draft-ietf-netmod-factory-default-14.txt   draft-ietf-netmod-factory-default-15.txt 
NETMOD Working Group Q. Wu NETMOD Working Group Q. Wu
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track B. Lengyel Intended status: Standards Track B. Lengyel
Expires: August 29, 2020 Ericsson Hungary Expires: October 27, 2020 Ericsson Hungary
Y. Niu Y. Niu
Huawei Huawei
February 26, 2020 April 25, 2020
A YANG Data Model for Factory Default Settings A YANG Data Model for Factory Default Settings
draft-ietf-netmod-factory-default-14 draft-ietf-netmod-factory-default-15
Abstract Abstract
This document defines a YANG data model to allow clients to reset a This document defines a YANG data model with the "factory-reset" RPC
server back to its factory default condition. It also defines a to allow clients to reset a server back to its factory default
"factory-default" datastore to allow clients to read the factory condition. It also defines an optional "factory-default" datastore
default configuration for the device. to allow clients to read the factory default configuration for the
device.
The YANG data model in this document conforms to the Network The YANG data model in this document conforms to the Network
Management Datastore Architecture (NMDA) defined in RFC 8342. Management Datastore Architecture (NMDA) defined in RFC 8342.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 29, 2020. This Internet-Draft will expire on October 27, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Factory-Reset RPC . . . . . . . . . . . . . . . . . . . . . . 3 2. Factory-Reset RPC . . . . . . . . . . . . . . . . . . . . . . 3
3. Factory-Default Datastore . . . . . . . . . . . . . . . . . . 4 3. Factory-Default Datastore . . . . . . . . . . . . . . . . . . 4
4. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 8 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Changes between revisions . . . . . . . . . . . . . 9 Appendix A. Changes between revisions . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document defines a method to reset a server to its factory This document defines a YANG data model and associated mechanism to
default content. The reset operation may be used, e.g., when the reset a server to its factory default content. This mechanism may be
existing configuration has major errors so re-starting the used, e.g., when the existing configuration has major errors so re-
configuration process from scratch is the best option. starting the configuration process from scratch is the best option.
A "factory-reset" RPC is defined. When resetting a device, all A "factory-reset" RPC is defined within the YANG data model. When
previous configuration settings will be lost and replaced by the resetting a device, all previous configuration settings will be lost
factory default content. and replaced by the factory default content.
A "factory-default" read-only datastore is defined, that contains the In addition, an optional "factory-default" read-only datastore is
data to replace the contents of implemented read-write conventional defined within the YANG data model, that contains the data to replace
configuration datastores at reset. This datastore can also be used the contents of implemented read-write conventional configuration
in the <get-data> operation. datastores at reset. This datastore can also be used in the <get-
data> operation.
The YANG data model in this document conforms to the Network The YANG data model in this document conforms to the Network
Management Datastore Architecture defined in [RFC8342]. Management Datastore Architecture defined in [RFC8342].
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
skipping to change at page 3, line 31 skipping to change at page 3, line 37
o conventional configuration datastore o conventional configuration datastore
o datastore schema o datastore schema
o RPC operation o RPC operation
The following terms are defined in this document as follows: The following terms are defined in this document as follows:
o factory-default datastore: A read-only configuration datastore o factory-default datastore: A read-only configuration datastore
holding a preconfigured initial configuration that is used to holding a pre-set initial configuration that is used to initialize
initialize the configuration of a server. This datastore is the configuration of a server. This datastore is referred to as
referred to as "<factory-default>". "<factory-default>".
2. Factory-Reset RPC 2. Factory-Reset RPC
A new "factory-reset" RPC is introduced. Upon receiving the RPC A new "factory-reset" remote procedure call (RPC) is introduced.
Upon receiving the RPC:
o All supported conventional read-write configuration datastores o All supported conventional read-write configuration datastores
(i.e. <running>, <startup>, and <candidate>) are reset to the (i.e. <running>, <startup>, and <candidate>) are reset to the
contents of <factory-default>. contents of <factory-default>.
o Read-only datastores receive their content from other o Read-only datastores receive their content from other datastores
datastores(e.g., <intended> gets its content from <running>). (e.g., <intended> gets its content from <running>).
o All data in any dynamic configuration datastores MUST be o All data in any dynamic configuration datastores MUST be
discarded. discarded.
o The contents of the <operational> datastore MUST reflect the o The contents of the <operational> datastore MUST reflect the
operational state of the device after applying the factory default operational state of the device after applying the factory default
configuration. configuration.
In addition, the "factory-reset" RPC MUST restore non-volatile In addition, the "factory-reset" RPC MUST restore non-volatile
storage to factory condition. Depending on the system, this may storage to factory condition. Depending on the system, this may
entail deleting dynamically generated files, such as those containing entail deleting dynamically generated files, such as those containing
keys (e.g., /etc/ssl/private), certificates (e.g., /etc/ssl), logs keys (e.g., /etc/ssl/private), certificates (e.g., /etc/ssl), logs
(e.g., /var/log), and temporary files (e.g., /tmp/*). All security (e.g., /var/log), and temporary files (e.g., /tmp/*). Any other
sensitive data (i.e., private keys, passwords, etc.) SHOULD be cryptographic keys that are part of the factory-installed image will
overwritten with zeros or a pattern before deletion. The "factory- be retained (such as an IDevID certificate) [I-D.ietf-anima-
reset" RPC MAY also be used to trigger some other resetting tasks bootstrapping-keyinfra]. When this process includes security-
such as restarting the node or some of the software processes. sensitive data such as cryptographic keys or passwords, it is
RECOMMENDED to perform the deletion in a manner as thorough as
possible (e.g., overwriting the physical storage medium with zeros
and/or random bits for repurpose or end of life (EoL) disposal) to
reduce the risk of the sensitive material being recoverable. The
"factory-reset" RPC MAY also be used to trigger some other resetting
tasks such as restarting the node or some of the software processes.
Note that operators should be aware that since all read-write Note that operators should be aware that since all read-write
datastores are immediately reset to factory default, the device may datastores are immediately reset to factory default, the device may
become unreachable on the network. It is important to understand how become unreachable as a host on the network. It is important to
a given vendor's device will behave after the RPC is executed. understand how a given vendor's device will behave after the RPC is
Implementors SHOULD reboot the device or otherwise restart processes executed. Implementors SHOULD reboot the device and get it properly
needed to bootstrap it. configured or otherwise restart processes needed to bootstrap it.
3. Factory-Default Datastore 3. Factory-Default Datastore
Following the guidelines for defining Datastores in the appendix A of Following the guidelines for defining Datastores in the appendix A of
[RFC8342], this document introduces a new optional datastore resource [RFC8342], this document introduces a new optional datastore resource
named "factory-default" that represents a preconfigured initial named "factory-default" that represents a pre-set initial
configuration that can be used to initialize the configuration of a configuration that can be used to initialize the configuration of a
server. A device MAY implement the "factory-reset" RPC without server. A device MAY implement the "factory-reset" RPC without
implementing the "factory-default" datastore, which would only implementing the "factory-default" datastore, which would only
eliminate the ability to programmatically determine the factory eliminate the ability to programmatically determine the factory
default configuration. default configuration.
o Name: "factory-default" o Name: "factory-default"
o YANG modules: The factory default datastore schema MUST either be o YANG modules: The factory default datastore schema MUST either be
the same as the conventional configuration datastores, or a subset the same as the conventional configuration datastores, or a subset
skipping to change at page 5, line 12 skipping to change at page 5, line 25
automatically to any other read only datastores, e.g., <intended> automatically to any other read only datastores, e.g., <intended>
and <operational>. and <operational>.
o Origin: This document does not define a new origin identity as it o Origin: This document does not define a new origin identity as it
does not interact with the <operational> datastore. does not interact with the <operational> datastore.
o Protocols: RESTCONF, NETCONF and other management protocol. o Protocols: RESTCONF, NETCONF and other management protocol.
o Defining YANG module: "ietf-factory-default". o Defining YANG module: "ietf-factory-default".
The contents of <factory-default> is defined by the device vendor and The contents of <factory-default> are defined by the device vendor
MUST persist across device restarts. If supported, the factory- and MUST persist across device restarts. If supported, the factory-
default datastore MUST be included in the list of datastores in YANG default datastore MUST be included in the list of datastores in YANG
library [RFC 8525]. library [RFC 8525].
4. YANG Module 4. YANG Module
This module uses the "datastore" identity [RFC8342], and the This module uses the "datastore" identity [RFC8342], and the
"default-deny-all" extension statement from [RFC8341]. "default-deny-all" extension statement from [RFC8341].
<CODE BEGINS> file "ietf-factory-default@2019-11-27.yang" <CODE BEGINS> file "ietf-factory-default@2019-11-27.yang"
module ietf-factory-default { module ietf-factory-default {
skipping to change at page 7, line 8 skipping to change at page 7, line 21
Depending on the factory default configuration, after Depending on the factory default configuration, after
being reset, the device may become unreachable on the being reset, the device may become unreachable on the
network."; network.";
} }
identity factory-default { identity factory-default {
if-feature "factory-default-datastore"; if-feature "factory-default-datastore";
base ds:datastore; base ds:datastore;
description description
"This read-only datastore contains the factory default "This read-only datastore contains the factory default
configuration for the device used to replace the contents configuration for the device that will be used to replace
of the read-write conventional configuration datastores the contents of the read-write conventional configuration
during a 'factory-reset' RPC operation."; datastores during a 'factory-reset' RPC operation.";
} }
} }
<CODE ENDS> <CODE ENDS>
5. IANA Considerations 5. IANA Considerations
This document registers one URI in the IETF XML Registry [RFC3688]. This document registers one URI in the IETF XML Registry [RFC3688].
The following registration has been made: The following registration has been made:
URI: urn:ietf:params:xml:ns:yang:ietf-factory-default URI: urn:ietf:params:xml:ns:yang:ietf-factory-default
skipping to change at page 7, line 41 skipping to change at page 8, line 7
6. Security Considerations 6. Security Considerations
The YANG module defined in this document extends the base operations The YANG module defined in this document extends the base operations
for NETCONF [RFC6241] and RESTCONF [RFC8040]. The lowest NETCONF for NETCONF [RFC6241] and RESTCONF [RFC8040]. The lowest NETCONF
layer is the secure transport layer, and the mandatory-to-implement layer is the secure transport layer, and the mandatory-to-implement
secure transport is Secure Shell (SSH) [RFC6242]. The lowest secure transport is Secure Shell (SSH) [RFC6242]. The lowest
RESTCONF layer is HTTPS, and the mandatory-to-implement secure RESTCONF layer is HTTPS, and the mandatory-to-implement secure
transport is TLS [RFC8446]. transport is TLS [RFC8446].
Access to the "factory-reset" RPC operation is considered sensitive Access to the "factory-reset" RPC operation and factory default
and therefore has been restricted using the "default-deny-all" access values of all configuration data nodes within "factory-default"
control defined in [RFC8341]. datastore is considered sensitive and therefore has been restricted
using the "default-deny-all" access control defined in [RFC8341].
The "factory-reset" RPC can prevent any further management of the The "factory-reset" RPC can prevent any further management of the
device if the session and client config are included in the factory device when the server is reset back to its factory default
default contents. condition,e.g., the session and client config are included in the
factory default contents or treated as dynamic files on the
nonvoliatile storage and overwritten by the the "factory-reset" RPC.
The operational disruption caused by setting the config to factory The operational disruption caused by setting the config to factory
default contents varies greatly depending on the implementation and default contents or lacking appropriate security control on factory
current config. default configuration varies greatly depending on the implementation
and current config.
The non-volatile storage is expected to be wiped clean and reset back The non-volatile storage is expected to be wiped clean and reset back
to the factory default state, but there is no guarantee that the data to the factory default state, but there is no guarantee that the data
is wiped according to any particular data cleansing standard, and the is wiped according to any particular data cleansing standard, and the
owner of the device MUST NOT rely on any sensitive data (e.g., owner of the device MUST NOT rely on any sensitive data (e.g.,
private keys) being forensically unrecoverable from the device's non- private keys) being forensically unrecoverable from the device's non-
volatile storage after a factory-reset RPC has been invoked. volatile storage after a factory-reset RPC has been invoked.
7. Acknowledgements 7. Acknowledgements
Thanks to Juergen Schoenwaelder, Ladislav Lhotka, Alex Campbell, Joe Thanks to Juergen Schoenwaelder, Ladislav Lhotka, Alex Campbell, Joe
Clarke, Robert Wilton, Kent Watsen, Joel Jaeggli, Lou Berger, Andy Clarke, Robert Wilton, Kent Watsen, Joel Jaeggli, Lou Berger, Andy
Bierman, Susan Hares for reviewing this draft and providing important Bierman, Susan Hares, Benjamin Kaduk, Stephen Kent, Stewart Bryant,
input to this document. Eric Vyncke, Murray Kucherawy, Roman Danyliw, Tony Przygienda, John
Heasley for reviewing this draft and providing important input to
this document.
8. Contributors 8. Contributors
Rohit R Ranade Rohit R Ranade
Huawei Huawei
Email: rohitrranade@huawei.com Email: rohitrranade@huawei.com
9. References 9. References
9.1. Normative References 9.1. Normative References
skipping to change at page 9, line 22 skipping to change at page 9, line 44
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
9.2. Informative References 9.2. Informative References
[I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-41 (work in progress), April 2020.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
skipping to change at page 9, line 43 skipping to change at page 10, line 26
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
Appendix A. Changes between revisions Appendix A. Changes between revisions
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
v14 -15
o Address comments raised in IESG review.
v13 - 14 v13 - 14
o Address additional issues raised during AD review. o Address additional issues raised during AD review.
v12 - 13 v12 - 13
o Address issues raised during AD review. o Address issues raised during AD review.
v11 - 12 v11 - 12
o Fix IDnits and reference issues from Shepherd review. o Fix IDnits and reference issues from Shepherd review.
v10 - 11 v10 - 11
o Incorporate additional Shepherd review's comments. o Incorporate additional Shepherd review's comments.
v09 - 10 v09 - 10
o Incorporate Shepherd review's comments. o Incorporate Shepherd review's comments.
 End of changes. 25 change blocks. 
52 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/