Secure Zero Touch Provisioning

Secure Zero Touch Provisioning (SZTP), also referred to as secure ZTP is an implementation of RFC 8572, using the Ownership Voucher format from RFC 8366.

The SR Linux implementation of SZTP partially follows RFC 8572 and does not yet implement the full standard.

With SZTP, the operator bootstraps a network device without staging an initial configuration on the device before it joins the network. The deployment must still include DHCP, bootstrap servers, and ownership artifacts in the network. See SZTP process.

The primary function of the secure ZTP process is to securely bootstrap the node, providing it with the necessary information to boot into an operational state. This includes the initial artifacts to establish a mutual trust relationship between the node and the bootstrap server. After the node boots, it discovers the bootstrap server IP address, communicates with the server, and authenticates both the server and itself. The boot image is fetched via download-uri, and its integrity is verified using an image-verification hash. After verification, the device installs the image and applies the initial configuration information to ensure a secure bootstrapping process.

SR Linux uses different bootstrapping methods to obtain the required TLS certificates, trust anchors, and redirect information to connect securely to the server and download all the information required to boot in an operational mode.

SZTP builds trust into the onboarding workflow, validating the network devices and provisioning servers, making it suitable for both trusted and untrusted deployment scenarios.

Supported platforms

SZTP is supported on the following platforms:

  • 7220 IXR-H5
  • 7220 IXR-H6-64
  • 7250 IXR-X4
  • 7250 IXR-X4 OSFP
  • 7250 IXR-X1b
  • 7250 IXR-X3b
  • 7250 IXR-18e
  • 7250 IXR Gen 2c+
  • 7250 IXR Gen 3
  • 7730 SXR-1-32D
  • 7730 SXR-1d-32D
  • 7730 SXR-1x-44S