ARMWARE RFC Archive <- RFC Index (6201..6300)

RFC 6241

Obsoletes RFC 4741
Updated by RFC 7803, RFC 8526

Internet Engineering Task Force (IETF)                      R. Enns, Ed.
Request for Comments: 6241                              Juniper Networks
Obsoletes: 4741                                        M. Bjorklund, Ed.
Category: Standards Track                                 Tail-f Systems
ISSN: 2070-1721                                    J. Schoenwaelder, Ed.
                                                       Jacobs University
                                                         A. Bierman, Ed.
                                                                 Brocade
                                                               June 2011

                Network Configuration Protocol (NETCONF)

Abstract

   The Network Configuration Protocol (NETCONF) defined in this document
   provides mechanisms to install, manipulate, and delete the
   configuration of network devices.  It uses an Extensible Markup
   Language (XML)-based data encoding for the configuration data as well
   as the protocol messages.  The NETCONF protocol operations are
   realized as remote procedure calls (RPCs).  This document obsoletes
   RFC 4741.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6241.

Enns, et al.                 Standards Track                    [Page 1]



RFC 6241                    NETCONF Protocol                   June 2011

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Enns, et al.                 Standards Track                    [Page 2]



RFC 6241                    NETCONF Protocol                   June 2011

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   6
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   7
     1.2.  Protocol Overview . . . . . . . . . . . . . . . . . . . .   8
     1.3.  Capabilities  . . . . . . . . . . . . . . . . . . . . . .  10
     1.4.  Separation of Configuration and State Data  . . . . . . .  10
   2.  Transport Protocol Requirements . . . . . . . . . . . . . . .  11
     2.1.  Connection-Oriented Operation . . . . . . . . . . . . . .  11
     2.2.  Authentication, Integrity, and Confidentiality  . . . . .  12
     2.3.  Mandatory Transport Protocol  . . . . . . . . . . . . . .  12
   3.  XML Considerations  . . . . . . . . . . . . . . . . . . . . .  13
     3.1.  Namespace . . . . . . . . . . . . . . . . . . . . . . . .  13
     3.2.  Document Type Declarations  . . . . . . . . . . . . . . .  13
   4.  RPC Model . . . . . . . . . . . . . . . . . . . . . . . . . .  13
     4.1.  <rpc> Element . . . . . . . . . . . . . . . . . . . . . .  13
     4.2.  <rpc-reply> Element . . . . . . . . . . . . . . . . . . .  15
     4.3.  <rpc-error> Element . . . . . . . . . . . . . . . . . . .  16
     4.4.  <ok> Element  . . . . . . . . . . . . . . . . . . . . . .  19
     4.5.  Pipelining  . . . . . . . . . . . . . . . . . . . . . . .  19
   5.  Configuration Model . . . . . . . . . . . . . . . . . . . . .  19
     5.1.  Configuration Datastores  . . . . . . . . . . . . . . . .  19
     5.2.  Data Modeling . . . . . . . . . . . . . . . . . . . . . .  20
   6.  Subtree Filtering . . . . . . . . . . . . . . . . . . . . . .  20
     6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  20
     6.2.  Subtree Filter Components . . . . . . . . . . . . . . . .  21
       6.2.1.  Namespace Selection . . . . . . . . . . . . . . . . .  21
       6.2.2.  Attribute Match Expressions . . . . . . . . . . . . .  22
       6.2.3.  Containment Nodes . . . . . . . . . . . . . . . . . .  23
       6.2.4.  Selection Nodes . . . . . . . . . . . . . . . . . . .  23
       6.2.5.  Content Match Nodes . . . . . . . . . . . . . . . . .  24
     6.3.  Subtree Filter Processing . . . . . . . . . . . . . . . .  25
     6.4.  Subtree Filtering Examples  . . . . . . . . . . . . . . .  26
       6.4.1.  No Filter . . . . . . . . . . . . . . . . . . . . . .  26
       6.4.2.  Empty Filter  . . . . . . . . . . . . . . . . . . . .  26
       6.4.3.  Select the Entire <users> Subtree . . . . . . . . . .  27
       6.4.4.  Select All <name> Elements within the <users>
               Subtree . . . . . . . . . . . . . . . . . . . . . . .  29
       6.4.5.  One Specific <user> Entry . . . . . . . . . . . . . .  30
       6.4.6.  Specific Elements from a Specific <user> Entry  . . .  31
       6.4.7.  Multiple Subtrees . . . . . . . . . . . . . . . . . .  32
       6.4.8.  Elements with Attribute Naming  . . . . . . . . . . .  33
   7.  Protocol Operations . . . . . . . . . . . . . . . . . . . . .  35
     7.1.  <get-config>  . . . . . . . . . . . . . . . . . . . . . .  35
     7.2.  <edit-config> . . . . . . . . . . . . . . . . . . . . . .  37
     7.3.  <copy-config> . . . . . . . . . . . . . . . . . . . . . .  43
     7.4.  <delete-config> . . . . . . . . . . . . . . . . . . . . .  44
     7.5.  <lock>  . . . . . . . . . . . . . . . . . . . . . . . . .  44

Enns, et al.                 Standards Track                    [Page 3]



RFC 6241                    NETCONF Protocol                   June 2011

     7.6.  <unlock>  . . . . . . . . . . . . . . . . . . . . . . . .  47
     7.7.  <get> . . . . . . . . . . . . . . . . . . . . . . . . . .  48
     7.8.  <close-session> . . . . . . . . . . . . . . . . . . . . .  49
     7.9.  <kill-session>  . . . . . . . . . . . . . . . . . . . . .  50
   8.  Capabilities  . . . . . . . . . . . . . . . . . . . . . . . .  51
     8.1.  Capabilities Exchange . . . . . . . . . . . . . . . . . .  51
     8.2.  Writable-Running Capability . . . . . . . . . . . . . . .  53
       8.2.1.  Description . . . . . . . . . . . . . . . . . . . . .  53
       8.2.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  53
       8.2.3.  Capability Identifier . . . . . . . . . . . . . . . .  53
       8.2.4.  New Operations  . . . . . . . . . . . . . . . . . . .  53
       8.2.5.  Modifications to Existing Operations  . . . . . . . .  53
     8.3.  Candidate Configuration Capability  . . . . . . . . . . .  53
       8.3.1.  Description . . . . . . . . . . . . . . . . . . . . .  53
       8.3.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  54
       8.3.3.  Capability Identifier . . . . . . . . . . . . . . . .  54
       8.3.4.  New Operations  . . . . . . . . . . . . . . . . . . .  54
       8.3.5.  Modifications to Existing Operations  . . . . . . . .  56
     8.4.  Confirmed Commit Capability . . . . . . . . . . . . . . .  57
       8.4.1.  Description . . . . . . . . . . . . . . . . . . . . .  57
       8.4.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  58
       8.4.3.  Capability Identifier . . . . . . . . . . . . . . . .  58
       8.4.4.  New Operations  . . . . . . . . . . . . . . . . . . .  59
       8.4.5.  Modifications to Existing Operations  . . . . . . . .  60
     8.5.  Rollback-on-Error Capability  . . . . . . . . . . . . . .  61
       8.5.1.  Description . . . . . . . . . . . . . . . . . . . . .  61
       8.5.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  62
       8.5.3.  Capability Identifier . . . . . . . . . . . . . . . .  62
       8.5.4.  New Operations  . . . . . . . . . . . . . . . . . . .  62
       8.5.5.  Modifications to Existing Operations  . . . . . . . .  62
     8.6.  Validate Capability . . . . . . . . . . . . . . . . . . .  63
       8.6.1.  Description . . . . . . . . . . . . . . . . . . . . .  63
       8.6.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  63
       8.6.3.  Capability Identifier . . . . . . . . . . . . . . . .  63
       8.6.4.  New Operations  . . . . . . . . . . . . . . . . . . .  63
       8.6.5.  Modifications to Existing Operations  . . . . . . . .  64
     8.7.  Distinct Startup Capability . . . . . . . . . . . . . . .  64
       8.7.1.  Description . . . . . . . . . . . . . . . . . . . . .  64
       8.7.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  65
       8.7.3.  Capability Identifier . . . . . . . . . . . . . . . .  65
       8.7.4.  New Operations  . . . . . . . . . . . . . . . . . . .  65
       8.7.5.  Modifications to Existing Operations  . . . . . . . .  65
     8.8.  URL Capability  . . . . . . . . . . . . . . . . . . . . .  66
       8.8.1.  Description . . . . . . . . . . . . . . . . . . . . .  66
       8.8.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  66
       8.8.3.  Capability Identifier . . . . . . . . . . . . . . . .  66
       8.8.4.  New Operations  . . . . . . . . . . . . . . . . . . .  66
       8.8.5.  Modifications to Existing Operations  . . . . . . . .  66

Enns, et al.                 Standards Track                    [Page 4]



RFC 6241                    NETCONF Protocol                   June 2011

     8.9.  XPath Capability  . . . . . . . . . . . . . . . . . . . .  67
       8.9.1.  Description . . . . . . . . . . . . . . . . . . . . .  67
       8.9.2.  Dependencies  . . . . . . . . . . . . . . . . . . . .  68
       8.9.3.  Capability Identifier . . . . . . . . . . . . . . . .  68
       8.9.4.  New Operations  . . . . . . . . . . . . . . . . . . .  68
       8.9.5.  Modifications to Existing Operations  . . . . . . . .  68
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  69
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  71
     10.1. NETCONF XML Namespace . . . . . . . . . . . . . . . . . .  71
     10.2. NETCONF XML Schema  . . . . . . . . . . . . . . . . . . .  71
     10.3. NETCONF YANG Module . . . . . . . . . . . . . . . . . . .  72
     10.4. NETCONF Capability URNs . . . . . . . . . . . . . . . . .  72
   11. Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  73
   12. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  73
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  74
     13.1. Normative References  . . . . . . . . . . . . . . . . . .  74
     13.2. Informative References  . . . . . . . . . . . . . . . . .  75
   Appendix A.  NETCONF Error List . . . . . . . . . . . . . . . . .  76
   Appendix B.  XML Schema for NETCONF Messages Layer  . . . . . . .  80
   Appendix C.  YANG Module for NETCONF Protocol Operations  . . . .  85
   Appendix D.  Capability Template  . . . . . . . . . . . . . . . . 105
     D.1.  capability-name (template)  . . . . . . . . . . . . . . . 105
       D.1.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . 105
       D.1.2.  Dependencies  . . . . . . . . . . . . . . . . . . . . 105
       D.1.3.  Capability Identifier . . . . . . . . . . . . . . . . 105
       D.1.4.  New Operations  . . . . . . . . . . . . . . . . . . . 105
       D.1.5.  Modifications to Existing Operations  . . . . . . . . 105
       D.1.6.  Interactions with Other Capabilities  . . . . . . . . 105
   Appendix E.  Configuring Multiple Devices with NETCONF  . . . . . 106
     E.1.  Operations on Individual Devices  . . . . . . . . . . . . 106
       E.1.1.  Acquiring the Configuration Lock  . . . . . . . . . . 106
       E.1.2.  Checkpointing the Running Configuration . . . . . . . 107
       E.1.3.  Loading and Validating the Incoming Configuration . . 108
       E.1.4.  Changing the Running Configuration  . . . . . . . . . 108
       E.1.5.  Testing the New Configuration . . . . . . . . . . . . 109
       E.1.6.  Making the Change Permanent . . . . . . . . . . . . . 109
       E.1.7.  Releasing the Configuration Lock  . . . . . . . . . . 110
     E.2.  Operations on Multiple Devices  . . . . . . . . . . . . . 111
   Appendix F.  Changes from RFC 4741  . . . . . . . . . . . . . . . 112

Enns, et al.                 Standards Track                    [Page 5]



RFC 6241                    NETCONF Protocol                   June 2011

1.  Introduction

   The NETCONF protocol defines a simple mechanism through which a
   network device can be managed, configuration data information can be
   retrieved, and new configuration data can be uploaded and
   manipulated.  The protocol allows the device to expose a full, formal
   application programming interface (API).  Applications can use this
   straightforward API to send and receive full and partial
   configuration data sets.

   The NETCONF protocol uses a remote procedure call (RPC) paradigm.  A
   client encodes an RPC in XML [W3C.REC-xml-20001006] and sends it to a
   server using a secure, connection-oriented session.  The server
   responds with a reply encoded in XML.  The contents of both the
   request and the response are fully described in XML DTDs or XML
   schemas, or both, allowing both parties to recognize the syntax
   constraints imposed on the exchange.

   A key aspect of NETCONF is that it allows the functionality of the
   management protocol to closely mirror the native functionality of the
   device.  This reduces implementation costs and allows timely access
   to new features.  In addition, applications can access both the
   syntactic and semantic content of the device's native user interface.

   NETCONF allows a client to discover the set of protocol extensions
   supported by a server.  These "capabilities" permit the client to
   adjust its behavior to take advantage of the features exposed by the
   device.  The capability definitions can be easily extended in a
   noncentralized manner.  Standard and non-standard capabilities can be
   defined with semantic and syntactic rigor.  Capabilities are
   discussed in Section 8.

   The NETCONF protocol is a building block in a system of automated
   configuration.  XML is the lingua franca of interchange, providing a
   flexible but fully specified encoding mechanism for hierarchical
   content.  NETCONF can be used in concert with XML-based
   transformation technologies, such as XSLT [W3C.REC-xslt-19991116], to
   provide a system for automated generation of full and partial
   configurations.  The system can query one or more databases for data
   about networking topologies, links, policies, customers, and
   services.  This data can be transformed using one or more XSLT
   scripts from a task-oriented, vendor-independent data schema into a
   form that is specific to the vendor, product, operating system, and
   software release.  The resulting data can be passed to the device
   using the NETCONF protocol.

Enns, et al.                 Standards Track                    [Page 6]



RFC 6241                    NETCONF Protocol                   June 2011

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.1.  Terminology

   o  candidate configuration datastore: A configuration datastore that
      can be manipulated without impacting the device's current
      configuration and that can be committed to the running
      configuration datastore.  Not all devices support a candidate
      configuration datastore.

   o  capability: A functionality that supplements the base NETCONF
      specification.

   o  client: Invokes protocol operations on a server.  In addition, a
      client can subscribe to receive notifications from a server.

   o  configuration data: The set of writable data that is required to
      transform a system from its initial default state into its current
      state.

   o  datastore: A conceptual place to store and access information.  A
      datastore might be implemented, for example, using files, a
      database, flash memory locations, or combinations thereof.

   o  configuration datastore: The datastore holding the complete set of
      configuration data that is required to get a device from its
      initial default state into a desired operational state.

   o  message: A protocol element sent over a session.  Messages are
      well-formed XML documents.

   o  notification: A server-initiated message indicating that a certain
      event has been recognized by the server.

   o  protocol operation: A specific remote procedure call, as used
      within the NETCONF protocol.

   o  remote procedure call (RPC): Realized by exchanging <rpc> and
      <rpc-reply> messages.

   o  running configuration datastore: A configuration datastore holding
      the complete configuration currently active on the device.  The
      running configuration datastore always exists.

   o  server: Executes protocol operations invoked by a client.  In
      addition, a server can send notifications to a client.

Enns, et al.                 Standards Track                    [Page 7]



RFC 6241                    NETCONF Protocol                   June 2011

   o  session: Client and server exchange messages using a secure,
      connection-oriented session.

   o  startup configuration datastore: The configuration datastore
      holding the configuration loaded by the device when it boots.
      Only present on devices that separate the startup configuration
      datastore from the running configuration datastore.

   o  state data: The additional data on a system that is not
      configuration data such as read-only status information and
      collected statistics.

   o  user: The authenticated identity of the client.  The authenticated
      identity of a client is commonly referred to as the NETCONF
      username.

1.2.  Protocol Overview

   NETCONF uses a simple RPC-based mechanism to facilitate communication
   between a client and a server.  The client can be a script or
   application typically running as part of a network manager.  The
   server is typically a network device.  The terms "device" and
   "server" are used interchangeably in this document, as are "client"
   and "application".

   A NETCONF session is the logical connection between a network
   administrator or network configuration application and a network
   device.  A device MUST support at least one NETCONF session and
   SHOULD support multiple sessions.  Global configuration attributes
   can be changed during any authorized session, and the effects are
   visible in all sessions.  Session-specific attributes affect only the
   session in which they are changed.

   NETCONF can be conceptually partitioned into four layers as shown in
   Figure 1.

Enns, et al.                 Standards Track                    [Page 8]



RFC 6241                    NETCONF Protocol                   June 2011

            Layer                 Example
       +-------------+      +-----------------+      +----------------+
   (4) |   Content   |      |  Configuration  |      |  Notification  |
       |             |      |      data       |      |      data      |
       +-------------+      +-----------------+      +----------------+
              |                       |                      |
       +-------------+      +-----------------+              |
   (3) | Operations  |      |  <edit-config>  |              |
       |             |      |                 |              |
       +-------------+      +-----------------+              |
              |                       |                      |
       +-------------+      +-----------------+      +----------------+
   (2) |  Messages   |      |     <rpc>,      |      | <notification> |
       |             |      |   <rpc-reply>   |      |                |
       +-------------+      +-----------------+      +----------------+
              |                       |                      |
       +-------------+      +-----------------------------------------+
   (1) |   Secure    |      |  SSH, TLS, BEEP/TLS, SOAP/HTTP/TLS, ... |
       |  Transport  |      |                                         |
       +-------------+      +-----------------------------------------+

                     Figure 1: NETCONF Protocol Layers

   (1)  The Secure Transport layer provides a communication path between
        the client and server.  NETCONF can be layered over any
        transport protocol that provides a set of basic requirements.
        Section 2 discusses these requirements.

   (2)  The Messages layer provides a simple, transport-independent
        framing mechanism for encoding RPCs and notifications.
        Section 4 documents the RPC messages, and [RFC5717] documents
        notifications.

   (3)  The Operations layer defines a set of base protocol operations
        invoked as RPC methods with XML-encoded parameters.  Section 7
        details the list of base protocol operations.

   (4)  The Content layer is outside the scope of this document.  It is
        expected that separate efforts to standardize NETCONF data
        models will be undertaken.

   The YANG data modeling language [RFC6020] has been developed for
   specifying NETCONF data models and protocol operations, covering the
   Operations and the Content layers of Figure 1.

Enns, et al.                 Standards Track                    [Page 9]



RFC 6241                    NETCONF Protocol                   June 2011

1.3.  Capabilities

   A NETCONF capability is a set of functionality that supplements the
   base NETCONF specification.  The capability is identified by a
   uniform resource identifier (URI) [RFC3986].

   Capabilities augment the base operations of the device, describing
   both additional operations and the content allowed inside operations.
   The client can discover the server's capabilities and use any
   additional operations, parameters, and content defined by those
   capabilities.

   The capability definition might name one or more dependent
   capabilities.  To support a capability, the server MUST support any
   capabilities upon which it depends.

   Section 8 defines the capabilities exchange that allows the client to
   discover the server's capabilities.  Section 8 also lists the set of
   capabilities defined in this document.

   Additional capabilities can be defined at any time in external
   documents, allowing the set of capabilities to expand over time.
   Standards bodies can define standardized capabilities, and
   implementations can define proprietary ones.  A capability URI MUST
   sufficiently distinguish the naming authority to avoid naming
   collisions.

1.4.  Separation of Configuration and State Data

   The information that can be retrieved from a running system is
   separated into two classes, configuration data and state data.
   Configuration data is the set of writable data that is required to
   transform a system from its initial default state into its current
   state.  State data is the additional data on a system that is not
   configuration data such as read-only status information and collected
   statistics.  When a device is performing configuration operations, a
   number of problems would arise if state data were included:

   o  Comparisons of configuration data sets would be dominated by
      irrelevant entries such as different statistics.

   o  Incoming data could contain nonsensical requests, such as attempts
      to write read-only data.

   o  The data sets would be large.

   o  Archived data could contain values for read-only data items,
      complicating the processing required to restore archived data.

Enns, et al.                 Standards Track                   [Page 10]



RFC 6241                    NETCONF Protocol                   June 2011

   To account for these issues, the NETCONF protocol recognizes the
   difference between configuration data and state data and provides
   operations for each.  The <get-config> operation retrieves
   configuration data only, while the <get> operation retrieves
   configuration and state data.

   Note that the NETCONF protocol is focused on the information required
   to get the device into its desired running state.  The inclusion of
   other important, persistent data is implementation specific.  For
   example, user files and databases are not treated as configuration
   data by the NETCONF protocol.

   For example, if a local database of user authentication data is
   stored on the device, it is an implementation-dependent matter
   whether it is included in configuration data.

2.  Transport Protocol Requirements

   NETCONF uses an RPC-based communication paradigm.  A client sends a
   series of one or more RPC request messages, which cause the server to
   respond with a corresponding series of RPC reply messages.

   The NETCONF protocol can be layered on any transport protocol that
   provides the required set of functionality.  It is not bound to any
   particular transport protocol, but allows a mapping to define how it
   can be implemented over any specific protocol.

   The transport protocol MUST provide a mechanism to indicate the
   session type (client or server) to the NETCONF protocol layer.

   This section details the characteristics that NETCONF requires from
   the underlying transport protocol.

2.1.  Connection-Oriented Operation

   NETCONF is connection-oriented, requiring a persistent connection
   between peers.  This connection MUST provide reliable, sequenced data
   delivery.  NETCONF connections are long-lived, persisting between
   protocol operations.

   In addition, resources requested from the server for a particular
   connection MUST be automatically released when the connection closes,
   making failure recovery simpler and more robust.  For example, when a
   lock is acquired by a client, the lock persists until either it is
   explicitly released or the server determines that the connection has
   been terminated.  If a connection is terminated while the client
   holds a lock, the server can perform any appropriate recovery.  The
   <lock> operation is further discussed in Section 7.5.

Enns, et al.                 Standards Track                   [Page 11]



RFC 6241                    NETCONF Protocol                   June 2011

2.2.  Authentication, Integrity, and Confidentiality

   NETCONF connections MUST provide authentication, data integrity,
   confidentiality, and replay protection.  NETCONF depends on the
   transport protocol for this capability.  A NETCONF peer assumes that
   appropriate levels of security and confidentiality are provided
   independently of this document.  For example, connections could be
   encrypted using Transport Layer Security (TLS) [RFC5246] or Secure
   Shell (SSH) [RFC4251], depending on the underlying protocol.

   NETCONF connections MUST be authenticated.  The transport protocol is
   responsible for authentication of the server to the client and
   authentication of the client to the server.  A NETCONF peer assumes
   that the connection's authentication information has been validated
   by the underlying transport protocol using sufficiently trustworthy
   mechanisms and that the peer's identity has been sufficiently proven.

   One goal of NETCONF is to provide a programmatic interface to the
   device that closely follows the functionality of the device's native
   interface.  Therefore, it is expected that the underlying protocol
   uses existing authentication mechanisms available on the device.  For
   example, a NETCONF server on a device that supports RADIUS [RFC2865]
   might allow the use of RADIUS to authenticate NETCONF sessions.

   The authentication process MUST result in an authenticated client
   identity whose permissions are known to the server.  The
   authenticated identity of a client is commonly referred to as the
   NETCONF username.  The username is a string of characters that match
   the "Char" production from Section 2.2 of [W3C.REC-xml-20001006].
   The algorithm used to derive the username is transport protocol
   specific and in addition specific to the authentication mechanism
   used by the transport protocol.  The transport protocol MUST provide
   a username to be used by the other NETCONF layers.

   The access permissions of a given client, identified by its NETCONF
   username, are part of the configuration of the NETCONF server.  These
   permissions MUST be enforced during the remainder of the NETCONF
   session.  The details of how access control is configured is outside
   the scope of this document.

2.3.  Mandatory Transport Protocol

   A NETCONF implementation MUST support the SSH transport protocol
   mapping [RFC6242].

Enns, et al.                 Standards Track                   [Page 12]



RFC 6241                    NETCONF Protocol                   June 2011

3.  XML Considerations

   XML serves as the encoding format for NETCONF, allowing complex
   hierarchical data to be expressed in a text format that can be read,
   saved, and manipulated with both traditional text tools and tools
   specific to XML.

   All NETCONF messages MUST be well-formed XML, encoded in UTF-8
   [RFC3629].  If a peer receives an <rpc> message that is not well-
   formed XML or not encoded in UTF-8, it SHOULD reply with a
   "malformed-message" error.  If a reply cannot be sent for any reason,
   the server MUST terminate the session.

   A NETCONF message MAY begin with an XML declaration (see Section 2.8
   of [W3C.REC-xml-20001006]).

   This section discusses a small number of XML-related considerations
   pertaining to NETCONF.

3.1.  Namespace

   All NETCONF protocol elements are defined in the following namespace:

      urn:ietf:params:xml:ns:netconf:base:1.0

   NETCONF capability names MUST be URIs [RFC3986].  NETCONF
   capabilities are discussed in Section 8.

3.2.  Document Type Declarations

   Document type declarations (see Section 2.8 of
   [W3C.REC-xml-20001006]) MUST NOT appear in NETCONF content.

4.  RPC Model

   The NETCONF protocol uses an RPC-based communication model.  NETCONF
   peers use <rpc> and <rpc-reply> elements to provide transport-
   protocol-independent framing of NETCONF requests and responses.

   The syntax and XML encoding of the Messages-layer RPCs are formally
   defined in the XML schema in Appendix B.

4.1.  <rpc> Element

   The <rpc> element is used to enclose a NETCONF request sent from the
   client to the server.

Enns, et al.                 Standards Track                   [Page 13]



RFC 6241                    NETCONF Protocol                   June 2011

   The <rpc> element has a mandatory attribute "message-id", which is a
   string chosen by the sender of the RPC that will commonly encode a
   monotonically increasing integer.  The receiver of the RPC does not
   decode or interpret this string but simply saves it to be used as a
   "message-id" attribute in any resulting <rpc-reply> message.  The
   sender MUST ensure that the "message-id" value is normalized
   according to the XML attribute value normalization rules defined in
   [W3C.REC-xml-20001006] if the sender wants the string to be returned
   unmodified.  For example:

       <rpc message-id="101"
            xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
         <some-method>
           <!-- method parameters here... -->
         </some-method>
       </rpc>

   If additional attributes are present in an <rpc> element, a NETCONF
   peer MUST return them unmodified in the <rpc-reply> element.  This
   includes any "xmlns" attributes.

   The name and parameters of an RPC are encoded as the contents of the
   <rpc> element.  The name of the RPC is an element directly inside the
   <rpc> element, and any parameters are encoded inside this element.

   The following example invokes a method called <my-own-method>, which
   has two parameters, <my-first-parameter>, with a value of "14", and
   <another-parameter>, with a value of "fred":

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <my-own-method xmlns="http://example.net/me/my-own/1.0">
         <my-first-parameter>14</my-first-parameter>
         <another-parameter>fred</another-parameter>
       </my-own-method>
     </rpc>

   The following example invokes a <rock-the-house> method with a
   <zip-code> parameter of "27606-0100":

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <rock-the-house xmlns="http://example.net/rock/1.0">
         <zip-code>27606-0100</zip-code>
       </rock-the-house>
     </rpc>

Enns, et al.                 Standards Track                   [Page 14]



RFC 6241                    NETCONF Protocol                   June 2011

   The following example invokes the NETCONF <get> method with no
   parameters:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get/>
     </rpc>

4.2.  <rpc-reply> Element

   The <rpc-reply> message is sent in response to an <rpc> message.

   The <rpc-reply> element has a mandatory attribute "message-id", which
   is equal to the "message-id" attribute of the <rpc> for which this is
   a response.

   A NETCONF server MUST also return any additional attributes included
   in the <rpc> element unmodified in the <rpc-reply> element.

   The response data is encoded as one or more child elements to the
   <rpc-reply> element.

   For example:

   The following <rpc> element invokes the NETCONF <get> method and
   includes an additional attribute called "user-id".  Note that the
   "user-id" attribute is not in the NETCONF namespace.  The returned
   <rpc-reply> element returns the "user-id" attribute, as well as the
   requested content.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
          xmlns:ex="http://example.net/content/1.0"
          ex:user-id="fred">
       <get/>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
          xmlns:ex="http://example.net/content/1.0"
          ex:user-id="fred">
       <data>
         <!-- contents here... -->
       </data>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 15]



RFC 6241                    NETCONF Protocol                   June 2011

4.3.  <rpc-error> Element

   The <rpc-error> element is sent in <rpc-reply> messages if an error
   occurs during the processing of an <rpc> request.

   If a server encounters multiple errors during the processing of an
   <rpc> request, the <rpc-reply> MAY contain multiple <rpc-error>
   elements.  However, a server is not required to detect or report more
   than one <rpc-error> element, if a request contains multiple errors.
   A server is not required to check for particular error conditions in
   a specific sequence.  A server MUST return an <rpc-error> element if
   any error conditions occur during processing.

   A server MUST NOT return application-level- or data-model-specific
   error information in an <rpc-error> element for which the client does
   not have sufficient access rights.

   The <rpc-error> element includes the following information:

   error-type:  Defines the conceptual layer that the error occurred.
      Enumeration.  One of:

      *  transport (layer: Secure Transport)

      *  rpc (layer: Messages)

      *  protocol (layer: Operations)

      *  application (layer: Content)

   error-tag:  Contains a string identifying the error condition.  See
      Appendix A for allowed values.

   error-severity:  Contains a string identifying the error severity, as
      determined by the device.  One of:

      *  error

      *  warning

      Note that there are no <error-tag> values defined in this document
      that utilize the "warning" enumeration.  This is reserved for
      future use.

   error-app-tag:  Contains a string identifying the data-model-specific
      or implementation-specific error condition, if one exists.  This
      element will not be present if no appropriate application error-
      tag can be associated with a particular error condition.  If a

Enns, et al.                 Standards Track                   [Page 16]



RFC 6241                    NETCONF Protocol                   June 2011

      data-model-specific and an implementation-specific error-app-tag
      both exist, then the data-model-specific value MUST be used by the
      server.

   error-path:  Contains the absolute XPath [W3C.REC-xpath-19991116]
      expression identifying the element path to the node that is
      associated with the error being reported in a particular
      <rpc-error> element.  This element will not be present if no
      appropriate payload element or datastore node can be associated
      with a particular error condition.

      The XPath expression is interpreted in the following context:

      *  The set of namespace declarations are those in scope on the
         <rpc-error> element.

      *  The set of variable bindings is empty.

      *  The function library is the core function library.

      The context node depends on the node associated with the error
      being reported:

      *  If a payload element can be associated with the error, the
         context node is the rpc request's document node (i.e., the
         <rpc> element).

      *  Otherwise, the context node is the root of all data models,
         i.e., the node that has the top-level nodes from all data
         models as children.

   error-message:  Contains a string suitable for human display that
      describes the error condition.  This element will not be present
      if no appropriate message is provided for a particular error
      condition.  This element SHOULD include an "xml:lang" attribute as
      defined in [W3C.REC-xml-20001006] and discussed in [RFC3470].

   error-info:  Contains protocol- or data-model-specific error content.
      This element will not be present if no such error content is
      provided for a particular error condition.  The list in Appendix A
      defines any mandatory error-info content for each error.  After
      any protocol-mandated content, a data model definition MAY mandate
      that certain application-layer error information be included in
      the error-info container.  An implementation MAY include
      additional elements to provide extended and/or implementation-
      specific debugging information.

   Appendix A enumerates the standard NETCONF errors.

Enns, et al.                 Standards Track                   [Page 17]



RFC 6241                    NETCONF Protocol                   June 2011

   Example:  An error is returned if an <rpc> element is received
      without a "message-id" attribute.  Note that only in this case is
      it acceptable for the NETCONF peer to omit the "message-id"
      attribute in the <rpc-reply> element.

     <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
       </get-config>
     </rpc>

     <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <rpc-error>
         <error-type>rpc</error-type>
         <error-tag>missing-attribute</error-tag>
         <error-severity>error</error-severity>
         <error-info>
           <bad-attribute>message-id</bad-attribute>
           <bad-element>rpc</bad-element>
         </error-info>
       </rpc-error>
     </rpc-reply>

   The following <rpc-reply> illustrates the case of returning multiple
   <rpc-error> elements.

   Note that the data models used in the examples in this section use
   the <name> element to distinguish between multiple instances of the
   <interface> element.

     <rpc-reply message-id="101"
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
       xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
       <rpc-error>
         <error-type>application</error-type>
         <error-tag>invalid-value</error-tag>
         <error-severity>error</error-severity>
         <error-path xmlns:t="http://example.com/schema/1.2/config">
           /t:top/t:interface[t:name="Ethernet0/0"]/t:mtu
         </error-path>
         <error-message xml:lang="en">
           MTU value 25000 is not within range 256..9192
         </error-message>
       </rpc-error>
       <rpc-error>
         <error-type>application</error-type>

Enns, et al.                 Standards Track                   [Page 18]



RFC 6241                    NETCONF Protocol                   June 2011

         <error-tag>invalid-value</error-tag>
         <error-severity>error</error-severity>
         <error-path xmlns:t="http://example.com/schema/1.2/config">
           /t:top/t:interface[t:name="Ethernet1/0"]/t:address/t:name
         </error-path>
         <error-message xml:lang="en">
           Invalid IP address for interface Ethernet1/0
         </error-message>
       </rpc-error>
     </rpc-reply>

4.4.  <ok> Element

   The <ok> element is sent in <rpc-reply> messages if no errors or
   warnings occurred during the processing of an <rpc> request, and no
   data was returned from the operation.  For example:

     <rpc-reply message-id="101"
                xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

4.5.  Pipelining

   NETCONF <rpc> requests MUST be processed serially by the managed
   device.  Additional <rpc> requests MAY be sent before previous ones
   have been completed.  The managed device MUST send responses only in
   the order the requests were received.

5.  Configuration Model

   NETCONF provides an initial set of operations and a number of
   capabilities that can be used to extend the base.  NETCONF peers
   exchange device capabilities when the session is initiated as
   described in Section 8.1.

5.1.  Configuration Datastores

   NETCONF defines the existence of one or more configuration datastores
   and allows configuration operations on them.  A configuration
   datastore is defined as the complete set of configuration data that
   is required to get a device from its initial default state into a
   desired operational state.  The configuration datastore does not
   include state data or executive commands.

Enns, et al.                 Standards Track                   [Page 19]



RFC 6241                    NETCONF Protocol                   June 2011

   The running configuration datastore holds the complete configuration
   currently active on the network device.  Only one configuration
   datastore of this type exists on the device, and it is always
   present.  NETCONF protocol operations refer to this datastore using
   the <running> element.

   Only the <running> configuration datastore is present in the base
   model.  Additional configuration datastores MAY be defined by
   capabilities.  Such configuration datastores are available only on
   devices that advertise the capabilities.

   The capabilities in Sections 8.3 and 8.7 define the <candidate> and
   <startup> configuration datastores, respectively.

5.2.  Data Modeling

   Data modeling and content issues are outside the scope of the NETCONF
   protocol.  An assumption is made that the device's data model is
   well-known to the application and that both parties are aware of
   issues such as the layout, containment, keying, lookup, replacement,
   and management of the data, as well as any other constraints imposed
   by the data model.

   NETCONF carries configuration data inside the <config> element that
   is specific to the device's data model.  The protocol treats the
   contents of that element as opaque data.  The device uses
   capabilities to announce the set of data models that the device
   implements.  The capability definition details the operation and
   constraints imposed by data model.

   Devices and managers can support multiple data models, including both
   standard and proprietary data models.

6.  Subtree Filtering

6.1.  Overview

   XML subtree filtering is a mechanism that allows an application to
   select particular XML subtrees to include in the <rpc-reply> for a
   <get> or <get-config> operation.  A small set of filters for
   inclusion, simple content exact-match, and selection is provided,
   which allows some useful, but also very limited, selection
   mechanisms.  The server does not need to utilize any data-model-
   specific semantics during processing, allowing for simple and
   centralized implementation strategies.

Enns, et al.                 Standards Track                   [Page 20]



RFC 6241                    NETCONF Protocol                   June 2011

   Conceptually, a subtree filter is comprised of zero or more element
   subtrees, which represent the filter selection criteria.  At each
   containment level within a subtree, the set of sibling nodes is
   logically processed by the server to determine if its subtree and
   path of elements to the root are included in the filter output.

   Each node specified in a subtree filter represents an inclusive
   filter.  Only associated nodes in underlying data model(s) within the
   specified datastore on the server are selected by the filter.  A node
   is selected if it matches the selection criteria and hierarchy of
   elements given in the filter data, except that the filter absolute
   path name is adjusted to start from the layer below <filter>.

   Response messages contain only the subtrees selected by the filter.
   Any selection criteria that were present in the request, within a
   particular selected subtree, are also included in the response.  Note
   that some elements expressed in the filter as leaf nodes will be
   expanded (i.e., subtrees included) in the filter output.  Specific
   data instances are not duplicated in the response in the event that
   the request contains multiple filter subtree expressions that select
   the same data.

6.2.  Subtree Filter Components

   A subtree filter is comprised of XML elements and their XML
   attributes.  There are five types of components that can be present
   in a subtree filter:

   o  Namespace Selection

   o  Attribute Match Expressions

   o  Containment Nodes

   o  Selection Nodes

   o  Content Match Nodes

6.2.1.  Namespace Selection

   A namespace is considered to match (for filter purposes) if the XML
   namespace associated with a particular node within the <filter>
   element is the same as in the underlying data model.  Note that
   namespace selection cannot be used by itself.  At least one element
   MUST be specified in the filter if any elements are to be included in
   the filter output.

Enns, et al.                 Standards Track                   [Page 21]



RFC 6241                    NETCONF Protocol                   June 2011

   An XML namespace wildcard mechanism is defined for subtree filtering.
   If an element within the <filter> element is not qualified by a
   namespace (e.g., xmlns=""), then the server MUST evaluate all the XML
   namespaces it supports, when processing that subtree filter node.
   This wildcard mechanism is not applicable to XML attributes.

   Note that prefix values for qualified namespaces are not relevant
   when comparing filter elements to elements in the underlying data
   model.

   Example:

     <filter type="subtree">
       <top xmlns="http://example.com/schema/1.2/config"/>
     </filter>

   In this example, the <top> element is a selection node, and only this
   node in the "http://example.com/schema/1.2/config" namespace and any
   child nodes (from the underlying data model) will be included in the
   filter output.

6.2.2.  Attribute Match Expressions

   An attribute that appears in a subtree filter is part of an
   "attribute match expression".  Any number of (unqualified or
   qualified) XML attributes MAY be present in any type of filter node.
   In addition to the selection criteria normally applicable to that
   node, the selected data MUST have matching values for every attribute
   specified in the node.  If an element is not defined to include a
   specified attribute, then it is not selected in the filter output.

   Example:

     <filter type="subtree">
       <t:top xmlns:t="http://example.com/schema/1.2/config">
         <t:interfaces>
           <t:interface t:ifName="eth0"/>
         </t:interfaces>
       </t:top>
     </filter>

   In this example, the <top> and <interfaces> elements are containment
   nodes, the <interface> element is a selection node, and "ifName" is
   an attribute match expression.  Only "interface" nodes in the
   "http://example.com/schema/1.2/config" namespace that have an
   "ifName" attribute with the value "eth0" and occur within
   "interfaces" nodes within "top" nodes will be included in the filter
   output.

Enns, et al.                 Standards Track                   [Page 22]



RFC 6241                    NETCONF Protocol                   June 2011

6.2.3.  Containment Nodes

   Nodes that contain child elements within a subtree filter are called
   "containment nodes".  Each child element can be any type of node,
   including another containment node.  For each containment node
   specified in a subtree filter, all data model instances that exactly
   match the specified namespaces, element hierarchy, and any attribute
   match expressions are included in the filter output.

   Example:

     <filter type="subtree">
       <top xmlns="http://example.com/schema/1.2/config">
         <users/>
       </top>
     </filter>

   In this example, the <top> element is a containment node.

6.2.4.  Selection Nodes

   An empty leaf node within a filter is called a "selection node", and
   it represents an "explicit selection" filter on the underlying data
   model.  Presence of any selection nodes within a set of sibling nodes
   will cause the filter to select the specified subtree(s) and suppress
   automatic selection of the entire set of sibling nodes in the
   underlying data model.  For filtering purposes, an empty leaf node
   can be declared either with an empty tag (e.g., <foo/>) or with
   explicit start and end tags (e.g., <foo> </foo>).  Any whitespace
   characters are ignored in this form.

   Example:

     <filter type="subtree">
       <top xmlns="http://example.com/schema/1.2/config">
         <users/>
       </top>
     </filter>

   In this example, the <top> element is a containment node, and the
   <users> element is a selection node.  Only "users" nodes in the
   "http://example.com/schema/1.2/config" namespace that occur within a
   <top> element that is the root of the configuration datastore will be
   included in the filter output.

Enns, et al.                 Standards Track                   [Page 23]



RFC 6241                    NETCONF Protocol                   June 2011

6.2.5.  Content Match Nodes

   A leaf node that contains simple content is called a "content match
   node".  It is used to select some or all of its sibling nodes for
   filter output, and it represents an exact-match filter on the leaf
   node element content.  The following constraints apply to content
   match nodes:

   o  A content match node MUST NOT contain nested elements.

   o  Multiple content match nodes (i.e., sibling nodes) are logically
      combined in an "AND" expression.

   o  Filtering of mixed content is not supported.

   o  Filtering of list content is not supported.

   o  Filtering of whitespace-only content is not supported.

   o  A content match node MUST contain non-whitespace characters.  An
      empty element (e.g., <foo></foo>) will be interpreted as a
      selection node (e.g., <foo/>).

   o  Leading and trailing whitespace characters are ignored, but any
      whitespace characters within a block of text characters are not
      ignored or modified.

   If all specified sibling content match nodes in a subtree filter
   expression are "true", then the filter output nodes are selected in
   the following manner:

   o  Each content match node in the sibling set is included in the
      filter output.

   o  If any containment nodes are present in the sibling set, then they
      are processed further and included if any nested filter criteria
      are also met.

   o  If any selection nodes are present in the sibling set, then all of
      them are included in the filter output.

   o  If any sibling nodes of the selection node are instance identifier
      components for a conceptual data structure (e.g., list key leaf),
      then they MAY also be included in the filter output.

Enns, et al.                 Standards Track                   [Page 24]



RFC 6241                    NETCONF Protocol                   June 2011

   o  Otherwise (i.e., there are no selection or containment nodes in
      the filter sibling set), all the nodes defined at this level in
      the underlying data model (and their subtrees, if any) are
      returned in the filter output.

   If any of the sibling content match node tests are "false", then no
   further filter processing is performed on that sibling set, and none
   of the sibling subtrees are selected by the filter, including the
   content match node(s).

   Example:

     <filter type="subtree">
       <top xmlns="http://example.com/schema/1.2/config">
         <users>
           <user>
             <name>fred</name>
           </user>
         </users>
       </top>
     </filter>

   In this example, the <users> and <user> nodes are both containment
   nodes, and <name> is a content match node.  Since no sibling nodes of
   <name> are specified (and therefore no containment or selection
   nodes), all of the sibling nodes of <name> are returned in the filter
   output.  Only "user" nodes in the
   "http://example.com/schema/1.2/config" namespace that match the
   element hierarchy and for which the <name> element is equal to "fred"
   will be included in the filter output.

6.3.  Subtree Filter Processing

   The filter output (the set of selected nodes) is initially empty.

   Each subtree filter can contain one or more data model fragments,
   which represent portions of the data model that will be selected
   (with all child nodes) in the filter output.

   Each subtree data fragment is compared by the server to the internal
   data models supported by the server.  If the entire subtree data-
   fragment filter (starting from the root to the innermost element
   specified in the filter) exactly matches a corresponding portion of
   the supported data model, then that node and all its children are
   included in the result data.

   The server processes all nodes with the same parent node (sibling
   set) together, starting from the root to the leaf nodes.  The root

Enns, et al.                 Standards Track                   [Page 25]



RFC 6241                    NETCONF Protocol                   June 2011

   elements in the filter are considered in the same sibling set
   (assuming they are in the same namespace), even though they do not
   have a common parent.

   For each sibling set, the server determines which nodes are included
   (or potentially included) in the filter output, and which sibling
   subtrees are excluded (pruned) from the filter output.  The server
   first determines which types of nodes are present in the sibling set
   and processes the nodes according to the rules for their type.  If
   any nodes in the sibling set are selected, then the process is
   recursively applied to the sibling sets of each selected node.  The
   algorithm continues until all sibling sets in all subtrees specified
   in the filter have been processed.

6.4.  Subtree Filtering Examples

6.4.1.  No Filter

   Leaving out the filter on the <get> operation returns the entire data
   model.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get/>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <!-- ... entire set of data returned ... -->
       </data>
     </rpc-reply>

6.4.2.  Empty Filter

   An empty filter will select nothing because no content match or
   selection nodes are present.  This is not an error.  The <filter>
   element's "type" attribute used in these examples is discussed
   further in Section 7.1.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get>
         <filter type="subtree">
         </filter>
       </get>
     </rpc>

Enns, et al.                 Standards Track                   [Page 26]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
       </data>
     </rpc-reply>

6.4.3.  Select the Entire <users> Subtree

   The filter in this example contains one selection node (<users>), so
   just that subtree is selected by the filter.  This example represents
   the fully populated <users> data model in most of the filter examples
   that follow.  In a real data model, the <company-info> would not
   likely be returned with the list of users for a particular host or
   network.

   NOTE: The filtering and configuration examples used in this document
   appear in the namespace "http://example.com/schema/1.2/config".  The
   root element of this namespace is <top>.  The <top> element and its
   descendents represent an example configuration data model only.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users/>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>root</name>
               <type>superuser</type>
               <full-name>Charlie Root</full-name>
               <company-info>
                 <dept>1</dept>
                 <id>1</id>
               </company-info>
             </user>

Enns, et al.                 Standards Track                   [Page 27]



RFC 6241                    NETCONF Protocol                   June 2011

             <user>
               <name>fred</name>
               <type>admin</type>
               <full-name>Fred Flintstone</full-name>
               <company-info>
                 <dept>2</dept>
                 <id>2</id>
               </company-info>
             </user>
             <user>
               <name>barney</name>
               <type>admin</type>
               <full-name>Barney Rubble</full-name>
               <company-info>
                 <dept>2</dept>
                 <id>3</id>
               </company-info>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

   The following filter request would have produced the same result, but
   only because the container <users> defines one child element
   (<user>).

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users>
               <user/>
             </users>
           </top>
         </filter>
       </get-config>
     </rpc>

Enns, et al.                 Standards Track                   [Page 28]



RFC 6241                    NETCONF Protocol                   June 2011

6.4.4.  Select All <name> Elements within the <users> Subtree

   This filter contains two containment nodes (<users>, <user>) and one
   selection node (<name>).  All instances of the <name> element in the
   same sibling set are selected in the filter output.  The client might
   need to know that <name> is used as an instance identifier in this
   particular data structure, but the server does not need to know that
   meta-data in order to process the request.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users>
               <user>
                 <name/>
               </user>
             </users>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>root</name>
             </user>
             <user>
               <name>fred</name>
             </user>
             <user>
               <name>barney</name>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 29]



RFC 6241                    NETCONF Protocol                   June 2011

6.4.5.  One Specific <user> Entry

   This filter contains two containment nodes (<users>, <user>) and one
   content match node (<name>).  All instances of the sibling set
   containing <name> for which the value of <name> equals "fred" are
   selected in the filter output.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users>
               <user>
                 <name>fred</name>
               </user>
             </users>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>fred</name>
               <type>admin</type>
               <full-name>Fred Flintstone</full-name>
               <company-info>
                 <dept>2</dept>
                 <id>2</id>
               </company-info>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 30]



RFC 6241                    NETCONF Protocol                   June 2011

6.4.6.  Specific Elements from a Specific <user> Entry

   This filter contains two containment nodes (<users>, <user>), one
   content match node (<name>), and two selection nodes (<type>,
   <full-name>).  All instances of the <type> and <full-name> elements
   in the same sibling set containing <name> for which the value of
   <name> equals "fred" are selected in the filter output.  The
   <company-info> element is not included because the sibling set
   contains selection nodes.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users>
               <user>
                 <name>fred</name>
                 <type/>
                 <full-name/>
               </user>
             </users>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>fred</name>
               <type>admin</type>
               <full-name>Fred Flintstone</full-name>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 31]



RFC 6241                    NETCONF Protocol                   June 2011

6.4.7.  Multiple Subtrees

   This filter contains three subtrees (name=root, fred, barney).

   The "root" subtree filter contains two containment nodes (<users>,
   <user>), one content match node (<name>), and one selection node
   (<company-info>).  The subtree selection criteria are met, and just
   the company-info subtree for "root" is selected in the filter output.

   The "fred" subtree filter contains three containment nodes (<users>,
   <user>, <company-info>), one content match node (<name>), and one
   selection node (<id>).  The subtree selection criteria are met, and
   just the <id> element within the company-info subtree for "fred" is
   selected in the filter output.

   The "barney" subtree filter contains three containment nodes
   (<users>, <user>, <company-info>), two content match nodes (<name>,
   <type>), and one selection node (<dept>).  The subtree selection
   criteria are not met because user "barney" is not a "superuser", and
   the entire subtree for "barney" (including its parent <user> entry)
   is excluded from the filter output.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users>
               <user>
                 <name>root</name>
                 <company-info/>
               </user>
               <user>
                 <name>fred</name>
                 <company-info>
                   <id/>
                 </company-info>
               </user>
               <user>
                 <name>barney</name>
                 <type>superuser</type>
                 <company-info>
                   <dept/>
                 </company-info>
               </user>

Enns, et al.                 Standards Track                   [Page 32]



RFC 6241                    NETCONF Protocol                   June 2011

             </users>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
                xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>root</name>
               <company-info>
                 <dept>1</dept>
                 <id>1</id>
               </company-info>
             </user>
             <user>
               <name>fred</name>
               <company-info>
                 <id>2</id>
               </company-info>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

6.4.8.  Elements with Attribute Naming

   In this example, the filter contains one containment node
   (<interfaces>), one attribute match expression ("ifName"), and one
   selection node (<interface>).  All instances of the <interface>
   subtree that have an "ifName" attribute equal to "eth0" are selected
   in the filter output.  The filter data elements and attributes are
   qualified because the "ifName" attribute will not be considered part
   of the "schema/1.2" namespace if it is unqualified.

Enns, et al.                 Standards Track                   [Page 33]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get>
         <filter type="subtree">
           <t:top xmlns:t="http://example.com/schema/1.2/stats">
             <t:interfaces>
               <t:interface t:ifName="eth0"/>
             </t:interfaces>
           </t:top>
         </filter>
       </get>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <t:top xmlns:t="http://example.com/schema/1.2/stats">
           <t:interfaces>
             <t:interface t:ifName="eth0">
               <t:ifInOctets>45621</t:ifInOctets>
               <t:ifOutOctets>774344</t:ifOutOctets>
             </t:interface>
           </t:interfaces>
         </t:top>
       </data>
     </rpc-reply>

   If "ifName" were a child node instead of an attribute, then the
   following request would produce similar results.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/stats">
             <interfaces>
               <interface>
                 <ifName>eth0</ifName>
               </interface>
             </interfaces>
           </top>
         </filter>
       </get>
     </rpc>

Enns, et al.                 Standards Track                   [Page 34]



RFC 6241                    NETCONF Protocol                   June 2011

7.  Protocol Operations

   The NETCONF protocol provides a small set of low-level operations to
   manage device configurations and retrieve device state information.
   The base protocol provides operations to retrieve, configure, copy,
   and delete configuration datastores.  Additional operations are
   provided, based on the capabilities advertised by the device.

   The base protocol includes the following protocol operations:

   o  get

   o  get-config

   o  edit-config

   o  copy-config

   o  delete-config

   o  lock

   o  unlock

   o  close-session

   o  kill-session

   A protocol operation can fail for various reasons, including
   "operation not supported".  An initiator SHOULD NOT assume that any
   operation will always succeed.  The return values in any RPC reply
   SHOULD be checked for error responses.

   The syntax and XML encoding of the protocol operations are formally
   defined in the YANG module in Appendix C.  The following sections
   describe the semantics of each protocol operation.

7.1.  <get-config>

   Description:  Retrieve all or part of a specified configuration
      datastore.

   Parameters:

      source:  Name of the configuration datastore being queried, such
         as <running/>.

Enns, et al.                 Standards Track                   [Page 35]



RFC 6241                    NETCONF Protocol                   June 2011

      filter:  This parameter identifies the portions of the device
         configuration datastore to retrieve.  If this parameter is not
         present, the entire configuration is returned.

         The <filter> element MAY optionally contain a "type" attribute.
         This attribute indicates the type of filtering syntax used
         within the <filter> element.  The default filtering mechanism
         in NETCONF is referred to as subtree filtering and is described
         in Section 6.  The value "subtree" explicitly identifies this
         type of filtering.

         If the NETCONF peer supports the :xpath capability
         (Section 8.9), the value "xpath" MAY be used to indicate that
         the "select" attribute on the <filter> element contains an
         XPath expression.

   Positive Response:  If the device can satisfy the request, the server
      sends an <rpc-reply> element containing a <data> element with the
      results of the query.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:  To retrieve the entire <users> subtree:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/config">
             <users/>
           </top>
         </filter>
       </get-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>root</name>
               <type>superuser</type>
               <full-name>Charlie Root</full-name>

Enns, et al.                 Standards Track                   [Page 36]



RFC 6241                    NETCONF Protocol                   June 2011

               <company-info>
                 <dept>1</dept>
                 <id>1</id>
               </company-info>
             </user>
             <!-- additional <user> elements appear here... -->
           </users>
         </top>
       </data>
     </rpc-reply>

      Section 6 contains additional examples of subtree filtering.

7.2.  <edit-config>

   Description:

      The <edit-config> operation loads all or part of a specified
      configuration to the specified target configuration datastore.
      This operation allows the new configuration to be expressed in
      several ways, such as using a local file, a remote file, or
      inline.  If the target configuration datastore does not exist, it
      will be created.

      If a NETCONF peer supports the :url capability (Section 8.8), the
      <url> element can appear instead of the <config> parameter.

      The device analyzes the source and target configurations and
      performs the requested changes.  The target configuration is not
      necessarily replaced, as with the <copy-config> message.  Instead,
      the target configuration is changed in accordance with the
      source's data and requested operations.

      If the <edit-config> operation contains multiple sub-operations
      that apply to the same conceptual node in the underlying data
      model, then the result of the operation is undefined (i.e.,
      outside the scope of the NETCONF protocol).

   Attributes:

      operation:  Elements in the <config> subtree MAY contain an
         "operation" attribute, which belongs to the NETCONF namespace
         defined in Section 3.1.  The attribute identifies the point in
         the configuration to perform the operation and MAY appear on
         multiple elements throughout the <config> subtree.

         If the "operation" attribute is not specified, the
         configuration is merged into the configuration datastore.

Enns, et al.                 Standards Track                   [Page 37]



RFC 6241                    NETCONF Protocol                   June 2011

         The "operation" attribute has one of the following values:

         merge:  The configuration data identified by the element
            containing this attribute is merged with the configuration
            at the corresponding level in the configuration datastore
            identified by the <target> parameter.  This is the default
            behavior.

         replace:  The configuration data identified by the element
            containing this attribute replaces any related configuration
            in the configuration datastore identified by the <target>
            parameter.  If no such configuration data exists in the
            configuration datastore, it is created.  Unlike a
            <copy-config> operation, which replaces the entire target
            configuration, only the configuration actually present in
            the <config> parameter is affected.

         create:  The configuration data identified by the element
            containing this attribute is added to the configuration if
            and only if the configuration data does not already exist in
            the configuration datastore.  If the configuration data
            exists, an <rpc-error> element is returned with an
            <error-tag> value of "data-exists".

         delete:  The configuration data identified by the element
            containing this attribute is deleted from the configuration
            if and only if the configuration data currently exists in
            the configuration datastore.  If the configuration data does
            not exist, an <rpc-error> element is returned with an
            <error-tag> value of "data-missing".

         remove:  The configuration data identified by the element
            containing this attribute is deleted from the configuration
            if the configuration data currently exists in the
            configuration datastore.  If the configuration data does not
            exist, the "remove" operation is silently ignored by the
            server.

   Parameters:

      target:  Name of the configuration datastore being edited, such as
         <running/> or <candidate/>.

      default-operation:  Selects the default operation (as described in
         the "operation" attribute) for this <edit-config> request.  The
         default value for the <default-operation> parameter is "merge".

Enns, et al.                 Standards Track                   [Page 38]



RFC 6241                    NETCONF Protocol                   June 2011

         The <default-operation> parameter is optional, but if provided,
         it has one of the following values:

         merge:  The configuration data in the <config> parameter is
            merged with the configuration at the corresponding level in
            the target datastore.  This is the default behavior.

         replace:  The configuration data in the <config> parameter
            completely replaces the configuration in the target
            datastore.  This is useful for loading previously saved
            configuration data.

         none:  The target datastore is unaffected by the configuration
            in the <config> parameter, unless and until the incoming
            configuration data uses the "operation" attribute to request
            a different operation.  If the configuration in the <config>
            parameter contains data for which there is not a
            corresponding level in the target datastore, an <rpc-error>
            is returned with an <error-tag> value of data-missing.
            Using "none" allows operations like "delete" to avoid
            unintentionally creating the parent hierarchy of the element
            to be deleted.

      test-option:  The <test-option> element MAY be specified only if
         the device advertises the :validate:1.1 capability
         (Section 8.6).

         The <test-option> element has one of the following values:

         test-then-set:  Perform a validation test before attempting to
            set.  If validation errors occur, do not perform the
            <edit-config> operation.  This is the default test-option.

         set:  Perform a set without a validation test first.

         test-only:  Perform only the validation test, without
            attempting to set.

      error-option:  The <error-option> element has one of the following
         values:

         stop-on-error:  Abort the <edit-config> operation on first
            error.  This is the default error-option.

         continue-on-error:  Continue to process configuration data on
            error; error is recorded, and negative response is generated
            if any errors occur.

Enns, et al.                 Standards Track                   [Page 39]



RFC 6241                    NETCONF Protocol                   June 2011

         rollback-on-error:  If an error condition occurs such that an
            error severity <rpc-error> element is generated, the server
            will stop processing the <edit-config> operation and restore
            the specified configuration to its complete state at the
            start of this <edit-config> operation.  This option requires
            the server to support the :rollback-on-error capability
            described in Section 8.5.

      config:  A hierarchy of configuration data as defined by one of
         the device's data models.  The contents MUST be placed in an
         appropriate namespace, to allow the device to detect the
         appropriate data model, and the contents MUST follow the
         constraints of that data model, as defined by its capability
         definition.  Capabilities are discussed in Section 8.

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent containing an <ok> element.

   Negative Response:  An <rpc-error> response is sent if the request
      cannot be completed for any reason.

   Example:  The <edit-config> examples in this section utilize a simple
      data model, in which multiple instances of the <interface> element
      can be present, and an instance is distinguished by the <name>
      element within each <interface> element.

      Set the MTU to 1500 on an interface named "Ethernet0/0" in the
      running configuration:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <config>
           <top xmlns="http://example.com/schema/1.2/config">
             <interface>
               <name>Ethernet0/0</name>
               <mtu>1500</mtu>
             </interface>
           </top>
         </config>
       </edit-config>
     </rpc>

Enns, et al.                 Standards Track                   [Page 40]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

   Add an interface named "Ethernet0/0" to the running configuration,
   replacing any previous interface with that name:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
           <top xmlns="http://example.com/schema/1.2/config">
             <interface xc:operation="replace">
               <name>Ethernet0/0</name>
               <mtu>1500</mtu>
               <address>
                 <name>192.0.2.4</name>
                 <prefix-length>24</prefix-length>
               </address>
             </interface>
           </top>
         </config>
       </edit-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

   Delete the configuration for an interface named "Ethernet0/0" from
   the running configuration:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <default-operation>none</default-operation>
         <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
           <top xmlns="http://example.com/schema/1.2/config">
             <interface xc:operation="delete">
               <name>Ethernet0/0</name>

Enns, et al.                 Standards Track                   [Page 41]



RFC 6241                    NETCONF Protocol                   June 2011

             </interface>
           </top>
         </config>
       </edit-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

   Delete interface 192.0.2.4 from an OSPF area (other interfaces
   configured in the same area are unaffected):

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <default-operation>none</default-operation>
         <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
           <top xmlns="http://example.com/schema/1.2/config">
             <protocols>
               <ospf>
                 <area>
                   <name>0.0.0.0</name>
                   <interfaces>
                     <interface xc:operation="delete">
                       <name>192.0.2.4</name>
                     </interface>
                   </interfaces>
                 </area>
               </ospf>
             </protocols>
           </top>
         </config>
       </edit-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 42]



RFC 6241                    NETCONF Protocol                   June 2011

7.3.  <copy-config>

   Description:  Create or replace an entire configuration datastore
      with the contents of another complete configuration datastore.  If
      the target datastore exists, it is overwritten.  Otherwise, a new
      one is created, if allowed.

      If a NETCONF peer supports the :url capability (Section 8.8), the
      <url> element can appear as the <source> or <target> parameter.

      Even if it advertises the :writable-running capability, a device
      MAY choose not to support the <running/> configuration datastore
      as the <target> parameter of a <copy-config> operation.  A device
      MAY choose not to support remote-to-remote copy operations, where
      both the <source> and <target> parameters use the <url> element.
      If the <source> and <target> parameters identify the same URL or
      configuration datastore, an error MUST be returned with an error-
      tag containing "invalid-value".

   Parameters:

      target:  Name of the configuration datastore to use as the
         destination of the <copy-config> operation.

      source:  Name of the configuration datastore to use as the source
         of the <copy-config> operation, or the <config> element
         containing the complete configuration to copy.

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that includes an <ok> element.

   Negative Response:  An <rpc-error> element is included within the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <copy-config>
         <target>
           <running/>
         </target>
         <source>
           <url>https://user:password@example.com/cfg/new.txt</url>
         </source>
       </copy-config>
     </rpc>

Enns, et al.                 Standards Track                   [Page 43]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc-reply message-id="101"
         xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

7.4.  <delete-config>

   Description:  Delete a configuration datastore.  The <running>
      configuration datastore cannot be deleted.

      If a NETCONF peer supports the :url capability (Section 8.8), the
      <url> element can appear as the <target> parameter.

   Parameters:

      target:  Name of the configuration datastore to delete.

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that includes an <ok> element.

   Negative Response:  An <rpc-error> element is included within the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <delete-config>
         <target>
           <startup/>
         </target>
       </delete-config>
     </rpc>

      <rpc-reply message-id="101"
           xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

7.5.  <lock>

   Description:  The <lock> operation allows the client to lock the
      entire configuration datastore system of a device.  Such locks are
      intended to be short-lived and allow a client to make a change
      without fear of interaction with other NETCONF clients, non-
      NETCONF clients (e.g., SNMP and command line interface (CLI)
      scripts), and human users.

Enns, et al.                 Standards Track                   [Page 44]



RFC 6241                    NETCONF Protocol                   June 2011

      An attempt to lock the configuration datastore MUST fail if an
      existing session or other entity holds a lock on any portion of
      the lock target.

      When the lock is acquired, the server MUST prevent any changes to
      the locked resource other than those requested by this session.
      SNMP and CLI requests to modify the resource MUST fail with an
      appropriate error.

      The duration of the lock is defined as beginning when the lock is
      acquired and lasting until either the lock is released or the
      NETCONF session closes.  The session closure can be explicitly
      performed by the client, or implicitly performed by the server
      based on criteria such as failure of the underlying transport,
      simple inactivity timeout, or detection of abusive behavior on the
      part of the client.  These criteria are dependent on the
      implementation and the underlying transport.

      The <lock> operation takes a mandatory parameter, <target>.  The
      <target> parameter names the configuration datastore that will be
      locked.  When a lock is active, using the <edit-config> operation
      on the locked configuration datastore and using the locked
      configuration as a target of the <copy-config> operation will be
      disallowed by any other NETCONF session.  Additionally, the system
      will ensure that these locked configuration resources will not be
      modified by other non-NETCONF management operations such as SNMP
      and CLI.  The <kill-session> operation can be used to force the
      release of a lock owned by another NETCONF session.  It is beyond
      the scope of this document to define how to break locks held by
      other entities.

      A lock MUST NOT be granted if any of the following conditions is
      true:

      *  A lock is already held by any NETCONF session or another
         entity.

      *  The target configuration is <candidate>, it has already been
         modified, and these changes have not been committed or rolled
         back.

      *  The target configuration is <running>, and another NETCONF
         session has an ongoing confirmed commit (Section 8.4).

      The server MUST respond with either an <ok> element or an
      <rpc-error>.

Enns, et al.                 Standards Track                   [Page 45]



RFC 6241                    NETCONF Protocol                   June 2011

      A lock will be released by the system if the session holding the
      lock is terminated for any reason.

   Parameters:

      target:  Name of the configuration datastore to lock.

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that contains an <ok> element.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

      If the lock is already held, the <error-tag> element will be
      "lock-denied" and the <error-info> element will include the
      <session-id> of the lock owner.  If the lock is held by a non-
      NETCONF entity, a <session-id> of 0 (zero) is included.  Note that
      any other entity performing a lock on even a partial piece of a
      target will prevent a NETCONF lock (which is global) from being
      obtained on that target.

   Example:  The following example shows a successful acquisition of a
      lock.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <lock>
         <target>
           <running/>
         </target>
       </lock>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/> <!-- lock succeeded -->
     </rpc-reply>

   Example:  The following example shows a failed attempt to acquire a
      lock when the lock is already in use.

Enns, et al.                 Standards Track                   [Page 46]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <lock>
         <target>
           <running/>
         </target>
       </lock>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <rpc-error> <!-- lock failed -->
         <error-type>protocol</error-type>
         <error-tag>lock-denied</error-tag>
         <error-severity>error</error-severity>
         <error-message>
           Lock failed, lock is already held
         </error-message>
         <error-info>
           <session-id>454</session-id>
           <!-- lock is held by NETCONF session 454 -->
         </error-info>
       </rpc-error>
     </rpc-reply>

7.6.  <unlock>

   Description:  The <unlock> operation is used to release a
      configuration lock, previously obtained with the <lock> operation.

      An <unlock> operation will not succeed if either of the following
      conditions is true:

      *  The specified lock is not currently active.

      *  The session issuing the <unlock> operation is not the same
         session that obtained the lock.

      The server MUST respond with either an <ok> element or an
      <rpc-error>.

   Parameters:

      target:  Name of the configuration datastore to unlock.

         A NETCONF client is not permitted to unlock a configuration
         datastore that it did not lock.

Enns, et al.                 Standards Track                   [Page 47]



RFC 6241                    NETCONF Protocol                   June 2011

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that contains an <ok> element.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <unlock>
         <target>
          <running/>
         </target>
       </unlock>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

7.7.  <get>

   Description:  Retrieve running configuration and device state
      information.

   Parameters:

      filter:  This parameter specifies the portion of the system
         configuration and state data to retrieve.  If this parameter is
         not present, all the device configuration and state information
         is returned.

         The <filter> element MAY optionally contain a "type" attribute.
         This attribute indicates the type of filtering syntax used
         within the <filter> element.  The default filtering mechanism
         in NETCONF is referred to as subtree filtering and is described
         in Section 6.  The value "subtree" explicitly identifies this
         type of filtering.

         If the NETCONF peer supports the :xpath capability
         (Section 8.9), the value "xpath" MAY be used to indicate that
         the "select" attribute of the <filter> element contains an
         XPath expression.

Enns, et al.                 Standards Track                   [Page 48]



RFC 6241                    NETCONF Protocol                   June 2011

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent.  The <data> section contains the appropriate
      subset.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get>
         <filter type="subtree">
           <top xmlns="http://example.com/schema/1.2/stats">
             <interfaces>
               <interface>
                 <ifName>eth0</ifName>
               </interface>
             </interfaces>
           </top>
         </filter>
       </get>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/stats">
           <interfaces>
             <interface>
               <ifName>eth0</ifName>
               <ifInOctets>45621</ifInOctets>
               <ifOutOctets>774344</ifOutOctets>
             </interface>
           </interfaces>
         </top>
       </data>
     </rpc-reply>

7.8.  <close-session>

   Description:  Request graceful termination of a NETCONF session.

      When a NETCONF server receives a <close-session> request, it will
      gracefully close the session.  The server will release any locks
      and resources associated with the session and gracefully close any
      associated connections.  Any NETCONF requests received after a
      <close-session> request will be ignored.

Enns, et al.                 Standards Track                   [Page 49]



RFC 6241                    NETCONF Protocol                   June 2011

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that includes an <ok> element.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <close-session/>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

7.9.  <kill-session>

   Description:  Force the termination of a NETCONF session.

      When a NETCONF entity receives a <kill-session> request for an
      open session, it will abort any operations currently in process,
      release any locks and resources associated with the session, and
      close any associated connections.

      If a NETCONF server receives a <kill-session> request while
      processing a confirmed commit (Section 8.4), it MUST restore the
      configuration to its state before the confirmed commit was issued.

      Otherwise, the <kill-session> operation does not roll back
      configuration or other device state modifications made by the
      entity holding the lock.

   Parameters:

      session-id:  Session identifier of the NETCONF session to be
         terminated.  If this value is equal to the current session ID,
         an "invalid-value" error is returned.

   Positive Response:  If the device was able to satisfy the request, an
      <rpc-reply> is sent that includes an <ok> element.

   Negative Response:  An <rpc-error> element is included in the
      <rpc-reply> if the request cannot be completed for any reason.

Enns, et al.                 Standards Track                   [Page 50]



RFC 6241                    NETCONF Protocol                   June 2011

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <kill-session>
         <session-id>4</session-id>
       </kill-session>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

8.  Capabilities

   This section defines a set of capabilities that a client or a server
   MAY implement.  Each peer advertises its capabilities by sending them
   during an initial capabilities exchange.  Each peer needs to
   understand only those capabilities that it might use and MUST ignore
   any capability received from the other peer that it does not require
   or does not understand.

   Additional capabilities can be defined using the template in
   Appendix D.  Future capability definitions can be published as
   standards by standards bodies or published as proprietary extensions.

   A NETCONF capability is identified with a URI.  The base capabilities
   are defined using URNs following the method described in RFC 3553
   [RFC3553].  Capabilities defined in this document have the following
   format:

      urn:ietf:params:netconf:capability:{name}:1.x

   where {name} is the name of the capability.  Capabilities are often
   referenced in discussions and email using the shorthand :{name}, or
   :{name}:{version} if the capability exists in multiple versions.  For
   example, the foo capability would have the formal name
   "urn:ietf:params:netconf:capability:foo:1.0" and be called ":foo".
   The shorthand form MUST NOT be used inside the protocol.

8.1.  Capabilities Exchange

   Capabilities are advertised in messages sent by each peer during
   session establishment.  When the NETCONF session is opened, each peer
   (both client and server) MUST send a <hello> element containing a
   list of that peer's capabilities.  Each peer MUST send at least the

Enns, et al.                 Standards Track                   [Page 51]



RFC 6241                    NETCONF Protocol                   June 2011

   base NETCONF capability, "urn:ietf:params:netconf:base:1.1".  A peer
   MAY include capabilities for previous NETCONF versions, to indicate
   that it supports multiple protocol versions.

   Both NETCONF peers MUST verify that the other peer has advertised a
   common protocol version.  When comparing protocol version capability
   URIs, only the base part is used, in the event any parameters are
   encoded at the end of the URI string.  If no protocol version
   capability in common is found, the NETCONF peer MUST NOT continue the
   session.  If more than one protocol version URI in common is present,
   then the highest numbered (most recent) protocol version MUST be used
   by both peers.

   A server sending the <hello> element MUST include a <session-id>
   element containing the session ID for this NETCONF session.  A client
   sending the <hello> element MUST NOT include a <session-id> element.

   A server receiving a <hello> message with a <session-id> element MUST
   terminate the NETCONF session.  Similarly, a client that does not
   receive a <session-id> element in the server's <hello> message MUST
   terminate the NETCONF session (without first sending a
   <close-session>).

   In the following example, a server advertises the base NETCONF
   capability, one NETCONF capability defined in the base NETCONF
   document, and one implementation-specific capability.

   <hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
     <capabilities>
       <capability>
         urn:ietf:params:netconf:base:1.1
       </capability>
       <capability>
         urn:ietf:params:netconf:capability:startup:1.0
       </capability>
       <capability>
         http://example.net/router/2.3/myfeature
       </capability>
     </capabilities>
     <session-id>4</session-id>
   </hello>

   Each peer sends its <hello> element simultaneously as soon as the
   connection is open.  A peer MUST NOT wait to receive the capability
   set from the other side before sending its own set.

Enns, et al.                 Standards Track                   [Page 52]



RFC 6241                    NETCONF Protocol                   June 2011

8.2.  Writable-Running Capability

8.2.1.  Description

   The :writable-running capability indicates that the device supports
   direct writes to the <running> configuration datastore.  In other
   words, the device supports <edit-config> and <copy-config> operations
   where the <running> configuration is the target.

8.2.2.  Dependencies

   None.

8.2.3.  Capability Identifier

   The :writable-running capability is identified by the following
   capability string:

      urn:ietf:params:netconf:capability:writable-running:1.0

8.2.4.  New Operations

   None.

8.2.5.  Modifications to Existing Operations

8.2.5.1.  <edit-config>

   The :writable-running capability modifies the <edit-config> operation
   to accept the <running> element as a <target>.

8.2.5.2.  <copy-config>

   The :writable-running capability modifies the <copy-config> operation
   to accept the <running> element as a <target>.

8.3.  Candidate Configuration Capability

8.3.1.  Description

   The candidate configuration capability, :candidate, indicates that
   the device supports a candidate configuration datastore, which is
   used to hold configuration data that can be manipulated without
   impacting the device's current configuration.  The candidate
   configuration is a full configuration data set that serves as a work
   place for creating and manipulating configuration data.  Additions,
   deletions, and changes can be made to this data to construct the

Enns, et al.                 Standards Track                   [Page 53]



RFC 6241                    NETCONF Protocol                   June 2011

   desired configuration data.  A <commit> operation MAY be performed at
   any time that causes the device's running configuration to be set to
   the value of the candidate configuration.

   The <commit> operation effectively sets the running configuration to
   the current contents of the candidate configuration.  While it could
   be modeled as a simple copy, it is done as a distinct operation for a
   number of reasons.  In keeping high-level concepts as first-class
   operations, we allow developers to see more clearly both what the
   client is requesting and what the server must perform.  This keeps
   the intentions more obvious, the special cases less complex, and the
   interactions between operations more straightforward.  For example,
   the :confirmed-commit:1.1 capability (Section 8.4) would make no
   sense as a "copy confirmed" operation.

   The candidate configuration can be shared among multiple sessions.
   Unless a client has specific information that the candidate
   configuration is not shared, it MUST assume that other sessions are
   able to modify the candidate configuration at the same time.  It is
   therefore prudent for a client to lock the candidate configuration
   before modifying it.

   The client can discard any uncommitted changes to the candidate
   configuration by executing the <discard-changes> operation.  This
   operation reverts the contents of the candidate configuration to the
   contents of the running configuration.

8.3.2.  Dependencies

   None.

8.3.3.  Capability Identifier

   The :candidate capability is identified by the following capability
   string:

      urn:ietf:params:netconf:capability:candidate:1.0

8.3.4.  New Operations

8.3.4.1.  <commit>

   Description:

         When the candidate configuration's content is complete, the
         configuration data can be committed, publishing the data set to
         the rest of the device and requesting the device to conform to
         the behavior described in the new configuration.

Enns, et al.                 Standards Track                   [Page 54]



RFC 6241                    NETCONF Protocol                   June 2011

         To commit the candidate configuration as the device's new
         current configuration, use the <commit> operation.

         The <commit> operation instructs the device to implement the
         configuration data contained in the candidate configuration.
         If the device is unable to commit all of the changes in the
         candidate configuration datastore, then the running
         configuration MUST remain unchanged.  If the device does
         succeed in committing, the running configuration MUST be
         updated with the contents of the candidate configuration.

         If the running or candidate configuration is currently locked
         by a different session, the <commit> operation MUST fail with
         an <error-tag> value of "in-use".

         If the system does not have the :candidate capability, the
         <commit> operation is not available.

   Positive Response:

         If the device was able to satisfy the request, an <rpc-reply>
         is sent that contains an <ok> element.

   Negative Response:

         An <rpc-error> element is included in the <rpc-reply> if the
         request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit/>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

8.3.4.2.  <discard-changes>

   If the client decides that the candidate configuration is not to be
   committed, the <discard-changes> operation can be used to revert the
   candidate configuration to the current running configuration.

Enns, et al.                 Standards Track                   [Page 55]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <discard-changes/>
     </rpc>

   This operation discards any uncommitted changes by resetting the
   candidate configuration with the content of the running
   configuration.

8.3.5.  Modifications to Existing Operations

8.3.5.1.  <get-config>, <edit-config>, <copy-config>, and <validate>

   The candidate configuration can be used as a source or target of any
   <get-config>, <edit-config>, <copy-config>, or <validate> operation
   as a <source> or <target> parameter.  The <candidate> element is used
   to indicate the candidate configuration:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <candidate/>
         </source>
       </get-config>
     </rpc>

8.3.5.2.  <lock> and <unlock>

   The candidate configuration can be locked using the <lock> operation
   with the <candidate> element as the <target> parameter:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <lock>
         <target>
           <candidate/>
         </target>
       </lock>
     </rpc>

   Similarly, the candidate configuration is unlocked using the
   <candidate> element as the <target> parameter:

Enns, et al.                 Standards Track                   [Page 56]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <unlock>
         <target>
           <candidate/>
         </target>
       </unlock>
     </rpc>

   When a client fails with outstanding changes to the candidate
   configuration, recovery can be difficult.  To facilitate easy
   recovery, any outstanding changes are discarded when the lock is
   released, whether explicitly with the <unlock> operation or
   implicitly from session failure.

8.4.  Confirmed Commit Capability

8.4.1.  Description

   The :confirmed-commit:1.1 capability indicates that the server will
   support the <cancel-commit> operation and the <confirmed>,
   <confirm-timeout>, <persist>, and <persist-id> parameters for the
   <commit> operation.  See Section 8.3 for further details on the
   <commit> operation.

   A confirmed <commit> operation MUST be reverted if a confirming
   commit is not issued within the timeout period (by default 600
   seconds = 10 minutes).  The confirming commit is a <commit> operation
   without the <confirmed> parameter.  The timeout period can be
   adjusted with the <confirm-timeout> parameter.  If a follow-up
   confirmed <commit> operation is issued before the timer expires, the
   timer is reset to the new value (600 seconds by default).  Both the
   confirming commit and a follow-up confirmed <commit> operation MAY
   introduce additional changes to the configuration.

   If the <persist> element is not given in the confirmed commit
   operation, any follow-up commit and the confirming commit MUST be
   issued on the same session that issued the confirmed commit.  If the
   <persist> element is given in the confirmed <commit> operation, a
   follow-up commit and the confirming commit can be given on any
   session, and they MUST include a <persist-id> element with a value
   equal to the given value of the <persist> element.

   If the server also advertises the :startup capability, a
   <copy-config> from running to startup is also necessary to save the
   changes to startup.

Enns, et al.                 Standards Track                   [Page 57]



RFC 6241                    NETCONF Protocol                   June 2011

   If the session issuing the confirmed commit is terminated for any
   reason before the confirm timeout expires, the server MUST restore
   the configuration to its state before the confirmed commit was
   issued, unless the confirmed commit also included a <persist>
   element.

   If the device reboots for any reason before the confirm timeout
   expires, the server MUST restore the configuration to its state
   before the confirmed commit was issued.

   If a confirming commit is not issued, the device will revert its
   configuration to the state prior to the issuance of the confirmed
   commit.  To cancel a confirmed commit and revert changes without
   waiting for the confirm timeout to expire, the client can explicitly
   restore the configuration to its state before the confirmed commit
   was issued, by using the <cancel-commit> operation.

   For shared configurations, this feature can cause other configuration
   changes (for example, via other NETCONF sessions) to be inadvertently
   altered or removed, unless the configuration locking feature is used
   (in other words, the lock is obtained before the <edit-config>
   operation is started).  Therefore, it is strongly suggested that in
   order to use this feature with shared configuration datastores,
   configuration locking SHOULD also be used.

   Version 1.0 of this capability was defined in [RFC4741].  Version 1.1
   is defined in this document, and extends version 1.0 by adding a new
   operation, <cancel-commit>, and two new optional parameters,
   <persist> and <persist-id>.  For backwards compatibility with old
   clients, servers conforming to this specification MAY advertise
   version 1.0 in addition to version 1.1.

8.4.2.  Dependencies

   The :confirmed-commit:1.1 capability is only relevant if the
   :candidate capability is also supported.

8.4.3.  Capability Identifier

   The :confirmed-commit:1.1 capability is identified by the following
   capability string:

      urn:ietf:params:netconf:capability:confirmed-commit:1.1

Enns, et al.                 Standards Track                   [Page 58]



RFC 6241                    NETCONF Protocol                   June 2011

8.4.4.  New Operations

8.4.4.1.  <cancel-commit>

   Description:

         Cancels an ongoing confirmed commit.  If the <persist-id>
         parameter is not given, the <cancel-commit> operation MUST be
         issued on the same session that issued the confirmed commit.

   Parameters:

      persist-id:

            Cancels a persistent confirmed commit.  The value MUST be
            equal to the value given in the <persist> parameter to the
            <commit> operation.  If the value does not match, the
            operation fails with an "invalid-value" error.

   Positive Response:

         If the device was able to satisfy the request, an <rpc-reply>
         is sent that contains an <ok> element.

   Negative Response:

         An <rpc-error> element is included in the <rpc-reply> if the
         request cannot be completed for any reason.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit>
         <confirmed/>
       </commit>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

     <rpc message-id="102"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <cancel-commit/>
     </rpc>

Enns, et al.                 Standards Track                   [Page 59]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc-reply message-id="102"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

8.4.5.  Modifications to Existing Operations

8.4.5.1.  <commit>

   The :confirmed-commit:1.1 capability allows 4 additional parameters
   to the <commit> operation.

   Parameters:

      confirmed:

            Perform a confirmed <commit> operation.

      confirm-timeout:

            Timeout period for confirmed commit, in seconds.  If
            unspecified, the confirm timeout defaults to 600 seconds.

      persist:

            Make the confirmed commit survive a session termination, and
            set a token on the ongoing confirmed commit.

      persist-id:

            Used to issue a follow-up confirmed commit or a confirming
            commit from any session, with the token from the previous
            <commit> operation.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit>
         <confirmed/>
         <confirm-timeout>120</confirm-timeout>
       </commit>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 60]



RFC 6241                    NETCONF Protocol                   June 2011

   Example:

     <!-- start a persistent confirmed-commit -->
     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit>
         <confirmed/>
         <persist>IQ,d4668</persist>
       </commit>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

     <!-- confirm the persistent confirmed-commit,
          possibly from another session -->
     <rpc message-id="102"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit>
         <persist-id>IQ,d4668</persist-id>
       </commit>
     </rpc>

     <rpc-reply message-id="102"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

8.5.  Rollback-on-Error Capability

8.5.1.  Description

   This capability indicates that the server will support the
   "rollback-on-error" value in the <error-option> parameter to the
   <edit-config> operation.

   For shared configurations, this feature can cause other configuration
   changes (for example, via other NETCONF sessions) to be inadvertently
   altered or removed, unless the configuration locking feature is used
   (in other words, the lock is obtained before the <edit-config>
   operation is started).  Therefore, it is strongly suggested that in
   order to use this feature with shared configuration datastores,
   configuration locking also be used.

Enns, et al.                 Standards Track                   [Page 61]



RFC 6241                    NETCONF Protocol                   June 2011

8.5.2.  Dependencies

   None.

8.5.3.  Capability Identifier

   The :rollback-on-error capability is identified by the following
   capability string:

      urn:ietf:params:netconf:capability:rollback-on-error:1.0

8.5.4.  New Operations

   None.

8.5.5.  Modifications to Existing Operations

8.5.5.1.  <edit-config>

   The :rollback-on-error capability allows the "rollback-on-error"
   value to the <error-option> parameter on the <edit-config> operation.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <error-option>rollback-on-error</error-option>
         <config>
           <top xmlns="http://example.com/schema/1.2/config">
             <interface>
               <name>Ethernet0/0</name>
               <mtu>100000</mtu>
             </interface>
           </top>
         </config>
       </edit-config>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

Enns, et al.                 Standards Track                   [Page 62]



RFC 6241                    NETCONF Protocol                   June 2011

8.6.  Validate Capability

8.6.1.  Description

   Validation consists of checking a complete configuration for
   syntactical and semantic errors before applying the configuration to
   the device.

   If this capability is advertised, the device supports the <validate>
   protocol operation and checks at least for syntax errors.  In
   addition, this capability supports the <test-option> parameter to the
   <edit-config> operation and, when it is provided, checks at least for
   syntax errors.

   Version 1.0 of this capability was defined in [RFC4741].  Version 1.1
   is defined in this document, and extends version 1.0 by adding a new
   value, "test-only", to the <test-option> parameter of the
   <edit-config> operation.  For backwards compatibility with old
   clients, servers conforming to this specification MAY advertise
   version 1.0 in addition to version 1.1.

8.6.2.  Dependencies

   None.

8.6.3.  Capability Identifier

   The :validate:1.1 capability is identified by the following
   capability string:

      urn:ietf:params:netconf:capability:validate:1.1

8.6.4.  New Operations

8.6.4.1.  <validate>

   Description:

         This protocol operation validates the contents of the specified
         configuration.

   Parameters:

      source:

            Name of the configuration datastore to validate, such as
            <candidate>, or the <config> element containing the complete
            configuration to validate.

Enns, et al.                 Standards Track                   [Page 63]



RFC 6241                    NETCONF Protocol                   June 2011

   Positive Response:

         If the device was able to satisfy the request, an <rpc-reply>
         is sent that contains an <ok> element.

   Negative Response:

         An <rpc-error> element is included in the <rpc-reply> if the
         request cannot be completed for any reason.

         A <validate> operation can fail for a number of reasons, such
         as syntax errors, missing parameters, references to undefined
         configuration data, or any other violations of rules
         established by the underlying data model.

   Example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <validate>
         <source>
           <candidate/>
         </source>
       </validate>
     </rpc>

     <rpc-reply message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <ok/>
     </rpc-reply>

8.6.5.  Modifications to Existing Operations

8.6.5.1.  <edit-config>

   The :validate:1.1 capability modifies the <edit-config> operation to
   accept the <test-option> parameter.

8.7.  Distinct Startup Capability

8.7.1.  Description

   The device supports separate running and startup configuration
   datastores.  The startup configuration is loaded by the device when
   it boots.  Operations that affect the running configuration will not
   be automatically copied to the startup configuration.  An explicit
   <copy-config> operation from the <running> to the <startup> is used
   to update the startup configuration to the current contents of the

Enns, et al.                 Standards Track                   [Page 64]



RFC 6241                    NETCONF Protocol                   June 2011

   running configuration.  NETCONF protocol operations refer to the
   startup datastore using the <startup> element.

8.7.2.  Dependencies

   None.

8.7.3.  Capability Identifier

   The :startup capability is identified by the following capability
   string:

      urn:ietf:params:netconf:capability:startup:1.0

8.7.4.  New Operations

   None.

8.7.5.  Modifications to Existing Operations

8.7.5.1.  General

   The :startup capability adds the <startup/> configuration datastore
   to arguments of several NETCONF operations.  The server MUST support
   the following additional values:

   +--------------------+--------------------------+-------------------+
   | Operation          | Parameters               | Notes             |
   +--------------------+--------------------------+-------------------+
   | <get-config>       | <source>                 |                   |
   |                    |                          |                   |
   | <copy-config>      | <source> <target>        |                   |
   |                    |                          |                   |
   | <lock>             | <target>                 |                   |
   |                    |                          |                   |
   | <unlock>           | <target>                 |                   |
   |                    |                          |                   |
   | <validate>         | <source>                 | If :validate:1.1  |
   |                    |                          | is advertised     |
   |                    |                          |                   |
   | <delete-config>    | <target>                 | Resets the device |
   |                    |                          | to its factory    |
   |                    |                          | defaults          |
   +--------------------+--------------------------+-------------------+

   To save the startup configuration, use the <copy-config> operation to
   copy the <running> configuration datastore to the <startup>
   configuration datastore.

Enns, et al.                 Standards Track                   [Page 65]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <copy-config>
         <target>
           <startup/>
         </target>
         <source>
           <running/>
         </source>
       </copy-config>
     </rpc>

8.8.  URL Capability

8.8.1.  Description

   The NETCONF peer has the ability to accept the <url> element in
   <source> and <target> parameters.  The capability is further
   identified by URL arguments indicating the URL schemes supported.

8.8.2.  Dependencies

   None.

8.8.3.  Capability Identifier

   The :url capability is identified by the following capability string:

      urn:ietf:params:netconf:capability:url:1.0?scheme={name,...}

   The :url capability URI MUST contain a "scheme" argument assigned a
   comma-separated list of scheme names indicating which schemes the
   NETCONF peer supports.  For example:

      urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file

8.8.4.  New Operations

   None.

8.8.5.  Modifications to Existing Operations

8.8.5.1.  <edit-config>

   The :url capability modifies the <edit-config> operation to accept
   the <url> element as an alternative to the <config> parameter.

Enns, et al.                 Standards Track                   [Page 66]



RFC 6241                    NETCONF Protocol                   June 2011

   The file that the url refers to contains the configuration data
   hierarchy to be modified, encoded in XML under the element <config>
   in the "urn:ietf:params:xml:ns:netconf:base:1.0" namespace.

8.8.5.2.  <copy-config>

   The :url capability modifies the <copy-config> operation to accept
   the <url> element as the value of the <source> and the <target>
   parameters.

   The file that the url refers to contains the complete datastore,
   encoded in XML under the element <config> in the
   "urn:ietf:params:xml:ns:netconf:base:1.0" namespace.

8.8.5.3.  <delete-config>

   The :url capability modifies the <delete-config> operation to accept
   the <url> element as the value of the <target> parameters.

8.8.5.4.  <validate>

   The :url capability modifies the <validate> operation to accept the
   <url> element as the value of the <source> parameter.

8.9.  XPath Capability

8.9.1.  Description

   The XPath capability indicates that the NETCONF peer supports the use
   of XPath expressions in the <filter> element.  XPath is described in
   [W3C.REC-xpath-19991116].

   The data model used in the XPath expression is the same as that used
   in XPath 1.0 [W3C.REC-xpath-19991116], with the same extension for
   root node children as used by XSLT 1.0 ([W3C.REC-xslt-19991116],
   Section 3.1).  Specifically, it means that the root node MAY have any
   number of element nodes as its children.

   The XPath expression is evaluated in the following context:

   o  The set of namespace declarations are those in scope on the
      <filter> element.

   o  The set of variable bindings is defined by the data model.  If no
      such variable bindings are defined, the set is empty.

   o  The function library is the core function library, plus any
      functions defined by the data model.

Enns, et al.                 Standards Track                   [Page 67]



RFC 6241                    NETCONF Protocol                   June 2011

   o  The context node is the root node.

   The XPath expression MUST return a node set.  If it does not return a
   node set, the operation fails with an "invalid-value" error.

   The response message contains the subtrees selected by the filter
   expression.  For each such subtree, the path from the data model root
   node down to the subtree, including any elements or attributes
   necessary to uniquely identify the subtree, are included in the
   response message.  Specific data instances are not duplicated in the
   response.

8.9.2.  Dependencies

   None.

8.9.3.  Capability Identifier

   The :xpath capability is identified by the following capability
   string:

      urn:ietf:params:netconf:capability:xpath:1.0

8.9.4.  New Operations

   None.

8.9.5.  Modifications to Existing Operations

8.9.5.1.  <get-config> and <get>

   The :xpath capability modifies the <get> and <get-config> operations
   to accept the value "xpath" in the "type" attribute of the <filter>
   element.  When the "type" attribute is set to "xpath", a "select"
   attribute MUST be present on the <filter> element.  The "select"
   attribute will be treated as an XPath expression and used to filter
   the returned data.  The <filter> element itself MUST be empty in this
   case.

   The XPath result for the select expression MUST be a node-set.  Each
   node in the node-set MUST correspond to a node in the underlying data
   model.  In order to properly identify each node, the following
   encoding rules are defined:

   o  All ancestor nodes of the result node MUST be encoded first, so
      the <data> element returned in the reply contains only fully
      specified subtrees, according to the underlying data model.

Enns, et al.                 Standards Track                   [Page 68]



RFC 6241                    NETCONF Protocol                   June 2011

   o  If any sibling or ancestor nodes of the result node are needed to
      identify a particular instance within a conceptual data structure,
      then these nodes MUST also be encoded in the response.

   For example:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <get-config>
         <source>
           <running/>
         </source>
         <!-- get the user named fred -->
         <filter xmlns:t="http://example.com/schema/1.2/config"
                 type="xpath"
                 select="/t:top/t:users/t:user[t:name='fred']"/>
        </get-config>
     </rpc>

     <rpc-reply message-id="101"
                xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <data>
         <top xmlns="http://example.com/schema/1.2/config">
           <users>
             <user>
               <name>fred</name>
               <company-info>
                 <id>2</id>
               </company-info>
             </user>
           </users>
         </top>
       </data>
     </rpc-reply>

9.  Security Considerations

   This section provides security considerations for the base NETCONF
   message layer and the base operations of the NETCONF protocol.
   Security considerations for the NETCONF transports are provided in
   the transport documents, and security considerations for the content
   manipulated by NETCONF can be found in the documents defining data
   models.

   This document does not specify an authorization scheme, as such a
   scheme will likely be tied to a meta-data model or a data model.
   Implementors SHOULD provide a comprehensive authorization scheme with
   NETCONF.

Enns, et al.                 Standards Track                   [Page 69]



RFC 6241                    NETCONF Protocol                   June 2011

   Authorization of individual users via the NETCONF server may or may
   not map 1:1 to other interfaces.  First, the data models might be
   incompatible.  Second, it could be desirable to authorize based on
   mechanisms available in the Secure Transport layer (e.g., SSH, Blocks
   Extensible Exchange Protocol (BEEP), etc.).

   In addition, operations on configurations could have unintended
   consequences if those operations are also not guarded by the global
   lock on the files or objects being operated upon.  For instance, if
   the running configuration is not locked, a partially complete access
   list could be committed from the candidate configuration unbeknownst
   to the owner of the lock of the candidate configuration, leading to
   either an insecure or inaccessible device.

   Configuration information is by its very nature sensitive.  Its
   transmission in the clear and without integrity checking leaves
   devices open to classic eavesdropping and false data injection
   attacks.  Configuration information often contains passwords, user
   names, service descriptions, and topological information, all of
   which are sensitive.  Because of this, this protocol SHOULD be
   implemented carefully with adequate attention to all manner of attack
   one might expect to experience with other management interfaces.

   The protocol, therefore, MUST minimally support options for both
   confidentiality and authentication.  It is anticipated that the
   underlying protocol (SSH, BEEP, etc.) will provide for both
   confidentiality and authentication, as is required.  It is further
   expected that the identity of each end of a NETCONF session will be
   available to the other in order to determine authorization for any
   given request.  One could also easily envision additional
   information, such as transport and encryption methods, being made
   available for purposes of authorization.  NETCONF itself provides no
   means to re-authenticate, much less authenticate.  All such actions
   occur at lower layers.

   Different environments may well allow different rights prior to and
   then after authentication.  Thus, an authorization model is not
   specified in this document.  When an operation is not properly
   authorized, a simple "access denied" is sufficient.  Note that
   authorization information can be exchanged in the form of
   configuration information, which is all the more reason to ensure the
   security of the connection.

   That having been said, it is important to recognize that some
   operations are clearly more sensitive by nature than others.  For
   instance, <copy-config> to the startup or running configurations is
   clearly not a normal provisioning operation, whereas <edit-config>
   is.  Such global operations MUST disallow the changing of information

Enns, et al.                 Standards Track                   [Page 70]



RFC 6241                    NETCONF Protocol                   June 2011

   that an individual does not have authorization to perform.  For
   example, if user A is not allowed to configure an IP address on an
   interface but user B has configured an IP address on an interface in
   the <candidate> configuration, user A MUST NOT be allowed to commit
   the <candidate> configuration.

   Similarly, just because someone says "go write a configuration
   through the URL capability at a particular place", this does not mean
   that an element will do it without proper authorization.

   The <lock> operation will demonstrate that NETCONF is intended for
   use by systems that have at least some trust of the administrator.
   As specified in this document, it is possible to lock portions of a
   configuration that a principal might not otherwise have access to.
   After all, the entire configuration is locked.  To mitigate this
   problem, there are two approaches.  It is possible to kill another
   NETCONF session programmatically from within NETCONF if one knows the
   session identifier of the offending session.  The other possible way
   to break a lock is to provide a function within the device's native
   user interface.  These two mechanisms suffer from a race condition
   that could be ameliorated by removing the offending user from an
   Authentication, Authorization, and Accounting (AAA) server.  However,
   such a solution is not useful in all deployment scenarios, such as
   those where SSH public/private key pairs are used.

10.  IANA Considerations

10.1.  NETCONF XML Namespace

   This document registers a URI for the NETCONF XML namespace in the
   IETF XML registry [RFC3688].

   IANA has updated the following URI to reference this document.

   URI: urn:ietf:params:xml:ns:netconf:base:1.0

   Registrant Contact: The IESG.

   XML: N/A, the requested URI is an XML namespace.

10.2.  NETCONF XML Schema

   This document registers a URI for the NETCONF XML schema in the IETF
   XML registry [RFC3688].

   IANA has updated the following URI to reference this document.

   URI: urn:ietf:params:xml:schema:netconf

Enns, et al.                 Standards Track                   [Page 71]



RFC 6241                    NETCONF Protocol                   June 2011

   Registrant Contact: The IESG.

   XML: Appendix B of this document.

10.3.  NETCONF YANG Module

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

     name:        ietf-netconf
     namespace:   urn:ietf:params:xml:ns:netconf:base:1.0
     prefix:      nc
     reference:   RFC 6241

10.4.  NETCONF Capability URNs

   IANA has created and now maintains a registry "Network Configuration
   Protocol (NETCONF) Capability URNs" that allocates NETCONF capability
   identifiers.  Additions to the registry require IETF Standards
   Action.

   IANA has updated the allocations of the following capabilities to
   reference this document.

      Index
         Capability Identifier
      ------------------------

      :writable-running
         urn:ietf:params:netconf:capability:writable-running:1.0

      :candidate
         urn:ietf:params:netconf:capability:candidate:1.0

      :rollback-on-error
         urn:ietf:params:netconf:capability:rollback-on-error:1.0

      :startup
         urn:ietf:params:netconf:capability:startup:1.0

      :url
         urn:ietf:params:netconf:capability:url:1.0

      :xpath
         urn:ietf:params:netconf:capability:xpath:1.0

Enns, et al.                 Standards Track                   [Page 72]



RFC 6241                    NETCONF Protocol                   June 2011

   IANA has added the following capabilities to the registry:

      Index
         Capability Identifier
      ------------------------

      :base:1.1
         urn:ietf:params:netconf:base:1.1

      :confirmed-commit:1.1
         urn:ietf:params:netconf:capability:confirmed-commit:1.1

      :validate:1.1
         urn:ietf:params:netconf:capability:validate:1.1

11.  Contributors

   In addition to the editors, this document was written by:

      Ken Crozier, Cisco Systems

      Ted Goddard, IceSoft

      Eliot Lear, Cisco Systems

      Phil Shafer, Juniper Networks

      Steve Waldbusser

      Margaret Wasserman, Painless Security, LLC

12.  Acknowledgements

   The authors would like to acknowledge the members of the NETCONF
   working group.  In particular, we would like to thank Wes Hardaker
   for his persistence and patience in assisting us with security
   considerations.  We would also like to thank Randy Presuhn, Sharon
   Chisholm, Glenn Waters, David Perkins, Weijing Chen, Simon Leinen,
   Keith Allen, Dave Harrington, Ladislav Lhotka, Tom Petch, and Kent
   Watsen for all of their valuable advice.

Enns, et al.                 Standards Track                   [Page 73]



RFC 6241                    NETCONF Protocol                   June 2011

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC5717]  Lengyel, B. and M. Bjorklund, "Partial Lock Remote
              Procedure Call (RPC) for NETCONF", RFC 5717,
              December 2009.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6021]  Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
              October 2010.

   [RFC6242]  Wasserman, M., "Using the NETCONF Configuration Protocol
              over Secure Shell (SSH)", RFC 6242, June 2011.

   [W3C.REC-xml-20001006]
              Sperberg-McQueen, C., Bray, T., Paoli, J., and E. Maler,
              "Extensible Markup Language (XML) 1.0 (Second Edition)",
              World Wide Web Consortium REC-xml-20001006, October 2000,
              <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.REC-xpath-19991116]
              DeRose, S. and J. Clark, "XML Path Language (XPath)
              Version 1.0", World Wide Web Consortium
              Recommendation REC-xpath-19991116, November 1999,
              <http://www.w3.org/TR/1999/REC-xpath-19991116>.

Enns, et al.                 Standards Track                   [Page 74]



RFC 6241                    NETCONF Protocol                   June 2011

13.2.  Informative References

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3470]  Hollenbeck, S., Rose, M., and L. Masinter, "Guidelines for
              the Use of Extensible Markup Language (XML)
              within IETF Protocols", BCP 70, RFC 3470, January 2003.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4741]  Enns, R., "NETCONF Configuration Protocol", RFC 4741,
              December 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [W3C.REC-xslt-19991116]
              Clark, J., "XSL Transformations (XSLT) Version 1.0", World
              Wide Web Consortium Recommendation REC-xslt-19991116,
              November 1999,
              <http://www.w3.org/TR/1999/REC-xslt-19991116>.

Enns, et al.                 Standards Track                   [Page 75]



RFC 6241                    NETCONF Protocol                   June 2011

Appendix A.  NETCONF Error List

   This section is normative.

   For each error-tag, the valid error-type and error-severity values
   are listed, together with any mandatory error-info, if any.

   error-tag:      in-use
   error-type:     protocol, application
   error-severity: error
   error-info:     none
   Description:    The request requires a resource that already is in
                   use.

   error-tag:      invalid-value
   error-type:     protocol, application
   error-severity: error
   error-info:     none
   Description:    The request specifies an unacceptable value for one
                   or more parameters.

   error-tag:      too-big
   error-type:     transport, rpc, protocol, application
   error-severity: error
   error-info:     none
   Description:    The request or response (that would be generated) is
                   too large for the implementation to handle.

   error-tag:      missing-attribute
   error-type:     rpc, protocol, application
   error-severity: error
   error-info:     <bad-attribute> : name of the missing attribute
                   <bad-element> : name of the element that is supposed
                     to contain the missing attribute
   Description:    An expected attribute is missing.

   error-tag:      bad-attribute
   error-type:     rpc, protocol, application
   error-severity: error
   error-info:     <bad-attribute> : name of the attribute w/ bad value
                   <bad-element> : name of the element that contains
                     the attribute with the bad value
   Description:    An attribute value is not correct; e.g., wrong type,
                   out of range, pattern mismatch.

Enns, et al.                 Standards Track                   [Page 76]



RFC 6241                    NETCONF Protocol                   June 2011

   error-tag:      unknown-attribute
   error-type:     rpc, protocol, application
   error-severity: error
   error-info:     <bad-attribute> : name of the unexpected attribute
                   <bad-element> : name of the element that contains
                     the unexpected attribute
   Description:    An unexpected attribute is present.

   error-tag:      missing-element
   error-type:     protocol, application
   error-severity: error
   error-info:     <bad-element> : name of the missing element
   Description:    An expected element is missing.

   error-tag:      bad-element
   error-type:     protocol, application
   error-severity: error
   error-info:     <bad-element> : name of the element w/ bad value
   Description:    An element value is not correct; e.g., wrong type,
                   out of range, pattern mismatch.

   error-tag:      unknown-element
   error-type:     protocol, application
   error-severity: error
   error-info:     <bad-element> : name of the unexpected element
   Description:    An unexpected element is present.

   error-tag:      unknown-namespace
   error-type:     protocol, application
   error-severity: error
   error-info:     <bad-element> : name of the element that contains
                     the unexpected namespace
                   <bad-namespace> : name of the unexpected namespace
   Description:    An unexpected namespace is present.

   error-tag:      access-denied
   error-type:     protocol, application
   error-severity: error
   error-info:     none
   Description:    Access to the requested protocol operation or
                   data model is denied because authorization failed.

Enns, et al.                 Standards Track                   [Page 77]



RFC 6241                    NETCONF Protocol                   June 2011

   error-tag:      lock-denied
   error-type:     protocol
   error-severity: error
   error-info:     <session-id> : session ID of session holding the
                     requested lock, or zero to indicate a non-NETCONF
                     entity holds the lock
   Description:    Access to the requested lock is denied because the
                   lock is currently held by another entity.

   error-tag:      resource-denied
   error-type:     transport, rpc, protocol, application
   error-severity: error
   error-info:     none
   Description:    Request could not be completed because of
                   insufficient resources.

   error-tag:      rollback-failed
   error-type:     protocol, application
   error-severity: error
   error-info:     none
   Description:    Request to roll back some configuration change (via
                   rollback-on-error or <discard-changes> operations)
                   was not completed for some reason.

   error-tag:      data-exists
   error-type:     application
   error-severity: error
   error-info:     none
   Description:    Request could not be completed because the relevant
                   data model content already exists.  For example,
                   a "create" operation was attempted on data that
                   already exists.

   error-tag:      data-missing
   error-type:     application
   error-severity: error
   error-info:     none
   Description:    Request could not be completed because the relevant
                   data model content does not exist.  For example,
                   a "delete" operation was attempted on
                   data that does not exist.

   error-tag:      operation-not-supported
   error-type:     protocol, application
   error-severity: error
   error-info:     none
   Description:    Request could not be completed because the requested
                   operation is not supported by this implementation.

Enns, et al.                 Standards Track                   [Page 78]



RFC 6241                    NETCONF Protocol                   June 2011

   error-tag:      operation-failed
   error-type:     rpc, protocol, application
   error-severity: error
   error-info:     none
   Description:    Request could not be completed because the requested
                   operation failed for some reason not covered by
                   any other error condition.

   error-tag:      partial-operation
   error-type:     application
   error-severity: error
   error-info:     <ok-element> : identifies an element in the data
                     model for which the requested operation has been
                     completed for that node and all its child nodes.
                     This element can appear zero or more times in the
                     <error-info> container.

                   <err-element> : identifies an element in the data
                     model for which the requested operation has failed
                     for that node and all its child nodes.
                     This element can appear zero or more times in the
                     <error-info> container.

                   <noop-element> : identifies an element in the data
                     model for which the requested operation was not
                     attempted for that node and all its child nodes.
                     This element can appear zero or more times in the
                     <error-info> container.

   Description:    This error-tag is obsolete, and SHOULD NOT be sent
                   by servers conforming to this document.

                   Some part of the requested operation failed or was
                   not attempted for some reason.  Full cleanup has
                   not been performed (e.g., rollback not supported)
                   by the server.  The error-info container is used
                   to identify which portions of the application
                   data model content for which the requested operation
                   has succeeded (<ok-element>), failed (<bad-element>),
                   or not been attempted (<noop-element>).

Enns, et al.                 Standards Track                   [Page 79]



RFC 6241                    NETCONF Protocol                   June 2011

   error-tag:      malformed-message
   error-type:     rpc
   error-severity: error
   error-info:     none
   Description:    A message could not be handled because it failed to
                   be parsed correctly.  For example, the message is not
                   well-formed XML or it uses an invalid character set.

                   This error-tag is new in :base:1.1 and MUST NOT be
                   sent to old clients.

Appendix B.  XML Schema for NETCONF Messages Layer

   This section is normative.

   <CODE BEGINS> file "netconf.xsd"

   <?xml version="1.0" encoding="UTF-8"?>
   <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
              xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
              targetNamespace="urn:ietf:params:xml:ns:netconf:base:1.0"
              elementFormDefault="qualified"
              attributeFormDefault="unqualified"
              xml:lang="en"
              version="1.1">

     <xs:annotation>
       <xs:documentation>
         This schema defines the syntax for the NETCONF Messages layer
         messages 'hello', 'rpc', and 'rpc-reply'.
       </xs:documentation>
     </xs:annotation>

     <!--
        import standard XML definitions
       -->
     <xs:import namespace="http://www.w3.org/XML/1998/namespace"
                schemaLocation="http://www.w3.org/2001/xml.xsd">
       <xs:annotation>
         <xs:documentation>
           This import accesses the xml: attribute groups for the
           xml:lang as declared on the error-message element.
         </xs:documentation>
       </xs:annotation>
     </xs:import>
     <!--
        message-id attribute
       -->

Enns, et al.                 Standards Track                   [Page 80]



RFC 6241                    NETCONF Protocol                   June 2011

     <xs:simpleType name="messageIdType">
       <xs:restriction base="xs:string">
         <xs:maxLength value="4095"/>
       </xs:restriction>
     </xs:simpleType>
     <!--
        Types used for session-id
       -->
     <xs:simpleType name="SessionId">
       <xs:restriction base="xs:unsignedInt">
         <xs:minInclusive value="1"/>
       </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="SessionIdOrZero">
       <xs:restriction base="xs:unsignedInt"/>
     </xs:simpleType>
     <!--
        <rpc> element
       -->
     <xs:complexType name="rpcType">
       <xs:sequence>
         <xs:element ref="rpcOperation"/>
       </xs:sequence>
       <xs:attribute name="message-id" type="messageIdType"
                     use="required"/>
       <!--
          Arbitrary attributes can be supplied with <rpc> element.
         -->
       <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:element name="rpc" type="rpcType"/>
     <!--
        data types and elements used to construct rpc-errors
       -->
     <xs:simpleType name="ErrorType">
       <xs:restriction base="xs:string">
         <xs:enumeration value="transport"/>
         <xs:enumeration value="rpc"/>
         <xs:enumeration value="protocol"/>
         <xs:enumeration value="application"/>
       </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="ErrorTag">
       <xs:restriction base="xs:string">
         <xs:enumeration value="in-use"/>
         <xs:enumeration value="invalid-value"/>
         <xs:enumeration value="too-big"/>
         <xs:enumeration value="missing-attribute"/>

Enns, et al.                 Standards Track                   [Page 81]



RFC 6241                    NETCONF Protocol                   June 2011

         <xs:enumeration value="bad-attribute"/>
         <xs:enumeration value="unknown-attribute"/>
         <xs:enumeration value="missing-element"/>
         <xs:enumeration value="bad-element"/>
         <xs:enumeration value="unknown-element"/>
         <xs:enumeration value="unknown-namespace"/>
         <xs:enumeration value="access-denied"/>
         <xs:enumeration value="lock-denied"/>
         <xs:enumeration value="resource-denied"/>
         <xs:enumeration value="rollback-failed"/>
         <xs:enumeration value="data-exists"/>
         <xs:enumeration value="data-missing"/>
         <xs:enumeration value="operation-not-supported"/>
         <xs:enumeration value="operation-failed"/>
         <xs:enumeration value="partial-operation"/>
         <xs:enumeration value="malformed-message"/>
       </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="ErrorSeverity">
       <xs:restriction base="xs:string">
         <xs:enumeration value="error"/>
         <xs:enumeration value="warning"/>
       </xs:restriction>
     </xs:simpleType>
     <xs:complexType name="errorInfoType">
       <xs:sequence>
         <xs:choice>
           <xs:element name="session-id" type="SessionIdOrZero"/>
           <xs:sequence minOccurs="0" maxOccurs="unbounded">
             <xs:sequence>
               <xs:element name="bad-attribute" type="xs:QName"
                           minOccurs="0" maxOccurs="1"/>
               <xs:element name="bad-element" type="xs:QName"
                           minOccurs="0" maxOccurs="1"/>
               <xs:element name="ok-element" type="xs:QName"
                           minOccurs="0" maxOccurs="1"/>
               <xs:element name="err-element" type="xs:QName"
                           minOccurs="0" maxOccurs="1"/>
               <xs:element name="noop-element" type="xs:QName"
                           minOccurs="0" maxOccurs="1"/>
               <xs:element name="bad-namespace" type="xs:string"
                           minOccurs="0" maxOccurs="1"/>
             </xs:sequence>
           </xs:sequence>
         </xs:choice>
         <!-- elements from any other namespace are also allowed
              to follow the NETCONF elements -->
         <xs:any namespace="##other" processContents="lax"

Enns, et al.                 Standards Track                   [Page 82]



RFC 6241                    NETCONF Protocol                   June 2011

                 minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
     <xs:complexType name="rpcErrorType">
       <xs:sequence>
         <xs:element name="error-type" type="ErrorType"/>
         <xs:element name="error-tag" type="ErrorTag"/>
         <xs:element name="error-severity" type="ErrorSeverity"/>
         <xs:element name="error-app-tag" type="xs:string"
                     minOccurs="0"/>
         <xs:element name="error-path" type="xs:string" minOccurs="0"/>
         <xs:element name="error-message" minOccurs="0">
           <xs:complexType>
             <xs:simpleContent>
               <xs:extension base="xs:string">
                 <xs:attribute ref="xml:lang" use="optional"/>
               </xs:extension>
             </xs:simpleContent>
           </xs:complexType>
         </xs:element>
         <xs:element name="error-info" type="errorInfoType"
                     minOccurs="0"/>
       </xs:sequence>
     </xs:complexType>
     <!--
        operation attribute used in <edit-config>
       -->
     <xs:simpleType name="editOperationType">
       <xs:restriction base="xs:string">
         <xs:enumeration value="merge"/>
         <xs:enumeration value="replace"/>
         <xs:enumeration value="create"/>
         <xs:enumeration value="delete"/>
         <xs:enumeration value="remove"/>
       </xs:restriction>
     </xs:simpleType>
     <xs:attribute name="operation" type="editOperationType"/>
     <!--
        <rpc-reply> element
       -->
     <xs:complexType name="rpcReplyType">
       <xs:choice>
         <xs:element name="ok"/>
         <xs:sequence>
           <xs:element ref="rpc-error"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="rpcResponse"
                       minOccurs="0" maxOccurs="unbounded"/>

Enns, et al.                 Standards Track                   [Page 83]



RFC 6241                    NETCONF Protocol                   June 2011

         </xs:sequence>
       </xs:choice>
       <xs:attribute name="message-id" type="messageIdType"
                     use="optional"/>
       <!--
          Any attributes supplied with <rpc> element must be returned
          on <rpc-reply>.
         -->
       <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:element name="rpc-reply" type="rpcReplyType"/>
     <!--
        <rpc-error> element
          -->
     <xs:element name="rpc-error" type="rpcErrorType"/>
     <!--
        rpcOperationType: used as a base type for all
        NETCONF operations
       -->
     <xs:complexType name="rpcOperationType"/>
     <xs:element name="rpcOperation" type="rpcOperationType"
                 abstract="true"/>
     <!--
        rpcResponseType: used as a base type for all
        NETCONF responses
       -->
     <xs:complexType name="rpcResponseType"/>
     <xs:element name="rpcResponse" type="rpcResponseType"
                 abstract="true"/>
     <!--
        <hello> element
       -->
     <xs:element name="hello">
       <xs:complexType>
         <xs:sequence>
           <xs:element name="capabilities">
             <xs:complexType>
               <xs:sequence>
                 <xs:element name="capability" type="xs:anyURI"
                             maxOccurs="unbounded"/>
               </xs:sequence>
             </xs:complexType>
           </xs:element>
           <xs:element name="session-id" type="SessionId"
                       minOccurs="0"/>

Enns, et al.                 Standards Track                   [Page 84]



RFC 6241                    NETCONF Protocol                   June 2011

         </xs:sequence>
       </xs:complexType>
     </xs:element>
   </xs:schema>

   <CODE ENDS>

Appendix C.  YANG Module for NETCONF Protocol Operations

   This section is normative.

   The ietf-netconf YANG module imports typedefs from [RFC6021].

  <CODE BEGINS> file "ietf-netconf@2011-06-01.yang"

  module ietf-netconf {

    // the namespace for NETCONF XML definitions is unchanged
    // from RFC 4741, which this document replaces
    namespace "urn:ietf:params:xml:ns:netconf:base:1.0";

    prefix nc;

    import ietf-inet-types {
      prefix inet;
    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
       WG List:  <netconf@ietf.org>

       WG Chair: Bert Wijnen
                 <bertietf@bwijnen.net>

       WG Chair: Mehmet Ersue
                 <mehmet.ersue@nsn.com>

       Editor:   Martin Bjorklund
                 <mbj@tail-f.com>

       Editor:   Juergen Schoenwaelder
                 <j.schoenwaelder@jacobs-university.de>

       Editor:   Andy Bierman
                 <andy.bierman@brocade.com>";

Enns, et al.                 Standards Track                   [Page 85]



RFC 6241                    NETCONF Protocol                   June 2011

    description
      "NETCONF Protocol Data Types and Protocol Operations.

       Copyright (c) 2011 IETF Trust and the persons identified as
       the document authors.  All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC 6241; see
       the RFC itself for full legal notices.";
    revision 2011-06-01 {
      description
        "Initial revision";
      reference
        "RFC 6241: Network Configuration Protocol";
    }

    extension get-filter-element-attributes {
      description
        "If this extension is present within an 'anyxml'
         statement named 'filter', which must be conceptually
         defined within the RPC input section for the <get>
         and <get-config> protocol operations, then the
         following unqualified XML attribute is supported
         within the <filter> element, within a <get> or
         <get-config> protocol operation:

           type : optional attribute with allowed
                  value strings 'subtree' and 'xpath'.
                  If missing, the default value is 'subtree'.

         If the 'xpath' feature is supported, then the
         following unqualified XML attribute is
         also supported:

           select: optional attribute containing a
                   string representing an XPath expression.
                   The 'type' attribute must be equal to 'xpath'
                   if this attribute is present.";
    }

    // NETCONF capabilities defined as features
    feature writable-running {

Enns, et al.                 Standards Track                   [Page 86]



RFC 6241                    NETCONF Protocol                   June 2011

      description
        "NETCONF :writable-running capability;
         If the server advertises the :writable-running
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.2";
    }

    feature candidate {
      description
        "NETCONF :candidate capability;
         If the server advertises the :candidate
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.3";
    }

    feature confirmed-commit {
      if-feature candidate;
      description
        "NETCONF :confirmed-commit:1.1 capability;
         If the server advertises the :confirmed-commit:1.1
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";

      reference "RFC 6241, Section 8.4";
    }

    feature rollback-on-error {
      description
        "NETCONF :rollback-on-error capability;
         If the server advertises the :rollback-on-error
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.5";
    }

    feature validate {
      description
        "NETCONF :validate:1.1 capability;
         If the server advertises the :validate:1.1
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";

Enns, et al.                 Standards Track                   [Page 87]



RFC 6241                    NETCONF Protocol                   June 2011

      reference "RFC 6241, Section 8.6";
    }

    feature startup {
      description
        "NETCONF :startup capability;
         If the server advertises the :startup
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.7";
    }

    feature url {
      description
        "NETCONF :url capability;
         If the server advertises the :url
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.8";
    }

    feature xpath {
      description
        "NETCONF :xpath capability;
         If the server advertises the :xpath
         capability for a session, then this feature must
         also be enabled for that session.  Otherwise,
         this feature must not be enabled.";
      reference "RFC 6241, Section 8.9";
    }

    // NETCONF Simple Types

    typedef session-id-type {
      type uint32 {
        range "1..max";
      }
      description
        "NETCONF Session Id";
    }

    typedef session-id-or-zero-type {
      type uint32;
      description
        "NETCONF Session Id or Zero to indicate none";
    }

Enns, et al.                 Standards Track                   [Page 88]



RFC 6241                    NETCONF Protocol                   June 2011

    typedef error-tag-type {
      type enumeration {
         enum in-use {
           description
             "The request requires a resource that
              already is in use.";
         }
         enum invalid-value {
           description
             "The request specifies an unacceptable value for one
              or more parameters.";
         }
         enum too-big {
           description
             "The request or response (that would be generated) is
              too large for the implementation to handle.";
         }
         enum missing-attribute {
           description
             "An expected attribute is missing.";
         }
         enum bad-attribute {
           description
             "An attribute value is not correct; e.g., wrong type,
              out of range, pattern mismatch.";
         }
         enum unknown-attribute {
           description
             "An unexpected attribute is present.";
         }
         enum missing-element {
           description
             "An expected element is missing.";
         }
         enum bad-element {
           description
             "An element value is not correct; e.g., wrong type,
              out of range, pattern mismatch.";
         }
         enum unknown-element {
           description
             "An unexpected element is present.";
         }
         enum unknown-namespace {
           description
             "An unexpected namespace is present.";
         }
         enum access-denied {

Enns, et al.                 Standards Track                   [Page 89]



RFC 6241                    NETCONF Protocol                   June 2011

           description
             "Access to the requested protocol operation or
              data model is denied because authorization failed.";
         }
         enum lock-denied {
           description
             "Access to the requested lock is denied because the
              lock is currently held by another entity.";
         }
         enum resource-denied {
           description
             "Request could not be completed because of
              insufficient resources.";
         }
         enum rollback-failed {
           description
             "Request to roll back some configuration change (via
              rollback-on-error or <discard-changes> operations)
              was not completed for some reason.";

         }
         enum data-exists {
           description
             "Request could not be completed because the relevant
              data model content already exists.  For example,
              a 'create' operation was attempted on data that
              already exists.";
         }
         enum data-missing {
           description
             "Request could not be completed because the relevant
              data model content does not exist.  For example,
              a 'delete' operation was attempted on
              data that does not exist.";
         }
         enum operation-not-supported {
           description
             "Request could not be completed because the requested
              operation is not supported by this implementation.";
         }
         enum operation-failed {
           description
             "Request could not be completed because the requested
              operation failed for some reason not covered by
              any other error condition.";
         }
         enum partial-operation {
           description

Enns, et al.                 Standards Track                   [Page 90]



RFC 6241                    NETCONF Protocol                   June 2011

             "This error-tag is obsolete, and SHOULD NOT be sent
              by servers conforming to this document.";
         }
         enum malformed-message {
           description
             "A message could not be handled because it failed to
              be parsed correctly.  For example, the message is not
              well-formed XML or it uses an invalid character set.";
         }
       }
       description "NETCONF Error Tag";
       reference "RFC 6241, Appendix A";
    }

    typedef error-severity-type {
      type enumeration {
        enum error {
          description "Error severity";
        }
        enum warning {
          description "Warning severity";
        }
      }
      description "NETCONF Error Severity";
      reference "RFC 6241, Section 4.3";
    }

    typedef edit-operation-type {
      type enumeration {
        enum merge {
          description
            "The configuration data identified by the
             element containing this attribute is merged
             with the configuration at the corresponding
             level in the configuration datastore identified
             by the target parameter.";
        }
        enum replace {
          description
            "The configuration data identified by the element
             containing this attribute replaces any related
             configuration in the configuration datastore
             identified by the target parameter.  If no such
             configuration data exists in the configuration
             datastore, it is created.  Unlike a
             <copy-config> operation, which replaces the
             entire target configuration, only the configuration
             actually present in the config parameter is affected.";

Enns, et al.                 Standards Track                   [Page 91]



RFC 6241                    NETCONF Protocol                   June 2011

        }
        enum create {
          description
            "The configuration data identified by the element
             containing this attribute is added to the
             configuration if and only if the configuration
             data does not already exist in the configuration
             datastore.  If the configuration data exists, an
             <rpc-error> element is returned with an
             <error-tag> value of 'data-exists'.";
        }
        enum delete {
          description
            "The configuration data identified by the element
             containing this attribute is deleted from the
             configuration if and only if the configuration
             data currently exists in the configuration
             datastore.  If the configuration data does not
             exist, an <rpc-error> element is returned with
             an <error-tag> value of 'data-missing'.";
        }
        enum remove {
          description
            "The configuration data identified by the element
             containing this attribute is deleted from the
             configuration if the configuration
             data currently exists in the configuration
             datastore.  If the configuration data does not
             exist, the 'remove' operation is silently ignored
             by the server.";
        }
      }
      default "merge";
      description "NETCONF 'operation' attribute values";
      reference "RFC 6241, Section 7.2";
    }

    // NETCONF Standard Protocol Operations

    rpc get-config {
      description
        "Retrieve all or part of a specified configuration.";

      reference "RFC 6241, Section 7.1";

      input {
        container source {
          description

Enns, et al.                 Standards Track                   [Page 92]



RFC 6241                    NETCONF Protocol                   June 2011

            "Particular configuration to retrieve.";

          choice config-source {
            mandatory true;
            description
              "The configuration to retrieve.";
            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config source.";
            }
            leaf running {
              type empty;
              description
                "The running configuration is the config source.";
            }
            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config source.
                 This is optional-to-implement on the server because
                 not all servers will support filtering for this
                 datastore.";
            }
          }
        }

        anyxml filter {
          description
            "Subtree or XPath filter to use.";
          nc:get-filter-element-attributes;
        }
      }

      output {
        anyxml data {
          description
            "Copy of the source datastore subset that matched
             the filter criteria (if any).  An empty data container
             indicates that the request did not produce any results.";
        }
      }
    }

    rpc edit-config {
      description

Enns, et al.                 Standards Track                   [Page 93]



RFC 6241                    NETCONF Protocol                   June 2011

        "The <edit-config> operation loads all or part of a specified
         configuration to the specified target configuration.";

      reference "RFC 6241, Section 7.2";

      input {
        container target {
          description
            "Particular configuration to edit.";

          choice config-target {
            mandatory true;
            description
              "The configuration target.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config target.";
            }
            leaf running {
              if-feature writable-running;
              type empty;
              description
                "The running configuration is the config source.";
            }
          }
        }

        leaf default-operation {
          type enumeration {
            enum merge {
              description
                "The default operation is merge.";
            }
            enum replace {
              description
                "The default operation is replace.";
            }
            enum none {
              description
                "There is no default operation.";
            }
          }
          default "merge";
          description
            "The default operation to use.";

Enns, et al.                 Standards Track                   [Page 94]



RFC 6241                    NETCONF Protocol                   June 2011

        }

        leaf test-option {
          if-feature validate;
          type enumeration {
            enum test-then-set {
              description
                "The server will test and then set if no errors.";
            }
            enum set {
              description
                "The server will set without a test first.";
            }

            enum test-only {
              description
                "The server will only test and not set, even
                 if there are no errors.";
            }
          }
          default "test-then-set";
          description
            "The test option to use.";
        }

        leaf error-option {
          type enumeration {
            enum stop-on-error {
              description
                "The server will stop on errors.";
            }
            enum continue-on-error {
              description
                "The server may continue on errors.";
            }
            enum rollback-on-error {
              description
                "The server will roll back on errors.
                 This value can only be used if the 'rollback-on-error'
                 feature is supported.";
            }
          }
          default "stop-on-error";
          description
            "The error option to use.";
        }

        choice edit-content {

Enns, et al.                 Standards Track                   [Page 95]



RFC 6241                    NETCONF Protocol                   June 2011

          mandatory true;
          description
            "The content for the edit operation.";

          anyxml config {
            description
              "Inline Config content.";
          }
          leaf url {
            if-feature url;
            type inet:uri;
            description
              "URL-based config content.";
          }
        }
      }
    }

    rpc copy-config {
      description
        "Create or replace an entire configuration datastore with the
         contents of another complete configuration datastore.";

      reference "RFC 6241, Section 7.3";

      input {
        container target {
          description
            "Particular configuration to copy to.";

          choice config-target {
            mandatory true;
            description
              "The configuration target of the copy operation.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config target.";
            }
            leaf running {
              if-feature writable-running;
              type empty;
              description
                "The running configuration is the config target.
                 This is optional-to-implement on the server.";
            }

Enns, et al.                 Standards Track                   [Page 96]



RFC 6241                    NETCONF Protocol                   June 2011

            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config target.";
            }
            leaf url {
              if-feature url;
              type inet:uri;
              description
                "The URL-based configuration is the config target.";
            }
          }
        }

        container source {
          description
            "Particular configuration to copy from.";

          choice config-source {
            mandatory true;
            description
              "The configuration source for the copy operation.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config source.";
            }
            leaf running {
              type empty;
              description
                "The running configuration is the config source.";
            }
            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config source.";
            }
            leaf url {
              if-feature url;
              type inet:uri;
              description
                "The URL-based configuration is the config source.";
            }
            anyxml config {

Enns, et al.                 Standards Track                   [Page 97]



RFC 6241                    NETCONF Protocol                   June 2011

              description
                "Inline Config content: <config> element.  Represents
                 an entire configuration datastore, not
                 a subset of the running datastore.";
            }
          }
        }
      }
    }

    rpc delete-config {
      description
        "Delete a configuration datastore.";

      reference "RFC 6241, Section 7.4";

      input {
        container target {
          description
            "Particular configuration to delete.";

          choice config-target {
            mandatory true;
            description
              "The configuration target to delete.";

            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config target.";
            }
            leaf url {
              if-feature url;
              type inet:uri;
              description
                "The URL-based configuration is the config target.";
            }
          }
        }
      }
    }

    rpc lock {
      description
        "The lock operation allows the client to lock the configuration
         system of a device.";

Enns, et al.                 Standards Track                   [Page 98]



RFC 6241                    NETCONF Protocol                   June 2011

      reference "RFC 6241, Section 7.5";

      input {
        container target {
          description
            "Particular configuration to lock.";

          choice config-target {
            mandatory true;
            description
              "The configuration target to lock.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config target.";
            }
            leaf running {
              type empty;
              description
                "The running configuration is the config target.";
            }
            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config target.";
            }
          }
        }
      }
    }

    rpc unlock {
      description
        "The unlock operation is used to release a configuration lock,
         previously obtained with the 'lock' operation.";

      reference "RFC 6241, Section 7.6";

      input {
        container target {
          description
            "Particular configuration to unlock.";

          choice config-target {
            mandatory true;

Enns, et al.                 Standards Track                   [Page 99]



RFC 6241                    NETCONF Protocol                   June 2011

            description
              "The configuration target to unlock.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config target.";
            }
            leaf running {
              type empty;
              description
                "The running configuration is the config target.";
            }
            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config target.";
            }
          }
        }
      }
    }

    rpc get {
      description
        "Retrieve running configuration and device state information.";

      reference "RFC 6241, Section 7.7";

      input {
        anyxml filter {
          description
            "This parameter specifies the portion of the system
             configuration and state data to retrieve.";
          nc:get-filter-element-attributes;
        }
      }

      output {
        anyxml data {
          description
            "Copy of the running datastore subset and/or state
             data that matched the filter criteria (if any).
             An empty data container indicates that the request did not
             produce any results.";
        }

Enns, et al.                 Standards Track                  [Page 100]



RFC 6241                    NETCONF Protocol                   June 2011

      }
    }

    rpc close-session {
      description
        "Request graceful termination of a NETCONF session.";

      reference "RFC 6241, Section 7.8";
    }

    rpc kill-session {
      description
        "Force the termination of a NETCONF session.";

      reference "RFC 6241, Section 7.9";

      input {
        leaf session-id {
          type session-id-type;
          mandatory true;
          description
            "Particular session to kill.";
        }
      }
    }

    rpc commit {
      if-feature candidate;

      description
        "Commit the candidate configuration as the device's new
         current configuration.";

      reference "RFC 6241, Section 8.3.4.1";

      input {
        leaf confirmed {
          if-feature confirmed-commit;
          type empty;
          description
            "Requests a confirmed commit.";
          reference "RFC 6241, Section 8.3.4.1";
        }

        leaf confirm-timeout {
          if-feature confirmed-commit;
          type uint32 {
            range "1..max";

Enns, et al.                 Standards Track                  [Page 101]



RFC 6241                    NETCONF Protocol                   June 2011

          }
          units "seconds";
          default "600";   // 10 minutes
          description
            "The timeout interval for a confirmed commit.";
          reference "RFC 6241, Section 8.3.4.1";
        }

        leaf persist {
          if-feature confirmed-commit;
          type string;
          description
            "This parameter is used to make a confirmed commit
             persistent.  A persistent confirmed commit is not aborted
             if the NETCONF session terminates.  The only way to abort
             a persistent confirmed commit is to let the timer expire,
             or to use the <cancel-commit> operation.

             The value of this parameter is a token that must be given
             in the 'persist-id' parameter of <commit> or
             <cancel-commit> operations in order to confirm or cancel
             the persistent confirmed commit.

             The token should be a random string.";
          reference "RFC 6241, Section 8.3.4.1";
        }

        leaf persist-id {
          if-feature confirmed-commit;
          type string;
          description
            "This parameter is given in order to commit a persistent
             confirmed commit.  The value must be equal to the value
             given in the 'persist' parameter to the <commit> operation.
             If it does not match, the operation fails with an
            'invalid-value' error.";
          reference "RFC 6241, Section 8.3.4.1";
        }

      }
    }

    rpc discard-changes {
      if-feature candidate;

      description
        "Revert the candidate configuration to the current
         running configuration.";

Enns, et al.                 Standards Track                  [Page 102]



RFC 6241                    NETCONF Protocol                   June 2011

      reference "RFC 6241, Section 8.3.4.2";
    }

    rpc cancel-commit {
      if-feature confirmed-commit;
      description
        "This operation is used to cancel an ongoing confirmed commit.
         If the confirmed commit is persistent, the parameter
         'persist-id' must be given, and it must match the value of the
         'persist' parameter.";
      reference "RFC 6241, Section 8.4.4.1";

      input {
        leaf persist-id {
          type string;
          description
            "This parameter is given in order to cancel a persistent
             confirmed commit.  The value must be equal to the value
             given in the 'persist' parameter to the <commit> operation.
             If it does not match, the operation fails with an
            'invalid-value' error.";
        }
      }
    }

    rpc validate {
      if-feature validate;

      description
        "Validates the contents of the specified configuration.";

      reference "RFC 6241, Section 8.6.4.1";

      input {
        container source {
          description
            "Particular configuration to validate.";

          choice config-source {
            mandatory true;
            description
              "The configuration source to validate.";

            leaf candidate {
              if-feature candidate;
              type empty;
              description
                "The candidate configuration is the config source.";

Enns, et al.                 Standards Track                  [Page 103]



RFC 6241                    NETCONF Protocol                   June 2011

            }
            leaf running {
              type empty;
              description
                "The running configuration is the config source.";
            }
            leaf startup {
              if-feature startup;
              type empty;
              description
                "The startup configuration is the config source.";
            }
            leaf url {
              if-feature url;
              type inet:uri;
              description
                "The URL-based configuration is the config source.";
            }
            anyxml config {
              description
                "Inline Config content: <config> element.  Represents
                 an entire configuration datastore, not
                 a subset of the running datastore.";
            }
          }
        }
      }
    }

  }

  <CODE ENDS>

Enns, et al.                 Standards Track                  [Page 104]



RFC 6241                    NETCONF Protocol                   June 2011

Appendix D.  Capability Template

   This non-normative section defines a template that can be used to
   define protocol capabilities.  Data models written in YANG usually do
   not need to define protocol capabilities since the usage of YANG
   automatically leads to a capability announcing the data model and any
   optional portions of the data model, so called features in YANG
   terminology.  The capabilities template is intended to be used in
   cases where the YANG mechanisms are not powerful enough (e.g., for
   handling parameterized features) or a different data modeling
   language is used.

D.1.  capability-name (template)

D.1.1.  Overview

D.1.2.  Dependencies

D.1.3.  Capability Identifier

   The {name} capability is identified by the following capability
   string:

      {capability uri}

D.1.4.  New Operations

D.1.4.1.  <op-name>

D.1.5.  Modifications to Existing Operations

D.1.5.1.  <op-name>

   If existing operations are not modified by this capability, this
   section may be omitted.

D.1.6.  Interactions with Other Capabilities

   If this capability does not interact with other capabilities, this
   section may be omitted.

Enns, et al.                 Standards Track                  [Page 105]



RFC 6241                    NETCONF Protocol                   June 2011

Appendix E.  Configuring Multiple Devices with NETCONF

   This section is non-normative.

E.1.  Operations on Individual Devices

   Consider the work involved in performing a configuration update
   against a single individual device.  In making a change to the
   configuration, the application needs to build trust that its change
   has been made correctly and that it has not impacted the operation of
   the device.  The application (and the application user) should feel
   confident that their change has not damaged the network.

   Protecting each individual device consists of a number of steps:

   o  Acquiring the configuration lock.

   o  Checkpointing the running configuration.

   o  Loading and validating the incoming configuration.

   o  Changing the running configuration.

   o  Testing the new configuration.

   o  Making the change permanent (if desired).

   o  Releasing the configuration lock.

   Let's look at the details of each step.

E.1.1.  Acquiring the Configuration Lock

   A lock should be acquired to prevent simultaneous updates from
   multiple sources.  If multiple sources are affecting the device, the
   application is hampered in both testing of its change to the
   configuration and in recovery if the update fails.  Acquiring a
   short-lived lock is a simple defense to prevent other parties from
   introducing unrelated changes.

   The lock can be acquired using the <lock> operation.

Enns, et al.                 Standards Track                  [Page 106]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <lock>
         <target>
           <running/>
         </target>
       </lock>
     </rpc>

   If the :candidate capability is supported, the candidate
   configuration should be locked.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <lock>
         <target>
           <candidate/>
         </target>
       </lock>
     </rpc>

E.1.2.  Checkpointing the Running Configuration

   The running configuration can be saved into a local file as a
   checkpoint before loading the new configuration.  If the update
   fails, the configuration can be restored by reloading the checkpoint
   file.

   The checkpoint file can be created using the <copy-config> operation.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <copy-config>
         <target>
           <url>file://checkpoint.conf</url>
         </target>
         <source>
           <running/>
         </source>
       </copy-config>
     </rpc>

   To restore the checkpoint file, reverse the <source> and <target>
   parameters.

Enns, et al.                 Standards Track                  [Page 107]



RFC 6241                    NETCONF Protocol                   June 2011

E.1.3.  Loading and Validating the Incoming Configuration

   If the :candidate capability is supported, the configuration can be
   loaded onto the device without impacting the running system.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <candidate/>
         </target>
         <config>
           <!-- place incoming configuration changes here -->
         </config>
       </edit-config>
     </rpc>

   If the device supports the :validate:1.1 capability, it will by
   default validate the incoming configuration when it is loaded into
   the candidate.  To avoid this validation, pass the <test-option>
   parameter with the value "set".  Full validation can be requested
   with the <validate> operation.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <validate>
         <source>
           <candidate/>
         </source>
       </validate>
     </rpc>

E.1.4.  Changing the Running Configuration

   When the incoming configuration has been safely loaded onto the
   device and validated, it is ready to impact the running system.

   If the device supports the :candidate capability, use the <commit>
   operation to set the running configuration to the candidate
   configuration.  Use the <confirmed> parameter to allow automatic
   reversion to the original configuration if connectivity to the device
   fails.

Enns, et al.                 Standards Track                  [Page 108]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit>
         <confirmed/>
         <confirm-timeout>120</confirm-timeout>
       </commit>
     </rpc>

   If the candidate is not supported by the device, the incoming
   configuration change is loaded directly into running.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <config>
           <!-- place incoming configuration changes here -->
         </config>
       </edit-config>
     </rpc>

E.1.5.  Testing the New Configuration

   Now that the incoming configuration has been integrated into the
   running configuration, the application needs to gain trust that the
   change has affected the device in the way intended without affecting
   it negatively.

   To gain this confidence, the application can run tests of the
   operational state of the device.  The nature of the test is dependent
   on the nature of the change and is outside the scope of this
   document.  Such tests may include reachability from the system
   running the application (using ping), changes in reachability to the
   rest of the network (by comparing the device's routing table), or
   inspection of the particular change (looking for operational evidence
   of the BGP peer that was just added).

E.1.6.  Making the Change Permanent

   When the configuration change is in place and the application has
   sufficient faith in the proper function of this change, the
   application is expected to make the change permanent.

   If the device supports the :startup capability, the current
   configuration can be saved to the startup configuration by using the
   startup configuration as the target of the <copy-config> operation.

Enns, et al.                 Standards Track                  [Page 109]



RFC 6241                    NETCONF Protocol                   June 2011

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <copy-config>
         <target>
           <startup/>
         </target>
         <source>
           <running/>
         </source>
       </copy-config>
     </rpc>

   If the device supports the :candidate capability and a confirmed
   commit was requested, the confirming commit must be sent before the
   timeout expires.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <commit/>
     </rpc>

E.1.7.  Releasing the Configuration Lock

   When the configuration update is complete, the lock must be released,
   allowing other applications access to the configuration.

   Use the <unlock> operation to release the configuration lock.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <unlock>
         <target>
           <running/>
         </target>
       </unlock>
     </rpc>

   If the :candidate capability is supported, the candidate
   configuration should be unlocked.

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <unlock>
         <target>
           <candidate/>
         </target>
       </unlock>
     </rpc>

Enns, et al.                 Standards Track                  [Page 110]



RFC 6241                    NETCONF Protocol                   June 2011

E.2.  Operations on Multiple Devices

   When a configuration change requires updates across a number of
   devices, care needs to be taken to provide the required transaction
   semantics.  The NETCONF protocol contains sufficient primitives upon
   which transaction-oriented operations can be built.  Providing
   complete transactional semantics across multiple devices is
   prohibitively expensive, but the size and number of windows for
   failure scenarios can be reduced.

   There are two classes of multi-device operations.  The first class
   allows the operation to fail on individual devices without requiring
   all devices to revert to their original state.  The operation can be
   retried at a later time, or its failure simply reported to the user.
   An example of this class might be adding an NTP server.  For this
   class of operations, failure avoidance and recovery are focused on
   the individual device.  This means recovery of the device, reporting
   the failure, and perhaps scheduling another attempt.

   The second class is more interesting, requiring that the operation
   should complete on all devices or be fully reversed.  The network
   should either be transformed into a new state or be reset to its
   original state.  For example, a change to a VPN may require updates
   to a number of devices.  Another example of this might be adding a
   class-of-service definition.  Leaving the network in a state where
   only a portion of the devices have been updated with the new
   definition will lead to future failures when the definition is
   referenced.

   To give transactional semantics, the same steps used in single-device
   operations listed above are used, but are performed in parallel
   across all devices.  Configuration locks should be acquired on all
   target devices and kept until all devices are updated and the changes
   made permanent.  Configuration changes should be uploaded and
   validation performed across all devices.  Checkpoints should be made
   on each device.  Then the running configuration can be changed,
   tested, and made permanent.  If any of these steps fail, the previous
   configurations can be restored on any devices upon which they were
   changed.  After the changes have been completely implemented or
   completely discarded, the locks on each device can be released.

Enns, et al.                 Standards Track                  [Page 111]



RFC 6241                    NETCONF Protocol                   June 2011

Appendix F.  Changes from RFC 4741

   This section lists major changes between this document and RFC 4741.

   o  Added the "malformed-message" error-tag.

   o  Added "remove" enumeration value to the "operation" attribute.

   o  Obsoleted the "partial-operation" error-tag enumeration value.

   o  Added <persist> and <persist-id> parameters to the <commit>
      operation.

   o  Updated the base protocol URI and clarified the <hello> message
      exchange to select and identify the base protocol version in use
      for a particular session.

   o  Added a YANG module to model the operations and removed the
      operation layer from the XSD.

   o  Clarified lock behavior for the candidate datastore.

   o  Clarified the error response server requirements for the "delete"
      enumeration value of the "operation" attribute.

   o  Added a namespace wildcarding mechanism for subtree filtering.

   o  Added a "test-only" value for the <test-option> parameter to the
      <edit-config> operation.

   o  Added a <cancel-commit> operation.

   o  Introduced a NETCONF username and a requirement for transport
      protocols to explain how a username is derived.

Enns, et al.                 Standards Track                  [Page 112]



RFC 6241                    NETCONF Protocol                   June 2011

Authors' Addresses

   Rob Enns (editor)
   Juniper Networks

   EMail: rob.enns@gmail.com

   Martin Bjorklund (editor)
   Tail-f Systems

   EMail: mbj@tail-f.com

   Juergen Schoenwaelder (editor)
   Jacobs University

   EMail: j.schoenwaelder@jacobs-university.de

   Andy Bierman (editor)
   Brocade

   EMail: andy.bierman@brocade.com

Enns, et al.                 Standards Track                  [Page 113]