From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc712.txt | 955 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 955 insertions(+) create mode 100644 doc/rfc/rfc712.txt (limited to 'doc/rfc/rfc712.txt') diff --git a/doc/rfc/rfc712.txt b/doc/rfc/rfc712.txt new file mode 100644 index 0000000..8a2b481 --- /dev/null +++ b/doc/rfc/rfc712.txt @@ -0,0 +1,955 @@ + + + + + + +Network Working Group J.E. Donnelley +Request for Comments: 712 Lawrence Livermore Laboratory + February 1976 + + + A Distributed Capability Computing System (DCCS) + + This paper was prepared for submission to the international + Conference on Computer Communication, ICCC-76, August 3, 1976, + Toronto, Canada. + + This is a preprint of a paper intended for publication in a journal + of proceedings. Since changes may be made before publication, this + preprint is made available with the understanding that it will not be + cited without the permission of the author. + + The work reported in this paper was supported in part under contract + #EPA-IAG-D5-E681-DB with the Environmental Protection Agency and in + part under contract #[RA] 76-12 with the Department Of + Transportation. The report was prepared for the U.S. Energy Research + and Development Agency under contract #W-7405-Eng-48. + +A Distributed Capability Computing System (DCCS) + + This paper describes a distributed computing system. The first + portion introduces an idealized operating system called CCS + (Capability Computing System). In the second portion, the DCCS + protocols are defined and the processes necessary to support the DCCS + on a CCS are described. The remainder of the paper discusses + utilizing the DCCS protocol in a computer network involving + heterogeneous systems and presents some applications. The + applications presented are to optimally solve the single copy problem + for distributed data access and to construct a transparent network + resource optimization mechanism. + +The Capability Computing System (CCS) + + The CCS, though not exactly like any existing operating system, is + much like some of the existing capability list (C-list) operating + systems described in the literature [1-7]. Many of the features of + the CCS come from a proposed modification to the RATS operating + system [1-3]. + + In the documentation for most computer systems there are many + references to different types of objects. Typical objects discussed + are: files, processes, jobs, accounts, semaphores, tasks, words, + devices, forks, events, etc. etc.. One of the intents of C-list + + + + +Donnelley [Page 1] + +RFC 712 A Distributed Capability Computing System February 1976 + + + systems is to provide a uniform method of access to all such objects. + Having all CCS objects accessed through a uniform mechanism allow + DCCS to be implemented in a type independent manner. + + The CCS is a multiprocessing system supporting an active element + called a process. For most purposes, the reader's intuitive notion + of what a process is should suffice. A process is capable of + executing instructions like those in commercially available + computers. It has a memory area associated with it and has some + status indicators like "RUN" and "WAIT". In C-list systems, however, + a process also has a capability list (C-list). This list is an area + in which pointers to the objects that the process is allowed to + access are maintained. These pointers are protected by the system. + The process itself is only allowed to use its C-list as a source of + capabilities to access and as a repository for capabilities that it + has been granted. Figure 1 diagrams some typical processes that are + discussed later. In the diagrams, the left half of a process box is + the C-list and the right half is the memory. + + The key to the uniform access method in the CCS is the invocation + mechanism. This is the mechanism by which a process makes a request + on a capability in its C-list. An invocation is closely analogous to + a subroutine call on most computer systems. When a request is made, + the invoking process passes some parameters to a service routine and + receives some parameters in return. + + There are, however, several major differences between the invocation + mechanism and the usual subroutine calling mechanisms. The first + difference is that the service routine called is generally not in the + process's memory space. The service routine is pointed to by the + protected capability and can be implemented in hardware, microcode, + system kernel code, in another arbitrary process, or, as we shall see + in the DCCS, in another computer system. In Fig. 1. for example, the + serving process is servicing on invocation on the semaphore + requestor. + + A second difference is that, when invoking a capability, other + capabilities can be passed and returned along with strictly data + parameters. In the DCCS, capabilities and data can also be passed + through a communication network. + + The final important distinction of the invocation mechanism can best + be illustrated by considering the analogy to the outside teller + windows often seen at banks. These windows usually contain a drawer + that can be opened by the customer and teller are not both. Except + for this drawer, the customer and teller are physically isolated. In + the case of the invocation mechanism, the invoking process explicitly + passes certain capabilities and information to the service routine + + + +Donnelley [Page 2] + +RFC 712 A Distributed Capability Computing System February 1976 + + + and designated C-list locations and memory areas for the return + parameters. Except for these parameters, the invoking process and + the serving routine are isolated. In the DCCS, this protection + mechanism is extended throughout a network of systems. + + In the CCS, invoking a capability is the only way that a process can + pass or receive information or capabilities. All of what are often + referred to as system calls on a typical operating system are + invocations on appropriate capabilities in the CCS. A CCs C-list + envelopes its process. This fact is needed in order to transparently + move processes as described in the second application on network + optimization (page 23). + +CCS Capabilities + + To build the DCCS, we will assume certain primitive capabilities in + the CCS. The invocations below are represented for simplicity rather + than for efficiency or practicality. In practice, capabilities + generally have more highly optimized invocations with various error + returns, etc.. To characterize a capability, it suffices to describe + what it returns as a function of what it is passed. In the notation + used below, the passed parameter list is followed by a ">" and then + the returned parameter list. In each parameter list the data + parameters are followed by a "" and then the capability parameters. + + 1. File Capability + + a. "Read", index; > data; + + "Read" the data at the specified index. "Read" and the index + are passed. Data is returned. + + b. "Write", index, data; > ; + + Write the data into the area at the specified index. "Write", + the index, and the data are passed. Nothing is returned. + + 2. Directory Capability + + a. "Take", index; > ; capability + + "Take" the capability from the specified index in the + directory. "Take" and the index are passed. The capability is + returned. + + + + + + + +Donnelley [Page 3] + +RFC 712 A Distributed Capability Computing System February 1976 + + + b. "Give", index; capability> ; + + "Give" the capability to the directory at the index specified. + "Give" and the index are passed information. The capability is + also passed. Nothing is returned. + + c. "Find"; capability> result, index; + + A directory, like a process C-list, is a repository for + capabilities. The first two invocations are analogous to the + two file invocations presented except that they involve + capability parameters moved between directory and C-list + instead of between file and memory. The last invocation + searches the directory for the passed capability. If an + identical capability is found, "Yes" and the smallest index of + such a capability are returned. Otherwise "No" and 0 are + returned. + + 3. Nil Capability + + When a directory is initially created, it contains only nil + capabilities. Nil always returns "Empty". + + 4. Process Capability + + a. "Read", index; > data; + + b. "Write", index, data; > ; + + c. "Take", index; > ; capability + + d. "Give", index; capability> ; + + e. "Find"; capability> result, index; + + f. "Start"; > ; + + g. "Stop"; > ; + + The a. and b. invocations go to the process's memory space. C., d., + and e. go to its C-list. F. and g. start and stop process execution. + +The CCS Extension Mechanism + + There is one more basic capability mechanism needed for the CCS + implementation of the DCCS. This mechanism allows processes to set + themselves up to create new capabilities that they can service. Such + + + + +Donnelley [Page 4] + +RFC 712 A Distributed Capability Computing System February 1976 + + + mechanisms differ widely on existing C-list systems. A workable + mechanism is described. Another primitive capability is needed to + start things off: + + 5. Server Capability + + a. "Create requestor", requestor number; > ; requestor + + b. "My requestor?"; capability> answer, requestor number; + + c. "Wait"; > reason, requestor number, PD; request + + Two capabilities were introduced above besides the server, the + requestor and request capabilities. These capabilities will be + described as the invocations on a server are described. + + The first invocation creates and returns a requestor capability. The + number that is passed is associated with the requestor. The + requestor capability is the new capability being created. Any sort + of invocation can be performed on a requestor. This is their whole + reason for existence. A process with a server capability can make a + requestor look like any kind of capability. + + The "My requestor?" invocation can be used to determine if a + capability is a requestor on the invoked server, it returns either: + + "Yes", requestor number; or "No",0; + + The last invocation "Wait"s until something that requires the + server's attention happens. There are two important events that a + service routine needs to be notified about. If the last capability + to a requestor is overwritten so that the requestor cannot again be + invoked until a new one is created, the "wait" returns: + + "Deleted", requestor number, 0; Nil + + The last two parameters, 0 and Nil, are just filler for the returned + PD and request (see 5c). When a "wait" returns "Deleted", the + service routine can recycle any resources being used to service the + numbered requestor (e.g., the requestor number). + + The most important event that causes a "wait" to return is when one + of the requestors for the server is invoked. In this case the server + returns: + + "Invoked", requestor number, PD; request + + + + + +Donnelley [Page 5] + +RFC 712 A Distributed Capability Computing System February 1976 + + + The third parameter, labeled PD, stands for Parameter Descriptor. It + describes the number of each kind of parameter passing each way + during a requestor invocation. Specifically, it consists of four + numbers: Data bits passed, capabilities passed, data bits requested, + and capabilities requested. + + The last parameter received, the request capability, is used by the + serving process to retrieve the passed parameters and to return the + requested parameters to the requesting process. Accordingly, it has + the following invocations: + + 6. Request Capability + + a. "Read parameters"; > {The passed parameters + + b. "Return", {The return parameters}> ; + + The "Return" invocation has the additional effect of restarting the + requesting process. + + One thing that should be noted about the server mechanism is that + invocations on a server's requestors are queued until the server is + "wait"ed upon. This is one reason that a request is given a separate + capability. The serving process can, if it chooses, give the request + to some other process for servicing, while it goes back and waits on + its server for more requests. The corresponding situation in the + outside bank window analogy would be the case where the teller gives + the request to someone else for service so that the teller can return + to waiting customers. The request capability points back to the + requesting process so that the return can be properly effected. + + A sample service, that of the well known semaphore [8] service + routine keeps a table containing the semaphore values for each + semaphore that it is servicing. It also keeps a list of queued + requests that represent the processes that become hung in the + semaphore by "P"ing the semaphore when it has a value less than or + equal to zero. The invocations on a semaphore are: + + 7. Semaphore + + a. "P"; > ; + + b. "V"; > ; + + A diagram and flow chart for the semaphore serving process is given + in Figures 1. and 2. The flow charts are given include most of the + basic capability invocations, but do not include detailed + descriptions of table searches. The table structure for the + + + +Donnelley [Page 6] + +RFC 712 A Distributed Capability Computing System February 1976 + + + semaphore service routine includes entries for each supported + semaphore. Each entry contains the semaphore value and a link into a + list of pointers to the requests hung in the semaphore (if any). + + The most important feature of the server mechanism is that, by using + it, the functioning of any capability can be emulated. + + This property, similar to the insertion property discussed in [9], is + the cornerstone of the DCCS. The basic idea of the emulation is to + have the server "wait" for requests and pass them on to the + capability being emulated. Such emulation of a single capability is + flow charted in Figure 3. The emulation flow charted is an overview + that doesn't handle all situations correctly. For example, a + capability may not return to invocations in the same order that they + are received. These situations also appear in the DCCS, so their + handling will be discussed there rather than here. It is important + to note that, except for delays due to processing and communication, + the emulation done in the DCCS is exact. + +The DCCS Implementation + + The DCCS will initially be described on a network of CCS systems. We + will assume that there exists a network capability: + + 8. Network Capability + + a. "Input"; > Host no., message; + + b. "Output", Host no., message > ; + + It is assumed that the "Output" invocation returns immediately + after queuing the message for output and that the "input" + invocation waits until message is available. + + For pedagogical purposes, the description of the DCCS will be broken + into two parts. First a brief overview of the important mechanisms + will be given. The overview will gloss over some important issues + that will be resolved individually in the more complete description + that follows the overview. + + The intent of the DCCS is to allow capabilities on one host to be + referenced by processes on other hosts having the appropriate + capabilities. To do this, each host keeps a list of capabilities + that it supports for use by other hosts. Each host also supports a + server, which gives out requestors that are made to appear as if they + were the corresponding capability supported by the remote host. When + one of these emulated requestors is invoked, its parameters are + passed by the emulating host through the network to the supporting + + + +Donnelley [Page 7] + +RFC 712 A Distributed Capability Computing System February 1976 + + + host. The supporting host then sees to it that the proper capability + is invoked and passed the parameters. When the invoked parameters + are passed back through the network to the emulating host. The + emulating host then returns the return parameters to the requesting + process. + + For example, let us take the "Read" request on a file diagrammed in + figure 4. When the emulated file (a requestor) is invoked, the + emulating process receives "invoke", requestor number, PD; request. + The requestor number that is returned is actually a descriptor + consisting of two numbers: Host number, capability number. These + descriptors are called Remote Capability Descriptors (RCDs). An RCD + identifies a host and a capability in the list of capabilities + supported by that host. After receiving a request, the emulating + process reads the parameters passed by the requesting process and + sends them along with the Parameters Descriptor to the remote host in + an "invoke" message. + + When the remote host receives this information, it passes the + parameters to the supported file capability by invoking it and + specifies the proper return parameters as noted in the Parameter + Descriptor. When the invoked file return parameters, the returned + data is passed back through the network to the emulating host in a + "Return" message. The returned data is then returned to the + requesting process by performing a "Return" invocation on the request + capability initially received by the emulating host. When the + requesting process is awakened by the return, it will appear to it + exactly as if a local file had been invoked. + + This works fine when the parameters being passed and returned consist + simply of information, but what happens when there are capabilities + involved? In this case the routines use the existing remote + capability access mechanism and pass the appropriate descriptor. As + an example, the "Take" invocation on a directory is diagrammed in + figure 5. The only essential difference is the fact that a + capability has to be returned. When the capability is returned by + the invoked directory (or whatever it really is), the supporting host + allocates a new slot in its supported capability list for the + capability and returns a new descriptor to the emulating host. When + the emulating host receives the descriptor, it creates a new + requestor with the returned descriptor as its requestor number and + returns the requestor to the invoking process. The requestor so + returned acts as the capability taken from the remotely accessed + directory and can be invoked exactly as if were the real capability. + + One important thing to notice about this mechanism is that neither + the emulating host nor the supporting host need to have any idea what + kind of capabilities they are supporting. The mechanism is + + + +Donnelley [Page 8] + +RFC 712 A Distributed Capability Computing System February 1976 + + + independent of their type. Also important is the fact that neither + host need trust the other host with anything more than the + capabilities that it has been rightfully granted. Even the DCCS + processes themselves need only be trusted with the network + capabilities and with the supported capabilities. Finally, note that + no secret passwords which might be disclosed are needed for security. + The DCCS directly extends the CCS protection mechanisms, + + A more complete description of the DCCS will now be given. To avoid + unnecessary complication, however, several issues such as error + indications, system restart and recovery, network malfunctions, + message size limitations, resource problems, etc. are not discussed. + These issues are not unique to the DCCS and their solutions are not + pertinent here. + + As noted earlier, the complete DCCS must address several issues that + were glossed over in the initial overview. As these issues are + discussed, several message types are introduced beyond the "Invoke" + and "Return" messages discussed in the overview. The formats for all + the DCCS messages are summarized in figure 6. + + A. Timing - + + Invocations can take a very long time to complete. We saw an + example in the semaphore capability earlier. An even more graphic + example might be a clock capability that was requested to return + nothing AFTER 100 years had passed. Clearly we don't want to have + the emulating process wait until it receives a "Return" message + from the remote host before servicing more invocations. + + What is done in the emulating host is to add the request + capability to a list of pending requests after sending the + "invoke" message to the supporting host (this is somewhat like the + semaphore example earlier). The emulator can then go back and + wait for more local requests. + + There is a similar problem on the supporting side. We don't want + the process waiting on the network input capability to simply + invoke the supported capability and wait for return. What it must + do is to set up an invocation process to actually invoke the + supported capability so that pending network input can be promptly + serviced. The invoking process must then return the parameters + after it receives them. + + These additional mechanisms add complication of multiple requests + active between hosts. These requests are identified by a Remote + Request Number (RRN). The RRN is an index into the list of + pending requests. + + + +Donnelley [Page 9] + +RFC 712 A Distributed Capability Computing System February 1976 + + + B. Loops - + + If host A passes a capability to host B, and B is requested to + pass the requestor that is being used to emulate the capability + back to host A, should B simply add the requestor to its support + list and allow A to access it remotely? If it did, when the new + requestor was invoked on A, the parameters would be passed to B + where they would be passed to the requestor by the invoking + process. Invoking the requestor would cause the parameters to be + passed back through the network to A where the real capability + would finally be invoked. Then the return parameters would have + to go through the reverse procedure to get back A via B. This is + clearly not an optimal mechanism, + + The solution to this problem makes use of the "My requestor?" + invocation on a server capability described in 5b. When B checks + a capability that is to be returned to A with the "My requestor?" + invocation and finds that the capability is one of its requestors + with a requestor number indicating that it is supported on A, it + can simply return the requestor number (recall that is this is + really a Remote Capability Descriptor, RCD) to A, containing the + fact that the capability specified is one that is local to A and + giving A the index to the capability in its supported capability + list. + + C. Security + + The mechanism presented in B. brings up something of a security + issue. If B. tries to invoke a capability in A's supported list, + should A allow B access without question? If it did, any host on + the network could maliciously invoke any capability supported by + any other host. To allow access only if it has been granted + through the standard invocation mechanism, each host can maintain + a bit vector indicating which hosts have access to a given + capability. If a host does receive an invalid request, it is an + error condition. + + D. Indirection + + There is an additional twist on a Loop problem noted in B.. This + variation comes up when A passes a capability to B who then wants + to pass it to C. Here again B may unambiguously specify which + capability is to be passed by simply sending the Remote Capability + Descriptor (RCD) that is knows it by. The RCD indicates that the + capability, however, A would probably not believe that C should + have access to it. + + + + + +Donnelley [Page 10] + +RFC 712 A Distributed Capability Computing System February 1976 + + + B must tell A. "1, who have access to your 1'th capability, want + to grant it to host C". To do this, another message type is used. + The "Give" message specifies the supported capability and the host + that it should be given to (refer to figure 6). Here again, + giving away a capability that you don't have is an error + condition. + + E. Acknowledgement - + + There is one last problem with the "Give" message. If B sends the + "Give" message to A and then continues to send the Remote + Capability Descriptor (RCD) to C, C may try to use the RCD before + the "Give" is received by A. For this reason, B must wait until A + has "ACK"nowledged the "Give" message before sending the RCD to C. + This mechanism requires that hosts queue un"ACK"nowledged "Give"s. + The format for an "ACK" is given in figure 6. This queueing may + be avoided for most "Give"s after the first for a given RCD, but + only at the cost of much additional memory and broadcasting + "Delete"s (See F. below). + + F. Deletion - + + If all the requestors on A for a given capability supported on B + are deleted. A may tell B so that B may: + + a. Delete A's validation bit in the bit vector for the specified + capability and + + b. If there are no hosts left that require support of the given + capability, the capability may be deleted from the supported + capability list. + + This function requires a new "Delete" message. + + Figure 6 is a summary of the message formats. Figure7-11 flow chart + the complete DCCS. In the flow charts, abbreviations are used to + indicates the directories: + + CSL - Capability Support List + + RRL - Remote Request List + + IPL - Invocation Process List + + The table manipulation is not given in detail. Three tables are + needed. The first is associated with the CSL and contains the bit + vectors indicating access as noted in C. above. The second table is + associated with the RRL. It contains a host number for each active + + + +Donnelley [Page 11] + +RFC 712 A Distributed Capability Computing System February 1976 + + + request. An attempted return on a request by a host other that the + requested host is an error. The final table is a message buffer + containing the pending "Invoke" and "Return" requests. + + In order to avoid hazards in referencing the CSL and its table, a + semaphore called the CSLS is used. A message buffer semaphore, MBS, + is similarly used to lock the message buffer. For the RRL and IPL no + locks are needed with the algorithms given. + +Generalization and Application + + To implement the DCCS, we assumed a network of CCS systems. The + specifications of the CCS were, however, very loose. For example, no + mention was made of instruction sets. Any CCS-like implementation + could use the mechanisms described herein to snare their objects. A + process passed to system with a different instruction set, for + example, could be used as an efficient emulator. + + The most important generalization of the DCCS is to note that a given + implementation has no idea what kind of host it is talking to over + the network. Any sort of host could implement a protocol using the + messages given. For example, a single user system might allow its + user to perform arbitrary invocations on remote capabilities and keep + a table of returned capabilities. Such a system might also support + some kind of standard terminal capability that could be given to + remote processes. On a multi-user system, similar functions could be + performed for each user. + + In some sense, any system implementing the DCCS protocol becomes a + C-list system. The single user system could, for example, set up + remote processes servicing remote server capabilities giving out + requestors to the single user system or any other systems. Returns + from invocations could appear on the single user's terminal by remote + invocation of the terminal capability, etc.. + + Implementing the DCCS on non-C-list systems is similar in some + respects to what happened with some host to host protocol + implementations on the Department Of Defense's ARPA network [10]. + The ARPA network host to host protocols allows a process on one + system to communicate with a process on another. Many of the ARPA + net protocol implementations had the effect of introducing local + process to process communication in hosts that formerly had none. + + + + + + + + + +Donnelley [Page 12] + +RFC 712 A Distributed Capability Computing System February 1976 + + + Applications + + I. Single Copy + + The first application is a solution to what I have dubbed the + single copy problem for information resources. Whenever a + process receives information from a information resource, it + can only receive a local copy of the information. This fact is + apparent when the information come from a distributed data + base, but is also true in tightly coupled virtual memory + situations where information from shared memory must be copied + into local registers for processing. Once a process has a + local copy of some information, it might like to try to insure + that the information remains current, i.e., that it is the + single copy. + + The traditional solution to this problem is to lock the + information resource with a semaphore before making a local + copy and then invalidate the local copy before unlocking the + resource. This solution suffers from the fact that, even + though other processes may not be requesting the copied data, + the data must be unlocked quickly just in case. This can + result in many needless copies being made. + + What is needed is a mechanism for invalidating local copies + exactly when requests by other processes would force + invalidation. To offer such a mechanism, an information + resource can have, in addition to the usual reading and writing + invocations, the following: + + "White lock", portion; > ; write notify + + "RW lock", portion; >; RW notify + + The important invocation on the notify capabilities is: + + "Wait for notification"; > reason; + + The basic idea is to allow a process to request that it be + notified if an attempt is being made to invalidate its copy. + If the copy is used for reading only, the process need only + request notifications of attempted modifications of the data + ("Write lock"). When a process is so notified, it is expected + to invalidate its copy and delete its write notify capability + to inform the information resource server that the pending + write access may proceed. + + + + + +Donnelley [Page 13] + +RFC 712 A Distributed Capability Computing System February 1976 + + + In the read write lock case, the RW notify capability may also + be used for reading and writing the portion. Any other access + to the portion will cause notification. When notified, the + process with the RW notify capability is expected to write back + the latest copy of the information before deleting its RW + notify capability. + + Space does not permit presenting more details for this + mechanism. The important fact to notice is that it permits an + information resource to be shared in such a way that, though + the information may be widely distributed, it is made to appear + as a single copy. This mechanism has important applications to + distributed data bases. + + II. Network Resource Optimization + + The application that probably best demonstrates the usefulness + of the DCCS is the sort of network optimization capability that + can be used to create at least the primitive capabilities + introduced earlier: + + 9. Account Capability + + a. "Create", type; >; capability + + The passed type parameter could at least be any of: "File", + "Directory", "Process", or "Server". The appropriate type + of capability would be returned. The resources used for the + capability are charged to the particular account. + + Now suppose that a user on one CCS system within a DCCS network + has remote access to account capabilities on several other CCS + systems. This user could create what might be called a super + account capability to optimize use of his network resources. + The super account capability would actually be a requestor + serviced by a process with optimization desired would be + completely under user control, but some of the more obvious + examples are presented: + + 1. Static Object Creation Optimization + + a. When a new file is requested, create it on the system + with the fastest access or the least cost per bit. + + b. When a process is requested, create it on the system with + the fastest current response or with the least cost per + instruction. + + + + +Donnelley [Page 14] + +RFC 712 A Distributed Capability Computing System February 1976 + + + 2. Dynamic optimization. + + To do dynamic optimization, the super account would not give + the requesting process the capability that it received from + the remote account after its static optimization, but would + give out a requestor that it would make function like the + actual capability except optimized. + + a. When network conditions or user needs charges, files can + be moved to more effective systems. changes in cost + conditions might result in file movement. Charges in + reliability conditions might result in movement of files + and/or in addition or deletion of multiple copies. + + b. If system load conditions or CPU charges change, it might + be effective to relocate a process. The super account + service process could: create a new process on a more + effective system, stop the old process, move the old C- + list and memory to the new process and start the new + process up. The emulation process given to the user + would never appear to change. + + c. Similar optimizations can be done on any other + capabilities. + + Such a super account can automatically optimize a user's + network resources to suit the user's needs without changing + the functional characteristics of the objects being + optimized. + +Final Note + + The DCCS mechanisms defined in this paper are currently being + implemented on a Digital Equipment Corporation PDP-11/45 computer for + use as an experimental protocol on the ARPA computer network [10]. + The DCCS protocol will also form the basis for a gateway between the + ARPA network and Energy Research and Developement Agency's CTR + network [11]. It is the authors hope that the DCCS mechanism will + hasten the approach of the kind of networks that are needed to create + a truly free market in computational resources. + + Acknowledgements + + The author would like to thank the administrators and staff of the + Computer Research Project at the Lawrence Livemore Laboratory for + creating the kind of environment conductive to the ideas presented in + this paper. Special thanks are due to Charles Landau for many of the + C-list ideas as implemented in the current RATS system. + + + +Donnelley [Page 15] + +RFC 712 A Distributed Capability Computing System February 1976 + + +References + + 1. C. R. Landau, The RATS Operating System, Lawrence Livermore + Laboratory, Report UCRL-77378 (1975) + + 2. C. R. Landau, An Introduction to RATS (RISOS/ARPA Terminal + System): An Operating System for the DEC PDP-11/45, Lawrence + Livermore Laboratory, Report UCRL-51582 (1974) + + 3. J. E. Donnelley, Notes on RATS and Capability List Operating + Systems, Lawrence Livermore Laboratory, Report UCID-16902 (1975) + + 4. B. W. Lampson, "On Reliable and Extendable Operating Systems", + Techniques in Software Engineering, NATO Sci Comm. Workshop Material, + Vol. II (1969) + + 5. W. Wulf, et. al., "HYDRA: The Kernel of a Multiprocessor Operating + System", Communications of the ACM 17 6 (1974) + + 6. P. Neumann et. al., "On the Design of a Provably Secure Operating + System" International Workshop on Protection in Operating Systems, + IRIA (1974) + + 7. R. S. Fabry, "Capability-Based Addressing", CACM 17 7 (1974) + + 8. E. W. Dijkstra, "Cooperating Sequential Processes", published in + Programming Languages, F. Genuys, editor, Academic Press, pp. 43-112 + (1968) + + 9. F. A. Akkoyunlu, et. al., "Some Constraints and Tradeoffs in the + Design of Network Communications", Proceedings of the Fifth Symposium + on Operating System Principles, Vol. 9 No. 5 pp. 67-74 (1975) + + 10. L. G. Roberts and B. D. Wessler, "Computer Network Development to + Achieve Resource Sharing", AFLPS Conference Proceedings 36, pp. + 543-549 (1970) + + 11. "National CTR Computer Center", Lawrence Livermore Laboratory + Energy and Technology Review, Lawrence Livermore Laboratory UCRL- + 52000-75-12, December (1975) + + + + + + + + + + + +Donnelley [Page 16] + +RFC 712 A Distributed Capability Computing System February 1976 + + + The figures are not included in the online version. Interested + readers can obtain a hardcopy version of the documents including the + figures by requesting a copy of UCRL-77800 from: + + Technical Information Department + Lawrence Livermore Laboratory + University of California Livermore, California 94550 + + Questions or comments would be appreciated and should be directed to + the author: + + Though the U.S. mail: + + James E. Donnelley + Lawrence Livermore Laboratory L-307 + P. O. Box 808 + Livermore, California 94550 + + By telephone: + (415)447-1100 ext. 3406 + + Via ARPA net mail: + JED@BBN + + "This report was prepared as an account of work sponsored by the + United States Government. Neither the United States nor the United + States Energy Research & Development Administration, nor any of their + employees, nor any of their contractors, subcontractors or their + employees, makes any warranty, express or implied, or assumes any + legal liability or responsibility for the accuracy, completeness or + usefulness of any information, apparatus, product or process + disclosed, or represents that its use would not infringe privately- + owned rights." + + + + + + + + + + + + + + + + + + +Donnelley [Page 17] + -- cgit v1.2.3