-
Notifications
You must be signed in to change notification settings - Fork 3
/
draft-ietf-anima-grasp-06.xml
2839 lines (2332 loc) · 146 KB
/
draft-ietf-anima-grasp-06.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This is built from a template for a generic Internet Draft. Suggestions for
improvement welcome - write to Brian Carpenter, brian.e.carpenter @ gmail.com
This can be converted using the Web service at http://xml.resource.org/ -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<!-- You want a table of contents -->
<?rfc symrefs="yes"?>
<!-- Use symbolic labels for references -->
<?rfc sortrefs="yes"?>
<!-- This sorts the references -->
<?rfc iprnotified="no" ?>
<!-- Change to "yes" if someone has disclosed IPR for the draft -->
<?rfc compact="yes"?>
<!-- This defines the specific filename and version number of your draft (and inserts the appropriate IETF boilerplate -->
<rfc category="std" docName="draft-ietf-anima-grasp-06" ipr="trust200902">
<front>
<title abbrev="GRASP">A Generic Autonomic Signaling Protocol (GRASP)</title>
<author initials="C." surname="Bormann" fullname="Carsten Bormann">
<organization>Universität Bremen TZI</organization>
<address>
<postal>
<street>Postfach 330440</street>
<city>D-28359 Bremen</city>
<country>Germany</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Brian Carpenter" initials="B. E." surname="Carpenter" role="editor">
<organization abbrev="Univ. of Auckland"/>
<address>
<postal>
<street>Department of Computer Science</street>
<street>University of Auckland</street>
<street>PB 92019</street>
<city>Auckland</city>
<region/>
<code>1142</code>
<country>New Zealand</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Bing Liu" initials="B." surname="Liu" role="editor">
<organization>Huawei Technologies Co., Ltd</organization>
<address>
<postal>
<street>Q14, Huawei Campus</street>
<street>No.156 Beiqing Road</street>
<city>Hai-Dian District, Beijing</city>
<code>100095</code>
<country>P.R. China</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<!---->
<date day="27" month="June" year="2016"/>
<abstract>
<t>This document establishes requirements for a signaling protocol that enables autonomic
devices and autonomic service agents to dynamically discover peers, to synchronize
state with them, and to negotiate parameter settings mutually with them. The document
then defines a general protocol for discovery, synchronization and negotiation,
while the technical objectives for specific scenarios are to be described in
separate documents. An Appendix briefly discusses existing protocols with
comparable features.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have become more and more
problematic for human based management. Also, operational costs are growing quickly.
Consequently, there are increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in
<xref target="RFC7575"/> and <xref target="RFC7576"/>. </t>
<t>One approach is to largely decentralize the logic of network management by migrating it
into network elements. A reference model for autonomic networking on this basis is given in
<xref target="I-D.ietf-anima-reference-model"/>. The reader should consult this document
to understand how various autonomic components fit together.
In order to fulfil autonomy, devices that embody Autonomic Service Agents
(ASAs, <xref target="RFC7575"/>)
have specific signaling requirements. In particular they need to discover each other,
to synchronize state with each other,
and to negotiate parameters and resources directly with each other.
There is no limitation on the types of parameters and resources concerned,
which can include very basic information needed for addressing and routing,
as well as anything else that might be configured in a conventional non-autonomic network.
The atomic unit of discovery, synchronization or negotiation is referred to as a technical
objective, i.e, a configurable parameter or set of parameters
(defined more precisely in <xref target="terms"/>).</t>
<t>Following this Introduction, <xref target="reqts"/> describes the requirements
for discovery, synchronization and negotiation.
Negotiation is an iterative process, requiring multiple message exchanges forming
a closed loop between the negotiating entities. In fact, these entities are
ASAs, normally but not necessarily in different network devices.
State synchronization, when needed,
can be regarded as a special case of negotiation, without iteration.
<xref target="highlevel"/> describes a behavior model for a protocol
intended to support discovery, synchronization and negotiation. The
design of GeneRic Autonomic Signaling Protocol (GRASP) in <xref target="Overview"/>
of this document is mainly based on this behavior model. The relevant capabilities
of various existing protocols are reviewed in <xref target="current"/>.</t>
<t>The proposed discovery mechanism is oriented towards synchronization and
negotiation objectives. It is based on a neighbor discovery process, but
also supports diversion to off-link peers. There is no assumption of any
particular form of network topology. When a device starts up with no pre-configuration,
it has no knowledge of the topology. The protocol itself is capable of
being used in a small and/or flat network structure such as a small
office or home network as well as a professionally managed network.
Therefore, the discovery mechanism needs to be able to allow a device
to bootstrap itself without making any prior assumptions about network
structure. </t>
<t>Because GRASP can be used to perform a decision process among distributed
devices or between networks, it must run in a secure and strongly authenticated
environment.
</t>
<t>It is understood that in realistic deployments, not all devices will
support GRASP. It is expected that some autonomic service agents will directly
manage a group of non-autonomic nodes, and that other non-autonomic nodes
will be managed traditionally. Such mixed scenarios
are not discussed in this specification.</t>
</section>
<!-- intro -->
<section anchor="reqts" title="Requirement Analysis of Discovery, Synchronization and Negotiation">
<t>This section discusses the requirements for discovery, negotiation
and synchronization capabilities. The primary user of the protocol is an autonomic service
agent (ASA), so the requirements are mainly expressed as the features needed by an ASA.
A single physical device might contain several ASAs, and a single ASA might manage
several technical objectives. If a technical objective is managed by several ASAs,
any necessary coordination is outside the scope of the signaling protocol itself.</t>
<t>Note that requirements for ASAs themselves, such as the processing of Intent
<xref target="RFC7575"/> or interfaces for coordination between ASAs are out of scope
for the present document.</t>
<section title="Requirements for Discovery">
<t>D1. ASAs may be designed to manage anything, as required in
<xref target="synchreq"/>. A basic requirement
is therefore that the protocol can represent and discover any
kind of technical objective among arbitrary subsets of participating nodes.</t>
<t>In an autonomic network we must assume that when a device starts up
it has no information about any peer devices, the network structure,
or what specific role it must play. The ASA(s) inside the device are
in the same situation. In some cases, when a new application session
starts up within a device, the device or ASA may again lack
information about relevant peers. For example, it might be necessary to set
up resources on multiple other devices, coordinated and matched to
each other so that there is no wasted resource. Security settings
might also need updating to allow for the new device or user.
The relevant peers may be different for different technical
objectives. Therefore discovery needs to be repeated as often as
necessary to find peers capable of acting as counterparts for each
objective that a discovery initiator needs to handle.
From this background we derive the next three requirements:</t>
<t>D2. When an ASA first starts up, it has no knowledge of the specific network to
which it is attached.
Therefore the discovery process must be able to support any network scenario,
assuming only that the device concerned is bootstrapped from factory condition.
</t>
<t>D3. When an ASA starts up, it must require no configured location information about any
peers in order to discover them.</t>
<t>D4. If an ASA supports multiple technical objectives, relevant peers may be different
for different discovery objectives, so discovery needs to be performed separately to
find counterparts for each objective. Thus, there must be a mechanism by
which an ASA can separately discover peer ASAs for each of the
technical objectives that it needs to manage, whenever necessary.</t>
<t>D5. Following discovery, an ASA will normally perform negotiation
or synchronization for the corresponding objectives. The design
should allow for this by conveniently linking discovery to negotiation
and synchronization. It may provide an optional mechanism to
combine discovery and negotiation/synchronization in a single call.</t>
<t>D6. Some objectives may only be significant on the local link,
but others may be significant across the routed network and require
off-link operations. Thus, the relevant peers might be immediate
neighbors on the same layer 2 link, or they might be more distant and
only accessible via layer 3. The mechanism must therefore provide both
on-link and off-link discovery of ASAs supporting specific technical
objectives.</t>
<t>D7. The discovery process should be flexible enough to allow for
special cases, such as the following:
<list style="symbols">
<!-- <t>In some networks, as mentioned above, there will be some
hierarchical structure, at least for certain synchronization or negotiation
objectives, but this is unknown in advance. The discovery protocol must therefore
operate regardless of hierarchical structure, which is an attribute of
individual technical objectives
and not of the autonomic network as a whole. A special case of discovery is that each
device must be able to discover its hierarchical superior for each
such objective that it is capable of handling. This is part of the more
general requirement to discover off-link peers.</t> -->
<t>During initialisation, a device must be able to establish mutual trust
with the rest of the network and join an authentication mechanism. Although
this will inevitably start with a discovery action, it is a special case
precisely because trust is not yet established. This topic
is the subject of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>.
We require that once trust has been established for a device,
all ASAs within the device inherit the device's credentials and are also trusted.</t>
<t>
Depending on the type of network involved, discovery of other
central functions might be needed, such as
<!--a source of Intent distribution <xref target="RFC7575"/> or -->
the Network Operations
Center (NOC) <xref target="I-D.ietf-anima-stable-connectivity"/>.
The protocol must be capable of supporting such discovery during initialisation,
as well as discovery during ongoing operation.</t>
</list></t>
<t>D8. The discovery process must not generate excessive traffic and
must take account of sleeping nodes in the case of a constrained-node network
<xref target="RFC7228"/>. </t>
<t>D9. There must be a mechanism for handling stale discovery results.</t>
</section>
<section anchor="synchreq" title="Requirements for Synchronization and Negotiation Capability">
<t>As background, consider the example of routing protocols, the closest
approximation to autonomic networking already in widespread use. Routing
protocols use a largely autonomic model based on distributed devices
that communicate repeatedly with each other. The focus
is reachability, so current routing protocols mainly consider simple
link status, i.e., up or down, and an underlying assumption is that
all nodes need a consistent view of the network topology in order
for the routing algorithm to converge. Thus, routing is
mainly based on information synchronization between peers,
rather than on bi-directional negotiation. Other information,
such as latency, congestion, capacity, and particularly unused capacity,
would be helpful to get better path selection and utilization rate, but
is not normally used in distributed routing algorithms. Additionally,
autonomic networks need to be able to manage many more dimensions,
such as security settings, power saving, load balancing, etc.
Status information and traffic metrics need to be shared between
nodes for dynamic adjustment of resources and for monitoring purposes.
While this might be achieved by existing protocols when they are
available, the new protocol needs to be able to support parameter
exchange, including mutual synchronization, even when no negotiation
as such is required. In general, these parameters do not apply to all
participating nodes, but only to a subset. </t>
<t>SN1. A basic requirement for the protocol is therefore the
ability to represent, discover, synchronize and negotiate almost any
kind of network parameter among selected subsets of participating nodes.</t>
<t>SN2. Negotiation is a request/response process that must be guaranteed to terminate
(with success or failure) and if necessary it must contain tie-breaking rules for
each technical objective that requires them. While these must be defined specifically
for each use case, the protocol should have some general mechanisms in support of loop
and deadlock prevention, such as hop count limits or timeouts.</t>
<t>SN3. Synchronization might concern small groups of nodes or very large groups.
Different solutions might be needed at different scales. </t>
<t>SN4. To avoid "reinventing the wheel", the protocol should be able to encapsulate the
data formats used by existing configuration protocols (such as NETCONF/YANG)
in cases where that is convenient.</t>
<t>SN5. Human intervention in complex situations is costly and error-prone.
Therefore, synchronization or negotiation of parameters without human
intervention is desirable whenever the coordination of multiple devices can improve
overall network performance. It therefore follows that the protocol, as part of the
Autonomic Networking Infrastructure, should be capable of running in any device
that would otherwise need human intervention. The issue of running in constrained nodes
is discussed in <xref target="I-D.ietf-anima-reference-model"/>.</t>
<t>SN6. Human intervention in large networks is often replaced by use of a
top-down network management system (NMS). It therefore follows that
the protocol, as part of the Autonomic Networking Infrastructure, should
be capable of running in any device that would otherwise be managed by
an NMS, and that it can co-exist with an NMS, and with protocols
such as SNMP and NETCONF.</t>
<t>SN7. Some features are expected to be implemented by individual ASAs,
but the protocol must be general enough to allow them:
<list style="symbols">
<t>Dependencies and conflicts: In order to
decide a configuration on a given device, the device may need
information from neighbors. This can be established through the
negotiation procedure, or through synchronization if that
is sufficient. However, a given item in a neighbor
may depend on other information from its own neighbors, which may
need another negotiation or synchronization procedure to obtain or decide.
Therefore, there are potential dependencies and conflicts among negotiation or synchronization
procedures. Resolving dependencies and conflicts is a matter for the individual ASAs involved.
To allow this, there need to be clear boundaries and convergence
mechanisms for negotiations. Also some mechanisms are needed to avoid
loop dependencies. In such a case, the protocol's role is limited to
bilateral signaling between ASAs. </t>
<t>Recovery from faults and identification of faulty devices should be
as automatic as possible. The protocol's role is limited
to the ability to handle discovery, synchronization and negotiation at
any time, in case an ASA detects an anomaly such
as a negotiation counterpart failing.</t>
<t>Since the goal is to minimize human intervention, it is necessary that the
network can in effect "think ahead" before changing its parameters. One aspect
of this is an ASA that relies on a knowledge base to predict network behavior.
This is out of scope for the signaling protocol. However, another aspect is
forecasting the effect of a change by a "dry run" negotiation before actually
installing the change. This will be an application of the protocol rather than
a feature of the protocol itself. </t>
<t>Management logging, monitoring, alerts and tools for intervention are required.
However, these can only be features of individual ASAs.
Another document <xref target="I-D.ietf-anima-stable-connectivity"/> discusses how
such agents may be linked into conventional OAM systems via an Autonomic Control Plane
<xref target="I-D.ietf-anima-autonomic-control-plane"/>. </t>
</list></t>
<t>SN8. The protocol will be able to deal with a wide variety of
technical objectives, covering any type of network parameter.
Therefore the protocol will need a flexible and easily extensible format for
describing objectives. At a later stage it may be desirable to adopt an explicit
information model. One consideration is whether to adopt an existing
information model or to design a new one. </t>
</section>
<section title="Specific Technical Requirements">
<t>T1. It should be convenient for ASA designers to define new technical objectives
and for programmers to express them, without excessive impact on
run-time efficiency and footprint. In particular, it should be possible for ASAs
to be implemented independently of each other as user space programs rather than as kernel
code. The classes of device in which the protocol
might run is discussed in <xref target="I-D.ietf-anima-reference-model"/>.
</t>
<t>T2. The protocol should be easily extensible in case the initially defined discovery,
synchronization and negotiation mechanisms prove to be insufficient. </t>
<t>T3. To be a generic platform, the protocol payload format should be
independent of the transport protocol or IP version.
In particular, it should be able to run over IPv6 or IPv4.
However, some functions, such as multicasting on
a link, might need to be IP version dependent. In case of doubt, IPv6 should
be preferred.</t>
<t>T4. The protocol must be able to access off-link counterparts via routable addresses,
i.e., must not be restricted to link-local operation.</t>
<t>T5. It must also be possible for an external discovery mechanism
to be used, if appropriate for a given technical objective. In other words, GRASP discovery
must not be a prerequisite for GRASP negotiation or synchronization. </t>
<t>T6. The protocol must be capable of supporting multiple simultaneous operations,
especially when wait states occur.</t>
<t>T7. Intent: There must be
provision for general Intent rules to be applied by all devices in
the network (e.g., security rules, prefix length, resource sharing
rules). However, Intent distribution might not use the signaling
protocol itself, but its design should not exclude such use. </t>
<t>T8. Management monitoring, alerts and intervention:
Devices should be able to report to a monitoring
system. Some events must be able to generate operator alerts and
some provision for emergency intervention must be possible (e.g.
to freeze synchronization or negotiation in a mis-behaving device). These features
might not use the signaling protocol itself, but its design should not exclude such use.</t>
<t>T9. The protocol needs to be fully secured against forged messages and
man-in-the middle attacks, and secured as much as reasonably possible
against denial of service attacks. It needs to be capable of
encryption in order to resist unwanted monitoring<!--, although this
capability may not be required in all deployments-->. However, it is not
required that the protocol itself provides these security features; it may
depend on an existing secure environment. </t>
</section>
</section>
<!-- reqts -->
<section anchor="Overview" title="GRASP Protocol Overview">
<section anchor="terms" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119"/> when they appear in ALL CAPS. When these words
are not in ALL CAPS (such as "should" or "Should"), they have their
usual English meanings, and are not to be interpreted as <xref target="RFC2119"/> key words.</t>
<t>This document uses terminology defined in <xref target="RFC7575"/>.</t>
<t>The following additional terms are used throughout this document:
<list style="symbols">
<t>Autonomic Device: identical to Autonomic Node.</t>
<t>Discovery: a process by which an ASA discovers peers
according to a specific discovery objective. The discovery results
may be different according to the different discovery objectives.
The discovered peers may later be used as negotiation
counterparts or as sources of synchronization data. </t>
<t>Negotiation: a process by which two ASAs interact
iteratively to agree on parameter settings that best satisfy the
objectives of both ASAs.</t>
<t>State Synchronization: a process by which ASAs
interact to receive the current state of parameter
values stored in other ASAs. This is a special case of negotiation
in which information is sent but the ASAs do not request
their peers to change parameter settings. All other definitions
apply to both negotiation and synchronization. </t>
<t>Technical Objective (usually abbreviated as Objective):
A technical objective is a configurable parameter or set of parameters
of some kind, which occurs in three contexts: Discovery, Negotiation
and Synchronization. In the protocol, an objective is represented by an
identifier and if relevant a value. Normally, a given objective will not
occur in negotiation and synchronization contexts simultaneously.
<list style="symbols">
<t>One ASA may support multiple independent objectives.</t>
<t>The parameter described by a given objective is naturally based
on a specific service or function or action. It may in principle be
anything that can be set to a specific logical, numerical or string
value, or a more complex data structure, by a network node.
That node is generally expected to contain an ASA
which may itself manage subsidiary non-autonomic nodes.</t>
<t>Discovery Objective: if a node needs to synchronize or negotiate
a specific objective but does not know a peer that supports this objective,
it starts a discovery process. The objective is called a Discovery Objective
during this process.</t>
<!-- A discovery objective may be in one-to-one correspondence
with a synchronization objective or a negotiation objective, or it may
correspond to a certain group of such objectives. -->
<t>Synchronization Objective: an objective whose specific technical content
needs to be synchronized among two or more ASAs. </t>
<t>Negotiation Objective: an objective whose specific technical content
needs to be decided in coordination with another ASA. </t>
</list></t>
<t>Discovery Initiator: an ASA that spontaneously starts discovery
by sending a discovery message referring to a specific discovery
objective.</t>
<t>Discovery Responder: a peer that either contains an ASA supporting the discovery objective
indicated by the discovery initiator, or caches the locator(s) of the ASA(s) supporting
the objective. The locator(s) are indicated in a Discovery Response,
which is normally sent by the protocol kernel, as described later.</t>
<t>Synchronization Initiator: an ASA that spontaneously starts synchronization
by sending a request message referring to a specific synchronization
objective.</t>
<t>Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.</t>
<t>Negotiation Initiator: an ASA that spontaneously starts
negotiation by sending a request message referring to a specific
negotiation objective.</t>
<t>Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.</t>
</list></t>
</section>
<section anchor="highlevel" title="High-Level Design Choices">
<t>This section describes a behavior model and some considerations for
designing a generic signaling protocol initially supporting discovery,
synchronization and negotiation, which can
act as a platform for different technical objectives.</t>
<!-- <t>NOTE: An earlier version of this protocol used type-length-value
formats and was prototyped by Huawei
and the Beijing University of Posts and Telecommunications.</t> -->
<t><list style="symbols">
<t>A generic platform<vspace blankLines="1"/>
The protocol is designed as a generic platform, which
is independent from the synchronization or negotiation contents. It takes
care of the general intercommunication between
counterparts. The technical contents will vary according to the
various technical objectives and the different pairs of
counterparts.<vspace blankLines="1"/></t>
<t>The protocol is expected to form part of an Autonomic Networking Infrastructure
<xref target="I-D.ietf-anima-reference-model"/>. It will provide services to
ASAs via a suitable application programming interface (API), which will reflect the
protocol elements but will not necessarily be in one-to-one correspondence to
them. This API is out of scope for the present document.<vspace blankLines="1"/></t>
<t>It is normally expected that a single instance of GRASP will exist in an autonomic
node, and that the protocol engine and each ASA will run as independent
asynchronous processes.<vspace blankLines="1"/></t>
<t>Security infrastructure and trust relationship<vspace blankLines="1"/>
Because this negotiation protocol may directly
cause changes to device configurations and bring significant
impacts to a running network, this protocol
is assumed to run within an existing secure environment with
strong authentication. As a design choice, the protocol itself is not
provided with built-in security functionality.
<vspace blankLines="1"/>
On the other hand, a limited negotiation model
might be deployed based on a limited trust relationship. For
example, between two administrative domains, ASAs might also
exchange limited information and negotiate some particular
configurations based on a limited conventional or contractual
trust relationship.<vspace blankLines="1"/></t>
<t>Discovery, synchronization and negotiation are designed together.<vspace blankLines="1"/>
The discovery method and the synchronization and negotiation methods
are designed in the same way and can be combined when this is
useful. These processes can also be performed independently when appropriate.
<list style="symbols">
<t>GRASP discovery is always available for efficient discovery of GRASP peers
and allows a rapid mode of operation described in <xref target="discmech"/>.
For some objectives, especially those concerned with application layer
services, another discovery mechanism such as the future DNS Service
Discovery <xref target="RFC7558"/> or
Service Location Protocol <xref target="RFC2608"/>
MAY be used. The choice is left to the designers of individual
ASAs.
</t>
</list><vspace blankLines="1"/></t>
<t>A uniform pattern for technical contents<vspace blankLines="1"/>
The synchronization and negotiation contents are defined
according to a uniform pattern. They could be carried either in simple
binary format or in payloads described by a
flexible language. The basic protocol design uses the Concise
Binary Object Representation (CBOR) <xref target="RFC7049"/>.
The format is extensible for unknown future requirements. <vspace blankLines="1"/></t>
<t>A flexible model for synchronization<vspace blankLines="1"/>
GRASP supports bilateral synchronization, which could be used
to perform synchronization among a small number of nodes.
It also supports an unsolicited flooding mode when large groups of nodes,
possibly including all autonomic nodes, need data for the same
technical objective.
<list style="symbols">
<t>There may be some network parameters for which a more traditional flooding
mechanism such as DNCP <xref target="RFC7787"/>
<!-- <xref target="I-D.stenberg-anima-adncp"/> --> is
considered more appropriate. GRASP can coexist with DNCP.
</t>
</list><vspace blankLines="1"/></t>
<t>A simple initiator/responder model for negotiation<vspace blankLines="1"/>
Multi-party negotiations are too complicated to be modeled and
there might be too many dependencies among the parties to converge
efficiently. A simple initiator/responder model is more feasible
and can complete multi-party negotiations by indirect steps.
<vspace blankLines="1"/></t>
<t>Organizing of synchronization or negotiation content<vspace blankLines="1"/>
Naturally, the technical content will be
organized according to the relevant function or service. The
content from different functions or services is kept
independent from each other. They are not combined into a
single option or single session because these contents may be
negotiated or synchronized with different counterparts or may be
different in response time. Thus a normal arrangement would be a
single ASA managing a small set of closely related objectives,
with a version of that ASA in each relevant autonomic node. Further
discussion of this aspect is out of scope for the current document.
<vspace blankLines="1"/></t>
<!-- Paragraph moved to the reference model:
<t>Self-aware network device<vspace blankLines="1"/>Every autonomic
device will be loaded with various functions and ASAs and will be
aware of its own capabilities, typically decided by the hardware,
firmware or pre-installed software. Its exact role may depend on
Intent and on the surrounding network behaviors, which may include
forwarding behaviors, aggregation properties, topology location, bandwidth,
tunnel or translation properties, etc. The surrounding topology will
depend on the network planning. Following an initial discovery phase,
the device properties and those of its neighbors are the
foundation of the synchronization or negotiation behavior of a specific
device. A device and its ASAs have no pre-configuration for the
particular network in which it is installed.<vspace blankLines="1"/></t>
-->
<t>Requests and responses in negotiation procedures<vspace blankLines="1"/>
The initiator can negotiate with
its relevant negotiation counterpart ASAs, which may be
different according to the specific negotiation objective. It can request
relevant information from the negotiation counterpart so that it
can decide its local configuration to give the most coordinated
performance. It can request the negotiation counterpart to make a
matching configuration in order to set up a successful
communication with it. It can request certain simulation or
forecast results by sending some dry run conditions.
<vspace blankLines="1"/>Beyond the traditional yes/no answer, the
responder can reply with a suggested alternative value for the objective
concerned. This would start a bi-directional negotiation
ending in a compromise between the two ASAs.<vspace blankLines="1"/></t>
<t>Convergence of negotiation procedures<vspace blankLines="1"/>
To enable convergence, when a responder makes a
suggestion of a changed condition in a negative reply, it should
be as close as possible to the original request or previous
suggestion. The suggested value of the third or later negotiation
steps should be chosen between the suggested values from the last
two negotiation steps. In any case there must be a mechanism to
guarantee convergence (or failure) in a small number of steps, such
as a timeout or maximum number of iterations.
<vspace blankLines="1"/>
<list style="symbols">
<t>End of negotiation<vspace blankLines="1"/>
A limited number of rounds, for example three, or a timeout, is needed
on each ASA for each negotiation objective. It may be an implementation
choice, a pre-configurable parameter, or network Intent.
These choices might vary between different types of ASA.
Therefore, the definition of each negotiation objective MUST clearly specify
this, so that the negotiation can always be terminated properly.
<vspace blankLines="1"/></t>
<t>Failed negotiation<vspace blankLines="1"/>There must be a
well-defined procedure for concluding that a negotiation cannot
succeed, and if so deciding what happens next (deadlock
resolution, tie-breaking, or revert to best-effort
service). Again, this MUST be specified for individual
negotiation objectives, as an implementation choice, a pre-configurable
parameter, or network Intent.</t>
</list></t>
</list></t>
</section>
<section title="GRASP Protocol Basic Properties and Mechanisms">
<section anchor="reqsec" title="Required External Security Mechanism">
<t>The protocol SHOULD run within a secure Autonomic Control Plane (ACP)
<xref target="I-D.ietf-anima-autonomic-control-plane"/>. The ACP is assumed
to carry all messages securely, including link-local multicast if possible.
A GRASP implementation MUST verify whether the ACP is operational. </t>
<t>If there is no ACP, the protocol
MUST use another form of strong authentication and SHOULD use a form
of strong encryption. TLS <xref target="RFC5246"/>
is RECOMMENDED for this purpose, based on a local Public Key Infrastructure (PKI)
<xref target="RFC5280"/> managed within the autonomic network itself. The details
of such a PKI and how its boundary is established are out of scope for this document.
DTLS <xref target="RFC6347"/> MAY be used but since GRASP operations usually
involve several messages this is not expected to be advantageous. </t>
<t>The ACP, or in its absence the local PKI, sets the boundary within which nodes
are trusted as GRASP peers. A GRASP implementation MUST refuse to execute any GRASP
functions except discovery if there is neither an operational ACP nor an operational
TLS environment. </t>
<t>As mentioned in <xref target="highlevel"/>, limited GRASP operations might be
performed across an administrative domain boundary by mutual agreement. Such operations
MUST be authenticated and SHOULD be encrypted. TLS is RECOMMENDED for this purpose.</t>
<t>Link-local multicast is used for discovery messages. <!-- It is preferred that the
ACP will handle these and distribute them securely to all on-link ACP nodes only.
However, in the absence of an ACP they cannot be secured. -->
Responses to discovery messages MUST be secured, with one exception.</t>
<t>The exception is that during initialisation, before a node has joined the applicable trust
infrastructure, e.g., <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>, or before
the ACP is fully established, it might be impossible to secure messages.
Indeed, both the security bootstrap process and the ACP creation process might
use insecure GRASP discovery and response messages.
Such usage MUST be limited to the strictly necessary minimum.
A full analysis of the initialisation process is out of scope for the
present document. </t>
</section>
<section title="Transport Layer Usage">
<t>GRASP discovery and flooding messages are designed for use over link-local multicast
UDP. They MUST NOT be fragmented, and therefore MUST NOT exceed the link MTU size.
Nothing in principle prevents them from working over some other method of
sending packets to all on-link neighbors, but this is out of scope for the
present specification. </t>
<t>All other GRASP messages are unicast and could in principle run over any transport protocol.
An implementation MUST support use of TCP. It MAY support use of another transport protocol.
However, GRASP itself does not provide for error detection or retransmission. Use of an
unreliable transport protocol is therefore NOT RECOMMENDED. </t>
<t>When running within a secure ACP on reliable infrastructure,
UDP MAY be used for unicast messages not exceeding the minimum IPv6 path MTU;
however, TCP MUST be used for longer messages. In other words, IPv6 fragmentation
is avoided. If a node receives a UDP message but the reply is too long, it
MUST open a TCP connection to the peer for the reply. Note that when
the network is under heavy load or in a fault condition, UDP might become
unreliable. Since this is when autonomic functions are most necessary,
automatic fallback to TCP MUST be implemented. The simplest implementation
is therefore to use only TCP.</t>
<t>When running without an ACP, TLS MUST be supported and used by default, except
for link-local multicast messages. DTLS MAY be supported as an alternative
but the details are out of scope for this document. </t>
<t>For link-local multicast, the GRASP protocol listens to the GRASP Listen Port
(<xref target="Constants"/>). This port is also used to listen for unicast discovery responses.
For unicast transport sessions used for synchronization and negotiation, the ASA
concerned listens on its own dynamically assigned port, which is communicated to its peers
during discovery. </t>
</section>
<section anchor="discmech" title="Discovery Mechanism and Procedures">
<t><list style="symbols">
<t>Separated discovery and negotiation mechanisms<list style="empty">
<t>Although discovery and negotiation or synchronization are defined
together in the GRASP, they are separated mechanisms. The discovery
process could run independently from the negotiation or synchronization
process. Upon receiving a Discovery (<xref target="DiscoveryMessage"/>)
<!-- or request (<xref target="RequestMessage"/>)--> message, the
recipient node should return a response message in which it either
indicates itself as a discovery responder or diverts the
initiator towards another more suitable ASA.</t>
<t>The discovery action will normally be followed by
a negotiation or synchronization action. The
discovery results could be utilized by the negotiation
protocol to decide which ASA the initiator will negotiate
with.</t>
<t>The initiator of a discovery action for a given objective need not
be capable of responding to that objective as a Negotiation Counterpart, as a
Synchronization Responder or as source for flooding. For example, an ASA might perform
discovery even if it only wishes to act a Synchronization Initiator or Negotiation Initiator.
Such an ASA does not itself need to respond to discovery messages.</t>
<t>It is also entirely possible to use GRASP discovery without any subsequent
negotiation or synchronization action. In this case, the discovered objective
is simply used as a name during the discovery process and any subsequent
operations between the peers are outside the scope of GRASP.</t>
</list></t>
<t>Discovery Procedures<list style="empty">
<t>Discovery starts as an on-link operation. The Divert option
can tell the discovery initiator to contact an off-link
ASA for that discovery objective. Every Discovery message is sent
by a discovery initiator via UDP to the ALL_GRASP_NEIGHBOR link-local
multicast address (<xref target="Constants"/>). Every network
device that supports GRASP always listens to a well-known
UDP port to capture the discovery messages. Because this port
is unique in a device, this is a function of the GRASP kernel
and not of an individual ASA. As a result, each ASA will need to
register the objectives that it supports with the GRASP kernel.</t>
<t>If an ASA in a neighbor device supports the requested discovery objective,
the device SHOULD respond to the link-local multicast with a unicast Discovery Response
message (<xref target="ResponseMessage"/>) with locator option(s), unless it is
temporarily unavailable. Otherwise, if the neighbor has cached information
about an ASA that supports the requested discovery objective (usually
because it discovered the same objective before), it SHOULD
respond with a Discovery Response message with a Divert option pointing
to the appropriate Discovery Responder.</t>
<t>If a device has no information about the requested discovery objective,
and is not acting as a discovery relay (see below) it MUST silently
discard the Discovery message.</t>
<t>If no discovery response is received within a reasonable timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
the Discovery message MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions, in order to mitigate possible denial of service attacks.</t>
<t>After a GRASP device successfully discovers a locator for a Discovery Responder
supporting a specific objective, it MUST cache this information, including the interface
identifier via which it was discovered. This cache record MAY be used for future
negotiation or synchronization, and the locator SHOULD be passed on when appropriate
as a Divert option to another Discovery Initiator.</t>
<t>The cache mechanism MUST include a lifetime for each entry. The
lifetime is an implementation choice that MAY be modified by network Intent.
In some environments, unplanned address renumbering might occur.
In such cases, the cache lifetime SHOULD be short compared to
the typical address lifetime and a mechanism to flush the
discovery cache SHOULD be implemented. The discovery mechanism
needs to track the node's current address to ensure that Discovery
Responses always indicate the correct address.</t>
<t>If multiple Discovery Responders are found for the same objective, they
SHOULD all be cached, unless this creates a resource shortage. The method
of choosing between multiple responders is an implementation choice.
This choice MUST be available to each ASA but the GRASP implementation
SHOULD provide a default choice.</t>
<t>Because Discovery Responders will be cached in a finite cache, they might
be deleted at any time. In this case, discovery will need to be repeated. If an
ASA exits for any reason, its locator might still be cached for some time,
and attempts to connect to it will fail. ASAs need to be robust in these
circumstances. </t>
<t>A GRASP device with multiple link-layer interfaces (typically a router) MUST
support discovery on all interfaces. If it receives a Discovery message
on a given interface for a specific objective that it does not support and for
which it has not previously cached a Discovery Responder, it MUST relay
the query by re-issuing a Discovery message as a link-local multicast on its other
interfaces. The relayed discovery message MUST have the same Session ID as the incoming
discovery message and MUST be tagged with the IP address of its original initiator.
Since the relay device is unaware of the timeout set by the original
initiator it SHOULD set a timeout at least equal to GRASP_DEF_TIMEOUT milliseconds.</t>
<t>The relaying device MUST decrement the loop count within the objective, and
MUST NOT relay the Discovery message if the result is zero.
Also, it MUST limit the total rate at which it relays discovery messages
to a reasonable value, in order to mitigate possible denial of service attacks.
It MUST cache the Session ID value and initiator address of each relayed
Discovery message until any Discovery Responses have arrived or
the discovery process has timed out.
To prevent loops, it MUST NOT relay a Discovery message
which carries a given cached Session ID and initiator address more than once.
These precautions avoid discovery loops and mitigate potential overload.</t>
<t>The discovery results received by the relaying device MUST in turn be
sent as a Discovery Response message to the Discovery message that caused
the relay action.</t>
<t>This relayed discovery mechanism, with caching of the results,
should be sufficient to support most network bootstrapping scenarios.</t>
</list></t>
<t>A complete discovery process will start with a multicast on the
local link. On-link neighbors supporting the discovery objective will
respond directly. A neighbor with multiple interfaces will respond
with a cached discovery response if any. If not, it will relay the
discovery on its other interfaces, for example reaching a higher-level gateway
in a hierarchical network. If a node receiving the relayed discovery
supports the discovery objective, it will respond to the relayed discovery.
If it has a cached response, it will respond with that.
If not, it will repeat the discovery process, which thereby becomes recursive.
The loop count and timeout will ensure that the process ends.
</t>
<t>Rapid Mode (Discovery/Negotiation binding)<list style="empty">
<t>A Discovery message MAY include a Negotiation
Objective option. This allows a rapid mode of negotiation
described in <xref target="negproc"/>. A similar mechanism
is defined for synchronization in <xref target="synchproc"/>.</t>
</list></t>
</list></t>
</section>
<section anchor="negproc" title="Negotiation Procedures">
<t>A negotiation initiator sends a negotiation request to a
counterpart ASA, including a specific negotiation objective.
It may request the negotiation
counterpart to make a specific configuration. Alternatively, it may
request a certain simulation or forecast result by sending a dry run configuration.
The details, including the distinction between dry run and an actual
configuration change, will be defined separately for each type of negotiation
objective.</t>
<t>If no reply message of any kind is received within a reasonable timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
the negotiation request MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions.</t>
<t>If the counterpart can immediately apply the requested
configuration, it will give an immediate positive (accept) answer.
This will end the negotiation phase immediately. Otherwise, it will
negotiate. It will reply with a proposed alternative configuration
that it can apply (typically, a configuration that uses fewer resources
than requested by the negotiation initiator). This will start a
bi-directional negotiation to reach a compromise between the two ASAs.</t>
<t>The negotiation procedure is ended when one of the negotiation
peers sends a Negotiation Ending message, which contains an accept
or decline option and does not need a response from the negotiation
peer. Negotiation may also end in failure (equivalent to a decline)
if a timeout is exceeded or a loop count is exceeded. </t>
<t>A negotiation procedure concerns one objective and one
counterpart. Both the initiator and the counterpart may take part in
simultaneous negotiations with various other ASAs, or in
simultaneous negotiations about different objectives. Thus, GRASP is
expected to be used in a multi-threaded mode. Certain negotiation
objectives may have restrictions on multi-threading, for example to
avoid over-allocating resources. </t>
<t>Some configuration actions, for example wavelength switching
in optical networks, might take considerable time to execute. The ASA
concerned needs to allow for this by design, but GRASP does allow for
a peer to insert latency in a negotiation process if necessary
(<xref target="ConfirmWaitingMessage"/>).</t>
<section anchor="rapidneg" title="Rapid Mode (Discovery/Negotiation Linkage)">
<t>A Discovery message MAY include a Negotiation
Objective option. In this case the Discovery message also acts
as a Request Negotiation message to indicate to the Discovery Responder
that it could directly reply to the Discovery Initiator with
a Negotiation message for rapid processing, if it
could act as the corresponding negotiation
counterpart. However, the indication is only advisory not
prescriptive. </t>
<t>This rapid mode could reduce the interactions between
nodes so that a higher efficiency could be achieved. However, a network in which some
nodes support rapid mode and others do not will have complex timing-dependent behaviors.
Therefore, the rapid negotiation function SHOULD be configured off by default
and MAY be configured on or off by Intent.</t>
</section>
</section>
<section anchor="synchproc" title="Synchronization and Flooding Procedure">
<t>A synchronization initiator sends a synchronization request to a
counterpart, including a specific synchronization objective.
The counterpart responds with a Synchronization message (<xref target="SynchMessage"/>)
containing the current value of the requested synchronization
objective. No further messages are needed. </t>
<t>If no reply message of any kind is received within a reasonable timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
the synchronization request MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions.</t>
<section anchor="flooding" title="Flooding">
<t>In the case just described, the message exchange is unicast and
concerns only one synchronization objective. For large groups of nodes
requiring the same data, synchronization flooding is available. For this,
a flooding initiator MAY send an unsolicited Flood Synchronization message containing
one or more Synchronization Objective option(s), if and only if the specification
of those objectives permits it. This is sent as a multicast message to the
ALL_GRASP_NEIGHBOR multicast address (<xref target="Constants"/>).</t>
<t>Every network device that supports GRASP always listens to a well-known
UDP port to capture flooding messages. Because this port is unique in a device,
this is a function of the GRASP kernel.</t>
<t>To ensure that flooding does not result in a loop, the originator of the Flood Synchronization message
MUST set the loop count in the objectives to a suitable value (the default is GRASP_DEF_LOOPCT).
Also, a suitable mechanism is needed
to avoid excessive multicast traffic. This mechanism MUST be defined as part of the
specification of the synchronization objective(s) concerned. It might be a simple rate
limit or a more complex mechanism such as the Trickle algorithm <xref target="RFC6206"/>.</t>
<t>A GRASP device with multiple link-layer interfaces (typically a router) MUST
support synchronization flooding on all interfaces. If it receives a multicast
Flood Synchronization message on a given interface, it MUST relay
it by re-issuing a Flood Synchronization message on its other interfaces.
The relayed message MUST have the same Session ID as the incoming
message and MUST be tagged with the IP address of its original initiator. </t>
<t>The relaying device MUST decrement the loop count within the first objective, and
MUST NOT relay the Flood Synchronization message if the result is zero.
Also, it MUST limit the total rate at which it relays Flood Synchronization messages
to a reasonable value, in order to mitigate possible denial of service attacks.
It MUST cache the Session ID value and initiator address of each relayed
Flood Synchronization message for a finite time not less than twice GRASP_DEF_TIMEOUT milliseconds.
To prevent loops, it MUST NOT relay a Flood Synchronization message
which carries a given cached Session ID and initiator address more than once.
These precautions avoid synchronization loops and mitigate potential overload.</t>