Internet-Draft | GRASP API | November 2020 |
Carpenter, et al. | Expires 18 May 2021 | [Page] |
This document is a conceptual outline of an application programming interface (API) for the Generic Autonomic Signaling Protocol (GRASP). Such an API is needed for Autonomic Service Agents (ASA) calling the GRASP protocol module to exchange autonomic network messages with other ASAs. Since GRASP is designed to support asynchronous operations, the API will need to be adapted to the support for asynchronicity in various programming languages and operating systems.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 May 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
As defined in [I-D.ietf-anima-reference-model], the Autonomic Service Agent (ASA) is the atomic entity of an autonomic function, and it is instantiated on autonomic nodes. These nodes are members of a secure Autonomic Control Plane (ACP) such as defined by [I-D.ietf-anima-autonomic-control-plane].¶
When ASAs communicate with each other, they should use the Generic Autonomic Signaling Protocol (GRASP) [I-D.ietf-anima-grasp]. GRASP relies on the message confidentiality and integrity provided by the ACP, with the consequence that all nodes in a given autonomic network share the same trust boundary, i.e., the boundary of the ACP. Nodes that have not successfully joined the ACP cannot send, receive or intercept GRASP messages via the ACP, and cannot usurp ACP addresses. An ASA runs in an ACP node and therefore inherits all its security properties, i.e., message integrity, message confidentiality and the fact that unauthorized nodes cannot join the ACP. All ASAs within a given autonomic network therefore trust each other's messages. For these reasons, the API defined in this document has no explicit security features.¶
An important feature of GRASP is the concept of a GRASP Objective. This is a data structure whose main contents are a name and a value, explained at more length in the 'Terminology' section of [I-D.ietf-anima-grasp]. When an Objective is passed from one ASA to another using GRASP, its value is either conveyed in one direction (by a process of synchronization or flooding), or negotiated bilaterally. The semantics of the value are opaque to GRASP and therefore to the API. Each objective must be accurately specified, as discussed in the 'Objective Options' section of [I-D.ietf-anima-grasp]. Data storage and consistency during negotiation are the responsibility of the ASAs involved. Additionally, GRASP needs to cache the latest values of Objectives that are received by flooding.¶
As Figure 1 shows, a GRASP implementation could contain several sub-layers. The bottom layer is the GRASP base protocol module, which is only responsible for sending and receiving GRASP messages and maintaining shared data structures. Above that is the basic API described in this document. The upper layer contains some extended API functions based upon GRASP basic protocol. For example, [I-D.ietf-anima-grasp-distribution] describes a possible extended function.¶
Multiple ASAs in a single node will share the same instance of GRASP, much as multiple applications share a single TCP/IP stack. This aspect is hidden from individual ASAs by the API, and is not further discussed here.¶
It is desirable that ASAs can be designed as portable user-space programs using a system-independent API. In many implementations, the GRASP code will therefore be split between user space and kernel space. In user space, library functions provide the API and communicate directly with ASAs. In kernel space is a daemon, or a set of sub-services, providing GRASP core functions that are independent of specific ASAs, such as multicast handling and relaying, and common data structures such as the discovery cache. The GRASP API library would need to communicate with the GRASP core via an inter-process communication (IPC) mechanism. The details of this are system-dependent.¶
Both the GRASP library and the extended function modules should be available to the ASAs. However, since the extended functions are expected to be added in an incremental manner, they will be the subject of future documents. This document only describes the basic GRASP API.¶
The functions provided by the API do not map one-to-one onto GRASP messages. Rather, they are intended to offer convenient support for message sequences (such as a discovery request followed by responses from several peers, or a negotiation request followed by various possible responses). This choice was made to assist ASA programmers in writing code based on their application requirements rather than needing to understand protocol details.¶
Note that a simple autonomic node might contain very few ASAs in addition to the autonomic infrastructure components described in [I-D.ietf-anima-bootstrapping-keyinfra] and [I-D.ietf-anima-autonomic-control-plane]. Such a node might directly integrate a GRASP protocol stack in its code and therefore not require this API to be installed. However, the programmer would then need a deeper understanding of the GRASP protocol than is needed to use the API.¶
This document gives a conceptual outline of the API. It is not a formal specification for any particular programming language or operating system, and it is expected that details will be clarified in individual implementations.¶
The assumption of this document is that any Autonomic Service Agent (ASA) needs to call a GRASP module. The latter handles protocol details (security, sending and listening for GRASP messages, waiting, caching discovery results, negotiation looping, sending and receiving sychronization data, etc.) but understands nothing about individual GRASP objectives (Section 2.10 of [I-D.ietf-anima-grasp]). The semantics of objectives are unknown to the GRASP module and are handled only by the ASAs. Thus, this is an abstract API for use by ASAs. Individual language bindings should be defined in separate documents.¶
Different ASAs may make different use of GRASP features:¶
The API also assumes that one ASA may support multiple objectives. Nothing prevents an ASA from supporting some objectives for synchronization and others for negotiation.¶
The API design assumes that the operating system and programming language provide a mechanism for simultaneous asynchronous operations. This is discussed in detail in Section 2.2.¶
A few items are out of scope in this version, since practical experience is required before including them:¶
GRASP depends on asynchronous operations and wait states, and some of its messages are not idempotent, meaning that repeating a message may cause repeated changes of state in the recipient ASA. Many ASAs will need to support several concurrent operations; for example an ASA might need to negotiate one objective with a peer while discovering and synchronizing a different objective with a different peer. Alternatively, an ASA which acts as a resource manager might need to run simultaneous negotiations for a given objective with multiple different peers. Such an ASA will probably need to support uninterruptible atomic changes to its internal data structures, using a mechanism provided by the operating system and programming language in use.¶
Thus, some ASAs need to support asynchronous operations, and therefore the GRASP core must do so. Depending on both the operating system and the programming language in use, there are various techniques for such parallel operations, three of which we consider here: multi-threading, an event loop structure using polling, and an event loop structure using callback functions.¶
The following calls involve waiting for a remote operation, so they could use a polling or callback mechanism. In a threaded mechanism, they will usually require to be called in a separate thread:¶
The design of GRASP allows the following scenario. Consider an ASA "A" that acts as a resource allocator for some objective. An ASA "B" launches a negotiation with "A" to obtain or release a quantity of the resource. While this negotatition is under way, "B" chooses to launch a second simultaneous negotiation with "A" for a different quantity of the same resource. "A" must therefore conduct two separate negotiation sessions at the same time with the same peer, and must not mix them up.¶
Note that ASAs could be designed to avoid such a scenario, i.e. restricted to exactly one negotiation session at a time for a given objective, but this would be a voluntary restriction not required by the GRASP protocol. In fact it is an assumption of GRASP that any ASA managing a resource may need to conduct multiple parallel negotiations, possibly with the same peer. Communication patterns could be very complex, with a group of ASAs overlapping negotiations among themselves, as described in [I-D.ciavaglia-anima-coordination]. Therefore, the API design allows for such scenarios.¶
In the callback model, for the scenario just described, the ASAs "A" and "B" will each provide two instances of negotiate_step_received(), one for each session. For this reason, each ASA must be able to distinguish the two sessions, and the peer's IP address is not sufficient for this. It is also not safe to rely on transport port numbers for this, since future variants of GRASP might use shared ports rather than a separate port per session. Hence the GRASP design includes a session identifier. Thus, when necessary, a 'session_nonce' parameter is used in the API to distinguish simultaneous GRASP sessions from each other, so that any number of sessions may proceed asynchronously in parallel.¶
A GRASP session consists of a finite sequence of messages (for discovery, synchronization, or negotiation) between ASAs. It is identified by a pseudo-random session identifier tagged with an IP address of the initiator of the session to guarantee uniqueness. Further details are given in [I-D.ietf-anima-grasp].¶
On the first call in a new GRASP session, the API returns a 'session_nonce' value based on the GRASP session identifier. This value must be used in all subsequent calls for the same session, and will be provided as a parameter in the callback functions. By this mechanism, multiple overlapping sessions can be distinguished, both in the ASA and in the GRASP core. The value of the 'session_nonce" is opaque to the ASA.¶
An additional mechanism that might increase efficiency for polling implementations is to add a general call, say notify(), which would check the status of all outstanding operations for the calling ASA and return the session_nonce values for all sessions that have changed state. This would eliminate the need for repeated calls to the individual functions returning a 'noReply'. This call is not described below as the details are likely to be implementation-specific.¶
An implication of the above for all GRASP implementations is that the GRASP core must keep state for each GRASP operation in progress, most likely keyed by the GRASP Session ID and the GRASP source address of the session initiator. Even in a threaded implementation, the GRASP core will need such state internally. The session_nonce parameter exposes this aspect of the implementation.¶
The functions provided by the API fall into several groups:¶
Some example logic flows for a resource management ASA are given in [I-D.ietf-anima-asa-guidelines], which may be of help in understanding the following descriptions. The next section describes parameters and data structures used in multiple API calls. The following sections describe various groups of function APIs. Those APIs that do not list asynchronous mechanisms are implicitly synchronous in their behaviour.¶
All functions in the API have an unsigned 'errorcode' integer as their return value (the first returned value in languages that allow multiple returned parameters). An errorcode of zero indicates success. Any other value indicates failure of some kind. The first three errorcodes have special importance:¶
Appendix A gives a full list of currently suggested error codes, based on implementation experience. While there is no absolute requirement for all implementations to use the same error codes, this is highly recommended for portability of applications.¶
Wherever a 'timeout' parameter appears, it is an integer expressed in milliseconds. If it is zero, the GRASP default timeout (GRASP_DEF_TIMEOUT, see [I-D.ietf-anima-grasp]) will apply. If no response is received before the timeout expires, the call will fail unless otherwise noted.¶
An 'objective' parameter is a data structure with the following components:¶
dry (Boolean flag) - True if objective supports dry-run negotiation (default False)¶
value - a specific data structure expressing the value of the objective. The format is language dependent, with the constraint that it can be validly represented in CBOR.¶
An essential requirement for all language mappings and all implementations is that, regardless of what other options exist for a language-specific representation of the value, there is always an option to use a raw CBOR data item as the value. The API will then wrap this with CBOR Tag 24 as an encoded CBOR data item [RFC7049] for transmission via GRASP, and unwrap it after reception.¶
The 'name' and 'value' fields are of variable length. GRASP does not set a maximum length for these fields, but only for the total length of a GRASP message. Implementations might impose length limits.¶
An example data structure definition for an objective in the C language, assuming the use of a particular CBOR library, is:¶
typedef struct { char *name; uint8_t flags; // flag bits as defined by GRASP int loop_count; int value_size; // size of value in bytes cbor_mutable_data cbor_value; // CBOR bytestring (libcbor/cbor/data.h) } objective;¶
An example data structure definition for an objective in the Python language is:¶
class objective: """A GRASP objective""" def __init__(self, name): self.name = name # Unique name (string) self.negotiate = False #True if objective supports negotiation self.dryrun = False #True if objective supports dry-run neg. self.synch = False # True if objective supports synch self.loop_count = GRASP_DEF_LOOPCT # Default starting value self.value = 0 # Place holder; any valid Python object¶
An 'ASA_locator' parameter is a data structure with the following contents:¶
The following cover all locator types currently supported by GRASP:¶
The 'locator' field is of variable length in the case of an FQDN or a URI. GRASP does not set a maximum length for this field, but only for the total length of a GRASP message. Implementations might impose length limits.¶
It should be noted that when one ASA discovers the ASA_locator of another, there is no explicit authentication mechanism. In accordance with the trust model provided by the secure ACP, ASAs are presumed to provide correct locators in response to discovery.¶
A 'tagged_objective' parameter is a data structure with the following contents:¶
Although an authentication and authorization scheme for ASAs has not been defined, the API provides a very simple hook for such a scheme. When an ASA starts up, it registers itself with the GRASP core, which provides it with an opaque nonce that, although not cryptographically protected, would be difficult for a third party to predict. The ASA must present this nonce in future calls. This mechanism will prevent some elementary errors or trivial attacks such as an ASA manipulating an objective it has not registered to use.¶
Thus, in most calls, an 'asa_nonce' parameter is required. It is generated when an ASA first registers with GRASP, and the ASA must then store the asa_nonce and use it in every subsequent GRASP call. Any call in which an invalid nonce is presented will fail. It is an up to 32-bit opaque value (for example represented as a uint32_t, depending on the language). Since it is only used locally, not in GRASP messages, it is only required to be unique within the local GRASP instance. It is valid until the ASA terminates. It should be unpredictable; a possible implementation is to use the same mechanism that GRASP uses to generate Session Identifiers (see Section 2.3.2.7). Another possible implementation is to hash the name of the ASA with a locally defined secret key.¶
In some calls, a 'session_nonce' parameter is required. This is an opaque data structure as far as the ASA is concerned, used to identify calls to the API as belonging to a specific GRASP session (see Section 2.2). The section 'Session Identifier' of [I-D.ietf-anima-grasp] explains how uniqueness of Session Identifiers is provided across the autonomic network. In fully threaded implementations this parameter might not be needed, but it is included to act as a session handle if necessary. It will also allow GRASP to detect and ignore malicious calls or calls from timed-out sessions. A likely implementation is to form the nonce from the underlying GRASP Session ID and the source address of the session.¶
These functions are used to register an ASA, and the objectives that it modifies, with the GRASP module. In the absence of an authorization model, these functions are very simple but they will avoid multiple ASAs choosing the same name, and will prevent multiple ASAs manipulating the same objective. If an authorization model is added to GRASP, these API calls would need to be modified accordingly.¶
register_asa()¶
All ASAs must use this call.¶
Input parameter:¶
Return parameters:¶
deregister_asa()¶
Input parameters:¶
Return parameter:¶
register_objective()¶
ASAs must use this call for any objective whose value they need to transmit by negotiation, synchronization or flooding.¶
Input parameters:¶
Return parameter:¶
deregister_objective()¶
discover()¶
This function may be used by any ASA to discover peers handling a given objective.¶
Input parameters:¶
Return parameters:¶
Asynchronous Mechanisms:¶
Since the negotiation mechanism is different from a typical client/server exchange, Figure 2 illustrates the sequence of calls and GRASP messages in a negotiation. Note that after the first protocol exchange, the process is symmetrical and either side can end the negotiation. Similarly, either side can insert a delay at any time, to extend the other side's timeout.¶
request_negotiate()¶
This function is used by any ASA to initiate negotiation of a GRASP Objective as a requester (client).¶
Input parameters:¶
Return parameters:¶
If the 'errorcode' return parameter is 0, the negotiation has successfully started. There are then two cases:¶
The 'session_nonce' parameter is not null. In this case negotiation must continue. The 'session_nonce' must be presented in all subsequent negotiation steps. The returned 'proffered_objective' contains the first value proffered by the negotiation peer. The contents of this instance of the objective must be used to prepare the next negotiation step (see negotiate_step() below) because it contains the updated loop count, sent by the negotiation peer. The GRASP code automatically decrements the loop count by 1 at each step, and returns an error if it becomes zero.¶
This function must be followed by calls to 'negotiate_step' and/or 'negotiate_wait' and/or 'end_negotiate' until the negotiation ends. 'request_negotiate' may then be called again to start a new negotiation.¶
Asynchronous Mechanisms:¶
listen_negotiate()¶
This function is used by an ASA to start acting as a negotiation responder (listener) for a given GRASP objective.¶
Input parameters:¶
Return parameters:¶
Asynchronous Mechanisms:¶
stop_listen_negotiate()¶
This function is used by an ASA to stop acting as a responder (listener) for a given GRASP objective.¶
negotiate_step()¶
This function is used by either ASA in a negotiation session to make the next step in negotiation.¶
Input parameters:¶
Return parameters:¶
Asynchronous Mechanisms:¶
negotiate_wait()¶
This function is used by either ASA in a negotiation session to delay the next step in negotiation.¶
Input parameters:¶
Return parameters:¶
Asynchronous Mechanisms:¶
end_negotiate()¶
This function is used by either ASA in a negotiation session to end a negotiation.¶
synchronize()¶
This function is used by any ASA to cause synchronization of a GRASP Objective as a requester (client).¶
Input parameters:¶
Return parameters:¶
Asynchronous Mechanisms:¶
listen_synchronize()¶
This function is used by an ASA to start acting as a synchronization responder (listener) for a given GRASP objective.¶
Input parameters:¶
Return parameters:¶
stop_listen_synchronize()¶
This function is used by an ASA to stop acting as a synchronization responder (listener) for a given GRASP objective.¶
flood()¶
This function is used by an ASA to flood one or more GRASP objectives throughout the autonomic network.¶
Note that each GRASP node caches all flooded objectives that it receive, until each one's time-to-live expires. Cached objectives are tagged with their origin as well as an expiry time, so multiple copies of the same objective may be cached simultaneously. Further details are given in the section 'Flood Synchronization Message' of [I-D.ietf-anima-grasp]¶
Input parameters:¶
Return parameters:¶
get_flood()¶
This function is used by any ASA to obtain the current value of a flooded GRASP objective.¶
Input parameters:¶
Return parameters:¶
expire_flood()¶
This function may be used by an ASA to expire specific entries in the local GRASP flood cache.¶
send_invalid()¶
This function may be used by any ASA to stop an ongoing GRASP session.¶
Input parameters:¶
Return parameters:¶
Sends a GRASP Invalid Message (M_INVALID) message, as described in [I-D.ietf-anima-grasp]. Should not be used if end_negotiate() would be sufficient. Note that this message may be used in response to any unicast GRASP message that the receiver cannot interpret correctly. In most cases this message will be generated internally by a GRASP implementation.¶
'info' = optional diagnostic data. May be raw bytes from the invalid message.¶
A prototype open source Python implementation of GRASP, including an API similar to this document, has been used to verify the concepts for the threaded model. It may be found at https://github.com/becarpenter/graspy with associated documentation and demonstration ASAs.¶
Security considerations for the GRASP protocol are discussed in [I-D.ietf-anima-grasp]. These include denial of service issues, even though these are considered a low risk in the ACP. In various places GRASP recommends an exponential backoff. An ASA using the API should use exponential backoff after failed discover(), req_negotiate() or synchronize() operations. The timescale for such backoffs depends on the semantics of the GRASP objective concerned. Additionally, a flood() operation should not be repeated at shorter intervals than is useful. The appropriate interval depends on the semantics of the GRASP objective concerned. These precautions are intended to assist the detection of malicious denial of service attacks.¶
As a general precaution, all ASAs able to handle multiple negotiation or synchronization requests in parallel may protect themselves against a denial of service attack by limiting the number of requests they can handle simultaneously and silently discarding excess requests.¶
As noted earlier, the trust model is that all ASAs in a given autonomic network communicate via a secure autonomic control plane and therefore trust each other's messages. Specific authorization of ASAs to use particular GRASP objectives is a subject for future study, also briefly discussed in [I-D.ietf-anima-grasp].¶
The 'asa_nonce' parameter is used in the API as a first line of defence against a malware process attempting to imitate a legitimately registered ASA. The 'session_nonce' parameter is used in the API as a first line of defence against a malware process attempting to hijack a GRASP session.¶
This document makes no request of the IANA.¶
Excellent suggestions were made by Ignas Bagdonas, Laurent Ciavaglia, Toerless Eckert, Paul Kyzivat, Guangpeng Li, Michael Richardson, Joseph Salowey, Rob Wilton, and other participants in the ANIMA WG.¶
This Appendix lists the error codes defined so far on the basis of implementation experience, with suggested symbolic names and corresponding descriptive strings in English. It is expected that complete API implementations will provide for localisation of these descriptive strings, and that additional error codes will be needed according to implementation details.¶
The error codes that may only be returned by one or two functions are annotated accordingly, and the others are more general. The 'noSecurity' error will be returned to most calls if GRASP is running in an insecure mode (no ACP), except for the specific DULL usage mode described in the section 'Discovery Unsolicited Link-Local' of [I-D.ietf-anima-grasp].¶
ok 0 "OK" declined 1 "Declined" (req_negotiate, negotiate_step) noReply 2 "No reply" unspec 3 "Unspecified error" ASAfull 4 "ASA registry full" (register_asa) dupASA 5 "Duplicate ASA name" (register_asa) noASA 6 "ASA not registered" notYourASA 7 "ASA registered but not by you" (deregister_asa) notBoth 8 "Objective cannot support both negotiation and synchronization" (register_obj) notDry 9 "Dry-run allowed only with negotiation" (register_obj) notOverlap 10 "Overlap not supported by this implementation" (register_obj) objFull 11 "Objective registry full" (register_obj) objReg 12 "Objective already registered" (register_obj) notYourObj 13 "Objective not registered by this ASA" notObj 14 "Objective not found" notNeg 15 "Objective not negotiable" (req_negotiate, listen_negotiate) noSecurity 16 "No security" noDiscReply 17 "No reply to discovery" (req_negotiate) sockErrNegRq 18 "Socket error sending negotiation request" (req_negotiate) noSession 19 "No session" noSocket 20 "No socket" loopExhausted 21 "Loop count exhausted" (negotiate_step) sockErrNegStep 22 "Socket error sending negotiation step" (negotiate_step) noPeer 23 "No negotiation peer" (req_negotiate, negotiate_step) CBORfail 24 "CBOR decode failure" invalidNeg 25 "Invalid Negotiate message" (req_negotiate, negotiate_step) invalidEnd 26 "Invalid end message" (req_negotiate, negotiate_step) noNegReply 27 "No reply to negotiation step" (req_negotiate, negotiate_step) noValidStep 28 "No valid reply to negotiation step" (req_negotiate, negotiate_step) sockErrWait 29 "Socket error sending wait message" (negotiate_wait) sockErrEnd 30 "Socket error sending end message" (end_negotiate, send_invalid) IDclash 31 "Incoming request Session ID clash" (listen_negotiate) notSynch 32 "Not a synchronization objective" (synchronize, get_flood) notFloodDisc 33 "Not flooded and no reply to discovery" (synchronize) sockErrSynRq 34 "Socket error sending synch request" (synchronize) noListener 35 "No synch listener" (synchronize) noSynchReply 36 "No reply to synchronization request" (synchronize) noValidSynch 37 "No valid reply to synchronization request" (synchronize) invalidLoc 38 "Invalid locator" (flood)¶
draft-ietf-anima-grasp-api-08, 2020-11:¶
draft-ietf-anima-grasp-api-07, 2020-10-13:¶
draft-ietf-anima-grasp-api-06, 2020-06-07:¶
draft-ietf-anima-grasp-api-05, 2020-05-08:¶
draft-ietf-anima-grasp-api-04, 2019-10-07:¶
draft-ietf-anima-grasp-api-03, 2019-01-21:¶
draft-ietf-anima-grasp-api-02, 2018-06-30:¶
draft-ietf-anima-grasp-api-01, 2018-03-03:¶
draft-ietf-anima-grasp-api-00, 2017-12-23:¶
draft-liu-anima-grasp-api-06, 2017-11-24:¶
draft-liu-anima-grasp-api-05, 2017-10-02:¶
draft-liu-anima-grasp-api-04, 2017-06-30:¶
draft-liu-anima-grasp-api-03, 2017-02-13:¶
draft-liu-anima-grasp-api-02, 2016-12-17:¶
draft-liu-anima-grasp-api-02, 2016-09-30:¶
draft-liu-anima-grasp-api-01, 2016-06-24:¶
draft-liu-anima-grasp-api-00, 2016-04-04:¶