Call Home Server

The yangcli-pro program supports the IETF NETCONF Call Home feature defined in RFC 8071.

Call Home for NETCONF over SSH Port Assignment:

Service Name:           netconf-ch-ssh
Port Number:            4334
Transport Protocol(s):  TCP
Description:            NETCONF Call Home (SSH)
Assignee:               IESG
Contact:                IETF Chair
Reference:              RFC 8071

Call Home for NETCONF over TLS Port Assignment:

Service Name:           netconf-ch-tls
Port Number:            4335
Transport Protocol(s):  TCP
Description:            NETCONF Call Home (TLS)
Assignee:               IESG
Contact:                IETF Chair
Reference:              RFC 8071

A server implementing Call Home will initiate the TCP connection for a NETCONF session to a pre-configured manager (e.g., yangcli-pro), which will start a normal SSH or TLS session for NETCONF, but using the incoming TCP connection instead of creating a new connection.

In Call Home Server mode, yangcli-pro will listen for incoming TCP connections on its Call Home ports.

There must be pre-configured user or session entries for yangcli-pro to accept an incoming Call Home session.

Call Home Configuration

The following CLI parameters are available for Call Home configuration:

  1. This feature has to be enabled by setting --callhome-enabled=true in the configuration or command line.

    • This is not required if the callhome-server command is used to start the Call Home server.

  2. If the default listen address (all IPv4 addresses) is not desired, then the --callhome-address parameter must be configured.

    • This parameter can be set at run-time if the callhome-server command is used to start the Call Home server.

  3. If the default TCP port number (4334) is not desired for NETCONF over SSH, then the --callhome-port parameter must be set.

    • This parameter can be set at run-time if the callhome-server command is used to start the Call Home server.

  4. If the default TCP port number (4335) is not desired for NETCONF over TLS, then the --callhome-tls-port parameter must be set.

    • This parameter can be set at run-time if the callhome-server command is used to start the Call Home server.

  5. One or more named sessions may be configured to use address-specific session configuration. The session-cfg “save” command can be used to save a current session. This mode requires the client to be able to connect to the desired server.

  6. Zero or more named user entries can be designated a “callhome-user” entry. The “user-cfg save” command can be used to create a suitable user entry. Then the --callhome-user parameter is set to the user-cfg name. In this mode the client does not need to connect to the desired server first, but the user and credentials need to be pre-configured on the NETCONF server in advance.

    • The callhome-user command can be used to add or remove Call Home user entries at run-time.

    1. The success of a callhome-user entry is tracked for each server address attempting a connection.

    2. If the first callhome-user entry has failed when a server attempts to reconnect, then that entry will be skipped and the next entry will be attempted.

    3. The failed server list cannot be cleared at this time. The program must be restarted to clear the failed server mappings for each callhome-user.

    4. Refer to the --callhome-user CLI parameter section for more details.

It is not possible to attempt multiple users or connection attempts on the same TCP connection. This is a security feature built into the transport protocols.

Call Home Accept Session Procedure

If --callhome-enabled=true, then yangcli-pro will listen for Call Home sessions.

When an incoming Call Home connection is received, yangcli-pro will attempt to start a new NETCONF session in the following manner:

  1. The source IP address is checked against the IP address of any named session configurations. If a match is found, that session will be used. If it is already in use then the incoming session will be rejected.

  2. For yp-client applications, it is possible that a callhome user-select callback has been registered. If so, then the callback will be invoked with the server address. The callback will do one of three things:

    1. Reject the session, so it will be dropped without a connection attempt.

    2. Return the callhome-user entry to use for a connection attempt.

    3. Return no callhome-user, so processing proceeds to step 3 as if no callback was invoked.

  3. If no matching IP address session entry is found, then check if any callhome-user entries are configured. If so, find the first entry that has not failed for this address, then create a temporary session using the user-cfg data and the incoming address information for the server configuration.

  4. If no callhome-user entry is configured, then the incoming connection is dropped.
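
The accept procedure above, together with the per-address failure tracking for callhome-user entries, can be modeled as a single decision function. This is an added illustration, not yangcli-pro or yp-client code: the function name, return values, REJECT sentinel and sample addresses are all hypothetical, and dropping the connection when every callhome-user entry has already failed for an address is an assumption.

```python
# Added model of the accept procedure; not yangcli-pro code, names hypothetical.
REJECT = object()  # sentinel a user-select callback returns to drop a peer

def select_callhome(src_ip, sessions, in_use, callhome_users, failed,
                    callback=None):
    """Return (action, name) for one incoming Call Home TCP connection.

    sessions:       {session name: configured server IP}
    in_use:         set of session names that already have a live session
    callhome_users: ordered list of user-cfg names marked as callhome-user
    failed:         {user-cfg name: set of server IPs that entry failed for}
    """
    # Step 1: a named session whose address matches the source IP wins.
    for name, addr in sessions.items():
        if addr == src_ip:
            if name in in_use:
                return ("reject", name)      # session already in use
            return ("use-session", name)

    # Step 2: a registered callback may reject, pick a user, or abstain.
    if callback is not None:
        choice = callback(src_ip)
        if choice is REJECT:
            return ("drop", None)
        if choice is not None:
            return ("temp-session", choice)

    # Step 3: first callhome-user entry that has not failed for this address.
    for user in callhome_users:
        if src_ip not in failed.get(user, set()):
            return ("temp-session", user)

    # Step 4: no callhome-user configured. Dropping when every entry has
    # already failed for this address is an assumption of this model.
    return ("drop", None)

def demo():
    # Constructed sample data using documentation address ranges.
    sessions = {"core-rtr": "192.0.2.10"}
    users = ["ops", "backup-ops"]
    failed = {"ops": {"198.51.100.7"}}
    return [
        select_callhome("192.0.2.10", sessions, set(), users, failed),
        select_callhome("192.0.2.10", sessions, {"core-rtr"}, users, failed),
        select_callhome("198.51.100.7", sessions, set(), users, failed),
        select_callhome("203.0.113.5", sessions, set(), [], failed),
    ]
```

In this model the source IP address is the only input available before a session or user entry is chosen, so an empty callhome-user list means only addresses with a named session configuration get a connection attempt.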