NETCONF Overview

NETCONF is a protocol defined by the IETF to “install, manipulate, and delete the configuration of network devices”. NETCONF operations are realized on top of a Remote Procedure Call (RPC) layer using an XML encoding and provide a basic set of operations to edit and query configuration on a network device.

Download our presentation on NETCONF and YANG for Service Automation presented at LISA Usenix 2011 (pdf, 1.1 MB)

Why Netconf? (9:55 minutes)


The NETCONF base protocol was officially published as a RFC 4741 NETCONF Configuration Protocol in late 2006. The IETF working group producing the standard also produced supporting RFCs for various transport mappings, including:

  • RFC 4742 Using the NETCONF Configuration Protocol over Secure SHell (SSH)
  • RFC 4743 Using NETCONF over the Simple Object Access Protocol
  • RFC 5539 NETCONF over Transport Layer Security (TLS)

The above versions were updated in 2011 to become the following:

  • RFC 6241 obsoletes RFC 4741 with a small set of changes including a persist-id for confirmed commits
  • RFC 6242 obsoletes RFC 4742 and introduces e.g. a new framing mechanism to address some potential security issues with the initial design

Notable additions to the family of NETCONF RFCs produced by the working group are:

  • RFC 5277 NETCONF Event Notifications that describes an asynchronous notification mechanism allowing clients to subscribe to named event streams
  • RFC 6243 With-defaults Capability for NETCONF that describes an extension to the NETCONF protocol that allows clients to identify how defaults are processed by the server

Why NETCONF vs. Other Approaches

CLI scripting was the primary approach to making automated configuration changes to the network prior to NETCONF. CLI scripting has several limitations including lack of transaction management, no structured error management, and ever-changing structure and syntax of commands that makes scripts fragile and costly to maintain. These are all side-effects of the basic fact that CLIs are designed to be used by humans and not an API for programmatic access.

SNMP is another approach that could be used to write changes, but, in practice, is mostly used for performance and monitoring applications. Reasons for this include the lack of a defined discovery process that makes it hard to find the correct MIB modules, limitations inherent in the use of the UDP protocol, and the lack of useful standard security and commit mechanisms.

Key NETCONF Capabilities

The NETCONF protocol was designed to address the shortcomings of existing practices and protocols for configuration management. The background work preceding the design phase has been documented in RFC 3535 Overview of the 2002 IAB Network Management Workshop. The design goals from that work includes:

  • Distinction between configuration and state data
  • Multiple configuration data stores (candidate, running, startup)
  • Configuration change transactions
  • Configuration testing and validation support
  • Selective data retrieval with filtering
  • Streaming and playback of event notifications
  • Extensible procedure call mechanism

NETCONF’s Role in Tail-f Systems’ Product Family

Tail-f Systems offers the broadest family of NETCONF-enabled products and tools in the industry. Developers can build new on-device management applications with ConfD including a robust implementation of NETCONF.

Tail-f Systems’ implementations of NETCONF are mature and thoroughly proven in production networks. Our participation and contribution to the development of the standard ensure our customers benefit from a fully future-proofed solution.