YANG Datastore Telemetry (YANG Push Lite)

YANG Datastore Telemetry (YANG Push Lite) Cisco Systems

rwilton@cisco.com

Deuetsche Telekom

Holger.Keller@telekom.de

Huawei

benoit.claise@huawei.com

Juniper

Ebben Aries exa@juniper.net

Nokia

james.cumming@nokia.com

Swisscom

Thomas.Graf@swisscom.com

Operations and Management Network Configuration YANG Push Observability Network Telemetry Operational Data YANG Push Lite is a YANG datastore telemetry solution, as an alternative specification to the Subscribed Notifications and YANG Push solution, specifically optimized for the efficient observability of operational data. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Network Configuration Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Document Status RFC Editor: If present, please remove this section before publication. Based on the feedback received during the IETF 121 NETCONF session, this document has currently been written as a self-contained lightweight protocol and document replacement for and , defining a separate configuration data model. The comparison between YANG Push and YANG Push Lite is now in . Open issues are either now being tracked inline in the text or in for the higher level issues.

Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. All YANG tree diagrams used in this document follow the notation defined in .

Introduction describes an architecture for how YANG datastore telemetry, e.g., , can be integrated effectively with message brokers, e.g., , that forms part of a wider architecture for a Network Anomaly Detection Framework, specified in . This document specifies "YANG Push Lite", an lightweight alternative to Subscribed Notifications and YANG Push . YANG Push Lite is a separate YANG datastore telemetry solution, which can be implemented independently or, if desired, alongside and . At a high level, YANG Push Lite is designed to solve a similar set of requirements as YANG Push, and it reuses a significant subset of the ideas and base solution from YANG Push. YANG Push Lite defines a separate data model to allow concurrent implementation of both protocols and to facilitate more significant changes in behavior, but many of the data nodes are taken from YANG Push and have the same, or very similar definitions. The following sections give the background for the solution, and highlight the key ways that this specification differs from the specifications that it is derived from.

Background and Motivation for YANG Push Lite A push based telemetry solution, as described both in this document and also the YANG Push solution described by and , is beneficial because it allows operational data to be exported by publishers more immediately and efficiently compared to legacy poll based mechanisms, such as SNMP . Some further background information on the general motivations for push based telemetry, which equally apply here, can be found in the Motivation (section 1.1) of and the Introduction (section 1) of . The remainder of this section is focused on the reasons why a new lightweight version of YANG Push has been specified, and what problems is aims to solve. Early implementation efforts of the architecture hit issues with using either of the two common YANG datastore telemetry solutions that have been specified, i.e., or YANG Push . gNMI is specified by the OpenConfig Industry Consortium. It is more widely implemented, but operators report that some inter-operability issues between device implementations cause problems. Many of the OpenConfig protocols and data models are also expected to evolve more rapidly than IETF protocols and models - that are expected to have a more gradual pace of evolution once an RFC has been published. YANG Push was standardized by the IETF in 2019, but market adoption has been rather slow. During 2023/2024, when vendors started implementing, or considering implementing, YANG Push, it was seen that some design choices for how particular features have been specified in the solution make it expensive and difficult to write performant implementations, particularly when considering the complexities and distributed nature of operational data. In addition, some design choices of how the data is encoded (e.g., YANG Patch ) make more sense when considering changes in configuration data but less sense when the goal is to export a subset of the operational data off the device in an efficient fashion for both devices (publishers) and clients (receivers). Hence, during 2024, the vendors and operators working towards YANG telemetry solutions agreed to a plan to implement a subset of and , including common agreements of features that are not needed and would not be implemented, and deviations from the standards for some aspects of encoding YANG data. In addition, the implementation efforts identified the minimal subset of functionality needed to support the initial telemetry use cases, and areas of potential improvement and optimization to the overall YANG Push telemetry solution (which has been written up as a set of small internet drafts that augment or extend the base YANG Push solution). Out of this work, consensus was building to specify a cut down version of Subscribed Notifications and YANG Push that is both more focussed on the operational telemetry use case, and is also easier to implement, by relaxing some of the constraints on consistency on the device, and removing, or simplifying some of the operational features. This has resulted in this specification, YANG Push Lite. The implementation efforts also gave arise to potential improvements to the protocol and encoding of notification messages.

Complexities in Modelling the Operational State Datastore The YANG abstraction of a single datastore of related consistent data works very well for configuration that has a strong requirement to be self consistent, and that is always updated, and validated, in a transactional way. But for producers of telemetry data, the YANG abstraction of a single operational datastore is not really possible for devices managing a non-trivial quantity of operational data. Some systems may store their operational data in a single logical database, yet it is less likely that the operational data can always be updated in a transactional way, and often for memory efficiency reasons such a database does not store individual leaves, but instead semi-consistent records of data at a container or list entry level. For other systems, the operational information may be distributed across multiple internal nodes (e.g., linecards), and potentially many different process daemons within those distributed nodes. Such systems generally do not, and cannot, exhibit full consistency of the operational data (which would require transactional semantics across all daemons and internal nodes), only offering an eventually consistent view of the data instead. In practice, many network devices will manage their operational data as a combination of some data being stored in a central operational datastore, and other, higher scale, and potentially more frequently changing data (e.g., statistics or FIB information) being stored elsewhere in a more memory efficient and performant way.

Complexities for Consumers of YANG Push Data For the consumer of the telemetry data, there is a requirement to associate a schema with the instance-data that will be provided by a subscription. One approach is to fetch and build the entire schema for the device, e.g., by fetching YANG library, and then use the subscription XPath to select the relevant subtree of the schema that applies only to the subscription. The problem with this approach is that if the schema ever changes, e.g., after a software update, then it is reasonably likely of some changes occurring with the global device schema even if there are no changes to the schema subtree under the subscription path. Hence, it would be helpful to identify and version the schema associated with a particular subscription path, and also to encoded the instance data relatively to the subscription path rather than as an absolute path from the root of the operational datastore. TODO More needs to be added here, e.g., encoding, on-change considerations. Splitting subscriptions up. This document proposes a new opt-in YANG-Push encoding format to use instead of the "push-update" and "push-change-update" notifications defined in .

To allow the device to split a subscription into smaller child subscriptions for more efficient independent and concurrent processing. I.e., reusing the ideas from . However, all child subscriptions are still encoded from the same subscription point.

Combined periodic and on-change subscription Sometimes it is helpful to have a single subscription that covers both periodic and on-change notifications. There are two ways in which this may be useful:

For generally slow changing data (e.g., a device's physical inventory), then on-change notifications may be most appropriate. However, in case there is any lost notification that isn't always detected, for any reason, then it may also be helpful to have a slow cadence periodic backup notification of the data (e.g., once every 24 hours), to ensure that the management systems should always eventually converge on the current state in the network.
For data that is generally polled on a periodic basis (e.g., once every 10 minutes) and put into a time series database, then it may be helpful for some data trees to also get more immediate notifications that the data has changed. Hence, a combined periodic and on-change subscription, would facilitate more frequent notifications of changes of the state, to reduce the need of having to always wait for the next periodic event.

Hence, this document introduces the fairly intuitive "periodic-and-on-change" update trigger that creates a combined periodic and on-change subscription, and allows the same parameters to be configured. For some use cases, e.g., where a time-series database is being updated, the new encoding format proposed previously may be most useful.

Relationships to existing RFCs and Internet Drafts This document, specifying YANG Push Lite, is intended to be a lightweight alternative for and , but that also incorporates various extensions since those RFCs were written. Often substantial parts of those documents and models have been incorporated almost verbatim, but modified to fit the YANG Push Lite functionality and module structure. Hence, the authors of this draft would like to sincerely thank and acknowledge the very significant effort put into those RFCs and drafts by authors, contributors and reviewers. In particular, We would like to thank the listed authors of these documents: Eric Voit, Alex Clemm, Alberto Gonzalez Prieto, Einar Nilsen-Nygaard, Ambika Prasad Tripathy, Balazs Lengyel, Alexander Clemm, Benoit Claise, Qin Wu, Qiufang Ma, Alex Huang Feng, Thomas Graf, Pierre Francois. ** Note, an alternative approach, but not proposed at this time, could be to create bis versions of various documents to also cover YANG Push Lite, e.g., , and perhaps .**

RFC 8639 and RFC 8641 This document is primarily intended to be a lightweight alternative for and , but it intentionally reuses substantial parts of the design and data model of those RFCs. YANG Push Lite is defined using a separate module namespace, and hence can be implemented independently or, if desired, alongside and , and the various extensions to YANG Push. A more complete description of the main differences in YANG Push Lite compares to and is given in {#DifferencesFromYangPush}.

and RFC 5277 All of the notifications defined in this specification, i.e., both the datastore update message and subscription lifecycle update notifications () depend on and use the notification envelope format defined in . As such, this specification does not make use of the notification format defined in . Of course, devices may also use notifications for other YANG notifications, e.g., for the "NETCONF" event stream defined in .

RFC 9196 and This document uses the capabilities concepts defined in . In particular, it augments into the ietf-system-capabilities YANG module, but defines an equivalent alternative capability structure for the ietf-notification-capabilities YANG module, which defines the capabilities for YANG Push . The generic transport capabilities defined in have been incorporated into the ietf-yp-lite YANG module, to augment YANG Push Lite transport capabilities and to use the different identities.

and The ietf-yp-lite YANG module has subsumed and extended the receivers data model defined in the ietf-subscribed-notif-receivers YANG module defined in . The overall YANG Push Lite solution anticipates and requires new bis versions of both of these transports documents that augment into the receivers/receiver/transport-type choice statement, and also augment the transport identity defined in the ietf-yp-lite data model.

TODO. It is likely that some of the base support for distributed notifications will be incorporated into this draft. If so, add acknowledgements to the authors.

YANG Push Lite Overview This document specifies a lightweight telemetry solution that provides a subscription service for updates to the state and changes in state from a chosen datastore. Subscriptions specify when notification messages (also referred to as updates) should be sent, what data to include in the update records, and where those notifications should be sent. A YANG Push lite subscription comprises:

a target datastore for the subscription, where the monitored subscription data is logically sourced from.
a set of selection filters to choose which datastore nodes from the target datstore the subscription is monitoring or sampling, as described in .
a choice of how update event notifications for the datastore's data nodes are triggered. I.e., either periodic sampling of the current state, on-change event-driven, or both. These are described in TODO, add reference.
a chosen encoding of the messages, e.g., JSON, or CBOR.
a set of one or more receivers for which datastore updates and subscription notifications are sent, as described in ;
- for configured subscriptions, the receivers parameters are configured, and specify transport, receiver, and encoding parameters.
- for dynamic subscriptions, the receiver uses the same transport session on which the dynamic subscription has been created.

If a subscription is valid and acceptable to the publisher, and if a suitable connection can be made to one or more receivers associated with a subscription, then the publisher will enact the subscription, periodically sampling or monitoring changes to the chosen datastore's data nodes that match the selection filter. Push updates are subsequently sent by the publisher to the receivers, as per the terms of the subscription. Subscriptions may be set up in two ways: either through configuration - or YANG RPCs to create and manage dynamic subscriptions. These two mechanisms are described in . Changes to the state of subscription are notified to receivers as subscription lifecycle notifications. These are described in . NACM based access control is used to ensure the receivers only get access to the information for which they are allowed. This is further described in . TODO Do we need to tie YANG Push Lite to NACM? While the functionality defined in this document is transport agnostic, transports like the Network Configuration Protocol (NETCONF) or RESTCONF can be used to configure or dynamically signal subscriptions. In the case of configured subscription, the transport used for carrying the subscription notifications is entirely independent from the protocol used to configure the subscription, and other transports, e.g., defines a simple UDP based transport for Push notifications. Transport considerations are described in . TODO the reference to draft-ietf-netconf-udp-notif isn't right, it wouldn't be that draft, but a -bis version of it. James is querying whether we need this at all TODO Introduce capabilities and operational monitoring This document defines a YANG data model, that includes RPCs and notifications, for configuring and managing subscriptions and associated configuration, and to define the format of a update notification message. The YANG model is defined in and associated tree view in . The YANG data model defined in this document conforms to the Network Management Datastore Architecture defined in .

Definitions This document reuses the terminology defined in , , , and . TODO, if this document progresses, we should check which of this terminology we actually use/re-use, and what new terminology should be introduced in this document. And also an action to check that it is used consistently. The following terms are taken from :

Datastore: A conceptual place to store and access information. A datastore might be implemented, for example, using files, a database, flash memory locations, or combinations thereof. A datastore maps to an instantiated YANG data tree.
Client: An entity that can access YANG-defined data on a server, over some network management protocol.
Configuration: Data that is required to get a device from its initial default state into a desired operational state. This data is modeled in YANG using "config true" nodes. Configuration can originate from different sources.
Configuration datastore: A datastore holding configuration.

The following terms are taken from :

Configured subscription: A subscription installed via configuration into a configuration datastore.
Dynamic subscription: A subscription created dynamically by a subscriber via a Remote Procedure Call (RPC).
Event: An occurrence of something that may be of interest. Examples include a configuration change, a fault, a change in status, crossing a threshold, or an external input to the system.
Event occurrence time: A timestamp matching the time an originating process identified as when an event happened.
Event record: A set of information detailing an event.
Event stream: A continuous, chronologically ordered set of events aggregated under some context.
Event stream filter: Evaluation criteria that may be applied against event records in an event stream. Event records pass the filter when specified criteria are met.
Notification message: Information intended for a receiver indicating that one or more events have occurred.
Publisher: An entity responsible for streaming notification messages per the terms of a subscription.
Receiver: A target to which a publisher pushes subscribed event records. For dynamic subscriptions, the receiver and subscriber are the same entity.
Subscriber: A client able to request and negotiate a contract for the generation and push of event records from a publisher. For dynamic subscriptions, the receiver and subscriber are the same entity.

The following terms are taken from :

Datastore node: A node in the instantiated YANG data tree associated with a datastore. In this document, datastore nodes are often also simply referred to as "objects".
Datastore node update: A data item containing the current value of a datastore node at the time the datastore node update was created, as well as the path to the datastore node.
Datastore subscription: A subscription to a stream of datastore node updates.
Datastore subtree: A datastore node and all its descendant datastore nodes.
On-change subscription: A datastore subscription with updates that are triggered when changes in subscribed datastore nodes are detected.
Periodic subscription: A datastore subscription with updates that are triggered periodically according to some time interval.
Selection filter: Evaluation and/or selection criteria that may be applied against a targeted set of objects.
Update record: A representation of one or more datastore node updates. In addition, an update record may contain which type of update led to the datastore node update (e.g., whether the datastore node was added, changed, or deleted). Also included in the update record may be other metadata, such as a subscription ID of the subscription for which the update record was generated. In this document, update records are often also simply referred to as "updates".
Update trigger: A mechanism that determines when an update record needs to be generated.
YANG-Push: The subscription and push mechanism for datastore updates that is specified in .

This document introduces the following terms:

Subscription: A registration with a publisher, stipulating the information that one or more receivers wish to have pushed from the publisher without the need for further solicitation.
Subscription Identifier: A numerical identifier for a configured or dynamic subscription. Also referred to as the subscription-id.
YANG-Push-Lite: The light weight subscription and push mechanism for datastore updates that is specified in this document.

All YANG tree diagrams used in this document follow the notation defined in .

Subscription paths and selection filters A key part of a subscription is to select which data nodes should be monitored, and so a subscription must specify both the selection filters and the datastore against which these selection filters will be applied. This information is used to choose, and subsequently push, update notifications from the publisher's datastore(s) to the subscription's receiver(s). Filters can either be defined inline within a configured subscription (), a dynamic subscription's establish-subscription RPC (), or as part of the datastore-telemetry/filters container () which can then be referenced from a configured or dynamic subscription. The following selection filter types are included in the YANG Push Lite data model and may be applied against a datastore:

YPaths: A list of basic YANG path selection filters that defines a path to a subtree of data nodes in the data tree, with some simple constraints on keys. See .
subtree: A subtree selection filter identifies one or more datastore subtrees. When specified, update records will only include the datastore nodes of selected datastore subtree(s). The syntax and semantics correspond to those specified in , Section 6.
XPaths: A list of XPath selection filter is a full XPath expression that returns a node set. (XPath is a query language for selecting nodes in an XML document; see for details.) When specified, updates will only come from the selected datastore nodes that match the XPath expression.

These filters are used as selectors that define which data nodes fall within the scope of a subscription. A publisher MUST support basic path filters, and MAY also support subtree or xpath filters. XPath itself provides powerful filtering constructs, and care must be used in filter definition. Consider an XPath filter that only passes a datastore node when an interface is up. It is up to the receiver to understand the implications of the presence or absence of objects in each update. For both path and xpath based filters, each filter may define a list of paths/xpaths. Each of these filter paths is processed by the publisher independently, and if two or more filter paths end up selecting overlapping data nodes then the publisher MAY notify duplicate values for those data nodes, but the encoded data that is returned MUST always be syntactically valid, i.e., as per section 5.3 of .

YPath definition A YPath represents a simple path into a YANG schema tree, where some of the list key values may be constrained. It is encoded in the similar format to the YANG JSON encoding for instance-identifier, section 6.11 of , except with more flexibility on the keys, in that keys may be left-out or be bound to a regular expression filter. The rules for constructing a YPath are:

A YPath is a sequence of data tree path segment separated by a '/' character. If the path starts with a '/' then it is absolute path from the root of the schema, otherwise it is a relative path, where the context of the relative path must be declared.
Constraints on key values may be specified within a single pair of '[' ']' brackets, where:
- keys may be given in any order, and may be omitted, in which case they match any value. Key matches are separated by a comma (,) with optional space character either side.
- key match is given by <key>=<value>, with optional space characters either side of the equals (=), and value is specified as:
  - '<value>', for an exact match of the key's value. Single quote characters (') must be escaped with a backslash (\).
  - r'<reg-expr>', for a regex match of the key value using , and where the regular-expression is a full match of the string, i.e, it implicit anchors to the start and end of the value.

Some examples of YPaths:

/ietf-interfaces:interfaces/interface[name='eth0']/ietf-ip:ipv6/ip - which identifies is 'ipv6/ip' data node in the ietf-ip module for the 'eth0' interface.
/ietf-interfaces:interfaces/interface[name=r'eth.*']/ietf-ip:ipv6/ip - which identifies all interfaces with a name that start with "eth".
/example:multi-keys-list[first-key='foo', second-key=r'bar.*'] - which identifies all entries in the 'multi-keys-list, where the first-key matches foo, and the second-key starts with bar.
/ietf-interfaces:interfaces/interface - which identifies the interface list data node in the ietf-interfaces module for all interfaces. I.e., the interface list 'name' key is unrestricted.
/ietf-interfaces:interfaces/interface[] - alternative form of the previous YPath.

The "filters" Container The "filters" container maintains a list of all datastore subhttps://rgwilton.github.io/draft-yp-observability/draft-wilton-netconf-yp-observability.html scription filters that persist outside the lifecycle of a single subscription. This enables predefined filters that may be referenced by more than one configured or dynamic subscription. Below is a tree diagram for the "filters" container. All objects contained in this tree are described in the YANG module in .

{ypl:subtree}? +--:(xpaths) +--rw xpaths* yang:xpath1.0 {ypl:xpath}? ]]>

Decomposing Subscription Filters In order to address the issues described in , YANG Push Lite allows for publishers to send subtrees of data nodes in separate update notifications, rather than requiring that the subscription data be returned as a single datastore update covering all data nodes matched by the subscription filter. This better facilitates publishers that internally group some of their operational data fields together into larger structures for efficiency (referred to as an object), and avoids the publishers or receivers having to consume potentially very large notification messages. For example, each entry in the /ietf-interfaces:interface/interface list could be represents as an object of data internally within the publisher. In essence, a client specified subscription filter can be decomposed by a publisher into more specific, non-overlapping, filters, that are then used to return the data. In particular:

A Publisher MAY decompose a client specified subscription filter path into a set of non-overlapping subscription filter paths that collectively cover the same data. The publisher is allowed to return data for each of these decomposed subscription filter paths in separate update messages, and with separate, perhaps more precise, timestamps.
A Publisher MAY split large lists into multiple separate update messages, each with separate timestamps. E.g., if a device has 10,000 entries in a list, it may return them in a single response, or it may split them into multiple smaller messages, perhaps for 500 interfaces at a time. TODO We need a mechanism so that the client knows all list entries have been returned, and hence it can delete stale entries? E.g., something like a more_data flag.
A Publisher is allowed to generate on-change notifications at an object level, which hence may contain other associated fields that may not have changed state, rather than restricting the on-change notifications strictly to only those specific fields that have changed state. E.g., if a subscribers registers on the path /ietf-interfaces:interfaces/interface[name = *]/oper-status, and if interface eth1 had a change in the oper-status leaf state, then rather than just publishing the updated oper-status leaf, the publisher may instead publish all the data associated with that interface entry object, i.e., everything under /ietf-interfaces:interface/interface[name = eth1]. TODO Does it have to be the entire subtree that is published? Do we need to add a capability annotation to indicate the object publication paths?

To ensure that clients can reasonably process data returned via decomposed filters then:

update notifications MUST indicate the precise subtree of data that the update message is updating or replacing, i.e., so a receiver can infer that data nodes no longer being notified by the publisher have been deleted:
- if we support splitting list entries in multiple updates, then something like a more_data flag is needed to indicate that the given update message is not complete.

TODO We should consider adding a update-complete message (potentially including an incrementing collection counter) to indicate when a periodic update has completed for a subscription.

Datastore Event Streams In YANG Push Lite, a subscription, based on the selected filters, will generate a ordered stream of datastore update records that is referred to as an event stream. Each subscription logically has a different event stream of update records, even if multiple subscriptions use the same filters to select datastore nodes. As YANG-defined event records are created by a system, they may be assigned to one or more streams. The event record is distributed to a subscription's receiver(s) where (1) a subscription includes the identified stream and (2) subscription filtering does not exclude the event record from that receiver. Access control permissions may be used to silently exclude event records from an event stream for which the receiver has no read access. See , Section 3.4.6 for an example of how this might be accomplished. Note that per Section 2.7 of this document, subscription state change notifications are never filtered out. TODO, filtering and NACM filtering should be dependent on whether it is a configured or dynamic subscription. If subscriber permissions change during the lifecycle of a subscription and event stream access is no longer permitted, then the subscription MUST be terminated. TODO, check this Event records SHALL be sent to a receiver in the order in which they were generated. I.e., the publisher MUST not reorder the events when enqueuing notifications on the transport session, but there is no guarantee of delivery order.

Notification Envelope All notifications in the event stream MUST be encoded using to wrap the notification message, and MUST include the event-time, hostname, and sequence-number leaves in all messages. The following example illustrates a fully encoded update notification that includes the notification envelope and additional meta-data fields. The update notification, i.e., as defined via the notification statement in the yang-push-lite YANG module, is carried in the contents anydata data node.

Example of update notification including notification envelope

Event Records A single update record is used for all datastore notifications. It is used to report the current state of a set of data nodes at a given target path for either periodic, on-change, or resync notifications, and also for on-change notifications to indicate that the data node at the given target path has been deleted. The schema for this notifications is given in the following tree diagram:

'update' notification +--ro incomplete? empty ]]> The normative definitions for the notifications fields are given in the YANG module in . The fields can be informatively summarized as:

id - identifies the subscription the notification relates to.
path-prefix - identifies the absolute instance-data path to which all target-paths are data are encoded relative to.
snapshot-type - this indicates what type of event causes the update message to be sent. I.e., a periodic collection, an on-change event, or a resync collection.
observation-time - the time that the data was sampled, or when the on-change event occurred that caused the message to be published.
target-path - identifies the data node that is being acted on, either providing the replacement data for, or that data node that is being deleted.
data - the full replacement data subtree for the content at the target-path, encoded from the path-prefix.
incomplete - indicates that the message is incomplete for any reason. For example, perhaps a periodic subscription expects to retrieve data from multiple data sources, but one of those data sources is unavailable. Normally, a receiver can use the absence of a field in an update message to implicitly indicate that the field has been deleted, but that should not be inferred if the incomplete-update leaf is present because not all changes that have occurred since the last update are actually included with this update.

As per the structure of the update notification, a single notification MAY provide updates for multiple target-paths.

Types of subscription event monitoring Subscription can either be based on sampling the requested data on a periodic cadence or being notified when the requested data changes. In addition, this specification allows for subscriptions that both notify on-change and also with a periodic cadence, which can help ensure that the system eventually converges on the right state, even if on-change notification were somehow lost or mis-processed anywhere in the data processing pipeline. The schema for the update-trigger container is given in the following tree diagram:

'update-trigger' container TODO Minor - is providing the structure from root helpful, or should this just report the update-trigger container. The normative definitions for the update-trigger fields are given in the ietf-yp-lite YANG module in . They are also described in the following sections.

Periodic events In a periodic subscription, the data included as part of an update record corresponds to data that could have been read using a retrieval operation. Only the state that exists in the system at the time that it is being read is reported, periodic updates never explicitly indicate whether any data-nodes or list entries have been deleted. Instead, receivers must infer deletions by the absence of data during a particular collection event. For periodic subscriptions, triggered updates will occur at the boundaries of a specified time interval. These boundaries can be calculated from the periodic parameters:

a period that defines the duration between push updates.
an anchor-time; update intervals fall on the points in time that are a multiple of a period from an anchor-time. If an anchor-time is not provided, then the publisher chooses a suitable anchor-time, e.g., perhaps the time that the subscription was first instantiated by the publisher.

The anchor time and period are particularly useful, in fact required, for when the collected telemetry data is being stored in a time-series database and the subscription is setup to ensure that each collection is placed in a separate time-interval bucket. Periodic update notifications are expected, but not required, to use a single target-path per update notification.

On-Change events In an on-change subscription, update records indicate updated values or when a monitored data node or list node has been deleted. An update record is sent whenever a change in the subscribed information is detected. update records SHOULD be generated at the same subtree as equivalent periodic subscription rather than only the specific data node that is on-change notifiable. The goal is to ensure that the update message contains a consistent set of data on the subscription path. Each entry in the updates list identifies a data node (i.e., list entry, container, leaf or leaf-list), via the target-path that either has changes is state or has been deleted. A delete of a specific individual data node or subtree may be notified in two different ways:

if the data that is being deleted is below the target-path then the delete is implicit by the publisher returning the current data node subtree with the delete data nodes missing. I.e., the receiver must implicitly infer deletion.
if the data node is being deleted at the target path. E.g., if an interface is deleted then an entire list entry related to that interface may be removed. In this case, the target path identifies the list entry that is being deleted, but the data returned is just an empty object {}, which replaces all the existing data for that object in the receiver. TODO, is this better an a delete flag?

On-change subscriptions also support the following additional parameters:

sync-on-start defines whether or not a complete snapshot of all subscribed data is sent at the start of a subscription. Such early synchronization establishes the frame of reference for subsequent updates.

On-Change Notifiable Datastore Nodes Publishers are not required to support on-change notifications for all data nodes, and they may not be able to generate on-change updates for some data nodes. Possible reasons for this include:

the value of the datastore node changes frequently (e.g., the in-octets counter as defined in ),
small object changes that are frequent and meaningless (e.g., a temperature gauge changing 0.1 degrees),
or no implementation is available to generate a notification when the source variable for a particular data node has changed.

In addition, publishers are not required to notify every change or value for an on-change monitored data node. Instead, publishers MAY limit the rate at which changes are reported for a given data node, i.e., effectively deciding the interval at which an underlying value is sampled. If a data node changes value and then reverts back to the original value within a sample interval then the publisher MAY not detect the change and it would go unreported. However, if the data node changes to a new value after it has been sampled, then the change and latest state are reported to the receiver. In addition, if a client was to query the value (e.g., through a NETCONF get-data RPC) then they MUST see the same observed value as would be notified. To give an example, if the interface link state reported by hardware is changing state hundreds of times per second, then it would be entirely reasonable to limit those interface state changes to a much lower cadence, e.g., perhaps every 100 milliseconds. In the particular case of interfaces, there may also be data model specific forms of more advanced dampening that are more appropriate, e.g., that notify interface down events immediately, but rate limit how quickly the interface is allowed to transition to up state, which overall acts as a limit on the rate at which the interface state may change, and hence also act as a limit on the rate at which on-change notifications could be generated. The information about what nodes support on-change notifications is reported using capabilities operational data model. This is further described in .

On-Change Considerations On-change subscriptions allow receivers to receive updates whenever changes to targeted objects occur. As such, on-change subscriptions are particularly effective for data that changes infrequently but for which applications need to be quickly notified, with minimal delay, whenever a change does occur. On-change subscriptions tend to be more difficult to implement than periodic subscriptions. Accordingly, on-change subscriptions may not be supported by all implementations or for every object. Whether or not to accept or reject on-change subscription requests when the scope of the subscription contains objects for which on-change is not supported is up to the publisher implementation. A publisher MAY accept an on-change subscription even when the scope of the subscription contains objects for which on-change is not supported. In that case, updates are sent only for those objects within the scope of the subscription that do support on-change updates, whereas other objects are excluded from update records, even if their values change. In order for a subscriber to determine whether objects support on-change subscriptions, objects are marked accordingly on a publisher. Accordingly, when subscribing, it is the responsibility of the subscriber to ensure that it is aware of which objects support on-change and which do not. For more on how objects are so marked, see Section 3.10. TODO Is this paragraph and the one below still the right choice for YANG Push Lite? Alternatively, a publisher MAY decide to simply reject an on-change subscription if the scope of the subscription contains objects for which on-change is not supported. In the case of a configured subscription, the publisher MAY suspend the subscription.

Combined periodic and on-change subscriptions A single subscription may created to generate notifications both when changes occur and on a periodic cadence. Such subscriptions are equivalent to having separate periodic and on-change subscriptions on the same path, except that they share the same subscription-id and filter paths.

Streaming Update Examples TODO, Generate new JSON based example of a periodic, and delete messages. Current placeholders are the existing YANG Push Notifications. Figure XXX provides an example of a notification message for a subscription tracking the operational status of a single Ethernet interface (per ). This notification message is encoded XML W3C.REC-xml-20081126 over the Network Configuration Protocol (NETCONF) as per .

Example 'update' periodic notification 2017-10-25T08:00:11.22Z 1011

eth0

]]> Figure XXX provides an example of an on-change notification message for the same subscription.

Example 'update' on-change notification 2017-10-25T08:22:33.44Z 89

edit1

replace /ietf-interfaces:interfaces eth0

down

]]>

Receivers, Transports, and Encodings

Receivers Every subscription is associated with one or more receivers, which each identify the destination host where all the subscription notifications are sent. Each receiver has the following associated properties:

a name to identify and reference the receiver in configured subscriptions.
a transport, which identifies the transport protocol to use to connect with all subscription receivers.
- Optional transport-specific related parameters, e.g., DSCP. There are likely to be various data nodes related to establishing appropriate security and encryption.
an encoding to encode all YANG notification messages to the receiver, i.e., see .
optional parameters to identify where traffic should egress the publisher:
- a source-interface, which identifies the egress interface to use from the publisher.
- a source-address address, which identifies the IP address to stamp on notification messages destined for the receiver.
- a source-vrf, which identifies the Virtual Routing and Forwarding (VRF) instance on which to reach receivers. This VRF is a network instance as defined in . Publisher support for VRFs is optional and advertised using the supports-vrf feature. TODO - do we also support inferring the VRF from the source interface?

“If none of the above parameters are set, the publisher MAY decide which interface(s) to source notifications from.

Receivers for Configured Subscriptions For configured subscriptions, receivers are configured independently from the subscriptions and then referenced from the subscription. Configured subscriptions MAY have multiple receivers, but they MUST have the same encoding. Multiple receivers facilitate redundancy at the receivers. Below is a tree diagram for datastore-telemetry/receivers container. All objects contained in this tree are described in the YANG module in .

datastore-telemetry/receivers container Because there is no explicit association with an existing transport session, configuration operations include additional parameters beyond those of dynamic subscriptions. These parameters identify each receiver, how to connect with that receiver, and possibly whether the notification messages need to come from a specific egress interface on the publisher. Receiver-specific transport connectivity parameters MUST be configured via transport-specific augmentations to this specification. See Section 2.5.7 for details. This specification is transport independent. However, supporting a configured subscription will normally require the establishment of transport connectivity. Some parameters used for this transport connectivity establishment are transport specific. As a result, the YANG module defined in is not able to directly define and expose these transport parameters. It is necessary for an implementation to support the connection establishment process. To support this function, the YANG data model defined in this document includes a YANG choice node where transport-specific parameters for a particular receiver may be augmented. This node is /datastore-telemetry/receivers/receiver/transport-type. A publisher supporting configured subscriptions must obviously support at least one YANG data model that augments transport connectivity parameters on /datastore-telemetry/receivers/receiver/transport-type. For an example of such an augmentation, see TODO, fix this to a UDP bis document

Receivers for Dynamic Subscriptions For dynamic subscriptions, each subscription has a single receiver that is implicit from the host that initiated the establish-subscription RPC, reusing the same transport session for all the subscription notifications. Hence most receiver parameters for a dynamic subscription are implicitly determined, and cannot be explicitly controlled. Dynamic subscriptions MUST specify an encoding (see ) and MAY specify DSCP Marking (see ) for the telemetry notifications in the establish-subscription RPC (see ).

Transports This document describes a transport-agnostic mechanism for subscribing to YANG datastore telemetry. Hence, separate specifications are required to define transports that support YANG Push Lite. The requirements for these transport specifications are documented in the following section:

Requirements for Yang Push Lite Transport Specifications This section provides requirements for any transport specifications supporting the YANG Push Lite solution presented in this document. The transport specification MUST provide a YANG module (to be implemented by publishers) that augments the datastore-telemetry/receivers/transport-type choice statement with a container that both identifies the transport and contains all transport specific parameters. Using a secure transport is RECOMMENDED. Thus, any transport specification MUST provide a mechanism to ensure secure communication between the publisher and receiver in a hostile environment, e.g., through the use of transport layer encryption. Transport specification MAY also specify a mechanism for unencrypted communications, which can be used when transport layer security is not required, e.g., if the transport session is being secured via another mechanism, or when operating within a controlled environment or test lab. Any transport specification SHOULD support mutual receiver and publisher authentication at the transport layer. The transport selected by the subscriber to reach the publisher SHOULD be able to support multiple "establish-subscription" requests made in the same transport session. Any transport specification SHOULD ensure that the receiver application can be notified of the subscription-started lifecycle notification before any associated update messages. A specification for a transport built upon this document can choose whether to use the same logical channel for the RPCs and the event records. However, the update records and the subscription state change notifications MUST be sent on the same transport session. Any transport specification SHOULD provide an extensible mechanism to indicate which encodings are supported, e.g., via an IANA registry or protocol negotiation. Supported encodings for a given transport are advertised via the ietf-yp-lite-capabilities YANG Model . Additional transport requirements may be dictated by the choice of transport used with a subscription.

DSCP Marking YANG Push Lite supports dscp marking to differentiate prioritization of notification messages during network transit. A receiver with a dscp leaf results in a corresponding Differentiated Services Code Point (DSCP) marking } being placed in the IP header of any resulting update notification messages and subscription state change notifications. A publisher MUST respect the DSCP markings for subscription traffic egressing that publisher. Different DSCP code points require different transport connections. As a result, where TCP is used, a publisher that supports the "dscp" feature must ensure that a subscription's notification messages are returned in a single TCP transport session where all traffic shares the subscription's "dscp" leaf value. If this cannot be guaranteed, any "establish-subscription" RPC request SHOULD be rejected with a "dscp-unavailable" error. TODO - Is this text still relevant?

Encodings The update notification() and subscription lifecycle notifications () can be encoded in any format that has a definition for encoding YANG data. For a given subscription, all notification messages are encoded using the same encoding. Some IETF standards for YANG encodings known at the time of publication are:

JSON, defined in
CBOR, defined in , and for using compressed schema identifiers (YANG SIDs)
XML, defined in

To maximize interoperability, all implementations are RECOMMENDED to support both JSON and CBOR encodings. Constrained platforms may not be able to support JSON and hence may choose to only support CBOR encoding. JSON encoding may not be supported in the scenario that another encoding becomes the defacto standard (e.g., as JSON has largely replaced XML as the defacto choice for text based encoding). Support for the XML encoding and/or CBOR encoding using YANG SIDs is OPTIONAL. Encodings are defined in the ietf-yp-lite.yang as YANG identities that derive from the encoding base identity. Additional encodings can be defined by defining and implementing new identities that derive from the encoding base identity, and also advertising those identities as part of the ietf-yp-lite-capabilities YANG module's transport capabilities . For configured subscriptions, the encoding is configured as part of the receiver configuration (). For dynamic subscriptions, the encoding is selected as part of the establish-subscription RPC (). TODO For dynamic subscriptions, Yang Push will infer the encoding from incoming RPC if not provided. Do we want to preserve the existing behavior or just be explicit and enforce that an encoding must always be specified?

Setting up and Managing Subscriptions Subscriptions can be set up and managed in two ways:

Configured Subscriptions - a subscription created and controlled solely by configuration.
Dynamic Subscriptions - a subscription created and controlled via a YANG RPC from a telemetry receiver.

Conformant implementations MUST implement at least one of the two mechanisms above for establishing and maintaining subscriptions. Both configured and dynamic subscriptions are represented in the list datastore-telemetry/subscriptions/subscription, and most of the functionality and behavior of configured and dynamic subscriptions described in this document is specified to be the same or very similar. However, they differ in how they are created and in the associated lifecycle management, described in the following sections: Additional characteristics differentiating configured from dynamic subscriptions include the following:

The lifetime of a dynamic subscription is bound by the transport session used to establish it. For connection-oriented stateful transports like NETCONF, the loss of the transport session will result in the immediate termination of any associated dynamic subscriptions. For connectionless or stateless transports like HTTP, a lack of receipt acknowledgment of a sequential set of notification messages and/or keep-alives can be used to trigger a termination of a dynamic subscription. Contrast this to the lifetime of a configured subscription. This lifetime is driven by relevant configuration being present in the publisher's applied configuration. Being tied to configuration operations implies that (1) configured subscriptions can be configured to persist across reboots and (2) a configured subscription can persist even when its publisher is fully disconnected from any network. TODO, the configured subscription doesn't really persist, since it is torn down and re-created. This explanation needs to be improved.
Configured subscriptions can be modified by any configuration client with write permission on the configuration of the subscription. Dynamic subscriptions can only be modified via an RPC request made by the original subscriber or by a change to configuration data referenced by the subscription.

Note that there is no mixing and matching of dynamic and configured operations on a single subscription. Specifically, a configured subscription cannot be modified or deleted using RPCs defined in this document. Similarly, a dynamic subscription cannot be directly modified or deleted by configuration operations. It is, however, possible to perform a configuration operation that indirectly impacts a dynamic subscription. By changing the value of a preconfigured filter referenced by an existing dynamic subscription, the selected event records passed to a receiver might change. A publisher MAY terminate a dynamic subscription at any time. Similarly, it MAY decide to temporarily suspend the sending of notification messages for any dynamic subscription, or for one or more receivers of a configured subscription. Such termination or suspension is driven by internal considerations of the publisher. **TODO, do we want to add text that if a subscription is ever changes (config or dynamic (e.g., referenced filter)) then the subscription MUST be terminated and restarted.

Configured Subscriptions Configured subscriptions allow the management of subscriptions via configuration so that a publisher can send notification messages to a receiver. Support for configured subscriptions is OPTIONAL, with its availability advertised via the configured YANG feature in the ietf-yp-lite YANG module . A configured subscription comprises:

the target datastore for the subscription, as per .
a set of selection filters to choose which datastore nodes the subscription is monitoring or sampling, as described in
configuration for how update notifications for the data nodes are triggered. I.e., either periodic sampling, on-change event-driven, or both. (TODO add section reference)
a set of associated receivers (as described in ) that specify transport, receiver, and encoding parameters.

Configured subscriptions have several characteristics distinguishing them from dynamic subscriptions:

persistence across publisher reboots,
a reference to receiver, is explicitly configured rather than being implicitly associated with the transport session, as would be the case for a dynamic subscription.
an ability to send notification messages to more than one receiver. All receivers for a given subscription must use the same encoding and type of transport (TODO What about DSCP settings?). Note that receivers are unaware of the existence of any other receivers.
persistence even when transport or receiver is unavailable. In this scenario, the publishers will terminate a subscription that it cannot keep active, but it will periodically attempt to restablish connection to the receiver and re-activate the configured subscription.

Multiple configured subscriptions MUST be supportable over a single transport session. TODO, James is suggesting that this should be MAY, either way, I think that this should move to be under the transport considerations section of the document. Below is a tree diagram for the "subscriptions" container. All objects contained in this tree are described in the YANG module in . In the operational datastore , the "subscription" list contains entries both for configured and dynamic subscriptions.

subscriptions container Tree Diagram {ypl:subtree}? | +--:(xpaths) | +--rw xpaths* yang:xpath1.0 {ypl:xpath}? +--rw update-trigger | +--rw periodic! | | +--rw period centiseconds | | +--rw anchor-time? yang:date-and-time | +--rw on-change! {on-change}? | +--rw sync-on-start? boolean +--rw purpose? string {configured}? +--ro status? subscription-status +--rw receivers* [name] | +--rw name | | -> /datastore-telemetry/receivers/receiver/name | +--ro encoding? encoding | +--ro status? receiver-status | +--ro statistics | +--ro sent-event-records? | | yang:zero-based-counter64 | +--ro excluded-event-records? | yang:zero-based-counter64 +---x reset {configured}? ]]>

Configured Subscription State Machine Below is the state machine for a configured subscription on the publisher. This state machine describes the three states (valid, invalid, and concluded) as well as the transitions between these states. Start and end states are depicted to reflect configured subscription creation and deletion events. The creation or modification of a configured subscription, referenced filter or receiver initiates an evaluation by the publisher to determine if the subscription is in the valid state or the invalid state. The publisher uses its own criteria in making this determination. If in the valid state, the subscription becomes operational. See (1) in the diagram below. **TODO - Add a new 'Active state' to the subscription state machine. I.e., a subscription is active as long as it has at least one valid receiver (in some cases this would mean that negotiation with the receiver is complete, for others, such as simple UDP, is just requires configuration to be valid.) Publishers SHOULD NOT send update messages for a subscription that is not active. I.e., a publisher SHOULD NOT send update messages before a subscription-started notification or after a subscription-terminated notification. Similarly, receivers SHOULD ignore any update messages received for a subscription that is not active.

Publisher's State Machine for a Configured Subscription |invalid|-delete->: end : | '-------' :.....: |-[re-evaluate]--no--(2)-. ^ ^ | ^ | | | yes | '->unsupportable delete | modify (subscription- (subscription- | | terminated*) terminated*) | | | | (1) | (3) (4) | .---------------------------------------------------. '-->| valid | '---------------------------------------------------' Legend: Dotted boxes: subscription added or removed via configuration Dashed boxes: states for a subscription [evaluate]: decision point on whether the subscription is supportable (*): resulting subscription state change notification ]]> A subscription in the valid state may move to the invalid state in one of two ways. First, it may be modified in a way that fails a re-evaluation. See (2) in the diagram. Second, the publisher might determine that the subscription is no longer supportable. This could be because of an unexpected but sustained increase in an event stream's event records, degraded CPU capacity, a more complex referenced filter, or other subscriptions that have usurped resources. See (3) in the diagram. No matter the case, a subscription-terminated notification is sent to any receivers in the active or state. Finally, a subscription may be deleted by configuration (4). When a subscription is in the valid state, a publisher will attempt to connect with all receivers of a configured subscription and deliver notification messages. Below is the state machine for each receiver of a configured subscription. This receiver state machine is fully contained in the state machine of the configured subscription and is only relevant when the configured subscription is in the valid state.

Receiver State Machine for a Configured Subscription on a Publisher | receiver | | | |connecting|<----------------reset--(c)|disconnected| | | | |<-transport '------------' | | '----------' loss,reset | | (a) | | | subscription- (b) | | started* .--------. | | '----->| | | | |receiver| | | | active | | | | | | | '--------' | '-----------------------------------------------------------' Legend: Dashed boxes that include the word *receiver* show the possible states for an individual receiver of a valid configured subscription. * indicates a subscription state change notification ]]> When a configured subscription first moves to the valid state, the state leaf of each receiver is initialized to the connecting state. If transport connectivity is not available to any receivers and there are any notification messages to deliver, a transport session is established (e.g., per ). Individual receivers are moved to the active state when a subscription-started subscription state change notification is successfully passed to that receiver (a). Event records are only sent to active receivers. Receivers of a configured subscription remain active on the publisher if both (1) transport connectivity to the receiver is active and (2) event records are not being dropped due to a publisher's sending capacity being reached. In addition, a configured subscription's receiver MUST be moved to the "connecting" state if the receiver is reset via the "reset" action (b), (c). For more on the "reset" action, see Section 2.5.5. If transport connectivity cannot be achieved while in the "connecting" state, the receiver MAY be moved to the "disconnected" state. A configured subscription's receiver MUST be moved to the "suspended" state if there is transport connectivity between the publisher and receiver but (1) delivery of notification messages is failing due to a publisher's buffer capacity being reached or (2) notification messages cannot be generated for that receiver due to insufficient CPU (d). This is indicated to the receiver by the "subscription-suspended" subscription state change notification. A configured subscription's receiver MUST be returned to the "active" state from the "suspended" state when notification messages can be generated, bandwidth is sufficient to handle the notification messages, and a receiver has successfully been sent a "subscription-resumed" or "subscription-modified" subscription state change notification (e). The choice as to which of these two subscription state change notifications is sent is determined by whether the subscription was modified during the period of suspension. Modification of a configured subscription is possible at any time. A "subscription-modified" subscription state change notification will be sent to all active receivers, immediately followed by notification messages conforming to the new parameters. Suspended receivers will also be informed of the modification. However, this notification will await the end of the suspension for that receiver (e).

Creating a Configured Subscription Configured subscriptions are created using configuration operations against the top-level subscriptions subtree. After a subscription is successfully established, the publisher immediately sends a "subscription-started" subscription state change notification to each receiver. It is quite possible that upon configuration, reboot, or even steady-state operations, a transport session may not be currently available to the receiver. In this case, when there is something to transport for an active subscription, transport-specific "call home" operations will be used to establish the connection. When transport connectivity is available, notification messages may then be pushed. With active configured subscriptions, it is allowable to buffer event records even after a subscription-started has been sent. However, if events are lost (rather than just delayed) due to buffer capacity being reached, a subscription-terminated notification must be sent, followed by a new subscription-started" notification. These notifications indicate an event record discontinuity has occurred. TODO, to see an example of subscription creation using configuration operations over NETCONF, see Appendix A.

Modifying a Configured Subscription Configured subscriptions may end up being modified due to configuration changes in the datastore-telemetry container. If the modification involves adding receivers, then those receivers are placed in the connecting state. If a receiver is removed, the subscription state change notification subscription-terminated is sent to that receiver if that receiver is active or suspended. TODO Do we want a common here about tearing down a subscription, or is having it in the common section sufficient?

Deleting a Configured Subscription Configured subscriptions can be deleted via configuration. After a subscription has been removed from configuration, the publisher MAY complete their current collection if one is in progress, then the publisher sends subscription-terminated notification to all of the subscription's receivers to indicate that the subscription is no longer active. TODO, do we need a comment about closing the transport session if there are no more subscription to that receiver? Possibly the Transports section of the document should have a section that describes the lifecycle of a transport session (or will that end up differing between configured and dyanmic subscriptions?)

Resetting a Configured Subscription It is possible that a configured subscription needs to be reset, e.g., if the receiver wasn't ready to start processing the subscription notifications. This can be accomplished via invoking one of the two YANG reset actions in the ietf-yp-lite YANG module:

the reset action at /datastore-telemetry/subscriptions/subscription/reset resets a single subscription, or
the reset action at /datastore-telemetry/receivers/receiver/reset resets all subscriptions that reference that receiver.

These actions may be useful in cases if a receiver or collector determines that a configured subscription is not behaving correctly, and wishes to force a reset of the subscription without modifying the subscription configuration. Although the reset action acts at the subscription application level, the publisher MAY reset any transport session(s) associated with the subscription or attempt to reconnect to the receiver if a transport session could not connect. Publishers SHOULD NOT reset the transport session if the transport session is shared with other subscriptions.

Dynamic Subscriptions Dynamic subscriptions, where a subscriber initiates a subscription negotiation with a publisher via an RPC. If the publisher is able to serve this request, it accepts it and then starts pushing notification messages back to the subscriber. If the publisher is not able to serve it as requested, then an error response is returned. Support for dynamic subscriptions is OPTIONAL, with its availability advertised via the dynamic YANG feature in the ietf-yp-lite YANG module . Dynamic subscriptions are managed via protocol operations (in the form of RPCs, per , Section 7.14) made against targets located in the publisher.

Dynamic Subscription State Machine Below is the publisher's state machine for a dynamic subscription. Each state is shown in its own box. It is important to note that such a subscription doesn't exist at the publisher until an establish-subscription RPC is accepted. The mere request by a subscriber to establish a subscription is not sufficient for that subscription to be externally visible. Start and end states are depicted to reflect subscription creation and deletion events.

Publisher's State Machine for a Dynamic Subscription Of interest in this state machine are the following:

Successful "establish-subscription" RPCs move the subscription to the "active" state.
A "delete-subscription" or "kill-subscription" RPC will end the subscription.
A publisher may choose to end a subscription when there is not sufficient CPU or bandwidth available to service the subscription. This is announced to the subscriber via the subscription-terminated subscription state change notification. The receiver will need to establish a new subscription.

Establishing a Dynamic Subscription The "establish-subscription" RPC allows a subscriber to request the creation of a subscription. The input parameters of the operation are: o An event stream filter, which may reduce the set of event records pushed. If the publisher can satisfy the "establish-subscription" request, it replies with an identifier for the subscription and then immediately starts streaming notification messages. Below is a tree diagram for "establish-subscription". All objects contained in this tree are described in the YANG module in .

establish-subscription YANG RPC {ypl:subtree}? | | | +--:(xpaths) | | | +---w xpaths* yang:xpath1.0 {ypl:xpath}? | | +---w update-trigger | | | +---w periodic! | | | | +---w period centiseconds | | | | +---w anchor-time? yang:date-and-time | | | +---w on-change! {on-change}? | | | +---w sync-on-start? boolean | | +---w encoding encoding | | +---w dscp? inet:dscp | +--ro output | +--ro id subscription-id ]]> A publisher MAY reject the "establish-subscription" RPC for many reasons, as described in Section 2.4.6. Below is a tree diagram for "establish-subscription-stream-error-info" RPC yang-data. All objects contained in this tree are described in the YANG module in Section 4.

"establish-subscription-stream-error-info" Tree Diagram

Negotiation of Subscription Policies A dynamic subscription request SHOULD be declined if a publisher determines that it may be unable to provide update records meeting the terms of an "establish-subscription" RPC request.

Deleting a Dynamic Subscription The delete-subscription operation permits canceling an existing dynamic subscription that was established on the same transport session connecting to the subscriber. If the publisher accepts the request, which it MUST, if the subscription-id matches a dynamic subscription established in the same transport session, then it should stop the subscription and send a subscription-terminated notification. The publisher MAY reply back to the client before the subscription has been terminated, i.e., it may act asynchronously with respect to the request. The publisher SHOULD NOT send any further events related to the subscription after the subscription-terminated notification and TODO, I think that we should relax this to a SHOULD, but also this should be common with configured subscriptions, so perhaps not in this section. If the publisher accepts the request and the publisher has indicated success, the publisher SHOULD NOT send any more notification messages for this subscription.

Killing a Dynamic Subscription The "kill-subscription" RPC operation permits a client to forcibly end any arbitrary dynamic subscription, identified by subscription-id, including those not associated with the transport session used for the RPC. Note, configured subscriptions cannot be killed using this RPC, and requests to do MUST be rejected.

RPC Failures Whenever an RPC is unsuccessful, the publisher returns relevant information as part of the RPC error response. Transport-level error processing MUST be done before the RPC error processing described in this section. In all cases, RPC error information returned by the publisher will use existing transport-layer RPC structures, such as those seen with NETCONF (Appendix A of ) or RESTCONF (Section 7.1 of ). These structures MUST be able to encode subscription-specific errors identified below and defined in this document's YANG data model. As a result of this variety, how subscription errors are encoded in an RPC error response is transport dependent. Valid errors that can occur for each RPC are as follows: To see a NETCONF-based example of an error response from the list above, see the "no-such-subscription" error response illustrated in , Figure 10. There is one final set of transport-independent RPC error elements included in the YANG data model defined in this document: three yang-data structures that enable the publisher to provide to the receiver any error information that does not fit into existing transport-layer RPC structures. These structures are:

"establish-subscription-stream-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "establish-subscription" RPC response. This MUST be sent if hints on how to overcome the RPC error are included.
"modify-subscription-stream-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "modify-subscription" RPC response. This MUST be sent if hints on how to overcome the RPC error are included.
"delete-subscription-error-info": This MUST be returned with the leaf "reason" populated if an RPC error reason has not been placed elsewhere in the transport portion of a failed "delete-subscription" or "kill-subscription" RPC response.

Implementation Considerations (from RFC 8639) TODO, we should rework this to strings for subscription names instead To support deployments that include both configured and dynamic subscriptions, it is recommended that the subscription "id" domain be split into static and dynamic halves. This will eliminate the possibility of collisions if the configured subscriptions attempt to set a "subscription-id" that might have already been dynamically allocated. A best practice is to use the lower half of the "id" object's integer space when that "id" is assigned by an external entity (such as with a configured subscription). This leaves the upper half of the subscription integer space available to be dynamically assigned by the publisher. If a subscription is unable to marshal a series of filtered event records into transmittable notification messages, the receiver should be terminated with the reason "XXX TBD (Was unsupportable volume)". For configured subscriptions, operations are performed against the set of receivers using the subscription "id" as a handle for that set. But for streaming updates, subscription state change notifications are local to a receiver. In the case of this specification, receivers do not get any information from the publisher about the existence of other receivers. But if a network operator wants to let the receivers correlate results, it is useful to use the subscription "id" across the receivers to allow that correlation. Note that due to the possibility of different access control permissions per receiver, each receiver may actually get a different set of event records.

Event Record Delivery Whether dynamic or configured, once a subscription has been set up, the publisher streams event records via notification messages per the terms of the subscription. For dynamic subscriptions, notification messages are sent over the session used to establish the subscription. For configured subscriptions, notification messages are sent over the connections specified by the transport and each receiver of a configured subscription. A notification message is sent to a receiver when an event record is not blocked by either the specified filter criteria or receiver permissions. This notification message MUST include an <eventTime> object, as shown in , Section 4. This <eventTime> MUST be at the top level of a YANG structured event record. The following example of XML W3C.REC-xml-20081126, adapted from Section 4.2.10 of , illustrates a compliant message: 2007-09-01T10:00:00Z

so-1/2/3.0

down

Figure 10: Subscribed Notification Message ]]> , Section 2.2.1 states that a notification message is to be sent to a subscriber that initiated a <create-subscription>. With this document, this statement from should be more broadly interpreted to mean that notification messages can also be sent to a subscriber that initiated an "establish-subscription" or to a configured receiver that has been sent a "subscription-started". When a dynamic subscription has been started with "establish-subscription", respectively, event records matching the newly applied filter criteria MUST NOT be sent until after the RPC reply has been sent. TODO, do we want to keep this? When a configured subscription has been started or modified, event records matching the newly applied filter criteria MUST NOT be sent until after the "subscription-started" notification has been sent.

Subscription Lifecycle Notifications In addition to sending event records to receivers, a publisher also sends subscription lifecycle state change notifications when lifecycle events related to subscription management occur. Subscription state change notifications are generated per subscription, and are injected into the steam of update messages for that that subscription. These notifications MUST NOT be dropped or filtered. Future extensions, or implementations MAY augment additional fields into the notification structures. Receivers MUST silently ignore unexpected fields. The complete set of subscription state change notifications is described in the following subsections:

"subscription-started" The subscription started notification is sent to a receiver to indicate that a subscription is active and they may start to receive update records from the publisher. The subscription started notification may be sent for any of these reasons:

A new subscription has been configured.
A receiver has been added to a configured subscription.
The configuration for a configured subscription has been changed, in which case a subscription-terminated notification should be sent, followed by a subscription-started notification if the new configuration is valid.
A configured subscription previously failed, and was terminated. After the publisher has successfully re-established a connection to the receiver and is starting to send datastore event records again.
A dynamic subscription has been established.

Below is the tree diagram for the subscription-started notification. All data nodes contained in this tree diagram are described in the YANG module in .

subscription-started Notification Tree Diagram {ypl:subtree}? | | +--:(xpaths) | | +--ro xpaths* yang:xpath1.0 {ypl:xpath}? | +--ro update-trigger | +--ro periodic! | | +--ro period centiseconds | | +--ro anchor-time? yang:date-and-time | +--ro on-change! {on-change}? | +--ro sync-on-start? boolean ]]> TODO, Should the subscription-started notification report decomposed subscription paths?

"subscription-terminated" For a receiver, this notification indicates that no further event records for an active subscription should be expected from the publisher unless and until a new subscription-started notification is received. A subscription-terminated notification SHOULD only be sent by a publisher to a receiver if a subscription-started notification was previously sent. The subscription terminated notification may be sent to a receiver for any of these reasons:

A receiver has been removed from a configured subscription.
A configured subscription has been removed.
The configuration for a configured subscription has been changed, in which case a subscription-terminated notification should be sent, followed by a subscription-started notification if the new configuration is valid.
A dynamic subscription was deleted via a "delete-subscription* or kill-subscription RPC.
A subscription has failed for any reason, e.g.,:
- The publisher is no longer able to honor the subscription, due to resource constraints, or the filter is no longer valid.
- Any transport level buffer to the receiver has become full, and the hence the publisher is dropping update notifications.

Below is a tree diagram for "subscription-terminated". All objects contained in this tree are described in the YANG module in .

subscription-terminated Notification Tree Diagram TODO Augmenting extra fields is better for clients? The reason datanode identifyref indicates why a subcription has been terminated, and could be extended with further reasons in future.

"replay-completed" TODO: Need to consider how this works when notifications are split up. Possibly need to replace this with an opt-in message for a per collection complete message. I.e., a notification that would be sent whenever every periodic collection is complete. This notification indicates that all of the event records prior to the current time have been passed to a receiver. It is sent before any notification messages containing an event record with a timestamp later than (1) the subscription's start time. After the "replay-completed" notification has been sent, additional event records will be sent in sequence as they arise naturally on the publisher. Below is a tree diagram for "replay-completed". All objects contained in this tree are described in the YANG module in Section 4.

replay-completed Notification Tree Diagram

Performance, Reliability, and Subscription Monitoring TODO. Needs updating. Not sure if this text doesn't end up elsewhere? A subscription to updates from a datastore is intended to obviate the need for polling. However, in order to do so, it is critical that subscribers can rely on the subscription and have confidence that they will indeed receive the subscribed updates without having to worry about updates being silently dropped. In other words, a subscription constitutes a promise on the side of the publisher to provide the receivers with updates per the terms of the subscription, or otherwise notify the receiver if t Now, there are many reasons why a publisher may at some point no longer be able to fulfill the terms of the subscription, even if the subscription had been initiated in good faith. For example, the volume of datastore nodes may be larger than anticipated, the interval may prove too short to send full updates in rapid succession, or an internal problem may prevent objects from being collected. For this reason, the solution defined in this document (1) mandates that a publisher notify receivers immediately and reliably whenever it encounters a situation in which it is unable to keep the terms of the subscription and (2) provides the publisher with the option to suspend the subscription in such a case. This includes indicating the fact that an update is incomplete as part of a "push-update" or "push-change-update" notification, as well as emitting a "subscription-suspended" notification as applicable. This is described further in Section 3.11.1. A publisher SHOULD reject a request for a subscription if it is unlikely that the publisher will be able to fulfill the terms of that subscription request. In such cases, it is preferable to have a subscriber request a less resource-intensive subscription than to deal with frequently degraded behavior. The solution builds on . As defined therein, any loss of an underlying transport connection will be detected and result in subscription termination (in the case of dynamic subscriptions) or suspension (in the case of configured subscriptions), ensuring that situations where the loss of update notifications would go unnoticed will not occur.

Subscription Monitoring In the operational state datastore, the datastore-telemetry container maintains operational state for all configured and dynamic subscriptions. Dynamic subscriptions are only present in the datastore-telemetry/subscriptions/subscription list when they are active, and are removed as soon as they are terminated. Whereas configured subscriptions are present if the list if they are configured, regardless of whether they are active. TODO, should dynamic receivers be listed? Do we need to report per-receiver stats for dynamic subscriptions? The operational state is important for monitoring the health of subscriptions, receivers, and the overall telemetry subsystem. This includes: TODO, update the YANG model with more useful operational data, and mostly this section should briefly summarize and refer to the YANG model. We should also consider what indications to include from filters that cause a larger amount of internal work but don't generate a large number of transmitted notifications.

per subscription status and counters
per receiver status and counters
maybe some indication of the overall load on the telemetry subsystem, but we need to consider how useful that actually is, and whether just monitoring the device CPU load and general performance would be a better indication.

Robustness and Reliability It is important that updates as discussed in this document, and on-change updates in particular, do not get lost. If the loss of an update is unavoidable, it is critical that the receiver be notified accordingly. Update records for a single subscription MUST NOT be resequenced prior to transport. It is conceivable that, under certain circumstances, a publisher will recognize that it is unable to include in an update record the full set of objects desired per the terms of a subscription. In this case, the publisher MUST act as follows:

The publisher MUST set the "incomplete-update" flag on any update record that is known to be missing information.
The publisher MAY choose to suspend the subscription as per . If the publisher does not create an update record at all, it MUST suspend the subscription.
When resuming an on-change subscription, the publisher SHOULD generate a complete patch from the previous update record. If this is not possible and the "sync-on-start" option is set to "true" for the subscription, then the full datastore contents MAY be sent via a "push-update" instead (effectively replacing the previous contents). If neither scenario above is possible, then an "incomplete-update" flag MUST be included on the next "push-change-update".

Note: It is perfectly acceptable to have a series of "push-change- update" notifications (and even "push-update" notifications) serially queued at the transport layer awaiting transmission. It is not required for the publisher to merge pending update records sent at the same time. On the receiver side, what action to take when a record with an "incomplete-update" flag is received depends on the application. It could simply choose to wait and do nothing. It could choose to resync, actively retrieving all subscribed information. It could also choose to tear down the subscription and start a new one, perhaps with a smaller scope that contains fewer objects.

Publisher Capacity It is far preferable to decline a subscription request than to accept such a request when it cannot be met. Whether or not a subscription can be supported will be determined by a combination of several factors, such as the subscription update trigger (on-change or periodic), the period in which to report changes (one-second periods will consume more resources than one-hour periods), the amount of data in the datastore subtree that is being subscribed to, and the number and combination of other subscriptions that are concurrently being serviced.

Conformance and Capabilities The normative text in this document already indicates which parts of the specification must or should be implemented for a compliant YANG Push Lite implementation via the use of language. It also sets out some additional related requirements, e.g., on transports , that add in additional functionality. Some parts of this specification are optional to implement. Some of these optional parts can be identified through the use of YANG Library specifying the list of implemented YANG modules and YANG features. But, the broader approach adopted by this specification is via extending the ietf-system-capabilities YANG module specified in to make capability information available as standard YANG described operational data.

Capabilities Publishers SHOULD implement the ietf-system-capabilities YANG module, defined in , and the ietf-yp-lite-capabilities YANG module, defined in ) that augments ietf-system-capabilities. The ietf-yp-lite-capabilities module contains capabilities to indicate what types of subscriptions and transports may be configured, along with acceptable subscription parameter for given subtrees. The schema tree for the ietf-system-capabilities augmented by ietf-yp-lite-capabilities is given below.

YANG tree for ietf-system-capabilities with ietf-yl-lite-capabilities augmentations. /yanglib:yang-library/datastore/name | +--ro per-node-capabilities* [] | +--ro (node-selection)? | | +--:(node-selector) | | +--ro node-selector? | | nacm:node-instance-identifier | +--ro yplc:datastore-telemetry | +--ro yplc:periodic-notifications-supported? | | notification-support | +--ro (yplc:update-period)? | | +--:(yplc:minimum-update-period) | | | +--ro yplc:minimum-update-period? uint32 | | +--:(yplc:supported-update-period) | | +--ro yplc:supported-update-period* uint32 | +--ro yplc:on-change-supported? | notification-support +--ro yplc:datastore-telemetry +--ro yplc:periodic-notifications-supported? | notification-support +--ro (yplc:update-period)? | +--:(yplc:minimum-update-period) | | +--ro yplc:minimum-update-period? uint32 | +--:(yplc:supported-update-period) | +--ro yplc:supported-update-period* uint32 +--ro yplc:on-change-supported? | notification-support +--ro yplc:transport +--ro yplc:transport-capability* [transport-protocol] +--ro yplc:transport-protocol identityref +--ro yplc:security-protocol? identityref +--ro yplc:encoding-format* identityref ]]> TODO Do we need to add capabilities to indicate:

Which fields are on-change notifiable.
At which level bags exist internally (for performance reasons).
The points at which subscriptions are decomposed to.

Subscription Content Schema Identification YANG Module Synchronization To make subscription requests, the subscriber needs to know the YANG datastore schemas used by the publisher. These schemas are available in the YANG library module ietf-yang-library.yang as defined in . The receiver is expected to know the YANG library information before starting a subscription. The set of modules, revisions, features, and deviations can change at runtime (if supported by the publisher implementation). For this purpose, the YANG library provides a simple "yang-library-change" notification that informs the subscriber that the library has changed. In this case, a subscription may need to be updated to take the updates into account. The receiver may also need to be informed of module changes in order to process updates regarding datastore TODO, this section should be updated so that a subscription is restarted if the schema that it is using changes, and to incorporate ideas to fingerprint the subscription schema in the subscription-started notification.

YANG

ietf-yp-lite YANG tree This section shows the full tree output for ietf-yp-lite YANG module. Note, this output does not include support for any transport configuration, and for any implementation that supports configured subscriptions using this YANG module then at least one transport would expect to be configurable.

YANG tree for YANG Push Lite Module Tree Output {ypl:subtree}? | +--:(xpaths) | +--rw xpaths* yang:xpath1.0 {ypl:xpath}? +--rw subscriptions | +--rw subscription* [id] | +--rw id subscription-id | +--rw target | | +--rw datastore? identityref | | +--rw (filter)? | | +--:(by-reference) | | | +--rw filter-ref filter-ref | | +--:(within-subscription) | | +--rw (filter-spec)? | | +--:(paths) | | | +--rw paths* ypath | | +--:(subtree) | | | +--rw subtree? {ypl:subtree}? | | +--:(xpaths) | | +--rw xpaths* yang:xpath1.0 {ypl:xpath}? | +--rw update-trigger | | +--rw periodic! | | | +--rw period centiseconds | | | +--rw anchor-time? yang:date-and-time | | +--rw on-change! {on-change}? | | +--rw sync-on-start? boolean | +--rw purpose? string {configured}? | +--ro status? subscription-status | +--rw receivers* [name] | | +--rw name | | | -> /datastore-telemetry/receivers/receiver/name | | +--ro encoding? encoding | | +--ro status? receiver-status | | +--ro statistics | | +--ro sent-event-records? | | | yang:zero-based-counter64 | | +--ro excluded-event-records? | | yang:zero-based-counter64 | +---x reset {configured}? +--rw receivers {configured}? +--rw receiver* [name] +--rw name string +--rw encoding? encoding +--rw dscp? inet:dscp +---x reset +--rw (notification-message-origin)? | +--:(interface-originated) | | +--rw source-interface? if:interface-ref | | {interface-designation}? | +--:(address-originated) | +--rw source-vrf? leafref {supports-vrf}? | +--rw source-address? inet:ip-address-no-zone +--rw (transport-type) rpcs: +---x establish-subscription {dynamic}? | +---w input | | +---w target | | | +---w datastore? identityref | | | +---w (filter)? | | | +--:(by-reference) | | | | +---w filter-ref filter-ref | | | +--:(within-subscription) | | | +---w (filter-spec)? | | | +--:(paths) | | | | +---w paths* ypath | | | +--:(subtree) | | | | +---w subtree? {ypl:subtree}? | | | +--:(xpaths) | | | +---w xpaths* yang:xpath1.0 {ypl:xpath}? | | +---w update-trigger | | | +---w periodic! | | | | +---w period centiseconds | | | | +---w anchor-time? yang:date-and-time | | | +---w on-change! {on-change}? | | | +---w sync-on-start? boolean | | +---w encoding encoding | | +---w dscp? inet:dscp | +--ro output | +--ro id subscription-id +---x delete-subscription {dynamic}? | +---w input | +---w id subscription-id +---x kill-subscription {dynamic}? +---w input +---w id subscription-id notifications: +---n replay-completed | +--ro id subscription-id +---n update-complete | +--ro id subscription-id +---n subscription-started | +--ro id subscription-id | +--ro target | | +--ro datastore? identityref | | +--ro (filter)? | | +--:(by-reference) | | | +--ro filter-ref filter-ref | | +--:(within-subscription) | | +--ro (filter-spec)? | | +--:(paths) | | | +--ro paths* ypath | | +--:(subtree) | | | +--ro subtree? {ypl:subtree}? | | +--:(xpaths) | | +--ro xpaths* yang:xpath1.0 {ypl:xpath}? | +--ro update-trigger | +--ro periodic! | | +--ro period centiseconds | | +--ro anchor-time? yang:date-and-time | +--ro on-change! {on-change}? | +--ro sync-on-start? boolean +---n subscription-terminated | +--ro id subscription-id | +--ro reason identityref +---n update +--ro id? subscription-id +--ro path-prefix? string +--ro snapshot-type? enumeration +--ro observation-time? yang:date-and-time +--ro updates* [target-path] | +--ro target-path string | +--ro data? +--ro incomplete? empty ]]>

ietf-yp-lite YANG Model This module imports typedefs from , , , , and . It references , ("XML Path Language (XPath) Version 1.0"), , , , , and . This YANG module imports typedefs from , identities from , and the "sx:structure" extension from . It also references , , and .

YANG module ietf-yp-lite WG List: Author: Robert Wilton "; description "This module contains YANG specifications for YANG-Push lite, a simplified version of the YANG-Push [RFC 8641] protocol. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2025 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; revision 2024-11-11 { description "Initial revision."; reference "XXX: YANG Push Lite"; } /* * FEATURES */ feature configured { description "This feature indicates that configuration of subscriptions is supported."; } feature dynamic { description "This feature indicates that dynamic establishment of subscriptions is supported."; } feature interface-designation { description "This feature indicates that a publisher supports sourcing all receiver interactions for a configured subscription from a single designated egress interface."; } feature on-change { description "This feature indicates that on-change triggered subscriptions are supported."; } feature subtree { description "This feature indicates support for YANG subtree filtering."; reference "RFC 6241: Network Configuration Protocol (NETCONF), Section 6"; } feature supports-vrf { description "This feature indicates that a publisher supports VRF configuration for configured subscriptions. VRF support for dynamic subscriptions does not require this feature."; reference "RFC 8529: YANG Data Model for Network Instances, Section 6"; } feature xpath { description "This feature indicates support for XPath filtering."; reference "XML Path Language (XPath) Version 1.0 (https://www.w3.org/TR/1999/REC-xpath-19991116)"; } /* * IDENTITIES */ /* Identities for RPC and notification errors */ identity delete-subscription-error { description "Base identity for the problem found while attempting to fulfill either a 'delete-subscription' RPC request or a 'kill-subscription' RPC request."; } identity establish-subscription-error { description "Base identity for the problem found while attempting to fulfill an 'establish-subscription' RPC request."; } identity subscription-terminated-reason { description "Base identity for the problem condition communicated to a receiver as part of a 'subscription-terminated' notification."; } identity dscp-unavailable { base establish-subscription-error; description "The publisher is unable to mark notification messages with prioritization information in a way that will be respected during network transit."; } identity encoding-unsupported { base establish-subscription-error; description "Unable to encode notification messages in the desired format."; } identity filter-unavailable { base subscription-terminated-reason; description "Referenced filter does not exist. This means a receiver is referencing a filter that doesn't exist or to which it does not have access permissions."; } identity filter-unsupported { base establish-subscription-error; description "Cannot parse syntax in the filter. This failure can be from a syntax error or a syntax too complex to be processed by the publisher."; } identity insufficient-resources { base establish-subscription-error; description "The publisher does not have sufficient resources to support the requested subscription. An example might be that allocated CPU is too limited to generate the desired set of notification messages."; } identity no-such-subscription { base delete-subscription-error; base subscription-terminated-reason; description "Referenced subscription doesn't exist. This may be as a result of a nonexistent subscription ID, an ID that belongs to another subscriber, or an ID for a configured subscription."; } identity stream-unavailable { base subscription-terminated-reason; description "Not a subscribable event stream. This means the referenced event stream is not available for subscription by the receiver."; } identity suspension-timeout { base subscription-terminated-reason; description "Termination of a previously suspended subscription. The publisher has eliminated the subscription, as it exceeded a time limit for suspension."; } identity unsupportable-volume { base subscription-terminated-reason; description "The publisher does not have the network bandwidth needed to get the volume of generated information intended for a receiver."; } /* Identities for encodings */ identity configurable-encoding { description "If a transport identity derives from this identity, it means that it supports configurable encodings. An example of a configurable encoding might be a new identity such as 'encode-cbor'. Such an identity could use 'configurable-encoding' as its base. This would allow a dynamic subscription encoded in JSON (RFC 8259) to request that notification messages be encoded via the Concise Binary Object Representation (CBOR) (RFC 7049). Further details for any specific configurable encoding would be explored in a transport document based on this specification. TODO - Clear up this text or use YANG-CBOR reference"; reference "RFC 8259: The JavaScript Object Notation (JSON) Data Interchange Format RFC 7049: Concise Binary Object Representation (CBOR)"; } identity encoding { description "Base identity to represent data encodings."; } identity json { base encoding; description "Encode data using JSON as described in RFC 7951."; reference "RFC 7951: JSON Encoding of Data Modeled with YANG"; } identity xml { base encoding; description "Encode data using XML as described in RFC 7950."; reference "RFC 7950: The YANG 1.1 Data Modeling Language"; } identity cbor { base encoding; description "Encode data using CBOR as described in RFC 9245, without using YANG SIDs"; reference "RFC 9245: Encoding of Data Modeled with YANG in the Concise Binary Object Representation (CBOR)."; } identity cbor-sids { base encoding; description "Encode data using JSON as described in RFC 7951, using YANG SIDs."; reference "RFC 9245: Encoding of Data Modeled with YANG in the Concise Binary Object Representation (CBOR). RFC 9595: YANG Schema Item iDentifier (YANG SID)."; } /* Identities for transports */ identity transport { description "An identity that represents the underlying mechanism for passing notification messages."; } /* * TYPEDEFs */ typedef ypath { type string { length "1..max"; } description "A type for YANG instance data paths."; } typedef encoding { type identityref { base encoding; } description "Specifies a data encoding, e.g., for a data subscription."; } typedef subscription-id { type uint32; description "A type for subscription identifiers."; } typedef transport { type identityref { base transport; } description "Specifies the transport used to send notification messages to a receiver."; } // TODO - Consider changes to list keys or reordering of // user-ordered lists. typedef filter-ref { type leafref { path "/datastore-telemetry/filters/filter/name"; } description "This type is used to reference a selection filter."; } typedef centiseconds { type uint32; description "A period of time, measured in units of 0.01 seconds."; } typedef subscription-type { type enumeration { enum configured { description "A subscription that is created and managed via configuration."; } enum dynamic { description "A subscription that is created and managed via RPC primitives."; } } description "Indicate the type of subscription."; } typedef subscription-status { type enumeration { enum invalid { description "The subscription as a whole is unsupportable with its current parameters."; } enum inactive { description "The subscription is supportable with its current parameters, but it is not currently connected to any connected receivers"; } enum active { description "The subscription is actively running, and is connected to at least one receiver. A subscription-started notification must have been sent for a subscription to be in this state, and the receiver will receive update notifications, as per the update-trigger selection."; } } description "Indicates the status of a subscription"; } typedef receiver-status { type enumeration { enum disconnected { description "The publish is not currently connected to the receiver. Nornally, this is because there are no active subscriptions for this receiver."; } enum connecting { description "The publisher is actively trying to connect to the receiver. This implies that there is at least one active subscription for this receiver. A receiver in connecting state may indicate that the transport or associated security session could not be established, and the publisher is periodically trying to establish the connection."; } enum connected { description "The publisher has successfully connected to the receiver and at least one active subscription is using this receiver."; } } description "Indicates the status of a receiver"; } /* * GROUPINGS */ grouping dscp { description "This grouping describes QoS information concerning a subscription. This information is passed to lower layers for transport prioritization and treatment."; leaf dscp { type inet:dscp; default "0"; description "The desired network transport priority level. This is the priority set on notification messages encapsulating the results of the subscription. This transport priority is shared for all receivers of a given subscription."; } } grouping filter-types { description "This grouping defines the types of selectors for objects from a datastore."; choice filter-spec { description "The content filter specification for this request."; leaf-list paths { type ypath; description "A basic path filter that allows wildcard, regex, or fixed value for list keys. Each format is TODO"; } anydata subtree { if-feature "ypl:subtree"; description "This parameter identifies the portions of the target datastore to retrieve."; reference "RFC 6241: Network Configuration Protocol (NETCONF), Section 6"; } leaf-list xpaths { if-feature "ypl:xpath"; type yang:xpath1.0; description "This parameter contains an XPath expression identifying the portions of the target datastore to retrieve. If the expression returns a node set, all nodes in the node set are selected by the filter. Otherwise, if the expression does not return a node set, the filter doesn't select any nodes. The expression is evaluated in the following XPath context: o The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the 'namespace' statement in the YANG module. If the leaf is encoded in XML, all namespace declarations in scope on the 'stream-xpath-filter' leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used. o The set of variable bindings is empty. o The function library is comprised of the core function library and the XPath functions defined in Section 10 in RFC 7950. o The context node is the root node of the target datastore."; reference "XML Path Language (XPath) Version 1.0 (https://www.w3.org/TR/1999/REC-xpath-19991116) RFC 7950: The YANG 1.1 Data Modeling Language, Section 10"; } } } grouping update-policy { description "This grouping describes the susbcription update policy"; container update-trigger { description "This container describes all conditions under which subscription update messages are generated"; container periodic { presence "indicates a periodic subscription"; description "The publisher is requested to periodically notify the receiver regarding the current values of the datastore as defined by the selection filter."; leaf period { type centiseconds; mandatory true; description "Duration of time that should occur between periodic push updates, in units of 0.01 seconds."; } leaf anchor-time { type yang:date-and-time; description "Designates a timestamp before or after which a series of periodic push updates are determined. The next update will take place at a point in time that is a multiple of a period from the 'anchor-time'. For example, for an 'anchor-time' that is set for the top of a particular minute and a period interval of a minute, updates will be sent at the top of every minute that this subscription is active."; } } container on-change { if-feature "on-change"; presence "indicates an on-change subscription"; description "The publisher is requested to notify the receiver regarding changes in values in the datastore subset as defined by a selection filter."; leaf sync-on-start { type boolean; default "true"; description "When this object is set to 'false', (1) it restricts an on-change subscription from sending 'push-update' notifications and (2) pushing a full selection per the terms of the selection filter MUST NOT be done for this subscription. Only updates about changes (i.e., only 'push-change-update' notifications) are sent. When set to 'true' (the default behavior), in order to facilitate a receiver's synchronization, a full update is sent, via a 'push-update' notification, when the subscription starts. After that, 'push-change-update' notifications are exclusively sent, unless the publisher chooses to resync the subscription via a new 'push-update' notification."; } } } } grouping subscription-common { description "Common settings that are shared between dynamic and configured subscriptions."; container target { description "Identifies the source of information against which a subscription is being applied as well as specifics on the subset of information desired from that source."; leaf datastore { type identityref { base ds:datastore; } default "ds:operational"; description "Datastore from which to retrieve data, defaults to operational"; } choice filter { description "The source of the selection filter applied to the subscription. This will either (1) come referenced from a global list or (2) be provided in the subscription itself."; case by-reference { description "Incorporates a filter that has been configured separately."; leaf filter-ref { type filter-ref; mandatory true; description "References an existing selection filter that is to be applied to the subscription."; } } case within-subscription { description "A local definition allows a filter to have the same lifecycle as the subscription."; uses filter-types; } } } uses update-policy; } /* * RPCs */ rpc establish-subscription { if-feature "dynamic"; description "This RPC allows a subscriber to create (and possibly negotiate) a subscription on its own behalf. If successful, the subscription remains in effect for the duration of the subscriber's association with the publisher or until the subscription is terminated. If an error occurs or the publisher cannot meet the terms of a subscription, an RPC error is returned, and the subscription is not created. In that case, the RPC reply's 'error-info' MAY include suggested parameter settings that would have a higher likelihood of succeeding in a subsequent 'establish-subscription' request."; input { uses subscription-common; leaf encoding { type encoding; mandatory true; description "The encoding to use for the subscription notifications."; } uses dscp; } output { leaf id { type subscription-id; mandatory true; description "Identifier used for this subscription."; } } } sx:structure establish-subscription-stream-error-info { container establish-subscription-stream-error-info { description "If any 'establish-subscription' RPC parameters are unsupportable against the event stream, a subscription is not created and the RPC error response MUST indicate the reason why the subscription failed to be created. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure. This yang-data MUST be inserted if hints are to be provided back to the subscriber."; leaf reason { type identityref { base establish-subscription-error; } description "Indicates the reason why the subscription has failed to be created to a targeted event stream."; } leaf filter-failure-hint { type string; description "Information describing where and/or why a provided filter was unsupportable for a subscription. The syntax and semantics of this hint are implementation specific."; } } } rpc delete-subscription { if-feature "dynamic"; description "This RPC allows a subscriber to delete a subscription that was previously created by that same subscriber using the 'establish-subscription' RPC. Only subscriptions that were created using 'establish-subscription' from the same origin as this RPC can be deleted via this RPC. // TODO - Why same origin? If an error occurs, the server replies with an 'rpc-error' where the 'error-info' field MAY contain a 'delete-subscription-error-info' structure."; input { leaf id { type subscription-id; mandatory true; description "Identifier of the dynamic subscription that is to be deleted."; } } } rpc kill-subscription { if-feature "dynamic"; nacm:default-deny-all; description "This RPC allows an operator to delete a dynamic subscription without restrictions on the originating subscriber or underlying transport session. Only dynamic subscriptions, i.e., those that were created using 'establish-subscription', may be deleted via this RPC. If an error occurs, the server replies with an 'rpc-error' where the 'error-info' field MAY contain a 'delete-subscription-error-info' structure."; input { leaf id { type subscription-id; mandatory true; description "Identifier of the dynamic subscription that is to be deleted."; } } } sx:structure delete-subscription-error-info { container delete-subscription-error-info { description "If a 'delete-subscription' RPC or a 'kill-subscription' RPC fails, the subscription is not deleted and the RPC error response MUST indicate the reason for this failure. This yang-data MAY be inserted as structured data in a subscription's RPC error response to indicate the reason for the failure."; leaf reason { type identityref { base delete-subscription-error; } mandatory true; description "Indicates the reason why the subscription has failed to be deleted."; } } } /* * NOTIFICATIONS */ // TODO - Need to signal when an initial replay has completed, or // possibly when any period subscription has completed. // TODO - Need to think about list key entries that are no longer // present. notification replay-completed { //ypl:subscription-state-notification; //if-feature "replay"; description "This notification is sent to indicate that all of the replay notifications have been sent."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } } notification update-complete { //ypl:subscription-state-notification; //if-feature "replay"; description "This notification indicates the end of a periodic collection, and can be used to purge old state"; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } } notification subscription-started { //ypl:subscription-state-notification; description "This notification indicates that a configured subscription has started and notifications will now be sent."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } uses subscription-common; } notification subscription-terminated { //ypl:subscription-state-notification; description "This notification indicates that a subscription has been terminated."; leaf id { type subscription-id; mandatory true; description "This references the affected subscription."; } leaf reason { type identityref { base subscription-terminated-reason; } mandatory true; description "Identifies the condition that resulted in the termination."; } } notification update { description "This notification contains a push update that in turn contains data subscribed to via a subscription. In the case of a periodic subscription, this notification is sent for periodic updates. It can also be used for synchronization updates of an on-change subscription. This notification shall only be sent to receivers of a subscription. It does not constitute a general-purpose notification that would be subscribable as part of the NETCONF event stream by any receiver."; leaf id { type subscription-id; description "This references the subscription that drove the notification to be sent."; } leaf path-prefix { type string; description "Specifies the common prefix that all other paths and data are encoded relative to. TODO - This should be a JSONified instance data path."; } leaf snapshot-type { type enumeration { enum "periodic" { description "The update message is due to a periodic update."; } enum "on-change-update" { description "The update message is due to an on-change update. This means that one or more fields have changed under the snapshot path. TODO - Split this into a on-change-delete msg?"; } enum "on-change-delete" { description "The update message is due to an on-change event where the data node at the target path has been delete."; } enum "resync" { description "This indicates that the update is to resynchronize the state, e.g., after a subscription started notification. Ideally, the resync message SHOULD be the first notification sent when a subscription has started, but it is not gauranteed or required to be the first (e.g., if an on-change event occurs). These messages can be used to ensure that all state has been sent to the client, and can be used to purge stale data. TODO - In the distributed notification case, need a notification to indicate that all child subscriptions have been sent."; } } description "This indicates the type of notification message that is being sent."; } // Could add observation time here. leaf observation-time { type yang:date-and-time; description "The time that the update was observed by the publisher."; } list updates { key "target-path"; description "This list contains the updated data. It constitutes a snapshot at the time of update of the set of data that has been subscribed to. The snapshot corresponds to the same snapshot that would be returned in a corresponding 'get' operation with the same selection filter parameters applied."; leaf target-path { type string; description "The target path of the data that is being replaced, i.e., updated or deleted. The path is given relative to the path-prefix."; } anydata data { description "This contains the updated data. It constitutes a snapshot at the time of update of the set of data that has been subscribed to. The snapshot corresponds to the same snapshot that would be returned in a corresponding 'get' operation with the same selection filter parameters applied. For an on-change delete notification, the datastore-snapshot will be absent for the given target path. The snapshot is encoded relative to the path-prefix."; } } leaf incomplete { type empty; description "This is a flag that indicates that not all datastore nodes subscribed to are included with this update. Receivers of this data SHOULD NOT assume that any missing data has been implicitly deleted."; } } /* * DATA NODES */ container datastore-telemetry { presence "Enables datastore telemetry"; description "YANG Push Lite Datastore Telemetry Configuration and State."; container filters { description "Contains a list of configurable filters that can be applied to subscriptions. This facilitates the reuse of complex filters once defined."; list filter { key "name"; description "A list of preconfigured filters that can be applied to datastore subscriptions."; leaf name { type string; description "A unique name to identify the selection filters."; } uses filter-types; } } container subscriptions { description "Contains the list of currently active subscriptions, i.e., subscriptions that are currently in effect, used for subscription management and monitoring purposes. This includes subscriptions that have been set up via RPC primitives as well as subscriptions that have been established via configuration."; list subscription { key "id"; description "The identity and specific parameters of a subscription. Subscriptions in this list can be created using a control channel or RPC or can be established through configuration. If the 'kill-subscription' RPC or configuration operations are used to delete a subscription, a 'subscription-terminated' message is sent to any active or suspended receivers."; leaf id { type subscription-id; description "Identifier of a subscription; unique in a given publisher."; } uses subscription-common; leaf purpose { if-feature "configured"; type string; description "Open text allowing a configuring entity to embed the originator or other specifics of this subscription."; } leaf status { type subscription-status; config false; description "The presence of this leaf indicates that the subscription originated from configuration, not through a controlchannel or RPC. The value indicates the state of the subscription as established by the publisher."; } list receivers { key "name"; min-elements 1; description "A host intended as a recipient for the notification messages of a subscription. For configured subscriptions, transport-specific network parameters (or a leafref to those parameters) may be augmented to a specific receiver in this list."; leaf name { type leafref { path "/datastore-telemetry/receivers/receiver/name"; } description "Identifies a unique receiver for a subscription."; } leaf encoding { type encoding; config false; description "The type of encoding for notification messages."; } leaf status { type receiver-status; config false; description "Specifies the connection status of the receiver. I.e., whether a conenction has been sucessfully established"; } container statistics { config false; description "Statistics related to the number of messages sent to the receiver."; leaf sent-event-records { type yang:zero-based-counter64; config false; description "The number of event records sent to the receiver. The count is initialized when a dynamic subscription is established or when a configured receiver transitions to the 'valid' state."; } leaf excluded-event-records { type yang:zero-based-counter64; config false; description "The number of event records explicitly removed via either an event stream filter or an access control filter so that they are not passed to a receiver. This count is set to zero each time 'sent-event-records' is initialized."; } } } action reset { if-feature "configured"; description "Reset the subscription. This action will cause a new subscription-started message to be sent for the subscription"; } } } container receivers { if-feature "configured"; description "A container for all instances of configured receivers."; list receiver { key "name"; leaf name { type string; description "An arbitrary but unique name for this receiver instance."; } leaf encoding { /* when 'not(../transport) or derived-from(../transport, "ypl:configurable-encoding")';*/ type encoding; description "The type of encoding for notification messages. For a dynamic subscription, if not included as part of an 'establish-subscription' RPC, the encoding will be populated with the encoding used by that RPC. For a configured subscription, if not explicitly configured, the encoding will be the default encoding for an underlying transport."; } uses dscp; action reset { description "Resets all configured subscriptions that reference this receiver. This action is directly equivalent to invoking the 'reset' action on all subscriptions that references this receiver configuration."; } choice notification-message-origin { description "Identifies the egress interface on the publisher from which notification messages are to be sent."; case interface-originated { description "When notification messages are to egress a specific, designated interface on the publisher."; leaf source-interface { if-feature "interface-designation"; type if:interface-ref; description "References the interface for notification messages."; } } case address-originated { description "When notification messages are to depart from a publisher using a specific originating address and/or routing context information."; leaf source-vrf { if-feature "supports-vrf"; type leafref { path '/ni:network-instances/ni:network-instance/' + 'ni:name'; } description "VRF from which notification messages should egress a publisher."; } leaf source-address { type inet:ip-address-no-zone; description "The source address for the notification messages. If a source VRF exists but this object doesn't, a publisher's default address for that VRF must be used."; } } } choice transport-type { mandatory true; description "Choice of different types of transports used to send notifications. The 'case' statements must be augmented in by other modules."; } description "A list of all receiver instances."; } } } } ]]>

ietf-yp-lite-capabilities YANG tree This section shows the tree output for ietf-yp-lite-capabilities YANG module, which augments the ietf-system-capabilities YANG module .

YANG tree for YANG Push Lite Capabilities Module Tree Output

ietf-yp-lite-capabiltiies YANG Model This module imports typedefs from the yang-push-lite YANG module. This module augments the ietf-system-capabilities YANG module .

YANG module ietf-yp-lite-capabilities WG List: Author: Robert Wilton "; description "This module contains YANG specifications for YANG-Push lite. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2025 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; revision 2024-11-11 { description "Initial revision."; reference "XXX: YANG Push Lite"; } /* * IDENTITIES */ identity security-protocol { description "Identity for security protocols."; } identity tls12 { base security-protocol; description "Indicates TLS Protocol Version 1.2. TLS 1.2 is obsolete, and thus it is NOT RECOMMENDED to enable this feature."; reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2"; } identity tls13 { base security-protocol; description "Indicates TLS Protocol Version 1.3."; reference "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3"; } identity dtls12 { base security-protocol; description "Indicates DTLS Protocol Version 1.2. TLS 1.2 is obsolete, and thus it is NOT RECOMMENDED to enable this feature."; reference "RFC 6347: The Datagram Transport Layer Security (TLS) Protocol Version 1.2"; } identity dtls13 { base security-protocol; description "Indicates DTLS Protocol Version 1.3."; reference "RFC 9147: The Datagram Transport Layer Security (TLS) Protocol Version 1.3"; } identity ssh { base security-protocol; description "Indicates SSH."; } grouping yp-lite-capabilities { description "Capabilities related to YANG Push Lite subscriptions and notifications"; container datastore-telemetry { description "Capabilities related to YANG Push List subscriptions and notifications"; typedef notification-support { type bits { bit config-changes { description "The publisher is capable of sending notifications for 'config true' nodes for the relevant scope and subscription type."; } bit state-changes { description "The publisher is capable of sending notifications for 'config false' nodes for the relevant scope and subscription type."; } } description "Type for defining whether 'on-change' or 'periodic' notifications are supported for all data nodes, 'config false' data nodes, 'config true' data nodes, or no data nodes. The bits config-changes or state-changes have no effect when they are set for a datastore or for a set of nodes that does not contain nodes with the indicated config value. In those cases, the effect is the same as if no support was declared. One example of this is indicating support for state-changes for a candidate datastore that has no effect."; } leaf periodic-notifications-supported { type notification-support; description "Specifies whether the publisher is capable of sending 'periodic' notifications for the selected data nodes, including any subtrees that may exist below them."; reference "RFC 8641: Subscription to YANG Notifications for Datastore Updates, 'periodic' subscription concept"; } choice update-period { description "Supported update period value or values for 'periodic' subscriptions."; leaf minimum-update-period { type uint32; units "centiseconds"; description "Indicates the minimal update period that is supported for a 'periodic' subscription. A subscription request to the selected data nodes with a smaller period than what this leaf specifies is likely to result in a 'period-unsupported' error."; } leaf-list supported-update-period { type uint32; units "centiseconds"; description "Supported update period values for a 'periodic' subscription. A subscription request to the selected data nodes with a period not included in the leaf-list will result in a 'period-unsupported' error."; } } leaf on-change-supported { type notification-support; description "Specifies whether the publisher is capable of sending 'on-change' notifications for the selected data nodes and the subtree below them."; } } } grouping yp-lite-transport-capabilities { description "Capabilities related to transports supporting Yang Push Lite"; container transport { description "Specifies capabilities related to YANG-Push transports."; list transport-capability { key "transport-protocol"; description "Indicates a list of capabilities related to notification transport."; leaf transport-protocol { type identityref { base ypl:transport; } description "Indicates supported transport protocol for YANG-Push."; } leaf security-protocol { type identityref { base security-protocol; } description "Indicates transport security protocol."; } leaf-list encoding-format { type identityref { base ypl:encoding; } description "Indicates supported encoding formats."; } } } } // YANG Push Lite Capabilities augment "/sysc:system-capabilities" { description "Adds system level capabilities for YANG Push Lite"; uses yp-lite-capabilities; } augment "/sysc:system-capabilities/yplc:datastore-telemetry" { description "Adds system level Yang Push Lite transport capabilities"; uses yp-lite-transport-capabilities; } augment "/sysc:system-capabilities/sysc:datastore-capabilities" + "/sysc:per-node-capabilities" { description "Add datastore and node-level capabilities"; uses yp-lite-capabilities; } } ]]>

Security Considerations With configured subscriptions, one or more publishers could be used to overwhelm a receiver. To counter this, notification messages SHOULD NOT be sent to any receiver that does not support this specification. Receivers that do not want notification messages need only terminate or refuse any transport sessions from the publisher. When a receiver of a configured subscription gets a new "subscription-started" message for a known subscription where it is already consuming events, it may indicate that an attacker has done something that has momentarily disrupted receiver connectivity. TODO - Do we still want this paragraph?. For dynamic subscriptions, implementations need to protect against malicious or buggy subscribers that may send a large number of "establish-subscription" requests and thereby use up system resources. To cover this possibility, operators SHOULD monitor for such cases and, if discovered, take remedial action to limit the resources used, such as suspending or terminating a subset of the subscriptions or, if the underlying transport is session based, terminating the underlying transport session. Using DNS names for configured subscription's receiver "name" lookups can cause situations where the name resolves differently than expected on the publisher, so the recipient would be different than expected.

Receiver Authorization TODO Relax when access control must be checked. TODO Consider if this is the best place in the document, but this text needs to be updated regardless. A receiver of subscription data MUST only be sent updates for which it has proper authorization. A publisher MUST ensure that no unauthorized data is included in push updates. To do so, it needs to apply all corresponding checks applicable at the time of a specific pushed update and, if necessary, silently remove any unauthorized data from datastore subtrees. This enables YANG data that is pushed based on subscriptions to be authorized in a way that is equivalent to a regular data retrieval ("get") operation. Each "push-update" and "push-change-update" MUST have access control applied, as depicted in Figure 5. This includes validating that read access is permitted for any new objects selected since the last notification message was sent to a particular receiver. A publisher MUST silently omit data nodes from the results that the client is not authorized to see. To accomplish this, implementations SHOULD apply the conceptual authorization model of , specifically Section 3.2.4, extended to apply analogously to data nodes included in notifications, not just <rpc-reply> messages sent in response to <get> and <get-config> requests.

Access Control for Push Updates | datastore node | yes | add datastore node | push-change-update | access allowed? | ---> | to update record | +-----------------+ +--------------------+ ]]> A publisher MUST allow for the possibility that a subscription's selection filter references nonexistent data or data that a receiver is not allowed to access. Such support permits a receiver the ability to monitor the entire lifecycle of some datastore tree without needing to explicitly enumerate every individual datastore node. If, after access control has been applied, there are no objects remaining in an update record, then the effect varies given if the subscription is a periodic or on-change subscription. For a periodic subscription, an empty "push-update" notification MUST be sent, so that clients do not get confused into thinking that an update was lost. For an on-change subscription, a "push-update" notification MUST NOT be sent, so that clients remain unaware of changes made to nodes they don't have read-access for. A publisher MAY choose to reject an "establish-subscription" request that selects nonexistent data or data that a receiver is not allowed to access. The error identity "unchanging-selection" SHOULD be returned as the reason for the rejection. In addition, a publisher MAY choose to terminate a dynamic subscription or suspend a configured receiver when the authorization privileges of a receiver change or the access controls for subscribed objects change. In that case, the publisher SHOULD include the error identity "unchanging-selection" as the reason when sending the "subscription-terminated" or "subscription-suspended" notification, respectively. Such a capability enables the publisher to avoid having to support continuous and total filtering of a subscription's content for every update record. It also reduces the possibility of leakage of access-controlled objects. If read access into previously accessible nodes has been lost due to a receiver permissions change, this SHOULD be reported as a patch "delete" operation for on-change subscriptions. If not capable of handling such receiver permission changes with such a "delete", publisher implementations MUST force dynamic subscription re-establishment or configured subscription reinitialization so that appropriate filtering is installed.

YANG Module Security Considerations TODO - Check that this section is still correct at WG LC, and before/after IESG Evaluation, if the YANG data model changes at all. This section is modeled after the template described in Section 3.7.1 of . The "ietf-yp-lite" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF and RESTCONF . These protocols have to use a secure transport layer (e.g., SSH , TLS , and QUIC ) and have to use mutual authentication. The Network Configuration Access Control Model (NACM) provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., "config true", which is the default). All writable data nodes are likely to be reasonably sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) and delete operations to these data nodes without proper protection or authentication can have a negative effect on network operations. The following subtrees and data nodes have particular sensitivities/vulnerabilities:

There are no particularly sensitive writable data nodes.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. Specifically, the following subtrees and data nodes have particular sensitivities/vulnerabilities:

There are no particularly sensitive readable data nodes.

Some of the RPC or action operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. Specifically, the following operations have particular sensitivities/vulnerabilities:

kill-subscription - this RPC operation allows the caller to kill any dynamic subscription, even those created via other users, or other transport sessions.

TODO - As per the template in , we would need to add text for groupings if we add any groupings from elsewhere, or the modules define groupings that are expected to be used by other modules.

IANA Considerations This document registers the following namespace URI in the "IETF XML Registry" : URI: urn:ietf:params:xml:ns:yang:ietf-yp-lite Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document registers the following YANG module in the "YANG Module Names" registry : Name: ietf-yp-lite Namespace: urn:ietf:params:xml:ns:yang:ietf-yp-lite Prefix: ypl Reference: RFC XXXX

Acknowledgments This inital draft is early work is based on discussions with various folk, particularly Thomas Graf, Holger Keller, Dan Voyer, Nils Warnke, and Alex Huang Feng; but also wider conversations that include: Benoit Claise, Pierre Francois, Paolo Lucente, Jean Quilbeuf, among others.

Contributors The following individuals have actively contributed to this draft and the YANG Push Solution.

Dan Voyer (TBD)

References Normative References Extensible YANG Model for YANG-Push Notifications INSA-Lyon INSA-Lyon Swisscom Huawei This document defines a new extensible notification structure, defined in YANG, for use in YANG-Push Notification messages enabling any YANG compatible encodings such as XML, JSON or CBOR. Additionally, it defines two essential extensions to this structure, the support of a hostname and a sequence number and the support of a timestamp caracterizing the moment when the changed data was observed. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers This document defines the IP header field, called the DS (for differentiated services) field. [STANDARDS-TRACK] Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Common YANG Data Types This document introduces a collection of common data types to be used with the YANG data modeling language. This document obsoletes RFC 6021. The YANG 1.1 Data Modeling Language YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). JSON Encoding of Data Modeled with YANG This document defines encoding rules for representing configuration data, state data, parameters of Remote Procedure Call (RPC) operations or actions, and notifications defined using YANG as JavaScript Object Notation (JSON) text. YANG Tree Diagrams This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language. Network Configuration Access Control Model The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model. This document obsoletes RFC 6536. Network Management Datastore Architecture (NMDA) Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950. YANG Library This document describes a YANG library that provides information about the YANG modules, datastores, and datastore schemas used by a network management server. Simple caching mechanisms are provided to allow clients to minimize retrieval of this information. This version of the YANG library supports the Network Management Datastore Architecture (NMDA) by listing all datastores supported by a network management server and the schema that is used by each of these datastores. YANG Data Model for Network Instances This document defines a network instance module. This module can be used to manage the virtual resource partitioning that may be present on a network device. Examples of common industry terms for virtual resource partitioning are VPN Routing and Forwarding (VRF) instances and Virtual Switch Instances (VSIs). The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in RFC 8342. YANG Data Structure Extensions This document describes YANG mechanisms for defining abstract data structures with YANG. YANG Modules Describing Capabilities for Systems and Datastore Update Notifications This document defines two YANG modules, "ietf-system-capabilities" and "ietf-notification-capabilities". The module "ietf-system-capabilities" provides a placeholder structure that can be used to discover YANG-related system capabilities for servers. The module can be used to report capability information from the server at runtime or at implementation time by making use of the YANG instance data file format. The module "ietf-notification-capabilities" augments "ietf-system-capabilities" to specify capabilities related to "Subscription to YANG Notifications for Datastore Updates" (RFC 8641). Encoding of Data Modeled with YANG in the Concise Binary Object Representation (CBOR) YANG (RFC 7950) is a data modeling language used to model configuration data, state data, parameters and results of Remote Procedure Call (RPC) operations or actions, and notifications. This document defines encoding rules for YANG in the Concise Binary Object Representation (CBOR) (RFC 8949). YANG Schema Item iDentifier (YANG SID) YANG Schema Item iDentifiers (YANG SIDs) are globally unique 63-bit unsigned integers used to identify YANG items. SIDs provide a more compact method for identifying those YANG items that can be used efficiently, notably in constrained environments (RFC 7228). This document defines the semantics, registration processes, and assignment processes for YANG SIDs for IETF-managed YANG modules. To enable the implementation of these processes, this document also defines a file format used to persist and publish assigned YANG SIDs. I-Regexp: An Interoperable Regular Expression Format This document specifies I-Regexp, a flavor of regular expression that is limited in scope with the goal of interoperation across many different regular expression libraries. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. NETCONF Event Notifications This document defines mechanisms that provide an asynchronous message notification delivery service for the Network Configuration protocol (NETCONF). This is an optional capability built on top of the base NETCONF definition. This document defines the capabilities and operations necessary to support this service. [STANDARDS-TRACK] Informative References An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks This document describes an architecture for describing Simple Network Management Protocol (SNMP) Management Frameworks. The architecture is designed to be modular to allow the evolution of the SNMP protocol standards over time. The major portions of the architecture are an SNMP engine containing a Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, and possibly multiple SNMP applications which provide specific functional processing of management data. This document obsoletes RFC 2571. [STANDARDS-TRACK] The IETF XML Registry This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. The Secure Shell (SSH) Authentication Protocol The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. This document describes the SSH authentication protocol framework and public key, password, and host-based client authentication methods. Additional authentication methods are described in separate documents. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol. [STANDARDS-TRACK] YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. Hypertext Transfer Protocol Version 2 (HTTP/2) This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged. The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. A YANG Data Model for Interface Management This document defines a YANG data model for the management of network interfaces. It is expected that interface-type-specific data models augment the generic interfaces data model defined in this document. The data model includes definitions for configuration and system state (status information and counters for the collection of statistics). The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in RFC 8342. This document obsoletes RFC 7223. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. RESTCONF Protocol This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). NETCONF Call Home and RESTCONF Call Home This RFC presents NETCONF Call Home and RESTCONF Call Home, which enable a NETCONF or RESTCONF server to initiate a secure connection to a NETCONF or RESTCONF client, respectively. YANG Patch Media Type This document describes a method for applying patches to configuration datastores using data defined with the YANG data modeling language. Subscription to YANG Notifications This document defines a YANG data model and associated mechanisms enabling subscriber-specific subscriptions to a publisher's event streams. Applying these elements allows a subscriber to request and receive a continuous, customized feed of publisher-generated information. Dynamic Subscription to YANG Events and Datastores over NETCONF This document provides a Network Configuration Protocol (NETCONF) binding to the dynamic subscription capability of both subscribed notifications and YANG-Push. Subscription to YANG Notifications for Datastore Updates This document describes a mechanism that allows subscriber applications to request a continuous and customized stream of updates from a YANG datastore. Providing such visibility into updates enables new capabilities based on the remote mirroring and monitoring of configuration and operational state. QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. Guidelines for Authors and Reviewers of Documents Containing YANG Data Models YumaWorks Orange Huawei This memo provides guidelines for authors and reviewers of specifications containing YANG modules, including IANA-maintained modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 8407. Also, this document updates RFC 8126 by providing additional guidelines for writing the IANA considerations for RFCs that specify IANA-maintained modules. The document also updates RFC 6020 by clarifying how modules and their revisions are handled by IANA. An Architecture for a Network Anomaly Detection Framework Swisscom Swisscom INSA-Lyon This document describes the motivation and architecture of a Network Anomaly Detection Framework and the relationship to other documents describing network symptom semantics and network incident lifecycle. The described architecture for detecting IP network service interruption is generic applicable and extensible. Different applications are being described and exampled with open-source running code. An Architecture for YANG-Push to Message Broker Integration Swisscom Swisscom This document describes the motivation and architecture of a native YANG-Push notifications and YANG Schema integration into a Message Broker and YANG Schema Registry. UDP-based Transport for Configured Subscriptions Huawei Huawei Swisscom INSA-Lyon INSA-Lyon NTT This document describes a UDP-based transport for YANG notifications to collect data from network nodes. A shim header is defined to facilitate the data streaming directly from a publishing process on a network device to telemetry receivers. Such a design enable higher frequency updates and less performance overhead on publisher and receiver processes compared to already established notification mechanisms. A YANG data model is also defined for management of the described UDP-based transport. YANG Notification Transport Capabilities Huawei Huawei INSA-Lyon Swisscom This document specifies a YANG module for YANG notifications transport capabilities which augments "ietf-system-capabilities" YANG module defined in [RFC9196]. The module provides transport, encoding, and encryption system capabilities for transport-specific notification. This YANG module can be used by the client to learn capability information from the server at runtime or at implementation time, by making use of the YANG instance data file format. An HTTPS-based Transport for YANG Notifications Kloud Services Watsen Networks This document defines a protocol for sending asynchronous event notifications similar to notifications defined in RFC 5277, but over HTTPS. YANG modules for configuring publishers are also defined. Examples are provided illustrating how to configure various publishers. This document requires that the publisher is a "server" (e.g., a NETCONF or RESTCONF server), but does not assume that the receiver is a server. Subscription to Distributed Notifications Huawei Huawei Cisco Systems Swisscom INSA-Lyon This document describes extensions to the YANG notifications subscription to allow metrics being published directly from processors on line cards to target receivers, while subscription is still maintained at the route processor in a distributed forwarding system. Apache Kafka Consistency (database systems) Eventual Consistency XML Path Language (XPath) Version 1.0 gRPC Network Management Interface (gNMI) Subscription to Distributed Notifications Huawei Huawei Cisco Systems Swisscom INSA-Lyon This document describes extensions to the YANG notifications subscription to allow metrics being published directly from processors on line cards to target receivers, while subscription is still maintained at the route processor in a distributed forwarding system. Extensible YANG Model for YANG-Push Notifications INSA-Lyon INSA-Lyon Swisscom Huawei This document defines a new extensible notification structure, defined in YANG, for use in YANG-Push Notification messages enabling any YANG compatible encodings such as XML, JSON or CBOR. Additionally, it defines two essential extensions to this structure, the support of a hostname and a sequence number and the support of a timestamp caracterizing the moment when the changed data was observed. Support of Hostname and Sequencing in YANG Notifications Swisscom Huawei INSA-Lyon This document specifies a new YANG module that augments the NETCONF Event Notification header to support the hostname and sequence number to identify from which network node and at which time the message was published. This allows the collector to recognize loss, delay and reordering between the publisher and the downstream system storing the messages. Support of Observation Timestamp in YANG-Push Notifications Swisscom Huawei INSA-Lyon This document extends YANG-Push Notifications with the YANG objects observation timestamp and point-in-time for streaming update YANG- Push notifications.

Functional changes between YANG Push Lite and YANG Push This non-normative section highlights the significant functional changes where the YANG Push Lite implementation differs from YANG Push. However, the main body of this document, from onwards, provides the normative definition of the YANG Push Lite specification, except for any text or sections that explicitly indicate that they are informative rather being normative. Note to reviewers: If you notice mistakes in this section during development of the document and solution then please point them out to the authors and the working group. (RFC editor, please remove this paragraph prior to publication)

Removed Functionality This section lists functionality specified in and YANG Push which is not specified in YANG Push Lite.

Negotiation and hints of failed subscriptions.
The RPC to modify an existing dynamic subscription, instead the subscription must be terminated and re-established.
The ability to suspend and resume a dynamic subscription. Instead a dynamic subscription is terminated if the device cannot reliably fulfill the subscription or a receiver is too slow causing the subscription to be back pressured.
Specifying a subscription stop time, and the corresponding subscription-completed notification have been removed.
Replaying of buffered event records are not supported. The nearest equivalent is requesting a sync-on-start replay when the subscription transport session comes up which will reply the current state.
QoS weighting and dependency between subscriptions has been removed due to the complexity of implementation.
Support for reporting subscription error hints has been removed. The device SHOULD reject subscriptions that are likely to overload the device, but more onus is placed on the operator configuring the subscriptions or setting up the dynamic subscriptions to ensure that subscriptions are reasonable, as they would be expected to do for any other configuration.
The "subscription-state-notif" extension has been removed.
The YANG Patch format is no longer used for on-change subscriptions.

Changed Functionality This section documents behavior that exists in both YANG Push and YANG Push Lite, but the behavior differs between the two:

All YANG Push Lite notifications messages use rather than used by YANG Push.
Changes to handling receivers:
- Receivers are always configured separately from the subscription and are referenced.
- Transport and Encoding parameters are configured as part of a receiver definition, and are used by all subscriptions directed towards a given receiver.
- If a subscription uses multiple receivers then:
  - Update messages and lifecycle notifications are sent to all receivers (to preserve sequence numbers)
  - all receivers must be configured with the same encoding
Periodic and on-change message uses a common update notification message format, allowing for the messages to be processed by clients in a similar fashion and to support combined periodic and on-change subscriptions.
On-change dampening:
- Client configurable on-change dampening has been removed.
- However, YANG Push Lite allows a publisher to limit the rate at which a data node is sampled for on-change notifications. See for further details.
Dynamic subscriptions are no longer mandatory to implement, either or both of Configured and Dynamic Subscriptions may be implemented in YANG Push Lite.
The solution focuses solely on datastore subscriptions that each have their own event stream. Filters cannot be applied to the event stream, only to the set of datastore data nodes that are monitored by the subscription.
The lifecycle events of when a subscription-started or subscription-terminated may be sent differs from RFC 8639/RFC 8649:
- Subscription-started notifications are also sent for dynamic subscriptions.
Some of the requirements on transport have been relaxed.
The encoding identities have been extended with CBOR encodings, and the "encoding-" prefix has been removed (so that there is a better on the wire representation).
YANG Push Lite allows for a publisher to provide an eventually consistent distributed view of the operational datastore, rather than a fully consistent datastore where on-change updates are sent as logic diffs to that datastore.

Added Functionality

Device capabilities are reported via XXX and additional models that augment that data model.
A new update message:
- Covers both on-change and periodic events.
- Allows multiple updates to be sent in a single message (e.g., for on-change).
- Allows for a common path prefix to be specified, with any paths and encoded YANG data to be encoded relative to the common path prefix.
A collection-complete notification, and associated configuration, has been defined to inform collectors when a subscription's periodic collection cycle is complete.
TODO - More operational data on the subscription load and performance.
All YANG Push Lite configuration is under a new datastore-telemetry presence container

Subscription Errors (from RFC 8641)

RPC Failures Rejection of an RPC for any reason is indicated via an RPC error response from the publisher. Valid RPC errors returned include both (1) existing transport-layer RPC error codes, such as those seen with NETCONF in and (2) subscription-specific errors, such as those defined in the YANG data model. As a result, how subscription errors are encoded in an RPC error response is transport dependent. References to specific identities in the ietf-subscribed- notifications YANG module or the ietf-yang-push YANG module may be returned as part of the error responses resulting from failed attempts at datastore subscription. For errors defined as part of the ietf-subscribed-notifications YANG module, please refer to . The errors defined in this document, grouped per RPC, are as follows: There is one final set of transport-independent RPC error elements included in the YANG data model. These are the four yang-data structures for failed datastore subscriptions:

yang-data "establish-subscription-error-datastore": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "establish-subscription" RPC response. This MUST be sent if hints are included.
yang-data "modify-subscription-error-datastore": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "modify-subscription" RPC response. This MUST be sent if hints are included.
yang-data "sn:delete-subscription-error": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "delete-subscription" or "kill-subscription" RPC response.
yang-data "resync-subscription-error": This MUST be returned if information identifying the reason for an RPC error has not been placed elsewhere in the transport portion of a failed "resync-subscription" RPC response.

Failure Notifications A subscription may be unexpectedly terminated or suspended independently of any RPC or configuration operation. In such cases, indications of such a failure MUST be provided. To accomplish this, a number of errors can be returned as part of the corresponding subscription state change notification. For this purpose, the following error identities are introduced in this document, in addition to those that were already defined in :

Examples Notes on examples:

To allow for programmatic validation, most notification examples in this section exclude the mandatory notification envelope and associated metadata defined in . Only the full notification example in includes the notification header.
These examples have been given using a JSON encoding of the regular YANG-Push notification format, i.e., encoded using , but it is anticipated that these notifications could be defined to exclusively use the new format proposed by .
Some additional meta data fields, e.g., like those defined in would also likely be included, but have also been excluded to allow for slightly more concise examples.
The examples include the field for the existing YANG-Push Notification format, and the proposed equivalent "observation-time" leaf for the new update notification format.
All these examples are created by hand, may contain errors, and may not parse correctly.

Example of update message using the new style update message The subscription was made on "Cisco-IOS-XR-pfi-im-cmd-oper:interfaces", but for efficiency reasons, the device has split the subscription into separate child subscriptions for the different data providers, and makes use of the new message format. Hence, this first periodic message is being published for the "Cisco-IOS-XR-pfi-im-cmd-oper:interfaces/interface-summary" container, but it is encoded rooted relative to the schema for "Cisco-IOS-XR-pfi-im-cmd-oper:interfaces". The second periodic message is being published for the "Cisco-IOS-XR-pfi-im-cmd-oper:interfaces/interfaces/interface" list, but again, it is encoded rooted relative to the schema for "Cisco-IOS-XR-pfi-im-cmd-oper:interfaces". This message has a separate observation time that represents the more accurate time that this periodic date was read. Each child subscription would use the same period and anchor time as the configured subscription, possibly with a little bit of initial jitter to avoid all daemons attempting to publish the data at exactly the same time.

Example of an on-change-update notification using the new style update message If the subscription is for on-change notifications, or periodic-and-on-change-notifications, then, if the interface state changed (specifically if the 'state' leaf of the interface changed state), and if the device was capable of generating on-change notifications, then you may see the following message. A few points of notes here:

The on-change notification contains all of the state at the "target-path"
- Not present in the below example, but if the notification excluded some state under an interfaces list entry (e.g., the line-state leaf) then this would logically represent the implicit deletion of that field under the given list entry.
- In this example it is restricted to a single interface. It could also publish an on-change notification for all interfaces, by indicating a target-path without any keys specified. TODO - Can it represent notifications for a subset of interfaces?
The schema of the change message is exactly the same as for the equivalent periodic message. It doesn't use the YANG Patch format for on-change messages.
The "observation time" leaf represents when the system first observed the on-change event occurring.
The on-change event doesn't differentiate the type of change to operational state. The on-change-update snapshot type is used to indicate the creation of a new entry or some update to some existing state. Basically, the message can be thought of as the state existing with some current value.

Example of an on-change-delete notification using the new style update message If the interface was deleted, and if the system was capable of reporting on-change events for the delete event, then an on-change delete message would be encoded as per the following message. Of note:

The on-change-delete snapshot type doesn't include a "datastore-snapshot", instead it represents a delete of the list entry at the path identified by the target-path, which is similar to a YANG Patch delete notification.

Subscription RPC examples (from RFC 8641) YANG-Push subscriptions are established, modified, and deleted using RPCs augmented from .

"establish-subscription" RPC The subscriber sends an "establish-subscription" RPC with the parameters listed in Section 3.1. An example might look like: ds:operational

/ex:foo

500 Figure 10: "establish-subscription" RPC ]]> A positive response includes the "id" of the accepted subscription. In that case, a publisher may respond as follows: 52 Figure 11: "establish-subscription" Positive RPC Response ]]> A subscription can be rejected for multiple reasons, including the lack of authorization to establish a subscription, no capacity to serve the subscription at the publisher, or the inability of the publisher to select datastore content at the requested cadence. If a request is rejected because the publisher is not able to serve it, the publisher SHOULD include in the returned error hints that help a subscriber understand what subscription parameters might have been accepted for the request. These hints would be included in the yang-data structure "establish-subscription-error-datastore". However, even with these hints, there are no guarantees that subsequent requests will in fact be accepted. The specific parameters to be returned as part of the RPC error response depend on the specific transport that is used to manage the subscription. For NETCONF, those parameters are defined in . For example, for the following NETCONF request: ds:operational

/ex:foo

Figure 12: "establish-subscription" Request: Example 2 ]]> A publisher that cannot serve on-change updates but can serve periodic updates might return the following NETCONF response:

application

operation-failed

error

/yp:periodic/yp:period

yp:on-change-unsupported

Figure 13: "establish-subscription" Error Response: Example 2 ]]>

"delete-subscription" RPC To stop receiving updates from a subscription and effectively delete a subscription that had previously been established using an "establish-subscription" RPC, a subscriber can send a "delete-subscription" RPC, which takes as its only input the subscription's "id". This RPC is unmodified from .

"resync-subscription" RPC This RPC is supported only for on-change subscriptions previously established using an "establish-subscription" RPC. For example: 1011 Figure 15: "resync-subscription" ]]> On receipt, a publisher must either (1) accept the request and quickly follow with a "push-update" or (2) send an appropriate error in an RPC error response. In its error response, the publisher MAY include, in the yang-data structure "resync-subscription-error", supplemental information about the reasons for the error.

Summary of Open Issues & Potential Enhancements This temporary section lists open issues and enhancements that require further discussion by the authors, or the WG. Once adopted, it is anticipated that tracking the open issues would move to github. The issues are ordered/grouped by the sections in the current document. I.e., to make it easier to review/update sections of the document.

Issues related to general IETF process:

If this work progresses we will need simple bis versions of the transports document so that they augment into the new data model paths. Drafts that would need to be updated as documented in .
Do we need to fold in any text from RFC 8640? and RESTCONF. I.e., there was this text in the one of the previous docs: Bindings for subscribed event record delivery for NETCONF and RESTCONF are defined in and RESTCONF-Notif, respectively.
- Rob: If text is needed for NETCONF and/or RESTCONF then I suspect that it would be better added to this document than to require small separate documents (as was done before).

Issue related to Terminology/Definitions:

Should we use the object terminology? This may be better than data node subtree, or the equivalent, and could be better than introducing bags?
- Holger: should try and use same terminology as existing YANG Push RFCs.
- Rob: This issue can be a place holder, to go through and check/update the terminology used, and see if any of the referenced terminology isn't neeed in YP Lite.

Issues related to YANG Push Lite Overview. None currently.

Issues related to Subscription Paths and Selection Filters

This draft introduces a new simple yang path (ypath) format that is like a JSON instance data path, that all implementations MUST support.
- Vendors already support a simple JSON like path (e.g., using module-names rather than XML namespaces).
- Open questions (for further discussion):
  - Do we support filtering on non-keys, e.g., this example from Thomas (but which filters on a non-key): /if:interfaces-state/if:interface[if:type='ianaift:ethernetCsmacd']/if:statistics
  - Do we support simple regex filtering on the keys (and if so, how would that be expressed, would it be compatible with JSON Path)
  - Do we need any more complex filtering (e.g., Holger's example of only getting entries from a list if they are in a particular state.), or do we always use subtree filters for that?
- Authors: I provides some suggested text in , but I expect further discussion may be needed. (E.g., how multiple keys should be expressed)
The draft retains OPTIONAL subtree filtering (under a feature statement):
- What is the schema associated with this subtree (compared to a simple path), and how is this expressed?
- Does the subtree filter get put into the subscription-started message?
xpath filtering - conslusion is that we should keep this in a draft as a MAY (under a feature statement).
- Do we allow implementations to support a subset of xpath syntax, or should they support all of xpath.
- Proposal: From an IETF draft perspective, don't say anything, i.e., it just indicates support for XPath filtering without explicitly saying whether or not it must all be supported

Issues related to Datastore Event Streams

Further refinements on how a subscription can be decomposed internally into child subscriptions with the data returned for each child subscription:

Handling lists with separate producers of list entries.
- If a subscription is decomposed, then should the subscription started message for the configured subscription indicate how that subscription has been decomposed?
- Do we need to add an optional replay-end (i.e., after a sync-on-start) or collection-end (i.e., after every collection) notification so that clients can determine when data can be implicitly deleted.
  - Rob: I think that we should add the latter, but make it a subscription config option to turn it on.
  - Holger, strong support for adding this, often requested.
  - Thomas, yes we need this, but need to determine whether this is per subscription or per publisher.

Questions/comments on the notification message format:

We allow multiple updates within a single message (primary use case is for the on-change case). What about the timestamp, which is still just once per message (like gNMI)? Should message bundling be optional/configurable to implement (if they all use a single shared timestamp)?
- on-change deletes are implicit by an update that replaces an existing entry with an empty data node (e.g., "{}" in JSON)
  - An alternative choice here could be an explicit delete flag, we need to decide which would be simpler/better.
- The update message also currently includes a path-prefix to allow (like gNMI) so that they don't necessarily need to be encoded from root, specifically, I think that this makes on-change messages nicer, since the on-change is rooted to the thing that is changing rather than the root of the tree. We need to define semantics of how this works, e.g., this should probably be controlled via configuration.
  - Ideally, the path prefix would be exactly the same as the YPath format that is being specified for configuration.
- Do we keep the "incomplete" update flag? Otherwise how would a publisher indicate that a message was not complete.
  - Thomas: We should keep this.

Further discussion of this issue is needed

Issues related to Receivers, Transports, & Encodings

Constraints on supporting multiple receivers:

Encoding is set per receiver, but do we need to support a subscription supporting more than one receiver with different encodings?
- Rob: Note, it is always possible for a client to setup different subscriptions.
- Thomas: This could be useful, e.g., when migrating from one encoding to another, particularly, if it reduced the load on the publisher (compared to creating a new separate subscription).
- Rob: I don't think that we would end up optimizing for this case (but would need to check).
- Also need to check with Nokia/Huawei would support this.
- Current status: Left open for further discussion.
- Note: This may also have a minor impact on the data model.
Lifecycle message should be sent per subscription, not per receiver (i.e., every receiver gets the same message (ignoring transport headers)):
- Consensus agreed this is the right thing to do.
- Action on Rob to check/update the draft.
- Notes:
  - Every receiver gets the same sequence number in the message.
  - subscription-created notification could perhaps have an enum giving a reason for the notification (e.g., new subscription, receiver added).
Do we need a per-receiver notification to indicate to a specific receiver that it has been disconnected?
- This would seem to only apply to configured subscriptions (since dynamic cannot have more than one receiver).
- If the transport session went down, then the publisher would be expected to reconnect anyway.
- So, the specific use case is likely to be unconfiguring a receiver for a subscription that has multiple receivers.
- Currently parked for further discussion.

Issues related to Transports:

lists quite a lot of rules on what are valid transports and what negotation/etc is required. I think we need to check whether we can weaken some of these (although it is possible that these were imposed during a transport directorate review).
- Rob: Authors, I've updated the transport section, , please can you re-review.
James: We also need to add some text into security section.
- Rob: Is this transport specific, or related to application layer authorization?
What is the rules/restrictions for subscription receiver instances vs transport sessions? E.g., is this entirely down to the transport to define.

Issues related to Setting up & Managing Subscriptions

Issues related to the configuration model: Note some of these apply or impact dynamic subscriptions as well.

YP Lite is somewhat different (separate namespace, separate receivers, no event filters, some config has moved to a separate receivers list.) See the data model and .
We should allow devices to limit which datastores subscriptions can be made against (e.g., not candidate or factory-default as some obvious examples). Should these be advertised in the capabilities?
(James) Should we even document the configuration data model in this document at all, or should it be in a separate document?
Some other changes/proposed changes:
- I've removed some of the YANG features for 'small' one/two changes in configuration. I propose that we don't need features for these at all (e.g., DSCP settings), or in other cases we can use operational capabilities, or rely on deviations.
  - I've renamed the encodings (e.g., from "encode-json" to just "json")
  - Maybe further simplification of the receivers list under the subscription. E.g., do we need stats per subscription per receiver, or just per subscription? Do want stats across all subscriptions to a given receiver?
    - Holger: Stats per subscription should be sufficient. No need for per subscription/pre-receiver stats (which would allow the data model to be simplified a little bit).
  - Subscription-ids are currently numeric values with the space split between configured and dynamic subscriptions, but I think that the config model would be cleaner if we used names for the configured subscriptions (and we could reserve a prefix "dyn-" for dynamic subscriptions).
    - Holger, Rob: Strong preference to names.
    - Thomas, keep ids, but rename 'purpose' to name. Also give receivers an ids and be keyed this.

Issues related to dynamic subscriptions:

In YP Lite, dynamic subscriptions are designed to be closer to configured subscriptions and share more of the data model and lifecycle handling. I.e., the primary differentiator is meant to be how they are instantiated.
- James, Rob: More alignment is better.
Do we want to change how RPC errors are reported? E.g., change the RPC ok response to indicate whether the subscription was successfully created or not, or included extra error information. Note NETCONF and RESTCONF already define how errors are encoded in XML and JSON (for RESTCONF only).
Do we need to allow a dynamic subscription to be modified? If we do, then it would be better to change the establish-subscription RPC to have an optional existing subscription-id rather than define a separate RPC. However, my preference is that the existing subscription is deleted and recreated (or if we allow the client to specify the subscription-id then they could just overwrite the subscription)
- Holger: Overwrite is a neat idea, but delete/recreate would also be sufficient.
- Rob: Related to this, do we allow the client to optionally name dynamic subscriptions (what is config and dynamic subscription names collide)?
For operational data, should be list dynamic receivers in the receiver list so that they are handled the same as configured subscription? Or should the information for them be inlined in the subscriptions container?
- Rob this requires further thought on exactly how configured/dynamic subscriptions may to underlying transport sessions. I.e., how fixed or flexible is this depending on the transport.
Proposal is to make specifying an encoding mandatory.

Issues related to Subscription Lifecycle

Should subscription-started notification include a fingerprint of the schema that is covered by the subscription that would guaranteed to change if the subscription changes?
- Rob: I think that we should do this (i.e., as optimized version of content-id)
- Would this also be impacted by a change to access control? (Rob: Probably not)
- Thomas would like to align to the same mechanism in YANG Push, i.e., in the existing drafts, and we should use the same mechanism
- Rob: I would like to understand what the long term complete solution is here.
- Benoit: Also related to the data manifest draft (in WGLC in OPSWG.)
  - Should discuss all of this together. IETF 122 discussion.
If a subscription references a filter, then should that be included inline in the subscription started notification (as per the RFC 8641 text), or should it indicate that it is a referenced filter?
- Thomas: Do we need referenced filters at all? Subscriptions could be simplified if everything was done inline.
- gNMI is only done inline.
- Juniper also supports filters.
- Thomas try to simplify as much as possible, then do we need templating?
When a subscription is terminated, should it be MUST NOT send any more notifications after the terminated message, or SHOULD NOT? For a dynamic subscription, should the RPC be synchronous and not reply until it knows that all queues have been drained?
- Holger, Thomas, Benoit: MUST NOT
- James: SHOULD NOT
- MUST NOT is clearer from an implementation POV, but probably doesn't really matter.
- What does the receiver do when it gets this message anyway.
Is a publisher allowed to arbitrarily send a sync-on-start resync, e.g., if it detects data loss, or should it always just terminate and reinitialize the subscription?
- Holger, terminate & recreate.
- gNMI, not specified.
- Thomas: Keep this as implementation detail.
- Sequence-id indicates that a client is dropping message anyway.
- Receiver can already monitor and see that there is a problem anyway.
If the parameters for a subscription change in any way (e.g., the config changes for a configured subscription, or a referenced filter changes in a dynamic subscription) then do we want to say that the subscription MUST be killed and recreated. I.e., with subscription-terminated/subscription-started notifications? (Section 11)
- Holger, kill/re-create.
- Collector would need to no.
- Ebben: Includes addition or deletion of the path.
- Benoit: Which parameters are changing, this could impact. It depends. Maybe forcing it down keeps it simple. Would need further definition of what parameters would cause this to be pulled down.
- Locally relevant, e.g., modifying transport parameters doesn't force a change.
- Benoit: If you are not sure what you are doing you must recreate.
Should we have a YANG Action to reset a receiver or a subscription? E.g., discussed in .
- There seems to be consensus that having/keeping such a YANG action is useful if a configured subscription is stuck.
- Further discussion is needed to indicate where such an RPC should be in the data model, and what effect it should have:
  - It could be under the subscription list, which would effectively be equivalent to forcing the subscription to terminate and re-initialise across all receivers.
  - It could also be under the receiver list, which would effectively be equivalent to forcing all subscriptions using that receiver to terminate and re-initialise.
  - We also need to consider whether this would clear subscription counters or not.
  - We also consider whether we need any text to rate limit requests, e.g., in the security considerations section.
  - We also need to consider whether configured subscription MAY/SHOULD share transport sessions where possible, or whether each subscription uses a separate transport session, or whether this is down to the transport session definition. This decision may impact the design of the data model, and pehaps the transport requirements text.
  - Rob: I've written up some text for the reset action on a subscription and under the receiver (that applies to all subscriptions that reference the receiver configuration). Unlike the existing reset action, I've removed the return parameter (timestamp of when it took effect), and I think that we should allow it to be processed asynchronously w.r.t the RPC caller. Authors, please check the latest text.
Should we support configurable subscription-level keepalives?
- This would probably entail periodically sending a small message on on-change subscriptions so that the receiver (message broker) knows that the collection is still alive and active.
- The presumption is that would be configurable option on an on-change subscription (configured or dynamic)
- Note, some transport sessions may already support keepalives, which is a separate, transport specific consideration.
- An alternative would be to configure a joint periodic and on-change subscription, but depending on the keepalive interval this would likely involve sending more data on a periodic basis.
- Another alternative is to monitor the operational state of the subscription to keep that all the expected subscriptions are active.
- Discussed, but no consensus reached yet

Issues related to Performance, Reliability & Subscription Monitoring

Issues/questions related to operational data:

Should we define some additional operational data to help operators check that the telemetry infrastructure is performing correctly, to get an approximation of the load, etc.
- Rob: probably, but lower priority.
Should dynamic subscriptions use the same receivers structure as for configured subscriptions, or should they be inline in the configured subscription?
- Thomas: Two sets of counters, one is at the subscription which is about fetching the data, and the other is on the receiver.
- James: Can think of some uses cases where listing drop counters per subscription may be helpful.
- Rob: Thinking about it further, it probably needs to be separate, since for some transports, each subscription may open a separate transport session to the receiver rather than trying to mux into a single transport (e.g., TCP).

Issues related to Conformance and Capabilities

Do we advertise that conformance via capabilities and/or YANG features (both for configured and dynamic subscriptions)?
- The current doc uses a mixture of both (e.g., features for supporting config vs dyanmic subscriptions), capabilities for advertising other capabilities that either cannot be advertised via features, or would arguably be too fine grained.
For on-change, should a subscription be rejected (or not brought up) if there are no on-change notifiable nodes? Alternative is to offer implementation flexibility between these two approaches.
- Holger: Prefer for the subscription to be rejected.
CBOR SID encoding:
- In terms of conformance, we have SHOULD for CBOR, but the draft is silent on whether this means with SIDs or not.
- Further discussion is required on how to manage SID files.
Check of the current approach in the draft of using a separate tree for YP Lite capbilities rather than reusing the YP capabilities (and augmentations) previously defined.
- Rob: The draft currently includes a separate tree, which I think is necessary because the supported functionality is different (e.g., dampening), and a implementation may support both YANG Push and YANG Push Lite.
Further work and discussion is required for advertising capabilities for filter paths. E.g., listing all of the paths that support on-change could be a very long list. Related, does the draft need to advertise at what points a publisher would decompose a higher subscription into more specific subscriptions.

Issues related to the YANG Modules None open.

Issues related to the Security Considerations (& NACM filtering)

Need to consider how NACM applies to YANG Push Lite, which may differ for dynamic vs configured subscription, but generally we want the permissions to be checked when the subscription is created rather than each time a path is accessed.
- (James) Take out tight binding to NACM from YANG Push Lite altogether. I.e., decouple YANG Push Lite from what security mechanism is being used.
- (Rob) Another choice could be to use NACM as an example rather than the only way.
Where should this be in the document (current it in the security considerations section)
Do we want to retain the the current text in introduction related to terminating a subscription if permissions change?
Also note, text was removed from the transport section related to RPC authorization, and which should be moved to an application (rather than transport) layer security mechanism.

Issues related to the IANA

Need to add in registration for ietf-yp-lite-capabilities.yang

Issues related to the Appendixes

Examples related issues/questions:

Not a question, but a note that most of the examples need to be updated to reflect the data models currently in the draft.

Summary of closed/resolved issues This appendix is only intended while the authors/WG are working on the document, and should be deleted prior to WG LC.

Rename subscription-terminated to subscription-stopped (Change rejected 21 Feb 25, unnecessary renaming.)
MUST use envelope, hostname and sequence-number (and event-time) (Decided 21 Feb 25)
Don't mandate configured or dynamic subscriptions, allow implementations to implement one or both of them. (Decided 21 Feb 25)
Dynamic susbcriptions to require the encoding to be specified. (Decided 21 Feb 25)
DSCP settings are only specified under the receiver (for configured subscriptions) (Decided 21 Feb 25)