US-12627985-B2 - Secure zero touch provisioning of network devices using Bluetooth application
Abstract
A method for provisioning a network device can include, on a network device in a factory-default state and having a factory-installed Secure Zero Touch Provisioning (SZTP) agent, enabling a wireless communication capability of the network device. Upon detecting the wireless communication capability being enabled, the SZTP agent attempts to establish a connection with an SZTP application on a computing device in close proximity to the network device. Once connected, the SZTP agent requests SZTP bootstrap information from the SZTP Application, receives SZTP artifacts, and determines whether the SZTP artifacts contain redirect information to an SZTP bootstrap server. If so, the SZTP agent validates the redirect information and attempts to connect to the SZTP bootstrap server. Once connected, the SZTP agent attempts to retrieve network device provisioning artifacts from the SZTP bootstrap server and provisions the network device using the network device provisioning artifacts retrieved from the SZTP bootstrap server.
Inventors
- Eamon Doyle
- Saurabh Singhal
Assignees
- ARISTA NETWORKS, INC.
Dates
- Publication Date
- 20260512
- Application Date
- 20231020
Claims (20)
- 1. A method for provisioning an unprovisioned network device, the method comprising: upon detecting a wireless communication capability being enabled on the network device, attempting, by a Secure Zero Touch Provisioning (SZTP) agent on the network device, to establish a wireless connection with an SZTP application on a computing device near the network device; once the wireless connection is successfully established, requesting, by the SZTP agent on the network device, SZTP artifacts for provisioning the network device from the SZTP application on the computing device; receiving, by the SZTP agent on the network device over the wireless connection from the SZTP application on the computing device, the SZTP artifacts for provisioning the network device; determining, by the SZTP agent on the network device, whether the SZTP artifacts received from the SZTP application over the wireless connection contain redirect information; if the SZTP artifacts contain redirect information to an SZTP bootstrap server on a remote host: validating, by the SZTP agent, the redirect information; and attempting to connect to the SZTP bootstrap server on the remote host; once a connection to the SZTP bootstrap server is established, attempting to retrieve additional network device provisioning artifacts from the SZTP bootstrap server on the remote host; and provisioning the network device using the network device provisioning artifacts retrieved from the SZTP bootstrap server on the remote host.
- 2. The method according to claim 1, further comprising: determining whether a trusted connection has been established with the SZTP bootstrap server; and if a trusted connection has been established with the SZTP bootstrap server, sending an SZTP progress report to the SZTP bootstrap server over the trusted connection.
- 3. The method according to claim 2, wherein determining whether the trusted connection has been established with the SZTP bootstrap server comprises determining whether the redirect information is signed.
- 4. The method according to claim 1, wherein the connection to the SZTP bootstrap server is an untrusted connection, the method further comprising: responsive to the untrusted connection to the SZTP bootstrap server being established, promoting the untrusted connection to a trusted connection.
- 5. The method according to claim 1, wherein the validating the redirect information comprises verifying a voucher signed by a manufacturer of the network device using the manufacturer's public key included on the network device.
- 6. The method according to claim 1, wherein the SZTP artifacts comprise configuration information for setting up the network device on a computer network, the configuration information comprises at least one of: a network address, a routing policy, credential information, or domain name server information.
- 7. The method according to claim 1, wherein attempting to connect to the SZTP bootstrap server comprises making a remote procedure call to the SZTP bootstrap server.
- 8. A self-provisioning network device in a factory-default state, the network device comprising: a wireless communication capability that uses a radio frequency to share data over a distance locally, and a factory-installed Secure Zero Touch Provisioning (SZTP) agent that is configured for: upon detecting the wireless communication capability being enabled on the network device, attempting to establish a wireless connection with an SZTP application on a computing device near the network device; once the wireless connection is successfully established, requesting SZTP artifacts for provisioning the network device from the SZTP application on the computing device; receiving, over the wireless connection from the SZTP application on the computing device, the SZTP artifacts for provisioning the network device; determining whether the SZTP artifacts received from the SZTP application over the wireless connection contain redirect information; if the SZTP artifacts contain redirect information to an SZTP bootstrap server on a remote host: validating the redirect information; and attempting to connect to the SZTP bootstrap server on the remote host; once a connection to the SZTP bootstrap server is established, attempting to retrieve additional network device provisioning artifacts from the SZTP bootstrap server on the remote host; and provisioning the network device using the network device provisioning artifacts retrieved from the SZTP bootstrap server on the remote host.
- 9. The network device of claim 8, wherein the SZTP agent is further configured for: determining whether a trusted connection has been established with the SZTP bootstrap server; and if a trusted connection has been established with the SZTP bootstrap server, sending an SZTP progress report to the SZTP bootstrap server over the trusted connection.
- 10. The network device of claim 9, wherein the SZTP agent is further configured for: determining whether the trusted connection has been established with the SZTP bootstrap server comprises determining whether the redirect information is signed.
- 11. The network device of claim 8, wherein the connection to the SZTP bootstrap server is an untrusted connection and wherein the SZTP agent is further configured for: responsive to the untrusted connection to the SZTP bootstrap server being established, promoting the untrusted connection to a trusted connection.
- 12. The network device of claim 8, wherein the validating the redirect information comprises verifying a voucher signed by a manufacturer of the network device using the manufacturer's public key included on the network device.
- 13. The network device of claim 8, wherein the SZTP artifacts comprise configuration information for setting up the network device on a computer network, the configuration information comprises at least one of: a network address, a routing policy, credential information, or domain name server information.
- 14. The network device of claim 8, wherein attempting to connect to the SZTP bootstrap server comprises making a remote procedure call to the SZTP bootstrap server.
- 15. A computer program product for self-provisioning a network device, the computer program product comprising a non-transitory computer-readable medium storing instructions translatable by a processor of a network device for implementing a Secure Zero Touch Provisioning (SZTP) agent, the network device having a wireless communication capability that uses a radio frequency to share data over a distance locally, the SZTP agent configured for: upon detecting the wireless communication capability being enabled on the network device, attempting to establish a wireless connection with an SZTP application on a computing device near the network device; once the wireless connection is successfully established, requesting SZTP artifacts for provisioning the network device from the SZTP application on the computing device; receiving, over the wireless connection from the SZTP application on the computing device, the SZTP artifacts for provisioning the network device; determining whether the SZTP artifacts received from the SZTP application over the wireless connection contain redirect information; if the SZTP artifacts contain redirect information to an SZTP bootstrap server on a remote host: validating the redirect information; and attempting to connect to the SZTP bootstrap server on the remote host; once a connection to the SZTP bootstrap server is established, attempting to retrieve additional network device provisioning artifacts from the SZTP bootstrap server on the remote host; and provisioning the network device using the network device provisioning artifacts retrieved from the SZTP bootstrap server on the remote host.
- 16. The computer program product of claim 15, wherein the SZTP agent is further configured for: determining whether a trusted connection has been established with the SZTP bootstrap server; and if a trusted connection has been established with the SZTP bootstrap server, sending an SZTP progress report to the SZTP bootstrap server over the trusted connection.
- 17. The computer program product of claim 16, wherein the SZTP agent is further configured for: determining whether the trusted connection has been established with the SZTP bootstrap server comprises determining whether the redirect information is signed.
- 18. The computer program product of claim 15, wherein the connection to the SZTP bootstrap server is an untrusted connection and wherein the SZTP agent is further configured for: responsive to the untrusted connection to the SZTP bootstrap server being established, promoting the untrusted connection to a trusted connection.
- 19. The computer program product of claim 15, wherein the validating the redirect information comprises verifying a voucher signed by a manufacturer of the network device using the manufacturer's public key included on the network device.
- 20. The computer program product of claim 15, wherein attempting to connect to the SZTP bootstrap server comprises making a remote procedure call to the SZTP bootstrap server.
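The trust decision that claims 2 to 5 describe, worked through as an added Go example: unsigned redirect information is accepted but yields an untrusted bootstrap connection, while redirect information signed under an owner key that a manufacturer-signed voucher pins to this particular device yields a trusted connection, and only over a trusted connection may the agent send progress reports. This is not Arista's code and not a reference implementation of RFC 8572; the JSON shapes, the Ed25519 keys standing in for the voucher's pinned owner certificate, the serial number and the bootstrap server URL are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Voucher is a simplified ownership voucher (RFC 8366 shape): the manufacturer
// binds a device serial number to the owner's key. The real artifact pins an
// owner certificate; an Ed25519 public key stands in for it here (assumption).
type Voucher struct {
	SerialNumber string `json:"serial-number"`
	OwnerPubKey  []byte `json:"pinned-owner-key"`
}

// Redirect is the redirect-information part of the SZTP artifacts that the
// Bluetooth application hands to the agent: where the bootstrap server is.
type Redirect struct {
	BootstrapServer string `json:"bootstrap-server"`
}

// Artifacts is what the agent receives over the wireless connection.
// RedirectSig is nil when the redirect is unsigned; the voucher fields may then be empty.
type Artifacts struct {
	Redirect    []byte // JSON-encoded Redirect (exactly the bytes that were signed)
	RedirectSig []byte // owner's signature over Redirect, or nil
	Voucher     []byte // JSON-encoded Voucher, signed by the manufacturer
	VoucherSig  []byte
}

type TrustLevel int

const (
	Untrusted TrustLevel = iota
	Trusted
)

// Agent is the factory-installed SZTP agent: it knows its own serial number
// and carries the manufacturer's public key, and nothing else at boot.
type Agent struct {
	Serial          string
	ManufacturerKey ed25519.PublicKey
}

// ValidateRedirect decides how far the bootstrap server named in the redirect
// may be trusted. A signature that is present but does not verify is a hard
// failure, never a silent downgrade to Untrusted.
func (a Agent) ValidateRedirect(art Artifacts) (string, TrustLevel, error) {
	var r Redirect
	if err := json.Unmarshal(art.Redirect, &r); err != nil || r.BootstrapServer == "" {
		return "", Untrusted, errors.New("no usable redirect information")
	}
	if art.RedirectSig == nil {
		return r.BootstrapServer, Untrusted, nil // unsigned: connect, but trust nothing yet
	}
	// The owner's signature only means something if the owner key is bound to
	// this device by a voucher the manufacturer signed.
	if !ed25519.Verify(a.ManufacturerKey, art.Voucher, art.VoucherSig) {
		return "", Untrusted, errors.New("voucher not signed by manufacturer")
	}
	var v Voucher
	if err := json.Unmarshal(art.Voucher, &v); err != nil {
		return "", Untrusted, fmt.Errorf("malformed voucher: %w", err)
	}
	if v.SerialNumber != a.Serial {
		return "", Untrusted, errors.New("voucher issued for a different device")
	}
	if len(v.OwnerPubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(v.OwnerPubKey), art.Redirect, art.RedirectSig) {
		return "", Untrusted, errors.New("redirect signature does not verify under pinned owner key")
	}
	return r.BootstrapServer, Trusted, nil
}

// MaySendProgressReport: progress reports go only over a trusted connection;
// over an untrusted one the agent stays silent and accepts only signed data.
func MaySendProgressReport(t TrustLevel) bool { return t == Trusted }

// BuildArtifacts constructs sample artifacts as the Bluetooth application would
// deliver them (constructed test data). With sign=false the redirect is unsigned.
func BuildArtifacts(mfgPriv, ownerPriv ed25519.PrivateKey, serial, server string, sign bool) Artifacts {
	redirect, _ := json.Marshal(Redirect{BootstrapServer: server})
	art := Artifacts{Redirect: redirect}
	if sign {
		ownerPub := ownerPriv.Public().(ed25519.PublicKey)
		art.Voucher, _ = json.Marshal(Voucher{SerialNumber: serial, OwnerPubKey: ownerPub})
		art.VoucherSig = ed25519.Sign(mfgPriv, art.Voucher)
		art.RedirectSig = ed25519.Sign(ownerPriv, redirect)
	}
	return art
}

func main() {
	mfgPub, mfgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	agent := Agent{Serial: "SN-EXAMPLE-0001", ManufacturerKey: mfgPub} // assumed serial
	for _, signed := range []bool{true, false} {
		art := BuildArtifacts(mfgPriv, ownerPriv, agent.Serial, "https://bootstrap.example.net", signed)
		server, trust, err := agent.ValidateRedirect(art)
		fmt.Printf("signed=%v server=%q trust=%d report=%v err=%v\n",
			signed, server, trust, MaySendProgressReport(trust), err)
	}
}
```

The reason the unsigned path is kept at all is that an attacker on the Bluetooth hop can always strip a signature; the defence is not to refuse unsigned redirects but to make the resulting connection untrusted, so that the agent sends no progress report and accepts from that server only onboarding data it can itself verify as signed. The serial-number check matters as much as the signatures: a voucher that is genuine but issued for another device must not promote the connection.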
Description
TECHNICAL FIELD
This disclosure relates generally to network devices. More particularly, this disclosure relates to an extensible mechanism for bootstrapping network devices over Secure Zero Touch Provisioning (SZTP) using a Bluetooth® SZTP application to redirect to bootstrap servers.
BACKGROUND OF THE RELATED ART
Generally, network devices shipped from manufacturers need to be configured or otherwise set up before they can operate on computer networks and communicate with other networked devices. In this context, the term “network provisioning” or “provisioning” generally refers to the process of configuring or setting up unprovisioned network devices. Provisioning these network devices (e.g., switches, routers, access points, firewalls, gateways, networking appliances, etc.), however, often falls on authorized users (e.g., site managers, technicians, installers, etc.) at remote sites who have no (or limited) networking expertise. In addition to cabling, such a network device must be configured correctly to connect a remote site to a network (e.g., an enterprise network) in a secure manner. However, such a remote site (e.g., a customer-defined location, a branch office, etc.) often lacks specialized equipment (e.g., a capable laptop computer, a serial cable programmed to operate at a specific frequency and/or an Ethernet cable for secure shell (SSH) connectivity, etc.) and the computer programs required to connect the network device to a network management service capable of performing operations, administration, maintenance, and provisioning (OAMP) functions. Even when connected and configured properly, the network device may still not be able to connect to the network if Dynamic Host Configuration Protocol (DHCP) and/or other service discovery features are unavailable. Additionally, a misconfiguration in the network device could result in a security breach.
As a result, a provider (e.g., a manufacturer) of the network device must dispatch a more experienced network engineer to troubleshoot the site connectivity and properly configure the network device, which increases deployment costs, inefficiency, and complexity for both the network device owner and the provider.
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings accompanying and forming part of this specification are included to depict certain aspects of the disclosure. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale. A more complete understanding of the disclosure and the advantages thereof may be acquired by referring to the following description, taken in conjunction with the accompanying drawings in which like reference numbers indicate like features. FIG. 1 depicts a diagrammatical representation of a system according to some embodiments disclosed herein. FIG. 2 is a flowchart that illustrates an example of a method for provisioning an unprovisioned network device according to some embodiments disclosed herein. FIG. 3 depicts a diagrammatical representation of a user device according to some embodiments disclosed herein. FIG. 4 depicts a diagrammatical representation of a computing device in accordance with some embodiments disclosed herein.
DETAILED DESCRIPTION
Specific embodiments will now be described with reference to the accompanying figures (FIGS). The figures and the following description describe certain embodiments by way of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality.
Zero Touch Provisioning (ZTP) allows network devices to self-provision without administrator interaction. Upon installation, such a network device powers up without a start-up configuration and enters ZTP mode. RFC 8572 is an Internet Engineering Task Force (IETF) document that specifies the Secure Zero Touch Provisioning (SZTP) protocol for securely provisioning a networking device when it is booting in a factory-default state. The SZTP protocol supports a number of alternative sources of bootstrapping data, including DHCP, removable storage devices, and bootstrap servers (which can also be referred to as RESTCONF servers or SZTP bootstrap servers and which are collectively referred to hereinafter as “SZTP bootstrap servers”). As those skilled in the art can appreciate, DHCP can automatically provide an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. DHCP is commonly used for configuring an IP address on a device interface. However, DHCP has known limitations. For instance, DHCP is not secure and is inherently limited by the size of the packets and, therefo