
RE: Underspecified CallHome



>>   - data model to NV-configure an agent to call home
>
>The config needed to get a device to call home might
>well be device specific.

At first I was hopeful that a standard agent-configuration model could
be imposed on all devices, but then realized that devices have wildly
different approaches towards how they enable services on interfaces.
However, it might make sense to standardize a "virtual
agent-configuration" - that is, a top-level node using the
netconf-namespace that, if read from or written to, would trigger the
device to adapt to/from its internal model.  My assumption is
<get-config> would not return this virtual-configuration without a
filter, but it would return the device-specific configuration for the
same.


> As far as device identification, the device's ssh host-key (or its
> fingerprint?) should suffice.

This only works if there is a chance to float the host-key beforehand,
which isn't possible when the customer receives the equipment directly
from manufacturing and uses an NMS-supplied script to bootstrap its call
home.  A resolution to this is to also configure the agent with
NMS-supplied ID/OTP (one-time password).  Thus, immediately after the
agent-initiated TCP session is established and before passing the
connection to `sshd -i`, the device can send a TCP message containing
its ID, host-key, and the HMAC of its host-key using the OTP.  The NMS
can use the ID to do a database lookup for the device's record, which
should contain the same OTP, which it can use to authenticate the
host-key.  Then the NMS can initiate an SSH-client on top of the
already-established TCP session and authenticate itself to the device
(i.e. login) at which time the device can clear the OTP from its
configuration.


Kent
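The ID/OTP bootstrap exchange described in the message above, as an added illustration (not code from the NETCONF working group, a vendor, or the poster): the device, after opening the TCP session and before handing the socket to `sshd -i`, sends its ID, host key and an HMAC of the host key keyed with the NMS-supplied OTP; the NMS looks the ID up, recomputes the HMAC with the OTP on record, compares in constant time, and only then pins the host key and proceeds to authenticate over SSH. The JSON framing, the in-memory table, the sample ID/OTP/host-key values and the NMS-side step that forgets the OTP after a successful login are all assumptions made here.

```python
import hashlib
import hmac
import json


def make_nms_db() -> dict:
    """Constructed sample provisioning table: device ID -> record holding the
    OTP the NMS handed out with the bootstrap script and, once learned, the
    pinned host key. A real NMS would keep this in its inventory database."""
    return {"dev-0001": {"otp": b"constructed-one-time-pw", "host_key": None}}


def device_build_hello(device_id: str, host_key: bytes, otp: bytes) -> bytes:
    """Device side: the first message on the agent-initiated TCP session.
    The OTP is the HMAC key, the public host key is the message, so the NMS
    can verify the host key without having seen it beforehand."""
    tag = hmac.new(otp, host_key, hashlib.sha256).hexdigest()
    hello = {"id": device_id, "host_key": host_key.decode("ascii"), "hmac": tag}
    return json.dumps(hello).encode("ascii")


def nms_verify_hello(raw: bytes, db: dict) -> bool:
    """NMS side: parse defensively, look the device up by ID, recompute the
    HMAC with the stored OTP and compare in constant time. On success the
    host key is pinned so the SSH client that follows can check it."""
    try:
        msg = json.loads(raw)
        device_id = msg["id"]
        host_key = msg["host_key"].encode("ascii")
        tag = msg["hmac"]
    except (ValueError, KeyError, AttributeError, TypeError):
        return False  # malformed hello: do not start SSH on this connection
    rec = db.get(device_id)
    if rec is None or rec["otp"] is None:
        return False  # unknown device, or its OTP has already been consumed
    expected = hmac.new(rec["otp"], host_key, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # wrong OTP or tampered host key
    rec["host_key"] = host_key
    return True


def nms_login_complete(device_id: str, db: dict) -> None:
    """Called once the NMS has authenticated to the device over SSH. The
    message says the device clears its OTP at this point; as an added
    assumption the NMS forgets it too, so a later hello for this ID can no
    longer be accepted with the same OTP."""
    db[device_id]["otp"] = None


if __name__ == "__main__":
    db = make_nms_db()
    sample_key = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKey"  # constructed
    hello = device_build_hello("dev-0001", sample_key, b"constructed-one-time-pw")
    print("hello accepted:", nms_verify_hello(hello, db))
    nms_login_complete("dev-0001", db)
    print("replay accepted:", nms_verify_hello(hello, db))
```

Two points a reviewer of this scheme would check: the OTP must reach the device only through the NMS-supplied bootstrap script (anyone holding it can make an arbitrary host key verify), and the HMAC only binds the host key, so the SSH handshake that follows must still require the device to prove possession of the matching private key before the OTP is retired.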


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>