Network Working Group                                          D. Estrin
Request for Comments: 1125               USC Computer Science Department
                                                           November 1989

POLICY REQUIREMENTS FOR INTER ADMINISTRATIVE DOMAIN ROUTING

1 STATUS OF THIS MEMO

The purpose of this memo is to focus discussion on particular problems in the Internet and possible methods of solution. No proposed solutions in this document are intended as standards for the Internet. Rather, it is hoped that a general consensus will emerge as to the appropriate solution to such problems, leading eventually to the development and adoption of standards. Distribution of this memo is unlimited.

2 ABSTRACT

Efforts are now underway to develop a new generation of routing protocol that will allow each Administrative Domain (AD) in the growing Internet (and internets in general) to independently express and enforce policies regarding the flow of packets to, from, and through its resources. (FOOTNOTE 1: The material presented here incorporates discussions held with members of the IAB Autonomous Networks Research Group and the Open Routing Working Group.) This document articulates the requirements for policy based routing and should be used as input to the functional specification and evaluation of proposed protocols.

Two critical assumptions will shape the type of routing mechanism that is devised: (1) the topological organization of ADs, and (2) the type and variability of policies expressed by ADs. After justifying our assumptions regarding AD topology we present a taxonomy, and specific examples, of policies that must be supported by a PR protocol. We conclude with a brief discussion of policy routing mechanisms proposed in previous RFCs (827, 1102, 1104, 1105).
Future RFCs will elaborate on the architecture and protocols needed to support the requirements presented here.

3 BACKGROUND

The Research Internet has evolved from a single backbone wide area network with many connected campus networks, to an internet with multiple cross-country backbones, regional access networks, and a profusion of campus networks. (FOOTNOTE 2: The term Research Internet refers to a collection of government, university, and some private company, networks that are used by researchers to access shared computing resources (e.g., supercomputers), and for research related information exchange (e.g., distribution of software, technical documents, and email). The networks that make up the Research Internet run the DOD Internet Protocol [1].) At times during its development the Research Internet topology appeared somewhat chaotic. Overlapping facilities and lateral (as opposed to hierarchical) connections seemed to be the rule rather than the exception. Today the Research Internet topology is becoming more regular through coordination of agency investment and adoption of a hierarchy similar to that of the telephone networks. The result is several overlapping wide area backbones connected to regional networks, which in turn connect to campus networks at universities, research laboratories, and private companies. However, the telephone network has lateral connections only at the highest level, i.e., between long haul carriers. In the Research Internet there exist lateral connections at each level of the hierarchy, i.e., between campus (and regional) networks as well.

Additional complexity is introduced in the Research Internet by virtue of connections to private networks. Many private companies are connected to the Research Internet for purposes of research or support activities.
These private companies connect in the same manner as campuses, via a regional network or via lateral links to other campuses. However, many companies have their own private wide area networks which physically overlap with backbone and/or regional networks in the research internet, i.e., private vertical bypass links.

Implicit in this complex topology are organizational boundaries. These boundaries define Administrative Domains (ADs) which preclude the imposition of a single, centralized set of policies on all resources. The subject of this paper is the policy requirements for resource usage control in the Research Internet. In the remainder of this section we describe the policy routing problem in very general terms.

Section 4 examines the constraints and requirements that make the problem challenging and lead us to conclude that a new generation of routing and resource control protocols is needed. Section 5 provides more detail on our assumptions as to the future topology and configuration of interconnected ADs. We return to the subject of policy requirements in Section 7 and categorize the different types of policies that ADs in the research internet may want to enforce. Included in this section are examples of FRICC policy statements. (FOOTNOTE 3: The Federal Research Internet Coordinating Committee (FRICC) is made up of representatives of each of the major agencies that are involved in networking. They have been very effective in coordinating their efforts to eliminate inefficient redundancy and have proposed a plan for the next 10 years of internetworking for the government, scientific, and education community [2].) Section 7 identifies types of policy statements that are problematic to enforce due to their dynamics, granularity, or performance implications. Several proposed mechanisms for supporting PR (including RFCs 827, 1102, 1104, 1105) are discussed briefly in Section 8.
Future RFCs will elaborate on the architecture and protocols needed to support the requirements presented here.

3.1 POLICY ROUTING

Previous protocols such as the Exterior Gateway Protocol (EGP) [3] embodied a limited notion of policy and ADs. In particular, autonomous system boundaries constrained the flow of routing database information, and only indirectly affected the flow of packets themselves.

We consider an Administrative Domain (AD) to be a set of hosts and network resources (gateways, links, etc.) that is governed by common policies. In large internets that cross organization boundaries, e.g., the Research Internet, inter-AD routes must be selected according to policy-related parameters such as cost and access rights, in addition to the traditional parameters of connectivity and congestion. In other words, Policy Routing (PR) is needed to navigate through the complex web of policy boundaries created by numerous interconnected ADs. Moreover, each AD has its own privileges and perspective and therefore must make its own evaluation of legal and preferred routes.

Efforts are now underway to develop a new generation of routing protocol that will allow each AD to independently express and enforce policies regarding the flow of packets to, from, and through its resources [4]. (FOOTNOTE 4: These issues are under investigation by the IAB Autonomous Networks Research Group and the IAB Open Routing Working Group. For further information contact the author.) The purpose of this paper is to articulate the requirements for such policy based routing. Two critical assumptions will shape the type of routing mechanism that is devised:

* The topological organization of ADs, and

* The type and variability of policies expressed by ADs.

We make use of the policies expressed by owners of current Research Internet resources and private networks connected to the Research Internet to generalize types of policies that must be supported.
This top down effort must be done with attention to the technical implications of the policy statements if the result is to be useful in guiding technical development.

For example, some ADs express the desire to enforce local constraints over how packets travel to their destination. Other ADs are only concerned with preventing use of their own network resources by restricting transit. Still other ADs are concerned primarily with recovering the expense of carrying traffic and providing feedback to users so that users will limit their own data flows; in other words they are concerned with charging. We refer to ADs whose primary concern is communication to and from hosts within their AD as stub and to ADs whose primary concern is carrying packets to and from other ADs as transit. If we address control of transit alone, for example, the resulting mechanisms will not necessarily allow an AD to control the flow of its packets from source to destination, or to implement flexible charging schemes. (FOOTNOTE 5: Gene Tsudik uses the analogy of international travel to express the need for source and transit controls. Each country expresses its own policies about travel to and through its land. Travel through one country en route to another is analogous to transit traffic in the network world. A traveler collects policy information from each of the countries of interest and plans an itinerary that conforms to those policies as well as the preferences of the traveler and his/her home nation. Thus there is both source and transit region control of routing.)
Our purpose is to articulate a comprehensive set of requirements for PR as input to the functional specification, and evaluation, of proposed protocols.

4 WHY THE PROBLEM IS DIFFICULT

Before proceeding with our description of topology and policy requirements this section outlines several assumptions and constraints, namely: the lack of global authority, the need to support network resource sharing as well as network interconnection, the complex and dynamic mapping of users to ADs and privileges, and the need for accountability across ADs. These assumptions limit the solution space and raise challenging technical issues.

The purpose of policy based routing is to allow ADs to interconnect and share computer and network resources in a controlled manner. Unlike many other problems of resource control, there is no global authority. Each AD defines its own policies with respect to its own traffic and resources. However, while we assume no global authority, and no global policies, we recognize that complete autonomy implies no dependence and therefore no communication. The multi-organization internets addressed here have inherent regions of autonomy, as well as requirements for interdependence. Our mechanisms should allow ADs to design their boundaries, instead of requiring that the boundaries be either impenetrable or eliminated.

One of the most problematic aspects of the policy routing requirements identified here is the need to support both network resource sharing and interconnection across ADs. An example of resource sharing is two ADs (e.g., agencies, divisions, companies) sharing network resources (e.g., links, or gateways and links) to take advantage of economies of scale. Providing transit services to external ADs is another example of network resource sharing.
Interconnection is the more common example of ADs interconnecting their independently used network resources to achieve connectivity across the ADs, i.e., to allow a user in one AD to communicate with users in another AD.

In some respects, network resource control is simpler than network interconnection control since the potential dangers are fewer (i.e., denial of service and loss of revenue as compared with a wide range of attacks on end systems through network interconnection). However, controlled network resource sharing is more difficult to support. In an internet a packet may travel through a number of transit ADs on its way to the destination. Consequently, policies from all transit ADs must be considered when a packet is being sent, whereas for stub-AD control only the policies of the two end point ADs have to be considered. In other words, controlled network resource sharing and transit require that policy enforcement be integrated into the routing protocols themselves and can not be left to network control mechanisms at the end points. (FOOTNOTE 6&7: Another difference is that in the interconnect case, traffic traveling over AD A's network resources always has a member of AD A as its source or destination (or both). Under resource sharing arrangements members of both AD A and B are connected to the same resources and consequently intra-AD traffic (i.e., packets sourced and destined for members of the same AD) travels over the resources. This distinction is relevant to the writing of policies in terms of principal affiliation. Economies of scale is one motivation for resource sharing. For example, instead of interconnecting separately to several independent agency networks, a campus network may interconnect to a shared backbone facility. Today, interconnection is achieved through a combination of AD specific and shared arrangements.
We expect this mixed situation to persist for "well-connected" campuses for reasons of politics, economics, and functionality (e.g., different characteristics of the different agency-networks). See Section 5 for more discussion.)

Complications also result from the fact that legitimate users of an AD's resources are not all located in that AD. Many users (and their computers) who are funded by, or are affiliated with, a particular agency's program reside within the AD of the user's university or research laboratory. They reside in a campus AD along with users who are legitimate users of other AD resources. Moreover, any one person may be a legitimate user of multiple AD resources under varying conditions and constraints (see examples in Section 6). In addition, users can move from one AD to another. In other words, a user's rights can not be determined solely based on the AD from which the user's communications originate. Consequently, PR must not only identify resources, it must identify principals and associate different capabilities and rights with different principals. (The term principal is taken from the computer security community [7].)

One way of reducing the compromise of autonomy associated with interconnection is to implement mechanisms that assure accountability for resources used. Accountability may be enforced a priori, e.g., access control mechanisms applied before resource usage is permitted. Alternatively, accountability may be enforced after the fact, e.g., record keeping or metering that supports detection