Network Working Group R. Enns, Editor Internet-Draft Juniper Networks Expires: August 13, 2003 February 12, 2003 XMLCONF Configuration Protocol draft-enns-xmlconf-spec-00 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 13, 2003. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract There is a need for standardized mechanisms to manipulate, install, edit, and delete the configuration of a network device. In addition, there is a need to retrieve device state information and receive asynchronous device state messages in a manner consistent with the configuration mechanisms. There is great interest in using an XML based data encoding because a significant set of tools for manipulating ASCII text and XML encoded data already exists. Enns, Editor Expires August 13, 2003 [Page 1] Internet-Draft XMLCONF Protocol February 2003 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1 Protocol Overview . . . . . . . . . . . . . . . . . . . . . 6 1.1.1 Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2 Separation of Configuration and State Data . . . . . . . . . 7 1.3 Executive Commands . . . . . . . . . . . . . . . . . . . . . 8 1.4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 8 1.4.1 Configuration Session . . . . . . . . . . . . . . . . . . . 8 2. Transport Protocol Requirements . . . . . . . . . . . . . . 9 2.1 Connection-based . . . . . . . . . . . . . . . . . . . . . . 9 2.2 Security and Privacy . . . . . . . . . . . . . . . . . . . . 9 2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . 9 2.4 Channels . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.4.1 Management Channel . . . . . . . . . . . . . . . . . . . . . 10 2.4.2 Operation Channel . . . . . . . . . . . . . . . . . . . . . 11 2.4.3 Notification Channel . . . . . . . . . . . . . . . . . . . . 11 3. RPC Model . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.1 Namespace . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.3 . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4 . . . . . . . . . . . . . . . . . . . . . . . . 14 3.5 . . . . . . . . . . . . . . . . . . . . . 14 3.6 . . . . . . . . . . . . . . . . . . . . . . . . 14 3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.8 . . . . . . . . . . . . . . . . . . . . . . . 15 3.9 Pipelining . . . . . . . . . . . . . . . . . . . . . . . . . 16 4. Configuration Model . . . . . . . . . . . . . . . . . . . . 17 4.1 Configuration Datastores . . . . . . . . . . . . . . . . . . 17 5. Protocol Operations . . . . . . . . . . . . . . . . . . . . 18 5.1 . . . . . . . . . . . . . . . . . . . . . . . . 18 5.2 . . . . . . . . . . . . . . . . . . . . . . . 21 5.3 . . . . . . . . . . . . . . . . . . . . . . . 23 5.4 . . . . . . . . . . . . . . . . . . . . . . 25 5.5 . . . . . . . . . . . . . . . . . . . . . . . . 26 5.6 . . . . . . . . . . . . . . . . . . . . . . . 27 6. Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 29 6.1 Capabilities Exchange . . . . . . . . . . . . . . . . . . . 29 6.2 Writable Running . . . . . . . . . . . . . . . . . . . . . . 30 6.2.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 30 6.2.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 30 6.2.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 30 6.2.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 30 6.2.5 Modifications to Existing Operations . . . . . . . . . . . . 30 6.3 Candidate Configuration . . . . . . . . . . . . . . . . . . 31 6.3.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 32 Enns, Editor Expires August 13, 2003 [Page 2] Internet-Draft XMLCONF Protocol February 2003 6.3.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 32 6.3.5 Modifications to Existing Operations . . . . . . . . . . . . 33 6.4 Validate Capability . . . . . . . . . . . . . . . . . . . . 35 6.4.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 35 6.4.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 35 6.4.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 35 6.4.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 35 6.5 Distinct Startup . . . . . . . . . . . . . . . . . . . . . . 36 6.5.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 36 6.5.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 36 6.5.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 36 6.5.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 37 6.5.5 Modifications to Existing Operations . . . . . . . . . . . . 37 6.6 Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.6.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 37 6.6.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 38 6.6.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 38 6.6.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 38 6.7 Notifications . . . . . . . . . . . . . . . . . . . . . . . 40 6.7.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 41 6.7.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 41 6.7.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 41 6.7.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 41 6.8 URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6.8.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 43 6.8.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 43 6.8.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 43 6.8.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 43 6.8.5 Modifications to Existing Operations . . . . . . . . . . . . 43 7. XML Usage Guidelines for XMLCONF . . . . . . . . . . . . . . 45 7.1 Canonical XML . . . . . . . . . . . . . . . . . . . . . . . 45 7.2 Additional Restrictions . . . . . . . . . . . . . . . . . . 46 7.2.1 Avoid mixed content . . . . . . . . . . . . . . . . . . . . 46 7.2.2 No attributes in the default namespace . . . . . . . . . . . 46 7.2.3 Use container elements for lists . . . . . . . . . . . . . . 47 7.2.4 Elements and Attributes . . . . . . . . . . . . . . . . . . 47 7.2.5 Proper Tag Names . . . . . . . . . . . . . . . . . . . . . . 47 7.2.6 Namespaces . . . . . . . . . . . . . . . . . . . . . . . . . 48 8. BEEP Mapping . . . . . . . . . . . . . . . . . . . . . . . . 50 8.1 XMLCONF Session Initiation . . . . . . . . . . . . . . . . . 50 8.2 XMLCONF RPC Execution . . . . . . . . . . . . . . . . . . . 50 8.3 XMLCONF and . . . . . . . . . . . 51 8.4 XMLCONF Session Teardown . . . . . . . . . . . . . . . . . . 51 8.5 BEEP Profiles for XMLCONF Channels . . . . . . . . . . . . . 51 8.5.1 Management Channel Profile . . . . . . . . . . . . . . . . . 51 8.5.2 Operations Channel Profile . . . . . . . . . . . . . . . . . 53 8.5.3 Notification Channel Profile . . . . . . . . . . . . . . . . 55 9. XML Schema for XMLCONF RPC and Protocol Operations . . . . . 56 Enns, Editor Expires August 13, 2003 [Page 3] Internet-Draft XMLCONF Protocol February 2003 10. XML Schema for XMLCONF State Data . . . . . . . . . . . . . 62 11. Security Considerations . . . . . . . . . . . . . . . . . . 65 12. Authors and Acknowledgements . . . . . . . . . . . . . . . . 66 Normative References . . . . . . . . . . . . . . . . . . . . 67 Informative References . . . . . . . . . . . . . . . . . . . 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . 68 A. Capability Template . . . . . . . . . . . . . . . . . . . . 69 A.1 capability-name (template) . . . . . . . . . . . . . . . . . 69 A.1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 69 A.1.2 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . 69 A.1.3 Capability and Namespace . . . . . . . . . . . . . . . . . . 69 A.1.4 New Operations . . . . . . . . . . . . . . . . . . . . . . . 69 A.1.5 Modifications to Existing Operations . . . . . . . . . . . . 69 A.1.6 Interactions with Other Capabilities . . . . . . . . . . . . 69 B. Configuring Multiple Devices with XMLCONF . . . . . . . . . 70 B.1 Operations Against Individual Devices . . . . . . . . . . . 70 B.1.1 Acquiring the Configuration Lock . . . . . . . . . . . . . . 70 B.1.2 Loading the Update . . . . . . . . . . . . . . . . . . . . . 71 B.1.3 Validating the Incoming Configuration . . . . . . . . . . . 72 B.1.4 Checkpointing the Running Configuration . . . . . . . . . . 73 B.1.5 Changing the Running Configuration . . . . . . . . . . . . . 73 B.1.6 Testing the New Configuration . . . . . . . . . . . . . . . 74 B.1.7 Making the Change Permanent . . . . . . . . . . . . . . . . 74 B.1.8 Releasing the Configuration Lock . . . . . . . . . . . . . . 75 B.2 Operations Against Multiple Devices . . . . . . . . . . . . 75 Intellectual Property and Copyright Statements . . . . . . . 77 Enns, Editor Expires August 13, 2003 [Page 4] Internet-Draft XMLCONF Protocol February 2003 1. Introduction The XMLCONF protocol defines a simple mechanism through which a network device can be managed. Configuration data, state information, and system notifications can be retrieved. New configuration data can be uploaded and manipulated. The protocol allows the device to expose a full, formal, application programming interface (API). Applications can use this simple interface to send and receive full and partial configuration data sets. This mechanism uses a remote procedure call (RPC) paradigm to define a formal API for the device. A client encodes an RPC in XML [1] and sends it to a server using secure, connection-oriented session. The server responds with a reply encoded in XML. The contents of both the request and the response are fully described in XML DTDs and/or XML Schemas, allowing both parties to be cognizant of the syntax constraints imposed on the exchange. One of the key aspects of XMLCONF is an attempt to allow the functionality of the API to closely mirror the native functionality of the device. This will reduce implementation costs and allow timely access to new features. In addition, applications will be able to access the syntactic and semantic content of the device's native user interface. XMLCONF allows a client to discover the set of protocol extensions supported by the server. These "capabilities" permit the client to adjust its behavior to take advantage of the features exposed by the device. The capability definitions can be easily extended in a non-centralized manner. Standard and vendor-specific capabilities can be defined with semantic and syntactic rigor. The XMLCONF protocol is a building block in a system of automated configuration. XML is the lingua franca of interchange, providing a flexible but fully specified encoding mechanism for hierarchical content. XMLCONF can be used in concert with XML-based transformation technologies like XSLT to provide a system for automated generation of full and partial configurations. The system can query one or more databases for data on networking topologies, links, policies, customers, and services. This data can be transformed from a vendor independent data schema into a form that is specific to the vendor, product, operating system, and software release using one or more XSLT [9] scripts. The resulting data can be passed to the device using the XMLCONF protocol. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this Enns, Editor Expires August 13, 2003 [Page 5] Internet-Draft XMLCONF Protocol February 2003 document are to be interpreted as described in RFC 2119 [2]. 1.1 Protocol Overview XMLCONF uses a simple RPC-based mechanism to facilitate communication between a client and a server. The client will be a script or application typically running as part of a network manager. The server will be a network device. The terms device and server are used interchangeably in this document, as are client and application. XMLCONF can be conceptually partitioned into four layers: Layer Example +-------------+ +-----------------------------+ | Content | | Configuration data | +-------------+ +-----------------------------+ | | +-------------+ +-----------------------------+ | Operations | | , | +-------------+ +-----------------------------+ | | +-------------+ +-----------------------------+ | RPC | | , | +-------------+ +-----------------------------+ | | +-------------+ +-----------------------------+ | Transport | | BEEP, SSH, SSL, Console | +-------------+ +-----------------------------+ The transport layer provides a communication path between client and server. XMLCONF can be layered over any transport that provides a set of basic requirements. Section 2 discusses these requirements and Section 8 defines a transport mapping for running XMLCONF over BEEP. The RPC layer provides a simple, transport-independent framing mechanism for encoding RPCs. Section 3 documents this protocol. The operations layer defines a set of base operations invoked as RPC methods with XML-encoded parameters. Section 5 details the list of base operations. The content layer is outside the scope of this document. Given the current proprietary nature of the configuration data being manipulated, the specification of this content will depend on the device vendor. It is expected that a separate effort to specify a standard data definition language and standard content will be undertaken, independent of this effort. Enns, Editor Expires August 13, 2003 [Page 6] Internet-Draft XMLCONF Protocol February 2003 1.1.1 Capabilities An XMLCONF capability is a set of additional functionality implemented on top of the base XMLCONF specification. The capability is identified by a URI. These URIs should follow the guidelines as described in Section 6. Capabilities augment the base operations of the device, describing both additional operations and the content allowed inside operations. The client can discover the server's capabilities and use any additional operations, parameters, and content defined by those capabilities. The capability definition may name one or more dependent capabilities. These capabilities must be implemented before the first capability can function properly. To support a capability, the server MUST support any capabilities upon which it depends. Section 6 defines the capabilities exchange which allows the client to discover the server's capabilities. Section 6 also lists the set of capabilities defined in this document. Additional capabilities can be defined at any time in external documents, allowing the set of capabilities to grow over time. Standards bodies may define standardized capabilities and vendors may define proprietary ones. The URI MUST sufficiently distinguish the naming authority in order to avoid a naming collision. 1.2 Separation of Configuration and State Data The information that can be retrieved from a running system is separated into two classes, configuration data and state data. Configuration data is the set of writable data that is required to get a system from its initial default state into its current state. State data is the additional data on a system that isn't configuration data such as read-only status information and collected statistics. When performing configuration operations there are a number of problems that would arise if state data was included: o Diffs of configuration files would be dominated by irrelevant entries such as different statistics. o A command to load the file would contain nonsensical commands such as commands to write read-only data. o The configuration file would be too large. As a consequence, the XMLCONF protocol recognizes the difference Enns, Editor Expires August 13, 2003 [Page 7] Internet-Draft XMLCONF Protocol February 2003 between configuration data and state data and provides commands that operate on each independently. For example, the command will only retrieve configuration data while the command is used to retrieve state data. Note that the XMLCONF protocol is only concerned with information required to get the system software into its desired running state. Other important persistent data such as user files and databases are not treated as configuration data by the XMLCONF protocol. Similarly, the collection of configuration files stored on a system is not itself included in configuration data (e.g., a directory listing of the available configuration files). If a local database of user authentication data is stored on the box, it is an implementation dependent matter as to whether that is included in configuration data. 1.3 Executive Commands The XMLCONF protocol also provides for executive commands that perform other functions on the system that ease the process of configuring the system. Examples include resetting a line card, ping, traceroute, and debugging. 1.4 Terminology 1.4.1 Configuration Session The logical connection between a network administrator or network configuration application and a network device. A device will support one or more concurrent sessions. Global configuration attributes can potentially be changed during any session, and the affects are visible in all sessions. Session specific attributes only affect the session in which they are changed. Enns, Editor Expires August 13, 2003 [Page 8] Internet-Draft XMLCONF Protocol February 2003 2. Transport Protocol Requirements XMLCONF uses an RPC-based communication paradigm. A client sends a series of zero or more RPC request operations, which causes the server to respond with a corresponding series of RPC replies. The XMLCONF protocol can be layered upon any transport that provides the required set of functionality. It is not bound to any particular protocol, but allows a mapping to define how it can be implemented over any specific protocol. This document provides the mapping of XMLCONF to the BEEP protocol [7] in Section 8. Other mappings are outside the scope of this document and will be specified in associated protocol-mapping documents. This section details the characteristics that XMLCONF requires from the underlying protocol. 2.1 Connection-based XMLCONF is connection-oriented, requiring a persistent connection between peers. This connection must provide reliable, sequenced delivery of data. XMLCONF connections are long-lived, persisting between protocol operations. This allows the client to make changes to the state of the connection that will persist for the lifetime of the connection. For example, authentication information specified for a connection will remain in effect until the connection is closed. In addition, resources requested from the server for a particular connection can be automatically released when the connection closes, making failure recovery simpler and more robust. For example, when a lock is acquired by a peer, the lock persists until either explicitly released or the server is informed that the connection has been terminated. If a connection is terminated while the client holds a lock, the server can perform any appropriate recovery. 2.2 Security and Privacy XMLCONF connections must provide security and privacy. XMLCONF depends on the underlying protocol for this capability. An XMLCONF peer assumes that an appropriate level of security and privacy are provided independent of this document. For example, connections may be encrypted in TLS [4] (or SSH [11]) depending on the underlying protocol. 2.3 Authentication Enns, Editor Expires August 13, 2003 [Page 9] Internet-Draft XMLCONF Protocol February 2003 XMLCONF connections must be authenticated. The underlying protocol is responsible for this authentication. The peer assumes that the connection's authentication information has been validated by the underlying protocol using sufficiently trustworthy mechanisms and that the peer's entity can be trusted. One of the goals of XMLCONF is to provide a programmatic interface to the device which closely follows the functionality of the device's native interface. Therefore it is expected that the underlying protocol will use existing authentication mechanisms defined by the device. For example, a device that supports RADIUS [5] should use RADIUS to authenticate XMLCONF sessions. The authentication process should result in an entity whose permissions and capabilities are known to the device. These permissions must be enforced during the XMLCONF session. For example, if the native user interface restricts the users from changing the network interface configuration, the user should not be able to change this configuration data using XMLCONF. 2.4 Channels XMLCONF requires two distinct communication channels and an optional third channel. One channel, called the 'management channel', carries information for managing the XMLCONF session. The second channel, called the 'operation channel' carries a series of RPCs that constitute the real content of the XMLCONF session. The third channel, called the 'notification channel' is optional, and carries asynchronous notifications. This channel is only established if both parties request it during the initial capabilities exchange (see Section 6 for more information). 2.4.1 Management Channel The XMLCONF session is considered to start when the management channel is opened and ends when this channel is closed. If the operation channel is open when the management channel is closed, it should be closed immediately. Only one management channel can exist inside a particular session, although multiple sessions can be opened simultaneously. The management channel serves three main purposes: o Advertising the capabilities supported by each peer Enns, Editor Expires August 13, 2003 [Page 10] Internet-Draft XMLCONF Protocol February 2003 o Managing outstanding RPCs on operation channels (aborting them) o Sending progress reports 2.4.1.1 Managing Operation Channel Creation of the operation channel is a transport-specific matter. 2.4.1.2 Managing Outstanding RPCs The nature of XML data streams prohibits unrelated data from being intermingled with normal content. This implies that an operation must be managed by an external data path, to avoid intermixing the true content data from the management data. This is the origin of the requirement for multiple channels. 2.4.2 Operation Channel The operation channel is used to perform XMLCONF protocol operations using the and tags. The RPC Model is discussed in Section 3. The bulk of the work of XMLCONF is performed as RPCs over the operation channel. 2.4.3 Notification Channel The XMLCONF protocol allows for different notification profiles to be used. A specific profile must be supported by both peers in order for the notification mechanism defined in that profile to be used. This document specifies a mapping to the Reliable Delivery for Syslog messages. See Section 6 and RFC 3195 [8] for complete information. Enns, Editor Expires August 13, 2003 [Page 11] Internet-Draft XMLCONF Protocol February 2003 3. RPC Model The XMLCONF protocol uses an RPC-based communication model. XMLCONF peers use and elements to frame protocol requests and responses. The XMLCONF RPC model requires the use of and elements to provide transport-independent framing of protocol messages. 3.1 Namespace The , , elements are defined in the following namespace: http://ietf.org/xmlconf/1.0/base 3.2 The operation is used in both the management and operation channels. The operation has an optional attribute "id". The "id" attribute is an arbitrary string chosen by the sender of the RPC. This will commonly encode a monotonically increasing integer. The receiver of the RPC doesn't decode or interpret this string but simply saves it to use as an "id" attribute in any resulting , or messages. For example: ... The name and parameters for an RPC are encoded as the contents of the operation. The name of the RPC is an element directly inside the element and any parameters are encoded inside this element. This example invokes a method called 'my-own-method' with two parameters, "my-first-parameter" with a value of "14" and "another-parameter" with a value of "fred": Enns, Editor Expires August 13, 2003 [Page 12] Internet-Draft XMLCONF Protocol February 2003 14 fred This example invokes a "rock-the-house" method with a "zip-code" of "27606-0100": 27606-0100 This example invokes the "rock-the-world" method with no parameters: 3.3 The message is sent on the operations channel in response to a operation. The message has an optional attribute "id". The "id" attribute is equal to the "id" attribute of the for which this is a response. The response name and response data are encoded as the contents of the element. The name of the reply is an element directly inside the element and any data is encoded inside this element. For example: ... Enns, Editor Expires August 13, 2003 [Page 13] Internet-Draft XMLCONF Protocol February 2003 3.4 The operation is sent on the management channel by the sender of an who desires to terminate an operation before completion. The operation includes a required attribute "id". The "id" attribute shall be equal to the "id" attribute of the that should be terminated. The operation is encoded as an element with no subelements or data. For example: An message will be immediately sent on the management channel. If the indicated was in progress on the operations channel, it shall be terminated cleanly by closing all open elements. An element (see Section 3.6) should be added to the indicating the operation being aborted. If the has not yet begun, it should be sent containing an element. This must be sent in the proper order if multiple requests are pending. If there is no pending operation matching the "id" attribute, then the abort operation completes without error. The message can only be generated for requests which contain an "id" attribute. If multiple requests with the same "id" are present, then only the request which was received first by the peer will be aborted. 3.5 The message is sent on the management channel in response to an operation. The message has a required attribute "id". The "id" attribute is equal to the "id" attribute of the for which this is a response. The operation is encoded as an empty element. For example: 3.6 The element is emitted in messages if an error occurred during the processing of an request. Enns, Editor Expires August 13, 2003 [Page 14] Internet-Draft XMLCONF Protocol February 2003 The element includes the following information: o tag: The string identifying the error condition. o error-code: The integer identifying the error condition. o severity: The string identifying the error severity, as determined by the device. o edit-path: The configuration data that provides the context for the command that caused the error. This may be the empty string if the command causing the error is located at the top level of the command hierarchy. o statement: The command that caused the error. o message: A string describing the error condition. o action: The action taken by the device in response to this error. 3.7 The element is emitted in messages if no error occurred during the processing of an request. For example: 3.8 Some operations may take a long time to process before an can be generated or may generate an that takes a long time to transmit. If the recipient of an determines that the will not be generated and transmitted in less than N seconds, then it can send a progress report with the message. The number of seconds, N, is implementation-dependent. The message is sent on the management channel. It has an mandatory attribute "id". The "id" attribute is equal to the "id" attribute of the associated on which progress is being reported. The message can only be generated for requests which contain an "id" attribute. The contains one or more of the optional elements , , and . Enns, Editor Expires August 13, 2003 [Page 15] Internet-Draft XMLCONF Protocol February 2003 The element contains an estimate of the percentage of the operation that is complete in terms of real time (i.e., wall clock time). For example: 45 The element contains an absolute quantity indicating an amount of work completed. For example: 45Kb The element contains a text message indicating progress on the associated . For example: Connecting... Connected. Multiple messages may be sent for a particular . 3.9 Pipelining The operations channel is processed serially by the managed device. Additional requests may be sent before previous ones have been completed but they will just be added to the queue for that channel. On any given operations channel, the managed device may only send responses in the order the requests were received. Messages may be received asynchronously on the notification channel. Enns, Editor Expires August 13, 2003 [Page 16] Internet-Draft XMLCONF Protocol February 2003 4. Configuration Model XMLCONF provides an initial set of operations and a number of capabilities that can be used to extend the base. XMLCONF peers exchange device capabilities at session initiation as described in Section 6.1. 4.1 Configuration Datastores XMLCONF defines the existence of one or more configuration datastores and allows configuration operations on these datastores. A configuration datastore is defined as the complete set of configuration data that is required to get a device from its initial default state into a desired operational state. The configuration datastore does not include state data or executive commands. The following configuration datastores are present in the base model. Capabilities may define additional configuration datastores. These datastores are only available on devices that advertise the capabilities that define them. Running: The complete configuration currently active on the network device. There is only one configuration datastore of this type on the device, and it is always present. XMLCONF protocol operations refer to this datastore using the element. Enns, Editor Expires August 13, 2003 [Page 17] Internet-Draft XMLCONF Protocol February 2003 5. Protocol Operations The XMLCONF protocol provides a small set of low level operations to manage device configurations and retrieve device state information. The base protocol provides operations to retrieve, configure, copy, and delete configuration datastores. Additional operations are provided, based on the capabilities advertised by the device. The base protocol includes the following protocol operations: o get-config o edit-config o copy-config o delete-config o get-state o kill-session A protocol operation may fail for various reasons, including 'operation not supported'. An initiator should not assume that any operation will always succeed. The return values in any RPC reply should be checked for error responses. The syntax and XML encoding of the protocol operations are formally defined in the XML schema in Section 9. The following sections describe the semantics of each protocol operation. 5.1 Description: Retrieve all or part of a specified configuration Parameters: source: @config-name Name of the configuration datastore being queried such as or . config: @element-subtree Enns, Editor Expires August 13, 2003 [Page 18] Internet-Draft XMLCONF Protocol February 2003 Specifies the portion(s) of the configuration command subtree to retrieve. The namespace of this configuration should be specified as an attribute of this parameter. If this parameter is empty, then the entire configuration will be returned. If the format parameter is equal to 'text' then the contents of this parameter are proprietary. format: (xml | text) Specifies the format of the return text, either 'xml' or 'text'. If this parameter contains the value 'xml', then the contents of the 'config' parameter are expected to conform to the XML Namespace(s) specified in that parameter. If the value is 'text', then the contents of the 'config' parameter are proprietary. Positive Response: If the device is able to satisfy the request, the server emits an containing a with the results of the query. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: Enns, Editor Expires August 13, 2003 [Page 19] Internet-Draft XMLCONF Protocol February 2003 xml root superuser fred admin barney admin The following example shows how additional nesting within the parameter can be used to filter more of the output in the response: Enns, Editor Expires August 13, 2003 [Page 20] Internet-Draft XMLCONF Protocol February 2003 fred xml fred admin 5.2 Description: Load all or part of a specified configuration to the specified target configuration. This operation allows the new configuration to be expressed in several ways, such as via a local file, a remote file, or inline. If the target configuration does not exist, then it will be created. The device will analyze the source and target configurations and perform the requested changes. The target configuration is not simply replaced, as with the command. Parameters: target: @config-name Enns, Editor Expires August 13, 2003 [Page 21] Internet-Draft XMLCONF Protocol February 2003 The configuration datastore being set, such as . test-option: (test-then-set | set) [default: set] test-then-set: perform a validation test before attempting to set; skip set if any errors set: perform a set without a validation test first This option may only be specified if the device advertises the #validate capability (Section 6.4). write-option: (merge | replace | overwrite) [default: merge] merge: The configuration data identified by the config parameter will be merged with the configuration identified by the target parameter. replace: The configuration data identified by the config parameter will replace any related commands in the configuration identified by the target parameter. Unlike a operation, which replaces the entire target configuration, only the commands actually present via the config parameter will be affected. overwrite: The configuration data identified by the config parameter will replace all configuration in the configuration datastore identified by the target parameter. error-option: (stop-on-error | ignore-error) [default: stop-on-error] stop-on-error: abort the rpc request on first error ignore-error: continue to process configuration data on error; error will be recorded and negative response will be generated if any errors config: @element-tree Specifies the portion(s) of the configuration subtree to set. The namespace of this configuration should be specified as an attribute of this parameter. Positive Response: Enns, Editor Expires August 13, 2003 [Page 22] Internet-Draft XMLCONF Protocol February 2003 If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An response is emitted if the request cannot be completed for any reason. Example: test-then-set replace stop-on-error
1.2.3.4 255.0.0.0
5.3 Description: This operation is used to create or replace an entire configuration file with the contents of another complete configuration file. If the target file exists, then it will be overwritten, otherwise a new file will be created. A device may choose not to support the configuration datastore as the parameter of a operation. A device may choose not to support remote to remote copy operations. The source and target parameters cannot identify the same file. Enns, Editor Expires August 13, 2003 [Page 23] Internet-Draft XMLCONF Protocol February 2003 The device may choose not to support format conversions with this operation. The running and startup configurations are considered to be format-neutral, but all other configuration files are created in a specific format (text or XML). A copy operation on any these format-specific files may fail if the format parameter specifies a value different than the source file format. It is suggested that the format parameter be omitted in this type of operation, in order to select the source file format. Parameters: source: @config-name | config Name of the configuration datastore to use as the source of the copy operation, or the element containing the configuration subtree to copy. target: @config-name Name of the configuration datastore to use as the destination of the copy operation format: (xml | text) [Default: xml] Specifies the format of the configuration file, either 'xml' or 'text'. The format of the source and target configurations must match. The configuration datastores (e.g., ) will match either format. Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: Enns, Editor Expires August 13, 2003 [Page 24] Internet-Draft XMLCONF Protocol February 2003 ftp://example.com/configs/testbed-dec10.txt text 5.4 Description: This operation is used to delete a specified configuration datastore. The configuration file cannot be deleted. Parameters: target: @config-name Name of the configuration datastore to delete Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: Enns, Editor Expires August 13, 2003 [Page 25] Internet-Draft XMLCONF Protocol February 2003 5.5 Description: This protocol operation is used to retrieve device state information. Section 10 contains the XML schema for XMLCONF state data. Parameters: state: (@element-subtree | text) If the parameter is equal to 'xml', then this parameter specifies the portion(s) of the system state subtree to retrieve. The namespace of this configuration should be specified as an attribute of this parameter. If the parameter is equal to 'text', then the contents of this parameter are proprietary. If this parameter is empty, then all the device state information will be returned. format: (xml | text) Specifies the format of the parameter and the return text, either 'xml' or 'text'. Positive Response: If the device was able to satisfy the request, then an is emitted. The section will be filled in with the appropriate subset(s). Negative Response: Enns, Editor Expires August 13, 2003 [Page 26] Internet-Draft XMLCONF Protocol February 2003 An element is emitted within the if the request cannot be completed for any reason. Example: xml 9456823 1228484566 4326 4821050 634712154 2096 5.6 Description: Force the termination of an XMLCONF session. Parameters: session-id: (Positive Integer) Session identifier of the XMLCONF session to be terminated. If this value is equal to the current session ID, then a 'Bad Value' error will be emitted. Enns, Editor Expires August 13, 2003 [Page 27] Internet-Draft XMLCONF Protocol February 2003 Positive Response: If the device was able to satisfy the request, then an is emitted, containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: 4 Enns, Editor Expires August 13, 2003 [Page 28] Internet-Draft XMLCONF Protocol February 2003 6. Capabilities This section defines a set of capabilities which a client or a server MAY implement. Each peer advertises its capabilities by sending them during an initial capabilities exchange. Each peer only needs to understand capabilities that it might use and must be able to process and ignore any capability received from the other peer that it does not require or does not understand. Additional capabilities can be defined using the template in Appendix A. Future capability definitions may be published as standards by standards bodies or published as propriety by vendors. A capability is identified with a URI, in the form: http://{naming authority}/{protocol}/{version}/{category}#{name} Capabilities defined in this document have the following format: http://ietf.org/xmlconf/1.0/base#{name} where {name} is the name of the capability. These are often referenced in discussions and email using the shorthand #{name}. For example, the foo capability would have the formal name "http:// ietf.org/xmlconf/1.0/base#foo" and be called "#foo". The shorthand form MUST NOT be used inside the protocol. 6.1 Capabilities Exchange An XMLCONF capability is a set of additional functionality implemented on top of the base XMLCONF specification. The capability is distinguished by a URI. These URIs should follow the guidelines as described in Section 7.2.6. Capabilities are advertised in messages sent on the management channel at startup. When the management channel is opened, each peer sends a element containing a list of that peer's capabilities. This example has the peer advertising the base XMLCONF capability, one XMLCONF capability defined in the base XMLCONF document, and one vendor-specific capability. Enns, Editor Expires August 13, 2003 [Page 29] Internet-Draft XMLCONF Protocol February 2003 http://ietf.org/xmlconf/1.0/base http://ietf.org/xmlconf/1.0/base#lock http:/example.net/router/2.3/core#cool-feature Each peer sends their element simultaneously as soon as the connection is open. A peer may not wait to receive the capability set from the other side before sending their own set. 6.2 Writable Running 6.2.1 Description The #writable-running capability indicates that the device supports writes directly to the configuration datastore. In other words, if present it means that the device supports edit-config and copy-config operations where the configuration is the target. 6.2.2 Dependencies None. 6.2.3 Capability and Namespace The #writable-running capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#writable-running The #writable-running capability uses the base XMLCONF namespace URI. 6.2.4 New Operations None. 6.2.5 Modifications to Existing Operations 6.2.5.1 The #writable-running capability modifies the operation to accept the element as a . 6.2.5.2 Enns, Editor Expires August 13, 2003 [Page 30] Internet-Draft XMLCONF Protocol February 2003 The #writable-running capability modifies the operation to accept the element as a . 6.3 Candidate Configuration 6.3.1 Description The candidate configuration capability (#candidate) indicates that the device supports a candidate configuration datastore, which is used to hold configuration data that can manipulated without impacting the device's current configuration. The candidate configuration is a full configuration data set which serves as a work place for creating a manipulating configuration data. Additions, deletions, and changes may be made to this data to construct the desired configuration data. A operation may be performed at any time which causes the device's running configuration to be set to the value of the candidate configuration. The candidate configuration can be used as a source or target of any operation with a or parameter. The element is used to indicate that candidate configuration: The candidate configuration may be shared amongst multiple sessions. Unless a client has specific information that the candidate configuration is not shared (e.g. via another capability), it must assume that other sessions may be able to modify the candidate configuration at the same time. It is therefore prudent for a client to lock the candidate configuration before modifying it. The client can discard any changes since the last operation by executing the operation. The candidate configuration's content will revert to the current committed configuration. 6.3.2 Dependencies The #candidate capability requires the #lock capability be implemented. Manipulation of a candidate configuration without a locking mechanism is considered dangerous. Enns, Editor Expires August 13, 2003 [Page 31] Internet-Draft XMLCONF Protocol February 2003 6.3.3 Capability and Namespace The #candidate capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#candidate The #candidate capability uses the base XMLCONF namespace URI. 6.3.4 New Operations 6.3.4.1 Description: When a candidate configuration's content is complete, the configuration data can be committed, publishing the data set to the rest of the device and requesting the device to conform to the behavior described in the new configuration. To commit the candidate configuration as the device's new current configuration use the operation. The operation instructs the device to implement the configuration data contained in the candidate configuration. If the system does not have the #candidate capability, then this operation will not be available. Parameters: confirmed: The element indicates that the operation MUST be reverted if a confirming commit is not issued within ten (10) minutes. The timeout period can be adjusted with the element. confirmed-timeout: Timeout period for confirmed commit, in minutes. Positive Response: If the device was able to satisfy the request, then an is emitted containing the element. Enns, Editor Expires August 13, 2003 [Page 32] Internet-Draft XMLCONF Protocol February 2003 Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: 20 6.3.4.2 If the client decides that the candidate configuration should not be committed, the operation can be used to revert the candidate configuration back to the current committed configuration. This operation will discard any uncommitted changes. 6.3.5 Modifications to Existing Operations 6.3.5.1 and The candidate configuration can be locked by using the operation with the element at the parameter: Enns, Editor Expires August 13, 2003 [Page 33] Internet-Draft XMLCONF Protocol February 2003 Devices implementing the #candidate capability WILL NOT allow a configuration lock to be acquired when there are outstanding changes to the candidate configuration. An error WILL be returned and that status of the lock will remain unchanged. When a client fails with outstanding changes to the candidate configuration, recovery can be painful. To facility easy recovery, the #candidate capability adds a element to the operation. If this element contains the value "automatic", any outstanding changes will be discarded when the lock is released, whether explicitly with the operation or implicitly from session failure. automatic 6.3.5.2 and The candidate configuration is the default target for the and operations. It may be explicitly named via the element: Enns, Editor Expires August 13, 2003 [Page 34] Internet-Draft XMLCONF Protocol February 2003 6.4 Validate Capability 6.4.1 Description Validation consists of checking a candidate configuration for syntax or semantic errors before applying the configuration to the device. If this capability is advertised, the device supports the protocol operation and will check (at least) for syntax errors. In addition, it supports the validate parameter to the operation and when it is provided will check (at least) for syntax errors. 6.4.2 Dependencies None. 6.4.3 Capability and Namespace The #validate capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#validate The #validate capability uses the base XMLCONF namespace URI. 6.4.4 New Operations 6.4.4.1 Description: This protocol operation is used to validate the contents of the specified configuration. Parameters: source: @config-name Name of the configuration datastore being validated, such as . Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Enns, Editor Expires August 13, 2003 [Page 35] Internet-Draft XMLCONF Protocol February 2003 Negative Response: An element is emitted within the if the request cannot be completed for any reason. A validate operation can fail for any of the following reasons: * syntax errors * missing parameters * references to undefined configuration data Example: 6.5 Distinct Startup 6.5.1 Description The device supports separate running and startup configuration datastores. Operations which affect the running configuration will not be automatically copied to the startup configuration. An explicit operation from the to the must be invoked to update the startup configuration to the current contents of the running configuration. XMLCONF protocol operations refer to the startup datastore using the element. 6.5.2 Dependencies None. 6.5.3 Capability and Namespace The #startup capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#startup Enns, Editor Expires August 13, 2003 [Page 36] Internet-Draft XMLCONF Protocol February 2003 The #startup capability uses the base XMLCONF namespace URI. 6.5.4 New Operations None. 6.5.5 Modifications to Existing Operations 6.5.5.1 To save the startup configuration, use the copy-config command to copy the configuration datastore to the configuration datastore. text 6.6 Lock 6.6.1 Description The #lock capability allows the client to lock the configuration system of a device. Such locks are intended to be short-lived and allow a client to make a change without fear of interaction with other XMLCONF clients, non-XMLCONF clients (SNMP and Expect scripts) and human users. An attempt to lock the configuration MUST fail if an existing session currently holds the lock. When the lock is acquired, the server MUST prevent any changes to the locked resource other than those requested by this session. SNMP and CLI requests to modify the resource MUST fail with an appropriate error. The duration of the lock is defined as beginning when the lock is acquired and lasting until either the lock is released or the XMLCONF session closes. The session closure may be explicitly performed by Enns, Editor Expires August 13, 2003 [Page 37] Internet-Draft XMLCONF Protocol February 2003 the client, or implicitly performed by the server based on criteria such as lack of network connectivity, failure of the underlying transport, or simple inactivity timeout. This criteria is dependent on the vendor's implementation and the underlying transport. The lock operation takes an optional parameter, target. If the target parameter is specified, it names the configuration that will be locked. If the target parameter is not specified, then all configurations will be locked. When a lock is active, and operations will be disallowed on the locked configuration(s) by any other session. Additionally, the system will ensure that these locked configuration resources will not be modified by other non-XMLCONF management operations such as SNMP and CLI. The command (at the RPC layer) can be used to force the release of a lock. 6.6.2 Dependencies None. 6.6.3 Capability and Namespace The #lock capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#lock The #lock capability uses the base XMLCONF namespace URI. 6.6.4 New Operations 6.6.4.1 Description: A configuration source can be locked by using the operation. A lock will not be granted if any of the following conditions are true: * a lock is already held by another session * the target configuration has already been modified and these changes have not been committed * lock capability not supported Enns, Editor Expires August 13, 2003 [Page 38] Internet-Draft XMLCONF Protocol February 2003 The server MUST respond with either an element or an . A lock will be released by the system if the session holding the lock is terminated for any reason. Parameters: target: @config-name [Optional] Name of the configuration datastore to lock. If this parameter is not present, than all configuration datastores will be locked. Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. This error response will include the session number of the lock owner (if failure due to lock already held). Example: 6.6.4.2 Description: The unlock operation is used to release a configuration lock, previously obtained with the operation. Enns, Editor Expires August 13, 2003 [Page 39] Internet-Draft XMLCONF Protocol February 2003 An unlock operation will not succeed if any of the following conditions are true: * the specified lock is not currently active * the session issuing the operation is not the same session that obtained the lock The server MUST respond with either an element or an . Parameters: target: @config-name [Optional] Name of the configuration datastore to unlock. If this parameter is not present, than all configuration datastores will be unlocked. An XMLCONF client is not permitted to unlock a configuration datastore that it did not lock. Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: 6.7 Notifications Enns, Editor Expires August 13, 2003 [Page 40] Internet-Draft XMLCONF Protocol February 2003 6.7.1 Description The #notifications capability indicates that the server supports the notification channel. This channel provides a mechanism for sending asynchronous notifications within the XMLCONF session. This channel can be used for events and system logging. 6.7.2 Dependencies None. 6.7.3 Capability and Namespace The #notifications capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#notifications The #notifications capability uses the base XMLCONF namespace URI. 6.7.4 New Operations 6.7.4.1 Description: Use the operation to request the notification channel with a specific set of parameters. If successful, the underlying protocol will open the notification channel with the appropriate parameters. Parameters: format: format Indicates the format of the notification channel. The only legal value is "rfc3195". matching: match-expression [Optional] An optional parameter that limits notifications sent on the channel to those matching the match-expression. Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Enns, Editor Expires August 13, 2003 [Page 41] Internet-Draft XMLCONF Protocol February 2003 Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: rfc3195 match-expression 6.7.4.2 Description: Use the operation to close the notification channel. If successful, the underlying protocol will close the notification channel. Positive Response: If the device was able to satisfy the request, then an is emitted containing an element. Negative Response: An element is emitted within the if the request cannot be completed for any reason. Example: Enns, Editor Expires August 13, 2003 [Page 42] Internet-Draft XMLCONF Protocol February 2003 6.8 URL 6.8.1 Description The XMLCONF peer has the ability to accept the element in and parameters. The capability is further distinguished by URL arguments indicating the protocols supported. 6.8.2 Dependencies None. 6.8.3 Capability and Namespace The #url capability is distinguished by the following capability string: http://ietf.org/xmlconf/1.0/base#url?protocol={protocol-name,...} The #url capability uses the base XMLCONF namespace URI. The #url capability URI MUST contain a "protocol" argument assigned a comma-separated list of protocol names indicating which protocols the XMLCONF peer supports. For example: http://ietf.org/xmlconf/1.0/base#url?protocol=http,ftp,file The #url capability uses the base XMLCONF namespace URI. 6.8.4 New Operations None. 6.8.5 Modifications to Existing Operations 6.8.5.1 The #url capability modifies the operation to accept the element as the parameter. 6.8.5.2 The #url capability modifies the operation to accept the element as the value of the the and the parameters. 6.8.5.3 Enns, Editor Expires August 13, 2003 [Page 43] Internet-Draft XMLCONF Protocol February 2003 The #url capability modifies the operation to accept the element as the value of the the parameters. If this parameter contains a URL, then it should identify a local configuration file. 6.8.5.4 The #url capability modifies the operation to accept the element as the value of the the parameter. Enns, Editor Expires August 13, 2003 [Page 44] Internet-Draft XMLCONF Protocol February 2003 7. XML Usage Guidelines for XMLCONF XML serves as an encoding format for XMLCONF, allowing complex hierarchical data to be expressed in a text format that can be read, saved, and manipulated with both traditional text tools and tools specific to XML. In order to simplify manipulation of XMLCONF content, use of XML is restricted to a simple subset described in this section. 7.1 Canonical XML XMLCONF's use of XML follows the rules specified by Canonical XML (RFC 3076 [6]). These rules were meant to make XML appear in a consistent form, suitable for string comparison. Many of XML's more marginal constructs are excluded, allowing simple parsers to avoid implementation issues for rarely-used features. RFC 3076 summarizes the changes required by Canonical XML as follows: The canonical form of an XML document is physical representation of the document produced by the method described in this specification. The changes are summarized in the following list: * The document is encoded in UTF-8 * Line breaks normalized to #xA on input, before parsing * Attribute values are normalized, as if by a validating processor * Character and parsed entity references are replaced * CDATA sections are replaced with their character content * The XML declaration and document type declaration (DTD) are removed * Empty elements are converted to start-end tag pairs * Whitespace outside of the document element and within start and end tags is normalized * All whitespace in character content is retained (excluding characters removed during line feed normalization) * Attribute value delimiters are set to quotation marks (double quotes) Enns, Editor Expires August 13, 2003 [Page 45] Internet-Draft XMLCONF Protocol February 2003 * Special characters in attribute values and character content are replaced by character references * Superfluous namespace declarations are removed from each element * Default attributes are added to each element * Lexicographic order is imposed on the namespace declarations and attributes of each element See [RFC 3076 [6]] for complete information. 7.2 Additional Restrictions In addition to the restrictions placed by canonical XML encoding, XMLCONF content is constrained by the following rules: 7.2.1 Avoid mixed content Mixed content is defined as elements which can contain both data and other elements. Elements in XMLCONF can only contain either data or additional elements. data data datadatamaybe some This greatly simplifies the complexity of parsing XML, especially in the area of significant whitespace. Whitespace inside data elements is significant. Whitespace outside data elements is not. 7.2.2 No attributes in the default namespace Do not use attributes in the default namespace. All attributes should be qualified. Unqualified attributes belong to the default namespace, and their use will pollute this namespace. Restricting them to the current Enns, Editor Expires August 13, 2003 [Page 46] Internet-Draft XMLCONF Protocol February 2003 namespace encourages meaningful definitions that are free of collisions. 7.2.3 Use container elements for lists When encoding lists with multiple instances, use a distinct container element, preferable the plural form of the instance element. In this example, the element 'gromit' is contained within the 'gromits' element. .... .... .... Use of container elements is meant to allow simpler manipulation of lists and list members. 7.2.4 Elements and Attributes The choice of elements and attributes has been widely discussed, but no absolute guidelines exist. When designing encoding rules for XMLCONF content, the following guidelines should be used: 7.2.4.1 Consider attributes as meta-data Attributes should contain meta-data about the element, not true data. By extension, vital information should not be encoded in attributes. 7.2.4.2 Consider the lack of extensibility of attributes Attributes are unordered, can only appear once, and can have no children. Data scenarios which must leave room for future expansion (in future specifications or future software releases) should avoid attributes. 7.2.5 Proper Tag Names When choosing element names, consider the following guidelines: o Prefer ASCII (7-bit). o Prefer lower case. Enns, Editor Expires August 13, 2003 [Page 47] Internet-Draft XMLCONF Protocol February 2003 o Prefer dashes to underscores. o Prefer full words. Note that 'config' is considered a full word. These are only guidelines and should be considered secondary to the need for consistency with existing vocabularies. For example, when encoding MIB variables names in XMLCONF, use the existing names (ifAddr) instead of shifting to these guidelines (if-address). These guidelines are valuable when no common vocabulary exists, since they help to avoid the scenario where a dozen developers choose a dozen names that differ in ways that lead to homicidal rage (ifaddr, if-addr, if-address, interface-address, intf-addr, iaddr, iface-addr, etc). 7.2.6 Namespaces A namespace URI uniquely identifies the content and meaning of an XML element. When designing XML namespaces for XMLCONF content, the following guidelines should be used: o prefer domain name in URIs. Use the domain name of the organization that controls the content of the scheme. o prefer version numbers in namespaces. Use dates when version numbers are not appropriate. Versions should be formatted in strings that are consistent with the software being referenced. Dates should be formatted as "YYYY-MM-DD". o prefer URLish URIs, but don't expect them all to be reachable or meaningful. While URIs are not URLs and required to reference any resource, using non-URL syntax is needlessly confusing. For example, the following URI looks like a programmer mistake: ietf.org:/rfc/rfc1234.txt The model namespace looks like: http://${naming-authority}/${topic}/${version}/${area} For example: http://ietf.org/xmlconf/1.0/base-config In this usage, 'topic' might be the product name, 'version' might be the software version, and 'area' might be the portion of that software documented in this particular namespace. http://example.net/magic-os/84.1.3/bgp Enns, Editor Expires August 13, 2003 [Page 48] Internet-Draft XMLCONF Protocol February 2003 The ${topic} segment might contain a qualifying hierarchy. For example, if the Puff Router Company has a large set of operating systems targeted at differing market segments, it may express this relationship in the ${topic}: http://example.net/embedded/magic-os/84.1.3/bgp Enns, Editor Expires August 13, 2003 [Page 49] Internet-Draft XMLCONF Protocol February 2003 8. BEEP Mapping All XMLCONF implementations MUST implement the profile and functional mapping between XMLCONF and BEEP as described below. 8.1 XMLCONF Session Initiation Managers may be either BEEP listeners or initiators. Similarly, agents may be either listeners or initiators. Thus the initial exchange takes place without regard to whether a manager is the initiator or the agent is the initiator. After the transport connection is established, as greetings are exchanged, they should each announce their support for TLS [4] and optionally SASL [3] (see below), as well as for the SYSLOG profile [8]. Once greetings are exchanged, if TLS is to be used and available by both parties, the listener will START a channel with the TLS profile. Once TLS has been started, a new greeting is sent by both initiator and listener, as required by the BEEP RFC. At this point, if SASL is desired, the initiator will start BEEP channel 1 to perform a SASL exchange to authenticate itself. When SASL is completed, the channel MUST be closed. Once authentication has occurred, there is no need to distinguish between initiator and listener. We now distinguish between manager and agent. The manager now establishes an XMLCONF management channel for the purpose of exchanging capabilities, monitoring progress, and aborting remote procedure calls. As initiators assign odd channels and listeners assign even channels, the management channel will be BEEP channel 1 or 2, depending on whether the manager is the initiator or the listener. The manager next establishes the XMLCONF operational channel for the purpose of issuing RPC requests. This channel will be BEEP channel 3 or 4. Finally, if either manager or agent wishes to send or receive notifications, it may issue a start on the next available channel if the other side has sent the send or receive XMLCONF capability. At this point, the XMLCONF session is established. 8.2 XMLCONF RPC Execution To issue an RPC, the manager transmits on the operational channel a Enns, Editor Expires August 13, 2003 [Page 50] Internet-Draft XMLCONF Protocol February 2003 BEEP MSG containing the RPC and its arguments. In accordance with the BEEP standard, RPC requests may be split across multiple BEEP frames. Once received and processed, the agent responds with BEEP RPYs on the same channel with the response to the RPC. In accordance with the BEEP standard, responses may be split across multiple BEEP frames. 8.3 XMLCONF and and requests are issued by the manager on the XMLCONF management channel, and the agent responds with BEEP RPYs on that same channel. 8.4 XMLCONF Session Teardown Either side may initiate the termination of an XMLCONF session. In This is done by issuing a BEEP close on the operational channel after the current RPC has completed. The same is done with any notification channels by the end that transmits notifications. Finally, BEEP channel 0 is closed. 8.5 BEEP Profiles for XMLCONF Channels There are two profiles, the management channel profile and the operations channel profile. These are not to be confused with the BEEP control channel. The operations channel will have two commands, and . The management channel will have one additional operation with . 8.5.1 Management Channel Profile %BEEP; --> Enns, Editor Expires August 13, 2003 [Page 52] Internet-Draft XMLCONF Protocol February 2003 8.5.2 Operations Channel Profile %BEEP; --> 8.5.3 Notification Channel Profile The XMLCONF notification channel profile is defined in RFC 3195 [8]. Enns, Editor Expires August 13, 2003 [Page 55] Internet-Draft XMLCONF Protocol February 2003 9. XML Schema for XMLCONF RPC and Protocol Operations Enns, Editor Expires August 13, 2003 [Page 56] Internet-Draft XMLCONF Protocol February 2003 Enns, Editor Expires August 13, 2003 [Page 57] Internet-Draft XMLCONF Protocol February 2003 Enns, Editor Expires August 13, 2003 [Page 58] Internet-Draft XMLCONF Protocol February 2003 Enns, Editor Expires August 13, 2003 [Page 60] Internet-Draft XMLCONF Protocol February 2003 Enns, Editor Expires August 13, 2003 [Page 61] Internet-Draft XMLCONF Protocol February 2003 10. XML Schema for XMLCONF State Data Initial schema for XMLCONF state information. List of XMLCONF capabilities supported by this device. List of XMLCONF sessions currently active on this device. Enns, Editor Expires August 13, 2003 [Page 62] Internet-Draft XMLCONF Protocol February 2003 List of XMLCONF configuration databases supported on this device. Enns, Editor Expires August 13, 2003 [Page 63] Internet-Draft XMLCONF Protocol February 2003 Enns, Editor Expires August 13, 2003 [Page 64] Internet-Draft XMLCONF Protocol February 2003 11. Security Considerations Configuration information is by its very nature sensitive. Its transmission in the clear without integrity checking leaves devices open to classic so-called "Man in the middle" attacks. Configuration information often times contains passwords, user names, service descriptions, and topological information, all of which is sensitive. The protocol, therefore, must minimally support options for both confidentiality and authentication. The initial transport mapping makes use of BEEP. BEEP itself makes use of both transport layer security and SASL. We require that TLS be used in BEEP as described by the BEEP standard. Client side certificates are strongly desirable, but a SASL authentication is the bare minimum. SASL allows for the use of protocols such as radius, so that authentication can occur off the box. In the case of SASL authentication, this will occur on the first channel creation. No further authentication may occur during the same session. This avoids a situation where rights are different between different channels. If an implementation wishes to support multiple accesses by different individuals with different rights, then multiple sessions are required. Different environments may well allow different rights prior to and then after authentication. Thus, an authorization model is not specified in this document. When an operation is not properly authorized then a simple "permission denied" is sufficient. N.B. authorization information may be exchanged in the form of configuration information. This is all the more reason to ensure the security of the connection. Enns, Editor Expires August 13, 2003 [Page 65] Internet-Draft XMLCONF Protocol February 2003 12. Authors and Acknowledgements This document was written by: Andy Bierman, Cisco Systems Ken Crozier, Cisco Systems Rob Enns, Juniper Networks Ted Goddard, Wind River Eliot Lear, Cisco Systems David Perkins, Riverstone Networks Phil Shafer, Juniper Networks Steve Waldbusser Margaret Wasserman, Wind River Enns, Editor Expires August 13, 2003 [Page 66] Internet-Draft XMLCONF Protocol February 2003 Normative References [1] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C REC REC-xml-20001006, October 2000. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. [4] Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A. and P. Kocher, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [5] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [6] Boyer, J., "Canonical XML Version 1.0", RFC 3076, March 2001. [7] Rose, M., "The Blocks Extensible Exchange Protocol Core", RFC 3080, March 2001. [8] New, D. and M. Rose, "Reliable Delivery for syslog", RFC 3195, November 2001. Enns, Editor Expires August 13, 2003 [Page 67] Internet-Draft XMLCONF Protocol February 2003 Informative References [9] Clark, J., "XSL Transformations (XSLT) Version 1.0", W3C REC REC-xslt-19991116, November 1999. [10] T. Rose, M., Masinter, L. and S. Hollenbeck, "Guidelines for The Use of XML within IETF Protocols", draft-hollenbeck-ietf-xml-guidelines-07 (work in progress), November 2002. [11] Rinne, T., Ylonen, T., Kivinen, T. and S. Lehtinen, "SSH Protocol Architecture", draft-ietf-secsh-architecture-13 (work in progress), September 2002. Author's Address Rob Enns Juniper Networks 1194 North Mathilda Ave Sunnyvale, CA 94089 US EMail: rpe@juniper.net Enns, Editor Expires August 13, 2003 [Page 68] Internet-Draft XMLCONF Protocol February 2003 Appendix A. Capability Template A.1 capability-name (template) A.1.1 Overview A.1.2 Dependencies A.1.3 Capability and Namespace The {name} is distinguished by following capability string: http://ietf.org/xmlconf/1.0/base#{name} The {name} capability uses the base XMLCONF namespace URI. A.1.4 New Operations A.1.4.1 A.1.5 Modifications to Existing Operations A.1.5.1 If existing operations are not modified by this capability, this section may be omitted. A.1.6 Interactions with Other Capabilities If this capability does not interact with other capabilities, this section may be omitted. Enns, Editor Expires August 13, 2003 [Page 69] Internet-Draft XMLCONF Protocol February 2003 Appendix B. Configuring Multiple Devices with XMLCONF B.1 Operations Against Individual Devices Consider the work involved in performing a configuration update against a single individual device. In making a change to the configuration, the application needs to build trust that its change has been made correctly and that it has not impacted the operation of the device. The application (and the application user) should feel confident that their change has not damaged the network. Protecting each individual device consists of a number of steps: o acquiring the configuration lock o loading the update o validating the incoming configuration o checkpointing the running configuration o changing the running configuration o testing the new configuration o making the change permanent (if desired) o releasing the configuration lock Let's look at the details of each of these steps. B.1.1 Acquiring the Configuration Lock A lock should be acquired to prevent simultaneous updates from multiple sources. If multiple sources are affecting the device, the application is hampered in both testing of its change to the configuration and in recovery should the update fail. Acquiring a short-lived lock is a simple defense to prevent other parties from introducing unrelated changes while. The lock can only be acquired if the device supports the #lock capability. The lock can be acquired using the operation. Enns, Editor Expires August 13, 2003 [Page 70] Internet-Draft XMLCONF Protocol February 2003 If the #candidate capability is also supported, failure recovery can be simplified by using the parameter. automatic B.1.2 Loading the Update The configuration can be loaded onto the device without impacting the running system. If the #url capability is supported, incoming changes can be placed in a local file. file://incoming.conf text If the #candidate capability is supported, the candidate configuration can be used. Enns, Editor Expires August 13, 2003 [Page 71] Internet-Draft XMLCONF Protocol February 2003 If the update fails, the user file can be deleted using the operation or the candidate configuration reverted using the operation. B.1.3 Validating the Incoming Configuration Before applying the incoming configuration, it is often useful to validate it. Validation allows the application to gain confidence that the change will succeed and simplifies recovery if it does not. If the device supports the #url capability, use the operation with the parameter set to the proper user file: file://incoming.conf If the device supports the #candidate capability, some validation will be performed as part of loading the incoming configuration into the candidate. For full validation, either pass the parameter during the step given above, or use the operation with the parameter set to . Enns, Editor Expires August 13, 2003 [Page 72] Internet-Draft XMLCONF Protocol February 2003 B.1.4 Checkpointing the Running Configuration The running configuration can be saved into a local file as a checkpoint before loading the new configuration. If the update fails, the configuration can be restored by reloading the checkpoint file. The checkpoint file can be created using the operation. file://checkpoint.conf text To restore the checkpoint file, reverse the source and target parameters. B.1.5 Changing the Running Configuration When the incoming configuration has been safely loaded onto the device and validated, it is ready to impact the running system. If the device supports the #url capability, use the operation to merge the incoming configuration into the running configuration. file://incoming.conf If the device supports the #candidate capability, use the operation to set the running configuration to the candidate configuration. Use the parameter to allow automatic reverting to the original configuration if connectivity to the device Enns, Editor Expires August 13, 2003 [Page 73] Internet-Draft XMLCONF Protocol February 2003 fails. 15 B.1.6 Testing the New Configuration Now that the incoming configuration has been integrated into the running configuration, the application needs to gain trust that the change has affected the device in the way intended without affecting it negatively. To gain this confidence, the application can run tests of the operational state of the device. The nature of the test is dependent on the nature of the change and is outside the scope of this document. Such tests may include reachability from the system running the application (using ping), changes in reachability to the rest of the network (by comparing the device's routing table), or inspection of the particular change (looking for operational evidence of the BGP peer that was just added). B.1.7 Making the Change Permanent When the configuration change is in place and the application has sufficient faith in the proper function of this change, the application should make the change permanent. If the device supports the #startup capability, the current configuration can be saved to the startup configuration by using the startup configuration as the target of the operation. text Enns, Editor Expires August 13, 2003 [Page 74] Internet-Draft XMLCONF Protocol February 2003 If the device supports the #candidate capability and a confirmed commit was requested, the confirming commit must be send before the timeout expires. B.1.8 Releasing the Configuration Lock When the configuration update is complete, the lock must be released, allowing other applications access to the configuration. Use the operation to release the configuration lock. B.2 Operations Against Multiple Devices When a configuration change requires updates across a number of devices, care should be taken to provide the required transaction semantics. The XMLCONF protocol contains sufficient primitives upon which transaction-oriented operations can be built. Providing complete transactional semantics across multiple devices is prohibitively expensive, but the size and number of windows for failure scenarios can be reduced. There are two classes of multi-device operations. The first class of multi-device operations allows the operation to fail on individual devices without requiring all devices to revert to their original state. The operation can be retried at a later time, or its failure simply reported to the user. A example of this class might be adding an NTP server. For this class of operations, failure avoidance and recovery are focused on the individual device. This means recovery of the device, reporting the failure, and perhaps rescheduling another attempt. The second class is more interesting. This class requires that the operation should complete on all devices or be fully reversed. The network should either be transformed into a new state or be reset to its original state. For example, a change to a VPN may require updates to a number of devices. Another example of this might be adding a Class Of Service (COS) definition. Leaving the network in a state where only a portion of the devices have been updated with the Enns, Editor Expires August 13, 2003 [Page 75] Internet-Draft XMLCONF Protocol February 2003 new definition will lead to future failures when the definition is referenced. To give transactional semantics, the same steps used in single device operations listed above are used, but are performed in parallel across all devices. Configuration locks should be acquired on all target devices and kept until all devices are updated and the changes made permanent. Configuration changes should be uploaded and validation performed across all devices. Checkpoints should be made on each device. Then the running configuration can be changed, tested, and made permanent. If any of these steps fail, the previous configurations can be restored on any devices upon which it was changed. After the changes have been completely implemented or completely discarded, the locks on each device can be released. Enns, Editor Expires August 13, 2003 [Page 76] Internet-Draft XMLCONF Protocol February 2003 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Enns, Editor Expires August 13, 2003 [Page 77] Internet-Draft XMLCONF Protocol February 2003 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Enns, Editor Expires August 13, 2003 [Page 78]