summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc1102.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc1102.txt')
-rw-r--r--doc/rfc/rfc1102.txt1235
1 files changed, 1235 insertions, 0 deletions
diff --git a/doc/rfc/rfc1102.txt b/doc/rfc/rfc1102.txt
new file mode 100644
index 0000000..27e1d5d
--- /dev/null
+++ b/doc/rfc/rfc1102.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Network Working Group D. Clark
+Request for Comments: 1102 M.I.T. Laboratory for Computer Science
+ May 1989
+
+
+ Policy Routing in Internet Protocols
+
+1. Status of this Memo
+
+ The purpose of this RFC is to focus discussion on particular problems
+ in the Internet and possible methods of solution. No proposed
+ solutions in this document are intended as standards for the
+ Internet. Distribution of this memo is unlimited.
+
+2. Introduction
+
+ An integral component of the Internet protocols is the routing
+ function, which determines the series of networks and gateways a
+ packet will traverse in passing from the source to the destination.
+ Although there have been a number of routing protocols used in the
+ Internet, they share the idea that one route should be selected out
+ of all available routes based on minimizing some measure of the
+ route, such as delay. Recently, it has become important to select
+ routes in order to restrict the use of network resources to certain
+ classes of customers. These considerations, which are usually
+ described as resource policies, are poorly enforced by the existing
+ technology in the Internet. This document proposes an approach to
+ integrating policy controls into the Internet.
+
+ I assume that the resources of the Internet: networks, links, and
+ gateways, are partitioned into Administrative Regions or ARs. Each
+ AR is governed by a somewhat autonomous administration, with distinct
+ goals as to the class of customers it intends to serve, the qualities
+ of service it intends to deliver, and the means for recovering its
+ cost. To construct a route across the Internet, a sequence of ARs
+ must be selected that collectively supply a path from the source to
+ the destination. This sequence of ARs will be called a Policy Route,
+ or PR. Each AR through which a Policy Route passes will be concerned
+ that the PR has been properly constructed. To this end, each AR may
+ wish to insure that the user of the PR is authorized, the requested
+ quality of service is supported, and that the cost of the service can
+ be recovered.
+
+ In the abstract, a Policy Route is a series of ARs, which are assumed
+ to be named with globally distinct identifiers. (The requirement for
+ global names for ARs suggests that the name space of ARs is flat.
+ That simplifying assumption is made in this RFC, but it should be
+ possible to extend the scheme described here to permit nesting of ARs
+
+
+
+Clark [Page 1]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ to reduce the amount of global information. The problem of adding
+ structure to the space of ARs is an exercise for later study.)
+ Before a PR can be used, however, it must be reduced to more concrete
+ terms; a series of gateways which connect the sequence of ARs. These
+ gateways will be called Policy Gateways.
+
+ Presently, the closest mechanism to policy routing in the Internet is
+ EGP, the Exterior Gateway Protocol. EGP was constructed to permit
+ regions of the Internet to communicate reachability information, even
+ though they did not totally share trust. In this respect, the
+ regions hooked together by EGP could each be viewed as Administrative
+ Regions. However, the mechanisms of EGP imposed a topological
+ restriction on the interconnection of the Administration Regions. In
+ practice, this has proved unsatisfactory. Policy matters are driven
+ by human concerns, and these have not turned out to be amenable to
+ topological constraints, or indeed to constraints of almost any sort.
+
+ The proposals in this memo are designed to permit as wide a latitude
+ as possible in the construction and enforcement of policies. In
+ particular, no topological restrictions are assumed. In general, the
+ approach taken in this memo is driven by the belief that since
+ policies reflect human concerns, the system should primarily be
+ concerned with enforcement of policy, rather than synthesis of
+ policy. The proposal permits both end points and transit services to
+ express and enforce local policy concerns.
+
+3. Policy Routes
+
+ Almost all approaches to policy control share, to some degree, the
+ idea of a Policy Route. The distinguishing component of a policy
+ approach is the procedure by which the Policy Route is synthesized.
+ One approach to synthesizing routes is to associate with each
+ distinct policy a subset of all the gateways in the system, and then
+ run a routing algorithm across the subset of the gateways. This
+ approach has several drawbacks. It requires a distinct routing
+ computation for every policy, which may be prohibitively expensive.
+ It requires the global agreement on the nature and scope of each
+ policy, which is at odds with the desire of Administrative Regions to
+ establish their own independent policy assertions. Finally, it
+ almost inevitably implies a topological restriction on the
+ interconnection of regions.
+
+ Another synthesis approach is to have each Policy Gateway examine
+ incoming packets and determine, based on local policy constraints,
+ the most appropriate next AR. This approach might possibly work, but
+ again has several drawbacks. First, it implies a substantial amount
+ of computation at each Policy Gateway. More importantly, it removes
+ the route selection from the location where it would most naturally
+
+
+
+Clark [Page 2]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ be executed, the end-points of the connection.
+
+ It is useful to think of the interconnected ARs as a marketplace, in
+ which various services are offered and users select among these
+ services to obtain packet transport. By this analogy, it seems
+ appropriate that the actual selection of the Policy Route should be
+ made by the end ARs desiring to send the packets, rather than by the
+ Policy Gateways. Looking to the phone system for comparison, it is
+ the customer of the phone system who selects which of the long
+ distance carriers to use, whether to purchase a fixed price service
+ or pay incrementally for usage, and so on. In this proposal,
+ therefore, Policy Routes are synthesized at the end point, where the
+ packet originates, and are attached to packets in order to direct
+ them through the appropriate series of ARs. In other words, Policy
+ Routes are a form of source routing. The role of synthesizing a
+ Policy Route is shared between the source AR and the particular
+ source host.
+
+ In this architecture, therefore, the function of the Policy Gateway
+ is not to synthesize the Policy Route, but to verify it. In the
+ following sections, we will address the two questions of how a Policy
+ Route is verified, and how a Policy Route is synthesized.
+
+ In determining that Policy Routes should be synthesized at the end
+ point, it is important to distinguish between those aspects of
+ routing that reflect legitimate policy concerns, and those aspects of
+ routing which, in reality, relate to the detailed operation of the
+ ARs. For example, if one were to represent Policy Routes using the
+ existing Internet source route mechanism, which allows the end point
+ to specify a series of gateways through which the packet should pass,
+ the result would be that too much function has been transferred from
+ the internals of the Internet to the end points. The end point would
+ have to have knowledge of exactly which gateways are up and
+ operational at a particular moment, and this degree of knowledge
+ cannot be justified by policy concerns. Further, it would be
+ necessary to run a systemwide gateway reachability protocol.
+
+ This proposal attempts to strike a balance between end point
+ specification of those concerns legitimately related to policy, and
+ local determination in the Policy Gateways of the more specific
+ details necessary for reliable operation. This leads to a two-level
+ routing model, in which the abstract Policy Route, a series of
+ administrative regions, is specified by the end point as a form of
+ source route, and each Policy Gateway selects the next actual Policy
+ Gateway that is to be used to forward this packet. In other words,
+ the abstract Policy Route is made concrete incrementally. This
+ division of function does require that the source AR know if there
+ are faults that have partitioned pairs of ARs that are normally
+
+
+
+Clark [Page 3]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ connected together. This implies a global reachability protocol to
+ be run for the purpose of providing information to the source AR, but
+ it need only concern itself at the level of ARs, not at the level of
+ gateways. In a later section on cost-recovery, the topic of gateway
+ selection will be discussed in more detail.
+
+ An objection to a scheme such as source routing is that the
+ potentially bulky source route must be in every packet, and must be
+ evaluated for each packet. One solution to this performance problem
+ is to employ a limited form of route setup, in which the actual
+ Policy Route is carried only in the first packet of a sequence, and a
+ short identifier or "handle" is included in subsequent packets of the
+ sequence. Each Policy Gateway evaluates the PR on first encounter,
+ and caches the result, which is then retrieved for later packets
+ using the handle in the packet. The idea of a handle and caching,
+ and the need for a form of route setup, is discussed later.
+
+4. Verification of Policy Routes
+
+ As a packet arrives at a Policy Gateway, attempting to enter an AR,
+ the Policy Gateway must decide whether it is legitimate to forward
+ this packet, and if so, at what next Policy Gateway the packet should
+ exit the AR (assuming that the final destination is not within the
+ AR). The information available to the Policy Gateway to support its
+ decision determines the range of policies that can be enforced.
+ Determining what information is to be available is therefore a
+ central feature of our proposal.
+
+4.1. Identifying the User
+
+ Classic routing decisions, those minimizing some cost, are typically
+ driven only by the destination of the packet. At a minimum, policy
+ decisions must be based both on the source and the destination of the
+ packet. In fact, source and destination addresses may not be
+ sufficient to determine policy, for an AR may support different users
+ with different rights, moreover a single user may wish to exercise
+ different rights at different times. I suggest that to identify the
+ user who is proposing to use this particular Policy Route, it is
+ sufficient that the packets contain the source host and AR, the
+ destination host and AR, and, optionally, a User Class Identifier, or
+ UCI. In a later section, I discuss how to prevent misuse of the user
+ class identifier.
+
+ In fact, the source and destination host address may not be needed to
+ support the practical range of policy decisions required at
+ intermediate ARs. Only the source and destination AR information may
+ be necessary. If individual host addresses are to be used, that
+ implies that intermediate ARs will want to keep track of the rights
+
+
+
+Clark [Page 4]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ of individual hosts. It would be much simpler if the source AR could
+ be trusted to permit only the proper hosts to use certain PRs. I
+ will consider this further in a later section when I discuss the role
+ of the Policy Controller.
+
+4.2. Verifying the Route
+
+ The packet contains an abstract Policy Route: a series of AR
+ identifiers. To validate this route, each Policy Gateway could store
+ the complete selection of acceptable policy routes, and require that
+ an incoming packet have a Policy Route that exactly matched one of
+ the stored entries. This degree of constraint probably overspecifies
+ the situation, and causes an information explosion. At the other end
+ of the scale, Policy Gateways could simply be sensitive to the source
+ AR and the destination AR. In some cases, particularly as regards to
+ billing, this does not provide sufficient constraints. This proposal
+ suggests that in deciding whether a given Policy Route is valid, a
+ Policy Gateway should look at the source and destination ARs, and
+ also the ARs immediately abutting the AR in question, called the
+ entry and exit ARs.
+
+ One can think of the verification information in the Policy Gateway
+ as a number of templates. Each template is associated with a valid
+ set of users, as described by the source and destination host address
+ and the optional User Class, and contains the four ARs described
+ above, Source, Destination, Exit, and Entry. An incoming packet
+ should be forwarded if, and only if, there is a template matching the
+ information in the packet. These templates will be called Policy
+ Terms.
+
+4.3. Conditions
+
+ The Policy Terms, as described so far, do not permit the expression
+ of a realistic range of policies. What is needed is the ability to
+ attach to a Policy Term a number of conditions, which describe
+ circumstances under which the term is valid. These might include
+ what type of service (TOS) is available, what times of day the term
+ is valid, what accounting options are valid, and so on. A time-of-
+ day condition, for example, would permit networks, like time-sharing
+ systems, to offer their off-peak capacity to a wider community.
+
+ In general, these conditions could be quite arbitrary. The important
+ constraint on these conditions is that any condition imposed by the
+ Policy Gateway must be understood by the end point, so that it can
+ generate Policy Routes which will conform to the condition. If this
+ is not so, and the Policy Gateway attaches capricious conditions to
+ its policy terms, then the end points will construct Policy Routes in
+ good faith which are rejected, leading to a failure to obtain service
+
+
+
+Clark [Page 5]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ and serious dissatisfaction among users. For this reason, it is
+ necessary that the nature of policy conditions be negotiated in
+ advance.
+
+ The most interesting and difficult conditions are those that relate
+ to the dynamic state of the network. An excellent example is a
+ bilateral mutual aid agreement between two transit ARs in which each
+ agrees to carry the load of the other if the other should go down.
+ To capture this agreement, each might wish to put in Policy Terms
+ with the condition that they are valid only if some other AR is non-
+ functional. In the earlier discussion of Policy Route synthesis, it
+ was necessary for the ARs to run a global up-down protocol to
+ describe the connectivity of ARs. This protocol is sufficient to
+ allow the Policy Gateway to know that some other AR is non-
+ functional, but care is required in the dynamics of this system to
+ ensure that the end point in the PR have a consistent view of the
+ up-down status of the world. Otherwise, there would be transient
+ service outages, which again would lead to user dissatisfaction.
+
+ In general, this proposal asserts that policies should not be based
+ on highly dynamic phenomenon. Administrative Regions should be
+ thought of as stable entities which do not change state rapidly.
+ Highly dynamic characteristics like queue length should be dealt with
+ by proper engineering internal to the AR. Precisely because
+ conditions must be propagated globally, attempting to base a
+ condition on a highly dynamic parameter is liable to lead to system
+ instability.
+
+4.4. Ownership of Policy Gateways
+
+ In Section 1, all the resources of the network were described as
+ being partitioned among the ARs. This statement does not extend to
+ the Policy Gateways, which sit on the boundary between ARs. Either
+ the Policy Gateway must be composed of two physical halves, connected
+ by a wire, or there must be a joint agreement for the ownership and
+ operation of the gateway. This is a matter for further study.
+
+5. Examples of Policy Terms
+
+ This section presents examples of how policy terms would be used to
+ express a range of practical policies. In order to give examples, it
+ is necessary to define a notation for policy terms. The following is
+ not necessarily the most compact form, but will be sufficient for
+ some simple examples.
+
+
+
+
+
+
+
+Clark [Page 6]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ A Policy Term will be expressed as follows:
+
+ ((Hs,ARs,ARent),(Hd,ARd,ARexit),UCI,Cg)
+
+ where:
+
+ Hs is the source host address,
+ ARs is the source AR,
+ ARent is the entry AR,
+
+
+
+ and these three values comprise the first "element" of the term,
+ describing the permitted access looking toward the source.
+ Similarly, for the destination, there is an element describing the
+ host address, the adjacent AR, and the ultimate AR.
+
+ In addition to the two directional elements of the term, there is
+ global information:
+
+ UCI is the User Class Id, and
+ Cg are any global conditions.
+
+ In many cases, an element will not want to constrain one of the
+ values, and we will use the "*" symbol to indicate a "wild-card"
+ match.
+
+ To construct some simple examples, here is a topology, where H
+ elements are hosts, G elements are Policy Gateways, and Numbered
+ elements are ARs.
+
+ H1 --- 1 --- G1 ----- 2 ------ G2 ----- 3 ----- H2
+ | |
+ | |
+ | |
+ |---- G3 ----- 4 ------ G4 ------|------ G5 --- 5
+ | |
+ | |
+ | H4
+ H3
+
+ In this picture, there are four hosts, five gateways, and five
+ Administrative Regions.
+
+ First, consider AR two. It has no hosts attached, and models a
+ transit service, such as the NSF network. It may have a very simple
+ policy: it will carry any traffic between universities, without
+ further constraint. If we let AR1 and AR3 be the regions of two
+
+
+
+Clark [Page 7]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ particular universities, then its policy term could be written as:
+
+ AR2: ((*,1,*),(*,3,*),*,*).
+
+ This says that AR 2 agrees to carry traffic from AR 1 to AR 3,
+ without concern as to the entry and exit AR, and for any hosts in
+ these ARs.
+
+ This notation works, but is very bulky, as a new term is required for
+ every pair of universities. There are several ways to compact the
+ notation. First, we can use the * and a new symbol, "-", to broaden
+ the terms a bit. For example:
+
+ AR2: ((*,1,*),(*,*,-),*,*)
+
+ would assert that AR 1 can use AR 2 to talk to any directly attached
+ AR, where we use the "-" to mean that the exit AR must be the
+ destination AR. In other words, the destination AR must be directly
+ attached to AR2. If AR 2 only attaches to universities, then this
+ would provide the proper constraint.
+
+ Another approach is to use the User Class ID:
+
+ AR2:((*,*,*),(*,*,*),University,*)
+
+ says that any traffic of any sort that has the User Class of
+ University is acceptable.
+
+ Another, and perhaps most suitable notation, is to observe that the
+ distinction between source and destination is actually artificial.
+ While it helps in this memo to have names for the two ends, either
+ end can be a source, depending on who sends the first packet. (A
+ later section explores the bi-directional nature of PRs). A more
+ general form of a PR is thus to permit any number of elements. That
+ is, a Policy Term can have more than two elements, and the meaning of
+ this is that a PR is valid if it uses any two of these.
+
+ For example, if university 5 wanted to use the AR2 service, AR2 might
+ write a Policy term as follows:
+
+ AR2:((*,1,*),(*,3,*),(*,5,*),*,*)
+
+ which would permit a policy route between hosts in any two of the ARs
+ 1, 3 and 5.
+
+ All the terms so far relate to the policies of AR2. If university 1
+ wanted to subscribe to this service, and use it to reach any other
+ site, it would specify terms of its own. For example:
+
+
+
+Clark [Page 8]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ AR1: ((*,1, -),(*,*,2),*,*).
+
+ This term says that any host in AR 1 can use AR 2 as a path to any
+ host in any AR. Again we use the "-" notation to indicate that the
+ entry AR is the same as the source AR, in this case the AR writing
+ the term.
+
+ The ARs numbered 3 and 5 are more interesting. While 3 is directly
+ attached to 2, 5 is not. Instead, 5 has attached to 3. If 3 wants
+ to use 2 for general transit service, it must provide a term similar
+ to the one provided by 1:
+
+ AR3: ((*,3,-),(*,*,2),*,*).
+
+ If 5 wants to use 2, more terms are required. Since 2 is not
+ directly attached, it cannot be named as the exit AR in a term
+ written by 5. The directly attached AR, 3, is all that can be named:
+
+ AR5: ((*,5,-),(*,*,3),*,*).
+
+ Then AR3 must agree to carry the transit traffic for 5.
+
+ AR3: ((*,5,-),(*,*,2),*,*)
+
+ AR3 might not want to carry all forms of transit traffic for 5, but
+ only of certain sorts or to certain locations. This could be
+ expressed by restricting the previous term. For example,
+
+ AR3: ((*,5,-),(*,2,-),*,*)
+
+ would permit traffic from 5 to cross 3 to reach 2, but only to hosts
+ directly in those ARs.
+
+ For some further examples, consider AR 4, which might represent the
+ AR of a commercial user. It connects together the hosts of that
+ user, for example, H3, and is connected to the other environment to
+ permit cross-communication. Given the terms so far, no traffic will
+ flow into this AR.
+
+ If AR 1 wants to permit communication with AR 4, it could add:
+
+ AR1: ((*,1,-),(*,4,-),*,*)
+
+ This would permit communication between hosts directly in each AR,
+ but no transit traffic. In particular, H3 and H2 cannot talk. There
+ are several different terms that would permit them to talk.
+
+
+
+
+
+Clark [Page 9]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ The direct path would be the following:
+
+ AR4: ((*,4,-),(H2,3,-),*,*)
+ AR3: ((*,3,-),(H3,4,-),*,*).
+
+ This would permit direct connection through G4. Note, for variety,
+ that each term has been set up so that any host in the local AR can
+ match, but only one host in the other AR. The combination happens to
+ permit only H3 and H2 to communicate.
+
+ If G4 were not there, another path would be via AR 2, which could be
+ permitted by suitable terms in ARs 1,2,3 and 4.
+
+ Even if G3 and G4 exist, no transit traffic will flow across AR 4
+ from 1 to 3. Even if 1 and 3 want it to:
+
+ AR1: ((*,1,-),(*,3,4),*,*) and
+ AR3: ((*,3,-),(*,1,4),*,*),
+
+ the lack of a term for AR4 will prevent a valid PR via that path.
+ Only if AR 4 added:
+
+ AR4:((*,1,-),(*,3,-),*,*)
+
+ would AR 4 start serving AR a transit path from 1 to 3.
+
+ If AR4 added:
+
+ AR4: ((*,4,-),(*,*,*),*,*), any host in AR 4 could talk to any host
+ anywhere else, but AR 4 would still not become a transit service.
+
+ These various examples demonstrate how individual ARs can offer
+ Policy Terms that can be combined to form a route. The notation
+ proposed here is probably not adequate to express the needed range of
+ policies. For example, it may be desirable to have lists of ARs as
+ part of a term, as well as single values and "*". Other notation
+ might be proposed to permit exclusion of a limited set of ARs. It
+ may also be appropriate to write elements that are directional, so
+ that connections can be "opened" in one direction but not in others.
+ This idea is vague in a connectionless architecture, but seems to
+ relate to some real policy requirements.
+
+ In general, the problem of expressing policy terms in compact form is
+ the same as the problem of constructing compact access control lists.
+ There is still an ongoing argument whether access control lists
+ should be ordered, and should permit exclusion, and so on. It would
+ seem that the exact same issues arise here. Some experience
+ attempting to express real policies may give guidance as to the
+
+
+
+Clark [Page 10]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ expressive power needed.
+
+6. Cost Recovery
+
+ Almost all of the existing Internet has been paid for as a capital
+ purchase and provided to the users as a free good. There are limited
+ examples of cost recovery, but these are based on an annual
+ subscription fee rather than a charge related to the utilization.
+ There is a growing body of opinion which says that accounting for
+ usage, if not billing for it, is an important component of effective
+ resource management. For this reason, tools for accounting and
+ billing must be a central part of any policy mechanism. However,
+ precisely because the administrative regions are autonomous, we
+ cannot impose a uniform form of billing policy on all of the regions.
+ Some of them may continue to provide service freely, or on the basis
+ of an annual fee. Others may charge on the basis of resources
+ consumed, but even here there may be variations in detail, as some
+ may charge by the packet and others may charge by the byte. Again,
+ in the telephone analogy, we see a variety of billing policies, with
+ both local and long distance carriers selling service either on the
+ basis of a monthly fee or on a fee-per-minute of usage, with time of
+ day conditions attached. The billing problem is thus a very
+ complicated one, for the user would presumably desire to minimize the
+ cost, in the context of the various outstanding conditions.
+
+ If we are actually to pay for use of services, there is also the
+ problem of collection. Using the current telephone system as an
+ example, there are two strategies for collecting revenues. One is
+ the pre-divestiture mode, in which the source AR (or the destination
+ AR in the case of a collect call) serves as a single collection point
+ for all of the ARs involved in the call. After divestiture, we see
+ another paradigm, in which the transit AR separately bills the
+ customer.
+
+ There are many reasons to support both collection formats. The
+ primary reason for separate billing is that not all regions may wish
+ to charge the user in the same units of currency. Some regions may
+ wish to charge actual dollars, while others may wish to charge using
+ some form of private allocation units. On the other hand, having a
+ single point of collection is very convenient, because it eliminates
+ a lot of duplicate effort in collection. It does, however, require a
+ greater degree of trust and coordination among ARs.
+
+ Single point collection also simplifies another sticky problem, lost
+ packets. For most types of service, the user would presumably be
+ offended if asked to pay for a significant number of packets
+ undelivered because they have been lost before reaching the
+ destination. If each region separately bills for its traffic, then
+
+
+
+Clark [Page 11]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ to avoid billing for packets that are lost between that AR and the
+ destination, it is necessary to have some form of lost packet
+ reporting, which travels backward through system decrementing the
+ counters of all the intervening ARs. If single point collection is
+ performed, then the usage meters can be put in the destination AR,
+ and periodically propagated to the billing AR, if that is a different
+ region.
+
+ The discussion of lost packets makes clear an important relationship
+ between billing and policy. If a Policy Route takes packets through
+ a region of known unreliability, the regions preceding it on the path
+ may be quite unwilling to forgive the charges for packets which have
+ successfully crossed their region, only to be lost further down the
+ route. A billing policy is a way of asserting that one region wishes
+ to divorce itself from the reliability behavior of another region.
+ The conditions in the policy terms, and corresponding policy routes,
+ must therefore be able to capture two distinct conditions. The first
+ is whether or not there exists a bilateral agreement between two ARs
+ by which one agrees to be the collection agent for the other. The
+ concatenation of a number of these agreements permits a single
+ collection point to be used for the entire policy route. The other
+ condition is whether or not the AR will accept packet and byte counts
+ from the next AR downstream as the basis of billing, or whether the
+ AR insists that the billing be based on the counts at the exit point
+ of this AR. This condition allows an AR to build a wall between it
+ and a subsequent unreliable AR. One can imagine certain regions
+ agreeing to carry traffic into unreliable regions, but only
+ grudgingly, knowing that the result is going to be user frustration
+ which may be directed to all the ARs indiscriminately. The use of a
+ specific policy condition can make clear to the end user which ARs do
+ not view themselves as interworking harmoniously.
+
+ To enforce these mechanisms, the abstract PR which is included in the
+ packet must be augmented with a number of conditions. First, for
+ each AR there is a 3-way flag which describes whether the billing
+ should be separately collected for the region, propagated back to the
+ source (which corresponds to the normal telephone company paradigm),
+ or propagated towards the destination (which corresponds to a collect
+ call). Second, there is a flag which indicates whether the region is
+ expected to accept from the next region downstream the packet and
+ byte counts as the basis of billing. Third, there must be a charge
+ code, a unique number somewhat resembling a credit card number to
+ which bills may be sent. The Policy Terms in the Gateways must
+ similarly be augmented to permit verification. The management of the
+ charge code, insuring its uniqueness and preventing its abuse, is
+ discussed later.
+
+ These conditions, which relate to agreements between two ARs, are
+
+
+
+Clark [Page 12]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ somewhat different from the conditions previously discussed, such as
+ time of day. Conditions relating to AR agreements will be called
+ "bilateral conditions," while the others are called "global
+ conditions." Note that even though bilateral conditions relate to
+ the agreement between two ARs, they can have global effects.
+
+7. Gateway Selection
+
+ In Section Two, this memo proposed that the end point should specify
+ an abstract Policy Route, as a series of ARs, and the Policy Gateway
+ at the entry to each AR should convert the next hop to a concrete
+ route, selecting the Policy Gateway to exit from this region into the
+ next. It turns out that this selection is not entirely devoid of
+ policy concerns, and some additional conditions are required in the
+ Policy Terms in order to make this operate properly.
+
+ In order that each Policy Gateway be able to select the next Policy
+ Gateway on the route, it is necessary to have a table which lists all
+ of the potential Policy Gateways that connect together adjacent
+ regions. Presumably, this information is very slowly changing, and
+ is not difficult to propagate. The more dynamic information that is
+ needed is whether each of these gateways is up. It is therefore
+ necessary that all of the Policy Gateways attached to a given AR must
+ run a local up-down algorithm, one which hopefully can determine not
+ only that each of the other gateways is up, but that its interfaces
+ are up and that it is properly forwarding traffic. It is slightly
+ complicated to design such a test. However, we do not have to design
+ a strategy for propagating this information globally, because it is
+ only needed by the other Policy Gateways attached to each region.
+
+ The policy matter related to concrete routes arises if there are
+ several gateways connecting two administrative regions. As described
+ so far, the exit Policy Gateway from any region (which is the entry
+ Policy Gateway for the next region) is selected by the entry Policy
+ Gateway for that region. In other words, each region may select its
+ exit gateway, but has no control over its entry gateway. There are
+ certain circumstances where a particular region might insist on being
+ able to control the entry gateway used. Imagine two parallel transit
+ regions, one which charges incrementally for service, the other of
+ which provides its service as a free good. Obviously, from the point
+ of view of the user, it is desirable to minimize the use of the
+ charging AR, and maximize the use of the free AR. But this may lead
+ to gross overloads in the free AR, and apparent discrimination
+ against the charging AR. The owner of the free AR, therefore, might
+ choose to impose a policy which says that it can be used only to
+ reach certain points which are not directly connected to the AR which
+ bills for its service, and the traffic must enter the free AR at the
+ closest point to the destination. In other words, the free AR
+
+
+
+Clark [Page 13]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ requires that it be allowed to choose its entry gateway so that it
+ minimizes its costs (which are not, in fact, being billed), with the
+ intent of shifting as much as possible of the cost onto the other
+ network.
+
+ By adding more bilateral conditions to the Policy Terms and the
+ Policy Route in the packet, it is possible to control the various
+ options for Policy Gateway selection. At each boundary between ARs,
+ there are only a limited number of ways to select the Policy Gateway.
+ Either it is selected by the entry side, by the exit side, or by some
+ collaborative algorithm specified through a bilateral agreement.
+ (There might be several such algorithms, which requires the
+ possibility of more complexity in the specification. In particular,
+ if two adjacent ARs have agreed to use a common routing metric for
+ some type of service, they may agree to make a common routing based
+ on this metric.)
+
+ Allowing the policy gateway to be selected by the AR which is on the
+ far side of the gateway represents an interesting implementation
+ problem. It would be possible to send some message in advance of the
+ packet, which requests the next AR to select its entry gateway. To
+ do this, it would figure out what its exit gateway would be, and then
+ figure backwards to minimize its costs (for example) to select the
+ potential entry gateway back into the immediate region. This is
+ complicated to describe, and would probably be complicated to
+ implement. One way to focus the problem is to observe that routes
+ are bi-directional, because a packet flow is bi-directional, and it
+ is very desirable that the packets from both directions follow the
+ same route. Once a packet has come back along the reverse route, the
+ gateway from which it emerges is precisely the gateway which should
+ be used for future traffic in the other direction. But each gateway,
+ in either the forward or reverse direction, must remember a decision
+ made by another AR.
+
+ For this to work it is necessary that gateways not be stateless. If
+ each Policy Gateway maintains a cache of recently computed Policy
+ Routes, in particular remembering the result of computing the gateway
+ for each abstract route, then by simply determining whether or not
+ the forward direction or the reverse direction is allowed to
+ constrain the gateway across this boundary, both policies can be
+ enforced. But this requires building gateways with state, which has
+ not been culturally acceptable in the Internet. I therefore consider
+ as a separate topic the virtues of state in Policy Gateways. I
+ believe that fairly simple algorithms exist to set up the required
+ bindings in the Policy Gateways, but that problem is a matter for
+ later study.
+
+
+
+
+
+Clark [Page 14]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+8. Flow States
+
+ The previous section suggested that the gateway needed to maintain
+ state in order to tie together the forward and reverse halves of a
+ flow. This solved the particular problem of tying together the
+ routing decision which had been made in each direction, so that they
+ could be used in the other. There are, in fact, a number of reasons
+ why the two halves of the flow should be tied together.
+
+ - There is considerable overhead in accounting and collecting for the
+ usage. It is clearly desirable to have both halves of the flow
+ metered jointly.
+
+ - If the route is not bi-directional, then a failure in the node
+ produces a uni-directional link. Uni-directional links are known
+ to cause anomalous behavior in protocols.
+
+ - As part of resource management, it may be desirable for
+ intermediate nodes to pass flow control information back to the
+ source of the flow. If identifiable reverse-direction packets
+ are passing through the gateway, then this information can be
+ piggy-backed onto those packets.
+
+ An additional advantage of maintaining state in the gateway is that
+ it will greatly reduce the overhead of dealing with incoming packets.
+ There are a number of decisions which the Policy Gateway must make
+ which are a part of forwarding a packet: it must validate the Policy
+ Route against its terms, it must create or modify an accounting
+ record, and it must select the next Policy Gateway. It is
+ unreasonable to imagine performing these tasks from scratch for each
+ incoming packet. Once these decisions have been made, the results
+ should be cached, so that they can be used for subsequent packets.
+
+ The stateless gateway was proposed as part of the Internet design in
+ order to insure a robust architecture. If the gateway has no state,
+ then a crash of a gateway cannot endanger an on-going connection. If
+ there is state in a gateway, and that state information is lost
+ because of a crash, then it is possible that a flow would be
+ disrupted.
+
+ In moving from a gateway with no state to a gateway which caches
+ information, it is necessary to ensure that the cached information
+ can be lost and reconstructed. The idea of keeping in gateways only
+ that state which can be easily reconstructed I call "soft state."
+
+
+
+
+
+
+
+Clark [Page 15]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+9. Synthesis and Selection of Policy Routes
+
+ In this proposal, a packet contains a Policy Route, which is verified
+ by each Policy Gateway along the way. This section discusses how the
+ Policy Route is created in the first place.
+
+ PR creation cannot be done totally automatically by the system, but
+ will in general require human judgment. Policies, after all, are
+ matters of human concern. The approach to PR creation is thus a
+ joint one, in which the system provides support to the persons
+ setting policy.
+
+ Most commonly, the desired PR will be selected from among those
+ available by first finding all valid PRs, and then picking one that
+ meets the requirements of the user and has the lowest real cost.
+ These two stages will be called synthesis and selection.
+
+ To synthesize a PR across a sequence of ARs, one must find a Policy
+ Term in each AR that would permit such a PR. The Policy Terms in
+ each adjacent AR must be compatible in their billing conditions and
+ other particulars. One can imagine finding a sequence of Policy
+ Terms that match, rather like dominoes, and reach from the source to
+ the destination.
+
+ For a Policy Term at some AR to be acceptable as a part of a PR, the
+ following must be true:
+
+ - The Source and Destination Host address and UCI must match the
+ term,
+
+ - The Source and Destination AR must match the term,
+
+ - The Entry and Exit AR must match the adjacent AR in the route,
+
+ - The conditions in the term relating to the adjacent AR (e.g.,
+ billing) must match the conditions in the term from that region.
+
+ These conditions, of course, are exactly what the Policy Gateway
+ would test in validating the PR when it is used.
+
+ As the route is synthesized from matching terms, the global
+ conditions of each term are noted, and the combination of these
+ become the condition under which the PR is valid. As a starting
+ point of the synthesis the user may have indicated constraints on the
+ acceptable conditions in order to limit the candidate terms in the
+ synthesis.
+
+ The result of PR synthesis, which is somewhat similar to the
+
+
+
+Clark [Page 16]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ computation in a link-state routing algorithm where each Policy Term
+ represents an abstract link, is a potentially long list of possible
+ PRs to each destination AR, each with attached conditions. The
+ selection process must identify one of these which is actually to be
+ used. The selection can be based on the conditions, and on the cost
+ of each PR.
+
+ To determine the cost, it must be possible to ask each AR to identify
+ the cost of using that Policy Term in the context of this particular
+ set of Entry and Exit ARs. Either there must be an architected
+ protocol for reporting these costs, or the task of cost determination
+ must be left to humans to perform outside the system. The problem
+ with architected cost reporting is that while some ARs may bill using
+ real dollars, others may bill in terms of abstract usage
+ authorizations which have no meaning outside that AR. Even so, I
+ believe that we should attempt to define a representation for
+ reporting the billing basis associated with each AR. This is a
+ matter for later study.
+
+ While PR synthesis may be an automated process, selection probably is
+ not. While cost minimization will help prune the list, and some
+ routes may be rejected automatically on the basis of conditions, part
+ of the selection will in general require human judgment. This
+ observation, together with the observation that PR synthesis may be
+ costly, suggests first that synthesis and selection cannot be done
+ for each packet or indeed each time a transport connection is
+ established, and second that it should not be done separately for
+ each host in the AR.
+
+ Instead, each AR should have one (or more) Policy Servers, servers
+ inside the AR which support the management of PRs. The Policy Server
+ would perform a number of functions.
+
+ - It would store the Policy Terms for the AR, and make them available
+ to the Policy Gateways and the Servers of other ARs as appropriate.
+
+ - It would synthesize potential PRs to reach other ARs, and remember
+ which of these have been selected for use.
+
+ - It will respond to requests from hosts in the AR for PRs, and
+ return them so that they can be included in outgoing packets.
+
+ - It will participate on behalf of the AR in AR up-down protocols,
+ and other inter-AR routing algorithms.
+
+ - It will remember the location of all Policy Gateways attached to
+ this AR.
+
+
+
+
+Clark [Page 17]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ - It will provide the management interface for those persons who must
+ establish AR policy: setting of local Policy Terms, selection of
+ Policy Routes, and so on.
+
+ A host wishing to send packets outside the local AR must first obtain
+ a PR to put into the packets. In the normal case, it would do so by
+ directing a request to the local Policy Server, supplying the desired
+ destination and other negotiable conditions. (For example, the TOS
+ is negotiable, the current time is not.) The Server, based on this
+ input, must select the most appropriate PR and return it.
+
+ At this point in the process, human intervention is not reasonable,
+ as it would take much too long. By now, sufficient selection must
+ have been done so that automated PR selection is possible. The most
+ direct implementation is that the manual selection process should
+ yield an ordered (or partially ordered) list of potential PRs, and
+ the list is searched in order until a PR is found that matches the
+ destination and conditions. That PR is then returned.
+
+10. Security
+
+ There are a number of aspects of this scheme which present
+ opportunities for abuse. In essentially all cases, the possible
+ abuse is theft of network resources or improper charging. They thus
+ have a somewhat different nature than problems related to corruption
+ or disclosure of data. Mechanism to insure proper use and charging
+ of resources often tolerate minor abuse in exchange for ease of
+ operation. Also, control is often based on detection and recovery
+ rather than prevention. Assumptions of this sort are probably
+ acceptable here as well. An isolated packet, which is not a part of
+ any sequence of packets, may be too small an item to account for or
+ control. But if a significant stream of packets goes unaccounted,
+ this is less acceptable.
+
+ There are three general options for abuse. One is to falsify the
+ user identification information in the PR, the source and destination
+ host, the User Class Id and the charge code. Another is to take a
+ valid PR and misuse it intact. And the third is to read out a valid
+ charge code from a PR and then make additional charges against it.
+
+ To protect against putting false user identification information into
+ a PR, the PRs should be sealed or signed, using a crypto sealing
+ technique. Since Policy Servers are the source of PRs, the sealing
+ can be done by the Server. This would require that the seal or
+ digital signature of each Server be known, but avoids the need to
+ have each host known. The Server would be trusted to seal only valid
+ PRs. It must only put User Class Ids and charge codes into PRs from
+ a source permitted to use them, for example.
+
+
+
+Clark [Page 18]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ Assuming a public key system, each Policy Server could have a
+ separate key pair, the public half of which was advertised in some
+ way. It is a matter for further study exactly what parts of the PR
+ need be sealed.
+
+ If the Policy Server violates this trust, and uses a UCI or charge
+ code with an unauthorized host, there are two sub-cases: the false
+ source host is in the same AS, or is outside it. If it is outside,
+ this can be detected by inspection of the PR, since the relation
+ between AR and network number is (almost) static. One approach is to
+ make an AR identifier part of the charge code, so that use of the
+ code can be rejected unless that AR is the source AR for the packet.
+ This works, but prevents using charge codes from a foreign location.
+ Other more general techniques could probably be proposed.
+
+ If the false source host is inside the AR, then further steps are
+ required to prevent the problem. One general solution is to note
+ that a PR is valid only if sealed by a Policy Server. Any AR
+ attempting to collect for usage should be required to keep a copy of
+ the PR as proof that the route was used. If there seems to be
+ unauthorized use of a charge code, the owner can ask to see the PR
+ which generated the charge, which will show the Policy Server which
+ constructed the route. If this is an unauthorized use, action can be
+ taken against the AR owning that Server, with the sealed PR as
+ evidence. In other words, detection and redress may be more effective
+ than prevention.
+
+ If we can assume that the Policy Server for a particular region is as
+ trustworthy as that AR requires, there is still the problem of a
+ Server of one region trying to steal from another AR. This could be
+ done, for example, by taking a valid PR, and sending data forward
+ along it from the "middle" of the route, so that what appears to be
+ coming from one source is actually coming from another in a different
+ AR.
+
+ This would require that packets coming back along the route towards
+ the original source be rerouted to the false source, which would
+ require that the whole routing function within the AR be corrupted.
+ It is unlikely that this would go long undetected, but if direct
+ control of this class of fraud is needed, it could be achieved by
+ requiring any AR intending to charge against a particular PR to
+ obtain from time to time a confirmation, sealed by the Server of the
+ source AR, that its policy gateway has in fact forwarded some number
+ of packets using this PR. This sort of function is probably overkill,
+ but this class of fraud needs to be considered.
+
+ Obviously, a more detailed study will be required of the problem of
+ resource theft, but I believe that a mechanism can be made to work
+
+
+
+Clark [Page 19]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ based on:
+
+ - Local trust of the Policy Server within each AR.
+
+ - Sealing of the PR by the Server.
+
+ - Selective validation of the seal at the Policy Gateway.
+
+ - Selective consistency checking of the PR at the Policy Gateway.
+
+ - Use of seal on PR as evidence of the source of the PR.
+
+11. An Experimental Program -- Migration to Policy Routing
+
+ The proposal above calls for several Internet components not present
+ today: the Policy Route IP option, Policy Gateways, Policy Servers,
+ and support protocols such as the global AS up-down protocol and the
+ local (to the AS) Policy Gateway up-down protocol. Any plan for
+ introduction of policy routing must provide a method to experiment
+ with the concept without changing all the hosts and the gateways now
+ in place.
+
+ Since the Policy Server is a new component which can be added to the
+ Internet without changing any existing components, it is easy to put
+ that facility in place. This, then, becomes the central part of an
+ experimental plan. Later, it is possible to imagine adding the policy
+ controls to some of the gateways. Most difficult will be modifying
+ all the hosts to use the PR IP option. Based on our experience with
+ adding minor features such as IP subnetworks, it will never be
+ possible to get the PR option into all the hosts, and policy routing
+ must be made to work anyway.
+
+ Taking into account these difficulties, here is a concrete
+ experimental plan, in three phases.
+
+ In Phase I, software for a Policy Server is created, and made
+ available to all potential ARs. As a part of its function, it has
+ two "temporary" feature, to mimic the function of the missing host
+ and gateway support.
+
+ To mimic the function of the policy gateway, two policy Servers are
+ placed "near" a current function gateway which happens to connect the
+ two ARs, one on each side of the current gateway, and representing
+ their respective ARs. These two Servers then proceed to fool the
+ current gateway as follows.
+
+ - The current gateway is given the two Servers as neighbors in its
+ routing exchanges. In this way, the Servers can control which
+
+
+
+Clark [Page 20]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ network numbers are advertised. This is similar to the way "gated"
+ is used today to control routes.
+
+ - A packet entering the AR is directed to the "near" Server inside
+ the AR, which performs the functions of the Policy Gateway and
+ then resends the packet. This may require the use of a regular
+ source route in some cases, but can probably just be done by
+ rewriting the destination IP address in the packet. (Note that
+ the IP PR option proposed in the Appendix has fields for the
+ original IP source and destination, so that these fields can be
+ reused in forwarding the packet from gateway to gateway.)
+
+ To deal with the lack of host support for the PR option, we again
+ make use of the Server. Since the Server is the recipient of all
+ routing information coming into the AR (since it has been set up as
+ the neighbor of the current gateway at the actual AR boundary) it
+ alone knows the proper routes out. Internally, it advertises itself
+ as the default gateway to all networks outside the AR, so that it
+ receives all the packets intending to leave the region. It, rather
+ than the host, adds the PR option and then sends the packet on the
+ Policy Gateway (or the matching Server in the next AR playing its
+ part) for relaying.
+
+ By controlling how routes are propagated by the regular gateways, it
+ is possible to prevent hosts from manually setting up routes to
+ bypass the Servers. In any event, enforcement is not the primary
+ concern in Phase I of the experiment.
+
+ In Phase II, certain of the current gateways are augmented with the
+ Policy Gateway functions. This will make enforcement easier, and
+ eliminate the extra hop which the packet had make in Phase I, as it
+ passed from one Server to another through the current gateway. At
+ the same time, some of the hosts are modified to insert the IP PR
+ option into the packet at the source. This will explore the problems
+ of PR selection.
+
+ In Phase III, the PR design is proposed for general implementation.
+
+12. Policy Route Setup
+
+ One objection to this scheme is the large size of the IP PR option.
+ With all the information proposed in this memo, it is larger than the
+ IP header itself. However, this problem can easily be avoided; the
+ PR option seldom need be sent.
+
+ Since the Policy Gateways are going to cache the result of processing
+ the PR, the cache holds the equivalent of the PR. All that is
+ required is a very short option in the packet which is a handle that
+
+
+
+Clark [Page 21]
+
+RFC 1102 Policy Routing in Internet Protocols May 1989
+
+
+ permits the gateway to find the correct cache entry. This handle
+ would be included in the original IP PR option, and then repeated in
+ every packet. The Policy Server which generated the PR could select
+ the handle, so it would be unique for each AR. Perhaps the AR id and
+ a 16 bit UID would be sufficient.
+
+ The full PR option needs to be in the packet only if the cached
+ Information in the gateway is lost. If a gateway crashes or the
+ route changes, the end point must reconstruct the caches in the
+ series of gateways that form the route. The end point could
+ determine that this was necessary either when a gateway reports
+ explicitly that it does not have an entry corresponding to a handle,
+ or when the host determines that it is not getting the desired
+ service.
+
+ This sort of action can be thought of as an extension to the idea of
+ retransmitting. In transport protocols such as TCP, the host keeps
+ track of the behavior of the network, and if it believes that
+ something is wrong (e.g., there is a lack of an acknowledgment), it
+ takes action to restore the desired service. Other examples include
+ switching to another gateway if the currently active adjacent gateway
+ seems to be down. Sending the full PR option in the packet is just
+ another example of allowing the end node to restore the state of the
+ connection if it seems to be broken.
+
+ Using this model, most packets would have only a short option
+ (perhaps 12 bytes).
+
+ This idea of restoring the state in the gateway as needed achieves
+ the idea of "soft state" mentioned earlier, and allows gateways with
+ state to achieve the same robustness associated with datagram
+ networks.
+
+Author's Address
+
+ David D. Clark
+ Massachusetts Institute of Technology
+ Laboratory for Computer Science
+ 545 Main Street
+ Cambridge, MA 02139
+
+ Phone: (617) 253-6003
+
+ Email: ddc@LCS.MIT.EDU
+
+
+
+
+
+
+
+Clark [Page 22]
+ \ No newline at end of file