-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdraft-ietf-anima-grasp-12.xml
3484 lines (2905 loc) · 179 KB
/
draft-ietf-anima-grasp-12.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This is built from a template for a generic Internet Draft. Suggestions for
improvement welcome - write to Brian Carpenter, brian.e.carpenter @ gmail.com
This can be converted using the Web service at http://xml.resource.org/ -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<!-- You want a table of contents -->
<?rfc symrefs="yes"?>
<!-- Use symbolic labels for references -->
<?rfc sortrefs="yes"?>
<!-- This sorts the references -->
<?rfc iprnotified="no" ?>
<!-- Change to "yes" if someone has disclosed IPR for the draft -->
<?rfc compact="yes"?>
<!-- This defines the specific filename and version number of your draft (and inserts the appropriate IETF boilerplate -->
<rfc category="std" docName="draft-ietf-anima-grasp-12" ipr="trust200902">
<front>
<title abbrev="GRASP">A Generic Autonomic Signaling Protocol (GRASP)</title>
<author initials="C." surname="Bormann" fullname="Carsten Bormann">
<organization>Universität Bremen TZI</organization>
<address>
<postal>
<street>Postfach 330440</street>
<city>D-28359 Bremen</city>
<country>Germany</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Brian Carpenter" initials="B. E." surname="Carpenter" role="editor">
<organization abbrev="Univ. of Auckland"/>
<address>
<postal>
<street>Department of Computer Science</street>
<street>University of Auckland</street>
<street>PB 92019</street>
<city>Auckland</city>
<region/>
<code>1142</code>
<country>New Zealand</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Bing Liu" initials="B." surname="Liu" role="editor">
<organization>Huawei Technologies Co., Ltd</organization>
<address>
<postal>
<street>Q14, Huawei Campus</street>
<street>No.156 Beiqing Road</street>
<city>Hai-Dian District, Beijing</city>
<code>100095</code>
<country>P.R. China</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<!---->
<date day="19" month="May" year="2017"/>
<abstract>
<t>This document establishes requirements for a signaling protocol that enables autonomic
nodes and autonomic service agents to dynamically discover peers, to synchronize
state with them, and to negotiate parameter settings with them. The document
then defines a general protocol for discovery, synchronization and negotiation,
while the technical objectives for specific scenarios are to be described in
separate documents. An Appendix briefly discusses existing protocols with
comparable features.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have become more and more
problematic for human based management. Also, operational costs are growing quickly.
Consequently, there are increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in
<xref target="RFC7575"/> and <xref target="RFC7576"/>. </t>
<t>One approach is to largely decentralize the logic of network management by migrating it
into network elements. A reference model for autonomic networking on this basis is given in
<xref target="I-D.ietf-anima-reference-model"/>. The reader should consult this document
to understand how various autonomic components fit together.
In order to fulfill autonomy, devices that embody Autonomic Service Agents
(ASAs, <xref target="RFC7575"/>)
have specific signaling requirements. In particular they need to discover each other,
to synchronize state with each other,
and to negotiate parameters and resources directly with each other.
There is no limitation on the types of parameters and resources concerned,
which can include very basic information needed for addressing and routing,
as well as anything else that might be configured in a conventional non-autonomic network.
The atomic unit of discovery, synchronization or negotiation is referred to as a technical
objective, i.e, a configurable parameter or set of parameters
(defined more precisely in <xref target="terms"/>).</t>
<t>Following this Introduction, <xref target="reqts"/> describes the requirements
for discovery, synchronization and negotiation.
Negotiation is an iterative process, requiring multiple message exchanges forming
a closed loop between the negotiating entities. In fact, these entities are
ASAs, normally but not necessarily in different network devices.
State synchronization, when needed,
can be regarded as a special case of negotiation, without iteration.
<xref target="highlevel"/> describes a behavior model for a protocol
intended to support discovery, synchronization and negotiation. The
design of GeneRic Autonomic Signaling Protocol (GRASP) in <xref target="Overview"/>
of this document is based on this behavior model. The relevant capabilities
of various existing protocols are reviewed in <xref target="current"/>.</t>
<t>The proposed discovery mechanism is oriented towards synchronization and
negotiation objectives. It is based on a neighbor discovery process on the
local link, but also supports diversion to peers on other links.
There is no assumption of any particular form of network topology.
When a device starts up with no pre-configuration,
it has no knowledge of the topology. The protocol itself is capable of
being used in a small and/or flat network structure such as a small
office or home network as well as in a large professionally managed network.
Therefore, the discovery mechanism needs to be able to allow a device
to bootstrap itself without making any prior assumptions about network
structure. </t>
<t>Because GRASP can be used as part of a decision process among distributed
devices or between networks, it must run in a secure and strongly authenticated
environment.
</t>
<t>In realistic deployments, not all devices will
support GRASP. Therefore, some autonomic service agents will directly
manage a group of non-autonomic nodes, and other non-autonomic nodes
will be managed traditionally. Such mixed scenarios
are not discussed in this specification.</t>
</section>
<!-- intro -->
<section anchor="reqts" title="Requirement Analysis of Discovery, Synchronization and Negotiation">
<t>This section discusses the requirements for discovery, negotiation
and synchronization capabilities. The primary user of the protocol is an autonomic service
agent (ASA), so the requirements are mainly expressed as the features needed by an ASA.
A single physical device might contain several ASAs, and a single ASA might manage
several technical objectives. If a technical objective is managed by several ASAs,
any necessary coordination is outside the scope of the GRASP signaling protocol.
Furthermore, requirements for ASAs themselves, such as the processing of Intent
<xref target="RFC7575"/>, are out of scope for the present document.</t>
<section title="Requirements for Discovery">
<t>D1. ASAs may be designed to manage any type of configurable device or software,
as required in <xref target="synchreq"/>. A basic requirement
is therefore that the protocol can represent and discover any
kind of technical objective among arbitrary subsets of participating nodes.</t>
<t>In an autonomic network we must assume that when a device starts up
it has no information about any peer devices, the network structure,
or what specific role it must play. The ASA(s) inside the device are
in the same situation. In some cases, when a new application session
starts up within a device, the device or ASA may again lack
information about relevant peers. For example, it might be necessary to set
up resources on multiple other devices, coordinated and matched to
each other so that there is no wasted resource. Security settings
might also need updating to allow for the new device or user.
The relevant peers may be different for different technical
objectives. Therefore discovery needs to be repeated as often as
necessary to find peers capable of acting as counterparts for each
objective that a discovery initiator needs to handle.
From this background we derive the next three requirements:</t>
<t>D2. When an ASA first starts up, it may have no knowledge of the specific network to
which it is attached.
Therefore the discovery process must be able to support any network scenario,
assuming only that the device concerned is bootstrapped from factory condition.
</t>
<t>D3. When an ASA starts up, it must require no configured location information about any
peers in order to discover them.</t>
<t>D4. If an ASA supports multiple technical objectives, relevant peers may be different
for different discovery objectives, so discovery needs to be performed separately to
find counterparts for each objective. Thus, there must be a mechanism by
which an ASA can separately discover peer ASAs for each of the
technical objectives that it needs to manage, whenever necessary.</t>
<t>D5. Following discovery, an ASA will normally perform negotiation
or synchronization for the corresponding objectives. The design
should allow for this by conveniently linking discovery to negotiation
and synchronization. It may provide an optional mechanism to
combine discovery and negotiation/synchronization in a single protocol exchange.</t>
<t>D6. Some objectives may only be significant on the local link,
but others may be significant across the routed network and require
off-link operations. Thus, the relevant peers might be immediate
neighbors on the same layer 2 link, or they might be more distant and
only accessible via layer 3. The mechanism must therefore provide both
on-link and off-link discovery of ASAs supporting specific technical
objectives.</t>
<t>D7. The discovery process should be flexible enough to allow for
special cases, such as the following:
<list style="symbols">
<t>During initialization, a device must be able to establish mutual trust
with the rest of the network and participate in an authentication mechanism. Although
this will inevitably start with a discovery action, it is a special case
precisely because trust is not yet established. This topic
is the subject of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>.
We require that once trust has been established for a device,
all ASAs within the device inherit the device's credentials and are also trusted.
This does not preclude the device having multiple credentials.</t>
<t>
Depending on the type of network involved, discovery of other
central functions might be needed, such as
the Network Operations Center (NOC) <xref target="I-D.ietf-anima-stable-connectivity"/>.
The protocol must be capable of supporting such discovery during initialization,
as well as discovery during ongoing operation.</t>
</list></t>
<t>D8. The discovery process must not generate excessive traffic and
must take account of sleeping nodes. </t>
<t>D9. There must be a mechanism for handling stale discovery results.</t>
</section>
<section anchor="synchreq" title="Requirements for Synchronization and Negotiation Capability">
<t>As background, consider the example of routing protocols, the closest
approximation to autonomic networking already in widespread use. Routing
protocols use a largely autonomic model based on distributed devices
that communicate repeatedly with each other. The focus
is reachability, so routing protocols primarily consider simple
link status and metrics, and an underlying assumption is that
nodes need a consistent, although partial, view of the network topology
in order for the routing algorithm to converge. Also, routing is
mainly based on simple information synchronization between peers,
rather than on bi-directional negotiation.</t>
<t>By contrast, autonomic networks need to be able to manage many
different types of parameter and consider many more dimensions,
such as latency, load, unused or limited resources,
conflicting resource requests,
security settings, power saving, load balancing, etc.
Status information and resource metrics need to be shared between
nodes for dynamic adjustment of resources and for monitoring purposes.
While this might be achieved by existing protocols when they are
available, the new protocol needs to be able to support parameter
exchange, including mutual synchronization, even when no negotiation
as such is required. In general, these parameters do not apply to all
participating nodes, but only to a subset. </t>
<t>SN1. A basic requirement for the protocol is therefore the
ability to represent, discover, synchronize and negotiate almost any
kind of network parameter among selected subsets of participating nodes.</t>
<t>SN2. Negotiation is an iterative request/response process that must be guaranteed to terminate
(with success or failure). While tie-breaking rules must be defined specifically
for each use case, the protocol should have some general mechanisms in support of loop
and deadlock prevention, such as hop count limits or timeouts.</t>
<t>SN3. Synchronization must be possible for groups of nodes ranging from small to very large.
</t>
<t>SN4. To avoid "reinventing the wheel", the protocol should be able to encapsulate the
data formats used by existing configuration protocols (such as NETCONF/YANG)
in cases where that is convenient.</t>
<t>SN5. Human intervention in complex situations is costly and error-prone.
Therefore, synchronization or negotiation of parameters without human
intervention is desirable whenever the coordination of multiple devices can improve
overall network performance. It follows that the protocol's resource requirements
must be appropriate for any device that would otherwise need human intervention.
The issue of running in constrained nodes
is discussed in <xref target="I-D.ietf-anima-reference-model"/>.</t>
<t>SN6. Human intervention in large networks is often replaced by use of a
top-down network management system (NMS). It therefore follows that
the protocol, as part of the Autonomic Networking Infrastructure, should
be capable of running in any device that would otherwise be managed by
an NMS, and that it can co-exist with an NMS, and with protocols
such as SNMP and NETCONF.</t>
<t>SN7. Some features are expected to be implemented by individual ASAs,
but the protocol must be general enough to allow them:
<list style="symbols">
<t>Dependencies and conflicts: In order to
decide upon a configuration for a given device, the device may need
information from neighbors. This can be established through the
negotiation procedure, or through synchronization if that
is sufficient. However, a given item in a neighbor
may depend on other information from its own neighbors, which may
need another negotiation or synchronization procedure to obtain or decide.
Therefore, there are potential dependencies and conflicts among negotiation or synchronization
procedures. Resolving dependencies and conflicts is a matter for the individual ASAs involved.
To allow this, there need to be clear boundaries and convergence
mechanisms for negotiations. Also some mechanisms are needed to avoid
loop dependencies or uncontrolled growth in a tree of dependencies.
It is the ASA designer's responsibility
to avoid or detect looping dependencies or excessive growth of dependency trees.
The protocol's role is limited to bilateral signaling between ASAs,
and the avoidance of loops during bilateral signaling.</t>
<t>Recovery from faults and identification of faulty devices should be
as automatic as possible. The protocol's role is limited to discovery, synchronization and
negotiation. These processes can occur at any time, and an ASA may
need to repeat any of these steps when the ASA detects an event
such as a negotiation counterpart failing.</t>
<t>Since a major goal is to minimize human intervention, it is necessary that the
network can in effect "think ahead" before changing its parameters. One aspect
of this is an ASA that relies on a knowledge base to predict network behavior.
This is out of scope for the signaling protocol. However, another aspect is
forecasting the effect of a change by a "dry run" negotiation before actually
installing the change. Signaling a dry run is therefore a desirable feature
of the protocol. </t>
</list></t>
<t>Note that management logging, monitoring, alerts and tools for intervention are required.
However, these can only be features of individual ASAs, not of the protocol itself.
Another document <xref target="I-D.ietf-anima-stable-connectivity"/> discusses how
such agents may be linked into conventional OAM systems via an Autonomic Control Plane
<xref target="I-D.ietf-anima-autonomic-control-plane"/>. </t>
<t>SN8. The protocol will be able to deal with a wide variety of
technical objectives, covering any type of network parameter.
Therefore the protocol will need a flexible and easily extensible format for
describing objectives. At a later stage it may be desirable to adopt an explicit
information model. One consideration is whether to adopt an existing
information model or to design a new one. </t>
</section>
<section title="Specific Technical Requirements">
<t>T1. It should be convenient for ASA designers to define new technical objectives
and for programmers to express them, without excessive impact on
run-time efficiency and footprint. In particular, it should be convenient for ASAs
to be implemented independently of each other as user space programs rather than as kernel
code, where such a programming model is possible. The classes of device in which the protocol
might run is discussed in <xref target="I-D.ietf-anima-reference-model"/>.
</t>
<t>T2. The protocol should be easily extensible in case the initially defined discovery,
synchronization and negotiation mechanisms prove to be insufficient. </t>
<t>T3. To be a generic platform, the protocol payload format should be
independent of the transport protocol or IP version.
In particular, it should be able to run over IPv6 or IPv4.
However, some functions, such as multicasting on
a link, might need to be IP version dependent. By default, IPv6 should
be preferred.</t>
<t>T4. The protocol must be able to access off-link counterparts via routable addresses,
i.e., must not be restricted to link-local operation.</t>
<t>T5. It must also be possible for an external discovery mechanism
to be used, if appropriate for a given technical objective. In other words, GRASP discovery
must not be a prerequisite for GRASP negotiation or synchronization. </t>
<t>T6. The protocol must be capable of distinguishing multiple simultaneous
operations with one or more peers, especially when wait states occur.</t>
<t>T7. Intent: Although the distribution of Intent is out of scope
for this document, the protocol must not by design exclude its
use for Intent distribution. </t>
<t>T8. Management monitoring, alerts and intervention:
Devices should be able to report to a monitoring
system. Some events must be able to generate operator alerts and
some provision for emergency intervention must be possible (e.g.
to freeze synchronization or negotiation in a mis-behaving device). These features
might not use the signaling protocol itself, but its design should not exclude such use.</t>
<t>T9. Because this protocol may directly cause changes to device configurations
and have significant impacts on a running network, all protocol exchanges need to be
fully secured against forged messages and man-in-the middle attacks, and secured
as much as reasonably possible against denial of service attacks. There must also
be an encryption mechanism to resist unwanted monitoring. However, it is not required
that the protocol itself provides these security features; it may depend on an existing
secure environment. </t>
</section>
</section>
<!-- reqts -->
<section anchor="Overview" title="GRASP Protocol Overview">
<section anchor="terms" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119"/> when they appear in ALL CAPS. When these words
are not in ALL CAPS (such as "should" or "Should"), they have their
usual English meanings, and are not to be interpreted as <xref target="RFC2119"/> key words.</t>
<t>This document uses terminology defined in <xref target="RFC7575"/>.</t>
<t>The following additional terms are used throughout this document:
<list style="symbols">
<!-- <t>Autonomic Device: identical to Autonomic Node.</t> -->
<t>Discovery: a process by which an ASA discovers peers
according to a specific discovery objective. The discovery results
may be different according to the different discovery objectives.
The discovered peers may later be used as negotiation
counterparts or as sources of synchronization data. </t>
<t>Negotiation: a process by which two ASAs interact
iteratively to agree on parameter settings that best satisfy the
objectives of both ASAs.</t>
<t>State Synchronization: a process by which ASAs
interact to receive the current state of parameter
values stored in other ASAs. This is a special case of negotiation
in which information is sent but the ASAs do not request
their peers to change parameter settings. All other definitions
apply to both negotiation and synchronization. </t>
<t>Technical Objective (usually abbreviated as Objective):
A technical objective is a data structure, whose main contents
are a name and a value. The value consists of a single configurable
parameter or a set of parameters of some kind. The exact
format of an objective is defined in <xref target="ObjForm"/>.
An objective occurs in three contexts: Discovery, Negotiation
and Synchronization. Normally, a given objective will not
occur in negotiation and synchronization contexts simultaneously.
<list style="symbols">
<t>One ASA may support multiple independent objectives.</t>
<t>The parameter(s) in the value of a given objective apply to
a specific service or function or action. They may in principle be
anything that can be set to a specific logical, numerical or string
value, or a more complex data structure, by a network node.
Each node is expected to contain one or more ASAs
which may each manage subsidiary non-autonomic nodes.</t>
<t>Discovery Objective: an objective in the process of discovery. Its value
may be undefined.</t>
<t>Synchronization Objective: an objective whose specific technical content
needs to be synchronized among two or more ASAs. Thus, each ASA will maintain
its own copy of the objective.</t>
<t>Negotiation Objective: an objective whose specific technical content
needs to be decided in coordination with another ASA. Again, each ASA will maintain
its own copy of the objective.</t>
</list>
A detailed discussion of objectives, including their format, is found in <xref target="ObjOption"/>.</t>
<t>Discovery Initiator: an ASA that starts discovery
by sending a discovery message referring to a specific discovery
objective.</t>
<t>Discovery Responder: a peer that either contains an ASA supporting the discovery objective
indicated by the discovery initiator, or caches the locator(s) of the ASA(s) supporting
the objective. It sends a Discovery Response, as described later.</t>
<t>Synchronization Initiator: an ASA that starts synchronization
by sending a request message referring to a specific synchronization
objective.</t>
<t>Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.</t>
<t>Negotiation Initiator: an ASA that starts
negotiation by sending a request message referring to a specific
negotiation objective.</t>
<t>Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.</t>
<t>GRASP Instance: This refers to an instantiation of a GRASP protocol engine, likely including
multiple threads or processes as well as dynamic data structures such as a discovery cache, running in
a given security environment on a single device. </t>
<t>Interface or GRASP Interface: Unless otherwise stated, these refer to a network
interface - which might be physical or virtual - that a specific instance of
GRASP is currently using. A device might have other interfaces that are not
used by GRASP and which are outside the scope of the autonomic network.</t>
</list></t>
</section>
<section anchor="hilev" title="High Level Deployment Model">
<t>A GRASP implementation will be part of the Autonomic Networking Infrastructure
in an autonomic node, which must also provide an appropriate security environment.
In accordance with <xref target="I-D.ietf-anima-reference-model"/>, this SHOULD be the
Autonomic Control Plane (ACP) <xref target="I-D.ietf-anima-autonomic-control-plane"/>.
It is expected that GRASP will access the ACP by using a typical socket programming interface
and the ACP will make available only network interfaces within the autonomic network.
If there is no ACP, the considerations described in <xref target="reqsec"/> apply. </t>
<t>
There will also be one or more Autonomic Service Agents (ASAs). In the minimal case
of a single-purpose device, these components might be fully integrated with GRASP
and the ACP. A more
common model is expected to be a multi-purpose device capable of containing
several ASAs. In this case it is expected that the ACP, GRASP and the ASAs will
be implemented as separate processes, which are probably multi-threaded to support
asynchronous and simultaneous operations.</t>
<t>In some scenarios, a limited negotiation model might be deployed based on a limited
trust relationship such as that between two administrative domains. ASAs might then
exchange limited information and negotiate some particular configurations.</t>
<t>GRASP is explicitly designed to operate within a single addressing realm.
Its discovery and flooding mechanisms do not support autonomic operations that
cross any form of address translator or upper layer proxy.</t>
<t>A suitable Application Programming Interface (API) will be needed
between GRASP and the ASAs. In some implementations, ASAs would run in user
space with a GRASP library providing the API, and this library would in turn
communicate via system calls with core GRASP functions.
Details of the API are out of scope for the present document.
For further details of possible deployment models, see
<xref target="I-D.ietf-anima-reference-model"/>.
</t>
<t>An instance of GRASP must be aware of the network interfaces it will use, and of the
appropriate global-scope
and link-local addresses. In the presence of the ACP, such information will be available from
the adjacency table discussed in <xref target="I-D.ietf-anima-reference-model"/>.
In other cases, GRASP must determine such information for itself. Details depend on the
device and operating system. In the rest of this document, the terms 'interfaces'
or 'GRASP interfaces'
refers only to the set of network interfaces that a specific instance
of GRASP is currently using. </t>
<t>Because GRASP needs to work with very high reliability, especially during bootstrapping
and during fault conditions, it is essential that every implementation is as
robust as possible. For example, discovery failures, or any kind of socket exception
at any time, must not cause irrecoverable failures in GRASP itself, and must
return suitable error codes through the API so that ASAs can also recover.
</t>
<t>GRASP must not depend upon non-volatile data storage. All run time error
conditions, and events such as address renumbering, network interface failures,
and CPU sleep/wake cycles, must be handled in such a way that GRASP will still
operate correctly and securely (<xref target="reqsec"/>) afterwards.</t>
<t>An autonomic node will normally run a single instance of GRASP, used by multiple ASAs.
Possible exceptions are mentioned below.
</t>
</section>
<section anchor="highlevel" title="High Level Design Choices">
<t>This section describes a behavior model and design choices for
GRASP, supporting discovery, synchronization and negotiation, to
act as a platform for different technical objectives.</t>
<t><list style="symbols">
<t>A generic platform:<vspace blankLines="1"/>
The protocol design is generic and independent of the synchronization or
negotiation contents. The technical contents will vary according to the
various technical objectives and the different pairs of
counterparts.<vspace blankLines="1"/></t>
<t>Normally, a single main instance of the GRASP protocol engine will exist in an autonomic
node, and each ASA will run as an independent asynchronous process. However, scenarios
where multiple instances of GRASP run in a single node, perhaps with different security
properties, are possible (<xref target="secinst"/>). In this case, each instance MUST
listen independently for GRASP link-local multicasts,
and all instances MUST be woken by each such multicast, in order for
discovery and flooding to work correctly.
<vspace blankLines="1"/></t>
<t>Security infrastructure:<vspace blankLines="1"/>
As noted above, the protocol itself has no built-in security functionality,
and relies on a separate secure infrastructure.<vspace blankLines="1"/></t>
<t>Discovery, synchronization and negotiation are designed together:<vspace blankLines="1"/>
The discovery method and the synchronization and negotiation methods
are designed in the same way and can be combined when this is
useful, allowing a rapid mode of operation described in <xref target="discmech"/>.
These processes can also be performed independently when appropriate.
<list style="symbols">
<t>Thus, for some objectives, especially those concerned with application layer
services, another discovery mechanism such as the future DNS Service
Discovery <xref target="RFC7558"/> MAY be used.
The choice is left to the designers of individual ASAs.</t>
</list>
<vspace blankLines="1"/></t>
<t>A uniform pattern for technical objectives:<vspace blankLines="1"/>
The synchronization and negotiation objectives are defined
according to a uniform pattern. The values that they contain
could be carried either in a simple binary format or in a
complex object format. The basic protocol design uses the Concise
Binary Object Representation (CBOR) <xref target="RFC7049"/>,
which is readily extensible for unknown future requirements. <vspace blankLines="1"/></t>
<t>A flexible model for synchronization:<vspace blankLines="1"/>
GRASP supports synchronization between two nodes, which could be used
repeatedly to perform synchronization among a small number of nodes.
It also supports an unsolicited flooding mode when large groups of nodes,
possibly including all autonomic nodes, need data for the same
technical objective.
<list style="symbols">
<t>There may be some network parameters for which a more traditional flooding
mechanism such as DNCP <xref target="RFC7787"/>
is considered more appropriate. GRASP can coexist with DNCP.
</t>
</list>
<vspace blankLines="1"/></t>
<t>A simple initiator/responder model for negotiation:<vspace blankLines="1"/>
Multi-party negotiations are very complicated to model and cannot
readily be guaranteed to converge. GRASP uses a simple bilateral model
and can support multi-party negotiations by indirect steps.
<vspace blankLines="1"/></t>
<t>Organizing of synchronization or negotiation content:<vspace blankLines="1"/>
The technical content transmitted by GRASP will be
organized according to the relevant function or service. The
objectives for different functions or services are kept
separate, because they may be negotiated or synchronized with different
counterparts or have different response times. Thus a normal arrangement
would be a single ASA managing a small set of closely related objectives,
with a version of that ASA in each relevant autonomic node. Further
discussion of this aspect is out of scope for the current document.
<vspace blankLines="1"/></t>
<t>Requests and responses in negotiation procedures:<vspace blankLines="1"/>
The initiator can negotiate a specific negotiation objective with relevant
counterpart ASAs. It can request relevant information from a counterpart so that it
can coordinate its local configuration. It can request the counterpart to make
a matching configuration. It can request simulation or forecast results by sending
some dry run conditions.
<vspace blankLines="1"/>Beyond the traditional yes/no answer, the
responder can reply with a suggested alternative value for the objective
concerned. This would start a bi-directional negotiation
ending in a compromise between the two ASAs.<vspace blankLines="1"/></t>
<t>Convergence of negotiation procedures:<vspace blankLines="1"/>
To enable convergence, when a responder suggests a new value or
condition in a negotiation step reply, it should be as close as possible
to the original request or previous suggestion. The suggested value of
later negotiation steps should be chosen between the suggested values from
the previous two steps. GRASP provides mechanisms to guarantee convergence
(or failure) in a small number of steps, namely a timeout and a maximum number
of iterations.
<vspace blankLines="1"/>
</t>
<t>Extensibility:<vspace blankLines="1"/>
GRASP does not have a version number, and could be extended by adding new
message types and options. In normal use, new semantics will be added
by defining new synchronization or negotiation objectives.
</t>
</list></t>
</section>
<section title="Quick Operating Overview">
<t>An instance of GRASP is expected to run as a separate core module,
providing an API (such as <xref target="I-D.liu-anima-grasp-api"/>) to interface to
various ASAs.
These ASAs may operate without special privilege, unless they need it for
other reasons (such as configuring IP addresses or manipulating routing
tables).
</t><t>
The GRASP mechanisms used by the ASA are built around GRASP objectives
defined as data structures
containing administrative information such as the objective's unique
name, and its current value. The format and size of the value is
not restricted by the protocol, except that it must be possible to
serialise it for transmission in CBOR, which is no
restriction at all in practice.
</t><t>
GRASP provides the following mechanisms:
<list style="symbols">
<t>A discovery mechanism (M_DISCOVERY, M_RESPONSE), by which an ASA can
discover other ASAs supporting a given objective.
</t><t>
A negotiation request mechanism (M_REQ_NEG), by which an ASA can start
negotiation of an objective with a counterpart ASA. Once a negotiation has
started, the process is symmetrical, and there is a negotiation step message
(M_NEGOTIATE) for each ASA to use in turn. Two other functions support negotiating
steps (M_WAIT, M_END).
</t><t>
A synchronization mechanism (M_REQ_SYN), by which an ASA can request the
current value of an objective from a counterpart ASA. With this,
there is a corresponding response function (M_SYNCH) for an ASA that
wishes to respond to synchronization requests.
</t><t>
A flood mechanism (M_FLOOD), by which an ASA can cause the current value of
an objective to be flooded throughout the autonomic network so that any ASA can
receive it. One application of this is to act as an announcement, avoiding the need for
discovery of a widely applicable objective.</t>
</list></t>
<t>Some example messages and simple message flows are provided in <xref target="examples"/>.</t>
</section>
<section title="GRASP Protocol Basic Properties and Mechanisms">
<section anchor="reqsec" title="Required External Security Mechanism">
<t>The protocol SHOULD always run within a secure Autonomic Control Plane (ACP)
<xref target="I-D.ietf-anima-autonomic-control-plane"/>. The ACP is assumed
to carry all messages securely, including link-local multicast when
it is virtualized over the ACP.
A GRASP instance MUST verify whether the ACP is operational. </t>
<t>If there is no ACP, one of the following alternatives applies:
<list style="numbers">
<t>The protocol instance MUST use another form of strong authentication and a form
of strong encryption MUST be implemented. An exception is that during initialization of nodes there will be
a transition period during which it might not be practical to run with strong encryption.
This period MUST be as short as possible, changing to a fully secure setup as soon as possible.
See <xref target="secinst-noacp"/> for further discussion. </t>
<t>The protocol instance MUST operate as described in <xref target="secinst-dull"/>
or <xref target="secinst-sonn"/>.</t>
</list></t>
<t>Network interfaces could be at different security levels, for example
being part of the ACP or not. All the interfaces supported
by a given GRASP instance MUST be at the same security level. </t>
<t>The ACP, or in its absence another security mechanism, sets the boundary within which nodes
are trusted as GRASP peers. A GRASP implementation MUST refuse to execute GRASP
synchronization and negotiation functions if there is neither an operational
ACP nor another secure environment. </t>
<t>Link-local multicast is used for discovery messages.
Responses to discovery messages MUST be secured, with one exception mentioned in the next section.</t>
</section>
<section anchor="secinst" title="Constrained Instances">
<t>This section describes some cases where additional instances of GRASP
subject to certain constraints are appropriate.</t>
<section anchor="secinst-noacp" title="No ACP">
<t>As mentioned in <xref target="highlevel"/>, some GRASP operations might be
performed across an administrative domain boundary by mutual agreement, without the
benefit of an ACP. Such operations
MUST be confined to a separate instance of GRASP with its own copy of all GRASP
data structures. Messages MUST be authenticated and encryption MUST be implemented.
TLS <xref target="RFC5246"/> and DTLS <xref target="RFC6347"/> based on a Public Key Infrastructure (PKI)
<xref target="RFC5280"/> are RECOMMENDED for this purpose. Further details are out of scope
for this document.
</t></section>
<section anchor="secinst-dull" title="Discovery Unsolicited Link-Local">
<t>Some services may need to use insecure GRASP discovery, response
and flood messages without being able to use pre-existing security associations.
Such operations being intrinsically insecure, they need to be confined to link-local
use to minimize the risk of malicious actions. Possible examples
include discovery of candidate ACP neighbors
<xref target="I-D.ietf-anima-autonomic-control-plane"/>, discovery of bootstrap
proxies <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> or perhaps
initialization services in networks using GRASP without being fully autonomic
(e.g., no ACP).
Such usage MUST be limited to link-local operations and MUST be confined
to a separate insecure instance of GRASP with its own copy of all GRASP
data structures. This instance is nicknamed DULL - Discovery Unsolicited Link-Local.</t>
<t>The detailed rules for the DULL instance of GRASP are as follows:
<list style="symbols">
<t>An initiator MUST only send Discovery or Flood Synchronization link-local
multicast messages with a loop count of 1. <!-- A responder SHOULD NOT send a Discovery Response
message unless it cannot be avoided.--> Other GRASP message types MUST NOT be sent.</t>
<t>A responder MUST silently discard any message whose loop count is not 1.</t>
<t>A responder MUST silently discard any message referring to a GRASP Objective that is
not directly part of a service that requires this insecure mode.</t>
<t>A responder MUST NOT relay any multicast messages.</t>
<t>A Discovery Response MUST indicate a link-local address.</t>
<t>A Discovery Response MUST NOT include a Divert option.</t>
<t>A node MUST silently discard any message whose source address is not link-local.</t>
</list></t>
<t>To minimize traffic possibly observed by third parties,
GRASP traffic SHOULD be minimized by using only Flood Synchronization
to announce objectives and their associated locators, rather than by using Discovery
and Response. Further details are out of scope for this document</t>
</section>
<section anchor="secinst-sonn" title="Secure Only Neighbor Negotiation">
<t>Some services might use insecure on-link operations as in DULL,
but also use unicast synchronization or negotiation operations protected by TLS.
A separate instance of GRASP is used, with its own copy of all GRASP data structures.
This instance is nicknamed SONN - Secure Only Neighbor Negotiation.</t>
<t>
The detailed rules for the SONN instance of GRASP are as follows:
<list style="symbols">
<t>All types of GRASP message are permitted.</t>
<t>An initiator MUST send any Discovery or Flood Synchronization link-local
multicast messages with a loop count of 1.</t>
<t>A responder MUST silently discard any Discovery or Flood Synchronization message whose loop count is not 1.</t>
<t>A responder MUST silently discard any message referring to a GRASP Objective that is
not directly part of the service concerned.</t>
<t>A responder MUST NOT relay any multicast messages.</t>
<t>A Discovery Response MUST indicate a link-local address.</t>
<t>A Discovery Response MUST NOT include a Divert option.</t>
<t>A node MUST silently discard any message whose source address is not link-local.</t>
</list></t>
<t>Further details are out of scope for this document.</t>
</section>
</section>
<section anchor="trans" title="Transport Layer Usage">
<t>GRASP discovery and flooding messages are designed for use over link-local multicast
UDP. They MUST NOT be fragmented, and therefore MUST NOT exceed the link MTU size.
</t>
<t>All other GRASP messages are unicast and could in principle run over any transport protocol.
An implementation MUST support use of TCP. It MAY support use of another transport
protocol but the details are out of scope for this specification.
However, GRASP itself does not provide for error detection or retransmission. Use of an
unreliable transport protocol is therefore NOT RECOMMENDED. </t>
<!-- <t>Nevertheless, when running within a secure ACP on reliable infrastructure,
UDP MAY be used for unicast messages not exceeding the minimum IPv6 path MTU;
however, TCP MUST be used for longer messages. In other words, IPv6 fragmentation
is avoided. If a node receives a UDP message but the reply is too long, it
MUST open a TCP connection to the peer for the reply. Note that when
the network is under heavy load or in a fault condition, UDP might become
unreliable. Since this is when autonomic functions are most necessary,
automatic fallback to TCP MUST be implemented. The simplest implementation
is therefore to use only TCP.</t> -->
<t>For considerations when running without an ACP, see <xref target="secinst-noacp"/>.</t>
<t>For link-local multicast, the GRASP protocol listens to the well-known
GRASP Listen Port (<xref target="Constants"/>).
For unicast transport sessions used for discovery responses, synchronization and
negotiation, the ASA concerned normally listens on its own dynamically assigned ports,
which are communicated to its peers during discovery. However, a minimal implementation
MAY use the GRASP Listen Port for this purpose.</t>
</section>
<section anchor="discmech" title="Discovery Mechanism and Procedures">
<section title="Separated discovery and negotiation mechanisms">
<t>Although discovery and negotiation or synchronization are defined
together in GRASP, they are separate mechanisms. The discovery
process could run independently from the negotiation or synchronization
process. Upon receiving a Discovery (<xref target="DiscoveryMessage"/>)
message, the
recipient node should return a response message in which it either
indicates itself as a discovery responder or diverts the
initiator towards another more suitable ASA. However, this
response may be delayed if the recipient needs to relay
the discovery onwards, as described below.</t>
<t>The discovery action (M_DISCOVERY) will normally be followed by
a negotiation (M_REQ_NEG) or synchronization (M_REQ_SYN) action. The
discovery results could be utilized by the negotiation
protocol to decide which ASA the initiator will negotiate
with.</t>
<t>The initiator of a discovery action for a given objective need not
be capable of responding to that objective as a Negotiation Counterpart, as a
Synchronization Responder or as source for flooding. For example, an ASA might perform
discovery even if it only wishes to act a Synchronization Initiator or Negotiation Initiator.
Such an ASA does not itself need to respond to discovery messages.</t>
<t>It is also entirely possible to use GRASP discovery without any subsequent
negotiation or synchronization action. In this case, the discovered objective
is simply used as a name during the discovery process and any subsequent
operations between the peers are outside the scope of GRASP.</t>
</section>
<section anchor="discovw" title="Discovery Overview">
<t>A complete discovery process will start with a multicast (of M_DISCOVERY) on the
local link. On-link neighbors supporting the discovery objective will
respond directly (with M_RESPONSE). A neighbor with multiple interfaces will respond
with a cached discovery response if any. However, it SHOULD NOT respond
with a cached response on an interface if it learnt that information from
the same interface, because the peer in question will answer directly if still
operational. If it has no cached response, it will relay the
discovery on its other GRASP interfaces, for example reaching a higher-level gateway
in a hierarchical network. If a node receiving the relayed discovery
supports the discovery objective, it will respond to the relayed discovery.
If it has a cached response, it will respond with that.
If not, it will repeat the discovery process, which thereby becomes iterative.
The loop count and timeout will ensure that the process ends.
</t>
<t>A Discovery message MAY be sent unicast (via UDP or TCP) to a peer node,
which SHOULD then proceed exactly as if the message had been multicast,
except that when TCP is used, the response will be
on the same socket as the query. However,
this mode does not guarantee successful discovery in the general case.
</t>
</section>
<section anchor="discproc" title="Discovery Procedures">
<t>Discovery starts as an on-link operation. The Divert option
can tell the discovery initiator to contact an off-link
ASA for that discovery objective. A Discovery message is sent
by a discovery initiator via UDP to the ALL_GRASP_NEIGHBORS link-local
multicast address (<xref target="Constants"/>). Every network
device that supports GRASP always listens to a well-known
UDP port to capture the discovery messages. Because this port
is unique in a device, this is a function of the GRASP instance
and not of an individual ASA. As a result, each ASA will need to
register the objectives that it supports with the local GRASP instance.</t>
<t>If an ASA in a neighbor device supports the requested discovery objective,
the device SHOULD respond to the link-local multicast with a unicast Discovery Response
message (<xref target="ResponseMessage"/>) with locator option(s), unless it is
temporarily unavailable. Otherwise, if the neighbor has cached information
about an ASA that supports the requested discovery objective (usually
because it discovered the same objective before), it SHOULD
respond with a Discovery Response message with a Divert option pointing
to the appropriate Discovery Responder.</t>
<t>If a device has no information about the requested discovery objective,
and is not acting as a discovery relay (see below) it MUST silently
discard the Discovery message.</t>
<t>If no discovery response is received within a reasonable timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
the Discovery message MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions, to limit the load during busy periods.
Frequent repetition might be symptomatic of a denial of service attack.</t>
<t>After a GRASP device successfully discovers a locator for a Discovery Responder
supporting a specific objective, it MUST cache this information, including the interface
index via which it was discovered. This cache record MAY be used for future
negotiation or synchronization, and the locator SHOULD be passed on when appropriate
as a Divert option to another Discovery Initiator.</t>
<t>The cache mechanism MUST include a lifetime for each entry. The
lifetime is derived from a time-to-live (ttl) parameter in each
Discovery Response message.
Cached entries MUST be ignored or deleted after their lifetime expires.
In some environments, unplanned address renumbering might occur.
In such cases, the lifetime SHOULD be short compared to
the typical address lifetime and a mechanism to flush the
discovery cache MUST be implemented. The discovery mechanism
needs to track the node's current address to ensure that Discovery
Responses always indicate the correct address.</t>
<t>If multiple Discovery Responders are found for the same objective, they
SHOULD all be cached, unless this creates a resource shortage. The method
of choosing between multiple responders is an implementation choice.
This choice MUST be available to each ASA but the GRASP implementation
SHOULD provide a default choice.</t>
<t>Because Discovery Responders will be cached in a finite cache, they might
be deleted at any time. In this case, discovery will need to be repeated. If an
ASA exits for any reason, its locator might still be cached for some time,
and attempts to connect to it will fail. ASAs need to be robust in these
circumstances. </t>
</section>
<section title="Discovery Relaying">
<t>A GRASP instance with multiple link-layer interfaces (typically running in a router) MUST
support discovery on all GRASP interfaces. We refer to this as a 'relaying instance'.</t>
<t>Constrained Instances (<xref target="secinst"/>) are
always single-interface instances and therefore MUST NOT perform discovery relaying.</t>
<t>If a relaying instance receives a Discovery message
on a given interface for a specific objective that it does not support and for
which it has not previously cached a Discovery Responder, it MUST relay
the query by re-issuing a new Discovery message as a link-local multicast on its other
GRASP interfaces.</t>
<t> The relayed discovery message MUST have the same Session ID as the incoming
discovery message and MUST be tagged with the IP address of its original initiator
(see <xref target="DiscoveryMessage"/>). Note that this initiator address is only used
to allow for disambiguation of the Session ID and is never used to address Response packets,
which are sent to the relaying instance, not the original initiator.
</t>
<t>Since the relay device is unaware of the timeout set by the original
initiator it SHOULD set a timeout at least equal to GRASP_DEF_TIMEOUT milliseconds.</t>
<t>The relaying instance MUST decrement the loop count within the objective, and
MUST NOT relay the Discovery message if the result is zero.
Also, it MUST limit the total rate at which it relays discovery messages
to a reasonable value, in order to mitigate possible denial of service attacks.
It MUST cache the Session ID value and initiator address of each relayed
Discovery message until any Discovery Responses have arrived or
the discovery process has timed out.
To prevent loops, it MUST NOT relay a Discovery message
which carries a given cached Session ID and initiator address more than once.