| < draft-ietf-opsawg-sdi-00.txt | draft-ietf-opsawg-sdi-01.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational C. Doyle | Intended status: Informational C. Doyle | |||
| Expires: January 23, 2020 Juniper Networks | Expires: January 23, 2020 Juniper Networks | |||
| July 22, 2019 | January 17, 2020 | |||
| Secure Device Install | Secure Device Install | |||
| draft-ietf-opsawg-sdi-00 | draft-ietf-opsawg-sdi-01 | |||
| Abstract | Abstract | |||
| Deploying a new network device often requires that an employee | Deploying a new network device often requires that an employee | |||
| physically travel to a datacenter to perform the initial install and | physically travel to a datacenter to perform the initial install and | |||
| configuration, even in shared datacenters with "smart-hands" type | configuration, even in shared datacenters with "smart-hands" type | |||
| support. In many cases, this could be avoided if there were a | support. In many cases, this could be avoided if there were a | |||
| standard, secure way to initially provision the devices. | standard, secure way to initially provision the devices. | |||
| This document extends existing auto-install / Zero-Touch Provisioning | This document extends existing auto-install / Zero-Touch Provisioning | |||
| skipping to change at page 4, line 41 ¶ | skipping to change at page 4, line 41 ¶ | |||
| TFTP server. | TFTP server. | |||
| When the device arrives at the POP, it gets installed in Sirius' | When the device arrives at the POP, it gets installed in Sirius' | |||
| rack, and cabled as instructed. The new device powers up and | rack, and cabled as instructed. The new device powers up and | |||
| discovers that it has not yet been configured. It enters its | discovers that it has not yet been configured. It enters its | |||
| autoboot state, and begins the DHCP process. Sirius' DHCP server | autoboot state, and begins the DHCP process. Sirius' DHCP server | |||
| provides it with an IP address and the address of the configuration | provides it with an IP address and the address of the configuration | |||
| server. The router uses TFTP to fetch its config file (note that all | server. The router uses TFTP to fetch its config file (note that all | |||
| this is existing functionality). The device attempts to load the | this is existing functionality). The device attempts to load the | |||
| config file - if the config file is unparsable, (new functionality) | config file - if the config file is unparsable, (new functionality) | |||
| the devies tries to uses its private key to decrypt the file, and, | the device tries to use its private key to decrypt the file, and, | |||
| assuming it validates, installs the new configuration. | assuming it validates, installs the new configuration. | |||
| Only the "correct" device will have the required private key and be | Only the "correct" device will have the required private key and be | |||
| able to decrypt and use the config file (See Security | able to decrypt and use the config file (See Security | |||
| Considerations). An attacker would be able to connect to the network | Considerations). An attacker would be able to connect to the network | |||
| and get an IP address. They would also be able to retrieve | and get an IP address. They would also be able to retrieve | |||
| (encrypted) config files by guessing serial numbers (or perhaps the | (encrypted) config files by guessing serial numbers (or perhaps the | |||
| server would allow directory listing), but without the private keys | server would allow directory listing), but without the private keys | |||
| an attacker will not be able to decrypt the files. | an attacker will not be able to decrypt the files. | |||
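Review bot: "assuming it validates" at the end of the first paragraph (both columns) leaves unstated what the device checks after decryption, and the second paragraph argues only confidentiality (an attacker can fetch the encrypted config files but cannot decrypt them). A successful decrypt plus a successful parse does not by itself tell the device who produced the file, so the same paragraph should say whether validation means an authenticity check on the decrypted configuration or only a parse check, or point explicitly to the part of Security Considerations that covers it; the -01 wording change in this block is otherwise just the "devies tries to uses" typo fix and reads correctly.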
| skipping to change at line 668 ¶ | skipping to change at line 670 ¶ | |||
| Email: warren@kumari.net | Email: warren@kumari.net | |||
| Colin Doyle | Colin Doyle | |||
| Juniper Networks | Juniper Networks | |||
| 1133 Innovation Way | 1133 Innovation Way | |||
| Sunnyvale, CA 94089 | Sunnyvale, CA 94089 | |||
| US | US | |||
| Email: cdoyle@juniper.net | Email: cdoyle@juniper.net | |||
End of changes. 5 change blocks. 3 lines changed or deleted, 5 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/