Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Kent Watsen <kwatsen@juniper.net> Mon, 14 January 2019 20:43 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Adam Roach <adam@nostrum.com>, Dave Crocker <dcrocker@bbiw.net>, Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 14 Jan 2019 20:43:28 +0000
Message-ID: <A1F059FB-5229-45B9-9EBB-CF60B78FF454@juniper.net>
References: <35A436B3-5D57-4015-A51E-5F9A1E349D31@juniper.net> <DAC627AC-8453-41D2-B95C-BC25746E66C1@juniper.net> <cc5adc78-6751-fabf-03d2-e0c65f8a6c91@bbiw.net> <F844EDFB-3E15-47FB-A714-06363B996FC2@juniper.net> <42cddba1-9f59-f19f-176f-197f0c0c0c96@bbiw.net> <32cfe06c-8204-a63a-263d-cb5b30a7a2fc@nostrum.com> <20190110183444.GN28515@kduck.mit.edu> <0CDD631D-47A4-4478-A250-85603C653D23@juniper.net> <f9e64452-a2e1-fb18-80b1-b2c5fa9c54ac@nostrum.com> <3ABB2B04-DB2C-4E2C-86C7-40D83D440DFB@juniper.net> <20190112005406.GU28515@kduck.mit.edu>
In-Reply-To: <20190112005406.GU28515@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/hCItEw93iXCCuKLGq9glF9jNth8>

Hi Ben,

>>   I just posted -28 to address this last COMMENT.
>>   Please review to see how it can be improved.
>> 
>>   The draft no longer says it uses DNS-SD and it
>>   now registers "_sztp" in DNS Underscore Global
>>   Scoped Entry Registry.
>>   
>>   Here's a direct link to updated/new sections:
>>    - https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-28#section-4.2
>>    - https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-28#section-10.7
>
> Thanks, this seems to be a fine resolution of the issues.

Great!


> While looking at the diff, I managed to confuse myself as to where it is
> specified how the device serial number is encoded in the identity
> certificate (so that we are confident that that encoding is usable as a
> DNS label).  Am I correct in assuming that that's in 802.1AR?  (Also, the
> URL in the -28 gave me a 404, and I ended up at
> https://standards.ieee.org/standard/802_1AR-2018.html by searching.)

Yes, that is the correct URL.  I've fixed it in my local copy.  The 802.1AR spec is behind a paywall, but it says this about the serial number:

  An IDevID certificate subject field be non-null and should
  include a unique device serial number encoded as the
  serialNumber attribute (RFC 5280 X520SerialNumber).

From RFC 5280:

   X520SerialNumber ::=    PrintableString (SIZE (1..ub-serial-number))

   ub-serial-number INTEGER ::= 64

   The character string type PrintableString supports a very basic Latin
   character set: the lowercase letters 'a' through 'z', uppercase
   letters 'A' through 'Z', the digits '0' through '9', eleven special
   characters ' = ( ) + , - . / : ? and space.

Any comments/concerns about this?


PS: I'll defer publishing the update until sure nothing more is coming.

PPS: Looking at Datatracker, all items are cleared and the summary now says "Has enough positions to pass".  Out of curiosity, how does the document progress to the next state - is it the Responsible AD pushing a button of some sort?

Kent
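As an added illustration of the question raised above (not code from the draft or from this message): a small Python check of whether an X520SerialNumber value, drawn from the PrintableString alphabet quoted from RFC 5280, can be used verbatim as a single DNS label under the RFC 1035 letters-digits-hyphen rule. The serial numbers it is run on are constructed samples.

```python
import re
import string

# X.520 PrintableString alphabet as quoted from RFC 5280: letters, digits,
# the eleven specials ' = ( ) + , - . / : ? and space.
PRINTABLE_STRING_CHARS = set(string.ascii_letters + string.digits + "'=()+,-./:? ")
UB_SERIAL_NUMBER = 64  # RFC 5280: X520SerialNumber is SIZE (1..64)

# RFC 1035 "preferred name syntax" for one label: letters, digits and
# hyphens, no leading or trailing hyphen, at most 63 octets.
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
DNS_LABEL_MAX = 63


def is_printable_string_serial(value: str) -> bool:
    """True if value is a syntactically legal X520SerialNumber."""
    return 1 <= len(value) <= UB_SERIAL_NUMBER and all(
        c in PRINTABLE_STRING_CHARS for c in value
    )


def check_serial_as_dns_label(value: str) -> dict:
    """Report whether a serial number is a legal X520SerialNumber and whether
    it is usable unchanged as a DNS label, listing the characters that are
    legal in PrintableString but not in a label, and flagging the length
    mismatch (PrintableString allows 64 characters, a label only 63)."""
    bad_chars = sorted({c for c in value if not (c.isalnum() or c == "-")})
    return {
        "x520_ok": is_printable_string_serial(value),
        "dns_label_ok": bool(DNS_LABEL_RE.match(value)),
        "bad_chars": bad_chars,
        "too_long": len(value) > DNS_LABEL_MAX,
    }


if __name__ == "__main__":
    # Constructed sample serial numbers, not real device identifiers.
    for serial in ["SN-123456", "SN 1/2", "-ABC", "A" * 64, "SN_1"]:
        print(repr(serial), check_serial_as_dns_label(serial))
```

The point the check makes concrete: every character in the quoted PrintableString set except letters, digits and hyphen falls outside the DNS label alphabet, so a serial number that is valid under 802.1AR/RFC 5280 is not guaranteed to be usable as a label without a defined mapping.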