Network Working Group G. Trewitt Request for Comments: 1023 Stanford C. Partridge BBN/NNSC October 1987 HEMS Monitoring and Control Language This RFC specifies the design of a general-purpose, yet efficient, monitoring and control language for managing network entities. The data in the entity is modeled as a hierarchy and specific items are named by giving the path from the root of the tree. Most items are read-only, but some can be "set" in order to perform control operations. Both requests and responses are represented using the ISO ASN.1 data encoding rules. STATUS OF THIS MEMO The purpose of this RFC is provide a specification for monitoring and control of network entities in the Internet. This is an experimental specification and is intended for use in testing the ideas presented here. No proposals in this memo are intended as standards for the Internet at this time. After sufficient experimentation and discussion, this RFC will be redrafted, perhaps as a standard. Distribution of this memo is unlimited. This language is a component of the High-Level Entity Monitoring System (HEMS) described in RFC-1021 and RFC-1022. Readers may want to consult these RFCs when reading this memo. RFC-1024 contains detailed assignments of numbers and structures used in this system. This memo assumes a knowledge of the ISO data encoding standard, ASN.1. OVERVIEW AND SCOPE The basic model of monitoring and control used in this proposal is that a query is sent to a monitored entity and the entity sends back a response. The term query is used in the database sense -- it may request information, modify things, or both. We will use gateway- oriented examples, but it should be understood that this query- response mechanism can be applied to other entities besides just gateways. In particular, there is no notion of an interactive "conversation" as in SMTP [RFC-821] or FTP [RFC-959]. A query is a complete request that stands on its own and elicits a complete response.
It is not necessary for a monitored entity to be able to store the complete query. It is quite possible for an implementation to process the query on the fly, producing portions of the response while the query is still being received. Other RFCs associated with HEMS are: RFC-1021 -- Overview; RFC-1022 -- transport protocol and message encapsulation; RFC-1024 -- precise data definitions. These issues are not dealt with here. It is assumed that there is some mechanism to transport a sequence of octets to a query processor within the monitored entity and that there is some mechanism to return a sequence of octets to the entity making the query. ENCODING OF QUERIES AND RESPONSES Both queries and responses are encoded using the representation defined in ISO Standard ASN.1 (Abstract Syntax Notation 1). ASN.1 represents data as sequences of <tag,length,contents> triples that are encoded as a stream of octets. The data tuples may be recursively nested to represent structured data such as arrays or records. For a full description of this notation, see the ISO documents IS 8824 and IS 8825. See the end of this memo for information about ordering these documents. NOTATION USED IN THIS PROPOSAL The notation used in this memo is similar to that used in ASN.1, but less formal, smaller, and (hopefully) easier to read. The most important difference is that, in this memo, we are not concerned with the length of the data items. ASN.1 data items may be either a "simple type" such as integer or octet string or a "structured type", a collection of data items. The notation or a "structured type", a collection of data items. The notation: ID(value) represents a simple data item whose tag is "ID" with the given value. A structured data item is represented as: ID { ... contents ... } where contents is a sequence of data items. Remember that the contents may include both simple and structured types, so the structure is fully recursive. There are situations where it is desirable to specify a type but give no value, such as when there is no meaningful value for a particular measured parameter or when the entire contents of a structured type is being specified. In this situation, the same notation is used,
but with the value omitted: ID() or ID{} The representation of this is obvious -- the data item has zero for the length and no contents. DATA MODEL Data in a monitored entity is modeled as a hierarchy. Implementations are not required to organize the data internally as a hierarchy, but they must provide this view of the data through the query language. A hierarchy offers useful structure for the following operations: Organization A hierarchy allows related data to be grouped together in a natural way. Naming The name of a piece of data is just the path from the root to the data of interest. Mapping onto ASN.1 ASN.1 can easily represent a hierarchy by using "constructor" types as an envelope for an entire subtree. Efficient Representation Hierarchical structures are quite compact and can be traversed very quickly. Each node in the hierarchy must have names for its component parts. Although we would normally think of names as being ASCII strings such as "input errors", the actual name would just be an ASN.1 tag. Such names would be small integers (typically, less than 100) and so could easily be mapped by the monitored entity onto its internal representation. We will use the term "dictionary" to represent an internal node in the hierarchy. Here is a possible organization of the hierarchy in an entity that has several network interfaces and multiple processes. The exact organization of data in entities is specified in RFC-1024.
system { name -- host name clock-msec -- msec since boot interfaces -- # of interfaces } interfaces { -- one per interface interface { type, ip-addr, in-pkts, out-pkts, . . . } interface { type, ip-addr, in-pkts, out-pkts, . . . } interface { type, ip-addr, in-pkts, out-pkts, . . . } : } processes { process { name, stack, interrupts, . . . } process { name, stack, interrupts, . . . } : } route-table { route-entry { dest, interface, nexthop, cost, . . . } route-entry { dest, interface, nexthop, cost, . . . } : } arp-table { arp-entry { hard-addr, ip-addr, age } arp-entry { hard-addr, ip-addr, age } : } memory { } The "name" of the clock in this entity would be: system{ clock-msec } and the name of a route-entry's IP address would be: route-table{ route-entry{ ip-addr } }. Actually, this is the name of the IP addresses of ALL of the routing table entries. This ambiguity is a problem in any situation where there are several instances of an item being monitored. If there was a meaningful index for such tabular data (e.g., "routing table entry #1"), there would be no problem. Unfortunately, there usually isn't such an index. The solution to this problem requires that the data be accessed on the basis of some of its content. More on this later. More than one piece of data can be named by a single ASN.1 object. The entire collection of system information is named by: system{ } and the name of a routing table's IP address and cost would be: route-table{ route-entry{ ip-addr, cost } }.
Arrays There is one sub-type of a dictionary that is used as the basis for tables of objects with identical types. We call these dictionaries arrays. In the example above, the dictionaries for interfaces, processes, routing tables, and ARP tables are all arrays. In fact, we expect that most of the interesting data in an entity will be contained in arrays. The primary difference between arrays and plain dictionaries is that arrays may contain only one type of item, while dictionaries, in general, will contain many different types of items. Arrays are usually accessed associatively using special operators in the language. The fact that these objects are viewed externally as arrays does not mean that they are represented in an implementation as linear lists of objects. Any collection of same-typed objects is viewed as an array, even though it might be represented as, for example, a hash table. REPRESENTATION OF A REPLY The data returned to the monitoring entity is a sequence of ASN.1 data items. Each of these corresponds to one the top-level dictionaries maintained by the monitored entity. The tags for these data items will be in the "application-specific" class (e.g., if an entity has the above structure for its data, then the only top-level data items that will be returned will have tags corresponding to these groups). If a query returned data from two of these, the representation might look like: interfaces{ . . . } route-table{ . . . } which is just a stream of two ASN.1 objects (each of which may consist of many sub-objects). Data not in the root dictionary will have tags from the context- specific class. Therefore, data must always be fully qualified. For example, the name of the entity would always be returned encapsulated inside an ASN.1 object for "system". If it were not, there would be no way to tell if the object that was returned were "name" inside the "system" dictionary or "dest" inside the "interfaces" dictionary (assuming in this case that "name" and "dest" were assigned the same ASN.1 tag). Having fully-qualified data simplifies decoding of the data at the receiving end and allows the tags to be locally chosen (e.g., definitions for tags dealing with ARP tables can't conflict with definitions for tags dealing with interfaces). Therefore, the people
doing the name assignments are less constrained. In addition, most of the identifiers will be fairly small integers. It will often be the case that requested data may not be available, either because the request was badly formed (asked for data that couldn't exist) or because the particular data item wasn't defined in a particular situation (time since last error, when there hasn't been an error). In this situation, the returned data item will have the same tag as in the request, but will have zero-length data. Therefore, there can NEVER be an "undefined data" error. This allows completely generic queries to be composed without regard to whether the data is defined at all of the entities that will receive the request. All of the available data will be returned, without generating errors that might otherwise terminate the processing of the query. REPRESENTATION OF A REQUEST A request to a monitored entity is also a sequence of ASN.1 data items. Each item will fit into one of the following categories: Template These are objects with the same types as the objects returned by a request. The difference is that a template only specifies the shape of the data -- there are no values contained in it. Templates are used to select specific data to be returned. No ordering of returned data is implied by the ordering in a template. A template may be either simple or structured, depending upon what data it is naming. The representations of the simple data items in a template all have a length of zero. Tag A tag is a special case of a template that is a simple (non-structured) type (i.e., it names exactly one node in the dictionary tree). Opcodes These objects tell the query interpreter to do something. They are described in detail later in this report. Opcodes are represented as an application-specific type whose value determines the operation. These values are defined in RFC-1024. Data These are the same objects that are used to represent information returned from an entity. It is occasionally be necessary to send data as
part of a request. For example, when requesting
information about the interface with IP address
"10.0.0.51", the address would be sent in the
same format in the request as it would be seen
in a reply.
Data, Tags, and Templates are usually in either the context-specific
class, except for items in the root dictionary and a few special
cases, which are in the application-specific class.
QUERY LANGUAGE
Although queries are formed in a flexible way using what we term a
"language", this is not a programming language. There are operations
that operate on data, but most other features of programming
languages are not present. In particular:
- Programs are not stored in the query processor.
- The only form of temporary storage is a stack.
In the current version of the query language:
- There are no subroutines.
- There are no control structures defined in the language.
- There are no arithmetic or conditional operators.
These features could be added to the language if needed.
This language is designed with the goal of being expressive enough to
write useful queries with, but to guarantee simplicity, both of query
execution and language implementation.
The central element of the language is the stack. It may contain
templates, (and therefore tags), data, or dictionaries (and therefore
arrays) from the entity being monitored. Initially, it contains one
item, the root dictionary.
The overall operation consists of reading ASN.1 objects from the
input stream. All objects that aren't opcodes are pushed onto the
stack as soon as they are read. Each opcode is executed immediately
and may remove things from the stack and may generate ASN.1 objects
and send them to the output stream. Note that portions of the
response may be generated while the query is still being received.
The following opcodes are defined in the language. This is a
provisional list -- changes may need to be made to deal with
additional needs.
In the descriptions below, opcode names are in capital letters,
preceded by the arguments used from the stack and followed by results
left on the stack. For example:
OP a b OP t
means that the OP operator takes <a> and <b> off of the
stack and leaves <t> on the stack. Many of the operators
below leave the first operand (<a> in this example) on
the stack for future use.
Here are the operators defined in the query language:
GET dict template GET dict
Emit an ASN.1 object with the same "shape" as the given
template. Any items in the template that are not in
<dictionary> (or its components) are represented as
objects with a length of zero. This handles requests for
data that isn't available, either because it isn't
defined or because it doesn't apply in this situation.
or dict GET dict
If there is no template, get all of the items in the
dictionary. This is equivalent to providing a template
that lists all of the items in the dictionary.
BEGIN dict1 tag BEGIN dict1 dict
Pushes the value for dict{ tag } on the stack, which
should be another dictionary. At the same time, produce
the beginning octets of an ASN.1 object corresponding to
that dictionary. It is up to the implementation to
choose between using the "indefinite length"
representation or going back and filling the length in
later.
END dict END --
Pop the dictionary off of the stack and terminate the
currently open ASN.1 object. Must be paired with a
BEGIN.
Getting Items Based on Their Values
One problem that has not been dealt with was alluded to earlier:
When dealing with array data, how do you specify one or more entries
based upon some value in the array entries? Consider the situation
where there are several interfaces. The data might be organized as:
interfaces { interface { type, ip-addr, in-pkts, out-pkts, ...} interface { type, ip-addr, in-pkts, out-pkts, ...} : : } If you only want information about one interface (perhaps because there is an enormous amount of data about each), then you have to have some way to name it. One possibility is to just number the interfaces and refer to the desired interface as: interfaces(3) for the third one. But this is probably not sufficient since interface numbers may change over time, perhaps from one reboot to the next. This method is not sufficient at all for arrays with many elements, such as processes, routing tables, etc. Large, changing arrays are probably the more common case, in fact. Because of the lack of utility of indexing in this context, there is no general mechanism in the language for indexing. A better scheme is to select objects based upon some value contained in them, such as the IP address or process name. The GET-MATCH operator provides this functionality in a fairly general way. GET-MATCH array value template GET-MATCH array <array> should be a array (dictionary containing only one type of item). The first tag in <value> and <template> must match this type. For each entry in <array>, match the <value> against the contents of the entry. If there is a match, emit the entry based upon <template>, just as in a GET operation. If there are several leaf items in the value to be matched against, as in: route-entry{ interface(1), cost(3) } all of them must match an array entry for it to be emitted. Here is an example of how this operator would be used to obtain the input and output packet counts for the interface with ip-address 10.0.0.51.
interfaces BEGIN -- get dictionary interface{ ip-addr(10.0.0.51) } -- value to match interface{ in-pkts out-pkts } -- data template to get GET-MATCH END -- finished with dict The exact meaning of a "match" is dependent upon the characteristics of the entities being compared. In almost all cases, it is a comparison for exact equality. However, it is quite reasonable to define values that allow matches to do interesting things. For example, one might define three different flavors of "ip-addr": one that has only the IP net number, one with the IP net+subnet, and the whole IP address. Another possibility is to allow for wildcards in IP addresses (e.g., if the "host" part of an IP address was all ones, then that would match against any IP address with the same net number). So, for all data items defined, the behavior of the match operation must be defined if it is not simple equality. Implementations don't have to provide the ability to use all items in an object to match against. It is expected that some data structures that provide for efficient lookup for one item may be very inefficient for matching against others. (For instance, routing tables are designed for lookup with IP addresses. It may be very difficult to search the routing table, matching against costs.) NOTE: It would be desirable to provide a general-purpose filtering capability, rather than just "equality" as provided by GET-MATCH. However, because of the potential complexity of such a facility, lack of a widely-accepted representation for filter expressions, and time pressure, we are not defining this mechanism now. However, if a generalized filtering mechanism is devised, the GET- MATCH operator will disappear. Data Attributes Although ASN.1 data is self-describing as far as the structure goes, it gives no information about what the data means (e.g., By looking at the raw data, it is possible to tell that an item is of type [context 5] and 4 octets long). That does not tell how to interpret the data (is this an integer, an IP address, or a 4-character string?), or what the data means (IP address of what?). Most of the time, this information will come from RFC-1024, which defines all of the ASN.1 tags and their precise meaning. When extensions have been made, it may not be possible to get
documentation on the extensions. (See the section about extensions, page 15.) The query language provides a set of operators parallel to the GET and GET-MATCH operators that return a set of attributes describing the data. This information should be sufficient to let a human understand the meaning of the data and to let a sophisticated application treat the data appropriately. The information is sufficient to let an application format the information on a display and decide whether or not to subtract one sample from another. Some of the attributes are textual descriptions to help a human understand the nature of the data and provide meaningful labels for it. Extensive descriptions of standard data are optional, since they are defined in RFC-1024. Complete descriptions of extensions must be available, even if they are documented in a user's manual. Network firefighters may not have the manual handy when the network is broken. The format of the attributes is not as simple as the format of the data itself. It isn't possible to use the data's tag, since that would just look exactly like the data itself. The format is: Attributes ::= [APPLICATION 2] IMPLICIT SEQUENCE { tagASN1 [0] IMPLICIT INTEGER, valueFormat [1] IMPLICIT INTEGER, longDesc [2] IMPLICIT IA5String OPTIONAL, shortDesc [3] IMPLICIT IA5String OPTIONAL, unitsDesc [4] IMPLICIT IA5String OPTIONAL, precision [5] IMPLICIT INTEGER OPTIONAL, properties [6] IMPLICIT BITSTRING OPTIONAL, } For example, the attributes for system{ name, clock-msec } might be: system{ Attributes{ tagASN1(name), valueFormat(IA5String), longDesc("The name of the host"), shortDesc("hostname") }, Attributes{ tagASN1(clock-msec), valueFormat(Integer), longDesc("milliseconds since boot"), shortDesc("uptime"), unitsDesc("ms") precision(4294967296), properties(1)
} Note that in this example <name> and <clock-msec> are integer values for the ASN.1 tags for the two data items. A complete definition of the contents of the Attributes type is in RFC-1024. Note that there will be exactly as many Attributes items in the result as there are objects in the template. Attributes objects for items which do not exist in the entity will have a valueFormat of NULL and none of the optional elements will appear. GET-ATTRIBUTES dict template GET-ATTRIBUTES dict Emit ASN.1 Attributes objects that for the objects named in <template>. Any items in the template that are not in <dictionary> (or its components), elicit an Attributes object with no. or dict GET-ATTRIBUTES dict If there is no template, emit Attribute objects for all of the items in the dictionary. This is equivalent to providing a template that lists all of the items in the dictionary. This allows a complete list of a dictionary's contents to be obtained. GET-ATTRIBUTES-MATCH dict value template GET-ATTRIBUTES-MATCH dict <array> should be an array (dictionary containing only one type of item). The first tag in <value> and <template> must match this type. For each entry in <array>, match the <value> against the contents of the entry. If there is a match, emit the atributes based upon <template>, just as in a GET-ATTRIBUTES operation. GET-ATTRIBUTES-MATCH is necessary because there will be situations where the contents of the elements of an array may differ, even though the array elements themselves are of the same type. The most obvious example of this is the situation where several network interfaces exist and are of different types, with different data collected for each type. NOTE: The GET-ATTRIBUTES-MATCH operator will disappear if a generalized filtering mechanism is devised. ADDITIONAL NOTE: A much cleaner method would be to store the attributes as sub-components of the data item of interest. For example, requesting: system{ clock-msec() } GET would normally just get the value of the data. Asking for an
additional layer down the tree would now get its attributes:
system{ clock-msec{ shortDesc, unitsDesc } GET
would get the named attributes. (The attributes would be named with
application-specific tags.) Unfortunately, ASN.1 doesn't provide an
obvious notation to describe this type of organization. So, we're
stuck with the GET-ATTRIBUTES operator. However, if this cleaner
organization becomes possible, this decision may be re-thought.
Examining Memory
Even with the ability to symbolically access all of this information
in an entity, there will still be times when it is necessary to get
to very low levels and examine memory, as in remote debugging
operations. The building blocks outlined so far can easily be
extended to allow memory to be examined.
Memory is modeled as an array, with an ASN.1 representation of
OctetString. Because of the variety of addressing architectures in
existence, the conversion between the OctetString and "memory" is
very machine-dependent. The only simple case is for byte-addressed
machines with 8 bits per byte.
Each address space in an entity is represented by one dictionary. In
a one-address-space situation, this dictionary will be at the top
level. If each process has its own address space, then one "memory"
dictionary may exist for each process.
The GET-RANGE operator is provided for the primary purpose of
retrieving the contents of memory, but can be used on any array. It
is only useful in these other contexts if the array index is
meaningful.
GET-RANGE array start length GET-RANGE dict
Get <length> elements of <array> starting at <start>.
<start> and <length> are both ASN.1 INTEGER type.
The returned data may not be <length> octets long, since it may take
more than one octet to represent one memory location.
Memory is special in that it will not automatically be returned as
part of a request for an entire dictionary (e.g., If memory is part
of the "system" dictionary, then requesting:
system{}
will emit the entire contents of the system dictionary, but not the
memory item).
NOTE: The GET-RANGE operator may disappear if a generalized
filtering mechanism is devised.
Controlling Things
All of the operators defined so far only allow data in an entity to
be retrieved. By replacing the "template" arguments used in the GET
operators with values, data in the entity can be changed.
There are many control operations that do not correspond to simply
changing the value of a piece of data, such as bringing an interface
"down" or "up". In these cases, a special data item associated with
the component being controlled (e.g., each interface), would be
defined. Control operations then consist of "setting" this item to
an appropriate command code.
SET dict value SET dict
Set the value(s) of data in the entity to the value(s)
given in <value>.
SET-MATCH array mvalue svalue SET-MATCH dict
<array> should be a array (dictionary containing only one
type of item). The first tag in <mvalue> and <svalue>
must match this type. For each entry in <array>, match
the <mvalue> against the contents of the entry. If there
is a match, set value(s) in the entity to the value(s) in
<svalue>, just as in SET.
CREATE array value SET dict
Insert a new entry into <array>. Depending upon the
context, there may be severe restrictions about what
constitutes a valid <value>.
DELETE array value SET dict
Delete the entry(s) in <array> that have values that
match <value>.
If there are several leaf items in the matched value, as in
route-entry{ interface(1), cost(3) }
all of them must match an array entry for any values to be changed.
Here is an example of how this operator would be used to shut down
the interface with ip-address 10.0.0.51 changing its status to
"down".
interfaces BEGIN -- get dictionary
interface{ ip-addr(10.0.0.51) } -- value to match
interface{ status(down) } -- value to set
SET-MATCH
END -- finished with dict
Delete the routing table entry for 36.0.0.0. route-table BEGIN -- get dictionary route-entry{ ip-addr(36.0.0.0) } -- value to match DELETE END -- finished with dict Note that this BEGIN/END pair ends up sending an empty ASN.1 item. We don't regard this as a problem, as it is likely that there will be some get operations executed in the same context. In addition, the "open" ASN.1 item provides the correct context for reporting errors. (See page 14.) NOTE: The SET-MATCH operator will disappear and the DELETE operator will change if a generalized filtering mechanism is devised. Atomic Operations Atomic operations can be provided if desired by allowing the stack to contain a fragment of a query. A new operation would take a query fragment and verify its executability and execute it, atomically. This is mentioned as a possibility, but it may be difficult to implement. More study is needed. ERRORS If some particular information is requested but is not available for any reason (e.g., it doesn't apply to this implementation, isn't collected, etc.), it can ALWAYS be returned as "no-value" by giving the ASN.1 length as 0. When there is any other kind of error, such as having improper arguments on the top of the stack or trying to execute BEGIN when the tag doesn't refer to a dictionary, an ERROR object be emitted. The contents of this object identify the exact nature of the error and are discussed in RFC-1024. Since there may be several unterminated ASN.1 objects in progress at the time the error occurs, each one must be terminated. Each unterminated object will be closed with a copy of the ERROR object. Depending upon the type of length encoding used for this object, this will involve filling the value for the length (definite length form) or emitting two zero octets (indefinite length form). After all objects are terminated, a final copy of the ERROR object will be emitted. This structure guarantees that the error will be noticed at every level of interpretation on the receiving end.
If there was an error before any ASN.1 objects were generated, then the result would simply be: error(details) If a couple of ASN.1 objects were unterminated, the result might look like: interfaces{ interface { name(...) type(...) error(details) } error(details) } error{details} EXTENDING THE SET OF VALUES There are two ways to extend the set of values understood by the query language. The first is to register the data and its meaning and get an ASN.1 tag assigned for it. This is the preferred method because it makes that data specification available for everyone to use. The second method is to use the VendorSpecific application type to "wrap" the vendor-specific data. Wherever an implementation defines data that is not in RFC-1024, the "VendorSpecific" tag should be used to label a dictionary containing the vendor-specific data. For example, if a vendor had some data associated with interfaces that was too strange to get standard numbers assigned for, they could, instead represent the data like this: interfaces { interface { in-pkts, out-pkts, ... VendorSpecific { ephemeris, declination } } } In this case, ephemeris and declination are two context-dependent tags assigned by the vendor for its non-standard data. If the vendor-specific method is chosen, the private data MUST have descriptions available through the GET-ATTRIBUTES and GET- ATTRIBUTESMATCH operators. Even with this descriptive ability, the preferred method is to get standard numbers assigned if possible. IMPLEMENTATION Although it is not normally in the spirit of RFCs to define an implementation, the authors feel that some suggestions will be useful
to early implementors of the query language. This list is not meant
to be complete, but merely to give some hints about how the authors
imagine that the query processor might be implemented efficiently.
- The stack is an abstraction -- it should be implemented
with pointers, not by copying dictionaries, etc.
- An object-oriented approach should make initial
implementation fairly easy. Changes to the "shape" if the
data items (which will certainly occur, early on) will also
be easier to make.
- Only a few "messages" need to be understood by objects.
- Most interesting objects are dictionaries, each of which
can be implemented using pointers to the data and procedure
"hooks" to perform specific operations such as GET, MATCH,
SET, etc.
- The hardest part is actually extracting the data from an
existing TCP/IP implementions that weren't designed with
detailed monitoring in mind. This should be less of a
problem if a system is designed with easy monitoring as a
goal.
OBTAINING A COPY OF THE ASN.1 SPECIFICATION
Copies of ISO Standard ASN.1 (Abstract Syntax Notation 1) are
available from the following source. It comes in two parts; both are
needed:
IS 8824 -- Specification (meaning, notation)
IS 8825 -- Encoding Rules (representation)
They are available from:
Omnicom Inc.
115 Park St, S.E. (new address as of March, 1987)
Vienna, VA 22180
(703) 281-1135