draft-ietf-opsawg-sdi-00.txt   draft-ietf-opsawg-sdi-01.txt 
```
Network Working Group W. Kumari Network Working Group W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational C. Doyle Intended status: Informational C. Doyle
Expires: January 23, 2020 Juniper Networks Expires: January 23, 2020 Juniper Networks
July 22, 2019 January 17, 2020
Secure Device Install Secure Device Install
draft-ietf-opsawg-sdi-00 draft-ietf-opsawg-sdi-01
Abstract Abstract
Deploying a new network device often requires that an employee Deploying a new network device often requires that an employee
physically travel to a datacenter to perform the initial install and physically travel to a datacenter to perform the initial install and
configuration, even in shared datacenters with "smart-hands" type configuration, even in shared datacenters with "smart-hands" type
support. In many cases, this could be avoided if there were a support. In many cases, this could be avoided if there were a
standard, secure way to initially provision the devices. standard, secure way to initially provision the devices.
This document extends existing auto-install / Zero-Touch Provisioning This document extends existing auto-install / Zero-Touch Provisioning
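Review bot: The Expires line on the -01 side still reads
"January 23, 2020" although the date line beneath it moved to
January 17, 2020, so the new revision expires six days after its own
date. Regenerate the header so the expiry follows the new date
(Internet-Drafts are valid for six months).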
skipping to change at page 4, line 41 skipping to change at page 4, line 41
TFTP server. TFTP server.
When the device arrives at the POP, it gets installed in Sirius' When the device arrives at the POP, it gets installed in Sirius'
rack, and cabled as instructed. The new device powers up and rack, and cabled as instructed. The new device powers up and
discovers that it has not yet been configured. It enters its discovers that it has not yet been configured. It enters its
autoboot state, and begins the DHCP process. Sirius' DHCP server autoboot state, and begins the DHCP process. Sirius' DHCP server
provides it with an IP address and the address of the configuration provides it with an IP address and the address of the configuration
server. The router uses TFTP to fetch its config file (note that all server. The router uses TFTP to fetch its config file (note that all
this is existing functionality). The device attempts to load the this is existing functionality). The device attempts to load the
config file - if the config file is unparsable, (new functionality) config file - if the config file is unparsable, (new functionality)
the devies tries to uses its private key to decrypt the file, and, the device tries to use its private key to decrypt the file, and,
assuming it validates, installs the new configuration. assuming it validates, installs the new configuration.
Only the "correct" device will have the required private key and be Only the "correct" device will have the required private key and be
able to decrypt and use the config file (See Security able to decrypt and use the config file (See Security
Considerations). An attacker would be able to connect to the network Considerations). An attacker would be able to connect to the network
and get an IP address. They would also be able to retrieve and get an IP address. They would also be able to retrieve
(encrypted) config files by guessing serial numbers (or perhaps the (encrypted) config files by guessing serial numbers (or perhaps the
server would allow directory listing), but without the private keys server would allow directory listing), but without the private keys
an attacker will not be able to decrypt the files. an attacker will not be able to decrypt the files.
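Review bot: In the reworded sentence "the device tries to use its
private key to decrypt the file, and, assuming it validates, installs
the new configuration", the word "validates" is never defined.
Successful decryption shows only that the file was encrypted to this
device's public key, not who produced it, so say what is checked (for
example a signature from the operator, or only that the decrypted text
parses) and state whether a parsable unencrypted config is still
accepted once this fallback exists.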
skipping to change at line 668 skipping to change at line 670
Email: warren@kumari.net Email: warren@kumari.net
Colin Doyle Colin Doyle
Juniper Networks Juniper Networks
1133 Innovation Way 1133 Innovation Way
Sunnyvale, CA 94089 Sunnyvale, CA 94089
US US
Email: cdoyle@juniper.net Email: cdoyle@juniper.net
```
 End of changes. 5 change blocks. 
3 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/