
What Is SZTP?

Secure Zero Touch Provisioning (SZTP) extends DHCP-based ZTP deployment with a bootstrap server and protects ZTP data with two-way (mutual) authentication and encryption. After a device without a configuration file is powered on, it functions as a DHCP client to obtain the bootstrap server's IP address or domain name from the DHCP server. The device then uses its preconfigured certificate to perform two-way authentication with the bootstrap server, establishes an HTTPS connection, and obtains deployment information from it. In this way the device is deployed securely without manual intervention. SZTP applies to scenarios that require high security, such as the financial industry.

How Does SZTP Work?

To perform SZTP, you must set up an SZTP network first, which includes the DHCP server, bootstrap server, and deployment file server, as shown in the following figure.

  • Device: a newly delivered device or device without a configuration file, which functions as a DHCP client and is to be deployed.
  • DHCP server: allocates a temporary management IP address, default gateway, DNS server address, and bootstrap server address or domain name to the device to be deployed through SZTP.
  • DHCP relay agent: forwards packets exchanged between the device to be deployed and the DHCP server when they are located on different network segments.
  • Bootstrap server: guides the SZTP process. After establishing an HTTPS connection with the device to be deployed, the bootstrap server sends information such as the IP address of the deployment file server and the path for downloading deployment files to the device.
  • Deployment file server: stores the deployment files to be loaded to the device to be deployed, including the system software, configuration file, and patch file. The deployment file server establishes an HTTPS connection with the device to provide deployment files.
  • DNS server: provides mappings between domain names and IP addresses, and resolves the domain name of the server such as the bootstrap server to an IP address.
  • Syslog server: uploads user logs recorded during the SZTP process to the network management system (NMS).
SZTP networking

The following example describes the SZTP working process where a DNS server is not used.

  1. After being powered on, the device without a configuration file functions as a DHCP client to send a DHCP request packet to the DHCP server. After receiving the packet, the DHCP server assigns an IP address, a default gateway, and the IP address or domain name of the bootstrap server to the device.
  2. After obtaining the IP address of the bootstrap server, the device performs two-way authentication with the bootstrap server using the preconfigured certificate, establishes an HTTPS connection with the bootstrap server, and obtains information such as the IP address of the deployment file server and the path for downloading the deployment file from the bootstrap server.
  3. After obtaining the IP address of the deployment file server, the device sets up an HTTPS connection with the deployment file server to download the system software, configuration file, and so on.
  4. The device specifies the downloaded files as the files to be loaded at the next startup. After the device restarts, the version files are automatically loaded.

How Does SZTP Ensure Deployment Security?

A device capable of SZTP is preconfigured with a certificate before delivery. The bootstrap server and deployment file server are also preconfigured with related certificates. The device uses the preconfigured certificate to perform two-way authentication and establishes an HTTPS connection with the bootstrap server. In this way, secure data exchange is ensured.

Similarly, after obtaining the IP address of the deployment file server, the device uses the preconfigured certificate to perform two-way authentication and establishes an HTTPS connection with the deployment file server to securely download system files and configuration files.
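The working process above (DHCP offer, bootstrap server, deployment file server, next-startup staging) and the two-way authentication on each HTTPS hop can be modelled end to end. The following is an added example, not code from this page or from any vendor implementation: X.509 certificates and TLS are replaced by toy JSON "certificates" whose CA signature is an HMAC under a key held in each party's trust store, the DHCP option name `bootstrap-server`, the server URLs and the file paths are all constructed for the example, and the rogue case shows the device refusing a bootstrap server whose certificate does not chain to the preconfigured trust anchor.

```python
# Added example (not from the IP Encyclopedia page or any vendor code): a stand-alone
# model of the SZTP flow, DHCP offer -> bootstrap server -> deployment file server ->
# next-startup staging, with two-way authentication on every HTTPS hop.
# Assumption: X.509 certificates are replaced by toy JSON "certificates" whose CA
# signature is an HMAC under a shared CA key held in each party's trust store, so the
# example runs offline with the standard library only.
import hashlib
import hmac
import json


def issue_cert(ca_key: bytes, subject: str, role: str) -> dict:
    """The 'factory' step: the CA binds a subject name to a role and signs it."""
    body = {"subject": subject, "role": role}
    payload = json.dumps(body, sort_keys=True).encode()
    return {**body, "sig": hmac.new(ca_key, payload, hashlib.sha256).hexdigest()}


def verify_cert(ca_key: bytes, cert: dict, expected_role: str) -> bool:
    """Accept only a cert that chains to the preconfigured CA *and* carries the expected role."""
    body = {k: cert.get(k) for k in ("subject", "role")}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(ca_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("sig", "")) and cert.get("role") == expected_role


class AuthError(Exception):
    """Raised when either side of the two-way authentication fails."""


class Server:
    """Bootstrap or deployment file server: authenticates the device before serving anything."""

    def __init__(self, ca_key: bytes, cert: dict, content: dict):
        self.ca_key, self.cert, self.content = ca_key, cert, content

    def handshake(self, client_cert: dict) -> dict:
        # Server side of two-way authentication: the device must present a valid device cert.
        if not verify_cert(self.ca_key, client_cert, "device"):
            raise AuthError(f"{self.cert['subject']}: rejected unauthenticated client")
        return self.cert

    def get(self, client_cert: dict, path: str):
        self.handshake(client_cert)
        return self.content[path]


class Device:
    """Device without a configuration file, preconfigured with a trust anchor and its own cert."""

    def __init__(self, ca_key: bytes, cert: dict):
        self.ca_key, self.cert = ca_key, cert
        self.next_startup = {}  # files specified for loading at the next startup

    def _connect(self, network: dict, url: str, role: str) -> Server:
        # Client side of two-way authentication: HTTPS only, and only a server whose cert
        # chains to the preconfigured CA with the role this step expects.
        if not url.startswith("https://"):
            raise AuthError(f"refusing plaintext transport for {url}")
        server = network[url]
        server_cert = server.handshake(self.cert)
        if not verify_cert(self.ca_key, server_cert, role):
            raise AuthError(f"{url}: server certificate not trusted for role {role}")
        return server

    def provision(self, dhcp_offer: dict, network: dict) -> dict:
        # Step 1: the DHCP offer carries the bootstrap server address (option name assumed).
        bootstrap_url = dhcp_offer.get("bootstrap-server")
        if not bootstrap_url:
            raise ValueError("DHCP offer carries no bootstrap server address")
        # Step 2: mutually authenticated HTTPS to the bootstrap server for deployment info.
        bootstrap = self._connect(network, bootstrap_url, "bootstrap-server")
        info = bootstrap.get(self.cert, "/bootstrap")
        # Step 3: mutually authenticated HTTPS to the deployment file server for each file.
        file_server = self._connect(network, info["file-server"], "file-server")
        for path in info["files"]:
            self.next_startup[path] = file_server.get(self.cert, path)
        # Step 4: the downloaded files are staged to be loaded at the next startup.
        return dict(self.next_startup)


def build_demo(rogue: bool = False):
    """Constructed sample network; with rogue=True the bootstrap server is signed by another CA."""
    ca_key = b"constructed-factory-ca-key"
    device = Device(ca_key, issue_cert(ca_key, "SN-0001", "device"))
    bs_key = b"constructed-untrusted-ca-key" if rogue else ca_key
    files = {"/sw/system.bin": b"system software", "/cfg/SN-0001.cfg": b"sysname SN-0001"}
    network = {
        "https://bootstrap.example": Server(
            ca_key, issue_cert(bs_key, "bootstrap", "bootstrap-server"),
            {"/bootstrap": {"file-server": "https://files.example", "files": list(files)}}),
        "https://files.example": Server(ca_key, issue_cert(ca_key, "files", "file-server"), files),
    }
    return device, {"bootstrap-server": "https://bootstrap.example"}, network


def run_demo(rogue: bool = False):
    """Returns ('staged', files) on success or ('rejected', reason) when authentication fails."""
    device, offer, network = build_demo(rogue)
    try:
        return "staged", device.provision(offer, network)
    except AuthError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(rogue=True))
```

The point to notice is that authentication is checked in both directions at both hops: the server refuses to hand out deployment information to a client without a valid device certificate, and the device refuses deployment information from a server it cannot verify against its factory-installed trust anchor, which is what stops a server merely reachable on the management network from pushing software or configuration to a fresh device.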

About This Topic
  • Author: Chen Guixiang, Tang Jie
  • Updated on: 2024-02-27