forked from becarpenter/animaproto
-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-carpenter-anima-gdn-protocol-04A.txt
2352 lines (1595 loc) · 96.3 KB
/
draft-carpenter-anima-gdn-protocol-04A.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group B. Carpenter
Internet-Draft Univ. of Auckland
Intended status: Standards Track B. Liu
Expires: November 18, 2015 Huawei Technologies Co., Ltd
May 17, 2015
A Generic Discovery and Negotiation Protocol for Autonomic Networking
draft-carpenter-anima-gdn-protocol-04
Abstract
This document establishes requirements for a signaling protocol that
enables autonomic devices and autonomic service agents to dynamically
discover peers, to synchronize state with them, and to negotiate
parameter settings mutually with them. The document then defines a
general protocol for discovery, synchronization and negotiation,
while the technical objectives for specific scenarios are to be
described in separate documents. An Appendix briefly discusses
existing protocols with comparable features.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 18, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Carpenter & Liu Expires November 18, 2015 [Page 1]
Internet-Draft GDN Protocol May 2015
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirement Analysis of Discovery, Synchronization and
Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements for Discovery . . . . . . . . . . . . . . . 4
2.2. Requirements for Synchronization and Negotiation
Capability . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Specific Technical Requirements . . . . . . . . . . . . . 7
3. GDNP Protocol Overview . . . . . . . . . . . . . . . . . . . 8
3.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. High-Level Design Choices . . . . . . . . . . . . . . . . 10
3.3. GDNP Protocol Basic Properties and Mechanisms . . . . . . 14
3.3.1. Required External Security Mechanism . . . . . . . . 14
3.3.2. Transport Layer Usage . . . . . . . . . . . . . . . . 14
3.3.3. Discovery Mechanism and Procedures . . . . . . . . . 14
3.3.4. Negotiation Procedures . . . . . . . . . . . . . . . 16
3.3.5. Synchronization Procedure . . . . . . . . . . . . . . 17
3.4. GDNP Constants . . . . . . . . . . . . . . . . . . . . . 18
3.5. Session Identifier (Session ID) . . . . . . . . . . . . . 19
3.6. GDNP Messages . . . . . . . . . . . . . . . . . . . . . . 19
3.6.1. GDNP Message Format . . . . . . . . . . . . . . . . . 19
3.6.2. Discovery Message . . . . . . . . . . . . . . . . . . 20
3.6.3. Response Message . . . . . . . . . . . . . . . . . . 20
3.6.4. Request Message . . . . . . . . . . . . . . . . . . . 21
3.6.5. Negotiation Message . . . . . . . . . . . . . . . . . 21
3.6.6. Negotiation-ending Message . . . . . . . . . . . . . 22
3.6.7. Confirm-waiting Message . . . . . . . . . . . . . . . 22
3.7. GDNP General Options . . . . . . . . . . . . . . . . . . 22
3.7.1. Format of GDNP Options . . . . . . . . . . . . . . . 22
3.7.2. Divert Option . . . . . . . . . . . . . . . . . . . . 23
3.7.3. Accept Option . . . . . . . . . . . . . . . . . . . . 23
3.7.4. Decline Option . . . . . . . . . . . . . . . . . . . 24
3.7.5. Waiting Time Option . . . . . . . . . . . . . . . . . 24
3.7.6. Device Identity Option . . . . . . . . . . . . . . . 25
3.7.7. Locator Options . . . . . . . . . . . . . . . . . . . 25
3.8. Objective Options . . . . . . . . . . . . . . . . . . . . 27
3.8.1. Format of Objective Options . . . . . . . . . . . . . 27
3.8.2. General Considerations for Objective Options . . . . 28
3.8.3. Organizing of Objective Options . . . . . . . . . . . 29
3.8.4. Vendor Specific Objective Options . . . . . . . . . . 29
3.8.5. Experimental Objective Options . . . . . . . . . . . 30
4. Items for Future Work . . . . . . . . . . . . . . . . . . . . 31
Carpenter & Liu Expires November 18, 2015 [Page 2]
Internet-Draft GDN Protocol May 2015
5. Security Considerations . . . . . . . . . . . . . . . . . . . 31
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34
8. Change log [RFC Editor: Please remove] . . . . . . . . . . . 35
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.1. Normative References . . . . . . . . . . . . . . . . . . 36
9.2. Informative References . . . . . . . . . . . . . . . . . 36
Appendix A. Capability Analysis of Current Protocols . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction
The success of the Internet has made IP-based networks bigger and
more complicated. Large-scale ISP and enterprise networks have
become more and more problematic for human based management. Also,
operational costs are growing quickly. Consequently, there are
increased requirements for autonomic behavior in the networks.
General aspects of autonomic networks are discussed in
[I-D.irtf-nmrg-autonomic-network-definitions] and
[I-D.irtf-nmrg-an-gap-analysis]. In order to fulfil autonomy,
devices that embody autonomic service agents have specific signaling
requirements. In particular they need to discover each other, to
synchronize state with each other, and to negotiate parameters and
resources directly with each other. There is no restriction on the
type of parameters and resources concerned, which include very basic
information needed for addressing and routing, as well as anything
else that might be configured in a conventional network. The atomic
unit of synchronization or negotiation is referred to as an
objective, defined more precisely later in this document.
Following this Introduction, Section 2 describes the requirements for
discovery, synchronization and negotiation. Negotiation is an
iterative process, requiring multiple message exchanges forming a
closed loop between the negotiating devices. State synchronization,
when needed, can be regarded as a special case of negotiation,
without iteration. Section 3.2 describes a behavior model for a
protocol intended to support discovery, synchronization and
negotiation. The design of Generic Discovery and Negotiation
Protocol (GDNP) in Section 3 of this document is mainly based on this
behavior model. The relevant capabilities of various existing
protocols are reviewed in Appendix A.
The proposed discovery mechanism is oriented towards synchronization
and negotiation objectives. It is based on a neighbor discovery
process, but also supports diversion to off-link peers. Although
many negotiations will occur between horizontally distributed peers,
many target scenarios are hierarchical networks, which is the
predominant structure of current large-scale managed networks.
Carpenter & Liu Expires November 18, 2015 [Page 3]
Internet-Draft GDN Protocol May 2015
However, when a device starts up with no pre-configuration, it has no
knowledge of the topology. The protocol itself is capable of being
used in a small and/or flat network structure such as a small office
or home network as well as a professionally managed network.
Therefore, the discovery mechanism needs to be able to allow a device
to bootstrap itself without making any prior assumptions about
network structure.
Because GDNP can be used to perform a decision process among
distributed devices or between networks, it must run in a secure and
strongly authenticated environment.
It is understood that in realistic deployments, not all devices will
support GDNP. It is expected that some autonomic service agents will
directly manage a group of non-autonomic nodes, and that other non-
autonomic nodes will be managed traditionally. Such mixed scenarios
are not discussed in this specification.
2. Requirement Analysis of Discovery, Synchronization and Negotiation
This section discusses the requirements for discovery, negotiation
and synchronization capabilities. The primary user of the protocol
is an autonomic service agent (ASA), so the requirements are mainly
expressed as the features needed by an ASA. A single physical device
might contain several ASAs, and a single ASA might manage several
objectives.
2.1. Requirements for Discovery
In an autonomic network we must assume that when a device starts up
it has no information about any peer devices, the network structure,
or what specific role it must play. The ASA(s) inside the device are
in the same situation. In some cases, when a new application session
starts up within a device, the device or ASA may again lack
information about relevant peers. It might be necessary to set up
resources on multiple other devices, coordinated and matched to each
other so that there is no wasted resource. Security settings might
also need updating to allow for the new device or user. Therefore a
basic requirement is that there must be a mechanism by which an ASA
can separately discover peer ASAs for each of the technical
objectives that it needs to manage. Some objectives may only be
significant on the local link, but others may be significant across
the routed network and require off-link operations. Thus, the
relevant peers might be immediate neighbors on the same layer 2 link
or they might be more distant and only accessible via layer 3. The
mechanism must therefore support both on-link discovery and off-link
discovery of ASAs that support specific technical objectives.
Carpenter & Liu Expires November 18, 2015 [Page 4]
Internet-Draft GDN Protocol May 2015
The relevant peers may be different for different technical
objectives. Therefore discovery needs to be repeated as often as
necessary to find peers capable of acting as counterparts for each
objective that a discovery initiator needs to handle. In many
scenarios, the discovery process may be followed by a synchronization
or negotiation process. Therefore, a discovery objective may be
associated with one or more synchronization or negotiation
objectives.
When an ASA first starts up, it has no knowledge of the network
structure. Therefore the discovery process must be able to support
any network scenario, assuming only that the device concerned is
bootstrapped from factory condition.
In some networks, as mentioned above, there will be some hierarchical
structure, at least for certain synchronization or negotiation
objectives, but this is unknown in advance. The discovery protocol
must therefore operate regardless of hierarchical structure, which is
an attribute of individual objectives and not of the autonomic
network as a whole. This is part of the more general requirement to
discover off-link peers.
During initialisation, a device must be able to establish mutual
trust with the rest of the network and join an authentication
mechanism. Although this will inevitably start with a discovery
action, it is a special case precisely because trust is not yet
established. This topic is the subject of
[I-D.pritikin-anima-bootstrapping-keyinfra]. We require that once
trust has been established for a device, all ASAs within the device
inherit the device's credentials and are also trusted.
In addition, depending on the type of network involved, discovery of
other central functions might be needed, such as the Network
Operations Center (NOC) [I-D.eckert-anima-stable-connectivity]. GDNP
must be capable of supporting such discovery during initialisation,
as well as discovery during ongoing operation.
The discovery process must not generate excessive (multicast) traffic
and must take account of sleeping nodes in the case of a resource-
constrained network.
2.2. Requirements for Synchronization and Negotiation Capability
We start by considering routing protocols, the closest approximation
to autonomic networking in widespread use. Routing protocols use a
largely autonomic model based on distributed devices that communicate
repeatedly with each other. However, routing is mainly based on one-
way information synchronization (in either direction), rather than on
Carpenter & Liu Expires November 18, 2015 [Page 5]
Internet-Draft GDN Protocol May 2015
bi-directional negotiation. The focus is reachability, so current
routing protocols only consider simple link status, i.e., up or down,
and an underlying assumption is that all nodes need a consistent view
of the network topology. Other information, such as latency,
congestion, capacity, and particularly unused capacity, would be
helpful to get better path selection and utilization rate, but are
not normally used in distributed routing algorithms. Also, autonomic
networks need to be able to manage many more dimensions, such as
security settings, power saving, load balancing, etc. In general,
these items do not apply to all participating nodes, but only to a
subset. A basic requirement for the protocol is therefore the
ability to represent, discover, synchronize and negotiate almost any
kind of network parameter among arbitrary subsets of participating
nodes.
Human intervention in complex situations is costly and error-prone.
Therefore, synchronization or negotiation of parameters without human
intervention is desirable whenever the coordination of multiple
devices can improve overall network performance. It follows that a
requirement for the protocol is to be capable of running in any
device that would otherwise need human intervention.
Human intervention in large networks is often replaced by use of a
top-down network management system (NMS). It therefore follows that
a requirement for the protocol is to be capable of running in any
device that would otherwise be managed by an NMS, and that it can co-
exist with an NMS.
Status information and traffic metrics need to be shared between
nodes for dynamic adjustment of resources and for monitoring
purposes. While this might be achieved by existing protocols when
they are available, the new protocol needs to be able to support
parameter exchange, including mutual synchronization, even when no
negotiation as such is required.
Some features are expected to be implemented by individual ASAs, but
the protocol must be general enough to allow them:
It might happen that multiple ASAs attempt to manage the same
resource, leading to a need for conflict resolution. In such a
case, the protocol's role is limited to signaling between ASAs.
Recovery from faults and identification of faulty devices should
be as automatic as possible. The protocol's role is limited to
the ability to handle discovery, synchronization and negotiation
at any time, in case an ASA detects an anomaly such as a
negotiation counterpart failing.
Carpenter & Liu Expires November 18, 2015 [Page 6]
Internet-Draft GDN Protocol May 2015
Since the goal is to minimize human intervention, it is necessary
that the network can in effect "think ahead" before changing its
parameters. In other words there must be a possibility of
forecasting the effect of a change by a "dry run" mechanism before
actually installing the change. This will be an application of
the protocol rather than a feature of the protocol itself.
Management logging, monitoring, alerts and tools for intervention
are required. However, these can only be features of individual
ASAs. Another document [I-D.eckert-anima-stable-connectivity]
discusses how such agents may be linked into conventional OAM
systems via an Autonomic Control Plane
[I-D.behringer-anima-autonomic-control-plane].
The protocol needs to be able to deal with a wide variety of
technical objectives, covering any type of network parameter.
Therefore the protocol will need either an explicit information model
describing its messages, or at least a flexible and extensible
message format. One design consideration is whether to adopt an
existing information model or to design a new one. Another
consideration is whether it should be able to carry some or all of
the message formats used by existing configuration protocols.
The negotiation process must be guaranteed to terminate (with success
or failure) and if necessary it must contain tie-breaking rules for
each technical objective that requires them. While this must be
defined specifically for each use case, the protocol should have some
general mechanisms in support of loop and deadlock prevention.
2.3. Specific Technical Requirements
To be a generic platform, the protocol payload format should be
independent of the transport protocol or IP version. In particular,
it should be able to run over IPv6 or IPv4. However, some functions,
such as multicasting or broadcasting on a link, might need to be IP
version dependent. In case of doubt, IPv6 should be preferred.
The protocol must be able to access off-link counterparts via
routable addresses, i.e., must not be restricted to link-local
operation.
Following discovery, an ASA will normally perform negotiation or
synchronization for the corresponding objectives. The design should
allow for this and may provide an optional mechanism to combine
discovery and negotiation/synchronization in a single call. However,
it must also be possible for an external discovery mechanism to be
used, if so defined for a given objective. In other words, GDNP
Carpenter & Liu Expires November 18, 2015 [Page 7]
Internet-Draft GDN Protocol May 2015
discovery must not be a prerequisite for GDNP negotiation or
synchronization.
Dependencies and conflicts: In order to decide a configuration on a
given device, the device may need information from neighbors. This
can be established through the negotiation procedure, or through
synchronization if that is sufficient. However, a given item in a
neighbor may depend on other information from its own neighbors,
which may need another negotiation or synchronization procedure to
obtain or decide. Therefore, there are potential dependencies and
conflicts among negotiation or synchronization procedures. Resolving
dependencies and conflicts is a matter for the individual ASAs
involved. To allow this, there need to be clear boundaries and
convergence mechanisms for negotiations. Also some mechanisms are
needed to avoid loop dependencies.
Policy constraints: There must be provision for general policy intent
rules to be applied by all devices in the network (e.g., security
rules, prefix length, resource sharing rules). However, policy
intent distribution might not use the negotiation protocol itself.
Management monitoring, alerts and intervention: Devices should be
able to report to a monitoring system. Some events must be able to
generate operator alerts and some provision for emergency
intervention must be possible (e.g. to freeze synchronization or
negotiation in a mis-behaving device). These features may not use
the negotiation protocol itself.
The protocol needs to be fully secure against forged messages and
man-in-the middle attacks, and as secure as reasonably possible
against denial of service attacks. It needs to be capable of
encryption in order to resist unwanted monitoring, although this
capability may not be required in all deployments. However, it is
not required that the protocol itself provides these security
features; it may depend on an existing secure environment.
ASAs and the protocol engine need to run asynchronously when wait
states occur.
3. GDNP Protocol Overview
3.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] when they appear in ALL CAPS. When these words are not in
ALL CAPS (such as "should" or "Should"), they have their usual
Carpenter & Liu Expires November 18, 2015 [Page 8]
Internet-Draft GDN Protocol May 2015
English meanings, and are not to be interpreted as [RFC2119] key
words.
This document uses terminology defined in
[I-D.irtf-nmrg-autonomic-network-definitions].
The following additional terms are used throughout this document:
o Discovery: a process by which an ASA discovers peers according to
a specific discovery objective. The discovery results may be
different according to the different discovery objectives. The
discovered peers may later be used as negotiation counterparts or
as sources of synchronization data.
o Negotiation: a process by which two (or more) ASAs interact
iteratively to agree on parameter settings that best satisfy the
objectives of one or more ASAs.
o State Synchronization: a process by which two (or more) ASAs
interact to agree on the current state of parameter values stored
in each ASA. This is a special case of negotiation in which
information is sent but the ASAs do not request their peers to
change parameter settings. All other definitions apply to both
negotiation and synchronization.
o Objective: An objective in GDNP is a configurable state of some
kind, which occurs in three contexts: Discovery, Negotiation and
Synchronization. In the protocol, an objective is represented by
an identifier (actually a GDNP option number) and if relevant a
value. Normally, a given objective will occur during discovery
and negotiation, or during discovery and synchronization, but not
in all three contexts.
* One ASA may support multiple independent objectives.
* The parameter described by a given objective is naturally based
on a specific service or function or action. It may in
principle be anything that can be set to a specific logical,
numerical or string value, or a more complex data structure, by
a network node. That node is generally expected to contain an
ASA which may itself manage other nodes.
* Discovery Objective: if a node needs to synchronize or
negotiate a specific objective but does not know a peer that
supports this objective, it starts a discovery process. The
objective is called a Discovery Objective during this process.
Carpenter & Liu Expires November 18, 2015 [Page 9]
Internet-Draft GDN Protocol May 2015
* Synchronization Objective: an objective whose specific
technical content needs to be synchronized among two or more
ASAs.
* Negotiation Objective: an objective whose specific technical
content needs to be decided in coordination with another ASA.
o Discovery Initiator: an ASA that spontaneously starts discovery by
sending a discovery message referring to a specific discovery
objective.
o Discovery Responder: a peer ASA which responds to the discovery
objective initiated by the discovery initiator.
o Synchronization Initiator: an ASA that spontaneously starts
synchronization by sending a request message referring to a
specific synchronization objective.
o Synchronization Responder: a peer ASA which responds with the
value of a synchronization objective.
o Negotiation Initiator: an ASA that spontaneously starts
negotiation by sending a request message referring to a specific
negotiation objective.
o Negotiation Counterpart: a peer with which the Negotiation
Initiator negotiates a specific negotiation objective.
3.2. High-Level Design Choices
This section describes a behavior model and some considerations for
designing a generic discovery, synchronization and negotiation
protocol, which can act as a platform for different technical
objectives.
NOTE: This protocol is described here in a stand-alone fashion as a
proof of concept. An early version was prototyped by Huawei and the
Beijing University of Posts and Telecommunications. However, this is
not yet a definitive proposal for IETF adoption. In particular,
adaptation and extension of one of the protocols discussed in
Appendix A might be an option. This whole specification is subject
to change as a result.
o A generic platform
The protocol is designed as a generic platform, which is
independent from the synchronization or negotiation contents. It
takes care of the general intercommunication between counterparts.
Carpenter & Liu Expires November 18, 2015 [Page 10]
Internet-Draft GDN Protocol May 2015
The technical contents will vary according to the various
synchronization or negotiation objectives and the different pairs
of counterparts.
o Security infrastructure and trust relationship
Because this negotiation protocol may directly cause changes to
device configurations and bring significant impacts to a running
network, this protocol is assumed to run within an existing secure
environment with strong authentication.
On the other hand, a limited negotiation model might be deployed
based on a limited trust relationship. For example, between two
administrative domains, ASAs might also exchange limited
information and negotiate some particular configurations based on
a limited conventional or contractual trust relationship.
o Discovery, synchronization and negotiation designed together
The discovery method and the synchronization and negotiation
methods are designed in the same way and can be combined when this
is useful. These processes can also be performed independently
when appropriate.
* GDNP discovery is appropriate for efficient discovery of GDNP
peers and allows a rapid mode of operation described in
Section 3.3.3. For some parameters, especially those concerned
with application layer services, a text-based discovery
mechanism such as DNS Service Discovery
[I-D.ietf-dnssd-requirements] or Service Location Protocol
[RFC2608] might be more appropriate. The choice is left to the
designers of individual ASAs.
o A uniform pattern for technical contents
The synchronization and negotiation contents are defined according
to a uniform pattern. They could be carried either in simple TLV
(Type, Length and Value) format or in payloads described by a
flexible language. The initial protocol design uses the TLV
approach. The format is extensible for unknown future
requirements.
o A conservative model for synchronization
Carpenter & Liu Expires November 18, 2015 [Page 11]
Internet-Draft GDN Protocol May 2015
GDNP supports bilateral synchronization, which could be used to
perform synchronization among a small number of nodes.
* For some parameters, synchronization across large groups of
nodes, possibly including all autonomic nodes, might be needed.
For such cases, a flooding mechanism such as ADNCP
[I-D.stenberg-anima-adncp] is considered more appropriate.
GDNP is designed to coexist with ADNCP. The choice is left to
the designers of individual ASAs.
o A simple initiator/responder model for negotiation
Multi-party negotiations are too complicated to be modeled and
there might be too many dependencies among the parties to converge
efficiently. A simple initiator/responder model is more feasible
and can complete multiple-party negotiations by indirect steps.
o Organizing of synchronization or negotiation content
Naturally, the technical content will be organized according to
the relevant function or service. The content from different
functions or services is kept independent from each other. They
are not combined into a single option or single session because
these contents may be negotiated or synchronized with different
counterparts or may be different in response time.
o Self aware network device
Every autonomic device will be pre-loaded with various functions
and ASAs and will be aware of its own capabilities, typically
decided by the hardware, firmware or pre-installed software. Its
exact role may depend on the surrounding network behaviors, which
may include forwarding behaviors, aggregation properties, topology
location, bandwidth, tunnel or translation properties, etc. The
surrounding topology will depend on the network planning.
Following an initial discovery phase, the device properties and
those of its neighbors are the foundation of the synchronization
or negotiation behavior of a specific device. A device has no
pre-configuration for the particular network in which it is
installed.
o Requests and responses in negotiation procedures
The initiator can negotiate with its relevant negotiation
counterpart ASAs, which may be different according to the specific
Carpenter & Liu Expires November 18, 2015 [Page 12]
Internet-Draft GDN Protocol May 2015
negotiation objective. It can request relevant information from
the negotiation counterpart so that it can decide its local
configuration to give the most coordinated performance. It can
request the negotiation counterpart to make a matching
configuration in order to set up a successful communication with
it. It can request certain simulation or forecast results by
sending some dry run conditions.
Beyond the traditional yes/no answer, the responder can reply with
a suggested alternative if its answer is 'no'. This would start a
bi-directional negotiation ending in a compromise between the two
ASAs.
o Convergence of negotiation procedures
To enable convergence, when a responder makes a suggestion of a
changed condition in a negative reply, it should be as close as
possible to the original request or previous suggestion. The
suggested value of the third or later negotiation steps should be
chosen between the suggested values from the last two negotiation
steps. In any case there must be a mechanism to guarantee
convergence (or failure) in a small number of steps, such as a
timeout or maximum number of iterations.
* End of negotiation
A limited number of rounds, for example three, or a timeout, is
needed on each ASA for each negotiation objective. It may be
an implementation choice, a pre-configurable parameter, or a
network-wide policy intent. These choices might vary between
different types of ASA. Therefore, the definition of each
negotiation objective MUST clearly specify this, so that the
negotiation can always be terminated properly.
* Failed negotiation
There must be a well-defined procedure for concluding that a
negotiation cannot succeed, and if so deciding what happens
next (deadlock resolution, tie-breaking, or revert to best-
effort service). Again, this MUST be specified for individual
negotiation objectives, as an implementation choice, a pre-
configurable parameter, or a network-wide policy intent.
Carpenter & Liu Expires November 18, 2015 [Page 13]
Internet-Draft GDN Protocol May 2015
3.3. GDNP Protocol Basic Properties and Mechanisms
3.3.1. Required External Security Mechanism
The protocol SHOULD run within a secure Autonomic Control Plane (ACP)
[I-D.behringer-anima-autonomic-control-plane]. The procedure for
establishing the ACP MUST provide a flag indicating to GDNP that the
ACP has been established.
If there is no ACP, the protocol MUST use TLS [RFC5246] or DTLS
[RFC6347] for all messages, based on a local Public Key
Infrastructure (PKI) [RFC5280] managed within the autonomic network
itself.
Link-local multicast is used for discovery messages. These cannot be
secured, but responses to discovery messages MUST be secured.
However, during initialisation, before a node has joined the
applicable trust infrastructure, e.g.,
[I-D.pritikin-anima-bootstrapping-keyinfra], it might be impossible
to secure certain messages. Such messages MUST be limited to the
strictly necessary minimum.
3.3.2. Transport Layer Usage
The protocol is capable of running over UDP or TCP, except for link-
local multicast discovery messages, which can only run over UDP and
MUST NOT be fragmented, and therefore cannot exceed the link MTU
size.
When running within a secure ACP, UDP SHOULD be used for messages not
exceeding the minimum IPv6 path MTU, and TCP MUST be used for longer
messages. In other words, IPv6 fragmentation is avoided. If a node
receives a UDP message but the reply is too long, it MUST open a TCP
connection to the peer for the reply.
When running without an ACP, TLS MUST be supported and used by
default, except for multicast discovery messages. DTLS MAY be
supported as an alternative but the details are out of scope for this
document.
For all transport protocols, the GDNP protocol listens to the GDNP
Listen Port (Section 3.4).
3.3.3. Discovery Mechanism and Procedures
o Separated discovery and negotiation mechanisms
Carpenter & Liu Expires November 18, 2015 [Page 14]
Internet-Draft GDN Protocol May 2015
Although discovery and negotiation or synchronization are
defined together in the GDNP, they are separated mechanisms.
The discovery process could run independently from the
negotiation or synchronization process. Upon receiving a
discovery (Section 3.6.2) or request (Section 3.6.4) message,
the recipient ASA should return a message in which it either
indicates itself as a discovery responder or diverts the
initiator towards another more suitable ASA.
The discovery action will normally be followed by a negotiation
or synchronization action. The discovery results could be
utilized by the negotiation protocol to decide which ASA the
initiator will negotiate with.
o Discovery Procedures
Discovery starts as an on-link operation. The Divert option
can tell the discovery initiator to contact an off-link ASA for
that discovery objective. Every DISCOVERY message is sent by a
discovery initiator via UDP to the ALL_GDNP_NEIGHBOR multicast
address (Section 3.4). Every network device that supports the
GDNP always listens to a well-known UDP port to capture the
discovery messages.
If an ASA in the neighbor device supports the requested
discovery objective, it MAY respond with a Response message
(Section 3.6.3) with locator option(s). Otherwise, if the
neigbor has cached information about an ASA that supports the
requested discovery objective (usually because it discovered
the same objective before), it SHOULD respond with a Response
message with a Divert option pointing to the appropriate
Discovery Responder.
If no discovery response is received within a reasonable
timeout (default GDNP_DEF_TIMEOUT milliseconds, Section 3.4),
the DISCOVERY message MAY be repeated, with a newly generated
Session ID (Section 3.5). An exponential backoff SHOULD be
used for subsequent repetitions, in order to mitigate possible
denial of service attacks.
After a GDNP device successfully discovers a Discovery
Responder supporting a specific objective, it MUST cache this
information. This cache record MAY be used for future
negotiation or synchronization, and SHOULD be passed on when
appropriate as a Divert option to another Discovery Initiator.
The cache lifetime is an implementation choice.
Carpenter & Liu Expires November 18, 2015 [Page 15]
Internet-Draft GDN Protocol May 2015
If multiple Discovery Responders are found for the same
objective, they SHOULD all be cached, unless this creates a
resource shortage. The method of choosing between multiple
responders is an implementation choice.
A GDNP device with multiple link-layer interfaces (typically a
router) MUST support discovery on all interfaces. If it
receives a DISCOVERY message on a given interface for a
specific objective that it does not support and for which it
has not previously discovered a Discovery Responder, it MUST
relay the query by re-issuing the same DISCOVERY message on its
other interfaces. However, it MUST limit the total rate at
which it relays discovery messages to a reasonable value, in
order to mitigate possible denial of service attacks. It MUST
cache the Session ID value of each relayed discovery message
and, to prevent loops, MUST NOT relay a DISCOVERY message which
carries such a cached Session ID.
This relayed discovery mechanism, with caching of the results,
should be sufficient to support most network bootstrapping
scenarios.
o A complete discovery process will start with multicast on the
local link; a neighbor might divert it to an off-link destination,
which could be a default higher-level gateway in a hierarchical
network. Then discovery would continue with a unicast to that
gateway; if that gateway is still not the right counterpart, it
should divert to another gateway, which is in principle closer to
the right counterpart. Finally the right counterpart responds to
start the negotiation or synchronization process.
o Rapid Mode (Discovery/Negotiation binding)
A Discovery message MAY include one or more Negotiation
Objective option(s). This allows a rapid mode of negotiation
described in Section 3.3.4. A similar mechanism is defined for
synchronization in Section 3.3.5.
3.3.4. Negotiation Procedures
A negotiation initiator sends a negotiation request to a counterpart
ASA, including a specific negotiation objective. It may request the
negotiation counterpart to make a specific configuration.
Alternatively, it may request a certain simulation or forecast result
by sending a dry run configuration. The details, including the
distinction between dry run and an actual configuration change, will
be defined separately for each type of negotiation objective.
Carpenter & Liu Expires November 18, 2015 [Page 16]
Internet-Draft GDN Protocol May 2015
If the counterpart can immediately apply the requested configuration,
it will give an immediate positive (accept) answer. This will end
the negotiation phase immediately. Otherwise, it will negotiate. It
will reply with a proposed alternative configuration that it can
apply (typically, a configuration that uses fewer resources than
requested by the negotiation initiator). This will start a bi-
directional negotiation to reach a compromise between the two ASAs.
The negotiation procedure is ended when one of the negotiation peers
sends a Negotiation Ending message, which contains an accept or
decline option and does not need a response from the negotiation
peer. Negotiation may also end in failure (equivalent to a decline)
if a timeout is exceeded or a loop count is exceeded.
A negotiation procedure concerns one objective and one counterpart.
Both the initiator and the counterpart may take part in simultaneous
negotiations with various other ASAs, or in simultaneous negotiations
about different objectives. Thus, GDNP is expected to be used in a
multi-threaded mode. Certain negotiation objectives may have
restrictions on multi-threading, for example to avoid over-allocating
resources.
Rapid Mode (Discovery/Negotiation linkage)
A Discovery message MAY include a Negotiation Objective option.
In this case the Discovery message also acts as a Request message
to indicate to the Discovery Responder that it could directly
reply to the Discovery Initiator with a Negotiation message for
rapid processing, if it could act as the corresponding negotiation
counterpart. However, the indication is only advisory not
prescriptive.
This rapid mode could reduce the interactions between nodes so
that a higher efficiency could be achieved. This rapid
negotiation function SHOULD be configured off by default and MAY
be configured on or off by policy intent.
3.3.5. Synchronization Procedure
A synchronization initiator sends a synchronization request to a
counterpart, including a specific synchronization objective. The
counterpart responds with a Response message containing the current
value of the requested synchronization objective. No further
messages are needed. If no Response message is received, the
synchronization request MAY be repeated after a suitable timeout.
In the case just described, the message exchange is unicast and
concerns only one synchronization objective. For large groups of
Carpenter & Liu Expires November 18, 2015 [Page 17]
Internet-Draft GDN Protocol May 2015
nodes requiring mutual synchronization, ADNCP
[I-D.stenberg-anima-adncp] is considered more appropriate. In the
following case, several synchronization objectives may be combined.
Rapid Mode (Discovery/Synchronization linkage)
A Discovery message MAY include one or more Synchronization
Objective option(s). In this case the Discovery message also acts
as a Request message to indicate to the Discovery Responder that
it could directly reply to the Discovery Initiator with a Response
message with synchronization data for rapid processing, if the
discovery target supports the corresponding synchronization
objective(s). However, the indication is only advisory not
prescriptive.
This rapid mode could reduce the interactions between nodes so
that a higher efficiency could be achieved. This rapid
synchronization function SHOULD be configured off by default and
MAY be configured on or off by policy intent.
3.4. GDNP Constants
o ALL_GDNP_NEIGHBOR
A link-local scope multicast address used by a GDNP-enabled device
to discover GDNP-enabled neighbor (i.e., on-link) devices . All
devices that support GDNP are members of this multicast group.
* IPv6 multicast address: TBD1
* IPv4 multicast address: TBD2
o GDNP Listen Port (TBD3)
A UDP and TCP port that every GDNP-enabled network device always
listens to.
o GDNP_DEF_TIMEOUT (60000 milliseconds)
The default timeout used to determine that a discovery or
negotiation has failed to complete.
o GDNP_DEF_LOOPCT (6)