Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Published byBeatrix Sparks Modified over 9 years ago

Similar presentations

Presentation on theme: "Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA."— Presentation transcript:

1 Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA

2 Issues with Draft -01 Owners had to interact with a 3rd-party to get their configurations signed Loss of privacy Configuration is locked to enumerated set of devices Loss of portability Undefined how a 3rd-party signing entity would validate Ownership Implies a real-time lookup into a Vendor’s database Unclear how this would be easy to implement Draft offers no support for identifying who is making the request or being able to know which vendor to ask for a given unique identifier

3 Solution (Draft -02) Replace 3rd-party signing authority with:
Rightful Owners can now sign their own configurations Devices use Vendor-provided “voucher” to authenticate rightful Owners Fixes: No more is there a 3rd-party signing entity No more does an Initial Configuration have to be for an enumerated set of devices No more does Vendor need to provide a real-time lookup service

4 Updates since IETF 91 Replaced the need for a Configuration Signer with the ability for each NMS to be able to sign its own configurations, using Vendor-signed Ownership Vouchers and an Owner certificate. Renamed “Configuration Server” to “Bootstrap Server”, a more representative name given the information downloaded from it. Replaced the concept of a “Configlet” by defining a southbound interface for the Bootstrap Server using YANG. Removed the IANA request for media types.

5 draft-ietf-netconf-zerotouch-02
Solution Details draft-ietf-netconf-zerotouch-02

6 Owner Places A Zero-Touch Order
Rightful Owner Vendor 1st-Time Only Owner Certificate Owner ID: 1234 Owner PubKey Expiration Date: none Vendor’s Signature Certificate Signing Request Owner Certificate Place order (“250 devices + supporting zerotouch data please”) Ownership Voucher Owner ID: 1234 List of Device IDs Expiration Date: TBD Vendor’s Signature When ready to ship Ownership Voucher(s) Could be encrypted with the Owner’s PubKey, if privacy needed

7 Owner Stages Network for Zero Touch
Update NMS with list of expected device identifiers from Ownership Voucher(s) (Optional) Owner MAY configure a local DHCP with additional URLs devices should try, with the “ZeroTouch Information” option (IANA assignment pending) Update Bootstrap Server with per-device information: Ownership Voucher Owner Certificate Initial configuration, signed by Owner’s Private Key Boot image, already signed by Vendor All this can be encrypted with Device Public Key if needed

8 Bootstrap Server Southbound REST API
module: ietf-zerotouch-bootstrap-server +--ro devices +--ro device* [unique-id] +--ro unique-id string +--ro ownership-voucher | +--ro voucher binary | +--ro issuer-crl? string +--ro owner-certificate | +--ro certificate string | +--ro issuer-crl? string +--ro boot-image! | +--ro name string | +--ro path string | +--ro signature string +--ro configuration +--ro config +--ro signature string rpcs: +---x notification +---w input +---w unique-id string +---w type enumeration +---w message? string

9 Southbound API via RESTCONF
GET devices/device=123456/ownership-voucher devices/device=123456/owner-certificate devices/device=123456/boot-image devices/device=123456/configuration POST server:notification

10 Bootstrap Sequence Factory Default Config
DHCP (maybe learn additional Bootstrap Server URLs) Iterate over URLs until ZeroTouch info found Validate OwnerShip Voucher (Extract Owner ID) Validate Owner Certificate (Extract Owner PubKey) Reboot Validate Initial Config signed by Owner Private Key S/W upgrade needed? Yes Update Software/Firmware No Commit Initial Config to Running (e.g., configures call home and admin account)

11 Open Issues for many months
#5: Validate if Vendors can support owner-validation service This is now possible, since draft defines specific requirements #6: Consider alternative to using XMLSIG and XMLENC? XMLSIG is replaced by a binary-based signing algorithm XMLENC may by replaced as well, but isn’t defined yet (is it important)?

12 New Issues just Opened #8: Need to define binary-signing algorithm (not XMLSIG) New state (will move to Open) #7: Apply editorial suggestions from on list In Editorial state (Coloring same as on GitHub)

13 Next Steps Present updated solution to ANIMA WG today
immediately after upcoming break! Close previously mentioned open issues Any more issues? Submit Zero Touch -03 in a few weeks after Call Home and Server Model updates

14 Questions / Concerns / Suggestions ?

Download ppt "Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA."

Similar presentations

Chapter 20 Oracle Secure Backup.

Chapter 20 Oracle Secure Backup.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.

Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Universal Plug and Play (UPnP) Presented by: Kamal Kamal Kamal Kamal Mohammad Atieh Mohammad Atieh.

Universal Plug and Play (UPnP) Presented by: Kamal Kamal Kamal Kamal Mohammad Atieh Mohammad Atieh.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
App signing workflow CAPPS, 9/11/2013 App singing workflow2 Michał Kwiatek, IT/OIS.

App signing workflow CAPPS, 9/11/2013 App singing workflow2 Michał Kwiatek, IT/OIS.
Vending Machines for Schools POS Interface Architecture for the Reimbursable School Meals Program.

Vending Machines for Schools POS Interface Architecture for the Reimbursable School Meals Program.
NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.
SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.

SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.
Role of Account Management at ERCOT Market Participant Identity Management Overview (MPIM)

Role of Account Management at ERCOT Market Participant Identity Management Overview (MPIM)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
draft-kwatsen-netconf-zerotouch-01

draft-kwatsen-netconf-zerotouch-01
App-ID Use Cases, Syntax and Attributes SEC-2015-0508-App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,

App-ID Use Cases, Syntax and Attributes SEC App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,
The FCLA Endeca Project By Michele Newberry. M.Newberry2 Current OPAC environment  Aleph 500 v.15.5  Heavily customized to reflect pre- implementation.

The FCLA Endeca Project By Michele Newberry. M.Newberry2 Current OPAC environment  Aleph 500 v.15.5  Heavily customized to reflect pre- implementation.
3 rd Party Registration & Account Management SMT Update To AMWG Status February 24, 2014.

3 rd Party Registration & Account Management SMT Update To AMWG Status February 24, 2014.
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.
© Hitachi, Ltd. 2007. All rights reserved. NETCONF Configuration I/F Advertisement by WSDL and XSD Hideki Okita, Tomoyuki Iijima, Yoshifumi Atarashi, Ray.

© Hitachi, Ltd All rights reserved. NETCONF Configuration I/F Advertisement by WSDL and XSD Hideki Okita, Tomoyuki Iijima, Yoshifumi Atarashi, Ray.

Similar presentations

Ads by Google