Re: [Netconf] few comments on zerotouch-13
Andy Bierman <andy@yumaworks.com> Wed, 10 May 2017 20:04 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9C5B129571 for <netconf@ietfa.amsl.com>; Wed, 10 May 2017 13:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwhZsF0S6Wal for <netconf@ietfa.amsl.com>; Wed, 10 May 2017 13:04:39 -0700 (PDT)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A78771250B8 for <netconf@ietf.org>; Wed, 10 May 2017 13:04:38 -0700 (PDT)
Received: by mail-wr0-x22f.google.com with SMTP id w50so5029093wrc.0 for <netconf@ietf.org>; Wed, 10 May 2017 13:04:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ERP1HXP4vuKy3Ouo6frk6hK3CgNNnwW2mB44lbsCRLk=; b=Q2bTSu1fre7X91YDfe57lXeXuP5CCNVz2b1cz5jEH0B130DNrf2jlLqwrYPr9oibUA f1m0vgwds5X3XWmfXdM8sbsiu9aFDNRaTr/e5SBImiGpjx6gIGeHLAbjgz3GoyrSleht uIpevE7SfRpXctGLZCnOZdczdgYW++h+HhDQbB1c5fCDmTcjVq3u5O6fm9Qn5a3yw8WE R0F/pVThkAKdDedTDEDJTLtftnnp8ZqzGMvKqEO4T3Jrio1xrnXheuWfKVMgyGvdnxot VMARN8wMK8haFmtsA27LEmtSM7giOaFGQn0sxJC0Rv23J3pivOvt1CDKwF+UmEuQAIwz 3bqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ERP1HXP4vuKy3Ouo6frk6hK3CgNNnwW2mB44lbsCRLk=; b=bso+ahgaH6RXucT3Tg0yrWrZw9u92CohCfj9kZA0xOSeU9iaZ2ciCf6cmySYYLQFLC G7qvS+KpAIjfflGXh+gs3o7hx8ogU206jJpJbEsFwWHq4vuHZva/zGPLSB1Bx/qzPGkP pvguIgP5dsv7tzsL/+blEkv5cJGaRRfSY2bwgHNccSPEDE5hCDVdeugutdUxEKYY9wbl 7fhnKrhZGeDJQYFjLwyTFQais0OfoqragkPLhL5cilOoHkEPy9WD21DbGkE377rrFOpZ bMKDhuCKI4l/i4MfUBisnU0g7YZef8eiIFbFST683HN+65dIuvUPR7NtpwfqtKpDU1Rw 1Z4g==
X-Gm-Message-State: AODbwcDPYb2zM4AvCjJvrz9ykkFNSGGBq2IG0ae6+7I/f8xS1G2gEGyb l/hHniO0caE7CmpSs180BP7iGx0O4w==
X-Received: by 10.223.161.70 with SMTP id r6mr4738124wrr.65.1494446677117; Wed, 10 May 2017 13:04:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Wed, 10 May 2017 13:04:36 -0700 (PDT)
In-Reply-To: <3BBA9B41-796E-4521-8748-B0E231A3CEEC@juniper.net>
References: <CABCOCHT1WxXR5EuaDGbXBjQ6qq_FZJ2Ac=rS_0GC2D6kMAZ_0A@mail.gmail.com> <920E9BCF-670B-434C-8D62-85F77D7B9A8C@juniper.net> <CABCOCHQqhVtPB9aSgm+v7pM8ScRwApfZts+wB7C-yJ0w5K+yKg@mail.gmail.com> <3BBA9B41-796E-4521-8748-B0E231A3CEEC@juniper.net>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 10 May 2017 13:04:36 -0700
Message-ID: <CABCOCHQSg6J9KYinu2pFzmxDx_TwONjnyheew1EpdgRSHDHnVQ@mail.gmail.com>
To: Kent Watsen <kwatsen@juniper.net>
Cc: Netconf <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045e274a53664d054f30fb00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/cQzshq6u37XG43eCjSKnyVdL4YI>
Subject: Re: [Netconf] few comments on zerotouch-13
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 20:04:41 -0000
On Wed, May 10, 2017 at 12:51 PM, Kent Watsen <kwatsen@juniper.net> wrote: > > > > > > I guess I will wait to see an open-source implementation to see how this > draft works. > > > > An odd response. Did I not answer your questions? > > > I don't see any mention of the "notification" action in sec. 7. There are no examples of actual messages in sec. 7 > > Andy > > > > Kent > > > Andy > > > > > On Tue, May 9, 2017 at 4:00 PM, Kent Watsen <kwatsen@juniper.net> wrote: > > Hi Andy, > > > > > I am trying to understand the zerotouch draft. > > > > > > I find it to be very implementation-specific, and not suited for > > > modular servers. > > > > What do you mean by modular servers? I can tell you that it has been > implemented on a Juniper device that is internally a composition of virtual > machines and containers. For this device, the "software image" contains > also the software for the other components as well. If this isn't > suitable, then the pre-configuration script can be used to cover other > cases. > > > > > > > The container bootstrap-information only supports a monolithic server > image. > > > > True, but see above comment. Putting software images to the side > momentarily, how is this modular server managed, does it have a single > NC/RC interface? > > > > > > > It is assumed the entire configuration (modules, features, deviations, > etc) > > > is irrelevant because it is hard-coded into the monolithic boot image. > > > > I'm not 100% sure what this means, but I don't think it's true. > > > > > > > What if a server is modular and the YANG modules, revisions, features, > and deviations > > > come from a bootstrap library config instead of hard-wired into a static > image? > > > This does not seem to be supported at all. > > > > In the world of *zero* touch, I think that it is very safe to say that > devices in their factory default setting have a known/static initial > state. Certainly, the server can install some add-on packages that grow > the number of modules it supports. Juniper does this also. The > pre-configuration script is well suited to installing such add-on packages, > that is, just before the device attempts to commit the configuration, which > may attempt to configure these add-on packages. > > > > > > > All the generic script stuff seems very implementation-specific as well. > > > > How is "generic" implementation-specific? ;) Of course, if the device > can't support executing scripts, then it's options are limited. For what > it's worth, we didn't have scripts at first, but one operator interaction > caused us to add the post-configuration script and another > operator-interaction caused us to add the pre-configuration script. This > just goes to show that the scripts are useful, but not needed in all use > cases. > > > > > > > I don't see the standards value of supporting pre and port bootstrap > scripts > > > using an opaque scripting language. Why isn't this just part of the > > > opaque bootstrap sequence? Why is it configurable? > > > > What is "opaque bootstrap sequence"? How else would the device obtain > these scripts? Why aren't the scripts part of the initial configuration? - > because the scripts are only executed during the zerotouch bootstrapping > process, they have no general value in the ongoing management of the device. > > > > > > > Extra must-stmt: > > > > > > leaf owner-certificate { > > > type pkcs7; > > > must "../zerotouch-information" { > > > > > > The zerotouch-information leaf is mandatory true so the must-stmt is not > needed. > > > > Right you are. There used to be an optional field called "signature" that > this must expression used to depend on, but the signature was rolled into > the new zerotouch-information pkcs7 artifact, and I didn't catch this when > moving things around. > > > > > > > Action notification: > > > What is the protocol interaction model for this action? > > > Who invokes it? Why are the NETCONF error-tag status values ignored and > hard-coded > > > status values like 'parsing-error' and 'post-script-error' used? > > > It looks like config is being passed in container ssh-host-keys and > container trust-anchors. > > > > This action emulates the device sending RC notifications, which it can't > do here because the device is the RC-client (the bootstrap server is the > RC-server). So this action is used to workaround this (note: RPCs have > been used to deliver notifications by many other protocols). This action > is invoked only by the device (recall, ietf-zerotouch-bootstrap-server > only defines a device-facing RC API, only devices are ever expected to use > it). > > > > I don't believe that any error-tags are ignored or hard-coded, in > particular, if the device's invocation of the action causes an error on the > bootstrap server, I'd expect a standard RC error to be returned. That > said, I think you're referring to the "notification type" enumeration, > which has values like 'parsing-error' and 'post-script-error'. What's > wrong with these? > > > > Yes, the special notification "bootstrap-complete" can pass the device's > SSH host key and/or TLS server certificate. How the bootstrap server > consumes these values depends on implementation. In some cases, I've seen > the bootstrap server save these values and, in other cases, I've seen the > bootstrap server pass these values to an NMS so that it can save the > values. In either case, the ability for the device to pass these values is > critical from a security perspective in some scenarios. > > > > > > > Is the 'device-list' normal config=false data that is present on the > server? > > > > Again, this module only defines a "southbound" API from the bootstrap > server to devices. Surely one can imagine the bootstrap server also having > a "northbound" API whereby it can be configured and thus affect what data > is visible to devices, but that API is out of scope for this I-D. Makes > sense? > > > > > > > And only accessible via a normal NETCONF or RESTCONF session, after the > device > > > has booted OK? > > > > I'm not sure what this means. > > > > > > Kent > > > > >
- [Netconf] few comments on zerotouch-13 Andy Bierman
- Re: [Netconf] few comments on zerotouch-13 Kent Watsen
- Re: [Netconf] few comments on zerotouch-13 Andy Bierman
- Re: [Netconf] few comments on zerotouch-13 Kent Watsen
- Re: [Netconf] few comments on zerotouch-13 Andy Bierman
- Re: [Netconf] few comments on zerotouch-13 Kent Watsen