| NETCONF Working Group | K. Watsen |
| Internet-Draft | Juniper Networks |
| Intended status: Standards Track | M. Abrahamsson |
| Expires: April 20, 2018 | T-Systems |
| I. Farrer | |
| Deutsche Telekom AG | |
| October 17, 2017 |
Zero Touch Provisioning for NETCONF or RESTCONF based Management
draft-ietf-netconf-zerotouch-18
This draft presents a secure technique for establishing a NETCONF or RESTCONF connection between a newly deployed device, configured with just its preconfigured initial state (e.g., factory default settings), and its deployment specific network management system (NMS).
This draft contains many placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. Please note that no other RFC Editor instructions are specified anywhere else in this document.
Artwork in the IANA Considerations section contains placeholder values for DHCP options pending IANA assignment. Please apply the following replacements:
Artwork in this document contains shorthand references to drafts in progress. Please apply the following replacements:
Artwork in this document contains placeholder values for the date of publication of this draft. Please apply the following replacement:
Please update the following references to reflect their final RFC assignments:
The following one Appendix section is to be removed prior to publication:
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 20, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A fundamental business requirement for any network operator is to reduce costs where possible. For network operators, deploying devices to many locations can be a significant cost, as sending trained specialists to each site for installations is both cost prohibitive and does not scale.
This document defines a bootstrapping strategy enabling devices to securely obtain bootstrapping data with no installer action beyond physical placement and connecting network and power cables. The ultimate goal of this document is to enable a secure NETCONF [RFC6241] or RESTCONF [RFC8040] connection to a deployment specific network management system (NMS).
This document primarily regards physical devices, where the setting of the device's initial state, described in Section 5.1, occurs during the device's manufacturing process. However, the zerotouch solution may be extensible to virtual machines or other such logical constructs. Details for how this can be accomplished is left for future work.
Conceptual workflows for how zerotouch might be deployed are provided in Appendix A.
This document uses the following terms (sorted by name):
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
A simplified graphical representation of the data models is used in this document. The meaning of the symbols in these diagrams is as follows:
This document defines two types of information that devices access during the bootstrapping process. These information types are described in this section. Examples are provided in Section 6.2
Redirect information redirects a device to another bootstrap server. Redirect information encodes a list of bootstrap servers, each defined by its hostname or IP address, an optional port, and an optional trust anchor certificate.
Redirect information is YANG modeled data formally defined by the "redirect-information" container in the YANG module presented in Section 6.3. This container has the tree diagram shown below. Please see Section 1.4 for tree diagram notation.
+--:(redirect-information)
+--ro redirect-information
+--ro bootstrap-server* [address]
+--ro address inet:host
+--ro port? inet:port-number
+--ro trust-anchor? binary
Redirect information MAY be trusted or untrusted. The redirect information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's owner. In all other cases, the redirect information is untrusted.
Trusted redirect information is useful for enabling a device to establish a secure connection to a bootstrap server, which is possible when the redirect information includes the bootstrap server's trust anchor certificate. When a device is able to establish a secure connection to a bootstrap server, any data obtained is implicitly trusted, and thus does not need to be signed.
Untrusted redirect information is useful for directing a device to a bootstrap server where signed data has been staged for it to obtain. When the redirect information is untrusted, the device MUST discard any potentially included trust anchor certificates and SHOULD establish a provisional connection (by blindly accepting the TLS certificate) to any of the specified bootstrap servers. In this case, the device MUST NOT trust the bootstrap server, and data provided by the bootstrap server MUST be signed for it to be of any use to the device.
How devices process redirect information is formally described in Section 5.5.
Onboarding information provides all the data necessary for a device to bootstrap itself, in order to be considered ready to be managed (e.g., by an NMS). As defined in this document, this data includes information about a boot image the device must be running, an initial configuration the device must commit, and optional scripts that, if specified, the device must successfully execute.
Onboarding information is YANG modeled data formally defined by the "onboarding-information" container in the YANG module presented in Section 6.3. This container has the tree diagram shown below. Please see Section 1.4 for tree diagram notation.
+--:(onboarding-information)
+--ro onboarding-information
+--ro boot-image
| +--ro name string
| +--ro (hash-algorithm)
| | +--:(sha256)
| | +--ro sha256? string
| +--ro uri* inet:uri
+--ro configuration-handling enumeration
+--ro pre-configuration-script? script
+--ro configuration?
+--ro post-configuration-script? script
Onboarding information MUST be trusted for it to be of any use to a device. There is no option for a device to process untrusted onboarding information.
Onboarding information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's owner. In all other cases, the onboarding information is untrusted.
How devices process onboarding information is formally described in Section 5.6.
This document defines three artifacts that can be made available to devices while they are bootstrapping. Each source of bootstrapping information specifies a means for providing each of the artifacts defined in this section (see Section 4).
The zero touch information artifact encodes the essential bootstrapping data for the device. This artifact is used to encode the redirect information and onboarding information types discussed in Section 2.
The zero touch information artifact is a PKCS#7 SignedData structure, as specified by Section 9.1 of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690 [ITU.X690.1994]. The PKCS#7 structure MUST contain JSON-encoded content conforming to the YANG module specified in Section 6.3.
In order for the zero touch information artifact to be trusted when conveyed over an untrusted transport, the PKCS#7 structure MUST also contain a "signerInfo" structure, as described in Section 9.1 of [RFC2315], containing a signature generated over the content using the private key associated with the owner certificate (Section 3.2). In order to simplify the verification process, the PKCS#7 structure SHOULD also contain the signing X.509 certificate (i.e. the owner certificate).
The owner certificate artifact is an X.509 certificate [RFC5280] that is used to identify an "owner" (e.g., an organization). The owner certificate can be signed by any certificate authority (CA). The owner certificate MUST either have no Key Usage specified, or the Key Usage MUST at least set the "digitalSignature" bit. The values for the owner certificate's "subject" and/or "subjectAltName" are not constrained by this document.
The owner certificate is used by a device to verify the signature over the zero touch information artifact (Section 3.1) that the device should have also received, as described in Section 3.4. In particular, the device verifies the signature using the public key in the owner certificate over the content contained within the zero touch information artifact.
The owner certificate artifact is formally an unsigned PKCS #7 SignedData structure, as specified by Section 9.1 in [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690 [ITU.X690.1994].
The owner certificate PKCS#7 structure MUST contain the owner certificate itself, as well as all intermediate certificates leading up to the 'pinned-domain-cert' certificate specified in the ownership voucher. The owner certificate artifact MAY optionally include the 'pinned-domain-cert' as well.
Additionally, in order to support devices deployed on private networks, the owner certificate PKCS#7 structure MAY also contain suitably fresh CRLs [RFC5280] and/or OCSP Responses [RFC6960]. Having these revocation objects stapled to the owner certificate precludes the need for the device to have to download them dynamically using the CRL distribution point or an OCSP responder specified in the associated certificates.
The ownership voucher artifact is used to securely identify a device's owner, as it is known to the manufacturer. The ownership voucher is signed by the device's manufacturer.
The ownership voucher is used to verify the owner certificate (Section 3.2) that the device should have also received, as described in Section 3.4. In particular, the device verifies that the owner certificate has a chain of trust leading to the trusted certificate included in the ownership voucher ('pinned-domain-cert'), even if it is itself (e.g., self-signed certificate).
The ownership voucher artifact, including its encoding, is formally defined in [I-D.ietf-anima-voucher].
This section lists all the possible bootstrapping artifacts, but only certain groupings of these artifacts make sense to return in the various bootstrapping situations described in this document. These groupings are:
Zero Touch Ownership Owner
Grouping Information Voucher Certificate
-------------------- ------------- ------------ -----------
Unsigned Information Yes, no sig No No
Signed Information, Yes, with sig Yes, without Yes, without
without revocations revocations revocations
Signed Information, Yes, with sig Yes, with Yes, with
with revocations revocations revocations
The artifacts associated with these groupings are described below:
This section defines some sources for bootstrapping data that a device can access. The list of sources defined here is not meant to be exhaustive. It is left to future documents to define additional sources for obtaining bootstrapping data.
For each source of bootstrapping data defined in this section, details are given for how the three artifacts listed in Section 3 are provided.
A directly attached removable storage device (e.g., a USB flash drive) MAY be used as a source of zero touch bootstrapping data.
Use of a removable storage device is compelling, as it doesn't require any external infrastructure to work. It is notable that the raw boot image file can also be located on the removable storage device, enabling a removable storage device to be a fully self-standing bootstrapping solution.
To use a removable storage device as a source of bootstrapping data, a device need only detect if the removable storage device is plugged in and mount its filesystem.
A removable storage device is an untrusted source of bootstrapping data. This means that the information stored on the removable storage device MUST either be signed, or be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a removable storage device presents itself as a filesystem, the bootstrapping artifacts need to be presented as files. The three artifacts defined in Section 3 are mapped to files below.
Artifact to File Mapping:
The format of the removable storage device's filesystem and the naming of the files are outside the scope of this document. However, in order to facilitate interoperability, it is RECOMMENDED devices support open and/or standards based filesystems. It is also RECOMMENDED that devices assume a file naming convention that enables more than one instance of bootstrapping data to exist on a removable storage device. The file naming convention SHOULD be unique to the manufacturer, in order to enable bootstrapping data from multiple manufacturers to exist on a removable storage device.
A DNS server MAY be used as a source of zero touch bootstrapping data.
Using a DNS server may be a compelling option for deployments having existing DNS infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
To use a DNS server as a source of bootstrapping data, a device MAY perform a multicast DNS [RFC6762] query searching for the service "_zerotouch._tcp.local.". Alternatively the device MAY perform DNS-SD [RFC6763] via normal DNS operation, using the domain returned to it from the DHCP server; for example, searching for the service "_zerotouch._tcp.example.com".
Unsigned DNS records (e.g., not using DNSSEC as described in [RFC6698]) are an untrusted source of bootstrapping data. This means that the information stored in the DNS records either MUST be signed, or MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a DNS server presents resource records (Section 3.2.1 of [RFC1035]), the bootstrapping artifacts need to be presented as resource records. The three artifacts defined in Section 3 are mapped to resource records below.
Artifact to Resource Record Mapping:
TXT records have an upper size limit of 65535 bytes (Section 3.2.1 in RFC1035), since "RDLENGTH" is a 16-bit field. Please see Section 3.1.3 in RFC4408 for how a TXT record can achieve this size. Due to this size limitation, some zero touch information artifacts may not fit. In particular, onboarding information could hit this upper bound, depending on the size of the included configuration and scripts.
When onboarding information (not redirect information) is provided, the URL for the boot-image the device can download would have to point to another server (e.g., http://, ftp://, etc.), as DNS servers do not themselves distribute files.
A DHCP server MAY be used as a source of zero touch bootstrapping data.
Using a DHCP server may be a compelling option for deployments having existing DHCP infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
A DHCP server is an untrusted source of bootstrapping data. Thus the information stored on the DHCP server either MUST be signed, or it MUST be information that can be processed provisionally (e.g., unsigned redirect information).
However, unlike other sources of bootstrapping data described in this document, the DHCP protocol (especially DHCP for IPv4) is limited in the amount of data that can be conveyed, to the extent that signed data cannot be communicated. Thus only unsigned redirect information can be conveyed.
Since the redirect information is unsigned, it SHOULD NOT include the optional trust anchor certificate, as the device would have to discard it anyway. The DHCP options defined in Section 9 do not enable the certificate to be communicated.
From an artifact perspective, the three artifacts defined in Section 3 are mapped to the DHCP fields specified in Section 9 as follows:
A bootstrap server MAY be used as a source of zero touch bootstrapping data. A bootstrap server is defined as a RESTCONF [RFC8040] server implementing the YANG module provided in Section 7.
Using a bootstrap server as a source of bootstrapping data is a compelling option as it MAY use transport-level security, in lieu of signed data, which may be easier to deploy in some situations. Additionally, the bootstrap server is able to receive progress updates from devices, which may be critical to some deployments (e.g., the passing of the device's SSH host keys).
A bootstrap server may be a trusted or an untrusted source of bootstrapping data, depending on if the device learned about the bootstrap server's trust anchor from a trusted source. When a bootstrap server is trusted, the information returned from it MAY be signed. However, when the server is untrusted, in order for its information to be of any use to the device, the bootstrap information MUST either be signed or be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a bootstrap server presents data as a YANG-modeled data, the bootstrapping artifacts need to be mapped to the YANG module. The three artifacts defined in Section 3 are mapped to 'output' node of the 'get-bootstrapping-data' RPC defined in Section 7.3 below.
Artifact to Bootstrap Server Mapping:
Unlike any other source of bootstrapping data described in this document, a bootstrap server is not only a source of data, but it can also receive data from devices using the YANG-defined 'report-progress' RPC defined in the YANG module (Section 7.3). The 'report-progress' RPC enables visibility into the bootstrapping process (e.g., warnings and errors), and provides potentially useful completion status information (e.g., the device's SSH host-keys).
While RESTCONF servers typically support a nested hierarchy of resources, zero touch bootstrap servers only have the two RPCs 'get-bootstrapping-data' and 'report-progress'. These RPCs use the authenticated RESTCONF username to isolate the execution of the RPC from other devices.
Devices supporting the bootstrapping strategy described in this document MUST have the preconfigured state and bootstrapping logic described in the following sections.
+-------------------------------------------------------------+ | <device> | | | | +---------------------------------------------------------+ | | | <read/write storage> | | | | | | | | 1. flag to enable zerotouch bootstrapping set to "true" | | | +---------------------------------------------------------+ | | | | +---------------------------------------------------------+ | | | <read-only storage> | | | | | | | | 2. IDevID cert & associated intermediate certificate(s) | | | | 3. list of trusted well-known bootstrap servers | | | | 4. list of trust anchor certs for bootstrap servers | | | | 5. trust anchor cert for verifying ownership vouchers | | | +---------------------------------------------------------+ | | | | +----------------------+ | | | <secure storage> | | | | | | | | 6. private key | | | +----------------------+ | | | +-------------------------------------------------------------+
Each numbered item below corresponds to a numbered item in the diagram above.
A YANG module representing this data is provided in Section 8.
A device claiming to support the bootstrapping strategy defined in this document MUST support the boot sequence described in this section.
Power On
|
v No
1. Zerotouch bootstrapping configured ------> Boot normally
|
| Yes
v
2. For each supported source of bootstrapping data,
try to load bootstrapping data from the source
|
|
v Yes
3. Able to bootstrap from any source? -----> Run with new config
|
| No
v
4. Loop and/or wait for manual provisioning.
Each numbered item below corresponds to a numbered item in the diagram above.
This section describes a recursive algorithm that devices can use to, ultimately, obtain onboarding information. The algorithm is recursive because sources of bootstrapping data may return redirect information, which causes the algorithm to run again, for the newly discovered sources of bootstrapping information. An expression that captures all possible successful sequences of bootstrapping information is zero or more redirect information responses, followed by one onboarding information response.
Untrusted Source Trusted Source
Kind of Bootstrapping Data Can Provide? Can Provide?
Unsigned Redirect Info : Yes+ Yes
Signed Redirect Info : Yes Yes*
Unsigned Onboarding Info : No Yes
Signed Onboarding Info : Yes Yes*
The '+' above denotes that the source redirected to MUST
return signed data, or more unsigned redirect information.
The '*' above denotes that, while possible, it is generally
unnecessary for a trusted source to return signed data.
An important aspect of the algorithm is knowing when data needs to be signed or not. The following figure provides a summary of options:
The recursive algorithm uses a conceptual global-scoped variable called "trust-state". The trust-state variable is initialized to FALSE. The ultimate goal of this algorithm is for the device to process onboarding information (Section 2.2) while the trust-state variable is TRUE.
If the source of bootstrapping data (Section 4) is a bootstrap server (Section 4.4), and the device is able to authenticate the bootstrap server using X.509 certificate path validation ([RFC6125], Section 6) to one of the device's preconfigured trust anchors, or to a trust anchor that it learned from a previous step, then the device MUST set trust-state to TRUE.
For any source of bootstrapping data (e.g., Section 4), if the bootstrapping data returned is signed and the device is able to validate the signed data using the algorithm described in Section 5.4, then the device MUST set trust-state to TRUE, else the device MUST set trust-state to FALSE. Note, this is worded to cover the special case when signed data is returned even from a trusted bootstrap server.
If the bootstrapping data is onboarding information, and trust-state is FALSE, the device MUST exit the recursive algorithm (as this is not allowed, see the figure above), returning to the state machine described in Section 5.2. Otherwise, the device MUST attempt to process the onboarding information as described in Section 5.6. In either case, success or failure, the device MUST exit the recursive algorithm, returning to the state machine described in Section 5.2, the only difference being in how it responds to the "Able to bootstrap from any source?" conditional described in the figure in the section.
If the bootstrapping data is redirect information, the device MUST process the redirect information as described in Section 5.5. This is the recursion step, it will cause the device to reenter this algorithm, but this time the data source will definitely be a bootstrap server, as that is all redirect information is able to redirect a device to.
Whenever a device is presented signed data, it MUST validate the signed data as described in this section. This includes the case where the signed data is provided by a trusted source.
Whenever there is signed data, the device MUST also be provided an ownership voucher and an owner certificate. How all the needed artifacts are provided for each source of bootstrapping data is defined in Section 4.
The device MUST first authenticate the ownership voucher by validating its signature to one of its preconfigured trust anchors (see Section 5.1), which may entail using additional intermediate certificates attached to the ownership voucher. If the device has an accurate clock, it MUST ensure that the ownership voucher was created in the past (i.e., 'created-on' < now). If the 'expires-on' leaf is present, the device MUST verify that the ownership voucher has not yet expired (i.e., now < 'expires-on'), which requires an accurate clock. The device MUST verify that the ownership voucher's 'assertion' value is acceptable (e.g., some devices may only accept the assertion value 'verified'). The device MUST verify that the ownership voucher specifies the device's serial number in the 'serial-number' leaf. If the 'idevid-issuer' leaf is present, the device MUST verify that the value is set correctly. If the authentication of the ownership voucher is successful, the device extracts the 'pinned-domain-certificate' node, an X.509 certificate, that is needed to verify the owner certificate in the next step.
The device MUST next authenticate the owner certificate by performing X.509 certificate path verification to the trusted certificate extracted from the ownership voucher's 'pinned-domain-cert' node. This verification may entail using additional intermediate certificates attached to the owner certificate artifact. If the ownership voucher's 'domain-cert-revocation-checks' node's value is set to "true", the device MUST verify the revocation status of the certificate chain used to sign the owner certificate and, if the revocation status is not attainable or if it is determined that a certificate has been revoked, the device MUST not validate the owner certificate.
Finally the device MUST verify the signature over the information artifact was generated by the private key matching the public key from the owner certificate.
If any of these steps fail, then the device MUST invalidate the data and not perform any subsequent steps.
In order to process redirect information (Section 2.1), the device MUST follow the steps presented in this section.
Processing redirect information is straightforward. The device sequentially steps through the list of provided bootstrap servers until it can find one it can bootstrap from.
If a hostname is provided, and the hostname's DNS resolution is to more than one IP address, the device MUST attempt to connect to all of the DNS resolved addresses at least once, before moving on to the next bootstrap server. If the device is able to obtain bootstrapping data from any of the DNS resolved addresses, it MUST immediately process that data, without attempting to connect to any of the other DNS resolved addresses.
If the redirect information is trusted (e.g., trust-state is TRUE), and the bootstrap server entry contains a trust anchor certificate, then the device MUST authenticate the specified bootstrap server RESTCONF TLS server certificate using X.509 certificate path validation ([RFC6125], Section 6) to the specified trust anchor. If the device is unable to authenticate the bootstrap server to the specified trust anchor, the device MAY attempt a provisional connection to the bootstrap server (i.e., by blindly accepting its server certificate) and setting trust-state to FALSE.
If the redirect information is untrusted (e.g., trust-state is FALSE), the device MUST discard any trust anchors provided by the redirect information and establish a provisional connection to the bootstrap server (i.e., by blindly accepting its TLS server certificate).
In order to process onboarding information (Section 2.2), the device MUST follow the steps presented in this section.
When processing onboarding information, the device MUST first process the boot image information, then execute the pre-configuration script (if any), then commit the initial configuration, and then execute the post-configuration script (if any), in that order. If the device encounters an error at any step, it MUST NOT proceed to the next step. When the onboarding information was obtained from a trusted bootstrap server, the device SHOULD send progress reports throughout the bootstrapping process using the bootstrap server's 'report-progress' RPC.
First the device MUST determine if the image it is running satisfies the specified boot image criteria (e.g., name and/or fingerprint match). If it does not, the device MUST download (using the supplied URI), verify, and install the specified boot image, and then reboot. To verify the downloaded boot image, the device MUST check that the boot image file matches the fingerprint (e.g., sha256) supplied by the onboarding information. Upon rebooting, the bootstrapping process runs again, which will eventually come to this very point, but this time the device's running image will satisfy the specified criteria, and thus the device will move to processing the next step.
Next, for devices that support executing scripts, if a pre-configuration script has been specified, the device MUST execute the script and check its exit status code to determine if had any warnings or errors. In the case of errors, the device MUST reset itself in such a way that wipes out any bad state the script may have left behind.
Next the device commits the provided initial configuration. Assuming no errors, the device moves to processing the next step.
Again, for devices that support executing scripts, if a post-configuration script has been specified, the device MUST execute the script and check its exit status code to determine if it had any warnings or errors. In the case of errors, the device MUST reset itself in such a way that wipes out any bad state the script may have left behind.
At this point, the device has completely processed the bootstrapping data and is ready to be managed. If the device obtained the onboarding information from a trusted bootstrap server, the device MUST post the 'bootstrap-complete' progress report now, using the bootstrap server's 'report-progress' RPC.
At this point, the device is running its initial configuration. Notably, if NETCONF Call Home or RESTCONF Call Home [RFC8071] is configured, the device initiates trying to establish a call home connection at this time.
This section defines a YANG 1.1 [RFC7950] module that is used to define the data model for the zero touch information artifact described in Section 3.1. This data model uses the 'yang-data' extension statement defined in RFC 8040. Examples illustrating this data model are provided in Section 6.2.
The following tree diagram provides an overview of the data model for the zero touch information artifact. The syntax used for this tree diagram is described in Section 1.4.
module: ietf-zerotouch-information
yang-data zerotouch-information:
+---- (information-type)
+--:(redirect-information)
| +---- redirect-information
| +---- bootstrap-server* [address]
| +---- address inet:host
| +---- port? inet:port-number
| +---- trust-anchor? binary
+--:(onboarding-information)
+---- onboarding-information
+---- boot-image
| +---- os-name string
| +---- os-version string
| +---- uri* inet:uri
| +---- (hash-algorithm)?
| +--:(sha256)
| +---- sha256? yang:hex-string
+---- configuration-handling? enumeration
+---- pre-configuration-script? script
+---- configuration? <anydata>
+---- post-configuration-script? script
The following example illustrates how redirect information (Section 2.1) can be encoded using JSON, as is needed by the zero touch information artifact.
{
"ietf-zerotouch-information:redirect-information" : {
"bootstrap-server" : [
{
"address" : "phs1.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "phs2.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "phs3.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
}
]
}
}
The following example illustrates how onboarding information (Section 2.2) can be encoded using JSON, as is needed by the zero touch information artifact.
Note: the sample configuration used in the below example configures an administrator account with an SSH public key, configures keystore with an authentication certificate, configures NETCONF Call Home and, lastly, disables the zerotouch bootstrapping service. This is acheived through use of YANG modules "ietf-system" from [RFC7317], "ietf-keystore" from [I-D.ietf-netconf-keystore], "ietf-netconf-server" from [I-D.ietf-netconf-netconf-client-server] and "ietf-zerotouch-device" from this document.
[ note: '\' line wrapping for formatting only]
{
"ietf-zerotouch-information:onboarding-information" : {
"boot-image" : {
"os-name" : "VendorOS",
"os-version" : "17.2R1.6",
"uri" : [ "http://some/path/to/raw/file" ],
"sha256" : "ba:ec:cf:a5:67:82:b4:10:77:c6:67:a6:22:ab:7d:50:04\
:a7:8b:8f:0e:db:02:8b:f4:75:55:fb:c1:13:b2:33"
},
"configuration-handling" : "merge",
"configuration" : {
"ietf-system:system" : {
"authentication" : {
"user" : {
"name" : "admin",
"authorized-key" : {
"name" : "admin's rsa ssh host-key",
"algorithm" : "ssh-rsa",
"key-data" : "base64encodedvalue=="
}
}
}
},
"ietf-keystore:keystore" : {
"pinned-certificates" : {
"name" : "deployment-specific-ca-certs",
"description" : "Certs used to auth client connections.",
"pinned-certificate" : {
"name" : "ca.example.com",
"data" : "base64encodedvalue=="
}
},
"pinned-certificates" : {
"name" : "explicitly-trusted-client-certs",
"description" : "Certs for explicitly-trusted clients.",
"pinned-certificate" : {
"name" : "Fred Flintstone",
"data" : "base64encodedvalue=="
}
}
},
"ietf-netconf-server:netconf-server" : {
"call-home" : {
"netconf-client" : {
"name" : "config-mgr",
"endpoints" : {
"endpoint" : {
"name" : "east-data-center",
"ssh" : {
"address" : "east.config-mgr.example.com",
"host-keys" : {
"host-key" : {
"name" : "certificate",
"certificate" : "builtin-idevid-cert"
}
},
"client-cert-auth" : {
"trusted-ca-certs" :
"deployment-specific-ca-certs",
"trusted-client-certs" :
"explicitly-trusted-client-certs"
}
}
},
"endpoint" : {
"name" : "west-data-center",
"ssh" : {
"address" : "west.config-mgr.example.com",
"host-keys" : {
"host-key" : {
"name" : "certificate",
"certificate" : "builtin-idevid-cert"
}
},
"client-cert-auth" : {
"trusted-ca-certs" :
"deployment-specific-ca-certs",
"trusted-client-certs" :
"explicitly-trusted-client-certs"
}
}
}
},
"connection-type" : {
"periodic" : {
"idle-timeout" : 300,
"reconnect-timeout" : 60
}
},
"reconnect-strategy" : {
"start-with" : "last-connected",
"max-attempts" : 3
}
}
}
},
"ietf-device:zerotouch" : {
"enabled" : false
}
}
}
}
The zero touch information data model is defined by the YANG module presented in this section.
Note: the module defined herein uses data types defined in [RFC5280], [RFC6234], and [RFC6991], and an extension statement from [RFC8040], and an encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-information@2017-10-18.yang"
module ietf-zerotouch-information {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-zerotouch-information";
prefix zti;
import ietf-yang-types {
prefix yang;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-restconf {
prefix rc;
description
"This import statement is only present to access
the yang-data extension defined in RFC 8040.";
reference "RFC 8040: RESTCONF Protocol";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netconf
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines the data model for the Zero Touch Information
artifact defined by RFC XXXX: Zero Touch Provisioning for NETCONF
or RESTCONF based Management.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-18 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
rc:yang-data "zerotouch-information" {
choice information-type {
mandatory true;
description
"This choice statement ensures the response contains
redirect-information or onboarding-information.";
container redirect-information {
description
"Redirect information is described in Section 2.1 in
RFC XXXX. Its purpose is to redirect a device to
another bootstrap server.";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF
based Management";
list bootstrap-server {
key "address";
min-elements 1;
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
leaf trust-anchor {
type binary;
description
"An X.509 v3 certificate structure as specified by RFC
5280, Section 4, encoded using ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690. A
certificate that the device can use as the trust anchor
to authenticate the bootstrap server the device is
being redirected to. If not specified, the device may
establish a provisional connection to the bootstrap
server, as described in RFC XXXX.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).
RFC XXXX:
Zero Touch Provisioning for NETCONF or RESTCONF
based Management.";
}
}
}
container onboarding-information {
description
"Onboarding information is described in Section 2.2 in
RFC XXXX. Its purpose is to provide the device everything
it needs to bootstrap itself.";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF
based Management";
container boot-image {
description
"Specifies criteria for the boot image the device MUST
be running.";
leaf os-name {
type string;
mandatory true;
description
"The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. VendorOS).";
}
leaf os-version {
type string;
mandatory true;
description
"The version of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. 17.3R2.1).";
}
leaf-list uri {
type inet:uri;
must '../hash-algorithm' {
description
"A hash is needed in order to validate the downloaded
image.";
}
ordered-by user;
description
"An ordered list of URIs to where the boot-image file
MAY be obtained. Deployments MUST know in which URI
schemes (http, ftp, etc.) a device supports. If a
secure scheme (e.g., https) is provided, a device MAY
establish a provisional connection to the server, by
blindly accepting the server's credentials (e.g., its
TLS certificate)";
}
choice hash-algorithm {
must '../uri' {
description
"A uri is needed in order to downloaded an image to
validate.";
}
description
"Identifies the hash algorithm used.";
leaf sha256 {
type yang:hex-string;
description
"The hex-encoded SHA-256 hash over the boot image
file. This is used by the device to verify a
downloaded boot image file.";
reference "RFC 6234: US Secure Hash Algorithms.";
}
}
}
leaf configuration-handling {
type enumeration {
enum "merge" {
description
"Merge configuration into the running datastore.";
}
enum "replace" {
description
"Replace the existing running datastore with the
passed configuration.";
}
}
must '../configuration';
description
"This enumeration indicates how the server should process
the provided configuration.";
}
leaf pre-configuration-script {
type script;
description
"A script that, when present, is executed before the
configuration has been processed.";
}
anydata configuration {
must '../configuration-handling';
description
"Any configuration data model known to the device. It may
contain manufacturer-specific and/or standards-based data
models.";
}
leaf post-configuration-script {
type script;
description
"A script that, when present, is executed after the
configuration has been processed.";
}
}
}
}
typedef script {
type binary;
description
"A device specific script that enables the execution of
commands to perform actions not possible thru configuration
alone.
No attempt is made to standardize the contents, running
context, or programming language of the script, other than
that it can emit an exit status code and stderr/sdtout. The
contents of the script are considered specific to the vendor,
product line, and/or model of the device.
If a script is erroneously provided to a device that does not
support the execution of scripts, the device SHOULD send a
'script-warning' progress report, but otherwise continue
processing the bootstrapping data as if the script had not
been present.
The script returns exit status code '0' on success and non-zero
on error, with accompanying stderr/stdout for logging purposes.
In the case of an error, the exit status code will specify what
the device should do as follows.
If the exit status code is greater than zero, then the device
should assume that the script had a soft error, which the
script believes does not affect manageability. If the device
obtained the bootstrap information from a bootstrap server,
it SHOULD send a 'script-warning' progress report.
If the exit status code is less than zero, the device should
assume the script had a hard error, which the script believes
will affect manageability. In this case, the device SHOULD
send a 'script-error' progress report followed by a reset that
will wipe out anything the script may have done and restart
the entire bootstrapping process again.";
}
}
<CODE ENDS>
This section defines the API for bootstrap servers. The API is defined as the API produced by a RESTCONF [RFC8040] server that supports the YANG 1.1 [RFC7950] module defined in this section.
The following tree diagram provides an overview for the bootstrap server RESTCONF API. The syntax used for this tree diagram is described in Section 1.4.
module: ietf-zerotouch-bootstrap-server
rpcs:
+---x get-bootstrapping-data
| +---w input
| | +---w untrusted-connection? empty
| | +---w os-name? string
| | +---w os-version? string
| | +---w remote-id? string
| | +---w circuit-id? string
| | +---w nonce? string
| +--ro output
| +--ro bootstrapping-data
| +--ro zerotouch-information pkcs7
| +--ro owner-certificate? pkcs7
| +--ro ownership-voucher? pkcs7
+---x report-progress
+---w input
+---w progress-type enumeration
+---w message? string
+---w ssh-host-keys
| +---w ssh-host-key*
| +---w format enumeration
| +---w key-data string
+---w trust-anchors
+---w trust-anchor*
+---w certificate pkcs7
This section presents three examples illustrating the bootstrap server's API. Two examples are provided for the 'get-bootstrapping-data' RPC (once to an untrusted bootstrap server, and again to a trusted bootstrap server), and one example for the 'report-progress' RPC.
The following example illustrates a device using the API to fetch its bootstrapping data from a untrusted bootstrap server. In this example, the device sends the 'untrusted-connection' input parameter and receives signed data in the response.
REQUEST ------- ['\' line wrapping added for formatting only] POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\ strapping-data HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <input xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <untrusted-connection/> </input> RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <output xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <zerotouch-information>base64encodedvalue==</zerotouch-information> <owner-certificate>base64encodedvalue==</owner-certificate> <ownership-voucher>base64encodedvalue==</ownership-voucher> </output>
The following example illustrates a device using the API to fetch its bootstrapping data from a trusted bootstrap server. In this example, the device sends addition input parameters that the bootstrap server can use when formulating its response to the device.
REQUEST ------- ['\' line wrapping added for formatting only] POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\ strapping-data HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <input xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <os-name>VendorOS</os-name> <os-version>17.3R2.1</os-version> <remote-id>32</remote-id> <circuit-id>2</circuit-id> <nonce>base64encodedvalue==</nonce> </input> RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <output xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <zerotouch-information>base64encodedvalue==</zerotouch-information> </output>
The following example illustrates a device using the API to post a progress update to a bootstrap server. Illustrated below is the 'bootstrap-complete' message, but the device may send other progress reports to the server while bootstrapping. In this example, the device is sending both its SSH host keys and a TLS server certificate, which the bootstrap server may, for example, pass to an NMS, as discussed in Appendix A.3.
REQUEST
-------
['\' line wrapping added for formatting only]
POST /restconf/operations/ietf-zerotouch-bootstrap-server:report-\
progress HTTP/1.1
HOST: example.com
Content-Type: application/yang.data+xml
<input xmlns=
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server">
<progress-type>bootstrap-complete</progress-type>
<message>example message</message>
<ssh-host-keys>
<ssh-host-key>
<format>ssh-rsa</format>
<key-data>base64encodedvalue==</key-data>
</ssh-host-key>
<ssh-host-key>
<format>ssh-dss</format>
<key-data>base64encodedvalue==</key-data>
</ssh-host-key>
</ssh-host-keys>
<trust-anchors>
<trust-anchor>
<certificate>base64encodedvalue==</certificate>
</trust-anchor>
</trust-anchors>
</input>
RESPONSE
--------
HTTP/1.1 204 No Content
Date: Sat, 31 Oct 2015 17:02:40 GMT
Server: example-server
The bootstrap server's device-facing API is normatively defined by the YANG module defined in this section.
Note: the module defined herein uses data types defined in [RFC2315], [RFC5280], [RFC6960], and [I-D.ietf-anima-voucher], and uses an encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-bootstrap-server@2017-10-18.yang"
module ietf-zerotouch-bootstrap-server {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server";
prefix ztbs;
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines an interface for bootstrap servers, as
defined by RFC XXXX: Zero Touch Provisioning for NETCONF or
RESTCONF based Management.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-18 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
// typedefs
typedef pkcs7 {
type binary;
description
"A PKCS #7 SignedData structure, as specified by Section 9.1
in RFC 2315, encoded using ASN.1 distinguished encoding rules
(DER), as specified in ITU-T X.690.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// RPCs
rpc get-bootstrapping-data {
description
"This RPC enables a device, as identified by its RESTCONF
username, to obtain bootstrapping data that has been made
available for it.";
input {
leaf untrusted-connection {
type empty;
description
"This optional input parameter enables a device to
communicate to the bootstrap server that it is unable
to authenticate the bootstrap server's TLS certificate.
In such circumstances, the device likely did not send
any of the other input parameters. The bootstrap server
needs to return either unsigned redirect information or
signed data.";
}
leaf os-name {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server the name of its
operating system. This parameter may be useful if
the device, as identified by its IDevID certificate,
to run more than one type of operating system (e.g.,
on a white-box system.";
}
leaf os-version {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server the version of
its operating system. This parameter may be useful
to a server that wants to return a response optimized
for the device, negating, for instance, the need for
a potentially expensive boot-image update.";
}
leaf remote-id {
type string;
must "../circuit-id";
description
"This optional input parameter enables a device to
communicate to the bootstrap server the 'remote-id'
value it learned from a DHCP server via Option 82,
as described in Section 2.0 or RFC 3046.
This information, along with the circuit-id, enables
the bootstrap server to return a deployment-specific
response independent of the device's IDevID identity.";
reference
"RFC 3046: DHCP Relay Agent Information Option";
}
leaf circuit-id {
type string;
must "../remote-id";
description
"This optional input parameter enables a device to
communicate to the bootstrap server the 'circuit-id'
value it learned from a DHCP server via Option 82,
as described in Section 2.0 or RFC 3046.
This information, along with the remote-id, enables
the bootstrap server to return a deployment-specific
response independent of the device's IDevID identity.";
reference
"RFC 3046: DHCP Relay Agent Information Option";
}
leaf nonce {
type string;
description
"This optional input parameter enables a device to
communicate to the bootstrap server a nonce value.
This may be especially useful for devices lacking
an accurate clock, as then the bootstrap server can
then dynamically obtain from the manufacturer a
voucher with the nonce value in it, as described
in I-D.ietf-anima-voucher.";
reference
"RFC ZZZZ: Voucher Profile for Bootstrapping Protocols.";
}
}
output {
container bootstrapping-data {
description
"Top-level node for the bootstrapping data.";
leaf zerotouch-information {
type pkcs7;
mandatory true;
description
"A 'zerotouch-information' artifact, as described in
Section 4.1 of RFC XXXX. In order to be processed by a
device, when conveyed over an untrusted transport, the
PKCS#7 SignedData structure MUST contain a 'signerInfo'
structure, described in Section 9.1 of RFC 2315,
containing a signature generated using the private key
associated with the 'owner-certificate'.";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or
RESTCONF based Management.
RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5";
}
leaf owner-certificate {
type pkcs7;
must '../ownership-voucher' {
description
"An ownership voucher must be present whenever an owner
certificate is presented.";
}
description
"This PKCS#7 structure MUST contain the owner certificate
and all intermediate certificates leading up to, and
optionally including, the trust anchor certificate
specified in the ownership voucher. Additionally, if
needed by the device, this structure MAY also contain
suitably fresh CRL and/or OCSP Responses with which to
verify the revocation status of the certificates.
X.509 certificates and CRLs are described in RFC 5280.
OCSP Responses are described in RFC 6960.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
RFC 6960:
X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol - OCSP.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
leaf ownership-voucher {
type pkcs7;
must '../owner-certificate' {
description
"An owner certificate must be present whenever an
ownership voucher is presented.";
}
description
"A 'voucher' artifact, as described in Section 5 of
I-D.ietf-anima-voucher. The voucher informs the device
who its owner is. The voucher encodes the device's
serial number, so that the device can ensure the
voucher applies to it. The voucher is signed by the
device's manufacturer.";
reference
"I-D.ietf-anima-voucher:
Voucher and Voucher Revocation Profiles for
Bootstrapping Protocols";
}
}
}
}
rpc report-progress {
description
"This RPC enables a device, as identified by its RESTCONF
username, to report its bootstrapping progress to the
bootstrap server.";
input {
leaf progress-type {
type enumeration {
enum "bootstrap-initiated" {
description
"Indicates that the device just used the
'get-bootstrapping-data' RPC. The 'message' field
below MAY contain any additional information that
the manufacturer thinks might be useful.";
}
enum "parsing-warning" {
description
"Indicates that the device had a non-fatal error when
parsing the response from the bootstrap server. The
'message' field below SHOULD indicate the specific
warning that occurred.";
}
enum "parsing-error" {
description
"Indicates that the device encountered a fatal error
when parsing the response from the bootstrap server.
For instance, this could be due to malformed
encoding, the device expecting signed data when
only unsigned data is provided, because the
ownership voucher didn't include the device's
unique identifier, or because the signature didn't
match. The 'message' field below SHOULD indicate
the specific error. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "boot-image-warning" {
description
"Indicates that the device encountered a non-fatal
error condition when trying to install a boot-image.
A possible reason might include a need to reformat a
partition causing loss of data. The 'message' field
below SHOULD indicate any warning messages that were
generated.";
}
enum "boot-image-error" {
description
"Indicates that the device encountered an error when
trying to install a boot-image, which could be for
reasons such as a file server being unreachable,
file not found, signature mismatch, etc. The
'message' field SHOULD indicate the specific error
that occurred. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "pre-script-warning" {
description
"Indicates that the device obtained a greater than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced.";
}
enum "pre-script-error" {
description
"Indicates that the device obtained a less than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "config-warning" {
description
"Indicates that the device obtained warning messages
when it committed the initial configuration. The
'message' field below SHOULD indicate any warning
messages that were generated.";
}
enum "config-error" {
description
"Indicates that the device obtained error messages
when it committed the initial configuration. The
'message' field below SHOULD indicate the error
messages that were generated. This progress type
also indicates that the device has abandoned trying
to bootstrap off this bootstrap server.";
}
enum "post-script-warning" {
description
"Indicates that the device obtained a greater than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced.";
}
enum "post-script-error" {
description
"Indicates that the device obtained a less than
zero exit status code from the script when it was
executed. The 'message' field below SHOULD indicate
both the resulting exit status code, as well as
capture any stdout/stderr messages the script may
have produced. This progress type also indicates
that the device has abandoned trying to bootstrap
off this bootstrap server.";
}
enum "bootstrap-complete" {
description
"Indicates that the device successfully processed all
'onboarding-information' provided, and that it is ready
to be managed. The 'message' field below MAY contain
any additional information that the manufacturer thinks
might be useful. After sending this progress type,
the device is not expected to access the bootstrap
server again.";
}
enum "informational" {
description
"Indicates any additional information not captured
by any of the other progress types. For instance, a
message indicating that the device is about to
reboot after having installed a boot-image could
be provided. The 'message' field below SHOULD
contain information that the manufacturer thinks
might be useful.";
}
}
mandatory true;
description
"The type of progress report provided.";
}
leaf message {
type string;
description
"An optional arbitrary value.";
}
container ssh-host-keys {
when "../progress-type = 'bootstrap-complete'" {
description
"SSH host keys are only sent when the progress type
is 'bootstrap-complete'.";
}
description
"A list of trust anchor certificates an NMS may use to
authenticate subsequent SSH-based connections to this
device (e.g., netconf-ssh, netconf-ch-ssh).";
list ssh-host-key {
description
"An SSH host-key.";
leaf format {
type enumeration {
enum "ssh-dss" {
description
"ssh-dss";
}
enum "ssh-rsa" {
description
"ssh-rsa";
}
}
mandatory true;
description
"The format of the SSH host key.";
}
leaf key-data {
type string;
mandatory true;
description
"The key data for the SSH host key";
}
}
}
container trust-anchors {
when "../progress-type = 'bootstrap-complete'" {
description
"Trust anchors are only sent when the progress type
is 'bootstrap-complete'.";
}
description
"A list of trust anchor certificates an NMS may use to
authenticate subsequent certificate-based connections
to this device (e.g., restconf-tls, netconf-tls, or
even netconf-ssh with X.509 support from RFC 6187).";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication.";
list trust-anchor {
description
"A trust anchor.";
leaf certificate {
type pkcs7;
mandatory true;
description
"An X.509 v3 certificate structure, as specified
by Section 4 in RFC 5280, encoded using ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL)
Profile.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
}
}
}
}
<CODE ENDS>
This section defines a data model that devices can implement to enable the configuration of zerotouch bootstrapping and discovery of what parameters are used by its bootstrapping logic.
The following tree diagram provides an overview for the zerotouch device data model The syntax used for this tree diagram is described in Section 1.4.
module: ietf-zerotouch-device
+--rw zerotouch
+--rw enabled? boolean
+--ro devid-certificate? pkcs7
| {bootstrap-servers}?
+--ro bootstrap-servers {bootstrap-servers}?
| +--ro bootstrap-server* [address]
| +--ro address inet:host
| +--ro port? inet:port-number
+--ro bootstrap-server-ta-certificates?
| -> /ks:keystore/pinned-certificates/name
| {bootstrap-servers}?
+--ro voucher-ta-certificates?
-> /ks:keystore/pinned-certificates/name {signed-data}?
In the above diagram, notice that there is only one configurable node 'enabled'. The expectation is that this node would be set to 'true' in device's factory default configuration and that it would either be set to 'false' or deleted when the zerotouch bootstrapping is longer needed.
Following is an instance example for this data model.
[ note: '\' line wrapping for formatting only]
<zerotouch
xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-device">
<enabled>true</enabled>
<devid-certificate>base64encodedvalue==</devid-certificate>
<bootstrap-servers>
<bootstrap-server>
<address>phs1.example.com</address>
<port>8443</port>
</bootstrap-server>
<bootstrap-server>
<address>phs2.example.com</address>
<port>8443</port>
</bootstrap-server>
<bootstrap-server>
<address>phs3.example.com</address>
<port>8443</port>
</bootstrap-server>
</bootstrap-servers>
<bootstrap-server-ta-certificates>manufacturers-root-ca-certs</boo\
tstrap-server-ta-certificates>
<voucher-ta-certificates>manufacturers-root-ca-certs</voucher-ta-c\
ertificates>
</zerotouch>
The device model is normatively defined by the YANG module defined in this section.
Note: the module defined herein uses data types defined in [RFC2315] and [RFC6991], and uses an encoding defined in [ITU.X690.1994].
<CODE BEGINS> file "ietf-zerotouch-device@2017-10-18.yang"
module ietf-zerotouch-device {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-device";
prefix ztd;
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-keystore {
prefix ks;
reference 'RFC YYYY: YANG Data Model for a "Keystore" Mechanism';
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines a data model to enable zerotouch
bootstrapping and discover what parameters are used.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-18 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
// features
feature bootstrap-servers {
description
"The device supports bootstrapping off bootstrap servers.";
}
feature signed-data {
description
"The device supports bootstrapping off signed data.";
}
// typedefs
typedef pkcs7 {
type binary;
description
"A PKCS #7 SignedData structure, as specified by Section 9.1
in RFC 2315, encoded using ASN.1 distinguished encoding rules
(DER), as specified in ITU-T X.690.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// protocol accessible nodes
container zerotouch {
description
"Top-level container for zerotouch data model.";
leaf enabled {
type boolean;
default false;
description
"The 'enabled' leaf controls if zerotouch bootstrapping is
enabled or disabled. The default is 'false' so that, when
not enabled, which is most of the time, no configuration
needs to be returned.";
}
leaf devid-certificate {
if-feature bootstrap-servers;
type pkcs7;
config false;
description
"An unsigned PKCS #7 SignedData structure, as specified by
Section 9.1 in RFC 2315, encoded using ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.
This structure contains the IDevID certificate and all
intermediate certificates leading up to the manufacturer's
well-known trust anchor certificate. IDevID certificates
are described in IEEE 802.1AR-2009.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).
IEEE 802.1AR-2009:
IEEE Standard for Local and metropolitan area
networks - Secure Device Identity.";
}
container bootstrap-servers {
if-feature bootstrap-servers;
config false;
description
"Default list of bootstrap servers this device is
configured to reach out to when bootstrapping.";
list bootstrap-server {
key "address";
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
}
}
leaf bootstrap-server-ta-certificates {
if-feature bootstrap-servers;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate bootstrap
servers with.";
}
leaf voucher-ta-certificates {
if-feature signed-data;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate ownership
vouchers with.";
}
}
}
<CODE ENDS>
This section defines two DHCP options, one for DHCPv4 and one for DHCPv6. These two options are semantically the same, though syntactically different.
The DHCPv4 Zero Touch Option is used to provision the client with one or more URIs for bootstrap servers that can be contacted to attempt further configuration.
DHCPv4 Zero Touch Redirect Option
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| option-code (TBD) | option-length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
. .
. bootstrap-server-list (variable length) .
. .
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
o option-code: OPTION_V4_ZEROTOUCH_REDIRECT (TBD)
o option-length: The option length in octets
o bootstrap-server-list: A list of servers for the
client to attempt contacting, in order to obtain
further bootstrapping data, in the format shown
in [common-field-encoding].
DHCPv4 Client Behavior
Clients MAY request the OPTION_V4_ZEROTOUCH_REDIRECT by including its option code in the Parameter Request List (55) in DHCP request messages.
On receipt of a DHCPv4 Reply message which contains the OPTION_V4_ZEROTOUCH_REDIRECT, the client performs the following steps:
Any invalid URI entries received in the uri-data field are ignored by the client. If OPTION_V4_ZEROTOUCH_REDIRECT does not contain at least one valid URI entry in the uri-data field, then the client MUST discard the option.
DHCPv4 Server Behavior
The DHCPv4 server MAY include a single instance of Option OPTION_V4_ZEROTOUCH_REDIRECT in DHCP messages it sends. Servers MUST NOT send more than one instance of the OPTION_V4_ZEROTOUCH_REDIRECT option.
The DHCPv6 Zero Touch Option is used to provision the client with one or more URIs for bootstrap servers that can be contacted to attempt further configuration.
DHCPv6 Zero Touch Redirect Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| option-code (TBD) | option-length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. bootstrap-server-list (variable length) .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o option-code: OPTION_V6_ZEROTOUCH_REDIRECT (TBD)
o option-length: The option length in octets
o bootstrap-server-list: A list of servers for the client to
attempt contacting, in order to obtain further bootstrapping
data, in the format shown in [common-field-encoding].
DHCPv6 Client Behavior
Clients MAY request the OPTION_V6_ZEROTOUCH_REDIRECT option, as defined in [RFC3315], Sections 17.1.1, 18.1.1, 18.1.3, 18.1.4, 18.1.5, and 22.7. As a convenience to the reader, we mention here that the client includes requested option codes in the Option Request Option.
On receipt of a DHCPv6 reply message which contains the OPTION_V6_ZEROTOUCH_REDIRECT, the client performs the following steps:
Any invalid URI entries received in the uri-data field are ignored by the client. If OPTION_V6_ZEROTOUCH_REDIRECT does not contain at least one valid URI entry in the uri-data field, then the client MUST discard the option.
DHCPv6 Server Behavior
Sections 17.2.2 and 18.2 of [RFC3315] govern server operation in regard to option assignment. As a convenience to the reader, we mention here that the server will send a particular option code only if configured with specific values for that option code and if the client requested it.
Option OPTION_V6_ZEROTOUCH_REDIRECT is a singleton. Servers MUST NOT send more than one instance of the OPTION_V6_ZEROTOUCH_REDIRECT option.
Both of the DHCPv4 and DHCPv6 options defined in this section encode a list of bootstrap server URIs. The "URI" structure is an option that can contain multiple URIs (see [RFC7227], Section 5.7).
bootstrap-server-list:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
| uri-length | URI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
o uri-length: variable, in octets.
o URI: URI of zerotouch bootstrap server, using the HTTPS URI
scheme defined in Section 2.7.2 of RFC7230. URI MUST be in
form "https://<ip-address-or-hostname>[:<port>]".
Devices MUST ensure that all their trust anchor certificates, including those for connecting to bootstrap servers and verifying ownership vouchers, are protected from external modification.
It may be necessary to update these certificates over time (e.g., the manufacturer wants to delegate trust to a new CA). It is therefore expected that devices MAY update these trust anchors when needed through a verifiable process, such as a software upgrade using signed software images.
The solution in this document relies on TLS certificates, owner certificates, and ownership vouchers, all of which require an accurate clock in order to be processed correctly (e.g., to test validity dates and revocation status). Implementations SHOULD ensure devices have an accurate clock when shipped from manufacturing facilities, and take steps to prevent clock tampering.
If it is not possible to ensure clock accuracy, it is RECOMMENDED that implementations disable the aspects of the solution having clock sensitivity. In particular, such implementations should assume that TLS certificates, ownership vouchers, and owner certificates never expire and are not revokable. From an ownership voucher perspective, manufacturers SHOULD issue a single ownership voucher for the lifetime of such devices.
Implementations SHOULD NOT rely on NTP for time, as NTP is not a secure protocol.
This document allows a device to blindly authenticate a bootstrap server's TLS certificate. It does so to allow for cases where the redirect information may be obtained in an unsecured manner, which is desirable to support in some cases.
To compensate for this, this document requires that devices, when connected to an untrusted bootstrap server, assert that data downloaded from the server is signed.
Section 7.2.7.2 of the IEEE Std 802.1AR-2009 standard says that IDevID certificate should never expire (i.e. having the notAfter value 99991231235959Z). Given the long-lived nature of these certificates, it is paramount to use a strong key length (e.g., 512-bit ECC).
This document enables devices to establish provisional connections to bootstrap servers, in order for the bootstrap server to provide either unsigned redirect information or signed data to the device. However, since the server is untrusted, it may be under the control of an adversary, and therefore devices should be cautious about the data they send in such cases.
Already this document requires devices send their IDevID certificate to untrusted bootstrap servers, which means that the device's serial number and hardware manufacturer may be disclosed to an adversary. Serial numbers are ubiquitous and prominently contained in invoices and on labels affixed to devices and their packaging. That said, serial numbers many times encode revealing information, such as the device's model number, manufacture date, and/or manufacturing sequence number. Knowledge of this information may provide an adversary with details needed to launch an attack.
In addition to the IDevID certificate, there are other potentially identifying values that may be disclosed to an untrusted server, including 'os-name', 'os-version', 'remote-id', 'circuit-id', and progress reports. In order to address this issue, it is RECOMMENDED that implementations first promote the untrusted connection to a trusted connection, as described in Appendix B.
For devices supporting more than one source for bootstrapping data, no particular sequencing order has to be observed for security reasons, as the solution for each source is considered equally secure. However, from a privacy perspective, it is RECOMMENDED that devices access local sources before accessing remote sources.
The ietf-zerotouch-information module defined in this document defines a data structure that is always wrapped by a PKCS#7 structure. When accessed by a secure mechanism (e.g., protected by TLS), then the PKCS#7 structure may be unsigned. However, when accessed by an insecure mechanism (e.g., removable storage device), then the PKCS#7 structure must be signed, in order for the device to trust it.
Implementations should be aware that signed bootstrapping data only protects the data from modification, the contents are still visible to others. This doesn't affect Security so much as Privacy. That the contents may be read by unintended parties when accessed by insecure mechanisms is considered next.
The ietf-zerotouch-information module defines a top-level 'choice' statement that declares the contents are either "redirect-information" or "onboarding-information". Each of these two cases are now considered.
When the contents of the PKCS#7 structure are redirect-information, an observer can learn about the bootstrap servers the device is being directed, their IP addresses or hostnames, ports, and trust anchor certificates. Knowledge of this information could provide an observer some insight into a network's inner structure.
When the contents of the PKCS#7 structure are onboarding-information, as observer could learn considerable information about how the device is to be provisioned. This information includes the specific operating system version, the initial configuration, and the specific scripts that the device is to run. All of this information should be considered highly sensitive and precautions should be taken to protect it from falling into the wrong hands.
The ietf-zerotouch-bootstrap-server module defined in this document is specifies an API for a RESTCONF [RFC8040]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF Access Control Model (NACM) [RFC6536] provides the means to restrict access for particular users to a preconfigured subset of all available protocol operations and content.
This module presents no data nodes (only RPCs). There is no need to discuss the sensitivity of data nodes.
This module defines two RPC operations that may be considered sensitive in some network environments. These are the operations and their sensitivity/vulnerability:
The ietf-zerotouch-device module defined in this document is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.
There is a data node defined in this YANG module that is writable/creatable/deletable (i.e., config true, which is the default). This data node may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to this data node without proper protection can have a negative effect on network operations. This is the data node and its sensitivity/vulnerability:
TBD for OPTION_V4_ZEROTOUCH_REDIRECT
IANA is kindly requested to allocate a new option code from the "BOOTP Manufacturer Extensions and DHCP Options" registry maintained at http://www.iana.org/assignments/bootp-dhcp-parameters:
TBD for OPTION_V6_ZEROTOUCH_REDIRECT
And a new option code from the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry maintained at http://www.iana.org/assignments/dhcpv6-parameters:
This document registers three URIs in the IETF XML registry [RFC3688]. Following the format in [RFC3688], the following registrations are requested:
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-device Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace.
This document registers three YANG modules in the YANG Module Names registry [RFC6020]. Following the format defined in [RFC6020], the the following registrations are requested:
name: ietf-zerotouch-information
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information
prefix: zti
reference: RFC XXXX
name: ietf-zerotouch-bootstrap-server
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-\
server (note: '\' used for formatting reasons only)
prefix: ztbs
reference: RFC XXXX
name: ietf-zerotouch-device
namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-device
prefix: ztd
reference: RFC XXXX
The authors would like to thank for following for lively discussions on list and in the halls (ordered by last name): David Harrington, Michael Behringer, Dean Bogdanovic, Martin Bjorklund, Joe Clarke, Toerless Eckert, Stephen Farrell, Stephen Hanna, Wes Hardaker, Radek Krejci, Russ Mundy, Reinaldo Penno, Randy Presuhn, Max Pritikin, Michael Richardson, Phil Shafer, Juergen Schoenwaelder.
Special thanks goes to Steve Hanna, Russ Mundy, and Wes Hardaker for brainstorming the original I-D's solution during the IETF 87 meeting in Berlin.
| [I-D.ietf-netconf-keystore] | Watsen, K., "Keystore Model", Internet-Draft draft-ietf-netconf-keystore-02, June 2017. |
| [I-D.ietf-netconf-netconf-client-server] | Watsen, K., Wu, G. and J. Schoenwaelder, "NETCONF Client and Server Models", Internet-Draft draft-ietf-netconf-netconf-client-server-04, July 2017. |
| [RFC3688] | Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004. |
| [RFC5246] | Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008. |
| [RFC6241] | Enns, R., Bjorklund, M., Schoenwaelder, J. and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011. |
| [RFC6242] | Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011. |
| [RFC6536] | Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, DOI 10.17487/RFC6536, March 2012. |
| [RFC6698] | Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012. |
| [RFC6960] | Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S. and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 6960, DOI 10.17487/RFC6960, June 2013. |
| [RFC7317] | Bierman, A. and M. Bjorklund, "A YANG Data Model for System Management", RFC 7317, DOI 10.17487/RFC7317, August 2014. |
| [RFC8071] | Watsen, K., "NETCONF Call Home and RESTCONF Call Home", RFC 8071, DOI 10.17487/RFC8071, February 2017. |
The zero touch solution presented in this document is conceptualized to be composed of the non-normative workflows described in this section. Implementation details are expected to vary. Each diagram is followed by a detailed description of the steps presented in the diagram, with further explanation on how implementations may vary.
The following diagram illustrates key interactions that may occur from when a prospective owner enrolls in a manufacturer's zero touch program to when the manufacturer ships devices for an order placed by the prospective owner.
+-----------+
+------------+ |Prospective| +---+
|Manufacturer| | Owner | |NMS|
+------------+ +-----------+ +---+
| | |
| | |
| 1. initiate enrollment | |
#<-----------------------------| |
# | |
# | |
# IDevID trust anchor | |
#-----------------------------># set IDevID trust anchor |
# #--------------------------->|
# | |
# bootstrap server | |
# account credentials | |
#-----------------------------># set credentials |
| #--------------------------->|
| | |
| | |
| 2. set owner certificate trust anchor |
|<----------------------------------------------------------|
| | |
| | |
| 3. place device order | |
|<-----------------------------# model devices |
| #--------------------------->|
| | |
| 4. ship devices and send | |
| device identifiers and | |
| ownership vouchers | |
|-----------------------------># set device identifiers |
| # and ownership vouchers |
| #--------------------------->|
| | |
Each numbered item below corresponds to a numbered item in the diagram above.
The following diagram illustrates how an owner might stage the network for bootstrapping devices.
+----------+ +------------+
|Deployment| |Manufacturer| +------+ +------+
| Specific | | Hosted | | Local| | Local| +---------+
+---+ |Bootstrap | | Bootstrap | | DNS | | DHCP | |Removable|
|NMS| | Server | | Server | |Server| |Server| | Storage |
+---+ +----------+ +------------+ +------+ +------+ +---------+
| | | | | |
1. | | | | | |
activate | | | | | |
modeled | | | | | |
device | | | | | |
-------->| | | | | |
| 2. (optional) | | | |
| configure | | | |
| bootstrap | | | |
| server | | | |
|------->| | | | |
| | | | | |
| 3. (optional) configure | | |
| bootstrap server | | | |
|--------------------->| | | |
| | | | | |
| | | | | |
| 4. (optional) configure DNS server| | |
|---------------------------------->| | |
| | | | | |
| | | | | |
| 5. (optional) configure DHCP server | |
|------------------------------------------->| |
| | | | | |
| | | | | |
| 6. (optional) store bootstrapping artifacts on media |
|----------------------------------------------------->|
| | | | | |
| | | | | |
Each numbered item below corresponds to a numbered item in the diagram above.
+----------+
+-----------+ |Deployment|
| Source of | | Specific |
+------+ | Bootstrap | |Bootstrap | +---+
|Device| | Data | | Server | |NMS|
+------+ +-----------+ +----------+ +---+
| | | |
| | | |
| 1. if zerotouch bootstrap service | | |
| is not enabled, then exit. | | |
| | | |
| 2. for each source supported, check | | |
| for bootstrapping data. | | |
|------------------------------------->| | |
| | | |
| 3. if onboarding information found, | | |
| initialize self and, only if | | |
| source is a bootstrap server, | | |
| send progress updates. | | |
|-------------------------------------># | |
| # webhook | |
| #----------------------->|
| | |
| 4. else if redirect-information found, for each | |
| bootstrap server specified, check for data. | |
|-+-------------------------------------------------->| |
| | | |
| | if more redirect-information is found, recurse | |
| | (not depicted), else if onboarding-information | |
| | found, initialize self and post progress reports | |
| +--------------------------------------------------># |
| # webhook |
| #-------->|
|
| 5. retry sources and/or wait for manual provisioning.
|
The following diagram illustrates the sequence of activities that occur when a device powers on.
The interactions in the above diagram are described below.
If the device successfully completes the bootstrapping process, it exits the bootstrapping logic without considering any additional sources of bootstrapping data.
The following diagram illustrates a sequence of bootstrapping activities that promote an untrusted connection to a bootstrap server to a trusted connection to the same bootstrap server. This enables a device to limit the amount of information it might disclose to an adversary hosting an untrusted bootstrap server.
+----------+
|Deployment|
| Specific |
+------+ |Bootstrap |
|Device| | Server |
+------+ +----------+
| |
| 1. "HTTPS" Request ('untrusted-connection') |
|------------------------------------------------------->|
| 2. "HTTPS" Response (signed redirect information) |
|<-------------------------------------------------------|
| |
| |
| 3. HTTPS Request (os-name=xyz, os-version=123, etc.) |
|------------------------------------------------------->|
| 4. HTTPS Response (unsigned onboarding information |
|<-------------------------------------------------------|
| |
The interactions in the above diagram are described below.