates May 2024 capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.7"; } feature url { description "NETCONF :url capability; If the server advertises the :url capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.8"; } feature xpath { description "NETCONF :xpath capability; If the server advertises the :xpath capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "RFC 6241, Section 8.9"; } // NETCONF Simple Types typedef session-id-type { type uint32 { range "1..max"; } description "NETCONF Session Id"; } typedef session-id-or-zero-type { type uint32; description "NETCONF Session Id or Zero to indicate none"; } typedef error-tag-type { type enumeration { enum in-use { Cumming & Wills Expires 1 December 2024 [Page 33] Internet-Draft NETCONF Private Candidates May 2024 description "The request requires a resource that already is in use."; } enum invalid-value { description "The request specifies an unacceptable value for one or more parameters."; } enum too-big { description "The request or response (that would be generated) is too large for the implementation to handle."; } enum missing-attribute { description "An expected attribute is missing."; } enum bad-attribute { description "An attribute value is not correct; e.g., wrong type, out of range, pattern mismatch."; } enum unknown-attribute { description "An unexpected attribute is present."; } enum missing-element { description "An expected element is missing."; } enum bad-element { description "An element value is not correct; e.g., wrong type, out of range, pattern mismatch."; } enum unknown-element { description "An unexpected element is present."; } enum unknown-namespace { description "An unexpected namespace is present."; } enum access-denied { description "Access to the requested protocol operation or data model is denied because authorization failed."; Cumming & Wills Expires 1 December 2024 [Page 34] Internet-Draft NETCONF Private Candidates May 2024 } enum lock-denied { description "Access to the requested lock is denied because the lock is currently held by another entity."; } enum resource-denied { description "Request could not be completed because of insufficient resources."; } enum rollback-failed { description "Request to roll back some configuration change (via rollback-on-error or operations) was not completed for some reason."; } enum data-exists { description "Request could not be completed because the relevant data model content already exists. For example, a 'create' operation was attempted on data that already exists."; } enum data-missing { description "Request could not be completed because the relevant data model content does not exist. For example, a 'delete' operation was attempted on data that does not exist."; } enum operation-not-supported { description "Request could not be completed because the requested operation is not supported by this implementation."; } enum operation-failed { description "Request could not be completed because the requested operation failed for some reason not covered by any other error condition."; } enum partial-operation { description "This error-tag is obsolete, and SHOULD NOT be sent by servers conforming to this document."; } enum malformed-message { Cumming & Wills Expires 1 December 2024 [Page 35] Internet-Draft NETCONF Private Candidates May 2024 description "A message could not be handled because it failed to be parsed correctly. For example, the message is not well-formed XML or it uses an invalid character set."; } } description "NETCONF Error Tag"; reference "RFC 6241, Appendix A"; } typedef error-severity-type { type enumeration { enum error { description "Error severity"; } enum warning { description "Warning severity"; } } description "NETCONF Error Severity"; reference "RFC 6241, Section 4.3"; } typedef edit-operation-type { type enumeration { enum merge { description "The configuration data identified by the element containing this attribute is merged with the configuration at the corresponding level in the configuration datastore identified by the target parameter."; } enum replace { description "The configuration data identified by the element containing this attribute replaces any related configuration in the configuration datastore identified by the target parameter. If no such configuration data exists in the configuration datastore, it is created. Unlike a operation, which replaces the Cumming & Wills Expires 1 December 2024 [Page 36] Internet-Draft NETCONF Private Candidates May 2024 entire target configuration, only the configuration actually present in the config parameter is affected."; } enum create { description "The configuration data identified by the element containing this attribute is added to the configuration if and only if the configuration data does not already exist in the configuration datastore. If the configuration data exists, an element is returned with an value of 'data-exists'."; } enum delete { description "The configuration data identified by the element containing this attribute is deleted from the configuration if and only if the configuration data currently exists in the configuration datastore. If the configuration data does not exist, an element is returned with an value of 'data-missing'."; } enum remove { description "The configuration data identified by the element containing this attribute is deleted from the configuration if the configuration data currently exists in the configuration datastore. If the configuration data does not exist, the 'remove' operation is silently ignored by the server."; } } default "merge"; description "NETCONF 'operation' attribute values"; reference "RFC 6241, Section 7.2"; } // NETCONF Standard Protocol Operations rpc get-config { description "Retrieve all or part of a specified configuration."; reference "RFC 6241, Section 7.1"; Cumming & Wills Expires 1 December 2024 [Page 37] Internet-Draft NETCONF Private Candidates May 2024 input { container source { description "Particular configuration to retrieve."; choice config-source { mandatory true; description "The configuration to retrieve."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config source."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config source."; } leaf running { type empty; description "The running configuration is the config source."; } leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config source. This is optional-to-implement on the server because not all servers will support filtering for this datastore."; } } } anyxml filter { description "Subtree or XPath filter to use."; nc:get-filter-element-attributes; } } output { anyxml data { description "Copy of the source datastore subset that matched the filter criteria (if any). An empty data container Cumming & Wills Expires 1 December 2024 [Page 38] Internet-Draft NETCONF Private Candidates May 2024 indicates that the request did not produce any results."; } } } rpc edit-config { description "The operation loads all or part of a specified configuration to the specified target configuration."; reference "RFC 6241, Section 7.2"; input { container target { description "Particular configuration to edit."; choice config-target { mandatory true; description "The configuration target."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config target."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config target."; } leaf running { if-feature "writable-running"; type empty; description "The running configuration is the config source."; } } } leaf default-operation { type enumeration { enum merge { description "The default operation is merge."; } enum replace { description Cumming & Wills Expires 1 December 2024 [Page 39] Internet-Draft NETCONF Private Candidates May 2024 "The default operation is replace."; } enum none { description "There is no default operation."; } } default "merge"; description "The default operation to use."; } leaf test-option { if-feature "validate"; type enumeration { enum test-then-set { description "The server will test and then set if no errors."; } enum set { description "The server will set without a test first."; } enum test-only { description "The server will only test and not set, even if there are no errors."; } } default "test-then-set"; description "The test option to use."; } leaf error-option { type enumeration { enum stop-on-error { description "The server will stop on errors."; } enum continue-on-error { description "The server may continue on errors."; } enum rollback-on-error { description "The server will roll back on errors. This value can only be used if the 'rollback-on-error' feature is supported."; } Cumming & Wills Expires 1 December 2024 [Page 40] Internet-Draft NETCONF Private Candidates May 2024 } default "stop-on-error"; description "The error option to use."; } choice edit-content { mandatory true; description "The content for the edit operation."; anyxml config { description "Inline Config content."; } leaf url { if-feature "url"; type inet:uri; description "URL-based config content."; } } } } rpc copy-config { description "Create or replace an entire configuration datastore with the contents of another complete configuration datastore."; reference "RFC 6241, Section 7.3"; input { container target { description "Particular configuration to copy to."; choice config-target { mandatory true; description "The configuration target of the copy operation."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config target."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config Cumming & Wills Expires 1 December 2024 [Page 41] Internet-Draft NETCONF Private Candidates May 2024 target."; } leaf running { if-feature "writable-running"; type empty; description "The running configuration is the config target. This is optional-to-implement on the server."; } leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config target."; } leaf url { if-feature "url"; type inet:uri; description "The URL-based configuration is the config target."; } } } container source { description "Particular configuration to copy from."; choice config-source { mandatory true; description "The configuration source for the copy operation."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config source."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config source."; } leaf running { type empty; description "The running configuration is the config source."; } Cumming & Wills Expires 1 December 2024 [Page 42] Internet-Draft NETCONF Private Candidates May 2024 leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config source."; } leaf url { if-feature "url"; type inet:uri; description "The URL-based configuration is the config source."; } anyxml config { description "Inline Config content: element. Represents an entire configuration datastore, not a subset of the running datastore."; } } } } } rpc delete-config { description "Delete a configuration datastore."; reference "RFC 6241, Section 7.4"; input { container target { description "Particular configuration to delete."; choice config-target { mandatory true; description "The configuration target to delete."; leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config target."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config target."; Cumming & Wills Expires 1 December 2024 [Page 43] Internet-Draft NETCONF Private Candidates May 2024 } leaf url { if-feature "url"; type inet:uri; description "The URL-based configuration is the config target."; } } } } } rpc lock { description "The lock operation allows the client to lock the configuration system of a device."; reference "RFC 6241, Section 7.5"; input { container target { description "Particular configuration to lock."; choice config-target { mandatory true; description "The configuration target to lock."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config target."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config target."; } leaf running { type empty; description "The running configuration is the config target."; } leaf startup { if-feature "startup"; type empty; description Cumming & Wills Expires 1 December 2024 [Page 44] Internet-Draft NETCONF Private Candidates May 2024 "The startup configuration is the config target."; } } } } } rpc unlock { description "The unlock operation is used to release a configuration lock, previously obtained with the 'lock' operation."; reference "RFC 6241, Section 7.6"; input { container target { description "Particular configuration to unlock."; choice config-target { mandatory true; description "The configuration target to unlock."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config target."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config target."; } leaf running { type empty; description "The running configuration is the config target."; } leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config target."; } } } } Cumming & Wills Expires 1 December 2024 [Page 45] Internet-Draft NETCONF Private Candidates May 2024 } rpc get { description "Retrieve running configuration and device state information."; reference "RFC 6241, Section 7.7"; input { anyxml filter { description "This parameter specifies the portion of the system configuration and state data to retrieve."; nc:get-filter-element-attributes; } } output { anyxml data { description "Copy of the running datastore subset and/or state data that matched the filter criteria (if any). An empty data container indicates that the request did not produce any results."; } } } rpc close-session { description "Request graceful termination of a NETCONF session."; reference "RFC 6241, Section 7.8"; } rpc kill-session { description "Force the termination of a NETCONF session."; reference "RFC 6241, Section 7.9"; input { leaf session-id { type session-id-type; mandatory true; description "Particular session to kill."; } } } Cumming & Wills Expires 1 December 2024 [Page 46] Internet-Draft NETCONF Private Candidates May 2024 rpc commit { if-feature "candidate"; if-feature "private-candidate"; description "Commit the candidate or private candidate configuration as the device's new current configuration."; reference "RFC 6241, Section 8.3.4.1 and draft-ietf-netconf-privcand"; input { leaf confirmed { if-feature "confirmed-commit"; type empty; description "Requests a confirmed commit."; reference "RFC 6241, Section 8.3.4.1"; } leaf confirm-timeout { if-feature "confirmed-commit"; type uint32 { range "1..max"; } units "seconds"; default "600"; // 10 minutes description "The timeout interval for a confirmed commit."; reference "RFC 6241, Section 8.3.4.1"; } leaf persist { if-feature "confirmed-commit"; type string; description "This parameter is used to make a confirmed commit persistent. A persistent confirmed commit is not aborted if the NETCONF session terminates. The only way to abort a persistent confirmed commit is to let the timer expire, or to use the operation. The value of this parameter is a token that must be given in the 'persist-id' parameter of or operations in order to confirm or cancel the persistent confirmed commit. The token should be a random string."; reference "RFC 6241, Section 8.3.4.1"; } Cumming & Wills Expires 1 December 2024 [Page 47] Internet-Draft NETCONF Private Candidates May 2024 leaf persist-id { if-feature "confirmed-commit"; type string; description "This parameter is given in order to commit a persistent confirmed commit. The value must be equal to the value given in the 'persist' parameter to the operation. If it does not match, the operation fails with an 'invalid-value' error."; reference "RFC 6241, Section 8.3.4.1"; } } } rpc discard-changes { if-feature "candidate"; if-feature "private-candidate"; description "Revert the candidate configuration to the current running configuration."; reference "RFC 6241, Section 8.3.4.2"; input { container target { if-feature "private-candidate"; reference "draft-ietf-netconf-privcand"; description "Particular configuration to discard changes from."; choice config-target { mandatory true; description "The configuration target to discard."; leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config target."; } } } } } rpc cancel-commit { if-feature "confirmed-commit"; description Cumming & Wills Expires 1 December 2024 [Page 48] Internet-Draft NETCONF Private Candidates May 2024 "This operation is used to cancel an ongoing confirmed commit. If the confirmed commit is persistent, the parameter 'persist-id' must be given, and it must match the value of the 'persist' parameter."; reference "RFC 6241, Section 8.4.4.1"; input { leaf persist-id { type string; description "This parameter is given in order to cancel a persistent confirmed commit. The value must be equal to the value given in the 'persist' parameter to the operation. If it does not match, the operation fails with an 'invalid-value' error."; } } } rpc update { if-feature "private-candidate"; description "Updates the private candidate from the running configuration."; reference "draft-ietf-netconf-privcand"; input { leaf resolution-mode { description "Mode to resolve conflicts between running and private-candidate configurations."; default revert-on-conflict; type enumeration { enum revert-on-conflict; enum ignore; enum overwrite; } } } } rpc validate { if-feature "validate"; description "Validates the contents of the specified configuration."; reference "RFC 6241, Section 8.6.4.1"; input { Cumming & Wills Expires 1 December 2024 [Page 49] Internet-Draft NETCONF Private Candidates May 2024 container source { description "Particular configuration to validate."; choice config-source { mandatory true; description "The configuration source to validate."; leaf candidate { if-feature "candidate"; type empty; description "The candidate configuration is the config source."; } leaf private-candidate { if-feature "private-candidate"; type empty; description "The private candidate configuration is the config source."; } leaf running { type empty; description "The running configuration is the config source."; } leaf startup { if-feature "startup"; type empty; description "The startup configuration is the config source."; } leaf url { if-feature "url"; type inet:uri; description "The URL-based configuration is the config source."; } anyxml config { description "Inline Config content: element. Represents an entire configuration datastore, not a subset of the running datastore."; } } } } } } Cumming & Wills Expires 1 December 2024 [Page 50] Internet-Draft NETCONF Private Candidates May 2024 B.2. ietf-datastores@2024-04-16.yang file "ietf-datastores@2024-04-16.yang" module ietf-datastores { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-datastores"; prefix ds; organization "IETF Network Modeling (NETMOD) Working Group"; contact "WG Web: WG List: Author: Martin Bjorklund Author: Juergen Schoenwaelder Author: Phil Shafer Author: Kent Watsen Author: Rob Wilton Author: James Cumming Author: Robert Wills "; description "This YANG module defines a set of identities for identifying datastores. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust’s Legal Provisions Cumming & Wills Expires 1 December 2024 [Page 51] Internet-Draft NETCONF Private Candidates May 2024 Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8342 (https://www.rfc-editor.org/info/rfc8342); and draft-ietf-netconf-privcand. See these documents for full legal notices."; revision 2024-04-16 { description "Updated to introduce private candidates"; reference "draft-ietf-netconf-privcand: Netconf Private Candidates"; } revision 2018-02-14 { description "Initial revision."; reference "RFC 8342: Network Management Datastore Architecture (NMDA)"; } /* * Identities */ identity datastore { description "Abstract base identity for datastore identities."; } identity conventional { base datastore; description "Abstract base identity for conventional configuration datastores."; } identity running { base conventional; description "The running configuration datastore."; } identity candidate { base conventional; description "The candidate configuration datastore."; } Cumming & Wills Expires 1 December 2024 [Page 52] Internet-Draft NETCONF Private Candidates May 2024 identity private-candidate { base conventional; description "The private candidate configuration datastore."; } identity startup { base conventional; description "The startup configuration datastore."; } identity intended { base conventional; description "The intended configuration datastore."; } identity dynamic { base datastore; description "Abstract base identity for dynamic configuration datastores."; } identity operational { base datastore; description "The operational state datastore."; } /* * Type definitions */ typedef datastore-ref { type identityref { base datastore; } description "A datastore identity reference."; } } B.3. ietf-nmda-compare@2024-04-16.yang Cumming & Wills Expires 1 December 2024 [Page 53] Internet-Draft NETCONF Private Candidates May 2024 file "ietf-nmda-compare@2024-04-16.yang" module ietf-nmda-compare { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nmda-compare"; prefix cmp; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-datastores { prefix ds; reference "RFC 8342: Network Management Datastore Architecture (NMDA)"; } import ietf-yang-patch { prefix ypatch; reference "RFC 8072: YANG Patch Media Type"; } import ietf-netconf { prefix nc; reference "RFC 6241: Network Configuration Protocol (NETCONF)"; } organization "IETF NETMOD (Network Modeling) Working Group"; contact "WG Web: WG List: Author: Alexander Clemm Author: Yingzhen Qu Author: Jeff Tantsura Author: Andy Bierman Author: James Cumming Cumming & Wills Expires 1 December 2024 [Page 54] Internet-Draft NETCONF Private Candidates May 2024 Author: Robert Wills "; description "The YANG data model defines a new operation, , that can be used to compare NMDA datastores. Copyright (c) 2021 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9144; see the RFC itself for full legal notices."; revision 2024-04-16 { description "Updated to introduce private candidates"; reference "draft-ietf-netconf-privcand: Netconf Private Candidates"; } revision 2021-12-10 { description "Initial revision."; reference "RFC 9144: Comparison of Network Management Datastore Architecture (NMDA) Datastores"; } feature private-candidate { description "NETCONF :private-candidate capability; If the server advertises the :private-candidate capability for a session, then this feature must also be enabled for that session. Otherwise, this feature must not be enabled."; reference "draft-ietf-netconf-privcand"; } /* RPC */ rpc compare { description Cumming & Wills Expires 1 December 2024 [Page 55] Internet-Draft NETCONF Private Candidates May 2024 "NMDA datastore compare operation."; input { leaf source { type identityref { base ds:datastore; } mandatory true; description "The source datastore to be compared."; } leaf target { type identityref { base ds:datastore; } mandatory true; description "The target datastore to be compared."; } leaf reference-point { reference "draft-ietf-netconf-privcand"; if-feature "private-candidate"; description "When this leaf is provided and the source or destination are the private-candidate datastore, the comparison will either occur between the last-update point of the private candidate or the creation-point of the private candidate."; default last-update; type enumeration { enum last-update; enum creation-point; } } leaf all { type empty; description "When this leaf is provided, all data nodes are compared, whether their schema node pertains to both datastores or not. When this leaf is omitted, a prefiltering step is automatically applied that excludes data nodes from the comparison that can occur in only one datastore but not the other. Specifically, if one of the datastores (source or target) contains only configuration data and the other datastore is , data nodes for the config that is false are excluded from the comparison."; } leaf report-origin { Cumming & Wills Expires 1 December 2024 [Page 56] Internet-Draft NETCONF Private Candidates May 2024 type empty; description "When this leaf is provided, origin metadata is included as part of RPC output. When this leaf is omitted, origin metadata in comparisons that involve is by default omitted."; } choice filter-spec { description "Identifies the portions of the datastores to be compared."; anydata subtree-filter { description "This parameter identifies the portions of the target datastore to retrieve."; reference "RFC 6241, Section 6."; } leaf xpath-filter { if-feature "nc:xpath"; type yang:xpath1.0; description "This parameter contains an XPath expression identifying the portions of the target datastore to retrieve."; reference "RFC 6991: Common YANG Data Types"; } } } output { choice compare-response { description "Comparison results."; leaf no-matches { type empty; description "This leaf indicates that the filter did not match anything and nothing was compared."; } container differences { description "The list of differences, encoded per RFC 8072 with an augmentation to include source values where applicable. When a datastore node in the source is not present in the target, this can be indicated either as a 'delete' or as a 'remove' as there is no difference between them for the purposes of the comparison."; Cumming & Wills Expires 1 December 2024 [Page 57] Internet-Draft NETCONF Private Candidates May 2024 uses ypatch:yang-patch { augment "yang-patch/edit" { description "Provides the value of the source of the patch, respectively of the source of the comparison, in addition to the target value, where applicable."; anydata source-value { when "../operation = 'delete'" + "or ../operation = 'merge'" + "or ../operation = 'move'" + "or ../operation = 'replace'" + "or ../operation = 'remove'"; description "The anydata 'value' is only used for 'delete', 'move', 'merge', 'replace', and 'remove' operations."; } reference "RFC 8072: YANG Patch Media Type"; } } } } } } } Contributors The authors would like to thank Andy Bierman, Jan Lindblad, Lori-Ann McGrath, Jason Sterne, Kent Watsen and Rob Wilton for their contributions and reviews. Authors' Addresses James Cumming Nokia Email: james.cumming@nokia.com Robert Wills Cisco Systems Email: rowills@cisco.com Cumming & Wills Expires 1 December 2024 [Page 58]