IEN-156 Danny Cohen U S C / I S I September 7, 1980 CONTROLLED ROUTING IN THE CATENET ENVIRONMENT This note suggests the use of Strict Source Routing, SSR, for gaining more control over the routes which are used for messages to traverse the catenet. One of the cornerstones of the IN-philosophy is that users are completely separated from the low level transport issues such as routing. While this is generally so, there are some real world situations where it is desired that users be given a way to influence the routing. The ARPA Internet Protocol, IP, (see IEN-128), allows users to affect the routing decisions by using the source routing (SR) mechanism. There are several reasons for users to influence the routing, rather than trusting the catenet to figure out the best route. Some of these reasons are: [A] Help the catenet find a destination otherwise unknown. [B] Promoting the use of certain nets for reasons such as favorite tariff. [C] Avoiding certain networks for reasons such as various sensativities. The current source routing option of IP, as described in IEN-128 addresses mainly the first reason, [A], only. In order to provide help to the catenet in figuring a route it allows the user to provide a sequence of addresses such that each of them is locally unique (hence unambiguous and known) where it is supposed to be interpreted. Obviously, this sequence must be continuous in the sense that at each address the next address in the sequence, must be known. The choice of route from each address to the next is left to the catenet to determine. 2 IP "assume"s that the given source route is a sequence of IP-addresses, each in the 32-bit format of 8/24 for the "NET-ID" followed by the "REST" which is typically a host address, including gateways. However, this does not necessarily have to be so. If the NET-ID filed may include ESCAPE-CODES, as advocated in IEN-122, a much more powerful scheme may evolve. The above scheme may be used in some clever way also for [B], the promotion of the use of certain nets. However, it does not provide an acceptable solution for [C], the avoidance of certain networks. We argue that [C] is not a well formed requirement, and a tighter definition is required. The reason for introducing the requirement to avoid certain networks is based on the classification of nets into friends and foes. If one knows about all networks, one could classify them all. But if some are unknown, they lack classification. In a controlled environment, where foes should be avoided, the unclassified nets must be avoided, too. Hence, it is not enough to insist on avoiding the set of all known foe nets. One must insist, instead, on using only nets which are positively classified as friends. Therefore, [C] should be changed from "avoiding known foes" into "using only well established friends". Since the source routing technique which was described above does not tell the catenet how to route messages between the given addresses, it is possible for messages to be routed through foes while traversing a sequence of friendly addresses. Hence, the above source routing technique is not adequate at all for [C], avoiding all foes. In order to address this problem to following solution is proposed: Define a new variant of source routing, similar to the one described above, with the additional requirements that messages cross network boundaries only at the gateways specified in the source route. If there is no DIRECT connection, meaning through a single network between two successive addresses in the source route, the message should be discarded rather and no attempt is made to reach the next address via another intermediate network (and gateways). If this new option of Strict Source Routing, SSR, is adopted then it is up to the users to construct "safe" SSRs which include only networks and gateways which are positively identified as trustworthy friends and are known to have only gateways which are sure to handle the SSR properly. The source routing which is not SSR may be referred to as an LSR (Loose SR). 3 One may view the LSR as "piecewise end-to-end" routing at the IP (gateways) level, as opposed to the SSR which is a kind of hop-by-hop routing at the same level. The notion of a gateway being specified in a SSR has to be clarified. Gateway per se do not have IP addresses, but their interfaces to local networks do. Under SSR when the address Ni/Hj (Network/Host) is specified for a gateway, it is required to reach it through the network Ni even in the cases that other routes are available. Consider the following example: +---------------------------------------------------+ | A11 Network-Alpha A22 | +---------------------------------------------------+ | | ************* ************* * gateway-A * * gateway-B * ************* ************* | | +---------------------------------------------------------------------+ | H-1 B11 Network-Beta B22 H-2 | +---------------------------------------------------------------------+ | | ******* ******* * H-1 * * H-2 * ******* ******* If the SSR specifies the address (Alpha/A11) followed by the address (Beta/B22) then the only accepatble route is to cross Gateway-A and then to traverse the Network-Beta to B22. It is not acceptable for the Gateway-A to recognize that (Beta/B22) is actually a gateway which is also on Network-Alpha and therefore to route through this network to (Alpha/A22) expecting the message to cross Gateway-B there. Hence, H-1 can force his message to get to H-2 through the Network-Alpha by using the following SSR: (Beta/B11)-(Alpha/A22)-(Beta/H-2). If the Network-Alpha breaks between A11 and A22 this SSR will result in a communication failure, even though good routes through Network-Beta only are avilable, and might have been automatically used if LSR was used. 4 ON INTRANET SSR It is possible to carry the foes and friends classification further from the nets (internet) level down into the hosts (intranet) level. One way to achieve that effect is by "teaching" the half-gateways which are in each host about SSRs. However, in this case the definition of DIRECT connection has to be explicitly defined for each network. In the case of the ARPANET hosts cannot have this notions which is at the IMPs level. In the case of broadcast nets (such as satellite based, packets radios, Ethernet-like or ring-like nets) no connection is "direct enough" even though it has no intermediate agents along the way. It seems that SSRs are much more difficult to implement at the intranet (host) level, and we may be on better and safer ground by implementing SSRs at first only at the internet (nets and gateways) level. This obviously means that a net can be certified as a friendly net if, and only if, all of its hosts and intermediate agents are individually certified as such. For example, an Ethernet-like network is trustworthy only if all of its hosts (gateways included) are. However, a network such as the ARPANet can be trustworthy if all af its intermediate agents (the IMPs) are, even though some of its hosts are not. The difficulty of implementing intranet SSR should be of no surprise since the IN-philosophy is to hide the intranet technicalities from the internet users. CONCLUSION A Strict Source Routing could be used by a set of "certified friendly" networks in order to avoid the transmission of certain datagrams through all the networks which are parts of the catenet but are not as trustworthy as others.