Re: [Netconf] I-D Action: draft-ietf-netconf-zerotouch-27.txt

Kent Watsen <kwatsen@juniper.net> Sat, 05 January 2019 03:07 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Sat, 05 Jan 2019 03:07:07 +0000
Message-ID: <501EE9BF-16B3-4861-90D7-0E34D6564065@juniper.net>
References: <154665696826.18401.5716044693185840445@ietfa.amsl.com>
In-Reply-To: <154665696826.18401.5716044693185840445@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/cVwlVJU1U6guPcP5xlPLuinxiX4>
Subject: Re: [Netconf] I-D Action: draft-ietf-netconf-zerotouch-27.txt
List-Id: Network Configuration WG mailing list <netconf.ietf.org>

Below is the Change Log. Mostly items from Benjamin Kaduk's review.
The last couple items are from what I mentioned in my email on the 21st.

- Added Security Consideration for cascading trust via redirects.
- Modified the get-bootstrapping-data RPC's "nonce" input parameter
  to being a minimum of 16-bytes (used to be 8-bytes).
- Added Security Consideration regarding possible reuse of device's private key.
- Added Security Consideration regarding use of sign-then-encrypt.
- Renamed "Zero Touch"/"zerotouch" throughout. Now uses "SZTP" when referring
  to the draft/solution, and "conveyed" when referring to the bootstrapping artifact.
- Added missing text for "encrypted unsigned conveyed information" case.
- Renamed "untrusted-connection" input parameter to "signed-data-preferred".
- Switched yd:yang-data back to rc:yang-data.
- Added a couple features to the bootstrap-server module.

Kent // contributor


-----Original Message-----
From: Netconf <netconf-bounces@ietf.org> on behalf of "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Reply-To: NETCONF Working Group <netconf@ietf.org>
Date: Friday, January 4, 2019 at 9:56 PM
To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Cc: NETCONF Working Group <netconf@ietf.org>
Subject: [Netconf] I-D Action: draft-ietf-netconf-zerotouch-27.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration WG of the IETF.

        Title           : Secure Zero Touch Provisioning (SZTP)
        Authors         : Kent Watsen
                          Mikael Abrahamsson
                          Ian Farrer
        Filename        : draft-ietf-netconf-zerotouch-27.txt
        Pages           : 96
        Date            : 2019-01-04

Abstract:
   This draft presents a technique to securely provision a networking
   device when it is booting in a factory-default state.  Variations in
   the solution enable it to be used on both public and private
   networks.  The provisioning steps are able to update the boot image,
   commit an initial configuration, and execute arbitrary scripts to
   address auxiliary needs.  The updated device is subsequently able to
   establish secure connections with other systems.  For instance, a
   device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040)
   connections with deployment-specific network management systems.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netconf-zerotouch/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-27
https://datatracker.ietf.org/doc/html/draft-ietf-netconf-zerotouch-27

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-zerotouch-27


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
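The change log above raises the floor on the get-bootstrapping-data "nonce" input from 8 to 16 bytes. The Python below is an added example, not code from the draft, its authors, or anyone in this thread. It shows the device side (drawing a CSPRNG nonce and building the JSON-encoded RPC input, with "signed-data-preferred" present) and the bootstrap-server side (decoding the nonce and rejecting anything under 16 bytes), plus the device's freshness check that the signed data echoes the nonce it sent. The YANG module name `ietf-sztp-bootstrap-server`, the exact JSON layout, treating the nonce as optional on the server side, and the assumption that the echoed nonce is read from the returned ownership voucher are this example's own assumptions, not statements from the message.

```python
"""Nonce handling for the SZTP get-bootstrapping-data RPC (added example)."""
import base64
import binascii
import json
import secrets

# Draft -27 raised the minimum nonce length from 8 to 16 bytes (change log above).
NONCE_MIN_BYTES = 16

# ASSUMPTION: module name used for the JSON-encoded RPC input; not from the page.
RPC_INPUT_KEY = "ietf-sztp-bootstrap-server:input"


def make_nonce(length: int = NONCE_MIN_BYTES) -> bytes:
    """Device side: draw a fresh nonce from the OS CSPRNG (secrets, never random)."""
    if length < NONCE_MIN_BYTES:
        raise ValueError(f"nonce must be at least {NONCE_MIN_BYTES} bytes")
    return secrets.token_bytes(length)


def build_request(nonce: bytes, hw_model: str, os_name: str, os_version: str,
                  signed_data_preferred: bool = True) -> str:
    """Device side: JSON body for get-bootstrapping-data.

    YANG 'binary' leaves are base64 in JSON; the 'signed-data-preferred' leaf
    is of type 'empty', which RFC 7951 encodes as [null].
    """
    params = {
        "hw-model": hw_model,
        "os-name": os_name,
        "os-version": os_version,
        "nonce": base64.b64encode(nonce).decode("ascii"),
    }
    if signed_data_preferred:
        params["signed-data-preferred"] = [None]
    return json.dumps({RPC_INPUT_KEY: params})


def parse_request_nonce(body: str):
    """Bootstrap-server side: extract the nonce and enforce the 16-byte floor.

    Returns the raw nonce bytes, or None when the (optional, by this example's
    assumption) nonce is absent. Raises ValueError on malformed input so the
    server returns an error instead of signing data bound to a short,
    guessable nonce.
    """
    try:
        params = json.loads(body)[RPC_INPUT_KEY]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed get-bootstrapping-data input") from exc
    if not isinstance(params, dict):
        raise ValueError("malformed get-bootstrapping-data input")
    if "nonce" not in params:
        return None
    try:
        raw = base64.b64decode(params["nonce"], validate=True)
    except (binascii.Error, TypeError) as exc:
        raise ValueError("nonce is not valid base64") from exc
    if len(raw) < NONCE_MIN_BYTES:
        raise ValueError(f"nonce too short: {len(raw)} < {NONCE_MIN_BYTES} bytes")
    return raw


def nonce_is_fresh(sent: bytes, echoed: bytes) -> bool:
    """Device side: signed data counts as fresh only if it echoes our nonce.

    ASSUMPTION: the echoed value is read from the returned ownership voucher's
    nonce leaf. A constant-time compare avoids a timing side channel.
    """
    return secrets.compare_digest(sent, echoed)


if __name__ == "__main__":
    # Constructed sample exchange: device builds the request, server checks it.
    nonce = make_nonce()
    body = build_request(nonce, "example-model", "example-os", "1.0")
    accepted = parse_request_nonce(body)
    print("server accepted nonce:", accepted == nonce, nonce.hex())
    print("fresh against itself:", nonce_is_fresh(nonce, accepted))
    print("fresh against another:", nonce_is_fresh(nonce, make_nonce()))
```

The server-side check is the one that matters for the draft's security consideration: a nonce shorter than the floor is rejected before any signing happens, rather than silently accepted and signed into a voucher that could later be replayed.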
