Network Working Group R. Atarashi Internet-Draft Internet Initiative Japan Inc. Expires: January 15, 2007 H. Okita Central Research Laboratory, Hitachi, Ltd. Y. Atarashi Alaxala Networks Co. E. Boschi Hitachi Europe SAS July 14, 2006 Netconf System Architecture draft-atarashi-netconfmodel-architecture-03 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 15, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The NETwork CONFiguration (NETCONF) protocol has been designed to configure routers, switches, firewalls and other network devices. Atarashi, et al. Expires January 15, 2007 [Page 1] Internet-Draft Netconf System Architecture July 2006 This document describes a high level description of the Netconf architecture and how the Netconf framework relates to other network management protocols and architectures. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. NETCONF Protocol . . . . . . . . . . . . . . . . . . . . . 3 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 2. NETCONF System Architecture . . . . . . . . . . . . . . . . . 5 2.1. NETCONF Manager . . . . . . . . . . . . . . . . . . . . . 5 2.2. NETCONF Device . . . . . . . . . . . . . . . . . . . . . . 6 2.2.1. SOAP/HTTP(S) Transport Mapping . . . . . . . . . . . . 7 2.2.2. SSH Transport Mapping . . . . . . . . . . . . . . . . 8 2.2.3. BEEP Transport Mapping . . . . . . . . . . . . . . . . 9 2.3. NETCONF System Functions . . . . . . . . . . . . . . . . . 10 3. Relation to other Protocols . . . . . . . . . . . . . . . . . 12 3.1. NETCONF Role in Network Management System . . . . . . . . 12 3.2. Network Management System Reference Model using NETCONF protocol . . . . . . . . . . . . . . . . . . . . . 12 4. NETCONF Applicability . . . . . . . . . . . . . . . . . . . . 15 4.1. Target Networks . . . . . . . . . . . . . . . . . . . . . 15 4.2. Network Operation Scenario . . . . . . . . . . . . . . . . 15 5. Event Notification . . . . . . . . . . . . . . . . . . . . . . 20 5.1. Comparison of Event Notification Protocols . . . . . . . . 20 5.2. Event Handling Architecture . . . . . . . . . . . . . . . 21 6. Security Considerations . . . . . . . . . . . . . . . . . . . 24 6.1. Configuration Sniffing . . . . . . . . . . . . . . . . . . 24 6.2. Spoofing of the NETOCNF Manager . . . . . . . . . . . . . 24 6.3. Spoofing of the NETCONF Device . . . . . . . . . . . . . . 24 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27 8.2. Informative References . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Intellectual Property and Copyright Statements . . . . . . . . . . 30 Atarashi, et al. Expires January 15, 2007 [Page 2] Internet-Draft Netconf System Architecture July 2006 1. Introduction 1.1. NETCONF Protocol NETCONF Protocol [2] is specified as standardized protocol for network devices configuration by network management system. NETCONF Protocol is used to configure routers, switches, firewall appliance and other network devices. With NETCONF Protocol, the network management system can configure the network devices in unified procedure. NETCONF Protocol is a client-sever type protocol based on RPC model communication, which provides a response for each configuration request. NETCONF uses Extensible Markup Language (XML) [13] to describe its protocol messages and its configuration data. Applications can access the structure and contents of the messages and data with XML parsers. These features enable network management systems to automate its network management process. For example, with XML Stylesheet Language Transformation (XSLT) [14] , the management system can transform responses from network devices into a human-readable form to indicate the response for operators. NETCONF Protocol is divided into four layers shown in the following figure (Figure 1). NETCONF Protocol operations are classified into configuration and notification. NETCONF configuration operations are unified by NETCONF RPC. The NETCONF RPCs are mapped into three transport protocols, SSH [3], SOAP/HTTP(S) [4] and BEEP [5]. NETCONF notification [6] operations are mapped directly into the transport protocols. Layer Example +-------------+ +-------------------------------------------+ | Content | | Configuration data | +-------------+ +-------------------------------------------+ | | +-------------+ +-------------------------------------------+ | Operations | | , | +-------------+ +-------------------------------------------+ | | | +-------------+ +-----------------------------+ | | RPC | | , | | +-------------+ +-----------------------------+ | | | | +-------------+ +-------------------------------------------+ | Application | | BEEP, SSH, SSL, console | | Protocol | | | +-------------+ +-------------------------------------------+ Atarashi, et al. Expires January 15, 2007 [Page 3] Internet-Draft Netconf System Architecture July 2006 Figure 1: NETCONF Protocol Layers 1.2. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [8]. 1.3. Motivation This document describes the Netconf architecture for the configuration of routers, switches, firewalls and other network devices. It provides a description of the Netconf framework key components and their functions. In the Operation and Management Area, there exist various management protocols, such as for instance SNMP [9], SYSLOG, IPFIX, DIAMETER. Each of these protocols is optimized for its objective. For example, SNMP is a basic network management protocol implemented almost all network devices and has an ability to set and extract MIB-defined management information on network devices. SNMP has an event notification function called "SNMP trap", and other of the above mentioned protocols also have the ability to notify management information, e.g. system status changes, flow statistics, authentication, authorization and accounting. This draft discusses the role of the NETCONF protocol in the entire network management system and its relation to other operation and management protocols. Atarashi, et al. Expires January 15, 2007 [Page 4] Internet-Draft Netconf System Architecture July 2006 2. NETCONF System Architecture In this section, we describe the architectural components of the NETCONF manager and the NETCONF device. 2.1. NETCONF Manager Figure 2 shows the components on the NETCONF manager. With these components, it automates network management operation. NETCONF Manager +------------------------------------------------------+ |+----------------------------------------------------+| +----------+ || +-----------+ +---------+ +---------+ +----------+|| |Other | || |NETCONF | |Visualize| |User | |Configs, ||| |Network |<-++->|Automation | |Tool | |Interface| |Status, ||| |Management| || |Application| | | | | |Policies ||| |System | || | | | | | | | (XML DB) ||| |System | || +-----------+ +---------+ +---------+ +----------+|| +----------+ |+----------------------------------------------------+| | ^ ^ | | | | | | | +------------+-------------------------+ | | | | | | | | | | | | v +-------------+| | | | | +-------------------+ | Config || | | | | | Network Level API | | Datamodel || | | | | +-------------------+ | (XML Schema)|| | | | | ^ +-------------+| | | | | | | | | | +------------+-------------------------+ | | | | | | +------+-----------------+-------------------------+ | | | | | | | | | v v +--------------+| | | | +--------------------------+ | Config || | | | | NETCONF API | | Datamodel || | | | +--------------------------+ | (XML Schema) || | | | +--------------+| | | +--------------------------------------------------+ | +------------------------------------------------------+ Figure 2: NETCONF Manager Components Atarashi, et al. Expires January 15, 2007 [Page 5] Internet-Draft Netconf System Architecture July 2006 Visual Design Tool: The visual Design Tool visualizes network topology and type of each device on display. It follows network topology change and update the links and nodes on the display. It is also used to validate the network topology before the actual change is carried out. User Interface: The user interface is the interface for the operators to instruct the NETCONF manager to transfer the configuration data which they create to NETCONF device via NETCONF protocol. This interface receives designation of the target device in the form of IP address or host name. This interface indicates the operator about the configuration data applied to the devices. NETCONF Application: The NETCONF application is the main component of the NETCONF manager to automate the network operation. It implements configuration operation logic. According to this logic, Network level API and NETCONF API are called from a NETCONF application. Further, the application interacts with other network management systems like SNMP server, and receives the information about events which occurred in the network from the systems. Configs, Status, Policies: An XML database on the NETCONF manager contains the configuration set, the abstract network model and the network policies, which are described in XML. XML technologies can also describe semantics including relation. We can generate device dependent configuration from device independent configuration using XML technology. NETCONF Configuration Datamodel: A configuration datamodel defines element type and data type in the NETCONF protocol message and configuration data. This datamodel is composed of XML schema. Components in the NETCONF manager share this datamodel. NETCONF API: NETCONF API is the API to operate the objects defined in a network device. This API , being called from upper layer application, creates NETCONF RPC message to operate the designated object(s) and transport this RPC message to corresponding NETCONF device. Network Level API: Network level API is the API to operate the objects extended over the network. This API is called from upper layer application and internally calls NETCONF API. 2.2. NETCONF Device A NETCONF device has two kinds of functional blocks, NETCONF message analysis block and device internal configuration interface. These Atarashi, et al. Expires January 15, 2007 [Page 6] Internet-Draft Netconf System Architecture July 2006 blocks cooperate for configuration of the device itself via NETCONF protocol. The NETCONF message analysis block receives the NETCONF protocol message from the NETCONF manager. It extracts the operation command described in XML from the NETCONF protocol message and translates the operation command into internal message format and passes the translated operation command to the internal configuration interface block. This block contains transport protocol dependent block, XML translation block, and configuration data model described by XML schema. The transport dependent block and the XML translation block use configuration datamodel to validate and analyze the received NETCONF message. The XML translation block contains Extensible Stylesheet Language Transformations (XSLT) module and/or custom module(s). The custom modules may use XML API like Document Object Model (DOM) [16] or Simple API for XML (SAX) [17] to translate the NETCONF operation message. The modules extract NETCONF operation block from the RPC message, and starts the processes corresponding to the operation block. 2.2.1. SOAP/HTTP(S) Transport Mapping Since the NETCONF protocol has three candidates for its transport protocol, components of the NETCONF device vary according to the selected transport protocol. In the NETCONF device with SOAP/HTTP transport mapping (Figure 3), the NETCONF message analysis block executes SSL decryption followed by HTTP session termination. It extracts SOAP data from the HTTP request and removes SOAP envelope and extracts the NETCONF RPC message including NETCONF operation message. The XSLT module or a custom module receives the operation message including the transported configuration data. The NETCONF device implementors can use the optional module of the Web server implementation to implement SSL, SOAP, XSLT function block. On Java 2 Enterprise Environment (J2EE), they can integrate even proprietary module(s) as Enterprise Java Bean (EJB) on EJB container. Each EJB is bound to the NETCONF operation extracted from NETCONF RPC message. Atarashi, et al. Expires January 15, 2007 [Page 7] Internet-Draft Netconf System Architecture July 2006 Configuration Data | +-------------+---------------------------+ | | | | v | | +-----------------------------------+ | | | +------------------+ +----------+ | | | | | SSL Module | | Config | | | | | +------------------+ | Model | | | | | | HTTP Engine | | (XML | | | | | +------------------+ | Schema | | | | | | SOAP Module | | | | | | | +------+-----------+ +----------+ | | | | |XSLT |Custom | | | | | |Module|Modules(s) | | | | | +------+-----------+ | | | +-----------------------------------+ | | | | | v | | +-----------------------------------+ | | | Network Device | | | | Internal Configuration Interface | | | +-----------------------------------+ | +-----------------------------------------+ Figure 3: NETCONF Device Architecture (SOAP/HTTP(S) Mapping) 2.2.2. SSH Transport Mapping In the NETCONF device with SSH transport mapping (Figure 4), the NETCONF message analysis block has SSH stack and XML parse/RPC stack. The SSH stack manages secure channels to the NETCONF manager, and passes the transported NETCONF protocol message and configuration data to the XML parse/RPC stack. The RPC stack specifies the requested operation and, according to the operation type, calls the corresponding internal configuration interface of the network device. Atarashi, et al. Expires January 15, 2007 [Page 8] Internet-Draft Netconf System Architecture July 2006 Configuration Data | +-------------+---------------------------+ | | | | v | | +-----------------------------------+ | | | +------------------+ +----------+ | | | | | SSH Stack | | | | | | | +------------------+ | Config | | | | | +------------------+ | Model | | | | | | XML Parse | | (XML | | | | | | /RPC Stack | | Schema) | | | | | +------------------+ +----------+ | | | | +-----++-----------+ | | | | |XSLT ||Custom | | | | | |Stack||Stack(s) | | | | | +-----++-----------+ | | | +-----------------------------------+ | | | | | v | | +-----------------------------------+ | | | Network Device | | | | Internal Configuration Interface | | | +-----------------------------------+ | +-----------------------------------------+ Figure 4: NETCONF Device Architecture (SSH Mapping) 2.2.3. BEEP Transport Mapping In the NETCONF device with BEEP transport mapping (Figure 5), the NETCONF message analysis block has TLS and optionally SASL stack and BEEP stack. The TLS stack manages the secure channels to the NETCONF manager, and passes the transported NETCONF protocol message and configuration data to the BEEP stack. According to the operation type, the BEEP stack calls the corresponding internal configuration interface of a network device. Atarashi, et al. Expires January 15, 2007 [Page 9] Internet-Draft Netconf System Architecture July 2006 Configuration Data | +-------------+---------------------------+ | | | | v | | +-----------------------------------+ | | | +------------------+ +----------+ | | | | | TLS/SASL Stack | | Config | | | | | +------------------+ | Model | | | | | +------------------+ | (XML | | | | | | BEEP Stack | | Schema) | | | | | +------------------+ +----------+ | | | | +-----++-----------+ | | | | |XSLT ||Custom | | | | | |Stack||Stack(s) | | | | | +-----++-----------+ | | | +-----------------------------------+ | | | | | v | | +-----------------------------------+ | | | Network Device | | | | Internal Configuration Interface | | | +-----------------------------------+ | +-----------------------------------------+ Figure 5: NETCONF Device Architecture (BEEP Mapping) 2.3. NETCONF System Functions The NETCONF manager transports, via the NETCONF protocol, the configuration data customized for each NETCONF device in the network. The configuration operations are classified into merge, replace, create and delete of the configuration on the NETCONF devices. The NETCONF manager should confirm the acceptance or failure of the configuration data on the NETCONF devices by NETCONF RPC reply from the devices. In addition to the configuration function, the NETCONF protocol has a notification function[6], which allows asynchronous message transmission between the NETCONF manager and the NETCONF devices. The NETCONF devices notify errors, warnings and information about configuration changes occurred on the devices to the NETCONF manager. The NETCONF manager creates event notification subscription specifying the events of interest. In the configuration and notification operation, the NETCONF manager and the NETCONF devices share the same data model to parse the Atarashi, et al. Expires January 15, 2007 [Page 10] Internet-Draft Netconf System Architecture July 2006 protocol message and configuration data described in XML. This datamodel is described by XML schema and its contents are mapped into objects on the NETCONF devices. From the application point of view, application on the NETCONF manager accesses these mapped objects to configure the NETCONF devices. NETCONF protocol intermediates this object operation between the NETCONF manager and the NETCONF devices. Atarashi, et al. Expires January 15, 2007 [Page 11] Internet-Draft Netconf System Architecture July 2006 3. Relation to other Protocols 3.1. NETCONF Role in Network Management System Traditional networks require human intervention to numerous events happening in the network. Network operators should deal promptly with network events, for example, topology change due to additional router or switch they installed, and network trouble from device failure. When these events occur, the operators create substitute configuration optimized for each device and apply these configuration to each device via proprietary configuration interface of each device. The role of the NETCONF protocol is transmission of the configuration data from the NETCONF manager to the NETCONF devices, and notification of the event information about configuration data on the NETCONF devices. The objective of the NETCONF protocol adoption is the reduction of network operation cost by automating network operator's configuration task. A network management system with NETCONF system configures the network devices automatically based on the network event. Using the NETCONF protocol, the NETCONF system distributes the configurations of the devices generated by the network management system according to the pre-defined algorithm or rule. To automate network operation, network management system should detect events and gather event information in the network. The network management system combine NETCONF configuration/notification function with other event management function, for example, Simple Network Management Protocol (SNMP), IP Flow Information Export (IPFIX) protocol, SYSLOG protocol. We should consider how we combine these protocols with NETCONF protocol function. The interaction between Netconf and those protocols should be addressed. 3.2. Network Management System Reference Model using NETCONF protocol Figure 6 shows reference model of entire network management system. It includes NETCONF manager, NETCONF devices and other network management servers like SNMP server, Syslog server and Flow Collector. Atarashi, et al. Expires January 15, 2007 [Page 12] Internet-Draft Netconf System Architecture July 2006 +-----------+ | NETCONF | Interaction | Manager |<- -----------------+--------+---------+ | | | | | +-----------+ | | | ^ | | | NETCONF | | | | Notification | +------+--------+---------+------+ | | | | | | | | v v v | | | +-------+ +------+ +---------+ | NETCONF | | |SNMP | |Syslog| |flow | | Configuration | | |Manager| |Server| |Collector| | (RPC reply) | | +-------+ +------+ +---------+ | | | ^ ^ ^ | | | | | | | | +------+--------+---------+------+ | | | | NETCONF | | | | Configuration | |SNMP |SYSLOG | IPFIX (RPC request) | | | | | | | | +--------------+----------------------+ | | | | | | | | | | v | | | | |+---------+ +---------+ +---------+ | | | | || Network | | Network | | Network |<-+--+ | | || Device | | Device | | Device |--+-----------+ | || | | | | |--+---------------------+ |+---------+ +---------+ +---------+ | | | +-------------------------------------+ Figure 6: Network Management System Reference Model using NETCONF protocol Following events can be a trigger of the NETCONF configuration in the system. Network operator's operation NETCONF notification Other event gathering At first, network operators configure network device via NETCONF protocol to define VLAN, assign IP address, initiate routing Atarashi, et al. Expires January 15, 2007 [Page 13] Internet-Draft Netconf System Architecture July 2006 protocol, activate filtering function, and management functions. NETCONF manager applies configuration data to network devices by NETCONF RPC. Network devices start to forward frames/packets and to interact with management servers via SNMP, SYSLOG protocol, IPFIX protocol, and some other management protocols. In the configuration data, NETCONF manager tells addresses of management servers and exported information. Network devices send NETCONF notification message to the NETCONF manager when configuration status or device construction changed. These events come from direct configuration without the NETCONF protocol or parts replacement of the devices by the operators, or some failure of the devices. Configured network devices notify asynchronously the corresponding management servers of threshold exceeding of traffic counter, protocol status change, flow statistics, and so on. In these management servers, the SNMP server may access periodically network devices and read synchronously the MIB-defined management information from the devices. The NETCONF manager and the management servers interact, and the NETCONF manager receives the event notifications from the servers. Receiving these event notifications, the NETCONF manager creates substitute configuration data of the network devices to deal with the events. For example, it activates the secondary device in slave state to save user traffic when the primary device fails, and enables bandwidth restriction to shape the traffic when traffic exceeds the threshold. Atarashi, et al. Expires January 15, 2007 [Page 14] Internet-Draft Netconf System Architecture July 2006 4. NETCONF Applicability 4.1. Target Networks NETCONF protocol has applicability for carrier network and enterprise network and home or Small Office Home Office (SOHO) network as following. Carrier network It has numerous network devices widely deployed in its service area. The devices contain normally multiple vendor's products and have proprietary configuration method. By unifying configuration procedure of the numerous devices with NETCONF protocol, carrier operators can reduce their operation load. Enterprise network Operators of enterprise networks are requested to hold down administrative cost. The operators should configure the network devices according to reorganization or additional service deployment. Automation of the configuration can save the administrative cost of enterprise networks. Home/SOHO network Carrier or Internet Service Provider (ISP) can use NETCONF protocol as a method for configuration of subscriber's Home/SOHO network devices as one of their service. The concept of the Home/SOHO network device configuration by the central management system, named as CallHome, is discussed in netconf WG about its required protocol procedures and its specification. 4.2. Network Operation Scenario Figure 7shows a NETCONF system usage example. In this example, when network topology changes occur, the NETCONF manager dynamically configures the routing protocol of the routers deployed in a carrier network. Atarashi, et al. Expires January 15, 2007 [Page 15] Internet-Draft Netconf System Architecture July 2006 +-----------------------+ | NETCONF Manager | +-----------------------+ | | ^ NETCONF | | | | | | SNMP Trap +-------------+ | | | | | Career Network +-------+---------------------+-----------------------------+ | | | | | | +-------------+ | | | | Core Router | | | | +-------------+ | | | / | \ | | | /- | \- | | | / | \ | | | / | \ | | | /- OSPF | OSPF \- OSPF | | | / | \ | | | / | \ | | | /- | \- | | v / | \ | | +-------------+ +-------------+ +-------------+ | | | Edge Router | | Edge Router | | Edge Router | | | +-------------+ +-------------+ +-------------+ | +-----------------------------------------------------------+ Figure 7: NETCONF system usage example The example system has a network manager, a core router and three edge routers. The manager and the routers have NETCONF protocol stack. The NETCONF manager is connected to the core router, and the core router accommodates the edge routers to form tree topologies. The core router and the edge routers exchange route information in the network by OSPF routing protocol. We assume that operator would add additional subnet by configuring the network interface of the left side edge router. The routing information of the additional route is distributed into the other routers via OSPF routing protocol. The core router receives the additional route information via OSPF and send it to the NETCONF manager via SNMP trap. In addition to the SNMP trap, the routers can notify the configuration change via the NETCONF notification. The NETCONF manager extracts, from the SNMP trap, the route information and ID of the origin edge router. The NETCONF manager configures the router according to the new route. For example, the Atarashi, et al. Expires January 15, 2007 [Page 16] Internet-Draft Netconf System Architecture July 2006 NETCONF manager configures filter of the router to restrict clients in newly added subnet to access a service. Receiving the SNMP trap, the NETCONF manager creates automatically the configuration data describing filter settings in XML and sends a RPC message including the configuration data in an element to the router. The router parses this RPC message and updates its filter settings. Figure 8 shows the message sequence between the NETCONF manager, the core router and the edge router when the new route is added to the edge router. Atarashi, et al. Expires January 15, 2007 [Page 17] Internet-Draft Netconf System Architecture July 2006 NETCONF Manger Core Router Edge Router | | | | Transport Initiation | | |<----------------------------------------------------------->| | | NECONF | | | | |------------------------------------------------------------>| | NETCONF | | | | | |<------------------------------------------------------------| | | | | | NETCONF | | | | |------------------------------------------------------------>| | NETCONF | | | | | |<------------------------------------------------------------| | | | | | +-------------+ | | | Route added | | | +-------------+ | SNMP Trap | OSPF | |<------------------------------|<----------------------------| | | | +-------------+ | | | RPC Message | | | | Generation | | | +---+---------+ | NETCONF | | | | |------------------------------------------------------------>| | | | | | +-------------------+ | | | NETCONF Operation | | | | Deployment | | NETCONF | +-------------------+ | | | |<------------------------------------------------------------| | | | | NETCONF | | | | | |<------------------------------------------------------------| | | | v v v Figure 8: NETCONF Sequence The NETCONF manager initiates NETCONF transport session with the edge Atarashi, et al. Expires January 15, 2007 [Page 18] Internet-Draft Netconf System Architecture July 2006 router. When the transport is opened, they exchange message including element. If the edge router has a capability of the NETCONF notification, the NETCONF manager creates subscription of the notification about configuration change. When an operator defines an additional network on the edge router, which creates new route, the core router and the edge router exchange the additional route information via OSPF. The core router sends an SNMP trap to the NETCONF manager about the route information update. Receiving the notification about the additional route via SNMP trap, the NETCONF manager generates an RPC message to configure filtering rules on the edge router. The NETCONF manager sends the message including element inside to the edge router via NETCONF protocol. The edge router analyzes the requested RPC from the NETCONF manager, and creates additional filtering rules on its configuration store according to the transported configuration data. If the edge router succeed to create the filtering rules, it sends message to the NETCONF manager including element in the message. In addition to this message, the edge router sends asynchronously a message to the NETCONF manager to notify the configuration change. By these interaction between the NETCONF manager and the network devices, integrated with the existing management means, we can automate network operation and reduce the administrative cost. Moreover, we can tighten security by the prompt configuration against the network incidents. Atarashi, et al. Expires January 15, 2007 [Page 19] Internet-Draft Netconf System Architecture July 2006 5. Event Notification Network management system may contain multiple network management protocols. Various event management protocols, SNMP, Syslog, IPFIX, RADIUS / DIAMETER, and etc., are specified according to the management information which operators want to obtain. Each protocol has optimized sequence, datamodel and message encoding format. When we construct a network management system, we do not need to choose NETCONF notification as the unified event notification protocol. Network management system is an organism composed of multiple management means. Important point is to integrate the multiple means to the management system and to choose appropriate management protocol for each event notification. 5.1. Comparison of Event Notification Protocols NETCONF Notification Addition, change, removal of configuration Addition, removal of a device component SNMP MIB-defined event Syslog Application independent event IPFIX Flow statistics information Sampled packets information Routing Protocol Link state information Route information RADIUS, DIAMETER Authentication, Authorization and Accounting (AAA) information Atarashi, et al. Expires January 15, 2007 [Page 20] Internet-Draft Netconf System Architecture July 2006 Proprietary Device independent management information As a general event notification means, SNMP and Syslog are widely deployed. These management protocols are widely applied to, not only a small network of a laboratory, but also enterprise's intra-network or carrier's service network. These protocols are designed as general-purpose protocol to transport various management information. SNMP trap transports almost all kinds of management information. The management information has hierarchical structure, and each information node is specified by Object Identifier. Syslog transports the notification mainly about status changes of the control processes and device components. It has no hierarchical datamodel. Its messages are described in human-readable format as the main use-case of the Syslog is message logging for operators. Unlike the general purpose protocols, IPFIX protocol, RADIUS / DIAMETER protocol and routing protocol are designed to transport flow statistics, AAA information and link state/route information, respectively. It is respective decision whether it adopt hierarchical structure for its datamodel and message format or not. In the NETCONF notification, as the NETCONF configuration, protocol messages and notification data are hierarchically described by XML so that the NETCONF manager can analyze easily the data and react automatically. The NETCONF notification conveys the event information about configurations, hardware and software on the NETCONF devices. When these components are added, removed or replaced, the NETCONF devices send the NETCONF notification message. The NETCONF notification, unlike IPFIX protocol, does not require large capacity for its transported message size and frequency. Change of configuration, hardware or software on the network device seldom occurs since it affects network service directly. A huge, or frequent notification message including many events means that the network or its device fell into terrible and unrecoverable condition. 5.2. Event Handling Architecture Figure 9 shows an example of the NETCONF manager handling the NETCONF configuration, NETCONF notification and other notification. The NETCONF notification and configuration use the same NETCONF transport including SSH, SOAP/HTTP or BEEP. Atarashi, et al. Expires January 15, 2007 [Page 21] Internet-Draft Netconf System Architecture July 2006 NETCONF Manager +-------------------------------------------------------+ | +-------------------------------------------------+ | | | | | | | NETCONF Application | | | | | | | +-------------------------------------------------+ | | +---------------+ +--------------+ +--------------+ | | | NETCONF | | NETCONF | | Other | | | | Configuration | | Notification | | Notification | | | |+-------------+| | | | | | | || Operation || | | | | | | |+-------------+| | | | | | | |+-------------+| | | | | | | || RPC || | | | | | | |+-------------+| | | | | | | +---------------+ +--------------+ | | | | +--------------------------------+ | | | | | NETCONF Transport | | | | | | +-----+ +------+ +------+ | | | | | | | SSH | | SOAP | | BEEP | | | | | | | +-----+ +------+ +------+ | | | | | +--------------------------------+ +--------------+ | | | ^ ^ ^ ^ | | | | | | | | +-------+--+----------+---------------------+-----+-----+ | | | | | | | | | |Event | | | | |Notification NETCONF| | NETCONF |NETCONF | +----+ RPC | | RPC |Event | | |Other NMS request| | reply |Notification | | | | | | | +----+ | | | | ^ v | | | | +------------------------------------------------+ | NETCONF Device | +------------------------------------------------+ Figure 9: Notification Handling on the Network Manager This NETCONF manager handles, in addition to the NETCONF notification, other event notifications on each transport protocol. The other notifications comes directly from the NETCONF devices or indirectly from other management server. Operators should select the notification method to suit the event. Atarashi, et al. Expires January 15, 2007 [Page 22] Internet-Draft Netconf System Architecture July 2006 The NETCONF application integrates the network events received by these multiple methods. According to the notification content, for example, router added, device status changed, or flow threshold exceeded, the NETCONF application selects the countermeasure and apply it to the corresponding devices via the NETCONF configuration. Atarashi, et al. Expires January 15, 2007 [Page 23] Internet-Draft Netconf System Architecture July 2006 6. Security Considerations The NETCONF system treats configurations of the network devices. The configuration data is important and critical by nature. It can reveal the network topology, address assignment, administrator's password, flow filtering policy, user authentication policy, and so on. So, it requires us to consider the security model for the NETCONF system. To consider the security model of the NETCONF system, we need to clarify the possible threats in the system. We can assume following threats on the NETCONF system. 6.1. Configuration Sniffing Threat: The configuration data can be sniffed on the route between a NETCONF manager and a network device. Solution: The NETCONF system can use data encryption for the transported message. We can use SSH/SSL/TSL for encryption in the transport layer. Also, we can use XML encryption (XML-ENC) [15] in the content layer. 6.2. Spoofing of the NETOCNF Manager Threat: The network devices receive their configuration data from the NETCONF manager. If a spoofing NETCONF manager sends the untruth configuration data, the network device falls into inappropriate behaviour and the network are confused. Solution: The NETCONF system can use authentication of the NETCONF manager. At the session initiation stage, The NETCONF device can justify the manager by authentication method of the SSH/SSH/TLS transport protocols. Also, the NETCONF device can justify the RPC message generated by the NETCONF manager by XML signature [12]. 6.3. Spoofing of the NETCONF Device Threat: If the NETCONF system is configured to automatically start NETCONF session with the newly added NETCONF device, the malicious user can obtain the configuration data by introducing his computer pretending to be NETCONF device. Not only the malicious user, proper users are possible to connect their network devices to the network. Atarashi, et al. Expires January 15, 2007 [Page 24] Internet-Draft Netconf System Architecture July 2006 Solution: Same as the authentication of the NETCONF manager, the NETCONF system can use authentication of the NETCONF device. The NETCONF manager prepares the database of the proper devices and justifies the newly added devices in the initiation session, for example, in the SSH/SSL/TLS transport initiation stage, or in the message exchange stage. When the NETCONF system uses the SOAP/HTTP as the transport method, the system can adopt HTTP over TLS [11] concept to improve its security. The HTTP over TLS mechanism is widely deployed to existing implementation of HTTP server and application server. NETCONF system implementors can reduce implementation cost by these existing resource. Atarashi, et al. Expires January 15, 2007 [Page 25] Internet-Draft Netconf System Architecture July 2006 7. IANA Considerations This document has no actions for IANA. Atarashi, et al. Expires January 15, 2007 [Page 26] Internet-Draft Netconf System Architecture July 2006 8. References 8.1. Normative References [1] Schoenwaelder, J., "Overview of the 2002 IAB Network Management Workshop", RFC 3535, May 2003. [2] Enns, R., "NETCONF Configuration Protocol", draft-ietf-netconf-prot-12 (work in progress), March 2006. [3] Wasserman, M. and T. Goddard, "Using the NETCONF Configuration Protocol over Secure Shell (SSH)", draft-ietf-netconf-ssh-06 (work in progress), March 2006. [4] Goddard, T., "Using the Network Configuration Protocol (NETCONF) Over the Simple Object Access Protocol (SOAP)", draft-ietf-netconf-soap-08 (work in progress), March 2006. [5] Lear, E. and K. Crozier, "Using the NETCONF Protocol over Blocks Extensible Exchange Protocol (BEEP)", draft-ietf-netconf-beep-10 (work in progress), March 2006. [6] Chisholm, S., "NETCONF Event Notifications", draft-ietf-netconf-notification-02 (work in progress), June 2006. [7] Adwankar, S. and S. Chisholm, "Framework for Netconf Content", draft-chisholm-netconf-model-05 (work in progress), April 2006. 8.2. Informative References [8] Bradner, S. , "Key words for use in RFCs to Indicate Requirement Levels" , BCP 14 , RFC 2119 , March 1997 . [9] Harrington, D. , Presuhn, R. , and B. Wijnen , "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks" , STD 62 , RFC 3411 , December 2002 . [10] Harrington, D. and J. Schoenwaelder , "Transport Mapping Security Model (TMSM) Architectural Extension for the Simple Network Management Protocol (SNMP)" , draft-ietf-isms-tmsm-02 (work in progress) , May 2006 . [11] Rescorla, E. , "HTTP Over TLS" , RFC 2818 , May 2000 . [12] Eastlake, D. , Reagle, J. , and D. Solo , "XML-Signature Syntax and Processing" , RFC 3075 , March 2001 . Atarashi, et al. Expires January 15, 2007 [Page 27] Internet-Draft Netconf System Architecture July 2006 [13] Orchard, D. , Maler, E. , and S. DeRose , "XML 1.0 Recommendation" , World Wide Web Consortium FirstEdition http://www.w3.org/TR/1998/REC-xml-19980210 , February 1998 . [14] Clark, J. , "XSL Transformations (XSLT) Version 1.0" , World Wide Web Consortium Recommendation http://www.w3.org/TR/1999/REC-xslt-19991116 , November 1999 . [15] Eastlake, D. and J. Reagle , "XML Encryption Syntax and Processing" , World Wide Web Consortium Recommendation http:// www.w3.org/TR/2002/REC-xmlenc-core-20021210 , December 2002 . [16] Robie, J. , Byrne, S. , Hegaret, P. , Hors, A. , Wood, L. , Nicol, G. , and M. Champion , "Document Object Model (DOM) Level 3 Core Specification" , World Wide Web Consortium Recomme ndation http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407 , April 2004 . [17] "Simple API for XML (SAX)" . Atarashi, et al. Expires January 15, 2007 [Page 28] Internet-Draft Netconf System Architecture July 2006 Authors' Addresses Ray S. Atarashi Internet Initiative Japan Inc. Jinbocho Mitsui Bldg. 1-105 Kanda Jinbo-cho Chiyoda-ku, Tokyo 101-0051 Japan Phone: +81-3-5205-6464 Fax: +81-3-5205-6466 Email: ray@iijlab.net Hideki Okita Central Research Laboratory, Hitachi, Ltd. 1-280 Higashi-Koigakubo Kokubunji, Tokyo 185-8601 Japan Phone: +81-42-323-1111 Fax: +81-42-327-7868 Email: hideki.okita.pf@hitachi.com Yoshifumi Atarashi Alaxala Networks Co. Shin-Kawasaki Mitsui Bldg. 890 Saiwai-ku Kashimada Kawasaki, Kanagawa 212-0058 Japan Phone: +81-44-549-1200 Fax: +81-44-549-1272 Email: atarashi@alaxala.net Elisa Boschi Hitachi Europe SAS Immeuble Le Theleme 1503 Route des Dolines Valbonne 06560 France Phone: +33 4 89874180 Email: elisa.boschi@hitachi-eu.com Atarashi, et al. Expires January 15, 2007 [Page 29] Internet-Draft Netconf System Architecture July 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Atarashi, et al. Expires January 15, 2007 [Page 30]