[Netconf] zerotouch discussion (was: NETCONF call home and new port assignment)
Kent Watsen <kwatsen@juniper.net> Tue, 25 February 2014 20:27 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134E91A0763 for <netconf@ietfa.amsl.com>; Tue, 25 Feb 2014 12:27:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvPADMmDwkf4 for <netconf@ietfa.amsl.com>; Tue, 25 Feb 2014 12:27:08 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 336031A0789 for <netconf@ietf.org>; Tue, 25 Feb 2014 12:27:07 -0800 (PST)
Received: from mail3-ch1-R.bigfish.com (10.43.68.246) by CH1EHSOBE021.bigfish.com (10.43.70.78) with Microsoft SMTP Server id 14.1.225.22; Tue, 25 Feb 2014 20:27:05 +0000
Received: from mail3-ch1 (localhost [127.0.0.1]) by mail3-ch1-R.bigfish.com (Postfix) with ESMTP id 136212000BD; Tue, 25 Feb 2014 20:27:05 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT004.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -5
X-BigFish: VPS-5(z579ehzbb2dI98dI9371Ic89bh1432I4015Izz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h8275bh1de097hz2fh109h2a8h839h942he5bhf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255eh25cch1155h)
Received-SPF: pass (mail3-ch1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=kwatsen@juniper.net; helo=BL2PRD0510HT004.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(377454003)(24454002)(189002)(199002)(479174003)(164054003)(51704005)(85306002)(83506001)(87266001)(2656002)(87936001)(95416001)(69226001)(81342001)(81542001)(66066001)(80022001)(76482001)(54356001)(53806001)(77982001)(59766001)(4396001)(63696002)(47446002)(49866001)(47976001)(50986001)(74502001)(31966008)(74662001)(47736001)(65816001)(46102001)(54316002)(56776001)(51856001)(19580395003)(19580405001)(83322001)(80976001)(83072002)(85852003)(79102001)(56816005)(92566001)(90146001)(81686001)(74366001)(36756003)(93136001)(94946001)(81816001)(92726001)(93516002)(86362001)(94316002)(76796001)(76786001)(77096001)(95666003)(74876001)(76176001)(74706001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR05MB782; H:CO1PR05MB458.namprd05.prod.outlook.com; CLIP:66.129.241.13; FPR:AEF4DE29.98CAED8B.41D13D7B.46E1D660.203B2; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail3-ch1 (localhost.localdomain [127.0.0.1]) by mail3-ch1 (MessageSwitch) id 1393360024171994_19704; Tue, 25 Feb 2014 20:27:04 +0000 (UTC)
Received: from CH1EHSMHS013.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.245]) by mail3-ch1.bigfish.com (Postfix) with ESMTP id 1C9EE1E0054; Tue, 25 Feb 2014 20:27:04 +0000 (UTC)
Received: from BL2PRD0510HT004.namprd05.prod.outlook.com (157.56.240.101) by CH1EHSMHS013.bigfish.com (10.43.70.13) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 25 Feb 2014 20:27:00 +0000
Received: from DM2PR05MB782.namprd05.prod.outlook.com (10.141.179.142) by BL2PRD0510HT004.namprd05.prod.outlook.com (10.255.100.39) with Microsoft SMTP Server (TLS) id 14.16.411.0; Tue, 25 Feb 2014 20:26:51 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by DM2PR05MB782.namprd05.prod.outlook.com (10.141.179.142) with Microsoft SMTP Server (TLS) id 15.0.883.10; Tue, 25 Feb 2014 20:26:49 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.11]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.11]) with mapi id 15.00.0883.010; Tue, 25 Feb 2014 20:26:48 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "Reinaldo Penno (repenno)" <repenno@cisco.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, netconf <netconf@ietf.org>
Thread-Topic: zerotouch discussion (was: NETCONF call home and new port assignment)
Thread-Index: AQHPMmfoLPdNEnoLdEq1+39DEgWiEg==
Date: Tue, 25 Feb 2014 20:26:47 +0000
Message-ID: <CF326261.5FC3D%kwatsen@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.241.13]
x-forefront-prvs: 01334458E5
Content-Type: text/plain; charset="euc-kr"
Content-ID: <09BCD84D04BC4E468827D379ED1941DC@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/0hW1j9mIvYw_LR0qGyAva5b_qsc
Subject: [Netconf] zerotouch discussion (was: NETCONF call home and new port assignment)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 20:27:10 -0000
[subject line changed] On 2/25/14 12:06 PM, "Reinaldo Penno (repenno)" <repenno@cisco.com> wrote: >I have some comments on this draft. > >Since the draft proposes a ³cold² reverse connection I was expecting some >discussion on the traversal of middleboxes. Given folks that have been >deploying NMS implicitly take for granted that connections are always >inside->out, with the exception of SNMP traps, such a draft should assume >some pitfalls and suggest ways around them. In the case of SNMP for >example, the ³solution² is firewalls/NATs that implement SNMP ALG, but >even then, a first inside->outside connection is expected. Now I'm confused, by inside->outside you mean NMS->device, right? - this would be, for instance, an SP managing Internet routers, yes? If so, then I understand that static addressing is the norm, but automatic deployment (zerotouch) is still useful for initial discovery, at which point the device would likely have its call-home configuration removed and configuration enabling the NMS to login added. In either case, it's fair to say that it's implicit in the solution that the NMS is reachable using TCP. It won't do if the NMS is behind a NAT... >Some points to consider: > >- The NMS IP address downloaded from config server can not be behind a >firewall unless there is some pinhole or traversal method the device can >Use True, it is required the device be able to TCP to the NMS's IP address and port. >- If NMS is behind a NAT, the IP:port should be the outside and stable. Sure. >- In the worst case maybe configuration server (which theoretically could >be reached by both parties) could d server as a relay. I'm not following the need for middle-boxes - at least not in the solution defined by IETF. If a particular deployment needs middle boxes, then it can set them up and have the devices zerotouch to it instead of to the actual NMS - does that make sense? >- If a NAT exists between NMS and device, one can not assume registered >ports will be available. Therefore config server needs to be able to send >port information. This is already the case, ports can be specified in the ZeroTouch Configlet. >- Device should be prepared to check with configuration server is external >port has changed due to state being removed on the NAT. The solution is for the device to check with the configuration server *every* time it boots for a default factory configuration. In order for the device to receive a new value, the configuration server needs to be updated first and then the device rebooted again. Thanks, Kent
- [Netconf] zerotouch discussion (was: NETCONF call… Kent Watsen
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Kent Watsen
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Kent Watsen
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Kent Watsen
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Kent Watsen
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)
- Re: [Netconf] zerotouch discussion (was: NETCONF … Reinaldo Penno (repenno)