Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

Slides:

Advertisements

Similar presentations

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Advertisements

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

Secure Network Bootstrapping Infrastructure May 15, 2014.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

NETCONF Light. Motivation To support devices unable to implement the full NETCONF protocol – The “-00” draft noted hardware-based resource constraints.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-06 NETCONF WG IETF #92 Dallas, TX, USA.

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.

ONF Configuration and Management WG Jürgen Quittek

draft-kwatsen-netconf-zerotouch-01

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Introducing CoMI Aligned with RestCONF (draft-ietf-netconf-restconf-04) Common data modeling language (YANG defined in RFC 6020) Protocol (CoAP instead.

July 27, 2009IETF NEA Meeting1 NEA Working Group IETF 75 Co-chairs: Steve Hanna

draft-ietf-netconf-zerotouch

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP 2.0 TLS handling Magnus Westerlund draft-ietf-mmusic-rfc2326bis-12.

Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas

Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.

Module: Software Engineering of Web Applications Chapter 2: Technologies 1.

Abierman-netconf-mar07 1 NETCONF WG 68 th IETF Prague, CZ March 19, 2007.

ECRIT - Getting Certain URIs, and Alternatives to Getting Emergency Dialstring(s) draft-polk-ecrit-lost-server-uri-00 draft-polk-dhc-ecrit-uri-psap-esrp-00.

SACRED REQUIREMENTS DOCUMENT Stephen Farrell, Baltimore Alfred Arsenault, Diversinet.

IETF66 DIME WG John Loughney, Hannes Tschofenig and Victor Fajardo 3588-bis: Current Issues.

7/27/2004IETF San-Diego Plenary meeting 8/2004 EPON MIBs Lior Khermosh – Passave Technologies

August 2001 Slide 1 Extensions to TLS Simon Blake-Wilson Certicom David Hopwood Independent Consultant Jan Mikkelsen Transactionware Magnus Nystrom RSA.

ECC Design Team: Initial Report Brian Minard, Tolga Acar, Tim Polk November 8, 2006.

Netconf Schema Query Mark Scott IETF 70 Vancouver December 2007

Subject Identification Method August, 2004 Tim Polk, NIST.

Draft-kwatsen-netconf-server Configuration Model for SSH and TLS Transports.

Trust Bundle Publisher Create Unsigned Trust BundleCreate Signed Trust Bundle C:\TrustAnchors Trust Anchor Directory Create Bundle Browse … Optional Meta.

DHCP Privacy Considerations Tomek Mrugalski IETF90, Toronto IETF-90 DHC WG1.

Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.

Draft-ietf-netconf-server-model-04 NETCONF Server Configuration Model

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

ONAP SD-WAN Use Case Proposal.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-07 NETCONF WG IETF 93 Prague.

[authenticationProfile] <mgmtObj> specialization

Discussion on DHCPv6 Routing Configuration

draft-ietf-simple-message-sessions-00 Ben Campbell

Secure Sockets Layer (SSL)

Markus Isomäki Eva Leppänen

draft-ietf-netconf-reverse-ssh

LMP Behavior Negotiation

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

Subscribing to YANG datastore push updates draft-netconf-yang-push-00 IETF #94 Yokohama A. Clemm A. Gonzalez Prieto

draft-dthakore-tls-authz

draft-ietf-ecrit-rough-loc

Joe Clarke (presenting)

IETF #101 - NETCONF WG session

Debashish Purkayastha, Dirk Trossen, Akbar Rahman

Factory default Setting draft-wu-netmod-factory-default-01

Resource Certificate Profile

NETMOD IETF 103 Bangkok Nov , 2018

Post WG LC NMDA datastore architecture draft

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

draft-ietf-p2psip-base-03

Transport Layer Security (TLS)

WebDAV Advanced Collection Requirements

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

IETF #103 - NETCONF WG session

Update on BRSKI-AE – Support for asynchronous enrollment

Schema version selection Reshad Rahman (presenting), Rob Wilton

Presentation transcript:

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

Updates Since IETF 99 Reverted back to the device always sending its IDevID certificate to bootstrap servers, even if it doesn’t trust the bootstrap server, as it’s better for the device to give its identity to a potentially bad bootstrap server than it is for the bootstrap server to give device-specific config to a potentially spoofed device. Moved data-tree to an RPC (get-bootstrapping-data) Added ”untrusted-connection” parameter to the “get-bootstrapping-data” RPC so as to alert the bootstrap server that either signed data (of any type) or unsigned redirect info is needed. Added the "ietf-zerotouch-device" module Fixed 'must' expressions, by converting 'choice' to a 'list' of 'image-verification', each of which now points to a base identity called "hash-algorithm".

Bootstrap server's TLS cert Last Call Comments (1) Redirect Information needs to support returning a partial certificate chain, rather than just the single root certificate, to support deployments using public CAs. Trust Anchor Proposed Fix: +--:(redirect-information) +--ro redirect-information +--ro bootstrap-server* [address] +--ro address inet:host +--ro port? inet:port-number +--ro trust-anchor? binary +--ro trust-anchor? pkcs7 GoDaddy CA Org CA ZTP CA Ideally the pkcs7 type is defined in a module like ietf-crypto-types (discussed more in the Keystore presentation) Bootstrap server's TLS cert Sent by bootstrap server

Last Call Comments (2) The DHCP Option text specifying the allowable URI contents and error handling for the DHCP4&6 options can be improved. Proposal: remove a MUST in the URI description so that there is no implication of a server-side processing requirement add language for how clients handle errors when processing a list of URIs. Full proposal sent to list.

Any final questions, comments, or concerns? Final Stretch All Last Call comments have been addressed on list. It seems that a simple draft-update is all that is needed now before being forwarded to IESG (even if referencing an ietf-crypto-types module). Any final questions, comments, or concerns?