netconfcentral logo

ietf-netconf-client

HTML

ietf-netconf-client@2017-10-30



  module ietf-netconf-client {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-netconf-client";

    prefix ncc;

    import ietf-inet-types {
      prefix inet;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-ssh-client {
      prefix ss;
      revision-date "2017-10-30";
      reference
        "RFC YYYY: YANG Groupings for SSH Clients and SSH Servers";


    }
    import ietf-tls-client {
      prefix ts;
      revision-date "2017-10-30";
      reference
        "RFC ZZZZ: YANG Groupings for TLS Clients and TLS Servers";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>

    Author:   Gary Wu
              <mailto:garywu@cisco.com>";

    description
      "This module contains a collection of YANG definitions for
    configuring NETCONF clients.

    Copyright (c) 2017 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC XXXX: NETCONF Client and Server Models";

    }


    feature initiate {
      description
        "The 'initiate' feature indicates that the NETCONF client
      supports initiating NETCONF connections to NETCONF servers
      using at least one transport (e.g., SSH, TLS, etc.).";
    }

    feature ssh-initiate {
      description
        "The 'ssh-initiate' feature indicates that the NETCONF client
      supports initiating SSH connections to NETCONF servers.";
      reference
        "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";

    }

    feature tls-initiate {
      description
        "The 'tls-initiate' feature indicates that the NETCONF client
      supports initiating TLS connections to NETCONF servers.";
      reference
        "RFC 7589: Using the NETCONF Protocol over Transport
        	  Layer Security (TLS) with Mutual X.509
        	  Authentication";

    }

    feature listen {
      description
        "The 'listen' feature indicates that the NETCONF client
      supports opening a port to accept NETCONF server call
      home connections using at least one transport (e.g.,
      SSH, TLS, etc.).";
    }

    feature ssh-listen {
      description
        "The 'ssh-listen' feature indicates that the NETCONF client
      supports opening a port to listen for incoming NETCONF
      server call-home SSH connections.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    feature tls-listen {
      description
        "The 'tls-listen' feature indicates that the NETCONF client
      supports opening a port to listen for incoming NETCONF
      server call-home TLS connections.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    container netconf-client {
      description
        "Top-level container for NETCONF client configuration.";
      uses netconf-client;
    }  // container netconf-client

    grouping netconf-client {
      description
        "Top-level grouping for NETCONF client configuration.";
      container initiate {
        if-feature initiate;
        description
          "Configures client initiating underlying TCP connections.";
        list netconf-server {
          key "name";
          min-elements 1;
          description
            "List of NETCONF servers the NETCONF client is to initiate
           connections to in parallel.";
          leaf name {
            type string;
            description
              "An arbitrary name for the NETCONF server.";
          }

          container endpoints {
            description
              "Container for the list of endpoints.";
            list endpoint {
              key "name";
              min-elements 1;
              ordered-by user;
              description
                "A user-ordered list of endpoints that the NETCONF
               client will attempt to connect to in the specified
               sequence.  Defining more than one enables
               high-availability.";
              leaf name {
                type string;
                description
                  "An arbitrary name for the endpoint.";
              }

              choice transport {
                mandatory true;
                description
                  "Selects between available transports.";
                case ssh {
                  if-feature ssh-initiate;
                  container ssh {
                    description
                      "Specifies IP and SSH specific configuration for
                     the connection.";
                    leaf address {
                      type inet:host;
                      description
                        "The IP address or hostname of the endpoint.
                      If a domain name is configured, then the DNS
                      resolution should happen on each usage attempt.
                      If the DNS resolution results in multiple IP
                      addresses, the IP addresses will be tried
                      according to local preference order until a
                      connection has been established or until all
                      IP addresses have failed.";
                    }

                    leaf port {
                      type inet:port-number;
                      default '830';
                      description
                        "The IP port for this endpoint.  The NETCONF
                       client will use the IANA-assigned well-known
                       port for 'netconf-ssh' (830) if no value is
                       specified.";
                    }

                    uses ss:ssh-client-grouping;
                  }  // container ssh
                }  // case ssh

                case tls {
                  if-feature tls-initiate;
                  container tls {
                    description
                      "Specifies IP and TLS specific configuration for
                     the connection.";
                    leaf address {
                      type inet:host;
                      description
                        "The IP address or hostname of the endpoint.
                       If a domain name is configured, then the DNS
                       resolution should happen on each usage attempt.
                       If the DNS resolution results in multiple IP
                       addresses, the IP addresses will be tried
                       according to local preference order until a
                       connection has been established or until all
                       IP addresses have failed.";
                    }

                    leaf port {
                      type inet:port-number;
                      default '6513';
                      description
                        "The IP port for this endpoint. The NETCONF
                         client will use the IANA-assigned well-known
                         port for 'netconf-tls' (6513) if no value is
                         specified.";
                    }

                    uses ts:tls-client-grouping {
                      refine 
                    }
                  }  // container tls
                }  // case tls
              }  // choice transport
            }  // list endpoint
          }  // container endpoints

          container connection-type {
            description
              "Indicates the kind of connection to use.";
            choice connection-type {
              description
                "Selects between available connection types.";
              container persistent {
                presence 'true';
                description
                  "Maintain a persistent connection to the NETCONF
                  server. If the connection goes down, immediately
                  start trying to reconnect to it, using the
                  reconnection strategy.

                  This connection type minimizes any NETCONF server
                  to NETCONF client data-transfer delay, albeit at
                  the expense of holding resources longer.";
                leaf idle-timeout {
                  type uint32;
                  units "seconds";
                  default '86400';
                  description
                    "Specifies the maximum number of seconds that a
                     a NETCONF session may remain idle. A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the client will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }

                container keep-alives {
                  description
                    "Configures the keep-alive policy, to proactively
                     test the aliveness of the SSH/TLS server.  An
                     unresponsive SSH/TLS server will be dropped after
                     approximately max-attempts * max-wait seconds.";
                  reference
                    "RFC 8071: NETCONF Call Home and RESTCONF Call
                    Home, Section 3.1, item S6";

                  leaf max-wait {
                    type uint16 {
                      range "1..max";
                    }
                    units "seconds";
                    default '30';
                    description
                      "Sets the amount of time in seconds after which
                      if no data has been received from the SSH/TLS
                      server, a SSH/TLS-level message will be sent
                      to test the aliveness of the SSH/TLS server.";
                  }

                  leaf max-attempts {
                    type uint8;
                    default '3';
                    description
                      "Sets the maximum number of sequential keep-alive
                      messages that can fail to obtain a response from
                      the SSH/TLS server before assuming the SSH/TLS
                      server is no longer alive.";
                  }
                }  // container keep-alives
              }  // container persistent
              container periodic {
                presence 'true';
                description
                  "Periodically connect to the NETCONF server, so that
                  the NETCONF server may deliver messages pending for
                  the NETCONF client.  The NETCONF server must close
                  the connection when it is ready to release it. Once
                  the connection has been closed, the NETCONF client
                  will restart its timer until the next connection.";
                leaf idle-timeout {
                  type uint16;
                  units "seconds";
                  default '300';
                  description
                    "Specifies the maximum number of seconds that a
                     a NETCONF session may remain idle. A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the server will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }

                leaf reconnect-timeout {
                  type uint16 {
                    range "1..max";
                  }
                  units "minutes";
                  default '60';
                  description
                    "Sets the maximum amount of unconnected time the
                    NETCONF client will wait before re-establishing
                    a connection to the NETCONF server.  The NETCONF
                    client may initiate a connection before this
                    time if desired (e.g., to set configuration).";
                }
              }  // container periodic
            }  // choice connection-type
          }  // container connection-type

          container reconnect-strategy {
            description
              "The reconnection strategy directs how a NETCONF client
            reconnects to a NETCONF server, after discovering its
            connection to the server has dropped, even if due to a
            reboot.  The NETCONF client starts with the specified
            endpoint and tries to connect to it max-attempts times
            before trying the next endpoint in the list (round
            robin).";
            leaf start-with {
              type enumeration {
                enum "first-listed" {
                  value 0;
                  description
                    "Indicates that reconnections should start with
                   the first endpoint listed.";
                }
                enum "last-connected" {
                  value 1;
                  description
                    "Indicates that reconnections should start with
                   the endpoint last connected to.  If no previous
                   connection has ever been established, then the
                   first endpoint configured is used.   NETCONF
                   clients SHOULD be able to remember the last
                   endpoint connected to across reboots.";
                }
              }
              default 'first-listed';
              description
                "Specifies which of the NETCONF server's endpoints the
              NETCONF client should start with when trying to connect
              to the NETCONF server.";
            }

            leaf max-attempts {
              type uint8 {
                range "1..max";
              }
              default '3';
              description
                "Specifies the number times the NETCONF client tries to
              connect to a specific endpoint before moving on to the
              next endpoint in the list (round robin).";
            }
          }  // container reconnect-strategy
        }  // list netconf-server
      }  // container initiate

      container listen {
        if-feature listen;
        description
          "Configures client accepting call-home TCP connections.";
        leaf idle-timeout {
          type uint16;
          units "seconds";
          default '3600';
          description
            "Specifies the maximum number of seconds that a NETCONF
           session may remain idle. A NETCONF session will be dropped
           if it is idle for an interval longer than this number of
           seconds.  If set to zero, then the server will never drop
           a session because it is idle.  Sessions that have a
           notification subscription active are never dropped.";
        }

        list endpoint {
          key "name";
          min-elements 1;
          description
            "List of endpoints to listen for NETCONF connections.";
          leaf name {
            type string;
            description
              "An arbitrary name for the NETCONF listen endpoint.";
          }

          choice transport {
            mandatory true;
            description
              "Selects between available transports.";
            case ssh {
              if-feature ssh-listen;
              container ssh {
                description
                  "SSH-specific listening configuration for inbound
                 connections.";
                leaf address {
                  type inet:ip-address;
                  description
                    "The IP address to listen on for incoming call-home
                  connections.  The NETCONF client will listen on
                  all configured interfaces if no value is specified.
                  INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0
                  a.k.a. ::) MUST be used when the server is to listen
                  on all IPv4 or IPv6 addresses, respectively.";
                }

                leaf port {
                  type inet:port-number;
                  default '4334';
                  description
                    "The port number to listen on for call-home
                  connections.  The NETCONF client will listen on the
                  IANA-assigned well-known port for 'netconf-ch-ssh'
                  (4334) if no value is specified.";
                }

                uses ss:ssh-client-grouping;
              }  // container ssh
            }  // case ssh

            case tls {
              if-feature tls-listen;
              container tls {
                description
                  "TLS-specific listening configuration for inbound
                 connections.";
                leaf address {
                  type inet:ip-address;
                  description
                    "The IP address to listen on for incoming call-home
                  connections.  The NETCONF client will listen on
                  all configured interfaces if no value is specified.
                  INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0
                  a.k.a. ::) MUST be used when the server is to listen
                  on all IPv4 or IPv6 addresses, respectively.";
                }

                leaf port {
                  type inet:port-number;
                  default '4335';
                  description
                    "The port number to listen on for call-home
                  connections.  The NETCONF client will listen on the
                  IANA-assigned well-known port for 'netconf-ch-tls'
                  (4335) if no value is specified.";
                }

                uses ts:tls-client-grouping {
                  refine 
                }
              }  // container tls
            }  // case tls
          }  // choice transport
        }  // list endpoint
      }  // container listen
    }  // grouping netconf-client
  }  // module ietf-netconf-client

Summary

  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-client
Version 2017-10-30
File ietf-netconf-client@2017-10-30.yang
  
Prefix ncc
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-client
  
Cooked /cookedmodules/ietf-netconf-client/2017-10-30
YANG /src/ietf-netconf-client@2017-10-30.yang
XSD /xsd/ietf-netconf-client@2017-10-30.xsd
  
Abstract This module contains a collection of YANG definitions for configuring NETCONF clients. Copyright (c) 2017 IETF Trust and the pe...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

Author:   Kent Watsen
	  <mailto:kwatsen@juniper.net>

Author:   Gary Wu
	  <mailto:garywu@cisco.com>

Description

 
This module contains a collection of YANG definitions for
configuring NETCONF clients.

Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.

Groupings

Grouping Objects Abstract
netconf-client initiate listen Top-level grouping for NETCONF client configuration.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
netconf-client container Top-level container for NETCONF client configuration.
   initiate container Configures client initiating underlying TCP connections.
      netconf-server list List of NETCONF servers the NETCONF client is to initiate connections to in parallel.
         connection-type container Indicates the kind of connection to use.
            connection-type choice Selects between available connection types.
               periodic-connection case periodic
                  periodic container Periodically connect to the NETCONF server, so that the NETCONF server may deliver messages pending for the NETCONF client. The NETCONF server must close the connection when it is ready to release it. Once the connection has been closed, the NETCONF clie...
                     idle-timeout leaf Specifies the maximum number of seconds that a a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is i...
                     reconnect-timeout leaf Sets the maximum amount of unconnected time the NETCONF client will wait before re-establishing a connection to the NETCONF server. The NETCONF client may initiate a connection before this time if desired (e.g., to set configuration).
               persistent-connection case persistent
                  persistent container Maintain a persistent connection to the NETCONF server. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF server to NETCONF client data-transfer delay, al...
                     idle-timeout leaf Specifies the maximum number of seconds that a a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the client will never drop a session because it is i...
                     keep-alives container Configures the keep-alive policy, to proactively test the aliveness of the SSH/TLS server. An unresponsive SSH/TLS server will be dropped after approximately max-attempts * max-wait seconds.
                        max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the SSH/TLS server before assuming the SSH/TLS server is no longer alive.
                        max-wait leaf Sets the amount of time in seconds after which if no data has been received from the SSH/TLS server, a SSH/TLS-level message will be sent to test the aliveness of the SSH/TLS server.
         endpoints container Container for the list of endpoints.
            endpoint list A user-ordered list of endpoints that the NETCONF client will attempt to connect to in the specified sequence. Defining more than one enables high-availability.
               name leaf An arbitrary name for the endpoint.
               transport choice Selects between available transports.
                  ssh case ssh
                     ssh container Specifies IP and SSH specific configuration for the connection.
                        address leaf The IP address or hostname of the endpoint. If a domain name is configured, then the DNS resolution should happen on each usage attempt. If the DNS resolution results in multiple IP addresses, the IP addresses will be tried according to local preference o...
                        client-identity container The credentials used by the client to authenticate to the SSH server.
                           auth-type choice The authentication type.
                              certificate case certificate
                                 certificate container A certificates to be used for client authentication.
                                    algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                    certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                       certificate list A certificate for this private key.
                                          name leaf An arbitrary name for the certificate.
                                          value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                                    private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                    public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                              password case password
                                 password leaf A password to be used for client authentication.
                              public-key case public-key
                                 public-key container A public key to be used for client authentication.
                                    algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                    private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                    public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                           username leaf The username of this user. This will be the username used, for instance, to log into an SSH server.
                        port leaf The IP port for this endpoint. The NETCONF client will use the IANA-assigned well-known port for 'netconf-ssh' (830) if no value is specified.
                        server-auth container Trusted server identities.
                           pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the SSH client to authenticate SSH server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured CA certificate.
                           pinned-server-certs leaf A reference to a list of server certificates used by the SSH client to authenticate SSH server certificates. A server certificate is authenticated if it is an exact match to a configured server certificate.
                           pinned-ssh-host-keys leaf A reference to a list of SSH host keys used by the SSH client to authenticate SSH server host keys. A server host key is authenticated if it is an exact match to a configured SSH host key.
                        transport-params container Configurable parameters of the SSH transport layer.
                           encryption container Parameters regarding encryption.
                              encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation- defined.
                           host-key container Parameters regarding host key.
                              host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable host key algorithms are implementation- defined.
                           key-exchange container Parameters regarding key exchange.
                              key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation- defined.
                           mac container Parameters regarding message authentication code (MAC).
                              mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation- defined.
                  tls case tls
                     tls container Specifies IP and TLS specific configuration for the connection.
                        address leaf The IP address or hostname of the endpoint. If a domain name is configured, then the DNS resolution should happen on each usage attempt. If the DNS resolution results in multiple IP addresses, the IP addresses will be tried according to local preference o...
                        client-identity container The credentials used by the client to authenticate to the TLS server.
                           auth-type choice The authentication type.
                              certificate case certificate
                                 certificate container Choice statement for future augmentations.
                                    algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                    certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                       certificate list A certificate for this private key.
                                          name leaf An arbitrary name for the certificate.
                                          value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                                    private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                    public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                        hello-params container Configurable parameters for the TLS hello message.
                           cipher-suites container Parameters regarding cipher suites.
                              cipher-suite leaf-list Acceptable cipher suites in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable cipher suites are implementation- defined.
                           tls-versions container Parameters regarding TLS versions.
                              tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation- defined.
                        port leaf The IP port for this endpoint. The NETCONF client will use the IANA-assigned well-known port for 'netconf-tls' (6513) if no value is specified.
                        server-auth container Trusted server identities.
                           pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                           pinned-server-certs leaf A reference to a list of server certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it is an exact match to a configured pinned server certificate.
         name leaf An arbitrary name for the NETCONF server.
         reconnect-strategy container The reconnection strategy directs how a NETCONF client reconnects to a NETCONF server, after discovering its connection to the server has dropped, even if due to a reboot. The NETCONF client starts with the specified endpoint and tries to connect to it m...
            max-attempts leaf Specifies the number times the NETCONF client tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin).
            start-with leaf Specifies which of the NETCONF server's endpoints the NETCONF client should start with when trying to connect to the NETCONF server.
   listen container Configures client accepting call-home TCP connections.
      endpoint list List of endpoints to listen for NETCONF connections.
         name leaf An arbitrary name for the NETCONF listen endpoint.
         transport choice Selects between available transports.
            ssh case ssh
               ssh container SSH-specific listening configuration for inbound connections.
                  address leaf The IP address to listen on for incoming call-home connections. The NETCONF client will listen on all configured interfaces if no value is specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to liste...
                  client-identity container The credentials used by the client to authenticate to the SSH server.
                     auth-type choice The authentication type.
                        certificate case certificate
                           certificate container A certificates to be used for client authentication.
                              algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                              certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                 certificate list A certificate for this private key.
                                    name leaf An arbitrary name for the certificate.
                                    value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                              private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                              public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                        password case password
                           password leaf A password to be used for client authentication.
                        public-key case public-key
                           public-key container A public key to be used for client authentication.
                              algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                              private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                              public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                     username leaf The username of this user. This will be the username used, for instance, to log into an SSH server.
                  port leaf The port number to listen on for call-home connections. The NETCONF client will listen on the IANA-assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified.
                  server-auth container Trusted server identities.
                     pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the SSH client to authenticate SSH server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured CA certificate.
                     pinned-server-certs leaf A reference to a list of server certificates used by the SSH client to authenticate SSH server certificates. A server certificate is authenticated if it is an exact match to a configured server certificate.
                     pinned-ssh-host-keys leaf A reference to a list of SSH host keys used by the SSH client to authenticate SSH server host keys. A server host key is authenticated if it is an exact match to a configured SSH host key.
                  transport-params container Configurable parameters of the SSH transport layer.
                     encryption container Parameters regarding encryption.
                        encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation- defined.
                     host-key container Parameters regarding host key.
                        host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable host key algorithms are implementation- defined.
                     key-exchange container Parameters regarding key exchange.
                        key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation- defined.
                     mac container Parameters regarding message authentication code (MAC).
                        mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation- defined.
            tls case tls
               tls container TLS-specific listening configuration for inbound connections.
                  address leaf The IP address to listen on for incoming call-home connections. The NETCONF client will listen on all configured interfaces if no value is specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to liste...
                  client-identity container The credentials used by the client to authenticate to the TLS server.
                     auth-type choice The authentication type.
                        certificate case certificate
                           certificate container Choice statement for future augmentations.
                              algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                              certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                 certificate list A certificate for this private key.
                                    name leaf An arbitrary name for the certificate.
                                    value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                              private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                              public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                  hello-params container Configurable parameters for the TLS hello message.
                     cipher-suites container Parameters regarding cipher suites.
                        cipher-suite leaf-list Acceptable cipher suites in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable cipher suites are implementation- defined.
                     tls-versions container Parameters regarding TLS versions.
                        tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation- defined.
                  port leaf The port number to listen on for call-home connections. The NETCONF client will listen on the IANA-assigned well-known port for 'netconf-ch-tls' (4335) if no value is specified.
                  server-auth container Trusted server identities.
                     pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                     pinned-server-certs leaf A reference to a list of server certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it is an exact match to a configured pinned server certificate.
      idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is id...