-
Notifications
You must be signed in to change notification settings - Fork 3
/
draft-ietf-anima-grasp-08.txt
4088 lines (2746 loc) · 160 KB
/
draft-ietf-anima-grasp-08.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group C. Bormann
Internet-Draft Universitaet Bremen TZI
Intended status: Standards Track B. Carpenter, Ed.
Expires: May 3, 2017 Univ. of Auckland
B. Liu, Ed.
Huawei Technologies Co., Ltd
October 30, 2016
A Generic Autonomic Signaling Protocol (GRASP)
draft-ietf-anima-grasp-08
Abstract
This document establishes requirements for a signaling protocol that
enables autonomic devices and autonomic service agents to dynamically
discover peers, to synchronize state with them, and to negotiate
parameter settings mutually with them. The document then defines a
general protocol for discovery, synchronization and negotiation,
while the technical objectives for specific scenarios are to be
described in separate documents. An Appendix briefly discusses
existing protocols with comparable features.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Bormann, et al. Expires May 3, 2017 [Page 1]
Internet-Draft GRASP October 2016
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirement Analysis of Discovery, Synchronization and
Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements for Discovery . . . . . . . . . . . . . . . 5
2.2. Requirements for Synchronization and Negotiation
Capability . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. Specific Technical Requirements . . . . . . . . . . . . . 9
3. GRASP Protocol Overview . . . . . . . . . . . . . . . . . . . 10
3.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 10
3.2. High Level Deployment Model . . . . . . . . . . . . . . . 12
3.3. High Level Design Choices . . . . . . . . . . . . . . . . 13
3.4. Quick Operating Overview . . . . . . . . . . . . . . . . 16
3.5. GRASP Protocol Basic Properties and Mechanisms . . . . . 17
3.5.1. Required External Security Mechanism . . . . . . . . 17
3.5.2. Limited Security Instances . . . . . . . . . . . . . 17
3.5.3. Transport Layer Usage . . . . . . . . . . . . . . . . 19
3.5.4. Discovery Mechanism and Procedures . . . . . . . . . 20
3.5.5. Negotiation Procedures . . . . . . . . . . . . . . . 23
3.5.6. Synchronization and Flooding Procedure . . . . . . . 25
3.6. GRASP Constants . . . . . . . . . . . . . . . . . . . . . 27
3.7. Session Identifier (Session ID) . . . . . . . . . . . . . 27
3.8. GRASP Messages . . . . . . . . . . . . . . . . . . . . . 28
3.8.1. Message Overview . . . . . . . . . . . . . . . . . . 28
3.8.2. GRASP Message Format . . . . . . . . . . . . . . . . 28
3.8.3. Message Size . . . . . . . . . . . . . . . . . . . . 29
3.8.4. Discovery Message . . . . . . . . . . . . . . . . . . 29
3.8.5. Discovery Response Message . . . . . . . . . . . . . 31
3.8.6. Request Messages . . . . . . . . . . . . . . . . . . 31
3.8.7. Negotiation Message . . . . . . . . . . . . . . . . . 32
3.8.8. Negotiation End Message . . . . . . . . . . . . . . . 33
3.8.9. Confirm Waiting Message . . . . . . . . . . . . . 33
3.8.10. Synchronization Message . . . . . . . . . . . . . . . 33
3.8.11. Flood Synchronization Message . . . . . . . . . . . . 34
3.8.12. Invalid Message . . . . . . . . . . . . . . . . . . . 35
3.8.13. No Operation Message . . . . . . . . . . . . . . . . 35
3.9. GRASP Options . . . . . . . . . . . . . . . . . . . . . . 35
3.9.1. Format of GRASP Options . . . . . . . . . . . . . . . 35
3.9.2. Divert Option . . . . . . . . . . . . . . . . . . . . 36
3.9.3. Accept Option . . . . . . . . . . . . . . . . . . . . 36
Bormann, et al. Expires May 3, 2017 [Page 2]
Internet-Draft GRASP October 2016
3.9.4. Decline Option . . . . . . . . . . . . . . . . . . . 36
3.9.5. Locator Options . . . . . . . . . . . . . . . . . . . 37
3.10. Objective Options . . . . . . . . . . . . . . . . . . . . 39
3.10.1. Format of Objective Options . . . . . . . . . . . . 39
3.10.2. Objective flags . . . . . . . . . . . . . . . . . . 40
3.10.3. General Considerations for Objective Options . . . . 40
3.10.4. Organizing of Objective Options . . . . . . . . . . 41
3.10.5. Experimental and Example Objective Options . . . . . 42
4. Implementation Status [RFC Editor: please remove] . . . . . . 42
4.1. BUPT C++ Implementation . . . . . . . . . . . . . . . . . 42
4.2. Python Implementation . . . . . . . . . . . . . . . . . . 43
5. Security Considerations . . . . . . . . . . . . . . . . . . . 44
6. CDDL Specification of GRASP . . . . . . . . . . . . . . . . . 46
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 50
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 50
9.1. Normative References . . . . . . . . . . . . . . . . . . 50
9.2. Informative References . . . . . . . . . . . . . . . . . 51
Appendix A. Open Issues [RFC Editor: Please remove if empty] . . 54
Appendix B. Closed Issues [RFC Editor: Please remove] . . . . . 54
Appendix C. Change log [RFC Editor: Please remove] . . . . . . . 62
Appendix D. Example Message Formats . . . . . . . . . . . . . . 67
D.1. Discovery Example . . . . . . . . . . . . . . . . . . . . 68
D.2. Flood Example . . . . . . . . . . . . . . . . . . . . . . 68
D.3. Synchronization Example . . . . . . . . . . . . . . . . . 68
D.4. Simple Negotiation Example . . . . . . . . . . . . . . . 69
D.5. Complete Negotiation Example . . . . . . . . . . . . . . 69
Appendix E. Capability Analysis of Current Protocols . . . . . . 70
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 73
1. Introduction
The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have
become more and more problematic for human based management. Also,
operational costs are growing quickly. Consequently, there are
increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in [RFC7575] and
[RFC7576].
One approach is to largely decentralize the logic of network
management by migrating it into network elements. A reference model
for autonomic networking on this basis is given in
[I-D.ietf-anima-reference-model]. The reader should consult this
document to understand how various autonomic components fit together.
In order to fulfil autonomy, devices that embody Autonomic Service
Agents (ASAs, [RFC7575]) have specific signaling requirements. In
particular they need to discover each other, to synchronize state
Bormann, et al. Expires May 3, 2017 [Page 3]
Internet-Draft GRASP October 2016
with each other, and to negotiate parameters and resources directly
with each other. There is no limitation on the types of parameters
and resources concerned, which can include very basic information
needed for addressing and routing, as well as anything else that
might be configured in a conventional non-autonomic network. The
atomic unit of discovery, synchronization or negotiation is referred
to as a technical objective, i.e, a configurable parameter or set of
parameters (defined more precisely in Section 3.1).
Following this Introduction, Section 2 describes the requirements for
discovery, synchronization and negotiation. Negotiation is an
iterative process, requiring multiple message exchanges forming a
closed loop between the negotiating entities. In fact, these
entities are ASAs, normally but not necessarily in different network
devices. State synchronization, when needed, can be regarded as a
special case of negotiation, without iteration. Section 3.3
describes a behavior model for a protocol intended to support
discovery, synchronization and negotiation. The design of GeneRic
Autonomic Signaling Protocol (GRASP) in Section 3 of this document is
mainly based on this behavior model. The relevant capabilities of
various existing protocols are reviewed in Appendix E.
The proposed discovery mechanism is oriented towards synchronization
and negotiation objectives. It is based on a neighbor discovery
process, but also supports diversion to off-link peers. There is no
assumption of any particular form of network topology. When a device
starts up with no pre-configuration, it has no knowledge of the
topology. The protocol itself is capable of being used in a small
and/or flat network structure such as a small office or home network
as well as a professionally managed network. Therefore, the
discovery mechanism needs to be able to allow a device to bootstrap
itself without making any prior assumptions about network structure.
Because GRASP can be used to perform a decision process among
distributed devices or between networks, it must run in a secure and
strongly authenticated environment.
It is understood that in realistic deployments, not all devices will
support GRASP. It is expected that some autonomic service agents
will directly manage a group of non-autonomic nodes, and that other
non-autonomic nodes will be managed traditionally. Such mixed
scenarios are not discussed in this specification.
2. Requirement Analysis of Discovery, Synchronization and Negotiation
This section discusses the requirements for discovery, negotiation
and synchronization capabilities. The primary user of the protocol
is an autonomic service agent (ASA), so the requirements are mainly
Bormann, et al. Expires May 3, 2017 [Page 4]
Internet-Draft GRASP October 2016
expressed as the features needed by an ASA. A single physical device
might contain several ASAs, and a single ASA might manage several
technical objectives. If a technical objective is managed by several
ASAs, any necessary coordination is outside the scope of the
signaling protocol itself.
Note that requirements for ASAs themselves, such as the processing of
Intent [RFC7575] or interfaces for coordination between ASAs are out
of scope for the present document.
2.1. Requirements for Discovery
D1. ASAs may be designed to manage anything, as required in
Section 2.2. A basic requirement is therefore that the protocol can
represent and discover any kind of technical objective among
arbitrary subsets of participating nodes.
In an autonomic network we must assume that when a device starts up
it has no information about any peer devices, the network structure,
or what specific role it must play. The ASA(s) inside the device are
in the same situation. In some cases, when a new application session
starts up within a device, the device or ASA may again lack
information about relevant peers. For example, it might be necessary
to set up resources on multiple other devices, coordinated and
matched to each other so that there is no wasted resource. Security
settings might also need updating to allow for the new device or
user. The relevant peers may be different for different technical
objectives. Therefore discovery needs to be repeated as often as
necessary to find peers capable of acting as counterparts for each
objective that a discovery initiator needs to handle. From this
background we derive the next three requirements:
D2. When an ASA first starts up, it has no knowledge of the specific
network to which it is attached. Therefore the discovery process
must be able to support any network scenario, assuming only that the
device concerned is bootstrapped from factory condition.
D3. When an ASA starts up, it must require no configured location
information about any peers in order to discover them.
D4. If an ASA supports multiple technical objectives, relevant peers
may be different for different discovery objectives, so discovery
needs to be performed separately to find counterparts for each
objective. Thus, there must be a mechanism by which an ASA can
separately discover peer ASAs for each of the technical objectives
that it needs to manage, whenever necessary.
Bormann, et al. Expires May 3, 2017 [Page 5]
Internet-Draft GRASP October 2016
D5. Following discovery, an ASA will normally perform negotiation or
synchronization for the corresponding objectives. The design should
allow for this by conveniently linking discovery to negotiation and
synchronization. It may provide an optional mechanism to combine
discovery and negotiation/synchronization in a single call.
D6. Some objectives may only be significant on the local link, but
others may be significant across the routed network and require off-
link operations. Thus, the relevant peers might be immediate
neighbors on the same layer 2 link, or they might be more distant and
only accessible via layer 3. The mechanism must therefore provide
both on-link and off-link discovery of ASAs supporting specific
technical objectives.
D7. The discovery process should be flexible enough to allow for
special cases, such as the following:
o During initialisation, a device must be able to establish mutual
trust with the rest of the network and join an authentication
mechanism. Although this will inevitably start with a discovery
action, it is a special case precisely because trust is not yet
established. This topic is the subject of
[I-D.ietf-anima-bootstrapping-keyinfra]. We require that once
trust has been established for a device, all ASAs within the
device inherit the device's credentials and are also trusted.
o Depending on the type of network involved, discovery of other
central functions might be needed, such as the Network Operations
Center (NOC) [I-D.ietf-anima-stable-connectivity]. The protocol
must be capable of supporting such discovery during
initialisation, as well as discovery during ongoing operation.
D8. The discovery process must not generate excessive traffic and
must take account of sleeping nodes in the case of a constrained-node
network [RFC7228].
D9. There must be a mechanism for handling stale discovery results.
2.2. Requirements for Synchronization and Negotiation Capability
As background, consider the example of routing protocols, the closest
approximation to autonomic networking already in widespread use.
Routing protocols use a largely autonomic model based on distributed
devices that communicate repeatedly with each other. The focus is
reachability, so current routing protocols mainly consider simple
link status, i.e., up or down, and an underlying assumption is that
all nodes need a consistent view of the network topology in order for
the routing algorithm to converge. Thus, routing is mainly based on
Bormann, et al. Expires May 3, 2017 [Page 6]
Internet-Draft GRASP October 2016
information synchronization between peers, rather than on bi-
directional negotiation. Other information, such as latency,
congestion, capacity, and particularly unused capacity, would be
helpful to get better path selection and utilization rate, but is not
normally used in distributed routing algorithms. Additionally,
autonomic networks need to be able to manage many more dimensions,
such as security settings, power saving, load balancing, etc. Status
information and traffic metrics need to be shared between nodes for
dynamic adjustment of resources and for monitoring purposes. While
this might be achieved by existing protocols when they are available,
the new protocol needs to be able to support parameter exchange,
including mutual synchronization, even when no negotiation as such is
required. In general, these parameters do not apply to all
participating nodes, but only to a subset.
SN1. A basic requirement for the protocol is therefore the ability
to represent, discover, synchronize and negotiate almost any kind of
network parameter among selected subsets of participating nodes.
SN2. Negotiation is a request/response process that must be
guaranteed to terminate (with success or failure) and if necessary it
must contain tie-breaking rules for each technical objective that
requires them. While these must be defined specifically for each use
case, the protocol should have some general mechanisms in support of
loop and deadlock prevention, such as hop count limits or timeouts.
SN3. Synchronization might concern small groups of nodes or very
large groups. Different solutions might be needed at different
scales.
SN4. To avoid "reinventing the wheel", the protocol should be able
to encapsulate the data formats used by existing configuration
protocols (such as NETCONF/YANG) in cases where that is convenient.
SN5. Human intervention in complex situations is costly and error-
prone. Therefore, synchronization or negotiation of parameters
without human intervention is desirable whenever the coordination of
multiple devices can improve overall network performance. It
therefore follows that the protocol, as part of the Autonomic
Networking Infrastructure, should be capable of running in any device
that would otherwise need human intervention. The issue of running
in constrained nodes is discussed in
[I-D.ietf-anima-reference-model].
SN6. Human intervention in large networks is often replaced by use
of a top-down network management system (NMS). It therefore follows
that the protocol, as part of the Autonomic Networking
Infrastructure, should be capable of running in any device that would
Bormann, et al. Expires May 3, 2017 [Page 7]
Internet-Draft GRASP October 2016
otherwise be managed by an NMS, and that it can co-exist with an NMS,
and with protocols such as SNMP and NETCONF.
SN7. Some features are expected to be implemented by individual
ASAs, but the protocol must be general enough to allow them:
o Dependencies and conflicts: In order to decide a configuration on
a given device, the device may need information from neighbors.
This can be established through the negotiation procedure, or
through synchronization if that is sufficient. However, a given
item in a neighbor may depend on other information from its own
neighbors, which may need another negotiation or synchronization
procedure to obtain or decide. Therefore, there are potential
dependencies and conflicts among negotiation or synchronization
procedures. Resolving dependencies and conflicts is a matter for
the individual ASAs involved. To allow this, there need to be
clear boundaries and convergence mechanisms for negotiations.
Also some mechanisms are needed to avoid loop dependencies. In
such a case, the protocol's role is limited to bilateral signaling
between ASAs.
o Recovery from faults and identification of faulty devices should
be as automatic as possible. The protocol's role is limited to
the ability to handle discovery, synchronization and negotiation
at any time, in case an ASA detects an anomaly such as a
negotiation counterpart failing.
o Since the goal is to minimize human intervention, it is necessary
that the network can in effect "think ahead" before changing its
parameters. One aspect of this is an ASA that relies on a
knowledge base to predict network behavior. This is out of scope
for the signaling protocol. However, another aspect is
forecasting the effect of a change by a "dry run" negotiation
before actually installing the change. This will be an
application of the protocol rather than a feature of the protocol
itself.
o Management logging, monitoring, alerts and tools for intervention
are required. However, these can only be features of individual
ASAs. Another document [I-D.ietf-anima-stable-connectivity]
discusses how such agents may be linked into conventional OAM
systems via an Autonomic Control Plane
[I-D.ietf-anima-autonomic-control-plane].
SN8. The protocol will be able to deal with a wide variety of
technical objectives, covering any type of network parameter.
Therefore the protocol will need a flexible and easily extensible
format for describing objectives. At a later stage it may be
Bormann, et al. Expires May 3, 2017 [Page 8]
Internet-Draft GRASP October 2016
desirable to adopt an explicit information model. One consideration
is whether to adopt an existing information model or to design a new
one.
2.3. Specific Technical Requirements
T1. It should be convenient for ASA designers to define new
technical objectives and for programmers to express them, without
excessive impact on run-time efficiency and footprint. In
particular, it should be possible for ASAs to be implemented
independently of each other as user space programs rather than as
kernel code. The classes of device in which the protocol might run
is discussed in [I-D.ietf-anima-reference-model].
T2. The protocol should be easily extensible in case the initially
defined discovery, synchronization and negotiation mechanisms prove
to be insufficient.
T3. To be a generic platform, the protocol payload format should be
independent of the transport protocol or IP version. In particular,
it should be able to run over IPv6 or IPv4. However, some functions,
such as multicasting on a link, might need to be IP version
dependent. In case of doubt, IPv6 should be preferred.
T4. The protocol must be able to access off-link counterparts via
routable addresses, i.e., must not be restricted to link-local
operation.
T5. It must also be possible for an external discovery mechanism to
be used, if appropriate for a given technical objective. In other
words, GRASP discovery must not be a prerequisite for GRASP
negotiation or synchronization.
T6. The protocol must be capable of supporting multiple simultaneous
operations, especially when wait states occur.
T7. Intent: There must be provision for general Intent rules to be
applied by all devices in the network (e.g., security rules, prefix
length, resource sharing rules). However, Intent distribution might
not use the signaling protocol itself, but its design should not
exclude such use.
T8. Management monitoring, alerts and intervention: Devices should
be able to report to a monitoring system. Some events must be able
to generate operator alerts and some provision for emergency
intervention must be possible (e.g. to freeze synchronization or
negotiation in a mis-behaving device). These features might not use
Bormann, et al. Expires May 3, 2017 [Page 9]
Internet-Draft GRASP October 2016
the signaling protocol itself, but its design should not exclude such
use.
T9. The protocol needs to be fully secured against forged messages
and man-in-the middle attacks, and secured as much as reasonably
possible against denial of service attacks. It needs to be capable
of encryption in order to resist unwanted monitoring. However, it is
not required that the protocol itself provides these security
features; it may depend on an existing secure environment.
3. GRASP Protocol Overview
3.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] when they appear in ALL CAPS. When these words are not in
ALL CAPS (such as "should" or "Should"), they have their usual
English meanings, and are not to be interpreted as [RFC2119] key
words.
This document uses terminology defined in [RFC7575].
The following additional terms are used throughout this document:
o Autonomic Device: identical to Autonomic Node.
o Discovery: a process by which an ASA discovers peers according to
a specific discovery objective. The discovery results may be
different according to the different discovery objectives. The
discovered peers may later be used as negotiation counterparts or
as sources of synchronization data.
o Negotiation: a process by which two ASAs interact iteratively to
agree on parameter settings that best satisfy the objectives of
both ASAs.
o State Synchronization: a process by which ASAs interact to receive
the current state of parameter values stored in other ASAs. This
is a special case of negotiation in which information is sent but
the ASAs do not request their peers to change parameter settings.
All other definitions apply to both negotiation and
synchronization.
o Technical Objective (usually abbreviated as Objective): A
technical objective is a configurable parameter or set of
parameters of some kind, which occurs in three contexts:
Bormann, et al. Expires May 3, 2017 [Page 10]
Internet-Draft GRASP October 2016
Discovery, Negotiation and Synchronization. In the protocol, an
objective is represented by an identifier and if relevant a value.
Normally, a given objective will not occur in negotiation and
synchronization contexts simultaneously.
* One ASA may support multiple independent objectives.
* The parameter described by a given objective is naturally based
on a specific service or function or action. It may in
principle be anything that can be set to a specific logical,
numerical or string value, or a more complex data structure, by
a network node. That node is generally expected to contain an
ASA which may itself manage subsidiary non-autonomic nodes.
* Discovery Objective: if a node needs to synchronize or
negotiate a specific objective but does not know a peer that
supports this objective, it starts a discovery process. The
objective is called a Discovery Objective during this process.
* Synchronization Objective: an objective whose specific
technical content needs to be synchronized among two or more
ASAs.
* Negotiation Objective: an objective whose specific technical
content needs to be decided in coordination with another ASA.
o Discovery Initiator: an ASA that spontaneously starts discovery by
sending a discovery message referring to a specific discovery
objective.
o Discovery Responder: a peer that either contains an ASA supporting
the discovery objective indicated by the discovery initiator, or
caches the locator(s) of the ASA(s) supporting the objective. The
locator(s) are indicated in a Discovery Response, which is
normally sent by the protocol kernel, as described later.
o Synchronization Initiator: an ASA that spontaneously starts
synchronization by sending a request message referring to a
specific synchronization objective.
o Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.
o Negotiation Initiator: an ASA that spontaneously starts
negotiation by sending a request message referring to a specific
negotiation objective.
Bormann, et al. Expires May 3, 2017 [Page 11]
Internet-Draft GRASP October 2016
o Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.
3.2. High Level Deployment Model
It is expected that a GRASP implementation will reside in an
autonomic node that also contains both the appropriate security
environment, preferably the Autonomic Control Plane (ACP)
[I-D.ietf-anima-autonomic-control-plane], and one or more Autonomic
Service Agents (ASAs). In the minimal case of a single-purpose
device, these three components might be fully integrated. A more
common model is expected to be a multi-purpose device capable of
containing several ASAs. In this case it is expected that the ACP,
GRASP and the ASAs will be implemented as separate processes, which
are probably multi-threaded to support asynchronous and simultaneous
operations. It is expected that GRASP will access the ACP by using a
typical socket interface. A well defined Application Programming
Interface (API) will be needed between GRASP and the ASAs. In some
implementations, ASAs would run in user space with a GRASP library
providing the API, and this library would in turn communicate via
system calls with core GRASP functions running in kernel mode. For
further details of possible deployment models, see
[I-D.ietf-anima-reference-model].
A GRASP instance must be aware of its network interfaces, and of its
own global-scope and link-local addresses. In the presence of the
ACP, such information will be available from the adjacency table
discussed in [I-D.ietf-anima-reference-model]. In other cases, GRASP
must determine such information for itself. Details depend on the
operating system.
Because GRASP needs to work whatever happens, especially during
bootstrapping and during fault conditions, it is essential that every
implementation is as robust as possible. For example, discovery
failures, or any kind of socket error at any time, must not cause
irrecoverable failures in GRASP itself, and must return suitable
error codes through the API so that ASAs can also recover.
GRASP must always start up correctly after a system restart. All run
time error conditions, and events such as address renumbering,
network interface failures, and CPU sleep/wake cycles, must be
handled in such a way that GRASP will still operate correctly and
securely (Section 3.5.1) afterwards.
An autonomic node will normally run a single instance of GRASP, used
by multiple ASAs. However, scenarios where multiple instances of
GRASP run in a single node, perhaps with different security
properties, are not excluded. In this case, each instance MUST
Bormann, et al. Expires May 3, 2017 [Page 12]
Internet-Draft GRASP October 2016
listen independently for GRASP link-local multicasts in order for
discovery and flooding to work correctly.
3.3. High Level Design Choices
This section describes a behavior model and design considerations for
GRASP, supporting discovery, synchronization and negotiation, to act
as a platform for different technical objectives.
o A generic platform
The protocol is designed as a generic platform, which is
independent from the synchronization or negotiation contents. It
takes care of the general intercommunication between counterparts.
The technical contents will vary according to the various
technical objectives and the different pairs of counterparts.
o The protocol is expected to form part of an Autonomic Networking
Infrastructure [I-D.ietf-anima-reference-model]. It will provide
services to ASAs via a suitable application programming interface
(API), which will reflect the protocol elements but will not
necessarily be in one-to-one correspondence to them. This API is
out of scope for the present document.
o It is normally expected that a single main instance of GRASP will
exist in an autonomic node, and that the protocol engine and each
ASA will run as independent asynchronous processes. However,
separate GRASP instances may exist for security reasons
(Section 3.5.2).
o Security infrastructure and trust relationship
Because this negotiation protocol may directly cause changes to
device configurations and bring significant impacts to a running
network, this protocol is assumed to run within an existing secure
environment with strong authentication. As a design choice, the
protocol itself is not provided with built-in security
functionality.
On the other hand, a limited negotiation model might be deployed
based on a limited trust relationship. For example, between two
administrative domains, ASAs might also exchange limited
information and negotiate some particular configurations based on
a limited conventional or contractual trust relationship.
Bormann, et al. Expires May 3, 2017 [Page 13]
Internet-Draft GRASP October 2016
o Discovery, synchronization and negotiation are designed together.
The discovery method and the synchronization and negotiation
methods are designed in the same way and can be combined when this
is useful. These processes can also be performed independently
when appropriate.
* GRASP discovery is always available for efficient discovery of
GRASP peers and allows a rapid mode of operation described in
Section 3.5.4. For some objectives, especially those concerned
with application layer services, another discovery mechanism
such as the future DNS Service Discovery [RFC7558] or Service
Location Protocol [RFC2608] MAY be used. The choice is left to
the designers of individual ASAs.
o A uniform pattern for technical contents
The synchronization and negotiation contents are defined according
to a uniform pattern. They could be carried either in simple
binary format or in payloads described by a flexible language.
The basic protocol design uses the Concise Binary Object
Representation (CBOR) [RFC7049]. The format is extensible for
unknown future requirements.
o A flexible model for synchronization
GRASP supports bilateral synchronization, which could be used to
perform synchronization among a small number of nodes. It also
supports an unsolicited flooding mode when large groups of nodes,
possibly including all autonomic nodes, need data for the same
technical objective.
* There may be some network parameters for which a more
traditional flooding mechanism such as DNCP [RFC7787] is
considered more appropriate. GRASP can coexist with DNCP.
o A simple initiator/responder model for negotiation
Multi-party negotiations are too complicated to be modeled and
there might be too many dependencies among the parties to converge
efficiently. A simple initiator/responder model is more feasible
and can complete multi-party negotiations by indirect steps.
o Organizing of synchronization or negotiation content
Bormann, et al. Expires May 3, 2017 [Page 14]
Internet-Draft GRASP October 2016
Naturally, the technical content will be organized according to
the relevant function or service. The content from different
functions or services is kept independent from each other. They
are not combined into a single option or single session because
these contents may be negotiated or synchronized with different
counterparts or may be different in response time. Thus a normal
arrangement would be a single ASA managing a small set of closely
related objectives, with a version of that ASA in each relevant
autonomic node. Further discussion of this aspect is out of scope
for the current document.
o Requests and responses in negotiation procedures
The initiator can negotiate with its relevant negotiation
counterpart ASAs, which may be different according to the specific
negotiation objective. It can request relevant information from
the negotiation counterpart so that it can decide its local
configuration to give the most coordinated performance. It can
request the negotiation counterpart to make a matching
configuration in order to set up a successful communication with
it. It can request certain simulation or forecast results by
sending some dry run conditions.
Beyond the traditional yes/no answer, the responder can reply with
a suggested alternative value for the objective concerned. This
would start a bi-directional negotiation ending in a compromise
between the two ASAs.
o Convergence of negotiation procedures
To enable convergence, when a responder makes a suggestion of a
changed condition in a negative reply, it should be as close as
possible to the original request or previous suggestion. The
suggested value of the third or later negotiation steps should be
chosen between the suggested values from the last two negotiation
steps. In any case there must be a mechanism to guarantee
convergence (or failure) in a small number of steps, such as a
timeout or maximum number of iterations.
* End of negotiation
A limited number of rounds, for example three, or a timeout, is
needed on each ASA for each negotiation objective. It may be
an implementation choice, a pre-configurable parameter, or
Bormann, et al. Expires May 3, 2017 [Page 15]
Internet-Draft GRASP October 2016
network Intent. These choices might vary between different
types of ASA. Therefore, the definition of each negotiation
objective MUST clearly specify this, so that the negotiation
can always be terminated properly.
* Failed negotiation
There must be a well-defined procedure for concluding that a
negotiation cannot succeed, and if so deciding what happens
next (deadlock resolution, tie-breaking, or revert to best-
effort service). Again, this MUST be specified for individual
negotiation objectives, as an implementation choice, a pre-
configurable parameter, or network Intent.
o Extensibility
GRASP does not have a version number. In most cases new semantics
will be added by defining new synchronization or negotiation
objectives. However, the protocol could be extended by adding new
message types and options in future.
3.4. Quick Operating Overview
GRASP is expected to run as an operating system core module,
providing an API (such as [I-D.liu-anima-grasp-api]) to interface to
less privileged ASAs. Thus ASAs may operate without special
privilege, unless they need it for other reasons (such as configuring
IP addresses or manipulating routing tables).
The GRASP mechanisms used by the ASA are built around GRASP
objectives defined as data structures containing administrative
information such as the objective's unique name, and its current
value. The format and size of the value is not restricted by the
protocol, except that it must be possible to serialise it for
transmission in CBOR, which is no restriction at all in practice.
The GRASP provides the following mechanisms:
o A discovery mechanism (M_DISCOVERY, M_RESPONSE), by which an ASA
can discover other ASAs supporting a given objective.
o A negotiation request mechanism (M_REQ_NEG), by which an ASA can
start negotiation of an objective with a counterpart ASA. Once a
negotiation has started, the process is symmetrical, and there is
a negotiation step message (M_NEGOTIATE) for each ASA to use in
turn. Two other functions support negotiating steps (M_WAIT,
M_END).
Bormann, et al. Expires May 3, 2017 [Page 16]
Internet-Draft GRASP October 2016
o A synchronization mechanism (M_REQ_SYN), by which an ASA can
request the current value of an objective from a counterpart ASA.
With this, there is a corresponding response function (M_SYNCH)
for an ASA that wishes to respond to synchronization requests.
o A flood mechanism (M_FLOOD), by which an ASA can cause the current
value of an objective to be flooded throughout the AN so that any
ASA can receive it.
3.5. GRASP Protocol Basic Properties and Mechanisms
3.5.1. Required External Security Mechanism
The protocol SHOULD run within a secure Autonomic Control Plane (ACP)
[I-D.ietf-anima-autonomic-control-plane]. The ACP is assumed to
carry all messages securely, including link-local multicast if
possible. A GRASP implementation MUST verify whether the ACP is
operational.
If there is no ACP, the protocol MUST use another form of strong
authentication and SHOULD use a form of strong encryption. TLS
[RFC5246] is RECOMMENDED for this purpose, based on a local Public
Key Infrastructure (PKI) [RFC5280] managed within the autonomic
network itself. The details of such a PKI and how its boundary is
established are out of scope for this document. DTLS [RFC6347] MAY
be used but since GRASP operations usually involve several messages
this is not expected to be advantageous.
The ACP, or in its absence the local PKI, sets the boundary within
which nodes are trusted as GRASP peers. A GRASP implementation MUST
refuse to execute GRASP synchronization and negotiation functions if
there is neither an operational ACP nor an operational TLS or DTLS
environment.
Link-local multicast is used for discovery messages. Responses to
discovery messages MUST be secured, with one exception mentioned in
the next section.
3.5.2. Limited Security Instances
This section describes three cases where additional instances of
GRASP are appropriate.
1) As mentioned in Section 3.3, some GRASP operations might be
performed across an administrative domain boundary by mutual
agreement. Such operations MUST be confined to a separate instance
of GRASP with its own copy of all GRASP data structures. Messages
Bormann, et al. Expires May 3, 2017 [Page 17]
Internet-Draft GRASP October 2016
MUST be authenticated and SHOULD be encrypted. TLS is RECOMMENDED
for this purpose.
2) During initialisation, before a node has joined the applicable
trust infrastructure, [I-D.ietf-anima-bootstrapping-keyinfra], it is
impossible to secure messages. Thus, the security bootstrap process
needs to use insecure GRASP discovery, response and flood messages.
Such usage MUST be limited to link-local operations and MUST be
confined to a separate insecure instance of GRASP with its own copy
of all GRASP data structures. This instance is nicknamed DULL -
Discovery Unsolicited Link Local.
The detailed rules for the DULL instance of GRASP are as follows:
o An initiator MUST only send Discovery or Flood Synchronization
link-local multicast messages with a loop count of 1. A responder
MAY send a Discovery Response message. Other GRASP message types
MUST NOT be sent.
o A responder MUST silently discard any message whose loop count is
not 1.
o A responder MUST silently discard any message referring to a GRASP
Objective that is not directly part of the bootstrap creation
process.
o A responder MUST NOT relay any multicast messages.
o A Discovery Response MUST indicate a link-local address.
o A Discovery Response MUST NOT include a Divert option.
o A node MUST silently discard any message whose source address is
not link-local.
3) During ACP formation [I-D.ietf-anima-autonomic-control-plane], a
separate instance of GRASP is used, with unicast messages secured by
TLS, and with its own copy of all GRASP data structures. This
instance is nicknamed SONN - Secure Only Neighbor Negotiation.
The detailed rules for the SONN instance of GRASP are as follows:
o Any type of GRASP message MAY be sent.