INDRA Working Paper INDRA Note 1114 IEN 190 9th. July 1981 Routing and Access Control in UK to US Services Robert Cole and Robert Braden ABSTRACT: The routing and access control problems for US-UK Catenet operations are discussed and an interim solution proposed, based on addressing mechanisms. Given the present generation of internet gateways, it is necessary to curtail the use of the full physical connectivity between the US and the UK to avoid gateway routing problems and undesirable paths. Department of Computer Science University College, London Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 C O N T E N T S 1. Introduction...........................................2 2. Background.............................................2 3. Network Connectivity...................................3 4. How it Will Work.......................................5 5. Access Control for the PTT Network Connections.........6 6. Reconfiguring for Failure..............................9 7. Issues in Internetworking.............................11 8. Conclusion............................................12 - 1 - [Cole and Braden] 1. Introduction The removal of the TIP at UCL, and the consequent change to TCP-based service from UCL to the DARPA Catenet, present some interesting problems in routing and access control. These problems are discussed here, and some interim (and ad hoc) solutions are presented. The changes in connectivity at UCL, and at RSRE, mean that the extension of the DARPA Catenet into the UK must be considered as a whole; hence this document also looks at the position of the RSRE network (PPSN) in the routing schemes. 2. Background When UCL moves over to an entirely TCP-based access to the Catenet, all of our traffic will be routed via a number of gateways. As most of the traffic will be destined for the ARPANET at least two gateways will be involved. UK users of hosts on the ARPANET can be divided into two groups: 1. Authorised MoD users -- this includes RSRE and UCL experimental traffic. 2. All other users The MoD authorised users are allowed to use SATNET as a path for their traffic into the ARPANET. The others must use a PTT-supplied path to cross the Atlantic and enter the ARPANET through a special gateway. The configurations and services UCL are putting forward for all users is presented in [1]. Essentially, MoD users may gain access to ARPANET via: a. PPSN b. TAC (dial-in terminals) c. PAD to PSS and UCL d. FTP via PSS and UCL Other users will access ARPANET via: a. PAD to UCL (via PSS or SRCNET) b. FTP to UCL (via PSS or SRCNET) From UCL, access control is applied for each user and the appropriate path is selected. - 2 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 This note describes how the paths are enforced, both for forward and return traffic, and how a number of routing problems from dual connectivity are avoided. 3. Network Connectivity The physical connections available between UK systems and the US are shown in figure 1. Note: i. Gateways are indicated by the letter "G". ii. That a single gateway has been assumed at PPSN for simplicity. iii. A single gateway (G') has been shown at UCL. When line 77 is removed, and until the C/70 gateway is installed, this gateway will be implemented by two smaller gateways having only 2 and 3 ports. The exact configuration is yet to be decided. The "PTT network path" includes the concatenated VAN/PTT networks TELENET and TYMNET in the US, IPSS across the Atlantic, and PSS and SRCNET in the UK. These networks all use X.25, and are joined by X.75 gateways which are not shown here. The gateway which is shown between the ARPANET and the VAN network TELENET is being built by BBN and is therefore know as the "BBN VAN gateway"; it will be sited in the US. Across the PTT network path, internet datagrams are encapsulated within X.25 packets, over virtual calls which are opened as required by the BBN VAN gateway or by UCL. We use the term "tunnel" for such a path using X.25 encapsulation of IP datagrams. A second tunnel is shown, linking UCL with PPSN within the UK, using the British Telecom network PSS. - 3 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 PTT network path G ____________________________________________ / | | / | | / | ___________ | / |---| SRC-PSS | | _________ | ----------- | | | | | | ARPA | __________ PSS Tunnel / | NET | | UCLNET |--------------| / | | ---------- | / --------- | | / \ __________ | | / ________ G --| SATNET | -- G' ---------------- G -| PPSN | ---------- | ________ -------- |___| C/30 | | TAC | -------- Figure 1. Physical Connections For UK-US Access The physical connectivity shown in figure 1 presents several serious problems for internet routing algorithms. The present generation of IP gateways [2] assumes all paths between gateways are equivalent in delay, cost, and administrative authorisation. The various paths shown in figure 1 include violations of all three of these conditions. For example, routing MoD or ARPANET traffic over the PTT path, hence over IPSS, between the US and UK will create unacceptable costs. As an interim solution, we propose to effectively reduce the connectivity, to that shown in Figure 2 [1]. The upper (PTT) path provides ARPANET access for non-MoD users, while the lower (SATNET) path is for MoD use. - 4 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 PTT path _____________ G -----------------------| SRC-PSS | / (IPSS tunnel) ------------- _________ | | | ARPA | __________ (PSS tunnel) | NET | | UCLNET |--------------| | | ---------- | --------- | | \ __________ | | ________ G --| SATNET | -- G' ----------------G-| PPSN | ---------- | ________ -------- |___| C/30 | | TAC | -------- Figure 2. Apparent Connectivity For Service 4. How it Will Work The reduction in connectivity between the available physical connections and the apparent connections is achieved by using addresses to convince the ARPANET gateways they are connected to logically disjoint networks. We also use addressing to ensure that US hosts use the correct path for return traffic. This is achieved by using different network numbers on each path, enabling the US hosts to select different gateways. Thus, we will represent all non-MoD users as coming from a network we will call SRC-PSS, and all other users as coming from UCLNET. Of course traffic from PPSN is not affected. In this way the US hosts will select the ARPANET-SATNET gateway (and thus the SATNET path) for MoD authorised users and the BBN VAN gateway for all others. We can summarise the paths from the UK to the US as: 1. From PPSN: this traffic has a direct link to the SATNET gateway, and only allows authorised traffic 2. From PSS: this traffic must pass through access control at UCL and thus the correct path is chosen 3. From TAC: this traffic has direct access to SATNET, but only authorised users will know the telephone number. Eventually TIP (TAC) login will increase the security. - 5 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 We can summarise the US to UK access (including UK-US return traffic) as a sequence of steps: 1. The US host will choose a gateway based on the destination network number. For MoD authorised users and all US users addressing PPSN and UCL networks, this will be the ARPANET-SATNET gateway. For all other users the BBN VAN gateway should be chosen. 2. Traffic arriving via the VAN gateway and IPSS will enter a UCL service host and be forwarded into PSS and SRCNET or to a local UCL host as required. The UCL service host will provide higher-level gateways which match the differing protocols in the DARPA Catenet and X.25 domains: a transport-service gateway for FTP traffic and a terminal protocol converter for terminal traffic. 3. Traffic arriving from the UCL-SATNET gateway will pass to either the TAC, PPSN gateway, or into the UCL network via the SATNET Access Machine (SAM) [3]. 5. Access Control for the PTT Network Connections Extensive use is made of the PTT networks for carrying user traffic and encapsulated datagrams. Controls are required to ensure that only authorised users are allowed to connect to the various entry points of the Catenet. There are two areas to be considered: user level access, and gateway access for encapsulated IP datagrams (tunnels). 1. All user level access to the Catenet from PSS and SRCNET is controlled at UCL by a login procedure, both for terminal access and file transfer. This is discussed in [1]. Similarly, any PSS access to PPSN will be vetted by the MoD's VAN gateway. 2. A more serious problem is the misuse of the tunnels across the PTT networks, for two reasons. First, one or both ends of a tunnel may need to treat the opposite end as a "trusted host" with respect to application of access controls. Since the two ends of the tunnel are connected with switched rather than permanent circuits, one must guard against a third host masquerading as one of the legitimate tunnel hosts. Secondly, the virtual X.25 calls used to carry IP traffic will incur usage charges. Across the international link IPSS, in particular, these charges will be substantial. - 6 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 Figure 1 shows the two tunnels that are planned. 1. From UCL to BBN VAN gateway via IPSS. (Prior to providing service, we will start accessing IPSS via PSS.) 2. From UCL to PPSN via PSS The "trusted host" problem can be handled easily, by having each end of the tunnel accept calls only from the expected host at the other end. Since the PTT network provides the remote host address, this tunnel can only be misused by "breaking" the PTT network. For example, the UCL end of the "PSS tunnel" will accept X.25 virtual calls only from the PPSN gateway, while the MoD VAN gateway to PPSN will accept X.25 virtual calls only from specified calling addresses. Similarly, UCL will only accept calls from the BBN VAN gateway, and the latter will have a list of acceptable calling addresses [4]. Usage charges can pose much greater difficulty. i. Accounting The IP tunnels and the VAN gateway [3] will operate only on IP datagrams, and therefore can account for usage only on the basis of addressing that is visible at that level of protocol. Thus, it is possible to account by internet host, but not by virtual call or even individual user. This forces any user-level accounting and access control back onto the hosts at each end of the virtual call, and at present no ARPANET hosts are prepared to accept this responsibility. Haverty [3] has pointed out a further problem with host-level accounting: the internet gateways do not ensure correct source addresses in the internet datagrams they process. Thus, the VAN gateway cannot rely upon even the alleged internet source host of a datagram destined for the tunnel. ii. GGP It is very undesirable to have internet gateways on both ends of a tunnel through a PTT network, since GGP messages interchanged by the gateways will generate excessive usage charges. Thus, in Figure 2 - 7 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 the UCL end of the IP tunnel must be an internet host, not a gateway. The PSS tunnel for PPSN cannot avoid this GGP traffic, but this path is expected to be used only for experiments in alternate routing, and will not normally exist. iii. Retransmission There are serious problems with the use of an end- to-end retransmission protocol like TCP across an IP tunnel. Some host implementations of TCP use retransmission timeout computations that are incapable of adapting to long network delays, causing execessive retransmissions when calling the UK. The result will be to create excessive usage charges which are not under user control. iv. Call Multiplexing To minimise usage costs, it is necessary to use the X.25 virtual call as efficiently as possible. In general, there should be at most one virtual call open for a given tunnel. When traffic ceases, this call should be closed after a suitable interval. The minimum call duration charge interval should be considered when choosing this idle-call timeout interval. If both ends of the tunnel open calls to each other simultaneously, two calls will result, and one must be closed. There can be an agreement between the two ends of the tunnel that one of them will always close a duplicate call. In the absence of such an agreement, a symmetric algorithm must be used to resolve the race. For example, each side can accept the incoming call and process traffic from it, wait for a random interval, and then close the incoming call (unless the other side has meanwhile closed the other outgoing call). In the event that both sides wait the same time and therefore close their calls simultaneously, the algorithm should be repeated. - 8 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 6. Reconfiguring for Failure The weak links in the routing seen by the Catenet gateways are the Atlantic connections. When one of these breaks, whole sections of the UK user population will be disconnected. In fact, the physical connectivity allows us to realign all UK-US traffic onto the single remaining path, and in theory this change is fairly easily made. In practice, the cost of using the PTT path and the politics of using the SATNET path may preclude such operations. However, we wish to understand the technical problems in switching from the normal dual path to either single path. 1. SATNET failure The MoD traffic via UCL may be routed via IPSS quite easily. PPSN may open their own virtual call to the BBN VAN gateway, but they would need to indicate themselves as neighbours to obtain traffic from the US side (this requires another null network). If a gateway at UCL made itself known as a neighbour to the BBN VAN gateway, a similar path would exist. In either case, traffic from the TAC would be catered for. See figure 3. Notice that the "PTT network path" in Figure 3 really constitutes two or three different internet networks -- SRC-PSS, UCLNET, and perhaps PPSN. For this to work, we require BBN's VAN gateway to support a number of different "local" networks on the VAN side. We believe this to be feasible within the general framework described in [4]. - 9 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 PTT network path (IPSS tunnels) G ________________________________________ / | | / | | / | ___________ | / |---| SRC-PSS | | _________ | ----------- | | | | | | ARPA | ______|___ PSS tunnel | | NET | | UCLNET |---------------| / | | ---------- | / --------- | | / | | / __________ | |/ ________ | SATNET | G' --------------- G -| PPSN | ---------- | ________ -------- |___| C/30 | | TAC | -------- Figure 3. Alternative paths for SATNET route failure 2. IPSS failure The non-MoD traffic could be switched by making it appear to come from UCLNET, however all existing connections would be lost as the addresses change. To continue using the PSS-SRC network addresses via SATNET would require UCL to impose a gateway and inform the UCL-SATNET gateway of the new neighbour. The dynamic rearrangement of Atlantic links requires the gateways to issue redirect message and the US hosts to act on them. See figure 4. ___________ G ------| SRC-PSS | | ----------- _________ | | | | | ARPA | _____|____ PSS tunnel | net | | UCLNET |-----------| | | ---------- | --------- | | \ __________ | | ________ G --| SATNET | -- G' ------------ G -| PPSN | ---------- | ________ -------- |___| C/30 | | TAC | -------- Figure 4. Alternative paths for IPSS route failure - 10 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 7. Issues in Internetworking The problems, and solutions, discussed above represent specific cases of more general issues in Catenet design and operation. In [5] [6] [7] Rosen presents a number of problems in the current Catenet design and implementation. He then goes on to propose a new model for catenet operation. This section will look at the UCL problems in this context, as a contribution to the debate. The addressing solution used at UCL to force a particular route on a packet has 3 disadvantages. 1. It reduces the potentially rich connectivity of the available physical connections to a minimum. 2. It manipulates Catenet routing in an unacceptable way (i.e. a hack). 3. It requires complicated manoevres to restore service via alternative paths when the minimum connectivity is further reduced by failures. It is not clear how easy it will be to automate any switchover. Ideally, the Catenet routing algorithms, implemented in the gateways, should be capable of knowing the full UK-US connectivity without the UK being used as an expressway for US-US traffic. In the present Catenet design and with the present Catenet protocols, such full knowledge by the gateways would have to be constrained by specifying source and return routes in each IP datagram. In practice we find that dependence upon source routing is impractical, as it requires every gateway, and every US host that any UK user may access, to support these 'options'. The overhead of this option on IPSS/PSS charges is another concern. Even more seriously, source routing would move the burden of reconfiguration back onto the hosts and, in the end, the users. In the model put forward by Rosen, gateway routing may be constrained by factors such as cost and suitability of paths. In the UCL case we should also add political factors arising from crossing national boundaries and Telecommunications monopolies. In the Rosen model the full UK-US connectivity would be available to the Switches. Thus we must look at some mechanisms by which we can constrain the actual routes available to particular classes of traffic. The obvious mechanism is to use a 'class field' in the packet which identifies a potential routing problem to the - 11 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 switches. However the UK is not alone in its problems, and in a general Catenet we can imagine a large number of paths having a number of user classes giving a very large class- problem space. Of course, if the entire Catenet is to be accessible from everywhere, each class/path combination must have a unique representation to enable the source Switch to plan a route. The situation is further complicated by allowing a gradation of class. It is not unreasonable to suppose that someone may be prepared to pay for a path (such as IPSS) if the first choice (say SATNET) is unable to provide the required level of service due to traffic loading or malfunction. Thus we also need a mechanism that can say 'if the delay on path X goes above d then use alternative path Y'. Similarly we may have a situation where an administration will say 'allow any users of class m on this path as long as the loading is less than n%'. All of this complexity for each packet! We admit this is an argument about the distant future; however we should consider these general problems now because we already have specific instances of them. As a final note, it is worth pointing out that the UCL addressing hack works because all UK-US traffic to the DARPA Catenet comes through UCL. This situation may not continue. It is not infeasible that a UK research establishment or a US Defense installation in the UK (or Europe) may obtain independent access to the Catenet. Or, the German SATNET installation might decide to increase their service reliability by adding extra connectivity. Each of these may use existing paths as alternatives. In these cases our addressing solution may fall apart, with disastrous results. 8. Conclusion The routing and access control problems for US-UK Catenet operations have been discussed and an interim solution proposed, based on addressing mechanisms. Given the present generation of internet gateways, it is necessary to curtail the use of the full physical connectivity between the US and the UK to avoid gateway routing problems and undesirable paths. Access control between the PTT networks and the DARPA Catenet has also been covered in some detail. - 12 - [Cole and Braden] Routing and Access Control Indra Note 1114 in UK-US Services IEN 190 References 1. Higginson, P. and Braden, R., UK-US Services, Indra Note 1101, IEN 185 2. Strazisar, G, How to Build a Gateway, IEN 109 3. Cole, R. and Lloyd, P., The SATNET Access Machine, Indra Note 1113 4. Haverty, J., Van Gateway: Some Routing and Performance Issues, IEN 181 5. Rosen, E, Issues in Internetting Part 1: Modelling the Internet, IEN 184 6. Rosen, E, Issues in Internetting Part 2: Accessing the Internet, IEN 187 7. Rosen, E, Issues in Internetting Part 3: Addressing, IEN 188 - 13 - [Cole and Braden]