Netconf Working Group Weijing Chen
Internet Draft Keith Allen
Expiration Date: February 2004 SBC Labs
August 2003
XML Network Management Interface
draft-weijing-netconf-interface-01
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of [RFC2026].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document specifies an XML network management interface between
a network managing system and a network managed system. The XML
network management interface is intended for use in diverse network
environments where transport, data and operating model requirements
vary greatly. It is unlikely that a single transport, data and
operating model specification will meet the needs of all anticipated
service operators. Therefore, the XML network management interface
is partitioned into layered components.
Table of Contents
1. Introduction.................................................2
2. Protocol Operations..........................................4
2.1. Operation Descriptions......................................4
2.1.1. Get Operation............................................4
2.1.2. Perform Operation........................................7
Chen and Allen Expires February 2004 [Page 1]
Internet Draft draft-weijing-netconf-interface-01 August 2003
2.1.3. Abort Operation.........................................11
2.1.4. Notification............................................12
2.2. Protocol Operations XML Schema.............................13
3. Capabilities................................................20
3.1. Capabilities Exchange......................................20
3.2. Capabilities Schema........................................21
4. An Example Operating Model..................................23
4.1. Operating Model Descriptions...............................23
4.2. Operating Model Schema.....................................25
5. Security Consideration......................................30
6. References..................................................30
7. Authors' Addresses..........................................30
1. Introduction
This document specifies an XML network management interface between
a network managing system and a network managed system. The XML
network management interface is intended for use in diverse network
environments where transport, data and operating model requirements
vary greatly. It is unlikely that a single transport, data and
operating model specification will meet the needs of all anticipated
service operators. Therefore, the XML network management interface
is partitioned into the following layered components.
+---------------------------------------------+
| Data and Operating Model XML Schema: |
| Standard |
| CLI +---------------------+
| Proprietary | Capabilities |
| | XML Schema |
+-----------------------+---------------------+
| Protocol Operations: Operation XML Schema |
| |
| |
| |
| |
+---------------------------------------------+
| Protocol Transport: |
| BEEP, SOAP/HTTP, SSH |
+---------------------------------------------+
Starting at the bottom of the figure and working up, the binding of
the protocol operations to the protocol transport is out of scope of
this document. Separate documents will describe different protocol
bindings.
Chen and Allen Expire February 2004 [Page 2]
Internet Draft draft-weijing-netconf-interface-01 August 2003
This document describes the protocol operations, the second layer up
in the figure above. The protocol operations are specified in XML
schema, which describe each operation message construct.
Some protocol capabilities are optional or not specified by this
document. The protocol capabilities supported by a managed system
are described in a capabilities XML dataset. This allows a managing
system to discover the actual functionality implemented in the
managed system. The schema for this XML dataset is specified in
this document.
Examples of data and operating models are described in this document
using XML schema, too. This document, though, does not attempt to
define a standard data or operating model.
The dividing of interface functionality allows the formal
verification of interface messages against interface specifications
using available general purpose XML toolkits as in the following:
Protocol Data/Operating
Operation Model XML
Schema Schema Instance
\ / Dataset
\ / / \
\ / / \
+---+-----+--+ +-----+--+ \
Interface | XML Schema | w/ XPath | XPath | \
------------>| Validator |-----+-------->| Parser |--->Application
Message +-----+------+ | +-------++
| | |
| | w/o XPath |
| +-----------------+---->Application
| | |
Error <--------+------------------------------+----------+
The interface XML message can be validated against the protocol
operation XML schema and specific data and operating model XML
schema using a general purpose XML schema validator. If the system
supports XPath and the interface XML message contains XPath
elements, the validated XML message can be parsed and validated
against live XML instance datasets in the system using an XPath
parser. Thereafter the processed XML message is passed on to the
management application for further processing.
Chen and Allen Expire February 2004 [Page 3]
Internet Draft draft-weijing-netconf-interface-01 August 2003
2. Protocol Operations
The protocol operations consist of four basic operations: get,
perform, abort, and notification. Each operation has a request and
response message correlated with a unique message id.
2.1. Operation Descriptions
2.1.1. Get Operation
... any
... any
... any
... any
A "get-request" message is a request from the managing system to the
managed system to obtain specific information. The "messageId"
attribute MUST uniquely identify the request message and is used to
correlate the request and response messages. The "category"
attribute indicates the type of data that this "get-request" message
requests. "all" means all the data, "config" means configuration
data, and "state" means state data. It is recommended that each
element in the data and operating model schema SHOULD have an
attribute "category" with a fixed value from the type "Category" to
indicate what type of data this element is. The "subordinate"
attribute indicates the scope of subordinate elements which the
"get-request" expects in the return. It has the value of "all" or
"direct". "all" means all levels of the subordinate elements,
"direct" means only direct subordinate elements. The target element
of the "get-request" MUST be the longest matched sub-element in the
targeted XML configuration datastore.
A "get-response" message is a response from the managed system to
the managing system to return requested information. The
"messageId" attribute MUST be the same message id of the
corresponding request message, which is used to correlate the
request and response messages.
Chen and Allen Expire February 2004 [Page 4]
Internet Draft draft-weijing-netconf-interface-01 August 2003
The sub-element of the "get-request" and "get-response" message is
defined as in the protocol operation XML schema. The
element enables the data and operating model designers to
create interface messages containing elements beyond what was
specified by the protocol operation XML schema. It empowers the
model designers with the ability to define data and operating models
appropriate to the system being managed. The validation of the
whole interface message can be done by a general-purpose XML
validator with operation XML schema, data and operating model XML
schema.
The following example retrieves an XML snippet of configuration data
for interfaces with "up" "adminStatus" from the startup
configuration datastore. The protocol operation XML schema is
defined in the namespace "http://www.ietf.org/netconf/operations".
The data and operating model XML schema is defined in the namespace
"http://example.com/schema".
"up"
"192.116.67.5"
"up"
"135.104.57.3"
Chen and Allen Expire February 2004 [Page 5]
Internet Draft draft-weijing-netconf-interface-01 August 2003
"up"
The following example retrieves the entire running configuration,
which could be loaded back to the device later to restore the device
configuration. Note that the attribute "category" has a value of
"config", which instructs the device not to retrieve any state
information elements since they are not configurable.
XML configuration data goes here ...
However, the following example only retrieves the top level running
configuration, which could be the starting points for later
navigation.
Chen and Allen Expire February 2004 [Page 6]
Internet Draft draft-weijing-netconf-interface-01 August 2003
top level XML configuration data goes here ...
The following example retrieves an XML snippet of device performance
data that is state information in the running configuration.
94568231228484566432648210506347121542096
2.1.2. Perform Operation
... any
Chen and Allen Expire February 2004 [Page 7]
Internet Draft draft-weijing-netconf-interface-01 August 2003
... any
... any
... any
A "perform-request" message is a request from the managing system to
the managed system for a specific action. The "messageId" attribute
MUST uniquely identify the request message and is used to correlate
the request and response messages. The "transaction" attribute
describes the desired message transaction handling as one of the
following: stop on error, continue on error, or rollback on error.
The actual action SHOULD be described by the data and operating
model. The recommendation is that an attribute named "action" in
the targeted element SHOULD specify the actual action (this is
referred to as "action-as-attribute"). The protocol operation XML
schema has defined an "Action" type with these permitted values:
nop, create, delete, replace, merge, copy, validate, lock, unlock.
Each object element in the data and operating model schema SHOULD
have an attribute "action" of the type "Action" to indicate what
actions on this object (element) are permitted. The data and
operating model XML schema MAY extend or restrict the permitted
value of the "Action" type through the XML attribute type definition
mechanism.
The action-as-attribute approach places operation behavior
definitions in the data and operating model, not in the protocol
operation layer, resulting in a more object-oriented approach. The
object reference is identified by XML element tree or XPath (if
supported) in the message but the operation behaviors that may be
performed on that object are determined by the object’s definition
(i.e. the data and operating model XML schema).
A "perform-response" message is a response from the managed system
to the managing system to return the results of the "perform-
request" operation. The "messageId" attribute MUST be the same
message id of the corresponding request message, which is used to
correlate the request and response message.
The action-as-attribute approach must be considered in the response
message. Elements with an attribute named "action" of type "Action"
MUST have a value of "nop" in the perform-response message. The
Chen and Allen Expire February 2004 [Page 8]
Internet Draft draft-weijing-netconf-interface-01 August 2003
value "nop" SHOULD be defined in data and operating model schema as
the default value for attributes named "action" of type "Action."
This will relieve the managed system from including the attribute in
its response.
The sub-element of the "perform-request" and "perform-response"
message is defined as in the protocol operation XML
schema, as with the "get-request" and "get-response".
The following example modifies the OSPF "hello-interval" of an
Ethernet interface in the running configuration. The protocol
operation XML schema is defined in the namespace
"http://www.ietf.org/netconf/operations". The data and operating
model XML schema is defined in the namespace
"http://example.com/schema". The attribute "action" is closely
associated with the targeted element and specified by the data model
instead of the protocol operation model, which makes the interface
flexible and extensible.
The following example only modifies the "hello-interval".
1010
Chen and Allen Expire February 2004 [Page 9]
Internet Draft draft-weijing-netconf-interface-01 August 2003
The following example creates the OSPF area 0 with a specified
interface and "hello-interval".
1010
The following example modifies the configuration through non-XML
content (i.e. plain text). Note that the attribute "action" has a
value of "cli", which is specific to this data model
"http://example.com/cli".
enable
config terminal
Chen and Allen Expire February 2004 [Page 10]
Internet Draft draft-weijing-netconf-interface-01 August 2003
ip vrf v7:yellow-s
rd 64000:10004
route-target export 64000:5003
route-target import 64000:5002
maximum routes 500 80
2.1.3. Abort Operation
... any
... any
... any
An "abort-request" message is a request from the managing system to
the managed system to prematurely terminate a previously issued
"perform-request" message identified by the "messageId". For an
abort operation to be effective, the "abort-request" message MAY be
sent through a transport channel separate from the "perform-request"
message. Otherwise the abort-request message could be queued behind
the intended "perform-request" message in the same channel.
An "abort-response" message is a response from the managed system to
the managing system to return the results of the "abort-request"
operation. The "messageId" attribute MUST be the same message id of
the corresponding request message, which is used to correlate the
request and response message.
Chen and Allen Expire February 2004 [Page 11]
Internet Draft draft-weijing-netconf-interface-01 August 2003
In addition to returning the abort-response message, a managed
system MUST return a response to the original request (either a get-
response or perform-response) with a protocol error code indicating
the operation was aborted.
The following example aborts a previous perform-request message and
receives a failure response.
xmlns="http://www.ietf.org/netconf/operations"/>
2.1.4. Notification
... any
... any
... any
... any
A "notif" message is a notification from the managed system to the
managing system to announce asynchronous events such as alarms,
configuration changes, etc. Ideally, the transport channel for
notification messages MAY be separate from normal operation
messages.
A "notif-confirm" message is a confirmation from the managing system
to the managed system to acknowledge the receipt of a notification.
The "messageId" attribute MUST be the same message id as the
corresponding notification message, which is used to correlate the
notification and confirmation message.
Chen and Allen Expire February 2004 [Page 12]
Internet Draft draft-weijing-netconf-interface-01 August 2003
The following example shows a managed system sending an XML-based
syslog alarm to a managing system. The managing system sends a
confirmation back to the managed system.
Sep 26, 200216:32:02.848OSPFconfig5
hello interval changed
2.2. Protocol Operations XML Schema
The formal specification of the interface protocol operations is
defined in XML schema, which describes each operation message
construct.
Chen and Allen Expire February 2004 [Page 13]
Internet Draft draft-weijing-netconf-interface-01 August 2003
"Category" indicates the type of data: "all"
for all data, "config" for configuration data (e.g.
administativeState), "state" for state data (e.g. operationalState,
routing table)."Action" indicates the type of action that
the managing system performs on the configuration of the managed
system."ProtocolErrorCode" indicates the type of
error that occurs in the protocol layer."ApplicationErrorCode" indicates the type of
error that occurs in the application layer.
Chen and Allen Expire February 2004 [Page 14]
Internet Draft draft-weijing-netconf-interface-01 August 2003
"ProtocolError" describes the errors that
occur in the protocol layer.Detailed XML contents or text of the
protocol errors, depending on the data model."ApplicationError" describes the errors that
occur in the application layer.Detailed XML contents or text of the
application errors, depending on the data model."Error" describes the errors that occur in
the application or protocol interaction.A "get-request" message is a request from
the managing system to the managed system to obtain specific
information. The "messageId" attribute MUST uniquely identify the
request message and is used to correlate the request and response
messages. The "category" attribute indicates the type of data that
Chen and Allen Expire February 2004 [Page 15]
Internet Draft draft-weijing-netconf-interface-01 August 2003
this "get-request" message requests. "all" means all the data,
"config" means configuration data, and "state" means state data. It
is recommended that each element in the data and operating model
schema SHOULD have an attribute "category" with a fixed value from
the type "Category" to indicate what type of data this element is.
The "subordinate" attribute indicates the scope of subordinate
elements which the "get-request" expects in the return. It has the
value of "all" or "direct". "all" means all levels of the
subordinate elements, "direct" means only direct subordinate
elements. Detailed XML contents or text of the
request, depending on the data model.A "get-response" message is a response from
the managed system to the managing system to return requested
information. The "messageId" attribute MUST be the same message id
of the corresponding request message, which is used to correlate the
request and response messages.Detailed XML contents or text of the
response, depending on the data model.
Chen and Allen Expire February 2004 [Page 16]
Internet Draft draft-weijing-netconf-interface-01 August 2003
A "perform-request" message is a request
from the managing system to the managed system for a specific
action. The "messageId" attribute MUST uniquely identify the
request message and is used to correlate the request and response
messages. The "transaction" attribute describes the desired message
transaction handling as one of the following: stop on error,
continue on error, or rollback on error. The actual action SHOULD
be described by the data and operating model. The recommendation is
that an attribute named "action" in the targeted element SHOULD
specify the actual action (this is referred to as "action-as-
attribute"). The protocol operation XML schema has defined an
"Action" type with these permitted values: nop, create, delete,
replace, merge, copy, validate, lock, unlock. Each object element
in the data and operating model schema SHOULD have an attribute
"action" of the type "Action" to indicate what actions on this
object (element) are permitted. The data and operating model XML
schema MAY extend or restrict the permitted value of the "Action"
type through the XML attribute type definition
mechanism.Detailed XML contents or text of the
request, depending on the data model.
Chen and Allen Expire February 2004 [Page 17]
Internet Draft draft-weijing-netconf-interface-01 August 2003
A "perform-response" message is a response
from the managed system to the managing system to return the results
of the "perform-request" operation. The "messageId" attribute MUST
be the same message id of the corresponding request message, which
is used to correlate the request and response message. The action-
as-attribute approach must be considered in the response message.
Elements with an attribute named "action" of type "Action" MUST have
a value of "nop" in the perform-response message. The value "nop"
SHOULD be defined in data and operating model schema as the default
value for attributes named "action" of type "Action." This will
relieve the managed system from including the attribute in its
response. Detailed XML contents or text of the
response, depending on the data model.An "abort-request" message is a request from
the managing system to the managed system to prematurely terminate a
previously issued "perform-request" message identified by the
"messageId". For an abort operation to be effective, the "abort-
request" message MAY be sent through a transport channel separate
from the "perform-request" message. Otherwise the abort-request
message could be queued behind the intended "perform-request"
message in the same channel.An "abort-response" message is a response
from the managed system to the managing system to return the results
of the "abort-request" operation. The "messageId" attribute MUST be
the same message id of the corresponding request message, which is
Chen and Allen Expire February 2004 [Page 18]
Internet Draft draft-weijing-netconf-interface-01 August 2003
used to correlate the request and response
message.Detailed XML contents or text of the
response, depending on the data model.A "notif" message is a notification from the
managed system to the managing system to announce asynchronous
events such as alarms, configuration changes, etc. Ideally, the
transport channel for notification messages MAY be separate from
normal operation messages.Detailed XML contents or text of the
notification, depending on the data model.A "notif-confirm" message is a confirmation
from the managing system to the managed system to acknowledge the
receipt of a notification. The "messageId" attribute MUST be the
same message id as the corresponding notification message, which is
used to correlate the notification and confirmation
message.
Chen and Allen Expire February 2004 [Page 19]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Detailed XML contents or text of the
confirmation, depending on the data model.
3. Capabilities
3.1. Capabilities Exchange
The optional functions and schema that may be supported by a managed
system are described in a capabilities XML dataset. This allows a
managing system to discover the specific protocol operations
capabilities of a managed system. The capabilities XML dataset MUST
be supported by the end systems. The schema for the capabilities
XML data is described here.
The "capabilities" element of the managed system has three sub-
elements: "notification", "notifSchema", and "modelSchema". The
"notification" element describes the notification functionality
supported by the managed system, which is a list with the following
possible values: "notif-nonconfirm" or "notif-confirm". A value of
"nonconfirm" means the managed system supports non-confirmed
notifications. A value of "notif-confirm" means the managed system
supports confirmed notifications. The list may have zero, one or
both values.
The "notifSchema" specifies the notification XML schemas supported
by the managed system. Its value is a list of URLs.
The "modelSchema", specifies the data and operating model XML
schemas supported by the managed system. Its value is a list of
URLs.
The following example shows a pair of systems exchanging the
capabilities through the protocol operations. It is expected that
this exchange would be the very first interface interaction once the
end systems establish communications.
Chen and Allen Expire February 2004 [Page 20]
Internet Draft draft-weijing-netconf-interface-01 August 2003
notif-nonconfirm
http://example.com/schema
http://acme.com/schema
http://example.com/syslog
3.2. Capabilities Schema
Notification capabilities of the managed
systemXML schemas of the managed
system
Chen and Allen Expire February 2004 [Page 21]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Capabilities of the managed
systemNotification capabilities of the
managed systemData model XML schemas of the managed
systemNotification data XML schemas of the
managed system
Chen and Allen Expire February 2004 [Page 22]
Internet Draft draft-weijing-netconf-interface-01 August 2003
4. An Example Operating Model
4.1. Operating Model Descriptions
This is an example of a typical operating model. It shows how a
particular operating model can fit into the overall interface
framework.
This operating model supports three manageable configuration
datastores: candidate configuration, startup configuration, and
running configuration. It also supports one or more text-based
named configuration files.
Following the recommendation of the protocol operations, the
"category" attribute has the fixed value "all" for the manageable
configuration datastore. Also the "action" attribute of the
manageable configuration datastore takes the "Action" type without
any restriction.
The named configuration files only support limited manageability.
The "category" attribute has the fixed value "config". The "action"
attribute is a type of "Action" but restricts the allowable values
to: "nop", "create", "delete", and "copy".
The "source" sub-element of the configuration specifies the name of
configuration files or datastores from which the configuration is
created or copied. The "lockedBy" sub-element of the manageable
configuration datastore identifies the session of the current lock
holder. The "content" sub-element of the named configuration file
contains the text file content.
The following example copies the candidate configuration to running
configuration.
Chen and Allen Expire February 2004 [Page 23]
Internet Draft draft-weijing-netconf-interface-01 August 2003
candidate
copied configuration data goes here ...
The following example validates the startup configuration.
configuration data goes here if needed ...
The following example locks the running configuration for multiple
operations later on.
session id
4.2. Operating Model Schema
Operating model of managed
deviceCandidate configuration
datastoreSource name of configuration
file or datastore for the candidate configuration
Chen and Allen Expire February 2004 [Page 25]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Session identification of the
lock holderDetailed XML contents of the
candidate configuration, dependant on the data
model.Startup configuration
datastore
Chen and Allen Expire February 2004 [Page 26]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Source name of configuration
file or datastore for the startup configurationSession identification of the
lock holderDetailed XML contents of the
startup configuration, dependant on the data
model
Chen and Allen Expire February 2004 [Page 27]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Running configuration
datastoreSource name of configuration
file or datastore for the running configurationSession identification of the
lock holderDetailed XML contents of the
running configuration, dependant on the data
model.
Chen and Allen Expire February 2004 [Page 28]
Internet Draft draft-weijing-netconf-interface-01 August 2003
Named configuration
fileSource name of configuration
file or datastore for this configuration filePlain text contents of the
configuration file
Chen and Allen Expire February 2004 [Page 29]
Internet Draft draft-weijing-netconf-interface-01 August 2003
5. Security Consideration
Security concerns regarding network management interfaces are very
sensitive by their nature.
The interface protocol operations specified here do not explicitly
address security. They rely on the underlying protocol transport
and upper layer data model to provide proper security protection.
6. References
[RFC2119] "Key words for use in RFCs to Indicate Requirement
Levels", Bradner, S., March 1997.
[XML1.0] "Extensible Markup Language (XML) 1.0 (Second Edition)",
W3C REC-xml-20001006, October 2000.
[XML Schema-1] "XML Schema Part 1: Structures", W3C REC-xmlschema-1-
20010502, May 2001.
[XML Schema-2] "XML Schema Part 2: Datatypes", W3C REC-xmlschema-2-
20010502, May 2001.
[WSDL1.1] "Web Services Description Language (WSDL) 1.1", W3C NOTE-
wsdl-20010315, March 2001.
[XPath1.0] "XML Path Language (XPath) Version 1.0", W3C REC-xpath-
19991116, November 1999.
7. Authors' Addresses
Weijing Chen
SBC Labs
Chen and Allen Expire February 2004 [Page 30]
Internet Draft draft-weijing-netconf-interface-01 August 2003
9505 Arboretum Blvd.
Austin, Texas 78759
Phone: +1 512 372 5710
Email: wchen@labs.sbc.com
Keith Allen
SBC Labs
9505 Arboretum Blvd.
Austin, Texas 78759
Phone: +1 512 372 5741
Email: kallen@labs.sbc.com
Chen and Allen Expire February 2004 [Page 31]