Movatterモバイル変換
[0]ホーム
[RFC Home] [TEXT|PDF|HTML] [Tracker] [IPR] [Info page]
UNKNOWN
Network Working GroupRequest for Comments: 911 EGP GATEWAY UNDER BERKELEY UNIX 4.2 PAUL KIRTON University of Southern California, Information Sciences Institute Visiting Research Fellow from Telecom Australia Research Laboratories 22 August 1984 ABSTRACTThis report describes an implementation of the Exterior Gateway Protocol thatruns under the Unix 4.2 BSD operating system. Some issues related to localnetwork configurations are also discussed.Status of this Memo:This memo describes an implementation of the Exterior Gateway Protocol (EGP)(in that sense it is a status report). The memo also discusses some possibleextentions and some design issues (in that sense it is an invitation forfurther discussion). Distribution of this memo is unlimited. Funding for this research was provided by DARPA and Telecom Australia.
RFC 911 i Table of Contents1. INTRODUCTION 11.1 Motivation for Development 11.2 Overview of EGP 22. GATEWAY DESIGN 42.1 Routing Tables 4 2.1.1 Incoming Updates 5 2.1.2 Outgoing Updates 52.2 Neighbor Acquisition 62.3 Hello and Poll Intervals 62.4 Neighbor Cease 72.5 Neighbor Reachability 72.6 Sequence Numbers 82.7 Treatment of Excess Commands 82.8 Inappropriate Messages 82.9 Default Gateway 93. TESTING 104. FUTURE ENHANCEMENTS 114.1 Multiple Autonomous Systems 114.2 Interface Monitoring 114.3 Network Level Status Information 114.4 Interior Gateway Protocol Interface 125. TOPOLOGY ISSUES 135.1 Topology Restrictions and Routing Loops 13 5.1.1 Background 13 5.1.2 Current Policy 145.2 Present ISI Configuration 15 5.2.1 EGP Across ARPANET 17 5.2.2 EGP Across ISI-NET 17 5.2.3 Potential Routing Loop 185.3 Possible Future Configuration 18 5.3.1 Gateway to UCI-ICS 18 5.3.2 Dynamic Switch to Backup Gateway 19 5.3.2.1 Usual Operation 19 5.3.2.2 Host Initialization 19 5.3.2.3 When Both the Primary and Backup are Down 20 5.3.2.4 Unix 4.2 BSD 206. ACKNOWLEDGEMENT 217. REFERENCES 22
RFC 911 11. INTRODUCTIONThe Exterior Gateway Protocol (EGP) [Rosen 82; Seamonson & Rosen 84; Mills 84a]has been specified to allow autonomous development of different gateway systemswhile still maintaining global distribution of internet routing information.EGP provides a means for different autonomous gateway systems to exchangeinformation about the networks that are reachable via them.This report mainly describes an implementation of EGP that runs as a user * **process under the Berkeley Unix 4.2 operating system run on a VAX computer.Some related issues concerning local autonomous system configurations are alsodiscussed.The EGP implementation is experimental and is not a part of Unix 4.2 BSD. It isanticipated that Berkeley will incorporate a version of EGP in the future.The program is written in C. The EGP part is based on the C-Gateway codewritten by Liza Martin at MIT and the route management part is based on Unix4.2 BSD route management daemon, "routed".The EGP functions are consistent with the specification of [Mills 84a] exceptwhere noted.A knowledge of EGP as described in [Seamonson & Rosen 84; Mills 84a] isassumed.This chapter discusses the motivation for the project, Chapter 2 describes thegateway design, Chapter 3 is on testing, Chapter 4 suggests some enhancementsand Chapter 5 discusses topology issues.Further information about running the EGP program and describing the softwareis being published in an ISI Research Report ISI/RR-84-145 [Kirton 84].Requests for documentation and copies of the EGP program should be sent toJoyce Reynolds (JKReynolds@USC-ISIF.ARPA). Software support is not provided.1.1 Motivation for DevelopmentWith the introduction of EGP, the internet gateways will be divided into a"core" autonomous system (AS) of gateways maintained by Bolt, Beranek andNewman (BBN) and many "stub" AS's that are maintained by differentorganizations and have at least one network in common with a core AS gateway.The core AS will act as a hub for passing on routing information between_______________ * Unix is a trade mark of AT&T ** VAX is a trade mark of Digital Equipment Corporation
RFC 911 2different stub AS's so that it will only be necessary for stub AS's to conductEGP with a core gateway. Further detail is given in [Rosen 82].At the time of this project there were 28 "non-routing" gateways in theinternet. Non-routing gateways did not exchange routing information butrequired static entries in the core gateway routing tables. Since August 1,1984 thesestatic entries have been eliminated and previously non-routinggateways are required to communicate this information to the core gatewaysdynamically via EGP [Postel 84].At the USC Information Sciences Institute (ISI) there was a non-routing gatewayto the University of California at Irvine network (UCI-ICS). With theelimination of non-routing gateways from the core gateway tables it isnecessary to inform the core ISI gateway of the route to UCI-ICS using EGP.Also, we would like a backup gateway between ISI-NET and the ARPANET in casethe core ISI gateway is down. Such, a gateway would need to convey routinginformation via EGP. Details of the ISI network configuration are discussed inSection 5.2.Of the 28 non-routing gateways 23 were implemented by Unix systems, includingISI's. Also, ISI's proposed backup gateway was a Unix system. Thus there was alocal and general need for an EGP implementation to run under Unix. The currentversion of Unix that included Department of Defense (DoD) protocols wasBerkeley Unix 4.2 so this was selected.1.2 Overview of EGPThis report assumes a knowledge of EGP, however a brief overview is given herefor completeness. For further details refer to [Rosen 82] for the background toEGP, [Seamonson & Rosen 84] for an informal description, and [Mills 84a] for amore formal specification and implementation details.EGP is generally conducted between gateways in different AS's that share acommon network, that is, neighbor gateways.EGP consists of three procedures, neighbor acquisition, neighbor reachabilityand network reachability.Neighbor acquisition is a two way handshake in which gateways agree to conductEGP by exchanging Request and Confirm messages which include the minimum Helloand Poll intervals. Acquisition is terminated by exchanging Cease andCease-ack messages.Neighbor reachability is a periodic exchange of Hello commands and I-H-U (Iheard you) responses to ensure that each gateway is up. Currently a 30 secondminimum interval is used across ARPANET. Only one gateway need send commands asthe other can use them to determine reachability. A gateway sendingreachability commands is said to be in the active mode, while a gateway thatjust responds is in the passive mode.
RFC 911 3Network reachability is determined by periodically sending Poll commands andreceiving Update responses which indicate the networks reachable via one ormore gateways on the shared network. Currently 2 minute minimum interval isused across ARPANET.
RFC 911 42. GATEWAY DESIGNEGP is a polling protocol with loose timing constraints. Thus the only gatewayfunction requiring good performance is packet forwarding. Unix 4.2 already haspacket forwarding built into the kernel where best performance can be achieved.At the time of writing Unix 4.2 did not send ICMP (Internet Control MessageProtocol) redirect messages for misrouted packets. This is a requirement ofinternet gateways and will later be added by Berkeley.The EGP and route update functions are implemented as a user process. Thisfacilitates development and distribution as only minor changes need to be madeto the Unix kernel. This is a similar approach to the Unix route distributionprogram "routed" [Berkeley 83] which is based on the Xerox NS RoutingInformation Protocol [Xerox 81].2.1 Routing TablesA route consists of a destination network number, the address of the nextgateway to use on a directly connected network, and a metric giving thedistance in gateway hops to the destination network.There are two sets of routing tables, the kernel tables (used for packetforwarding) and the EGP process tables. The kernel has separate tables for hostand network destinations. The EGP process only maintains the network routingtables. The EGP tables are updated when EGP Update messages are received. Whena route is changed the kernel network tables are updated via the SIOCADDRT andSIOCDELRT ioctl system calls. At initialization the kernel network routingtables are read via the kernel memory image file, /dev/kmem, and copied intothe EGP tables for consistency.This EGP implementation is designed to run on a gateway that is also a host.Because of the relatively slow polling to obtain route updates it is possiblethat the host may receive notification of routing changes via ICMP redirectsbefore the EGP process is notified via EGP. Redirects update the kernel tablesdirectly. The EGP process listens for redirect messages on a raw socket andupdates its routing tables to keep them consistent with the kernel.The EGP process routing tables are maintained as two separate tables, one forexterior routes (via different AS gateways) and one for interior routes (viathe gateways of this AS). The exterior routing table is updated by EGP Updatemessages. The interior routing table is currently static and is set atinitialization time. It includes all directly attached nets, determined by theSIOCGIFCONF ioctl system call and any interior non-routing gateways read fromthe EGP initialization file, EGPINITFILE. The interior routing table could infuture be updated dynamically by an Interior Gateway Protocol (IGP).Maintaining separate tables for exterior and interior routing facilitates thepreparation of outgoing Update messages which only contain interior routinginformation [Mills 84b]. It also permits alternative external routes to theinternal routes to be saved as a backup in case an interior route fails.Alternate routes are flagged, RTS_NOTINSTALL, to indicate that the kernel
RFC 911 5routes should not be updated. In the current implementation alternate routesare not used.2.1.1 Incoming UpdatesEGP Updates are used to update the exterior routing table if one of thefollowing is satisfied: - No routing table entry exists for the destination network and the metric indicates the route is reachable (< 255). - The advised gateway is the same as the current route. - The advised distance metric is less than the current metric. - The current route is older (plus a margin) than the maximum poll interval for all acquired EGP neighbors. That is, the route was omitted from the last Update.If any exterior route entry, except the default route, is not updated by EGPwithin 4 minutes or 3 times the maximum poll interval, whichever is thegreater, it is deleted.If there is more than one acquired EGP neighbor, the Update messages receivedfrom each are treated the same way in the order they are received.In the worst case, when a route is changed to a longer route and the old routeis not first notified as unreachable, it could take two poll intervals toupdate a route. With the current poll interval this could be 4 minutes. UnderUnix 4.2 BSD TCP connections (Transmission Control Protocol) are closedautomatically after they are idle for 6 minutes. So this worst case will notresult in the automatic closure of TCP connections.2.1.2 Outgoing UpdatesOutgoing Updates include the direct and static networks from the interiorrouting table, except for the network shared with the EGP neighbor.The networks that are allowed to be advised in Updates may be specified atinitialization in EGPINITFILE. This allows particular routes to be excludedfrom exterior updates in cases where routing loops could be a problem. Anothercase where this option is necessary, is when there is a non-routing gatewaybelonging to a different AS which has not implemented EGP yet. Its routes mayneed to be included in the kernel routing table but they are not allowed to beadvised in outgoing updates.If the interior routing table includes other interior gateways on the networkshared with the EGP neighbor they are include in Updates as the appropriate
RFC 911 6first hop to their attached networks.The distance to networks is set as in the interior routing table except if theroute is marked down in which case the distance is set to 255. At presentroutes are only marked down if the outgoing interface is down. The state of allinterfaces is checked prior to preparing each outgoing Update using theSIOCGIFFLAGS ioctl system call.Unsolicited Updates are not sent.2.2 Neighbor AcquisitionEGPINITFILE lists the addresses of trusted EGP neighbor gateways, which areread at initialization. These will usually be core gateways as only coregateways provide full internet routing information. At the time of writingthere were three core gateways on ARPANET which support EGP, CSS-GATEWAY,ISI-GATEWAY and PURDUE-CS-GW, and two on MILNET, BBN-MINET-A-GW and AERONET-GW.EGPINITFILE also includes the maximum number of these gateways that should beacquired at any one time. This is usually expected to be just one. If thisgateway is declared down another gateway on the list will then be acquiredautomatically in sufficient time to ensure that the current routes are nottimed out.The gateway will only accept acquisitions from neighbors on the trusted listand will not accept them if it already has acquired its maximum quota. Thisprevents Updates being accepted from possibly unreliable sources.The ability to acquire core gateways that are not on the trusted list but havebeen learned of indirectly via Update messages is not included because not allcore gateways run EGP.New acquisition Requests are sent to neighbors in the order they appear inEGPINITFILE. No more new Requests than the maximum number of neighbors yet tobe acquired are sent at once. Any number of outstanding Requests areretransmitted at 32 second intervals up to 5 retransmissions each at which timethe acquisition retransmission interval is increased to 4 minutes. Once themaximum number of neighbors has been acquired, unacquired neighbors withoutstanding Requests are sent Ceases. This approach provides a compromisebetween fast response when neighbors do not initially respond and a desire tominimize the chance that a neighbor may be Ceased after it has sent a Confirmbut before it has been received. If the specified maximum number of neighborscannot be acquired, Requests are retransmitted indefinitely to all unacquiredneighbors.2.3 Hello and Poll IntervalsThe Request and Confirm messages include minimum values for Hello and Pollintervals. The advised minimums by this and the core gateways are currently 30and 120 seconds respectively.
RFC 911 7The received intervals are checked against upper bounds to guard againstnonsense values. The upper bounds are currently set at 120 and 480 secondsrespectively. If, they are exceeded the particular neighbor is considered badand not sent further Requests for one hour. This allows the situation to becorrected at the other gateway and normal operation to automatically resumefrom this gateway without an excess of unnecessary network traffic.The actual Hello and Poll intervals are chosen by first selecting the maximumof the intervals advised by this gateway and its peer. A 2 second margin isthen added to the Hello interval to take account of possible network delayvariations and the Poll interval is increased to the next integer ratio of theHello interval. This results in 32 second Hello and 128 second Poll intervals.If an Update is not received in response to a Poll, at most one repoll (samesequence number) is sent instead of the next scheduled Hello.2.4 Neighbor CeaseIf the EGP process is sent a SIGTERM signal via the Kill command, all acquiredneighbors are sent Cease(going down) commands. Ceases are retransmitted at thehello interval at most 3 times. Once all have either responded with Cease-acksor been sent three retransmitted Ceases the process is terminated.2.5 Neighbor ReachabilityOnly active reachability determination is implemented. It is done asrecommended in [Mills 84a] with a minor variation noted below.A shift register of responses is maintained. For each Poll or Hello commandsent a zero is shifted into the shift register. If a response (I-H-U, Updateor Error) is received with the correct sequence number the zero is replaced bya one. Before each new command is sent the reachability is determined byexamining the last four entries of the shift register. If the neighbor isreachable and <= 1 response was received the neighbor is consideredunreachable. If the neighbor is considered unreachable and >= 3 responses werereceived it is now considered reachable.A neighbor is considered reachable immediately after acquisition so that thefirst poll received from a core gateway (once it considers this gatewayreachable) will be responded to with an Update. Polls are not sent unless aneighbor is considered reachable and it has not advised that it considers thisgateway unreachable in its last Hello, I-H-U or Poll message. This preventsthe first Poll being discarded after a down/up transition. This is important asthe Polls are used for reachability determination. Following acquisition atleast one message must be received before the first Poll is sent. This is todetermine that the peer does not consider this gateway down. This usuallyrequires at least one Hello to be sent prior to the first poll. The discussionof this paragraph differs from [Mills 84a] which recommends that a peer beconsidered down following acquisition and Polls may be sent as soon as the peeris considered up. This is the only significant departure from the
RFC 911 8recommendations in [Mills 84a].Polls received by peers that are considered unreachable are sent an Errorresponse which allows their reachability determination to progress correctly.This action is an option within [Mills 84a].When a neighbor becomes unreachable all routes using it as a gateway aredeleted from the routing table. If there are known unacquired neighbors theunreachable gateway is ceased and an attempt is made to acquire a new neighbor.If all known neighbors are acquired the reachability determination is continuedfor 30 minutes ([Mills 84a] suggests 60 minutes) after which time theunreachable neighbor is ceased and reacquisition attempted every 4 minutes.This is aimed at reducing unnecessary network traffic.If valid Update responses are not received for three successive polls theneighbor is ceased and an alternative acquired or reacquisition is attempted in4 minutes. This provision is provided in case erroneous Update data formats arebeing sent by the neighbor. This situation did occur on one occasion duringtesting.2.6 Sequence NumbersSequence numbers are managed as recommended in [Mills 84a]. Single send andreceive sequence numbers are maintained for each neighbor. The send sequencenumber is initialized to zero and is incremented before each new Poll (notrepoll) is sent and at no other time. The send sequence number is used in allcommands. The receive sequence number is maintained by copying the sequencenumber of the last Request, Hello, or Poll command received from a neighbor.This sequence number is used in outgoing Updates. All responses (includingError responses) return the sequence number of the message just received.2.7 Treatment of Excess CommandsIf more than 20 commands are received from a neighbor in any 8 minute periodthe neighbor is considered bad, Ceased and reacquisition prevented for onehour.At most one repoll (same sequence number) received before the poll interval hasexpired (less a 4 second margin for network delay variability) is responded towith an Update, others are sent an Error response. When an Update is sent inresponse to a repoll the unsolicited bit is not set, which differs from therecommendation in [Mills 84a].2.8 Inappropriate MessagesIf a Confirm, Hello, I-H-U, Poll or Update is received from any gateway (knownor unknown) that is in the unacquired state, synchronization has probably beenlost for some reason. A Cease(protocol violation) message is sent to try andreduce unnecessary network traffic. This action is an option in [Mills 84a].
RFC 911 92.9 Default GatewayA default gateway may be specified in EGPINITFILE. The default route (net 0 inUnix 4.2 BSD) is used by the kernel packet forwarder if there is no specificroute for the destination network. This provides a final level of backup if allknown EGP neighbors are unreachable. This is especially useful if there is onlyone available EGP neighbor, as in the ISI case,Section 5.2.2.The default route is installed at initialization and deleted after a valid EGPUpdate message is received. It is reinstalled if all known neighbors areacquired but none are reachable, if routes time out while there are no EGPneighbors that are acquired and reachable, and prior to process termination.It is deleted after a valid EGP Update message is received because the defaultgateway will not know any more routing information than learned via EGP. If itwere not deleted, all traffic to unreachable nets would be sent to the defaultgateway under Unix 4.2 forwarding strategy.The default gateway should normally be set to a full-routing core gateway otherthan the known EGP neighbor gateways to give another backup in case all of theEGP gateways are down simultaneously.
RFC 911 103. TESTINGA few interesting cases that occurred during testing are briefly described.The use of sequence numbers was interpreted differently by differentimplementers. Consequently some implementations rejected messages as havingincorrect sequence numbers, resulting in the peer gateway being declared down.The main problem was that the specification was solely in narrative form whichis prone to inconsistencies, ambiguities and incompleteness. The more formalspecification of [Mills 84a] has eliminated these ambiguities.When testing the response to packets addressed to a neighbor gateway'sinterface that was not on the shared net a loop resulted as both gatewaysrepeatedly exchanged error messages indicating an invalid interface. Theproblem was that both gateways were sending Error responses after checking theaddresses but before the EGP message type was checked. This was rectified bynot sending an Error response unless it was certain that the message was notitself an Error response.On one occasion a core gateway had some form of data error in the Updatemessages which caused them to be rejected even though reachability was beingsatisfactorily conducted. This resulted in all routes being timed out. Thesolution was to count the number of successive Polls that do not result invalid Updates being received and if this number reaches 3 to Cease EGP andattempt to acquire an alternative gateway.Another interesting idiosyncrasy, reported by Mike Karels at Berkeley, resultsfrom having multiple gateways between MILNET and ARPANET. Each ARPANET host hasan assigned gateway to use for access to MILNET. In cases where the EGP gatewayis a host as well as a gateway, the EGP Update messages may indicate adifferent MILNET/ARPANET gateway from the assigned one. When the host/gatewayoriginates a packet that is routed via the EGP reported gateway, it willreceive a redirect to its assigned gateway. Thus the MILNET gateway can keepbeing switched between the gateway reported by EGP and the assigned gateway. Asimilar thing occurs when using routes to other nets reached via MILNET/ARPANETgateways.
RFC 911 114. FUTURE ENHANCEMENTS4.1 Multiple Autonomous SystemsThe present method of acquiring a maximum number of EGP neighbors from atrusted list implies that all the neighbors are in the same AS. The intentionis that they all be members of the core AS. When updating the routing tables,Updates are treated independently with no distinction made as to whether theadvised routes are internal or external to the peer's AS. Also, routingmetrics are compared without reference to the AS of the source.If EGP is to be conducted with additional AS's beside the core AS, allneighbors on the list would need to be acquired in order to ensure thatgateways from both AS's were always acquired. This results in an unnecessaryexcess of EGP traffic if redundant neighbors are acquired for reliability. Amore desirable approach would be to have separate lists of trusted EGP gatewaysand the maximum number to be acquire, for each AS. Routing entries would needto have the source AS added so that preference could be given to informationreceived from the owning AS (seeSection 5.1.2)4.2 Interface MonitoringAt present, interface status is only checked immediately prior to the sendingof an Update in response to a Poll. The interface status could be monitoredmore regularly and an unsolicited Update sent when a change is detected. Thisis one area where the slow response of EGP polling could be improved. This isof particular interest to networks that may be connected by dial-in lines.When such a network dials in, its associated interface will be marked as up butit will not be able to receive packets until the change has been propagated byEGP. This is one case where the unsolicited Update message would help, butthere is still the delay for other non-core gateways to poll core EGP gatewaysfor the new routing information.This was one case where it was initially thought that a kernel EGPimplementation might help. But the kernel does not presently pass interfacestatus changes by interrupts so a new facility would need to be incorporated.If this was done it may be just as easy to provide a user level signal when aninterface status changes.4.3 Network Level Status InformationAt present, network level status reports, such as IMP Destination Unreachablemessages, are not used to detect changes in the reachability of EGP neighborsor other neighbor gateways. This information should be used to improve theresponse time to changes.
RFC 911 124.4 Interior Gateway Protocol InterfaceAt present any routing information that is interior to the AS is static andread from the initialization file. The internal route management functions havebeen written so that it should be reasonably easy to interface an IGP fordynamic interior route updates. This is facilitated by the separation of theexterior and interior routing tables.The outgoing EGP Updates will be correctly prepared from the interior routingtable by rt_NRnets() whether or not static or dynamic interior routing is done.Functions are also provided for looking up, adding, changing and deletinginternal routes, i.e. rt_int_lookup(), rt_add(), rt_change() and rt_delete()respectively.The interaction of an IGP with the current data structures basically involvesthree functions: updating the interior routing table using a function similarto rt_NRupdate(), preparing outgoing interior updates similarly to rt_NRnets(),and timing out interior routes similarly to rt_time().
RFC 911 135. TOPOLOGY ISSUES5.1 Topology Restrictions and Routing Loops5.1.1 BackgroundEGP is not a routing algorithm. it merely enables exterior neighbors toexchange routing information which is likely to to be needed by a routingalgorithm. It does not pass sufficient information to prevent routing loops ifcycles exist in the topology [Rosen 82].Routing loops can occur when two gateways think there are alternate routes toreach a third gateway via each other. When the third gateway goes down they endup pointing to each other forming a routing loop. Within the present coresystem, loops are broken by counting to "infinity" (the internet diameter ingateway hops). This (usually) works satisfactorily because GGP propagateschanges fairly quickly as routing updates are sent as soon as changes occur.Also the diameter of the internet is quite small (5) and a universal distancemetric, hop count, is used. But this will be changed in the future.With EGP, changes are propagated slowly. Although a single unsolicited NRmessage can be sent, it won't necessarily be passed straight on to othergateways who must hear about it indirectly. Also, the distance metrics ofdifferent AS's are quite independent and hence can't be used to count toinfinity.The initial proposal was to prevent routing loops by restricting the topologyof AS's to a tree structure so that there are no multiple routes via alternateAS's. Multiple routes within the same AS are allowed as it is the interiorrouting strategies responsibility to control loops.[Mills 84b] has noted that even with the tree topology restriction, "we mustassume that transient loops may form within the core system from time to timeand that this information may escape to other systems; however, it would beexpected that these loops would not persist for very long and would be brokenin a short time within the core system itself. Thus a loop between non-coresystems can persist until the first round of Update messages sent to the othersystems after all traces of the loop have been purged from the core system oruntil the reachability information ages out of the tables, whichever occursfirst".With the initial simple stub EGP systems the tree topology restriction could besatisfied. But for the long term this does not provide sufficient robustness.[Mills 83] proposed a procedure by which the AS's can dynamically reconfigurethemselves such that the topology restriction is always met, without the needfor a single "core" AS. One AS would own a shared net and its neighbor AS'swould just conduct EGP with the owner. The owner would pass on such informationindirectly as the core system does now. If the owning AS is defined to beclosest to the root of the tree topology, any haphazard interconnection can
RFC 911 14form itself into an appropriate tree structured routing topology. By routingtopology I mean the topology as advised in routing updates. There may well beother physical connections but if they are not advised they will not be usedfor routing. Each AS can conduct EGP with at most one AS that owns one of itsshared nets. Any AS that is not conducting EGP over any net owned by another ASis the root of a subtree. It may conduct EGP with just one other AS that ownsone of its shared nets. This "attachment" combines the two subtrees into asingle subtree such that the overall topology is still a tree. Topologyviolations can be determined because two different AS's will report that theycan reach the same net.With such a dynamic tree, there may be preferred and backup links. In suchcases it is necessary to monitor the failed link so that routing can be changedback to the preferred link when service is restored.Another aspect to consider is the possibility of detecting routing loops andthen breaking them. Expiration of the packet time-to-live (TTL) could be usedto do this. If such a loop is suspected a diagnostic packet, such as ICMP echo,could be sent over the suspect route to confirm whether it is a loop. If a loopis detected a special routing packet could be sent over the route thatinstructs each gateway to delete the route after forwarding the packet on. Theacceptance of new routing information may need to be delayed for a hold downperiod. This approach would require sensible selection of the initial TTL. Butthis is not done by many hosts.5.1.2 Current PolicyConsidering the general trend to increased network interconnection and theavailability of alternative long-haul networks such as ARPANET, WBNET (widebandsatellite network), and public data networks the tree topology restriction isgenerally unacceptable. A less restrictive topology is currently recommended.The following is taken from [Mills 84b].EGP topological model: - An autonomous system consists of a set of gateways connected by networks. Each gateway in the system must be reachable from every other gateway in its system by paths including only gateways in that system. - A gateway in a system may run EGP with a gateway in any other system as long as the path over which EGP itself is run does not include a gateway in a third system. - The "core system" is distinguished from the others by the fact that only it is allowed to distribute reachability information about systems other than itself. - At least one gateway in every system must have a net in common with a gateway in the core system.
RFC 911 15 - There are no topological or connectivity restrictions other than those implied above.A gateway will use information derived from its configuration (directlyconnected nets), the IGP of its system, called S in the following, (interiornets) and EGP (interior and exterior nets of neighboring systems) to constructits routing tables. If conflicts with respect to a particular net N occur, theywill be resolved as follows: - If N is directly connected to the gateway, all IGP and EGP reports about N are disregarded. - If N is reported by IGP as interior to S and by EGP as either interior or exterior to another system, the IGP report takes precedence. - If N is reported by EGP as interior to one system and exterior to another, the interior report takes precedence. - If N is reported as interior by two or more gateways of the same system using EGP, the reports specifying the smallest hop count take precedence. - In all other cases the latest received report takes precedence.Old information will be aged from the tables.The interim model provides an acceptable degree of self-organization.Transient routing loops can occur between systems, but these are eventuallybroken by old reachability information being aged out of the tables. Given thefact that transient loops can occur due to temporary core-system loops, theadditional loops that might occur in the case of local nets homed to multiplesystems does not seem to increase the risk significantly.5.2 Present ISI ConfigurationA simplified version of the ISI network configuration is shown in Figure 5-1.ISI-Hobgoblin can provide a backup gateway function to the core ISI-Gatewaybetween ARPANET and ISI-NET. ISI-Hobgoblin is a VAX 11/750 which runs BerkeleyUnix 4.2. The EGP implementation described in this report is run onISI-Hobgoblin.ISI-Troll is part of a split gateway to the University of California at Irvinenetwork (UCI-ICS). The complete logical gateway consists of ISI-Troll, the 9600baud link and UCI-750A [Rose 84]. ISI-Troll runs Berkeley Unix 4.1a and hencecannot run the EGP program. It is therefore a non-routing gateway. Theexistence of UCI-ICS net must be advised to the core AS by ISI-Hobgoblin. Thiscan be done by including an appropriate entry in the EGPINITFILE.Hosts on ISI-NET, including ISI-Troll, have static route entries indicatingISI-Gateway as the first hop for all networks other than UCI-ICS and ISI-NET.
RFC 911 16 ------------------------------------------------- / \ / ARPANET \ \ 10 / \ / ------------------------------------------------- | | | | | | | | | +-------------+ +-------------+ +---------------+ | ISI-PNG11 | | | | | | Arpanet | | ISI-GATEWAY | | ISI-HOBGOBLIN | | Address | | | | Vax 11/750 | | logical | | Core EGP | | Unix 4.2 | | multiplexer | | | | | +-------------+ +-------------+ +---------------+ | | | | | | | | | --------------- ---------------------------- / \ / \ / 3 Mb/s Ethernet \ / ISI-NET \ \ net 10 / \ 128.9 / \ / \ / --------------- ---------------------------- | | | +--------------+ | ISI-TROLL | | Vax 11/750 | | Unix 4.1a | | Non-routing | | | | | | 9600 | ISI-TROLL, UCI-750A | | baud | and the link form a | | link | single logical gateway | | | | UCI-750A | | Vax 11/750 | | Unix 4.2 | +--------------+ | | | ---------------------- / \ / UCI-ICS \ \ 192.5.19 / \ / ---------------------- Figure 5-1: Simplified ISI Network Configuration
RFC 911 17EGP can either be conducted with ISI-Gateway across ARPANET or ISI-NET.5.2.1 EGP Across ARPANETISI-Hobgoblin will advise ISI-Gateway across ARPANET, and hence the coresystem, that it can reach ISI-NET and UCI-ICS.Packets from AS's exterior to ISI and destined for UCI-ICS will be routed viaISI-Gateway, ISI-Hobgoblin and ISI-Troll. The extra hop via ISI-Gateway (orother core EGP gateway) is because the core gateways do not currently pass onindirect-neighbor exterior gateway addresses in their IGP messages(Gateway-to-Gateway Protocol). Packets originating from UCI-ICS destined forexterior AS's will be routed via ISI-Troll and ISI-Gateway. Thus the incomingand out going packet routes are different.Packets originating from ISI-Hobgoblin as a host and destined for exterior AS'swill be routed via the appropriate gateway on ARPANET.UCI-ICS can only communicate with exterior AS's if ISI-Troll, ISI-Hobgoblin andISI-Gateway are all up. The dependence on ISI-Gateway could be eliminated ifISI-Troll routed packets via ISI-Hobgoblin rather than ISI-Gateway. However,as ISI-Hobgoblin is primarily a host and not a gateway it is preferable thatISI-Gateway route packets when possible.ISI-Hobgoblin can provide a back-up gateway function to ISI-Gateway as it canautomatically switch to an alternative core EGP peer if ISI-Gateway goes down.Even though ISI-Hobgoblin normally advises the core system that it can reachISI-NET the core uses its own internal route via ISI-Gateway in preference.For hosts on ISI-NET to correctly route outgoing packets they need their staticgateway entries changed from ISI-Gateway to ISI-Hobgoblin. At present thiswould have to be done manually. This would only be appropriate if ISI-Gatewaywas going to be down for an extended period.5.2.2 EGP Across ISI-NETISI-Hobgoblin will advise ISI-Gateway across ISI-NET that its indirectneighbor, ISI-Troll, can reach UCI-ICS net.All exterior packet routing for UCI-ICS will be via ISI-Gateway in bothdirections with no hops via ISI-Hobgoblin. Packets originating fromISI-Hobgoblin as a host and destined for exterior AS's will be routed viaISI-Gateway, rather than the ARPANET interface, in both directions, thus takingan additional hop.UCI-ICS can only communicate with exterior AS's if ISI-Troll and ISI-Gatewayare up and ISI-Hobgoblin has advised ISI-Gateway of the UCI-ICS route. IfISI-Hobgoblin goes down, communication will still be possible becauseISI-gateway (and other core gateways) do not time out routes to indirect
RFC 911 18neighbors. If ISI-Gateway then goes down, it will need to be readvised byISI-Hobgoblin of the UCI-ICS route, when it comes up.Conducting EGP over ISI-NET rather than ARPANET should provide more reliableservice for UCI-ICS for the following reasons: ISI-Gateway is specificallydesigned as a gateway, it is expected to be up more than ISI-Hobgoblin, it isdesirable to eliminate extra routing hops where possible and, the exteriorrouting information will persist after ISI-hobgoblin goes down. IfISI-Hobgoblin is to be used in its back-up mode, EGP could be restarted acrossARPANET after the new gateway routes are manually installed in the hosts.Therefore, EGP across ISI-NET was selected as the preferred mode of operation.5.2.3 Potential Routing LoopBecause both ISI-Gateway and ISI-Hobgoblin provide routes between ARPANET andISI-NET there is a potential routing loop. This topology in fact violates theoriginal tree structure restriction. Provided ISI-Hobgoblin does not conductEGP simultaneously with ISI-Gateway over ISI-NET and ARPANET, the gateways willonly ever know about the alternative route from the shared EGP network and notfrom the other network. Thus a loop cannot occur. For instance, if EGP isconducted over ISI-NET, both ISI-Gateway and ISI-Hobgoblin will know about thealternative routes via each other to ARPANET from ISI-NET, but they will notknow about the gateway addresses on ARPANET to be able to access ISI-NET fromARPANET. Thus they have insufficient routing data to be able to route packetsin a loop between themselves.5.3 Possible Future Configuration5.3.1 Gateway to UCI-ICSAn improvement in the reliability and performance of the service offered toUCI-ICS can be achieved by moving the UCI-ICS interface from ISI-Troll toISI-Hobgoblin. Reliability will improve because the connection will onlyrequire ISI-Hobgoblin and its ARPANET interface to be up and performance willimprove because the extra gateway hop will be eliminated.This will also allow EGP to be conducted across ARPANET giving access to thealternative core gateways running EGP. This will increase the chances of beingable to reliably acquire an EGP neighbor at all times. It will also eliminatethe extra hop via ISI-Gateway for packets originating from ISI-Hobgoblin, as ahost, and destined for exterior networks.This configuration change will be made at sometime in the future. It was notdone initially because ISI-Hobgoblin was experimental and down more often thanISI-Troll.
RFC 911 195.3.2 Dynamic Switch to Backup GatewayIt was noted inSection 5.2.1 that ISI-Hobgoblin can provide a backup gatewayfunction to ISI-Gateway between ARPANET and ISI-NET. Such backup gateways couldbecome a common approach to providing increased reliability.At present the change over to the backup gateway requires the new gateway routeto be manually entered for hosts on ISI-NET. This section describes a possiblemethod for achieving this changeover dynamically when the primary gateway goesdown.The aim is to be able to detect when the primary gateway is down and have allhosts on the local network change to the backup gateway with a minimum amountof additional network traffic. The hosts should revert back to the primarygateway when it comes up again.The proposed method is for only the backup gateway to monitor the primarygateway status and for it to notify all hosts of the new gateway address whenthere is a change.5.3.2.1 Usual OperationThe backup gateway runs a process which sends reachability-probe messages, suchas ICMP echoes, to the primary gateway every 30 seconds and uses the responsesto determine reachability as for EGP. If the primary gateway goes down a"gateway-address message" indicating the backup gateway address is broadcast(or preferably multicast) to all hosts. When the primary gateway comes upanother gateway message indicating the primary gateway address is broadcast.These broadcasts should be done four times at 30 second intervals to avoid theneed for acknowledgements and knowledge of host addresses.Each host would run a process that listens for gateway-address messages. If adifferent gateway is advised it changes the default gateway entry to the newaddress.5.3.2.2 Host InitializationWhen a host comes up the primary gateway could be down so it needs to be ableto determine that it should use the backup gateway. The host could read theaddress of the primary and backup gateways from a static initialization file.It would then set its default gateway as the primary gateway and send a"gateway-request message" to the backup gateway requesting the current gatewayaddress. The backup gateway would respond with a gateway-address message. Ifno response is received the gateway-request should be retransmitted three timesat 30 second intervals. If no response is received the backup gateway can beassumed down and the primary gateway retained as the default.Whenever the backup gateway comes up it broadcasts a gateway-address message.Alternatively, a broadcast (or multicast) gateway-request message could be
RFC 911 20defined to which only gateways would respond. The backup gateway-addressmessage needs to indicate that it is the backup gateway so that future requestsneed not be broadcast. Again, three retransmissions should be used. But theprimary gateway also needs to broadcast its address whenever it comes up.5.3.2.3 When Both the Primary and Backup are DownIf the primary gateway is down and the backup knows it is going down, it shouldbroadcast gateway-address messages indicating the primary gateway in case theprimary gateway comes up first.But the backup could go down without warning and the primary come up before it.If the primary gateway broadcasts a gateway-address message when it comes upthere is no problem. Otherwise, while hosts are using the backup gateway theyshould send a gateway-request message every 10 minutes. If no response isreceived it should be retransmitted 3 times at 30 second intervals and if stillno response the backup assumed down and the primary gateway reverted to.Thus the only time hosts need to send messages periodically is when the primarygateway does not send gateway-address messages on coming up and the backupgateway is being used. In some cases, such as at ISI, the primary gateway ismanaged by a different organization and experimental features cannot beconveniently added.5.3.2.4 Unix 4.2 BSDOne difficulty with the above is that there is no standard method of specifyinginternet broadcast or multicast addresses. Multicast addressing is preferableas only those participating need process the message (interfaces with hardwaremulticast detection are available). In the case of Unix 4.2 BSD an internetaddress with zero local address is assumed for the internet broadcast address.However, the general Internet Addressing policy is to use an all ones value toindicate a broadcast function.On Unix 4.2 BSD systems, both the gateway and host processes could be run atthe user level so that kernel modifications are not required.A User Datagram Protocol (UDP) socket could be reserved for host-backup-gatewaycommunication.Super user access to raw sockets for sending and receiving ICMP Echo messagesrequires a minor modification to the internet-family protocol switch table.
RFC 911 216. ACKNOWLEDGEMENTI acknowledge with thanks the many people who have helped me with this project,but in particular, Dave Mills, who suggested the project, Jon Postel fordiscussion and encouragement, Liza Martin for providing the initial EGP code,Berkeley for providing the "routed" code, Mike Brescia for assistance withtesting, Telecom Australia for funding me, and ISI for providing facilities.
RFC 911 227. REFERENCES[Berkeley 83] "Unix Programmer's Manual", Vol. 1, 4.2 Berkeley Software Distribution, University of California, Berkeley.[Kirton 84] Kirton, P.A., "EGP Gateway Under Berkeley Unix 4.2", University of Southern California, Information Sciences Institute, Research Report ISI/RR-84-145, to be published.[Mills 83] Mills, D.L., "EGP Models and Self-Organizing Systems" Message to EGP-PEOPLE@BBN-UNIX, Nov. 1983.[Mills 84a] Mills, D.L., "Exterior Gateway Protocol Formal Specification", Network Information CenterRFC 904, April 1984.[Mills 84b] Mills, D.L., "Revised EGP Model Clarified and Discussed", Message to EGP-PEOPLE@BBN-UNIX, May 1984.[Postel 84] Postel, J., "Exterior Gateway Protocol Implementation Schedule" Network Information CenterRFC 890, Feb. 1984.[Rose 84] Rose, M.T., "Low-Tech Connection into the ARPA-Internet: The Raw-Packet Split Gateway", Department of Information and Computer Science, University of California, Irvine, Technical Report 216, Feb. 1984.[Rosen 82] Rosen, E.C., "Exterior Gateway Protocol", Network Information CenterRFC 827, Oct. 1982.[Seamonson & Rosen 84] Seamonson, L.J. and Rosen, E.C., "Stub Exterior Gateway Protocol", Network Information CenterRFC 888, Jan. 84.[Xerox 81] "Internet Transport Protocols", Xerox System Integration Standard XSIS 028112, Dec. 1981.
[8]ページ先頭