Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-kwatsen-netconf-zerotouch-01

Published byChloe Fowler Modified over 8 years ago

Similar presentations

Presentation on theme: "draft-kwatsen-netconf-zerotouch-01"— Presentation transcript:

1 draft-kwatsen-netconf-zerotouch-01
Zero Touch Provisioning for NETCONF Call Home

2 Introduction Zero Touch is a strategy for how to establish a secure network management relationship between a newly deployed network element, configured with just its factory default settings, and the new owner's Network Management System (NMS)

3 Current Status First presented at IETF 88
Significant interest in the room Now a chartered WG work item Many discussions with stakeholders since Updated draft satisfies almost all interests New strategy, using “Configlets” instead of DNS Almost a complete rewrite from -00

4 Updates since -00 Device now downloads configuration from URIs, instead of from DNS What device downloads is a YANG-defined XML document, instead of DNS records Downloaded information authenticated using an enveloped signature, instead of DNSSEC Supports delegating the signing and hosting roles to 3rd-parties

5 Roles and Actors Configuration Server Vendor Configlet Device
Configlet Signer NMS

6 Device Precondition + factory default configuration
| <device> | | | | | | | <immutable storage> | | | | | | | | list of Configlet Signer trust anchor certificates | | | | list of Configuration Server trust anchor certs | | | | | | <other storage> | | | | | | | | two sets of Configuration Server URIs | | | | device entity & associated intermediate certificate(s) | | | | | | <crypto processor> | | | | | | | | device private key | | + factory default configuration

7 When joining the network
The device MAY receive a URL to a software image The device MAY upgrade itself to this image, but Image MUST be signed and device MUST validate the signature The device MUST reboot itself with factory default configuration To restart Zero Touch… The device MAY receive URIs to Configuration Servers The device SHOULD use these URIs alongside its defaults Precedence given within security schemes

8 Physical Presence Before trying to download a Configlet from a Configuration Server Device, if it is able to, SHOULD first try to load a Configlet using a mechanism that asserts physical presence E.g. Removable USB flash drive, near-field communication Such Configlets Do NOT have to be signed Do NOT have to contain the device’s unique identifier

9 May also learn URI for images and Configlets
Device Boot Sequence DEVICE LOCAL DHCP CONFIGURATION NMS | SERVER SERVERS | | | | | | >| | | | Lease IP | | | | | | | Check Physical Presence | | | |< | | | >| | | Iterate until Configlet found | | | | | | Validate Configlet & | | | | Merge into “running” | | | |< | | | >| | reverse-SSH or reverse-TLS | | May also learn URI for images and Configlets

10 Configuration Server URI Lookup
Lookup uses fingerprint to identify device For instance, if the URI were: then the device would try to access: Fingerprint is generated using the SHA-256 algorithm over the device's entity certificate

11 Configlet Data-Model Reuses groupings from: Mimics configuration from:
draft-kwatsen-netconf-server For configuring call-home Mimics configuration from: draft-ietf-netmod-system-mgmt For configuring a user account

12 From draft-ietf-netmod-system-mgmt
+--rw system +--rw authentication +--rw user-authentication-order* identityref +--rw user* [name] +--rw name string +--rw password? crypt-hash +--rw ssh-key* [name] +--rw name string +--rw algorithm string +--rw key-data binary

13 From draft-kwatsen-netconf-server
+--rw call-home +--rw network-managers +--rw network-manager* [name] +--rw name string +--rw description? string +--rw endpoints | +--rw endpoint* [address] | rw address inet:host | rw port? inet:port-number +--rw transport | +--rw ssh {outbound-ssh}? | | +--rw host-keys | | rw host-key* [name] | | rw name string | +--rw tls! {outbound-tls}? +--rw connection-type ... +--rw reconnect-strategy

14 Configlet Signature Enveloped signature using the W3C standard:
"XML Signature Syntax and Processing” Signature block MUST also embed the Configlet Signer's certificate and any intermediate certificates leading to a Configlet Signer trust anchor Because devices only know about trust anchors

15 NMS Precondition | <NMS> | | | | vendor's trusted CA certificate | | serial numbers for expected devices | | username to log into devices with | | auth credentials to log into devices | NMS needs CA cert and serial-numbers from Vendor

16 Security Considerations
MANY! Substitution attack across devices not possible Substitution attack possible on same device Confidentiality assured using secure schemes Insecure schemes allowed Physical presence assertion allowed Network discovered URIs are allowed Etc.

17 IANA Considerations None

18 Open Issues Can’t reuse a grouping statement from draft-ietf-netmod-system-mgmt Should Configlet always be signed?

19 Questions / Concerns ?

Download ppt "draft-kwatsen-netconf-zerotouch-01"

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Radius based ssh authentication Location of Radius server – radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key WinRadius – The same config.

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.

Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Chapter 31 Network Security

Chapter 31 Network Security
Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.

Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.

Similar presentations

Ads by Google