idnits 2.17.1 draft-ietf-netconf-zerotouch-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 6 instances of too long lines in the document, the longest one being 4 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1640 has weird spacing: '...on-type enu...' == Line 1645 has weird spacing: '...ey-data str...' == Line 1649 has weird spacing: '...ificate bin...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 31, 2016) is 2731 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC7468' is defined on line 2506, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2315 ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Downref: Normative reference to an Informational RFC: RFC 6234 Summary: 4 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETCONF Working Group K. Watsen 3 Internet-Draft Juniper Networks 4 Intended status: Standards Track M. Abrahamsson 5 Expires: May 4, 2017 T-Systems 6 October 31, 2016 8 Zero Touch Provisioning for NETCONF or RESTCONF based Management 9 draft-ietf-netconf-zerotouch-11 11 Abstract 13 This draft presents a secure technique for establishing a NETCONF or 14 RESTCONF connection between a newly deployed device, configured with 15 just its factory default settings, and its deployment specific 16 network management system (NMS). 18 Editorial Note (To be removed by RFC Editor) 20 This draft contains many placeholder values that need to be replaced 21 with finalized values at the time of publication. This note 22 summarizes all of the substitutions that are needed. Please note 23 that no other RFC Editor instructions are specified anywhere else in 24 this document. 26 This document contains references to other drafts in progress, both 27 in the Normative References section, as well as in body text 28 throughout. Please update the following references to reflect their 29 final RFC assignments: 31 o draft-ietf-netconf-call-home 33 o draft-ietf-netconf-restconf 35 o draft-ieft-netconf-server-model 37 o draft-ietf-anima-bootstrapping-keyinfra 39 Artwork in this document contains shorthand references to drafts in 40 progress. Please apply the following replacements: 42 o "XXXX" --> the assigned RFC value for this draft 44 Artwork in this document contains placeholder values for the date of 45 publication of this draft. Please apply the following replacement: 47 o "2016-10-31" --> the publication date of this draft 48 The following one Appendix section is to be removed prior to 49 publication: 51 o Appendix A. Change Log 53 Status of This Memo 55 This Internet-Draft is submitted in full conformance with the 56 provisions of BCP 78 and BCP 79. 58 Internet-Drafts are working documents of the Internet Engineering 59 Task Force (IETF). Note that other groups may also distribute 60 working documents as Internet-Drafts. The list of current Internet- 61 Drafts is at http://datatracker.ietf.org/drafts/current/. 63 Internet-Drafts are draft documents valid for a maximum of six months 64 and may be updated, replaced, or obsoleted by other documents at any 65 time. It is inappropriate to use Internet-Drafts as reference 66 material or to cite them other than as "work in progress." 68 This Internet-Draft will expire on May 4, 2017. 70 Copyright Notice 72 Copyright (c) 2016 IETF Trust and the persons identified as the 73 document authors. All rights reserved. 75 This document is subject to BCP 78 and the IETF Trust's Legal 76 Provisions Relating to IETF Documents 77 (http://trustee.ietf.org/license-info) in effect on the date of 78 publication of this document. Please review these documents 79 carefully, as they describe your rights and restrictions with respect 80 to this document. Code Components extracted from this document must 81 include Simplified BSD License text as described in Section 4.e of 82 the Trust Legal Provisions and are provided without warranty as 83 described in the Simplified BSD License. 85 Table of Contents 87 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 88 1.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 4 89 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 90 1.3. Requirements Language . . . . . . . . . . . . . . . . . . 6 91 1.4. Tree Diagram Notation . . . . . . . . . . . . . . . . . . 7 92 2. Guiding Principles . . . . . . . . . . . . . . . . . . . . . 7 93 2.1. Trust Anchors . . . . . . . . . . . . . . . . . . . . . . 7 94 2.2. Conveying Trust . . . . . . . . . . . . . . . . . . . . . 7 95 2.3. Conveying Ownership . . . . . . . . . . . . . . . . . . . 8 97 3. Types of Information . . . . . . . . . . . . . . . . . . . . 9 98 3.1. Redirect Information . . . . . . . . . . . . . . . . . . 9 99 3.2. Bootstrap Information . . . . . . . . . . . . . . . . . . 10 100 4. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 11 101 4.1. Information Type . . . . . . . . . . . . . . . . . . . . 11 102 4.2. Signature . . . . . . . . . . . . . . . . . . . . . . . . 11 103 4.3. Ownership Voucher . . . . . . . . . . . . . . . . . . . . 11 104 4.4. Owner Certificate . . . . . . . . . . . . . . . . . . . . 12 105 4.5. Voucher Revocation . . . . . . . . . . . . . . . . . . . 12 106 4.6. Certificate Revocation . . . . . . . . . . . . . . . . . 13 107 5. Artifact Groupings . . . . . . . . . . . . . . . . . . . . . 14 108 5.1. Unsigned Information . . . . . . . . . . . . . . . . . . 15 109 5.2. Signed Information (without Revocations) . . . . . . . . 15 110 5.3. Signed Information (with Revocations) . . . . . . . . . . 16 111 6. Sources of Bootstrapping Data . . . . . . . . . . . . . . . . 16 112 6.1. Removable Storage . . . . . . . . . . . . . . . . . . . . 16 113 6.2. DNS Server . . . . . . . . . . . . . . . . . . . . . . . 18 114 6.3. DHCP Server . . . . . . . . . . . . . . . . . . . . . . . 19 115 6.4. Bootstrap Server . . . . . . . . . . . . . . . . . . . . 20 116 7. Workflow Overview . . . . . . . . . . . . . . . . . . . . . . 22 117 7.1. Onboarding and Ordering Devices . . . . . . . . . . . . . 22 118 7.2. Owner Stages the Network for Bootstrap . . . . . . . . . 25 119 7.3. Device Powers On . . . . . . . . . . . . . . . . . . . . 27 120 8. Device Details . . . . . . . . . . . . . . . . . . . . . . . 29 121 8.1. Factory Default State . . . . . . . . . . . . . . . . . . 29 122 8.2. Boot Sequence . . . . . . . . . . . . . . . . . . . . . . 30 123 8.3. Processing a Source of Bootstrapping Data . . . . . . . . 31 124 8.4. Validating Signed Data . . . . . . . . . . . . . . . . . 32 125 8.5. Processing Redirect Information . . . . . . . . . . . . . 33 126 8.6. Processing Bootstrap Information . . . . . . . . . . . . 34 127 9. RESTCONF API for Bootstrap Servers . . . . . . . . . . . . . 35 128 9.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 35 129 9.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 37 130 10. Security Considerations . . . . . . . . . . . . . . . . . . . 49 131 10.1. Immutable storage for trust anchors . . . . . . . . . . 50 132 10.2. Clock Sensitivity . . . . . . . . . . . . . . . . . . . 50 133 10.3. Blindly authenticating a bootstrap server . . . . . . . 50 134 10.4. Entropy loss over time . . . . . . . . . . . . . . . . . 51 135 10.5. Serial Numbers . . . . . . . . . . . . . . . . . . . . . 51 136 10.6. Sequencing Sources of Bootstrapping Data . . . . . . . . 51 137 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 51 138 11.1. The BOOTP Manufacturer Extensions and DHCP Options 139 Registry . . . . . . . . . . . . . . . . . . . . . . . . 51 140 11.1.1. DHCP v4 Option . . . . . . . . . . . . . . . . . . . 51 141 11.1.2. DHCP v6 Option . . . . . . . . . . . . . . . . . . . 52 142 11.2. The IETF XML Registry . . . . . . . . . . . . . . . . . 53 143 11.3. The YANG Module Names Registry . . . . . . . . . . . . . 53 144 12. Other Considerations . . . . . . . . . . . . . . . . . . . . 53 145 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 53 146 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 147 14.1. Normative References . . . . . . . . . . . . . . . . . . 54 148 14.2. Informative References . . . . . . . . . . . . . . . . . 55 149 Appendix A. API Examples . . . . . . . . . . . . . . . . . . . . 57 150 A.1. Unsigned Redirect Information . . . . . . . . . . . . . . 57 151 A.2. Signed Redirect Information . . . . . . . . . . . . . . . 58 152 A.3. Unsigned Bootstrap Information . . . . . . . . . . . . . 61 153 A.4. Signed Bootstrap Information . . . . . . . . . . . . . . 63 154 A.5. Progress Notifications . . . . . . . . . . . . . . . . . 67 155 Appendix B. Artifact Examples . . . . . . . . . . . . . . . . . 69 156 B.1. Redirect Information . . . . . . . . . . . . . . . . . . 69 157 B.2. Bootstrap Information . . . . . . . . . . . . . . . . . . 69 158 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 69 159 C.1. ID to 00 . . . . . . . . . . . . . . . . . . . . . . . . 69 160 C.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 70 161 C.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 70 162 C.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 71 163 C.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 71 164 C.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 71 165 C.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 71 166 C.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 72 167 C.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 72 168 C.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 72 169 C.11. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 72 170 C.12. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 73 171 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 73 173 1. Introduction 175 A fundamental business requirement for any network operator is to 176 reduce costs where possible. For network operators, deploying 177 devices to many locations can be a significant cost, as sending 178 trained specialists to each site to do installations is both cost 179 prohibitive and does not scale. 181 This document defines a bootstrapping strategy enabling devices to 182 securely obtain bootstrapping data with no installer input, beyond 183 physical placement and connecting network and power cables. The 184 ultimate goal of this document is to enable a secure NETCONF 185 [RFC6241] or RESTCONF [draft-ietf-netconf-restconf] connection to the 186 deployment specific network management system (NMS). 188 1.1. Use Cases 190 o Connecting to a remotely administered network 191 This use-case involves scenarios, such as a remote branch 192 office or convenience store, whereby a device connects as an 193 access gateway to an ISP's network. Assuming it is not 194 possible to customize the ISP's network to provide any 195 bootstrapping support, and with no other nearby device to 196 leverage, the device has no recourse but to reach out to an 197 Internet-based bootstrap server to bootstrap off of. 199 o Connecting to a locally administered network 201 This use-case covers all other scenarios and differs only in 202 that the device may additionally leverage nearby devices, which 203 may direct it to use a local service to bootstrap off of. If 204 no such information is available, or the device is unable to 205 use the information provided, it can then reach out to network 206 just as it would for the remotely administered network use- 207 case. 209 1.2. Terminology 211 This document uses the following terms: 213 Artifact: The term "artifact" is used throughout to represent the 214 any of the six artifacts defined in Section 4. These artifacts 215 collectively provide all the bootstrapping data a device needs. 217 Bootstrapping Data: The term "bootstrapping data" is used throughout 218 this document to refer to the collection of data that a device 219 may obtain from any source of bootstrapping data. Specifically, 220 it refers to the artifacts defined in Section 4. 222 Bootstrap Information: The term "bootstrap information" is used 223 herein to refer to one of the bootstrapping artifacts defined in 224 Section 4. Specifically, bootstrap information is the 225 bootstrapping data that guides a device to, for instance, install 226 a specific boot-image and commit a specific configuration. 228 Bootstrap Server: The term "bootstrap server" is used within this 229 document to mean any RESTCONF server implementing the YANG module 230 defined in Section 9.2. 232 Device: The term "device" is used throughout this document to refer 233 to the network element that needs to be bootstrapped. See 234 Section 8 for more information about devices. 236 Initial Secure Device Identifier (IDevID): The term "IDevID" is 237 defined in [Std-802.1AR-2009] as the secure device identifier 238 (DevID) installed on the device by the manufacturer. This 239 identifier is used in this document to enable a Bootstrap Server 240 to securely identify and authenticate a device. 242 Manufacturer: The term "manufacturer is used herein to refer to the 243 manufacturer of a device or a delegate of the manufacturer. 245 Network Management System (NMS): The acronym "NMS" is used 246 throughout this document to refer to the deployment specific 247 management system that the bootstrapping process is responsible 248 for introducing devices to. From a device's perspective, when 249 the bootstrapping process has completed, the NMS is a NETCONF or 250 RESTCONF client. 252 Owner: See Rightful Owner. 254 Redirect Information: The term "bootstrap information" is used 255 herein to refer to one of the bootstrapping artifacts defined in 256 Section 4. Specifically, redirect information is the 257 bootstrapping data that directs a device to connect to a 258 bootstrap server. 260 Redirect Server: The term "redirect server" is used to refer to a 261 subset of bootstrap servers that only returns redirect 262 information. A redirect server is particularly useful when 263 hosted by a manufacturer, to redirect devices to deployment- 264 specific bootstrap servers. 266 Rightful Owner: The term "rightful owner" is used herein to refer to 267 the person or organization that purchased or otherwise owns a 268 device. Ownership is further described in Section 2.3. 270 Signed Data: The term "signed data" is used throughout to mean 271 either redirect information or bootstrap information that has 272 been signed by a device's rightful owner's private key. 274 Unsigned Data: The term "unsigned data" is used throughout to mean 275 either redirect rnformation or bootstrap information that has not 276 been signed by a device's rightful owner's private key. 278 1.3. Requirements Language 280 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 281 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the 282 sections below are to be interpreted as described in RFC 2119 283 [RFC2119]. 285 1.4. Tree Diagram Notation 287 A simplified graphical representation of the data models is used in 288 this document. The meaning of the symbols in these diagrams is as 289 follows: 291 o Brackets "[" and "]" enclose list keys. 293 o Braces "{" and "}" enclose feature names, and indicate that the 294 named feature must be present for the subtree to be present. 296 o Abbreviations before data node names: "rw" (read-write) represents 297 configuration data and "ro" (read-only) represents state data. 299 o Symbols after data node names: "?" means an optional node, "!" 300 means a presence container, and "*" denotes a list and leaf-list. 302 o Parentheses enclose choice and case nodes, and case nodes are also 303 marked with a colon (":"). 305 o Ellipsis ("...") stands for contents of subtrees that are not 306 shown. 308 2. Guiding Principles 310 This section provides overarching principles guiding the solution 311 presented in this document. 313 2.1. Trust Anchors 315 A trust anchor is used in cryptography to represent an entity in 316 which trust is implicit and not derived. In public key 317 infrastructure using X.509 certificates, a root certificate is the 318 trust anchor, from which a chain of trust is derived. The solution 319 presented in this document requires that all the entities involved 320 (e.g., devices, bootstrap servers, NMSs) possess specific trust 321 anchors in order to ensure mutual authentication throughout the zero 322 touch bootstrapping process. 324 2.2. Conveying Trust 326 A device in its factory default state possesses a limited set of 327 manufacturer specified trust anchors. In this document, there are 328 two types of trust anchors of interest. The first type of trust 329 anchor is used to authenticate a secure (e.g., HTTPS) connection to, 330 for instance, a manufacturer-hosted Internet-based bootstrap server. 331 The second type of trust anchor is used to authenticate manufacturer- 332 signed data, such as the ownership voucher artifact described in 333 Section 4.3. 335 Using the first type of trust anchor, trust is conveyed by the device 336 first authenticating the server (e.g., a bootstrap server), and then 337 by the device trusting that the server would only provide data that 338 its rightful owner staged for it to find. Thereby the device can 339 trust any information returned from the server. 341 Using the second type of trust anchor, trust is conveyed by the 342 device first authenticating that an artifact has been signed by its 343 rightful owner, and thereby can trust any information held within the 344 artifact. 346 Notably, redirect information, as described in Section 3.1, may 347 include more trust anchors, which illustrates another way in which 348 trust can be conveyed. 350 2.3. Conveying Ownership 352 The ultimate goal of this document is to enable a device to establish 353 a secure connection with its rightful owner's NMS. This entails the 354 manufacturer being able to track who is the rightful owner of a 355 device (not defined in this document), as well as an ability to 356 convey that information to devices (defined in this document). 358 Matching the two ways to convey trust (Section 2.2), this document 359 provides two ways to convey ownership, by using a trusted bootstrap 360 server (Section 6.4) or by using an ownership voucher (Section 4.3). 362 When a device connects to a trusted bootstrap server, one that was 363 preconfigured into its factory default configuration, it implicitly 364 trusts that the bootstrap server would only provide data that its 365 rightful owner staged for it to find. That is, ownership is conveyed 366 by the administrator of the bootstrap server (e.g., a manufacturer) 367 taking the onus of ensuring that only data configured by a device's 368 rightful owner is made available to the device. With this approach, 369 the assignment of a device to an owner is ephemeral, as the 370 administrator can reassign a device to another owner at any time. 372 When a device is presented signed bootstrapping data, it can 373 authenticate that its rightful owner provided the data by verifying 374 the signature over the data using an additional artifact defined 375 within this document, the ownership voucher. With this approach, 376 ownership is conveyed by the manufacturer (or delegate) taking the 377 onus of ensuring that the ownership vouchers it issues are accurate 378 and, in some cases, also ensuring timely voucher revocations 379 (Section 4.5). 381 3. Types of Information 383 This document defines two types of information, redirect information 384 and bootstrap information, that devices access during the 385 bootstrapping process. These two types of information are described 386 in this section. 388 3.1. Redirect Information 390 Redirect information provides information to redirect a device to a 391 bootstrap server. Redirect information encodes a list of bootstrap 392 servers, each defined by its hostname or IP address, an optional 393 port, and an optional trust anchor certificate. 395 Redirect information is YANG modeled data formally defined by the 396 "redirect-information" grouping in the YANG module presented in 397 Section 9.2. This grouping has the tree diagram shown below. Please 398 see Section 1.4 for tree diagram notation. 400 +--:(redirect-information) 401 +--ro redirect-information 402 +--ro bootstrap-server* [address] 403 +--ro address inet:host 404 +--ro port? inet:port-number 405 +--ro trust-anchor? binary 407 Redirect information MAY be trusted or untrusted. The redirect 408 information is trusted whenever it is obtained via a secure 409 connection to a trusted bootstrap server, or whenever it is signed by 410 the device's rightful owner. In all other cases, the redirect 411 information is untrusted. 413 Trusted redirect information is useful for enabling a device to 414 establish a secure connection to a bootstrap server, which is 415 possible when the redirect information includes the bootstrap 416 server's trust anchor certificate. When a device is able to 417 establish a secure connection to a bootstrap server, the 418 bootstrapping data does not have to be signed in order to be trusted, 419 as described in Section 2.2. 421 Untrusted redirect information is useful for directing a device to a 422 bootstrap server where signed data has been staged for it to obtain. 423 When the redirect information is untrusted, the device MUST discard 424 any potentially included trust anchor certificates. When the 425 redirect information is untrusted, a device MAY establish a 426 provisional connection to any of the specified bootstrap servers. A 427 provisional connection is accomplished by the device blindly 428 accepting the bootstrap server's TLS certificate. In this case, the 429 device MUST NOT trust the bootstrap server, and data provided by the 430 bootstrap server MUST be signed for it to be of any use to the 431 device. 433 How devices process redirect information is described more formally 434 in Section 8.5. 436 3.2. Bootstrap Information 438 Bootstrap information provides all the data necessary for a device to 439 bootstrap itself, in order to be considered ready to be managed 440 (e.g., by an NMS). As defined in this document, this data includes 441 information about a boot image the device MUST be running, an initial 442 configuration the device MUST commit, and optional scripts that, if 443 specified, the device MUST successfully execute. 445 Bootstrap information is YANG modeled data formally defined by the 446 "bootstrap-information" grouping in the YANG module presented in 447 Section 9.2. This grouping has the tree diagram shown below. Please 448 see Section 1.4 for tree diagram notation. 450 +--:(bootstrap-information) 451 +--ro bootstrap-information 452 +--ro boot-image 453 | +--ro name string 454 | +--ro (hash-algorithm) 455 | | +--:(sha256) 456 | | +--ro sha256? string 457 | +--ro uri* inet:uri 458 +--ro configuration-handling enumeration 459 +--ro pre-configuration-script? script 460 +--ro configuration? 461 +--ro post-configuration-script? script 463 Bootstrap information MUST be trusted for it to be of any use to a 464 device. There is no option for a device to process untrusted 465 bootstrap information. 467 Bootstrap information is trusted whenever it is obtained via a secure 468 connection to a trusted bootstrap server, or whenever it is signed by 469 the device's rightful owner. In all other cases, the bootstrap 470 information is untrusted. 472 How devices process bootstrap information is described more formally 473 in Section 8.6. 475 4. Artifacts 477 This document defines six artifacts that can be made available to 478 devices while they are bootstrapping. As will be seen in Section 6, 479 each source of bootstrapping information specifies a means for 480 providing each of the artifacts defined in this section. 482 4.1. Information Type 484 The information type artifact encodes the essential bootstrapping 485 data for the device. This artifact is used to encode the redirect 486 information and bootstrap information types discussed in Section 3. 488 The information type artifact is YANG modeled data formally defined 489 by the "information-type" choice node in Section 9.2 and can be 490 encoded using any standard YANG encoding (e.g., XML, JSON). 492 4.2. Signature 494 The signature artifact is used by a device to verify that an 495 information type artifact was created by the device's rightful owner. 496 The signature is generated using the owner's private key over the 497 information-type artifact, in whatever encoding it is presented in 498 (e.g., XML, JSON, etc.). How signed data is validated is formally 499 described in Section 8.4. 501 The signature artifact is formally a PKCS#7 SignedData structure as 502 specified by Section 9.1 of [RFC2315], containing just the signature 503 (no content, certificates, or CRLs), encoded using ASN.1 504 distinguished encoding rules (DER), as specified in ITU-T X.690. 506 4.3. Ownership Voucher 508 The ownership voucher is used to securely identify a device's owner, 509 as it is known to the manufacturer. The ownership voucher is signed 510 by the device's manufacturer or delegate. 512 The ownership voucher is used by a device to verify the owner 513 certificate (Section 4.4) that the device SHOULD have also received, 514 as described in Section 5. In particular, the device verifies that 515 owner certificate's chain of trust includes the trusted certificate 516 included in the voucher, and also verifies that the owner certificate 517 contains an identifier matching the one specified in the voucher. 519 In order to validate the voucher, a device MUST verify that the 520 voucher was signed by the private key associated with a trusted 521 certificate known to the device in its factory default state, as 522 described in Section 8.1, and the device MUST verify that the 523 voucher's expression for the devices that it applies to includes the 524 device's unique identifier (e.g., serial number) and, for devices 525 that insist on verifying voucher revocation status, the device MUST 526 verify that the voucher has neither expired nor been revoked. 528 The ownership voucher artifact, including its encoding, is formally 529 defined in [draft-kwatsen-netconf-voucher]. 531 4.4. Owner Certificate 533 The owner certificate artifact is a certificate that is used to 534 identify an 'owner' (e.g., an organization), as known to a trusted 535 certificate authority. The owner certificate is signed by the 536 trusted certificate authority. 538 The owner certificate is used by a device to verify the signature 539 artifact (Section 4.2) that the device SHOULD have also received, as 540 described in Section 5. In particular, the device verifies signature 541 using the public key in the owner certificate over the information 542 type artifact (Section 4.1). 544 In order to validate the owner certificate, a device MUST verify that 545 the owner certificate's certificate chain includes the certificate 546 specified by the ownership voucher (Section 4.3) that the device 547 SHOULD have also received, as described in Section 5, and the device 548 MUST verify that owner certificate contains an identifier matching 549 the one specified in the voucher and, for devices that insist on 550 verifying certificate revocation status, the device MUST verify that 551 the certificate has neither expired nor been revoked. 553 The owner certificate artifact is formally an unsigned PKCS #7 554 SignedData structure as specified by RFC 2315 [RFC2315], Section 9.1, 555 containing just certificates (no content, signatures, or CRLs), 556 encoded using ASN.1 distinguished encoding rules (DER), as specified 557 in ITU-T X.690. 559 The owner certificate artifact contains, in order, the owner 560 certificate itself and all intermediate certificates leading up to a 561 trust anchor certificate. The owner certificate MAY optionally 562 include the trust anchor certificate. 564 4.5. Voucher Revocation 566 The voucher revocation artifact is used to verify the revocation 567 status of vouchers. Voucher revocations are signed by the 568 manufacturer or delegate (i.e. the issuer of the voucher). 570 Voucher revocations are generally needed when it is critical for 571 devices to know that assurances implied at the time the voucher was 572 signed are still valid at the time the voucher is being processed. 574 The need for devices to insist on verifying voucher revocation status 575 is a decision for each manufacturer. If voucher revocation status 576 verification is not asserted, then the ownership vouchers are 577 essentially forever, which may be acceptable for various kinds of 578 devices. If revocations are supported, then it becomes possible to 579 support various scenarios such as handling a key compromise or change 580 in ownership. 582 If voucher revocations are supported, devices MAY dynamically obtain 583 the voucher revocation artifact (or equivalents) from an Internet 584 based resource. If the access to the Internet based resource is 585 sufficiently reliable, then there may not be a need for the voucher 586 revocation artifact to be supplied by any other means (e.g., 587 Section 6). However, since the access may not be sufficiently 588 reliable, support for this artifact is defined herein. 590 The voucher revocation artifact is used by a device to verify the 591 ownership voucher (Section 4.3) that the device SHOULD have also 592 received, as described in Section 5. In particular, the device 593 verifies that the voucher revocation explicitly states either that 594 the given voucher is valid or that it is not invalid. 596 In order to validate a voucher revocation artifact, a device MUST 597 verify that it was signed by a private key associated with a trusted 598 certificate known to the device in its factory default state, as 599 described in Section 8.1, and the device MUST verify that the voucher 600 revocation hasn't expired, and the device SHOULD verify that the 601 revocation is sufficiently fresh, per local policy. 603 The voucher revocation artifact, including its encoding, is formally 604 defined in [draft-kwatsen-netconf-voucher]. 606 4.6. Certificate Revocation 608 The certificate revocation artifact is a list of CRLS used to verify 609 the revocation status of owner certificates. Certificate revocations 610 are signed by the certificate authority (or delegate) that issued the 611 owner certificate. 613 Certificate revocations are generally needed when it is critical for 614 devices to know that assurances implied at the time the certificate 615 was signed are still valid at the time the certificate is being 616 processed. 618 The need for devices to insist on verifying certificate revocation 619 status is a decision for each manufacturer. If certificate 620 revocation status verification is not asserted, then the owner 621 certificates are essentially forever, which may be acceptable for 622 various kinds of devices. If revocations are supported, then it 623 becomes possible to support various scenarios such as handling a key 624 compromise or expiration. 626 If certificate revocations are supported, devices MAY dynamically 627 obtain the certificate revocation artifact from an Internet based 628 resource (using a CRL distribution point or an OCSP responder). If 629 the access to the Internet based resource is sufficiently reliable, 630 then there may not be a need for the certificate revocation artifact 631 to be supplied by any other means (e.g., Section 6). However, since 632 the access may not be sufficiently reliable, support for this 633 artifact is defined herein, so that the voucher revocation artifact 634 can be distributed by any source of bootstrapping data. 636 The certificate revocation artifact is used by a device to verify the 637 owner certificate (Section 4.4) that the device SHOULD have also 638 received, as described in Section 5. In particular, the device 639 verifies that the certificate revocation explicitly states either 640 that the given certificate is valid or that it is not invalid. 642 In order to validate the CRLs contained with the certificate 643 revocation artifact, a device MUST verify that the CRL was signed by 644 a private key associated certificate's issuer (or delegate), and the 645 device MUST verify that the CRL hasn't expired, and the device SHOULD 646 verify that the revocation is sufficiently fresh, per local policy. 648 The certificate revocation artifact is formally an unsigned PKCS #7 649 SignedData structure as specified by RFC 2315 [RFC2315], Section 9.1, 650 containing just CRLs (no content, signatures, or certificates), 651 encoded using ASN.1 distinguished encoding rules (DER), as specified 652 in ITU-T X.690. 654 The certificate revocation artifact contains, in order, the CRL for 655 the owner certificate itself and the CRLs for all intermediate 656 certificates leading up to but not including a trust anchor 657 certificate. 659 5. Artifact Groupings 661 Section 4 lists all the possible bootstrapping artifacts, but only 662 certain groupings of these artifacts make sense to return in the 663 various bootstrapping situations described in this document. The 664 remainder of this section identifies these groupings to further 665 clarify how the artifacts are used. 667 5.1. Unsigned Information 669 The first grouping of artifacts is for unsigned information. That 670 is, when the information type artifact (Section 4.1) has not been 671 signed. 673 Unsigned information is useful for cases when transport level 674 security can be used to convey trust (e.g., HTTPS), or when the 675 information can be processed in a provisional manner (i.e. unsigned 676 redirect information). 678 Conveying unsigned information entails communicating just one of the 679 six artifacts listed in Section 4, namely the information type 680 artifact. 682 List of artifacts included in this grouping: 683 - information type 685 5.2. Signed Information (without Revocations) 687 The second grouping of artifacts is for when the information type 688 artifact (Section 4.1) has been signed, without any revocation 689 information. 691 Signed information is needed when the information is obtained from an 692 untrusted source of bootstrapping data (Section 6) and yet it is 693 desired that the device be able to trust the information (i.e. no 694 provisional processing). 696 Revocation information may not need to be provided because, for 697 instance, the device only uses revocation information obtained 698 dynamically from Internet based resources. Another possible reason 699 may be because the device does not have a reliable clock, and 700 therefore the manufacturer decides to never revoke information (e.g., 701 ownership assignments are forever). 703 Conveying signed information without revocation information entails 704 communicating four of the six artifacts listed in Section 4. 706 List of artifacts included in this grouping: 707 - information type 708 - signature 709 - ownership voucher 710 - owner certificate 712 5.3. Signed Information (with Revocations) 714 The third grouping of artifacts is for when the information type 715 artifact (Section 4.1) has been signed and also includes revocation 716 information. 718 Signed information, as described above, is needed when the 719 information is obtained from an untrusted source of bootstrapping 720 data (Section 6) and yet it is desired that the device be able to 721 trust the information (i.e. no provisional processing). 723 Revocation information may need to be provided because, for instance, 724 the device insists on being able to verify revocations and the device 725 is deployed on a private network and therefore unable to obtain the 726 revocation information from Internet based resources. 728 Conveying signed information with revocation information entails 729 communicating all six of the artifacts listed in Section 4. 731 List of artifacts included in this grouping: 732 - information type 733 - signature 734 - ownership voucher 735 - owner certificate 736 - voucher revocations 737 - certificate revocations 739 6. Sources of Bootstrapping Data 741 This section defines some sources for zero touch bootstrapping data 742 that a device can access. The list of sources defined here is not 743 meant to be exhaustive. It is left to future documents to define 744 additional sources for obtaining zero touch bootstrapping data. 746 For each source defined in this section, details are given for how 747 each of the six artifacts listed in Section 4 is provided. 749 6.1. Removable Storage 751 A directly attached removable storage device (e.g., a USB flash 752 drive) MAY be used as a source of zero touch bootstrapping data. 754 To use a removable storage device as a source of bootstrapping data, 755 a device need only detect if the removable storage device is plugged 756 in and mount its filesystem. 758 Use of a removable storage device is compelling, as it doesn't 759 require any external infrastructure to work. It is also compelling 760 that the raw boot image file can be located on the removable storage 761 device, enabling a removable storage device to be a fully self- 762 standing bootstrapping solution. 764 A removable storage device is an untrusted source of bootstrapping 765 data. This means that the information stored on the removable 766 storage device either MUST be signed, or it MUST be information that 767 can be processed provisionally (e.g., unsigned redirect information). 769 From an artifact perspective, since a removable storage device 770 presents itself as a file-system, the bootstrapping artifacts need to 771 be presented as files. The six artifacts defined in Section 4 are 772 mapped to files below. 774 Artifact to File Mapping: 776 Information Type: Mapped to a file containing a standard YANG 777 encoding for the YANG modeled data described in Section 4.1. A 778 filenaming convention SHOULD be used to indicate data encoding 779 (e.g., boot-info.[xml|json]). 781 Signature: Mapped to a file containing the binary artifact 782 described in Section 4.2. 784 Ownership Voucher: Mapped to a file containing the binary 785 artifact described in Section 4.3. 787 Owner Certificate: Mapped to a file containing the binary 788 artifact described in Section 4.4. 790 Voucher Revocation: Mapped to a file containing the binary 791 artifact described in Section 4.5. 793 Certificate Revocation: Mapped to a file containing binary 794 artifact described in Section 4.6. 796 The format of the removable storage device's filesystem and the 797 naming of the files are outside the scope of this document. However, 798 in order to facilitate interoperability, it is RECOMMENDED devices 799 support open and/or standards based filesystems. It is also 800 RECOMMENDED that devices assume a filenaming convention that enables 801 more than one instance of bootstrapping data to exist on a removable 802 storage device. The filenaming convention SHOULD be unique to the 803 manufacturer, in order to enable bootstrapping data from multiple 804 manufacturers to exist on a removable storage device. 806 6.2. DNS Server 808 A DNS server MAY be used as a source of zero touch bootstrapping 809 data. 811 Using a DNS server may be a compelling option for deployments having 812 existing DNS infrastructure, as it enables a touchless bootstrapping 813 option that does not entail utilizing an Internet based resource 814 hosted by a 3rd-party. 816 To use a DNS server as a source of bootstrapping data, a device MAY 817 perform a multicast DNS [RFC6762] query searching for the service 818 "_zerotouch._tcp.local.". Alternatively the device MAY perform DNS- 819 SD [RFC6763] via normal DNS operation, using the domain returned to 820 it from the DHCP server; for example, searching for the service 821 "_zerotouch._tcp.example.com". 823 Unsigned DNS records (not using DNSSEC as described in [RFC6698]) are 824 an untrusted source of bootstrapping data. This means that the 825 information stored in the DNS records either MUST be signed, or it 826 MUST be information that can be processed provisionally (e.g., 827 unsigned redirect information). 829 From an artifact perspective, since a DNS server presents resource 830 records (Section 3.2.1 of [RFC1035]), the bootstrapping artifacts 831 need to be presented as resource records. The six artifacts defined 832 in Section 4 are mapped to resource records below. 834 Artifact to Resource Record Mapping: 836 Information Type: Mapped to a TXT record called "info-type" 837 containing a standard YANG encoding for the YANG modeled data 838 described in Section 4.1. Note: no additional field is 839 provided to specify the encoding. 841 Signature: Mapped to a TXT record called "sig" containing the 842 base64-encoding of the binary artifact described in 843 Section 4.2. 845 Ownership Voucher: Mapped to a TXT record called "voucher" 846 containing the base64-encoding of the binary artifact described 847 in Section 4.3. 849 Owner Certificate: Mapped to a TXT record called "cert" 850 containing the base64-encoding of the binary artifact described 851 in Section 4.4. 853 Voucher Revocation: Mapped to a TXT record called "vouch-rev" 854 containing the base64-encoding of the binary artifact described 855 in Section 4.5. 857 Certificate Revocation: Mapped to a TXT record called "cert-rev" 858 that containing the base64-encoding of the binary artifact 859 described in Section 4.6. 861 TXT records have an upper size limit of 65535 bytes (Section 3.2.1 in 862 RFC1035), since 'RDLENGTH' is a 16-bit field. Please see 863 Section 3.1.3 in RFC4408 for how a TXT record can achieve this size. 864 Due to this size limitation, some information type artifacts may not 865 fit. In particular, the bootstrap information artifact could hit 866 this upper bound, depending on the size of the included configuration 867 and scripts. 869 When bootstrap information is provided, it is notable that the URL 870 for the boot-image the device can download would have to point to 871 another server (e.g., http://, ftp://, etc.), as DNS servers do not 872 themselves distribute files. 874 6.3. DHCP Server 876 A DHCP server MAY be used as a source of zero touch bootstrapping 877 data. 879 To use a DHCP server as a source of bootstrapping data, a device need 880 only send a DHCP lease request to a DHCP server. However, the device 881 SHOULD pass the Vendor Class Identifier (option 60) field in its DHCP 882 lease request, so the DHCP server can return bootstrap information 883 shared by devices from the same vendor. However, if it is desired to 884 return device-specific bootstrap information, then the device SHOULD 885 also send the Client Identifier (option 61) field in its DHCP lease 886 request, so the DHCP server can select the specific bootstrap 887 information that has been staged for that one device. 889 Using a DHCP server may be a compelling option for deployments having 890 existing DHCP infrastructure, as it enables a touchless bootstrapping 891 option that does not entail utilizing an Internet based resource 892 hosted by a 3rd-party. 894 A DHCP server is an untrusted source of bootstrapping data. This 895 means that the information returned by the DHCP server either MUST be 896 signed, or it MUST be information that can be processed provisionally 897 (e.g., unsigned redirect information). 899 From an artifact perspective, since a DHCP server presents data as 900 DHCP options , the bootstrapping artifacts need to be presented as 901 DHCP options, specifically the ones specified in Section 11.1. The 902 six artifacts defined in Section 4 are mapped to the DHCP options 903 specified in Section 11.1 below. 905 Artifact to DHCP Option Field Mapping: 907 Information Type: Mapped to the DHCP option field "information- 908 type" containing the YANG modeled data described in 909 Section 4.1. The additional field "encoding" is provided to 910 specify the encoding used, taking the values "xml" or "json". 912 Signature: Mapped to the DHCP option field "signature" containing 913 the binary artifact described in Section 4.2. 915 Ownership Voucher: Mapped to the DHCP option field "ownership- 916 voucher" containing the binary artifact described in 917 Section 4.3. 919 Owner Certificate: Mapped to the DHCP option field "owner- 920 certificate" containing the binary artifact described in 921 Section 4.4. 923 Voucher Revocation: Mapped to the DHCP option field "voucher- 924 revocations" containing the binary artifact described in 925 Section 4.5. 927 Certificate Revocation: Mapped to the DHCP option field 928 "certificate-revocations" containing the binary artifact 929 described in Section 4.6. 931 When bootstrap information is provided, it is notable that the URL 932 for the boot-image the device can download would have to point to 933 another server (e.g., http://, ftp://, etc.), as DHCP servers do not 934 themselves distribute files. 936 6.4. Bootstrap Server 938 A bootstrap server MAY be used as a source of zero touch 939 bootstrapping data. A bootstrap server is defined as a RESTCONF 940 ([draft-ietf-netconf-restconf]) server implementing the YANG module 941 provided in Section 9. 943 Unlike any other source of bootstrap data described in this document, 944 a bootstrap server is not only a source of data, but it can also 945 receive data from devices using the YANG-defined "notification" 946 action statement defined in the YANG module (Section 9.2). The data 947 sent from devices both enables visibility into the bootstrapping 948 process (e.g., warnings and errors) as well as provides potentially 949 useful completion status information (e.g., the device's SSH host- 950 keys). 952 To use a bootstrap server as a source of bootstrapping data, a device 953 MUST use the RESTCONF protocol to access the YANG container node 954 /device/, passing its own serial number in the URL as the key to the 955 'device' list. 957 Using a bootstrap server as a source of bootstrapping data is a 958 compelling option as it uses transport-level security in lieu of 959 signed data, which may be easier to deploy in some situations. 960 Additionally, the bootstrap server is able to receive notifications 961 from devices, which may be critical to some deployments (e.g., the 962 passing of the device's SSH host keys). 964 A bootstrap server may be trusted or an untrusted source of 965 bootstrapping data, depending on how the device learned about the 966 bootstrap server's trust anchor from a trusted source. When a 967 bootstrap server is trusted, the information returned from it MAY be 968 signed. However, when the server is untrusted, in order for its 969 information to be of any use to the device, the information MUST 970 either be signed or be information that can be processed 971 provisionally (e.g., unsigned redirect information). 973 When a device is able to trust a bootstrap server, it MUST send its 974 IDevID certificate in the form of a TLS client certificate, and it 975 MUST send notifications to the bootstrap server. When a device is 976 not able to trust a bootstrap server, it MUST NOT send its IDevID 977 certificate in the form of a TLS client certificate, and it MUST NOT 978 send any notifications to the bootstrap server. 980 From an artifact perspective, since a bootstrap server presents data 981 as a YANG-modeled data, the bootstrapping artifacts need to be mapped 982 to nodes in the YANG module. The six artifacts defined in Section 4 983 are mapped to bootstrap server nodes defined in Section 9.2 below. 985 Artifact to Bootstrap Server Node Mapping: 987 Information Type: Mapped to the choice node /device/information- 988 type. 990 Signature: Mapped to the leaf node /device/signature. 992 Ownership Voucher: Mapped to the leaf node /device/ownership- 993 voucher. 995 Owner Certificate: Mapped to the leaf node /device/owner- 996 certificate. 998 Voucher Revocations: Mapped to the leaf node /device/voucher- 999 revocation. 1001 Certificate Revocations: Mapped to the leaf-list node /device/ 1002 certificate-revocation. 1004 While RESTCONF servers typically support a nested hierarchy of 1005 resources, zero touch bootstrap servers only need to support the 1006 paths /device and /device/notification. The processing instructions 1007 provided in Section 8.3 only uses these two URLs. 1009 7. Workflow Overview 1011 The zero touch solution presented in this document is conceptualized 1012 to be composed of the workflows described in this section. 1013 Implementations MAY vary in details. Each diagram is followed by a 1014 detailed description of the steps presented in the diagram, with 1015 further explanation on how implementations may vary. 1017 7.1. Onboarding and Ordering Devices 1019 The following diagram illustrates key interactions that may occur 1020 from when a prospective owner enrolls in a manufacturer's zero touch 1021 program to when the manufacturer ships devices for an order placed by 1022 the prospective owner. 1024 +-----------+ 1025 +------------+ |Prospective| +---+ 1026 |Manufacturer| | Owner | |NMS| 1027 +------------+ +-----------+ +---+ 1028 | | | 1029 | | | 1030 | 1. initiate enrollment | | 1031 #<-----------------------------| | 1032 # | | 1033 # | | 1034 # IDevID trust anchor | | 1035 #-----------------------------># set IDevID trust anchor | 1036 # #--------------------------->| 1037 # | | 1038 # bootstrap server | | 1039 # account credentials | | 1040 #-----------------------------># set credentials | 1041 # #--------------------------->| 1042 # | | 1043 # | | 1044 # owner certificate | | 1045 #-----------------------------># set certificate | 1046 | #--------------------------->| 1047 | | | 1048 | | | 1049 | 2. place device order | | 1050 |<-----------------------------# model devices | 1051 | #--------------------------->| 1052 | | | 1053 | 3. ship devices and send | | 1054 | device identifiers and | | 1055 | ownership vouchers | | 1056 |-----------------------------># set device identifiers | 1057 | # and ownership vouchers | 1058 | #--------------------------->| 1059 | | | 1061 Each numbered item below corresponds to a numbered item in the 1062 diagram above. 1064 1. A prospective owner of a manufacturer's devices, or an existing 1065 owner that wishes to start using zero touch for future device 1066 orders, initiates an enrollment process with the manufacturer or 1067 delegate. This process includes the following: 1069 * Regardless how the prospective owner intends to bootstrap 1070 their devices, they will always obtain from the manufacturer 1071 or delegate the trust anchor certificate for its device's 1072 IDevID certificates. This certificate will need to be 1073 installed on the prospective owner's NMS so that the NMS can 1074 subsequently authenticate the device's IDevID certificates. 1076 * If the manufacturer hosts an Internet based bootstrap server 1077 (e.g., a redirect server) such as described in Section 6.4, 1078 then credentials necessary to configure the bootstrap server 1079 would be provided to the prospective owner. If the bootstrap 1080 server is configurable through an API (outside the scope of 1081 this document), then the credentials might be installed on the 1082 prospective owner's NMS so that the NMS can subsequently 1083 configure the manufacturer-hosted bootstrap server directly. 1085 * If the manufacturer's devices are able to validate signed data 1086 (Section 8.4), then the manufacturer, acting as a certificate 1087 authority, may additionally sign an owner certificate for the 1088 prospective owner. Alternatively, and not depicted, the owner 1089 may obtain an owner certificate from a manufacturer-trusted 1090 3rd-party certificate authority, and report that certificate 1091 to the manufacturer. How the owner certificate is used to 1092 enable devices to validate signed bootstrapping data is 1093 described in Section 8.4. Assuming the prospective owner's 1094 NMS is able to prepare and sign the bootstrapping data, the 1095 owner certificate would be installed on the NMS at this time. 1097 2. Some time later, the prospective owner places an order with the 1098 manufacturer (or delegate), perhaps with a special flag checked 1099 for zero touch handling. At this time, or perhaps before placing 1100 the order, the owner may model the devices in their NMS, creating 1101 virtual objects for the devices with no real-world device 1102 associations. For instance the model can be used to simulate the 1103 device's location in the network and the configuration it should 1104 have when fully operational. 1106 3. When the manufacturer or delegate fulfills the order, shipping 1107 the devices to their intended locations, they may notify the 1108 owner of the devices's unique identifiers (e.g., serial numbers) 1109 and shipping destinations, which the owner may use to stage the 1110 network for when the devices power on. Additionally, the 1111 manufacturer may send one or more ownership vouchers, 1112 cryptographically assigning ownership of those devices to the 1113 rightful owner. The owner may set this information on their NMS, 1114 perhaps binding specific modeled devices to the unique 1115 identifiers and ownership vouchers. 1117 7.2. Owner Stages the Network for Bootstrap 1119 The following diagram illustrates how an owner might stage the 1120 network for bootstrapping devices. 1122 +----------+ +------------+ 1123 |Deployment| |Manufacturer| +------+ +------+ 1124 | Specific | | Hosted | | Local| | Local| +---------+ 1125 +---+ |Bootstrap | | Bootstrap | | DNS | | DHCP | |Removable| 1126 |NMS| | Server | | Server | |Server| |Server| | Storage | 1127 +---+ +----------+ +------------+ +------+ +------+ +---------+ 1128 | | | | | | 1129 activate | | | | | | 1130 modeled | | | | | | 1131 1. device | | | | | | 1132 ----------->| | | | | | 1133 | 2. (optional) | | | | 1134 | configure | | | | 1135 | bootstrap | | | | 1136 | server | | | | 1137 |------->| | | | | 1138 | | | | | | 1139 | 3. (optional) configure | | | 1140 | bootstrap server | | | | 1141 |--------------------->| | | | 1142 | | | | | | 1143 | | | | | | 1144 | 4. (optional) configure DNS server| | | 1145 |---------------------------------->| | | 1146 | | | | | | 1147 | | | | | | 1148 | 5. (optional) configure DHCP server | | 1149 |------------------------------------------->| | 1150 | | | | | | 1151 | | | | | | 1152 | 6. (optional) store bootstrapping artifacts on media | 1153 |----------------------------------------------------->| 1154 | | | | | | 1155 | | | | | | 1157 Each numbered item below corresponds to a numbered item in the 1158 diagram above. 1160 1. Having previously modeled the devices, including setting their 1161 fully operational configurations and associating both device 1162 identifiers (e.g., serial numbers) and ownership vouchers, the 1163 owner "activates" one or more modeled devices. That is, the 1164 owner tells the NMS to perform the steps necessary to prepare for 1165 when the real-world devices power up and initiate the 1166 bootstrapping process. Note that, in some deployments, this step 1167 might be combined with the last step from the previous workflow. 1168 Here it is depicted that an NMS performs the steps, but they may 1169 be performed manually or through some other mechanism. 1171 2. If it is desired to use a deployment specific bootstrap server, 1172 it MUST be configured to provide the bootstrapping information 1173 for the specific devices. Configuring the bootstrap server MAY 1174 occur via a programmatic API not defined by this document. 1175 Illustrated here as an external component, the bootstrap server 1176 MAY be implemented as an internal component of the NMS itself. 1178 3. If it is desired to use a manufacturer (or delegate) hosted 1179 bootstrap server, it MUST be configured to provide the 1180 bootstrapping information for the specific devices. The 1181 configuration MUST be either redirect or bootstrap information. 1182 That is, either the manufacturer hosted bootstrap server will 1183 redirect the device to another bootstrap server, or provide the 1184 device with its bootstrapping information itself. The types of 1185 bootstrapping information the manufacturer hosted bootstrap 1186 server supports MAY vary by implementation; some implementations 1187 may only support redirect information, or only support bootstrap 1188 information, or support both redirect and bootstrap information. 1189 Configuring the bootstrap server MAY occur via a programmatic API 1190 not defined by this document. 1192 4. If it is desired to use a DNS server to supply bootstrapping 1193 information, a DNS server needs to be configured. If multicast 1194 DNS-SD is desired, then the server MUST reside on the local 1195 network, otherwise the DNS server MAY reside on a remote network. 1196 Please see Section 6.2 for more information about how to 1197 configure DNS servers. Configuring the DNS server MAY occur via 1198 a programmatic API not defined by this document. 1200 5. If it is desired to use a DHCP server to supply bootstrapping 1201 data, a DHCP server needs to be configured. The DHCP server may 1202 be accessed directly or via a DHCP relay. Please see Section 6.3 1203 for more information about how to configure DHCP servers. 1204 Configuring the DHCP server MAY occur via a programmatic API not 1205 defined by this document. 1207 6. If it is desired to use a removable storage device (e.g., USB 1208 flash drive) to supply bootstrapping information, the information 1209 would need to be placed onto it. Please see Section 6.1 for more 1210 information about how to configure a removable storage device. 1212 7.3. Device Powers On 1214 The following diagram illustrates the sequence of activities that 1215 occur when a device powers on. 1217 +----------+ 1218 +-----------+ |Deployment| 1219 | Source of | | Specific | 1220 +------+ | Bootstrap | |Bootstrap | +---+ 1221 |Device| | Data | | Server | |NMS| 1222 +------+ +-----------+ +----------+ +---+ 1223 | | | | 1224 | | | | 1225 | 1. if running a modified (not | | | 1226 | factory default) configuration, | | | 1227 | then exit. | | | 1228 | | | | 1229 | 2. for each source supported, check | | | 1230 |------------------------------------->| | | 1231 | | | | 1232 | 3. if bootstrap-information found, | | | 1233 | initialize self and, only if | | | 1234 | source is a bootstrap server, | | | 1235 | send notifications | | | 1236 |-------------------------------------># | | 1237 | # webhook | | 1238 | #----------------------->| 1239 | | | 1240 | 4. else if redirect-information found, for | | 1241 | each bootstrap server specified, check | | 1242 |-+-------------------------------------------------->| | 1243 | | | | 1244 | | if more redirect-information is found, recurse | | 1245 | | (not depicted), else if bootstrap-information | | 1246 | | found, initialize self and post notifications | | 1247 | +--------------------------------------------------># | 1248 | # webhook | 1249 | #-------->| 1250 | 1251 | 5. retry sources and/or wait for manual provisioning. 1252 | 1254 The interactions in the above diagram are described below. 1256 1. Upon power being applied, the device's bootstrapping logic first 1257 checks to see if it is running in its factory default state. If 1258 it is in a modified state, then the bootstrapping logic exits and 1259 none of the following interactions occur. 1261 2. For each source of bootstrapping data the device supports, 1262 preferably in order of closeness to the device (e.g., removable 1263 storage before Internet based servers), the device checks to see 1264 if there is any bootstrapping data for it there. 1266 3. If bootstrap-information is found, the device initializes itself 1267 accordingly (e.g., installing a boot-image and committing an 1268 initial configuration). If the source is a bootstrap server, and 1269 the bootstrap server can be trusted (i.e., TLS-level 1270 authentication), the device also sends progress notifications to 1271 the bootstrap server. 1273 * The contents of the initial configuration SHOULD configure an 1274 administrator account on the device (e.g., username, ssh-rsa 1275 key, etc.) and SHOULD configure the device either to listen 1276 for NETCONF or RESTCONF connections or to initiate call home 1277 connections ([draft-ietf-netconf-call-home]). 1279 * If the bootstrap server supports forwarding device 1280 notifications to external systems (e.g., via a webhook), the 1281 "bootstrap-complete" notification (Section 9.2) informs the 1282 external system to know when it can, for instance, initiate a 1283 connection to the device (assuming it knows the device's 1284 address and the device was configured to listen for 1285 connections). To support this further, the bootstrap-complete 1286 notification also relays the device's SSH host keys and/or TLS 1287 certificates, with which the external system can use to 1288 authenticate subsequent connections to the device. 1290 If the device is ever able to complete the bootstrapping process 1291 successfully (i.e., no longer running its factory default 1292 configuration), it exits the bootstrapping logic without 1293 considering any additional sources of bootstrapping data. 1295 4. Otherwise, if redirect-information is found, the device iterates 1296 through the list of specified bootstrap servers, checking to see 1297 if there is any bootstrapping data for it on them. If the 1298 bootstrap server returns more redirect-information, then the 1299 device processes it recursively. Otherwise, if the bootstrap 1300 server returns bootstrap-information, the device processes it 1301 following the description provided in (3) above. 1303 5. After having tried all supported sources of bootstrapping data, 1304 the device MAY retry again all the sources and/or provide 1305 manageability interfaces for manual configuration (e.g., CLI, 1306 HTTP, NETCONF, etc.). If manual configuration is allowed, and 1307 such configuration is provided, the device MUST immediately cease 1308 trying to obtain bootstrapping data, as it would then no longer 1309 be in running its factory default configuration. 1311 8. Device Details 1313 Devices supporting the bootstrapping strategy described in this 1314 document MUST have the preconfigured factory default state and 1315 bootstrapping logic described in the following sections. 1317 8.1. Factory Default State 1319 +------------------------------------------------------------------+ 1320 | | 1321 | | 1322 | +----------------------------------------------------------+ | 1323 | | | | 1324 | | | | 1325 | | 1. IDevID cert & associated intermediate certificate(s) | | 1326 | | 2. list of trusted Internet based bootstrap servers | | 1327 | | 3. list of trust anchor certs for bootstrap servers | | 1328 | | 4. trust anchor cert for ownership vouchers | | 1329 | +----------------------------------------------------------+ | 1330 | | 1331 | +----------------------+ | 1332 | | | | 1333 | | | | 1334 | | 5. private key | | 1335 | +----------------------+ | 1336 | | 1337 +------------------------------------------------------------------+ 1339 Each numbered item below corresponds to a numbered item in the 1340 diagram above. 1342 1. Devices MUST be manufactured with an initial device identifier 1343 (IDevID), as defined in [Std-802.1AR-2009]. The IDevID is an 1344 X.509 certificate, encoding the device's unique device identifier 1345 (e.g., serial number). The device MUST also possess any 1346 intermediate certificates between the IDevID certificate and the 1347 manufacturer's IDevID trust anchor certificate, which is provided 1348 to prospective owners separately (e.g., Section 7.1). 1350 2. Devices that support loading bootstrapping data from an Internet- 1351 based bootstrap server (see Section 6.4) MUST be manufactured 1352 with a configured list of trusted bootstrap servers. Consistent 1353 with redirect information (Section 3.1, each bootstrap server MAY 1354 be identified by its hostname or IP address, and an optional 1355 port. 1357 3. Devices that support loading bootstrapping data from an Internet- 1358 based bootstrap server (see Section 6.4) MUST also be 1359 manufactured with a list of trust anchor certificates that can be 1360 used for X.509 certificate path validation ([RFC6125], Section 6) 1361 on the bootstrap server's TLS server certificate. 1363 4. Devices that support loading owner signed data (see Section 1.2) 1364 MUST also be manufactured with the trust anchor certificate for 1365 the ownership vouchers. 1367 5. Device MUST be manufactured with a private key that corresponds 1368 to the public key encoded in the device's IDevID certificate. 1369 This private key SHOULD be securely stored, ideally by a 1370 cryptographic processor (e.g., a TPM). 1372 8.2. Boot Sequence 1374 A device claiming to support the bootstrapping strategy defined in 1375 this document MUST support the boot sequence described in this 1376 section. 1378 Power On 1379 | 1380 v No 1381 1. Running default config? --------> Boot normally 1382 | 1383 | Yes 1384 v 1385 2. For each supported source of bootstrapping data, 1386 try to load bootstrapping data from the source 1387 | 1388 | 1389 v Yes 1390 3. Able to bootstrap off any source? -----> Run with new configuration 1391 | 1392 | No 1393 v 1394 4. Loop and/or wait for manual provisioning. 1396 Each numbered item below corresponds to a numbered item in the 1397 diagram above. 1399 1. When the device powers on, it first checks to see if it is 1400 running the factory default configuration. If it is running a 1401 modified configuration, then it boots normally. 1403 2. The device iterates over its list of sources for bootstrapping 1404 data (Section 6). Details for how to processes a source of 1405 bootstrapping data are provided in Section 8.3. 1407 3. If the device is able to bootstrap itself off any of the sources 1408 of bootstrapping data, it runs with the new bootstrapped 1409 configuration. 1411 4. Otherwise the device MAY loop back through the list of 1412 bootstrapping sources again and/or wait for manual provisioning. 1414 8.3. Processing a Source of Bootstrapping Data 1416 This section describes a recursive algorithm that a device claiming 1417 to support the bootstrapping strategy defined in this document MUST 1418 use to authenticate bootstrapping data. A device enters this 1419 algorithm for each new source of bootstrapping data. The first time 1420 the device enters this algorithm, it MUST initialize a conceptual 1421 trust state variable, herein referred to as "trust-state", to FALSE. 1422 The ultimate goal of this algorithm is for the device to process 1423 bootstrap information (Section 3.2) while the trust-state variable is 1424 TRUE. 1426 If the data source is a bootstrap server, and the device is able to 1427 authenticate the server using X.509 certificate path validation 1428 ([RFC6125], Section 6) to one of the device's preconfigured trust 1429 anchors, or to a trust anchor that it learned from a previous step, 1430 then the device MUST set trust-state to TRUE. 1432 If trust-state is TRUE, when connecting to the bootstrap server, the 1433 device MUST use its IDevID certificate for client certificate based 1434 authentication and MUST POST progress notifications using the 1435 bootstrap server's "notification" action. Otherwise, if trust-state 1436 is FALSE, when connecting to the bootstrap server, the device MUST 1437 NOT use its IDevID certificate for a client certificate based 1438 authentication and MUST NOT POST progress notifications using the 1439 bootstrap server's "notification" action. 1441 When accessing a bootstrap server, the device MUST only access its 1442 top-level resource, to obtain all the data staged for it in one GET 1443 request, so that it can determine if the data is signed or not, and 1444 thus act accordingly. If trust-state is TRUE, then the device MAY 1445 also accesses the bootstrap servers 'notification' resource for the 1446 device. 1448 For any source of bootstrapping data (e.g., Section 6), if the data 1449 is signed and the device is able to validate the signed data using 1450 the algorithm described in Section 8.4, then the device MUST set 1451 trust-state to TRUE, else the device MUST set trust-state to FALSE. 1452 Note, this is worded to cover the special case when signed data is 1453 returned even from a trusted bootstrap server. 1455 If the data is bootstrap information (not redirect information), and 1456 trust-state is FALSE, the device MUST exit the recursive algorithm, 1457 returning to the state machine described in Section 8.2. Otherwise, 1458 the device MUST attempt to process the bootstrap information as 1459 described in Section 8.6. In either case, success or failure, the 1460 device MUST exit the recursive algorithm, returning to the state 1461 machine described in Section 8.2, the only difference being in how it 1462 responds to the "Able to bootstrap off any source?" conditional 1463 described in that state machine. 1465 If the data is redirect information, the device MUST process the 1466 redirect information as described in Section 8.5. This is the 1467 recursion step, it will cause to device to reenter this algorithm, 1468 but this time the data source will most definitely be a bootstrap 1469 server, as that is all redirect information is able to do. 1471 8.4. Validating Signed Data 1473 Whenever a device is presented signed data from an untrusted source, 1474 it MUST validate the signed data as described in this section. If 1475 the signed data is provided by a trusted source, a redundant trust 1476 case, the device MAY skip verifying the signature. 1478 Whenever there is signed data, the device MUST also be provided an 1479 ownership voucher and an owner certificate. Depending on 1480 circumstances, the device MAY also be provided certificate and 1481 voucher revocations. How all the needed artifacts are provided for 1482 each source of bootstrapping data is defined in Section 6. 1484 The device MUST first authenticate the ownership voucher by 1485 validating the signature on it to one of its preconfigured trust 1486 anchors (see Section 8.1) and verify that the voucher contains the 1487 device's unique identifier (e.g., serial number). If the device 1488 insists on verifying revocation status, it MUST also verify that the 1489 voucher isn't expired or has been revoked. If the authentication of 1490 the voucher is successful, the device extracts the rightful owner's 1491 identity from the voucher for use in the next step. 1493 Next the device MUST authenticate the owner certificate by performing 1494 X.509 certificate path validation on it, and by verifying that the 1495 certificate is both identified by the voucher and also has in its 1496 chain of trust the certificate identified by the voucher. If the 1497 device insists on verifying revocation status, it MUST also verify 1498 that none of the certificates in the chain of certificates have been 1499 revoked or expired. If the authentication of the certificate is 1500 successful, the device extracts the owner's public key from the 1501 certificate for use in the next step. 1503 Finally the device MUST verify the signature over 'information type' 1504 artifact was generated by the private key matching the public key 1505 extracted from the owner certificate in the previous step. 1507 When the device receives the signed data from a bootstrap server, the 1508 device MUST use text-level operations to extract the 'information- 1509 type' node from the parent 'device' node in the response in order to 1510 verify the signature. It is not important if the extracted text is a 1511 valid YANG encoding in order to verify the signature. 1513 If any of these steps fail, then the device MUST mark the data as 1514 invalid and not perform any of the subsequent steps. 1516 8.5. Processing Redirect Information 1518 In order to process redirect information (Section 3.1), the device 1519 MUST follow the steps presented in this section. 1521 Processing redirect information is straightforward. The device 1522 sequentially steps through the list of provided bootstrap servers 1523 until it can find one it can bootstrap off of. 1525 If a hostname is provided, and the hostname's DNS resolution is to 1526 more than one IP address, the device MUST attempt to connect to all 1527 of the DNS resolved addresses at least once, before moving on to the 1528 next bootstrap server. If the device is able to obtain bootstrapping 1529 data from any of the DNS resolved addresses, it MUST immediately 1530 process that data, without attempting to connect to any of the other 1531 DNS resolved addresses. 1533 If the redirect information is trusted (e.g., trust-state is TRUE), 1534 and the bootstrap server entry contains a trust anchor certificate, 1535 then the device MUST authenticate the bootstrap server using X.509 1536 certificate path validation ([RFC6125], Section 6) to the specified 1537 trust anchor. If the device is unable to authenticate the bootstrap 1538 server to the specified trust anchor, the device MUST NOT attempt a 1539 provisional connection to the bootstrap server (i.e., by blindly 1540 accepting its server certificate). 1542 If the redirect information is untrusted (e.g., trust-state is 1543 FALSE), the device MUST discard any trust anchors provided by the 1544 redirect information and establish a provisional connection to the 1545 bootstrap server (i.e., by blindly accepting its TLS server 1546 certificate). 1548 8.6. Processing Bootstrap Information 1550 In order to process bootstrap information (Section 3.2), the device 1551 MUST follow the steps presented in this section. 1553 When processing bootstrap information, the device MUST first process 1554 the boot image information, then execute the pre-configuration script 1555 (if any), then commit the initial configuration, and then execute the 1556 script (if any), in that order. If the device encounters an error at 1557 any step, it MUST NOT proceed to the next step. 1559 First the device MUST determine if the image it is running satisfies 1560 the specified boot image criteria (e.g., name or fingerprint match). 1561 If it does not, the device MUST download, verify, and install the 1562 specified boot image, and then reboot. To verify the boot image, the 1563 device MUST check that the boot image file matches the fingerprint 1564 (e.g., sha256) supplied by the bootstrapping information. Upon 1565 rebooting, the device MUST still be in its factory default state, 1566 causing the bootstrapping process to run again, which will eventually 1567 come to this very point, but this time the device's running image 1568 will satisfy the specified criteria, and thus the device will move to 1569 processing the next step. 1571 Next, for devices that support executing scripts, if a pre- 1572 configuration script has been specified, the device MUST execute the 1573 script and check its exit status code to determine if had any 1574 warnings or errors. In the case of errors, the device MUST reset 1575 itself in such a way that force the reinstallation of its boot image, 1576 thereby wiping out any bad state the script might have left behind. 1578 Next the device commits the provided initial configuration. Assuming 1579 no errors, the device moves to processing the next step. 1581 Again, for devices that support executing scripts, if a post- 1582 configuration script has been specified, the device MUST execute the 1583 script and check its exit status code to determine if it had any 1584 warnings or errors. In the case of errors, the device MUST reset 1585 itself in such a way that force the reinstallation of its boot image, 1586 thereby wiping out any bad state the script might have left behind. 1588 At this point, the device has completely processed the bootstrapping 1589 data and is ready to be managed. If the device obtained the 1590 bootstrap information from a trusted bootstrap server, the device 1591 MUST send the 'bootstrap-complete' notification now. 1593 At this point the device is configured and no longer running its 1594 factory default configuration. Notably, if the bootstrap information 1595 configured the device it initiate a call home connection, the device 1596 would proceed to do so now. 1598 9. RESTCONF API for Bootstrap Servers 1600 This section defines a YANG ([RFC6020]) module that is used to define 1601 the RESTCONF ([draft-ietf-netconf-restconf]) API used by the 1602 bootstrap server defined in Section 6.4. Examples illustrating this 1603 API in use are provided in Appendix A. 1605 9.1. Tree Diagram 1607 The following tree diagram provides an overview for the bootstrap 1608 server RESTCONF API. The syntax used for this tree diagram is 1609 described in Section 1.4. 1611 module: ietf-zerotouch-bootstrap-server 1612 +--ro device* [unique-id] 1613 +--ro unique-id string 1614 +--ro (information-type) 1615 | +--:(redirect-information) 1616 | | +--ro redirect-information 1617 | | +--ro bootstrap-server* [address] 1618 | | +--ro address inet:host 1619 | | +--ro port? inet:port-number 1620 | | +--ro trust-anchor? binary 1621 | +--:(bootstrap-information) 1622 | +--ro bootstrap-information 1623 | +--ro boot-image 1624 | | +--ro name string 1625 | | +--ro (hash-algorithm) 1626 | | | +--:(sha256) 1627 | | | +--ro sha256? string 1628 | | +--ro uri* inet:uri 1629 | +--ro configuration-handling? enumeration 1630 | +--ro pre-configuration-script? script 1631 | +--ro configuration? 1632 | +--ro post-configuration-script? script 1633 +--ro signature? binary 1634 +--ro ownership-voucher? binary 1635 +--ro owner-certificate? binary 1636 +--ro voucher-revocation? binary 1637 +--ro certificate-revocation? binary 1638 +---x notification 1639 +---w input 1640 +---w notification-type enumeration 1641 +---w message? string 1642 +---w ssh-host-keys 1643 | +---w ssh-host-key* 1644 | +---w format enumeration 1645 | +---w key-data string 1646 +---w trust-anchors 1647 +---w trust-anchor* 1648 +---w protocol* enumeration 1649 +---w certificate binary 1651 In the above diagram, notice that all of the protocol accessible 1652 nodes are read-only, to assert that devices can only pull data from 1653 the bootstrap server. 1655 Also notice that the module defines an action statement, which 1656 devices use to provide progress notifications to the bootstrap 1657 server. 1659 9.2. YANG Module 1661 The bootstrap server's device-facing API is normatively defined by 1662 the YANG module defined in this section. 1664 Note: the module defined herein uses data types defined in [RFC2315], 1665 [RFC5280], [RFC6234], [RFC6991], and [draft-kwatsen-netconf-voucher]. 1667 file "ietf-zerotouch-bootstrap-server@2016-10-31.yang" 1669 module ietf-zerotouch-bootstrap-server { 1670 yang-version "1.1"; 1672 namespace 1673 "urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server"; 1674 prefix "ztbs"; 1676 import ietf-inet-types { 1677 prefix inet; 1678 reference "RFC 6991: Common YANG Data Types"; 1679 } 1681 organization 1682 "IETF NETCONF (Network Configuration) Working Group"; 1684 contact 1685 "WG Web: 1686 WG List: 1687 Author: Kent Watsen 1688 "; 1690 description 1691 "This module defines an interface for bootstrap servers, as defined 1692 by RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based 1693 Management. 1695 Copyright (c) 2014 IETF Trust and the persons identified as 1696 authors of the code. All rights reserved. 1698 Redistribution and use in source and binary forms, with or without 1699 modification, is permitted pursuant to, and subject to the license 1700 terms contained in, the Simplified BSD License set forth in Section 1701 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents 1702 (http://trustee.ietf.org/license-info). 1704 This version of this YANG module is part of RFC XXXX; see the RFC 1705 itself for full legal notices."; 1707 revision "2016-10-31" { 1708 description 1709 "Initial version"; 1710 reference 1711 "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based 1712 Management"; 1713 } 1715 list device { 1716 key unique-id; 1717 config false; 1719 description 1720 "A device's record entry. This is the only RESTCONF resource 1721 that a device will GET, as described in Section 8.2 in RFC XXXX. 1722 Getting just this top-level node provides a device with all the 1723 data it needs in a single request."; 1724 reference 1725 "RFC XXXX: Zero Touch Provisioning for NETCONF or 1726 RESTCONF based Management"; 1728 leaf unique-id { 1729 type string; 1730 description 1731 "A unique identifier for the device (e.g., serial number). 1732 Each device accesses its bootstrapping record by its unique 1733 identifier."; 1734 } 1736 choice information-type { 1737 mandatory true; 1738 description 1739 "This choice statement ensures the response only contains 1740 redirect-information or bootstrap-information. Note that 1741 this is the only mandatory true node, as the other nodes 1742 are not needed when the device trusts the bootstrap server, 1743 in which case the data does not need to be signed."; 1745 container redirect-information { 1746 description 1747 "This is redirect information, as described in Section 3.1 1748 in RFC XXXX. Its purpose is to redirect a device to another 1749 bootstrap server."; 1750 reference 1751 "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF 1752 based Management"; 1754 list bootstrap-server { 1755 key address; 1756 description 1757 "A bootstrap server entry."; 1759 leaf address { 1760 type inet:host; 1761 mandatory true; 1762 description 1763 "The IP address or hostname of the bootstrap server the 1764 device should redirect to."; 1765 } 1766 leaf port { 1767 type inet:port-number; 1768 default 443; 1769 description 1770 "The port number the bootstrap server listens on."; 1771 } 1772 leaf trust-anchor { //should there be two fields like voucher? 1773 type binary; 1774 description 1775 "An X.509 v3 certificate structure as specified by RFC 1776 5280, Section 4, encoded using ASN.1 distinguished 1777 encoding rules (DER), as specified in ITU-T X.690. A 1778 certificate that a device can use as a trust anchor 1779 to authenticate the bootstrap server it is being 1780 redirected to."; 1781 reference 1782 "RFC 5280: 1783 Internet X.509 Public Key Infrastructure Certificate 1784 and Certificate Revocation List (CRL) Profile. 1785 ITU-T X.690: 1786 Information technology - ASN.1 encoding rules: 1787 Specification of Basic Encoding Rules (BER), 1788 Canonical Encoding Rules (CER) and Distinguished 1789 Encoding Rules (DER)."; 1790 } 1791 } 1792 } 1794 container bootstrap-information { 1796 description 1797 "This is bootstrap information, as described in Section 3.2 in 1798 RFC XXXX. Its purpose is to provide the device everything it 1799 needs to bootstrap itself."; 1800 reference 1801 "RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF 1802 based Management"; 1804 container boot-image { 1805 description 1806 "Specifies criteria for the boot image the device MUST 1807 be running."; 1809 leaf name { // maybe this should be a regex? 1810 type string; 1811 mandatory true; 1812 description 1813 "The name of a software image that the device MUST 1814 be running in order to process the remaining nodes."; 1815 } 1816 choice hash-algorithm { 1817 mandatory true; 1818 description 1819 "Identifies the hash algorithm used."; 1820 leaf sha256 { 1821 type string; 1822 description 1823 "The hex-encoded SHA-256 hash over the boot 1824 image file. This is used by the device to 1825 verify a downloaded boot image file."; 1826 reference 1827 "RFC 6234: US Secure Hash Algorithms."; 1828 } 1829 } 1830 leaf-list uri { 1831 type inet:uri; 1832 min-elements 1; 1833 description 1834 "An ordered list of URIs to where the boot-image file MAY 1835 be obtained. Deployments MUST know in which URI schemes 1836 (http, ftp, etc.) a device supports. If a secure scheme 1837 (e.g., https) is provided, a device MAY establish a 1838 provisional connection to the server, by blindly 1839 accepting the server's credentials (e.g., its TLS 1840 certificate)"; 1841 } 1842 } 1844 leaf configuration-handling { 1845 type enumeration { 1846 enum merge { 1847 description 1848 "Merge configuration into existing running configuration."; 1849 } 1850 enum replace { 1851 description 1852 "Replace existing running configuration with the passed 1853 configuration."; 1854 } 1855 } 1856 description 1857 "This enumeration indicates how the server should process 1858 the provided configuration. When not specified, the device 1859 MAY determine how to process the configuration using other 1860 means (e.g., vendor-specific metadata)."; 1861 } 1863 leaf pre-configuration-script { 1864 type script; 1865 description 1866 "A script that, when present, is executed before the 1867 configuration has been processed."; 1868 } 1870 anydata configuration { 1871 must "../configuration-handling"; 1872 description 1873 "Any configuration data model known to the device. It may 1874 contain manufacturer-specific and/or standards-based data 1875 models."; 1876 } 1878 leaf post-configuration-script { 1879 type script; 1880 description 1881 "A script that, when present, is executed after the 1882 configuration has been processed."; 1883 } 1884 } 1885 } 1887 leaf signature { 1888 type binary; 1889 must "../redirect-information or ../bootstrap-information" { 1890 description 1891 "An information type must be present whenever an 1892 signature is present."; 1893 } 1894 description 1895 "A PKCS#7 SignedData structure, as specified by Section 9.1 1896 of RFC 2315, containing just the signature (no content, 1897 certificates, or CRLs), encoded using ASN.1 distinguished 1898 encoding rules (DER), as specified in ITU-T X.690. 1900 This signature is generated by the device's owner using 1901 the private key associated with the owner certificate 1902 over the information-type node, exactly as it's presented 1903 to the device. The device MUST use text-level operations 1904 to extract the information-type node from the larger 1905 'device' response in order to verify it. It is not 1906 important if the extracted text is itself a valid 1907 encoding (e.g., XML or JSON)."; 1908 reference 1909 "RFC 2315: 1910 PKCS #7: Cryptographic Message Syntax Version 1.5 1911 ITU-T X.690: 1912 Information technology - ASN.1 encoding rules: 1913 Specification of Basic Encoding Rules (BER), 1914 Canonical Encoding Rules (CER) and Distinguished 1915 Encoding Rules (DER)."; 1916 } 1918 leaf ownership-voucher { 1919 type binary; 1920 must "../signature" { 1921 description 1922 "A signature must be present whenever an ownership voucher 1923 is presented."; 1924 } 1925 must "../owner-certificate" { 1926 description 1927 "An owner certificate must be present whenever an ownership 1928 voucher is presented."; 1929 } 1930 description 1931 "A 'voucher' structure, per draft-kwatsen-netconf-voucher. 1932 The voucher needs to reference the device's unique identifier 1933 and also specify the owner certificate's identity and a CA 1934 certificate in the owner certificate's chain of trust."; 1935 reference 1936 "draft-kwatsen-netconf-voucher: 1937 Voucher and Voucher Revocation Profiles for Bootstrapping 1938 Protocols"; 1939 } 1941 leaf owner-certificate { 1942 type binary; 1943 must "../signature" { 1944 description 1945 "A signature must be present whenever an owner certificate 1946 is presented."; 1947 } 1948 must "../ownership-voucher" { 1949 description 1950 "An ownership voucher must be present whenever an owner 1951 certificate is presented."; 1952 } 1953 description 1954 "An unsigned PKCS #7 SignedData structure, as specified 1955 by Section 9.1 in RFC 2315, containing just certificates 1956 (no content, signatures, or CRLs), encoded using ASN.1 1957 distinguished encoding rules (DER), as specified in 1958 ITU-T X.690. 1960 This structure contains, in order, the owner certificate 1961 itself and all intermediate certificates leading up to a 1962 trust anchor certificate. The owner certificate MAY 1963 optionally include the trust anchor certificate."; 1964 reference 1965 "RFC 2315: 1966 PKCS #7: Cryptographic Message Syntax Version 1.5. 1967 ITU-T X.690: 1968 Information technology - ASN.1 encoding rules: 1969 Specification of Basic Encoding Rules (BER), 1970 Canonical Encoding Rules (CER) and Distinguished 1971 Encoding Rules (DER)."; 1972 } 1974 leaf voucher-revocation { 1975 type binary; 1976 must "../ownership-voucher" { 1977 description 1978 "An ownership voucher must be present whenever a voucher 1979 revocation is presented."; 1980 } 1981 description 1982 "A 'voucher-revocation' structure, as defined in 1983 draft-kwatsen-netconf-voucher. The voucher revocation 1984 definitively states whether a voucher is valid or not."; 1985 reference 1986 "draft-kwatsen-netconf-voucher: 1987 Voucher and Voucher Revocation Profiles for Bootstrapping 1988 Protocols"; 1989 } 1991 leaf certificate-revocation { 1992 type binary; 1993 must "../owner-certificate" { 1994 description 1995 "An owner certificate must be present whenever an voucher 1996 revocation is presented."; 1997 } 1998 description 1999 "An unsigned PKCS #7 SignedData structure, as specified by 2000 Section 9.1 in RFC 2315, containing just CRLs (no content, 2001 signatures, or certificates), encoded using ASN.1 2002 distinguished encoding rules (DER), as specified in 2003 ITU-T X.690. 2005 This structure contains, in order, the CRL for the owner 2006 certificate itself and the CRLs for all intermediate 2007 certificates leading up to but not including a trust 2008 anchor certificate."; 2009 reference 2010 "RFC 5280: 2011 Internet X.509 Public Key Infrastructure Certificate 2012 and Certificate Revocation List (CRL) Profile. 2013 ITU-T X.690: 2014 Information technology - ASN.1 encoding rules: 2015 Specification of Basic Encoding Rules (BER), 2016 Canonical Encoding Rules (CER) and Distinguished 2017 Encoding Rules (DER)."; 2018 } 2020 action notification { 2021 input { 2022 leaf notification-type { 2023 type enumeration { 2024 enum bootstrap-initiated { 2025 description 2026 "Indicates that the device has just accessed the 2027 bootstrap server. The 'message' field below MAY 2028 contain any additional information that the 2029 manufacturer thinks might be useful."; 2030 } 2031 enum validation-error { 2032 description 2033 "Indicates that the device had an issue validating 2034 the response from the bootstrap server. The 2035 'message' field below SHOULD indicate the specific 2036 error. This message also indicates that the device 2037 has abandoned trying to bootstrap off this bootstrap 2038 server."; 2039 } 2040 enum signature-validation-error { 2041 description 2042 "Indicates that the device had an issue validating the 2043 bootstrapping data. For instance, this could be due 2044 to the device expecting signed data, but only found 2045 unsigned data, or because the ownership voucher didn't 2046 include the device's unique identifier, or because the 2047 signature didn't match. The 'message' field below 2048 SHOULD indicate the specific error. This message also 2049 indicates that the device has abandoned trying to 2050 bootstrap off this bootstrap server."; 2051 } 2052 enum image-mismatch { 2053 description 2054 "Indicates that the device has determined that its 2055 running image does not match the specified criteria. 2056 The 'message' field below SHOULD indicate both what 2057 image the device is currently running."; 2058 } 2059 enum image-download-error { 2060 description 2061 "Indicates that the device had an issue downloading 2062 the image, which could be for reasons such as a file 2063 server being unreachable to the downloaded file 2064 being the incorrect file (signature mismatch). The 2065 'message' field about SHOULD indicate the specific 2066 error. This message also indicates that the device 2067 has abandoned trying to bootstrap off this bootstrap 2068 server."; 2069 } 2070 enum pre-script-warning { 2071 description 2072 "Indicates that the device obtained a greater than 2073 zero exit status code from the script when it was 2074 executed. The 'message' field below SHOULD indicate 2075 both the resulting exit status code, as well as 2076 capture any stdout/stderr messages the script may 2077 have produced."; 2078 } 2079 enum pre-script-error { 2080 description 2081 "Indicates that the device obtained a less than zero 2082 exit status code from the script when it was executed. 2083 The 'message' field below SHOULD indicate both the 2084 resulting exit status code, as well as capture any 2085 stdout/stderr messages the script may have produced. 2086 This message also indicates that the device has 2087 abandoned trying to bootstrap off this bootstrap 2088 server."; 2089 } 2090 enum config-warning { 2091 description 2092 "Indicates that the device obtained warning messages 2093 when it committed the initial configuration. The 2094 'message' field below SHOULD indicate the warning 2095 messages that were generated."; 2096 } 2097 enum config-error { 2098 description 2099 "Indicates that the device obtained error messages 2100 when it committed the initial configuration. The 2101 'message' field below SHOULD indicate the error 2102 messages that were generated. This message also 2103 indicates that the device has abandoned trying to 2104 bootstrap off this bootstrap server."; 2105 } 2106 enum post-script-warning { 2107 description 2108 "Indicates that the device obtained a greater than 2109 zero exit status code from the script when it was 2110 executed. The 'message' field below SHOULD indicate 2111 both the resulting exit status code, as well as 2112 capture any stdout/stderr messages the script may 2113 have produced."; 2114 } 2115 enum post-script-error { 2116 description 2117 "Indicates that the device obtained a less than zero 2118 exit status code from the script when it was executed. 2119 The 'message' field below SHOULD indicate both the 2120 resulting exit status code, as well as capture any 2121 stdout/stderr messages the script may have produced. 2122 This message also indicates that the device has 2123 abandoned trying to bootstrap off this bootstrap 2124 server."; 2125 } 2126 enum bootstrap-complete { 2127 description 2128 "Indicates that the device successfully processed the 2129 all the bootstrapping data and that it is ready to 2130 be managed. The 'message' field below MAY contain 2131 any additional information that the manufacturer 2132 thinks might be useful. After sending this message, 2133 the device is not expected to access the bootstrap 2134 server again."; 2135 } 2136 enum informational { 2137 description 2138 "Indicates any additional information not captured by 2139 any of the other notification-type. The 'message' 2140 field below SHOULD contain any additional information 2141 that the manufacturer thinks might be useful."; 2142 } 2143 } 2144 mandatory true; 2145 description 2146 "The type of notification provided."; 2147 } 2148 leaf message { 2149 type string; 2150 description 2151 "An optional human-readable value."; 2152 } 2153 container ssh-host-keys { 2154 description 2155 "A list of SSH host keys an NMS may use to authenticate 2156 a NETCONF connection to the device with."; 2157 list ssh-host-key { 2158 when "../notification-type = 'bootstrap-complete'" { 2159 description 2160 "SSH host keys are only sent when the notification 2161 type is 'bootstrap-complete'."; 2162 } 2163 description 2164 "An SSH host-key"; 2165 leaf format { 2166 type enumeration { 2167 enum ssh-dss { description "ssh-dss"; } 2168 enum ssh-rsa { description "ssh-rsa"; } 2169 } 2170 mandatory true; 2171 description 2172 "The format of the SSH host key."; 2173 } 2174 leaf key-data { 2175 type string; 2176 mandatory true; 2177 description 2178 "The key data for the SSH host key"; 2179 } 2180 } 2181 } 2182 container trust-anchors { 2183 description 2184 "A list of trust anchor certificates an NMS may use to 2185 authenticate a NETCONF or RESTCONF connection to the 2186 device with."; 2187 list trust-anchor { 2188 when "../notification-type = 'bootstrap-complete'" { 2189 description 2190 "Trust anchors are only sent when the notification 2191 type is 'bootstrap-complete'."; 2192 } 2193 description 2194 "A list of trust anchor certificates an NMS may use to 2195 authenticate a NETCONF or RESTCONF connection to the 2196 device with."; 2197 leaf-list protocol { 2198 type enumeration { 2199 enum netconf-ssh { description "netconf-ssh"; } 2200 enum netconf-tls { description "netconf-tls"; } 2201 enum restconf-tls { description "restconf-tls"; } 2202 enum netconf-ch-ssh { description "netconf-ch-ssh"; } 2203 enum netconf-ch-tls { description "netconf-ch-tls"; } 2204 enum restconf-ch-tls { description "restconf-ch-tls"; } 2205 } 2206 min-elements 1; 2207 description 2208 "The protocols that this trust anchor secures."; 2209 } 2210 leaf certificate { 2211 type binary; 2212 mandatory true; 2213 description 2214 "An X.509 v3 certificate structure, as specified by 2215 Section 4 in RFC5280, encoded using ASN.1 distinguished 2216 encoding rules (DER), as specified in ITU-T X.690."; 2217 reference 2218 "RFC 5280: 2219 Internet X.509 Public Key Infrastructure Certificate 2220 and Certificate Revocation List (CRL) Profile. 2221 ITU-T X.690: 2222 Information technology - ASN.1 encoding rules: 2223 Specification of Basic Encoding Rules (BER), 2224 Canonical Encoding Rules (CER) and Distinguished 2225 Encoding Rules (DER)."; 2226 } 2227 } 2228 } 2229 } 2230 } // end action 2232 } // end device 2233 typedef script { 2234 type binary; 2235 description 2236 "A device specific script that enables the execution of commands 2237 to perform actions not possible thru configuration alone. 2239 No attempt is made to standardize the contents, running context, 2240 or programming language of the script. The contents of the 2241 script are considered specific to the vendor, product line, 2242 and/or model of the device. 2244 If a script is erroneously provided to a device that does not 2245 support the execution of scripts, the device SHOULD send a 2246 'script-warning' notification message, but otherwise continue 2247 processing the bootstrapping data as if the script had not 2248 been present. 2250 The script returns exit status code '0' on success and non-zero 2251 on error, with accompanying stderr/stdout for logging purposes. 2252 In the case of an error, the exit status code will specify what 2253 the device should do. 2255 If the exit status code is greater than zero, then the device 2256 should assume that the script had a soft error, which the 2257 script believes does not affect manageability. If the device 2258 obtained the bootstrap information from a bootstrap server, 2259 it SHOULD send a 'script-warning' notification message. 2261 If the exit status code is less than zero, the device should 2262 assume the script had a hard error, which the script believes 2263 will affect manageability. In this case, the device SHOULD 2264 send a 'script-error' notification message followed by a 2265 reset that will force a new boot-image install (wiping out 2266 anything the script may have done) and restart the entire 2267 bootstrapping process again."; 2268 } 2270 } 2272 2274 10. Security Considerations 2275 10.1. Immutable storage for trust anchors 2277 Devices MUST ensure that all their trust anchor certificates, 2278 including those for connecting to bootstrap servers and verifying 2279 ownership vouchers, are protected from external modification. 2281 It may be necessary to update these certificates over time (e.g., the 2282 manufacturer wants to delegate trust to a new CA). It is therefore 2283 expected that devices MAY update these trust anchors when needed 2284 through a verifiable process, such as a software upgrade using signed 2285 software images. 2287 10.2. Clock Sensitivity 2289 The solution in this document relies on TLS certificates, owner 2290 certificates, and ownership vouchers, all of which require an 2291 accurate clock in order to be processed correctly (e.g., to test 2292 validity dates and revocation status). Implementations MUST ensure 2293 devices have an accurate clock when shipped from manufacturing 2294 facilities, and take steps to prevent clock tampering. 2296 If it is not possible to ensure clock accuracy, it is RECOMMENDED 2297 that implementations disable the aspects of the solution having clock 2298 sensitivity. In particular, such implementations should assume that 2299 TLS certificates, owner certificates, and ownership vouchers are not 2300 revokable, In real-world terms, this means that manufacturers SHOULD 2301 only issue a single ownership voucher for the lifetime of some 2302 devices. 2304 It is important to note that implementations SHOULD NOT rely on NTP 2305 for time, as it is not a secure protocol. 2307 10.3. Blindly authenticating a bootstrap server 2309 This document allows a device to blindly authenticate a bootstrap 2310 server's TLS certificate. It does so to allow for cases where the 2311 redirect information may be obtained in an unsecured manner, which is 2312 desirable to support in some cases. 2314 To compensate for this, this document requires that devices, when 2315 connected to an untrusted bootstrap server, do not send their IDevID 2316 certificate for client authentication, and they do not POST any 2317 progress notifications, and they assert that data downloaded from the 2318 server is signed. 2320 10.4. Entropy loss over time 2322 Section 7.2.7.2 of the IEEE Std 802.1AR-2009 standard says that 2323 IDevID certificate should never expire (i.e. having the notAfter 2324 value 99991231235959Z). Given the long-lived nature of these 2325 certificates, it is paramount to use a strong key length (e.g., 2326 512-bit ECC). 2328 10.5. Serial Numbers 2330 This draft suggests using the device's serial number as the unique 2331 identifier in its IDevID certificate. This is because serial numbers 2332 are ubiquitous and prominently contained in invoices and on labels 2333 affixed to devices and their packaging. That said, serial numbers 2334 many times encode revealing information, such as the device's model 2335 number, manufacture date, and/or sequence number. Knowledge of this 2336 information may provide an adversary with details needed to launch an 2337 attack. 2339 10.6. Sequencing Sources of Bootstrapping Data 2341 For devices supporting more than one source for bootstrapping data, 2342 no particular sequencing order has to be observed for security 2343 reasons, as the solution for each source is considered equally 2344 secure. However, from a privacy perspective, it is RECOMMENDED that 2345 devices access local sources before accessing remote sources. 2347 11. IANA Considerations 2349 11.1. The BOOTP Manufacturer Extensions and DHCP Options Registry 2351 The following registrations are in accordance to RFC 2939 [RFC2939] 2352 for "BOOTP Manufacturer Extensions and DHCP Options" registry 2353 maintained at http://www.iana.org/assignments/bootp-dhcp-parameters. 2355 11.1.1. DHCP v4 Option 2356 Tag: XXX 2358 Name: Zero Touch Information 2360 Returns up to six zero touch bootstrapping artifacts. 2362 Code Len 2363 +-----+-----+----------+------------------+-----------+ 2364 | XXX | n | encoding | information-type | signature | 2365 +-----+-----+----------+------------------+-----------+ 2367 +-------------------+-------------------+-------------------------+ 2368 | owner-certificate | ownership-voucher | certificate-revocations | 2369 +-------------------+-------------------+-------------------------+ 2371 +---------------------+ 2372 | voucher-revocations | 2373 +---------------------+ 2375 Reference: RFC XXXX 2377 11.1.2. DHCP v6 Option 2379 Tag: YYY 2381 Name: Zero Touch Information 2383 Returns up to six zero touch bootstrapping artifacts. 2385 Code Len 2386 +-----+-----+----------+------------------+-----------+ 2387 | XXX | n | encoding | information-type | signature | 2388 +-----+-----+----------+------------------+-----------+ 2390 +-------------------+-------------------+-------------------------+ 2391 | owner-certificate | ownership-voucher | certificate-revocations | 2392 +-------------------+-------------------+-------------------------+ 2394 +---------------------+ 2395 | voucher-revocations | 2396 +---------------------+ 2398 Reference: RFC XXXX 2400 11.2. The IETF XML Registry 2402 This document registers one URI in the IETF XML registry [RFC3688]. 2403 Following the format in [RFC3688], the following registration is 2404 requested: 2406 URI: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server 2407 Registrant Contact: The NETCONF WG of the IETF. 2408 XML: N/A, the requested URI is an XML namespace. 2410 11.3. The YANG Module Names Registry 2412 This document registers one YANG module in the YANG Module Names 2413 registry [RFC6020]. Following the format defined in [RFC6020], the 2414 the following registration is requested: 2416 name: ietf-zerotouch-bootstrap-server 2417 namespace: urn:ietf:params:xml:ns:yang:ietf-zerotouch-bootstrap-server 2418 prefix: ztbs 2419 reference: RFC XXXX 2421 12. Other Considerations 2423 Both this document and [draft-ietf-anima-bootstrapping-keyinfra] 2424 define bootstrapping mechanisms. The authors have collaborated on 2425 both solutions and believe that each solution has merit and, in fact, 2426 can work together. That is, it is possible for a device to support 2427 both solutions simultaneously. 2429 13. Acknowledgements 2431 The authors would like to thank for following for lively discussions 2432 on list and in the halls (ordered by last name): David Harrington, 2433 Michael Behringer, Dean Bogdanovic, Martin Bjorklund, Joe Clarke, 2434 Toerless Eckert, Stephen Farrell, Stephen Hanna, Wes Hardaker, Russ 2435 Mundy, Reinaldo Penno, Randy Presuhn, Max Pritikin, Michael 2436 Richardson, Phil Shafer, Juergen Schoenwaelder. 2438 Special thanks goes to Steve Hanna, Russ Mundy, and Wes Hardaker for 2439 brainstorming the original I-D's solution during the IETF 87 meeting 2440 in Berlin. 2442 14. References 2443 14.1. Normative References 2445 [draft-ietf-netconf-restconf] 2446 Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 2447 Protocol", draft-ieft-netconf-restconf-10 (work in 2448 progress), 2016, . 2451 [draft-kwatsen-netconf-voucher] 2452 Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, 2453 "Voucher and Voucher Revocation Profiles for Bootstrapping 2454 Protocols", draft-kwatsen-netconf-voucher-00 (work in 2455 progress), 2016, . 2458 [RFC1035] Mockapetris, P., "Domain names - implementation and 2459 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 2460 November 1987, . 2462 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2463 Requirement Levels", BCP 14, RFC 2119, 2464 DOI 10.17487/RFC2119, March 1997, 2465 . 2467 [RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax 2468 Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998, 2469 . 2471 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 2472 Housley, R., and W. Polk, "Internet X.509 Public Key 2473 Infrastructure Certificate and Certificate Revocation List 2474 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 2475 . 2477 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2478 the Network Configuration Protocol (NETCONF)", RFC 6020, 2479 DOI 10.17487/RFC6020, October 2010, 2480 . 2482 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 2483 Verification of Domain-Based Application Service Identity 2484 within Internet Public Key Infrastructure Using X.509 2485 (PKIX) Certificates in the Context of Transport Layer 2486 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2487 2011, . 2489 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 2490 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 2491 DOI 10.17487/RFC6234, May 2011, 2492 . 2494 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 2495 DOI 10.17487/RFC6762, February 2013, 2496 . 2498 [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service 2499 Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, 2500 . 2502 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 2503 RFC 6991, DOI 10.17487/RFC6991, July 2013, 2504 . 2506 [RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, 2507 PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, 2508 April 2015, . 2510 [Std-802.1AR-2009] 2511 IEEE SA-Standards Board, "IEEE Standard for Local and 2512 metropolitan area networks - Secure Device Identity", 2513 December 2009, . 2516 14.2. Informative References 2518 [draft-ietf-anima-bootstrapping-keyinfra] 2519 Pritikin, M., Behringer, M., and S. Bjarnason, 2520 "Bootstrapping Key Infrastructures", draft-ietf-anima- 2521 bootstrapping-keyinfra-03 (work in progress), 2016, 2522 . 2525 [draft-ietf-netconf-call-home] 2526 Watsen, K., "NETCONF Call Home (work in progress)", draft- 2527 ieft-netconf-restconf-10 (work in progress), December 2528 2015, . 2531 [draft-ietf-netconf-server-model] 2532 Watsen, K., "NETCONF Server Model (work in progress)", 2533 draft-ieft-netconf-server-model-09 (work in progress), 2534 March 2016, . 2537 [RFC2939] Droms, R., "Procedures and IANA Guidelines for Definition 2538 of New DHCP Options and Message Types", BCP 43, RFC 2939, 2539 DOI 10.17487/RFC2939, September 2000, 2540 . 2542 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2543 DOI 10.17487/RFC3688, January 2004, 2544 . 2546 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2547 and A. Bierman, Ed., "Network Configuration Protocol 2548 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2549 . 2551 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 2552 of Named Entities (DANE) Transport Layer Security (TLS) 2553 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2554 2012, . 2556 [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for 2557 System Management", RFC 7317, DOI 10.17487/RFC7317, August 2558 2014, . 2560 Appendix A. API Examples 2562 This section presents some examples illustrating device interactions 2563 with a bootstrap server to access Redirect and Bootstrap information, 2564 both unsigned and signed, as well as to send a progress notification. 2565 These examples show the bootstrap information containing 2566 configuration from the YANG modules in [RFC7317] and 2567 [draft-ietf-netconf-server-model]. 2569 A.1. Unsigned Redirect Information 2571 The following example illustrates a device using the API to fetch its 2572 bootstrapping data. In this example, the device receives unsigned 2573 redirect information. This example is representative of a response a 2574 trusted redirect server might return. 2576 REQUEST 2577 ------- 2578 ['\' line wrapping added for formatting only] 2580 GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ 2581 device=123456 HTTP/1.1 2582 HOST: example.com 2583 Accept: application/yang.data+xml 2585 RESPONSE 2586 -------- 2588 HTTP/1.1 200 OK 2589 Date: Sat, 31 Oct 2015 17:02:40 GMT 2590 Server: example-server 2591 Content-Type: application/yang.data+xml 2593 2595 2597 123456789 2598 2599 2600
phs1.example.com
2601 8443 2602 2603 WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ 2604 lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ 2605 zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ 2606 NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ 2607 VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ 2608 V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ 2609 NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ 2610 Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ 2611 WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ 2612 QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ 2613 MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 2614 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ 2615 RJSUJQFRStS0Cg== 2616 2617 2618 2619
phs2.example.com
2620 8443 2621 2622 WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ 2623 lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ 2624 zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ 2625 NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ 2626 VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ 2627 V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ 2628 NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ 2629 Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ 2630 WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ 2631 QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ 2632 MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 2633 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ 2634 RJSUJQFRStS0Cg== 2635 2636 2637 2638 2640 A.2. Signed Redirect Information 2642 The following example illustrates a device using the API to fetch its 2643 bootstrapping data. In this example, the device receives signed 2644 redirect information. This example is representative of a response 2645 that redirect server might return if concerned the device might not 2646 be able to authenticate its TLS certificate. 2648 REQUEST 2649 ------- 2650 ['\' line wrapping added for formatting only] 2652 GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ 2653 device=123456 HTTP/1.1 2654 HOST: example.com 2655 Accept: application/yang.data+xml 2657 RESPONSE 2658 -------- 2660 HTTP/1.1 200 OK 2661 Date: Sat, 31 Oct 2015 17:02:40 GMT 2662 Server: example-server 2663 Content-Type: application/yang.data+xml 2665 2667 2669 123456789 2670 2671 2672
phs1.example.com
2673 8443 2674 2675 WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ 2676 lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ 2677 zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ 2678 NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ 2679 VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ 2680 V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ 2681 NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ 2682 Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ 2683 WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ 2684 QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ 2685 MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 2686 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ 2687 RJSUJQFRStS0Cg== 2688 2689 2690 2691
phs2.example.com
2692 8443 2693 2694 WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ 2695 lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ 2696 zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ 2697 NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ 2698 VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ 2699 V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ 2700 NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ 2701 Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ 2702 WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ 2703 QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ 2704 MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 2705 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ 2706 RJSUJQFRStS0Cg== 2707 2708 2709 2710 2711 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 2712 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 2713 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2714 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= 2715 2716 2717 ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ 2718 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 2719 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2720 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2721 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 2722 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2723 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 2724 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 2725 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 2726 MjAO 2727 2728 2729 MIIExTCCA62gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx\ 2730 EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEZMBcGA1UE\ 2731 ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ 2732 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 2733 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 2734 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2735 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2736 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 2737 ap1DgmS3IaYl/s4OOF8yzcYJprm8O7NyZp+Y9H1U/7Qfp97/KbqwCgkHSzOlnt0X\ 2738 KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 2739 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ 2740 KmORbiKU2GTGZkaCgCjmrWpvrYWLoXv/sf2nPLyK6YjiWsslOJtRO+KzRbs2B18C\ 2741 AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ 2742 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 2743 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2744 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 2745 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 2746 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 2747 MjAOBgNVHQ8BAf8EBAMCAgQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5q\ 2748 dW5pcGVyLm5ldD9jYT1KdW5pcGVyX1RydXN0X0FuY2hvcl9DQTANBgkqhkiG9w0B\ 2749 AQsFAAOCAQEAOuD7EBilqQcT3t2C4AXta1gGNNwdldLLw0jtk4BMiA9l//DZfskB\ 2750 2AaJtiseLTXsMF6MQwDs1YKkiXKLu7gBZDlJ6NiDwy1UnXhi2BDG+MYXQrc6p76K\ 2751 z3bsVwZlaJQCdF5sbggc1MyrsOu9QirnRZkIv3R8ndJH5K792ztLquulAcMfnK1Y\ 2752 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX7WJzEbT/G7MUfo\ 2753 Sb+U2PVsQTDWEzUjVnG7vNWYxirnAOZ0OXEWWYxHUJntx6DsbXYuX7D1PkkNr7ir\ 2754 96DpOPtX7h8pxxGSDPBXIyvg02aFMphstQ== 2755 2756 2757 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 2758 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2759 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2760 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 2761 KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 2762 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ 2763 AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ 2764 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2765 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= 2766 2767 2768 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 2769 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2770 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2771 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 2772 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2773 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 2774 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 2775 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 2776 MjAO== 2777 2778 2780 A.3. Unsigned Bootstrap Information 2782 The following example illustrates a device using the API to fetch its 2783 bootstrapping data. In this example, the device receives unsigned 2784 bootstrapping information. This example is representative of a 2785 response a locally deployed bootstrap server might return. 2787 REQUEST 2788 ------- 2789 ['\' line wrapping added for formatting only] 2791 GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ 2792 device=123456 HTTP/1.1 2793 HOST: example.com 2794 Accept: application/yang.data+xml 2796 RESPONSE 2797 -------- 2799 HTTP/1.1 200 OK 2800 Date: Sat, 31 Oct 2015 17:02:40 GMT 2801 Server: example-server 2802 Content-Type: application/yang.data+xml 2804 2806 2808 123456789 2809 2810 2811 2812 boot-image-v3.2R1.6.img 2813 2814 2815 SomeMD5String 2816 2817 2818 SomeSha1String 2819 2820 2821 ftp://ftp.example.com/path/to/file 2822 2823 2824 merge 2825 2826 2827 2828 2829 2830 admin 2831 2832 admin's rsa ssh host-key 2833 ssh-rsa 2834 AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsR\ 2835 jCzfve2m6zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2Mw\ 2836 E1lG9YxLzeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVc\ 2837 WAw1lOr9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA\ 2838 vg7SLqQFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jW\ 2839 EIuA7LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf\ 2840 gakWVOZZgQ8929uWjCWlGlqn2mPibp2Go1 2841 2842 2843 2844 2845 2846 2848 2849 2850 config-mgr 2851 2852 2853 2854 east-data-center 2855
11.22.33.44
2856 2857 2858 west-data-center 2859
55.66.77.88
2860 2861 2862 2863 my-call-home-x509-key 2864 2865 2866 2867 2868 2869 2870 2871 2873 A.4. Signed Bootstrap Information 2875 The following example illustrates a device using the API to fetch its 2876 bootstrapping data. In this example, the device receives signed 2877 bootstrap information. This example is representative of a response 2878 that bootstrap server might return if concerned the device might not 2879 be able to authenticate its TLS certificate. 2881 REQUEST 2882 ------- 2884 ['\' line wrapping added for formatting only] 2886 GET https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ 2887 device=123456 HTTP/1.1 2888 HOST: example.com 2889 Accept: application/yang.data+xml 2891 RESPONSE 2892 -------- 2894 HTTP/1.1 200 OK 2895 Date: Sat, 31 Oct 2015 17:02:40 GMT 2896 Server: example-server 2897 Content-Type: application/yang.data+xml 2899 2901 2903 123456789 2904 2905 2906 2907 boot-image-v3.2R1.6.img 2908 2909 2910 SomeMD5String 2911 2912 2913 SomeSha1String 2914 2915 2916 /path/to/on/same/bootserver 2917 2918 2919 2920 2921 2922 2923 2924 admin 2925 2926 admin's rsa ssh host-key 2927 ssh-rsa 2928 AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsR\ 2929 jCzfve2m6zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2Mw\ 2930 E1lG9YxLzeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVc\ 2931 WAw1lOr9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA\ 2932 vg7SLqQFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jW\ 2933 EIuA7LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf\ 2934 gakWVOZZgQ8929uWjCWlGlqn2mPibp2Go1 2935 2936 2937 2938 2939 2940 2942 2943 2944 config-mgr 2945 2946 2947 2948 east-data-center 2949
11.22.33.44
2950 2951 2952 west-data-center 2953
55.66.77.88
2954 2955 2956 2957 my-call-home-x509-key 2958 2959 2960 2961 2962 2963 2964 2965 2966 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 2967 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 2968 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2969 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= 2970 2971 2972 ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ 2973 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 2974 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2975 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2976 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 2977 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2978 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 2979 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 2980 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 2981 MjAO 2982 2983 2984 MIIExTCCA62gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx\ 2985 EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEZMBcGA1UE\ 2986 ChQQSnVuaXBlcl9OZXR3b3JrczEdMBsGA1UECxQUQ2VydGlmaWNhdGVfSXNzdWFu\ 2987 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 2988 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 2989 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 2990 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 2991 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 2992 ap1DgmS3IaYl/s4OOF8yzcYJprm8O7NyZp+Y9H1U/7Qfp97/KbqwCgkHSzOlnt0X\ 2993 KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 2994 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ 2995 KmORbiKU2GTGZkaCgCjmrWpvrYWLoXv/sf2nPLyK6YjiWsslOJtRO+KzRbs2B18C\ 2996 AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ 2997 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 2998 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 2999 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 3000 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 3001 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 3002 MjAOBgNVHQ8BAf8EBAMCAgQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5q\ 3003 dW5pcGVyLm5ldD9jYT1KdW5pcGVyX1RydXN0X0FuY2hvcl9DQTANBgkqhkiG9w0B\ 3004 AQsFAAOCAQEAOuD7EBilqQcT3t2C4AXta1gGNNwdldLLw0jtk4BMiA9l//DZfskB\ 3005 2AaJtiseLTXsMF6MQwDs1YKkiXKLu7gBZDlJ6NiDwy1UnXhi2BDG+MYXQrc6p76K\ 3006 z3bsVwZlaJQCdF5sbggc1MyrsOu9QirnRZkIv3R8ndJH5K792ztLquulAcMfnK1Y\ 3007 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX7WJzEbT/G7MUfo\ 3008 Sb+U2PVsQTDWEzUjVnG7vNWYxirnAOZ0OXEWWYxHUJntx6DsbXYuX7D1PkkNr7ir\ 3009 96DpOPtX7h8pxxGSDPBXIyvg02aFMphstQ== 3010 3011 3012 QGp1bmlwZXIuY29tMB4XDTE0MDIyNzE0MTM1MloXDTE1MDIyNzE0MTM1MlowMDET\ 3013 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 3014 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 3015 RDEuRiZNRNLeJpgN9YWkXLAZX2rASwy041EMmZ6KAkWUd3ZmXucfoLpdRemfuPii\ 3016 KQTpIM/rNrbrkuTmalezFoFS7mrxLXJAsfP1guVcD7sLCyjvegL8pRCCrU9xyKLF\ 3017 8u/Qz4s0x0uzcGYh0sd3iWj21+AtigSLdMD76/j/VzftQL8B1yp3vc1EZiowOwq4\ 3018 AwEAAaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHppoyXF\ 3019 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 3020 NTOufhQsD2t4TYpEkzLEiZqSswdBOaPxPcJLQNW8Bw2xN+A9GX= 3021 3022 3023 Y2UxGTAXBgNVBAMUEFRQTV9UcnVzdF9BbmNob3IxHTAbBgkqhkiG9w0BCQEWDmNh\ 3024 MBEGA1UEChQKVFBNX1ZlbmRvcjEZMBcGA1UEAxQQSnVuaXBlcl9YWFhYWF9DQTCC\ 3025 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANL5Mk5qFsVuqo+JmXWLmFxI\ 3026 yh/JaftWYf7m3KBzOdg2MIHfBgNVHSMEgdcwgdSAFDSljCNmTN5b+CDujJLlyDal\ 3027 WFPaoYGwpIGtMIGqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTES\ 3028 MBAGA1UEBxMJU3Vubnl2YWxlMRkwFwYDVQQKFBBKdW5pcGVyX05ldHdvcmtzMR0w\ 3029 GwYDVQQLFBRDZXJ0aWZpY2F0ZV9Jc3N1YW5jZTEZMBcGA1UEAxQQVFBNX1RydXN0\ 3030 X0FuY2hvcjEdMBsGCSqGSIb3DQEJARYOY2FAanVuaXBlci5jb22CCQDUbsEdTn5v\ 3031 MjAO== 3032 3033 3034 A.5. Progress Notifications 3036 The following example illustrates a device using the API to post a 3037 notification to a trusted bootstrap server. Illustrated below is the 3038 'bootstrap-complete' message, but the device may send other 3039 notifications to the server while bootstrapping (e.g., to provide 3040 status updates). 3042 The bootstrap server MUST NOT process a notification from a device 3043 without first authenticating the device. This is in contrast to when 3044 a device is fetching data from the server, a read-only operation, in 3045 which case device authentication is not strictly required (e.g., when 3046 sending signed information). 3048 In this example, the device sends a notification indicating that it 3049 has completed bootstrapping off the data provided by the server. 3050 This example illustrates the device sending both its SSH host keys 3051 and TLS server certificate to the bootstrap server, which the 3052 bootstrap server may, for example, pass to an NMS, as discussed in 3053 Section 7.3. 3055 Note that devices that are able to present an IDevID certificate 3056 [Std-802.1AR-2009], when establishing SSH or TLS connections, do not 3057 need to include its DevID certificate in the bootstrap-complete 3058 message. It is unnecessary to send the DevID certificate in this 3059 case because the IDevID certificate does not need to be pinned by an 3060 NMS in order to be trusted. 3062 REQUEST 3063 ------- 3064 ['\' line wrapping added for formatting only] 3066 POST https://example.com/restconf/data/ietf-zerotouch-bootstrap-server:\ 3067 device=123456/notification HTTP/1.1 3068 HOST: example.com 3069 Content-Type: application/yang.data+xml 3071 3073 3075 bootstrap-complete 3076 example message 3077 3078 3079 ssh-rsa 3080 3081 AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsRCjCzfve2m6\ 3082 zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2MwjE1lG9YxL\ 3083 zeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVcCWAw1lOr\ 3084 9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA5vg7SLq\ 3085 QFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jWqEIuA7\ 3086 LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf6gakW\ 3087 VOZZgQ8929uWjCWlGlqn2mPibp2Go1 3088 3089 3090 3091 ssh-dsa 3092 3093 zD3awSBPrh7ICggLQvHVbPL89eHLuecStKL3HrEgXaI/O2MwjE1lG9YxL\ 3094 zeS5p2ngzK61vikUSqfMukeBohFTrDZ8bUtrF+HMLlTRnoCVcCWAw1lOr\ 3095 9IDGDAuww6G45gLcHalHMmBtQxKnZdzU9kx/fL3ZS5G76Fy6sA5vg7SLq\ 3096 AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJMV8zrtsi8CgEsRCjCzfve2m6\ 3097 QFPjXXft2CAhin8xwYRZy6r/2N9PMJ2Dnepvq4H2DKqBIe340jWqEIuA7\ 3098 LvEJYql4unq4Iog+/+CiumTkmQIWRgIoj4FCzYkO9NvRE6fOSLLf6gakW\ 3099 VOZZgQ8929uWjCWlGlqn2mPibp2Go1 3100 3101 3102 3103 3104 3105 netconf-ssh 3106 netconf-tls 3107 restconf-tls 3108 netconf-ch-ssh 3109 netconf-ch-tls 3110 restconf-ch-tls 3111 3112 WmdsK2gyTTg3QmtGMjhWbW1CdFFVaWc3OEgrRkYyRTFwdSt4ZVRJbVFFM\ 3113 lLQllsdWpOcjFTMnRLR05EMUc2OVJpK2FWNGw2NTdZNCtadVJMZgpRYjk\ 3114 zSFNwSDdwVXBCYnA4dmtNanFtZjJma3RqZHBxeFppUUtTbndWZTF2Zwot\ 3115 NGcEk3UE90cnNFVjRwTUNBd0VBQWFPQ0FSSXdnZ0VPCk1CMEdBMVVkRGd\ 3116 VEJiZ0JTWEdlbUEKMnhpRHVOTVkvVHFLNWd4cFJBZ1ZOYUU0cERZd05ER\ 3117 V6QVJCZ05WQkFNVENrTlNUQ0JKYzNOMVpYS0NDUUNVRHBNSll6UG8zREF\ 3118 NQmdOVkhSTUJBZjhFCkFqQUFNQTRHQTFVZER3RUIvd1FFQXdJSGdEQnBC\ 3119 Z05WSFI4RVlqQmdNRjZnSXFBZ2hoNW9kSFJ3T2k4dlpYaGgKYlhCc1pTN\ 3120 WpiMjB2WlhoaGJYQnNaUzVqY215aU9LUTJNRFF4Q3pBSkJnTlZCQVlUQW\ 3121 QmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLRXdkbAplR0Z0Y0d4bE1RNHdEQ\ 3122 MkF6a3hqUDlVQWtHR0dvS1U1eUc1SVR0Wm0vK3B0R2FieXVDMjBRd2kvZ\ 3123 25PZnpZNEhONApXY0pTaUpZK2xtYWs3RTRORUZXZS9RdGp4NUlXZmdvN2\ 3124 RJSUJQFRStS0Cg== 3125 3126 3127 3129 3130 RESPONSE 3131 -------- 3133 HTTP/1.1 204 No Content 3134 Date: Sat, 31 Oct 2015 17:02:40 GMT 3135 Server: example-server 3137 Appendix B. Artifact Examples 3139 This section presents examples for how the 'information type' 3140 artifact (Section 4.1) can be encoded into a document that can be 3141 distributed outside the bootstrap server's RESETCONF API. The 3142 encoding for these artifacts is the same as if an HTTP GET request 3143 had been sent to the RESTCONF URL for the specific resource. 3145 These examples show the bootstrap information containing 3146 configuration from the YANG modules in [RFC7317] and 3147 [draft-ietf-netconf-server-model]. 3149 Only examples for information type artifact are provided as the other 3150 five artifacts in Section 4 have their own encodings. 3152 B.1. Redirect Information 3154 The following example illustrates how redirect information can be 3155 encoded into an artifact. 3157 INSERT _TEXT_FROM_FILE(refs/ex-file-redirect-information.xml) 3159 B.2. Bootstrap Information 3161 The following example illustrates how bootstrap information can be 3162 encoded into an artifact. 3164 INSERT _TEXT_FROM_FILE(refs/ex-file-bootstrap-information.xml) 3166 Appendix C. Change Log 3168 C.1. ID to 00 3170 o Major structural update; the essence is the same. Most every 3171 section was rewritten to some degree. 3173 o Added a Use Cases section 3175 o Added diagrams for "Actors and Roles" and "NMS Precondition" 3176 sections, and greatly improved the "Device Boot Sequence" diagram 3178 o Removed support for physical presence or any ability for 3179 configlets to not be signed. 3181 o Defined the Zero Touch Information DHCP option 3183 o Added an ability for devices to also download images from 3184 configuration servers 3186 o Added an ability for configlets to be encrypted 3188 o Now configuration servers only have to support HTTP/S - no other 3189 schemes possible 3191 C.2. 00 to 01 3193 o Added boot-image and validate-owner annotations to the "Actors and 3194 Roles" diagram. 3196 o Fixed 2nd paragraph in section 7.1 to reflect current use of 3197 anyxml. 3199 o Added encrypted and signed-encrypted examples 3201 o Replaced YANG module with XSD schema 3203 o Added IANA request for the Zero Touch Information DHCP Option 3205 o Added IANA request for media types for boot-image and 3206 configuration 3208 C.3. 01 to 02 3210 o Replaced the need for a configuration signer with the ability for 3211 each NMS to be able to sign its own configurations, using 3212 manufacturer signed ownership vouchers and owner certificates. 3214 o Renamed configuration server to bootstrap server, a more 3215 representative name given the information devices download from 3216 it. 3218 o Replaced the concept of a configlet by defining a southbound 3219 interface for the bootstrap server using YANG. 3221 o Removed the IANA request for the boot-image and configuration 3222 media types 3224 C.4. 02 to 03 3226 o Minor update, mostly just to add an Editor's Note to show how this 3227 draft might integrate with the draft-pritikin-anima-bootstrapping- 3228 keyinfra. 3230 C.5. 03 to 04 3232 o Major update formally introducing unsigned data and support for 3233 Internet-based redirect servers. 3235 o Added many terms to Terminology section. 3237 o Added all new "Guiding Principles" section. 3239 o Added all new "Sources for Bootstrapping Data" section. 3241 o Rewrote the "Interactions" section and renamed it "Workflow 3242 Overview". 3244 C.6. 04 to 05 3246 o Semi-major update, refactoring the document into more logical 3247 parts 3249 o Created new section for information types 3251 o Added support for DNS servers 3253 o Now allows provisional TLS connections 3255 o Bootstrapping data now supports scripts 3257 o Device Details section overhauled 3259 o Security Considerations expanded 3261 o Filled in enumerations for notification types 3263 C.7. 05 to 06 3265 o Minor update 3267 o Added many Normative and Informative references. 3269 o Added new section Other Considerations. 3271 C.8. 06 to 07 3273 o Minor update 3275 o Added an Editorial Note section for RFC Editor. 3277 o Updated the IANA Considerations section. 3279 C.9. 07 to 08 3281 o Minor update 3283 o Updated to reflect review from Michael Richardson. 3285 C.10. 08 to 09 3287 o Added in missing "Signature" artifact example. 3289 o Added recommendation for manufacturers to use interoperable 3290 formats and file naming conventions for removable storage devices. 3292 o Added configuration-handling leaf to guide if config should be 3293 merged, replaced, or processed like an edit-config/yang-patch 3294 document. 3296 o Added a pre-configuration script, in addition to the post- 3297 configuration script from -05 (issue #15). 3299 C.11. 09 to 10 3301 o Factored ownership vocher and voucher revocation to a separate 3302 document: draft-kwatsen-netconf-voucher. (issue #11) 3304 o Removed options 'edit-config' and yang- 3305 patch'. (issue #12) 3307 o Defined how a signature over signed-data returned from a bootstrap 3308 server is processed. (issue #13) 3310 o Added recommendation for removable storage devices to use open/ 3311 standard file systems when possible. (issue #14) 3313 o Replaced notifications "script-[warning/error]" with "[pre/post]- 3314 script-[warning/error]". (goes with issue #15) 3316 o switched owner-certificate to be encoded using the pkcs#7 format. 3317 (issue #16) 3319 o Replaced md5/sha1 with sha256 inside a choice statement, for 3320 future extensibility. (issue #17) 3322 o A ton of editorial changes, as I went thru the entire draft with a 3323 fine-toothed comb. 3325 C.12. 10 to 11 3327 o fixed yang validation issues found by IETFYANGPageCompilation. 3328 note: these issues were NOT found by pyang --ietf or by the 3329 submission-time validator... 3331 o fixed a typo in the yang module, someone the config false 3332 statement was removed. 3334 Authors' Addresses 3336 Kent Watsen 3337 Juniper Networks 3339 EMail: kwatsen@juniper.net 3341 Mikael Abrahamsson 3342 T-Systems 3344 EMail: "mikael.abrahamsson@t-systems.se