[Anima] [draft-ietf-anima-prefix-management-03] review

Toerless Eckert <tte@cs.fau.de> Wed, 07 June 2017 00:11 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A19128961; Tue, 6 Jun 2017 17:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etvigPKi5uEN; Tue, 6 Jun 2017 17:11:09 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9A33126DED; Tue, 6 Jun 2017 17:11:08 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id DF1F258C4F5; Wed, 7 Jun 2017 02:11:04 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id CC082B0C1FE; Wed, 7 Jun 2017 02:11:04 +0200 (CEST)
Date: Wed, 7 Jun 2017 02:11:04 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: anima@ietf.org, draft-ietf-anima-prefix-management@ietf.org
Message-ID: <20170607001104.GD23319@faui40p.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/JiNIvMNSon43Kv_qVO1t4KkuNBE>
Subject: [Anima] [draft-ietf-anima-prefix-management-03] review
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 00:11:11 -0000

[darn, second mail header typo on my side. sorry.]

Dear authors

Some feedback for the PD draft:

1. Relationship to DHCPv6 PD:

The note in 4.3 makes it sound as if there is a concern by the authors that this proposal
could potentially be seen as being in conflict with DHCPv6.

I am not sure about a practical case where this case would ever be a concern. If the authors
can think of such a case, then it would be good to add sentences explaining that case. Otherwise
maybe revisit this concern. IMHO ANIMA-PD could nicely integrate/expand DHCP-PD:

RFC3633 (DHCPv6 PD) abstract says: "..delegating a long- lived prefix from a delegating
router to a requesting router, across an administrative boundary.."
                                         ^^^^^^^^^^^^^^^^^^^^^^^
To validate the ANI, IMHO we just need to show how to use GRASP within a domain, eg: not across
an administrative boundary. == no overlap with the declared intended use of DHCPv6 PD. Instead
i could rather see ANI/GRASP used inside the domain and then DHCP/DHCPv6-PD be used on the edge
of the domain to client (non-ANI devices).

2. Prefix Management Parameters

I do not understand from the text what prefix length is described in 6.1. Maybe i am misunderstanding
how the proposed PD mechanism should work, but in my understanding, a device has at least
TWO type of prefixes:

       GRASP/(+DHCP-PD)   +---------+
         requested        | router  |  ------    Interfaces with assigned prefixes
      <-----------------> |  with   |  ...       "Assigned prefix-length 'APL'"
         prefix-length    | PM-ASA  |  ------    or
           'RPL'          +---------+            GRASP/DHCP-PD requests via downstream PM-ASA

If RPL == APL, then there is no prefix aggregation. This may be acceptable (==scale well enough)
at GRASP/DHCP-PD signaling level. If thats what the authors have in mind then that should
be written explicitly.

Note that if RPL == APL, then this will result in more prefixes at the routing level because
all APLs can be from different prefixes and may not be aggregateable. IMHO, achieving aggregation
and managing that via PM-ASA would be a big benefit of PM-ASA.

Aka: If the document intends to support RPL < APL, then that should be better described. For
example, section 6.1 could for each role have simply those two parameters (requested_prefix_length,
assigned_prefix_length):

[
      [["role", "RSG"],["requested_prefix_length", 34], ["assigned_prefix_length", 56] ],
      [["role", "ASG"],["requested_prefix_length", 44], ["assigned_prefix_length", 64] ],
      [["role", "CSG"],["requested_prefix_length", 56], ["assigned_prefix_length", 64] ]
]

Thre assigned_prefix_length is of course most important if the downstream is an interface
where the router with PM-ASA needs to configure the prefix and the addresses are assigned
by SLAAC or DHCP from the router itself. If the downstream is not a local interface but
requests from PM-ASA, then the prefix can be determined by the  downstream PM-ASA. 

3. Mobile network roles

section 6.1: Please expand (in parenthesis) the abbreviations you use on first use, eg:
IPRAN, RNC in section 6.1. Please check any other unexplained TLAs in the document.

A good picture with RSG, ASG, CSG would be great and help. Especially if you want to take
the prior suggestion into account of what prefix length would be required in which role device.

4. If you read the point 5 below, i think there are a lot of options how PDs with ASAs can be done.
All of these options would require further details such as more GRASP objective parameters,
more description of the ASA state machinery, the individual GRASP negotiation steps etc.
I do not think we want to go through all that detail work because that is IMHO easier done by
first building prototypes, and instead having the document rather be a "framework" or
"architecture document instead of an ASA functional specification. To that end, it would IMHO be
 prudent to say so, for example before the last two paragraphs of the introduction:

proposed text, as 3rd last paragraph of introduction:

  This document is not a functional specification of the proposed autonomic function
  "prefix management" or all detail all the aspects of GRASP objective parameters and ASA procedures
  necessary to achieve all the different options of building a complete system. Instead it
  describes the architectural framework utilizing the components of the ANI and outlines the
  different deployment options and aspects and defines simple type of objectives in GRASP to 
  start building the system as well as some basic parameter examples.

5. Abstract deployment pictures / solution overview:

I think it would help in understanding the document if it would include a logical deployment
model pictures with explanations of the target deployment models. Ideally comparing to how this
is done with DHCP.

For example: In the introduction, there are some high level, very suggestive statements about limitations
of DHCP (non-autonomicity). Its really hard to detail why/how the PD solution improves over
this without a more explicit comparison of some DHCP deployment model example and a PD
deployment model example.

So, i have appended two proposed texts: 5.1 for what i understand to be the two most common
DHCP deployment models, and 5.2 for what i understand to be the proposed PD deployment model.

I would strongly suggest to consider using 5.2 in the document - or something equivalent.
Otherwise its IMHO hard to follow / understand how PD is meant to work.

Brian Carpenter already proved the feedback that a section like 5.1 might be contentuous and
also incomplete because centralized address management has a wide range of options not only
limited to DHCP but also involving Radius and other protocols - and there is even a whole working group
in the making (CASM - coordinated address space management).

So maybe my proposed 5.1 would better go into an appended with sufficient preface stating
exactly that these are just examples, and that there are many more deployment models, and
that there are no current IETF recommendations or documents laying out such complete deployment
pictures. (which IMHO is exactly one of the may problems). If folks feel that any more
explicit description of even exemplary DHCP deployment models is inappropriate because
it would get too contentuous, then its almost impossible to make statements about
the limitations about DHCP in the introduction. But without trying to give an example
and getting backpressure from reviewers, its IMHO a dead end:wq


5.1. Address & Prefix management with DHCP

                                                              edge
                    dynamic, "netconf/YANG"                 interfaces
                     <----------------->   +-------------+
   +-------------+      <- telemetry       | edge router/|+   ------  +--------+
   |config server|    ..... Domain ....    | DHCP server ||   ...     | CPE    |-+   LANs
   +-------------+                         +-------------+|   ------  +--------+ | (----| )
                                            +-------------+   DHCP/    +---------+
                                                            DHCPv6 / PD

Edge DHCP server deployment requires every edge router connecting to CPE to be a DHCP server
assigning IPv4/IPv6 addresses to CPE - and optionally IPv6 prefixes via DHCPv6-PD (RF3633)
for IPv6 capable CPE that are router and have LANs behind them.

This requires various coordination functions via some backend system depicted
as "config server": The address prefixes on the edge interfaces should be slightly larger
than required for the number of CPE connected so that the overall address space is best used.
The config server needs to provision edge interface address prefixes and DHCP parameters
for every edge router.  If too fine grained prefixes are used, this will result in large routing
tables across the "Domain". If too coase grained prefixes are used, address space is wasted.

There is no standard describing algorithms for how config servers would best perform this
ongoing dynamic provisioning to optimize routing table size and address space utilization.
There are currently no complete YANG models that a config server could use to perform
these actions (including telemetry of assigned adddresses from such distributed DHCP servers).
For example, a YANG model for controlling DHCP server operations is still in draft
(draft-liu-dhc-dhcp-yang-model-06).

Due to these and other problems of the above model, the more common DHCP deployment model is as
follows:

                                                              edge
   +-------------+     initial, "CLI"                       interfaces
   |config server|   ----------------->    +-------------+
   +-------------+                         | edge router/|-+   ------  +--------+
         |            ..... Domain ....    | DHCP relay  | |   ...     | CPE    |-+    LANs
   +-------------+                         +-------------+ |   ------  +--------+ | (----|  )
   |DHCP server  |                          +--------------+   DHCP/    +---------+
   +-------------+                                            DHCPv6 / PD


Dynamic provisioning changes to edge routers are avoided by using a central DHCP server
and reducing the edge router from DHCP server to DHCP relay. The "configuration" on the
edge routers is static, the DHCP relay function inserts "edge interface" and/or subscriber
identifying options into DHCP requests from CPE (eg: rfc3046, rfc6221), the DHCP server
has complete policies for address assignments and prefixes useable on every 
edge-router/interface/subscriber-group. When the DHCP relay sees the DHCP reply, it inserts
static routes for the assigned address/address-prefix into the routing table of the edge router
which are then to be distributed by the IGP (or BGP) inside the domain to make the CPE
and LANs reachable across the Domain (the same.

There is no comprehensive standardization of these solutions. RFC3633 section 14. for example
simply refers to "a [non-defined] protocol or other out-of-band communication to add routing
information for delegated prefixes into the provider edge router".

5.2 Prefix management with ANI/GRASP

With the proposed use of ANI and Prefix-management ASAs using GRASP, the deployment model 
is intended to look as follows: 

  |<................... ANI Domain / ACP...................>| (...) ............->

                                              Roles
                                                |
                                                v   "Edge routers"
     GRASP parameter                      +----------------+
     Network wide parameters/policy       | PM-ASA         |  downstream interfaces
         |                                |(DHCP-functions)|  ------
         v  "central device"              +----------------+
   +-------+                                    ^                      +--------+
   |PM-ASA |      <................... GRASP ....             ....     | CPE    |-+  ( LANs )
   +-------+              .                     v                      |(PM-ASA)| |    ----|  
        .               +........+        +----------------+           +--------+ | 
   +...........+        . PM-ASA .        |     PM-ASA     |  ------    +---------+
   .DHCP server.        +........+        |(DHCP-functions)|  SLAAC /
   +...........+     "intermediate router"+----------------+  DHCP / DHCP-pd


The network runs an ANI domain with ACP between some central device (eg: router or ANI
enabled management device) and the edge routers. ANI/ACP provides a secure, zero-touch
communication channel between the devices and enables the use of GRASP not only for p2p
communication, but also for distribution/flooding.

The central devices and edge-routers run software to support this documents autonomic
IPv6 edge prefix management (PM). In the autonomic networking terminology, such software are called
"Autonomic Service Agents" (ASA). The ASA for Prefix Management are called PM-ASA in this document
and form together the Autonomic Prefix Management Function.

Edge-routers can have different roles based on the type and number of CPE attaching to them.
Consider edge routers could be RSG, ASG CSG in mobile aggregation networks (see Section 6.1).
Mechanisms outside the scope of this document make routers aware of their role.

1. In a minimum Prefix Managmeent solution, the central device uses the "PrefixManager.Params"
GRASP Objective introduced in this document to disseminate network wide, per-role parameters
to edge routers. The PM-ASA use the parameters applying to its role to locallly "configuring"
pre-existing addressing functions. Because PM-ASA do not manage the dynamic assignment of actual
IPv6 address prefixes in this case, the following options can be considered:

1.a The edge router connects via downstream interfaces to (host) CPE that each require an address.
The PM-ASA sets up for each such interface a DHCP requesting router (according to RFC3633) to
request an IPv6 prefix for the interface. The routers address on the downstream interface can
be another parameter from the GRASP Objective. The CPEs assign addresses in the prefix via
RAs from the router or the PM-ASA manages a local DHCPv6 server to assign addresses to the
CPEs. A central DHCP server acting as the DHCP delegating router (according to RFC3633) is
required. Its address can be another parameter from the GRASP Objective.

1.b The edge router also connects via downstream interfaces to (customer managed) CPEs that are
routers and act as DHCPv6 requesting routers. The need to support this could be derived from
role and/or GRASP parameters and the PM-ASA sets up a DHCP relay function to pass on requests
to the central DHCP server as in 1.a.

2. In a solution without a central DHCP server, the PM-ASA on the edge routers do not only
learn parameters from "PrefixManager.Params" but also utilize GRASP to request/negotiate
actual IPv6 prefix delegation via the GRASP "PrefixManager" objective described in more detail below.
In the most simple case, these prefixes are delegated via this GRASP objective from the PM-ASA
in the central device.  These addresses are then used by the PM-ASA on the edge routers
to edge routers to configure prefixes on their downstream interfaces to assign addresses
via RA/SLAAC to host CPEs. The PM-ASA may also start local DHCP servers (as in 1.a) to assign
addresses via DHCP to CPE from the prefixes it received. This includes both host CPEs requesting
IPv6 addresses as well as router CPEs that request IPv6 prefixes. The PM-ASA needs to manage the
address pool(s) it has requested via GRASP and allocate sub-address pools to interfaces and the
local DHCP servers it starts. It need to monitor the address utilization and accordingly request
more address prefixes if its existing prefixes are exhausted, or return address prefixes when they
are unneeded.

This solution is quite similar to the initial described IPv6 DHCP deployment model without
central DHCP server, and ANI/ACP/GRASP and the PM-ASA do provides the automation to make this
approach work more easily than it is possible today.

3. The address pool(s) from which prefixes are allocated do not need to be taken all from
one central location. Edge router PM-ASA that received a big (short) prefix from a central
PM-ASA could offer smaller sub-prefixes to neighboring edge-router PM-ASA. GRASP could be used
in such a way that the PM-ASA would find and select the objective from the closest neighboring
PM-ASA, therefore allowing to maximize aggregation: A PM-ASA would only request further
(smaller/shorter) prefixes when it exhausts its own poll (from the central location) and can
not get further large prefixes from that central location anymore. Because
the overflow prefixes taken from a topological nearby PM-ASA, the number of longer prefixes
that have to be injected into the routing tables is limited and the topological proximity
increases the chances that aggregation of prefixes in the IGP can most likely limit
the geography in which the longer prefixes need to be routed. 

4. Instead of peer-to-peer optimization of prefix delegation, a hierarchy of PM-ASA can be built
(indicated in he picture via a dotted intermediate router). This would require additional parameters
to the "PrefixManager" objective to allow creating a hierarchy of PM-ASA across which the
prefixes can be delegated. This is not detailed further below.

5.  In cases where CPEs are also part of the ANI Domain (eg: "Managed CPE"), then GRASP will extend
into the actual customer sites and can equally run a PM-ASA. All the options described in points
1..4 above would then apply to the CPE as the edge router with the mayor changes being that
a) a CPE router will most likley not need to run DHCPv6 PD itself, but only DHCP address assignment,
b) The edge routers to which the CPE connect would most likely become ideal places to run a
hierarchical instance of PD-ASAs on as outlined in point 1.