To: Linda at ISIF Cc: JHaverty at BBNG IEN-181 Van Gateway: Some Routing and Performance Issues Jack Haverty Bolt Beranek and Newman Inc. May 1981 IEN-181 Bolt Beranek and Newman Inc. Jack Haverty The VAN gateway is a new facility currently under development for the internet community. Its intended purpose is to allow interconnection of the ARPANET and therefore the Internet with Telenet, but it also introduces a new mechanism whose failure or misuse can seriously affect the system. The key problem with use of the VAN gateway is to allow and encourage using it for legitimate purposes, while preventing utilization by unauthorized users or as a result of a software or hardware failure in the networks involved. There are two aspects to this problem. The first control on the gateway usage must be to assure that the packets being handled are legitimate, in that they are associated with authorized users. This is a specific example of the need for mechanisms which have been discussed at various times as "restricted routing" mechanisms. The second control problem is to assure that the gateway is being used as intended, with a reasonable level of traffic for the function being performed. Even if packets are being processed for authorized users, it is possible for failures within the routing system or host software, for example, to cause packets to loop endlessly. Failures of the network protocols could similarly cause duplicate packets to be sent needlessly. -1- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty In both cases, the concern results from the highly visible impact which use of Telenet incurs, since charges are computed on a per-packet basis. However, the same issues are inherent in the Catenet itself, in that misuse of the network consumes resources which are then unavailable for legitimate use. Thus the problem of managing use of the gateway is most critical for the VAN gateway, but applies as well to all gateways, and in fact to any shared resource. In the initial implementation of the VAN gateway, resource management is being provided by use of tables which enumerate the authorized users of the gateway. These users are simply the addresses of the hosts, both on the ARPANET (Catenet) side and on the Telenet side, which will be acceptable as valid source and destination addresses of packets which transit the gateway. All other packets which are received by the gateway will be discarded. In the internet architecture, the Telenet side of the gateway appears as a single network to the internet mechanisms. The gateway contains a table which maps artificial host addresses on that network into real 14-digit Telenet/X.25 addresses, in much the same way as other networks convert internet addresses into addresses for their particular attached network. X.25 virtual circuits are only permitted between the gateway and X.25 -2- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty hosts which are present in this translation table, which effectively defines the set of authorized gateway users in the X.25 community. No similar table is necessary for translation of addresses on the ARPANET side of the gateway, since this translation is well defined by the internet protocol. Without any additional mechanisms, this would permit any ARPANET host to use the VAN gateway. In addition, since gateways to other networks are simply ARPANET hosts, this would permit any host on the Catenet to use the VAN gateway. To restrict the user community of the VAN gateway, a second table is provided, which enumerates all internet addresses which are acceptable as sources or destinations on the ARPANET side of the gateway. Each internet datagram which arrives from the ARPANET or Telenet is checked to assure that the source and destination addresses in the internet header are listed in one of the two tables which define the set of hosts which are permitted to use the VAN gateway. The table entries will be set up directly by DARPA. In selecting the set of valid hosts, the reliability of the data presented to the gateway should be considered. -3- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty In particular, we note that there is a significant difference in the addresses presented at the gateway in the internet header of each packet. If such an address is in fact on the ARPANET, the gateway can verify it by comparison with the address supplied by the IMP in the ARPANET leader of the packet. For packets sent to the ARPANET, one can similarly expect the IMP subnet to deliver the packet to the host specified in the ARPANET leader. If the address of a packet handled by the gateway is on another component network of the Catenet, the packet is necessarily handled through one or more gateways. The internet structure permits gateways to freely enter the system. Gateways are in general under the control of the organization which owns them and/or the attached network. Gateways in general do not check the addresses in the internet headers of packets which they process, so it is possible for malfunctioning hardware or software to emit packets with incorrect addresses. If such addresses happen to be present in the VAN gateway tables, these packets will be processed by the VAN gateway. The impact of this situation on the policy for allowing use of the VAN gateway is that hosts on networks other than the ARPANET are to be considered somewhat less reliable in terms of enforcement of the usage policy. The mechanisms in the initial -4- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty VAN gateway implementation will provide some degree of control over the use of the gateway, but these mechanisms are not to be considered appropriate or complete in the general sense, and they are not proof against failures. These mechanisms are intended only as an interim measure. We suggest that further development work on the internet gateway system, of which the VAN gateway is a component, should address the problems of resource control at the internet system level. Any mechanism which restricts the usage of a gateway must be designed in conjunction with other network mechanisms, such as routing, flow control, load sharing, and error control. As an example, we can consider a hypothetical configuration in which two VAN gateways are connected to Telenet, one from ARPANET, and the other from SATNET, to support traffic between Telenet users and hosts on ARPANET or SATNET. Only these user/hosts would be listed in the VAN gateway tables. Since the VAN gateways are participants in the internet routing mechanisms, failure of the gateway between ARPANET and SATNET would cause the system to recognize the path through TELENET, as a transit network, as a viable route for ARPANET- SATNET traffic. However, this traffic would be discarded at the VAN gateway because the addresses are not listed in its tables. -5- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty This scenario will be avoided by preventing the two VAN gateways from being "neighbors" for routing purposes, which is acceptable only in restricted configurations. The general problem results from the usage restrictions at the VAN gateway, which makes the path a valid route for one class of packets, but invalid for other classes. The current routing mechanism cannot handle this situation. In addition, the effect of the usage restrictions on future mechanisms for handling partitioned networks, and load sharing of gateway paths, must be investigated. We have two mechanisms to propose for consideration as mechanisms to attack this problem. The first is a resource control model which is a result of the TIP Login work. The second involves the use of performance models, which monitor use of resources to determine if unexpected behavior occurs. These two mechanisms can be introduced to work more effectively in the VAN gateway problem. The architecture for the TIP Login system identifies several abstract modules which interact to implement the resource control functions. A "Control Point" is the module which directly controls the use of a resource. It is responsible for detecting an attempt to use some resource, collecting such information -6- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty which identifies who is trying to use the resource and what they are trying to do, and then permitting or denying use of the resource. The decision concerning whether or not a particular usage is allowed is made by a "Decision Module." This module takes the information supplied by the Control Point, and applies the algorithm which defines the resource usage policy. Typically, and particularly in the Tip Login case, the Decision Module will obtain more information about the particular user and/or resource involved in the decision, by using a distributed database system. In the TIP Login system, the Control Point is at each TIP. Decision Modules are located in special-purpose hosts. The database system is present in those hosts as well as on larger database-maintenance hosts, where tools to manipulate and modify the database exist. Typically the Decision Module identifies the particular individual attempting to use a TIP, and retrieves a record of information specific to that individual, which defines his authorizations (or lack thereof). Much of this mechanism should prove to be useful as a basis for control of gateways as well. In such a system, the control points would be at the gateways. Decision Modules might also be at the gateways, if decisions must be made on each packet. Decisions might be based on source or destination addresses, or -7- IEN-181 Bolt Beranek and Newman Inc. Jack Haverty on the identify of the individual responsible for the packet. We suggest that this approach be considered for further research. A problem which is not being addressed currently is the second control problem mentioned earlier, namely the monitoring of the use of some resource by an authorized user, to guarantee that the resource is being used as intended. In the VAN gateway case, for example, a malfunctioning TCP might cause many unnecessary packets to be handled, but since they are associated with authorized addresses, no control is applied. In addition to the obvious cost and performance penalties, lack of monitoring precludes the use of policies which grant limited use of resources to, for example, allow some users to handle only low- throughput traffic, or low priority traffic. We believe that the use of performance models, embedded within the gateways and for hosts, is a promising direction for attacking this problem. Limitations of the current LSI-11 implementation of the VAN gateway are likely to preclude any significant testing of these approaches. We have been pursuing these ideas as research issues, which have surfaced during the current implementation efforts. -8-