]> Cisco Systems

rwilton@cisco.com

Operations and Management Network Configuration YANG Push Observability Network Telemetry Operational Data This version of the document is aimed to be a base reference point to compare against to see how YANG Push Lite compares to the two core RFCs & that it is based on. The next draft revision would serve as a better starting point to see the proposed protocol & data model for YANG Push Lite. YANG Push Lite is a simplified specification of YANG Push, specifically optimized for observability of operational data. This early draft proposes some enhancements to YANG-Push to optimize its behavior for operational data telemetry. It also lists some additional issues that could potentially be discussed if there is further interest in this work, in particular whether we should be attempting extensions to YANG-Push (as this document is currently framed) or instead should attempt to define a new 'YANG-Push lite'. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Network Configuration Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Document Status PLEASE READ - This version of the document is aimed to be a base reference point () to compare against to see how YANG Push Lite compares to the two core RFCs & that it is based on. The next draft revision would serve as a better starting point to see the proposed protocol & data model for YANG Push Lite. Based on the feedback received during the IETF 121 NETCONF session, this document has currently been written as a self-contained lightweight replacement for and , defining a separate configuration data model. It leverages as the envelope for the generated notifications with a new update message format.

Acknowledgement to the authors of RFC 8639 and RFC 8641 This document is intended to be a lightweight alternative for and , but it intentionally reuses substantial part of the design and data model of those RFCs. For ease of reference, this document, at least initially, sources most of the text and basis for the YANG model directly from those RFCs, rather than creating a separate document that would contain numerous references. Hence, the authors of this draft would like to thank and acknowledge the very significant previous work by the authors and of those RFCs, i.e., Eric Voit, Alex Clemm, Alberto Gonzalez Prieto, Einar Nilsen-Nygaard, Ambika Prasad Tripathy, and also all those who contributed to the underlying work upon which this document is heavily based.

Introduction describes an architecture for how YANG-Push can be integrated effectively with message brokers, e.g., , that is part of a wider architecture for a Network Anomaly Detection Framework, specified in . YANG-Push is a key part of these architectures, but through experience of implementing YANG-Push specifically for the use cases described in the above architecture documents, it became clear that there are aspects of YANG-Push that are not optimal for these use cases for neither producer or consumer, particular as they relate to operational data. For the consumer of the telemetry data, there is a requirement to associate a schema with the instance-data that will be provided by a subscription. One approach is to fetch and build the entire schema for the device, e.g., by fetching YANG library, and then use the subscription XPath to select the relevant subtree of the schema that applies only to the subscription. The problem with this approach is that if the schema ever changes, e.g., after a software update, then it is reasonably likely of some changes occurring with the global device schema even if there are no changes to the schema subtree under the subscription path. Hence, it would be helpful to identify and version the schema associated with a particular subscription path, and also to encoded the instance data relatively to the subscription path rather than as an absolute path from the root of the operational datastore.

Introduction text from Subscribed Notifications (RFC 8639) This document defines a YANG data model and associated mechanisms enabling subscriber-specific subscriptions to a publisher's event streams. This effectively enables a "subscribe, then publish" capability where the customized information needs and access permissions of each target receiver are understood by the publisher before subscribed event records are marshaled and pushed. The receiver then gets a continuous, customized feed of publisher-generated information. While the functionality defined in this document is transport agnostic, transports like the Network Configuration Protocol (NETCONF) [RFC6241] or RESTCONF [RFC8040] can be used to configure or dynamically signal subscriptions. Bindings for subscribed event record delivery for NETCONF and RESTCONF are defined in [RFC8640] and [RESTCONF-Notif], respectively. The YANG data model defined in this document conforms to the Network Management Datastore Architecture defined in .

Motivation Various limitations to subscriptions as described in [RFC5277] were alleviated to some extent by the requirements provided in [RFC7923]. Resolving any remaining issues is the primary motivation for this work. Key capabilities supported by this document include:

• multiple subscriptions on a single transport session
• support for dynamic and configured subscriptions
• modification of an existing subscription in progress
• per-subscription operational counters
• negotiation of subscription parameters (through the use of hints returned as part of declined subscription requests)
• subscription state change notifications (e.g., publisher-driven suspension, parameter modification)
• independence from transport

Introduction text from YANG Push (RFC 8641) Traditional approaches for providing visibility into managed entities from a remote system have been built on polling. With polling, data is periodically requested and retrieved by a client from a server to stay up to date. However, there are issues associated with polling- based management:

• Polling incurs significant latency. This latency prohibits many types of applications.
• Polling cycles may be missed, and requests may be delayed or get lost -- often when the network is under stress and the need for the data is the greatest.
• Polling requests may undergo slight fluctuations, resulting in intervals of different lengths. The resulting data is difficult to calibrate and compare.
• For applications that monitor for changes, many remote polling cycles place unwanted and ultimately wasteful load on the network, devices, and applications, particularly when changes occur only infrequently.

A more effective alternative to polling is for an application to receive automatic and continuous updates from a targeted subset of a datastore. Accordingly, there is a need for a service that (1) allows applications to subscribe to updates from a datastore and (2) enables the server (also referred to as the "publisher") to push and, in effect, stream those updates. The requirements for such a service have been documented in [RFC7923]. This document defines a corresponding solution that is built on top of . Supplementing that work are YANG data model augmentations, extended RPCs, and new datastore-specific update notifications. Transport options provided in will work seamlessly with this solution.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Definitions taken from Subscribed Notifications (RFC 8639)

• Client: Defined in .
• Configuration: Defined in .
• Configuration datastore: Defined in .
• Configured subscription: A subscription installed via configuration into a configuration datastore.
• Dynamic subscription: A subscription created dynamically by a subscriber via a Remote Procedure Call (RPC).
• Event: An occurrence of something that may be of interest. Examples include a configuration change, a fault, a change in status, crossing a threshold, or an external input to the system.
• Event occurrence time: A timestamp matching the time an originating process identified as when an event happened.
• Event record: A set of information detailing an event.
• Event stream: A continuous, chronologically ordered set of events aggregated under some context.
• Event stream filter: Evaluation criteria that may be applied against event records in an event stream. Event records pass the filter when specified criteria are met.
• Notification message: Information intended for a receiver indicating that one or more events have occurred.
• Publisher: An entity responsible for streaming notification messages per the terms of a subscription.
• Receiver: A target to which a publisher pushes subscribed event records. For dynamic subscriptions, the receiver and subscriber are the same entity.
• Subscriber: A client able to request and negotiate a contract for the generation and push of event records from a publisher. For dynamic subscriptions, the receiver and subscriber are the same entity.
• Subscription: A contract with a publisher, stipulating the information that one or more receivers wish to have pushed from the publisher without the need for further solicitation.

All YANG tree diagrams used in this document follow the notation defined in .

Definitions taken from YANG Push (RFC 8641) This document uses the terminology defined in [RFC7950], , , and . In addition, this document defines the following terms:

• Datastore node: A node in the instantiated YANG data tree associated with a datastore. In this document, datastore nodes are often also simply referred to as "objects".
• Datastore node update: A data item containing the current value of a datastore node at the time the datastore node update was created, as well as the path to the datastore node.
• Datastore subscription: A subscription to a stream of datastore node updates.
• Datastore subtree: A datastore node and all its descendant datastore nodes.
• On-change subscription: A datastore subscription with updates that are triggered when changes in subscribed datastore nodes are detected.
• Periodic subscription: A datastore subscription with updates that are triggered periodically according to some time interval.
• Selection filter: Evaluation and/or selection criteria that may be applied against a targeted set of objects.
• Update record: A representation of one or more datastore node updates. In addition, an update record may contain which type of update led to the datastore node update (e.g., whether the datastore node was added, changed, or deleted). Also included in the update record may be other metadata, such as a subscription ID of the subscription for which the update record was generated. In this document, update records are often also simply referred to as "updates".
• Update trigger: A mechanism that determines when an update record needs to be generated.
• YANG-Push: The subscription and push mechanism for datastore updates that is specified in this document.

Subscribed Notifications Solution Overview (all from RFC 8639) This document describes a transport-agnostic mechanism for subscribing to and receiving content from an event stream in a publisher. This mechanism operates through the use of a subscription. Two types of subscriptions are supported:

1. Dynamic subscriptions, where a subscriber initiates a subscription negotiation with a publisher via an RPC. If the publisher is able to serve this request, it accepts it and then starts pushing notification messages back to the subscriber. If the publisher is not able to serve it as requested, then an error response is returned. This response MAY include hints for subscription parameters that, had they been present, may have enabled the dynamic subscription request to be accepted.
2. Configured subscriptions, which allow the management of subscriptions via a configuration so that a publisher can send notification messages to a receiver. Support for configured subscriptions is optional, with its availability advertised via a YANG feature.

Additional characteristics differentiating configured from dynamic subscriptions include the following:

• The lifetime of a dynamic subscription is bound by the transport session used to establish it. For connection-oriented stateful transports like NETCONF, the loss of the transport session will result in the immediate termination of any associated dynamic subscriptions. For connectionless or stateless transports like HTTP, a lack of receipt acknowledgment of a sequential set of notification messages and/or keep-alives can be used to trigger a termination of a dynamic subscription. Contrast this to the lifetime of a configured subscription. This lifetime is driven by relevant configuration being present in the publisher's applied configuration. Being tied to configuration operations implies that (1) configured subscriptions can be configured to persist across reboots and (2) a configured subscription can persist even when its publisher is fully disconnected from any network.
• Configured subscriptions can be modified by any configuration client with write permission on the configuration of the subscription. Dynamic subscriptions can only be modified via an RPC request made by the original subscriber or by a change to configuration data referenced by the subscription.

Note that there is no mixing and matching of dynamic and configured operations on a single subscription. Specifically, a configured subscription cannot be modified or deleted using RPCs defined in this document. Similarly, a dynamic subscription cannot be directly modified or deleted by configuration operations. It is, however, possible to perform a configuration operation that indirectly impacts a dynamic subscription. By changing the value of a preconfigured filter referenced by an existing dynamic subscription, the selected event records passed to a receiver might change. Also note that transport-specific specifications based on this specification MUST detail the lifecycle of dynamic subscriptions as well as the lifecycle of configured subscriptions (if supported). A publisher MAY terminate a dynamic subscription at any time. Similarly, it MAY decide to temporarily suspend the sending of notification messages for any dynamic subscription, or for one or more receivers of a configured subscription. Such termination or suspension is driven by internal considerations of the publisher.

Relationship to RFC 5277 This document is intended to provide a superset of the subscription capabilities initially defined in [RFC5277]. It is important to understand what has been reused and what has been replaced, especially when extending an existing implementation that is based on [RFC5277]. Key relationships between these two documents include the following:

• This document defines a transport-independent capability; [RFC5277] is specific to NETCONF.
• For the new operations, the data model defined in this document is used instead of the data model defined in Section 3.4 of [RFC5277].
• The RPC operations in this document replace the operation <create-subscription> as defined in [RFC5277], Section 4.
• The <notification> message of [RFC5277], Section 4 is used.
• The included contents of the "NETCONF" event stream are identical between this document and [RFC5277].
• A publisher MAY implement both the Notification Management Schema and RPCs defined in [RFC5277] and this document concurrently.
• Unlike [RFC5277], this document enables a single transport session to intermix notification messages and RPCs for different subscriptions.
• A subscription "stop-time" can be specified as part of a notification replay. This supports a capability analogous to the <stopTime> parameter of [RFC5277]. However, in this specification, a "stop-time" parameter can also be applied without replay.

Solution Per the overview provided in Section 1.3, this section details the overall context, state machines, and subsystems that may be assembled to allow the subscription of events from a publisher.

Event Streams An event stream is a named entity on a publisher; this entity exposes a continuously updating set of YANG-defined event records. An event record is an instantiation of a "notification" YANG statement. If the "notification" is defined as a child to a data node, the instantiation includes the hierarchy of nodes that identifies the data node in the datastore (see Section 7.16.2 of [RFC7950]). Each event stream is available for subscription. Identifying a) how event streams are defined (other than the NETCONF stream), b) how event records are defined/generated, and c) how event records are assigned to event streams is out of scope for this document. There is only one reserved event stream name in this document: "NETCONF". The "NETCONF" event stream contains all NETCONF event record information supported by the publisher, except where an event record has explicitly been excluded from the stream. Beyond the "NETCONF" stream, implementations MAY define additional event streams. As YANG-defined event records are created by a system, they may be assigned to one or more streams. The event record is distributed to a subscription's receiver(s) where (1) a subscription includes the identified stream and (2) subscription filtering does not exclude the event record from that receiver. Access control permissions may be used to silently exclude event records from an event stream for which the receiver has no read access. See , Section 3.4.6 for an example of how this might be accomplished. Note that per Section 2.7 of this document, subscription state change notifications are never filtered out. If no access control permissions are in place for event records on an event stream, then a receiver MUST be allowed access to all the event records. If subscriber permissions change during the lifecycle of a subscription and event stream access is no longer permitted, then the subscription MUST be terminated. Event records MUST NOT be delivered to a receiver in a different order than the order in which they were placed on an event stream.

Event Stream Filters This document defines an extensible filtering mechanism. The filter itself is a boolean test that is placed on the content of an event record. A "false" filtering result causes the event record to be excluded from delivery to a receiver. A filter never results in information being stripped from an event record prior to that event record being encapsulated in a notification message. The two optional event stream filtering syntaxes supported are [XPATH] and subtree [RFC6241]. If no event stream filter is provided in a subscription, all event records on an event stream are to be sent.

QoS This document provides for several Quality of Service (QoS) parameters. These parameters indicate the treatment of a subscription relative to other traffic between publisher and receiver. Included are:

• A "dscp" marking to differentiate prioritization of notification messages during network transit.
• A "weighting" so that bandwidth proportional to this weighting can be allocated to this subscription relative to other subscriptions.
• A "dependency" upon another subscription.

If the publisher supports the "dscp" feature, then a subscription with a "dscp" leaf MUST result in a corresponding Differentiated Services Code Point (DSCP) marking [RFC2474] being placed in the IP header of any resulting notification messages and subscription state change notifications. A publisher MUST respect the DSCP markings for subscription traffic egressing that publisher. Different DSCP code points require different transport connections. As a result, where TCP is used, a publisher that supports the "dscp" feature must ensure that a subscription's notification messages are returned in a single TCP transport session where all traffic shares the subscription's "dscp" leaf value. If this cannot be guaranteed, any "establish-subscription" RPC request SHOULD be rejected with a "dscp-unavailable" error. For the "weighting" parameter, when concurrently dequeuing notification messages from multiple subscriptions to a receiver, the publisher MUST allocate bandwidth to each subscription proportional to the weights assigned to those subscriptions. "Weighting" is an optional capability of the publisher; support for it is identified via the "qos" feature. If a subscription has the "dependency" parameter set, then any buffered notification messages containing event records selected by the parent subscription MUST be dequeued prior to the notification messages of the dependent subscription. If notification messages have dependencies on each other, the notification message queued the longest MUST go first. If a "dependency" included in an RPC references a subscription that does not exist or is no longer accessible to that subscriber, that "dependency" MUST be silently removed. "Dependency" is an optional capability of the publisher; support for it is identified via the "qos" feature. "Dependency" and "weighting" parameters will only be respected and enforced between subscriptions that share the same "dscp" leaf value. There are additional types of publisher capacity overload that this specification does not address, as they are out of scope. For example, the prioritization of which subscriptions have precedence when the publisher CPU is overloaded is not discussed. As a result, implementation choices will need to be made to address such considerations.

Configured Subscriptions A configured subscription is a subscription installed via configuration. Configured subscriptions may be modified by any configuration client with the proper permissions. Subscriptions can be modified or terminated via configuration at any point during their lifetime. Multiple configured subscriptions MUST be supportable over a single transport session. Configured subscriptions have several characteristics distinguishing them from dynamic subscriptions:

• persistence across publisher reboots,
• persistence even when transport is unavailable, and
• an ability to send notification messages to more than one receiver. (Note that receivers are unaware of the existence of any other receivers.)

On the publisher, support for configured subscriptions is optional and advertised using the "configured" feature. On a receiver of a configured subscription, support for dynamic subscriptions is optional. However, if replaying missed event records is required for a configured subscription, support for dynamic subscription is highly recommended. In this case, a separate dynamic subscription can be established to retransmit the missing event records. In addition to the subscription parameters available to dynamic subscriptions as described in Section 2.4.2, the following additional parameters are also available to configured subscriptions:

• A "transport", which identifies the transport protocol to use to connect with all subscription receivers.
• One or more receivers, each intended as the destination for event records. Note that each individual receiver is identifiable by its "name".
• Optional parameters to identify where traffic should egress a publisher:
  • A "source-interface", which identifies the egress interface to use from the publisher. Publisher support for this parameter is optional and advertised using the "interface-designation" feature.
  • A "source-address" address, which identifies the IP address to stamp on notification messages destined for the receiver.
  • A "source-vrf", which identifies the Virtual Routing and Forwarding (VRF) instance on which to reach receivers. This VRF is a network instance as defined in [RFC8529]. Publisher support for VRFs is optional and advertised using the "supports-vrf" feature.
  If none of the above parameters are set, notification messages MUST egress the publisher's default interface.

A tree diagram that includes these parameters is provided in Figure 20 in Section 3.3. These parameters are described in the YANG module in Section 4.

Configured Subscription State Machine Below is the state machine for a configured subscription on the publisher. This state machine describes the three states ("valid", "invalid", and "concluded") as well as the transitions between these states. Start and end states are depicted to reflect configured subscription creation and deletion events. The creation or modification of a configured subscription initiates an evaluation by the publisher to determine if the subscription is in the "valid" state or the "invalid" state. The publisher uses its own criteria in making this determination. If in the "valid" state, the subscription becomes operational. See (1) in the diagram below. |invalid|-delete->: end :<-delete-|concluded| | '-------' :.....: '---------' |-[evaluate]--no-(2). ^ ^ ^ | ^ | | | | yes | '->unsupportable delete stop-time | modify (subscription- (subscription- (subscription- | | terminated*) terminated*) concluded*) | | | | | (1) | (3) (4) (5) | .---------------------------------------------------------------. '-->| valid | '---------------------------------------------------------------' Legend: Dotted boxes: subscription added or removed via configuration Dashed boxes: states for a subscription [evaluate]: decision point on whether the subscription is supportable (*): resulting subscription state change notification Figure 8: Publisher's State Machine for a Configured Subscription ]]> A subscription in the "valid" state may move to the "invalid" state in one of two ways. First, it may be modified in a way that fails a re-evaluation. See (2) in the diagram. Second, the publisher might determine that the subscription is no longer supportable. This could be because of an unexpected but sustained increase in an event stream's event records, degraded CPU capacity, a more complex referenced filter, or other subscriptions that have usurped resources. See (3) in the diagram. No matter the case, a "subscription-terminated" notification is sent to any receivers in the "active" or "suspended" state. A subscription in the "valid" state may also transition to the "concluded" state via (5) if a configured stop time has been reached. In this case, a "subscription-concluded" notification is sent to any receivers in the "active" or "suspended" state. Finally, a subscription may be deleted by configuration (4). When a subscription is in the "valid" state, a publisher will attempt to connect with all receivers of a configured subscription and deliver notification messages. Below is the state machine for each receiver of a configured subscription. This receiver state machine is fully contained in the state machine of the configured subscription and is only relevant when the configured subscription is in the "valid" state. | receiver | | | |connecting|<----------------reset--(c)|disconnected| | | | |<-transport '------------' | | '----------' loss,reset------------------------------. | | (a) | | | | subscription- (b) (b) | | started* .--------. .---------. | | '----->| |(d)-insufficient CPU,------->| | | | |receiver| buffer overflow |receiver | | | subscription-| active | |suspended| | | modified* | |<----CPU, b/w sufficient,-(e)| | | | '---->'--------' subscription-modified* '---------' | '-----------------------------------------------------------------' Legend: Dashed boxes that include the word "receiver" show the possible states for an individual receiver of a valid configured subscription. * indicates a subscription state change notification Figure 9: Receiver State Machine for a Configured Subscription on a Publisher ]]> When a configured subscription first moves to the "valid" state, the "state" leaf of each receiver is initialized to the "connecting" state. If transport connectivity is not available to any receivers and there are any notification messages to deliver, a transport session is established (e.g., per [RFC8071]). Individual receivers are moved to the "active" state when a "subscription-started" subscription state change notification is successfully passed to that receiver (a). Event records are only sent to active receivers. Receivers of a configured subscription remain active on the publisher if both (1) transport connectivity to the receiver is active and (2) event records are not being dropped due to a publisher's sending capacity being reached. In addition, a configured subscription's receiver MUST be moved to the "connecting" state if the receiver is reset via the "reset" action (b), (c). For more on the "reset" action, see Section 2.5.5. If transport connectivity cannot be achieved while in the "connecting" state, the receiver MAY be moved to the "disconnected" state. A configured subscription's receiver MUST be moved to the "suspended" state if there is transport connectivity between the publisher and receiver but (1) delivery of notification messages is failing due to a publisher's buffer capacity being reached or (2) notification messages cannot be generated for that receiver due to insufficient CPU (d). This is indicated to the receiver by the "subscription- suspended" subscription state change notification. A configured subscription's receiver MUST be returned to the "active" state from the "suspended" state when notification messages can be generated, bandwidth is sufficient to handle the notification messages, and a receiver has successfully been sent a "subscription- resumed" or "subscription-modified" subscription state change notification (e). The choice as to which of these two subscription state change notifications is sent is determined by whether the subscription was modified during the period of suspension. Modification of a configured subscription is possible at any time. A "subscription-modified" subscription state change notification will be sent to all active receivers, immediately followed by notification messages conforming to the new parameters. Suspended receivers will also be informed of the modification. However, this notification will await the end of the suspension for that receiver (e). The mechanisms described above are mirrored in the RPCs and notifications defined in this document. It should be noted that these RPCs and notifications have been designed to be extensible and allow subscriptions into targets other than event streams. For instance, the YANG module defined in Section 5 of augments "/sn:modify-subscription/sn:input/sn:target".

Creating a Configured Subscription Configured subscriptions are established using configuration operations against the top-level "subscriptions" subtree. Because there is no explicit association with an existing transport session, configuration operations MUST include additional parameters beyond those of dynamic subscriptions. These parameters identify each receiver, how to connect with that receiver, and possibly whether the notification messages need to come from a specific egress interface on the publisher. Receiver-specific transport connectivity parameters MUST be configured via transport-specific augmentations to this specification. See Section 2.5.7 for details. After a subscription is successfully established, the publisher immediately sends a "subscription-started" subscription state change notification to each receiver. It is quite possible that upon configuration, reboot, or even steady-state operations, a transport session may not be currently available to the receiver. In this case, when there is something to transport for an active subscription, transport-specific "call home" operations [RFC8071] will be used to establish the connection. When transport connectivity is available, notification messages may then be pushed. With active configured subscriptions, it is allowable to buffer event records even after a "subscription-started" has been sent. However, if events are lost (rather than just delayed) due to replay buffer capacity being reached, a new "subscription-started" must be sent. This new "subscription-started" indicates an event record discontinuity. To see an example of subscription creation using configuration operations over NETCONF, see Appendix A.

Modifying a Configured Subscription Configured subscriptions can be modified using configuration operations against the top-level "subscriptions" subtree. If the modification involves adding receivers, added receivers are placed in the "connecting" state. If a receiver is removed, the subscription state change notification "subscription-terminated" is sent to that receiver if that receiver is active or suspended. If the modification involves changing the policies for the subscription, the publisher sends to currently active receivers a "subscription-modified" notification. For any suspended receivers, a "subscription-modified" notification will be delayed until the receiver's subscription has been resumed. (Note: In this case, the "subscription-modified" notification informs the receiver that the subscription has been resumed, so no additional "subscription- resumed" need be sent. Also note that if multiple modifications have occurred during the suspension, only the "subscription-modified" notification describing the latest one need be sent to the receiver.)

Deleting a Configured Subscription Subscriptions can be deleted through configuration against the top-level "subscriptions" subtree. Immediately after a subscription is successfully deleted, the publisher sends to all receivers of that subscription a subscription state change notification stating that the subscription has ended (i.e., "subscription-terminated").

Resetting a Configured Subscription's Receiver It is possible that a configured subscription to a receiver needs to be reset. This is accomplished via the "reset" action in the YANG module at "/subscriptions/subscription/receivers/receiver/reset". This action may be useful in cases where a publisher has timed out trying to reach a receiver. When such a reset occurs, a transport session will be initiated if necessary, and a new "subscription- started" notification will be sent. This action does not have any effect on transport connectivity if the needed connectivity already exists.

Replay for a Configured Subscription It is possible to do replay on a configured subscription. This is supported via the configuration of the "configured-replay" object on the subscription. The setting of this object enables the streaming of the buffered event records for the subscribed event stream. All buffered event records that have been retained since the last publisher restart will be sent to each configured receiver. Replay of event records created since restart is useful. It allows event records generated before transport connectivity establishment to be passed to a receiver. Setting the restart time as the earliest configured replay time precludes the possibility of resending event records that were logged prior to publisher restart. It also ensures that the same records will be sent to each configured receiver, regardless of the speed of transport connectivity establishment to each receiver. Finally, by establishing restart as the earliest potential time for event records to be included in notification messages, a well-understood timeframe for replay is defined. As a result, when any configured subscription's receivers become active, buffered event records will be sent immediately after the "subscription-started" notification. If the publisher knows the last event record sent to a receiver and the publisher has not rebooted, the next event record on the event stream that meets filtering criteria will be the leading event record sent. Otherwise, the leading event record will be the first event record meeting filtering criteria subsequent to the latest of three different times: the "replay-log-creation-time", the "replay-log-aged-time", or the most recent publisher boot time. The "replay-log-creation-time" and "replay-log-aged-time" are discussed in Section 2.4.2.1. The most recent publisher boot time ensures that duplicate event records are not replayed from a previous time the publisher was booted. It is quite possible that a receiver might want to retrieve event records from an event stream prior to the latest boot. If such records exist where there is a configured replay, the publisher MUST send the time of the event record immediately preceding the "replay-start-time" in the "replay-previous-event-time" leaf. Through the existence of the "replay-previous-event-time", the receiver will know that earlier events prior to reboot exist. In addition, if the subscriber was previously receiving event records with the same subscription "id", the receiver can determine if there was a time gap where records generated on the publisher were not successfully received. And with this information, the receiver may choose to dynamically subscribe to retrieve any event records placed in the event stream before the most recent boot time. All other replay functionality remains the same as with dynamic subscriptions as described in Section 2.4.2.1.

Transport Connectivity for a Configured Subscription This specification is transport independent. However, supporting a configured subscription will often require the establishment of transport connectivity. And the parameters used for this transport connectivity establishment are transport specific. As a result, the YANG module defined in Section 4 is not able to directly define and expose these transport parameters. It is necessary for an implementation to support the connection establishment process. To support this function, the YANG data model defined in this document includes a node where transport-specific parameters for a particular receiver may be augmented. This node is "/subscriptions/subscription/receivers/receiver". By augmenting transport parameters from this node, system developers are able to incorporate the YANG objects necessary to support the transport connectivity establishment process. The result of this is the following requirement. A publisher supporting the feature "configured" MUST also support at least one YANG data model that augments transport connectivity parameters on "/subscriptions/subscription/receivers/receiver". For an example of such an augmentation, see Appendix A.

Dynamic Subscriptions Dynamic subscriptions are managed via protocol operations (in the form of RPCs, per [RFC7950], Section 7.14) made against targets located in the publisher. These RPCs have been designed extensibly so that they may be augmented for subscription targets beyond event streams. For examples of such augmentations, see the RPC augmentations in the YANG data model provided in .

Dynamic Subscription State Machine Below is the publisher's state machine for a dynamic subscription. Each state is shown in its own box. It is important to note that such a subscription doesn't exist at the publisher until an "establish-subscription" RPC is accepted. The mere request by a subscriber to establish a subscription is not sufficient for that subscription to be externally visible. Start and end states are depicted to reflect subscription creation and deletion events. | receiver | modify- '| active | | suspended | subscription | |<----CPU, b/w sufficient--| | ---------->'-----------' '-----------' | | delete/kill-subscription delete/kill- | subscription v | ......... | : end :<---------------------------------' :.......: Figure 1: Publisher's State Machine for a Dynamic Subscription ]]> Of interest in this state machine are the following: o Successful "establish-subscription" or "modify-subscription" RPCs move the subscription to the "active" state. o Failed "modify-subscription" RPCs will leave the subscription in its previous state, with no visible change to any streaming updates. o A "delete-subscription" or "kill-subscription" RPC will end the subscription, as will reaching a "stop-time". o A publisher may choose to suspend a subscription when there is not sufficient CPU or bandwidth available to service the subscription. This is announced to the subscriber via the "subscription- suspended" subscription state change notification. o A suspended subscription may be modified by the subscriber (for example, in an attempt to use fewer resources). Successful modification returns the subscription to the "active" state. o Even without a "modify-subscription" request, a publisher may return a subscription to the "active" state when sufficient resources are again available. This is announced to the subscriber via the "subscription-resumed" subscription state change notification.

Establishing a Dynamic Subscription The "establish-subscription" RPC allows a subscriber to request the creation of a subscription. The input parameters of the operation are: o A "stream" name, which identifies the targeted event stream against which the subscription is applied. o An event stream filter, which may reduce the set of event records pushed. o If the transport used by the RPC supports multiple encodings, an optional "encoding" for the event records pushed. If no "encoding" is included, the encoding of the RPC MUST be used. o An optional "stop-time" for the subscription. If no "stop-time" is present, notification messages will continue to be sent until the subscription is terminated. o An optional "replay-start-time" for the subscription. The "replay-start-time" MUST be in the past and indicates that the subscription is requesting a replay of previously generated information from the event stream. For more on replay, see Section 2.4.2.1. If there is no "replay-start-time", the subscription starts immediately. If the publisher can satisfy the "establish-subscription" request, it replies with an identifier for the subscription and then immediately starts streaming notification messages. Below is a tree diagram for "establish-subscription". All objects contained in this tree are described in the YANG module in Section 4. | | | | {subtree}? | | | +--:(stream-xpath-filter) | | | +---w stream-xpath-filter? | | | yang:xpath1.0 {xpath}? | | +---w stream stream-ref | | +---w replay-start-time? | | yang:date-and-time {replay}? | +---w stop-time? | | yang:date-and-time | +---w dscp? inet:dscp | | {dscp}? | +---w weighting? uint8 | | {qos}? | +---w dependency? | | subscription-id {qos}? | +---w encoding? encoding +--ro output +--ro id subscription-id +--ro replay-start-time-revision? yang:date-and-time {replay}? Figure 2: "establish-subscription" RPC Tree Diagram ]]> A publisher MAY reject the "establish-subscription" RPC for many reasons, as described in Section 2.4.6. The contents of the resulting RPC error response MAY include details on input parameters that, if considered in a subsequent "establish-subscription" RPC, may result in successful subscription establishment. Any such hints MUST be transported in a yang-data "establish-subscription-stream-error- info" container included in the RPC error response. Below is a tree diagram for "establish-subscription-stream-error- info" RPC yang-data. All objects contained in this tree are described in the YANG module in Section 4.

Requesting a Replay of Event Records Replay provides the ability to establish a subscription that is also capable of passing event records generated in the recent past. In other words, as the subscription initializes itself, it sends any event records in the target event stream that meet the filter criteria that have an event time that is after the "replay-start- time" and also have an event time before the "stop-time" should this "stop-time" exist. The end of these historical event records is identified via a "replay-completed" subscription state change notification. Any event records generated since the subscription establishment may then follow. For a particular subscription, all event records will be delivered in the order in which they are placed in the event stream. Replay is an optional feature that is dependent on an event stream supporting some form of logging. This document puts no restrictions on the size or form of the log, where it resides in the publisher, or when event record entries in the log are purged. The inclusion of a "replay-start-time" in an "establish-subscription" RPC indicates a replay request. If the "replay-start-time" contains a value that is earlier than what a publisher's retained history supports, then if the subscription is accepted, the actual publisher's revised start time MUST be set in the returned "replay-start-time-revision" object. A "stop-time" parameter may be included in a replay subscription. For a replay subscription, the "stop-time" MAY be earlier than the current time but MUST be later than the "replay-start-time". If the given "replay-start-time" is later than the time marked in any event records retained in the replay buffer, then the publisher MUST send a "replay-completed" notification immediately after a successful "establish-subscription" RPC response. If an event stream supports replay, the "replay-support" leaf is present in the "/streams/stream" list entry for the event stream. An event stream that does support replay is not expected to have an unlimited supply of saved notifications available to accommodate any given replay request. To assess the timeframe available for replay, subscribers can read the leafs "replay-log-creation-time" and "replay-log-aged-time". See Figure 18 for the YANG tree and Section 4 for the YANG module describing these elements. The actual size of the replay log at any given time is a publisher-specific matter. Control parameters for the replay log are outside the scope of this document.

Modifying a Dynamic Subscription The "modify-subscription" operation permits changing the terms of an existing dynamic subscription. Dynamic subscriptions can be modified any number of times. Dynamic subscriptions can only be modified via this RPC using a transport session connecting to the subscriber. If the publisher accepts the requested modifications, it acknowledges success to the subscriber, then immediately starts sending event records based on the new terms. Subscriptions created by configuration cannot be modified via this RPC. However, configuration may be used to modify objects referenced by the subscription (such as a referenced filter). Below is a tree diagram for "modify-subscription". All objects contained in this tree are described in the YANG module in Section 4. | | {subtree}? | +--:(stream-xpath-filter) | +---w stream-xpath-filter? | yang:xpath1.0 {xpath}? +---w stop-time? yang:date-and-time Figure 4: "modify-subscription" RPC Tree Diagram ]]> If the publisher accepts the requested modifications on a currently suspended subscription, the subscription will immediately be resumed (i.e., the modified subscription is returned to the "active" state). The publisher MAY immediately suspend this newly modified subscription through the "subscription-suspended" notification before any event records are sent. If the publisher rejects the RPC request, the subscription remains as it was prior to the request. That is, the request has no impact whatsoever. Rejection of the RPC for any reason is indicated via an RPC error as described in Section 2.4.6. The contents of such a rejected RPC MAY include hints on inputs that (if considered) may result in a successfully modified subscription. These hints MUST be transported in a yang-data "modify-subscription-stream-error-info" container inserted into the RPC error response. Below is a tree diagram for "modify-subscription-stream-error-info" RPC yang-data. All objects contained in this tree are described in the YANG module in Section 4.

Deleting a Dynamic Subscription The "delete-subscription" operation permits canceling an existing subscription. If the publisher accepts the request and the publisher has indicated success, the publisher MUST NOT send any more notification messages for this subscription. Below is a tree diagram for "delete-subscription". All objects contained in this tree are described in the YANG module in Section 4. Dynamic subscriptions can only be deleted via this RPC using a transport session connecting to the subscriber. Configured subscriptions cannot be deleted using RPCs.

Killing a Dynamic Subscription The "kill-subscription" operation permits an operator to end a dynamic subscription that is not associated with the transport session used for the RPC. A publisher MUST terminate any dynamic subscription identified by the "id" parameter in the RPC request, if such a subscription exists. Configured subscriptions cannot be killed using this RPC. Instead, configured subscriptions are deleted as part of regular configuration operations. Publishers MUST reject any RPC attempt to kill a configured subscription. Below is a tree diagram for "kill-subscription". All objects contained in this tree are described in the YANG module in Section 4.

RPC Failures Whenever an RPC is unsuccessful, the publisher returns relevant information as part of the RPC error response. Transport-level error processing MUST be done before the RPC error processing described in this section. In all cases, RPC error information returned by the publisher will use existing transport-layer RPC structures, such as those seen with NETCONF (Appendix A of [RFC6241]) or RESTCONF (Section 7.1 of [RFC8040]). These structures MUST be able to encode subscription-specific errors identified below and defined in this document's YANG data model. As a result of this variety, how subscription errors are encoded in an RPC error response is transport dependent. Valid errors that can occur for each RPC are as follows: To see a NETCONF-based example of an error response from the list above, see the "no-such-subscription" error response illustrated in [RFC8640], Figure 10. There is one final set of transport-independent RPC error elements included in the YANG data model defined in this document: three yang-data structures that enable the publisher to provide to the receiver any error information that does not fit into existing transport-layer RPC structures. These structures are:

1. "establish-subscription-stream-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "establish-subscription" RPC response. This MUST be sent if hints on how to overcome the RPC error are included.
2. "modify-subscription-stream-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "modify-subscription" RPC response. This MUST be sent if hints on how to overcome the RPC error are included.
3. "delete-subscription-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "delete-subscription" or "kill-subscription" RPC response.

Event Record Delivery Whether dynamic or configured, once a subscription has been set up, the publisher streams event records via notification messages per the terms of the subscription. For dynamic subscriptions, notification messages are sent over the session used to establish the subscription. For configured subscriptions, notification messages are sent over the connections specified by the transport and each receiver of a configured subscription. A notification message is sent to a receiver when an event record is not blocked by either the specified filter criteria or receiver permissions. This notification message MUST include an <eventTime> object, as shown in [RFC5277], Section 4. This <eventTime> MUST be at the top level of a YANG structured event record. The following example of XML [W3C.REC-xml-20081126], adapted from Section 4.2.10 of [RFC7950], illustrates a compliant message: 2007-09-01T10:00:00Z so-1/2/3.0 up down Figure 10: Subscribed Notification Message ]]> [RFC5277], Section 2.2.1 states that a notification message is to be sent to a subscriber that initiated a <create-subscription>. With this document, this statement from [RFC5277] should be more broadly interpreted to mean that notification messages can also be sent to a subscriber that initiated an "establish-subscription" or to a configured receiver that has been sent a "subscription-started". When a dynamic subscription has been started or modified with "establish-subscription" or "modify-subscription", respectively, event records matching the newly applied filter criteria MUST NOT be sent until after the RPC reply has been sent. When a configured subscription has been started or modified, event records matching the newly applied filter criteria MUST NOT be sent until after the "subscription-started" or "subscription-modified" notification has been sent, respectively.

Subscription State Change Notifications In addition to sending event records to receivers, a publisher MUST also send subscription state change notifications when events related to subscription management have occurred. Subscription state change notifications are unlike other notifications in that they are never included in any event stream. Instead, they are inserted (as defined in this section) into the sequence of notification messages sent to a particular receiver. Subscription state change notifications cannot be dropped or filtered out, they cannot be stored in replay buffers, and they are delivered only to impacted receivers of a subscription. The identification of subscription state change notifications is easy to separate from other notification messages through the use of the YANG extension "subscription-state-notif". This extension tags a notification as a subscription state change notification. The complete set of subscription state change notifications is described in the following subsections.

"subscription-started" This notification indicates that a configured subscription has started, and event records may be sent. Included in this subscription state change notification are all the parameters of the subscription, except for (1) transport connection information for one or more receivers and (2) origin information indicating where notification messages will egress the publisher. Note that if a referenced filter from the "filters" container has been used in the subscription, the notification still provides the contents of that referenced filter under the "within-subscription" subtree. Note that for dynamic subscriptions, no "subscription-started" notifications are ever sent. Below is a tree diagram for "subscription-started". All objects contained in this tree are described in the YANG module in Section 4. | | | {subtree}? | | +--:(stream-xpath-filter) | | +--ro stream-xpath-filter? yang:xpath1.0 | | {xpath}? | +--ro stream stream-ref | +--ro replay-start-time? | | yang:date-and-time {replay}? | +--ro replay-previous-event-time? | yang:date-and-time {replay}? +--ro stop-time? | yang:date-and-time +--ro dscp? inet:dscp | {dscp}? +--ro weighting? uint8 {qos}? +--ro dependency? | subscription-id {qos}? +--ro transport? transport | {configured}? +--ro encoding? encoding +--ro purpose? string {configured}? Figure 11: "subscription-started" Notification Tree Diagram ]]>

"subscription-modified" This notification indicates that a subscription has been modified by configuration operations. It is delivered directly after the last event records processed using the previous subscription parameters, and before any event records processed after the modification. Below is a tree diagram for "subscription-modified". All objects contained in this tree are described in the YANG module in Section 4. | | | {subtree}? | | +--:(stream-xpath-filter) | | +--ro stream-xpath-filter? yang:xpath1.0 | | {xpath}? | +--ro stream stream-ref | +--ro replay-start-time? | yang:date-and-time {replay}? +--ro stop-time? | yang:date-and-time +--ro dscp? inet:dscp | {dscp}? +--ro weighting? uint8 {qos}? +--ro dependency? | subscription-id {qos}? +--ro transport? transport | {configured}? +--ro encoding? encoding +--ro purpose? string {configured}? Figure 12: "subscription-modified" Notification Tree Diagram ]]> A publisher most often sends this notification directly after the modification of any configuration parameters impacting a configured subscription. But it may also be sent at two other times:

1. If a configured subscription has been modified during the suspension of a receiver, the notification will be delayed until the receiver's suspension is lifted. In this situation, the notification indicates that the subscription has been both modified and resumed.
2. A "subscription-modified" subscription state change notification MUST be sent if the contents of the filter identified by the subscription's "stream-filter-ref" leaf have changed. This state change notification is to be sent for a filter change impacting any active receivers of a configured or dynamic subscription.

"subscription-terminated" This notification indicates that no further event records for this subscription should be expected from the publisher. A publisher may terminate the sending of event records to a receiver for the following reasons:

1. Configuration that removes a configured subscription, or a "kill-subscription" RPC that ends a dynamic subscription. These are identified via the reason "no-such-subscription".
2. A referenced filter is no longer accessible. This reason is identified by the "filter-unavailable" identity.
3. The event stream referenced by a subscription is no longer accessible by the receiver. This reason is identified by the "stream-unavailable" identity.
4. A suspended subscription has exceeded some timeout. This reason is identified by the "suspension-timeout" identity.

Each reason listed above derives from the "subscription-terminated- reason" base identity specified in the YANG data model in this document. Below is a tree diagram for "subscription-terminated". All objects contained in this tree are described in the YANG module in Section 4. Note: This subscription state change notification MUST be sent to a dynamic subscription's receiver when the subscription ends unexpectedly. This might happen when a "kill-subscription" RPC is successful or when some other event, not including reaching the subscription's "stop-time", results in a publisher choosing to end the subscription.

"subscription-suspended" This notification indicates that a publisher has suspended the sending of event records to a receiver and also indicates the possible loss of events. Suspension happens when capacity constraints stop a publisher from serving a valid subscription. The two conditions where this is possible are:

1. "insufficient-resources", when a publisher is unable to produce the requested event stream of notification messages, and
2. "unsupportable-volume", when the bandwidth needed to get generated notification messages to a receiver exceeds a threshold.

These conditions are encoded in the "reason" object. No further notifications will be sent until the subscription resumes or is terminated. Below is a tree diagram for "subscription-suspended". All objects contained in this tree are described in the YANG module in Section 4.

"subscription-resumed" This notification indicates that a previously suspended subscription has been resumed under the unmodified terms previously in place. Subscribed event records generated after the issuance of this subscription state change notification may now be sent. Below is a tree diagram for "subscription-resumed". All objects contained in this tree are described in the YANG module in Section 4.

"subscription-completed" This notification indicates that a subscription that includes a "stop-time" has successfully finished passing event records upon reaching that time. Below is a tree diagram for "subscription-completed". All objects contained in this tree are described in the YANG module in Section 4.

"replay-completed" This notification indicates that all of the event records prior to the current time have been passed to a receiver. It is sent before any notification messages containing an event record with a timestamp later than (1) the "stop-time" or (2) the subscription's start time. If a subscription does not contain a "stop-time" or has a "stop-time" that has not been reached, then after the "replay-completed" notification has been sent, additional event records will be sent in sequence as they arise naturally on the publisher. Below is a tree diagram for "replay-completed". All objects contained in this tree are described in the YANG module in Section 4.

Subscription Monitoring In the operational state datastore, the "subscriptions" container maintains the state of all dynamic subscriptions as well as all configured subscriptions. Using datastore retrieval operations or subscribing to the "subscriptions" container (Section 3.3) allows the state of subscriptions and their connectivity to receivers to be monitored. Each subscription in the operational state datastore is represented as a list element. Included in this list are event counters for each receiver, the state of each receiver, and the subscription parameters currently in effect. The appearance of the leaf "configured- subscription-state" indicates that a particular subscription came into being via configuration. This leaf also indicates whether the current state of that subscription is "valid", "invalid", or "concluded". To understand the flow of event records in a subscription, there are two counters available for each receiver. The first counter is "sent-event-records", which shows the number of events identified for sending to a receiver. The second counter is "excluded-event- records", which shows the number of event records not sent to a receiver. "excluded-event-records" shows the combined results of both access control and per-subscription filtering. For configured subscriptions, counters are reset whenever the subscription's state is evaluated as "valid" (see (1) in Figure 8). Dynamic subscriptions are removed from the operational state datastore once they expire (reaching "stop-time") or when they are terminated. While many subscription objects are shown as configurable, dynamic subscriptions are only included in the operational state datastore and as a result are not configurable.

Support for the "ietf-subscribed-notifications" YANG Module Publishers supporting this document MUST indicate support of the YANG module "ietf-subscribed-notifications" in the YANG library of the publisher. In addition, if supported, the optional features "encode-xml", "encode-json", "configured", "supports-vrf", "qos", "xpath", "subtree", "interface-designation", "dscp", and "replay" MUST be indicated.

YANG Push Solution Overview (all from RFC 8641) This document specifies a solution that provides a subscription service for updates from a datastore. This solution supports dynamic as well as configured subscriptions to updates of datastore nodes. Subscriptions specify when notification messages (also referred to as "push updates") should be sent and what data to include in update records. Datastore node updates are subsequently pushed from the publisher to the receiver per the terms of the subscription.

Subscription Model YANG-Push subscriptions are defined using a YANG data model. This model enhances the subscription model defined in with capabilities that allow subscribers to subscribe to datastore node updates -- specifically, to specify the update triggers defining when to generate update records as well as what to include in an update record. Key enhancements include:

• The specification of selection filters that identify targeted YANG datastore nodes and/or datastore subtrees for which updates are to be pushed.
• The specification of update policies that contain conditions that trigger the generation and pushing of new update records. There are two types of subscriptions, distinguished by how updates are triggered:
  • For periodic subscriptions, the update trigger is specified by two parameters that define when updates are to be pushed. These parameters are (1) the period interval with which to report updates and (2) an "anchor-time", i.e., a reference point in time that can be used to calculate at which points in time periodic updates need to be assembled and sent.
  • For on-change subscriptions, an update trigger occurs whenever a change in the subscribed information is detected. The following additional parameters are included:
    • "dampening-period": In an on-change subscription, detected object changes should be sent as quickly as possible. However, it may be undesirable to send a rapid series of object changes. Such behavior has the potential to exhaust resources in the publisher or receiver. In order to protect against this type of scenario, a dampening period MAY be used to specify the interval that has to pass before successive update records for the same subscription are generated for a receiver. The dampening period collectively applies to the set of all datastore nodes selected by a single subscription. This means that when there is a change to one or more subscribed objects, an update record containing those objects is created immediately (when no dampening period is in effect) or at the end of a dampening period (when a dampening period is in fact in effect). If multiple changes to a single object occur during a dampening period, only the value that is in effect at the time when the update record is created is included. The dampening period goes into effect every time the assembly of an update record is completed.
    • "change-type": This parameter can be used to reduce the types of datastore changes for which updates are sent (e.g., you might only send an update when an object is created or deleted, but not when an object value changes).
    • "sync-on-start": This parameter defines whether or not a complete "push-update" (Section 3.7) of all subscribed data will be sent at the beginning of a subscription. Such early synchronization establishes the frame of reference for subsequent updates.
• An encoding (using anydata) for the contents of periodic and on-change push updates.

Negotiation of Subscription Policies A dynamic subscription request SHOULD be declined if a publisher determines that it may be unable to provide update records meeting the terms of an "establish-subscription" or "modify-subscription" RPC request. In this case, a subscriber may quickly follow up with a new RPC request using different parameters. Random guessing of different parameters by a subscriber is to be discouraged. Therefore, in order to minimize the number of subscription iterations between subscriber and publisher, a dynamic subscription supports a simple negotiation between subscribers and publishers for subscription parameters. This negotiation is in the form of supplemental information that should be inserted into error responses to a failed RPC request. This returned error response information, when considered, should increase the likelihood of success for subsequent RPC requests. Such hints include suggested periodic time intervals, acceptable dampening periods, and size estimates for the number of objects that would be returned from a proposed selection filter. However, there are no guarantees that subsequent requests that consider these hints will be accepted.

On-Change Considerations On-change subscriptions allow receivers to receive updates whenever changes to targeted objects occur. As such, on-change subscriptions are particularly effective for data that changes infrequently but for which applications need to be quickly notified, with minimal delay, whenever a change does occur. On-change subscriptions tend to be more difficult to implement than periodic subscriptions. Accordingly, on-change subscriptions may not be supported by all implementations or for every object. Whether or not to accept or reject on-change subscription requests when the scope of the subscription contains objects for which on-change is not supported is up to the publisher implementation. A publisher MAY accept an on-change subscription even when the scope of the subscription contains objects for which on-change is not supported. In that case, updates are sent only for those objects within the scope of the subscription that do support on-change updates, whereas other objects are excluded from update records, even if their values change. In order for a subscriber to determine whether objects support on-change subscriptions, objects are marked accordingly on a publisher. Accordingly, when subscribing, it is the responsibility of the subscriber to ensure that it is aware of which objects support on-change and which do not. For more on how objects are so marked, see Section 3.10. Alternatively, a publisher MAY decide to simply reject an on-change subscription if the scope of the subscription contains objects for which on-change is not supported. In the case of a configured subscription, the publisher MAY suspend the subscription. To avoid flooding receivers with repeated updates for subscriptions containing fast-changing objects or objects with oscillating values, an on-change subscription allows for the definition of a dampening period. Once an update record for a given object is generated, no other updates for this particular subscription will be created until the end of the dampening period. Values sent at the end of the dampening period are the values that are current at the end of the dampening period of all changed objects. Changed objects include those objects that were deleted or newly created during that dampening period. If an object has returned to its original value (or even has been created and then deleted) during the dampening period, that value (and not the interim change) will still be sent. This will indicate that churn is occurring on that object. On-change subscriptions can be refined to let users subscribe only to certain types of changes. For example, a subscriber might only want object creations and deletions, but not modifications of object values. Putting it all together, the conceptual process for creating an update record as part of an on-change subscription is as follows:

1. Just before a change, or at the start of a dampening period, evaluate any filtering and any access control rules to ensure that a receiver is authorized to view all subscribed datastore nodes (filtering out any nodes for which this is not the case). The result is a set "A" of datastore nodes and subtrees.
2. Just after a change, or at the end of a dampening period, evaluate any filtering and any (possibly new) access control rules. The result is a set "B" of datastore nodes and subtrees.
3. Construct an update record, which takes the form of a YANG Patch record [RFC8072] for going from A to B.
4. If there were any changes made between A and B that canceled each other out, insert into the YANG Patch record the last change made, even if the new value is no different from the original value (since changes that were made in the interim were canceled out). If the changes involve creating a new datastore node and then deleting it, the YANG Patch record will indicate the deletion of the datastore node. Similarly, if the changes involve deleting a new datastore node and then recreating it, the YANG Patch record will indicate the creation of the datastore node.
5. If the resulting YANG Patch record is non-empty, send it to the receiver.

Note: In cases where a subscriber wants to have separate dampening periods for different objects, the subscriber has the option to create multiple subscriptions with different selection filters.

Reliability Considerations A subscription to updates from a datastore is intended to obviate the need for polling. However, in order to do so, it is critical that subscribers can rely on the subscription and have confidence that they will indeed receive the subscribed updates without having to worry about updates being silently dropped. In other words, a subscription constitutes a promise on the side of the publisher to provide the receivers with updates per the terms of the subscription. Now, there are many reasons why a publisher may at some point no longer be able to fulfill the terms of the subscription, even if the subscription had been initiated in good faith. For example, the volume of datastore nodes may be larger than anticipated, the interval may prove too short to send full updates in rapid succession, or an internal problem may prevent objects from being collected. For this reason, the solution defined in this document (1) mandates that a publisher notify receivers immediately and reliably whenever it encounters a situation in which it is unable to keep the terms of the subscription and (2) provides the publisher with the option to suspend the subscription in such a case. This includes indicating the fact that an update is incomplete as part of a "push-update" or "push-change-update" notification, as well as emitting a "subscription-suspended" notification as applicable. This is described further in Section 3.11.1. A publisher SHOULD reject a request for a subscription if it is unlikely that the publisher will be able to fulfill the terms of that subscription request. In such cases, it is preferable to have a subscriber request a less resource-intensive subscription than to deal with frequently degraded behavior. The solution builds on . As defined therein, any loss of an underlying transport connection will be detected and result in subscription termination (in the case of dynamic subscriptions) or suspension (in the case of configured subscriptions), ensuring that situations where the loss of update notifications would go unnoticed will not occur.

Data Encodings

Periodic Subscriptions In a periodic subscription, the data included as part of an update record corresponds to data that could have been read using a retrieval operation.

On-Change Subscriptions In an on-change subscription, update records need to indicate not only values of changed datastore nodes but also the types of changes that occurred since the last update. Therefore, encoding rules for data in on-change updates will generally follow YANG Patch operations as specified in [RFC8072]. The YANG Patch operations will describe what needs to be applied to the earlier state reported by the preceding update in order to result in the now-current state. Note that objects referred to in an update are not limited to configuration data but can include any objects (including operational data), whereas [RFC8072] patches apply only to configuration data in configuration datastores. A publisher indicates the type of change to a datastore node using the different YANG Patch operations: the "create" operation is used for newly created objects (except entries in a user-ordered list), the "delete" operation is used for deleted objects (including in user-ordered lists), the "replace" operation is used when only the object value changes, the "insert" operation is used when a new entry is inserted in a list, and the "move" operation is used when an existing entry in a user-ordered list is moved. However, a patch must be able to do more than just describe the delta from the previous state to the current state. As per Section 3.3, it must also be able to identify whether transient changes have occurred on an object during a dampening period. To support this, it is valid to encode a YANG Patch operation so that its application would result in no change between the previous state and the current state. This indicates that some churn has occurred on the object. An example of this would be a patch that indicates a "create" operation for a datastore node where the receiver believes one already exists or a "replace" operation that replaces a previous value with the same value. Note that this means that the "create" and "delete" errors as described in [RFC8072], Section 2.5 are not errors in the case of YANG-Push (i.e., they are considered valid operations for YANG-Push).

Defining the Selection with a Datastore A subscription must specify both the selection filters and the datastore against which these selection filters will be applied. This information is used to choose and subsequently push data from the publisher's datastore to the receivers. Only a single selection filter can be applied to a subscription at a time. An RPC request proposing a new selection filter replaces any existing filter. The following selection filter types are included in the YANG-Push data model and may be applied against a datastore:

• subtree: A subtree selection filter identifies one or more datastore subtrees. When specified, update records will only come from the datastore nodes of selected datastore subtree(s). The syntax and semantics correspond to those specified in [RFC6241], Section 6.
• xpath: An "xpath" selection filter is an XPath expression that returns a node set. (XPath is a query language for selecting nodes in an XML document; see [XPATH] for details.) When specified, updates will only come from the selected datastore nodes.

These filters are intended to be used as selectors that define which objects are within the scope of a subscription. A publisher MUST support at least one type of selection filter. XPath itself provides powerful filtering constructs, and care must be used in filter definition. Consider an XPath filter that only passes a datastore node when an interface is up. It is up to the receiver to understand the implications of the presence or absence of objects in each update. When the set of selection-filtering criteria is applied for a periodic subscription, these criteria are applied whenever a periodic update record is constructed, and only datastore nodes that pass the filter and to which a receiver has access are provided to that receiver. If the same filtering criteria are applied to an on-change subscription, only the subset of those datastore nodes supporting on-change is provided. A datastore node that doesn't support on-change is never sent as part of an on-change subscription's "push-update" or "push-change-update" (Section 3.7).

Streaming Updates Contrary to traditional data retrieval requests, datastore subscription enables an unbounded series of update records to be streamed over time. Two generic YANG notifications for update records have been defined for this scenario: "push-update" and "push-change-update". A "push-update" notification defines a complete, filtered update of the datastore per the terms of a subscription. This type of YANG notification is used for continuous updates of periodic subscriptions. A "push-update" notification can also be used for the on-change subscriptions in two cases. First, it MUST be used as the initial "push-update" if there is a need to synchronize the receiver at the start of a new subscription. Second, it MAY be sent if the publisher later chooses to resync an on-change subscription. The "push-update" update record contains an instantiated datastore subtree with all of the subscribed contents. The content of the update record is equivalent to the contents that would be obtained had the same data been explicitly retrieved using a datastore retrieval operation using the same transport with the same filters applied. A "push-change-update" notification is the most common type of update for on-change subscriptions. The update record in this case contains the set of changes that datastore nodes have undergone since the last notification message. In other words, this indicates which datastore nodes have been created, have been deleted, or have had changes to their values. In cases where multiple changes have occurred over the course of a dampening period and the object has not been deleted, the object's most current value is reported. (In other words, for each object, only one change is reported, not its entire history. Doing so would defeat the purpose of the dampening period.) "push-update" and "push-change-update" are encoded and placed in notification messages and are ultimately queued for egress over the specified transport. Figure 1 provides an example of a notification message for a subscription tracking the operational status of a single Ethernet interface (per ). This notification message is encoded XML W3C.REC-xml-20081126 over the Network Configuration Protocol (NETCONF) as per RFC8640. 2017-10-25T08:00:11.22Z 1011 eth0 up Figure 1: Push Example ]]> Figure 2 provides an example of an on-change notification message for the same subscription. 2017-10-25T08:22:33.44Z 89 0 edit1 replace /ietf-interfaces:interfaces eth0 down Figure 2: Push Example for an On-Change Notification Message ]]> Of note in the above example is the "patch-id" with a value of "0". Per [RFC8072], the "patch-id" is an arbitrary string. With YANG-Push, the publisher SHOULD put into the "patch-id" a counter starting at "0" that increments with every "push-change-update" generated for a subscription. If used as a counter, this counter MUST be reset to "0" any time a resynchronization occurs (i.e., with the sending of a "push-update"). Also, if used as a counter, the counter MUST be reset to "0" after passing a maximum value of "4294967295" (i.e., the maximum value that can be represented using the uint32 data type). Such a mechanism allows easy identification of lost or out-of-sequence update records.

Subscription Management The RPCs defined in have been enhanced to support datastore subscription negotiation. Also, new error codes have been added that are able to indicate why a datastore subscription attempt has failed, along with new yang-data that MAY be used to include details on input parameters that might result in a successful subsequent RPC invocation. The establishment or modification of a datastore subscription can be rejected for multiple reasons, including a subtree request that is too large or the inability of the publisher to push update records as frequently as requested. In such cases, no subscription is established. Instead, a subscription result that includes the reason for the failure is returned as part of the RPC response. As part of this response, a set of alternative subscription parameters MAY be returned that would likely have resulted in acceptance of the subscription request. The subscriber may consider including such parameters in future subscription attempts. In the case of a rejected request for establishment of a datastore subscription, if there are hints, the hints SHOULD be transported in a yang-data "establish-subscription-datastore-error-info" container inserted into the RPC error response, in lieu of the "establish- subscription-stream-error-info" that is inserted in the case of a stream subscription. Figure 3 shows a tree diagram for "establish-subscription-datastore- error-info". All tree diagrams used in this document follow the notation defined in . Similarly, in the case of a rejected request for modification of a datastore subscription, if there are hints, the hints SHOULD be transported in a yang-data "modify-subscription-datastore-error-info" container inserted into the RPC error response, in lieu of the "modify-subscription-stream-error-info" that is inserted in the case of a stream subscription. Figure 4 shows a tree diagram for "modify-subscription-datastore- error-info".

Receiver Authorization A receiver of subscription data MUST only be sent updates for which it has proper authorization. A publisher MUST ensure that no unauthorized data is included in push updates. To do so, it needs to apply all corresponding checks applicable at the time of a specific pushed update and, if necessary, silently remove any unauthorized data from datastore subtrees. This enables YANG data that is pushed based on subscriptions to be authorized in a way that is equivalent to a regular data retrieval ("get") operation. Each "push-update" and "push-change-update" MUST have access control applied, as depicted in Figure 5. This includes validating that read access is permitted for any new objects selected since the last notification message was sent to a particular receiver. A publisher MUST silently omit data nodes from the results that the client is not authorized to see. To accomplish this, implementations SHOULD apply the conceptual authorization model of , specifically Section 3.2.4, extended to apply analogously to data nodes included in notifications, not just <rpc-reply> messages sent in response to <get> and <get-config> requests. | datastore node | yes | add datastore node | push-change-update | access allowed? | ---> | to update record | +-----------------+ +--------------------+ Figure 5: Access Control for Push Updates ]]> A publisher MUST allow for the possibility that a subscription's selection filter references nonexistent data or data that a receiver is not allowed to access. Such support permits a receiver the ability to monitor the entire lifecycle of some datastore tree without needing to explicitly enumerate every individual datastore node. If, after access control has been applied, there are no objects remaining in an update record, then the effect varies given if the subscription is a periodic or on-change subscription. For a periodic subscription, an empty "push-update" notification MUST be sent, so that clients do not get confused into thinking that an update was lost. For an on-change subscription, a "push-update" notification MUST NOT be sent, so that clients remain unaware of changes made to nodes they don't have read-access for. By the same token, changes to objects that are filtered MUST NOT affect any dampening intervals. A publisher MAY choose to reject an "establish-subscription" request that selects nonexistent data or data that a receiver is not allowed to access. The error identity "unchanging-selection" SHOULD be returned as the reason for the rejection. In addition, a publisher MAY choose to terminate a dynamic subscription or suspend a configured receiver when the authorization privileges of a receiver change or the access controls for subscribed objects change. In that case, the publisher SHOULD include the error identity "unchanging- selection" as the reason when sending the "subscription-terminated" or "subscription-suspended" notification, respectively. Such a capability enables the publisher to avoid having to support continuous and total filtering of a subscription's content for every update record. It also reduces the possibility of leakage of access-controlled objects. If read access into previously accessible nodes has been lost due to a receiver permissions change, this SHOULD be reported as a patch "delete" operation for on-change subscriptions. If not capable of handling such receiver permission changes with such a "delete", publisher implementations MUST force dynamic subscription re-establishment or configured subscription reinitialization so that appropriate filtering is installed.

On-Change Notifiable Datastore Nodes In some cases, a publisher supporting on-change notifications may not be able to push on-change updates for some object types. Reasons for this might be that the value of the datastore node changes frequently (e.g., the in-octets counter as defined in ), small object changes are frequent and meaningless (e.g., a temperature gauge changing 0.1 degrees), or the implementation is not capable of on-change notification for a particular object. In those cases, it will be important for client applications to have a way to identify for which objects on-change notifications are supported and for which ones they are not supported. Otherwise, client applications will have no way of knowing whether they can indeed rely on their on-change subscription to provide them with the change updates that they are interested in. In other words, if implementations do not provide a solution and do not support comprehensive on-change notifiability, clients of those implementations will have no way of knowing what their on-change subscription actually covers. Implementations are therefore strongly advised to provide a solution to this problem. One solution might involve making discoverable to clients which objects are on-change notifiable, specified using another YANG data model. Such a solution is specified in Yang-Push-Notif-Cap. Until this solution is standardized, implementations SHOULD provide their own solution.

Other Considerations

Robustness and Reliability It is important that updates as discussed in this document, and on-change updates in particular, do not get lost. If the loss of an update is unavoidable, it is critical that the receiver be notified accordingly. Update records for a single subscription MUST NOT be resequenced prior to transport. It is conceivable that, under certain circumstances, a publisher will recognize that it is unable to include in an update record the full set of objects desired per the terms of a subscription. In this case, the publisher MUST act as follows:

• The publisher MUST set the "incomplete-update" flag on any update record that is known to be missing information.
• The publisher MAY choose to suspend the subscription as per . If the publisher does not create an update record at all, it MUST suspend the subscription.
• When resuming an on-change subscription, the publisher SHOULD generate a complete patch from the previous update record. If this is not possible and the "sync-on-start" option is set to "true" for the subscription, then the full datastore contents MAY be sent via a "push-update" instead (effectively replacing the previous contents). If neither scenario above is possible, then an "incomplete-update" flag MUST be included on the next "push-change-update".

Note: It is perfectly acceptable to have a series of "push-change- update" notifications (and even "push-update" notifications) serially queued at the transport layer awaiting transmission. It is not required for the publisher to merge pending update records sent at the same time. On the receiver side, what action to take when a record with an "incomplete-update" flag is received depends on the application. It could simply choose to wait and do nothing. It could choose to resync, actively retrieving all subscribed information. It could also choose to tear down the subscription and start a new one, perhaps with a smaller scope that contains fewer objects.

Publisher Capacity It is far preferable to decline a subscription request than to accept such a request when it cannot be met. Whether or not a subscription can be supported will be determined by a combination of several factors, such as the subscription update trigger (on-change or periodic), the period in which to report changes (one-second periods will consume more resources than one-hour periods), the amount of data in the datastore subtree that is being subscribed to, and the number and combination of other subscriptions that are concurrently being serviced.

Subscription State Change Notifications

YANG Data Model Tree Diagrams (from RFC 8639) This section contains tree diagrams for nodes defined in Section 4. For tree diagrams of subscription state change notifications, see Section 2.7. For the tree diagrams for the RPCs, see Section 2.4.

The "streams" Container A publisher maintains a list of available event streams as operational data. This list contains both standardized and vendor-specific event streams. This enables subscribers to discover what streams a publisher supports. Below is a tree diagram for the "streams" container. All objects contained in this tree are described in the YANG module in Section 4.

The "filters" Container The "filters" container maintains a list of all subscription filters that persist outside the lifecycle of a single subscription. This enables predefined filters that may be referenced by more than one subscription. Below is a tree diagram for the "filters" container. All objects contained in this tree are described in the YANG module in Section 4. {subtree}? +--:(stream-xpath-filter) +--rw stream-xpath-filter? yang:xpath1.0 {xpath}? Figure 19: "filters" Container Tree Diagram ]]>

The "subscriptions" Container The "subscriptions" container maintains a list of all subscriptions on a publisher, both configured and dynamic. It can be used to retrieve information about the subscriptions that a publisher is serving. Below is a tree diagram for the "subscriptions" container. All objects contained in this tree are described in the YANG module in Section 4. | | | {subtree}? | | +--:(stream-xpath-filter) | | +--rw stream-xpath-filter? | | yang:xpath1.0 {xpath}? | +--rw stream stream-ref | +--ro replay-start-time? | | yang:date-and-time {replay}? | +--rw configured-replay? empty | {configured,replay}? +--rw stop-time? | yang:date-and-time +--rw dscp? inet:dscp | {dscp}? +--rw weighting? uint8 {qos}? +--rw dependency? | subscription-id {qos}? +--rw transport? transport | {configured}? +--rw encoding? encoding +--rw purpose? string | {configured}? +--rw (notification-message-origin)? {configured}? | +--:(interface-originated) | | +--rw source-interface? | | if:interface-ref {interface-designation}? | +--:(address-originated) | +--rw source-vrf? | | -> /ni:network-instances/network-instance/name | | {supports-vrf}? | +--rw source-address? | inet:ip-address-no-zone +--ro configured-subscription-state? enumeration | {configured}? +--rw receivers +--rw receiver* [name] +--rw name string +--ro sent-event-records? | yang:zero-based-counter64 +--ro excluded-event-records? | yang:zero-based-counter64 +--ro state enumeration +---x reset {configured}? +--ro output +--ro time yang:date-and-time Figure 20: "subscriptions" Container Tree Diagram ]]>

A YANG Data Model for Management of Datastore Push Subscriptions (from RFC 8641)

Overview The YANG data model for datastore push subscriptions is depicted in Figures 6 through 9. The tree diagram that is used follows the notation defined in . New schema objects defined here (i.e., beyond those from ) are identified with "yp". For the reader's convenience, in order to compact the tree representation, some nodes that are defined in the ietf-subscribed- notifications YANG module and therefore are not essential to the understanding of the data model defined here have been removed. This is indicated by "..." in the diagram where applicable. Because the tree diagram is quite large, its depiction is broken up into four figures. Figure 6 depicts the augmentations that are introduced in YANG module ietf-yang-push to the subscription configuration specified in YANG module ietf-subscribed-notifications. | | {sn:subtree}? | +--:(yp:datastore-xpath-filter) | +--rw yp:datastore-xpath-filter? yang:xpath1.0 | {sn:xpath}? +--rw subscriptions +--rw subscription* [id] | ... +--rw (target) | +--:(stream) | | ... | +--:(yp:datastore) | +--rw yp:datastore identityref | +--rw (yp:selection-filter)? | +--:(yp:by-reference) | | +--rw yp:selection-filter-ref | | selection-filter-ref | +--:(yp:within-subscription) | +--rw (yp:filter-spec)? | +--:(yp:datastore-subtree-filter) | | +--rw yp:datastore-subtree-filter? | | {sn:subtree}? | +--:(yp:datastore-xpath-filter) | +--rw yp:datastore-xpath-filter? | yang:xpath1.0 {sn:xpath}? | ... +--rw (yp:update-trigger) +--:(yp:periodic) | +--rw yp:periodic! | +--rw yp:period centiseconds | +--rw yp:anchor-time? yang:date-and-time +--:(yp:on-change) {on-change}? +--rw yp:on-change! +--rw yp:dampening-period? centiseconds +--rw yp:sync-on-start? boolean +--rw yp:excluded-change* change-type Figure 6: Data Model Structure: Subscription Configuration ]]> Figure 7 depicts the augmentations of YANG module ietf-yang-push made to RPCs specified in YANG module ietf-subscribed-notifications . Specifically, these augmentations concern the "establish- subscription" and "modify-subscription" RPCs, which are augmented with parameters that are needed to specify datastore push subscriptions. {sn:subtree}? | | | +--:(yp:datastore-xpath-filter) | | | +---w yp:datastore-xpath-filter? | | | yang:xpath1.0 {sn:xpath}? | | | ... | | +---w (yp:update-trigger) | | +--:(yp:periodic) | | | +---w yp:periodic! | | | +---w yp:period centiseconds | | | +---w yp:anchor-time? yang:date-and-time | | +--:(yp:on-change) {on-change}? | | +---w yp:on-change! | | +---w yp:dampening-period? centiseconds | | +---w yp:sync-on-start? boolean | | +---w yp:excluded-change* change-type | +--ro output | +--ro id subscription-id | +--ro replay-start-time-revision? yang:date-and-time | {replay}? +---x modify-subscription | +---w input | ... | +---w (target) | | ... | | +--:(yp:datastore) | | +---w yp:datastore identityref | | +---w (yp:selection-filter)? | | +--:(yp:by-reference) | | | +---w yp:selection-filter-ref | | | selection-filter-ref | | +--:(yp:within-subscription) | | +---w (yp:filter-spec)? | | +--:(yp:datastore-subtree-filter) | | | +---w yp:datastore-subtree-filter? | | | {sn:subtree}? | | +--:(yp:datastore-xpath-filter) | | +---w yp:datastore-xpath-filter? | | yang:xpath1.0 {sn:xpath}? | | ... | +---w (yp:update-trigger) | +--:(yp:periodic) | | +---w yp:periodic! | | +---w yp:period centiseconds | | +---w yp:anchor-time? yang:date-and-time | +--:(yp:on-change) {on-change}? | +---w yp:on-change! | +---w yp:dampening-period? centiseconds +---x delete-subscription | ... +---x kill-subscription ... yang-data (for placement into RPC error responses) ... Figure 7: Data Model Structure: RPCs ]]> Figure 8 depicts augmentations of YANG module ietf-yang-push to the notifications that are specified in YANG module ietf-subscribed- notifications. The augmentations allow the inclusion of subscription configuration parameters that are specific to datastore push subscriptions as part of "subscription-started" and "subscription- modified" notifications. {sn:subtree}? | | +--:(yp:datastore-xpath-filter) | | +--ro yp:datastore-xpath-filter? | | yang:xpath1.0 {sn:xpath}? | ... | +--ro (yp:update-trigger) | +--:(yp:periodic) | | +--ro yp:periodic! | | +--ro yp:period centiseconds | | +--ro yp:anchor-time? yang:date-and-time | +--:(yp:on-change) {on-change}? | +--ro yp:on-change! | +--ro yp:dampening-period? centiseconds | +--ro yp:sync-on-start? boolean | +--ro yp:excluded-change* change-type +---n subscription-resumed | ... +---n subscription-modified | ... | +--ro (target) | | | ... | | +--:(yp:datastore) | | +--ro yp:datastore identityref | | +--ro (yp:selection-filter)? | | +--:(yp:by-reference) | | | +--ro yp:selection-filter-ref | | | selection-filter-ref | | +--:(yp:within-subscription) | | +--ro (yp:filter-spec)? | | +--:(yp:datastore-subtree-filter) | | | +--ro yp:datastore-subtree-filter? | | | {sn:subtree}? | | +--:(yp:datastore-xpath-filter) | | +--ro yp:datastore-xpath-filter? | | yang:xpath1.0 {sn:xpath}? | ... | +--ro (yp:update-trigger)? | +--:(yp:periodic) | | +--ro yp:periodic! | | +--ro yp:period centiseconds | | +--ro yp:anchor-time? yang:date-and-time | +--:(yp:on-change) {on-change}? | +--ro yp:on-change! | +--ro yp:dampening-period? centiseconds | +--ro yp:sync-on-start? boolean | +--ro yp:excluded-change* change-type +---n subscription-terminated | ... +---n subscription-suspended ... Figure 8: Data Model Structure: Notifications ]]> Finally, Figure 9 depicts the parts of YANG module ietf-yang-push that are newly introduced in this document (i.e., that are not simply augmentations of another YANG module). | +--ro incomplete-update? empty +---n push-change-update {on-change}? +--ro id? sn:subscription-id +--ro datastore-changes | +--ro yang-patch | +--ro patch-id string | +--ro comment? string | +--ro edit* [edit-id] | +--ro edit-id string | +--ro operation enumeration | +--ro target target-resource-offset | +--ro point? target-resource-offset | +--ro where? enumeration | +--ro value? +--ro incomplete-update? empty Figure 9: Data Model Structure: Non-augmentation Portions ]]> Selected components of the data model are summarized below.

Subscription Configuration Both configured and dynamic subscriptions are represented in the list "subscription". New parameters extending the basic subscription data model in include:

• The targeted datastore from which the selection is being made. The potential datastores include those from . A platform may also choose to support a custom datastore.
• A selection filter identifying YANG nodes of interest in a datastore. Filter contents are specified via a reference to an existing filter or via an in-line definition for only that subscription. Referenced filters allow an implementation to avoid evaluating filter acceptability during a dynamic subscription request. The "case" statement differentiates the options.
• For periodic subscriptions, triggered updates will occur at the boundaries of a specified time interval. These boundaries can be calculated from the periodic parameters:
  • a "period" that defines the duration between push updates.
  • an "anchor-time"; update intervals fall on the points in time that are a multiple of a "period" from an "anchor-time". If an "anchor-time" is not provided, then the "anchor-time" MUST be set with the creation time of the initial update record.
• For on-change subscriptions, assuming that any dampening period has completed, triggering occurs whenever a change in the subscribed information is detected. On-change subscriptions have more-complex semantics that are guided by their own set of parameters:
  • a "dampening-period" that specifies the interval that must pass before a successive update for the subscription is sent. If no dampening period is in effect, the update is sent immediately. If a subsequent change is detected, another update is only sent once the dampening period has passed for this subscription.
  • an "excluded-change" that allows the restriction of the types of changes for which updates should be sent (e.g., only add to an update record on object creation).
  • a "sync-on-start" that specifies whether a complete update with all the subscribed data is to be sent at the beginning of a subscription.

YANG Notifications

State Change Notifications Subscription state notifications and mechanisms are reused from . Notifications "subscription-started" and "subscription- modified" have been augmented to include the datastore-specific objects.

Notifications for Subscribed Content Along with the subscribed content, there are other objects that might be part of a "push-update" or "push-change-update" notification.

• An "id" (that identifies the subscription). This object MUST be transported along with the subscribed contents. It allows a receiver to determine which subscription resulted in a particular update record.
• An "incomplete-update" leaf. This leaf indicates that not all changes that have occurred since the last update are actually included with this update. In other words, the publisher has failed to fulfill its full subscription obligations. (For example, a datastore was unable to provide the full set of datastore nodes to a publisher process.) To facilitate the resynchronization of on-change subscriptions, a publisher MAY subsequently send a "push-update" containing a full selection snapshot of subscribed data.

YANG RPCs YANG-Push subscriptions are established, modified, and deleted using RPCs augmented from .

"establish-subscription" RPC The subscriber sends an "establish-subscription" RPC with the parameters listed in Section 3.1. An example might look like: ds:operational /ex:foo 500 Figure 10: "establish-subscription" RPC ]]> A positive response includes the "id" of the accepted subscription. In that case, a publisher may respond as follows: 52 Figure 11: "establish-subscription" Positive RPC Response ]]> A subscription can be rejected for multiple reasons, including the lack of authorization to establish a subscription, no capacity to serve the subscription at the publisher, or the inability of the publisher to select datastore content at the requested cadence. If a request is rejected because the publisher is not able to serve it, the publisher SHOULD include in the returned error hints that help a subscriber understand what subscription parameters might have been accepted for the request. These hints would be included in the yang-data structure "establish-subscription-error-datastore". However, even with these hints, there are no guarantees that subsequent requests will in fact be accepted. The specific parameters to be returned as part of the RPC error response depend on the specific transport that is used to manage the subscription. For NETCONF, those parameters are defined in [RFC8640]. For example, for the following NETCONF request: ds:operational /ex:foo 100 Figure 12: "establish-subscription" Request: Example 2 ]]> A publisher that cannot serve on-change updates but can serve periodic updates might return the following NETCONF response: application operation-failed error /yp:periodic/yp:period yp:on-change-unsupported Figure 13: "establish-subscription" Error Response: Example 2 ]]>

"modify-subscription" RPC The subscriber MAY invoke the "modify-subscription" RPC for a subscription it previously established. The subscriber will include newly desired values in the "modify-subscription" RPC. Parameters not included MUST remain unmodified. Figure 14 provides an example where a subscriber attempts to modify the period and datastore XPath filter of a subscription using NETCONF. 1011 ds:operational /ex:bar 250 Figure 14: "modify-subscription" Request ]]> The publisher MUST respond to the subscription modification request. If the request is rejected, the existing subscription is left unchanged, and the publisher MUST send an RPC error response. This response might have hints encapsulated in the yang-data structure "modify-subscription-error-datastore". A subscription MAY be modified multiple times. The specific parameters to be returned as part of the RPC error response depend on the specific transport that is used to manage the subscription. For NETCONF, those parameters are specified in [RFC8640]. A configured subscription cannot be modified using a "modify-subscription" RPC. Instead, the configuration needs to be edited as needed.

"delete-subscription" RPC To stop receiving updates from a subscription and effectively delete a subscription that had previously been established using an "establish-subscription" RPC, a subscriber can send a "delete-subscription" RPC, which takes as its only input the subscription's "id". This RPC is unmodified from .

"resync-subscription" RPC This RPC is supported only for on-change subscriptions previously established using an "establish-subscription" RPC. For example: 1011 Figure 15: "resync-subscription" ]]> On receipt, a publisher must either (1) accept the request and quickly follow with a "push-update" or (2) send an appropriate error in an RPC error response. In its error response, the publisher MAY include, in the yang-data structure "resync-subscription-error", supplemental information about the reasons for the error.

YANG Module Synchronization To make subscription requests, the subscriber needs to know the YANG datastore schemas used by the publisher. These schemas are available in the YANG library module ietf-yang-library.yang as defined in [RFC8525]. The receiver is expected to know the YANG library information before starting a subscription. The set of modules, revisions, features, and deviations can change at runtime (if supported by the publisher implementation). For this purpose, the YANG library provides a simple "yang-library-change" notification that informs the subscriber that the library has changed. In this case, a subscription may need to be updated to take the updates into account. The receiver may also need to be informed of module changes in order to process updates regarding datastore nodes from changed modules correctly.

YANG Model RFC 8639: This module imports typedefs from [RFC6991], , , [RFC8529], and [RFC8040]. It references [RFC6241], [XPATH] ("XML Path Language (XPath) Version 1.0"), [RFC7049], [RFC8259], [RFC7950], [RFC7951], and [RFC7540]. RFC 8641: This YANG module imports typedefs from [RFC6991], identities from , the "yang-data" extension from [RFC8040], and the "yang-patch" grouping from [RFC8072]. In addition, it imports and augments many definitions from . It also references [RFC6241], [XPATH] ("XML Path Language (XPath) Version 1.0"), and [RFC7950].

YANG module ietf-subscribed-notifications WG List: Author: Alexander Clemm Author: Eric Voit Author: Alberto Gonzalez Prieto Author: Einar Nilsen-Nygaard Author: Ambika Prasad Tripathy "; description "This module defines a YANG data model for subscribing to event records and receiving matching content in notification messages. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2019 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8639; see the RFC itself for full legal notices."; revision 2019-09-09 { description "Initial version."; reference "RFC 8639: A YANG Data Model for Subscriptions to Event Notifications"; } /* * FEATURES */ feature configured { description "This feature indicates that configuration of subscriptions is supported."; } feature dscp { description "This feature indicates that a publisher supports the ability to set the Differentiated Services Code Point (DSCP) value in outgoing packets."; } feature encode-json { description "This feature indicates that JSON encoding of notification messages is supported."; } feature encode-xml { description "This feature indicates that XML encoding of notification messages is supported."; } feature interface-designation { description "This feature indicates that a publisher supports sourcing all receiver interactions for a configured subscription from a single designated egress interface."; } feature qos { description "This feature indicates that a publisher supports absolute dependencies of one subscription's traffic over another as well as weighted bandwidth sharing between subscriptions. Both of these are Quality of Service (QoS) features that allow differentiated treatment of notification messages between a publisher and a specific receiver."; } feature replay { description "This feature indicates that historical event record replay is supported. With replay, it is possible for past event records to be streamed in chronological order."; } feature subtree { description "This feature indicates support for YANG subtree filtering."; reference "RFC 6241: Network Configuration Protocol (NETCONF), Section 6"; } feature supports-vrf { description "This feature indicates that a publisher supports VRF configuration for configured subscriptions. VRF support for dynamic subscriptions does not require this feature."; reference "RFC 8529: YANG Data Model for Network Instances, Section 6"; } feature xpath { description "This feature indicates support for XPath filtering."; reference "XML Path Language (XPath) Version 1.0 (https://www.w3.org/TR/1999/REC-xpath-19991116)"; } /* * EXTENSIONS */ extension subscription-state-notification { description "This statement applies only to notifications. It indicates that the notification is a subscription state change notification. Therefore, it does not participate in a regular event stream and does not need to be specifically subscribed to in order to be received. This statement can only occur as a substatement of the YANG 'notification' statement. This statement is not for use outside of this YANG module."; } /* * IDENTITIES */ /* Identities for RPC and notification errors */ identity delete-subscription-error { description "Base identity for the problem found while attempting to fulfill either a 'delete-subscription' RPC request or a 'kill-subscription' RPC request."; } identity establish-subscription-error { description "Base identity for the problem found while attempting to fulfill an 'establish-subscription' RPC request."; } identity modify-subscription-error { description "Base identity for the problem found while attempting to fulfill a 'modify-subscription' RPC request."; } identity subscription-suspended-reason { description "Base identity for the problem condition communicated to a receiver as part of a 'subscription-suspended' notification."; } identity subscription-terminated-reason { description "Base identity for the problem condition communicated to a receiver as part of a 'subscription-terminated' notification."; } identity dscp-unavailable { base establish-subscription-error; if-feature "dscp"; description "The publisher is unable to mark notification messages with prioritization information in a way that will be respected during network transit."; } identity encoding-unsupported { base establish-subscription-error; description "Unable to encode notification messages in the desired format."; } identity filter-unavailable { base subscription-terminated-reason; description "Referenced filter does not exist. This means a receiver is referencing a filter that doesn't exist or to which it does not have access permissions."; } identity filter-unsupported { base establish-subscription-error; base modify-subscription-error; description "Cannot parse syntax in the filter. This failure can be from a syntax error or a syntax too complex to be processed by the publisher."; } identity insufficient-resources { base establish-subscription-error; base modify-subscription-error; base subscription-suspended-reason; description "The publisher does not have sufficient resources to support the requested subscription. An example might be that allocated CPU is too limited to generate the desired set of notification messages."; } identity no-such-subscription { base modify-subscription-error; base delete-subscription-error; base subscription-terminated-reason; description "Referenced subscription doesn't exist. This may be as a result of a nonexistent subscription ID, an ID that belongs to another subscriber, or an ID for a configured subscription."; } identity replay-unsupported { base establish-subscription-error; if-feature "replay"; description "Replay cannot be performed for this subscription. This means the publisher will not provide the requested historic information from the event stream via replay to this receiver."; } identity stream-unavailable { base subscription-terminated-reason; description "Not a subscribable event stream. This means the referenced event stream is not available for subscription by the receiver."; } identity suspension-timeout { base subscription-terminated-reason; description "Termination of a previously suspended subscription. The publisher has eliminated the subscription, as it exceeded a time limit for suspension."; } identity unsupportable-volume { base subscription-suspended-reason; description "The publisher does not have the network bandwidth needed to get the volume of generated information intended for a receiver."; } /* Identities for encodings */ identity configurable-encoding { description "If a transport identity derives from this identity, it means that it supports configurable encodings. An example of a configurable encoding might be a new identity such as 'encode-cbor'. Such an identity could use 'configurable-encoding' as its base. This would allow a dynamic subscription encoded in JSON (RFC 8259) to request that notification messages be encoded via the Concise Binary Object Representation (CBOR) (RFC 7049). Further details for any specific configurable encoding would be explored in a transport document based on this specification."; reference "RFC 8259: The JavaScript Object Notation (JSON) Data Interchange Format RFC 7049: Concise Binary Object Representation (CBOR)"; } identity encoding { description "Base identity to represent data encodings."; } identity encode-xml { base encoding; if-feature "encode-xml"; description "Encode data using XML as described in RFC 7950."; reference "RFC 7950: The YANG 1.1 Data Modeling Language"; } identity encode-json { base encoding; if-feature "encode-json"; description "Encode data using JSON as described in RFC 7951."; reference "RFC 7951: JSON Encoding of Data Modeled with YANG"; } /* Identities for transports */ identity transport { description "An identity that represents the underlying mechanism for passing notification messages."; } /* * TYPEDEFs */ typedef encoding { type identityref { base encoding; } description "Specifies a data encoding, e.g., for a data subscription."; } typedef stream-filter-ref { type leafref { path "/sn:filters/sn:stream-filter/sn:name"; } description "This type is used to reference an event stream filter."; } typedef stream-ref { type leafref { path "/sn:streams/sn:stream/sn:name"; } description "This type is used to reference a system-provided event stream."; } typedef subscription-id { type uint32; description "A type for subscription identifiers."; } typedef transport { type identityref { base transport; } description "Specifies the transport used to send notification messages to a receiver."; } /* * GROUPINGS */ grouping stream-filter-elements { description "This grouping defines the base for filters applied to event streams."; choice filter-spec { description "The content filter specification for this request."; anydata stream-subtree-filter { if-feature "subtree"; description "Event stream evaluation criteria encoded in the syntax of a subtree filter as defined in RFC 6241, Section 6. The subtree filter is applied to the representation of individual, delineated event records as contained in the event stream. If the subtree filter returns a non-empty node set, the filter matches the event record, and the event record is included in the notification message sent to the receivers."; reference "RFC 6241: Network Configuration Protocol (NETCONF), Section 6"; } leaf stream-xpath-filter { if-feature "xpath"; type yang:xpath1.0; description "Event stream evaluation criteria encoded in the syntax of an XPath 1.0 expression. The XPath expression is evaluated on the representation of individual, delineated event records as contained in the event stream. The result of the XPath expression is converted to a boolean value using the standard XPath 1.0 rules. If the boolean value is 'true', the filter matches the event record, and the event record is included in the notification message sent to the receivers. The expression is evaluated in the following XPath context: o The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the 'namespace' statement in the YANG module. If the leaf is encoded in XML, all namespace declarations in scope on the 'stream-xpath-filter' leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used. o The set of variable bindings is empty. o The function library is comprised of the core function library and the XPath functions defined in Section 10 in RFC 7950. o The context node is the root node."; reference "XML Path Language (XPath) Version 1.0 (https://www.w3.org/TR/1999/REC-xpath-19991116) RFC 7950: The YANG 1.1 Data Modeling Language, Section 10"; } } } grouping update-qos { description "This grouping describes QoS information concerning a subscription. This information is passed to lower layers for transport prioritization and treatment."; leaf dscp { if-feature "dscp"; type inet:dscp; default "0"; description "The desired network transport priority level. This is the priority set on notification messages encapsulating the results of the subscription. This transport priority is shared for all receivers of a given subscription."; } leaf weighting { if-feature "qos"; type uint8 { range "0 .. 255"; } description "Relative weighting for a subscription. Larger weights get more resources. Allows an underlying transport layer to perform informed load-balance allocations between various subscriptions."; reference "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2), Section 5.3.2"; } leaf dependency { if-feature "qos"; type subscription-id; description "Provides the 'subscription-id' of a parent subscription. The parent subscription has absolute precedence should that parent have push updates ready to egress the publisher. In other words, there should be no streaming of objects from the current subscription if the parent has something ready to push. If a dependency is asserted via configuration or via an RPC but the referenced 'subscription-id' does not exist, the dependency is silently discarded. If a referenced subscription is deleted, this dependency is removed."; reference "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2), Section 5.3.1"; } } grouping subscription-policy-modifiable { description "This grouping describes all objects that may be changed in a subscription."; choice target { mandatory true; description "Identifies the source of information against which a subscription is being applied as well as specifics on the subset of information desired from that source."; case stream { choice stream-filter { description "An event stream filter can be applied to a subscription. That filter will either come referenced from a global list or be provided in the subscription itself."; case by-reference { description "Apply a filter that has been configured separately."; leaf stream-filter-name { type stream-filter-ref; mandatory true; description "References an existing event stream filter that is to be applied to an event stream for the subscription."; } } case within-subscription { description "A local definition allows a filter to have the same lifecycle as the subscription."; uses stream-filter-elements; } } } } leaf stop-time { type yang:date-and-time; description "Identifies a time after which notification messages for a subscription should not be sent. If 'stop-time' is not present, the notification messages will continue until the subscription is terminated. If 'replay-start-time' exists, 'stop-time' must be for a subsequent time. If 'replay-start-time' doesn't exist, 'stop-time', when established, must be for a future time."; } } grouping subscription-policy-dynamic { description "This grouping describes the only information concerning a subscription that can be passed over the RPCs defined in this data model."; uses subscription-policy-modifiable { augment "target/stream" { description "Adds additional objects that can be modified by an RPC."; leaf stream { type stream-ref { require-instance false; } mandatory true; description "Indicates the event stream to be considered for this subscription."; } leaf replay-start-time { if-feature "replay"; type yang:date-and-time; config false; description "Used to trigger the 'replay' feature for a dynamic subscription, where event records that are selected need to be at or after the specified starting time. If 'replay-start-time' is not present, this is not a replay subscription and event record push should start immediately. It is never valid to specify start times that are later than or equal to the current time."; } } } uses update-qos; } grouping subscription-policy { description "This grouping describes the full set of policy information concerning both dynamic and configured subscriptions, with the exclusion of both receivers and networking information specific to the publisher, such as what interface should be used to transmit notification messages."; uses subscription-policy-dynamic; leaf transport { if-feature "configured"; type transport; description "For a configured subscription, this leaf specifies the transport used to deliver messages destined for all receivers of that subscription."; } leaf encoding { when 'not(../transport) or derived-from(../transport, "sn:configurable-encoding")'; type encoding; description "The type of encoding for notification messages. For a dynamic subscription, if not included as part of an 'establish-subscription' RPC, the encoding will be populated with the encoding used by that RPC. For a configured subscription, if not explicitly configured, the encoding will be the default encoding for an underlying transport."; } leaf purpose { if-feature "configured"; type string; description "Open text allowing a configuring entity to embed the originator or other specifics of this subscription."; } } /* * RPCs */ rpc establish-subscription { description "This RPC allows a subscriber to create (and possibly negotiate) a subscription on its own behalf. If successful, the subscription remains in effect for the duration of the subscriber's association with the publisher or until the subscription is terminated. If an error occurs or the publisher cannot meet the terms of a subscription, an RPC error is returned, and the subscription is not created. In that case, the RPC reply's 'error-info' MAY include suggested parameter settings that would have a higher likelihood of succeeding in a subsequent 'establish-subscription' request."; input { uses subscription-policy-dynamic; leaf encoding { type encoding; description "The type of encoding for the subscribed data. If not included as part of the RPC, the encoding MUST be set by the publisher to be the encoding used by this RPC."; } } output { leaf id { type subscription-id; mandatory true; description "Identifier used for this subscription."; } leaf replay-start-time-revision { if-feature "replay"; type yang:date-and-time; description "If a replay has been requested, this object represents the earliest time covered by the event buffer for the requested event stream. The value of this object is the 'replay-log-aged-time' if it exists. Otherwise, it is the 'replay-log-creation-time'. All buffered event records after this time will be replayed to a receiver. This object will only be sent if the starting time has been revised to be later than the time requested by the subscriber."; } } } rc:yang-data establish-subscription-stream-error-info { container establish-subscription-stream-error-info { description "If any 'establish-subscription' RPC parameters are unsupportable against the event stream, a subscription is not created and the RPC error response MUST indicate the reason why the subscription failed to be created. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure. This yang-data MUST be inserted if hints are to be provided back to the subscriber."; leaf reason { type identityref { base establish-subscription-error; } description "Indicates the reason why the subscription has failed to be created to a targeted event stream."; } leaf filter-failure-hint { type string; description "Information describing where and/or why a provided filter was unsupportable for a subscription. The syntax and semantics of this hint are implementation specific."; } } } rpc modify-subscription { description "This RPC allows a subscriber to modify a dynamic subscription's parameters. If successful, the changed subscription parameters remain in effect for the duration of the subscription, until the subscription is again modified, or until the subscription is terminated. In the case of an error or an inability to meet the modified parameters, the subscription is not modified and the original subscription parameters remain in effect. In that case, the RPC error MAY include 'error-info' suggested parameter hints that would have a high likelihood of succeeding in a subsequent 'modify-subscription' request. A successful 'modify-subscription' will return a suspended subscription to the 'active' state."; input { leaf id { type subscription-id; mandatory true; description "Identifier to use for this subscription."; } uses subscription-policy-modifiable; } } rc:yang-data modify-subscription-stream-error-info { container modify-subscription-stream-error-info { description "This yang-data MAY be provided as part of a subscription's RPC error response when there is a failure of a 'modify-subscription' RPC that has been made against an event stream. This yang-data MUST be used if hints are to be provided back to the subscriber."; leaf reason { type identityref { base modify-subscription-error; } description "Information in a 'modify-subscription' RPC error response that indicates the reason why the subscription to an event stream has failed to be modified."; } leaf filter-failure-hint { type string; description "Information describing where and/or why a provided filter was unsupportable for a subscription. The syntax and semantics of this hint are implementation specific."; } } } rpc delete-subscription { description "This RPC allows a subscriber to delete a subscription that was previously created by that same subscriber using the 'establish-subscription' RPC. If an error occurs, the server replies with an 'rpc-error' where the 'error-info' field MAY contain a 'delete-subscription-error-info' structure."; input { leaf id { type subscription-id; mandatory true; description "Identifier of the subscription that is to be deleted. Only subscriptions that were created using 'establish-subscription' from the same origin as this RPC can be deleted via this RPC."; } } } rpc kill-subscription { nacm:default-deny-all; description "This RPC allows an operator to delete a dynamic subscription without restrictions on the originating subscriber or underlying transport session. If an error occurs, the server replies with an 'rpc-error' where the 'error-info' field MAY contain a 'delete-subscription-error-info' structure."; input { leaf id { type subscription-id; mandatory true; description "Identifier of the subscription that is to be deleted. Only subscriptions that were created using 'establish-subscription' can be deleted via this RPC."; } } } rc:yang-data delete-subscription-error-info { container delete-subscription-error-info { description "If a 'delete-subscription' RPC or a 'kill-subscription' RPC fails, the subscription is not deleted and the RPC error response MUST indicate the reason for this failure. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure."; leaf reason { type identityref { base delete-subscription-error; } mandatory true; description "Indicates the reason why the subscription has failed to be deleted."; } } } /* * NOTIFICATIONS */ notification replay-completed { sn:subscription-state-notification; if-feature "replay"; description "This notification is sent to indicate that all of the replay notifications have been sent."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } } notification subscription-completed { sn:subscription-state-notification; if-feature "configured"; description "This notification is sent to indicate that a subscription has finished passing event records, as the 'stop-time' has been reached."; leaf id { type subscription-id; mandatory true; description "This references the gracefully completed subscription."; } } notification subscription-modified { sn:subscription-state-notification; description "This notification indicates that a subscription has been modified. Notification messages sent from this point on will conform to the modified terms of the subscription. For completeness, this subscription state change notification includes both modified and unmodified aspects of a subscription."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } uses subscription-policy { refine "target/stream/stream-filter/within-subscription" { description "Filter applied to the subscription. If the 'stream-filter-name' is populated, the filter in the subscription came from the 'filters' container. Otherwise, it is populated in-line as part of the subscription."; } } } notification subscription-resumed { sn:subscription-state-notification; description "This notification indicates that a subscription that had previously been suspended has resumed. Notifications will once again be sent. In addition, a 'subscription-resumed' indicates that no modification of parameters has occurred since the last time event records have been sent."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } } notification subscription-started { sn:subscription-state-notification; if-feature "configured"; description "This notification indicates that a subscription has started and notifications will now be sent."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } uses subscription-policy { refine "target/stream/replay-start-time" { description "Indicates the time that a replay is using for the streaming of buffered event records. This will be populated with the most recent of the following: the event time of the previous event record sent to a receiver, the 'replay-log-creation-time', the 'replay-log-aged-time', or the most recent publisher boot time."; } refine "target/stream/stream-filter/within-subscription" { description "Filter applied to the subscription. If the 'stream-filter-name' is populated, the filter in the subscription came from the 'filters' container. Otherwise, it is populated in-line as part of the subscription."; } augment "target/stream" { description "This augmentation adds additional parameters specific to a 'subscription-started' notification."; leaf replay-previous-event-time { when '../replay-start-time'; if-feature "replay"; type yang:date-and-time; description "If there is at least one event in the replay buffer prior to 'replay-start-time', this gives the time of the event generated immediately prior to the 'replay-start-time'. If a receiver previously received event records for this configured subscription, it can compare this time to the last event record previously received. If the two are not the same (perhaps due to a reboot), then a dynamic replay can be initiated to acquire any missing event records."; } } } } notification subscription-suspended { sn:subscription-state-notification; description "This notification indicates that a suspension of the subscription by the publisher has occurred. No further notifications will be sent until the subscription resumes. This notification shall only be sent to receivers of a subscription; it does not constitute a general-purpose notification."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } leaf reason { type identityref { base subscription-suspended-reason; } mandatory true; description "Identifies the condition that resulted in the suspension."; } } notification subscription-terminated { sn:subscription-state-notification; description "This notification indicates that a subscription has been terminated."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } leaf reason { type identityref { base subscription-terminated-reason; } mandatory true; description "Identifies the condition that resulted in the termination."; } } /* * DATA NODES */ container streams { config false; description "Contains information on the built-in event streams provided by the publisher."; list stream { key "name"; description "Identifies the built-in event streams that are supported by the publisher."; leaf name { type string; description "A handle for a system-provided event stream made up of a sequential set of event records, each of which is characterized by its own domain and semantics."; } leaf description { type string; description "A description of the event stream, including such information as the type of event records that are available in this event stream."; } leaf replay-support { if-feature "replay"; type empty; description "Indicates that event record replay is available on this event stream."; } leaf replay-log-creation-time { when '../replay-support'; if-feature "replay"; type yang:date-and-time; mandatory true; description "The timestamp of the creation of the log used to support the replay function on this event stream. This time might be earlier than the earliest available information contained in the log. This object is updated if the log resets for some reason."; } leaf replay-log-aged-time { when '../replay-support'; if-feature "replay"; type yang:date-and-time; description "The timestamp associated with the last event record that has been aged out of the log. This timestamp identifies how far back in history this replay log extends, if it doesn't extend back to the 'replay-log-creation-time'. This object MUST be present if replay is supported and any event records have been aged out of the log."; } } } container filters { description "Contains a list of configurable filters that can be applied to subscriptions. This facilitates the reuse of complex filters once defined."; list stream-filter { key "name"; description "A list of preconfigured filters that can be applied to subscriptions."; leaf name { type string; description "A name to differentiate between filters."; } uses stream-filter-elements; } } container subscriptions { description "Contains the list of currently active subscriptions, i.e., subscriptions that are currently in effect, used for subscription management and monitoring purposes. This includes subscriptions that have been set up via RPC primitives as well as subscriptions that have been established via configuration."; list subscription { key "id"; description "The identity and specific parameters of a subscription. Subscriptions in this list can be created using a control channel or RPC or can be established through configuration. If the 'kill-subscription' RPC or configuration operations are used to delete a subscription, a 'subscription-terminated' message is sent to any active or suspended receivers."; leaf id { type subscription-id; description "Identifier of a subscription; unique in a given publisher."; } uses subscription-policy { refine "target/stream/stream" { description "Indicates the event stream to be considered for this subscription. If an event stream has been removed and can no longer be referenced by an active subscription, send a 'subscription-terminated' notification with 'stream-unavailable' as the reason. If a configured subscription refers to a nonexistent event stream, move that subscription to the 'invalid' state."; } refine "transport" { description "For a configured subscription, this leaf specifies the transport used to deliver messages destined for all receivers of that subscription. This object is mandatory for subscriptions in the configuration datastore. This object (1) is not mandatory for dynamic subscriptions in the operational state datastore and (2) should not be present for other types of dynamic subscriptions."; } augment "target/stream" { description "Enables objects to be added to a configured stream subscription."; leaf configured-replay { if-feature "configured"; if-feature "replay"; type empty; description "The presence of this leaf indicates that replay for the configured subscription should start at the earliest time in the event log or at the publisher boot time, whichever is later."; } } } choice notification-message-origin { if-feature "configured"; description "Identifies the egress interface on the publisher from which notification messages are to be sent."; case interface-originated { description "When notification messages are to egress a specific, designated interface on the publisher."; leaf source-interface { if-feature "interface-designation"; type if:interface-ref; description "References the interface for notification messages."; } } case address-originated { description "When notification messages are to depart from a publisher using a specific originating address and/or routing context information."; leaf source-vrf { if-feature "supports-vrf"; type leafref { path "/ni:network-instances/ni:network-instance/ni:name"; } description "VRF from which notification messages should egress a publisher."; } leaf source-address { type inet:ip-address-no-zone; description "The source address for the notification messages. If a source VRF exists but this object doesn't, a publisher's default address for that VRF must be used."; } } } leaf configured-subscription-state { if-feature "configured"; type enumeration { enum valid { value 1; description "The subscription is supportable with its current parameters."; } enum invalid { value 2; description "The subscription as a whole is unsupportable with its current parameters."; } enum concluded { value 3; description "A subscription is inactive, as it has hit a stop time. It no longer has receivers in the 'active' or 'suspended' state, but the subscription has not yet been removed from configuration."; } } config false; description "The presence of this leaf indicates that the subscription originated from configuration, not through a control channel or RPC. The value indicates the state of the subscription as established by the publisher."; } container receivers { description "Set of receivers in a subscription."; list receiver { key "name"; min-elements 1; description "A host intended as a recipient for the notification messages of a subscription. For configured subscriptions, transport-specific network parameters (or a leafref to those parameters) may be augmented to a specific receiver in this list."; leaf name { type string; description "Identifies a unique receiver for a subscription."; } leaf sent-event-records { type yang:zero-based-counter64; config false; description "The number of event records sent to the receiver. The count is initialized when a dynamic subscription is established or when a configured receiver transitions to the 'valid' state."; } leaf excluded-event-records { type yang:zero-based-counter64; config false; description "The number of event records explicitly removed via either an event stream filter or an access control filter so that they are not passed to a receiver. This count is set to zero each time 'sent-event-records' is initialized."; } leaf state { type enumeration { enum active { value 1; description "The receiver is currently being sent any applicable notification messages for the subscription."; } enum suspended { value 2; description "The receiver state is 'suspended', so the publisher is currently unable to provide notification messages for the subscription."; } enum connecting { value 3; if-feature "configured"; description "A subscription has been configured, but a 'subscription-started' subscription state change notification needs to be successfully received before notification messages are sent. If the 'reset' action is invoked for a receiver of an active configured subscription, the state must be moved to 'connecting'."; } enum disconnected { value 4; if-feature "configured"; description "A subscription has failed to send a 'subscription-started' state change to the receiver. Additional connection attempts are not currently being made."; } } config false; mandatory true; description "Specifies the state of a subscription from the perspective of a particular receiver. With this information, it is possible to determine whether a publisher is currently generating notification messages intended for that receiver."; } action reset { if-feature "configured"; description "Allows the reset of this configured subscription's receiver to the 'connecting' state. This enables the connection process to be reinitiated."; output { leaf time { type yang:date-and-time; mandatory true; description "Time at which a publisher returned the receiver to the 'connecting' state."; } } } } } } } } ]]>

YANG module ietf-yang-push WG List: Author: Alexander Clemm Author: Eric Voit "; description "This module contains YANG specifications for YANG-Push. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2019 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 8641; see the RFC itself for full legal notices."; revision 2019-09-09 { description "Initial revision."; reference "RFC 8641: Subscriptions to YANG Datastores"; } /* * FEATURES */ feature on-change { description "This feature indicates that on-change triggered subscriptions are supported."; } /* * IDENTITIES */ /* Error type identities for datastore subscription */ identity resync-subscription-error { description "Problem found while attempting to fulfill a 'resync-subscription' RPC request."; } identity cant-exclude { base sn:establish-subscription-error; description "Unable to remove the set of 'excluded-change' parameters. This means that the publisher is unable to restrict 'push-change-update' notifications to just the change types requested for this subscription."; } identity datastore-not-subscribable { base sn:establish-subscription-error; base sn:subscription-terminated-reason; description "This is not a subscribable datastore."; } identity no-such-subscription-resync { base resync-subscription-error; description "The referenced subscription doesn't exist. This may be as a result of a nonexistent subscription ID, an ID that belongs to another subscriber, or an ID for a configured subscription."; } identity on-change-unsupported { base sn:establish-subscription-error; description "On-change is not supported for any objects that are selectable by this filter."; } identity on-change-sync-unsupported { base sn:establish-subscription-error; description "Neither 'sync-on-start' nor resynchronization is supported for this subscription. This error will be used for two reasons: (1) if an 'establish-subscription' RPC includes 'sync-on-start' but the publisher can't support sending a 'push-update' for this subscription for reasons other than 'on-change-unsupported' or 'sync-too-big' (2) if the 'resync-subscription' RPC is invoked for either an existing periodic subscription or an on-change subscription that can't support resynchronization."; } identity period-unsupported { base sn:establish-subscription-error; base sn:modify-subscription-error; base sn:subscription-suspended-reason; description "The requested time period or 'dampening-period' is too short. This can be for both periodic and on-change subscriptions (with or without dampening). Hints suggesting alternative periods may be returned as supplemental information."; } identity update-too-big { base sn:establish-subscription-error; base sn:modify-subscription-error; base sn:subscription-suspended-reason; description "Periodic or on-change push update data trees exceed a maximum size limit. Hints on the estimated size of what was too big may be returned as supplemental information."; } identity sync-too-big { base sn:establish-subscription-error; base sn:modify-subscription-error; base resync-subscription-error; base sn:subscription-suspended-reason; description "The 'sync-on-start' or resynchronization data tree exceeds a maximum size limit. Hints on the estimated size of what was too big may be returned as supplemental information."; } identity unchanging-selection { base sn:establish-subscription-error; base sn:modify-subscription-error; base sn:subscription-terminated-reason; description "The selection filter is unlikely to ever select data tree nodes. This means that based on the subscriber's current access rights, the publisher recognizes that the selection filter is unlikely to ever select data tree nodes that change. Examples for this might be that the node or subtree doesn't exist, read access is not permitted for a receiver, or static objects that only change at reboot have been chosen."; } /* * TYPE DEFINITIONS */ typedef change-type { type enumeration { enum create { description "A change that refers to the creation of a new datastore node."; } enum delete { description "A change that refers to the deletion of a datastore node."; } enum insert { description "A change that refers to the insertion of a new user-ordered datastore node."; } enum move { description "A change that refers to a reordering of the target datastore node."; } enum replace { description "A change that refers to a replacement of the target datastore node's value."; } } description "Specifies different types of datastore changes. This type is based on the edit operations defined for YANG Patch, with the difference that it is valid for a receiver to process an update record that performs a 'create' operation on a datastore node the receiver believes exists or to process a delete on a datastore node the receiver believes is missing."; reference "RFC 8072: YANG Patch Media Type, Section 2.5"; } typedef selection-filter-ref { type leafref { path "/sn:filters/yp:selection-filter/yp:filter-id"; } description "This type is used to reference a selection filter."; } typedef centiseconds { type uint32; description "A period of time, measured in units of 0.01 seconds."; } /* * GROUP DEFINITIONS */ grouping datastore-criteria { description "A grouping to define criteria for which selected objects from a targeted datastore should be included in push updates."; leaf datastore { type identityref { base ds:datastore; } mandatory true; description "Datastore from which to retrieve data."; } uses selection-filter-objects; } grouping selection-filter-types { description "This grouping defines the types of selectors for objects from a datastore."; choice filter-spec { description "The content filter specification for this request."; anydata datastore-subtree-filter { if-feature "sn:subtree"; description "This parameter identifies the portions of the target datastore to retrieve."; reference "RFC 6241: Network Configuration Protocol (NETCONF), Section 6"; } leaf datastore-xpath-filter { if-feature "sn:xpath"; type yang:xpath1.0; description "This parameter contains an XPath expression identifying the portions of the target datastore to retrieve. If the expression returns a node set, all nodes in the node set are selected by the filter. Otherwise, if the expression does not return a node set, the filter doesn't select any nodes. The expression is evaluated in the following XPath context: o The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the 'namespace' statement in the YANG module. If the leaf is encoded in XML, all namespace declarations in scope on the 'stream-xpath-filter' leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used. o The set of variable bindings is empty. o The function library is comprised of the core function library and the XPath functions defined in Section 10 in RFC 7950. o The context node is the root node of the target datastore."; reference "XML Path Language (XPath) Version 1.0 (https://www.w3.org/TR/1999/REC-xpath-19991116) RFC 7950: The YANG 1.1 Data Modeling Language, Section 10"; } } } grouping selection-filter-objects { description "This grouping defines a selector for objects from a datastore."; choice selection-filter { description "The source of the selection filter applied to the subscription. This will either (1) come referenced from a global list or (2) be provided in the subscription itself."; case by-reference { description "Incorporates a filter that has been configured separately."; leaf selection-filter-ref { type selection-filter-ref; mandatory true; description "References an existing selection filter that is to be applied to the subscription."; } } case within-subscription { description "A local definition allows a filter to have the same lifecycle as the subscription."; uses selection-filter-types; } } } grouping update-policy-modifiable { description "This grouping describes the datastore-specific subscription conditions that can be changed during the lifetime of the subscription."; choice update-trigger { description "Defines necessary conditions for sending an event record to the subscriber."; case periodic { container periodic { presence "indicates a periodic subscription"; description "The publisher is requested to periodically notify the receiver regarding the current values of the datastore as defined by the selection filter."; leaf period { type centiseconds; mandatory true; description "Duration of time that should occur between periodic push updates, in units of 0.01 seconds."; } leaf anchor-time { type yang:date-and-time; description "Designates a timestamp before or after which a series of periodic push updates are determined. The next update will take place at a point in time that is a multiple of a period from the 'anchor-time'. For example, for an 'anchor-time' that is set for the top of a particular minute and a period interval of a minute, updates will be sent at the top of every minute that this subscription is active."; } } } case on-change { if-feature "on-change"; container on-change { presence "indicates an on-change subscription"; description "The publisher is requested to notify the receiver regarding changes in values in the datastore subset as defined by a selection filter."; leaf dampening-period { type centiseconds; default "0"; description "Specifies the minimum interval between the assembly of successive update records for a single receiver of a subscription. Whenever subscribed objects change and a dampening-period interval (which may be zero) has elapsed since the previous update record creation for a receiver, any subscribed objects and properties that have changed since the previous update record will have their current values marshalled and placed in a new update record."; } } } } } grouping update-policy { description "This grouping describes the datastore-specific subscription conditions of a subscription."; uses update-policy-modifiable { augment "update-trigger/on-change/on-change" { description "Includes objects that are not modifiable once a subscription is established."; leaf sync-on-start { type boolean; default "true"; description "When this object is set to 'false', (1) it restricts an on-change subscription from sending 'push-update' notifications and (2) pushing a full selection per the terms of the selection filter MUST NOT be done for this subscription. Only updates about changes (i.e., only 'push-change-update' notifications) are sent. When set to 'true' (the default behavior), in order to facilitate a receiver's synchronization, a full update is sent, via a 'push-update' notification, when the subscription starts. After that, 'push-change-update' notifications are exclusively sent, unless the publisher chooses to resync the subscription via a new 'push-update' notification."; } leaf-list excluded-change { type change-type; description "Used to restrict which changes trigger an update. For example, if a 'replace' operation is excluded, only the creation and deletion of objects are reported."; } } } } grouping hints { description "Parameters associated with an error for a subscription made upon a datastore."; leaf period-hint { type centiseconds; description "Returned when the requested time period is too short. This hint can assert a viable period for either a periodic push cadence or an on-change dampening interval."; } leaf filter-failure-hint { type string; description "Information describing where and/or why a provided filter was unsupportable for a subscription."; } leaf object-count-estimate { type uint32; description "If there are too many objects that could potentially be returned by the selection filter, this identifies the estimate of the number of objects that the filter would potentially pass."; } leaf object-count-limit { type uint32; description "If there are too many objects that could be returned by the selection filter, this identifies the upper limit of the publisher's ability to service this subscription."; } leaf kilobytes-estimate { type uint32; description "If the returned information could be beyond the capacity of the publisher, this would identify the estimated data size that could result from this selection filter."; } leaf kilobytes-limit { type uint32; description "If the returned information would be beyond the capacity of the publisher, this identifies the upper limit of the publisher's ability to service this subscription."; } } /* * RPCs */ rpc resync-subscription { if-feature "on-change"; description "This RPC allows a subscriber of an active on-change subscription to request a full push of objects. A successful invocation results in a 'push-update' of all datastore nodes that the subscriber is permitted to access. This RPC can only be invoked on the same session on which the subscription is currently active. In the case of an error, a 'resync-subscription-error' is sent as part of an error response."; input { leaf id { type sn:subscription-id; mandatory true; description "Identifier of the subscription that is to be resynced."; } } } rc:yang-data resync-subscription-error { container resync-subscription-error { description "If a 'resync-subscription' RPC fails, the subscription is not resynced and the RPC error response MUST indicate the reason for this failure. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure."; leaf reason { type identityref { base resync-subscription-error; } mandatory true; description "Indicates the reason why the publisher has declined a request for subscription resynchronization."; } uses hints; } } augment "/sn:establish-subscription/sn:input" { description "This augmentation adds additional subscription parameters that apply specifically to datastore updates to RPC input."; uses update-policy; } augment "/sn:establish-subscription/sn:input/sn:target" { description "This augmentation adds the datastore as a valid target for the subscription to RPC input."; case datastore { description "Information specifying the parameters of a request for a datastore subscription."; uses datastore-criteria; } } rc:yang-data establish-subscription-datastore-error-info { container establish-subscription-datastore-error-info { description "If any 'establish-subscription' RPC parameters are unsupportable against the datastore, a subscription is not created and the RPC error response MUST indicate the reason why the subscription failed to be created. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure. This yang-data MUST be inserted if hints are to be provided back to the subscriber."; leaf reason { type identityref { base sn:establish-subscription-error; } description "Indicates the reason why the subscription has failed to be created to a targeted datastore."; } uses hints; } } augment "/sn:modify-subscription/sn:input" { description "This augmentation adds additional subscription parameters specific to datastore updates."; uses update-policy-modifiable; } augment "/sn:modify-subscription/sn:input/sn:target" { description "This augmentation adds the datastore as a valid target for the subscription to RPC input."; case datastore { description "Information specifying the parameters of a request for a datastore subscription."; uses datastore-criteria; } } rc:yang-data modify-subscription-datastore-error-info { container modify-subscription-datastore-error-info { description "This yang-data MAY be provided as part of a subscription's RPC error response when there is a failure of a 'modify-subscription' RPC that has been made against a datastore. This yang-data MUST be used if hints are to be provided back to the subscriber."; leaf reason { type identityref { base sn:modify-subscription-error; } description "Indicates the reason why the subscription has failed to be modified."; } uses hints; } } /* * NOTIFICATIONS */ notification push-update { description "This notification contains a push update that in turn contains data subscribed to via a subscription. In the case of a periodic subscription, this notification is sent for periodic updates. It can also be used for synchronization updates of an on-change subscription. This notification shall only be sent to receivers of a subscription. It does not constitute a general-purpose notification that would be subscribable as part of the NETCONF event stream by any receiver."; leaf id { type sn:subscription-id; description "This references the subscription that drove the notification to be sent."; } anydata datastore-contents { description "This contains the updated data. It constitutes a snapshot at the time of update of the set of data that has been subscribed to. The snapshot corresponds to the same snapshot that would be returned in a corresponding 'get' operation with the same selection filter parameters applied."; } leaf incomplete-update { type empty; description "This is a flag that indicates that not all datastore nodes subscribed to are included with this update. In other words, the publisher has failed to fulfill its full subscription obligations and, despite its best efforts, is providing an incomplete set of objects."; } } notification push-change-update { if-feature "on-change"; description "This notification contains an on-change push update. This notification shall only be sent to the receivers of a subscription. It does not constitute a general-purpose notification that would be subscribable as part of the NETCONF event stream by any receiver."; leaf id { type sn:subscription-id; description "This references the subscription that drove the notification to be sent."; } container datastore-changes { description "This contains the set of datastore changes of the target datastore, starting at the time of the previous update, per the terms of the subscription."; uses ypatch:yang-patch; } leaf incomplete-update { type empty; description "The presence of this object indicates that not all changes that have occurred since the last update are included with this update. In other words, the publisher has failed to fulfill its full subscription obligations -- for example, in cases where it was not able to keep up with a burst of changes."; } } augment "/sn:subscription-started" { description "This augmentation adds datastore-specific objects to the notification that a subscription has started."; uses update-policy; } augment "/sn:subscription-started/sn:target" { description "This augmentation allows the datastore to be included as part of the notification that a subscription has started."; case datastore { uses datastore-criteria { refine "selection-filter/within-subscription" { description "Specifies the selection filter and where it originated from. If the 'selection-filter-ref' is populated, the filter in the subscription came from the 'filters' container. Otherwise, it is populated in-line as part of the subscription itself."; } } } } augment "/sn:subscription-modified" { description "This augmentation adds datastore-specific objects to the notification that a subscription has been modified."; uses update-policy; } augment "/sn:subscription-modified/sn:target" { description "This augmentation allows the datastore to be included as part of the notification that a subscription has been modified."; case datastore { uses datastore-criteria { refine "selection-filter/within-subscription" { description "Specifies the selection filter and where it originated from. If the 'selection-filter-ref' is populated, the filter in the subscription came from the 'filters' container. Otherwise, it is populated in-line as part of the subscription itself."; } } } } /* * DATA NODES */ augment "/sn:filters" { description "This augmentation allows the datastore to be included as part of the selection-filtering criteria for a subscription."; list selection-filter { key "filter-id"; description "A list of preconfigured filters that can be applied to datastore subscriptions."; leaf filter-id { type string; description "An identifier to differentiate between selection filters."; } uses selection-filter-types; } } augment "/sn:subscriptions/sn:subscription" { when 'yp:datastore'; description "This augmentation adds objects to a subscription that are specific to a datastore subscription, i.e., a subscription to a stream of datastore node updates."; uses update-policy; } augment "/sn:subscriptions/sn:subscription/sn:target" { description "This augmentation allows the datastore to be included as part of the selection-filtering criteria for a subscription."; case datastore { uses datastore-criteria; } } } ]]>

Implementation Considerations (from RFC 8639) To support deployments that include both configured and dynamic subscriptions, it is recommended that the subscription "id" domain be split into static and dynamic halves. This will eliminate the possibility of collisions if the configured subscriptions attempt to set a "subscription-id" that might have already been dynamically allocated. A best practice is to use the lower half of the "id" object's integer space when that "id" is assigned by an external entity (such as with a configured subscription). This leaves the upper half of the subscription integer space available to be dynamically assigned by the publisher. If a subscription is unable to marshal a series of filtered event records into transmittable notification messages, the receiver should be suspended with the reason "unsupportable-volume". For configured subscriptions, operations are performed against the set of receivers using the subscription "id" as a handle for that set. But for streaming updates, subscription state change notifications are local to a receiver. In the case of this specification, receivers do not get any information from the publisher about the existence of other receivers. But if a network operator wants to let the receivers correlate results, it is useful to use the subscription "id" across the receivers to allow that correlation. Note that due to the possibility of different access control permissions per receiver, each receiver may actually get a different set of event records. For configured replay subscriptions, the receiver is protected from duplicated events being pushed after a publisher is rebooted. However, it is possible that a receiver might want to acquire event records that failed to be delivered just prior to the reboot. Delivering these event records can be accomplished by leveraging the <eventTime> [RFC5277] from the last event record received prior to the receipt of a "subscription-started" subscription state change notification. With this <eventTime> and the "replay-start-time" from the "subscription-started" notification, an independent dynamic subscription can be established that retrieves any event records that may have been generated but not sent to the receiver.

Transport Requirements (from RFC 8639) This section provides requirements for any subscribed notification transport supporting the solution presented in this document. The transport selected by the subscriber to reach the publisher MUST be able to support multiple "establish-subscription" requests made in the same transport session. For both configured and dynamic subscriptions, the publisher MUST authenticate a receiver via some transport-level mechanism before sending any event records that the receiver is authorized to see. In addition, the receiver MUST authenticate the publisher at the transport level. The result is mutual authentication between the two. A secure transport is highly recommended. Beyond this, the publisher MUST ensure that the receiver has sufficient authorization to perform the function it is requesting against the specific subset of content involved. A specification for a transport built upon this document may or may not choose to require the use of the same logical channel for the RPCs and the event records. However, the event records and the subscription state change notifications MUST be sent on the same transport session to ensure properly ordered delivery. A specification for a transport MUST identify any encodings that are supported. If a configured subscription's transport allows different encodings, the specification MUST identify the default encoding. A subscriber that includes a "dscp" leaf in an "establish- subscription" request will need to understand and consider what the corresponding DSCP value represents in the domain of the publisher. Additional transport requirements will be dictated by the choice of transport used with a subscription. For an example of such requirements, see [RFC8640].

Security Considerations TODO. New YANG models will be defined that need to document their security considerations, but otherwise the security considerations in YANG-Push should be sufficient. Note, we should use the new security considerations template, which will allow this section to be considerable shorter.

Security Considerations from RFC 8639 The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246]. The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. With configured subscriptions, one or more publishers could be used to overwhelm a receiver. To counter this, notification messages SHOULD NOT be sent to any receiver that does not support this specification. Receivers that do not want notification messages need only terminate or refuse any transport sessions from the publisher. When a receiver of a configured subscription gets a new "subscription-started" message for a known subscription where it is already consuming events, it may indicate that an attacker has done something that has momentarily disrupted receiver connectivity. To acquire events lost during this interval, the receiver SHOULD retrieve any event records generated since the last event record was received. This can be accomplished by establishing a separate dynamic replay subscription with the same filtering criteria with the publisher, assuming that the publisher supports the "replay" feature. For dynamic subscriptions, implementations need to protect against malicious or buggy subscribers that may send a large number of "establish-subscription" requests and thereby use up system resources. To cover this possibility, operators SHOULD monitor for such cases and, if discovered, take remedial action to limit the resources used, such as suspending or terminating a subset of the subscriptions or, if the underlying transport is session based, terminating the underlying transport session. The replay mechanisms described in Sections 2.4.2.1 and 2.5.6 provide access to historical event records. By design, the access control model that protects these records could enable subscribers to view data to which they were not authorized at the time of collection. Using DNS names for configured subscription's receiver "name" lookups can cause situations where the name resolves differently than expected on the publisher, so the recipient would be different than expected. An attacker that can cause the publisher to use an incorrect time can induce message replay by setting the time in the past and can introduce a risk of message loss by setting the time in the future. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: Container: "/filters"

• "stream-subtree-filter": Updating a filter could increase the computational complexity of all referencing subscriptions.
• "stream-xpath-filter": Updating a filter could increase the computational complexity of all referencing subscriptions.

Container: "/subscriptions" The following considerations are only relevant for configuration operations made upon configured subscriptions:

• "configured-replay": Can be used to send a large number of event records to a receiver.
• "dependency": Can be used to force important traffic to be queued behind updates that are not as important.
• "dscp": If unvalidated, can result in the sending of traffic with a higher-priority marking than warranted.
• "id": Can overwrite an existing subscription, perhaps one configured by another entity.
• "name": Adding a new key entry can be used to attempt to send traffic to an unwilling receiver.
• "replay-start-time": Can be used to push very large logs, wasting resources.
• "source-address": The configured address might not be able to reach a desired receiver.
• "source-interface": The configured interface might not be able to reach a desired receiver.
• "source-vrf": Can place a subscription in a virtual network where receivers are not entitled to view the subscribed content.
• "stop-time": Could be used to terminate content at an inopportune time.
• "stream": Could set a subscription to an event stream that does not contain content permitted for the targeted receivers.
• "stream-filter-name": Could be set to a filter that is not relevant to the event stream.
• "stream-subtree-filter": A complex filter can increase the computational resources for this subscription.
• "stream-xpath-filter": A complex filter can increase the computational resources for this subscription.
• "weighting": Allocating a large weight can overwhelm the dequeuing of other subscriptions.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: Container: "/streams"

• "name": If access control is not properly configured, can expose system internals to those who should not have access to this information.
• "replay-support": If access control is not properly configured, can expose logs to those who should not have access.

Container: "/subscriptions"

• "excluded-event-records": This leaf can provide information about filtered event records. A network operator should have the proper permissions to know about such filtering. However, exposing the count of excluded events to a receiver could leak information about the presence of access control filters that might be in place for that receiver.
• "subscription": Different operational teams might have a desire to set varying subsets of subscriptions. Access control should be designed to permit read access to just the allowed set.

Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. These are the operations and their sensitivity/vulnerability: RPC: all

• If a malicious or buggy subscriber sends an unexpectedly large number of RPCs, the result might be an excessive use of system resources on the publisher just to determine that these subscriptions should be declined. In such a situation, subscription interactions MAY be terminated by terminating the transport session.

RPC: "delete-subscription"

• No special considerations.

RPC: "establish-subscription"

• Subscriptions could overload a publisher's resources. For this reason, publishers MUST ensure that they have sufficient resources to fulfill this request; otherwise, they MUST reject the request.

RPC: "kill-subscription"

• The "kill-subscription" RPC MUST be secured so that only connections with administrative rights are able to invoke this RPC.

RPC: "modify-subscription"

• Subscriptions could overload a publisher's resources. For this reason, publishers MUST ensure that they have sufficient resources to fulfill this request; otherwise, they MUST reject the request.

Security Considerations from RFC 8641 The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446]. The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability. (It should be noted that the YANG module defined in this document augments the YANG module defined in . All security considerations that are listed in are also relevant for datastore subscriptions. In the following list, we focus on the new data nodes that are introduced in this document.)

• Subtree "selection-filter" under container "filters": This subtree allows a subscriber to specify which objects or subtrees to include in a datastore subscription. An attacker could attempt to modify the filter. For example, the filter might be modified to result in very few objects being filtered in order to attempt to overwhelm the receiver. Alternatively, the filter might be modified to result in certain objects being excluded from updates, in which case certain changes would go unnoticed.
• Subtree "datastore" in choice "target" in list "subscription": Analogous to "selection filter", an attacker might attempt to modify the objects being filtered in order to overwhelm a receiver with a larger volume of object updates than expected or cause certain changes to go unnoticed.
• Choice "update-trigger" in list "subscription": By modifying the update trigger, an attacker might alter the updates that are being sent in order to confuse a receiver, withhold certain updates to be sent to the receiver, and/or overwhelm a receiver. For example, an attacker might modify the period with which updates are reported for a periodic subscription, or it might modify the dampening period for an on-change subscription, resulting in a greater delay for successive updates (potentially affecting the responsiveness of applications that depend on the updates) or in a high volume of updates (to exhaust receiver resources).

The NACM provides one means to mitigate these threats on the publisher side. In order to address those threats as a subscriber, the subscriber could monitor the subscription configuration for any unexpected changes and subscribe to updates to the YANG datastore nodes that represent its datastore subscriptions. As this volume of data is small, a paranoid subscriber could even revert to occasional polling to guard against a compromised subscription against subscription configuration updates itself. Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:

• Subtree "selection-filter" under container "filters": If access control is not properly configured, can expose system internals to those who should not have access to this information.
• Subtree "datastore" in choice "target" in list "subscription": If access control is not properly configured, can expose system internals to those who should not have access to this information.
• Choice "update-trigger" in list "subscription": If access control is not properly configured, can expose system internals to those who should not have access to this information.

Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. These are the operations and their sensitivity/vulnerability:

• RPC "resync-subscription": This RPC allows a subscriber of an on-change subscription to request a full push of objects in the subscription's scope. This can result in a large volume of data. An attacker could attempt to use this RPC to exhaust resources on the server to generate the data and could then attempt to overwhelm a receiver with the resulting large volume of data.

IANA Considerations TODO - This document will need to register new YANG models with IANA.

IANA Considerations from RFC 8639 IANA has registered one URI in the "ns" subregistry of the "IETF XML Registry" [RFC3688] maintained at https://www.iana.org/assignments/xml-registry. The following registration has been made per the format in [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications Registrant Contact: The NETCONF WG of the IETF. XML: N/A; the requested URI is an XML namespace. IANA has registered one YANG module in the "YANG Module Names" registry [RFC6020] maintained at https://www.iana.org/assignments/yang-parameters. The following registration has been made per the format in [RFC6020]: Name: ietf-subscribed-notifications Namespace: urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications Prefix: sn Reference: RFC 8639

IANA Considerations from RFC 8641 This document registers the following namespace URI in the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-yang-push Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document registers the following YANG module in the "YANG Module Names" registry [RFC6020]: Name: ietf-yang-push Namespace: urn:ietf:params:xml:ns:yang:ietf-yang-push Prefix: yp Reference: RFC 8641

Acknowledgments This inital draft is early work is based on discussions with various folk, particularly Thomas Graf, Holger Keller, Dan Voyer, Nils Warnke, and Alex Huang Feng; but also wider conversations that include: Benoit Claise, Pierre Francois, Paolo Lucente, Jean Quilbeuf, among others.

References Normative References INSA-Lyon INSA-Lyon Swisscom Huawei This document defines a new extensible notification structure, defined in YANG, for use in YANG-Push Notification messages enabling any YANG compatible encodings such as XML, JSON or CBOR. This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language. The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950. This document defines a YANG data model for the management of network interfaces. It is expected that interface-type-specific data models augment the generic interfaces data model defined in this document. The data model includes definitions for configuration and system state (status information and counters for the collection of statistics). The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in RFC 8342. This document obsoletes RFC 7223. This document defines a YANG data model and associated mechanisms enabling subscriber-specific subscriptions to a publisher's event streams. Applying these elements allows a subscriber to request and receive a continuous, customized feed of publisher-generated information. This document describes a mechanism that allows subscriber applications to request a continuous and customized stream of updates from a YANG datastore. Providing such visibility into updates enables new capabilities based on the remote mirroring and monitoring of configuration and operational state. Swisscom Swisscom INSA-Lyon This document describes the motivation and architecture of a Network Anomaly Detection Framework and the relationship to other documents describing network symptom semantics and network incident lifecycle. The described architecture for detecting IP network service interruption is generic applicable and extensible. Different applications are being described and exampled with open-source running code. Swisscom Swisscom This document describes the motivation and architecture of a native YANG-Push notifications and YANG Schema integration into a Message Broker and YANG Schema Registry. Watsen Networks This document presents two YANG modules: the first defines a minimal grouping for configuring an HTTP client, and the second defines a minimal grouping for configuring an HTTP server. It is intended that these groupings will be used to help define the configuration for simple HTTP-based protocols (not for complete web servers or browsers). Support is provided for HTTP/1.1, HTTP/2, and HTTP/3.

Example Configured Transport Augmentation (from RFC 8639) This appendix provides a non-normative example of how the YANG module defined in Section 4 may be enhanced to incorporate the configuration parameters needed to support the transport connectivity process. This example is not intended to be a complete transport model. In this example, connectivity via an imaginary transport type of "foo" is explored. For more on the overall objectives behind configuring transport connectivity for a configured subscription, see Section 2.5.7. The YANG module example defined in this appendix contains two main elements. First is a transport identity "foo". This transport identity allows a configuration agent to define "foo" as the selected type of transport for a subscription. Second is a YANG case augmentation "foo", which is made to the "/subscriptions/subscription/receivers/receiver" node of Section 4. In this augmentation are the transport configuration parameters "address" and "port", which are necessary to make the connection to the receiver. This example YANG module for transport "foo" will not be seen in a real-world deployment. For a real-world deployment supporting an actual transport technology, a similar YANG module must be defined.

Subscription Errors (from RFC 8641)

RPC Failures Rejection of an RPC for any reason is indicated via an RPC error response from the publisher. Valid RPC errors returned include both (1) existing transport-layer RPC error codes, such as those seen with NETCONF in [RFC6241] and (2) subscription-specific errors, such as those defined in the YANG data model. As a result, how subscription errors are encoded in an RPC error response is transport dependent. References to specific identities in the ietf-subscribed- notifications YANG module or the ietf-yang-push YANG module may be returned as part of the error responses resulting from failed attempts at datastore subscription. For errors defined as part of the ietf-subscribed-notifications YANG module, please refer to . The errors defined in this document, grouped per RPC, are as follows: There is one final set of transport-independent RPC error elements included in the YANG data model. These are the four yang-data structures for failed datastore subscriptions:

1. yang-data "establish-subscription-error-datastore": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "establish-subscription" RPC response. This MUST be sent if hints are included.
2. yang-data "modify-subscription-error-datastore": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "modify-subscription" RPC response. This MUST be sent if hints are included.
3. yang-data "sn:delete-subscription-error": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "delete-subscription" or "kill-subscription" RPC response.
4. yang-data "resync-subscription-error": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "resync-subscription" RPC response.

Failure Notifications A subscription may be unexpectedly terminated or suspended independently of any RPC or configuration operation. In such cases, indications of such a failure MUST be provided. To accomplish this, a number of errors can be returned as part of the corresponding subscription state change notification. For this purpose, the following error identities are introduced in this document, in addition to those that were already defined in :