Secure Network Bootstrapping Infrastructure
snbi
The Secure Network Bootstrapping Infrastructure (SNBI) project securely and automatically brings up an integrated set of network devices and controllers. Typically, operators must perform some manual key distribution process before secure communication is possible between a set of network devices. Instead, SNBI uses a zero-touch approach to bootstrapping that leverages manufacturer-installed IEEE 802.1AR certificates to secure even the initial communications. SNBI devices and controllers automatically discover each other, get an IP address assigned, and establish secure IP connectivity. In addition, this discovery process reveals the physical topology of the network, exposes the type of each device (i.e. whether it is a regular network device or a controller), and assigns the domain for each device. This device type and domain information can also be used for initiating controller federation processes. As part of the SNBI project, a basic infrastructure to host, run, and lifecycle-manage multiple network components/functions within a network device is created. These components/functions can include individual network element services, such as performance measurement, traffic-sniffing functionality, or traffic transformation functionality.
The scope of the SNBI project includes:
- Secure network bootstrapping – device component: The secure discovery service is created as a software package and integrated with the network container reference platform for the devices.
- Secure network bootstrapping – controller components:
  - SNBI Registrar: The registrar is the trusted entity/anchor for a network domain. It maintains the list of devices which belong to a domain. It decides (based on its policy rules) which devices are admitted to join the domain. The SNBI Registrar also offers certificate management (issue, renew, revoke) using a lightweight implementation of a certificate authority. Certificate management is fully contained in the SNBI solution, so ease of use and out-of-the-box install of the OpenDaylight solution are maintained.
  - SNBI Plugin: The secure discovery service is created as a southbound plugin.
The figure below provides an overview of the different components of the SNBI project.
Technical solution details: The following section provides a high-level overview of how SNBI is expected to operate. SNBI incrementally adds devices to a Domain. The Domain could initially be formed by just a Controller serving as SNBI-Registrar (please also see the picture below). The following steps are followed when a new device attaches to a Domain:
1. Create a loopback interface on the new device and assign it an address from an SNBI-specific address prefix (e.g. combining the prefix with a hash of the device serial number and domain name).
2. Establish a secure tunnel between the new device and the domain-edge device.
3. Automatically configure a routing protocol (e.g. OSPF, RPL) over the newly established tunnel.
4. Establish clock synchronization between the newly added device and the domain by configuring NTP.
5. Enable a hop-by-hop service discovery mechanism, using mDNS to discover services like the NTP server, AAA server, and SNBI-Registrar.
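The address-derivation step above is the one piece of the procedure that can be shown end to end. The following is an added example, not code from the SNBI project: it derives a loopback address from a prefix plus a hash of serial number and domain name, and shows how a registrar can recompute that address from the serial number in the device's 802.1AR certificate and reject any device that claims a different one. The prefix value, the choice of SHA-256 and the input encoding are assumptions; the page specifies none of them.

```python
import hashlib
import ipaddress

# Constructed placeholder: the page mentions an "SNBI-specific address prefix"
# but gives no value, so a ULA /64 stands in for it here.
SNBI_PREFIX = ipaddress.IPv6Network("fd08:2eef:c2ee::/64")


def _hash_iid(serial: str, domain: str, host_bits: int) -> int:
    """SHA-256 over domain name and serial number, truncated to host_bits.
    A NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    Hash choice and encoding are assumptions, not specified on the page."""
    material = domain.encode("utf-8") + b"\x00" + serial.encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest, "big") & ((1 << host_bits) - 1)


def snbi_loopback_address(serial: str, domain: str,
                          prefix: ipaddress.IPv6Network = SNBI_PREFIX) -> ipaddress.IPv6Address:
    """Deterministic loopback address: prefix bits + hash-derived interface id.
    An all-zero interface id would be the subnet-router anycast address, so it
    is skipped by re-hashing with a counter appended to the domain (assumption)."""
    host_bits = 128 - prefix.prefixlen
    iid = _hash_iid(serial, domain, host_bits)
    counter = 0
    while iid == 0:
        counter += 1
        iid = _hash_iid(serial, f"{domain}#{counter}", host_bits)
    return prefix.network_address + iid


def registrar_accepts_address(serial: str, domain: str, claimed: str,
                              prefix: ipaddress.IPv6Network = SNBI_PREFIX) -> bool:
    """Registrar-side check: the address a device claims must equal the one
    derived from the serial number in its 802.1AR certificate and the domain it
    is joining. A malformed address, an address outside the SNBI prefix, or a
    hand-picked address inside the prefix are all rejected."""
    try:
        addr = ipaddress.IPv6Address(claimed)
    except ValueError:
        return False
    return addr in prefix and addr == snbi_loopback_address(serial, domain, prefix)
```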
The intent is to have all code match evolving IETF drafts and standards. The following technologies are expected to be used from existing open source projects: NTP, AAA, Syslog, secure tunneling (e.g. IPsec), SCEP, mDNS, CA (Dogtag). Beyond these stable technologies, there is relevant IETF bootstrapping work in its infancy in the Homenet and NMRG working groups. Therefore full standards compliance is not possible today. As standardization solidifies, all SNBI-required code will be made compliant.
The code base will be created as a part of the project. The new code base will have no vendor package names in code and no vendor branding present in code or output of build. In addition, no vendor branding will be present in documentation.
Yes.
| Event | Date | Theme | Presenter | Deck | Notes |
|---|---|---|---|---|---|
| SNBI Overview | May/15/2014 | SNBI overview for the TSC | Frank Brockners <fbrockne@cisco.com>, IRC: brockners, Balaji B L <blbalaji@cisco.com> | SNBI overview deck | |