Draft kwatsen netconf zerotouch 00
This presentation is the property of its rightful owner.
Sponsored Links
1 / 13

draft-kwatsen-netconf-zerotouch-00 PowerPoint PPT Presentation


  • 110 Views
  • Uploaded on
  • Presentation posted in: General

draft-kwatsen-netconf-zerotouch-00. Zero Touch Provisioning for NETCONF Call Home. Introduction.

Download Presentation

draft-kwatsen-netconf-zerotouch-00

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Draft kwatsen netconf zerotouch 00

draft-kwatsen-netconf-zerotouch-00

Zero Touch Provisioning for NETCONF Call Home


Introduction

Introduction

Zero Touch is a strategy for how to establish a secure network management relationship between a newly delivered network element, configured with just its factory default settings, and the new owner's NMS.


Goals

Goals

Security

  • MUSTimplementvs MUST use(RFC 3365)

    Flexibility

  • Works on SP networks, even if behind a firewall

    Ease of Use

  • Play-n-play for Installer (“zero” means zero!)

    Device Cost

  • Mild (COGS + development effort)


Proposal illustrated in following slides

Proposal illustrated in following slides


Device state precondition

Device State Precondition

+--------------------------------+

| <device> |

| |

| +----------------------+ |

| | <crypto processor> | |

| | | |

| | device private key | |

| | device certificate | |

| +----------------------+ |

| |

| FQDN of vendor's DNS server |

+--------------------------------+

Serial Number

Signed by certificate with chain of trust to Vendor’s well-known CA


Vendor s dns server state

Vendor's DNS Server State

+-------------------------------------------------+

| <vendor's DNS server> |

| |

| <sha1-of-device-public-key>.<vendor-zone> |

| - FQDN of NMS to connect to |

| - flag indicating if SSH or TLS |

| - username NMS will login using |

| - NMS's auth credentials |

| |

+-------------------------------------------------+

  • State initialized through a vendor-hosted interface


Zerotouch sequence diagram

ZeroTouch Sequence Diagram

DEVICE LOCAL DHCP LOCAL DNS VENDOR'S DNS NMS

| SERVER SERVER SERVER (DNSSEC) |

| | | | |

|------------>| | | |

| Lease IP | | | |

| | | | |

|------------------------------->| | |

| Lookup vendor's DNS server | | |

| | | | |

|---------------------------------------------->| |

| Lookup <sha1-of-device-pub-key>.<vendor-zone> | |

| | | | |

|------------------------------->| | |

| Lookup NMS IP address | | |

| | | | |

|------------------------------------------------------------->|

| Reverse SSH or Reverse TLS | | |

| | | | |


Nms state precondition

NMS State Precondition

+----------------------------------------+

| <NMS> |

| |

| vendor's trusted CA certificate |

| serial numbers for expected devices |

| username to log into devices with |

| auth credentials to log into devices |

| |

+----------------------------------------+

  • NMS needs CA cert and serial-numbers from Vendor


Supporting private networks

Supporting Private Networks

  • Potential alternatives to source information:

    • Impersonate vendor’s DNS server

    • DHCP (susceptible to a MITM attack?)

    • USB flash drive

    • Near-field wireless

  • Or just to avoid doing a lookup in the vendor’s DNS server?


Security considerations

Security Considerations

  • Long-lived certificates

  • Vendor may reveal NMS locations

  • Serial Number in certificate


Iana considerations

IANA Considerations

  • None


Open issues

Open Issues

  • DNSSEC doesn't currently allow client certificates

  • Should DNS record provide SSH-specific information?

  • Standardize REST API used to set DNS record info?

    Not in -00 draft:

  • Use something besides DNS? (e.g. HTTPS)


Draft kwatsen netconf zerotouch 00

Questions / Concerns ?


  • Login