Autonomic Networking BRKGEN Michael Behringer

Similar documents
Autonomic Control Plane A Virtual Out Of Band Channel

Configuring Autonomic Networking

A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-03.txt

An Autonomic Control Plane

Remote Access MPLS-VPNs

MPLS in the DCN. Introduction CHAPTER

ANIMA WG (Autonomic Networking Integrated Model and Approach) Rechartering Consideration

A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-00.txt

Managing Site-to-Site VPNs: The Basics

Cisco SD-Access Building the Routed Underlay

BGP-MVPN SAFI 129 IPv6

CCIE Routing & Switching

Routing Underlay and NFV Automation with DNA Center

[Actual4Exams] Actual & valid exam test dumps for your successful pass

Managing Site-to-Site VPNs

PnP Deep Dive Hands-on with APIC-EM and Prime Infrastructure

Cisco Implementing Cisco IP Routing v2.0 (ROUTE)

MPLS LDP Autoconfiguration

Cisco Plug and Play Feature Guide Cisco Services. Cisco Plug and Play Feature Guide Cisco and/or its affiliates.

Cisco SD-Access Hands-on Lab

Supported Platforms for Cisco Path Trace, Release x. This document describes the supported platforms for the Cisco Path Trace, Release x.

Managing Site-to-Site VPNs: The Basics

ITBraindumps. Latest IT Braindumps study guide

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

PREREQUISITES TARGET AUDIENCE. Length Days: 5

Configuring Bridge Domain Interfaces

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Implementing Cisco IP Routing (ROUTE)

ipv6 mobile home-agent (global configuration)

Configuring VRF-lite CHAPTER

CCIE ROUTING & SWITCHING V5.0

CCNP TSHOOT. Quick Reference Sheet Exam

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

MLDP In-Band Signaling/Transit Mode

Chapter 5. Security Components and Considerations.

Configuring Multicast VPN Inter-AS Support

MPLS VPN Inter-AS Option AB


UniNets MPLS LAB MANUAL MPLS. UNiNets Multiprotocol label Switching MPLS LAB MANUAL. UniNets MPLS LAB MANUAL

Cisco Service Advertisement Framework Deployment Guide

Multicast only Fast Re-Route

PIM Allow RP. Finding Feature Information. Restrictions for PIM Allow RP

Serviceability of SD-WAN

Introduction to OpenConfig

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

Using Cloud VPN Service

IPv6 Commands: n to re

BGP Support for the L2VPN Address Family

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

BGP Support for the L2VPN Address Family

Improving IoT Security: the role of the manufacturer. Eliot Lear

Use Plug and Play to Deploy New Devices

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

MPLS VPN--Inter-AS Option AB

OSPF Commands on Cisco ASR 9000 Series Router

Prepare.csv (Comma-Separated Value) Files to Import New Devices on FND

High Availability Synchronization PAN-OS 5.0.3

IGMP Proxy. Finding Feature Information. Prerequisites for IGMP Proxy

Transportní paketová infrastruktura poskytovatelů služeb

Using Cloud VPN Service

Configuring Route Maps to Control the Distribution of MPLS Labels Between Routers in an MPLS VPN

VRF, MPLS and MP-BGP Fundamentals

OTV Loopback Join Interface

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

DNA Automation Services Offerings

Web Services Management Agent Configuration Guide, Cisco IOS XE Release 3S

MPLS Label Distribution Protocol (LDP)

Internet of Things Field Network Director

Configuring FlexVPN Spoke to Spoke

ECMP Load Balancing. MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 900 Series) 1

"Charting the Course... Interconnecting Cisco Networking Devices Accelerated 3.0 (CCNAX) Course Summary

OpenStack and OpenDaylight, the Evolving Relationship in Cloud Networking Charles Eckel, Open Source Developer Evangelist

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

OSPFv3 Route Filtering Using Distribute-List

Implementing Management Plane Protection

CCNA ROUTING & SWITCHING

Connecting to a Service Provider Using External BGP

VRF, MPLS and MP-BGP Fundamentals

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Configuring High Availability (HA)

Routing Configuration Guide, Cisco IOS XE Everest a (Catalyst 9300 Switches)

IPv6 Module 6 ibgp and Basic ebgp

Configuring MSDP. Overview. How MSDP operates. MSDP peers

Constraining IP Multicast in a Switched Ethernet Network

DNA SA Border Node Support

Configuring IP Unnumbered Interface

Multicast Subsecond Convergence

Interconnecting Cisco Networking Devices: Accelerated

Configuring Ethernet Virtual Connections on the Cisco ASR 1000 Series Router

Cisco Network Plug and Play Agent Configuration Guide, Cisco IOS XE Everest b

IPv6 Module 6x ibgp and Basic ebgp

vcloud Director Tenant Portal Guide vcloud Director 8.20

BGP mvpn BGP safi IPv4

Cisco IOS LISP Application Note Series: Access Control Lists

CCNA Routing & Switching

IEEE 802.1X Multiple Authentication

An Autonomic Control Plane draft-ietf-anima-autonomic-control-plane- 05 (ietf98:06 - ietf99:08)

Transcription:

Autonomic Networking BRKGEN-2999 Michael Behringer

Autonomic Networking Intro How We Got Here

Our First Goal Was: Automatic Network Security External NOC External How to Distinguish inside from outside without configuration? External 4

Certificates to Distinguish Internal from External External NOC External How to distribute certificates, securely, zero-touch? External 5

Autonomic Networking Background

Secure Domain Certificate Enrolment New device Proxy Registrar my domain certificate my unique device identifier (802.1AR / SUDI) new device with ID x Fundamental Idea: Using a secure vendor ID to bootstrap a domain ID Accept? Domain parameters For new device Domain enrolment Domain certificate Domain parameters For new device Domain enrolment Domain certificate See: http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfrastructures/ 7

Result: Each Device has a Domain Cert External NOC External Now, we can find boundaries automatically! External See: http://tools.ietf.org/html/draft-behringer-homenet-trust-bootstrap 8

Demo: Secure Zero-Touch Bootstrap Configure a registrar Network bootstraps automatically AND: securely! 9 9

Would you use Cloud based device identification? Cisco Internet Cisco, is device A really my device? Internet Yes, this is your device! domain.com New device A Registrar

Secure Domain Certificate Enrolment New device Proxy Registrar Factory Cloud Service my unique device identifier (802.1AR / SUDI) my domain certificate new device with ID x Accept? new device ID x; domain y Authorization token Audit log for device Domain parameters Authorization token Domain parameters Authorization token Accept? Join? Domain enrolment Domain certificate Domain enrolment Domain certificate See: http://tools.ietf.org/html/draft-pritikin-bootstrapping-keyinfrastructures/ 11

Where Is The Catch? New device Proxy Registrar my domain certificate my unique device identifier (802.1AR / SUDI) new device with ID x How do nodes communicate without IP addressing? Accept? Domain parameters For new device Domain enrolment Domain certificate Domain parameters For new device Domain enrolment Domain certificate 12

The Autonomic Control Plane loopback VRF Secure Tunnel loopback VRF IPv6 link local IPv6 link local Self-forming and self-managing Follows network topology Not dependent on config or routing table* * Some exceptions apply 13

Connecting into the Autonomic Control Plane loopback VRF Secure Tunnel loopback VRF Like normal ip vrf forwarding command All devices on this interface have full access to ACP Can SSH, SNMP, etc to loopbacks Interface eth 2 autonomic connect ipv6 address 2000::10/64 Long term: Servers will be autonomic devices 14

Advantages of the Autonomic Control Plane (ACP) loopback VRF Secure Tunnel loopback VRF Completely self-managing No config! IPv6 link local IPv6 link local Secure Separate (VPN) and Encrypted (IPsec) Independent of Routing Only depends on link local addresses Independent of Configuration Only certificate visible in sh running Use as a Virtual Out-Of-Band Channel Visible Lots of show commands, debugs, etc.

Domain Certificates: Foundation for Autonomic Networking External External NOC External we can now secure the network automatically bring up OSPF automatically and PIM-SM!! we could enable guestnet, if a policy says so each device knows what to do we can find BGP speakers automatically! and secure the sessions! the admin can detect unauthorised devices reporting can be aggregated in the network See: http://tools.ietf.org/html/draft-behringer-default-secure 16

Autonomic Networking Work Flow

Create a Whitelist Devices joining the domain must be validated before handing out certificates Create a whitelist (text file) of UDIs that are allowed to join Automatically generated by Cisco (from Bill of Sale) for new devices Updated by operator for existing devices Load whitelist on the Registrar (manually) Find Unique Device Identifiers (UDI) on bill of sale Registrar Purchase Bill of Sale Operator updates for Existing devices 18

Configure a Registrar Router#configure terminal Router(config)#autonomic registrar Router(config-registrar)#domain-id cisco.com Router(config-registrar)#whitelist disk:whitelist.txt Router(config-registrar)#ca url <> Router(config-registrar)#no shut Enter Autonomic Registrar Config mode Configure domain-id any name will do Specify a local whitelist (Optional) Specify an external CA s url (Optional) Unshut the Registrar You re done! Registrar also can run an IOS CA locally If a whitelist is not used a deployment window is the recommended alternative Registrar CA 19

Registrar Redundancy A Registrar in an Autonomic domain: validates new devices (whitelist) Hands out domain certificate Registrar down no new devices can join the autonomic domain! Good practice to configure multiple registrars Registrars can be distributed no need to be neighbors! Registrar Registrar Identical Configuration 20

Bring up Remote Sites: Channel Discovery Newly installed device is always passive Typically, VLAN based E-LINE services - each NID permits one VLAN Channel discovery helps discover the allowed VLAN ACP is kept separate from Data plane using QinQ service instance with fixed inner vlan = 4094 Third-Party Metro-Ethernet Cloud Probe for VLAN = 416 passes through NID only allows VLAN 416 Outer VLAN Inner VLAN 21

Restricting VLAN Ranges with Channel Discovery Intent configured on registrar Flooded through network Router#configure terminal Router(config)#autonomic intent Router(config-intent)#control-plane Router(config-intent)#vlan outer 400-420 Router(config-intent)#vlan inner 4092 Registrar

Autonomic Networking Strategy

Next Generation Plug and Play (PnP) Device boots: Listen mode Received DHCP offer Use DHCP/DNS to establish connection Received nothing Received adjacency discovery y PnP server reachable? n Use helper device to enable network connectivity Domain certificate enrolment Join Autonomic Control Plane Download config Download image Zero touch bootstrap finished

More Ideas router bgp <as> autonomic authentication router isis autonomic authentication network-protection autonomic Secure remote device identification <Your idea here.> For each router: For each neighbor: Configure static password at the same time as neighbor Regularly update all passwords, at the same time For each router: For each isis interface: Configure password or chain For each area: Configure password or chain Regularly update all passwords Define Infrastructure ACL for your entire core address space On each edge router: Install iacl Configure management plane protection Configure control plane protection Update entire edge whenever address space changes

Autonomic Networking Complements SDN controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane!

Autonomic Networking Complements SDN controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane!

Autonomic Networking Complements SDN controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane!

Autonomic Networking Complements SDN controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane!

Autonomic Networking Infrastructure Autonomic Node Standard Network OS Features draft-irtf-nmrg-autonomic-network-definitions-04

Standardisation ANIMA Working Group: http://tools.ietf.org/wg/anima/ Early work A Framework for Autonomic Networking http://tools.ietf.org/html/draft-behringer-autonomic-network-framework Making the Internet Secure by Default http://tools.ietf.org/html/draft-behringer-default-secure NMRG work Autonomic Networking: Definitions and Design Goals http://tools.ietf.org/html/draft-irtf-nmrg-autonomic-network-definitions Gap Analysis for Autonomic Networking https://tools.ietf.org/html/draft-irtf-nmrg-an-gap-analysis Use case drafts: Those are used to derive requirements for the Autonomic Networking Infrastructure Autonomic Networking Use Case for Network Bootstrap https://tools.ietf.org/html/draft-behringer-autonomic-bootstrap Autonomic Network Stable Connectivity https://tools.ietf.org/html/draft-eckert-anima-stable-connectivity Autonomic Prefix Management in Large-scale Networks https://tools.ietf.org/html/draft-jiang-anima-prefix-management Solution drafts: An Autonomic Control Plane https://tools.ietf.org/html/draft-behringer-anima-autonomic-control-plane Bootstrapping Key Infrastructures http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfrastructures Bootstrapping Trust on a Homenet (this is in homenet, not ANIMA) https://tools.ietf.org/html/draft-behringer-homenet-trust-bootstrap A Generic Discovery and Neg. Protocol for Autonomic Networking https://tools.ietf.org/html/draft-carpenter-anima-gdn-protocol 31

OpenDayLight: Secure Network Bootstrapping Infrastructure (SNBI) https://wiki.opendaylight.org/view/securenetworkbootstrapping:main 32

Autonomic Networking Summary

Autonomic Networking: The Self-Managing Network Simpler controller Secure by default Network wide, abstract management Intelligent devices Michael Behringer

Device Support: SP, Enterprise and IoT Supported today: ASR 901, ASR 901s, ASR 903, ASR 920, ME 3600, ME 3800 Catalyst 2000, 3000, 4000, NG3k, IE 2000 Open Source: Secure Network Bootstrap Infrastructure (SNBI; part of OpenDayLight Helium release) Roadmap ASR 9000 ASR 1000, CSR 1000, ISR-G2, ISR-4000 (more to come) 35

References www.cisco.com/go/autonomic/ IEFT Drafts: See earlier slide OpenDayLight Project SNBI: https://wiki.opendaylight.org/view/securenetworkbootstrapping:main Autonomic Networking Configuration Guide, Cisco IOS Release 15S www.cisco.com/en/us/partner/docs/ios-xml/ios/auto_net/configuration/15-s/an-auto-net-15- s-book.html Cisco IOS Autonomic Networking Command Reference www.cisco.com/en/us/partner/docs/ios-xml/ios/auto_net/command/an-cr-book.html autonomic-team@cisco.com 36

Call to Action Visit: BRKSPG-2447 - Autonomic Networking: Simplifying Service Provider Access Deployments Thursday, 11:30, Suite 8, Mezzanine, South Wing, Level 2 Demo on Autonomics World of Solutions, in the Service Provider area Meet the Engineer Lunch Time Table Topic: Autonomic Networking Thursday, Level 0 North Catering Area Contact us: autonomic-team@cisco.com Twitter: #autonomic 37

Complete Your Online Session Evaluation Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback