]> YANG Groupings for QUIC clients and QUIC servers Cisco Systems
per.ietf@ionio.se
OPS Area NETCONF Working Group This document defines two YANG 1.1 modules to support the configuration of QUIC clients and QUIC servers. The modules include basic parameters for configuring QUIC based clients and servers. Editorial note (To be removed by the RFC Editor) This draft contains placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. No other RFC Editor instructions are specified elsewhere in this document. Artwork in this document contains shorthand references to drafts in progress. Please apply the following replacements:
  • AAAA --> the assigned RFC value for this draft
  • CCCC --> the assigned RFC value for draft-ietf-netconf-udp-client-server
  • HHHH --> the assigned RFC value for draft-ietf-netconf-netconf-client-server
Introduction This documents defines two YANG 1.1 modules to support the configuration of QUIC clients and QUIC servers (QUIC is defined in ), either as standalone or in conjunction with configuration of other protocol layers.
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The following terms are defined in and are not redefined here: client, data model, data tree, feature, extension, module, leaf, leaf-list, and server.
The "ietf-quic-client" Module This section defines a YANG 1.1 module called "ietf-quic-client".
Data model overview This section presents an overview of of the "ietf-quic-client" module in terms of features and groupings.
Features The module itself does not define any features. However, in order to require TLS 1.3 the following "if-feature" is defined "tlscmn:tls13 not tlscmn:tls12". For QUIC TLS requirements see . For further details about available features see the "ietf-tls-client" and "ietf-udp-client" modules. defined in and respectively.
Groupings The "ietf-quic-client" module defines the following "grouping" statement:
  • quic-client
This grouping is presented in the following subsection.
The "quic-client" Grouping The following tree diagram illustrates the "quic-client" grouping: Comments:
  • This grouping uses the "tls-client-grouping" grouping discussed in . Note that QUIC requires TLSĀ 1.3 (or later), thus the "if-feature" invariant "tlscmn:tls13 and not tlscmn:tls12" is defined for this grouping.
  • This grouping uses the "udp-client-grouping" grouping discussed in .
The "quic-client" Augments The "ietf-quic-client" module augments the "/ncs:netconf-client/ncs:initiate" container with the "if-feature" "quic-initiate". This augment enables configuration of QUIC-level parameters for NETCONF client connections. The following tree diagram illustrates the "quic-client" augmentation of "netconf-client":
YANG Module This YANG module has normative references to and . <CODE BEGINS> file "ietf-quic-client@2024-10-19.yang" WG Web: https://datatracker.ietf.org/wg/netconf Author: Per Andersson "; description "This module defines reusable groupings for QUIC clients that can be used as a basis for specific QUIC client instances. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC AAAA (https://www.rfc-editor.org/info/rfcAAAA); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision 2024-10-19 { description "Initial version"; reference "RFC AAAA: YANG Groupings for QUIC Clients and QUIC Servers"; } // Features feature quic-initiate { description "The 'quic-initiate' feature indicates that the NETCONF client supports initiating QUIC connections to NETCONF servers."; reference "RFC AAAA: YANG Groupings for QUIC Clients and QUIC Servers"; } /* FIXME feature quic-listen { description "The 'quic-listen' feature indicates that the NETCONF client supports opening a port to listen for incoming NETCONF server call-home QUIC connections."; reference "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; reference "RFC AAAA: YANG Groupings for QUIC Clients and QUIC Servers"; } */ // Groupings grouping quic-client { description "Grouping to configure a QUIC client."; reference "RFC 9000: QUIC: A UDP-Based Multiplexed and Secure Transport"; uses tlsc:tls-client-grouping { if-feature "tlscmn:tls13 and not tlscmn:tls12"; description "QUIC requires that TLS 1.3 (or later) is used."; reference "RFC 9001: Using TLS to Secure QUIC"; } uses udpc:udp-client; } // Augments /* FIXME seems pyang don't support this augment */ augment "/ncc:netconf-client/ncc:initiate" { if-feature "quic-initiate"; description "Add 'quic-initate' feature to the NETCONF client connection configuration."; } augment "/ncc:netconf-client/ncc:initiate/ncc:netconf-server" + "/ncc:endpoints/ncc:endpoint/ncc:transport" { description "Add QUIC transport to the NETCONF client connection configuration"; case quic { if-feature "quic-initiate"; container quic { description "QUIC-level client parameters to initiate a NETCONF over QUIC connection."; uses quicc:quic-client; } } } } ]]> <CODE ENDS>
The "ietf-quic-server" Module This section defines a YANG 1.1 module called "ietf-quic-server".
Data model overview This section presents an overview of of the "ietf-quic-server" module in terms of features and groupings.
Features The module itself does not define any features. However, in order to require TLS 1.3 the following "if-feature" is defined "tlscmn:tls13 not tlscmn:tls12". For QUIC TLS requirements see . For further details about available features see the "ietf-tls-server" and "ietf-udp-server" modules, defined in and respectively.
Groupings The "ietf-quic-server" module defines the following "grouping" statement:
  • quic-server
This grouping is presented in the following subsection.
The "quic-server" Grouping The following tree diagram illustrates the "quic-server" grouping: Comments:
  • This grouping uses the "tls-server-grouping" grouping discussed in . Note that QUIC requires TLSĀ 1.3 (or later), thus the "if-feature" invariant "tlscmn:tls13 and not tlscmn:tls12" is defined for this grouping.
  • This grouping uses the "udp-server-grouping" grouping discussed in .
The "quic-server" Augments The "ietf-quic-server" module augments the "/ncs:netconf-server/ncs:listen" container with the "if-feature" "quic-listen". This augment enables configuration of QUIC-level parameters for NETCONF server connections. The following tree diagram illustrates the "quic-server" augmentation of "netconf-server":
YANG Module This YANG module has normative references to and . <CODE BEGINS> file "ietf-quic-server@2024-10-19.yang" WG Web: https://datatracker.ietf.org/wg/netconf Author: Per Andersson "; description "This module defines reusable groupings for QUIC servers that can be used as a basis for specific QUIC server instances. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC AAAA (https://www.rfc-editor.org/info/rfcAAAA); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision 2024-10-19 { description "Initial version"; reference "RFC AAAA: YANG Groupings for QUIC Clients and QUIC Servers"; } // Features feature quic-listen { description "The 'quic-listen' feature indicates that the NETCONF server supports the QUIC transport."; reference "I-D.draft-ietf-netconf-over-quic-00: NETCONF over QUIC"; } // FIXME feature quic-call-home // Groupings grouping quic-server { description "Grouping to configure a QUIC server."; reference "RFC 9000: QUIC: A UDP-Based Multiplexed and Secure Transport"; uses tlss:tls-server-grouping { if-feature "tlscmn:tls13 and not tlscmn:tls12"; description "QUIC requires that TLS 1.3 (or later) is used."; reference "RFC 9001: Using TLS to Secure QUIC"; } uses udps:udp-server; } // Augments /* FIXME seems pyang don't support this augment */ augment "/ncs:netconf-server/ncs:listen" { if-feature "quic-listen"; description "Add 'quic-listen' feature to the NETCONF server listen configuration."; } augment "/ncs:netconf-server/ncs:listen/ncs:endpoints" + "/ncs:endpoint/ncs:transport" { description "Add QUIC transport to the NETCONF server listen configuration."; case quic { if-feature "quic-listen"; container quic { description "QUIC-level server parameters to listen for NETCONF over QUIC connections."; uses quics:quic-server; } } } } ]]> <CODE ENDS>
Security Considerations This section follows the template defined in Section 3.7.1 of . The YANG modules specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF or RESTCONF . The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) . The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS . The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. The modules presented in this draft does not contain any protocol accessible nodes, and thus the security considerations for such are not provided here. Furthermore, the modules defines groupings, these considerations are primarily for the designers of other modules that use these groupings. Security considerations for the groupings used in the modules are discussed in and , refer to these documents for further details. Since the modules does not define any RPCs or actions or notifications, and thus the security considerations for such are not provided here.
IANA Considerations
The "IETF XML" Registry This document registers two URIs in the "ns" subregistry of the IETF XML Registry maintained at . Following the format in , the following registration is requested:
The "YANG Module Names" Registry This document registers two YANG modules in the YANG Module Names registry maintained at . Following the format defined in , the below registration is requested:
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The IETF XML Registry This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Using the NETCONF Protocol over Secure Shell (SSH) This document describes a method for invoking and running the Network Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as an SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK] The YANG 1.1 Data Modeling Language YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). RESTCONF Protocol This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Network Configuration Access Control Model The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. Guidelines for Authors and Reviewers of Documents Containing YANG Data Models This memo provides guidelines for authors and reviewers of specifications containing YANG modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 6087. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. Using TLS to Secure QUIC This document describes how Transport Layer Security (TLS) is used to secure QUIC. YANG Groupings for TLS Clients and TLS Servers This document presents four YANG 1.1 modules -- three IETF modules and one supporting IANA module. The three IETF modules are "ietf-tls-common", "ietf-tls-client", and "ietf-tls-server". The "ietf-tls-client" and "ietf-tls-server" modules are the primary productions of this work, supporting the configuration and monitoring of TLS clients and servers. The IANA module is "iana-tls-cipher-suite-algs". This module defines YANG enumerations that provide support for an IANA-maintained algorithm registry. Informative References YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] YANG Tree Diagrams This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language.