-
Notifications
You must be signed in to change notification settings - Fork 2
/
draft-ietf-anima-reference-model-04.txt
1568 lines (1081 loc) · 64.3 KB
/
draft-ietf-anima-reference-model-04.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
ANIMA M. Behringer, Ed.
Internet-Draft
Intended status: Informational B. Carpenter
Expires: January 4, 2018 Univ. of Auckland
T. Eckert
Futurewei Technologies Inc.
L. Ciavaglia
P. Peloso
Nokia
B. Liu
Huawei Technologies
J. Nobre
Federal University of Rio Grande do Sul
J. Strassner
Huawei Technologies
July 3, 2017
A Reference Model for Autonomic Networking
draft-ietf-anima-reference-model-04
Abstract
This document describes a reference model for Autonomic Networking.
The goal is to define how the various elements in an autonomic
context work together, to describe their interfaces and relations.
While the document is written as generally as possible, the initial
solutions are limited to the chartered scope of the WG.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2018.
Behringer, et al. Expires January 4, 2018 [Page 1]
Internet-Draft AN Reference Model July 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Network View . . . . . . . . . . . . . . . . . . . . . . 4
3. The Autonomic Network Element . . . . . . . . . . . . . . . . 5
3.1. Architecture . . . . . . . . . . . . . . . . . . . . . . 5
3.2. The Adjacency Table . . . . . . . . . . . . . . . . . . . 6
3.3. State Machine . . . . . . . . . . . . . . . . . . . . . . 8
3.3.1. State 1: Factory Default . . . . . . . . . . . . . . 8
3.3.2. State 2: Enrolled . . . . . . . . . . . . . . . . . . 8
3.3.3. State 3: In ACP . . . . . . . . . . . . . . . . . . . 9
4. The Autonomic Networking Infrastructure . . . . . . . . . . . 9
4.1. Naming . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2. Addressing . . . . . . . . . . . . . . . . . . . . . . . 10
4.3. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4. Signaling Between Autonomic Nodes . . . . . . . . . . . . 12
4.5. Routing . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.6. The Autonomic Control Plane . . . . . . . . . . . . . . . 12
4.7. Information Distribution (*) . . . . . . . . . . . . . . 13
5. Security and Trust Infrastructure . . . . . . . . . . . . . . 13
5.1. Public Key Infrastructure . . . . . . . . . . . . . . . . 13
5.2. Domain Certificate . . . . . . . . . . . . . . . . . . . 14
5.3. The MASA . . . . . . . . . . . . . . . . . . . . . . . . 14
5.4. Sub-Domains (*) . . . . . . . . . . . . . . . . . . . . . 14
5.5. Cross-Domain Functionality (*) . . . . . . . . . . . . . 14
6. Autonomic Service Agents (ASA) . . . . . . . . . . . . . . . 14
6.1. General Description of an ASA . . . . . . . . . . . . . . 14
6.2. ASA Life-Cycle Management . . . . . . . . . . . . . . . . 16
6.3. Specific ASAs for the Autonomic Network Infrastructure . 17
6.3.1. The enrollment ASAs . . . . . . . . . . . . . . . . . 17
6.3.2. The ACP ASA . . . . . . . . . . . . . . . . . . . . . 17
6.3.3. The Information Distribution ASA (*) . . . . . . . . 18
7. Management and Programmability . . . . . . . . . . . . . . . 18
Behringer, et al. Expires January 4, 2018 [Page 2]
Internet-Draft AN Reference Model July 2017
7.1. How an AN Network Is Managed . . . . . . . . . . . . . . 18
7.2. Intent (*) . . . . . . . . . . . . . . . . . . . . . . . 19
7.3. Aggregated Reporting (*) . . . . . . . . . . . . . . . . 19
7.4. Feedback Loops to NOC(*) . . . . . . . . . . . . . . . . 20
7.5. Control Loops (*) . . . . . . . . . . . . . . . . . . . . 20
7.6. APIs (*) . . . . . . . . . . . . . . . . . . . . . . . . 21
7.7. Data Model (*) . . . . . . . . . . . . . . . . . . . . . 21
8. Coordination Between Autonomic Functions (*) . . . . . . . . 22
8.1. The Coordination Problem (*) . . . . . . . . . . . . . . 22
8.2. A Coordination Functional Block (*) . . . . . . . . . . . 23
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24
9.1. Consequences of a Distributed System . . . . . . . . . . 24
9.2. Security Mechanisms . . . . . . . . . . . . . . . . . . . 25
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 25
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction
The document "Autonomic Networking - Definitions and Design Goals"
[RFC7575] explains the fundamental concepts behind Autonomic
Networking, and defines the relevant terms in this space, as well as
a high level reference model. [RFC7576] provides a gap analysis
between traditional and autonomic approaches.
This document defines this reference model with more detail, to allow
for functional and protocol specifications to be developed in an
architecturally consistent, non-overlapping manner. While the
document is written as generally as possible, the initial solutions
are limited to the chartered scope of the WG.
As discussed in [RFC7575], the goal of this work is not to focus
exclusively on fully autonomic nodes or networks. In reality, most
networks will run with some autonomic functions, while the rest of
the network is traditionally managed. This reference model allows
for this hybrid approach.
This document describes phase 1 of an Autonomic Networking solution,
and covers primarily the WG items of the ANIMA WG as of July 2017.
Sections marked with (*) do not represent chartered items at this
time. New WG items will require an update to this document, or
potentially a new document.
Behringer, et al. Expires January 4, 2018 [Page 3]
Internet-Draft AN Reference Model July 2017
2. The Network View
This section describes the various elements in a network with
autonomic functions, and how these entities work together, on a high
level. Subsequent sections explain the detailed inside view for each
of the autonomic network elements, as well as the network functions
(or interfaces) between those elements.
Figure 1 shows the high level view of an Autonomic Network. It
consists of a number of autonomic nodes, which interact directly with
each other. Those autonomic nodes provide a common set of
capabilities across the network, called the "Autonomic Networking
Infrastructure" (ANI). The ANI provides functions like naming,
addressing, negotiation, synchronization, discovery and messaging.
Autonomic functions typically span several, possibly all nodes in the
network. The atomic entities of an autonomic function are called the
"Autonomic Service Agents" (ASA), which are instantiated on nodes.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
: : Autonomic Function 1 : :
: ASA 1 : ASA 1 : ASA 1 : ASA 1 :
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
: : :
: +- - - - - - - - - - - - - - + :
: : Autonomic Function 2 : :
: : ASA 2 : ASA 2 : :
: +- - - - - - - - - - - - - - + :
: : :
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
: Autonomic Networking Infrastructure :
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+--------+ : +--------+ : +--------+ : +--------+
| Node 1 |--------| Node 2 |--------| Node 3 |----...-----| Node n |
+--------+ : +--------+ : +--------+ : +--------+
Figure 1: High level view of an Autonomic Network
In a horizontal view, autonomic functions span across the network, as
well as the Autonomic Networking Infrastructure. In a vertical view,
a node always implements the ANI, plus it may have one or several
Autonomic Service Agents.
The Autonomic Networking Infrastructure (ANI) therefore is the
foundation for autonomic functions. The current charter of the ANIMA
WG is to specify the ANI, using a few autonomic functions as use
cases.
Behringer, et al. Expires January 4, 2018 [Page 4]
Internet-Draft AN Reference Model July 2017
3. The Autonomic Network Element
3.1. Architecture
This section describes an autonomic network element and its internal
architecture. The reference model explained in the document
"Autonomic Networking - Definitions and Design Goals" [RFC7575] shows
the sources of information that an autonomic service agent can
leverage: Self-knowledge, network knowledge (through discovery),
Intent, and feedback loops. There are two levels inside an autonomic
node: the level of Autonomic Service Agents, and the level of the
Autonomic Networking Infrastructure, with the former using the
services of the latter. Figure 2 illustrates this concept.
+------------------------------------------------------------+
| |
| +-----------+ +------------+ +------------+ |
| | Autonomic | | Autonomic | | Autonomic | |
| | Service | | Service | | Service | |
| | Agent 1 | | Agent 2 | | Agent 3 | |
| +-----------+ +------------+ +------------+ |
| ^ ^ ^ |
| - - | - - API level - -| - - - - - - - |- - - |
| V V V |
|------------------------------------------------------------|
| Autonomic Networking Infrastructure |
| - Data structures (ex: certificates, peer information) |
| - Autonomic Control Plane (ACP) |
| - Autonomic Node Addressing |
| Discovery, negotiation and synchronisation functions |
| - Distribution of Intent and other information |
| - Aggregated reporting and feedback loops |
| - Routing |
|------------------------------------------------------------|
| Basic Operating System Functions |
+------------------------------------------------------------+
Figure 2: Model of an autonomic node
The Autonomic Networking Infrastructure (lower part of Figure 2)
contains node specific data structures, for example trust information
about itself and its peers, as well as a generic set of functions,
independent of a particular usage. This infrastructure should be
generic, and support a variety of Autonomic Service Agents (upper
part of Figure 2). The Autonomic Control Plane (ACP) is the summary
of all interactions of the Autonomic Networking Infrastructure with
other nodes and services.
Behringer, et al. Expires January 4, 2018 [Page 5]
Internet-Draft AN Reference Model July 2017
The use cases of "Autonomics" such as self-management, self-
optimisation, etc, are implemented as Autonomic Service Agents. They
use the services and data structures of the underlying Autonomic
Networking Infrastructure, which should be self-managing.
The "Basic Operating System Functions" include the "normal OS",
including the network stack, security functions, etc.
Full AN nodes have the full Autonomic Networking Infrastructure, with
the full functionality described in this document. At a later stage
ANIMA may define a scope for constrained nodes with a reduced ANI and
well-defined minimal functionality. They are currently out of scope.
3.2. The Adjacency Table
Autonomic Networking is based on direct interactions between devices
of a domain. The Autonomic Networking Infrastructure (ANI) is
normally built on a hop-by-hop basis. Therefore, many interactions
in the ANI are based on the ANI adjacency table. There are
interactions that provide input into the adjacency table, and other
interactions that leverage the information contained in it.
The ANI adjacency table contains information about adjacent autonomic
nodes, at a minimum: node-ID, IP address in data plane, IP address in
ACP, domain, certificate. An autonomic node maintains this adjacency
table up to date. The adjacency table only contains information
about other nodes that are capable of Autonomic Networking; non-
autonomic nodes are normally not tracked here. However, the
information is tracked independently of the status of the peer nodes;
specifically, it contains information about non-enrolled nodes, nodes
of the same and other domains. The adjacency table may contain
information about the validity and trust of the adjacent autonomic
node's certificate, although all autonomic interactions must verify
validity and trust independently.
The adjacency table is fed by the following inputs:
o Link local discovery: This interaction happens in the data plane,
using IPv6 link local addressing only, because this addressing
type is itself autonomic. This way the nodes learns about all
autonomic nodes around itself. This is described in
[I-D.ietf-anima-grasp].
o Vendor re-direct: A new device may receive information on where
its home network is through a vendor based MASA re-direct; this is
typically a routable address. See
[I-D.ietf-anima-bootstrapping-keyinfra].
Behringer, et al. Expires January 4, 2018 [Page 6]
Internet-Draft AN Reference Model July 2017
o Non-autonomic input: A node may be configured manually with an
autonomic peer; it could learn about autonomic nodes through DHCP
options, DNS, and other non-autonomic mechanisms. Generally such
non-autonomic mechansims require some administrator intervention.
The key purpose is to by-pass a non-autonomic device or network.
As this pertains to new devices, it is covered in Appendix A and B
of [I-D.ietf-anima-bootstrapping-keyinfra].
The adjacency table is defining the behaviour of an autonomic node:
o If the node has not bootstrapped into a domain (i.e., doesn't have
a domain certificate), it rotates through all nodes in the
adjacency table that claim to have a domain, and will attempt
bootstrapping through them, one by one. One possible response is
a vendor MASA re-direct, which will be entered into the adjacency
table (see second bullet above). See
[I-D.ietf-anima-bootstrapping-keyinfra].
o If the adjacent node has the same domain, it will authenticate
that adjacent node and, if successful, establish the Autonomic
Control Plane (ACP). See
[I-D.ietf-anima-autonomic-control-plane].
o Once the node is part of the ACP of a domain, it will use GRASP
discovery [I-D.ietf-anima-grasp] to find Registrar(s) of its
domain and potentiall other services.
o If the node is part of an ACP and has discovered via GRASP at
least one Registrar in its domain, it will start the "join
assistant" ASA, and act as a join assistant for neighboring nodes
that need to be bootstrapped. See
[I-D.ietf-anima-bootstrapping-keyinfra].
o Other behaviours are possible, for example establishing the ACP
also with devices of a sub-domain, to other domains, etc. Those
will likely be controlled by Intent. They are outside scope for
the moment. Note that Intent is distributed through the ACP;
therefore, a node can only adapt Intent driven behaviour once it
has joined the ACP. At the moment, ANIMA does not consider
providing Intent outside the ACP; this can be considered later.
Once a node has joined the ACP, it will also learn the ACP addresses
of its adjacent nodes, and add them to the adjacency table, to allow
for communication inside the ACP. Further autonomic domain
interactions will now happen inside the ACP. At this moment, only
negotiation / synchronization via GRASP [I-D.ietf-anima-grasp] is
being defined. (Note that GRASP runs in the data plane, as an input
in building the adjacency table, as well as inside the ACP.)
Behringer, et al. Expires January 4, 2018 [Page 7]
Internet-Draft AN Reference Model July 2017
Autonomic Functions consist of Autonomic Service Agents (ASAs). They
run logically above the AN Infrastructure, and may use the adjacency
table, the ACP, negotiation and synchronization through GRASP in the
ACP, Intent and other functions of the ANI. Since the ANI only
provides autonomic interactions within a domain, autonomic functions
can also use any other context on a node, specifically the global
data plane.
3.3. State Machine
Autonomic Networking applies during the full life-cycle of a node.
This section describes a state machine of an autonomic node,
throughout its life.
3.3.1. State 1: Factory Default
An autonomic node is leaving the factory in this state. In this
state, the node has no domain specific configuration, specifically no
LDevID, and could be used in any particular target network. It does
however have a vendor/manufacturer specific ID, the IDevID [IDevID].
Nodes without IDevID cannot be autonomically and securely enrolled
into a domain; they require manual pre-staging, in which case the
pre-staging takes them directly to state 2.
Transitions:
o Bootstrap event: The device enrols into a domain; as part of this
process it receives a domain identity (LDevID). If enrollment is
successful, the next state is state 2. See
[I-D.ietf-anima-bootstrapping-keyinfra] Section 3 for details on
enrollment.
3.3.2. State 2: Enrolled
An autonomic node is in the state "enrolled" if it has a domain
identity (LDevID). It may have further configuration or state, for
example if it had been in state 3 before, but lost all its ACP
channels. The LDevID can only be removed from a device through a
factory reset, which also removes all other state from the device.
This ensures that a device has no stale domain specific state when
entering the "enrolled" state from state 1.
Transitions:
o Joining ACP: The device establishes an ACP channel to an adjacent
device. See [I-D.ietf-anima-autonomic-control-plane] for details.
Next state: 3.
Behringer, et al. Expires January 4, 2018 [Page 8]
Internet-Draft AN Reference Model July 2017
o Factory reset: A factory reset removes all configuration and the
domain identity (LDevID) from the device. Next state: 1.
3.3.3. State 3: In ACP
In this state, the autonomic node has at least one ACP channel to
another device. It can participate in further autonomic
transactions, such as starting autonomic service agents. For example
it must now enable the join assistant ASA, to help other devices to
join the domain. Other conditions may apply to such interactions,
for example to serve as a join assistant, the device must first
discover a bootstrap Registrar.
Transitions:
o Leaving ACP: The device drops the last (or only) ACP channel to an
adjacent device. Next state: 2.
o Factory reset: A factory reset removes all configuration and the
domain identity (LDevID) from the device. Next state: 1.
4. The Autonomic Networking Infrastructure
The Autonomic Networking Infrastructure provides a layer of common
functionality across an Autonomic Network. It comprises "must
implement" functions and services, as well as extensions.
An Autonomic Function, comprising of Autonomic Service Agents on
nodes, can rely on the fact that all nodes in the network implement
at least the "must implement" functions.
4.1. Naming
Inside a domain, each autonomic device should be assigned a unique
name. The naming scheme should be consistent within a domain. Names
are typically assigned by a Registrar at bootstrap time and
persistent over the lifetime of the device. All Registrars in a
domain must follow the same naming scheme.
In the absence of a domain specific naming scheme, a default naming
scheme should use the same logic as the addressing scheme discussed
in [I-D.ietf-anima-autonomic-control-plane]. The device name is then
composed of a Registrar ID (for example taking a MAC address of the
Registrar) and a device number. An example name would then look like
this:
0123-4567-89ab-0001
Behringer, et al. Expires January 4, 2018 [Page 9]
Internet-Draft AN Reference Model July 2017
The first three fields are the MAC address, the fourth field is the
sequential number for the device.
4.2. Addressing
Autonomic Service Agents (ASAs) need to communicate with each other,
using the autonomic addressing of the Autonomic Networking
Infrastructure of the node they reside on. This section describes
the addressing approach of the Autonomic Networking Infrastructure,
used by ASAs.
Out of scope are addressing approaches for the data plane of the
network, which may be configured and managed in the traditional way,
or negotiated as a service of an ASA. One use case for such an
autonomic function is described in
[I-D.ietf-anima-prefix-management].
Autonomic addressing is a function of the Autonomic Networking
Infrastructure (lower part of Figure 2), specifically the Autonomic
Control Plane. ASAs do not have their own addresses. They may use
either API calls, or the autonomic addressing scheme of the Autonomic
Networking Infrastructure.
An autonomic addressing scheme has the following requirements:
o Zero-touch for simple networks: Simple networks should have
complete self-management of addressing, and not require any
central address management, tools, or address planning.
o Low-touch for complex networks: If complex networks require
operator input for autonomic address management, it should be
limited to high level guidance only, expressed in Intent.
o Flexibility: The addressing scheme must be flexible enough for
nodes to be able to move around, for the network to grow, split
and merge.
o Robustness: It should be as hard as possible for an administrator
to negatively affect addressing (and thus connectivity) in the
autonomic context.
o Stability: The addressing scheme should be as stable as possible.
However, implementations need to be able to recover from
unexpected address changes.
o Support for virtualization: Autonomic Nodes may support Autonomic
Service Agents in different virtual machines or containers. The
addressing scheme should support this architecture.
Behringer, et al. Expires January 4, 2018 [Page 10]
Internet-Draft AN Reference Model July 2017
o Simplicity: To make engineering simpler, and to give the human
administrator an easy way to trouble-shoot autonomic functions.
o Scale: The proposed scheme should work in any network of any size.
o Upgradability: The scheme must be able to support different
addressing concepts in the future.
The proposed addressing scheme is described in the document "An
Autonomic Control Plane" ([I-D.ietf-anima-autonomic-control-plane]).
4.3. Discovery
Traditionally, most of the information a node requires is provided
through configuration or northbound interfaces. An autonomic
function should rely on such northbound interfaces minimally or not
at all, and therefore it needs to discover peers and other resources
in the network. This section describes various discovery functions
in an autonomic network.
Discovering nodes and their properties and capabilities: A core
function to establish an autonomic domain is the mutual discovery of
autonomic nodes, primarily adjacent nodes and secondarily off-link
peers. This may in principle either leverage existing discovery
mechanisms, or use new mechanisms tailored to the autonomic context.
An important point is that discovery must work in a network with no
predefined topology, ideally no manual configuration of any kind, and
with nodes starting up from factory condition or after any form of
failure or sudden topology change.
Discovering services: Network services such as AAA should also be
discovered and not configured. Service discovery is required for
such tasks. An autonomic network can either leverage existing
service discovery functions, or use a new approach, or a mixture.
Thus the discovery mechanism could either be fully integrated with
autonomic signaling (next section) or could use an independent
discovery mechanism such as DNS Service Discovery or Service Location
Protocol. This choice could be made independently for each Autonomic
Service Agent, although the infrastructure might require some minimal
lowest common denominator (e.g., for discovering the security
bootstrap mechanism, or the source of information distribution,
Section 4.7).
Phase 1 of Autonomic Networking uses GRASP for discovery, described
in [I-D.ietf-anima-grasp].
Behringer, et al. Expires January 4, 2018 [Page 11]
Internet-Draft AN Reference Model July 2017
4.4. Signaling Between Autonomic Nodes
Autonomic nodes must communicate with each other, for example to
negotiate and/or synchronize technical objectives (i.e., network
parameters) of any kind and complexity. This requires some form of
signaling between autonomic nodes. Autonomic nodes implementing a
specific use case might choose their own signaling protocol, as long
as it fits the overall security model. However, in the general case,
any pair of autonomic nodes might need to communicate, so there needs
to be a generic protocol for this. A prerequisite for this is that
autonomic nodes can discover each other without any preconfiguration,
as mentioned above. To be generic, discovery and signaling must be
able to handle any sort of technical objective, including ones that
require complex data structures. The document "A Generic Autonomic
Signaling Protocol (GRASP)" [I-D.ietf-anima-grasp] describes more
detailed requirements for discovery, negotiation and synchronization
in an autonomic network. It also defines a protocol, GRASP, for this
purpose, including an integrated but optional discovery protocol.
GRASP is normally expected to run inside the Autonomic Control Plane
(ACP; see Section 4.6) and to depend on the ACP for security. It may
run insecurely for a short time during bootstrapping.
An autonomic node will normally run a single instance of GRASP, used
by multiple ASAs. However, scenarios where multiple instances of
GRASP run in a single node, perhaps with different security
properties, are not excluded.
4.5. Routing
All autonomic nodes in a domain must be able to communicate with each
other, and with autonomic nodes outside their own domain. Therefore,
an Autonomic Control Plane relies on a routing function. For
Autonomic Networks to be interoperable, they must all support one
common routing protocol.
The routing protocol is defined in the ACP document
[I-D.ietf-anima-autonomic-control-plane].
4.6. The Autonomic Control Plane
The totality of autonomic interactions forms the "Autonomic Control
Plane". This control plane can be either implemented in the global
routing table of a node, such as IGPs in today's networks; or it can
be provided as an overlay network. The document "An Autonomic
Control Plane" ([I-D.ietf-anima-autonomic-control-plane]) describes
the details.
Behringer, et al. Expires January 4, 2018 [Page 12]
Internet-Draft AN Reference Model July 2017
4.7. Information Distribution (*)
Certain forms of information, such as Intent, must be distributed
across an autonomic domain. The distribution of information is also
a function of the Autonomic Control Plane. One form of such
information is Intent. Intent is the policy language of an Autonomic
Network; see Section 7.2 for general information on Intent. It is a
high level policy, and should change only infrequently (order of
days). Therefore, information such as Intent should be simply
flooded to all nodes in an autonomic domain, and there is currently
no perceived need to have more targeted distribution methods. Intent
is also expected to be monolithic, and flooded as a whole. One
possible method for distributing Intent, as well as other forms of
data, is discussed in [I-D.liu-anima-grasp-distribution]. Intent and
information distribution are not part of phase 1 of ANIMA.
5. Security and Trust Infrastructure
An Autonomic Network is self-protecting. All protocols are secure by
default, without the requirement for the administrator to explicitly
configure security.
Autonomic nodes have direct interactions between themselves, which
must be secured. Since an autonomic network does not rely on
configuration, it is not an option to configure for example pre-
shared keys. A trust infrastructure such as a PKI infrastructure
must be in place. This section describes the principles of this
trust infrastructure.
The default method to automatically bring up a trust infrastructure
is defined in the document "Bootstrapping Key Infrastructures"
[I-D.ietf-anima-bootstrapping-keyinfra]. The ASAs required for this
enrollment process are described in Section 6.3. An autonomic node
must implement the enrollment and join assistant ASAs. The registrar
ASA may be implemented only on a sub-set of nodes.
5.1. Public Key Infrastructure
An autonomic domain uses a PKI model. The root of trust is a
certification authority (CA). A registrar acts as a registration
authority (RA).
A minimum implementation of an autonomic domain contains one CA, one
Registrar, and network elements.
Behringer, et al. Expires January 4, 2018 [Page 13]
Internet-Draft AN Reference Model July 2017
5.2. Domain Certificate
Each device in an autonomic domain uses a domain certificate to prove
its identity. [I-D.ietf-anima-bootstrapping-keyinfra] describes how
a new device receives a domain certificate, and the certificate
format.
5.3. The MASA
The Manufacturer Authorized Signing Authority (MASA) is a trusted
service for bootstrapping devices. The purpose of the MASA is to
provide ownership tracking of devices in a domain. The MASA provides
audit, authorization, and ownership tokens to the registrar during
the bootstrap process to assist in the authentication of devices
attempting to join an Autonomic Domain, and to allow a joining device
to validate whether it is joining the correct domain. The details
for MASA service, security, and usage are defined in
[I-D.ietf-anima-bootstrapping-keyinfra].
5.4. Sub-Domains (*)
By default, sub-domains are treated as different domains. This
implies no trust between a domain and its sub-domains, and no trust
between sub-domains of the same domain. Specifically, no ACP is
built, and Intent is valid only for the domain it is defined for
explicitly.
In phase 2 of ANIMA, alternative trust models should be defined, for
example to allow full or limited trust between domain and sub-domain.
5.5. Cross-Domain Functionality (*)
By default, different domains do not interoperate, no ACP is built
and no trust is implied between them.
In the future, models can be established where other domains can be
trusted in full or for limited operations between the domains.
6. Autonomic Service Agents (ASA)
This section describes how autonomic services run on top of the
Autonomic Networking Infrastructure.
6.1. General Description of an ASA
An Autonomic Service Agent (ASA) is defined in [RFC7575] as "An agent
implemented on an autonomic node that implements an autonomic
function, either in part (in the case of a distributed function) or
Behringer, et al. Expires January 4, 2018 [Page 14]
Internet-Draft AN Reference Model July 2017
whole." Thus it is a process that makes use of the features provided
by the ANI to achieve its own goals, usually including interaction
with other ASAs via the GRASP protocol [I-D.ietf-anima-grasp] or
otherwise. Of course it also interacts with the specific targets of
its function, using any suitable mechanism. Unless its function is
very simple, the ASA will need to be multi-threaded so that it can
handle overlapping asynchronous operations. It may therefore be a
quite complex piece of software in its own right, forming part of the
application layer above the ANI.
Thus we can distinguish at least three classes of ASAs:
o Simple ASAs with a small footprint that could run anywhere.
o Complex, multi-threaded ASAs that have a significant resource
requirement and will only run on selected nodes.
o A few 'infrastructure ASAs' that use basic ANI features in support
of the ANI itself, which must run in all autonomic nodes. These
are outlined in the following sections.
Autonomic nodes, and therefore their ASAs, will be self-aware. Every
autonomic node will be loaded with various functions and ASAs and
will be aware of its own capabilities, typically decided by the
hardware, firmware or pre-installed software. Its exact role may
depend on Intent and on the surrounding network behaviors, which may
include forwarding behaviors, aggregation properties, topology
location, bandwidth, tunnel or translation properties, etc. The
surrounding topology will depend on the network planning. Following
an initial discovery phase, the device properties and those of its
neighbors are the foundation of the behavior of a specific device. A
device and its ASAs have no pre-configuration for the particular
network in which they are installed.
Since all ASAs will interact with the ANI, they will depend on
appropriate application programming interfaces (APIs). It is
desirable that ASAs are portable between operating systems, so these
APIs need to be universal. An API for GRASP is described in
[I-D.liu-anima-grasp-api].
ASAs will in general be designed and coded by experts in a particular
technology and use case, not by experts in the ANI and its
components. Also, they may be coded in a variety of programming
languages, in particular including languages that support object
constructs as well as traditional variables and structures. The APIs
should be designed with these factors in mind.
Behringer, et al. Expires January 4, 2018 [Page 15]
Internet-Draft AN Reference Model July 2017
It must be possible to run ASAs as non-privileged (user space)
processes except for those (such as the infrastructure ASAs) that
necessarily require kernel privilege. Also, it is highly desirable
that ASAs can be dynamically loaded on a running node.
Since autonomic systems must be self-repairing, it is of great
importance that ASAs are coded using robust programming techniques.
All run-time error conditions must be caught, leading to suitable
recovery actions, with a complete restart of the ASA as a last
resort. Conditions such as discovery failures or negotiation
failures must be treated as routine, with the ASA retrying the failed
operation, preferably with an exponential back-off in the case of
persistent errors. When multiple threads are started within an ASA,
these threads must be monitored for failures and hangups, and
appropriate action taken. Attention must be given to garbage
collection, so that ASAs never run out of resources. There is
assumed to be no human operator - again, in the worst case, every ASA
must be capable of restarting itself.
ASAs will automatically benefit from the security provided by the
ANI, and specifically by the ACP and by GRASP. However, beyond that,
they are responsible for their own security, especially when
communicating with the specific targets of their function.
Therefore, the design of an ASA must include a security analysis
beyond 'use ANI security.'
6.2. ASA Life-Cycle Management
ASAs operating on a given ANI may come from different providers and
pursue different objectives. Whichever the ASA, its management and
its interactions with the ANI must follow the same operating
principles, hence comply to a generic life-cycle management model.
The ASA life-cycle provides standard processes to:
o install ASA: copy the ASA code onto the host and start it,
o deploy ASA: associate the ASA instance with a (some) managed
network device(s) (or network function),
o control ASA execution: when and how an ASA executes its control
loop.
The life-cyle will cover the sequential states below: Installation,
Deployment, Operation and the transitional states in-between. This
Life-Cycle will also define which interactions ASAs have with the ANI
in between the different states. The noticeable interactions are:
Behringer, et al. Expires January 4, 2018 [Page 16]
Internet-Draft AN Reference Model July 2017
o Self-description of ASA instances at the end of deployment: its
format needs to define the information required for the management
of ASAs by ANI entities
o Control of ASA control-loop during the operation: a signaling has
to carry formatted messages to control ASA execution (at least
starting and stopping control loop)
6.3. Specific ASAs for the Autonomic Network Infrastructure
The following functions provide essential, required functionality in
an autonomic network, and are therefore mandatory to implement on
unconstrained autonomic nodes. They are described here as ASAs that
include the underlying infrastructure components, but implementation
details might vary.
The first three together support the trust enrollment process
described in Section 5. For details see
[I-D.ietf-anima-bootstrapping-keyinfra].
6.3.1. The enrollment ASAs
6.3.1.1. The Pledge ASA
This ASA includes the function of an autonomic node that bootstraps
into the domain with the help of an join assitant ASA (see below).
Such a node is known as a Pledge during the enrollment process. This
ASA must be installed by default on all nodes that require an
autonomic zero-touch bootstrap.
6.3.1.2. The Join Assistant ASA
This ASA includes the function of an autonomic node that helps a non-
enrolled, adjacent devices to enroll into the domain. This ASA must
be installed on all nodes, although only one join assistant needs to
be active on a given LAN.
6.3.1.3. The Join Registrar ASA
This ASA includes the join registrar function in an autonomic
network. This ASA does not need to be installed on all nodes, but
only on nodes that implement the Join Registrar function.
6.3.2. The ACP ASA
This ASA includes the ACP function in an autonomic network. In
particular it acts to discover other potential ACP nodes, and to
support the establishment and teardown of ACP channels. This ASA
Behringer, et al. Expires January 4, 2018 [Page 17]
Internet-Draft AN Reference Model July 2017
must be installed on all nodes. For details see Section 4.6 and
[I-D.ietf-anima-autonomic-control-plane].
6.3.3. The Information Distribution ASA (*)
This ASA is currently out of scope in ANIMA, and provided here only
as background information.
This ASA includes the information distribution function in an
autonomic network. In particular it acts to announce the
availability of Intent and other information to all other autonomic
nodes. This ASA does not need to be installed on all nodes, but only
on nodes that implement the information distribution function. For
details see Section 4.7.
7. Management and Programmability
This section describes how an Autonomic Network is managed, and
programmed.
7.1. How an AN Network Is Managed
Autonomic management usually co-exists with traditional management
methods in most networks. Thus, autonomic behavior will be defined
for individual functions in most environments. In fact, the co-
existence is twofold: autonomic functions can use traditional methods
and protocols (e.g., SNMP and NETCONF) to perform management tasks;
and autonomic functions can conflict with behavior enforced by the
same traditional methods and protocols.
The autonomic Intent is defined at a high level of abstraction.
However, since it is necessary to address individual managed
elements, autonomic management needs to communicate in lower-level
interactions (e.g., commands and requests). For example, it is
expected that the configuration of such elements be performed using
NETCONF and YANG modules as well as the monitoring be executed
through SNMP and MIBs.
Conflict can occur between autonomic default behavior, autonomic
Intent, traditional management methods. Conflict resolution is
achieved in autonomic management through prioritization [RFC7575].
The rationale is that manual and node-based management have a higher
priority over autonomic management. Thus, the autonomic default
behavior has the lowest priority, then comes the autonomic Intent