draft-ietf-opsawg-sdi-04.txt   draft-ietf-opsawg-sdi-05.txt 
Network Working Group W. Kumari Network Working Group W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational C. Doyle Intended status: Informational C. Doyle
Expires: September 5, 2020 Juniper Networks Expires: September 7, 2020 Juniper Networks
March 04, 2020 March 06, 2020
Secure Device Install Secure Device Install
draft-ietf-opsawg-sdi-04 draft-ietf-opsawg-sdi-05
Abstract Abstract
Deploying a new network device often requires that an employee Deploying a new network device often requires that an employee
physically travel to a datacenter to perform the initial install and physically travel to a datacenter to perform the initial install and
configuration, even in shared datacenters with "smart-hands" type configuration, even in shared datacenters with "smart-hands" type
support. In many cases, this could be avoided if there were a support. In many cases, this could be avoided if there were a
standard, secure way to initially provision the devices. standard, secure way to initially provision the devices.
This document extends existing auto-install / Zero-Touch Provisioning This document extends existing auto-install / Zero-Touch Provisioning
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 5, 2020. This Internet-Draft will expire on September 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 40 skipping to change at page 2, line 40
4. Operator Role / Responsibilities . . . . . . . . . . . . . . 7 4. Operator Role / Responsibilities . . . . . . . . . . . . . . 7
4.1. Administrative . . . . . . . . . . . . . . . . . . . . . 7 4.1. Administrative . . . . . . . . . . . . . . . . . . . . . 7
4.2. Technical . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. Technical . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3. Initial Customer Boot . . . . . . . . . . . . . . . . . . 8 4.3. Initial Customer Boot . . . . . . . . . . . . . . . . . . 8
5. Additional Considerations . . . . . . . . . . . . . . . . . . 11 5. Additional Considerations . . . . . . . . . . . . . . . . . . 11
5.1. Key storage . . . . . . . . . . . . . . . . . . . . . . . 11 5.1. Key storage . . . . . . . . . . . . . . . . . . . . . . . 11
5.2. Key replacement . . . . . . . . . . . . . . . . . . . . . 11 5.2. Key replacement . . . . . . . . . . . . . . . . . . . . . 11
5.3. Device reinstall . . . . . . . . . . . . . . . . . . . . 11 5.3. Device reinstall . . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 13 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 13
Appendix B. Demo / proof of concept . . . . . . . . . . . . . . 14 Appendix B. Demo / proof of concept . . . . . . . . . . . . . . 14
B.1. Step 1: Generating the certificate. . . . . . . . . . . . 14 B.1. Step 1: Generating the certificate. . . . . . . . . . . . 14
B.1.1. Step 1.1: Generate the private key. . . . . . . . . . 14 B.1.1. Step 1.1: Generate the private key. . . . . . . . . . 15
B.1.2. Step 1.2: Generate the certificate signing request. . 15 B.1.2. Step 1.2: Generate the certificate signing request. . 15
B.1.3. Step 1.3: Generate the (self signed) certificate B.1.3. Step 1.3: Generate the (self signed) certificate
itself. . . . . . . . . . . . . . . . . . . . . . . . 15 itself. . . . . . . . . . . . . . . . . . . . . . . . 15
B.2. Step 2: Generating the encrypted config. . . . . . . . . 15 B.2. Step 2: Generating the encrypted config. . . . . . . . . 15
B.2.1. Step 2.1: Fetch the certificate. . . . . . . . . . . 15 B.2.1. Step 2.1: Fetch the certificate. . . . . . . . . . . 15
B.2.2. Step 2.2: Encrypt the config file. . . . . . . . . . 16 B.2.2. Step 2.2: Encrypt the config file. . . . . . . . . . 16
B.2.3. Step 2.3: Copy config to the config server. . . . . . 16 B.2.3. Step 2.3: Copy config to the config server. . . . . . 16
B.3. Step 3: Decrypting and using the config. . . . . . . . . 16 B.3. Step 3: Decrypting and using the config. . . . . . . . . 16
B.3.1. Step 3.1: Fetch encrypted config file from config B.3.1. Step 3.1: Fetch encrypted config file from config
server. . . . . . . . . . . . . . . . . . . . . . . . 16 server. . . . . . . . . . . . . . . . . . . . . . . . 16
skipping to change at page 5, line 7 skipping to change at page 5, line 7
implementing this concept. As devices have different capabilities, implementing this concept. As devices have different capabilities,
and use different configuration paradigms, one method will not suit and use different configuration paradigms, one method will not suit
all, and so it is expected that vendors will differ in exactly how all, and so it is expected that vendors will differ in exactly how
they implement this. they implement this.
This document uses the serial number of the device as a unique This document uses the serial number of the device as a unique
identifier for simplicity; some vendors may not want to implement the identifier for simplicity; some vendors may not want to implement the
system using the serial number as the identifier for business reasons system using the serial number as the identifier for business reasons
(a competitor or similar could enumerate the serial numbers and (a competitor or similar could enumerate the serial numbers and
determine how many devices have been manufactured). Implementors are determine how many devices have been manufactured). Implementors are
free to choose some other way of generating identifiers (e.g UUID free to choose some other way of generating identifiers (e.g., UUID
[RFC4122]), but this will likely make it somewhat harder for [RFC4122]), but this will likely make it somewhat harder for
operators to use (the serial number is usually easy to find on a operators to use (the serial number is usually easy to find on a
device, a more complex system is likely harder to track). device, a more complex system is likely harder to track).
[ Ed note: This example also uses TFTP because that is what many [ Ed note: This example also uses TFTP because that is what many
vendors use in their auto-install / ZTP feature. It could easily vendors use in their auto-install / ZTP feature. It could easily
instead be HTTP, FTP, etc. ] instead be HTTP, FTP, etc. ]
2.1. Example Scenario 2.1. Example Scenario
Sirius Cybernetics Corp needs another peering router, and so they Sirius Cybernetics Corp needs another peering router, and so they
order another router from Acme Network Widgets, to be drop-shipped to order another router from Acme Network Widgets, to be drop-shipped to
the Point of Presence (POP) / datacenter. Acme begins assembling the the Point of Presence (POP) / datacenter. Acme begins assembling the
new device, and tells Sirius what the new device's serial number will new device, and tells Sirius what the new device's serial number will
be (SN:17894321). When Acme first installs the firmware on the be (SN:17894321). When Acme first installs the firmware on the
device and boots it, the device generates a public-private keypair, device and boots it, the device generates a public-private keypair,
and Acme publishes it on their keyserver (in a certificate, for ease and Acme publishes it on their keyserver (in a public key
of use). certificate, for ease of use).
While the device is being shipped, Sirius generates the initial While the device is being shipped, Sirius generates the initial
device configuration, fetches the certificate from Acme keyservers by device configuration, fetches the certificate from Acme keyservers by
providing the serial number of the new device. Sirius then encrypts providing the serial number of the new device. Sirius then encrypts
the device configuration and puts this encrypted config on a (local) the device configuration and puts this encrypted config on a (local)
TFTP server. TFTP server.
When the device arrives at the POP, it gets installed in Sirius' When the device arrives at the POP, it gets installed in Sirius'
rack, and cabled as instructed. The new device powers up and rack, and cabled as instructed. The new device powers up and
discovers that it has not yet been configured. It enters its discovers that it has not yet been configured. It enters its
skipping to change at page 6, line 12 skipping to change at page 6, line 12
server would allow directory listing), but without the private keys server would allow directory listing), but without the private keys
an attacker will not be able to decrypt the files. an attacker will not be able to decrypt the files.
3. Vendor Role / Requirements 3. Vendor Role / Requirements
This section describes the vendors roles and responsibilities and This section describes the vendors roles and responsibilities and
provides an overview of what the device needs to do. provides an overview of what the device needs to do.
3.1. Device key generation 3.1. Device key generation
Each devices requires a public-private key keypair, and for the
public part to be published and retrievable by the operator. This
section illustrates one method, but, as with much of this document
the exact mechanism may will vary by vendor. [I-D.gutmann-scep] is
one method which vendors may want to strongly consider.
During the manufacturing stage, when the device is initially powered During the manufacturing stage, when the device is initially powered
on, it will generate a public-private keypair. It will send its on, it will generate a public-private keypair. It will send its
unique identifier and the public key to the vendor's Certificate unique identifier and the public key to the vendor's Certificate
Publication Server to be published. The mechanism used to do this is Publication Server to be published. The vendor's Certificate
left undefined. Note that some devices may be constrained, and so Publication Server should only accept certificates from the
may send the raw public key and unique identifier to the certificate manufacturing facility, and which match vendor defined policies (for
publication server, while mode capable devices may generate and send example, extended key usage, extensions, etc.) Note that some
self-signed certificates. devices may be constrained, and so may send the raw public key and
unique identifier to the certificate publication server, while more
capable devices may generate and send self-signed certificates.
3.2. Certificate Publication Server 3.2. Certificate Publication Server
The certificate publication server contains a database of The certificate publication server contains a database of
certificates. If newly manufactured devices upload certificates the certificates. If newly manufactured devices upload certificates the
certificate publication server can simply publish these, if the certificate publication server can simply publish these, if the
devices provide raw public keys and unique identifiers the devices provide raw public keys and unique identifiers the
certificate publication server will need to wrap these in a certificate publication server will need to wrap these in a
certificate. Note that the certificate publication server MUST only certificate. Note that the certificate publication server MUST only
accept certificates or keys from the vendor's manufacturing accept certificates or keys from the vendor's manufacturing
facilities. facilities.
The customers (e.g Sirius Cybernetics Corp) query this server with The customers (e.g., Sirius Cybernetics Corp) query this server with
the serial number (or other provided unique identifier) of a device, the serial number (or other provided unique identifier) of a device,
and retrieve the associated certificate. It is expected that and retrieve the associated certificate. It is expected that
operators will receive the unique identifier (serial number) of operators will receive the unique identifier (serial number) of
devices when they purchase them, and will download and store / cache devices when they purchase them, and will download and store / cache
the certificate. This means that there is not a hard requirement on the certificate. This means that there is not a hard requirement on
the uptime / reachability of the certificate publication server. the uptime / reachability of the certificate publication server.
+------------+ +------------+
+------+ |Certificate | +------+ |Certificate |
|Device| |Publication | |Device| |Publication |
skipping to change at page 7, line 46 skipping to change at page 7, line 46
When purchasing a new device, the accounting department will need to When purchasing a new device, the accounting department will need to
get the unique device identifier (likely serial number) of the new get the unique device identifier (likely serial number) of the new
device and communicate it to the operations group. device and communicate it to the operations group.
4.2. Technical 4.2. Technical
The operator will contact the vendor's publication server, and The operator will contact the vendor's publication server, and
download the certificate (by providing the unique device identifier download the certificate (by providing the unique device identifier
of the device). The operator SHOULD fetch the certificate using a of the device). The operator SHOULD fetch the certificate using a
secure transport (e.g HTTPS). The operator will then encrypt the secure transport (e.g., HTTPS). The operator will then encrypt the
initial configuration to the key in the certificate, and place it on initial configuration (for example, using SMIME) using the key in the
their TFTP server. See Appendix B for examples. certificate, and place it on their TFTP server. See Appendix B for
examples.
+------------+ +------------+
+--------+ |Certificate | +--------+ |Certificate |
|Operator| |Publication | |Operator| |Publication |
+--------+ | Server | +--------+ | Server |
+------------+ +------------+
+----------------+ +----------------+ +----------------+ +----------------+
| +-----------+ | | +-----------+ | | +-----------+ | | +-----------+ |
| | Fetch | | | | | | | | Fetch | | | | | |
| | Device |<------>|Certificate| | | | Device |<------>|Certificate| |
skipping to change at page 8, line 39 skipping to change at page 8, line 39
+----------------+ +----------------+ +----------------+ +----------------+
Fetching the certificate, encrypting the configuration, publishing Fetching the certificate, encrypting the configuration, publishing
the encrypted configuration. the encrypted configuration.
4.3. Initial Customer Boot 4.3. Initial Customer Boot
When the device is first booted by the customer (and on subsequent When the device is first booted by the customer (and on subsequent
boots), if the device does not have a valid configuration, it will boots), if the device does not have a valid configuration, it will
use existing auto-install functionality. As an example, it performs use existing auto-install functionality. As an example, it performs
DHCP Discovery until it gets a DHCP offer including DHCP option 66 or DHCP Discovery until it gets a DHCP offer including DHCP option 66
150, contact the server listed in these DHCP options and downloads (Server-Name) or 150 (TFTP server address), contact the server listed
its config file. Note that this is existing functionality (for in these DHCP options and downloads its config file. Note that this
example, Cisco devices fetch the config file named by the Bootfile- is existing functionality (for example, Cisco devices fetch the
Name DHCP option (67)). config file named by the Bootfile-Name DHCP option (67)).
After retrieving the config file, the device needs to determine if it After retrieving the config file, the device needs to determine if it
is encrypted or not. If it is not encrypted, the existing behavior is encrypted or not. If it is not encrypted, the existing behavior
is used. If the configuration is encrypted, the process continues as is used. If the configuration is encrypted, the process continues as
described in this document. The method used to determine if the described in this document. The method used to determine if the
config is encrypted or not is implementation dependant; there are a config is encrypted or not is implementation dependant; there are a
number of (obvious) options, including having a magic string in the number of (obvious) options, including having a magic string in the
file header, using a file name extension (e.g config.enc), or using file header, using a file name extension (e.g., config.enc), or using
specific DHCP options. specific DHCP options.
If the file is encrypted, the device will attempt to decrypt and If the file is encrypted, the device will attempt to decrypt and
parse the file. It able, it will install the configuration, and parse the file. It able, it will install the configuration, and
start using it. If this fails, the device with either abort the start using it. If this fails, the device with either abort the
auto-install process, or will repeat this process until it succeeds. auto-install process, or will repeat this process until it succeeds.
Note that the device only needs DHCP and to be able to download the Note that the device only needs DHCP and to be able to download the
config file; after the initial power-on in the factory it never needs config file; after the initial power-on in the factory it never needs
to access the Internet or vendor or certificate publication server - to access the Internet or vendor or certificate publication server -
it (and only it) has the private key and so has the ability to it (and only it) has the private key and so has the ability to
decrypt the config file. decrypt the config file.
+--------+ +--------------+ +--------+ +--------------+
| Device | |Config server | | Device | |Config server |
+--------+ | (e.g TFTP) | +--------+ | (e.g. TFTP) |
+--------------+ +--------------+
+---------------------------+ +------------------+ +---------------------------+ +------------------+
| +-----------+ | | | | +-----------+ | | |
| | | | | | | | | | | |
| | DHCP | | | | | | DHCP | | | |
| | | | | | | | | | | |
| +-----+-----+ | | | | +-----+-----+ | | |
| | | | | | | | | |
| +-----v------+ | | +-----------+ | | +-----v------+ | | +-----------+ |
| | | | | | Encrypted | | | | | | | | Encrypted | |
skipping to change at page 11, line 9 skipping to change at page 11, line 9
| +--------+ | | | | +--------+ | | |
| | | | | | | |
+---------------------------+ +------------------+ +---------------------------+ +------------------+
Device boot, fetch and install config file Device boot, fetch and install config file
5. Additional Considerations 5. Additional Considerations
5.1. Key storage 5.1. Key storage
Ideally, the keypair would be stored in a TPM on something which is Ideally, the keypair would be stored in a Trusted Platform Module
identified as the "router" - for example, the chassis / backplane. (TPM) on something which is identified as the "router" - for example,
This is so that a keypair is bound to what humans think of as the the chassis / backplane. This is so that a keypair is bound to what
"device", and not, for example (redundant) routing engines. Devices humans think of as the "device", and not, for example (redundant)
which implement IEEE 802.1AR could choose to use the IDevID for this routing engines. Devices which implement IEEE 802.1AR could choose
purpose. to use the IDevID for this purpose.
5.2. Key replacement 5.2. Key replacement
It is anticipated that some operator may want to replace the (vendor It is anticipated that some operator may want to replace the (vendor
provided) keys after installing the device. There are two options provided) keys after installing the device. There are two options
when implementing this - a vendor could allow the operator's key to when implementing this - a vendor could allow the operator's key to
completely replace the initial device generated key (which means completely replace the initial device generated key (which means
that, if the device is ever sold, the new owner couldn't use this that, if the device is ever sold, the new owner couldn't use this
technique to install the device), or the device could prefer the technique to install the device), or the device could prefer the
operators installed key. This is an implementation decision left to operators installed key. This is an implementation decision left to
skipping to change at page 11, line 37 skipping to change at page 11, line 37
5.3. Device reinstall 5.3. Device reinstall
Increasingly, operations is moving towards an automated model of Increasingly, operations is moving towards an automated model of
device management, whereby portions (or the entire) configuration is device management, whereby portions (or the entire) configuration is
programmatically generated. This means that operators may want to programmatically generated. This means that operators may want to
generate an entire configuration after the device has been initially generate an entire configuration after the device has been initially
installed and ask the device to load and use this new configuration. installed and ask the device to load and use this new configuration.
It is expected (but not defined in this document, as it is vendor It is expected (but not defined in this document, as it is vendor
specific) that vendors will allow the operator to copy a new, specific) that vendors will allow the operator to copy a new,
encrypted config (or part of a config) onto a device and then request encrypted config (or part of a config) onto a device and then request
that the device decrypt and install it (e.g: 'load replace <filename> that the device decrypt and install it (e.g.: 'load replace
encrypted)). The operator could also choose to reset the device to <filename> encrypted)). The operator could also choose to reset the
factory defaults, and allow the device to act as though it were the device to factory defaults, and allow the device to act as though it
initial boot (see Section 4.3). were the initial boot (see Section 4.3).
6. IANA Considerations 6. IANA Considerations
This document makes no requests of the IANA. This document makes no requests of the IANA.
7. Security Considerations 7. Security Considerations
This mechanism is intended to replace either expensive (traveling This mechanism is intended to replace either expensive (traveling
employees) or insecure mechanisms of installing newly deployed employees) or insecure mechanisms of installing newly deployed
devices such as: unencrypted config files which can be downloaded by devices such as: unencrypted config files which can be downloaded by
connecting to unprotected ports in datacenters, mailing initial connecting to unprotected ports in datacenters, mailing initial
config files on flash drives, or emailing config files and asking a config files on flash drives, or emailing config files and asking a
third-party to copy and paste it over a serial terminal. It does not third-party to copy and paste it over a serial terminal. It does not
protect against devices with malicious firmware, nor theft and reuse protect against devices with malicious firmware, nor theft and reuse
of devices. of devices.
An attacker (e.g a malicious datacenter employee) who has physical An attacker (e.g., a malicious datacenter employee) who has physical
access to the device before it is connected to the network the access to the device before it is connected to the network the
attacker may be able to extract the device private key (especially if attacker may be able to extract the device private key (especially if
it isn't stored in a TPM), pretend to be the device when connecting it isn't stored in a TPM), pretend to be the device when connecting
to the network, and download and extract the (encrypted) config file. to the network, and download and extract the (encrypted) config file.
This mechanism does not protect against a malicious vendor - while This mechanism does not protect against a malicious vendor - while
the keypair should be generated on the device, and the private key the keypair should be generated on the device, and the private key
should be securely stored, the mechanism cannot detect or protect should be securely stored, the mechanism cannot detect or protect
against a vendor who claims to do this, but instead generates the against a vendor who claims to do this, but instead generates the
keypair off device and keeps a copy of the private key. It is keypair off device and keeps a copy of the private key. It is
largely understood in the operator community that a malicious vendor largely understood in the operator community that a malicious vendor
or attacker with physical access to the device is largely a "Game or attacker with physical access to the device is largely a "Game
Over" situation. Over" situation.
Even when using a secure bootstrapping mechanism, security conscious Even when using a secure bootstrapping mechanism, security conscious
operators may wish to bootstrapping devices with a minimal / less operators may wish to bootstrapping devices with a minimal / less
sensitive config, and then replace this with a more complete one sensitive config, and then replace this with a more complete one
after install. after install.
8. Acknowledgements 8. Acknowledgments
The authors wish to thank everyone who contributed, including Benoit The authors wish to thank everyone who contributed, including Benoit
Claise, Tom Petch, Sam Ribeiro, Michael Richardson, Sean Turner and Claise, Francis Dupont, Tom Petch, Sam Ribeiro, Michael Richardson,
Kent Watsen. Joe Clarke provided significant comments and review. Sean Turner and Kent Watsen. Joe Clarke also provided significant
comments and review.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[I-D.gutmann-scep]
Gutmann, P., "Simple Certificate Enrolment Protocol",
draft-gutmann-scep-15 (work in progress), February 2020.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
[RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero [RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero
Touch Provisioning (SZTP)", RFC 8572, Touch Provisioning (SZTP)", RFC 8572,
DOI 10.17487/RFC8572, April 2019, DOI 10.17487/RFC8572, April 2019,
<https://www.rfc-editor.org/info/rfc8572>. <https://www.rfc-editor.org/info/rfc8572>.
skipping to change at page 16, line 33 skipping to change at page 16, line 33
B.3. Step 3: Decrypting and using the config. B.3. Step 3: Decrypting and using the config.
When the router connects to the operator's network it will detect When the router connects to the operator's network it will detect
that does not have a valid configuration file, and will start the that does not have a valid configuration file, and will start the
"autoboot" process. This is a well documented process, but the high "autoboot" process. This is a well documented process, but the high
level overview is that it will use DHCP to obtain an IP address and level overview is that it will use DHCP to obtain an IP address and
config server. It will then use TFTP to download a configuration config server. It will then use TFTP to download a configuration
file, based upon its serial number (this document modifies the file, based upon its serial number (this document modifies the
solution to fetch an encrypted config file (ending in .enc)). It solution to fetch an encrypted config file (ending in .enc)). It
will then then decrypt the config file, and install it. will then decrypt the config file, and install it.
B.3.1. Step 3.1: Fetch encrypted config file from config server. B.3.1. Step 3.1: Fetch encrypted config file from config server.
$ tftp 192.0.2.1 -c get SN19842256.enc $ tftp 192.0.2.1 -c get SN19842256.enc
B.3.2. Step 3.2: Decrypt and use the config. B.3.2. Step 3.2: Decrypt and use the config.
$ openssl smime -decrypt -in SN19842256.enc -inform pkcs7\ $ openssl smime -decrypt -in SN19842256.enc -inform pkcs7\
-out config.cfg -inkey key.pem -out config.cfg -inkey key.pem
 End of changes. 22 change blocks. 
41 lines changed or deleted 55 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/