GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc1125

Network Working Group D. Estrin Request for Comments: 1125 USC Computer Science Department

                                                         November 1989
    POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING

1 STATUS OF THIS MEMO

 The purpose of this memo is to focus discussion on particular
 problems in the Internet and possible methods of solution.  No
 proposed solutions in this document are intended as standards for the
 Internet.  Rather, it is hoped that a general consensus will emerge
 as to the appropriate solution to such problems, leading eventually
 to the development and adoption of standards.  Distribution of this
 memo is unlimited.

2 ABSTRACT

 Efforts are now underway to develop a new generation of routing
 protocol that will allow each Administrative Domain (AD) in the
 growing Internet (and internets in general) to independently express
 and enforce policies regarding the flow of packets to, from, and
 through its resources. (FOOTNOTE 1: The material presented here
 incorporates discussions held with members of the IAB Autonomous
 Networks Research Group and the Open Routing Working Group.)  This
 document articulates the requirements for policy based routing and
 should be used as input to the functional specification and
 evaluation of proposed protocols.
 Two critical assumptions will shape the type of routing mechanism
 that is devised: (1) the topological organization of ADs, and (2) the
 type and variability of policies expressed by ADs.  After justifying
 our assumptions regarding AD topology we present a taxonomy, and
 specific examples, of policies that must be supported by a PR
 protocol.  We conclude with a brief discussion of policy routing
 mechanisms proposed in previous RFCs (827, 1102, 1104, 1105).  Future
 RFCs will elaborate on the architecture and protocols needed to
 support the requirements presented here.

3 BACKGROUND

 The Research Internet has evolved from a single backbone wide area
 network with many connected campus networks, to an internet with
 multiple cross-country backbones, regional access networks, and a
 profusion of campus networks. (FOOTNOTE 2: The term Research Internet
 refers to a collection of government, university, and some private
 company, networks that are used by researchers to access shared

Estrin [Page 1] RFC 1125 Policy Requirements November 1989

 computing resources (e.g., supercomputers), and for research related
 information exchange (e.g., distribution of software, technical
 documents, and email). The networks that make up the Research
 Internet run the DOD Internet Protocol [1].)  At times during its
 development the Research Internet topology appeared somewhat chaotic.
 Overlapping facilities and lateral (as opposed to hierarchical)
 connections seemed to be the rule rather than the exception.  Today
 the Research Internet topology is becoming more regular through
 coordination of agency investment and adoption of a hierarchy similar
 to that of the telephone networks'.  The result is several
 overlapping wide area backbones connected to regional networks, which
 in turn connect to campus networks at universities, research
 laboratories, and private companies. However, the telephone network
 has lateral connections only at the highest level, i.e., between long
 haul carriers.  In the Research Internet there exist lateral
 connections at each level of the hierarchy, i.e., between campus (and
 regional) networks as well.
 Additional complexity is introduced in the Research Internet by
 virtue of connections to private networks. Many private companies are
 connected to the Research Internet for purposes of research or
 support activities. These private companies connect in the same
 manner as campuses, via a regional network or via lateral links to
 other campuses. However, many companies have their own private wide
 area networks which physically overlap with backbone and/or regional
 networks in the research internet, i.e., private vertical bypass
 links.
 Implicit in this complex topology are organizational boundaries.
 These boundaries define Administrative Domains (ADs) which preclude
 the imposition of a single, centralized set of policies on all
 resources.  The subject of this paper is the policy requirements for
 resource usage control in the Research Internet.
 In the remainder of this section we describe the policy routing
 problem in very general terms. Section 4 examines the constraints and
 requirements that makes the problem challenging, and leads us to
 conclude that a new generation of routing and resource control
 protocols are needed. Section 5 provides more detail on our
 assumptions as to the future topology and configuration of
 interconnected ADs. We return to the subject of policy requirements
 in Section 7 and categorize the different types of policies that ADs
 in the research internet may want to enforce.  Included in this
 section are examples of FRICC policy statements.  (FOOTNOTE 3: The
 Federal Research Internet Coordinating Committee (FRICC) is made up
 of representatives of each of the major agencies that are involved in
 networking. They have been very effective in coordinating their
 efforts to eliminate inefficient redundancy and have proposed a plan

Estrin [Page 2] RFC 1125 Policy Requirements November 1989

 for the next 10 years of internetworking for the government,
 scientific, and education community [2].)  Section 7 identifies types
 of policy statements that are problematic to enforce due to their
 dynamics, granularity, or performance implications. Several proposed
 mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105)
 are discussed briefly in Section 8. Future RFCs will elaborate on the
 architecture and protocols needed to support the requirements
 presented here.

3.1 POLICY ROUTING

 Previous protocols such as the Exterior Gateway Protocol (EGP)[3]
 embodied a limited notion of policy and ADs. In particular,
 autonomous system boundaries constrained the flow of routing database
 information, and only indirectly affected the flow of packets
 themselves.  We consider an Administrative Domain (AD) to be a set of
 hosts and network resources (gateways, links, etc.) that is governed
 by common policies.  In large internets that cross organization
 boundaries, e.g., the Research Internet, inter-AD routes must be
 selected according to policy-related parameters such as cost and
 access rights, in addition to the traditional parameters of
 connectivity and congestion. In other words, Policy Routing (PR) is
 needed to navigate through the complex web of policy boundaries
 created by numerous interconnected ADs. Moreover, each AD has its own
 privileges and perspective and therefore must make its own evaluation
 of legal and preferred routes.  Efforts are now underway to develop a
 new generation of routing protocol that will allow each AD to
 independently express and enforce policies regarding the flow of
 packets to, from, and through its resources [4].  (FOOTNOTE 4:  These
 issues are under investigation by the IAB Autonomous Networks
 Research Group and the IAB Open Routing Working Group. For further
 information contact the author.)
 The purpose of this paper is to articulate the requirements for such
 policy based routing. Two critical assumptions will shape the type of
 routing mechanism that is devised:
  • The topological organization of ADs, and
  • The type and variability of policies expressed by ADs.
 We make use of the policies expressed by owners of current Research
 Internet resources and private networks connected to the Research
 Internet to generalize types of policies that must be supported. This
 top down effort must be done with attention to the technical
 implications of the policy statements if the result is to be useful
 in guiding technical development. For example, some ADs express the
 desire to enforce local constraints over how packets travel to their
 destination. Other ADs are only concerned with preventing use of

Estrin [Page 3] RFC 1125 Policy Requirements November 1989

 their own network resources by restricting transit.  Still other ADs
 are concerned primarily with recovering the expense of carrying
 traffic and providing feedback to users so that users will limit
 their own data flows; in other words they are concerned with
 charging.  We refer to ADs whose primary concern is communication to
 and from hosts within their AD as stub and to ADs whose primary
 concern is carrying packets to and from other ADs as transit}.  If we
 address control of transit alone, for example, the resulting
 mechanisms will not necessarily allow an AD to control the flow of
 its packets from source to destination, or to implement flexible
 charging schemes.  (FOOTNOTE 5: Gene Tsudik uses the analogy of
 international travel to express the need for source and transit
 controls. Each country expresses its own policies about travel to and
 through its land.  Travel through one country enroute to another is
 analogous to transit traffic in the network world. A traveler
 collects policy information from each of the countries of interest
 and plans an itinerary that conforms to those policies as well as the
 preferences of the traveler and his/her home nation.  Thus there is
 both source and transit region control of routing.)  Our purpose is
 to articulate a comprehensive set of requirements for PR as input to
 the functional specification, and evaluation, of proposed protocols.

4 WHY THE PROBLEM IS DIFFICULT

 Before proceeding with our description of topology and policy
 requirements this section outlines several assumptions and
 constraints, namely: the lack of global authority, the need to
 support network resource sharing as well as network interconnection,
 the complex and dynamic mapping of users to ADs and privileges, and
 the need for accountability across ADs.  These assumptions limit the
 solution space and raise challenging technical issues.
 The purpose of policy based routing is to allow ADs to interconnect
 and share computer and network resources in a controlled manner.
 Unlike many other problems of resource control, there is no global
 authority. Each AD defines its own policies with respect to its own
 traffic and resources. However, while we assume no global authority,
 and no global policies, we recognize that complete autonomy implies
 no dependence and therefore no communication.  The multi-organization
 internets addressed here have inherent regions of autonomy, as well
 as requirements for interdependence. Our mechanisms should allow ADs
 to design their boundaries, instead of requiring that the boundaries
 be either impenetrable or eliminated.
 One of the most problematic aspects of the policy routing
 requirements identified here is the need to support both network
 resource sharing and interconnection across ADs. An example of
 resource sharing is two ADs (e.g., agencies, divisions, companies)

Estrin [Page 4] RFC 1125 Policy Requirements November 1989

 sharing network resources (e.g., links, or gateways and links) to
 take advantage of economies of scale.  Providing transit services to
 external ADs is another example of network resource sharing.
 Interconnection is the more common example of ADs interconnecting
 their independently used network resources to achieve connectivity
 across the ADs, i.e., to allow a user in one AD to communicate with
 users in another AD. In some respects, network resource control is
 simpler than network interconnection control since the potential
 dangers are fewer (i.e., denial of service and loss of revenue as
 compared with a wide range of attacks on end systems through network
 interconnection). However, controlled network resource sharing is
 more difficult to support.  In an internet a packet may travel
 through a number of transit ADs on its way to the destination.
 Consequently, policies from all transit ADs must be considered when a
 packet is being sent, whereas for stub-AD control only the policies
 of the two end point ADs have to be considered. In other words,
 controlled network resource sharing and transit require that policy
 enforcement be integrated into the routing protocols themselves and
 can not be left to network control mechanisms at the end points.
 (FOOTNOTE 6&7: Another difference is that in the interconnect case,
 traffic traveling over AD A's network resources always has a member
 of AD A as its source or destination (or both).  Under resource
 sharing arrangements members of both AD A and B are connected to the
 same resources and consequently intra-AD traffic (i.e., packets
 sourced and destined for members of the same AD) travels over the
 resources. This distinction is relevant to the writing of policies in
 terms of principal affiliation.  Economies of scale is one motivation
 for resource sharing. For example, instead of interconnecting
 separately to several independent agency networks, a campus network
 may interconnect to a shared backbone facility.  Today,
 interconnection is achieved through a combination of AD specific and
 shared arrangements. We expect this mixed situation to persist for
 "well-connected" campuses for reasons of politics, economics, and
 functionality (e.g., different characteristics of the different
 agency-networks). See Section 5 for more discussion.)
 Complications also result from the fact that legitimate users of an
 AD's resources are not all located in that AD. Many users (and their
 computers) who are funded by, or are affiliated with, a particular
 agency's program reside within the AD of the user's university or
 research laboratory.  They reside in a campus AD along with users who
 are legitimate users of other AD resources.  Moreover, any one person
 may be a legitimate user of multiple AR resources under varying
 conditions and constraints (see examples in Section 6). In addition,
 users can move from one AD to another. In other words, a user's
 rights can not be determined solely based on the AD from which the
 user's communications originate.  Consequently, PR must not only
 identify resources, it must identify principals and associate

Estrin [Page 5] RFC 1125 Policy Requirements November 1989

 different capabilities and rights with different principals.  (The
 term principal is taken from the computer security community[7].)
 One way of reducing the compromise of autonomy associated with
 interconnection is to implement mechanisms that assure
 accountability} for resources used. Accountability may be enforced a
 priori, e.g., access control mechanisms applied before resource usage
 is permitted.  Alternatively, accountability may be enforced after
 the fact, e.g., record keeping or metering that supports detection
 and provides evidence to third parties (i.e., non-repudiation).
 Accountability mechanisms can also be used to provide feedback to
 users as to consumption of resources. Internally an AD often decides
 to do away with such feedback under the premise that communication is
 a global good and should not be inhibited. There is not necessarily a
 "global good" across AD boundaries. Therefore, it becomes more
 appropriate to have resource usage visible to users, whether or not
 actual charging for usage takes place.  Another motivation that
 drives the need for accountability across AD boundaries is the
 greater variability in implementations. Different implementations of
 a single network protocol can vary greatly as to their efficiency
 [8].  We can not assume control over implementation across AD
 boundaries.  Feedback mechanisms such as metering (and charging in
 some cases) would introduce a concrete incentive for ADs to employ
 efficient and correct implementations.  PR should allow an AD to
 advertise and apply such accounting measures to inter-AD traffic.
 In summary, the lack of global authority, the need to support network
 resource sharing as well as network interconnection, the complex and
 dynamic mapping of users to ADs and rights, and the need for
 accountability across ADs, are characteristics of inter-AD
 communications which must be taken into account in the design of both
 policies and supporting technical mechanisms.

5 TOPOLOGY MODEL OF INTERNET

 Before discussing policies per se, we outline our model of inter-AD
 topology and how it influences the type of policy support required.
 Most members of the Internet community agree that the future Internet
 will connect on the order of 150,000,000 termination points and
 100,000 ADs. However, there are conflicting opinions as to the AD
 topology for which we must design PR mechanisms.  The informal
 argument is described here.
 SIMPLE AD TOPOLOGY AND POLICY MODEL Some members of the Internet
 community believe that the current complex topology of interconnected
 ADs is a transient artifact resulting from the evolutionary nature of
 the Research Internet's history.  (FOOTNOTE 9: David Cheriton of
 Stanford University articulated this side of the argument at an

Estrin [Page 6] RFC 1125 Policy Requirements November 1989

 Internet workshop in Santa Clara, January, 1989). The critical points
 of this argument relate to topology and policy. They contend that in
 the long term the following three conditions will prevail:
  • The public carriers will provide pervasive, competitively

priced, high speed data services.

  • The resulting topology of ADs will be

stub (not transit) ADs connected to regional

   backbones, which in turn interconnect via multiple,
   overlapping long haul backbones, i.e., a  hierarchy with
   no lateral connections between stub-ADs or regionals,
   and no vertical bypass links.
  • The policy requirements of the backbone and stub-ADs

will be based only on charging for resource usage at the

   stub-AD to backbone-AD boundary, and to settling accounts
   between neighboring backbone providers (regional to long haul,
   and long haul to long haul).
 Under these assumptions, the primary requirement for general AD
 interconnect is a metering and charging protocol. The routing
 decision can be modeled as a simple least cost path with the metric
 in dollars and cents. In other words, restrictions on access to
 transit services will be minimal and the functionality provided by
 the routing protocol need not be changed significantly from current
 day approaches.
 COMPLEX AD TOPOLOGY AND POLICY MODEL The counter argument is that a
 more complex AD topology will persist. (FOOTNOTE 10:  Much of the
 remainder of this paper attempts to justify and provide evidence for
 this statement.) The different assumptions about AD topology lead to
 the significantly different assumptions about AD policies.
 This model assumes that the topology of ADs will in many respects
 agree with the previous model of increased commercial carrier
 participation and resulting hierarchical structure. However, we
 anticipate unavoidable and persistent exceptions to the hierarchy.
 We assume that there will be a relatively small number of long haul
 transit ADs (on the order of 100), but that there may be tens of
 thousands of regional ADs and hundreds of thousands of stub ADs
 (e.g., campuses, laboratories, and private companies).  The competing
 long haul offerings will differ, both in the services provided and in
 their packaging and pricing.  Regional networks will overlap less and
 will connect campus and private company networks. However, many
 stub-ADs will retain some private lateral links for political,
 technical, and reliability reasons.  For example, political
 incentives cause organizations to invest in bypass links that are not

Estrin [Page 7] RFC 1125 Policy Requirements November 1989

 always justifiable on a strict cost comparison basis; specialized
 technical requirements cause organizations to invest in links that
 have characteristics (e.g., data rate, delay, error, security) not
 available from public carriers at a competitive rate; and critical
 requirements cause organizations to invest in redundant back up links
 for reliability reasons.  These exceptions to the otherwise regular
 topology are not dispensible. They will persist and must be
 accommodated, perhaps at the expense of optimality; see Section 5 for
 more detail.  In addition, many private companies will retain their
 own private long haul network facilities. (FOOTNOTE 11:  While
 private voice networks also exist, private data networks are more
 common.  Voice requirements are more standardized because voice
 applications are more uniform than are data applications, and
 therefore the commercial services more often have what the voice
 customer wants at a price that is competitive with the private
 network option. Data communication requirements are still more
 specialized and dynamic.  Thus, there is less opportunity for economy
 of scale in service offerings and it is harder to keep up to date
 with customer demand. For this reason we expect private data networks
 to persist for the near future. As the telephone companies begin to
 introduce the next generation of high speed packet switched services,
 the scenario should change. However, we maintain that the result will
 be a predominance, but not complete dominance, of public carrier use
 for long haul communication.  Therefore, private data networks will
 persist and the routing architecture must accommodate controlled
 interconnection.)  Critical differences between the two models follow
 from the difference in assumptions regarding AD topology. In the
 complex case, lateral connections must be supported, along with the
 means to control the use of such connections in the routing
 protocols.
 The different topologies imply different policy requirements.  The
 first model assumes that all policies can be expressed and enforced
 in terms of dollars and cents and distributed charging schemes. The
 second model assumes that ADs want more varied control over their
 resources, control that can not be captured in a dollars and cents
 metric alone. We describe the types of policies to be supported and
 provide examples in the following section, Section 6. In brief, given
 private lateral links, ADs must be able to express access and
 charging related restrictions and privileges that discriminate on an
 AD basis.  These policies will be diverse, dynamic, and new
 requirements will emerge over time, consequently support must be
 extensible.  For example, the packaging and charging schemes of any
 single long haul service will vary over time and may be relatively
 elaborate (e.g., many tiers of service, special package deals, to
 achieve price discrimination).
 Note that these assumptions about complexity do not preclude some

Estrin [Page 8] RFC 1125 Policy Requirements November 1989

 collection of ADs from "negotiating away" their policy differences,
 i.e., forming a federation, and coordinating a simplified inter-AD
 configuration in order to reduce the requirements for inter-AD
 mechanisms.  However, we maintain that there will persist collections
 of ADs that will not and can not behave as a single federation; both
 in the research community and, even more predominantly, in the
 broader commercial arena.  Moreover, when it comes to interconnecting
 across these federations, non-negotiable differences will arise
 eventually.  It is our goal to develop mechanisms that are applicable
 in the broader arena.
 The Internet community developed its original protocol suite with
 only minimal provision for resource control [9].  This was
 appropriate at the time of development based on the assumed community
 (i.e., researchers) and the ground breaking nature of the technology.
 The next generation of network technology is now being designed to
 take advantage of high speed media and to support high demand traffic
 generated by more powerful computers and their applications [10].  As
 with TCP/IP we hope that the technology being developed will find
 itself applied outside of the research community. This time it would
 be inexcusable to ignore resource control requirements and not to pay
 careful attention to their specification.
 Finally, we look forward to the Internet structure taking advantage
 of economies of scale offered by enhanced commercial services.
 However, in many respects the problem that stub-ADs may thus avoid,
 will be faced by the multiple regional and long haul carriers
 providing the services. The carriers' charging and resource control
 policies will be complex enough to require routing mechanisms similar
 to ones being proposed for the complex AD topology case described
 here.  Whether the network structure is based on private or
 commercial services, the goal is to construct policy sensitive
 mechanisms that will be transparent to end users (i.e., the
 mechanisms are part of the routing infrastructure at the network
 level, and not an end to end concern).

6 POLICY TYPES

 This section outlines a taxonomy of internet policies for inter-AD
 topologies that allow lateral and bypass links.  The taxonomy is
 intended to cover a wide range of ADs and internets. Any particular
 PR architecture we design should support a significant subset of
 these policy types but may not support all of them due to technical
 complexity and performance considerations.  The general taxonomy is
 important input to a functional specification for PR. Moreover, it
 can be used to evaluate and compare the suitability and completeness
 of existing routing architectures and protocols for PR; see Section
 8.

Estrin [Page 9] RFC 1125 Policy Requirements November 1989

 We provide examples from the Research Internet of the different
 policy types in the form of resource usage policy statements. These
 statements were collected through interviews with agency
 representatives, but they do not represent official policy. These
 sample policy statements should not} be interpreted as agency policy,
 they are provided here only as examples.
 Internet policies fall into two classes, access and charging.  Access
 policies specify who can use resources and under what conditions.
 Charging policies specify the metering, accounting, and billing
 implemented by a particular AD.

6.1 TAXONOMY OF ACCESS POLICIES

 We have identified the following types of access policies that ADs
 may wish to enforce. Charging policies are described in the
 subsequent section. Section 6.3 provides more specific examples of
 both access and charging policies using FRICC policy statements.
 Access policies typically are expressed in the form: principals of
 type x can have access to resources of type y under the following
 conditions, z. The policies are categorized below according to the
 definition of y and z.  In any particular instance, each of the
 policy types would be further qualified by definition of legitimate
 principals, , x, i.e., what characteristics x must have in order to
 access the resource in question.
 We refer to access policies described by stub and transit ADs.  The
 two roles imply different motivations for resource control, however
 the types of policies expressed are similar; we expect the supporting
 mechanisms to be common as well.
 Stub and transit access policies may specify any of the following
 parameters:
  • SOURCE/DESTINATION

Source/Destination policies prevent or restrict communication

 originated by or destined for particular ADs (or hosts or user
 classes within an AD).
  • PATH

Path sensitive policies specify which ADs may or may not be passed

 through en route to a destination. The most general path sensitive
 policies allow stub and transit ADs to express policies that depend
 on any component in the AD path. In other words, a stub AD could
 reject a route based on any AD (or combination of ADs) in the route.
 Similarly, a transit AD could express a packet forwarding policy that
 behaves differently depending upon which ADs a packet has passed

Estrin [Page 10] RFC 1125 Policy Requirements November 1989

 through, and is going to pass through, en route to the destination.
 Less ambitious (and perhaps more reasonable) path sensitive policies
 might only discriminate according to the immediate neighbor ADs
 through which the packet is traveling (i.e., a stub network could
 reject a route based on the first transit AD in the route, and a
 transit AD could express a packet forwarding policy that depends upon
 the previous, and the subsequent, transit ADs in the route.)
  • QUALITY/TYPE OF SERVICE(QOS OR TOS)

This type of policy restricts access to special resources or

 services.  For example, a special high throughput, low delay link may
 be made available on a selective basis.
  • RESOURCE GUARANTEE

These policies provide a guaranteed percentage of a resource on a

 selective, as needed basis.  In other words, the resource can be used
 by others if the preferred-AD's offered load is below the guaranteed
 level of service.  The guarantee may be to always carry intra-AD
 traffic or to always carry inter-AD traffic for a specific AD.
  • TEMPORAL

Temporal policies restrict usage based on the time of day or other

 time related parameters.
  • HIGH LEVEL PROTOCOL

Usage may be restricted to a specific high level protocol such as

 mail or file transfer. (Alternatively, such policies can be
 implemented as source/destination policies by configuring a host(s)
 within an AD as an application relay and composing policy terms that
 allow inter-AD access to only that host.)
  • RESOURCE LIMIT

There may be a limit on the amount of traffic load a source may

 generate during a particular time interval, e.g., so many packets in
 a day, hour, or minute.
  • AUTHENTICATION REQUIREMENTS

Conditions may be specified regarding the authenticability of

 principal identifying information. Some ADs might require some form
 of cryptographic proof as to the identity and affiliations of the
 principal before providing access to critical resources.
 The above policy types usually exist in combination for a particular
 AD, i.e., an AD's policies might express a combination of transit,
 source/destination, and QOS restrictions. This taxonomy will evolve
 as PR is applied to other domains.
 As will be seen in Section 6.3 an AD can express its charging and

Estrin [Page 11] RFC 1125 Policy Requirements November 1989

 access policies in a single syntax. Moreover, both stub and transit
 policies can co-exist. This is important since some ADs operate as
 both stub and transit facilities and require such hybrid control.

6.2 TAXONOMY OF CHARGING POLICIES

 Stub and transit charging policies  may specify the following
 parameters:
  • UNIT OF ACCOUNTING (e.g., dollars or credits).
  • BASIS FOR CHARGING (e.g., per Kbyte or per Kpkt).
  • ACTUAL CHARGES (e.g., actual numbers such as $.50/Mbyte).
  • WHO IS CHARGED OR PAID (e.g., originator of packet,

immediate neighbor from whom packet was received, destination

    of packet, a third party collection agent).
 *  WHOSE PACKET COUNT is used (e.g., source, destination, the
    transit AD's own count, the count of some upstream or
    downstream AD).
 *  BOUND ON CHARGES (e.g., to limit the  amount that a stub
    AD is willing to spend, or the amount that a transit AD is
    willing to carry.)
 The enforcement of these policies may be carried out during route
 synthesis or route selection [4].

6.3 EXAMPLE POLICY STATEMENTS

 The following policy statements were collected in the fall of 1988
 through interviews with representatives of the federal agencies most
 involved in supporting internetworking. Once again we emphasize that
 these are not official policy statements. They are presented here to
 provide concrete examples of the sort of policies that agencies would
 like to enforce.
 Expressing policies as Policy Terms (PTs)
 Each policy is described in English and then expressed in a policy
 term (PT) notation suggested by Dave Clark in [4].  Each PT
 represents a distinct policy of the AD that synthesized it.  The
 format of a PT is:
  [(H{src},AD{src},AD{ent}),(H{dst},AD{dst},AD{exit}),UCI, Cg,Cb]
 Hsrc stands for source host, ADsrc for source AD, ADent for entering
 AD (i.e., neighboring AD from which traffic is arriving directly),
 Hdst for destination host, ADdst for destination AD, ADexit for exit
 AD (i.e.,neighboring AD to which traffic is going directly), UCI for
 user class identifier, and Cg and Cb for global and bilateral

Estrin [Page 12] RFC 1125 Policy Requirements November 1989

 conditions, respectively. The purpose of a PT is to specify that
 packets from some host, H{src}, (or a group of hosts) in a source AD,
 AD{src}, are allowed to enter the AD in question via some directly
 connected AD, AD{ent}, and exit through another directly connected
 AD, AD{exit}, on its way to a host, H{dst}, (or a group of hosts) in
 some destination AD, AD{dst}.  User Class Identifier (UCI) allows for
 distinguishing between various user classes, e.g., Government,
 Research, Commercial, Contract, etc.  Global Conditions (Cg)
 represent billing and other variables.  Bilateral Conditions (Cb)
 relate to agreements between neighboring ADs, e.g., related to
 metering or charging.  In the example policy terms provided below we
 make use of the following abbreviations: Fricc for
 {DOE,NASA,DCA,NSF}, F for Federal Agency, Re for Regional, U for
 University, Co for Commercial Corporation, and Cc for Commercial
 Carrier. A hyphen, -, means no applicable matches.
 By examining a PT we can identify the type of policy represented, as
 per the taxonomy presented earlier.
  • If an AD specifies a policy term that has a null (-) entry for

the ADexit, then it is disallowing transit for some group of users,

    and it is a transit policy.
  • If an AD specifies a policy term that lists itself

explicitly as ADsrc or ADdst, it is expressing restrictions on who

    can access particular resources within its boundaries, or on who inside
    can obtain external access. In other words the AD is expressing a
    source/destination policy.
  • If ADexit or ADentr is specified then the policy expressed is an

exit/entrance path policy.

  • If the global conditions include charging, QOS, resource

guarantee, time of day, higher level application, resource limit, or

    authentication related information it is obviously a charging, QOS,
    resource guarantee, temporal, higher level application, resource
    limit, or authentication policy, respectively.
 As seen below, any one PT typically incorporates a combination of
 policy types.

6.3.1 THE FRICC

 In the following examples all policies (and PTs) are symmetrical
 under the assumption that communication is symmetrical.

Estrin [Page 13] RFC 1125 Policy Requirements November 1989

NATIONAL SCIENCE FOUNDATION (NSF)

 1.  NSF will carry traffic for any host connected to a F/Re network
 talking to any other host connected to a F/Re via any F/Re entry and
 exit network, so long as there is it is being used for research or
 support. There is no authentication of the UCI and no per packet
 charging.  NSFnet is a backbone and so does not connect directly to
 universities or companies...thus the indication of {F/Re} instead of
 {F/Re/U/Co} as ADent and ADexit.
 [NSF1:  (*, {F/Re}, {F/Re})(*, {F/Re}, {F/Re}){research,support}
 {unauthenticated UCI,no-per-pkt charge}{}]
 2.  NSF will carry traffic to user and expert services hosts in NSF
 AD to/from any F/Re AD, via any F/Re AD. These are the only things
 that directly connect to NSFnet.
 [NSF2: ({User svcs, Expert Svcs},{NSF},{F/Re})(*,{F/Re},{-}){}{}{}]

DEPARTMENT OF ENERGY (DOE)

 1.  DOE will carry traffic to and from any host directly connected to
 DOE so long as it is used for research or support. There is no
 authentication of the UCI and no per packet charging.
 [DOE1: (*,DOE,-)(*,*,*){research,support}
 {unauthenticated UCI,no-per-packet charge}{}]
 2.  DOE will carry traffic for any host connected to a F/Re network
 talking to any other host connected to a F/Re via any F/Re entry and
 exit network without regard to the UCI. There is no authentication of
 the UCI and no per packet charging. (in other words DOE is more
 restrictive with its own traffic than with traffic it is carrying as
 part of a resource sharing arrangement.)
 [DOE2: (*,{F/Re},{F/Re})(*,{F/Re},{F/Re}){}
 {unauthenticated UCI, no-per-pkt charge}{}]

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION (NASA)

 1.  Nasa will accept any traffic to/from members of the Nasa AD. But
 no transit. No UCI authentication and no per packet charge.
 [NASA1: (*,*,*)(*,Nasa,-){Nasa-research, support}
 {unauthenticated UCI,no-per-packet-charge}{}]
 2.  Nasa will carry transit traffic to/from other federal agency
 networks if it is in support of research, and if the total use of

Estrin [Page 14] RFC 1125 Policy Requirements November 1989

 available BW by non-nasa Federal agencies is below n%. NOTE THAT this
 non-interference policy type needs some more work in terms of
 integrating it into the routing algorithms. See Section 7.
 [NASA2: (*,{F},*)(*,{F},*){research,support}
 {per-packet accounting, limited to n% of available BW}{}]
 3.  NASA will carry commercial traffic to federal and regional and
 university ADs for nasa research or support. But it will not allow
 transit. The particular entry AD is not important.
 [NASA3: (*,{Co},*} (*,{F/R/U},*) {NASA research,support}
  {unauthenticated UCI, no per packet charge}{}]
 4.  On a case by case basis NASA may provide access to its resources
 on a cost reimbursed basis. Transit traffic will not be carried on
 this basis.
  [NASA4: (*,*,-)(*,*,-){}
  {per-packet-charge, limited to n% of available BW} {}]

DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)

 1.  DARPA will carry traffic to/from any host in DARPA AD from any
 external host that can get it there so long as UCI is research or
 support. No UCI authentication or per packet charge.
 [DARPA1: (*,*,*)(*,DARPA,-){research,support}
 {unauthenticated-UCI, no per packet charge}{}]
 2.  DARPA will carry traffic for any host connected to a F/Re/U/Co
 network talking to any other host connected to a F/Re/U/Co via any
 F/Re/U/Co entry and exit network, so long as there is it is being
 used for research or support, and the network is not heavily
 congested!!.  There is no authentication of the UCI and no per packet
 charging.  NOTE: Darpa would like to say something about the need to
 enter the Darpa AD at the point closest to the destination...but i
 don't know how to express this...
 DARPA2: (*,{F/R/U/Co},{F/R/U/Co})(*,{F/R/U/Co},{F/R/U/Co})
 {research,support}{unauthenticated-UCI,no per packet charge,
 non-interference basis}{}]

DEFENSE COMMUNICATIONS AGENCY (DCA)

 1.  DCA will not carry any transit traffic. It will only accept and
 send traffic to and from its mailbridge(s) and only from and to hosts
 on other F/Re nets. All packets are marked and charged for by the

Estrin [Page 15] RFC 1125 Policy Requirements November 1989

 kilopacket.
 [DCA1:(mailbridge,DCA,-)(*,{F/Re},{F/Re}){research,support}
 {unauthenticated UCI, all incoming packets marked, per-kilopacket
 charge}{}]

6.3.2 THE REGIONALS

 Interviews with regional network administrations are now underway. In
 general their policies are still in formation due to the relatively
 recent formation of these regional networks. However, for the sake of
 illustration we provide an example of a hypothetical regional's
 network policies.

REGIONAL A

 1.  Regional A will carry traffic from/to any directly connected
 F/Re/U network to any F/Re/U network via NSF if it is for a research
 or support UCI. (NSF requires that all Regional networks only pass it
 traffic that complies with its, NSF's, policies!)
 [Regional A:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},NSF){research,support}
 {unauthenticated UCI, no-per-packet charge}{}]

REGIONAL B

 1.  Regional B will carry traffic from/to any directly connected
 F/Re/U network to any F/Re/U network via a commercial carrier
 regardless of its UCI. In this case the packets are charged for since
 the commercial carrier charges per kilopacket.
 [Regional B:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},Cc){}
 {unauthenticated UCI, per-kilopacket charge}{}]

6.3.3 CAMPUS AND PRIVATE NETWORKS

 Similar interviews should be conducted with administrators of campus
 and private networks. However, many aspects of their policies are
 contingent on the still unresolved policies of the regionals and
 federal agencies.  In any event, transit policies will be critical
 for campus and private networks to flexibly control access to lateral
 links and private wide area networks, respectively. For example, a
 small set of university and private laboratories may provide access
 to special gigabit links for particular classes of researchers.  On
 the other hand, source/destination policies should not be used in
 place of network level access controls for these end ADs.

Estrin [Page 16] RFC 1125 Policy Requirements November 1989

6.3.4 COMMERCIAL SERVICES

 Currently commercial communication services play a low level role in
 most parts of today's Research Internet; they provide the
 transmission media, i.e.,leased lines. In the future we expect
 commercial carriers to provide increasingly higher level and enhanced
 services such as high speed packet switched backbone services.
 Because such services are not yet part of the Research Internet
 infrastructure there exist no policy statements.
 Charging and accounting are certain to be an important policy type in
 this context.  Moreover, we anticipate the long haul services market
 to be highly competitive. This implies that competing service
 providers will engage in significant gaming in terms of packaging and
 pricing of services. Consequently, the ability to express varied and
 dynamic charging policies will be critical for these ADs.

7 PROBLEMATIC REQUIREMENTS

 Most of this paper has lobbied for articulation of relatively
 detailed policy statements in order to help define the technical
 mechanisms needed for enforcement.  We promoted a top down design
 process beginning with articulation of desired policies.  Now we feel
 compelled to mention requirements that are clearly problematic from
 the bottom up perspective of technical feasibility.
  • Non-interference policies are of the form "I will provide

access for principals x to resources y so long as it does not

    interfere with my internal usage." The problem with such policies
    is that access to an AD at any point in time is contingent upon a
    local, highly dynamic, parameter that is not globally available.
    Therefore such a policy term could well result in looping,
    oscillations, and excessive route (re)computation overhead,
    both unacceptable. Consequently, this is one type of policy that
    routing experts suggest would be difficult to support in a very
    large decentralized internetwork.
  • Granularity can also be problematic, but not as devistating as

highly dynamic PR contingencies. Here the caution is less specific.

    Very fine grain policies, which restrict access to particular
    hosts, or are contingent upon very fine grain user class
    identification, may be achieved more efficiently with network
    level access control [11] or end system controls instead of
    burdening the inter-AD routing mechanism.
  • Security is expensive, as always. Routing protocols are subject

to fraud through impersonation, data substitution, and denial of

    service. Some of the proposed mechanisms provide some means for

Estrin [Page 17] RFC 1125 Policy Requirements November 1989

    detection and non-repudiation. However, to achieve a priori
    prevention of resource misuse is expensive in terms of per
    connection or per packet cryptographic overhead. For some
    environments we firmly believe that this will be necessary and
    we would prefer an architecture that would accommodate such
    variability [12].
 In general, it is difficult to predict the impact of any particular
 policy term. Tools will be needed to assist people in writing and
 validating policy terms.

8 PROPOSED MECHANISMS

 Previous routing protocols have addressed a narrower definition of
 PR, as appropriate for the internets of their day. In particular, EGP
 [3], DGP[13], and BGP[6] incorporate a notion of policy restrictions
 as to where routing database information travels. None are intended
 to support policy based routing of packets as described here.  More
 recent routing proposals such as Landmark [14] and Cartesian [15]
 could be used to restrict packet forwarding but are not suited to
 source/destination, and some of the condition-oriented, policies. We
 feel these policy types are critical to support. We note that for
 environments (e.g., within an AD substructure) in which the simple-
 AD-topology conjecture holds true, these alternatives may be
 suitable.
 RFC 1104 [5] provides a good description of shorter term policy
 routing requirements. Braun classifies three types of mechanisms,
 policy based distribution of route information, policy based packet
 forwarding, and policy based dynamic allocation of network resources.
 The second class is characterized by Dave Clark's PR architecture,
 RFC 1102 [4]. With respect to the longer term requirements laid out
 in this document, only this second class is expressive and flexible
 enough to support the multiplicity of stub and transit policies. In
 other words, the power of the PR approach (e.g., RFC1102) is not just
 in the added granularity of control pointed out by Braun, i.e., the
 ability to specify particular hosts and user classes. Its power is in
 the ability to express and enforce many types of stub and transit
 policies and apply them on a discriminatory basis to different ADs.
 In addition, this approach provides explicit support for stub ADs to
 control routes via the use of source routing.  (FOOTNOTE 12:
 Moreover, the source routing approach loosens the requirements for
 every AD to share a complete view of the entire internet by allowing
 the source to detect routing loops.)  (FOOTNOTE 13:  The match
 between RFC1102 and the requirements specified in this document is
 hardly a coincidence since Clark's paper and discussions with him
 contributed to the requirements formulation presented here. His work
 is currently being evaluated and refined by the ANRG and ORWG.)

Estrin [Page 18] RFC 1125 Policy Requirements November 1989

9 SUMMARY

 Along with the emergence of very high speed applications and media,
 resource management has become a critical issue in the Research
 Internet and internets in general. A fundamental characteristic of
 the resource management problem is allowing administratively ADs to
 interconnect while retaining control over resource usage. However, we
 have lacked a careful articulation of the types of resource
 management policies that need to be supported.  This paper addresses
 policy requirements for the Research Internet.  After justifying our
 assumptions regarding AD topology we presented a taxonomy and
 examples of policies that must be supported by a PR protocol.

10 ACKNOWLEDGMENTS

 Members of the Autonomous Networks Research Group and Open Routing
 Working Group have contributed significantly to the ideas presented
 here, in particular, Guy Almes, Lee Breslau, Scott Brim, Dave Clark,
 Marianne Lepp, and Gene Tsudik. In addition, Lee Breslau and Gene
 Tsudik provided detailed comments on a previous draft. David Cheriton
 inadvertently caused me to write this document.  Sharon Anderson's
 contributions deserve special recognition.  The author is supported
 by research grants from National Science Foundation, AT&T, and GTE.

11 REFERENCES

 [1] J. Postel, Internet Protocol,  Network Information Center, RFC
     791, September 1981.
 [2] G. Vaudreuil, The Federal Research Internet Coordinating
     Committee and National Research Network, ACM SIG Computer
     Communications Review,April 1988.
 [3] E. Rosen, Exterior Gateway Protocol (EGP), Network Information
     Center, RFC 827, October 1982.
 [4] D. Clark, Policy Routing in Internet Protocols, Network
     Information Center, RFC 1102, May 1989.
 [5] H.W.Braun, Models of Policy Based Routing, Network Information
     Center, RFC 1104, June 1989.
 [6] K. Lougheed, Y. Rekhter, A Border Gateway Protocol, Network
     Information Center, RFC 1105, June 1989.
 [7] J. Saltzer, M. Schroeder, The Protection of Information in
     Computer Systems, Proceedings of the IEEE, 63, 9 September 1975.

Estrin [Page 19] RFC 1125 Policy Requirements November 1989

 [8] V. Jacobson, Congestion Avoidance and Control.  Proceedings of
     ACM Sigcomm, pp. 106-114, August 1988, Palo Alto, CA.
 [9] David Clark, Design Philosophy of the DARPA Internet Protocols,
     Proceedings of ACM Sigcomm, pp. 106-114, August 1988, Palo Alto,
     CA.
[10] Gigabit Networking Group, B. Leiner, Editor. Critical Issues in
     High Bandwidth Networking, Network Information Center, RFC 1077,
     November 1988.
[11] D. Estrin, J. Mogul and G. Tsudik, Visa Protocols for Controlling
     Inter-Organizational Datagram Flow, To appear in IEEE Journal on
     Selected Areas in Communications, Spring 1989.
[12] D. Estrin and G. Tsudik, Security Issues in Policy Routing, IEEE
     Symposium on Research in Security and Privacy, Oakland, CA.  May
     1-3 1989.
[13]  M. Little, The Dissimilar Gateway Protocol,  Technical report
[14] P. Tsuchiya, The Landmark Hierarchy: A new hierarchy for routing
     in very large networks, IEEE SIGCOMM 88, Palo Alto, CA. September
     1988.
[15] G. Finn, Reducing the Vulnerability of Dynamic Computer Networks
     USC/Information Sciences Institute, Technical Report, ISI/RR-88-
     201 July 1988.
[16] A. Nakassis Routing Algorithm for Open Routing, Unpublished
     paper, Available from the author at the National Institute of
     Standards and Technology (formerly NBS), Washington D.C.

11 SECURITY CONSIDERATIONS

     This memo does not address the security aspects of the issues
     discussed.

AUTHOR'S ADDRESS:

     Deborah Estrin
     University of Southern California
     Computer Science Department
     Los Angeles, CA 90089-0782
     Phone: (213) 743-7842
     EMail: Estrin@OBERON.USC.EDU

Estrin [Page 20] RFC 1125 Policy Requirements November 1989

Estrin [Page 21]

/data/webs/external/dokuwiki/data/pages/rfc/rfc1125.txt · Last modified: 1990/08/28 17:02 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki