GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc4741

Network Working Group R. Enns, Ed. Request for Comments: 4741 Juniper Networks Category: Standards Track December 2006

                   NETCONF Configuration Protocol

Status of This Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (C) The IETF Trust (2006).

Abstract

 The Network Configuration Protocol (NETCONF) defined in this document
 provides mechanisms to install, manipulate, and delete the
 configuration of network devices.  It uses an Extensible Markup
 Language (XML)-based data encoding for the configuration data as well
 as the protocol messages.  The NETCONF protocol operations are
 realized on top of a simple Remote Procedure Call (RPC) layer.

Enns Standards Track [Page 1] RFC 4741 NETCONF Protocol December 2006

Table of Contents

 1. Introduction ....................................................5
    1.1. Protocol Overview ..........................................6
    1.2. Capabilities ...............................................7
    1.3. Separation of Configuration and State Data .................7
 2. Transport Protocol Requirements .................................8
    2.1. Connection-Oriented Operation ..............................9
    2.2. Authentication, Integrity, and Confidentiality .............9
    2.3. Authentication .............................................9
    2.4. Mandatory Transport Protocol ..............................10
 3. XML Considerations .............................................10
    3.1. Namespace .................................................10
    3.2. No Document Type Declarations .............................10
 4. RPC Model ......................................................10
    4.1. <rpc> Element .............................................10
    4.2. <rpc-reply> Element .......................................12
    4.3. <rpc-error> Element .......................................12
    4.4. <ok> Element ..............................................16
    4.5. Pipelining ................................................16
 5. Configuration Model ............................................16
    5.1. Configuration Datastores ..................................16
    5.2. Data Modeling .............................................17
 6. Subtree Filtering ..............................................17
    6.1. Overview ..................................................17
    6.2. Subtree Filter Components .................................18
         6.2.1. Namespace Selection ................................18
         6.2.2. Attribute Match Expressions ........................19
         6.2.3. Containment Nodes ..................................19
         6.2.4. Selection Nodes ....................................20
         6.2.5. Content Match Nodes ................................20
    6.3. Subtree Filter Processing .................................22
    6.4. Subtree Filtering Examples ................................22
         6.4.1. No Filter ..........................................22
         6.4.2. Empty Filter .......................................23
         6.4.3. Select the Entire <users> Subtree ..................23
         6.4.4. Select All <name> Elements within the
                <users> Subtree ....................................25
         6.4.5. One Specific <user> Entry ..........................26
         6.4.6. Specific Elements from a Specific <user> Entry .....27
         6.4.7. Multiple Subtrees ..................................28
         6.4.8. Elements with Attribute Naming .....................29
 7. Protocol Operations ............................................31
    7.1. <get-config> ..............................................31
    7.2. <edit-config> .............................................34
    7.3. <copy-config> .............................................39
    7.4. <delete-config> ...........................................41
    7.5. <lock> ....................................................42

Enns Standards Track [Page 2] RFC 4741 NETCONF Protocol December 2006

    7.6. <unlock> ..................................................44
    7.7. <get> .....................................................45
    7.8. <close-session> ...........................................47
    7.9. <kill-session> ............................................48
 8. Capabilities ...................................................49
    8.1. Capabilities Exchange .....................................49
    8.2. Writable-Running Capability ...............................50
         8.2.1. Description ........................................50
         8.2.2. Dependencies .......................................50
         8.2.3. Capability Identifier ..............................50
         8.2.4. New Operations .....................................51
         8.2.5. Modifications to Existing Operations ...............51
    8.3. Candidate Configuration Capability ........................51
         8.3.1. Description ........................................51
         8.3.2. Dependencies .......................................52
         8.3.3. Capability Identifier ..............................52
         8.3.4. New Operations .....................................52
         8.3.5. Modifications to Existing Operations ...............53
    8.4. Confirmed Commit Capability ...............................55
         8.4.1. Description ........................................55
         8.4.2. Dependencies .......................................55
         8.4.3. Capability Identifier ..............................56
         8.4.4. New Operations .....................................56
         8.4.5. Modifications to Existing Operations ...............56
    8.5. Rollback on Error Capability ..............................57
         8.5.1. Description ........................................57
         8.5.2. Dependencies .......................................57
         8.5.3. Capability Identifier ..............................57
         8.5.4. New Operations .....................................57
         8.5.5. Modifications to Existing Operations ...............57
    8.6. Validate Capability .......................................58
         8.6.1. Description ........................................58
         8.6.2. Dependencies .......................................58
         8.6.3. Capability Identifier ..............................58
         8.6.4. New Operations .....................................58
    8.7. Distinct Startup Capability ...............................60
         8.7.1. Description ........................................60
         8.7.2. Dependencies .......................................60
         8.7.3. Capability Identifier ..............................60
         8.7.4. New Operations .....................................60
         8.7.5. Modifications to Existing Operations ...............60
    8.8. URL Capability ............................................61
         8.8.1. Description ........................................61
         8.8.2. Dependencies .......................................61
         8.8.3. Capability Identifier ..............................62
         8.8.4. New Operations .....................................62
         8.8.5. Modifications to Existing Operations ...............62

Enns Standards Track [Page 3] RFC 4741 NETCONF Protocol December 2006

    8.9. XPath Capability ..........................................63
         8.9.1. Description ........................................63
         8.9.2. Dependencies .......................................63
         8.9.3. Capability Identifier ..............................63
         8.9.4. New Operations .....................................63
         8.9.5. Modifications to Existing Operations ...............63
 9. Security Considerations ........................................64
 10. IANA Considerations ...........................................66
    10.1. NETCONF XML Namespace ....................................66
    10.2. NETCONF XML Schema .......................................66
    10.3. NETCONF Capability URNs ..................................66
 11. Authors and Acknowledgements ..................................68
 12. References ....................................................68
    12.1. Normative References .....................................68
    12.2. Informative References ...................................69
 Appendix A. NETCONF Error List ....................................70
 Appendix B. XML Schema for NETCONF RPC and Protocol Operations ....74
 Appendix C. Capability Template ...................................86
    C.1. capability-name (template) ................................86
         C.1.1. Overview ...........................................86
         C.1.2. Dependencies .......................................86
         C.1.3. Capability Identifier ..............................86
         C.1.4. New Operations .....................................86
         C.1.5. Modifications to Existing Operations ...............86
         C.1.6. Interactions with Other Capabilities ...............86
 Appendix D.  Configuring Multiple Devices with NETCONF ............87
    D.1. Operations on Individual Devices ..........................87
         D.1.1. Acquiring the Configuration Lock ...................87
         D.1.2. Loading the Update .................................88
         D.1.3. Validating the Incoming Configuration ..............89
         D.1.4. Checkpointing the Running Configuration ............89
         D.1.5. Changing the Running Configuration .................90
         D.1.6. Testing the New Configuration ......................91
         D.1.7. Making the Change Permanent ........................91
         D.1.8. Releasing the Configuration Lock ...................92
    D.2. Operations on Multiple Devices ............................92
 Appendix E. Deferred Features .....................................93

Enns Standards Track [Page 4] RFC 4741 NETCONF Protocol December 2006

1. Introduction

 The NETCONF protocol defines a simple mechanism through which a
 network device can be managed, configuration data information can be
 retrieved, and new configuration data can be uploaded and
 manipulated.  The protocol allows the device to expose a full, formal
 application programming interface (API).  Applications can use this
 straightforward API to send and receive full and partial
 configuration data sets.
 The NETCONF protocol uses a remote procedure call (RPC) paradigm.  A
 client encodes an RPC in XML [1] and sends it to a server using a
 secure, connection-oriented session.  The server responds with a
 reply encoded in XML.  The contents of both the request and the
 response are fully described in XML DTDs or XML schemas, or both,
 allowing both parties to recognize the syntax constraints imposed on
 the exchange.
 A key aspect of NETCONF is that it allows the functionality of the
 management protocol to closely mirror the native functionality of the
 device.  This reduces implementation costs and allows timely access
 to new features.  In addition, applications can access both the
 syntactic and semantic content of the device's native user interface.
 NETCONF allows a client to discover the set of protocol extensions
 supported by a server.  These "capabilities" permit the client to
 adjust its behavior to take advantage of the features exposed by the
 device.  The capability definitions can be easily extended in a
 noncentralized manner.  Standard and non-standard capabilities can be
 defined with semantic and syntactic rigor.  Capabilities are
 discussed in Section 8.
 The NETCONF protocol is a building block in a system of automated
 configuration.  XML is the lingua franca of interchange, providing a
 flexible but fully specified encoding mechanism for hierarchical
 content.  NETCONF can be used in concert with XML-based
 transformation technologies, such as XSLT [8], to provide a system
 for automated generation of full and partial configurations.  The
 system can query one or more databases for data about networking
 topologies, links, policies, customers, and services.  This data can
 be transformed using one or more XSLT scripts from a task-oriented,
 vendor-independent data schema into a form that is specific to the
 vendor, product, operating system, and software release.  The
 resulting data can be passed to the device using the NETCONF
 protocol.

Enns Standards Track [Page 5] RFC 4741 NETCONF Protocol December 2006

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [3].

1.1. Protocol Overview

 NETCONF uses a simple RPC-based mechanism to facilitate communication
 between a client and a server.  The client can be a script or
 application typically running as part of a network manager.  The
 server is typically a network device.  The terms "device" and
 "server" are used interchangeably in this document, as are "client"
 and "application".
 A NETCONF session is the logical connection between a network
 administrator or network configuration application and a network
 device.  A device MUST support at least one NETCONF session and
 SHOULD support multiple sessions.  Global configuration attributes
 can be changed during any authorized session, and the effects are
 visible in all sessions.  Session-specific attributes affect only the
 session in which they are changed.
 NETCONF can be conceptually partitioned into four layers:
            Layer                      Example
       +-------------+      +-----------------------------+
   (4) |   Content   |      |     Configuration data      |
       +-------------+      +-----------------------------+
              |                           |
       +-------------+      +-----------------------------+
   (3) | Operations  |      | <get-config>, <edit-config> |
       +-------------+      +-----------------------------+
              |                           |
       +-------------+      +-----------------------------+
   (2) |     RPC     |      |    <rpc>, <rpc-reply>       |
       +-------------+      +-----------------------------+
              |                           |
       +-------------+      +-----------------------------+
   (1) |  Transport  |      |   BEEP, SSH, SSL, console   |
       |   Protocol  |      |                             |
       +-------------+      +-----------------------------+
 1.  The transport protocol layer provides a communication path
     between the client and server.  NETCONF can be layered over any
     transport protocol that provides a set of basic requirements.
     Section 2 discusses these requirements.
 2.  The RPC layer provides a simple, transport-independent framing
     mechanism for encoding RPCs.  Section 4 documents this protocol.

Enns Standards Track [Page 6] RFC 4741 NETCONF Protocol December 2006

 3.  The operations layer defines a set of base operations invoked as
     RPC methods with XML-encoded parameters.  Section 7 details the
     list of base operations.
 4.  The content layer is outside the scope of this document.  Given
     the current proprietary nature of the configuration data being
     manipulated, the specification of this content depends on the
     NETCONF implementation.  It is expected that a separate effort to
     specify a standard data definition language and standard content
     will be undertaken.

1.2. Capabilities

 A NETCONF capability is a set of functionality that supplements the
 base NETCONF specification.  The capability is identified by a
 uniform resource identifier (URI).  These URIs should follow the
 guidelines as described in Section 8.
 Capabilities augment the base operations of the device, describing
 both additional operations and the content allowed inside operations.
 The client can discover the server's capabilities and use any
 additional operations, parameters, and content defined by those
 capabilities.
 The capability definition may name one or more dependent
 capabilities.  To support a capability, the server MUST support any
 capabilities upon which it depends.
 Section 8 defines the capabilities exchange that allows the client to
 discover the server's capabilities.  Section 8 also lists the set of
 capabilities defined in this document.
 Additional capabilities can be defined at any time in external
 documents, allowing the set of capabilities to expand over time.
 Standards bodies may define standardized capabilities, and
 implementations may define proprietary ones.  A capability URI MUST
 sufficiently distinguish the naming authority to avoid naming
 collisions.

1.3. Separation of Configuration and State Data

 The information that can be retrieved from a running system is
 separated into two classes, configuration data and state data.
 Configuration data is the set of writable data that is required to
 transform a system from its initial default state into its current
 state.  State data is the additional data on a system that is not

Enns Standards Track [Page 7] RFC 4741 NETCONF Protocol December 2006

 configuration data such as read-only status information and collected
 statistics.  When a device is performing configuration operations, a
 number of problems would arise if state data were included:
 o  Comparisons of configuration data sets would be dominated by
    irrelevant entries such as different statistics.
 o  Incoming data could contain nonsensical requests, such as attempts
    to write read-only data.
 o  The data sets would be large.
 o  Archived data could contain values for read-only data items,
    complicating the processing required to restore archived data.
 To account for these issues, the NETCONF protocol recognizes the
 difference between configuration data and state data and provides
 operations for each.  The <get-config> operation retrieves
 configuration data only, while the <get> operation retrieves
 configuration and state data.
 Note that the NETCONF protocol is focused on the information required
 to get the device into its desired running state.  The inclusion of
 other important, persistent data is implementation specific.  For
 example, user files and databases are not treated as configuration
 data by the NETCONF protocol.
 If a local database of user authentication data is stored on the
 device, whether it is included in configuration data is an
 implementation-dependent matter.

2. Transport Protocol Requirements

 NETCONF uses an RPC-based communication paradigm.  A client sends a
 series of one or more RPC request operations, which cause the server
 to respond with a corresponding series of RPC replies.
 The NETCONF protocol can be layered on any transport protocol that
 provides the required set of functionality.  It is not bound to any
 particular transport protocol, but allows a mapping to define how it
 can be implemented over any specific protocol.
 The transport protocol MUST provide a mechanism to indicate the
 session type (client or server) to the NETCONF protocol layer.
 This section details the characteristics that NETCONF requires from
 the underlying transport protocol.

Enns Standards Track [Page 8] RFC 4741 NETCONF Protocol December 2006

2.1. Connection-Oriented Operation

 NETCONF is connection-oriented, requiring a persistent connection
 between peers.  This connection must provide reliable, sequenced data
 delivery.
 NETCONF connections are long-lived, persisting between protocol
 operations.  This allows the client to make changes to the state of
 the connection that will persist for the lifetime of the connection.
 For example, authentication information specified for a connection
 remains in effect until the connection is closed.
 In addition, resources requested from the server for a particular
 connection MUST be automatically released when the connection closes,
 making failure recovery simpler and more robust.  For example, when a
 lock is acquired by a client, the lock persists until either it is
 explicitly released or the server determines that the connection has
 been terminated.  If a connection is terminated while the client
 holds a lock, the server can perform any appropriate recovery.  The
 lock operation is further discussed in Section 7.5.

2.2. Authentication, Integrity, and Confidentiality

 NETCONF connections must provide authentication, data integrity, and
 confidentiality.  NETCONF depends on the transport protocol for this
 capability.  A NETCONF peer assumes that appropriate levels of
 security and confidentiality are provided independently of this
 document.  For example, connections may be encrypted in TLS [9] or
 SSH [10], depending on the underlying protocol.

2.3. Authentication

 NETCONF connections must be authenticated.  The transport protocol is
 responsible for authentication.  The peer assumes that the
 connection's authentication information has been validated by the
 underlying protocol using sufficiently trustworthy mechanisms and
 that the peer's identity has been sufficiently proven.
 One goal of NETCONF is to provide a programmatic interface to the
 device that closely follows the functionality of the device's native
 interface.  Therefore, it is expected that the underlying protocol
 uses existing authentication mechanisms defined by the device.  For
 example, a device that supports RADIUS [11] should allow the use of
 RADIUS to authenticate NETCONF sessions.
 The authentication process should result in an identity whose
 permissions are known to the device.  These permissions MUST be
 enforced during the remainder of the NETCONF session.

Enns Standards Track [Page 9] RFC 4741 NETCONF Protocol December 2006

2.4. Mandatory Transport Protocol

 A NETCONF implementation MUST support the SSH transport protocol
 mapping [4].

3. XML Considerations

 XML serves as the encoding format for NETCONF, allowing complex
 hierarchical data to be expressed in a text format that can be read,
 saved, and manipulated with both traditional text tools and tools
 specific to XML.
 This section discusses a small number of XML-related considerations
 pertaining to NETCONF.

3.1. Namespace

 All NETCONF protocol elements are defined in the following namespace:
    urn:ietf:params:xml:ns:netconf:base:1.0
 NETCONF capability names MUST be URIs [5].  NETCONF capabilities are
 discussed in Section 8.

3.2. No Document Type Declarations

 Document type declarations MUST NOT appear in NETCONF content.

4. RPC Model

 The NETCONF protocol uses an RPC-based communication model.  NETCONF
 peers use <rpc> and <rpc-reply> elements to provide transport
 protocol-independent framing of NETCONF requests and responses.

4.1. <rpc> Element

 The <rpc> element is used to enclose a NETCONF request sent from the
 client to the server.
 The <rpc> element has a mandatory attribute "message-id", which is an
 arbitrary string chosen by the sender of the RPC that will commonly
 encode a monotonically increasing integer.  The receiver of the RPC
 does not decode or interpret this string but simply saves it to be
 used as a "message-id" attribute in any resulting <rpc-reply>
 message.  For example:

Enns Standards Track [Page 10] RFC 4741 NETCONF Protocol December 2006

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <some-method>
         <!-- method parameters here... -->
       </some-method>
     </rpc>
 If additional attributes are present in an <rpc> element, a NETCONF
 peer MUST return them unmodified in the <rpc-reply> element.
 The name and parameters of an RPC are encoded as the contents of the
 <rpc> element.  The name of the RPC is an element directly inside the
 <rpc> element, and any parameters are encoded inside this element.
 The following example invokes a method called <my-own-method>, which
 has two parameters, <my-first-parameter>, with a value of "14", and
 <another-parameter>, with a value of "fred":
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <my-own-method xmlns="http://example.net/me/my-own/1.0">
       <my-first-parameter>14</my-first-parameter>
       <another-parameter>fred</another-parameter>
     </my-own-method>
   </rpc>
 The following example invokes a <rock-the-house> method with a
 <zip-code> parameter of "27606-0100":
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <rock-the-house xmlns="http://example.net/rock/1.0">
       <zip-code>27606-0100</zip-code>
     </rock-the-house>
   </rpc>
 The following example invokes the NETCONF <get> method with no
 parameters:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get/>
   </rpc>

Enns Standards Track [Page 11] RFC 4741 NETCONF Protocol December 2006

4.2. <rpc-reply> Element

 The <rpc-reply> message is sent in response to an <rpc> operation.
 The <rpc-reply> element has a mandatory attribute "message-id", which
 is equal to the "message-id" attribute of the <rpc> for which this is
 a response.
 A NETCONF peer MUST also return any additional attributes included in
 the <rpc> element unmodified in the <rpc-reply> element.
 The response name and response data are encoded as the contents of
 the <rpc-reply> element.  The name of the reply is an element
 directly inside the <rpc-reply> element, and any data is encoded
 inside this element.
 For example:
 The following <rpc> element invokes the NETCONF <get> method and
 includes an additional attribute called "user-id".  Note that the
 "user-id" attribute is not in the NETCONF namespace.  The returned
 <rpc-reply> element returns the "user-id" attribute, as well as the
 requested content.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
        xmlns:ex="http://example.net/content/1.0"
        ex:user-id="fred">
     <get/>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
        xmlns:ex="http://example.net/content/1.0"
        ex:user-id="fred">
     <data>
       <!-- contents here... -->
     </data>
   </rpc-reply>

4.3. <rpc-error> Element

 The <rpc-error> element is sent in <rpc-reply> messages if an error
 occurs during the processing of an <rpc> request.
 If a server encounters multiple errors during the processing of an
 <rpc> request, the <rpc-reply> MAY contain multiple <rpc-error>
 elements.  However, a server is not required to detect or report more

Enns Standards Track [Page 12] RFC 4741 NETCONF Protocol December 2006

 than one <rpc-error> element, if a request contains multiple errors.
 A server is not required to check for particular error conditions in
 a specific sequence.  A server MUST return an <rpc-error> element if
 any error conditions occur during processing and SHOULD return an
 <rpc-error> element if any warning conditions occur during
 processing.
 A server MUST NOT return application-level- or data-model-specific
 error information in an <rpc-error> element for which the client does
 not have sufficient access rights.
 The <rpc-error> element includes the following information:
 error-type: Defines the conceptual layer that the error occurred.
    Enumeration.  One of:
  • transport
  • rpc
  • protocol
  • application
 error-tag: Contains a string identifying the error condition.  See
    Appendix A for allowed values.
 error-severity: Contains a string identifying the error severity, as
    determined by the device.  One of:
  • error
  • warning
 error-app-tag: Contains a string identifying the data-model-specific
    or implementation-specific error condition, if one exists.  This
    element will not be present if no appropriate application error
    tag can be associated with a particular error condition.
 error-path: Contains the absolute XPath [2] expression identifying
    the element path to the node that is associated with the error
    being reported in a particular rpc-error element.  This element
    will not be present if no appropriate payload element can be
    associated with a particular error condition, or if the
    'bad-element' QString returned in the 'error-info' container is
    sufficient to identify the node associated with the error.  When

Enns Standards Track [Page 13] RFC 4741 NETCONF Protocol December 2006

    the XPath expression is interpreted, the set of namespace
    declarations are those in scope on the rpc-error element,
    including the default namespace.
 error-message: Contains a string suitable for human display that
    describes the error condition.  This element will not be present
    if no appropriate message is provided for a particular error
    condition.  This element SHOULD include an xml:lang attribute as
    defined in [1] and discussed in [12].
 error-info: Contains protocol- or data-model-specific error content.
    This element will not be present if no such error content is
    provided for a particular error condition.  The list in Appendix A
    defines any mandatory error-info content for each error.  After
    any protocol-mandated content, a data model definition may mandate
    that certain application-layer error information be included in
    the error-info container.  An implementation may include
    additional elements to provide extended and/or implementation-
    specific debugging information.
 Appendix A enumerates the standard NETCONF errors.
 Example:
    An error is returned if an <rpc> element is received without a
    message-id attribute.  Note that only in this case is it
    acceptable for the NETCONF peer to omit the message-id attribute
    in the <rpc-reply> element.
   <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
     </get-config>
   </rpc>
   <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <rpc-error>
       <error-type>rpc</error-type>
       <error-tag>missing-attribute</error-tag>
       <error-severity>error</error-severity>
       <error-info>
         <bad-attribute>message-id</bad-attribute>
         <bad-element>rpc</bad-element>
       </error-info>
     </rpc-error>
   </rpc-reply>

Enns Standards Track [Page 14] RFC 4741 NETCONF Protocol December 2006

    The following <rpc-reply> illustrates the case of returning
    multiple <rpc-error> elements.
    Note that the data models used in the examples in this section use
    the <name> element to distinguish between multiple instances of
    the <interface> element.
   <rpc-reply message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
     xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
     <rpc-error>
       <error-type>application</error-type>
       <error-tag>invalid-value</error-tag>
       <error-severity>error</error-severity>
       <error-message xml:lang="en">
         MTU value 25000 is not within range 256..9192
       </error-message>
       <error-info>
         <top xmlns="http://example.com/schema/1.2/config">
           <interface>
             <name>Ethernet0/0</name>
             <mtu>25000</mtu>
           </interface>
         </top>
       </error-info>
     </rpc-error>
     <rpc-error>
       <error-type>application</error-type>
       <error-tag>invalid-value</error-tag>
       <error-severity>error</error-severity>
       <error-message xml:lang="en">
         Invalid IP address for interface Ethernet1/0
       </error-message>
       <error-info>
         <top xmlns="http://example.com/schema/1.2/config">
           <interface xc:operation="replace">
             <name>Ethernet1/0</name>
             <address>
               <name>1.4</name>
               <prefix-length>24</prefix-length>
             </address>
           </interface>
         </top>
       </error-info>
     </rpc-error>
   </rpc-reply>

Enns Standards Track [Page 15] RFC 4741 NETCONF Protocol December 2006

4.4. <ok> Element

 The <ok> element is sent in <rpc-reply> messages if no errors or
 warnings occurred during the processing of an <rpc> request.  For
 example:
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

4.5. Pipelining

 NETCONF <rpc> requests MUST be processed serially by the managed
 device.  Additional <rpc> requests MAY be sent before previous ones
 have been completed.  The managed device MUST send responses only in
 the order the requests were received.

5. Configuration Model

 NETCONF provides an initial set of operations and a number of
 capabilities that can be used to extend the base.  NETCONF peers
 exchange device capabilities when the session is initiated as
 described in Section 8.1.

5.1. Configuration Datastores

 NETCONF defines the existence of one or more configuration datastores
 and allows configuration operations on them.  A configuration
 datastore is defined as the complete set of configuration data that
 is required to get a device from its initial default state into a
 desired operational state.  The configuration datastore does not
 include state data or executive commands.
 Only the <running> configuration datastore is present in the base
 model.  Additional configuration datastores may be defined by
 capabilities.  Such configuration datastores are available only on
 devices that advertise the capabilities.
 o  Running: The complete configuration currently active on the
    network device.  Only one configuration datastore of this type
    exists on the device, and it is always present.  NETCONF protocol
    operations refer to this datastore using the <running> element.
 The capabilities in Sections 8.3 and 8.7 define the <candidate> and
 <startup> configuration datastores, respectively.

Enns Standards Track [Page 16] RFC 4741 NETCONF Protocol December 2006

5.2. Data Modeling

 Data modeling and content issues are outside the scope of the NETCONF
 protocol.  An assumption is made that the device's data model is
 well-known to the application and that both parties are aware of
 issues such as the layout, containment, keying, lookup, replacement,
 and management of the data, as well as any other constraints imposed
 by the data model.
 NETCONF carries configuration data inside the <config> element that
 is specific to device's data model.  The protocol treats the contents
 of that element as opaque data.  The device uses capabilities to
 announce the set of data models that the device implements.  The
 capability definition details the operation and constraints imposed
 by data model.
 Devices and managers may support multiple data models, including both
 standard and proprietary data models.

6. Subtree Filtering

6.1. Overview

 XML subtree filtering is a mechanism that allows an application to
 select particular XML subtrees to include in the <rpc-reply> for a
 <get> or <get-config> operation.  A small set of filters for
 inclusion, simple content exact-match, and selection is provided,
 which allows some useful, but also very limited, selection
 mechanisms.  The agent does not need to utilize any data-model-
 specific semantics during processing, allowing for simple and
 centralized implementation strategies.
 Conceptually, a subtree filter is comprised of zero or more element
 subtrees, which represent the filter selection criteria.  At each
 containment level within a subtree, the set of sibling nodes is
 logically processed by the server to determine if its subtree and
 path of elements to the root are included in the filter output.
 All elements present in a particular subtree within a filter must
 match associated nodes present in the server's conceptual data model.
 XML namespaces may be specified (via 'xmlns' declarations) within the
 filter data model.  If they are, the declared namespace must first
 exactly match a namespace supported by the server.  Note that prefix
 values for qualified namespaces are not relevant when comparing
 filter elements to elements in the underlying data model.  Only data
 associated with a specified namespace will be included in the filter
 output.

Enns Standards Track [Page 17] RFC 4741 NETCONF Protocol December 2006

 Each node specified in a subtree filter represents an inclusive
 filter.  Only associated nodes in underlying data model(s) within the
 specified configuration datastore on the server are selected by the
 filter.  A node must exactly match the namespace and hierarchy of
 elements given in the filter data, except that the filter absolute
 path name is adjusted to start from the layer below <filter>.
 Response messages contain only the subtrees selected by the filter.
 Any selection criteria that were present in the request, within a
 particular selected subtree, are also included in the response.  Note
 that some elements expressed in the filter as leaf nodes will be
 expanded (i.e., subtrees included) in the filter output.  Specific
 data instances are not duplicated in the response in the event that
 the request contains multiple filter subtree expressions that select
 the same data.

6.2. Subtree Filter Components

 A subtree filter is comprised of XML elements and their XML
 attributes.  There are five types of components that may be present
 in a subtree filter:
 o  Namespace Selection
 o  Attribute Match Expressions
 o  Containment Nodes
 o  Selection Nodes
 o  Content Match Nodes

6.2.1. Namespace Selection

 If namespaces are used, then the filter output will only include
 elements from the specified namespace.  A namespace is considered to
 match (for filter purposes) if the content of the 'xmlns' attributes
 are the same in the filter and the underlying data model.  Note that
 namespace selection cannot be used by itself.  At least one element
 must be specified in the filter any elements to be included in the
 filter output.
 Example:
   <filter type="subtree">
     <top xmlns="http://example.com/schema/1.2/config"/>
   </filter>

Enns Standards Track [Page 18] RFC 4741 NETCONF Protocol December 2006

 In this example, the <top> element is a selection node, and only this
 node and any child nodes (from the underlying data model) in the
 'http://example.com/schema/1.2/config' namespace will be included in
 the filter output.

6.2.2. Attribute Match Expressions

 An attribute that appears in a subtree filter is part of an
 "attribute match expression".  Any number of (unqualified or
 qualified) XML attributes may be present in any type of filter node.
 In addition to the selection criteria normally applicable to that
 node, the selected data must have matching values for every attribute
 specified in the node.  If an element is not defined to include a
 specified attribute, then it is not selected in the filter output.
 Example:
   <filter type="subtree">
     <t:top xmlns:t="http://example.com/schema/1.2/config">
       <t:interfaces>
         <t:interface t:ifName="eth0"/>
       </t:interfaces>
     </t:top>
   </filter>
 In this example, the <top>, <interfaces>, and <interface> elements
 are containment nodes, and 'ifName' is an attribute match expression.
 Only 'interface' nodes in the 'http://example.com/schema/1.2/config'
 namespace that have an 'ifName' attribute with the value 'eth0' and
 occur within 'interfaces' nodes within 'top' nodes will be included
 in the filter output.

6.2.3. Containment Nodes

 Nodes that contain child elements within a subtree filter are called
 "containment nodes".  Each child element can be any type of node,
 including another containment node.  For each containment node
 specified in a subtree filter, all data model instances that exactly
 match the specified namespaces, element hierarchy, and any attribute
 match expressions are included in the filter output.
 Example:
   <filter type="subtree">
     <top xmlns="http://example.com/schema/1.2/config">
       <users/>
     </top>
   </filter>

Enns Standards Track [Page 19] RFC 4741 NETCONF Protocol December 2006

 In this example, the <top> element is a containment node.

6.2.4. Selection Nodes

 An empty leaf node within a filter is called a "selection node", and
 it represents an "explicit selection" filter on the underlying data
 model.  Presence of any selection nodes within a set of sibling nodes
 will cause the filter to select the specified subtree(s) and suppress
 automatic selection of the entire set of sibling nodes in the
 underlying data model.  For filtering purposes, an empty leaf node
 can be declared either with an empty tag (e.g., <foo/>) or with
 explicit start and end tags (e.g., <foo> </foo>).  Any whitespace
 characters are ignored in this form.
 Example:
   <filter type="subtree">
     <top xmlns="http://example.com/schema/1.2/config">
       <users/>
     </top>
   </filter>
 In this example, the <top> element is a containment node, and the
 <users> element is a selection node.  Only 'users' nodes in the
 'http://example.com/schema/1.2/config' namespace that occur within a
 'top' element that is the root of the configuration datastore will be
 included in the filter output.

6.2.5. Content Match Nodes

 A leaf node that contains simple content is called a "content match
 node".  It is used to select some or all of its sibling nodes for
 filter output, and it represents an exact-match filter on the leaf
 node element content.  The following constraints apply to content
 match nodes:
 o  A content match node must not contain nested elements (i.e., must
    resolve to a simpleType in the XML Schema Definition (XSD)).
 o  Multiple content match nodes (i.e., sibling nodes) are logically
    combined in an "AND" expression.
 o  Filtering of mixed content is not supported.
 o  Filtering of list content is not supported.
 o  Filtering of whitespace-only content is not supported.

Enns Standards Track [Page 20] RFC 4741 NETCONF Protocol December 2006

 o  A content match node must contain non-whitespace characters.  An
    empty element (e.g., <foo></foo>) will be interpreted as a
    selection node (e.g., <foo/>).
 o  Leading and trailing whitespace characters are ignored, but any
    whitespace characters within a block of text characters are not
    ignored or modified.
 If all specified sibling content match nodes in a subtree filter
 expression are 'true', then the filter output nodes are selected in
 the following manner:
 o  Each content match node in the sibling set is included in the
    filter output.
 o  If any containment nodes are present in the sibling set, then they
    are processed further and included if any nested filter criteria
    are also met.
 o  If any selection nodes are present in the sibling set, then all of
    them are included in the filter output.
 o  Otherwise (i.e., there are no selection or containment nodes in
    the filter sibling set), all the nodes defined at this level in
    the underlying data model (and their subtrees, if any) are
    returned in the filter output.
 If any of the sibling content match node tests are 'false', then no
 further filter processing is performed on that sibling set, and none
 of the sibling subtrees are selected by the filter, including the
 content match node(s).
 Example:
   <filter type="subtree">
     <top xmlns="http://example.com/schema/1.2/config">
       <users>
         <user>
           <name>fred</name>
         </user>
       </users>
     </top>
   </filter>
 In this example, the <users> and <user> nodes are both containment
 nodes, and <name> is a content match node.  Since no sibling nodes of
 <name> are specified (and therefore no containment or selection
 nodes), all of the sibling nodes of <name> are returned in the filter

Enns Standards Track [Page 21] RFC 4741 NETCONF Protocol December 2006

 output.  Only 'user' nodes in the
 'http://example.com/schema/1.2/config' namespace that match the
 element hierarchy and for which the <name> element is equal to 'fred'
 will be included in the filter output.

6.3. Subtree Filter Processing

 The filter output (the set of selected nodes) is initially empty.
 Each subtree filter can contain one or more data model fragments,
 which represent portions of the data model that should be selected
 (with all child nodes) in the filter output.
 Each subtree data fragment is compared by the server to the internal
 data models supported by the server.  If the entire subtree data-
 fragment filter (starting from the root to the innermost element
 specified in the filter) exactly matches a corresponding portion of
 the supported data model, then that node and all its children are
 included in the result data.
 The server processes all nodes with the same parent node (sibling
 set) together, starting from the root to the leaf nodes.  The root
 elements in the filter are considered in the same sibling set
 (assuming they are in the same namespace), even though they do not
 have a common parent.
 For each sibling set, the server determines which nodes are included
 (or potentially included) in the filter output, and which sibling
 subtrees are excluded (pruned) from the filter output.  The server
 first determines which types of nodes are present in the sibling set
 and processes the nodes according to the rules for their type.  If
 any nodes in the sibling set are selected, then the process is
 recursively applied to the sibling sets of each selected node.  The
 algorithm continues until all sibling sets in all subtrees specified
 in the filter have been processed.

6.4. Subtree Filtering Examples

6.4.1. No Filter

 Leaving out the filter on the get operation returns the entire data
 model.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get/>
   </rpc>

Enns Standards Track [Page 22] RFC 4741 NETCONF Protocol December 2006

   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <!-- ... entire set of data returned ... -->
     </data>
   </rpc-reply>

6.4.2. Empty Filter

 An empty filter will select nothing because no content match or
 selection nodes are present.  This is not an error.  The filter type
 attribute used in these examples is discussed further in Section 7.1.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get>
       <filter type="subtree">
       </filter>
     </get>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
     </data>
   </rpc-reply>

6.4.3. Select the Entire <users> Subtree

 The filter in this example contains one selection node (<users>), so
 just that subtree is selected by the filter.  This example represents
 the fully-populated <users> data model in most of the filter examples
 that follow.  In a real data model, the <company-info> would not
 likely be returned with the list of users for a particular host or
 network.
 NOTE: The filtering and configuration examples used in this document
 appear in the namespace "http://example.com/schema/1.2/config".  The
 root element of this namespace is <top>.  The <top> element and its
 descendents represent an example configuration data model only.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">

Enns Standards Track [Page 23] RFC 4741 NETCONF Protocol December 2006

         <top xmlns="http://example.com/schema/1.2/config">
           <users/>
         </top>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>root</name>
             <type>superuser</type>
             <full-name>Charlie Root</full-name>
             <company-info>
               <dept>1</dept>
               <id>1</id>
             </company-info>
           </user>
           <user>
             <name>fred</name>
             <type>admin</type>
             <full-name>Fred Flintstone</full-name>
             <company-info>
               <dept>2</dept>
               <id>2</id>
             </company-info>
           </user>
           <user>
             <name>barney</name>
             <type>admin</type>
             <full-name>Barney Rubble</full-name>
             <company-info>
               <dept>2</dept>
               <id>3</id>
             </company-info>
           </user>
         </users>
       </top>
     </data>
   </rpc-reply>
 The following filter request would have produced the same result, but
 only because the container <users> defines one child element
 (<user>).

Enns Standards Track [Page 24] RFC 4741 NETCONF Protocol December 2006

   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user/>
           </users>
         </top>
       </filter>
     </get-config>
   </rpc>

6.4.4. Select All <name> Elements within the <users> Subtree

 This filter contains two containment nodes (<users>, <user>) and one
 selector node (<name>).  All instances of the <name> element in the
 same sibling set are selected in the filter output.  The manager may
 need to know that <name> is used as an instance identifier in this
 particular data structure, but the server does not need to know that
 meta-data in order to process the request.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name/>
             </user>
           </users>
         </top>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>

Enns Standards Track [Page 25] RFC 4741 NETCONF Protocol December 2006

           <user>
             <name>root</name>
           </user>
           <user>
             <name>fred</name>
           </user>
           <user>
             <name>barney</name>
           </user>
         </users>
       </top>
     </data>
   </rpc-reply>

6.4.5. One Specific <user> Entry

 This filter contains two containment nodes (<users>, <user>) and one
 content match node (<name>).  All instances of the sibling set
 containing <name> for which the value of <name> equals "fred" are
 selected in the filter output.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>fred</name>
             </user>
           </users>
         </top>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>fred</name>
             <type>admin</type>
             <full-name>Fred Flintstone</full-name>

Enns Standards Track [Page 26] RFC 4741 NETCONF Protocol December 2006

             <company-info>
               <dept>2</dept>
               <id>2</id>
             </company-info>
           </user>
         </users>
       </top>
     </data>
   </rpc-reply>

6.4.6. Specific Elements from a Specific <user> Entry

 This filter contains two containment nodes (<users>, <user>), one
 content match node (<name>), and two selector nodes (<type>,
 <full-name>).  All instances of the <type> and <full-name> elements
 in the same sibling set containing <name> for which the value of
 <name> equals "fred" are selected in the filter output.  The
 <company-info> element is not included because the sibling set
 contains selection nodes.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>fred</name>
               <type/>
               <full-name/>
             </user>
           </users>
         </top>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>fred</name>
             <type>admin</type>

Enns Standards Track [Page 27] RFC 4741 NETCONF Protocol December 2006

             <full-name>Fred Flintstone</full-name>
           </user>
         </users>
       </top>
     </data>
   </rpc-reply>

6.4.7. Multiple Subtrees

 This filter contains three subtrees (name=root, fred, barney).
 The "root" subtree filter contains two containment nodes (<users>,
 <user>), one content match node (<name>), and one selector node
 (<company-info>).  The subtree selection criteria is met, and just
 the company-info subtree for "root" is selected in the filter output.
 The "fred" subtree filter contains three containment nodes (<users>,
 <user>, <company-info>), one content match node (<name>), and one
 selector node (<id>).  The subtree selection criteria is met, and
 just the <id> element within the company-info subtree for "fred" is
 selected in the filter output.
 The "barney" subtree filter contains three containment nodes
 (<users>, <user>, <company-info>), two content match nodes (<name>,
 <type>), and one selector node (<dept>).  The subtree selection
 criteria is not met because user "barney" is not a "superuser", and
 the entire subtree for "barney" (including its parent <user> entry)
 is excluded from the filter output.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>root</name>
               <company-info/>
             </user>
             <user>
               <name>fred</name>
               <company-info>
                 <id/>
               </company-info>
             </user>

Enns Standards Track [Page 28] RFC 4741 NETCONF Protocol December 2006

             <user>
               <name>barney</name>
               <type>superuser</type>
               <company-info>
                 <dept/>
               </company-info>
             </user>
           </users>
         </top>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>root</name>
             <company-info>
               <dept>1</dept>
               <id>1</id>
             </company-info>
           </user>
           <user>
             <name>fred</name>
             <company-info>
               <id>2</id>
             </company-info>
           </user>
         </users>
       </top>
     </data>
   </rpc-reply>

6.4.8. Elements with Attribute Naming

 In this example, the filter contains one containment node
 (<interfaces>), one attribute match expression (ifName), and one
 selector node (<interface>).  All instances of the <interface>
 subtree that have an ifName attribute equal to "eth0" are selected in
 the filter output.  The filter data elements and attributes must be
 qualified because the ifName attribute will not be considered part of
 the 'schema/1.2' namespace if it is unqualified.

Enns Standards Track [Page 29] RFC 4741 NETCONF Protocol December 2006

   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get>
       <filter type="subtree">
         <t:top xmlns:t="http://example.com/schema/1.2/stats">
           <t:interfaces>
             <t:interface t:ifName="eth0"/>
           </t:interfaces>
         </t:top>
       </filter>
     </get>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <t:top xmlns:t="http://example.com/schema/1.2/stats">
         <t:interfaces>
           <t:interface t:ifName="eth0">
             <t:ifInOctets>45621</t:ifInOctets>
             <t:ifOutOctets>774344</t:ifOutOctets>
           </t:interface>
         </t:interfaces>
       </t:top>
     </data>
   </rpc-reply>
 If ifName were a child node instead of an attribute, then the
 following request would produce similar results.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/stats">
           <interfaces>
             <interface>
               <ifName>eth0</ifName>
             </interface>
           </interfaces>
         </top>
       </filter>
     </get>
   </rpc>

Enns Standards Track [Page 30] RFC 4741 NETCONF Protocol December 2006

7. Protocol Operations

 The NETCONF protocol provides a small set of low-level operations to
 manage device configurations and retrieve device state information.
 The base protocol provides operations to retrieve, configure, copy,
 and delete configuration datastores.  Additional operations are
 provided, based on the capabilities advertised by the device.
 The base protocol includes the following protocol operations:
 o  get
 o  get-config
 o  edit-config
 o  copy-config
 o  delete-config
 o  lock
 o  unlock
 o  close-session
 o  kill-session
 A protocol operation may fail for various reasons, including
 "operation not supported".  An initiator should not assume that any
 operation will always succeed.  The return values in any RPC reply
 should be checked for error responses.
 The syntax and XML encoding of the protocol operations are formally
 defined in the XML schema in Appendix B.  The following sections
 describe the semantics of each protocol operation.

7.1. <get-config>

 Description:
    Retrieve all or part of a specified configuration.

Enns Standards Track [Page 31] RFC 4741 NETCONF Protocol December 2006

 Parameters:
    source:
       Name of the configuration datastore being queried, such as
       <running/>.
    filter:
       The filter element identifies the portions of the device
       configuration to retrieve.  If this element is unspecified, the
       entire configuration is returned.
       The filter element may optionally contain a "type" attribute.
       This attribute indicates the type of filtering syntax used
       within the filter element.  The default filtering mechanism in
       NETCONF is referred to as subtree filtering and is described in
       Section 6.  The value "subtree" explicitly identifies this type
       of filtering.
       If the NETCONF peer supports the :xpath capability
       (Section 8.9), the value "xpath" may be used to indicate that
       the select attribute on the filter element contains an XPath
       expression.
 Positive Response:
    If the device can satisfy the request, the server sends an
    <rpc-reply> element containing a <data> element with the results
    of the query.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
 Example: To retrieve the entire <users> subtree:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/config">
           <users/>
         </top>

Enns Standards Track [Page 32] RFC 4741 NETCONF Protocol December 2006

       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>root</name>
             <type>superuser</type>
             <full-name>Charlie Root</full-name>
             <company-info>
               <dept>1</dept>
               <id>1</id>
             </company-info>
           </user>
           <!-- additional <user> elements appear here... -->
         </users>
       </top>
     </data>
   </rpc-reply>
 If the configuration is available in multiple formats, such as XML
 and text, an XML namespace can be used to specify which format is
 desired.  In the following example, the client uses a specific
 element (<config-text>) in a specific namespace to indicate to the
 server the desire to receive the configuration in an alternative
 format.  The server may support any number of distinct formats or
 views into the configuration data, with the client using the <filter>
 parameter to select between them.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>
       </source>
       <filter type="subtree">
         <!-- request a text version of the configuration -->
         <config-text xmlns="http://example.com/text/1.2/config"/>
       </filter>
     </get-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">

Enns Standards Track [Page 33] RFC 4741 NETCONF Protocol December 2006

     <data>
       <config-text xmlns="http://example.com/text/1.2/config">
         <!-- configuration text... -->
       </config-text>
     </data>
   </rpc-reply>
    Section 6 contains additional examples of subtree filtering.

7.2. <edit-config>

 Description:
    The <edit-config> operation loads all or part of a specified
    configuration to the specified target configuration.  This
    operation allows the new configuration to be expressed in several
    ways, such as using a local file, a remote file, or inline.  If
    the target configuration does not exist, it will be created.  If a
    NETCONF peer supports the :url capability (Section 8.8), the <url>
    element can appear instead of the <config> parameter and should
    identify a local configuration file.
    The device analyzes the source and target configurations and
    performs the requested changes.  The target configuration is not
    necessarily replaced, as with the <copy-config> message.  Instead,
    the target configuration is changed in accordance with the
    source's data and requested operations.
 Attributes:
    operation:
       Elements in the <config> subtree may contain an "operation"
       attribute.  The attribute identifies the point in the
       configuration to perform the operation and MAY appear on
       multiple elements throughout the <config> subtree.
       If the operation attribute is not specified, the configuration
       is merged into the configuration datastore.
       The operation attribute has one of the following values:
       merge: The configuration data identified by the element
          containing this attribute is merged with the configuration
          at the corresponding level in the configuration datastore
          identified by the target parameter.  This is the default
          behavior.

Enns Standards Track [Page 34] RFC 4741 NETCONF Protocol December 2006

       replace: The configuration data identified by the element
          containing this attribute replaces any related configuration
          in the configuration datastore identified by the target
          parameter.  Unlike a <copy-config> operation, which replaces
          the entire target configuration, only the configuration
          actually present in the config parameter is affected.
       create: The configuration data identified by the element
          containing this attribute is added to the configuration if
          and only if the configuration data does not already exist on
          the device.  If the configuration data exists, an
          <rpc-error> element is returned with an <error-tag> value of
          data-exists.
       delete: The configuration data identified by the element
          containing this attribute is deleted in the configuration
          datastore identified by the target parameter.
 Parameters:
    target:
       Name of the configuration datastore being edited, such as
       <running/> or <candidate/>.
    default-operation:
       Selects the default operation (as described in the "operation"
       attribute) for this <edit-config> request.  The default value
       for the default-operation parameter is "merge".
       The default-operation parameter is optional, but if provided,
       it must have one of the following values:
       merge: The configuration data in the <config> parameter is
          merged with the configuration at the corresponding level in
          the target datastore.  This is the default behavior.
       replace: The configuration data in the <config> parameter
          completely replaces the configuration in the target
          datastore.  This is useful for loading previously saved
          configuration data.
       none: The target datastore is unaffected by the configuration
          in the <config> parameter, unless and until the incoming
          configuration data uses the "operation" attribute to request
          a different operation.  If the configuration in the <config>
          parameter contains data for which there is not a

Enns Standards Track [Page 35] RFC 4741 NETCONF Protocol December 2006

          corresponding level in the target datastore, an <rpc-error>
          is returned with an <error-tag> value of data-missing.
          Using "none" allows operations like "delete" to avoid
          unintentionally creating the parent hierarchy of the element
          to be deleted.
    test-option:
       The test-option element may be specified only if the device
       advertises the :validate capability (Section 8.6).
       The test-option element has one of the following values:
       test-then-set: Perform a validation test before attempting to
          set.  If validation errors occur, do not perform the
          <edit-config> operation.  This is the default test-option.
       set: Perform a set without a validation test first.
    error-option:
       The error-option element has one of the following values:
       stop-on-error: Abort the edit-config operation on first error.
          This is the default error-option.
       continue-on-error: Continue to process configuration data on
          error; error is recorded, and negative response is generated
          if any errors occur.
       rollback-on-error: If an error condition occurs such that an
          error severity <rpc-error> element is generated, the server
          will stop processing the edit-config operation and restore
          the specified configuration to its complete state at the
          start of this edit-config operation.  This option requires
          the server to support the :rollback-on-error capability
          described in Section 8.5.
    config:
       A hierarchy of configuration data as defined by one of the
       device's data models.  The contents MUST be placed in an
       appropriate namespace, to allow the device to detect the
       appropriate data model, and the contents MUST follow the
       constraints of that data model, as defined by its capability
       definition.  Capabilities are discussed in Section 8.

Enns Standards Track [Page 36] RFC 4741 NETCONF Protocol December 2006

 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent containing an <ok> element.
 Negative Response:
    An <rpc-error> response is sent if the request cannot be completed
    for any reason.
 Example:
    The <edit-config> examples in this section utilize a simple data
    model, in which multiple instances of the 'interface' element may
    be present, and an instance is distinguished by the 'name' element
    within each 'interface' element.
    Set the MTU to 1500 on an interface named "Ethernet0/0" in the
    running configuration:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <running/>
       </target>
       <config>
         <top xmlns="http://example.com/schema/1.2/config">
           <interface>
             <name>Ethernet0/0</name>
             <mtu>1500</mtu>
           </interface>
         </top>
       </config>
     </edit-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>
    Add an interface named "Ethernet0/0" to the running configuration,
    replacing any previous interface with that name:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>

Enns Standards Track [Page 37] RFC 4741 NETCONF Protocol December 2006

       <target>
         <running/>
       </target>
       <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
         <top xmlns="http://example.com/schema/1.2/config">
           <interface xc:operation="replace">
             <name>Ethernet0/0</name>
             <mtu>1500</mtu>
             <address>
               <name>192.0.2.4</name>
               <prefix-length>24</prefix-length>
             </address>
           </interface>
         </top>
       </config>
     </edit-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>
    Delete the configuration for an interface named "Ethernet0/0" from
    the running configuration:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <running/>
       </target>
       <default-operation>none</default-operation>
       <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
         <top xmlns="http://example.com/schema/1.2/config">
           <interface xc:operation="delete">
             <name>Ethernet0/0</name>
           </interface>
         </top>
       </config>
     </edit-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

Enns Standards Track [Page 38] RFC 4741 NETCONF Protocol December 2006

    Delete interface 192.0.2.4 from an OSPF area (other interfaces
    configured in the same area are unaffected):
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <running/>
       </target>
       <default-operation>none</default-operation>
       <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
         <top xmlns="http://example.com/schema/1.2/config">
           <protocols>
             <ospf>
               <area>
                 <name>0.0.0.0</name>
                 <interfaces>
                   <interface xc:operation="delete">
                     <name>192.0.2.4</name>
                   </interface>
                 </interfaces>
               </area>
             </ospf>
           </protocols>
         </top>
       </config>
     </edit-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

7.3. <copy-config>

 Description:
    Create or replace an entire configuration datastore with the
    contents of another complete configuration datastore.  If the
    target datastore exists, it is overwritten.  Otherwise, a new one
    is created, if allowed.
    If a NETCONF peer supports the :url capability (Section 8.8), the
    <url> element can appear as the <source> or <target> parameter.
    Even if it advertises the :writable-running capability, a device
    may choose not to support the <running/> configuration datastore

Enns Standards Track [Page 39] RFC 4741 NETCONF Protocol December 2006

    as the <target> parameter of a <copy-config> operation.  A device
    may choose not to support remote-to-remote copy operations, where
    both the <source> and <target> parameters use the <url> element.
    If the source and target parameters identify the same URL or
    configuration datastore, an error MUST be returned with an error-
    tag containing invalid-value.
 Parameters:
    target:
       Name of the configuration datastore to use as the destination
       of the copy operation.
    source:
       Name of the configuration datastore to use as the source of the
       copy operation or the <config> element containing the
       configuration subtree to copy.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that includes an <ok> element.
 Negative Response:
    An <rpc-error> element is included within the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <copy-config>
       <target>
         <running/>
       </target>
       <source>
         <url>https://user@example.com:passphrase/cfg/new.txt</url>
       </source>
     </copy-config>
   </rpc>

Enns Standards Track [Page 40] RFC 4741 NETCONF Protocol December 2006

   <rpc-reply message-id="101"
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

7.4. <delete-config>

 Description:
    Delete a configuration datastore.  The <running> configuration
    datastore cannot be deleted.
    If a NETCONF peer supports the :url capability (Section 8.8), the
    <url> element can appear as the <target> parameter.
 Parameters:
    target:
       Name of the configuration datastore to delete.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that includes an <ok> element.
 Negative Response:
    An <rpc-error> element is included within the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <delete-config>
       <target>
         <startup/>
       </target>
     </delete-config>
   </rpc>
    <rpc-reply message-id="101"
         xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

Enns Standards Track [Page 41] RFC 4741 NETCONF Protocol December 2006

7.5. <lock>

 Description:
    The lock operation allows the client to lock the configuration
    system of a device.  Such locks are intended to be short-lived and
    allow a client to make a change without fear of interaction with
    other NETCONF clients, non-NETCONF clients (e.g., SNMP and command
    line interface (CLI) scripts), and human users.
    An attempt to lock the configuration MUST fail if an existing
    session or other entity holds a lock on any portion of the lock
    target.
    When the lock is acquired, the server MUST prevent any changes to
    the locked resource other than those requested by this session.
    SNMP and CLI requests to modify the resource MUST fail with an
    appropriate error.
    The duration of the lock is defined as beginning when the lock is
    acquired and lasting until either the lock is released or the
    NETCONF session closes.  The session closure may be explicitly
    performed by the client, or implicitly performed by the server
    based on criteria such as failure of the underlying transport, or
    simple inactivity timeout.  This criteria is dependent on the
    implementation and the underlying transport.
    The lock operation takes a mandatory parameter, target.  The
    target parameter names the configuration that will be locked.
    When a lock is active, using the <edit-config> operation on the
    locked configuration and using the locked configuration as a
    target of the <copy-config> operation will be disallowed by any
    other NETCONF session.  Additionally, the system will ensure that
    these locked configuration resources will not be modified by other
    non-NETCONF management operations such as SNMP and CLI.  The
    <kill-session> message (at the RPC layer) can be used to force the
    release of a lock owned by another NETCONF session.  It is beyond
    the scope of this document to define how to break locks held by
    other entities.
    A lock MUST not be granted if either of the following conditions
    is true:
  • A lock is already held by any NETCONF session or another

entity.

Enns Standards Track [Page 42] RFC 4741 NETCONF Protocol December 2006

  • The target configuration is <candidate>, it has already been

modified, and these changes have not been committed or rolled

       back.
    The server MUST respond with either an <ok> element or an
    <rpc-error>.
    A lock will be released by the system if the session holding the
    lock is terminated for any reason.
 Parameters:
    target:
       Name of the configuration datastore to lock.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that contains an <ok> element.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
    If the lock is already held, the <error-tag> element will be
    'lock-denied' and the <error-info> element will include the
    <session-id> of the lock owner.  If the lock is held by a non-
    NETCONF entity, a <session-id> of 0 (zero) is included.  Note that
    any other entity performing a lock on even a partial piece of a
    target will prevent a NETCONF lock (which is global) from being
    obtained on that target.
 Example:
    The following example shows a successful acquisition of a lock.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <lock>
       <target>
         <running/>
       </target>
     </lock>
   </rpc>

Enns Standards Track [Page 43] RFC 4741 NETCONF Protocol December 2006

   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/> <!-- lock succeeded -->
   </rpc-reply>
 Example:
    The following example shows a failed attempt to acquire a lock
    when the lock is already in use.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <lock>
       <target>
         <running/>
       </target>
     </lock>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <rpc-error> <!-- lock failed -->
       <error-type>protocol</error-type>
       <error-tag>lock-denied</error-tag>
       <error-severity>error</error-severity>
       <error-message>
         Lock failed, lock is already held
       </error-message>
       <error-info>
         <session-id>454</session-id>
         <!-- lock is held by NETCONF session 454 -->
       </error-info>
     </rpc-error>
   </rpc-reply>

7.6. <unlock>

 Description:
    The unlock operation is used to release a configuration lock,
    previously obtained with the <lock> operation.
    An unlock operation will not succeed if any of the following
    conditions are true:
  • the specified lock is not currently active

Enns Standards Track [Page 44] RFC 4741 NETCONF Protocol December 2006

  • the session issuing the <unlock> operation is not the same

session that obtained the lock

    The server MUST respond with either an <ok> element or an
    <rpc-error>.
 Parameters:
    target:
       Name of the configuration datastore to unlock.
       A NETCONF client is not permitted to unlock a configuration
       datastore that it did not lock.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that contains an <ok> element.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <unlock>
       <target>
        <running/>
       </target>
     </unlock>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

7.7. <get>

 Description:
    Retrieve running configuration and device state information.

Enns Standards Track [Page 45] RFC 4741 NETCONF Protocol December 2006

 Parameters:
    filter:
       This parameter specifies the portion of the system
       configuration and state data to retrieve.  If this parameter is
       empty, all the device configuration and state information is
       returned.
       The filter element may optionally contain a 'type' attribute.
       This attribute indicates the type of filtering syntax used
       within the filter element.  The default filtering mechanism in
       NETCONF is referred to as subtree filtering and is described in
       Section 6.  The value 'subtree' explicitly identifies this type
       of filtering.
       If the NETCONF peer supports the :xpath capability
       (Section 8.9), the value "xpath" may be used to indicate that
       the select attribute of the filter element contains an XPath
       expression.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent.  The <data> section contains the appropriate subset.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get>
       <filter type="subtree">
         <top xmlns="http://example.com/schema/1.2/stats">
           <interfaces>
             <interface>
               <ifName>eth0</ifName>
             </interface>
           </interfaces>
         </top>
       </filter>
     </get>
   </rpc>

Enns Standards Track [Page 46] RFC 4741 NETCONF Protocol December 2006

   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <data>
       <top xmlns="http://example.com/schema/1.2/stats">
         <interfaces>
           <interface>
             <ifName>eth0</ifName>
             <ifInOctets>45621</ifInOctets>
             <ifOutOctets>774344</ifOutOctets>
           </interface>
         </interfaces>
       </top>
     </data>
   </rpc-reply>

7.8. <close-session>

 Description:
    Request graceful termination of a NETCONF session.
    When a NETCONF server receives a <close-session> request, it will
    gracefully close the session.  The server will release any locks
    and resources associated with the session and gracefully close any
    associated connections.  Any NETCONF requests received after a
    <close-session> request will be ignored.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that includes an <ok> element.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <close-session/>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

Enns Standards Track [Page 47] RFC 4741 NETCONF Protocol December 2006

7.9. <kill-session>

 Description:
    Force the termination of a NETCONF session.
    When a NETCONF entity receives a <kill-session> request for an
    open session, it will abort any operations currently in process,
    release any locks and resources associated with the session, and
    close any associated connections.
    If a NETCONF server receives a <kill-session> request while
    processing a confirmed commit (Section 8.4), it must restore the
    configuration to its state before the confirmed commit was issued.
    Otherwise, the <kill-session> operation does not roll back
    configuration or other device state modifications made by the
    entity holding the lock.
 Parameters:
    session-id:
       Session identifier of the NETCONF session to be terminated.  If
       this value is equal to the current session ID, an
       'invalid-value' error is returned.
 Positive Response:
    If the device was able to satisfy the request, an <rpc-reply> is
    sent that includes an <ok> element.
 Negative Response:
    An <rpc-error> element is included in the <rpc-reply> if the
    request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <kill-session>
       <session-id>4</session-id>
     </kill-session>
   </rpc>

Enns Standards Track [Page 48] RFC 4741 NETCONF Protocol December 2006

   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

8. Capabilities

 This section defines a set of capabilities that a client or a server
 MAY implement.  Each peer advertises its capabilities by sending them
 during an initial capabilities exchange.  Each peer needs to
 understand only those capabilities that it might use and MUST ignore
 any capability received from the other peer that it does not require
 or does not understand.
 Additional capabilities can be defined using the template in
 Appendix C.  Future capability definitions may be published as
 standards by standards bodies or published as proprietary extensions.
 A NETCONF capability is identified with a URI.  The base capabilities
 are defined using URNs following the method described in RFC 3553
 [6].  Capabilities defined in this document have the following
 format:
    urn:ietf:params:netconf:capability:{name}:1.0
 where {name} is the name of the capability.  Capabilities are often
 referenced in discussions and email using the shorthand :{name}.  For
 example, the foo capability would have the formal name
 "urn:ietf:params:netconf:capability:foo:1.0" and be called ":foo".
 The shorthand form MUST NOT be used inside the protocol.

8.1. Capabilities Exchange

 Capabilities are advertised in messages sent by each peer during
 session establishment.  When the NETCONF session is opened, each peer
 (both client and server) MUST send a <hello> element containing a
 list of that peer's capabilities.  Each peer MUST send at least the
 base NETCONF capability, "urn:ietf:params:netconf:base:1.0".
 A server sending the <hello> element MUST include a <session-id>
 element containing the session ID for this NETCONF session.  A client
 sending the <hello> element MUST NOT include a <session-id> element.
 A server receiving a <session-id> element MUST NOT continue the
 NETCONF session.  Similarly, a client that does not receive a
 <session-id> element in the server's <hello> message MUST NOT
 continue the NETCONF session.  In both cases, the underlying
 transport should be closed.

Enns Standards Track [Page 49] RFC 4741 NETCONF Protocol December 2006

 In the following example, a server advertises the base NETCONF
 capability, one NETCONF capability defined in the base NETCONF
 document, and one implementation-specific capability.
 <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
   <capabilities>
     <capability>
       urn:ietf:params:netconf:base:1.0
     </capability>
     <capability>
       urn:ietf:params:netconf:capability:startup:1.0
     </capability>
     <capability>
       http://example.net/router/2.3/myfeature
     </capability>
   </capabilities>
   <session-id>4</session-id>
 </hello>
 Each peer sends its <hello> element simultaneously as soon as the
 connection is open.  A peer MUST NOT wait to receive the capability
 set from the other side before sending its own set.

8.2. Writable-Running Capability

8.2.1. Description

 The :writable-running capability indicates that the device supports
 direct writes to the <running> configuration datastore.  In other
 words, the device supports edit-config and copy-config operations
 where the <running> configuration is the target.

8.2.2. Dependencies

 None.

8.2.3. Capability Identifier

 The :writable-running capability is identified by the following
 capability string:
    urn:ietf:params:netconf:capability:writable-running:1.0

Enns Standards Track [Page 50] RFC 4741 NETCONF Protocol December 2006

8.2.4. New Operations

 None.

8.2.5. Modifications to Existing Operations

8.2.5.1. <edit-config>

 The :writable-running capability modifies the <edit-config> operation
 to accept the <running> element as a <target>.

8.2.5.2. <copy-config>

 The :writable-running capability modifies the <copy-config> operation
 to accept the <running> element as a <target>.

8.3. Candidate Configuration Capability

8.3.1. Description

 The candidate configuration capability, :candidate, indicates that
 the device supports a candidate configuration datastore, which is
 used to hold configuration data that can be manipulated without
 impacting the device's current configuration.  The candidate
 configuration is a full configuration data set that serves as a work
 place for creating and manipulating configuration data.  Additions,
 deletions, and changes may be made to this data to construct the
 desired configuration data.  A <commit> operation may be performed at
 any time that causes the device's running configuration to be set to
 the value of the candidate configuration.
 The <commit> operation effectively sets the running configuration to
 the current contents of the candidate configuration.  While it could
 be modeled as a simple copy, it is done as a distinct operation for a
 number of reasons.  In keeping high-level concepts as first class
 operations, we allow developers to see more clearly both what the
 client is requesting and what the server must perform.  This keeps
 the intentions more obvious, the special cases less complex, and the
 interactions between operations more straightforward.  For example,
 the :confirmed-commit capability (Section 8.4) would make no sense as
 a "copy confirmed" operation.
 The candidate configuration may be shared among multiple sessions.
 Unless a client has specific information that the candidate
 configuration is not shared, it must assume that other sessions may
 be able to modify the candidate configuration at the same time.  It
 is therefore prudent for a client to lock the candidate configuration
 before modifying it.

Enns Standards Track [Page 51] RFC 4741 NETCONF Protocol December 2006

 The client can discard any uncommitted changes to the candidate
 configuration by executing the <discard-changes> operation.  This
 operation reverts the contents of the candidate configuration to the
 contents of the running configuration.

8.3.2. Dependencies

 None.

8.3.3. Capability Identifier

 The :candidate capability is identified by the following capability
 string:
    urn:ietf:params:netconf:capability:candidate:1.0

8.3.4. New Operations

8.3.4.1. <commit>

 Description:
       When a candidate configuration's content is complete, the
       configuration data can be committed, publishing the data set to
       the rest of the device and requesting the device to conform to
       the behavior described in the new configuration.
       To commit the candidate configuration as the device's new
       current configuration, use the <commit> operation.
       The <commit> operation instructs the device to implement the
       configuration data contained in the candidate configuration.
       If the device is unable to commit all of the changes in the
       candidate configuration datastore, then the running
       configuration MUST remain unchanged.  If the device does
       succeed in committing, the running configuration MUST be
       updated with the contents of the candidate configuration.
       If the system does not have the :candidate capability, the
       <commit> operation is not available.
 Positive Response:
       If the device was able to satisfy the request, an <rpc-reply>
       is sent that contains an <ok> element.

Enns Standards Track [Page 52] RFC 4741 NETCONF Protocol December 2006

 Negative Response:
       An <rpc-error> element is included in the <rpc-reply> if the
       request cannot be completed for any reason.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <commit/>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

8.3.4.2. <discard-changes>

 If the client decides that the candidate configuration should not be
 committed, the <discard-changes> operation can be used to revert the
 candidate configuration to the current running configuration.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <discard-changes/>
   </rpc>
 This operation discards any uncommitted changes by resetting the
 candidate configuration with the content of the running
 configuration.

8.3.5. Modifications to Existing Operations

8.3.5.1. <get-config>, <edit-config>, <copy-config>, and <validate>

 The candidate configuration can be used as a source or target of any
 <get-config>, <edit-config>, <copy-config>, or <validate> operation
 as a <source> or <target> parameter.  The <candidate> element is used
 to indicate the candidate configuration:

Enns Standards Track [Page 53] RFC 4741 NETCONF Protocol December 2006

   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config> <!-- any NETCONF operation -->
       <source>
         <candidate/>
       </source>
     </get-config>
   </rpc>

8.3.5.2. <lock> and <unlock>

 The candidate configuration can be locked using the <lock> operation
 with the <candidate> element as the <target> parameter:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <lock>
       <target>
         <candidate/>
       </target>
     </lock>
   </rpc>
 Similarly, the candidate configuration is unlocked using the
 <candidate> element as the <target> parameter:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <unlock>
       <target>
         <candidate/>
       </target>
     </unlock>
   </rpc>
 When a client fails with outstanding changes to the candidate
 configuration, recovery can be difficult.  To facilitate easy
 recovery, any outstanding changes are discarded when the lock is
 released, whether explicitly with the <unlock> operation or
 implicitly from session failure.

Enns Standards Track [Page 54] RFC 4741 NETCONF Protocol December 2006

8.4. Confirmed Commit Capability

8.4.1. Description

 The :confirmed-commit capability indicates that the server will
 support the <confirmed> and <confirm-timeout> parameters for the
 <commit> protocol operation.  See Section 8.3 for further details on
 the <commit> operation.
 A confirmed commit operation MUST be reverted if a follow-up commit
 (called the "confirming commit") is not issued within 600 seconds (10
 minutes).  The timeout period can be adjusted with the
 <confirm-timeout> element.  The confirming commit can itself include
 a <confirmed> parameter.
 If the session issuing the confirmed commit is terminated for any
 reason before the confirm timeout expires, the server MUST restore
 the configuration to its state before the confirmed commit was
 issued.
 If the device reboots for any reason before the confirm timeout
 expires, the server MUST restore the configuration to its state
 before the confirmed commit was issued.
 If a confirming commit is not issued, the device will revert its
 configuration to the state prior to the issuance of the confirmed
 commit.  Note that any commit operation, including a commit which
 introduces additional changes to the configuration, will serve as a
 confirming commit.  Thus to cancel a confirmed commit and revert
 changes without waiting for the confirm timeout to expire, the
 manager can explicitly restore the configuration to its state before
 the confirmed commit was issued.
 For shared configurations, this feature can cause other configuration
 changes (for example, via other NETCONF sessions) to be inadvertently
 altered or removed, unless the configuration locking feature is used
 (in other words, the lock is obtained before the edit-config
 operation is started).  Therefore, it is strongly suggested that in
 order to use this feature with shared configuration databases,
 configuration locking should also be used.

8.4.2. Dependencies

 The :confirmed-commit capability is only relevant if the :candidate
 capability is also supported.

Enns Standards Track [Page 55] RFC 4741 NETCONF Protocol December 2006

8.4.3. Capability Identifier

 The :confirmed-commit capability is identified by the following
 capability string:
    urn:ietf:params:netconf:capability:confirmed-commit:1.0

8.4.4. New Operations

 None.

8.4.5. Modifications to Existing Operations

8.4.5.1. <commit>

 The :confirmed-commit capability allows 2 additional parameters to
 the <commit> operation.
 Parameters:
    confirmed:
          Perform a confirmed commit operation.
    confirm-timeout:
          Timeout period for confirmed commit, in seconds.  If
          unspecified, the confirm timeout defaults to 600 seconds.
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <commit>
       <confirmed/>
       <confirm-timeout>120</confirm-timeout>
     </commit>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

Enns Standards Track [Page 56] RFC 4741 NETCONF Protocol December 2006

8.5. Rollback on Error Capability

8.5.1. Description

 This capability indicates that the server will support the
 'rollback-on-error' value in the <error-option> parameter to the
 <edit-config> operation.
 For shared configurations, this feature can cause other configuration
 changes (for example, via other NETCONF sessions) to be inadvertently
 altered or removed, unless the configuration locking feature is used
 (in other words, the lock is obtained before the edit-config
 operation is started).  Therefore, it is strongly suggested that in
 order to use this feature with shared configuration databases,
 configuration locking also be used.

8.5.2. Dependencies

 None

8.5.3. Capability Identifier

 The :rollback-on-error capability is identified by the following
 capability string:
    urn:ietf:params:netconf:capability:rollback-on-error:1.0

8.5.4. New Operations

 None.

8.5.5. Modifications to Existing Operations

8.5.5.1. <edit-config>

 The :rollback-on-error capability allows the 'rollback-on-error'
 value to the <error-option> parameter on the <edit-config> operation.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <running/>
       </target>
       <error-option>rollback-on-error</error-option>
       <config>
         <top xmlns="http://example.com/schema/1.2/config">

Enns Standards Track [Page 57] RFC 4741 NETCONF Protocol December 2006

           <interface>
             <name>Ethernet0/0</name>
             <mtu>100000</mtu>
           </interface>
         </top>
       </config>
     </edit-config>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

8.6. Validate Capability

8.6.1. Description

 Validation consists of checking a candidate configuration for
 syntactical and semantic errors before applying the configuration to
 the device.
 If this capability is advertised, the device supports the <validate>
 protocol operation and checks at least for syntax errors.  In
 addition, this capability supports the test-option parameter to the
 <edit-config> operation and, when it is provided, checks at least for
 syntax errors.

8.6.2. Dependencies

 None.

8.6.3. Capability Identifier

 The :validate capability is identified by the following capability
 string:
    urn:ietf:params:netconf:capability:validate:1.0

8.6.4. New Operations

8.6.4.1. <validate>

 Description:
       This protocol operation validates the contents of the specified
       configuration.

Enns Standards Track [Page 58] RFC 4741 NETCONF Protocol December 2006

 Parameters:
    source:
          Name of the configuration datastore being validated, such as
          <candidate> or the <config> element containing the
          configuration subtree to validate.
 Positive Response:
       If the device was able to satisfy the request, an <rpc-reply>
       is sent that contains an <ok> element.
 Negative Response:
       An <rpc-error> element is included in the <rpc-reply> if the
       request cannot be completed for any reason.
       A validate operation can fail for any of the following reasons:
       +  Syntax errors
       +  Missing parameters
       +  References to undefined configuration data
 Example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <validate>
       <source>
         <candidate/>
       </source>
     </validate>
   </rpc>
   <rpc-reply message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <ok/>
   </rpc-reply>

Enns Standards Track [Page 59] RFC 4741 NETCONF Protocol December 2006

8.7. Distinct Startup Capability

8.7.1. Description

 The device supports separate running and startup configuration
 datastores.  Operations that affect the running configuration will
 not be automatically copied to the startup configuration.  An
 explicit <copy-config> operation from the <running> to the <startup>
 must be invoked to update the startup configuration to the current
 contents of the running configuration.  NETCONF protocol operations
 refer to the startup datastore using the <startup> element.

8.7.2. Dependencies

 None.

8.7.3. Capability Identifier

 The :startup capability is identified by the following capability
 string:
    urn:ietf:params:netconf:capability:startup:1.0

8.7.4. New Operations

 None.

8.7.5. Modifications to Existing Operations

8.7.5.1. General

 The :startup capability adds the <startup/> configuration datastore
 to arguments of several NETCONF operations.  The server MUST support
 the following additional values:

Enns Standards Track [Page 60] RFC 4741 NETCONF Protocol December 2006

 +--------------------+--------------------------+-------------------+
 | Operation          | Parameters               | Notes             |
 +--------------------+--------------------------+-------------------+
 | <get-config>       | <source>                 |                   |
 |                    |                          |                   |
 | <copy-config>      | <source> <target>        |                   |
 |                    |                          |                   |
 | <lock>             | <target>                 |                   |
 |                    |                          |                   |
 | <unlock>           | <target>                 |                   |
 |                    |                          |                   |
 | <validate>         | <source>                 | If :validate is   |
 |                    |                          | advertised        |
 +--------------------+--------------------------+-------------------+
 To save the startup configuration, use the copy-config operation to
 copy the <running> configuration datastore to the <startup>
 configuration datastore.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <copy-config>
       <source>
         <running/>
       </source>
       <target>
         <startup/>
       </target>
     </copy-config>
   </rpc>

8.8. URL Capability

8.8.1. Description

 The NETCONF peer has the ability to accept the <url> element in
 <source> and <target> parameters.  The capability is further
 identified by URL arguments indicating the URL schemes supported.

8.8.2. Dependencies

 None.

Enns Standards Track [Page 61] RFC 4741 NETCONF Protocol December 2006

8.8.3. Capability Identifier

 The :url capability is identified by the following capability string:
 urn:ietf:params:netconf:capability:url:1.0?scheme={name,...}
 The :url capability URI MUST contain a "scheme" argument assigned a
 comma-separated list of scheme names indicating which schemes the
 NETCONF peer supports.  For example:
    urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file

8.8.4. New Operations

 None.

8.8.5. Modifications to Existing Operations

8.8.5.1. <edit-config>

 The :url capability modifies the <edit-config> operation to accept
 the <url> element as an alternative to the <config> parameter.  If
 the <url> element is specified, then it should identify a local
 configuration file.

8.8.5.2. <copy-config>

 The :url capability modifies the <copy-config> operation to accept
 the <url> element as the value of the <source> and the <target>
 parameters.

8.8.5.3. <delete-config>

 The :url capability modifies the <delete-config> operation to accept
 the <url> element as the value of the <target> parameters.  If this
 parameter contains a URL, then it should identify a local
 configuration file.

8.8.5.4. <validate>

 The :url capability modifies the <validate> operation to accept the
 <url> element as the value of the <source> parameter.

Enns Standards Track [Page 62] RFC 4741 NETCONF Protocol December 2006

8.9. XPath Capability

8.9.1. Description

 The XPath capability indicates that the NETCONF peer supports the use
 of XPath expressions in the <filter> element.  XPath is described in
 [2].
 The XPath expression must return a node-set.
 The XPath expression is evaluated in a context where the context node
 is the root node, and the set of namespace declarations are those in
 scope on the filter element, including the default namespace.

8.9.2. Dependencies

 None.

8.9.3. Capability Identifier

 The :xpath capability is identified by the following capability
 string:
    urn:ietf:params:netconf:capability:xpath:1.0

8.9.4. New Operations

 None.

8.9.5. Modifications to Existing Operations

8.9.5.1. <get-config> and <get>

 The :xpath capability modifies the <get> and <get-config> operations
 to accept the value "xpath" in the type attribute of the filter
 element.  When the type attribute is set to "xpath", a select
 attribute MUST be present on the filter element.  The select
 attribute will be treated as an XPath expression and used to filter
 the returned data.  The filter element itself MUST be empty in this
 case.
 For example:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <get-config>
       <source>
         <running/>

Enns Standards Track [Page 63] RFC 4741 NETCONF Protocol December 2006

       </source>
       <!-- get the user named fred -->
       <filter type="xpath" select="top/users/user[name='fred']"/>
      </get-config>
   </rpc>

9. Security Considerations

 This document does not specify an authorization scheme, as such a
 scheme should be tied to a meta-data model or a data model.
 Implementors SHOULD provide a comprehensive authorization scheme with
 NETCONF.
 Authorization of individual users via the NETCONF server may or may
 not map 1:1 to other interfaces.  First, the data models may be
 incompatible.  Second, it may be desirable to authorize based on
 mechanisms available in the transport protocol layer (TELNET, SSH,
 etc).
 In addition, operations on configurations may have unintended
 consequences if those operations are also not guarded by the global
 lock on the files or objects being operated upon.  For instance, a
 partially complete access list could be committed from a candidate
 configuration unbeknownst to the owner of the lock of the candidate
 configuration, leading to either an insecure or inaccessible device
 if the lock on the candidate configuration does not also apply to the
 <copy-config> operation when applied to it.
 Configuration information is by its very nature sensitive.  Its
 transmission in the clear and without integrity checking leaves
 devices open to classic eavesdropping attacks.  Configuration
 information often contains passwords, user names, service
 descriptions, and topological information, all of which are
 sensitive.  Because of this, this protocol should be implemented
 carefully with adequate attention to all manner of attack one might
 expect to experience with other management interfaces.
 The protocol, therefore, must minimally support options for both
 confidentiality and authentication.  It is anticipated that the
 underlying protocol (SSH, BEEP, etc) will provide for both
 confidentiality and authentication, as is required.  It is further
 expected that the identity of each end of a NETCONF session will be
 available to the other in order to determine authorization for any
 given request.  One could also easily envision additional
 information, such as transport and encryption methods, being made
 available for purposes of authorization.  NETCONF itself provide no
 means to re-authenticate, much less authenticate.  All such actions
 occur at lower layers.

Enns Standards Track [Page 64] RFC 4741 NETCONF Protocol December 2006

 Different environments may well allow different rights prior to and
 then after authentication.  Thus, an authorization model is not
 specified in this document.  When an operation is not properly
 authorized, a simple "access denied" is sufficient.  Note that
 authorization information may be exchanged in the form of
 configuration information, which is all the more reason to ensure the
 security of the connection.
 That having been said, it is important to recognize that some
 operations are clearly more sensitive by nature than others.  For
 instance, <copy-config> to the startup or running configurations is
 clearly not a normal provisioning operation, whereas <edit-config>
 is.  Such global operations MUST disallow the changing of information
 that an individual does not have authorization to perform.  For
 example, if a user A is not allowed to configure an IP address on an
 interface but user B has configured an IP address on an interface in
 the <candidate> configuration, user A must not be allowed to commit
 the <candidate> configuration.
 Similarly, just because someone says "go write a configuration
 through the URL capability at a particular place", this does not mean
 that an element should do it without proper authorization.
 The <lock> operation will demonstrate that NETCONF is intended for
 use by systems that have at least some trust of the administrator.
 As specified in this document, it is possible to lock portions of a
 configuration that a principal might not otherwise have access to.
 After all, the entire configuration is locked.  To mitigate this
 problem, there are two approaches.  It is possible to kill another
 NETCONF session programmatically from within NETCONF if one knows the
 session identifier of the offending session.  The other possible way
 to break a lock is to provide an function within the device's native
 user interface.  These two mechanisms suffer from a race condition
 that may be ameliorated by removing the offending user from an AAA
 server.  However, such a solution is not useful in all deployment
 scenarios, such as those where SSH public/private key pairs are used.

Enns Standards Track [Page 65] RFC 4741 NETCONF Protocol December 2006

10. IANA Considerations

10.1. NETCONF XML Namespace

 This document registers a URI for the NETCONF XML namespace in the
 IETF XML registry [7].
 Following the format in RFC 3688, IANA has made the following
 registration.
 URI: urn:ietf:params:xml:ns:netconf:base:1.0
 Registrant Contact: The IESG.
 XML: N/A, the requested URI is an XML namespace.

10.2. NETCONF XML Schema

 This document registers a URI for the NETCONF XML schema in the IETF
 XML registry [7].
 Following the format in RFC 3688, IANA has made the following
 registration.
 URI: urn:ietf:params:xml:schema:netconf
 Registrant Contact: The IESG.
 XML: Appendix B of this document.

10.3. NETCONF Capability URNs

 This document creates a registry that allocates NETCONF capability
 identifiers.  Additions to the registry require IETF Standards
 Action.
 The initial content of the registry contains the capability URNs
 defined in Section 8.
 Following the guidelines in RFC 3553 [6], IANA assigned a NETCONF
 sub-namespace as follows:
 Registry name: netconf
 Specification: Section 8 of this document.
 Repository: The following table.

Enns Standards Track [Page 66] RFC 4741 NETCONF Protocol December 2006

 +--------------------+----------------------------------------------+
 | Index              | Capability Identifier                        |
 +--------------------+----------------------------------------------+
 | :writable-running  | urn:ietf:params:netconf:capability:writable- |
 |                    | running:1.0                                  |
 |                    |                                              |
 | :candidate         | urn:ietf:params:netconf:capability:candidate |
 |                    | :1.0                                         |
 |                    |                                              |
 | :confirmed-commit  | urn:ietf:params:netconf:capability:confirmed |
 |                    | -commit:1.0                                  |
 |                    |                                              |
 | :rollback-on-error | urn:ietf:params:netconf:capability:rollback- |
 |                    | on-error:1.0                                 |
 |                    |                                              |
 | :validate          | urn:ietf:params:netconf:capability:validate: |
 |                    | 1.0                                          |
 |                    |                                              |
 | :startup           | urn:ietf:params:netconf:capability:startup:1 |
 |                    | .0                                           |
 |                    |                                              |
 | :url               | urn:ietf:params:netconf:capability:url:1.0   |
 |                    |                                              |
 | :xpath             | urn:ietf:params:netconf:capability:xpath:1.0 |
 +--------------------+----------------------------------------------+
 Index value: The capability name.

Enns Standards Track [Page 67] RFC 4741 NETCONF Protocol December 2006

11. Authors and Acknowledgements

 This document was written by:
    Andy Bierman
    Ken Crozier, Cisco Systems
    Rob Enns, Juniper Networks
    Ted Goddard, IceSoft
    Eliot Lear, Cisco Systems
    Phil Shafer, Juniper Networks
    Steve Waldbusser
    Margaret Wasserman, ThingMagic
 The authors would like to acknowledge the members of the NETCONF
 working group.  In particular, we would like to thank Wes Hardaker
 for his persistance and patience in assisting us with security
 considerations.  We would also like to thank Randy Presuhn, Sharon
 Chisholm, Juergen Schoenwalder, Glenn Waters, David Perkins, Weijing
 Chen, Simon Leinen, Keith Allen, and Dave Harrington for all of their
 valuable advice.

12. References

12.1. Normative References

 [1]  Sperberg-McQueen, C., Paoli, J., Maler, E., and T. Bray,
      "Extensible Markup Language (XML) 1.0 (Second Edition)", World
      Wide Web Consortium, http://www.w3.org/TR/2000/REC-xml-20001006,
      October 2000.
 [2]  Clark, J. and S. DeRose, "XML Path Language (XPath) Version
      1.0", World Wide Web Consortium Recommendation,
      http://www.w3.org/TR/1999/REC-xpath-19991116, November 1999.
 [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
      Levels", BCP 14, RFC 2119, March 1997.
 [4]  Wasserman, M. and T. Goddard, "Using the NETCONF Configuration
      Protocol over Secure SHell (SSH)", RFC 4742, December 2006.

Enns Standards Track [Page 68] RFC 4741 NETCONF Protocol December 2006

 [5]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
      Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
      January 2005.
 [6]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF
      URN Sub-namespace for Registered Protocol Parameters", BCP 73,
      RFC 3553, June 2003.
 [7]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
      January 2004.

12.2. Informative References

 [8]   Clark, J., "XSL Transformations (XSLT) Version 1.0", World Wide
       Web Consortium Recommendation, http://www.w3.org/TR/1999/REC-
       xslt-19991116, November 1999.
 [9]   Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
       Protocol Version 1.1", RFC 4346, April 2006.
 [10]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Protocol
       Architecture", RFC 4251, January 2006.
 [11]  Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
       Authentication Dial In User Service (RADIUS)", RFC 2865,
       June 2000.
 [12]  Hollenbeck, S., Rose, M., and L. Masinter, "Guidelines for the
       Use of Extensible Markup Language (XML) within IETF Protocols",
       BCP 70, RFC 3470, January 2003.

Enns Standards Track [Page 69] RFC 4741 NETCONF Protocol December 2006

Appendix A. NETCONF Error List

 Tag:         in-use
 Error-type:  protocol, application
 Severity:    error
 Error-info:  none
 Description: The request requires a resource that already in use.
 Tag:         invalid-value
 Error-type:  protocol, application
 Severity:    error
 Error-info:  none
 Description: The request specifies an unacceptable value for one
              or more parameters.
 Tag:         too-big
 Error-type:  transport, rpc, protocol, application
 Severity:    error
 Error-info:  none
 Description: The request or response (that would be generated) is too
              large for the implementation to handle.
 Tag:         missing-attribute
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-attribute> : name of the missing attribute
              <bad-element> : name of the element that should
              contain the missing attribute
 Description: An expected attribute is missing.
 Tag:         bad-attribute
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-attribute> : name of the attribute w/ bad value
              <bad-element> : name of the element that contains
              the attribute with the bad value
 Description: An attribute value is not correct; e.g., wrong type,
              out of range, pattern mismatch.
 Tag:         unknown-attribute
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-attribute> : name of the unexpected attribute
              <bad-element> : name of the element that contains
              the unexpected attribute
 Description: An unexpected attribute is present.

Enns Standards Track [Page 70] RFC 4741 NETCONF Protocol December 2006

 Tag:         missing-element
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-element> : name of the missing element
 Description: An expected element is missing.
 Tag:         bad-element
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-element> : name of the element w/ bad value
 Description: An element value is not correct; e.g., wrong type,
              out of range, pattern mismatch.
 Tag:         unknown-element
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-element> : name of the unexpected element
 Description: An unexpected element is present.
 Tag:         unknown-namespace
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  <bad-element> : name of the element that contains
              the unexpected namespace
              <bad-namespace> : name of the unexpected namespace
 Description: An unexpected namespace is present.
 Tag:         access-denied
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  none
 Description: Access to the requested RPC, protocol operation,
              or data model is denied because authorization failed.
 Tag:         lock-denied
 Error-type:  protocol
 Severity:    error
 Error-info:  <session-id> : session ID of session holding the
              requested lock, or zero to indicate a non-NETCONF
              entity holds the lock
 Description: Access to the requested lock is denied because the
              lock is currently held by another entity.

Enns Standards Track [Page 71] RFC 4741 NETCONF Protocol December 2006

 Tag:         resource-denied
 Error-type:  transport, rpc, protocol, application
 Severity:    error
 Error-info:  none
 Description: Request could not be completed because of insufficient
              resources.
 Tag:         rollback-failed
 Error-type:  protocol, application
 Severity:    error
 Error-info:  none
 Description: Request to rollback some configuration change (via
              rollback-on-error or discard-changes operations) was
              not completed for some reason.
 Tag:         data-exists
 Error-type:  application
 Severity:    error
 Error-info:  none
 Description: Request could not be completed because the relevant
              data model content already exists. For example,
              a 'create' operation was attempted on data that
              already exists.
 Tag:         data-missing
 Error-type:  application
 Severity:    error
 Error-info:  none
 Description: Request could not be completed because the relevant
              data model content does not exist.  For example,
              a 'replace' or 'delete' operation was attempted on
              data that does not exist.
 Tag:         operation-not-supported
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  none
 Description: Request could not be completed because the requested
              operation is not supported by this implementation.
 Tag:         operation-failed
 Error-type:  rpc, protocol, application
 Severity:    error
 Error-info:  none
 Description: Request could not be completed because the requested
              operation failed for some reason not covered by
              any other error condition.

Enns Standards Track [Page 72] RFC 4741 NETCONF Protocol December 2006

 Tag:         partial-operation
 Error-type:  application
 Severity:    error
 Error-info:  <ok-element> : identifies an element in the data model
              for which the requested operation has been completed
              for that node and all its child nodes.  This element
              can appear zero or more times in the <error-info>
              container.
              <err-element> : identifies an element in the data model
              for which the requested operation has failed for that
              node and all its child nodes.  This element
              can appear zero or more times in the <error-info>
              container.
              <noop-element> : identifies an element in the data model
              for which the requested operation was not attempted for
              that node and all its child nodes.  This element
              can appear zero or more times in the <error-info>
              container.
 Description: Some part of the requested operation failed or was
              not attempted for some reason.  Full cleanup has
              not been performed (e.g., rollback not supported)
              by the server.  The error-info container is used
              to identify which portions of the application
              data model content for which the requested operation
              has succeeded (<ok-element>), failed (<bad-element>),
              or not been attempted (<noop-element>).

Enns Standards Track [Page 73] RFC 4741 NETCONF Protocol December 2006

Appendix B. XML Schema for NETCONF RPC and Protocol Operations

 BEGIN
 <?xml version="1.0" encoding="UTF-8"?>
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
            targetNamespace="urn:ietf:params:xml:ns:netconf:base:1.0"
            elementFormDefault="qualified"
            attributeFormDefault="unqualified"
            xml:lang="en">
   <!--
     import standard XML definitions
     -->
   <xs:import namespace="http://www.w3.org/XML/1998/namespace"
              schemaLocation="http://www.w3.org/2001/xml.xsd">
     <xs:annotation>
       <xs:documentation>
         This import accesses the xml: attribute groups for the
         xml:lang as declared on the error-message element.
       </xs:documentation>
     </xs:annotation>
   </xs:import>
   <!--
     message-id attribute
     -->
   <xs:simpleType name="messageIdType">
     <xs:restriction base="xs:string">
       <xs:maxLength value="4095"/>
     </xs:restriction>
   </xs:simpleType>
   <!--
     Types used for session-id
   -->
   <xs:simpleType name="SessionId">
     <xs:restriction base="xs:unsignedInt">
       <xs:minInclusive value="1"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="SessionIdOrZero">
     <xs:restriction base="xs:unsignedInt"/>
   </xs:simpleType>
   <!--
     <rpc> element
     -->
   <xs:complexType name="rpcType">
     <xs:sequence>
       <xs:element ref="rpcOperation"/>

Enns Standards Track [Page 74] RFC 4741 NETCONF Protocol December 2006

     </xs:sequence>
     <xs:attribute name="message-id" type="messageIdType"
       use="required"/>
     <!--
       Arbitrary attributes can be supplied with <rpc> element.
     -->
     <xs:anyAttribute processContents="lax"/>
   </xs:complexType>
   <xs:element name="rpc" type="rpcType"/>
   <!--
     data types and elements used to construct rpc-errors
     -->
   <xs:simpleType name="ErrorType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="transport"/>
       <xs:enumeration value="rpc"/>
       <xs:enumeration value="protocol"/>
       <xs:enumeration value="application"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="ErrorTag">
     <xs:restriction base="xs:string">
       <xs:enumeration value="in-use"/>
       <xs:enumeration value="invalid-value"/>
       <xs:enumeration value="too-big"/>
       <xs:enumeration value="missing-attribute"/>
       <xs:enumeration value="bad-attribute"/>
       <xs:enumeration value="unknown-attribute"/>
       <xs:enumeration value="missing-element"/>
       <xs:enumeration value="bad-element"/>
       <xs:enumeration value="unknown-element"/>
       <xs:enumeration value="unknown-namespace"/>
       <xs:enumeration value="access-denied"/>
       <xs:enumeration value="lock-denied"/>
       <xs:enumeration value="resource-denied"/>
       <xs:enumeration value="rollback-failed"/>
       <xs:enumeration value="data-exists"/>
       <xs:enumeration value="data-missing"/>
       <xs:enumeration value="operation-not-supported"/>
       <xs:enumeration value="operation-failed"/>
       <xs:enumeration value="partial-operation"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="ErrorSeverity">
     <xs:restriction base="xs:string">
       <xs:enumeration value="error"/>
       <xs:enumeration value="warning"/>
     </xs:restriction>

Enns Standards Track [Page 75] RFC 4741 NETCONF Protocol December 2006

   </xs:simpleType>
   <xs:complexType name="errorInfoType">
     <xs:sequence>
       <xs:choice>
         <xs:element name="session-id" type="SessionIdOrZero"/>
         <xs:sequence minOccurs="0" maxOccurs="unbounded">
           <xs:sequence>
             <xs:element name="bad-attribute" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
             <xs:element name="bad-element" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
             <xs:element name="ok-element" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
             <xs:element name="err-element" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
             <xs:element name="noop-element" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
             <xs:element name="bad-namespace" type="xs:QName"
               minOccurs="0" maxOccurs="1"/>
           </xs:sequence>
         </xs:sequence>
       </xs:choice>
       <!-- elements from any other namespace are also allowed
            to follow the NETCONF elements -->
       <xs:any namespace="##other"
         minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
   </xs:complexType>
   <xs:complexType name="rpcErrorType">
     <xs:sequence>
       <xs:element name="error-type" type="ErrorType"/>
       <xs:element name="error-tag" type="ErrorTag"/>
       <xs:element name="error-severity" type="ErrorSeverity"/>
       <xs:element name="error-app-tag" type="xs:string"
                   minOccurs="0"/>
       <xs:element name="error-path" type="xs:string" minOccurs="0"/>
       <xs:element name="error-message" minOccurs="0">
         <xs:complexType>
           <xs:simpleContent>
             <xs:extension base="xs:string">
               <xs:attribute ref="xml:lang" use="optional"/>
             </xs:extension>
           </xs:simpleContent>
         </xs:complexType>
       </xs:element>
       <xs:element name="error-info" type="errorInfoType"
         minOccurs="0"/>
     </xs:sequence>

Enns Standards Track [Page 76] RFC 4741 NETCONF Protocol December 2006

   </xs:complexType>
   <!--
     <rpc-reply> element
     -->
   <xs:complexType name="rpcReplyType">
     <xs:choice>
       <xs:element name="ok"/>
       <xs:group ref="rpcResponse"/>
     </xs:choice>
     <xs:attribute name="message-id" type="messageIdType"
       use="optional"/>
     <!--
       Any attributes supplied with <rpc> element must be returned
       on <rpc-reply>.
     -->
     <xs:anyAttribute processContents="lax"/>
   </xs:complexType>
   <xs:group name="rpcResponse">
     <xs:sequence>
       <xs:element name="rpc-error" type="rpcErrorType"
         minOccurs="0" maxOccurs="unbounded"/>
       <xs:element name="data" type="dataInlineType" minOccurs="0"/>
     </xs:sequence>
   </xs:group>
   <xs:element name="rpc-reply" type="rpcReplyType"/>
   <!--
     Type for <test-option> parameter to <edit-config>
     -->
   <xs:simpleType name="testOptionType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="test-then-set"/>
       <xs:enumeration value="set"/>
     </xs:restriction>
   </xs:simpleType>
   <!--
     Type for <error-option> parameter to <edit-config>
     -->
   <xs:simpleType name="errorOptionType">
     <xs:restriction base="xs:string">
       <xs:annotation>
         <xs:documentation>
           Use of the rollback-on-error value requires
           the :rollback-on-error capability.
         </xs:documentation>
       </xs:annotation>
       <xs:enumeration value="stop-on-error"/>
       <xs:enumeration value="continue-on-error"/>
       <xs:enumeration value="rollback-on-error"/>

Enns Standards Track [Page 77] RFC 4741 NETCONF Protocol December 2006

     </xs:restriction>
   </xs:simpleType>
   <!--
     rpcOperationType: used as a base type for all
     NETCONF operations
     -->
   <xs:complexType name="rpcOperationType"/>
   <xs:element name="rpcOperation"
               type="rpcOperationType" abstract="true"/>
   <!--
     Type for <config> element
     -->
   <xs:complexType name="configInlineType">
     <xs:complexContent>
       <xs:extension base="xs:anyType"/>
     </xs:complexContent>
   </xs:complexType>
   <!--
     Type for <data> element
     -->
   <xs:complexType name="dataInlineType">
     <xs:complexContent>
       <xs:extension base="xs:anyType"/>
     </xs:complexContent>
   </xs:complexType>
   <!--
     Type for <filter> element
     -->
   <xs:simpleType name="FilterType">
     <xs:restriction base="xs:string">
       <xs:annotation>
         <xs:documentation>
           Use of the xpath value requires the :xpath capability.
        </xs:documentation>
       </xs:annotation>
       <xs:enumeration value="subtree"/>
       <xs:enumeration value="xpath"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:complexType name="filterInlineType">
     <xs:complexContent>
       <xs:extension base="xs:anyType">
         <xs:attribute name="type"
                       type="FilterType" default="subtree"/>
         <!-- if type="xpath", the xpath expression
         appears in the select element -->
         <xs:attribute name="select"/>
       </xs:extension>

Enns Standards Track [Page 78] RFC 4741 NETCONF Protocol December 2006

     </xs:complexContent>
   </xs:complexType>
   <!--
     configuration datastore names
     -->
   <xs:annotation>
     <xs:documentation>
       The startup datastore can be used only if the :startup
       capability is advertised.  The candidate datastore can
       be used only if the :candidate datastore is advertised.
      </xs:documentation>
   </xs:annotation>
   <xs:complexType name="configNameType"/>
   <xs:element name="config-name"
               type="configNameType" abstract="true"/>
   <xs:element name="startup" type="configNameType"
               substitutionGroup="config-name"/>
   <xs:element name="candidate" type="configNameType"
               substitutionGroup="config-name"/>
   <xs:element name="running" type="configNameType"
               substitutionGroup="config-name"/>
   <!--
     operation attribute used in <edit-config>
     -->
   <xs:simpleType name="editOperationType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="merge"/>
       <xs:enumeration value="replace"/>
       <xs:enumeration value="create"/>
       <xs:enumeration value="delete"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:attribute name="operation"
                 type="editOperationType" default="merge"/>
   <!--
     <default-operation> element
     -->
   <xs:simpleType name="defaultOperationType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="merge"/>
       <xs:enumeration value="replace"/>
       <xs:enumeration value="none"/>
     </xs:restriction>
   </xs:simpleType>
   <!--
     <url> element
     -->
   <xs:complexType name="configURIType">

Enns Standards Track [Page 79] RFC 4741 NETCONF Protocol December 2006

     <xs:annotation>
       <xs:documentation>
         Use of the url element requires the :url capability.
       </xs:documentation>
     </xs:annotation>
     <xs:simpleContent>
       <xs:extension base="xs:anyURI"/>
     </xs:simpleContent>
   </xs:complexType>
   <!--
     Type for <source> element (except <get-config>)
     -->
   <xs:complexType name="rpcOperationSourceType">
     <xs:choice>
       <xs:element name="config" type="configInlineType"/>
       <xs:element ref="config-name"/>
       <xs:element name="url" type="configURIType"/>
     </xs:choice>
   </xs:complexType>
   <!--
     Type for <source> element in <get-config>
     -->
   <xs:complexType name="getConfigSourceType">
     <xs:choice>
       <xs:element ref="config-name"/>
       <xs:element name="url" type="configURIType"/>
     </xs:choice>
   </xs:complexType>
   <!--
     Type for <target> element
     -->
   <xs:complexType name="rpcOperationTargetType">
     <xs:choice>
       <xs:element ref="config-name"/>
       <xs:element name="url" type="configURIType"/>
     </xs:choice>
   </xs:complexType>
   <!--
     <get-config> operation
     -->
   <xs:complexType name="getConfigType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="source"
                       type="getConfigSourceType"/>
           <xs:element name="filter"
                       type="filterInlineType" minOccurs="0"/>

Enns Standards Track [Page 80] RFC 4741 NETCONF Protocol December 2006

         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="get-config" type="getConfigType"
               substitutionGroup="rpcOperation"/>
   <!--
     <edit-config> operation
     -->
   <xs:complexType name="editConfigType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:annotation>
             <xs:documentation>
               Use of the test-option element requires the
               :validate capability.  Use of the url element
               requires the :url capability.
             </xs:documentation>
           </xs:annotation>
           <xs:element name="target"
                       type="rpcOperationTargetType"/>
           <xs:element name="default-operation"
                       type="defaultOperationType"
                       minOccurs="0"/>
           <xs:element name="test-option"
                       type="testOptionType"
                       minOccurs="0"/>
           <xs:element name="error-option"
                       type="errorOptionType"
                       minOccurs="0"/>
           <xs:choice>
             <xs:element name="config"
                         type="configInlineType"/>
             <xs:element name="url"
                         type="configURIType"/>
           </xs:choice>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="edit-config" type="editConfigType"
               substitutionGroup="rpcOperation"/>
   <!--
     <copy-config> operation
     -->
   <xs:complexType name="copyConfigType">
     <xs:complexContent>

Enns Standards Track [Page 81] RFC 4741 NETCONF Protocol December 2006

       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="target" type="rpcOperationTargetType"/>
           <xs:element name="source" type="rpcOperationSourceType"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="copy-config" type="copyConfigType"
               substitutionGroup="rpcOperation"/>
   <!--
     <delete-config> operation
     -->
   <xs:complexType name="deleteConfigType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="target" type="rpcOperationTargetType"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="delete-config" type="deleteConfigType"
               substitutionGroup="rpcOperation"/>
   <!--
     <get> operation
     -->
   <xs:complexType name="getType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="filter"
                       type="filterInlineType" minOccurs="0"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="get" type="getType"
               substitutionGroup="rpcOperation"/>
   <!--
     <lock> operation
     -->
   <xs:complexType name="lockType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="target"
                       type="rpcOperationTargetType"/>

Enns Standards Track [Page 82] RFC 4741 NETCONF Protocol December 2006

         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="lock" type="lockType"
               substitutionGroup="rpcOperation"/>
   <!--
     <unlock> operation
     -->
   <xs:complexType name="unlockType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="target" type="rpcOperationTargetType"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="unlock" type="unlockType"
               substitutionGroup="rpcOperation"/>
   <!--
     <validate> operation
     -->
   <xs:complexType name="validateType">
     <xs:annotation>
       <xs:documentation>
         The validate operation requires the :validate capability.
       </xs:documentation>
     </xs:annotation>
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="source" type="rpcOperationSourceType"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="validate" type="validateType"
               substitutionGroup="rpcOperation"/>
   <!--
     <commit> operation
     -->
   <xs:simpleType name="confirmTimeoutType">
     <xs:restriction base="xs:unsignedInt">
       <xs:minInclusive value="1"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:complexType name="commitType">

Enns Standards Track [Page 83] RFC 4741 NETCONF Protocol December 2006

     <xs:annotation>
       <xs:documentation>
         The commit operation requires the :candidate capability.
       </xs:documentation>
     </xs:annotation>
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:annotation>
             <xs:documentation>
               Use of the confirmed and confirm-timeout elements
               requires the :confirmed-commit capability.
             </xs:documentation>
           </xs:annotation>
           <xs:element name="confirmed" minOccurs="0"/>
           <xs:element name="confirm-timeout"
                       type="confirmTimeoutType"
                       minOccurs="0"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="commit" type="commitType"
               substitutionGroup="rpcOperation"/>
   <!--
     <discard-changes> operation
     -->
   <xs:complexType name="discardChangesType">
     <xs:annotation>
       <xs:documentation>
         The discard-changes operation requires the
         :candidate capability.
       </xs:documentation>
     </xs:annotation>
     <xs:complexContent>
       <xs:extension base="rpcOperationType"/>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="discard-changes"
               type="discardChangesType"
               substitutionGroup="rpcOperation"/>
   <!--
     <close-session> operation
     -->
   <xs:complexType name="closeSessionType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType"/>
     </xs:complexContent>

Enns Standards Track [Page 84] RFC 4741 NETCONF Protocol December 2006

   </xs:complexType>
   <xs:element name="close-session" type="closeSessionType"
               substitutionGroup="rpcOperation"/>
   <!--
     <kill-session> operation
     -->
   <xs:complexType name="killSessionType">
     <xs:complexContent>
       <xs:extension base="rpcOperationType">
         <xs:sequence>
           <xs:element name="session-id"
                       type="SessionId" minOccurs="1"/>
         </xs:sequence>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <xs:element name="kill-session" type="killSessionType"
               substitutionGroup="rpcOperation"/>
   <!--
     <hello> element
     -->
   <xs:element name="hello">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="capabilities">
           <xs:complexType>
             <xs:sequence>
               <xs:element name="capability" type="xs:anyURI"
                 maxOccurs="unbounded"/>
             </xs:sequence>
           </xs:complexType>
         </xs:element>
         <xs:element name="session-id"
                     type="SessionId" minOccurs="0"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
 </xs:schema>
 END

Enns Standards Track [Page 85] RFC 4741 NETCONF Protocol December 2006

Appendix C. Capability Template

C.1. capability-name (template)

C.1.1. Overview

C.1.2. Dependencies

C.1.3. Capability Identifier

 The {name} capability is identified by the following capability
 string:
    {capability uri}

C.1.4. New Operations

C.1.4.1. <op-name>

C.1.5. Modifications to Existing Operations

C.1.5.1. <op-name>

 If existing operations are not modified by this capability, this
 section may be omitted.

C.1.6. Interactions with Other Capabilities

 If this capability does not interact with other capabilities, this
 section may be omitted.

Enns Standards Track [Page 86] RFC 4741 NETCONF Protocol December 2006

Appendix D. Configuring Multiple Devices with NETCONF

D.1. Operations on Individual Devices

 Consider the work involved in performing a configuration update
 against a single individual device.  In making a change to the
 configuration, the application needs to build trust that its change
 has been made correctly and that it has not impacted the operation of
 the device.  The application (and the application user) should feel
 confident that their change has not damaged the network.
 Protecting each individual device consists of a number of steps:
 o  Acquiring the configuration lock.
 o  Loading the update.
 o  Validating the incoming configuration.
 o  Checkpointing the running configuration.
 o  Changing the running configuration.
 o  Testing the new configuration.
 o  Making the change permanent (if desired).
 o  Releasing the configuration lock.
 Let's look at the details of each step.

D.1.1. Acquiring the Configuration Lock

 A lock should be acquired to prevent simultaneous updates from
 multiple sources.  If multiple sources are affecting the device, the
 application is hampered in both testing of its change to the
 configuration and in recovery should the update fail.  Acquiring a
 short-lived lock is a simple defense to prevent other parties from
 introducing unrelated changes.
 The lock can be acquired using the <lock> operation.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <lock>
       <target>
         <running/>
       </target>

Enns Standards Track [Page 87] RFC 4741 NETCONF Protocol December 2006

     </lock>
   </rpc>

D.1.2. Loading the Update

 The configuration can be loaded onto the device without impacting the
 running system.  If the :url capability is supported and lists "file"
 as a supported scheme, incoming changes can be placed in a local
 file.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <copy-config>
       <target>
         <url>file://incoming.conf</url>
       </target>
       <source>
         <config>
           <!-- place incoming configuration here -->
         </config>
       </source>
     </copy-config>
   </rpc>
 If the :candidate capability is supported, the candidate
 configuration can be used.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <candidate/>
       </target>
       <config>
         <!-- place incoming configuration here -->
       </config>
     </edit-config>
   </rpc>
 If the update fails, the user file can be deleted using the
 <delete-config> operation, or the candidate configuration can be
 reverted using the <discard-changes> operation.

Enns Standards Track [Page 88] RFC 4741 NETCONF Protocol December 2006

D.1.3. Validating the Incoming Configuration

 Before the incoming configuration is applied, validating it is often
 useful.  Validation allows the application to gain confidence that
 the change will succeed and simplifies recovery if it does not.
 If the device supports the :url capability and lists "file" as a
 supported scheme, use the <validate> operation with the <source>
 parameter set to the proper user file:
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <validate>
       <source>
         <url>file://incoming.conf</url>
       </source>
     </validate>
   </rpc>
 If the device supports the :candidate capability, some validation
 will be performed as part of loading the incoming configuration into
 the candidate.  For full validation, either pass the <validate>
 parameter during the <edit-config> step given above, or use the
 <validate> operation with the <source> parameter set to <candidate>.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <validate>
       <source>
         <candidate/>
       </source>
     </validate>
   </rpc>

D.1.4. Checkpointing the Running Configuration

 The running configuration can be saved into a local file as a
 checkpoint before loading the new configuration.  If the update
 fails, the configuration can be restored by reloading the checkpoint
 file.
 The checkpoint file can be created using the <copy-config> operation.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <copy-config>
       <target>
         <url>file://checkpoint.conf</url>

Enns Standards Track [Page 89] RFC 4741 NETCONF Protocol December 2006

       </target>
       <source>
         <running/>
       </source>
     </copy-config>
   </rpc>
 To restore the checkpoint file, reverse the source and target
 parameters.

D.1.5. Changing the Running Configuration

 When the incoming configuration has been safely loaded onto the
 device and validated, it is ready to impact the running system.
 If the device supports the :url capability and lists "file" as a
 supported scheme, use the <edit-config> operation to merge the
 incoming configuration into the running configuration.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <edit-config>
       <target>
         <running/>
       </target>
       <config>
         <url>file://incoming.conf</url>
       </config>
     </edit-config>
   </rpc>
 If the device supports the :candidate capability, use the <commit>
 operation to set the running configuration to the candidate
 configuration.  Use the <confirmed> parameter to allow automatic
 reversion to the original configuration if connectivity to the device
 fails.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <commit>
       <confirmed/>
       <confirm-timeout>120</confirm-timeout>
     </commit>
   </rpc>

Enns Standards Track [Page 90] RFC 4741 NETCONF Protocol December 2006

D.1.6. Testing the New Configuration

 Now that the incoming configuration has been integrated into the
 running configuration, the application needs to gain trust that the
 change has affected the device in the way intended without affecting
 it negatively.
 To gain this confidence, the application can run tests of the
 operational state of the device.  The nature of the test is dependent
 on the nature of the change and is outside the scope of this
 document.  Such tests may include reachability from the system
 running the application (using ping), changes in reachability to the
 rest of the network (by comparing the device's routing table), or
 inspection of the particular change (looking for operational evidence
 of the BGP peer that was just added).

D.1.7. Making the Change Permanent

 When the configuration change is in place and the application has
 sufficient faith in the proper function of this change, the
 application should make the change permanent.
 If the device supports the :startup capability, the current
 configuration can be saved to the startup configuration by using the
 startup configuration as the target of the <copy-config> operation.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <copy-config>
       <target>
         <startup/>
       </target>
       <source>
         <running/>
       </source>
     </copy-config>
   </rpc>
 If the device supports the :candidate capability and a confirmed
 commit was requested, the confirming commit must be sent before the
 timeout expires.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <commit/>
   </rpc>

Enns Standards Track [Page 91] RFC 4741 NETCONF Protocol December 2006

D.1.8. Releasing the Configuration Lock

 When the configuration update is complete, the lock must be released,
 allowing other applications access to the configuration.
 Use the <unlock> operation to release the configuration lock.
   <rpc message-id="101"
        xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <unlock>
       <target>
         <running/>
       </target>
     </unlock>
   </rpc>

D.2. Operations on Multiple Devices

 When a configuration change requires updates across a number of
 devices, care should be taken to provide the required transaction
 semantics.  The NETCONF protocol contains sufficient primitives upon
 which transaction-oriented operations can be built.  Providing
 complete transactional semantics across multiple devices is
 prohibitively expensive, but the size and number of windows for
 failure scenarios can be reduced.
 There are two classes of multi-device operations.  The first class
 allows the operation to fail on individual devices without requiring
 all devices to revert to their original state.  The operation can be
 retried at a later time, or its failure simply reported to the user.
 An example of this class might be adding an NTP server.  For this
 class of operations, failure avoidance and recovery are focused on
 the individual device.  This means recovery of the device, reporting
 the failure, and perhaps scheduling another attempt.
 The second class is more interesting, requiring that the operation
 should complete on all devices or be fully reversed.  The network
 should either be transformed into a new state or be reset to its
 original state.  For example, a change to a VPN may require updates
 to a number of devices.  Another example of this might be adding a
 class-of-service definition.  Leaving the network in a state where
 only a portion of the devices have been updated with the new
 definition will lead to future failures when the definition is
 referenced.
 To give transactional semantics, the same steps used in single device
 operations listed above are used, but are performed in parallel
 across all devices.  Configuration locks should be acquired on all

Enns Standards Track [Page 92] RFC 4741 NETCONF Protocol December 2006

 target devices and kept until all devices are updated and the changes
 made permanent.  Configuration changes should be uploaded and
 validation performed across all devices.  Checkpoints should be made
 on each device.  Then the running configuration can be changed,
 tested, and made permanent.  If any of these steps fail, the previous
 configurations can be restored on any devices upon which they were
 changed.  After the changes have been completely implemented or
 completely discarded, the locks on each device can be released.

Appendix E. Deferred Features

 The following features have been deferred until a future revision of
 this document.
 o  Granular locking of configuration objects.
 o  Named configuration files/datastores.
 o  Support for multiple NETCONF channels.
 o  Asynchronous notifications.
 o  Explicit protocol support for rollback of configuration changes to
    prior versions.

Enns Standards Track [Page 93] RFC 4741 NETCONF Protocol December 2006

Editor's Address

 Rob Enns
 Juniper Networks
 1194 North Mathilda Ave
 Sunnyvale, CA  94089
 US
 EMail: rpe@juniper.net

Enns Standards Track [Page 94] RFC 4741 NETCONF Protocol December 2006

Full Copyright Statement

 Copyright (C) The IETF Trust (2006).
 This document is subject to the rights, licenses and restrictions
 contained in BCP 78, and except as set forth therein, the authors
 retain all their rights.
 This document and the information contained herein are provided on an
 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
 AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
 THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
 IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
 PURPOSE.

Intellectual Property

 The IETF takes no position regarding the validity or scope of any
 Intellectual Property Rights or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; nor does it represent that it has
 made any independent effort to identify any such rights.  Information
 on the procedures with respect to rights in RFC documents can be
 found in BCP 78 and BCP 79.
 Copies of IPR disclosures made to the IETF Secretariat and any
 assurances of licenses to be made available, or the result of an
 attempt made to obtain a general license or permission for the use of
 such proprietary rights by implementers or users of this
 specification can be obtained from the IETF on-line IPR repository at
 http://www.ietf.org/ipr.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights that may cover technology that may be required to implement
 this standard.  Please address the information to the IETF at
 ietf-ipr@ietf.org.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Enns Standards Track [Page 95]

/data/webs/external/dokuwiki/data/pages/rfc/rfc4741.txt · Last modified: 2006/12/13 01:10 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki