IETF Logo Mail Archive

Re: [Netconf] draft-ietf-netconf-zerotouch-21 feedback

Kent Watsen <kwatsen@juniper.net> Mon, 19 March 2018 11:54 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD121275F4 for <netconf@ietfa.amsl.com>; Mon, 19 Mar 2018 04:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6mGci4E-p7BT for <netconf@ietfa.amsl.com>; Mon, 19 Mar 2018 04:54:17 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 510A9124234 for <netconf@ietf.org>; Mon, 19 Mar 2018 04:54:17 -0700 (PDT)
Received: from pps.filterd (m0108160.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2JBn7s1028584; Mon, 19 Mar 2018 04:54:16 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=4apf8+9qoiUuUMdHx7/hDSOMxOM7E2ehg62Y+5aRwho=; b=JdDMhJdq1F3HtRaG9g9FPHX4M+iZzr4iybjQP1oUH8JsYdYoqdgGLugCJ7ojc52BgGnz jeNPcwrQ+owmSuB/XLQhgZ7jCfmFehWj5SUm2/5iBcQPjephJZ88pqn6kcLGfhjS52Yk Mf76MyNzrnQDyyFK9eeqhP4wFW93/2EVA8Mt79bTKxjKOKtEM6x89ylI1GzItYgE6Ig8 rHyQkMl8959dKWayuKiAPAm9A+r1pEdXB4VCwyCkbwCvokbbmzmbANrbz63wDYVEp3x7 m022aC1g34ygGKvDIkF8cAVy/SCVmjAd4u2NKmmm3pRWaO/syoLFP+eQLJBWc7rFwwbr jQ==
Received: from nam01-sn1-obe.outbound.protection.outlook.com (mail-sn1nam01lp0114.outbound.protection.outlook.com [207.46.163.114]) by mx0b-00273201.pphosted.com with ESMTP id 2gtb3b84ea-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 19 Mar 2018 04:54:15 -0700
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3289.namprd05.prod.outlook.com (10.174.191.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.609.6; Mon, 19 Mar 2018 11:54:14 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::d13e:bdcf:3798:c34f]) by DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::d13e:bdcf:3798:c34f%2]) with mapi id 15.20.0609.009; Mon, 19 Mar 2018 11:54:14 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Tarko Tikan <tarko@lanparty.ee>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] draft-ietf-netconf-zerotouch-21 feedback
Thread-Index: AQHTuKJS4H3M9M3UeU67f5nGH6uty6PMrZiAgAm50YCAARlRgA==
Date: Mon, 19 Mar 2018 11:54:14 +0000
Message-ID: <C57BA401-C81D-40C2-8D41-6D650F911B73@juniper.net>
References: <4dbe32ed-7469-7469-cd46-aee06bb2c79c@lanparty.ee> <7B96ECE5-75EF-4DFF-A6E8-39AD5E96C879@juniper.net> <ed540b4c-7ad5-3085-6e48-1f1b3ee47f8f@lanparty.ee>
In-Reply-To: <ed540b4c-7ad5-3085-6e48-1f1b3ee47f8f@lanparty.ee>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [193.110.55.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3289; 7:ScR7cKlwdK1A5RUveakhYUHW7XxtPbe6rdoo6xRsnx2B5vTWm55iuitzviKQue00ShpUaWvOwupeB74NR4cQ1MgJTRtCp8UPUtgCsDGf7QrV9TrDubnSD4y326KCe+/QKr3VhoEtM4bajs29kvtmVJgoqH84U6rVb23k/3S1QBEjioxrLbSxhmwLHAV/OlK6HK9x+jnwWgqQRILOoBK7/af5CF5eeBhAZdgI8CD/McvFykszJsxRquH8GYFnje+l
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 776fbd76-7f1c-4ed3-2f4d-08d58d9022c4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:DM5PR05MB3289;
x-ms-traffictypediagnostic: DM5PR05MB3289:
x-microsoft-antispam-prvs: <DM5PR05MB32895759CB2C3D1D0067EA76A5D40@DM5PR05MB3289.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231221)(944501300)(52105095)(3002001)(93006095)(93001095)(10201501046)(6055026)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(6072148)(201708071742011); SRVR:DM5PR05MB3289; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3289;
x-forefront-prvs: 06167FAD59
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39380400002)(346002)(396003)(39860400002)(199004)(189003)(40224003)(83716003)(106356001)(305945005)(105586002)(14454004)(97736004)(68736007)(81166006)(81156014)(5660300001)(6512007)(2900100001)(102836004)(6486002)(6116002)(3846002)(26005)(53936002)(6246003)(229853002)(8936002)(7736002)(2906002)(2501003)(316002)(478600001)(99286004)(110136005)(5250100002)(82746002)(66066001)(6506007)(186003)(3280700002)(5890100001)(3660700001)(2950100002)(76176011)(8676002)(6436002)(58126008)(59450400001)(86362001)(36756003)(25786009)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3289; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 8/aqqDJZQeCKn/lVDFQO3PvBkklpz4r3upK0+N3lWHAbQ9Rt501+ErcMQ+KH7qc0tIbn+lFjPIg0rpI3P6IhwfHCRXMdYFMdXUQoYqFLtqNagCbzDR5JEdmn0T4M6hQlPtJ1YCCsyDEdHydmXbe8WSUXaMSQpaQ5lg8R9fqNUk++NAYP7kOg22b/RWyBCZxKJZi38A03vH9KGsxixjgNV7sEiX+6RKs5vLEcMcjbud4l6R6yTSSAt/0LXcULCCSHxlTMQXpmaso9yea5gUAu2auR5o/WgEdsvSWFmeoJUsrpQFOdBZjGfKBk75DyoBKbRyRL0MYrQ+oZjSiCM8NOVw==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <D6C331B76A4CD1429F7D3601F13E722A@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 776fbd76-7f1c-4ed3-2f4d-08d58d9022c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2018 11:54:14.0542 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3289
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-19_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803190141
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/guM4LQtztYMSd6sS2zlX3shLduA>
Subject: Re: [Netconf] draft-ietf-netconf-zerotouch-21 feedback
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 11:54:19 -0000

Hi Tarko,

>>> I might be mistaken but currently it looks like secure bootstrap is not
>>> possible without properly precustomized devices. If hw-model, os-name
>>> etc. are not sent in get-bootstrapping-data in untrusted mode it becomes
>>> impossible to generate correct configuration for the device.
>> 
>> I'm curious what you mean by the first sentence.  Looking to the 2nd
>> sentence for clues, be aware that those three input parameters are
>> optional and only needed in select cases.  When get-bootstrapping-data is
>> sent to an untrusted bootstrap server, the primary input is the device's
>> authentication credentials (e.g., TLS-level client certificate) with
>> which the bootstrap server can use to return signed data.  Please take
>> a look at Appendix A (Promoting a Connection from Untrusted to Trusted).
>
> Well I'm worried about the implications of the trust model. Getting the 
> owner CA trust anchor onto the devices from factory would be as 
> complicated as todays ZTP. Getting ownership vouchers from the 
> manufacturer is better but from practical perspective it would be best 
> if there would be insecure mode where device blindly trusts whatever is 
> served by bootstrapping server.

This draft does not enable putting an "owner CA trust anchor" on a device
from manufacturing.  Section 5.1 describes devices possessing a list of 
trust anchor certs for *well-known* bootstrap servers and issuers of 
ownership vouchers.  By well-known, we mean something along the lines 
of a MASA (manufacturer assured signing authority), not a deployment-
specific trust anchor for a specific owner.

Insecure zero touch bootstrapping mechanisms have been available for some
time.  What's new with this work is that it is secured.  There cannot be 
an insecure mode, as that would then enable a degradation-attack, whereby
the attacker blocks the device from reaching secured resources, causing 
the device to ultimately land on an insecure resource the attacker controls.

Looking at the above, it seems that your concern hasn't been addressed
yet or, perhaps stated more accurately, I haven't understood it yet.  Can
you try stating it another way?




>>> 2) Currently used ZTP interface information should be sent in
>>> get-bootstrapping-data. Minimally ifName and vlan ID (for the scenarios
>>> where ZTP DHCP client sends out DHCP discovery on all 4k vlan IDs).
>>>
>>> This is required for devices that might have multiple ZTP capable
>>> interfaces (router with DSL and SFP interface for example) and it's not
>>> known which interface might be used during installation. Without this
>>> information it again becomes impossible to generate correct
>>> configuration for the device.
>> 
>> I see.  One or more additional input parameters would be needed to
>> address this.  Do you think a single parameter "interface" (the name
>> of the ZTP interface used) would suffice, or perhaps a generic "opaque"
>> parameter for a vendor-specific text format would be more flexible?
>> Currently, if needed, vendors could define a vendor-specific parameter
>> but, of course, that could affect interoperability - as not all bootstrap
>> servers will handle the additional input the same way.
>
> The first concern is ZTP in general so it'll do even if it is vendor 
> specific. But such things tend to be forgotten by vendors and if the 
> interface parameter is optional then we might end up in the same 
> situation as today - ZTP exists on paper but unusable in real life 
> unless you can directly map device serial number to intended role.
>
> It would be tempting to make it a single parameter filled with ifName of 
> relevant interface. But that would be problematic in cases where device 
> sends DHCP discoveries with all possible VLAN IDs while the subinterface 
> for that VLAN might not exist. So when interface parameter is filled 
> with ge-0/0/0 for example but vlan 123 is in use, the parameter should 
> say ge-0/0/0.123.

SZTP is usable in real life today, but there is the expectation that, for
devices with multiple interfaces, that a specific port would always be 
used, at least within that owner's organization.  This works pretty well,
but there are cases where optional hardware (i.e., an LTE modem) might
be attached, which can introduce variability in the initial configuration
that should be pushed to the device.  This draft addresses this (kind of)
via the "hw-model" input parameter and name-mangling (e.g., srx250-lte).
This is a little bit hacky, but trying to come up with something better
was more complicated than I wanted to get into at this time.  Vendor-
specific input parameters can be used now, if needed.

Regarding VLANs, I haven't seen this as a problem yet, and I'm not sure
why.  Perhaps it just hasn't come up with the range of devices that I've
been working with though all, I think without exception, support VLANs.
Maybe it has to do with how the devices are deployed (e.g. as an access
gateway) and so VLAN isn't an issue, or maybe deployments have use an
untagged VLAN interface.

I'm unclear how big of an issue this is.  What I see most is that the
NMS has a model of the network and thus knows in advance what initial
configuration individual devices need.  Consider the case where the 
initial config is placed onto a removable storage device, such that
the NMS has to anticipate what the device needs.  

You started this saying that the device may have multiple ZTP capable
interfaces and it's not known which interface might be used during 
installation.  It's important to note that SZTP-itself doesn't care
which interface is used to get the bootstrapping data (it can even
be read off a removable storage device).  What matters is what 
interface(s) the initial config needs to configure, which may not
necessarily be the same as the interface used for the SZTP call.
My claim is that this is fairly predictable within a deployment, 
such that canned responses work great.  Can you provide a more 
concrete example where this doesn't work?



>>> 3) zerotouch/enabled? MUST be restored to "true" when device is
>>> reset to factory config using a push-button or CLI command. There
>>> have been negative examples where even factory default customization
>>> is wiped clean during the push-button factory reset.
>> 
>> True, and it is the intention of the draft to enable devices to be
>> "reset" in the field, thereby returning them to their initial states,
>> as described in Section 5.   Perhaps the draft isn't saying this
>> clearly enough?  Please let us know which section you were looking
>> at when thinking this.
>
> I was reading 5.1 when I thought about that. I mentioned this because I 
> have seen situations where devices will end up in some limbo state after 
> factory reset even when they were ZTP capable from the factory. IMHO if 
> someone claims they support draft-ietf-netconf-zerotouch then their 
> devices MUST return to zerotouch/enabled?=true in every factory reset 
> situation imaginable.

Agreed, and I think Section 5.1 is saying this, albeit perhaps not clearly
enough.  Could you provide the OLD/NEW text that you'd like to see there?


Kent // contributor

v2.23.0 | Report a Bug | By Email