NETCONF and RESTCONF Private Candidate Datastores

Private candidates solution To resolve the concurrency and locking issues described in without sacrificing the benefits of a candidate datastore, this document introduces the concept of a private candidate: a session-specific datastore that isolates changes until they are ready to be committed. NETCONF sessions and RESTCONF clients are able to utilize private candidates to streamline network operations, particularly for machine-to-machine communication. Using this approach, clients may improve their performance and reduce the likelihood of blocking other clients from continuing with valid operational activities. One or more private candidates may exist at any one time, however, a private candidate SHOULD:

Be accessible by one client only
Be visible by one client only

Additionally, the choice of using a shared candidate configuration datastore or a private candidate configuration datastore MUST be for the entire duration of the NETCONF session.

What is a private candidate A private candidate is defined in the definitions and terminology section of this document.

When is a private candidate created A private candidate datastore is created when the first RPC that requires access to it is sent to the server. This could be, for example, an <edit-config>. When the private candidate is created a copy of the running configuration is made and stored in it. This can be considered the same as creating a branch in a source code repository. +----------------------------> private candidate / / +------+-------------------------------> running configuration ^ Private candidate created

When is a private candidate destroyed A private candidate is valid for the duration of the NETCONF session, or the duration of the RESTCONF request. Issuing a <commit> operation will not close the private candidate but will issue an implicit <update> operation resyncing changes from the running configuration. More details on this later in this document. A NETCONF session that is operating using a private candidate will discard all uncommitted changes in that session's private candidate and destroy the private candidate if the session is closed through a deliberate user action or disconnected for any other reason (such as a loss of network connectivity).

When is a private candidate updated An <update> operation performed on a private candidate triggers a rebase of the private candidate configuration datastore against the running configuration datastore. This rebase is conceptually described as replacing the candidate configuration datastore with the current running configuration datastore at that point in time and replaying the configuration changes from the candidate configuration datastore against it, identifying any conflicts as this process progresses. A server may choose to automatically issue an update when any client updates the running configuration datastore. Triggering an update in this manner must be specifically chosen and signalled by a server using an optional parameter to the :private-candidate NETCONF capability (see ). A <commit> operation always issues an implicit <update>, therefore it is not necessary for a client to perform an <update> before a <commit>. The implicit <update> will fail if conflicts are found. More details on the <update> operation are provided later in this document.

How to signal the use of private candidates

Server The server MUST signal its support for private candidates. The server does this by advertising a new :private-candidate capability: urn:ietf:params:netconf:capability:private-candidate:1.0 As support for the shared candidate configuration datastore is a pre-requisite for the private candidate functionlity, a server MUST also advertise the :candidate capability as defined in . If a server chooses to execute an update operation automatically when any client (not just the local client) performs an update to the running configuration datastore it must advertise this behaviour using the following optional parameter to the capability: trigger=all-updates.

NETCONF client In order to utilise a private candidate configuration within a NETCONF session, the client must inform the server that it wishes to do this. When a NETCONF client connects with a server it sends a list of client capabilities including one of the :base NETCONF version capabilties. In order to enable private candidate mode for the duration of the NETCONF client session the NETCONF client sends the following capability: urn:ietf:params:netconf:capability:private-candidate:1.0 In order for the use of private candidates to be established using this approach both the NETCONF server and the NETCONF client MUST advertise this capability. If a client sends the capability and the server does not support private candidates, the server MUST choose one of the following options:

Ignore the capability and continue with the session without the use of private candidates (this ensures backwards compatibility with older servers).
Close the session as the requested functionality cannot be provided. New clients and servers implementing private candidate support should use this option.

When a server receives the client capability its mode of operation will be set to private candidate mode for the duration of the NETCONF session. All RPC requests that target or impact the shared candidate configuration datastore will implicitly target or impact the session's private candidate configuration datastore instead, and operate in exactly the same way. Using this method, the use of private candidates can be made available to NMDA and non-NMDA capable servers.

RESTCONF client RESTCONF does not provide a mechanism for the client to advertise a capability. Therefore when a RESTCONF server advertises the :private-candidate capability, all client requests will use a private candidate when the client references the "{+restconf}/data" resource described in . All edits are made to the client's private candidate, and the private candidate is automatically committed. This ensures backwards compatibility with RESTCONF clients that are not aware of private candidates, because those clients will expect their changes to be committed immediately.

Interaction between running and private-candidate(s) Multiple operations may be performed on the private candidate in order to stage changes ready for a commit. In the simplest example, a session may create a private candidate configuration, perform multiple operations (such as <edit-config>) on it and then perform a <commit> operation to merge the private candidate configuration into the running configuration in line with semantics in . commit +--------------------------+--------> private candidate / ^ ^ \ / edit-config edit-config ⌄ +---+-------------------------------+------> running configuration ^ edit-config (Private candidate created) More complex scenarios need to be considered, when multiple private candidate sessions are working on their own configuration (branches) and they make commits into the running configuration. commit +---------------------+----------------> private candidate 1 / \ / edit-config ⌄ +---+------------+-------------+--------------> running configuration edit-config \ \ +-------------------------> private candidate 2 In this situation, if, how and when private candidate 2 is updated with the information that the running configuration has changed must be considered. As described earlier, the client MUST be aware of changes to its private candidate configuration that are different from the running configuration datastore so it can be assured that it is only committing its own modifications. It is possible, during an update, for conflicts to occur and the detection and resolution of these is discussed later in this document. A good way to understand the interaction between candidates is to consider them as branches such as you might find in a source code management system. Each private candidate is treated as a separate branch and changes made to the running configuration are not placed into a private candidate datastore except in one of the following situations:

The client requests that the private candidate be refreshed using a new <update> operation
<commit> is issued from the private candidate (which MUST automatically issue an <update> operation for that private candidate immediately prior to committing the configuration)
An implementation chooses to perform an <update> operation after a change to the running configuration by any other client.

It is possible for a private candidate configuration to become significantly out of sync with the running configuration should the private candidate be open for a long time, however, most NETCONF configuration activities (between the first <edit-config>/<edit-data> and a <commit>) are short-lived. To provide visibility into the differences between the private candidate configuration datastore a <compare> operation MAY be performed against:

The initial creation point of the private candidate's branch
Against the last update point of the private candidate's branch
Against the running configuration

An implementation may choose, optionally, to automatically perform an <update> operation on each private candidate configuration datastore after a change to the running configuration from another client. In this situation, the client will be unaware of these changes to its private candidate configuration datastore, and issuing a manual <update> operation will be a no-op.

Detecting and resolving conflicts

What is a conflict? A conflict is when the intent of the client may have been different had it had a different starting point. In configuration terms, a conflict occurs when the same set of nodes in a configuration being altered by one user are changed between the start of the configuration preparation (the first <edit-config>/<edit-data> operation) and the conclusion of this configuration activity (terminated by a <commit> operation). The situation where conflicts have the potential of occurring are when multiple configuration sessions are in progress and one session commits changes into the running configuration after the private candidate (branch) was created. When this happens a conflict occurs for each node modified in the running configuration that is also modified in the private candidate configuration. A node is considered modified if:

There is a change of any value
There is a change of existence (or otherwise) of any list entry
There is a change to the order of any list items in a list configured as "ordered-by user"
There is a change of existence (or otherwise) of a presence container
There is a change of any component member of a leaf-list
There is a change to the order of any items in a leaf-list configured as "ordered-by user"
There is a change of existence (or otherwise) of a leaf
There is a change to any YANG metadata associated with the node

A server MAY choose to add extra checks in addition to the list above. If a server implements the transaction ID feature then this MAY be considered as part of detecting a conflict. Examples of conflicts include:

An interface has been deleted in the running configuration that existed when the private candidate was created. A change to a child node of this specific interface is made in the private candidate using the default merge operation would, instead of changing the child node, both recreate the interface and then set the child node.
A leaf has been modified in the running configuration from the value that it had when the private candidate was created. The private candidate configuration changes that leaf to another value.

Detecting and reporting conflicts A conflict can occur when an <update> operation is triggered. This can occur in a number of ways:

Manually triggered by the <update> NETCONF operation
Automatically triggered by the server running an <update> operation, such as when a <commit> operation is performed by the client in the private candidate session.

When a conflict is identified that node is internally marked by the server as "in conflict" in the private candidate. This "in conflict" status does not propagate back up the tree to the parent node(s). Each node in the ancestral tree is evaluated as in conflict or otherwise on its own merits. The "in conflict" marker remains until the conflict is resolved on that node. The mechanism by which a server marks a node as "in conflict" is outside the scope of this draft. When a conflict occurs:

The client MUST be given the opportunity to re-evaluate its intent based on the new information. The resolution of the conflict may be manual or automatic depending on the server and client decision (discussed later in this document).
A <commit> operation (that MUST trigger an automatic <update> operation immediately before) MUST fail irrespective of any system-wide default resolution-mode. It MUST inform the client of the conflict and SHOULD detail the location of the conflict(s).
An <update> operation triggered by a client (excluding updates triggered by the <commit> operation) MUST fail unless the server has explicitly configured a system-wide resolution-mode of prefer-candidate or prefer-running (discussed later in this document).

The location of the conflict(s) should be reported as a list of xpaths and values. Note: If a server implementation has chosen to automatically issue an <update> operation every time a change is made to the running configuration, the server will use the system-wide system resolution mode. If this resolution mode is prefer-candidate or prefer-running the conflicts will be resolved using those rules. If the resolution mode is set to revert-on-conflict the semantics are the same as the prefer-candidate method, however, all changes, whether in conflict or otherwise will be marked in the private candidate as "in-conflict". This means that any subsequent <commit> will fail until the client makes a conscious choice to resolve them.

Conflict resolution Conflict resolution defines which configuration elements are retained when a conflict is resolved; those from the running configuration or those from the private candidate configuration. When a conflict is detected in any client-triggered activity, the client MUST be informed. The client then has a number of options available to resolve the conflict:

Edit the candidate configuration nodes marked as "in conflict". When a node marked as "in conflict" is subsequently edited the "in conflict" marker on that node is removed.
Issue an <update> operation with a specific resolution-mode.

The <update> operation uses the resolution-mode specified in the request, or the system resolution mode in specific circumstances, to resolve the conflicts. The <update> operation is discussed later in this document. The following configuration data is used below to illustrate the behaviour of each resolution method: <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to London<description> </interface> <interface> <name>intf_two</name> <description>Link to Tokyo<description> </interface> </interfaces> </configure> The example workflow is shown in this diagram and is used for the purpose of the examples below. In these examples the reader should assume that the <update> operation is manually provided by a client working in private candidate 1. The update operation triggered by a system upon commit is not shown. update commit +--------------------+---+------> private candidate 1 / ^ \ / edit-config / ⌄ +---+--------+--------+---+-------+----> running configuration edit-config \ ^ \ / +---+------------------> private candidate 2 commit There are three defined resolution methods:

Prefer-candidate Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in . When using the prefer-candidate resolution method, items in the running configuration that are not in conflict with the private candidate configuration are merged from the running configuration into the private candidate configuration. Nodes that are in conflict are ignored and not merged. The outcome of this is that the private candidate configuration reflects changes in the running that were not being worked on and those that are being worked on in the private candidate remain in the private candidate. Issuing a <commit> operation at this point will overwrite the running configuration with the conflicted items from the private candidate configuration. Example: Session 1 edits the configuration by submitting the following <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to San Francisco<description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name operation="delete">intf_one</name> </interface> <interface> <name>intf_two</name> <description>Link moved to Paris</description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 1 then sends an <update> NETCONF operation. <rpc message-id="update" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <update> <resolution-mode>prefer-candidate</resolution-mode> </update> </rpc> The un-conflicting changes are merged and the conflicting ones are ignored (and not merged from the running into private candidate 1). The resulting data in private candidate 1 is: <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to San Francisco<description> </interface> <interface> <name>intf_two</name> <description>Link moved to Paris<description> </interface> </interfaces> </configure>

Prefer-running Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in . When using the prefer-running resolution method, items in the running configuration that are not in conflict with the private candidate configuration are merged from the running configuration into the private candidate configuration. Nodes that are in conflict are pushed from the running configuration into the private candidate configuration, overwriting any previous changes in the private candidate configuration. The outcome of this is that the private candidate configuration reflects the changes in the running configuration that were not being worked on as well as changing those being worked on in the private candidate to new values. Example: Session 1 edits the configuration by submitting the following <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to San Francisco<description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name operation="delete">intf_one</name> </interface> <interface> <name>intf_two</name> <description>Link moved to Paris</description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 1 then sends an <update> NETCONF operation. <rpc message-id="update" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <update> <resolution-mode>prefer-running</resolution-mode> </update> </rpc> The un-conflicting changes are merged and the conflicting ones are pushed into the private candidate 1 overwriting the existing changes. The resulting data in private candidate 1 is: <configure> <interfaces> <interface> <name>intf_two</name> <description>Link moved to Paris<description> </interface> </interfaces> </configure>

Revert-on-conflict Reminder: The starting configuration and workflow used to illustrate this resolution method is detailed in . When using the revert-on-conflict resolution method, an update will fail to complete when any conflicting node is found. The session issuing the update will be informed of the failure. No changes, whether conflicting or un-conflicting are merged into the private candidate configuration. The owner of the private candidate session must then take deliberate and specific action to adjust the private candidate configuration to rectify the conflict. This may be by issuing further <edit-config> or <edit-data> operations, by issuing a <discard-changes> operation or by issuing an <update> operation with a different resolution method. This resolution method MUST be the default resolution method as it provides for the highest level of visibility and control to ensure operational stability. This resolution method MUST be supported by a server. Example: Session 1 edits the configuration by submitting the following: <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to San Francisco<description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 2 then edits the configuration deleting the interface intf_one, updating the description on interface intf_two and commits the configuration to the running configuration datastore. <rpc message-id="config" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <edit-config> <target><candidate/><target> <config> <configure> <interfaces> <interface> <name operation="delete">intf_one</name> </interface> <interface> <name>intf_two</name> <description>Link moved to Paris</description> </interface> </interfaces> </configure> </config> </edit-config> </rpc> Session 1 then sends an <update> NETCONF operation. <rpc message-id="update" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <update> <resolution-mode>revert-on-conflict</resolution-mode> </update> </rpc> A conflict is detected, the update fails with an <rpc-error> and no merges/overwrite operations happen. The resulting data in private candidate 1 is: <configure> <interfaces> <interface> <name>intf_one</name> <description>Link to San Francisco<description> </interface> <interface> <name>intf_two</name> <description>Link to Tokyo<description> </interface> </interfaces> </configure>

System resolution mode and advertisement of this mode The system resolution mode is revert-on-conflict. However, a system MAY choose to select a different system resolution mode. The system resolution mode only takes effect if a server implementation performs an automatic update to all private candidate configurations following a commit to running. The system resolution mode MUST be advertised in the :private-candidate capability by adding the default-resolution-mode parameter if the system default is anything other than revert-on-conflict. If the system default resolution mode is revert-on-conflict then advertising this in the :private-candidate capability is optional. In this example, a server has configured a default system-wide resolution mode of prefer-running which MUST be signalled with the :private-candidate capability as follows: urn:ietf:params:netconf:capability:private-candidate:1.0 ?default-resolution-mode=prefer-running

Supported resolution modes A server SHOULD support all three resolution modes. However, if the server does not support all three modes, the server MUST report the supported modes in the :private-candidate capability using the supported-resolution-modes, for example: urn:ietf:params:netconf:capability:private-candidate:1.0 ?supported-resolution-modes=revert-on-conflict,prefer-candidate

NETCONF operations

New NETCONF operations

<update> The <update> operation triggers a rebase of the private candidate configuration against the running configuration. This rebase is conceptually described as replacing the candidate configuration with the current running configuration at that point in time and replaying the configuration changes from the candidate against it, identifing any conflicts as this process progresses. The <update> operation may be triggered manually by the client or automatically by the server. The <update> operation is atomic. This means that the entire <update> operation succeeeds or the entire <update> operation MUST fail. The <update> operation MUST be implicitly triggered by a specific NETCONF session issuing a <commit> operation when using private candidates. This implicit <update> operation always has a resolution mode of revert-on-conflict. The actual order of operations in the server MUST be to issue the implicit <update> operation first and then the <commit> operation. A <commit> operation that fails the implicit <update> operation MUST fail. The client is then required to make a specific decision to rectify the issue prior to committing. This may be to edit the private candidate configuration or to issue a manual <update> operation with a specific resolution mode selected.

<resolution-mode> parameter The <update> operation takes the optional <resolution-mode> parameter The resolution modes are described earlier in this document and the accepted inputs are:

revert-on-conflict (default)
prefer-candidate
prefer-running

Updated NETCONF operations Specific NETCONF operations altered by this document are listed in this section.

<commit> The behaviour of the <commit> operation is updated such that processing a <commit> MUST follow a two step process in order to copy the proposed private configuration into the running configuration. These steps are:

An implicit update operation MUST be performed by the server using the resolution-mode revert-on-conflict (described earlier in this document).
On successful completion of step 1, the private candidate configuration is copied into the running configuration replacing the current contents.

Interactions with commit confirmed operations and private candidates Nothing in this document alters the behaviour of the <confirmed>, <persist> or <persist-id> parameters and these MUST work when using the a private candidate configuration if the :confirmed-commit capability is advertised. When a private candidate is committed using the <confirmed/> parameter and the commit operation disconnects the client's session, the configuration in the running configuration is immediately reverted and the proposed client changes are discarded. When a private candidate is committed using the <confirmed/> parameter and the commit operation does not disconnect the client's session, and subsequently, the commit operation is either cancelled using the <cancel-commit> operation or the timeout expires, the running configuration is reverted and the proposed client changes are returned to the client's private candidate. If a private candidate is committed using the <confirmed/> parameter and the <persist> parameter is provided, and the client subsequently disconnects its session for any reason whilst the timer is running, upon cancellation using the <cancel-commit> operation or on the expiry of the timer, the running configuration will be reverted, and the proposed client changes are discarded.

<get-config> Performing a <get-config> operation with the candidate configuration datastore as the source input parameter will instead act on the private candidate datastore, and return data from that datastore. If no private candidate configuration has been created, one will be created at this point.

<edit-config> Performing an <edit-config> operation with the candidate configuration datastore as the target, the changes will be placed into the private candidate configuration datastore. If no private candidate configuration has been created, one will be created at this point.

<copy-config> When performing a <copy-config> operation with the candidate configuration datastore as the source or target, the private candidate will be used. If no private candidate configuration has been created, one will be created at this point.

<get-data> Performing a <get-data> operation with the candidate configuration datastore as the datastore, the configuration from the private candidate will be returned. If no private candidate configuration has been created, one will be created at this point.

<edit-data> Performing an <edit-data> operation with the candidate configuration datastore as the datastore, the changes will be placed into the private candidate configuration datastore. If no private candidate configuration has been created, one will be created at this point.

<compare> Performing a <compare> operation with the candidate datastore, operating as a private candidate, as either the <source> or <target> is a valid operation. If <compare> is performed prior to a private candidate configuration being created, one will be created at that point. The <compare> operation is extended by this document to allow the ability to compare the private candidate (at its current point in time) with the same private candidate at an earlier point in time, or with another datastore.

<reference-point> parameter This document adds the optional <reference-point> node to the input of the <compare> operation that accepts the following values:

last-update
creation-point

Servers MAY support this functionality but are not required to by this document. The last-update selection of <reference-point> will provide an output comparing the current private candidate configuration with the same private candidate configuration at the time it was last updated using the <update> NETCONF operation described in this document (whether automatically or manually triggered). The creation-point selection of <reference-point> will provide an output comparing the current private candidate configuration datastore with the same private candidate configuration datastore at it was first created.

<lock> The behaviour of the <lock> operation is updated such that locking the candidate configuration datastore will lock that session's private candidate configuration datastore only.

<unlock> The behaviour of the <unlock> operation is updated such that unlocking the candidate configuration datastore will unlock that session's private candidate configuration datastore only.

<delete-config> The behaviour of the <delete-config> operation is updated such that deleting the private candidate will destroy the private candidate for that session. A new one will subsequently be created on first access as described in .

<discard-changes> The behaviour of the <discard-changes> operation is updated such that discarding the changes in a private candidate will reset it to the state it was when it was initially created, or to the state following the latest <update> operation, whichever is most recent. This state may not match the current running configuration. To align the private candidate with the running configuration the <update> or <delete-config> operations may be used.

<get> The <get> operation does not accept a datastore value and therefore this document is not applicable to this operation. The use of the get operation will not create a private candidate configuration.

<cancel-commit> The <cancel-commit> operation is unchanged. Any changes made to the running configuration are returned to the private candidate if it still exists. See for further details.