Cisco Systems

evoit@cisco.com

Cisco Systems

rrahman@cisco.com

Cisco Systems

einarnn@cisco.com

Huawei

ludwig@clemm.org

YumaWorks

andy@yumaworks.com

Operations & Management NETCONF Draft This document provides a RESTCONF binding to the dynamic subscription capability of both subscribed notifications and YANG-Push.

Mechanisms to support event subscription and push are defined in . Enhancements to which enable YANG datastore subscription and push are defined in . This document provides a transport specification for dynamic subscriptions over RESTCONF . Driving these requirements is . The streaming of notifications encapsulating the resulting information push is done via the mechanism described in section 6.3 of .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. The following terms use the definitions from : dynamic subscription, event stream, notification message, publisher, receiver, subscriber, and subscription. Other terms reused include datastore, which is defined in , and HTTP2 stream which maps to the definition of "stream" within , Section 2. [ note to the RFC Editor - please replace XXXX within this document with the number of this document ]

This section provides specifics on how to establish and maintain dynamic subscriptions over RESTCONF . Subscribing to event streams is accomplished in this way via RPCs defined within Section 2.4, the RPCs are done via RESTCONF POSTs. YANG datastore subscription is accomplished via augmentations to as described within Section 4.4. As described in Section 6.3, a GET needs to be made against a specific URI on the publisher. Subscribers cannot pre-determine the URI against which a subscription might exist on a publisher, as the URI will only exist after the "establish-subscription" RPC has been accepted. Therefore, the POST for the "establish-subscription" RPC replaces the GET request for the "location" leaf which is used in to obtain the URI. The subscription URI will be determined and sent as part of the response to the "establish-subscription" RPC, and a subsequent GET to this URI will be done in order to start the flow of notification messages back to the subscriber. A subscription does not move to the active state as per Section 2.4.1. of until the GET is received.

For a dynamic subscription, where a RESTCONF session doesn't already exist, a new RESTCONF session is initiated from the subscriber. As stated in Section 2.1 of , a subscriber MUST establish the HTTP session over TLS in order to secure the content in transit. Without the involvement of additional protocols, HTTP sessions by themselves do not allow for a quick recognition of when the communication path has been lost with the publisher. Where quick recognition of the loss of a publisher is required, a subscriber SHOULD use a TLS heartbeat , just from receiver to publisher, to track HTTP session continuity. Loss of the heartbeat MUST result in any subscription related TCP sessions between those endpoints being torn down. A subscriber can then attempt to re-establish the dynamic subscription by using the procedure described in .

Subscribers can learn what event streams a RESTCONF server supports by querying the "streams" container of ietf-subscribed-notification.yang in . Support for the "streams" container of ietf-restconf-monitoring.yang in is not required. Subscribers can learn what datastores a RESTCONF server supports by following .

Specific HTTP responses codes as defined in section 6 will indicate the result of RESTCONF RPC requests with publisher. An HTTP status code of 200 is the proper response to any successful RPC defined within or . If a publisher fails to serve the RPC request for one of the reasons indicated in Section 2.4.6 or Appendix A, this will be indicated by "406" status code transported in the HTTP response. When a "406" status code is returned, the RPC reply MUST include an "rpc-error" element per Section 7.1 with the following parameter values: an "error-type" node of "application". an "error-tag" node of "operation-failed". an "error-app-tag" node with the value being a string that corresponds to an identity associated with the error, as defined in section 2.4.6 for general subscriptions, and Appendix A.1, for datastore subscriptions. The tag to use depends on the RPC for which the error occurred. Viable errors for different RPCs are as follows:

Each error identity will be inserted as the "error-app-tag" using JSON encoding following the form <modulename>:<identityname>. An example of such as valid encoding would be "ietf-subscribed-notifications:no-such-subscription". In case of error responses to an "establish-subscription" or "modify-subscription" request there is the option of including an "error-info" node. This node may contain hints for parameter settings that might lead to successful RPC requests in the future. Following are the yang-data structures which may be returned:

Note that "error-path" does not need to be included with the "rpc-error" element, as subscription errors are generally associated with the choice of RPC input parameters.

The call flow is defined in . The logical connections denoted by (a) and (b) can be a TCP connection or an HTTP2 stream (multiple HTTP2 streams can be carried in one TCP connection). Requests to or augmented RPCs are sent on a connection indicated by (a). A successful "establish-subscription" will result in an RPC response returned with both a subscription identifier which uniquely identifies a subscription, as well as a URI which uniquely identifies the location of subscription on the publisher (b). This URI is defined via the "uri" leaf the Data Model in . An HTTP GET is then sent on a separate logical connection (b) to the URI on the publisher. This initiates the publisher to initiate the flow of notification messages which are sent in SSE as a response to the GET.

| | HTTP 200 OK (ID,URI)| |<---------------------------------------------| | |HTTP GET (URI) | | |--------------------------------------------->| | | HTTP 200 OK| | |<---------------------------------------------| | | SSE (notif-message)| | |<---------------------------------------------| | RESTCONF POST (RPC:modify-subscription) | | |--------------------------------------------->| | | | HTTP 200 OK| | |<---------------------------------------------| | | | SSE (subscription-modified)| | |<------------------------------------------(c)| | | SSE (notif-message)| | |<---------------------------------------------| | RESTCONF POST (RPC:delete-subscription) | | |--------------------------------------------->| | | | HTTP 200 OK| | |<---------------------------------------------| | | | | | |]]>

Additional requirements for dynamic subscriptions over SSE include: All subscription state notifications from a publisher MUST be returned in a separate SSE message used by the subscription to which the state change refers. Subscription RPCs MUST NOT use the connection currently providing notification messages for that subscription. In addition to an RPC response for a "modify-subscription" RPC traveling over (a), a "subscription-modified" state change notification must be sent within (b). This allows the receiver to know exactly when the new terms of the subscription have been applied to the notification messages. See arrow (c). A publisher MUST terminate a subscription in the following cases: Receipt of a "delete-subscription" or a "kill-subscription" RPC for that subscription. Loss of TLS heartbeat A publisher MAY terminate a subscription at any time as stated in Section 1.3

To meet subscription quality of service promises, the publisher MUST take any existing subscription "dscp" and apply it to the DSCP marking in the IP header. In addition, where HTTP2 transport is available to a notification message queued for transport to a receiver, the publisher MUST: take any existing subscription "priority", as specified by the "dscp" leaf node in , and copy it into the HTTP2 stream priority, section 5.3, and take any existing subscription "dependency", as specified by the "dependency" leaf node in , and use the HTTP2 stream for the parent subscription as the HTTP2 stream dependency, section 5.3.1, of the dependent subscription.

Notification messages transported over RESTCONF will be encoded according to , section 6.4.

The YANG model defined in has one leaf augmented into four places of , plus two identities. As the resulting full tree is large, it will only be inserted at later stages of this document.

This module references .

file "ietf-restconf-subscribed-notifications@2018-10-19.yang" module ietf-restconf-subscribed-notifications { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-restconf-subscribed-notifications"; prefix rsn; import ietf-subscribed-notifications { prefix sn; } import ietf-inet-types { prefix inet; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: Editor: Eric Voit Editor: Alexander Clemm Editor: Reshad Rahman "; description "Defines RESTCONF as a supported transport for subscribed event notifications. Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2018-10-19 { description "Initial version"; reference "RFC XXXX: RESTCONF Transport for Event Notifications"; } grouping uri { description "Provides a reusable description of a URI."; leaf uri { type inet:uri; config false; description "Location of a subscription specific URI on the publisher."; } } augment "/sn:establish-subscription/sn:output" { description "This augmentation allows RESTCONF specific parameters for a response to a publisher's subscription request."; uses uri; } augment "/sn:subscriptions/sn:subscription" { description "This augmentation allows RESTCONF specific parameters to be exposed for a subscription."; uses uri; } augment "/sn:subscription-modified" { description "This augmentation allows RESTCONF specific parameters to be included part of the notification that a subscription has been modified."; uses uri; } } ]]>

This document registers the following namespace URI in the "IETF XML Registry" : URI: urn:ietf:params:xml:ns:yang:ietf-restconf-subscribed-notifications Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document registers the following YANG module in the "YANG Module Names" registry : Name: ietf-restconf-subscribed-notifications Namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-subscribed-notifications Prefix: rsn Reference: RFC XXXX: RESTCONF Transport for Event Notifications

The YANG module specified in this document defines a schema for data that is designed to be accessed via network management transports such as NETCONF or RESTCONF . The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) . The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS . The one new data node introduced in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to this data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: Container: "/subscriptions" "uri": leaf will show where subscribed resources might be located on a publisher. Access control must be set so that only someone with proper access permissions, and perhaps even HTTP session has the ability to access this resource.

We wish to acknowledge the helpful contributions, comments, and suggestions that were received from: Ambika Prasad Tripathy, Alberto Gonzalez Prieto, Susan Hares, Tim Jenkins, Balazs Lengyel, Kent Watsen, Michael Scharf, Guangying Zheng, Martin Bjorklund and Qin Wu.

Huawei Cisco VMWare Cisco Cisco YumaWorks Ericsson

This section is non-normative. To allow easy comparison, this section mirrors the functional examples shown with NETCONF over XML within . In addition, HTTP2 vs HTTP1.1 headers are not shown as the contents of the JSON encoded objects are identical within.

The following figure shows two successful "establish-subscription" RPC requests as per . The first request is given a subscription identifier of 22, the second, an identifier of 23.

| (a) | HTTP 200 OK, id#22, URI#1 | |<------------------------------| (b) |GET (URI#1) | |------------------------------>| (c) | HTTP 200 OK,notif-mesg (id#22)| |<------------------------------| | | | | |establish-subscription | |------------------------------>| | HTTP 200 OK, id#23, URI#2| |<------------------------------| |GET (URI#2) | |------------------------------>| | | | | | notif-mesg (id#22)| |<------------------------------| | HTTP 200 OK,notif-mesg (id#23)| |<------------------------------| | | ]]>

To provide examples of the information being transported, example messages for interactions in are detailed below:

As publisher was able to fully satisfy the request, the publisher sends the subscription identifier of the accepted subscription, and the URI:

Upon receipt of the successful response, the subscriber does a GET the provided URI to start the flow of notification messages. When the publisher receives this, the subscription is moved to the active state (c).

While not shown in , if the publisher had not been able to fully satisfy the request, or subscriber has no authorization to establish the subscription, the publisher would have sent an RPC error response. For instance, if the "dscp" value of 10 asserted by the subscriber in proved unacceptable, the publisher may have returned:

The subscriber can use this information in future attempts to establish a subscription.

An existing subscription may be modified. The following exchange shows a negotiation of such a modification via several exchanges between a subscriber and a publisher. This negotiation consists of a failed RPC modification request/response, followed by a successful one.

| (d) | HTTP 406 error (with hint)| |<-----------------------------| (e) | | |modify-subscription (id#23) | |----------------------------->| | HTTP 200 OK | |<-----------------------------| | | | notif-mesg (id#23)| |<-----------------------------| | | ]]>

If the subscription being modified in is a datastore subscription as per , the modification request made in (d) may look like that shown in . As can be seen, the modifications being attempted are the application of a new xpath filter as well as the setting of a new periodic time interval.

If the publisher can satisfy both changes, the publisher sends a positive result for the RPC. If the publisher cannot satisfy either of the proposed changes, the publisher sends an RPC error response (e). The following is an example RPC error response for (e) which includes a hint. This hint is an alternative time period value which might have resulted in a successful modification:

The following demonstrates deleting a subscription. This subscription may have been to either a stream or a datastore.

If the publisher can satisfy the request, the publisher replies with success to the RPC request. If the publisher cannot satisfy the request, the publisher sends an error-rpc element indicating the modification didn't work. shows a valid response for existing valid subscription identifier, but that subscription identifier was created on a different transport session:

A publisher will send subscription state notifications according to the definitions within ).

A "subscription-modified" encoded in JSON would look like:

A "subscription-completed" would look like:

The "subscription-resumed" and "replay-complete" are virtually identical, with "subscription-completed" simply being replaced by "subscription-resumed" and "replay-complete".

A "subscription-terminated" would look like:

The "subscription-suspended" is virtually identical, with "subscription-terminated" simply being replaced by "subscription-suspended".

This section provides an example which illustrate the method of filtering event record contents. The example is based on the YANG notification "vrrp-protocol-error-event" as defined per the ietf-vrrp.yang module within . Event records based on this specification which are generated by the publisher might appear as:

Suppose a subscriber wanted to establish a subscription which only passes instances of event records where there is a "checksum-error" as part of a VRRP protocol event. Also assume the publisher places such event records into the NETCONF stream. To get a continuous series of matching event records, the subscriber might request the application of an XPath filter against the NETCONF stream. An "establish-subscription" RPC to meet this objective might be:

For more examples of XPath filters, see . Suppose the "establish-subscription" in was accepted. And suppose later a subscriber decided they wanted to broaden this subscription cover to all VRRP protocol events (i.e., not just those with a "checksum error"). The subscriber might attempt to modify the subscription in a way which replaces the XPath filter with a subtree filter which sends all VRRP protocol events to a subscriber. Such a "modify-subscription" RPC might look like:

For more examples of subtree filters, see , section 6.4.

(To be removed by RFC editor prior to publication) v08 - v09 Addressed comments received during WGLC. v07 - v08 Aligned with RESTCONF mechanism. YANG model: removed augment of subscription-started, added restconf transport. Tweaked Appendix A.1 to match draft-ietf-netconf-netconf-event-notifications-13. Added Appendix A.3 for filter example. v06 - v07 Removed configured subscriptions. Subscription identifier renamed to id. v05 - v06 JSON examples updated by Reshad. v04 - v05 Error mechanisms updated to match embedded RESTCONF mechanisms Restructured format and sections of document. Added a YANG data model for HTTP specific parameters. Mirrored the examples from the NETCONF transport draft to allow easy comparison. v03 - v04 Draft not fully synched to new version of subscribed-notifications yet. References updated v02 - v03 Event notification reframed to notification message. Tweaks to wording/capitalization/format. v01 - v02 Removed sections now redundant with and such as: mechanisms for subscription maintenance, terminology definitions, stream discovery. 3rd party subscriptions are out-of-scope. SSE only used with RESTCONF and HTTP1.1 dynamic subscriptions Timeframes for event tagging are self-defined. Clean-up of wording, references to terminology, section numbers. v00 - v01 Removed the ability for more than one subscription to go to a single HTTP2 stream. Updated call flows. Extensively. SSE only used with RESTCONF and HTTP1.1 dynamic subscriptions HTTP is not used to determine that a receiver has gone silent and is not Receiving Event Notifications Many clean-ups of wording and terminology