draft-kwatsen-netconf-zerotouch-01

Slides:

Advertisements

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Advertisements

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Secure Network Bootstrapping Infrastructure May 15, 2014.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Windows 2003 and 802.1x Secure Wireless Deployments.

Course 201 – Administration, Content Inspection and SSL VPN

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Chapter 31 Network Security

Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.

Identity Management and DNS Services Tianyi XING.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.

September, 2005What IHE Delivers 1 G. Claeys, Agfa Healthcare Audit Trail and Node Authentication.

draft-ietf-netconf-call-home-01

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

© Hitachi, Ltd All rights reserved. NETCONF Configuration I/F Advertisement by WSDL and XSD Hideki Okita, Tomoyuki Iijima, Yoshifumi Atarashi, Ray.

CAMP PKI UPDATE August 2002 Jim Jokl

Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.

draft-ietf-netconf-zerotouch

Credentials Roadmap STIR WG IETF 90 (Toronto) Sean Turner

Network Security7-1 CIS3360: Chapter 8: Cryptography Application of Public Cryptography Cliff Zou Spring 2012 TexPoint fonts used in EMF. Read the TexPoint.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Abierman-netconf-mar04 1 NETCONF WG 59th IETF Seoul, Korea March 3, 2003 March 4, 2003.

Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.

HardSSH Cryptographic Hardware Key Team May07-20: Steven Schulteis (Cpr E) Joseph Sloan (EE, Cpr E, Com S) Michael Ekstrand (Cpr E) Taylor Schreck (Cpr.

Presentation at ISMS WG Meeting1 ISMS – March 2005 IETF David T. Perkins.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

Paris, August 2005 IETF 63 rd – mip6 WG Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-00) mip6-boot-sol DT Gerardo Giaretta,

K. Salah1 Security Protocols in the Internet IPSec.

1 SUBMITTED BY- PATEL KUMAR C.S.E(8 th - sem). SUBMITTED TO- Mr. DESHRAJ AHIRWAR.

Draft-kwatsen-netconf-server Configuration Model for SSH and TLS Transports.

Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Vmware 2V0-621D Vmware Exam Questions & Answers VMware Certified Professional 6 Presents

Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.

Draft-ietf-netconf-server-model-04 NETCONF Server Configuration Model

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-07 NETCONF WG IETF 93 Prague.

draft-ietf-netconf-reverse-ssh

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

NSE5 Dumps PDF Fortinet Network Security Expert 5 Written Exam (500) NSE5 DumpsNSE5 BraindumpsNSE5 Questions AnswersNSE5 Study Material.

LXI Security Overview October 2018 Rev 1.8.

Digital Certificates and X.509

ROA Content Proposal November 2006 Geoff Huston.

PKI (Public Key Infrastructure)

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

System Center Configuration Manager Cloud Services – Cloud Distribution Point Presented By: Ginu Tausif.

Presentation transcript:

draft-kwatsen-netconf-zerotouch-01 Zero Touch Provisioning for NETCONF Call Home

Introduction Zero Touch is a strategy for how to establish a secure network management relationship between a newly deployed network element, configured with just its factory default settings, and the new owner's Network Management System (NMS)

Current Status First presented at IETF 88 Significant interest in the room Now a chartered WG work item Many discussions with stakeholders since Updated draft satisfies almost all interests New strategy, using “Configlets” instead of DNS Almost a complete rewrite from -00

Updates since -00 Device now downloads configuration from URIs, instead of from DNS What device downloads is a YANG-defined XML document, instead of DNS records Downloaded information authenticated using an enveloped signature, instead of DNSSEC Supports delegating the signing and hosting roles to 3rd-parties

Roles and Actors Configuration Server Vendor Configlet Device Configlet Signer NMS

Device Precondition + factory default configuration +------------------------------------------------------------------+ | <device> | | | | +------------------------------------------------------+ | | | <immutable storage> | | | | | | | | list of Configlet Signer trust anchor certificates | | | | list of Configuration Server trust anchor certs | | | +----------------------------------------------------------+ | | | <other storage> | | | | | | | | two sets of Configuration Server URIs | | | | device entity & associated intermediate certificate(s) | | | +----------------------+ | | | <crypto processor> | | | | | | | | device private key | | + factory default configuration

When joining the network The device MAY receive a URL to a software image The device MAY upgrade itself to this image, but Image MUST be signed and device MUST validate the signature The device MUST reboot itself with factory default configuration To restart Zero Touch… The device MAY receive URIs to Configuration Servers The device SHOULD use these URIs alongside its defaults Precedence given within security schemes

Physical Presence Before trying to download a Configlet from a Configuration Server Device, if it is able to, SHOULD first try to load a Configlet using a mechanism that asserts physical presence E.g. Removable USB flash drive, near-field communication Such Configlets Do NOT have to be signed Do NOT have to contain the device’s unique identifier

May also learn URI for images and Configlets Device Boot Sequence DEVICE LOCAL DHCP CONFIGURATION NMS | SERVER SERVERS | | | | | |------------>| | | | Lease IP | | | |--------------------------+ | | | Check Physical Presence | | | |<-------------------------+ | | |------------------------------->| | | Iterate until Configlet found | | |----------------------+ | | | Validate Configlet & | | | | Merge into “running” | | | |<--------------------+ | | |---------------------------------------------->| | reverse-SSH or reverse-TLS | | May also learn URI for images and Configlets

Configuration Server URI Lookup Lookup uses fingerprint to identify device For instance, if the URI were: https://example.com/zerotouch?id= then the device would try to access: https://example.com/zerotouch?id=<fingerprint> Fingerprint is generated using the SHA-256 algorithm over the device's entity certificate

Configlet Data-Model Reuses groupings from: Mimics configuration from: draft-kwatsen-netconf-server For configuring call-home Mimics configuration from: draft-ietf-netmod-system-mgmt For configuring a user account

From draft-ietf-netmod-system-mgmt +--rw system +--rw authentication +--rw user-authentication-order* identityref +--rw user* [name] +--rw name string +--rw password? crypt-hash +--rw ssh-key* [name] +--rw name string +--rw algorithm string +--rw key-data binary

From draft-kwatsen-netconf-server +--rw call-home +--rw network-managers +--rw network-manager* [name] +--rw name string +--rw description? string +--rw endpoints | +--rw endpoint* [address] | +--rw address inet:host | +--rw port? inet:port-number +--rw transport | +--rw ssh {outbound-ssh}? | | +--rw host-keys | | +--rw host-key* [name] | | +--rw name string | +--rw tls! {outbound-tls}? +--rw connection-type ... +--rw reconnect-strategy

Configlet Signature Enveloped signature using the W3C standard: "XML Signature Syntax and Processing” Signature block MUST also embed the Configlet Signer's certificate and any intermediate certificates leading to a Configlet Signer trust anchor Because devices only know about trust anchors

NMS Precondition +----------------------------------------+ | <NMS> | | | | vendor's trusted CA certificate | | serial numbers for expected devices | | username to log into devices with | | auth credentials to log into devices | NMS needs CA cert and serial-numbers from Vendor

Security Considerations MANY! Substitution attack across devices not possible Substitution attack possible on same device Confidentiality assured using secure schemes Insecure schemes allowed Physical presence assertion allowed Network discovered URIs are allowed Etc.

IANA Considerations None

Open Issues Can’t reuse a grouping statement from draft-ietf-netmod-system-mgmt Should Configlet always be signed?

Questions / Concerns ?