Presentation is loading. Please wait.

Presentation is loading. Please wait.

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Published byHendri Lesmana Modified over 5 years ago

Similar presentations

Presentation on theme: "YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99"— Presentation transcript:

1 YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99
Toerless Eckert, Huawei

2 Why Yang model Configure ANI
ANI != fully autonomic. Some things to configure Enable/Disable ANI – global/per interface Superset of enable/disable BRSKI and ACP BRSKI: Registrar + EST server (renewal) (separate ?): enable, define domain certificate parameters CA authentication/URL Simplifications ? Automatically instantiate local CA upon instantiating registrar Parameters for MASAs Allow learning from IDevID part of BRSKI – policies for this ?! Explicit configured MASA (for legacy IDevIDs) GRASP parameter for registrar/EST server announcements ACP: “acp connect” interfaces, explicit configured neighbors/ACP tunnels GRASP (in ANI nothing) ?

3 How Yang model Strategy to allow modularity ?
Build Yang models for ACP, BRSKI, GRASP separately + ANI model ? Would like to make sure these components can be reused in other solutions, (including reuse of yang model) ACP without BRSKI Existing models to provision Certificates ? Everything else to configure in ACP same if ACP is with or without BRSKI ? BRSKI without ACP Additional (from prior slide ANI variant) - configured proxies ? GRASP without ACP ??? Not sure yet.

4 Why Yang model (2) Manage / observe ANI (read(-only) data) Main issue:
Prio 1: Read “configuration” of ANI Will require additional “state” of functions representation Prio 1: ANI operational data E.g.: step-by-step BRSKI, step-by-step ACP neighborship build Current state representation (ACP neighbor table, discovered GRASP objectives,…) Prio 2: For underlying components ACP has most components it uses, e.g.: VRF, “secure channels”, GRASP Probably need to scrape IETF docs: Which component already has MIB and/or operational YANG model EST also “underlying” component of BRSKI Anything for it ? If not… should Yang mode for BRSKI be built as an extension to a to-be-built EST model ? Would allow to re-use then for EST-only servers (MCR: renewal may be EST-only...) GRASP: unchanged question from prior slide Main issue: Operational Yang == better version of “show” CLI. Issue: Often you can not do live “show” in automated networks.

5 Logging Q: can we define some trace/log model
Yang version of syslog ? (Yang push ? What else are the options ?) How about logging locally for later retrieval ? Pledge not enrolling, something wrong, but can not verify in actual target deployment Need to be able to retrieve logs from some on-pledge limited storage later. Except similar issues also in e.g.: Proxy, small device environment (no good generic diagnostics environment).

6 BRSKI Enrolment control
How to express policy which pledges are allowed into domain ? Whitelist / blacklist of IDevID serials on registrars ? Flexibility too limited: Want to be able to trigger some action before making decision (ask operator,…) Decision not binary – may also want to be able to define per-pledge parameters of the cert (address type, subdomain, cert lifetime,...) Most simple & flexible solution ? : RPC type call from registrar to external server to make decision RPC(IDevID) -> (enrol, cert-parameters) Define yang model for RPC, server connection parameters Similar for EST renewal ?

7 BRSKI Enrolment control (2)
Minimum complexity solution ? ANI does not know which pledges are enrolled. Only “external” server and CA Do not model server (only RPC) or CA into ANI model No need to model/track pledges inside ANI, ni modelling whitelist/blacklist With just parameters of registrar enrolment RPC and EST renewal RPC, one can easily build management (“SDN”) server using e.g.: RestConf from Registrar/EST server Useful separation – SDN server can, but usually do not like to implement specific protocols (e.g.: BRSKI, BRSKI-MASA,… ?) EST/BRSKI already HTTP protocol, so a lot closer to what SDN controller like, but: Registrar needs to be connected to ACP. For easy building of system it is very helpfull to be able to have the SDN server be able to live outside of ACP

8 Structuring Yang work One draft ?
Data model ANI, ACP, BRSKI, GRASP Or multiple ? Concept explanations.. Looking for collaborators to this work! Can form design team if interest ?

Download ppt "YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99"

Similar presentations

2 Introduction A central issue in supporting interoperability is achieving type compatibility. Type compatibility allows (a) entities developed by various.

2 Introduction A central issue in supporting interoperability is achieving type compatibility. Type compatibility allows (a) entities developed by various.
Importing and Calling Web Services from your CA Plex Applications Session Code: Lab13 Rob Layzell.

Importing and Calling Web Services from your CA Plex Applications Session Code: Lab13 Rob Layzell.
Design Principles for Reusable, Composable and Extensible Frameworks Jilles van Gurp.

Design Principles for Reusable, Composable and Extensible Frameworks Jilles van Gurp.
Infoblox Network Automation Matt Gowarty, Sr. Product Marketing Manager Dynamically Controlling Your Network.

Infoblox Network Automation Matt Gowarty, Sr. Product Marketing Manager Dynamically Controlling Your Network.
L3vpn end-system draft Pedro Marques. Overview Defines a mechanism to associate an end- system virtual interface to an L3VPN. – Co-located forwarder:

L3vpn end-system draft Pedro Marques. Overview Defines a mechanism to associate an end- system virtual interface to an L3VPN. – Co-located forwarder:
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Introduction to z/OS Basics © 2006 IBM Corporation Chapter 13: z/OS HTTP Server.

Introduction to z/OS Basics © 2006 IBM Corporation Chapter 13: z/OS HTTP Server.
Apache Axis: A Set of Java Tools for SOAP Web Services.

Apache Axis: A Set of Java Tools for SOAP Web Services.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
Draft-li-rtgwg-cc-igp-arch-00IETF 88 RTGWG1 An Architecture of Central Controlled Interior Gateway Protocol (IGP) draft-li-rtgwg-cc-igp-arch-00 Zhenbin.

Draft-li-rtgwg-cc-igp-arch-00IETF 88 RTGWG1 An Architecture of Central Controlled Interior Gateway Protocol (IGP) draft-li-rtgwg-cc-igp-arch-00 Zhenbin.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
Winter 2005-2006 Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Winter Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
DCOM (Overview) by- Jeevan Varma Anga.

DCOM (Overview) by- Jeevan Varma Anga.
Abierman-nanog-30may03 1 XML Router Configs BOF Operator Involvement Andy Bierman

Abierman-nanog-30may03 1 XML Router Configs BOF Operator Involvement Andy Bierman
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

Similar presentations

Ads by Google