IETF Logo Mail Archive

Re: [Netconf] draft-ietf-netconf-zerotouch-21 feedback

Kent Watsen <kwatsen@juniper.net> Mon, 12 March 2018 18:36 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F341200F1 for <netconf@ietfa.amsl.com>; Mon, 12 Mar 2018 11:36:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id isgaaWSgXrEi for <netconf@ietfa.amsl.com>; Mon, 12 Mar 2018 11:36:01 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB1C126B7E for <netconf@ietf.org>; Mon, 12 Mar 2018 11:36:01 -0700 (PDT)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2CIP6Hc011302; Mon, 12 Mar 2018 11:36:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=dlVodCBF42k8nS0yXI9bjEnkfEEy3Y5mqNoEIbdJDLA=; b=ezoss1tzpiHGY0JGnlDCZ2aSEAwWti7at+hTTxRX9Ad0J8HZpAg+bFPcWrkBSqOc0lsO zytHGETsGuAKE2oVwWH/rmz4G384tzFn7TArNwr7IQi+2YQmiRJOTJi576LtLnC2SiLS 6hzc54arnwCXxx4unfCark4d6Oq7uaSrh1g/KHDIa1+WnYvbfQ48j+hMqRHuF8DZA5x4 Fsxa8Nj69ue+DSR0kwWzB8QbRhtMb6zLxoN8xDvwbi9yWVgYvh6yxgbuPAxpTcAksDWf 9GiR5sjtAKVCzvZHRdlj257nn6miLPb4/NpPj4Q/yFyvZy9QC2YDnfBxL/HgP4GBsDfz 0g==
Received: from nam01-bn3-obe.outbound.protection.outlook.com (mail-bn3nam01lp0178.outbound.protection.outlook.com [216.32.180.178]) by mx0a-00273201.pphosted.com with ESMTP id 2gnxqh00xg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 12 Mar 2018 11:36:00 -0700
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3514.namprd05.prod.outlook.com (10.174.242.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.588.7; Mon, 12 Mar 2018 18:35:58 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::d13e:bdcf:3798:c34f]) by DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::d13e:bdcf:3798:c34f%2]) with mapi id 15.20.0588.013; Mon, 12 Mar 2018 18:35:58 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Tarko Tikan <tarko@lanparty.ee>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] draft-ietf-netconf-zerotouch-21 feedback
Thread-Index: AQHTuKJS4H3M9M3UeU67f5nGH6uty6PMrZiA
Date: Mon, 12 Mar 2018 18:35:58 +0000
Message-ID: <7B96ECE5-75EF-4DFF-A6E8-39AD5E96C879@juniper.net>
References: <4dbe32ed-7469-7469-cd46-aee06bb2c79c@lanparty.ee>
In-Reply-To: <4dbe32ed-7469-7469-cd46-aee06bb2c79c@lanparty.ee>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.12]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3514; 7:zye5ogv14NkNdNHTtO+VvCOGOvZmcDbyqjrBlULuCCPoMrdsYrFdTNEdMQXbzDPmGGC+gX41QLb8l56XrBRSGFZG9gT0CAcvuonDdx2L7W9ZnD8YEzVn8bZWFNNXcQWOv13oVA8LEDHNC+CqCl4QIzVgFL4MzNNvhX9IkTwWhuGoICQWGKwZ35lLaWe/4L29E/v+AKE7BCeSZuBE5SFcLEjL8egR7zujStnCDKFcrdTuZfCCUwk+cVTTrwnvAcjh
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 24d7b1e5-9714-4cd3-7ca7-08d588481913
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:DM5PR05MB3514;
x-ms-traffictypediagnostic: DM5PR05MB3514:
x-microsoft-antispam-prvs: <DM5PR05MB351423B2B123A6FEC932CBA8A5D30@DM5PR05MB3514.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231220)(944501244)(52105095)(6055026)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(6072148)(201708071742011); SRVR:DM5PR05MB3514; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3514;
x-forefront-prvs: 06098A2863
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(366004)(39380400002)(39860400002)(51914003)(199004)(189003)(5660300001)(110136005)(229853002)(186003)(3846002)(102836004)(105586002)(8936002)(97736004)(76176011)(2906002)(316002)(86362001)(26005)(68736007)(99286004)(36756003)(6506007)(2900100001)(7736002)(3280700002)(25786009)(2950100002)(106356001)(6436002)(6246003)(478600001)(83716003)(6116002)(66066001)(3660700001)(5250100002)(2501003)(6486002)(305945005)(81166006)(81156014)(8676002)(53936002)(33656002)(6512007)(58126008)(14454004)(82746002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3514; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: t1COISLgBcvza4IGO4DoO+ZlFPwPiAPNf0fn318oXyyqIuikruUX7cfLl7yNWBVstUp+T9t1i15ef8cE2+4jA45aMtAwWrRMK86Hb/PXvXR755J2swyFPi+/lVUF2Fk/31fZYyRXZyPPSBmBruWwYyGLx48RTWXhQ2Nfy3za5A3LcPxO1J/l4IXnS5CtPmXZoxzG02dfQ6eu/oj8Enj4IBxpfBPwGXiA632LZlJiBFYhur920XjHeepeuJJmpc7mn1Erk91O54TSKwshT59g/46gq1GCB8vbEMBxZzNvoTXXp/ZWXYSVgFnHPxUyF7NYtxChuhSM6Wn0Bhy91QoWwg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <A4C15613EB53D844BD29F3E28985DC8B@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 24d7b1e5-9714-4cd3-7ca7-08d588481913
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2018 18:35:58.2054 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3514
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-12_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803120206
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5uhRmuce9p0ZYGJwfwSTKfUfxBw>
Subject: Re: [Netconf] draft-ietf-netconf-zerotouch-21 feedback
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2018 18:36:04 -0000

Hi Tarko,


> I was pointed towards this draft during a discussion around operational 
> problems in current ZTP world. This is my feedback from mid-sized SP who 
> would like to use this draft as soon it is implemented.

Thanks for the feedback.


> 1) Not many SPs buy their higher-end devices (used for enterprise 
> services, L3VPNs etc.) in big quantities. Due to smaller quantities, 
> they are not available customized from the manufacturer. Hence the
> need for proper ZTP.

Sounds familiar.


> 1.1) Many times the devices are bought via distributors without direct 
> interaction between manufacturer and SP.

Understood.  The draft doesn't standardize an ownership-tracking solution.
It is left to the manufacturers to devise a strategy that works well with
how their devices are sold and used.


> I might be mistaken but currently it looks like secure bootstrap is not 
> possible without properly precustomized devices. If hw-model, os-name 
> etc. are not sent in get-bootstrapping-data in untrusted mode it becomes 
> impossible to generate correct configuration for the device.

I'm curious what you mean by the first sentence.  Looking to the 2nd
sentence for clues, be aware that those three input parameters are
optional and only needed in select cases.  When get-bootstrapping-data is 
sent to an untrusted bootstrap server, the primary input is the device's
authentication credentials (e.g., TLS-level client certificate) with
which the bootstrap server can use to return signed data.  Please take 
a look at Appendix A (Promoting a Connection from Untrusted to Trusted).


> 2) Currently used ZTP interface information should be sent in 
> get-bootstrapping-data. Minimally ifName and vlan ID (for the scenarios 
> where ZTP DHCP client sends out DHCP discovery on all 4k vlan IDs).
>
> This is required for devices that might have multiple ZTP capable 
> interfaces (router with DSL and SFP interface for example) and it's not 
> known which interface might be used during installation. Without this 
> information it again becomes impossible to generate correct 
> configuration for the device.

I see.  One or more additional input parameters would be needed to 
address this.  Do you think a single parameter "interface" (the name
of the ZTP interface used) would suffice, or perhaps a generic "opaque"
parameter for a vendor-specific text format would be more flexible?
Currently, if needed, vendors could define a vendor-specific parameters
but, of course, that could affect interoperability - as not all bootstrap
servers will handle the additional input the same way.


> 3) zerotouch/enabled? MUST be restored to "true" when device is 
> reset to factory config using a push-button or CLI command. There 
> have been negative examples where even factory default customization
> is wiped clean during the push-button factory reset.

True, and it is the intention of the draft to enable devices to be
"reset" in the field, thereby returning them to their initial states,
as described in Section 5.   Perhaps the draft isn't saying this 
clearly enough?  Please let us know which section you were looking
at when thinking this.


> Thanks to the authors for the work, it's good to see work being done in 
> this, still operationally problematic, area.

Cheers,
Kent

> -- 
> tarko

v2.23.0 | Report a Bug | By Email