SZTPD Release Notes (0.0.39)

1 Introduction

The sections below cover what is and is not working in this release of the SZTPD product.

Most everything listed as “not working” will be implemented before FCS.

2 Implemented / Tested

SZTPD implements features on top of YANGcore. Please see the “Implemented / Tested” section in the YANGcore Release Notes for details about what is implemented/tested in the YANGcore layer.

For the SZTPD layer, the following are implemented/tested:

  • The ‘rfc8572’ interface implementing the “bootstrap server” defined in RFC 8572.
  • The ‘rfc8572’ interface supports client-auth via TLS client-certs and/or HTTP basic auth.
  • Both XML and JSON are supported on the SBI, with strong HTTP header checking.
  • Plugin-based dynamic callouts to relay progress reports
  • Plugin-based dynamic callouts for ownership verification
  • Plugin-based dynamic callouts for response manager [1].
  • Bootstrapping log per device (including information about SZTPD’s relay to remote systems)

3 Should Work

SZTPD implements features on top of YANGcore. Please see the “Should Work” section in the YANGcore Release Notes for details about what should work in the YANGcore layer.

SZTPD adds no new “should work” items.

4 Upcoming Features/Releases

The following features are sorted by the expected release they might show up in. Please let us know if there is something out of place or missing.

4.1 Alpha-X

  • Bootstrapping event counter. SZTPD needs to maintain bootstrapping event counters.

  • Device record counters. It is planned to track when the device records are created, last modified, and the total number of modifications. Similarly, to track when the bootstrapping device first connected, last connected, and the total number of connections.

  • Send notifications, as currently none are sent.

4.2 Beta

  • Run performance and soak tests. Only address issues found.

4.3 FCS

  • Nothing new
  • Stress tests
  • Soak tests

4.4 Post 1.0

  • Run the “verify-device-ownership” callouts at the time of the bootstrapping event (in addition to when the device record was first created). This seems like something that should be opted into, and hence a feature that can be implemented later.

  • Support a callout to retrieve an ownership voucher from an external system. This would implement the “supply-ownership-voucher” RPC defined in the “sztpd-rpcs” module. The RPC is currently protected by a ‘feature’ statement called “supply-ownership-voucher”, thus programmatically signaling that it is not supported, though visible in the YANG.

  • Support signing conveyed information sent from SZTPD using the private key associated with a configured owner certificate.

  • Support encrypting conveyed information sent from SZTPD using the device’s public key from its identity certificate (e.g., IDevID).

  • Support stapling revocation responses to CMS objects returned to devices.

  • Update the SBI’s “get-bootstrapping-data” response to strip out the “ietf-sztp-conveyed-info:” prefix from the “hash-algorithm” value. Since the namespace is already “ietf-sztp-conveyed-info”, the value MAY be prefixed, and while it is considered clearer to always use prefixes, it may be considered cluttering in this instance…

5 Known Limitations

SZTPD inherits known limitations from YANGcore. Please see the “Known Limitations” section in the YANGcore Release Notes for details.

SZTPD has no new known limitations.

6 Change Log

Earlier releases have been removed since 0.0.35 was a restart of sorts.

6.1 0.0.35

  • Significant update!
  • Completely factored YANGcore out to its own Python package. See YANGcore’s Release Notes for what is new in the YANGcore layer for its “0.0.1” release.
  • Many nodes moved and/or renamed.
  • YANG simplified: collapsed groupings from old multi-tenancy solution
  • The data model is no longer a single namespace (related to collapsing the groupings).
  • Documentation overhauled (more friendly and now only documents what works)

6.2 0.0.36

  • updated image in design notes document
  • updated code to execute dynamic callouts asynchronously
  • updated dynamic callout examples in user guide document to be asynchronous
  • updated bootstrapping-log to use subsections “request”, “handling”, and “response”
  • removed “identity-certificate” from get-conveyed-information-callout
  • changed relay-progress-report-callout content to not duplicate bootstrapping-log
  • added relay-bootstrapping-log-record-callout (also updated user guide)

6.3 0.0.37

  • bump due to CI/CD snafu

6.4 0.0.38

  • bump due to CI/CD snafu

6.5 0.0.39

  • updated pytests per YANGcore’s new env var “YANGCORE_DISABLE_VAL”

  1. Plugin-based dynamic callouts have been used to test support for RFC 9646.