NETCONF
NETCONF, or the Network Configuration Protocol, is a standards-based protocol developed by the Internet Engineering Task Force (IETF) for managing the configuration of network devices, providing mechanisms to install, manipulate, and delete configurations as well as retrieve state information.[1] It utilizes XML-based data encoding for representing configuration and operational data, enabling a structured and extensible approach to network management.[1] Operations in NETCONF are implemented through a remote procedure call (RPC) paradigm, where clients send requests to servers on network devices, which process them serially and respond accordingly.[1]
The protocol was initially defined in RFC 4741, published in December 2006 by the IETF NETCONF Working Group, and later revised and obsoleted by RFC 6241 in June 2011 to incorporate updates such as improved session handling and pipelining support.[2][3] NETCONF addresses limitations of earlier protocols like SNMP by offering transactional semantics, configuration locking to prevent conflicts, and validation capabilities before applying changes.[1] It is transport-independent, allowing use over various secure session layers, with SSH specified as the mandatory transport in companion RFC 6242.[4]
Key features of NETCONF include the separation of configuration data (editable settings) from state data (runtime information), subtree filtering for efficient data retrieval, and a capability exchange mechanism that allows clients and servers to negotiate supported extensions, such as candidate configurations or confirmed commits.[1] These elements make NETCONF suitable for automating and standardizing network configuration across diverse devices from multiple vendors.[1]
Introduction
Definition and Scope
NETCONF, or Network Configuration Protocol, is an IETF-standardized protocol defined in RFC 6241 that enables the installation, manipulation, and deletion of configuration data on network devices.[1] It operates through XML-encoded remote procedure calls (RPCs) exchanged over secure transport protocols, such as SSH or TLS, to ensure reliable and protected communication between management entities.[1]
The protocol's scope is primarily confined to configuration management tasks, allowing for the editing and retrieval of configuration datastores as well as state information from operational datastores via operations such as <get>.[1] At its core, NETCONF employs a client-server architecture, where clients—typically management systems—initiate sessions with servers (network devices) to request or apply configuration changes via structured RPC exchanges.[1]
Unlike broader network management approaches that often rely on periodic polling for status updates, NETCONF emphasizes programmatic, on-demand configuration operations, providing a targeted mechanism for precise control over device settings.[1] While NETCONF defines the protocol structure using XML for data encoding, it relies on modeling languages like YANG to specify the semantics of the configuration data.[1]
Purpose and Advantages
The Network Configuration Protocol (NETCONF) primarily aims to enable the installation, manipulation, and deletion of configurations on network devices in a vendor-agnostic manner, allowing operators to manage diverse equipment from multiple vendors without proprietary tools. This addresses the fragmentation in traditional network management by providing a standardized interface that supports automation across large-scale networks, where manual interventions are impractical. Additionally, NETCONF incorporates transaction-like consistency through mechanisms such as locking, which prevents configuration conflicts by ensuring exclusive access during edits and supporting atomic commits with rollback options.[1]
Key advantages of NETCONF include its XML-based encoding for structured, hierarchical data representation, which facilitates machine-readable configurations and reduces parsing errors compared to unstructured command-line interface (CLI) scripting. Unlike CLI approaches, which lack standardization and are prone to human error in scripting, NETCONF offers extensibility through capability exchange, enabling devices to advertise supported features and allowing incremental enhancements without protocol redesign. It also supports partial retrieval of configuration and state data, improving efficiency over exhaustive polling methods. In comparison to Simple Network Management Protocol (SNMP), which excels in monitoring but lacks robust support for atomic configuration edits, NETCONF provides a programmatic RPC-based model that mirrors native device operations, lowering implementation costs and enhancing feature accessibility.[1]
NETCONF finds prominent use in software-defined networking (SDN) environments, where it serves as a management-plane southbound interface for configuring and maintaining operational resources on switches and controllers. In service provider networks, it enables bulk provisioning of services, such as deploying hundreds of instances across multiple devices in a single transaction, streamlining operations like VPN setups or NTP configurations while ensuring consistency and high performance. NETCONF integrates with YANG models for precise data validation during these processes.[5][6]
History
Origins and Motivation
The development of NETCONF was driven by the recognized shortcomings of existing network management protocols, particularly SNMP, in handling device configuration effectively. In the 2002 IAB Network Management Workshop, operators highlighted SNMP's inadequacies, such as its lack of support for atomic transactions across multiple devices, which made it difficult to ensure consistent configuration changes without errors or partial failures.[7] Additionally, SNMP's reliance on vendor-specific MIBs fragmented interoperability, as standardized writable MIBs were limited, forcing administrators to use proprietary extensions or command-line interfaces (CLIs) for complex configurations.[7] A key issue was SNMP's failure to clearly separate configuration data from operational state data, complicating tasks like configuration retrieval, validation, and rollback.[7]
These critiques, summarized in RFC 3535 published in May 2003, directly motivated the formation of the IETF NETCONF Working Group later that year.[7] The working group emerged from a BOF session at IETF 56 in March 2003, where consensus built around the need for a dedicated protocol to address configuration management gaps exposed by growing network complexity and automation demands.[8] Industry influences, including Juniper Networks' experiments with an XML-based API for Junos OS starting around 2000, demonstrated the potential of structured data encoding for programmatic configuration, inspiring broader standardization efforts.[9] The group's charter, approved in August 2003, emphasized creating a transport-independent protocol to enable secure, reliable network configuration.[10]
Early design goals focused on simplicity and interoperability to overcome SNMP's limitations. The protocol adopted a straightforward RPC-based model to facilitate client-server interactions for configuration tasks like editing and validation, avoiding the parsing challenges of text-based CLIs.[10] XML was selected as the encoding format for all data and messages, leveraging its hierarchical structure and widespread tooling to promote vendor-neutral interoperability.[10] A core principle was the explicit separation of configuration data (intended for modification) from operational data (read-only state information), enabling precise management operations without conflating persistent settings with runtime metrics.[7]
Key early contributors included IETF NETCONF Working Group members such as Andy Bierman from Cisco Systems and Phil Shafer from Juniper Networks, who co-led the design team and shaped the initial protocol drafts through their expertise in XML and network automation.[11]
Evolution and Milestones
The development of the Network Configuration Protocol (NETCONF) progressed through formal standardization efforts by the Internet Engineering Task Force (IETF), beginning with the publication of RFC 4741 in December 2006, which established the base protocol specification for NETCONF version 1.0. This document outlined the core mechanisms for configuration management over secure transport sessions, marking the protocol's initial standardization as a Proposed Standard.[3]
In June 2011, RFC 6241 was published, obsoleting RFC 4741 and defining NETCONF version 1.1, which provided clarifications and enhancements such as improved pipelining support, additional operations for confirmed commits (e.g., <cancel-commit>), and better session handling to improve configuration reliability.[1] This revision refined the protocol's foundational elements while maintaining backward compatibility, solidifying NETCONF's role in network automation. RFC 6243, also published in June 2011, defined the with-defaults capability to handle default values in configuration data consistently across implementations. Early extensions to the protocol followed, including RFC 5277 in July 2008, which defined mechanisms for event notifications to enable asynchronous delivery of system events to clients, and RFC 5717 in December 2009, which introduced partial lock RPCs to allow granular locking of configuration elements without requiring full session locks.[1][12][13]
Key milestones in 2012 further expanded NETCONF's capabilities, with RFC 6470 in February 2012 specifying base notifications for common system events like configuration changes, and RFC 6536 in March 2012 establishing the NETCONF access control model to enforce security policies on protocol operations.[14][15] These advancements addressed practical deployment needs, such as improved interoperability and security. Subsequent work beyond 2012 has continued through additional IETF specifications, including extensions for advanced data modeling and datastore architectures.[13][14][15]
Standards and Specifications
Core Protocol Standards
The core protocol standards for NETCONF are defined primarily in RFC 6241, published in June 2011, which specifies the Network Configuration Protocol (NETCONF) version 1.1 and obsoletes the earlier RFC 4741 for version 1.0.[1] This RFC outlines the foundational mechanisms for installing, manipulating, and deleting network device configurations using a remote procedure call (RPC) paradigm. All protocol messages are encoded in XML with UTF-8 character encoding and must conform to well-formed XML rules, utilizing the base namespace urn:ietf:params:xml:ns:netconf:base:1.0 for core elements.[16] Session establishment begins with an exchange of <hello> messages between client and server to negotiate capabilities, after which RPCs are transported over a secure session.[17] The RPC model employs <rpc> elements for client requests and <rpc-reply> elements for server responses, enabling operations such as <get-config>, <edit-config>, and <commit>.[18]
Error handling in NETCONF is standardized through the <rpc-error> element introduced in RFC 6241, which provides structured reporting of issues during RPC processing.[19] Errors are categorized by error-type attributes, including transport for connection-level failures, rpc for request-specific issues, protocol for session violations, and application for data-related problems.[19] RPC-level errors, such as invalid-value for malformed input parameters, are reported with an error-tag and optional error-severity (e.g., error or warning), along with error-info for additional context like suggested corrections.[20] Protocol-level errors, exemplified by transport disruptions, trigger session termination without further RPC processing.[19] This framework ensures robust diagnostics while maintaining session integrity.
For transport, RFC 6242, also from June 2011, defines the use of Secure Shell (SSH) as the mandatory secure transport for NETCONF, operating over TCP port 830.[4] NETCONF is invoked as an SSH subsystem named "netconf" following SSH authentication, leveraging SSH's encryption and integrity protection for confidentiality.[21] Other secure transports, such as Transport Layer Security (TLS) with mutual X.509 authentication defined in RFC 7589 (2015), are also supported to provide flexibility in deployment.[22] The protocol supports chunked message framing for NETCONF 1.1 (base:1.1 capability) or end-of-message delimiters (e.g., ]]>]]> ) for compatibility with version 1.0.[23]
NETCONF implementations must support base requirements, including the mandatory :base:1.1 capability, which supports core RPC operations, XML encoding, and the running configuration datastore. The candidate and startup configuration datastores are supported via optional capabilities :candidate and :startup, respectively. Operational state data is distinct from configuration datastores.[17] Session persistence is enforced, with locks on datastores (e.g., via <lock> operation) remaining active until explicitly released or the session ends, preventing concurrent modifications.[24] Servers advertise capabilities during the <hello> exchange, ensuring interoperability, while clients may include only the base capability if no extensions are needed.[25]
Modeling and Extension Standards
The YANG data modeling language, essential for representing configuration and state data in NETCONF, was first standardized in RFC 6020 in October 2010, which defined YANG version 1.0 as a language for modeling data manipulated by NETCONF. This specification was later obsoleted by RFC 7950 in August 2016, which introduced YANG version 1.1 with enhancements for improved clarity, backward compatibility, and support for notifications and remote procedure calls while maintaining the core focus on configuration and state data modeling.[26]
Related standards facilitate integration and organization of YANG models with legacy systems. RFC 6643, published in July 2012, specifies a method for translating Structure of Management Information version 2 (SMIv2) Management Information Base (MIB) modules into YANG modules, enabling read-only access to SNMP-defined data objects within NETCONF environments.[27] Additionally, RFC 8199 from July 2017 provides a framework for classifying YANG modules based on criteria such as standardization body, purpose, and structure, promoting consistent categorization and interoperability across diverse implementations.[28]
Extension standards augment NETCONF's capabilities through capability-based mechanisms, particularly for handling notifications and defaults. RFC 5277, issued in July 2008, defines an asynchronous notification delivery service using event streams and subscriptions, allowing clients to receive updates without polling.[29] Complementing this, RFC 6243 from June 2011 introduces the "with-defaults" capability, enabling clients to specify how NETCONF servers process default values in configuration data, such as explicit inclusion or implicit application, to ensure predictable behavior across implementations.[13] These extensions, developed up to 2012, focus on enhancing data handling without altering the core protocol.
The NETMOD Working Group (WG) of the IETF has played a pivotal role in standardizing YANG models for NETCONF since its formation in 2008 and the publication of initial RFCs in 2010, overseeing the development of consistent data models to promote interoperability among vendors and devices.[30] Through collaborative efforts, the WG ensures that YANG models adhere to guidelines for revision, validation, and integration, as seen in subsequent specifications. YANG models are typically encoded in XML for NETCONF transport, aligning with the protocol's XML-based structure.
Data Modeling
XML Encoding and Structure
NETCONF mandates the use of Extensible Markup Language (XML) as the encoding format for all protocol messages and configuration data, ensuring that content is well-formed and encoded in UTF-8. This choice enables the representation of complex, hierarchical network configurations in a structured, human-readable manner, with XML elements nesting to reflect the logical organization of devices and their settings.[1]
The XML structure in NETCONF revolves around a root element such as <config>, which encapsulates the entire configuration hierarchy, often qualified with XML namespaces to avoid conflicts and identify specific schema versions; for instance, the base NETCONF namespace is urn:ietf:params:xml:ns:netconf:base:1.0. Configuration datastores—conceptual repositories including the running (active) datastore, the optional candidate (writable workspace), and the optional startup (boot-loaded) datastore—are modeled as XML trees, allowing clients to retrieve, modify, or compare full or partial views of these trees. To support efficient partial retrieval, NETCONF employs filters: subtree filtering selects specific XML subtrees by matching element patterns, while XPath filtering (optional via the :xpath capability) uses XPath expressions for more precise node selection.[1]
While XML is the core encoding, JSON is supported as an optional alternative in related protocols like RESTCONF, which maps YANG-defined data to JSON structures for HTTP-based access.[31]
A representative example of XML structure appears in the <edit-config> operation payload, which targets a datastore and supplies configuration changes:
<edit-config>
<target>
<running/>
</target>
<config>
<top xmlns="http://example.com/schema/1.2/config">
<interfaces>
<interface>
<name>Ethernet0/0</name>
<mtu>1500</mtu>
</interface>
</interfaces>
</top>
</config>
</edit-config>
<edit-config>
<target>
<running/>
</target>
<config>
<top xmlns="http://example.com/schema/1.2/config">
<interfaces>
<interface>
<name>Ethernet0/0</name>
<mtu>1500</mtu>
</interface>
</interfaces>
</top>
</config>
</edit-config>
This illustrates the hierarchical nesting, with the <config> element containing device-specific sub-elements defined by vendor or standard schemas.[1]
YANG Modeling Language
YANG is a protocol-independent declarative modeling language designed to define data models for configuration data, state data, remote procedure calls (RPCs), and notifications used in network management protocols such as NETCONF.[26] It structures data hierarchically as a tree, where nodes represent either values or groupings of child nodes, enabling clear semantics for modeling network device configurations and operational state.[26] YANG models are organized into modules and submodules, with modules serving as the primary unit that declares a namespace and prefix for unique identification, while submodules allow modular extensions via import and include statements.[26]
Core constructs in YANG include containers, which group related nodes without holding values themselves; leafs, which are terminal nodes with simple typed values like strings or integers; and lists, which represent ordered or unordered collections of entries identified by unique keys.[26] Augmentations extend existing data models by adding new nodes to specified paths, often conditionally using the "when" statement to enforce presence based on XPath expressions, while deviations allow implementations to declare non-support or modifications to parts of a base module.[26] Data types are supported through built-in primitives such as int32, uint64, string, and binary, with the ability to derive custom types via typedef statements that include constraints like ranges, patterns, or lengths.[26] Constraints are enforced using "must" statements for value validations via XPath and "when" for conditional applicability, ensuring model integrity.[26] RPCs are defined at the top level or as actions within data nodes, specifying input and output parameters to model operations, and tree diagrams provide a visual representation of the schema hierarchy for better comprehension.[26]
In the context of NETCONF, YANG modules directly inform the generation of XML schemas for data encoding, mapping hierarchical structures to XML elements prefixed by module namespaces.[26] NETCONF servers advertise their supported YANG modules through the ":yang-library" capability in hello messages, including details like module revisions and sets to enable clients to discover and validate available models.[32] Recent developments include the IESG approval on November 12, 2025, of a YANG data model for NETCONF clients and servers (draft-ietf-netconf-netconf-client-server-40).[33]
A basic example of YANG syntax illustrates these elements in a module for modeling network interfaces:
yang
module example-interface {
yang-version 1.1;
namespace "urn:example:interface";
prefix if;
container interfaces {
list interface {
key "name";
leaf name {
type string;
description "Interface name.";
}
leaf type {
type enumeration {
enum ethernet;
enum wireless;
}
}
}
}
}
module example-interface {
yang-version 1.1;
namespace "urn:example:interface";
prefix if;
container interfaces {
list interface {
key "name";
leaf name {
type string;
description "Interface name.";
}
leaf type {
type enumeration {
enum ethernet;
enum wireless;
}
}
}
}
}
This module defines a container holding a list of interfaces, each with a string-typed name as the key and an enumerated type, demonstrating modularity and type constraints.[26]
Protocol Architecture
Layered Design
The Network Configuration Protocol (NETCONF) employs a layered architecture consisting of four distinct layers, designed to separate concerns and promote modularity in network management operations.[34] This structure, as outlined in RFC 6241, facilitates the installation, manipulation, and deletion of network device configurations through a client-server model.[1] The layers are conceptualized in a bottom-up manner, starting from the foundational transport mechanisms and building toward the application-level content handling.[34]
At the base is the Secure Transport Layer, which establishes a reliable communications path between the NETCONF client and server, ensuring security features such as server and client authentication, data integrity, confidentiality, and protection against replay attacks.[34] This layer is independent of upper layers, allowing flexibility in transport protocol selection, with SSH specified as the mandatory transport in RFC 6242.[35] Above it lies the Messages Layer, responsible for providing a transport-agnostic framing mechanism for remote procedure calls (RPCs) and notifications, utilizing XML-encoded elements such as <rpc>, <rpc-reply>, and <notification> to encapsulate protocol exchanges.[34] The Operations Layer defines the core RPC methods—such as <get-config> and <edit-config>—that invoke protocol operations, with inputs and outputs structured as XML parameters to interact with the data above.[34] Finally, the Content Layer addresses the modeling of configuration and state data itself, remaining outside the protocol's core specification to allow independent evolution of data schemas.[34]
A key design principle of this architecture is extensibility at each layer, enabling the addition of new features through capability advertisements exchanged during session initialization via <hello> messages.[34] This negotiation process allows clients and servers to declare supported protocol versions, operations, and data models, ensuring compatibility without mandating universal feature support.[17] Layer independence further enhances this modularity; for instance, changes to the transport layer do not affect content modeling, promoting reusability and incremental upgrades in diverse network environments.[34]
Unlike the full seven-layer OSI model, NETCONF's simplified four-layer stack is tailored specifically for configuration management tasks, abstracting away lower-level networking concerns to focus on secure, extensible data exchange between management agents.[36] This abstraction supports a conceptual flow where transport secures the channel, messages frame the interactions, operations execute the logic, and content provides the semantic payload, streamlining deployment in operational networks.[34]
Messages and RPC Mechanism
NETCONF employs a Remote Procedure Call (RPC) paradigm to enable communication between clients and servers, where operations are encapsulated in structured XML messages. The client initiates an RPC by sending an <rpc> element, which includes a mandatory message-id attribute to uniquely identify the request; this attribute is typically a string, such as a monotonically increasing integer chosen by the client. For instance, a basic RPC might appear as <rpc message-id="101"><operation>...</operation></rpc>, where the <operation> placeholder represents the specific NETCONF operation payload.[1]
In response, the server sends an <rpc-reply> element that echoes the same message-id attribute for correlation, ensuring the client can match replies to requests. A successful reply contains an <ok/> element, while failures include detailed error information; an example reply is <rpc-reply message-id="101"><ok/></rpc-reply>. This symmetric structure maintains session integrity and allows for ordered processing of multiple outstanding requests.[1]
Beyond request-response interactions, NETCONF supports server-initiated notifications to deliver asynchronous event information to subscribed clients. These are formatted as <notification> elements, which include an <eventTime> timestamp compliant with RFC 3339 and the event-specific content, such as <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2007-07-08T00:01:00Z</eventTime><event>...</event></notification>. Notifications are triggered by client subscriptions established via the <create-subscription> operation, binding events to the session until termination.[29]
NETCONF version 1.1 introduces pipelining to enhance efficiency, permitting clients to send multiple <rpc> elements within a single transport message without awaiting intermediate replies. The server processes these RPCs serially and responds in the order received, reducing latency in high-volume scenarios while preserving the RPC model's reliability.[1]
Error conditions in NETCONF are handled through the <rpc-error> element embedded within an <rpc-reply>, providing structured diagnostics to guide troubleshooting. Key sub-elements include <error-type>, which categorizes the issue as protocol (related to Operations layer violations) or application (Content layer problems), and <error-tag>, a specific identifier such as invalid-value or missing-attribute drawn from a predefined list in Appendix A of the specification. Additional optional elements like <error-severity> (e.g., error or warning) and <error-message> offer further context without disrupting the protocol flow.[1]
Operations
Configuration Operations
NETCONF provides a set of remote procedure calls (RPCs) for managing device configurations through conceptual datastores, enabling retrieval, editing, and copying of configuration data in a structured manner.[37] These operations are defined in the core protocol and operate on XML-encoded data models, ensuring interoperability across network devices.[36]
The protocol defines three primary configuration datastores: the running datastore, which holds the active configuration currently in use by the device; the candidate datastore, an optional workspace for proposed changes that can be edited without affecting the running configuration until committed; and the startup datastore, another optional store that persists the configuration across device reboots.[38] The candidate and startup datastores require specific capabilities (:candidate and :startup, respectively) to be advertised by the device for their use.[39]
The <get-config> operation retrieves all or a portion of the configuration from a specified source datastore, such as running, candidate, or startup.[40] It requires a <source> parameter identifying the datastore and accepts an optional <filter> to select specific data subsets using subtree or XPath filtering.[41] For example, to retrieve user configuration from the running datastore:
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source>
<running/>
</source>
<filter type="subtree">
<users xmlns="urn:ietf:params:xml:ns:yang:ietf-system"/>
</filter>
</get-config>
</rpc>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get-config>
<source>
<running/>
</source>
<filter type="subtree">
<users xmlns="urn:ietf:params:xml:ns:yang:ietf-system"/>
</filter>
</get-config>
</rpc>
The response contains the filtered configuration data within a <data> element.[40]
The <edit-config> operation allows clients to modify a target datastore by creating, updating, or deleting configuration elements.[42] Key parameters include <target> (specifying running or candidate), <config> containing the XML payload of changes, and optional elements like <default-operation> (e.g., merge, the default, which integrates new data without overwriting existing elements) and <error-option> (e.g., stop-on-error or continue-on-error for handling failures).[42] Individual elements in the <config> can specify an operation attribute such as merge, replace, create, delete, or remove to control the edit behavior.[42] An example merging an interface configuration into the candidate datastore:
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<candidate/>
</target>
<config>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>Ethernet0/0</name>
<mtu>1500</mtu>
</interface>
</interfaces>
</config>
</edit-config>
</rpc>
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<candidate/>
</target>
<config>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>Ethernet0/0</name>
<mtu>1500</mtu>
</interface>
</interfaces>
</config>
</edit-config>
</rpc>
This operation supports testing options like <test-option> to validate changes before application.[42] Locking may be used to protect the target datastore from concurrent modifications during editing.[24]
The <copy-config> operation copies an entire configuration from a source (a datastore like running or a URL) to a target (another datastore or URL), effectively duplicating or backing up configurations.[43] It requires <target> and <source> parameters, with the source able to reference datastores or external files, but cannot copy to the same datastore as the source.[43] For instance, copying the running configuration to startup:
<rpc message-id="103" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<copy-config>
<target>
<startup/>
</target>
<source>
<running/>
</source>
</copy-config>
</rpc>
<rpc message-id="103" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<copy-config>
<target>
<startup/>
</target>
<source>
<running/>
</source>
</copy-config>
</rpc>
A successful response returns <ok/>.[43]
The <get> operation retrieves a mixture of configuration data from the running datastore and operational state data, providing a broader view than <get-config>.[44] It accepts an optional <filter> parameter for selection, similar to <get-config>, but defaults to the entire running configuration and state if no filter is provided.[44] An example filtering for interface state:
<rpc message-id="104" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get>
<filter type="subtree">
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>eth0</name>
</interface>
</interfaces>
</filter>
</get>
</rpc>
<rpc message-id="104" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<get>
<filter type="subtree">
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>eth0</name>
</interface>
</interfaces>
</filter>
</get>
</rpc>
The response includes both config and non-config (state) elements in <data>.[44]
For session management, the <close-session> operation gracefully terminates the current NETCONF session, releasing any resources and locks held by the client.[45] It has no parameters and simply sends:
<rpc message-id="105" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>
<rpc message-id="105" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>
The server responds with <ok/> and closes the transport connection.[45]
The <kill-session> operation allows an administrator to forcibly terminate another active session by specifying its <session-id>, which is useful for recovering from hung or problematic sessions.[46] Only clients with appropriate permissions can invoke it. An example:
<rpc message-id="106" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<kill-session>
<session-id>454</session-id>
</kill-session>
</rpc>
<rpc message-id="106" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<kill-session>
<session-id>454</session-id>
</kill-session>
</rpc>
The server responds with <ok/> if successful, and the targeted session is immediately terminated.[46]
Monitoring and Locking Operations
NETCONF provides mechanisms for locking configuration datastores to ensure exclusive access during modifications, preventing conflicts from concurrent sessions. The base <lock> operation, defined in the core protocol, targets an entire datastore such as <running/>, <candidate/>, or <startup/>, and acquires a lock that blocks other NETCONF sessions or external entities from altering the datastore.[24] If the datastore is already locked, the server responds with an <rpc-error> element containing the error-tag lock-denied and includes the <session-id> of the locking session in <error-info>, or zero if held by a non-NETCONF entity.[19] The corresponding <unlock> operation releases the lock on the specified datastore, but only if the requesting session holds it; otherwise, it fails with an appropriate error.[47] These operations are essential for protecting critical edits, such as those performed via <edit-config>, by enforcing serial access to shared resources.[40]
To support finer-grained control in complex environments, the partial lock extension allows locking specific portions of the running datastore using XPath expressions.[48] This capability, identified by the URI urn:ietf:params:netconf:capability:partial-lock:1.0, introduces the <partial-lock> RPC, which requires a mandatory select parameter containing one or more XPath expressions to define the locked nodes or subtrees.[49] Upon success, the server returns a unique lock-id for the lock, which is used in the <partial-unlock> RPC to release it.[50] Partial locks are evaluated once at acquisition time and persist until explicitly unlocked or the session ends, with lock-denied errors handled similarly to global locks, including the conflicting session's ID.[51] This mechanism complements global locking by enabling concurrent modifications to unrelated configuration areas without full datastore contention.[48]
For activating changes in the candidate datastore, the <commit> operation copies the candidate configuration to the running datastore, making it operational.[52] This operation requires the candidate capability (urn:ietf:params:netconf:capability:candidate:1.1) and fails with an in-use error if the candidate is locked by another session.[53] Optional parameters like <confirmed/> and <confirm-timeout> enable timed rollbacks if the commit does not persist, providing a safety net for high-risk changes.[54] Unlocking the candidate after <commit> discards any pending changes, ensuring a clean state.[55]
Prior to committing or editing, the :validate capability allows preemptive checks on configuration validity.[56] Identified by urn:ietf:params:netconf:capability:validate:1.1, it supports the <validate> operation, which examines a specified source like the candidate or running datastore for syntax and semantic errors against the schema.[57] For example, <validate><source><candidate/></source></validate> returns success or detailed <rpc-error> elements if issues are found.[56] This capability also enables <test-option> attributes in <edit-config>, such as test-only for validation without application or test-then-set for validate-and-apply sequences.[40]
Monitoring aspects include retrieving schema definitions via the <get-schema> operation, which fetches YANG modules from the server for data model understanding.[58] Defined in the NETCONF monitoring model, this RPC requires a mandatory identifier parameter (e.g., module name) and optional version and format (defaulting to "yang"); it returns the schema content or errors like invalid-value if the identifier is unrecognized.[58] Sessions in NETCONF begin with a <hello> exchange, where the client advertises capabilities and the server assigns a <session-id> derived from transport authentication parameters, such as username, enabling subsequent monitoring of active sessions through the /netconf-state/sessions path.[17][59]
In error scenarios, particularly lock-denied, the server provides diagnostic details in <error-info> to aid resolution, such as identifying the blocking session for manual intervention via <kill-session> if authorized.[19] This structured handling ensures reliable session control and minimizes downtime from contention.[20]
Transport and Security
Transport Protocols
NETCONF is designed to be transport-independent, allowing mappings to various secure, connection-oriented protocols to establish bidirectional communication between clients and servers. The protocol requires a reliable transport that supports full-duplex operation, ordered delivery, and flow control, but does not support unreliable protocols like UDP.[60]
The default and most widely used transport for NETCONF is Secure Shell (SSH) version 2, as defined in RFC 6242. In this mapping, NETCONF operates as an SSH subsystem invoked over a TCP connection on port 830. The client initiates an SSH connection to the server, requests the "netconf" subsystem, and then exchanges NETCONF messages within the resulting channel. This approach leverages SSH's built-in security features for confidentiality and integrity while providing a straightforward session establishment process.[4][61]
An alternative transport mapping uses Transport Layer Security (TLS) version 1.2 or later with mutual X.509 certificate-based authentication, specified in RFC 7589. Updates to support TLS 1.3 are in progress as of 2025 (draft-ietf-netconf-over-tls13). This was introduced as a post-2011 enhancement to the original NETCONF specification, offering improved security through certificate validation without relying on SSH's subsystem model. NETCONF over TLS runs over TCP on port 6513, where the client and server first complete the TLS handshake—including certificate exchange and verification—before proceeding to protocol messages. This mapping supports the same bidirectional RPC exchange as SSH but emphasizes PKI-based trust models for environments requiring centralized certificate management.[22][62][63]
Regardless of the underlying transport, a NETCONF session follows a standardized flow to ensure compatibility and capability negotiation. Upon connection establishment, the client sends a <hello> message listing its supported capabilities, such as protocol version (e.g., urn:ietf:params:netconf:base:1.1) and optional features. The server responds with its own <hello> message, including a unique session identifier and its capabilities, allowing both peers to agree on a common protocol version and features. Subsequent communication consists of remote procedure calls (RPCs) and responses until either peer issues a <close-session> operation, which gracefully terminates the session, releases any held resources like configuration locks, and closes the transport connection. This flow ensures secure, version-aware interactions across supported transports.[17][39]
Historically, NETCONF supported mappings to SOAP over HTTP and SOAP over BEEP (Blocks Extensible Exchange Protocol), as outlined in RFC 4743 and RFC 4744, respectively. These allowed integration with web services but have been deprecated in favor of SSH and TLS due to their complexity and limited adoption. Modern implementations prioritize the SSH and TLS mappings for their simplicity and robust security.[64]
Authentication and Encryption
NETCONF ensures secure communication through robust authentication and encryption mechanisms integrated at the transport layer, preventing unauthorized access and protecting data integrity and confidentiality. Authentication is handled by the underlying transport protocols, with SSH supporting public-key and password-based methods as defined in RFC 6242, while TLS employs mutual X.509 certificate authentication per RFC 7589. These approaches verify the identity of both clients and servers before any configuration data is exchanged, mitigating risks in multi-administrator environments.[4][22]
For SSH-based sessions, authentication occurs via the SSH user authentication protocol, where public-key methods provide strong identity verification without transmitting secrets over the network, and password authentication uses usernames passed to NETCONF for session validation. Encryption is mandatory, leveraging SSH's transport layer ciphers to encrypt all NETCONF messages, ensuring protection against eavesdropping and tampering without any additional application-layer cryptography. Similarly, TLS sessions require mutual authentication using X.509 certificates, with client identities mapped from certificate attributes like subjectAltName, and all data encrypted via TLS 1.2 or higher cipher suites for end-to-end security.[4][22]
Access control further strengthens authentication by enforcing role-based restrictions on authorized operations, integrated server-side through the NETCONF Access Control Model (NACM) in RFC 6536, which uses transport-provided usernames and groups to apply rules denying unauthorized actions. The :url capability, which allows retrieval of schemas or configurations from remote locations, is subject to these access limits to prevent exposure of sensitive data nodes, supporting RBAC integration for granular permissions in diverse administrative setups.[1][15]
These security features collectively address key threats, including eavesdropping via transport encryption, tampering through message integrity checks, and unauthorized access in shared environments by combining strong authentication with fine-grained authorization controls. No application-layer encryption is provided, relying entirely on the secure transports for comprehensive protection.[4][22][15]
Extensions and Developments
Capabilities and Subscriptions
NETCONF capabilities extend the base protocol by advertising optional features supported by a client or server, allowing peers to negotiate and utilize enhanced functionality during a session. These capabilities are identified by unique uniform resource identifiers (URIs) and are exchanged in the initial <hello> messages sent by both parties at session establishment. The base capability, urn:ietf:params:netconf:base:1.1, is mandatory and defines the core protocol version, while additional capabilities indicate support for specific extensions.[1] For instance, the :xpath:1.0 capability, with URI urn:ietf:params:netconf:capability:xpath:1.0, enables the use of XPath expressions for filtering in operations like <get> and <get-config>. Similarly, the :validate:1.1 capability (URI: urn:ietf:params:netconf:capability:validate:1.1) adds support for the <validate> operation and validation options in <edit-config>.[1]
Capabilities can enable or disable advanced features, such as confirmed commits via the :confirmed-commit:1.1 capability (URI: urn:ietf:params:netconf:capability:confirmed-commit:1.1), which allows commits with a timeout for confirmation or automatic rollback. Another example is the :candidate:1.0 capability (URI: urn:ietf:params:netconf:capability:candidate:1.0), which introduces a candidate configuration datastore for editing without immediate impact on the running state. The URI format generally follows urn:ietf:params:netconf:capability:{name}:{version}, ensuring interoperability and precise identification of supported features.[1] Peers advertise only the capabilities they implement, and the session proceeds with the intersection of supported functionalities, using the highest common protocol version.[1]
Subscriptions in NETCONF provide an asynchronous mechanism for clients to receive event notifications from the server, as defined in RFC 5277. A client creates a subscription using the <create-subscription> RPC, specifying parameters such as the event stream (defaulting to "NETCONF"), filters, and replay options. Filtering allows targeted delivery, for example, using XPath expressions to select specific events (e.g., /event[severity='critical']) or event-time parameters like <startTime> and <stopTime> for replaying historical notifications from a specified date and time in RFC 3339 format.[29] The subscription is bound to the session's lifetime and delivers notifications as XML-encoded <notification> elements interleaved with other RPCs.[29]
NETCONF supports two subscription types: dynamic and configured. Dynamic subscriptions, as defined in RFC 5277, are created and managed via RPCs during the session, offering flexibility for on-demand monitoring. Configured subscriptions, specified in RFC 8639, are predefined in the server's configuration datastore for persistent event delivery across sessions.[29][65] To establish a dynamic subscription, the client sends <create-subscription> with optional filters; the server responds with <ok> if accepted or an error if parameters are invalid, such as an invalid <stopTime> preceding <startTime>. This enables real-time awareness of configuration changes, faults, or other events without polling.[29]
The WITH-DEFAULTS capability, specified in RFC 6243, addresses how NETCONF servers handle unspecified nodes in configuration data, particularly schema-defined defaults, allowing clients to control reporting behavior. Identified by the URI urn:ietf:params:netconf:capability:with-defaults:1.0, it introduces modes via the <with-defaults> parameter in operations like <get> and <get-config>. In explicit mode, only values explicitly set by the client are reported, treating unspecified nodes as unset without including defaults. Trim mode omits nodes that match schema-defined defaults, avoiding redundant data in responses. Merge mode includes unspecified nodes by applying schema defaults, providing a complete view as if all nodes were specified.[13]
This capability enhances data retrieval precision; for example, in explicit mode, a <get-config> for a datastore might exclude default interface settings unless modified, reducing response size. Servers advertise supported modes in their <hello>, and clients select a mode to ensure consistent handling across diverse implementations.[13] Additional submodes like report-all-tagged can mark default values explicitly, aiding in distinguishing configured from default data.[13]
Recent IETF Advances
Since 2023, the IETF NETCONF Working Group has advanced several drafts to enhance NETCONF's flexibility and integration in modern network management. One key development is the draft on support for versioning in YANG notifications subscriptions, which extends the subscription mechanism to include semantic versioning of YANG modules, allowing clients to specify desired versions at subscription time for improved compatibility in dynamic environments.[66] Another draft introduces YANG data models for configuring RESTCONF clients and servers, enabling standardized management of RESTCONF endpoints through NETCONF itself, which supports call-home features as defined in RFC 8071.[67]
Further innovations include the proposal for private candidate datastores in NETCONF and RESTCONF, which allows per-session private candidates to facilitate isolated testing and configuration validation without affecting shared datastores, addressing multi-client deployment challenges.[68] Additionally, the augmented-by addition to the YANG library draft enhances module discovery by providing a list of modules that augment others, simplifying dependency resolution for clients retrieving schema information.[69]
Recent trends emphasize NETCONF's complementarity with RESTCONF, an HTTP-based protocol using JSON that serves as a lightweight alternative for web-oriented management, as standardized in RFC 8040.
NETCONF's adoption has grown in software-defined networking (SDN) for automation, with integration in platforms like Cisco IOS XE, where it enables programmatic configuration and telemetry retrieval via YANG models. Similarly, Juniper Junos OS leverages NETCONF for remote management and interoperability with SDN controllers, supporting XML-based operations in enterprise and service provider environments.[70][71]