draft kwatsen netconf zerotouch 00
Download
Skip this Video
Download Presentation
draft-kwatsen-netconf-zerotouch-00

Loading in 2 Seconds...

play fullscreen
1 / 13

draft-kwatsen-netconf-zerotouch-00 - PowerPoint PPT Presentation


  • 155 Views
  • Uploaded on

draft-kwatsen-netconf-zerotouch-00. Zero Touch Provisioning for NETCONF Call Home. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' draft-kwatsen-netconf-zerotouch-00' - myra


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
draft kwatsen netconf zerotouch 00

draft-kwatsen-netconf-zerotouch-00

Zero Touch Provisioning for NETCONF Call Home

introduction
Introduction

Zero Touch is a strategy for how to establish a secure network management relationship between a newly delivered network element, configured with just its factory default settings, and the new owner\'s NMS.

goals
Goals

Security

  • MUSTimplementvs MUST use(RFC 3365)

Flexibility

  • Works on SP networks, even if behind a firewall

Ease of Use

  • Play-n-play for Installer (“zero” means zero!)

Device Cost

  • Mild (COGS + development effort)
device state precondition
Device State Precondition

+--------------------------------+

| <device> |

| |

| +----------------------+ |

| | <crypto processor> | |

| | | |

| | device private key | |

| | device certificate | |

| +----------------------+ |

| |

| FQDN of vendor\'s DNS server |

+--------------------------------+

Serial Number

Signed by certificate with chain of trust to Vendor’s well-known CA

vendor s dns server state
Vendor\'s DNS Server State

+-------------------------------------------------+

| <vendor\'s DNS server> |

| |

| <sha1-of-device-public-key>.<vendor-zone> |

| - FQDN of NMS to connect to |

| - flag indicating if SSH or TLS |

| - username NMS will login using |

| - NMS\'s auth credentials |

| |

+-------------------------------------------------+

  • State initialized through a vendor-hosted interface
zerotouch sequence diagram
ZeroTouch Sequence Diagram

DEVICE LOCAL DHCP LOCAL DNS VENDOR\'S DNS NMS

| SERVER SERVER SERVER (DNSSEC) |

| | | | |

|------------>| | | |

| Lease IP | | | |

| | | | |

|------------------------------->| | |

| Lookup vendor\'s DNS server | | |

| | | | |

|---------------------------------------------->| |

| Lookup <sha1-of-device-pub-key>.<vendor-zone> | |

| | | | |

|------------------------------->| | |

| Lookup NMS IP address | | |

| | | | |

|------------------------------------------------------------->|

| Reverse SSH or Reverse TLS | | |

| | | | |

nms state precondition
NMS State Precondition

+----------------------------------------+

| <NMS> |

| |

| vendor\'s trusted CA certificate |

| serial numbers for expected devices |

| username to log into devices with |

| auth credentials to log into devices |

| |

+----------------------------------------+

  • NMS needs CA cert and serial-numbers from Vendor
supporting private networks
Supporting Private Networks
  • Potential alternatives to source information:
    • Impersonate vendor’s DNS server
    • DHCP (susceptible to a MITM attack?)
    • USB flash drive
    • Near-field wireless
  • Or just to avoid doing a lookup in the vendor’s DNS server?
security considerations
Security Considerations
  • Long-lived certificates
  • Vendor may reveal NMS locations
  • Serial Number in certificate
open issues
Open Issues
  • DNSSEC doesn\'t currently allow client certificates
  • Should DNS record provide SSH-specific information?
  • Standardize REST API used to set DNS record info?

Not in -00 draft:

  • Use something besides DNS? (e.g. HTTPS)
ad