Network Working Group D. Estrin Request for Comments: 1125 USC Computer Science Department November 1989 POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING 1 STATUS OF THIS MEMO The purpose of this memo is to focus discussion on particular problems in the Internet and possible methods of solution. No proposed solutions in this document are intended as standards for the Internet. Rather, it is hoped that a general consensus will emerge as to the appropriate solution to such problems, leading eventually to the development and adoption of standards. Distribution of this memo is unlimited. 2 ABSTRACT Efforts are now underway to develop a new generation of routing protocol that will allow each Administrative Domain (AD) in the growing Internet (and internets in general) to independently express and enforce policies regarding the flow of packets to, from, and through its resources. (FOOTNOTE 1: The material presented here incorporates discussions held with members of the IAB Autonomous Networks Research Group and the Open Routing Working Group.) This document articulates the requirements for policy based routing and should be used as input to the functional specification and evaluation of proposed protocols. Two critical assumptions will shape the type of routing mechanism that is devised: (1) the topological organization of ADs, and (2) the type and variability of policies expressed by ADs. After justifying our assumptions regarding AD topology we present a taxonomy, and specific examples, of policies that must be supported by a PR protocol. We conclude with a brief discussion of policy routing mechanisms proposed in previous RFCs (827, 1102, 1104, 1105). Future RFCs will elaborate on the architecture and protocols needed to support the requirements presented here. 3 BACKGROUND The Research Internet has evolved from a single backbone wide area network with many connected campus networks, to an internet with multiple cross-country backbones, regional access networks, and a profusion of campus networks. (FOOTNOTE 2: The term Research Internet refers to a collection of government, university, and some private company, networks that are used by researchers to access shared Estrin [Page 1] RFC 1125 Policy Requirements November 1989 computing resources (e.g., supercomputers), and for research related information exchange (e.g., distribution of software, technical documents, and email). The networks that make up the Research Internet run the DOD Internet Protocol [1].) At times during its development the Research Internet topology appeared somewhat chaotic. Overlapping facilities and lateral (as opposed to hierarchical) connections seemed to be the rule rather than the exception. Today the Research Internet topology is becoming more regular through coordination of agency investment and adoption of a hierarchy similar to that of the telephone networks'. The result is several overlapping wide area backbones connected to regional networks, which in turn connect to campus networks at universities, research laboratories, and private companies. However, the telephone network has lateral connections only at the highest level, i.e., between long haul carriers. In the Research Internet there exist lateral connections at each level of the hierarchy, i.e., between campus (and regional) networks as well. Additional complexity is introduced in the Research Internet by virtue of connections to private networks. Many private companies are connected to the Research Internet for purposes of research or support activities. These private companies connect in the same manner as campuses, via a regional network or via lateral links to other campuses. However, many companies have their own private wide area networks which physically overlap with backbone and/or regional networks in the research internet, i.e., private vertical bypass links. Implicit in this complex topology are organizational boundaries. These boundaries define Administrative Domains (ADs) which preclude the imposition of a single, centralized set of policies on all resources. The subject of this paper is the policy requirements for resource usage control in the Research Internet. In the remainder of this section we describe the policy routing problem in very general terms. Section 4 examines the constraints and requirements that makes the problem challenging, and leads us to conclude that a new generation of routing and resource control protocols are needed. Section 5 provides more detail on our assumptions as to the future topology and configuration of interconnected ADs. We return to the subject of policy requirements in Section 7 and categorize the different types of policies that ADs in the research internet may want to enforce. Included in this section are examples of FRICC policy statements. (FOOTNOTE 3: The Federal Research Internet Coordinating Committee (FRICC) is made up of representatives of each of the major agencies that are involved in networking. They have been very effective in coordinating their efforts to eliminate inefficient redundancy and have proposed a plan Estrin [Page 2] RFC 1125 Policy Requirements November 1989 for the next 10 years of internetworking for the government, scientific, and education community [2].) Section 7 identifies types of policy statements that are problematic to enforce due to their dynamics, granularity, or performance implications. Several proposed mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105) are discussed briefly in Section 8. Future RFCs will elaborate on the architecture and protocols needed to support the requirements presented here. 3.1 POLICY ROUTING Previous protocols such as the Exterior Gateway Protocol (EGP)[3] embodied a limited notion of policy and ADs. In particular, autonomous system boundaries constrained the flow of routing database information, and only indirectly affected the flow of packets themselves. We consider an Administrative Domain (AD) to be a set of hosts and network resources (gateways, links, etc.) that is governed by common policies. In large internets that cross organization boundaries, e.g., the Research Internet, inter-AD routes must be selected according to policy-related parameters such as cost and access rights, in addition to the traditional parameters of connectivity and congestion. In other words, Policy Routing (PR) is needed to navigate through the complex web of policy boundaries created by numerous interconnected ADs. Moreover, each AD has its own privileges and perspective and therefore must make its own evaluation of legal and preferred routes. Efforts are now underway to develop a new generation of routing protocol that will allow each AD to independently express and enforce policies regarding the flow of packets to, from, and through its resources [4]. (FOOTNOTE 4: These issues are under investigation by the IAB Autonomous Networks Research Group and the IAB Open Routing Working Group. For further information contact the author.) The purpose of this paper is to articulate the requirements for such policy based routing. Two critical assumptions will shape the type of routing mechanism that is devised: * The topological organization of ADs, and * The type and variability of policies expressed by ADs. We make use of the policies expressed by owners of current Research Internet resources and private networks connected to the Research Internet to generalize types of policies that must be supported. This top down effort must be done with attention to the technical implications of the policy statements if the result is to be useful in guiding technical development. For example, some ADs express the desire to enforce local constraints over how packets travel to their destination. Other ADs are only concerned with preventing use of Estrin [Page 3] RFC 1125 Policy Requirements November 1989 their own network resources by restricting transit. Still other ADs are concerned primarily with recovering the expense of carrying traffic and providing feedback to users so that users will limit their own data flows; in other words they are concerned with charging. We refer to ADs whose primary concern is communication to and from hosts within their AD as stub and to ADs whose primary concern is carrying packets to and from other ADs as transit}. If we address control of transit alone, for example, the resulting mechanisms will not necessarily allow an AD to control the flow of its packets from source to destination, or to implement flexible charging schemes. (FOOTNOTE 5: Gene Tsudik uses the analogy of international travel to express the need for source and transit controls. Each country expresses its own policies about travel to and through its land. Travel through one country enroute to another is analogous to transit traffic in the network world. A traveler collects policy information from each of the countries of interest and plans an itinerary that conforms to those policies as well as the preferences of the traveler and his/her home nation. Thus there is both source and transit region control of routing.) Our purpose is to articulate a comprehensive set of requirements for PR as input to the functional specification, and evaluation, of proposed protocols. 4 WHY THE PROBLEM IS DIFFICULT Before proceeding with our description of topology and policy requirements this section outlines several assumptions and constraints, namely: the lack of global authority, the need to support network resource sharing as well as network interconnection, the complex and dynamic mapping of users to ADs and privileges, and the need for accountability across ADs. These assumptions limit the solution space and raise challenging technical issues. The purpose of policy based routing is to allow ADs to interconnect and share computer and network resources in a controlled manner. Unlike many other problems of resource control, there is no global authority. Each AD defines its own policies with respect to its own traffic and resources. However, while we assume no global authority, and no global policies, we recognize that complete autonomy implies no dependence and therefore no communication. The multi-organization internets addressed here have inherent regions of autonomy, as well as requirements for interdependence. Our mechanisms should allow ADs to design their boundaries, instead of requiring that the boundaries be either impenetrable or eliminated. One of the most problematic aspects of the policy routing requirements identified here is the need to support both network resource sharing and interconnection across ADs. An example of resource sharing is two ADs (e.g., agencies, divisions, companies) Estrin [Page 4] RFC 1125 Policy Requirements November 1989 sharing network resources (e.g., links, or gateways and links) to take advantage of economies of scale. Providing transit services to external ADs is another example of network resource sharing. Interconnection is the more common example of ADs interconnecting their independently used network resources to achieve connectivity across the ADs, i.e., to allow a user in one AD to communicate with users in another AD. In some respects, network resource control is simpler than network interconnection control since the potential dangers are fewer (i.e., denial of service and loss of revenue as compared with a wide range of attacks on end systems through network interconnection). However, controlled network resource sharing is more difficult to support. In an internet a packet may travel through a number of transit ADs on its way to the destination. Consequently, policies from all transit ADs must be considered when a packet is being sent, whereas for stub-AD control only the policies of the two end point ADs have to be considered. In other words, controlled network resource sharing and transit require that policy enforcement be integrated into the routing protocols themselves and can not be left to network control mechanisms at the end points. (FOOTNOTE 6&7: Another difference is that in the interconnect case, traffic traveling over AD A's network resources always has a member of AD A as its source or destination (or both). Under resource sharing arrangements members of both AD A and B are connected to the same resources and consequently intra-AD traffic (i.e., packets sourced and destined for members of the same AD) travels over the resources. This distinction is relevant to the writing of policies in terms of principal affiliation. Economies of scale is one motivation for resource sharing. For example, instead of interconnecting separately to several independent agency networks, a campus network may interconnect to a shared backbone facility. Today, interconnection is achieved through a combination of AD specific and shared arrangements. We expect this mixed situation to persist for "well-connected" campuses for reasons of politics, economics, and functionality (e.g., different characteristics of the different agency-networks). See Section 5 for more discussion.) Complications also result from the fact that legitimate users of an AD's resources are not all located in that AD. Many users (and their computers) who are funded by, or are affiliated with, a particular agency's program reside within the AD of the user's university or research laboratory. They reside in a campus AD along with users who are legitimate users of other AD resources. Moreover, any one person may be a legitimate user of multiple AR resources under varying conditions and constraints (see examples in Section 6). In addition, users can move from one AD to another. In other words, a user's rights can not be determined solely based on the AD from which the user's communications originate. Consequently, PR must not only identify resources, it must identify principals and associate Estrin [Page 5] RFC 1125 Policy Requirements November 1989 different capabilities and rights with different principals. (The term principal is taken from the computer security community[7].) One way of reducing the compromise of autonomy associated with interconnection is to implement mechanisms that assure accountability} for resources used. Accountability may be enforced a priori, e.g., access control mechanisms applied before resource usage is permitted. Alternatively, accountability may be enforced after the fact, e.g., record keeping or metering that supports detection and provides evidence to third parties (i.e., non-repudiation). Accountability mechanisms can also be used to provide feedback to users as to consumption of resources. Internally an AD often decides to do away with such feedback under the premise that communication is a global good and should not be inhibited. There is not necessarily a "global good" across AD boundaries. Therefore, it becomes more appropriate to have resource usage visible to users, whether or not actual charging for usage takes place. Another motivation that drives the need for accountability across AD boundaries is the greater variability in implementations. Different implementations of a single network protocol can vary greatly as to their efficiency [8]. We can not assume control over implementation across AD boundaries. Feedback mechanisms such as metering (and charging in some cases) would introduce a concrete incentive for ADs to employ efficient and correct implementations. PR should allow an AD to advertise and apply such accounting measures to inter-AD traffic. In summary, the lack of global authority, the need to support network resource sharing as well as network interconnection, the complex and dynamic mapping of users to ADs and rights, and the need for accountability across ADs, are characteristics of inter-AD communications which must be taken into account in the design of both policies and supporting technical mechanisms. 5 TOPOLOGY MODEL OF INTERNET Before discussing policies per se, we outline our model of inter-AD topology and how it influences the type of policy support required. Most members of the Internet community agree that the future Internet will connect on the order of 150,000,000 termination points and 100,000 ADs. However, there are conflicting opinions as to the AD topology for which we must design PR mechanisms. The informal argument is described here. SIMPLE AD TOPOLOGY AND POLICY MODEL Some members of the Internet community believe that the current complex topology of interconnected ADs is a transient artifact resulting from the evolutionary nature of the Research Internet's history. (FOOTNOTE 9: David Cheriton of Stanford University articulated this side of the argument at an Estrin [Page 6] RFC 1125 Policy Requirements November 1989 Internet workshop in Santa Clara, January, 1989). The critical points of this argument relate to topology and policy. They contend that in the long term the following three conditions will prevail: * The public carriers will provide pervasive, competitively priced, high speed data services. * The resulting topology of ADs will be stub (not transit) ADs connected to regional backbones, which in turn interconnect via multiple, overlapping long haul backbones, i.e., a hierarchy with no lateral connections between stub-ADs or regionals, and no vertical bypass links. * The policy requirements of the backbone and stub-ADs will be based only on charging for resource usage at the stub-AD to backbone-AD boundary, and to settling accounts between neighboring backbone providers (regional to long haul, and long haul to long haul). Under these assumptions, the primary requirement for general AD interconnect is a metering and charging protocol. The routing decision can be modeled as a simple least cost path with the metric in dollars and cents. In other words, restrictions on access to transit services will be minimal and the functionality provided by the routing protocol need not be changed significantly from current day approaches. COMPLEX AD TOPOLOGY AND POLICY MODEL The counter argument is that a more complex AD topology will persist. (FOOTNOTE 10: Much of the remainder of this paper attempts to justify and provide evidence for this statement.) The different assumptions about AD topology lead to the significantly different assumptions about AD policies. This model assumes that the topology of ADs will in many respects agree with the previous model of increased commercial carrier participation and resulting hierarchical structure. However, we anticipate unavoidable and persistent exceptions to the hierarchy. We assume that there will be a relatively small number of long haul transit ADs (on the order of 100), but that there may be tens of thousands of regional ADs and hundreds of thousands of stub ADs (e.g., campuses, laboratories, and private companies). The competing long haul offerings will differ, both in the services provided and in their packaging and pricing. Regional networks will overlap less and will connect campus and private company networks. However, many stub-ADs will retain some private lateral links for political, technical, and reliability reasons. For example, political incentives cause organizations to invest in bypass links that are not Estrin [Page 7] RFC 1125 Policy Requirements November 1989 always justifiable on a strict cost comparison basis; specialized technical requirements cause organizations to invest in links that have characteristics (e.g., data rate, delay, error, security) not available from public carriers at a competitive rate; and critical requirements cause organizations to invest in redundant back up links for reliability reasons. These exceptions to the otherwise regular topology are not dispensible. They will persist and must be accommodated, perhaps at the expense of optimality; see Section 5 for more detail. In addition, many private companies will retain their own private long haul network facilities. (FOOTNOTE 11: While private voice networks also exist, private data networks are more common. Voice requirements are more standardized because voice applications are more uniform than are data applications, and therefore the commercial services more often have what the voice customer wants at a price that is competitive with the private network option. Data communication requirements are still more specialized and dynamic. Thus, there is less opportunity for economy of scale in service offerings and it is harder to keep up to date with customer demand. For this reason we expect private data networks to persist for the near future. As the telephone companies begin to introduce the next generation of high speed packet switched services, the scenario should change. However, we maintain that the result will be a predominance, but not complete dominance, of public carrier use for long haul communication. Therefore, private data networks will persist and the routing architecture must accommodate controlled interconnection.) Critical differences between the two models follow from the difference in assumptions regarding AD topology. In the complex case, lateral connections must be supported, along with the means to control the use of such connections in the routing protocols. The different topologies imply different policy requirements. The first model assumes that all policies can be expressed and enforced in terms of dollars and cents and distributed charging schemes. The second model assumes that ADs want more varied control over their resources, control that can not be captured in a dollars and cents metric alone. We describe the types of policies to be supported and provide examples in the following section, Section 6. In brief, given private lateral links, ADs must be able to express access and charging related restrictions and privileges that discriminate on an AD basis. These policies will be diverse, dynamic, and new requirements will emerge over time, consequently support must be extensible. For example, the packaging and charging schemes of any single long haul service will vary over time and may be relatively elaborate (e.g., many tiers of service, special package deals, to achieve price discrimination). Note that these assumptions about complexity do not preclude some Estrin [Page 8] RFC 1125 Policy Requirements November 1989 collection of ADs from "negotiating away" their policy differences, i.e., forming a federation, and coordinating a simplified inter-AD configuration in order to reduce the requirements for inter-AD mechanisms. However, we maintain that there will persist collections of ADs that will not and can not behave as a single federation; both in the research community and, even more predominantly, in the broader commercial arena. Moreover, when it comes to interconnecting across these federations, non-negotiable differences will arise eventually. It is our goal to develop mechanisms that are applicable in the broader arena. The Internet community developed its original protocol suite with only minimal provision for resource control [9]. This was appropriate at the time of development based on the assumed community (i.e., researchers) and the ground breaking nature of the technology. The next generation of network technology is now being designed to take advantage of high speed media and to support high demand traffic generated by more powerful computers and their applications [10]. As with TCP/IP we hope that the technology being developed will find itself applied outside of the research community. This time it would be inexcusable to ignore resource control requirements and not to pay careful attention to their specification. Finally, we look forward to the Internet structure taking advantage of economies of scale offered by enhanced commercial services. However, in many respects the problem that stub-ADs may thus avoid, will be faced by the multiple regional and long haul carriers providing the services. The carriers' charging and resource control policies will be complex enough to require routing mechanisms similar to ones being proposed for the complex AD topology case described here. Whether the network structure is based on private or commercial services, the goal is to construct policy sensitive mechanisms that will be transparent to end users (i.e., the mechanisms are part of the routing infrastructure at the network level, and not an end to end concern). 6 POLICY TYPES This section outlines a taxonomy of internet policies for inter-AD topologies that allow lateral and bypass links. The taxonomy is intended to cover a wide range of ADs and internets. Any particular PR architecture we design should support a significant subset of these policy types but may not support all of them due to technical complexity and performance considerations. The general taxonomy is important input to a functional specification for PR. Moreover, it can be used to evaluate and compare the suitability and completeness of existing routing architectures and protocols for PR; see Section 8. Estrin [Page 9] RFC 1125 Policy Requirements November 1989 We provide examples from the Research Internet of the different policy types in the form of resource usage policy statements. These statements were collected through interviews with agency representatives, but they do not represent official policy. These sample policy statements should not} be interpreted as agency policy, they are provided here only as examples. Internet policies fall into two classes, access and charging. Access policies specify who can use resources and under what conditions. Charging policies specify the metering, accounting, and billing implemented by a particular AD. 6.1 TAXONOMY OF ACCESS POLICIES We have identified the following types of access policies that ADs may wish to enforce. Charging policies are described in the subsequent section. Section 6.3 provides more specific examples of both access and charging policies using FRICC policy statements. Access policies typically are expressed in the form: principals of type x can have access to resources of type y under the following conditions, z. The policies are categorized below according to the definition of y and z. In any particular instance, each of the policy types would be further qualified by definition of legitimate principals, , x, i.e., what characteristics x must have in order to access the resource in question. We refer to access policies described by stub and transit ADs. The two roles imply different motivations for resource control, however the types of policies expressed are similar; we expect the supporting mechanisms to be common as well. Stub and transit access policies may specify any of the following parameters: * SOURCE/DESTINATION Source/Destination policies prevent or restrict communication originated by or destined for particular ADs (or hosts or user classes within an AD). * PATH Path sensitive policies specify which ADs may or may not be passed through en route to a destination. The most general path sensitive policies allow stub and transit ADs to express policies that depend on any component in the AD path. In other words, a stub AD could reject a route based on any AD (or combination of ADs) in the route. Similarly, a transit AD could express a packet forwarding policy that behaves differently depending upon which ADs a packet has passed Estrin [Page 10] RFC 1125 Policy Requirements November 1989 through, and is going to pass through, en route to the destination. Less ambitious (and perhaps more reasonable) path sensitive policies might only discriminate according to the immediate neighbor ADs through which the packet is traveling (i.e., a stub network could reject a route based on the first transit AD in the route, and a transit AD could express a packet forwarding policy that depends upon the previous, and the subsequent, transit ADs in the route.) * QUALITY/TYPE OF SERVICE(QOS OR TOS) This type of policy restricts access to special resources or services. For example, a special high throughput, low delay link may be made available on a selective basis. * RESOURCE GUARANTEE These policies provide a guaranteed percentage of a resource on a selective, as needed basis. In other words, the resource can be used by others if the preferred-AD's offered load is below the guaranteed level of service. The guarantee may be to always carry intra-AD traffic or to always carry inter-AD traffic for a specific AD. * TEMPORAL Temporal policies restrict usage based on the time of day or other time related parameters. * HIGH LEVEL PROTOCOL Usage may be restricted to a specific high level protocol such as mail or file transfer. (Alternatively, such policies can be implemented as source/destination policies by configuring a host(s) within an AD as an application relay and composing policy terms that allow inter-AD access to only that host.) * RESOURCE LIMIT There may be a limit on the amount of traffic load a source may generate during a particular time interval, e.g., so many packets in a day, hour, or minute. * AUTHENTICATION REQUIREMENTS Conditions may be specified regarding the authenticability of principal identifying information. Some ADs might require some form of cryptographic proof as to the identity and affiliations of the principal before providing access to critical resources. The above policy types usually exist in combination for a particular AD, i.e., an AD's policies might express a combination of transit, source/destination, and QOS restrictions. This taxonomy will evolve as PR is applied to other domains. As will be seen in Section 6.3 an AD can express its charging and Estrin [Page 11] RFC 1125 Policy Requirements November 1989 access policies in a single syntax. Moreover, both stub and transit policies can co-exist. This is important since some ADs operate as both stub and transit facilities and require such hybrid control. 6.2 TAXONOMY OF CHARGING POLICIES Stub and transit charging policies may specify the following parameters: * UNIT OF ACCOUNTING (e.g., dollars or credits). * BASIS FOR CHARGING (e.g., per Kbyte or per Kpkt). * ACTUAL CHARGES (e.g., actual numbers such as $.50/Mbyte). * WHO IS CHARGED OR PAID (e.g., originator of packet, immediate neighbor from whom packet was received, destination of packet, a third party collection agent). * WHOSE PACKET COUNT is used (e.g., source, destination, the transit AD's own count, the count of some upstream or downstream AD). * BOUND ON CHARGES (e.g., to limit the amount that a stub AD is willing to spend, or the amount that a transit AD is willing to carry.) The enforcement of these policies may be carried out during route synthesis or route selection [4]. 6.3 EXAMPLE POLICY STATEMENTS The following policy statements were collected in the fall of 1988 through interviews with representatives of the federal agencies most involved in supporting internetworking. Once again we emphasize that these are not official policy statements. They are presented here to provide concrete examples of the sort of policies that agencies would like to enforce. Expressing policies as Policy Terms (PTs) Each policy is described in English and then expressed in a policy term (PT) notation suggested by Dave Clark in [4]. Each PT represents a distinct policy of the AD that synthesized it. The format of a PT is: [(H{src},AD{src},AD{ent}),(H{dst},AD{dst},AD{exit}),UCI, Cg,Cb] Hsrc stands for source host, ADsrc for source AD, ADent for entering AD (i.e., neighboring AD from which traffic is arriving directly), Hdst for destination host, ADdst for destination AD, ADexit for exit AD (i.e.,neighboring AD to which traffic is going directly), UCI for user class identifier, and Cg and Cb for global and bilateral Estrin [Page 12] RFC 1125 Policy Requirements November 1989 conditions, respectively. The purpose of a PT is to specify that packets from some host, H{src}, (or a group of hosts) in a source AD, AD{src}, are allowed to enter the AD in question via some directly connected AD, AD{ent}, and exit through another directly connected AD, AD{exit}, on its way to a host, H{dst}, (or a group of hosts) in some destination AD, AD{dst}. User Class Identifier (UCI) allows for distinguishing between various user classes, e.g., Government, Research, Commercial, Contract, etc. Global Conditions (Cg) represent billing and other variables. Bilateral Conditions (Cb) relate to agreements between neighboring ADs, e.g., related to metering or charging. In the example policy terms provided below we make use of the following abbreviations: Fricc for {DOE,NASA,DCA,NSF}, F for Federal Agency, Re for Regional, U for University, Co for Commercial Corporation, and Cc for Commercial Carrier. A hyphen, -, means no applicable matches. By examining a PT we can identify the type of policy represented, as per the taxonomy presented earlier. * If an AD specifies a policy term that has a null (-) entry for the ADexit, then it is disallowing transit for some group of users, and it is a transit policy. * If an AD specifies a policy term that lists itself explicitly as ADsrc or ADdst, it is expressing restrictions on who can access particular resources within its boundaries, or on who inside can obtain external access. In other words the AD is expressing a source/destination policy. * If ADexit or ADentr is specified then the policy expressed is an exit/entrance path policy. * If the global conditions include charging, QOS, resource guarantee, time of day, higher level application, resource limit, or authentication related information it is obviously a charging, QOS, resource guarantee, temporal, higher level application, resource limit, or authentication policy, respectively. As seen below, any one PT typically incorporates a combination of policy types. 6.3.1 THE FRICC In the following examples all policies (and PTs) are symmetrical under the assumption that communication is symmetrical. Estrin [Page 13] RFC 1125 Policy Requirements November 1989 NATIONAL SCIENCE FOUNDATION (NSF) 1. NSF will carry traffic for any host connected to a F/Re network talking to any other host connected to a F/Re via any F/Re entry and exit network, so long as there is it is being used for research or support. There is no authentication of the UCI and no per packet charging. NSFnet is a backbone and so does not connect directly to universities or companies...thus the indication of {F/Re} instead of {F/Re/U/Co} as ADent and ADexit. [NSF1: (*, {F/Re}, {F/Re})(*, {F/Re}, {F/Re}){research,support} {unauthenticated UCI,no-per-pkt charge}{}] 2. NSF will carry traffic to user and expert services hosts in NSF AD to/from any F/Re AD, via any F/Re AD. These are the only things that directly connect to NSFnet. [NSF2: ({User svcs, Expert Svcs},{NSF},{F/Re})(*,{F/Re},{-}){}{}{}] DEPARTMENT OF ENERGY (DOE) 1. DOE will carry traffic to and from any host directly connected to DOE so long as it is used for research or support. There is no authentication of the UCI and no per packet charging. [DOE1: (*,DOE,-)(*,*,*){research,support} {unauthenticated UCI,no-per-packet charge}{}] 2. DOE will carry traffic for any host connected to a F/Re network talking to any other host connected to a F/Re via any F/Re entry and exit network without regard to the UCI. There is no authentication of the UCI and no per packet charging. (in other words DOE is more restrictive with its own traffic than with traffic it is carrying as part of a resource sharing arrangement.) [DOE2: (*,{F/Re},{F/Re})(*,{F/Re},{F/Re}){} {unauthenticated UCI, no-per-pkt charge}{}] NATIONAL AERONAUTICS AND SPACE ADMINISTRATION (NASA) 1. Nasa will accept any traffic to/from members of the Nasa AD. But no transit. No UCI authentication and no per packet charge. [NASA1: (*,*,*)(*,Nasa,-){Nasa-research, support} {unauthenticated UCI,no-per-packet-charge}{}] 2. Nasa will carry transit traffic to/from other federal agency networks if it is in support of research, and if the total use of Estrin [Page 14] RFC 1125 Policy Requirements November 1989 available BW by non-nasa Federal agencies is below n%. NOTE THAT this non-interference policy type needs some more work in terms of integrating it into the routing algorithms. See Section 7. [NASA2: (*,{F},*)(*,{F},*){research,support} {per-packet accounting, limited to n% of available BW}{}] 3. NASA will carry commercial traffic to federal and regional and university ADs for nasa research or support. But it will not allow transit. The particular entry AD is not important. [NASA3: (*,{Co},*} (*,{F/R/U},*) {NASA research,support} {unauthenticated UCI, no per packet charge}{}] 4. On a case by case basis NASA may provide access to its resources on a cost reimbursed basis. Transit traffic will not be carried on this basis. [NASA4: (*,*,-)(*,*,-){} {per-packet-charge, limited to n% of available BW} {}] DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA) 1. DARPA will carry traffic to/from any host in DARPA AD from any external host that can get it there so long as UCI is research or support. No UCI authentication or per packet charge. [DARPA1: (*,*,*)(*,DARPA,-){research,support} {unauthenticated-UCI, no per packet charge}{}] 2. DARPA will carry traffic for any host connected to a F/Re/U/Co network talking to any other host connected to a F/Re/U/Co via any F/Re/U/Co entry and exit network, so long as there is it is being used for research or support, and the network is not heavily congested!!. There is no authentication of the UCI and no per packet charging. NOTE: Darpa would like to say something about the need to enter the Darpa AD at the point closest to the destination...but i don't know how to express this... DARPA2: (*,{F/R/U/Co},{F/R/U/Co})(*,{F/R/U/Co},{F/R/U/Co}) {research,support}{unauthenticated-UCI,no per packet charge, non-interference basis}{}] DEFENSE COMMUNICATIONS AGENCY (DCA) 1. DCA will not carry any transit traffic. It will only accept and send traffic to and from its mailbridge(s) and only from and to hosts on other F/Re nets. All packets are marked and charged for by the Estrin [Page 15] RFC 1125 Policy Requirements November 1989 kilopacket. [DCA1:(mailbridge,DCA,-)(*,{F/Re},{F/Re}){research,support} {unauthenticated UCI, all incoming packets marked, per-kilopacket charge}{}] 6.3.2 THE REGIONALS Interviews with regional network administrations are now underway. In general their policies are still in formation due to the relatively recent formation of these regional networks. However, for the sake of illustration we provide an example of a hypothetical regional's network policies. REGIONAL A 1. Regional A will carry traffic from/to any directly connected F/Re/U network to any F/Re/U network via NSF if it is for a research or support UCI. (NSF requires that all Regional networks only pass it traffic that complies with its, NSF's, policies!) [Regional A:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},NSF){research,support} {unauthenticated UCI, no-per-packet charge}{}] REGIONAL B 1. Regional B will carry traffic from/to any directly connected F/Re/U network to any F/Re/U network via a commercial carrier regardless of its UCI. In this case the packets are charged for since the commercial carrier charges per kilopacket. [Regional B:(*,{F/Re/U},{F/Re/U})(*,{F/Re/U},Cc){} {unauthenticated UCI, per-kilopacket charge}{}] 6.3.3 CAMPUS AND PRIVATE NETWORKS Similar interviews should be conducted with administrators of campus and private networks. However, many aspects of their policies are contingent on the still unresolved policies of the regionals and federal agencies. In any event, transit policies will be critical for campus and private networks to flexibly control access to lateral links and private wide area networks, respectively. For example, a small set of university and private laboratories may provide access to special gigabit links for particular classes of researchers. On the other hand, source/destination policies should not be used in place of network level access controls for these end ADs. Estrin [Page 16] RFC 1125 Policy Requirements November 1989 6.3.4 COMMERCIAL SERVICES Currently commercial communication services play a low level role in most parts of today's Research Internet; they provide the transmission media, i.e.,leased lines. In the future we expect commercial carriers to provide increasingly higher level and enhanced services such as high speed packet switched backbone services. Because such services are not yet part of the Research Internet infrastructure there exist no policy statements. Charging and accounting are certain to be an important policy type in this context. Moreover, we anticipate the long haul services market to be highly competitive. This implies that competing service providers will engage in significant gaming in terms of packaging and pricing of services. Consequently, the ability to express varied and dynamic charging policies will be critical for these ADs. 7 PROBLEMATIC REQUIREMENTS Most of this paper has lobbied for articulation of relatively detailed policy statements in order to help define the technical mechanisms needed for enforcement. We promoted a top down design process beginning with articulation of desired policies. Now we feel compelled to mention requirements that are clearly problematic from the bottom up perspective of technical feasibility. * Non-interference policies are of the form "I will provide access for principals x to resources y so long as it does not interfere with my internal usage." The problem with such policies is that access to an AD at any point in time is contingent upon a local, highly dynamic, parameter that is not globally available. Therefore such a policy term could well result in looping, oscillations, and excessive route (re)computation overhead, both unacceptable. Consequently, this is one type of policy that routing experts suggest would be difficult to support in a very large decentralized internetwork. * Granularity can also be problematic, but not as devistating as highly dynamic PR contingencies. Here the caution is less specific. Very fine grain policies, which restrict access to particular hosts, or are contingent upon very fine grain user class identification, may be achieved more efficiently with network level access control [11] or end system controls instead of burdening the inter-AD routing mechanism. * Security is expensive, as always. Routing protocols are subject to fraud through impersonation, data substitution, and denial of service. Some of the proposed mechanisms provide some means for Estrin [Page 17] RFC 1125 Policy Requirements November 1989 detection and non-repudiation. However, to achieve a priori prevention of resource misuse is expensive in terms of per connection or per packet cryptographic overhead. For some environments we firmly believe that this will be necessary and we would prefer an architecture that would accommodate such variability [12]. In general, it is difficult to predict the impact of any particular policy term. Tools will be needed to assist people in writing and validating policy terms. 8 PROPOSED MECHANISMS Previous routing protocols have addressed a narrower definition of PR, as appropriate for the internets of their day. In particular, EGP [3], DGP[13], and BGP[6] incorporate a notion of policy restrictions as to where routing database information travels. None are intended to support policy based routing of packets as described here. More recent routing proposals such as Landmark [14] and Cartesian [15] could be used to restrict packet forwarding but are not suited to source/destination, and some of the condition-oriented, policies. We feel these policy types are critical to support. We note that for environments (e.g., within an AD substructure) in which the simple- AD-topology conjecture holds true, these alternatives may be suitable. RFC 1104 [5] provides a good description of shorter term policy routing requirements. Braun classifies three types of mechanisms, policy based distribution of route information, policy based packet forwarding, and policy based dynamic allocation of network resources. The second class is characterized by Dave Clark's PR architecture, RFC 1102 [4]. With respect to the longer term requirements laid out in this document, only this second class is expressive and flexible enough to support the multiplicity of stub and transit policies. In other words, the power of the PR approach (e.g., RFC1102) is not just in the added granularity of control pointed out by Braun, i.e., the ability to specify particular hosts and user classes. Its power is in the ability to express and enforce many types of stub and transit policies and apply them on a discriminatory basis to different ADs. In addition, this approach provides explicit support for stub ADs to control routes via the use of source routing. (FOOTNOTE 12: Moreover, the source routing approach loosens the requirements for every AD to share a complete view of the entire internet by allowing the source to detect routing loops.) (FOOTNOTE 13: The match between RFC1102 and the requirements specified in this document is hardly a coincidence since Clark's paper and discussions with him contributed to the requirements formulation presented here. His work is currently being evaluated and refined by the ANRG and ORWG.) Estrin [Page 18] RFC 1125 Policy Requirements November 1989 9 SUMMARY Along with the emergence of very high speed applications and media, resource management has become a critical issue in the Research Internet and internets in general. A fundamental characteristic of the resource management problem is allowing administratively ADs to interconnect while retaining control over resource usage. However, we have lacked a careful articulation of the types of resource management policies that need to be supported. This paper addresses policy requirements for the Research Internet. After justifying our assumptions regarding AD topology we presented a taxonomy and examples of policies that must be supported by a PR protocol. 10 ACKNOWLEDGMENTS Members of the Autonomous Networks Research Group and Open Routing Working Group have contributed significantly to the ideas presented here, in particular, Guy Almes, Lee Breslau, Scott Brim, Dave Clark, Marianne Lepp, and Gene Tsudik. In addition, Lee Breslau and Gene Tsudik provided detailed comments on a previous draft. David Cheriton inadvertently caused me to write this document. Sharon Anderson's contributions deserve special recognition. The author is supported by research grants from National Science Foundation, AT&T, and GTE. 11 REFERENCES [1] J. Postel, Internet Protocol, Network Information Center, RFC 791, September 1981. [2] G. Vaudreuil, The Federal Research Internet Coordinating Committee and National Research Network, ACM SIG Computer Communications Review,April 1988. [3] E. Rosen, Exterior Gateway Protocol (EGP), Network Information Center, RFC 827, October 1982. [4] D. Clark, Policy Routing in Internet Protocols, Network Information Center, RFC 1102, May 1989. [5] H.W.Braun, Models of Policy Based Routing, Network Information Center, RFC 1104, June 1989. [6] K. Lougheed, Y. Rekhter, A Border Gateway Protocol, Network Information Center, RFC 1105, June 1989. [7] J. Saltzer, M. Schroeder, The Protection of Information in Computer Systems, Proceedings of the IEEE, 63, 9 September 1975. Estrin [Page 19] RFC 1125 Policy Requirements November 1989 [8] V. Jacobson, Congestion Avoidance and Control. Proceedings of ACM Sigcomm, pp. 106-114, August 1988, Palo Alto, CA. [9] David Clark, Design Philosophy of the DARPA Internet Protocols, Proceedings of ACM Sigcomm, pp. 106-114, August 1988, Palo Alto, CA. [10] Gigabit Networking Group, B. Leiner, Editor. Critical Issues in High Bandwidth Networking, Network Information Center, RFC 1077, November 1988. [11] D. Estrin, J. Mogul and G. Tsudik, Visa Protocols for Controlling Inter-Organizational Datagram Flow, To appear in IEEE Journal on Selected Areas in Communications, Spring 1989. [12] D. Estrin and G. Tsudik, Security Issues in Policy Routing, IEEE Symposium on Research in Security and Privacy, Oakland, CA. May 1-3 1989. [13] M. Little, The Dissimilar Gateway Protocol, Technical report [14] P. Tsuchiya, The Landmark Hierarchy: A new hierarchy for routing in very large networks, IEEE SIGCOMM 88, Palo Alto, CA. September 1988. [15] G. Finn, Reducing the Vulnerability of Dynamic Computer Networks USC/Information Sciences Institute, Technical Report, ISI/RR-88- 201 July 1988. [16] A. Nakassis Routing Algorithm for Open Routing, Unpublished paper, Available from the author at the National Institute of Standards and Technology (formerly NBS), Washington D.C. 11 SECURITY CONSIDERATIONS This memo does not address the security aspects of the issues discussed. AUTHOR'S ADDRESS: Deborah Estrin University of Southern California Computer Science Department Los Angeles, CA 90089-0782 Phone: (213) 743-7842 EMail: Estrin@OBERON.USC.EDU Estrin [Page 20] RFC 1125 Policy Requirements November 1989 Estrin [Page 21]