YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Slides:

Advertisements

Similar presentations

2 Introduction A central issue in supporting interoperability is achieving type compatibility. Type compatibility allows (a) entities developed by various.

Advertisements

Importing and Calling Web Services from your CA Plex Applications Session Code: Lab13 Rob Layzell.

Design Principles for Reusable, Composable and Extensible Frameworks Jilles van Gurp.

Infoblox Network Automation Matt Gowarty, Sr. Product Marketing Manager Dynamically Controlling Your Network.

L3vpn end-system draft Pedro Marques. Overview Defines a mechanism to associate an end- system virtual interface to an L3VPN. – Co-located forwarder:

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Introduction to z/OS Basics © 2006 IBM Corporation Chapter 13: z/OS HTTP Server.

Apache Axis: A Set of Java Tools for SOAP Web Services.

Lesson 18: Configuring Application Restriction Policies

Draft-li-rtgwg-cc-igp-arch-00IETF 88 RTGWG1 An Architecture of Central Controlled Interior Gateway Protocol (IGP) draft-li-rtgwg-cc-igp-arch-00 Zhenbin.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.

Winter Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Windows 2003 and 802.1x Secure Wireless Deployments.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

DCOM (Overview) by- Jeevan Varma Anga.

Abierman-nanog-30may03 1 XML Router Configs BOF Operator Involvement Andy Bierman

Configuring Directory Certificate Services Lesson 13.

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

1 Stable Connectivity IETF 91 11/2014 Honolulu draft-eckert-anima-stable-connectivity-00 T.Eckert M. Behringer.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

YANG in a Nutshell The YANG Gang IETF 71. YANG has... A reasonable self-contained specification A focus on readers and reviewers Text-based , patch,

Lectu re 1 Recap: “Operational” view of Internet r Internet: “network of networks” m Requires sending, receiving of messages r protocols control sending,

1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.

SOCKS By BITSnBYTES (Bhargavi, Maya, Priya, Rajini and Shruti)

1 Software Design Lecture What’s Design It’s a representation of something that is to be built. i.e. design  implementation.

Protocol Requirements draft-bryan-p2psip-requirements-00.txt D. Bryan/SIPeerior-editor S. Baset/Columbia University M. Matuszewski/Nokia H. Sinnreich/Adobe.

Netconf Event Notifications IETF 66 Sharon Chisholm Hector Trevino

A service Oriented Architecture & Web Service Technology.

Control System Tools for Beam Commissioning Timo Korhonen Controls Division Chief Engineer April 8, 2014.

Bootstrapping Key Infrastructures

CS 501: Software Engineering Fall 1999 Lecture 23 Design for Usability I.

IETF88 Vancouver Immediate options for Multrans avoiding NAT ?

SDN-O LCM for Mercury Release Key Points and Overview

Convergence of Network Management Protocols

Contents Software components All users in one location:

91th IETF, 10 Nov 2014 Michael Behringer Steinthor Bjarnason Balaji BL

PLM, Document and Workflow Management

GWE Core Grid Wizard Enterprise (

The SUPA Information Model

A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.

Direct Attached Storage and Introduction to SCSI

Jari Arkko Bernard Aboba

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

Introduction to Computers

Introduction to Networking

CARD Designteam A. Singh, D. Funato, H. Chaskar, M. Liebsch

Direct Attached Storage and Introduction to SCSI

Towards PubSub and Storage integration in ANIMA

Windows PowerShell Remoting: Definitely NOT Just for Servers

UDP based Publication Channel for Streaming Telemetry

By co-authors Sheng Jiang & Toerless Eckert

Distributed Data Collection

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

LbyR discussion Henning Schulzrinne Hannes Tschofenig Richard Barnes

Examples of deployment scenarios

draft-eckert-anima-noc-autoconfig-00 draft-eckert-anima-grasp-dnssd-01

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

Bing Liu, Yuefeng Wu IETF July 2017

YANG Instance Data for Documenting Server Capabilities

Smart filters for Push Updates – Problem Statement draft-clemm-netconf-push-smart-filters-ps-00 Alexander Clemm, Eric Voit, Xufeng Liu, Igor Bryskin,

IoT Onboarding for Date: Authors: November 2018

draft-friel-acme-integrations

Subscription to Multiple Stream Originators

ACP status IETF 103 Montreal 2018

ANIMA recharter IETF 103 Bangkok

ONAP Architecture Principle Review

Talking Between Services with gRPC

Update on BRSKI-AE – Support for asynchronous enrollment

Presentation transcript:

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99 Toerless Eckert, Huawei (tte@cs.fau.de)

Why Yang model Configure ANI ANI != fully autonomic. Some things to configure Enable/Disable ANI – global/per interface Superset of enable/disable BRSKI and ACP BRSKI: Registrar + EST server (renewal) (separate ?): enable, define domain certificate parameters CA authentication/URL Simplifications ? Automatically instantiate local CA upon instantiating registrar Parameters for MASAs Allow learning from IDevID part of BRSKI – policies for this ?! Explicit configured MASA (for legacy IDevIDs) GRASP parameter for registrar/EST server announcements ACP: “acp connect” interfaces, explicit configured neighbors/ACP tunnels GRASP (in ANI nothing) ?

How Yang model Strategy to allow modularity ? Build Yang models for ACP, BRSKI, GRASP separately + ANI model ? Would like to make sure these components can be reused in other solutions, (including reuse of yang model) ACP without BRSKI Existing models to provision Certificates ? Everything else to configure in ACP same if ACP is with or without BRSKI ? BRSKI without ACP Additional (from prior slide ANI variant) - configured proxies ? GRASP without ACP ??? Not sure yet.

Why Yang model (2) Manage / observe ANI (read(-only) data) Main issue: Prio 1: Read “configuration” of ANI Will require additional “state” of functions representation Prio 1: ANI operational data E.g.: step-by-step BRSKI, step-by-step ACP neighborship build Current state representation (ACP neighbor table, discovered GRASP objectives,…) Prio 2: For underlying components ACP has most components it uses, e.g.: VRF, “secure channels”, GRASP Probably need to scrape IETF docs: Which component already has MIB and/or operational YANG model EST also “underlying” component of BRSKI Anything for it ? If not… should Yang mode for BRSKI be built as an extension to a to-be-built EST model ? Would allow to re-use then for EST-only servers (MCR: renewal may be EST-only...) GRASP: unchanged question from prior slide Main issue: Operational Yang == better version of “show” CLI. Issue: Often you can not do live “show” in automated networks.

Logging Q: can we define some trace/log model Yang version of syslog ? (Yang push ? What else are the options ?) How about logging locally for later retrieval ? Pledge not enrolling, something wrong, but can not verify in actual target deployment Need to be able to retrieve logs from some on-pledge limited storage later. Except similar issues also in e.g.: Proxy, small device environment (no good generic diagnostics environment).

BRSKI Enrolment control How to express policy which pledges are allowed into domain ? Whitelist / blacklist of IDevID serials on registrars ? Flexibility too limited: Want to be able to trigger some action before making decision (ask operator,…) Decision not binary – may also want to be able to define per-pledge parameters of the cert (address type, subdomain, cert lifetime,...) Most simple & flexible solution ? : RPC type call from registrar to external server to make decision RPC(IDevID) -> (enrol, cert-parameters) Define yang model for RPC, server connection parameters Similar for EST renewal ?

BRSKI Enrolment control (2) Minimum complexity solution ? ANI does not know which pledges are enrolled. Only “external” server and CA Do not model server (only RPC) or CA into ANI model No need to model/track pledges inside ANI, ni modelling whitelist/blacklist With just parameters of registrar enrolment RPC and EST renewal RPC, one can easily build management (“SDN”) server using e.g.: RestConf from Registrar/EST server Useful separation – SDN server can, but usually do not like to implement specific protocols (e.g.: BRSKI, BRSKI-MASA,… ?) EST/BRSKI already HTTP protocol, so a lot closer to what SDN controller like, but: Registrar needs to be connected to ACP. For easy building of system it is very helpfull to be able to have the SDN server be able to live outside of ACP

Structuring Yang work One draft ? Data model ANI, ACP, BRSKI, GRASP Or multiple ? Concept explanations.. Looking for collaborators to this work! Can form design team if interest ?