-
Notifications
You must be signed in to change notification settings - Fork 3
/
draft-ietf-anima-grasp-03.txt
3192 lines (2163 loc) · 127 KB
/
draft-ietf-anima-grasp-03.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group C. Bormann
Internet-Draft Universitaet Bremen TZI
Intended status: Standards Track B. Carpenter, Ed.
Expires: August 27, 2016 Univ. of Auckland
B. Liu, Ed.
Huawei Technologies Co., Ltd
February 24, 2016
A Generic Autonomic Signaling Protocol (GRASP)
draft-ietf-anima-grasp-03
Abstract
This document establishes requirements for a signaling protocol that
enables autonomic devices and autonomic service agents to dynamically
discover peers, to synchronize state with them, and to negotiate
parameter settings mutually with them. The document then defines a
general protocol for discovery, synchronization and negotiation,
while the technical objectives for specific scenarios are to be
described in separate documents. An Appendix briefly discusses
existing protocols with comparable features.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 27, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Bormann, et al. Expires August 27, 2016 [Page 1]
Internet-Draft GRASP February 2016
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirement Analysis of Discovery, Synchronization and
Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements for Discovery . . . . . . . . . . . . . . . 4
2.2. Requirements for Synchronization and Negotiation
Capability . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. Specific Technical Requirements . . . . . . . . . . . . . 8
3. GRASP Protocol Overview . . . . . . . . . . . . . . . . . . . 10
3.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 10
3.2. High-Level Design Choices . . . . . . . . . . . . . . . . 11
3.3. GRASP Protocol Basic Properties and Mechanisms . . . . . 15
3.3.1. Required External Security Mechanism . . . . . . . . 15
3.3.2. Transport Layer Usage . . . . . . . . . . . . . . . . 16
3.3.3. Discovery Mechanism and Procedures . . . . . . . . . 16
3.3.4. Negotiation Procedures . . . . . . . . . . . . . . . 19
3.3.5. Synchronization and Flooding Procedure . . . . . . . 20
3.4. High Level Deployment Model . . . . . . . . . . . . . . . 21
3.5. GRASP Constants . . . . . . . . . . . . . . . . . . . . . 22
3.6. Session Identifier (Session ID) . . . . . . . . . . . . . 22
3.7. GRASP Messages . . . . . . . . . . . . . . . . . . . . . 23
3.7.1. Message Overview . . . . . . . . . . . . . . . . . . 23
3.7.2. GRASP Message Format . . . . . . . . . . . . . . . . 23
3.7.3. Discovery Message . . . . . . . . . . . . . . . . . . 24
3.7.4. Discovery Response Message . . . . . . . . . . . . . 25
3.7.5. Request Messages . . . . . . . . . . . . . . . . . . 25
3.7.6. Negotiation Message . . . . . . . . . . . . . . . . . 26
3.7.7. Negotiation End Message . . . . . . . . . . . . . . . 26
3.7.8. Confirm Waiting Message . . . . . . . . . . . . . 27
3.7.9. Synchronization Message . . . . . . . . . . . . . . . 27
3.7.10. Flood Synchronization Message . . . . . . . . . . . . 27
3.7.11. No Operation Message . . . . . . . . . . . . . . . . 28
3.8. GRASP Options . . . . . . . . . . . . . . . . . . . . . . 28
3.8.1. Format of GRASP Options . . . . . . . . . . . . . . . 28
3.8.2. Divert Option . . . . . . . . . . . . . . . . . . . . 28
3.8.3. Accept Option . . . . . . . . . . . . . . . . . . . . 29
3.8.4. Decline Option . . . . . . . . . . . . . . . . . . . 29
3.8.5. Locator Options . . . . . . . . . . . . . . . . . . . 29
3.9. Objective Options . . . . . . . . . . . . . . . . . . . . 31
3.9.1. Format of Objective Options . . . . . . . . . . . . . 31
Bormann, et al. Expires August 27, 2016 [Page 2]
Internet-Draft GRASP February 2016
3.9.2. Objective flags . . . . . . . . . . . . . . . . . . . 32
3.9.3. General Considerations for Objective Options . . . . 32
3.9.4. Organizing of Objective Options . . . . . . . . . . . 33
3.9.5. Experimental and Example Objective Options . . . . . 34
4. Security Considerations . . . . . . . . . . . . . . . . . . . 34
5. CDDL Specification of GRASP . . . . . . . . . . . . . . . . . 36
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 40
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 40
8.1. Normative References . . . . . . . . . . . . . . . . . . 40
8.2. Informative References . . . . . . . . . . . . . . . . . 41
Appendix A. Open Issues . . . . . . . . . . . . . . . . . . . . 44
Appendix B. Closed Issues [RFC Editor: Please remove] . . . . . 45
Appendix C. Change log [RFC Editor: Please remove] . . . . . . . 51
Appendix D. Capability Analysis of Current Protocols . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction
The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have
become more and more problematic for human based management. Also,
operational costs are growing quickly. Consequently, there are
increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in [RFC7575] and
[RFC7576].
One approach is to largely decentralize the logic of network
management by migrating it into network elements. A reference model
for autonomic networking on this basis is given in
[I-D.behringer-anima-reference-model]. In order to fulfil autonomy,
devices that embody autonomic service agents have specific signaling
requirements. In particular they need to discover each other, to
synchronize state with each other, and to negotiate parameters and
resources directly with each other. There is no restriction on the
type of parameters and resources concerned, which include very basic
information needed for addressing and routing, as well as anything
else that might be configured in a conventional non-autonomic
network. The atomic unit of synchronization or negotiation is
referred to as a technical objective, i.e, a configurable parameter
or set of parameters (defined more precisely in Section 3.1).
Following this Introduction, Section 2 describes the requirements for
discovery, synchronization and negotiation. Negotiation is an
iterative process, requiring multiple message exchanges forming a
closed loop between the negotiating devices. State synchronization,
when needed, can be regarded as a special case of negotiation,
without iteration. Section 3.2 describes a behavior model for a
Bormann, et al. Expires August 27, 2016 [Page 3]
Internet-Draft GRASP February 2016
protocol intended to support discovery, synchronization and
negotiation. The design of GeneRic Autonomic Signaling Protocol
(GRASP) in Section 3 of this document is mainly based on this
behavior model. The relevant capabilities of various existing
protocols are reviewed in Appendix D.
The proposed discovery mechanism is oriented towards synchronization
and negotiation objectives. It is based on a neighbor discovery
process, but also supports diversion to off-link peers. Although
many negotiations will occur between horizontally distributed peers,
many target scenarios are hierarchical networks, which is the
predominant structure of current large-scale managed networks.
However, when a device starts up with no pre-configuration, it has no
knowledge of the topology. The protocol itself is capable of being
used in a small and/or flat network structure such as a small office
or home network as well as a professionally managed network.
Therefore, the discovery mechanism needs to be able to allow a device
to bootstrap itself without making any prior assumptions about
network structure.
Because GRASP can be used to perform a decision process among
distributed devices or between networks, it must run in a secure and
strongly authenticated environment.
It is understood that in realistic deployments, not all devices will
support GRASP. It is expected that some autonomic service agents
will directly manage a group of non-autonomic nodes, and that other
non-autonomic nodes will be managed traditionally. Such mixed
scenarios are not discussed in this specification.
2. Requirement Analysis of Discovery, Synchronization and Negotiation
This section discusses the requirements for discovery, negotiation
and synchronization capabilities. The primary user of the protocol
is an autonomic service agent (ASA), so the requirements are mainly
expressed as the features needed by an ASA. A single physical device
might contain several ASAs, and a single ASA might manage several
technical objectives.
Note that requirements for ASAs themselves, such as the processing of
Intent [RFC7575] or interfaces for coordination between ASAs are out
of scope for the present document.
2.1. Requirements for Discovery
D1. ASAs may be designed to manage anything, as required in
Section 2.2. A basic requirement is therefore that the protocol can
Bormann, et al. Expires August 27, 2016 [Page 4]
Internet-Draft GRASP February 2016
represent and discover any kind of technical objective among
arbitrary subsets of participating nodes.
In an autonomic network we must assume that when a device starts up
it has no information about any peer devices, the network structure,
or what specific role it must play. The ASA(s) inside the device are
in the same situation. In some cases, when a new application session
starts up within a device, the device or ASA may again lack
information about relevant peers. It might be necessary to set up
resources on multiple other devices, coordinated and matched to each
other so that there is no wasted resource. Security settings might
also need updating to allow for the new device or user. The relevant
peers may be different for different technical objectives. Therefore
discovery needs to be repeated as often as necessary to find peers
capable of acting as counterparts for each objective that a discovery
initiator needs to handle. From this background we derive the next
three requirements:
D2. When an ASA first starts up, it has no knowledge of the specific
network to which it is attached. Therefore the discovery process
must be able to support any network scenario, assuming only that the
device concerned is bootstrapped from factory condition.
D3. When an ASA starts up, it must require no information about any
peers in order to discover them.
D4. If an ASA supports multiple technical objectives, relevant peers
may be different for different discovery objectives, so discovery
needs to be repeated to find counterparts for each objective. Thus,
there must be a mechanism by which an ASA can separately discover
peer ASAs for each of the technical objectives that it needs to
manage, whenever necessary.
D5. Following discovery, an ASA will normally perform negotiation or
synchronization for the corresponding objectives. The design should
allow for this by associating discovery, negotiation and
synchronization objectives. It may provide an optional mechanism to
combine discovery and negotiation/synchronization in a single call.
D6. Some objectives may only be significant on the local link, but
others may be significant across the routed network and require off-
link operations. Thus, the relevant peers might be immediate
neighbors on the same layer 2 link, or they might be more distant and
only accessible via layer 3. The mechanism must therefore provide
both on-link and off-link discovery of ASAs supporting specific
technical objectives.
Bormann, et al. Expires August 27, 2016 [Page 5]
Internet-Draft GRASP February 2016
D7. The discovery process should be flexible enough to allow for
special cases, such as the following:
o In some networks, as mentioned above, there will be some
hierarchical structure, at least for certain synchronization or
negotiation objectives, but this is unknown in advance. The
discovery protocol must therefore operate regardless of
hierarchical structure, which is an attribute of individual
technical objectives and not of the autonomic network as a whole.
This is part of the more general requirement to discover off-link
peers.
o During initialisation, a device must be able to establish mutual
trust with the rest of the network and join an authentication
mechanism. Although this will inevitably start with a discovery
action, it is a special case precisely because trust is not yet
established. This topic is the subject of
[I-D.ietf-anima-bootstrapping-keyinfra]. We require that once
trust has been established for a device, all ASAs within the
device inherit the device's credentials and are also trusted.
o Depending on the type of network involved, discovery of other
central functions might be needed, such as the Network Operations
Center (NOC) [I-D.eckert-anima-stable-connectivity]. The protocol
must be capable of supporting such discovery during
initialisation, as well as discovery during ongoing operation.
D8. The discovery process must not generate excessive traffic and
must take account of sleeping nodes in the case of a constrained-node
network [RFC7228].
D9. There must be a mechanism for handling stale discovery results.
2.2. Requirements for Synchronization and Negotiation Capability
As background, consider the example of routing protocols, the closest
approximation to autonomic networking already in widespread use.
Routing protocols use a largely autonomic model based on distributed
devices that communicate repeatedly with each other. The focus is
reachability, so current routing protocols mainly consider simple
link status, i.e., up or down, and an underlying assumption is that
all nodes need a consistent view of the network topology in order for
the routing algorithm to converge. Thus, routing is mainly based on
information synchronization between peers, rather than on bi-
directional negotiation. Other information, such as latency,
congestion, capacity, and particularly unused capacity, would be
helpful to get better path selection and utilization rate, but is not
normally used in distributed routing algorithms. Additionally,
Bormann, et al. Expires August 27, 2016 [Page 6]
Internet-Draft GRASP February 2016
autonomic networks need to be able to manage many more dimensions,
such as security settings, power saving, load balancing, etc. Status
information and traffic metrics need to be shared between nodes for
dynamic adjustment of resources and for monitoring purposes. While
this might be achieved by existing protocols when they are available,
the new protocol needs to be able to support parameter exchange,
including mutual synchronization, even when no negotiation as such is
required. In general, these parameters do not apply to all
participating nodes, but only to a subset.
SN1. A basic requirement for the protocol is therefore the ability
to represent, discover, synchronize and negotiate almost any kind of
network parameter among arbitrary subsets of participating nodes.
SN2. Negotiation is a request/response process that must be
guaranteed to terminate (with success or failure) and if necessary it
must contain tie-breaking rules for each technical objective that
requires them. While these must be defined specifically for each use
case, the protocol should have some general mechanisms in support of
loop and deadlock prevention, such as hop count limits or timeouts.
SN3. Synchronization might concern small groups of nodes or very
large groups. Different solutions might be needed at different
scales.
SN4. To avoid "reinventing the wheel", the protocol should be able
to carry the message formats used by existing configuration protocols
(such as NETCONF/YANG) in cases where that is convenient.
SN5. Human intervention in complex situations is costly and error-
prone. Therefore, synchronization or negotiation of parameters
without human intervention is desirable whenever the coordination of
multiple devices can improve overall network performance. It
therefore follows that the protocol, as part of the Autonomic
Networking Infrastructure, must be capable of running in any device
that would otherwise need human intervention.
SN6. Human intervention in large networks is often replaced by use
of a top-down network management system (NMS). It therefore follows
that the protocol, as part of the Autonomic Networking
Infrastructure, must be capable of running in any device that would
otherwise be managed by an NMS, and that it can co-exist with an NMS,
and with protocols such as SNMP and NETCONF.
SN7. Some features are expected to be implemented by individual
ASAs, but the protocol must be general enough to allow them:
Bormann, et al. Expires August 27, 2016 [Page 7]
Internet-Draft GRASP February 2016
o Dependencies and conflicts: In order to decide a configuration on
a given device, the device may need information from neighbors.
This can be established through the negotiation procedure, or
through synchronization if that is sufficient. However, a given
item in a neighbor may depend on other information from its own
neighbors, which may need another negotiation or synchronization
procedure to obtain or decide. Therefore, there are potential
dependencies and conflicts among negotiation or synchronization
procedures. Resolving dependencies and conflicts is a matter for
the individual ASAs involved. To allow this, there need to be
clear boundaries and convergence mechanisms for negotiations.
Also some mechanisms are needed to avoid loop dependencies. In
such a case, the protocol's role is limited to signaling between
ASAs.
o Recovery from faults and identification of faulty devices should
be as automatic as possible. The protocol's role is limited to
the ability to handle discovery, synchronization and negotiation
at any time, in case an ASA detects an anomaly such as a
negotiation counterpart failing.
o Since the goal is to minimize human intervention, it is necessary
that the network can in effect "think ahead" before changing its
parameters. In other words there must be a possibility of
forecasting the effect of a change by a "dry run" mechanism before
actually installing the change. This will be an application of
the protocol rather than a feature of the protocol itself.
o Management logging, monitoring, alerts and tools for intervention
are required. However, these can only be features of individual
ASAs. Another document [I-D.eckert-anima-stable-connectivity]
discusses how such agents may be linked into conventional OAM
systems via an Autonomic Control Plane
[I-D.ietf-anima-autonomic-control-plane].
SN8. The protocol will be able to deal with a wide variety of
technical objectives, covering any type of network parameter.
Therefore the protocol will need either an explicit information model
describing its messages, or at least a flexible and easily extensible
message format. One design consideration is whether to adopt an
existing information model or to design a new one.
2.3. Specific Technical Requirements
T1. It should be convenient for ASA designers to define new
technical objectives and for programmers to express them, without
excessive impact on run-time efficiency and footprint. The classes
Bormann, et al. Expires August 27, 2016 [Page 8]
Internet-Draft GRASP February 2016
of device in which the protocol might run is discussed in
[I-D.behringer-anima-reference-model].
T2. The protocol should be easily extensible in case the initially
defined discovery, synchronization and negotiation mechanisms prove
to be insufficient.
T3. To be a generic platform, the protocol payload format should be
independent of the transport protocol or IP version. In particular,
it should be able to run over IPv6 or IPv4. However, some functions,
such as multicasting on a link, might need to be IP version
dependent. In case of doubt, IPv6 should be preferred.
T4. The protocol must be able to access off-link counterparts via
routable addresses, i.e., must not be restricted to link-local
operation.
T5. It must also be possible for an external discovery mechanism to
be used, if appropriate for a given technical objective. In other
words, GRASP discovery must not be a prerequisite for GRASP
negotiation or synchronization; the prerequisite is discovering a
peer's locator by any method.
T6. ASAs and the signaling protocol need to run asynchronously when
wait states occur.
T7. Intent: There must be provision for general Intent rules to be
applied by all devices in the network (e.g., security rules, prefix
length, resource sharing rules). However, Intent distribution might
not use the signaling protocol itself, but its design should not
exclude such use.
T8. Management monitoring, alerts and intervention: Devices should
be able to report to a monitoring system. Some events must be able
to generate operator alerts and some provision for emergency
intervention must be possible (e.g. to freeze synchronization or
negotiation in a mis-behaving device). These features might not use
the signaling protocol itself, but its design should not exclude such
use.
T9. The protocol needs to be fully secured against forged messages
and man-in-the middle attacks, and secured as much as reasonably
possible against denial of service attacks. It needs to be capable
of encryption in order to resist unwanted monitoring. However, it is
not required that the protocol itself provides these security
features; it may depend on an existing secure environment.
Bormann, et al. Expires August 27, 2016 [Page 9]
Internet-Draft GRASP February 2016
3. GRASP Protocol Overview
3.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] when they appear in ALL CAPS. When these words are not in
ALL CAPS (such as "should" or "Should"), they have their usual
English meanings, and are not to be interpreted as [RFC2119] key
words.
This document uses terminology defined in [RFC7575].
The following additional terms are used throughout this document:
o Autonomic Device: identical to Autonomic Node.
o Discovery: a process by which an ASA discovers peers according to
a specific discovery objective. The discovery results may be
different according to the different discovery objectives. The
discovered peers may later be used as negotiation counterparts or
as sources of synchronization data.
o Negotiation: a process by which two (or more) ASAs interact
iteratively to agree on parameter settings that best satisfy the
objectives of one or more ASAs.
o State Synchronization: a process by which two (or more) ASAs
interact to agree on the current state of parameter values stored
in each ASA. This is a special case of negotiation in which
information is sent but the ASAs do not request their peers to
change parameter settings. All other definitions apply to both
negotiation and synchronization.
o Technical Objective (usually abbreviated as Objective): A
technical objective is a configurable parameter or set of
parameters of some kind, which occurs in three contexts:
Discovery, Negotiation and Synchronization. In the protocol, an
objective is represented by an identifier and if relevant a value.
Normally, a given objective will occur during discovery and
negotiation, or during discovery and synchronization, but not in
all three contexts.
* One ASA may support multiple independent objectives.
* The parameter described by a given objective is naturally based
on a specific service or function or action. It may in
Bormann, et al. Expires August 27, 2016 [Page 10]
Internet-Draft GRASP February 2016
principle be anything that can be set to a specific logical,
numerical or string value, or a more complex data structure, by
a network node. That node is generally expected to contain an
ASA which may itself manage other nodes.
* Discovery Objective: if a node needs to synchronize or
negotiate a specific objective but does not know a peer that
supports this objective, it starts a discovery process. The
objective is called a Discovery Objective during this process.
* Synchronization Objective: an objective whose specific
technical content needs to be synchronized among two or more
ASAs.
* Negotiation Objective: an objective whose specific technical
content needs to be decided in coordination with another ASA.
o Discovery Initiator: an ASA that spontaneously starts discovery by
sending a discovery message referring to a specific discovery
objective.
o Discovery Responder: a peer ASA which responds to the discovery
objective initiated by the discovery initiator.
o Synchronization Initiator: an ASA that spontaneously starts
synchronization by sending a request message referring to a
specific synchronization objective.
o Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.
o Negotiation Initiator: an ASA that spontaneously starts
negotiation by sending a request message referring to a specific
negotiation objective.
o Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.
3.2. High-Level Design Choices
This section describes a behavior model and some considerations for
designing a generic signaling protocol initially supporting
discovery, synchronization and negotiation, which can act as a
platform for different technical objectives.
o A generic platform
Bormann, et al. Expires August 27, 2016 [Page 11]
Internet-Draft GRASP February 2016
The protocol is designed as a generic platform, which is
independent from the synchronization or negotiation contents. It
takes care of the general intercommunication between counterparts.
The technical contents will vary according to the various
technical objectives and the different pairs of counterparts.
o The protocol is expected to form part of an Autonomic Networking
Infrastructure [I-D.behringer-anima-reference-model]. It will
provide services to ASAs via a suitable application programming
interface, which will reflect the protocol elements but will not
necessarily be in one-to-one correspondence to them. It is
expected that a single instance of GRASP will exist in an
autonomic node, and that the protocol engine and each ASA will run
as independent asynchronous processes.
o Security infrastructure and trust relationship
Because this negotiation protocol may directly cause changes to
device configurations and bring significant impacts to a running
network, this protocol is assumed to run within an existing secure
environment with strong authentication.
On the other hand, a limited negotiation model might be deployed
based on a limited trust relationship. For example, between two
administrative domains, ASAs might also exchange limited
information and negotiate some particular configurations based on
a limited conventional or contractual trust relationship.
o Discovery, synchronization and negotiation are designed together.
The discovery method and the synchronization and negotiation
methods are designed in the same way and can be combined when this
is useful. These processes can also be performed independently
when appropriate.
* GRASP discovery is always available for efficient discovery of
GRASP peers and allows a rapid mode of operation described in
Section 3.3.3. For some objectives, especially those concerned
with application layer services, another discovery mechanism
such as the future DNS Service Discovery [RFC7558] or Service
Location Protocol [RFC2608] MAY be used. The choice is left to
the designers of individual ASAs.
o A uniform pattern for technical contents
Bormann, et al. Expires August 27, 2016 [Page 12]
Internet-Draft GRASP February 2016
The synchronization and negotiation contents are defined according
to a uniform pattern. They could be carried either in simple
binary format or in payloads described by a flexible language.
The basic protocol design uses the Concise Binary Object
Representation (CBOR) [RFC7049]. The format is extensible for
unknown future requirements.
o A flexible model for synchronization
GRASP supports bilateral synchronization, which could be used to
perform synchronization among a small number of nodes. It also
supports an unsolicited flooding mode when large groups of nodes,
possibly including all autonomic nodes, need data for the same
technical objective.
* There may be some network parameters for which a more
traditional flooding mechanism such as DNCP
[I-D.ietf-homenet-dncp] is considered more appropriate. GRASP
can coexist with DNCP.
o A simple initiator/responder model for negotiation
Multi-party negotiations are too complicated to be modeled and
there might be too many dependencies among the parties to converge
efficiently. A simple initiator/responder model is more feasible
and can complete multi-party negotiations by indirect steps.
o Organizing of synchronization or negotiation content
Naturally, the technical content will be organized according to
the relevant function or service. The content from different
functions or services is kept independent from each other. They
are not combined into a single option or single session because
these contents may be negotiated or synchronized with different
counterparts or may be different in response time.
o Self-aware network device
Every autonomic device will be pre-loaded with various functions
and ASAs and will be aware of its own capabilities, typically
decided by the hardware, firmware or pre-installed software. Its
exact role may depend on Intent and on the surrounding network
behaviors, which may include forwarding behaviors, aggregation
properties, topology location, bandwidth, tunnel or translation
Bormann, et al. Expires August 27, 2016 [Page 13]
Internet-Draft GRASP February 2016
properties, etc. The surrounding topology will depend on the
network planning. Following an initial discovery phase, the
device properties and those of its neighbors are the foundation of
the synchronization or negotiation behavior of a specific device.
A device has no pre-configuration for the particular network in
which it is installed.
o Requests and responses in negotiation procedures
The initiator can negotiate with its relevant negotiation
counterpart ASAs, which may be different according to the specific
negotiation objective. It can request relevant information from
the negotiation counterpart so that it can decide its local
configuration to give the most coordinated performance. It can
request the negotiation counterpart to make a matching
configuration in order to set up a successful communication with
it. It can request certain simulation or forecast results by
sending some dry run conditions.
Beyond the traditional yes/no answer, the responder can reply with
a suggested alternative if its answer is 'no'. This would start a
bi-directional negotiation ending in a compromise between the two
ASAs.
o Convergence of negotiation procedures
To enable convergence, when a responder makes a suggestion of a
changed condition in a negative reply, it should be as close as
possible to the original request or previous suggestion. The
suggested value of the third or later negotiation steps should be
chosen between the suggested values from the last two negotiation
steps. In any case there must be a mechanism to guarantee
convergence (or failure) in a small number of steps, such as a
timeout or maximum number of iterations.
* End of negotiation
A limited number of rounds, for example three, or a timeout, is
needed on each ASA for each negotiation objective. It may be
an implementation choice, a pre-configurable parameter, or
network Intent. These choices might vary between different
types of ASA. Therefore, the definition of each negotiation
objective MUST clearly specify this, so that the negotiation
can always be terminated properly.
Bormann, et al. Expires August 27, 2016 [Page 14]
Internet-Draft GRASP February 2016
* Failed negotiation
There must be a well-defined procedure for concluding that a
negotiation cannot succeed, and if so deciding what happens
next (deadlock resolution, tie-breaking, or revert to best-
effort service). Again, this MUST be specified for individual
negotiation objectives, as an implementation choice, a pre-
configurable parameter, or network Intent.
3.3. GRASP Protocol Basic Properties and Mechanisms
3.3.1. Required External Security Mechanism
The protocol SHOULD run within a secure Autonomic Control Plane (ACP)
[I-D.ietf-anima-autonomic-control-plane]. The ACP is assumed to
carry all messages securely, including link-local multicast if
possible. A GRASP implementation MUST verify whether the ACP is
operational.
If there is no ACP, the protocol MUST use another form of strong
authentication and SHOULD use a form of strong encryption. TLS
[RFC5246] is RECOMMENDED for this purpose, based on a local Public
Key Infrastructure (PKI) [RFC5280] managed within the autonomic
network itself. The details of such a PKI and how its boundary is
established are out of scope for this document. DTLS [RFC6347] MAY
be used but since GRASP operations usually involve several messages
this is not expected to be advantageous.
The ACP, or in its absence the local PKI, sets the boundary within
which nodes are trusted as GRASP peers. A GRASP implementation MUST
refuse to execute any GRASP functions except discovery if there is
neither an operational ACP nor an operational TLS environment.
As mentioned in Section 3.2, limited GRASP operations might be
performed across an administrative domain boundary by mutual
agreement. Such operations MUST be authenticated and SHOULD be
encrypted. TLS is RECOMMENDED for this purpose.
Link-local multicast is used for discovery messages. Responses to
discovery messages MUST be secured, with one exception.
The exception is that during initialisation, before a node has joined
the applicable trust infrastructure, e.g.,
[I-D.ietf-anima-bootstrapping-keyinfra], or before the ACP is fully
established, it might be impossible to secure messages. Indeed, both
the security bootstrap process and the ACP creation process might use
insecure GRASP discovery and response messages. Such usage MUST be
Bormann, et al. Expires August 27, 2016 [Page 15]
Internet-Draft GRASP February 2016
limited to the strictly necessary minimum. A full analysis of the
initialisation process is out of scope for the present document.
3.3.2. Transport Layer Usage
GRASP discovery and flooding messages are designed for use over link-
local multicast UDP. They MUST NOT be fragmented, and therefore MUST
NOT exceed the link MTU size. Nothing in principle prevents them
from working over some other method of sending packets to all on-link
neighbors, but this is out of scope for the present specification.
All other GRASP messages are unicast and could in principle run over
any transport protocol. An implementation MUST support use of TCP.
It MAY support use of another transport protocol. However, GRASP
itself does not provide for error detection or retransmission. Use
of an unreliable transport protocol is therefore NOT RECOMMENDED.
When running within a secure ACP on reliable infrastructure, UDP MAY
be used for unicast messages not exceeding the minimum IPv6 path MTU;
however, TCP MUST be used for longer messages. In other words, IPv6
fragmentation is avoided. If a node receives a UDP message but the
reply is too long, it MUST open a TCP connection to the peer for the
reply. Note that when the network is under heavy load or in a fault
condition, UDP might become unreliable. Since this is when autonomic
functions are most necessary, automatic fallback to TCP MUST be
implemented. The simplest implementation is therefore to use only
TCP.
When running without an ACP, TLS MUST be supported and used by
default, except for link-local multicast messages. DTLS MAY be
supported as an alternative but the details are out of scope for this
document.
For all transport protocols, the GRASP protocol listens to the GRASP
Listen Port (Section 3.5).
3.3.3. Discovery Mechanism and Procedures
o Separated discovery and negotiation mechanisms
Although discovery and negotiation or synchronization are
defined together in the GRASP, they are separated mechanisms.
The discovery process could run independently from the
negotiation or synchronization process. Upon receiving a
Discovery (Section 3.7.3) message, the recipient ASA should
return a response message in which it either indicates itself
as a discovery responder or diverts the initiator towards
another more suitable ASA.
Bormann, et al. Expires August 27, 2016 [Page 16]
Internet-Draft GRASP February 2016
The discovery action will normally be followed by a negotiation
or synchronization action. The discovery results could be
utilized by the negotiation protocol to decide which ASA the
initiator will negotiate with.
It is entirely possible to use GRASP discovery without a
subsequent negotiation or synchronization action. In this
case, the discovered objective is simply used as a name during
the discovery process and any subsequent operations between the
peers are outside the scope of GRASP.
o Discovery Procedures
Discovery starts as an on-link operation. The Divert option
can tell the discovery initiator to contact an off-link ASA for
that discovery objective. Every Discovery message is sent by a
discovery initiator via UDP to the ALL_GRASP_NEIGHBOR multicast
address (Section 3.5). Every network device that supports the
GRASP always listens to a well-known UDP port to capture the
discovery messages.
If an ASA in the neighbor device supports the requested
discovery objective, it MAY respond with a Discovery Response
message (Section 3.7.4) with locator option(s). Otherwise, if
the neighbor has cached information about an ASA that supports
the requested discovery objective (usually because it
discovered the same objective before), it SHOULD respond with a
Discovery Response message with a Divert option pointing to the
appropriate Discovery Responder.
If no discovery response is received within a reasonable
timeout (default GRASP_DEF_TIMEOUT milliseconds, Section 3.5),
the Discovery message MAY be repeated, with a newly generated
Session ID (Section 3.6). An exponential backoff SHOULD be
used for subsequent repetitions, in order to mitigate possible
denial of service attacks.
After a GRASP device successfully discovers a Discovery
Responder supporting a specific objective, it MUST cache this
information. This cache record MAY be used for future
negotiation or synchronization, and SHOULD be passed on when
appropriate as a Divert option to another Discovery Initiator.
The cache lifetime is an implementation choice that MAY be
modified by network Intent.
If multiple Discovery Responders are found for the same
objective, they SHOULD all be cached, unless this creates a
resource shortage. The method of choosing between multiple
Bormann, et al. Expires August 27, 2016 [Page 17]
Internet-Draft GRASP February 2016
responders is an implementation choice. This choice MUST be
available to each ASA but the GRASP implementation SHOULD
provide a default choice.
Because Discovery Responders will be cached in a finite cache,
they might be deleted at any time. In this case, discovery
will need to be repeated. If an ASA exits for any reason, its
locator might still be cached for some time, and attempts to
connect to it will fail. ASAs need to be robust in these
circumstances.
A GRASP device with multiple link-layer interfaces (typically a
router) MUST support discovery on all interfaces. If it
receives a Discovery message on a given interface for a
specific objective that it does not support and for which it
has not previously cached a Discovery Responder, it MUST relay
the query by re-issuing a Discovery message on its other
interfaces. The relayed message MUST have a new Session ID.
Before this, it MUST decrement the loop count within the
objective, and MUST NOT relay the Discovery message if the
result is zero. Also, it MUST limit the total rate at which it
relays discovery messages to a reasonable value, in order to
mitigate possible denial of service attacks. It MUST cache the
Session ID value of each relayed discovery message and, to
prevent loops, MUST NOT relay a Discovery message which carries
such a cached Session ID. These precautions avoid discovery
loops and mitigate potential overload.
This relayed discovery mechanism, with caching of the results,
should be sufficient to support most network bootstrapping
scenarios.
o A complete discovery process will start with a multicast on the
local link. On-link neighbors supporting the discovery objective
will respond directly. A neighbor with multiple interfaces will
respond with a cached discovery response if any. If not, it will
relay the discovery on its other interfaces, for example reaching
a higher-level gateway in a hierarchical network. If a node
receiving the relayed discovery supports the discovery objective,
it will respond to the relayed discovery. If it has a cached
response, it will respond with that. If not, it will repeat the
discovery process, which thereby becomes recursive. The loop
count and timeout will ensure that the process ends.