Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8572

Secure Zero Touch Provisioning (SZTP)

Pages: 87
Proposed Standard
Errata
Part 2 of 5 – Pages 22 to 40
First   Prev   Next

Top   ToC   RFC8572 - Page 22   prevText

5. Device Details

Devices supporting the bootstrapping strategy described in this document MUST have the pre-configured state and bootstrapping logic described in the following sections.

5.1. Initial State

+-------------------------------------------------------------+ | <device> | | | | +---------------------------------------------------------+ | | | <read/write storage> | | | | | | | | 1. flag to enable SZTP bootstrapping set to "true" | | | +---------------------------------------------------------+ | | | | +---------------------------------------------------------+ | | | <read-only storage> | | | | | | | | 2. TLS client cert & related intermediate certificates | | | | 3. list of trusted well-known bootstrap servers | | | | 4. list of trust anchor certs for bootstrap servers | | | | 5. list of trust anchor certs for ownership vouchers | | | +---------------------------------------------------------+ | | | | +-----------------------------------------------------+ | | | <secure storage> | | | | | | | | 6. private key for TLS client certificate | | | | 7. private key for decrypting SZTP artifacts | | | +-----------------------------------------------------+ | | | +-------------------------------------------------------------+ Each numbered item below corresponds to a numbered item in the diagram above. 1. Devices MUST have a configurable variable that is used to enable/ disable SZTP bootstrapping. This variable MUST be enabled by default in order for SZTP bootstrapping to run when the device first powers on. Because it is a goal that the configuration installed by the bootstrapping process disables SZTP bootstrapping, and because the configuration may be merged into the existing configuration, using a configuration node that
Top   ToC   RFC8572 - Page 23
       relies on presence is NOT RECOMMENDED, as it cannot be removed by
       the merging process.

   2.  Devices that support loading bootstrapping data from bootstrap
       servers (see Section 4.4) SHOULD possess a TLS-level client
       certificate and any intermediate certificates leading to the
       certificate's well-known trust anchor.  The well-known trust
       anchor certificate may be an intermediate certificate or a self-
       signed root certificate.  To support devices not having a client
       certificate, devices MAY, alternatively or in addition to,
       identify and authenticate themselves to the bootstrap server
       using an HTTP authentication scheme, as allowed by Section 2.5 of
       [RFC8040]; however, this document does not define a mechanism for
       operator input enabling, for example, the entering of a password.

   3.  Devices that support loading bootstrapping data from well-known
       bootstrap servers MUST possess a list of the well-known bootstrap
       servers.  Consistent with redirect information (Section 2.1),
       each bootstrap server can be identified by its hostname or IP
       address and an optional port.

   4.  Devices that support loading bootstrapping data from well-known
       bootstrap servers MUST also possess a list of trust anchor
       certificates that can be used to authenticate the well-known
       bootstrap servers.  For each trust anchor certificate, if it is
       not itself a self-signed root certificate, the device SHOULD also
       possess the chain of intermediate certificates leading up to and
       including the self-signed root certificate.

   5.  Devices that support loading signed data (see Section 1.2) MUST
       possess the trust anchor certificates for validating ownership
       vouchers.  For each trust anchor certificate, if it is not itself
       a self-signed root certificate, the device SHOULD also possess
       the chain of intermediate certificates leading up to and
       including the self-signed root certificate.

   6.  Devices that support using a TLS-level client certificate to
       identify and authenticate themselves to a bootstrap server MUST
       possess the private key that corresponds to the public key
       encoded in the TLS-level client certificate.  This private key
       SHOULD be securely stored, ideally in a cryptographic processor,
       such as a trusted platform module (TPM) chip.

   7.  Devices that support decrypting SZTP artifacts MUST posses the
       private key that corresponds to the public key encoded in the
       secure device identity certificate used when encrypting the
       artifacts.  This private key SHOULD be securely stored, ideally
       in a cryptographic processor, such as a trusted platform module
Top   ToC   RFC8572 - Page 24
       (TPM) chip.  This private key MAY be the same as the one
       associated to the TLS-level client certificate used when
       connecting to bootstrap servers.

   A YANG module representing this data is provided in Appendix A.

5.2. Boot Sequence

A device claiming to support the bootstrapping strategy defined in this document MUST support the boot sequence described in this section. Power On | v No 1. SZTP bootstrapping configured ------> Boot normally | | Yes v 2. For each supported source of bootstrapping data, try to load bootstrapping data from the source | | v Yes 3. Able to bootstrap from any source? -----> Run with new config | | No v 4. Loop back to Step 1 Note: At any time, the device MAY be configured via an alternate provisioning mechanism (e.g., command-line interface (CLI)). Each numbered item below corresponds to a numbered item in the diagram above. 1. When the device powers on, it first checks to see if SZTP bootstrapping is configured, as is expected to be the case for the device's pre-configured initial state. If SZTP bootstrapping is not configured, then the device boots normally. 2. The device iterates over its list of sources for bootstrapping data (Section 4). Details for how to process a source of bootstrapping data are provided in Section 5.3.
Top   ToC   RFC8572 - Page 25
   3.  If the device is able to bootstrap itself from any of the sources
       of bootstrapping data, it runs with the new bootstrapped
       configuration.

   4.  Otherwise, the device MUST loop back through the list of
       bootstrapping sources again.

   This document does not limit the simultaneous use of alternate
   provisioning mechanisms.  Such mechanisms may include, for instance,
   a CLI, a web-based user interface, or even another bootstrapping
   protocol.  Regardless of how it is configured, the configuration
   SHOULD unset the flag enabling SZTP bootstrapping as discussed in
   Section 5.1.

5.3. Processing a Source of Bootstrapping Data

This section describes a recursive algorithm that devices can use to, ultimately, obtain onboarding information. The algorithm is recursive because sources of bootstrapping data may return redirect information, which causes the algorithm to run again, for the newly discovered sources of bootstrapping data. An expression that captures all possible successful sequences of bootstrapping data is: zero or more redirect information responses, followed by one onboarding information response. An important aspect of the algorithm is knowing when data needs to be signed or not. The following figure provides a summary of options: Untrusted Source Trusted Source Kind of Bootstrapping Data Can Provide? Can Provide? Unsigned Redirect Info : Yes+ Yes Signed Redirect Info : Yes Yes* Unsigned Onboarding Info : No Yes Signed Onboarding Info : Yes Yes* The '+' above denotes that the source redirected to MUST return signed data or more unsigned redirect information. The '*' above denotes that, while possible, it is generally unnecessary for a trusted source to return signed data. The recursive algorithm uses a conceptual globally scoped variable called "trust-state". The trust-state variable is initialized to FALSE. The ultimate goal of this algorithm is for the device to process onboarding information (Section 2.2) while the trust-state variable is TRUE.
Top   ToC   RFC8572 - Page 26
   If the source of bootstrapping data (Section 4) is a bootstrap server
   (Section 4.4), and the device is able to authenticate the bootstrap
   server using X.509 certificate path validation ([RFC6125], Section 6)
   to one of the device's pre-configured trust anchors, or to a trust
   anchor that it learned from a previous step, then the device MUST set
   trust-state to TRUE.

   When establishing a connection to a bootstrap server, whether trusted
   or untrusted, the device MUST identify and authenticate itself to the
   bootstrap server using a TLS-level client certificate and/or an HTTP
   authentication scheme, per Section 2.5 of [RFC8040].  If both
   authentication mechanisms are used, they MUST both identify the same
   serial number.

   When sending a client certificate, the device MUST also send all of
   the intermediate certificates leading up to, and optionally
   including, the client certificate's well-known trust anchor
   certificate.

   For any source of bootstrapping data (e.g., Section 4), if any
   artifact obtained is encrypted, the device MUST first decrypt it
   using the private key associated with the device certificate used to
   encrypt the artifact.

   If the conveyed information artifact is signed, and the device is
   able to validate the signed data using the algorithm described in
   Section 5.4, then the device MUST set trust-state to TRUE; otherwise,
   if the device is unable to validate the signed data, the device MUST
   set trust-state to FALSE.  Note that this is worded to cover the
   special case when signed data is returned even from a trusted source
   of bootstrapping data.

   If the conveyed information artifact contains redirect information,
   the device MUST, within limits of how many recursive loops the device
   allows, process the redirect information as described in Section 5.5.
   Implementations MUST limit the maximum number of recursive redirects
   allowed; the maximum number of recursive redirects allowed SHOULD be
   no more than ten.  This is the recursion step; it will cause the
   device to reenter this algorithm, but this time the data source will
   definitely be a bootstrap server, as redirect information is only
   able to redirect devices to bootstrap servers.

   If the conveyed information artifact contains onboarding information,
   and trust-state is FALSE, the device MUST exit the recursive
   algorithm (as this is not allowed; see the figure above), returning
   to the bootstrapping sequence described in Section 5.2.  Otherwise,
   the device MUST attempt to process the onboarding information as
   described in Section 5.6.  Whether the processing of the onboarding
Top   ToC   RFC8572 - Page 27
   information succeeds or fails, the device MUST exit the recursive
   algorithm, returning to the bootstrapping sequence described in
   Section 5.2; the only difference is how it responds to the "Able to
   bootstrap from any source?" conditional described in the figure in
   that section.

5.4. Validating Signed Data

Whenever a device is presented signed data, it MUST validate the signed data as described in this section. This includes the case where the signed data is provided by a trusted source. Whenever there is signed data, the device MUST also be provided an ownership voucher and an owner certificate. How all the needed artifacts are provided for each source of bootstrapping data is described in Section 4. In order to validate signed data, the device MUST first authenticate the ownership voucher by validating its signature to one of its pre- configured trust anchors (see Section 5.1), which may entail using additional intermediate certificates attached to the ownership voucher. If the device has an accurate clock, it MUST verify that the ownership voucher was created in the past (i.e., "created-on" < now), and if the "expires-on" leaf is present, the device MUST verify that the ownership voucher has not yet expired (i.e., now < "expires- on"). The device MUST verify that the ownership voucher's "assertion" value is acceptable (e.g., some devices may only accept the assertion value "verified"). The device MUST verify that the ownership voucher specifies the device's serial number in the "serial-number" leaf. If the "idevid-issuer" leaf is present, the device MUST verify that the value is set correctly. If the authentication of the ownership voucher is successful, the device extracts the "pinned-domain-cert" node, an X.509 certificate, that is needed to verify the owner certificate in the next step. The device MUST next authenticate the owner certificate by performing X.509 certificate path verification to the trusted certificate extracted from the ownership voucher's "pinned-domain-cert" node. This verification may entail using additional intermediate certificates attached to the owner certificate artifact. If the ownership voucher's "domain-cert-revocation-checks" node's value is set to "true", the device MUST verify the revocation status of the certificate chain used to sign the owner certificate, and if a suitably fresh revocation status is unattainable or if it is determined that a certificate has been revoked, the device MUST NOT validate the owner certificate.
Top   ToC   RFC8572 - Page 28
   Finally, the device MUST verify that the conveyed information
   artifact was signed by the validated owner certificate.

   If any of these steps fail, the device MUST invalidate the signed
   data and not perform any subsequent steps.

5.5. Processing Redirect Information

In order to process redirect information (Section 2.1), the device MUST follow the steps presented in this section. Processing redirect information is straightforward; the device sequentially steps through the list of provided bootstrap servers until it can find one it can bootstrap from. If a hostname is provided, and the hostname's DNS resolution is to more than one IP address, the device MUST attempt to connect to all of the DNS resolved addresses at least once, before moving on to the next bootstrap server. If the device is able to obtain bootstrapping data from any of the DNS resolved addresses, it MUST immediately process that data, without attempting to connect to any of the other DNS resolved addresses. If the redirect information is trusted (e.g., trust-state is TRUE), and the bootstrap server entry contains a trust anchor certificate, then the device MUST authenticate the specified bootstrap server's TLS server certificate using X.509 certificate path validation ([RFC6125], Section 6) to the specified trust anchor. If the bootstrap server entry does not contain a trust anchor certificate device, the device MUST establish a provisional connection to the bootstrap server (i.e., by blindly accepting its server certificate) and set trust-state to FALSE. If the redirect information is untrusted (e.g., trust-state is FALSE), the device MUST discard any trust anchors provided by the redirect information and establish a provisional connection to the bootstrap server (i.e., by blindly accepting its TLS server certificate).

5.6. Processing Onboarding Information

In order to process onboarding information (Section 2.2), the device MUST follow the steps presented in this section. When processing onboarding information, the device MUST first process the boot image information (if any), then execute the pre- configuration script (if any), then commit the initial configuration
Top   ToC   RFC8572 - Page 29
   (if any), and then execute the post-configuration script (if any), in
   that order.

   When the onboarding information is obtained from a trusted bootstrap
   server, the device MUST send the "bootstrap-initiated" progress
   report and send a terminating "boot-image-installed-rebooting",
   "bootstrap-complete", or error-specific progress report.  If the
   "reporting-level" node of the bootstrap server's "get-bootstrapping-
   data" RPC-reply is the value "verbose", the device MUST additionally
   send all appropriate non-terminating progress reports (e.g.,
   initiated, warning, complete, etc.).  Regardless of the reporting
   level requested by the bootstrap server, the device MAY send progress
   reports beyond those required by the reporting level.

   When the onboarding information is obtained from an untrusted
   bootstrap server, the device MUST NOT send any progress reports to
   the bootstrap server, even though the onboarding information was,
   necessarily, signed and authenticated.  Please be aware that
   bootstrap servers are recommended to promote untrusted connections to
   trusted connections, in the last paragraph of Section 9.6, so as to,
   in part, be able to collect progress reports from devices.

   If the device encounters an error at any step, it MUST stop
   processing the onboarding information and return to the bootstrapping
   sequence described in Section 5.2.  In the context of a recursive
   algorithm, the device MUST return to the enclosing loop, not back to
   the very beginning.  Some state MAY be retained from the
   bootstrapping process (e.g., updated boot image, logs, remnants from
   a script, etc.).  However, the retained state MUST NOT be active in
   any way (e.g., no new configuration or running of software) and MUST
   NOT hinder the ability for the device to continue the bootstrapping
   sequence (i.e., process onboarding information from another bootstrap
   server).

   At this point, the specific ordered sequence of actions the device
   MUST perform is described.

   If the onboarding information is obtained from a trusted bootstrap
   server, the device MUST send a "bootstrap-initiated" progress report.
   It is an error if the device does not receive back the "204 No
   Content" HTTP status line.  If an error occurs, the device MUST try
   to send a "bootstrap-error" progress report before exiting.

   The device MUST parse the provided onboarding information document,
   to extract values used in subsequent steps.  Whether using a stream-
   based parser or not, if there is an error when parsing the onboarding
Top   ToC   RFC8572 - Page 30
   information, and the device is connected to a trusted bootstrap
   server, the device MUST try to send a "parsing-error" progress report
   before exiting.

   If boot image criteria are specified, the device MUST first determine
   if the boot image it is running satisfies the specified boot image
   criteria.  If the device is already running the specified boot image,
   then it skips the remainder of this step.  If the device is not
   running the specified boot image, then it MUST download, verify, and
   install, in that order, the specified boot image, and then reboot.
   If connected to a trusted bootstrap server, the device MAY try to
   send a "boot-image-mismatch" progress report.  To download the boot
   image, the device MUST only use the URIs supplied by the onboarding
   information.  To verify the boot image, the device MUST use either
   one of the verification fingerprints supplied by the onboarding
   information or a cryptographic signature embedded into the boot image
   itself using a mechanism not described by this document.  Before
   rebooting, if connected to a trusted bootstrap server, the device
   MUST try to send a "boot-image-installed-rebooting" progress report.
   Upon rebooting, the bootstrapping process runs again, which will
   eventually come to this step again, but then the device will be
   running the specified boot image and thus will move to processing the
   next step.  If an error occurs at any step while the device is
   connected to a trusted bootstrap server (i.e., before the reboot),
   the device MUST try to send a "boot-image-error" progress report
   before exiting.

   If a pre-configuration script has been specified, the device MUST
   execute the script, capture any output emitted from the script, and
   check if the script had any warnings or errors.  If an error occurs
   while the device is connected to a trusted bootstrap server, the
   device MUST try to send a "pre-script-error" progress report before
   exiting.

   If an initial configuration has been specified, the device MUST
   atomically commit the provided initial configuration, using the
   approach specified by the "configuration-handling" leaf.  If an error
   occurs while the device is connected to a trusted bootstrap server,
   the device MUST try to send a "config-error" progress report before
   exiting.

   If a post-configuration script has been specified, the device MUST
   execute the script, capture any output emitted from the script, and
   check if the script had any warnings or errors.  If an error occurs
   while the device is connected to a trusted bootstrap server, the
   device MUST try to send a "post-script-error" progress report before
   exiting.
Top   ToC   RFC8572 - Page 31
   If the onboarding information was obtained from a trusted bootstrap
   server, and the result of the bootstrapping process did not disable
   the "flag to enable SZTP bootstrapping" described in Section 5.1, the
   device SHOULD send an "bootstrap-warning" progress report.

   If the onboarding information was obtained from a trusted bootstrap
   server, the device MUST send a "bootstrap-complete" progress report.
   It is an error if the device does not receive back the "204 No
   Content" HTTP status line.  If an error occurs, the device MUST try
   to send a "bootstrap-error" progress report before exiting.

   At this point, the device has completely processed the bootstrapping
   data.

   The device is now running its initial configuration.  Notably, if
   NETCONF Call Home or RESTCONF Call Home [RFC8071] is configured, the
   device initiates trying to establish the call home connections at
   this time.

   Implementation Notes:

      Implementations may vary in how to ensure no unwanted state is
      retained when an error occurs.

      If the implementation chooses to undo previous steps, the
      following guidelines apply:

      *  When an error occurs, the device must rollback the current step
         and any previous steps.

      *  Most steps are atomic.  For example, the processing of a
         configuration is atomic (as specified above), and the
         processing of scripts is atomic (as specified in the "ietf-
         sztp-conveyed-info" YANG module).

      *  In case the error occurs after the initial configuration was
         committed, the device must restore the configuration to the
         configuration that existed prior to the configuration being
         committed.

      *  In case the error occurs after a script had executed
         successfully, it may be helpful for the implementation to
         define scripts as being able to take a conceptual input
         parameter indicating that the script should remove its
         previously set state.
Top   ToC   RFC8572 - Page 32

6. The Conveyed Information Data Model

This section defines a YANG 1.1 [RFC7950] module that is used to define the data model for the conveyed information artifact described in Section 3.1. This data model uses the "yang-data" extension statement defined in [RFC8040]. Examples illustrating this data model are provided in Section 6.2.

6.1. Data Model Overview

The following tree diagram provides an overview of the data model for the conveyed information artifact. module: ietf-sztp-conveyed-info yang-data conveyed-information: +-- (information-type) +--:(redirect-information) | +-- redirect-information | +-- bootstrap-server* [address] | +-- address inet:host | +-- port? inet:port-number | +-- trust-anchor? cms +--:(onboarding-information) +-- onboarding-information +-- boot-image | +-- os-name? string | +-- os-version? string | +-- download-uri* inet:uri | +-- image-verification* [hash-algorithm] | +-- hash-algorithm identityref | +-- hash-value yang:hex-string +-- configuration-handling? enumeration +-- pre-configuration-script? script +-- configuration? binary +-- post-configuration-script? script

6.2. Example Usage

The following example illustrates how redirect information (Section 2.1) can be encoded using JSON [RFC8259]. { "ietf-sztp-conveyed-info:redirect-information" : { "bootstrap-server" : [ { "address" : "sztp1.example.com", "port" : 8443,
Top   ToC   RFC8572 - Page 33
           "trust-anchor" : "base64encodedvalue=="
         },
         {
           "address" : "sztp2.example.com",
           "port" : 8443,
           "trust-anchor" : "base64encodedvalue=="
         },
         {
           "address" : "sztp3.example.com",
           "port" : 8443,
           "trust-anchor" : "base64encodedvalue=="
         }
       ]
     }
   }

   The following example illustrates how onboarding information
   (Section 2.2) can be encoded using JSON [RFC8259].

   [Note: '\' line wrapping for formatting only]

   {
     "ietf-sztp-conveyed-info:onboarding-information" : {
       "boot-image" : {
         "os-name" : "VendorOS",
         "os-version" : "17.2R1.6",
         "download-uri" : [ "https://example.com/path/to/image/file" ],
         "image-verification" : [
           {
             "hash-algorithm" : "ietf-sztp-conveyed-info:sha-256",
             "hash-value" : "ba:ec:cf:a5:67:82:b4:10:77:c6:67:a6:22:ab:\
   7d:50:04:a7:8b:8f:0e:db:02:8b:f4:75:55:fb:c1:13:b2:33"
           }
         ]
       },
       "configuration-handling" : "merge",
       "pre-configuration-script" : "base64encodedvalue==",
       "configuration" : "base64encodedvalue==",
       "post-configuration-script" : "base64encodedvalue=="
     }
   }
Top   ToC   RFC8572 - Page 34

6.3. YANG Module

The conveyed information data model is defined by the YANG module presented in this section. This module uses data types defined in [RFC5280], [RFC5652], [RFC6234], and [RFC6991]; an extension statement from [RFC8040]; and an encoding defined in [ITU.X690.2015]. <CODE BEGINS> file "ietf-sztp-conveyed-info@2019-04-30.yang" module ietf-sztp-conveyed-info { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info"; prefix sztp-info; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-restconf { prefix rc; reference "RFC 8040: RESTCONF Protocol"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; description "This module defines the data model for the conveyed information artifact defined in RFC 8572 ('Secure Zero Touch Provisioning (SZTP)'). The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here.
Top   ToC   RFC8572 - Page 35
       Copyright (c) 2019 IETF Trust and the persons identified as
       authors of the code.  All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (https://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC 8572; see the
       RFC itself for full legal notices.";

    revision 2019-04-30 {
      description
        "Initial version";
      reference
        "RFC 8572: Secure Zero Touch Provisioning (SZTP)";
    }

    // identities

    identity hash-algorithm {
      description
        "A base identity for hash algorithm verification.";
    }

    identity sha-256 {
      base hash-algorithm;
      description
        "The SHA-256 algorithm.";
      reference
        "RFC 6234: US Secure Hash Algorithms";
    }

    // typedefs

    typedef cms {
      type binary;
      description
        "A ContentInfo structure, as specified in RFC 5652,
         encoded using ASN.1 distinguished encoding rules (DER),
         as specified in ITU-T X.690.";
      reference
        "RFC 5652:
           Cryptographic Message Syntax (CMS)
Top   ToC   RFC8572 - Page 36
         ITU-T X.690:
           Information technology - ASN.1 encoding rules:
           Specification of Basic Encoding Rules (BER),
           Canonical Encoding Rules (CER) and Distinguished
           Encoding Rules (DER)";
    }

    // yang-data
    rc:yang-data conveyed-information {
      choice information-type {
        mandatory true;
        description
          "This choice statement ensures the response contains
           redirect-information or onboarding-information.";
        container redirect-information {
          description
            "Redirect information is described in Section 2.1 of
             RFC 8572.  Its purpose is to redirect a device to
             another bootstrap server.";
          reference
            "RFC 8572: Secure Zero Touch Provisioning (SZTP)";
          list bootstrap-server {
            key "address";
            min-elements 1;
            description
              "A bootstrap server entry.";
            leaf address {
              type inet:host;
              mandatory true;
              description
                "The IP address or hostname of the bootstrap server the
                 device should redirect to.";
            }
            leaf port {
              type inet:port-number;
              default "443";
              description
                "The port number the bootstrap server listens on.  If no
                 port is specified, the IANA-assigned port for 'https'
                 (443) is used.";
            }
            leaf trust-anchor {
              type cms;
              description
                "A CMS structure that MUST contain the chain of
                 X.509 certificates needed to authenticate the TLS
                 certificate presented by this bootstrap server.
Top   ToC   RFC8572 - Page 37
                 The CMS MUST only contain a single chain of
                 certificates.  The bootstrap server MUST only
                 authenticate to last intermediate CA certificate
                 listed in the chain.

                 In all cases, the chain MUST include a self-signed
                 root certificate.  In the case where the root
                 certificate is itself the issuer of the bootstrap
                 server's TLS certificate, only one certificate
                 is present.

                 If needed by the device, this CMS structure MAY
                 also contain suitably fresh revocation objects
                 with which the device can verify the revocation
                 status of the certificates.

                 This CMS encodes the degenerate form of the SignedData
                 structure that is commonly used to disseminate X.509
                 certificates and revocation objects (RFC 5280).";
              reference
                "RFC 5280:
                   Internet X.509 Public Key Infrastructure Certificate
                   and Certificate Revocation List (CRL) Profile";
            }
          }
        }
        container onboarding-information {
          description
            "Onboarding information is described in Section 2.2 of
             RFC 8572.  Its purpose is to provide the device everything
             it needs to bootstrap itself.";
          reference
            "RFC 8572: Secure Zero Touch Provisioning (SZTP)";
          container boot-image {
            description
              "Specifies criteria for the boot image the device MUST
               be running, as well as information enabling the device
               to install the required boot image.";
            leaf os-name {
              type string;
              description
                "The name of the operating system software the device
                 MUST be running in order to not require a software
                 image upgrade (e.g., VendorOS).";
            }
            leaf os-version {
              type string;
Top   ToC   RFC8572 - Page 38
              description
                "The version of the operating system software the
                 device MUST be running in order to not require a
                 software image upgrade (e.g., 17.3R2.1).";
            }
            leaf-list download-uri {
              type inet:uri;
              ordered-by user;
              description
                "An ordered list of URIs to where the same boot image
                 file may be obtained.  How the URI schemes (http, ftp,
                 etc.) a device supports are known is vendor specific.
                 If a secure scheme (e.g., https) is provided, a device
                 MAY establish an untrusted connection to the remote
                 server, by blindly accepting the server's end-entity
                 certificate, to obtain the boot image.";
            }
            list image-verification {
              must '../download-uri' {
                description
                  "Download URIs must be provided if an image is to
                   be verified.";
              }
              key "hash-algorithm";
              description
                "A list of hash values that a device can use to verify
                 boot image files with.";
              leaf hash-algorithm {
                type identityref {
                  base hash-algorithm;
                }
                description
                  "Identifies the hash algorithm used.";
              }
              leaf hash-value {
                type yang:hex-string;
                mandatory true;
                description
                  "The hex-encoded value of the specified hash
                   algorithm over the contents of the boot image
                   file.";
              }
            }
          }
          leaf configuration-handling {
            type enumeration {
              enum merge {
Top   ToC   RFC8572 - Page 39
                description
                  "Merge configuration into the running datastore.";
              }
              enum replace {
                description
                  "Replace the existing running datastore with the
                   passed configuration.";
              }
            }
            must '../configuration';
            description
              "This enumeration indicates how the server should process
               the provided configuration.";
          }
          leaf pre-configuration-script {
            type script;
            description
              "A script that, when present, is executed before the
               configuration has been processed.";
          }
          leaf configuration {
            type binary;
            must '../configuration-handling';
            description
              "Any configuration known to the device.  The use of
               the 'binary' type enables content (e.g., XML) to be
               embedded into a JSON document.  The exact encoding
               of the content, as with the scripts, is vendor
               specific.";
          }
          leaf post-configuration-script {
            type script;
            description
              "A script that, when present, is executed after the
               configuration has been processed.";
          }
        }
      }
    }

    typedef script {
      type binary;
      description
        "A device-specific script that enables the execution of
         commands to perform actions not possible thru configuration
         alone.
Top   ToC   RFC8572 - Page 40
         No attempt is made to standardize the contents, running
         context, or programming language of the script, other than
         that it can indicate if any warnings or errors occurred and
         can emit output.  The contents of the script are considered
         specific to the vendor, product line, and/or model of the
         device.

         If the script execution indicates that a warning occurred,
         then the device MUST assume that the script had a soft error
         that the script believes will not affect manageability.

         If the script execution indicates that an error occurred,
         the device MUST assume the script had a hard error that the
         script believes will affect manageability.  In this case,
         the script is required to gracefully exit, removing any
         state that might hinder the device's ability to continue
         the bootstrapping sequence (e.g., process onboarding
         information obtained from another bootstrap server).";
    }
  }
  <CODE ENDS>


(next page on part 3)

Next Section