IEN 32 Section 2.3.3.12 Title: Catenet Monitoring and Control: A Model for the Gateway Component Author: John Davidson [Davidson@BBNE] Note: This document contains figures which are not included in this on line version, the figures may be obtained in hardcopy from the author. CATENET MONITORING AND CONTROL: A MODEL FOR THE GATEWAY COMPONENT John Davidson Bolt Beranek and Newman, Inc. IEN #32 Internet Notebook Section 2.3.3.12 April 28, 1978 Catenet Monitoring and Control: A Model for the Gateway Component 1. INTRODUCTION At the last Internet meeting, some concern was expressed that we don't have a real "model" for what a gateway is, what it does, and how it does it, and that without such a model it is somewhat dificult to describe the kinds of activities which should be monitored or controlled by a Gateway Monitoring and Control Center (GMCC). To respond to that concern, we have written this note to express our recent thoughts about a gateway model. Although the note centers primarily around the topic of a gateway model, we have also included a few thoughts about possible models for the other components of a general internetwork structure. The note proceeds as follows. In Section 2 we try to establish a reason for wanting a model of a given internetwork component, and present a brief overview of the potential benefits of Monitoring and Control. This presentation is largely pedagogical since it is assumed that this document will, for a while at least, be the only introduction to the topic available. In Section 3 we discuss the fundamental kinds of activities which must be performed by any internet component if it is to participate in Monitoring and Control. This section establishes motivation for some of the mechanisms discussed in the rest of the paper. - 1 - In Section 4 we discuss the roles which the hosts, local Packet Switching Networks (PSNs), and the Gateway Monitoring and Control Centers (GMCCs) may have to play in Monitoring and Control for the internet. Then, in Section 5, we finally begin to discuss the principle characteristics of a possible gateway model. We examine first a list of practical constraints which influence the way in which the model is being designed, and then, suitably constrained, we begin the task of developing the model itself. A complete modelling has not yet been performed, and is likely to take quite a while to complete. Section 5, however, gives a suitable indication of the way in which the model will be developed, and of the alternative interpretations available to gateway designers who pattern their implementations after the model. - 2 - 2. CONTEXT F OR MODELING It is assumed that gateways exist to make communication possible between hosts on different packet switching networks. In this regard, they actually serve to make a single network out of several diverse, disjoint networks. Thus gateways can be said to form the nodes of a super-network, called a Catenet, whose "links" are the individual packet switching networks, and whose "hosts" are simply the individual hosts of the constituent PSNs. As the nodes of this super-net, the gateways will be responsible in part or in whole for tasks like routing, fragmentation, flow control, reassembly, retransmission, and perhaps data transformation (e.g. encryption/decryption), access control, and even authentication. We can assume that there are benefits to be derived from having the Catenet operate in a coordinated fashion. However, coordination is not achieved by default, because the Catenet is being constructed in pieces, with each piece potentially under the control of a distinct administrator, each gateway implemented in a unique processor, and each program conforming to a different programmer's view of the workings of a gateway. The Internetworking group brought together by ARPA is serving as the coordinating authority for the development of many of the components of the Catenet. To make the important administrative and technical decisions associated with Catenet construction, however, this group must be provided with technical inputs. Many of these inputs can come from theoretical studies, - 3 - protocol investigations, and pre-construction experiments, modeling, and simulation during Catenet development. But the most important source of technical inputs will ultimately be the Catenet itself. If the true operational characteristics of the net can be readily (and continually) determined, then the administrative issues associated with Catenet performance (questions like "why is the throughput not as predicted", "what components are proving unreliable", "should the net be expanded or reconfigured", etc) can be adequately resolved by appeal to the recorded statistics; collection and recording of these operational statistics form a part of what we refer to as Catenet "Monitoring". Also, since the Catenet will sometimes be the "target" of the Internet group or ARPA administrative policy, then, insofar as policy affects the operation of the net (e.g. such "policy" decisions as "failed components should be dumped, reloaded, and restarted ASAP"), technical tools must be provided which help implement the policy; these kinds of tools form a part of what we refer to as Catenet "Control". (Some readers may prefer to think of this as "Coordination" rather than "Control" which unfortunately may carry other undesirable connotations.) In order to be able to Monitor and Control the operation of the Catenet in accordance with administrative policy, in the presence of the diverse component implementations, some model for the network as a whole should be developed. Futher, models for each of the component types (gateways, packet switching nets, hosts) should be developed. These model implementations should then be instrumented in a way that makes it possible to - 4 - accumulate the technical inputs and to effect the operational policy desired by Catenet administrators. If the model implementations are appropriately general, then it is reasonable to dictate that individual implementations adhere to these basic models. BBN is currently pursuing the development of a model for the gateway component of the Catenet. In particular, we are trying to define how the model should be instrumented to provide the appropriate kinds of Monitoring and Control capabilities. Most of the capabilities we think are needed are similar in function to the capabilities already developed for the ARPANET and its Network Control Center, NCC. We are proposing, and in fact have actually begun, the construction of a Gateway Monitoring and Control Center (GMCC) patterned after the NCC (and currently sharing resources with it, since the NCC is already accessible to internetwork traffic and since the scope of the current GMCC is at this time quite modest). - 5 - 3. FUNDAMENTALS OF MONITORING AND CONTROL We assert that all of the Catenet components should be properly instrumented in software (and if necessary, in hardware) to measure the service which the Catenet as a whole provides, and to enhance the maintainability of the net as a whole. The instrumentation should provide us with all the mechanisms required to perform Performance Monitoring Event Recording Functional Testing Component Maintenance Here, by Performance Monitoring, we intend that the status of _______________________ Catenet components (both the binary "working/not-working" indication and the status of internal operational components) be made available to the GMCC. This will require that the Catenet components have a mechanism for communicating periodic status reports and instantaneous error reports "back" to the GMCC. This mechanism may or may not require that the reports from the various net components be synchronized in order to enable the GMCC to obtain a "snapshot" of the network as a whole; if synchronization is required, a synchronizing mechanism will be required as well. It is also undetermined whether a protected path (e.g. one using encryption to prevent spoofing) is required for communicating this information through the Catenet. - 6 - There should also be a mechanism by which the GMCC can request performance data from a Catenet component in the case of non-recurring measurements. The set of monitoring mechanisms installed in any particular component may differ from the set installed in any other component, depending on the granularity of measurement which is desired in each case. By Event Recording, we intend that the raw statistical data _______________ on, say, the number of messages or packets passing through a given component be made available to the GMCC in a standard way. Not only must there be a standard way of collecting the event statistics, but there must also be a way for a designated authority like the GMCC to reset the event counters, say, or turn on or off the event recording mechanisms. We shall have more to say on what events are significant in a subsequent section. By Functional Testing we intend that the GMCC be able to ___________________ direct the activities of the Catenet components either directly (by commanding performance of some task like message generation) or indirectly (by sending, or directing other components to send, messages through a given component) in order to exercise component mechanisms for error analysis or load testing. A useful mechanism in the ARPANET is the ability to isolate failed hardware components by forcing a loopback under software control at each of the component boundaries. The analogue of this scheme in the Catenet is probably simpler, since the boundaries are logically in software (e.g. in the gateway software in cases where a local PSN or another nearby gateway is being tested) or associated with the local PSN which may have reasonably flexible - 7 - control of the interface which connects it to a network host or to a gateway. Looping performed within a component should also be possible. To make use of these testing facilities, we need the ability to generate artificial traffic (and to discard it) and to reflect it (or turn it around) as required. Reflecting messages at gateways can, for example, give a measure of the throughput of Catenet links. By Component Maintenance, we intend that the GMCC have the _____________________ ability to coordinate, and in some cases perform, the analysis of failure for failed components, the restoration of failed components, the institution of program fixes, and the distribution of new releases. It is not clear that Component Maintenance can be the responsibility of just a single GMCC, of course, but if it is to be the responsibility of any GMCC-like component, then the mechanisms by which the failed component is to be handled, and how it is to be of use in the maintenance activity, should be adequately modelled for each component in question. In this regard, we see a potential need for incorporating mechanisms for self diagnosis in the component models, for enabling the GMCC (or some other network host in conjunction with or in place of the GMCC) to read and write arbitrary locations in a component's memory, etc. Note too that the gateway programs will be provided by various implementers. These implementers may in some cases be willing to allow a given GMCC to handle reloads and restarts of - 8 - their component when it fails. Both the implementer and the GMCC staff may have to be involved in debugging the component if the gateway's model debugging facility (which presumes the use of a GMCC) is all the original implementers have for accessing their component remotely. It might prove useful for the GMCC to be able to copy the contents of a failed component into a file for later inspection by the original implementers in case they are unavailable to copy the contents themselves at the time of malfunction. - 9 - 4. MODELS FOR THE PRINCIPLE CATENET COMPONENTS This note is principally about gateway modelling. However, we have asserted throughout, the need to model the other components of the general Catenet as well, so that we can use them in Monitoring and Control applications where they are needed and where they can be useful. Here we describe briefly the goals we have for modelling the other components. 4.1 The GMCC The functions of a GMCC should be able to be performed by any host in the composite net. In view of this, a high level description, or model, of the way a GMCC operates should be created. Both the GMCC program(s) and its data base(s) should be described in a way which allows Catenet users to reproduce the GMCC functions (this basically requires coding of the GMCC programs in a high order language) and to interrogate or duplicate the accumulated data base(s) as required for their own special purposes. Because each gateway, host, or local PSN component of the composite Catenet is potentially the property of a distinct administrative authority, it is conceivable that each might actually be monitored or controlled by a distinct GMCC. This would not necessarily be the best arrangement for purposes of overall net maintainability, but nonetheless must be allowed for. What is more likely, however, is that a given administrator will give permission to some approved Catenet GMCC to perform the Monitoring and Control activities associated with Performance - 10 - Monitoring, say, or with Event Recording, but reserve for itself the ability to perform the activities associated with Functional Testing and Component Maintenance. In this case, the Administrator's host will have to understand and be able to duplicate the model GMCC functions, and the Catenet component will have to know to respond to one or the other GMCC depending on the function being requested. Since different authorities might exist for each different function, this capability should be modelled. Further, the mechanism for changing the name or address of the various designated authorities should also be modelled. Then the fact that each Catenet component knows the name of the authority designated to perform a given function makes it possible to restrict arbitrary hosts from abusing their ability to emulate a GMCC. 4.2 The Hosts Members of the ARPANET NCC staff have asserted that "a key factor in network maintainability is the centralization of the responsibility for providing adequate user service. Since service is best defined at the man/machine interface, a significant gain in maintainability would come about if the user interface were completely at the man/machine boundary. By including a host within the sphere of responsibility of network maintenance, there could be more uniform and speedier resolution of problems within that host. Since the network design allows for dissimilar node programs, not much additional complexity is required to maintain a set of dissimilar service hosts. (Thus) - 11 - the scope of the network should be expanded to providing user services with corresponding benefits for both unified design and maintainability." This may be an extreme position, and may not actually be as easy as anticipated by the NCC staff, but nevertheless it is a position which has at least some validity, especially in view of the fact that gateways are themselves just hosts, and much of the modelling performed for gateways can thus be applied to other general purpose hosts. Consider what Monitoring and Control might be possible if some small component of the host's network software, such as the TCP program, were instrumented to allow Performance Monitoring, Event Recording, etc. under control of a GMCC. The instrumentation would simply provide that the TCP keep track of its events of interest and arrange for them to be made available in a convenient way to some other protocol module (perhaps) for transmission to the GMCC. In addition, if there is to be Control of a TCP, some internal means should be provided for a process to direct certain actions of the TCP (for example the resetting of accounting statistics). Certain other capabilities might also prove useful. The TCP should be able to report to the GMCC any errors it observes in packet formats, packet delivery, etc. so that host personnel with a reliable TCP implementation need not be concerned about error analysis for newly added, undebugged hosts, say. The GMCC is certainly in the appropriate position to be able to correlate abnormal TCP interactions with Catenet component outages and be - 12 - able to explain the abnormal behavior to the host via messages to the TCP. The TCP should be able to be instructed to discard certain messages or to echo them back to their source. It should perhaps be able to timestamp and trace various messages. These kinds of activities would all be possible given an appropriate and uniform instrumentation of the various TCP implementations. 4.3 The PSNs The links of the Catenet are the local PSNs. Unlike usual network links, these links are equipped with a processing capability in the form of their own node computers or their own NCC hosts, etc. Whatever form this processing capability takes, it can presumably be made to communicate with other Catenet components using the protocols for GMCC-to-component and component-to-GMCC communication. The local PSNs should be able to report errors in interfacing which occur at the PSN/gateway interface; they can also report gateway ups and downs as they observe them; they might be instrumented to assist in tracing and looping of messages sent to or through them; they could keep track of the length of gateway outages; and since the PSN is the only component with hardware (in most cases) connections to the gateway and host components, it can perhaps help in the restart or reload of these components. The techniques for performing any of these activities should be carefully and completely modelled. - 13 - 5. A MODEL FOR THE GATEWAY COMPONENT The principle thing we expect a gateway to do is to perform message routing; a suggested routing mechanism is presented in IEN No. 30, "Gateway Routing: An Implementation Specification", by Strazisar and Perlman. Beyond this, there are several secondary activities in which the gateway must play a role, and the large majority of these can be clustered under the general heading of Monitoring and Control. These are the activities we are most concerned with here. As discussed earlier, the gateway component, like any other component, should be instrumented to include mechanisms which allow it to cooperate with a GMCC in providing Performance Monitoring, Event Recording, Functional Testing, and Component (i.e. gateway) Maintenance. It is the role of the model to identify the mechanisms which should be used within the gateway to provide these various functions. 5.1 Considerations Affecting the Design The intent of this section is to give some insight into the process by which the model for the gateway component will be developed. There are a number of fundamental considerations which should be stated beforehand because of their impact on the way we want to think of gateways as an entity and thus on the way we think of the necessarily composed. The first of these is that a gateway should be considered to have a net-independent part and one or more net-dependent parts. The net-independent part should be considered the heart of the gateway -- the place where the - 14 - common functions of routing, flow control, etc. are actually performed; this part is hopefully divorced from considerations of the networks to which the gateway is attached. The net-dependent parts on the other hand may all be different, since the networks in most cases will be different, but each should have the same eessential structure: there will be modules which gate messages to and from the attached net, and modules which append or remove local headers to or from internet (and other) messages, etc. One of the challenges for the model designer and gateway implementer is to carefully design the boundary between the net-dependent and net-independent functions. The gateway model should be able to accommodate more than one type of gateway implementation. That is, it should accurately describe or apply to implementations such as: - the conventional gateway. This is a single processor performing gateway functions only and connected to only two nets. - a two- or multi-processor gateway. This is a distributed implementation of the gateway, such as the "half-gateway" model once considered; the mechanisms used by the separate processors to communicate with each other should not affect the model design. - gateways within general purpose host processors where the gateway program is just one of several that may want access to the network. - gateways connected to three or more networks. - gateways using only a single net interface. Such an arrangement might result if, for example, a single medium were used by two different nets. readdressing, say, .... - both big and small (in terms of power, size, cost, capability) gateways (including very simple - perhaps purely hardware - implementations). - 15 - - existing ARPANET gateways. - existing othernet (sic) gateways. - the gateway module which sits between a host TCP, say, and the network, and whose job it is to select a destination gateway consistent with the destination host. - a gateway with two or more interfaces to a single network. - a gateway which is (either always or sometimes) unwilling or unable to participate in Monitoring and Control exercises. - gateways which are responsible for access control or authentication. The need for these special functions may impact the form of certain mechanisms proposed for use in the model implementation. - gateways which need to perform fragmentation or reassembly of encrypted data messages, or which need to be able to understand special packet formats associated with secure data transmissions. - gateways which may without warning turn into "one-way" paths only for such applications as military EMCON. 5.2 The Beginnings of a Model There are several kinds of information which the gateway should be able to exchange with the GMCC in support of its Monitoring and Control activities. Among them are: Administrative Information This is information that identifies the gateway uniquely among all the components of the composite Catenet. To get a proper picture of the net at any given time, a GMCC would like to be able to discern, among other things, the computer type the memory size the gateway characterization (conventional, ARPANET, ...) the Administrator's name, address, phone number the program size, release number, release date and time - 16 - the addresses of hosts serving as GMCCs the names of connected nets, etc. Information such as this may best be sent unsolicited to a special service host when a gateway first comes up on the net after some outage; interested experimenters could then retrieve the information from the host much as is currently done in the ARPANET for retrieving Host status information. Measurement Information This information is simply the collective set of statistics accumulated by the gateway during its operation. They reflect the processing performed by the gateway in servicing internet traffic. Monitoring Information This is primarily the "up/down", "up for how long", "planned outages", "recent crash explanation", "net interface reset", etc. kinds of information which dictates to the GMCC the status and health of the gateway component. Control Information This is either the information sent by the GMCC to cause the gateway to enter a test, reload, or, restart mode, or the information sent by the gateway to the GMCC to report the results of component testing, to dump some of its memory, etc. Debugging Information Patterned after a general purpose time sharing host's DDT program which has complete control over the execution of subservient programs, the information associated with debugging includes commands to read or write a cell, to set or reset (pseudo) breakpoints, to search memory, etc. and the responses to these commands. Two kinds of DDTs may have to be accommodated in any given gateway implementation, one to be used by experimenters, say, and one, like XNET, to be used during initial debugging. Descriptive Information This is the information which conveys to the GMCC the list of capabilities possessed by the gateway; it includes a listing of the kinds of information collected and reported by the gateway, a characterization of queue capacities, a list of settable operational parameters, a description of the histograms maintained by the gateway, a list of the protocols supported, etc. It responds to the GMCC's questions about "what can you do", "how much can you do", etc. - 17 - Experimental Information This is the information associated with the manipulation of the component by experimenters. It is in part descriptive (experimenters can ask what experiments are supported, what parameters are allowed, what range on parameters is accepted, etc.), in part control (they can request initiation of an experiment), and in part measurement (they can request operational statistics associated with the experiment), but it seems reasonable to distinguish it as distinct from these other operational aspects insofar as possible; not all gateways which provide descriptive, control, and measurement information will also support experimental use. Accounting Information This information is basically the set of raw statistics which should be used by an administrator for charging for gateway utilization. It is reasonable to distinguish this information from pure measurement information since it is not necessarily of interest to a GMCC worrying about functional capabilities, and will likely have to be reported to some special host rather than a general purpose community GMCC. Operational Information This is included here just as a reminder that in addition to manipulating all the information associated with Monitoring and Control activities, the gateway will also want to occassionally handle internet messages, routing messages, and the rest of the information that is its "reason for being" in the first place! Note that it is possible to consider that each individual kind of information is associated with a particular kind of "event" which occurs within a gateway. Thus we may have Measurement events, Monitoring events, and even Administrative events within a functioning gateway. It is also the role of the gateway model to specify how these events are to be recognized, recorded, reported, caused, prevented, suspended, continued, etc. - 18 - At least three notions are central to our discusionss at this point. First, we have the four basic functions that we have discussed in detail before: Performance Monitoring, Event Recording, Functional Testing, and Component Maintenance. From a suitable, high level external viewpoint, these are the functions that the gateway is involved in. Second, we have the different kinds of information which must be recorded by the gateway and transported between the gateway and the GMCC. Each different kind of information implies possibly a distinct formatting requirement, distinct collection mechanism, etc. Finally, there are the several different mechanisms which must exist inside the gateway that can be used to collect, record, and report the different kinds of information. The most apparent mechanisms which exist in the gateway implementations are processes. Processes are the addressable resources which carry on dialogues with the GMCC and with each other in some cases. In addition to the distinct processes, there are other mechanisms which we will just label as "routines". Routines are best thought of as utility functions which may be invoked by any of the gateway processes to help each get its collecting, recording, and reporting done. An example of a utility routine might be one which formats a message according to gateway-to-GMCC protocol specifications and adds it to a queue of messages to be sent. Examples of processes are - the monitoring process which generates the periodic and spontaneous reports to the GMCC describing the operational status of the gateway. - 19 - - the measurement process which delivers cumulative statistics to the GMCC. - the echoing process which returns all received messages to the source from which they originated. - the memory transport process which moves portions of the gateway memory (programs or data) to or from the GMCC. - the terminal handling process which excanges ASCII character streams between the gateway's terminal (if one is present) and a specified internetwork source or destination. - the debugging process. - the message generator process. - etc. It should be obvious that processes do not deal one-to-one with the kinds of information we discussed above. A given process, such as the measurement process, may be used to report the cumulative statistics of each of several kinds of information. Alternatively, it may take more than one process to deal with all the information of any particular kind; for example experimental information as discussed above. And it is certainly likely that multiple distinct processes will have a need to share a single common routine whenever their processing requirements are identical; for example, tracing of messages sent from the GMCC to the debugger, to the echoer, or to the terminal handler should be done by having each process (conceptually) invoke the single trace mechanism. It may also be the case that two processes can be cascaded for the purpose of combining different kinds of information into a single net message. - 20 - 5.3 A Sample Modeling We will develop the gateway model in terms of a general purpose host's implementation, since this allows inclusion of as much mechanism as may be useful for the more general implementation. The figure below shows the principle components of the input handler for a net-dependent part of a general purpose gateway. First there is a hardware component which represents the physical interface between the network and the gateway processor. Obviously this interface will be different for different nets and for different processors, but as a model component should always correspond to some real chunk of hardware in any implementation. Second, there is a piece of code which serves to control the input portion of the net interface hardware. Its basic function is to effect the reading of messages from the network into gateway memory. In the process, it may perform intermediate parsing, do checksum and consistency processing, etc. Third, there is a message queue where unparsed messages reside after they have been received by the net interface routine but before they have been processed by any other gateway routine. This queue may be implemented in any of several ways, and may only have room for a single message in some implementations. (A "higher" level routine may perform queue management in this case, using a different data structure.) - 21 - - 22 - Fourth, there is a second routine depicted whose job it is to parse the received messages one-by-one and distribute them individually to new message queues based on the contents of their local network header. Finally, there are several model components (including both data structures and routines) which are not pictured, but still must be modelled; a subsequent and more complete modelling effort will certainly include them. These are data structures like buffer pools and routines like buffer managers, etc. Associated with these model components are a large number of parameters, both static and operational. These are the things we've been calling "events". In the following we give a sampling of the events of interest for each of the event types we identified before. The sampling is not complete, but it is representative of the kinds of information we might be interested in for purposes of Monitoring and Control in the gateway modelling. Of course, not all of the events are of equal interest or value; as modelers, we should attempt to identify as many as we can, and leave to the individual implementers the selection of which events they really want to record, report, etc. Events of Interest: Administrative - the name and manufacturer of the hardware interface - 23 - Measurement - a histogram of log[base 2] message sizes message counts for each distinct local header type Monitoring - cumulative uptime number of interface errors Control - reset counters place a message on the input queue Debugging - read the hardware status register Descriptive - Fan out for local headers queue size maximum message size Experimental - discard every second message at the interface Accounting - total bits received at the interface 5.4 Continuing the Sample Modeling In this section we continue the sample model introduced above by showing how certain of the data paths might be extended to account for subsequent message processing. It should be easy - 24 - to identify the events of interest in this extension given a little thought. Subsequent attempts at modelling will enumerate these in detail. Note that there are probably several alternative ways of depicting these later stages of message processing; this fact is compounded by the fact that this is the point in message processing where the net-dependent/net-independent boundary may be crossed. Further discussion of alternatives to this part of the model is postponed to the section entitled "Issues". Figure 2 shows the extension to the model. It begins where the previous figure left off. First, note that at this point we have separated the various types of messages arriving at the net interface into unique queues according to indicators in the local header. For this figure we will follow only a single path -- the one followed by internet messages which carry the normal internet traffic. These internet packets are removed from their queue by a routine which separates them again, this time according to the version bit, into a queue of messages which employ the previous internet formatting conventions and a queue of messages which employ the current conventions. From this latter queue, the messages are sent to another routine whose job is to initiate the option processing. In Figure 2, we have represented the options as subroutines without further elaboration; subsequent versions of the model should provide the elaboration. - 25 - - 26 - Finally, after option processing, the messsages are separated again into individual queues according to the values in the protocol field. Here, separate queues may be formed for unrecognized protocols, previous and current versions of TCP, gateway routing messages, and eventually the Monitoring and Control messages, the Datagram Protocol, the Real-Time Protocol, etc. As stated, we will not elaborate here on the events of interest for this part of the model; some should be obvious. - 27 - 5.5 Unresolved Issues In this section we want to address a number of issues which are not yet resolved in the modelling of the gateway component. Their resolution will probably depend on prolonged discussions in certain cases, on snap decisions in others; possibly in some cases a satisfactory resolution will not be possible, and whatever alternative solutions are proposed will all have to be included in a generalized modelling to make sure the modelling is comprehensive enough. At any rate, the topics which need further investigation are presented below. 5.5.1 Are the Event Types Correct First there needs to be some general agreement that the event types (information types) we have identified are sufficient for modelling purposes. It is probably the case that they are correct enough for a beginning, and that no particularly disruptive perturbation of the model would be caused if another event type had to someday be accommodated or an existing event type had to be deleted. However, the omission of an XNET information type (not to be confused with the distinct "debugging" type) may have to be remedied before too long. - 28 - 5.5.2 What Information Should be Communicated to the GMCC Here there is a lot of room for varying opinion. The next cut at the model will try to identify as many potential events of interest as possible. Obviously, not all these events will be of interest to all implementers; that's why the Monitoring and Control mechanisms must be sure to allow for only partial participation on the part of any particular implementation. However, it may also be the case that we omit some event that is of particular interest to some gateway implementer, or the information which we choose to record about the event is not quite what is needed for some implementer's needs. Our collection mechanism must be flexible enough to accommodate extensions at any time. Here the real issue may be how to control, administratively, the selection of events of interest so that all parties are satisfied with the set selected. 5.5.3 How Should Information be Communicated to the GMCC We are of the opinion that in most cases, the basic gateway-to-GMCC communication facility should be datagram oriented on the basis that (1) connection overhead may be too expensive for certain gateway implementations, that (2) no flow control is probably needed since the gateways will not be generating data too frequently and since GMCCs will generally have substantially greater storage and processing capabilities than will the gateways, and that (3) a practical reporting scheme - 29 - can probably be developed in which lost messages will not necessarily represent lost information, merely delayed delivery of information, since the contents of lost messages can be inferred from later messages, (this is the case for cumulative statistics for example); on the other hand, the datagrams should carry sequencing information, and will of course employ standard Internet Headers. Datagram service will be satisfactory in most cases, we hope. In certain instances, however, reliable transmissions may be extremely important; for these instances, some additional capability may have to be added. As yet, we have no real feel for the capabilities required; thus this is still an open issue. Also at issue is the decision as to whether internet messages directed at the various gateway processes should all carry a single protocol designator, or whether each different message type should command a distinct designator. It is not yet clear whether minimal gateway implementations would find it easier to process messages formatted in one way vs. the other, or whether it is too wasteful of the Internet Header's protocol field, or whether it is easier one way or the other to subsequently add or delete new message formats. Beyond these basic issues, there is also the issue of message formats and message content. Two alternatives present themselves as regards event reporting. We assume that event counters can be maintained in 16-bit words, say. We can insist that messages contain a fixed number of counters in a fixed order, and thus eliminate the need to transmit descriptive - 30 - information with each reporting message. Or, we can allow for every counter to be accompanied by another word which names the counter. Tradeoffs between the two strategies are not yet properly understood. 5.5.4 Addressing Processes from Outside the Gateway Each of the gateway processes responsible for some activity of Monitoring and Control has a unique identity, or name, within the Catenet. But because the gateway is attached to multiple nets, it is possible for each process to have multiple distinct addresses. We can assume that one reasonable modelling for the net-dependent input handler requires the input handler to recognize at the net interface all the messages addressed to processes which share its own net (and host) address. This is the case for example in a general purpose implementation of the gateway, since the general purpose input handler doesn't normally receive messages for processes that don't share its own net address. It probably should not be the responsibility of a given net-dependent input handler to be aware that it is playing a role in a gateway implementation, and thus to be cognizant of the alternative internet addresses of the gateway processes it thinks of as its own; i.e. the net-dependent code should not have to know what other nets the gateway is connected to. Therefore, if a message arrives at one net interface that specifies a resource (process) whose net address is different from that of the input handler, then the message should simply be handed off to a - 31 - special process which can effect the proper disposition for the message without further involvement of the input handler. Figure 3 depicts this arrangement. Here, each network has its own interface to a common copy of the gateway process, so that it can communicate with it directly whenever a message arrives which addresses the process via the appropriate net. However, when a message is received for a destination not known to the input handler, the message is simply handed to the special process, which in this figure is referred to as the "Postman". Note that the Postman can effect delivery to the processes via its own interface, so that successful delivery does not depend on the route taken by the message. (Note that the model might want to specify that the Postman be able to add messages to the input queues of the net-dependent input handlers as a means for effecting delivery in a uniform way.) The Postman here also has the responsibility for performing the tasks associated with the routing of messages to distant locations. That is, messages input at the gateway which are only passing through should be routed by the general gateway routing algorithms; these can be implemented by the Postman, or by some other process to which the Postman interfaces. There is, of course, another way to model the net-dependent/net-independent boundary. Figure 4 shows this other way. - 32 - - 33 - - 34 - Basically the difference here is that the net-dependent input handlers no longer have their own interfaces to the gateway processes. Instead, they simply pass all received messages to the internal Postman and allow it to effect delivery. This is an acceptable approach even if in the general purpose host implementation the net-dependent input handlers still have to worry about interfacing processes which aren't using Internet Headers. However, in this model, the Postman and the affected processes must be sure to not lose the destination address by which they were reached, lest they not be able to use the same address for the source in the header of their response messages. (We are somehow assuming that the recipient of a message whose source address does not match the destination address which was used for transmission, will not be anxious to perform the required reverse lookup to map the source address into a resource name. If we were to model this capability, it is not clear where the processing for this lookup would be performed.) At issue here then is just exactly which of these two models should be assumed for "the" model implementation. 5.5.5 Addressing Processes from Inside the Gateway Here is an issue which has certainly been touched on in other internet meetings; it is basically a discussion of the need for high level protocols to carry their own addressing information. - 35 - Gateway processes will have occassion to communicate with other processes in support of gateway routing or gateway Monitoring and Control. Traffic between two gateway processes may be intrahost, intranet, or internet, depending on the relative locations of the source and destination processes. At issue is whether in all cases a single data transport protocol should be used to effect message delivery. We have already "concluded" in the discussion of event reporting that gateway Monitoring and Control messages should employ Internet Headers in all cases. And it would certainly seem on the surface that this scheme is ideal. However, in certain cases this may not be true. We are struck by an inconsistency which arises when we try to attain symmetry in modelling the gateway's internal organization. At one point in the model, we have a process whose job it is to route messages through a given local net. Whenever _________ it is handed an internet message, it analyzes the header of the message in order to determine the desired destination, and hence what local address to specify in the net-dependent data transport protocol. The inconsistency is found because we don't have a corresponding process whose job it is to analyze higher level protocol headers in order to route messages through the internet ________ (using the internet data transport protocol). This means either that each of our Monitoring and Control processes must make up an Internet Header itself, or that, if some common process is to do it, the common process must be handed the addressing information by some "out-of-band" path (such as a shared memory control - 36 - block). This may not be easy to provide for a distributed gateway implementation, say. The real issue here, of course, is inspired by the problems we see for, say, TCP users, if the Internet and TCP Headers recently proposed are adopted for use in the Catenet. The fact that higher level protocols are being designed which don't carry their own addressing information means that these protocols will be practically unusable in any instance where the data transport protocol used to carry the messages is different from the data transport protocol embodied in the Internet Header. TCP, for example, would probably not be usable without Internet Headers in the ARPANET, since port addressing would be impossible. Although it is probably the case that we will not opt to include addressing information in the messages which adhere to our higher level Monitoring and Control protocols, and will thus in fact choose to use the Internet Header to provide addressing, we nevertheless wonder if it is wise to arbitrarily restrict these protocols to use with only a single data transport protocol. - 37 -