Wes Hardaker is Technical Advisor for Security Matters Configuration of networks of devices has become a critical requirement for operators in today's highly interoperable networks. Operators from large to small have developed their own mechanisms or used vendor specific mechanisms to transfer configuration data to and from a device, and for examining device state information which may impact the configuration. Each of these mechanisms may be different in various aspects, such as session establishment, user authentication, configuration data exchange, and error responses. The NETCONF Working Group is chartered to produce a protocol suitable for network configuration, with the following characteristics: - Provides retrieval mechanisms which can differentiate between configuration data and non-configuration data - Is extensible enough that vendors will provide access to all configuration data on the device using a single protocol - Has a programmatic interface (avoids screen scraping and formatting-related changes between releases) - Uses a textual data representation, that can be easily manipulated using non-specialized text manipulation tools. - Supports integration with existing user authentication methods - Supports integration with existing configuration database systems - Supports network wide configuration transactions (with features such as locking and rollback capability) - Is as transport-independent as possible - Provides the following support for asynchronous notifications: - Specify the message (capability exchange) details to support notifications. - Specify the application mapping details to support notifications. - Specify the protocol syntax and semantics of a notification message. - Specify or select a notification content information model. - Specify a mechanism for controlling the delivery (turn on/off) of notifications during a session. - Specify a mechanism for selectively receiving a configurable subset of all possible notification types. The NETCONF protocol will use XML for data encoding purposes, because XML is a widely deployed standard which is supported by a large number of applications. XML also supports hierarchical data structures. The NETCONF protocol should be independent of the data definition language and data models used to describe configuration and state data. However, the authorization model used in the protocol is dependent on the data model. Although these issues must be fully addressed to develop standard data models, only a small part of this work will be initially addressed. This group will specify requirements for standard data models in order to fully support the NETCONF protocol, such as: - identification of principals, such as user names or distinguished names - mechanism to distinguish configuration from non-configuration data - XML namespace conventions - XML usage guidelines It should be possible to transport the NETCONF protocol using several different protocols. The group will select at least one suitable transport mechanism, and define a mapping for the selected protocol (s). The initial work (has completed) and was restricted to the following items: - NETCONF Protocol Specification, which defines the operational model, protocol operations, transaction model, data model requirements, security requirements, and transport layer requirements. - NETCONF over SSH Specification: Implementation Mandatory; NETCONF over BEEP Specification: Implementation Optional; NETCONF over SOAP Specification: Implementation Optional; These documents define how the NETCONF protocol is used with each transport protocol selected by the working group, and how it meets the security and transport layer requirements of the NETCONF Protocol Specification. Additional Notification work (as described above) will now be addressed since the initial work has been completed. An individual submission Internet Draft has been proposed to the WG as the starting point for the Notification work. The WG shall adopt the document identified as 'draft-chisholm-NETCONF-event-01.txt' as the starting point for this work. A second phase of incremental development of NETCONF will include the following items: 1. Fine-grain locking: The base NETCONF protocol only provides a lock for the entire configuration datastore, which is not deemed to meet important operational and security requirements. The NETCONF working group will produce a standards-track RFC specifying a mechanism for fine-grain locking of the NETCONF configuration datastore. (The initial draft will be based on draft-lengyel-ngo-partial-lock-00.txt barring additional contributions from the community.) 2. NETCONF monitoring: It is considered best practice for IETF working groups to include management of their protocols within the scope of the solution they are providing. NETCONF does not provide this capability. The NETCONF working group will produce a standards-track RFC with mechanisms allowing NETCONF itself to be used to monitor some aspects of NETCONF operation. (The initial draft will be based on draft-chisholm-netconf-monitoring-00.txt barring additional contributions from the community.) 3. Schema advertisement: Currently the NETCONF protocol is able to advertise which protocol features are supported on a particular netconf-capable device. However, there is currently no way to discover which XML Schema are supported on the device. The NETCONF working group will produce a standards-track RFC with mechanisms making this discovery possible. This item may be merged with "NETCONF monitoring" into a single document. (The initial draft will be based on draft-scott-netconf-schema-query-00.txt barring additional contributions from the community.) 4. NETCONF over TLS - based on implementation experience there is a need for a standards track document to define NETCONF over TLS as an optional transport for NETCONF (The initial draft will be based on draft-badra-tls-netconf-04.txt barring additional contributions from the community.) The following are currently not considered in scope for re-chartering at this time, but may be candidates for work when there is community consensus to take them on. Individual submissions are being encouraged. o Access Control requirements o General improvements to the base protocol o NETCONF access to SMI-based MIB data o The Bill Fenner problem: Address real or perceived issue that "giving SSH for NETCONF gives full SSH access to the box"