On the Design of an Internetwork Layer

Introduction

We start with the service model we expect from an internetwork layer, add some high level architectural issues for achieving a network that lasts, discuss some results that seem inevitable, and finally propose the sub-systems needed to make it all work.

Service Model

More than that, we are now seeing requirements on the net that it be capable of providing more than just delivery of the packets; end-points wish more control over how their packets are delivered. These requirements are usually grouped together under the term Quality of Service and include policy routing and resource reservation. The internetwork layer needs to provide these capabilities. Ideally the policy decisions are made by a combination of policies from the source and destination.

Security is the biggest open question in the design of an internetwork layer. Radia Perlman's thesis provides guidance as to how we can protect, at the network layer, against denial of service and theft of service attacks. The question is: which security services should the internetworking layer supply?

Multicast is also a requirement. I'm not going to say much more than that, not because I don't think multicast is important or that I want to slight it, I just haven't thought about it much and will leave that work to others who have. None the less, keep multicast in mind for everything that follows.

Finally, the internetwork layer has to be able to forward the packets. Networks are getting faster and will continue to do so. The internetwork layer must keep up while also providing the quality of service and security capabilities discussed above. For example, if providing the quality of service asked requires packet classification, the internetwork layer should provide means to allow efficient implementation of classification.

Architectural Issues

Names, Addresses, and Routes

names

locators

You may note that a locator is a name too. It names the location of the object instead of the object itself.

routes

selectors

do we need all these?

IP uses its addresses as locators, identifiers, and selectors. The primary use of the address is as a locator. The address belongs to an interface and names where that interface is connected to the network. When you move, your address changes. Except the address is used as an identifier as well; it's wired into the TCP checksum de-multiplexing and calculation so if the address is changed mid-connection, the TCP connection is lost. The DNS name of a machine doesn't change as it moves around the network but its identifier (as embodied in IP by its IP address) does.

NOTE: Of course, some people argue that the DNS name should also change when a host moves. They're really confused.

IP uses the destination IP address as its primary selector. Some routers also use the TOS field to provide a limited quality of service control over routing but since the TOS field has never come into widespread use in the Internet some routers also look for well known TCP or UDP ports for that information. With a requirement for per-connection quality of service, IPng will need better granularity in its selectors.

For destinations with multiple IP addresses the source is left to choose which destination address to use. Those different addresses may very well select different routes (while addresses are not routes they are used to find routes) but no routing information is available to the source that would enable it to make a reasonable decision.

Can't Change it All at Once

NOTE: One of the key points of special relativity is that across any significant distance there is no such thing as simultaneous. The Internet has significant distances.

Overall it implies that we should remove anything possible from the core internetwork layer in such a way that it is left to local implementation rather than distributed. Anything that is left to local implementation may be replaced locally as better technology comes along. More importantly, it can be replaced incrementally through the Internet.

Routing and Scaling

It is obvious that the future Internet will be too large for any one router, much less all routers, to know how to route to everywhere. They need a way to work when they know less then the entire routing state of the network. The question is how to do this?

One answer is what we do today in IP; information is pruned strictly by the addressing hierarchy. CIDR increases the number of levels in the addressing hierarchy to decrease the size of each level (especially the top one). Since this scheme only routes packets along the addressing hierarchy it constrains the network topology to also follow the addressing hierarchy. This is a limitation we should not place on the future Internet just yet.

Another important characteristic of the current IP approach to information abstraction in routing is that it is all precomputed in a distributed manner. The routing system figures out which routes are possible before it has need of any of those routes. With policy, these pre-computed routes include policy variations. Obviously this limits the range of possible policies to what the network as a whole knows how to compute.

The obvious alternative to precomputed routes is one where a router acquires routing information on demand. In this way the information it acquires is relevant to the router's needs and the router can process the information with respect to real policy requirements rather than imagined ones.

Results

Source Selected Routes

With the route chosen in one place, the routing algorithms do not have to be consistent networkwide to prevent routing loops. New routing algorithms can be fielded experimentally or incrementally replaced as better technology is created and the range of possible policy considerations can change with time. Actually, the route selection can be distributed recursively (consider the routing between specified nodes in IP loose source routing) and still gain these benefits.

It is unrealistic to expect a network wide routing system to compute all the possible routes taking all the possible policies into account. This includes issues like provider selection. It is easy to envision how to do provider selection through such hacks as multiple addresses if there is only one layer of provider above each end site. It is even conceivable that the routing protocol might compute those different routes. Once you envision a larger network, with three or four levels of provider above each site, it's quickly apparent that this approach simply does not scale.

The traditional reason that the Internet prefers hop-by-hop routing is that it more readily allows healing of network failures. Once quality of service enters the picture however (either policy or resource reservation), whoever is re-routing around the failure must understand the quality of service requirements of the connection it is re-routing. With distributed routing we have to distribute quality of service requirements to any router that might have to re-route whereas with source routing we have to send network failure information back to the source. Of the two pieces of information, network failure is not as likely to need extensions every few months so that is the preferable information to standardize into a protocol that must be globally consistent.

Source routing appears to be the choice that allows the flexibility the net needs.

Flows

Maps

Since these maps contain quality of service information which ranges from concrete information like the bandwidth and latency characteristics of a network to very nebulous concepts like the NSFNet Appropriate Use Policy, the map specification must be extensible and flexible. Since the map specification only transfers the information, it doesn't have to understand it. The usual specification care can give us a map specification that will name any future characteristics we care to add.

Renumbering

Since the new locator hierarchy could affect large portions of the net, even the entire net, and it will not be possible to notify the entire network simultaneously of this change, the network must continue to work while the renumbering is in progress and only some of the nodes to be renumbered have been notified. I'd suggest that this implies that any such renumbering must be automatic and hopefully invisible but I'm not completely sure of that.

One implication that I am sure of is that this means you really do not want to use locators as end-point identifiers. The end-point to which you are speaking is still there even if its locator changes.

Note that this sounds very similar to some mobile host requirements. A proper solution here may help both.

Network State

Some state, service state, by its nature can not go in the packets. Resource reservations and packet charging data are examples. Other information, user state, could go in either.

The task for any internetwork layer is to identify which state goes in the packets and which in the network, and for state that goes in the network, how does it get there and how is it maintained? Should the routers infer state from traffic they see or should state be installed explicitly? A lot of these will be efficiency tradeoffs with the decisions based on assumed network traffic patterns. In some cases we may be able to allow for either option and find out after the net is running which way the bulk of the traffic goes.

Sub-Systems

Forwarding and Route Calculation

Route Distribution

How the route distribution sub-system learns its map to distribute, how it knows what tags to put on which nodes, how it abstracts information from nodes lower down in the tree, these are all left to local decision. The protocols and algorithms that implement these parts of the network mapping system need not be standardized networkwide and so can be incrementally enhanced as we learn better ways to do them.

NOTE: Another piece here is policy distribution. In Nimrod we've put the route calculator at the source. But if we're going to allow destination policy too it needs a way to learn about the destination's policy requirements. More tags in the map? Maybe just a tag that says ``here be destination policies'' and you can invoke the destination policy protocol to learn about them? I like the idea of just putting destination policies in the map.

Flow Setup and Resource Reservation

NOTE: Flow setup and resource reservation seem awfully similar. Should they just be combined? I know RSVP is trying to do one without the other but they might work better combined.

Multicast

Like route calculation, computing the multicast tree is a local implementation. With better technology, you can replace the code in one place without disturbing the rest of the net.

The multicast sub-system needs a way to learn of the end points. This is certainly a widespread protocol where everyone involved has to agree. Only, however, within a single multicast communication. Each multicast system could use a different protocol here, again allowing for incremental upgrading of the technology.

Security

At the forwarding level, protection against internetwork level denial of service attacks requires authenticated packet classification so each packet needs authentication information.

The security sub-system is concerned with the maintenance and operation of these security pieces.

Further Work

We need to answer some of these questions up front. Some of them fortunately, are left to local implementation so we can field something that works now and replace parts as we learn better.

Conclusion