NETCONF Working Group K. Watsen
Internet-Draft Juniper Networks
Intended status: Standards Track M. Abrahamsson
Expires: April 21, 2018 T-Systems
I. Farrer
Deutsche Telekom AG
October 18, 2017
Zero Touch Provisioning for NETCONF or RESTCONF based Management
draft-ietf-netconf-zerotouch-19
Abstract
This draft presents a secure technique for establishing a NETCONF or
RESTCONF connection between a newly deployed device, configured with
just its preconfigured initial state (e.g., factory default
settings), and its deployment specific network management system
(NMS).
Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note
summarizes all of the substitutions that are needed. Please note
that no other RFC Editor instructions are specified anywhere else in
this document.
Artwork in the IANA Considerations section contains placeholder
values for DHCP options pending IANA assignment. Please apply the
following replacements:
o "OPTION_V4_ZEROTOUCH_REDIRECT" --> the option code assigned for
the "DHCPv4 Zero Touch Option" option
o "OPTION_V6_ZEROTOUCH_REDIRECT" --> the option code assigned for
the "DHCPv6 Zero Touch Option" option
Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for [I-D.ietf-netconf-keystore]
o "ZZZZ" --> the assigned RFC value for [I-D.ietf-anima-voucher]
Watsen, et al. Expires April 21, 2018 [Page 1]
Internet-Draft Zero Touch October 2017
Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement:
o "2017-10-19" --> the publication date of this draft
Please update the following references to reflect their final RFC
assignments:
o I-D.ietf-netconf-netconf-client-server
o I-D.ieft-anima-voucher
The following one Appendix section is to be removed prior to
publication:
o Appendix A. Change Log
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Watsen, et al. Expires April 21, 2018 [Page 2]
Internet-Draft Zero Touch October 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
1.3. Requirements Language . . . . . . . . . . . . . . . . . . 7
1.4. Tree Diagram Notation . . . . . . . . . . . . . . . . . . 7
2. Types of Bootstrapping Information . . . . . . . . . . . . . 8
2.1. Redirect Information . . . . . . . . . . . . . . . . . . 8
2.2. Onboarding Information . . . . . . . . . . . . . . . . . 9
3. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1. Zero Touch Information . . . . . . . . . . . . . . . . . 10
3.2. Owner Certificate . . . . . . . . . . . . . . . . . . . . 10
3.3. Ownership Voucher . . . . . . . . . . . . . . . . . . . . 11
3.4. Artifact Groupings . . . . . . . . . . . . . . . . . . . 12
4. Sources of Bootstrapping Data . . . . . . . . . . . . . . . . 12
4.1. Removable Storage . . . . . . . . . . . . . . . . . . . . 13
4.2. DNS Server . . . . . . . . . . . . . . . . . . . . . . . 14
4.3. DHCP Server . . . . . . . . . . . . . . . . . . . . . . . 15
4.4. Bootstrap Server . . . . . . . . . . . . . . . . . . . . 16
5. Device Details . . . . . . . . . . . . . . . . . . . . . . . 17
5.1. Initial State . . . . . . . . . . . . . . . . . . . . . . 17
5.2. Boot Sequence . . . . . . . . . . . . . . . . . . . . . . 18
5.3. Processing a Source of Bootstrapping Data . . . . . . . . 19
5.4. Validating Signed Data . . . . . . . . . . . . . . . . . 21
5.5. Processing Redirect Information . . . . . . . . . . . . . 22
5.6. Processing Onboarding Information . . . . . . . . . . . . 22
6. The Zero Touch Information Data Model . . . . . . . . . . . . 24
6.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 24
6.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 24
6.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 28
7. The Zero Touch Bootstrap Server API . . . . . . . . . . . . . 34
7.1. API Overview . . . . . . . . . . . . . . . . . . . . . . 34
7.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 34
7.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 37
8. The Zero Touch Device Data Model . . . . . . . . . . . . . . 47
8.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 47
8.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 47
8.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 48
9. DHCP Zero Touch Options . . . . . . . . . . . . . . . . . . . 52
9.1. DHCPv4 Zero Touch Option . . . . . . . . . . . . . . . . 52
9.2. DHCPv6 Zero Touch Option . . . . . . . . . . . . . . . . 53
9.3. Common Field Encoding . . . . . . . . . . . . . . . . . . 55
10. Security Considerations . . . . . . . . . . . . . . . . . . . 55
10.1. Immutable storage for trust anchors . . . . . . . . . . 55
10.2. Clock Sensitivity . . . . . . . . . . . . . . . . . . . 56
10.3. Blindly authenticating a bootstrap server . . . . . . . 56
10.4. Entropy loss over time . . . . . . . . . . . . . . . . . 56
Watsen, et al. Expires April 21, 2018 [Page 3]
Internet-Draft Zero Touch October 2017
10.5. Disclosing Information to Untrusted Servers . . . . . . 56
10.6. Sequencing Sources of Bootstrapping Data . . . . . . . . 57
10.7. The "ietf-zerotouch-information" YANG Module . . . . . . 57
10.8. The "ietf-zerotouch-bootstrap-server" YANG Module . . . 58
10.9. The "ietf-zerotouch-device" YANG Module . . . . . . . . 58
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
11.1. The BOOTP Manufacturer Extensions and DHCP Options
Registry . . . . . . . . . . . . . . . . . . . . . . . . 59
11.2. The IETF XML Registry . . . . . . . . . . . . . . . . . 59
11.3. The YANG Module Names Registry . . . . . . . . . . . . . 60
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 60
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 61
13.1. Normative References . . . . . . . . . . . . . . . . . . 61
13.2. Informative References . . . . . . . . . . . . . . . . . 63
Appendix A. Workflow Overview . . . . . . . . . . . . . . . . . 65
A.1. Enrollment and Ordering Devices . . . . . . . . . . . . . 65
A.2. Owner Stages the Network for Bootstrap . . . . . . . . . 67
A.3. Device Powers On . . . . . . . . . . . . . . . . . . . . 70
Appendix B. Promoting a Connection from Untrusted to Trusted . . 72
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 73
C.1. ID to 00 . . . . . . . . . . . . . . . . . . . . . . . . 73
C.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 74
C.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 74
C.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 74
C.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 74
C.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 75
C.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 75
C.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 75
C.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 75
C.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 76
C.11. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 76
C.12. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 76
C.13. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 77
C.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 77
C.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 77
C.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 78
C.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 78
C.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 79
C.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 79
C.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 79
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 79
1. Introduction
A fundamental business requirement for any network operator is to
reduce costs where possible. For network operators, deploying
devices to many locations can be a significant cost, as sending
Watsen, et al. Expires April 21, 2018 [Page 4]
Internet-Draft Zero Touch October 2017
trained specialists to each site for installations is both cost
prohibitive and does not scale.
This document defines a bootstrapping strategy enabling devices to
securely obtain bootstrapping data with no installer action beyond
physical placement and connecting network and power cables. The
ultimate goal of this document is to enable a secure NETCONF
[RFC6241] or RESTCONF [RFC8040] connection to a deployment specific
network management system (NMS).
This document primarily regards physical devices, where the setting
of the device's initial state, described in Section 5.1, occurs
during the device's manufacturing process. However, the zerotouch
solution may be extensible to virtual machines or other such logical
constructs. Details for how this can be accomplished is left for
future work.
1.1. Use Cases
o Device connecting to a remotely administered network
This use-case involves scenarios, such as a remote branch
office or convenience store, whereby a device connects as an
access gateway to an ISP's network. Assuming it is not
possible to customize the ISP's network to provide any
bootstrapping support, and with no other nearby device to
leverage, the device has no recourse but to reach out to an
Internet-based bootstrap server to bootstrap from.
o Device connecting to a locally administered network
This use-case covers all other scenarios and differs only in
that the device may additionally leverage nearby devices, which
may direct it to use a local service to bootstrap from. If no
such information is available, or the device is unable to use
the information provided, it can then reach out to the network
just as it would for the remotely administered network use-
case.
Conceptual workflows for how zerotouch might be deployed are provided
in Appendix A.
1.2. Terminology
This document uses the following terms (sorted by name):
Artifact: The term "artifact" is used throughout to represent any of
the three artifacts defined in Section 3 (zero touch information,
Watsen, et al. Expires April 21, 2018 [Page 5]
Internet-Draft Zero Touch October 2017
ownership voucher, and owner certificate). These artifacts
collectively provide all the bootstrapping data a device may use.
Bootstrapping Data: The term "bootstrapping data" is used throughout
this document to refer to the collection of data that a device
may obtain during the bootstrapping process. Specifically, it
refers to the three artifacts zero touch information, owner
certificate, and ownership voucher, as described in Section 3.
Bootstrap Server: The term "bootstrap server" is used within this
document to mean any RESTCONF server implementing the YANG module
defined in Section 7.3.
Device: The term "device" is used throughout this document to refer
to the network element that needs to be bootstrapped. See
Section 5 for more information about devices.
Initial Secure Device Identifier (IDevID): The term "IDevID" is
defined in [Std-802.1AR-2009] as the globally unique secure
device identifier (DevID) installed on the device by the
manufacturer. This identifier is used in this document to enable
a bootstrap server to securely identify and authenticate the
device.
Manufacturer: The term "manufacturer" is used herein to refer to the
manufacturer of a device or a delegate of the manufacturer.
Network Management System (NMS): The acronym "NMS" is used
throughout this document to refer to the deployment specific
management system that the bootstrapping process is responsible
for introducing devices to. From a device's perspective, when
the bootstrapping process has completed, the NMS is a NETCONF or
RESTCONF client.
Onboarding Information: The term "onboarding information" is used
herein to refer to one of the two types of "zero touch
information" defined in this document, the other being "redirect
information". Onboarding information is formally defined by the
"onboarding-information" YANG-data structure in Section 6.3.
Owner: The term "owner" is used throughout this document to refer to
the person or organization that purchased or otherwise owns a
device.
Owner Certificate: The term "owner certificate" is used in this
document to represent an X.509 certificate that binds an owner
identity to a public key, which a device can use to validate a
signature over the zero touch information artifacts. The owner
Watsen, et al. Expires April 21, 2018 [Page 6]
Internet-Draft Zero Touch October 2017
certificate is one of the three bootstrapping artifacts described
in Section 3.
Ownership Voucher: The term "ownership voucher" is used in this
document to represent the voucher artifact defined in
[I-D.ietf-anima-voucher]. The ownership voucher is used to
assign a device to an owner. The ownership voucher is one of the
three bootstrapping artifacts described in Section 3.
Redirect Information: The term "redirect information" is used herein
to refer to one of the two types of "zero touch information"
defined in this document, the other being "onboarding
information". Redirect information is formally defined by the
"redirect-information" YANG-data structure in Section 6.3.
Redirect Server: The term "redirect server" is used to refer to a
bootstrap server that only returns redirect information. A
redirect server is particularly useful when hosted by a
manufacturer, as a well-known (e.g., Internet-based) resource to
redirect devices to deployment-specific bootstrap servers.
Signed Data: The term "signed data" is used throughout to mean
either redirect information or onboarding information that has
been signed, specifically by a private key possessed by a
device's owner.
Unsigned Data: The term "unsigned data" is used throughout to mean
either redirect information or onboarding information that has
not been signed.
Zero Touch Information: The term "zero touch information" is used
generally herein to refer either redirect information or
onboarding information. Zero touch information is one of the
three bootstrapping artifacts described in Section 3.
1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.4. Tree Diagram Notation
A simplified graphical representation of the data models is used in
this document. The meaning of the symbols in these diagrams is as
follows:
Watsen, et al. Expires April 21, 2018 [Page 7]
Internet-Draft Zero Touch October 2017
o Brackets "[" and "]" enclose list keys.
o Braces "{" and "}" enclose feature names, and indicate that the
named feature must be present for the subtree to be present.
o Abbreviations before data node names: "rw" (read-write) represents
configuration data and "ro" (read-only) represents state data.
o Symbols after data node names: "?" means an optional node, "!"
means a presence container, and "*" denotes a list and leaf-list.
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
2. Types of Bootstrapping Information
This document defines two types of information that devices access
during the bootstrapping process. These information types are
described in this section. Examples are provided in Section 6.2
2.1. Redirect Information
Redirect information redirects a device to another bootstrap server.
Redirect information encodes a list of bootstrap servers, each
defined by its hostname or IP address, an optional port, and an
optional trust anchor certificate.
Redirect information is YANG modeled data formally defined by the
"redirect-information" container in the YANG module presented in
Section 6.3. This container has the tree diagram shown below.
Please see Section 1.4 for tree diagram notation.
+--:(redirect-information)
+--ro redirect-information
+--ro bootstrap-server* [address]
+--ro address inet:host
+--ro port? inet:port-number
+--ro trust-anchor? binary
Redirect information MAY be trusted or untrusted. The redirect
information is trusted whenever it is obtained via a secure
connection to a trusted bootstrap server, or whenever it is signed by
the device's owner. In all other cases, the redirect information is
untrusted.
Watsen, et al. Expires April 21, 2018 [Page 8]
Internet-Draft Zero Touch October 2017
Trusted redirect information is useful for enabling a device to
establish a secure connection to a bootstrap server, which is
possible when the redirect information includes the bootstrap
server's trust anchor certificate. When a device is able to
establish a secure connection to a bootstrap server, any data
obtained is implicitly trusted, and thus does not need to be signed.
Untrusted redirect information is useful for directing a device to a
bootstrap server where signed data has been staged for it to obtain.
When the redirect information is untrusted, the device MUST discard
any potentially included trust anchor certificates and SHOULD
establish a provisional connection (by blindly accepting the TLS
certificate) to any of the specified bootstrap servers. In this
case, the device MUST NOT trust the bootstrap server, and data
provided by the bootstrap server MUST be signed for it to be of any
use to the device.
How devices process redirect information is formally described in
Section 5.5.
2.2. Onboarding Information
Onboarding information provides all the data necessary for a device
to bootstrap itself, in order to be considered ready to be managed
(e.g., by an NMS). As defined in this document, this data includes
information about a boot image the device must be running, an initial
configuration the device must commit, and optional scripts that, if
specified, the device must successfully execute.
Onboarding information is YANG modeled data formally defined by the
"onboarding-information" container in the YANG module presented in
Section 6.3. This container has the tree diagram shown below.
Please see Section 1.4 for tree diagram notation.
+--:(onboarding-information)
+--ro onboarding-information
+--ro boot-image
| +--ro name string
| +--ro (hash-algorithm)
| | +--:(sha256)
| | +--ro sha256? string
| +--ro uri* inet:uri
+--ro configuration-handling enumeration
+--ro pre-configuration-script? script
+--ro configuration?
+--ro post-configuration-script? script
Watsen, et al. Expires April 21, 2018 [Page 9]
Internet-Draft Zero Touch October 2017
Onboarding information MUST be trusted for it to be of any use to a
device. There is no option for a device to process untrusted
onboarding information.
Onboarding information is trusted whenever it is obtained via a
secure connection to a trusted bootstrap server, or whenever it is
signed by the device's owner. In all other cases, the onboarding
information is untrusted.
How devices process onboarding information is formally described in
Section 5.6.
3. Artifacts
This document defines three artifacts that can be made available to
devices while they are bootstrapping. Each source of bootstrapping
information specifies a means for providing each of the artifacts
defined in this section (see Section 4).
3.1. Zero Touch Information
The zero touch information artifact encodes the essential
bootstrapping data for the device. This artifact is used to encode
the redirect information and onboarding information types discussed
in Section 2.
The zero touch information artifact is a PKCS#7 SignedData structure,
as specified by Section 9.1 of [RFC2315], encoded using ASN.1
distinguished encoding rules (DER), as specified in ITU-T X.690
[ITU.X690.1994]. The PKCS#7 structure MUST contain JSON-encoded
content conforming to the YANG module specified in Section 6.3.
In order for the zero touch information artifact to be trusted when
conveyed over an untrusted transport, the PKCS#7 structure MUST also
contain a "signerInfo" structure, as described in Section 9.1 of
[RFC2315], containing a signature generated over the content using
the private key associated with the owner certificate (Section 3.2).
In order to simplify the verification process, the PKCS#7 structure
SHOULD also contain the signing X.509 certificate (i.e. the owner
certificate).
3.2. Owner Certificate
The owner certificate artifact is an X.509 certificate [RFC5280] that
is used to identify an "owner" (e.g., an organization). The owner
certificate can be signed by any certificate authority (CA). The
owner certificate MUST either have no Key Usage specified, or the Key
Usage MUST at least set the "digitalSignature" bit. The values for
Watsen, et al. Expires April 21, 2018 [Page 10]
Internet-Draft Zero Touch October 2017
the owner certificate's "subject" and/or "subjectAltName" are not
constrained by this document.
The owner certificate is used by a device to verify the signature
over the zero touch information artifact (Section 3.1) that the
device should have also received, as described in Section 3.4. In
particular, the device verifies the signature using the public key in
the owner certificate over the content contained within the zero
touch information artifact.
The owner certificate artifact is formally an unsigned PKCS #7
SignedData structure, as specified by Section 9.1 in [RFC2315],
encoded using ASN.1 distinguished encoding rules (DER), as specified
in ITU-T X.690 [ITU.X690.1994].
The owner certificate PKCS#7 structure MUST contain the owner
certificate itself, as well as all intermediate certificates leading
up to the 'pinned-domain-cert' certificate specified in the ownership
voucher. The owner certificate artifact MAY optionally include the
'pinned-domain-cert' as well.
Additionally, in order to support devices deployed on private
networks, the owner certificate PKCS#7 structure MAY also contain
suitably fresh CRLs [RFC5280] and/or OCSP Responses [RFC6960].
Having these revocation objects stapled to the owner certificate
precludes the need for the device to have to download them
dynamically using the CRL distribution point or an OCSP responder
specified in the associated certificates.
3.3. Ownership Voucher
The ownership voucher artifact is used to securely identify a
device's owner, as it is known to the manufacturer. The ownership
voucher is signed by the device's manufacturer.
The ownership voucher is used to verify the owner certificate
(Section 3.2) that the device should have also received, as described
in Section 3.4. In particular, the device verifies that the owner
certificate has a chain of trust leading to the trusted certificate
included in the ownership voucher ('pinned-domain-cert'), even if it
is itself (e.g., self-signed certificate).
The ownership voucher artifact, including its encoding, is formally
defined in [I-D.ietf-anima-voucher].
Watsen, et al. Expires April 21, 2018 [Page 11]
Internet-Draft Zero Touch October 2017
3.4. Artifact Groupings
This section lists all the possible bootstrapping artifacts, but only
certain groupings of these artifacts make sense to return in the
various bootstrapping situations described in this document. These
groupings are:
Unsigned Information: This grouping is useful for cases when
transport level security can be used to convey trust (e.g.,
HTTPS), or when the information can be processed in a
provisional manner (i.e. unsigned redirect information).
Signed Information, without revocations: The grouping is useful
when signed information is needed, because it's obtained from
an untrusted source, and it cannot be processed provisionally,
and yet either revocations are not needed or they can be
obtained dynamically.
Signed Information, with revocations: The grouping is useful when
signed information is needed, because it's obtained from an
untrusted source, and it cannot be processed provisionally, and
revocations are needed and cannot be obtained dynamically.
The artifacts associated with these groupings are described below:
Zero Touch Ownership Owner
Grouping Information Voucher Certificate
-------------------- ------------- ------------ -----------
Unsigned Information Yes, no sig No No
Signed Information, Yes, with sig Yes, without Yes, without
without revocations revocations revocations
Signed Information, Yes, with sig Yes, with Yes, with
with revocations revocations revocations
4. Sources of Bootstrapping Data
This section defines some sources for bootstrapping data that a
device can access. The list of sources defined here is not meant to
be exhaustive. It is left to future documents to define additional
sources for obtaining bootstrapping data.
For each source of bootstrapping data defined in this section,
details are given for how the three artifacts listed in Section 3 are
provided.
Watsen, et al. Expires April 21, 2018 [Page 12]
Internet-Draft Zero Touch October 2017
4.1. Removable Storage
A directly attached removable storage device (e.g., a USB flash
drive) MAY be used as a source of zero touch bootstrapping data.
Use of a removable storage device is compelling, as it doesn't
require any external infrastructure to work. It is notable that the
raw boot image file can also be located on the removable storage
device, enabling a removable storage device to be a fully self-
standing bootstrapping solution.
To use a removable storage device as a source of bootstrapping data,
a device need only detect if the removable storage device is plugged
in and mount its filesystem.
A removable storage device is an untrusted source of bootstrapping
data. This means that the information stored on the removable
storage device MUST either be signed, or be information that can be
processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a removable storage device
presents itself as a filesystem, the bootstrapping artifacts need to
be presented as files. The three artifacts defined in Section 3 are
mapped to files below.
Artifact to File Mapping:
Zero Touch Information: Mapped to a file containing the binary
artifact described in Section 3.1 (e.g., zerotouch-
information.pk7).
Owner Certificate: Mapped to a file containing the binary
artifact described in Section 3.2 (e.g., owner-
certificate.pk7).
Ownership Voucher: Mapped to a file containing the binary
artifact described in Section 3.3 (e.g., ownership-
voucher.pk7).
The format of the removable storage device's filesystem and the
naming of the files are outside the scope of this document. However,
in order to facilitate interoperability, it is RECOMMENDED devices
support open and/or standards based filesystems. It is also
RECOMMENDED that devices assume a file naming convention that enables
more than one instance of bootstrapping data to exist on a removable
storage device. The file naming convention SHOULD be unique to the
manufacturer, in order to enable bootstrapping data from multiple
manufacturers to exist on a removable storage device.
Watsen, et al. Expires April 21, 2018 [Page 13]
Internet-Draft Zero Touch October 2017
4.2. DNS Server
A DNS server MAY be used as a source of zero touch bootstrapping
data.
Using a DNS server may be a compelling option for deployments having
existing DNS infrastructure, as it enables a touchless bootstrapping
option that does not entail utilizing an Internet based resource
hosted by a 3rd-party.
To use a DNS server as a source of bootstrapping data, a device MAY
perform a multicast DNS [RFC6762] query searching for the service
"_zerotouch._tcp.local.". Alternatively the device MAY perform DNS-
SD [RFC6763] via normal DNS operation, using the domain returned to
it from the DHCP server; for example, searching for the service
"_zerotouch._tcp.example.com".
Unsigned DNS records (e.g., not using DNSSEC as described in
[RFC6698]) are an untrusted source of bootstrapping data. This means
that the information stored in the DNS records either MUST be signed,
or MUST be information that can be processed provisionally (e.g.,
unsigned redirect information).
From an artifact perspective, since a DNS server presents resource
records (Section 3.2.1 of [RFC1035]), the bootstrapping artifacts
need to be presented as resource records. The three artifacts
defined in Section 3 are mapped to resource records below.
Artifact to Resource Record Mapping:
Zero Touch Information: Mapped to a TXT record called "zt-info"
containing the base64-encoding of the binary artifact described
in Section 3.1.
Owner Certificate: Mapped to a TXT record called "zt-cert"
containing the base64-encoding of the binary artifact described
in Section 3.2.
Ownership Voucher: Mapped to a TXT record called "zt-voucher"
containing the base64-encoding of the binary artifact described
in Section 3.3.
TXT records have an upper size limit of 65535 bytes (Section 3.2.1 in
RFC1035), since "RDLENGTH" is a 16-bit field. Please see
Section 3.1.3 in RFC4408 for how a TXT record can achieve this size.
Due to this size limitation, some zero touch information artifacts
may not fit. In particular, onboarding information could hit this
Watsen, et al. Expires April 21, 2018 [Page 14]
Internet-Draft Zero Touch October 2017
upper bound, depending on the size of the included configuration and
scripts.
When onboarding information (not redirect information) is provided,
the URL for the boot-image the device can download would have to
point to another server (e.g., http://, ftp://, etc.), as DNS servers
do not themselves distribute files.
4.3. DHCP Server
A DHCP server MAY be used as a source of zero touch bootstrapping
data.
Using a DHCP server may be a compelling option for deployments having
existing DHCP infrastructure, as it enables a touchless bootstrapping
option that does not entail utilizing an Internet based resource
hosted by a 3rd-party.
A DHCP server is an untrusted source of bootstrapping data. Thus the
information stored on the DHCP server either MUST be signed, or it
MUST be information that can be processed provisionally (e.g.,
unsigned redirect information).
However, unlike other sources of bootstrapping data described in this
document, the DHCP protocol (especially DHCP for IPv4) is limited in
the amount of data that can be conveyed, to the extent that signed
data cannot be communicated. Thus only unsigned redirect information
can be conveyed.
Since the redirect information is unsigned, it SHOULD NOT include the
optional trust anchor certificate, as the device would have to
discard it anyway. The DHCP options defined in Section 9 do not
enable the certificate to be communicated.
From an artifact perspective, the three artifacts defined in
Section 3 are mapped to the DHCP fields specified in Section 9 as
follows:
Zero Touch Information: This artifact is not supported directly.
Instead, the essence of redirect information (not onboarding
information) is mapped to the DHCP fields described in
Section 9.
Owner Certificate: Not supported. There is not enough space in
the DHCP packet to hold an owner certificate artifact.
Ownership Voucher: Not supported. There is not enough space in
the DHCP packet to hold an ownership voucher artifact.
Watsen, et al. Expires April 21, 2018 [Page 15]
Internet-Draft Zero Touch October 2017
4.4. Bootstrap Server
A bootstrap server MAY be used as a source of zero touch
bootstrapping data. A bootstrap server is defined as a RESTCONF
[RFC8040] server implementing the YANG module provided in Section 7.
Using a bootstrap server as a source of bootstrapping data is a
compelling option as it MAY use transport-level security, in lieu of
signed data, which may be easier to deploy in some situations.
Additionally, the bootstrap server is able to receive progress
updates from devices, which may be critical to some deployments
(e.g., the passing of the device's SSH host keys).
A bootstrap server may be a trusted or an untrusted source of
bootstrapping data, depending on if the device learned about the
bootstrap server's trust anchor from a trusted source. When a
bootstrap server is trusted, the information returned from it MAY be
signed. However, when the server is untrusted, in order for its
information to be of any use to the device, the bootstrap information
MUST either be signed or be information that can be processed
provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a bootstrap server presents data
as a YANG-modeled data, the bootstrapping artifacts need to be mapped
to the YANG module. The three artifacts defined in Section 3 are
mapped to 'output' node of the 'get-bootstrapping-data' RPC defined
in Section 7.3 below.
Artifact to Bootstrap Server Mapping:
Zero Touch Information: Mapped to the 'zerotouch-information'
leaf in the output of the 'get-bootstrapping-data' RPC.
Owner Certificate: Mapped to the 'owner-certificate' leaf in the
output of the 'get-bootstrapping-data' RPC.
Ownership Voucher: Mapped to the 'ownership-voucher' leaf in the
output of the 'get-bootstrapping-data' RPC.
Unlike any other source of bootstrapping data described in this
document, a bootstrap server is not only a source of data, but it can
also receive data from devices using the YANG-defined 'report-
progress' RPC defined in the YANG module (Section 7.3). The 'report-
progress' RPC enables visibility into the bootstrapping process
(e.g., warnings and errors), and provides potentially useful
completion status information (e.g., the device's SSH host-keys).
Watsen, et al. Expires April 21, 2018 [Page 16]
Internet-Draft Zero Touch October 2017
While RESTCONF servers typically support a nested hierarchy of
resources, zero touch bootstrap servers only have the two RPCs 'get-
bootstrapping-data' and 'report-progress'. These RPCs use the
authenticated RESTCONF username to isolate the execution of the RPC
from other devices.
5. Device Details
Devices supporting the bootstrapping strategy described in this
document MUST have the preconfigured state and bootstrapping logic
described in the following sections.
5.1. Initial State
+-------------------------------------------------------------+
| <device> |
| |
| +---------------------------------------------------------+ |
| | <read/write storage> | |
| | | |
| | 1. flag to enable zerotouch bootstrapping set to "true" | |
| +---------------------------------------------------------+ |
| |
| +---------------------------------------------------------+ |
| | <read-only storage> | |
| | | |
| | 2. IDevID cert & associated intermediate certificate(s) | |
| | 3. list of trusted well-known bootstrap servers | |
| | 4. list of trust anchor certs for bootstrap servers | |
| | 5. trust anchor cert for verifying ownership vouchers | |
| +---------------------------------------------------------+ |
| |
| +----------------------+ |
| | <secure storage> | |
| | | |
| | 6. private key | |
| +----------------------+ |
| |
+-------------------------------------------------------------+
Each numbered item below corresponds to a numbered item in the
diagram above.
1. Devices MUST have a configurable variable that is used to enable/
disable the zerotouch bootstrapping. This variable MUST be
enabled by default in order for zerotouch bootstrapping to run
when the device first powers on. Because it is a goal that the
configuration installed by the bootstrapping process is able to
Watsen, et al. Expires April 21, 2018 [Page 17]
Internet-Draft Zero Touch October 2017
disable zerotouch bootstrapping, and because said configuration
may be merged into the existing configuration, using a
configuration node that relies on presence is NOT RECOMMENDED, as
it cannot be removed by the merging process.
2. Devices that support loading bootstrapping data from bootstrap
servers (see Section 4.4), whether preconfigured or learned
through the bootstrapping process, MUST possess an initial device
identifier (IDevID), as defined in [Std-802.1AR-2009]. The
IDevID is an X.509 certificate encoding, amongst other things,
the device's serial number and hardware manufacturer. The device
MUST also possess any intermediate certificates between the
IDevID certificate and the manufacturer's IDevID trust anchor
certificate provided to prospective owners separately (e.g.,
Appendix A.1).
3. Devices that support loading bootstrapping data from well-known
bootstrap servers MUST possess a list of the well-known bootstrap
servers. Consistent with redirect information (Section 2.1, each
bootstrap server MAY be identified by its hostname or IP address,
and an optional port.
4. Devices that support loading bootstrapping data from well-known
bootstrap servers MUST also possess a list of trust anchor
certificates that can be used to secure the TLS connection to the
well-known bootstrap servers.
5. Devices that support loading signed data (see Section 1.2) MUST
possess the manufacturer's trust anchor certificate for
validating ownership vouchers.
6. Devices MUST possess a private key that corresponds to the public
key encoded in the device's IDevID certificate. This private key
SHOULD be securely stored, ideally in a cryptographic processor
(e.g., a TPM).
A YANG module representing this data is provided in Section 8.
5.2. Boot Sequence
A device claiming to support the bootstrapping strategy defined in
this document MUST support the boot sequence described in this
section.
Watsen, et al. Expires April 21, 2018 [Page 18]
Internet-Draft Zero Touch October 2017
Power On
|
v No
1. Zerotouch bootstrapping configured ------> Boot normally
|
| Yes
v
2. For each supported source of bootstrapping data,
try to load bootstrapping data from the source
|
|
v Yes
3. Able to bootstrap from any source? -----> Run with new config
|
| No
v
4. Loop and/or wait for manual provisioning.
Each numbered item below corresponds to a numbered item in the
diagram above.
1. When the device powers on, it first checks to see if zerotouch
bootstrapping is configured, as is expected to be the case for
the device's preconfigured state. If zerotouch bootstrapping is
not configured, then the device boots normally.
2. The device iterates over its list of sources for bootstrapping
data (Section 4). Details for how to processes a source of
bootstrapping data are provided in Section 5.3.
3. If the device is able to bootstrap itself from any of the sources
of bootstrapping data, it runs with the new bootstrapped
configuration.
4. Otherwise the device MAY loop back through the list of
bootstrapping sources again and/or wait for manual provisioning.
5.3. Processing a Source of Bootstrapping Data
This section describes a recursive algorithm that devices can use to,
ultimately, obtain onboarding information. The algorithm is
recursive because sources of bootstrapping data may return redirect
information, which causes the algorithm to run again, for the newly
discovered sources of bootstrapping information. An expression that
captures all possible successful sequences of bootstrapping
information is zero or more redirect information responses, followed
by one onboarding information response.
Watsen, et al. Expires April 21, 2018 [Page 19]
Internet-Draft Zero Touch October 2017
An important aspect of the algorithm is knowing when data needs to be
signed or not. The following figure provides a summary of options:
Untrusted Source Trusted Source
Kind of Bootstrapping Data Can Provide? Can Provide?
Unsigned Redirect Info : Yes+ Yes
Signed Redirect Info : Yes Yes*
Unsigned Onboarding Info : No Yes
Signed Onboarding Info : Yes Yes*
The '+' above denotes that the source redirected to MUST
return signed data, or more unsigned redirect information.
The '*' above denotes that, while possible, it is generally
unnecessary for a trusted source to return signed data.
The recursive algorithm uses a conceptual global-scoped variable
called "trust-state". The trust-state variable is initialized to
FALSE. The ultimate goal of this algorithm is for the device to
process onboarding information (Section 2.2) while the trust-state
variable is TRUE.
If the source of bootstrapping data (Section 4) is a bootstrap server
(Section 4.4), and the device is able to authenticate the bootstrap
server using X.509 certificate path validation ([RFC6125], Section 6)
to one of the device's preconfigured trust anchors, or to a trust
anchor that it learned from a previous step, then the device MUST set
trust-state to TRUE.
For any source of bootstrapping data (e.g., Section 4), if the
bootstrapping data returned is signed and the device is able to
validate the signed data using the algorithm described in
Section 5.4, then the device MUST set trust-state to TRUE, else the
device MUST set trust-state to FALSE. Note, this is worded to cover
the special case when signed data is returned even from a trusted
bootstrap server.
If the bootstrapping data is onboarding information, and trust-state
is FALSE, the device MUST exit the recursive algorithm (as this is
not allowed, see the figure above), returning to the state machine
described in Section 5.2. Otherwise, the device MUST attempt to
process the onboarding information as described in Section 5.6. In
either case, success or failure, the device MUST exit the recursive
algorithm, returning to the state machine described in Section 5.2,
the only difference being in how it responds to the "Able to
bootstrap from any source?" conditional described in the figure in
the section.
Watsen, et al. Expires April 21, 2018 [Page 20]
Internet-Draft Zero Touch October 2017
If the bootstrapping data is redirect information, the device MUST
process the redirect information as described in Section 5.5. This
is the recursion step, it will cause the device to reenter this
algorithm, but this time the data source will definitely be a
bootstrap server, as that is all redirect information is able to
redirect a device to.
5.4. Validating Signed Data
Whenever a device is presented signed data, it MUST validate the
signed data as described in this section. This includes the case
where the signed data is provided by a trusted source.
Whenever there is signed data, the device MUST also be provided an
ownership voucher and an owner certificate. How all the needed
artifacts are provided for each source of bootstrapping data is
defined in Section 4.
The device MUST first authenticate the ownership voucher by
validating its signature to one of its preconfigured trust anchors
(see Section 5.1), which may entail using additional intermediate
certificates attached to the ownership voucher. If the device has an
accurate clock, it MUST ensure that the ownership voucher was created
in the past (i.e., 'created-on' < now). If the 'expires-on' leaf is
present, the device MUST verify that the ownership voucher has not
yet expired (i.e., now < 'expires-on'), which requires an accurate
clock. The device MUST verify that the ownership voucher's
'assertion' value is acceptable (e.g., some devices may only accept
the assertion value 'verified'). The device MUST verify that the
ownership voucher specifies the device's serial number in the
'serial-number' leaf. If the 'idevid-issuer' leaf is present, the
device MUST verify that the value is set correctly. If the
authentication of the ownership voucher is successful, the device
extracts the 'pinned-domain-certificate' node, an X.509 certificate,
that is needed to verify the owner certificate in the next step.
The device MUST next authenticate the owner certificate by performing
X.509 certificate path verification to the trusted certificate
extracted from the ownership voucher's 'pinned-domain-cert' node.
This verification may entail using additional intermediate
certificates attached to the owner certificate artifact. If the
ownership voucher's 'domain-cert-revocation-checks' node's value is
set to "true", the device MUST verify the revocation status of the
certificate chain used to sign the owner certificate and, if the
revocation status is not attainable or if it is determined that a
certificate has been revoked, the device MUST not validate the owner
certificate.
Watsen, et al. Expires April 21, 2018 [Page 21]
Internet-Draft Zero Touch October 2017
Finally the device MUST verify the signature over the information
artifact was generated by the private key matching the public key
from the owner certificate.
If any of these steps fail, then the device MUST invalidate the data
and not perform any subsequent steps.
5.5. Processing Redirect Information
In order to process redirect information (Section 2.1), the device
MUST follow the steps presented in this section.
Processing redirect information is straightforward. The device
sequentially steps through the list of provided bootstrap servers
until it can find one it can bootstrap from.
If a hostname is provided, and the hostname's DNS resolution is to
more than one IP address, the device MUST attempt to connect to all
of the DNS resolved addresses at least once, before moving on to the
next bootstrap server. If the device is able to obtain bootstrapping
data from any of the DNS resolved addresses, it MUST immediately
process that data, without attempting to connect to any of the other
DNS resolved addresses.
If the redirect information is trusted (e.g., trust-state is TRUE),
and the bootstrap server entry contains a trust anchor certificate,
then the device MUST authenticate the specified bootstrap server
RESTCONF TLS server certificate using X.509 certificate path
validation ([RFC6125], Section 6) to the specified trust anchor. If
the device is unable to authenticate the bootstrap server to the
specified trust anchor, the device MAY attempt a provisional
connection to the bootstrap server (i.e., by blindly accepting its
server certificate) and setting trust-state to FALSE.
If the redirect information is untrusted (e.g., trust-state is
FALSE), the device MUST discard any trust anchors provided by the
redirect information and establish a provisional connection to the
bootstrap server (i.e., by blindly accepting its TLS server
certificate).
5.6. Processing Onboarding Information
In order to process onboarding information (Section 2.2), the device
MUST follow the steps presented in this section.
When processing onboarding information, the device MUST first process
the boot image information, then execute the pre-configuration script
(if any), then commit the initial configuration, and then execute the
Watsen, et al. Expires April 21, 2018 [Page 22]
Internet-Draft Zero Touch October 2017
post-configuration script (if any), in that order. If the device
encounters an error at any step, it MUST NOT proceed to the next
step. When the onboarding information was obtained from a trusted
bootstrap server, the device SHOULD send progress reports throughout
the bootstrapping process using the bootstrap server's 'report-
progress' RPC.
First the device MUST determine if the image it is running satisfies
the specified boot image criteria (e.g., name and/or fingerprint
match). If it does not, the device MUST download (using the supplied
URI), verify, and install the specified boot image, and then reboot.
To verify the downloaded boot image, the device MUST check that the
boot image file matches the fingerprint (e.g., sha256) supplied by
the onboarding information. Upon rebooting, the bootstrapping
process runs again, which will eventually come to this very point,
but this time the device's running image will satisfy the specified
criteria, and thus the device will move to processing the next step.
Next, for devices that support executing scripts, if a pre-
configuration script has been specified, the device MUST execute the
script and check its exit status code to determine if had any
warnings or errors. In the case of errors, the device MUST reset
itself in such a way that wipes out any bad state the script may have
left behind.
Next the device commits the provided initial configuration. Assuming
no errors, the device moves to processing the next step.
Again, for devices that support executing scripts, if a post-
configuration script has been specified, the device MUST execute the
script and check its exit status code to determine if it had any
warnings or errors. In the case of errors, the device MUST reset
itself in such a way that wipes out any bad state the script may have
left behind.
At this point, the device has completely processed the bootstrapping
data and is ready to be managed. If the device obtained the
onboarding information from a trusted bootstrap server, the device
MUST post the 'bootstrap-complete' progress report now, using the
bootstrap server's 'report-progress' RPC.
At this point, the device is running its initial configuration.
Notably, if NETCONF Call Home or RESTCONF Call Home [RFC8071] is
configured, the device initiates trying to establish a call home
connection at this time.
Watsen, et al. Expires April 21, 2018 [Page 23]
Internet-Draft Zero Touch October 2017
6. The Zero Touch Information Data Model
This section defines a YANG 1.1 [RFC7950] module that is used to
define the data model for the zero touch information artifact
described in Section 3.1. This data model uses the 'yang-data'
extension statement defined in RFC 8040. Examples illustrating this
data model are provided in Section 6.2.
6.1. Data Model Overview
The following tree diagram provides an overview of the data model for
the zero touch information artifact. The syntax used for this tree
diagram is described in Section 1.4.
module: ietf-zerotouch-information
yang-data zerotouch-information:
+---- (information-type)
+--:(redirect-information)
| +---- redirect-information
| +---- bootstrap-server* [address]
| +---- address inet:host
| +---- port? inet:port-number
| +---- trust-anchor? binary
+--:(onboarding-information)
+---- onboarding-information
+---- boot-image
| +---- os-name string
| +---- os-version string
| +---- download-uri* inet:uri
| +---- image-verification* [hash-algorithm]
| +---- hash-algorithm identityref
| +---- hash-value? yang:hex-string
+---- configuration-handling? enumeration
+---- pre-configuration-script? script
+---- configuration? <anydata>
+---- post-configuration-script? script
6.2. Example Usage
The following example illustrates how redirect information
(Section 2.1) can be encoded using JSON, as is needed by the zero
touch information artifact.
Watsen, et al. Expires April 21, 2018 [Page 24]
Internet-Draft Zero Touch October 2017
{
"ietf-zerotouch-information:redirect-information" : {
"bootstrap-server" : [
{
"address" : "phs1.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "phs2.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "phs3.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
}
]
}
}
The following example illustrates how onboarding information
(Section 2.2) can be encoded using JSON, as is needed by the zero
touch information artifact.
Note: the sample configuration used in the below example configures
an administrator account with an SSH public key, configures keystore
with an authentication certificate, configures NETCONF Call Home and,
lastly, disables the zerotouch bootstrapping service. This is
acheived through use of YANG modules "ietf-system" from [RFC7317],
"ietf-keystore" from [I-D.ietf-netconf-keystore], "ietf-netconf-
server" from [I-D.ietf-netconf-netconf-client-server] and "ietf-
zerotouch-device" from this document.
[ note: '\' line wrapping for formatting only]
{
"ietf-zerotouch-information:onboarding-information" : {
"boot-image" : {
"os-name" : "VendorOS",
"os-version" : "17.2R1.6",
"download-uri" : [ "http://some/path/to/raw/file" ],
"image-verification" : [
{
"hash-algorithm" : "ietf-zerotouch-information:sha-256",
"hash-value" : "ba:ec:cf:a5:67:82:b4:10:77:c6:67:a6:22:ab:\
Watsen, et al. Expires April 21, 2018 [Page 25]
Internet-Draft Zero Touch October 2017
7d:50:04:a7:8b:8f:0e:db:02:8b:f4:75:55:fb:c1:13:b2:33"
}
]
},
"configuration-handling" : "merge",
"configuration" : {
"ietf-system:system" : {
"authentication" : {
"user" : {
"name" : "admin",
"authorized-key" : {
"name" : "admin's rsa ssh host-key",
"algorithm" : "ssh-rsa",
"key-data" : "base64encodedvalue=="
}
}
}
},
"ietf-keystore:keystore" : {
"pinned-certificates" : {
"name" : "deployment-specific-ca-certs",
"description" : "Certs used to auth client connections.",
"pinned-certificate" : {
"name" : "ca.example.com",
"data" : "base64encodedvalue=="
}
},
"pinned-certificates" : {
"name" : "explicitly-trusted-client-certs",
"description" : "Certs for explicitly-trusted clients.",
"pinned-certificate" : {
"name" : "Fred Flintstone",
"data" : "base64encodedvalue=="
}
}
},
"ietf-netconf-server:netconf-server" : {
"call-home" : {
"netconf-client" : {
"name" : "config-mgr",
"endpoints" : {
"endpoint" : {
"name" : "east-data-center",
"ssh" : {
"address" : "east.config-mgr.example.com",
"host-keys" : {
Watsen, et al. Expires April 21, 2018 [Page 26]
Internet-Draft Zero Touch October 2017
"host-key" : {
"name" : "certificate",
"certificate" : "builtin-idevid-cert"
}
},
"client-cert-auth" : {
"trusted-ca-certs" :
"deployment-specific-ca-certs",
"trusted-client-certs" :
"explicitly-trusted-client-certs"
}
}
},
"endpoint" : {
"name" : "west-data-center",
"ssh" : {
"address" : "west.config-mgr.example.com",
"host-keys" : {
"host-key" : {
"name" : "certificate",
"certificate" : "builtin-idevid-cert"
}
},
"client-cert-auth" : {
"trusted-ca-certs" :
"deployment-specific-ca-certs",
"trusted-client-certs" :
"explicitly-trusted-client-certs"
}
}
}
},
"connection-type" : {
"periodic" : {
"idle-timeout" : 300,
"reconnect-timeout" : 60
}
},
"reconnect-strategy" : {
"start-with" : "last-connected",
"max-attempts" : 3
}
}
}
},
"ietf-device:zerotouch" : {
"enabled" : false
}
Watsen, et al. Expires April 21, 2018 [Page 27]
Internet-Draft Zero Touch October 2017
}
}
}
6.3. YANG Module
The zero touch information data model is defined by the YANG module
presented in this section.
Note: the module defined herein uses data types defined in [RFC5280],
[RFC6234], and [RFC6991], and an extension statement from [RFC8040],
and an encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-information@2017-10-19.yang"
module ietf-zerotouch-information {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-zerotouch-information";
prefix zti;
import ietf-yang-types {
prefix yang;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-restconf {
prefix rc;
description
"This import statement is only present to access
the yang-data extension defined in RFC 8040.";
reference "RFC 8040: RESTCONF Protocol";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netconf
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines the data model for the Zero Touch Information
artifact defined by RFC XXXX: Zero Touch Provisioning for NETCONF
or RESTCONF based Management.
Watsen, et al. Expires April 21, 2018 [Page 28]
Internet-Draft Zero Touch October 2017
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-19 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
identity hash-algorithm {
description
"A base identity for hash algorith verification";
}
identity sha-256 {
base "hash-algorithm";
description "The SHA-256 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms.";
}
rc:yang-data "zerotouch-information" {
choice information-type {
mandatory true;
description
"This choice statement ensures the response contains
redirect-information or onboarding-information.";
container redirect-information {
description
"Redirect information is described in Section 2.1 in
RFC XXXX. Its purpose is to redirect a device to
another bootstrap server.";
reference
Watsen, et al. Expires April 21, 2018 [Page 29]
Internet-Draft Zero Touch October 2017
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF
based Management";
list bootstrap-server {
key "address";
min-elements 1;
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
leaf trust-anchor {
type binary;
description
"An X.509 v3 certificate structure as specified by RFC
5280, Section 4, encoded using ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690. A
certificate that the device can use as the trust anchor
to authenticate the bootstrap server the device is
being redirected to. If not specified, the device may
establish a provisional connection to the bootstrap
server, as described in RFC XXXX.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).
RFC XXXX:
Zero Touch Provisioning for NETCONF or RESTCONF
based Management.";
}
}
}
Watsen, et al. Expires April 21, 2018 [Page 30]
Internet-Draft Zero Touch October 2017
container onboarding-information {
description
"Onboarding information is described in Section 2.2 in
RFC XXXX. Its purpose is to provide the device everything
it needs to bootstrap itself.";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF
based Management";
container boot-image {
description
"Specifies criteria for the boot image the device MUST
be running.";
leaf os-name {
type string;
mandatory true;
description
"The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. VendorOS).";
}
leaf os-version {
type string;
mandatory true;
description
"The version of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. 17.3R2.1).";
}
leaf-list download-uri {
type inet:uri;
must '../image-verification' {
description
"Image verification information must be provided if
the device is going to download an image.";
}
ordered-by user;
description
"An ordered list of URIs to where the necessary
boot-image file MAY be obtained. Deployments must
know through out-of-band means which URI schemes
(http, ftp, etc.) the bootstrapping device supports.
If a secure scheme (e.g., https) is provided, a
device MAY establish an untrusted connection to the
remote server to obtain the boot-image.";
}
list image-verification {
key hash-algorithm;
description
Watsen, et al. Expires April 21, 2018 [Page 31]
Internet-Draft Zero Touch October 2017
"A list of hash values that a device can use to verify
boot image files with.";
leaf hash-algorithm {
type identityref {
base "hash-algorithm";
}
mandatory true;
description
"Identifies the hash algorithm used.";
}
leaf hash-value {
type yang:hex-string;
description
"The hex-encoded value of the specified hash algorithm
over the contents of the boot image file.";
}
}
}
leaf configuration-handling {
type enumeration {
enum "merge" {
description
"Merge configuration into the running datastore.";
}
enum "replace" {
description
"Replace the existing running datastore with the
passed configuration.";
}
}
must '../configuration';
description
"This enumeration indicates how the server should process
the provided configuration.";
}
leaf pre-configuration-script {
type script;
description
"A script that, when present, is executed before the
configuration has been processed.";
}
anydata configuration {
must '../configuration-handling';
description
"Any configuration data model known to the device. It may
contain manufacturer-specific and/or standards-based data
models.";
}
Watsen, et al. Expires April 21, 2018 [Page 32]
Internet-Draft Zero Touch October 2017
leaf post-configuration-script {
type script;
description
"A script that, when present, is executed after the
configuration has been processed.";
}
}
}
}
typedef script {
type binary;
description
"A device specific script that enables the execution of
commands to perform actions not possible thru configuration
alone.
No attempt is made to standardize the contents, running
context, or programming language of the script, other than
that it can emit an exit status code and stderr/sdtout. The
contents of the script are considered specific to the vendor,
product line, and/or model of the device.
If a script is erroneously provided to a device that does not
support the execution of scripts, the device SHOULD send a
'script-warning' progress report, but otherwise continue
processing the bootstrapping data as if the script had not
been present.
The script returns exit status code '0' on success and non-zero
on error, with accompanying stderr/stdout for logging purposes.
In the case of an error, the exit status code will specify what
the device should do as follows.
If the exit status code is greater than zero, then the device
should assume that the script had a soft error, which the
script believes does not affect manageability. If the device
obtained the bootstrap information from a bootstrap server,
it SHOULD send a 'script-warning' progress report.
If the exit status code is less than zero, the device should
assume the script had a hard error, which the script believes
will affect manageability. In this case, the device SHOULD
send a 'script-error' progress report followed by a reset that
will wipe out anything the script may have done and restart
the entire bootstrapping process again.";
}
}
Watsen, et al. Expires April 21, 2018 [Page 33]
Internet-Draft Zero Touch October 2017
<CODE ENDS>
7. The Zero Touch Bootstrap Server API
This section defines the API for bootstrap servers. The API is
defined as the API produced by a RESTCONF [RFC8040] server that
supports the YANG 1.1 [RFC7950] module defined in this section.
7.1. API Overview
The following tree diagram provides an overview for the bootstrap
server RESTCONF API. The syntax used for this tree diagram is
described in Section 1.4.
module: ietf-zerotouch-bootstrap-server
rpcs:
+---x get-bootstrapping-data
| +---w input
| | +---w untrusted-connection? empty
| | +---w os-name? string
| | +---w os-version? string
| | +---w remote-id? string
| | +---w circuit-id? string
| | +---w nonce? string
| +--ro output
| +--ro bootstrapping-data
| +--ro zerotouch-information pkcs7
| +--ro owner-certificate? pkcs7
| +--ro ownership-voucher? pkcs7
+---x report-progress
+---w input
+---w progress-type enumeration
+---w message? string
+---w ssh-host-keys
| +---w ssh-host-key*
| +---w format enumeration
| +---w key-data string
+---w trust-anchors
+---w trust-anchor*
+---w certificate pkcs7
7.2. Example Usage
This section presents three examples illustrating the bootstrap
server's API. Two examples are provided for the 'get-bootstrapping-
data' RPC (once to an untrusted bootstrap server, and again to a
Watsen, et al. Expires April 21, 2018 [Page 34]
Internet-Draft Zero Touch October 2017
trusted bootstrap server), and one example for the 'report-progress'
RPC.
The following example illustrates a device using the API to fetch its
bootstrapping data from a untrusted bootstrap server. In this
example, the device sends the 'untrusted-connection' input parameter
and receives signed data in the response.
REQUEST
-------
['\' line wrapping added for formatting only]
POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\
strapping-data HTTP/1.1
HOST: example.com
Content-Type: application/yang.data+xml
<input
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<untrusted-connection/>
</input>
RESPONSE
--------
HTTP/1.1 200 OK
Date: Sat, 31 Oct 2015 17:02:40 GMT
Server: example-server
Content-Type: application/yang.data+xml
<output
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<zerotouch-information>base64encodedvalue==</zerotouch-information>
<owner-certificate>base64encodedvalue==</owner-certificate>
<ownership-voucher>base64encodedvalue==</ownership-voucher>
</output>
The following example illustrates a device using the API to fetch its
bootstrapping data from a trusted bootstrap server. In this example,
the device sends addition input parameters that the bootstrap server
can use when formulating its response to the device.
Watsen, et al. Expires April 21, 2018 [Page 35]
Internet-Draft Zero Touch October 2017
REQUEST
-------
['\' line wrapping added for formatting only]
POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\
strapping-data HTTP/1.1
HOST: example.com
Content-Type: application/yang.data+xml
<input
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<os-name>VendorOS</os-name>
<os-version>17.3R2.1</os-version>
<remote-id>32</remote-id>
<circuit-id>2</circuit-id>
<nonce>base64encodedvalue==</nonce>
</input>
RESPONSE
--------
HTTP/1.1 200 OK
Date: Sat, 31 Oct 2015 17:02:40 GMT
Server: example-server
Content-Type: application/yang.data+xml
<output
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<zerotouch-information>base64encodedvalue==</zerotouch-information>
</output>
The following example illustrates a device using the API to post a
progress update to a bootstrap server. Illustrated below is the
'bootstrap-complete' message, but the device may send other progress
reports to the server while bootstrapping. In this example, the
device is sending both its SSH host keys and a TLS server
certificate, which the bootstrap server may, for example, pass to an
NMS, as discussed in Appendix A.3.
Watsen, et al. Expires April 21, 2018 [Page 36]
Internet-Draft Zero Touch October 2017
REQUEST
-------
['\' line wrapping added for formatting only]
POST /restconf/operations/ietf-zerotouch-bootstrap-server:report-\
progress HTTP/1.1
HOST: example.com
Content-Type: application/yang.data+xml
<input xmlns=
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<progress-type>bootstrap-complete</progress-type>
<message>example message</message>
<ssh-host-keys>
<ssh-host-key>
<format>ssh-rsa</format>
<key-data>base64encodedvalue==</key-data>
</ssh-host-key>
<ssh-host-key>
<format>ssh-dss</format>
<key-data>base64encodedvalue==</key-data>
</ssh-host-key>
</ssh-host-keys>
<trust-anchors>
<trust-anchor>
<certificate>base64encodedvalue==</certificate>
</trust-anchor>
</trust-anchors>
</input>
RESPONSE
--------
HTTP/1.1 204 No Content
Date: Sat, 31 Oct 2015 17:02:40 GMT
Server: example-server
7.3. YANG Module
The bootstrap server's device-facing API is normatively defined by
the YANG module defined in this section.
Note: the module defined herein uses data types defined in [RFC2315],
[RFC5280], [RFC6960], and [I-D.ietf-anima-voucher], and uses an
encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-bootstrap-server@2017-10-19.yang"
module ietf-zerotouch-bootstrap-server {
Watsen, et al. Expires April 21, 2018 [Page 37]
Internet-Draft Zero Touch October 2017
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server";
prefix ztbs;
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines an interface for bootstrap servers, as
defined by RFC XXXX: Zero Touch Provisioning for NETCONF or
RESTCONF based Management.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-19 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
// typedefs
typedef pkcs7 {
type binary;
description
Watsen, et al. Expires April 21, 2018 [Page 38]
Internet-Draft Zero Touch October 2017
"A PKCS #7 SignedData structure, as specified by Section 9.1
in RFC 2315, encoded using ASN.1 distinguished encoding rules
(DER), as specified in ITU-T X.690.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// RPCs
rpc get-bootstrapping-data {
description
"This RPC enables a device, as identified by its RESTCONF
username, to obtain bootstrapping data that has been made
available for it.";
input {
leaf untrusted-connection {
type empty;
description
"This optional input parameter enables a device to
communicate to the bootstrap server that it is unable
to authenticate the bootstrap server's TLS certificate.
In such circumstances, the device likely did not send
any of the other input parameters. The bootstrap server
needs to return either unsigned redirect information or
signed data.";
}
leaf os-name {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server the name of its
operating system. This parameter may be useful if
the device, as identified by its IDevID certificate,
to run more than one type of operating system (e.g.,
on a white-box system.";
}
leaf os-version {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server the version of
its operating system. This parameter may be useful
Watsen, et al. Expires April 21, 2018 [Page 39]
Internet-Draft Zero Touch October 2017
to a server that wants to return a response optimized
for the device, negating, for instance, the need for
a potentially expensive boot-image update.";
}
leaf remote-id {
type string;
must "../circuit-id";
description
"This optional input parameter enables a device to
communicate to the bootstrap server the 'remote-id'
value it learned from a DHCP server via Option 82,
as described in Section 2.0 or RFC 3046.
This information, along with the circuit-id, enables
the bootstrap server to return a deployment-specific
response independent of the device's IDevID identity.";
reference
"RFC 3046: DHCP Relay Agent Information Option";
}
leaf circuit-id {
type string;
must "../remote-id";
description
"This optional input parameter enables a device to
communicate to the bootstrap server the 'circuit-id'
value it learned from a DHCP server via Option 82,
as described in Section 2.0 or RFC 3046.
This information, along with the remote-id, enables
the bootstrap server to return a deployment-specific
response independent of the device's IDevID identity.";
reference
"RFC 3046: DHCP Relay Agent Information Option";
}
leaf nonce {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server a nonce value.
This may be especially useful for devices lacking
an accurate clock, as then the bootstrap server can
then dynamically obtain from the manufacturer a
voucher with the nonce value in it, as described
in I-D.ietf-anima-voucher.";
reference
"RFC ZZZZ: Voucher Profile for Bootstrapping Protocols.";
}
}
Watsen, et al. Expires April 21, 2018 [Page 40]
Internet-Draft Zero Touch October 2017
output {
container bootstrapping-data {
description
"Top-level node for the bootstrapping data.";
leaf zerotouch-information {
type pkcs7;
mandatory true;
description
"A 'zerotouch-information' artifact, as described in
Section 4.1 of RFC XXXX. In order to be processed by a
device, when conveyed over an untrusted transport, the
PKCS#7 SignedData structure MUST contain a 'signerInfo'
structure, described in Section 9.1 of RFC 2315,
containing a signature generated using the private key
associated with the 'owner-certificate'.";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or
RESTCONF based Management.
RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5";
}
leaf owner-certificate {
type pkcs7;
must '../ownership-voucher' {
description
"An ownership voucher must be present whenever an owner
certificate is presented.";
}
description
"This PKCS#7 structure MUST contain the owner certificate
and all intermediate certificates leading up to, and
optionally including, the trust anchor certificate
specified in the ownership voucher. Additionally, if
needed by the device, this structure MAY also contain
suitably fresh CRL and/or OCSP Responses with which to
verify the revocation status of the certificates.
X.509 certificates and CRLs are described in RFC 5280.
OCSP Responses are described in RFC 6960.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
RFC 6960:
X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP.
Watsen, et al. Expires April 21, 2018 [Page 41]
Internet-Draft Zero Touch October 2017
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
leaf ownership-voucher {
type pkcs7;
must '../owner-certificate' {
description
"An owner certificate must be present whenever an
ownership voucher is presented.";
}
description
"A 'voucher' artifact, as described in Section 5 of
I-D.ietf-anima-voucher. The voucher informs the device
who its owner is. The voucher encodes the device's
serial number, so that the device can ensure the
voucher applies to it. The voucher is signed by the
device's manufacturer.";
reference
"I-D.ietf-anima-voucher:
Voucher and Voucher Revocation Profiles for
Bootstrapping Protocols";
}
}
}
}
rpc report-progress {
description
"This RPC enables a device, as identified by its RESTCONF
username, to report its bootstrapping progress to the
bootstrap server.";
input {
leaf progress-type {
type enumeration {
enum "bootstrap-initiated" {
description
"Indicates that the device just used the
'get-bootstrapping-data' RPC. The 'message' field
below MAY contain any additional information that
the manufacturer thinks might be useful.";
}
enum "parsing-warning" {
description
"Indicates that the device had a non-fatal error when
parsing the response from the bootstrap server. The
Watsen, et al. Expires April 21, 2018 [Page 42]
Internet-Draft Zero Touch October 2017
'message' field below SHOULD indicate the specific
warning that occurred.";
}
enum "parsing-error" {
description
"Indicates that the device encountered a fatal error
when parsing the response from the bootstrap server.
For instance, this could be due to malformed
encoding, the device expecting signed data when
only unsigned data is provided, because the
ownership voucher didn't include the device's
unique identifier, or because the signature didn't
match. The 'message' field below SHOULD indicate
the specific error. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "boot-image-warning" {
description
"Indicates that the device encountered a non-fatal
error condition when trying to install a boot-image.
A possible reason might include a need to reformat a
partition causing loss of data. The 'message' field
below SHOULD indicate any warning messages that were
generated.";
}
enum "boot-image-error" {
description
"Indicates that the device encountered an error when
trying to install a boot-image, which could be for
reasons such as a file server being unreachable,
file not found, signature mismatch, etc. The
'message' field SHOULD indicate the specific error
that occurred. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "pre-script-warning" {
description
"Indicates that the device obtained a greater than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced.";
}
enum "pre-script-error" {
description
Watsen, et al. Expires April 21, 2018 [Page 43]
Internet-Draft Zero Touch October 2017
"Indicates that the device obtained a less than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "config-warning" {
description
"Indicates that the device obtained warning messages
when it committed the initial configuration. The
'message' field below SHOULD indicate any warning
messages that were generated.";
}
enum "config-error" {
description
"Indicates that the device obtained error messages
when it committed the initial configuration. The
'message' field below SHOULD indicate the error
messages that were generated. This progress type
also indicates that the device has abandoned trying
to bootstrap off this bootstrap server.";
}
enum "post-script-warning" {
description
"Indicates that the device obtained a greater than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced.";
}
enum "post-script-error" {
description
"Indicates that the device obtained a less than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "bootstrap-complete" {
description
"Indicates that the device successfully processed all
Watsen, et al. Expires April 21, 2018 [Page 44]
Internet-Draft Zero Touch October 2017
'onboarding-information' provided, and that it is ready
to be managed. The 'message' field below MAY contain
any additional information that the manufacturer thinks
might be useful. After sending this progress type,
the device is not expected to access the bootstrap
server again.";
}
enum "informational" {
description
"Indicates any additional information not captured
by any of the other progress types. For instance, a
message indicating that the device is about to
reboot after having installed a boot-image could
be provided. The 'message' field below SHOULD
contain information that the manufacturer thinks
might be useful.";
}
}
mandatory true;
description
"The type of progress report provided.";
}
leaf message {
type string;
description
"An optional arbitrary value.";
}
container ssh-host-keys {
when "../progress-type = 'bootstrap-complete'" {
description
"SSH host keys are only sent when the progress type
is 'bootstrap-complete'.";
}
description
"A list of trust anchor certificates an NMS may use to
authenticate subsequent SSH-based connections to this
device (e.g., netconf-ssh, netconf-ch-ssh).";
list ssh-host-key {
description
"An SSH host-key.";
leaf format {
type enumeration {
enum "ssh-dss" {
description
"ssh-dss";
}
enum "ssh-rsa" {
description
Watsen, et al. Expires April 21, 2018 [Page 45]
Internet-Draft Zero Touch October 2017
"ssh-rsa";
}
}
mandatory true;
description
"The format of the SSH host key.";
}
leaf key-data {
type string;
mandatory true;
description
"The key data for the SSH host key";
}
}
}
container trust-anchors {
when "../progress-type = 'bootstrap-complete'" {
description
"Trust anchors are only sent when the progress type
is 'bootstrap-complete'.";
}
description
"A list of trust anchor certificates an NMS may use to
authenticate subsequent certificate-based connections
to this device (e.g., restconf-tls, netconf-tls, or
even netconf-ssh with X.509 support from RFC 6187).";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication.";
list trust-anchor {
description
"A trust anchor.";
leaf certificate {
type pkcs7;
mandatory true;
description
"An X.509 v3 certificate structure, as specified
by Section 4 in RFC 5280, encoded using ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL)
Profile.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Watsen, et al. Expires April 21, 2018 [Page 46]
Internet-Draft Zero Touch October 2017
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
}
}
}
}
<CODE ENDS>
8. The Zero Touch Device Data Model
This section defines a data model that devices can implement to
enable the configuration of zerotouch bootstrapping and discovery of
what parameters are used by its bootstrapping logic.
8.1. Data Model Overview
The following tree diagram provides an overview for the zerotouch
device data model The syntax used for this tree diagram is described
in Section 1.4.
module: ietf-zerotouch-device
+--rw zerotouch
+--rw enabled? boolean
+--ro devid-certificate? pkcs7
| {bootstrap-servers}?
+--ro bootstrap-servers {bootstrap-servers}?
| +--ro bootstrap-server* [address]
| +--ro address inet:host
| +--ro port? inet:port-number
+--ro bootstrap-server-ta-certificates?
| -> /ks:keystore/pinned-certificates/name
| {bootstrap-servers}?
+--ro voucher-ta-certificates?
-> /ks:keystore/pinned-certificates/name {signed-data}?
In the above diagram, notice that there is only one configurable node
'enabled'. The expectation is that this node would be set to 'true'
in device's factory default configuration and that it would either be
set to 'false' or deleted when the zerotouch bootstrapping is longer
needed.
8.2. Example Usage
Following is an instance example for this data model.
Watsen, et al. Expires April 21, 2018 [Page 47]
Internet-Draft Zero Touch October 2017
[ note: '\' line wrapping for formatting only]
<zerotouch
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-device">
<enabled>true</enabled>
<devid-certificate>base64encodedvalue==</devid-certificate>
<bootstrap-servers>
<bootstrap-server>
<address>phs1.example.com</address>
<port>8443</port>
</bootstrap-server>
<bootstrap-server>
<address>phs2.example.com</address>
<port>8443</port>
</bootstrap-server>
<bootstrap-server>
<address>phs3.example.com</address>
<port>8443</port>
</bootstrap-server>
</bootstrap-servers>
<bootstrap-server-ta-certificates>manufacturers-root-ca-certs</boo\
tstrap-server-ta-certificates>
<voucher-ta-certificates>manufacturers-root-ca-certs</voucher-ta-c\
ertificates>
</zerotouch>
8.3. YANG Module
The device model is normatively defined by the YANG module defined in
this section.
Note: the module defined herein uses data types defined in [RFC2315]
and [RFC6991], and uses an encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-device@2017-10-19.yang"
module ietf-zerotouch-device {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-device";
prefix ztd;
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-keystore {
prefix ks;
reference 'RFC YYYY: YANG Data Model for a "Keystore" Mechanism';
Watsen, et al. Expires April 21, 2018 [Page 48]
Internet-Draft Zero Touch October 2017
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines a data model to enable zerotouch
bootstrapping and discover what parameters are used.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-19 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
// features
feature bootstrap-servers {
description
"The device supports bootstrapping off bootstrap servers.";
}
feature signed-data {
description
Watsen, et al. Expires April 21, 2018 [Page 49]
Internet-Draft Zero Touch October 2017
"The device supports bootstrapping off signed data.";
}
// typedefs
typedef pkcs7 {
type binary;
description
"A PKCS #7 SignedData structure, as specified by Section 9.1
in RFC 2315, encoded using ASN.1 distinguished encoding rules
(DER), as specified in ITU-T X.690.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// protocol accessible nodes
container zerotouch {
description
"Top-level container for zerotouch data model.";
leaf enabled {
type boolean;
default false;
description
"The 'enabled' leaf controls if zerotouch bootstrapping is
enabled or disabled. The default is 'false' so that, when
not enabled, which is most of the time, no configuration
needs to be returned.";
}
leaf devid-certificate {
if-feature bootstrap-servers;
type pkcs7;
config false;
description
"An unsigned PKCS #7 SignedData structure, as specified by
Section 9.1 in RFC 2315, encoded using ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.
This structure contains the IDevID certificate and all
intermediate certificates leading up to the manufacturer's
well-known trust anchor certificate. IDevID certificates
are described in IEEE 802.1AR-2009.";
Watsen, et al. Expires April 21, 2018 [Page 50]
Internet-Draft Zero Touch October 2017
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).
IEEE 802.1AR-2009:
IEEE Standard for Local and metropolitan area
networks - Secure Device Identity.";
}
container bootstrap-servers {
if-feature bootstrap-servers;
config false;
description
"Default list of bootstrap servers this device is
configured to reach out to when bootstrapping.";
list bootstrap-server {
key "address";
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
}
}
leaf bootstrap-server-ta-certificates {
if-feature bootstrap-servers;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate bootstrap
Watsen, et al. Expires April 21, 2018 [Page 51]
Internet-Draft Zero Touch October 2017
servers with.";
}
leaf voucher-ta-certificates {
if-feature signed-data;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate ownership
vouchers with.";
}
}
}
<CODE ENDS>
9. DHCP Zero Touch Options
This section defines two DHCP options, one for DHCPv4 and one for
DHCPv6. These two options are semantically the same, though
syntactically different.
9.1. DHCPv4 Zero Touch Option
The DHCPv4 Zero Touch Option is used to provision the client with one
or more URIs for bootstrap servers that can be contacted to attempt
further configuration.
DHCPv4 Zero Touch Redirect Option
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| option-code (TBD) | option-length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
. .
. bootstrap-server-list (variable length) .
. .
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
o option-code: OPTION_V4_ZEROTOUCH_REDIRECT (TBD)
o option-length: The option length in octets
o bootstrap-server-list: A list of servers for the
client to attempt contacting, in order to obtain
further bootstrapping data, in the format shown
in [common-field-encoding].
Watsen, et al. Expires April 21, 2018 [Page 52]
Internet-Draft Zero Touch October 2017
DHCPv4 Client Behavior
Clients MAY request the OPTION_V4_ZEROTOUCH_REDIRECT by including its
option code in the Parameter Request List (55) in DHCP request
messages.
On receipt of a DHCPv4 Reply message which contains the
OPTION_V4_ZEROTOUCH_REDIRECT, the client performs the following
steps:
1. Check the contents of the DHCPv4 message for at least one valid
URI. If there is more than one valid URI in the list, a candidate
list of possible URIs is created.
2. Attempt to connect to the one of the URIs in the candidate list.
The order in which these are processed by the client is
implementation specific and not defined here.
3. If a successful connection to the zerotouch bootstrap server,
then the client stops processing entries in the list and proceeds
according to Appendix A.3, step(3).
4. If the zerotouch bootstrap server does not respond, provides
an invalid response, or the transaction otherwise fails, the
client SHOULD attempt to contact another server from the
candidate list.
Any invalid URI entries received in the uri-data field are ignored by
the client. If OPTION_V4_ZEROTOUCH_REDIRECT does not contain at
least one valid URI entry in the uri-data field, then the client MUST
discard the option.
DHCPv4 Server Behavior
The DHCPv4 server MAY include a single instance of Option
OPTION_V4_ZEROTOUCH_REDIRECT in DHCP messages it sends. Servers MUST
NOT send more than one instance of the OPTION_V4_ZEROTOUCH_REDIRECT
option.
9.2. DHCPv6 Zero Touch Option
The DHCPv6 Zero Touch Option is used to provision the client with one
or more URIs for bootstrap servers that can be contacted to attempt
further configuration.
Watsen, et al. Expires April 21, 2018 [Page 53]
Internet-Draft Zero Touch October 2017
DHCPv6 Zero Touch Redirect Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| option-code (TBD) | option-length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. bootstrap-server-list (variable length) .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o option-code: OPTION_V6_ZEROTOUCH_REDIRECT (TBD)
o option-length: The option length in octets
o bootstrap-server-list: A list of servers for the client to
attempt contacting, in order to obtain further bootstrapping
data, in the format shown in [common-field-encoding].
DHCPv6 Client Behavior
Clients MAY request the OPTION_V6_ZEROTOUCH_REDIRECT option, as
defined in [RFC3315], Sections 17.1.1, 18.1.1, 18.1.3, 18.1.4,
18.1.5, and 22.7. As a convenience to the reader, we mention here
that the client includes requested option codes in the Option Request
Option.
On receipt of a DHCPv6 reply message which contains the
OPTION_V6_ZEROTOUCH_REDIRECT, the client performs the following
steps:
1. Check the contents of the DHCPv6 message for at least one valid
URI. If there is more than one valid URI in the list, a
candidate list of possible URIs is created.
2. Attempt to connect to the one of the URIs in the candidate list.
The order in which these are processed by the client is
implementation specific and not defined here.
3. If a successful connection to the zerotouch bootstrap server,
then the client stops processing entries in the list and proceeds
according to Appendix A.3, step(3).
4. If the zerotouch bootstrap server does not respond, provides
and invalid response or the transaction otherwise fails, the
client SHOULD attempt to contact another server from the
candidate list.
Any invalid URI entries received in the uri-data field are ignored by
the client. If OPTION_V6_ZEROTOUCH_REDIRECT does not contain at
Watsen, et al. Expires April 21, 2018 [Page 54]
Internet-Draft Zero Touch October 2017
least one valid URI entry in the uri-data field, then the client MUST
discard the option.
DHCPv6 Server Behavior
Sections 17.2.2 and 18.2 of [RFC3315] govern server operation
in regard to option assignment. As a convenience to the reader,
we mention here that the server will send a particular option code
only if configured with specific values for that option code and if
the client requested it.
Option OPTION_V6_ZEROTOUCH_REDIRECT is a singleton. Servers MUST NOT
send more than one instance of the OPTION_V6_ZEROTOUCH_REDIRECT
option.
9.3. Common Field Encoding
Both of the DHCPv4 and DHCPv6 options defined in this section encode
a list of bootstrap server URIs. The "URI" structure is an option
that can contain multiple URIs (see [RFC7227], Section 5.7).
bootstrap-server-list:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
| uri-length | URI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
o uri-length: variable, in octets.
o URI: URI of zerotouch bootstrap server, using the HTTPS URI
scheme defined in Section 2.7.2 of RFC7230. URI MUST be in
form "https://<ip-address-or-hostname>[:<port>]".
10. Security Considerations
10.1. Immutable storage for trust anchors
Devices MUST ensure that all their trust anchor certificates,
including those for connecting to bootstrap servers and verifying
ownership vouchers, are protected from external modification.
It may be necessary to update these certificates over time (e.g., the
manufacturer wants to delegate trust to a new CA). It is therefore
expected that devices MAY update these trust anchors when needed
through a verifiable process, such as a software upgrade using signed
software images.
Watsen, et al. Expires April 21, 2018 [Page 55]
Internet-Draft Zero Touch October 2017
10.2. Clock Sensitivity
The solution in this document relies on TLS certificates, owner
certificates, and ownership vouchers, all of which require an
accurate clock in order to be processed correctly (e.g., to test
validity dates and revocation status). Implementations SHOULD ensure
devices have an accurate clock when shipped from manufacturing
facilities, and take steps to prevent clock tampering.
If it is not possible to ensure clock accuracy, it is RECOMMENDED
that implementations disable the aspects of the solution having clock
sensitivity. In particular, such implementations should assume that
TLS certificates, ownership vouchers, and owner certificates never
expire and are not revokable. From an ownership voucher perspective,
manufacturers SHOULD issue a single ownership voucher for the
lifetime of such devices.
Implementations SHOULD NOT rely on NTP for time, as NTP is not a
secure protocol.
10.3. Blindly authenticating a bootstrap server
This document allows a device to blindly authenticate a bootstrap
server's TLS certificate. It does so to allow for cases where the
redirect information may be obtained in an unsecured manner, which is
desirable to support in some cases.
To compensate for this, this document requires that devices, when
connected to an untrusted bootstrap server, assert that data
downloaded from the server is signed.
10.4. Entropy loss over time
Section 7.2.7.2 of the IEEE Std 802.1AR-2009 standard says that
IDevID certificate should never expire (i.e. having the notAfter
value 99991231235959Z). Given the long-lived nature of these
certificates, it is paramount to use a strong key length (e.g.,
512-bit ECC).
10.5. Disclosing Information to Untrusted Servers
This document enables devices to establish provisional connections to
bootstrap servers, in order for the bootstrap server to provide
either unsigned redirect information or signed data to the device.
However, since the server is untrusted, it may be under the control
of an adversary, and therefore devices should be cautious about the
data they send in such cases.
Watsen, et al. Expires April 21, 2018 [Page 56]
Internet-Draft Zero Touch October 2017
Already this document requires devices send their IDevID certificate
to untrusted bootstrap servers, which means that the device's serial
number and hardware manufacturer may be disclosed to an adversary.
Serial numbers are ubiquitous and prominently contained in invoices
and on labels affixed to devices and their packaging. That said,
serial numbers many times encode revealing information, such as the
device's model number, manufacture date, and/or manufacturing
sequence number. Knowledge of this information may provide an
adversary with details needed to launch an attack.
In addition to the IDevID certificate, there are other potentially
identifying values that may be disclosed to an untrusted server,
including 'os-name', 'os-version', 'remote-id', 'circuit-id', and
progress reports. In order to address this issue, it is RECOMMENDED
that implementations first promote the untrusted connection to a
trusted connection, as described in Appendix B.
10.6. Sequencing Sources of Bootstrapping Data
For devices supporting more than one source for bootstrapping data,
no particular sequencing order has to be observed for security
reasons, as the solution for each source is considered equally
secure. However, from a privacy perspective, it is RECOMMENDED that
devices access local sources before accessing remote sources.
10.7. The "ietf-zerotouch-information" YANG Module
The ietf-zerotouch-information module defined in this document
defines a data structure that is always wrapped by a PKCS#7
structure. When accessed by a secure mechanism (e.g., protected by
TLS), then the PKCS#7 structure may be unsigned. However, when
accessed by an insecure mechanism (e.g., removable storage device),
then the PKCS#7 structure must be signed, in order for the device to
trust it.
Implementations should be aware that signed bootstrapping data only
protects the data from modification, the contents are still visible
to others. This doesn't affect Security so much as Privacy. That
the contents may be read by unintended parties when accessed by
insecure mechanisms is considered next.
The ietf-zerotouch-information module defines a top-level 'choice'
statement that declares the contents are either "redirect-
information" or "onboarding-information". Each of these two cases
are now considered.
When the contents of the PKCS#7 structure are redirect-information,
an observer can learn about the bootstrap servers the device is being
Watsen, et al. Expires April 21, 2018 [Page 57]
Internet-Draft Zero Touch October 2017
directed, their IP addresses or hostnames, ports, and trust anchor
certificates. Knowledge of this information could provide an
observer some insight into a network's inner structure.
When the contents of the PKCS#7 structure are onboarding-information,
as observer could learn considerable information about how the device
is to be provisioned. This information includes the specific
operating system version, the initial configuration, and the specific
scripts that the device is to run. All of this information should be
considered highly sensitive and precautions should be taken to
protect it from falling into the wrong hands.
10.8. The "ietf-zerotouch-bootstrap-server" YANG Module
The ietf-zerotouch-bootstrap-server module defined in this document
is specifies an API for a RESTCONF [RFC8040]. The lowest RESTCONF
layer is HTTPS, and the mandatory-to-implement secure transport is
TLS [RFC5246].
The NETCONF Access Control Model (NACM) [RFC6536] provides the means
to restrict access for particular users to a preconfigured subset of
all available protocol operations and content.
This module presents no data nodes (only RPCs). There is no need to
discuss the sensitivity of data nodes.
This module defines two RPC operations that may be considered
sensitive in some network environments. These are the operations and
their sensitivity/vulnerability:
get-bootstrapping-data: This RPC is used by devices to obtain their
bootstrapping data. By design, each device, as identified by its
IDevID certificate, can only obtain its own data. NACM is not
needed to further constrain access to this RPC.
report-bootstrapping-progress: This RPC is used by devices to report
their bootstrapping progress. By design, each device, as
identified by its IDevID certificate, can only report data for
itself. NACM is not needed to further constrain access to this
RPC.
10.9. The "ietf-zerotouch-device" YANG Module
The ietf-zerotouch-device module defined in this document is designed
to be accessed via network management protocols such as NETCONF
[RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the
secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
Watsen, et al. Expires April 21, 2018 [Page 58]
Internet-Draft Zero Touch October 2017
is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC5246].
The NETCONF access control model [RFC6536] provides the means to
restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
There is a data node defined in this YANG module that is
writable/creatable/deletable (i.e., config true, which is the
default). This data node may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config)
to this data node without proper protection can have a negative
effect on network operations. This is the data node and its
sensitivity/vulnerability:
/enabled: This data node is used to enable/disable the zerotouch
bootstrapping mechanism on a device. NACM rules or equivalent
should be used to restrict write-access to this node to
authenticated clients.
11. IANA Considerations
11.1. The BOOTP Manufacturer Extensions and DHCP Options Registry
IANA is kindly requested to allocate a new option code from the
"BOOTP Manufacturer Extensions and DHCP Options" registry maintained
at http://www.iana.org/assignments/bootp-dhcp-parameters:
TBD for OPTION_V4_ZEROTOUCH_REDIRECT
And a new option code from the "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)" registry maintained at
http://www.iana.org/assignments/dhcpv6-parameters:
TBD for OPTION_V6_ZEROTOUCH_REDIRECT
11.2. The IETF XML Registry
This document registers three URIs in the IETF XML registry
[RFC3688]. Following the format in [RFC3688], the following
registrations are requested:
Watsen, et al. Expires April 21, 2018 [Page 59]
Internet-Draft Zero Touch October 2017
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-device
Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace.
11.3. The YANG Module Names Registry
This document registers three YANG modules in the YANG Module Names
registry [RFC6020]. Following the format defined in [RFC6020], the
the following registrations are requested:
name: ietf-zerotouch-information
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information
prefix: zti
reference: RFC XXXX
name: ietf-zerotouch-bootstrap-server
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-\
server (note: '\' used for formatting reasons only)
prefix: ztbs
reference: RFC XXXX
name: ietf-zerotouch-device
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-device
prefix: ztd
reference: RFC XXXX
12. Acknowledgements
The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): David Harrington,
Michael Behringer, Dean Bogdanovic, Martin Bjorklund, Joe Clarke,
Toerless Eckert, Stephen Farrell, Stephen Hanna, Wes Hardaker, Radek
Krejci, Russ Mundy, Reinaldo Penno, Randy Presuhn, Max Pritikin,
Michael Richardson, Phil Shafer, Juergen Schoenwaelder.
Special thanks goes to Steve Hanna, Russ Mundy, and Wes Hardaker for
brainstorming the original I-D's solution during the IETF 87 meeting
in Berlin.
Watsen, et al. Expires April 21, 2018 [Page 60]
Internet-Draft Zero Touch October 2017
13. References
13.1. Normative References
[I-D.ietf-anima-voucher]
Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
"Voucher Profile for Bootstrapping Protocols", draft-ietf-
anima-voucher-05 (work in progress), August 2017.
[ITU.X690.1994]
International Telecommunications Union, "Information
Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, 1994.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998,
<https://www.rfc-editor.org/info/rfc2315>.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
2003, <https://www.rfc-editor.org/info/rfc3315>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
Watsen, et al. Expires April 21, 2018 [Page 61]
Internet-Draft Zero Touch October 2017
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>.
[RFC7227] Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and
S. Krishnan, "Guidelines for Creating New DHCPv6 Options",
BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014,
<https://www.rfc-editor.org/info/rfc7227>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[Std-802.1AR-2009]
IEEE SA-Standards Board, "IEEE Standard for Local and
metropolitan area networks - Secure Device Identity",
December 2009, <http://standards.ieee.org/findstds/
standard/802.1AR-2009.html>.
Watsen, et al. Expires April 21, 2018 [Page 62]
Internet-Draft Zero Touch October 2017
13.2. Informative References
[I-D.ietf-netconf-keystore]
Watsen, K., "Keystore Model", draft-ietf-netconf-
keystore-02 (work in progress), June 2017.
[I-D.ietf-netconf-netconf-client-server]
Watsen, K., Wu, G., and J. Schoenwaelder, "NETCONF Client
and Server Models", draft-ietf-netconf-netconf-client-
server-04 (work in progress), July 2017.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
2012, <https://www.rfc-editor.org/info/rfc6698>.
[RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
Galperin, S., and C. Adams, "X.509 Internet Public Key
Infrastructure Online Certificate Status Protocol - OCSP",
RFC 6960, DOI 10.17487/RFC6960, June 2013,
<https://www.rfc-editor.org/info/rfc6960>.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for
System Management", RFC 7317, DOI 10.17487/RFC7317, August
2014, <https://www.rfc-editor.org/info/rfc7317>.
Watsen, et al. Expires April 21, 2018 [Page 63]
Internet-Draft Zero Touch October 2017
[RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home",
RFC 8071, DOI 10.17487/RFC8071, February 2017,
<https://www.rfc-editor.org/info/rfc8071>.
Watsen, et al. Expires April 21, 2018 [Page 64]
Internet-Draft Zero Touch October 2017
Appendix A. Workflow Overview
The zero touch solution presented in this document is conceptualized
to be composed of the non-normative workflows described in this
section. Implementation details are expected to vary. Each diagram
is followed by a detailed description of the steps presented in the
diagram, with further explanation on how implementations may vary.
A.1. Enrollment and Ordering Devices
The following diagram illustrates key interactions that may occur
from when a prospective owner enrolls in a manufacturer's zero touch
program to when the manufacturer ships devices for an order placed by
the prospective owner.
Watsen, et al. Expires April 21, 2018 [Page 65]
Internet-Draft Zero Touch October 2017
+-----------+
+------------+ |Prospective| +---+
|Manufacturer| | Owner | |NMS|
+------------+ +-----------+ +---+
| | |
| | |
| 1. initiate enrollment | |
#<-----------------------------| |
# | |
# | |
# IDevID trust anchor | |
#-----------------------------># set IDevID trust anchor |
# #--------------------------->|
# | |
# bootstrap server | |
# account credentials | |
#-----------------------------># set credentials |
| #--------------------------->|
| | |
| | |
| 2. set owner certificate trust anchor |
|<----------------------------------------------------------|
| | |
| | |
| 3. place device order | |
|<-----------------------------# model devices |
| #--------------------------->|
| | |
| 4. ship devices and send | |
| device identifiers and | |
| ownership vouchers | |
|-----------------------------># set device identifiers |
| # and ownership vouchers |
| #--------------------------->|
| | |
Each numbered item below corresponds to a numbered item in the
diagram above.
1. A prospective owner of a manufacturer's devices initiates an
enrollment process with the manufacturer. This process includes
the following:
* Regardless how the prospective owner intends to bootstrap
their devices, they will always obtain from the manufacturer
the trust anchor certificate for the IDevID certificates.
This certificate will is installed on the prospective owner's
Watsen, et al. Expires April 21, 2018 [Page 66]
Internet-Draft Zero Touch October 2017
NMS so that the NMS can authenticate the IDevID certificates
when they're presented to subsequent steps.
* If the manufacturer hosts an Internet based bootstrap server
(e.g., a redirect server) such as described in Section 4.4,
then credentials necessary to configure the bootstrap server
would be provided to the prospective owner. If the bootstrap
server is configurable through an API (outside the scope of
this document), then the credentials might be installed on the
prospective owner's NMS so that the NMS can subsequently
configure the manufacturer-hosted bootstrap server directly.
2. If the manufacturer's devices are able to validate signed data
(Section 5.4), and assuming that the prospective owner's NMS is
able to prepare and sign the bootstrapping data itself, the
prospective owner's NMS might set a trust anchor certificate onto
the manufacturer's bootstrap server, using the credentials
provided in the previous step. This certificate is the trust
anchor certificate that the prospective owner would like the
manufacturer to place into the ownership vouchers it generates,
thereby enabling devices to trust the owner's owner certificate.
How this trust anchor certificate is used to enable devices to
validate signed bootstrapping data is described in Section 5.4.
3. Some time later, the prospective owner places an order with the
manufacturer, perhaps with a special flag checked for zero touch
handling. At this time, or perhaps before placing the order, the
owner may model the devices in their NMS, creating virtual
objects for the devices with no real-world device associations.
For instance the model can be used to simulate the device's
location in the network and the configuration it should have when
fully operational.
4. When the manufacturer fulfills the order, shipping the devices to
their intended locations, they may notify the owner of the
devices's serial numbers and shipping destinations, which the
owner may use to stage the network for when the devices power on.
Additionally, the manufacturer may send one or more ownership
vouchers, cryptographically assigning ownership of those devices
to the owner. The owner may set this information on their NMS,
perhaps binding specific modeled devices to the serial numbers
and ownership vouchers.
A.2. Owner Stages the Network for Bootstrap
The following diagram illustrates how an owner might stage the
network for bootstrapping devices.
Watsen, et al. Expires April 21, 2018 [Page 67]
Internet-Draft Zero Touch October 2017
+----------+ +------------+
|Deployment| |Manufacturer| +------+ +------+
| Specific | | Hosted | | Local| | Local| +---------+
+---+ |Bootstrap | | Bootstrap | | DNS | | DHCP | |Removable|
|NMS| | Server | | Server | |Server| |Server| | Storage |
+---+ +----------+ +------------+ +------+ +------+ +---------+
| | | | | |
1. | | | | | |
activate | | | | | |
modeled | | | | | |
device | | | | | |
-------->| | | | | |
| 2. (optional) | | | |
| configure | | | |
| bootstrap | | | |
| server | | | |
|------->| | | | |
| | | | | |
| 3. (optional) configure | | |
| bootstrap server | | | |
|--------------------->| | | |
| | | | | |
| | | | | |
| 4. (optional) configure DNS server| | |
|---------------------------------->| | |
| | | | | |
| | | | | |
| 5. (optional) configure DHCP server | |
|------------------------------------------->| |
| | | | | |
| | | | | |
| 6. (optional) store bootstrapping artifacts on media |
|----------------------------------------------------->|
| | | | | |
| | | | | |
Each numbered item below corresponds to a numbered item in the
diagram above.
1. Having previously modeled the devices, including setting their
fully operational configurations and associating device serial
numbers and (optionally) ownership vouchers, the owner might
"activate" one or more modeled devices. That is, the owner tells
the NMS to perform the steps necessary to prepare for when the
real-world devices power up and initiate the bootstrapping
process. Note that, in some deployments, this step might be
combined with the last step from the previous workflow. Here it
Watsen, et al. Expires April 21, 2018 [Page 68]
Internet-Draft Zero Touch October 2017
is depicted that an NMS performs the steps, but they may be
performed manually or through some other mechanism.
2. If it is desired to use a deployment specific bootstrap server,
it must be configured to provide the bootstrapping information
for the specific devices. Configuring the bootstrap server may
occur via a programmatic API not defined by this document.
Illustrated here as an external component, the bootstrap server
may be implemented as an internal component of the NMS itself.
3. If it is desired to use a manufacturer hosted bootstrap server,
it must be configured to provide the bootstrapping information
for the specific devices. The configuration must be either
redirect or onboarding information. That is, either the
manufacturer hosted bootstrap server will redirect the device to
another bootstrap server, or provide the device with the
onboarding information itself. The types of bootstrapping
information the manufacturer hosted bootstrap server supports may
vary by implementation; some implementations may only support
redirect information, or only support onboarding information, or
support both redirect and onboarding information. Configuring
the bootstrap server may occur via a programmatic API not defined
by this document.
4. If it is desired to use a DNS server to supply bootstrapping
information, a DNS server needs to be configured. If multicast
DNS-SD is desired, then the server must reside on the local
network, otherwise the DNS server may reside on a remote network.
Please see Section 4.2 for more information about how to
configure DNS servers. Configuring the DNS server may occur via
a programmatic API not defined by this document.
5. If it is desired to use a DHCP server to supply bootstrapping
data, a DHCP server needs to be configured. The DHCP server may
be accessed directly or via a DHCP relay. Please see Section 4.3
for more information about how to configure DHCP servers.
Configuring the DHCP server may occur via a programmatic API not
defined by this document.
6. If it is desired to use a removable storage device (e.g., USB
flash drive) to supply bootstrapping information, the information
would need to be placed onto it. Please see Section 4.1 for more
information about how to configure a removable storage device.
Watsen, et al. Expires April 21, 2018 [Page 69]
Internet-Draft Zero Touch October 2017
A.3. Device Powers On
The following diagram illustrates the sequence of activities that
occur when a device powers on.
+----------+
+-----------+ |Deployment|
| Source of | | Specific |
+------+ | Bootstrap | |Bootstrap | +---+
|Device| | Data | | Server | |NMS|
+------+ +-----------+ +----------+ +---+
| | | |
| | | |
| 1. if zerotouch bootstrap service | | |
| is not enabled, then exit. | | |
| | | |
| 2. for each source supported, check | | |
| for bootstrapping data. | | |
|------------------------------------->| | |
| | | |
| 3. if onboarding information found, | | |
| initialize self and, only if | | |
| source is a bootstrap server, | | |
| send progress updates. | | |
|-------------------------------------># | |
| # webhook | |
| #----------------------->|
| | |
| 4. else if redirect-information found, for each | |
| bootstrap server specified, check for data. | |
|-+-------------------------------------------------->| |
| | | |
| | if more redirect-information is found, recurse | |
| | (not depicted), else if onboarding-information | |
| | found, initialize self and post progress reports | |
| +--------------------------------------------------># |
| # webhook |
| #-------->|
|
| 5. retry sources and/or wait for manual provisioning.
|
The interactions in the above diagram are described below.
1. Upon power being applied, the device checks to see if zerotouch
bootstrapping is configured, such as must be the case when
running its "factory default" configuration. If zerotouch
Watsen, et al. Expires April 21, 2018 [Page 70]
Internet-Draft Zero Touch October 2017
bootstrapping is not configured, then the bootstrapping logic
exits and none of the following interactions occur.
2. For each source of bootstrapping data the device supports,
preferably in order of closeness to the device (e.g., removable
storage before Internet based servers), the device checks to see
if there is any bootstrapping data for it there.
3. If onboarding information is found, the device initializes itself
accordingly (e.g., installing a boot-image and committing an
initial configuration). If the source is a bootstrap server, and
the bootstrap server can be trusted (i.e., TLS-level
authentication), the device also sends progress reports to the
bootstrap server.
* The contents of the initial configuration should configure an
administrator account on the device (e.g., username, ssh-rsa
key, etc.), and should configure the device either to listen
for NETCONF or RESTCONF connections or to initiate call home
connections [RFC8071], and should disable the zerotouch
bootstrapping service.
* If the bootstrap server supports forwarding device progress
updates to external systems (e.g., via a webhook), a
"bootstrap-complete" progress report (Section 7.3) informs the
external system to know when it can, for instance, initiate a
connection to the device. To support this scenario further,
the 'bootstrap-complete' progress update may also relay the
device's SSH host keys and/or TLS certificates, with which the
external system can use to authenticate subsequent connections
to the device. IDevID certificates do not need to be sent as
they do not need to be pinned by an NMS in order for the NMS
to trust the IDevID certificate.
If the device successfully completes the bootstrapping process,
it exits the bootstrapping logic without considering any
additional sources of bootstrapping data.
4. Otherwise, if redirect information is found, the device iterates
through the list of specified bootstrap servers, checking to see
if it has bootstrapping data for the device. If the bootstrap
server returns more redirect information, then the device
processes it recursively. Otherwise, if the bootstrap server
returns onboarding information, the device processes it following
the description provided in (3) above.
5. After having tried all supported sources of bootstrapping data,
the device may retry again all the sources and/or provide
Watsen, et al. Expires April 21, 2018 [Page 71]
Internet-Draft Zero Touch October 2017
manageability interfaces for manual configuration (e.g., CLI,
HTTP, NETCONF, etc.). If manual configuration is allowed, and
such configuration is provided, the configuration should also
disable the zerotouch bootstrapping service, as the need for
bootstrapping would no longer be present.
Appendix B. Promoting a Connection from Untrusted to Trusted
The following diagram illustrates a sequence of bootstrapping
activities that promote an untrusted connection to a bootstrap server
to a trusted connection to the same bootstrap server. This enables a
device to limit the amount of information it might disclose to an
adversary hosting an untrusted bootstrap server.
+----------+
|Deployment|
| Specific |
+------+ |Bootstrap |
|Device| | Server |
+------+ +----------+
| |
| 1. "HTTPS" Request ('untrusted-connection') |
|------------------------------------------------------->|
| 2. "HTTPS" Response (signed redirect information) |
|<-------------------------------------------------------|
| |
| |
| 3. HTTPS Request (os-name=xyz, os-version=123, etc.) |
|------------------------------------------------------->|
| 4. HTTPS Response (unsigned onboarding information |
|<-------------------------------------------------------|
| |
The interactions in the above diagram are described below.
1. The device initiates an untrusted connection to a bootstrap
server, as is indicated by putting "HTTPS" in double quotes
above. It is still an HTTPS connection, but the device is unable
to authenticate the bootstrap server's TLS certificate. Because
the device is unable to trust the bootstrap server, it purposely
only sends the 'untrusted-connection' input parameter to the
'get-bootstrapping-data' RPC, informing the bootstrap server that
it doesn't trust it and may be holding back some information from
the server (e.g., other input parameters, progress reports,
etc.).
2. The bootstrap server, seeing the 'untrusted-connection' input
parameters, knows that it can either send unsigned redirect
Watsen, et al. Expires April 21, 2018 [Page 72]
Internet-Draft Zero Touch October 2017
information or signed data of any type. But, in this case, the
bootstrap server has the ability to sign data and chooses to
respond with signed redirect information, not signed onboarding
information as might be expected, securely redirecting the device
back to it again.
3. Upon validating the signed redirect information, the device
establishes a secure connection to the bootstrap server.
Unbeknownst to the device, it is the same bootstrap server it was
connected to previously but, because the device is able to
authenticate the bootstrap server tis time, it sends its normal
'get-bootstrapping-data' request (i.e., with additional input
parameters) as well as its progress reports (not depicted).
4. This time, because the 'untrusted-connection' parameter was not
passed, having access to all of the device's input parameters,
the bootstrap server returns unsigned onboarding information to
the device.
Appendix C. Change Log
C.1. ID to 00
o Major structural update; the essence is the same. Most every
section was rewritten to some degree.
o Added a Use Cases section
o Added diagrams for "Actors and Roles" and "NMS Precondition"
sections, and greatly improved the "Device Boot Sequence" diagram
o Removed support for physical presence or any ability for
configlets to not be signed.
o Defined the Zero Touch Information DHCP option
o Added an ability for devices to also download images from
configuration servers
o Added an ability for configlets to be encrypted
o Now configuration servers only have to support HTTP/S - no other
schemes possible
Watsen, et al. Expires April 21, 2018 [Page 73]
Internet-Draft Zero Touch October 2017
C.2. 00 to 01
o Added boot-image and validate-owner annotations to the "Actors and
Roles" diagram.
o Fixed 2nd paragraph in section 7.1 to reflect current use of
anyxml.
o Added encrypted and signed-encrypted examples
o Replaced YANG module with XSD schema
o Added IANA request for the Zero Touch Information DHCP Option
o Added IANA request for media types for boot-image and
configuration
C.3. 01 to 02
o Replaced the need for a configuration signer with the ability for
each NMS to be able to sign its own configurations, using
manufacturer signed ownership vouchers and owner certificates.
o Renamed configuration server to bootstrap server, a more
representative name given the information devices download from
it.
o Replaced the concept of a configlet by defining a southbound
interface for the bootstrap server using YANG.
o Removed the IANA request for the boot-image and configuration
media types
C.4. 02 to 03
o Minor update, mostly just to add an Editor's Note to show how this
draft might integrate with the draft-pritikin-anima-bootstrapping-
keyinfra.
C.5. 03 to 04
o Major update formally introducing unsigned data and support for
Internet-based redirect servers.
o Added many terms to Terminology section.
o Added all new "Guiding Principles" section.
Watsen, et al. Expires April 21, 2018 [Page 74]
Internet-Draft Zero Touch October 2017
o Added all new "Sources for Bootstrapping Data" section.
o Rewrote the "Interactions" section and renamed it "Workflow
Overview".
C.6. 04 to 05
o Semi-major update, refactoring the document into more logical
parts
o Created new section for information types
o Added support for DNS servers
o Now allows provisional TLS connections
o Bootstrapping data now supports scripts
o Device Details section overhauled
o Security Considerations expanded
o Filled in enumerations for notification types
C.7. 05 to 06
o Minor update
o Added many Normative and Informative references.
o Added new section Other Considerations.
C.8. 06 to 07
o Minor update
o Added an Editorial Note section for RFC Editor.
o Updated the IANA Considerations section.
C.9. 07 to 08
o Minor update
o Updated to reflect review from Michael Richardson.
Watsen, et al. Expires April 21, 2018 [Page 75]
Internet-Draft Zero Touch October 2017
C.10. 08 to 09
o Added in missing "Signature" artifact example.
o Added recommendation for manufacturers to use interoperable
formats and file naming conventions for removable storage devices.
o Added configuration-handling leaf to guide if config should be
merged, replaced, or processed like an edit-config/yang-patch
document.
o Added a pre-configuration script, in addition to the post-
configuration script from -05 (issue #15).
C.11. 09 to 10
o Factored ownership voucher and voucher revocation to a separate
document: draft-kwatsen-netconf-voucher. (issue #11)
o Removed <configuration-handling> options 'edit-config' and 'yang-
patch'. (issue #12)
o Defined how a signature over signed-data returned from a bootstrap
server is processed. (issue #13)
o Added recommendation for removable storage devices to use open/
standard file systems when possible. (issue #14)
o Replaced notifications "script-[warning/error]" with "[pre/post]-
script-[warning/error]". (goes with issue #15)
o switched owner-certificate to be encoded using the pkcs#7 format.
(issue #16)
o Replaced md5/sha1 with sha256 inside a choice statement, for
future extensibility. (issue #17)
o A ton of editorial changes, as I went thru the entire draft with a
fine-toothed comb.
C.12. 10 to 11
o fixed yang validation issues found by IETFYANGPageCompilation.
note: these issues were NOT found by pyang --ietf or by the
submission-time validator...
o fixed a typo in the yang module, someone the config false
statement was removed.
Watsen, et al. Expires April 21, 2018 [Page 76]
Internet-Draft Zero Touch October 2017
C.13. 11 to 12
o fixed typo that prevented Appendix B from loading the examples
correctly.
o fixed more yang validation issues found by
IETFYANGPageCompilation. note: again, these issues were NOT found
by pyang --ietf or by the submission-time validator...
o updated a few of the notification enumerations to be more
consistent with the other enumerations (following the warning/
error pattern).
o updated the information-type artifact to state how it's encoded,
matching the language that was in Appendix B.
C.14. 12 to 13
o defined a standalone artifact to encode the old information-type
into a PKCS#7 structure.
o standalone information artifact hardcodes JSON encoding (to match
the voucher draft).
o combined the information and signature PKCS#7 structures into a
single PKCS#7 structure.
o moved the certificate-revocations into the owner-certificate's
PKCS#7 structure.
o eliminated support for voucher-revocations, to reflect the
voucher-draft's switch from revocations to renewals.
C.15. 13 to 14
o Renamed "bootstrap information" to "onboarding information".
o Rewrote DHCP sections to address the packet-size limitation issue,
as discussed in Chicago.
o Added Ian as an author for his text-contributions to the DHCP
sections.
o Removed the Guiding Principles section.
Watsen, et al. Expires April 21, 2018 [Page 77]
Internet-Draft Zero Touch October 2017
C.16. 14 to 15
o Renamed action 'notification' to 'update-progress' and, likewise
'notification-type' to 'update-type'.
o Updated examples to use "base64encodedvalue==" for binary values.
o Greatly simplified the "Artifact Groupings" section, and moved it
as a subsection to the "Artifacts" section.
o Moved the "Workflow Overview" section to the Appendix.
o Renamed "bootstrap information" to "update information".
o Removed "Other Considerations" section.
o Tons of editorial updates.
C.17. 15 to 16
o tweaked language to refer to "initial state" rather than "factory
default configuration", so as accommodate white-box scenarios.
o added a paragraph to Intro regarding how the solution primarily
regards physical machines, but could be extended to VMs by a
future document.
o added a pointer to the Workflow Overview section (recently moved
to the Appendix) to the Intro.
o added a note that, in order to simplify the verification process,
the "Zerotouch Information" PKCS#7 structure MUST also contain the
signing X.509 certificate.
o noted that the owner certificate's must either have no Key Usage
or the Key Usage must set the "digitalSignature" bit.
o noted that the owner certificate's subject and subjectAltName
values are not constrained.
o moved/consolidated some text from the Artifacts section down to
the Device Details section.
o tightened up some ambiguous language, for instance, by referring
to specific leaf names in the Voucher artifact.
o reverted a previously overzealous s/unique-id/serial-number/
change.
Watsen, et al. Expires April 21, 2018 [Page 78]
Internet-Draft Zero Touch October 2017
o modified language for when ZTP runs from when factory-default
config is running to when ZTP is configured, which the factory-
defaults should set .
C.18. 16 to 17
o Added an example for how to promote an untrusted connection to a
trusted connection.
o Added a "query parameters" section defining some parameters
enabling scenarios raised in last call.
o Added a "Disclosing Information to Untrusted Servers" section to
the Security Considerations.
C.19. 17 to 18
o Added Security Considerations for each YANG module.
o Reverted back to the device always sending its DevID cert.
o Moved data tree to ac'get-bootstrapping-data' RPC.
o Moved the 'update-progress' action to a 'report-progress' RPC.
o Added an 'untrusted-connection' parameter to 'get-bootstrapping-
data' RPC.
o Added the "ietf-zerotouch-device" module.
o Lots of small updates.
C.20. 18 to 19
o Fixed 'must' expressions, by converting 'choice' to a 'list' of
'image-verification', each of which now points to a base identity
called "hash-algorithm". There's just one algorithm currently
defined (sha-256). Wish there was a standard crypto module that
could identify such identities.
Authors' Addresses
Kent Watsen
Juniper Networks
EMail: kwatsen@juniper.net
Watsen, et al. Expires April 21, 2018 [Page 79]
Internet-Draft Zero Touch October 2017
Mikael Abrahamsson
T-Systems
EMail: mikael.abrahamsson@t-systems.se
Ian Farrer
Deutsche Telekom AG
EMail: ian.farrer@telekom.de
Watsen, et al. Expires April 21, 2018 [Page 80]