Network Working Group                                           A. Clemm
Internet-Draft                                        A. Gonzalez Prieto
Intended status: Standards Track                                 E. Voit
Expires: January 7, 2016                                   Cisco Systems
                                                            July 6, 2015

               Subscribing to YANG datastore push updates


   This document defines a subscription and push mechanism for YANG
   datastores.  This mechanism allows client applications to request
   updates from a YANG datastore, which are then pushed by the server to
   the client per a subscription policy, without requiring additional
   client requests.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Clemm, et al.            Expires January 7, 2016                [Page 1]

Internet-Draft               Datastore-Push                    July 2015

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Definitions and Acronyms  . . . . . . . . . . . . . . . . . .   5
   3.  Solution Overview . . . . . . . . . . . . . . . . . . . . . .   6
     3.1.  Subscription Model  . . . . . . . . . . . . . . . . . . .   7
     3.2.  Negotiation of Subscription Policies  . . . . . . . . . .   8
     3.3.  On-Change Considerations  . . . . . . . . . . . . . . . .   8
     3.4.  Additional on-change update triggers  . . . . . . . . . .   9
     3.5.  Data Encodings  . . . . . . . . . . . . . . . . . . . . .  10
     3.6.  Custom Datastreams  . . . . . . . . . . . . . . . . . . .  10
     3.7.  Push Data Stream and Transport Mapping  . . . . . . . . .  11
     3.8.  Subscription operations . . . . . . . . . . . . . . . . .  12
     3.9.  A YANG data model for management of datastore push
           subscriptions . . . . . . . . . . . . . . . . . . . . . .  16
     3.10. Other considerations  . . . . . . . . . . . . . . . . . .  18
       3.10.1.  Authorization  . . . . . . . . . . . . . . . . . . .  18
       3.10.2.  Additional subscription primitives . . . . . . . . .  19
       3.10.3.  Robustness and reliability considerations  . . . . .  20
       3.10.4.  Update size and fragmentation considerations . . . .  20
       3.10.5.  Additional data streams  . . . . . . . . . . . . . .  20
       3.10.6.  Subscription persistency . . . . . . . . . . . . . .  20
       3.10.7.  Implementation considerations  . . . . . . . . . . .  21
   4.  YANG module . . . . . . . . . . . . . . . . . . . . . . . . .  22
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  31
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  31
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  31
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  32
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  32

Clemm, et al.            Expires January 7, 2016                [Page 2]

Internet-Draft               Datastore-Push                    July 2015

1.  Introduction

   YANG [RFC6020] was originally designed for the Netconf protocol
   [RFC6241], which originally put most emphasis on configuration.
   However, YANG is not restricted to configuration data.  YANG
   datastores, i.e. datastores that contain data modeled according using
   YANG, can contain configuration as well as operational data.  It is
   therefore reasonable to expect that data in YANG datastores will
   increasingly be used to support applications that are not focused on
   managing configurations but that are, for example, related to service

   Service assurance applications typically involve monitoring
   operational state of networks and devices; of particular interest are
   changes that this data undergoes over time.  Likewise, there are
   applications in which data and objects from one datastore need to be
   made available both to applications in other systems and to remote
   datastores [I-D.voit-netmod-peer-mount-requirements]
   [I-D.clemm-netmod-mount].  This requires mechanisms that allow remote
   systems to become quickly aware of any updates to allow to validate
   and maintain cross-network integrity and consistency.

   Traditional approaches to remote network state visibility rely
   heavily on polling.  With polling, data is periodically explicitly
   retrieved by a client from a server to stay up-to-date.

   There are various issues associated with polling-based management:

   o  It introduces additional load on network, devices, and
      applications.  Each polling cycle requires a separate yet arguably
      redundant request that results in an interrupt, requires parsing,
      consumes bandwidth.

   o  It lacks robustness.  Polling cycles may be missed, requests may
      be delayed or get lost, often particularly in cases when the
      network is under stress and hence exactly when the need for the
      data is the greatest.

   o  Data may be difficult to calibrate and compare.  Polling requests
      may undergo slight fluctuations, resulting in intervals of
      different lengths which makes data hard to compare.  Likewise,
      pollers may have difficulty issuing requests that reach all
      devices at the same time, resulting in offset polling intervals
      which again make data hard to compare.

   A more effective alternative is when an application can request to be
   automatically updated as necessary of current content of the
   datastore (such as a subtree, or data in a subtree that meets a

Clemm, et al.            Expires January 7, 2016                [Page 3]

Internet-Draft               Datastore-Push                    July 2015

   certain filter condition), and in which the server that maintains the
   datastore subsequently pushes those updates.  However, such a
   solution does not currently exist.

   The need to perform polling-based management is typically considered
   an important shortcoming of management applications that rely on MIBs
   polled using SNMP [RFC1157].  However, without a provision to support
   a push-based alternative, there is no reason to believe that
   management applications that operate on YANG datastores using
   protocols such as NETCONF [RFC6241] or Restconf
   [I-D.ietf-netconf-restconf] will be any more effective, as they would
   follow the same request/response pattern.

   While YANG allows the definition of notifications, such notifications
   are generally intended to indicate the occurrence of certain well-
   specified event conditions, such as a the onset of an alarm condition
   or the occurrence of an error.  A capability to subscribe to and
   deliver event notifications has been defined in [RFC5277].  In
   addition, configuration change notifications have been defined in
   [RFC6470].  These change notifications pertain only to configuration
   information, not to operational state, and convey the root of the
   subtree to which changes were applied along with the edits, but not
   the modified data nodes and their values.

   Accordingly, there is a need for a service that allows client
   applications to subscribe to updates of a YANG datastore and that
   allows the server to push those updates.  The requirements for such a
   service are documented in [I-D.i2rs-pub-sub-requirements].  This
   document proposes a solution that features the following

   o  A mechanism that allows clients to subscribe to automatic
      datastore updates, and the means to manage those subscription.
      The subscription allows clients to specify which data they are
      interested in, and to provide optional filters with criteria that
      data must meet for updates to be sent.  Furthermore, subscription
      can specify a policy that directs when updates are provided.  For
      example, a client may request to be updated periodically in
      certain intervals, or whenever data changes occur.

   o  The ability for a server to push back on requested subscription
      parameters.  Because not every server may support every requested
      interval for every piece of data, it is necessary for a server to
      be able to indicate whether or not it is capable of supporting a
      requested subscription, and possibly allow to negotiate
      subscription parameters.

Clemm, et al.            Expires January 7, 2016                [Page 4]

Internet-Draft               Datastore-Push                    July 2015

   o  A mechanism to communicate the updates themselves.  For this, the
      proposal leverages and extends existing YANG/Netconf/Restconf
      mechanisms, defining special notifications that carry updates.

   This document specifies a YANG data model to manage subscriptions to
   data in YANG datastores, and to configure associated filters and data
   streams.  It defines extensions to RPCs defined in [RFC5277] that
   allow to extend notification subscriptions to subscriptions for
   datastore updates.  It also defines a notification that can be used
   to carry data updates and thus serve as push mechanism.

2.  Definitions and Acronyms

   Data node: An instance of management information in a YANG datastore.

   Data record: A record containing a set of one or more data node
   instances and their associated values.

   Datastore: A conceptual store of instantiated management information,
   with individual data items represented by data nodes which are
   arranged in hierarchical manner.

   Datastream: A continuous stream of data records, each including a set
   of updates, i.e. data node instances and their associated values.

   Data subtree: An instantiated data node and the data nodes that are
   hierarchically contained within it.

   NACM: NETCONF Access Control Model

   NETCONF: Network Configuration Protocol

   Push-update stream: A conceptual data stream of a datastore that
   streams the entire datastore contents continuously and perpetually.

   RPC: Remote Procedure Call

   SNMP: Simple Network Management Protocol

   Subscription: A contract between a client ("subscriber") and a server
   ("publisher"), stipulating which information the client wishes to
   receive from the server (and which information the server has to
   provide to the client) without the need for further solicitation.

   Subscription filter: A filter that contains evaluation criteria which
   are evaluated against YANG objects of a subscription.  An update is
   only published if the object meets the specified filter criteria.

Clemm, et al.            Expires January 7, 2016                [Page 5]

Internet-Draft               Datastore-Push                    July 2015

   Subscription policy: A policy that specifies under what circumstances
   to push an update, e.g. whether updates are to be provided
   periodically or only whenever changes occur.

   Update: A data item containing the current value of a data node.

   Update trigger: A trigger, as specified by a subscription policy,
   that causes an update to be sent, respectively a data record to be
   generated.  An example of a trigger is a change trigger, invoked when
   the value of a data node changes or a data node is created or
   deleted, or a time trigger, invoked after the laps of a periodic time

   URI: Uniform Resource Identifier

   YANG: A data definition language for NETCONF

   Yang-push: The subscription and push mechanism for YANG datastores
   that is specified in this document.

3.  Solution Overview

   This document specifies a solution that allows clients to subscribe
   to information updates in a YANG datastore, which are subsequently
   pushed from the server to the client.

   Subscriptions are initiated by clients.  Servers respond to a
   subscription request explicitly positively or negatively.  Negative
   responses include information about why the subscription was not
   accepted, in order to facilitate converging on an acceptable set of
   subscription parameters.  Once a subscription has been established,
   datastore push updates are pushed from the server to the subscribing
   client until the subscription ends.

   Accordingly, the solution encompasses several components:

   o  The subscription model for configuration and management of the
      subscriptions, with a set of associated services.

   o  The ability to provide hints for acceptable subscription
      parameters, in cases where a subscription desired by a client
      cannot currently be served.

   o  The stream of datastore push updates.

   In addition, there are a number of additional considerations, such as
   the tie-in of the mechanisms with security mechanisms.  Each of those
   aspects will be discussed in the following subsections.

Clemm, et al.            Expires January 7, 2016                [Page 6]

Internet-Draft               Datastore-Push                    July 2015

3.1.  Subscription Model

   Yang-push subscriptions are defined using a data model.  This model
   is based on the subscriptions defined in [RFC-5277], which is also
   reused in Restconf.  The model is extended with several parameters,
   including a subscription type and a subscription ID.

   A subscription refers to a datastream.  The subscription model
   assumes the presence of a conceptual perpetual datastream "push-
   update" of continuous datastore updates.  A subscription refers to
   this datastream and specifies filters that are to be applied to, it
   for example, to provide only those subsets of the information that
   match a filter criteria.  In addition, a subscription specifies a
   subscription policy that defines the trigger when data records should
   be sent, for example at periodic intervals or whenever underlying
   data items change.

   The complete set of subscription parameters is as follows:

   o  The name of the stream being subscribe to.  The subscription model
      always assumes the presence of a perpetual and continuous stream
      of updates.  The stream is called "push-update".  However, as
      mentioned, it is possible to subscribe to other datastreams, such
      as custom datastreams which can be separately configured.

   o  Optional filter(s), describing the subset of data items in the
      stream's data records that are of interest to the subscriber.  The
      server should only send to the subscriber the data items that
      match the filter(s), when present.  The absence of a filter
      indicates that all data items from the stream are of interest to
      the subscriber and all data records must be sent in their entirety
      to the subscriber.  Two filtering mechanisms are provided: subtree
      filtering and Xpath filtering, with the semantics described in
      [RFC 5277 Section 3.6].  (Additional filter types can be added
      through extensions.)

   o  An identifier for the subscription.

   o  An optional start time.  Used to trigger replays starting at the
      provided time.  Its semantics are those in [RFC 5277].

   o  An optional stop time.  Used to limit temporarily the events of
      interest.  Its semantics are those in [RFC 5277].

   o  For subscriptions to "push-update", a subscription policy
      definition regarding the update trigger to send new updates.  The
      trigger can be periodic or based on change.  For periodic
      subscriptions, the trigger is defined by a parameter that defines

Clemm, et al.            Expires January 7, 2016                [Page 7]

Internet-Draft               Datastore-Push                    July 2015

      the interval with which updates are to be pushed.  For on-change
      subscriptions, the trigger occurs when a change in the subscribed
      information is detected.  On-change subscriptions have more
      complex semantics that is guided by additional parameters.  One
      parameter specifies the dampening period, i.e. the interval that
      must pass before a successive update for the same data node is
      sent.  Other parameters allow to restrict the types of changes for
      which updates are sent (changes to object values, object creation
      or deletion events), and to specify the magnitude of change that
      must occur before an update is triggered.  Please refer also to
      Section 3.3 and Section 3.4.

   o  An encoding for the data in the push updates, e.g.  XML or JSON.

   It is conceivable that additional subscription parameters might be
   added in the future.  This can be accomplished through augmentation
   of the subscription data model.

3.2.  Negotiation of Subscription Policies

   A subscription rejection can be caused by the inability of the server
   to provide a stream with the requested semantics.  For example, a
   server may not be able to support "on-change" updates for operational
   data, or only support them for a limited set of data nodes.
   Likewise, a server may not be able to support a requested updated
   frequency, or a requested encoding.

   Yang-push supports a simple negotiation between clients and servers
   for subscription parameters.  The negotiation is limited to a single
   pair of subscription request and response.  For negative responses,
   the server SHOULD include in the returned error what subscription
   parameters would have been accepted for the request.  The returned
   acceptable parameters constitute suggestions that, when followed,
   increase the likelihood of success for subsequent requests.  However,
   they are no guarantee that subsequent requests for this client or
   others will in fact be accepted.

   In case a subscriber requests an encoding other than XML, and this
   encoding is not supported by the server, the server simply indicates
   in the response that the encoding is not supported.

3.3.  On-Change Considerations

   On-change subscriptions allow clients to subscribe to updates
   whenever changes to objects occur.  As such, on-change subscriptions
   are of particular interest for data that changes relatively
   infrequently, yet that require applications to be notified with
   minimal delay when changes do occur.

Clemm, et al.            Expires January 7, 2016                [Page 8]

Internet-Draft               Datastore-Push                    July 2015

   On-change subscriptions tend to be more difficult to implement than
   periodic subscriptions.  Specifically, on-change subscriptions may
   involve a notion of state to see if a change occurred between past
   and current state, or the ability to tap into changes as they occur
   in the underlying system.  Accordingly, on-change subscriptions may
   not be supported by all implementation or for every object.

   When an on-change subscription is requested for a datastream with a
   given subtree filter, where not all objects support on-change update
   triggers, the subscription request MUST be rejected.  As a result,
   on-change subscription requests will tend to be directed at very
   specific, targeted subtrees with only few objects.

   Any updates for an on-change subscription will include only objects
   for which a change was detected.  To avoid flooding clients with
   repeated updates for fast-changing objects, or objects with
   oscillating values, an on-change subscription allows for the
   definition of a dampening period.  Once an update for a given object
   is sent, no other updates for this particular object are sent until
   the end of the dampening period.

   In order to avoid sending updates on objects whose values undergo
   only a negligible change, it is conceivable to attach additional
   parameters to an on-change subscription specifying a policy that
   states how large or "significant" a change has to be before an update
   is sent.  A simple policy is a "delta-policy" that states, for
   integer-valued data nodes, the minimum difference between the current
   value and the value that was last reported that triggers an update.
   More sophisticated policies are conceivable, including policies
   specified in percentage terms or policies that take into account the
   rate of change.  While not specified as part of this draft, such
   policies can be accommodated by augmenting the subscription data
   model accordingly.

3.4.  Additional on-change update triggers

   In conjunction with on-change update triggers, it is conceivable to
   further differentiate between the type of change, i.e. whether a
   change involves the addition of a new data node, the removal of a
   data node, or a value change.

   For this purpose, an on-change qualifier is introduced that allows
   subscribers to specify which update triggers (create, delete, modify)
   to exclude if updates to all change types are not desired.

Clemm, et al.            Expires January 7, 2016                [Page 9]

Internet-Draft               Datastore-Push                    July 2015

3.5.  Data Encodings

   Subscribed data is encoded in either XML or JSON format.  A server
   MUST support XML encoding and MAY support JSON encoding.  XML
   encoding rules for data nodes are defined in [RFC6020].  JSON
   encoding rules are defined in [I-D.ietf-netmod-yang-json].  This
   encoding is valid JSON, but also has special encoding rules to
   identify module namespaces and provide consistent type processing of
   YANG data.

   It is conceivable that additional encodings may be supported as
   options in the future.  This can be accomplished by augmenting the
   subscription data model with additional identity statements used to
   refer to the encodings.

3.6.  Custom Datastreams

   Optionally, it is possible to introduce other datastreams (beyond the
   datastore-push datastream) with custom semantics.  Some datastreams
   can be custom configured.  The support of this is tied to a separate
   feature.  The configuration of a custom datastream specifies the
   trigger conditions under which new data records for the stream are
   generated, and which updates the corresponding data records contain.
   For example, the configuration of a datastream can specify which
   subsets of data nodes in a datastore the datastream should contain,
   which filter criteria the updates need to meet, and under what
   conditions to create updates - for example, periodically or whenever
   a data item changes.

   A subscription that refers to a custom datastream can specify a set
   of filters, like for the "push-update" datastream.  However, the
   policy as to when updates are triggered (periodically or on change)
   needs to be the same as the policy of the datastream and cannot be
   modified.  It is not possible, for example, to define a custom
   datastream which creates on-change updates, yet subscribe to that
   datastream with periodic updates.

   While conceptually similar, the choice between subscribing to
   datastream "push-update" or configuring and subscribing to a custom
   datastream can be thought of as analogous to the choice between
   operating a nozzle that is connected to a hose, or controlling the
   faucet (custom datastream).  Operating the nozzle is for most uses
   simpler; however, the option to operate the faucet instead can
   provide additional flexibility in some scenarios.

Clemm, et al.            Expires January 7, 2016               [Page 10]

Internet-Draft               Datastore-Push                    July 2015

3.7.  Push Data Stream and Transport Mapping

   Pushing data based on a subscription could be considered analogous to
   a response to a data retrieval request, e.g. a "get" request.
   However, contrary to such a request, multiple responses to the same
   request may get sent over a longer period of time.

   A more suitable mechanism is therefore that of a notification.
   Contrary to notifications associated with alarms and unexpected event
   occurrences, push updates are solicited, i.e. tied tied to a
   particular subscription which triggered the notification.  (An
   alternative conceptual model would consider a subscription an "opt-
   in" filter on a continuous stream of updates.)

   The notification contains several parameters:

   o  A subscription correlator, referencing the name of the
      subscription on whose behalf the notification is sent.

   o  A data node that contains a representation of the datastore
      subtree containing the updates.  The subtree is filtered per
      access control rules to contain only data that the subscriber is
      authorized to see.  Also, depending on the subscription type,
      i.e., specifically for on-change subscriptions, the subtree
      contains only the data nodes that contain actual changes.  (This
      can be simply a node of type string or, for XML-based encoding,

   Notifications are sent using <notification> elements as defined in
   [RFC5277].  Alternative transports are conceivable but outside the
   scope of this specification.

   The solution specified in this document uses notifications to
   communicate datastore updates.  The contents of the notification
   includes a set of explicitly defined data nodes.  For this purpose, a
   new generic notification is introduced, "push-update" notification.
   This notification is used to carry a data record with updates of
   datastore contents as specified by a subscription.

   The update record consists of a data snippet that contains an
   instantiated datastore subtree with the subscribed contents.  Data
   nodes that do not match filter criteria are removed.  Likewise, in
   the case of a subscription with "on-change" subscription policy, data
   nodes that have not undergone change are omitted.  The contents of
   the update record is equivalent to the contents that would be
   obtained had the same data been explicitly retrieved using e.g. a
   Netconf "get"-operation, with the same filters applied.

Clemm, et al.            Expires January 7, 2016               [Page 11]

Internet-Draft               Datastore-Push                    July 2015

   The contents of the notification conceptually represents the union of
   all data nodes in the yang modules supported by the server, excluding
   the following statements: "mandatory", "must", "min-elements", "max-
   elements", "when", and "default".  However, in a YANG data model, it
   is not practical to model the precise data contained in the updates
   as part of the notification.  This is because the specific data nodes
   supported depend on the implementing system and may even vary
   dynamically.  Therefore, to capture this data, a single parameter
   that can represent any datastore contents is used, not parameters
   that represent data nodes one at a time.

   The following is an example of push notification.  It contains an
   update for subscription my-sub, including a subtree with root foo
   that contains a leaf, bar:

  <?xml version="1.0" encoding="UTF-8"?>
  <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
     <subscription-id xmlns="urn:ietf:params:xml:ns:netconf:
     <datastore-contents xmlns="urn:ietf:params:xml:ns:netconf:

                          Figure 1: Push example

3.8.  Subscription operations

   There are several operations associated with subscriptions.  At the
   most basic level, clients need to be able to create subscriptions, as
   well as delete subscriptions when they are no longer needed.

   RFC 5277 specifies an operation to create subscriptions for event
   streams, <create-subscription>.  This operation is leveraged and
   extended to create datastore-push subscriptions.  The corresponding
   data model is defined in the "subscription-stream-policy" and
   "subscription-info" groupings of the YANG module defined in
   Section 4.  Specifically:

Clemm, et al.            Expires January 7, 2016               [Page 12]

Internet-Draft               Datastore-Push                    July 2015

   o  An additional parameter is added to allow for the specification of
      trigger policy.  If the trigger is periodic, a parameter specifies
      the period with which updates are to occur.  If the trigger is on
      change, a parameter specifies a dampening period that defines how
      much time must pass before another update for a data node is sent,
      once an update for that data node is sent.  Additional optional
      parameters can further refine trigger behavior, such as
      restrictions on the types of changes for which updates are to be

   o  An additional parameter is added to allow to specify, as an
      option, the desired encoding of the data payload.

   To support datastore push, a server MUST support the interleave
   capability specified in [RFC5277].  This is required to allow for
   modification of what data is being subscribed to without needing to
   establish a separate Netconf session.

   The example below illustrates a subscription for a periodic push of
   all data under a container called foo.

   <netconf:rpc message-id="101"
         <subscription-id xmlns="urn:ietf:params:xml:ns:netconf:
         <filter netconf:type="xpath"
         <period xmlns="urn:ietf:params:xml:ns:netconf:datastore-push:1.0">
         <encoding xmlns="urn:ietf:params:xml:ns:netconf:datastore-push:1.0">

                      Figure 2: Subscription example

   A success response by the server implies that the server will be able
   to serve the subscription as requested.  It constitutes a "promise"
   of the server to push updates to the subscriber along the parameters
   that were requested.

Clemm, et al.            Expires January 7, 2016               [Page 13]

Internet-Draft               Datastore-Push                    July 2015

   The server is not obliged to accept a request if there are any
   aspects of the request that it would not be able to meet.  This
   includes any reason, including update interval periods that are too
   short (requiring more resources than the server could handle), a
   filter condition that is not supported, or a requested encoding that
   is not supported.  Other failure reasons include specification of a
   subscription-id that is already in use (modify-subscription should be
   used to make changes to settings of existing subscriptions), or
   authorization failures (please refer also to section Section 3.10.1.)

   The example below illustrates a subscription response, where an agent
   does not support frequent periodic updates, and suggests a different
   sampling rate to the client.

   <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
            <supported-subscription xmlns="urn:ietf:params:xml:ns:

                Figure 3: Subscription negotiation example

   RFC 5277 does not specify operations to delete subscriptions.
   Instead, it assumes that an event subscription is associated with its
   own Netconf session.  When the session is torn down, the subscription
   is implicitly deleted.  Likewise, there is no operation to modify a
   subscription.  Modifying a subscription requires tearing down a
   Netconf session, starting a new one, and creating a new subscription.
   Furthermore, each session only supports a single subscription.
   Establishing multiple subscriptions requires multiple concurrent
   Netconf sessions.

   To facilitate datastore-push subscriptions, an additional RPC is
   introduced, <delete-subscription>.

   The <delete-subscription> operation takes as parameter a subscription
   ID.  As a result of the operation, the subscription is removed and no
   more data records will be sent.

Clemm, et al.            Expires January 7, 2016               [Page 14]

Internet-Draft               Datastore-Push                    July 2015

      <netconf:rpc message-id="102"
            <subscription-id xmlns="urn:ietf:params:xml:ns:netconf:

                      Figure 4: Subscription deletion

   Finally, a separate operation to modify a subscription is introduced,
   <modify-subscription>.  This operation takes the same parameters as
   <create-subscription>, but refers to an existing subscription.  Of
   course, a subscription could also be deleted and another be created.
   However, modify operation avoids issues regarding the synchronization
   of creation and deletion operations, such as potential loss or
   duplication of updates.  Also, a modify operation allows to simply
   extend an existing subscription beyond the initial subscription end

     <netconf:rpc message-id="103"
           <filter netconf:type="xpath"
           <period xmlns="urn:ietf:params:xml:ns:netconf:

                       Figure 5: Modify subscription

Clemm, et al.            Expires January 7, 2016               [Page 15]

Internet-Draft               Datastore-Push                    July 2015

3.9.  A YANG data model for management of datastore push subscriptions

   Subscriptions as well as datastreams can be subjected to management
   themselves.  For example, it is possible that a server may no longer
   be able to serve a subscription that it had previously accepted.
   Perhaps it has run out of resources, or internal errors may have
   occurred.  When this is the case, a server needs to be able to
   temporarily suspend the subscription, or even to terminate it.  More
   generally, the server should provide a means by which the status of
   subscriptions can be monitored.  When custom datastreams are
   supported, those datastreams need to be configured and monitored as

   For this purpose, a YANG data model is introduced, which is depicted
   in the following figure.

Clemm, et al.            Expires January 7, 2016               [Page 16]

Internet-Draft               Datastore-Push                    July 2015

   module: ietf-datastore-push
      +--rw streams {custom-streams}?
      |  +--rw stream* [stream-name]
      |     +--rw stream-name         string
      |     +--ro stream-status?      identityref
      |     +--rw subtree-filter?     subtree-filter
      |     +--rw xpath-filter?       yang:xpath1.0
      |     +--rw (update-trigger)?
      |        +--:(periodic)
      |        |  +--rw period?             yang:timeticks
      |        +--:(on-change)
      |           +--rw dampening-period    yang:timeticks
      |           +--rw excluded-change*    change-type
      |           +--rw (change-policy)?
      |              +--:(delta-policy)
      |                 +--rw delta?              uint32
      +--rw subscriptions
         +--ro datastore-push-subscription* [subscription-id]
            +--ro subscription-id        subscription-identifier
            +--ro subscription-status?   identityref
            +--ro stream?                string
            +--ro encoding?              encoding
            +--ro start-time?            yang:date-and-time
            +--ro stop-time?             yang:date-and-time
            +--ro subtree-filter?        subtree-filter
            +--ro xpath-filter?          yang:xpath1.0
            +--ro (update-trigger)?
               |  +--ro period?                yang:timeticks
                  +--ro dampening-period       yang:timeticks
                  +--ro excluded-change*       change-type
                  +--ro (change-policy)?
                        +--ro delta?                 uint32

                         Figure 6: Model structure

   Each subscription is represented as a list element "datastore-push-
   subscription".  The associated information includes an identifier for
   the subscription, a subscription status, as well as the various
   subscription paramters.  The subscription status indicates whether
   the subscription is currently active and healthy, or if it is
   degraded in some form.  Subscriptions are automatically removed from
   the list once they expire or are terminated.  Because subscriptions
   are managed using their own set of operation primitives, they are

Clemm, et al.            Expires January 7, 2016               [Page 17]

Internet-Draft               Datastore-Push                    July 2015

   An optional feature, custom-streams, is introduced to allow for the
   configuration of custom datastreams.  Custom datastreams are
   represented through a separate list, consisting of information used
   to configure those datastreams.  This information consititutes mostly
   configuration information, with the exception of parameters used to
   indicate the status and health of the datastream.

   In addition, a server needs to indicate any changes in status to the
   subscriber through a notification.  Specifically, subscribers need to
   be informed of the following:

   o  A subscription has been temporarily suspended (including the

   o  A subscription (that had been suspended earlier) is once again

   o  A subscription has been abnormally terminated (including the

   o  A subscription has been modified (including the current set of
      subscription parameters in effect)

   Finally, a server might provide additional information about
   subscriptions, such as statistics about the number of data updates
   that were sent.  However, such information is currently outside the
   scope of this specification.

3.10.  Other considerations

3.10.1.  Authorization

   A receiver of subscription data may only be sent updates for which
   they have proper authorization.  Data that is being pushed therefore
   needs to be subjected to a filter that applies all corresponding
   rules applicable at the time of a specific pushed update, removing
   any non-authorized data as applicable.

   The authorization model for data in YANG datastores is described in
   the Netconf Access Control Model [RFC6536].  However, some
   clarifications to that RFC are needed so that the desired access
   control behavior is applied to pushed updates.

   One of these clarifications is that a subscription may only be
   established if the Subscriber has read access to the target data

Clemm, et al.            Expires January 7, 2016               [Page 18]

Internet-Draft               Datastore-Push                    July 2015

                    +-------------+                 +-------------+
       subscription |  protocol   |                 |   target    |
       request -->  |  operation  | ------------->  |  data node  |
                    |  allowed?   |   datastore     |   access    |
                    +-------------+   or state      |  allowed?   |
                                      data access   +-------------+

                 Figure 7: Access control for subscription

   Likewise if a subscriber no longer has read access permission to a
   target data node, the subscription must be abnormally terminated
   (with loss of access permission as the reason provided).

   Another clarification to [RFC6536] is that each of the individual
   nodes in a pushed update must also go through access control
   filtering.  This includes new nodes added since the last push update,
   as well as existing nodes.  For each of these read access must be
   verified.  The methods of doing this efficiently are left to

                      +-------------+      +-------------------+
       subscription   |  data node  |  yes |                   |
       update  -->    |   access    | ---> | add data node     |
                      |  allowed?   |      | to update message |
                      +-------------+      +-------------------+

                 Figure 8: Access control for push updates

   If there are read access control changes applied under the target
   node, no notifications indicating the fact that this has occurred
   need to be provided.

3.10.2.  Additional subscription primitives

   Other possible operations include the ability for a Subscriber to
   request the suspension/resumption of a Subscription with a Publisher.
   However, subscriber driven suspension is not viewed as essential at
   this time, as a simpler alternative is to remove a subscription and
   recreate it when needed.

   It should be noted that this does not affect the ability of the
   Publisher to suspend a subscription.  This can occur in cases the
   server is not able to serve the subscription for a certain period of
   time, and indicated by a corresponding notification.

Clemm, et al.            Expires January 7, 2016               [Page 19]

Internet-Draft               Datastore-Push                    July 2015

3.10.3.  Robustness and reliability considerations

   Particularly in the case of on-change push updates, it is important
   that push updates do not get lost.  However, datastore-push uses a
   secure and reliable transport.  Notifications are not getting
   reordered, and in addition contain a time stamp.  For those reasons,
   we believe that additional reliability mechanisms at the application
   level, such as sequence numbers for push updates, are not required.

3.10.4.  Update size and fragmentation considerations

   Depending on the subscription, the volume of updates can become quite
   large.  There is no inherent limitation to the amount of data that
   can be included in a notification.  That said, it may not always be
   practical to send the entire update in a single chunk.
   Implementations MAY therefore choose, at their discretion, to "chunk"
   updates and break them out into several update notifications.

3.10.5.  Additional data streams

   The conceptual data stream introduced in this specification,
   datastore-push, includes the entire YANG datastore in its scope.  It
   is conceivable to introduce other data streams with more limited
   scope, for example:

   o  operdata-push, a datastream containing all operational (read-only)
      data of a YANG datastore

   o  operdata-nocounts-push, a datastream containing all operational
      (read-only) data with the exception of counters

   Those data streams make particular sense for use cases involving
   service assurance (not relying on operational data), and for use
   cases requiring on-change update triggers which make no sense to
   support in conjunction with fast-changing counters.  While it is
   possible to specify subtree filters on datastore-push to the same
   effect, having those data streams greatly simplifies articulating
   subscriptions in such scenarios.

3.10.6.  Subscription persistency

   This specification assumes that a subscriber will explicitly request
   a subscription before it receives any update.  It does not foresee
   that a subscription can be in effect without a subscriber needing to
   enter a subscription first.

   It is conceivable that scenarios exist in which subscriptions should
   be persisted and in effect simply constitute a part of a device's

Clemm, et al.            Expires January 7, 2016               [Page 20]

Internet-Draft               Datastore-Push                    July 2015

   configuration, i.e. scenarios that require a device to simply start
   sending updates without requiring a subscription to be established
   first.  While this possibility is not supported by this
   specification, there are several ways in which it can be addressed.
   One possibility involves adding a subscription configuration model,
   which allows to enter subscriptions as part of a configuration.
   Another possibility involves the introduction of a subscription
   proxy, a subscriber which acts as intermediary between the system
   whose updates are being subscribed to and the actual consuming

3.10.7.  Implementation considerations

   Implementation specifics are outside the scope of this specification.
   That said,it should be noted that monitoring of operational state
   changes inside a system can be associated with significant
   implementation challenges.

   Even periodic retrieval of operational state alone, to be able to
   push it, can consume considerable system resources.  Configuration
   data may in many cases be persisted in an actual database or a
   configuration file, where retrieval of the database content or the
   file itself is reasonably straightforward and computationally
   inexpensive.  However, retrieval of operational data may, depending
   on the implementation, require invocation of APIs, possibly on an
   object-by-object basis, possibly involving additional internal
   interrupts, etc.

   For those reasons, if is important for an implementation to
   understand what subscriptions it can or cannot support.  It is far
   preferrable to decline a subscription request, than to accept it only
   to result in subsequent failure later.

   Whether or not a subscription can be supported will in general be
   determined by a combination of several factors, including the
   subscription policy (on-change or periodic, with on-change in general
   being the more challenging of the two), the period in which to report
   changes (1 second periods will consume more resources than 1 hour
   periods), the amount of data in the subtree that is being subscribed
   to, and the number and combination of other subscriptions that are
   concurrently being serviced.

   When providing access control to every node in a pushed update, it is
   possible to make and update efficient access control filters for an
   update.  These filters can be set upon subscription and applied
   against a stream of updates.  These filters need only be updated when
   (a) there is a new node added/removed from the subscribed tree with

Clemm, et al.            Expires January 7, 2016               [Page 21]

Internet-Draft               Datastore-Push                    July 2015

   different permissions than its parent, or (b) read access permissions
   have been changed on nodes under the target node for the subscriber.

4.  YANG module

   file "ietf-datastore-push@2015-07-06.yang"

   module ietf-datastore-push {
     namespace "urn:ietf:params:xml:ns:yang:ietf-datastore-push";
     prefix datastore-push;

     import ietf-yang-types {
       prefix yang;

     organization "IETF";
       "WG Web:   <>
        WG List:  <>

        WG Chair: Juergen Schoenwaelder

        WG Chair: Kent Watsen

        WG Chair: Tom Nadeau

        Editor:   Alexander Clemm

        Editor:   Alberto Gonzalez Prieto

        Editor:   Eric Voit
       "This module contains conceptual YANG specifications
        for datastore push.";

     revision 2015-07-06 {
         "Initial revision.";
       reference "Datastore push.";

Clemm, et al.            Expires January 7, 2016               [Page 22]

Internet-Draft               Datastore-Push                    July 2015

     feature custom-streams {
         "This feature allows users to configure datastore update
          streams in addition to the stream provided by default,

     identity subscription-stream-status {
         "Base identity for the status of subscriptions and

     identity active {
       base subscription-stream-status;
         "Status is active and healthy.";

     identity inactive {
       base subscription-stream-status;
         "Status is inactive, for example outside the
          interval between start time and stop time.";

     identity in-error {
       base subscription-stream-status;
         "The status is in error or degraded, meaning that
          stream and/or subscription are currently unable to provide
          the negotiated updates.";

     identity subscription-errors {
         "Base identity for subscription errors.";

     identity internal-error {
       base subscription-errors;
         "Subscription failures caused by server internal error.";

     identity no-resources {
       base subscription-errors;

Clemm, et al.            Expires January 7, 2016               [Page 23]

Internet-Draft               Datastore-Push                    July 2015

         "Lack of resources, e.g. CPU, memory, bandwidth";

     identity other {
       base subscription-errors;
         "Fallback reason - any other reason";

     identity encodings {
         "Base identity to represent data encodings";

     identity encode-xml {
       base encodings;
         "Encode data using XML";

     identity encode-json {
       base encodings;
         "Encode data using JSON";

     typedef datastore-contents {
       type string;
         "This type is be used to represent datastore contents,
          including a filtered datastore subtree per a set of
          subscription parameters. ";

     typedef subtree-filter {
       type string;
         "This type is used to define a subtree filter.
          Its precise syntax is TBD.";

     typedef subscription-identifier {
       type string {
         length "1 .. max";
         "A client-provided identifier for the subscription.";

Clemm, et al.            Expires January 7, 2016               [Page 24]

Internet-Draft               Datastore-Push                    July 2015

     typedef subscription-term-reason {
       type identityref {
         base subscription-errors;
         "Reason for a server to terminate a subscription.";

     typedef subscription-susp-reason {
       type identityref {
         base subscription-errors;
         "Reason for a server to suspend a subscription.";

     typedef encoding {
       type identityref {
         base encodings;
         "Specifies a data encoding, e.g. for a data subscription.";

     typedef change-type {
       type enumeration {
         enum "create" {
             "A new data node was created";
         enum "delete" {
             "A data node was deleted";
         enum "modify" {
             "The value of a data node has changed";
         "Specifies different types of changes that may occur
          to a datastore.";

     grouping subscription-stream-policy {
         "This grouping contains the parameters which describe
          the policy which data is pushed as part of a

Clemm, et al.            Expires January 7, 2016               [Page 25]

Internet-Draft               Datastore-Push                    July 2015

          subscription or a data stream.";
       leaf subtree-filter {
         type subtree-filter;
           "Datastore subtree of interest.";
       leaf xpath-filter {
         type yang:xpath1.0;
           "Xpath defining the data items of interest.";
       choice update-trigger {
           "Defines necessary conditions for sending an event  to
            the subscriber.";
         case periodic {
             "The agent is requested to notify periodically the
              current values of the datastore or the subset
              defined by the filter.";
           leaf period {
             type yang:timeticks;
               "Elapsed time between notifications.";
         case on-change {
             "The agent is requested to notify changes in
              values in the datastore or a subset of it defined
              by a filter.";
           leaf dampening-period {
             type yang:timeticks;
             mandatory true;
               "Minimum amount of time that needs to have
                passed since the last time an update was
           leaf-list excluded-change {
             type change-type;
               "Use to restrict which changes trigger an update.
                For example, if modify is excluded, only creation and
                deletion of objects is reported.";
           choice change-policy {

Clemm, et al.            Expires January 7, 2016               [Page 26]

Internet-Draft               Datastore-Push                    July 2015

               "Policy describing necessary conditions for
                sending an event to the subscriber.";
             case delta-policy {
               leaf delta {
                 type uint32;
                   "For modified values of an integer-typed object,
                    minimum difference between current and last
                    report values that can trigger an update.";

     grouping subscription-info {
         "This grouping describes basic information concerning a
          subscription, without the subscription policy which is
          defined separately to be shareable with the definition
          of a datastream.";
       leaf stream {
         type string;
           "The name of the stream subscribed to.";
       leaf encoding {
         type encoding;
         default encode-xml;
           "The type of encoding for the subscribed data.
            Default is XML";
       leaf start-time {
         type yang:date-and-time;
           "Starting time for replays.";
         reference "RFC 5277, Section 2.1.1";
       leaf stop-time {
         type yang:date-and-time;
           "Time limit for events of interest.";
         reference "RFC 5277, Section 2.1.1";

Clemm, et al.            Expires January 7, 2016               [Page 27]

Internet-Draft               Datastore-Push                    July 2015

     notification push-update {
         "This notification contains an update from a datastore";
       leaf subscription-id {
         type subscription-identifier;
         mandatory true;
           "This references the subscription because of which the
            notification is sent.";
       leaf datastore-contents {
         type datastore-contents;
           "This contains datastore contents
            per the subscription.";
     notification subscription-suspended {
         "This notification indicates that a suspension of the
          subscription by the server has occurred.  No further
          datastore updates will be sent until subscription
       leaf subscription-id {
         type subscription-identifier;
         mandatory true;
           "This references the affected subscription.";
       leaf reason {
         type subscription-susp-reason;
           "Provides a reason for why the subscription was
     notification subscription-resumed {
         "This notification indicates that a subscription that had
          previously been suspended has resumed. Datastore updates
          will once again be sent.";
       leaf subscription-id {
         type subscription-identifier;
         mandatory true;
           "This references the affected subscription.";

Clemm, et al.            Expires January 7, 2016               [Page 28]

Internet-Draft               Datastore-Push                    July 2015

     notification subscription-modified {
         "This notification indicates that a subscription has
          been modified.  Datastore updates sent from this point
          on will conform to the modified terms of the
       leaf subscription-id {
         type subscription-identifier;
         mandatory true;
           "This references the affected subscription.";
       uses subscription-info;
       uses subscription-stream-policy;
     notification subscription-terminated {
         "This notification indicates that a subscription has been
       leaf subscription-id {
         type subscription-identifier;
         mandatory true;
           "This references the affected subscription.";
       leaf reason {
         type subscription-term-reason;
           "Provides a reason for why the subscription was
     container streams {
       if-feature custom-streams;
         "This container contains management data for custom streams
          that are configured by a user.";
       list stream {
         key "stream-name";
           "A user-definable stream.";
         leaf stream-name {
           type string;
           mandatory true;
             "The name assigned to the stream.";
         leaf stream-status {

Clemm, et al.            Expires January 7, 2016               [Page 29]

Internet-Draft               Datastore-Push                    July 2015

           type identityref {
             base subscription-stream-status;
           config false;
             "The current status of the stream";
         uses subscription-stream-policy;
     container subscriptions {
         "Contains the list of currently active subscription,
          used for subscription management and monitoring purposes.
          Note that this concerns subscriptions that are in-effect.
          Configuration and setup of subscriptions occurs via separate
          primitives, e.g. create-subscription, delete-subscription,
          and modify-subscription.";
       list datastore-push-subscription {
         key "subscription-id";
         config false;
           "Content of a yang-push subscription.
            Subscriptions are created using a dedicated RPC, hence
            they do not constitute configuration information.";
         leaf subscription-id {
           type subscription-identifier;
             "Identifier to use for this subscription.";
         leaf subscription-status {
           type identityref {
             base subscription-stream-status;
             "The status of the subscription.";
         uses subscription-info;
         uses subscription-stream-policy;


Clemm, et al.            Expires January 7, 2016               [Page 30]

Internet-Draft               Datastore-Push                    July 2015

5.  Security Considerations

   Subscriptions could be used to attempt to overload servers of YANG
   datastores.  For this reason, it is important that the server has the
   ability to decline a subscription request if it would deplete its
   resources.  In addition, a server needs to be able to suspend an
   existing subscription when needed.  When this occur, the subscription
   status is updated accordingly and the clients are notified.
   Likewise, requests for subscriptions need to be properly authorized.

   A subscription could be used to retrieve data in subtrees that a
   client has not authorized access to.  Therefore it is important that
   data pushed based on subscriptions is authorized in the same way that
   regular data retrieval operations are.  Data being pushed to a client
   needs therefore to be filtered accordingly, just like if the data
   were being retrieved on-demand.  The Netconf Authorization Control
   Model applies.

6.  References

6.1.  Normative References

   [RFC1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
              "Simple Network Management Protocol (SNMP)", STD 15, RFC
              1157, May 1990.

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event
              Notifications", RFC 5277, July 2008.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)", RFC
              6241, June 2011.

   [RFC6470]  Bierman, A., "Network Configuration Protocol (NETCONF)
              Base Notifications", RFC 5277, February 2012.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536, March

Clemm, et al.            Expires January 7, 2016               [Page 31]

Internet-Draft               Datastore-Push                    July 2015

6.2.  Informative References

              Clemm, A., Medved, J., and E. Voit, "Mounting YANG-defined
              information from remote datastores", draft-clemm-netmod-
              mount-03 (work in progress), April 2015.

              Voit, E., Clemm, A., and A. Gonzalez Prieto, "Requirements
              for Subscription to YANG Datastores", draft-ietf-i2rs-pub-
              sub-requirements-00 (work in progress), March 2015.

              Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", I-D draft-ietf-netconf-restconf-06, June 2015.

              Lhotka, L., "JSON Encoding of Data Modeled with YANG",
              draft-ietf-netmod-yang-json-04 (work in progress), June

              Voit, E., Clemm, A., and S. Mertens, "Requirements for
              Peer Mounting of YANG subtrees from Remote Datastores",
              draft-voit-netmod-peer-mount-requirements-02 (work in
              progress), March 2015.

Authors' Addresses

   Alexander Clemm
   Cisco Systems


   Alberto Gonzalez Prieto
   Cisco Systems


   Eric Voit
   Cisco Systems


Clemm, et al.            Expires January 7, 2016               [Page 32]