Network Working Group B. Carpenter
Internet-Draft Univ. of Auckland
Intended status: Informational B. Liu, Ed.
Expires: April 9, 2020 Huawei Technologies
W. Wang
X. Gong
BUPT University
October 7, 2019

Generic Autonomic Signaling Protocol Application Program Interface (GRASP API)
draft-ietf-anima-grasp-api-04

Abstract

This document is a conceptual outline of an application programming interface (API) for the Generic Autonomic Signaling Protocol (GRASP). Such an API is needed for Autonomic Service Agents (ASA) calling the GRASP protocol module to exchange autonomic network messages with other ASAs. Since GRASP is designed to support asynchronous operations, the API will need to be adapted to the support for asynchronicity in various languages and operating systems.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 9, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

As defined in [I-D.ietf-anima-reference-model], the Autonomic Service Agent (ASA) is the atomic entity of an autonomic function, and it is instantiated on autonomic nodes. When ASAs communicate with each other, they should use the Generic Autonomic Signaling Protocol (GRASP) [I-D.ietf-anima-grasp].

As the following figure shows, a GRASP implementation could contain two major sub-layers. The bottom is the GRASP base protocol module, which is only responsible for sending and receiving GRASP messages and maintaining shared data structures. The upper layer contains some extended functions based upon GRASP basic protocol. For example, [I-D.liu-anima-grasp-distribution] describes a possible extended function.

It is desirable that ASAs can be designed as portable user-space programs using a portable API. In many operating systems, the GRASP module will therefore be split into two layers. The top layer is a library that provides the API. The lower layer is a daemon that contains GRASP core functions that are independent of specific ASAs, such as multicast handling and relaying, and common data structures such as the discovery cache. The GRASP API library would need to communicate with the GRASP core via an inter-process communication (IPC) mechanism. The details of this are system-dependent.

+----+                              +----+
|ASAs|                              |ASAs|
+----+                              +----+
   |                                   |
   | GRASP Function API                |
   |                                   |
+------------------+                   |GRASP API
| GRASP Extended   |                   |
| Function Modules |                   |
+------------------+                   |
+------------------------------------------+
|                   GRASP API Library      |
|  GRASP Modules - - - - - - - - - - - - - |
|                   GRASP Core (Daemon)    |
+------------------------------------------+

Both the GRASP library and the extended function modules should be available to the ASAs. Thus, there need to be two sub-sets of API. However, since the extended functions are expected to be added in an incremental manner, it is inappropriate to define all the function APIs in a single document. This document only describes the basic GRASP API.

Note that a very simple autonomic node might contain only a single ASA in addition to the autonomic infrastructure components described in [I-D.ietf-anima-bootstrapping-keyinfra] and [I-D.ietf-anima-autonomic-control-plane]. Such a node might directly integrate GRASP in its autonomic code and therefore not require this API to be installed.

This document gives a conceptual outline of the API. It is not a formal specification for any particular programming language or operating system, and it is expected that details will be clarified in individual implementations.

2. GRASP API for ASA

2.1. Design Principles

The assumption of this document is that any Autonomic Service Agent (ASA) needs to call a GRASP module that handles protocol details (security, sending and listening for GRASP messages, waiting, caching discovery results, negotiation looping, sending and receiving sychronization data, etc.) but understands nothing about individual objectives. The semantics of objectives are unknown to the GRASP module and are handled only by the ASAs. Thus, this is a high level abstract API for use by ASAs. Individual language bindings should be defined in separate documents.

An assumption of this API is that ASAs may fall into various classes:

The API also assumes that one ASA may support multiple objectives. Nothing prevents an ASA from supporting some objectives for synchronization and others for negotiation.

The API design assumes that the operating system and programming language provide a mechanism for simultaneous asynchronous operations. This is discussed in detail in Section 2.2.

The functions provided by the API do not map one-to-one onto GRASP messages. Rather, they are intended to offer convenient support for message sequences (such as a discovery request followed by responses from several peers, or a negotiation request followed by various possible responses).

This is a preliminary version. A few gaps exist:

2.2. Asynchronous Operations

GRASP includes asynchronous operations and wait states, and its messages are not idempotent, i.e. they may cause incremental changes of state in the recipient ASA. Most ASAs will need to support several simultaneous operations; for example an ASA might need to negotiate one objective with a peer while discovering and synchronizing a different objective with a different peer. Alternatively, an ASA which acts as a resource manager might need to run simultaneous negotiations for a given objective with multiple different peers. Such an ASA must support atomic access to its internal data structures, for example using operating system locks.

Thus, both the GRASP core and most ASAs need to support asynchronous operations. Depending on both the operating system and the programming language in use, there are three main techniques for such parallel operations: multi-threading, an event loop structure using polling, and an event loop structure using callback functions.

  1. In multi-threading, the operating system and language will provide the necessary support for asynchronous operations, including creation of new threads, context switching between threads, queues, locks, and implicit wait states. In this case, all API calls can be treated naturally as synchronous, even if they include wait states, blocking and queueing. Simultaneous operations will each run in their own threads. For example, the discover() call may not return until discovery results have arrived or a timeout has occurred. If the ASA has other work to do, the discover() call must be in a thread of its own.
  2. In an event loop implementation with polling, blocking calls are not acceptable. Therefore all calls must be non-blocking, and the main loop could support multiple GRASP sessions in parallel by repeatedly polling each one for a change of state. To facilitate this, the API implementation would provide non-blocking versions of all the functions that otherwise involve blocking and queueing. In these calls, a 'noReply' code will be returned by each call instead of blocking, until such time as the event for which it is waiting (or a failure) has occurred. Thus, for example, discover() would return 'noReply' instead of waiting until discovery has succeeded or timed out. The discover() call would be repeated in every cycle of the main loop until it completes. Effectively, it becomes a polling call.
  3. In an event loop implementation with callbacks, the ASA programmer would provide a callback function for each asynchronous operation, e.g. discovery_received(). This would be called asynchronously when a reply is received or a failure such as a timeout occurs.

The following calls involve waiting for a remote operation, so they could use a polling or callback mechanism. In a threaded mechanism, they will usually require to be called in a separate thread:

There is nothing in the design of GRASP to prevent the following scenario. Consider an ASA "A" that acts as a resource allocator for some objective. An ASA "B" launches a negotiation with "A" to obtain or release a quantity of the resource. While this negotatition is under way, "B" chooses to launch a second simultaneous negotiation with "A" for a different quantity of the same resource. "A" must therefore conduct two separate negotiation sessions at the same time with the same peer, and must not mix them up.

Note that ASAs could be designed to avoid such a scenario, i.e. restricted to exactly one negotiation session at a time for a given objective, but this would be a voluntary restriction not required by the GRASP protocol. In fact it is an assumption of GRASP that an ASA managing a resource may need to conduct multiple parallel negotiations, possibly with the same peer. Therefore, the API design allows for such scenarios.

In the callback model, for the scenario just described, the ASAs "A" and "B" will each provide two instances of negotiate_step_received(), one for each session. For this reason, each ASA must be able to distinguish the two sessions, and the peer's IP address is not sufficient for this. It is also not safe to rely on transport port numbers for this, since future variants of GRASP might use shared ports rather than a separate port per session. This is why the GRASP design includes a session identifier. Thus, when necessary, a 'session_nonce' parameter is used in the API to distinguish simultaneous GRASP sessions from each other, so that any number of sessions may proceed asynchronously in parallel.

In calls where it is used, the 'session_nonce' is an opaque read/write parameter. On the first call, it is set to a null value, and the API returns a non-null 'session_nonce' value based on the GRASP session identifier. This value must be used in all subsequent calls for the same session, and will be provided as a parameter in the callback functions. By this mechanism, multiple overlapping sessions can be distinguished, both in the ASA and in the GRASP core. The value of the 'session_nonce" is opaque to the ASA.

An additional mechanism that might increase efficiency for polling implementations is to add a general call, say notify(), which would check the status of all outstanding operations for the calling ASA and return the session_nonce values for all sessions that have changed state. This would eliminate the need for repeated calls to the individual functions returning a 'noReply'. This call is not described below as the details are likely to be implementation-specific.

An implication of the above for all GRASP implementations is that the GRASP core must keep state for each GRASP operation in progress, most likely keyed by the GRASP Session ID and the GRASP source address of the session initiator. Even in a threaded implementation, the GRASP core will need such state internally. The session_nonce parameter exposes this aspect of the implementation.

2.3. API definition

2.3.1. Parameters and data structures

This section describes parameters and data structures used in multiple API calls.

2.3.1.1. Errorcode

All functions in the API have an unsigned 'errorcode' integer as their return value (the first returned value in languages that allow multiple returned parameters). An errorcode of zero indicates success. Any other value indicates failure of some kind. The first three errorcodes have special importance:

  1. Declined: used to indicate that the other end has sent a GRASP Negotiation End message (M_END) with a Decline option (O_DECLINE).
  2. No reply: used in non-blocking calls to indicate that the other end has sent no reply so far (see Section 2.2).
  3. Unspecified error: used when no more specific error code applies.

Appendix A gives a full list of currently suggested error codes, based on implementation experience. While there is no absolute requirement for all implementations to use the same error codes, this is highly recommended for portability of applications.

2.3.1.2. Timeout

Wherever a 'timeout' parameter appears, it is an integer expressed in milliseconds. If it is zero, the GRASP default timeout (GRASP_DEF_TIMEOUT, see [I-D.ietf-anima-grasp]) will apply. If no response is received before the timeout expires, the call will fail unless otherwise noted.

2.3.1.3. Objective

 typedef struct {
    char *name;
    uint8_t flags;            // flag bits as defined by GRASP
    int loop_count;
    int value_size;           // size of value in bytes
    cbor_mutable_data cbor_value;
                              // CBOR bytestring (libcbor/cbor/data.h)
    } objective;
 class objective:
    """A GRASP objective"""
    def __init__(self, name):
        self.name = name    # Unique name (string)
        self.negotiate = False   # True if objective supports negotiation
        self.dryrun = False      # True if objective supports dry-run neg.
        self.synch = False  # True if objective supports synch
        self.loop_count = GRASP_DEF_LOOPCT  # Default starting value
        self.value = 0      # Place holder; any valid Python object

An 'objective' parameter is a data structure with the following components:

2.3.1.4. ASA_locator

An 'ASA_locator' parameter is a data structure with the following contents:

2.3.1.5. Tagged_objective

A 'tagged_objective' parameter is a data structure with the following contents:

2.3.1.6. Asa_nonce

Although an authentication and authorization scheme for ASAs has not been defined, the API provides a very simple hook for such a scheme. When an ASA starts up, it registers itself with the GRASP core, which provides it with an opaque nonce that, although not cryptographically protected, would be difficult for a third party to predict. The ASA must present this nonce in future calls. This mechanism will prevent some elementary errors or trivial attacks such as an ASA manipulating an objective it has not registered to use.

Thus, in most calls, an 'asa_nonce' parameter is required. It is generated when an ASA first registers with GRASP, and the ASA must then store the asa_nonce and use it in every subsequent GRASP call. Any call in which an invalid nonce is presented will fail. It is an up to 32-bit opaque value (for example represented as a uint32_t, depending on the language). It should be unpredictable; a possible implementation is to use the same mechanism that GRASP uses to generate Session IDs [I-D.ietf-anima-grasp]. Another possible implementation is to hash the name of the ASA with a locally defined secret key.

2.3.1.7. Session_nonce

In some calls, a 'session_nonce' parameter is required. This is an opaque data structure as far as the ASA is concerned, used to identify calls to the API as belonging to a specific GRASP session (see Section 2.2). In fully threaded implementations this parameter might not be needed, but it is included to act as a session handle if necessary. It will also allow GRASP to detect and ignore malicious calls or calls from timed-out sessions. A possible implementation is to form the nonce from the underlying GRASP Session ID and the source address of the session.

2.3.2. Registration

These functions are used to register an ASA and the objectives that it supports with the GRASP module. If an authorization model is added to GRASP, it would also be added at this point in the API.

2.3.3. Discovery

2.3.4. Negotiation

2.3.5. Synchronization and Flooding

2.3.6. Invalid Message Function

3. Implementation Status [RFC Editor: please remove]

A prototype open source Python implementation of GRASP, including an API similar to this document, has been used to verify the concepts for the threaded model. It may be found at <https://github.com/becarpenter/graspy> with associated documentation and demonstration ASAs.

4. Security Considerations

Security issues for the GRASP protocol are discussed in [I-D.ietf-anima-grasp]. Authorization of ASAs is a subject for future study.

The 'asa_nonce' parameter is used in the API as a first line of defence against a malware process attempting to imitate a legitimately registered ASA. The 'session_nonce' parameter is used in the API as a first line of defence against a malware process attempting to hijack a GRASP session.

5. IANA Considerations

This document currently makes no request of the IANA.

Open question: Do we need an IANA registry for the error codes?

6. Acknowledgements

Excellent suggestions were made by Ignas Bagdonas, Toerless Eckert, Guangpeng Li, Michael Richardson, and other participants in the ANIMA WG.

7. References

7.1. Normative References

[I-D.ietf-anima-grasp] Bormann, C., Carpenter, B. and B. Liu, "A Generic Autonomic Signaling Protocol (GRASP)", Internet-Draft draft-ietf-anima-grasp-15, July 2017.

7.2. Informative References

[I-D.ietf-anima-autonomic-control-plane] Eckert, T., Behringer, M. and S. Bjarnason, "An Autonomic Control Plane (ACP)", Internet-Draft draft-ietf-anima-autonomic-control-plane-20, July 2019.
[I-D.ietf-anima-bootstrapping-keyinfra] Pritikin, M., Richardson, M., Eckert, T., Behringer, M. and K. Watsen, "Bootstrapping Remote Secure Key Infrastructures (BRSKI)", Internet-Draft draft-ietf-anima-bootstrapping-keyinfra-28, September 2019.
[I-D.ietf-anima-reference-model] Behringer, M., Carpenter, B., Eckert, T., Ciavaglia, L. and J. Nobre, "A Reference Model for Autonomic Networking", Internet-Draft draft-ietf-anima-reference-model-10, November 2018.
[I-D.liu-anima-grasp-distribution] Liu, B., Xiao, X., Jiang, S., Hecker, A. and Z. Despotovic, "Information Distribution in Autonomic Networking", Internet-Draft draft-liu-anima-grasp-distribution-11, July 2019.

Appendix A. Error Codes

This Appendix lists the error codes defined so far, with suggested symbolic names and corresponding descriptive strings in English. It is expected that complete API implementations will provide for localisation of these descriptive strings, and that additional error codes will be needed according to implementation details.

An open issue for these values is whether there is an advantage in aligning them with existing error codes in the socket API, where the meanings coincide, and using different values otherwise. This is to be balanced against the advantage of having a compact and completely portable set of error codes for GRASP alone.

ok               0 "OK"
declined         1 "Declined"
noReply          2 "No reply"
unspec           3 "Unspecified error"
ASAfull          4 "ASA registry full"
dupASA           5 "Duplicate ASA name"
noASA            6 "ASA not registered"
notYourASA       7 "ASA registered but not by you"
notBoth          8 "Objective cannot support both negotiation
                    and synchronization"
notDry           9 "Dry-run allowed only with negotiation"
notOverlap      10 "Overlap not supported by this implementation"
objFull         11 "Objective registry full"
objReg          12 "Objective already registered"
notYourObj      13 "Objective not registered by this ASA"
notObj          14 "Objective not found"
notNeg          15 "Objective not negotiable"
noSecurity      16 "No security"
noDiscReply     17 "No reply to discovery"
sockErrNegRq    18 "Socket error sending negotiation request"
noSession       19 "No session"
noSocket        20 "No socket"
loopExhausted   21 "Loop count exhausted"
sockErrNegStep  22 "Socket error sending negotiation step"
noPeer          23 "No negotiation peer"
CBORfail        24 "CBOR decode failure"
invalidNeg      25 "Invalid Negotiate message"
invalidEnd      26 "Invalid end message"
noNegReply      27 "No reply to negotiation step"
noValidStep     28 "No valid reply to negotiation step"
sockErrWait     29 "Socket error sending wait message"
sockErrEnd      30 "Socket error sending end message"
IDclash         31 "Incoming request Session ID clash"
notSynch        32 "Not a synchronization objective"
notFloodDisc    33 "Not flooded and no reply to discovery"
sockErrSynRq    34 "Socket error sending synch request"
noListener      35 "No synch listener"
noSynchReply    36 "No reply to synchronization request"
noValidSynch    37 "No valid reply to synchronization request"
invalidLoc      38 "Invalid locator"
  

Appendix B. Change log [RFC Editor: Please remove]

draft-ietf-anima-grasp-api-04, 2019-10-07:

Improved discussion of layering, mentioned daemon.

Added callbacks and improved description of asynchronous operations.

Described use case for 'session_nonce'.

More explanation of 'asa_nonce'.

Change 'discover' to use 'age_limit' instead of 'flush'.

Clarified use of 'dry run'.

Editorial improvements.

draft-ietf-anima-grasp-api-03, 2019-01-21:

Replaced empty "logic flows" section by "implementation status".

Minor clarifications.

Editorial improvements.

draft-ietf-anima-grasp-api-02, 2018-06-30:

Additional suggestion for event-loop API.

Discussion of error code values.

draft-ietf-anima-grasp-api-01, 2018-03-03:

Editorial updates

draft-ietf-anima-grasp-api-00, 2017-12-23:

WG adoption

Editorial improvements.

draft-liu-anima-grasp-api-06, 2017-11-24:

Improved description of event-loop model.

Changed intended status to Informational.

Editorial improvements.

draft-liu-anima-grasp-api-05, 2017-10-02:

Added send_invalid()

draft-liu-anima-grasp-api-04, 2017-06-30:

Noted that simple nodes might not include the API.

Minor clarifications.

draft-liu-anima-grasp-api-03, 2017-02-13:

Changed error return to integers.

Required all implementations to accept objective values in CBOR.

Added non-blocking alternatives.

draft-liu-anima-grasp-api-02, 2016-12-17:

Updated for draft-ietf-anima-grasp-09

draft-liu-anima-grasp-api-02, 2016-09-30:

Added items for draft-ietf-anima-grasp-07

Editorial corrections

draft-liu-anima-grasp-api-01, 2016-06-24:

Updated for draft-ietf-anima-grasp-05

Editorial corrections

draft-liu-anima-grasp-api-00, 2016-04-04:

Initial version

Authors' Addresses

Brian Carpenter Department of Computer Science University of Auckland PB 92019 Auckland, 1142 New Zealand EMail: brian.e.carpenter@gmail.com
Bing Liu (editor) Huawei Technologies Q14, Huawei Campus No.156 Beiqing Road Hai-Dian District, Beijing, 100095 P.R. China EMail: leo.liubing@huawei.com
Wendong Wang BUPT University Beijing University of Posts & Telecom. No.10 Xitucheng Road Hai-Dian District, Beijing 100876, P.R. China EMail: wdwang@bupt.edu.cn
Xiangyang Gong BUPT University Beijing University of Posts & Telecom. No.10 Xitucheng Road Hai-Dian District, Beijing 100876, P.R. China EMail: xygong@bupt.edu.cn