Someone left a comment on my Zero-Touch Provisioning post claiming how Big Switch Networks solved ZTP challenge using just IPv6 Link-Local Address and Neighbor Discovery instead of the complicated DHCP/TFTP/whatever sequence.
Here’s what he wrote:
They use ipv6 link-local addressing with a combination neighbor discovery to locate the controllers. The caveat being that the controllers need to be L2 adjacent with the switch mgmt ports that they hope to provision. Still...its better than anything DHCP related with all the options and image repos involved.
Somehow that didn’t sound right. After all, we don’t need DHCP to assign an IP address to the switch during zero-touch provisioning process (we could use IPv4 link-local addresses) but to point the switch to its software image and configuration file.
I tried to figure out what’s going on behind the scenes and failed. The Dell/VMware/BSN document he quoted spends exactly one paragraph on this topic without providing any details, and the documentation is still behind a regwall.
ONIE bootloader tries all the sane approaches first: local USB file system, URL passed in DHCP response (supporting HTTP, FTP and TFTP) and URL guessing based on DHCP options. If all that fails, it decides it’s time to use a bigger hammer (remember: never use brute force when a bigger hammer would do the trick):
- Ping all neighbors using broadcast IPv4 ping and all-node multicast IPv6 ping;
- For every neighbor responding to the ping, try to reach it over HTTP (port 80);
- For every web server present on the local network, try two-dozen image names.
Yes, the approach works, but the hammer it uses would probably make Thor proud… and you better hope that:
- The switches send ONIE requests only on their management port(s);
- The management network is totally isolated from the user-facing infrastructure;
- Someone hasn’t broken into one of your switches and started a web server on it (remember: they all run Linux these days) just for the giggles.
Failing either one of these assumptions could result in an interesting security challenge.