Network Working Group D. Estrin
Request for Comments: 1125 USC Computer Science Department
November 1989
POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING
1 STATUS OF THIS MEMO
The purpose of this memo is to focus discussion on particular
problems in the Internet and possible methods of solution. No
proposed solutions in this document are intended as standards for the
Internet. Rather, it is hoped that a general consensus will emerge
as to the appropriate solution to such problems, leading eventually
to the development and adoption of standards. Distribution of this
memo is unlimited.
2 ABSTRACT
Efforts are now underway to develop a new generation of routing
protocol that will allow each Administrative Domain (AD) in the
growing Internet (and internets in general) to independently express
and enforce policies regarding the flow of packets to, from, and
through its resources. (FOOTNOTE 1: The material presented here
incorporates discussions held with members of the IAB Autonomous
Networks Research Group and the Open Routing Working Group.) This
document articulates the requirements for policy based routing and
should be used as input to the functional specification and
evaluation of proposed protocols.
Two critical assumptions will shape the type of routing mechanism
that is devised: (1) the topological organization of ADs, and (2) the
type and variability of policies expressed by ADs. After justifying
our assumptions regarding AD topology we present a taxonomy, and
specific examples, of policies that must be supported by a PR
protocol. We conclude with a brief discussion of policy routing
mechanisms proposed in previous RFCs (827, 1102, 1104, 1105). Future
RFCs will elaborate on the architecture and protocols needed to
support the requirements presented here.
3 BACKGROUND
The Research Internet has evolved from a single backbone wide area
network with many connected campus networks, to an internet with
multiple cross-country backbones, regional access networks, and a
profusion of campus networks. (FOOTNOTE 2: The term Research Internet
refers to a collection of government, university, and some private
company networks that are used by researchers to access shared
Estrin [Page 1]
RFC 1125 Policy Requirements November 1989
computing resources (e.g., supercomputers), and for research related
information exchange (e.g., distribution of software, technical
documents, and email). The networks that make up the Research
Internet run the DOD Internet Protocol [1].) At times during its
development the Research Internet topology appeared somewhat chaotic.
Overlapping facilities and lateral (as opposed to hierarchical)
connections seemed to be the rule rather than the exception. Today
the Research Internet topology is becoming more regular through
coordination of agency investment and adoption of a hierarchy similar
to that of the telephone networks. The result is several
overlapping wide area backbones connected to regional networks, which
in turn connect to campus networks at universities, research
laboratories, and private companies. However, the telephone network
has lateral connections only at the highest level, i.e., between long
haul carriers. In the Research Internet there exist lateral
connections at each level of the hierarchy, i.e., between campus (and
regional) networks as well.
Additional complexity is introduced in the Research Internet by
virtue of connections to private networks. Many private companies are
connected to the Research Internet for purposes of research or
support activities. These private companies connect in the same
manner as campuses, via a regional network or via lateral links to
other campuses. However, many companies have their own private wide
area networks which physically overlap with backbone and/or regional
networks in the research internet, i.e., private vertical bypass
links.
Implicit in this complex topology are organizational boundaries.
These boundaries define Administrative Domains (ADs) which preclude
the imposition of a single, centralized set of policies on all
resources. The subject of this paper is the policy requirements for
resource usage control in the Research Internet.
In the remainder of this section we describe the policy routing
problem in very general terms. Section 4 examines the constraints and
requirements that make the problem challenging, and leads us to
conclude that a new generation of routing and resource control
protocols is needed. Section 5 provides more detail on our
assumptions as to the future topology and configuration of
interconnected ADs. We return to the subject of policy requirements
in Section 7 and categorize the different types of policies that ADs
in the research internet may want to enforce. Included in this
section are examples of FRICC policy statements. (FOOTNOTE 3: The
Federal Research Internet Coordinating Committee (FRICC) is made up
of representatives of each of the major agencies that are involved in
networking. They have been very effective in coordinating their
efforts to eliminate inefficient redundancy and have proposed a plan
for the next 10 years of internetworking for the government,
scientific, and education community [2].) Section 7 identifies types
of policy statements that are problematic to enforce due to their
dynamics, granularity, or performance implications. Several proposed
mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105)
are discussed briefly in Section 8. Future RFCs will elaborate on the
architecture and protocols needed to support the requirements
presented here.
3.1 POLICY ROUTING
Previous protocols such as the Exterior Gateway Protocol (EGP)[3]
embodied a limited notion of policy and ADs. In particular,
autonomous system boundaries constrained the flow of routing database
information, and only indirectly affected the flow of packets
themselves. We consider an Administrative Domain (AD) to be a set of
hosts and network resources (gateways, links, etc.) that is governed
by common policies. In large internets that cross organization
boundaries, e.g., the Research Internet, inter-AD routes must be
selected according to policy-related parameters such as cost and
access rights, in addition to the traditional parameters of
connectivity and congestion. In other words, Policy Routing (PR) is
needed to navigate through the complex web of policy boundaries
created by numerous interconnected ADs. Moreover, each AD has its own
privileges and perspective and therefore must make its own evaluation
of legal and preferred routes. Efforts are now underway to develop a
new generation of routing protocol that will allow each AD to
independently express and enforce policies regarding the flow of
packets to, from, and through its resources [4]. (FOOTNOTE 4: These
issues are under investigation by the IAB Autonomous Networks
Research Group and the IAB Open Routing Working Group. For further
information contact the author.)
The purpose of this paper is to articulate the requirements for such
policy based routing. Two critical assumptions will shape the type of
routing mechanism that is devised:
* The topological organization of ADs, and
* The type and variability of policies expressed by ADs.
We make use of the policies expressed by owners of current Research
Internet resources and private networks connected to the Research
Internet to generalize types of policies that must be supported. This
top down effort must be done with attention to the technical
implications of the policy statements if the result is to be useful
in guiding technical development. For example, some ADs express the
desire to enforce local constraints over how packets travel to their
destination. Other ADs are only concerned with preventing use of
their own network resources by restricting transit. Still other ADs
are concerned primarily with recovering the expense of carrying
traffic and providing feedback to users so that users will limit
their own data flows; in other words they are concerned with
charging. We refer to ADs whose primary concern is communication to
and from hosts within their AD as stub and to ADs whose primary
concern is carrying packets to and from other ADs as transit. If we
address control of transit alone, for example, the resulting
mechanisms will not necessarily allow an AD to control the flow of
its packets from source to destination, or to implement flexible
charging schemes. (FOOTNOTE 5: Gene Tsudik uses the analogy of
international travel to express the need for source and transit
controls. Each country expresses its own policies about travel to and
through its land. Travel through one country enroute to another is
analogous to transit traffic in the network world. A traveler
collects policy information from each of the countries of interest
and plans an itinerary that conforms to those policies as well as the
preferences of the traveler and his/her home nation. Thus there is
both source and transit region control of routing.) Our purpose is
to articulate a comprehensive set of requirements for PR as input to
the functional specification, and evaluation, of proposed protocols.
4 WHY THE PROBLEM IS DIFFICULT
Before proceeding with our description of topology and policy
requirements this section outlines several assumptions and
constraints, namely: the lack of global authority, the need to
support network resource sharing as well as network interconnection,
the complex and dynamic mapping of users to ADs and privileges, and
the need for accountability across ADs. These assumptions limit the
solution space and raise challenging technical issues.
The purpose of policy based routing is to allow ADs to interconnect
and share computer and network resources in a controlled manner.
Unlike many other problems of resource control, there is no global
authority. Each AD defines its own policies with respect to its own
traffic and resources. However, while we assume no global authority,
and no global policies, we recognize that complete autonomy implies
no dependence and therefore no communication. The multi-organization
internets addressed here have inherent regions of autonomy, as well
as requirements for interdependence. Our mechanisms should allow ADs
to design their boundaries, instead of requiring that the boundaries
be either impenetrable or eliminated.
One of the most problematic aspects of the policy routing
requirements identified here is the need to support both network
resource sharing and interconnection across ADs. An example of
resource sharing is two ADs (e.g., agencies, divisions, companies)
sharing network resources (e.g., links, or gateways and links) to
take advantage of economies of scale. Providing transit services to
external ADs is another example of network resource sharing.
Interconnection is the more common example of ADs interconnecting
their independently used network resources to achieve connectivity
across the ADs, i.e., to allow a user in one AD to communicate with
users in another AD. In some respects, network resource control is
simpler than network interconnection control since the potential
dangers are fewer (i.e., denial of service and loss of revenue as
compared with a wide range of attacks on end systems through network
interconnection). However, controlled network resource sharing is
more difficult to support. In an internet a packet may travel
through a number of transit ADs on its way to the destination.
Consequently, policies from all transit ADs must be considered when a
packet is being sent, whereas for stub-AD control only the policies
of the two end point ADs have to be considered. In other words,
controlled network resource sharing and transit require that policy
enforcement be integrated into the routing protocols themselves and
can not be left to network control mechanisms at the end points.
(FOOTNOTE 6&7: Another difference is that in the interconnect case,
traffic traveling over AD A's network resources always has a member
of AD A as its source or destination (or both). Under resource
sharing arrangements members of both AD A and B are connected to the
same resources and consequently intra-AD traffic (i.e., packets
sourced and destined for members of the same AD) travels over the
resources. This distinction is relevant to the writing of policies in
terms of principal affiliation. Economies of scale is one motivation
for resource sharing. For example, instead of interconnecting
separately to several independent agency networks, a campus network
may interconnect to a shared backbone facility. Today,
interconnection is achieved through a combination of AD specific and
shared arrangements. We expect this mixed situation to persist for
"well-connected" campuses for reasons of politics, economics, and
functionality (e.g., different characteristics of the different
agency-networks). See Section 5 for more discussion.)
Complications also result from the fact that legitimate users of an
AD's resources are not all located in that AD. Many users (and their
computers) who are funded by, or are affiliated with, a particular
agency's program reside within the AD of the user's university or
research laboratory. They reside in a campus AD along with users who
are legitimate users of other AD resources. Moreover, any one person
may be a legitimate user of multiple AD resources under varying
conditions and constraints (see examples in Section 6). In addition,
users can move from one AD to another. In other words, a user's
rights can not be determined solely based on the AD from which the
user's communications originate. Consequently, PR must not only
identify resources, it must identify principals and associate
different capabilities and rights with different principals. (The
term principal is taken from the computer security community[7].)
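Added example, not part of the RFC: a sketch of the two points made in this section, that every transit AD on a path must permit a packet and that rights attach to the principal rather than to the source AD. The AD names, affiliations, policy table and the deny-by-default rule for unknown ADs are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    source_ad: str
    dest_ad: str
    principal: str  # sender's affiliation, not derivable from source_ad

# Constructed sample policies (hypothetical AD names and affiliations).
# Each transit AD lists the principal affiliations it will carry; "*" = any.
TRANSIT_POLICIES = {
    "RegionalNet": {"*"},
    "AgencyBackbone": {"agency-grantee"},
    "CommercialNet": {"*"},
}

def first_refusal(path, pkt, policies=TRANSIT_POLICIES):
    """Return the first transit AD on `path` that refuses `pkt`, else None."""
    if len(path) < 2 or path[0] != pkt.source_ad or path[-1] != pkt.dest_ad:
        raise ValueError("path must run from the source AD to the destination AD")
    for ad in path[1:-1]:  # end-point (stub) ADs are not transit
        allowed = policies.get(ad, set())  # assumption: unknown AD means deny
        if "*" not in allowed and pkt.principal not in allowed:
            return ad
    return None

def legal_routes(candidates, pkt, policies=TRANSIT_POLICIES):
    """Keep only the candidate AD paths that every transit AD permits."""
    return [p for p in candidates if first_refusal(p, pkt, policies) is None]

# Two constructed candidate paths between the same pair of stub ADs.
CANDIDATES = [
    ["CampusA", "RegionalNet", "AgencyBackbone", "CampusB"],
    ["CampusA", "RegionalNet", "CommercialNet", "CampusB"],
]
# Same source AD, different principals: rights differ per principal.
GRANTEE = Packet("CampusA", "CampusB", "agency-grantee")
OTHER = Packet("CampusA", "CampusB", "unaffiliated")

if __name__ == "__main__":
    for pkt in (GRANTEE, OTHER):
        print(pkt.principal, legal_routes(CANDIDATES, pkt))
```

A check keyed only on the source AD would treat both packets alike; here the same campus yields two legal routes for one principal and one for the other.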
One way of reducing the compromise of autonomy associated with
interconnection is to implement mechanisms that assure
accountability for resources used. Accountability may be enforced a
priori, e.g., access control mechanisms applied before resource usage
is permitted. Alternatively, accountability may be enforced after
the fact, e.g., record keeping or metering that supports detection