draft-ietf-netconf-zerotouch


ANIMA & Zero Touch Provisioning for NETCONF Call Home (draft-ietf-netconf-zerotouch)

NETCONF Zero Touch
- A technique to bootstrap a secure NETCONF connection between a newly deployed device and a deployment-specific Network Management System
- Assumes the device uses DHCP to obtain its IP settings (address, netmask, gateway, DNS servers, etc.)

Use Cases
Connecting to a remotely administered network
- DHCP server administered by a 3rd party
- Unlikely the device will receive site-specific information
- Device must reach out to the network for its initial configuration
Connecting to a locally administered network
- DHCP server can be customized
- Device may receive some site-specific information
- Device tries local information first, falling back to the network otherwise

Solution in a Nutshell
- The device's factory default state includes logic to try to download a "Configlet" from a Configuration Server (an HTTP server)
- The device's pre-programmed list of well-known Configuration Server URLs can be augmented by a new DHCP option
- The Configlet specifies the required boot image and contains an initial configuration, which is expected to configure a NETCONF Call Home connection
- The device may also download a boot image from the Configuration Server, rebooting if necessary
- The Configlet is signed by a chain of trust that the device can authenticate; it may optionally be encrypted with the device's public key
- Mutually authenticated secure NETCONF Call Home connection, realized by the device's IDevID and the Configlet's settings

How it relates to ANIMA
- NETCONF Zero Touch is really about bootstrapping a device with an initial boot image and a configuration that, in part, supplies public keys for mutual authentication
- The configuration can be *anything*: set public keys, configure "anima" mode, etc.
- It does NOT have to configure NETCONF Call Home

Potential Issues
- Assumes L3 and a DHCP server
- To prevent substitution attacks, the Configlet must contain the device's unique identifier (there is no option for reduced security); as a consequence, the Configuration Server may need to obtain a signed Configlet in near real time
- For isolated networks (no Internet), deployments need a local Configuration Server (an HTTP server) and must configure their local DHCP servers with the Configuration Server's URL
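The device-side checks implied by the "Solution in a Nutshell" and "Potential Issues" slides, as an added example that is not code from the slides or from the draft: the device orders its candidate Configuration Server URLs (DHCP-supplied first, then the well-known list), verifies the Configlet against a trust anchor it already holds, and refuses any Configlet that does not name its own unique identifier, which is the check that defeats substitution of a genuine Configlet signed for a different device. The program assumes a single Ed25519 signing key in place of the draft's chain of trust, a JSON encoding, and invented field names, device serials and URLs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Configlet is a simplified stand-in for the artifact the slides call a
// "Configlet": the required boot image, the initial configuration, and the
// unique identifier of the one device it is meant for. Field names are
// assumed, not taken from the draft.
type Configlet struct {
	DeviceID  string `json:"device-id"`
	BootImage string `json:"boot-image"`
	Config    string `json:"config"`
}

// SignedConfiglet is what the Configuration Server hands out over HTTP: the
// encoded Configlet plus a signature over it. The draft signs with a chain of
// trust; a single Ed25519 signing key stands in for that chain here.
type SignedConfiglet struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("configlet signature does not verify against the device's trust anchor")
	ErrWrongDevice  = errors.New("configlet is bound to a different device identifier")
)

// SignConfiglet is the server-side staging step.
func SignConfiglet(signingKey ed25519.PrivateKey, c Configlet) (SignedConfiglet, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedConfiglet{}, err
	}
	return SignedConfiglet{Payload: payload, Signature: ed25519.Sign(signingKey, payload)}, nil
}

// VerifyConfiglet is the device-side check run before any configuration is
// applied: the signature must verify against the trust anchor baked into the
// device, and the Configlet must name this device. The second check blocks
// substitution attacks, where a genuine Configlet signed for another device
// is replayed to this one.
func VerifyConfiglet(trustAnchor ed25519.PublicKey, myDeviceID string, sc SignedConfiglet) (Configlet, error) {
	if !ed25519.Verify(trustAnchor, sc.Payload, sc.Signature) {
		return Configlet{}, ErrBadSignature
	}
	var c Configlet
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Configlet{}, err
	}
	if c.DeviceID != myDeviceID {
		return Configlet{}, ErrWrongDevice
	}
	return c, nil
}

// CandidateURLs orders the Configuration Servers the device will try: the
// locally supplied DHCP-option URL first, then the pre-programmed well-known
// list ("tries local information first, falling back to the network").
func CandidateURLs(dhcpOptionURL string, wellKnown []string) []string {
	if dhcpOptionURL == "" {
		return append([]string(nil), wellKnown...)
	}
	return append([]string{dhcpOptionURL}, wellKnown...)
}

func main() {
	// Constructed sample data: a vendor signing key whose public half is the
	// device's trust anchor, and a device with serial "SN-0001".
	trustAnchor, vendorKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const myID = "SN-0001"

	good, _ := SignConfiglet(vendorKey, Configlet{DeviceID: myID, BootImage: "os-1.0.bin", Config: "call-home cfg"})
	if c, err := VerifyConfiglet(trustAnchor, myID, good); err == nil {
		fmt.Println("accepted configlet, boot image:", c.BootImage)
	}

	// Substitution: a genuine Configlet for another device is replayed here.
	other, _ := SignConfiglet(vendorKey, Configlet{DeviceID: "SN-0002", BootImage: "os-1.0.bin", Config: "call-home cfg"})
	_, err = VerifyConfiglet(trustAnchor, myID, other)
	fmt.Println("replayed configlet:", err)

	// Forgery: signed with a key the device does not trust.
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignConfiglet(attackerKey, Configlet{DeviceID: myID, BootImage: "evil.bin", Config: "attacker cfg"})
	_, err = VerifyConfiglet(trustAnchor, myID, forged)
	fmt.Println("forged configlet:", err)

	fmt.Println("lookup order:", CandidateURLs("http://10.0.0.5/configlet", []string{"https://bootstrap.vendor.example/"}))
}
```

Because the identifier is inside the signed payload, an attacker who captures a Configlet for one device cannot re-target it without breaking the signature; the cost, as the slide notes, is that every Configlet must be signed per device, so signing has to happen close to deployment time.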

Potential Remedies
- If reliance on DHCP is objectionable, alternatives can be supported, so long as they result in a configured IP stack, including DNS (DNS resolution is not needed if the URL encodes an IP address)
- Automate the Configlet signing and staging steps, to support deployments where device identifiers are not known until the last minute (e.g. scanning a QR code off the device)

Relationship to bootstrapping-keyinfra
Overlap
- Both drafts begin with the device having an IDevID
- Both drafts end with mutually authenticated trust
- Both drafts have an L3 aspect
Differences
- KeyInfra can work at L2, before moving to L3
- ZeroTouch is more than just key distribution: it also delivers configuration
- KeyInfra supports follow-on interactions, but doesn't define any

Questions / Concerns / Suggestions ?