RFC 1125 Policy Requi rements November 1989

Security Considerations
This memodoes not address the securityaspects of the issues discussed.
Author's Address
DeborahEstrin
Universityof SouthernCalifornia
Computer Science Department
Los Angeles, CA90089-0782
Phone: (213) 743-7842
EMail: Estrin@OBERON.USC.EDU

Estrin [Page 18]

RFC1125 Pol i cy Requi r ement s November 1989

References
[1] J. Postel, Internet Prot ocol, Network Infor mat ion Cent er , RFC 791, September 1981.
[2] G. Vaudreuil, The Federal Research I nt ernet Coordinat i ng Commi t t ee and t he Nat i onal Re-
search Net work, ACM SI G Comput er Communi cat i ons Revi ew, April 1988.
[3] E. Rosen, Ext eri or Gat eway Prot ocol (EGP), Net wor k I nf or mat i on Cent er , RFC 827,
October 1982.
[4] D. Clark, Pol i cy Rout i ng i n I nt ernet Prot ocol s , Net wor k I nf or mat i on Cent er , RFC1102,
May1989.
[5] H.W.Braun, Model s of Pol i cy Based Rout i ng , Net wor k I nf or mat i on Cent er , RFC 1104,
June 1989.
[6] K. Lougheed, Y. Rekhter, A Border Gat eway Prot ocol , Net wor k I nf or mat i on Cent er , RFC
1105, June 1989.

. Schroeder, The Prot ect i on of

[7] J. Saltzer, M I nf ormat i on i n Comput er Syst ems , Pr oceedi ngs
of t he I EEE, 63, 9Septem ber 1975.
[8] V. Jacobson, Congest i on Avoi dance and Cont rol . Pr oceedi ngs of ACMSi gcomm, pp.
106-114, August 1988, PaloAlto, CA.
[9] David Clark, Desi gn Phi l osophy of t he DARPA I nt ernet Prot ocol s , Pr oceedi ngs of ACM
Si gcomm, pp. 106-114, August 1988, PaloAlto, CA.
[10] Gigabit NetworkingGroup, B. Leiner, Editor. Cri t i cal I ssues i n Hi gh Bandwi dt h Net worki ng ,
Net wor k I nf or mat i on Cent er , RFC 1077, November 1988.
ogul andG. Tsudik, Vi sa Prot ocol s f or Cont rol l i ng I nt er- Organi zat i onal Dat a-
[11] D. Estrin, J. M
gramFl ow, To appear i n I EEE Jour nal on Sel ect ed Ar eas i n Communi cat i ons , Spring
1989.
[12] D.EstrinandG.Tsudik, Securi t y I ssues i n Pol i cy Rout i ng , I EEE Sympos i umon Res ear ch
i n Secur i t y and Pr i vacy, O akland, CA. M
ay1-31989.
. Little, The
[13] M Di ssi mi l ar Gat eway Prot ocol , Techni cal r epor t
[14] P. Tsuchiya, The Landmark Hi erarchy: A new hi erarchy f or rout i ng i n very l arge net works ,
I EEE SI GCOMM88, PaloAlto, CA. September 1988.
[15] G.Finn, Reduci ng t he Vul nerabi l i t y of Dynami c Comput er Net works USC/I nf or mat i on Sci -
ences I ns t i t ut e, Techni cal Repor t , I SI /RR- 88- 201 July1988.
[16] A. Nakassis Rout i ng Al gori t hmf or Open Rout i ng , Unpubl i s hed paper , Available fromthe
author at the National Institute of Standards and Technology (formerly NBS), W
ashington
D.C.

Estrin [Page 17]

RFC1125 Pol i cy Requi r ement s November 1989

source routing. 12 13

9 Summary
Along with the emergence of very high speed applications and media, resource management has
becomeacritical issue inthe ResearchInternet andinternets ingeneral. Afundamental character-
istic of the resource management problemis allowing administrativelyADs to interconnect while
retainingcontrol over resource usage. However, wehavelackedacareful articulationof the types of
resource management policies that needtobesupported. This paper addresses policyrequirements
for the ResearchInternet. After justifyingour assumptions regardingADtopologywe presenteda
taxonomyandexamples of policies that must be supportedbyaPRprotocol.

10 Acknowledgments
Members of the Autonomous Networks ResearchGroupandOpenRouting W orking Grouphave
contributedsignicantlytothe ideas presentedhere, inparticular, GuyAlmes, Lee Breslau, Scott
Brim, Dave Clark, Marianne Lepp, andGene Tsudik. Inaddition, Lee BreslauandGene Tsudik
provided detailed comments on a previous draft. David Cheriton inadvertently caused me to
write this document. SharonAnderson's contributions deserve special recognition. The author is
supportedbyresearchgrants fromNational Science Foundation, AT&T, andGTE.

12
Moreover, the source routing approach loosens the requi rements for every AD to share a compl ete vi ew of the
enti re i nternet by al l owi ng the source to detect routi ng l oops.
13
The match between RFC1102 and the requi rements speci ed i n thi s document i s hardl y a coi nci dence si nce
Cl ark's paper and di scussi ons wi th hi mcontri buted to the requi rements f ormul ati on presented here. Hi s work i s
currentl y bei ng eval uated and rened by the ANRG and ORWG.

Estrin [Page 16]

RFC1125 Pol i cy Requi r ement s November 1989

is that access to an ADat any point in time is contingent upon a local, highly dynamic,
parameter that is not globally available. Therefore such a policy termcould well result
in looping, oscillations, and excessive route (re)computation overhead, both unacceptable.
Consequently, this is one type of policy that routing experts suggest would be dicult to
support inaverylarge decentralizedinternetwork.
 Granularity can also be problematic, but not as devistating as highly dynamic PRcontin-
gencies. Here the caution is less specic. Very ne grain policies, which restrict access to
particular hosts, or are contingent upon very ne grain user class identication, may be
achievedmore ecientlywithnetworklevel access control[11] or endsystemcontrols instead
of burdeningthe inter-ADroutingmechanism.
 Securityis expensive, as always. Routing protocols are subject to fraud throughimperson-
ation, data substitution, and denial of service. Some of the proposed mechanisms provide
some means for detection and non-repudiation. However, to achieve a priori preventionof
resourcemisuse is expensiveintermsof per connectionor per packet cryptographic overhead.
For some environments we rmlybelieve that this will be necessaryandwe wouldprefer an
architecture that wouldaccommodate suchvariability[12].

Ingeneral, it is dicult to predict the impact of anyparticular policyterm. Tools will be needed
toassist people inwritingandvalidatingpolicyterms.

8 Proposed mechanisms
Previous routing protocols have addressed a narrower denition of PR, as appropriate for the
internets of their day. Inparticular, EGP[3], DGP[13], andBGP[6] incorporate anotionof policy
restrictions as towhere routingdatabase informationtravels. None are intendedtosupport policy
basedroutingof packetsas describedhere. M orerecentroutingproposals suchas Landmark[14] and
Cartesian[15] couldbe usedtorestrict packet forwardingbut are not suitedtosource/destination,
and some of the condition-oriented, policies. W e feel these policy types are critical to support.
We note that for environments (e.g., withinanADsubstructure) inwhichthe simple-AD-topology
conjecture holds true, these alternatives maybe suitable.
RFC1104[5] provides a good descriptionof shorter termpolicy routing requirements. Braun
classies three types of mechanisms, policy based distributionof route information, policy based
packet forwarding, and policy based dynamic allocation of network resources. The second class
is characterizedbyDave Clark's PRarchitecture, RFC1102[4]. W ithrespect to the longer term
requirements laidout inthis document, onlythis secondclass is expressive and exible enoughto
support the multiplicityof stubandtransit policies. Inother words, the power of the PRapproach
(e.g., RFC1102) is not just in the added granularity of control pointed out by Braun, i.e., the
abilitytospecifyparticular hosts anduser classes. Its power is inthe abilitytoexpress andenforce
manytypes of stubandtransit policies andapplythemonadiscriminatorybasis todierent ADs.
Inaddition, this approachprovides explicit support for stubADs to control routes via the use of

Estrin [Page 15]

RFC1125 Pol i cy Requi r ement s November 1989

Regi onal B

1. Regional Bwill carrytracfrom/toanydirectlyconnectedF/Re/UnetworktoanyF/Re/U

networkvia a commercial carrier regardless of its UCI. Inthis case the packets are charged
for since the commercial carrier charges per kilopacket.
[RegionalB : (3; fF =Re = U g; fF = Re = U g)(3; fF = Re = U g; Cc )fg
fun a u the n t i c a t e dU C I ; pe r 0 ki l o p a c k e t c h a r g e gfg]

6.3. 3 Campus and Pr i vat e Net wor ks

Similar interviews shouldbe conductedwithadministrators of campus andprivatenetworks. How-

ever, manyaspects of their policies are contingent onthe still unresolvedpolicies of the regionals
andfederal agencies. Inanyevent, transit policies will be critical for campus andprivate networks
to exiblycontrol access tolateral links andprivatewide areanetworks, respectively. For example,
a small set of university and private laboratories may provide access to special gigabit links for
particular classes of researchers. Onthe other hand, source/destinationpolicies shouldnot be used
inplace of networklevel access controls for these endADs.

6. 3. 4 Commer ci al Ser vi ces

Currently commercial communication services play a lowlevel role in most parts of today's Re-
search Internet; they provide the transmission media, i.e., leased lines. In the future we expect
commercial carriers to provide increasinglyhigher level andenhancedservices suchas highspeed
packet switchedbackbone services. Because suchservices are not yet part of the ResearchInternet
infrastructure there exist no policystatements.
Chargingandaccountingare certaintobe animportant policytype inthis context. M oreover,
we anticipate the longhaul services market tobe highlycompetitive. This implies that competing
service providers will engage in signicant gaming in terms of packaging and pricing of services.
Consequently, the abilityto express variedanddynamic chargingpolicies will be critical for these
ADs.

7 Probl emati c requi rements

Most of this paper has lobbiedfor articulationof relativelydetailedpolicystatements inorder to
helpdene thetechnical mechanismsneededfor enforcement. W
epromotedatopdowndesignpro-
cess beginningwitharticulationof desiredpolicies. Nowwefeel compelledtomentionrequirements
that are clearlyproblematic fromthe bottomupperspective of technical feasibility.

 Non-interference policies are of the form\I will provide access for principals x to resources
y so long as it does not interfere with my internal usage." The problemwith suchpolicies

Estrin [Page 14]

RFC1125 Pol i cy Requi r ement s November 1989

Def ens e Advanced Res ear ch Pr oject s Agency (DARPA)

1. DARPAwill carry trac to/fromanyhost inDARPAADfromanyexternal host that can

get it there so long as UCI is research or support. No UCI authentication or per packet
charge.
[DARP A1: (3; 3; 3)(3; DARP A; 0)fr e se a r c h ; s u p p o r t g
f una ut he nt i c a t e d 0 U CI ; no p e r p a c k e t c ha r g e gfg]
2. DARPAwill carrytracfor anyhost connectedtoaF/Re/U/Conetworktalkingtoanyother
host connectedtoaF/Re/U/CoviaanyF/Re/U/Coentryandexit network, solongas there
is it is beingusedfor researchor support, andthe networkis not heavilycongested!!. There
is noauthenticationof the UCI andnoper packet charging. NOTE: Darpawouldlike tosay
somethingabout the needtoenter the DarpaADat the point closest tothe destination...but
i don't knowhowtoexpress this...
[DARP A2: (3; fF = R= U = C o g; fF = R= U = C o g)(3; fF = R= U = C o g; fF = R= U = C o g)
f r e s e a r c h; s up p o r t gfuna ut he nt i c a t e d 0 U CI ; no p e r p a c k e t c ha r g e ;

no n 0i n t e r f e r e n c e ba s i s gfg]

Def ens e Communi cat i ons Agency ( DCA)

1. DCAwill not carry any transit trac. It will only accept and send trac to and fromits
mailbridge(s) and only fromand to hosts onother F/Re nets. All packets are markedand
chargedfor bythe kilopacket.
[DC A1: (ma i l b r i d g e ; DC A; 0)(3; fF = Re g; fF = Re g)fr e s e a r c h; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; a l l i n c o mi n g p a c k e t s ma r k e d ; p e r 0 k i l o p a c k e t c h

6. 3. 2 The Regi onal s

Interviews withregional networkadministrations are nowunderway. Ingeneral their policies are

still information due to the relatively recent formation of these regional networks. However, for
the sake of illustrationwe provide anexample of ahypothetical regional's networkpolicies.

Regi onal A

1. Regional Awill carrytracfrom/toanydirectlyconnectedF/Re/UnetworktoanyF/Re/U

network via NSFif it is for a research or support UCI. (NSFrequires that all Regional
networks onlypass it trac that complies withits, NSF's, policies!)
[Re g i o n a l A : (3; fF = Re = U g; fF = Re = U g)(3; fF = Re = U g; N SF )fr e s e a r c h; s up p o r t g
fu n a u t h e n t i c a t e d U CI ; no 0 p e r 0 p a c k e t c ha r g e gfg]

Estrin [Page 13]

RFC1125 Pol i cy Requi r ement s November 1989

Depar t ment of Ener gy ( DOE)

1. DOEwill carrytrac to andfromanyhost directlyconnectedtoDOEso long as it is used

for researchor support. There is noauthenticationof the UCI andnoper packet charging.
[DOE 1: (3; DOE ; 0)(3; 3; 3)fr e s e a r c h ; s u p p o r t g
f
u n a u t h e n t i c a t e d U CI ; no 0 p e r 0 p a c k e t c ha r g e gfg]
2. DOEwill carry trac for anyhost connected to a F/Re networktalking to anyother host
connectedtoaF/Re viaanyF/Re entryandexit networkwithout regardtothe UCI. There
is no authenticationof the UCI and no per packet charging. (inother words DOEis more
restrictive with its owntrac than with trac it is carrying as part of a resource sharing
arrangement.)
[DOE 2: (3; fF = Re g; fF = Re g)(3; fF = Re g; fF = Re g)fg
f u n a u t h e n t i c a t e d U CI ; no 0 p e r 0 p k t c ha r g e gfg]

Nat i onal Aer onaut i cs and Space Admi ni s t r at i on ( NASA)

1. Nasa will accept any trac to/frommembers of the Nasa AD. But no transit. No UCI
authenticationandnoper packet charge.
[N AS A1: (3; 3; 3)(3; N a s a ; 0)fN a s a 0r e s e a r c h ; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; no 0 p e r 0 p a c k e t 0 c ha r g e gfg]
2. Nasa will carry transit trac to/fromother federal agency networks if it is in support of
research, andif the total use of available BWby non-nasa Federal agencies is belownnon-
interference policy type needs some more work in terms of integrating it into the routing
algorithms. See Section7.
[N AS A2: (3; fF g; 3)(3; fF g; 3)fr e s e a r c h ; s u p p o r t g
fp e r 0p a c k e t a c c o u n t i n g ; l i mi t e d t o n %o f a va i l a b l e BW gfg]
3. NASAwill carry commercial trac to federal and regional and university ADs for nasa
researchor support. But it will not allowtransit. The particular entryADis not important.
[N AS A3: (3; fC o g; 3g(3; fF = R= U g; 3)fN AS Ar e s e a r c h ; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; no p e r p a c k e t c ha r g e gfg]
4. Onacase bycase basis NASAmayprovideaccess toits resources onacost reimbursedbasis.
Transit trac will not be carriedonthis basis.
[N AS A4: (3; 3; 0)(3; 3; 0)fg
fp e r 0p a c k e t 0c h a r g e ; l i mi t e d t o n %o f a v a i l a b l e BW gfg]

Estrin [Page 12]

RFC1125 Pol i cy Requi r ement s November 1989

for Regional, Ufor University, Cofor Commercial Corporation, andCc for Commercial Carrier. A
hyphen, -, means noapplicable matches.
ByexaminingaPTwecanidentifythetypeof policyrepresented, asper thetaxonomypresented
earlier.

 If anADspecies apolicytermthat has anull (-) entryfor the ADexit, thenit is disallowing
transit for some groupof users, andit is atransit policy.
 If anADspecies apolicytermthat lists itself explicitlyas ADsrc or ADdst, it is expressing
restrictions on who can access particular resources within its boundaries, or on who inside
canobtainexternal access. Inother words the ADis expressingasource/destinationpolicy.
 If ADexit or ADentr is speciedthenthe policyexpressedis anexit/entrance pathpolicy.
 If the global conditions include charging, QOS, resource guarantee, time of day, higher level
application, resource limit, or authenticationrelatedinformationit is obviously a charging,
QOS, resource guarantee, temporal, higher level application, resource limit, or authentication
policy, respectively.

As seenbelow, anyone PTtypicallyincorporates acombinationof policytypes.

6. 3. 1 The FRI CC

Inthe followingexamples all policies (andPTs) are symmetrical under the assumptionthat com-
municationis symmetrical.

Nat i onal Sci ence Foundat i on ( NSF)

1. NSFwill carry trac for any host connected to a F/Re network talking to any other host
connectedtoaF/Re viaanyF/Re entryandexit network, solongas there is it is beingused
for researchor support. There is no authenticationof the UCI andno per packet charging.
NSFnet is abackbone andsodoes not connect directlytouniversities or companies...thus the
indicationof fF/Reg insteadof fF/Re/U/Cog as ADent andADexit.
[N S F 1: (3; fF = Re g; fF = Re g)(3; fF = Re g; fF = Re g)fr e s e a r c h ; s up p o r t g
fu n a u t h e n t i c a t e d U C I ; n o 0p e r 0p k t c h a r g e gfg]
2. NSFwill carry trac to user and expert services hosts in NSFADto/fromanyF/Re AD,
viaanyF/Re AD. These are the onlythings that directlyconnect toNSFnet.
[N S F 2: (fU s e r s v c s ; E xp e r t S v c s g; fN S F g; fF = Re g)(3; f
F = Re g f0g)fgfgfg]
;

Estrin [Page 11]

RFC1125 Pol i cy Requi r ement s November 1989

6.2 Taxonomy of Charging Poli ci es

Stubandtransit chargingpolicies mayspecifythe followingparameters:

 Uni t of account i ng (e.g., dollars or credits).

 Bas i s f or char gi ng (e.g., per Kbyte or per Kpkt).
 Act ual char ges (e.g., actual numbers suchas $.50/M
byte).
 Who i s char ged or pai d (e.g., originator of packet, immediate neighbor fromwhompacket
was received, destinationof packet, athirdpartycollectionagent).
 W
hos e packet count is used (e.g., source, destination, the transit AD's own count, the
count of some upstreamor downstreamAD).
 Bound on char ges (e.g., to limit the amount that a stub ADis willing to spend, or the
amount that atransit ADis willingto carry.)

The enforcement of these policies maybe carriedout during route synthesis or route selection[4]

6. 3 Exampl e Pol i cy s tat ement s

The following policy statements were collected in the fall of 1988 through interviews with rep-
resentatives of the federal agencies most involved in supporting internetworking. Once again we
emphasizethat theseare not oci al pol i cy st at ement s . Theyarepresentedheretoprovideconcrete
examples of the sort of policies that agencies wouldlike toenforce.

Expr es s i ng pol i ci es as Pol i cy Ter ms ( PTs ) Each policy is described in English and then
expressed in a pol i cy t erm(PT) notation suggested by Dave Clark in [4]. EachPTrepresents a
distinct policyof the ADthat synthesizedit. The format of aPTis:
[(H src; ADsrc ; ADent); (Hdst ; ADdst ; ADexit ); U C I ; C g ; C b ]
Hsrc stands for source host, ADsrc for source AD, ADent for entering AD(i.e., neighboring
ADfromwhichtrac is arriving directly), Hdst for destinationhost, ADdst for destinationAD,
ADexit for exit AD(i.e., neighboring ADto which trac is going directly), UCI for user class
identier, and Cg andCb for global andbilateral conditions, respectively. The purpose of a PT
is to specify that packets fromsome host, H src , (or a groupof hosts) ina source A D, AD src , are
allowed to enter the ADin question via some directly connected AD, AD ent , and exit throu
gh
another directly connectedAD, AD exi t , onits w ayto a host, H dst , (or a groupof hosts) insom e
destinationAD, AD dst . User Class Identier (UCI) allows for distinguishingbetweenvarious user
classes, e.g., Government, Research, Commercial, Contract, etc. Global Conditions (Cg) represent
billing and other variables. Bilateral Conditions (Cb) relate to agreements between neighboring
ADs, e.g., relatedto metering or charging. Inthe example policy terms providedbelowwe make
use of the following abbreviations: Fricc for fDOE,NASA,DCA,NSFg, Ffor Federal Agency, Re

Estrin [Page 10]

RFC1125 Pol i cy Requi r ement s November 1989

reject a route based on any AD(or combinationof ADs) in the route. Similarly, a transit
ADcouldexpress apacket forwardingpolicythat behaves dierentlydependinguponwhich
ADs apacket has passedthrough, andis going topass through, enroute tothe destination.
Less ambitious (andperhaps more reasonable) pathsensitivepolicies might onlydiscriminate
accordingtothe immediate neighbor ADs throughwhichthe packet is traveling(i.e., astub
network could reject a route based on the rst transit ADin the route, and a transit AD
couldexpress apacket forwardingpolicythat depends upontheprevious, andthesubsequent,
transit ADs inthe route.)
 Qual i t y/Type of Ser vi ce ( QOS or TOS)
This type of policy restricts access to special resources or services. For example, a special
highthroughput, lowdelaylinkmaybe made available onaselective basis.
 Res our ce Guar ant ee
These policies provide aguaranteedpercentage of aresource onaselective, as neededbasis.
Inother words, the resource canbe usedbyothers if the preferred-AD's oeredloadis below
the guaranteedlevel of service. The guarantee maybe toalways carryintra-ADtrac or to
always carryinter-ADtrac for aspecic AD.
 Tempor al
Temporal policies restrict usage basedonthe time of dayor other time relatedparameters.
 Hi gh Level Pr ot ocol
Usage may be restricted to a specic high level protocol suchas mail or le transfer. (Al-
ternatively, suchpolicies canbe implementedas source/destinationpolicies byconguring a
host(s) withinanADas anapplicationrelayandcomposingpolicytermsthat allowinter-AD
access toonlythat host.)
 Res our ce l i mi t
There maybe alimit onthe amount of tracloadasource maygenerate duringaparticular
time interval, e.g., somanypackets inaday, hour, or minute.
 Aut hent i cat i on r equi r ement s
Conditions may be speciedregarding the authenticabilityof principal identifying informa-
tion. Some ADs might require some formof cryptographic proof as to the identity and
aliations of the principal before providingaccess tocritical resources.

The above policy types usually exist in combination for a particular AD, i.e., an AD's policies
might express a combinationof transit, source/destination, andQOSrestrictions. This taxonomy
will evolve as PRis appliedto other domains.
As will be seen in Section 6.3 an ADcan express its charging and access policies in a single
syntax. M oreover, both stuband transit policies cancoexist. This is important since some ADs
operate as bothstubandtransit facilities andrequire suchhybridcontrol.

Estrin [Page 9]
RFC1125 Pol i cy Requi r ement s November 1989

6 Pol i cy types
This section outlines a taxonomy of internet policies for inter-ADtopologies that allowlateral
and bypass links. The taxonomy is intended to cover a wide range of ADs and internets. Any
particular PRarchitecture we designshouldsupport a signicant subset of these policytypes but
may not support all of themdue to technical complexity and performance considerations. The
general taxonomyis important input toafunctional specicationfor PR. Moreover, it canbe used
to evaluate and compare the suitability and completeness of existing routing architectures and
protocols for PR; see Section8.
W
e provide examples fromthe ResearchInternet of the dierent policy types in the formof
resource usage policystatements. These statements were collectedthroughinterviews withagency
representatives, but they do not represent ocial policy. These sample policy statements should
not be interpretedas agencypolicy, theyare providedhere onlyas examples.
Internet policies fall into two classes, access and charging. Access policies specify who can
use resources andunder what conditions. Charging policies specifythe metering, accounting, and
billingimplementedbyaparticular AD.

6. 1 Taxonomy of Acces s Pol i ci es

We have identiedthe followingtypes of access policies that ADs maywishto enforce. Charging
policies are described in the subsequent section. Section 6.3 provides more specic examples of
bothaccess andchargingpolicies usingFRICCpolicystatements .
Access policies typically are expressed in the form: pri nci pal s of t ype x can have access t o
resources of t ype y under t he f ol l owi ng condi t i ons, z . The policies are categorizedbelowaccording
to the denitionof yandz. Inanyparticular instance, eachof the policytypes wouldbe further
qualiedbydenitionof legitimate principals, x, i.e., what characteristics xmust have inorder to
access the resource inquestion.
We refer to access policies described by stub and transit ADs. The two roles imply dierent
motivations for resource control, however the types of policies expressedare similar; we expect the
supportingmechanismstobe commonas well.
Stubandtransit access policies mayspecifyanyof the followingparameters:

 Sour ce/Des t i nat i on

Source/Destinationpolicies prevent or restrict communicationoriginatedbyor destinedfor
particular ADs (or hosts or user classes withinanAD).
 Pat h
Pathsensitive policies specify whichADs mayor maynot be passedthroughen route to a
destination. The most general pathsensitive policies allowstubandtransit ADs to express
policies that depend on any component in the ADpath. In other words, a stub ADcould

Estrin [Page 8]
RFC1125 Pol i cy Requi r ement s November 1989

the complexcase, lateral connections must be supported, along withthe means to control the use
of suchconnections inthe routing protocols.
The dierent topologies imply dierent policy requirements. The rst model assumes that
all policies canbe expressed andenforced in terms of dollars and cents and distributed charging
schemes. Thesecondmodel assumes that ADswantmorevariedcontrol overtheir resources, control
that can not be captured in a dollars and cents metric alone. W e describe the types of policies
to be supported andprovide examples inthe following section, Section6. In brief, givenprivate
lateral links, ADs must be able to express access andcharging relatedrestrictions andprivileges
that discriminate onanADbasis. These policies will be diverse, dynamic, andnewrequirements
will emerge over time, consequentlysupport must be extensible. For example, the packagingand
chargingschemes of anysingle longhaul service will varyover timeandmaybe relativelyelaborate
(e.g., manytiers of service, special package deals, to achieve price discrimination).
Note that these assumptions about complexity do not preclude some collection of ADs from
\negotiatingaway"their policydierences, i.e., formingafederation, andcoordinatingasimplied
inter-ADconguration in order to reduce the requirements for inter-ADmechanisms. However,
we maintain that there will persist collections of ADs that will not and can not behave as a
single federation; both in the researchcommunityand, evenmore predominantly, in the broader
commercial arena. M oreover, when it comes to interconnecting across these federations, non-
negotiable dierences will arise eventually. It is our goal todevelopmechanismsthat are applicable
inthe broader arena.
The Internet communitydevelopedits original protocol suite withonly minimal provisionfor
resource control[9]. This was appropriate at the time of development basedonthe assumedcom-
munity(i.e., researchers) andthe groundbreaking nature of the technology. The next generation
of network technology is nowbeing designed to take advantage of high speed media andto sup-
port highdemandtracgeneratedbymore powerful computers andtheir applications.[10] As with
TCP/IPwehope that the technologybeingdevelopedwill nditself appliedoutside of the research
community. This time it wouldbe inexcusable toignore resource control requirements andnot to
paycareful attentiontotheir specication.
Finally, welookforwardtothe Internet structure takingadvantageof economies of scaleoered
by enhanced commercial services. However, in many respects the problemthat stub-ADs may
thus avoid, will be faced by the multiple regional and long haul carriers providing the services.
The carriers' charging and resource control policies will be complex enough to require routing
mechanisms similar to ones being proposed for the complex ADtopology case described here.
Whether the networkstructure is basedonprivate or commercial services, the goal is toconstruct
policysensitive mechanismsthat will be transparent toendusers (i.e., the mechanismsare part of
the routinginfrastructure at the networklevel, andnot anendtoendconcern).
expect pri vate data networks to persi st f or the near f uture. As the tel ephone compani es begi n to i ntroduce the next
generati on of hi gh speed packet swi tched servi ces, the scenari o shoul d change. However, we mai ntai n that the resul t
wi l l be a predomi nance, but not compl ete domi nance, of publ i c carri er use f or l ong haul communi cati on. Theref ore,
pri vate data networks wi l l persi st and the routi ng archi tecture must accommodate control l ed i nterconnecti on.

Estrin [Page 7]
RFC1125 Pol i cy Requi r ement s November 1989

to topology and policy. They contend that in the long termthe following three conditions will
prevail:

 The public carriers will provide pervasive, competitivelypriced, highspeeddataservices.

 Theresultingtopologyof ADswill bestub(not transit) ADsconnectedtoregional backbones,
which in turn interconnect via multiple, overlapping long haul backbones, i.e., a hierarchy
withnolateral connections betweenstub-ADs or regionals, andnovertical bypass links.
 The policy requirements of the backbone and stub-ADs will be based only on charging for
resource usage at the stub-ADto backbone-ADboundary, andto settling accounts between
neighboringbackbone providers (regional tolonghaul, andlonghaul tolonghaul).

Under these assumptions, the primaryrequirement for general ADinterconnect is a meteringand

chargingprotocol. The routingdecisioncanbe modeledas asimple least cost pathwiththe metric
indollars andcents. Inother words, restrictions onaccess to transit services will be minimal and
the functionalityprovidedbythe routing protocol neednot be changedsignicantlyfromcurrent
dayapproaches.

Compl ex AD t opol ogy and pol i cy model The counter argument is that a more complex
ADtopologywill persist. 10 The dierent assumptions about ADtopologyleadtothe signicantly
dierent assumptions about ADpolicies.
This model assumes that the topology of ADs will in many respects agree with the previous
model of increasedcommercial carrier participationandresultinghierarchical structure. However,
weanticipateunavoidable andpersistent exceptions tothe hierarchy. W e assumethat there will be
arelativelysmall number of longhaul transit ADs (onthe order of 100), but that theremaybe tens
of thousands of regional ADs andhundreds of thousands of stubADs (e.g., campuses, laboratories,
andprivatecompanies). The competinglonghaul oerings will dier, bothinthe services provided
andin their packaging andpricing. Regional networks will overlapless and will connect campus
andprivate companynetworks. However, manystub-ADs will retainsomeprivate lateral links for
political, technical, andreliabilityreasons. For example, political incentives cause organizations to
invest inbypass links that are not always justiable ona strict cost comparisonbasis; specialized
technical requirements cause organizations to invest in links that have characteristics (e.g., data
rate, delay, error, security) not available frompublic carriers at a competitive rate; and critical
requirements cause organizations toinvest inredundant backuplinks for reliabilityreasons. These
exceptions to the otherwise regular topology are not dispensible. They will persist and must be
accommodated, perhaps at the expense of optimality; see Section5 for more detail. In addition,
manyprivate companies will retaintheir ownprivate longhaul networkfacilities. 11 Critical dier-
ences betweenthe twomodels followfromthe dierence inassumptions regardingADtopology. In
10
Much of the remai nder of thi s paper attempts to justi f y and provi de evi dence f or thi s statement.
11
Whi l e pri vate voi ce networks al so exi st, pri vate data networks are more common. Voi ce requi rements are more
standardi zed because voi ce appl i cati ons are more uni f ormthan are data appl i cati ons, and theref ore the commerci al
servi ces more of ten have what the voi ce customer wants at a pri ce that i s competi ti ve wi th the pri vate network
opti on. Data communi cati on requi rements are sti l l more speci al i zed and dynami c. Thus, there i s l ess opportuni ty f or
economy of scal e i n servi ce oeri ngs and i t i s harder to keep up to date wi th customer demand. For thi s reason we

Estrin [Page 6]
RFC1125 Pol i cy Requi r ement s November 1989

laboratory. They reside in a campus ADalong with users who are legitimate users of other AD
resources. M oreover, any one person may be a legitimate user of multiple ARresources under
varying conditions andconstraints (see examples insection6). Inaddition, users canmove from
one ADto another. In other words, a user's rights can not be determined solely based on the
ADfromwhich the user's communications originate. Consequently, PRmust not only identify
resources, it must identify pri nci pal s 8 andassociate dierent capabilities andrights w
ithdierent
principals.
One wayof reducingthe compromise of autonomyassociatedwithinterconnectionis toimple-
ment mechanisms that assure account abi l i t y for resources used. Accountabilitymaybe enforceda
priori, e.g., access control mechanisms applied before resource usage is permitted. Alternatively,
accountabilitymaybe enforcedafter the fact, e.g., recordkeepingor meteringthat supports detec-
tionandprovides evidence tothirdparties (i.e., non-repudiation). Accountabilitymechanismscan
also be usedto provide feedbackto users as to consumptionof resources. InternallyanADoften
decides todoawaywithsuchfeedbackunder the premise that communicationis aglobal goodand
shouldnot be inhibited. There is not necessarilya\global good"across ADboundaries. Therefore,
it becomes more appropriatetohaveresource usage visible tousers, whether or not actual charging
for usage takes place. Another motivationthat drives theneedfor accountabilityacross ADbound-
aries is the greater variabilityinimplementations. Dierent implementations of a single network
protocol canvarygreatlyas totheir eciency[8]. W e cannot assume control over implementation
across ADboundaries. Feedbackmechanismssuchas metering(andcharginginsomecases) would
introduce aconcrete incentivefor ADs toemployecient andcorrect implementations. PRshould
allowanADtoadvertise andapplysuchaccountingmeasures to inter-ADtrac.
Insummary, the lackof global authority, the needtosupport networkresource sharingas well
as networkinterconnection, the complexanddynamic mappingof users toADs andrights, andthe
needfor accountabilityacross ADs, are characteristics of inter-ADcommunications whichmust be
takenintoaccount inthe designof bothpolicies andsupportingtechnical mechanisms.

5 Topol ogy model of Internet

Before discussing policies per se, we outline our model of inter-ADtopologyandhowit in uences
thetypeof policysupport required. M ost members of theInternet communityagreethat thefuture
Internet will connect onthe order of 150,000,000 termination points and100,000 ADs. However,
there are con icting opinions as to the ADtopology for whichwe must design PRmechanisms.
The informal argument is describedhere.

Si mpl e AD t opol ogy and pol i cy model Some members of the Internet community believe
that the current complextopologyof interconnectedADs is atransient artifact resultingfromthe
evolutionarynature of the ResearchInternet's history. 9 T he critical points of this argument relate
8
The termpri nci pal i s taken f romthe computer securi ty communi ty[7].
9
Davi d Cheri ton of Stanf ord Uni versi ty arti cul ated thi s si de of the argument at an Internet workshop i n Santa
Cl ara, January, 1989.

Estrin [Page 5]
RFC1125 Pol i cy Requi r ement s November 1989

4 Why the probl emi s di cul t

Before proceeding with our description of topology and policy requirements this section outlines
several assumptions and constraints, namely: the lack of global authority, the need to support
networkresource sharingas well as networkinterconnection, the complexanddynamic mappingof
users to ADs andprivileges, andthe needfor accountabilityacross ADs. These assumptions limit
the solutionspace andraise challengingtechnical issues.
The purpose of policy basedrouting is to allowADs to interconnect andshare computer and
networkresources inacontrolledmanner. Unlike manyother problemsof resource control, there is
noglobal authority. EachADdenes its ownpolicies withrespect toits owntracandresources.
However, while we assume no global authority, and no global policies, we recognize that com-
plete autonomy implies no dependence and therefore no communication. The multi-organization
internets addressedhere haveinherent regions of autonomy, as well as requirements for interdepen-
dence. Our mechanismsshouldallowADs todesigntheir boundaries, insteadof requiringthat the
boundaries be either impenetrable or eliminated.
One of the most problematic aspects of the policy routing requirements identiedhere is the
need to support both network resource sharing and interconnectionacross ADs. An example of
resource sharing is twoADs (e.g., agencies, divisions, companies) sharing networkresources (e.g.,
links, or gateways and links) to take advantage of economies of scale. Providing transit services
to external ADs is another example of network resource sharing. Interconnection is the more
common example of ADs interconnecting their independently used network resources to achieve
connectivityacross the ADs, i.e., toallowauser inone ADtocommunicate withusers inanother
AD. In some respects, network resource control is simpler than network interconnection control
since the potential dangers are fewer (i.e., denial of service andloss of revenue as comparedwith
a wide range of attacks on end systems through network interconnection). However, controlled
networkresource sharing is more dicult to support. Inaninternet a packet maytravel through
anumber of transit ADs onits waytothe destination. Consequently, policies fromall transit ADs
must be consideredwhena packet is being sent, whereas for stub-ADcontrol onlythe policies of
the twoendpoint ADs have tobe considered. Inother words, controllednetworkresource sharing
andtransit requirethat policyenforcement be integratedintothe routingprotocols themselves and
cannot be left tonetworkcontrol mechanismsat the endpoints. 6 7

Complications also result fromthe fact that legitimate users of an AD's resources are not
all located in that AD. M any users (and their computers) who are funded by, or are aliated
with, a particular agency's programreside within the ADof the user's university or research
6
Another di erence i s that i n the i nterconnect case, trac travel i ng over ADA' s network resources al ways has a
member of ADAas i ts source or desti nati on (or both). Under resource shari ng arrangements members of both ADA
and B are connected to the same resources and consequentl y i ntra-ADtrac (i . e. , packets sourced and desti ned f or
members of the same AD) travel s over the resources. Thi s di sti ncti on i s rel evant to the wri ti ng of pol i ci es i n terms
of pri nci pal al i ati on.
7
Economi es of scal e i s one moti vati on f or resource shari ng. For exampl e, i nstead of i nterconnecti ng separatel y
to several i ndependent agency networks, a campus network may i nterconnect to a shared backbone f aci l i ty. Today,
i nterconnecti on i s achi eved through a combi nati on of AD speci c and shared arrangements. We expect thi s mi xed
si tuati on to persi st f or \wel l - connected" campuses f or reasons of pol i ti cs, economi cs, and f uncti onal i ty (e. g. , di erent
characteri sti cs of the di erent agency- networks). See Secti on 5 f or more di scussi on.

Estrin [Page 4]
RFC1125 Pol i cy Requi r ement s November 1989

3. 1 Pol i cy Rout i ng

Previous protocols such as the Exterior Gateway Protocol (EGP)[3] embodied a limited notion
of policy andADs. Inparticular, autonomous systemboundaries constrainedthe owof routing
database information, and only indirectly aected the owof packets themselves. W e consider
anAdministrative Domain(AD) to be aset of hosts andnetworkresources (gateways, links, etc.)
that is governedbycommonpolicies. Inlargeinternets that cross organizationboundaries, e.g., the
ResearchInternet, inter-ADroutes must be selected according to policy-related parameters such
as cost andaccess rights, inadditiontothe traditional parameters of connectivityandcongestion.
In other words, Policy Routing (PR) is needed to navigate through the complex web of policy
boundaries created by numerous interconnectedADs. M oreover, eachADhas its own privileges
andperspective andtherefore must make its ownevaluationof legal andpreferredroutes. Eorts
are nowunderway to develop a newgeneration of routing protocol that will alloweach ADto
independentlyexpress andenforce policies regarding the owof packets to, from, andthroughits
resources[4]. 4
The purpose of this paper is toarticulate the requirements for suchpolicybasedrouting. Two
critical assumptions will shape the type of routingmechanismthat is devised:

 The topological organizationof ADs, and

 The type andvariabilityof policies expressedbyADs.

Wemakeuse of the policies expressedbyowners of current ResearchInternet resources andprivate

networks connectedtothe ResearchInternet togeneralize types of policies that must besupported.
This topdowneort must be done withattentiontothe technical implications of the policystate-
ments if theresult is tobeuseful inguidingtechnical development. For example, someADs express
the desire to enforce local constraints over howpackets travel to their destination. Other ADs are
onlyconcernedwithpreventinguse of their ownnetworkresources byrestrictingtransit. Still other
ADs are concernedprimarilywithrecoveringthe expense of carryingtracandprovidingfeedback
tousers sothat users will limit their owndata ows; inother words theyare concernedwithcharg-
ing. W e refer toADs whose primaryconcernis communicationtoandfromhosts withintheir AD
as st ub andto ADs whose primary concernis carrying packets to andfromother ADs as t ransi t .
If we address control of transit alone, for example, the resulting mechanisms will not necessarily
allowanADtocontrol the owof its packets fromsource todestination, or toimplement exible
charging schemes. 5 O ur purpose is to articulate a comprehensive set of requirements for PRas
input tothe functional specication, andevaluation, of proposedprotocols.
4 These i ssues are under i nvesti gati on by the I AB Autonomous Networks Research Group and the I AB Open

Routi ng Worki ng Group. For f urther i nf ormati on contact the author.

5
Gene Tsudi k uses the anal ogy of i nternati onal travel to express the need f or source and transi t control s. Each
country expresses i ts own pol i ci es about travel to and through i ts l and. Travel through one country en route to
another i s anal ogous to transi t trac i n the network worl d. Atravel er col l ects pol i cy i nf ormati on f romeach of the
countri es of i nterest and pl ans an i ti nerary that conf orms to those pol i ci es as wel l as the pref erences of the travel er
and hi s/her home nati on. Thus there i s both source and transi t regi on control of routi ng.

Estrin [Page 3]
RFC1125 Pol i cy Requi r ement s November 1989

3 Background
The Research I nt ernet2 has evolvedfromasinglebackbonewideareanetworkwithmanyconnected
campus networks, to aninternet withmultiple cross-countrybackbones, regional access networks,
and a profusion of campus networks. At times during its development the Research Internet
topologyappearedsomewhat chaotic. Overlappingfacilities andlateral (as opposedtohierarchical)
connections seemedtobethe rulerather thanthe exception. TodaytheResearchInternet topology
is becoming more regular throughcoordinationof agency investment andadoptionof a hierarchy
similar to that of the telephone networks'. The result is several overlapping wide area backbones
connectedtoregional networks, whichinturnconnect tocampus networks at universities, research
laboratories, andprivate companies. However, the telephone networkhas lateral connections only
at the highest level, i.e., betweenlong haul carriers. In the ResearchInternet there exist lateral
connections at eachlevel of the hierarchy, i.e., betweencampus (andregional) networks as well.
Additional complexityis introducedintheResearchInternet byvirtue of connections toprivate
networks. M anyprivate companies are connectedtothe ResearchInternet for purposes of research
or support activities. These private companies connect in the same manner as campuses, via a
regional networkor vialateral links toother campuses. However, manycompanies have their own
privatewide areanetworks whichphysicallyoverlapwithbackbone and/or regional networks inthe
researchinternet, i.e., private vertical bypass links.
Implicit inthis complextopology are organizational boundaries. These boundaries dene Ad-
ministrative Domains (ADs) whichpreclude the impositionof a single, centralizedset of policies
onall resources. The subject of this paper is the policyrequirements for resource usage control in
the ResearchInternet.
Inthe remainder of this sectionwe describe the policyrouting probleminverygeneral terms.
Section 4 examines the constraints and requirements that makes the problemchallenging, and
leads us to conclude that a newgeneration of routing and resource control protocols are needed.
Section5 provides more detail onour assumptions as to the future topologyandcongurationof
interconnectedADs. W e returnto the subject of policyrequirements inSection6 andcategorize
the dierent types of policies that ADs in the research internet may want to enforce. Included
in this section are examples of FRICC 3 policy statem ents. Section 7 identies types of policy
statements that are problematic to enforce due to their dynamics, granularity, or performance
implications. Several proposed mechanisms for supporting PR(including RFCs 827, 1102, 1104,
1105) are discussed brie y in Section 8. Future RFCs will elaborate on the architecture and
protocols neededtosupport the requirements presentedhere.
2
The termResearch I nternet ref ers to a col l ecti on of government, uni versi ty, and some pri vate company, networks
that are used by researchers to access shared computi ng resources (e. g. , supercomputers), and f or research rel ated
i nf ormati on exchange (e. g. , di stri buti on of sof tware, techni cal documents, and emai l ). The networks that make up
the Research I nternet run the DODI nternet Protocol [ 1] .
3
The Federal Research I nternet Coordi nati ng Commi ttee (FRI CC) i s made up of representati ves of each of the
maj or agenci es that are i nvol ved i n networki ng. They have been very eecti ve i n coordi nati ng thei r eorts to el i mi nate
i neci ent redundancy and have proposed a pl an f or the next 10 years of i nternetworki ng f or the government, sci enti c,
and educati on communi ty[ 2] .

Estrin [Page 2]
NetworkW orkingGroup D. Estrin
Request for Comments: 1125 U.S.C. Computer Science Department
Novem
ber 1989

Pol i cy Requi rements for Inter Admi ni strati ve Domai n Routi ng

1 Status of thi s Memo

The purpose of this memois tofocus discussiononparticular problemsintheInternet andpossible
methods of solution. No proposed solutions in this document are intended as standards for the
Internet. Rather, it is hopedthat a general consensus will emerge as to the appropriate solution
to suchproblems, leading eventuallyto the development andadoptionof standards. Distribution
of this memois unlimited.

2 Abstract
Eorts are nowunderway to develop a newgeneration of routing protocol that will alloweach
Administrative Domain(AD) inthe growing Internet (andinternets ingeneral) to independently
express andenforce policies regardingthe owof packets to, from,andthroughits resources. 1 This
document articulates the requirements for policybasedroutingandshouldbe usedas input tothe
functional specicationandevaluationof proposedprotocols.
Two critical assumptions will shape the type of routing mechanismthat is devised: (1) the
topological organizationof ADs, and(2) thetypeandvariabilityof policies expressedbyADs. After
justifying our assumptions regarding ADtopologywe present a taxonomy, andspecic examples,
of policies that must be supported by a PRprotocol. W e conclude with a brief discussion of
policyrouting mechanisms proposedinprevious RFCs (827, 1102, 1104, 1105). Future RFCs will
elaborate onthe architecture andprotocols neededtosupport the requirements presentedhere.
1
The materi al presented here i ncorporates di scussi ons hel d wi th members of the I AB Autonomous Networks
Research Group and the Open Routi ng Worki ng Group.

Estrin [Page 1]