
Secure Device Install
draft-ietf-opsawg-sdi-13

Document history

Date Rev. By Action
2020-08-28
13 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2020-08-23
13 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2020-07-06
13 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2020-06-25
13 Tero Kivinen Closed request for Last Call review by SECDIR with state 'Overtaken by Events'
2020-06-25
13 Tero Kivinen Assignment of request for Last Call review by SECDIR to Sean Turner was marked no-response
2020-06-24
13 (System) IANA Action state changed to No IANA Actions from In Progress
2020-06-24
13 (System) IANA Action state changed to In Progress
2020-06-24
13 (System) RFC Editor state changed to EDIT
2020-06-24
13 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2020-06-24
13 (System) Announcement was received by RFC Editor
2020-06-24
13 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2020-06-24
13 Amy Vezza IESG has approved the document
2020-06-24
13 Amy Vezza Closed "Approve" ballot
2020-06-24
13 Amy Vezza Ballot approval text was generated
2020-06-24
13 Robert Wilton IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2020-06-24
13 Roman Danyliw [Ballot comment]
Thank you for addressing my DISCUSS and COMMENT items.
2020-06-24
13 Roman Danyliw [Ballot Position Update] Position for Roman Danyliw has been changed to No Objection from Discuss
2020-06-24
13 Warren Kumari New version available: draft-ietf-opsawg-sdi-13.txt
2020-06-24
13 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-06-24
13 Warren Kumari Uploaded new revision
2020-06-19
12 Benjamin Kaduk
[Ballot comment]
Thanks for the updates in the -12 (and -11?  My notes claim I reviewed the -10, though
the datatracker history says it was the -11; perhaps there was some skew between when
I opened the doc and balloted).  They get most of the way to where I want us to be, so
I'm switching to No Objection.  That said, the Abstract and Introduction still feel like
they're slightly overstating the confidentiality protection attainable with this mechanism:

The Abstract currently says "to provide confidentiality to initial configuration
during bootstrapping", but we may need to hedge that a bit more, e.g., that this is
partial or limited confidentiality.  Similarly, Section 1 currently says "while maintaining
confidentiality of the initial configuration", and would get similar treatment.

Finally, I see that you took my suggestion of using "directory service" instead of
"Certificate Publication Server".  It may be worth a reference for this concept -- e.g., Section 2.1 of
RFC 5280 references both [X.500] and RFC 4510 as potential ways to provide
directory service for obtaining certificates.
2020-06-19
12 Benjamin Kaduk [Ballot Position Update] Position for Benjamin Kaduk has been changed to No Objection from Discuss
2020-06-08
12 (System) Sub state has been changed to AD Followup from Revised ID Needed
2020-06-08
12 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2020-06-08
12 Warren Kumari New version available: draft-ietf-opsawg-sdi-12.txt
2020-06-08
12 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-06-08
12 Warren Kumari Uploaded new revision
2020-05-21
11 Michael Richardson

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
    Standard, Informational, Experimental, or Historic)? Why is this the proper
    type of RFC? Is this type of RFC indicated in the title page header?

This document is intended as Informational.
This document does not prescribe any specific protocol or mechanism, but
rather outlines a general technique.  The details of how to do the
encryption, or how to deliver the encrypted configuration file are left to
vendors to define, using some choice of available protocols.
As such, it is inappropriate for this to be standards track.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up. Recent
    examples can be found in the "Action" announcements for approved
    documents. The approval announcement contains the following sections:

Technical Summary:
  This document provides a guide for vendors to extend existing auto-install
  / Zero-Touch Provisioning mechanisms to make the process more secure for
  operators.

Working Group Summary:

The document received a modest amount of discussion and was reviewed by a
number of people who provided useful additions.  Given that the document is
a guide and does not specify a directly implementable protocol, it was
difficult for reviewers to say very much about the protocol, as the details
will be up to vendors who implement this.

Document Quality:

No vendors have committed to implement this protocol.
The document still contains a number of editorial [] notes, some of which
make the document seem very uncertain.  Ignoring the notes, the document is
actually quite mature.

No MIB or YANG doctor was needed.

Personnel:

The document shepherd is Michael Richardson.
The Responsible Area Director is Ignas Bagdonas.

(3) Briefly describe the review of this document that was performed by the
    Document Shepherd. If this version of the document is not ready for
    publication, please explain why the document is being forwarded to the
    IESG.

The Document Shepherd first read the document during the adoption discussion,
and reviewed it again end to end (version -05) during the WGLC.
A review of the differences from 00 to 05 was made to understand whether the
input of the WG was taken into account, and the changes seem reasonable.

(4) Does the document Shepherd have any concerns about the depth or breadth
    of the reviews that have been performed?

The document makes very soft security requirements, and has not at this point
received a security review.  More security review was asked for by the WG at
various times, but it has not yet been received.
In the review of the mailing list, there were instances of threads of
comments from a few people, and it was not always clear from the interaction
if the comments were acted upon.

The document relies upon vendor practice to create key pairs, and for vendors
to create detailed mechanisms.  It is difficult to throw any rocks at this
document, as there is no specific protocol to evaluate: equipment vendors
will have to do a lot of work to finish things out, and the results will be
vendor specific. (That's why this is not standards track.)

(5) Do portions of the document need review from a particular or from broader
    perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
    internationalization? If so, describe the review that took place.

The only component which is specifically mentioned is DHCP, and it does not
define any new DHCP behaviour or define any new DHCP options, so a DHCP
review is not necessary.
Had the document suggested a specific mechanism for encryption (CMS, OpenPGP,
JOSE, etc.) then a review there would be useful, but it leaves that decision
to vendors.

(6) Describe any specific concerns or issues that the Document Shepherd has
    with this document that the Responsible Area Director and/or the IESG should
    be aware of? For example, perhaps he or she is uncomfortable with certain
    parts of the document, or has concerns whether there really is a need for
    it. In any event, if the WG has discussed those issues and has indicated that
    it still wishes to advance the document, detail those concerns here.



(7) Has each author confirmed that any and all appropriate IPR disclosures
    required for full conformance with the provisions of BCP 78 and BCP 79 have
    already been filed. If not, explain why?

The authors have confirmed.

(8) Has an IPR disclosure been filed that references this document? If so,
    summarize any WG discussion and conclusion regarding the IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
    strong concurrence of a few individuals, with others being silent, or does
    the WG as a whole understand and agree with it?

The WG consensus is weak.  The document is the result of a strong concurrence
of a few individuals, most others are silent.  As OPSAWG is a rather loose
group of people, this is probably as strong a consensus as one will get.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in separate email
    messages to the Responsible Area Director. (It should be in a separate email
    because this questionnaire is publicly available.)

No one has threatened an appeal.

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
    Checklist). Boilerplate checks are not enough; this check needs to be
    thorough.

  -- The document has examples using IPv4 documentation addresses according
    to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
    there should be IPv6 examples, too?

(12) Describe how the document meets any required formal review criteria,
    such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

None were done, none required.

(13) Have all references within this document been identified as either
    normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If such normative
    references exist, what is the plan for their completion?

Yes.
The document speaks about DHCP, but does not reference any DHCP specifications.
Perhaps it should.

(15) Are there downward normative references (see RFC 3967)? If
    so, list these downward references to support the Area Director in the Last
    Call procedure.

No.

(16) Will publication of this document change the status of any existing
    RFCs? Are those RFCs listed on the title page header, listed in the abstract,
    and discussed in the introduction? If the RFCs are not listed in the Abstract
    and Introduction, explain why, and point to the part of the document where
    the relationship of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers it
    unnecessary.

This document does not update any other document.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that
newly created IANA registries include a detailed specification of the initial
contents for the registry, that allocations procedures for future
registrations are defined, and a reasonable name for the new registry has
been suggested (see RFC 8126).

There are no IANA Considerations, and none are needed.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd
to validate sections of the document written in a formal language, such as
XML code, BNF rules, MIB definitions, YANG modules, etc.

None.

(20) If the document contains a YANG module, has the module been checked with
any of the recommended validation tools
(https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and
formatting validation? If there are any resulting errors or warnings, what is
the justification for not fixing them at this time? Does the YANG module
comply with the Network Management Datastore Architecture (NMDA) as specified
in RFC8342?

No YANG module.


2020-05-21
11 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2020-05-21
11 Magnus Westerlund
[Ballot comment]
Support Ben and Roman's discusses. Even if the goal is to have a simplified solution with lesser guarantees it appears that the general architecture is so weak that it is easy to circumvent the protection it appears to apply.
2020-05-21
11 Magnus Westerlund [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund
2020-05-20
11 Martin Duke [Ballot comment]
I support Roman’s discuss.
2020-05-20
11 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2020-05-20
11 Alissa Cooper
[Ballot comment]
I support Benjamin's DISCUSS.

Section 3.1: I'm not thrilled to see EST and SCEP suggested on equal footing, since my understanding is that the design of EST is preferable to that of SCEP and we are only publishing SCEP because it is in wide use, not because vendors who have a choice should choose it.
2020-05-20
11 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2020-05-20
11 Erik Kline
[Ballot comment]
[[ comments ]]

* Perhaps a suggestion that vendors might want to have a factory-installed
  option for interested customers that /only/ an encrypted config can be tried
  and no attempt to use a plaintext config will be made.

* Security considerations paragraph about control of the configuration server
  should include a mention that the key is not required for interference if
  the booting device will happily fall back to loading a cleartext config.

* Though less common than DHCPv4, consider acknowledging the broader (open)
  issue of file/TFTP server service discovery (DHCPv6, RAs plus resolution of
  a well-known hostname, DNSSD, ...).


[[ nits ]]

[ section 4.2 ]
* "Publish TFTP Server" --> "Publish to TFTP Server", perhaps
2020-05-20
11 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2020-05-20
11 Cindy Morgan Changed consensus to Yes from Unknown
2020-05-20
11 Amanda Baber IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2020-05-20
11 Benjamin Kaduk
[Ballot discuss]
I support Roman's discuss.

I don't think this document is sufficiently clear about the limits of
the scope of what it's trying to do.

An ideal solution in this space would protect both the confidentiality
of device configuration in transit and the authenticity (and
authorization status) of configuration to be used by the device.  This
document makes no real effort to do the latter, with the device
accepting any configuration file that comes its way and is encrypted
to the device's key (or not encrypted, as the case may be), and with no
attempt to keep the device's public key secret (which is just as well).
I would expect some discussion of this being highly desirable, but also
requiring more complicated machinery (per, e.g., BRSKI and other
voucher-based methods) and that this document aims to provide something
much simpler, at the cost of only providing limited protection.
However, even the confidentiality protection has only a limited realm of
applicability, and it seems to fall apart in some plausible threat
models.

The security considerations rightly note that an attacker with physical
access can likely extract the device private key, retrieve the encrypted
configuration file, and decrypt the configuration contents.  However, I
don't think this possibility is necessarily limited to an attacker with
physical access.  An attacker on the network in the IXP/POP has several
routes to getting attacker-controlled configuration on the device,
whether by uploading to the configuration server, spoofing the DHCP
response to point to the attacker's configuration server, rewriting
traffic between the device and the configuration server, etc.  Once the
attacker has configuration on the device, they have a foothold by which
to gain remote access and use whatever interfaces the device provides
for decrypting configuration files and learning their contents
(potentially even by installing a "backdoor-type" access mechanism and
then running the normal install process for the legitimate encrypted
configuration, and using the backdoor to return and retrieve the
plaintext configuration information).

While this level of attacker control taking over a device in the process
of being installed is not a new attack with the encrypted configuration,
it does still limit the extent to which confidentiality protection for
configuration data is actually achievable, and I don't think the current
document text provides an accurate description of the risk and what
protection is provided.
2020-05-20
11 Benjamin Kaduk
[Ballot comment]
Per the discussion in the DISCUSS section, the incremental improvement
offered by this mechanism is quite limited, to the extent that I wonder
if it's worth putting effort into at all.

Abstract

The first paragraph implies that there is not currently a secure way to
initially provision the device ("if there were"), but the second
paragraph implies that there are such mechanisms ("extends existing";
"more secure").  Which is true?

(Also, I'm reluctant to describe the procedure outlined by this document
as a "secure way" to do anything; it's better to talk about the
(limited) protection that is provided for the confidentiality of
sensitive configuration data, as other aspects of security are unchanged
by this mechanism.)

Section 1

  is it intended to solve all use-cases - rather it is a simple
  targeted solution to solve a common operational issue where the
  network device has been delivered, fibre laid (as appropriate) but
  there is no trusted member of the operator's staff to perform the
  initial configuration.

nit: the sentence structure here doesn't seem quite right -- the comma
before fibre sets us up for a list, but the "but" doesn't conclude a
list.  Perhaps replace the comma with "and"?

Section 2

  [RFC2131]).  The device then contacts this configuration server to
  download its initial configuration, which is often identified using
  the devices serial number, MAC address or similar.  This document

nit: "device's"

  [RFC4122]), but this will likely make it somewhat harder for
  operators to use (the serial number is usually easy to find on a
  device, a more complex system is likely harder to track).

nit: comma splice

Section 2.1

  discovers that it has not yet been configured.  It enters its
  autoboot state, and begins the DHCP process.  Operator_A' DHCP server

nit: "Operator_A's".

Section 3.1

  Each devices requires a public-private key keypair, and for the

nit: "device" singular.

  During the manufacturing stage, when the device is initially powered
  on, it will generate a public-private keypair.  It will send its
  unique device identifier and the public key to the vendor's
  Certificate Publication Server to be published.  The vendor's
  Certificate Publication Server should only accept certificates from

side note: in an X.500 or PKIX context this would likely be known as a
"directory server" rather than a "Certificate Publication Server".

  the manufacturing facility, and which match vendor defined policies
  (for example, extended key usage, extensions, etc.)  Note that some
  devices may be constrained, and so may send the raw public key and
  unique device identifier to the certificate publication server, while
  more capable devices may generate and send self-signed certificates.

Don't we need to give some guidance for integrity protecting the public
key data in transit from manufacturing facility to CPS?  The existing
text about only the manufacturing facility being authorized to do so is
helpful, but perhaps incomplete in this regard.

Section 3.2

  The certificate publication server contains a database of
  certificates.  If newly manufactured devices upload certificates the
  certificate publication server can simply publish these; if the
  devices provide the raw public keys and unique device identifier, the
  certificate publication server will need to wrap these in a
  certificate.

What should we say about the signing key used to sign such certificates?
Should it be in anything's trust store?  (No, obviously, but...)  They
clearly cannot be self-signed, since only the public key is sent to the
CPS...


I guess there also needs to be some logic in the baked-in device
firmware about where to publish the self-signed certificate that it
generates, which might contribute some operational fragility (but since
that environment is going to be pretty controlled anyway, probably not
much).

Section 4.2

  of the device).  The operator SHOULD fetch the certificate using a
  secure transport (e.g., HTTPS).  The operator will then encrypt the

It seems like the important part of "secure" transport here is the
source authenticity (and the integrity protection it depends on) --
without that the chain of custody that ties the device serial number to
the device key/certificate is broken.  Confidentiality protection may
not be as critical (though can still provide tangible benefit).

Section 4.3

  process, or will repeat this process until it succeeds.  When
  retrying, care should be taken to not overwhelm the server hosting
  the encrypted configuration files.  It is suggested that the device

(Wouldn't this apply equally to a server hosting unencrypted
configuration files?)

Section 5.2

  technique to install the device), or the device could prefer the
  operators installed key.  This is an implementation decision left to
  the vendor.

nit: either "operator's installed key" or "operator-installed key".

Section 5.3

  Increasingly, operations is moving towards an automated model of
  device management, whereby portions (or the entire) configuration is

nit: "portions of"

Section B.1.1

No love for ECC?

Section B.1.2

I expect that not all readers are familiar with the openssl '.' syntax
for DN entry and it's easy to miss next to the ":".  (Also, it's
possible to automate the process so that you don't get prompted for all
the irrelevant fields.)

Section B.1.3

  $ openssl req -x509 -days 36500 -key key.pem -in SN19842256.csr -out
  SN19842256.crt

Note that RFC 5280 says:

% To indicate that a certificate has no well-defined expiration date,
% the notAfter SHOULD be assigned the GeneralizedTime value of
% 99991231235959Z.

which may be preferable to arbitrarily claiming a 100-year lifetime.

Section B.2.2

CMS best practice would be AuthEnvelopedData rather than just
EnvelopedData, though the openssl cli doesn't support that yet
(https://github.com/openssl/openssl/pull/8024).

Section B.3.2

  $ openssl smime -decrypt -in SN19842256.enc -inform pkcs7\
    -out config.cfg -inkey key.pem

Do you need another space after the continuation line to avoid the
"-inform pkcs7-out" parse error?
2020-05-20
11 Benjamin Kaduk [Ballot Position Update] New position, Discuss, has been recorded for Benjamin Kaduk
2020-05-20
11 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2020-05-20
11 Warren Kumari New version available: draft-ietf-opsawg-sdi-11.txt
2020-05-20
11 (System) New version approved
2020-05-20
11 (System) Request for posting confirmation emailed to previous authors: Colin Doyle , Warren Kumari
2020-05-20
11 Warren Kumari Uploaded new revision
2020-05-20
10 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2020-05-19
10 Barry Leiba
[Ballot comment]
Just a nitty load of nits nitting about:

— Section 1 —

  Internet Exchange Points (IXP) or "carrier neutral

Nit: hyphenate “carrier-neutral”,

  vendor proprietary) protocols to perform initial device installs

Nit: hyphenate “vendor-proprietary” (or just drop “vendor”).

  use DHCP [RFC2131]to get an IP address

Nit: add a space after the citation.

  security related and/or proprietary information

Nit: hyphenate “security-related”.

  (or using an auto-
  install techniques which fetch an unencrypted config file

Nit: remove “an”.

  perform the initial configuration work; this costs, time and money.

Nit: remove the comma.

  configure the devices before shipping it;

Nit: “device” (or “them”).

  optimized for simplicity, both for the implementor and the operator;

Nit: make it “for both” (or repeat “for” before “the operator”).

  is it intended to solve all use-cases

Nit: do not hyphenate “use cases”.

  Solutions such as Secure Zero Touch Provisioning (SZTP)" [RFC8572],

Nit: there’s an unpaired quotation mark.

— Section 2 —

  the devices serial number, MAC address or similar.

Nit: Make it “device’s” (possessive).

  extends this (vendor specific) paradigm

Nit: hyphenate “vendor-specific”.

— Section 2.1 —

  When the device arrives at the POP, it gets installed in Operator_A'

  autoboot state, and begins the DHCP process.  Operator_A' DHCP server

Nit: “Operator_A’s” in both places.

— Section 3.1 —

  Each devices requires a public-private key keypair

Nit: “Each device”
Nit: you don’t need “key keypair”; I suggest “key pair”.

  (for example, extended key usage, extensions, etc.)

Nit: “for example” and “etc.” don’t go together; use one or the other.

— Section 4.3 —

  configurations fails, the device will either abort the auto-install
  process, or will repeat this process until it succeeds.

Nit: “configuration” (singular).
Nit: remove the second “will” (or make it “either will”).

— Section 5.2 —

  completely replace the initial device generated key

Nit: hyphenate “device-generated”.

  operators installed key.

Nit: “operator’s” (possessive).

— Section 5.3 —

  device management, whereby portions (or the entire) configuration

Nit: “portions of”

— Section 7 —

  third-party to copy and paste it over a serial terminal.

Nit: “them”, not “it” (the antecedent is plural).

  An attacker (e.g., a malicious datacenter employee) who has physical
  access to the device before it is connected to the network the
  attacker may be able to extract the device private key

Nit: remove “the attacker”.

  Even when using a secure bootstrapping mechanism, security conscious
  operators may wish to bootstrapping devices with a minimal / less
  sensitive config

Nit: hyphenate “security-conscious”.
Nit: “bootstrap” (no “ing”).
Nit: hyphenate “less-sensitive”.
2020-05-19
10 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2020-05-19
10 Alvaro Retana [Ballot comment]
I support Roman's DISCUSS.
2020-05-19
10 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2020-05-19
10 Éric Vyncke
[Ballot comment]
Thank you for the work put into this document. The document is easy to read.

Please also reply to Nancy's IoT directorate review at:
https://datatracker.ietf.org/doc/review-ietf-opsawg-sdi-10-iotdir-telechat-cam-winget-2020-05-14/
(Thank you Nancy for the review)

I am also trusting my security AD peers for the security aspects.

Please find below a couple of non-blocking COMMENTs.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

Should the "IP address" be scoped? I.e., is it global scope or (IPv4 and IPv6) link-local only?

-- Sections 1 & 2 --
PLEASE when mentioning DHCP also refer to DHCPv6 RFC 8415 (trusting the authors to fix this before final publication). You may also explore whether IPv6 Router Advertisement / PvD could be an option.

-- Section 1.1 --
This is an informational document, so, I wonder whether a reference to BCP 14 is useful. (see also Murray's comment on section 4.2)

-- Section 4.2 --
Is there a reason to suggest the use of TLS to fetch the certificate? Normally a certificate is public information and is authenticated.

-- Section 5.1 --
Is there a need to store the public key (and the associate cert I guess) in TPM ?
2020-05-19
10 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2020-05-19
10 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2020-05-18
10 Roman Danyliw
[Ballot discuss]
** Section 3.2.  If keying material is being distributed as a certificate, do the expected behaviors of certificate process apply?  For example, how is expiration handled?

--  If a customer downloads a certificate from the publication server and it is expired, what should be done?

-- If a certificate is loaded in the TPM of the device, should the client stop accepting configurations if it expires?

** Section 4.3.  “After retrieving the config file, the device needs to determine if it is encrypted or not.  If it is not encrypted, the existing behavior is used.”  What downgrade protection is assumed or recommended here?  A rogue data center employee could re-target a DHCP response to a server of choice which provides only unencrypted, tainted configuration.  It would seem that a device expecting an encrypted configuration should not accept unencrypted ones (or at least this should be a policy consideration).
2020-05-18
10 Roman Danyliw Ballot discuss text updated for Roman Danyliw
2020-05-18
10 Roman Danyliw
[Ballot discuss]
** Section 3.2.  If keying material is being distributed as a certificate, do the expected behaviors of certificate process apply?  For example, how is expiration handled?
--  If a customer downloads a certificate from the publication server and it is expired, what should be done?

-- If a certificate is loaded in the TPM of the device, should the client stop accepting configurations if it expires?

** Section 4.3.  “After retrieving the config file, the device needs to determine if it is encrypted or not.  If it is not encrypted, the existing behavior is used.”  What downgrade protection is assumed or recommended here?  A rogue data center employee could re-target a DHCP response to a server of choice which provides only unencrypted, tainted configuration.  It would seem that a device expecting an encrypted configuration should not accept unencrypted ones (or at least this should be a policy consideration).
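The downgrade point raised in Roman Danyliw's discuss above, and Erik Kline's earlier suggestion of a factory-installed option that only ever tries an encrypted config, can be made concrete as a device-side policy check on the fetched file. This is an added example, not code from the draft, from any of the reviewers, or from a vendor implementation; the minimal DER ContentInfo parsing, the `encrypted_only` flag and all sample inputs are assumptions constructed for illustration.

```python
"""Device-side policy for a configuration file fetched during auto-install.

Added example, not part of draft-ietf-opsawg-sdi. It classifies the fetched
bytes as a CMS EnvelopedData / AuthEnvelopedData (the kinds of object the
draft's appendix produces with openssl smime), as plaintext, or as something
else, and then applies a policy: in encrypted-only mode a plaintext file is
refused instead of silently falling back to the existing unencrypted path.
Nothing here decrypts; it only inspects the outer CMS ContentInfo header
(assumed layout: SEQUENCE { contentType OID, [0] EXPLICIT content }).
"""
import base64
import binascii
import re

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_AUTH_ENVELOPED_DATA = "1.2.840.113549.1.9.16.1.23"

_PEM_RE = re.compile(rb"-----BEGIN (PKCS7|CMS)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def cms_content_type(der):
    """Return the contentType OID of a DER CMS ContentInfo, or None if the
    bytes do not start with SEQUENCE { OID ... }."""
    try:
        if der[0] != 0x30:
            return None
        seq_len, pos = _read_length(der, 1)
        if pos + seq_len > len(der) or der[pos] != 0x06:
            return None
        oid_len, pos = _read_length(der, pos + 1)
        return _decode_oid(der[pos:pos + oid_len])
    except (IndexError, ValueError):
        return None


def classify_config(data):
    """Classify fetched bytes: 'cms-enveloped', 'cms-auth-enveloped',
    'plaintext', or 'unknown' (CMS of some other content type, or garbage)."""
    if not data:
        return "unknown"
    m = _PEM_RE.search(data)
    if m:  # PEM-armored PKCS7/CMS: strip whitespace and decode the body
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except binascii.Error:
            return "unknown"
    else:
        der = data
    oid = cms_content_type(der)
    if oid == OID_ENVELOPED_DATA:
        return "cms-enveloped"
    if oid == OID_AUTH_ENVELOPED_DATA:
        return "cms-auth-enveloped"
    if oid is not None:
        return "unknown"
    return "plaintext"


def accept_config(data, encrypted_only):
    """Apply the device policy; returns (accepted, kind).

    encrypted_only=True models a factory-set 'only an encrypted config may be
    tried' option; False models the draft's default fallback to the existing
    plaintext behaviour. Unknown objects are refused in both modes."""
    kind = classify_config(data)
    if kind in ("cms-enveloped", "cms-auth-enveloped"):
        return True, kind
    if kind == "plaintext" and not encrypted_only:
        return True, kind
    return False, kind


# Constructed sample inputs (not real device configs or real CMS payloads).
def _der_content_info(oid_der, inner=b"\x04\x00"):
    """Build a short DER ContentInfo: SEQUENCE { OID, [0] EXPLICIT inner }."""
    explicit = bytes([0xA0, len(inner)]) + inner
    body = oid_der + explicit
    return bytes([0x30, len(body)]) + body


SAMPLE_ENVELOPED = _der_content_info(bytes.fromhex("06092a864886f70d010703"))
SAMPLE_AUTH_ENVELOPED = _der_content_info(bytes.fromhex("060b2a864886f70d0109100117"))
SAMPLE_SIGNED = _der_content_info(bytes.fromhex("06092a864886f70d010702"))
SAMPLE_PLAINTEXT = b"hostname router-1\nsnmp-server community public\n"
SAMPLE_PEM = (b"-----BEGIN PKCS7-----\n" + base64.encodebytes(SAMPLE_ENVELOPED)
              + b"-----END PKCS7-----\n")

if __name__ == "__main__":
    for name, blob in [("enveloped", SAMPLE_ENVELOPED), ("pem", SAMPLE_PEM),
                       ("plaintext", SAMPLE_PLAINTEXT), ("signed", SAMPLE_SIGNED)]:
        print(name, accept_config(blob, encrypted_only=True),
              accept_config(blob, encrypted_only=False))
```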
2020-05-18
10 Roman Danyliw
[Ballot comment]
** I struggled a bit to understand where this solution was applicable.  For example:

Abstract: “This document extends existing auto-install / Zero-Touch Provisioning mechanisms to make the process more secure.”

Section 1: “this document layers security onto existing auto-install solutions to provide a secure method to initially configure new devices”. 

-- Which “auto-install” and “zero touch provision mechanisms” is this updating?

-- What exact preconditions are necessary to make this “solution” (reference architecture?) applicable?  Would this still be useful if the “auto-install” mechanism was encrypted?  What non-DHCP configurations should be considered?  Does the way the device identifier bind to the configuration matter?  Because there is little specificity, it is difficult to review the security properties.

** Per the Security Considerations, what new security services does this overlay provide? 

** Section 2.  Per “This document extends this (vendor specific) …”, what is “vendor specific” about this approach?

** Section 4.2. Per “The operator will then encrypt the initial configuration (for example, using SMIME [RFC5751]) using the key in the certificate, and place it on their TFTP server”, is this always a TFTP server, or is this only an example – I think this is an example?

** Section 4.3.  Per “Give up, go home” in the figure, is there a retry procedure?  The text above states that “If it cannot decrypt the file, or if parsing the configurations fails, the device will either abort the auto-install process, or will repeat this process until it succeeds.”

** Section 7.  Per “An attacker (e.g., a malicious datacenter employee)”, also a malicious shipping agent.

** Editorial
-- Abstract.  Editorial. I would recommend generalized wording to replace the phrase ‘smart-hands’-type support.

-- Section 1.  Editorial. “asking the smart-hands to …”, Recommend generalizing this reference.

-- Section 1. Editorial. “not intended to be an ‘all singing, all dancing’ fully featured system”, Recommend removing this colloquialism.

-- Section 3.1. Typo. s/Each devices requires/Each device requires/

-- Section 3.1.  Typo. s/cryptograthic/cryptographic/

-- Section 4.3. Typo. s/dependant/dependent/

-- Section 4.3. s/retrys/retries/
2020-05-18
10 Roman Danyliw [Ballot Position Update] New position, Discuss, has been recorded for Roman Danyliw
2020-05-16
10 Murray Kucherawy
[Ballot comment]
Bigger points first:

The shepherd writeup contains this remark, which made me squint a bit: "More security review was asked for by the WG at various [times], and it is not clear that this input will be taken into account."  Why's that?

This Informational document cites BCP 14, and then has a solitary SHOULD in Section 4.2.  One could easily change "SHOULD fetch" to "fetches" and do away with all of that.

There are several places where the prose uses two words to mean roughly the same thing (e.g., "store / cache").  I found this awkward each time I hit it.  Please, in each case, pick one.  Worst case, replace the slash with "or", but you'll probably find that redundant anyway.

There are several places where a list or example is introduced with a hyphen (e.g., "There are two options when implementing this - a vendor could...").  Instead, it should be a new sentence, or at least a colon followed by a clause or maybe a bulleted list.

And now, a lot of editorial suggestions:

Section 1:
* "... or using an auto install techniques which fetch ..." -- s/techniques/technique/, or remove "an"
* "... or something similar, is an unacceptable ..." -- remove the comma
* "... vendor to pre-configure the devices before shipping it ..." -- change either "devices" to "device", or "it" or "them"
* "... configuration, etc; but these ..." -- change to "... configuration, etc.  However, these ..."
* "... managing installed / deployed devices ..." -- suggest just picking one

Section 2:
* "... newly installed / unconfigured ..." -- change to "... newly installed, unconfigured ..."
* "... obtain an IP address and address of a config server ..." change to "... obtain an IP address for itself and discover the address of a configuration server ..."
* "This document describes a concept ..." -- this paragraph feels like it belongs in Section 1

Section 2.1:
* "... Point of Presence (POP) / datacenter." -- maybe just replace all of this with "facility"?
* "... device configuration, fetches the certificate ..." -- s/,/ and/
* "... encrypted config ..." -- please use either "configuration" (preferred) or "config", but not both
* "... installed in Operator_A' ..." -- missing an "s" (two instances in the third paragraph)
* "... (note that all this ..." -- s/all this/all of this/ (and actually, this should be its own sentence)

OLD:
  The device attempts to load the
  config file - if the config file is unparsable, (new functionality)
  the device tries to use its private key to decrypt the file, and,
  assuming it validates, installs the new configuration.
NEW:
  The device attempts to load the configuration file.  As an added
  step, if the configuration file cannot be parsed, the device tries
  to use its private key to decrypt the file and, assuming it validates,
  proceeds to install the new, decrypted, configuration.

* "(See Security Considerations)" -- section number, please

Section 3:
* This section doesn't appear to me to describe a role other than "vendor".
* "... the vendors roles and ..." -- s/vendors/vendor's/

Section 3.1:
* Please expand "EST" on first use.

Section 3.2:
* "... store / cache ... uptime / reachability ..." -- as above, these really stand out to me as in need of making an editorial choice

Section 4:
* I don't see a role in here either other than "operator".

Section 4.1:
* "(likely serial number)" -- suggest "(e.g., the serial number)"

Section 4.2:
* "publication server, and download ..." -- remove the comma

Section 5.1:
* "chassis / backplane" -- another; see previous remarks
* TPM could use a reference (ISO/IEC 11889?)

Section 5.3:
* "(e.g.: 'load replace  encrypted))" -- unbalanced quoting and parentheses

Section 7:
* "... may wish to bootstrapping devices with ..." -- s/bootstrapping/bootstrap/
* "... minimal / less sensitive ..." -- pick one, or at least use "or"

Appendix B:
* s/csr/CSR/ (and probably expand it)
* "Demo / proof of concept" -- pick one
* "... from the command line, in production ..." -- start a new sentence
* Don't use "I'm".  Maybe change "I'm using S/MIME because ..." to "S/MIME is used here because ..."
2020-05-16
10 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2020-05-14
10 Nancy Cam-Winget Request for Telechat review by IOTDIR Completed: Ready with Issues. Reviewer: Nancy Cam-Winget. Sent review to list.
2020-05-12
10 (System) IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2020-05-11
10 Warren Kumari [Ballot comment]
I'm an author...
2020-05-11
10 Warren Kumari [Ballot Position Update] New position, Recuse, has been recorded for Warren Kumari
2020-05-11
10 Warren Kumari New version available: draft-ietf-opsawg-sdi-10.txt
2020-05-11
10 (System) New version approved
2020-05-11
10 (System) Request for posting confirmation emailed to previous authors: Warren Kumari , Colin Doyle
2020-05-11
10 Warren Kumari Uploaded new revision
2020-05-11
09 Samita Chakrabarti Request for Telechat review by IOTDIR is assigned to Nancy Cam-Winget
2020-05-11
09 Samita Chakrabarti Request for Telechat review by IOTDIR is assigned to Nancy Cam-Winget
2020-05-11
09 Éric Vyncke Requested Telechat review by IOTDIR
2020-05-11
09 Amy Vezza Placed on agenda for telechat - 2020-05-21
2020-05-11
09 Robert Wilton IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead
2020-05-11
09 Robert Wilton Ballot has been issued
2020-05-11
09 Robert Wilton [Ballot Position Update] New position, Yes, has been recorded for Robert Wilton
2020-05-11
09 Robert Wilton Created "Approve" ballot
2020-05-07
09 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2020-05-07
09 Warren Kumari New version available: draft-ietf-opsawg-sdi-09.txt
2020-05-07
09 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-05-07
09 Warren Kumari Uploaded new revision
2020-05-06
08 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2020-05-05
08 Mirja Kühlewind Request for Last Call review by TSVART Completed: Ready. Reviewer: Mirja Kühlewind. Sent review to list.
2020-05-04
08 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2020-05-04
08 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-opsawg-sdi-08, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist
2020-05-04
08 Wesley Eddy Request for Last Call review by TSVART is assigned to Mirja Kühlewind
2020-05-04
08 Wesley Eddy Request for Last Call review by TSVART is assigned to Mirja Kühlewind
2020-04-22
08 Robert Wilton Ballot writeup was changed
2020-04-22
08 Amy Vezza IANA Review state changed to IANA - Review Needed
2020-04-22
08 Amy Vezza
The following Last Call announcement was sent out (ends 2020-05-06):

From: The IESG
To: IETF-Announce
CC: mcr+ietf@sandelman.ca, opsawg@ietf.org, draft-ietf-opsawg-sdi@ietf.org, rwilton@cisco.com, opsawg-chairs@ietf.org, Michael Richardson
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Secure Device Install) to Informational RFC


The IESG has received a request from the Operations and Management Area
Working Group WG (opsawg) to consider the following document: - 'Secure
Device Install'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2020-05-06. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  Deploying a new network device in a location where the operator has
  no staff of its own often requires that an employee physically travel
  to the location to perform the initial install and configuration,
  even in shared datacenters with "smart-hands" type support.  In many
  cases, this could be avoided if there were a secure way to initially
  provision the device.

  This document extends existing auto-install / Zero-Touch Provisioning
  mechanisms to make the process more secure.

  [ Ed note: Text inside square brackets ([]) is additional background
  information, answers to frequently asked questions, general musings,
  etc.  They will be removed before publication.  This document is
  being collaborated on in Github at: https://github.com/wkumari/draft-
  wkumari-opsawg-sdi.  The most recent version of the document, open
  issues, etc should all be available here.  The authors (gratefully)
  accept pull requests. ]

  [ Ed note: This document introduces concepts and serves as the basic
  for discussion - because of this, it is conversational, and would
  need to be firmed up before being published ]




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/ballot/


No IPR declarations have been submitted directly on this I-D.




2020-04-22
08 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2020-04-22
08 Robert Wilton Last call was requested
2020-04-22
08 Robert Wilton Last call announcement was generated
2020-04-22
08 Robert Wilton Ballot approval text was generated
2020-04-22
08 Robert Wilton Ballot writeup was generated
2020-04-22
08 Robert Wilton IESG state changed to Last Call Requested from AD Evaluation
2020-04-21
08 Warren Kumari New version available: draft-ietf-opsawg-sdi-08.txt
2020-04-21
08 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-04-21
08 Warren Kumari Uploaded new revision
2020-04-16
07 Robert Wilton IESG state changed to AD Evaluation from Publication Requested
2020-04-12
07 Joe Clarke
(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
    Standard, Informational, Experimental, or Historic)? Why is this the proper
    type of RFC? Is this type of RFC indicated in the title page header?

This document is intended as Informational.
This document does not proscribe any specific protocol or mechanism, but
rather outlines a general technique.  The details of how to do the
encryption, or how to deliver the encrypted configuration file are left to
vendors to define, using some choice of available protocols.
As such, it is inappropriate for this to be standards track.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up. Recent
    examples can be found in the "Action" announcements for approved
    documents. The approval announcement contains the following sections:

Technical Summary:
  This document provides a guide for vendors to extend existing auto-install
  / Zero-Touch Provisioning mechanisms to make the process more secure for
  operators.

Working Group Summary:

The document receives a modest amount of discussion and was reviewed by a
number of people who provided useful additions.  Given that the document is
a guide and does not specify a directly implementable protocol, it was
difficult for reviewers to say very much about the protocol, as the details
will be up to vendors who implement this.

Document Quality:

No vendors have committed to implement this protocol.
The document still contains a number of editorial [] notes, some of which
make the document seem very uncertain.  Ignoring the notes, the document is
actually quite mature.

No MIB or YANG doctor was needed.

Personnel:

The document shepherd is Michael Richardson.
The Responsible Area Director is Ignas Bagdonas.

(3) Briefly describe the review of this document that was performed by the
    Document Shepherd. If this version of the document is not ready for
    publication, please explain why the document is being forwarded to the
    IESG.

The Document Shepherd first read the document during the adoption discussion,
and reviewed it again end to end (version -05) during the WGLC.
A review of the differences from 00 to 05 was made to understand whether the
input of the WG was taken into account; the changes seem reasonable.

(4) Does the document Shepherd have any concerns about the depth or breadth
    of the reviews that have been performed?

The document makes very soft security requirements, and has not at this point
received a security review.  More security review was asked for by the WG at
various times, and it is not clear that this input will be taken into account.

The document relies upon vendor practice to create key pairs, and for vendors
to create detailed mechanisms.  It is difficult to throw any rocks at this
document, as there is no specific protocol to evaluate: equipment vendors
will have to do a lot of work to finish things out, and the results will be
vendor specific. (That's why this is not standards track)

(5) Do portions of the document need review from a particular or from broader
    perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
    internationalization? If so, describe the review that took place.

The only component which is specifically mentioned is DHCP, and it does not
define any new DHCP behaviour or define any new DHCP options, so a DHCP
review is not necessary.
Had the document suggested a specific mechanism for encryption (CMS, OpenPGP,
JOSE, etc.) then a review there would be useful, but it leaves that decision
to vendors.

(6) Describe any specific concerns or issues that the Document Shepherd has
    with this document that the Responsible Area Director and/or the IESG should
    be aware of? For example, perhaps he or she is uncomfortable with certain
    parts of the document, or has concerns whether there really is a need for
    it. In any event, if the WG has discussed those issues and has indicated that
    it still wishes to advance the document, detail those concerns here.



(7) Has each author confirmed that any and all appropriate IPR disclosures
    required for full conformance with the provisions of BCP 78 and BCP 79 have
    already been filed. If not, explain why?

The authors have confirmed.

(8) Has an IPR disclosure been filed that references this document? If so,
    summarize any WG discussion and conclusion regarding the IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
    strong concurrence of a few individuals, with others being silent, or does
    the WG as a whole understand and agree with it?

The WG consensus is weak.  The document is the result of a strong concurrence
of a few individuals, most others are silent.  As OPSAWG is a rather loose
group of people, this is probably as strong a consensus as one will get.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in separate email
    messages to the Responsible Area Director. (It should be in a separate email
    because this questionnaire is publicly available.)

No one has threatened an appeal

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
    Checklist). Boilerplate checks are not enough; this check needs to be
    thorough.

  -- The document has examples using IPv4 documentation addresses according
    to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
    there should be IPv6 examples, too?

(12) Describe how the document meets any required formal review criteria,
    such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

none were done, none required.

(13) Have all references within this document been identified as either
    normative or informative?

yes.

(14) Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If such normative
    references exist, what is the plan for their completion?

Yes.
The document speaks about DHCP, but does not reference any DHCP specifications.
Perhaps it should.

(15) Are there downward normative references (see RFC 3967)? If
    so, list these downward references to support the Area Director in the Last
    Call procedure.

no.

(16) Will publication of this document change the status of any existing
    RFCs? Are those RFCs listed on the title page header, listed in the abstract,
    and discussed in the introduction? If the RFCs are not listed in the Abstract
    and Introduction, explain why, and point to the part of the document where
    the relationship of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers it
    unnecessary.

This document does not update any other document.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that
newly created IANA registries include a detailed specification of the initial
contents for the registry, that allocations procedures for future
registrations are defined, and a reasonable name for the new registry has
been suggested (see RFC 8126).

There are no IANA Considerations, and none are needed.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd
to validate sections of the document written in a formal language, such as
XML code, BNF rules, MIB definitions, YANG modules, etc.

none.

(20) If the document contains a YANG module, has the module been checked with
any of the recommended validation tools
(https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and
formatting validation? If there are any resulting errors or warnings, what is
the justification for not fixing them at this time? Does the YANG module
comply with the Network Management Datastore Architecture (NMDA) as specified
in RFC8342?

no YANG module.


2020-04-12
07 Joe Clarke Responsible AD changed to Robert Wilton
2020-04-12
07 Joe Clarke IETF WG state changed to Submitted to IESG for Publication from WG Document
2020-04-12
07 Joe Clarke IESG state changed to Publication Requested from I-D Exists
2020-04-12
07 Joe Clarke IESG process started in state Publication Requested
2020-04-12
07 Joe Clarke Tag Revised I-D Needed - Issue raised by WGLC cleared.
2020-04-12
07 Joe Clarke
This is an informational draft describing a process whereby new devices can be more securely bootstrapped than commonly existing DHCP/TFTP mechanisms that expose config in the clear.  It is designed to address specific use cases and not be an all-encompassing solution for all bootstrapping needs.
2020-04-12
07 Joe Clarke Intended Status changed to Informational from None
2020-04-07
07 Warren Kumari New version available: draft-ietf-opsawg-sdi-07.txt
2020-04-07
07 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-04-07
07 Warren Kumari Uploaded new revision
2020-04-03
06 Warren Kumari New version available: draft-ietf-opsawg-sdi-06.txt
2020-04-03
06 (System) New version approved
2020-04-03
06 (System) Request for posting confirmation emailed to previous authors: Warren Kumari , Colin Doyle
2020-04-03
06 Warren Kumari Uploaded new revision
2020-03-17
05 Joe Clarke Shepherd has completed write-up.  Some additional items were raised.  Awaiting a new document revision to address, then this can move on to IESG.
2020-03-17
05 Joe Clarke Tag Doc Shepherd Follow-up Underway cleared.
2020-03-17
05 Joe Clarke IETF WG state changed to WG Document from WG Consensus: Waiting for Write-Up
2020-03-06
05 Michael Richardson
(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
    Standard, Informational, Experimental, or Historic)? Why is this the proper
    type of RFC? Is this type of RFC indicated in the title page header?

This document is intended as Informational.
This document does not proscribe any specific protocol or mechanism, but
rather outlines a general technique.  The details of how to do the
encryption, or how to deliver the encrypted configuration file are left to
vendors to define, using some choice of available protocols.
As such, it is inappropriate for this to be standards track.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up. Recent
    examples can be found in the "Action" announcements for approved
    documents. The approval announcement contains the following sections:

Technical Summary:
  This document provides a guide for vendors to extend existing auto-install
  / Zero-Touch Provisioning mechanisms to make the process more secure for
  operators.

Working Group Summary:

The document receives a modest amount of discussion and was reviewed by a
number of people who provided useful additions.  Given that the document is
a guide and does not specify a directly implementable protocol, it was
difficult for reviewers to say very much about the protocol, as the details
will be up to vendors who implement this.

Document Quality:

No vendors have committed to implement this protocol.
The document still contains a number of editorial [] notes, some of which
make the document seem very uncertain.  Ignoring the notes, the document is
actually quite mature.

No MIB or YANG doctor was needed.

Personnel:

The document shepherd is Michael Richardson.
The Responsible Area Director is Ignas Bagdonas.

(3) Briefly describe the review of this document that was performed by the
    Document Shepherd. If this version of the document is not ready for
    publication, please explain why the document is being forwarded to the
    IESG.

The Document Shepherd first read the document during the adoption discussion,
and reviewed it again end to end (version -05) during the WGLC.
A review of the differences from 00 to 05 was made to understand whether the
input of the WG was taken into account; the changes seem reasonable.

(4) Does the document Shepherd have any concerns about the depth or breadth
    of the reviews that have been performed?

The document makes very soft security requirements, and has not at this point
received a security review.  More security review was asked for by the WG at
various times, and it is not clear that this input will be taken into account.

The document relies upon vendor practice to create key pairs, and for vendors
to create detailed mechanisms.  It is difficult to throw any rocks at this
document, as there is no specific protocol to evaluate: equipment vendors
will have to do a lot of work to finish things out, and the results will be
vendor specific. (That's why this is not standards track)

(5) Do portions of the document need review from a particular or from broader
    perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
    internationalization? If so, describe the review that took place.

The only component which is specifically mentioned is DHCP, and it does not
define any new DHCP behaviour or define any new DHCP options, so a DHCP
review is not necessary.
Had the document suggested a specific mechanism for encryption (CMS, OpenPGP,
JOSE, etc.) then a review there would be useful, but it leaves that decision
to vendors.

(6) Describe any specific concerns or issues that the Document Shepherd has
    with this document that the Responsible Area Director and/or the IESG should
    be aware of? For example, perhaps he or she is uncomfortable with certain
    parts of the document, or has concerns whether there really is a need for
    it. In any event, if the WG has discussed those issues and has indicated that
    it still wishes to advance the document, detail those concerns here.



(7) Has each author confirmed that any and all appropriate IPR disclosures
    required for full conformance with the provisions of BCP 78 and BCP 79 have
    already been filed. If not, explain why?

The authors have confirmed.

(8) Has an IPR disclosure been filed that references this document? If so,
    summarize any WG discussion and conclusion regarding the IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
    strong concurrence of a few individuals, with others being silent, or does
    the WG as a whole understand and agree with it?

The WG consensus is weak.  The document is the result of a strong concurrence
of a few individuals, most others are silent.  As OPSAWG is a rather loose
group of people, this is probably as strong a consensus as one will get.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in separate email
    messages to the Responsible Area Director. (It should be in a separate email
    because this questionnaire is publicly available.)

No one has threatened an appeal

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
    Checklist). Boilerplate checks are not enough; this check needs to be
    thorough.

  -- The document has examples using IPv4 documentation addresses according
    to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
    there should be IPv6 examples, too?

(12) Describe how the document meets any required formal review criteria,
    such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

none were done, none required.

(13) Have all references within this document been identified as either
    normative or informative?

yes.

(14) Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If such normative
    references exist, what is the plan for their completion?

Yes.
The document speaks about DHCP, but does not reference any DHCP specifications.
Perhaps it should.

(15) Are there downward normative references (see RFC 3967)? If
    so, list these downward references to support the Area Director in the Last
    Call procedure.

no.

(16) Will publication of this document change the status of any existing
    RFCs? Are those RFCs listed on the title page header, listed in the abstract,
    and discussed in the introduction? If the RFCs are not listed in the Abstract
    and Introduction, explain why, and point to the part of the document where
    the relationship of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers it
    unnecessary.

This document does not update any other document.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that
newly created IANA registries include a detailed specification of the initial
contents for the registry, that allocations procedures for future
registrations are defined, and a reasonable name for the new registry has
been suggested (see RFC 8126).

There are no IANA Considerations, and none are needed.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd
to validate sections of the document written in a formal language, such as
XML code, BNF rules, MIB definitions, YANG modules, etc.

none.

(20) If the document contains a YANG module, has the module been checked with
any of the recommended validation tools
(https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and
formatting validation? If there are any resulting errors or warnings, what is
the justification for not fixing them at this time? Does the YANG module
comply with the Network Management Datastore Architecture (NMDA) as specified
in RFC8342?

no YANG module.


2020-03-06
05 Michael Richardson

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
    Standard, Informational, Experimental, or Historic)? Why is this the proper
    type of RFC? Is this type of RFC indicated in the title page header?

This document is intended as Informational.
This document does not prescribe any specific protocol or mechanism, but
rather outlines a general technique.  The details of how to do the
encryption, or how to deliver the encrypted configuration file, are left to
vendors to define, using some choice of available protocols.
As such, it is inappropriate for this to be standards track.

(2) The IESG approval announcement includes a Document Announcement
    Write-Up. Please provide such a Document Announcement Write-Up. Recent
    examples can be found in the "Action" announcements for approved
    documents. The approval announcement contains the following sections:

Technical Summary:
  This document provides a guide for vendors to extend existing auto-install
  / Zero-Touch Provisioning mechanisms to make the process more secure for
  operators.

Working Group Summary:

The document received a modest amount of discussion and was reviewed by a
number of people who provided useful additions.  Given that the document is
a guide and does not specify a directly implementable protocol, it was
difficult for reviewers to say very much about the protocol, as the details
will be up to vendors who implement this.

Document Quality:

No vendors have committed to implement this protocol.
The document still contains a number of editorial [] notes, some of which
make the document seem very uncertain.  Ignoring the notes, the document is
actually quite mature.

No MIB or YANG doctor was needed.

Personnel:

The document shepherd is Michael Richardson.
The Responsible Area Director is Ignas Bagdonas.

(3) Briefly describe the review of this document that was performed by the
    Document Shepherd. If this version of the document is not ready for
    publication, please explain why the document is being forwarded to the
    IESG.

The Document Shepherd first read the document during the adoption discussion,
and reviewed it again end to end (version -05) during the WGLC.
A review of the differences from 00 to 05 was made to understand whether the
input of the WG was taken into account, and the changes seem reasonable.

(4) Does the document Shepherd have any concerns about the depth or breadth
    of the reviews that have been performed?

The document makes very soft security requirements, and has not at this point
received a security review.  More security review was asked for by the WG at
various times, and it is not clear that this input will be taken into account.

The document relies upon vendor practice to create key pairs, and for vendors
to create detailed mechanisms.  It is difficult to throw any rocks at this
document, as there is no specific protocol to evaluate: equipment vendors
will have to do a lot of work to finish things out, and the results will be
vendor specific. (That's why this is not standards track)

(5) Do portions of the document need review from a particular or from broader
    perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
    internationalization? If so, describe the review that took place.

The only component which is specifically mentioned is DHCP, and it does not
define any new DHCP behaviour or define any new DHCP options, so a DHCP
review is not necessary.
Had the document suggested a specific mechanism for encryption (CMS, OpenPGP,
JOSE, etc.) then a review there would be useful, but it leaves that decision
to vendors.

(6) Describe any specific concerns or issues that the Document Shepherd has
    with this document that the Responsible Area Director and/or the IESG should
    be aware of? For example, perhaps he or she is uncomfortable with certain
    parts of the document, or has concerns whether there really is a need for
    it. In any event, if the WG has discussed those issues and has indicated that
    it still wishes to advance the document, detail those concerns here.



(7) Has each author confirmed that any and all appropriate IPR disclosures
    required for full conformance with the provisions of BCP 78 and BCP 79 have
    already been filed. If not, explain why?

The authors have confirmed.

(8) Has an IPR disclosure been filed that references this document? If so,
    summarize any WG discussion and conclusion regarding the IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
    strong concurrence of a few individuals, with others being silent, or does
    the WG as a whole understand and agree with it?

The WG consensus is weak.  The document is the result of a strong concurrence
of a few individuals, most others are silent.  As OPSAWG is a rather loose
group of people, this is probably as strong a consensus as one will get.

(10) Has anyone threatened an appeal or otherwise indicated extreme
    discontent? If so, please summarise the areas of conflict in separate email
    messages to the Responsible Area Director. (It should be in a separate email
    because this questionnaire is publicly available.)

No one has threatened an appeal.

(11) Identify any ID nits the Document Shepherd has found in this
    document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
    Checklist). Boilerplate checks are not enough; this check needs to be
    thorough.

  -- The document has examples using IPv4 documentation addresses according
    to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
    there should be IPv6 examples, too?

(12) Describe how the document meets any required formal review criteria,
    such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

none were done, none required.

(13) Have all references within this document been identified as either
    normative or informative?

yes.

(14) Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If such normative
    references exist, what is the plan for their completion?

Yes.
The document speaks about DHCP, but does not reference any DHCP specifications.
Perhaps it should.

(15) Are there downward normative references (see RFC 3967)? If
    so, list these downward references to support the Area Director in the Last
    Call procedure.

no.

(16) Will publication of this document change the status of any existing
    RFCs? Are those RFCs listed on the title page header, listed in the abstract,
    and discussed in the introduction? If the RFCs are not listed in the Abstract
    and Introduction, explain why, and point to the part of the document where
    the relationship of this document to the other RFCs is discussed. If this
    information is not in the document, explain why the WG considers it
    unnecessary.

This document does not update any other document.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm that
any referenced IANA registries have been clearly identified. Confirm that
newly created IANA registries include a detailed specification of the initial
contents for the registry, that allocations procedures for future
registrations are defined, and a reasonable name for the new registry has
been suggested (see RFC 8126).

There are no IANA Considerations, and none are needed.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd
to validate sections of the document written in a formal language, such as
XML code, BNF rules, MIB definitions, YANG modules, etc.

none.

(20) If the document contains a YANG module, has the module been checked with
any of the recommended validation tools
(https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and
formatting validation? If there are any resulting errors or warnings, what is
the justification for not fixing them at this time? Does the YANG module
comply with the Network Management Datastore Architecture (NMDA) as specified
in RFC8342?

no YANG module.

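The write-up above describes the draft's technique only in outline: the vendor gives each device a key pair, the operator encrypts the initial configuration to the device's public key, and the existing auto-install / ZTP path delivers the encrypted file, with the encryption and delivery details left to vendors. The following is an added example, not code from the draft or from any vendor, showing one plausible instantiation of that outline in Go using only the standard library. Everything specific here is an assumption for illustration: RSA-2048 with OAEP for the device key, AES-256-GCM for the configuration body (hybrid encryption, so the RSA key only wraps a symmetric key), the device serial number as GCM associated data so a bundle cannot be replayed to a different device, and the `Bundle` struct standing in for whatever file format a vendor would actually define. The sample configuration text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an illustrative, hypothetical OAEP label; a vendor would fix
// its own value. Both sides must use the same label or unwrapping fails.
var oaepLabel = []byte("sdi-config-key")

// Bundle is a hypothetical container the operator places on the provisioning
// server (TFTP/HTTP/etc.) in place of the cleartext configuration file.
type Bundle struct {
	Serial     string // device serial the bundle is bound to (used as GCM AAD)
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted to the device public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // configuration, AES-GCM sealed (auth tag appended)
}

// GenerateDeviceKey stands in for the vendor's factory step: each device gets
// its own key pair, the private half never leaves the device, and the public
// half is made available to the operator (e.g. via the vendor's portal).
func GenerateDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptConfig is the operator side: a fresh symmetric key seals the
// configuration, and only that key is encrypted to the device's public key.
func EncryptConfig(devPub *rsa.PublicKey, serial string, config []byte) (*Bundle, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The serial goes in as associated data: it is authenticated but not
	// encrypted, so a bundle re-pointed at another device fails to open.
	ct := gcm.Seal(nil, nonce, config, []byte(serial))
	return &Bundle{Serial: serial, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptConfig is the device side at first boot, after the unmodified
// auto-install path has fetched the bundle instead of a cleartext config.
func DecryptConfig(devPriv *rsa.PrivateKey, serial string, b *Bundle) ([]byte, error) {
	if b.Serial != serial {
		return nil, errors.New("bundle is addressed to a different device")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, devPriv, b.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong device key?): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(serial))
	if err != nil {
		return nil, fmt.Errorf("configuration rejected (modified or wrong device): %w", err)
	}
	return pt, nil
}

func main() {
	dev, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample configuration; the kind of secret-bearing text the
	// draft is concerned about exposing over an unauthenticated first boot.
	config := []byte("hostname edge-1\nsnmp-server community s3cr3t RO\n")
	bundle, err := EncryptConfig(&dev.PublicKey, "SN0001", config)
	if err != nil {
		panic(err)
	}
	got, err := DecryptConfig(dev, "SN0001", bundle)
	if err != nil {
		panic(err)
	}
	fmt.Printf("device recovered %d bytes of configuration\n", len(got))
}
```

Two caveats worth keeping in mind when reading this against the write-up's remark that the draft makes "very soft security requirements". First, the GCM tag only detects modification of a given bundle; because the device's public key is public by design, anyone who can reach the provisioning server can build a fresh bundle the device will happily accept, so this example provides confidentiality of the operator's configuration, not authentication of who wrote it, and an operator signature the device can verify would be a separate step. Second, everything rests on the private key actually being generated and held on the device; a vendor that generates keys centrally and ships them has moved the secret, not removed it.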

2020-03-06
05 Warren Kumari New version available: draft-ietf-opsawg-sdi-05.txt
2020-03-06
05 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-03-06
05 Warren Kumari Uploaded new revision
2020-03-04
04 Warren Kumari New version available: draft-ietf-opsawg-sdi-04.txt
2020-03-04
04 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-03-04
04 Warren Kumari Uploaded new revision
2020-02-21
03 Joe Clarke Notification list changed to Michael Richardson <mcr+ietf@sandelman.ca>
2020-02-21
03 Joe Clarke
WGLC has concluded with some WG and a GenArt review.  Some comments have been addressed already, but others are pending.  The authors need to submit a new revision.  Michael Richardson has agreed to act as shepherd for this document.
2020-02-21
03 Joe Clarke Tags Revised I-D Needed - Issue raised by WGLC, Doc Shepherd Follow-up Underway set.
2020-02-21
03 Joe Clarke IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document
2020-02-18
03 Mehmet Ersue Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Mehmet Ersue. Sent review to list.
2020-02-18
03 Francis Dupont Request for Last Call review by GENART Completed: Almost Ready. Reviewer: Francis Dupont.
2020-02-11
03 Warren Kumari New version available: draft-ietf-opsawg-sdi-03.txt
2020-02-11
03 (System) New version accepted (logged-in submitter: Warren Kumari)
2020-02-11
03 Warren Kumari Uploaded new revision
2020-02-10
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mehmet Ersue
2020-02-10
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mehmet Ersue
2020-02-06
02 Jean Mahoney Request for Last Call review by GENART is assigned to Francis Dupont
2020-02-06
02 Jean Mahoney Request for Last Call review by GENART is assigned to Francis Dupont
2020-02-06
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Sean Turner
2020-02-06
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Sean Turner
2020-02-04
02 Joe Clarke Requested Last Call review by OPSDIR
2020-02-04
02 Joe Clarke Requested Last Call review by GENART
2020-02-04
02 Joe Clarke Requested Last Call review by SECDIR
2020-02-01
02 Warren Kumari New version available: draft-ietf-opsawg-sdi-02.txt
2020-02-01
02 (System) New version approved
2020-02-01
02 (System) Request for posting confirmation emailed to previous authors: Warren Kumari, Colin Doyle
2020-02-01
02 Warren Kumari Uploaded new revision
2020-01-17
01 Colin Doyle New version available: draft-ietf-opsawg-sdi-01.txt
2020-01-17
01 (System) New version approved
2020-01-17
01 (System) Request for posting confirmation emailed to previous authors: Warren Kumari, Colin Doyle
2020-01-17
01 Colin Doyle Uploaded new revision
2019-08-06
00 Tianran Zhou This document now replaces draft-wkumari-opsawg-sdi instead of None
2019-07-22
00 Warren Kumari New version available: draft-ietf-opsawg-sdi-00.txt
2019-07-22
00 (System) WG -00 approved
2019-07-22
00 Warren Kumari Set submitter to "Warren Kumari", replaces to (none) and sent approval email to group chairs: opsawg-chairs@ietf.org
2019-07-22
00 Warren Kumari Uploaded new revision