NETCONF Working Group | K. Watsen |
Internet-Draft | Juniper Networks |
Intended status: Standards Track | M. Abrahamsson |
Expires: June 23, 2019 | T-Systems |
I. Farrer | |
Deutsche Telekom AG | |
December 20, 2018 |
Zero Touch Provisioning for Networking Devices
draft-ietf-netconf-zerotouch-26
This draft presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enables it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems.
This draft contains many placeholder values that need to be replaced with finalized values at the time of publication. This note summarizes all of the substitutions that are needed. No other RFC Editor instructions are specified elsewhere in this document.
Artwork in the IANA Considerations section contains placeholder values for DHCP options pending IANA assignment. Please apply the following replacements:
Artwork in this document contains shorthand references to drafts in progress. Please apply the following replacements:
Artwork in this document contains placeholder values for the date of publication of this draft. Please apply the following replacement:
The following one Appendix section is to be removed prior to publication:
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 23, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A fundamental business requirement for any network operator is to reduce costs where possible. For network operators, deploying devices to many locations can be a significant cost, as sending trained specialists to each site for installations is both cost prohibitive and does not scale.
This document defines Secure Zero Touch Provisioning (SZTP), a bootstrapping strategy enabling devices to securely obtain bootstrapping data with no installer action beyond physical placement and connecting network and power cables. As such, SZTP enables non-technical personnel to bring up devices in remote locations without the need for any operator input.
The SZTP solution includes updating the boot image, committing an initial configuration, and executing arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a devices may establish NETCONF [RFC8040] and/or RESTCONF [RFC6241] connections with deployment-specific network management systems.
This document primarily regards physical devices, where the setting of the device's initial state, described in Section 5.1, occurs during the device's manufacturing process. The SZTP solution may be extended to support virtual machines or other such logical constructs, but details for how this can be accomplished is left for future work.
Conceptual workflows for how SZTP might be deployed are provided in Appendix C.
This document uses the following terms (sorted by name):
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
Tree diagrams used in this document follow the notation defined in [RFC8340].
This document defines two types of zero touch information that devices can access during the bootstrapping process. These zero touch information types are described in this section. Examples are provided in Section 6.2
Redirect information redirects a device to another bootstrap server. Redirect information encodes a list of bootstrap servers, each specifying the bootstrap server's hostname (or IP address), an optional port, and an optional trust anchor certificate that the device can use to authenticate the bootstrap server with.
Redirect information is YANG modeled data formally defined by the "redirect-information" container in the YANG module presented in Section 6.3. This container has the tree diagram shown below.
+--:(redirect-information) +-- redirect-information +-- bootstrap-server* [address] +-- address inet:host +-- port? inet:port-number +-- trust-anchor? cms
Redirect information may be trusted or untrusted. The redirect information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's owner. In all other cases, the redirect information is untrusted.
Trusted redirect information is useful for enabling a device to establish a secure connection to a specified bootstrap server, which is possible when the redirect information includes the bootstrap server's trust anchor certificate.
Untrusted redirect information is useful for directing a device to a bootstrap server where signed data has been staged for it to obtain. Note that, when the redirect information is untrusted, devices discard any potentially included trust anchor certificates.
How devices process redirect information is described in Section 5.5.
Onboarding information provides data necessary for a device to bootstrap itself and establish secure connections with other systems. As defined in this document, onboarding information can specify details about the boot image a device must be running, specify an initial configuration the device must commit, and specify scripts that the device must successfully execute.
Onboarding information is YANG modeled data formally defined by the "onboarding-information" container in the YANG module presented in Section 6.3. This container has the tree diagram shown below.
+--:(onboarding-information) +-- onboarding-information +-- boot-image | +-- os-name? string | +-- os-version? string | +-- download-uri* inet:uri | +-- image-verification* [hash-algorithm] | +-- hash-algorithm identityref | +-- hash-value yang:hex-string +-- configuration-handling? enumeration +-- pre-configuration-script? script +-- configuration? binary +-- post-configuration-script? script
Onboarding information must be trusted for it to be of any use to a device. There is no option for a device to process untrusted onboarding information.
Onboarding information is trusted whenever it is obtained via a secure connection to a trusted bootstrap server, or whenever it is signed by the device's owner. In all other cases, the onboarding information is untrusted.
How devices process onboarding information is described in Section 5.6.
This document defines three artifacts that can be made available to devices while they are bootstrapping. Each source of bootstrapping data specifies how it provides the artifacts defined in this section (see Section 4).
The zero touch information artifact encodes the essential bootstrapping data for the device. This artifact is used to encode the redirect information and onboarding information types discussed in Section 2.
The zero touch information artifact is a CMS structure, as described in [RFC5652], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690 [ITU.X690.2015]. The CMS structure MUST contain content conforming to the YANG module specified in Section 6.3.
The zero touch information CMS structure may encode signed or unsigned bootstrapping data. When the bootstrapping data is signed, it may also be encrypted but, from a terminology perspective, it is still "signed data" Section 1.2.
When the zero touch information artifact is unsigned, as it might be when communicated over trusted channels, the CMS structure's top-most content type MUST be one of the OIDs described in Section 10.3 (i.e., id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON), or the OID id-data (1.2.840.113549.1.7.1). When the OID id-data is used, the encoding (JSON, XML, etc.) SHOULD be communicated externally. In either case, the associated content is an octet string containing "zerotouch-information" data in the expected encoding.
When the zero touch information artifact is signed, as it might be when communicated over untrusted channels, the CMS structure's top-most content type MUST be the OID id-signedData (1.2.840.113549.1.7.2). Furthermore, the inner eContentType MUST be one of the OIDs described in Section 10.3 (i.e., id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON), or the OID id-data (1.2.840.113549.1.7.1). When the OID id-data is used, the encoding (JSON, XML, etc.) SHOULD be communicated externally. In either case, the associated content or eContent is an octet string containing "zerotouch-information" data in the expected encoding.
When the zero touch information artifact is signed and encrypted, as it might be when communicated over untrusted channels and privacy is important, the CMS structure's top-most content type MUST be the OID id-envelopedData (1.2.840.113549.1.7.3). Furthermore, the encryptedContentInfo's content type MUST be the OID id-signedData (1.2.840.113549.1.7.2), whose eContentType MUST be one of the OIDs described in Section 10.3 (i.e., id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON), or the OID id-data (1.2.840.113549.1.7.1). When the OID id-data is used, the encoding (JSON, XML, etc.) SHOULD be communicated externally. In either case, the associated content or eContent is an octet string containing "zerotouch-information" data in the expected encoding.
The owner certificate artifact is an X.509 certificate [RFC5280] that is used to identify an "owner" (e.g., an organization). The owner certificate can be signed by any certificate authority (CA). The owner certificate either MUST have no Key Usage specified or the Key Usage MUST at least set the "digitalSignature" bit. The values for the owner certificate's "subject" and/or "subjectAltName" are not constrained by this document.
The owner certificate is used by a device to verify the signature over the zero touch information artifact (Section 3.1) that the device should have also received, as described in Section 3.5. In particular, the device verifies the signature using the public key in the owner certificate over the content contained within the zero touch information artifact.
The owner certificate artifact is formally a CMS structure, as specified by [RFC5652], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690 [ITU.X690.2015].
The owner certificate CMS structure MUST contain the owner certificate itself, as well as all intermediate certificates leading to the "pinned-domain-cert" certificate specified in the ownership voucher. The owner certificate artifact MAY optionally include the "pinned-domain-cert" as well.
In order to support devices deployed on private networks, the owner certificate CMS structure MAY also contain suitably fresh, as determined by local policy, revocation objects (e.g., CRLs). Having these revocation objects stapled to the owner certificate may obviate the need for the device to have to download them dynamically using the CRL distribution point or an OCSP responder specified in the associated certificates.
When unencrypted, the owner certificate artifact's CMS structure's top-most content type MUST be the OID id-signedData (1.2.840.113549.1.7.2). The inner SignedData structure is the degenerate form, whereby there are no signers, that is commonly used to disseminate certificates and revocation objects.
When encrypted, the owner certificate artifact's CMS structure's top-most content type MUST be the OID id-envelopedData (1.2.840.113549.1.7.3), and the encryptedContentInfo's content type MUST be the OID id-signedData (1.2.840.113549.1.7.2), whereby the inner SignedData structure is the degenerate form that has no signers commonly used to disseminate certificates and revocation objects.
The ownership voucher artifact is used to securely identify a device's owner, as it is known to the manufacturer. The ownership voucher is signed by the device's manufacturer.
The ownership voucher is used to verify the owner certificate (Section 3.2) that the device should have also received, as described in Section 3.5. In particular, the device verifies that the owner certificate has a chain of trust leading to the trusted certificate included in the ownership voucher ("pinned-domain-cert"). Note that this relationship holds even when the owner certificate is a self-signed certificate, and hence also the pinned-domain-cert.
When unencrypted, the ownership voucher artifact is as defined in [RFC8366]. As described, it is a CMS structure whose top-most content type MUST be the OID id-signedData (1.2.840.113549.1.7.2), whose eContentType MUST be OID id-ct-animaJSONVoucher (1.2.840.113549.1.9.16.1), or the OID id-data (1.2.840.113549.1.7.1). When the OID id-data is used, the encoding (JSON, XML, etc.) SHOULD be communicated externally. In either case, the associated content is an octet string containing ietf-voucher data in the expected encoding.
When encrypted, the ownership voucher artifact's CMS structure's top-most content type MUST be the OID id-envelopedData (1.2.840.113549.1.7.3), and the encryptedContentInfo's content type MUST be the OID id-signedData (1.2.840.113549.1.7.2), whose eContentType MUST be OID id-ct-animaJSONVoucher (1.2.840.113549.1.9.16.1), or the OID id-data (1.2.840.113549.1.7.1). When the OID id-data is used, the encoding (JSON, XML, etc.) SHOULD be communicated externally. In either case, the associated content is an octet string containing ietf-voucher data in the expected encoding.
Each of the three artifacts MAY be individually encrypted. Encryption may be important in some environments where the content is considered sensitive.
Each of the three artifacts are encrypted in the same way, by the unencrypted form being encapsulated inside a CMS EnvelopedData type.
As a consequence, both the zero touch information and ownership voucher artifacts are signed and then encrypted, never encrypted and then signed.
This sequencing has the advantage of shrouding the signer's certificate, and ensuring that the owner knows the content being signed. This sequencing further enables the owner to inspect an unencrypted voucher obtained from a manufacturer and then encrypt the voucher later themselves, perhaps while also stapling in current revocation objects, when ready to place the artifact in an unsafe location.
When encrypted, the CMS MUST be encrypted using a secure device identity certificate for the device. This certificate MAY be the same as the TLS-level client certificate the device uses when connecting to bootstrap servers. The owner must possess the device's identity certificate at the time of encrypting the data. How the owner comes to posses the device's identity certificate for this purpose is outside the scope of this document.
The previous sections discussed the bootstrapping artifacts, but only certain groupings of these artifacts make sense to return in the various bootstrapping situations described in this document. These groupings are:
+---------------------+---------------+--------------+--------------+ | Artifact | Zero Touch | Ownership | Owner | | Grouping | Information | Voucher | Certificate | +=====================+===============+==============+==============+ | Unsigned Data | Yes, no sig | No | No | +---------------------+---------------+--------------+--------------+ | Signed Data, | Yes, with sig | Yes, without | Yes, without | | without revocations | | revocations | revocations | +---------------------+---------------+--------------+--------------+ | Signed Data, | Yes, with sig | Yes, with | Yes, with | | with revocations | | revocations | revocations | +---------------------+---------------+--------------+--------------+
The presence of each artifact, and any distinguishing characteristics, are identified for each artifact grouping in the table below ("yes/no" regards if the artifact is present in the artifact grouping):
This section defines some sources for bootstrapping data that a device can access. The list of sources defined here is not meant to be exhaustive. It is left to future documents to define additional sources for obtaining bootstrapping data.
For each source of bootstrapping data defined in this section, details are given for how the three artifacts listed in Section 3 are provided.
A directly attached removable storage device (e.g., a USB flash drive) MAY be used as a source of zero touch bootstrapping data.
Use of a removable storage device is compelling, as it does not require any external infrastructure to work. It is notable that the raw boot image file can also be located on the removable storage device, enabling a removable storage device to be a fully self-standing bootstrapping solution.
To use a removable storage device as a source of bootstrapping data, a device need only detect if the removable storage device is plugged in and mount its filesystem.
A removable storage device is an untrusted source of bootstrapping data. This means that the information stored on the removable storage device either MUST be signed or MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a removable storage device presents itself as a filesystem, the bootstrapping artifacts need to be presented as files. The three artifacts defined in Section 3 are mapped to files below.
Artifact to File Mapping:
The format of the removable storage device's filesystem and the naming of the files are outside the scope of this document. However, in order to facilitate interoperability, it is RECOMMENDED devices support open and/or standards based filesystems. It is also RECOMMENDED that devices assume a file naming convention that enables more than one instance of bootstrapping data (i.e., for different devices) to exist on a removable storage device. The file naming convention SHOULD additionally be unique to the manufacturer, in order to enable bootstrapping data from multiple manufacturers to exist on a removable storage device.
A DNS server MAY be used as a source of zero touch bootstrapping data.
Using a DNS server may be a compelling option for deployments having existing DNS infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
DNS is an untrusted source of bootstrapping data. Even if DNSSEC [RFC6698] is used to authenticate the various DNS resource records (e.g., A, AAAA, CERT, TXT, and TLSA), the device cannot be sure that the domain returned to it from e.g., a DHCP server, belongs to its rightful owner. This means that the information stored in the DNS records either MUST be signed (per this document, not DNSSEC), or MUST be information that can be processed provisionally (e.g., unsigned redirect information).
Devices claiming to support DNS as a source of bootstrapping data MUST first query for device-specific DNS records using DNS-SD [RFC6763] and, only if doing so does not result in a successful bootstrap, then query for device-independent records using traditional service discovery [RFC2782]. Furthermore, when issuing the device-specific and device-independent queries, devices MUST first query using multicast DNS [RFC6762] and, only if doing so does not result in a successful bootstrap, then query again using unicast DNS [RFC1035][RFC7766], assuming the address of a DNS server is known.
When querying for device-specific DNS records, devices SHOULD immediately query for their instance-specific record, without first querying for PTR records (Section 4.1 of [RFC6763]). Device MUST use their serial number (i.e., the same value as in the device identity certificate) for the "<instance>" portion of the service instance name (Section 4.1.1 of [RFC6763]). Device MUST only query for TXT records, in order to access the three bootstrapping artifacts defined in Section 3.
When querying for device-independent DNS records, devices MUST only query for SRV records. Multiple SRV records, each specifying an address, port, weight, and priority [RFC2782] is comparable to an unsigned redirect information's list of bootstrap servers. Note that a device-independent response is only able to encode unsigned data, since signed data necessitates the use of a device-specific ownership voucher. Exclusive use of SRV records maximally leverages existing DNS standards for what is likely to be a common case when using a DNS server as a source of bootstrapping data.
By example, assuming a device's serial number is "<serial number>", and that the domain discovered per Section 11 of [RFC6763] is "example.com", the device may issue the following sequence of DNS queries:
This document registers the service name "zerotouch" in Section 10.6.
For device-specific queries, the three bootstrapping artifacts defined in Section 3 are encoded into the TXT records using key/value pairs, as described in Section 6.3 in [RFC6763].
Artifact to TXT Record Mapping:
Devices MUST ignore any other keys that may be returned.
Note that, despite the name, TXT records can and SHOULD (per Section 6.5 of [RFC6763]) encode binary data.
<sn>._zerotouch._tcp.example.com. 3600 IN TXT "zi=<binary data>" <sn>._zerotouch._tcp.example.com. 3600 IN TXT "oc=<binary data>" <sn>._zerotouch._tcp.example.com. 3600 IN TXT "ov=<binary data>"
Following is an example of a device-specific response, as it might be presented by a user-agent, containing signed data. This example assumes that the device's serial number is "<sn>":
Note that, in the case that "zi" encodes unsigned data, the "oc" and "ov" keys would not be present in the response.
For device-independent queries, the three bootstrapping artifacts defined in Section 3 are encoded into the SVR records as follows.
Artifact to SRV Record Mapping:
_zerotouch._tcp.example.com. 1800 IN SRV 0 0 443 sztp1.example.com. _zerotouch._tcp.example.com. 1800 IN SRV 1 0 443 sztp2.example.com. _zerotouch._tcp.example.com. 1800 IN SRV 2 0 443 sztp3.example.com. _zerotouch._tcp.example.com. 1800 IN SRV 2 0 443 sztp4.example.com.
Following is an example of a device-independent response, as it might be presented by a user-agent, containing (effectively) unsigned redirect information to four bootstrap servers:
Note that, in this example, "sztp3" and "sztp4" have equal priority, and hence effectively represent a clustered pair of bootstrap servers. While "sztp1" and "sztp2" only have a single SRV record each, it may be that the record points to a load-balancer fronting a cluster of bootstrap servers.
The signed data artifacts are large by DNS conventions. In the smallest-footprint scenario, they are each a few kilobytes in size. However, onboarding information can easily be several kilobytes in size, and has the potential to be many kilobytes in size.
All resource records, including TXT records, have an upper size limit of 65535 bytes, since "RDLENGTH" is a 16-bit field (Section 3.2.1 in [RFC1035]). If it is ever desired to encode onboarding information that exceeds this limit, the DNS records returned should instead encode redirect information, to direct the device to a bootstrap server from which the onboarding information can be obtained.
Given the expected size of the TXT records, it is unlikely that signed data will fit into a UDP-based DNS packet, even with the EDNS(0) Extensions [RFC6891] enabled. Depending on content, signed data may also not fit into a multicast DNS packet, which bounds the size of the TXT records to 8900 bytes, per Section 6.1 in [RFC6763]. Thus it is expected that DNS Transport over TCP [RFC7766] will be required in order to return signed data.
A DHCP server MAY be used as a source of zero touch bootstrapping data.
Using a DHCP server may be a compelling option for deployments having existing DHCP infrastructure, as it enables a touchless bootstrapping option that does not entail utilizing an Internet based resource hosted by a 3rd-party.
A DHCP server is an untrusted source of bootstrapping data. Thus the information stored on the DHCP server either MUST be signed, or it MUST be information that can be processed provisionally (e.g., unsigned redirect information).
However, unlike other sources of bootstrapping data described in this document, the DHCP protocol (especially DHCP for IPv4) is very limited in the amount of data that can be conveyed, to the extent that signed data cannot be communicated. This means that only unsigned redirect information can be conveyed via DHCP.
Since the redirect information is unsigned, it SHOULD NOT include the optional trust anchor certificate, as it takes up space in the DHCP message, and the device would have to discard it anyway. For this reason, the DHCP options defined in Section 8 do not enable the trust anchor certificate to be encoded.
From an artifact perspective, the three artifacts defined in Section 3 are mapped to the DHCP fields specified in Section 8 as follows.
Artifact to DHCP Option Fields Mapping:
A bootstrap server MAY be used as a source of zero touch bootstrapping data. A bootstrap server is defined as a RESTCONF [RFC8040] server implementing the YANG module provided in Section 7.
Using a bootstrap server as a source of bootstrapping data is a compelling option as it MAY use transport-level security, obviating the need for signed data, which may be easier to deploy in some situations.
Unlike any other source of bootstrapping data described in this document, a bootstrap server is not only a source of data, but it can also receive data from devices using the YANG-defined "report-progress" RPC defined in the YANG module (Section 7.3). The "report-progress" RPC enables visibility into the bootstrapping process (e.g., warnings and errors), and provides potentially useful information upon completion (e.g., the device's SSH host-keys).
A bootstrap server may be a trusted or an untrusted source of bootstrapping data, depending on if the device learned about the bootstrap server's trust anchor from a trusted source. When a bootstrap server is trusted, the zero touch information returned from it MAY be signed. When the bootstrap server is untrusted, the zero touch information either MUST be signed or MUST be information that can be processed provisionally (e.g., unsigned redirect information).
From an artifact perspective, since a bootstrap server presents data conforming to a YANG data model, the bootstrapping artifacts need to be mapped to YANG nodes. The three artifacts defined in Section 3 are mapped to "output" nodes of the "get-bootstrapping-data" RPC defined in Section 7.3 below.
Artifact to Bootstrap Server Mapping:
Zero touch bootstrap servers have only two endpoints, one for the "get-bootstrapping-data" RPC and one for the "report-progress" RPC. These RPCs use the authenticated RESTCONF username to isolate the execution of the RPC from other devices.
Devices supporting the bootstrapping strategy described in this document MUST have the preconfigured state and bootstrapping logic described in the following sections.
+-------------------------------------------------------------+ | <device> | | | | +---------------------------------------------------------+ | | | <read/write storage> | | | | | | | | 1. flag to enable zerotouch bootstrapping set to "true" | | | +---------------------------------------------------------+ | | | | +---------------------------------------------------------+ | | | <read-only storage> | | | | | | | | 2. TLS client cert & related intermediate certificates | | | | 3. list of trusted well-known bootstrap servers | | | | 4. list of trust anchor certs for bootstrap servers | | | | 5. list of trust anchor certs for ownership vouchers | | | +---------------------------------------------------------+ | | | | +-----------------------------------------------------+ | | | <secure storage> | | | | | | | | 6. private key for TLS client certificate | | | | 7. private key for decrypting zerotouch artifacts | | | +-----------------------------------------------------+ | | | +-------------------------------------------------------------+
Each numbered item below corresponds to a numbered item in the diagram above.
A YANG module representing this data is provided in Appendix A.
A device claiming to support the bootstrapping strategy defined in this document MUST support the boot sequence described in this section.
Power On | v No 1. Zerotouch bootstrapping configured ------> Boot normally | | Yes v 2. For each supported source of bootstrapping data, try to load bootstrapping data from the source | | v Yes 3. Able to bootstrap from any source? -----> Run with new config | | No v 4. Loop back to Step 1. Note: At any time, the device MAY be configured via an alternate provisioning mechanism (e.g., CLI).
Each numbered item below corresponds to a numbered item in the diagram above.
This document does not limit the simultaneous use of alternate provisioning mechanisms. Such mechanisms may include, for instance, a command line interface (CLI), a web-based user interface, or even another bootstrapping protocol. Regardless how it is configured, the configuration SHOULD unset the flag enabling zerotouch bootstrapping discussed in Section 5.1.
This section describes a recursive algorithm that devices can use to, ultimately, obtain onboarding information. The algorithm is recursive because sources of bootstrapping data may return redirect information, which causes the algorithm to run again, for the newly discovered sources of bootstrapping data. An expression that captures all possible successful sequences of bootstrapping data is zero or more redirect information responses, followed by one onboarding information response.
Untrusted Source Trusted Source Kind of Bootstrapping Data Can Provide? Can Provide? Unsigned Redirect Info : Yes+ Yes Signed Redirect Info : Yes Yes* Unsigned Onboarding Info : No Yes Signed Onboarding Info : Yes Yes* The '+' above denotes that the source redirected to MUST return signed data, or more unsigned redirect information. The '*' above denotes that, while possible, it is generally unnecessary for a trusted source to return signed data.
An important aspect of the algorithm is knowing when data needs to be signed or not. The following figure provides a summary of options:
The recursive algorithm uses a conceptual global-scoped variable called "trust-state". The trust-state variable is initialized to FALSE. The ultimate goal of this algorithm is for the device to process onboarding information (Section 2.2) while the trust-state variable is TRUE.
If the source of bootstrapping data (Section 4) is a bootstrap server (Section 4.4), and the device is able to authenticate the bootstrap server using X.509 certificate path validation ([RFC6125], Section 6) to one of the device's preconfigured trust anchors, or to a trust anchor that it learned from a previous step, then the device MUST set trust-state to TRUE.
When establishing a connection to a bootstrap server, whether trusted or untrusted, the device MUST identify and authenticate itself to the bootstrap server using a TLS-level client certificate and/or an HTTP authentication scheme, per Section 2.5 in [RFC8040]. If both authentication mechanisms are used, they MUST both identify the same serial number.
When sending a client certificate, the device MUST also send all of the intermediate certificates leading up to, and optionally including, the client certificate's well-known trust anchor certificate.
For any source of bootstrapping data (e.g., Section 4), if any artifact obtained is encrypted, the device MUST first decrypt it using the private key associated with the device certificate used to encrypt the artifact.
If the zero touch information artifact is signed, and the device is able to validate the signed data using the algorithm described in Section 5.4, then the device MUST set trust-state to TRUE; otherwise, if the device is unable to validate the signed data, the device MUST set trust-state to FALSE. Note, this is worded to cover the special case when signed data is returned even from a trusted source of bootstrapping data.
If the zero touch information artifact contains redirect information, the device MUST, within limits of how many recursive loops the device allows, process the redirect information as described in Section 5.5. Implementations MUST limit the maximum number of recursive redirects allowed; the maximum number of recursive redirects allowed SHOULD be no more than ten. This is the recursion step, it will cause the device to reenter this algorithm, but this time the data source will definitely be a bootstrap server, as redirect information is only able to redirect devices to bootstrap servers.
If the zero touch information artifact contains onboarding information, and trust-state is FALSE, the device MUST exit the recursive algorithm (as this is not allowed, see the figure above), returning to the bootstrapping sequence described in Section 5.2. Otherwise, the device MUST attempt to process the onboarding information as described in Section 5.6. In either case, success or failure, the device MUST exit the recursive algorithm, returning to the bootstrapping sequence described in Section 5.2, the only difference being in how it responds to the "Able to bootstrap from any source?" conditional described in the figure in the section.
Whenever a device is presented signed data, it MUST validate the signed data as described in this section. This includes the case where the signed data is provided by a trusted source.
Whenever there is signed data, the device MUST also be provided an ownership voucher and an owner certificate. How all the needed artifacts are provided for each source of bootstrapping data is described in Section 4.
In order to validate signed data, the device MUST first authenticate the ownership voucher by validating its signature to one of its preconfigured trust anchors (see Section 5.1), which may entail using additional intermediate certificates attached to the ownership voucher. If the device has an accurate clock, it MUST verify that the ownership voucher was created in the past (i.e., "created-on" < now) and, if the "expires-on" leaf is present, the device MUST verify that the ownership voucher has not yet expired (i.e., now < "expires-on"). The device MUST verify that the ownership voucher's "assertion" value is acceptable (e.g., some devices may only accept the assertion value "verified"). The device MUST verify that the ownership voucher specifies the device's serial number in the "serial-number" leaf. If the "idevid-issuer" leaf is present, the device MUST verify that the value is set correctly. If the authentication of the ownership voucher is successful, the device extracts the "pinned-domain-cert" node, an X.509 certificate, that is needed to verify the owner certificate in the next step.
The device MUST next authenticate the owner certificate by performing X.509 certificate path verification to the trusted certificate extracted from the ownership voucher's "pinned-domain-cert" node. This verification may entail using additional intermediate certificates attached to the owner certificate artifact. If the ownership voucher's "domain-cert-revocation-checks" node's value is set to "true", the device MUST verify the revocation status of the certificate chain used to sign the owner certificate and, if suitably-fresh revocation status is unattainable or if it is determined that a certificate has been revoked, the device MUST NOT validate the owner certificate.
Finally the device MUST verify the zero touch information artifact was signed by the validated owner certificate.
If any of these steps fail, the device MUST invalidate the signed data and not perform any subsequent steps.
In order to process redirect information (Section 2.1), the device MUST follow the steps presented in this section.
Processing redirect information is straightforward; the device sequentially steps through the list of provided bootstrap servers until it can find one it can bootstrap from.
If a hostname is provided, and the hostname's DNS resolution is to more than one IP address, the device MUST attempt to connect to all of the DNS resolved addresses at least once, before moving on to the next bootstrap server. If the device is able to obtain bootstrapping data from any of the DNS resolved addresses, it MUST immediately process that data, without attempting to connect to any of the other DNS resolved addresses.
If the redirect information is trusted (e.g., trust-state is TRUE), and the bootstrap server entry contains a trust anchor certificate, then the device MUST authenticate the specified bootstrap server's TLS server certificate using X.509 certificate path validation ([RFC6125], Section 6) to the specified trust anchor. If the bootstrap server entry does not contain a trust anchor certificate device, the device MUST establish a provisional connection to the bootstrap server (i.e., by blindly accepting its server certificate), and set trust-state to FALSE.
If the redirect information is untrusted (e.g., trust-state is FALSE), the device MUST discard any trust anchors provided by the redirect information and establish a provisional connection to the bootstrap server (i.e., by blindly accepting its TLS server certificate).
In order to process onboarding information (Section 2.2), the device MUST follow the steps presented in this section.
When processing onboarding information, the device MUST first process the boot image information (if any), then execute the pre-configuration script (if any), then commit the initial configuration (if any), and then execute the post-configuration script (if any), in that order.
When the onboarding information is obtained from a trusted bootstrap server, the device MUST send the "bootstrap-initiated" progress report, and send either a terminating "boot-image-installed-rebooting", "bootstrap-complete", or error specific progress report. If the bootstrap server's "get-bootstrapping-data" RPC-reply's "reporting-level" node is set to "verbose", the device MUST additionally send all appropriate non-terminating progress reports (e.g., initiated, warning, complete, etc.). Regardless of the reporting-level indicated by the bootstrap server, the device MAY send progress reports beyond the mandatory ones specified for the given reporting level.
When the onboarding information is obtained from an untrusted bootstrap server, the device MUST NOT send any progress reports to the bootstrap server.
If the device encounters an error at any step, it MUST stop processing the onboarding information and return to the bootstrapping sequence described in Section 5.2. In the context of a recursive algorithm, the device MUST return to the enclosing loop, not back to the very beginning. Some state MAY be retained from the bootstrapping process (e.g., updated boot image, logs, remnants from a script, etc.). However, the retained state MUST NOT be active in any way (e.g., no new configuration or running of software), and MUST NOT hinder the ability for the device to continue the bootstrapping sequence (i.e., process onboarding information from another bootstrap server).
At this point, the specific ordered sequence of actions the device MUST perform is described.
If the onboarding information is obtained from a trusted bootstrap server, the device MUST send a "bootstrap-initiated" progress report. It is an error if the device does not receive back the "204 No Content" HTTP status line. If an error occurs, the device MUST try to send a "bootstrap-error" progress report before exiting.
The device MUST parse the provided onboarding information document, to extract values used in subsequent steps. Whether using a stream-based parser or not, if there is an error when parsing the onboarding information, and the device is connected to a trusted bootstrap server, the device MUST try to send a "parsing-error" progress report before exiting.
If boot image criteria are specified, the device MUST first determine if the boot image it is running satisfies the specified boot image criteria. If the device is already running the specified boot image, then it skips the remainder of this step. If the device is not running the specified boot image, then it MUST download, verify, and install, in that order, the specified boot image, and then reboot. If connected to a trusted bootstrap server, the device MAY try to send a "boot-image-mismatch" progress report. To download the boot image, the device MUST only use the URIs supplied by the onboarding information. To verify the boot image, the device MUST either use one of the verification fingerprints supplied by the onboarding information, or use a cryptographic signature embedded into the boot image itself using a mechanism not described by this document. Before rebooting, if connected to a trusted bootstrap server, the device MUST try to send a "boot-image-installed-rebooting" progress report. Upon rebooting, the bootstrapping process runs again, which will eventually come to this step again, but then the device will be running the specified boot image, and thus will move to processing the next step. If an error occurs at any step while the device is connected to a trusted bootstrap server (i.e., before the reboot), the device MUST try to send a "boot-image-error" progress report before exiting.
If a pre-configuration script has been specified, the device MUST execute the script, capture any output emitted from the script, and check if the script had any warnings or errors. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "pre-script-error" progress report before exiting.
If an initial configuration has been specified, the device MUST atomically commit the provided initial configuration, using the approach specified by the "configuration-handling" leaf. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "config-error" progress report before exiting.
If a post-configuration script has been specified, the device MUST execute the script, capture any output emitted from the script, and check if the script had any warnings or errors. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "post-script-error" progress report before exiting.
If the onboarding information was obtained from a trusted bootstrap server, and the result of the bootstrapping process did not disable the "flag to enable zerotouch bootstrapping" described in Section 5.1, the device SHOULD send an "bootstrap-warning" progress report.
If the onboarding information was obtained from a trusted bootstrap server, the device MUST send a "bootstrap-complete" progress report. It is an error if the device does not receive back the "204 No Content" HTTP status line. If an error occurs, the device MUST try to send a "bootstrap-error" progress report before exiting.
At this point, the device has completely processed the bootstrapping data.
The device is now running its initial configuration. Notably, if NETCONF Call Home or RESTCONF Call Home [RFC8071] is configured, the device initiates trying to establish the call home connections at this time.
Implementation Notes:
This section defines a YANG 1.1 [RFC7950] module that is used to define the data model for the zero touch information artifact described in Section 3.1. This data model uses the "yang-data" extension statement defined in [I-D.ietf-netmod-yang-data-ext]. Examples illustrating this data model are provided in Section 6.2.
The following tree diagram provides an overview of the data model for the zero touch information artifact.
module: ietf-zerotouch-information yang-data zerotouch-information: +-- (information-type) +--:(redirect-information) | +-- redirect-information | +-- bootstrap-server* [address] | +-- address inet:host | +-- port? inet:port-number | +-- trust-anchor? cms +--:(onboarding-information) +-- onboarding-information +-- boot-image | +-- os-name? string | +-- os-version? string | +-- download-uri* inet:uri | +-- image-verification* [hash-algorithm] | +-- hash-algorithm identityref | +-- hash-value yang:hex-string +-- configuration-handling? enumeration +-- pre-configuration-script? script +-- configuration? binary +-- post-configuration-script? script
The following example illustrates how redirect information (Section 2.1) can be encoded using JSON.
{ "ietf-zerotouch-information:redirect-information" : { "bootstrap-server" : [ { "address" : "phs1.example.com", "port" : 8443, "trust-anchor" : "base64encodedvalue==" }, { "address" : "phs2.example.com", "port" : 8443, "trust-anchor" : "base64encodedvalue==" }, { "address" : "phs3.example.com", "port" : 8443, "trust-anchor" : "base64encodedvalue==" } ] } }
The following example illustrates how onboarding information (Section 2.2) can be encoded using JSON.
[Note: '\' line wrapping for formatting only] { "ietf-zerotouch-information:onboarding-information" : { "boot-image" : { "os-name" : "VendorOS", "os-version" : "17.2R1.6", "download-uri" : [ "http://some/path/to/raw/file" ], "image-verification" : [ { "hash-algorithm" : "ietf-zerotouch-information:sha-256", "hash-value" : "ba:ec:cf:a5:67:82:b4:10:77:c6:67:a6:22:ab:\ 7d:50:04:a7:8b:8f:0e:db:02:8b:f4:75:55:fb:c1:13:b2:33" } ] }, "configuration-handling" : "merge", "pre-configuration-script" : "base64encodedvalue==", "configuration" : "base64encodedvalue==", "post-configuration-script" : "base64encodedvalue==" } }
The zero touch information data model is defined by the YANG module presented in this section.
This module uses data types defined in [RFC5280], [RFC5652], [RFC6234], and [RFC6991], an extension statement from [I-D.ietf-netmod-yang-data-ext], and an encoding defined in [ITU.X690.2015].
<CODE BEGINS> file "ietf-zerotouch-information@2018-12-20.yang" module ietf-zerotouch-information { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-zerotouch-information"; prefix zti; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-yang-data-ext { prefix yd; reference "I-D.ietf-netmod-yang-data-ext: YANG Data Extensions"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: http://tools.ietf.org/wg/netconf WG List: <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module defines the data model for the Zero Touch Information artifact defined in RFC XXXX: Zero Touch Provisioning for Networking Devices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Copyright (c) 2019 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2018-12-20 { description "Initial version"; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } // identities identity hash-algorithm { description "A base identity for hash algorithm verification"; } identity sha-256 { base "hash-algorithm"; description "The SHA-256 algorithm."; reference "RFC 6234: US Secure Hash Algorithms."; } // typedefs typedef cms { type binary; description "A ContentInfo structure, as specified in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 5652: Cryptographic Message Syntax (CMS) ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } // yang-data yd:yang-data "zerotouch-information" { choice information-type { mandatory true; description "This choice statement ensures the response contains redirect-information or onboarding-information."; container redirect-information { description "Redirect information is described in Section 2.1 in RFC XXXX. Its purpose is to redirect a device to another bootstrap server."; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; list bootstrap-server { key "address"; min-elements 1; description "A bootstrap server entry."; leaf address { type inet:host; mandatory true; description "The IP address or hostname of the bootstrap server the device should redirect to."; } leaf port { type inet:port-number; default "443"; description "The port number the bootstrap server listens on. If no port is specified, the IANA-assigned port for 'https' (443) is used."; } leaf trust-anchor { type cms; description "A CMS structure that MUST contain the chain of X.509 certificates needed to authenticate the TLS certificate presented by this bootstrap server. The CMS MUST only contain a single chain of certificates. The bootstrap server MUST only authenticate to last intermediate CA certificate listed in the chain. In all cases, the chain MUST include a self-signed root certificate. In the case where the root certificate is itself the issuer of the bootstrap server's TLS certificate, only one certificate is present. If needed by the device, this CMS structure MAY also contain suitably fresh revocation objects with which the device can verify the revocation status of the certificates. This CMS encodes the degenerate form of the SignedData structure that is commonly used to disseminate X.509 certificates and revocation objects (RFC 5280)."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } } } container onboarding-information { description "Onboarding information is described in Section 2.2 in RFC XXXX. Its purpose is to provide the device everything it needs to bootstrap itself."; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; container boot-image { description "Specifies criteria for the boot image the device MUST be running, as well as information enabling the device to install the required boot image."; leaf os-name { type string; description "The name of the operating system software the device MUST be running in order to not require a software image upgrade (ex. VendorOS)."; } leaf os-version { type string; description "The version of the operating system software the device MUST be running in order to not require a software image upgrade (ex. 17.3R2.1)."; } leaf-list download-uri { type inet:uri; ordered-by user; description "An ordered list of URIs to where the same boot image file may be obtained. How the URI schemes (http, ftp, etc.) a device supports are known is vendor specific. If a secure scheme (e.g., https) is provided, a device MAY establish an untrusted connection to the remote server, by blindly accepting the server's end-entity certificate, to obtain the boot image."; } list image-verification { must '../download-uri' { description "Download URIs must be provided if an image is to be verified."; } key hash-algorithm; description "A list of hash values that a device can use to verify boot image files with."; leaf hash-algorithm { type identityref { base "hash-algorithm"; } description "Identifies the hash algorithm used."; } leaf hash-value { type yang:hex-string; mandatory true; description "The hex-encoded value of the specified hash algorithm over the contents of the boot image file."; } } } leaf configuration-handling { type enumeration { enum "merge" { description "Merge configuration into the running datastore."; } enum "replace" { description "Replace the existing running datastore with the passed configuration."; } } must '../configuration'; description "This enumeration indicates how the server should process the provided configuration."; } leaf pre-configuration-script { type script; description "A script that, when present, is executed before the configuration has been processed."; } leaf configuration { type binary; must '../configuration-handling'; description "Any configuration known to the device. The use of the 'binary' type enables e.g., XML-content to be embedded into a JSON document. The exact encoding of the content, as with the scripts, is vendor specific."; } leaf post-configuration-script { type script; description "A script that, when present, is executed after the configuration has been processed."; } } } } typedef script { type binary; description "A device specific script that enables the execution of commands to perform actions not possible thru configuration alone. No attempt is made to standardize the contents, running context, or programming language of the script, other than that it can indicate if any warnings or errors occurred and can emit output. The contents of the script are considered specific to the vendor, product line, and/or model of the device. If the script execution indicates that an warning occurred, then the device MUST assume that the script had a soft error that the script believes will not affect manageability. If the script execution indicates that an error occurred, the device MUST assume the script had a hard error that the script believes will affect manageability. In this case, the script is required to gracefully exit, removing any state that might hinder the device's ability to continue the bootstrapping sequence (e.g., process onboarding information obtained from another bootstrap server)."; } } <CODE ENDS>
This section defines the API for bootstrap servers. The API is defined as that produced by a RESTCONF [RFC8040] server that supports the YANG 1.1 [RFC7950] module defined in this section.
The following tree diagram provides an overview for the bootstrap server RESTCONF API.
module: ietf-zerotouch-bootstrap-server rpcs: +---x get-bootstrapping-data | +---w input | | +---w untrusted-connection? empty | | +---w hw-model? string | | +---w os-name? string | | +---w os-version? string | | +---w nonce? binary | +--ro output | +--ro reporting-level? enumeration | +--ro zerotouch-information cms | +--ro owner-certificate? cms | +--ro ownership-voucher? cms +---x report-progress +---w input +---w progress-type enumeration +---w message? string +---w ssh-host-keys | +---w ssh-host-key* [] | +---w algorithm string | +---w key-data binary +---w trust-anchor-certs +---w trust-anchor-cert* cms
This section presents three examples illustrating the bootstrap server's API. Two examples are provided for the "get-bootstrapping-data" RPC (once to an untrusted bootstrap server, and again to a trusted bootstrap server), and one example for the "report-progress" RPC.
The following example illustrates a device using the API to fetch its bootstrapping data from a untrusted bootstrap server. In this example, the device sends the "untrusted-connection" input parameter and receives signed data in the response.
REQUEST ------- ['\' line wrapping added for formatting only] POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\ strapping-data HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <input xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <untrusted-connection/> </input> RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <output xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <zerotouch-information>base64encodedvalue==</zerotouch-information> <owner-certificate>base64encodedvalue==</owner-certificate> <ownership-voucher>base64encodedvalue==</ownership-voucher> </output>
The following example illustrates a device using the API to fetch its bootstrapping data from a trusted bootstrap server. In this example, the device sends addition input parameters to the bootstrap server, which it may use when formulating its response to the device.
REQUEST ------- ['\' line wrapping added for formatting only] POST /restconf/operations/ietf-zerotouch-bootstrap-server:get-boot\ strapping-data HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <input xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <hw-model>model-x</hw-model> <os-name>vendor-os</os-name> <os-version>17.3R2.1</os-version> <nonce>base64encodedvalue==</nonce> </input> RESPONSE -------- HTTP/1.1 200 OK Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server Content-Type: application/yang.data+xml <output xmlns="urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <reporting-level>verbose</reporting-level> <zerotouch-information>base64encodedvalue==</zerotouch-information> </output>
The following example illustrates a device using the API to post a progress report to a bootstrap server. Illustrated below is the "bootstrap-complete" message, but the device may send other progress reports to the server while bootstrapping. In this example, the device is sending both its SSH host keys and a TLS server certificate, which the bootstrap server may, for example, pass to an NMS, as discussed in Appendix C.3.
REQUEST ------- ['\' line wrapping added for formatting only] POST /restconf/operations/ietf-zerotouch-bootstrap-server:report-\ progress HTTP/1.1 HOST: example.com Content-Type: application/yang.data+xml <input xmlns= "urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"> <progress-type>bootstrap-complete</progress-type> <message>example message</message> <ssh-host-keys> <ssh-host-key> <algorithm>ssh-rsa</algorithm> <key-data>base64encodedvalue==</key-data> </ssh-host-key> <ssh-host-key> <algorithm>rsa-sha2-256</algorithm> <key-data>base64encodedvalue==</key-data> </ssh-host-key> </ssh-host-keys> <trust-anchor-certs> <trust-anchor-cert>base64encodedvalue==</trust-anchor-cert> </trust-anchor-certs> </input> RESPONSE -------- HTTP/1.1 204 No Content Date: Sat, 31 Oct 2015 17:02:40 GMT Server: example-server
The bootstrap server's device-facing API is normatively defined by the YANG module defined in this section.
This module uses data types defined in [RFC4253], [RFC5652], [RFC5280], [RFC6960], and [RFC8366], uses an encoding defined in [ITU.X690.2015], and makes a reference to [RFC4250] and [RFC6187].
<CODE BEGINS> file "ietf-zerotouch-bootstrap-server@2018-12-20.yang" module ietf-zerotouch-bootstrap-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"; prefix ztbs; organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kwatsen@juniper.net>"; description "This module defines an interface for bootstrap servers, as defined by RFC XXXX: Zero Touch Provisioning for Networking Devices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Copyright (c) 2019 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2018-12-20 { description "Initial version"; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } // typedefs typedef cms { type binary; description "A CMS structure, as specified in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 5652: Cryptographic Message Syntax (CMS) ITU-T X.690: Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } // RPCs rpc get-bootstrapping-data { description "This RPC enables a device, as identified by the RESTCONF username, to obtain bootstrapping data that has been made available for it."; input { leaf untrusted-connection { type empty; description "This optional input parameter enables a device to communicate to the bootstrap server that it is unable to authenticate the bootstrap server's TLS certificate. In such circumstances, the device likely does not send any of the other input parameters, except for the 'nonce' parameter. Upon receiving this input parameter, the bootstrap server should only return unsigned redirect information or signed data of any type."; } leaf hw-model { type string; description "This optional input parameter enables a device to communicate to the bootstrap server its vendor specific hardware model number. This parameter may be needed, for instance, when a device's IDevID certificate does not include the 'hardwareModelName' value in its subjectAltName field, as is allowed by 802.1AR-2009."; reference "IEEE 802.1AR-2009: IEEE Standard for Local and metropolitan area networks - Secure Device Identity"; } leaf os-name { type string; description "This optional input parameter enables a device to communicate to the bootstrap server the name of its operating system. This parameter may be useful if the device, as identified by its serial number, can run more than one type of operating system (e.g., on a white-box system."; } leaf os-version { type string; description "This optional input parameter enables a device to communicate to the bootstrap server the version of its operating system. This parameter may be used by a bootstrap server to return an operating system specific response to the device, thus negating the need for a potentially expensive boot-image update."; } leaf nonce { type binary { length "8..32"; } description "This optional input parameter enables a device to communicate to the bootstrap server a nonce value. This may be especially useful for devices lacking an accurate clock, as then the bootstrap server can dynamically obtain from the manufacturer a voucher with the nonce value in it, as described in RFC 8366."; reference "RFC 8366: A Voucher Artifact for Bootstrapping Protocols"; } } output { leaf reporting-level { type enumeration { enum standard { description "Send just the progress reports required by RFC XXXX."; } enum verbose { description "Send additional progress reports that might help troubleshooting an SZTP bootstrapping issue."; } } default standard; description "Specifies the reporting level for progress reports the bootstrap server would like to receive when processing onboarding information. Progress reports are not sent when processing redirect information, or when the bootstrap server is untrusted (e.g., device sent the '<untrusted-connection>' input parameter)."; } leaf zerotouch-information { type cms; mandatory true; description "A zero touch information artifact, as described in Section 3.1 of RFC XXXX."; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } leaf owner-certificate { type cms; must '../ownership-voucher' { description "An ownership voucher must be present whenever an owner certificate is presented."; } description "An owner certificate artifact, as described in Section 3.2 of RFC XXXX. This leaf is optional because it is only needed when the zero touch information artifact is signed."; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } leaf ownership-voucher { type cms; must '../owner-certificate' { description "An owner certificate must be present whenever an ownership voucher is presented."; } description "An ownership voucher artifact, as described by Section 3.3 of RFC XXXX. This leaf is optional because it is only needed when the zero touch information artifact is signed."; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } } } rpc report-progress { description "This RPC enables a device, as identified by the RESTCONF username, to report its bootstrapping progress to the bootstrap server. This RPC is expected to be used when the device obtains onboarding-information from a trusted bootstap server."; input { leaf progress-type { type enumeration { enum "bootstrap-initiated" { description "Indicates that the device just used the 'get-bootstrapping-data' RPC. The 'message' node below MAY contain any additional information that the manufacturer thinks might be useful."; } enum "parsing-initiated" { description "Indicates that the device is about to start parsing the onboarding information. This progress type is only for when parsing is implemented as a distinct step."; } enum "parsing-warning" { description "Indicates that the device had a non-fatal error when parsing the response from the bootstrap server. The 'message' node below SHOULD indicate the specific warning that occurred."; } enum "parsing-error" { description "Indicates that the device encountered a fatal error when parsing the response from the bootstrap server. For instance, this could be due to malformed encoding, the device expecting signed data when only unsigned data is provided, the ownership voucher not listing the device's serial number, or because the signature didn't match. The 'message' node below SHOULD indicate the specific error. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "parsing-complete" { description "Indicates that the device successfully completed parsing the onboarding information. This progress type is only for when parsing is implemented as a distinct step."; } enum "boot-image-initiated" { description "Indicates that the device is about to start processing the boot-image information."; } enum "boot-image-warning" { description "Indicates that the device encountered a non-fatal error condition when trying to install a boot-image. A possible reason might include a need to reformat a partition causing loss of data. The 'message' node below SHOULD indicate any warning messages that were generated."; } enum "boot-image-error" { description "Indicates that the device encountered an error when trying to install a boot-image, which could be for reasons such as a file server being unreachable, file not found, signature mismatch, etc. The 'message' node SHOULD indicate the specific error that occurred. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "boot-image-mismatch" { description "Indicates that the device that has determined that it is not running the correct boot image. This message SHOULD precipitate trying to download a boot image."; } enum "boot-image-installed-rebooting" { description "Indicates that the device successfully installed a new boot image and is about to reboot. After sending this progress type, the device is not expected to access the bootstrap server again for this bootrapping attempt. The device may access this bootstrap server after rebooting and restarting the zerotouch bootstrapping process."; } enum "boot-image-complete" { description "Indicates that the device believes that it is running the correct boot-image."; } enum "pre-script-initiated" { description "Indicates that the device is about to execute the 'pre-configuration-script'."; } enum "pre-script-warning" { description "Indicates that the device obtained a warning from the 'pre-configuration-script' when it was executed. The 'message' node below SHOULD capture any output the script produces."; } enum "pre-script-error" { description "Indicates that the device obtained an error from the 'pre-configuration-script' when it was executed. The 'message' node below SHOULD capture any output the script produces. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "pre-script-complete" { description "Indicates that the device successfully executed the 'pre-configuration-script'."; } enum "config-initiated" { description "Indicates that the device is about to commit the initial configuration."; } enum "config-warning" { description "Indicates that the device obtained warning messages when it committed the initial configuration. The 'message' node below SHOULD indicate any warning messages that were generated."; } enum "config-error" { description "Indicates that the device obtained error messages when it committed the initial configuration. The 'message' node below SHOULD indicate the error messages that were generated. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "config-complete" { description "Indicates that the device successfully committed the initial configuration."; } enum "post-script-initiated" { description "Indicates that the device is about to execute the 'post-configuration-script'."; } enum "post-script-warning" { description "Indicates that the device obtained a warning from the 'post-configuration-script' when it was executed. The 'message' node below SHOULD capture any output the script produces."; } enum "post-script-error" { description "Indicates that the device obtained an error from the 'post-configuration-script' when it was executed. The 'message' node below SHOULD capture any output the script produces. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "post-script-complete" { description "Indicates that the device successfully executed the 'post-configuration-script'."; } enum "bootstrap-warning" { description "Indicates that a warning condition occurred for which there no other 'progress-type' enumeration is deemed suitable. The 'message' node below SHOULD describe the warning."; } enum "bootstrap-error" { description "Indicates that an error condition occurred for which there no other 'progress-type' enumeration is deemed suitable. The 'message' node below SHOULD describe the error. This progress type also indicates that the device has abandoned trying to bootstrap off this bootstrap server."; } enum "bootstrap-complete" { description "Indicates that the device successfully processed all 'onboarding-information' provided, and that it is ready to be managed. The 'message' node below MAY contain any additional information that the manufacturer thinks might be useful. After sending this progress type, the device is not expected to access the bootstrap server again."; } enum "informational" { description "Indicates any additional information not captured by any of the other progress types. For instance, a message indicating that the device is about to reboot after having installed a boot-image could be provided. The 'message' node below SHOULD contain information that the manufacturer thinks might be useful."; } } mandatory true; description "The type of progress report provided."; } leaf message { type string; description "An optional arbitrary value."; } container ssh-host-keys { when "../progress-type = 'bootstrap-complete'" { description "SSH host keys are only sent when the progress type is 'bootstrap-complete'."; } description "A list of SSH host keys an NMS may use to authenticate subsequent SSH-based connections to this device (e.g., netconf-ssh, netconf-ch-ssh)."; list ssh-host-key { description "An SSH host key an NMS may use to authenticate subsequent SSH-based connections to this device (e.g., netconf-ssh, netconf-ch-ssh)."; reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; leaf algorithm { type string; mandatory true; description "The public key algorithm name for this SSH key. Valid values are listed in the 'Public Key Algorithm Names' subregistry of the 'Secure Shell (SSH) Protocol Parameters' registry maintained by IANA."; reference "RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers IANA URL: https://www.iana.org/assignments/ssh-param\\ eters/ssh-parameters.xhtml#ssh-parameters-19 ('\\' added for formatting reasons)"; } leaf key-data { type binary; mandatory true; description "The binary public key data for this SSH key, as specified by RFC 4253, Section 6.6, i.e.: string certificate or public key format identifier byte[n] key/certificate data."; reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; } } } container trust-anchor-certs { when "../progress-type = 'bootstrap-complete'" { description "Trust anchors are only sent when the progress type is 'bootstrap-complete'."; } description "A list of trust anchor certificates an NMS may use to authenticate subsequent certificate-based connections to this device (e.g., restconf-tls, netconf-tls, or even netconf-ssh with X.509 support from RFC 6187). In practice, trust anchors for IDevID certificates do not need to be conveyed using this mechanism."; reference "RFC 6187: X.509v3 Certificates for Secure Shell Authentication."; leaf-list trust-anchor-cert { type cms; description "A CMS structure whose top-most content type MUST be the signed-data content type, as described by Section 5 in RFC 5652. The CMS MUST contain the chain of X.509 certificates needed to authenticate the certificate presented by the device. The CMS MUST contain only a single chain of certificates. The device's end-entity certificate MUST only authenticate to the last intermediate CA certificate listed in the chain. In all cases, the chain MUST include a self-signed root certificate. In the case where the root certificate is itself the issuer of the device's end-entity certificate, only one certificate is present. This CMS encodes the degenerate form of the SignedData structure that is commonly used to disseminate X.509 certificates and revocation objects (RFC 5280)."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5652: Cryptographic Message Syntax (CMS)"; } } } } } <CODE ENDS>
This section defines two DHCP options, one for DHCPv4 and one for DHCPv6. These two options are semantically the same, though syntactically different.
The DHCPv4 Zero Touch Option is used to provision the client with one or more URIs for bootstrap servers that can be contacted to attempt further configuration.
DHCPv4 Zero Touch Redirect Option 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | option-code (143) | option-length | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ . . . bootstrap-server-list (variable length) . . . +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ o option-code: OPTION_V4_ZEROTOUCH_REDIRECT (143) o option-length: The option length in octets. o bootstrap-server-list: A list of servers for the client to attempt contacting, in order to obtain further bootstrapping data, in the format shown in Section 8.3.
DHCPv4 Client Behavior
Clients MAY request the OPTION_V4_ZEROTOUCH_REDIRECT by including its option code in the Parameter Request List (55) in DHCP request messages.
On receipt of a DHCPv4 Reply message which contains the OPTION_V4_ZEROTOUCH_REDIRECT, the client processes the response according to Section 5.5, with the understanding that the "address" and "port" values are encoded in the URIs.
Any invalid URI entries received in the uri-data field are ignored by the client. If OPTION_V4_ZEROTOUCH_REDIRECT does not contain at least one valid URI entry in the uri-data field, then the client MUST discard the option.
As the list of URIs may exceed the maximum allowed length of a single DHCPv4 option (255 octets), the client MUST implement [RFC3396], allowing the URI list to be split across a number of OPTION_V4_ZEROTOUCH_REDIRECT option instances.
DHCPv4 Server Behavior
The DHCPv4 server MAY include a single instance of Option OPTION_V4_ZEROTOUCH_REDIRECT in DHCP messages it sends. Servers MUST NOT send more than one instance of the OPTION_V4_ZEROTOUCH_REDIRECT option.
The server’s DHCP message MUST contain only a single instance of the OPTION_V4_ZEROTOUCH_REDIRECT’s 'bootstrap-server-list’ field. However, the list of URIs in this field may exceed the maximum allowed length of a single DHCPv4 option (per [RFC3396]).
If the length of 'bootstrap-server-list’ is small enough to fit into a single instance of OPTION_V4_ZEROTOUCH_REDIRECT, the server MUST NOT send more than one instance of this option.
If the length of the 'bootstrap-server-list’ field is too large to fit into a single option, then OPTION_V4_ZEROTOUCH_REDIRECT MUST be split into multiple instances of the option according to the process described in [RFC3396].
The DHCPv6 Zero Touch Option is used to provision the client with one or more URIs for bootstrap servers that can be contacted to attempt further configuration.
DHCPv6 Zero Touch Redirect Option 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | option-code (136) | option-length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . bootstrap-server-list (variable length) . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o option-code: OPTION_V6_ZEROTOUCH_REDIRECT (136) o option-length: The option length in octets. o bootstrap-server-list: A list of servers for the client to attempt contacting, in order to obtain further bootstrapping data, in the format shown in Section 8.3.
DHCPv6 Client Behavior
Clients MAY request the OPTION_V6_ZEROTOUCH_REDIRECT option, as defined in [RFC8415], Sections 18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7. As a convenience to the reader, we mention here that the client includes requested option codes in the Option Request Option.
On receipt of a DHCPv6 Reply message which contains the OPTION_V6_ZEROTOUCH_REDIRECT, the client processes the response according to Section 5.5, with the understanding that the "address" and "port" values are encoded in the URIs.
Any invalid URI entries received in the uri-data field are ignored by the client. If OPTION_V6_ZEROTOUCH_REDIRECT does not contain at least one valid URI entry in the uri-data field, then the client MUST discard the option.
DHCPv6 Server Behavior
Section 18.3 of [RFC8415] governs server operation in regard to option assignment. As a convenience to the reader, we mention here that the server will send a particular option code only if configured with specific values for that option code and if the client requested it.
Option OPTION_V6_ZEROTOUCH_REDIRECT is a singleton. Servers MUST NOT send more than one instance of the OPTION_V6_ZEROTOUCH_REDIRECT option.
Both of the DHCPv4 and DHCPv6 options defined in this section encode a list of bootstrap server URIs. The "URI" structure is an option that can contain multiple URIs (see [RFC7227], Section 5.7). Each URI entry in the bootstrap-server-list is structured as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+ | uri-length | URI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+ o uri-length: 2 octets long, specifies the length of the URI data. o URI: URI of zerotouch bootstrap server, using the HTTPS URI scheme defined in Section 2.7.2 of RFC7230. URI MUST be in form "https://<ip-address-or-hostname>[:<port>]".
The solution in this document relies on TLS certificates, owner certificates, and ownership vouchers, all of which require an accurate clock in order to be processed correctly (e.g., to test validity dates and revocation status). Implementations SHOULD ensure devices have an accurate clock when shipped from manufacturing facilities, and take steps to prevent clock tampering.
If it is not possible to ensure clock accuracy, it is RECOMMENDED that implementations disable the aspects of the solution having clock sensitivity. In particular, such implementations should assume that TLS certificates, ownership vouchers, and owner certificates never expire and are not revokable. From an ownership voucher perspective, manufacturers SHOULD issue a single ownership voucher for the lifetime of such devices.
Implementations SHOULD NOT rely on NTP for time, as NTP is not a secure protocol at this time. Note, there is an IETF work-in-progress to secure NTP [I-D.ietf-ntp-using-nts-for-ntp].
IDevID certificates, as defined in [Std-802.1AR-2009], are RECOMMENDED, both for the TLS-level client certificate used by devices when connecting to a bootstrap server, as well as for the device identity certificate used by owners when encrypting the zero touch artifacts.
Devices MUST ensure that all their trust anchor certificates, including those for connecting to bootstrap servers and verifying ownership vouchers, are protected from external modification.
It may be necessary to update these certificates over time (e.g., the manufacturer wants to delegate trust to a new CA). It is therefore expected that devices MAY update these trust anchors when needed through a verifiable process, such as a software upgrade using signed software images.
Manufacturer-generated device identifiers may have very long lifetimes. For instance, [Std-802.1AR-2009] recommends using the "notAfter" value 99991231235959Z in IDevID certificates. Given the long-lived nature of these private keys, it is paramount that they are stored so as to resist discovery, such as in a secure cryptographic processor, such as a trusted platform module (TPM) chip.
This document allows a device to blindly authenticate a bootstrap server's TLS certificate. It does so to allow for cases where the redirect information may be obtained in an unsecured manner, which is desirable to support in some cases.
To compensate for this, this document requires that devices, when connected to an untrusted bootstrap server, assert that data downloaded from the server is signed.
This document allows devices to establish connections to untrusted bootstrap servers. However, since the bootstrap server is untrusted, it may be under the control of an adversary, and therefore devices SHOULD be cautious about the data they send to the bootstrap server in such cases.
Devices send different data to bootstrap servers at each of the protocol layers TCP, TLS, HTTP, and RESTCONF.
At the TCP protocol layer, devices may relay their IP address, subject to network translations. Disclosure of this information is not considered a security risk.
At the TLS protocol layer, devices may use a client certificate to identify and authenticate themselves to untrusted bootstrap servers. At a minimum, the client certificate must disclose the device's serial number, and may disclose additional information such as the device's manufacturer, hardware model, public key, etc. Knowledge of this information may provide an adversary with details needed to launch an attack. It is RECOMMENDED that secrecy of the network constituency is not relied on for security.
At the HTTP protocol layer, devices may use an HTTP authentication scheme to identify and authenticate themselves to untrusted bootstrap servers. At a minimum, the authentication scheme must disclose the device's serial number and, concerningly, may, depending on the authentication mechanism used, reveal a secret that is only supposed to be known to the device (e.g., a password). Devices SHOULD NOT use an HTTP authentication scheme (e.g., HTTP Basic) with an untrusted bootstrap server that reveals a secret that is only supposed to be known to the device.
At the RESTCONF protocol layer, devices use the "get-bootstrapping-data" RPC, but not the "report-progress" RPC, when connected to an untrusted bootstrap server. The "get-bootstrapping-data" RPC allows additional input parameters to be passed to the bootstrap server (e.g., "os-name", "os-version", "hw-model"). It is RECOMMENDED that devices only pass the "untrusted-connection" input parameter to an untrusted bootstrap server. While it is okay for a bootstrap server to immediately return signed onboarding information, it is RECOMMENDED that bootstrap servers instead promote the untrusted connection to a trusted connection, as described in Appendix B, thus enabling the device to use the "report-progress" RPC while processing the onboarding information.
For devices supporting more than one source for bootstrapping data, no particular sequencing order has to be observed for security reasons, as the solution for each source is considered equally secure. However, from a privacy perspective, it is RECOMMENDED that devices access local sources before accessing remote sources.
The solution presented in this document enables bootstrapping data to be trusted in two ways, either through transport level security or through the signing of artifacts.
When transport level security (i.e., a trusted bootstrap server) is used, the private key for the end-entity certificate must be online in order to establish the TLS connection.
When artifacts are signed, the signing key is required to be online only when the bootstrap server is returning a dynamically generated signed-data response. For instance, a bootstrap server, upon receiving the "untrusted-connection" input parameter to the "get-bootstrapping-data" RPC, may dynamically generate a response that is signed.
Bootstrap server administrators are RECOMMENDED to follow best practice to protect the private key used for any online operation. For instance, use of a hardware security module (HSM) is RECOMMENDED. If an HSM is not used, frequent private key refreshes are RECOMMENDED, assuming all bootstrapping devices have an accurate clock (see Section 9.1).
For best security, it is RECOMMENDED that owners only provide bootstrapping data that has been signed, using a protected private key, and encrypted, using the device's public key from its secure device identity certificate.
The zero touch bootstrapping protocol presented in this document shifts some control of initial configuration away from the rightful owner of the device and towards the manufacturer and its delegates.
The manufacturer maintains the list of well-known bootstrap servers its devices will trust. By design, if no bootstrapping data is found via other methods first, the device will try to reach out to the well-known bootstrap servers. There is no mechanism to prevent this from occurring other than by using an external firewall to block such connections. Concerns related to trusted bootstrap servers are discussed in Section 9.10.
Similarly, the manufacturer maintains the list of voucher signing authorities its devices will trust. The voucher signing authorities issue the vouchers that enable a device to trust an owner's domain certificate. It is vital that manufacturers ensure the integrity of these voucher signing authorities, so as to avoid incorrect assignments.
Operators should be aware that this system assumes that they trust all the pre-configured bootstrap servers and voucher signing authorities designated by the manufacturers. While operators may use points in the network to block access to the well-known bootstrap servers, operators cannot prevent voucher signing authorities from generating vouchers for their devices.
Trusted bootstrap servers, whether well-known or discovered, have the potential to cause problems, such as the following.
Zero touch information does not specify a validity period. For instance, neither redirect information nor onboarding information enable "not-before" or "not-after" values to be specified, and neither artifact alone can be revoked.
For unsigned data provided by an untrusted source of bootstrapping data, it is not meaningful to discuss its validity period when the information itself has no authenticity and may have come from anywhere.
For unsigned data provided by a trusted source of bootstrapping data (i.e., a bootstrap server), the availability of the data is the only measure of it being current. Since the untrusted data comes from a trusted source, its current availability is meaningful and, since bootstrap servers use TLS, the contents of the exchange cannot be modified or replayed.
For signed data, whether provided by an untrusted or trusted source of bootstrapping data, the validity is constrained by the validity of the both the ownership voucher and owner certificate used to authenticate it.
The ownership voucher's validity is primarily constrained by the ownership voucher's "created-on" and "expires-on" nodes. While [RFC8366] recommends short-lived vouchers (see Section 6.1), the "expires-on" node may be set to any point in the future, or omitted altogether to indicate that the voucher never expires. The ownership voucher's validity is secondarily constrained by the manufacturer's PKI used to sign the voucher; whilst an ownership voucher cannot be revoked directly, the PKI used to sign it may be.
The owner certificate's validity is primarily constrained by the X.509's validity field, the "notBefore" and "notAfter" values, as specified by the certificate authority that signed it. The owner certificate's validity is secondarily constrained by the validity of the PKI used to sign the voucher. Owner certificates may be revoked directly.
For owners that wish to have maximum flexibility in their ability to specify and constrain the validity of signed data, it is RECOMMENDED that a unique owner certificate is created for each signed artifact. Not only does this enable a validity period to be specified, for each artifact, but it also enables to the validity of each artifact to be revoked.
The ietf-zerotouch-information module defined in this document defines a data structure that is always wrapped by a CMS structure. When accessed by a secure mechanism (e.g., protected by TLS), then the CMS structure may be unsigned. However, when accessed by an insecure mechanism (e.g., removable storage device), then the CMS structure must be signed, in order for the device to trust it.
Implementations should be aware that signed bootstrapping data only protects the data from modification, and that the contents are still visible to others. This doesn't affect security so much as privacy. That the contents may be read by unintended parties when accessed by insecure mechanisms is considered next.
The ietf-zerotouch-information module defines a top-level "choice" statement that declares the contents are either "redirect-information" or "onboarding-information". Each of these two cases are now considered.
When the content of the CMS structure is redirect-information, an observer can learn about the bootstrap servers the device is being directed to, their IP addresses or hostnames, ports, and trust anchor certificates. Knowledge of this information could provide an observer some insight into a network's inner structure.
When the content of the CMS structure is onboarding information, an observer could learn considerable information about how the device is to be provisioned. This information includes the operating system version, initial configuration, and script contents. This information should be considered sensitive and precautions should be taken to protect it (e.g., encrypt the artifact using the device's public key).
The ietf-zerotouch-bootstrap-server module defined in this document specifies an API for a RESTCONF [RFC8040]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].
The NETCONF Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular users to a preconfigured subset of all available protocol operations and content.
This module presents no data nodes (only RPCs). There is no need to discuss the sensitivity of data nodes.
This module defines two RPC operations that may be considered sensitive in some network environments. These are the operations and their sensitivity/vulnerability:
This document registers two URIs in the "ns" subregistry of the IETF XML Registry [RFC3688] maintained at https://www.iana.org/assignments/xml-registry/xml-registry.xhtml#ns. Following the format in [RFC3688], the following registrations are requested:
URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server Registrant Contact: The NETCONF WG of the IETF. XML: N/A, the requested URI is an XML namespace.
This document registers two YANG modules in the YANG Module Names registry [RFC6020] maintained at https://www.iana.org/assignments/yang-parameters/yang-parameters.xhtml. Following the format defined in [RFC6020], the below registrations are requested:
name: ietf-zerotouch-information namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-information prefix: zti reference: RFC XXXX name: ietf-zerotouch-bootstrap-server namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-\ server (note: '\' used for formatting reasons only) prefix: ztbs reference: RFC XXXX
This document registers two SMI security codes in the "SMI Security for S/MIME CMS Content Type" registry (1.2.840.113549.1.9.16.1) maintained at https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1. Following the format used in Section 3.4 of [RFC7107], the below registrations are requested:
Decimal Description References ------- -------------------------------------- ---------- TBD1 id-ct-zerotouchInformationXML [RFCXXXX] TBD2 id-ct-zerotouchInformationJSON [RFCXXXX]
id-ct-zerotouchInformationXML indicates that the "zerotouch- information" is encoded using XML. id-ct-zerotouchInformationJSON indicates that the "zerotouch-information" is encoded using JSON.
This document registers one DHCP code point in the "BOOTP Manufacturer Extensions and DHCP Options" registry maintained at http://www.iana.org/assignments/bootp-dhcp-parameters. Following the format used by other registrations, the below registration is requested:
Tag: 143 Name: OPTION_V4_ZEROTOUCH_REDIRECT Data Length: N Meaning: This option provides a list of URIs for zero touch bootstrap servers Reference: [RFCXXXX]
Note: this request is to make permanent a previously registered early code point allocation.
This document registers one DHCP code point in "Option Codes" subregistry of the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry maintained at http://www.iana.org/assignments/dhcpv6-parameters. Following the format used by other registrations, the below registration is requested:
Value: 136 Description: OPTION_V6_ZEROTOUCH_REDIRECT Client ORO: Yes Singleton Option: Yes Reference: [RFCXXXX]
Note: this request is to make permanent a previously registered early code point allocation.
This document registers one service name in the Service Name and Transport Protocol Port Number Registry [RFC6335] maintained at https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml. Following the format defined in Section 8.1.1 of [RFC6335], the below registration is requested:
Service Name: zerotouch Transport Protocol(s): TCP Assignee: IESG <iesg@ietf.org> Contact: IETF Chair <chair@ietf.org> Description: This service name is used to construct the SRV service label "_zerotouch" for discovery of zero touch bootstrap servers. Reference: [RFCXXXX] Port Number: N/A Service Code: N/A Known Unauthorized Uses: N/A Assignment Notes: This protocol uses HTTPS as a substrate.
This section defines a non-normative data model that enables the configuration of zerotouch bootstrapping and discovery of what parameters are used by a device's bootstrapping logic.
The following tree diagram provides an overview for the zerotouch device data model.
module: example-zerotouch-device +--rw zerotouch +--rw enabled? boolean +--ro idevid-certificate? | ct:end-entity-cert-cms {bootstrap-servers}? +--ro bootstrap-servers {bootstrap-servers}? | +--ro bootstrap-server* [address] | +--ro address inet:host | +--ro port? inet:port-number +--ro bootstrap-server-pinned-certificates? | ta:pinned-certificates-ref {bootstrap-servers}? +--ro voucher-pinned-certificates? ta:pinned-certificates-ref {signed-data}?
In the above diagram, notice that there is only one configurable node "enabled". The expectation is that this node would be set to "true" in device's factory default configuration and that it would either be set to "false" or deleted when the zerotouch bootstrapping is longer needed.
Following is an instance example for this data model.
[Note: '\' line wrapping for formatting only] <zerotouch xmlns="https://example.com/zerotouch-device"> <enabled>true</enabled> <idevid-certificate>base64encodedvalue==</idevid-certificate> <bootstrap-servers> <bootstrap-server> <address>phs1.example.com</address> <port>8443</port> </bootstrap-server> <bootstrap-server> <address>phs2.example.com</address> <port>8443</port> </bootstrap-server> <bootstrap-server> <address>phs3.example.com</address> <port>8443</port> </bootstrap-server> </bootstrap-servers> <bootstrap-server-pinned-certificates>manufacturers-root-ca-certs<\ /bootstrap-server-pinned-certificates> <voucher-pinned-certificates>manufacturers-root-ca-certs</voucher-\ pinned-certificates> </zerotouch>
The device model is defined by the YANG module defined in this section.
This module uses data types defined in [RFC6991], [I-D.ietf-netconf-crypto-types], and [I-D.ietf-netconf-trust-anchors].
module example-zerotouch-device { yang-version 1.1; namespace "https://example.com/zerotouch-device"; prefix ztd; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-crypto-types { prefix ct; revision-date 2018-06-04; description "This revision is defined in the -00 version of draft-ietf-netconf-crypto-types"; reference "draft-ietf-netconf-crypto-types: Common YANG Data Types for Cryptography"; } import ietf-trust-anchors { prefix ta; revision-date 2018-06-04; description "This revision is defined in -00 version of draft-ietf-netconf-trust-anchors."; reference "draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors"; } organization "Example Corporation"; contact "Author: Bootstrap Admin <mailto:admin@example.com>"; description "This module defines a data model to enable zerotouch bootstrapping and discover what parameters are used. This module assumes the use of an IDevID certificate, as opposed to any other client certificate, or the use of an HTTP-based client authentication scheme."; revision 2018-12-20 { description "Initial version"; reference "RFC XXXX: Zero Touch Provisioning for Networking Devices"; } // features feature bootstrap-servers { description "The device supports bootstrapping off bootstrap servers."; } feature signed-data { description "The device supports bootstrapping off signed data."; } // protocol accessible nodes container zerotouch { description "Top-level container for zerotouch data model."; leaf enabled { type boolean; default false; description "The 'enabled' leaf controls if zerotouch bootstrapping is enabled or disabled. The default is 'false' so that, when not enabled, which is most of the time, no configuration is needed."; } leaf idevid-certificate { if-feature bootstrap-servers; type ct:end-entity-cert-cms; config false; description "This CMS structure contains the IEEE 802.1AR-2009 IDevID certificate itself, and all intermediate certificates leading up to, and optionally including, the manufacturer's well-known trust anchor certificate for IDevID certificates. The well-known trust anchor does not have to be a self-signed certificate."; reference "IEEE 802.1AR-2009: IEEE Standard for Local and metropolitan area networks - Secure Device Identity."; } container bootstrap-servers { if-feature bootstrap-servers; config false; description "List of bootstrap servers this device will attempt to reach out to when bootstrapping."; list bootstrap-server { key "address"; description "A bootstrap server entry."; leaf address { type inet:host; mandatory true; description "The IP address or hostname of the bootstrap server the device should redirect to."; } leaf port { type inet:port-number; default "443"; description "The port number the bootstrap server listens on. If no port is specified, the IANA-assigned port for 'https' (443) is used."; } } } leaf bootstrap-server-pinned-certificates { if-feature bootstrap-servers; type ta:pinned-certificates-ref; config false; description "A reference to a list of pinned certificate authority (CA) certificates that the device uses to validate bootstrap servers with."; } leaf voucher-pinned-certificates { if-feature signed-data; type ta:pinned-certificates-ref; config false; description "A reference to a list of pinned certificate authority (CA) certificates that the device uses to validate ownership vouchers with."; } } }
The following diagram illustrates a sequence of bootstrapping activities that promote an untrusted connection to a bootstrap server to a trusted connection to the same bootstrap server. This enables a device to limit the amount of information it might disclose to an adversary hosting an untrusted bootstrap server.
+----------+ |Deployment| | Specific | +------+ |Bootstrap | |Device| | Server | +------+ +----------+ | | | 1. "HTTPS" Request ("untrusted-connection", nonce) | |------------------------------------------------------->| | 2. "HTTPS" Response (signed redirect information) | |<-------------------------------------------------------| | | | | | 3. HTTPS Request (os-name=xyz, os-version=123, etc.) | |------------------------------------------------------->| | 4. HTTPS Response (unsigned onboarding information | |<-------------------------------------------------------| | |
The interactions in the above diagram are described below.
The zero touch solution presented in this document is conceptualized to be composed of the non-normative workflows described in this section. Implementation details are expected to vary. Each diagram is followed by a detailed description of the steps presented in the diagram, with further explanation on how implementations may vary.
The following diagram illustrates key interactions that may occur from when a prospective owner enrolls in a manufacturer's zero touch program to when the manufacturer ships devices for an order placed by the prospective owner.
+-----------+ +------------+ |Prospective| +---+ |Manufacturer| | Owner | |NMS| +------------+ +-----------+ +---+ | | | | | | | 1. initiate enrollment | | #<-----------------------------| | # | | # | | # IDevID trust anchor | | #-----------------------------># set IDevID trust anchor | # #--------------------------->| # | | # bootstrap server | | # account credentials | | #-----------------------------># set credentials | | #--------------------------->| | | | | | | | 2. set owner certificate trust anchor | |<----------------------------------------------------------| | | | | | | | 3. place device order | | |<-----------------------------# model devices | | #--------------------------->| | | | | 4. ship devices and send | | | device identifiers and | | | ownership vouchers | | |-----------------------------># set device identifiers | | # and ownership vouchers | | #--------------------------->| | | |
Each numbered item below corresponds to a numbered item in the diagram above.
The following diagram illustrates how an owner might stage the network for bootstrapping devices.
+----------+ +------------+ |Deployment| |Manufacturer| +------+ +------+ | Specific | | Hosted | | Local| | Local| +---------+ +---+ |Bootstrap | | Bootstrap | | DNS | | DHCP | |Removable| |NMS| | Server | | Server | |Server| |Server| | Storage | +---+ +----------+ +------------+ +------+ +------+ +---------+ | | | | | | 1. | | | | | | activate| | | | | | modeled | | | | | | device | | | | | | ------->| | | | | | | 2. (optional) | | | | | configure | | | | | bootstrap | | | | | server | | | | |------->| | | | | | | | | | | | 3. (optional) configure | | | | bootstrap server | | | | |--------------------->| | | | | | | | | | | | | | | | | 4. (optional) configure DNS server| | | |---------------------------------->| | | | | | | | | | | | | | | | 5. (optional) configure DHCP server | | |------------------------------------------->| | | | | | | | | | | | | | | 6. (optional) store bootstrapping artifacts on media | |----------------------------------------------------->| | | | | | | | | | | | |
Each numbered item below corresponds to a numbered item in the diagram above.
+----------+ +-----------+ |Deployment| | Source of | | Specific | +------+ | Bootstrap | |Bootstrap | +---+ |Device| | Data | | Server | |NMS| +------+ +-----------+ +----------+ +---+ | | | | | | | | | 1. if zerotouch bootstrap service | | | | is not enabled, then exit. | | | | | | | | 2. for each source supported, check | | | | for bootstrapping data. | | | |------------------------------------>| | | | | | | | 3. if onboarding information found, | | | | initialize self and, only if | | | | source is a trusted bootstrap | | | | server, send progress reports. | | | |------------------------------------># | | | # webhook | | | #----------------------->| | | | | 4. else if redirect-information found, for each | | | bootstrap server specified, check for data. | | |-+------------------------------------------------->| | | | | | | | if more redirect-information is found, recurse | | | | (not depicted), else if onboarding information | | | | found, initialize self and post progress reports | | | +-------------------------------------------------># | | # webhook | | #-------->| | | 5. retry sources and/or wait for manual provisioning. |
The following diagram illustrates the sequence of activities that occur when a device powers on.
The interactions in the above diagram are described below.
If the device successfully completes the bootstrapping process, it exits the bootstrapping logic without considering any additional sources of bootstrapping data.
The authors would like to thank for following for lively discussions on list and in the halls (ordered by last name): Michael Behringer, Dean Bogdanovic, Martin Bjorklund, Joe Clarke, Toerless Eckert, Stephen Farrell, Stephen Hanna, Wes Hardaker, David Harrington, Mirja Kühlewind, Radek Krejci, Suresh Krishnan, Benjamin Kaduk, David Mandelberg, Alexey Melnikov, Russ Mundy, Reinaldo Penno, Randy Presuhn, Max Pritikin, Michael Richardson, Adam Roach, Phil Shafer, Juergen Schoenwaelder.
Special thanks goes to Steve Hanna, Russ Mundy, and Wes Hardaker for brainstorming the original I-D's solution during the IETF 87 meeting in Berlin.