Network Working Group D. Estrin
Request for Comments: 1125 USC Computer Science Department
November 1989
POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING
1 STATUS OF THIS MEMO
The purpose of this memo is to focus discussion on particular
problems in the Internet and possible methods of solution. No
proposed solutions in this document are intended as standards for the
Internet. Rather, it is hoped that a general consensus will emerge
as to the appropriate solution to such problems, leading eventually
to the development and adoption of standards. Distribution of this
memo is unlimited.
2 ABSTRACT
Efforts are now underway to develop a new generation of routing
protocol that will allow each Administrative Domain (AD) in the
growing Internet (and internets in general) to independently express
and enforce policies regarding the flow of packets to, from, and
through its resources. (FOOTNOTE 1: The material presented here
incorporates discussions held with members of the IAB Autonomous
Networks Research Group and the Open Routing Working Group.) This
document articulates the requirements for policy based routing and
should be used as input to the functional specification and
evaluation of proposed protocols.
Two critical assumptions will shape the type of routing mechanism
that is devised: (1) the topological organization of ADs, and (2) the
type and variability of policies expressed by ADs. After justifying
our assumptions regarding AD topology we present a taxonomy, and
specific examples, of policies that must be supported by a PR
protocol. We conclude with a brief discussion of policy routing
mechanisms proposed in previous RFCs (827, 1102, 1104, 1105). Future
RFCs will elaborate on the architecture and protocols needed to
support the requirements presented here.
3 BACKGROUND
The Research Internet has evolved from a single backbone wide area
network with many connected campus networks, to an internet with
multiple cross-country backbones, regional access networks, and a
profusion of campus networks. (FOOTNOTE 2: The term Research Internet
refers to a collection of government, university, and some private
company, networks that are used by researchers to access shared
Estrin [Page 1]
RFC 1125 Policy Requirements November 1989
computing resources (e.g., supercomputers), and for research related
information exchange (e.g., distribution of software, technical
documents, and email). The networks that make up the Research
Internet run the DOD Internet Protocol [1].) At times during its
development the Research Internet topology appeared somewhat chaotic.
Overlapping facilities and lateral (as opposed to hierarchical)
connections seemed to be the rule rather than the exception. Today
the Research Internet topology is becoming more regular through
coordination of agency investment and adoption of a hierarchy similar
to that of the telephone networks'. The result is several
overlapping wide area backbones connected to regional networks, which
in turn connect to campus networks at universities, research
laboratories, and private companies. However, the telephone network
has lateral connections only at the highest level, i.e., between long
haul carriers. In the Research Internet there exist lateral
connections at each level of the hierarchy, i.e., between campus (and
regional) networks as well.
Additional complexity is introduced in the Research Internet by
virtue of connections to private networks. Many private companies are
connected to the Research Internet for purposes of research or
support activities. These private companies connect in the same
manner as campuses, via a regional network or via lateral links to
other campuses. However, many companies have their own private wide
area networks which physically overlap with backbone and/or regional
networks in the research internet, i.e., private vertical bypass
links.
Implicit in this complex topology are organizational boundaries.
These boundaries define Administrative Domains (ADs) which preclude
the imposition of a single, centralized set of policies on all
resources. The subject of this paper is the policy requirements for
resource usage control in the Research Internet.
In the remainder of this section we describe the policy routing
problem in very general terms. Section 4 examines the constraints and
requirements that makes the problem challenging, and leads us to
conclude that a new generation of routing and resource control
protocols are needed. Section 5 provides more detail on our
assumptions as to the future topology and configuration of
interconnected ADs. We return to the subject of policy requirements
in Section 7 and categorize the different types of policies that ADs
in the research internet may want to enforce. Included in this
section are examples of FRICC policy statements. (FOOTNOTE 3: The
Federal Research Internet Coordinating Committee (FRICC) is made up
of representatives of each of the major agencies that are involved in
networking. They have been very effective in coordinating their
efforts to eliminate inefficient redundancy and have proposed a plan
Estrin [Page 2]
RFC 1125 Policy Requirements November 1989
for the next 10 years of internetworking for the government,
scientific, and education community [2].) Section 7 identifies types
of policy statements that are problematic to enforce due to their
dynamics, granularity, or performance implications. Several proposed
mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105)
are discussed briefly in Section 8. Future RFCs will elaborate on the
architecture and protocols needed to support the requirements
presented here.
Previous protocols such as the Exterior Gateway Protocol (EGP)[3]
embodied a limited notion of policy and ADs. In particular,
autonomous system boundaries constrained the flow of routing database
information, and only indirectly affected the flow of packets
themselves. We consider an Administrative Domain (AD) to be a set of
hosts and network resources (gateways, links, etc.) that is governed
by common policies. In large internets that cross organization
boundaries, e.g., the Research Internet, inter-AD routes must be
selected according to policy-related parameters such as cost and
access rights, in addition to the traditional parameters of
connectivity and congestion. In other words, Policy Routing (PR) is
needed to navigate through the complex web of policy boundaries
created by numerous interconnected ADs. Moreover, each AD has its own
privileges and perspective and therefore must make its own evaluation
of legal and preferred routes. Efforts are now underway to develop a
new generation of routing protocol that will allow each AD to
independently express and enforce policies regarding the flow of
packets to, from, and through its resources [4]. (FOOTNOTE 4: These
issues are under investigation by the IAB Autonomous Networks
Research Group and the IAB Open Routing Working Group. For further
information contact the author.)
The purpose of this paper is to articulate the requirements for such
policy based routing. Two critical assumptions will shape the type of
routing mechanism that is devised:
* The topological organization of ADs, and
* The type and variability of policies expressed by ADs.
We make use of the policies expressed by owners of current Research
Internet resources and private networks connected to the Research
Internet to generalize types of policies that must be supported. This
top down effort must be done with attention to the technical
implications of the policy statements if the result is to be useful
in guiding technical development. For example, some ADs express the
desire to enforce local constraints over how packets travel to their
destination. Other ADs are only concerned with preventing use of
Estrin [Page 3]
RFC 1125 Policy Requirements November 1989
their own network resources by restricting transit. Still other ADs
are concerned primarily with recovering the expense of carrying
traffic and providing feedback to users so that users will limit
their own data flows; in other words they are concerned with
charging. We refer to ADs whose primary concern is communication to
and from hosts within their AD as stub and to ADs whose primary
concern is carrying packets to and from other ADs as transit}. If we
address control of transit alone, for example, the resulting
mechanisms will not necessarily allow an AD to control the flow of
its packets from source to destination, or to implement flexible
charging schemes. (FOOTNOTE 5: Gene Tsudik uses the analogy of
international travel to express the need for source and transit
controls. Each country expresses its own policies about travel to and
through its land. Travel through one country enroute to another is
analogous to transit traffic in the network world. A traveler
collects policy information from each of the countries of interest
and plans an itinerary that conforms to those policies as well as the
preferences of the traveler and his/her home nation. Thus there is
both source and transit region control of routing.) Our purpose is
to articulate a comprehensive set of requirements for PR as input to
the functional specification, and evaluation, of proposed protocols.
4 WHY THE PROBLEM IS DIFFICULT
Before proceeding with our description of topology and policy
requirements this section outlines several assumptions and
constraints, namely: the lack of global authority, the need to
support network resource sharing as well as network interconnection,
the complex and dynamic mapping of users to ADs and privileges, and
the need for accountability across ADs. These assumptions limit the
solution space and raise challenging technical issues.
The purpose of policy based routing is to allow ADs to interconnect
and share computer and network resources in a controlled manner.
Unlike many other problems of resource control, there is no global
authority. Each AD defines its own policies with respect to its own
traffic and resources. However, while we assume no global authority,
and no global policies, we recognize that complete autonomy implies
no dependence and therefore no communication. The multi-organization
internets addressed here have inherent regions of autonomy, as well
as requirements for interdependence. Our mechanisms should allow ADs
to design their boundaries, instead of requiring that the boundaries
be either impenetrable or eliminated.
One of the most problematic aspects of the policy routing
requirements identified here is the need to support both network
resource sharing and interconnection across ADs. An example of
resource sharing is two ADs (e.g., agencies, divisions, companies)
Estrin [Page 4]
RFC 1125 Policy Requirements November 1989
sharing network resources (e.g., links, or gateways and links) to
take advantage of economies of scale. Providing transit services to
external ADs is another example of network resource sharing.
Interconnection is the more common example of ADs interconnecting
their independently used network resources to achieve connectivity
across the ADs, i.e., to allow a user in one AD to communicate with
users in another AD. In some respects, network resource control is
simpler than network interconnection control since the potential
dangers are fewer (i.e., denial of service and loss of revenue as
compared with a wide range of attacks on end systems through network
interconnection). However, controlled network resource sharing is
more difficult to support. In an internet a packet may travel
through a number of transit ADs on its way to the destination.
Consequently, policies from all transit ADs must be considered when a
packet is being sent, whereas for stub-AD control only the policies
of the two end point ADs have to be considered. In other words,
controlled network resource sharing and transit require that policy
enforcement be integrated into the routing protocols themselves and
can not be left to network control mechanisms at the end points.
(FOOTNOTE 6&7: Another difference is that in the interconnect case,
traffic traveling over AD A's network resources always has a member
of AD A as its source or destination (or both). Under resource
sharing arrangements members of both AD A and B are connected to the
same resources and consequently intra-AD traffic (i.e., packets
sourced and destined for members of the same AD) travels over the
resources. This distinction is relevant to the writing of policies in
terms of principal affiliation. Economies of scale is one motivation
for resource sharing. For example, instead of interconnecting
separately to several independent agency networks, a campus network
may interconnect to a shared backbone facility. Today,
interconnection is achieved through a combination of AD specific and
shared arrangements. We expect this mixed situation to persist for
"well-connected" campuses for reasons of politics, economics, and
functionality (e.g., different characteristics of the different
agency-networks). See Section 5 for more discussion.)
Complications also result from the fact that legitimate users of an
AD's resources are not all located in that AD. Many users (and their
computers) who are funded by, or are affiliated with, a particular
agency's program reside within the AD of the user's university or
research laboratory. They reside in a campus AD along with users who
are legitimate users of other AD resources. Moreover, any one person
may be a legitimate user of multiple AR resources under varying
conditions and constraints (see examples in Section 6). In addition,
users can move from one AD to another. In other words, a user's
rights can not be determined solely based on the AD from which the
user's communications originate. Consequently, PR must not only
identify resources, it must identify principals and associate
Estrin [Page 5]
RFC 1125 Policy Requirements November 1989
different capabilities and rights with different principals. (The
term principal is taken from the computer security community[7].)
One way of reducing the compromise of autonomy associated with
interconnection is to implement mechanisms that assure
accountability} for resources used. Accountability may be enforced a
priori, e.g., access control mechanisms applied before resource usage
is permitted. Alternatively, accountability may be enforced after
the fact, e.g., record keeping or metering that supports detection
and provides evidence to third parties (i.e., non-repudiation).
Accountability mechanisms can also be used to provide feedback to
users as to consumption of resources. Internally an AD often decides
to do away with such feedback under the premise that communication is
a global good and should not be inhibited. There is not necessarily a
"global good" across AD boundaries. Therefore, it becomes more
appropriate to have resource usage visible to users, whether or not
actual charging for usage takes place. Another motivation that
drives the need for accountability across AD boundaries is the
greater variability in implementations. Different implementations of
a single network protocol can vary greatly as to their efficiency
[8]. We can not assume control over implementation across AD
boundaries. Feedback mechanisms such as metering (and charging in
some cases) would introduce a concrete incentive for ADs to employ
efficient and correct implementations. PR should allow an AD to
advertise and apply such accounting measures to inter-AD traffic.
In summary, the lack of global authority, the need to support network
resource sharing as well as network interconnection, the complex and
dynamic mapping of users to ADs and rights, and the need for
accountability across ADs, are characteristics of inter-AD
communications which must be taken into account in the design of both
policies and supporting technical mechanisms.
5 TOPOLOGY MODEL OF INTERNET
Before discussing policies per se, we outline our model of inter-AD
topology and how it influences the type of policy support required.
Most members of the Internet community agree that the future Internet
will connect on the order of 150,000,000 termination points and
100,000 ADs. However, there are conflicting opinions as to the AD
topology for which we must design PR mechanisms. The informal
argument is described here.
SIMPLE AD TOPOLOGY AND POLICY MODEL Some members of the Internet
community believe that the current complex topology of interconnected
ADs is a transient artifact resulting from the evolutionary nature of
the Research Internet's history. (FOOTNOTE 9: David Cheriton of
Stanford University articulated this side of the argument at an
Estrin [Page 6]
RFC 1125 Policy Requirements November 1989
Internet workshop in Santa Clara, January, 1989). The critical points
of this argument relate to topology and policy. They contend that in
the long term the following three conditions will prevail:
* The public carriers will provide pervasive, competitively
priced, high speed data services.
* The resulting topology of ADs will be
stub (not transit) ADs connected to regional
backbones, which in turn interconnect via multiple,
overlapping long haul backbones, i.e., a hierarchy with
no lateral connections between stub-ADs or regionals,
and no vertical bypass links.
* The policy requirements of the backbone and stub-ADs
will be based only on charging for resource usage at the
stub-AD to backbone-AD boundary, and to settling accounts
between neighboring backbone providers (regional to long haul,
and long haul to long haul).
Under these assumptions, the primary requirement for general AD
interconnect is a metering and charging protocol. The routing
decision can be modeled as a simple least cost path with the metric
in dollars and cents. In other words, restrictions on access to
transit services will be minimal and the functionality provided by
the routing protocol need not be changed significantly from current
day approaches.
COMPLEX AD TOPOLOGY AND POLICY MODEL The counter argument is that a
more complex AD topology will persist. (FOOTNOTE 10: Much of the
remainder of this paper attempts to justify and provide evidence for
this statement.) The different assumptions about AD topology lead to
the significantly different assumptions about AD policies.
This model assumes that the topology of ADs will in many respects
agree with the previous model of increased commercial carrier
participation and resulting hierarchical structure. However, we
anticipate unavoidable and persistent exceptions to the hierarchy.
We assume that there will be a relatively small number of long haul
transit ADs (on the order of 100), but that there may be tens of
thousands of regional ADs and hundreds of thousands of stub ADs
(e.g., campuses, laboratories, and private companies). The competing
long haul offerings will differ, both in the services provided and in
their packaging and pricing. Regional networks will overlap less and
will connect campus and private company networks. However, many
stub-ADs will retain some private lateral links for political,
technical, and reliability reasons. For example, political
incentives cause organizations to invest in bypass links that are not
Estrin [Page 7]
RFC 1125 Policy Requirements November 1989
always justifiable on a strict cost comparison basis; specialized
technical requirements cause organizations to invest in links that
have characteristics (e.g., data rate, delay, error, security) not
available from public carriers at a competitive rate; and critical
requirements cause organizations to invest in redundant back up links
for reliability reasons. These exceptions to the otherwise regular
topology are not dispensible. They will persist and must be
accommodated, perhaps at the expense of optimality; see Section 5 for
more detail. In addition, many private companies will retain their
own private long haul network facilities. (FOOTNOTE 11: While
private voice networks also exist, private data networks are more
common. Voice requirements are more standardized because voice
applications are more uniform than are data applications, and
therefore the commercial services more often have what the voice
customer wants at a price that is competitive with the private
network option. Data communication requirements are still more
specialized and dynamic. Thus, there is less opportunity for economy
of scale in service offerings and it is harder to keep up to date
with customer demand. For this reason we expect private data networks
to persist for the near future. As the telephone companies begin to
introduce the next generation of high speed packet switched services,
the scenario should change. However, we maintain that the result will
be a predominance, but not complete dominance, of public carrier use
for long haul communication. Therefore, private data networks will
persist and the routing architecture must accommodate controlled
interconnection.) Critical differences between the two models follow
from the difference in assumptions regarding AD topology. In the
complex case, lateral connections must be supported, along with the
means to control the use of such connections in the routing
protocols.
The different topologies imply different policy requirements. The
first model assumes that all policies can be expressed and enforced
in terms of dollars and cents and distributed charging schemes. The
second model assumes that ADs want more varied control over their
resources, control that can not be captured in a dollars and cents
metric alone. We describe the types of policies to be supported and
provide examples in the following section, Section 6. In brief, given
private lateral links, ADs must be able to express access and
charging related restrictions and privileges that discriminate on an
AD basis. These policies will be diverse, dynamic, and new
requirements will emerge over time, consequently support must be
extensible. For example, the packaging and charging schemes of any
single long haul service will vary over time and may be relatively
elaborate (e.g., many tiers of service, special package deals, to
achieve price discrimination).
Note that these assumptions about complexity do not preclude some
Estrin [Page 8]
RFC 1125 Policy Requirements November 1989
collection of ADs from "negotiating away" their policy differences,
i.e., forming a federation, and coordinating a simplified inter-AD
configuration in order to reduce the requirements for inter-AD
mechanisms. However, we maintain that there will persist collections
of ADs that will not and can not behave as a single federation; both
in the research community and, even more predominantly, in the
broader commercial arena. Moreover, when it comes to interconnecting
across these federations, non-negotiable differences will arise
eventually. It is our goal to develop mechanisms that are applicable
in the broader arena.
The Internet community developed its original protocol suite with
only minimal provision for resource control [9]. This was
appropriate at the time of development based on the assumed community
(i.e., researchers) and the ground breaking nature of the technology.
The next generation of network technology is now being designed to
take advantage of high speed media and to support high demand traffic
generated by more powerful computers and their applications [10]. As
with TCP/IP we hope that the technology being developed will find
itself applied outside of the research community. This time it would
be inexcusable to ignore resource control requirements and not to pay
careful attention to their specification.
Finally, we look forward to the Internet structure taking advantage
of economies of scale offered by enhanced commercial services.
However, in many respects the problem that stub-ADs may thus avoid,
will be faced by the multiple regional and long haul carriers
providing the services. The carriers' charging and resource control
policies will be complex enough to require routing mechanisms similar
to ones being proposed for the complex AD topology case described
here. Whether the network structure is based on private or
commercial services, the goal is to construct policy sensitive
mechanisms that will be transparent to end users (i.e., the
mechanisms are part of the routing infrastructure at the network
level, and not an end to end concern).
6 POLICY TYPES
This section outlines a taxonomy of internet policies for inter-AD
topologies that allow lateral and bypass links. The taxonomy is
intended to cover a wide range of ADs and internets. Any particular
PR architecture we design should support a significant subset of
these policy types but may not support all of them due to technical
complexity and performance considerations. The general taxonomy is
important input to a functional specification for PR. Moreover, it
can be used to evaluate and compare the suitability and completeness
of existing routing architectures and protocols for PR; see Section
8.
Estrin [Page 9]
RFC 1125 Policy Requirements November 1989
We provide examples from the Research Internet of the different
policy types in the form of resource usage policy statements. These
statements were collected through interviews with agency
representatives, but they do not represent official policy. These
sample policy statements should not} be interpreted as agency policy,
they are provided here only as examples.
Internet policies fall into two classes, access and charging. Access
policies specify who can use resources and under what conditions.
Charging policies specify the metering, accounting, and billing
implemented by a particular AD.
We have identified the following types of access policies that ADs
may wish to enforce. Charging policies are described in the
subsequent section. Section 6.3 provides more specific examples of
both access and charging policies using FRICC policy statements.
Access policies typically are expressed in the form: principals of
type x can have access to resources of type y under the following
conditions, z. The policies are categorized below according to the
definition of y and z. In any particular instance, each of the
policy types would be further qualified by definition of legitimate
principals, , x, i.e., what characteristics x must have in order to
access the resource in question.
We refer to access policies described by stub and transit ADs. The
two roles imply different motivations for resource control, however
the types of policies expressed are similar; we expect the supporting
mechanisms to be common as well.
Stub and transit access policies may specify any of the following
parameters:
* SOURCE/DESTINATION
Source/Destination policies prevent or restrict communication
originated by or destined for particular ADs (or hosts or user
classes within an AD).
* PATH
Path sensitive policies specify which ADs may or may not be passed
through en route to a destination. The most general path sensitive
policies allow stub and transit ADs to express policies that depend
on any component in the AD path. In other words, a stub AD could
reject a route based on any AD (or combination of ADs) in the route.
Similarly, a transit AD could express a packet forwarding policy that
behaves differently depending upon which ADs a packet has passed
Estrin [Page 10]
RFC 1125 Policy Requirements November 1989
through, and is going to pass through, en route to the destination.
Less ambitious (and perhaps more reasonable) path sensitive policies
might only discriminate according to the immediate neighbor ADs
through which the packet is traveling (i.e., a stub network could
reject a route based on the first transit AD in the route, and a
transit AD could express a packet forwarding policy that depends upon
the previous, and the subsequent, transit ADs in the route.)
* QUALITY/TYPE OF SERVICE(QOS OR TOS)
This type of policy restricts access to special resources or
services. For example, a special high throughput, low delay link may
be made available on a selective basis.
* RESOURCE GUARANTEE
These policies provide a guaranteed percentage of a resource on a
selective, as needed basis. In other words, the resource can be used
by others if the preferred-AD's offered load is below the guaranteed
level of service. The guarantee may be to always carry intra-AD
traffic or to always carry inter-AD traffic for a specific AD.
* TEMPORAL
Temporal policies restrict usage based on the time of day or other
time related parameters.
* HIGH LEVEL PROTOCOL
Usage may be restricted to a specific high level protocol such as
mail or file transfer. (Alternatively, such policies can be
implemented as source/destination policies by configuring a host(s)
within an AD as an application relay and composing policy terms that
allow inter-AD access to only that host.)
* RESOURCE LIMIT
There may be a limit on the amount of traffic load a source may
generate during a particular time interval, e.g., so many packets in
a day, hour, or minute.
* AUTHENTICATION REQUIREMENTS
Conditions may be specified regarding the authenticability of
principal identifying information. Some ADs might require some form
of cryptographic proof as to the identity and affiliations of the
principal before providing access to critical resources.
The above policy types usually exist in combination for a particular
AD, i.e., an AD's policies might express a combination of transit,
source/destination, and QOS restrictions. This taxonomy will evolve
as PR is applied to other domains.
As will be seen in Section 6.3 an AD can express its charging and
Estrin [Page 11]
RFC 1125 Policy Requirements November 1989
access policies in a single syntax. Moreover, both stub and transit
policies can co-exist. This is important since some ADs operate as
both stub and transit facilities and require such hybrid control.
Stub and transit charging policies may specify the following
parameters:
* UNIT OF ACCOUNTING (e.g., dollars or credits).
* BASIS FOR CHARGING (e.g., per Kbyte or per Kpkt).
* ACTUAL CHARGES (e.g., actual numbers such as $.50/Mbyte).
* WHO IS CHARGED OR PAID (e.g., originator of packet,
immediate neighbor from whom packet was received, destination
of packet, a third party collection agent).
* WHOSE PACKET COUNT is used (e.g., source, destination, the
transit AD's own count, the count of some upstream or
downstream AD).
* BOUND ON CHARGES (e.g., to limit the amount that a stub
AD is willing to spend, or the amount that a transit AD is
willing to carry.)
The enforcement of these policies may be carried out during route
synthesis or route selection [4].
The following policy statements were collected in the fall of 1988
through interviews with representatives of the federal agencies most
involved in supporting internetworking. Once again we emphasize that
these are not official policy statements. They are presented here to
provide concrete examples of the sort of policies that agencies would
like to enforce.
Expressing policies as Policy Terms (PTs)
Each policy is described in English and then expressed in a policy
term (PT) notation suggested by Dave Clark in [4]. Each PT
represents a distinct policy of the AD that synthesized it. The
format of a PT is:
[(H{src},AD{src},AD{ent}),(H{dst},AD{dst},AD{exit}),UCI, Cg,Cb]
Hsrc stands for source host, ADsrc for source AD, ADent for entering
AD (i.e., neighboring AD from which traffic is arriving directly),
Hdst for destination host, ADdst for destination AD, ADexit for exit
AD (i.e.,neighboring AD to which traffic is going directly), UCI for
user class identifier, and Cg and Cb for global and bilateral
Estrin [Page 12]
RFC 1125 Policy Requirements November 1989
conditions, respectively. The purpose of a PT is to specify that
packets from some host, H{src}, (or a group of hosts) in a source AD,
AD{src}, are allowed to enter the AD in question via some directly
connected AD, AD{ent}, and exit through another directly connected
AD, AD{exit}, on its way to a host, H{dst}, (or a group of hosts) in
some destination AD, AD{dst}. User Class Identifier (UCI) allows for
distinguishing between various user classes, e.g., Government,
Research, Commercial, Contract, etc. Global Conditions (Cg)
represent billing and other variables. Bilateral Conditions (Cb)
relate to agreements between neighboring ADs, e.g., related to
metering or charging. In the example policy terms provided below we
make use of the following abbreviations: Fricc for
{DOE,NASA,DCA,NSF}, F for Federal Agency, Re for Regional, U for
University, Co for Commercial Corporation, and Cc for Commercial
Carrier. A hyphen, -, means no applicable matches.
By examining a PT we can identify the type of policy represented, as
per the taxonomy presented earlier.
* If an AD specifies a policy term that has a null (-) entry for
the ADexit, then it is disallowing transit for some group of users,
and it is a transit policy.
* If an AD specifies a policy term that lists itself
explicitly as ADsrc or ADdst, it is expressing restrictions on who
can access particular resources within its boundaries, or on who inside
can obtain external access. In other words the AD is expressing a
source/destination policy.
* If ADexit or ADentr is specified then the policy expressed is an
exit/entrance path policy.
* If the global conditions include charging, QOS, resource
guarantee, time of day, higher level application, resource limit, or
authentication related information it is obviously a charging, QOS,
resource guarantee, temporal, higher level application, resource
limit, or authentication policy, respectively.
As seen below, any one PT typically incorporates a combination of
policy types.
In the following examples all policies (and PTs) are symmetrical
under the assumption that communication is symmetrical.
Estrin [Page 13]
RFC 1125 Policy Requirements November 1989
NATIONAL SCIENCE FOUNDATION (NSF)
1. NSF will carry traffic for any host connected to a F/Re network
talking to any other host connected to a F/Re via any F/Re entry and
exit network, so long as there is it is being used for research or
support. There is no authentication of the UCI and no per packet
charging. NSFnet is a backbone and so does not connect directly to
universities or companies...thus the indication of {F/Re} instead of
{F/Re/U/Co} as ADent and ADexit.
[NSF1: (*, {F/Re}, {F/Re})(*, {F/Re}, {F/Re}){research,support}
{unauthenticated UCI,no-per-pkt charge}{}]
2. NSF will carry traffic to user and expert services hosts in NSF
AD to/from any F/Re AD, via any F/Re AD. These are the only things
that directly connect to NSFnet.
[NSF2: ({User svcs, Expert Svcs},{NSF},{F/Re})(*,{F/Re},{-}){}{}{}]
DEPARTMENT OF ENERGY (DOE)
1. DOE will carry traffic to and from any host directly connected to
DOE so long as it is used for research or support. There is no
authentication of the UCI and no per packet charging.
[DOE1: (*,DOE,-)(*,*,*){research,support}
{unauthenticated UCI,no-per-packet charge}{}]
2. DOE will carry traffic for any host connected to a F/Re network
talking to any other host connected to a F/Re via any F/Re entry and
exit network without regard to the UCI. There is no authentication of
the UCI and no per packet charging. (in other words DOE is more
restrictive with its own traffic than with traffic it is carrying as
part of a resource sharing arrangement.)
[DOE2: (*,{F/Re},{F/Re})(*,{F/Re},{F/Re}){}
{unauthenticated UCI, no-per-pkt charge}{}]
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION (NASA)
1. Nasa will accept any traffic to/from members of the Nasa AD. But
no transit. No UCI authentication and no per packet charge.
[NASA1: (*,*,*)(*,Nasa,-){Nasa-research, support}
{unauthenticated UCI,no-per-packet-charge}{}]
2. Nasa will carry transit traffic to/from other federal agency
networks if it is in support of research, and if the total use of
Estrin [Page 14]
RFC 1125 Policy Requirements November 1989
available BW by non-nasa Federal agencies is below n%. NOTE THAT this
non-interference policy type needs some more work in terms of
integrating it into the routing algorithms. See Section 7.
[NASA2: (*,{F},*)(*,{F},*){research,support}
{per-packet accounting, limited to n% of available BW}{}]
3. NASA will carry commercial traffic to federal and regional and
university ADs for nasa research or support. But it will not allow
transit. The particular entry AD is not important.
[NASA3: (*,{Co},*} (*,{F/R/U},*) {NASA research,support}
{unauthenticated UCI, no per packet charge}{}]
4. On a case by case basis NASA may provide access to its resources
on a cost reimbursed basis. Transit traffic will not be carried on
this basis.
[NASA4: (*,*,-)(*,*,-){}
{per-packet-charge, limited to n% of available BW} {}]
DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)
1. DARPA will carry traffic to/from any host in DARPA AD from any
external host that can get it there so long as UCI is research or
support. No UCI authentication or per packet charge.
[DARPA1: (*,*,*)(*,DARPA,-){research,support}
{unauthenticated-UCI, no per packet charge}{}]
2. DARPA will carry traffic for any host connected to a F/Re/U/Co
network talking to any other host connected to a F/Re/U/Co via any
F/Re/U/Co entry and exit network, so long as there is it is being
used for research or support, and the network is not heavily
congested!!. There is no authentication of the UCI and no per packet
charging. NOTE: Darpa would like to say something about the need to
enter the Darpa AD at the point closest to the destination...but i
don't know how to express this...
DARPA2: (*,{F/R/U/Co},{F/R/U/Co})(*,{F/R/U/Co},{F/R/U/Co})
{research,support}{unauthenticated-UCI,no per packet charge,
non-interference basis}{}]
DEFENSE COMMUNICATIONS AGENCY (DCA)
1. DCA will not carry any transit traffic. It will only accept and
send traffic to and from its mailbridge(s) and only from and to hosts
on other F/Re nets. All packets are marked and charged for by the
Estrin [Page 15]
RFC 1125 Policy Requirements November 1989
kilopacket.
[DCA1:(mailbridge,DCA,-)(*,{F/Re},{F/Re}){research,support}
{unauthenticated UCI, all incoming packets marked, per-kilopacket
charge}{}]
Interviews with regional network administrations are now underway. In
general their policies are still in formation due to the relatively
recent formation of these regional networks. However, for the sake of
illustration we provide an example of a hypothetical regional's
network policies.
REGIONAL A
1. Regional A will carry traffic from/to any directly connected
F/Re/U network to any F/Re/U network via NSF if it is for a research
or support UCI. (NSF requires that all Regional networks only pass it
traffic that complies with its, NSF's, policies!)
[Regional A:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},NSF){research,support}
{unauthenticated UCI, no-per-packet charge}{}]
REGIONAL B
1. Regional B will carry traffic from/to any directly connected
F/Re/U network to any F/Re/U network via a commercial carrier
regardless of its UCI. In this case the packets are charged for since
the commercial carrier charges per kilopacket.
[Regional B:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},Cc){}
{unauthenticated UCI, per-kilopacket charge}{}]
Similar interviews should be conducted with administrators of campus
and private networks. However, many aspects of their policies are
contingent on the still unresolved policies of the regionals and
federal agencies. In any event, transit policies will be critical
for campus and private networks to flexibly control access to lateral
links and private wide area networks, respectively. For example, a
small set of university and private laboratories may provide access
to special gigabit links for particular classes of researchers. On
the other hand, source/destination policies should not be used in
place of network level access controls for these end ADs.
Estrin [Page 16]
RFC 1125 Policy Requirements November 1989
Currently commercial communication services play a low level role in
most parts of today's Research Internet; they provide the
transmission media, i.e.,leased lines. In the future we expect
commercial carriers to provide increasingly higher level and enhanced
services such as high speed packet switched backbone services.
Because such services are not yet part of the Research Internet
infrastructure there exist no policy statements.
Charging and accounting are certain to be an important policy type in
this context. Moreover, we anticipate the long haul services market
to be highly competitive. This implies that competing service
providers will engage in significant gaming in terms of packaging and
pricing of services. Consequently, the ability to express varied and
dynamic charging policies will be critical for these ADs.
7 PROBLEMATIC REQUIREMENTS
Most of this paper has lobbied for articulation of relatively
detailed policy statements in order to help define the technical
mechanisms needed for enforcement. We promoted a top down design
process beginning with articulation of desired policies. Now we feel
compelled to mention requirements that are clearly problematic from
the bottom up perspective of technical feasibility.
* Non-interference policies are of the form "I will provide
access for principals x to resources y so long as it does not
interfere with my internal usage." The problem with such policies
is that access to an AD at any point in time is contingent upon a
local, highly dynamic, parameter that is not globally available.
Therefore such a policy term could well result in looping,
oscillations, and excessive route (re)computation overhead,
both unacceptable. Consequently, this is one type of policy that
routing experts suggest would be difficult to support in a very
large decentralized internetwork.
* Granularity can also be problematic, but not as devistating as
highly dynamic PR contingencies. Here the caution is less specific.
Very fine grain policies, which restrict access to particular
hosts, or are contingent upon very fine grain user class
identification, may be achieved more efficiently with network
level access control [11] or end system controls instead of
burdening the inter-AD routing mechanism.
* Security is expensive, as always. Routing protocols are subject
to fraud through impersonation, data substitution, and denial of
service. Some of the proposed mechanisms provide some means for
Estrin [Page 17]
RFC 1125 Policy Requirements November 1989
detection and non-repudiation. However, to achieve a priori
prevention of resource misuse is expensive in terms of per
connection or per packet cryptographic overhead. For some
environments we firmly believe that this will be necessary and
we would prefer an architecture that would accommodate such
variability [12].
In general, it is difficult to predict the impact of any particular
policy term. Tools will be needed to assist people in writing and
validating policy terms.
8 PROPOSED MECHANISMS
Previous routing protocols have addressed a narrower definition of
PR, as appropriate for the internets of their day. In particular, EGP
[3], DGP[13], and BGP[6] incorporate a notion of policy restrictions
as to where routing database information travels. None are intended
to support policy based routing of packets as described here. More
recent routing proposals such as Landmark [14] and Cartesian [15]
could be used to restrict packet forwarding but are not suited to
source/destination, and some of the condition-oriented, policies. We
feel these policy types are critical to support. We note that for
environments (e.g., within an AD substructure) in which the simple-
AD-topology conjecture holds true, these alternatives may be
suitable.
RFC 1104 [5] provides a good description of shorter term policy
routing requirements. Braun classifies three types of mechanisms,
policy based distribution of route information, policy based packet
forwarding, and policy based dynamic allocation of network resources.
The second class is characterized by Dave Clark's PR architecture,
RFC 1102 [4]. With respect to the longer term requirements laid out
in this document, only this second class is expressive and flexible
enough to support the multiplicity of stub and transit policies. In
other words, the power of the PR approach (e.g., RFC1102) is not just
in the added granularity of control pointed out by Braun, i.e., the
ability to specify particular hosts and user classes. Its power is in
the ability to express and enforce many types of stub and transit
policies and apply them on a discriminatory basis to different ADs.
In addition, this approach provides explicit support for stub ADs to
control routes via the use of source routing. (FOOTNOTE 12:
Moreover, the source routing approach loosens the requirements for
every AD to share a complete view of the entire internet by allowing
the source to detect routing loops.) (FOOTNOTE 13: The match
between RFC1102 and the requirements specified in this document is
hardly a coincidence since Clark's paper and discussions with him
contributed to the requirements formulation presented here. His work
is currently being evaluated and refined by the ANRG and ORWG.)
Estrin [Page 18]
RFC 1125 Policy Requirements November 1989
9 SUMMARY
Along with the emergence of very high speed applications and media,
resource management has become a critical issue in the Research
Internet and internets in general. A fundamental characteristic of
the resource management problem is allowing administratively ADs to
interconnect while retaining control over resource usage. However, we
have lacked a careful articulation of the types of resource
management policies that need to be supported. This paper addresses
policy requirements for the Research Internet. After justifying our
assumptions regarding AD topology we presented a taxonomy and
examples of policies that must be supported by a PR protocol.
10 ACKNOWLEDGMENTS
Members of the Autonomous Networks Research Group and Open Routing
Working Group have contributed significantly to the ideas presented
here, in particular, Guy Almes, Lee Breslau, Scott Brim, Dave Clark,
Marianne Lepp, and Gene Tsudik. In addition, Lee Breslau and Gene
Tsudik provided detailed comments on a previous draft. David Cheriton
inadvertently caused me to write this document. Sharon Anderson's
contributions deserve special recognition. The author is supported
by research grants from National Science Foundation, AT&T, and GTE.
11 REFERENCES
[1] J. Postel, Internet Protocol, Network Information Center, RFC
791, September 1981.
[2] G. Vaudreuil, The Federal Research Internet Coordinating
Committee and National Research Network, ACM SIG Computer
Communications Review,April 1988.
[3] E. Rosen, Exterior Gateway Protocol (EGP), Network Information
Center, RFC 827, October 1982.
[4] D. Clark, Policy Routing in Internet Protocols, Network
Information Center, RFC 1102, May 1989.
[5] H.W.Braun, Models of Policy Based Routing, Network Information
Center, RFC 1104, June 1989.
[6] K. Lougheed, Y. Rekhter, A Border Gateway Protocol, Network
Information Center, RFC 1105, June 1989.
[7] J. Saltzer, M. Schroeder, The Protection of Information in
Computer Systems, Proceedings of the IEEE, 63, 9 September 1975.
Estrin [Page 19]
RFC 1125 Policy Requirements November 1989
[8] V. Jacobson, Congestion Avoidance and Control. Proceedings of
ACM Sigcomm, pp. 106-114, August 1988, Palo Alto, CA.
[9] David Clark, Design Philosophy of the DARPA Internet Protocols,
Proceedings of ACM Sigcomm, pp. 106-114, August 1988, Palo Alto,
CA.
[10] Gigabit Networking Group, B. Leiner, Editor. Critical Issues in
High Bandwidth Networking, Network Information Center, RFC 1077,
November 1988.
[11] D. Estrin, J. Mogul and G. Tsudik, Visa Protocols for Controlling
Inter-Organizational Datagram Flow, To appear in IEEE Journal on
Selected Areas in Communications, Spring 1989.
[12] D. Estrin and G. Tsudik, Security Issues in Policy Routing, IEEE
Symposium on Research in Security and Privacy, Oakland, CA. May
1-3 1989.
[13] M. Little, The Dissimilar Gateway Protocol, Technical report
[14] P. Tsuchiya, The Landmark Hierarchy: A new hierarchy for routing
in very large networks, IEEE SIGCOMM 88, Palo Alto, CA. September
1988.
[15] G. Finn, Reducing the Vulnerability of Dynamic Computer Networks
USC/Information Sciences Institute, Technical Report, ISI/RR-88-
201 July 1988.
[16] A. Nakassis Routing Algorithm for Open Routing, Unpublished
paper, Available from the author at the National Institute of
Standards and Technology (formerly NBS), Washington D.C.
11 SECURITY CONSIDERATIONS
This memo does not address the security aspects of the issues
discussed.
AUTHOR'S ADDRESS:
Deborah Estrin
University of Southern California
Computer Science Department
Los Angeles, CA 90089-0782
Phone: (213) 743-7842
EMail: Estrin@OBERON.USC.EDU
Estrin [Page 20]
RFC 1125 Policy Requirements November 1989
Estrin [Page 21]