-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdraft-ietf-anima-grasp-14.xml
3608 lines (3014 loc) · 187 KB
/
draft-ietf-anima-grasp-14.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This is built from a template for a generic Internet Draft. Suggestions for
improvement welcome - write to Brian Carpenter, brian.e.carpenter @ gmail.com
This can be converted using the Web service at http://xml.resource.org/ -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<!-- You want a table of contents -->
<?rfc symrefs="yes"?>
<!-- Use symbolic labels for references -->
<?rfc sortrefs="yes"?>
<!-- This sorts the references -->
<?rfc iprnotified="no" ?>
<!-- Change to "yes" if someone has disclosed IPR for the draft -->
<?rfc compact="yes"?>
<!-- This defines the specific filename and version number of your draft (and inserts the appropriate IETF boilerplate -->
<rfc category="std" docName="draft-ietf-anima-grasp-14" ipr="trust200902">
<front>
<title abbrev="GRASP">A Generic Autonomic Signaling Protocol (GRASP)</title>
<author initials="C." surname="Bormann" fullname="Carsten Bormann">
<organization>Universität Bremen TZI</organization>
<address>
<postal>
<street>Postfach 330440</street>
<city>D-28359 Bremen</city>
<country>Germany</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Brian Carpenter" initials="B. E." surname="Carpenter" role="editor">
<organization abbrev="Univ. of Auckland"/>
<address>
<postal>
<street>Department of Computer Science</street>
<street>University of Auckland</street>
<street>PB 92019</street>
<city>Auckland</city>
<region/>
<code>1142</code>
<country>New Zealand</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Bing Liu" initials="B." surname="Liu" role="editor">
<organization>Huawei Technologies Co., Ltd</organization>
<address>
<postal>
<street>Q14, Huawei Campus</street>
<street>No.156 Beiqing Road</street>
<city>Hai-Dian District, Beijing</city>
<code>100095</code>
<country>P.R. China</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<!---->
<date day="2" month="July" year="2017"/>
<abstract>
<t>This document specifies the GeneRic Autonomic Signaling Protocol (GRASP), which
enables autonomic nodes and autonomic service agents to dynamically discover peers,
to synchronize state with each other, and to negotiate parameter settings with each
other. GRASP depends on an external security environment that is described
elsewhere. The technical objectives and parameters for specific application scenarios
are to be described in separate documents. Appendices briefly discuss requirements
for the protocol and existing protocols with comparable features.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have become more and more
problematic for human based management. Also, operational costs are growing quickly.
Consequently, there are increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in
<xref target="RFC7575"/> and <xref target="RFC7576"/>. </t>
<t>One approach is to largely decentralize the logic of network management by migrating it
into network elements. A reference model for autonomic networking on this basis is given in
<xref target="I-D.ietf-anima-reference-model"/>. The reader should consult this document
to understand how various autonomic components fit together.
In order to fulfill autonomy, devices that embody Autonomic Service Agents
(ASAs, <xref target="RFC7575"/>)
have specific signaling requirements. In particular they need to discover each other,
to synchronize state with each other,
and to negotiate parameters and resources directly with each other.
There is no limitation on the types of parameters and resources concerned,
which can include very basic information needed for addressing and routing,
as well as anything else that might be configured in a conventional non-autonomic network.
The atomic unit of discovery, synchronization or negotiation is referred to as a technical
objective, i.e, a configurable parameter or set of parameters
(defined more precisely in <xref target="terms"/>).</t>
<t>
Negotiation is an iterative process, requiring multiple message exchanges forming
a closed loop between the negotiating entities. In fact, these entities are
ASAs, normally but not necessarily in different network devices.
State synchronization, when needed,
can be regarded as a special case of negotiation, without iteration.
Both negotiation and synchronization must logically follow discovery.
More details of the requirements are found in <xref target="reqts"/>.
<xref target="highlevel"/> describes a behavior model for a protocol
intended to support discovery, synchronization and negotiation. The
design of GeneRic Autonomic Signaling Protocol (GRASP) in <xref target="Overview"/>
of this document is based on this behavior model. The relevant capabilities
of various existing protocols are reviewed in <xref target="current"/>.</t>
<t>The proposed discovery mechanism is oriented towards synchronization and
negotiation objectives. It is based on a neighbor discovery process on the
local link, but also supports diversion to peers on other links.
There is no assumption of any particular form of network topology.
When a device starts up with no pre-configuration,
it has no knowledge of the topology. The protocol itself is capable of
being used in a small and/or flat network structure such as a small
office or home network as well as in a large professionally managed network.
Therefore, the discovery mechanism needs to be able to allow a device
to bootstrap itself without making any prior assumptions about network
structure. </t>
<t>Because GRASP can be used as part of a decision process among distributed
devices or between networks, it must run in a secure and strongly authenticated
environment.
</t>
<t>In realistic deployments, not all devices will
support GRASP. Therefore, some autonomic service agents will directly
manage a group of non-autonomic nodes, and other non-autonomic nodes
will be managed traditionally. Such mixed scenarios
are not discussed in this specification.</t>
</section>
<!-- intro -->
<section anchor="Overview" title="GRASP Protocol Overview">
<section anchor="terms" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119"/> when they appear in ALL CAPS. When these words
are not in ALL CAPS (such as "should" or "Should"), they have their
usual English meanings, and are not to be interpreted as <xref target="RFC2119"/> key words.</t>
<t>This document uses terminology defined in <xref target="RFC7575"/>.</t>
<t>The following additional terms are used throughout this document:
<list style="symbols">
<!-- <t>Autonomic Device: identical to Autonomic Node.</t> -->
<t>Discovery: a process by which an ASA discovers peers
according to a specific discovery objective. The discovery results
may be different according to the different discovery objectives.
The discovered peers may later be used as negotiation
counterparts or as sources of synchronization data. </t>
<t>Negotiation: a process by which two ASAs interact
iteratively to agree on parameter settings that best satisfy the
objectives of both ASAs.</t>
<t>State Synchronization: a process by which ASAs
interact to receive the current state of parameter
values stored in other ASAs. This is a special case of negotiation
in which information is sent but the ASAs do not request
their peers to change parameter settings. All other definitions
apply to both negotiation and synchronization. </t>
<t>Technical Objective (usually abbreviated as Objective):
A technical objective is a data structure, whose main contents
are a name and a value. The value consists of a single configurable
parameter or a set of parameters of some kind. The exact
format of an objective is defined in <xref target="ObjForm"/>.
An objective occurs in three contexts: Discovery, Negotiation
and Synchronization. Normally, a given objective will not
occur in negotiation and synchronization contexts simultaneously.
<list style="symbols">
<t>One ASA may support multiple independent objectives.</t>
<t>The parameter(s) in the value of a given objective apply to
a specific service or function or action. They may in principle be
anything that can be set to a specific logical, numerical or string
value, or a more complex data structure, by a network node.
Each node is expected to contain one or more ASAs
which may each manage subsidiary non-autonomic nodes.</t>
<t>Discovery Objective: an objective in the process of discovery. Its value
may be undefined.</t>
<t>Synchronization Objective: an objective whose specific technical content
needs to be synchronized among two or more ASAs. Thus, each ASA will maintain
its own copy of the objective.</t>
<t>Negotiation Objective: an objective whose specific technical content
needs to be decided in coordination with another ASA. Again, each ASA will maintain
its own copy of the objective.</t>
</list>
A detailed discussion of objectives, including their format, is found in <xref target="ObjOption"/>.</t>
<t>Discovery Initiator: an ASA that starts discovery
by sending a discovery message referring to a specific discovery
objective.</t>
<t>Discovery Responder: a peer that either contains an ASA supporting the discovery objective
indicated by the discovery initiator, or caches the locator(s) of the ASA(s) supporting
the objective. It sends a Discovery Response, as described later.</t>
<t>Synchronization Initiator: an ASA that starts synchronization
by sending a request message referring to a specific synchronization
objective.</t>
<t>Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.</t>
<t>Negotiation Initiator: an ASA that starts
negotiation by sending a request message referring to a specific
negotiation objective.</t>
<t>Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.</t>
<t>GRASP Instance: This refers to an instantiation of a GRASP protocol engine, likely including
multiple threads or processes as well as dynamic data structures such as a discovery cache, running in
a given security environment on a single device. </t>
<t>GRASP Core: This refers to the code and shared data structures of a GRASP instance, which will
communicate with individual ASAs via a suitable Application Programming Interface (API).</t>
<t>Interface or GRASP Interface: Unless otherwise stated, these refer to a network
interface - which might be physical or virtual - that a specific instance of
GRASP is currently using. A device might have other interfaces that are not
used by GRASP and which are outside the scope of the autonomic network.</t>
</list></t>
</section>
<section anchor="hilev" title="High Level Deployment Model">
<t>A GRASP implementation will be part of the Autonomic Networking Infrastructure (ANI)
in an autonomic node, which must also provide an appropriate security environment.
In accordance with <xref target="I-D.ietf-anima-reference-model"/>, this SHOULD be the
Autonomic Control Plane (ACP) <xref target="I-D.ietf-anima-autonomic-control-plane"/>.
As a result, all autonomic nodes in the ACP are able to trust each other.
It is expected that GRASP will access the ACP by using a typical socket programming interface
and the ACP will make available only network interfaces within the autonomic network.
If there is no ACP, the considerations described in <xref target="reqsec"/> apply. </t>
<t>
There will also be one or more Autonomic Service Agents (ASAs). In the minimal case
of a single-purpose device, these components might be fully integrated with GRASP
and the ACP. A more common model is expected to be a multi-purpose device capable of containing
several ASAs, such as a router or large switch. In this case it is expected that the ACP, GRASP and the ASAs will
be implemented as separate processes, which are able to support
asynchronous and simultaneous operations, for example by multi-threading.</t>
<t>In some scenarios, a limited negotiation model might be deployed based on a limited
trust relationship such as that between two administrative domains. ASAs might then
exchange limited information and negotiate some particular configurations.</t>
<t>GRASP is explicitly designed to operate within a single addressing realm.
Its discovery and flooding mechanisms do not support autonomic operations that
cross any form of address translator or upper layer proxy.</t>
<t>A suitable Application Programming Interface (API) will be needed
between GRASP and the ASAs. In some implementations, ASAs would run in user
space with a GRASP library providing the API, and this library would in turn
communicate via system calls with core GRASP functions.
Details of the API are out of scope for the present document.
For further details of possible deployment models, see
<xref target="I-D.ietf-anima-reference-model"/>.
</t>
<t>An instance of GRASP must be aware of the network interfaces it will use, and of the
appropriate global-scope
and link-local addresses. In the presence of the ACP, such information will be available from
the adjacency table discussed in <xref target="I-D.ietf-anima-reference-model"/>.
In other cases, GRASP must determine such information for itself. Details depend on the
device and operating system. In the rest of this document, the terms 'interfaces'
or 'GRASP interfaces'
refers only to the set of network interfaces that a specific instance
of GRASP is currently using. </t>
<t>Because GRASP needs to work with very high reliability, especially during bootstrapping
and during fault conditions, it is essential that every implementation continues to
operate in adverse conditions. For example, discovery failures, or any kind of socket
exception at any time, must not cause irrecoverable failures in GRASP itself, and must
return suitable error codes through the API so that ASAs can also recover.
</t>
<t>GRASP must not depend upon non-volatile data storage. All run time error
conditions, and events such as address renumbering, network interface failures,
and CPU sleep/wake cycles, must be handled in such a way that GRASP will still
operate correctly and securely (<xref target="reqsec"/>) afterwards.</t>
<t>An autonomic node will normally run a single instance of GRASP, used by multiple ASAs.
Possible exceptions are mentioned below.
</t>
</section>
<section anchor="highlevel" title="High Level Design">
<t>This section describes the behavior model and general design of
GRASP, supporting discovery, synchronization and negotiation, to
act as a platform for different technical objectives.</t>
<t><list style="symbols">
<t>A generic platform:<vspace blankLines="1"/>
The protocol design is generic and independent of the synchronization or
negotiation contents. The technical contents will vary according to the
various technical objectives and the different pairs of
counterparts.<vspace blankLines="1"/></t>
<t>Normally, a single main instance of the GRASP protocol engine will exist in an autonomic
node, and each ASA will run as an independent asynchronous process. However, scenarios
where multiple instances of GRASP run in a single node, perhaps with different security
properties, are possible (<xref target="secinst"/>). In this case, each instance MUST
listen independently for GRASP link-local multicasts,
and all instances MUST be woken by each such multicast, in order for
discovery and flooding to work correctly.
<vspace blankLines="1"/></t>
<t>Security infrastructure:<vspace blankLines="1"/>
As noted above, the protocol itself has no built-in security functionality,
and relies on a separate secure infrastructure.<vspace blankLines="1"/></t>
<t>Discovery, synchronization and negotiation are designed together:<vspace blankLines="1"/>
The discovery method and the synchronization and negotiation methods
are designed in the same way and can be combined when this is
useful, allowing a rapid mode of operation described in <xref target="discmech"/>.
These processes can also be performed independently when appropriate.
<list style="symbols">
<t>Thus, for some objectives, especially those concerned with application layer
services, another discovery mechanism such as the future DNS Service
Discovery <xref target="RFC7558"/> MAY be used.
The choice is left to the designers of individual ASAs.</t>
</list>
<vspace blankLines="1"/></t>
<t>A uniform pattern for technical objectives:<vspace blankLines="1"/>
The synchronization and negotiation objectives are defined
according to a uniform pattern. The values that they contain
could be carried either in a simple binary format or in a
complex object format. The basic protocol design uses the Concise
Binary Object Representation (CBOR) <xref target="RFC7049"/>,
which is readily extensible for unknown future requirements. <vspace blankLines="1"/></t>
<t>A flexible model for synchronization:<vspace blankLines="1"/>
GRASP supports synchronization between two nodes, which could be used
repeatedly to perform synchronization among a small number of nodes.
It also supports an unsolicited flooding mode when large groups of nodes,
possibly including all autonomic nodes, need data for the same
technical objective.
<list style="symbols">
<t>There may be some network parameters for which a more traditional flooding
mechanism such as DNCP <xref target="RFC7787"/>
is considered more appropriate. GRASP can coexist with DNCP.
</t>
</list>
<vspace blankLines="1"/></t>
<t>A simple initiator/responder model for negotiation:<vspace blankLines="1"/>
Multi-party negotiations are very complicated to model and cannot
readily be guaranteed to converge. GRASP uses a simple bilateral model
and can support multi-party negotiations by indirect steps.
<vspace blankLines="1"/></t>
<t>Organizing of synchronization or negotiation content:<vspace blankLines="1"/>
The technical content transmitted by GRASP will be
organized according to the relevant function or service. The
objectives for different functions or services are kept
separate, because they may be negotiated or synchronized with different
counterparts or have different response times. Thus a normal arrangement
would be a single ASA managing a small set of closely related objectives,
with a version of that ASA in each relevant autonomic node. Further
discussion of this aspect is out of scope for the current document.
<vspace blankLines="1"/></t>
<t>Requests and responses in negotiation procedures:<vspace blankLines="1"/>
The initiator can negotiate a specific negotiation objective with relevant
counterpart ASAs. It can request relevant information from a counterpart so that it
can coordinate its local configuration. It can request the counterpart to make
a matching configuration. It can request simulation or forecast results by sending
some dry run conditions.
<vspace blankLines="1"/>Beyond the traditional yes/no answer, the
responder can reply with a suggested alternative value for the objective
concerned. This would start a bi-directional negotiation
ending in a compromise between the two ASAs.<vspace blankLines="1"/></t>
<t>Convergence of negotiation procedures:<vspace blankLines="1"/>
To enable convergence, when a responder suggests a new value or
condition in a negotiation step reply, it should be as close as possible
to the original request or previous suggestion. The suggested value of
later negotiation steps should be chosen between the suggested values from
the previous two steps. GRASP provides mechanisms to guarantee convergence
(or failure) in a small number of steps, namely a timeout and a maximum number
of iterations.
<vspace blankLines="1"/>
</t>
<t>Extensibility:<vspace blankLines="1"/>
GRASP intentionally does not have a version number, and can be extended by adding new
message types and options. The Invalid Message (M_INVALID) will be used to signal
that an implementation does not recognize a message or option sent by another
implementation. In normal use, new semantics will be added
by defining new synchronization or negotiation objectives.
</t>
</list></t>
</section>
<section title="Quick Operating Overview">
<t>An instance of GRASP is expected to run as a separate core module,
providing an API (such as <xref target="I-D.liu-anima-grasp-api"/>) to interface to
various ASAs.
These ASAs may operate without special privilege, unless they need it for
other reasons (such as configuring IP addresses or manipulating routing
tables).
</t><t>
The GRASP mechanisms used by the ASA are built around GRASP objectives
defined as data structures
containing administrative information such as the objective's unique
name, and its current value. The format and size of the value is
not restricted by the protocol, except that it must be possible to
serialize it for transmission in CBOR, which is no
restriction at all in practice.
</t><t>
GRASP provides the following mechanisms:
<list style="symbols">
<t>A discovery mechanism (M_DISCOVERY, M_RESPONSE), by which an ASA can
discover other ASAs supporting a given objective.
</t><t>
A negotiation request mechanism (M_REQ_NEG), by which an ASA can start
negotiation of an objective with a counterpart ASA. Once a negotiation has
started, the process is symmetrical, and there is a negotiation step message
(M_NEGOTIATE) for each ASA to use in turn. Two other functions support negotiating
steps (M_WAIT, M_END).
</t><t>
A synchronization mechanism (M_REQ_SYN), by which an ASA can request the
current value of an objective from a counterpart ASA. With this,
there is a corresponding response function (M_SYNCH) for an ASA that
wishes to respond to synchronization requests.
</t><t>
A flood mechanism (M_FLOOD), by which an ASA can cause the current value of
an objective to be flooded throughout the autonomic network so that any ASA can
receive it. One application of this is to act as an announcement, avoiding the need for
discovery of a widely applicable objective.</t>
</list></t>
<t>Some example messages and simple message flows are provided in <xref target="examples"/>.</t>
</section>
<section title="GRASP Protocol Basic Properties and Mechanisms">
<section anchor="reqsec" title="Required External Security Mechanism">
<t>GRASP does not specify transport security because it is meant to be adapted to
different environments. Every solution adopting GRASP MUST specify a security substrate
used by GRASP in that solution.</t>
<t>The substrate MUST enforce sending and receiving GRASP messages only between members of a mutually trusted
group running GRASP. Each group member is an instance of GRASP. The group members are nodes of a
connected graph. The group and graph is created by the security substrate and called the GRASP domain.
The substrate must support unicast messages between any group members and (link-local) multicast
messages between adjacent group members. It must deny messages between group members and non group
members. Substrates MUST use cryptographic member authentication and message integrity for GRASP messages.
This can be end-to-end or hop-by-hop across the domain. The security substrate MUST provide mechanisms
to remove untrusted members from the group.</t>
<t>If the substrate does not mandate and enforce GRASP message encryption then any service
using GRASP in such a solution MUST provide protection and encryption for message elements whose
exposure could constitute an attack vector.</t>
<t>The security substrate for GRASP in the ANI is the ACP. Unless otherwise noted, we assume this
security substrate in the remainder of this document. The ACP does mandate the use of encryption;
therefore GRASP in the ANI can rely on GRASP message being encrypted. The GRASP domain is the ACP: all
nodes in an autonomic domain connected by encrypted virtual links formed by the ACP. The ACP uses
hop-by-hop security (authentication/encryption) of messages. Removal of nodes relies on standard
PKI certificate revocation or expiry of sufficiently short lived certificates. Refer to
<xref target="I-D.ietf-anima-autonomic-control-plane"/> for more details.</t>
<t>As mentioned in <xref target="highlevel"/>, some GRASP operations might be
performed across an administrative domain boundary by mutual agreement, without the
benefit of an ACP. Such operations
MUST be confined to a separate instance of GRASP with its own copy of all GRASP
data structures running across a separate GRASP domain with a security substrate.
In the most simple case, each point-to-point interdomain GRASP peering could be a
separate domain and the security substrate could be built using transport or network layer
security protocols. This is subject to future specifications. </t>
<!-- TLS <xref target="RFC5246"/> and DTLS <xref target="RFC6347"/> based on a Public Key Infrastructure (PKI)
<xref target="RFC5280"/> are RECOMMENDED for this purpose.-->
<t>An exception to the requirements for the security substrate exists
for highly constrained subsets of GRASP meant to support the establishment of a security substrate,
described in the following section.</t>
</section>
<section anchor="secinst" title="Discovery Unsolicited Link-Local (DULL) GRASP">
<t>Some services may need to use insecure GRASP discovery, response
and flood messages without being able to use pre-existing security associations, for example
as part of discovery for establishing security associations such as a security substrate for
GRASP.</t>
<t>Such operations being intrinsically insecure, they need to be confined to link-local
use to minimize the risk of malicious actions. Possible examples
include discovery of candidate ACP neighbors
<xref target="I-D.ietf-anima-autonomic-control-plane"/>, discovery of bootstrap
proxies <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> or perhaps
initialization services in networks using GRASP without being fully autonomic
(e.g., no ACP).
Such usage MUST be limited to link-local operations on a single interface and MUST be confined
to a separate insecure instance of GRASP with its own copy of all GRASP
data structures. This instance is nicknamed DULL - Discovery Unsolicited Link-Local.</t>
<t>The detailed rules for the DULL instance of GRASP are as follows:
<list style="symbols">
<t>An initiator MAY send Discovery or Flood Synchronization link-local
multicast messages which MUST have a loop count of 1, to prevent
off-link operations.
Other GRASP message types MUST NOT be sent.</t>
<t>A responder MUST silently discard any message whose loop count is not 1.</t>
<t>A responder MUST silently discard any message referring to a GRASP Objective that is
not directly part of a service that requires this insecure mode.</t>
<t>A responder MUST NOT relay any multicast messages.</t>
<t>A Discovery Response MUST indicate a link-local address.</t>
<t>A Discovery Response MUST NOT include a Divert option.</t>
<t>A node MUST silently discard any message whose source address is not link-local.</t>
</list></t>
<t>To minimize traffic possibly observed by third parties,
GRASP traffic SHOULD be minimized by using only Flood Synchronization
to announce objectives and their associated locators, rather than by using Discovery
and Response. Further details are out of scope for this document</t>
</section>
<!-- <section anchor="secinst-sonn" title="Secure Only Neighbor Negotiation">
<t>Some services might use insecure on-link operations as in DULL,
but also use unicast synchronization or negotiation operations protected by TLS.
A separate instance of GRASP is used, with its own copy of all GRASP data structures.
This instance is nicknamed SONN - Secure Only Neighbor Negotiation.</t>
<t>
The detailed rules for the SONN instance of GRASP are as follows:
<list style="symbols">
<t>All types of GRASP message are permitted.</t>
<t>An initiator MUST send any Discovery or Flood Synchronization link-local
multicast messages with a loop count of 1.</t>
<t>A responder MUST silently discard any Discovery or Flood Synchronization message whose loop count is not 1.</t>
<t>A responder MUST silently discard any message referring to a GRASP Objective that is
not directly part of the service concerned.</t>
<t>A responder MUST NOT relay any multicast messages.</t>
<t>A Discovery Response MUST indicate a link-local address.</t>
<t>A Discovery Response MUST NOT include a Divert option.</t>
<t>A node MUST silently discard any message whose source address is not link-local.</t>
</list></t>
<t>Further details are out of scope for this document.</t>
</section> -->
<section anchor="trans" title="Transport Layer Usage">
<t>All GRASP messages, after they are serialized as a CBOR byte string, are transmitted
as such directly over the transport protocol in use, which itself runs within the security
environment discussed in the previous section.</t>
<t>GRASP discovery and flooding messages are designed for use over link-local multicast
UDP. They MUST NOT be fragmented, and therefore MUST NOT exceed the link MTU size.
An implementation should report any attempt to send a longer message as a run-time
error.
</t>
<t>All other GRASP messages are unicast and could in principle run over any transport protocol.
An implementation MUST support use of TCP. It MAY support use of another transport
protocol but the details are out of scope for this specification.
However, GRASP itself does not provide for error detection or retransmission of
its unicast messages, so an unreliable transport protocol MUST NOT be used. </t>
<!-- <t>Nevertheless, when running within a secure ACP on reliable infrastructure,
UDP MAY be used for unicast messages not exceeding the minimum IPv6 path MTU;
however, TCP MUST be used for longer messages. In other words, IPv6 fragmentation
is avoided. If a node receives a UDP message but the reply is too long, it
MUST open a TCP connection to the peer for the reply. Note that when
the network is under heavy load or in a fault condition, UDP might become
unreliable. Since this is when autonomic functions are most necessary,
automatic fallback to TCP MUST be implemented. The simplest implementation
is therefore to use only TCP.</t> -->
<t>For considerations when running without an ACP, see <xref target="reqsec"/>.</t>
<t>For link-local multicast, the GRASP protocol listens to the well-known
GRASP Listen Port (<xref target="Constants"/>).
For unicast transport sessions used for discovery responses, synchronization and
negotiation, the ASA concerned normally listens on its own dynamically assigned ports,
which are communicated to its peers during discovery. However, a minimal implementation
MAY use the GRASP Listen Port for this purpose.</t>
</section>
<section anchor="discmech" title="Discovery Mechanism and Procedures">
<section title="Separated discovery and negotiation mechanisms">
<t>Although discovery and negotiation or synchronization are defined
together in GRASP, they are separate mechanisms. The discovery
process could run independently from the negotiation or synchronization
process. Upon receiving a Discovery (<xref target="DiscoveryMessage"/>)
message, the
recipient node should return a response message in which it either
indicates itself as a discovery responder or diverts the
initiator towards another more suitable ASA. However, this
response may be delayed if the recipient needs to relay
the discovery onwards, as described below.</t>
<t>The discovery action (M_DISCOVERY) will normally be followed by
a negotiation (M_REQ_NEG) or synchronization (M_REQ_SYN) action. The
discovery results could be utilized by the negotiation
protocol to decide which ASA the initiator will negotiate
with.</t>
<t>The initiator of a discovery action for a given objective need not
be capable of responding to that objective as a Negotiation Counterpart, as a
Synchronization Responder or as source for flooding. For example, an ASA might perform
discovery even if it only wishes to act a Synchronization Initiator or Negotiation Initiator.
Such an ASA does not itself need to respond to discovery messages.</t>
<t>It is also entirely possible to use GRASP discovery without any subsequent
negotiation or synchronization action. In this case, the discovered objective
is simply used as a name during the discovery process and any subsequent
operations between the peers are outside the scope of GRASP.</t>
</section>
<section anchor="discovw" title="Discovery Overview">
<t>A complete discovery process will start with a multicast (of M_DISCOVERY) on the
local link. On-link neighbors supporting the discovery objective will
respond directly (with M_RESPONSE). A neighbor with multiple interfaces may respond
with a cached discovery response. If it has no cached response, it will relay the
discovery on its other GRASP interfaces<!--, for example reaching a higher-level gateway
in a hierarchical network-->. If a node receiving the relayed discovery
supports the discovery objective, it will respond to the relayed discovery.
If it has a cached response, it will respond with that.
If not, it will repeat the discovery process, which thereby becomes iterative.
The loop count and timeout will ensure that the process ends. Further details
are given below.
</t>
<t>A Discovery message MAY be sent unicast (via UDP or TCP) to a peer node,
which SHOULD then proceed exactly as if the message had been multicast,
except that when TCP is used, the response will be
on the same socket as the query. However,
this mode does not guarantee successful discovery in the general case.
</t>
</section>
<section anchor="discproc" title="Discovery Procedures">
<t>Discovery starts as an on-link operation. The Divert option
can tell the discovery initiator to contact an off-link
ASA for that discovery objective. A Discovery message is sent
by a discovery initiator via UDP to the ALL_GRASP_NEIGHBORS link-local
multicast address (<xref target="Constants"/>). Every network
device that supports GRASP always listens to a well-known
UDP port to capture the discovery messages. Because this port
is unique in a device, this is a function of the GRASP instance
and not of an individual ASA. As a result, each ASA will need to
register the objectives that it supports with the local GRASP instance.</t>
<t>If an ASA in a neighbor device supports the requested discovery objective,
the device SHOULD respond to the link-local multicast with a unicast Discovery Response
message (<xref target="ResponseMessage"/>) with locator option(s), unless it is
temporarily unavailable. Otherwise, if the neighbor has cached information
about an ASA that supports the requested discovery objective (usually
because it discovered the same objective before), it SHOULD
respond with a Discovery Response message with a Divert option pointing
to the appropriate Discovery Responder. However, on a link that supports
link-local multicast, it SHOULD NOT respond
with a cached response on an interface if it learnt that information from
the same interface, because the peer in question will answer directly if still
operational.</t>
<t>If a device has no information about the requested discovery objective,
and is not acting as a discovery relay (see below) it MUST silently
discard the Discovery message.</t>
<t>The discovery initiator MUST set a reasonable timeout on the
discovery process. A suggested value is 100 milliseconds multiplied by the loop count
embedded in the objective.</t>
<t>If no discovery response is received within the timeout,
<!-- a reasonable timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),-->
the Discovery message MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions, to limit the load during busy periods. The
details of the backoff algorithm will depend on the use case for the
objective concerned but MUST be consistent with the recommendations
in <xref target="RFC8085"/> for low data-volume multicast.
Frequent repetition might be symptomatic of a denial of service attack.</t>
<t>After a GRASP device successfully discovers a locator for a Discovery Responder
supporting a specific objective, it SHOULD cache this information, including the interface
index <xref target="RFC3493"/> via which it was discovered. This cache record MAY be used for future
negotiation or synchronization, and the locator SHOULD be passed on when appropriate
as a Divert option to another Discovery Initiator.</t>
<t>The cache mechanism MUST include a lifetime for each entry. The
lifetime is derived from a time-to-live (ttl) parameter in each
Discovery Response message.
Cached entries MUST be ignored or deleted after their lifetime expires.
In some environments, unplanned address renumbering might occur.
In such cases, the lifetime SHOULD be short compared to
the typical address lifetime<!-- and a mechanism to flush the
discovery cache MUST be implemented-->. The discovery mechanism
needs to track the node's current address to ensure that Discovery
Responses always indicate the correct address.</t>
<t>If multiple Discovery Responders are found for the same objective, they
SHOULD all be cached, unless this creates a resource shortage. The method
of choosing between multiple responders is an implementation choice.
This choice MUST be available to each ASA but the GRASP implementation
SHOULD provide a default choice.</t>
<t>Because Discovery Responders will be cached in a finite cache, they might
be deleted at any time. In this case, discovery will need to be repeated. If an
ASA exits for any reason, its locator might still be cached for some time,
and attempts to connect to it will fail. ASAs need to be robust in these
circumstances. </t>
</section>
<section title="Discovery Relaying">
<t>A GRASP instance with multiple link-layer interfaces (typically running in a router) MUST
support discovery on all GRASP interfaces. We refer to this as a 'relaying instance'.</t>
<t>Constrained Instances (<xref target="secinst"/>) are
always single-interface instances and therefore MUST NOT perform discovery relaying.</t>
<t>If a relaying instance receives a Discovery message
on a given interface for a specific objective that it does not support and for
which it has not previously cached a Discovery Responder, it MUST relay
the query by re-issuing a new Discovery message as a link-local multicast on its other
GRASP interfaces.</t>
<t> The relayed discovery message MUST have the same Session ID as the incoming
discovery message and MUST be tagged with the IP address of its original initiator
(see <xref target="DiscoveryMessage"/>). Note that this initiator address is only used
to allow for disambiguation of the Session ID and is never used to address Response packets,
which are sent to the relaying instance, not the original initiator.
</t>
<t>The relaying instance MUST decrement the loop count within the objective, and
MUST NOT relay the Discovery message if the result is zero.
Also, it MUST limit the total rate at which it relays discovery messages
to a reasonable value, in order to mitigate possible denial of service attacks.
For example, the rate limit could be set to a small multiple of the observed
rate of discovery messages during normal operation.
The relaying instance MUST cache the Session ID value and initiator address of each
relayed Discovery message until any Discovery Responses have arrived or
the discovery process has timed out.
To prevent loops, it MUST NOT relay a Discovery message
which carries a given cached Session ID and initiator address more than once.
These precautions avoid discovery loops and mitigate potential overload.</t>
<t>Since the relay device is unaware of the timeout set by the original
initiator it SHOULD set a suitable timeout for the relayed discovery. <!-- significantly less than GRASP_DEF_TIMEOUT
milliseconds (<xref target="Constants"/>).-->
A suggested value is 100 milliseconds multiplied by the remaining loop count.</t>
<t>The discovery results received by the relaying instance MUST in turn be
sent as a Discovery Response message to the Discovery message that caused
the relay action.</t>
</section>
<section anchor="rapid" title="Rapid Mode (Discovery with Negotiation or Synchronization )">
<t>A Discovery message MAY include an
Objective option. This allows a rapid mode of negotiation
(<xref target="rapidneg"/>) or
synchronization (<xref target="rapidsynch"/>).
Rapid mode is currently limited to a single objective
for simplicity of design and implementation. A possible future extension
is to allow multiple objectives in rapid mode for greater efficiency.
</t>
</section>
</section>
<section anchor="negproc" title="Negotiation Procedures">
<t>A negotiation initiator opens a transport connection to a
counterpart ASA using the address, protocol and port obtained during discovery.
It then sends a negotiation request (using M_REQ_NEG) to the counterpart,
including a specific negotiation objective. It may request the negotiation
counterpart to make a specific configuration. Alternatively, it may
request a certain simulation or forecast result by sending a dry run configuration.
The details, including the distinction between a dry run and a live
configuration change, will be defined separately for each type of negotiation
objective. Any state associated with a dry run operation,
such as temporarily reserving a resource for subsequent use in a live
run, is entirely a matter for the designer of the ASA concerned.</t>
<t>Each negotiation session as a whole is subject to a timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
initialised when the request is sent (see <xref target="RequestMessage"/>).
If no reply message of any kind is received within the timeout,
the negotiation request MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions. The
details of the backoff algorithm will depend on the use case for the
objective concerned.</t>
<t/>
<t>If the counterpart can immediately apply the requested
configuration, it will give an immediate positive (O_ACCEPT) answer (using M_END).
This will end the negotiation phase immediately. Otherwise, it will
negotiate (using M_NEGOTIATE). It will reply with a proposed alternative configuration
that it can apply (typically, a configuration that uses fewer resources
than requested by the negotiation initiator). This will start a
bi-directional negotiation (using M_NEGOTIATE) to reach a compromise between the two ASAs.</t>
<t>The negotiation procedure is ended when one of the negotiation
peers sends a Negotiation Ending (M_END) message, which contains an accept (O_ACCEPT)
or decline (O_DECLINE) option and does not need a response from the negotiation
peer. Negotiation may also end in failure (equivalent to a decline)
if a timeout is exceeded or a loop count is exceeded. When the procedure
ends for whatever reason, the transport connection SHOULD be closed.
A transport session failure is treated as a negotiation failure.</t>
<t>A negotiation procedure concerns one objective and one
counterpart. Both the initiator and the counterpart may take part in
simultaneous negotiations with various other ASAs, or in
simultaneous negotiations about different objectives. Thus, GRASP is
expected to be used in a multi-threaded mode or its logical equivalent. Certain negotiation
objectives may have restrictions on multi-threading, for example to
avoid over-allocating resources. </t>
<t>Some configuration actions, for example wavelength switching
in optical networks, might take considerable time to execute. The ASA
concerned needs to allow for this by design, but GRASP does allow for
a peer to insert latency in a negotiation process if necessary
(<xref target="ConfirmWaitingMessage"/>, M_WAIT).</t>
<section anchor="rapidneg" title="Rapid Mode (Discovery/Negotiation Linkage)">
<t>A Discovery message MAY include a Negotiation
Objective option. In this case it is as if the initiator sent the sequence
M_DISCOVERY, immediately followed by M_REQ_NEG.
This has implications for the construction of the GRASP core, as it must carefully
pass the contents of the Negotiation Objective option to the ASA so that it
may evaluate the objective directly. When a Negotiation Objective option is
present the ASA replies with an M_NEGOTIATE message (or M_END with O_ACCEPT if it is
immediately satisfied with the proposal), rather than with an M_RESPONSE.
However, if the recipient node does not support rapid mode, discovery will
continue normally.</t>
<t>It is possible that a Discovery Response will arrive from a responder that
does not support rapid mode, before such a Negotiation message arrives.
In this case, rapid mode will not occur.</t>
<t>This rapid mode could reduce the interactions between
nodes so that a higher efficiency could be achieved. However, a network in which some
nodes support rapid mode and others do not will have complex timing-dependent behaviors.
Therefore, the rapid negotiation function SHOULD be disabled by default.
</t>
</section>
</section>
<section anchor="synchproc" title="Synchronization and Flooding Procedures">
<section anchor="synch" title="Unicast Synchronization">
<t>A synchronization initiator opens a transport connection to a
counterpart ASA using the address, protocol and port obtained during discovery.
It then sends a synchronization request (using M_REQ_SYN) to the
counterpart, including a specific synchronization objective.
The counterpart responds with a Synchronization message (M_SYNCH, <xref target="SynchMessage"/>)
containing the current value of the requested synchronization
objective. No further messages are needed and the transport
connection SHOULD be closed. A transport session failure is treated
as a synchronization failure.</t>
<t>If no reply message of any kind is received within a given timeout
(default GRASP_DEF_TIMEOUT milliseconds, <xref target="Constants"/>),
the synchronization request MAY be repeated, with a newly generated
Session ID (<xref target="SessionID"/>). An exponential backoff SHOULD be used
for subsequent repetitions. The
details of the backoff algorithm will depend on the use case for the
objective concerned.</t>
</section>
<section anchor="flooding" title="Flooding">
<t>In the case just described, the message exchange is unicast and
concerns only one synchronization objective. For large groups of nodes
requiring the same data, synchronization flooding is available. For this,
a flooding initiator MAY send an unsolicited Flood Synchronization message containing
one or more Synchronization Objective option(s), if and only if the specification
of those objectives permits it. This is sent as a multicast message to the
ALL_GRASP_NEIGHBORS multicast address (<xref target="Constants"/>).</t>
<t>Receiving flood multicasts is a function of the GRASP core,
as in the case of discovery multicasts (<xref target="discproc"/>).</t>
<t>To ensure that flooding does not result in a loop, the originator of the Flood Synchronization message
MUST set the loop count in the objectives to a suitable value (the default is GRASP_DEF_LOOPCT).
Also, a suitable mechanism is needed
to avoid excessive multicast traffic. This mechanism MUST be defined as part of the
specification of the synchronization objective(s) concerned. It might be a simple rate
limit or a more complex mechanism such as the Trickle algorithm <xref target="RFC6206"/>.</t>
<t>A GRASP device with multiple link-layer interfaces (typically a router) MUST
support synchronization flooding on all GRASP interfaces. If it receives a multicast
Flood Synchronization message on a given interface, it MUST relay
it by re-issuing a Flood Synchronization message as a link-local multicast
on its other GRASP interfaces.
The relayed message MUST have the same Session ID as the incoming
message and MUST be tagged with the IP address of its original initiator. </t>
<t>Link-layer Flooding is supported by GRASP by setting the loop count to 1,
and sending with a link-local source address. Floods with link-local source addresses
and a loop count other than 1 are invalid, and such messages MUST be discarded.</t>
<t>The relaying device MUST decrement the loop count within the first objective, and
MUST NOT relay the Flood Synchronization message if the result is zero.
Also, it MUST limit the total rate at which it relays Flood Synchronization messages
to a reasonable value, in order to mitigate possible denial of service attacks.
For example, the rate limit could be set to a small multiple of the observed
rate of flood messages during normal operation.
The relaying device MUST cache the Session ID value and initiator address of each relayed
Flood Synchronization message for a time not less than twice GRASP_DEF_TIMEOUT milliseconds.
To prevent loops, it MUST NOT relay a Flood Synchronization message
which carries a given cached Session ID and initiator address more than once.
These precautions avoid synchronization loops and mitigate potential overload.</t>
<t>Note that this mechanism is unreliable in the case of sleeping nodes,
or new nodes that join the network, or nodes that rejoin the network
after a fault. An ASA that initiates a flood SHOULD repeat the flood
at a suitable frequency, which MUST be consistent with the recommendations
in <xref target="RFC8085"/> for low data-volume multicast.
The ASA SHOULD also act as a synchronization responder for
the objective(s) concerned. Thus nodes that require an objective subject to
flooding can either wait for the next flood or request unicast synchronization
for that objective. </t>
<t>The multicast messages for synchronization flooding are subject to the security
rules in <xref target="reqsec"/>. In practice this means that they MUST NOT be transmitted
and MUST be ignored on receipt unless there is an operational ACP or equivalent strong
security in place. However, because
of the security weakness of link-local multicast (<xref target="security"/>),
synchronization objectives that are flooded SHOULD NOT contain unencrypted private
information and SHOULD be validated by the recipient ASA.</t>
</section>
<section anchor="rapidsynch" title="Rapid Mode (Discovery/Synchronization Linkage)">
<t>A Discovery message MAY include a Synchronization
Objective option. In this case the Discovery message also acts
as a Request Synchronization message to indicate to the Discovery Responder
that it could directly reply to the Discovery Initiator with
a Synchronization message <xref target="SynchMessage"/> with synchronization data for rapid processing,
if the discovery target supports the corresponding synchronization
objective. The design implications are similar to those discussed in <xref target="rapidneg"/>.</t>
<t>It is possible that a Discovery Response will arrive from a responder that
does not support rapid mode, before such a Synchronization message arrives.
In this case, rapid mode will not occur.</t>
<t>This rapid mode could reduce the interactions between
nodes so that a higher efficiency could be achieved. However, a network in which some
nodes support rapid mode and others do not will have complex timing-dependent behaviors.
Therefore, the rapid synchronization function SHOULD be configured off by default
and MAY be configured on or off by Intent.</t>
</section>
</section>
</section>
<section anchor="Constants" title="GRASP Constants">