Professional Documents
Culture Documents
Security Considerations
This memodoes not address the securityaspects of the issues discussed.
Author's Address
DeborahEstrin
Universityof SouthernCalifornia
Computer Science Department
Los Angeles, CA90089-0782
Phone: (213) 743-7842
EMail: Estrin@OBERON.USC.EDU
References
[1] J. Postel, Internet Prot ocol, Network Infor mat ion Cent er , RFC 791, September 1981.
[2] G. Vaudreuil, The Federal Research I nt ernet Coordinat i ng Commi t t ee and t he Nat i onal Re-
search Net work, ACM SI G Comput er Communi cat i ons Revi ew, April 1988.
[3] E. Rosen, Ext eri or Gat eway Prot ocol (EGP), Net wor k I nf or mat i on Cent er , RFC 827,
October 1982.
[4] D. Clark, Pol i cy Rout i ng i n I nt ernet Prot ocol s , Net wor k I nf or mat i on Cent er , RFC1102,
May1989.
[5] H.W.Braun, Model s of Pol i cy Based Rout i ng , Net wor k I nf or mat i on Cent er , RFC 1104,
June 1989.
[6] K. Lougheed, Y. Rekhter, A Border Gat eway Prot ocol , Net wor k I nf or mat i on Cent er , RFC
1105, June 1989.
source routing. 12 13
9 Summary
Along with the emergence of very high speed applications and media, resource management has
becomeacritical issue inthe ResearchInternet andinternets ingeneral. Afundamental character-
istic of the resource management problemis allowing administrativelyADs to interconnect while
retainingcontrol over resource usage. However, wehavelackedacareful articulationof the types of
resource management policies that needtobesupported. This paper addresses policyrequirements
for the ResearchInternet. After justifyingour assumptions regardingADtopologywe presenteda
taxonomyandexamples of policies that must be supportedbyaPRprotocol.
10 Acknowledgments
Members of the Autonomous Networks ResearchGroupandOpenRouting W orking Grouphave
contributedsignicantlytothe ideas presentedhere, inparticular, GuyAlmes, Lee Breslau, Scott
Brim, Dave Clark, Marianne Lepp, andGene Tsudik. Inaddition, Lee BreslauandGene Tsudik
provided detailed comments on a previous draft. David Cheriton inadvertently caused me to
write this document. SharonAnderson's contributions deserve special recognition. The author is
supportedbyresearchgrants fromNational Science Foundation, AT&T, andGTE.
12
Moreover, the source routing approach loosens the requi rements for every AD to share a compl ete vi ew of the
enti re i nternet by al l owi ng the source to detect routi ng l oops.
13
The match between RFC1102 and the requi rements speci ed i n thi s document i s hardl y a coi nci dence si nce
Cl ark's paper and di scussi ons wi th hi mcontri buted to the requi rements f ormul ati on presented here. Hi s work i s
currentl y bei ng eval uated and rened by the ANRG and ORWG.
is that access to an ADat any point in time is contingent upon a local, highly dynamic,
parameter that is not globally available. Therefore such a policy termcould well result
in looping, oscillations, and excessive route (re)computation overhead, both unacceptable.
Consequently, this is one type of policy that routing experts suggest would be dicult to
support inaverylarge decentralizedinternetwork.
Granularity can also be problematic, but not as devistating as highly dynamic PRcontin-
gencies. Here the caution is less specic. Very ne grain policies, which restrict access to
particular hosts, or are contingent upon very ne grain user class identication, may be
achievedmore ecientlywithnetworklevel access control[11] or endsystemcontrols instead
of burdeningthe inter-ADroutingmechanism.
Securityis expensive, as always. Routing protocols are subject to fraud throughimperson-
ation, data substitution, and denial of service. Some of the proposed mechanisms provide
some means for detection and non-repudiation. However, to achieve a priori preventionof
resourcemisuse is expensiveintermsof per connectionor per packet cryptographic overhead.
For some environments we rmlybelieve that this will be necessaryandwe wouldprefer an
architecture that wouldaccommodate suchvariability[12].
Ingeneral, it is dicult to predict the impact of anyparticular policyterm. Tools will be needed
toassist people inwritingandvalidatingpolicyterms.
8 Proposed mechanisms
Previous routing protocols have addressed a narrower denition of PR, as appropriate for the
internets of their day. Inparticular, EGP[3], DGP[13], andBGP[6] incorporate anotionof policy
restrictions as towhere routingdatabase informationtravels. None are intendedtosupport policy
basedroutingof packetsas describedhere. M orerecentroutingproposals suchas Landmark[14] and
Cartesian[15] couldbe usedtorestrict packet forwardingbut are not suitedtosource/destination,
and some of the condition-oriented, policies. W e feel these policy types are critical to support.
We note that for environments (e.g., withinanADsubstructure) inwhichthe simple-AD-topology
conjecture holds true, these alternatives maybe suitable.
RFC1104[5] provides a good descriptionof shorter termpolicy routing requirements. Braun
classies three types of mechanisms, policy based distributionof route information, policy based
packet forwarding, and policy based dynamic allocation of network resources. The second class
is characterizedbyDave Clark's PRarchitecture, RFC1102[4]. W ithrespect to the longer term
requirements laidout inthis document, onlythis secondclass is expressive and
exible enoughto
support the multiplicityof stubandtransit policies. Inother words, the power of the PRapproach
(e.g., RFC1102) is not just in the added granularity of control pointed out by Braun, i.e., the
abilitytospecifyparticular hosts anduser classes. Its power is inthe abilitytoexpress andenforce
manytypes of stubandtransit policies andapplythemonadiscriminatorybasis todierent ADs.
Inaddition, this approachprovides explicit support for stubADs to control routes via the use of
Regi onal B
Currently commercial communication services play a lowlevel role in most parts of today's Re-
search Internet; they provide the transmission media, i.e., leased lines. In the future we expect
commercial carriers to provide increasinglyhigher level andenhancedservices suchas highspeed
packet switchedbackbone services. Because suchservices are not yet part of the ResearchInternet
infrastructure there exist no policystatements.
Chargingandaccountingare certaintobe animportant policytype inthis context. M oreover,
we anticipate the longhaul services market tobe highlycompetitive. This implies that competing
service providers will engage in signicant gaming in terms of packaging and pricing of services.
Consequently, the abilityto express variedanddynamic chargingpolicies will be critical for these
ADs.
Non-interference policies are of the form\I will provide access for principals x to resources
y so long as it does not interfere with my internal usage." The problemwith suchpolicies
no n 0i n t e r f e r e n c e ba s i s gfg]
1. DCAwill not carry any transit trac. It will only accept and send trac to and fromits
mailbridge(s) and only fromand to hosts onother F/Re nets. All packets are markedand
chargedfor bythe kilopacket.
[DC A1: (ma i l b r i d g e ; DC A; 0)(3; fF = Re g; fF = Re g)fr e s e a r c h; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; a l l i n c o mi n g p a c k e t s ma r k e d ; p e r 0 k i l o p a c k e t c h
Regi onal A
1. Nasa will accept any trac to/frommembers of the Nasa AD. But no transit. No UCI
authenticationandnoper packet charge.
[N AS A1: (3; 3; 3)(3; N a s a ; 0)fN a s a 0r e s e a r c h ; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; no 0 p e r 0 p a c k e t 0 c ha r g e gfg]
2. Nasa will carry transit trac to/fromother federal agency networks if it is in support of
research, andif the total use of available BWby non-nasa Federal agencies is belownnon-
interference policy type needs some more work in terms of integrating it into the routing
algorithms. See Section7.
[N AS A2: (3; fF g; 3)(3; fF g; 3)fr e s e a r c h ; s u p p o r t g
fp e r 0p a c k e t a c c o u n t i n g ; l i mi t e d t o n %o f a va i l a b l e BW gfg]
3. NASAwill carry commercial trac to federal and regional and university ADs for nasa
researchor support. But it will not allowtransit. The particular entryADis not important.
[N AS A3: (3; fC o g; 3g(3; fF = R= U g; 3)fN AS Ar e s e a r c h ; s up p o r t g
f u n a u t h e n t i c a t e d U CI ; no p e r p a c k e t c ha r g e gfg]
4. Onacase bycase basis NASAmayprovideaccess toits resources onacost reimbursedbasis.
Transit trac will not be carriedonthis basis.
[N AS A4: (3; 3; 0)(3; 3; 0)fg
fp e r 0p a c k e t 0c h a r g e ; l i mi t e d t o n %o f a v a i l a b l e BW gfg]
for Regional, Ufor University, Cofor Commercial Corporation, andCc for Commercial Carrier. A
hyphen, -, means noapplicable matches.
ByexaminingaPTwecanidentifythetypeof policyrepresented, asper thetaxonomypresented
earlier.
If anADspecies apolicytermthat has anull (-) entryfor the ADexit, thenit is disallowing
transit for some groupof users, andit is atransit policy.
If anADspecies apolicytermthat lists itself explicitlyas ADsrc or ADdst, it is expressing
restrictions on who can access particular resources within its boundaries, or on who inside
canobtainexternal access. Inother words the ADis expressingasource/destinationpolicy.
If ADexit or ADentr is speciedthenthe policyexpressedis anexit/entrance pathpolicy.
If the global conditions include charging, QOS, resource guarantee, time of day, higher level
application, resource limit, or authenticationrelatedinformationit is obviously a charging,
QOS, resource guarantee, temporal, higher level application, resource limit, or authentication
policy, respectively.
6. 3. 1 The FRI CC
Inthe followingexamples all policies (andPTs) are symmetrical under the assumptionthat com-
municationis symmetrical.
1. NSFwill carry trac for any host connected to a F/Re network talking to any other host
connectedtoaF/Re viaanyF/Re entryandexit network, solongas there is it is beingused
for researchor support. There is no authenticationof the UCI andno per packet charging.
NSFnet is abackbone andsodoes not connect directlytouniversities or companies...thus the
indicationof fF/Reg insteadof fF/Re/U/Cog as ADent andADexit.
[N S F 1: (3; fF = Re g; fF = Re g)(3; fF = Re g; fF = Re g)fr e s e a r c h ; s up p o r t g
fu n a u t h e n t i c a t e d U C I ; n o 0p e r 0p k t c h a r g e gfg]
2. NSFwill carry trac to user and expert services hosts in NSFADto/fromanyF/Re AD,
viaanyF/Re AD. These are the onlythings that directlyconnect toNSFnet.
[N S F 2: (fU s e r s v c s ; E xp e r t S v c s g; fN S F g; fF = Re g)(3; f
F = Re g f0g)fgfgfg]
;
The enforcement of these policies maybe carriedout during route synthesis or route selection[4]
The following policy statements were collected in the fall of 1988 through interviews with rep-
resentatives of the federal agencies most involved in supporting internetworking. Once again we
emphasizethat theseare not oci al pol i cy st at ement s . Theyarepresentedheretoprovideconcrete
examples of the sort of policies that agencies wouldlike toenforce.
Expr es s i ng pol i ci es as Pol i cy Ter ms ( PTs ) Each policy is described in English and then
expressed in a pol i cy t erm(PT) notation suggested by Dave Clark in [4]. EachPTrepresents a
distinct policyof the ADthat synthesizedit. The format of aPTis:
[(H src; ADsrc ; ADent); (Hdst ; ADdst ; ADexit ); U C I ; C g ; C b ]
Hsrc stands for source host, ADsrc for source AD, ADent for entering AD(i.e., neighboring
ADfromwhichtrac is arriving directly), Hdst for destinationhost, ADdst for destinationAD,
ADexit for exit AD(i.e., neighboring ADto which trac is going directly), UCI for user class
identier, and Cg andCb for global andbilateral conditions, respectively. The purpose of a PT
is to specify that packets fromsome host, H src , (or a groupof hosts) ina source A D, AD src , are
allowed to enter the ADin question via some directly connected AD, AD ent , and exit throu
gh
another directly connectedAD, AD exi t , onits w ayto a host, H dst , (or a groupof hosts) insom e
destinationAD, AD dst . User Class Identier (UCI) allows for distinguishingbetweenvarious user
classes, e.g., Government, Research, Commercial, Contract, etc. Global Conditions (Cg) represent
billing and other variables. Bilateral Conditions (Cb) relate to agreements between neighboring
ADs, e.g., relatedto metering or charging. Inthe example policy terms providedbelowwe make
use of the following abbreviations: Fricc for fDOE,NASA,DCA,NSFg, Ffor Federal Agency, Re
reject a route based on any AD(or combinationof ADs) in the route. Similarly, a transit
ADcouldexpress apacket forwardingpolicythat behaves dierentlydependinguponwhich
ADs apacket has passedthrough, andis going topass through, enroute tothe destination.
Less ambitious (andperhaps more reasonable) pathsensitivepolicies might onlydiscriminate
accordingtothe immediate neighbor ADs throughwhichthe packet is traveling(i.e., astub
network could reject a route based on the rst transit ADin the route, and a transit AD
couldexpress apacket forwardingpolicythat depends upontheprevious, andthesubsequent,
transit ADs inthe route.)
Qual i t y/Type of Ser vi ce ( QOS or TOS)
This type of policy restricts access to special resources or services. For example, a special
highthroughput, lowdelaylinkmaybe made available onaselective basis.
Res our ce Guar ant ee
These policies provide aguaranteedpercentage of aresource onaselective, as neededbasis.
Inother words, the resource canbe usedbyothers if the preferred-AD's oeredloadis below
the guaranteedlevel of service. The guarantee maybe toalways carryintra-ADtrac or to
always carryinter-ADtrac for aspecic AD.
Tempor al
Temporal policies restrict usage basedonthe time of dayor other time relatedparameters.
Hi gh Level Pr ot ocol
Usage may be restricted to a specic high level protocol suchas mail or le transfer. (Al-
ternatively, suchpolicies canbe implementedas source/destinationpolicies byconguring a
host(s) withinanADas anapplicationrelayandcomposingpolicytermsthat allowinter-AD
access toonlythat host.)
Res our ce l i mi t
There maybe alimit onthe amount of tracloadasource maygenerate duringaparticular
time interval, e.g., somanypackets inaday, hour, or minute.
Aut hent i cat i on r equi r ement s
Conditions may be speciedregarding the authenticabilityof principal identifying informa-
tion. Some ADs might require some formof cryptographic proof as to the identity and
aliations of the principal before providingaccess tocritical resources.
The above policy types usually exist in combination for a particular AD, i.e., an AD's policies
might express a combinationof transit, source/destination, andQOSrestrictions. This taxonomy
will evolve as PRis appliedto other domains.
As will be seen in Section 6.3 an ADcan express its charging and access policies in a single
syntax. M oreover, both stuband transit policies cancoexist. This is important since some ADs
operate as bothstubandtransit facilities andrequire suchhybridcontrol.
Estrin [Page 9]
RFC1125 Pol i cy Requi r ement s November 1989
6 Pol i cy types
This section outlines a taxonomy of internet policies for inter-ADtopologies that allowlateral
and bypass links. The taxonomy is intended to cover a wide range of ADs and internets. Any
particular PRarchitecture we designshouldsupport a signicant subset of these policytypes but
may not support all of themdue to technical complexity and performance considerations. The
general taxonomyis important input toafunctional specicationfor PR. Moreover, it canbe used
to evaluate and compare the suitability and completeness of existing routing architectures and
protocols for PR; see Section8.
W
e provide examples fromthe ResearchInternet of the dierent policy types in the formof
resource usage policystatements. These statements were collectedthroughinterviews withagency
representatives, but they do not represent ocial policy. These sample policy statements should
not be interpretedas agencypolicy, theyare providedhere onlyas examples.
Internet policies fall into two classes, access and charging. Access policies specify who can
use resources andunder what conditions. Charging policies specifythe metering, accounting, and
billingimplementedbyaparticular AD.
We have identiedthe followingtypes of access policies that ADs maywishto enforce. Charging
policies are described in the subsequent section. Section 6.3 provides more specic examples of
bothaccess andchargingpolicies usingFRICCpolicystatements .
Access policies typically are expressed in the form: pri nci pal s of t ype x can have access t o
resources of t ype y under t he f ol l owi ng condi t i ons, z . The policies are categorizedbelowaccording
to the denitionof yandz. Inanyparticular instance, eachof the policytypes wouldbe further
qualiedbydenitionof legitimate principals, x, i.e., what characteristics xmust have inorder to
access the resource inquestion.
We refer to access policies described by stub and transit ADs. The two roles imply dierent
motivations for resource control, however the types of policies expressedare similar; we expect the
supportingmechanismstobe commonas well.
Stubandtransit access policies mayspecifyanyof the followingparameters:
Estrin [Page 8]
RFC1125 Pol i cy Requi r ement s November 1989
the complexcase, lateral connections must be supported, along withthe means to control the use
of suchconnections inthe routing protocols.
The dierent topologies imply dierent policy requirements. The rst model assumes that
all policies canbe expressed andenforced in terms of dollars and cents and distributed charging
schemes. Thesecondmodel assumes that ADswantmorevariedcontrol overtheir resources, control
that can not be captured in a dollars and cents metric alone. W e describe the types of policies
to be supported andprovide examples inthe following section, Section6. In brief, givenprivate
lateral links, ADs must be able to express access andcharging relatedrestrictions andprivileges
that discriminate onanADbasis. These policies will be diverse, dynamic, andnewrequirements
will emerge over time, consequentlysupport must be extensible. For example, the packagingand
chargingschemes of anysingle longhaul service will varyover timeandmaybe relativelyelaborate
(e.g., manytiers of service, special package deals, to achieve price discrimination).
Note that these assumptions about complexity do not preclude some collection of ADs from
\negotiatingaway"their policydierences, i.e., formingafederation, andcoordinatingasimplied
inter-ADconguration in order to reduce the requirements for inter-ADmechanisms. However,
we maintain that there will persist collections of ADs that will not and can not behave as a
single federation; both in the researchcommunityand, evenmore predominantly, in the broader
commercial arena. M oreover, when it comes to interconnecting across these federations, non-
negotiable dierences will arise eventually. It is our goal todevelopmechanismsthat are applicable
inthe broader arena.
The Internet communitydevelopedits original protocol suite withonly minimal provisionfor
resource control[9]. This was appropriate at the time of development basedonthe assumedcom-
munity(i.e., researchers) andthe groundbreaking nature of the technology. The next generation
of network technology is nowbeing designed to take advantage of high speed media andto sup-
port highdemandtracgeneratedbymore powerful computers andtheir applications.[10] As with
TCP/IPwehope that the technologybeingdevelopedwill nditself appliedoutside of the research
community. This time it wouldbe inexcusable toignore resource control requirements andnot to
paycareful attentiontotheir specication.
Finally, welookforwardtothe Internet structure takingadvantageof economies of scaleoered
by enhanced commercial services. However, in many respects the problemthat stub-ADs may
thus avoid, will be faced by the multiple regional and long haul carriers providing the services.
The carriers' charging and resource control policies will be complex enough to require routing
mechanisms similar to ones being proposed for the complex ADtopology case described here.
Whether the networkstructure is basedonprivate or commercial services, the goal is toconstruct
policysensitive mechanismsthat will be transparent toendusers (i.e., the mechanismsare part of
the routinginfrastructure at the networklevel, andnot anendtoendconcern).
expect pri vate data networks to persi st f or the near f uture. As the tel ephone compani es begi n to i ntroduce the next
generati on of hi gh speed packet swi tched servi ces, the scenari o shoul d change. However, we mai ntai n that the resul t
wi l l be a predomi nance, but not compl ete domi nance, of publ i c carri er use f or l ong haul communi cati on. Theref ore,
pri vate data networks wi l l persi st and the routi ng archi tecture must accommodate control l ed i nterconnecti on.
Estrin [Page 7]
RFC1125 Pol i cy Requi r ement s November 1989
to topology and policy. They contend that in the long termthe following three conditions will
prevail:
Compl ex AD t opol ogy and pol i cy model The counter argument is that a more complex
ADtopologywill persist. 10 The dierent assumptions about ADtopologyleadtothe signicantly
dierent assumptions about ADpolicies.
This model assumes that the topology of ADs will in many respects agree with the previous
model of increasedcommercial carrier participationandresultinghierarchical structure. However,
weanticipateunavoidable andpersistent exceptions tothe hierarchy. W e assumethat there will be
arelativelysmall number of longhaul transit ADs (onthe order of 100), but that theremaybe tens
of thousands of regional ADs andhundreds of thousands of stubADs (e.g., campuses, laboratories,
andprivatecompanies). The competinglonghaul oerings will dier, bothinthe services provided
andin their packaging andpricing. Regional networks will overlapless and will connect campus
andprivate companynetworks. However, manystub-ADs will retainsomeprivate lateral links for
political, technical, andreliabilityreasons. For example, political incentives cause organizations to
invest inbypass links that are not always justiable ona strict cost comparisonbasis; specialized
technical requirements cause organizations to invest in links that have characteristics (e.g., data
rate, delay, error, security) not available frompublic carriers at a competitive rate; and critical
requirements cause organizations toinvest inredundant backuplinks for reliabilityreasons. These
exceptions to the otherwise regular topology are not dispensible. They will persist and must be
accommodated, perhaps at the expense of optimality; see Section5 for more detail. In addition,
manyprivate companies will retaintheir ownprivate longhaul networkfacilities. 11 Critical dier-
ences betweenthe twomodels followfromthe dierence inassumptions regardingADtopology. In
10
Much of the remai nder of thi s paper attempts to justi f y and provi de evi dence f or thi s statement.
11
Whi l e pri vate voi ce networks al so exi st, pri vate data networks are more common. Voi ce requi rements are more
standardi zed because voi ce appl i cati ons are more uni f ormthan are data appl i cati ons, and theref ore the commerci al
servi ces more of ten have what the voi ce customer wants at a pri ce that i s competi ti ve wi th the pri vate network
opti on. Data communi cati on requi rements are sti l l more speci al i zed and dynami c. Thus, there i s l ess opportuni ty f or
economy of scal e i n servi ce oeri ngs and i t i s harder to keep up to date wi th customer demand. For thi s reason we
Estrin [Page 6]
RFC1125 Pol i cy Requi r ement s November 1989
laboratory. They reside in a campus ADalong with users who are legitimate users of other AD
resources. M oreover, any one person may be a legitimate user of multiple ARresources under
varying conditions andconstraints (see examples insection6). Inaddition, users canmove from
one ADto another. In other words, a user's rights can not be determined solely based on the
ADfromwhich the user's communications originate. Consequently, PRmust not only identify
resources, it must identify pri nci pal s 8 andassociate dierent capabilities andrights w
ithdierent
principals.
One wayof reducingthe compromise of autonomyassociatedwithinterconnectionis toimple-
ment mechanisms that assure account abi l i t y for resources used. Accountabilitymaybe enforceda
priori, e.g., access control mechanisms applied before resource usage is permitted. Alternatively,
accountabilitymaybe enforcedafter the fact, e.g., recordkeepingor meteringthat supports detec-
tionandprovides evidence tothirdparties (i.e., non-repudiation). Accountabilitymechanismscan
also be usedto provide feedbackto users as to consumptionof resources. InternallyanADoften
decides todoawaywithsuchfeedbackunder the premise that communicationis aglobal goodand
shouldnot be inhibited. There is not necessarilya\global good"across ADboundaries. Therefore,
it becomes more appropriatetohaveresource usage visible tousers, whether or not actual charging
for usage takes place. Another motivationthat drives theneedfor accountabilityacross ADbound-
aries is the greater variabilityinimplementations. Dierent implementations of a single network
protocol canvarygreatlyas totheir eciency[8]. W e cannot assume control over implementation
across ADboundaries. Feedbackmechanismssuchas metering(andcharginginsomecases) would
introduce aconcrete incentivefor ADs toemployecient andcorrect implementations. PRshould
allowanADtoadvertise andapplysuchaccountingmeasures to inter-ADtrac.
Insummary, the lackof global authority, the needtosupport networkresource sharingas well
as networkinterconnection, the complexanddynamic mappingof users toADs andrights, andthe
needfor accountabilityacross ADs, are characteristics of inter-ADcommunications whichmust be
takenintoaccount inthe designof bothpolicies andsupportingtechnical mechanisms.
Si mpl e AD t opol ogy and pol i cy model Some members of the Internet community believe
that the current complextopologyof interconnectedADs is atransient artifact resultingfromthe
evolutionarynature of the ResearchInternet's history. 9 T he critical points of this argument relate
8
The termpri nci pal i s taken f romthe computer securi ty communi ty[7].
9
Davi d Cheri ton of Stanf ord Uni versi ty arti cul ated thi s si de of the argument at an Internet workshop i n Santa
Cl ara, January, 1989.
Estrin [Page 5]
RFC1125 Pol i cy Requi r ement s November 1989
Complications also result fromthe fact that legitimate users of an AD's resources are not
all located in that AD. M any users (and their computers) who are funded by, or are aliated
with, a particular agency's programreside within the ADof the user's university or research
6
Another di erence i s that i n the i nterconnect case, trac travel i ng over ADA' s network resources al ways has a
member of ADAas i ts source or desti nati on (or both). Under resource shari ng arrangements members of both ADA
and B are connected to the same resources and consequentl y i ntra-ADtrac (i . e. , packets sourced and desti ned f or
members of the same AD) travel s over the resources. Thi s di sti ncti on i s rel evant to the wri ti ng of pol i ci es i n terms
of pri nci pal al i ati on.
7
Economi es of scal e i s one moti vati on f or resource shari ng. For exampl e, i nstead of i nterconnecti ng separatel y
to several i ndependent agency networks, a campus network may i nterconnect to a shared backbone f aci l i ty. Today,
i nterconnecti on i s achi eved through a combi nati on of AD speci c and shared arrangements. We expect thi s mi xed
si tuati on to persi st f or \wel l - connected" campuses f or reasons of pol i ti cs, economi cs, and f uncti onal i ty (e. g. , di erent
characteri sti cs of the di erent agency- networks). See Secti on 5 f or more di scussi on.
Estrin [Page 4]
RFC1125 Pol i cy Requi r ement s November 1989
3. 1 Pol i cy Rout i ng
Previous protocols such as the Exterior Gateway Protocol (EGP)[3] embodied a limited notion
of policy andADs. Inparticular, autonomous systemboundaries constrainedthe
owof routing
database information, and only indirectly aected the
owof packets themselves. W e consider
anAdministrative Domain(AD) to be aset of hosts andnetworkresources (gateways, links, etc.)
that is governedbycommonpolicies. Inlargeinternets that cross organizationboundaries, e.g., the
ResearchInternet, inter-ADroutes must be selected according to policy-related parameters such
as cost andaccess rights, inadditiontothe traditional parameters of connectivityandcongestion.
In other words, Policy Routing (PR) is needed to navigate through the complex web of policy
boundaries created by numerous interconnectedADs. M oreover, eachADhas its own privileges
andperspective andtherefore must make its ownevaluationof legal andpreferredroutes. Eorts
are nowunderway to develop a newgeneration of routing protocol that will alloweach ADto
independentlyexpress andenforce policies regarding the
owof packets to, from, andthroughits
resources[4]. 4
The purpose of this paper is toarticulate the requirements for suchpolicybasedrouting. Two
critical assumptions will shape the type of routingmechanismthat is devised:
Estrin [Page 3]
RFC1125 Pol i cy Requi r ement s November 1989
3 Background
The Research I nt ernet2 has evolvedfromasinglebackbonewideareanetworkwithmanyconnected
campus networks, to aninternet withmultiple cross-countrybackbones, regional access networks,
and a profusion of campus networks. At times during its development the Research Internet
topologyappearedsomewhat chaotic. Overlappingfacilities andlateral (as opposedtohierarchical)
connections seemedtobethe rulerather thanthe exception. TodaytheResearchInternet topology
is becoming more regular throughcoordinationof agency investment andadoptionof a hierarchy
similar to that of the telephone networks'. The result is several overlapping wide area backbones
connectedtoregional networks, whichinturnconnect tocampus networks at universities, research
laboratories, andprivate companies. However, the telephone networkhas lateral connections only
at the highest level, i.e., betweenlong haul carriers. In the ResearchInternet there exist lateral
connections at eachlevel of the hierarchy, i.e., betweencampus (andregional) networks as well.
Additional complexityis introducedintheResearchInternet byvirtue of connections toprivate
networks. M anyprivate companies are connectedtothe ResearchInternet for purposes of research
or support activities. These private companies connect in the same manner as campuses, via a
regional networkor vialateral links toother campuses. However, manycompanies have their own
privatewide areanetworks whichphysicallyoverlapwithbackbone and/or regional networks inthe
researchinternet, i.e., private vertical bypass links.
Implicit inthis complextopology are organizational boundaries. These boundaries dene Ad-
ministrative Domains (ADs) whichpreclude the impositionof a single, centralizedset of policies
onall resources. The subject of this paper is the policyrequirements for resource usage control in
the ResearchInternet.
Inthe remainder of this sectionwe describe the policyrouting probleminverygeneral terms.
Section 4 examines the constraints and requirements that makes the problemchallenging, and
leads us to conclude that a newgeneration of routing and resource control protocols are needed.
Section5 provides more detail onour assumptions as to the future topologyandcongurationof
interconnectedADs. W e returnto the subject of policyrequirements inSection6 andcategorize
the dierent types of policies that ADs in the research internet may want to enforce. Included
in this section are examples of FRICC 3 policy statem ents. Section 7 identies types of policy
statements that are problematic to enforce due to their dynamics, granularity, or performance
implications. Several proposed mechanisms for supporting PR(including RFCs 827, 1102, 1104,
1105) are discussed brie
y in Section 8. Future RFCs will elaborate on the architecture and
protocols neededtosupport the requirements presentedhere.
2
The termResearch I nternet ref ers to a col l ecti on of government, uni versi ty, and some pri vate company, networks
that are used by researchers to access shared computi ng resources (e. g. , supercomputers), and f or research rel ated
i nf ormati on exchange (e. g. , di stri buti on of sof tware, techni cal documents, and emai l ). The networks that make up
the Research I nternet run the DODI nternet Protocol [ 1] .
3
The Federal Research I nternet Coordi nati ng Commi ttee (FRI CC) i s made up of representati ves of each of the
maj or agenci es that are i nvol ved i n networki ng. They have been very eecti ve i n coordi nati ng thei r eorts to el i mi nate
i neci ent redundancy and have proposed a pl an f or the next 10 years of i nternetworki ng f or the government, sci enti c,
and educati on communi ty[ 2] .
Estrin [Page 2]
NetworkW orkingGroup D. Estrin
Request for Comments: 1125 U.S.C. Computer Science Department
Novem
ber 1989
2 Abstract
Eorts are nowunderway to develop a newgeneration of routing protocol that will alloweach
Administrative Domain(AD) inthe growing Internet (andinternets ingeneral) to independently
express andenforce policies regardingthe
owof packets to, from,andthroughits resources. 1 This
document articulates the requirements for policybasedroutingandshouldbe usedas input tothe
functional specicationandevaluationof proposedprotocols.
Two critical assumptions will shape the type of routing mechanismthat is devised: (1) the
topological organizationof ADs, and(2) thetypeandvariabilityof policies expressedbyADs. After
justifying our assumptions regarding ADtopologywe present a taxonomy, andspecic examples,
of policies that must be supported by a PRprotocol. W e conclude with a brief discussion of
policyrouting mechanisms proposedinprevious RFCs (827, 1102, 1104, 1105). Future RFCs will
elaborate onthe architecture andprotocols neededtosupport the requirements presentedhere.
1
The materi al presented here i ncorporates di scussi ons hel d wi th members of the I AB Autonomous Networks
Research Group and the Open Routi ng Worki ng Group.
Estrin [Page 1]