Autonomic Control Plane A Virtual Out Of Band Channel

Similar documents
Autonomic Networking BRKGEN Michael Behringer

A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-03.txt

Configuring Autonomic Networking

A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-00.txt

An Autonomic Control Plane

ANIMA WG (Autonomic Networking Integrated Model and Approach) Rechartering Consideration

MPLS in the DCN. Introduction CHAPTER

BGP-MVPN SAFI 129 IPv6

Managing Site-to-Site VPNs: The Basics

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Managing Site-to-Site VPNs

Remote Access MPLS-VPNs

CCIE Routing & Switching

Transportní paketová infrastruktura poskytovatelů služeb

Managing Site-to-Site VPNs: The Basics

UniNets MPLS LAB MANUAL MPLS. UNiNets Multiprotocol label Switching MPLS LAB MANUAL. UniNets MPLS LAB MANUAL

[Actual4Exams] Actual & valid exam test dumps for your successful pass

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

ITBraindumps. Latest IT Braindumps study guide

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

High Availability Synchronization PAN-OS 5.0.3

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

IPv6 Commands: n to re

PIM Allow RP. Finding Feature Information. Restrictions for PIM Allow RP

ipv6 mobile home-agent (global configuration)

Data Center Configuration. 1. Configuring VXLAN

Configuring Bridge Domain Interfaces

Implementing IP in IP Tunnel

CCIE ROUTING & SWITCHING V5.0

Configuring VRF-lite CHAPTER

MPLS LDP Autoconfiguration

WAN Edge MPLSoL2 Service

MPLS VPN Inter-AS Option AB

Cisco Service Advertisement Framework Deployment Guide

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Multicast only Fast Re-Route

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

Network Configuration Example

CCNP TSHOOT. Quick Reference Sheet Exam

Configuring Multicast VPN Extranet Support


MLDP In-Band Signaling/Transit Mode

Cisco SD-Access Building the Routed Underlay

IP Routing: BGP Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Supported Platforms for Cisco Path Trace, Release x. This document describes the supported platforms for the Cisco Path Trace, Release x.

Implementing Management Plane Protection

MPLS VPN--Inter-AS Option AB

Configuring Multicast VPN Inter-AS Support

DNA SA Border Node Support

Connecting to a Service Provider Using External BGP

Static Routing Commands

Configuring IP Unnumbered Interface

MPLS Label Distribution Protocol (LDP)

BGP Cost Community. Prerequisites for the BGP Cost Community Feature

BGP mvpn BGP safi IPv4

OTV Loopback Join Interface

Provisioning Overlay Networks

Cisco Plug and Play Feature Guide Cisco Services. Cisco Plug and Play Feature Guide Cisco and/or its affiliates.

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Configuring Route Maps to Control the Distribution of MPLS Labels Between Routers in an MPLS VPN

Multicast Quick Start Configuration Guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling

VPN User s Guide Release 7.3

BGP Support for the L2VPN Address Family

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

Cisco Network Plug and Play Agent Configuration Guide, Cisco IOS XE Everest b

OSPF Commands on Cisco ASR 9000 Series Router

Chapter 5. Security Components and Considerations.

Configuring VXLAN EVPN Multi-Site

An Autonomic Control Plane draft-ietf-anima-autonomic-control-plane- 05 (ietf98:06 - ietf99:08)

IWAN APIC-EM Application Cisco Intelligent WAN

*Performance and capacities are measured under ideal testing conditions using PAN-OS 8.0. Additionally, for VM

Improving IoT Security: the role of the manufacturer. Eliot Lear

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

Configuring Bidirectional PIM

IX: Detailed Infomation

Cisco Implementing Cisco IP Routing v2.0 (ROUTE)

SAF Service Advertisement Framework

Configuring Ethernet Virtual Connections on the Cisco ASR 1000 Series Router

Evolved Campus Core: An EVPN Framework for Campus Networks. Vincent Celindro JNCIE #69 / CCIE #8630

Viewing IP and MPLS Multicast Configurations

BGP Best External. Finding Feature Information

Configuring MSDP. Overview. How MSDP operates. MSDP peers

Implementing DHCP for IPv6

Cisco Secure Access Control

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

Cisco Path Trace Application on APIC-EM User Guide, Release x

Module 11 Advanced Router Configuration

RIP Commands. output-delay, page 32 passive-interface (RIP), page 33 poison-reverse, page 35 receive version, page 37 redistribute (RIP), page 39

Configuring MPLS and EoMPLS

Stateless Multicast with Bit Indexed Explicit Replication (BIER)

Prepare.csv (Comma-Separated Value) Files to Import New Devices on FND

Control as LCD for future networking

Pradeep Kathail Chief Software Architect Network Operating Systems Technology Group, Cisco Systems Inc.

PREREQUISITES TARGET AUDIENCE. Length Days: 5

Implementing Cisco IP Routing (ROUTE)

Transcription:

Autonomic Control Plane A Virtual Out Of Band Channel Alvaro Retana (aretana@cisco.com) Distinguished Engineer, Cisco Services Slides by Michael Behringer.

We all know: SDN Will Save The World Yes, but 2

SDN Unanswered Questions controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process à Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane! 3

SDN Unanswered Questions controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process à Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane! 4

SDN Unanswered Questions controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process à Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane! 5

SDN Unanswered Questions controller How does a Controller: Discover network elements? Autonomic discovery Enrol them securely? (without pre-staging?) Secure bootstrap process à Domain certificates Reach them consistently? Autonomic Control Plane Independent of the data plane! 6

Bootstrapping Security 7

Secure Domain Certificate Enrolment New device Proxy Registrar IPv6 link local my domain certificate my unique device identifier (802.1AR / SUDI) new device with ID x Fundamental Idea: Using a secure vendor ID to bootstrap a domain ID Accept? Domain parameters For new device Domain enrolment Domain certificate Domain parameters For new device Domain enrolment Domain certificate See: http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfrastructures/ 8

Demo 1: Secure Zero-Touch Bootstrap Minimal config on a central node Network bootstraps automatically AND: securely! 9 9

Would you use Cloud based device identification? Internet domain.com Vendor, is device A really my device? New device A Registrar Vendor Internet Yes, this is your device! Not committed Vendor validates UDI-customer mapping, based on sales records Operator can override on registrar à Control remains with operator 10

Secure Domain Certificate Enrolment New device Proxy Registrar IPv6 link local Factory Cloud Service my unique device identifier (802.1AR / SUDI) my domain certificate Domain parameters Authorization token new device with ID x Domain parameters Authorization token Accept? new device ID x; domain y Authorization token Audit log for device Accept? Join? Domain enrolment Domain certificate Domain enrolment Domain certificate Not committed http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfrastructures/ 11

The Virtual Out Of Band Channel" 12

Where Is The Catch? New device Proxy Registrar IPv6 link local my domain certificate my unique device identifier (802.1AR / SUDI) new device with ID x How do nodes communicate without IP addressing? Accept? Domain parameters For new device Domain enrolment Domain certificate Domain parameters For new device Domain enrolment Domain certificate 13

The Autonomic Control Plane loopbac loopbac k VRF VRF k Secure Tunnel IPv6 link local IPv6 link local Self-forming and self-managing Follows network topology Not dependent on config or routing table* * Some exceptions apply 14

Connecting into the Autonomic Control Plane loopbac k VRF Secure Tunnel loopbac VRF k Like normal ip vrf forwarding command All devices on this interface have full access to ACP à Can SSH, SNMP, etc to loopbacks Interface eth 2 autonomic connect ipv6 address 2000::10/64 Long term: Servers will be autonomic devices 15

Advantages of the Autonomic Control Plane (ACP) loopbac k VRF Secure Tunnel loopbac VRF k Completely self-managing IPv6 link local No config! Secure Separate (VPN) and encrypted (e.g., IPsec) Independent of Routing Only depends on link local addresses Independent of Configuration Only certificate visible in sh running Visible Lots of show commands, debugs, etc. IPv6 link local Use as a Virtual Out-Of-Band Channel 16

Demo 2: The Virtual out of Band Channel Reachability across the network Without addressing Without routing 17 17

Autonomic Networking Work Flow 18

Create a Whitelist Devices joining the domain must be validated before handing out certificates Create a whitelist (text file) of UDIs that are allowed to join Automatically generated by Cisco (from Bill of Sale) for new devices Updated by operator for existing devices Load whitelist on the Registrar (manually) Find Unique Device Identifiers (UDI) on bill of sale Registrar Purchase Bill of Sale Operator updates for Existing devices 19

Configure a Registrar Router#configure terminal Router(config)#autonomic registrar Router(config-registrar)#domain-id cisco.com Router(config-registrar)#whitelist disk:whitelist.txt Router(config-registrar)#ca url <> Router(config-registrar)#no shut Enter Autonomic Registrar Config mode Configure domain-id any name will do Specify a local whitelist (Optional) Specify an external CA s url (Optional) Unshut the Registrar You re done! Registrar also can run an IOS CA locally If a whitelist is not used a deployment window is the recommended alternative Registrar CA 20

Registrar Redundancy A Registrar in an Autonomic domain: validates new devices (whitelist) Hands out domain certificate Registrar down à no new devices can join the autonomic domain! Good practice to configure multiple registrars Registrars can be distributed no need to be neighbors! Registrar Identical Configuration Registrar 21

Bring up Remote Sites: Channel Discovery Newly installed device is always passive Typically, VLAN based E-LINE services - each NID permits one VLAN Channel discovery helps discover the allowed VLAN ACP is kept separate from Data plane using QinQ service instance with fixed inner vlan = 4094 415 Inner Vlan Third-Party Metro-Ethernet Cloud 416 Inner Vlan Probe for VLAN = 416 passes through NID only allows VLAN 416 Outer VLAN Inner VLAN 22

Restricting VLAN Ranges with Channel Discovery Intent configured on registrar Flooded through network Router#configure terminal Router(config)#autonomic intent Router(config-intent)#control-plane Router(config-intent)#vlan outer 400-420 Router(config-intent)#vlan inner 4092 Registrar 23

Autonomic Networking Strategy 24

Possibilities With Domain Certificates External External NOC http://tools.ietf.org/html/draft-behringer-default-secure we can now secure the network automatically bring up OSPF automatically and PIM-SM!! External we could enable guestnet, if a policy says so each device knows what to do we can find BGP speakers automatically! and secure the sessions! the admin can detect unauthorised devices reporting can be aggregated in the network 25

Autonomic Networking Layering Model Autonomic Service Agents Autonomic (switching, routing, Service multicast, Agents monitoring, (switching, ) routing, multicast, monitoring, reporting, ) Naming + Addressing Domain Identity Message Bus API Discovery Autonomic Control Plane Intent Parsing Aggregated Reporting Autonomic Networking Infrastructure Autonomic Node Standard Network OS Features draft-irtf-nmrg-autonomic-network-definitions-04 26

Please Support Standardisation! ANIMA Working Group: http://tools.ietf.org/wg/anima/ Early work A Framework for Autonomic Networking http://tools.ietf.org/html/draft-behringer-autonomic-network-framework Making the Internet Secure by Default http://tools.ietf.org/html/draft-behringer-default-secure NMRG work Autonomic Networking: Definitions and Design Goals http://tools.ietf.org/html/draft-irtf-nmrg-autonomic-network-definitions Gap Analysis for Autonomic Networking https://tools.ietf.org/html/draft-irtf-nmrg-an-gap-analysis Use case drafts: Those are used to derive requirements for the Autonomic Networking Infrastructure Autonomic Networking Use Case for Network Bootstrap https://tools.ietf.org/html/draft-behringer-autonomic-bootstrap Autonomic Network Stable Connectivity https://tools.ietf.org/html/draft-eckert-anima-stable-connectivity Autonomic Prefix Management in Large-scale Networks https://tools.ietf.org/html/draft-jiang-anima-prefix-management Solution drafts: An Autonomic Control Plane https://tools.ietf.org/html/draft-behringer-anima-autonomic-control-plane Bootstrapping Key Infrastructures http://tools.ietf.org/html/draft-pritikin-anima-bootstrapping-keyinfrastructures Bootstrapping Trust on a Homenet (this is in homenet, not ANIMA) https://tools.ietf.org/html/draft-behringer-homenet-trust-bootstrap A Generic Discovery and Neg. Protocol for Autonomic Networking https://tools.ietf.org/html/draft-carpenter-anima-gdn-protocol 27

Please get involved: OpenDayLight: Secure Network Bootstrapping Infrastructure (SNBI) https://wiki.opendaylight.org/view/securenetworkbootstrapping:main 28

Summary 29

Advantages of the Autonomic Control Plane (ACP) loopbac k VRF Secure Tunnel loopbac VRF k Completely self-managing IPv6 link local No config! Secure Separate (VPN) and encrypted (e.g., IPsec) Independent of Routing Only depends on link local addresses Independent of Configuration Only certificate visible in sh running Visible Lots of show commands, debugs, etc. IPv6 link local Use as a Virtual Out-Of-Band Channel 30

Cisco Device Support: SP, Enterprise and IoT 31 Supported today: ASR 901, ASR 901s, ASR 903, ASR 920, ME 3600, ME 3800 Catalyst 2000, 3000, 4000, NG3k, IE 2000 Open Source: Secure Network Bootstrap Infrastructure (SNBI; part of OpenDayLight Helium release) Roadmap ASR 9000 ASR 1000, CSR 1000, ISR-G2, ISR-4000 (more to come) 31

References 32 www.cisco.com/go/autonomic/ IEFT Drafts: See earlier slide OpenDayLight Project SNBI: https://wiki.opendaylight.org/view/securenetworkbootstrapping:main Autonomic Networking Configuration Guide, Cisco IOS Release 15S www.cisco.com/en/us/partner/docs/ios-xml/ios/auto_net/configuration/15-s/an-auto-net-15-sbook.html Cisco IOS Autonomic Networking Command Reference www.cisco.com/en/us/partner/docs/ios-xml/ios/auto_net/command/an-cr-book.html autonomic-team@cisco.com 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback