Re: [Netconf] zerotouch issues found while preparing -20

Kent Watsen <kwatsen@juniper.net> Sat, 27 January 2018 04:59 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Sat, 27 Jan 2018 04:58:57 +0000
Message-ID: <EB9ED782-BAAF-44EF-9191-C31B76266208@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-TIsFXHkMsyROXQwdZrQ2K2Y9l8>
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>

I found another issue while updating my PoC code to the current draft.  The issue comes from the draft's "zerotouch-information" artifact, a PKCS7 structure, only supporting a JSON-encoded payload.  The reason why it only supports a JSON-encoded payload was discussed on list before, but it goes to aligning with what draft-ietf-anima-voucher does.

The issue manifests itself when the payload encodes "onboarding-information", which has an 'anydata' node called "configuration".  Being 'anydata' inside a JSON-encoded document means that the configuration itself must also be JSON-encoded, but this is a problem for devices that don't support JSON-encoded configuration, and it's not possible for a bootstrap server (that may not have access to the YANG for the configuration) to generically convert the JSON to XML.  Stated another way, the current solution couples the encoding of the submitted configuration with the encoding of the envelope that's used to convey the configuration.

To address that, I propose replacing the 'anydata' node with a 'leaf' of type binary.  I don't foresee any interoperability issue with this change, as already the data sent to the device must be device-specific.  To be clear about this proposal, here is a commit that illustrates the change:

 https://github.com/netconf-wg/zero-touch/commit/14d92eec946b50eb980b51670ace6ce8bf2e2334

While this is a technical change, it doesn't change the solution in a material way, so I'm hoping that it doesn't necessitate another last call to approve.  If no objections are raised, I'll also apply this change to the pending -20 update.

Separately, here are a couple other things we might consider doing:

1) move from PKCS7 to CMS (RFC5652).   CMS is IETF's version of PKCS7.   It's practically identical.  The IESG requested this change when the anima-voucher draft went through its IETF Last Call, and so I expect the same change will be requested for this draft as well.

2) modify the draft's statement that devices MUST send an IDevID certificate to one that says devices MUST send an IDevID certificate and/or HTTP-level authentication.   This wording is consistent with RFC 8040 Section 2.5 and, by allowing HTTP-level authentication, it will better represent products shipped by a number of vendors, whereby the installer can, for instance, type in a password into the device while it's booting.  This appears to be a popular low-barrier choice, as implementing IDevID is not easy.

Thoughts?

Kent  // contributor
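The encoding-coupling problem described in the post, worked through as an added example (this is not the draft's normative example nor the author's PoC code). It contrasts the 'anydata' "configuration" node, whose content must itself be JSON when the envelope is JSON, with a 'binary' leaf that lets the bootstrap server carry an XML configuration it cannot parse. The module name "ietf-zerotouch-information", the "configuration-handling" leaf and the sample XML configuration are assumptions made for illustration; only the PKCS7/CMS envelope, which is omitted here, would wrap the resulting JSON.

```python
"""
Added example (not from the draft or the mailing-list post): shows why a
'binary' leaf decouples the encoding of the device configuration from the
encoding of the JSON-encoded "zerotouch-information" payload.  The node
names "onboarding-information" and "configuration" follow the post; the
module name, the "configuration-handling" leaf and the sample XML are
assumptions used for illustration only.
"""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample: a device-specific XML configuration that the bootstrap
# server cannot translate to JSON because it has no YANG modules for it.
SAMPLE_XML_CONFIG = b"""<config xmlns="urn:example:vendor-config">
  <hostname>edge-router-17</hostname>
  <ntp><server>192.0.2.10</server></ntp>
</config>
"""


def build_onboarding_information(config_bytes: bytes, handling: str = "merge") -> str:
    """Bootstrap-server side: wrap opaque configuration bytes in the JSON
    payload.  With a 'binary' leaf the server only base64-encodes the bytes;
    it never has to parse, validate or re-encode them."""
    if handling not in ("merge", "replace"):
        raise ValueError("unknown configuration-handling value")
    payload = {
        "ietf-zerotouch-information:onboarding-information": {  # assumed module name
            "configuration-handling": handling,
            "configuration": base64.b64encode(config_bytes).decode("ascii"),
        }
    }
    return json.dumps(payload)


def extract_configuration(envelope_json: str) -> Tuple[str, bytes]:
    """Device side: pull the configuration back out of the JSON payload and
    return it exactly as the operator submitted it (here: XML), so a device
    with no JSON support can hand it straight to its native config parser."""
    doc = json.loads(envelope_json)
    info = doc["ietf-zerotouch-information:onboarding-information"]
    # validate=True rejects stray characters instead of silently dropping them
    config = base64.b64decode(info["configuration"], validate=True)
    return info["configuration-handling"], config


def anydata_requires_json(config_bytes: bytes) -> bool:
    """Illustrates the problem with the 'anydata' node: inside a JSON document
    the child content must itself be valid JSON, so an XML configuration
    cannot be carried through at all."""
    try:
        json.loads(config_bytes)
        return True
    except ValueError:
        return False


def device_hostname(config_bytes: bytes) -> str:
    """Stand-in for the device's native XML configuration parser."""
    root = ET.fromstring(config_bytes)
    ns = {"v": "urn:example:vendor-config"}
    return root.findtext("v:hostname", namespaces=ns)


if __name__ == "__main__":
    env = build_onboarding_information(SAMPLE_XML_CONFIG)
    handling, cfg = extract_configuration(env)
    print(handling, device_hostname(cfg))
    print("anydata could carry this config:", anydata_requires_json(SAMPLE_XML_CONFIG))
```

The point the round trip makes is the one in the post: with a binary leaf the bootstrap server treats the configuration as opaque bytes and needs neither the device's YANG modules nor a JSON-to-XML converter, while the device receives exactly the encoding the operator submitted.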