Re: [Anima] Genart last call review of draft-ietf-anima-asa-guidelines-04
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 06 December 2021 21:22 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E99E93A0033; Mon, 6 Dec 2021 13:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIKZznl0ZPub; Mon, 6 Dec 2021 13:22:34 -0800 (PST)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6593A3A03F3; Mon, 6 Dec 2021 13:22:34 -0800 (PST)
Received: by mail-pg1-x52b.google.com with SMTP id m15so11656303pgu.11; Mon, 06 Dec 2021 13:22:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=ih803HwUpqT/qW7XgT+ZF2mBYV1WaSitnN495/NprPQ=; b=cjHfCyQgUuhPJwZCfQrzFkkU2hu8ZOB5m/DbUQT80tRuyw9FaJYrYvalThyeifMOOJ dUVg1EDI4gBxZ2JLTzbzFi5A4MR4DblxfyVcXJiSxjVvCHgmtdCnkCjO6pkhd/+Ks1sp B5FY22V6+uBRte0fe0kag0LOjv7CUwDzd80ipLKYnUygchdHfovhU+odQ9lGf8aMWXJe /3ZVYdp0RL94XTrgf/bR/uw/u4uGOIHJaz3FzYzjbDpBeVLNCnoGkr3GRH5XdEnF5KRe pW7lcGNYc9UpKdMH9yXZWcNnUzP35DfY++jkSSvFGlzbs8j3i1OuoCUyE7MsVVEQb1TT i6UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=ih803HwUpqT/qW7XgT+ZF2mBYV1WaSitnN495/NprPQ=; b=jGbWN458agYvHvP0ciVcp2vW0KWSSF7MWKccApBS7CA0/ftLWkd7cXqX6l3B+D/f9c PZhxLM/e1XFmSSrVE4cuGfNkmFg+P+PNpyOUP28wHwbEZGwy0urURucx64GrzgGqA42X gf3gDfVJ4meBa06rCipw6LjhsmDLl45mx1gMsTZuhCAYJi0dOOv2YRE/WjgLvr7R1cFi ETXBdCTPuVlBpnrA/QTb4Q7CKfVqonfWD8R66pF33vZ3nhT/mFb6EFB5bHlgAhXNNHJ/ RNmSHw0U/BYAUsp3SIU/f36ndIXYowUFTSU8vpTKuLi1gBv1cvZ1NyxoZecqi38AehPO 41xA==
X-Gm-Message-State: AOAM5338ZrKpqnGWisUNjC63XSDVCj1CtVZlFWuoSUaHC787WQgw9d9Y 5ZVVwqAAvIRwhY68kMMOEJ9Qx/Bg3t87AQ==
X-Google-Smtp-Source: ABdhPJwk7Z5p4+/nUqDqFvqOo3dCS8i3iREy8qxs1+V2LWiH6P685V2n9AbiHkjvKxLTNztCpo4cPw==
X-Received: by 2002:a63:2362:: with SMTP id u34mr20565652pgm.351.1638825752948; Mon, 06 Dec 2021 13:22:32 -0800 (PST)
Received: from ?IPv6:2406:e003:102d:e801:80b2:5c79:2266:e431? ([2406:e003:102d:e801:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id ot18sm284451pjb.14.2021.12.06.13.22.30 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Dec 2021 13:22:32 -0800 (PST)
To: Thomas Fossati <thomas.fossati@arm.com>, gen-art@ietf.org
Cc: anima@ietf.org, draft-ietf-anima-asa-guidelines.all@ietf.org, last-call@ietf.org
References: <163880271685.2714.12242758600140257355@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <ff532ba4-8af1-3af9-0d50-e18ac2dc6b48@gmail.com>
Date: Tue, 07 Dec 2021 09:54:16 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <163880271685.2714.12242758600140257355@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/zAX6h77FkxM9ogQ0eSocTe6C71I>
Subject: Re: [Anima] Genart last call review of draft-ietf-anima-asa-guidelines-04
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 21:22:44 -0000
Hi Thomas,
Thanks for the careful reading and review. I think we can deal
with all your comments without difficulty. Just two possible
discussion points in line below.
Regards
Brian
On 07-Dec-21 03:58, Thomas Fossati via Datatracker wrote:
> Reviewer: Thomas Fossati
> Review result: Ready with Issues
>
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-anima-asa-guidelines-??
> Reviewer: Thomas Fossati
> Review Date: 2021-12-06
> IETF LC End Date: 2021-12-13
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> The document contains guidance for building ASAs. It discusses
> different kinds of requirements and their impact on the software
> architecture. It looks like an useful doc to have.
>
> In general, the document reads very well, with the exception of Section
> 6 - see "Minor issues" below.
>
> Major issues:
>
> Minor issues:
>
> In Section 6.3, I have followed the reference to
> draft-peloso-anima-autonomic-function and I noticed that the content of
> Section 6 has been transplanted nearly as-is from there. So, to avoid
> redundancy, I wonder whether that content should be given the same
> treatment as you do in Section 7 WRT draft-ciavaglia-anima-coordination?
> Or maybe you want to re-think the approach and have Section 7 do similar
> copy&paste from draft-ciavaglia-anima-coordination? They are both
> individual and expired draft after all so it's probably better doing the
> latter.
>
> I also wonder whether it is worth to spell out explicitly the fact that,
> given ASAs may need to co-exist with the actual networking application,
> they should be build to require minimal memory footprint &, in general,
> use system resources with parsimony. A related question is whether ASAs
> require dedicated system resources in order to continue operating in a
> busy system?
Generally we expect that ASAs will run at a much lower frequency than
any "production" workload in the node, so CPU load should not be a big
issue, but memory footprint in a constrained node is certainly a
concern. We tend to assume that ASAs will be mainly installed in
non-constrained devices, or that if they are in a constrained device,
they'll have a subset of functionality. Officially, we punted on that
issue - RFC8993 says "At a later stage, the ANIMA Working Group may
define a scope for constrained nodes with a reduced ANI and well-
defined minimal functionality."
>
> Nits/editorial comments:
>
> Section 2.
>
> * Repeatedly flood an objective to the AN, so that any ASA can
>
> Expand "AN" on first use.
>
> These threads should all either exit after their job is done, or
> enter a wait state for new work, to avoid blocking others
> unnecessarily.
>
> "blocking others unnecessarily" is not what would typically happen,
> maybe "to avoid wasting system resources" ?
>
> [...] It
> should also do whatever is required to avoid unnecessary resource
> consumption, such as including an arbitrary wait time in each cycle
> of the main loop.
>
> I am not sure what "arbitrary wait time" refers to? Is it a "sleep(n)"
> at the end of each iteration of the main loop? I think it's the
> parsimony principle what you want to highlight here, and the first part
> of the sentence is sufficient for capturing that without going into
> concrete examples.
>
> Section 3.3
>
> This API is intended to support the various interactions expected
> between most ASAs, such as the interactions outlined in Section 2.
> However, if ASAs require additional communication between themselves,
> they can do so using any desired protocol, even just a TLS session if
> that meets their needs. One option is to use GRASP discovery and
>
> What is the meaning of "just" in "just a TLS session"? Also it's not
> clear what kind of messages would flow through this additional channel
> and if there are any requirements in terms of their security properties.
>
> [...] As
> noted above, the ACP can secure such communications, unless there is
> a good reason to do otherwise.
>
> Maybe s/can/should/ and drop "unless ... otherwise"?
>
> Section 6.1.1.
>
> The typography used here to define inputs is a bit odd. And in general
> the whole section probably needs some more attention from an editorial
> point of view.
>
> Section 6.2
>
> the agent piece of code (when this does not start automatically) and
>
> Maybe drop "piece of".
>
> Section 6.2.1
>
> The operator's goal can be summarized in an instruction to the ANIMA
> ecosystem matching the following format:
>
> [instances of ASAs of a given type] ready to control
> [Instantiation_target_Infrastructure] with
> [Instantiation_target_parameters]
>
> Maybe better to move this at the beginning of Section 6.2.2.
>
> Section 6.2.3
>
> As in Section 6.1.1., the typographic style used here is a bit odd /
> unconventional.
>
> Section 6.3
>
> Note: This section is to be further developed in future revisions of
> the document, especially the implications on the design of ASAs.
>
> Is this note still valid? (I hope not :-) )
>
> Section 10
>
> of robustness that ASA designers should consider
>
> Maybe stick a colon at the end of the line.
>
> 1. If despite all precautions, an ASA does encounter a fatal error,
> it should in any case restart automatically and try again. To
> mitigate a hard loop in case of persistent failure, a suitable
>
> Terminology: what do you mean by "hard loop"?
>
> 8. On the other hand, the definitions of GRASP objectives are very
> likely to be extended, using the flexibility of CBOR or JSON.
> Therefore, ASAs should be able to deal gracefully with unknown
> components within the values of objectives.
>
> Is this in line with Section 6 of draft-iab-protocol-maintenance?
> I.e., has GRASP clearly defined extensibility rules, or is this a call
> for the ASA implementation to apply the robustness principle?
>
> At a slightly more general level, ASAs are not services in
> themselves, but they automate services. This has a fundamental
> impact on how to design robust ASAs. In general, when an ASA
> observes a particular state [1] of operations of the services/
>
> "[1]" looks like a bib reference, please consider using an alternative
> typography, e.g., "(1)", or "A"
>
> Section 11
>
> ASAs are intended to run in an environment that is protected by the
> Autonomic Control Plane [RFC8994], admission to which depends on an
> initial secure bootstrap process such as [RFC8995].
>
> s/such as BRSKI [RFC8995]/
>
> In particular, they must use secure techniques and carefully
> validate any incoming information.
>
> "secure techniques" could be unpacked a bit, for example: "secure coding
> practices" (e.g., input validation, least privilege, etc.), "secure
> configuration practices" (e.g., default deny).
>
> Appendix C
>
> An implementation requirement is that resource pools are kept in
> stable storage. Otherwise, if a delegator exits for any reason, all
> the resources it has obtained or delegated are lost. If an origin
> exits, its entire spare pool is lost. The logic for using stable
> storage and for crash recovery is not included in the pseudocode
> below.
>
> Is there a further requirement for the storage to be shared across all
> ASAs? What I am wondering is whether a shared global map of the current
> resource allocations exists to help reconstructing a partitioned
> topology (in case one ASA disappears)? Or is the delegated resource
> recall, in case the ASA delegator fails, handled by GRASP?
I think the answer depends on the resource. For the one that we fully
defined (IP address prefixes, RFC8992) there certainly needs to be a
solid logging and recovery mechanism, as there is for traditional APAM
systems. Since GRASP operations are not intrinsically idempotent, that
must be done by the ASAs. I don't think it can be a single global map,
because it has to survive network partition and reconnection. The
global map could be constructed if necessary from the log in each ASA.
On the other hand, if the resource being shared is upstream network
capacity from a given router, which is shared among many downstream
routers, there is no need for a global map.
- [Anima] Genart last call review of draft-ietf-ani… Thomas Fossati via Datatracker
- Re: [Anima] Genart last call review of draft-ietf… Brian E Carpenter
- Re: [Anima] [Last-Call] Genart last call review o… Thomas Fossati
- Re: [Anima] [Gen-art] Genart last call review of … Lars Eggert