On Feb 11, 2020, at 15:41, Warren Kumari <[email protected]<mailto:[email protected]>> wrote:
On Tue, Feb 11, 2020 at 10:19 AM Joe Clarke (jclarke) <[email protected]<mailto:[email protected]>> wrote: As a contributor, I think this document is mostly ready (and as previously stated, I like and support the work). That said, after another read I found a few spelling nits and some comments: In Section 2, you paint the picture of a scenario, but “break the fourth wall” to explain what is existing and what is new functionality as well as state that the document prescribes using the SN as the unique identifier. In the spirit of a scenario with additional context, I think you should clarify that the DHCP boot of an out-of-the-box device is _typically_ existing functionality. Some vendors’ devices may not do this. Good point. I have just submitted a new version which I think addresses this (and your other comments below) -- I broke section 2 ("Overview / Example Scenario") into 2 sections, "Overview" and "Example Scenario". This required moving some text around, but I think addresses your concern (and improves the document). Thanks. I like these changes. Yes -- unfortunately there doesn't seem to be any sort of standard way to add a comment device configs - these all work on different devices: # I'm a comment ! I'm also a comment ; Yet another comment format : This is getting silly ' Ugh, who thought apostrophes was a sane comment character?! I was actually thinking about the opposite. Could your encrypted blob have a header? Like a PEM encoded certificate has "-----BEGIN CERTIFICATE——“. This way if you have that, you try to decrypt, else you assume a regular config. How about some text along the lines of: "Unfortunately there is no standard way to identify if a config file has been successfully decrypted, as different vendors use different configuration languages, with different forms of comments, etc. It is recommended that each vendor documents a standard header or magic which devices can use to determine if the configuration seems largely correct. As an example, Cisco IOS configuration files use the '!' character as a comment, and so Cisco IOS files could be expected to start with something like '! This is a Cisco IOS configuration file'. Juniper Network's JunOS uses '#' as a comment character, and so Juniper could adopt the convention of using '## JunOS device configuration file' (or some other string, to be chosen and documented by the vendor)." Note that I have *not* included this is the newly posted version yet, as I think it needs some polishing... Sure. This text works as a means to know if decryption works. But (and I haven’t tried this), if I point IOS to just some random bytes via option 150, I think it will try to load it (I know that some file extensions like .tcl and .py will be considered). So you might not need to worry so much about what if decryption works as to know what should be attempted to be decrypted. Joe
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
