Network Working Group H-W. Braun Request for Comments: 1104 Merit/NSFNET June 1989 Models of Policy Based Routing 1. Status of this Memo The purpose of this RFC is to outline a variety of models for policy based routing. The relative benefits of the different approaches are reviewed. Discussions and comments are explicitly encouraged to move toward the best policy based routing model that scales well within a large internetworking environment. Distribution of this memo is unlimited. 2. Acknowledgements Specific thanks go to Yakov Rekhter (IBM Research), Milo Medin (NASA), Susan Hares (Merit/NSFNET), Jessica Yu (Merit/NSFNET) and Dave Katz (Merit/NSFNET) for extensively contributing to and reviewing this document. 3. Overview To evaluate the methods and models for policy based routing, it is necessary to investigate the context into which the model is to be used, as there are a variety of different methods to introduce policies. Most frequently the following three models are referenced: Policy based distribution of routing information Policy based packet filtering/forwarding Policy based dynamic allocation of network resources (e.g., bandwidth, buffers, etc.) The relative properties of those methods need to be evaluated to find their merits for a specific application. In some cases, more than one method needs to be implemented. While comparing different models for policy based routing, it is important to realize that specific models have been designed to satisfy a certain set of requirements. For different models these requirements may or may not overlap. Even if they overlap, they may have a different degree of granularity. In the first model, the requirements can be formulated at the Administrative Domain or network number level. In the second model, the requirements can be formulated at the end system level or probably even at the level of Braun [Page 1]
RFC 1104 Models of Policy Based Routing June 1989 individual users. In the third model, the requirements need to be formulated at both the end system and local router level, as well as at the level of Routing Domains and Administrative Domains. Each of these models looks at the power of policy based routing in a different way. They may be implemented separately or in combination with other methods. The model to describe policy based dynamic allocation of network resources is orthogonal to the model of policy based distribution of routing information. However, in an actual implementation each of these models may interact. It is important to realize that the use of a policy based scheme for individual network applications requires that the actual effects as well as the interaction of multiple methods need to be determined ahead of time by policy. While uncontrolled dynamic routing and allocation of resources may have a better real time behavior, the use of policy based routing will provide a predictable, stable result based on the desires of the administrator. In a production network, it is imperative to provide continuously consistent and acceptable services. 4. Policy based distribution of routing information Goals: The goal of this model is to enforce certain flows by means of policy based distribution of routing information. This enforcement allows control over who can and who can not use specific network resources. Enforcement is done at the network or Administrative Domain (AD) level - macroscopic policies. Description: A good example of policy based routing based on the distribution of routing information is the NSFNET with its interfaces to mid- level networks [1], [2]. At the interface into the NSFNET, the routing information is authenticated and controlled by four means: 1. Routing peer authentication based on the source address. 2. Verification of the Administrative Domain identification (currently EGP Autonomous System numbers). 3. Verification of Internet network numbers which are advertised via the routing peer. Braun [Page 2]
RFC 1104 Models of Policy Based Routing June 1989 4. Control of metrics via a Routing Policy Data Base for the announced Internet network numbers to allow for primary paths to the NSFNET as well as for paths of a lesser degree. At the interfaces that pass routing traffic out of the NSFNET, the NSS routing code authenticates the router acting as an EGP peer by its address as well as the Administrative Domain identification (Autonomous System Number). Outbound announcements of network numbers via the EGP protocol are controlled on the basis of Administrative Domains or individual network numbers by the NSFNET Routing Policy Data Base. The NSFNET routing policy implementation has been in place since July 1988 and the NSFNET community has significant experience with its application. Another example of policy controlled dissimination of routing information is a method proposed for ESNET in [3]. Benefits: A major merit of the control of routing information flow is that it enables the engineering of large wide area networks and allows for a more meshed environment than would be possible without tight control. Resource allocation in a non-hostile environment is possible by filtering specific network numbers or Administrative Domains on a per need basis. Another important benefit of this scheme is that it allows for network policy control with virtually no performance degradation, as only the routing packets themselves are relevant for policy control. Routing tables are generated as a result of these interactions. This means that this scheme imposes only very little impact on packet switching performance at large. Concerns: Policy based routing information distribution does not address packet based filtering. An example is the inability to prevent malicious attacks by introduced source routed IP packets. While resource allocation is possible, it extends largely to filtering on network numbers or whole Administrative Domains, but it would not extend to end systems or individual users. Costs: Policy based routing in the NSFNET is implemented in a series of Braun [Page 3]
RFC 1104 Models of Policy Based Routing June 1989 configuration files. These configuration files are in turn generated from a routing information database. The careful creation of this routing information database requires knowledge of the Internet at large. Because the Internet is changing constantly, the upkeep of this routing information database is a continuous requirement. However, the effort of collecting and maintaining an accurate view of the Internet at large can be distributed. Since policy controlled distribution of routing information allows for filtering on the basis of network numbers or Administrative Domains, the routing information database only needs to collect information for the more than 1300 networks within the Internet today. 5. Policy based packet filtering/forwarding Goals: The goal of the model of policy based packet filtering/forwarding is to allow the enforcement of certain flows of network traffic on a per packet basis. This enforcement allows the network administrator to control who can and who can not use specific network resources. Enforcement may be done at the end system or even individual user level - microscopic policies. Description: An example of packet/flow based policies is outlined in [4]. In a generic sense, policy based packet filtering/forwarding allows very tight control of the distribution of packet traffic. An implemented example of policy based filtering/forwarding is a protection mechanism built into the NSFNET NSS structure, whereby the nodes can protect themselves against packets targeted at the NSFNET itself by filtering according to IP destination. While this feature has so far not been enabled, it is fully implemented and can be turned on within a matter of seconds. Benefits: The principal merit of this scheme is that it allows the enforcement of packet policies and resource allocation down to individual end systems and perhaps even individual end users. It does not address a sane distribution of routing information. If policies are contained in the packets themselves it could identify users, resulting in the ability of users to move between Braun [Page 4]
RFC 1104 Models of Policy Based Routing June 1989 locations. Concerns: The major concern would be the potentially significant impact on the performance of the routers, as, at least for tight policy enforcements, each packet to be forwarded would need to be verified against a policy data base. This limitation makes the application of this scheme questionable using current Internet technology, but it may be very applicable to circuit switched environments (with source-routed IP packets being similar to a circuit switched environment). Another difficulty could be the sheer number of potential policies to be enforced, which could result in a very high administrative effort. This could result from the creation of policies at the per-user level. Furthermore, the overhead of carrying policy information in potentially every packet could result in additional burdens on resource availabilities. This again is more applicable to connection- oriented networks, such as public data networks, where the policy would only need to be verified at the call setup time. It is an open question how well packet based policies will scale in a large and non homogeneous Internet environment, where policies may be created by all of the participants. These creations of policy types of services may have to be doable in real time. Scaling may require hierarchy. Hierarchy may conflict with arbitrary Type of Service (TOS) routing, which is one of the benefits of this model. Costs of implementation: A large scale implemention of packet based policy routing would require a routing information base that would contain information down to the end system level and possibly end users. If one would assume that for each of the 1300 networks there is an average of 200 end systems, this would result in over 260000 end systems Internet wide. Each end system in turn could further contribute some information on the type of traffic desired, including types of service (issues like agency network selection), potentially on a per-user basis. The effort for the routing policy data base could be immense, in particular if there is a scaling requirement towards a variety of policies for backbones, mid-level networks, campus networks, subnets, hosts, and users. The administration of this "packet routing" database could be distributed. However, with a fully distributed database of this size several consistency checks would have to be built into the system. Braun [Page 5]
RFC 1104 Models of Policy Based Routing June 1989 6. Policy based dynamic allocation of network resources (e.g., bandwidth, buffers, etc.). Goals: Flexible and economical allocation of network resources based on current needs and certain policies. Policies may be formulated at the network or Administrative Domain (AD) levels. It is also possible to formulate policies which will regulate resource allocation for different types of traffic (e.g., Telnet, FTP, precedence indicators, network control traffic). Enforcement of policy based allocation of network resources might be implemented within the following parts of the network: routers for networks and Administrative Domain (AD) levels circuit switches for networks end systems establishing network connections Description: Policy based allocation of bandwidth could allow the modulation of the circuits of the networking infrastructure according to real time needs. Assuming that available resources are limited towards an upper bound, the allocation of bandwidth would need to be controlled by policy. One example might be a single end system that may or may not be allowed to, perhaps even automatically, take resources away from other end systems or users. An example of dynamic bandwidth allocation is the currently implemented circuit switched IDNX component of the NSFNET, as well as the MCI Digital Reconfiguration Service (DRS) which is planned for the NSFNET later this year. Another model for resource allocation occurs at the packet level, where the allocation is controlled by multiple packet queues. This could allow for precedence queuing, with preferences based on some type of service and preferred forwarding of recognized critical data, such as network monitoring, control and routing. An example can be found in the NSFNET, where the NSFNET nodes prefer traffic affiliated with the NSFNET backbone network number over all other traffic, to allow for predictable passing of routing information as well as effective network monitoring and control. At the other end of the spectrum, an implementation could also allow for queues of most deferrable traffic (such as large background file transfers). Braun [Page 6]
RFC 1104 Models of Policy Based Routing June 1989 Benefits: Dynamic allocation of bandwidth could allow for a truly flexible environment where the networking infrastructure could create bandwidth on a per need basis. This could result in significant cost reductions during times when little bandwidth is needed. This method could potentially accommodate real time transient high bandwidth requirements, potentially by reducing the bandwidth available to other parts of the infrastructure. A positive aspect is that the bandwidth allocation could be protocol independent, with no impact on routing protocols or packet forwarding performance. Policy based allocation of bandwidth can provide a predictable dynamic environment. The rules about allocation of bandwidth at the circuit level or at the packet level need to be determined by a consistent and predictable policy, so that other networks or Administrative Domains can tune their allocation of networking resources at the same time. Concerns: The policies involved in making dynamic bandwidth allocation in a largely packet switching environment possible are still in the development phase. Even the technical implications of infrastructure reconfiguration in result of events happening on a higher level still requires additional research. A policy based allocation of bandwidth could tune the network to good performance, but could cause networks located in other Administrative Domains to pass traffic poorly. It is important that network resource policy information for a network be discussed within the context of its Administrative Domain. Administrative Domains need to discuss their network resource allocation policies with other Administrative Domains. The technical problem of sharing network resource policy information could be solved by a making a "network resource policy information" database available to all administrators of networks and Administrative Domains. However, the political problems involved in creating a network resource policy with impact on multiple Administrative Domains does still require additional study. 7. Discussion Both the first and the second model of policy based routing are similar in the sense that their goal is to enforce certain flows. Braun [Page 7]
RFC 1104 Models of Policy Based Routing June 1989 This enforcement allows the control of access to scarce network resources (if the resource is not scarce, there is no performance reason to control access to it). The major difference is the level of enforcement: macroscopic level versus microscopic level control. Associated with the enforcement for a certain network resource is the cost. If this cost is higher than the cost required to make a particular resource less scarce, then the feasibility of enforcement may be questionable. If portions of the Internet find that microscopic enforcement of policy is necessary, then this will need to be implementable without significant performance degradation to the networking environment at large. Local policies within specific Routing Domains or Administrative Domains should not affect global Internet traffic or routing. Policies within Administrative Domains which act as traffic transit systems (such as the NSFNET) should not be affected by policies a single network imposes for its local benefit. Some models of policy routing are trying to deal with cases where network resources require rather complex usage policies. One of scenarios in [4] is one in which a specific agency may have some network resource (in the example it is a link) which is sometimes underutilized. The goal is to sell this resource to other agencies during the underutilization period to recover expenses. This situation is equivalent to the problem of finding optimum routes, with respect to a certain TOS, in the presence of network resources (e.g., links) with variable characteristics. Any proposed solution to this problem should address such issues as network and route stability. More feasibility study is necessary for the whole approach where links used for global communication are also subject to arbitrary local policies. An alternative approach would be to reconfigure the network topology so that underutilized links will be dropped and possibly returned to the phone company. This is comparable to what the NSFNET is planning on doing with the MCI Digital Reconfiguration Service (DRS). A DRS model may appear cleaner and more easy to implement than a complicated model like the one outlined in [4]. The models for policy based routing emphasize that careful engineering of the Internet needs to decided upon the profile of traffic during normal times, outage periods, and peak loads. This type of engineering is not a new requirement. However, there could potentially be a significant benefit in deciding these policies ahead of time and using policy based routing to implement specific routing policies. Braun [Page 8]
RFC 1104 Models of Policy Based Routing June 1989 8. Accounting vs. Policy Based Routing Quite often Accounting and Policy Based Routing are discussed together. While the application of both Accounting and Policy Based Routing is to control access to scarce network resources, these are separate (but related) issues. The chief difference between Accounting and Policy Based Routing is that Accounting combines history information with policy information to track network usage for various purposes. Accounting information may in turn drive policy mechanisms (for instance, one could imagine a policy limiting a certain organization to a fixed aggregate percentage of dynamically shared bandwidth). Conversely, policy information may affect accounting issues. Network accounting typically involves route information (at any level from AD to end system) and volume information (packet, octet counts). Accounting may be implemented in conjunction with any of the policy models mentioned above. Similar to the microscopic versus macroscopic policies, accounting may be classified into different levels. One may collect accounting data at the AD level, network level, host level, or even at the individual user level. However, since accounting may be organized hierarchically, microscopic accounting may be supported at the network or host level, while macroscopic accounting may be supported at the network or AD level. An example might be the amount of traffic passed at the interface between the NSFNET and a mid-level network or between a mid-level network and a campus. Furthermore, the NSFNET has facilities implemented to allow for accounting of traffic trends from individual network numbers as well as application-specific information. Full-blown accounting schemes suffer the same types of concerns previously discussed, with the added complication of potentially large amounts of additional data gathered that must be reliably retrieved. As pointed out in [4], policy issues may impact the way accounting data is collected (one administration billing for packets that were then dropped in the network of another administration). Microscopic accounting may not scale well in a large internet. Furthermore, from the standpoint of billing, it is not clear that the services provided at the network layer map well to the sorts of services that network consumers are willing to pay for. In the telephone network (as well as public data networks), users pay for end-to-end service and expect good quality service in terms of error rate and delay (and may be unwilling to pay for service that is viewed as unacceptable). In an internetworking environment, the heterogeneous administrative environment combined with the lack of end-to-end control may make this approach infeasible. Braun [Page 9]
RFC 1104 Models of Policy Based Routing June 1989 Lightweight approaches to accounting can be used (with less impact) when specific, limited goals are set. One suggested approach involves monitoring traffic patterns. If a pattern of abuse (e.g., unauthorized use) develops, an accounting system could track this and allow corrective action to be taken, by changing routing policy or imposing access control (blocking hosts or nets). Note that this is much less intrusive into the packet forwarding aspects of the routers, but requires distribution of a policy database that the accounting system can use to reduce the raw information. Because this approach is statistical in nature, it may be slow to react. 9. References [1] Rekhter, Y., "EGP and Policy Based Routing in the New NSFNET Backbone", RFC 1092, IBM Research, February 1989. [2] Braun, H-W., "The NSFNET Routing Architecture", RFC 1093, Merit/NSFNET Project, February 1989. [3] Collins, M., and R. Nitzan, "ESNET Routing", DRAFT Version 1.0, LLNL, May 1989. [4] Clark, D., "Policy Routing in Internet Protocols", RFC 1102, M.I.T. Laboratory for Computer Science, May 1989. Author's Address Hans-Werner Braun Merit Computer Network University of Michigan 1075 Beal Avenue Ann Arbor, Michigan 48109 Telephone: 313 763-4897 Fax: 313 747-3745 EMail: hwb@merit.edu Braun [Page 10]