1. Autonomic functions communicate over the ACP. The ACP therefore directly supports Autonomic Networking functions, as described in [RFC 8993]. For example, GRASP ("[GeneRic Autonomic Signaling Protocol (GRASP)]" [RFC 8990]) runs securely inside the ACP and depends on the ACP as its "security and transport substrate".
2. A controller or network management system can use ACP to securely bootstrap network devices in remote locations, even if the (data plane) network in between is not yet configured; no bootstrap configuration that is dependent on the data plane is required. An example of such a secure bootstrap process is described in "[Bootstrapping Remote Secure Key Infrastructure (BRSKI)]" [RFC 8995].
3. An operator can use ACP to access remote devices using protocols such as Secure SHell (SSH) or Network Configuration Protocol (NETCONF), even if the network is misconfigured or unconfigured.

ACP:

Autonomic Control Plane. The autonomic function as defined in this document. It provides secure, zero-touch (automated) transitive (network-wide) IPv6 connectivity for all nodes in the same ACP domain as well as a GRASP instance running across this ACP IPv6 connectivity. The ACP is primarily meant to be used as a component of the ANI to enable Autonomic Networks, but it can equally be used in simple ANI networks (with no other autonomic functions) or completely by itself.

ACP address:

An IPv6 address assigned to the ACP node. It is stored in the acp-node-name of the ACP certificate.

ACP address range or set:

The ACP address may imply a range or set of addresses that the node can assign for different purposes. This address range or set is derived by the node from the format of the ACP address called the addressing sub-scheme.

ACP certificate:

A Local Device IDentity (LDevID) certificate conforming to "[Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]" [RFC 5280] that carries the acp-node-name, which is used by the ACP to learn its address in the ACP and to derive and cryptographically assert its membership in the ACP domain. In the context of the ANI, the ACP certificate is also called the ANI certificate.In the context of AN, the ACP certificate is also called the AN certificate.

ACP connect interface:

An interface on an ACP node that provides access to the ACP for non-ACP-capable nodes without using an ACP secure channel. See Section 8.1.1.

ACP domain:

The ACP domain is the set of nodes with ACP certificates that allow them to authenticate each other as members of the ACP domain. See also Section 6.2.3.

ACP loopback interface:

The loopback interface in the ACP VRF that has the ACP address assigned to it. See Section 6.13.5.1.

ACP network:

The ACP network comprises all the nodes that have access to the ACP. It is the set of active and transitively connected nodes of an ACP domain plus all nodes that get access to the ACP of that domain via ACP edge nodes.

ACP (ULA) prefix(es):

The /48 IPv6 address prefixes used across the ACP. In the normal or simple case, the ACP has one Unique Local Address (ULA) prefix, see Section 6.11. The ACP routing table may include multiple ULA prefixes if the rsub option is used to create addresses from more than one ULA prefix. See Section 6.2.2. The ACP may also include non-ULA prefixes if those are configured on ACP connect interfaces. See Section 8.1.1.

ACP secure channel:

A channel authenticated via ACP certificates providing integrity protection and confidentiality through encryption. These channels are established between (normally) adjacent ACP nodes to carry ACP VRF traffic in-band over the same links and paths as data plane traffic but isolate it from the data plane traffic and secure it.

ACP secure channel protocol:

The protocol used to build an ACP secure channel, e.g., Internet Key Exchange Protocol version 2 (IKEv2) with IPsec or DTLS.

ACP virtual interface:

An interface in the ACP VRF mapped to one or more ACP secure channels. See Section 6.13.5.

acp-node-name field:

An information field in the ACP certificate in which the following ACP-relevant information is encoded: the ACP domain name, the ACP IPv6 address of the node, and optional additional role attributes about the node.

AN:

Autonomic Network. A network according to [RFC 8993]. Its main components are ANI, autonomic functions, and Intent.

(AN) Domain Name:

An FQDN (Fully Qualified Domain Name) in the acp-node-name of the domain certificate. See Section 6.2.2.

ANI (nodes/network):

Autonomic Network Infrastructure. The ANI is the infrastructure to enable Autonomic Networks. It includes ACP, BRSKI, and GRASP. Every Autonomic Network includes the ANI, but not every ANI network needs to include autonomic functions beyond the ANI (nor Intent). An ANI network without further autonomic functions can, for example, support secure zero-touch (automated) bootstrap and stable connectivity for SDN networks, see [RFC 8368].

ANIMA:

Autonomic Networking Integrated Model and Approach. ACP, BRSKI, and GRASP are specifications of the IETF ANIMA Working Group.

ASA:

Autonomic Service Agent. Autonomic software modules running on an ANI device. The components making up the ANI (BRSKI, ACP, and GRASP) are also described as ASAs.

autonomic function:

A function and/or service in an Autonomic Network (AN) composed of one or more ASAs across one or more ANI nodes.

BRSKI:

Bootstrapping Remote Secure Key Infrastructure [RFC 8995]. A protocol extending EST to enable secure zero-touch bootstrap in conjunction with ACP. ANI nodes use ACP, BRSKI, and GRASP.

CA:

Certification Authority. An entity that issues digital certificates. A CA uses its private key to sign the certificates it issues. Relying parties use the public key in the CA certificate to validate the signature.

CRL:

Certificate Revocation List. A list of revoked certificates is required to revoke certificates before their lifetime expires.

data plane:

The counterpoint to the ACP VRF in an ACP node: the forwarding of user traffic in non-autonomous nodes and/or networks and also any non-autonomous control and/or management plane functions. In a fully Autonomic Network node, the data plane is managed autonomically via autonomic functions and Intent. See Section 1 for more details.

device:

A physical system or physical node.

enrollment:

The process by which a node authenticates itself to a network with an initial identity, which is often called an Initial Device IDentity (IDevID) certificate, and acquires from the network a network-specific identity, which is often called an LDevID certificate, and certificates of one or more trust anchor(s). In the ACP, the LDevID certificate is called the ACP certificate.

EST:

Enrollment over Secure Transport [RFC 7030]. IETF Standards Track protocol for enrollment of a node with an LDevID certificate. BRSKI is based on EST.

GRASP:

GeneRic Autonomic Signaling Protocol. An extensible signaling protocol required by the ACP for ACP neighbor discovery.

The ACP also provides the "security and transport substrate" for the "ACP instance of GRASP". This instance of GRASP runs across the ACP secure channels to support BRSKI and other NOC and/or OAM or autonomic functions. See [RFC 8990].

IDevID:

An Initial Device IDentity X.509 certificate installed by the vendor on new equipment. The IDevID certificate contains information that establishes the identity of the node in the context of its vendor and/or manufacturer such as device model and/or type and serial number. See [AR8021]. The IDevID certificate cannot be used as a node identifier for the ACP because they are not provisioned by the owner of the network, so they can not directly indicate an ACP domain they belong to.

in-band (as in management or signaling):

In-band management traffic and/or control plane signaling uses the same network resources such as routers and/or switches and network links that it manages and/or controls. In-band is the standard management and signaling mechanism in IP networks. Compared to out-of-band, the in-band mechanism requires no additional physical resources, but it introduces potentially circular dependencies for its correct operations. See Section 1.

Intent:

The policy language of an Autonomic Network according to [RFC 8993].

Loopback interface:

See ACP loopback interface.

LDevID:

A Local Device IDentity is an X.509 certificate installed during enrollment. The domain certificate used by the ACP is an LDevID certificate. See [AR8021].

management:

Used in this document as another word for OAM.

MASA (service):

Manufacturer Authorized Signing Authority. A vendor and/or manufacturer or delegated cloud service on the Internet used as part of the BRSKI protocol.

MIC:

Manufacturer Installed Certificate. A synonym for an IDevID in referenced materials. This term is not used in this document.

native interface:

Interfaces existing on a node without configuration of the already running node. On physical nodes, these are usually physical interfaces; on virtual nodes, their equivalent.

NOC:

Network Operations Center.

node:

A system supporting the ACP according to this document. A node can be virtual or physical. Physical nodes are called devices.

Node-ID:

The identifier of an ACP node inside that ACP. It is either the last 64 bits (see Section 6.11.3) or 78 bits (see Section 6.11.5) of the ACP address.

OAM:

Operations, Administration, and Management. Includes network monitoring.

Operational Technology (OT):

"The hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc." [OP-TECH]. In most cases today, OT networks are well separated from Information Technology (IT) networks.

out-of-band (management) network:

An out-of-band network is a secondary network used to manage a primary network. The equipment of the primary network is connected to the out-of-band network via dedicated management ports on the primary network equipment. Serial (console) management ports were historically most common; however, higher-end network equipment now also has Ethernet ports dedicated only to management. An out-of-band network provides management access to the primary network independent of the configuration state of the primary network. See Section 1.

out-of-band network, virtual:

The ACP can be called a virtual out-of-band network for management and control because it attempts to provide the benefits of a (physical) out-of-band network even though it is physically carried in-band. See Section 1.

root CA:

root Certification Authority. A CA for which the root CA key update procedures of RFC 7030, Section 4.4, can be applied.

RPL:

IPv6 Routing Protocol for Low-Power and Lossy Networks. The routing protocol used in the ACP. See [RFC 6550].

registrar (ACP, ANI/BRSKI):

An ACP registrar is an entity (software and/or person) that orchestrates the enrollment of ACP nodes with the ACP certificate. ANI nodes use BRSKI, so ANI registrars are also called BRSKI registrars. For non-ANI ACP nodes, the registrar mechanisms are not defined in this document. See Section 6.11.7. Renewal and other maintenance (such as revocation) of ACP certificates may be performed by entities other than registrars. EST must be supported for ACP certificate renewal (see Section 6.2.5). BRSKI is an extension of EST, so ANI/BRSKI registrars can easily support ACP domain certificate renewal in addition to initial enrollment.

RPI:

RPL Packet Information. Network extension headers for use with RPL. Not used with RPL in the ACP. See Section 6.12.1.13.

RPL:

Routing Protocol for Low-Power and Lossy Networks. The routing protocol used in the ACP. See Section 6.12.

sUDI:

secured Unique Device Identifier. This is a synonym of IDevID in referenced material. This term is not used in this document.

TA:

Trust Anchor. A TA is an entity that is trusted for the purpose of certificate validation. TA information such as self-signed certificate(s) of the TA is configured into the ACP node as part of enrollment. See RFC 5280, Section 6.1.1.

UDI:

Unique Device Identifier. In the context of this document, unsecured identity information of a node typically consists of at least a device model and/or type and a serial number, often in a vendor-specific format. See sUDI and LDevID.

ULA (Global ID prefix):

A Unique Local Address is an IPv6 address in the block fc00::/7, defined in "[Unique Local IPv6 Unicast Addresses]" [RFC 4193]. ULA is the IPv6 successor of the IPv4 private address space ("[Address Allocation for Private Internets]" [RFC 1918]). ULAs have important differences over IPv4 private addresses that are beneficial for and exploited by the ACP, such as the locally assigned Global ID prefix, which is the first 48 bits of a ULA address RFC 4193, Section 3.2.1. In this document, this prefix is abbreviated as "ULA prefix".

(ACP) VRF:

The ACP is modeled in this document as a Virtual Routing and Forwarding instance. This means that it is based on a "virtual router" consisting of a separate IPv6 forwarding table to which the ACP virtual interfaces are attached and an associated IPv6 routing table separate from the data plane. Unlike the VRFs on MPLS/VPN Provider Edge ("[BGP/MPLS IP Virtual Private Networks (VPNs)]" [RFC 4364]) or LISP xTR ("[The Locator/ID Separation Protocol (LISP)]" [RFC 6830]), the ACP VRF does not have any special "core facing" functionality or routing and/or mapping protocols shared across multiple VRFs. In vendor products, a VRF such as the ACP VRF may also be referred to as a VRF-lite.

(ACP) Zone:

An ACP zone is a set of ACP nodes using the same zone field value in their ACP address according to Section 6.11.3. Zones are a mechanism to support structured addressing of ACP addresses within the same /48 ULA prefix.

• For management plane protocols, the ACP provides the functionality of a Virtual out-of-Band (VooB) channel, by providing connectivity to all nodes regardless of their data plane configuration, and routing and forwarding tables.
• For control plane protocols, the ACP allows their operation even when the data plane is temporarily faulty, or during transitional events, such as routing changes, which may affect the control plane at least temporarily. This is specifically important for autonomic service agents, which could affect data plane connectivity.

ACP1:

The ACP should provide robust connectivity: as far as possible, it should be independent of configured addressing, configuration, and routing. Requirements 2 and 3 build on this requirement, but they also have value on their own.

ACP2:

The ACP must have a separate address space from the data plane. This separate address space provides traceability, ease of debugging, separation from data plane, and infrastructure security (filtering based on known address space).

ACP3:

The ACP must use an autonomically managed address space. An autonomically managed address space provides ease of bootstrap and setup ("autonomic"), and robustness (the administrator cannot break network easily). This document uses ULA for this purpose, see [RFC 4193].

ACP4:

The ACP must be generic, that is, it must be usable by all the functions and protocols of the ANI. Clients of the ACP must not be tied to a particular application or transport protocol.

ACP5:

The ACP must provide security: messages coming through the ACP must be authenticated to be from a trusted node, and it is very strongly recommended that they be encrypted.

1. The node creates a VRF instance or a similar virtual context for the ACP.
2. The node assigns its ULA IPv6 address (prefix) (see Section 6.11), which is learned from the acp-node-name (see Section 6.2.2) of its ACP certificate (see Section 6.2.1), to an ACP loopback interface (see Section 6.11) and connects this interface to the ACP VRF.
3. The node establishes a list of candidate peer adjacencies and candidate channel types to try for the adjacency. This is automatic for all candidate link-local adjacencies (see Section 6.4) across all native interfaces (see Section 9.3.4). If a candidate peer is discovered via multiple interfaces, this will result in one adjacency per interface. If the ACP node has multiple interfaces connecting to the same subnet across which it is also operating as an L2 switch in the data plane, it employs methods for ACP with L2 switching, see Section 7.
4. For each entry in the candidate adjacency list, the node negotiates a secure tunnel using the candidate channel types. See Section 6.6.
5. The node authenticates the peer node during secure channel setup and authorizes it to become part of the ACP according to Section 6.2.3.
6. Unsuccessful authentication of a candidate peer results in throttled connection retries for as long as the candidate peer is discoverable. See Section 6.7.
7. Each successfully established secure channel is mapped to an ACP virtual interface, which is placed into the ACP VRF. See Section 6.13.5.2.
8. Each node runs a lightweight routing protocol (see Section 6.12) to announce reachability of the ACP loopback address (or prefix) across the ACP.
9. This completes the creation of the ACP with hop-by-hop secure tunnels, auto-addressing, and auto-routing. The node is now an ACP node with a running ACP.

• None of the above operations (except the following explicitly configured ones) are reflected in the configuration of the node.
• Non-ACP network management systems (NMS) or SDN controllers have to be explicitly configured for connection to the ACP.
• Additional candidate peer adjacencies for ACP connections across non-ACP Layer 3 clouds requires explicit configuration. See Section 8.2.

          ACP Node 1                          ACP Node 2
       ...................               ...................
secure .                 .   secure      .                 .  secure
channel:  +-----------+  :   channel     :  +-----------+  : channel
..--------| ACP VRF   |---------------------| ACP VRF   |---------..
       : / \         / \   <--routing-->   / \         / \ :
       : \ /         \ /                   \ /         \ / :
..--------| loopback  |---------------------| loopback  |---------..
       :  | interface |  :               :  | interface |  :
       :  +-----------+  :               :  +-----------+  :
       :                 :               :                 :
       :   Data Plane    :...............:   Data Plane    :
       :                 :    link       :                 :
       :.................:               :.................:

  acp-node-name = local-part "@" acp-domain-name
  local-part = [ acp-address ] [ "+" rsub extensions ]
  acp-address = 32HEXDIG / "0" ; HEXDIG as of [RFC5234], Appendix B.1
  rsub = [ <subdomain> ] ; <subdomain> as of [RFC1034], Section 3.5
  acp-domain-name = <domain> ; as of [RFC1034], Section 3.5
  extensions = *( "+" extension )
  extension  = 1*etext  ; future standard definition.
  etext      = ALPHA / DIGIT /  ; Printable US-ASCII
               "!" / "#" / "$" / "%" / "&" / "'" /
               "*" / "-" / "/" / "=" / "?" / "^" /
               "_" / "`" / "{" / "|" / "}" / "~"

  routing-subdomain = [ rsub "." ] acp-domain-name

  acp-node-name      = fd89b714f3db00000200000064000000
                       +area51.research@acp.example.com
  acp-domain-name    = acp.example.com
  routing-subdomain  = area51.research.acp.example.com

1. Formatting notes:

   1.1

   The rsub component needs to be in the local-part: if the format just had routing-subdomain as the domain part of the acp-node-name, rsub and acp-domain-name could not be separated from each other to determine in the ACP domain membership check which part is the acp-domain-name and which is solely for creating a different ULA prefix.

   1.2

   If both acp-address and rsub are omitted from AcpNodeName, the local-part will have the format "++extension(s)". The two plus characters are necessary so the node can unambiguously parse that both acp-address and rsub are omitted.
2. The encoding of the ACP domain name and ACP address as described in this section is used for the following reasons:

   2.1

   The acp-node-name is the identifier of a node's ACP. It includes the necessary components to identify a node's ACP both from within the ACP as well as from the outside of the ACP.

   2.2

   For manual and/or automated diagnostics and backend management of devices and ACPs, it is necessary to have an easily human-readable and software-parsable standard, single string representation of the information in the acp-node-name. For example, inventory or other backend systems can always identify an entity by one unique string field but not by a combination of multiple fields, which would be necessary if there were no single string representation.

   2.3

   If the encoding was not such a string, it would be necessary to define a second standard encoding to provide this format (standard string encoding) for operator consumption.

   2.4

   Addresses of the form <local>@<domain> have become the preferred format for identifiers of entities in many systems, including the majority of user identifiers in web or mobile applications such as multi-domain single-sign-on systems.
3. Compatibilities:

   3.1

   It should be possible to use the ACP certificate as an LDevID certificate on the system for uses besides the ACP. Therefore, the information element required for the ACP should be encoded so that it minimizes the possibility of creating incompatibilities with other such uses. The attributes of the subject field, for example, are often used in non-ACP applications and therefore should not be occupied by new ACP values.

   3.2

   The element should not require additional ASN.1 encoding and/or decoding because libraries for accessing certificate information, especially for embedded devices, may not support extended ASN.1 decoding beyond predefined, mandatory fields. subjectAltName / otherName is already used with a single string parameter for several otherNames (see "[Extensible Messaging and Presence Protocol (XMPP): Core]" [RFC 6120], "[Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)]" [RFC 7585], "[Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name]" [RFC 4985], "[Internationalized Email Addresses in X.509 Certificates]" [RFC 8398]).

   3.3

   The element required for the ACP should minimize the risk of being misinterpreted by other uses of the LDevID certificate. It also must not be misinterpreted as an email address, hence the use of the otherName / rfc822Name option in the certificate would be inappropriate.

1. The peer has proved ownership of the private key associated with the certificate's public key. This check is performed by the security association protocol used, for example, Section 2.15 of [RFC 7296].
2. The peer's certificate passes certificate path validation as defined in RFC 5280, Section 6, against one of the TAs associated with the ACP node's ACP certificate (see Section 6.2.4). This includes verification of the validity (lifetime) of the certificates in the path.
3. If the peer's certificate indicates a CRLDP (RFC 5280, Section 4.2.1.13) or OCSP responder (RFC 5280, Section 4.2.2.1), then the peer's certificate MUST be valid according to those mechanisms when they are available: an OCSP check for the peer's certificate across the ACP must succeed, or the peer's certificate must not be listed in the CRL retrieved from the CRLDP. These mechanisms are not available when the ACP node has no ACP or non-ACP connectivity to retrieve a current CRL or has no access an OCSP responder, and the security association protocol itself also has no way to communicate the CRL or OCSP check. Retries to learn revocation via OCSP or CRL SHOULD be made using the same backoff as described in Section 6.7. If and when the ACP node then learns that an ACP peer's certificate is invalid for which Rule 3 had to be skipped during ACP secure channel establishment, then the ACP secure channel to that peer MUST be closed even if this peer is the only connectivity to access CRL/OCSP. This applies (of course) to all ACP secure channels to this peer if there are multiple. The ACP secure channel connection MUST be retried periodically to support the case that the neighbor acquires a new, valid certificate.
4. The peer's certificate has a syntactically valid acp-node-name field, and the acp-domain-name in that peer's acp-node-name is the same as in this ACP node's certificate (lowercase normalized).

5. The acp-address field of the candidate peer certificate's AcpNodeName is not omitted but is either 32HEXDIG or 0, according to Figure 2.

• Steps 1 through 4 constitute standard certificate validity verification and private key authentication as defined by [RFC 5280] and security association protocols (such as [RFC 7296]) when leveraging certificates.
• Except for its public key, Steps 1 through 4 do not include the verification of any preexisting form of a certificate's identity elements, such as a web server's domain name prefix, which is often encoded in the certificate common name. Step 5 is an equivalent step for the AcpNodeName.
• Step 4 constitutes standard CRL and OCSP checks refined for the case of missing connectivity and limited-functionality security association protocols.
• Steps 1 through 4 authorize the building of any secure connection between members of the same ACP domain except for ACP secure channels.
• Step 5 is the additional verification of the presence of an ACP address as necessary for ACP secure channels.
• Steps 1 through 5 therefore authorize the building of an ACP secure channel.

• An ACP node may choose to attempt to initiate the different feasible ACP secure channel protocols it supports according to its local policies sequentially or in parallel, but it MUST support acting as a responder to all of them in parallel.
• Once the first ACP secure channel protocol connection to a specific peer IPv6 address passes peer authentication, the two peers know each other's certificate because those ACP certificates are used by all secure channel protocols for mutual authentication. The peer with the higher Node-ID in the AcpNodeName of its ACP certificate takes on the role of the Decider towards the peer. The other peer takes on the role of the Follower. The Decider selects which secure channel protocol to ultimately use.
• The Follower becomes passive: it does not attempt to further initiate ACP secure channel protocol connections with the Decider and does not consider it to be an error when the Decider closes secure channels. The Decider becomes the active party, continuing to attempt the setup of secure channel protocols with the Follower. This process terminates when the Decider arrives at the "best" ACP secure channel connection option that also works with the Follower ("best" from the Decider's point of view).
• A peer with a "0" acp-address in its AcpNodeName takes on the role of Follower when peering with a node that has a non-"0" acp-address (note that this specification does not fully define the behavior of ACP secure channel negotiation for nodes with a "0" ACP address field, it only defines interoperability with such ACP nodes).

[1]

Node 1 sends GRASP "AN_ACP" message to announce itself.

[2]

Node 2 sends GRASP "AN_ACP" message to announce itself.

[3]

Node 2 receives [1] from Node 1.

[4:C1]

Because of [3], Node 2 starts as initiator on its preferredsecure channel protocol towards Node 1. Connection C1.

[5]

Node 1 receives [2] from Node 2.

[6:C2]

Because of [5], Node 1 starts as initiator on its preferred secure channel protocol towards Node 2. Connection C2.

[7:C1]

Node 1 and Node 2 have authenticated each other's certificate on connection C1 as valid ACP peers.

[8:C1]

Node 1's certificate has a lower ACP Node-ID than Node 2's, therefore Node 1 considers itself the Follower and Node 2 the Decider on connection C1. Connection setup C1 is completed.

[9]

Node 1 refrains from attempting any further secure channel connections to Node2 (the Decider) as learned from [2] because it knows from [8:C1] that it is the Follower relative to Node 2.

[10:C2]

Node 1 and Node 2 have authenticated each other's certificate on connection C2 (like [7:C1]).

[11:C2]

Node 1's certificate has a lower ACP Node-ID than Node 2's, therefore Node 1considers itself the Follower and Node 2 the Decider on connection C2, butthey also identify that C2 is to the same mutual peer as their C1, so this hasno further impact: the roles Decider and Follower where already assignedbetween these two peers by [8:C1].

[12:C2]

Node 2 (the Decider) closes C1. Node 1 is fine with this, because of its role as the Follower (from [8:C1]).

[13]

Node 2 (the Decider) and Node 1 (the Follower) start datatransfer across C2, which makes it become a secure channel for the ACP.

• ENCR_NULL AH MUST NOT be used (because it does not provide confidentiality).
• ENCR_AES_GCM_16 is the only MTI ESP encryption algorithm for ACP via IPsec/ESP (it is already listed as MUST in [RFC 8221]).
• ENCR_AES_CBC with AUTH_HMAC_SHA2_256_128 (as the ESP authentication algorithm) and ENCR_AES_CCM_8 MAY be supported. If either provides higher performance than ENCR_AES_GCM_16, it SHOULD be supported.
• ENCR_CHACHA20_POLY1305 SHOULD be supported at equal or higher performance than ENCR_AES_GCM_16. If that performance is not feasible, it MAY be supported.

• There is no requirement to interoperate with legacy equipment in ACP secure channels, so a single MTI encryption algorithm for IPsec in ACP secure channels is sufficient for interoperability and allows for the most lightweight implementations.
• ENCR_AES_GCM_16 is an Authenticated Encryption with Associated Data (AEAD) cipher mode, so no additional ESP authentication algorithm is needed, simplifying the MTI requirements of IPsec for the ACP.
• There is no MTI requirement for the support of ENCR_AES_CBC because ENCR_AES_GCM_16 is assumed to be feasible with less cost and/or higher performance in modern devices' hardware-accelerated implementations compared to ENCR-AES_CBC.
• ENCR_CHACHA20_POLY1305 is mandatory in [RFC 8221] because of its target use as a fallback algorithm in case weaknesses in AES are uncovered. Unfortunately, there is currently no way to automatically propagate across an ACP a policy to disallow use of AES-based algorithms, so this target benefit of ENCR_CHACHA20_POLY1305 cannot fully be adopted yet for the ACP. Therefore, this algorithm is only recommended. Changing from AES to this algorithm with a potentially big drop in performance could also render the ACP inoperable. Therefore, there is a performance requirement against this algorithm so that it could become an effective security backup to AES for the ACP once a policy to switch over to it or prefer it is available in an ACP framework.

• There is more experience with DTLS 1.2 across the spectrum of target ACP nodes.
• Firmware of lower-end, embedded ACP nodes may not support a newer version for a long time.
• There are significant changes with DTLS 1.3, such as a different record layer requiring time to gain implementation and deployment experience especially on lower-end devices with limited code space.
• The existing BCP [RFC 7525] for DTLS 1.2 may take an equally longer time to be updated with experience from a newer DTLS version.
• There are no significant benefits of DTLS 1.3 over DTLS 1.2 that are use-case relevant in the context of the ACP options for DTLS. For example, signaling performance improvements for session setup in DTLS 1.3 is not important for the ACP given the long-lived nature of ACP secure channel connections and the fact that DTLS connections are mostly link local (short RTT).

• Secure channel methods such as IPsec may provide protection against additional attacks, for example, reset attacks.
• The secure channel method may leverage hardware acceleration, and there may be little or no gain in eliminating it.
• The security model for ACP GRASP is no different than other ACP traffic. Instead, there is just another layer of protection against certain attacks from the inside, which is important due to the role of GRASP in the ACP.

• Usage: autonomic addresses are exclusively used for self-management functions inside a trusted domain. They are not used for user traffic. Communications with entities outside the trusted domain use another address space, for example, a normally managed routable address space (called "data plane" in this document).
• Separation: autonomic address space is used separately from user address space and other address realms. This supports the robustness requirement.
• Loopback only: only ACP loopback interfaces (and potentially those configured for ACP connect, see Section 8.1) carry routable address(es); all other interfaces (called ACP virtual interfaces) only use IPv6 link-local addresses. The usage of IPv6 link-local addressing is discussed in "[Using Only Link-Local Addressing inside an IPv6 Network]" [RFC 7404].
• Use of ULA: for loopback interfaces of ACP nodes, we use ULA with the L bit set to 1 (as defined in Section 3.1 of RFC 4193). Note that the random hash for ACP loopback addresses uses the definition in Section 6.11.2 and not the one in RFC 4193, Section 3.2.2.
• No external connectivity: the addresses do not provide access to the Internet. If a node requires further connectivity, it should use another, traditionally managed addressing scheme in parallel.
• Addresses in the ACP are permanent and do not support temporary addresses as defined in "[Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6]" [RFC 8981].
• Addresses in the ACP are not considered sensitive on privacy grounds because ACP nodes are not expected to be end-user hosts, and therefore ACP addresses do not represent end users or groups of end users. All ACP nodes are in one (potentially federated) administrative domain. For ACP traffic, the nodes are assumed to be either candidate hosts or transit nodes. There are no transit nodes with fewer privileges to know the identity of other hosts in the ACP. Therefore, ACP addresses do not need to be pseudorandom as discussed in "[Security and Privacy Considerations for IPv6 Address Generation Mechanisms]" [RFC 7721]. Because they are not propagated to untrusted (non-ACP) nodes and stay within a domain (of trust), we also do not consider them to be subject to scanning attacks.

• Simplicity, reliability, and scale: if other network-layer protocols were supported, each would have to have its own set of security associations, routing table, and process, etc.
• Autonomic functions do not require IPv4: autonomic functions and autonomic service agents are new concepts. They can be exclusively built on IPv6 from day one. There is no need for backward compatibility.
• OAM protocols do not require IPv4: the ACP may carry OAM protocols. All relevant protocols (SNMP, TFTP, SSH, SCP, RADIUS, Diameter, NETCONF, etc.) are available in IPv6. See also [RFC 8368] for how ACP could be made to interoperate with IPv4-only OAM.

  8      40                     2                     78
+--+-------------------------+------+------------------------------+
|fd| hash(routing-subdomain) | Type |     (sub-scheme)             |
+--+-------------------------+------+------------------------------+

fd:

Identifies a locally defined ULA address.

hash(routing-subdomain):

The 40-bit ULA Global ID (a term from [RFC 4193]) for ACP addresses carried in the acp-node-name in the ACP certificates are the first 40 bits of the SHA-256 hash of the routing-subdomain from the same acp-node-name. In the example of Section 6.2.2, the routing-subdomain is "area51.research.acp.example.com", and the 40-bit ULA Global ID is 89b714f3db.

When creating a new routing-subdomain for an existing Autonomic Network, it MUST be ensured that rsub is selected so the resulting hash of the routing-subdomain does not collide with the hash of any preexisting routing-subdomains of the Autonomic Network. This ensures that ACP addresses created by registrars for different routing subdomains do not collide with each other.

To allow for extensibility, the fact that the ULA Global ID is a hash of the routing-subdomain SHOULD NOT be assumed by any ACP node during normal operations. The hash function is only executed during the creation of the certificate. If BRSKI is used, then the BRSKI registrar will create the acp-node-name in response to the EST Certificate Signing Request (CSR) Attributes Request message sent by the pledge.

Establishing connectivity between different ACPs (different acp-domain-names) is outside the scope of this specification. If it is being done through future extensions, then the rsub of all routing-subdomains across those Autonomic Networks needs to be selected so that the resulting routing-subdomain hashes do not collide. For example, a large cooperation with its own private TA may want to create different Autonomic Networks that initially do not connect but where the option to do so should be kept open. When taking this possibility into account, it is always easy to select rsub so that no collisions happen.

Type:

This field allows different addressing sub-schemes. This addresses the "upgradability" requirement. Assignment of types for this field will be maintained by IANA.

(sub-scheme):

The sub-scheme may imply a range or set of addresses assigned to the node. This is called the ACP address range/set and explained in each sub-scheme.

                 64                             64
+-----------------+---+---------++-----------------------------+---+
|  (base scheme)  | Z | Zone-ID ||           Node-ID               |
|                 |   |         || Registrar-ID |   Node-Number| V |
+-----------------+---+---------++--------------+--------------+---+
         50         1     13            48           15          1

Type:

MUST be 0.

Z:

MUST be 0.

Zone-ID:

A value for a network zone.

Node-ID:

A unique value for each node.

The 64-bit Node-ID must be unique across the ACP domain for each node. It is derived and composed as follows:

Registrar-ID (48 bits):

A number unique inside the domain identifying the ACP registrar that assigned the Node-ID to the node. One or more domain-wide unique identifiers of the ACP registrar can be used for this purpose. See Section 6.11.7.2.

Node-Number:

A number to make the Node-ID unique. This can be sequentially assigned by the ACP registrar owning the Registrar-ID.

V (1 bit):

Virtualization bit:

0:

Indicates the ACP itself ("ACP node base system)

1:

Indicates the optional "host" context on the ACP node (see below).

                64                             64
+---------------------+---+----------++-----------------------------+
|    (base scheme)    | Z | Subnet-ID||     Interface Identifier    |
+---------------------+---+----------++-----------------------------+
         50             1    13 

Type:

MUST be 0.

Z:

MUST be 1.

Subnet-ID:

Configured subnet identifier.

Interface Identifier:

Interface identifier according to [RFC 4291].

          50                              78
+---------------------++-----------------------------+----------+
|    (base scheme)    ||           Node-ID                      |
|                     || Registrar-ID |F| Node-Number|        V |
+---------------------++--------------+--------------+----------+
          50                46         1   23/15          8/16

F:

Format bit. This bit determines the format of the subsequent bits.

V:

Virtualization bit: this is a field that is either 8 or 16 bits. For F=0, it is 8 bits, for F=1 it is 16 bits. The V-bits are assigned by the ACP node. In the ACP certificate's ACP address (Section 6.2.2), the V-bits are always set to 0.

Registrar-ID:

To maximize Node-Number and V, the Registrar-ID is reduced to 46 bits. One or more domain-wide unique identifiers of the ACP registrar can be used for this purpose. See Section 6.11.7.2.

Node-Number:

The Node-Number is unique to each ACP node. There are two formats for the Node-Number. When F=0, the Node-Number is 23 bits, for F=1, it is 15 bits. Each format of Node-Number is considered to be in a unique number space.

• Use the 'K' flag in unsolicited DAO to indicate change from previous information (to require DAO-ACK).
• Retry such DAO DAO-RETRIES(3) times with DAO-ACK_TIME_OUT(256ms) in between.

Objective Function (OF):

Use Objective Function Zero (OF0) ("[Objective Function Zero for the Routing Protocol for Low-Power and Lossy Networks (RPL)]" [RFC 6552]). Metric containers are not used.

rank_factor:

Derived from link speed: if less than or equal to 100 Mbps, LOW_SPEED_FACTOR(5), else HIGH_SPEED_FACTOR(1).

This is a simple rank differentiation between typical "low speed" or IoT links that commonly max out at 100 Mbps and typical infrastructure links with speeds of 1 Gbps or higher. Given how the path selection for the ACP focuses only on reachability but not on path cost optimization, no attempts at finer-grained path optimization are made.

Global Repair:

We assume stable links and ranks (metrics), so there is no need to periodically rebuild the DODAG. The DODAG version is only incremented under catastrophic events (e.g., administrative action).

Local Repair:

As soon as link breakage is detected, the ACP node sends a No-Path DAO for all the targets that were reachable only via this link. As soon as link repair is detected, the ACP node validates if this link provides a better parent. If so, a new rank is computed by the ACP node, and it sends a new DIO that advertises the new rank. Then it sends a DAO with a new path sequence about itself.

When using ACP multi-access virtual interfaces, local repair can be triggered directly by peer breakage, see Section 6.13.5.2.2.

stretch_rank:

None provided ("not stretched").

Data-Path Validation:

Not used.

Trickle:

Not used.

The preference is indicated in the DODAGPreference field of DIO message.

Explicitly configured "root":

0b100

ACP registrar (default):

0b011

ACP connect (non-registrar):

0b010

Default:

0b001

1. IPv6 addresses are assigned to interfaces, not nodes. IPv6 continues the IPv4 model that a subnet prefix is associated with one link, see Section 2.1 of [RFC 4291].
2. IPv6 implementations commonly do not allow assignment of the same IPv6 global-scope address in the same VRF to more than one interface.
3. Global-scope addresses assigned to interfaces that connect to other nodes (external interfaces) may not be stable addresses for communications because any such interface could fail due to reasons external to the node. This could render the addresses assigned to that interface unusable.
4. If failure of the subnet does not bring down the interface and make the addresses unusable, it could result in unreachability of the address because the shortest path to the node might go through one of the other nodes on the same subnet, which could equally consider the subnet to be operational even though it is not.
5. Many OAM service implementations on routers cannot deal with more than one peer address, often because they already expect that a single loopback address can be used, especially to provide a stable address under failure of external interfaces or links.
6. Even when an application supports multiple addresses to a peer, it can only use one address at a time for a connection with the most widely deployed transport protocols, TCP and UDP. While "[TCP Extensions for Multipath Operation with Multiple Addresses]" [RFC 6824]/[RFC 8684] solves this problem, it is not widely adopted by implementations of router OAM services.
7. To completely autonomously assign global-scope addresses to subnets connecting to other nodes, it would be necessary for every node to have an amount of prefix address space on the order of the maximum number of subnets that the node could connect to, and then the node would have to negotiate with adjacent nodes across those subnets which address space to use for each subnet.
8. Using global-scope addresses for subnets between nodes is unnecessary if those subnets only connect routers, such as ACP secure channels, because they can communicate to remote nodes via their global-scope loopback addresses. Using global-scope addresses for those external subnets is therefore wasteful for the address space and also unnecessarily increases the size of the routing and forwarding tables, which, especially for the ACP, is highly undesirable because it should attempt to minimize the per-node overhead of the ACP VRF.
9. For all these reasons, the ACP addressing sub-schemes do not consider ACP addresses for subnets connecting ACP nodes.

  connection = method "," local-addr "," remote-addr [ "," pmtu ]
  method =    "any"
             / ( "IKEv2" [ ":" port ] )
             / (  "DTLS"  [ ":"  port ] )
  port = 1*DIGIT
  local-addr  = [ address  [ ":" vrf  ] ]
  remote-addr =   address
  address =  "any"
             / IPv4address / IPv6address  ; From [RFC5954]
  vrf = system-dependent ; Name of VRF for local-address

• The local and remote address can be IPv4 or IPv6 and are typically global-scope addresses.
• The VRF across which the connection is built (and in which local-addr exists) can be specified. If vrf is not specified, it is the default VRF on the node. In DULL GRASP, the VRF is implied by the interface across which DULL GRASP operates.
• If local address is "any", the local address used when initiating a secure channel connection is decided by source address selection ([RFC 6724] for IPv6). As a responder, the connection listens on all addresses of the node in the selected VRF.
• Configuration of port is only required for methods where no defaults exist (e.g., "DTLS").
• If the remote address is "any", the connection is only a responder. It is a "hub" that can be used by multiple remote peers to connect simultaneously -- without having to know or configure their addresses, for example, a hub site for remote "spoke" sites reachable over the Internet.
• The pmtu parameter should be configurable to overcome issues or limitations of Path MTU Discovery (PMTUD).
• IKEv2/IPsec to remote peers should support the optional NAT Traversal (NAT-T) procedures.

• Section 9.1 describes the recommended capabilities of operator diagnostics of ACP nodes.
• Section 9.2 describes at a high level how an ACP registrar needs to work, what its configuration parameters are, and specific issues impacting the choices of deployment design due to renewal and revocation issues. It describes a model where ACP registrars have their own sub-CA to provide the most distributed deployment option for ACP registrars, and it describes considerations for centralized policy control of ACP registrar operations.
• Section 9.3 describes suggested ACP node behavior and operational interfaces (configuration options) to manage the ACP in so-called greenfield devices (previously unconfigured) and brownfield devices (preconfigured).

• Developing the logic to identify common issues requires operational experience with the components of the ANI. Letting each management system define its own analysis is inefficient.
• When the ANI is not operating correctly, it may not be possible to run diagnostics remotely because of missing connectivity. The ANI should therefore have diagnostic capabilities available locally on the nodes themselves.
• Certain operations are difficult or impossible to monitor in real time, such as initial bootstrap issues in a network location where no capabilities exist to attach local diagnostics. Therefore, it is important to also define how to capture (log) diagnostics locally for later retrieval. Ideally, these captures are also nonvolatile so that they can survive extended power-off conditions, for example, when a device that fails to be brought up zero-touch is sent for diagnostics at a more appropriate location.

• Check if the necessary configurations to make ACP/ANI operational are correct (see Section 9.3 for a discussion of such commands).
• Does the system time look reasonable, or could it be the default system time after battery failure of the clock chip? Certificate checks depend on reasonable notion of time.
• Does the node have keying material, such as domain certificate, TA certificates, etc.?
• If there is no keying material and the ANI is supported/enabled, check the state of BRSKI (not detailed in this example).
• Check the validity of the domain certificate:
  • Does the certificate validate against the TA?
  • Has it been revoked?
  • Was the last scheduled attempt to retrieve a CRL successful? (e.g., do we know that our CRL information is up to date?)
  • Is the certificate valid? The validity start time is in the past, and the expiration time is in the future?
  • Does the certificate have a correctly formatted acp-node-name field?
• Was the ACP VRF successfully created?
• Is ACP enabled on one or more interfaces that are up and running?

• Is the interface physically up? Does it have an IPv6 link-local address?
• Is it enabled for ACP?
• Do we successfully send DULL GRASP messages to the interface? (Are there link-layer errors?)
• Do we receive DULL GRASP messages on the interface? If not, some intervening L2 equipment performing bad MLD snooping could have caused problems. Provide, e.g., diagnostics of the MLD querier IPv6 and MAC address.
• Do we see the ACP objective in any DULL GRASP message from that interface? Diagnose the supported secure channel methods.
• Do we know the MAC address of the neighbor with the ACP objective? If not, diagnose SLAAC/ND state.
• When did we last attempt to build an ACP secure channel to the neighbor?
• If it failed:
  • Did the neighbor close the connection on us, or did we close the connection on it because the domain certificate membership failed?
  • If the neighbor closed the connection on us, provide any error diagnostics from the secure channel protocol.
  • If we failed the attempt, display our local reason:
    • There was no common secure channel protocol supported by the two neighbors (this could not happen on nodes supporting this specification because it mandates common support for IPsec).
    • Did the ACP certificate membership check (Section 6.2.3) fail?
      • The neighbor's certificate is not signed directly or indirectly by one of the node's TA. Provide diagnostics which TA it has (can identify whom the device belongs to).
      • The neighbor's certificate does not have the same domain (or no domain at all). Diagnose acp-domain-name and potentially other cert info.
      • The neighbor's certificate has been revoked or could not be authenticated by OCSP.
      • The neighbor's certificate has expired, or it is not yet valid.
  • Are there any other connection issues, e.g., IKEv2/IPsec, DTLS?

• Are there one or more active ACP neighbors with secure channels?
• Is RPL for the ACP running?
• Is there a default route to the root in the ACP routing table?
• Is there, for each direct ACP neighbor not reachable over the ACP virtual interface to the root, a route in the ACP routing table?
• Is ACP GRASP running?
• Is at least one "SRV.est" objective cached (to support certificate renewal)?
• Is there at least one BRSKI registrar objective cached? (If BRSKI is supported.)
• Is the BRSKI proxy operating normally on all interfaces where ACP is operating?

1. BRSKI does not allow for a neighboring device to identify the pledge's IDevID certificate. Only the selected BRSKI registrar can do this, but it may be difficult to disseminate information from those BRSKI registrars about undesired pledges to locations and/or nodes where information about those pledges is desired.
2. LLDP disseminates information about nodes, such as node model, type, and/or software and interface name and/or number of the connection, to their immediate neighbors. This information is often helpful or even necessary in network diagnostics. It can equally be considered too insecure to make this information available unprotected to all possible neighbors.

• A URL to the TA and credentials so that the ACP registrar can let the TA sign candidate ACP node certificates.
• The ACP domain name.
• The Registrar-ID to use. This could default to a MAC address of the ACP registrar.
• For recovery, the next usable Node-IDs for the Zone Addressing Sub-Scheme (Zone-ID 0) and for the Vlong Addressing Sub-Scheme (/112 and /120). These IDs would only need to be provisioned after recovering from a crash. Some other mechanism would be required to remember these IDs in a backup location or to recover them from the set of currently known ACP nodes.
• Policies on whether the candidate ACP nodes should receive a domain certificate or not, for example, based on the device's IDevID certificate as in BRSKI. The ACP registrar may whitelist or blacklist based on a device's "serialNumber" attribute [X.520] in the subject field distinguished name encoding of its IDevID certificate.
• Policies on what type of address prefix to assign to a candidate ACP device, likely based on the same information.
• For BRSKI or other mechanisms using vouchers: parameters to determine how to retrieve vouchers for specific types of secure bootstrap candidate ACP nodes (such as MASA URLs), unless this information is automatically learned, such as from the IDevID certificate of candidate ACP nodes (as defined in BRSKI).

1. The ACP registrar cannot directly assign certificates to nodes and therefore needs an "online" connection to the TA.
2. Recovery from a compromised ACP registrar is difficult. When an ACP registrar is compromised, it can insert, for example, a conflicting acp-node-name and thereby create an attack against other ACP nodes through the ACP routing protocol.

• Deciding which candidate ACP node is permitted or not permitted into an ACP domain. This may not be a decision to be made upfront, so that a policy per "serialNumber" attribute in the subject field distinguished name encoding can be loaded into every ACP registrar. Instead, it may better be decided in real time, potentially including a human decision in a NOC.
• Tracking all enrolled ACP nodes and their certificate information. For example, in support of revoking an individual ACP node's certificates.
• Needing more flexible policies as to which type of address prefix or even which specific address prefix to assign to a candidate ACP node.

• When ACP nodes do not support an autonomic way to receive an ACP certificate, for example, BRSKI, then such a certificate needs to be configured via some preexisting mechanisms outside the scope of this specification. Today, routers typically have a variety of mechanisms to do this.
• Certificate maintenance requires PKI functions. Discovery of these functions across the ACP is automated (see Section 6.2.5), but their configuration is not.
• When non-ACP-capable nodes such as preexisting NMS need to be physically connected to the ACP, the ACP node to which they attach needs to be configured with ACP connect according to Section 8.1. It is also possible to use that single physical connection to connect both to the ACP and the data plane of the network as explained in Section 8.1.4.
• When devices are not autonomically bootstrapped, explicit configuration to enable the ACP needs to be applied. See Section 9.3.
• When the ACP needs to be extended across interfaces other than L2, the ACP as defined in this document cannot auto-discover candidate neighbors automatically. Remote neighbors need to be configured, see Section 8.2.

• New neighbors will automatically join the ACP after successful validation and will become reachable using their unique ULA address across the ACP.
• When any changes happen in the topology, the routing protocol used in the ACP will automatically adapt to the changes and will continue to provide reachability to all nodes.
• The ACP tracks the validity of peer certificates and tears down ACP secure channels when a peer certificate has expired. When short-lived certificates with lifetimes on the order of OCSP/CRL refresh times are used, then this allows for removal of invalid peers (whose certificate was not renewed) at similar speeds as when using OCSP/CRL. The same benefit can be achieved when using CRL/OCSP, periodically refreshing the revocation information and also tearing down ACP secure channels when the peer's (long-lived) certificate is revoked. There is no requirement for ACP implementations to require this enhancement, though, in order to keep the mandatory implementations simpler.

• The usage of domain certificates depends on a valid supporting PKI infrastructure. If the chain of trust of this PKI infrastructure is compromised, the security of the ACP is also compromised. This is typically under the control of the network administrator.
• ACP nodes receive their certificates from ACP registrars. These ACP registrars are security-critical dependencies of the ACP. Procedures and protocols for ACP registrars are outside the scope of this specification as explained in Section 6.11.7.1; only the requirements for the resulting ACP certificates are specified.
• Every ACP registrar (for enrollment of ACP certificates) and ACP EST server (for renewal of ACP certificates) is a security-critical entity and its protocols are security-critical protocols. Both need to be hardened against attacks, similar to a CA and its protocols. A malicious registrar can enroll malicious nodes to an ACP network (if the CA delegates this policy to the registrar) or break ACP routing, for example, by assigning duplicate ACP addresses to ACP nodes via their ACP certificates.
• ACP nodes that are ANI nodes rely on BRSKI as the protocol for ACP registrars. For ANI-type ACP nodes, the security considerations of BRSKI apply. It enables automated, secure enrollment of ACP certificates.
• BRSKI and potentially other ACP registrar protocol options require that nodes have an (X.509 v3 based) IDevID. IDevIDs are an option for ACP registrars to securely identify candidate ACP nodes that should be enrolled into an ACP domain.
• For IDevIDs to securely identify the node to which its IDevID is assigned, the node needs (1) to utilize hardware support such as a Trusted Platform Module (TPM) to protect against extraction and/or cloning of the private key of the IDevID and (2) a hardware/software infrastructure to prohibit execution of unauthenticated software to protect against malicious use of the IDevID.
• Like the IDevID, the ACP certificate should equally be protected from extraction or other abuse by the same ACP node infrastructure. This infrastructure for IDevID and ACP certificate is beneficial independent of the ACP registrar protocol used (BRSKI or other).
• Renewal of ACP certificates requires support for EST; therefore, the security considerations of [RFC 7030] related to certificate renewal and/or rekeying and TP renewal apply to the ACP. EST security considerations when using other than mutual certificate authentication do not apply, nor do considerations for initial enrollment via EST apply, except for ANI-type ACP nodes because BRSKI leverages EST.
• A malicious ACP node could declare itself to be an EST server via GRASP across the ACP if malicious software could be executed on it. The CA should therefore authenticate only known trustworthy EST servers, such as nodes with hardware protections against malicious software. When registrars use their ACP certificate to authenticate towards a CA, the id-kp-cmcRA [RFC 6402] extended key usage attribute allows the CA to determine that the ACP node was permitted during enrollment to act as an ACP registrar. Without the ability to talk to the CA, a malicious EST server can still attract ACP nodes attempting to renew their keying material, but they will fail to perform successful renewal of a valid ACP certificate. The ACP node attempting to use the malicious EST server can then continue to use a different EST server and log a failure against a malicious EST server.
• Malicious on-path ACP nodes may filter valid EST server announcements across the ACP, but such malicious ACP nodes could equally filter any ACP traffic such as the EST traffic itself. Either attack requires the ability to execute malicious software on an impaired ACP node, though.
• In the absence of malicious software injection, an attacker that can misconfigure an ACP node that supports EST server functionality could attempt to configure a malicious CA. This would not result in the ability to successfully renew ACP certificates, but it could result in DoS attacks by becoming an EST server and by making ACP nodes attempt their ACP certificate renewal via this impaired ACP node. This problem can be avoided when the EST server implementation can verify that the configured CA is indeed providing renewal for certificates of the node's ACP. The ability to do so depends on the protocol between the EST server and the CA, which is outside the scope of this document.

[IKEV2IANA]

, "Internet Key Exchange Version 2 (IKEv2) Parameters",
<https://www.iana.org/assignments/ikev2-parameters>.

[RFC1034]

P.V. Mockapetris, "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.

[RFC2119]

S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC3810]

R. Vida, and L. Costa, "Multicast Listener Discovery Version 2 (MLDv2) for IPv6", RFC 3810, DOI 10.17487/RFC3810, June 2004,
<https://www.rfc-editor.org/info/rfc3810>.

[RFC4191]

R. Draves, and D. Thaler, "Default Router Preferences and More-Specific Routes", RFC 4191, DOI 10.17487/RFC4191, November 2005,
<https://www.rfc-editor.org/info/rfc4191>.

[RFC4193]

R. Hinden, and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
<https://www.rfc-editor.org/info/rfc4193>.

[RFC4291]

R. Hinden, and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006,
<https://www.rfc-editor.org/info/rfc4291>.

[RFC4301]

S. Kent, and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005,
<https://www.rfc-editor.org/info/rfc4301>.

[RFC4861]

T. Narten, E. Nordmark, W. Simpson, and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/info/rfc4861>.

[RFC4862]

S. Thomson, T. Narten, and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862, September 2007,
<https://www.rfc-editor.org/info/rfc4862>.

[RFC5234]

D. Crocker, and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>.

[RFC5246]

T. Dierks, and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.

[RFC5280]

D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.

[RFC5954]

V. Gurbani, B. Carpenter, and B. Tate, "Essential Correction for IPv6 ABNF and URI Comparison in RFC 3261", RFC 5954, DOI 10.17487/RFC5954, August 2010,
<https://www.rfc-editor.org/info/rfc5954>.

[RFC6347]

E. Rescorla, and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012,
<https://www.rfc-editor.org/info/rfc6347>.

[RFC6550]

T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, JP. Vasseur, and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks", RFC 6550, DOI 10.17487/RFC6550, March 2012,
<https://www.rfc-editor.org/info/rfc6550>.

[RFC6551]

JP. Vasseur, M. Kim, K. Pister, N. Dejean, and D. Barthel, "Routing Metrics Used for Path Calculation in Low-Power and Lossy Networks", RFC 6551, DOI 10.17487/RFC6551, March 2012,
<https://www.rfc-editor.org/info/rfc6551>.

[RFC6552]

P. Thubert, "Objective Function Zero for the Routing Protocol for Low-Power and Lossy Networks (RPL)", RFC 6552, DOI 10.17487/RFC6552, March 2012,
<https://www.rfc-editor.org/info/rfc6552>.

[RFC6553]

J. Hui, and JP. Vasseur, "The Routing Protocol for Low-Power and Lossy Networks (RPL) Option for Carrying RPL Information in Data-Plane Datagrams", RFC 6553, DOI 10.17487/RFC6553, March 2012,
<https://www.rfc-editor.org/info/rfc6553>.

[RFC7030]

M. Pritikin, P. Yee, and D. Harkins, "Enrollment over Secure Transport", RFC 7030, DOI 10.17487/RFC7030, October 2013,
<https://www.rfc-editor.org/info/rfc7030>.

[RFC7296]

C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014,
<https://www.rfc-editor.org/info/rfc7296>.

[RFC7525]

Y. Sheffer, R. Holz, and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015,
<https://www.rfc-editor.org/info/rfc7525>.

[RFC7676]

C. Pignataro, R. Bonica, and S. Krishnan, "IPv6 Support for Generic Routing Encapsulation (GRE)", RFC 7676, DOI 10.17487/RFC7676, October 2015,
<https://www.rfc-editor.org/info/rfc7676>.

[RFC8174]

B. Leiba, "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.

[RFC8221]

P. Wouters, D. Migault, J. Mattsson, Y. Nir, and T. Kivinen, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)", RFC 8221, DOI 10.17487/RFC8221, October 2017,
<https://www.rfc-editor.org/info/rfc8221>.

[RFC8247]

Y. Nir, T. Kivinen, P. Wouters, and D. Migault, "Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 8247, DOI 10.17487/RFC8247, September 2017,
<https://www.rfc-editor.org/info/rfc8247>.

[RFC8422]

Y. Nir, S. Josefsson, and M. Pegourie-Gonnard, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier", RFC 8422, DOI 10.17487/RFC8422, August 2018,
<https://www.rfc-editor.org/info/rfc8422>.

[RFC8446]

E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.

[RFC8610]

H. Birkholz, C. Vigano, and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019,
<https://www.rfc-editor.org/info/rfc8610>.

[RFC8990]

C Bormann, B Carpenter, and B Liu, "GeneRic Autonomic Signaling Protocol (GRASP)", RFC 8990, DOI 10.17487/RFC8990, May 2021,
<https://www.rfc-editor.org/info/rfc8990>.

[RFC8995]

M Pritikin, M Richardson, T Eckert, M Behringer, and K Watsen, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, May 2021,
<https://www.rfc-editor.org/info/rfc8995>.

[AR8021]

IEEE, "IEEE Standard for Local and metropolitan area networks - Secure Device Identity", IEEE 802.1AR,
<https://1.ieee802.org/security/802-1ar>.

[CABFORUM]

CA/Browser Forum, "Certificate Contents for Baseline SSL", Nov 2019,
<https://cabforum.org/baseline-requirements-certificate-contents/>.

[FCC]

FCC, "June 15, 2020 T-Mobile Network Outage Report", PS Docket No. 20-183, October 2020,
<https://docs.fcc.gov/public/attachments/DOC-367699A1.docx>.

[IEEE-1588-2008]

IEEE, "IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems", DOI 10.1109/IEEESTD.2008.4579760, IEEE 1588-2008, July 2008,
<https://standards.ieee.org/standard/1588-2008.html>.

[IEEE-802.1X]

IEEE, "IEEE Standard for Local and metropolitan area networks--Port-Based Network Access Control", DOI 10.1109/IEEESTD.2010.5409813, IEEE 802.1X-2010, February 2010,
<https://standards.ieee.org/standard/802_1X-2010.html>.

[LLDP]

IEEE, "IEEE Standard for Local and metropolitan area networks: Station and Media Access Control Connectivity Discovery", DOI 10.1109/IEEESTD.2016.7433915, IEEE 802.1AB-2016, March 2016,
<https://standards.ieee.org/standard/802_1AB-2016.html>.

[MACSEC]

IEEE, "IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security", DOI 10.1109/IEEESTD.2006.245590, IEEE 802.1AE-2006, August 2006,
<https://standards.ieee.org/standard/802_1AE-2006.html>.

[NOC-AUTOCONFIG]

Futurewei Technologies Inc., , "Autoconfiguration of NOC services in ACP networks via GRASP", Internet-Draft draft-eckert-anima-noc-autoconfig-00, July 2018,
<https://tools.ietf.org/html/draft-eckert-anima-noc-autoconfig-00>.

[OP-TECH]

Wikipedia, "Operational technology", October 2020,
<https://en.wikipedia.org/w/index.php?title=Operational_technology&oldid=986363045>.

[RFC1112]

S.E. Deering, "Host extensions for IP multicasting", STD 5, RFC 1112, DOI 10.17487/RFC1112, August 1989,
<https://www.rfc-editor.org/info/rfc1112>.

[RFC1492]

C. Finseth, "An Access Control Protocol, Sometimes Called TACACS", RFC 1492, DOI 10.17487/RFC1492, July 1993,
<https://www.rfc-editor.org/info/rfc1492>.

[RFC1654]

Y. Rekhter, and T. Li, "A Border Gateway Protocol 4 (BGP-4)", RFC 1654, DOI 10.17487/RFC1654, July 1994,
<https://www.rfc-editor.org/info/rfc1654>.

[RFC1918]

Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<https://www.rfc-editor.org/info/rfc1918>.

[RFC2315]

B. Kaliski, "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998,
<https://www.rfc-editor.org/info/rfc2315>.

[RFC2409]

D. Harkins, and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998,
<https://www.rfc-editor.org/info/rfc2409>.

[RFC2865]

C. Rigney, S. Willens, A. Rubens, and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000,
<https://www.rfc-editor.org/info/rfc2865>.

[RFC3164]

C. Lonvick, "The BSD Syslog Protocol", RFC 3164, DOI 10.17487/RFC3164, August 2001,
<https://www.rfc-editor.org/info/rfc3164>.

[RFC3315]

R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins, and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 2003,
<https://www.rfc-editor.org/info/rfc3315>.

[RFC3411]

D. Harrington, R. Presuhn, and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, DOI 10.17487/RFC3411, December 2002,
<https://www.rfc-editor.org/info/rfc3411>.

[RFC3596]

S. Thomson, C. Huitema, V. Ksinant, and M. Souissi, "DNS Extensions to Support IP Version 6", STD 88, RFC 3596, DOI 10.17487/RFC3596, October 2003,
<https://www.rfc-editor.org/info/rfc3596>.

[RFC3954]

B. Claise, "Cisco Systems NetFlow Services Export Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004,
<https://www.rfc-editor.org/info/rfc3954>.

[RFC4007]

S. Deering, B. Haberman, T. Jinmei, E. Nordmark, and B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, DOI 10.17487/RFC4007, March 2005,
<https://www.rfc-editor.org/info/rfc4007>.

[RFC4210]

C. Adams, S. Farrell, T. Kause, and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, DOI 10.17487/RFC4210, September 2005,
<https://www.rfc-editor.org/info/rfc4210>.

[RFC4364]

E. Rosen, and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February 2006,
<https://www.rfc-editor.org/info/rfc4364>.

[RFC4429]

N. Moore, "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429, DOI 10.17487/RFC4429, April 2006,
<https://www.rfc-editor.org/info/rfc4429>.

[RFC4541]

M. Christensen, K. Kimball, and F. Solensky, "Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches", RFC 4541, DOI 10.17487/RFC4541, May 2006,
<https://www.rfc-editor.org/info/rfc4541>.

[RFC4604]

H. Holbrook, B. Cain, and B. Haberman, "Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery Protocol Version 2 (MLDv2) for Source-Specific Multicast", RFC 4604, DOI 10.17487/RFC4604, August 2006,
<https://www.rfc-editor.org/info/rfc4604>.

[RFC4607]

H. Holbrook, and B. Cain, "Source-Specific Multicast for IP", RFC 4607, DOI 10.17487/RFC4607, August 2006,
<https://www.rfc-editor.org/info/rfc4607>.

[RFC4610]

D. Farinacci, and Y. Cai, "Anycast-RP Using Protocol Independent Multicast (PIM)", RFC 4610, DOI 10.17487/RFC4610, August 2006,
<https://www.rfc-editor.org/info/rfc4610>.

[RFC4985]

S. Santesson, "Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name", RFC 4985, DOI 10.17487/RFC4985, August 2007,
<https://www.rfc-editor.org/info/rfc4985>.

[RFC5790]

H. Liu, W. Cao, and H. Asaeda, "Lightweight Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery Version 2 (MLDv2) Protocols", RFC 5790, DOI 10.17487/RFC5790, February 2010,
<https://www.rfc-editor.org/info/rfc5790>.

[RFC5880]

D. Katz, and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010,
<https://www.rfc-editor.org/info/rfc5880>.

[RFC5905]

D. Mills, J. Martin, J. Burbank, and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>.

[RFC5912]

P. Hoffman, and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/info/rfc5912>.

[RFC6120]

P. Saint-Andre, "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, March 2011,
<https://www.rfc-editor.org/info/rfc6120>.

[RFC6241]

R. Enns, M. Bjorklund, J. Schoenwaelder, and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.

[RFC6335]

M. Cotton, L. Eggert, J. Touch, M. Westerlund, and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, RFC 6335, DOI 10.17487/RFC6335, August 2011,
<https://www.rfc-editor.org/info/rfc6335>.

[RFC6402]

J. Schaad, "Certificate Management over CMS (CMC) Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011,
<https://www.rfc-editor.org/info/rfc6402>.

[RFC6407]

B. Weis, S. Rowles, and T. Hardjono, "The Group Domain of Interpretation", RFC 6407, DOI 10.17487/RFC6407, October 2011,
<https://www.rfc-editor.org/info/rfc6407>.

[RFC6554]

J. Hui, JP. Vasseur, D. Culler, and V. Manral, "An IPv6 Routing Header for Source Routes with the Routing Protocol for Low-Power and Lossy Networks (RPL)", RFC 6554, DOI 10.17487/RFC6554, March 2012,
<https://www.rfc-editor.org/info/rfc6554>.

[RFC6724]

D. Thaler, R. Draves, A. Matsumoto, and T. Chown, "Default Address Selection for Internet Protocol Version 6 (IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012,
<https://www.rfc-editor.org/info/rfc6724>.

[RFC6733]

V. Fajardo, J. Arkko, J. Loughney, and G. Zorn, "Diameter Base Protocol", RFC 6733, DOI 10.17487/RFC6733, October 2012,
<https://www.rfc-editor.org/info/rfc6733>.

[RFC6762]

S. Cheshire, and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.

[RFC6763]

S. Cheshire, and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.

[RFC6824]

A. Ford, C. Raiciu, M. Handley, and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
<https://www.rfc-editor.org/info/rfc6824>.

[RFC6830]

D. Farinacci, V. Fuller, D. Meyer, and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013,
<https://www.rfc-editor.org/info/rfc6830>.

[RFC7011]

B. Claise, B. Trammell, and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013,
<https://www.rfc-editor.org/info/rfc7011>.

[RFC7404]

M. Behringer, and E. Vyncke, "Using Only Link-Local Addressing inside an IPv6 Network", RFC 7404, DOI 10.17487/RFC7404, November 2014,
<https://www.rfc-editor.org/info/rfc7404>.

[RFC7426]

E. Haleplidis, K. Pentikousis, S. Denazis, J. Hadi Salim, D. Meyer, and O. Koufopavlou, "Software-Defined Networking (SDN): Layers and Architecture Terminology", RFC 7426, DOI 10.17487/RFC7426, January 2015,
<https://www.rfc-editor.org/info/rfc7426>.

[RFC7435]

V. Dukhovni, "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014,
<https://www.rfc-editor.org/info/rfc7435>.

[RFC7575]

M. Behringer, M. Pritikin, S. Bjarnason, A. Clemm, B. Carpenter, S. Jiang, and L. Ciavaglia, "Autonomic Networking: Definitions and Design Goals", RFC 7575, DOI 10.17487/RFC7575, June 2015,
<https://www.rfc-editor.org/info/rfc7575>.

[RFC7576]

S. Jiang, B. Carpenter, and M. Behringer, "General Gap Analysis for Autonomic Networking", RFC 7576, DOI 10.17487/RFC7576, June 2015,
<https://www.rfc-editor.org/info/rfc7576>.

[RFC7585]

S. Winter, and M. McCauley, "Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)", RFC 7585, DOI 10.17487/RFC7585, October 2015,
<https://www.rfc-editor.org/info/rfc7585>.

[RFC7721]

A. Cooper, F. Gont, and D. Thaler, "Security and Privacy Considerations for IPv6 Address Generation Mechanisms", RFC 7721, DOI 10.17487/RFC7721, March 2016,
<https://www.rfc-editor.org/info/rfc7721>.

[RFC7761]

B. Fenner, M. Handley, H. Holbrook, I. Kouvelas, R. Parekh, Z. Zhang, and L. Zheng, "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, March 2016,
<https://www.rfc-editor.org/info/rfc7761>.

[RFC7950]

M. Bjorklund, "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.

[RFC8028]

F. Baker, and B. Carpenter, "First-Hop Router Selection by Hosts in a Multi-Prefix Network", RFC 8028, DOI 10.17487/RFC8028, November 2016,
<https://www.rfc-editor.org/info/rfc8028>.

[RFC8126]

M. Cotton, B. Leiba, and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.

[RFC8316]

J. Nobre, L. Granville, A. Clemm, and A. Gonzalez Prieto, "Autonomic Networking Use Case for Distributed Detection of Service Level Agreement (SLA) Violations", RFC 8316, DOI 10.17487/RFC8316, February 2018,
<https://www.rfc-editor.org/info/rfc8316>.

[RFC8366]

K. Watsen, M. Richardson, M. Pritikin, and T. Eckert, "A Voucher Artifact for Bootstrapping Protocols", RFC 8366, DOI 10.17487/RFC8366, May 2018,
<https://www.rfc-editor.org/info/rfc8366>.

[RFC8368]

T. Eckert, and M. Behringer, "Using an Autonomic Control Plane for Stable Connectivity of Network Operations, Administration, and Maintenance (OAM)", RFC 8368, DOI 10.17487/RFC8368, May 2018,
<https://www.rfc-editor.org/info/rfc8368>.

[RFC8398]

A. Melnikov, and W. Chuang, "Internationalized Email Addresses in X.509 Certificates", RFC 8398, DOI 10.17487/RFC8398, May 2018,
<https://www.rfc-editor.org/info/rfc8398>.

[RFC8402]

C. Filsfils, S. Previdi, L. Ginsberg, B. Decraene, S. Litkowski, and R. Shakir, "Segment Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, July 2018,
<https://www.rfc-editor.org/info/rfc8402>.

[RFC8572]

K. Watsen, I. Farrer, and M. Abrahamsson, "Secure Zero Touch Provisioning (SZTP)", RFC 8572, DOI 10.17487/RFC8572, April 2019,
<https://www.rfc-editor.org/info/rfc8572>.

[RFC8684]

A. Ford, C. Raiciu, M. Handley, O. Bonaventure, and C. Paasch, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 8684, DOI 10.17487/RFC8684, March 2020,
<https://www.rfc-editor.org/info/rfc8684>.

[RFC8739]

Y. Sheffer, D. Lopez, O. Gonzalez de Dios, A. Pastor Perales, and T. Fossati, "Support for Short-Term, Automatically Renewed (STAR) Certificates in the Automated Certificate Management Environment (ACME)", RFC 8739, DOI 10.17487/RFC8739, March 2020,
<https://www.rfc-editor.org/info/rfc8739>.

[RFC8981]

F. Gont, S. Krishnan, T. Narten, and R. Draves, "Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6", RFC 8981, DOI 10.17487/RFC8981, February 2021,
<https://www.rfc-editor.org/info/rfc8981>.

[RFC8992]

S Jiang, Z Du, B Carpenter, and Q Sun, "Autonomic IPv6 Edge Prefix Management in Large-Scale Networks", RFC 8992, DOI 10.17487/RFC8992, May 2021,
<https://www.rfc-editor.org/info/rfc8992>.

[RFC8993]

M Behringer, B Carpenter, T Eckert, L Ciavaglia, and J Nobre, "A Reference Model for Autonomic Networking", RFC 8993, DOI 10.17487/RFC8993, May 2021,
<https://www.rfc-editor.org/info/rfc8993>.

[ROLL-APPLICABILITY]

M Richardson, "ROLL Applicability Statement Template", Internet-Draft draft-ietf-roll-applicability-template-09, May 2016,
<https://tools.ietf.org/html/draft-ietf-roll-applicability-template-09>.

[SR]

Wikipedia, "Single-root input/output virtualization", September 2020,
<https://en.wikipedia.org/w/index.php?title=Single-root_input/output_virtualization&oldid=978867619>.

[TLS-DTLS13]

Google, Inc., , , and , "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-dtls13-43, April 2021,
<https://tools.ietf.org/html/draft-ietf-tls-dtls13-43>.

[X.509]

ITU-T, "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks", ITU-T Recommendation X.509, October 2016,
<https://www.itu.int/rec/T-REC-X.509>.

[X.520]

ITU-T, "Information technology - Open Systems Interconnection - The Directory: Selected attribute types", ITU-T Recommendation X.520, October 2016,
<https://www.itu.int/rec/T-REC-X.520>.

• Self-management: the ACP must build automatically, without human intervention. Therefore, the routing protocol must also work completely automatically. RPL is a simple, self-managing protocol, which does not require zones or areas; it is also self-configuring, since configuration is carried as part of the protocol (see Section 6.7.6 of RFC 6550).
• Scale: the ACP builds over an entire domain, which could be a large enterprise or service provider network. The routing protocol must therefore support domains of 100,000 nodes or more, ideally without the need for zoning or separation into areas. RPL has this scale property. This is based on extensive use of default routing.
• Low resource consumption: the ACP supports traditional network infrastructure, thus runs in addition to traditional protocols. The ACP, and specifically the routing protocol, must have low resource consumption requirements, both in terms of memory and CPU. Specifically, at edge nodes, where memory and CPU are scarce, consumption should be minimal. RPL builds a DODAG, where the main resource consumption is at the root of the DODAG. The closer to the edge of the network, the less state needs to be maintained. This adapts nicely to the typical network design. Also, all changes below a common parent node are kept below that parent node.
• Support for unstructured address space: in the ANI, node addresses are identifiers, they and may not be assigned in a topological way. Also, nodes may move topologically, without changing their address. Therefore, the routing protocol must support completely unstructured address space. RPL is specifically made for mobile, ad hoc networks, with no assumptions on topologically aligned addressing.
• Modularity: to keep the initial implementation small, yet allow for more complex methods later, it is highly desirable that the routing protocol has a simple base functionality, but can import new functional modules if needed. RPL has this property with the concept of "Objective Function", which is a plugin to modify routing behavior.
• Extensibility: since the ANI is a new concept, it is likely that changes to the way of operation will happen over time. RPL allows for new Objective Functions to be introduced later, which allow changes to the way the routing protocol creates the DAGs.
• Multi-topology support: it may become necessary in the future to support more than one DODAG for different purposes, using different Objective Functions. RPL allow for the creation of several parallel DODAGs should this be required. This could be used to create different topologies to reach different roots.
• No need for path optimization: RPL does not necessarily compute the optimal path between any two nodes. However, the ACP does not require this today, since it carries mainly delay-insensitive feedback loops. It is possible that different optimization schemes will become necessary in the future, but RPL can be expanded (see above).

1. Consider if LLDP should be a recommended functionality for ANI devices to improve diagnostics, and if so, which information elements it should signal (noting that such information is conveyed in an insecure manner). This includes potentially new information elements.
2. As an alternative to LLDP, a DULL GRASP diagnostics objective could be defined to carry these information elements.
3. The IDevID certificate of BRSKI pledges should be included in the selected insecure diagnostics option. This may be undesirable when exposure of device information is seen as too much of a security issue (the ability to deduce possible attack vectors from device model, for example).
4. A richer set of diagnostics information should be made available via the secured ACP channels, using either single-hop GRASP or network-wide "topology discovery" mechanisms.

Brian Carpenter

Michael C. Richardson

Pascal Thubert

Toerless Eckert

Michael H. Behringer

Steinthor Bjarnason