BootZ
BootZ is a gRPC-based protocol used to bootstrap a network device securely.
To enable device bootstrapping, BootZ defines the boot process and provides a specification that enumerates the data elements involved, which can be vendor-agnostic.
The SR Linux implementation of BootZ is currently a partial application of the BootZ specification and is evolving to meet all aspects of the BootZ protocol.
The SR Linux BootZ implementation uses DHCP and bootstrap servers to locate and obtain the bootstrapping data. Currently, only the bootstrap process from DHCP discovery to successful processing of the bootstrap data is supported.
In the SR Linux BootZ implementation, the DHCP server provides the CPM with unsigned redirect information, which includes a list of bootstrap servers. The CPM then uses this information to execute the bootstrapping RPCs against the list of bootstrap servers.
BootZ components
On-boarding device
The Nokia router that you want to provision and connect to your network.
DHCP server
The DHCP server provides the node with the location of the BootZ bootstrap server.
BootZ bootstrap server
The BootZ bootstrap server hosts the bootstrapping data, which includes the OS version and initial device configuration. The bootstrap servers use gRPC methods to communicate with the on-boarding devices.
The on-boarding device uses the RPC GetBootstrappingData to initiate the BootZ process with the BootZ server. The RPC method uses the structure GetBootstrapDataRequest for the request data and the structure GetBootstrapDataResponse for the response data. The structure GetBootstrappingDataResponse contains the bootstrapping data.
The on-boarding device uses the RPC ReportProgress to report its bootstrapping progress to the BootZ server.
Bootstrapping artifacts
Bootstrapping artifacts are as follows:
- TPM keys: See TPM Keys (IDevID and IAK).
- Redirect information: refers to the data provided to an on-boarding device that directs it to an alternative server or endpoint for obtaining further configurations or bootstrapping data.
- On-boarding information: On-boarding information supplies the data required for a device to bootstrap and establish secure connections with other systems.
- Ownership Voucher: To support BootZ, an Ownership Voucher (OV) must be obtained by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC), a trusted digital certificate issued by Nokia and pinned by operators, and the order details containing the router serial numbers.
- Ownership certificate: represents an X.509 certificate that binds an owner identity to a public key, allowing a device to validate a signature on the conveyed information artifact. It is provided to the device via the bootstrap server. The digital signature is validated against the PDC, which is contained in the Ownership Voucher.
BootZ process
- Ensure you obtain a bootstrapping RTU (Right to Use) license and purchase new devices with an OS kit, with BootZ enabled by default, instead of ZTP.
- Ensure you obtain an Ownership Voucher (OV) by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC), a trusted digital certificate issued by Nokia and pinned by operators, along with the order details containing the serial numbers of the routers.
- Ensure DHCP and BootZ bootstrap servers are configured in the network.
- At the installation site, the BootZ OS kit triggers the initialization of the secure bootstrapping process.
- DHCP discovery of the BootZ bootstrap server
  - The node boots up and initiates a DHCP request to the DHCP server.
  - The DHCP server assigns an address to the requesting node and provides a list of bootstrap server URIs. The DHCP response carries the option code OPTION_V4_SZTP_REDIRECT(143) or OPTION_V6_SZTP_REDIRECT(136): OPTION_V4_SZTP_REDIRECT(143) is the DHCPv4 option code for IPv4 addressing, and OPTION_V6_SZTP_REDIRECT(136) is the DHCPv6 option code for IPv6 addressing. Each URI has the format bootz://<host or ip>:<port>.
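The redirect step above is the one unsigned input in the process, so the device-side parsing deserves care. The following is an added example written for this page, not code from the SR Linux documentation or from Nokia's implementation: it decodes the bootstrap-server-list carried in the redirect option (assuming the RFC 8572 wire layout of a 2-octet uri-length followed by the URI for each entry), rejects truncated or over-long length fields instead of silently dropping entries, and then checks each URI against the bootz://<host or ip>:<port> format before the device would dial it. The addresses and the port number in the sample are constructed values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// DHCP option codes from RFC 8572 that the redirect uses.
const (
	OptionV4SZTPRedirect = 143 // DHCPv4
	OptionV6SZTPRedirect = 136 // DHCPv6
)

// encodeSZTPRedirect builds the option payload (the bytes after the option
// code and option length): a bootstrap-server-list of <2-octet uri-length><URI>
// entries, the layout assumed from RFC 8572 section 8. Used here only to
// construct sample input.
func encodeSZTPRedirect(uris []string) []byte {
	var out []byte
	for _, u := range uris {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(u)))
		out = append(out, l[:]...)
		out = append(out, u...)
	}
	return out
}

// parseSZTPRedirect decodes the bootstrap-server-list in the order the server
// listed it. A truncated or over-long uri-length is a hard error: a device that
// tolerates a malformed option is harder to debug than one that rejects it.
func parseSZTPRedirect(payload []byte) ([]string, error) {
	var uris []string
	for off := 0; off < len(payload); {
		if len(payload)-off < 2 {
			return nil, errors.New("truncated uri-length field")
		}
		n := int(binary.BigEndian.Uint16(payload[off:]))
		off += 2
		if n == 0 || n > len(payload)-off {
			return nil, fmt.Errorf("uri-length %d does not fit the remaining %d bytes", n, len(payload)-off)
		}
		uris = append(uris, string(payload[off:off+n]))
		off += n
	}
	if len(uris) == 0 {
		return nil, errors.New("empty bootstrap-server-list")
	}
	return uris, nil
}

// bootzEndpoint checks one URI against the bootz://<host or ip>:<port> format
// and returns the host:port the device would dial.
func bootzEndpoint(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "bootz" {
		return "", fmt.Errorf("unexpected scheme %q in %q", u.Scheme, raw)
	}
	if u.User != nil || u.RawQuery != "" || (u.Path != "" && u.Path != "/") {
		return "", fmt.Errorf("unexpected userinfo, path or query in %q", raw)
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil {
		return "", fmt.Errorf("%q: %w", raw, err)
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 || host == "" {
		return "", fmt.Errorf("bad host or port in %q", raw)
	}
	return net.JoinHostPort(host, port), nil
}

// endpointsFromRedirect combines both steps and returns the dialable endpoints
// together with the URIs it rejected, so a bad entry is reported rather than lost.
func endpointsFromRedirect(payload []byte) (ok []string, rejected []string, err error) {
	uris, err := parseSZTPRedirect(payload)
	if err != nil {
		return nil, nil, err
	}
	for _, u := range uris {
		ep, err := bootzEndpoint(u)
		if err != nil {
			rejected = append(rejected, u)
			continue
		}
		ok = append(ok, ep)
	}
	return ok, rejected, nil
}

func main() {
	// Constructed sample: two valid bootz URIs and one a device must not dial.
	payload := encodeSZTPRedirect([]string{
		"bootz://192.0.2.10:15006",
		"bootz://[2001:db8::10]:15006",
		"https://192.0.2.10:443",
	})
	fmt.Printf("option %d payload: %x\n", OptionV4SZTPRedirect, payload)
	ok, rejected, err := endpointsFromRedirect(payload)
	fmt.Println("dial:", ok, "rejected:", rejected, "err:", err)
	// Truncated option: the last length field promises more bytes than arrive.
	_, _, err = endpointsFromRedirect(payload[:len(payload)-4])
	fmt.Println("truncated payload:", err)
}
```

The same decoder serves both option codes, since only the option header differs between DHCPv4 and DHCPv6; what the device must never do is fall back to a non-bootz scheme or a server that is not in the list.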
- Bootstrapping service
  - The router sends the GetBootstrappingData RPC to the bootstrap server obtained from the DHCP server. The device establishes a gRPC connection to the BootZ server and must use its unique IDevID certificate, stored in the control card, to establish and secure the TLS connection to the BootZ server.
  - The BootZ server sends a response in the structure GetBootstrappingDataResponse. The server messages are signed by an ownership certificate.
  - The device validates the Ownership Voucher, which authenticates the ownership certificate. Before accepting the message, the device verifies the signature of the message body. If the signature cannot be verified, the bootstrap process restarts from step 2.
  - After the on-boarding router is authenticated, the BootZ server sends the required artifacts. These include the OS version and initial device configuration.
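The two device-side checks in the steps above (the ownership certificate must be trusted through the PDC, and the message body signature must verify) are shown below as an added example in Go; this is not code from the SR Linux documentation or from the BootZ project. The PDC, the ownership certificate, the ECDSA/SHA-256 signature format and the JSON body are all generated or assumed here so that the example runs offline. Validating the Ownership Voucher itself (the Nokia signature over the voucher that carries the PDC) is outside the example; it treats the PDC as already extracted and trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ownerChain bundles the artifacts named on the page. In a real deployment the
// PDC arrives inside the Ownership Voucher and the ownership certificate's
// private key stays on the bootstrap server; both are generated locally here
// only so the example is self-contained.
type ownerChain struct {
	PDC       *x509.Certificate
	OwnerCert *x509.Certificate
	OwnerKey  *ecdsa.PrivateKey
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildOwnerChain creates a constructed PDC (self-signed CA) and an ownership
// certificate issued under it; domain only labels the subjects.
func buildOwnerChain(domain string) (*ownerChain, error) {
	pdcKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ownerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	pdcTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: domain + " PDC"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	pdc, err := issue(pdcTmpl, pdcTmpl, &pdcKey.PublicKey, pdcKey)
	if err != nil {
		return nil, err
	}
	ownerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: domain + " ownership certificate"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ownerCert, err := issue(ownerTmpl, pdc, &ownerKey.PublicKey, pdcKey)
	if err != nil {
		return nil, err
	}
	return &ownerChain{PDC: pdc, OwnerCert: ownerCert, OwnerKey: ownerKey}, nil
}

// signBootstrapBody is the server side: an ECDSA/SHA-256 signature over the
// serialized message body (an assumed encoding, not BootZ's own).
func signBootstrapBody(body []byte, ownerKey *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, ownerKey, digest[:])
}

// verifyBootstrapBody is the device-side check in the order the page gives: the
// ownership certificate must chain to the pinned PDC, and only then is the
// signature over the body checked. Any error maps to the restart from step 2.
func verifyBootstrapBody(body, sig []byte, ownerCert, pdc *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pdc)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ownerCert.Verify(opts); err != nil {
		return fmt.Errorf("ownership certificate not issued under the pinned PDC: %w", err)
	}
	pub, ok := ownerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("ownership certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature over the bootstrap data body does not verify")
	}
	return nil
}

func main() {
	operator, _ := buildOwnerChain("operator.example")
	rogue, _ := buildOwnerChain("rogue.example")
	body := []byte(`{"os_version":"<placeholder>","config":"<placeholder>"}`) // constructed body
	sig, _ := signBootstrapBody(body, operator.OwnerKey)
	fmt.Println("genuine:", verifyBootstrapBody(body, sig, operator.OwnerCert, operator.PDC))
	tampered := append([]byte{}, body...)
	tampered[len(tampered)-2] ^= 1
	fmt.Println("tampered body:", verifyBootstrapBody(tampered, sig, operator.OwnerCert, operator.PDC))
	rogueSig, _ := signBootstrapBody(body, rogue.OwnerKey)
	fmt.Println("rogue certificate:", verifyBootstrapBody(body, rogueSig, rogue.OwnerCert, operator.PDC))
}
```

The order matters: checking the chain before the signature means a server presenting a valid signature under a certificate the operator never pinned is rejected on the certificate, and a tampered body under the genuine certificate is rejected on the signature, with neither outcome revealing bootstrap data to the device.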
- Report progress
  - When the router obtains the on-boarding information, it reports the bootstrapping progress to the BootZ server using the RPC ReportProgress. Currently, SR Linux does not support EnrollZ and AttestZ functionalities.
- The router downloads the OS image, verifies its hash, checks if the image version from bootstrap data differs from the current running version, and installs the OS. The router then applies the configuration and becomes operational. A reboot is required if the image version differs from the current running image.
- After the device boots up with the new image, it applies the configuration provided by the bootstrap server and sends out a final report.