RFC 6241 - NETCONF Configuration Protocol
Abstract
The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized on top of a simple Remote Procedure Call (RPC) layer.
1. Introduction
The NETCONF protocol defines a simple mechanism through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated. The protocol allows the device to expose a full, formal application programming interface (API). Applications can use this straightforward API to send and receive full and partial configuration data sets.
The NETCONF protocol uses a remote procedure call (RPC) paradigm. A client encodes an RPC in XML and sends it to a server using a secure, connection-oriented session. The server responds with a reply encoded in XML. The contents of both the request and the response are fully described in XML DTDs or XML schemas, or both, allowing both parties to recognize the syntax constraints imposed on the exchange.
1.1 Protocol Overview
NETCONF uses a simple RPC-based mechanism to facilitate communication between a client and a server. The client can be a script or application typically running as part of a network manager. The server is typically a network device. The terms "device" and "server" are used interchangeably in this document, as are "client" and "application".
A NETCONF session is the logical connection between a network administrator or network configuration application and a network device. A device MUST support at least one NETCONF session and SHOULD support multiple sessions. Global configuration attributes can be changed during any authorized session, and the effects are visible in all sessions. Session-specific attributes affect only the session in which they are changed.
2. Protocol Layers
NETCONF can be conceptually partitioned into four layers (RFC 6241, Figure 1):
+----------------------+
| Content Layer        | <-- configuration data, notification data
+----------------------+
| Operations Layer     | <-- <get-config>, <edit-config>, ...
+----------------------+
| Messages Layer       | <-- <rpc>, <rpc-reply>, <notification>
+----------------------+
| Secure Transport     | <-- SSH, TLS, BEEP/TLS, SOAP/HTTP/TLS, ...
+----------------------+
Note the split: <rpc> and <rpc-reply> are message framing, the operations (<get>, <edit-config>, ...) are their payload, and an <rpc-error> is carried inside an <rpc-reply>. The <hello> exchange of section 4 (with its <capabilities> and <session-id>) happens once at session start, before any <rpc>.
2.1 Content Layer
The content layer consists of the configuration data being manipulated by NETCONF operations. The data is XML-encoded and can be in any XML namespace. The data can be further structured using XML Schema, a DTD or (in practice) a YANG data model.
2.2 Operations Layer
The operations layer defines a set of base protocol operations to retrieve and edit the configuration data. The base protocol includes the operations get, get-config, edit-config, copy-config, delete-config, lock, unlock, close-session, and kill-session. Capabilities (section 4) add further operations such as commit, discard-changes and validate.
2.3 Messages Layer
The messages layer provides a simple, transport-independent framing mechanism for encoding RPCs and notifications. Every <rpc> carries a message-id attribute that the server copies into the matching <rpc-reply>, which is how a client correlates replies with requests.
2.4 Secure Transport Layer
The secure transport layer provides a secure, connection-oriented session between the client and server. NETCONF defines no security mechanisms of its own and relies entirely on this layer. Every implementation MUST support the SSH mapping of RFC 6242 (IANA port 830, service name netconf-ssh); TLS (RFC 7589) is an optional alternative.
3. Core Operations
3.1 The get Operation
The <get> operation retrieves running configuration and device state information. It takes no <source> element: it always reads the running datastore together with operational state, optionally narrowed by a <filter>.
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get>
    <filter type="subtree">
      <top xmlns="http://example.com/schema/1.2/config">
        <users/>
      </top>
    </filter>
  </get>
</rpc>
3.2 The get-config Operation
The <get-config> operation retrieves all or part of a specified configuration datastore (<running>, or <candidate> and <startup> when the corresponding capability is advertised). Unlike <get>, it returns configuration only, never state data.
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-config>
    <source>
      <running/>
    </source>
    <filter type="subtree">
      <top xmlns="http://example.com/schema/1.2/config">
        <users/>
      </top>
    </filter>
  </get-config>
</rpc>
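The subtree filters used by <get> and <get-config> above are evaluated by the server as described in RFC 6241 section 6. The following is an added example, not code from the original page or from any NETCONF server: a small evaluator in Python run against a constructed data tree (the <top>/<users> shape of the RFC's own examples; the user records are made up). It implements selection nodes (6.2.3), containment nodes (6.2.4), content match nodes (6.2.5), attribute match expressions (6.2.2) and namespace wildcarding (6.2.1); overlapping sibling filters that select the same element return it twice rather than merging the subtrees.

```python
"""Subtree filter evaluation (RFC 6241 section 6). Added example; not from
the page or any NETCONF implementation. DATA and the filters are constructed."""
import copy
import xml.etree.ElementTree as ET

EX = "{http://example.com/schema/1.2/config}"

# Constructed sample datastore in the shape of RFC 6241's <top>/<users> examples.
DATA = """<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <top xmlns="http://example.com/schema/1.2/config">
    <users>
      <user><name>root</name><type>superuser</type>
            <full-name>Charlie Root</full-name>
            <company-info><dept>1</dept><id>1</id></company-info></user>
      <user><name>fred</name><type>admin</type>
            <full-name>Fred Flintstone</full-name>
            <company-info><dept>2</dept><id>2</id></company-info></user>
      <user><name>barney</name><type>admin</type>
            <full-name>Barney Rubble</full-name>
            <company-info><dept>2</dept><id>3</id></company-info></user>
    </users>
  </top>
</data>"""

# The page's 3.2 filter: a single selection node returns the whole <users> subtree.
FILTER_ALL_USERS = """<filter type="subtree">
  <top xmlns="http://example.com/schema/1.2/config"><users/></top>
</filter>"""

# Content match plus a sibling selection node: name and company-info of fred only.
FILTER_FRED_COMPANY = """<filter type="subtree">
  <top xmlns="http://example.com/schema/1.2/config">
    <users><user><name>fred</name><company-info/></user></users>
  </top>
</filter>"""

def local_name(tag):
    return tag.rsplit("}", 1)[-1]

def names_match(filter_tag, data_tag):
    # 6.2.1: a filter element carrying no namespace matches any namespace.
    return filter_tag == data_tag or ("{" not in filter_tag and local_name(data_tag) == filter_tag)

def attrs_match(fnode, dnode):
    # 6.2.2: every attribute on the filter node must be present with the same value.
    return all(dnode.get(k) == v for k, v in fnode.attrib.items())

def text_of(node):
    return (node.text or "").strip()

def match(fnode, dnode):
    """Return the part of dnode selected by fnode, or None if fnode does not match."""
    if not names_match(fnode.tag, dnode.tag) or not attrs_match(fnode, dnode):
        return None
    children = list(fnode)
    if not children:
        if text_of(fnode):                       # content match node
            return copy.deepcopy(dnode) if text_of(dnode) == text_of(fnode) else None
        return copy.deepcopy(dnode)              # selection node: whole subtree
    # containment node: its content-match children constrain dnode's children
    content = [c for c in children if not list(c) and text_of(c)]
    others = [c for c in children if c not in content]
    matched = []
    for c in content:
        hit = next((d for d in dnode if match(c, d) is not None), None)
        if hit is None:
            return None                          # 6.2.5: every content match must hold
        matched.append(hit)
    if not others:
        return copy.deepcopy(dnode)              # only content matches: whole element
    out = ET.Element(dnode.tag, dict(dnode.attrib))
    out.extend([copy.deepcopy(m) for m in matched])
    selected = 0
    for f in others:
        for d in dnode:
            r = match(f, d)
            if r is not None:
                out.append(r)
                selected += 1
    return out if selected else None             # nothing beneath it was selected

def apply_filter(filter_xml, data_xml):
    """Evaluate each top-level filter element against <data>; return the result <data>."""
    fnode, data = ET.fromstring(filter_xml), ET.fromstring(data_xml)
    result = ET.Element(data.tag)
    for f in fnode:
        for d in data:
            r = match(f, d)
            if r is not None:
                result.append(r)
    return result

def selected_users(result):
    """Inspection helper: (name, child element names) for every <user> in a result."""
    return [(u.findtext(EX + "name"), [local_name(c.tag) for c in u])
            for u in result.iter(EX + "user")]

if __name__ == "__main__":
    print(ET.tostring(apply_filter(FILTER_FRED_COMPANY, DATA), encoding="unicode"))
```

Running the block prints only fred's <name> and <company-info>; swapping in FILTER_ALL_USERS returns all three users with every child, and a filter naming a user that does not exist yields an empty <data/>.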
3.3 The edit-config Operation
The <edit-config> operation loads all or part of a specified configuration to the specified target configuration datastore. An operation attribute (merge, replace, create, delete or remove) on elements inside <config> controls how each part is applied; elements without it follow the <default-operation>, which is merge unless stated otherwise.
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <top xmlns="http://example.com/schema/1.2/config">
        <users>
          <user>
            <name>admin</name>
            <type>administrator</type>
          </user>
        </users>
      </top>
    </config>
  </edit-config>
</rpc>
4. Capability Negotiation
NETCONF allows a client to discover the set of protocol extensions supported by a server. These "capabilities" permit the client to adjust its behavior to take advantage of the features exposed by the device.
4.1 Capability Identification
Capabilities are identified by a URI. A capability URI MUST be a unique identifier for a specific capability. The capabilities defined in RFC 6241 use the form urn:ietf:params:netconf:capability:<name>:<version> (for example :candidate:1.0, :validate:1.1, :startup:1.0, :url:1.0); supported YANG modules are advertised as their namespace URI with ?module= and &revision= query parameters.
4.2 Capability Exchange
Capabilities are exchanged during session establishment: each peer sends a <hello> message listing its capabilities. The server's <hello> also carries a <session-id>; a client's MUST NOT. Both sides MUST advertise at least one base capability (urn:ietf:params:netconf:base:1.0 or urn:ietf:params:netconf:base:1.1), and if they share none the session MUST be closed.
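The exchange in 4.2 as an added example written for this page (not part of RFC 6241's text or of any NETCONF library): both peers are simulated in Python, the server <hello> is a constructed sample, and the framing helper follows RFC 6242, which switches to chunked framing only after both peers have advertised :base:1.1.

```python
"""<hello> exchange and capability negotiation (RFC 6241 8.1). Added example;
the server <hello> and the client capability set are constructed, not captured."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_10 = "urn:ietf:params:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"

# Capabilities the client side of this example advertises (constructed).
CLIENT_CAPS = {BASE_10, BASE_11}

# Constructed server <hello>. The module capability contains '&', which
# must appear as &amp; in XML; this is why hellos are built with a
# serialiser below rather than by string concatenation.
SERVER_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&amp;revision=2014-05-08</capability>
  </capabilities>
  <session-id>4</session-id>
</hello>"""

def build_hello(capabilities, session_id=None):
    """Serialise a <hello>. Only a server includes <session-id>; a client
    <hello> MUST NOT carry one (RFC 6241 8.1)."""
    hello = ET.Element(f"{{{NS}}}hello")
    caps = ET.SubElement(hello, f"{{{NS}}}capabilities")
    for uri in sorted(capabilities):
        ET.SubElement(caps, f"{{{NS}}}capability").text = uri
    if session_id is not None:
        ET.SubElement(hello, f"{{{NS}}}session-id").text = str(session_id)
    return ET.tostring(hello, encoding="unicode", default_namespace=NS)

def parse_hello(xml_text):
    """Return (set of capability URIs, session-id or None) from a <hello>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}hello":
        raise ValueError(f"expected <hello>, got {root.tag}")
    caps = {c.text.strip() for c in root.iter(f"{{{NS}}}capability") if c.text}
    sid = root.findtext(f"{{{NS}}}session-id")
    return caps, (None if sid is None else int(sid))

def negotiate(client_caps, server_hello_xml):
    """Client side: pick the protocol version from the server's <hello>.
    With no shared base version the peer MUST NOT continue the session,
    so that case raises instead of guessing."""
    server_caps, session_id = parse_hello(server_hello_xml)
    if session_id is None:
        raise ValueError("server <hello> must carry <session-id>")
    if BASE_11 in client_caps and BASE_11 in server_caps:
        base = "1.1"
    elif BASE_10 in client_caps and BASE_10 in server_caps:
        base = "1.0"
    else:
        raise ValueError("no common base capability; close the session")
    return {"base": base, "session_id": session_id,
            "common": client_caps & server_caps}

def frame_message(xml_text, base):
    """Wire framing per RFC 6242. The <hello> itself always uses the 1.0
    end-of-message marker because the version is not known yet; after a
    :base:1.1 negotiation every later message uses chunked framing, whose
    chunk size counts octets, not characters."""
    if base == "1.1":
        size = len(xml_text.encode("utf-8"))
        return f"\n#{size}\n{xml_text}\n##\n"
    return xml_text + "]]>]]>"

if __name__ == "__main__":
    print(frame_message(build_hello(CLIENT_CAPS), "1.0"))
    session = negotiate(CLIENT_CAPS, SERVER_HELLO)
    print(session["base"], session["session_id"], sorted(session["common"]))
```

A client that only advertises :base:1.0 against the same server negotiates 1.0 and keeps the ]]>]]> marker for the rest of the session; a server that advertises no base capability at all causes negotiate() to raise, which is the point at which a real client closes the transport.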
5. Error Handling
The NETCONF protocol uses a simple error reporting mechanism. If a request cannot be completed, the server returns an <rpc-reply> that contains one or more <rpc-error> elements in place of <ok/> or the requested data (RFC 6241 section 4.3); <rpc-error> is not a separate reply type, and a single reply may report several errors.
5.1 Error Types and Fields
Each <rpc-error> carries:
- <error-type>: the layer in which the error occurred, one of transport, rpc, protocol, application
- <error-tag>: the error name from the fixed list in RFC 6241 Appendix A, for example in-use, lock-denied, missing-attribute, unknown-element, unknown-namespace, access-denied, operation-not-supported, operation-failed
- <error-severity>: error or warning
- <error-path> (optional): an XPath expression pointing at the offending element
- <error-message> (optional): human-readable text carrying an xml:lang attribute
- <error-info> (optional): protocol- or data-model-specific detail, such as <bad-element> for an unknown element or the holding <session-id> for lock-denied
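Checking a reply on the client side, as an added example (not from the original page): the three replies are constructed samples, the missing-attribute one modelled on the error in RFC 6241 section 4.3 and the lock-denied one on section 7.5. The standard-library parser is used so the block runs without extra packages; in production, parse replies with a hardened parser such as defusedxml, because the server end of a management session is not automatically trusted.

```python
"""Parsing <rpc-reply> and <rpc-error> (RFC 6241 4.2, 4.3). Added example;
the replies are constructed samples, not captured from a device."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

def q(name):
    return f"{{{NS}}}{name}"

# Constructed: successful reply to a request sent with message-id 101.
REPLY_OK = """<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>"""

# Constructed: reply to an <rpc> sent without a message-id. The server cannot
# echo an attribute it never received, so the reply carries none either.
REPLY_ERROR = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>rpc</error-type>
    <error-tag>missing-attribute</error-tag>
    <error-severity>error</error-severity>
    <error-info>
      <bad-attribute>message-id</bad-attribute>
      <bad-element>rpc</bad-element>
    </error-info>
  </rpc-error>
</rpc-reply>"""

# Constructed: <lock> refused because another session holds the lock;
# <error-info> then identifies that session (RFC 6241 7.5).
REPLY_LOCK_DENIED = """<rpc-reply message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>lock-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message xml:lang="en">Lock failed, lock is already held</error-message>
    <error-info><session-id>454</session-id></error-info>
  </rpc-error>
</rpc-reply>"""

class NetconfRpcError(Exception):
    """Raised by check_reply(); carries the parsed <rpc-error> list."""
    def __init__(self, errors):
        super().__init__("; ".join(f"{e['type']}/{e['tag']}" for e in errors))
        self.errors = errors

def parse_rpc_reply(xml_text, expected_message_id=None):
    """Return {'message_id', 'ok', 'data', 'errors'} for one <rpc-reply>.
    'ok' is False if any <rpc-error> has severity 'error'. A message-id
    that does not match the request is a protocol violation and raises."""
    root = ET.fromstring(xml_text)
    if root.tag != q("rpc-reply"):
        raise ValueError(f"expected <rpc-reply>, got {root.tag}")
    message_id = root.get("message-id")
    if expected_message_id is not None and message_id != str(expected_message_id):
        raise ValueError(f"message-id mismatch: sent {expected_message_id}, got {message_id}")
    errors = []
    for err in root.findall(q("rpc-error")):
        entry = {field: err.findtext(q("error-" + field))
                 for field in ("type", "tag", "severity", "path", "message")}
        # Flatten <error-info> children by local name, e.g. bad-element, session-id.
        entry["info"] = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip()
                         for block in err.findall(q("error-info")) for child in block}
        errors.append(entry)
    fatal = any(e["severity"] == "error" for e in errors)
    return {"message_id": message_id, "ok": not fatal,
            "data": root.find(q("data")), "errors": errors}

def check_reply(xml_text, expected_message_id=None):
    """Parse, and raise NetconfRpcError on failure; returns the parsed reply."""
    reply = parse_rpc_reply(xml_text, expected_message_id)
    if not reply["ok"]:
        raise NetconfRpcError(reply["errors"])
    return reply

if __name__ == "__main__":
    print(check_reply(REPLY_OK, 101)["ok"])
    try:
        check_reply(REPLY_LOCK_DENIED, 102)
    except NetconfRpcError as e:
        print(e, e.errors[0]["info"])
```

The message-id check matters more than it looks: a client that matches replies by arrival order alone will attribute a late error to the wrong request once it pipelines RPCs.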
6. Security Considerations
NETCONF is designed to be run over a secure transport, and RFC 6241 requires that transport to provide:
- Data integrity: messages cannot be modified in transit without detection
- Data confidentiality: messages cannot be read by an eavesdropper
- Authentication: of the server to the client as well as of the client to the server; a client that skips server verification (for example SSH without host key checking) loses this guarantee for everything that follows
- Replay protection: a captured message cannot be resubmitted later
Authorization is outside the scope of RFC 6241: configuration data is by nature sensitive, and the server must enforce its own access control over operations and data, for example with the NETCONF Access Control Model (NACM, RFC 8341).
7. Implementation Examples
7.1 Python Example (ncclient)
import xml.etree.ElementTree as ET
from ncclient import manager
from ncclient.operations import RPCError

# Connect over NETCONF-over-SSH (RFC 6242, port 830). hostkey_verify is left
# at its default of True so the server key is checked against known_hosts;
# hostkey_verify=False accepts any key and defeats the server authentication
# that section 6 requires of the transport.
with manager.connect(host='192.168.1.1', port=830, username='admin',
                     password='password', hostkey_verify=True) as m:
    # Retrieve the running configuration and parse the returned <data>
    reply = m.get_config(source='running')
    data = ET.fromstring(reply.data_xml)
    print(ET.tostring(data, encoding='unicode'))

    # Edit the configuration. The ianaift: prefix must be bound to its
    # namespace, otherwise the request is not well-formed XML and is rejected.
    config_xml = """
    <config>
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
                  xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
        <interface>
          <name>GigabitEthernet0/0/1</name>
          <type>ianaift:ethernetCsmacd</type>
          <enabled>true</enabled>
        </interface>
      </interfaces>
    </config>
    """
    try:
        result = m.edit_config(config=config_xml, target='running')
        print(result.ok)
    except RPCError as err:
        # ncclient raises RPCError for any <rpc-error> in the reply
        print(err.type, err.tag, err.severity, err.message)
7.2 Common Operation Examples
<!-- Retrieve all interfaces -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get>
    <filter type="subtree">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <interface/>
      </interfaces>
    </filter>
  </get>
</rpc>
<!-- Retrieve the configuration of one interface, selected by a content match on <name> -->
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-config>
    <source><running/></source>
    <filter type="subtree">
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <interface>
          <name>GigabitEthernet0/0/1</name>
        </interface>
      </interfaces>
    </filter>
  </get-config>
</rpc>
8. Best Practices
8.1 Configuration Management
- Use locks: <lock> the target datastore before editing (when editing <candidate>, lock <running> as well so no other session can commit in between) and <unlock> on every exit path; a lock left behind is released only when the owning session ends
- Validate first: if the server advertises :validate, run <validate> on the candidate before <commit>; <edit-config> with <test-option>test-then-set</test-option> gives the same check for a single request
- Make changes atomic: use the candidate datastore with <commit> and <discard-changes> on failure, or, when the server advertises :rollback-on-error, <error-option>rollback-on-error</error-option> in <edit-config>
- Back up: save the current configuration (<get-config>, or <copy-config> to a URL when :url is supported) before a change so it can be restored
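The lock, validate, atomic-change and error-check practices above combined into one workflow, as an added example that is not the page's own code and not ncclient's API: `send` is any callable that delivers one <rpc> and returns the <rpc-reply> text, so the same function runs against the constructed FakeDevice below or a real session. It assumes the server advertises the :candidate and :validate capabilities.

```python
"""Lock / edit-config / validate / commit / unlock with rollback on failure
(RFC 6241 7.5, 8.3, 8.6). Added example; FakeDevice is a constructed stand-in."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

def rpc(message_id, operation_xml):
    """Wrap an operation in <rpc>; the message-id lets the reply be correlated."""
    return f'<rpc message-id="{message_id}" xmlns="{NS}">{operation_xml}</rpc>'

def lock(target):
    return f"<lock><target><{target}/></target></lock>"

def unlock(target):
    return f"<unlock><target><{target}/></target></unlock>"

def reply_errors(reply_xml, expected_id):
    """<error-tag> values from a reply; a wrong message-id counts as an error too."""
    root = ET.fromstring(reply_xml)
    errors = [e.findtext(f"{{{NS}}}error-tag") for e in root.iter(f"{{{NS}}}rpc-error")]
    if root.get("message-id") != str(expected_id):
        errors.append("message-id-mismatch")
    return errors

def apply_candidate(send, config_body, first_id=100):
    """Apply config_body (the content of <config>) through the candidate
    datastore. Returns (committed, trace); trace lists (step, error-tags).

    Both candidate and running are locked so no other session can modify
    running or commit in between. Every exit path releases the locks, and a
    failed edit, validate or commit is followed by <discard-changes> so the
    candidate does not keep a half-applied change for the next session."""
    mid = first_id
    trace = []

    def call(step, operation_xml):
        nonlocal mid
        mid += 1
        errors = reply_errors(send(rpc(mid, operation_xml)), mid)
        trace.append((step, errors))
        return not errors

    if not call("lock:candidate", lock("candidate")):
        return False, trace            # e.g. lock-denied: another session holds it
    if not call("lock:running", lock("running")):
        call("unlock:candidate", unlock("candidate"))
        return False, trace
    committed = (
        call("edit-config", "<edit-config><target><candidate/></target>"
                            f"<config>{config_body}</config></edit-config>")
        and call("validate", "<validate><source><candidate/></source></validate>")
        and call("commit", "<commit/>")
    )
    if not committed:
        call("discard-changes", "<discard-changes/>")
    call("unlock:running", unlock("running"))
    call("unlock:candidate", unlock("candidate"))
    return committed, trace

class FakeDevice:
    """Constructed stand-in for a NETCONF server, not a real implementation:
    answers <ok/> to everything except the operations named in `fail`."""
    def __init__(self, fail=()):
        self.fail = set(fail)
        self.received = []         # operation names in arrival order

    def send(self, rpc_xml):
        root = ET.fromstring(rpc_xml)
        operation = root[0].tag.rsplit("}", 1)[-1]
        self.received.append(operation)
        if operation in self.fail:
            body = ("<rpc-error><error-type>application</error-type>"
                    "<error-tag>operation-failed</error-tag>"
                    "<error-severity>error</error-severity></rpc-error>")
        else:
            body = "<ok/>"
        return f'<rpc-reply message-id="{root.get("message-id")}" xmlns="{NS}">{body}</rpc-reply>'

# Constructed change: enable one interface (ietf-interfaces namespace).
INTERFACE = ('<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">'
             '<interface><name>GigabitEthernet0/0/1</name><enabled>true</enabled>'
             '</interface></interfaces>')

if __name__ == "__main__":
    device = FakeDevice(fail={"edit-config"})
    committed, trace = apply_candidate(device.send, INTERFACE)
    print(committed, trace)        # the edit fails; discard and both unlocks still run
```

The trace is what an operator wants in the log: which step failed, with which error tags, and proof that the cleanup steps actually ran before the session gave up.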
8.2 Error Handling
- Check for errors: an <rpc-reply> can carry one or more <rpc-error> elements; treat any with <error-severity>error</error-severity> as failure and match replies to requests by message-id, not by arrival order
- Retry carefully: retry only operations that are safe to repeat (a <lock> that returned lock-denied, a <get>); do not blindly resend an <edit-config> whose outcome is unknown
- Log everything: record session-id, message-id, operation and the full <rpc-error> fields of every failure
- Handle timeouts: set a transport timeout, and never leave a datastore locked while waiting for a reply that may not come
9. References
This page is based on the RFC 6241 standard; please open an Issue or Pull Request for corrections.