
ietf-netconf-server


ietf-netconf-server@2017-10-30



  module ietf-netconf-server {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-netconf-server";

    prefix ncs;

    import ietf-inet-types {
      prefix inet;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-x509-cert-to-name {
      prefix x509c2n;
      reference
        "RFC 7407: A YANG Data Model for SNMP Configuration";


    }
    import ietf-ssh-server {
      prefix ss;
      revision-date "2017-10-30";
      reference
        "RFC YYYY: YANG Groupings for SSH Clients and SSH Servers";


    }
    import ietf-tls-server {
      prefix ts;
      revision-date "2017-10-30";
      reference
        "RFC ZZZZ: YANG Groupings for TLS Clients and TLS Servers";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>

    Author:   Gary Wu
              <mailto:garywu@cisco.com>

    Author:   Juergen Schoenwaelder
              <mailto:j.schoenwaelder@jacobs-university.de>";

    description
      "This module contains a collection of YANG definitions for
    configuring NETCONF servers.

    Copyright (c) 2017 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC XXXX: NETCONF Client and Server Models";

    }


    feature listen {
      description
        "The 'listen' feature indicates that the NETCONF server
      supports opening a port to accept NETCONF client connections
      using at least one transport (e.g., SSH, TLS, etc.).";
    }

    feature ssh-listen {
      description
        "The 'ssh-listen' feature indicates that the NETCONF server
      supports opening a port to accept NETCONF over SSH
      client connections.";
      reference
        "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";

    }

    feature tls-listen {
      description
        "The 'tls-listen' feature indicates that the NETCONF server
      supports opening a port to accept NETCONF over TLS
      client connections.";
      reference
        "RFC 7589: Using the NETCONF Protocol over Transport
        	  Layer Security (TLS) with Mutual X.509
        	  Authentication";

    }

    feature call-home {
      description
        "The 'call-home' feature indicates that the NETCONF server
      supports initiating NETCONF call home connections to NETCONF
      clients using at least one transport (e.g., SSH, TLS, etc.).";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    feature ssh-call-home {
      description
        "The 'ssh-call-home' feature indicates that the NETCONF
      server supports initiating a NETCONF over SSH call
      home connection to NETCONF clients.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    feature tls-call-home {
      description
        "The 'tls-call-home' feature indicates that the NETCONF
      server supports initiating a NETCONF over TLS call
      home connection to NETCONF clients.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    container netconf-server {
      description
        "Top-level container for NETCONF server configuration.";
      uses netconf-server;
    }  // container netconf-server

    grouping netconf-server {
      description
        "Top-level grouping for NETCONF server configuration.";
      container listen {
        if-feature listen;
        description
          "Configures listen behavior";
        // Idle timeout for sessions accepted on the listen endpoints.  The
        // uint16 type caps the value at 65535 seconds; the default is one
        // hour.
        // NOTE(review): 0 disables idle disconnects entirely, and sessions
        // holding a notification subscription are exempt at any value, so
        // this leaf alone does not bound how long an authenticated
        // management session can stay open.
        leaf idle-timeout {
          type uint16;
          units "seconds";
          default '3600';
          description
            "Specifies the maximum number of seconds that a NETCONF
           session may remain idle. A NETCONF session will be dropped
           if it is idle for an interval longer than this number of
           seconds.  If set to zero, then the server will never drop
           a session because it is idle.  Sessions that have a
           notification subscription active are never dropped.";
        }

        list endpoint {
          key "name";
          min-elements 1;
          description
            "List of endpoints to listen for NETCONF connections.";
          leaf name {
            type string;
            description
              "An arbitrary name for the NETCONF listen endpoint.";
          }

          choice transport {
            mandatory true;
            description
              "Selects between available transports.";
            // Listen endpoint for NETCONF over SSH; present only when the
            // server supports the ssh-listen feature.
            case ssh {
              if-feature ssh-listen;
              container ssh {
                description
                  "SSH-specific listening configuration for inbound
                 connections.";
                // NOTE(review): 'mandatory true' means a value is always
                // configured, so the "if no value is specified" sentence in
                // the description cannot apply.  Listening on every address
                // therefore requires the explicit wildcard; binding to a
                // management address instead keeps the NETCONF port off
                // interfaces that do not need it.
                leaf address {
                  type inet:ip-address;
                  mandatory true;
                  description
                    "The IP address to listen on for incoming
                   connections.  The NETCONF server will listen
                   on all configured interfaces if no value is
                   specified.  INADDR_ANY (0.0.0.0) or INADDR6_ANY
                   (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when
                   the server is to listen on all IPv4 or IPv6
                   addresses, respectively.";
                }

                // Defaults to 830; a different value must be mirrored in any
                // packet filter protecting the management plane.
                leaf port {
                  type inet:port-number;
                  default '830';
                  description
                    "The local port number to listen on.  If no value
                  is specified, the IANA-assigned port value for
                  'netconf-ssh' (830) is used.";
                }

                // The SSH server parameters come from the imported
                // ietf-ssh-server module (revision 2017-10-30); that grouping
                // is not shown on this page, so review it separately.
                uses ss:ssh-server-grouping;
              }  // container ssh
            }  // case ssh

            // Listen endpoint for NETCONF over TLS; present only when the
            // server supports the tls-listen feature.
            case tls {
              if-feature tls-listen;
              container tls {
                description
                  "TLS-specific listening configuration for inbound
                 connections.";
                // NOTE(review): 'mandatory true' means a value is always
                // configured, so the "if no value is specified" sentence in
                // the description cannot apply; listening on every address
                // requires the explicit wildcard.
                leaf address {
                  type inet:ip-address;
                  mandatory true;
                  description
                    "The IP address to listen on for incoming
                   connections.  The NETCONF server will listen
                   on all configured interfaces if no value is
                   specified.  INADDR_ANY (0.0.0.0) or INADDR6_ANY
                   (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when
                   the server is to listen on all IPv4 or IPv6
                   addresses, respectively.";
                }

                leaf port {
                  type inet:port-number;
                  default '6513';
                  description
                    "The local port number to listen on.  If no value
                  is specified, the IANA-assigned port value for
                  'netconf-tls' (6513) is used.";
                }

                // The TLS server parameters come from the imported
                // ietf-tls-server module (revision 2017-10-30), not shown on
                // this page.
                uses ts:tls-server-grouping {
                  // NOTE(review): the 'refine' statement below has no target
                  // and no body in this listing, which is not valid YANG.
                  // The text was presumably lost when the page was rendered;
                  // whatever constraint it placed on the grouping is missing
                  // here.  Check the module file before relying on this copy.
                  refine 
                  augment client-auth {
                    description
                      "Augments in the cert-to-name structure.";
                    // Maps the presented client certificate to a NETCONF
                    // username.  The description makes this fail closed: a
                    // certificate with no matching and valid entry must end
                    // the connection.  The entries come from the imported
                    // cert-to-name grouping (not shown); overly broad entries
                    // would presumably widen who obtains a username.
                    container cert-maps {
                      description
                        "The cert-maps container is used by a TLS-based
                      NETCONF server to map the NETCONF client's
                      presented X.509 certificate to a NETCONF
                      username.  If no matching and valid cert-to-name
                      list entry can be found, then the NETCONF server
                      MUST close the connection, and MUST NOT accept
                      NETCONF messages over it.";
                      reference
                        "RFC WWWW: NETCONF over TLS, Section 7";

                      uses x509c2n:cert-to-name;
                    }  // container cert-maps
                  }
                }
              }  // container tls
            }  // case tls
          }  // choice transport
        }  // list endpoint
      }  // container listen

      container call-home {
        if-feature call-home;
        description
          "Configures call-home behavior";
        list netconf-client {
          key "name";
          min-elements 1;
          description
            "List of NETCONF clients the NETCONF server is to initiate
           call-home connections to in parallel.";
          leaf name {
            type string;
            description
              "An arbitrary name for the remote NETCONF client.";
          }

          container endpoints {
            description
              "Container for the list of endpoints.";
            list endpoint {
              key "name";
              min-elements 1;
              ordered-by user;
              description
                "A non-empty user-ordered list of endpoints for this
               NETCONF server to try to connect to in sequence.
               Defining more than one enables high-availability.";
              leaf name {
                type string;
                description
                  "An arbitrary name for this endpoint.";
              }

              choice transport {
                mandatory true;
                description
                  "Selects between available transports.";
                // Call-home endpoint reached over SSH; present only when the
                // server supports the ssh-call-home feature.
                case ssh {
                  if-feature ssh-call-home;
                  container ssh {
                    description
                      "Specifies SSH-specific call-home transport
                     configuration.";
                    // inet:host accepts a hostname as well as an IP address.
                    // NOTE(review): with a hostname the connection target is
                    // decided by DNS on every attempt, and nothing in this
                    // container configures how the lookup is protected, so
                    // peer authenticity rests on the SSH parameters pulled in
                    // below.
                    leaf address {
                      type inet:host;
                      mandatory true;
                      description
                        "The IP address or hostname of the endpoint.
                      If a domain name is configured, then the DNS
                      resolution should happen on each usage attempt.
                      If the the DNS resolution results in multiple
                      IP addresses, the IP addresses will be tried
                      according to local preference order until a
                      connection has been established or until all
                      IP addresses have failed.";
                    }

                    // Remote port to connect to; defaults to 4334.
                    leaf port {
                      type inet:port-number;
                      default '4334';
                      description
                        "The IP port for this endpoint. The NETCONF
                      server will use the IANA-assigned well-known
                      port for 'netconf-ch-ssh' (4334) if no value
                      is specified.";
                    }

                    // The SSH *server* grouping is used even though this
                    // side opens the TCP connection: under call home
                    // (RFC 8071) the NETCONF server keeps the SSH server
                    // role.  The grouping itself is not shown on this page.
                    uses ss:ssh-server-grouping;
                  }  // container ssh
                }  // case ssh

                // Call-home endpoint reached over TLS; present only when the
                // server supports the tls-call-home feature.
                case tls {
                  if-feature tls-call-home;
                  container tls {
                    description
                      "Specifies TLS-specific call-home transport
                     configuration.";
                    // inet:host accepts a hostname as well as an IP address.
                    // NOTE(review): with a hostname the connection target is
                    // decided by DNS on every attempt, and nothing in this
                    // container configures how the lookup is protected, so
                    // peer authenticity rests on the TLS client
                    // authentication configured below.
                    leaf address {
                      type inet:host;
                      mandatory true;
                      description
                        "The IP address or hostname of the endpoint.
                      If a domain name is configured, then the DNS
                      resolution should happen on each usage attempt.
                      If the the DNS resolution results in multiple
                      IP addresses, the IP addresses will be tried
                      according to local preference order until a
                      connection has been established or until all
                      IP addresses have failed.";
                    }

                    // Remote port to connect to; defaults to 4335.
                    leaf port {
                      type inet:port-number;
                      default '4335';
                      description
                        "The IP port for this endpoint.  The NETCONF
                      server will use the IANA-assigned well-known
                      port for 'netconf-ch-tls' (4335) if no value
                      is specified.";
                    }

                    // The TLS *server* grouping is used even though this
                    // side opens the TCP connection: under call home
                    // (RFC 8071) the NETCONF server keeps the TLS server
                    // role.  The grouping itself is not shown on this page.
                    uses ts:tls-server-grouping {
                      // NOTE(review): the 'refine' statement below has no
                      // target and no body in this listing, which is not
                      // valid YANG.  The text was presumably lost when the
                      // page was rendered; whatever constraint it placed on
                      // the grouping is missing here.  Check the module file
                      // before relying on this copy.
                      refine 
                      augment client-auth {
                        description
                          "Augments in the cert-to-name structure.";
                        // Maps the presented client certificate to a NETCONF
                        // username.  The description makes this fail closed:
                        // a certificate with no matching and valid entry
                        // must end the connection.
                        container cert-maps {
                          description
                            "The cert-maps container is used by a
                          TLS-based NETCONF server to map the NETCONF
                          client's presented X.509 certificate to a
                          NETCONF username.  If no matching and valid
                          cert-to-name list entry can be found, then
                          the NETCONF server MUST close the connection,
                          and MUST NOT accept NETCONF messages over
                          it.";
                          reference
                            "RFC WWWW: NETCONF over TLS, Section 7";

                          uses x509c2n:cert-to-name;
                        }  // container cert-maps
                      }
                    }
                  }  // container tls
                }  // case tls
              }  // choice transport
            }  // list endpoint
          }  // container endpoints

          container connection-type {
            description
              "Indicates the kind of connection to use.";
            choice connection-type {
              description
                "Selects between available connection types.";
              // Presence container: configuring it selects the persistent
              // connection type, where the server reconnects as soon as the
              // call-home connection drops.
              container persistent {
                presence 'true';
                description
                  "Maintain a persistent connection to the NETCONF
                  client. If the connection goes down, immediately
                  start trying to reconnect to it, using the
                  reconnection strategy.

                  This connection type minimizes any NETCONF client
                  to NETCONF server data-transfer delay, albeit at
                  the expense of holding resources longer.";
                // uint32 here (uint16 elsewhere in this module), default
                // 86400 seconds, i.e. 24 hours.
                // NOTE(review): 0 disables idle disconnects, and sessions
                // with an active notification subscription are exempt at any
                // value.
                leaf idle-timeout {
                  type uint32;
                  units "seconds";
                  default '86400';
                  description
                    "Specifies the maximum number of seconds that a
                     a NETCONF session may remain idle. A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the server will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }

                // Transport-level liveness probing.  With the defaults
                // (max-wait 30, max-attempts 3) an unresponsive peer is
                // dropped after roughly 90 seconds.
                container keep-alives {
                  description
                    "Configures the keep-alive policy, to proactively
                     test the aliveness of the SSH/TLS client.  An
                     unresponsive SSH/TLS client will be dropped after
                     approximately max-attempts * max-wait seconds.";
                  reference
                    "RFC 8071: NETCONF Call Home and RESTCONF Call
                    Home, Section 3.1, item S6";

                  // The range excludes 0, so probing cannot be switched off
                  // through this leaf.
                  leaf max-wait {
                    type uint16 {
                      range "1..max";
                    }
                    units "seconds";
                    default '30';
                    description
                      "Sets the amount of time in seconds after which
                      if no data has been received from the SSH/TLS
                      client, a SSH/TLS-level message will be sent
                      to test the aliveness of the SSH/TLS client.";
                  }

                  // NOTE(review): unlike max-wait, this leaf carries no
                  // range restriction, so 0 is schema-valid.  The
                  // description does not say what 0 means; confirm how the
                  // implementation treats it.
                  leaf max-attempts {
                    type uint8;
                    default '3';
                    description
                      "Sets the maximum number of sequential keep-alive
                      messages that can fail to obtain a response from
                      the SSH/TLS client before assuming the SSH/TLS
                      client is no longer alive.";
                  }
                }  // container keep-alives
              }  // container persistent
              // Presence container: configuring it selects the periodic
              // connection type, where the server connects at intervals and
              // the NETCONF client is expected to close the connection.
              container periodic {
                presence 'true';
                description
                  "Periodically connect to the NETCONF client, so that
                  the NETCONF client may deliver messages pending for
                  the NETCONF server.  The NETCONF client must close
                  the connection when it is ready to release it. Once
                  the connection has been closed, the NETCONF server
                  will restart its timer until the next connection.";
                // Server-side bound on an idle periodic session; default 300
                // seconds.
                // NOTE(review): closing is otherwise left to the client, so
                // with 0 here nothing in this container bounds the session
                // from the server side.
                leaf idle-timeout {
                  type uint16;
                  units "seconds";
                  default '300';
                  description
                    "Specifies the maximum number of seconds that a
                     a NETCONF session may remain idle. A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the server will never drop
                     a session because it is idle.  Sessions that
                     have a notification subscription active are
                     never dropped.";
                }

                // Expressed in minutes, unlike the idle-timeout leaves,
                // which are in seconds.  The range excludes 0.
                leaf reconnect-timeout {
                  type uint16 {
                    range "1..max";
                  }
                  units "minutes";
                  default '60';
                  description
                    "Sets the maximum amount of unconnected time the
                    NETCONF server will wait before re-establishing
                    a connection to the NETCONF client.  The NETCONF
                    server may initiate a connection before this
                    time if desired (e.g., to deliver an event
                    notification message).";
                }
              }  // container periodic
            }  // choice connection-type
          }  // container connection-type

          // Controls which endpoint a reconnect starts with and how many
          // attempts each endpoint gets before the next one is tried.
          // NOTE(review): no leaf in this container sets a delay between
          // attempts, so retry pacing is left to the implementation;
          // confirm that retries against an unreachable client are rate
          // limited.
          container reconnect-strategy {
            description
              "The reconnection strategy directs how a NETCONF server
            reconnects to a NETCONF client, after discovering its
            connection to the client has dropped, even if due to a
            reboot.  The NETCONF server starts with the specified
            endpoint and tries to connect to it max-attempts times
            before trying the next endpoint in the list (round
            robin).";
            leaf start-with {
              type enumeration {
                enum "first-listed" {
                  value 0;
                  description
                    "Indicates that reconnections should start with
                   the first endpoint listed.";
                }
                // Implies the last-connected endpoint is state that
                // should survive a reboot (SHOULD, per the description).
                enum "last-connected" {
                  value 1;
                  description
                    "Indicates that reconnections should start with
                   the endpoint last connected to.  If no previous
                   connection has ever been established, then the
                   first endpoint configured is used.   NETCONF
                   servers SHOULD be able to remember the last
                   endpoint connected to across reboots.";
                }
              }
              default 'first-listed';
              description
                "Specifies which of the NETCONF client's endpoints the
              NETCONF server should start with when trying to connect
              to the NETCONF client.";
            }

            // Per-endpoint attempt count; the range excludes 0, so every
            // endpoint is tried at least once.
            leaf max-attempts {
              type uint8 {
                range "1..max";
              }
              default '3';
              description
                "Specifies the number times the NETCONF server tries to
              connect to a specific endpoint before moving on to the
              next endpoint in the list (round robin).";
            }
          }  // container reconnect-strategy
        }  // list netconf-client
      }  // container call-home
    }  // grouping netconf-server
  }  // module ietf-netconf-server

Summary

  
ietf-netconf-server  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-server
Version 2015-02-02
File ietf-netconf-server.yang
  
Prefix ncserver
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-server
  
Cooked /cookedmodules/ietf-netconf-server/2015-02-02
YANG /src/ietf-netconf-server@2015-02-02.yang
XSD /xsd/ietf-netconf-server@2015-02-02.xsd
  
Abstract This module contains a collection of YANG definitions for configuring NETCONF servers. Copyright (c) 2014 IETF Trust and the pe...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

WG Chair: Mehmet Ersue
	  <mailto:mehmet.ersue@nsn.com>

WG Chair: Mahesh Jethanandani
	  <mailto:mjethanandani@gmail.com>

Editor:   Kent Watsen
	  <mailto:kwatsen@juniper.net>
  
ietf-netconf-server  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-server
Version 2017-10-30
File ietf-netconf-server@2017-10-30.yang
  
Prefix ncs
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-server
  
Cooked /cookedmodules/ietf-netconf-server/2017-10-30
YANG /src/ietf-netconf-server@2017-10-30.yang
XSD /xsd/ietf-netconf-server@2017-10-30.xsd
  
Abstract This module contains a collection of YANG definitions for configuring NETCONF servers. Copyright (c) 2017 IETF Trust and the pe...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

Author:   Kent Watsen
	  <mailto:kwatsen@juniper.net>

Author:   Gary Wu
	  <mailto:garywu@cisco.com>

Author:   Juergen Schoenwaelder
	  <mailto:j.schoenwaelder@jacobs-university.de>

Description

 
ietf-netconf-server
This module contains a collection of YANG definitions for
configuring NETCONF servers.

Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC VVVV; see
the RFC itself for full legal notices.
 
ietf-netconf-server
This module contains a collection of YANG definitions for
configuring NETCONF servers.

Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.

Groupings

Grouping Objects Abstract
address-and-port-grouping address port This grouping is used by both the ssh and tls containers for listen configuration.
call-home-container call-home This grouping is used only to help improve readability of the YANG module.
certificates-container certificates This grouping is used by both the listen and call-home containers
endpoints-container endpoints This grouping is used by both the ssh and tls containers for call-home configurations.
host-keys-container host-keys This grouping is used by both the listen and call-home containers
keep-alives-container keep-alives This grouping is used by both listen and call-home configurations.
listen-container listen This grouping is used only to help improve readability of the YANG module.
netconf-server listen call-home Top-level grouping for NETCONF server configuration.
session-options-container session-options This grouping is used only to help improve readability of the YANG module.
ssh-container ssh This grouping is used only to help improve readability of the YANG module.
tls-container tls This grouping is used only to help improve readability of the YANG module.
trusted-certs-grouping trusted-ca-certs trusted-client-certs This grouping is used by both the ssh and tls containers.

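Objects (the table appears to interleave entries from both revisions listed in the Summary, 2015-02-02 and 2017-10-30; entries such as "application" do not appear in the 2017-10-30 listing above)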

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
netconf-server container Top-level container for NETCONF server configuration.
netconf-server container Top-level container for NETCONF server configuration.
   call-home container Configures call-home behavior
   call-home container Configures call-home behavior
      application list List of NETCONF clients the NETCONF server is to initiate call-home connections to.
         connection-type container Indicates the kind of connection to use.
            connection-type choice Selects between persistent and periodic connections.
               periodic-connection case periodic
                  periodic container Periodically connect to NETCONF client, using the reconnection strategy, so the NETCONF client can deliver pending messages to the NETCONF server. For messages the NETCONF server wants to send to the NETCONF client, the NETCONF server should proactive...
                     linger-secs leaf The amount of time the NETCONF server should wait after last receiving data from or sending data to the NETCONF client's endpoint before closing its connection to it. This is an optimization to prevent unnecessary connections.
                     timeout-mins leaf The maximum amount of unconnected time the NETCONF server will wait until establishing a connection to the NETCONF client again. The NETCONF server MAY establish a connection before this time if it has data it needs to send to the NETCONF client. Note: th...
               persistent-connection case persistent
                  persistent container Maintain a persistent connection to the NETCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF client to NETCONF server data-transfer delay, al...
                     keep-alives container Configures the keep-alive policy, to proactively test the aliveness of the NETCONF client.
                        count-max leaf Sets the number of keep-alive messages that may be sent without receiving any data from the NETCONF client before assuming the NETCONF client is no longer alive. If this threshold is reached, the transport-level connection will be disconnected, which wil...
                        interval-secs leaf Sets a timeout interval in seconds after which if no data has been received from the NETCONF client, a message will be sent to request a response from the NETCONF client. A value of '0' indicates that no keep-alive messages should be sent.
         name leaf An arbitrary name for the remote NETCONF client.
         reconnect-strategy container The reconnection strategy guides how a NETCONF server reconnects to a NETCONF client, after losing a connection to it, even if due to a reboot. The NETCONF server starts with the specified endpoint and tries to connect to it count-max times, waiting int...
            count-max leaf Specifies the number times the NETCONF server tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin).
            interval-secs leaf Specifies the time delay between connection attempts to the same endpoint. Note: this value differs from the periodic-connection's timeout-mins value.
            start-with leaf Specifies which of the NETCONF client's endpoints the NETCONF server should start with when trying to connect to the NETCONF client. If no previous connection has ever been established, last-connected defaults to the first endpoint listed.
         transport choice Selects between available transports.
            ssh case ssh
               ssh container Specifies SSH-specific call-home transport configuration.
                  endpoints container Container for the list of endpoints.
                     endpoint list User-ordered list of endpoints for this NETCONF client. Defining more than one enables high-availability.
                        address leaf The hostname or IP address of the endpoint. If a hostname is provided and DNS resolves to more than one IP address, the NETCONF server SHOULD try all of the ones it can based on how its networking stack is configured (e.g. v4, v6, dual-stack).
                        name leaf An arbitrary name for the endpoint to connect to.
                        port leaf The IP port for this endpoint. The NETCONF server will use the IANA-assigned well-known port if not specified.
                  host-keys container Parent container for the list of host-keys.
                     host-key leaf-list A user-ordered list of host-keys the SSH server considers when composing the list of server host key algorithms it will send to the client in its SSH_MSG_KEXINIT message. The value of the string is the unique identifier for a host-key configured on the s...
            tls case tls
               tls container Specifies TLS-specific call-home transport configuration.
                  certificates container Parent container for the list of certificates.
                     certificate leaf-list An unordered list of certificates the TLS server can pick from when sending its Server Certificate message. The value of the string is the unique identifier for a certificate configured on the system. How valid values are discovered is outside the scope...
                  endpoints container Container for the list of endpoints.
                     endpoint list User-ordered list of endpoints for this NETCONF client. Defining more than one enables high-availability.
                        address leaf The hostname or IP address of the endpoint. If a hostname is provided and DNS resolves to more than one IP address, the NETCONF server SHOULD try all of the ones it can based on how its networking stack is configured (e.g. v4, v6, dual-stack).
                        name leaf An arbitrary name for the endpoint to connect to.
                        port leaf The IP port for this endpoint. The NETCONF server will use the IANA-assigned well-known port if not specified.
      netconf-client list List of NETCONF clients the NETCONF server is to initiate call-home connections to in parallel.
         connection-type container Indicates the kind of connection to use.
            connection-type choice Selects between available connection types.
               periodic-connection case periodic
                  periodic container Periodically connect to the NETCONF client, so that the NETCONF client may deliver messages pending for the NETCONF server. The NETCONF client must close the connection when it is ready to release it. Once the connection has been closed, the NETCONF serv...
                     idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is i...
                     reconnect-timeout leaf Sets the maximum amount of unconnected time the NETCONF server will wait before re-establishing a connection to the NETCONF client. The NETCONF server may initiate a connection before this time if desired (e.g., to deliver an event notification message).
               persistent-connection case persistent
                  persistent container Maintain a persistent connection to the NETCONF client. If the connection goes down, immediately start trying to reconnect to it, using the reconnection strategy. This connection type minimizes any NETCONF client to NETCONF server data-transfer delay, al...
                     idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is i...
                     keep-alives container Configures the keep-alive policy, to proactively test the aliveness of the SSH/TLS client. An unresponsive SSH/TLS client will be dropped after approximately max-attempts * max-wait seconds.
                        max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the SSH/TLS client before assuming the SSH/TLS client is no longer alive.
                        max-wait leaf Sets the amount of time in seconds after which if no data has been received from the SSH/TLS client, a SSH/TLS-level message will be sent to test the aliveness of the SSH/TLS client.
         endpoints container Container for the list of endpoints.
            endpoint list A non-empty user-ordered list of endpoints for this NETCONF server to try to connect to in sequence. Defining more than one enables high-availability.
               name leaf An arbitrary name for this endpoint.
               transport choice Selects between available transports.
                  ssh case ssh
                     ssh container Specifies SSH-specific call-home transport configuration.
                        address leaf The IP address or hostname of the endpoint. If a domain name is configured, then the DNS resolution should happen on each usage attempt. If the DNS resolution results in multiple IP addresses, the IP addresses will be tried according to local preferen...
                        client-cert-auth container A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.
                           pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the SSH server to authenticate SSH client certificates. A client certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                           pinned-client-certs leaf A reference to a list of client certificates used by the SSH server to authenticate SSH client certificates. A client's certificate is authenticated if it is an exact match to a configured pinned client certificate.
                        port leaf The IP port for this endpoint. The NETCONF server will use the IANA-assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified.
                        server-identity container The list of host-keys the SSH server will present when establishing a SSH connection.
                           host-key list An ordered list of host keys the SSH server will use to construct its ordered list of algorithms, when sending its SSH_MSG_KEXINIT message, as defined in Section 7.1 of RFC 4253.
                              host-key-type choice The type of host key being specified
                                 certificate case certificate
                                    certificate container The SSH server uses a certificate for its host key.
                                       algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                       certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                          certificate list A certificate for this private key.
                                             name leaf An arbitrary name for the certificate.
                                             value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                                       private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                       public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                                 public-key case public-key
                                    public-key container The SSH server uses a public-key for its host key.
                                       algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                       private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                       public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                              name leaf An arbitrary name for this host-key
                        transport-params container Configurable parameters of the SSH transport layer.
                           encryption container Parameters regarding encryption.
                              encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation-defined.
                           host-key container Parameters regarding host key.
                              host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable host key algorithms are implementation-defined.
                           key-exchange container Parameters regarding key exchange.
                              key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation-defined.
                           mac container Parameters regarding message authentication code (MAC).
                              mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation-defined.
                  tls case tls
                     tls container Specifies TLS-specific call-home transport configuration.
                        address leaf The IP address or hostname of the endpoint. If a domain name is configured, then the DNS resolution should happen on each usage attempt. If the DNS resolution results in multiple IP addresses, the IP addresses will be tried according to local preferen...
                        client-auth container A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.
                           cert-maps container The cert-maps container is used by a TLS-based NETCONF server to map the NETCONF client's presented X.509 certificate to a NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection,...
                           pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the TLS server to authenticate TLS client certificates. A client certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                           pinned-client-certs leaf A reference to a list of client certificates used by the TLS server to authenticate TLS client certificates. A client's certificate is authenticated if it is an exact match to a configured pinned client certificate.
                        hello-params container Configurable parameters for the TLS hello message.
                           cipher-suites container Parameters regarding cipher suites.
                              cipher-suite leaf-list Acceptable cipher suites in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable cipher suites are implementation-defined.
                           tls-versions container Parameters regarding TLS versions.
                              tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation-defined.
                        port leaf The IP port for this endpoint. The NETCONF server will use the IANA-assigned well-known port for 'netconf-ch-tls' (4335) if no value is specified.
                        server-identity container The list of certificates the TLS server will present when establishing a TLS connection in its Certificate message, as defined in Section 7.4.2 in RFC 5246.
                           algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                           certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                              certificate list A certificate for this private key.
                                 name leaf An arbitrary name for the certificate.
                                 value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                           private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                           public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
         name leaf An arbitrary name for the remote NETCONF client.
         reconnect-strategy container The reconnection strategy directs how a NETCONF server reconnects to a NETCONF client, after discovering its connection to the client has dropped, even if due to a reboot. The NETCONF server starts with the specified endpoint and tries to connect to it m...
            max-attempts leaf Specifies the number of times the NETCONF server tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin).
            start-with leaf Specifies which of the NETCONF client's endpoints the NETCONF server should start with when trying to connect to the NETCONF client.
   listen container Configures listen behavior
   listen container Configures listen behavior
      endpoint list List of endpoints to listen for NETCONF connections on.
      endpoint list List of endpoints to listen for NETCONF connections.
         keep-alives container Configures the keep-alive policy, to proactively test the aliveness of the NETCONF client.
            count-max leaf Sets the number of keep-alive messages that may be sent without receiving any data from the NETCONF client before assuming the NETCONF client is no longer alive. If this threshold is reached, the transport-level connection will be disconnected, which wil...
            interval-secs leaf Sets a timeout interval in seconds after which if no data has been received from the NETCONF client, a message will be sent to request a response from the NETCONF client. A value of '0' indicates that no keep-alive messages should be sent.
         name leaf An arbitrary name for the NETCONF listen endpoint.
         name leaf An arbitrary name for the NETCONF listen endpoint.
         transport choice Selects between SSH and TLS transports.
         transport choice Selects between available transports.
            ssh case ssh
            ssh case ssh
               ssh container SSH-specific listening configuration for inbound connections.
               ssh container SSH-specific listening configuration for inbound connections.
                  address leaf The IP address of the interface to listen on.
                  address leaf The IP address to listen on for incoming connections. The NETCONF server will listen on all configured interfaces if no value is specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to listen on all ...
                  client-cert-auth container A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.
                     pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the SSH server to authenticate SSH client certificates. A client certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                     pinned-client-certs leaf A reference to a list of client certificates used by the SSH server to authenticate SSH client certificates. A client's certificate is authenticated if it is an exact match to a configured pinned client certificate.
                  host-keys container Parent container for the list of host-keys.
                     host-key leaf-list A user-ordered list of host-keys the SSH server considers when composing the list of server host key algorithms it will send to the client in its SSH_MSG_KEXINIT message. The value of the string is the unique identifier for a host-key configured on the s...
                  port leaf The local port number on this interface the NETCONF server listens on.
                  port leaf The local port number to listen on. If no value is specified, the IANA-assigned port value for 'netconf-ssh' (830) is used.
                  server-identity container The list of host-keys the SSH server will present when establishing a SSH connection.
                     host-key list An ordered list of host keys the SSH server will use to construct its ordered list of algorithms, when sending its SSH_MSG_KEXINIT message, as defined in Section 7.1 of RFC 4253.
                        host-key-type choice The type of host key being specified
                           certificate case certificate
                              certificate container The SSH server uses a certificate for its host key.
                                 algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                 certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                                    certificate list A certificate for this private key.
                                       name leaf An arbitrary name for the certificate.
                                       value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                                 private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                 public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                           public-key case public-key
                              public-key container The SSH server uses a public-key for its host key.
                                 algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                                 private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                                 public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
                        name leaf An arbitrary name for this host-key
                  transport-params container Configurable parameters of the SSH transport layer.
                     encryption container Parameters regarding encryption.
                        encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation-defined.
                     host-key container Parameters regarding host key.
                        host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable host key algorithms are implementation-defined.
                     key-exchange container Parameters regarding key exchange.
                        key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation-defined.
                     mac container Parameters regarding message authentication code (MAC).
                        mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation-defined.
            tls case tls
            tls case tls
               tls container TLS-specific listening configuration for inbound connections.
               tls container TLS-specific listening configuration for inbound connections.
                  address leaf The IP address of the interface to listen on.
                  address leaf The IP address to listen on for incoming connections. The NETCONF server will listen on all configured interfaces if no value is specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to listen on all ...
                  certificates container Parent container for the list of certificates.
                     certificate leaf-list An unordered list of certificates the TLS server can pick from when sending its Server Certificate message. The value of the string is the unique identifier for a certificate configured on the system. How valid values are discovered is outside the scope...
                  client-auth container A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.
                     cert-maps container The cert-maps container is used by a TLS-based NETCONF server to map the NETCONF client's presented X.509 certificate to a NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection,...
                     pinned-ca-certs leaf A reference to a list of certificate authority (CA) certificates used by the TLS server to authenticate TLS client certificates. A client certificate is authenticated if it has a valid chain of trust to a configured pinned CA certificate.
                     pinned-client-certs leaf A reference to a list of client certificates used by the TLS server to authenticate TLS client certificates. A client's certificate is authenticated if it is an exact match to a configured pinned client certificate.
                  hello-params container Configurable parameters for the TLS hello message.
                     cipher-suites container Parameters regarding cipher suites.
                        cipher-suite leaf-list Acceptable cipher suites in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable cipher suites are implementation-defined.
                     tls-versions container Parameters regarding TLS versions.
                        tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation-defined.
                  port leaf The local port number on this interface the NETCONF server listens on.
                  port leaf The local port number to listen on. If no value is specified, the IANA-assigned port value for 'netconf-tls' (6513) is used.
                  server-identity container The list of certificates the TLS server will present when establishing a TLS connection in its Certificate message, as defined in Section 7.4.2 in RFC 5246.
                     algorithm leaf Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded.
                     certificates container Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated.
                        certificate list A certificate for this private key.
                           name leaf An arbitrary name for the certificate.
                           value leaf A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the cert...
                     private-key leaf A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Crypt...
                     public-key leaf A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptog...
      idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is id...
      max-sessions leaf Specifies the maximum number of concurrent sessions that can be active at one time. The value 0 indicates that no artificial session limit should be used.
   session-options container NETCONF session options, independent of transport or connection strategy.
      hello-timeout leaf Specifies the number of seconds that a session may exist before the hello PDU is received. A session will be dropped if no hello PDU is received before this number of seconds elapses. If this parameter is set to zero, then the server will wait forever f...
      idle-timeout leaf Specifies the number of seconds that a NETCONF session may remain idle without issuing any RPC requests. A session will be dropped if it is idle for an interval longer than this number of seconds. If this parameter is set to zero, then the server will n...
   ssh container Configures SSH properties not specific to the listen or call-home use-cases
      x509 container trusted-ca-certs trusted-client-certs
         trusted-ca-certs container A list of Certificate Authority (CA) certificates that a NETCONF server can use to authenticate NETCONF client certificates. A client's certificate is authenticated if there is a chain of trust to a configured trusted CA certificate. The client certific...
            trusted-ca-cert leaf-list The binary certificate structure as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>;
         trusted-client-certs container A list of client certificates that a NETCONF server can use to authenticate a NETCONF client's certificate. A client's certificate is authenticated if it is an exact match to a configured trusted client certificate.
            trusted-client-cert leaf-list The binary certificate structure, as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>;
   tls container Configures TLS properties for authenticating clients.
      client-auth container Container for TLS client authentication configuration.
         cert-maps container The cert-maps container is used by a NETCONF server to map the NETCONF client's presented X.509 certificate to a NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection, and MUST ...
            cert-to-name list This list defines how certificates are mapped to names. The name is derived by considering each cert-to-name list entry in order. The cert-to-name entry's fingerprint determines whether the list entry is a match: 1) If the cert-to-name list entry's fing...
               fingerprint leaf Specifies a value with which the fingerprint of the full certificate presented by the peer is compared. If the fingerprint of the full certificate presented by the peer does not match the fingerprint configured, then the entry is skipped, and the search ...
               id leaf The id specifies the order in which the entries in the cert-to-name list are searched. Entries with lower numbers are searched first.
               map-type leaf Specifies the algorithm used to map the certificate presented by the peer to a name. Mappings that need additional configuration objects should use the 'when' statement to make them conditional based on the map-type.
               name leaf Directly specifies the NETCONF username when the map-type is 'specified'.
         trusted-ca-certs container A list of Certificate Authority (CA) certificates that a NETCONF server can use to authenticate NETCONF client certificates. A client's certificate is authenticated if there is a chain of trust to a configured trusted CA certificate. The client certific...
            trusted-ca-cert leaf-list The binary certificate structure as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>;
         trusted-client-certs container A list of client certificates that a NETCONF server can use to authenticate a NETCONF client's certificate. A client's certificate is authenticated if it is an exact match to a configured trusted client certificate.
            trusted-client-cert leaf-list The binary certificate structure, as specified by RFC 5246, Section 7.4.6, i.e.,: opaque ASN.1Cert<1..2^24>;