GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc1479

Network Working Group M. Steenstrup Request for Comments: 1479 BBN Systems and Technologies

                                                            July 1993
   Inter-Domain Policy Routing Protocol Specification: Version 1

Status of this Memo

 This RFC specifies an IAB standards track protocol for the Internet
 community, and requests discussion and suggestions for improvements.
 Please refer to the current edition of the "IAB Official Protocol
 Standards" for the standardization state and status of this protocol.
 Distribution of this memo is unlimited.

Abstract

 We present the set of protocols and procedures that constitute
 Inter-Domain Policy Routing (IDPR).  IDPR includes the virtual
 gateway protocol, the flooding protocol, the route server query
 protocol, the route generation procedure, the path control protocol,
 and the data message forwarding procedure.

Contributors

 The following people have contributed to the protocols and procedures
 described in this document: Helen Bowns, Lee Breslau, Ken Carlberg,
 Isidro Castineyra, Deborah Estrin, Tony Li, Mike Little, Katia
 Obraczka, Sam Resheff, Martha Steenstrup, Gene Tsudik, and Robert
 Woodburn.

Table of Contents

 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 3
 1.1. Domain Elements . . . . . . . . . . . . . . . . . . . . . . . 3
 1.2. Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
 1.3. IDPR Functions. . . . . . . . . . . . . . . . . . . . . . . . 5
 1.3.1. IDPR Entities . . . . . . . . . . . . . . . . . . . . . . . 6
 1.4. Policy Semantics. . . . . . . . . . . . . . . . . . . . . . . 7
 1.4.1. Source Policies . . . . . . . . . . . . . . . . . . . . . . 7
 1.4.2. Transit Policies. . . . . . . . . . . . . . . . . . . . . . 8
 1.5. IDPR Message Encapsulation. . . . . . . . . . . . . . . . . . 9
 1.5.1. IDPR Data Message Format. . . . . . . . . . . . . . . . . .11
 1.6. Security. . . . . . . . . . . . . . . . . . . . . . . . . . .12
 1.7. Timestamps and Clock Synchronization. . . . . . . . . . . . .13
 1.8. Network Management. . . . . . . . . . . . . . . . . . . . . .14
 1.8.1. Policy Gateway Configuration. . . . . . . . . . . . . . . .17
 1.8.2. Route Server Configuration. . . . . . . . . . . . . . . . .18

Steenstrup [Page 1] RFC 1479 IDPR Protocol July 1993

 2. Control Message Transport Protocol. . . . . . . . . . . . . . .18
 2.1. Message Transmission. . . . . . . . . . . . . . . . . . . . .20
 2.2. Message Reception . . . . . . . . . . . . . . . . . . . . . .22
 2.3. Message Validation. . . . . . . . . . . . . . . . . . . . . .23
 2.4. CMTP Message Formats. . . . . . . . . . . . . . . . . . . . .24
 3. Virtual Gateway Protocol. . . . . . . . . . . . . . . . . . . .27
 3.1. Message Scope . . . . . . . . . . . . . . . . . . . . . . . .28
 3.1.1. Pair-PG Messages. . . . . . . . . . . . . . . . . . . . . .28
 3.1.2. Intra-VG Messages . . . . . . . . . . . . . . . . . . . . .29
 3.1.3. Inter-VG Messages . . . . . . . . . . . . . . . . . . . . .29
 3.1.4. VG Representatives. . . . . . . . . . . . . . . . . . . . .31
 3.2. Up/Down Protocol. . . . . . . . . . . . . . . . . . . . . . .31
 3.3. Implementation. . . . . . . . . . . . . . . . . . . . . . . .33
 3.4. Policy Gateway Connectivity . . . . . . . . . . . . . . . . .35
 3.4.1. Within a Virtual Gateway. . . . . . . . . . . . . . . . . .35
 3.4.2. Between Virtual Gateways. . . . . . . . . . . . . . . . . .37
 3.4.3. Communication Complexity. . . . . . . . . . . . . . . . . .40
 3.5. VGP Message Formats . . . . . . . . . . . . . . . . . . . . .41
 3.5.1. UP/DOWN . . . . . . . . . . . . . . . . . . . . . . . . . .41
 3.5.2. PG CONNECT. . . . . . . . . . . . . . . . . . . . . . . . .42
 3.5.3. PG POLICY . . . . . . . . . . . . . . . . . . . . . . . . .43
 3.5.4. VG CONNECT. . . . . . . . . . . . . . . . . . . . . . . . .44
 3.5.5. VG POLICY . . . . . . . . . . . . . . . . . . . . . . . . .45
 3.5.6. Negative Acknowledgements . . . . . . . . . . . . . . . . .46
 4. Routing Information Distribution. . . . . . . . . . . . . . . .47
 4.1. AD Representatives. . . . . . . . . . . . . . . . . . . . . .48
 4.2. Flooding Protocol . . . . . . . . . . . . . . . . . . . . . .48
 4.2.1. Message Generation. . . . . . . . . . . . . . . . . . . . .50
 4.2.2. Sequence Numbers. . . . . . . . . . . . . . . . . . . . . .52
 4.2.3. Message Acceptance. . . . . . . . . . . . . . . . . . . . .52
 4.2.4. Message Incorporation . . . . . . . . . . . . . . . . . . .54
 4.2.5. Routing Information Database. . . . . . . . . . . . . . . .56
 4.3. Routing Information Message Formats . . . . . . . . . . . . .57
 4.3.1. CONFIGURATION . . . . . . . . . . . . . . . . . . . . . . .57
 4.3.2. DYNAMIC . . . . . . . . . . . . . . . . . . . . . . . . . .62
 4.3.3. Negative Acknowledgements . . . . . . . . . . . . . . . . .63
 5. Route Server Query Protocol . . . . . . . . . . . . . . . . . .64
 5.1. Message Exchange. . . . . . . . . . . . . . . . . . . . . . .64
 5.2. Remote Route Server Communication . . . . . . . . . . . . . .65
 5.3. Routing Information . . . . . . . . . . . . . . . . . . . . .66
 5.4. Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . .67
 5.5. Route Server Message Formats. . . . . . . . . . . . . . . . .67
 5.5.1. ROUTING INFORMATION REQUEST . . . . . . . . . . . . . . . .67
 5.5.2. ROUTE REQUEST . . . . . . . . . . . . . . . . . . . . . . .68
 5.5.3. ROUTE RESPONSE. . . . . . . . . . . . . . . . . . . . . . .71
 5.5.4. Negative Acknowledgements . . . . . . . . . . . . . . . . .72
 6. Route Generation. . . . . . . . . . . . . . . . . . . . . . . .73
 6.1. Searching . . . . . . . . . . . . . . . . . . . . . . . . . .74

Steenstrup [Page 2] RFC 1479 IDPR Protocol July 1993

 6.1.1. Implementation. . . . . . . . . . . . . . . . . . . . . . .75
 6.2. Route Directionality. . . . . . . . . . . . . . . . . . . . .78
 6.3. Route Database. . . . . . . . . . . . . . . . . . . . . . . .79
 6.3.1. Cache Maintenance . . . . . . . . . . . . . . . . . . . . .80
 7. Path Control Protocol and Data Message Forwarding Procedure . .80
 7.1. An Example of Path Setup. . . . . . . . . . . . . . . . . . .81
 7.2. Path Identifiers. . . . . . . . . . . . . . . . . . . . . . .84
 7.3. Path Control Messages . . . . . . . . . . . . . . . . . . . .85
 7.4. Setting Up and Tearing Down a Path. . . . . . . . . . . . . .87
 7.4.1. Validating Path Identifiers . . . . . . . . . . . . . . . .89
 7.4.2. Path Consistency with Configured Transit Policies . . . . .89
 7.4.3. Path Consistency with Virtual Gateway Reachability. . . . .91
 7.4.4. Obtaining Resources . . . . . . . . . . . . . . . . . . . .92
 7.4.5. Target Response . . . . . . . . . . . . . . . . . . . . . .93
 7.4.6. Originator Response . . . . . . . . . . . . . . . . . . . .93
 7.4.7. Path Life . . . . . . . . . . . . . . . . . . . . . . . .  94
 7.5. Path Failure and Recovery . . . . . . . . . . . . . . . . .  95
 7.5.1. Handling Implicit Path Failures . . . . . . . . . . . . .  96
 7.5.2. Local Path Repair . . . . . . . . . . . . . . . . . . . .  97
 7.5.3. Repairing a Path. . . . . . . . . . . . . . . . . . . . .  98
 7.6. Path Control Message Formats. . . . . . . . . . . . . . . . 100
 7.6.1. SETUP . . . . . . . . . . . . . . . . . . . . . . . . . . 101
 7.6.2. ACCEPT. . . . . . . . . . . . . . . . . . . . . . . . . . 103
 7.6.3. REFUSE. . . . . . . . . . . . . . . . . . . . . . . . . . 103
 7.6.4. TEARDOWN. . . . . . . . . . . . . . . . . . . . . . . . . 104
 7.6.5. ERROR . . . . . . . . . . . . . . . . . . . . . . . . . . 105
 7.6.6. REPAIR. . . . . . . . . . . . . . . . . . . . . . . . . . 106
 7.6.7. Negative Acknowledgements . . . . . . . . . . . . . . . . 106
 8. Security Considerations . . . . . . . . . . . . . . . . . . . 106
 9. Authors's Address . . . . . . . . . . . . . . . . . . . . . . 107
 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

1. Introduction

 In this document, we specify the protocols and procedures that
 compose Inter-Domain Policy Routing (IDPR).  The objective of IDPR is
 to construct and maintain routes between source and destination
 administrative domains, that provide user traffic with the services
 requested within the constraints stipulated for the domains
 transited.  IDPR supports link state routing information distribution
 and route generation in conjunction with source specified message
 forwarding.  Refer to [5] for a detailed justification of our
 approach to inter-domain policy routing.

1.1. Domain Elements

 The IDPR architecture has been designed to accommodate an
 internetwork with tens of thousands of administrative domains

Steenstrup [Page 3] RFC 1479 IDPR Protocol July 1993

 collectively containing hundreds of thousands of local networks.
 Inter-domain policy routes are constructed using information about
 the services offered by, and the connectivity between, administrative
 domains.  The intra-domain details - gateways, networks, and links
 traversed - of an inter-domain policy route are the responsibility of
 intra-domain routing and are thus outside the scope of IDPR.
 An "administrative domain" (AD) is a collection of contiguous hosts,
 gateways, networks, and links managed by a single administrative
 authority.  The domain administrator defines service restrictions for
 transit traffic and service requirements for locally-generated
 traffic, and selects the addressing schemes and routing procedures
 that apply within the domain.  Within the Internet, each domain has a
 unique numeric identifier assigned by the Internet Assigned Numbers
 Authority (IANA).
 "Virtual gateways" (VGs) are the only IDPR-recognized connecting
 points between adjacent domains.  Each virtual gateway is a
 collection of directly-connected "policy gateways" (see below) in two
 adjoining domains, whose existence has been sanctioned by the
 administrators of both domains.  The domain administrators may agree
 to establish more than one virtual gateway between the two domains.
 For each such virtual gateway, the two administrators together assign
 a local numeric identifier, unique within the set of virtual gateways
 connecting the two domains.  To produce a virtual gateway identifier
 unique within its domain, a domain administrator concatenates the
 mutually assigned local virtual gateway identifier together with the
 adjacent domain's identifier.
 Policy gateways (PGs) are the physical gateways within a virtual
 gateway.  Each policy gateway enforces service restrictions on IDPR
 transit traffic, as stipulated by the domain administrator, and
 forwards the traffic accordingly.  Within a domain, two policy
 gateways are "neighbors" if they are in different virtual gateways.
 A single policy gateway may belong to multiple virtual gateways.
 Within a virtual gateway, two policy gateways are "peers" if they are
 in the same domain and are "adjacent" if they are in different
 domains.  Adjacent policy gateways are "directly connected" if the
 only Internet-addressable entities attached to the connecting medium
 are policy gateways in the virtual gateways.  Note that this
 definition implies that not only point-to-point links but also
 networks may serve as direct connections between adjacent policy
 gateways.  The domain administrator assigns to each of its policy
 gateways a numeric identifier, unique within that domain.
 A "domain component" is a subset of a domain's entities such that all
 entities within the subset are mutually reachable via intra-domain
 routes, but no entities outside the subset are reachable via intra-

Steenstrup [Page 4] RFC 1479 IDPR Protocol July 1993

 domain routes from entities within the subset.  Normally, a domain
 consists of a single component, namely itself; however, when
 partitioned, a domain consists of multiple components.  Each domain
 component has an identifier, unique within the Internet, composed of
 the domain identifier together with the identifier of the lowest-
 numbered operational policy gateway within the component.  All
 operational policy gateways within a domain component can discover
 mutual reachability through intra-domain routing information.  Hence,
 all such policy gateways can consistently determine, without explicit
 negotiation, which of them has the lowest number.

1.2. Policy

 With IDPR, each domain administrator sets "transit policies" that
 dictate how and by whom the resources in its domain should be used.
 Transit policies are usually public, and they specify offered
 services comprising:
  1. Access restrictions: e.g., applied to traffic to or from certain

domains or classes of users.

  1. Quality: e.g., delay, throughput, or error characteristics.
  1. Monetary cost: e.g., charge per byte, message, or unit time.
 Each domain administrator also sets "source policies" for traffic
 originating in its domain.  Source policies are usually private, and
 they specify requested services comprising:
  1. Access restrictions: e.g., domains to favor or avoid in routes.
  1. Quality: e.g., acceptable delay, throughput, and reliability.
  1. Monetary cost: e.g., acceptable session cost.

1.3. IDPR Functions

 IDPR comprises the following functions:
  1. Collecting and distributing routing information including domain

transit policies and inter-domain connectivity.

  1. Generating and selecting policy routes based on the routing

information distributed and on the source policies configured or

     requested.
  1. Setting up paths across the Internet using the policy routes

generated.

Steenstrup [Page 5] RFC 1479 IDPR Protocol July 1993

  1. Forwarding messages across and between domains along the

established paths.

  1. Maintaining databases of routing information, inter-domain policy

routes, forwarding information, and configuration information.

1.3.1. IDPR Entities

 Several different entities are responsible for performing the IDPR
 functions.
 Policy gateways, the only IDPR-recognized connecting points between
 adjacent domains, collect and distribute routing information,
 participate in path setup, forward data messages along established
 paths, and maintain forwarding information databases.
 "Path agents", resident within policy gateways and within "route
 servers" (see below), act on behalf of hosts to select policy routes,
 to set up and manage paths, and to maintain forwarding information
 databases.  Any Internet host can reap the benefits of IDPR, as long
 as there exists a path agent configured to act on its behalf and a
 means by which the host's messages can reach the path agent.
 Specifically, a path agent in one domain may be configured to act on
 behalf of hosts in another domain.  In this case, the path agent's
 domain is an IDPR "proxy" for the hosts' domain.
 Route servers maintain both the routing information database and the
 route database, and they generate policy routes using the routing
 information collected and the source policies requested by the path
 agents.  A route server may reside within a policy gateway, or it may
 exist as an autonomous entity.  Separating the route server functions
 from the policy gateways frees the policy gateways from both the
 memory intensive task of database (routing information and route)
 maintenance and the computationally intensive task of route
 generation.  Route servers, like policy gateways, each have a unique
 numeric identifier within their domain, assigned by the domain
 administrator.
 Given the size of the current Internet, each policy gateway can
 perform the route server functions, in addition to its message
 forwarding functions, with little or no degradation in message
 forwarding performance.  Aggregating the routing functions into
 policy gateways simplifies implementation; one need only install IDPR
 protocols in policy gateways.  Moreover, it simplifies communication
 between routing functions, as all functions reside within each policy
 gateway.  As the Internet grows, the memory and processing required
 to perform the route server functions may become a burden for the
 policy gateways.  When this happens, each domain administrator should

Steenstrup [Page 6] RFC 1479 IDPR Protocol July 1993

 separate the route server functions from the policy gateways in its
 domain.
 "Mapping servers" maintain the database of mappings that resolve
 Internet names and addresses to domain identifiers.  Each host is
 contained within a domain and is associated with a proxy domain which
 may be identical with the host's domain.  The mapping server function
 will be integrated into the existing DNS name service (see [6]) and
 will provide mappings between a host and its local and proxy domains.
 "Configuration servers" maintain the databases of configured
 information that apply to IDPR entities within their domains.
 Configuration information for a given domain includes transit
 policies (i.e., service offerings and restrictions), source policies
 (i.e., service requirements), and mappings between local IDPR
 entities and their names and addresses.  The configuration server
 function will be integrated into a domain's existing network
 management system (see [7]-[8]).

1.4. Policy Semantics

 The source and transit policies supported by IDPR are intended to
 accommodate a wide range of services available throughout the
 Internet.  We describe the semantics of these policies, concentrating
 on the access restriction aspects.  To express these policies in this
 document, we have chosen to use a syntactic variant of Clark's policy
 term notation [1].  However, we provide a more succinct syntax (see
 [7]) for actually configuring source and transit policies.

1.4.1. Source Policies

 Each source policy takes the form of a collection of sets as follows:
 Applicable Sources and Destinations:
    {((H(1,1),s(1,1)),...,(H(1,f1),s(1,f1))),...,((H(n,1),s(n,1)),...,
    (H(n,fn),s(n,fn)))}: The set of groups of source/destination
    traffic flows to which the source policy applies.  Each traffic
    flow group ((H(i,1),s(i,1)),...,(H(i,fi),s(i,fi))) contains a set
    of source hosts and corresponding destination hosts.  Here, H(i,j)
    represents a host, and s(i,j), an element of {SOURCE,
    DESTINATION}, represents an indicator of whether H(i,j) is to be
    considered as a source or as a destination.
 Domain Preferences: {(AD(1),x(1)),...,(AD(m),x(m))}: The set of
    transit domains that the traffic flows should favor, avoid, or
    exclude.  Here, AD(i) represents a domain, and x(i), an element of
    {FAVOR, AVOID, EXCLUDE}, represents an indicator of whether routes
    including AD(i) are to be favored, avoided if possible, or

Steenstrup [Page 7] RFC 1479 IDPR Protocol July 1993

    unconditionally excluded.
 UCI: The source user class for the traffic flows listed.
 RequestedServices: The set of requested services not related to
    access restrictions, i.e., service quality and monetary cost.
 When selecting a route for a traffic flow from a source host H(i,j)
 to a destination host H(i,k), where 1 < or = i < or = n and 1 < or =
 j, k < or = fi, the path agent (see section 1.3.1) must honor the
 source policy such that:
  1. For each domain, AD(p), contained in the route, AD(p) is not equal

to any AD(k), such that 1 < or = k < or = m and x(k) = EXCLUDE.

  1. The route provides the services listed in the set Requested

Services.

1.4.2. Transit Policies

 Each transit policy takes the form of a collection of sets as
 follows:
 Source/Destination Access Restrictions:
    {((H(1,1),AD(1,1),s(1,1)),...,(H(1,f1),AD(1,f1),s(1,f1))),...,
    ((H(n,1),AD(n,1),s(n,1)),...,(H(n,fn),AD(n,fn),s(n,fn)))}: The set
    of groups of source and destination hosts and domains to which the
    transit policy applies.  Each domain group
    ((H(i,1),AD(i,1),s(i,1)),...,(H(i,fi),AD(i,fi),s(i,fi))) contains
    a set of source and destination hosts and domains such that this
    transit domain will carry traffic from each source listed to each
    destination listed.  Here, H(i,j) represents a set of hosts,
    AD(i,j) represents a domain containing H(i,j), and s(i,j), a
    subset of {SOURCE, DESTINATION}, represents an indicator of
    whether (H(i,j),AD(i,j)) is to be considered as a set of sources,
    destinations, or both.
 Temporal Access Restrictions: The set of time intervals during which
    the transit policy applies.
 User Class Access Restrictions: The set of user classes to which the
    transit policy applies.
 Offered Services: The set of offered services not related to access
    restrictions, i.e., service quality and monetary cost.

Steenstrup [Page 8] RFC 1479 IDPR Protocol July 1993

 Virtual Gateway Access Restrictions:
    {((VG(1,1),e(1,1)),...,(VG(1,g1),e(1,g1))),...,((VG(m,1),e(m,1)),
    gateways to which the transit policy applies.  Each virtual
    gateway group ((VG(i,1),e(i,1)),...,(VG(i,gi),e(i,gi))) contains a
    set of domain entry and exit points such that each entry virtual
    gateway can reach (barring an intra-domain routing failure) each
    exit virtual gateway via an intra-domain route supporting the
    transit policy.  Here, VG(i,j) represents a virtual gateway, and
    e(i,j), a subset of {ENTRY, EXIT}, represents an indicator of
    whether VG(i,j) is to be considered as a domain entry point, exit
    point, or both.
 The domain advertising such a transit policy will carry traffic from
 any host in the set H(i,j) in AD(i,j) to any host in the set H(i,k)
 in AD(i,k), where 1 < or = i < or = n and 1 < or = j, k < or = fi,
 provided that:
  1. SOURCE is an element of s(i,j).
  1. DESTINATION is an element of s(i,k).
  1. Traffic from H(i,j) enters the domain during one of the intervals

in the set Temporal Access Restrictions.

  1. Traffic from H(i,j) carries one of the user class identifiers in

the set User Class Access Restrictions.

  1. Traffic from H(i,j) enters via any VG(u,v) such that ENTRY is an

element of e(u,v), where 1 < or = u < or = m and 1 < or = v < or =

   gu.
  1. Traffic to H(i,k) leaves via any VG(u,w) such that EXIT is an

element of e(u,w), where 1 < or = w < or = gu.

1.5. IDPR Message Encapsulation

 There are two kinds of IDPR messages:
  1. "Data messages" containing user data generated by hosts.
  1. "Control messages" containing IDPR protocol-related control

information generated by policy gateways and route servers.

 Within an internetwork, only policy gateways and route servers are
 able to generate, recognize, and process IDPR messages.  The
 existence of IDPR is invisible to all other gateways and hosts,
 including mapping servers and configuration servers.  Mapping servers
 and configuration servers perform necessary but ancillary functions

Steenstrup [Page 9] RFC 1479 IDPR Protocol July 1993

 for IDPR, and thus they are not required to handle IDPR messages.
 An IDPR entity places IDPR-specific information in each IDPR control
 message it originates; this information is significant only to
 recipient IDPR entities.  Using "encapsulation" across each domain,
 an IDPR message tunnels from source to destination across an
 internetwork through domains that may employ disparate intra-domain
 addressing schemes and routing procedures.
 As an alternative to encapsulation, we had considered embedding IDPR
 in IP, as a set of IP options.  However, this approach has the
 following disadvantages:
  1. Only domains that support IP would be able to participate in IDPR;

domains that do not support IP would be excluded.

  1. Each gateway, policy or other, in a participating domain would at

least have to recognize the IDPR option, even if it did not execute

   the IDPR protocols.  However, most commercial routers are not
   optimized for IP options processing, and so IDPR message handling
   might require significant processing at each gateway.
  1. For some IDPR protocols, in particular path control, the size

restrictions on IP options would preclude inclusion of all of the

   necessary protocol-related information.
 For these reasons, we decided against the IP option approach and in
 favor of encapsulation.
 An IDPR message travels from source to destination between
 consecutive policy gateways.  Each policy gateway encapsulates the
 IDPR message with information, for example an IP header, that will
 enable the message to reach the next policy gateway.  Note that the
 encapsulating header and the IDPR-specific information may increase
 the message size beyond the MTU of the given domain.  However,
 message fragmentation and reassembly is the responsibility of the
 protocol, for example IP, that encapsulates IDPR messages for
 transport between successive policy gateways; it is not currently the
 responsibility of IDPR itself.
 A policy gateway, when forwarding an IDPR message to a peer or a
 neighbor policy gateway, encapsulates the message in accordance with
 the addressing scheme and routing procedure of the given domain and
 indicates in the protocol field of the encapsulating header that the
 message is indeed an IDPR message.  Intermediate gateways between the
 two policy gateways forward the IDPR message as they would any other
 message, using the information in the encapsulating header.  Only the
 recipient policy gateway interprets the protocol field, strips off

Steenstrup [Page 10] RFC 1479 IDPR Protocol July 1993

 the encapsulating header, and processes the IDPR message.
 A policy gateway, when forwarding an IDPR message to a directly-
 connected adjacent policy gateway, encapsulates the message in
 accordance with the addressing scheme of the entities within the
 virtual gateway and indicates in the protocol field of the
 encapsulating header that the message is indeed an IDPR message.  The
 recipient policy gateway strips off the encapsulating header and
 processes the IDPR message.  We recommend that the recipient policy
 gateway perform the following validation check of the encapsulating
 header, prior to stripping it off.  Specifically, the recipient
 policy gateway should verify that the source address and the
 destination address in the encapsulating header match the adjacent
 policy gateway's address and its own address, respectively.
 Moreover, the recipient policy gateway should verify that the message
 arrived on the interface designated for the direct connection to the
 adjacent policy gateway.  These checks help to ensure that IDPR
 traffic that crosses domain boundaries does so only over direct
 connections between adjacent policy gateways.
 Policy gateways forward IDPR data messages according to a forwarding
 information database which maps "path identifiers", carried in the
 data messages, into next policy gateways.  Policy gateways forward
 IDPR control messages according to next policy gateways selected by
 the particular IDPR control protocols associated with the messages.
 Distinguishing IDPR data messages and IDPR control messages at the
 encapsulating protocol level, instead of at the IDPR protocol level,
 eliminates an extra level of dispatching and hence makes IDPR message
 forwarding more efficient.  When encapsulated within IP messages,
 IDPR data messages and IDPR control messages carry the IP protocol
 numbers 35 and 38, respectively.

1.5.1. IDPR Data Message Format

 The path agents at a source domain determine which data messages
 generated by local hosts are to be handled by IDPR.  To each data
 message selected for IDPR handling, a source path agent prepends the
 following header:

Steenstrup [Page 11] RFC 1479 IDPR Protocol July 1993

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |    VERSION    |     PROTO     |            LENGTH             |
 +---------------+---------------+-------------------------------+
 |                            PATH ID                            |
 |                                                               |
 +---------------------------------------------------------------+
 |                           TIMESTAMP                           |
 +---------------------------------------------------------------+
 |                            INT/AUTH                           |
 |                                                               |
 +---------------------------------------------------------------+
 VERSION (8 bits) Version number for IDPR data messages, currently
 equal to 1.
 PROTO (8 bits) Numeric identifier for the protocol with which to
 process the contents of the IDPR data message.  Only the path agent
 at the destination interprets and acts upon the contents of the PROTO
 field.
 LENGTH (16 bits) Length of the entire IDPR data message in bytes.
 PATH ID (64 bits) Path identifier assigned by the source's path agent
 and consisting of the numeric identifier for the path agent's domain
 (16 bits), the numeric identifier for the path agent's policy gateway
 (16 bits), and the path agent's local path identifier (32 bits) (see
 section 7.2).
 TIMESTAMP (32 bits) Number of seconds elapsed since 1 January 1970
 0:00 GMT.
 INT/AUTH (variable) Computed integrity/authentication value,
 dependent on the type of integrity/authentication requested during
 path setup.
 We describe the IDPR control message header in section 2.4.

1.6. Security

 IDPR contains mechanisms for verifying message integrity and source
 authenticity and for protecting against certain types of denial of
 service attacks.  It is particularly important to keep IDPR control
 messages intact, because they carry control information critical to
 the construction and use of viable policy routes between domains.
 All IDPR messages carry a single piece of information, referred to as

Steenstrup [Page 12] RFC 1479 IDPR Protocol July 1993

 the "integrity/authentication value", which may be used not only to
 detect message corruption but also to verify the authenticity of the
 message source.  In the Internet, the IANA will sanction the set of
 valid algorithms which may be used to compute the
 integrity/authentication values.  This set may include algorithms
 that perform only message integrity checks such as n-bit cyclic
 redundancy checksums (CRCs), as well as algorithms that perform both
 message integrity and source authentication checks such as signed
 hash functions of message contents.
 Each domain administrator is free to select any
 integrity/authentication algorithm, from the set specified by the
 IANA, for computing the integrity/authentication values contained in
 its domain's messages.  However, we recommend that IDPR entities in
 each domain be capable of executing all of the valid algorithms so
 that an IDPR control message originating at an entity in one domain
 can be properly checked by an entity in another domain.
 Each IDPR control message must carry a non-null
 integrity/authentication value.  We recommend that control message
 integrity/authentication be based on a digital signature algorithm
 applied to a one-way hash function, such as RSA applied to MD5 [17],
 which simultaneously verifies message integrity and source
 authenticity.  The digital signature may be based on either public-
 key or private-key cryptography.  Our approach to digital signature
 use in IDPR is based on the privacy-enhanced Internet electronic mail
 service [13]-[15], already available in the Internet.
 We do not require that IDPR data messages carry a non-null
 integrity/authentication value.  In fact, we recommend that a higher
 layer (end-to-end) procedure, and not IDPR, assume responsibility for
 checking the integrity and authenticity of data messages, because of
 the amount of computation involved.

1.7. Timestamps and Clock Synchronization

 Each IDPR message carries a timestamp (expressed in seconds elapsed
 since 1 January 1970 0:00 GMT, following the UNIX precedent) supplied
 by the source IDPR entity, which serves to indicate the age of the
 message.  IDPR entities use the absolute value of the timestamp to
 confirm that a message is current and use the relative difference
 between timestamps to determine which message contains the more
 recent information.
 All IDPR entities must possess internal clocks that are synchronized
 to some degree, in order for the absolute value of a message
 timestamp to be meaningful.  The synchronization granularity required
 by IDPR is on the order of minutes and can be achieved manually.

Steenstrup [Page 13] RFC 1479 IDPR Protocol July 1993

 Thus, a clock synchronization protocol operating among all IDPR
 entities in all domains, while useful, is not necessary.
 An IDPR entity can determine whether to accept or reject a message
 based on the discrepancy between the message's timestamp and the
 entity's own internal clock time.  Any IDPR message whose timestamp
 lies outside of the acceptable range may contain stale or corrupted
 information or may have been issued by a source whose internal clock
 has lost synchronization with the message recipient's internal clock.
 Timestamp checks are required for control messages because of the
 consequences of propagating and acting upon incorrect control
 information.  However, timestamp checks are discretionary for data
 messages but may be invoked during problem diagnosis, for example,
 when checking for suspected message replays.
 We note that none of the IDPR protocols contain explicit provisions
 for dealing with an exhausted timestamp space.  As timestamp space
 exhaustion will not occur until well into the next century, we expect
 timestamp space viability to outlast the IDPR protocols.

1.8. Network Management

 In this document, we do not describe how to configure and manage
 IDPR.  However, in this section, we do provide a list of the types of
 IDPR configuration information required.  Also, in later sections
 describing the IDPR protocols, we briefly note the types of
 exceptional events that must be logged for network management.
 Complete descriptions of IDPR entity configuration and IDPR managed
 objects appear in [7] and [8] respectively.
 To participate in inter-domain policy routing, policy gateways and
 route servers within a domain each require configuration information.
 Some of the configuration information is specifically defined within
 the given domain, while some of the configuration information is
 universally defined throughout an internetwork.  A domain
 administrator determines domain-specific information, and in the
 Internet, the IANA determines globally significant information.
 To produce valid domain configurations, the domain administrators
 must receive the following global information from the IANA:
  1. For each integrity/authentication type, the numeric

identifier, syntax, and semantics. Available integrity and

   authentication types include but are not limited to:
     o    public-key based signatures;
     o    private-key based signatures;

Steenstrup [Page 14] RFC 1479 IDPR Protocol July 1993

     o    cyclic redundancy checksums;
     o    no integrity/authentication.
  1. For each user class, the numeric identifier, syntax, and

semantics. Available user classes include but are not limited to:

     o    federal (and if necessary, agency-specific such as NSF, DOD,
          DOE, etc.);
     o    research;
     o    commercial;
     o    support.
  1. For each offered service that may be advertised in transit

policies, the numeric identifier, syntax, and semantics. Available

   offered services include but are not limited to:
     o    average message delay;
     o    message delay variation;
     o    average bandwidth available;
     o    available bandwidth variation;
     o    maximum transfer unit (MTU);
     o    charge per byte;
     o    charge per message;
     o    charge per unit time.
  1. For each access restriction that may be advertised in transit

policies, the numeric identifier, syntax, and semantics. Available

   access restrictions include but are not limited to:
     o    Source and destination domains and host sets.
     o    User classes.
     o    Entry and exit virtual gateways.
     o    Time of day.

Steenstrup [Page 15] RFC 1479 IDPR Protocol July 1993

  1. For each requested service that may appear within a path setup

message, the numeric identifier, syntax, and semantics. Available

   requested services include but are not limited to:
     o    maximum path life in minutes, messages, or bytes;
     o    integrity/authentication algorithms to be used on data
          messages sent over the path;
     o    upper bound on path delay;
     o    minimum delay path;
     o    upper bound on path delay variation;
     o    minimum delay variation path;
     o    lower bound on path bandwidth;
     o    maximum bandwidth path;
     o    upper bound on monetary cost;
     o    minimum monetary cost path.
 In an internetwork-wide implementation of IDPR, the set of global
 configuration parameters and their syntax and semantics must be
 consistent across all participating domains.  The IANA, responsible
 for establishing the full set of global configuration parameters in
 the Internet, relies on the cooperation of the administrators of all
 participating domains to ensure that the global parameters are
 consistent with the desired transit policies and user service
 requirements of each domain.  Moreover, as the syntax and semantics
 of the global parameters affects the syntax and semantics of the
 corresponding IDPR software, the IANA must carefully define each
 global parameter so that it is unlikely to require future
 modification.
 The IANA provides configured global information to configuration
 servers in all domains participating in IDPR.  Each domain
 administrator uses the configured global information maintained by
 its configuration servers to develop configurations for each IDPR
 entity within its domain.  Each configuration server retains a copy
 of the configuration for each local IDPR entity and also distributes
 the configuration to that entity using, for example, SNMP.

Steenstrup [Page 16] RFC 1479 IDPR Protocol July 1993

1.8.1. Policy Gateway Configuration

 Each policy gateway must contain sufficient configuration information
 to perform its IDPR functions, which subsume those of the path agent.
 These include: validating IDPR control messages; generating and
 distributing virtual gateway connectivity and routing information
 messages to peer, neighbor, and adjacent policy gateways;
 distributing routing information messages to route servers in its
 domain; resolving destination addresses; requesting policy routes
 from route servers; selecting policy routes and initiating path
 setup; ensuring consistency of a path with its domain's transit
 policies; establishing path forwarding information; and forwarding
 IDPR data messages along existing paths.  The necessary configuration
 information includes the following:
  1. For each integrity/authentication type, the numeric identifier,

syntax, and semantics.

  1. For each policy gateway and route server in the given domain, the

numeric identifier and set of addresses or names.

  1. For each virtual gateway connected to the given domain, the numeric

identifier, the numeric identifiers for the constituent peer policy

   gateways, and the numeric identifier for the adjacent domain.
  1. For each virtual gateway of which the given policy gateway is a

member, the numeric identifiers and set of addresses for the

   constituent adjacent policy gateways.
  1. For each policy gateway directly-connected and adjacent to the

given policy gateway, the local connecting interface.

  1. For each local route server to which the given policy gateway

distributes routing information, the numeric identifier.

  1. For each source policy applicable to hosts within the given domain,

the syntax and semantics.

  1. For each transit policy applicable to the domain, the numeric

identifier, syntax, and semantics.

  1. For each requested service that may appear within a path setup

message, the numeric identifier, syntax, and semantics.

  1. For each source user class, the numeric identifier, syntax, and

semantics.

Steenstrup [Page 17] RFC 1479 IDPR Protocol July 1993

1.8.2. Route Server Configuration

 Each route server must contain sufficient configuration information
 to perform its IDPR functions, which subsume those of the path agent.
 These include: validating IDPR control messages; deciphering and
 storing the contents of routing information messages; exchanging
 routing information with other route servers and policy gateways;
 generating policy routes that respect transit policy restrictions and
 source service requirements; distributing policy routes to path
 agents in policy gateways; resolving destination addresses; selecting
 policy routes and initiating path setup; establishing path forwarding
 information; and forwarding IDPR data messages along existing paths.
 The necessary configuration information includes the following:
  1. For each integrity/authentication type, the numeric identifier,

syntax, and semantics.

  1. For each policy gateway and route server in the given domain, the

numeric identifier and set of addresses or names.

  1. For each source policy applicable to hosts within the given domain,

the syntax and semantics.

  1. For access restriction that may be advertised in transit

policies, the numeric identifier, syntax, and semantics.

  1. For each offered service that may be advertised in transit policies,

the numeric identifier, syntax, and semantics.

  1. For each requested service that may appear within a path setup

message, the numeric identifier, syntax, and semantics.

  1. For each source user class, the numeric identifier, syntax, and

semantics.

2. Control Message Transport Protocol

 IDPR control messages convey routing-related information that
 directly affects the policy routes generated and the paths set up
 across the Internet.  Errors in IDPR control messages can have
 widespread, deleterious effects on inter-domain policy routing, and
 so the IDPR protocols have been designed to minimize loss and
 corruption of control messages.  For every control message it
 transmits, each IDPR protocol expects to receive notification as to
 whether the control message successfully reached the intended IDPR
 recipient.  Moreover, the IDPR recipient of a control message first
 verifies that the message appears to be well-formed, before acting on
 its contents.

Steenstrup [Page 18] RFC 1479 IDPR Protocol July 1993

 All IDPR protocols use the Control Message Transport Protocol (CMTP),
 a connectionless, transaction-based transport layer protocol, for
 communication with intended recipients of control messages.  CMTP
 retransmits unacknowledged control messages and applies integrity and
 authenticity checks to received control messages.
 There are three types of CMTP messages:
 DATAGRAM:
      Contains IDPR control messages.
 ACK: Positive acknowledgement in response to a DATAGRAM message.
 NAK: Negative acknowledgement in response to a DATAGRAM message.
 Each CMTP message contains several pieces of information supplied by
 the sender that allow the recipient to test the integrity and
 authenticity of the message.  The set of integrity and authenticity
 checks performed after CMTP message reception are collectively
 referred to as "validation checks" and are described in section 2.3.
 When we first designed the IDPR protocols, CMTP as a distinct
 protocol did not exist.  Instead, CMTP-equivalent functionality was
 embedded in each IDPR protocol.  To provide a cleaner implementation,
 we later decided to provide a single transport protocol that could be
 used by all IDPR protocols.  We originally considered using an
 existing transport protocol, but rejected this approach for the
 following reasons:
  1. The existing reliable transport protocols do not provide all of the

validation checks, in particular the timestamp and authenticity

   checks, required by the IDPR protocols.  Hence, if we were to use
   one of these protocols, we would still have to provide a separate
   protocol on top of the transport protocol to force retransmission of
   IDPR messages that failed to pass the required validation checks.
  1. Many of the existing reliable transport protocols are window-based

and hence can result in increased message delay and resource use

   when, as is the case with IDPR, multiple independent messages use
   the same transport connection.  A single message experiencing
   transmission problems and requiring retransmission can prevent the
   window from advancing, forcing all subsequent messages to queue
   behind it.  Moreover, many of the window-based protocols do not
   support selective retransmission of failed messages but instead
   require retransmission of not only the failed message but also all
   preceding messages within the window.
 For these reasons, we decided against using an existing transport

Steenstrup [Page 19] RFC 1479 IDPR Protocol July 1993

 protocol and in favor of developing CMTP.

2.1. Message Transmission

 At the transmitting entity, when an IDPR protocol is ready to issue a
 control message, it passes a copy of the message to CMTP; it also
 passes a set of parameters to CMTP for inclusion in the CMTP header
 and for proper CMTP message handling.  In turn, CMTP converts the
 control message and associated parameters into a DATAGRAM by
 prepending the appropriate header to the control message.  The CMTP
 header contains several pieces of information to aid the message
 recipient in detecting errors (see section 2.4).  Each IDPR protocol
 can specify all of the following CMTP parameters applicable to its
 control message:
  1. IDPR protocol and message type.
  1. Destination.
  1. Integrity/authentication scheme.
  1. Timestamp.
  1. Maximum number of transmissions allotted.
  1. Retransmission interval in microseconds.
 One of these parameters, the timestamp, can be specified directly by
 CMTP as the internal clock time at which the message is transmitted.
 However, two of the IDPR protocols, namely flooding and path control,
 themselves require message generation timestamps for proper protocol
 operation.  Thus, instead of requiring CMTP to pass back a timestamp
 to an IDPR protocol, we simplify the service interface between CMTP
 and the IDPR protocols by allowing an IDPR protocol to specify the
 timestamp in the first place.
 Using the control message and accompanying parameters supplied by the
 IDPR protocol, CMTP constructs a DATAGRAM, adding to the header
 CMTP-specific parameters.  In particular, CMTP assigns a "transaction
 identifier" to each DATAGRAM generated, which it uses to associate
 acknowledgements with DATAGRAM messages.  Each DATAGRAM recipient
 includes the received transaction identifier in its returned ACK or
 NAK, and each DATAGRAM sender uses the transaction identifier to
 match the received ACK or NAK with the original DATAGRAM.
 A single DATAGRAM, for example a routing information message or a
 path control message, may be handled by CMTP at many different policy
 gateways.  Within a pair of consecutive IDPR entities, the DATAGRAM

Steenstrup [Page 20] RFC 1479 IDPR Protocol July 1993

 sender expects to receive an acknowledgement from the DATAGRAM
 recipient.  However, only the IDPR entity that actually generated the
 original CMTP DATAGRAM has control over the transaction identifier,
 because that entity may supply a digital signature that covers the
 entire DATAGRAM.  The intermediate policy gateways that transmit the
 DATAGRAM do not change the transaction identifier.  Nevertheless, at
 each DATAGRAM recipient, the transaction identifier must uniquely
 distinguish the DATAGRAM so that only one acknowledgement from the
 next DATAGRAM recipient matches the original DATAGRAM.  Therefore,
 the transaction identifier must be globally unique.
 The transaction identifier consists of the numeric identifiers for
 the domain and IDPR entity (policy gateway or route server) issuing
 the original DATAGRAM, together with a 32-bit local identifier
 assigned by CMTP operating within that IDPR entity.  We recommend
 implementing the 32-bit local identifier either as a simple counter
 incremented for each DATAGRAM generated or as a fine granularity
 clock.  The former always guarantees uniqueness of transaction
 identifiers; the latter guarantees uniqueness of transaction
 identifiers, provided the clock granularity is finer than the minimum
 possible interval between DATAGRAM generations and the clock wrapping
 period is longer than the maximum round-trip delay to and from any
 internetwork destination.
 Before transmitting a DATAGRAM, CMTP computes the length of the
 entire message, taking into account the prescribed
 integrity/authentication scheme, and then computes the
 integrity/authentication value over the whole message.  CMTP includes
 both of these quantities, which are crucial for checking message
 integrity and authenticity at the recipient, in the DATAGRAM header.
 After sending a DATAGRAM, CMTP saves a copy and sets an associated
 retransmission timer, as directed by the IDPR protocol parameters.
 If the retransmission timer fires and CMTP has received neither an
 ACK nor a NAK for the DATAGRAM, CMTP then retransmits the DATAGRAM,
 provided this retransmission does not exceed the transmission
 allotment.  Whenever a DATAGRAM exhausts its transmission allotment,
 CMTP discards the DATAGRAM, informs the IDPR protocol that the
 control message transmission was not successful, and logs the event
 for network management.  In this case, the IDPR protocol may either
 resubmit its control message to CMTP, specifying an alternate
 destination, or discard the control message altogether.

Steenstrup [Page 21] RFC 1479 IDPR Protocol July 1993

2.2. Message Reception

 At the receiving entity, when CMTP obtains a DATAGRAM, it takes one
 of the following actions, depending upon the outcome of the message
 validation checks:
  1. The DATAGRAM passes the CMTP validation checks. CMTP then delivers

the DATAGRAM with enclosed IDPR control message, to the appropriate

   IDPR protocol, which in turn applies its own integrity checks to
   the control message before acting on the contents.  The recipient
   IDPR protocol, except in one case, directs CMTP to generate an ACK
   and return the ACK to the sender.  That exception is the up/down
   protocol (see section 3.2) which determines reachability of
   adjacent policy gateways and does not use CMTP ACK messages to
   notify the sender of message reception.  Instead, the up/down
   protocol messages themselves carry implicit information about
   message reception at the adjacent policy gateway.  In the cases
   where the recipient IDPR protocol directs CMTP to generate an ACK,
   it may pass control information to CMTP for inclusion in the ACK,
   depending on the contents of the original IDPR control message.
   For example, a route server unable to fill a request for routing
   information may inform the requesting IDPR entity, through an ACK
   for the initial request, to place its request elsewhere.
  1. The DATAGRAM fails at least one of the CMTP validation checks.

CMTP then generates a NAK, returns the NAK to the sender, and

   discards the DATAGRAM, regardless of the type of IDPR control
   message contained in the DATAGRAM.  The NAK indicates the nature of
   the validation failure and serves to help the sender establish
   communication with the recipient.  In particular, the CMTP NAK
   provides a mechanism for negotiation of IDPR version and
   integrity/authentication scheme, two parameters crucial for
   establishing communication between IDPR entities.
 Upon receiving an ACK or a NAK, CMTP immediately discards the message
 if at least one of the validation checks fails or if it is unable to
 locate the associated DATAGRAM.  CMTP logs the latter event for
 network management.  Otherwise, if all of the validation checks pass
 and if it is able to locate the associated DATAGRAM, CMTP clears the
 associated retransmission timer and then takes one of the following
 actions, depending upon the message type:
  1. The message is an ACK. CMTP discards the associated DATAGRAM and

delivers the ACK, which may contain IDPR control information, to

   the appropriate IDPR protocol.
  1. The message is a NAK. If the associated DATAGRAM has exhausted its

transmission allotment, CMTP discards the DATAGRAM, informs the

Steenstrup [Page 22] RFC 1479 IDPR Protocol July 1993

   appropriate IDPR protocol that the control message transmission was
   not successful, and logs the event for network management.
   Otherwise, if the associated DATAGRAM has not yet exhausted its
   transmission allotment, CMTP first checks its copy of the DATAGRAM
   against the failure indication contained in the NAK.  If its
   DATAGRAM copy appears to be intact, CMTP retransmits the DATAGRAM
   and sets the associated retransmission timer.  However, if its
   DATAGRAM copy appears to be corrupted, CMTP discards the DATAGRAM,
   informs the IDPR protocol that the control message transmission was
   not successful, and logs the event for network management.

2.3. Message Validation

 On every CMTP message received, CMTP performs a set of validation
 checks to test message integrity and authenticity.  The order in
 which these tests are executed is important.  CMTP must first
 determine if it can parse enough of the message to compute the
 integrity/authentication value.  (Refer to section 2.4 for a
 description of CMTP message formats.)  Then, CMTP must immediately
 compute the integrity/authentication value before checking other
 header information.  An incorrect integrity/authentication value
 means that the message is corrupted, and so it is likely that CMTP
 header information is incorrect.  Checking specific header fields
 before computing the integrity/authentication value not only may
 waste time and resources, but also may lead to incorrect diagnoses of
 a validation failure.
 The CMTP validation checks are as follows:
  1. CMTP verifies that it can recognize both the control message

version type contained in the header. Failure to recognize either

   one of these values means that CMTP cannot continue to parse the
   message.
  1. CMTP verifies that it can recognize and accept the

integrity/authentication type contained in the header; no

   integrity/authentication is not an acceptable type for CMTP.
  1. CMTP computes the integrity/authentication value and verifies that

it equals the integrity/authentication value contained in the

   header.  For key-based integrity/authentication schemes, CMTP may
   use the source domain identifier contained in the CMTP header to
   index the correct key.  Failure to index a key means that CMTP
   cannot compute the integrity/authentication value.
  1. CMTP computes the message length in bytes and verifies that it

equals the length value contained in the header.

Steenstrup [Page 23] RFC 1479 IDPR Protocol July 1993

  1. CMTP verifies that the message timestamp is in the acceptable

range. The message should be no more recent than cmtp_new (300)

   seconds ahead of the entity's current internal clock time.  In this
   document, when we present an IDPR system configuration parameter,
   such as cmtp_new, we usually follow it with a recommended value in
   parentheses.  The cmtp_new value allows some clock drift between
   IDPR entities.  Moreover, each IDPR protocol has its own limit on
   the maximum age of its control messages.  The message should be no
   less recent than a prescribed number of seconds behind the
   recipient entity's current internal clock time.  Hence, each IDPR
   protocol performs its own message timestamp check in addition to
   that performed by CMTP.
  1. CMTP verifies that it can recognize the IDPR protocol designated

for the enclosed control message.

 Whenever CMTP encounters a failure while performing any of these
 validation checks, it logs the event for network management.  If the
 failure occurs on a DATAGRAM, CMTP immediately generates a NAK
 containing the reason for the failure, returns the NAK to the sender,
 and discards the DATAGRAM message.  If the failure occurs on an ACK
 or a NAK, CMTP discards the ACK or NAK message.

2.4. CMTP Message Formats

 In designing the format of IDPR control messages, we have attempted
 to strike a balance between efficiency of link bandwidth usage and
 efficiency of message processing.  In general, we have chosen compact
 representations for IDPR information in order to minimize the link
 bandwidth consumed by IDPR-specific information.  However, we have
 also organized IDPR information in order to speed message processing,
 which does not always result in minimum link bandwidth usage.
 To limit link bandwidth usage, we currently use fixed-length
 identifier fields in IDPR messages; domains, virtual gateways, policy
 gateways, and route servers are all represented by fixed-length
 identifiers.  To simplify message processing, we currently align
 fields containing an even number of bytes on even-byte boundaries
 within a message.  In the future, if the Internet adopts the use of
 super domains, we will offer hierarchical, variable-length identifier
 fields in an updated version of IDPR.
 The header of each CMTP message contains the following information:

Steenstrup [Page 24] RFC 1479 IDPR Protocol July 1993

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |    VERSION    |  PRT  |  MSG  |  DPR  |  DMS  |    I/A TYP    |
 +---------------+-------+-------+-------+-------+---------------+
 |           SOURCE AD           |           SOURCE ENT          |
 +-------------------------------+-------------------------------+
 |                           TRANS ID                            |
 +---------------------------------------------------------------+
 |                           TIMESTAMP                           |
 +-------------------------------+-------------------------------+
 |            LENGTH             |       message specific        |
 +-------------------------------+-------------------------------+
 |         DATAGRAM AD           |         DATAGRAM ENT          |
 +-------------------------------+-------------------------------+
 |                             INFORM                            |
 +---------------------------------------------------------------+
 |                            INT/AUTH                           |
 |                                                               |
 +---------------------------------------------------------------+
 VERSION
      (8 bits) Version number for IDPR control messages, currently
      equal to 1.
 PRT (4 bits) Numeric identifier for the control message transport
      protocol, equal to 0 for CMTP.
 MSG (4 bits) Numeric identifier for the CMTP message type,equal to 0
      for a DATAGRAM, 1 for an ACK, and 2 for a NAK.
 DPR (4 bits) Numeric identifier for the original DATAGRAM's IDPR
      protocol type.
 DMS (4 bits) Numeric identifier for the original DATAGRAM's IDPR
      message type.
 I/A TYP (8 bits) Numeric identifier for the integrity/authentication
      scheme used.  CMTP requires the use of an
      integrity/authentication scheme; this value must not be set
      equal to 0, indicating no integrity/authentication in use.
 SOURCE AD (16 bits) Numeric identifier for the domain containing the
      IDPR entity that generated the message.
 SOURCE ENT (16 bits) Numeric identifier for the IDPR entity that
      generated the message.

Steenstrup [Page 25] RFC 1479 IDPR Protocol July 1993

 TRANSACTION ID (32 bits) Local transaction identifier assigned by the
      IDPR entity that generated the original DATAGRAM.
 TIMESTAMP (32 bits) Number of seconds elapsed since 1 January 1970
      0:00 GMT.
 LENGTH (16 bits) Length of the entire IDPR control message, including
      the CMTP header, in bytes.
 message specific (16 bits) Dependent upon CMTP message type.
      For DATAGRAM and ACK messages:
           RESERVED
                (16 bits) Reserved for future use and currently set
                equal to 0.
      For NAK messages:
           ERR TYP (8 bits) Numeric identifier for the type of CMTP
                validation failure encountered.  Validation failures
                include the following types:
                1.   Unrecognized IDPR control message version number.
                2.   Unrecognized CMTP message type.
                3.   Unrecognized integrity/authentication scheme.
                4.   Unacceptable integrity/authentication scheme.
                5.   Unable to locate key using source domain.
                6.   Incorrect integrity/authentication value.
                7.   Incorrect message length.
                8.   Message timestamp out of range.
                9.   Unrecognized IDPR protocol designated for the
                enclosed control message.

Steenstrup [Page 26] RFC 1479 IDPR Protocol July 1993

           ERR INFO (8 bits) CMTP supplies the following additional
                information for the designated types of validation
                failures:
                Type 1:
                    Acceptable IDPR control message version number.
                Types 3 and 4: Acceptable integrity/authentication
                    type.
 DATAGRAM AD
      (16 bits) Numeric identifier for the domain containing the IDPR
      entity that generated the original DATAGRAM.  Present only in
      ACK and NAK messages.
 DATAGRAM ENT (16 bits) Numeric identifier for the IDPR entity that
      generated the original DATAGRAM.  Present only in ACK and NAK
      messages.
 INFORM (optional,variable) Information to be interpreted by the IDPR
      protocol that issued the original DATAGRAM.  Present only in ACK
      messages and dependent on the original DATAGRAM's IDPR protocol
      type.
 INT/AUTH (variable) Computed integrity/authentication value,
      dependent on the type of integrity/authentication scheme used.

3. Virtual Gateway Protocol

 Every policy gateway within a domain participates in gathering
 information about connectivity within and between virtual gateways of
 which it is a member and in distributing this information to other
 virtual gateways in its domain.  We refer to these functions
 collectively as the Virtual Gateway Protocol (VGP).
 The information collected through VGP has both local and global
 significance for IDPR.  Virtual gateway connectivity information,
 distributed to policy gateways within a single domain, aids those
 policy gateways in selecting routes across and between virtual
 gateways connecting their domain to adjacent domains.  Inter-domain
 connectivity information, distributed throughout an internetwork in
 routing information messages, aids route servers in constructing
 feasible policy routes.
 Provided that a domain contains simple virtual gateway and transit
 policy configurations, one need only implement a small subset of the
 VGP functions.  The connectivity among policy gateways within a
 virtual gateway and the heterogeneity of transit policies within a

Steenstrup [Page 27] RFC 1479 IDPR Protocol July 1993

 domain determine which VGP functions must be implemented, as we
 explain toward the end of this section.

3.1. Message Scope

 Policy gateways generate VGP messages containing information about
 perceived changes in virtual gateway connectivity and distribute
 these messages to other policy gateways within the same domain and
 within the same virtual gateway.  We classify VGP messages into three
 distinct categories: "pair-PG", "intra-VG", and "inter-VG", depending
 upon the scope of message distribution.
 Policy gateways use CMTP for reliable transport of VGP messages.  The
 issuing policy gateway must communicate to CMTP the maximum number of
 transmissions per VGP message, vgp_ret, and the interval between VGP
 message retransmissions, vgp_int microseconds.  The recipient policy
 gateway must determine VGP message acceptability; conditions of
 acceptability depend on the type of VGP message, as we describe
 below.
 Policy gateways store, act upon, and in the case of inter-VG
 messages, forward the information contained in acceptable VGP
 messages.  VGP messages that pass the CMTP validation checks but fail
 a specific VGP message acceptability check are considered to be
 unacceptable and are hence discarded by recipient policy gateways.  A
 policy gateway that receives an unacceptable VGP message also logs
 the event for network management.

3.1.1. Pair-PG Messages

 Pair-PG message communication occurs between the two members of a
 pair of adjacent, peer, or neighbor policy gateways.  With IDPR, the
 only pair-PG messages are those periodically generated by the up/down
 protocol and used to monitor mutual reachability between policy
 gateways.
 A pair-PG message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than vgp_old (300) seconds behind the

recipient's internal clock time.

  1. Its destination policy gateway identifier coincides with the

identifier of the recipient policy gateway.

  1. Its source policy gateway identifier coincides with the identifier

of a policy gateway configured for the recipient's domain or

Steenstrup [Page 28] RFC 1479 IDPR Protocol July 1993

   associated virtual gateway.

3.1.2. Intra-VG Messages

 Intra-VG message communication occurs between one policy gateway and
 all of its peers.  Whenever a policy gateway discovers that its
 connectivity to an adjacent or neighbor policy gateway has changed,
 it issues an intra-VG message indicating the connectivity change to
 all of its reachable peers.  Whenever a policy gateway detects that a
 previously unreachable peer is now reachable, it issues, to that
 peer, intra-VG messages indicating connectivity to adjacent and
 neighbor policy gateways.  If the issuing policy gateway fails to
 receive an analogous intra-VG message from the newly reachable peer
 within twice the configured VGP retransmission interval, vgp_int
 microseconds, it actively requests the intra-VG message from that
 peer.  These message exchanges ensure that peers maintain a
 consistent view of each others' connectivity to adjacent and neighbor
 policy gateways.
 An intra-VG message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than vgp_old (300) seconds behind the

recipient's internal clock time.

  1. Its virtual gateway identifier coincides with that of a virtual

gateway configured for the recipient's domain.

3.1.3. Inter-VG Messages

 Inter-VG message communication occurs between one policy gateway and
 all of its neighbors.  Whenever the lowest-numbered operational
 policy gateway in a set of mutually reachable peers discovers that
 its virtual gateway's connectivity to the adjacent domain or to
 another virtual gateway has changed, it issues an inter-VG message
 indicating the connectivity change to all of its neighbors.
 Specifically, the policy gateway distributes an inter-VG message to a
 "VG representative" policy gateway (see section 3.1.4 below) in each
 virtual gateway in the domain.  Each VG representative in turn
 propagates the inter-VG message to each of its peers.
 Whenever the lowest-numbered operational policy gateway in a set of
 mutually peers detects that one or more previously unreachable peers
 are now reachable, it issues, to the lowest-numbered operational
 policy gateway in all other virtual gateways, requests for inter-VG
 information indicating connectivity to adjacent domains and to other
 virtual gateways.  The recipient policy gateways return the requested

Steenstrup [Page 29] RFC 1479 IDPR Protocol July 1993

 inter-VG messages to the issuing policy gateway, which in turn
 distributes the messages to the newly reachable peers.  These message
 exchanges ensure that virtual gateways maintain a consistent view of
 each others' connectivity, while consuming minimal domain resources
 in distributing connectivity information.
 An inter-VG message contains information about the entire virtual
 gateway, not just about the issuing policy gateway.  Thus, when
 virtual gateway connectivity changes happen in rapid succession,
 recipients of the resultant inter-VG messages should be able to
 determine the most recent message and that message must contain the
 current virtual gateway connectivity information.  To ensure that the
 connectivity information distributed is consistent and unambiguous,
 we designate a single policy gateway, namely the lowest-numbered
 operational peer, for generating and distributing inter-VG messages.
 It is a simple procedure for a set of mutually reachable peers to
 determine the lowest-numbered member, as we describe in section 3.2
 below.
 To understand why a single member of a virtual gateway must issue
 inter-VG messages, consider the following example.  Suppose that two
 peers in a virtual gateway each detect a different connectivity
 change and generate separate inter-VG messages.  Recipients of these
 messages may not be able to determine which message is more recent if
 policy gateway internal clocks are not perfectly synchronized.
 Moreover, even if the clocks were perfectly synchronized, and hence
 message recency could be consistently determined, it is possible for
 each peer to issue its inter-VG message before receiving current
 information from the other.  As a result, neither inter-VG message
 contains the correct connectivity from the perspective of the virtual
 gateway.  However, these problems are eliminated if all inter-VG
 messages are generated by a single peer within a virtual gateway, in
 particular the lowest-numbered operational policy gateway.
 An inter-VG message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than vgp_old (300) seconds behind the

recipient's internal clock time.

  1. Its virtual gateway identifier coincides with that of a virtual

gateway configured for the recipient's domain.

  1. Its source policy gateway identifier represents the lowest numbered

operational member of the issuing virtual gateway, reachable from

   the recipient.

Steenstrup [Page 30] RFC 1479 IDPR Protocol July 1993

 Distribution of intra-VG messages among peers often triggers
 generation and distribution of inter-VG messages among virtual
 gateways.  Usually, the lowest-numbered operational policy gateway in
 a virtual gateway generates and distributes an inter-VG message
 immediately after detecting a change in virtual gateway connectivity,
 through receipt or generation of an intra-VG message.  However, if
 this policy gateway is also waiting for an intra-VG message from a
 newly reachable peer, it does not immediately generate and distribute
 the inter-VG message.
 Waiting for intra-VG messages enables the lowest-numbered operational
 policy gateway in a virtual gateway to gather the most recent
 connectivity information for inclusion in the inter-VG message.
 However, under unusual circumstances, the policy gateway may fail to
 receive an intra-VG message from a newly reachable peer, even after
 actively requesting such a message.  To accommodate this case, VGP
 uses an upper bound of four times the configured retransmission
 interval, vgp_int microseconds, on the amount of time to wait before
 generating and distributing an inter-VG message, when receipt of an
 intra-VG message is pending.

3.1.4. VG Representatives

 When distributing an inter-VG message, the issuing policy gateway
 selects as recipients one neighbor, the VG Representative, from each
 virtual gateway in the domain.  To be selected as a VG
 representative, a policy gateway must be reachable from the issuing
 policy gateway via intra-domain routing.  The issuing policy gateway
 gives preference to neighbors that are members of more than one
 virtual gateway.  Such a neighbor acts as a VG representative for all
 virtual gateways of which it is a member and restricts inter-VG
 message distribution as follows: any policy gateway that is a peer in
 more than one of the represented virtual gateways receives at most
 one copy of the inter-VG message.  This message distribution strategy
 minimizes the number of message copies required for disseminating
 inter-VG information.

3.2. Up/Down Protocol

 Directly-connected adjacent policy gateways execute the Up/Down
 Protocol to determine mutual reachability.  Pairs of peer or neighbor
 policy gateways can determine mutual reachability through information
 provided by the intra-domain routing procedure or through execution
 of the up/down protocol.  In general, we do not recommend
 implementing the up/down protocol between each pair of policy
 gateways in a domain, as it results in O(n**2) (where n is the number
 of policy gateways within the domain) communications complexity.
 However, if the intra-domain routing procedure is slow to detect

Steenstrup [Page 31] RFC 1479 IDPR Protocol July 1993

 connectivity changes or is unable to report reachability at the IDPR
 entity level, the reachability information obtained through the
 up/down protocol may well be worth the extra communications cost.  In
 the remainder of this section, we decribe the up/down protocol from
 the perspective of adjacent policy gateways, but we note that the
 identical protocol can be applied to peer and neighbor policy
 gateways as well.
 The up/down protocol determines whether the direct connection between
 adjacent policy gateways is acceptable for data traffic transport.  A
 direct connection is presumed to be "down" (unacceptable for data
 traffic transport) until the up/down protocol declares it to be "up"
 (acceptable for data traffic transport).  We say that a virtual
 gateway is "up" if there exists at least one pair of adjacent policy
 gateways whose direct connection is acceptable for data traffic
 transport, and that a virtual gateway is "down" if there exists no
 such pair of adjacent policy gateways.
 When executing the up/down protocol, policy gateways exchange UP/DOWN
 messages every ud_per (1) second.  All policy gateways use the same
 default period of ud_per initially and then negotiate a preferred
 period through exchange of UP/DOWN messages.  A policy gateway
 reports its desired value for ud_per within its UP/DOWN messages.  It
 then chooses the larger of its desired value and that of the adjacent
 policy gateway as the period for exchanging subsequent UP/DOWN
 messages.  Policy gateways also exchange, in UP/DOWN messages,
 information about the identity of their respective domain components.
 This information assists the policy gateways in selecting routes
 across virtual gateways to partitioned domains.
 Each UP/DOWN message is transported using CMTP and hence is covered
 by the CMTP validation checks.  However, unlike other IDPR control
 messages, UP/DOWN messages do not require reliable transport.
 Specifically, the up/down protocol requires only a single
 transmission per UP/DOWN message and never directs CMTP to return an
 ACK.  As pair-PG messages, UP/DOWN messages are acceptable under the
 conditions described in section 3.1.1.
 Each policy gateway assesses the state of its direct connection, to
 the adjacent policy gateway, by counting the number of acceptable
 UP/DOWN messages received within a set of consecutive periods.  A
 policy gateway communicates its perception of the state of the direct
 connection through its UP/DOWN messages.  Initially, a policy gateway
 indicates the down state in each of its UP/DOWN messages.  Only when
 the direct connection appears to be up from its perspective does a
 policy gateway indicate the up state in its UP/DOWN messages.
 A policy gateway can begin to transport data traffic over a direct

Steenstrup [Page 32] RFC 1479 IDPR Protocol July 1993

 connection only if both of the following conditions are true:
  1. The policy gateway receives from the adjacent policy gateway at

least j acceptable UP/DOWN messages within the last m consecutive

   periods.  From the recipient policy gateway's perspective, this
   event up.  Hence, the recipient policy gateway indicates the up
   state in its subsequent UP/DOWN messages.
  1. The UP/DOWN message most recently received from the adjacent policy

gateway indicates the up state, signifying that the adjacent policy

   gateway considers the direct connection to be up.
 A policy gateway must cease to transport data traffic over a direct
 connection whenever either of the following conditions is true:
  1. The policy gateway receives from the adjacent policy gateway at

most acceptable UP/DOWN messages within the last n consecutive

   periods.
  1. The UP/DOWN message most recently received from the adjacent policy

gateway indicates the down state, signifying that the adjacent

   policy gateway considers the direct connection to be down.
 From the recipient policy gateway's perspective, either of these
 events constitutes a state transition of the direct connection from
 up to down.  Hence, the policy gateway indicates the down state in
 its subsequent UP/DOWN messages.

3.3. Implementation

 We recommend implementing the up/down protocol using a sliding
 window.  Each window slot indicates the UP/DOWN message activity
 during a given period, containing either a "hit" for receipt of an
 acceptable UP/DOWN message or a "miss" for failure to receive an
 acceptable UP/DOWN message.  In addition to the sliding window, the
 implementation should include a tally of hits recorded during the
 current period and a tally of misses recorded over the current
 window.
 When the direct connection moves to the down state, the initial
 values of the up/down protocol parameters must be set as follows:
  1. The sliding window size is equal to m.
  1. Each window slot contains a miss.
  1. The current period hit tally is equal to 0.

Steenstrup [Page 33] RFC 1479 IDPR Protocol July 1993

  1. The current window miss tally is equal to m.
 When the direct connection moves to the up state, the initial values
 of the up/down protocol parameters must be set as follows:
  1. The sliding window size is equal to n.
  1. Each window slot contains a hit.
  1. The current period hit tally is equal to 0.
  1. The current window miss tally is equal to 0.
 At the conclusion of each period, a policy gateway computes the miss
 tally and determines whether there has been a state transition of the
 direct connection to the adjacent policy gateway.  In the down state,
 a miss tally of no more than m - j signals a transition to the up
 state.  In the up state, a miss tally of no less than n - k signals a
 transition to the down state.
 Computing the correct miss tally involves several steps.  First, the
 policy gateway prepares to slide the window by one slot so that the
 oldest slot disappears, making room for the newest slot.  However,
 before sliding the window, the policy gateway checks the contents of
 the oldest window slot.  If this slot contains a miss, the policy
 gateway decrements the miss tally by 1, as this slot is no longer
 part of the current window.
 After sliding the window, the policy gateway determines the proper
 contents.  If the hit tally for the current period equals 0, the
 policy gateway records a miss for the newest slot and increments the
 miss tally by 1.  Otherwise, if the hit tally for the current period
 is greater than 0, the policy gateway records a hit for the newest
 slot and decrements the hit tally by 1.  Moreover, the policy gateway
 applies any remaining hits to slots containing misses, beginning with
 the newest and progressing to the oldest such slot.  For each such
 slot containing a miss, the policy gateway records a hit in that slot
 and decrements both the hit and miss tallies by 1, as the hit cancels
 out a miss.  The policy gateway continues to apply each remaining hit
 tallied to any slot containing a miss, until either all such hits are
 exhausted or all such slots are accounted for.  Before beginning the
 next up/down period, the policy gateway resets the hit tally to 0.
 Although we expect the hit tally, within any given period, to be no
 greater than 1, we do anticipate the occasional period in which a
 policy gateway receives more than one UP/DOWN message from an
 adjacent policy gateway.  The most common reasons for this occurrence
 are message delay and clock drift.  When an UP/DOWN message is

Steenstrup [Page 34] RFC 1479 IDPR Protocol July 1993

 delayed, the receiving policy gateway observes a miss in one period
 followed by two hits in the next period, one of which cancels the
 previous miss.  However, excess hits remaining in the tally after
 miss cancellation indicate a problem, such as clock drift.  Thus,
 whenever a policy gateway accumulates excess hits, it logs the event
 for network management.
 When clock drift occurs between two adjacent policy gateways, it
 causes the period of one policy gateway to grow with respect to the
 period of the other policy gateway.  Let p(X) be the period for PG X,
 let p(Y) be the period for PG Y, and let g and h be the smallest
 positive integers such that g * p(X) = h * p(Y).  Suppose that p(Y) >
 p(X) because of clock drift.  In this case, PG X observes g - h
 misses in g consecutive periods, while PG Y observes g - h surplus
 hits in h consecutive periods.  As long as (g - h)/g < (n - k)/n and
 (g - h)/g < or = (m - j)/m, the clock drift itself will not cause the
 direct connection to enter or remain in the down state.

3.4. Policy Gateway Connectivity

 Policy gateways collect connectivity information through the intra-
 domain routing procedure and through VGP, and they distribute
 connectivity changes through VGP in both intra-VG messages to peers
 and inter-VG messages to neighbors.  Locally, this connectivity
 information assists policy gateways in selecting routes, not only
 across a virtual gateway to an adjacent domain but also across a
 domain between two virtual gateways.  Moreover, changes in
 connectivity between domains are distributed, in routing information
 messages, to route servers throughout an internetwork.

3.4.1. Within a Virtual Gateway

 Each policy gateway within a virtual gateway constantly monitors its
 connectivity to all adjacent and to all peer policy gateways.  To
 determine the state of its direct connection to an adjacent policy
 gateway, a policy gateway uses reachability information supplied by
 the up/down protocol.  To determine the state of its intra-domain
 routes to a peer policy gateway, a policy gateway uses reachability
 information supplied by either the intra-domain routing procedure or
 the up/down protocol.
 A policy gateway generates a PG CONNECT message whenever either of
 the following conditions is true:
  1. The policy gateway detects a change, in state or in adjacent

domain component, associated with its direct connection to an

     adjacent policy gateway.  In this case, the policy gateway
     distributes a copy of the message to each peer reachable via

Steenstrup [Page 35] RFC 1479 IDPR Protocol July 1993

     intra-domain routing.
  1. The policy gateway detects that a previously unreachable peer is

now reachable. In this case, the policy gateway distributes a

     copy of the message to the newly reachable peer.
 A PG CONNECT message is an intra-VG message that includes information
 about each adjacent policy gateway directly connected to the issuing
 policy gateway.  Specifically, the PG CONNECT message contains the
 adjacent policy gateway's identifier, status (reachable or
 unreachable), and domain component identifier.  If a PG CONNECT
 message contains a "request", each peer that receives the message
 responds to the sender with its own PG CONNECT message.
 All mutually reachable peers monitor policy gateway connectivity
 within their virtual gateway, through the up/down protocol, the
 intra-domain routing procedure, and the exchange of PG CONNECT
 messages.  Within a given virtual gateway, each constituent policy
 gateway maintains the following information about each configured
 adjacent policy gateway:
  1. The identifier for the adjacent policy gateway.
  1. The status of the adjacent policy gateway: reachable/unreachable,

directly connected/not directly connected.

  1. The local exit interfaces used to reach the adjacent policy

gateway, provided it is reachable.

  1. The identifier for the adjacent policy gateway's domain component.
  1. The set of peers to which the adjacent policy gateway is

directly-connected.

 Hence, all mutually reachable peers can detect changes in
 connectivity across the virtual gateway to adjacent domain
 components.
 When the lowest-numbered operational peer policy gateway within a
 virtual gateway detects a change in the set of adjacent domain
 components reachable through direct connections across the given
 virtual gateway, it generates a VGCONNECT message and distributes a
 copy to a VG representative in all other virtual gateways connected
 to its domain.  A VG CONNECT message is an inter-VG message that
 includes information about each peer's connectivity across the given
 virtual gateway.  Specifically, the VG CONNECT message contains, for
 each peer, its identifier and the identifiers of the domain
 components reachable through its direct connections to adjacent

Steenstrup [Page 36] RFC 1479 IDPR Protocol July 1993

 policy gateways.  Moreover, the VG CONNECT message gives each
 recipient enough information to determine the state, up or down, of
 the issuing virtual gateway.
 The issuing policy gateway, namely the lowest-numbered operational
 peer, may have to wait up to four times vgp_int microseconds after
 detecting the connectivity change, before generating and distributing
 the VGCONNECT message, as described in section 3.1.3.  Each recipient
 VG representative in turn distributes a copy of the VG CONNECT
 message to each of its peers reachable via intra-domain routing.  If
 a VG CONNECT message contains a "request", then in each recipient
 virtual gateway, the lowest-numbered operational peer that receives
 the message responds to the original sender with its own VGCONNECT
 message.

3.4.2. Between Virtual Gateways

 At present, we expect transit policies to be uniform over all intra-
 domain routes between any pair of policy gateways within a domain.
 However, when tariffed qualities of service become prevalent
 offerings for intra-domain routing, we can no longer expect
 uniformity of transit policies throughout a domain.  To monitor the
 transit policies supported on intra-domain routes between virtual
 gateways requires both a policy-sensitive intra-domain routing
 procedure and a VGP exchange of policy information between neighbor
 policy gateways.
 Each policy gateway within a domain constantly monitors its
 connectivity to all peer and neighbor policy gateways, including the
 transit policies supported on intra-domain routes to these policy
 gateways.  To determine the state of its intra-domain connection to a
 peer or neighbor policy gateway, a policy gateway uses reachability
 information supplied by either the intra-domain routing procedure or
 the up/down protocol.  To determine the transit policies supported on
 intra-domain routes to a peer or neighbor policy gateway, a policy
 gateway uses policy-sensitive reachability information supplied by
 the intra-domain routing procedure.  We note that when transit
 policies are uniform over a domain, reachability and policy-sensitive
 reachability are equivalent.
 Within a virtual gateway, each constituent policy gateway maintains
 the following information about each configured peer and neighbor
 policy gateway:
  1. The identifier for the peer or neighbor policy gateway.
  1. The identifiers corresponding to the transit policies configured to

be supported by intra-domain routes to the peer or neighbor policy

Steenstrup [Page 37] RFC 1479 IDPR Protocol July 1993

   gateway.
  1. According to each transit policy, the status of the peer or

neighbor policy gateway: reachable/unreachable.

  1. For each transit policy, the local exit interfaces used to reach

the peer or neighbor policy gateway, provided it is reachable.

  1. The identifiers for the adjacent domain components reachable

through direct connections from the peer or neighbor policy

   gateway, obtained through VG CONNECT messages.
 Using this information, a policy gateway can detect changes in its
 connectivity to an adjoining domain component, with respect to a
 given transit policy and through a given neighbor.  Moreover,
 combining the information obtained for all neighbors within a given
 virtual gateway, the policy gateway can detect changes in its
 connectivity, with respect to a given transit policy, to that virtual
 gateway and to adjoining domain components reachable through that
 virtual gateway.
 All policy gateways mutually reachable via intra-domain routes
 supporting a configured transit policy need not exchange information
 about perceived changes in connectivity, with respect to the given
 transit policy.  In this case, each policy gateway can infer
 another's policy-sensitive reachability to a third, through mutual
 intra-domain reachability information provided by the intra-domain
 routing procedure.  However, whenever two or more policy gateways are
 no longer mutually reachable with respect to a given transit policy,
 these policy gateways can no longer infer each other's reachability
 to other policy gateways, with respect to that transit policy.  In
 this case, these policy gateways must exchange explicit information
 about changes in connectivity to other policy gateways, with respect
 to that transit policy.
 A policy gateway generates a PG POLICY message whenever either of the
 following conditions is true:
  1. The policy gateway detects a change in its connectivity to another

virtual gateway, with respect to a configured transit policy, or to

   an adjoining domain component reachable through that virtual
   gateway.  In this case, the policy gateway distributes a copy of
   the message to each peer reachable via intra-domain routing but not
   currently reachable via any intra-domain routes of the given
   transit policy.
  1. The policy gateway detects that a previously unreachable peer is

reachable. In this case, the policy gateway distributes a copy of

Steenstrup [Page 38] RFC 1479 IDPR Protocol July 1993

   the message to the newly reachable peer.
 A PG POLICY message is an intra-VG message that includes information
 about each configured transit policy and each virtual gateway
 configured to be reachable from the issuing policy gateway via
 intra-domain routes of the given transit policy.  Specifically, the
 PGPOLICY message contains, for each configured transit policy:
  1. The identifier for the transit policy.
  1. The identifiers for the virtual gateways associated with the given

transit policy and currently reachable, with respect to that

   transit policy, from the issuing policy gateway.
  1. The identifiers for the domain components reachable from and

adjacent to the members of the given virtual gateways.

 If a PG POLICY message contains a "request", each peer that receives
 the message responds to the original sender with its own PG POLICY
 message.
 In addition to connectivity between itself and its neighbors, each
 policy gateway also monitors the connectivity, between domain
 components adjacent to its virtual gateway and domain components
 adjacent to other virtual gateways, through its domain and with
 respect to the configured transit policies.  For each member of each
 of its virtual gateways, a policy gateway monitors:
  1. The set of adjacent domain components currently reachable

through direct connections across the given virtual gateway. The

   policy gateway obtains this information through PG CONNECT messages
   from reachable peers and through UP/DOWN messages from adjacent
   policy gateways.
  1. For each configured transit policy, the set of virtual gateways

currently reachable from the given virtual gateway with respect to

   that transit policy and the set of adjoining domain components
   currently reachable through direct connections across those virtual
   gateways.  The policy gateway obtains this information through PG
   POLICY messages from peers, VG CONNECT messages from neighbors, and
   the intra-domain routing procedure.  Using this information, a
   policy gateway can detect connectivity changes, through its domain
   and with respect to a given transit policy, between adjoining
   domain components.
 When the lowest-numbered operational policy gateway within a virtual
 gateway detects a change in the connectivity between a domain
 component adjacent to its virtual gateway and a domain component

Steenstrup [Page 39] RFC 1479 IDPR Protocol July 1993

 adjacent to another virtual gateway in its domain, with respect to a
 configured transit policy, it generates a VG POLICY message and
 distributes a copy to a VG representative in selected virtual
 gateways connected to its domain.  In particular, the lowest-numbered
 operational policy gateway distributes a VG POLICY message to a VG
 representative in every other virtual gateway containing a member
 reachable via intra-domain routing but not currently reachable via
 any routes of the given transit policy.  A VG POLICY message is an
 inter-VG message that includes information about the connectivity
 between domain components adjacent to the issuing virtual gateway and
 domain components adjacent to the other virtual gateways in the
 domain, with respect to configured transit policies.  Specifically,
 the VG POLICY message contains, for each transit policy:
  1. The identifier for the transit policy.
  1. The identifiers for the virtual gateways associated with the given

transit policy and currently reachable, with respect to that

   transit policy, from the issuing virtual gateway.
  1. The identifiers for the domain components reachable from and

adjacent to the members of the given virtual gateways.

 The issuing policy gateway, namely the lowest-numbered operational
 peer, may have to wait up to four times vgp_int microseconds after
 detecting the connectivity change, before generating and distributing
 the VG POLICY message, as described in section 3.1.3.  Each recipient
 VG representative in turn distributes a copy of the VG POLICY message
 to each of its peers reachable via intra-domain routing.  If a VG
 POLICY message contains a "request", then in each recipient virtual
 gateway, the lowest-numbered operational peer that receives the
 message responds to the original sender with its own VG POLICY
 message.

3.4.3. Communication Complexity

 We offer an example, to provide an estimate of the number of VGP
 messages exchanged within a domain, AD X, after a detected change in
 policy gateway connectivity.  Suppose that an adjacent domain, AD Y,
 partitions such that the partition is detectable through the exchange
 of UP/DOWN messages across a virtual gateway connecting AD X and AD
 Y.  Let V be the number of virtual gateways in AD X.  Suppose each
 virtual gateway contains P peer policy gateways, and no policy
 gateway is a member of multiple virtual gateways.  Then, within AD X,
 the detected partition will result in the following VGP message
 exchanges:
  1. P policy gateways each receive at most P-1 PG CONNECT messages.

Steenstrup [Page 40] RFC 1479 IDPR Protocol July 1993

   Each policy gateway detecting the adjacent domain partition
   generates a PG CONNECT message and distributes it to each reachable
   peer in the virtual gateway.
  1. P * (V-1) policy gateways each receive at most one VG CONNECT

message. The lowest-numbered operational policy gateway in the

   virtual gateway detecting the partition of the adjacent domain
   generates a VG CONNECT message and distributes it to a VG
   representative in all other virtual gateways connected to the
   domain.  In turn, each VG representative distributes the VG CONNECT
   message to each reachable peer within its virtual gateway.
  1. P * (V-1) policy gateways each receive at most P-1 PG POLICY

messages, and only if the domain has more than a single uniform

   transit policy.  Each policy gateway in each virtual gateway
   generates a PG POLICY message and distributes it to all reachable
   peers not currently reachable with respect to the given transit
   policy.
  1. P * V policy gateways each receive at most V-1 VG POLICY messages,

only if the domain has more than a single uniform transit policy.

   The lowest-numbered operational policy gateway in each virtual
   gateway generates a VG POLICY message and distributes it to a VG
   representative in all other virtual gateways containing at least
   one reachable member not currently reachable with respect to the
   given transit policy.  In turn, each VG representative distributes
   a VG POLICY message to each peer within its virtual gateway.

3.5. VGP Message Formats

 The virtual gateway protocol number is equal to 0.  We describe the
 contents of each type of VGP message below.

3.5.1. UP/DOWN

 The UP/DOWN message type is equal to 0.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            SRC CMP            |            DST AD             |
 +-------------------------------+---------------+---------------+
 |            DST PG             |    PERIOD     |     STATE     |
 +-------------------------------+---------------+---------------+
 SRC CMP
      (16 bits) Numeric identifier for the domain component containing
      the issuing policy gateway.

Steenstrup [Page 41] RFC 1479 IDPR Protocol July 1993

 DST AD (16 bits) Numeric identifier for the destination domain.
 DST PG (16 bits) Numeric identifier for the destination policy
      gateway.
 PERIOD (8 bits) Length of the UP/DOWN message generation period, in
      seconds.
 STATE (8 bits) Perceived state (1 up, 0 down) of the direct
      connection from the perspective of the issuing policy gateway,
      contained in the right-most bit.

3.5.2. PG CONNECT

 The PG CONNECT message type is equal to 1.  PG CONNECT messages are
 not required for any virtual gateway containing exactly two policy
 gateways.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            ADJ AD             |      VG       |     RQST      |
 +-------------------------------+---------------+---------------+
 |            NUM RCH            |           NUM UNRCH           |
 +-------------------------------+-------------------------------+
 For each reachable adjacent policy gateway:
 +-------------------------------+-------------------------------+
 |            ADJ PG             |            ADJ CMP            |
 +-------------------------------+-------------------------------+
 For each unreachable adjacent policy gateway:
 +-------------------------------+
 |            ADJ PG             |
 +-------------------------------+
 ADJ AD
      (16 bits) Numeric identifier for the adjacent domain.
 VG (8 bits) Numeric identifier for the virtual gateway.
 RQST (8 bits) Request for a PG CONNECT message (1 request, 0 no
      request) from each recipient peer, contained in the right-most
      bit.
 NUM RCH (16 bits) Number of adjacent policy gateways within the
      virtual gateway, which are directly-connected to and currently
      reachable from the issuing policy gateway.
 NUM UNRCH (16 bits) Number of adjacent policy gateways within the

Steenstrup [Page 42] RFC 1479 IDPR Protocol July 1993

      virtual gateway, which are directly-connected to but not
      currently reachable from the issuing policy gateway.
 ADJ PG (16 bits) Numeric identifier for a directly-connected adjacent
      policy gateway.
 ADJ CMP (16 bits) Numeric identifier for the domain component
      containing the reachable, directly-connected adjacent policy
      gateway.

3.5.3. PG POLICY

 The PG POLICY message type is equal to 2.  PG POLICY messages are not
 required for any virtual gateway containing exactly two policy
 gateways or for any domain with a single uniform transit policy.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            ADJ AD             |      VG       |     RQST      |
 +-------------------------------+---------------+---------------+
 |            NUM TP             |
 +-------------------------------+
 For each transit policy associated with the virtual gateway:
 +-------------------------------+-------------------------------+
 |              TP               |            NUM VG             |
 +-------------------------------+-------------------------------+
 For each virtual gateway reachable via the transit policy:
 +-------------------------------+---------------+---------------+
 |            ADJ AD             |      VG       |    UNUSED     |
 +-------------------------------+---------------+---------------+
 |            NUM CMP            |            ADJ CMP            |
 +-------------------------------+-------------------------------+
 ADJ AD
      (16 bits) Numeric identifier for the adjacent domain.
 VG (8 bits) Numeric identifier for the virtual gateway.
 RQST (8 bits) Request for a PG POLICY message (1 request, 0 no
      request) from each recipient peer, contained in the right-most
      bit.
 NUM TP (8 bits) Number of transit policies configured to include the
      virtual gateway.
 TP (16 bits) Numeric identifier for a transit policy associated with
      the virtual gateway.

Steenstrup [Page 43] RFC 1479 IDPR Protocol July 1993

 NUM VG (16 bits) Number of virtual gateways reachable from the
      issuing policy gateway, via intra-domain routes supporting the
      transit policy.
 UNUSED (8 bits) Not currently used; must be set equal to 0.
 NUM CMP (16 bits) Number of adjacent domain components reachable via
      direct connections through the virtual gateway.
 ADJ CMP (16 bits) Numeric identifier for a reachable adjacent domain
      component.

3.5.4. VG CONNECT

 The VG CONNECT message type is equal to 3.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            ADJ AD             |      VG       |     RQST      |
 +-------------------------------+---------------+---------------+
 |            NUM PG             |
 +-------------------------------+
 For each reach policy gateway in the virtual gateway:
 +-------------------------------+-------------------------------+
 |              PG               |            NUM CMP            |
 +-------------------------------+-------------------------------+
 |            ADJ CMP            |
 +-------------------------------+
 ADJ AD
      (16 bits) Numeric identifier for the adjacent domain.
 VG (8 bits) Numeric identifier for the virtual gateway.
 RQST (8 bits) Request for a VG CONNECT message (1 request, 0 no
      request) from a recipient in each virtual gateway, contained in
      the right-most bit.
 NUM PG (16 bits) Number of mutually-reachable peer policy gateways in
      the virtual gateway.
 PG (16 bits) Numeric identifier for a peer policy gateway.
 NUM CMP (16 bits) Number of components of the adjacent domain
      reachable via direct connections from the policy gateway.

Steenstrup [Page 44] RFC 1479 IDPR Protocol July 1993

 ADJ CMP (16 bits) Numeric identifier for a reachable adjacent domain
      component.

3.5.5. VG POLICY

 The VG POLICY message type is equal to 4.  VG POLICY messages are not
 required for any domain with a single uniform transit policy.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            ADJ AD             |      VG       |     RQST      |
 +-------------------------------+---------------+---------------+
 |            NUM TP             |
 +-------------------------------+
 For each transit policy associated with the virtual gateway:
 +-------------------------------+-------------------------------+
 |              TP               |            NUM GRP            |
 +-------------------------------+-------------------------------+
 For each virtual gateway group reachable via the transit policy:
 +-------------------------------+-------------------------------+
 |            NUM VG             |            ADJ AD             |
 +---------------+---------------+-------------------------------+
 |     VG        |    UNUSED     |            NUM CMP            |
 +---------------+---------------+-------------------------------+
 |            ADJ CMP            |
 +-------------------------------+
 ADJ AD
      (16 bits) Numeric identifier for the adjacent domain.
 VG (8 bits) Numeric identifier for the virtual gateway.
 RQST (8 bits) Request for a VG POLICY message (1 request, 0 no
      request) from a recipient in each virtual gateway, contained in
      the right-most bit.
 NUM TP (16 bits) Number of transit policies configured to include the
      virtual gateway.
 TP (16 bits) Numeric identifier for a transit policy associated with
      the virtual gateway.
 NUM GRP (16 bits) Number of groups of virtual gateways, such that all
      members in a group are reachable from the issuing virtual
      gateway via intra-domain routes supporting the given transit
      policy.

Steenstrup [Page 45] RFC 1479 IDPR Protocol July 1993

 NUM VG (16 bits) Number of virtual gateways in a virtual gateway
      group.
 UNUSED (8 bits) Not currently used; must be set equal to 0.
 NUM CMP (16 bits) Number of adjacent domain components reachable via
      direct connections through the virtual gateway.
 ADJ CMP (16 bits) Numeric identifier for a reachable adjacent domain
      component.
 Normally, each VG POLICY message will contain a single virtual
 gateway group.  However, if the issuing virtual gateway becomes
 partitioned such that peers are mutually reachable with respect to
 some transit policies but not others, virtual gateway groups may be
 necessary.  For example, let PG X and PG Y be two peers in VG A which
 configured to support transit policies 1 and 2.  Suppose that PG X
 and PG Y are reachable with respect to transit policy 1 but not with
 respect to transit policy 2.  Furthermore, suppose that PG X can
 reach members of VG B via intra-domain routes of transit policy 2 and
 that PG Y can reach members of VG C via intra-domain routes of
 transit policy 2.  Then the entry in the VG POLICY message issued by
 VG A will include, for transit policy 2, two groups of virtual
 gateways, one containing VG B and one containing VG C.

3.5.6. Negative Acknowledgements

 When a policy gateway receives an unacceptable VGP message that
 passes the CMTP validation checks, it includes, in its CMTP ACK, an
 appropriate VGP negative acknowledgement.  This information is placed
 in the INFORM field of the CMTP ACK (described previously in section
 2.4); the numeric identifier for each type of VGP negative
 acknowledgement is contained in the left-most 8 bits of the INFORM
 field.  Negative acknowledgements associated with VGP include the
 following types:
 1.  Unrecognized VGP message type.  Numeric identifier for the
     unrecognized message type (8 bits).
 2.  Out-of-date VGP message.
 3.  Unrecognized virtual gateway source.  Numeric identifier for the
     unrecognized virtual gateway including the adjacent domain
     identifier (16 bits) and the local identifier (8 bits).

Steenstrup [Page 46] RFC 1479 IDPR Protocol July 1993

4. Routing Information Distribution

 Each domain participating in IDPR generates and distributes its
 routing information messages to route servers throughout an
 internetwork.  IDPR routing information messages contain information
 about the transit policies in effect across the given domain and the
 virtual gateway connectivity to adjacent domains.  Route servers in
 turn use IDPR routing information to generate policy routes between
 source and destination domains.
 There are three different procedures for distributing IDPR routing
 information:
  1. The flooding protocol. In this case, a representative policy

gateway in each domain floods its routing information messages to

   route servers in all other domains.
  1. Remote route server communication. In this case, a route server

distributes its domain's routing information messages to route

   servers in specific destination domains, by encapsulating these
   messages within IDPR data messages.  Thus, a domain administrator
   may control the distribution of the domain's routing information by
   restricting routing information exchange with remote route servers.
   Currently, routing information distribution restrictions are not
   included in IDPR configuration information.
  1. The route server query protocol. In this case, a policy gateway or

route server requests routing information from another route

   server, which in turn responds with routing information from its
   database.  The route server query protocol may be used for quickly
   updating the routing information maintained by a policy gateway
   or route server that has just been connected or reconnected to an
   internetwork.  It may also be used to retrieve routing information
   from domains that restrict distribution of their routing
   information.
 In this section, we describe the flooding protocol only.  In section
 5, we describe the route server query protocol, and in section 5.2,
 we describe communication between route servers in separate domains.
 Policy gateways and route servers use CMTP for reliable transport of
 IDPR routing information messages flooded between peer, neighbor, and
 adjacent policy gateways and between those policy gateways and route
 servers.  The issuing policy gateway must communicate to CMTP the
 maximum number of transmissions per routing information message,
 flood_ret, and the interval between routing information message
 retransmissions, flood_int microseconds.  The recipient policy
 gateway or route server must determine routing information message

Steenstrup [Page 47] RFC 1479 IDPR Protocol July 1993

 acceptability, as we describe in section 4.2.3 below.

4.1. AD Representatives

 We designate a single policy gateway, the "AD representative", for
 generating and distributing IDPR routing information about its
 domain, to ensure that the routing information distributed is
 consistent and unambiguous and to minimize the communication required
 for routing information distribution.  There is usually only a single
 AD representative per domain, namely the lowest-numbered operational
 policy gateway in the domain.  Within a domain, policy gateways need
 no explicit election procedure to determine the AD representative.
 Instead, all members of a set of policy gateways mutually reachable
 via intra-domain routes can agree on set membership and therefore on
 which member has the lowest number.
 A partitioned domain has as many AD representatives as it does domain
 components.  In fact, the numeric identifier for an AD representative
 is identical to the numeric identifier for a domain component.  One
 cannot normally predict when and where a domain partition will occur,
 and thus any policy gateway within a domain may become an AD
 representative at any time.  To prepare for the role of AD
 representative in the event of a domain partition, every policy
 gateway must continually monitor its domain's IDPR routing
 information, through VGP and through the intra-domain routing
 procedure.

4.2. Flooding Protocol

 An AD representative policy gateway uses unrestricted flooding among
 all domains to distribute its domain's IDPR routing information
 messages to route servers in an internetwork.  There are two kinds of
 IDPR routing information messages issued by each AD representative:
 CONFIGURATION and DYNAMIC messages.  Each CONFIGURATION message
 contains the transit policy information configured by the domain
 administrator, including for each transit policy, its identifier, its
 specification, and the sets of virtual gateways configured as
 mutually reachable via intra-domain routes supporting the given
 transit policy.  Each DYNAMIC message contains information about
 current virtual gateway connectivity to adjacent domains and about
 the sets of virtual gateways currently mutually reachable via intra-
 domain routes supporting the configured transit policies.
 The IDPR Flooding Protocol is similar to the flooding procedures
 described in [9]-[11].  Through flooding, the AD representative
 distributes its routing information messages to route servers in its
 own domain and in adjacent domains.  After generating a routing
 information message, the AD representative distributes a copy to each

Steenstrup [Page 48] RFC 1479 IDPR Protocol July 1993

 of its peers and to a selected VG representative (see section 3.1.4)
 in all other virtual gateways connected to the domain.  Each VG
 representative in turn distributes a copy of the routing information
 message to each of its peers.  We note that distribution of routing
 information messages among virtual gateways and among peers within a
 virtual gateway is identical to distribution of inter-VG messages in
 VGP, as described in section 3.1.3.
 Within a virtual gateway, each policy gateway distributes a copy of
 the routing information message:
  1. To each route server in its configured set of route servers. A

domain administrator should ensure that each route server not

   contained within a policy gateway appears in the set of configured
   route servers for at least two distinct policy gateways.  Hence,
   such a route server will continue to receive routing information
   messages, even when one of the policy gateways becomes unreachable.
   However, the route server will normally receive duplicate copies of
   a routing information message.
  1. To certain directly-connected adjacent policy gateways. A policy

gateway distributes a routing information message to a

   directly-connected adjacent policy gateway in an adjacent domain
   component, only when it is the lowest-numbered operational peer
   with a direct connection to the given domain component.  We note
   that each policy gateway knows, through information provided by
   VGP, which peers have direct connections to which components of
   the adjacent domain.  If the policy gateway has direct connections
   to more than one adjacent policy gateway in that domain component,
   it selects the routing information message recipient according to
   the order in which the adjacent policy gateways appear in its
   database, choosing the first one encountered.  This selection
   procedure ensures that a copy of the routing information message
   reaches each component of the adjacent domain, while limiting the
   number of copies distributed.
 Once a routing information message reaches an adjacent policy
 gateway, that policy gateway distributes copies of the message
 throughout its domain.  The adjacent policy gateway, acting as the
 first recipient of the routing information message in its domain,
 follows the same message distribution procedure as the AD
 representative in the source domain, as described above.  The
 flooding procedure terminates when all reachable route servers in an
 internetwork receive a copy of the routing information message.
 Neighbor policy gateways may receive copies of the same routing
 information message from different adjoining domains.  If two
 neighbor policy gateways receive the message copies simultaneously,

Steenstrup [Page 49] RFC 1479 IDPR Protocol July 1993

 they will distribute them to VG representatives in other virtual
 gateways within their domain, resulting in duplicate message
 distribution.  However, each policy gateway stops the spread of
 duplicate routing information messages as soon as it detects them, as
 described in section 4.2.3 below.  In the Internet, we expect
 simultaneous message receptions to be the exception rather than the
 rule, given the hierarchical structure of the current topology.

4.2.1. Message Generation

 An AD representative generates and distributes a CONFIGURATION
 message whenever there is a configuration change in a transit policy
 or virtual gateway associated with its domain.  This ensures that
 route servers maintain an up-to-date view of a domain's configured
 transit policies and adjacencies.  An AD representative may also
 distribute a CONFIGURATION message at a configurable period of
 conf_per (500) hours.  A CONFIGURATION message contains, for each
 configured transit policy, the identifier assigned by the domain
 administrator, the specification, and the set of associated "virtual
 gateway groups".  Each virtual gateway group comprises virtual
 gateways configured to be mutually reachable via intra-domain routes
 of the given transit policy.  Accompanying each virtual gateway
 listed is an indication of whether the virtual gateway is configured
 to be a domain entry point, a domain exit point, or both according to
 the given transit policy.  The CONFIGURATION message also contains
 the set of local route servers that the domain administrator has
 configured to be available to IDPR clients in other domains.
 An AD representative generates and distributes a DYNAMIC message
 whenever there is a change in currently supported transit policies or
 in current virtual gateway connectivity associated with its domain.
 This ensures that route servers maintain an up-to-date view of a
 domain's supported transit policies and existing adjacencies and how
 they differ from those configured for the domain.  Specifically, an
 AD representative generates a DYNAMIC message whenever there is a
 change in the connectivity, through the given domain and with respect
 to a configured transit policy, between two components of adjoining
 domains.  An AD representative may also distribute a DYNAMIC message
 at a configurable period of dyn_per (24) hours.  A DYNAMIC message
 contains, for each configured transit policy, its identifier,
 associated virtual gateway groups, and domain components reachable
 through virtual gateways in each group.  Each DYNAMIC message also
 contains the set of currently "unavailable", either down or
 unreachable, virtual gateways in the domain.
 We note that each virtual gateway group expressed in a DYNAMIC
 message may be a proper subset of one of the corresponding virtual
 gateway groups expressed in a CONFIGURATION message.  For example,

Steenstrup [Page 50] RFC 1479 IDPR Protocol July 1993

 suppose that, for a given domain, the virtual gateway group (VG
 A,...,VG E) were configured for a transit policy such that each
 virtual gateway was both a domain entry and exit point.  Thus, all
 virtual gateways in this group are configured to be mutually
 reachable via intra-domain routes of the given transit policy.  Now
 suppose that VG E becomes unreachable because of a power failure and
 furthermore that the remaining virtual gateways form two distinct
 groups, (VG A,VG B) and (VG C,VG D), such that although virtual
 gateways in both groups are still mutually reachable via some intra-
 domain routes they are no longer mutually reachable via any intra-
 domain routes of the given transit policy.  In this case, the virtual
 gateway groups for the given transit policy now become (VG A,VG B)
 and (VG C,VG D); VG E is listed as an unavailable virtual gateway.
 A route server uses information about the set of unavailable virtual
 gateways to determine which of its routes are no longer viable, and
 it subsequently removes such routes from its route database.
 Although route servers could determine the set of unavailable virtual
 gateways using information about configured virtual gateways and
 currently reachable virtual gateways, the associated processing cost
 is high.  In particular, a route server would have to examine all
 virtual gateway groups listed in a DYNAMIC message to determine
 whether there are any unavailable virtual gateways in the given
 domain.  To reduce the message processing at each route server, we
 have chosen to include the set of unavailable virtual gateways in
 each DYNAMIC message.
 In order to construct a DYNAMIC message, an AD representative
 assembles information gathered from intra-domain routing and from
 VGP.  Specifically, the AD representative uses the following
 information:
  1. VG CONNECT and UP/DOWN messages to determine the state, up or down,

of each of its domain's virtual gateways and the adjacent domain

   components reachable through a given virtual gateway.
  1. Intra-domain routing information to determine, for each of its

domain's transit policies, whether a given virtual gateway in the

   domain is reachable with respect to that transit policy.
  1. VG POLICY messages to determine the connectivity of adjoining

domain components, across the given domain and with respect to a

   configured transit policy, such that these components are adjacent
   to virtual gateways not currently reachable from the AD
   representative's virtual gateway according to the given transit
   policy.

Steenstrup [Page 51] RFC 1479 IDPR Protocol July 1993

4.2.2. Sequence Numbers

 Each IDPR routing information message carries a sequence number
 which, when used in conjunction with the timestamp carried in the
 CMTP message header, determines the recency of the message.  An AD
 representative assigns a sequence number to each routing information
 message it generates, depending upon its internal clock time:
  1. The AD representative sets the sequence number to 0, if its

internal clock time is greater than the timestamp in its previously

   generated routing information message.
  1. The AD representative sets the sequence number to 1 greater than

the sequence number in its previously generated routing information

   message, if its internal clock time equals the timestamp for its
   previously generated routing information message and if the
   previous sequence number is less than the maximum value
   (currently 2**16 - 1).  If the previous sequence number equals the
   maximum value, the AD representative waits until its internal clock
   time exceeds the timestamp in its previously generated routing
   information message and then sets the sequence number to 0.
 In general, we do not expect generation of multiple distinct IDPR
 routing information messages carrying identical timestamps, and so
 the sequence number may seem superfluous.  However, the sequence
 number may become necessary during synchronization of an AD
 representative's internal clock.  In particular, the AD
 representative may need to freeze the clock value during
 synchronization, and thus distinct sequence numbers serve to
 distinguish routing information messages generated during the clock
 synchronization interval.

4.2.3. Message Acceptance

 Prior to a policy gateway forwarding a routing information message or
 a route server incorporating routing information into its routing
 information database, the policy gateway or route server assesses
 routing information message acceptability.  An IDPR routing
 information message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than conf_old (530) hours behind the

recipient's internal clock time for CONFIGURATION messages and less

   than dyn_old (25) hours behind the recipient's internal clock time
   for DYNAMIC messages.
  1. Its timestamp and sequence number indicate that it is more recent

Steenstrup [Page 52] RFC 1479 IDPR Protocol July 1993

   than the currently-stored routing information from the given
   domain.  If there is no routing information currently stored from
   the given domain, then the routing information message contains, by
   default, the more recent information.
 Policy gateways acknowledge and forward acceptable IDPR routing
 information messages, according to the flooding protocol described in
 section 4.2 above.  Moreover, each policy gateway retains the
 timestamp and sequence number for the most recently accepted routing
 information message from each domain and uses these values to
 determine acceptability of routing information messages received in
 the future.  Route servers acknowledge the receipt of acceptable
 routing information messages and incorporate the contents of these
 messages into their routing information databases, contingent upon
 criteria discussed in section 4.2.4 below; however, they do not
 participate in the flooding protocol.  We note that when a policy
 gateway or route server first returns to service, it immediately
 updates its routing information database with routing information
 obtained from another route server, using the route server query
 protocol described in section 5.
 An AD representative takes special action upon receiving an
 acceptable routing information message, supposedly generated by
 itself but originally obtained from a policy gateway or route server
 other than itself.  There are at least three possible reasons for the
 occurrence of this event:
  1. The routing information message has been corrupted in a way that is

not detectable by the integrity/authentication value.

  1. The AD representative has experienced a memory error.
  1. Some other entity is generating routing information messages on

behalf of the AD representative.

 In any case, the AD representative logs the event for network
 management.  Moreover, the AD representative must reestablish its own
 routing information messages as the most recent for its domain.  To
 do so, the AD representative waits until its internal clock time
 exceeds the value of the timestamp in the received routing
 information message and then generates a new routing information
 message using the currently-stored domain routing information
 supplied by VGP and by the intra-domain routing procedure.  Note that
 the length of time the AD representative must wait to generate the
 new message is at most cmtp_new (300) seconds, the maximum CMTP-
 tolerated difference between the received message's timestamp and the
 AD representative's internal clock time.

Steenstrup [Page 53] RFC 1479 IDPR Protocol July 1993

 IDPR routing information messages that pass the CMTP validity checks
 but appear less recent than stored routing information are
 unacceptable.  Policy gateways do not forward unacceptable routing
 information messages, and route servers do not incorporate the
 contents of unacceptable routing information messages into their
 routing information databases.  Instead, the recipient of an
 unacceptable routing information message acknowledges the message in
 one of two ways:
  1. If the routing information message timestamp and sequence number

equal to the timestamp and sequence number associated with the

   stored routing information for the given domain, the recipient
   assumes that the routing information message is a duplicate and
   acknowledges the message.
  1. If the routing information message timestamp and sequence number

indicate that the message is less recent than the stored routing

   information for the domain, the recipient acknowledges the message
   with an indication that the routing information it contains is
   out-of-date.  Such a negative acknowledgement is a signal to the
   sender of the routing information message to request more up-to-
   date routing information from a route server, using the route
   server query protocol.  Furthermore, if the recipient of the out-
   of-date routing information message is a route server, it
   regenerates a routing information message from its own routing
   information database and forwards the message to the sender.  The
   sender may in turn propagate this more recent routing information
   message to other policy gateways and route servers.

4.2.4. Message Incorporation

 A route server usually stores the entire contents of an acceptable
 IDPR routing information message in its routing information database,
 so that it has access to all advertised transit policies when
 generating a route and so that it can regenerate routing information
 messages at a later point in time if requested to do so by another
 route server or policy gateway.  However, a route server may elect
 not to store all routing information message contents.  In
 particular, the route server need not store any transit policy that
 excludes the route server's domain as a source or any routing
 information from a domain that the route server's domain's source
 policies exclude for transit.  Selective storing of routing
 information message contents simplifies the route generation
 procedure since it reduces the search space of possible routes, and
 it limits the amount of route server memory devoted to routing
 information.  However, selective storing of routing information also
 means that the route server cannot always regenerate the original
 routing information message, if requested to do so by another route

Steenstrup [Page 54] RFC 1479 IDPR Protocol July 1993

 server or policy gateway.
 An acceptable IDPR routing information message may contain transit
 policy information that is not well-defined according to the route
 server's perception.  A CONFIGURATION message may contain an
 unrecognized domain, virtual gateway, or transit policy attribute,
 such as user class access restrictions or offered service.  In this
 case, "unrecognized" means that the value in the routing information
 message is not listed in the route server's configuration database,
 as described previously in section 1.8.2.  A DYNAMIC message may
 contain an unrecognized transit policy or virtual gateway.  In this
 case, "unrecognized" means that the transit policy or virtual gateway
 was not listed in the most recent CONFIGURATION message for the given
 domain.
 Each route server can always parse an acceptable routing information
 messsage, even if some of the information is not well-defined, and
 thus can always use the information that it does recognize.
 Therefore, a route server can store the contents of acceptable
 routing information messages from domains in which it is interested,
 regardless of whether all contents appear to be well-defined at
 present.  If a routing message contains unrecognized information, the
 route server may attempt to obtain the additional information it
 needs to decipher the unrecognized information.  For a CONFIGURATION
 message, the route server logs the event for network management; for
 a DYNAMIC message, the route server requests, from another route
 server, the most recent CONFIGURATION message for the domain in
 question.
 When a domain is partitioned, each domain component has its own AD
 representative, which generates routing information messages on
 behalf of that component.  Discovery of a domain partition prompts
 the AD representative for each domain component to generate and
 distribute a DYNAMIC message.  In this case, a route server receives
 and stores more than one routing information message at a time for
 the given domain, namely one for each domain component.
 When the partition heals, the AD representative for the entire domain
 generates and distributes a DYNAMIC message.  In each route server's
 routing information database, the new DYNAMIC message does not
 automatically replace all of the currently-stored DYNAMIC messages
 for the given domain.  Instead, the new message only replaces that
 message whose AD representative matches the AD representative for the
 new message.  The other DYNAMIC messages, generated during the period
 over which the partition occurred, remain in the routing information
 database until they attain their maximum lifetime, as described in
 section 4.2.5 below.  Such stale information may lead to the
 generation of routes that result in path setup failures and hence the

Steenstrup [Page 55] RFC 1479 IDPR Protocol July 1993

 selection of alternative routes.  To reduce the chances of path setup
 failures, we will investigate, for a future version of IDPR,
 mechanisms for removing partition-related DYNAMIC messages
 immediately after a partition disappears.

4.2.5. Routing Information Database

 We expect that most of the IDPR routing information stored in a
 routing information database will remain viable for long periods of
 time, perhaps until a domain reconfiguration occurs.  By "viable", we
 mean that the information reflects the current state of the domain
 and hence may be used successfully for generating policy routes.  To
 reduce the probability of retaining stale routing information, a
 route server imposes a maximum lifetime on each database entry,
 initialized when it incorporates an accepted entry into its routing
 information database.  The maximum lifetime should be longer than the
 corresponding message generation period, so that the database entry
 is likely to be refreshed before it attains its maximum lifetime.
 Each CONFIGURATION message stored in the routing information database
 has a maximum lifetime of conf_old (530) hours; each DYNAMIC message
 stored in the routing information database has a maximum lifetime of
 dyn_old (25) hours.  Periodic generation of routing information
 messages makes it unlikely that any routing information message will
 remain in a routing information database for its full lifetime.
 However, a routing information message may attain its maximum
 lifetime in a route server that is separated from a internetwork for
 a long period of time.
 When an IDPR routing information message attains its maximum lifetime
 in a routing information database, the route server removes the
 message contents from its database, so that it will not generate new
 routes with the outdated routing information nor distribute old
 routing information in response to requests from other route servers
 or policy gateways.  Nevertheless, the route server continues to
 dispense routes previously generated with the old routing
 information, as long as path setup (see section 7) for these routes
 succeeds.
 The route server treats routing information message lifetime
 expiration differently, depending on the type of routing information
 message.  When a CONFIGURATION message expires, the route server
 requests, from another route server, the most recent CONFIGURATION
 message issued for the given domain.  When a DYNAMIC message expires,
 the route server does not initially attempt to obtain more recent
 routing information.  Instead, if route generation is necessary, the
 route server uses the routing information contained in the
 corresponding CONFIGURATION message for the given domain.  Only if

Steenstrup [Page 56] RFC 1479 IDPR Protocol July 1993

 there is a path setup failure (see section 7.4) involving the given
 domain does the route server request, from another route server, the
 most recent DYNAMIC message issued for the given domain.

4.3. Routing Information Message Formats

 The flooding protocol number is equal to 1.  We describe the contents
 of each type of routing information message below.

4.3.1. CONFIGURATION

 The CONFIGURATION message type is equal to 0.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            AD CMP             |              SEQ              |
 +-------------------------------+-------------------------------+
 |            NUM TP             |            NUM RS             |
 +-------------------------------+-------------------------------+
 |              RS               |
 +-------------------------------+
 For each transit policy configured for the domain:
 +-------------------------------+-------------------------------+
 |              TP               |            NUM ATR            |
 +-------------------------------+-------------------------------+
 For each attribute of the transit policy:
 +-------------------------------+-------------------------------+
 |            ATR TYP            |            ATR LEN            |
 +-------------------------------+-------------------------------+
 For the source/destination access restrictions attribute:
 +-------------------------------+
 |          NUM AD GRP           |
 +-------------------------------+
 For each domain group in the source/destination access restrictions:
 +-------------------------------+-------------------------------+
 |            NUM AD             |              AD               |
 +---------------+---------------+-------------------------------+
 |    AD FLGS    |    NUM HST    |            HST SET            |
 +---------------+---------------+-------------------------------+
 For the temporal access restrictions attribute:
 +-------------------------------+
 |            NUM TIM            |
 +-------------------------------+

Steenstrup [Page 57] RFC 1479 IDPR Protocol July 1993

 For each set of times in the temporal access restrictions:
 +---------------+-----------------------------------------------+
 |   TIM FLGS    |                   DURATION                    |
 +---------------+-----------------------------------------------+
 |                             START                             |
 +-------------------------------+-------------------------------+
 |            PERIOD             |            ACTIVE             |
 +-------------------------------+-------------------------------+
 For the user class access restrictions attribute:
 +-------------------------------+
 |            NUM UCI            |
 +-------------------------------+
 For each UCI in the user class access restrictions:
 +---------------+
 |      UCI      |
 +---------------+
 For each offered service attribute:
 +---------------------------------------------------------------+
 |                            OFR SRV                            |
 +---------------------------------------------------------------+
 For the virtual gateway access restrictions attribute:
 +-------------------------------+
 |           NUM VG GRP          |
 +-------------------------------+
 For each virtual gateway group in the virtual gateway access
 restrictions:
 +-------------------------------+-------------------------------+
 |            NUM VG             |            ADJ AD             |
 +---------------+---------------+-------------------------------+
 |      VG       |    VG FLGS    |
 +---------------+---------------+
 AD CMP
      (16 bits) Numeric identifier for the domain component containing
      the AD representative policy gateway.
 SEQ (16 bits) Routing information message sequence number.
 NUM TP (16 bits) Number of transit policy specifications contained in
      the routing information message.
 NUM RS (16 bits) Number of route servers advertised to serve clients
      outside of the domain.
 RS (16 bits) Numeric identifier for a route server.
 TP (16 bits) Numeric identifier for a transit policy specification.

Steenstrup [Page 58] RFC 1479 IDPR Protocol July 1993

 NUM ATR (16 bits) Number of attributes associated with the transit
      policy.
 ATR TYP (16 bits) Numeric identifier for a type of attribute.  Valid
      attributes include the following types:
  1. Set of virtual gateway access restrictions (see section 1.4.2)

associated with the transit policy (variable). This attribute must

   be included.
  1. Set of source/destination access restrictions (see section 1.4.2)

associated with the transit policy (variable). This attribute may

   be omitted.  Absence of this attribute implies that traffic from
   any source to any destination is acceptable.
  1. Set of temporal access restrictions (see section 1.4.2) associated

with the transit policy (variable). This attribute may be omitted.

   Absence of this attribute implies that the transit policy applies
   at all times.
  1. Set of user class access restrictions (see section 1.4.2)

associated with the transit policy (variable). This attribute may

   be omitted.  Absence of this attribute implies that traffic from
   any user class is acceptable.
  1. Average delay in milliseconds (16 bits). This attribute may be

omitted.

  1. Delay variation in milliseconds (16 bits). This attribute may be

omitted.

  1. Average available bandwidth in bits per second (48 bits). This

attribute may be omitted.

  1. Available bandwidth variation in bits per second (48 bits). This

attribute may be omitted.

  1. MTU in bytes (16 bits). This attribute may be omitted.
  1. Charge per byte in thousandths of a cent (16 bits). This attribute

may be omitted.

  1. Charge per message in thousandths of a cent (16 bits). This

attribute may be omitted.

  1. Charge for session time in thousandths of a cent per second (16

bits). This attribute may be omitted. Absence of any charge

   attribute implies that the domain provides free transit service.

Steenstrup [Page 59] RFC 1479 IDPR Protocol July 1993

 ATR LEN (16 bits) Length of an attribute in bytes, beginning with the
 subsequent field.
 NUM AD GRP (16 bits) Number of source/destination domain groups (see
 section 1.4.2) associated with the source/destination access
 restrictions.
 NUM AD (16 bits) Number of domains or sets of domains in a domain
 group.
 AD (16 bits) Numeric identifier for a domain or domain set.
 AD FLGS (8 bits) Set of five flags indicating how to interpret the AD
 field, contained in the right-most bits.  Proceeding left to right,
 the first flag indicates whether the transit policy applies to all
 domains or to specific domains (1 all, 0 specific), and when set to
 1, causes the second and third flags to be ignored.  The second flag
 indicates whether the domain identifier signifies a single domain or
 a domain set (1 single, 0 set).  The third flag indicates whether the
 transit policy applies to the given domain or domain set (1 applies,
 0 does not apply) and is used for representing complements of sets of
 domains.  The fourth flag indicates whether the domain is a source (1
 source, 0 not source).  The fifth flag indicates whether the domain
 is a destination (1 destination, 0 not destination).  At least one of
 the fourth and fifth flags must be set to 1.
 NUM HST (8 bits) Number of "host sets" (see section 1.4.2) associated
 with a particular domain or domain set.  The value 0 indicates that
 all hosts in the given domain or domain set are acceptable sources or
 destinations, as specified by the fourth and fifth AD flags.
 HST SET (16 bits) Numeric identifier for a host set.
 NUM TIM (16 bits) Number of time specifications associated with the
 temporal access restrictions.  Each time specification is split into
 a set of continguous identical periods, as we describe below.
 TIM FLGS (8 bits) Set of two flags indicating how to combine the time
 specifications, contained in the right-most bits.  Proceeding left to
 right, the first flag indicates whether the transit policy applies
 during the periods specified in the time specification (1 applies, 0
 does not apply) and is used for representing complements of policy
 applicability intervals.  The second flag indicates whether the time
 specification takes precedence over the previous time specifications
 listed (1 precedence, 0 no precedence).  Precedence is equivalent to
 the boolean OR and AND operators, in the following sense.  At any
 given instant, a transit policy either applies or does not apply,
 according to a given time specification, and we can assign a boolean

Steenstrup [Page 60] RFC 1479 IDPR Protocol July 1993

 value to the state of policy applicability according to a given time
 specification.  If the second flag assumes the value 1 for a given
 time specification, that indicates the boolean operator OR should be
 applied to the values of policy applicability, according to the given
 time specification and to all previously listed time specifications.
 If the second flag assumes the value 0 for a given time
 specification, that indicates the boolean operator AND should be
 applied to the values of policy applicability, according to the given
 time specification and to all previously listed time specifications.
 DURATION (24 bits) Length of the time specification duration, in
 minutes.  A value of 0 indicates an infinite duration.
 START (32 bits) Time at which the time specification first takes
 effect, in seconds elapsed since 1 January 1970 0:00 GMT.
 PERIOD (16 bits) Length of each time period within the time
 specification, in minutes.
 ACTIVE (16 bits) Length of the policy applicable interval during each
 time period, in minutes from the beginning of the time period.
 NUM UCI (16 bits) Number of user classes associated with the user
 class access restrictions.
 UCI (8 bits) Numeric identifier for a user class.
 NUM VG GRP (16 bits) Number of virtual gateway groups (see section
 1.4.2) associated with the virtual gateway access restrictions.
 NUM VG (16 bits) Number of virtual gateways in a virtual gateway
 group.
 ADJ AD (16 bits) Numeric identifier for the adjacent domain to which
 a virtual gateway connects.
 VG (8 bits) Numeric identifier for a virtual gateway.
 VG FLGS (8 bits) Set of two flags indicating how to interpret the VG
 field, contained in the right-most bits.  Proceeding left to right,
 the first flag indicates whether the virtual gateway is a domain
 entry point (1 entry, 0 not entry).  The second flag indicates
 whether the virtual gateway is a domain exit point (1 exit, 0 not
 exit).  At least one of the first and second flags must be set to 1.

Steenstrup [Page 61] RFC 1479 IDPR Protocol July 1993

4.3.2. DYNAMIC

 The DYNAMIC message type is equal to 1.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            AD CMP             |              SEQ              |
 +-------------------------------+-------------------------------+
 |           UNAVL VG            |            NUM PS             |
 +-------------------------------+-------------------------------+
 For each unavailable virtual gateway in the domain:
 +-------------------------------+---------------+---------------+
 |            ADJ AD             |      VG       |    UNUSED     |
 +-------------------------------+---------------+---------------+
 For each set of transit policies for the domain:
 +-------------------------------+-------------------------------+
 |            NUM TP             |          NUM VG GRP           |
 +-------------------------------+-------------------------------+
 |              TP               |
 +-------------------------------+
 For each virtual gateway group associated with the transit policy
 set:
 +-------------------------------+-------------------------------+
 |            NUM VG             |            ADJ AD             |
 +---------------+---------------+-------------------------------+
 |      VG       |    VG FLGS    |            NUM CMP            |
 +---------------+---------------+-------------------------------+
 |            ADJ CMP            |
 +-------------------------------+
 AD CMP
      (16 bits) Numeric identifier for the domain component containing
      the AD representative policy gateway.
 SEQ (16 bits) Routing information message sequence number.
 UNAVL VG (16 bits) Number of virtual gateways in the domain component
      that are currently unavailable via any intra-domain routes.
 NUM PS (16 bits) Number of sets of transit policies listed.  Transit
      policy sets provide a mechanism for reducing the size of DYNAMIC
      messages.  A single set of virtual gateway groups applies to all
      transit policies in a given set.
 ADJ AD (16 bits) Numeric identifier for the adjacent domain to which
      a virtual gateway connects.

Steenstrup [Page 62] RFC 1479 IDPR Protocol July 1993

 VG (8 bits) Numeric identifier for a virtual gateway.
 UNUSED (8 bits) Not currently used; must be set equal to 0.
 NUM TP (16 bits) Number of transit policies in a set.
 NUM VGGRP (16 bits) Number of virtual gateway groups currently
      associated with the transit policy set.
 TP (16 bits) Numeric identifier for a transit policy.
 NUM VG (16 bits) Number of virtual gateways in a virtual gateway
      group.
 VG FLGS (8 bits) Set of two flags indicating how to interpret the VG
      field, contained in the right-most bits.  Proceeding left to
      right, the first flag indicates whether the virtual gateway is a
      domain entry point (1 entry, 0 not entry).  The second flag
      indicates whether the virtual gateway is a domain exit point (1
      exit, 0 not exit).  At least one of the first and second flags
      must be set to 1.
 NUM CMP (16 bits) Number of adjacent domain components reachable via
      direct connections through the virtual gateway.
 ADJ CMP (16 bits) Numeric identifier for a reachable adjacent domain
      component.

4.3.3. Negative Acknowledgements

 When a policy gateway or route server receives an unacceptable IDPR
 routing information message that passes the CMTP validation checks,
 it includes, in its CMTP ACK, an appropriate negative
 acknowledgement.  This information is placed in the INFORM field of
 the CMTP ACK (described previously in section 2.4); the numeric
 identifier for each type of routing information message negative
 acknowledgement is contained in the left-most 8 bits of the INFORM
 field.  Negative acknowledgements associated with routing information
 messages include the following types:
 1.  Unrecognized IDPR routing information message type.  Numeric
     identifier for the unrecognized message type (8 bits).
 2.  Out-of-date IDPR routing information message.  This is a signal
     to the sender that it may not have the most recent routing
     information for the given domain.

Steenstrup [Page 63] RFC 1479 IDPR Protocol July 1993

5. Route Server Query Protocol

 Each route server is responsible for maintaining both the routing
 information database and the route database and for responding to
 database information requests from policy gateways and other route
 servers.  These requests and their responses are the messages
 exchanged via the Route Server Query Protocol (RSQP).
 Policy gateways and route servers normally invoke RSQP to replace
 absent, outdated, or corrupted information in their own routing
 information or route databases.  In section 4, we discussed some of
 the situations in which RSQP may be invoked; in this section and in
 section 7, we discuss other such situations.

5.1. Message Exchange

 Policy gateways and route servers use CMTP for reliable transport of
 route server requests and responses.  RSQP must communicate to CMTP
 the maximum number of transmissions per request/response message,
 rsqp_ret, and the interval between request/response message
 retransmissions, rsqp_int microseconds.  A route server
 request/response message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than rsqp_old (300) seconds behind the

recipient's internal clock time.

 With RSQP, a requesting entity expects to receive an acknowledgement
 from the queried route server indicating whether the route server can
 accommodate the request.  The route server may fail to fill a given
 request for either of the following reasons:
  1. Its corresponding database contains no entry or only a partial

entry for the requested information.

  1. It is governed by special message distribution rules, imposed by

the domain administrator, that preclude it from releasing the

   requested information.  Currently, such distribution rules are not
   included in IDPR configuration information.
 For all requests that it cannot fill, the route server responds with
 a negative acknowledgement message carried in a CMTP acknowledgement,
 indicating the set of unfulfilled requests (see section 5.5.4).
 If the requesting entity either receives a negative acknowledgement
 or does not receive any acknowledgement after rsqp_ret attempts
 directed at the same route server, it queries a different route

Steenstrup [Page 64] RFC 1479 IDPR Protocol July 1993

 server, as long as the number of attempted requests to different
 route servers does not exceed rsqp_try (3).  Specifically, the
 requesting entity proceeds in round-robin order through its list of
 addressable route servers.  However, if the requesting entity is
 unsuccessful after rsqp_try attempts, it abandons the request
 altogether and logs the event for network management.
 A policy gateway or a route server can request information from any
 route server that it can address.  Addresses for local route servers
 within a domain are part of the configuration for each IDPR entity
 within a domain; addresses for remote route servers in other domains
 are obtained through flooded CONFIGURATION messages, as described
 previously in section 4.2.1.  However, requesting entities always
 query local route servers before remote route servers, in order to
 contain the costs associated with the query and response.  If the
 requesting entity and the queried route server are in the same
 domain, they can communicate over intra-domain routes, whereas if the
 requesting entity and the queried route server are in different
 domains, they must obtain a policy route and establish a path before
 they can communicate, as we describe below.

5.2. Remote Route Server Communication

 RSQP communication involving a remote route server requires a policy
 route and accompanying path setup (see section 7) between the
 requesting and queried entities, as these entities reside in
 different domains.  After generating a request message, the
 requesting entity hands to CMTP its request message along with the
 remote route server's entity and domain identifiers.  CMTP encloses
 the request in a DATAGRAM and hands the DATAGRAM and remote route
 server information to the path agent.  Using the remote route server
 information, the path agent obtains, and if necessary sets up, a path
 to the remote route server.  Once the path to the remote route server
 has been successfully established, the path agent encapsulates the
 DATAGRAM within an IDPR data message and forwards the data message
 along the designated path.
 When the path agent in the remote route server receives the IDPR data
 message, it extracts the DATAGRAM and hands it to CMTP.  In addition,
 the path agent, using the requesting entity and domain identifiers
 contained in the path identifier, obtains, and if necessary sets up,
 a path back to the requesting entity.
 If the DATAGRAM fails any of the CMTP validation checks, CMTP returns
 a NAK to the requesting entity.  If the DATAGRAM passes all of the
 CMTP validation checks, the remote route server assesses the
 acceptability of the request message.  Provided the request message
 is acceptable, the remote route server determines whether it can

Steenstrup [Page 65] RFC 1479 IDPR Protocol July 1993

 fulfill the request and directs CMTP to return an ACK to the
 requesting entity.  The ACK may contain a negative acknowledgement if
 the entire request cannot be fulfilled.
 The remote route server generates responses for all requests that it
 can fulfill and returns the responses to the requesting entity.
 Specifically, the remote route server hands to CMTP its response and
 the requesting entity information.  CMTP in turn encloses the
 response in a DATAGRAM.
 When returning an ACK, a NAK, or a response to the requesting entity,
 the remote route server hands the corresponding CMTP message and
 requesting entity information to the path agent.  Using the
 requesting entity information, the path agent retrieves the path to
 the requesting entity, encapsulates the CMTP message within an IDPR
 data message, and forwards the data message along the designated
 path.
 When the path agent in the requesting entity receives the IDPR data
 message, it extracts the ACK, NAK, or response to its request and
 performs the CMTP validation checks for that message.  In the case of
 a response messsage, the requesting entity also assesses message
 acceptability before incorporating the contents into the appropriate
 database.

5.3 Routing Information

 Policy gateways and route servers request routing information from
 route servers, in order to update their routing information
 databases.  To obtain routing information from a route server, the
 requesting entity issues a ROUTING INFORMATION REQUEST message
 containing the type of routing information requested - CONFIGURATION
 messages, DYNAMIC messages, or both - and the set of domains from
 which the routing information is requested.
 Upon receiving a ROUTING INFORMATION REQUEST message, a route server
 first assesses message acceptability before proceeding to act on the
 contents.  If the ROUTING INFORMATION REQUEST message is deemed
 acceptable, the route server determines how much of the request it
 can fulfill and then instructs CMTP to generate an acknowledgement,
 indicating its ability to fulfill the request.  The route server
 proceeds to fulfill as much of the request as possible by
 reconstructing individual routing information messages, one per
 requested message type and domain, from its routing information
 database.  We note that only a regenerated routing information
 message whose entire contents match that of the original routing
 information message may pass the CMTP integrity/authentication
 checks.

Steenstrup [Page 66] RFC 1479 IDPR Protocol July 1993

5.4. Routes

 Path agents request routes from route servers when they require
 policy routes for path setup.  To obtain routes from a route server,
 the requesting path agent issues a ROUTE REQUEST message containing
 the destination domain and applicable service requirements, the
 maximum number of routes requested, a directive indicating whether to
 generate the routes or retrieve them from the route database, and a
 directive indicating whether to refresh the routing information
 database with the most recent CONFIGURATION or DYNAMIC message from a
 given domain, before generating the routes.  To refresh its routing
 information database, a route server must obtain routing information
 from another route server.  The path agent usually issues routing
 information database refresh directives in response to a failed path
 setup.  We discuss the application of these directives in more detail
 in section 7.4.
 Upon receiving a ROUTE REQUEST message, a route server first assesses
 message acceptability before proceeding to act on the contents.  If
 the ROUTE REQUEST message is deemed acceptable, the route server
 determines whether it can fulfill the request and then instructs CMTP
 to generate an acknowledgement, indicating its ability to fulfill the
 request.  The route server proceeds to fulfill the request with
 policy routes, either retrieved from its route database or generated
 from its routing information database if necessary, and returns these
 routes in a ROUTE RESPONSE message.

5.5. Route Server Message Formats

 The route server query protocol number is equal to 2.  We describe
 the contents of each type of RSQP message below.

5.5.1. ROUTING INFORMATION REQUEST

 The ROUTING INFORMATION REQUEST message type is equal to 0.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            QRY AD             |            QRY RS             |
 +-------------------------------+-------------------------------+
 |            NUM AD             |              AD               |
 +---------------+---------------+-------------------------------+
 |   RIM FLGS    |    UNUSED     |
 +---------------+---------------+
 QRY AD
      (16 bits) Numeric identifier for the domain containing the

Steenstrup [Page 67] RFC 1479 IDPR Protocol July 1993

      queried route server.
 QRY RS (16 bits) Numeric identifier for the queried route server.
 NUM AD (16 bits) Number of domains about which routing information is
      requested.  The value 0 indicates a request for routing
      information from all domains.
 AD (16 bits) Numeric identifier for a domain.  This field is absent
      when NUM AD equals 0.
 RIM FLGS (8 bits) Set of two flags indicating the type of routing
      information messages requested, contained in the right-most
      bits.  Proceeding left to right, the first flag indicates
      whether the request is for a CONFIGURATION message (1
      CONFIGURATION, 0 no CONFIGURATION).  The second flag indicates
      whether the request is for a DYNAMIC message (1 DYNAMIC, 0 no
      DYNAMIC).  At least one of the first and second flags must be
      set to 1.
 UNUSED (8 bits) Not currently used; must be set equal to 0.

5.5.2. ROUTE REQUEST

      The ROUTE REQUEST message type is equal to 1.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |            QRY AD             |            QRY RS             |
 +-------------------------------+-------------------------------+
 |            SRC AD             |            HST SET            |
 +---------------+---------------+-------------------------------+
 |      UCI      |    UNUSED     |            NUM RQS            |
 +---------------+---------------+-------------------------------+
 |            DST AD             |            PRX AD             |
 +---------------+---------------+-------------------------------+
 |    NUM RTS    |   GEN FLGS    |            RFS AD             |
 +---------------+---------------+-------------------------------+
 |            NUM AD             |
 +-------------------------------+
 For each domain to be favored, avoided, or excluded:
 +-------------------------------+---------------+---------------+
 |              AD               |    AD FLGS    |    UNUSED     |
 +-------------------------------+---------------+---------------+

Steenstrup [Page 68] RFC 1479 IDPR Protocol July 1993

 For each requested service:
 +-------------------------------+-------------------------------+
 |            RQS TYP            |            RQS LEN            |
 +-------------------------------+-------------------------------+
 |                            RQS SRV                            |
 +---------------------------------------------------------------+
 QRY AD
      (16 bits) Numeric identifier for the domain containing the
      queried route server.
 QRY RS (16 bits) Numeric identifier for the queried route server.
 SRC AD (16 bits) Numeric identifier for the route's source domain.
 HST SET (16 bits) Numeric identifier for the source's host set.
 UCI (8 bits) Numeric identifier for the source user class. The value
      0 indicates that there is no particular source user class.
 UNUSED (8 bits) Not currently used; must be set equal to 0.
 NUM RQS (16 bits) Number of requested services.  The value 0
      indicates that the source requests no special services.
 DST AD (16 bits) Numeric identifier for the route's destination
      domain.
 PRX AD (16 bits) Numeric identifier for the destination domain's
      proxy (see section 1.3.1).  If the destination domain provides
      the path agent function for its hosts, then the destination and
      proxy domains are identical.  A route server constructs routes
      between the source domain's proxy and the destination domain's
      proxy.  We note that the source domain's proxy is identical to
      the domain issuing the CMTP message containing the ROUTE REQUEST
      message, and hence available in the CMTP header.
 NUM RTS (8 bits) Number of policy routes requested.
 GEN FLGS (8 bits) Set of three flags indicating how to obtain the
      requested routes, contained in the right-most bits.  Proceeding
      left to right, the first flag indicates whether the route server
      should retrieve existing routes from its route database or
      generate new routes (1 retrieve, 0 generate).  The second flag
      indicates whether the route server should refresh its routing
      information database before generating the requested routes (1
      refresh, 0 no refresh) and when set to 1, causes the third flag
      and the RFS AD field to become significant.  The third flag

Steenstrup [Page 69] RFC 1479 IDPR Protocol July 1993

      indicates whether the routing information database refresh
      should include CONFIGURATION messages or DYNAMIC messages (1
      configuration, 0 dynamic).
 RFS AD (16 bits) Numeric identifier for the domain for which routing
      information should be refreshed.  This field is meaningful only
      if the second flag in the GEN FLGS field is set to 1.
 NUM AD (16 bits) Number of transit domains that are to be favored,
      avoided, or excluded during route selection (see section 1.4.1).
 AD (16 bits) Numeric identifier for a transit domain to be favored,
      avoided, or excluded.
 AD FLGS (8 bits) Three flags indicating how to interpret the AD
      field, contained in the right-most bits.  Proceeding left to
      right, the first flag indicates whether the domain should be
      favored (1 favored, 0 not favored).  The second flag indicates
      whether the domain should be avoided (1 avoided, 0 not avoided).
      The third flag indicates whether the domain should be excluded
      (1 excluded, 0 not excluded).  No more than one of the first,
      second, and third flags must set to 1.
 RQS TYP (16 bits) Numeric identifier for a type of requested service.
      Valid requested services include the following types:
 1.  Upper bound on delay, in milliseconds (16 bits).  This attribute
     may be omitted.
 2.  Minimum delay route.  This attribute may be omitted.
 3.  Upper bound on delay variation, in milliseconds (16 bits).  This
     attribute may be omitted.
 4.  Minimum delay variation route.  This attribute may be omitted.
 5.  Lower bound on bandwidth, in bits per second (48 bits).  This
     attribute may be omitted.
 6.  Maximum bandwidth route.  This attribute may be omitted.
 7.  Upper bound on monetary cost, in cents (32 bits).  This attribute
     may be omitted.
 8.  Minimum monetary cost route.  This attribute may be omitted.
 9.  Path lifetime in minutes (16 bits). This attribute may be omitted
     but must be present if types 7 or 8 are present. Route servers

Steenstrup [Page 70] RFC 1479 IDPR Protocol July 1993

     use path lifetime information together with domain charging
     method to compute expected session monetary cost over a given
     domain.
 10. Path lifetime in messages (16 bits).  This attribute may be
     omitted but must be present if types 7 or 8 are present.
 11. Path lifetime in bytes (48 bits).  This attribute may be omitted
     but must be present if types 7 or 8 are present.
 RQS LEN
      (16 bits) Length of the requested service, in bytes, beginning
      with the next field.
 RQS SRV
      (variable) Description of the requested service.

5.5.3. ROUTE RESPONSE

 The ROUTE RESPONSE message type is equal to 2.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |    NUM RTS    |
 +---------------+
 For each route provided:
 +---------------+---------------+
 |    NUM AD     |   RTE FLGS    |
 +---------------+---------------+
 For each domain in the route:
 +---------------+---------------+-------------------------------+
 |    AD LEN     |      VG       |            ADJ AD             |
 +---------------+---------------+-------------------------------+
 |            ADJ CMP            |            NUM TP             |
 +-------------------------------+-------------------------------+
 |              TP               |
 +-------------------------------+
 NUM RTS
      (16 bits) Number of policy routes provided.
 RTE FLGS (8 bits) Set of two flags indicating the directions in which
      a route can be used, contained in the right-most bits.  Refer to
      sections 6.2, 7, and 7.2 for detailed discussions of path
      directionality.  Proceeding left to right, the first flag
      indicates whether the route can be used from source to
      destination (1 from source, 0 not from source).  The second flag

Steenstrup [Page 71] RFC 1479 IDPR Protocol July 1993

      indicates whether the route can be used from destination to
      source (1 from destination, 0 not from destination).  At least
      one of the first and second flags must be set to 1, if NUM RTS
      is greater than 0.
 NUM AD (8 bits) Number of domains in the policy route, not including
      the first domain on the route.
 AD LEN (8 bits) Length of the information associated with a
      particular domain, in bytes, beginning with the next field.
 VG (8 bits) Numeric identifier for an exit virtual gateway.
 ADJ AD (16 bits) Numeric identifier for the adjacent domain connected
      to the virtual gateway.
 ADJ CMP (16 bits) Numeric identifier for the adjacent domain
      component.  Used by policy gateways to select a route across a
      virtual gateway connecting to a partitioned domain.
 NUM TP (16 bits) Number of transit policies that apply to the section
      of the route traversing the domain component.
 TP (16 bits) Numeric identifier for a transit policy.

5.5.4. Negative Acknowledgements

 When a policy gateway receives an unacceptable RSQP message that
 passes the CMTP validation checks, it includes, in its CMTP ACK, an
 appropriate negative acknowledgement.  This information is placed in
 the INFORM field of the CMTP ACK (described previously in section
 2.4); the numeric identifier for each type of RSQP negative
 acknowledgement is contained in the left-most 8 bits of the INFORM
 field.  Negative acknowledgements associated with RSQP include the
 following types:
 1.  Unrecognized RSQP message type.  Numeric identifier for the
     unrecognized message type (8 bits).
 2.  Out-of-date RSQP message.
 3.  Unable to fill requests for routing information from the
     following domains.  Number of domains for which requests cannot
     be filled (16 bits); a value of 0 indicates that the route
     server cannot fill any of the requests.  Numeric identifier for
     each domain for which a request cannot be filled (16 bits).

Steenstrup [Page 72] RFC 1479 IDPR Protocol July 1993

 4.  Unable to fill requests for routes to the following destination
     domain.  Numeric identifier for the destination domain (16 bits).

6. Route Generation

 Route generation is the most computationally complex part of IDPR,
 because of the number of domains and the number and heterogeneity of
 policies that it must accommodate.  Route servers must generate
 policy routes that satisfy the requested services of the source
 domains and respect the offered services of the transit domains.
 We distinguish requested qualities of service and route generation
 with respect to them as follows:
  1. Requested service limits include upper bounds on route delay, route

delay variation, and session monetary cost and lower bounds on

  available route bandwidth.  Generating a route that must satisfy
  more than one quality of service constraint, for example route delay
  of no more than X seconds and available route bandwidth of no less
  than Y bits per second, is an NP-complete problem.
  1. Optimal requested services include minimum route delay, minimum

route delay variation, minimum session monetary cost, and maximum

  available route bandwidth.  In the worst case, the computational
  complexity of generating a route that is optimal with respect to a
  given requested service is O((N + L) log N) for Dijkstra's shortest
  path first (SPF) search and O(N + (L * L)) for breadth-first (BF)
  search, where N is the number of nodes and L is the number of links
  in the search graph.  Multi-criteria optimization, for example
  finding a route with minimal delay variation and minimal session
  monetary cost, may be defined in several ways.  One approach to
  multi-criteria optimization is to assign each link a single value
  equal to a weighted sum of the values of the individual offered
  qualities of service and generate a route that is optimal with
  respect to this new criterion.  However, selecting the weights that
  yield the desired route generation behavior is itself an
  optimization procedure and hence not trivial.

To help contain the combinatorial explosion of processing and memory costs associated with route generation, we supply the following guidelines for generation of suitable policy routes:

  1. Each route server should only generate policy routes from the

perspective of its own domain as source; it need not generate policy

  routes for arbitrary source/destination domain pairs.  Thus, we can
  distribute the computational burden over all route servers.
  1. Route servers should precompute routes for which they anticipate

Steenstrup [Page 73] RFC 1479 IDPR Protocol July 1993

  requests and should generate routes on demand only in order to
  satisfy unanticipated route requests.  Hence, a single route server
  can distribute its computational burden over time.
  1. Route servers should cache the results of route generation, in order

to minimize the computation associated with responding to future

  route requests.
  1. To handle requested service limits, a route server should always

select the first route generated that satisfies all of the requested

  service limits.
  1. To handle multi-criteria optimization in route selection, a route

server should generate routes that are optimal with respect to the

  first optimal requested service listed in the ROUTE REQUEST message.
  The route server should resolve ties between otherwise equivalent
  routes by evaluating these routes according to the other optimal
  requested services contained in the ROUTE REQUEST message, in the
  order in which they are listed.  With respect to the route server's
  routing information database, the selected route is optimal
  according to the first optimal requested service listed in the ROUTE
  REQUEST message but is not necessarily optimal according to any
  other optimal requested service listed in the ROUTE REQUEST message.
  ti 2 - To handle a mixture of requested service limits and optimal
  requested services, a route server should generate routes that
  satisfy all of the requested service limits.  The route server
  should resolve ties between otherwise equivalent routes by
  evaluating these routes as described in the multi-criteria
  optimization case above.
  ti 2 - All else being equal, a route server should always prefer
  minimum-hop routes, because they minimize the amount of network
  resources consumed by the routes.
  ti 2 - A route server should generate at least one route to each
  component of a partitioned destination domain, because it may not
  know in which domain component the destination host resides.  Hence,
  a route server can maximize the chances of providing a feasible
  route to a destination within a partitioned domain.

6.1 Searching

  All domains need not execute the identical route generation
  procedure.  Each domain administrator is free to specify the IDPR
  route generation procedure for route servers in its own domain,
  making the procedure as simple or as complex as desired.

Steenstrup [Page 74] RFC 1479 IDPR Protocol July 1993

  We offer an IDPR route generation procedure as a model.  With slight
  modification, this procedure can be made to search in either BF or
  SPF order.  The procedure can be used either to generate a single
  policy route from the source to a specified destination domain or to
  generate a set of policy routes from the source domain to all
  destination domains.  If the source or destination domain has a
  proxy, then the source or destination endpoint of the policy route
  is a proxy domain and not the actual source or destination domain.
  For high-bandwidth traffic flows, BF search is the recommended
  search technique, because it produces minimum-hop routes.  For low-
  bandwidth traffic flows, the route server may use either BF search
  or SPF search.  The computational complexity of BF search is O(N +
  L) and hence it is the search procedure of choice, except when
  generating routes with optimal requested services.  We recommend
  using SPF search only for optimal requested services and never in
  response to a request for a maximum bandwidth route.

6.1.1. Implementation

 Data Structures:
 The routing information database contains the graph of an
 internetwork, in which virtual gateways are the nodes and intra-
 domain routes between virtual gateways are the links.  During route
 generation, each route is represented as a sequence of virtual
 gateways, domains, and relevant transit policies, together with a
 list of route characteristics, stored in a temporary array and
 indexed by destination domain.
  1. Execute the Policy Consistency routine, first with the source

domain the given domain and second with the destination domain as

   the given domain.  If any policy inconsistency precludes the
   requested traffic flow, go to Exit.
  1. For each domain, initialize a null route, set the route bandwidth

to and set the following route characteristics to infinity: route

   delay, route delay variation, session monetary cost, and route
   length in hops.
  1. With each operational virtual gateway in the source or source proxy

domain, associate the initial route characteristics.

  1. Initialize a next-node data structure which will contain, for each

route in progress, the virtual gateway at the current endpoint of

   the route together with the associated route characteristics.  The
   next-node data structure determines the order in which routes get
   expanded.

Steenstrup [Page 75] RFC 1479 IDPR Protocol July 1993

      BF:  A fifo queue.
      SPF: A heap, ordered according to the first optimal requested
           service listed in the ROUTE REQUEST message.
 Remove Next Node: These steps are performed for each virtual gateway
      in the next-node data structure.
  1. If there are no more virtual gateways in the next-node data

structure, go to Exit.

  1. Extract a virtual gateway and its associated route

characteristics from the next-node data structure, obtain the

      adjacent domain, and:
           SPF: Remake the heap.
  1. If there is a specific destination domain and if for the primary

optimal service:

           BF:  Route length in hops.
           SPF: First optimal requested service listed in the ROUTE
           REQUEST message.
      the extracted virtual gateway's associated route characteristic
      is no better than that of the destination domain, go to Remove
      Next Node.
  1. Execute the Policy Consistency routine with the adjacent domain

as given domain. If any policy inconsistency precludes the

      requested traffic flow, go to Remove Next Node.
  1. Check that the source domain's transit policies do not preclude

traffic generated by members of the source host set with the

      specified user class and requested services, from flowing to the
      adjacent domain as destination.  This check is necessary because
      the route server caches what it considers to be all feasible
      routes, to intermediate destination domains, generated during
      the computation of the requested route.  If there are no policy
      inconsistencies, associate the route and its characteristics
      with the adjacent domain as destination.
  1. If there is a specific destination domain and if the adjacent

domain is the destination or destination proxy domain, go to

      Remove Next Node.
  1. Record the set of all exit virtual gateways in the adjacent

Steenstrup [Page 76] RFC 1479 IDPR Protocol July 1993

      domain which the adjacent domain's transit policies permit the
      requested traffic flow and which are currently reachable from
      the entry virtual gateway.
 Next Node:
      These steps are performed for all exit virtual gateways in the
      above set.
  1. If there are no exit virtual gateways in the set, go to Remove

Next Node.

  1. Compute the characteristics for the route to the exit virtual

gateway, and check that all of the route characteristics are

      within the requested service limits.  If any of the route
      characteristics are outside of these limits, go to Next Node.
  1. Compare these route characteristics with those already

associated with the exit virtual gateway (there may be none, if

      this is the first time the exit virtual gateway has been visited
      in the search), according to the primary optimal service.
  1. Select the route with the optimal value of the primary optimal

service, resolve ties by considering optimality according to any

      other optimal requested services in the order in which they are
      listed in the ROUTE REQUEST message, and associate the selected
      route and its characteristics with the exit virtual gateway.
  1. Add the virtual gateway to the next-node structure:
           BF:  Add to the end of the fifo queue.
           SPF: Add to the heap.
           and go to Next Node.
 Exit:
      Return a response to the route request, consisting of either a
      set of candidate policy routes or an indication that the route
      request cannot be fulfilled.
 Policy Consistency: Check policy consistency for the given domain.
  1. Check that the given domain is not specified as an excluded

domain in the route request.

  1. Check that the given domain's transit policies do not preclude

traffic generated by members of the source host set with the

Steenstrup [Page 77] RFC 1479 IDPR Protocol July 1993

      specified user class and requested services, from flowing to the
      destination domain.
 During the computation of the requested routes, a route server also
 caches what it considers to be all feasible routes to intermediate
 destination domains, thus increasing the chances of being able to
 respond to a future route request without having to generate a new
 route.  The route server does perform some policy consistency checks
 on the routes, as they are generated, to intermediate destinations.
 However, these routes may not in fact be feasible; the transit
 domains contained on the routes may not permit traffic between the
 source and the given intermediate destinations.  Hence, before
 dispensing such a route in response to a route request, a route
 server must check that the transit policies of the constituent
 domains are consistent with the source and destination of the traffic
 flow.

6.2. Route Directionality

 A path agent may wish to set up a bidirectional path using a route
 supplied by a route server.  (Refer to sections 7.2 and 7.4 for
 detailed discussions of path directionality.)  However, a route
 server can only guarantee that the routes it supplies are feasible if
 used in the direction from source to destination.  The reason is that
 the route server, which resides in the source or source proxy domain,
 does not have access to, and thus cannot account for, the source
 policies of the destination domain.  Nevertheless, the route server
 can provide the path agent with an indication of its assessment of
 route feasibility in the direction from destination to source.
 A necessary but insufficient condition for a route to be feasible in
 the direction from destination to source is as follows.  The route
 must be consistent, in the direction from destination to source, with
 the transit policies of the domains that compose the route.  The
 transit policy consistency checks performed by the route server
 during route generation account for the direction from source to
 destination but not for the direction from destination to source.
 Only after a route server generates a feasible route from source to
 destination does it perform the transit policy consistency checks for
 the route in the direction from destination to source.  Following
 these checks, the route server includes in its ROUTE RESPONSE message
 to the path agent an indication of its assessment of route
 feasibility in each direction.

Steenstrup [Page 78] RFC 1479 IDPR Protocol July 1993

6.3. Route Database

 A policy route, as originally specified by a route server, is an
 ordered list of virtual gateways, domains, and transit policies: VG 1
 - AD 1 - TP 1 - ... - VG n - AD n - TP n. where VG i is the virtual
 gateway that serves as exit from AD i-1 and entry to AD i, and TP i
 is the set of transit policies associated with AD i and relevant to
 the particular route.  Each route is indexed by source and
 destination domain.  Route servers and paths agents store policy
 routes in route databases maintained as caches whose entries must be
 periodically flushed to avoid retention of stale policy routes.  A
 route server's route database is the set of all routes it has
 generated on behalf of its domain as source or source proxy;
 associated with each route in the database are its route
 characteristics.  A path agent's route database is the set of all
 routes it has requested and received from route servers on behalf of
 hosts for which it is configured to act.
 When attempting to locate a feasible route for a traffic flow, a path
 agent first consults its own route database before querying a route
 server.  If the path agent's route database contains one or more
 routes between the given source and destination domains and
 accommodating the given host set and UCI, then the path agent checks
 each such route against the set of excluded domains listed in the
 source policy.  The path agent either selects the first route
 encountered that does not include the excluded domains, or, if no
 such route exists in its route database, requests a route from a
 route server.
 A path agent must query a route server for routes when it is unable
 to fulfill a route request from its own route database.  Moreover, we
 recommend that a path agent automatically forward to a route server,
 all route requests with non-null requested services.  The reason is
 that the path agent retains no route characteristics in its route
 database.  Hence, the path agent cannot determine whether an entry in
 its route database satisfies the requested services.
 When responding to a path agent's request for a policy route, a route
 server first consults its route database, unless the ROUTE REQUEST
 message contains an explicit directive to generate a new route.  If
 its route database contains one or more routes between the given
 source and destination domains and accommodating the given host set
 and UCI, the route server checks each such route against the set of
 excluded domains listed in the ROUTE REQUEST message.  The route
 server either selects all routes encountered that do not include the
 excluded domains, or, if no such route exists in its route database,
 attempts to generate such a route.  Once the route server selects a
 set of routes, it then checks each such route against the services

Steenstrup [Page 79] RFC 1479 IDPR Protocol July 1993

 requested by the path agent and the services offered by the domains
 composing the route.  To obtain the offered services information, the
 route server consults its routing information database.  The route
 server either selects the first route encountered that is consistent
 with both the requested and offered services, or, if no such route
 exists in its route database, attempts to generate such a route.

6.3.1. Cache Maintenance

 Each route stored in a route database has a maximum cache lifetime
 equal to rdb_rs minutes for a route server and rdb_ps minutes for a
 path agent.  Route servers and path agents reclaim cache space by
 flushing entries that have attained their maximum lifetimes.
 Moreover, paths agents reclaim cache space for routes whose paths
 have failed to be set up successfully or have been torn down (see
 section 7.4).
 Nevertheless, cache space may become scarce, even with reclamation of
 entries.  If a cache fills, the route server or path agent logs the
 event for network management.  To obtain space in the cache when the
 cache is full, the route server or path agent deletes from the cache
 the oldest entry.

7. Path Control Protocol and Data Message Forwarding Procedure

 Two entities in different domains may exchange IDPR data messages,
 only if there exists an IDPR path set up between the two domains.
 Path setup requires cooperation among path agents and intermediate
 policy gateways.  Path agents locate policy routes, initiate the Path
 Control Protocol (PCP), and manage existing paths between
 administrative domains.  Intermediate policy gateways verify that a
 given policy route is consistent with their domains' transit
 policies, establish the forwarding information, and forward messages
 along existing paths.
 Each policy gateway and each route server contains a path agent.  The
 path agent that initiates path setup in the source or source proxy
 domain is the "originator", and the path agent that handles the
 originator's path setup message in the destination or destination
 proxy domain is the "target".  Every path has two possible directions
 of traffic flow: from originator to target and from target to
 originator.  Path control messages are free to travel in either
 direction, but data messages may be restricted to only one direction.
 Once a path for a policy route is set up, its physical realization is
 a set of consecutive policy gateways, with policy gateways or route
 servers forming the endpoints.  Two successive entities in this set
 belong to either the same domain or the same virtual gateway.  A

Steenstrup [Page 80] RFC 1479 IDPR Protocol July 1993

 policy gateway or route server may, at any time, recover the
 resources dedicated to a path that goes through it by tearing down
 that path.  For example, a policy gateway may decide to tear down a
 path that has not been used for some period of time.
 PCP may build multiple paths between source and destination domains,
 but it is not responsible for managing such paths as a group or for
 eliminating redundant paths.

7.1. An Example of Path Setup

 We illustrate how path setup works by stepping through an example.
 Suppose host Hx in domain AD X wants to communicate with host Hy in
 domain AD Y and that both AD X and AD Y support IDPR.  Hx need not
 know the identity of its own domain or of Hy's domain in order to
 send messages to Hy.  Instead, Hx simply forwards a message bound for
 Hy to one of the gateways on its local network, according to its
 local forwarding information only.  If the recipient gateway is a
 policy gateway, the resident path agent determines how to forward the
 message outside of the domain.  Otherwise, the recipient gateway
 forwards the message to another gateway in AD X, according to its
 local forwading information.  Eventually, the message will arrive at
 a policy gateway in AD X, as policy gateways are the only egress
 points to other domains, in domains that support IDPR.
 The path agent resident in the recipient policy gateway uses the
 message header, including source and destination addresses and any
 requested service information (for example, type of service), in
 order to determine whether it is an intra-domain or inter-domain
 message, and if inter-domain, whether it requires an IDPR policy
 route.  Specifically, the path agent attempts to locate a forwarding
 information database entry for the given traffic flow, from the
 information contained in the message header.  In the future, for IP
 messages, the relevant header information may also include special
 service-specific IP options or even information from higher layer
 protocols.
 Forwarding database entries exist for all of the following:
  1. All intra-domain traffic flows. Intra-domain forwarding

information is integrated into the forwarding information database

   as soon as it is received.
  1. Inter-domain traffic flows that do not require IDPR policy routes.

Non-IDPR forwarding information is integrated into the forwarding

   database as soon as it is received.
  1. IDPR inter-domain traffic flows for which a path has already been

Steenstrup [Page 81] RFC 1479 IDPR Protocol July 1993

   set up.  IDPR forwarding information is integrated into the
   forwarding database only during path setup.
 The path agent uses the message header contents to guide the search
 for a forwarding information database entry for a given traffic flow.
 We recommend a radix search to locate such an entry.  When the search
 terminates, it produces either an entry, or, in the case of a new
 IDPR traffic flow, a directive to generate an entry.  If the search
 terminates in an existing forwarding information database entry, the
 path agent forwards the message according to that entry.
 Suppose that the search terminates indicating that the traffic flow
 from Hx to Hy requires an IDPR policy route and that no entry in the
 forwarding information database yet exists for that traffic flow.  In
 this case, the path agent first determines the source and destination
 domains associated with the message's source and destination
 addresses, before attempting to obtain a policy route.  The path
 agent relies on the mapping servers to supply the domain information,
 but it caches all mapping server responses locally to limit the
 number of future queries.  When attempting to resolve an address to a
 domain, the path agent always checks its local cache before
 contacting a mapping server.
 After obtaining the domain information, the path agent attempts to
 obtain a policy route to carry the traffic from Hx to Hy.  The path
 agent relies on route servers to supply policy routes, but it caches
 all route server responses locally to limit the number of future
 queries.  When attempting to locate a suitable policy route, the path
 agent usually consults its local cache before contacting a route
 server, as described previously in section 6.3.
 If no suitable cache entry exists, the path agent queries the route
 server, providing it with the source and destination domains together
 with source policy information carried in the host message or
 specified through configuration.  Upon receiving a policy route
 query, a route server consults its route database.  If it cannot
 locate a suitable route in its route database, the route server
 attempts to generate at least one route to AD Y, consistent with the
 requested services for Hx.
 The route server always returns a response to the path agent,
 regardless of whether it is successful in locating a suitable policy
 route.  The response to a successful route query consists of a set of
 candidate routes, from which the path agent makes its selection.  We
 expect that a path agent will normally choose a single route from a
 candidate set.  Nevertheless, IDPR does not preclude a path agent
 from selecting multiple routes from the candidate set.  A path agent
 may desire multiple routes to support features such as fault

Steenstrup [Page 82] RFC 1479 IDPR Protocol July 1993

 tolerance or load balancing; however, IDPR does not currently specify
 how the path agent should use multiple routes.
 If the policy route is a new route provided by the route server,
 there will be no existing path for the route, and thus the path agent
 must set up such a path.  However, if the policy route is an existing
 route extracted from the path agent's cache, there may well be an
 existing path for the route, set up to accommodate a host traffic
 flow.  IDPR permits multiple traffic flows to use the same path,
 provided that all traffic flows sharing the path travel between the
 same endpoint domains and have the same service requirements.
 Nevertheless, IDPR does not preclude a path agent from setting up
 distinct paths along the same policy route to preserve the
 distinction between host traffic flows.
 The path agent associates an identifier with the path, which is
 included in each message that travels down the path and is used by
 the policy gateways along the path in order to determine how to
 forward the message.  If the path already exists, the path agent uses
 the preexisting identifier.  However, for new paths, the path agent
 chooses a path identifier that is different from those of all other
 paths that it manages.  The path agent also updates its forwarding
 information database to reference the path identifier and modifies
 its search procedure to yield the correct entry in the forwarding
 information database given the data message header.
 For new paths, the path agent initiates path setup, communicating the
 policy route, in terms of requested services, constituent domains,
 relevant transit policies, and the connecting virtual gateways, to
 policy gateways in intermediate domains.  Using this information, an
 intermediate policy gateway determines whether to accept or refuse
 the path and to which next policy gateway to forward the path setup
 information.  The path setup procedure allows policy gateways to set
 up a path in both directions simultaneously.  Each intermediate
 policy gateway, after path acceptance, updates its forwarding
 information database to include an entry that associates the path
 identifier with the appropriate previous and next hop policy
 gateways.
 When a policy gateway in AD Y accepts a path, it notifies the source
 path agent in AD X.  We expect that the source path agent will
 normally wait until a path has been successfully established before
 using it to transport data traffic.  However, PCP does not preclude a
 path agent from forwarding messages along a path prior to
 confirmation of successful path establishment.  Paths remain in place
 until they are torn down because of failure, expiration, or when
 resources are scarce, preemption in favor of other paths.

Steenstrup [Page 83] RFC 1479 IDPR Protocol July 1993

 We note that data communication between Hx and Hy may occur over two
 separate IDPR paths: one from AD X to AD Y and one from AD Y to AD X.
 The reasons are that within a domain, hosts know nothing about path
 agents nor IDPR paths, and path agents know nothing about other path
 agents' existing IDPR paths.  Thus, in AD Y, the path agent that
 terminates the path from AD X may not be the same as the path agent
 that receives traffic from Hy destined for Hx.  In this case, receipt
 of traffic from Hy forces the second path agent to set up an
 independent path from AD Y to AD X.

7.2. Path Identifiers

 Each path has an associated path identifier, unique throughout an
 internetwork.  Every IDPR data message travelling along that path
 includes the path identifier, used for message forwarding.  The path
 identifier is the concatenation of three items: the identifier of the
 originator's domain, the identifier of the originator's policy
 gateway or route server, and a 32-bit local path identifier specified
 by the originator.  The path identifier and the CMTP transaction
 identifier have analogous syntax and play analogous roles in their
 respective protocols.
 When issuing a new path identifier, the originator always assigns a
 local path identifier that is different from that of any other active
 or recently torn-down path originally set up by that path agent.
 This helps to distinguish new paths from replays.  Hence, the
 originator must keep a record of each extinct path for long enough
 that all policy gateways on the path will have eliminated any
 reference to it from their memories.  The right-most 30 bits of the
 local identifier are the same for each path direction, as they are
 assigned by the originator.  The left-most 2 bits of the local
 identifier indicate the path direction.
 At path setup time, the originator specifies which of the path
 directions to enable contingent upon the information received from
 the route server in the ROUTE RESPONSE message.  By "enable", we mean
 that each path agent and each intermediate policy gateway establishes
 an association between the path identifier and the previous and next
 policy gateways on the path, which it uses for forwarding data
 messages along that path.  IDPR data messages may travel in the
 enabled path directions only, but path control messages are always
 free to travel in either path direction.  The originator may enable
 neither path direction, if the entire data transaction can be carried
 in the path setup message itself.  In this case, the path agents and
 the intermediate policy gateways do not establish forwarding
 associations for the path, but they do verify consistency of the
 policy information contained in the path setup message, with their
 own transit policies, before forwarding the setup message on to the

Steenstrup [Page 84] RFC 1479 IDPR Protocol July 1993

 next policy gateway.
 The path direction portion of the local path identifier has different
 interpretations, depending upon message type.  In an IDPR path setup
 message, the path direction indicates the directions in which the
 path should be enabled: the value 01 denotes originator to target,
 the value 10 denotes target to originator, the value 11 denotes both
 directions, and the value 00 denotes neither direction.  Each policy
 gateway along the path interprets the path direction in the setup
 message and sets up the forwarding information as directed.  In an
 IDPR data message, the path direction indicates the current direction
 of traffic flow: either 01 for originator to target or 10 for target
 to originator.  Thus, if for example, an originator sets up a path
 enabling only the direction from target to originator, the target
 sends data messages containing the path identifier selected by the
 originator together with the path direction set equal to 10.
 Instead of using path identifiers that are unique throughout an
 internetwork, we could have used path identifiers that are unique
 only between a pair of consecutive policy gateways and that change
 from one policy gateway pair to the next.  The advantage of locally
 unique path identifiers is that they may be much shorter than
 globally unique identifiers and hence consume less transmission
 bandwidth.  However, the disadvantage is that the path identifier
 carried in each IDPR data message must be modified at each policy
 gateway, and hence if the integrity/authentication information covers
 the path identifier, it must be recomputed at each policy gateway.
 For security reasons, we have chosen to include the path identifier
 in the set of information covered by the integrity/authentication
 value, and moreover, we advocate public-key based signatures for
 authentication.  Thus, it is not possible for intermediate policy
 gateways to modify the path identifier and then recompute the correct
 integrity/authentication value.  Therefore, we have decided in favor
 of path identifiers that do not change from hop to hop and hence must
 be globally unique.  To speed forwarding of IDPR data messages with
 long path identifiers, policy gateways should hash the path
 identifiers in order to index IDPR forwarding information.

7.3. Path Control Messages

 Messages exchanged by the path control protocol are classified into
 "requests": SETUP, TEARDOWN, REPAIR; and "responses": ACCEPT, REFUSE,
 ERROR.  These messages have significance for intermediate policy
 gateways as well as for path agents.
 SETUP:
      Establishes a path by linking together pairs of policy gateways.
      The SETUP message is generated by the originator and propagates

Steenstrup [Page 85] RFC 1479 IDPR Protocol July 1993

      to the target.  In response to a SETUP message, the originator
      expects to receive an ACCEPT, REFUSE, or ERROR message.  The
      SETUP message carries all information necessary to set up the
      path including path identifier, requested services, transit
      policy information relating to each domain traversed, and
      optionally, expedited data.
 ACCEPT: Signals successful path establishment.  The ACCEPT message is
      generated by the target, in response to a SETUP message, and
      propagates back to the originator.  Reception of an ACCEPT
      message by the originator indicates that the originator can now
      safely proceed to send data along the path.  The ACCEPT message
      contains the path identifier and an optional reason for
      conditional acceptance.
 REFUSE: Signals that the path could not be successfully established,
      either because resources were not available or because there was
      an inconsistency between the services requested by the source
      and the services offered by a transit domain along the path.
      The REFUSE message is generated by the target or by any
      intermediate policy gateway, in response to a SETUP message, and
      propagates back to the originator.  All recipients of a REFUSE
      message recover the resources dedicated to the given path.  The
      REFUSE message contains the path identifier and the reason for
      path refusal.
 TEARDOWN: Tears down a path, typically when a non-recoverable failure
      is detected.  The TEARDOWN message may be generated by any path
      agent or policy gateway in the path and usually propagates in
      both path directions.  All recipients of a TEARDOWN message
      recover the resources dedicated to the given path.  The TEARDOWN
      message contains the path identifier and the reason for path
      teardown.
 REPAIR: Establishes a repaired path by linking together pairs of
      policy gateways.  The REPAIR message is generated by a policy
      gateway after detecting that the next policy gateway on one of
      its existing paths is unreachable.  A policy gateway that
      generates a REPAIR message propagates the message forward at
      most one virtual gateway.  In response to a REPAIR message, the
      policy gateway expects to receive an ACCEPT, REFUSE, TEARDOWN,
      or ERROR message.  The REPAIR message carries the original SETUP
      message.
 ERROR: Transports information about a path error back to the
      originator, when a PCP message contains unrecognized
      information.  The ERROR message may be generated by the target
      or by any intermediate policy gateway and propagates back to the

Steenstrup [Page 86] RFC 1479 IDPR Protocol July 1993

      originator.  Most, but not all, ERROR messages are generated in
      response to errors encountered during path setup.  The ERROR
      message includes the path identifier and an explanation of the
      error detected.
 Policy gateways use CMTP for reliable transport of PCP messages,
 between path agents and policy gateways and between consecutive
 policy gateways on a path.  PCP must communicate to CMTP the maximum
 number of transmissions per path control message, pcp_ret, and the
 interval between path contol message retransmissions, pcp_int
 microseconds.  All path control messages, except ERROR messages, may
 be transmitted up to pcp_ret times; ERROR messages are never
 retransmitted.  A path control message is "acceptable" if:
  1. It passes the CMTP validation checks.
  1. Its timestamp is less than pcp_old (300) seconds behind the

recipient's internal clock time.

  1. It carries a recognized path identifier, provided it is not a SETUP

message.

 An intermediate policy gateway on a path forwards acceptable PCP
 messages.  As we describe in section 7.4 below, SETUP messages must
 undergo additional tests at each intermediate policy gateway prior to
 forwarding.  Moreover, receipt of an acceptable ACCEPT, REFUSE,
 TEARDOWN, or ERROR message at either path agent or at any
 intermediate policy gateway indirectly cancels any active local CMTP
 retransmissions of the original SETUP message.  When a path agent or
 intermediate policy gateway receives an unacceptable path control
 message, it discards the message and logs the event for network
 management.  The path control message age limit reduces the
 likelihood of denial of service attacks based on message replay.

7.4. Setting Up and Tearing Down a Path

 Path setup begins when the originator generates a SETUP message
 containing:
  1. The path identifier, including path directions to enable.
  1. An indication of whether the message includes expedited data.
  1. The source user class identifier.
  1. The requested services (see section 5.5.2) and source-specific

information (see section 7.6.1) for the path.

Steenstrup [Page 87] RFC 1479 IDPR Protocol July 1993

  1. For each domain on the path, the domain component, applicable

transit policies, and entry and exit virtual gateways.

 The only mandatory requested service is the maximum path lifetime,
 pth_lif, and the only mandatory source-specific information is the
 data message integrity/authentication type.  If these are not
 specified in the path setup message, each recipient policy gateway
 assigns them default values, (60) minutes for pth_lif and no
 authentication for integrity/authentication type.  Each path agent
 and intermediate policy gateway tears down a path when the path
 lifetime is exceeded.  Hence, no single source can indefinitely
 monopolize policy gateway resources or still functioning parts of
 partially broken paths.
 After generating the SETUP message and establishing the proper local
 forwarding information, the originator selects the next policy
 gateway on the path and forwards the SETUP message to the selected
 policy gateway.  The next policy gateway selection procedure,
 described below, applies when either the originator or an
 intermediate policy gateway is making the selection.  We have elected
 to describe the procedure from the perspective of a selecting
 intermediate policy gateway.
 The policy gateway selects the next policy gateway on a path, in
 round-robin order from its list of policy gateways contained in the
 present or next virtual gateway, as explained below.  In selecting
 the next policy gateway, the policy gateway uses information
 contained in the SETUP message and information provided by VGP and by
 the intra-domain routing procedure.
 If the selecting policy gateway is a domain entry point, the next
 policy gateway must be:
  1. A member of the next virtual gateway listed in the SETUP message.
  1. Reachable according to intra-domain routes supporting the transit

policies listed in the SETUP message.

  1. Able to reach, according to VGP, the next domain component listed

in the SETUP message.

 In addition, the selecting policy gateway may use quality of service
 information supplied by intra-domain routing to resolve ties between
 otherwise equivalent next policy gateways in the same domain.  In
 particular, the selecting policy gateway may select the next policy
 gateway whose connecting intra-domain route is optimal according to
 the requested services listed in the SETUP message.

Steenstrup [Page 88] RFC 1479 IDPR Protocol July 1993

 If the selecting policy gateway is a domain exit point, the next
 policy gateway must be:
  1. A member of the current virtual gateway listed in the SETUP message

(which is also the selecting policy gateway's virtual gateway).

  1. Reachable according to VGP.
  1. A member of the next domain component listed in the SETUP message.
 Once the originator or intermediate policy gateway selects a next
 policy gateway, it forwards the SETUP message to the selected policy
 gateway.  Each recipient (policy gateway or target) of an acceptable
 SETUP message performs several checks on the contents of the message,
 in order to determine whether to establish or reject the path.  We
 describe these checks in detail below from the perspective of a
 policy gateway as SETUP message recipient.

7.4.1. Validating Path Identifiers

 The recipient of a SETUP message first checks the path identifier, to
 make sure that it does not correspond to that of an already existing
 or recently extinct path.  To detect replays, malicious or otherwise,
 path agents and policy gateways maintain a record of each path that
 they establish, for max{pth_lif, pcp_old} seconds.  If the path
 identifier and timestamp carried in the SETUP message match a stored
 path identifier and timestamp, the policy gateway considers the
 message to be a retransmission and does not forward the message.  If
 the path identifier carried in the SETUP message matches a stored
 path identifier but the two timestamps do not agree, the policy
 gateway abandons path setup, logs the event for network management,
 and returns an ERROR message to the originator via the previous
 policy gateway.

7.4.2. Path Consistency with Configured Transit Policies

 Provided the path identifier in the SETUP message appears to be new,
 the policy gateway proceeds to determine whether the information
 contained within the SETUP message is consistent with the transit
 policies configured for its domain.  The policy gateway must locate
 the source and destination domains, the source host set and user
 class identifier, and the domain-specific information for its own
 domain, within the SETUP message, in order to evaluate path
 consistency.  If the policy gateway fails to recognize the source
 user class (or one or more of the requested services), it logs the
 event for network management but continues with path setup.  If the
 policy gateway fails to locate its domain within the SETUP message,
 it abandons path setup, logs the event for network management, and

Steenstrup [Page 89] RFC 1479 IDPR Protocol July 1993

 returns an ERROR message to the originator via the previous policy
 gateway.  The originator responds by tearing down the path and
 subsequently removing the route from its cache.
 Once the policy gateway locates its domain-specific portion of the
 SETUP message, it may encounter the following problems with the
 contents:
  1. The domain-specific portion lists a transit policy not configured

for the domain.

  1. The domain-specific portion lists a virtual gateway not configured

for the domain.

 In each case, the policy gateway abandons path setup, logs the event
 for network management, and returns an ERROR message to the
 originator via the previous policy gateway.  These types of ERROR
 messages indicate to the originator that the route may have been
 generated using information from an out-of-date CONFIGURATION
 message.
 The originator reacts to the receipt of such an ERROR message as
 follows.  First, it tears down the path and removes the route from
 its cache.  Then, it issues to a route server a ROUTE REQUEST message
 containing a directive to refresh the routing information database,
 with the most recent CONFIGURATION message from the domain that
 issued the ERROR message, before generating a new route.
 Once it verifies that its domain-specific information in the SETUP
 message is recognizable, the policy gateway then checks that the
 information contained within the SETUP message is consistent with the
 transit policies configured for its domain.  A policy gateway at the
 entry to a domain checks path consistency in the direction from
 originator to target, if the enabled path directions include
 originator to target.  A policy gateway at the exit to a domain
 checks path consistency in the direction from target to originator,
 if the enabled path directions include target to originator.
 When evaluating the consistency of the path with the transit policies
 configured for the domain, the policy gateway may encounter any of
 the following problems with SETUP message contents:
  1. A transit policy does not apply in the given direction between the

virtual gateways listed in the SETUP message.

  1. A transit policy denies access to traffic from the given host set

between the source and destination domains listed in the SETUP

   message.

Steenstrup [Page 90] RFC 1479 IDPR Protocol July 1993

  1. A transit policy denies access to traffic from the source user

class listed in the SETUP message.

  1. A transit policy denies access to traffic at the current time.
 In each case, the policy gateway abandons path setup, logs the event
 for network management, and returns a REFUSE message to the
 originator via the previous policy gateway.  These types of REFUSE
 messages indicate to the originator that the route may have been
 generated using information from an out-of-date CONFIGURATION
 message.  The REFUSE message also serves to teardown the path.
 The originator reacts to the receipt of such a REFUSE message as
 follows. First, it removes the route from its cache.  Then, it issues
 to a route server a ROUTE REQUEST message containing a directive to
 refresh the routing information database, with the most recent
 CONFIGURATION message from the domain that issued the REFUSE message,
 before generating a new route.

7.4.3. Path Consistency with Virtual Gateway Reachability

 Provided the information contained in the SETUP message is consistent
 with the transit policies configured for its domain, the policy
 gateway proceeds to determine whether the path is consistent with the
 reachability of the virtual gateway containing the potential next
 hop.  To determine virtual gateway reachability, the policy gateway
 uses information provided by VGP and by the intra-domain routing
 procedure.
 When evaluating the consistency of the path with virtual gateway
 reachability, the policy gateway may encounter any of the following
 problems:
  1. The virtual gateway containing the potential next hop is down.
  1. The virtual gateway containing the potential next hop is not

reachable via any intra-domain routes supporting the transit

   policies listed in the SETUP message.
  1. The next domain component listed in the SETUP message is not

reachable.

 Each of these determinations is made from the perspective of a single
 policy gateway and may not reflect actual reachability.  In each
 case, the policy gateway encountering such a problem returns a REFUSE
 message to the previous policy gateway which then selects a different
 next policy gateway, in round-robin order, as described in
 previously.  If the policy gateway receives the same response from

Steenstrup [Page 91] RFC 1479 IDPR Protocol July 1993

 all next policy gateways selected, it abandons path setup, logs the
 event for network management, and returns the REFUSE message to the
 originator via the previous policy gateway.  These types of REFUSE
 messages indicate to the originator that the route may have been
 generated using information from an out-of-date DYNAMIC message.  The
 REFUSE message also serves to teardown the path.
 The originator reacts to the receipt of such a REFUSE message as
 follows.  First, it removes the route from its cache.  Then, it
 issues to a route server a ROUTE REQUEST message containing a
 directive to refresh the routing information database, with the most
 recent DYNAMIC message from the domain that issued the REFUSE
 message, before generating a new route.

7.4.4. Obtaining Resources

 Once the policy gateway determines that the SETUP message contents
 are consistent with the transit policies and virtual gateway
 reachability of its domain, it attempts to gain resources for the new
 path.  For this version of IDPR, path resources consist of memory in
 the local forwarding information database.  However, in the future,
 path resources may also include reserved link bandwidth.
 If the policy gateway does not have sufficient resources to establish
 the new path, it uses the following algorithm to determine whether to
 generate a REFUSE message for the new path or a TEARDOWN message for
 an existing path in favor of the new path.  There are two cases:
  1. No paths have been idle for more than pcp_idle (300) seconds. In

this case, the policy gateway returns a REFUSE message to the

   previous policy gateway.  This policy gateway then tries to select
   a different next policy gateway, as described previously, provided
   the policy gateway that issued the REFUSE message was not the
   target. If the REFUSE message was issued by the target or if there
   is no available next policy gateway, the policy gateway returns
   the REFUSE message to the originator via the previous policy
   gateway and logs the event for network management.  The REFUSE
   message serves to tear down the path.
  1. At least one path has been idle for more than pcp_idle seconds. In

this case, the policy gateway tears down an older path in order to

   accommodate the newer path and logs the event for network
   management.  Specifically, the policy gateway tears down the least
   recently used path among those that have been idle for longer than
   pcp_idle seconds, resolving ties by choosing the oldest such path.
 If the policy gateway has sufficient resources to establish the path,

Steenstrup [Page 92] RFC 1479 IDPR Protocol July 1993

 it attempts to update its local forwarding information database with
 information about the path identifier, previous and next policy
 gateways on the path, and directions in which the path should be
 enabled for data traffic transport.

7.4.5 Target Response

 When an acceptable SETUP message successfully reaches an entry policy
 gateway in the destination or destination proxy domain, this policy
 gateway performs all of the SETUP message checks described in the
 above sections.  The policy gateway's path agent then becomes the
 target, provided no checks fail, unless there is an explicit target
 specified in the SETUP message.  For example, remote route servers
 act as originator and target during RSQP message exchanges (see
 section 5.2).  If the recipient policy gateway is not the target, it
 attempts to forward the SETUP message to the target along an intra-
 domain route.  However, if the target is not reachable via intra-
 domain routing, the policy gateway abandons path setup, logs the
 event for network management, and returns a REFUSE message to the
 originator via the previous policy gateway.  The REFUSE message
 serves to tear down the path.
 Once the SETUP message reaches the target, the target determines
 whether it has sufficient path resources.  The target generates an
 ACCEPT message, provided it has sufficient resources to establish the
 path.  Otherwise, it generates a REFUSE message.
 The target may choose to use the reverse path to transport data
 traffic to the source domain, if the enabled path directions include
 10 or 11.  However, the target must first verify the consistency of
 the reverse path with its own domain's configured transit policies,
 before sending data traffic over that path.

7.4.6. Originator Response

 The originator expects to receive an ACCEPT, REFUSE, or ERROR message
 in response to a SETUP message and reacts as follows:
  1. The originator receives an ACCEPT message, confirming successful

path establishment. To expedite data delivery, the originator may

   forward data messages along the path prior to receiving an ACCEPT
   message, with the understanding that there is no guarantee that the
   path actually exists.
  1. The originator receives a REFUSE message or an ERROR message,

implying that the path could not be successfully established. In

   response, the originator attempts to set up a different path to the
   same destination, as long as the number of selected different paths

Steenstrup [Page 93] RFC 1479 IDPR Protocol July 1993

   does not exceed setup_try (3).  If the originator is unsuccessful
   after setup_try attempts, it abandons path setup and logs the event
   for network management.
  1. The originator fails to receive any response to the SETUP message

within setup_int microseconds after transmission. In this case,

   the originator attempts path setup using the same policy route and
   a new path identifier, as long as the number of path setup attempts
   using the same route does not exceed setup_ret (2).  If the
   originator fails to receive a response to a SETUP message after
   setup_ret attempts, it logs the event for network management and
   then proceeds as though it received a negative response, namely a
   REFUSE or an ERROR, to the SETUP message.  Specifically, it
   attempts to set up a different path to the same destination, or it
   abandons path setup altogether, depending on the value of
   setup_try.

7.4.7. Path Life

 Once set up, a path does not live forever.  A path agent or policy
 gateway may tear down an existing path, provided any of the following
 conditions are true:
  1. The maximum path lifetime (in minutes, bytes, or messages) has been

exceeded at the originator, the target, or an intermediate policy

   gateway.  In each case, the IDPR entity detecting path expiration
   logs the event for network management and generates a TEARDOWN
   message as follows:
    o The originator path agent generates a TEARDOWN message for
      propagation toward the target.
    o The target path agent generates a TEARDOWN message for
      propagation toward the originator.
    o An intermediate policy gateway generates two TEARDOWN messages,
      one for propagation toward the originator and one for
      propagation toward the target.
  1. The previous or next policy gateway becomes unreachable, across a

virtual gateway or across a domain according to a given transit

   policy, and the path is not reparable.  In either case, the policy
   gateway detecting the reachability problem logs the event for
   network management and generates a TEARDOWN message as follows:
    o If the previous policy gateway is unreachable, an intermediate
      policy gateway generates a TEARDOWN message for propagation to
      the target.

Steenstrup [Page 94] RFC 1479 IDPR Protocol July 1993

    o If the next policy gateway is unreachable, an intermediate
      policy gateway generates a TEARDOWN message for propagation to
      the originator.
  1. All of the policy gateway's path resources are in use at the

originator, the target, or an intermediate policy gateway, a new

   path requires resources, and the given existing path is expendable,
   according to the least recently used criterion discussed in section
   7.4.4 above.  In each case, the IDPR entity initiating path
   preemption logs the event for network management and generates a
   TEARDOWN message as follows:
    o The originator path agent generates a TEARDOWN message for
      propagation toward the originator.
    o The target path agent generates a TEARDOWN message for
      propagation toward the originator.
    o An intermediate policy gateway generates two TEARDOWN messages,
      one for propagation toward the originator and one for
      propagation toward the target.
 Path teardown at a path agent or policy gateway, whether initiated by
 one of the above events, by receipt of a TEARDOWN message, or by
 receipt of a REFUSE message during path setup (as discussed in the
 previous sections), results in the path agent or policy gateway
 releasing all resources devoted to both directions of the path.

7.5. Path Failure and Recovery

 When a policy gateway fails, it may not be able to save information
 pertaining to its established paths.  Thus, when the policy gateway
 returns to service, it may have no recollection of the paths set up
 through it and hence may no longer be able to forward data messages
 along these paths.  We expect that when a policy gateway fails, it
 will usually be out of service for long enough that the up/down
 protocol and the intra-domain routing procedure can detect that the
 particular policy gateway is no longer reachable.  In this case,
 adjacent or neighbor policy gateways that have set up paths through
 the failed policy gateway and that have detected the failure, attempt
 local path repair (see section 7.5.2 below), and if unsuccessful,
 issue TEARDOWN messages for all affected paths.

Steenstrup [Page 95] RFC 1479 IDPR Protocol July 1993

7.5.1. Handling Implicit Path Failures

 Nevertheless, policy gateways along a path must be able to handle the
 case in which a policy gateway fails and subsequently returns to
 service without either the up/down protocol or the intra-domain
 routing procedure detecting the failure; we do not expect this event
 to occur often.  If the policy gateway, prior to failure, contained
 forwarding information for several established paths, it may now
 receive many IDPR data messages containing unrecognized path
 identifiers.  The policy gateway should alert the data sources that
 their paths through it are no longer viable.
 Policy gateways that receive IDPR data messages with unrecognized
 path identifiers take one of the following two actions, depending
 upon their past failure record:
  1. The policy gateway has not failed in the past pg_up (24) hour

period. In this case, there are at least four possible reasons for

   the unrecognized path identifier in the data message:
    o The data message path identifier has been corrupted in a way
      that is not detectable by the integrity/authentication value, if
      one is present.
    o The policy gateway has experienced a memory error.
    o The policy gateway failed sometime during the life of the path
      and source sent no data on the path for a period of pg_up hours
      following the failure.  Although paths may persist for more than
      pg_up hours, we expect that they will also be used more
      frequently than once every pg_up hours.
    o The path was not successfully established, and the originator
      sent data messages down the path prior to receiving a response
      to its SETUP message.
    In all cases, the policy gateway discards the data message and
    logs the event for network management.
  1. The policy gateway has failed at least once in the past pg_up hour

period. Thus, the policy gateway assumes that the unrecognized

   path identifier in the data message may be attributed to its
   failure.  In response to the data message, the policy gateway
   generates an ERROR message containing the unrecognized path
   identifier.  The policy gateway then sends the ERROR message back
   to the entity from which it received the data message, which should
   be equivalent to the previous policy gateway on the path.

Steenstrup [Page 96] RFC 1479 IDPR Protocol July 1993

 When the previous policy gateway receives such an ERROR message, it
 decides whether the message is acceptable.  If the policy gateway
 does not recognize the path identifier contained in the ERROR
 message, it does not find the ERROR message acceptable and
 subsequently discards the message.  However, if the policy gateway
 does find the ERROR message acceptable, it then determines whether it
 has already received an ACCEPT message for the given path.  If the
 policy gateway has not received an ACCEPT message for that path, it
 discards the ERROR message and takes no further action.
 If the policy gateway has received an ACCEPT message for that path,
 it then attempts path repair, as described in section 7.5.2 below.
 Only if path repair is unsuccessful does the previous policy gateway
 generate a TEARDOWN message for the path and return it to the
 originator.  The TEARDOWN message includes the domain and virtual
 gateway containing the policy gateway that failed, which aids the
 originator in selecting a new path that does not include the domain
 containing the failed policy gateway.  This mechanism ensures that
 path agents quickly discover and recover from disrupted paths, while
 guarding against unwarranted path teardown.

7.5.2. Local Path Repair

 Failure of one of more entities on a given path may render the path
 unusable.  If the failure is within a domain, IDPR relies on the
 intra-domain routing procedure to find an alternate route across the
 domain, which leaves the path unaffected.  If the failure is in a
 virtual gateway, policy gateways must bear the responsibility of
 repairing the path.  Policy gateways nearest to the failure are the
 first to recognize its existence and hence can react most quickly to
 repair the path.
 Relinquishing control over path repair to policy gateways in other
 domains may be unacceptable to some domain administrators.  The
 reason is that these policy gateways cannot guarantee construction of
 a path that satisfies the source policies of the source domain, as
 they have no knowledge of other domains' source policies.
 Nevertheless, limited local path repair is feasible, without
 distributing either source policy information throughout an
 internetwork or detailed path information among policy gateways in
 the same domain or in the same virtual gateway.  We say that a path
 is "locally reparable" if there exists an alternate route between two
 policy gateways, separated by at most one virtual gateway, on the
 path.  This definition covers path repair in the presence of failed
 routes between consecutive policy gateways as well as failed policy
 gateways themselves.

Steenstrup [Page 97] RFC 1479 IDPR Protocol July 1993

 An IDPR entity attempts local repair of an established path, in the
 direction from originator to target, immediately after detecting that
 the next policy gateway on the path is no longer reachable.  To
 prevent multiple path repairs in response to the same failure, we
 have stipulated that path repair can only be initiated in the
 direction from originator to target.  The IDPR entity initiating
 local path repair attempts to find an alternate path to the policy
 gateway immediately following the unreachable policy gateway on the
 path.
 Local path repair minimizes the disruption of data traffic flow
 caused by certain types of failures along an established path.
 Specifically, local path repair can accommodate an individual failed
 policy gateway or failed direct connection between two adjacent
 policy gateways.  However, it can only be attempted through virtual
 gateways containing multiple peer policy gateways.  Local path repair
 is not designed to repair paths traversing failed virtual gateways or
 domain partitions.  Whenever local path repair is impossible, the
 failing path must be torn down.

7.5.3. Repairing a Path

 When an IDPR entity detects through an ERROR message that the next
 policy gateway has no knowledge of a given path, it generates a
 REPAIR message and forwards it to the next policy gateway.  This
 REPAIR message will reestablish the path through the next policy
 gateway.
 When an entity detects that the next policy gateway on a path is no
 longer reachable, it takes one of the following actions, depending
 upon whether the entity is a member of the next policy gateway's
 virtual gateway.
  1. If the entity is not a member of the next policy gateway's virtual

gateway, then one of the following two conditions must be true:

    o The next policy gateway has a peer that is reachable via an
      intra-domain route consistent with the requested services.  In
      this case, the entity generates a REPAIR message containing the
      original SETUP message and forwards it to the next policy
      gateway's peer.
    o The next policy gateway has no peers that are reachable via
      intra-domain routes consistent with the requested services.  In
      this case, the entity tears down the path back to the
      originator.
  1. If the entity is a member of the next policy gateway's virtual

Steenstrup [Page 98] RFC 1479 IDPR Protocol July 1993

 gateway, then one of the following four conditions must be true:
    o The next policy gateway has a peer that belongs to the same
      domain component and is directly-connected to and reachable from
      the entity.  In this case, the entity generates a REPAIR message
      and forwards it to the next policy gateway's peer.
    o The next policy gateway has a peer that belongs to the same
      domain component, is not directly-connected to the entity, but
      is directly-connected to and reachable from one of the entity's
      peers, which in turn is reachable from the entity via an intra-
      domain route consistent with the requested services.  In this
      case, the entity generates a REPAIR message and forwards it to
      its peer.
    o The next policy gateway has no operational peers within its
      domain component, but is directly-connected to and reachable
      from one of the entity's peers, which in turn is reachable from
      the entity via an intra-domain route consistent with the
      requested services.  In this case, the entity generates a REPAIR
      message and forwards it to its peer.
    o The next policy gateway has no operational peers within its
      domain component, and the entity has no operational peers which
      are both reachable via intra-domain routes consistent with the
      requested services and directly-connected to and reachable from
      the next policy gateway.  In this case, the entity tears down
      the path back to the originator.
 A recipient of a REPAIR message takes the following steps, depending
 upon its relationship to the entity that issued the REPAIR message.
  1. The recipient and the issuing entity are in the same domain or in

same virtual gateway. In this case, the recipient extracts the

   SETUP message contained within the REPAIR message and treats the
   message as it would any other SETUP message.  Specifically, the
   recipient checks consistency of the path with its domain's transit
   policies and virtual gateway reachability.  If there are
   unrecognized portions of the SETUP message, the recipient generates
   an ERROR message, and if there are path inconsistencies, the
   recipient generates a REFUSE message.  In either case, the
   recipient returns the corresponding message to the policy gateway
   from which it received the REPAIR message.  Otherwise, if the
   recipient accepts the REPAIR message, it updates its local
   forwarding information database accordingly and forwards the REPAIR
   message to a potential next policy gateway, according to the
   information contained in the enclosed SETUP message.

Steenstrup [Page 99] RFC 1479 IDPR Protocol July 1993

  1. The recipient and the issuing entity are in different domains and

different virtual gateways. In this case, the recipient extracts

   the SETUP message from the REPAIR message and determines whether
   the associated path matches any of its established paths.  If the
   path does not match an established path, the recipient generates a
   REFUSE message and returns it to the policy gateway from which it
   received the REPAIR message.  In response to the receipt of a
   REFUSE message, the policy gateway tries a different next policy
   gateway.
 The path is reparable, if a path match is discovered.  In this case,
 the recipient updates the path entry in the local forwarding
 information database and issues an ACCEPT message to the policy
 gateway from which it received the REPAIR message, which in turn
 returns the message to the entity that issued the REPAIR message.
 The path is irreparable if all potential next policy gateways have
 been exhausted and a path match has yet to be discovered.  In this
 case, the policy gateway that fails to locate a next policy gateway
 issues a TEARDOWN message to return to the originator.
 An IDPR entity expects to receive an ACCEPT, TEARDOWN, REFUSE, or
 ERROR message in response to a REPAIR message and reacts to these
 responses differently as follows:
  1. The entity always returns a TEARDOWN message to the originator via

previous policy gateway.

  1. The entity does not return an ACCEPT message to the originator, but

receipt of such a message indicates that the path has been

   successfully repaired.
  1. The entity infers that the path is irreparable and subsequently

tears down the path and logs the event for network management, upon

   receipt of a REFUSE or ERROR message or when no response to the
   REPAIR message arrives within setup_int microseconds.
 When an entity detects that the previous policy gateway on a path
 becomes unreachable, it expects to receive a REPAIR message within
 setup_wait microseconds.  If the entity does not receive a REPAIR
 message for the path within that time, it infers that the path is
 irreparable and subsequently tears down the path and logs the event
 for network management.

7.6. Path Control Message Formats

 The path control protocol number is equal to 3.  We describe the
 contents of each type of PCP message below.

Steenstrup [Page 100] RFC 1479 IDPR Protocol July 1993

7.6.1. SETUP

 The SETUP message type is equal to 0.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            PATH ID                            |
 |                                                               |
 +-------------------------------+-------------------------------+
 |            SRC AD             |            HST SET            |
 +---------------+---------------+-------------------------------+
 |      UCI      |    UNUSED     |            NUM RQS            |
 +---------------+---------------+-------------------------------+
 |            DST AD             |            TGT ENT            |
 +-------------------------------+-------------------------------+
 |            AD PTR             |
 +-------------------------------+
 For each requested service for the path:
 +-------------------------------+-------------------------------+
 |            RQS TYP            |            RQS LEN            |
 +-------------------------------+-------------------------------+
 |                            RQS SRV                            |
 +---------------------------------------------------------------+
 For each domain contained in the path:
 +---------------+---------------+-------------------------------+
 |    AD LEN     |      VG       |            ADJ AD             |
 +---------------+---------------+-------------------------------+
 |            ADJ CMP            |            NUM TP             |
 +-------------------------------+-------------------------------+
 |              TP               |
 +-------------------------------+
 PATH ID
      (64 bits) Path identifier consisting of the numeric identifier
      for the originator's domain (16 bits), the numeric identifier
      for the originator policy gateway or route server (16 bits), the
      path direction (2 bits), and the local path identifier (30
      bits).
 SRC AD (16 bits) Numeric identifier for the source domain, which may
      be different from the originator domain if the originator domain
      is a proxy for the source.
 HST SET (16 bits) Numeric identifier for the source's host set.
 UCI (8 bits) Numeric identifier for the source user class.  The value
      0 indicates that there is no particular source user class.

Steenstrup [Page 101] RFC 1479 IDPR Protocol July 1993

 UNUSED (8 bits) Not currently used; must be set equal to 0.
 NUM RQS (16 bits) Number of requested services.
 DST AD (16 bits) Numeric identifier for the destination domain, which
      may be different from the target domain if the target domain is
      a proxy for the destination.
 TGT ENT (16 bits) Numeric identifier for the target entity.  A value
      of 0 indicates that there is no specific target entity.
 AD PTR (16 bits) Byte offset from the beginning of the message
      indicating the location of the beginning of the domain-specific
      information, contained in the right-most 15 bits.  The left-most
      bit indicates whether the message includes expedited data (1
      expedited data, 0 no expedited data).
 RQS TYP (16 bits) Numeric identifier for a type of requested service
      or source-specific information.  Valid requested services are
      described in section 5.5.2.  Valid source source-specific
      information includes the following types:
      12.  MD4/RSA data message authentication (see [16]).
      13.  MD5/RSA data message authentication (see [17]).
      14.  Billing address (variable).
      15.  Charge number (variable).
 RQS LEN (16 bits) Length of the requested service or source-specific
      information, in bytes, beginning with the next field.
 RQS SRV (variable) Description of the requested service or source-
      specific information.
 AD LEN (8 bits) Length of the information associated with a
      particular domain on the route, in bytes, beginning with the
      next field.
 VG (8 bits) Numeric identifier for an exit virtual gateway.
 ADJ AD (16 bits) Numeric identifier for an adjacent domain.
 ADJ CMP (16 bits) Numeric identifier for a component of the adjacent
      domain.  Used to aid a policy gateway in routing across a
      virtual gateway connected to a partitioned domain.

Steenstrup [Page 102] RFC 1479 IDPR Protocol July 1993

 NUM TP (16 bits) Number of transit policies that apply to the section
      of the path traversing the given domain component.
 TP (16 bits) Numeric identifier for a transit policy.

7.6.2. ACCEPT

 The ACCEPT message type is equal to 1.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            PATH ID                            |
 |                                                               |
 +---------------+-----------------------------------------------+
 |    RSN TYP    |                    REASON                     |
 +---------------+-----------------------------------------------+
 PATH ID
      (64 bits) Path identifier contained in the original SETUP
      message.
 RSN TYP (optional, 8 bits) Numeric identifier for the reason for
      conditional path acceptance.
 REASON (optional, variable) Description of the reason for conditional
      path acceptance.  Currently, no reasons have been defined.

7.6.3 REFUSE

 The REFUSE message type is equal to 2.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            PATH ID                            |
 |                                                               |
 +---------------+-----------------------------------------------+
 |    RSN TYP    |                    REASON                     |
 +---------------+-----------------------------------------------+
 PATH ID
      (64 bits) Path identifier contained in the original SETUP
      message.
 RSN TYP (8 bits) Numeric identifier for the reason for path refusal.
 REASON (variable) Description of the reason for path refusal.  Valid

Steenstrup [Page 103] RFC 1479 IDPR Protocol July 1993

      reasons include the following types:
      1.  Transit policy does not apply between the virtual gateways in a
          given direction.  Numeric identifier for the transit policy (16
          bits).
      2.  Transit policy denies access to traffic from the host set between
          the source and destination domains.  Numeric identifier for the
          transit policy (16 bits).
      3.  Transit policy denies access to traffic from the source user
          class.  Numeric identifier for the transit policy (16 bits).
      4.  Transit policy denies access to traffic at the current time.
          Numeric identifier for the transit policy (16 bits).
      5.  Virtual gateway is down.  Numeric identifier for the virtual
          gateway (8 bits) and associated adjacent domain (16 bits).
      6.  Virtual gateway is not reachable according to the given transit
          policy.  Numeric identifier for the virtual gateway (8 bits),
          associated adjacent domain (16 bits), and transit policy (16
          bits).
      7.  Domain component is not reachable.  Numeric identifier for the
          domain (16 bits) and the component (16 bits).
      8.  Insufficient resources to establish the path.
      9.  Target is not reachable via intra-domain routing.
      10. No existing path with the given path identifier, in response to
          a REPAIR message only.

7.6.4. TEARDOWN

 The TEARDOWN message type is equal to 3.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            PATH ID                            |
 |                                                               |
 +---------------+-----------------------------------------------+
 |    RSN TYP    |                    REASON                     |
 +---------------+-----------------------------------------------+

Steenstrup [Page 104] RFC 1479 IDPR Protocol July 1993

 PATH ID
      (64 bits) Path identifier contained in the original SETUP
      message.
 RSN TYP (8 bits) Numeric identifier for the reason for path teardown.
 REASON (variable) Description of the reason for path teardown. Valid
      reasons include the following types:
 1.  Virtual gateway is down.  Numeric identifier for the virtual
     gateway (8 bits) and associated adjacent domain (16 bits).
 2.  Virtual gateway is not reachable according to the given transit
     policy.  Numeric identifier for the virtual gateway (8 bits),
     associated adjacent domain (16 bits), and transit policy (16
     bits).
 3.  Domain component is not reachable.  Numeric identifier for the
     domain (16 bits) and the component (16 bits).
 4.  Maximum path lifetime exceeded.
 5.  Preempted path.
 6.  Unable to repair path.

7.6.5. ERROR

 The ERROR message type is equal to 4.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            PATH ID                            |
 |                                                               |
 +---------------+---------------+-------------------------------+
 |      MSG      |    RSN TYP    |            REASON             |
 +---------------+---------------+-------------------------------+
 PATH ID
      (64 bits) Path identifier contained in the path control or data
      message in error.
 MSG (8 bits) Numeric identifier for the type of path control message
      in error.  This field is ignored for error type 5.
 RSN TYP (8 bits) Numeric identifier for the reason for the PCP
      message error.

Steenstrup [Page 105] RFC 1479 IDPR Protocol July 1993

 REASON (variable) Description of the reason for the PCP message
      error.  Valid reasons include the following types:
 1.   Path identifier is already currently active.
 2.   Domain does not appear in the SETUP message.
 3.   Transit policy is not configured for the domain.  Numeric
 identifer for
      the transit policy (16 bits).
 4.   Virtual gateway not configured for the domain.  Numeric
 identifier
      for the virtual gateway (8 bits) and associated adjacent domain
 (16
      bits).
 5.   Unrecognized path identifier in an IDPR data message.

7.6.6. REPAIR

 The REPAIR message type is equal to 5.  A REPAIR message contains the
 original SETUP message only.

7.6.7. Negative Acknowledgements

 When a policy gateway receives an unacceptable PCP message that
 passes the CMTP validation checks, it includes, in its CMTP ACK, an
 appropriate negative acknowledgement.  This information is placed in
 the INFORM field of the CMTP ACK (described previously in section
 2.4); the numeric identifier for each type of PCP negative
 acknowledgement is contained in the left-most 8 bits of the INFORM
 field.  Negative acknowledgements associated with PCP include the
 following types:
 1.  Unrecognized PCP message type.  Numeric identifier for the
     unrecognized message type (8 bits).
 2.  Out-of-date PCP message.
 3.  Unrecognized path identifier (for all PCP messages except SETUP).
     Numeric identifier for the unrecognized path (64 bits).

8. Security Considerations

 Refer to sections 1.6, 1.7, and 2.3 for details on security in IDPR.

Steenstrup [Page 106] RFC 1479 IDPR Protocol July 1993

9. Author's Address

 Martha Steenstrup
 BBN Systems and Technologies
 10 Moulton Street
 Cambridge, MA 02138
 Phone: (617) 873-3192
 Email: msteenst@bbn.com

References

 [1]  Clark, D., "Policy Routing in Internet Protocols", RFC 1102, May
      1989.
 [2]  Estrin, D., "Requirements for Policy Based Routing in the
      Research Internet", RFC 1125, November 1989.
 [3]  Little, M., "Goals and Functional Requirements for Inter-
      Autonomous System Routing", RFC 1126, July 1989.
 [4]  Breslau, L. and Estrin, D., "Design of Inter-Administrative
      Domain Routing Protocols", Proceedings of the ACM SIGCOMM '90
      Symposium, September 1990.
 [5]  Steenstrup, M., "An Architecture for Inter-Domain Policy Rout-
      ing", RFC 1478, July 1993.
 [6]  Austein, R., "DNS Support for IDPR", Work in Progress, March
      1993.
 [7]  Bowns, H. and Steenstrup, M., "Inter-Domain Policy Routing Con-
      figuration and Usage", Work in Progress, July 1991.
 [8]  Woodburn, R., "Definitions of Managed Objects for Inter-Domain
      Policy Routing (Version 1)", Work in Progress, March 1993.
 [9]  McQuillan, J., Richer, I., Rosen, E., and Bertsekas, D.,
      "ARPANET Routing Algorithm Improvements: Second Semiannual
      Technical Report", BBN Report No. 3940, October 1978.
 [10] Moy, J., "The OSPF Specification", RFC 1131, October 1989.
 [11] Oran, D. (editor), "Intermediate System to Intermediate System
      Routeing Exchange Protocol for Use in Conjunction with the Pro-
      tocol for Providing the Connectionless-mode Network Service (ISO
      8473)", ISO/IEC JTC1/SC6/WG2, October 1989.

Steenstrup [Page 107] RFC 1479 IDPR Protocol July 1993

 [12] Estrin, D., and Tsudik, G., "Secure Control of Transit Internet-
      work Traffic, TR-89-15, Computer Science Department, University
      of Southern California.
 [13] Linn, J., "Privacy Enhancement for Internet Electronic Mail:
      Part I - Message Encipherment and Authentication Procedures",
      RFC 1113, August 1989.
 [14] Kent, S., and Linn, J., "Privacy Enhancement for Internet Elec-
      tronic Mail: Part II - Certificate-based Key Management", RFC
      1114, August 1989.
 [15] Linn, J., "Privacy Enhancement for Internet Electronic Mail:
      Part III - Algorithms, Modes, and Identifiers", RFC 1115, August
      1989.
 [16] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April
      1992.
 [17] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
      1992.

Steenstrup [Page 108]

/data/webs/external/dokuwiki/data/pages/rfc/rfc1479.txt · Last modified: 1993/07/21 23:10 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki