Restconf and HTTP Transport for Event Notifications

Mechanisms to support Event subscription and push are defined in . Enhancements to which enable YANG Datastore subscription and push are defined in . This document provides a transport specification for these Restconf and HTTP. This has been driven by Requirements for subscriptions to YANG datastores are defined in . Beyond based transport bindings, there are benefits which can be realized when transporting updates directly HTTP/2 which can be realized via an implementation of this transport specification including: Subscription multiplexing over independent HTTP/2 streams Stream prioritization and stream dependencies Flow control on independent streams

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Configured Subscription: a Subscription installed via a configuration interface which persists across reboots. Data Node: An instance of management information in a datastore. Data Node Update: A data item containing the current value/property of a Data Node at the time the Data Node Update was created. Dynamic Subscription: a Subscription negotiated between Subscriber and Publisher via create, establish, modify, and delete RPC control plane signaling messages. Event: an occurrence of something that may be of interest. (e.g., a configuration change, a fault, a change in status, crossing a threshold, status of a flow, or an external input to the system.) Event Notification: a set of information intended for a Receiver indicating that one or more Event(s) have occurred. Details of the Event(s) may be included within. Event Stream: a continuous, ordered set of Events grouped under an explicit criteria. Notification: the communication of an occurrence, perhaps triggered by the occurrence of an Event. Publisher: an entity responsible for streaming Event Notifications per the terms of a Subscription. Receiver: a target to which a Publisher pushes Event Notifications. For Dynamic Subscriptions, the Receiver and Subscriber will often be the same entity. Subscriber: an entity able to request and negotiate a contract for the receipt of Event Notifications from a Publisher Subscription: a contract between a Subscriber and a Publisher stipulating which information the Receiver wishes to have pushed from the Publisher without the need for further solicitation.

Event subscription is defined in , YANG Datastore subscription is defined in . This section specifies transport mechanisms applicable to both.

There are three models for Subscription establishment and maintenance: Dynamic Subscription: Here the Subscriber and Receiver are the same. A Subscription ends with a subscription-terminated notification, or by a loss of transport connectivity. Configured Subscription: Receiver(s) are specified on Publisher in startup and running config. Subscription is not terminated except via an operations interface. (Subscriptions may be Suspended, with no Event Notifications sent however.) Proxy Subscription: Subscriber and Receiver are different. Subscription ends when a Subscription End-time is reached, or the Publisher process is restarted. The real difference between 2 and 3 is that configuration requests are made to RPCs which might evaluate run-time conditions much like in 1. Typically direct configuration via 2 will not go through the same sort of capacity and validation checks seen in 1. The first two are described in this section. The third is described in . This third option can be moved into the body of this specification should the IETF community desire. In theory, all three models may be intermixed in a single deployment.

Dynamic Subscriptions for both and its augmentations are configured and managed via signaling messages transported over Restconf. Extending the paradigm of [restconf] section 6.3.1, it must support the encoding and transport query parameters corresponding to the YANG model for subscriptions defined in [RFC5277bis] and [Yang-Push]. These interactions will be accomplished via the typical POST into Success of the RPC interaction will be indicated by HTTP status codes of 20x being returned by the Publisher, failure will be indicated by error codes transported in payload, as well as the return of negotiation parameters. Once established, streaming Event Notifications are then delivered via Restconf SSE (assuming issue RT8 is reloved, see appx). As they are successfully received, HTTP status codes of 20x will be returned by the Receiver.

With a Configured Subscription, all information needed to establish a secure relationship with that Receiver is configured on the Publisher. With this information, the Publisher will establish a secure transport connection with the Receiver and then begin pushing the Event Notifications to the Receiver. Since Restconf might not exist on the Receiver, it is not desirable to require that such Event Notifications be pushed via Restconf. Nor is there value which Restconf provides on top of HTTP. Therefore in place of Restconf, a TLS secured HTTP Client connection must be established with an HTTP Server located on the Receiver. Event Notifications will then be sent via HTTP Post messages to the Receiver. Post messages will be addressed to HTTP augmentation code on the Receiver capable of accepting and responding to Event Notifications. Some Post messages must include the URI for the subscribed resource. This URI can be retained for operational tracking and debugging use by the Receiver. After successful receipt of an initial Event Notification for a particular Subscription, the Reciever should reply back with an HTTP status code of 201 (Created). Further successful receipts should result in the return of code of 200 (Accepted). To ensure the Receiver always has the URI, it should also be sent in the next push update for a Subscription after any status code of 201 (Created) has been returned from the Receiver. At any point, receipt of any status codes from 300-510 with the exception of 408 (Request Timeout) should result in either the movement of the Subscription to the suspended state, or cause the HTTP session to fail (need to determine appropriate action). A sequential series of multiple 408 exceptions should also drive the Subscription to a suspended state. If a suspension occurs, a POST including a subscription Id and URI post-pended with a Suspended indication (format tbd) must be sent. Figure 2 depicts this message flow.

| | | |HTTP POST (Sub ID, data1) | |------------------------------>| | HTTP 201 (Created)| |<------------------------------| |HTTP POST (Sub ID, URI, data2) | |------------------------------>| | HTTP 200 (OK)| |<------------------------------| | data3 | |<----------------------------->| ]]> If HTTP/2 transport is available to a Receiver, the Publisher should also: point individual Event Notifications to a unique HTTP/2 stream for that Subscription, take any subscription-priority and provision it into the HTTP/2 stream priority, and take any subscription-dependency and provision it into the HTTP/2 stream dependency.

When pushed directly over HTTP/2, it is expected that the Event Notifications from a single Subscription will be allocated a separate HTTP/2 stream. This will enable multiplexing, and address issues of Head-of-line blocking with different priority Subscriptions. When pushed via Restconf over HTTP/2, different Subscriptions will not be mapped to independent HTTP/2 streams. When Restconf specifies this mapping, support may be appended on top of this specification. With or without independent queueing of multiplexed subscriptions, it is possible that updates might be delivered in a different sequence than generated. Reasons for this might include (but are not limited to): replay of pushed updates temporary loss of transport connectivity, with update buffering and different dequeuing priorities per Subscription population, marshalling and bundling of independent Subscription Updates, and parallel HTTP1.1 sessions Therefore each Event Notification will include a microsecond level timestamp to ensure that a Receiver understands the time when a that update was generated. Use of this timestamp can give an indication of the state of objects at a Publisher when state-entangled information is received across different subscriptions. The use of the latest Event Notification timestamp for a particular object update can introduce errors. So when state-entangled updates have inconsistent object values and temporally close timestamps, a Receiver might consider performing a ‘get’ to validate the current state of a Publisher.

Transported updates will contain data for one or more Event Notifications. Each transported Event Notification will contain several parameters: A Subscription ID correlator Event Notification(s) . (Note 1: These must be filtered per access control rules to contain only data that the Subscriber is authorized to see. Note 2: these Event Notifications might be Data Node Update(s).) A timestamp indication when the Event Notification was generated on the Publisher. The timestamp must correspond to a time where any Data Nodes included in the Update held the values/state indicated within the Update.

Subscribers can dynamically learn whether a RESTCONF server supports various types of Event or Yang datastore subscription capabilities. This is done by issuing an HTTP request OPTIONS, HEAD, or GET on the stream. Some examples building upon the existing RESTCONF mechanisms are below:

If the server supports it, it may respond

yang-push Yang push stream xml https://example.com/streams/yang-push-xml json https://example.com/streams/yang-push-json ]]> If the server does not support any form of subscription, it may respond

Subscribers can determine the URL to receive updates by sending an HTTP GET as a request for the "location" leaf with the stream list entry.The stream to use for may be selected from the Event Stream list provided in the capabilities exchange. Note that different encodings are supporting using different Event Stream locations. For example, the Subscriber might send the following request:

The Publisher might send the following response:

https://example.com/streams/yang-push-xml ]]> To subscribe and start receiving updates, the subscriber can then send an HTTP GET request for the URL returned by the Publisher in the request above. The accept header must be "text/event-stream". The Publisher uses the Server Sent Events transport strategy to push filtered Event Notifications from the Event stream,. The Publisher MUST support individual parameters within the POST request body for all the parameters of a subscription. The only exception is the encoding, which is embedded in the URI. An example of this is:

Should the publisher not support the requested subscription, it may reply:

application

operation-not-supported

error

Xpath filters not supported

with an equivalent JSON encoding representation of: HTTP/1.1 501 Not Implemented Date: Mon, 23 Apr 2012 17:11:00 GMT Server: example-server Content-Type: application/yang.errors+json { "ietf-restconf:errors": { "error": { "error-type": "protocol", "error-tag": "operation-not-supported", "error-message": "Xpath filters not supported." "error-info": { "datastore-push:supported-subscription": { "subtree-filter": [null] } } } } } ]]> The following is an example of a pushed Event Notification data for the subscription above. It contains a subtree with root foo that contains a leaf called bar:

my-sub

2015-03-09T19:14:56Z

some_string

]]> Or with the equivalent YANG over JSON encoding representation as defined in :

To modify a Subscription, the subscriber issues another POST request on the provided URI using the same subscription-id as in the original request. For example, to modify the update period to 10 seconds, the subscriber may send:

To delete a Subscription, the Subscriber issues a DELETE request on the provided URI using the same subscription-id as in the original request

For any version of HTTP, the basic encoding will look as below. It consists of a JSON representation wrapped in an HTTP header.

For Restconf, this will be accomplished as specified in [Restconf] section 6.2. The namespace chosen will be the same as how stream names are acquired for NETCONF, and so that backwards compatibility can be maintained without replicating this information. For HTTP, this is not specified as there is no client driven signaling/subscription. As per [restconf] section 6.3, RESTCONF clients can determine the URL for the subscription resource (to receive notifications) by sending an HTTP GET request for the "location" leaf with the stream list entry.

Subscriptions could be used to intentionally or accidentally overload resources of a Publisher. For this reason, it is important that the Publisher has the ability to prioritize the establishment and push of Event Notifications where there might be resource exhaust potential. In addition, a server needs to be able to suspend existing Subscriptions when needed. When this occurs, the subscription status must be updated accordingly and the Receivers notified. A Subscription could be used to attempt retrieve information for which a Receiver has no authorized access. Therefore it is important that data pushed via a Subscription is authorized equivalently with regular data retrieval operations. Data being pushed to a Receiver needs therefore to be filtered accordingly, just like if the data were being retrieved on-demand. The Netconf Authorization Control Model applies even though the transport is not NETCONF. One or more Publishers could be used to overwhelm a Receiver which doesn’t even support Subscriptions. Therefore Event Notifications for Configured Subscriptions MUST only be transmittable over Encrypted transports. Clients which do not want pushed Event Notifications need only terminate or refuse any transport sessions from the Publisher. One or more Publishers could overwhelm a Receiver which is unable to control or handle the volume of Event Notifications received. In deployments where this might be a concern, transports supporting per-subscription Flow Control and Prioritization (such as HTTP/2) should be selected. Another benefit is that a well-behaved Publisher implementation is that it is difficult to a Publisher to perform a DoS attack on a Receiver. DoS attack protection comes from: the requirement for trust of a TLS session before publication, the need for an HTTP transport augmentation on the Receiver, and that the Publication process is suspended when the Receiver doesn’t respond.

We wish to acknowledge the helpful contributions, comments, and suggestions that were received from: Andy Bierman, Sharon Chisholm, Yan Gang, Peipei Guo, Susan Hares, Tim Jenkins, Balazs Lengyel, Hector Trevino, Kent Watsen, and Guangying Zheng.

RESTCONF Protocol Subscribing to YANG datastore push updates Cisco Cisco



      
        
          NETCONF Event Notifications

          
            Cisco

            
              
                

                

                

                

                
              

              

              

              

              
            

          

          
            Cisco
          

          
            Cisco

            
              
                

                

                

                

                
              

              

              

              

              
            

          

          
            Cisco

            
              
                

                

                

                

                
              

              

              

              

              
            

          

          
            Cisco

            
              
                

                

                

                

                
              

              

              

              

              
            

          

          
        
      

      
        
          JSON Encoding of Data Modeled with YANG

          
            
          

          
        
      

      
        
          Server-Sent Events, World Wide Web Consortium CR
          CR-eventsource-20121211

          
            
          

          
        
      

      
        
          NETCONF Call Home and RESTCONF Call Home



    
      The properties of Dynamic and Configured Subscriptions can be
      combined to enable deployment models where the Subscriber and Receiver
      are different. Such separation can be useful with some combination
      of:

      
          An operator doesn’t want the subscription to be dependent
          on the maintenance of transport level keep-alives. (Transport
          independence provides different scalability characteristics.)

          There is not a transport session binding, and a transient
          Subscription needs to survive in an environment where there is
          unreliable connectivity with the Receiver and/or Subscriber.

          An operator wants the Publisher to include highly restrictive
          capacity management and Subscription security mechanisms outside of
          domain of existing operational or programmatic interfaces.
        To build a Proxy Subscription, first the necessary information
      must be signaled as part of the <establish-subscription>. Using
      this set of Subscriber provided information; the same process described
      within section 3 will be followed. There is one exception. When an HTTP
      status code is 201 is received by the Publisher, it will inform the
      Subscriber of Subscription establishment success via its Restconf
      connection.

      

      After a successful establishment, if the Subscriber wishes to track
      the state of Receiver subscriptions, it may choose to place a separate
      on-change Subscription into the "Subscriptions" subtree of the YANG
      Datastore on the Publisher.

      Putting it all together, the message flow is:

      
        |                              |
        |------------------------>|                              |
        |                         |                              |
        |                         |<-----------TLS-------------->|
        |                         |                              |
        |                         |HTTP POST (Sub ID, data1)     |
        |                         |----------------------------->|
        |                         |            HTTP 201 (Created)|
        |                         |<-----------------------------|
        |        Success: HTTP 204|                              |
        |<------------------------|                              |
        |                         |HTTP POST (SubID, URI, data2) |
        |                         |----------------------------->|
        |                         |                 HTTP 200 (OK)|
        |                         |<-----------------------------|
        |                         |              data3           |
        |                         |<---------------------------->|
        |                         |                              |
]]>
      

      
    

    
      Several technologies are expected to be seen within a deployment to
      achieve security and ease-of-use requirements. These are not necessary
      for an implementation of this specification, but will be useful to
      consider when considering the operational context.

      

      
        Pub/Sub implementations should have the ability to transparently
        incorporate lower layer technologies such as Call Home so that secure
        TLS connections are always originated from the Publisher. There is a
        Restconf Call home function in . For
        security reasons, this should be implemented when applicable.

        
      

      
        Unlike NETCONF, HTTP sessions might not quickly allow a Subscriber
        to recognize when the communication path has been lost from the
        Publisher. To recognize this, it is possible for a Receiver (usually
        the subscriber) to establish a TLS heartbeat .
        In the case where a TLS heartbeat is included, it should be sent just
        from Receiver to Publisher. Loss of the heartbeat should result in the
        Subscription being terminated with the Subscriber (even when the
        Subscriber and Receiver are different). The Subscriber can then
        attempt to re-establish the subscription if desired. If the
        Subscription remains active on the Publisher, future receipt of
        objects associated with that (or any other unknown) subscription ID
        should result in a <delete-subscription> being returned to the
        Publisher from the Receiver.

        
      
    

    
      (To be removed by RFC editor prior to publication)

      
        

        RT2 - In what way to we position “Event notifications”
        model in this document vs. current solution in Restconf.

        RT3 - Do we include 3rd party signaled subscriptions within models
        that need to be supported generically, or for a particular type of
        transport.

        RT8 - Once SSE starts, there will be no more Restconf
        interpretation of further signaling upon the connection. It is unclear
        how this can be made to work with modify and delete subscription. If
        it cannot, a method of sending events without SSE will be needed,
        although this would diverge from the existing Restconf mechanisms
      

      
        RT1 - Integration specifics for Restconf capability discovery on
        different types of Streams

        RT4 - Need to add into document examples of 5277bis Event streams.
        Document only includes yang-push examples at this point.

        RT6 - We need to define encodings of rfc5277bis notifications for
        both Restconf and HTTP.

        RT7 - HTTP native option doesn’t currently use SSE. But we
        should evaluate moving to that as possible. It will make development
        integration easier and more consistent.

        RT9 - For static subscriptions, perhaps we can use Restconf call
        home to originate an SSE connection. This assume RT8 & RT2 can be
        resolved with SSE.
      

      
        

        RT5 - Doesn’t make sense to use Restconf for Configured
        subscriptions. HTTP will be used.