Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

Slides:



Advertisements
Similar presentations
Secure Network Bootstrapping Infrastructure May 15, 2014.
Advertisements

MyProxy: A Multi-Purpose Grid Authentication Service
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Technologies Networking for Home and Small Businesses – Chapter 7.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Installing a DHCP Server role on Windows Server 2008 R2 in a home network. This is intended as a guide to install the DHCP role on a Domain Controller.
NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Wireless Technologies Networking for Home and Small Businesses – Chapter.
draft-kwatsen-netconf-zerotouch-01
draft-ietf-netconf-call-home-01
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
Configuring Network Services and Protocols Lecture 2.
draft-ietf-netconf-zerotouch
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
SEC Identity_of_registrar_CSE Identity of Registrar CSE Group Name: SEC, ARC and PRO Source:FUJITSU Meeting Date: Agenda Item: Authentication.
Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)
Security fundamentals Topic 10 Securing the network perimeter.
Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.
Serial Server Configuration Peter Szyszko. Hardware Configuration  Unit has to be connected to network and powered.  Computer has to be connected to.
Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan.
DHCP Privacy Considerations Tomek Mrugalski IETF90, Toronto IETF-90 DHC WG1.
1 Internal Use Only Network on Demand OVM Demo Script March 2016.
Bakeoff Summary Jari Arkko, Ericsson Arne Dybdahl, SSH August 17 th, 2001.
Draft-ietf-netconf-server-model-04 NETCONF Server Configuration Model
Bootstrapping Key Infrastructures
ONAP SD-WAN Use Case Proposal.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Security fundamentals
TOPIC: HTTPS (Security protocol)
NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-07 NETCONF WG IETF 93 Prague.
Installing TMG & Choosing a Client Type
Module 3: Enabling Access to Internet Resources
Oracle SOA Cloud Integration Project
Enabling Secure Internet Access with TMG
Instructor Materials Chapter 9: Testing and Troubleshooting
Implementing TCP/IP.
Cryptography and Network Security
Modernizing your Remote Access
Configuring and Troubleshooting Routing and Remote Access
Living on the Edge: (Re)focus DNS Efforts on the End-Points
draft-ietf-netconf-reverse-ssh
DNS Session 5 Additional Topics
Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)
Accelerator Network Safety at PSI
EdgeX System Management Nov 6th 2017
Business Risks of Insecure Networks
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
Introduction To Networking
Introduction to Computers
Introduction to Networking
BRSKI overview and issues
3300 ICP Network Topology/ DHCP Configuration Jill Krzyzanowski Technical Trainer Release 8.0.
Network Services.
VPN-Implementation Using UBUNTU OS and OpenVPN and Hamachi in client-server environment. By Ruphin Byamungu, Kusinza United States International University-Nairobi.
– Chapter 3 – Device Security (B)
OMA – SUPL Security SUPL 1.0 has reliable security for H-SLP non-emergency location of a SET 3GPP solution 1: GBA (Generic Bootstrap Architecture) support.
LXI Security Overview October 2018 Rev 1.8.
– Chapter 3 – Device Security (B)
CS – E-commerce Technologies – Lecture 07
Chapter 10: Advanced Cisco Adaptive Security Appliance
RFC 5539 Update Status draft-badra-netconf-rfc5539bis-00
Advanced Computer Networks
Read this to find out how the internet works!
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
5G Use Case Configuration & PNF SW Upgrade using NETCONF ONAP DDF, Jan 9, 2019 Ericsson.
VNet and Cross-Premises Connectivity
Presentation transcript:

draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home

Introduction Zero Touch is a strategy for how to establish a secure network management relationship between a newly delivered network element, configured with just its factory default settings, and the new owner's NMS. 2

Goals Security – MUST implement vs MUST use (RFC 3365) Flexibility – Works on SP networks, even if behind a firewall Ease of Use – Play-n-play for Installer (“zero” means zero!) Device Cost – Mild (COGS + development effort) 3

Proposal illustrated in following slides 4

Device State Precondition | | | | | | | | | | device private key | | | | device certificate | | | | | | | FQDN of vendor's DNS server | Serial Number Signed by certificate with chain of trust to Vendor’s well-known CA

Vendor's DNS Server State | | |. | | - FQDN of NMS to connect to | | - flag indicating if SSH or TLS | | - username NMS will login using | | - NMS's auth credentials | | | State initialized through a vendor-hosted interface

ZeroTouch Sequence Diagram DEVICE LOCAL DHCP LOCAL DNS VENDOR'S DNS NMS | SERVER SERVER SERVER (DNSSEC) | | | | | | | >| | | | | Lease IP | | | | | | | | | | >| | | | Lookup vendor's DNS server | | | | | | | | | >| | | Lookup. | | | | | | | | >| | | | Lookup NMS IP address | | | | | | | | | >| | Reverse SSH or Reverse TLS | | | | | | | | 7

NMS State Precondition | | | vendor's trusted CA certificate | | serial numbers for expected devices | | username to log into devices with | | auth credentials to log into devices | | | NMS needs CA cert and serial-numbers from Vendor

Supporting Private Networks Potential alternatives to source information: – Impersonate vendor’s DNS server – DHCP (susceptible to a MITM attack?) – USB flash drive – Near-field wireless 9 Or just to avoid doing a lookup in the vendor’s DNS server?

Security Considerations Long-lived certificates Vendor may reveal NMS locations Serial Number in certificate 10

IANA Considerations None 11

Open Issues DNSSEC doesn't currently allow client certificates Should DNS record provide SSH-specific information? Standardize REST API used to set DNS record info? Not in -00 draft: Use something besides DNS? (e.g. HTTPS) 12

Questions / Concerns ? 13

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.