<?xml version='1.0' encoding='utf-8'?> encoding='UTF-8'?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc linkmailto="no" ?>
<?rfc editing="no" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext include-index="no" ?>
<!--<?rfc strict="no"?> -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true" submissionType="IETF" docName="draft-ietf-netconf-tcp-client-server-26" number="9643" updates="" obsoletes="" ipr="trust200902" tocInclude="true" symRefs="true" sortRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.17.4 --> version="3" xml:lang="en">

  <front>

    <title abbrev="Groupings for TCP Clients and Servers">YANG Groupings for
      TCP Clients and TCP Servers</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-netconf-tcp-client-server-26"/> name="RFC" value="9643"/>
    <author fullname="Kent Watsen" initials="K." surname="Watsen">
      <organization>Watsen Networks</organization>
      <address>
        <email>kent+ietf@watsen.net</email>
      </address>
    </author>
    <author fullname="Michael Scharf" initials="M." surname="Scharf">
      <organization abbrev="Hochschule Esslingen">
        Hochschule Esslingen - University of Applied Sciences
      </organization>
      <address>
	<postal>
	  <street>University of Applied Sciences</street>
	  <street>Kanalstr. 33</street>
	  <code>73728</code>
	  <city>Esslingen am Neckar</city>
	  <country>Germany</country>
	</postal>
        <email>michael.scharf@hs-esslingen.de</email>
      </address>
    </author>
    <date/>
    <area>Operations</area>
    <workgroup>NETCONF Working Group</workgroup>
    <date month="October" year="2024"/>
    <area>OPS</area>
    <workgroup>netconf</workgroup>
<keyword>IETF</keyword>

    <abstract>
      <t>This document presents three YANG 1.1 modules
        to support the configuration of TCP clients and TCP servers. The modules
        include basic parameters of a TCP connection relevant for client or server
        applications, as well as client configuration required for traversing proxies.
        The data models defined by these modules can may be used either standalone directly (e.g., to define a specific TCP client or TCP server) or in conjunction with the configuration defined for higher level protocols that depend on TCP (e.g., SSH, TLS, etc.).  Examples of other stack higher level protocol layers.</t>
    </abstract>
    <note>
      <name>Editorial Note (To be removed by RFC Editor)</name>
      <t>This draft contains placeholder values that need configuration designed to be replaced
        with finalized values at the time of publication. This note summarizes
        all of the substitutions that are needed. No other RFC Editor
        instructions are specified elsewhere in this document.</t>
      <t>Artwork in this document contains shorthand references to drafts in
        progress.  Please apply the following replacements:
      </t>
      <ul spacing="normal">
        <li>
          <tt>AAAA</tt> --&gt; the assigned RFC value for draft-ietf-netconf-crypto-types</li>
        <li>
          <tt>DDDD</tt> --&gt; the assigned RFC value for this draft</li>
      </ul>
      <t>Artwork in this document contains placeholder values for the date of
        publication of this draft. Please apply the following replacement:
      </t>
      <ul spacing="normal">
        <li>
          <tt>2024-04-04</tt> --&gt; the publication date of this draft</li>
      </ul>
      <t>The "Relation to other RFCs" section <xref target="collective-effort"/> contains
        the text "one or more YANG modules" and, later, "modules".  This text is sourced
        from a file in a context where it is unknown how many modules a draft defines.
        The text is not wrong as is, but it may be improved by stating more directly how
        many modules are defined.</t>
      <t>The "Relation to other RFCs" section <xref target="collective-effort"/> contains
          a self-reference to this draft, along with a corresponding reference in
          the Appendix.  Please replace the self-reference used in this section conjunction with "This RFC"
          (or similar) and remove the self-reference in the "Normative/Informative References"
          section, whichever it is in.</t>
      <t>Tree-diagrams in this draft may use the '\' line-folding mode defined configuration are in RFC 8792.
          However, nicer-to-the-eye is when the '\\' line-folding mode is used.  The AD suggested
          suggested putting a request here for the RFC Editor to help convert "ugly" '\' folded
          examples to use the '\\' folding mode.  "Help convert" may be interpreted as, identify
          what looks ugly RFCs 9644 and ask the authors to make the adjustment.</t>
      <t>The following Appendix section is to be removed prior to publication:
      </t>
      <ul spacing="normal">
        <li>
          <xref target="change-log"/>.  Change Log</li>
      </ul>
    </note> 9645.</t>
    </abstract>
  </front>
  <middle>
    <section>
      <name>Introduction</name>
      <t>This document defines three YANG 1.1 <xref target="RFC7950"/> modules
        to support the configuration of TCP clients and TCP servers (TCP is
        defined in <xref target="RFC9293"/>), either as standalone target="RFC9293"/>). The data models defined by these modules may be used directly (e.g., to define a specific TCP client or TCP server) or in conjunction with the configuration defined for higher level protocols that depend on TCP (e.g., SSH, TLS, etc.).  Examples of other stack higher level protocol layers.</t> configuration designed to be used in conjunction with this configuration are in <xref target="RFC9644"/> and <xref target="RFC9645"/>.</t>
      <t>The modules focus on three different types of base TCP parameters that matter
        for TCP-based applications: First, the modules cover fundamental configuration of a
        TCP client or TCP server application, such as addresses and port numbers. Second, a
        reusable grouping enables modification of application-specific parameters for a TCP
        connections, such as use of TCP keep-alives. keepalives. And third, client configuration for
        traversing proxies is included as well. In each case, the modules have a very narrow
        scope and focus on a minimum set of required parameters.</t>
      <t>Please be advised that while this document presents support for some TCP
        proxy techniques, there are other TCP proxy techniques that are not part
        of this document, document but could be added by augmenting the YANG module.</t>
      <section anchor="collective-effort">
        <name>Relation to other Other RFCs</name>
        <t>This document presents one or more three YANG modules <xref target="RFC7950"/>
            that are part of a collection of RFCs that work together
            to, ultimately,
            to ultimately support the configuration of both the clients
            and servers of both the NETCONF Network Configuration Protocol (NETCONF) <xref target="RFC6241"/> and
            RESTCONF <xref target="RFC8040"/> protocols.</t> target="RFC8040"/>.</t>
        <t> The dependency relationship between the primary YANG groupings
            defined in the various RFCs is presented in the below diagram.
            In some cases, a draft document may define secondary groupings that
            introduce dependencies not illustrated in the diagram.
            The labels in the diagram are a shorthand name names for the defining
            RFC.
            RFCs.  The citation reference references for shorthand name is names are provided below
            the diagram.</t>
        <t>Please note that the arrows in the diagram point from referencer
            to referenced.  For example, the "crypto-types" RFC does not
            have any dependencies, whilst the "keystore" RFC depends on the
            "crypto-types" RFC.</t>
        <artwork><![CDATA[
                               crypto-types
                                 ^      ^
                                /        \
                               /          \
                      truststore         keystore
                       ^     ^             ^  ^
                       |     +---------+   |  |
                       |               |   |  |
                       |      +------------+  |
tcp-client-server      |     /         |      |
   ^    ^        ssh-client-server     |      |
   |    |           ^            tls-client-server
   |    |           |              ^     ^        http-client-server
   |    |           |              |     |                 ^
   |    |           |        +-----+     +---------+       |
   |    |           |        |                     |       |
   |    +-----------|--------|--------------+      |       |
   |                |        |              |      |       |
   +-----------+    |        |              |      |       |
               |    |        |              |      |       |
               |    |        |              |      |       |
            netconf-client-server       restconf-client-server

]]></artwork>
        <!-- RFC Editor: is there anyway to flush-left the table in PDF/HTML views? -->
          <table>

          <table align="left">
          <name>Label in Diagram to RFC Mapping</name>
          <tbody>
            <tr>
              <th>Label in Diagram</th>
              <th>Originating RFC</th>
              <th>Reference</th>
            </tr>
            <tr>
              <td>crypto-types</td>
              <td>
                <xref target="I-D.ietf-netconf-crypto-types"/></td> target="RFC9640"/></td>
            </tr>
            <tr>
              <td>truststore</td>
              <td>
                <xref target="I-D.ietf-netconf-trust-anchors"/></td> target="RFC9641"/></td>
            </tr>
            <tr>
              <td>keystore</td>
              <td>
                <xref target="I-D.ietf-netconf-keystore"/></td> target="RFC9642"/></td>
            </tr>
            <tr>
              <td>tcp-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-tcp-client-server"/></td>
                RFC 9643</td>
            </tr>
            <tr>
              <td>ssh-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-ssh-client-server"/></td> target="RFC9644"/></td>
            </tr>
            <tr>
              <td>tls-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-tls-client-server"/></td> target="RFC9645"/></td>
            </tr>
            <tr>
              <td>http-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-http-client-server"/></td>
            </tr>
            <tr>
              <td>netconf-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-netconf-client-server"/></td>
            </tr>
            <tr>
              <td>restconf-client-server</td>
              <td>
                <xref target="I-D.ietf-netconf-restconf-client-server"/></td>
            </tr>
          </tbody>
        </table>
      </section>
      <section>
        <name>Specification Language</name>
        <t>The
        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
            NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
            "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.</t> here.
        </t>
      </section>
      <section>
        <name>Adherence to the NMDA</name>
        <t>This document is compliant with the Network Management Datastore
          Architecture (NMDA) <xref target="RFC8342"/>. It does not define
          any protocol accessible nodes that are "config false".</t>
      </section>
      <section>
	<name>Conventions</name>
	<t>  Various examples in this document use the XML
  <xref target="W3C.REC-xml-20081126"/> encoding. Other encodings, such as JSON <xref target="RFC8259"/>,
  could alternatively be used.
	</t>
      </section>
    </section>
    <section anchor="tcp-common-model">
      <name>The "ietf-tcp-common" Module</name>
      <t>This section defines a YANG 1.1 module called
        "ietf-tcp-common".  A high-level overview of the module is provided in
        <xref target="common-overview"/>. Examples illustrating the module's use
        are provided in <xref target="common-examples">Examples</xref>. target="common-examples"/> ("Example Usage"). The YANG
        module itself is defined in <xref target="common-yang-module"/>.</t>
      <section anchor="common-overview">
        <name>Data Model Overview</name>
        <t>This section provides an overview of the "ietf-tcp-common" module
          in terms of its features and groupings.</t>
        <section toc="exclude">
          <name>Model Scope</name>
          <t>This document presents a common "grouping" statement for basic TCP connection
            parameters that matter to applications. It is "common" in that this grouping
            is used by both the "ietf-tcp-client" and "ietf-tcp-server" modules.  In some
            TCP stacks, such parameters can also directly be set by an application using
            system calls, such as the sockets API. The base YANG data model in this document
            focuses on modeling TCP keep-alives. keepalives. This base model can be extended as needed.</t>
        </section>
        <section anchor="common-features" toc="exclude">
          <name>Features</name>
          <t>The following diagram lists all the "feature" statements
            defined in the "ietf-tcp-common" module:</t>
          <artwork><![CDATA[
          <sourcecode type="yangtree"><![CDATA[
Features:
  +-- keepalives-supported
]]></artwork>
          <!--<aside>-->
]]></sourcecode>
            <t>The diagram above uses syntax that is similar to but not
              defined in <xref target="RFC8340"/>.</t>
          <!--</aside>-->
        </section>
        <section toc="exclude">
          <name>Groupings</name>
          <t>The "ietf-tcp-common" module defines the following "grouping" statement:</t>
          <ul spacing="compact">
            <li>tcp-common-grouping</li>
          </ul>
          <t>This grouping is presented in the following subsection.</t>
          <section anchor="tcp-common-grouping">
            <name>The "tcp-common-grouping" Grouping</name>
            <t>The following tree diagram <xref target="RFC8340"/> illustrates the
              "tcp-common-grouping" grouping:</t>
            <artwork><![CDATA[
            <sourcecode type="yangtree"><![CDATA[
  grouping tcp-common-grouping:
    +-- keepalives! {keepalives-supported}?
       +-- idle-time?        uint16
       +-- max-probes?       uint16
       +-- probe-interval?   uint16
]]></artwork>
]]></sourcecode>
            <t>Comments:</t>
            <ul>
              <li>The "keepalives" node is a "presence" container so that the mandatory descendant nodes
                 do not imply that keepalives must be configured.</li>
              <li>The "idle-time", "max-probes", and "probe-interval" nodes have the
                common meanings.  Please see the YANG module in <xref target="common-yang-module"/>
                for details.</li>
            </ul>
          </section>
        </section>
        <section toc="exclude">
          <name>Protocol-accessible
          <name>Protocol-Accessible Nodes</name>
          <t>The "ietf-tcp-common" module defines only "grouping" statements that are used by
            other modules to instantiate protocol-accessible nodes.  Thus  Thus, this module, when
            implemented, does not itself define any protocol-accessible nodes.</t>
        </section>
        <section toc="exclude">
          <name>Guidelines for Configuring TCP Keep-Alives</name> Keepalives</name>
          <t>Network stacks may include "keep-alives" keepalives in their TCP implementations,
          although this practice is not universally implemented. If keep-alives keepalives are
            included, <xref target="RFC9293"/> mandates that the application MUST <bcp14>MUST</bcp14> be
            able to turn them on or off for each TCP connection, connection and that they MUST <bcp14>MUST</bcp14>
            default to off.</t>
          <t>Keep-alive
          <t>Keepalive mechanisms exist in many protocols. Depending on the protocol
            stack, TCP keep-alives keepalives may only be one out of several alternatives.  Which
            mechanism(s) to use depends on the use case and application requirements. If
            keep-alives
            keepalives are needed by an application, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the
            liveness check happens only at the protocol layers that are meaningful
            to the application.</t>
          <t>A TCP keep-alive keepalive mechanism SHOULD <bcp14>SHOULD</bcp14> only be invoked in server applications
            that might otherwise hang indefinitely and consume resources unnecessarily
            if a client crashes or aborts a connection during a network failure <xref target="RFC9293"/>.
            TCP keep-alives keepalives may consume significant resources both in the network and
            in endpoints (e.g., battery power).  In addition, frequent keep-alives keepalives
            risk network congestion. The higher the frequency of keep-alives, keepalives, the
            higher the overhead.</t>
          <t>
            Given the cost of keep-alives, keepalives, parameters have to be configured carefully:
          </t>
          <ul spacing="normal">
            <li>The default idle interval (leaf "idle-time") is two hours, i.e.,
                7200 seconds <xref target="RFC9293"/>.  A lower value MAY <bcp14>MAY</bcp14> be
                configured, but idle intervals SHOULD NOT <bcp14>SHOULD NOT</bcp14> be smaller than 15
                seconds. Longer idle intervals SHOULD <bcp14>SHOULD</bcp14> be used when possible.</li>
            <li>The maximum number of sequential keep-alive keepalive probes that can fail
                (leaf "max-probes") trades off responsiveness and robustness against
                packet loss. ACK segments that contain no data are not reliably
                transmitted by TCP. Consequently, if a keep-alive keepalive mechanism is
                implemented
                implemented, it MUST NOT <bcp14>MUST NOT</bcp14> interpret failure to respond to any
                specific probe as a dead connection <xref target="RFC9293"/>.
                Typically, a single-digit number should suffice.</li>
            <li>TCP implementations may include a parameter for the number of
                seconds between TCP keep-alive keepalive probes (leaf "probe-interval"). In
                order to avoid congestion, the time interval between probes MUST NOT <bcp14>MUST NOT</bcp14>
                be smaller than one second. Significantly longer intervals SHOULD <bcp14>SHOULD</bcp14> be
                used. It is important to note that keep-alive keepalive probes (or replies)
                can get dropped due to network congestion. Sending further probe
                messages into a congested path after a short interval, without
                backing off timers, could cause harm and result in a congestion
                collapse.  Therefore  Therefore, it is essential to pick a large, conservative
                value for this interval.</li>
          </ul>
        </section>
      </section>
      <section anchor="common-examples">
        <name>Example Usage</name>
        <t>This section presents an example showing the "tcp-common-grouping" grouping
        populated with some data.</t>
        <artwork><![CDATA[
        <sourcecode type="xml"><![CDATA[
<!-- The outermost element below doesn't exist in the data model. -->
<!--  It simulates if the "grouping" were a "container" instead.  -->

<tcp-common xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp-common">
  <keepalives>
    <idle-time>7200</idle-time>
    <max-probes>9</max-probes>
    <probe-interval>75</probe-interval>
  </keepalives>
</tcp-common>
]]></artwork>
]]></sourcecode>
      </section>
      <section anchor="common-yang-module">
        <name>YANG Module</name>
        <t>The ietf-tcp-common "ietf-tcp-common" YANG module references <xref target="RFC6991"/>
        and <xref target="RFC9293"/>.</t>
        <t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tcp-common@2024-04-04.yang"</t>
        <artwork><![CDATA[
        <sourcecode name="ietf-tcp-common@2024-04-04.yang" type="yang" markers="true"><![CDATA[
module ietf-tcp-common {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common";
  prefix tcpcmn;

  organization
    "IETF NETCONF (Network Configuration) Working Group and the
     IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";

  contact
    "WG Web:   https://datatracker.ietf.org/wg/netconf
               https://datatracker.ietf.org/wg/tcpm
     WG List:  NETCONF WG list <mailto:netconf@ietf.org>
               TCPM WG list <mailto:tcpm@ietf.org>
     Authors:  Kent Watsen <mailto:kent+ietf@watsen.net>
               Michael Scharf
               <mailto:michael.scharf@hs-esslingen.de>";

  description
    "This module define a reusable 'grouping' that is common
     to both TCP-clients TCP clients and TCP-servers. TCP servers.  This grouping statement
     is used by both the 'ietf-tcp-client' and 'ietf-tcp-server'
     modules.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.

     Copyright (c) 2023 2024 IETF Trust and the persons identified
     as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC DDDD
     (https://www.rfc-editor.org/info/rfcDDDD); 9643
     (https://www.rfc-editor.org/info/rfc9643); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here."; notices.";

  revision 2024-04-04 {
    description
      "Initial version"; version.";
    reference
      "RFC DDDD: 9643: YANG Groupings for TCP Clients and TCP Servers";
  }

  // Features

  feature keepalives-supported {
    description
      "Indicates that keepalives are supported.";
  }

  // Groupings

  grouping tcp-common-grouping {
    description
      "A reusable grouping for configuring TCP parameters common
       to TCP connections as well as the operating system as a
       whole.";
    container keepalives {
      if-feature "keepalives-supported";
      presence "Indicates that keepalives are enabled, aligning to
                the requirement in Section 3.8.4 of RFC 9293 that
                states keepalives are off by default.";
      description
        "Configures the keep-alive policy, keepalive policy to proactively test the
         aliveness of the TCP peer.  An unresponsive TCP peer is
         dropped after approximately (idle-time + max-probes *
         probe-interval) seconds.  Further guidance can be found
         in Section 2.1.5 of RFC DDDD."; 9643.";
      reference
        "RFC 9293: Transmission Control Protocol (TCP)";
      leaf idle-time {
        type uint16 {
          range "1..max";
        }
        units "seconds";
        default 7200; "7200";
        description
          "Sets the amount of time after which if no data has been
           received from the TCP peer, a TCP-level probe
           message will be sent to test the aliveness of the TCP
           peer if no data has been received from the TCP peer.
           Two hours (7200 seconds) is a safe value, per RFC 9293 Section 3.8.4.";
           3.8.4 of RFC 9293.";
        reference
          "RFC 9293: Transmission Control Protocol (TCP)";
      }
      leaf max-probes {
        type uint16 {
          range "1..max";
        }
        default 9; "9";
        description
          "Sets the maximum number of sequential keep-alive keepalive probes
           that can fail to obtain a response from the TCP peer
           before assuming the TCP peer is no longer alive.";
      }
      leaf probe-interval {
        type uint16 {
          range "1..max";
        }
        units "seconds";
        default 75; "75";
        description
          "Sets the time interval between failed probes.  The
           interval SHOULD be significantly longer than one second
           in order to avoid harm on a congested link.";
      }
    } // container keepalives
  } // grouping tcp-common-grouping

}
]]></artwork>
        <t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
]]></sourcecode>
      </section>
    </section>
    <section anchor="tcp-client-model">
      <name>The "ietf-tcp-client" Module</name>
      <t>This section defines a YANG 1.1 module called
        "ietf-tcp-client".  A high-level overview of the module is provided in
        <xref target="client-overview"/>. Examples illustrating the module's use
        are provided in <xref target="client-examples">Examples</xref>. target="client-examples"/> ("Example Usage"). The YANG
        module itself is defined in <xref target="client-yang-module"/>.</t>
      <section anchor="client-overview">
        <name>Data Model Overview</name>
        <t>This section provides an overview of the "ietf-tcp-client" module
          in terms of its features and groupings.</t>
        <section anchor="features" toc="exclude">
          <name>Features</name>
          <t>The following diagram lists all the "feature" statements
            defined in the "ietf-tcp-client" module:</t>
          <artwork><![CDATA[
          <sourcecode type="yangtree"><![CDATA[
Features:
  +-- local-binding-supported
  +-- tcp-client-keepalives
  +-- proxy-connect
      +-- socks4-supported {proxy-connect}?
      +-- socks4a-supported {proxy-connect}?
      +-- socks5-supported {proxy-connect}?
          +-- socks5-gss-api {socks5-supported}?
          +-- socks5-username-password {socks5-supported}?
]]></artwork>
]]></sourcecode>
          <t>Comments:</t>
          <ul>
            <li>The "local-binding-supported" feature indicates that
                the server supports configuring local bindings (i.e.,
            the local address and local port) for TCP clients."</li> clients.</li>
            <li>The "tcp-client-keepalives" feature indicates that
                per socket
                TCP keepalive parameters are configurable for
                TCP clients on the server implementing this feature.</li>
            <li>The "proxy-connect" feature indicates the TCP-client TCP client
                supports connecting through TCP proxies.</li>
            <li>The "socks4-supported" feature indicates the
                TCP-client
                TCP client supports Socks4-based proxies.</li>
            <li>The "socks4a-supported" feature indicates the
                TCP-client
                TCP client supports Socks4a-based proxies.  The difference
                between Socks4 and Socks4a is that Socks4a enables the
                "remote-address" to be specified using a hostname, in
                addition to an IP address.</li>
            <li>The "socks5-supported" feature indicates the
                TCP-client
                TCP client supports Socks5-based proxies.</li>
            <li>The "socks5-gss-api" feature indicates that
                the server, when acting as a TCP-client, TCP client, supports
                authenticating to a SOCKS Version 5 proxy server
                using GSSAPI Generic Security Service Application Program Interface (GSS-API) credentials.</li>
            <li>The "socks5-username-password" feature indicates
                that the server, when acting as a TCP-client, TCP client,
                supports authenticating to a SOCKS Version 5
                proxy server using 'username' "username" and 'password' "password"
                credentials."</li>
          </ul>
          <!--<aside>-->
            <t>The diagram above uses syntax that is similar to but not
              defined in <xref target="RFC8340"/>.</t>
          <!--</aside>-->
        </section>
        <section toc="exclude">
          <name>Groupings</name>
          <t>The "ietf-tcp-client" module defines the following "grouping" statement:</t>
          <ul spacing="compact">
            <li>tcp-client-grouping</li>
          </ul>
          <t>This grouping is presented in the following subsection.</t>
          <section anchor="tcp-client-grouping">
            <name>The "tcp-client-grouping" Grouping</name>
            <t>The following tree diagram <xref target="RFC8340"/> illustrates the
              "tcp-client-grouping" grouping:</t>
            <artwork><![CDATA[
            <sourcecode type="yangtree"><![CDATA[
  grouping tcp-client-grouping:
    +-- remote-address                inet:host
    +-- remote-port?                  inet:port-number
    +-- local-address?                inet:ip-address
    |       {local-binding-supported}?
    +-- local-port?                   inet:port-number
    |       {local-binding-supported}?
    +-- proxy-server! {proxy-connect}?
    |  +-- (proxy-type)
    |     +--:(socks4) {socks4-supported}?
    |     |  +-- socks4-parameters
    |     |     +-- remote-address    inet:ip-address
    |     |     +-- remote-port?      inet:port-number
    |     +--:(socks4a) {socks4a-supported}?
    |     |  +-- socks4a-parameters
    |     |     +-- remote-address    inet:host
    |     |     +-- remote-port?      inet:port-number
    |     +--:(socks5) {socks5-supported}?
    |        +-- socks5-parameters
    |           +-- remote-address               inet:host
    |           +-- remote-port?                 inet:port-number
    |           +-- authentication-parameters!
    |              +-- (auth-type)
    |                 +--:(gss-api) {socks5-gss-api}?
    |                 |  +-- gss-api
    |                 +--:(username-password)
    |                          {socks5-username-password}?
    |                    +-- username-password
    |                       +-- username                string
    |                       +---u ct:password-grouping
    +---u tcpcmn:tcp-common-grouping
]]></artwork>
]]></sourcecode>
            <t>Comments:</t>
            <ul>
              <li>The "remote-address" node, which is mandatory, may be configured as
              an IPv4 address, an IPv6 address, or a hostname.</li>
	      <li>The "remote-port" node is not mandatory, but its default value leaf is defined with neither a "default" nor a "mandatory" statement.  YANG modules using this grouping <bcp14>SHOULD</bcp14> refine the invalid value '0', thus forcing grouping
with a "default" statement, when the consuming data model port number is well-known (e.g., a port number allocated by IANA), or with a
"mandatory" statement, if a port number needs to
                refine it in order always be configured.   The <bcp14>SHOULD</bcp14> can be ignored when the port number is neither well-known nor mandatory to provide it an appropriate default value.</li> configure, such as might be the case when this grouping is used by another grouping.</li>
              <li>The "local-address" node, which is enabled by the "local-binding-supported"
                feature (<xref target="common-features"/>), target="features"/>), may be configured as
                an IPv4 address, an IPv6 address, or a wildcard value.</li>
              <li>The "local-port" node, which is enabled by the "local-binding-supported"
                feature (<xref target="common-features"/>), target="features"/>), is not mandatory. Its default
                value is '0', "0", indicating that the operating system can pick an
                arbitrary port number.</li>
              <li>The "proxy-server" node is enabled by a "feature" statement and, for
                servers that enable it, is a "presence" container so that the descendant
                "mandatory true" choice node does not imply that the proxy-server node
                must be configured.  The proxy-server node uses a "choice" statement
                to allow one of several types of proxies to be configured.  The choices
                presented in this document include Socks4, Socks4a, and Socks5, each
                enabled by a YANG feature (see <xref target="features"/>).  Other proxy
                types may be added by future work.</li>
              <li>This grouping uses the "password-grouping" grouping discussed in
                <xref target="I-D.ietf-netconf-crypto-types"/>.</li> target="RFC9640"/>.</li>
              <li>This grouping uses the "tcp-common-grouping" grouping discussed in
                <xref target="tcp-common-grouping"/>.</li>
            </ul>
          </section>
        </section>
        <section toc="exclude">
          <name>Protocol-accessible
          <name>Protocol-Accessible Nodes</name>
          <t>The "ietf-tcp-client" module defines only "grouping" statements that are used by
          other modules to instantiate protocol-accessible nodes.  Thus  Thus, this module, when
          implemented, does not itself define any protocol-accessible nodes.</t>
        </section>
      </section>
      <section anchor="client-examples">
        <name>Example Usage</name>
        <t>This section presents two examples showing the "tcp-client-grouping" grouping
          populated with some data.  This example shows a TCP-client TCP client configured to
        not connect via a proxy:</t>
        <artwork><![CDATA[
        <sourcecode type="xml"><![CDATA[
<!-- The outermost element below doesn't exist in the data model. -->
<!--  It simulates if the "grouping" were a "container" instead.  -->

<tcp-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp-client">
  <remote-address>www.example.com</remote-address>
  <remote-port>8443</remote-port>
  <local-address>192.0.2.2</local-address>
  <local-port>12345</local-port>
  <keepalives>
    <idle-time>7200</idle-time>
    <max-probes>9</max-probes>
    <probe-interval>75</probe-interval>
  </keepalives>
</tcp-client>
]]></artwork>
]]></sourcecode>
        <t>This example shows a TCP-client TCP client configured to connect via a proxy:</t>
        <artwork><![CDATA[ proxy.</t>
        <sourcecode type="xml"><![CDATA[
<!-- The outermost element below doesn't exist in the data model. -->
<!--  It simulates if the "grouping" were a "container" instead.  -->

<tcp-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp-client">
  <remote-address>www.example.com</remote-address>
  <remote-port>8443</remote-port>
  <local-address>192.0.2.2</local-address>
  <local-port>12345</local-port>
  <proxy-server>
    <socks5-parameters>
      <remote-address>proxy.example.com</remote-address>
      <remote-port>1080</remote-port>
      <authentication-parameters>
        <username-password>
          <username>foobar</username>
          <cleartext-password>secret</cleartext-password>
        </username-password>
      </authentication-parameters>
    </socks5-parameters>
  </proxy-server>
  <keepalives>
    <idle-time>7200</idle-time>
    <max-probes>9</max-probes>
    <probe-interval>75</probe-interval>
  </keepalives>
</tcp-client>
]]></artwork>
]]></sourcecode>
      </section>
      <section anchor="client-yang-module">
        <name>YANG Module</name>
        <t>The ietf-tcp-client "ietf-tcp-client" YANG module references <xref target="SOCKS"/>, <xref target="SOCKS_4A"/>, <xref target="RFC1928"/>,
        <xref target="RFC1929"/>, <xref target="RFC2743"/>, <xref target="RFC6991"/>,
        <xref target="RFC9293"/>, and <xref target="I-D.ietf-netconf-crypto-types"/>.</t>
        <t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tcp-client@2024-04-04.yang"</t>
        <artwork><![CDATA[ target="RFC9640"/>.</t>
        <sourcecode name="ietf-tcp-client@2024-04-04.yang" type="yang" markers="true"><![CDATA[
module ietf-tcp-client {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client";
  prefix tcpc;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-crypto-types {
    prefix ct;
    reference
      "RFC AAAA: 9640: YANG Data Types and Groupings for Cryptography";
  }

  import ietf-tcp-common {
    prefix tcpcmn;
    reference
      "RFC DDDD: 9643: YANG Groupings for TCP Clients and TCP Servers";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group and the
     IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";

  contact
    "WG Web:   https://datatracker.ietf.org/wg/netconf
               https://datatracker.ietf.org/wg/tcpm
     WG List:  NETCONF WG list <mailto:netconf@ietf.org>
               TCPM WG list <mailto:tcpm@ietf.org>
     Authors:  Kent Watsen <mailto:kent+ietf@watsen.net>
               Michael Scharf
               <mailto:michael.scharf@hs-esslingen.de>";

  description
    "This module defines reusable groupings for TCP clients that
     can be used as a basis for specific TCP client instances.

     Copyright (c) 2024 IETF Trust and the persons identified
     as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC DDDD
     (https://www.rfc-editor.org/info/rfcDDDD); 9643
     (https://www.rfc-editor.org/info/rfc9643); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here."; notices.";

  revision 2024-04-04 {
    description
      "Initial version"; version.";
    reference
      "RFC DDDD: 9643: YANG Groupings for TCP Clients and TCP Servers";
  }

  // Features

  feature local-binding-supported {
    description
      "Indicates that the server supports configuring local
       bindings (i.e., the local address and local port) for
       TCP clients.";
  }

  feature tcp-client-keepalives {
    description
      "Per socket TCP
      "TCP keepalive parameters are configurable for
       TCP clients on the server implementing this feature.";
    reference
      "RFC 9293: Transmission Control Protocol (TCP)";
  }

  feature proxy-connect {
    description
      "Indicates the TCP-client TCP client supports connecting through
       TCP proxies.";
  }

  feature socks4-supported {
    if-feature proxy-connect; "proxy-connect";
    description
      "Indicates the TCP-client TCP client supports Socks4-based proxies.";
    reference
      "SOCKS Proceedings: 1992 Usenix Security Symposium."; Symposium";
  }

  feature socks4a-supported {
    if-feature proxy-connect; "proxy-connect";
    description
      "Indicates the TCP-client TCP client supports Socks4a-based proxies.";
    reference
      "OpenSSH message:
         SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
         https://www.openssh.com/txt/socks4a.protocol.";
         <https://www.openssh.com/txt/socks4a.protocol>";
  }

  feature socks5-supported {
    if-feature proxy-connect; "proxy-connect";
    description
      "Indicates the TCP-client TCP client supports Socks5-based proxies.";
    reference
      "RFC 1928: SOCKS Protocol Version 5";
  }

  feature socks5-gss-api {
    if-feature socks5-supported; "socks5-supported";
    description
      "Indicates that the server, when acting as a TCP-client, TCP client,
       supports authenticating to a SOCKS Version 5 proxy server
       using GSSAPI GSS-API credentials.";
    reference
      "RFC 1928: SOCKS Protocol Version 5";
  }

  feature socks5-username-password {
    if-feature socks5-supported; "socks5-supported";
    description
      "Indicates that the server, when acting as a TCP-client, TCP client,
       supports authenticating to a SOCKS Version 5 proxy server
       using 'username' and 'password' credentials.";
    reference
      "RFC 1928: SOCKS Protocol Version 5";
  }

  // Groupings

  grouping tcp-client-grouping {
    description
      "A reusable grouping for configuring a TCP client.

       Note that this grouping uses fairly typical descendant
       node names such that a stack of 'uses' statements will
       have name conflicts.  It is intended that the consuming
       data model will resolve the issue (e.g., by wrapping
       the 'uses' statement in a container called
       'tcp-client-parameters').  This model purposely does
       not do this itself so as to provide maximum flexibility
       to consuming models.";

    leaf remote-address {
      type inet:host;
      mandatory true;
      description
        "The IP address or hostname of the remote peer to
         establish a connection with.  If a domain name is
         configured, then the DNS resolution should happen on
         each connection attempt.  If the DNS resolution
         results in multiple IP addresses, the IP addresses
         are tried according to local preference order until
         a connection has been established or until all IP
         addresses have failed.";
    }
    leaf remote-port {
      type inet:port-number;
      default "0";
      description
        "The IP port number for of the remote peer to establish a
         connection with.  An invalid default value is used
         so that importing modules may 'refine' it with the
         appropriate default port number value."; TCP server.";
    }
    leaf local-address {
      if-feature "local-binding-supported";
      type inet:ip-address;
      description
        "The local IP address/interface to bind to for when
         connecting to the remote peer.  INADDR_ANY ('0.0.0.0') or
         INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
         explicitly indicate the implicit default, that which the server
         can bind to any IPv4 or IPv6 address.";
    }
    leaf local-port {
      if-feature "local-binding-supported";
      type inet:port-number;
      default "0";
      description
        "The local IP port number to bind to for when connecting
         to the remote peer.  The port number '0', which is the
         default value, indicates that any available local port
         number may be used.";
    }
    container proxy-server {
      if-feature "proxy-connect";
      presence "Indicates that a proxy connection has been
                configured. Present so that the mandatory
                descendant nodes do not imply that this node
                must be configured.";
      choice proxy-type {
        mandatory true;
        description
          "Selects a proxy connection protocol.";
        case socks4 {
          if-feature socks4-supported; "socks4-supported";
          container socks4-parameters {
            leaf remote-address {
              type inet:ip-address;
              mandatory true;
              description
                "The IP address of the proxy server.";
            }
            leaf remote-port {
              type inet:port-number;
              default "1080";
              description
                "The IP port number for the proxy server.";
            }
            description
              "Parameters for connecting to a TCP-based proxy
               server using the SOCKS4 protocol.";
            reference
              "SOCKS,
              "SOCKS Proceedings: 1992 Usenix Security Symposium."; Symposium";
          }
        }
        case socks4a {
          if-feature socks4a-supported; "socks4a-supported";
          container socks4a-parameters {
            leaf remote-address {
              type inet:host;
              mandatory true;
              description
                "The IP address or hostname of the proxy server.";
            }
            leaf remote-port {
              type inet:port-number;
              default "1080";
              description
                "The IP port number for the proxy server.";
            }
            description
              "Parameters for connecting to a TCP-based proxy
               server using the SOCKS4a protocol.";
            reference
              "SOCKS Proceedings:
                 1992 Usenix Security Symposium. Symposium
               OpenSSH message:
                 SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
                 https://www.openssh.com/txt/socks4a.protocol";
                 <https://www.openssh.com/txt/socks4a.protocol>";
          }
        }
        case socks5 {
          if-feature socks5-supported; "socks5-supported";
          container socks5-parameters {
            leaf remote-address {
              type inet:host;
              mandatory true;
              description
                "The IP address or hostname of the proxy server.";
            }
            leaf remote-port {
              type inet:port-number;
              default "1080";
              description
                "The IP port number for the proxy server.";
            }
            container authentication-parameters {
              presence "Indicates that an authentication mechanism
                        has been configured.  Present so that the
                        mandatory descendant nodes do not imply that
                        this node must be configured.";
              description
                "A container for SOCKS Version 5 authentication
                 mechanisms.

                 A complete list of methods is defined at:
                 https://www.iana.org/assignments/socks-methods
                 /socks-methods.xhtml.";
                 <https://www.iana.org/assignments/socks-methods>.";
              reference
                "RFC 1928: SOCKS Protocol Version 5";
              choice auth-type {
                mandatory true;
                description
                  "A choice amongst supported SOCKS Version 5
                   authentication mechanisms.";
                case gss-api {
                  if-feature "socks5-gss-api";
                  container gss-api {
                    description
                      "Contains GSS-API configuration.  Defines
                       as an empty container to enable specific
                       GSS-API configuration to be augmented in
                       by future modules.";
                    reference
                      "RFC 1928: SOCKS Protocol Version 5
                       RFC 2743: Generic Security Service
                                 Application Program Interface
                                 Version 2, Update 1";
                  }
                }
                case username-password {
                  if-feature "socks5-username-password";
                  container username-password {
                    leaf username {
                      type string;
                      mandatory true;
                      description
                        "The 'username' value to use for client
                         identification.";
                    }
                    uses ct:password-grouping {
                      description
                        "The password to be used for client
                         authentication.";
                    }
                    description
                      "Contains Username/Password username/password configuration.";
                    reference
                      "RFC 1929: Username/Password Authentication
                                 for SOCKS V5";
                  }
                }
              }
            }
            description
              "Parameters for connecting to a TCP-based proxy server
               using the SOCKS5 protocol.";
            reference
              "RFC 1928: SOCKS Protocol Version 5";
          }
        }
      }
      description
        "Proxy server settings.";
    }

    uses tcpcmn:tcp-common-grouping {
      refine "keepalives" {
        if-feature "tcp-client-keepalives";
        description
          "An if-feature 'if-feature' statement so that implementations
           can choose to support TCP client keepalives.";
      }
    }
  }
}
]]></artwork>
        <t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
]]></sourcecode>
      </section>
    </section>
    <section anchor="tcp-server-model">
      <name>The "ietf-tcp-server" Module</name>
      <t>This section defines a YANG 1.1 module called
        "ietf-tcp-server".  A high-level overview of the module is provided in
        <xref target="server-overview"/>. Examples illustrating the module's use
        are provided in <xref target="server-examples">Examples</xref>. target="server-examples"/> ("Example Usage"). The YANG
        module itself is defined in <xref target="server-yang-module"/>.</t>
      <section anchor="server-overview">
        <name>Data Model Overview</name>
        <t>This section provides an overview of the "ietf-tcp-server" module
          in terms of its features and groupings.</t>
        <section toc="exclude">
          <name>Features</name>
          <t>The following diagram lists all the "feature" statements
            defined in the "ietf-tcp-server" module:</t>
          <artwork><![CDATA[
          <sourcecode type="yangtree"><![CDATA[
Features:
  +-- tcp-server-keepalives
]]></artwork>
          <!--<aside>-->
]]></sourcecode>
            <t>The diagram above uses syntax that is similar to but not
              defined in <xref target="RFC8340"/>.</t>
          <!--</aside>-->
        </section>
        <section toc="exclude">
          <name>Groupings</name>
          <t>The "ietf-tcp-server" module defines the following "grouping" statement:</t>
          <ul spacing="compact">
            <li>tcp-server-grouping</li>
          </ul>
          <t>This grouping is presented in the following subsection.</t>
          <section anchor="tcp-server-grouping">
            <name>The "tcp-server-grouping" Grouping</name>
            <t>The following tree diagram <xref target="RFC8340"/> illustrates the
              "tcp-server-grouping" grouping:</t>
            <artwork><![CDATA[
            <sourcecode type="yangtree"><![CDATA[
  grouping tcp-server-grouping:
    +-- local-bind* [local-address]
    |  +-- local-address? local-address   inet:ip-address
    |  +-- local-port?     inet:port-number
    +---u tcpcmn:tcp-common-grouping
]]></artwork>
]]></sourcecode>
            <t>Comments:</t>
            <ul>
              <li>The "local-address" node, which is mandatory, may be configured as
                an IPv4 address, an IPv6 address, or a wildcard value.</li>
              <li>The "local-port" node is not mandatory, but its default value leaf is defined with neither a "default" nor a "mandatory"
statement.  YANG modules using this grouping <bcp14>SHOULD</bcp14> refine the invalid value '0', thus forcing
grouping with a "default" statement, when the consuming data model port number is well-known (e.g., a port number allocated by IANA), or with a "mandatory" statement,	if a port number needs to
                refine it in order always be configured.   The <bcp14>SHOULD</bcp14> can be ignored when the port number is neither well-known nor mandatory to provide it an appropriate default value.</li> configure, such as might be the case when this grouping is used by another grouping.</li>
              <li>This grouping uses the "tcp-common-grouping" grouping discussed in
                <xref target="tcp-common-grouping"/>.</li>
            </ul>
          </section>
        </section>
        <section toc="exclude">
          <name>Protocol-accessible
          <name>Protocol-Accessible Nodes</name>
          <t>The "ietf-tcp-server" module defines only "grouping" statements that are used by
            other modules to instantiate protocol-accessible nodes.  Thus  Thus, this module, when
            implemented, does not itself define any protocol-accessible nodes.</t>
        </section>
      </section>
      <section anchor="server-examples">
        <name>Example Usage</name>
        <t>This section presents an example showing the "tcp-server-grouping" grouping
        populated with some data.</t>
        <artwork><![CDATA[
        <sourcecode type="xml"><![CDATA[
<!-- The outermost element below doesn't exist in the data model. -->
<!--  It simulates if the "grouping" were a "container" instead.  -->

<tcp-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp-server">
  <local-bind>
    <local-address>192.0.2.2</local-address>
    <local-port>49152</local-port>
  </local-bind>
  <keepalives>
    <idle-time>7200</idle-time>
    <max-probes>9</max-probes>
    <probe-interval>75</probe-interval>
  </keepalives>
</tcp-server>
]]></artwork>
]]></sourcecode>
      </section>
      <section anchor="server-yang-module">
        <name>YANG Module</name>
        <t>The ietf-tcp-server "ietf-tcp-server" YANG module references <xref target="RFC6991"/>
           and <xref target="RFC9293"/>.</t>
        <t keepWithNext="true">&lt;CODE BEGINS&gt; file "ietf-tcp-server@2024-04-04.yang"</t>
        <artwork><![CDATA[
        <sourcecode name="ietf-tcp-server@2024-04-04.yang" type="yang" markers="true"><![CDATA[
module ietf-tcp-server {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server";
  prefix tcps;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-tcp-common {
    prefix tcpcmn;
    reference
      "RFC DDDD: 9643: YANG Groupings for TCP Clients and TCP Servers";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group and the
     IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";

  contact
    "WG Web:   https://datatracker.ietf.org/wg/netconf
               https://datatracker.ietf.org/wg/tcpm
     WG List:  NETCONF WG list <mailto:netconf@ietf.org>
               TCPM WG list <mailto:tcpm@ietf.org>
     Authors:  Kent Watsen <mailto:kent+ietf@watsen.net>
               Michael Scharf
               <mailto:michael.scharf@hs-esslingen.de>";

  description
    "This module defines reusable groupings for TCP servers that
     can be used as a basis for specific TCP server instances.

     Copyright (c) 2024 IETF Trust and the persons identified
     as authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC DDDD
     (https://www.rfc-editor.org/info/rfcDDDD); 9643
     (https://www.rfc-editor.org/info/rfc9643); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here."; notices.";

  revision 2024-04-04 {
    description
      "Initial version"; version.";
    reference
      "RFC DDDD: 9643: YANG Groupings for TCP Clients and TCP Servers";
  }

  // Features

  feature tcp-server-keepalives {
    description
      "Per socket TCP
      "TCP keepalive parameters are configurable for
       TCP servers on the server implementing this feature.";
    reference
      "RFC 9293: Transmission Control Protocol (TCP)";
  }

  // Groupings

  grouping tcp-server-grouping {
    description
      "A reusable grouping for configuring a TCP server.

       Note that this grouping uses fairly typical descendant
       node names such that a stack of 'uses' statements will
       have name conflicts.  It is intended that the consuming
       data model will resolve the issue (e.g., by wrapping
       the 'uses' statement in a container called
       'tcp-server-parameters').  This model purposely does
       not do this itself so as to provide maximum flexibility
       to consuming models.";
    list local-bind {
      key local-address; "local-address";
      min-elements 1;
      description
        "A list of bind (listen) points for this server
         instance.  A server instance may have multiple
         bind points to support, e.g., the same port in
         different address families or different ports
         in the same address family.";
      leaf local-address {
        type inet:ip-address;
        description
          "The local IP address to listen on for incoming
           TCP client connections.  To configure listening
           on all IPv4 addresses addresses, the value must be '0.0.0.0'
           (INADDR_ANY).  To configure listening on all IPv6
           addresses
           addresses, the value must be '::' (INADDR6_ANY).";
      }
      leaf local-port {
        type inet:port-number;
        default "0";
        description
          "The local port number to listen on for incoming TCP
           client connections.  An invalid default value (0)
           is used (instead of 'mandatory true') so that an
           application level data model may 'refine' it with
           an application specific default port number value."; connections.";
      }
    }
    uses tcpcmn:tcp-common-grouping {
      refine "keepalives" {
        if-feature "tcp-server-keepalives";
        description
          "An if-feature 'if-feature' statement so that implementations
           can choose to support TCP server keepalives.";
      }
    }
  }
}
]]></artwork>
        <t keepWithPrevious="true">&lt;CODE ENDS&gt;</t>
]]></sourcecode>
      </section>
    </section>
    <section>
      <name>Security Considerations</name>
      <t>The three YANG modules in this document define groupings and will
        not be deployed as standalone modules. Their security implications
        may be context dependent context-dependent based on their use in other modules.  The
        designers of modules which that import these grouping groupings must conduct their
        own analysis of the security considerations.</t>
	<section>
        <name>Considerations for the "ietf-tcp-common" YANG Module</name>
        <t>This section follows is modeled after the template defined in <xref section="3.7.1" sectionFormat="of" target="RFC8407"/>.</t>
        <t>The "ietf-tcp-common" YANG module defines "grouping" statements
          that are designed to be accessed via YANG based YANG-based management
          protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF
          <xref target="RFC8040"/>.  Both of these protocols have
          mandatory-to-implement secure transport layers (e.g., SSH, TLS)
          with
   Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xref target="RFC9000"/>) and
   mandatory-to-implement mutual authentication.</t>
        <t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/>
          provides the means to restrict access for particular users to a
          pre-configured
          preconfigured subset of all available protocol operations and
          content.</t>
        <t>Please be aware that this YANG module uses groupings from
          other YANG modules that define nodes that may be considered
          sensitive or vulnerable in network environments.  Please
          review the Security Considerations security considerations for dependent YANG modules
          for information as to which nodes may be considered sensitive
          or vulnerable in network environments.</t>
        <t>None of the readable data nodes defined in this YANG module are
          considered sensitive or vulnerable in network environments.
          The NACM "default-deny-all" extension has not been set for
          any data nodes defined in this module.</t>
        <t>None of the writable data nodes defined in this YANG module are
          considered sensitive or vulnerable in network environments.
          The NACM "default-deny-write" extension has not been set for
          any data nodes defined in this module.</t>
        <t>This module does not define any RPCs, actions, or notifications,
          and thus thus, the security consideration considerations for such is are not provided here.</t>
      </section>
      <section>
        <name>Considerations for the "ietf-tcp-client" YANG Module</name>
        <t>This section follows is modeled after the template defined in <xref section="3.7.1" sectionFormat="of" target="RFC8407"/>.</t>
        <t>The "ietf-tcp-client" YANG module defines "grouping" statements
          that are designed to be accessed via YANG based YANG-based management
          protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF
          <xref target="RFC8040"/>.  Both of these protocols have
          mandatory-to-implement secure transport layers (e.g., SSH, TLS)
          with
   Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xref target="RFC9000"/>) and
   mandatory-to-implement mutual authentication.</t>
        <t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/>
          provides the means to restrict access for particular users to a
          pre-configured
          preconfigured subset of all available protocol operations and
          content.</t>
        <t>Please be aware that this YANG module uses groupings from
          other YANG modules that define nodes that may be considered
          sensitive or vulnerable in network environments.  Please
          review the Security Considerations security considerations for dependent YANG modules
          for information as to which nodes may be considered sensitive
          or vulnerable in network environments.</t>
        <t>One readable data node defined in this YANG module may be considered
          sensitive or vulnerable in some network environments. This
          node is as follows:
        </t>
        <ul spacing="normal">
          <li>
            <t>The "proxy-server/socks5-parameters/authentication-parameters/username-password/password" node:
            </t>
            <ul empty="true">
              <li>The "password" node defined in the "tcp-client-grouping"
                  grouping is defined using the "password-grouping" grouping
                  presented in <xref target="I-D.ietf-netconf-crypto-types"/>. target="RFC9640"/>.
                  This grouping enables both cleartext and encrypted passwords
                  to be configured.  As the referenced document states, configuration
                  of cleartext passwords is NOT RECOMMENDED. <bcp14>NOT RECOMMENDED</bcp14>.  However, in the
                  case cleartext values are configured, this node is additionally
                  sensitive to read operations such that, in normal use cases,
                  it should never be returned to a client.  For this reason, the
                  NACM extension "default-deny-all" extension has been applied to it.</li>
            </ul>
          </li>
        </ul>
        <t>None of the writable data nodes defined in this YANG module are
          considered sensitive or vulnerable in network environments.
          The NACM "default-deny-write" extension has not been set for
          any data nodes defined in this module.</t>
        <t>This module does not define any RPCs, actions, or notifications,
          and thus thus, the security consideration considerations for such is are not provided here.</t>
        <t>Implementations are RECOMMENDED <bcp14>RECOMMENDED</bcp14> to implement the "local-binding-supported"
          feature for cryptographically-secure protocols, cryptographically secure protocols so as to enable more
          granular ingress/egress firewall rulebases. rule bases.  It is NOT RECOMMENDED <bcp14>NOT RECOMMENDED</bcp14> to
          implement this feature for unsecure protocols, as per <xref target="RFC6056"/>.</t>
      </section>
      <section>
        <name>Considerations for the "ietf-tcp-server" YANG Module</name>
        <t>This section follows is modeled after the template defined in <xref section="3.7.1" sectionFormat="of" target="RFC8407"/>.</t>
        <t>The "ietf-tcp-server" YANG module defines "grouping" statements
          that are designed to be accessed via YANG based YANG-based management
          protocols, such as NETCONF <xref target="RFC6241"/> and RESTCONF
          <xref target="RFC8040"/>.  Both of these protocols have
          mandatory-to-implement secure transport layers (e.g., SSH, TLS)
          with
   Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="RFC8446"/>, and QUIC <xref target="RFC9000"/>) and
   mandatory-to-implement mutual authentication.</t>
        <t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/>
          provides the means to restrict access for particular users to a
          pre-configured
          preconfigured subset of all available protocol operations and
          content.</t>
        <t>Please be aware that this YANG module uses groupings from
          other YANG modules that define nodes that may be considered
          sensitive or vulnerable in network environments.  Please
          review the Security Considerations security considerations for dependent YANG modules
          for information as to which nodes may be considered sensitive
          or vulnerable in network environments.</t>
        <t>None of the readable data nodes defined in this YANG module are
          considered sensitive or vulnerable in network environments.
          The NACM "default-deny-all" extension has not been set for
          any data nodes defined in this module.</t>
        <t>None of the writable data nodes defined in this YANG module are
          considered sensitive or vulnerable in network environments.
          The NACM "default-deny-write" extension has not been set for
          any data nodes defined in this module.</t>
        <t>This module does not define any RPCs, actions, or notifications,
          and thus thus, the security consideration considerations for such is are not provided here.</t>
      </section>
    </section>
    <section>
      <name>IANA Considerations</name>
      <section>
        <name>The "IETF XML" IETF XML Registry</name>
        <t>This document registers three URIs
        <t>IANA has registered the following URI in the "ns" subregistry registry of
  the
        IETF "IETF XML Registry <xref target="RFC3688"/>. Following the format in Registry" <xref target="RFC3688"/>, the following registrations are
        requested:</t>
        <artwork><![CDATA[
   URI: urn:ietf:params:xml:ns:yang:ietf-tcp-common
   Registrant Contact: The IESG
   XML: N/A, target="RFC3688"/>.</t>
<dl newline="false" spacing="compact">
   <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-common</dd>
   <dt>Registrant Contact:</dt> <dd>The IESG</dd>
   <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-tcp-client
   Registrant Contact: The IESG
   XML: N/A, namespace.</dd>
</dl>

<dl newline="false" spacing="compact">
   <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-client</dd>
   <dt>Registrant Contact:</dt> <dd>The IESG</dd>
   <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-tcp-server
   Registrant Contact: The IESG
   XML: N/A, namespace.</dd>
</dl>

<dl newline="false" spacing="compact">
   <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-server</dd>
   <dt>Registrant Contact:</dt> <dd>The IESG</dd>
   <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.
]]></artwork> namespace.</dd>
</dl>
      </section>
      <section>
        <name>The "YANG YANG Module Names" Names Registry</name>
        <t>This document registers
        <t>IANA has registered the following three YANG modules in the YANG "YANG Module Names Names"
        registry <xref target="RFC6020"/>. Following the format in <xref target="RFC6020"/>, the following registrations are requested:</t>
        <artwork><![CDATA[
   name:         ietf-tcp-common
   namespace:    urn:ietf:params:xml:ns:yang:ietf-tcp-common
   prefix:       tcpcmn
   reference:    RFC DDDD

   name:         ietf-tcp-client
   namespace:    urn:ietf:params:xml:ns:yang:ietf-tcp-client
   prefix:       tcpc
   reference:    RFC DDDD

   name:         ietf-tcp-server
   namespace:    urn:ietf:params:xml:ns:yang:ietf-tcp-server
   prefix:       tcps
   reference:    RFC DDDD
]]></artwork> </t>
<dl newline="false" spacing="compact">
   <dt>Name:</dt>         <dd>ietf-tcp-common</dd>
   <dt>Namespace:</dt>    <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-common</dd>
   <dt>Prefix:</dt>       <dd>tcpcmn</dd>
   <dt>Reference:</dt>    <dd>RFC 9643</dd>
</dl>
<dl newline="false" spacing="compact">
   <dt>Name:</dt>         <dd>ietf-tcp-client</dd>
   <dt>Namespace:</dt>    <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-client</dd>
   <dt>Prefix:</dt>       <dd>tcpc</dd>
   <dt>Reference:</dt>    <dd>RFC 9643</dd>
</dl>
<dl newline="false" spacing="compact">
   <dt>Name:</dt>         <dd>ietf-tcp-server</dd>
   <dt>Namespace:</dt>    <dd>urn:ietf:params:xml:ns:yang:ietf-tcp-server</dd>
   <dt>Prefix:</dt>       <dd>tcps</dd>
   <dt>Reference:</dt>    <dd>RFC 9643</dd>
</dl>
      </section>
    </section>
  </middle>
  <back>

<displayreference target="I-D.ietf-netconf-http-client-server"
to="HTTP-CLIENT-SERVER"/>
<displayreference target="I-D.ietf-netconf-netconf-client-server"
to="NETCONF-CLIENT-SERVER"/>
<displayreference target="I-D.ietf-netconf-restconf-client-server"
to="RESTCONF-CLIENT-SERVER"/>

    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>

	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4252.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6991.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9293.xml"/>

	<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC6020" target="https://www.rfc-editor.org/info/rfc6020" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"> anchor="RFC9640" target="https://www.rfc-editor.org/info/rfc9640">
	  <front>
	    <title>YANG - A Data Modeling Language Types and Groupings for the Network Configuration Protocol (NETCONF)</title> Cryptography</title>
	    <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/> initials="K." surname="Watsen" fullname="Kent Watsen">
	      <organization>Watsen Networks</organization>
	    </author>
	    <date month="October" year="2010"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t>
            </abstract> year="2024"/>
	  </front>
	  <seriesInfo name="RFC" value="6020"/> value="9640"/>
	  <seriesInfo name="DOI" value="10.17487/RFC6020"/> value="10.17487/RFC9640"/>
	</reference>

      </references>
      <references>
        <name>Informative References</name>

	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1928.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1929.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2743.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6056.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8407.xml"/>
	<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/>
	<reference anchor="RFC6991" target="https://www.rfc-editor.org/info/rfc6991" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6991.xml"> anchor="RFC9641" target="https://www.rfc-editor.org/info/rfc9641">
	  <front>
            <title>Common
	    <title>A YANG Data Types</title> Model for a Truststore</title>
	    <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/> initials="K." surname="Watsen" fullname="Kent Watsen">
	      <organization>Watsen Networks</organization>
	    </author>
	    <date month="July" year="2013"/>
            <abstract>
              <t>This document introduces a collection of common data types to be used with the YANG data modeling language. This document obsoletes RFC 6021.</t>
            </abstract> month="October" year="2024"/>
	  </front>
	  <seriesInfo name="RFC" value="6991"/> value="9641"/>
	  <seriesInfo name="DOI" value="10.17487/RFC6991"/> value="10.17487/RFC9641"/>
	</reference>

	<reference anchor="RFC7950" target="https://www.rfc-editor.org/info/rfc7950" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"> anchor="RFC9642" target="https://www.rfc-editor.org/info/rfc9642">
	  <front>
            <title>The
	    <title>A YANG 1.1 Data Modeling Language</title>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications Model for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7950"/>
          <seriesInfo name="DOI" value="10.17487/RFC7950"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> Keystore</title>
	    <author fullname="B. Leiba" initials="B." surname="Leiba"/> initials="K." surname="Watsen" fullname="Kent Watsen">
	      <organization>Watsen Networks</organization>
	    </author>
	    <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract> month="October" year="2024"/>
	  </front>
	  <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/> value="9642"/>
	  <seriesInfo name="DOI" value="10.17487/RFC8174"/> value="10.17487/RFC9642"/>
	</reference>

	<reference anchor="RFC8341" target="https://www.rfc-editor.org/info/rfc8341" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"> anchor="RFC9644" target="https://www.rfc-editor.org/info/rfc9644">
	  <front>
            <title>Network Configuration Access Control Model</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access
	    <title>YANG Groupings for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations SSH Clients and content. This document defines such an access control model.</t>
              <t>This document obsoletes RFC 6536.</t>
            </abstract> SSH Servers</title>
	    <author initials="K." surname="Watsen" fullname="Kent Watsen">
	      <organization>Watsen Networks</organization>
	    </author>
	    <date month="October" year="2024"/>
	  </front>
	  <seriesInfo name="STD" value="91"/>
          <seriesInfo name="RFC" value="8341"/> value="9644"/>
	  <seriesInfo name="DOI" value="10.17487/RFC8341"/> value="10.17487/RFC9644"/>
	</reference>

	<reference anchor="RFC9293" target="https://www.rfc-editor.org/info/rfc9293" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9293.xml"> anchor="RFC9645" target="https://www.rfc-editor.org/info/rfc9645">
	  <front>
            <title>Transmission Control Protocol (TCP)</title>
	    <title>YANG Groupings for TLS Clients and TLS Servers</title>
	    <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/> initials="K." surname="Watsen" fullname="Kent Watsen">
	      <organization>Watsen Networks</organization>
	    </author>
	    <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
            </abstract> month="October" year="2024"/>
	  </front>
	  <seriesInfo name="STD" value="7"/>
          <seriesInfo name="RFC" value="9293"/> value="9645"/>
	  <seriesInfo name="DOI" value="10.17487/RFC9293"/> value="10.17487/RFC9645"/>
	</reference>

<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-crypto-types.xml"/>
      </references>
      <references>
        <name>Informative References</name> href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-http-client-server"/>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-netconf-client-server"/>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-restconf-client-server"/>

        <reference anchor="RFC1928" target="https://www.rfc-editor.org/info/rfc1928" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1928.xml"> anchor="SOCKS_4A" target="https://www.openssh.com/txt/socks4a.protocol">
          <front>
            <title>SOCKS Protocol Version 5</title>
            <author fullname="M. Leech" initials="M." surname="Leech"/>
            <author fullname="M. Ganis" initials="M." surname="Ganis"/> 4A: A Simple Extension to SOCKS 4 Protocol</title>
            <author fullname="Y. fullname="Ying-Da Lee" initials="Y." surname="Lee"/>
            <author fullname="R. Kuris" initials="R." surname="Kuris"/>
            <author fullname="D. Koblas" initials="D." surname="Koblas"/>
            <author fullname="L. Jones" initials="L." surname="Jones"/>
            <date month="March" year="1996"/>
            <abstract>
              <t>This memo describes a protocol that is an evolution of the previous version of the protocol, version 4 [1]. This new protocol stems from active discussions and prototype implementations. [STANDARDS-TRACK]</t>
            </abstract> surname="Lee" initials="Y."/>
          </front>
          <seriesInfo name="RFC" value="1928"/>
          <seriesInfo name="DOI" value="10.17487/RFC1928"/>
        </reference>

	<reference anchor="RFC1929" target="https://www.rfc-editor.org/info/rfc1929" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1929.xml"> anchor="SOCKS" target="https://www.usenix.org/legacy/publications/library/proceedings/sec92/full_papers/koblas.pdf">
	  <front>
            <title>Username/Password Authentication for SOCKS V5</title>
	    <title>SOCKS</title>
	    <author fullname="M. Leech" initials="M." surname="Leech"/>
            <date month="March" year="1996"/>
            <abstract>
              <t>The protocol specification for SOCKS Version 5 specifies a generalized framework for the use of arbitrary authentication protocols in the initial socks connection setup. This document describes one of those protocols, as it fits into the SOCKS Version 5 authentication "subnegotiation". [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1929"/>
          <seriesInfo name="DOI" value="10.17487/RFC1929"/>
        </reference>
        <reference anchor="RFC2743" target="https://www.rfc-editor.org/info/rfc2743" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2743.xml">
          <front>
            <title>Generic Security Service Application Program Interface Version 2, Update 1</title> fullname="David Koblas" surname="Koblas" initials="D."/>
	    <author fullname="J. Linn" initials="J." surname="Linn"/> fullname="Michelle R. Koblas" surname="Koblas" initials="M."/>
	    <date month="January" year="2000"/>
            <abstract>
              <t>This memo obsoletes [STANDARDS-TRACK]</t>
            </abstract> month="September" year="1992"/>
	  </front>
          <seriesInfo name="RFC" value="2743"/>
          <seriesInfo name="DOI" value="10.17487/RFC2743"/>
	  <refcontent>USENIX UNIX Security Symposium III</refcontent>
	</reference>

<reference anchor="RFC3688" target="https://www.rfc-editor.org/info/rfc3688" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"> anchor="W3C.REC-xml-20081126"
target="https://www.w3.org/TR/2008/REC-xml-20081126/">
  <front>
            <title>The IETF XML Registry</title>
            <author fullname="M. Mealling" initials="M." surname="Mealling"/>
            <date month="January" year="2004"/>
            <abstract>
              <t>This document describes an IANA maintained registry for IETF standards which use Extensible
    <title>Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="81"/>
          <seriesInfo name="RFC" value="3688"/>
          <seriesInfo name="DOI" value="10.17487/RFC3688"/>
        </reference>
        <reference anchor="RFC6056" target="https://www.rfc-editor.org/info/rfc6056" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6056.xml">
          <front>
            <title>Recommendations for Transport-Protocol Port Randomization</title>
            <author fullname="M. Larsen" initials="M." surname="Larsen"/>
            <author fullname="F. Gont" initials="F." surname="Gont"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers). This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="156"/>
          <seriesInfo name="RFC" value="6056"/>
          <seriesInfo name="DOI" value="10.17487/RFC6056"/>
        </reference>
        <reference anchor="RFC6241" target="https://www.rfc-editor.org/info/rfc6241" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml">
          <front>
            <title>Network Configuration Protocol (NETCONF)</title>
            <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
            <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6241"/>
          <seriesInfo name="DOI" value="10.17487/RFC6241"/>
        </reference>
        <reference anchor="RFC8040" target="https://www.rfc-editor.org/info/rfc8040" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml">
          <front>
            <title>RESTCONF Protocol</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8040"/>
          <seriesInfo name="DOI" value="10.17487/RFC8040"/>
        </reference>
        <reference anchor="RFC8340" target="https://www.rfc-editor.org/info/rfc8340" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml">
          <front>
            <title>YANG Tree Diagrams</title> 1.0
    (Fifth Edition)</title>
    <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/> initials="T." surname="Bray" fullname="Tim Bray"/>
    <author fullname="L. Berger" initials="L." role="editor" surname="Berger"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="215"/>
          <seriesInfo name="RFC" value="8340"/>
          <seriesInfo name="DOI" value="10.17487/RFC8340"/>
        </reference>
        <reference anchor="RFC8342" target="https://www.rfc-editor.org/info/rfc8342" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml">
          <front>
            <title>Network Management Datastore Architecture (NMDA)</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." surname="Schoenwaelder"/> surname="Paoli" fullname="Jean Paoli"/>
    <author fullname="P. Shafer" initials="P." surname="Shafer"/> initials="C.M." surname="Sperberg-McQueen" fullname="C. M.
Sperberg-McQueen"/>
    <author fullname="K. Watsen" initials="K." surname="Watsen"/> initials="E." surname="Maler" fullname="Eve Maler"/>
    <author fullname="R. Wilton" initials="R." surname="Wilton"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8342"/>
          <seriesInfo name="DOI" value="10.17487/RFC8342"/>
        </reference>
        <reference anchor="RFC8407" target="https://www.rfc-editor.org/info/rfc8407" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8407.xml">
          <front>
            <title>Guidelines for Authors and Reviewers of Documents Containing YANG Data Models</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/> initials="F." surname="Yergeau" fullname="François Yergeau"/>
    <date month="October" year="2018"/>
            <abstract>
              <t>This memo provides guidelines for authors and reviewers of specifications containing YANG modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules. This document obsoletes RFC 6087.</t>
            </abstract> month="November" year="2008"/>
  </front>
  <seriesInfo name="BCP" value="216"/>
          <seriesInfo name="RFC" value="8407"/>
          <seriesInfo name="DOI" value="10.17487/RFC8407"/>
        </reference>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-trust-anchors.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-keystore.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-tcp-client-server.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-ssh-client-server.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-tls-client-server.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-http-client-server.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-netconf-client-server.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-netconf-restconf-client-server.xml"/>
        <reference anchor="SOCKS_4A" target="https://www.openssh.com/txt/socks4a.protocol">
          <front>
            <title>SOCKS 4A: A Simple Extension to SOCKS 4 Protocol</title>
            <author fullname="The OpenSSH Project"/>
          </front> name="World Wide Web Consortium
                    Recommendation" value="REC-xml-20081126"/>
</reference>

      </references>
    </references>
    <section anchor="change-log">
      <name>Change Log</name>
      <section>
        <name>00 to 01</name>
        <ul spacing="normal">
          <li>Added 'local-binding-supported' feature to TCP-client model.</li>
          <li>Added 'keepalives-supported' feature to TCP-common model.</li>
          <li>Added 'external-endpoint-values' container and 'external-endpoints' feature to TCP-server model.</li>
        </ul>
      </section>
      <section>
        <name>01 to 02</name>
        <ul spacing="normal">
          <li>Removed the 'external-endpoint-values' container and 'external-endpoints' feature from the TCP-server model.</li>
        </ul>
      </section>
      <section>
        <name>02 to 03</name>
        <ul spacing="normal">
          <li>Moved the common model section to be before the client and server specific sections.</li>
          <li>Added sections "Model Scope" and "Usage Guidelines for Configuring TCP Keep-Alives" to
              the common model section.</li>
        </ul>
      </section>
      <section>
        <name>03 to 04</name>
        <ul spacing="normal">
          <li>Fixed a few typos.</li>
        </ul>
      </section>
      <section>
        <name>04 to 05</name>
        <ul spacing="normal">
          <li>Removed commented out "grouping tcp-system-grouping" statement kept for reviewers.</li>
          <li>Added a "Note to Reviewers" note to first page.</li>
        </ul>
      </section>
      <section>
        <name>05 to 06</name>
        <ul spacing="normal">
          <li>Added support for TCP proxies.</li>
        </ul>
      </section>
      <section>
        <name>06 to 07</name>
        <ul spacing="normal">
          <li>Expanded "Data Model Overview section(s) [remove "wall" of tree diagrams].</li>
          <li>Updated the Security Considerations section.</li>
        </ul>
      </section>
      <section>
        <name>07 to 08</name>
        <ul spacing="normal">
          <li>Added missing IANA registration for "ietf-tcp-common"</li>
          <li>Added "mandatory true" for the "username" and "password" leafs</li>
          <li>Added an example of a TCP-client configured to connect via a proxy</li>
          <li>Fixed issues found by the SecDir review of the "keystore" draft.</li>
          <li>Updated the "ietf-tcp-client" module to use the new "password-grouping"
              grouping from the "crypto-types" module.</li>
        </ul>
      </section>
      <section>
        <name>08 to 09</name>
        <ul spacing="normal">
          <li>Addressed comments raised by YANG Doctor in the ct/ts/ks drafts.</li>
        </ul>
      </section>
      <section>
        <name>09 to 10</name>
        <ul spacing="normal">
          <li>Updated Abstract and Intro to address comments by Tom Petch.</li>
          <li>Removed the "tcp-connection-grouping" grouping (now models use the "tcp-common-grouping" directly).</li>
          <li>Added XML-comment above examples explaining the reason for the unusual top-most element's presence.</li>
          <li>Added Securty Considerations section for the "local-binding-supported" feature.</li>
          <li>Replaced some hardcoded refs to &lt;xref&gt; elements.</li>
          <li>Fixed nits found by YANG Doctor reviews.</li>
          <li>Aligned modules with `pyang -f` formatting.</li>
          <li>Added an "Acknowledgements" secetion.</li>
        </ul>
      </section>
      <section>
        <name>10 to 11</name>
        <ul spacing="normal">
          <li>Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples.</li>
          <li>Minor editorial nits</li>
        </ul>
      </section>
      <section>
        <name>11 to 12</name>
        <ul spacing="normal">
          <li>Fixed up the 'WG Web' and 'WG List' lines in YANG module(s)</li>
          <li>Fixed up copyright (i.e., s/Simplified/Revised/) in YANG module(s)</li>
        </ul>
      </section>
      <section>
        <name>12 to 13</name>
        <ul spacing="normal">
          <li>NO UPDATE.</li>
        </ul>
      </section>
      <section>
        <name>13 to 14</name>
        <ul spacing="normal">
          <li>Updated per Shepherd reviews impacting the suite of drafts.</li>
        </ul>
      </section>
      <section>
        <name>14 to 15</name>
        <ul spacing="normal">
          <li>Updated per Shepherd reviews impacting the suite of drafts.</li>
        </ul>
      </section>
      <section>
        <name>15 to 16</name>
        <ul spacing="normal">
          <li>Updated per Tom Petch review.</li>
          <li>Added refs to RFC9293 and SOCKS 4A.</li>
          <li>Fixed examples to use IETF-sanctioned values for examples.</li>
        </ul>
      </section>
      <section>
        <name>16 to 17</name>
        <ul spacing="normal">
          <li>Addresses AD review comments.</li>
          <li>Added note to Editor to fix line foldings.</li>
          <li>Added Security Considerations text to also look a SC-section from imported modules.</li>
          <li>Fixed bug: s/augment "keepalives"/refine "keepalives"/</li>
          <li>Set defaults for idle-time, max-probes, and probe-interval (removed "mandatory true").</li>
          <li>Updated examples to use IETF recommended values for examples.</li>
        </ul>
      </section>
      <section>
        <name>18 to 19</name>
        <ul spacing="normal">
          <li>Addresses AD review by Rob Wilton.</li>
        </ul>
      </section>
      <section>
        <name>18 to 19</name>
        <ul spacing="normal">
          <li>Replace RFC 1122 with RFC 9293.</li>
        </ul>
      </section>
      <section>
        <name>19 to 20</name>
        <ul spacing="normal">
          <li>Addresses 1st-round of IESG reviews.</li>
        </ul>
      </section>
      <section>
        <name>20 to 22</name>
        <ul spacing="normal">
          <li>Addresses issues found in OpsDir review of the ssh-client-server draft.</li>
          <li>Updated to address Mallory Knodel's Gen-ART review.</li>
          <li>Renamed Security Considerations section s/Template for/Considerations for/</li>
          <li>s/defines/presents/ in a few places.</li>
          <li>Add refs to where the 'operational' and 'system' datastores are defined.</li>
          <li>Added more 'feature' statements and descriptions for them</li>
          <li>Added Security Considaration for the "password" node</li>
        </ul>
      </section>
      <section>
        <name>22 to 23</name>
        <ul spacing="normal">
          <li>Address IESG review comments.</li>
        </ul>
      </section>
      <section>
        <name>23 to 24</name>
        <ul spacing="normal">
          <li>Nothing changed.  Bumped only for automation.</li>
        </ul>
      </section>
      <section>
        <name>24 to 25</name>
        <ul spacing="normal">
          <li>Updated to support dual-stacks</li>
        </ul>
      </section>
      <section>
        <name>25 to 26</name>
        <ul spacing="normal">
          <li>Updated to ensure at least one local-bind is specified.</li>
        </ul>
      </section>
    </section>
    <section numbered="false">
      <name>Acknowledgements</name>
      <t>The authors would like to thank the following for lively discussions
        on list and in the halls (ordered by first name):
        Éric Vyncke,
        Joe Clarke,
        Jürgen Schönwälder,
        Ladislav Lhotka,
        Mallory Knodel,
        Martin Duke,
        Michael Tüxen,
        Mohamed Boucadair,
        Nancy Cam-Winget,
        Nick Hancock,
        Per Andersson,
        Rob Wilton,
        Roman Danyliw,
        Tom Petch,
        Wim Henderickx.
        <contact fullname="Éric Vyncke"/>,
        <contact fullname="Joe Clarke"/>,
        <contact fullname="Jürgen Schönwälder"/>,
        <contact fullname="Ladislav Lhotka"/>,
        <contact fullname="Mallory Knodel"/>,
        <contact fullname="Martin Duke"/>,
        <contact fullname="Michael Tüxen"/>,
        <contact fullname="Mohamed Boucadair"/>,
        <contact fullname="Nancy Cam-Winget"/>,
        <contact fullname="Nick Hancock"/>,
        <contact fullname="Per Andersson"/>,
        <contact fullname="Rob Wilton"/>,
        <contact fullname="Roman Danyliw"/>,
        <contact fullname="Tom Petch"/>, and
        <contact fullname="Wim Henderickx"/>.
      </t>
    </section>
  </back>
</rfc>