NETCONF Working Group | K. Watsen |
Internet-Draft | Juniper Networks |
Intended status: Standards Track | M. Abrahamsson |
Expires: May 4, 2017 | T-Systems |
October 31, 2016 |
Zero Touch Provisioning for NETCONF or RESTCONF based Management
draft-ietf-netconf-zerotouch-11
This draft presents a secure technique for establishing a NETCONF or RESTCONF connection between a newly deployed device, configured with just its factory default settings, and its deployment specific network management system (NMS).
This draft contains many placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. Please note that no other RFC Editor instructions are specified anywhere else in this document.
This document contains references to other drafts in progress, both in the Normative References section, as well as in body text throughout. Please update the following references to reflect their final RFC assignments:
Artwork in this document contains shorthand references to drafts in progress. Please apply the following replacements:
Artwork in this document contains placeholder values for the date of publication of this draft. Please apply the following replacement:
The following one Appendix section is to be removed prior to publication:
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A fundamental business requirement for any network operator is to reduce costs where possible. For network operators, deploying devices to many locations can be a significant cost, as sending trained specialists to each site to do installations is both cost prohibitive and does not scale.
This document defines a bootstrapping strategy enabling devices to securely obtain bootstrapping data with no installer input, beyond physical placement and connecting network and power cables. The ultimate goal of this document is to enable a secure NETCONF [RFC6241] or RESTCONF [draft-ietf-netconf-restconf] connection to the deployment specific network management system (NMS).
This document uses the following terms:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the sections below are to be interpreted as described in RFC 2119 [RFC2119].
A simplified graphical representation of the data models is used in this document. The meaning of the symbols in these diagrams is as follows:
This section provides overarching principles guiding the solution presented in this document.
A trust anchor is used in cryptography to represent an entity in which trust is implicit and not derived. In public key infrastructure using X.509 certificates, a root certificate is the trust anchor, from which a chain of trust is derived. The solution presented in this document requires that all the entities involved (e.g., devices, bootstrap servers, NMSs) possess specific trust anchors in order to ensure mutual authentication throughout the zero touch bootstrapping process.
A device in its factory default state possesses a limited set of manufacturer specified trust anchors. In this document, there are two types of trust anchors of interest. The first type of trust anchor is used to authenticate a secure (e.g., HTTPS) connection to, for instance, a manufacturer-hosted Internet-based bootstrap server. The second type of trust anchor is used to authenticate manufacturer-signed data, such as the ownership voucher artifact described in Section 4.3.
Using the first type of trust anchor, trust is conveyed by the device first authenticating the server (e.g., a bootstrap server), and then by the device trusting that the server would only provide data that its rightful owner staged for it to find. Thereby the device can trust any information returned from the server.
Using the second type of trust anchor, trust is conveyed by the device first authenticating that an artifact has been signed by its rightful owner, and thereby can trust any information held within the artifact.
Notably, redirect information, as described in Section 3.1, may include more trust anchors, which illustrates another way in which trust can be conveyed.
The ultimate goal of this document is to enable a device to establish a secure connection with its rightful owner's NMS. This entails the manufacturer being able to track who is the rightful owner of a device (not defined in this document), as well as an ability to convey that information to devices (defined in this document).
Matching the two ways to convey trust (Section 2.2), this document provides two ways to convey ownership, by using a trusted bootstrap server (Section 6.4) or by using an ownership voucher (Section 4.3).
When a device connects to a trusted bootstrap server, one that was preconfigured into its factory default configuration, it implicitly trusts that the bootstrap server would only provide data that its rightful owner staged for it to find. That is, ownership is conveyed by the administrator of the bootstrap server (e.g., a manufacturer) taking the onus of ensuring that only data configured by a device's rightful owner is made available to the device. With this approach, the assignment of a device to an owner is ephemeral, as the administrator can reassign a device to another owner at any time.
When a device is presented signed bootstrapping data, it can authenticate that its rightful owner provided the data by verifying the signature over the data using an additional artifact defined within this document, the ownership voucher. With this approach, ownership is conveyed by the manufacturer (or delegate) taking the onus of ensuring that the ownership vouchers it issues are accurate and, in some cases, also ensuring timely voucher revocations (Section 4.5).
This document defines two types of information, redirect information and bootstrap information, that devices access during the bootstrapping process. These two types of information are described in this section.
Redirect information provides information to redirect a device to a bootstrap server. Redirect information encodes a list of bootstrap servers, each defined by its hostname or IP address, an optional port, and an optional trust anchor certificate.
Redirect information is YANG modeled data formally defined by the "redirect-information" grouping in the YANG module presented in Section 9.2. This grouping has the tree diagram shown below. Please see Section 1.4 for tree diagram notation.
+--:(redirect-information) +--ro redirect-information +--ro bootstrap-server* [address] +--ro address inet:host +--ro port? inet:port-number +--ro trust-anchor? binary
Redirect information MAY be trusted or untrusted. The redirect information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's rightful owner. In all other cases, the redirect information is untrusted.
Trusted redirect information is useful for enabling a device to establish a secure connection to a bootstrap server, which is possible when the redirect information includes the bootstrap server's trust anchor certificate. When a device is able to establish a secure connection to a bootstrap server, the bootstrapping data does not have to be signed in order to be trusted, as described in Section 2.2.
Untrusted redirect information is useful for directing a device to a bootstrap server where signed data has been staged for it to obtain. When the redirect information is untrusted, the device MUST discard any potentially included trust anchor certificates. When the redirect information is untrusted, a device MAY establish a provisional connection to any of the specified bootstrap servers. A provisional connection is accomplished by the device blindly accepting the bootstrap server's TLS certificate. In this case, the device MUST NOT trust the bootstrap server, and data provided by the bootstrap server MUST be signed for it to be of any use to the device.
How devices process redirect information is described more formally in Section 8.5.
Bootstrap information provides all the data necessary for a device to bootstrap itself, in order to be considered ready to be managed (e.g., by an NMS). As defined in this document, this data includes information about a boot image the device MUST be running, an initial configuration the device MUST commit, and optional scripts that, if specified, the device MUST successfully execute.
Bootstrap information is YANG modeled data formally defined by the "bootstrap-information" grouping in the YANG module presented in Section 9.2. This grouping has the tree diagram shown below. Please see Section 1.4 for tree diagram notation.
+--:(bootstrap-information) +--ro bootstrap-information +--ro boot-image | +--ro name string | +--ro (hash-algorithm) | | +--:(sha256) | | +--ro sha256? string | +--ro uri* inet:uri +--ro configuration-handling enumeration +--ro pre-configuration-script? script +--ro configuration? +--ro post-configuration-script? script
Bootstrap information MUST be trusted for it to be of any use to a device. There is no option for a device to process untrusted bootstrap information.
Bootstrap information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's rightful owner. In all other cases, the bootstrap information is untrusted.
How devices process bootstrap information is described more formally in Section 8.6.
This document defines six artifacts that can be made available to devices while they are bootstrapping. As will be seen in Section 6, each source of bootstrapping information specifies a means for providing each of the artifacts defined in this section.
The information type artifact encodes the essential bootstrapping data for the device. This artifact is used to encode the redirect information and bootstrap information types discussed in Section 3.
The information type artifact is YANG modeled data formally defined by the "information-type" choice node in Section 9.2 and can be encoded using any standard YANG encoding (e.g., XML, JSON).
The signature artifact is used by a device to verify that an information type artifact was created by the device's rightful owner. The signature is generated using the owner's private key over the information-type artifact, in whatever encoding it is presented in (e.g., XML, JSON, etc.). How signed data is validated is formally described in Section 8.4.
The signature artifact is formally a PKCS#7 SignedData structure as specified by Section 9.1 of [RFC2315], containing just the signature (no content, certificates, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
The ownership voucher is used to securely identify a device's owner, as it is known to the manufacturer. The ownership voucher is signed by the device's manufacturer or delegate.
The ownership voucher is used by a device to verify the owner certificate (Section 4.4) that the device SHOULD have also received, as described in Section 5. In particular, the device verifies that owner certificate's chain of trust includes the trusted certificate included in the voucher, and also verifies that the owner certificate contains an identifier matching the one specified in the voucher.
In order to validate the voucher, a device MUST verify that the voucher was signed by the private key associated with a trusted certificate known to the device in its factory default state, as described in Section 8.1, and the device MUST verify that the voucher's expression for the devices that it applies to includes the device's unique identifier (e.g., serial number) and, for devices that insist on verifying voucher revocation status, the device MUST verify that the voucher has neither expired nor been revoked.
The ownership voucher artifact, including its encoding, is formally defined in [draft-kwatsen-netconf-voucher].
The owner certificate artifact is a certificate that is used to identify an 'owner' (e.g., an organization), as known to a trusted certificate authority. The owner certificate is signed by the trusted certificate authority.
The owner certificate is used by a device to verify the signature artifact (Section 4.2) that the device SHOULD have also received, as described in Section 5. In particular, the device verifies signature using the public key in the owner certificate over the information type artifact (Section 4.1).
In order to validate the owner certificate, a device MUST verify that the owner certificate's certificate chain includes the certificate specified by the ownership voucher (Section 4.3) that the device SHOULD have also received, as described in Section 5, and the device MUST verify that owner certificate contains an identifier matching the one specified in the voucher and, for devices that insist on verifying certificate revocation status, the device MUST verify that the certificate has neither expired nor been revoked.
The owner certificate artifact is formally an unsigned PKCS #7 SignedData structure as specified by RFC 2315 [RFC2315], Section 9.1, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
The owner certificate artifact contains, in order, the owner certificate itself and all intermediate certificates leading up to a trust anchor certificate. The owner certificate MAY optionally include the trust anchor certificate.
The voucher revocation artifact is used to verify the revocation status of vouchers. Voucher revocations are signed by the manufacturer or delegate (i.e. the issuer of the voucher).
Voucher revocations are generally needed when it is critical for devices to know that assurances implied at the time the voucher was signed are still valid at the time the voucher is being processed.
The need for devices to insist on verifying voucher revocation status is a decision for each manufacturer. If voucher revocation status verification is not asserted, then the ownership vouchers are essentially forever, which may be acceptable for various kinds of devices. If revocations are supported, then it becomes possible to support various scenarios such as handling a key compromise or change in ownership.
If voucher revocations are supported, devices MAY dynamically obtain the voucher revocation artifact (or equivalents) from an Internet based resource. If the access to the Internet based resource is sufficiently reliable, then there may not be a need for the voucher revocation artifact to be supplied by any other means (e.g., Section 6). However, since the access may not be sufficiently reliable, support for this artifact is defined herein.
The voucher revocation artifact is used by a device to verify the ownership voucher (Section 4.3) that the device SHOULD have also received, as described in Section 5. In particular, the device verifies that the voucher revocation explicitly states either that the given voucher is valid or that it is not invalid.
In order to validate a voucher revocation artifact, a device MUST verify that it was signed by a private key associated with a trusted certificate known to the device in its factory default state, as described in Section 8.1, and the device MUST verify that the voucher revocation hasn't expired, and the device SHOULD verify that the revocation is sufficiently fresh, per local policy.
The voucher revocation artifact, including its encoding, is formally defined in [draft-kwatsen-netconf-voucher].
The certificate revocation artifact is a list of CRLS used to verify the revocation status of owner certificates. Certificate revocations are signed by the certificate authority (or delegate) that issued the owner certificate.
Certificate revocations are generally needed when it is critical for devices to know that assurances implied at the time the certificate was signed are still valid at the time the certificate is being processed.
The need for devices to insist on verifying certificate revocation status is a decision for each manufacturer. If certificate revocation status verification is not asserted, then the owner certificates are essentially forever, which may be acceptable for various kinds of devices. If revocations are supported, then it becomes possible to support various scenarios such as handling a key compromise or expiration.
If certificate revocations are supported, devices MAY dynamically obtain the certificate revocation artifact from an Internet based resource (using a CRL distribution point or an OCSP responder). If the access to the Internet based resource is sufficiently reliable, then there may not be a need for the certificate revocation artifact to be supplied by any other means (e.g., Section 6). However, since the access may not be sufficiently reliable, support for this artifact is defined herein, so that the voucher revocation artifact can be distributed by any source of bootstrapping data.
The certificate revocation artifact is used by a device to verify the owner certificate (Section 4.4) that the device SHOULD have also received, as described in Section 5. In particular, the device verifies that the certificate revocation explicitly states either that the given certificate is valid or that it is not invalid.
In order to validate the CRLs contained with the certificate revocation artifact, a device MUST verify that the CRL was signed by a private key associated certificate's issuer (or delegate), and the device MUST verify that the CRL hasn't expired, and the device SHOULD verify that the revocation is sufficiently fresh, per local policy.
The certificate revocation artifact is formally an unsigned PKCS #7 SignedData structure as specified by RFC 2315 [RFC2315], Section 9.1, containing just CRLs (no content, signatures, or certificates), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
The certificate revocation artifact contains, in order, the CRL for the owner certificate itself and the CRLs for all intermediate certificates leading up to but not including a trust anchor certificate.
Section 4 lists all the possible bootstrapping artifacts, but only certain groupings of these artifacts make sense to return in the various bootstrapping situations described in this document. The remainder of this section identifies these groupings to further clarify how the artifacts are used.
The first grouping of artifacts is for unsigned information. That is, when the information type artifact (Section 4.1) has not been signed.
Unsigned information is useful for cases when transport level security can be used to convey trust (e.g., HTTPS), or when the information can be processed in a provisional manner (i.e. unsigned redirect information).
Conveying unsigned information entails communicating just one of the six artifacts listed in Section 4, namely the information type artifact.
List of artifacts included in this grouping: - information type
The second grouping of artifacts is for when the information type artifact (Section 4.1) has been signed, without any revocation information.
Signed information is needed when the information is obtained from an untrusted source of bootstrapping data (Section 6) and yet it is desired that the device be able to trust the information (i.e. no provisional processing).
Revocation information may not need to be provided because, for instance, the device only uses revocation information obtained dynamically from Internet based resources. Another possible reason may be because the device does not have a reliable clock, and therefore the manufacturer decides to never revoke information (e.g., ownership assignments are forever).
Conveying signed information without revocation information entails communicating four of the six artifacts listed in Section 4.
List of artifacts included in this grouping: - information type - signature - ownership voucher - owner certificate
The third grouping of artifacts is for when the information type artifact (Section 4.1) has been signed and also includes revocation information.
Signed information, as described above, is needed when the information is obtained from an untrusted source of bootstrapping data (Section 6) and yet it is desired that the device be able to trust the information (i.e. no provisional processing).
Revocation information may need to be provided because, for instance, the device insists on being able to verify revocations and the device is deployed on a private network and therefore unable to obtain the revocation information from Internet based resources.
Conveying signed information with revocation information entails communicating all six of the artifacts listed in Section 4.
List of artifacts included in this grouping: - information type - signature - ownership voucher - owner certificate - voucher revocations - certificate revocations
This section defines some sources for zero touch bootstrapping data that a device can access. The list of sources defined here is not meant to be exhaustive. It is left to future documents to define additional sources for obtaining zero touch bootstrapping data.
For each source defined in this section, details are given for how each of the six artifacts listed in Section 4 is provided.
A directly attached removable storage device (e.g., a USB flash drive) MAY be used as a source of zero touch bootstrapping data.
To use a removable storage device as a source of bootstrapping data, a device need only detect if the removable storage device is plugged in and mount its filesystem.
Use of a removable storage device is compelling, as it doesn't require any external infrastructure to work. It is also compelling that the raw boot image file can be located on the removable storage device, enabling a removable storage device to be a fully self-standing bootstrapping solution.
A removable storage device is an untrusted source of bootstrapping data. This means that the information stored on the removable storage device either MUST be signed, or it MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a removable storage device presents itself as a file-system, the bootstrapping artifacts need to be presented as files. The six artifacts defined in Section 4 are mapped to files below.
Artifact to File Mapping:
The format of the removable storage device's filesystem and the naming of the files are outside the scope of this document. However, in order to facilitate interoperability, it is RECOMMENDED devices support open and/or standards based filesystems. It is also RECOMMENDED that devices assume a filenaming convention that enables more than one instance of bootstrapping data to exist on a removable storage device. The filenaming convention SHOULD be unique to the manufacturer, in order to enable bootstrapping data from multiple manufacturers to exist on a removable storage device.
A DNS server MAY be used as a source of zero touch bootstrapping data.
Using a DNS server may be a compelling option for deployments having existing DNS infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
To use a DNS server as a source of bootstrapping data, a device MAY perform a multicast DNS [RFC6762] query searching for the service "_zerotouch._tcp.local.". Alternatively the device MAY perform DNS-SD [RFC6763] via normal DNS operation, using the domain returned to it from the DHCP server; for example, searching for the service "_zerotouch._tcp.example.com".
Unsigned DNS records (not using DNSSEC as described in [RFC6698]) are an untrusted source of bootstrapping data. This means that the information stored in the DNS records either MUST be signed, or it MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a DNS server presents resource records (Section 3.2.1 of [RFC1035]), the bootstrapping artifacts need to be presented as resource records. The six artifacts defined in Section 4 are mapped to resource records below.
Artifact to Resource Record Mapping:
TXT records have an upper size limit of 65535 bytes (Section 3.2.1 in RFC1035), since 'RDLENGTH' is a 16-bit field. Please see Section 3.1.3 in RFC4408 for how a TXT record can achieve this size. Due to this size limitation, some information type artifacts may not fit. In particular, the bootstrap information artifact could hit this upper bound, depending on the size of the included configuration and scripts.
When bootstrap information is provided, it is notable that the URL for the boot-image the device can download would have to point to another server (e.g., http://, ftp://, etc.), as DNS servers do not themselves distribute files.
A DHCP server MAY be used as a source of zero touch bootstrapping data.
To use a DHCP server as a source of bootstrapping data, a device need only send a DHCP lease request to a DHCP server. However, the device SHOULD pass the Vendor Class Identifier (option 60) field in its DHCP lease request, so the DHCP server can return bootstrap information shared by devices from the same vendor. However, if it is desired to return device-specific bootstrap information, then the device SHOULD also send the Client Identifier (option 61) field in its DHCP lease request, so the DHCP server can select the specific bootstrap information that has been staged for that one device.
Using a DHCP server may be a compelling option for deployments having existing DHCP infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
A DHCP server is an untrusted source of bootstrapping data. This means that the information returned by the DHCP server either MUST be signed, or it MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a DHCP server presents data as DHCP options , the bootstrapping artifacts need to be presented as DHCP options, specifically the ones specified in Section 11.1. The six artifacts defined in Section 4 are mapped to the DHCP options specified in Section 11.1 below.
Artifact to DHCP Option Field Mapping:
When bootstrap information is provided, it is notable that the URL for the boot-image the device can download would have to point to another server (e.g., http://, ftp://, etc.), as DHCP servers do not themselves distribute files.
A bootstrap server MAY be used as a source of zero touch bootstrapping data. A bootstrap server is defined as a RESTCONF ([draft-ietf-netconf-restconf]) server implementing the YANG module provided in Section 9.
Unlike any other source of bootstrap data described in this document, a bootstrap server is not only a source of data, but it can also receive data from devices using the YANG-defined "notification" action statement defined in the YANG module (Section 9.2). The data sent from devices both enables visibility into the bootstrapping process (e.g., warnings and errors) as well as provides potentially useful completion status information (e.g., the device's SSH host-keys).
To use a bootstrap server as a source of bootstrapping data, a device MUST use the RESTCONF protocol to access the YANG container node /device/, passing its own serial number in the URL as the key to the 'device' list.
Using a bootstrap server as a source of bootstrapping data is a compelling option as it uses transport-level security in lieu of signed data, which may be easier to deploy in some situations. Additionally, the bootstrap server is able to receive notifications from devices, which may be critical to some deployments (e.g., the passing of the device's SSH host keys).
A bootstrap server may be trusted or an untrusted source of bootstrapping data, depending on how the device learned about the bootstrap server's trust anchor from a trusted source. When a bootstrap server is trusted, the information returned from it MAY be signed. However, when the server is untrusted, in order for its information to be of any use to the device, the information MUST either be signed or be information that can be processed provisionally (e.g., unsigned redirect information).
When a device is able to trust a bootstrap server, it MUST send its IDevID certificate in the form of a TLS client certificate, and it MUST send notifications to the bootstrap server. When a device is not able to trust a bootstrap server, it MUST NOT send its IDevID certificate in the form of a TLS client certificate, and it MUST NOT send any notifications to the bootstrap server.
From an artifact perspective, since a bootstrap server presents data as a YANG-modeled data, the bootstrapping artifacts need to be mapped to nodes in the YANG module. The six artifacts defined in Section 4 are mapped to bootstrap server nodes defined in Section 9.2 below.
Artifact to Bootstrap Server Node Mapping:
While RESTCONF servers typically support a nested hierarchy of resources, zero touch bootstrap servers only need to support the paths /device and /device/notification. The processing instructions provided in Section 8.3 only uses these two URLs.
The zero touch solution presented in this document is conceptualized to be composed of the workflows described in this section. Implementations MAY vary in details. Each diagram is followed by a detailed description of the steps presented in the diagram, with further explanation on how implementations may vary.
The following diagram illustrates key interactions that may occur from when a prospective owner enrolls in a manufacturer's zero touch program to when the manufacturer ships devices for an order placed by the prospective owner.
+-----------+ +------------+ |Prospective| +---+ |Manufacturer| | Owner | |NMS| +------------+ +-----------+ +---+ | | | | | | | 1. initiate enrollment | | #<-----------------------------| | # | | # | | # IDevID trust anchor | | #-----------------------------># set IDevID trust anchor | # #--------------------------->| # | | # bootstrap server | | # account credentials | | #-----------------------------># set credentials | # #--------------------------->| # | | # | | # owner certificate | | #-----------------------------># set certificate | | #--------------------------->| | | | | | | | 2. place device order | | |<-----------------------------# model devices | | #--------------------------->| | | | | 3. ship devices and send | | | device identifiers and | | | ownership vouchers | | |-----------------------------># set device identifiers | | # and ownership vouchers | | #--------------------------->| | | |
Each numbered item below corresponds to a numbered item in the diagram above.
The following diagram illustrates how an owner might stage the network for bootstrapping devices.
+----------+ +------------+ |Deployment| |Manufacturer| +------+ +------+ | Specific | | Hosted | | Local| | Local| +---------+ +---+ |Bootstrap | | Bootstrap | | DNS | | DHCP | |Removable| |NMS| | Server | | Server | |Server| |Server| | Storage | +---+ +----------+ +------------+ +------+ +------+ +---------+ | | | | | | activate | | | | | | modeled | | | | | | 1. device | | | | | | ----------->| | | | | | | 2. (optional) | | | | | configure | | | | | bootstrap | | | | | server | | | | |------->| | | | | | | | | | | | 3. (optional) configure | | | | bootstrap server | | | | |--------------------->| | | | | | | | | | | | | | | | | 4. (optional) configure DNS server| | | |---------------------------------->| | | | | | | | | | | | | | | | 5. (optional) configure DHCP server | | |------------------------------------------->| | | | | | | | | | | | | | | 6. (optional) store bootstrapping artifacts on media | |----------------------------------------------------->| | | | | | | | | | | | |
Each numbered item below corresponds to a numbered item in the diagram above.
+----------+ +-----------+ |Deployment| | Source of | | Specific | +------+ | Bootstrap | |Bootstrap | +---+ |Device| | Data | | Server | |NMS| +------+ +-----------+ +----------+ +---+ | | | | | | | | | 1. if running a modified (not | | | | factory default) configuration, | | | | then exit. | | | | | | | | 2. for each source supported, check | | | |------------------------------------->| | | | | | | | 3. if bootstrap-information found, | | | | initialize self and, only if | | | | source is a bootstrap server, | | | | send notifications | | | |-------------------------------------># | | | # webhook | | | #----------------------->| | | | | 4. else if redirect-information found, for | | | each bootstrap server specified, check | | |-+-------------------------------------------------->| | | | | | | | if more redirect-information is found, recurse | | | | (not depicted), else if bootstrap-information | | | | found, initialize self and post notifications | | | +--------------------------------------------------># | | # webhook | | #-------->| | | 5. retry sources and/or wait for manual provisioning. |
The following diagram illustrates the sequence of activities that occur when a device powers on.
The interactions in the above diagram are described below.
If the device is ever able to complete the bootstrapping process successfully (i.e., no longer running its factory default configuration), it exits the bootstrapping logic without considering any additional sources of bootstrapping data.
Devices supporting the bootstrapping strategy described in this document MUST have the preconfigured factory default state and bootstrapping logic described in the following sections.
+------------------------------------------------------------------+ | <device> | | | | +----------------------------------------------------------+ | | | <read-only storage> | | | | | | | | 1. IDevID cert & associated intermediate certificate(s) | | | | 2. list of trusted Internet based bootstrap servers | | | | 3. list of trust anchor certs for bootstrap servers | | | | 4. trust anchor cert for ownership vouchers | | | +----------------------------------------------------------+ | | | | +----------------------+ | | | <secure storage> | | | | | | | | 5. private key | | | +----------------------+ | | | +------------------------------------------------------------------+
Each numbered item below corresponds to a numbered item in the diagram above.
A device claiming to support the bootstrapping strategy defined in this document MUST support the boot sequence described in this section.
Power On | v No 1. Running default config? --------> Boot normally | | Yes v 2. For each supported source of bootstrapping data, try to load bootstrapping data from the source | | v Yes 3. Able to bootstrap off any source? -----> Run with new configuration | | No v 4. Loop and/or wait for manual provisioning.
Each numbered item below corresponds to a numbered item in the diagram above.
This section describes a recursive algorithm that a device claiming to support the bootstrapping strategy defined in this document MUST use to authenticate bootstrapping data. A device enters this algorithm for each new source of bootstrapping data. The first time the device enters this algorithm, it MUST initialize a conceptual trust state variable, herein referred to as "trust-state", to FALSE. The ultimate goal of this algorithm is for the device to process bootstrap information (Section 3.2) while the trust-state variable is TRUE.
If the data source is a bootstrap server, and the device is able to authenticate the server using X.509 certificate path validation ([RFC6125], Section 6) to one of the device's preconfigured trust anchors, or to a trust anchor that it learned from a previous step, then the device MUST set trust-state to TRUE.
If trust-state is TRUE, when connecting to the bootstrap server, the device MUST use its IDevID certificate for client certificate based authentication and MUST POST progress notifications using the bootstrap server's "notification" action. Otherwise, if trust-state is FALSE, when connecting to the bootstrap server, the device MUST NOT use its IDevID certificate for a client certificate based authentication and MUST NOT POST progress notifications using the bootstrap server's "notification" action.
When accessing a bootstrap server, the device MUST only access its top-level resource, to obtain all the data staged for it in one GET request, so that it can determine if the data is signed or not, and thus act accordingly. If trust-state is TRUE, then the device MAY also accesses the bootstrap servers 'notification' resource for the device.
For any source of bootstrapping data (e.g., Section 6), if the data is signed and the device is able to validate the signed data using the algorithm described in Section 8.4, then the device MUST set trust-state to TRUE, else the device MUST set trust-state to FALSE. Note, this is worded to cover the special case when signed data is returned even from a trusted bootstrap server.
If the data is bootstrap information (not redirect information), and trust-state is FALSE, the device MUST exit the recursive algorithm, returning to the state machine described in Section 8.2. Otherwise, the device MUST attempt to process the bootstrap information as described in Section 8.6. In either case, success or failure, the device MUST exit the recursive algorithm, returning to the state machine described in Section 8.2, the only difference being in how it responds to the "Able to bootstrap off any source?" conditional described in that state machine.
If the data is redirect information, the device MUST process the redirect information as described in Section 8.5. This is the recursion step, it will cause to device to reenter this algorithm, but this time the data source will most definitely be a bootstrap server, as that is all redirect information is able to do.
Whenever a device is presented signed data from an untrusted source, it MUST validate the signed data as described in this section. If the signed data is provided by a trusted source, a redundant trust case, the device MAY skip verifying the signature.
Whenever there is signed data, the device MUST also be provided an ownership voucher and an owner certificate. Depending on circumstances, the device MAY also be provided certificate and voucher revocations. How all the needed artifacts are provided for each source of bootstrapping data is defined in Section 6.
The device MUST first authenticate the ownership voucher by validating the signature on it to one of its preconfigured trust anchors (see Section 8.1) and verify that the voucher contains the device's unique identifier (e.g., serial number). If the device insists on verifying revocation status, it MUST also verify that the voucher isn't expired or has been revoked. If the authentication of the voucher is successful, the device extracts the rightful owner's identity from the voucher for use in the next step.
Next the device MUST authenticate the owner certificate by performing X.509 certificate path validation on it, and by verifying that the certificate is both identified by the voucher and also has in its chain of trust the certificate identified by the voucher. If the device insists on verifying revocation status, it MUST also verify that none of the certificates in the chain of certificates have been revoked or expired. If the authentication of the certificate is successful, the device extracts the owner's public key from the certificate for use in the next step.
Finally the device MUST verify the signature over 'information type' artifact was generated by the private key matching the public key extracted from the owner certificate in the previous step.
When the device receives the signed data from a bootstrap server, the device MUST use text-level operations to extract the 'information-type' node from the parent 'device' node in the response in order to verify the signature. It is not important if the extracted text is a valid YANG encoding in order to verify the signature.
If any of these steps fail, then the device MUST mark the data as invalid and not perform any of the subsequent steps.
In order to process redirect information (Section 3.1), the device MUST follow the steps presented in this section.
Processing redirect information is straightforward. The device sequentially steps through the list of provided bootstrap servers until it can find one it can bootstrap off of.
If a hostname is provided, and the hostname's DNS resolution is to more than one IP address, the device MUST attempt to connect to all of the DNS resolved addresses at least once, before moving on to the next bootstrap server. If the device is able to obtain bootstrapping data from any of the DNS resolved addresses, it MUST immediately process that data, without attempting to connect to any of the other DNS resolved addresses.
If the redirect information is trusted (e.g., trust-state is TRUE), and the bootstrap server entry contains a trust anchor certificate, then the device MUST authenticate the bootstrap server using X.509 certificate path validation ([RFC6125], Section 6) to the specified trust anchor. If the device is unable to authenticate the bootstrap server to the specified trust anchor, the device MUST NOT attempt a provisional connection to the bootstrap server (i.e., by blindly accepting its server certificate).
If the redirect information is untrusted (e.g., trust-state is FALSE), the device MUST discard any trust anchors provided by the redirect information and establish a provisional connection to the bootstrap server (i.e., by blindly accepting its TLS server certificate).
In order to process bootstrap information (Section 3.2), the device MUST follow the steps presented in this section.
When processing bootstrap information, the device MUST first process the boot image information, then execute the pre-configuration script (if any), then commit the initial configuration, and then execute the script (if any), in that order. If the device encounters an error at any step, it MUST NOT proceed to the next step.
First the device MUST determine if the image it is running satisfies the specified boot image criteria (e.g., name or fingerprint match). If it does not, the device MUST download, verify, and install the specified boot image, and then reboot. To verify the boot image, the device MUST check that the boot image file matches the fingerprint (e.g., sha256) supplied by the bootstrapping information. Upon rebooting, the device MUST still be in its factory default state, causing the bootstrapping process to run again, which will eventually come to this very point, but this time the device's running image will satisfy the specified criteria, and thus the device will move to processing the next step.
Next, for devices that support executing scripts, if a pre-configuration script has been specified, the device MUST execute the script and check its exit status code to determine if had any warnings or errors. In the case of errors, the device MUST reset itself in such a way that force the reinstallation of its boot image, thereby wiping out any bad state the script might have left behind.
Next the device commits the provided initial configuration. Assuming no errors, the device moves to processing the next step.
Again, for devices that support executing scripts, if a post-configuration script has been specified, the device MUST execute the script and check its exit status code to determine if it had any warnings or errors. In the case of errors, the device MUST reset itself in such a way that force the reinstallation of its boot image, thereby wiping out any bad state the script might have left behind.
At this point, the device has completely processed the bootstrapping data and is ready to be managed. If the device obtained the bootstrap information from a trusted bootstrap server, the device MUST send the 'bootstrap-complete' notification now.
At this point the device is configured and no longer running its factory default configuration. Notably, if the bootstrap information configured the device it initiate a call home connection, the device would proceed to do so now.
This section defines a YANG ([RFC6020]) module that is used to define the RESTCONF ([draft-ietf-netconf-restconf]) API used by the bootstrap server defined in Section 6.4. Examples illustrating this API in use are provided in Appendix A.
The following tree diagram provides an overview for the bootstrap server RESTCONF API. The syntax used for this tree diagram is described in Section 1.4.
module: ietf-zerotouch-bootstrap-server +--ro device* [unique-id] +--ro unique-id string +--ro (information-type) | +--:(redirect-information) | | +--ro redirect-information | | +--ro bootstrap-server* [address] | | +--ro address inet:host | | +--ro port? inet:port-number | | +--ro trust-anchor? binary | +--:(bootstrap-information) | +--ro bootstrap-information | +--ro boot-image | | +--ro name string | | +--ro (hash-algorithm) | | | +--:(sha256) | | | +--ro sha256? string | | +--ro uri* inet:uri | +--ro configuration-handling? enumeration | +--ro pre-configuration-script? script | +--ro configuration? | +--ro post-configuration-script? script +--ro signature? binary +--ro ownership-voucher? binary +--ro owner-certificate? binary +--ro voucher-revocation? binary +--ro certificate-revocation? binary +---x notification +---w input +---w notification-type enumeration +---w message? string +---w ssh-host-keys | +---w ssh-host-key* | +---w format enumeration | +---w key-data string +---w trust-anchors +---w trust-anchor* +---w protocol* enumeration +---w certificate binary
In the above diagram, notice that all of the protocol accessible nodes are read-only, to assert that devices can only pull data from the bootstrap server.
Also notice that the module defines an action statement, which devices use to provide progress notifications to the bootstrap server.
The bootstrap server's device-facing API is normatively defined by the YANG module defined in this section.
Note: the module defined herein uses data types defined in [RFC2315], [RFC5280], [RFC6234], [RFC6991], and [draft-kwatsen-netconf-voucher].
<CODE BEGINS> file "ietf-zerotouch-bootstrap-server@2016-10-31.yang" module ietf-zerotouch-bootstrap-server { yang-version "1.1"; namespace "urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"; prefix "ztbs"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module defines an interface for bootstrap servers, as defined by RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based Management. Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision "2016-10-31" { description "Initial version"; reference "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based Management"; } list device { key unique-id; config false; description "A device's record entry. This is the only RESTCONF resource that a device will GET, as described in Section 8.2 in RFC XXXX. Getting just this top-level node provides a device with all the data it needs in a single request."; reference "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based Management"; leaf unique-id { type string; description "A unique identifier for the device (e.g., serial number). Each device accesses its bootstrapping record by its unique identifier."; } choice information-type { mandatory true; description "This choice statement ensures the response only contains redirect-information or bootstrap-information. Note that this is the only mandatory true node, as the other nodes are not needed when the device trusts the bootstrap server, in which case the data does not need to be signed."; container redirect-information { description "This is redirect information, as described in Section 3.1 in RFC XXXX. Its purpose is to redirect a device to another bootstrap server."; reference "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based Management"; list bootstrap-server { key address; description "A bootstrap server entry."; leaf address { type inet:host; mandatory true; description "The IP address or hostname of the bootstrap server the device should redirect to."; } leaf port { type inet:port-number; default 443; description "The port number the bootstrap server listens on."; } leaf trust-anchor { //should there be two fields like voucher? type binary; description "An X.509 v3 certificate structure as specified by RFC 5280, Section 4, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. A certificate that a device can use as a trust anchor to authenticate the bootstrap server it is being redirected to."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } } container bootstrap-information { description "This is bootstrap information, as described in Section 3.2 in RFC XXXX. Its purpose is to provide the device everything it needs to bootstrap itself."; reference "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based Management"; container boot-image { description "Specifies criteria for the boot image the device MUST be running."; leaf name { // maybe this should be a regex? type string; mandatory true; description "The name of a software image that the device MUST be running in order to process the remaining nodes."; } choice hash-algorithm { mandatory true; description "Identifies the hash algorithm used."; leaf sha256 { type string; description "The hex-encoded SHA-256 hash over the boot image file. This is used by the device to verify a downloaded boot image file."; reference "RFC 6234: US Secure Hash Algorithms."; } } leaf-list uri { type inet:uri; min-elements 1; description "An ordered list of URIs to where the boot-image file MAY be obtained. Deployments MUST know in which URI schemes (http, ftp, etc.) a device supports. If a secure scheme (e.g., https) is provided, a device MAY establish a provisional connection to the server, by blindly accepting the server's credentials (e.g., its TLS certificate)"; } } leaf configuration-handling { type enumeration { enum merge { description "Merge configuration into existing running configuration."; } enum replace { description "Replace existing running configuration with the passed configuration."; } } description "This enumeration indicates how the server should process the provided configuration. When not specified, the device MAY determine how to process the configuration using other means (e.g., vendor-specific metadata)."; } leaf pre-configuration-script { type script; description "A script that, when present, is executed before the configuration has been processed."; } anydata configuration { must "../configuration-handling"; description "Any configuration data model known to the device. It may contain manufacturer-specific and/or standards-based data models."; } leaf post-configuration-script { type script; description "A script that, when present, is executed after the configuration has been processed."; } } } leaf signature { type binary; must "../redirect-information or ../bootstrap-information" { description "An information type must be present whenever an signature is present."; } description "A PKCS#7 SignedData structure, as specified by Section 9.1 of RFC 2315, containing just the signature (no content, certificates, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This signature is generated by the device's owner using the private key associated with the owner certificate over the information-type node, exactly as it's presented to the device. The device MUST use text-level operations to extract the information-type node from the larger 'device' response in order to verify it. It is not important if the extracted text is itself a valid encoding (e.g., XML or JSON)."; reference "RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } leaf ownership-voucher { type binary; must "../signature" { description "A signature must be present whenever an ownership voucher is presented."; } must "../owner-certificate" { description "An owner certificate must be present whenever an ownership voucher is presented."; } description "A 'voucher' structure, per draft-kwatsen-netconf-voucher. The voucher needs to reference the device's unique identifier and also specify the owner certificate's identity and a CA certificate in the owner certificate's chain of trust."; reference "draft-kwatsen-netconf-voucher: Voucher and Voucher Revocation Profiles for Bootstrapping Protocols"; } leaf owner-certificate { type binary; must "../signature" { description "A signature must be present whenever an owner certificate is presented."; } must "../ownership-voucher" { description "An ownership voucher must be present whenever an owner certificate is presented."; } description "An unsigned PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains, in order, the owner certificate itself and all intermediate certificates leading up to a trust anchor certificate. The owner certificate MAY optionally include the trust anchor certificate."; reference "RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5. ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } leaf voucher-revocation { type binary; must "../ownership-voucher" { description "An ownership voucher must be present whenever a voucher revocation is presented."; } description "A 'voucher-revocation' structure, as defined in draft-kwatsen-netconf-voucher. The voucher revocation definitively states whether a voucher is valid or not."; reference "draft-kwatsen-netconf-voucher: Voucher and Voucher Revocation Profiles for Bootstrapping Protocols"; } leaf certificate-revocation { type binary; must "../owner-certificate" { description "An owner certificate must be present whenever an voucher revocation is presented."; } description "An unsigned PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just CRLs (no content, signatures, or certificates), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains, in order, the CRL for the owner certificate itself and the CRLs for all intermediate certificates leading up to but not including a trust anchor certificate."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } action notification { input { leaf notification-type { type enumeration { enum bootstrap-initiated { description "Indicates that the device has just accessed the bootstrap server. The 'message' field below MAY contain any additional information that the manufacturer thinks might be useful."; } enum validation-error { description "Indicates that the device had an issue validating the response from the bootstrap server. The 'message' field below SHOULD indicate the specific error. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum signature-validation-error { description "Indicates that the device had an issue validating the bootstrapping data. For instance, this could be due to the device expecting signed data, but only found unsigned data, or because the ownership voucher didn't include the device's unique identifier, or because the signature didn't match. The 'message' field below SHOULD indicate the specific error. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum image-mismatch { description "Indicates that the device has determined that its running image does not match the specified criteria. The 'message' field below SHOULD indicate both what image the device is currently running."; } enum image-download-error { description "Indicates that the device had an issue downloading the image, which could be for reasons such as a file server being unreachable to the downloaded file being the incorrect file (signature mismatch). The 'message' field about SHOULD indicate the specific error. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum pre-script-warning { description "Indicates that the device obtained a greater than zero exit status code from the script when it was executed. The 'message' field below SHOULD indicate both the resulting exit status code, as well as capture any stdout/stderr messages the script may have produced."; } enum pre-script-error { description "Indicates that the device obtained a less than zero exit status code from the script when it was executed. The 'message' field below SHOULD indicate both the resulting exit status code, as well as capture any stdout/stderr messages the script may have produced. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum config-warning { description "Indicates that the device obtained warning messages when it committed the initial configuration. The 'message' field below SHOULD indicate the warning messages that were generated."; } enum config-error { description "Indicates that the device obtained error messages when it committed the initial configuration. The 'message' field below SHOULD indicate the error messages that were generated. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum post-script-warning { description "Indicates that the device obtained a greater than zero exit status code from the script when it was executed. The 'message' field below SHOULD indicate both the resulting exit status code, as well as capture any stdout/stderr messages the script may have produced."; } enum post-script-error { description "Indicates that the device obtained a less than zero exit status code from the script when it was executed. The 'message' field below SHOULD indicate both the resulting exit status code, as well as capture any stdout/stderr messages the script may have produced. This message also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum bootstrap-complete { description "Indicates that the device successfully processed the all the bootstrapping data and that it is ready to be managed. The 'message' field below MAY contain any additional information that the manufacturer thinks might be useful. After sending this message, the device is not expected to access the bootstrap server again."; } enum informational { description "Indicates any additional information not captured by any of the other notification-type. The 'message' field below SHOULD contain any additional information that the manufacturer thinks might be useful."; } } mandatory true; description "The type of notification provided."; } leaf message { type string; description "An optional human-readable value."; } container ssh-host-keys { description "A list of SSH host keys an NMS may use to authenticate a NETCONF connection to the device with."; list ssh-host-key { when "../notification-type = 'bootstrap-complete'" { description "SSH host keys are only sent when the notification type is 'bootstrap-complete'."; } description "An SSH host-key"; leaf format { type enumeration { enum ssh-dss { description "ssh-dss"; } enum ssh-rsa { description "ssh-rsa"; } } mandatory true; description "The format of the SSH host key."; } leaf key-data { type string; mandatory true; description "The key data for the SSH host key"; } } } container trust-anchors { description "A list of trust anchor certificates an NMS may use to authenticate a NETCONF or RESTCONF connection to the device with."; list trust-anchor { when "../notification-type = 'bootstrap-complete'" { description "Trust anchors are only sent when the notification type is 'bootstrap-complete'."; } description "A list of trust anchor certificates an NMS may use to authenticate a NETCONF or RESTCONF connection to the device with."; leaf-list protocol { type enumeration { enum netconf-ssh { description "netconf-ssh"; } enum netconf-tls { description "netconf-tls"; } enum restconf-tls { description "restconf-tls"; } enum netconf-ch-ssh { description "netconf-ch-ssh"; } enum netconf-ch-tls { description "netconf-ch-tls"; } enum restconf-ch-tls { description "restconf-ch-tls"; } } min-elements 1; description "The protocols that this trust anchor secures."; } leaf certificate { type binary; mandatory true; description "An X.509 v3 certificate structure, as specified by Section 4 in RFC5280, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } } } } // end action } // end device typedef script { type binary; description "A device specific script that enables the execution of commands to perform actions not possible thru configuration alone. No attempt is made to standardize the contents, running context, or programming language of the script. The contents of the script are considered specific to the vendor, product line, and/or model of the device. If a script is erroneously provided to a device that does not support the execution of scripts, the device SHOULD send a 'script-warning' notification message, but otherwise continue processing the bootstrapping data as if the script had not been present. The script returns exit status code '0' on success and non-zero on error, with accompanying stderr/stdout for logging purposes. In the case of an error, the exit status code will specify what the device should do. If the exit status code is greater than zero, then the device should assume that the script had a soft error, which the script believes does not affect manageability. If the device obtained the bootstrap information from a bootstrap server, it SHOULD send a 'script-warning' notification message. If the exit status code is less than zero, the device should assume the script had a hard error, which the script believes will affect manageability. In this case, the device SHOULD send a 'script-error' notification message followed by a reset that will force a new boot-image install (wiping out anything the script may have done) and restart the entire bootstrapping process again."; } } <CODE ENDS>
Devices MUST ensure that all their trust anchor certificates, including those for connecting to bootstrap servers and verifying ownership vouchers, are protected from external modification.
It may be necessary to update these certificates over time (e.g., the manufacturer wants to delegate trust to a new CA). It is therefore expected that devices MAY update these trust anchors when needed through a verifiable process, such as a software upgrade using signed software images.
The solution in this document relies on TLS certificates, owner certificates, and ownership vouchers, all of which require an accurate clock in order to be processed correctly (e.g., to test validity dates and revocation status). Implementations MUST ensure devices have an accurate clock when shipped from manufacturing facilities, and take steps to prevent clock tampering.
If it is not possible to ensure clock accuracy, it is RECOMMENDED that implementations disable the aspects of the solution having clock sensitivity. In particular, such implementations should assume that TLS certificates, owner certificates, and ownership vouchers are not revokable, In real-world terms, this means that manufacturers SHOULD only issue a single ownership voucher for the lifetime of some devices.
It is important to note that implementations SHOULD NOT rely on NTP for time, as it is not a secure protocol.
This document allows a device to blindly authenticate a bootstrap server's TLS certificate. It does so to allow for cases where the redirect information may be obtained in an unsecured manner, which is desirable to support in some cases.
To compensate for this, this document requires that devices, when connected to an untrusted bootstrap server, do not send their IDevID certificate for client authentication, and they do not POST any progress notifications, and they assert that data downloaded from the server is signed.
Section 7.2.7.2 of the IEEE Std 802.1AR-2009 standard says that IDevID certificate should never expire (i.e. having the notAfter value 99991231235959Z). Given the long-lived nature of these certificates, it is paramount to use a strong key length (e.g., 512-bit ECC).
This draft suggests using the device's serial number as the unique identifier in its IDevID certificate. This is because serial numbers are ubiquitous and prominently contained in invoices and on labels affixed to devices and their packaging. That said, serial numbers many times encode revealing information, such as the device's model number, manufacture date, and/or sequence number. Knowledge of this information may provide an adversary with details needed to launch an attack.
For devices supporting more than one source for bootstrapping data, no particular sequencing order has to be observed for security reasons, as the solution for each source is considered equally secure. However, from a privacy perspective, it is RECOMMENDED that devices access local sources before accessing remote sources.
The following registrations are in accordance to RFC 2939 [RFC2939] for "BOOTP Manufacturer Extensions and DHCP Options" registry maintained at http://www.iana.org/assignments/bootp-dhcp-parameters.
Tag: XXX Name: Zero Touch Information Returns up to six zero touch bootstrapping artifacts. Code Len +-----+-----+----------+------------------+-----------+ | XXX | n | encoding | information-type | signature | +-----+-----+----------+------------------+-----------+ +-------------------+-------------------+-------------------------+ | owner-certificate | ownership-voucher | certificate-revocations | +-------------------+-------------------+-------------------------+ +---------------------+ | voucher-revocations | +---------------------+ Reference: RFC XXXX
Tag: YYY Name: Zero Touch Information Returns up to six zero touch bootstrapping artifacts. Code Len +-----+-----+----------+------------------+-----------+ | XXX | n | encoding | information-type | signature | +-----+-----+----------+------------------+-----------+ +-------------------+-------------------+-------------------------+ | owner-certificate | ownership-voucher | certificate-revocations | +-------------------+-------------------+-------------------------+ +---------------------+ | voucher-revocations | +---------------------+ Reference: RFC XXXX
This document registers one URI in the IETF XML registry [RFC3688]. Following the format in [RFC3688], the following registration is requested:
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace.
This document registers one YANG module in the YANG Module Names registry [RFC6020]. Following the format defined in [RFC6020], the the following registration is requested:
name: ietf-zerotouch-bootstrap-server namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server prefix: ztbs reference: RFC XXXX
Both this document and [draft-ietf-anima-bootstrapping-keyinfra] define bootstrapping mechanisms. The authors have collaborated on both solutions and believe that each solution has merit and, in fact, can work together. That is, it is possible for a device to support both solutions simultaneously.
The authors would like to thank for following for lively discussions on list and in the halls (ordered by last name): David Harrington, Michael Behringer, Dean Bogdanovic, Martin Bjorklund, Joe Clarke, Toerless Eckert, Stephen Farrell, Stephen Hanna, Wes Hardaker, Russ Mundy, Reinaldo Penno, Randy Presuhn, Max Pritikin, Michael Richardson, Phil Shafer, Juergen Schoenwaelder.
Special thanks goes to Steve Hanna, Russ Mundy, and Wes Hardaker for brainstorming the original I-D's solution during the IETF 87 meeting in Berlin.
[draft-ietf-anima-bootstrapping-keyinfra] | Pritikin, M., Behringer, M. and S. Bjarnason, "Bootstrapping Key Infrastructures", Internet-Draft draft-ietf-anima-bootstrapping-keyinfra-03, 2016. |
[draft-ietf-netconf-call-home] | Watsen, K., "NETCONF Call Home (work in progress)", Internet-Draft draft-ieft-netconf-restconf-10, December 2015. |
[draft-ietf-netconf-server-model] | Watsen, K., "NETCONF Server Model (work in progress)", Internet-Draft draft-ieft-netconf-server-model-09, March 2016. |
[RFC2939] | Droms, R., "Procedures and IANA Guidelines for Definition of New DHCP Options and Message Types", BCP 43, RFC 2939, DOI 10.17487/RFC2939, September 2000. |
[RFC3688] | Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004. |
[RFC6241] | Enns, R., Bjorklund, M., Schoenwaelder, J. and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011. |
[RFC6698] | Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012. |
[RFC7317] | Bierman, A. and M. Bjorklund, "A YANG Data Model for System Management", RFC 7317, DOI 10.17487/RFC7317, August 2014. |
This section presents some examples illustrating device interactions with a bootstrap server to access Redirect and Bootstrap information, both unsigned and signed, as well as to send a progress notification. These examples show the bootstrap information containing configuration from the YANG modules in [RFC7317] and [draft-ietf-netconf-server-model].
The following example illustrates a device using the API to fetch its bootstrapping data. In this example, the device receives unsigned redirect information. This example is representative of a response a trusted redirect server might return.
REQUEST ------- ['\' line wrapping added for formatting only] GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ device=123456 HTTP/1.1 HOST: example.com Accept: application/yang.data+xml RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <!-- '\' line wrapping added for formatting purposes only --> <device xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <unique-id>123456789</unique-id> <redirect-information> <bootstrap-server> <address>phs1.example.com</address> <port>8443</port> <trust-anchor> WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ RJSUJQFRStS0Cg== </trust-anchor> </bootstrap-server> <bootstrap-server> <address>phs2.example.com</address> <port>8443</port> <trust-anchor> WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ RJSUJQFRStS0Cg== </trust-anchor> </bootstrap-server> </redirect-information> </device>
The following example illustrates a device using the API to fetch its bootstrapping data. In this example, the device receives signed redirect information. This example is representative of a response that redirect server might return if concerned the device might not be able to authenticate its TLS certificate.
REQUEST ------- ['\' line wrapping added for formatting only] GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ device=123456 HTTP/1.1 HOST: example.com Accept: application/yang.data+xml RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <!-- '\' line wrapping added for formatting purposes only --> <device xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <unique-id>123456789</unique-id> <redirect-information> <bootstrap-server> <address>phs1.example.com</address> <port>8443</port> <trust-anchor> WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ RJSUJQFRStS0Cg== </trust-anchor> </bootstrap-server> <bootstrap-server> <address>phs2.example.com</address> <port>8443</port> <trust-anchor> WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ RJSUJQFRStS0Cg== </trust-anchor> </bootstrap-server> </redirect-information> <signature> RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= </signature> <ownership-voucher> ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAO </ownership-voucher> <owner-certificate> MIIExTCCA62gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx\ EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEZMBcGA1UE\ ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ ap1DgmS3IaYl/s4OOF8yzcYJprm8O7NyZp+Y9H1U/7Qfp97/KbqwCgkHSzOlnt0X\ KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ KmORbiKU2GTGZkaCgCjmrWpvrYWLoXv/sf2nPLyK6YjiWsslOJtRO+KzRbs2B18C\ AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAOBgNVHQ8BAf8EBAMCAgQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5q\ dW5pcGVyLm5ldD9jYT1KdW5pcGVyX1RydXN0X0FuY2hvcl9DQTANBgkqhkiG9w0B\ AQsFAAOCAQEAOuD7EBilqQcT3t2C4AXta1gGNNwdldLLw0jtk4BMiA9l//DZfskB\ 2AaJtiseLTXsMF6MQwDs1YKkiXKLu7gBZDlJ6NiDwy1UnXhi2BDG+MYXQrc6p76K\ z3bsVwZlaJQCdF5sbggc1MyrsOu9QirnRZkIv3R8ndJH5K792ztLquulAcMfnK1Y\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX7WJzEbT/G7MUfo\ Sb+U2PVsQTDWEzUjVnG7vNWYxirnAOZ0OXEWWYxHUJntx6DsbXYuX7D1PkkNr7ir\ 96DpOPtX7h8pxxGSDPBXIyvg02aFMphstQ== </owner-certificate> <voucher-revocation> QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= </voucher-revocation> <certificate-revocation> Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAO== </certificate-revocation> </device>
The following example illustrates a device using the API to fetch its bootstrapping data. In this example, the device receives unsigned bootstrapping information. This example is representative of a response a locally deployed bootstrap server might return.
REQUEST ------- ['\' line wrapping added for formatting only] GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ device=123456 HTTP/1.1 HOST: example.com Accept: application/yang.data+xml RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <!-- '\' line wrapping added for formatting purposes only --> <device xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <unique-id>123456789</unique-id> <bootstrap-information> <boot-image> <name> boot-image-v3.2R1.6.img </name> <md5> SomeMD5String </md5> <sha1> SomeSha1String </sha1> <uri> ftp://ftp.example.com/path/to/file </uri> </boot-image> <configuration-handling>merge</configuration-handling> <configuration> <!-- from ietf-system.yang --> <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"> <authentication> <user> <name>admin</name> <authorized-key> <name>admin's rsa ssh host-key</name> <algorithm>ssh-rsa</algorithm> <key-data>AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsR\ jCzfve2m6zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2Mw\ E1lG9YxLzeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVc\ WAw1lOr9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA\ vg7SLqQFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jW\ EIuA7LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf\ gakWVOZZgQ8929uWjCWlGlqn2mPibp2Go1</key-data> </authorized-key> </user> </authentication> </system> <!-- from ietf-netconf-server.yang --> <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> <call-home> <application> <name>config-mgr</name> <ssh> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <host-keys> <host-key>my-call-home-x509-key</host-key> </host-keys> </ssh> </application> </call-home> </netconf-server> </configuration> </bootstrap-information> </device>
The following example illustrates a device using the API to fetch its bootstrapping data. In this example, the device receives signed bootstrap information. This example is representative of a response that bootstrap server might return if concerned the device might not be able to authenticate its TLS certificate.
REQUEST ------- ['\' line wrapping added for formatting only] GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ device=123456 HTTP/1.1 HOST: example.com Accept: application/yang.data+xml RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <!-- '\' line wrapping added for formatting purposes only --> <device xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <unique-id>123456789</unique-id> <bootstrap-information> <boot-image> <name> boot-image-v3.2R1.6.img </name> <md5> SomeMD5String </md5> <sha1> SomeSha1String </sha1> <uri> /path/to/on/same/bootserver </uri> </boot-image> <configuration> <!-- from ietf-system.yang --> <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"> <authentication> <user> <name>admin</name> <authorized-key> <name>admin's rsa ssh host-key</name> <algorithm>ssh-rsa</algorithm> <key-data>AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsR\ jCzfve2m6zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2Mw\ E1lG9YxLzeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVc\ WAw1lOr9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA\ vg7SLqQFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jW\ EIuA7LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf\ gakWVOZZgQ8929uWjCWlGlqn2mPibp2Go1</key-data> </authorized-key> </user> </authentication> </system> <!-- from ietf-netconf-server.yang --> <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server"> <call-home> <application> <name>config-mgr</name> <ssh> <endpoints> <endpoint> <name>east-data-center</name> <address>11.22.33.44</address> </endpoint> <endpoint> <name>west-data-center</name> <address>55.66.77.88</address> </endpoint> </endpoints> <host-keys> <host-key>my-call-home-x509-key</host-key> </host-keys> </ssh> </application> </call-home> </netconf-server> </configuration> </bootstrap-information> <signature> RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= </signature> <ownership-voucher> ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAO </ownership-voucher> <owner-certificate> MIIExTCCA62gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx\ EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEZMBcGA1UE\ ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ ap1DgmS3IaYl/s4OOF8yzcYJprm8O7NyZp+Y9H1U/7Qfp97/KbqwCgkHSzOlnt0X\ KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ KmORbiKU2GTGZkaCgCjmrWpvrYWLoXv/sf2nPLyK6YjiWsslOJtRO+KzRbs2B18C\ AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAOBgNVHQ8BAf8EBAMCAgQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5q\ dW5pcGVyLm5ldD9jYT1KdW5pcGVyX1RydXN0X0FuY2hvcl9DQTANBgkqhkiG9w0B\ AQsFAAOCAQEAOuD7EBilqQcT3t2C4AXta1gGNNwdldLLw0jtk4BMiA9l//DZfskB\ 2AaJtiseLTXsMF6MQwDs1YKkiXKLu7gBZDlJ6NiDwy1UnXhi2BDG+MYXQrc6p76K\ z3bsVwZlaJQCdF5sbggc1MyrsOu9QirnRZkIv3R8ndJH5K792ztLquulAcMfnK1Y\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX7WJzEbT/G7MUfo\ Sb+U2PVsQTDWEzUjVnG7vNWYxirnAOZ0OXEWWYxHUJntx6DsbXYuX7D1PkkNr7ir\ 96DpOPtX7h8pxxGSDPBXIyvg02aFMphstQ== </owner-certificate> <voucher-revocation> QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= </voucher-revocation> <certificate-revocation> Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ MjAO== </certificate-revocation> </device>
The following example illustrates a device using the API to post a notification to a trusted bootstrap server. Illustrated below is the 'bootstrap-complete' message, but the device may send other notifications to the server while bootstrapping (e.g., to provide status updates).
The bootstrap server MUST NOT process a notification from a device without first authenticating the device. This is in contrast to when a device is fetching data from the server, a read-only operation, in which case device authentication is not strictly required (e.g., when sending signed information).
In this example, the device sends a notification indicating that it has completed bootstrapping off the data provided by the server. This example illustrates the device sending both its SSH host keys and TLS server certificate to the bootstrap server, which the bootstrap server may, for example, pass to an NMS, as discussed in Section 7.3.
Note that devices that are able to present an IDevID certificate [Std-802.1AR-2009], when establishing SSH or TLS connections, do not need to include its DevID certificate in the bootstrap-complete message. It is unnecessary to send the DevID certificate in this case because the IDevID certificate does not need to be pinned by an NMS in order to be trusted.
REQUEST ------- ['\' line wrapping added for formatting only] POST https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ device=123456/notification HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <!-- '\' line wrapping added for formatting purposes only --> <input xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <notification-type>bootstrap-complete</notification-type> <message>example message</message> <ssh-host-keys> <ssh-host-key> <format>ssh-rsa</format> <key-data> AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsRCjCzfve2m6\ zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2MwjE1lG9YxL\ zeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVcCWAw1lOr\ 9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA5vg7SLq\ QFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jWqEIuA7\ LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf6gakW\ VOZZgQ8929uWjCWlGlqn2mPibp2Go1 </key-data> </ssh-host-key> <ssh-host-key> <format>ssh-dsa</format> <key-data> zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2MwjE1lG9YxL\ zeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVcCWAw1lOr\ 9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA5vg7SLq\ AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsRCjCzfve2m6\ QFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jWqEIuA7\ LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf6gakW\ VOZZgQ8929uWjCWlGlqn2mPibp2Go1 </key-data> </ssh-host-key> </ssh-host-keys> <trust-anchors> <trust-anchor> <protocol>netconf-ssh</protocol> <protocol>netconf-tls</protocol> <protocol>restconf-tls</protocol> <protocol>netconf-ch-ssh</protocol> <protocol>netconf-ch-tls</protocol> <protocol>restconf-ch-tls</protocol> <certificate> WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ RJSUJQFRStS0Cg== </certificate> </trust-anchor> </trust-anchors> </input> RESPONSE -------- HTTP/1.1 204 No Content Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server
This section presents examples for how the 'information type' artifact (Section 4.1) can be encoded into a document that can be distributed outside the bootstrap server's RESETCONF API. The encoding for these artifacts is the same as if an HTTP GET request had been sent to the RESTCONF URL for the specific resource.
These examples show the bootstrap information containing configuration from the YANG modules in [RFC7317] and [draft-ietf-netconf-server-model].
Only examples for information type artifact are provided as the other five artifacts in Section 4 have their own encodings.
The following example illustrates how redirect information can be encoded into an artifact.
INSERT _TEXT_FROM_FILE(refs/ex-file-redirect-information.xml)
The following example illustrates how bootstrap information can be encoded into an artifact.
INSERT _TEXT_FROM_FILE(refs/ex-file-bootstrap-information.xml)