Difference between revisions of "RFC1125"

Revision as of 22:52, 22 September 2020

Network Working Group D. Estrin Request for Comments: 1125 USC Computer Science Department

                                                          November 1989

     POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING

1 STATUS OF THIS MEMO

  The purpose of this memo is to focus discussion on particular
  problems in the Internet and possible methods of solution.  No
  proposed solutions in this document are intended as standards for the
  Internet.  Rather, it is hoped that a general consensus will emerge
  as to the appropriate solution to such problems, leading eventually
  to the development and adoption of standards.  Distribution of this
  memo is unlimited.

2 ABSTRACT

  Efforts are now underway to develop a new generation of routing
  protocol that will allow each Administrative Domain (AD) in the
  growing Internet (and internets in general) to independently express
  and enforce policies regarding the flow of packets to, from, and
  through its resources. (FOOTNOTE 1: The material presented here
  incorporates discussions held with members of the IAB Autonomous
  Networks Research Group and the Open Routing Working Group.)  This
  document articulates the requirements for policy based routing and
  should be used as input to the functional specification and
  evaluation of proposed protocols.

  Two critical assumptions will shape the type of routing mechanism
  that is devised: (1) the topological organization of ADs, and (2) the
  type and variability of policies expressed by ADs.  After justifying
  our assumptions regarding AD topology we present a taxonomy, and
  specific examples, of policies that must be supported by a PR
  protocol.  We conclude with a brief discussion of policy routing
  mechanisms proposed in previous RFCs (827, 1102, 1104, 1105).  Future
  RFCs will elaborate on the architecture and protocols needed to
  support the requirements presented here.

3 BACKGROUND

  The Research Internet has evolved from a single backbone wide area
  network with many connected campus networks, to an internet with
  multiple cross-country backbones, regional access networks, and a
  profusion of campus networks. (FOOTNOTE 2: The term Research Internet
  refers to a collection of government, university, and some private
  company, networks that are used by researchers to access shared

Estrin [Page 1]

RFC 1125 Policy Requirements November 1989

  computing resources (e.g., supercomputers), and for research related
  information exchange (e.g., distribution of software, technical
  documents, and email). The networks that make up the Research
  Internet run the DOD Internet Protocol [1].)  At times during its
  development the Research Internet topology appeared somewhat chaotic.
  Overlapping facilities and lateral (as opposed to hierarchical)
  connections seemed to be the rule rather than the exception.  Today
  the Research Internet topology is becoming more regular through
  coordination of agency investment and adoption of a hierarchy similar
  to that of the telephone networks'.  The result is several
  overlapping wide area backbones connected to regional networks, which
  in turn connect to campus networks at universities, research
  laboratories, and private companies. However, the telephone network
  has lateral connections only at the highest level, i.e., between long
  haul carriers.  In the Research Internet there exist lateral
  connections at each level of the hierarchy, i.e., between campus (and
  regional) networks as well.

  Additional complexity is introduced in the Research Internet by
  virtue of connections to private networks. Many private companies are
  connected to the Research Internet for purposes of research or
  support activities. These private companies connect in the same
  manner as campuses, via a regional network or via lateral links to
  other campuses. However, many companies have their own private wide
  area networks which physically overlap with backbone and/or regional
  networks in the research internet, i.e., private vertical bypass
  links.

  Implicit in this complex topology are organizational boundaries.
  These boundaries define Administrative Domains (ADs) which preclude
  the imposition of a single, centralized set of policies on all
  resources.  The subject of this paper is the policy requirements for
  resource usage control in the Research Internet.

  In the remainder of this section we describe the policy routing
  problem in very general terms. Section 4 examines the constraints and
  requirements that makes the problem challenging, and leads us to
  conclude that a new generation of routing and resource control
  protocols are needed. Section 5 provides more detail on our
  assumptions as to the future topology and configuration of
  interconnected ADs. We return to the subject of policy requirements
  in Section 7 and categorize the different types of policies that ADs
  in the research internet may want to enforce.  Included in this
  section are examples of FRICC policy statements.  (FOOTNOTE 3: The
  Federal Research Internet Coordinating Committee (FRICC) is made up
  of representatives of each of the major agencies that are involved in
  networking. They have been very effective in coordinating their
  efforts to eliminate inefficient redundancy and have proposed a plan

Estrin [Page 2]

RFC 1125 Policy Requirements November 1989

  for the next 10 years of internetworking for the government,
  scientific, and education community [2].)  Section 7 identifies types
  of policy statements that are problematic to enforce due to their
  dynamics, granularity, or performance implications. Several proposed
  mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105)
  are discussed briefly in Section 8. Future RFCs will elaborate on the
  architecture and protocols needed to support the requirements
  presented here.

3.1 POLICY ROUTING

  Previous protocols such as the Exterior Gateway Protocol (EGP)[3]
  embodied a limited notion of policy and ADs. In particular,
  autonomous system boundaries constrained the flow of routing database
  information, and only indirectly affected the flow of packets
  themselves.  We consider an Administrative Domain (AD) to be a set of
  hosts and network resources (gateways, links, etc.) that is governed
  by common policies.  In large internets that cross organization
  boundaries, e.g., the Research Internet, inter-AD routes must be
  selected according to policy-related parameters such as cost and
  access rights, in addition to the traditional parameters of
  connectivity and congestion. In other words, Policy Routing (PR) is
  needed to navigate through the complex web of policy boundaries
  created by numerous interconnected ADs. Moreover, each AD has its own
  privileges and perspective and therefore must make its own evaluation
  of legal and preferred routes.  Efforts are now underway to develop a
  new generation of routing protocol that will allow each AD to
  independently express and enforce policies regarding the flow of
  packets to, from, and through its resources [4].  (FOOTNOTE 4:  These
  issues are under investigation by the IAB Autonomous Networks
  Research Group and the IAB Open Routing Working Group. For further
  information contact the author.)

  The purpose of this paper is to articulate the requirements for such
  policy based routing. Two critical assumptions will shape the type of
  routing mechanism that is devised:

  * The topological organization of ADs, and
  * The type and variability of policies expressed by ADs.

  We make use of the policies expressed by owners of current Research
  Internet resources and private networks connected to the Research
  Internet to generalize types of policies that must be supported. This
  top down effort must be done with attention to the technical
  implications of the policy statements if the result is to be useful
  in guiding technical development. For example, some ADs express the
  desire to enforce local constraints over how packets travel to their
  destination. Other ADs are only concerned with preventing use of

Estrin [Page 3]

RFC 1125 Policy Requirements November 1989

  their own network resources by restricting transit.  Still other ADs
  are concerned primarily with recovering the expense of carrying
  traffic and providing feedback to users so that users will limit
  their own data flows; in other words they are concerned with
  charging.  We refer to ADs whose primary concern is communication to
  and from hosts within their AD as stub and to ADs whose primary
  concern is carrying packets to and from other ADs as transit}.  If we
  address control of transit alone, for example, the resulting
  mechanisms will not necessarily allow an AD to control the flow of
  its packets from source to destination, or to implement flexible
  charging schemes.  (FOOTNOTE 5: Gene Tsudik uses the analogy of
  international travel to express the need for source and transit
  controls. Each country expresses its own policies about travel to and
  through its land.  Travel through one country enroute to another is
  analogous to transit traffic in the network world. A traveler
  collects policy information from each of the countries of interest
  and plans an itinerary that conforms to those policies as well as the
  preferences of the traveler and his/her home nation.  Thus there is
  both source and transit region control of routing.)  Our purpose is
  to articulate a comprehensive set of requirements for PR as input to
  the functional specification, and evaluation, of proposed protocols.

4 WHY THE PROBLEM IS DIFFICULT

  Before proceeding with our description of topology and policy
  requirements this section outlines several assumptions and
  constraints, namely: the lack of global authority, the need to
  support network resource sharing as well as network interconnection,
  the complex and dynamic mapping of users to ADs and privileges, and
  the need for accountability across ADs.  These assumptions limit the
  solution space and raise challenging technical issues.

  The purpose of policy based routing is to allow ADs to interconnect
  and share computer and network resources in a controlled manner.
  Unlike many other problems of resource control, there is no global
  authority. Each AD defines its own policies with respect to its own
  traffic and resources. However, while we assume no global authority,
  and no global policies, we recognize that complete autonomy implies
  no dependence and therefore no communication.  The multi-organization
  internets addressed here have inherent regions of autonomy, as well
  as requirements for interdependence. Our mechanisms should allow ADs
  to design their boundaries, instead of requiring that the boundaries
  be either impenetrable or eliminated.

  One of the most problematic aspects of the policy routing
  requirements identified here is the need to support both network
  resource sharing and interconnection across ADs. An example of
  resource sharing is two ADs (e.g., agencies, divisions, companies)

Estrin [Page 4]

RFC 1125 Policy Requirements November 1989

  sharing network resources (e.g., links, or gateways and links) to
  take advantage of economies of scale.  Providing transit services to
  external ADs is another example of network resource sharing.
  Interconnection is the more common example of ADs interconnecting
  their independently used network resources to achieve connectivity
  across the ADs, i.e., to allow a user in one AD to communicate with
  users in another AD. In some respects, network resource control is
  simpler than network interconnection control since the potential
  dangers are fewer (i.e., denial of service and loss of revenue as
  compared with a wide range of attacks on end systems through network
  interconnection). However, controlled network resource sharing is
  more difficult to support.  In an internet a packet may travel
  through a number of transit ADs on its way to the destination.
  Consequently, policies from all transit ADs must be considered when a
  packet is being sent, whereas for stub-AD control only the policies
  of the two end point ADs have to be considered. In other words,
  controlled network resource sharing and transit require that policy
  enforcement be integrated into the routing protocols themselves and
  can not be left to network control mechanisms at the end points.
  (FOOTNOTE 6&7: Another difference is that in the interconnect case,
  traffic traveling over AD A's network resources always has a member
  of AD A as its source or destination (or both).  Under resource
  sharing arrangements members of both AD A and B are connected to the
  same resources and consequently intra-AD traffic (i.e., packets
  sourced and destined for members of the same AD) travels over the
  resources. This distinction is relevant to the writing of policies in
  terms of principal affiliation.  Economies of scale is one motivation
  for resource sharing. For example, instead of interconnecting
  separately to several independent agency networks, a campus network
  may interconnect to a shared backbone facility.  Today,
  interconnection is achieved through a combination of AD specific and
  shared arrangements. We expect this mixed situation to persist for
  "well-connected" campuses for reasons of politics, economics, and
  functionality (e.g., different characteristics of the different
  agency-networks). See Section 5 for more discussion.)

  Complications also result from the fact that legitimate users of an
  AD's resources are not all located in that AD. Many users (and their
  computers) who are funded by, or are affiliated with, a particular
  agency's program reside within the AD of the user's university or
  research laboratory.  They reside in a campus AD along with users who
  are legitimate users of other AD resources.  Moreover, any one person
  may be a legitimate user of multiple AR resources under varying
  conditions and constraints (see examples in Section 6). In addition,
  users can move from one AD to another. In other words, a user's
  rights can not be determined solely based on the AD from which the
  user's communications originate.  Consequently, PR must not only
  identify resources, it must identify principals and associate

Estrin [Page 5]

RFC 1125 Policy Requirements November 1989

  different capabilities and rights with different principals.  (The
  term principal is taken from the computer security community[7].)

  One way of reducing the compromise of autonomy associated with
  interconnection is to implement mechanisms that assure
  accountability} for resources used. Accountability may be enforced a
  priori, e.g., access control mechanisms applied before resource usage
  is permitted.  Alternatively, accountability may be enforced after
  the fact, e.g., record keeping or metering that supports detection
  and provides evidence to third parties (i.e., non-repudiation).
  Accountability mechanisms can also be used to provide feedback to
  users as to consumption of resources. Internally an AD often decides
  to do away with such feedback under the premise that communication is
  a global good and should not be inhibited. There is not necessarily a
  "global good" across AD boundaries. Therefore, it becomes more
  appropriate to have resource usage visible to users, whether or not
  actual charging for usage takes place.  Another motivation that
  drives the need for accountability across AD boundaries is the
  greater variability in implementations. Different implementations of
  a single network protocol can vary greatly as to their efficiency
  [8].  We can not assume control over implementation across AD
  boundaries.  Feedback mechanisms such as metering (and charging in
  some cases) would introduce a concrete incentive for ADs to employ
  efficient and correct implementations.  PR should allow an AD to
  advertise and apply such accounting measures to inter-AD traffic.

  In summary, the lack of global authority, the need to support network
  resource sharing as well as network interconnection, the complex and
  dynamic mapping of users to ADs and rights, and the need for
  accountability across ADs, are characteristics of inter-AD
  communications which must be taken into account in the design of both
  policies and supporting technical mechanisms.

5 TOPOLOGY MODEL OF INTERNET

  Before discussing policies per se, we outline our model of inter-AD
  topology and how it influences the type of policy support required.
  Most members of the Internet community agree that the future Internet
  will connect on the order of 150,000,000 termination points and
  100,000 ADs. However, there are conflicting opinions as to the AD
  topology for which we must design PR mechanisms.  The informal
  argument is described here.

  SIMPLE AD TOPOLOGY AND POLICY MODEL Some members of the Internet
  community believe that the current complex topology of interconnected
  ADs is a transient artifact resulting from the evolutionary nature of
  the Research Internet's history.  (FOOTNOTE 9: David Cheriton of
  Stanford University articulated this side of the argument at an

Estrin [Page 6]

RFC 1125 Policy Requirements November 1989

  Internet workshop in Santa Clara, January, 1989). The critical points
  of this argument relate to topology and policy. They contend that in
  the long term the following three conditions will prevail:

  * The public carriers will provide pervasive, competitively
    priced, high speed data services.

  * The resulting topology of ADs will  be
    stub (not transit) ADs connected to regional
    backbones, which in turn interconnect via multiple,
    overlapping long haul backbones, i.e., a  hierarchy with
    no lateral connections between stub-ADs or regionals,
    and no vertical bypass links.

  * The policy requirements of the backbone and stub-ADs
    will be based only on charging for resource usage at the
    stub-AD to backbone-AD boundary, and to settling accounts
    between neighboring backbone providers (regional to long haul,
    and long haul to long haul).

  Under these assumptions, the primary requirement for general AD
  interconnect is a metering and charging protocol. The routing
  decision can be modeled as a simple least cost path with the metric
  in dollars and cents. In other words, restrictions on access to
  transit services will be minimal and the functionality provided by
  the routing protocol need not be changed significantly from current
  day approaches.

  COMPLEX AD TOPOLOGY AND POLICY MODEL The counter argument is that a
  more complex AD topology will persist. (FOOTNOTE 10:  Much of the
  remainder of this paper attempts to justify and provide evidence for
  this statement.) The different assumptions about AD topology lead to
  the significantly different assumptions about AD policies.

  This model assumes that the topology of ADs will in many respects
  agree with the previous model of increased commercial carrier
  participation and resulting hierarchical structure. However, we
  anticipate unavoidable and persistent exceptions to the hierarchy.
  We assume that there will be a relatively small number of long haul
  transit ADs (on the order of 100), but that there may be tens of
  thousands of regional ADs and hundreds of thousands of stub ADs
  (e.g., campuses, laboratories, and private companies).  The competing
  long haul offerings will differ, both in the services provided and in
  their packaging and pricing.  Regional networks will overlap less and
  will connect campus and private company networks. However, many
  stub-ADs will retain some private lateral links for political,
  technical, and reliability reasons.  For example, political
  incentives cause organizations to invest in bypass links that are not

Estrin [Page 7]

RFC 1125 Policy Requirements November 1989

  always justifiable on a strict cost comparison basis; specialized
  technical requirements cause organizations to invest in links that
  have characteristics (e.g., data rate, delay, error, security) not
  available from public carriers at a competitive rate; and critical
  requirements cause organizations to invest in redundant back up links
  for reliability reasons.  These exceptions to the otherwise regular
  topology are not dispensible. They will persist and must be
  accommodated, perhaps at the expense of optimality; see Section 5 for
  more detail.  In addition, many private companies will retain their
  own private long haul network facilities. (FOOTNOTE 11:  While
  private voice networks also exist, private data networks are more
  common.  Voice requirements are more standardized because voice
  applications are more uniform than are data applications, and
  therefore the commercial services more often have what the voice
  customer wants at a price that is competitive with the private
  network option. Data communication requirements are still more
  specialized and dynamic.  Thus, there is less opportunity for economy
  of scale in service offerings and it is harder to keep up to date
  with customer demand. For this reason we expect private data networks
  to persist for the near future. As the telephone companies begin to
  introduce the next generation of high speed packet switched services,
  the scenario should change. However, we maintain that the result will
  be a predominance, but not complete dominance, of public carrier use
  for long haul communication.  Therefore, private data networks will
  persist and the routing architecture must accommodate controlled
  interconnection.)  Critical differences between the two models follow
  from the difference in assumptions regarding AD topology. In the
  complex case, lateral connections must be supported, along with the
  means to control the use of such connections in the routing
  protocols.

  The different topologies imply different policy requirements.  The
  first model assumes that all policies can be expressed and enforced
  in terms of dollars and cents and distributed charging schemes. The
  second model assumes that ADs want more varied control over their
  resources, control that can not be captured in a dollars and cents
  metric alone. We describe the types of policies to be supported and
  provide examples in the following section, Section 6. In brief, given
  private lateral links, ADs must be able to express access and
  charging related restrictions and privileges that discriminate on an
  AD basis.  These policies will be diverse, dynamic, and new
  requirements will emerge over time, consequently support must be
  extensible.  For example, the packaging and charging schemes of any
  single long haul service will vary over time and may be relatively
  elaborate (e.g., many tiers of service, special package deals, to
  achieve price discrimination).

  Note that these assumptions about complexity do not preclude some

Estrin [Page 8]

RFC 1125 Policy Requirements November 1989

  collection of ADs from "negotiating away" their policy differences,
  i.e., forming a federation, and coordinating a simplified inter-AD
  configuration in order to reduce the requirements for inter-AD
  mechanisms.  However, we maintain that there will persist collections
  of ADs that will not and can not behave as a single federation; both
  in the research community and, even more predominantly, in the
  broader commercial arena.  Moreover, when it comes to interconnecting
  across these federations, non-negotiable differences will arise
  eventually.  It is our goal to develop mechanisms that are applicable
  in the broader arena.

  The Internet community developed its original protocol suite with
  only minimal provision for resource control [9].  This was
  appropriate at the time of development based on the assumed community
  (i.e., researchers) and the ground breaking nature of the technology.
  The next generation of network technology is now being designed to
  take advantage of high speed media and to support high demand traffic
  generated by more powerful computers and their applications [10].  As
  with TCP/IP we hope that the technology being developed will find
  itself applied outside of the research community. This time it would
  be inexcusable to ignore resource control requirements and not to pay
  careful attention to their specification.

  Finally, we look forward to the Internet structure taking advantage
  of economies of scale offered by enhanced commercial services.
  However, in many respects the problem that stub-ADs may thus avoid,
  will be faced by the multiple regional and long haul carriers
  providing the services. The carriers' charging and resource control
  policies will be complex enough to require routing mechanisms similar
  to ones being proposed for the complex AD topology case described
  here.  Whether the network structure is based on private or
  commercial services, the goal is to construct policy sensitive
  mechanisms that will be transparent to end users (i.e., the
  mechanisms are part of the routing infrastructure at the network
  level, and not an end to end concern).

6 POLICY TYPES

  This section outlines a taxonomy of internet policies for inter-AD
  topologies that allow lateral and bypass links.  The taxonomy is
  intended to cover a wide range of ADs and internets. Any particular
  PR architecture we design should support a significant subset of
  these policy types but may not support all of them due to technical
  complexity and performance considerations.  The general taxonomy is
  important input to a functional specification for PR. Moreover, it
  can be used to evaluate and compare the suitability and completeness
  of existing routing architectures and protocols for PR; see Section
  8.

Estrin [Page 9]

RFC 1125 Policy Requirements November 1989

  We provide examples from the Research Internet of the different
  policy types in the form of resource usage policy statements. These
  statements were collected through interviews with agency
  representatives, but they do not represent official policy. These
  sample policy statements should not} be interpreted as agency policy,
  they are provided here only as examples.

  Internet policies fall into two classes, access and charging.  Access
  policies specify who can use resources and under what conditions.
  Charging policies specify the metering, accounting, and billing
  implemented by a particular AD.

6.1 TAXONOMY OF ACCESS POLICIES

  We have identified the following types of access policies that ADs
  may wish to enforce. Charging policies are described in the
  subsequent section. Section 6.3 provides more specific examples of
  both access and charging policies using FRICC policy statements.

  Access policies typically are expressed in the form: principals of
  type x can have access to resources of type y under the following
  conditions, z. The policies are categorized below according to the
  definition of y and z.  In any particular instance, each of the
  policy types would be further qualified by definition of legitimate
  principals, , x, i.e., what characteristics x must have in order to
  access the resource in question.

  We refer to access policies described by stub and transit ADs.  The
  two roles imply different motivations for resource control, however
  the types of policies expressed are similar; we expect the supporting
  mechanisms to be common as well.

  Stub and transit access policies may specify any of the following
  parameters:

  * SOURCE/DESTINATION
  Source/Destination policies prevent or restrict communication
  originated by or destined for particular ADs (or hosts or user
  classes within an AD).

  * PATH
  Path sensitive policies specify which ADs may or may not be passed
  through en route to a destination. The most general path sensitive
  policies allow stub and transit ADs to express policies that depend
  on any component in the AD path. In other words, a stub AD could
  reject a route based on any AD (or combination of ADs) in the route.
  Similarly, a transit AD could express a packet forwarding policy that
  behaves differently depending upon which ADs a packet has passed

Estrin [Page 10]

RFC 1125 Policy Requirements November 1989

  through, and is going to pass through, en route to the destination.
  Less ambitious (and perhaps more reasonable) path sensitive policies
  might only discriminate according to the immediate neighbor ADs
  through which the packet is traveling (i.e., a stub network could
  reject a route based on the first transit AD in the route, and a
  transit AD could express a packet forwarding policy that depends upon
  the previous, and the subsequent, transit ADs in the route.)

  * QUALITY/TYPE OF SERVICE(QOS OR TOS)
  This type of policy restricts access to special resources or
  services.  For example, a special high throughput, low delay link may
  be made available on a selective basis.

  * RESOURCE GUARANTEE
  These policies provide a guaranteed percentage of a resource on a
  selective, as needed basis.  In other words, the resource can be used
  by others if the preferred-AD's offered load is below the guaranteed
  level of service.  The guarantee may be to always carry intra-AD
  traffic or to always carry inter-AD traffic for a specific AD.

  *  TEMPORAL
  Temporal policies restrict usage based on the time of day or other
  time related parameters.

  *  HIGH LEVEL PROTOCOL
  Usage may be restricted to a specific high level protocol such as
  mail or file transfer. (Alternatively, such policies can be
  implemented as source/destination policies by configuring a host(s)
  within an AD as an application relay and composing policy terms that
  allow inter-AD access to only that host.)

  *  RESOURCE LIMIT
  There may be a limit on the amount of traffic load a source may
  generate during a particular time interval, e.g., so many packets in
  a day, hour, or minute.

  *  AUTHENTICATION REQUIREMENTS
  Conditions may be specified regarding the authenticability of
  principal identifying information. Some ADs might require some form
  of cryptographic proof as to the identity and affiliations of the
  principal before providing access to critical resources.

  The above policy types usually exist in combination for a particular
  AD, i.e., an AD's policies might express a combination of transit,
  source/destination, and QOS restrictions. This taxonomy will evolve
  as PR is applied to other domains.

  As will be seen in Section 6.3 an AD can express its charging and

Estrin [Page 11]

RFC 1125 Policy Requirements November 1989

  access policies in a single syntax. Moreover, both stub and transit
  policies can co-exist. This is important since some ADs operate as
  both stub and transit facilities and require such hybrid control.

6.2 TAXONOMY OF CHARGING POLICIES

  Stub and transit charging policies  may specify the following
  parameters:

  *  UNIT OF ACCOUNTING (e.g., dollars or credits).
  *  BASIS FOR CHARGING (e.g., per Kbyte or per Kpkt).
  *  ACTUAL CHARGES (e.g., actual numbers such as $.50/Mbyte).
  *  WHO IS CHARGED OR PAID (e.g., originator of packet,
     immediate neighbor from whom packet was received, destination
     of packet, a third party collection agent).
  *  WHOSE PACKET COUNT is used (e.g., source, destination, the
     transit AD's own count, the count of some upstream or
     downstream AD).
  *  BOUND ON CHARGES (e.g., to limit the  amount that a stub
     AD is willing to spend, or the amount that a transit AD is
     willing to carry.)

  The enforcement of these policies may be carried out during route
  synthesis or route selection [4].

6.3 EXAMPLE POLICY STATEMENTS

  The following policy statements were collected in the fall of 1988
  through interviews with representatives of the federal agencies most
  involved in supporting internetworking. Once again we emphasize that
  these are not official policy statements. They are presented here to
  provide concrete examples of the sort of policies that agencies would
  like to enforce.

  Expressing policies as Policy Terms (PTs)

  Each policy is described in English and then expressed in a policy
  term (PT) notation suggested by Dave Clark in [4].  Each PT
  represents a distinct policy of the AD that synthesized it.  The
  format of a PT is:

   [(H{src},AD{src},AD{ent}),(H{dst},AD{dst},AD{exit}),UCI, Cg,Cb]

  Hsrc stands for source host, ADsrc for source AD, ADent for entering
  AD (i.e., neighboring AD from which traffic is arriving directly),
  Hdst for destination host, ADdst for destination AD, ADexit for exit
  AD (i.e.,neighboring AD to which traffic is going directly), UCI for
  user class identifier, and Cg and Cb for global and bilateral

Estrin [Page 12]

RFC 1125 Policy Requirements November 1989

  conditions, respectively. The purpose of a PT is to specify that
  packets from some host, H{src}, (or a group of hosts) in a source AD,
  AD{src}, are allowed to enter the AD in question via some directly
  connected AD, AD{ent}, and exit through another directly connected
  AD, AD{exit}, on its way to a host, H{dst}, (or a group of hosts) in
  some destination AD, AD{dst}.  User Class Identifier (UCI) allows for
  distinguishing between various user classes, e.g., Government,
  Research, Commercial, Contract, etc.  Global Conditions (Cg)
  represent billing and other variables.  Bilateral Conditions (Cb)
  relate to agreements between neighboring ADs, e.g., related to
  metering or charging.  In the example policy terms provided below we
  make use of the following abbreviations: Fricc for
  {DOE,NASA,DCA,NSF}, F for Federal Agency, Re for Regional, U for
  University, Co for Commercial Corporation, and Cc for Commercial
  Carrier. A hyphen, -, means no applicable matches.

  By examining a PT we can identify the type of policy represented, as
  per the taxonomy presented earlier.

  *  If an AD specifies a policy term that has a null (-) entry for
     the ADexit, then it is disallowing transit for some group of users,
     and it is a transit policy.

  *  If an AD specifies a  policy term that lists itself
     explicitly as ADsrc or ADdst, it is expressing restrictions on who
     can access particular resources within its boundaries, or on who inside
     can obtain external access. In other words the AD is expressing a
     source/destination policy.

  *  If ADexit or ADentr is specified then the policy expressed is an
     exit/entrance path policy.

  *  If the global conditions include charging, QOS, resource
     guarantee,  time of day, higher level application, resource limit, or
     authentication related information it is obviously a charging, QOS,
     resource guarantee, temporal, higher level application, resource
     limit, or authentication policy, respectively.

  As seen below, any one PT typically incorporates a combination of
  policy types.

6.3.1 THE FRICC

  In the following examples all policies (and PTs) are symmetrical
  under the assumption that communication is symmetrical.

Estrin [Page 13]

RFC 1125 Policy Requirements November 1989

NATIONAL SCIENCE FOUNDATION (NSF)

  1.  NSF will carry traffic for any host connected to a F/Re network
  talking to any other host connected to a F/Re via any F/Re entry and
  exit network, so long as there is it is being used for research or
  support. There is no authentication of the UCI and no per packet
  charging.  NSFnet is a backbone and so does not connect directly to
  universities or companies...thus the indication of {F/Re} instead of
  {F/Re/U/Co} as ADent and ADexit.

  [NSF1:  (*, {F/Re}, {F/Re})(*, {F/Re}, {F/Re}){research,support}
  {unauthenticated UCI,no-per-pkt charge}{}]

  2.  NSF will carry traffic to user and expert services hosts in NSF
  AD to/from any F/Re AD, via any F/Re AD. These are the only things
  that directly connect to NSFnet.

  [NSF2: ({User svcs, Expert Svcs},{NSF},{F/Re})(*,{F/Re},{-}){}{}{}]

DEPARTMENT OF ENERGY (DOE)

  1.  DOE will carry traffic to and from any host directly connected to
  DOE so long as it is used for research or support. There is no
  authentication of the UCI and no per packet charging.

  [DOE1: (*,DOE,-)(*,*,*){research,support}
  {unauthenticated UCI,no-per-packet charge}{}]

  2.  DOE will carry traffic for any host connected to a F/Re network
  talking to any other host connected to a F/Re via any F/Re entry and
  exit network without regard to the UCI. There is no authentication of
  the UCI and no per packet charging. (in other words DOE is more
  restrictive with its own traffic than with traffic it is carrying as
  part of a resource sharing arrangement.)

  [DOE2: (*,{F/Re},{F/Re})(*,{F/Re},{F/Re}){}
  {unauthenticated UCI, no-per-pkt charge}{}]

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION (NASA)

  1.  Nasa will accept any traffic to/from members of the Nasa AD. But
  no transit. No UCI authentication and no per packet charge.

  [NASA1: (*,*,*)(*,Nasa,-){Nasa-research, support}
  {unauthenticated UCI,no-per-packet-charge}{}]

  2.  Nasa will carry transit traffic to/from other federal agency
  networks if it is in support of research, and if the total use of

Estrin [Page 14]

RFC 1125 Policy Requirements November 1989

  available BW by non-nasa Federal agencies is below n%. NOTE THAT this
  non-interference policy type needs some more work in terms of
  integrating it into the routing algorithms. See Section 7.

  [NASA2: (*,{F},*)(*,{F},*){research,support}
  {per-packet accounting, limited to n% of available BW}{}]

  3.  NASA will carry commercial traffic to federal and regional and
  university ADs for nasa research or support. But it will not allow
  transit. The particular entry AD is not important.

  [NASA3: (*,{Co},*} (*,{F/R/U},*) {NASA research,support}
   {unauthenticated UCI, no per packet charge}{}]

  4.  On a case by case basis NASA may provide access to its resources
  on a cost reimbursed basis. Transit traffic will not be carried on
  this basis.

   [NASA4: (*,*,-)(*,*,-){}
   {per-packet-charge, limited to n% of available BW} {}]

DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)

  1.  DARPA will carry traffic to/from any host in DARPA AD from any
  external host that can get it there so long as UCI is research or
  support. No UCI authentication or per packet charge.

  [DARPA1: (*,*,*)(*,DARPA,-){research,support}
  {unauthenticated-UCI, no per packet charge}{}]

  2.  DARPA will carry traffic for any host connected to a F/Re/U/Co
  network talking to any other host connected to a F/Re/U/Co via any
  F/Re/U/Co entry and exit network, so long as there is it is being
  used for research or support, and the network is not heavily
  congested!!.  There is no authentication of the UCI and no per packet
  charging.  NOTE: Darpa would like to say something about the need to
  enter the Darpa AD at the point closest to the destination...but i
  don't know how to express this...

  DARPA2: (*,{F/R/U/Co},{F/R/U/Co})(*,{F/R/U/Co},{F/R/U/Co})
  {research,support}{unauthenticated-UCI,no per packet charge,
  non-interference basis}{}]

DEFENSE COMMUNICATIONS AGENCY (DCA)

  1.  DCA will not carry any transit traffic. It will only accept and
  send traffic to and from its mailbridge(s) and only from and to hosts
  on other F/Re nets. All packets are marked and charged for by the

Estrin [Page 15]

RFC 1125 Policy Requirements November 1989

  kilopacket.

  [DCA1:(mailbridge,DCA,-)(*,{F/Re},{F/Re}){research,support}
  {unauthenticated UCI, all incoming packets marked, per-kilopacket
  charge}{}]

6.3.2 THE REGIONALS

  Interviews with regional network administrations are now underway. In
  general their policies are still in formation due to the relatively
  recent formation of these regional networks. However, for the sake of
  illustration we provide an example of a hypothetical regional's
  network policies.

REGIONAL A

  1.  Regional A will carry traffic from/to any directly connected
  F/Re/U network to any F/Re/U network via NSF if it is for a research
  or support UCI. (NSF requires that all Regional networks only pass it
  traffic that complies with its, NSF's, policies!)

  [Regional A:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},NSF){research,support}
  {unauthenticated UCI, no-per-packet charge}{}]

REGIONAL B

  1.  Regional B will carry traffic from/to any directly connected
  F/Re/U network to any F/Re/U network via a commercial carrier
  regardless of its UCI. In this case the packets are charged for since
  the commercial carrier charges per kilopacket.

  [Regional B:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},Cc){}
  {unauthenticated UCI, per-kilopacket charge}{}]

6.3.3 CAMPUS AND PRIVATE NETWORKS

  Similar interviews should be conducted with administrators of campus
  and private networks. However, many aspects of their policies are
  contingent on the still unresolved policies of the regionals and
  federal agencies.  In any event, transit policies will be critical
  for campus and private networks to flexibly control access to lateral
  links and private wide area networks, respectively. For example, a
  small set of university and private laboratories may provide access
  to special gigabit links for particular classes of researchers.  On
  the other hand, source/destination policies should not be used in
  place of network level access controls for these end ADs.

Estrin [Page 16]

RFC 1125 Policy Requirements November 1989

6.3.4 COMMERCIAL SERVICES

  Currently commercial communication services play a low level role in
  most parts of today's Research Internet; they provide the
  transmission media, i.e.,leased lines. In the future we expect
  commercial carriers to provide increasingly higher level and enhanced
  services such as high speed packet switched backbone services.
  Because such services are not yet part of the Research Internet
  infrastructure there exist no policy statements.

  Charging and accounting are certain to be an important policy type in
  this context.  Moreover, we anticipate the long haul services market
  to be highly competitive. This implies that competing service
  providers will engage in significant gaming in terms of packaging and
  pricing of services. Consequently, the ability to express varied and
  dynamic charging policies will be critical for these ADs.

7 PROBLEMATIC REQUIREMENTS

  Most of this paper has lobbied for articulation of relatively
  detailed policy statements in order to help define the technical
  mechanisms needed for enforcement.  We promoted a top down design
  process beginning with articulation of desired policies.  Now we feel
  compelled to mention requirements that are clearly problematic from
  the bottom up perspective of technical feasibility.

  *  Non-interference policies are of the form "I will provide
     access for principals x to resources y so long as it does not
     interfere with my internal usage." The problem with such policies
     is that access to an AD at any point in time is contingent upon a
     local, highly dynamic, parameter that is not globally available.
     Therefore such a policy term could well result in looping,
     oscillations, and excessive route (re)computation overhead,
     both unacceptable. Consequently, this is one type of policy that
     routing experts suggest would be difficult to support in a very
     large decentralized internetwork.

  *  Granularity can also be problematic, but not as devistating as
     highly dynamic PR contingencies. Here the caution is less specific.
     Very fine grain policies, which restrict access to particular
     hosts, or are contingent upon very fine grain user class
     identification, may be achieved more efficiently with network
     level access control [11] or end system controls instead of
     burdening the inter-AD routing mechanism.

  *  Security  is expensive, as always. Routing protocols are subject
     to fraud through impersonation, data substitution, and denial of
     service. Some of the proposed mechanisms provide some means for

Estrin [Page 17]

RFC 1125 Policy Requirements November 1989

     detection and non-repudiation. However, to achieve a priori
     prevention of resource misuse is expensive in terms of per
     connection or per packet cryptographic overhead. For some
     environments we firmly believe that this will be necessary and
     we would prefer an architecture that would accommodate such
     variability [12].

  In general, it is difficult to predict the impact of any particular
  policy term. Tools will be needed to assist people in writing and
  validating policy terms.

8 PROPOSED MECHANISMS

  Previous routing protocols have addressed a narrower definition of
  PR, as appropriate for the internets of their day. In particular, EGP
  [3], DGP[13], and BGP[6] incorporate a notion of policy restrictions
  as to where routing database information travels. None are intended
  to support policy based routing of packets as described here.  More
  recent routing proposals such as Landmark [14] and Cartesian [15]
  could be used to restrict packet forwarding but are not suited to
  source/destination, and some of the condition-oriented, policies. We
  feel these policy types are critical to support. We note that for
  environments (e.g., within an AD substructure) in which the simple-
  AD-topology conjecture holds true, these alternatives may be
  suitable.

  RFC 1104 [5] provides a good description of shorter term policy
  routing requirements. Braun classifies three types of mechanisms,
  policy based distribution of route information, policy based packet
  forwarding, and policy based dynamic allocation of network resources.
  The second class is characterized by Dave Clark's PR architecture,
  RFC 1102 [4]. With respect to the longer term requirements laid out
  in this document, only this second class is expressive and flexible
  enough to support the multiplicity of stub and transit policies. In
  other words, the power of the PR approach (e.g., RFC1102) is not just
  in the added granularity of control pointed out by Braun, i.e., the
  ability to specify particular hosts and user classes. Its power is in
  the ability to express and enforce many types of stub and transit
  policies and apply them on a discriminatory basis to different ADs.
  In addition, this approach provides explicit support for stub ADs to
  control routes via the use of source routing.  (FOOTNOTE 12:
  Moreover, the source routing approach loosens the requirements for
  every AD to share a complete view of the entire internet by allowing
  the source to detect routing loops.)  (FOOTNOTE 13:  The match
  between RFC1102 and the requirements specified in this document is
  hardly a coincidence since Clark's paper and discussions with him
  contributed to the requirements formulation presented here. His work
  is currently being evaluated and refined by the ANRG and ORWG.)

Estrin [Page 18]

RFC 1125 Policy Requirements November 1989

9 SUMMARY

  Along with the emergence of very high speed applications and media,
  resource management has become a critical issue in the Research
  Internet and internets in general. A fundamental characteristic of
  the resource management problem is allowing administratively ADs to
  interconnect while retaining control over resource usage. However, we
  have lacked a careful articulation of the types of resource
  management policies that need to be supported.  This paper addresses
  policy requirements for the Research Internet.  After justifying our
  assumptions regarding AD topology we presented a taxonomy and
  examples of policies that must be supported by a PR protocol.

10 ACKNOWLEDGMENTS

  Members of the Autonomous Networks Research Group and Open Routing
  Working Group have contributed significantly to the ideas presented
  here, in particular, Guy Almes, Lee Breslau, Scott Brim, Dave Clark,
  Marianne Lepp, and Gene Tsudik. In addition, Lee Breslau and Gene
  Tsudik provided detailed comments on a previous draft. David Cheriton
  inadvertently caused me to write this document.  Sharon Anderson's
  contributions deserve special recognition.  The author is supported
  by research grants from National Science Foundation, AT&T, and GTE.

11 REFERENCES

  [1] J. Postel, Internet Protocol,  Network Information Center, RFC
      791, September 1981.

  [2] G. Vaudreuil, The Federal Research Internet Coordinating
      Committee and National Research Network, ACM SIG Computer
      Communications Review,April 1988.

  [3] E. Rosen, Exterior Gateway Protocol (EGP), Network Information
      Center, RFC 827, October 1982.

  [4] D. Clark, Policy Routing in Internet Protocols, Network
      Information Center, RFC 1102, May 1989.

  [5] H.W.Braun, Models of Policy Based Routing, Network Information
      Center, RFC 1104, June 1989.

  [6] K. Lougheed, Y. Rekhter, A Border Gateway Protocol, Network
      Information Center, RFC 1105, June 1989.

  [7] J. Saltzer, M. Schroeder, The Protection of Information in
      Computer Systems, Proceedings of the IEEE, 63, 9 September 1975.

Estrin [Page 19]

RFC 1125 Policy Requirements November 1989

  [8] V. Jacobson, Congestion Avoidance and Control.  Proceedings of
      ACM Sigcomm, pp. 106-114, August 1988, Palo Alto, CA.

  [9] David Clark, Design Philosophy of the DARPA Internet Protocols,
      Proceedings of ACM Sigcomm, pp. 106-114, August 1988, Palo Alto,
      CA.

 [10] Gigabit Networking Group, B. Leiner, Editor. Critical Issues in
      High Bandwidth Networking, Network Information Center, RFC 1077,
      November 1988.

 [11] D. Estrin, J. Mogul and G. Tsudik, Visa Protocols for Controlling
      Inter-Organizational Datagram Flow, To appear in IEEE Journal on
      Selected Areas in Communications, Spring 1989.

 [12] D. Estrin and G. Tsudik, Security Issues in Policy Routing, IEEE
      Symposium on Research in Security and Privacy, Oakland, CA.  May
      1-3 1989.

 [13]  M. Little, The Dissimilar Gateway Protocol,  Technical report

 [14] P. Tsuchiya, The Landmark Hierarchy: A new hierarchy for routing
      in very large networks, IEEE SIGCOMM 88, Palo Alto, CA. September
      1988.

 [15] G. Finn, Reducing the Vulnerability of Dynamic Computer Networks
      USC/Information Sciences Institute, Technical Report, ISI/RR-88-
      201 July 1988.

 [16] A. Nakassis Routing Algorithm for Open Routing, Unpublished
      paper, Available from the author at the National Institute of
      Standards and Technology (formerly NBS), Washington D.C.

11 SECURITY CONSIDERATIONS

      This memo does not address the security aspects of the issues
      discussed.

AUTHOR'S ADDRESS:

      Deborah Estrin
      University of Southern California
      Computer Science Department
      Los Angeles, CA 90089-0782

      Phone: (213) 743-7842

      EMail: [email protected]

Estrin [Page 20]

RFC 1125 Policy Requirements November 1989

Estrin [Page 21]

Anonymous

Search

Difference between revisions of "RFC1125"

Namespaces

More

Page actions

Revision as of 22:52, 22 September 2020

Navigation

Navigation

Wiki tools

Wiki tools

Anonymous

Search

Difference between revisions of "RFC1125"

Revision as of 22:52, 22 September 2020

Navigation

Wiki tools

Page tools