INTERNET DRAFT Requirements for IP Version 4 Routers | November 28, 1994 Document Revision 1.50 | Revision Date: 11/18/94 | Philip Almquist -- Author Frank Kastenholz (Editor) FTP Software, Inc 2 High Street North Andover, Mass 01845-2620 USA kasten@ftp.com This document is an Internet Draft. Internet Drafts are | working documents of the Internet Engineering Task Force | (IETF), its Areas, and its Working Groups. Note that other | groups may also distribute working documents as Internet | Drafts. | Internet Drafts are draft documents valid for a maximum of six | months. Internet Drafts may be updated, replaced, or | obsoleted by other documents at any time. It is not | appropriate to use Internet Drafts as reference material or to | cite them other than as a ``working draft'' or ``work in | progress.'' Please check the 1id-abstracts.txt listing | contained in the internet-drafts Shadow Directories on | nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or | munnari.oz.au to learn the current status of any Internet | Draft. | | This is a working document only, it should neither be cited | nor quoted in any formal document. | This document will expire before 3 June 1995. | Distribution of this document is unlimited. | Please send comments to The editor or the Router Requirements | Working Group (rreq@isi.edu). If your comment pertains to a particular piece of text, please | remember to mention the section number. This document is very | large and locating the text solely by context might not be possible. Please also mention the date of this draft | (11/18/94) and the revision level (1.50). | November 28, 1994 This document is an updated version of RFC 1716, the | historical Router Requirements document. That RFC preserved | the significant work that went into the working group, but | failed to adequately describe current technology for the IESG | to consider it a current standard. The current editor had been asked to bring the document up to | date, so that it is useful as a procurement specification and | a guide to implementors. In this, he stands squarely on the | shoulders of those who have gone before him, and depends | largely on expert contributors for text. Any credit is | theirs, the errors are his. The content and form of this document are due, in large part, to the working group's chair, and document's original editor and author: Philip Almquist. It is also largely due to the | efforst of its previous editor, Frank Kastenholz. Without | their efforts, this document would not exist. November 28, 1994 - 2 - The memo replaces for RFC-1009, Requirements for Internet Gateways ([INTRO:1]). This memo defines and discusses requirements for devices that | perform the network layer forwarding function of the Internet | protocol suite. The Internet community usually refers to such devices as IP routers or simply routers; The OSI community refers to such devices as intermediate systems. Many older Internet documents refer to these devices as gateways, a name which more recently has largely passed out of favor to avoid confusion with application gateways. An IP router can be distinguished from other sorts of packet switching devices in that a router examines the IP protocol header as part of the switching process. It generally removes | the Link Layer header a message was received with, modifies | the IP header, and replaces the Link Layer header for | retransmission. The authors of this memo recognize, as should its readers, | that many routers support more than one protocol. Support for | multiple protocol suites will be required in increasingly | large parts of the Internet in the future. This memo, however, does not attempt to specify Internet requirements for protocol suites other than TCP/IP. This document enumerates standard protocols that a router connected to the Internet must use, and it incorporates by reference the RFCs and other documents describing the current specifications for these protocols. It corrects errors in the referenced documents and adds additional discussion and guidance for an implementor. For each protocol, this memo also contains an explicit set of requirements, recommendations, and options. The reader must understand that the list of requirements in this memo is | incomplete by itself. The complete set of requirements for an | Internet protocol router is primarily defined in the standard protocol specification documents, with the corrections, amendments, and supplements contained in this memo. This memo should be read in conjunction with the Requirements for Internet Hosts RFCs ([INTRO:2] and [INTRO:3]). Internet hosts and routers must both be capable of originating IP datagrams and receiving IP datagrams destined for them. The November 28, 1994 - 3 - major distinction between Internet hosts and routers is that routers implement forwarding algorithms, while Internet hosts | do not require forwarding capabilities. Any Internet host acting as a router must adhere to the requirements contained in this memo. The goal of open system interconnection dictates that routers must function correctly as Internet hosts when necessary. To achieve this, this memo provides guidelines for such instances. For simplification and ease of document updates, this memo tries to avoid overlapping discussions of host requirements with [INTRO:2] and [INTRO:3] and incorporates the relevant requirements of those documents by reference. In some cases the requirements stated in [INTRO:2] and [INTRO:3] are superseded by this document. A good-faith implementation of the protocols produced after careful reading of the RFCs should differ from the | requirements of this memo in only minor ways. Producing it | often requires some interaction with the Internet technical | community, and must follow good communications software | engineering practices. In many cases, the requirements in this document are already stated or implied in the standard protocol documents, so that their inclusion here is, in a sense, redundant. They were included because some past | implementation has made the wrong choice, causing problems of interoperability, performance, and/or robustness. This memo includes discussion and explanation of many of the requirements and recommendations. A simple list of requirements would be dangerous, because: + Some required features are more important than others, and some features are optional. + Some features are critical in some applications of routers but irrelevant in others. + There may be valid reasons why particular vendor products that are designed for restricted contexts might choose to use different specifications. However, the specifications of this memo must be followed to meet the general goal of arbitrary router interoperation across the diversity and complexity of the Internet. Although November 28, 1994 - 4 - most current implementations fail to meet these requirements in various ways, some minor and some major, this specification is the ideal towards which we need to move. These requirements are based on the current level of Internet architecture. This memo will be updated as required to provide additional clarifications or to include additional information in those areas in which specifications are still evolving. This memo emulates the layered organization used by [INTRO:2] and [INTRO:3]. Thus, Chapter 2 describes the layers found in the Internet architecture. Chapter 3 covers the Link Layer. Chapters 4 and 5 are concerned with the Internet Layer protocols and forwarding algorithms. Chapter 6 covers the Transport Layer. | Upper layer protocols are divided among Chapters 7, 8, | and 9. Chapter 7 discusses the protocols which routers | use to exchange routing information with each other. | Chapter 8 discusses network management. Chapter 9 | discusses other upper layer protocols. The final chapter covers operations and maintenance features. This organization was chosen for simplicity, clarity, and consistency with the Host Requirements RFCs. Appendices to this memo include a bibliography, a glossary, and some conjectures about future directions of router standards. In describing the requirements, we assume that an implementation strictly mirrors the layering of the protocols. However, strict layering is an imperfect model, both for the protocol suite and for recommended implementation approaches. Protocols in different layers interact in complex and sometimes subtle ways, and particular functions often involve multiple layers. There are many design choices in an implementation, many of which involve creative breaking of strict layering. Every implementor is urged to read [INTRO:4] and [INTRO:5]. Each major section of this memo is organized into the | following subsections: November 28, 1994 - 5 - (1) Introduction (2) Protocol Walk-Through - considers the protocol specification documents section-by-section, correcting errors, stating requirements that may be ambiguous or ill-defined, and providing further clarification or explanation. (3) Specific Issues - discusses protocol design and implementation issues that were not included in the walk-through. Under many of the individual topics in this memo, there is parenthetical material labeled DISCUSSION or IMPLEMENTATION. This material is intended to give a justification, clarification or explanation to the preceding requirements text. The implementation material contains suggested approaches that an implementor may want to consider. The DISCUSSION and IMPLEMENTATION sections are not part of the standard. In this memo, the words that are used to define the significance of each particular requirement are capitalized. These words are: + MUST This word means that the item is an absolute requirement of the specification. Violation of such | a requirement is a fundamental error; there is no | case where it is justified. + MUST IMPLEMENT This phrase means that this specification requires that the item be implemented, but does not require that it be enabled by default. + MUST NOT This phrase means that the item is an absolute prohibition of the specification. + SHOULD This word means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case November 28, 1994 - 6 - carefully weighed before choosing a different course. + SHOULD IMPLEMENT This phrase is similar in meaning to SHOULD, but is used when we recommend that a particular feature be provided but does not necessarily recommend that it be enabled by default. + SHOULD NOT This phrase means that there may exist valid reasons in particular circumstances when the described behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. + MAY This word means that this item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item. Some requirements are applicable to all routers. Other requirements are applicable only to those which implement particular features or protocols. In the following paragraphs, Relevant refers to the union of the requirements applicable to all routers and the set of requirements applicable to a particular router because of the set of features and protocols it has implemented. Note that not all Relevant requirements are stated directly in this memo. Various parts of this memo incorporate by reference sections of the Host Requirements specification, [INTRO:2] and [INTRO:3]. For purposes of determining compliance with this memo, it does not matter whether a Relevant requirement is stated directly in this memo or merely incorporated by reference from one of those documents. An implementation is said to be conditionally compliant if it satisfies all of the Relevant MUST, MUST IMPLEMENT, and MUST NOT requirements. An implementation November 28, 1994 - 7 - is said to be unconditionally compliant if it is conditionally compliant and also satisfies all of the Relevant SHOULD, SHOULD IMPLEMENT, and SHOULD NOT requirements. An implementation is not compliant if it is not conditionally compliant (i.e., it fails to satisfy one or more of the Relevant MUST, MUST IMPLEMENT, or MUST NOT requirements). This specification occasionally indicates that an | implementation SHOULD implement a management variable, | and that it SHOULD have a certain default value. An | unconditionally compliant implementation implements the | default behavior, and if there are other implemented | behaviors implements the variable. A conditionally | compliant implementation clearly documents what the | default setting of the variable is or, in the absence of | the implementation of a variable, may be construed to | be. An implementation that both fails to implement the | variable and chooses a different behavior is not | compliant. | For any of the SHOULD and SHOULD NOT requirements, a router may provide a configuration option that will cause the router to act other than as specified by the requirement. Having such a configuration option does not void a router's claim to unconditional compliance if | the option has a default setting, and that setting | causes the router to operate in the required manner. Likewise, routers may provide, except where explicitly prohibited by this memo, options which cause them to violate MUST or MUST NOT requirements. A router that | provides such options is compliant (either fully or | conditionally) if and only if each such option has a | default setting that causes the router to conform to the | requirements of this memo. Please note that the authors of this memo, although aware of market realities, strongly recommend against provision of such options. Requirements are labeled MUST or MUST NOT because experts in the field have judged them to be particularly important to interoperability or proper functioning in the Internet. Vendors should weigh carefully the customer support costs of providing options that violate | those rules. November 28, 1994 - 8 - Of course, this memo is not a complete specification of an IP router, but rather is closer to what in the OSI world is called a profile. For example, this memo requires that a number of protocols be implemented. Although most of the contents of their protocol specifications are not repeated in this memo, implementors are nonetheless required to implement the protocols according to those specifications. There are several reference documents of interest in checking the current status of protocol specifications and standardization: + INTERNET OFFICIAL PROTOCOL STANDARDS This document describes the Internet standards process and lists the standards status of the protocols. As | of this writing, the current version of this document | is [ARCH:7]. This document is periodically re-issued. You should always consult an RFC repository and use the latest version of this document. + Assigned Numbers This document lists the assigned values of the parameters used in the various protocols. For example, it lists IP protocol codes, TCP port numbers, | Telnet Option Codes, ARP hardware types, and Terminal Type names. As of this writing, the current version | of this document is [INTRO:7]. This document is periodically re-issued. You should always consult an RFC repository and use the latest version of this document. + Host Requirements This pair of documents reviews the specifications that apply to hosts and supplies guidance and clarification for any ambiguities. Note that these requirements also apply to routers, except where otherwise specified in this memo. As of this writing, the | current versions of these documents are [INTRO:2], and | [INTRO:3]. + Router Requirements (formerly Gateway Requirements) This memo. November 28, 1994 - 9 - Note that these documents are revised and updated at different times; in case of differences between these documents, the most recent must prevail. These and other Internet protocol documents may be obtained from the: DDN Network Information Center 14200 Park Meadow Drive, Suite 200 Chantilly, VA 22021 USA nic@ds.internic.net (800) 365-3642 or (703) 802-4535 There are several important lessons that vendors of Internet software have learned and which a new vendor should consider seriously. The enormous growth of the Internet has revealed problems of management and scaling in a large datagram- based packet communication system. These problems are being addressed, and as a result there will be continuing evolution of the specifications described in this memo. New routing protocols, algorithms, and architectures are constantly being developed. New | internet-layer protocols, and modifications to existing | protocols, are also constantly being devised. Routers | play a crucial role in the Internet, and the number of | routers deployed in the Internet is much smaller than | the number of hosts. Vendors should therefore expect | that router standards will continue to evolve much more | quickly than host standards. These changes will be carefully planned and controlled since there is extensive participation in this planning by the vendors and by the organizations responsible for operation of the networks. Development, evolution, and revision are characteristic November 28, 1994 - 10 - of computer network protocols today, and this situation will persist for some years. A vendor who develops computer communications software for the Internet protocol suite (or any other protocol suite!) and then fails to maintain and update that software for changing specifications is going to leave a trail of unhappy customers. The Internet is a large communication network, and the users are in constant contact through it. Experience has shown that knowledge of deficiencies in vendor software propagates quickly through the Internet technical community. At every layer of the protocols, there is a general rule (from [TRANS:2] by Jon Postel) whose application can lead to enormous benefits in robustness and interoperability: Be conservative in what you do, be liberal in what you accept from others. Software should be written to deal with every conceivable error, no matter how unlikely. Sooner or | later a packet will come in with that particular | combination of errors and attributes, and unless the software is prepared, chaos can ensue. It is best to | assume that the network is filled with malevolent | entities that will send packets designed to have the worst possible effect. This assumption will lead to suitably protective design. The most serious problems in the Internet have been caused by unforeseen mechanisms triggered by low probability events; mere human malice would never have taken so devious a course! Adaptability to change must be designed into all levels of router software. As a simple example, consider a protocol specification that contains an enumeration of values for a particular header field - e.g., a type field, a port number, or an error code; this enumeration must be assumed to be incomplete. If the protocol specification defines four possible error codes, the | software must not break when a fifth code is defined. An undefined code might be logged, but it must not cause a failure. November 28, 1994 - 11 - The second part of the principal is almost as important: | software on hosts or other routers may contain deficiencies that make it unwise to exploit legal but obscure protocol features. It is unwise to stray far from the obvious and simple, lest untoward effects result elsewhere. A corollary of this is watch out for misbehaving hosts; router software should be prepared to survive in the presence of misbehaving hosts. An important function of routers in the Internet is to limit the amount of disruption such hosts can inflict on the shared communication facility. The Internet includes a great variety of systems, each implementing many protocols and protocol layers, and | some of these contain bugs and misguided features in | their Internet protocol software. As a result of complexity, diversity, and distribution of function, the diagnosis of problems is often very difficult. Problem diagnosis will be aided if routers include a carefully designed facility for logging erroneous or strange events. It is important to include as much diagnostic information as possible when an error is logged. In particular, it is often useful to record the header(s) of a packet that caused an error. However, care must be taken to ensure that error logging does not consume prohibitive amounts of resources or otherwise interfere with the operation of the router. There is a tendency for abnormal but harmless protocol events to overflow error logging files; this can be avoided by using a circular log, or by enabling logging only while diagnosing a known failure. It may be useful to filter and count duplicate successive messages. One strategy that seems to work well is to both: + Always count abnormalities and make such counts accessible through the management protocol (see Chapter 8); and + Allow the logging of a great variety of events to be selectively enabled. For example, it might useful to be able to log everything or to log everything for host X. This topic is further discussed in [MGT:5]. November 28, 1994 - 12 - In an ideal world, routers would be easy to configure, and perhaps even entirely self-configuring. However, practical experience in the real world suggests that this is an impossible goal, and that many attempts by | vendors to make configuration easy actually cause | customers more grief than they prevent. As an extreme example, a router designed to come up and start routing packets without requiring any configuration information at all would almost certainly choose some incorrect parameter, possibly causing serious problems on any networks unfortunate enough to be connected to it. Often this memo requires that a parameter be a configurable option. There are several reasons for this. In a few cases there currently is some uncertainty or disagreement about the best value and it may be necessary to update the recommended value in the future. In other cases, the value really depends on external factors - e.g., the distribution of its communication load, or the speeds and topology of nearby networks - and self-tuning algorithms are unavailable and may be insufficient. In some cases, configurability is needed because of administrative requirements. Finally, some configuration options are required to communicate with obsolete or incorrect implementations of the protocols, distributed without sources, that persist in many parts of the Internet. To make correct systems coexist with these faulty systems, administrators must occasionally misconfigure the correct systems. This problem will correct itself gradually as the faulty systems are retired, but cannot be ignored by vendors. When we say that a parameter must be configurable, we do not intend to require that its value be explicitly read from a configuration file at every boot time. For many parameters, there is one value that is appropriate for all but the most unusual situations. In such cases, it is quite reasonable that the parameter default to that value if not explicitly set. This memo requires a particular value for such defaults in some cases. The choice of default is a sensitive issue when the configuration item controls accommodation November 28, 1994 - 13 - of existing, faulty, systems. If the Internet is to converge successfully to complete interoperability, the default values built into implementations must implement the official protocol, not misconfigurations to accommodate faulty implementations. Although marketing considerations have led some vendors to choose misconfiguration defaults, we urge vendors to choose defaults that will conform to the standard. Finally, we note that a vendor needs to provide adequate documentation on all configuration parameters, their limits and effects. In several places in this memo, specific algorithms that a router ought to follow are specified. These algorithms are not, per se, required of the router. A router need not implement each algorithm as it is written in this document. Rather, an implementation must present a behavior to the external world that is the same as a strict, literal, implementation of the specified algorithm. Algorithms are described in a manner that differs from the way a good implementor would implement them. For expository purposes, a style that emphasizes conciseness, clarity, and independence from implementation details has been chosen. A good implementor will choose algorithms and | implementation methods that produce the same results as these algorithms, but may be more efficient or less general. We note that the art of efficient router implementation is | outside the scope of this memo. November 28, 1994 - 14 - This chapter does not contain any requirements. However, it does contain useful background information on the general architecture of the Internet and of routers. General background and discussion on the Internet architecture and supporting protocol suite can be found in the DDN Protocol Handbook [ARCH:1]; for background see for example [ARCH:2], [ARCH:3], and [ARCH:4]. The Internet architecture and protocols are also covered in an ever-growing number of textbooks, such as [ARCH:5] and [ARCH:6]. The Internet system consists of a number of interconnected packet networks supporting communication among host computers using the Internet protocols. These protocols include the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), the Internet Group Management Protocol (IGMP), and a variety transport and application protocols that depend upon them. As was described in Section [1.2], the Internet Engineering Steering Group periodically releases an Official Protocols memo listing all of the Internet protocols. All Internet protocols use IP as the basic data transport mechanism. IP is a datagram, or connectionless, internetwork service and includes provision for addressing, type-of-service specification, fragmentation and reassembly, and security. ICMP and IGMP are considered integral parts of IP, although they are architecturally layered upon IP. ICMP provides error reporting, flow control, first-hop router redirection, and other maintenance and control functions. IGMP provides the mechanisms by which hosts and routers can join and leave IP multicast groups. Reliable data delivery is provided in the Internet protocol suite by Transport Layer protocols such as the Transmission Control Protocol (TCP), which provides end-end retransmission, resequencing and connection control. Transport Layer connectionless service is provided by the User Datagram Protocol (UDP). November 28, 1994 - 15 - To communicate using the Internet system, a host must implement the layered set of protocols comprising the Internet protocol suite. A host typically must implement at least one protocol from each layer. The protocol layers used in the Internet architecture are as follows [ARCH:7]: + Application Layer The Application Layer is the top layer of the Internet protocol suite. The Internet suite does not further subdivide the Application Layer, although some application layer protocols do contain some internal sub-layering. The application layer of the Internet suite essentially combines the functions of the top two layers - Presentation and Application - of the OSI Reference Model [ARCH:8]. The Application Layer in the Internet protocol suite also includes some of the function relegated to the Session Layer in the OSI Reference Model. We distinguish two categories of application layer protocols: user protocols that provide service directly to users, and support protocols that provide common system functions. The most common Internet user protocols are: - Telnet (remote login) - FTP (file transfer) - SMTP (electronic mail delivery) There are a number of other standardized user protocols and many private user protocols. Support protocols, used for host name mapping, booting, and management, include SNMP, BOOTP, TFTP, the Domain Name System (DNS) protocol, and a variety of routing protocols. Application Layer protocols relevant to routers are discussed in chapters 7, 8, and 9 of this memo. + Transport Layer The Transport Layer provides end-to-end communication services. This layer is roughly equivalent to the Transport Layer in the OSI Reference Model, except November 28, 1994 - 16 - that it also incorporates some of OSI's Session Layer establishment and destruction functions. There are two primary Transport Layer protocols at present: - Transmission Control Protocol (TCP) - User Datagram Protocol (UDP) TCP is a reliable connection-oriented transport service that provides end-to-end reliability, resequencing, and flow control. UDP is a connectionless (datagram) transport service. Other transport protocols have been developed by the research community, and the set of official Internet transport protocols may be expanded in the future. Transport Layer protocols relevant to routers are discussed in Chapter 6. + Internet Layer All Internet transport protocols use the Internet Protocol (IP) to carry data from source host to destination host. IP is a connectionless or datagram internetwork service, providing no end-to-end delivery guarantees. IP datagrams may arrive at the destination host damaged, duplicated, out of order, or not at all. The layers above IP are responsible for reliable delivery service when it is required. The IP protocol includes provision for addressing, type-of-service specification, fragmentation and reassembly, and security. The datagram or connectionless nature of IP is a fundamental and characteristic feature of the Internet architecture. The Internet Control Message Protocol (ICMP) is a control protocol that is considered to be an integral part of IP, although it is architecturally layered | upon IP - it uses IP to carry its data end-to-end. ICMP provides error reporting, congestion reporting, and first-hop router redirection. The Internet Group Management Protocol (IGMP) is an Internet layer protocol used for establishing dynamic November 28, 1994 - 17 - host groups for IP multicasting. The Internet layer protocols IP, ICMP, and IGMP are discussed in chapter 4. + Link Layer To communicate on a directly connected network, a | host must implement the communication protocol used to interface to that network. We call this a Link | Layer protocol. Some older Internet documents refer to this layer as the Network Layer, but it is not the same as the Network Layer in the OSI Reference Model. This layer contains everything below the Internet | Layer and above the Physical Layer (which is the | media connectivity, normally electrical or optical, | which encodes and transports messages). Its | responsibility is the correct delivery of messages, | among which it does not differentiate. Protocols in this Layer are generally outside the scope of Internet standardization; the Internet (intentionally) uses existing standards whenever possible. Thus, Internet Link Layer standards usually address only address resolution and rules for transmitting IP packets over specific Link Layer protocols. Internet Link Layer standards are discussed in chapter 3. The constituent networks of the Internet system are required to provide only packet (connectionless) transport. According to the IP service specification, datagrams can be delivered out of order, be lost or duplicated, and/or contain errors. For reasonable performance of the protocols that use IP (e.g., TCP), the loss rate of the network should be very low. In networks providing connection-oriented service, the extra reliability provided by virtual circuits enhances the end-end robustness of the system, but is not necessary for Internet operation. November 28, 1994 - 18 - Constituent networks may generally be divided into two classes: + Local-Area Networks (LANs) LANs may have a variety of designs. LANs normally | cover a small geographical area (e.g., a single building or plant site) and provide high bandwidth with low delays. LANs may be passive (similar to Ethernet) or they may be active (such as ATM). | + Wide-Area Networks (WANs) Geographically dispersed hosts and LANs are | interconnected by wide-area networks, also called long-haul networks. These networks may have a complex internal structure of lines and packet- switches, or they may be as simple as point-to- point lines. In the Internet model, constituent networks are connected together by IP datagram forwarders which are called routers or IP routers. In this document, every use of the term router is equivalent to IP router. Many older Internet documents refer to routers as gateways. Historically, routers have been realized with packet- switching software executing on a general-purpose CPU. However, as custom hardware development becomes cheaper and as higher throughput is required, but special- purpose hardware is becoming increasingly common. This specification applies to routers regardless of how they are implemented. A router connects to two or more logical interfaces, | represented by IP subnets or unnumbered point to point | lines (discussed in section [2.2.7]). Thus, it has at | least one physical interface. Forwarding an IP datagram generally requires the router to choose the address and | relevant interface of the next-hop router or (for the | final hop) the destination host. This choice, called | relaying or forwarding depends upon a route database | within the router. The route database is also called a | routing table or forwarding table. The term "router" | derives from the process of building this route | database; routing protocols and configuration interact | November 28, 1994 - 19 - in a process called routing. The routing database should be maintained dynamically to reflect the current topology of the Internet system. A router normally accomplishes this by participating in distributed routing and reachability algorithms with other routers. Routers provide datagram transport only, and they seek to minimize the state information necessary to sustain this service in the interest of routing flexibility and robustness. Packet switching devices may also operate at the Link Layer; such devices are usually called bridges. Network | segments that are connected by bridges share the same IP | network prefix forming a single IP subnet. These other | devices are outside the scope of this document. For technical, managerial, and sometimes political reasons, the routers of the Internet system are grouped into collections called autonomous systems. The routers included in a single autonomous system (AS) are expected to: + Be under the control of a single operations and | maintenance (O&M) organization; + Employ common routing protocols among themselves, to | dynamically maintain their routing databases. A number of different dynamic routing protocols have been developed (see Section [7.2]); the routing protocol within a single AS is generically called an interior gateway protocol or IGP. An IP datagram may have to traverse the routers of two | or more Autonomous Systems to reach its destination, and | the Autonomous Systems must provide each other with | topology information to allow such forwarding. An exterior gateway protocol (generally BGP or EGP) is used for this purpose. | November 28, 1994 - 20 - An IP datagram carries 32-bit source and destination addresses, each of which is partitioned into two parts - a constituent network prefix and a host number on that | network. Symbolically: IP-address ::= { , } | To finally deliver the datagram, the last router in its path must map the Host-number (or rest) part of an IP | address to the host's Link Layer address. | Although well documented elsewhere [INTERNET:2], it | is useful to describe the historical use of the | network prefix. The language developed to describe | it is used in this and other documents and permeates | the thinking behind many protocols. The simplest classical network prefix is the Class A, | B, or C network prefix. These address ranges are | discriminated by observing the values of the most | significant bits of the address, and break the | address into simple prefix and host number fields. | This is described in [INTERNET:18]. | This simple notion has been extended by the concept | of subnets. These were introduced in order to allow | arbitrary complexity of interconnected LAN structures | within an organization, while insulating the Internet | system against explosive growth in assigned network | prefixes and routing complexity. Subnets provide a | multi-level hierarchical routing structure for the | Internet system. The subnet extension, described in [INTERNET:2], is a required part of the Internet | architecture. The basic idea is to partition the | field into two parts: a subnet number, | and a true host number on that subnet: IP-address ::= { , , } The interconnected physical networks within an | organization use the same network prefix but | different subnet numbers. The distinction between | November 28, 1994 - 21 - the subnets of such a subnetted network is not | normally visible outside of that network. Thus, | routing in the rest of the Internet uses only the | part of the IP destination address. | Routers outside the network treat and together as an uninterpreted rest | part of the 32-bit IP address. Within the subnetted network, the routers use the extended network prefix: | { , } The bit positions containing this extended network | number have historically been indicated by a 32-bit | mask called the subnet mask. The | bits SHOULD be contiguous and fall between the | and the fields. More | up to date protocols do not refer to a subnet mask, | but to a prefix length; the "prefix" portion of an | address is that which would be selected by a subnet | mask whose most significant bits are all ones and the | rest are zeroes. The length of the prefix equals the | number of ones in the subnet mask. This document | assumes that all subnet masks are expressible as | prefix lengths. | The inventors of the subnet mechanism presumed that | each piece of an organization's network would have | only a single subnet number. In practice, it has | often proven necessary or useful to have several | subnets share a single physical cable. For this | reason, routers should be capable of configuring | multiple subnets on the same physical interfaces, and | treat them (from a routing or forwarding perspective) | as though they were distinct physical interfaces. | The explosive growth of the Internet has forced a | review of address assignment policies. The | traditional uses of Class A, B, and C networks are | being modified in order to achieve better use of IP's 32-bit address space. Classless Inter Domain Routing | (CIDR) [INTERNET:15] is a method currently being deployed in the Internet backbones to achieve this added efficiency. CIDR depends on deploying and | November 28, 1994 - 22 - routing to arbitrary addressing domains. In this | model, hosts and routers make no assumptions about | the use of addressing in the internet. The use of networks and subnets is now historical, | although the language used to describe them remains | in current use. They have been replaced by the more | tractable concept of a network prefix. A network | prefix is, by definition, a contiguous set of bits at | the more significant end of the address that defines | a set of systems; host numbers select among those | systems. There is no requirement that all of the | internet use network prefixes uniformly. To collapse | routing information, it is useful to divide the | internet into addressing domains. Within such a | domain, detailed information is available about | constituent networks; outside it, only the common | network prefix is advertised. The classical IP addressing architecture used | addresses and subnet masks to discriminate the host | number from the network prefix. With network | prefixes, it is sufficient to indicate the number of | bits in the prefix. Both representations are in | common use. Architecturally correct subnet masks are | capable of being represented using the prefix length | description. They comprise that subset of all | possible bits patterns that have | + a contiguous string of ones at the more | significant end, | + a contiguous string of zeros at the less | significant end, and | + no intervening bits. | Routers SHOULD always treat a route as a network | prefix, and SHOULD reject configuration and routing | information inconsistent with that model. | IP-address ::= { < Network-prefix>, | } | An effect of the use of CIDR is that the set of | November 28, 1994 - 23 - destinations associated with address prefixes in the | routing table may exhibit subset relationship. A | route describing a smaller set of destinations (a | longer prefix) is said to be more specific than a | route describing a larger set of destinations (a | shorter prefix); similarly, a route describing a | larger set of destinations (a shorter prefix) is said | to be less specific than a route describing a smaller | set of destinations (a longer prefix).Routers must | use the most specific matching route (the longest | matching network prefix) when forwarding traffic. IP multicasting is an extension of Link Layer multicast to IP internets. Using IP multicasts, a single datagram | can be addressed to multiple hosts without sending it to | all. In the extended case, these hosts may reside in | different address domains. This collection of hosts is called a multicast group. Each multicast group is represented as a Class D IP address. An IP datagram sent to the group is to be delivered to each group member with the same best-effort delivery as that provided for unicast IP traffic. The sender of the datagram does not itself need to be a member of the destination group. The semantics of IP multicast group membership are | defined in [INTERNET:4]. That document describes how | hosts and routers join and leave multicast groups. It also defines a protocol, the Internet Group Management Protocol (IGMP), that monitors IP multicast group membership. Forwarding of IP multicast datagrams is accomplished either through static routing information or via a multicast routing protocol. Devices that forward IP multicast datagrams are called multicast routers. They may or may not also forward IP unicasts. Multicast | datagrams are forwarded on the basis of both their | source and destination addresses. Forwarding of IP multicast packets is described in more detail in Section [5.2.1]. Appendix D discusses multicast routing protocols. | November 28, 1994 - 24 - Traditionally, each network interface on an IP host or router has its own IP address. This can cause | inefficient use of the scarce IP address space, since it | forces allocation of an IP network prefix to every | point-to-point link. To solve this problem, a number of people have proposed and implemented the concept of unnumbered serial lines. | An unnumbered serial line does not have any network | prefix associated with it. As a consequence, the network interfaces connected to an unnumbered serial line do not have IP addresses. Because the IP architecture has traditionally assumed that all interfaces had IP addresses, these unnumbered interfaces cause some interesting dilemmas. For example, some IP options (e.g. Record Route) specify that a router must insert the interface address into the option, but an unnumbered interface has no IP address. Even more fundamental (as we shall see in chapter 5) is that routes contain the IP address of the next hop router. A router expects that this IP address will be | on an IP (sub)net to which the router is connected. | That assumption is of course violated if the only | connection is an unnumbered serial line. To get around these difficulties, two schemes have been | conceived. The first scheme says that two routers connected by an unnumbered serial line are not really | two routers at all, but rather two half-routers that | together make up a single virtual router. The | unnumbered serial line is essentially considered to be | an internal bus in the virtual router. The two halves of the virtual router must coordinate their activities in such a way that they act exactly like a single router. This scheme fits in well with the IP architecture, but suffers from two important drawbacks. The first is that, although it handles the common case of a single unnumbered serial line, it is not readily extensible to handle the case of a mesh of routers and unnumbered serial lines. The second drawback is that the interactions between the half routers are necessarily complex and are not standardized, effectively precluding November 28, 1994 - 25 - the connection of equipment from different vendors using unnumbered serial lines. Because of these drawbacks, this memo has adopted an | alternate scheme, which has been invented multiple times but which is probably originally attributable to Phil Karn. In this scheme, a router that has unnumbered | serial lines also has a special IP address, called a router-id in this memo. The router-id is one of the router's IP addresses (a router is required to have at least one IP address). This router-id is used as if it is the IP address of all unnumbered interfaces. A router may be a stand-alone computer system, dedicated to its IP router functions. Alternatively, it is possible to embed router functions within a host operating system that supports connections to | two or more networks. The best-known example of an operating system with embedded router code is the Berkeley BSD system. The embedded router feature | seems to make building a network easy, but it has a number of hidden pitfalls: If a host has only a single constituent-network | interface, it should not act as a router. For example, hosts with embedded router code that gratuitously forward broadcast packets or datagrams on the same net often cause packet avalanches. If a (multihomed) host acts as a router, it must | implement ALL the relevant router requirements | contained in this document. For example, the routing protocol issues and the router control and monitoring problems are as hard and important for embedded routers as for stand-alone routers. Internet router requirements and specifications | may change independently of operating system | November 28, 1994 - 26 - changes. An administration that operates an | embedded router in the Internet is strongly | advised to have the ability to maintain and | update the router code. This might require | router source code. When a host executes embedded router code, it becomes | part of the Internet infrastructure. Thus, errors in software or configuration can hinder communication between other hosts. As a consequence, the host administrator must lose some autonomy. In many circumstances, a host administrator will need to disable router code embedded in the operating system. Embedded router code must be | organized so that it can be easily disabled. When a host running embedded router code is | concurrently used for other services, the | Operation and Maintenance requirements for the | two modes of use may conflict. For example, router O&M will in many cases be performed remotely by an operations center; this | may require privileged system access that the | host administrator would not normally want to | distribute. There are two basic models for interconnecting local-area networks and wide-area (or long-haul) networks in the Internet. In the first, the local- | area network is assigned a network prefix and all | routers in the Internet must know how to route to that network. In the second, the local-area network shares (a small part of) the address space of the wide-area network. Routers that support this second model are called address sharing routers or transparent routers. The focus of this memo is on routers that support the first model, but this is not intended to exclude the use of transparent routers. The basic idea of a transparent router is that the hosts on the local-area network behind such a router November 28, 1994 - 27 - share the address space of the wide-area network in front of the router. In certain situations this is a very useful approach and the limitations do not present significant drawbacks. The words in front and behind indicate one of the limitations of this approach: this model of interconnection is suitable only for a geographically (and topologically) limited stub environment. It requires that there be some form of logical addressing in the network level addressing of the wide-area network. All of the IP addresses in the local environment map to a few (usually one) physical address in the wide-area network. This mapping occurs in a way consistent with the { IP address <-> network address } mapping used throughout the wide- area network. Multihoming is possible on one wide-area network, but may present routing problems if the interfaces are geographically or topologically separated. Multihoming on two (or more) wide-area networks is a problem due to the confusion of addresses. The behavior that hosts see from other hosts in what is apparently the same network may differ if the transparent router cannot fully emulate the normal wide-area network service. For example, the ARPANET used a Link Layer protocol that provided a Destination Dead indication in response to an attempt | to send to a host that was off-line. However, if there were a transparent router between the ARPANET and an Ethernet, a host on the ARPANET would not | receive a Destination Dead indication for Ethernet | hosts. An Internet router performs the following functions: Conforms to specific Internet protocols specified in | this document, including the Internet Protocol (IP), Internet Control Message Protocol (ICMP), and others as necessary. Interfaces to two or more packet networks. For each | November 28, 1994 - 28 - connected network the router must implement the | functions required by that network. These functions typically include: + Encapsulating and decapsulating the IP datagrams | with the connected network framing (e.g., an Ethernet header and checksum), + Sending and receiving IP datagrams up to the | maximum size supported by that network, this size is the network's Maximum Transmission Unit or MTU, + Translating the IP destination address into an | appropriate network-level address for the connected | network (e.g., an Ethernet hardware address), if needed, and + Responding to the network flow control and error | indication, if any. See chapter 3 (Link Layer). Receives and forwards Internet datagrams. Important | issues in this process are buffer management, congestion control, and fairness. + Recognizes error conditions and generates ICMP | error and information messages as required. + Drops datagrams whose time-to-live fields have reached zero. + Fragments datagrams when necessary to fit into the | MTU of the next network. See chapter 4 (Internet Layer - Protocols) and chapter | 5 (Internet Layer - Forwarding) for more information. | Chooses a next-hop destination for each IP datagram, | based on the information in its routing database. See | chapter 5 (Internet Layer - Forwarding) for more information. | (Usually) supports an interior gateway protocol (IGP) | to carry out distributed routing and reachability | algorithms with the other routers in the same autonomous system. In addition, some routers will November 28, 1994 - 29 - need to support an exterior gateway protocol (EGP) to exchange topological information with other autonomous systems. See chapter 7 (Application Layer - Routing | Protocols) for more information. Provides network | management and system support facilities, including loading, debugging, status reporting, exception reporting and control. See chapter 8 (Application Layer - Network Management Protocols) and chapter 10 (Operation and Maintenance) for more information. A router vendor will have many choices on power, complexity, and features for a particular router product. It may be helpful to observe that the Internet system is neither homogeneous nor fully connected. For reasons of | technology and geography it is growing into a global interconnect system plus a fringe of LANs around the edge. More and more these fringe LANs are becoming richly interconnected, thus making them less out on the fringe and more demanding on router requirements. + The global interconnect system is composed of a number | of wide-area networks to which are attached routers of | several Autonomous Systems (AS); there are relatively few hosts connected directly to the system. + Most hosts are connected to LANs. Many organizations have clusters of LANs interconnected by local routers. Each such cluster is connected by routers at one or more points into the global interconnect system. If it is connected at only one point, a LAN is known as a stub network. Routers in the global interconnect system generally require: + Advanced Routing and Forwarding Algorithms These routers need routing algorithms that are highly | dynamic and also offer type-of-service routing. | Congestion is still not a completely resolved issue (see | Section [5.3.6]). Improvements in these areas are expected, as the research community is actively working on these issues. + High Availability November 28, 1994 - 30 - These routers need to be highly reliable, providing 24 hours a day, 7 days a week service. Equipment and | software faults can have a wide-spread (sometimes | global) effect. In case of failure, they must recover quickly. In any environment, a router must be highly | robust and able to oper + Advanced O&M Features Internet routers normally operate in an unattended mode. They will typically be operated remotely from a centralized monitoring center. They need to provide sophisticated means for monitoring and measuring traffic and other events and for diagnosing faults. + High Performance Long-haul lines in the Internet today are most | frequently 56 KBPS, DS1 (1.4Mbps), and DS3 (45Mbps) speeds. LANs are typically Ethernet (10Mbps) and, to a lesser degree, FDDI (100Mbps). However, network media technology is constantly advancing and even higher speeds are likely in the future. Full-duplex operation is provided at all of these speeds. The requirements for routers used in the LAN fringe (e.g., campus networks) depend greatly on the demands of the local networks. These may be high or medium-performance devices, probably competitively procured from several different vendors and operated by an internal organization (e.g., a campus computing center). The design of these routers should emphasize low average latency and good burst performance, together with delay and type-of-service sensitive resource management. In this environment there may be less formal O&M but it will not be less important. The need for the routing mechanism to be highly dynamic will become more important as networks become more complex and interconnected. Users will demand more out of their local connections because of the speed of the global interconnects. As networks have grown, and as more networks have become old enough that they are phasing out older equipment, it has become increasingly imperative that routers interoperate with routers from other vendors. November 28, 1994 - 31 - Even though the Internet system is not fully interconnected, many parts of the system need to have redundant connectivity. Rich connectivity allows reliable service despite failures of communication lines and routers, and it can also improve service by shortening Internet paths and by providing additional capacity. Unfortunately, this richer topology can make it much more difficult to choose the best path to a particular destination. The current Internet architecture is based on a set of assumptions about the communication system. The assumptions most relevant to routers are as follows: + The Internet is a network of networks. Each host is directly connected to some particular network(s); its connection to the Internet is only conceptual. Two hosts on the same network communicate with each other using the same set of protocols that they would use to communicate with hosts on distant networks. + Routers do not keep connection state information. | To improve the robustness of the communication system, routers are designed to be stateless, forwarding each IP packet independently of other packets. As a result, redundant paths can be exploited to provide robust service in spite of failures of intervening routers and networks. All state information required for end-to-end flow control and reliability is implemented in the hosts, in the transport layer or in application programs. All connection control information is thus co-located with the end points of the communication, so it will be lost only if an end point fails. Routers control message | flow only indirectly, by dropping packets or increasing network delay. Note that future protocol developments may well end up putting some more state into routers. This is | especially likely for multicast routing, resource | November 28, 1994 - 32 - reservation, and flow forwarding. + Routing complexity should be in the routers. Routing is a complex and difficult problem, and ought to be performed by the routers, not the hosts. An important objective is to insulate host software from changes caused by the inevitable evolution of the Internet routing architecture. + The system must tolerate wide network variation. A basic objective of the Internet design is to tolerate a wide range of network characteristics - e.g., bandwidth, delay, packet loss, packet reordering, and maximum packet size. Another objective is robustness against failure of individual networks, routers, and hosts, using whatever bandwidth is still available. Finally, the goal is full open system interconnection: | an Internet router must be able to interoperate robustly | and effectively with any other router or Internet host, across diverse Internet paths. Sometimes implementors have designed for less ambitious goals. For example, the LAN environment is typically much more benign than the Internet as a whole; LANs have low packet loss and delay and do not reorder packets. Some vendors have fielded implementations that are adequate for a simple LAN environment, but work badly for general interoperation. The vendor justifies such a product as being economical within the restricted LAN market. However, isolated LANs seldom stay isolated for | long. They are soon connected to each other, to organization-wide internets, and eventually to the global Internet system. In the end, neither the customer nor the vendor is served by incomplete or substandard routers. The requirements in this document are designed for a | full-function router. It is intended that fully compliant routers will be usable in almost any part of the Internet. November 28, 1994 - 33 - Although [INTRO:1] covers Link Layer standards (IP over | various data links, ARP, etc.), this document anticipates that Link-Layer material will be covered in a separate Link Layer Requirements document. A Link-Layer Requirements document | would be applicable to both hosts and routers. Thus, this document will not obsolete the parts of [INTRO:1] that deal with link-layer issues. Routers have essentially the same Link Layer protocol requirements as other sorts of Internet systems. These requirements are given in chapter 3 of Requirements for Internet Gateways [INTRO:1]. A router MUST comply with its requirements and SHOULD comply with its recommendations. Since some of the material in that document has become somewhat dated, some additional requirements and explanations are included below. DISCUSSION: It is expected that the Internet community will produce a Requirements for Internet Link Layer standard which | will supersede both this chapter and the chapter | entitled "INTERNET LAYER PROTOCOLS" in [INTRO:1]. This document does not attempt to specify the interface | between the Link Layer and the upper layers. However, note | well that other parts of this document, particularly chapter 5, require various sorts of information to be passed across this layer boundary. This section uses the following definitions: + Source physical address The source physical address is the Link Layer address of the host or router from which the packet was received. + Destination physical address The destination physical address is the Link Layer address to which the packet was sent. The information that must pass from the Link Layer to the November 28, 1994 - 34 - Internetwork Layer for each received packet is: (1) The IP packet [5.2.2], (2) The length of the data portion (i.e., not including the Link-Layer framing) of the Link Layer frame [5.2.2], (3) The identity of the physical interface from which the IP packet was received [5.2.3], and (4) The classification of the packet's destination physical address as a Link Layer unicast, broadcast, or multicast [4.3.2], [5.3.4]. In addition, the Link Layer also should provide: (5) The source physical address. The information that must pass from the Internetwork Layer to the Link Layer for each transmitted packet is: (1) The IP packet [5.2.1] (2) The length of the IP packet [5.2.1] (3) The destination physical interface [5.2.1] (4) The next hop IP address [5.2.1] In addition, the Internetwork Layer also should provide: (5) The Link Layer priority value [5.3.3.2] The Link Layer must also notify the Internetwork Layer if the packet to be transmitted causes a Link Layer precedence-related error [5.3.3.3]. Routers that can connect to 10Mb Ethernets MAY be able | to receive and forward Ethernet packets encapsulated | using the trailer encapsulation described in [LINK:1]. However, a router SHOULD NOT originate trailer encapsulated packets. A router MUST NOT originate November 28, 1994 - 35 - trailer encapsulated packets without first verifying, | using the mechanism described in [INTRO:2], that the immediate destination of the packet is willing and able to accept trailer-encapsulated packets. A router SHOULD NOT agree (using these same mechanisms) to accept trailer-encapsulated packets. Routers that implement ARP MUST be compliant and SHOULD | be unconditionally compliant with the requirements in | [INTRO:2]. The link layer MUST NOT report a Destination Unreachable error to IP solely because there is no ARP cache entry for a destination. A router MUST not believe any ARP reply that claims that | the Link Layer address of another host or router is a broadcast or multicast address. Routers that can connect to 10Mb Ethernets MUST be | compliant and SHOULD be unconditionally compliant with | the Ethernet requirements of [INTRO:2]. The MTU of each logical interface MUST be configurable. Many Link Layer protocols define a maximum frame size that may be sent. In such cases, a router MUST NOT allow an MTU to be set which would allow sending of frames larger than those allowed by the Link Layer protocol. However, a router SHOULD be willing to receive a packet as large as the maximum frame size even if that is larger than the MTU. DISCUSSION: Note that this is a stricter requirement than imposed on hosts by [INTRO:2], which requires that the MTU of each physical interface be configurable. If a network is using an MTU smaller than the maximum frame size for the Link Layer, a router may receive | packets larger than the MTU from misconfigured and | incompletely initialized hosts. The Robustness | November 28, 1994 - 36 - Principle indicates that the router should | successfully receive these packets if at all | possible. Contrary to [INTRO:1], the Internet does have a standard serial line protocol: the Point-to-Point Protocol (PPP), | defined in [LINK:2], [LINK:3], [LINK:4], and [LINK:5]. A serial line interface is any interface that is | designed to send data over a point to point interface. | Such interfaces include telephone, leased, dedicated or | direct lines (either 2 or 4 wire), and may use point to | point channels or virtual circuits of multiplexed | interfaces such as ISDN. They normally use a | standardized modem or bit serial interface (such as RS- | 232, RS-449 or V.35), using either synchronous or asynchronous clocking. Multiplexed interfaces often | have special physical interfaces. A general purpose serial interface is a serial line interface that does not solely access line a link layer | network. Link layer networks (such as X.25 or Frame | Relay) use an alternative IP link layer specification. Routers that contain such general purpose serial | interfaces MUST implement PPP. PPP MUST be supported on all general purpose serial interfaces on a router. The router MAY allow the line to be configured to use serial line protocols other than | PPP. All general purpose serial interfaces SHOULD | default to using PPP. This section provides guidelines to router implementors so that they can ensure interoperability with other routers using PPP over either synchronous or asynchronous links. It is critical that an implementor understand the semantics of the option negotiation mechanism. Options are a means for a local device to indicate to a remote peer what the local device will accept from | November 28, 1994 - 37 - the remote peer, not what it wishes to send. It is up to the remote peer to decide what is most convenient to send within the confines of the set of options that the local device has stated that it can accept. Therefore it is perfectly acceptable and normal for a remote peer to ACK all the options indicated in an LCP Configuration Request (CR) even if the remote peer does not support any of those options. Again, the options are simply a mechanism for either device to indicate to its peer what it will accept, not necessarily what it will send. The PPP Link Control Protocol (LCP) offers a number of options that may be negotiated. These options | include (among others) address and control field compression, protocol field compression, asynchronous character map, Maximum Receive Unit (MRU), Link Quality Monitoring (LQM), magic number (for loopback detection), Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and the 32-bit Frame Check Sequence (FCS). A router MAY use address/control field compression on | either synchronous or asynchronous links. A router | MAY use protocol field compression on either | synchronous or asynchronous links. A router that | indicates that it can accept these compressions MUST | be able to accept uncompressed PPP header information | also. DISCUSSION: These options control the appearance of the PPP header. Normally the PPP header consists of the | address, the control field, and the protocol | field. The address, on a serial line, is 0xFF, | indicating "broadcast". The control field is | 0x03, indicating "Unnumbered Information." The | Protocol Identifier is a two byte value indicating | the contents of the data area of the frame. If a system negotiates address and control field compression it indicates to its peer that it will accept PPP frames that have or do not have these fields at the front of the header. It does not indicate that it will be sending frames with these November 28, 1994 - 38 - fields removed. | Protocol field compression, when negotiated, | indicates that the system is willing to receive | protocol fields compressed to one byte when this | is legal. There is no requirement that the sender | actually do so. | Use of address/control field compression is | inconsistent with the use of numbered mode | (reliable) PPP. IMPLEMENTATION: Some hardware does not deal well with variable length header information. In those cases it makes most sense for the remote peer to send the full PPP header. Implementations may ensure this by not sending the address/control field and protocol field compression options to the remote peer. Even if the remote peer has indicated an ability to receive compressed headers there is no requirement for the local router to send compressed headers. A router MUST negotiate the Asynchronous Control | Character Map (ACCM) for asynchronous PPP links, but | SHOULD NOT negotiate the ACCM for synchronous links. If a router receives an attempt to negotiate the ACCM over a synchronous link, it MUST ACKnowledge the option and then ignore it. DISCUSSION: There are implementations that offer both | synchronous and asynchronous modes of operation | and may use the same code to implement the option | negotiation. In this situation it is possible that one end or the other may send the ACCM option on a synchronous link. A router SHOULD properly negotiate the maximum | receive unit (MRU). Even if a system negotiates an | MRU smaller than 1,500 bytes, it MUST be able to November 28, 1994 - 39 - receive a 1,500 byte frame. A router SHOULD negotiate and enable the link quality monitoring (LQM) option. DISCUSSION: This memo does not specify a policy for deciding whether the link's quality is adequate. However, it is important (see Section [3.3.6]) that a router disable failed links. A router SHOULD implement and negotiate the magic number option for loopback detection. A router MAY support the authentication options (PAP - Password Authentication Protocol, and/or CHAP - | Challenge Handshake Authentication Protocol). A router MUST support 16-bit CRC frame check sequence (FCS) and MAY support the 32-bit CRC. A router MAY offer to perform IP address negotiation. A router MUST accept a refusal (REJect) to perform IP address negotiation from the peer. Routers operating at link speeds of 19,200 BPS or | less SHOULD implement and offer to perform Van | Jacobson header compression. Routers that implement | VJ compression SHOULD implement an administrative | control enabling or disabling it. A router MUST have a mechanism to allow routing software to determine whether a physical interface is available to send packets or not. A router SHOULD have a mechanism to allow routing software to judge the quality of a physical interface. A router MUST have a mechanism for informing the routing software when a physical interface becomes available or unavailable to send packets because of administrative action. A router MUST have a mechanism for informing the routing software when it detects a Link level interface has become available or unavailable, for any reason. November 28, 1994 - 40 - DISCUSSION: It is crucial that routers have workable mechanisms for determining that their network connections are | functioning properly. Failure to detect link loss, | or failure to take the proper actions when a problem | is detected, can lead to black holes. The mechanisms available for detecting problems with network connections vary considerably, depending on the Link Layer protocols in use and also in some cases on the interface hardware chosen by the router manufacturer. The intent is to maximize the capability to detect failures within the Link-Layer constraints. November 28, 1994 - 41 - This chapter and chapter 5 discuss the protocols used at the Internet Layer: IP, ICMP, and IGMP. Since forwarding is obviously a crucial topic in a document discussing routers, chapter 5 limits itself to the aspects of the | protocols that directly relate to forwarding. The current chapter contains the remainder of the discussion of the Internet Layer protocols. Routers MUST implement the IP protocol, as defined by | [INTERNET:1]. They MUST also implement its mandatory | extensions: subnets (defined in [INTERNET:2]), IP | broadcast (defined in [INTERNET:3]), and Classless | Inter-Domain Routing (CIDR, defined in [INTERNET:15]). Router implementors need not consider compliance with | the section of [INTRO:2] entitled "Internet Protocol -- | IP," as that section is entirely duplicated or | superseded in this document. A router MUST be compliant, and SHOULD be unconditionally compliant, with | the requirements of the section entitled "SPECIFIC | ISSUES" relating to IP in [INTRO:2]. In the following, the action specified in certain cases | is to silently discard a received datagram. This means | that the datagram will be discarded without further | processing and that the router will not send any ICMP | error message (see Section [4.3]) as a result. However, | for diagnosis of problems a router SHOULD provide the | capability of logging the error (see Section [1.3.3]), | including the contents of the silently discarded | datagram, and SHOULD count datagrams discarded. RFC 791 [INTERNET:1] is the specification for the | Internet Protocol. | In datagrams received by the router itself, the IP | layer MUST interpret IP options that it understands | and preserve the rest unchanged for use by higher layer protocols. November 28, 1994 - 42 - Higher layer protocols may require the ability to set IP options in datagrams they send or examine IP options in datagrams they receive. Later sections of this document discuss specific IP option support required by higher layer protocols. DISCUSSION: Neither this memo nor [INTRO:2] define the order in which a receiver must process multiple options in the same IP header. Hosts and routers originating datagrams containing multiple options must be aware that this introduces an ambiguity in the meaning of certain options when combined with a source-route option. Here are the requirements for specific IP options: (a) Security Option Some environments require the Security option in every packet originated or received. Routers SHOULD IMPLEMENT the revised security option described in [INTERNET:5]. DISCUSSION: Note that the security options described in [INTERNET:1] and RFC 1038 ([INTERNET:16]) are obsolete. (b) Stream Identifier Option This option is obsolete; routers SHOULD NOT place this option in a datagram that the router originates. This option MUST be ignored in datagrams received by the router. (c) Source Route Options A router MUST be able to act as the final destination of a source route. If a router | receives a packet containing a completed source | route, the packet has reached its final | destination. In such an option, the pointer points beyond the last field and the destination address in the IP header addresses the router. | November 28, 1994 - 43 - The option as received (the recorded route) MUST be passed up to the transport layer (or to ICMP message processing). A correct response to a source-routed datagrams | traverses the same route. A router MUST provide | a means whereby transport protocols and | applications can reverse the source route in a | received datagram. This reversed source route | MUST be inserted into datagrams they originate | (see [INTRO:2] for details). Some applications in the router MAY require that the user be able to enter a source route. A router MUST NOT originate a datagram containing multiple source route options. What a router should do if asked to forward a packet containing multiple source route options is described in Section [5.2.4.1]. When a source route option is created, it MUST be correctly formed even if it is being created by reversing a recorded route that erroneously includes the source host (see case (B) in the discussion below). DISCUSSION: Suppose a source routed datagram is to be routed from source S to destination D via routers G1, G2, Gn. Source S constructs a datagram with G1's IP address as its destination address, and a source route option to get the datagram the rest of the way to its destination. However, there is an ambiguity in the specification over whether the source route option in a datagram sent out by S should be (A) or (B): (A): {>>G2, G3, Gn, D} <--- CORRECT (B): {S, >>G2, G3, Gn, D} <---- WRONG (where >> represents the pointer). If (A) is | sent, the datagram received at D will contain November 28, 1994 - 44 - the option: {G1, G2, Gn >>}, with S and D as the IP source and destination addresses. If (B) were sent, the datagram received at D would again contain S and D as the same IP source and destination addresses, but the option would be: {S, G1, i.e., the originating host would be the first hop in the route. (d) Record Route Option Routers MAY support the Record Route option in datagrams originated by the router. (e) Timestamp Option Routers MAY support the timestamp option in datagrams originated by the router. The following rules apply: + When originating a datagram containing a Timestamp Option, a router MUST record a timestamp in the option if - Its Internet address fields are not pre- specified or - Its first pre-specified address is the IP address of the logical interface over which the datagram is being sent (or the router's router-id if the datagram is being sent over an unnumbered interface). + If the router itself receives a datagram | containing a Timestamp Option, the router | MUST insert the current time into the | Timestamp Option (if there is space in the | option to do so) before passing the option to the transport layer or to ICMP for processing. + A timestamp value MUST follow the rules | defined in [INTRO:2]. IMPLEMENTATION: To maximize the utility of the timestamps November 28, 1994 - 45 - contained in the timestamp option, the | timestamp inserted should be, as nearly as practical, the time at which the packet arrived at the router. For datagrams originated by the router, the timestamp inserted should be, as nearly as practical, the time at which the datagram was passed to the Link Layer for transmission. Routers are called upon to insert their address into | Record Route, Strict Source and Record Route, Loose Source and Record Route, or Timestamp Options. When | a router inserts its address into such an option, it MUST use the IP address of the logical interface on which the packet is being sent. Where this rule cannot be obeyed because the output interface has no IP address (i.e., is an unnumbered interface), the router MUST instead insert its router-id. The | router's router-id is one of the router's IP | addresses; it may be specified on a system basis or | on a per-link basis. Which of the router's addresses is used as the router-id MUST NOT change (even across reboots) unless changed by the network manager. | Relevant management changes include reconfiguration | of the router such that the IP address used as the | router-id ceases to be one of the router's IP | addresses. Routers with multiple unnumbered interfaces MAY have multiple router-id's. Each unnumbered interface MUST be associated with a particular router-id. This association MUST NOT change (even across reboots) without reconfiguration of the router. DISCUSSION: This specification does not allow for routers that | do not have at least one IP address. We do not view this as a serious limitation, since a router needs an IP address to meet the manageability requirements of Chapter [8] even if the router is connected only to point-to-point links. IMPLEMENTATION: November 28, 1994 - 46 - One possible method of choosing the router-id that fulfills this requirement is to use the numerically smallest (or greatest) IP address (treating the address as a 32-bit integer) that is assigned to the router. The IP header contains two reserved bits: one in the | Type of Service byte and the other in the Flags field. A router MUST NOT set either of these bits to one in datagrams originated by the router. A router MUST NOT drop (refuse to receive or forward) a packet merely because one or more of these reserved bits has a non-zero value. DISCUSSION: Future revisions to the IP protocol may make use of these unused bits. These rules are intended to ensure that these revisions can be deployed without having to simultaneously upgrade all routers in the Internet. The Type-of-Service byte in the IP header is divided | into three sections: the Precedence field (high-order 3 bits), a field that is customarily called Type of Service or TOS (next 4 bits), and a reserved bit (the low order bit). Rules governing the reserved bit were described in Section [4.2.2.3]. A more extensive discussion of the TOS field and its use can be found in [ROUTE:11]. The description of the IP Precedence field is superseded by Section [5.3.3]. RFC 795, Service | Mappings, is obsolete and SHOULD NOT be implemented. | As stated in Section [5.2.2], a router MUST verify | the IP checksum of any packet that is received. The router MUST NOT provide a means to disable this November 28, 1994 - 47 - checksum verification. IMPLEMENTATION: A more extensive description of the IP checksum, including extensive implementation hints, can be found in [INTERNET:6] and [INTERNET:7]. A router MUST ignore IP options which it does not | recognize. A corollary of this requirement is that a router MUST implement the End of Option List option and the No Operation option, since neither contains an explicit length. DISCUSSION: All future IP options will include an explicit length. Fragmentation, as described in [INTERNET:1], MUST be | supported by a router. When a router fragments an IP datagram, it SHOULD minimize the number of fragments. When a router fragments an IP datagram, it MUST send the fragments in order. A fragmentation method that may generate | one IP fragment that is significantly smaller than the other MAY cause the first IP fragment to be the smaller one. DISCUSSION: There are several fragmentation techniques in common use in the Internet. One involves splitting the IP datagram into IP fragments with the first being MTU sized, and the others being approximately the same size, smaller than the MTU. The reason for this is twofold. The first IP fragment in the sequence will be the effective MTU of the current path between the hosts, and the | following IP fragments are sized to minimize the | further fragmentation of the IP datagram. Another technique is to split the IP datagram into MTU sized IP fragments, with the last fragment being November 28, 1994 - 48 - the only one smaller, as described in | [INTERNET:1]. A common trick used by some implementations of TCP/IP is to fragment an IP datagram into IP fragments that are no larger than 576 bytes when the IP datagram is to travel through a router. | This is intended to allow the resulting IP | fragments to pass the rest of the path without | further fragmentation. This would, though, create more of a load on the destination host, since it would have a larger number of IP fragments to reassemble into one IP datagram. It would also | not be efficient on networks where the MTU only | changes once and stays much larger than 576 bytes. | Examples include LAN networks such as an IEEE | 802.5 network with a MTU of 2048 or an Ethernet | network with an MTU of 1500). One other fragmentation technique discussed was splitting the IP datagram into approximately equal sized IP fragments, with the size less than or | equal to the next hop network's MTU. This is intended to minimize the number of fragments that would result from additional fragmentation further | down the path, and assure equal delay for each | fragment. Routers SHOULD generate the least possible number | of IP fragments. Work with slow machines leads us to believe that if it is necessary to fragment messages, sending | the small IP fragment first maximizes the chance of a host with a slow interface of receiving all the fragments. As specified in the corresponding section of | [INTRO:2], a router MUST support reassembly of | datagrams that it delivers to itself. | Time to Live (TTL) handling for packets originated or November 28, 1994 - 49 - received by the router is governed by [INTRO:2]; this | section changes none of its stipulations. However, | since the remainder of the IP Protocol section of | [INTRO:2] is rewritten, this section is as well. | Note in particular that a router MUST NOT check the TTL of a packet except when forwarding it. | A router MUST NOT originate or forward a datagram | with a Time-to-Live (TTL) value of zero. | A router MUST NOT discard a datagram just because it | was received with TTL less than 2; if it is to the | router and otherwise valid, the router MUST attempt | to receive it. | On messages the router originates, the IP layer MUST | provide a means for the transport layer to set the | TTL field of every datagram that is sent. When a | fixed TTL value is used, it MUST be configurable. | The current suggested value will be published in the | "Assigned Numbers" RFC. The TTL field has two | functions: limit the lifetime of TCP segments (see | RFC 793 [TCP:1], p. 28), and terminate Internet | routing loops. Although TTL is a time in seconds, it | also has some attributes of a hop-count, since each | router is required to reduce the TTL field by at | least one. | TTL expiration is intended to cause datagrams to be | discarded by routers, but not by the destination | host. Hosts that act as routers by forwarding | datagrams must therefore follow the router's rules | for TTL. | A higher-layer protocol may want to set the TTL in | order to implement an "expanding scope" search for | some Internet resource. This is used by some | diagnostic tools, and is expected to be useful for | locating the "nearest" server of a given class using | IP multicasting, for example. A particular transport | protocol may also want to specify its own TTL bound | on maximum datagram lifetime. | A fixed value must be at least big enough for the | November 28, 1994 - 50 - Internet "diameter," i.e., the longest possible path. | A reasonable value is about twice the diameter, to | allow for continued Internet growth. | All-subnets broadcasts (called multi-subnet | broadcasts in [INTERNET:3]) have been deprecated. See Section [5.3.5.3]. | There are now five classes of IP addresses: Class A through Class E. Class D addresses are used for IP multicasting [INTERNET:4], while Class E addresses are reserved for experimental use. A multicast (Class D) address is a 28-bit logical address that stands for a group of hosts, and may be either permanent or transient. Permanent multicast addresses are allocated by the Internet Assigned Number Authority [INTRO:7], while transient addresses | may be allocated dynamically to transient groups. Group membership is determined dynamically using IGMP [INTERNET:4]. We now summarize the important special cases for | Unicast (that is class A, B, and C) IP addresses, using the following notation for an IP address: { , } | and the notation -1 for a field that contains all 1 * bits and the notation 0 for a field that contains all 0 bits. * (a) { 0, 0 } This host on this network. It MUST NOT be used as a source address by routers, except the router MAY use this as a source address as part of an initialization procedure (e.g., if the router is using BOOTP to load its configuration information). Incoming datagrams with a source address of { 0, November 28, 1994 - 51 - 0 } which are received for local delivery (see | Section [5.2.3]), MUST be accepted if the router | implements the associated protocol and that | protocol clearly defines appropriate action to | be taken. Otherwise, a router MUST silently discard any locally-delivered datagram whose source address is { 0, 0 }. DISCUSSION: Some protocols define specific actions to take in response to a received datagram whose source address is { 0, 0 }. Two examples are BOOTP and ICMP Mask Request. The proper operation of these protocols often depends on the ability to receive datagrams whose source address is { 0, 0 }. For most protocols, however, it is best to ignore datagrams having a source address of { 0, 0 } since they were probably generated by a misconfigured host or router. Thus, if a | router knows how to deal with a given | datagram having a { 0, 0 } source address, | the router MUST accept it. Otherwise, the router MUST discard it. See also Section [4.2.3.1] for a non-standard use of { 0, 0 }. (b) { 0, } Specified host on this network. It MUST NOT be | sent by routers except that the router MAY use | this as a source address as part of an | initialization procedure by which the it learns | its own IP address. (c) { -1, -1 } Limited broadcast. It MUST NOT be used as a source address. A datagram with this destination address will be received by every host and router on the connected physical network, but will not be forwarded outside that network. November 28, 1994 - 52 - (d) { , -1 } | Directed Broadcast - a broadcast directed to the | specified network prefix. It MUST NOT be used as a source address. A router MAY originate Network Directed Broadcast packets. A router MUST receive Network Directed Broadcast packets; however a router MAY have a configuration option to prevent reception of these packets. Such an option MUST default to allowing reception. (e) { 127, } * Internal host loopback address. Addresses of this form MUST NOT appear outside a host. The is administratively assigned so | that its value will be unique in the entire world. IP addresses are not permitted to have the value 0 or | -1 for the or fields | except in the special cases listed above. This implies that each of these fields will be at least two bits long. For further discussion of broadcast addresses, see | Section [4.2.3.1]. When a router originates any datagram, the IP source * address MUST be one of its own IP addresses (but not a broadcast or multicast address). The only exception is during initialization. For most purposes, a datagram addressed to a broadcast or multicast destination is processed as if it had been addressed to one of the router's IP addresses; that is to say: + A router MUST receive and process normally any | packets with a broadcast destination address. + A router MUST receive and process normally any | packets sent to a multicast destination address | that the router has asked to receive. November 28, 1994 - 53 - The term specific-destination address means the equivalent local IP address of the host. The specific-destination address is defined to be the destination address in the IP header unless the header contains a broadcast or multicast address, in which case the specific-destination is an IP address assigned to the physical interface on which the datagram arrived. A router MUST silently discard any received datagram containing an IP source address that is invalid by the rules of this section. This validation could be done either by the IP layer or by each protocol in the transport layer. DISCUSSION: A misaddressed datagram might be caused by a Link Layer broadcast of a unicast datagram or by another router or host that is confused or misconfigured. For historical reasons, there are a number of IP | addresses (some standard and some not) which are used | to indicate that an IP packet is an IP broadcast. A router (1) MUST treat as IP broadcasts packets addressed to | 255.255.255.255 or { , -1 }. (2) SHOULD silently discard on receipt (i.e., do not | even deliver to applications in the router) any | packet addressed to 0.0.0.0 or { , 0 }. If these packets are not silently | discarded, they MUST be treated as IP broadcasts (see Section [5.3.5]). There MAY be a configuration option to allow receipt of these packets. This option SHOULD default to discarding them. (3) SHOULD (by default) use the limited broadcast | address (255.255.255.255) when originating an IP | November 28, 1994 - 54 - broadcast destined for a connected (sub)network | (except when sending an ICMP Address Mask Reply, as discussed in Section [4.3.3.9]). A router MUST receive limited broadcasts. (4) SHOULD NOT originate datagrams addressed to | 0.0.0.0 or { , 0 }. There MAY be a configuration option to allow generation of these packets (instead of using the relevant 1s format broadcast). This option SHOULD default to not generating them. DISCUSSION: In the second bullet, the router obviously cannot | recognize addresses of the form { , 0 } if the router has no interface to | that network prefix. In that case, the rules of the second bullet do not apply because, from the point of view of the router, the packet is not an IP broadcast packet. An IP router SHOULD satisfy the Host Requirements with respect to IP multicasting, as specified in | [INTRO:2]. An IP router SHOULD support local IP | multicasting on all connected networks. When a | mapping from Class D IP addresses to link-layer | addresses has been specified (see the various IP- | over-xxx specifications), it SHOULD use that mapping, | and MAY be configurable to use the data link | broadcast instead. On point-to-point links and all | other interfaces, multicasts are encapsulated as data | link broadcasts. Support for local IP multicasting includes originating multicast datagrams, joining multicast groups and receiving multicast datagrams, and leaving multicast groups. This implies support for all of [INTERNET:4] including IGMP (see Section | [4.4]). DISCUSSION: Although [INTERNET:4] is entitled Host Extensions for IP Multicasting, it applies to all IP systems, both hosts and routers. In particular, since routers may join multicast groups, it is correct November 28, 1994 - 55 - for them to perform the host part of IGMP, reporting their group memberships to any multicast routers that may be present on their attached networks (whether or not they themselves are multicast routers). Some router protocols may specifically require support for IP multicasting (e.g., OSPF [ROUTE:1]), or may recommend it (e.g., ICMP Router Discovery [INTERNET:13]). In order to eliminate fragmentation or minimize it, it is desirable to know what is the path MTU along the path from the source to destination. The path MTU is the minimum of the MTUs of each hop in the path. [INTERNET:14] describes a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path. For a path that passes through a router that does not support [INTERNET:14], this technique might not discover the correct Path MTU, but it will always choose a Path MTU as accurate as, and in many cases more accurate than, the Path MTU that would be chosen by older techniques or the current practice. When a router is originating an IP datagram, it SHOULD use the scheme described in [INTERNET:14] to limit the datagram's size. If the router's route to the datagram's destination was learned from a routing protocol that provides Path MTU information, the scheme described in [INTERNET:14] is still used, but the Path MTU information from the routing protocol SHOULD be used as the initial guess as to the Path MTU and also as an upper bound on the Path MTU. Under certain circumstances, it may be desirable to support subnets of a particular network being interconnected only via a path that is not part of | the subnetted network. This is known as discontiguous subnetwork support. Routers MUST support discontiguous subnetworks. November 28, 1994 - 56 - IMPLEMENTATION: In classical IP networks, this was very difficult | to achieve; in CIDR networks, it is a natural by- | product. Therefore, a router SHOULD NOT make | assumptions about subnet architecture, but SHOULD | treat each route as a generalized network prefix. | DISCUSSION: The Internet has been growing at a tremendous rate of late. This has been placing severe strains on the IP addressing technology. A major factor in this strain is the strict IP Address class boundaries. These make it difficult to | efficiently size network prefixes to their | networks and aggregate several network prefixes | into a single route advertisement. By eliminating the strict class boundaries of the IP address and treating each route as a generalized network | prefix, these strains may be greatly reduced. The technology for currently doing this is | Classless Inter Domain Routing (CIDR) [INTERNET:15]. For similar reasons, an address block associated with | a given network prefix could be subdivided into | subblocks of different sizes, so that the network | prefixes associated with the subblocks would have | different length. For example, within a block whose | network prefix is 8 bits long, one subblock may have | a 16 bit network prefix, another may have an 18 bit | network prefix, and a third a 14 bit network prefix. Routers MUST support variable length network prefixes | in both their interface configurations and their | routing databases. ICMP is an auxiliary protocol, which provides routing, | diagnostic and error functionality for IP. It is described in [INTERNET:8]. A router MUST support ICMP. November 28, 1994 - 57 - ICMP messages are grouped in two classes that are | discussed in the following sections: ICMP error messages: Destination Unreachable Section 4.3.3.1 Redirect Section 4.3.3.2 Source Quench Section 4.3.3.3 Time Exceeded Section 4.3.3.4 Parameter Problem Section 4.3.3.5 ICMP query messages: Echo Section 4.3.3.6 Information Section 4.3.3.7 Timestamp Section 4.3.3.8 Address Mask Section 4.3.3.9 Router Discovery Section 4.3.3.10 General ICMP requirements and discussion are in the next section. If an ICMP message of unknown type is received, it MUST be passed to the ICMP user interface (if the router has one) or silently discarded (if the router | does not have one). When originating an ICMP message, the router MUST initialize the TTL. The TTL for ICMP responses must | not be taken from the packet that triggered the response. Every ICMP error message includes the Internet header and at least the first 8 data bytes of the datagram that triggered the error. More than 8 bytes MAY be sent, but the resulting ICMP datagram SHOULD have a length of less than or equal to 576 bytes. The returned IP header (and user data) MUST be identical to that which was received, except that the router is not required to undo any modifications to the IP November 28, 1994 - 58 - header that are normally performed in forwarding that were performed before the error was detected (e.g., decrementing the TTL, or updating options). Note | that the requirements of Section [4.3.3.5] supersede this requirement in some cases (i.e., for a Parameter Problem message, if the problem is in a modified field, the router must undo the modification). See Section [4.3.3.5]) Except where this document specifies otherwise, the IP source address in an ICMP message originated by the router MUST be one of the IP addresses associated with the physical interface over which the ICMP message is transmitted. If the interface has no IP addresses associated with it, the router's router-id (see Section [5.2.5]) is used instead. ICMP error messages SHOULD have their TOS bits set to the same value as the TOS bits in the packet which provoked the sending of the ICMP error message, unless setting them to that value would cause the ICMP error message to be immediately discarded because it could not be routed to its destination. Otherwise, ICMP error messages MUST be sent with a normal (i.e. zero) TOS. An ICMP reply message SHOULD have its TOS bits set to the same value as the TOS bits in the ICMP request that provoked the reply. EDITOR'S COMMENTS: The following paragraph originally read: ICMP error messages MUST have their IP Precedence field set to the same value as the IP Precedence field in the packet which provoked the sending of the ICMP error message, except that the precedence value MUST be 6 (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL), SHOULD be 7, and MAY be settable for the following types of ICMP error messages: Unreachable, Redirect, Time Exceeded, and Parameter Problem. I believe that the following paragraph is November 28, 1994 - 59 - equivalent and easier for humans to parse (Source Quench is the only other ICMP Error message). Other interpretations of the original are sought. ICMP Source Quench error messages MUST have their IP Precedence field set to the same value as the IP Precedence field in the packet which provoked the sending of the ICMP Source Quench message. All other ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, and Parameter Problem) MUST have their precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL), SHOULD be 7. The IP Precedence value for these error messages MAY be settable. An ICMP reply message MUST have its IP Precedence field set to the same value as the IP Precedence field in the ICMP request that provoked the reply. If the packet which provokes the sending of an ICMP error message contains a source route option, the ICMP error message SHOULD also contain a source route option of the same type (strict or loose), created by reversing the portion before the pointer of the route recorded in the source route option of the original packet UNLESS the ICMP error message is an ICMP Parameter Problem complaining about a source route option in the original packet. DISCUSSION: In environments which use the U.S. Department of Defense security option (defined in [INTERNET:5]), ICMP messages may need to include a security option. Detailed information on this topic should be available from the Defense Communications Agency. An ICMP error message MUST NOT be sent as the result of receiving: + An ICMP error message, or November 28, 1994 - 60 - + A packet which fails the IP header validation tests described in Section [5.2.2] (except where that section specifically permits the sending of an ICMP error message), or + A packet destined to an IP broadcast or IP multicast address, or + A packet sent as a Link Layer broadcast or multicast, or + A packet whose source address has a network prefix | of zero or is an invalid source address (as | defined in Section [5.3.7]), or + Any fragment of a datagram other then the first | fragment (i.e., a packet for which the fragment | offset in the IP header is nonzero). Furthermore, an ICMP error message MUST NOT be sent in any case where this memo states that a packet is to be silently discarded. NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES. DISCUSSION: These rules aim to prevent the broadcast storms that have resulted from routers or hosts returning ICMP error messages in response to broadcast packets. For example, a broadcast UDP packet to a non-existent port could trigger a flood of ICMP Destination Unreachable datagrams from all devices that do not have a client for that destination port. On a large Ethernet, the resulting collisions can render the network useless for a second or more. Every packet that is broadcast on the connected network should have a valid IP broadcast address as its IP destination (see Section [5.3.4] and [INTRO:2]). However, some devices violate this rule. To be certain to detect broadcast packets, therefore, routers are required to check for a November 28, 1994 - 61 - link-layer broadcast as well as an IP-layer address. IMPLEMENTATION: This requires that the link layer inform the IP layer when a link-layer broadcast packet has been received; see Section [3.1]. A router which sends ICMP Source Quench messages MUST be able to limit the rate at which the messages can be generated. A router SHOULD also be able to limit the rate at which it sends other sorts of ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, Parameter Problem). The rate limit parameters SHOULD be settable as part of the configuration of the router. How the limits are applied (e.g., per router or p... | DISCUSSION: Two problems for a router sending ICMP error message are: (1) The consumption of bandwidth on the reverse path, and (2) The use of router resources (e.g., memory, CPU time) To help solve these problems a router can limit the frequency with which it generates ICMP error messages. For similar reasons, a router may limit the frequency at which some other sorts of messages, such as ICMP Echo Replies, are generated. IMPLEMENTATION: Various mechanisms have been used or proposed for limiting the rate at which ICMP messages are sent: (1) Count-based - for example, send an ICMP error message for every N dropped packets overall or per given source host. This mechanism might be appropriate for ICMP Source Quench, November 28, 1994 - 62 - but probably not for other types of ICMP messages. (2) Timer-based - for example, send an ICMP error message to a given source host or overall at most once per T milliseconds. (3) Bandwidth-based - for example, limit the rate at which ICMP messages are sent over a particular interface to some fraction of the attached network's bandwidth. If a route can not forward a packet because it has no routes at all to the destination network specified in the packet then the router MUST generate a Destination Unreachable, Code 0 (Network Unreachable) ICMP message. If the router does have routes to the destination network specified in the packet but the TOS specified for the routes is neither the default TOS (0000) nor the TOS of the packet that the router is attempting to route, then the router MUST generate a Destination Unreachable, Code 11 (Network Unreachable for TOS) ICMP message. If a packet is to be forwarded to a host on a network that is directly connected to the router (i.e., the router is the last-hop router) and the router has ascertained that there is no path to the destination host then the router MUST generate a Destination Unreachable, Code 1 (Host Unreachable) ICMP message. If a packet is to be forwarded to a host that is on a network that is directly connected to the router and the router cannot forward the packet because no route | to the destination has a TOS that is either equal to | the TOS requested in the packet or is the default TOS | (0000) then the router MUST generate a Destination Unreachable, Code 12 (Host Unreachable for TOS) ICMP message. DISCUSSION: The intent is that a router generates the November 28, 1994 - 63 - "generic" host/network unreachable if it has no path at all (including default routes) to the destination. If the router has one or more paths to the destination, but none of those paths have an acceptable TOS, then the router generates the "unreachable for TOS" message. The ICMP Redirect message is generated to inform a | local host that it should use a different next hop | router for certain traffic. Contrary to [INTRO:2], a router MAY ignore ICMP | Redirects when choosing a path for a packet originated by the router if the router is running a routing protocol or if forwarding is enabled on the router and on the interface over which the packet is being sent. A router SHOULD NOT originate ICMP Source Quench messages. As specified in Section [4.3.2], a router which does originate Source Quench messages MUST be able to limit the rate at which they are generated. DISCUSSION: Research seems to suggest that Source Quench consumes network bandwidth but is an ineffective (and unfair) antidote to congestion. See, for example, [INTERNET:9] and [INTERNET:10]. Section [5.3.6] discusses the current thinking on how routers ought to deal with overload and network congestion. A router MAY ignore any ICMP Source Quench messages it receives. DISCUSSION: A router itself may receive a Source Quench as the result of originating a packet sent to another router or host. Such datagrams might be, e.g., an EGP update sent to another router, or a telnet stream sent to a host. A mechanism has been proposed ([INTERNET:11], [INTERNET:12]) to make November 28, 1994 - 64 - the IP layer respond directly to Source Quench by controlling the rate at which packets are sent, however, this proposal is currently experimental and not currently recommended. When a router is forwarding a packet and the TTL field of the packet is reduced to 0, the requirements of section [5.2.3.8] apply. When the router is reassembling a packet that is destined for the router, it is acting as an Internet | host. [INTRO:2]'s reassembly requirements therefore | apply. When the router receives (i.e., is destined for the router) a Time Exceeded message, it MUST comply with | [INTRO:2]. A router MUST generate a Parameter Problem message for any error not specifically covered by another ICMP message. The IP header field or IP option including the byte indicated by the pointer field MUST be included unchanged in the IP header returned with this ICMP message. Section [4.3.2] defines an exception to this requirement. A new variant of the Parameter Problem message was defined in [INTRO:2]: Code 1 = required option is missing. DISCUSSION: This variant is currently in use in the military community for a missing security option. A router MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A router MUST be prepared to receive, reassemble and echo an ICMP Echo Request datagram at least as large as the maximum of 576 and the MTUs of all the connected networks. November 28, 1994 - 65 - The Echo server function MAY choose not to respond to ICMP echo requests addressed to IP broadcast or IP multicast addresses. A router SHOULD have a configuration option which, if enabled, causes the router to silently ignore all ICMP echo requests; if provided, this option MUST default to allowing responses. DISCUSSION: The neutral provision about responding to broadcast and multicast Echo Requests derives from | [INTRO:2]'s "Echo Request/Reply" section. As stated in Section [10.3.3], a router MUST also implement an user/application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes. All ICMP Echo Reply messages MUST be passed to this interface. The IP source address in an ICMP Echo Reply MUST be the same as the specific-destination address of the corresponding ICMP Echo Request message. Data received in an ICMP Echo Request MUST be entirely included in the resulting Echo Reply. If a Record Route and/or Timestamp option is received in an ICMP Echo Request, this option (these options) SHOULD be updated to include the current router and included in the IP header of the Echo Reply message, without truncation. Thus, the recorded route will be for the entire round trip. If a Source Route option is received in an ICMP Echo Request, the return route MUST be reversed and used as a Source Route option for the Echo Reply message. A router SHOULD NOT originate or respond to these messages. DISCUSSION: The Information Request/Reply pair was intended to support self-configuring systems such as diskless November 28, 1994 - 66 - workstations, to allow them to discover their IP | network prefixes at boot time. However, these messages are now obsolete. The RARP and BOOTP protocols provide better mechanisms for a host to discover its own IP address. A router MAY implement Timestamp and Timestamp Reply. If they are implemented then: + The ICMP Timestamp server function MUST return a Timestamp Reply to every Timestamp message that is received. It SHOULD be designed for minimum variability in delay. + An ICMP Timestamp Request message to an IP broadcast or IP multicast address MAY be silently discarded. + The IP source address in an ICMP Timestamp Reply MUST be the same as the specific-destination address of the corresponding Timestamp Request message. + If a Source Route option is received in an ICMP Timestamp Request, the return route MUST be reversed and used as a Source Route option for the Timestamp Reply message. + If a Record Route and/or Timestamp option is received in a Timestamp Request, this (these) option(s) SHOULD be updated to include the current router and included in the IP header of the Timestamp Reply message. + If the router provides an application-layer interface for sending Timestamp Request messages then incoming Timestamp Reply messages MUST be passed up to the ICMP user interface. The preferred form for a timestamp value (the standard value) is milliseconds since midnight, Universal Time. However, it may be difficult to provide this value with millisecond resolution. For November 28, 1994 - 67 - example, many systems use clocks that update only at line frequency, 50 or 60 times per second. Therefore, some latitude is allowed in a standard value: (a) A standard value MUST be updated at least 16 times per second (i.e., at most the six low- order bits of the value may be undefined). (b) The accuracy of a standard value MUST approximate that of operator-set CPU clocks, i.e., correct within a few minutes. IMPLEMENTATION: To meet the second condition, a router may need to query some time server when the router is booted or restarted. It is recommended that the UDP Time Server Protocol be used for this purpose. A more advanced implementation would use the Network Time Protocol (NTP) to achieve nearly millisecond clock synchronization; however, this is not required. A router MUST implement support for receiving ICMP Address Mask Request messages and responding with ICMP Address Mask Reply messages. These messages are defined in [INTERNET:2]. A router SHOULD have a configuration option for each logical interface specifying whether the router is allowed to answer Address Mask Requests for that interface; this option MUST default to allowing responses. A router MUST NOT respond to an Address Mask Request before the router knows the correct | address mask. A router MUST NOT respond to an Address Mask Request which has a source address of 0.0.0.0 and which arrives on a physical interface which has associated | with it multiple logical interfaces and the address | masks for those interfaces are not all the same. A router SHOULD examine all ICMP Address Mask Replies which it receives to determine whether the November 28, 1994 - 68 - information it contains matches the router's knowledge of the address mask. If the ICMP Address | Mask Reply appears to be in error, the router SHOULD | log the address mask and the sender's IP address. A router MUST NOT use the contents of an ICMP Address Mask Reply to determine the correct address mask. | Because hosts may not be able to learn the address | mask if a router is down when the host boots up, a router MAY broadcast a gratuitous ICMP Address Mask Reply on each of its logical interfaces after it has | configured its own address masks. However, this feature can be dangerous in environments which use variable length address masks. Therefore, if this | feature is implemented, gratuitous Address Mask Replies MUST NOT be broadcast over any logical interface(s) which either: + Are not configured to send gratuitous Address Mask Replies. Each logical interface MUST have a configuration parameter controlling this, and that parameter MUST default to not sending the gratuitous Address Mask Replies. + Share subsuming (but not identical) network | prefixes and physical interface. The { , -1 } form of the IP broadcast | address MUST be used for broadcast Address Mask | Replies. DISCUSSION: The ability to disable sending Address Mask Replies by routers is required at a few sites | which intentionally lie to their hosts about the | address mask. The need for this is expected to go away as more and more hosts become compliant with the Host Requirements standards. The reason for both the second bullet above and the requirement about which IP broadcast address | to use is to prevent problems when multiple IP | network prefixes are in use on the same physical | network. November 28, 1994 - 69 - An IP router MUST support the router part of the ICMP Router Discovery Protocol [INTERNET:13] on all connected networks on which the router supports either IP multicast or IP broadcast addressing. The implementation MUST include all of the configuration variables specified for routers, with the specified defaults. DISCUSSION: Routers are not required to implement the host part of the ICMP Router Discovery Protocol, but might find it useful for operation while IP forwarding is disabled (i.e., when operating as a host). DISCUSSION: We note that it is quite common for hosts to use RIP as the router discovery protocol. Such hosts listen to RIP traffic and use and use information extracted from that traffic to discover routers and to make decisions as to which router to use as a first-hop router for a given destination. While this behavior is discouraged, it is still common and implementors should be aware of it. IGMP [INTERNET:4] is a protocol used between hosts and multicast routers on a single physical network to establish hosts' membership in particular multicast groups. Multicast routers use this information, in conjunction with a multicast routing protocol, to support IP multicast forwarding across the Internet. A router SHOULD implement the host part of IGMP. November 28, 1994 - 70 - This section describes the process of forwarding packets. There is no separate specification of the forwarding function in IP. Instead, forwarding is covered by the protocol specifications for the internet layer protocols ([INTERNET:1], [INTERNET:2], [INTERNET:3], [INTERNET:8], and [ROUTE:11]). Since none of the primary protocol documents describe the forwarding algorithm in any detail, we present it here. This is just a general outline, and omits important details, such as handling of congestion, that are dealt with in later sections. It is not required that an implementation follow exactly the algorithms given in sections [5.2.1.1], [5.2.1.2], and [5.2.1.3]. Much of the challenge of writing router software is to maximize the rate at which the router can forward packets while still achieving the same effect of the algorithm. Details of how to do that are beyond the scope of this document, in part because they are heavily dependent on the architecture of the router. Instead, we merely point out the order dependencies among the steps: (1) A router MUST verify the IP header, as described in section [5.2.2], before performing any actions based on the contents of the header. This allows the router to detect and discard bad packets before the expenditure of other resources. (2) Processing of certain IP options requires that the router insert its IP address into the option. As noted in Section [5.2.4], the address inserted MUST be the address of the logical interface on which the packet is sent or the router's router-id if the packet is sent over an unnumbered interface. Thus, processing of these options cannot be completed until after the output interface is chosen. (3) The router cannot check and decrement the TTL before checking whether the packet should be delivered to the router itself, for reasons mentioned in Section November 28, 1994 - 71 - [4.2.2.9]. (4) More generally, when a packet is delivered locally to the router, its IP header MUST NOT be modified in any way (except that a router may be required to insert a timestamp into any Timestamp options in the IP header). Thus, before the router determines whether the packet is to be delivered locally to the router, it cannot update the IP header in any way that it is not prepared to undo. This section covers the general forwarding algorithm. This algorithm applies to all forms of packets to be forwarded: unicast, multicast, and broadcast. (1) The router receives the IP packet (plus additional information about it, as described in Section [3.1]) from the Link Layer. (2) The router validates the IP header, as described in Section [5.2.2]. Note that IP reassembly is not done, except on IP fragments to be queued for local delivery in step (4). (3) The router performs most of the processing of any IP options. As described in Section [5.2.4], some IP options require additional processing after the routing decision has been made. (4) The router examines the destination IP address of the IP datagram, as described in Section [5.2.3], to determine how it should continue to process the IP datagram. There are three possibilities: + The IP datagram is destined for the router, and should be queued for local delivery, doing reassembly if needed. + The IP datagram is not destined for the router, and should be queued for forwarding. + The IP datagram should be queued for November 28, 1994 - 72 - forwarding, but (a copy) must also be queued for local delivery. Since the local delivery case is well-covered by [INTRO:2], the following assumes that the IP datagram was queued for forwarding. If the destination is an IP unicast address: (5) The forwarder determines the next hop IP address for the packet, usually by looking up the packet's destination in the router's routing table. This procedure is described in more detail in Section [5.2.4]. This procedure also decides which network interface should be used to send the packet. (6) The forwarder verifies that forwarding the packet is permitted. The source and destination addresses should be valid, as described in Section [5.3.7] and Section [5.3.4] If the router supports administrative constraints on forwarding, such as those described in Section [5.3.9], those constraints must be satisfied. (7) The forwarder decrements (by at least one) and checks the packet's TTL, as described in Section [5.3.1]. (8) The forwarder performs any IP option processing that could not be completed in step 3. (9) The forwarder performs any necessary IP fragmentation, as described in Section [4.2.2.7]. Since this step occurs after outbound interface selection (step 5), all fragments of the same datagram will be transmitted out the same interface. (10) The forwarder determines the Link Layer address of the packet's next hop. The mechanisms for doing this are Link Layer-dependent (see chapter 3). (11) The forwarder encapsulates the IP datagram (or November 28, 1994 - 73 - each of the fragments thereof) in an appropriate Link Layer frame and queues it for output on the interface selected in step 5. (12) The forwarder sends an ICMP redirect if necessary, as described in Section [4.3.3.2]. If the destination is an IP multicast, the following steps are taken. Note that the main differences between the forwarding of IP unicasts and the forwarding of IP multicasts are + IP multicasts are usually forwarded based on both the datagram's source and destination IP addresses, + IP multicast uses an expanding ring search, + IP multicasts are forwarded as Link Level multicasts, and + ICMP errors are never sent in response to IP multicast datagrams. Note that the forwarding of IP multicasts is still somewhat experimental. As a result, the algorithm presented below is not mandatory, and is provided as an example only. (5a) Based on the IP source and destination addresses found in the datagram header, the router determines whether the datagram has been received on the proper interface for forwarding. If not, the datagram is dropped silently. The method for determining the proper receiving interface depends on the multicast routing algorithm(s) in use. In one of the simplest algorithms, reverse path forwarding (RPF), the proper interface is the one that would be used to forward unicasts back to the datagram source. (6a) Based on the IP source and destination addresses November 28, 1994 - 74 - found in the datagram header, the router determines the datagram's outgoing interfaces. In order to implement IP multicast's expanding ring search (see [INTERNET:4]) a minimum TTL value is specified for each outgoing interface. A copy of the multicast datagram is forwarded out each outgoing interface whose minimum TTL value is less than or equal to the TTL value in the datagram header, by separately applying the remaining steps on each such interface. (7a) The router decrements the packet's TTL by one. (8a) The forwarder performs any IP option processing that could not be completed in step (3). (9a) The forwarder performs any necessary IP fragmentation, as described in Section [4.2.2.7]. (10a) The forwarder determines the Link Layer address to use in the Link Level encapsulation. The mechanisms for doing this are Link Layer- dependent. On LANs a Link Level multicast or broadcast is selected, as an algorithmic translation of the datagrams' class D destination address. See the various IP-over- xxx specifications for more details. (11a) The forwarder encapsulates the packet (or each of the fragments thereof) in an appropriate Link Layer frame and queues it for output on the appropriate interface. Before a router can process any IP packet, it MUST perform a the following basic validity checks on the packet's IP header to ensure that the header is meaningful. If the packet fails any of the following tests, it MUST be silently discarded, and the error SHOULD be logged. (1) The packet length reported by the Link Layer must be large enough to hold the minimum length legal IP datagram (20 bytes). November 28, 1994 - 75 - (2) The IP checksum must be correct. (3) The IP version number must be 4. If the version number is not 4 then the packet may well be another version of IP, such as ST-II. (4) The IP header length field must be at least 5. (5) The IP total length field must be at least 4 * IP header length field. A router MUST NOT have a configuration option which allows disabling any of these tests. If the packet passes the second and third tests, the IP header length field is at least 4, and both the IP total length field and the packet length reported by the Link Layer are at least 16 then, despite the above rule, the router MAY respond with an ICMP Parameter Problem message, whose pointer points at the IP header length field (if it failed the fourth test) or the IP total length field (if it failed the fifth test). However, it still MUST discard the packet and still SHOULD log the error. These rules (and this entire document) apply only to version 4 of the Internet Protocol. These rules should not be construed as prohibiting routers from supporting other versions of IP. Furthermore, if a router can truly classify a packet as being some other version of IP then it ought not treat that packet as an error packet within the context of this memo. IMPLEMENTATION: It is desirable for purposes of error reporting, though not always entirely possible, to determine why a header was invalid. There are four possible reasons: + The Link Layer truncated the IP header + The datagram is using a version of IP other than the standard one (version 4). + The IP header has been corrupted in transit. November 28, 1994 - 76 - + The sender generated an illegal IP header. It is probably desirable to perform the checks in the order listed, since we believe that this ordering is most likely to correctly categorize the cause of the error. For purposes of error reporting, it may also be desirable to check if a packet which fails these tests has an IP version number equal to 6. If it does, the packet is probably an ST-II datagram and should be treated as such. ST-II is described in [FORWARD:1]. Additionally, the router SHOULD verify that the packet length reported by the Link Layer is at least as large as the IP total length recorded in the packet's IP header. If it appears that the packet has been truncated, the packet MUST be discarded, the error SHOULD be logged, and the router SHOULD respond with an ICMP Parameter Problem message whose pointer points at the IP total length field. DISCUSSION: Because any higher layer protocol which concerns itself with data corruption will detect truncation of the packet data when it reaches its final destination, it is not absolutely necessary for routers to perform the check suggested above in order to maintain protocol correctness. However, by making this check a router can simplify considerably the task of determining which hop in the path is truncating the packets. It will also reduce the expenditure of resources down-stream from the router in that down-stream systems will not need to deal with the packet. Finally, if the destination address in the IP header is not one of the addresses of the router, the router SHOULD verify that the packet does not contain a Strict Source and Record Route option. If a packet fails this test, the router SHOULD log the error and SHOULD respond with an ICMP Parameter Problem error with the pointer pointing at the offending packet's IP destination address. DISCUSSION: November 28, 1994 - 77 - Some people might suggest that the router should respond with a Bad Source Route message instead of a Parameter Problem message. However, when a packet fails this test, it usually indicates a protocol error by the previous hop router, whereas Bad Source Route would suggest that the source host had requested a nonexistent or broken path through the network. When a router receives an IP packet, it must decide whether the packet is addressed to the router (and should be delivered locally) or the packet is addressed to another system (and should be handled by the forwarder). There is also a hybrid case, where certain IP broadcasts and IP multicasts are both delivered locally and forwarded. A router MUST determine which of the these three cases applies using the following rules. | + An unexpired source route option is one whose pointer value does not point past the last entry in the source route. If the packet contains an unexpired source route option, the pointer in the option is advanced until either the pointer does point past the last address in the option or else the next address is not one of the router's own addresses. In the latter (normal) case, the packet is forwarded (and not delivered locally) regardless of the rules below. + The packet is delivered locally and not considered for forwarding in the following cases: - The packet's destination address exactly matches one of the router's IP addresses, - The packet's destination address is a limited broadcast address ({-1, -1}), and - The packet's destination is an IP multicast address | which is never forwarded (such as 224.0.0.1 or | 224.0.0.2) and (at least) one of the logical interfaces associated with the physical interface on which the packet arrived is a member of the November 28, 1994 - 78 - destination multicast group. + The packet is passed to the forwarder AND delivered locally in the following cases: - The packet's destination address is an IP broadcast address that addresses at least one of the router's logical interfaces but does not address any of the logical interfaces associated with the physical interface on which the packet arrived - The packet's destination is an IP multicast address | which is permitted to be forwarded (unlike | 224.0.0.1 and 224.0.0.2) and (at least) one of the | logical interfaces associated with the physical | interface on which the packet arrived is a member | of the destination multicast group. + The packet is delivered locally if the packet's destination address is an IP broadcast address (other than a limited broadcast address) that addresses at least one of the logical interfaces associated with the physical interface on which the packet arrived. The packet is ALSO passed to the forwarder unless the link on which the packet arrived uses an IP encapsulation that does not encapsulate broadcasts differently than unicasts (e.g. by using different Link Layer destination addresses). + The packet is passed to the forwarder in all other cases. DISCUSSION: The purpose of the requirement in the last sentence of the fourth bullet is to deal with a directed | broadcast to another network prefix on the same physical cable. Normally, this works as expected: the sender sends the broadcast to the router as a Link Layer unicast. The router notes that it arrived as a unicast, and therefore must be destined for a | different network prefix than the sender sent it on. Therefore, the router can safely send it as a Link | Layer broadcast out the same (physical) interface over which it arrived. However, if the router can't tell whether the packet was received as a Link Layer November 28, 1994 - 79 - unicast, the sentence ensures that the router does the safe but wrong thing rather than the unsafe but right thing. IMPLEMENTATION: As described in Section [5.3.4], packets received as Link Layer broadcasts are generally not forwarded. It may be advantageous to avoid passing to the forwarder packets it would later discard because of the rules in that section. Some Link Layers (either because of the hardware or because of special code in the drivers) can deliver to the router copies of all Link Layer broadcasts and multicasts it transmits. Use of this feature can simplify the implementation of cases where a packet has to both be passed to the forwarder and delivered locally, since forwarding the packet will automatically cause the router to receive a copy of the packet that it can then deliver locally. One must use care in these circumstances in order to prevent treating a received loop-back packet as a normal packet that was received (and then being subject to the rules of forwarding, etc etc). Even in the absence of such a Link Layer, it is of course hardly necessary to make a copy of an entire packet in order to queue it both for forwarding and for local delivery, though care must be taken with fragments, since reassembly is performed on locally delivered packets but not on forwarded packets. One simple scheme is to associate a flag with each packet on the router's output queue which indicates whether it should be queued for local delivery after it has been sent. When a router is going to forward a packet, it must determine whether it can send it directly to its destination, or whether it needs to pass it through another router. If the latter, it needs to determine which router to use. This section explains how these determinations are made. November 28, 1994 - 80 - This section makes use of the following definitions: + LSRR - IP Loose Source and Record Route option + SSRR - IP Strict Source and Record Route option + Source Route Option - an LSRR or an SSRR + Ultimate Destination Address - where the packet is being sent to: the last address in the source route of a source-routed packet, or the destination address in the IP header of a non-source-routed packet + Adjacent - reachable without going through any IP routers + Next Hop Address - the IP address of the adjacent host or router to which the packet should be sent next + IP Destination Address - the ultimate destination | address, except in source routed packets, where it is the next address specified in the source route + Immediate Destination - the node, system, router, end-system, or whatever that is addressed by the IP | Destination Address. If the destination address in the IP header is one of | the addresses of the router and the packet contains a Source Route Option, the IP Destination Address is | the address pointed at by the pointer in that option | if the pointer does not point past the end of the | option. Otherwise, the IP Destination Address is the | same as the IP destination address in the IP header. A router MUST use the IP Destination Address, not the | Ultimate Destination Address, when determining how to handle a packet. It is an error for more than one source route option to appear in a datagram. If it receives one, it SHOULD discard the packet and reply with an ICMP Parameter Problem message whose pointer points at the November 28, 1994 - 81 - beginning of the second source route option. After it has been determined that the IP packet needs to be forwarded in accordance with the rules | specified in Section [5.2.3], the following algorithm | MUST be used to determine if the Immediate | Destination is directly accessible (see | [INTERNET:2]). | (1) For each network interface that has not been | assigned any IP address (the unnumbered lines as | described in Section [2.2.7]), compare the | router-id of the other end of the line to the IP | Destination Address. If they are exactly equal, the packet can be transmitted through this interface. DISCUSSION: In other words, the router or host at the remote end of the line is the destination of the packet or is the next step in the source route of a source routed packet. (2) If no network interface has been selected in the | first step, for each IP address assigned to the router: (a) isolate the network prefix used by the | interface. IMPLEMENTATION: The result of this operation will usually have been computed and saved during initialization. (b) Isolate the corresponding set of bits from | the IP Destination Address of the packet. (c) Compare the resulting network prefixes. If | they are equal to each other, the packet can be transmitted through the corresponding network interface. (3) If the destination was not the router-id of a | neighbor on an unnumbered interface and was a | November 28, 1994 - 82 - member of no directly connected network prefix, | the IP Destination is accessible only through | some other router. The selection of the router | and the next hop IP address is described in | Section [5.2.4.3]. In the case of a host that | is not also a router, this may be the configured | default router. | Ongoing work in the IETF [ARCH:9, NRHP] | considers some cases such as when multiple IP | (sub)networks are overlaid on the same link | layer network. Barring policy restrictions, | hosts and routers using a common link layer | network can directly communicate even if they | are not in the same IP (sub)network, if there is | adequate information present. The Next Hop | Routing Protocol (NHRP) enables IP entities to | determine the "optimal" link layer address to be | used to traverse such a link layer network | towards a remote destination. | (4) If the selected "next hop" is reachable through an | interface configured to use NHRP, then the | following additional steps apply: | (a) Compare the IP Destination Address to the | destination addresses in the NHRP cache. If | the address is in the cache, then send the | datagram to the corresponding cached link | layer address. | (b) If the address is not in the cache, then | construct an NHRP request packet containing | the IP Destination Address. This message is | sent to the NHRP server configured for that | interface. This may be a logically separate | process or entity in the router itself. | (c) The NHRP server will respond with the proper | link layer address to use in order to transmit | the datagram and subsequent datagrams to the | same destination. The system MAY transmit the | datagram(s) to the traditional "next hop" | router while awaiting the NHRP reply. EDITOR'S COMMENTS: | November 28, 1994 - 83 - Additional useful or interesting information from * RoNH has been extracted and placed into an appendix to this note. The router applies the algorithm in the previous section to determine if the IP Destination Address is | adjacent. If so, the next hop address is the same as | the IP Destination Address. Otherwise, the packet must be forwarded through another router to reach its Immediate Destination. The selection of this router is the topic of this section. If the packet contains an SSRR, the router MUST discard the packet and reply with an ICMP Bad Source Route error. Otherwise, the router looks up the IP | Destination Address in its routing table to determine | an appropriate next hop address. DISCUSSION: Per the IP specification, a Strict Source Route must specify a sequence of nodes through which the packet must traverse; the packet must go from one node of the source route to the next, traversing intermediate networks only. Thus, if the router is not adjacent to the next step of the source route, the source route can not be fulfilled. Therefore, the ICMP Bad Source Route error. The goal of the next-hop selection process is to examine the entries in the router's Forwarding Information Base (FIB) and select the best route (if there is one) for the packet from those available in the FIB. Conceptually, any route lookup algorithm starts out with a set of candidate routes which consists of the entire contents of the FIB. The algorithm consists of a series of steps which discard routes from the set. These steps are referred to as Pruning Rules. Normally, when the algorithm terminates there is exactly one route remaining in the set. If the set ever becomes empty, the packet is discarded because the destination is unreachable. It is also possible for the algorithm to terminate when more than one route remains in the set. In this case, the router November 28, 1994 - 84 - may arbitrarily discard all but one of them, or may perform "load-splitting" by choosing whichever of the routes has been least recently used. With the exception of rule 3 (Weak TOS), a router MUST use the following Pruning Rules when selecting a next hop for a packet. If a router does consider TOS when making next-hop decisions, the Rule 3 must be applied in the order indicated below. These rules MUST be (conceptually) applied to the FIB in the order that they are presented. (For some historical perspective, additional pruning rules, and other common algorithms in use, see Appendix E). DISCUSSION: Rule 3 is optional in that Section [5.3.2] says that a router only SHOULD consider TOS when making forwarding decisions. (1) Basic Match This rule discards any routes to destinations | other than the IP Destination Address of the | packet. For example, if a packet's IP | Destination Address is 36.144.2.5, this step | would discard a route to net 128.12.0.0/16 but | would retain any routes to the network prefixes | 36.0.0.0/8 and 36.144.0.0/16, and any default routes. More precisely, we assume that each route has a destination attribute, called route.dest, and a | corresponding prefix length, called | route.length, to specify which bits of route.dest are significant. The IP Destination | Address of the packet being forwarded is | ip.dest. This rule discards all routes from the set of candidate routes except those for which | the most significant route.length bits of | route.dest and ip.dest are equal. (2) Longest Match Longest Match is a refinement of Basic Match, described above. After Basic Match pruning is performed, the remaining routes are examined to November 28, 1994 - 85 - determine the maximum number of bits set in any | of their route.mask attributes.The step then | discards from the set of candidate routes any | routes which have fewer than that maximum number | of bits set in their route.mask attributes. For example, if a packet's IP Destination | Address is 36.144.2.5 and there are network | prefixes 36.144.2.0/24, 36.144.0.0/16, and | 36.0.0.0/8, then this rule would keep only the | first (36.144.2.0/24) because its prefix length | is longest. (3) Weak TOS Each route has a type of service attribute, called route.tos, whose possible values are assumed to be identical to those used in the TOS field of the IP header. Routing protocols which | distribute TOS information fill in route.tos | appropriately in routes they add to the FIB; routes from other routing protocols are treated as if they have the default TOS (0000). The TOS | field in the IP header of the packet being | routed is called ip.tos. The set of candidate routes is examined to determine if it contains any routes for which route.tos = ip.tos. If so, all routes except | those for which route.tos = ip.tos are discarded. If not, all routes except those for which route.tos = 0000 are discarded from the set of candidate routes. Additional discussion of routing based on Weak | TOS may be found in [ROUTE:11]. DISCUSSION: The effect of this rule is to select only those routes which have a TOS that matches the TOS requested in the packet. If no such routes exist then routes with the default TOS are considered. Routes with a non-default TOS that is not the TOS requested in the packet are never used, even if such routes are the only available routes that go to the November 28, 1994 - 86 - packet's destination. (4) Best Metric Each route has a metric attribute, called route.metric, and a routing domain identifier, | called route.domain. Each member of the set of candidate routes is compared with each other member of the set. If route.domain is equal for the two routes and route.metric is strictly inferior for one when compared with the other, then the one with the inferior metric is discarded from the set. The determination of inferior is usually by a simple arithmetic comparison, though some protocols may have structured metrics requiring more complex comparisons. (5) Vendor Policy Vendor Policy is sort of a catch-all to make up for the fact that the previously listed rules are often inadequate to chose from among the possible routes. Vendor Policy pruning rules are extremely vendor-specific. See section [5.2.4.4]. This algorithm has two distinct disadvantages. Presumably, a router implementor might develop techniques to deal with these disadvantages and make them a part of the Vendor Policy pruning rule. (1) IS-IS and OSPF route classes are not directly handled. (2) Path properties other than type of service (e.g. MTU) are ignored. It is also worth noting a deficiency in the way that TOS is supported: routing protocols which support TOS are implicitly preferred when forwarding packets which have non-zero TOS values. The Basic Match and Longest Match pruning rules generalize the treatment of a number of particular types of routes. These routes are selected in the following, decreasing, order of preference: November 28, 1994 - 87 - (1) Host Route: This is a route to a specific end system. (2) Hierarchical Network Prefix Routes: This is a | route to a particular network prefix. Note that | the FIB may contain several routes to network | prefixes that subsume each other (one prefix is | the other prefix with additional bits). These | are selected in order of decreasing prefix | length. (5) Default Route: This is a route to all networks | for which there are no explicit routes. It is | by definition the route whose prefix length is | zero. If, after application of the pruning rules, the set of routes is empty (i.e., no routes were found), the packet MUST be discarded and an appropriate ICMP error generated (ICMP Bad Source Route if the IP | Destination Address came from a source route option; otherwise, whichever of ICMP Destination Host Unreachable or Destination Network Unreachable is appropriate, as described in Section [4.3.3.1]). One suggested mechanism for the Vendor Policy Pruning Rule is to use administrative preference. Each route has associated with it a preference value, | based on various attributes of the route (specific | mechanisms for assignment of preference values are | suggested below). This preference value is an integer in the range [0..255], with zero being the most preferred and 254 being the least preferred. 255 is a special value that means that the route should never be used. The first step in the Vendor Policy pruning rule discards all but the most preferable routes (and always discards routes whose preference value is 255). This policy is not safe in that it can easily be misused to create routing loops. Since no protocol ensures that the preferences configured for a router are consistent with the preferences configured in its November 28, 1994 - 88 - neighbors, network managers must exercise care in configuring preferences. + Address Match It is useful to be able to assign a single preference value to all routes (learned from the same routing domain) to any of a specified set of destinations, where the set of destinations is all destinations that match a specified network | prefix. + Route Class For routing protocols which maintain the distinction, it is useful to be able to assign a single preference value to all routes (learned from the same routing domain) which have a particular route class (intra-area, inter-area, external with internal metrics, or external with external metrics). + Interface It is useful to be able to assign a single preference value to all routes (learned from a particular routing domain) that would cause packets to be routed out a particular logical interface on the router (logical interfaces generally map one-to-one onto the router's network interfaces, except that any network interface which has multiple IP addresses will have multiple logical interfaces associated with it). + Source router It is useful to be able to assign a single preference value to all routes (learned from the same routing domain) which were learned from any of a set of routers, where the set of routers are those whose updates have a source address which | match a specified network prefix. + Originating AS For routing protocols which provide the information, it is useful to be able to assign a single preference value to all routes (learned from a particular routing domain) which originated in another particular routing domain. For BGP November 28, 1994 - 89 - routes, the originating AS is the first AS listed in the route's AS_PATH attribute. For OSPF external routes, the originating AS may be considered to be the low order 16 bits of the route's external route tag if the tag's Automatic bit is set and the tag's PathLength is not equal to 3. + External route tag It is useful to be able to assign a single preference value to all OSPF external routes (learned from the same routing domain) whose external route tags match any of a list of specified values. Because the external route tag may contain a structured value, it may be useful to provide the ability to match particular subfields of the tag. + AS path It may be useful to be able to assign a single preference value to all BGP routes (learned from the same routing domain) whose AS path "matches" any of a set of specified values. It is not yet clear exactly what kinds of matches are most useful. A simple option would be to allow matching of all routes for which a particular AS number appears (or alternatively, does not appear) anywhere in the route's AS_PATH attribute. A more general but somewhat more difficult alternative would be to allow matching all routes for which the AS path matches a specified regular expression. At the end of the Next-hop selection process, multiple routes may still remain. A router has several options when this occurs. It may arbitrarily discard some of the routes. It may reduce the number of candidate routes by comparing metrics of routes from routing domains which are not considered equivalent. It may retain more than one route and employ a load-splitting mechanism to divide traffic among them. Perhaps the only thing that can be said about the relative merits of the options is that load-splitting is useful in some situations but not November 28, 1994 - 90 - in others, so a wise implementor who implements load-splitting will also provide a way for the network manager to disable it. The IP header contains several reserved bits, in the Type of Service field and in the Flags field. Routers MUST NOT drop packets merely because one or more of these reserved bits has a non-zero value. Routers MUST ignore and MUST pass through unchanged the values of these reserved bits. If a router fragments a packet, it MUST copy these bits into each fragment. DISCUSSION: Future revisions to the IP protocol may make use of these unused bits. These rules are intended to ensure that these revisions can be deployed without having to simultaneously upgrade all routers in the Internet. As was discussed in Section [4.2.2.7], a router MUST support IP fragmentation. A router MUST NOT reassemble any datagram before forwarding it. DISCUSSION: A few people have suggested that there might be some topologies where reassembly of transit datagrams by routers might improve performance. In general, however, the fact that fragments may take different paths to the destination precludes safe use of such a feature. Nothing in this section should be construed to control or limit fragmentation or reassembly performed as a link layer function by the router. General requirements for ICMP were discussed in Section [4.3]. This section discusses ICMP messages which are November 28, 1994 - 91 - sent only by routers. The ICMP Destination Unreachable message is sent by a router in response to a packet which it cannot forward because the destination (or next hop) is unreachable or a service is unavailable A router MUST be able to generate ICMP Destination Unreachable messages and SHOULD choose a response code that most closely matches the reason why the message is being generated. The following codes are defined in [INTERNET:8] and [INTRO:2]: 0 = Network Unreachable - generated by a router if a forwarding path (route) to the destination network is not available; 1 = Host Unreachable - generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available; 2 = Protocol Unreachable - generated if the transport protocol designated in a datagram is not supported in the transport layer of the final destination; 3 = Port Unreachable - generated if the designated transport protocol (e.g. UDP) is unable to demultiplex the datagram in the transport layer of the final destination but has no protocol mechanism to inform the sender; 4 = Fragmentation Needed and DF Set - generated if a router needs to fragment a datagram but cannot since the DF flag is set; 5 = Source Route Failed - generated if a router cannot forward a packet to the next hop in a source route option; 6 = Destination Network Unknown - This code SHOULD November 28, 1994 - 92 - NOT be generated since it would imply on the part of the router that the destination network does not exist (net unreachable code 0 SHOULD be used in place of code 6); 7 = Destination Host Unknown - generated only when a router can determine (from link layer advice) that the destination host does not exist; 11 = Network Unreachable For Type Of Service - generated by a router if a forwarding path (route) to the destination network with the requested or default TOS is not available; 12 = Host Unreachable For Type Of Service - generated if a router cannot forward a packet because its route(s) to the destination do not match either the TOS requested in the datagram or the default TOS (0). The following additional codes are hereby defined: 13 = Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering; 14 = Host Precedence Violation. Sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port; 15 = Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, the datagram was sent with a precedence below this level; NOTE: [INTRO:2] defined Code 8 for source host isolated. Routers SHOULD NOT generate Code 8; whichever of Codes 0 (Network Unreachable) and 1 (Host Unreachable) is appropriate SHOULD be used instead. [INTRO:2] also defined Code 9 for communication with destination network administratively prohibited and Code 10 for November 28, 1994 - 93 - communication with destination host administratively prohibited. These codes were intended for use by end-to-end encryption devices used by U.S military agencies. Routers SHOULD use the newly defined Code 13 (Communication Administratively Prohibited) if they administratively filter packets. Routers MAY have a configuration option that causes Code 13 (Communication Administratively Prohibited) messages not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet which is dropped because its forwarding is administratively prohibited. Similarly, routers MAY have a configuration option that causes Code 14 (Host Precedence Violation) and Code 15 (Precedence Cutoff in Effect) messages not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet which is dropped because of a precedence violation. Routers MUST use Host Unreachable or Destination Host Unknown codes whenever other hosts on the same destination network might be reachable; otherwise, the source host may erroneously conclude that all hosts on the network are unreachable, and that may not be the case. [INTERNET:14] describes a slight modification the form of Destination Unreachable messages containing Code 4 (Fragmentation needed and DF set). A router MUST use this modified form when originating Code 4 Destination Unreachable messages. The ICMP Redirect message is generated to inform a | local host the it should use a different next hop | router for a certain class of traffic. Routers MUST NOT generate the Redirect for Network or Redirect for Network and Type of Service messages | (Codes 0 and 2) specified in [INTERNET:8]. Routers | MUST be able to generate the Redirect for Host | message (Code 1) and SHOULD be able to generate the | Redirect for Type of Service and Host message (Code | November 28, 1994 - 94 - 3) specified in [INTERNET:8]. DISCUSSION: If the directly-connected network is not subnetted | (in the classical sense), a router can normally generate a network Redirect which applies to all hosts on a specified remote network. Using a network rather than a host Redirect may economize slightly on network traffic and on host routing table storage. However, the savings are not significant, and subnets create an ambiguity about the subnet mask to be used to interpret a network Redirect. In a CIDR environment, it is difficult | to specify precisely the cases in which network Redirects can be used. Therefore, routers must | send only host (or host and type of service) Redirects. A Code 3 (Redirect for Host and Type of Service) message is generated when the packet provoking the redirect has a destination for which the path chosen by the router would depend (in part) on the TOS requested. Routers which can generate Code 3 redirects (Host and Type of Service) MUST have a configuration option (which defaults to on) to enable Code 1 (Host) redirects to be substituted for Code 3 redirects. A router MUST send a Code 1 Redirect in place of a Code 3 Redirect if it has been configured to do so. If a router is not able to generate Code 3 Redirects then it MUST generate Code 1 Redirects in situations where a Code 3 Redirect is called for. Routers MUST NOT generate a Redirect Message unless all of the following conditions are met: + The packet is being forwarded out the same physical interface that it was received from, + The IP source address in the packet is on the same Logical IP (sub)network as the next-hop IP address, and November 28, 1994 - 95 - + The packet does not contain an IP source route option. The source address used in the ICMP Redirect MUST belong to the same logical (sub)net as the destination address. A router using a routing protocol (other than static routes) MUST NOT consider paths learned from ICMP Redirects when forwarding a packet. If a router is not using a routing protocol, a router MAY have a configuration which, if set, allows the router to consider routes learned via ICMP Redirects when forwarding packets. DISCUSSION: ICMP Redirect is a mechanism for routers to convey routing information to hosts. Routers use other mechanisms to learn routing information, and therefore have no reason to obey redirects. Believing a redirect which contradicted the router's other information would likely create routing loops. On the other hand, when a router is not acting as a router, it MUST comply with the behavior required of a host. A router MUST generate a Time Exceeded message Code 0 (In Transit) when it discards a packet due to an expired TTL field. A router MAY have a per-interface option to disable origination of these messages on that interface, but that option MUST default to allowing the messages to be originated. IGMP [INTERNET:4] is a protocol used between hosts and multicast routers on a single physical network to establish hosts' membership in particular multicast groups. Multicast routers use this information, in conjunction with a multicast routing protocol, to support IP multicast forwarding across the Internet. November 28, 1994 - 96 - A router SHOULD implement the multicast router part of IGMP. The Time-to-Live (TTL) field of the IP header is defined to be a timer limiting the lifetime of a datagram. It is an 8-bit field and the units are seconds. Each router (or other module) that handles a packet MUST decrement the TTL by at least one, even if the elapsed time was much less than a second. Since this is very often the case, the TTL is effectively a hop count limit on how far a datagram can propagate through the Internet. When a router forwards a packet, it MUST reduce the TTL by at least one. If it holds a packet for more than one second, it MAY decrement the TTL by one for each second. If the TTL is reduced to zero (or less), the packet MUST be discarded, and if the destination is not a multicast address the router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded in Transit) message to the source. Note that a router MUST NOT discard an IP unicast or broadcast packet with a non-zero TTL merely because it can predict that another router on the path to the packet's final destination will decrement the TTL to zero. However, a router MAY do so for IP multicasts, in order to more efficiently implement IP multicast's expanding ring search algorithm (see [INTERNET:4]). DISCUSSION: The IP TTL is used, somewhat schizophrenically, as both a hop count limit and a time limit. Its hop count function is critical to ensuring that routing problems can't melt down the network by causing packets to loop infinitely in the network. The time limit function is used by transport protocols such as TCP to ensure reliable data transfer. Many current implementations treat TTL as a pure hop count, and in parts of the Internet community there is a strong sentiment that the time limit function should instead be performed by the transport protocols that need it. November 28, 1994 - 97 - In this specification, we have reluctantly decided to follow the strong belief among the router vendors that the time limit function should be optional. They argued that implementation of the time limit function is difficult enough that it is currently not generally done. They further pointed to the lack of documented cases where this shortcut has caused TCP to corrupt data (of course, we would expect the problems created to be rare and difficult to reproduce, so the lack of documented cases provides little reassurance that there haven't been a number of undocumented cases). IP multicast notions such as the expanding ring search may not work as expected unless the TTL is treated as a pure hop count. The same thing is somewhat true of traceroute. ICMP Time Exceeded messages are required because the traceroute diagnostic tool depends on them. Thus, the tradeoff is between severely crippling, if not eliminating, two very useful tools vs. a very rare and transient data transport problem (which may not occur at all). The Type-of-Service byte in the IP header is divided into three sections: the Precedence field (high-order 3 bits), a field that is customarily called Type of Service or "TOS (next 4 bits), and a reserved bit (the low order bit). Rules governing the reserved bit were described in Section [4.2.2.3]. The Precedence field will be discussed in Section [5.3.3]. A more extensive discussion of the TOS field and its use can be found in [ROUTE:11]. A router SHOULD consider the TOS field in a packet's IP header when deciding how to forward it. The remainder of this section describes the rules that apply to routers that conform to this requirement. A router MUST maintain a TOS value for each route in its routing table. Routes learned via a routing protocol November 28, 1994 - 98 - which does not support TOS MUST be assigned a TOS of zero (the default TOS). To choose a route to a destination, a router MUST use an algorithm equivalent to the following: (1) The router locates in its routing table all available routes to the destination (see Section [5.2.4]). (2) If there are none, the router drops the packet because the destination is unreachable. See section [5.2.4]. (3) If one or more of those routes have a TOS that exactly matches the TOS specified in the packet, the router chooses the route with the best metric. (4) Otherwise, the router repeats the above step, except looking at routes whose TOS is zero. (5) If no route was chosen above, the router drops the packet because the destination is unreachable. The router returns an ICMP Destination Unreachable error specifying the appropriate code: either Network Unreachable with Type of Service (code 11) or Host Unreachable with Type of Service (code 12). DISCUSSION: Although TOS has been little used in the past, its use by hosts is now mandated by the Requirements for Internet Hosts RFCs ([INTRO:2] and [INTRO:3]). Support for TOS in routers may become a MUST in the future, but is a SHOULD for now until we get more experience with it and can better judge both its benefits and its costs. Various people have proposed that TOS should affect other aspects of the forwarding function. For example: (1) A router could place packets which have the Low Delay bit set ahead of other packets in its output queues. November 28, 1994 - 99 - (2) a router is forced to discard packets, it could try to avoid discarding those which have the High Reliability bit set. These ideas have been explored in more detail in [INTERNET:17] but we don't yet have enough experience with such schemes to make requirements in this area. This section specifies requirements and guidelines for appropriate processing of the IP Precedence field in routers. Precedence is a scheme for allocating resources in the network based on the relative importance of different traffic flows. The IP specification defines specific values to be used in this field for various types of traffic. The basic mechanisms for precedence processing in a router are preferential resource allocation, including both precedence-ordered queue service and precedence- based congestion control, and selection of Link Layer priority features. The router also selects the IP precedence for routing, management and control traffic it originates. For a more extensive discussion of IP Precedence and its implementation see [FORWARD:6]. Precedence-ordered queue service, as discussed in this section, includes but is not limited to the queue for the forwarding process and queues for outgoing links. It is intended that a router supporting precedence should also use the precedence indication at whatever points in its processing are concerned with allocation of finite resources, such as packet buffers or Link Layer connections. The set of such points is implementation-dependent. DISCUSSION: Although the Precedence field was originally provided for use in DOD systems where large traffic surges or major damage to the network are viewed as inherent threats, it has useful applications for many non- military IP networks. Although the traffic handling capacity of networks has grown greatly in recent years, the traffic generating ability of the users November 28, 1994 - 100 - has also grown, and network overload conditions still occur at times. Since IP-based routing and management protocols have become more critical to the successful operation of the Internet, overloads present two additional risks to the network: (1) High delays may result in routing protocol packets being lost. This may cause the routing | protocol to falsely deduce a topology (2) High delays may interfere with the use of network management tools to analyze and perhaps correct or relieve the problem in the network that caused the overload condition to occur. Implementation and appropriate use of the Precedence mechanism alleviates both of these problems. Routers SHOULD implement precedence-ordered queue service. Precedence-ordered queue service means that when a packet is selected for output on a (logical) link, the packet of highest precedence that has been queued for that link is sent. Routers that implement precedence-ordered queue service MUST also have a configuration option to suppress precedence-ordered queue service in the Internet Layer. Any router MAY implement other policy-based throughput management procedures that result in other than strict precedence ordering, but it MUST be configurable to suppress them (i.e., use strict ordering). As detailed in Section [5.3.6], routers that implement precedence-ordered queue service discard low precedence packets before discarding high precedence packets for congestion control purposes. Preemption (interruption of processing or transmission of a packet) is not envisioned as a function of the Internet Layer. Some protocols at other layers may provide preemption features. November 28, 1994 - 101 - Routers that implement precedence-ordered queueing MUST IMPLEMENT, and other routers SHOULD IMPLEMENT, Lower Layer Precedence Mapping. A router which implements Lower Layer Precedence Mapping: + MUST be able to map IP Precedence to Link Layer priority mechanisms for link layers that have such a feature defined. + MUST have a configuration option to select the Link Layer's default priority treatment for all IP traffic + SHOULD be able to configure specific nonstandard mappings of IP precedence values to Link Layer priority values for each interface. DISCUSSION: Some research questions the workability of the priority features of some Link Layer protocols, and some networks may have faulty implementations of the link layer priority mechanism. It seems prudent to provide an escape mechanism in case such problems show up in a network. On the other hand, there are proposals to use novel queueing strategies to implement special services such as low-delay service. Special services and queueing strategies to support them need further research and experimentation before they are put into widespread use in the Internet. Since these requirements are intended to encourage (but not force) the use of precedence features in the hope of providing better Internet service to all users, routers supporting precedence-ordered queue service should default to maintaining strict precedence ordering regardless of the type of service requested. Implementors may wish to consider that correct link layer mapping of IP precedence is required by DOD policy for TCP/IP systems used on DOD networks. November 28, 1994 - 102 - A router (whether or not it employs precedence- ordered queue service): (1) MUST accept and process incoming traffic of all precedence levels normally, unless it has been administratively configured to do otherwise. (2) MAY implement a validation filter to administratively restrict the use of precedence levels by particular traffic sources. If provided, this filter MUST NOT filter out or cut off the following sorts of ICMP error messages: Destination Unreachable, Redirect, Time Exceeded, and Parameter Problem. If this filter is provided, the procedures required for packet filtering by addresses are required for this filter also. DISCUSSION: Precedence filtering should be applicable to specific source/destination IP Address pairs, specific protocols, specific ports, and so on. An ICMP Destination Unreachable message with code 14 SHOULD be sent when a packet is dropped by the validation filter, unless this has been suppressed by configuration choice. (3) MAY implement a cutoff function which allows the router to be set to refuse or drop traffic with precedence below a specified level. This function may be activated by management actions or by some implementation dependent heuristics, but there MUST be a configuration option to disable any heuristic mechanism that operates without human intervention. An ICMP Destination Unreachable message with code 15 SHOULD be sent when a packet is dropped by the cutoff function, unless this has been suppressed by configuration choice. A router MUST NOT refuse to forward datagrams with IP precedence of 6 (Internetwork Control) or 7 (Network Control) solely due to precedence November 28, 1994 - 103 - cutoff. However, other criteria may be used in conjunction with precedence cutoff to filter high precedence traffic. DISCUSSION: Unrestricted precedence cutoff could result in an unintentional cutoff of routing and control traffic. In general, host traffic should be restricted to a value of 5 (CRITIC/ECP) or below although this is not a requirement and may not be valid in certain systems. (4) MUST NOT change precedence settings on packets it did not originate. (5) SHOULD be able to configure distinct precedence values to be used for each routing or management protocol supported (except for those protocols, such as OSPF, which specify which precedence value must be used). (6) MAY be able to configure routing or management traffic precedence values independently for each peer address. (7) MUST respond appropriately to Link Layer precedence-related error indications where provided. An ICMP Destination Unreachable message with code 15 SHOULD be sent when a packet is dropped because a link cannot accept it due to a precedence-related condition, unless this has been suppressed by configuration choice. DISCUSSION: The precedence cutoff mechanism described in (3) is somewhat controversial. Depending on the topological location of the area affected by the cutoff, transit traffic may be directed by routing protocols into the area of the cutoff, where it will be dropped. This is only a problem if another path which is unaffected by the cutoff exists between November 28, 1994 - 104 - the communicating points. Proposed ways of avoiding this problem include providing some minimum bandwidth to all precedence levels even under overload conditions, or propagating cutoff information in routing protocols. In the absence of a widely accepted (and implemented) solution to this problem, great caution is recommended in activating cutoff mechanisms in transit networks. A transport layer relay could legitimately provide the function prohibited by (4) above. Changing precedence levels may cause subtle interactions with TCP and perhaps other protocols; a correct design is a non-trivial task. The intent of (5) and (6) (and the discussion of IP Precedence in ICMP messages in Section [4.3.2]) is that the IP precedence bits should be appropriately set, whether or not this router acts upon those bits in any other way. We expect that in the future specifications for routing protocols and network management protocols will specify how the IP Precedence should be set for messages sent by those protocols. The appropriate response for (7) depends on the link layer protocol in use. Typically, the router should stop trying to send offensive traffic to that destination for some period of time, and should return an ICMP Destination Unreachable message with code 15 (service not available for precedence requested) to the traffic source. It also should not try to reestablish a preempted Link Layer connection for some period of time. The encapsulation of IP packets in most Link Layer protocols (except PPP) allows a receiver to distinguish November 28, 1994 - 105 - broadcasts and multicasts from unicasts simply by examining the Link Layer protocol headers (most commonly, the Link Layer destination address). The rules in this section which refer to Link Layer broadcasts apply only to Link Layer protocols which allow broadcasts to be distinguished; likewise, the rules which refer to Link Layer multicasts apply only to Link Layer protocols which allow multicasts to be distinguished. A router MUST NOT forward any packet which the router received as a Link Layer broadcast, unless it is | directed to an IP Multicast address. In this latter | case, one would presume that link layer broadcast was | used due to the lack of an effective multicast service. | A router MUST NOT forward any packet which the router received as a Link Layer multicast unless the packet's destination address is an IP multicast address. A router SHOULD silently discard a packet that is received via a Link Layer broadcast but does not specify an IP multicast or IP broadcast destination address. When a router sends a packet as a Link Layer broadcast, the IP destination address MUST be a legal IP broadcast or IP multicast address. There are two major types of IP broadcast addresses; limited broadcast and directed broadcast. In addition, there are three subtypes of directed broadcast; a | broadcast directed to a specified network prefix, a broadcast directed to a specified subnetwork, and a broadcast directed to all subnets of a specified network. Classification by a router of a broadcast into one of these categories depends on the broadcast address and on the router's understanding (if any) of the subnet structure of the destination network. The same broadcast will be classified differently by different routers. A limited IP broadcast address is defined to be all- ones: { -1, -1 } or 255.255.255.255. A net-directed or subnet-directed broadcast is composed | November 28, 1994 - 106 - of the network prefix of the IP address with a local | part of all-ones or { , -1 }. For example, a Class A net broadcast address is | net.255.255.255, a Class B net broadcast address is net.net.255.255 and a Class C net broadcast address is net.net.net.255 where net is a byte of the network address. The all-subnets-directed-broadcast is not well defined | in a CIDR environment, and was deprecated in version 1 | of this memo. As was described in Section [4.2.3.1], a router may * encounter certain non-standard IP broadcast addresses: + 0.0.0.0 is an obsolete form of the limited broadcast address + { , 0 } is an obsolete form of a | net-directed broadcast address. As was described in that section, packets addressed to any of these addresses SHOULD be silently discarded, but if they are not, they MUST be treated in accordance with the same rules that apply to packets addressed to the non-obsolete forms of the broadcast addresses described above. These rules are described in the next few sections. Limited broadcasts MUST NOT be forwarded. Limited broadcasts MUST NOT be discarded. Limited broadcasts MAY be sent and SHOULD be sent instead of directed broadcasts where limited broadcasts will suffice. DISCUSSION: Some routers contain UDP servers which function by resending the requests (as unicasts or directed broadcasts) to other servers. This requirement should not be interpreted as prohibiting such servers. Note, however, that such servers can easily cause packet looping if misconfigured. Thus, providers of such servers would probably be well-advised to document their setup carefully and to consider carefully the TTL on packets which are November 28, 1994 - 107 - sent. A router MUST classify as net-directed broadcasts all | valid, directed broadcasts destined for a remote network or an attached nonsubnetted network. A router MUST forward net-directed broadcasts. Net- directed broadcasts MAY be sent. A router MAY have an option to disable receiving net-directed broadcasts on an interface and MUST have an option to disable forwarding net-directed broadcasts. These options MUST default to permit receiving and forwarding net-directed broadcasts. DISCUSSION: There has been some debate about forwarding or not forwarding directed broadcasts. In this memo we have made the forwarding decision depend on the router's knowledge of the destination network | prefix. In general, routers cannot determine that | a message is unicast or directed broadcast apart | from this knowledge. The decision to forward or | not forward the message is by definition only | possible in the last hop router. The first version of this memo described an algorithm | for distributing a directed broadcast to all of the | subnets of a classical network number. This | algorithm was stated to be "broken," and certain | failure cases were specified. In a CIDR routing domain, wherein classical IP | network numbers are meaningless, the concept of an | all-subnets-directed-broadcast is also meaningless. | To the knowledge of the working group, the facility | was never implemented or deployed, and is now | relegated to the dustbin of history. * The first version of this memo spelled out procedures | for dealing with subnet-directed-broadcasts. In a | November 28, 1994 - 108 - CIDR routing domain, these are indistinguishable from | net-drected-broadcasts. The two are therefore | treated togeth in section [5.3.5.2 Directed | Broadcasts]. Congestion in a network is loosely defined as a condition where demand for resources (usually bandwidth or CPU time) exceeds capacity. Congestion avoidance tries to prevent demand from exceeding capacity, while congestion recovery tries to restore an operative state. It is possible for a router to contribute to both of these mechanisms. A great deal of effort has been spent studying the problem. The reader is encouraged to read | [FORWARD:2] for a survey of the work. Important papers | on the subject include [FORWARD:3], [FORWARD:4], [FORWARD:5], [FORWARD:10], [FORWARD:11], [FORWARD:12], | [FORWARD:13], [FORWARD:14], and [INTERNET:10], among others. The amount of storage that router should have available to handle peak instantaneous demand when hosts use reasonable congestion policies, such as described in [FORWARD:5], is a function of the product of the bandwidth of the link times the path delay of the flows using the link, and therefore storage should increase as this Bandwidth*Delay product increases. The exact function relating storage capacity to probability of discard is not known. When a router receives a packet beyond its storage capacity it must (by definition, not by decree) discard it or some other packet or packets. Which packet to discard is the subject of much study but, unfortunately, little agreement so far. A router MAY discard the packet it has just received; this is the simplest but not the best policy. Ideally, | the router should select a packet from one of the | sessions most heavily abusing the link, given that the | applicable Quality of Service policy permits this. A | recommended policy in datagram environments is to | discard a packet randomly selected from the queue (see | [FORWARD:2]). A router MAY use this Random Drop algorithm to determine which packet to discard. November 28, 1994 - 109 - If a router implements a discard policy (such as Random Drop) under which it chooses a packet to discard from among a pool of eligible packets: + If precedence-ordered queue service (described in | Section [5.3.3.1]) is implemented and enabled, the | router MUST NOT discard a packet whose IP precedence | is higher than that of a packet which is not | discarded. + A router MAY protect packets whose IP headers request | the maximize reliability TOS, except where doing so | would be in violation of the previous rule. + A router MAY protect fragmented IP packets, on the | theory that dropping a fragment of a datagram may | increase congestion by causing all fragments of the | datagram to be retransmitted by the source. + To help prevent routing perturbations or disruption | of management functions, the router MAY protect packets used for routing control, link control, or network management from being discarded. Dedicated routers (i.e.. routers which are not also general purpose hosts, terminal servers, etc.) can achieve an approximation of this rule by protecting packets whose source or destination is the router itself. Advanced methods of congestion control include a notion of fairness, so that the 'user' that is penalized by losing a packet is the one that contributed the most to the congestion. No matter what mechanism is implemented to deal with bandwidth congestion control, it is important that the CPU effort expended be sufficiently small that the router is not driven into CPU congestion also. As described in Section [4.3.3.3], this document | recommends that a router SHOULD NOT send a Source Quench to the sender of the packet that it is discarding. ICMP Source Quench is a very weak mechanism, so it is not necessary for a router to send it, and host software should not use it exclusively as an indicator of congestion. November 28, 1994 - 110 - An IP source address is invalid if it is an IP broadcast address or is not a class A, B, or C address. An IP destination address is invalid if it is not a class A, B, C, or D address. A router SHOULD NOT forward any packet which has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loopback interface, any packet which has a source address on network 127. A router MAY have a switch which allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks. A router SHOULD NOT forward any packet which has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loopback interface, any packet which has a destination address on network 127. A router MAY have a switch which allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks. If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the Link Layer address of the host or router from which the packet was received. A router SHOULD IMPLEMENT the ability to filter traffic based on a comparison of the source address of a packet and the forwarding table for a logical interface on which the packet was received. If this filtering is enabled, the router MUST silently discard a packet if the interface on which the packet was received is not the interface on which a packet would be forwarded to reach the address contained in the source address. In simpler terms, if a router wouldn't route a packet containing this address through a particular interface, it shouldn't believe the address if it appears as a source address in a packet read from this interface. November 28, 1994 - 111 - If this feature is implemented, it MUST be disabled by default. DISCUSSION: This feature can provide useful security improvements in some situations, but can erroneously discard valid packets in situations where paths are asymmetric. As a means of providing security and/or limiting traffic through portions of a network a router SHOULD provide the ability to selectively forward (or filter) packets. If this capability is provided, filtering of packets MUST be configurable either to forward all packets or to | selectively forward them based upon the source and | destination prefixes. Each source and destination address SHOULD allow specification of an arbitrary | prefix length. If supported, a router MUST be configurable to allow one of an + Include list - specification of a list of network | prefix pairs to be forwarded, or an + Exclude list - specification of a list of network | prefix pairs NOT to be forwarded. A router MAY provide a configuration switch which allows a choice between specifying an include or an exclude | list, or other equivalent controls. A value matching any address (e.g. a keyword any, an | address with a mask of all 0's, or a network prefix | whose length is zero) MUST be allowed as a source and/or destination address. In addition to address pairs, the router MAY allow any combination of transport and/or application protocol and source and destination ports to be specified. The router MUST allow packets to be silently discarded (i.e.. discarded without an ICMP error message being November 28, 1994 - 112 - sent). The router SHOULD allow an appropriate ICMP unreachable message to be sent when a packet is discarded. The ICMP message SHOULD specify Communication Administratively Prohibited (code 13) as the reason for the destination being unreachable. The router SHOULD allow the sending of ICMP destination unreachable messages (code 13) to be configured for each combination of address pairs, protocol types, and ports it allows to be specified. The router SHOULD count and SHOULD allow selective logging of packets not forwarded. An IP router SHOULD support forwarding of IP multicast packets, based either on static multicast routes or on routes dynamically determined by a multicast routing protocol (e.g., DVMRP [ROUTE:9]). A router that forwards IP multicast packets is called a multicast router. For each physical interface, a router SHOULD have a configuration option which specifies whether forwarding is enabled on that interface. When forwarding on an interface is disabled, the router: + MUST silently discard any packets which are received on that interface but are not addressed to the router + MUST NOT send packets out that interface, except for datagrams originated by the router + MUST NOT announce via any routing protocols the availability of paths through the interface DISCUSSION: This feature allows the network manager to essentially turn off an interface but leaves it accessible for network management. Ideally, this control would apply to logical rather November 28, 1994 - 113 - than physical interfaces, but cannot because there is no known way for a router to determine which logical interface a packet arrived on when there is not a one-to-one correspondence between logical and physical interfaces. During the course of router operation, interfaces may fail or be manually disabled, or may become available for use by the router. Similarly, forwarding may be disabled for a particular interface or for the entire router or may be (re)enabled. While such transitions are (usually) uncommon, it is important that routers handle them correctly. When a router ceases forwarding it MUST stop advertising all routes, except for third party routes. It MAY continue to receive and use routes from other routers in its routing domains. If the forwarding database is retained, the router MUST NOT cease timing the routes in the forwarding database. If routes that have been received from other routers are remembered, the router MUST NOT cease timing the routes which it has remembered. It MUST discard any routes whose timers expire while forwarding is disabled, just as it would do if forwarding were enabled. DISCUSSION: When a router ceases forwarding, it essentially ceases being a router. It is still a host, and must follow all of the requirements of Host Requirements [INTRO: 2]. The router may still be a passive member of one or more routing domains, however. As such, it is allowed to maintain its forwarding database by listening to other routers in its routing domain. It may not, however, advertise any of the routes in its forwarding database, since it itself is doing no forwarding. The only exception to this rule is when the router is advertising a route which uses only some other router, but which this router has been asked to advertise. November 28, 1994 - 114 - A router MAY send ICMP destination unreachable (host unreachable) messages to the senders of packets that it is unable to forward. It SHOULD NOT send ICMP redirect messages. DISCUSSION: Note that sending an ICMP destination unreachable (host unreachable) is a router action. This message should not be sent by hosts. This exception to the rules for hosts is allowed so that packets may be rerouted in the shortest possible time, and so that black holes are avoided. When a router begins forwarding, it SHOULD expedite the sending of new routing information to all routers with which it normally exchanges routing information. If an interface fails or is disabled a router MUST remove and stop advertising all routes in its forwarding database which make use of that interface. It MUST disable all static routes which make use of that interface. If other routes to the same destination and TOS are learned or remembered by the router, the router MUST choose the best alternate, and add it to its forwarding database. The router SHOULD send ICMP destination unreachable or ICMP redirect messages, as appropriate, in reply to all packets which it is unable to forward due to the interface being unavailable. If an interface which had not been available becomes available, a router MUST reenable any static routes which use that interface. If routes which would use that interface are learned by the router, then these routes MUST be evaluated along with all of the other learned routes, and the router MUST make a decision as to which routes should be placed in the forwarding database. The implementor is referred to Chapter [7], Application Layer - Routing Protocols for further information on how this decision is made. November 28, 1994 - 115 - A router SHOULD expedite the sending of new routing information to all routers with which it normally exchanges routing information. Several options, such as Record Route and Timestamp, contain slots into which a router inserts its address when forwarding the packet. However, each such option has a finite number of slots, and therefore a router may find that there is not free slot into which it can insert its address. No requirement listed below should be construed as requiring a router to insert its address into an option that has no remaining slot to insert it into. Section [5.2.5] discusses how a router must choose which of its addresses to insert into an option. Unrecognized IP options in forwarded packets MUST be passed through unchanged. Some environments require the Security option in every packet; such a requirement is outside the scope of this document and the IP standard specification. Note, however, that the security options described in [INTERNET:1] and [INTERNET:16] are obsolete. Routers SHOULD IMPLEMENT the revised security option described in [INTERNET:5]. This option is obsolete. If the Stream Identifier option is present in a packet forwarded by the router, the option MUST be ignored and passed through unchanged. A router MUST implement support for source route options in forwarded packets. A router MAY implement a configuration option which, when enabled, causes all source-routed packets to be discarded. However, such an option MUST NOT be enabled by default. DISCUSSION: The ability to source route datagrams through the Internet is important to various network November 28, 1994 - 116 - diagnostic tools. However, in a few rare cases, source routing may be used to bypass administrative and security controls within a network. Specifically, those cases where manipulation of routing tables is used to provide administrative separation in lieu of other methods such as packet filtering may be vulnerable through source routed packets. Routers MUST support the Record Route option in forwarded packets. A router MAY provide a configuration option which, if enabled, will cause the router to ignore (i.e. pass through unchanged) Record Route options in forwarded packets. If provided, such an option MUST default to enabling the record-route. This option does not affect the processing of Record Route options in datagrams received by the router itself (in particular, Record Route options in ICMP echo requests will still be processed in accordance with Section [4.3.3.6]). DISCUSSION: There are some people who believe that Record Route is a security problem because it discloses information about the topology of the network. Thus, this document allows it to be disabled. Routers MUST support the timestamp option in forwarded packets. A timestamp value MUST follow the | rules given [INTRO:2]. If the flags field = 3 (timestamp and prespecified address), the router MUST add its timestamp if the next prespecified address matches any of the router's IP addresses. It is not necessary that the prespecified address be either the address of the interface on which the packet arrived or the address of the interface over which it will be sent. November 28, 1994 - 117 - IMPLEMENTATION: To maximize the utility of the timestamps contained in the timestamp option, it is suggested that the timestamp inserted be, as nearly as practical, the time at which the packet arrived at the router. For datagrams originated by the router, the timestamp inserted should be, as nearly as practical, the time at which the datagram was passed to the network layer for transmission. A router MAY provide a configuration option which, if enabled, will cause the router to ignore (i.e. pass through unchanged) Timestamp options in forwarded datagrams when the flag word is set to zero (timestamps only) or one (timestamp and registering IP address). If provided, such an option MUST default to off (that is, the router does not ignore the timestamp). This option does not affect the processing of Timestamp options in datagrams received by the router itself (in particular, a router will insert timestamps into Timestamp options in datagrams received by the router, and Timestamp options in ICMP echo requests will still be processed in accordance with Section [4.3.3.6]). DISCUSSION: Like the Record Route option, the Timestamp option can reveal information about a network's topology. Some people consider this to be a security concern. November 28, 1994 - 118 - A router is not required to implement any Transport Layer protocols except those required to support Application Layer protocols supported by the router. In practice, this means that most routers implement both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). The User Datagram Protocol (UDP) is specified in [TRANS:1]. A router which implements UDP MUST be compliant, and SHOULD be unconditionally compliant, with the requirements of | [INTRO:2], except that: + This specification does not specify the interfaces | between the various protocol layers. Thus, a router's | interfaces need not comply with [INTRO:2], except where | compliance is required for proper functioning of | Application Layer protocols supported by the router. + Contrary to [INTRO:2], an application SHOULD NOT disable | generation of UDP checksums. | DISCUSSION: Although a particular application protocol may require that UDP datagrams it receives must contain a UDP checksum, there is no general requirement that received UDP datagrams contain UDP checksums. Of course, if a UDP checksum is present in a received datagram, the checksum must be verified and the datagram discarded if the checksum is incorrect. The Transmission Control Protocol (TCP) is specified in [TRANS:2]. A router which implements TCP MUST be compliant, and SHOULD be unconditionally compliant, with the requirements of | [INTRO:2], except that: + This specification does not specify the interfaces between the various protocol layers. Thus, a router need not comply with the following requirements of November 28, 1994 - 119 - [INTRO:2] (except of course where compliance is required for proper functioning of Application Layer protocols supported by the router): Section 4.2.2.2: Passing a received PSH flag to the application layer is now OPTIONAL. Section 4.2.2.4: A TCP MUST inform the application layer asynchronously whenever it receives an Urgent pointer and there was previously no pending urgent data, or whenever the Urgent pointer advances in the data stream. There MUST be a way for the application to learn how much urgent data remains to be read from the connection, or at least to determine whether or not more urgent data remains to be read. Section 4.2.3.5: An application MUST be able to set the value for R2 for a particular connection. For example, an interactive application might set R2 to ``infinity,'' giving the user control over when to disconnect. Section 4.2.3.7: If an application on a multihomed host does not specify the local IP address when actively opening a TCP connection, then the TCP MUST ask the IP layer to select a local IP address before sending the (first) SYN. See the function GET_SRCADDR() in Section 3.4. Section 4.2.3.8: An application MUST be able to specify a source route when it actively opens a TCP connection, and this MUST take precedence over a source route received in a datagram. + For similar reasons, a router need not comply with any of the requirements of [INTRO:2]. | + The requirements of section 4.2.2.6 of [INTRO:2] are amended as follows: a router which implements the host November 28, 1994 - 120 - portion of MTU discovery (discussed in Section [4.2.3.3] of this memo) uses 536 as the default value of SendMSS only if the path MTU is unknown; if the path MTU is known, the default value for SendMSS is the path MTU - 40. + The requirements of section 4.2.2.6 of [INTRO:2] are amended as follows: ICMP Destination Unreachable codes 11 and 12 are additional soft error conditions. Therefore, these message MUST NOT cause TCP to abort a connection. DISCUSSION: It should particularly be noted that a TCP implementation in a router must conform to the following requirements of [INTRO:2]: + Providing a configurable TTL. [4.2.2.1] + Providing an interface to configure keep-alive behavior, if keep-alives are used at all. [4.2.3.6] + Providing an error reporting mechanism, and the ability to manage it. [4.2.4.1] + Specifying type of service. [4.2.4.2] The general paradigm applied is that if a particular interface is visible outside the router, then all requirements for the interface must be followed. For example, if a router provides a telnet function, then it will be generating traffic, likely to be routed in the external networks. Therefore, it must be able to set the type of service correctly or else the telnet traffic may not get through. November 28, 1994 - 121 - An Autonomous System (AS) is defined as a set of routers all belonging under the same authority and all subject to a consistent set of routing policies. Interior gateway protocols (IGPs) are used to distribute routing information inside of an AS (i.e. intra-AS routing). Exterior gateway protocols are used to exchange routing information between ASs (i.e. inter-AS routing). Routing is one of the few places where the Robustness Principle (be liberal in what you accept) does not apply. Routers should be relatively suspicious in accepting routing data from other routing systems. A router SHOULD provide the ability to rank routing information sources from most trustworthy to least trustworthy and to accept routing information about any particular destination from the most trustworthy sources first. This was implicit in the original core/stub autonomous system routing model using EGP and various interior routing protocols. It is even more important with the demise of a central, trusted core. A router SHOULD provide a mechanism to filter out obviously invalid routes (such as those for net 127). Routers MUST NOT by default redistribute routing data they do not themselves use, trust or otherwise consider invalid. In rare cases, it may be necessary to redistribute suspicious information, but this should only happen under direct intercession by some human agency. In general, routers must be at least a little paranoid about accepting routing data from anyone, and must be especially careful when they distribute routing information provided to them by another party. See below for specific guidelines. Routers SHOULD IMPLEMENT peer-to-peer authentication for those routing protocols that support them. Except where the specification for a particular routing protocol specifies otherwise, a router SHOULD set the IP November 28, 1994 - 122 - Precedence value for IP datagrams carrying routing traffic it originates to 6 (INTERNETWORK CONTROL). DISCUSSION: Routing traffic with VERY FEW exceptions should be the highest precedence traffic on any network. If a system's routing traffic can't get through, chances are nothing else will. An Interior Gateway Protocol (IGP) is used to distribute routing information between the various routers in a particular AS. Independent of the algorithm used to implement a particular IGP, it should perform the following functions: (1) Respond quickly to changes in the internal topology of an AS (2) Provide a mechanism such that circuit flapping does not cause continuous routing updates (3) Provide quick convergence to loop-free routing (4) Utilize minimal bandwidth (5) Provide equal cost routes to enable load-splitting (6) Provide a means for authentication of routing updates Current IGPs used in the internet today are characterized as either being being based on a distance-vector or a link-state algorithm. Several IGPs are detailed in this section, including those most commonly used and some recently developed protocols which may be widely used in the future. Numerous other protocols intended for use in intra-AS routing exist in the Internet community. A router which implements any routing protocol (other November 28, 1994 - 123 - than static routes) MUST IMPLEMENT OSPF (see Section [7.2.2]) and MUST IMPLEMENT RIP (see Section [7.2.4]). A router MAY implement additional IGPs. Shortest Path First (SPF) based routing protocols are a * class of link-state algorithms which are based on the shortest-path algorithm of Dijkstra. Although SPF based algorithms have been around since the inception of the ARPANet, it is only recently that they have achieved popularity both inside both the IP and the OSI communities. In an SPF based system, each router obtains an exact replica of the entire topology database via a process known as flooding. Flooding insures a reliable transfer of the information. Each individual router then runs the SPF algorithm on its database to build the IP routing table. The OSPF routing protocol is an implementation of an SPF algorithm. The current version, OSPF version 2, is specified in [ROUTE:1]. Note that RFC-1131, which describes OSPF version 1, is obsolete. Note that to comply with Section [8.3] of this memo, a | router which implements OSPF is forced to implement the | OSPF MIB [MGT:14]. * The American National Standards Institute (ANSI) X3S3.3 committee has defined an intra-domain routing protocol. This protocol is titled Intermediate System to Intermediate System Routeing Exchange Protocol. Its application to an IP network has been defined in [ROUTE:2], and is referred to as Dual IS-IS (or sometimes as Integrated IS-IS). IS-IS is based on a link-state (SPF) routing algorithm and shares all the advantages for this class of protocols. RIP is specified in [ROUTE:3]. Although RIP is still quite important in the Internet, it is being replaced in sophisticated applications by more modern IGPs such as the ones described above. November 28, 1994 - 124 - Another common use for RIP is as a router discovery protocol. Section [4.3.3.10] briefly touches upon this subject. Dealing with changes in topology: [ROUTE:3], pp. 11 An implementation of RIP MUST provide a means for timing out routes. Since messages are occasionally lost, implementations MUST NOT invalidate a route based on a single missed update. Implementations MUST by default wait six times the update interval before invalidating a route. A router MAY have configuration options to alter this value. DISCUSSION: It is important to routing stability that all routers in a RIP autonomous system use similar timeout value for invalidating routes, and therefore it is important that an implementation default to the timeout value specified in the RIP specification. However, that timeout value is overly conservative in environments where packet loss is reasonably rare. In such an environment, a network manager may wish to be able to decrease the timeout period in order to promote faster recovery from failures. IMPLEMENTATION: There is a very simple mechanism which a router may use to meet the requirement to invalidate routes promptly after they time out. Whenever the router scans the routing table to see if any routes have timed out, it also notes the age of the least recently updated route which has not yet timed out. Subtracting this age from the timeout period gives the amount of time until the router again needs to scan the table for timed out November 28, 1994 - 125 - routes. Split Horizon: [ROUTE:3], pp. 14-15 An implementation of RIP MUST implement split horizon, a scheme used for avoiding problems caused by including routes in updates sent to the router from which they were learned. An implementation of RIP SHOULD implement Split horizon with poisoned reverse, a variant of split horizon which includes routes learned from a router sent to that router, but sets their metric to infinity. Because of the routing overhead which may be incurred by implementing split horizon with poisoned reverse, implementations MAY include an option to select whether poisoned reverse is in effect. An implementation SHOULD limit the period of time in which it sends reverse routes at an infinite metric. IMPLEMENTATION: Each of the following algorithms can be used to limit the period of time for which poisoned reverse is applied to a route. The first algorithm is more complex but does a more complete job of limiting poisoned reverse to only those cases where it is necessary. The goal of both algorithms is to ensure that poison reverse is done for any destination whose route has changed in the last Route Lifetime (typically 180 seconds), unless it can be sure that the previous route used the same output interface. The Route Lifetime is used because that is the amount of time RIP will keep around an old route before declaring it stale. The time intervals (and derived variables) used in the following algorithms are as follows: November 28, 1994 - 126 - Tu The Update Timer; the number of seconds between RIP updates. This typically defaults to 30 seconds. Rl The Route Lifetime, in seconds. This is the amount of time that a route is presumed to be good, without requiring an update. This typically defaults to 180 seconds. Ul The Update Loss; the number of consecutive updates that have to be lost or fail to mention a route before RIP deletes the route. Ul is calculated to be (Rl/Tu)+1. The +1 is to account for the fact that the first time the ifcounter is decremented will be less than Tu seconds after it is initialized. Typically, Ul will be 7: (180/30)+1. In The value to set ifcounter to when a destination is newly learned. This value is Ul-4, where the 4 is RIP's garbage collection timer/30 The first algorithm is: - Associated with each destination is a counter, called the ifcounter below. Poison reverse is done for any route whose destination's ifcounter is greater than zero. - After a regular (not triggered or in response to a request) update is sent, all of the non-zero ifcounters are decremented by one. - When a route to a destination is created, its ifcounter is set as follows: - If the new route is superseding a valid route, and the old route used a different (logical) output interface, November 28, 1994 - 127 - then the ifcounter is set to Ul. - If the new route is superseding a stale route, and the old route used a different (logical) output interface, then the ifcounter is set to MAX(0, Ul - INT(seconds that the route has been stale/Ut). - If there was no previous route to the destination, the ifcounter is set to In. - Otherwise, the ifcounter is set to zero - RIP also maintains a timer, called the resettimer below. Poison reverse is done on all routes whenever resettimer has not expired (regardless of the ifcounter values). - When RIP is started, restarted, reset, or otherwise has its routing table cleared, it sets the resettimer to go off in Rl seconds. The second algorithm is identical to the first except that: - The rules which set the ifcounter to non- zero values are changed to always set it to Rl/Tu, and - The resettimer is eliminated. Triggered updates: [ROUTE:3], pp. 15-16; pp. 29 Triggered updates (also called flash updates) are a mechanism for immediately notifying a router's neighbors when the router adds or deletes routes or changes their metrics. A router MUST send a triggered update when routes are deleted or their metrics are increased. A router MAY send a triggered update when routes are added or their metrics November 28, 1994 - 128 - decreased. Since triggered updates can cause excessive routing overhead, implementations MUST use the following mechanism to limit the frequency of triggered updates: (1) When a router sends a triggered update, it sets a timer to a random time between one and five seconds in the future. The router must not generate additional triggered updates before this timer expires. (2) If the router would generate a triggered update during this interval it sets a flag indicating that a triggered update is desired. The router also logs the desired triggered update. (3) When the triggered update timer expires, the router checks the triggered update flag. If the flag is set then the router sends a single triggered update which includes all of the changes that were logged. The router then clears the flag and, since a triggered update was sent, restarts this algorithm. (4) The flag is also cleared whenever a regular update is sent. Triggered updates SHOULD include all routes that have changed since the most recent regular (non-triggered) update. Triggered updates MUST NOT include routes that have not changed since the most recent regular update. DISCUSSION: Sending all routes, whether they have changed recently or not, is unacceptable in triggered updates because the tremendous size of many Internet routing tables could otherwise result in considerable bandwidth being wasted on November 28, 1994 - 129 - triggered updates. Use of UDP: [ROUTE:3], pp. 18-19. RIP packets sent to an IP broadcast address SHOULD have their initial TTL set to one. Note that to comply with Section [6.1] of this memo, a router SHOULD use UDP checksums | in RIP packets which it originates, MUST discard RIP packets received with invalid UDP checksums, but MUST NOT discard received RIP | packets simply because they do not contain UDP checksums. Addressing Considerations: [ROUTE:3], pp. 22 A RIP implementation SHOULD support host routes. If it does not, it MUST (as described on page 27 of [ROUTE:3]) ignore host routes in received updates. A router MAY log ignored hosts routes. The special address 0.0.0.0 is used to describe a default route. A default route is used as the route of last resort (i.e. when a route to the specific net does not exist in the routing table). The router MUST be able to create a RIP entry for the address 0.0.0.0. Input Processing - Response: [ROUTE:3], pp. 26 When processing an update, the following validity checks MUST be performed: + The response MUST be from UDP port 520. + The source address MUST be on a directly | connected subnet (or on a directly | connected, non-subnetted network) to be considered valid. + The source address MUST NOT be one of the | router's addresses. November 28, 1994 - 130 - DISCUSSION: Some networks, media, and interfaces allow a sending node to receive packets that it broadcasts. A router must not accept its own packets as valid routing updates and process them. The last requirement prevents a router from accepting its own routing updates and processing them (on the assumption that they were sent by some other router on the network). An implementation MUST NOT replace an existing route if the metric received is equal to the existing metric except in accordance with the following heuristic. An implementation MAY choose to implement the following heuristic to deal with the above situation. Normally, it is useless to change the route to a network from one router to another if both are advertised at the same metric. However, the route being advertised by one of the routers may be in the process of timing out. Instead of waiting for the route to timeout, the new route can be used after a specified amount of time has elapsed. If this heuristic is implemented, it MUST wait at least halfway to the expiration point before the new route is installed. RIP Shutdown An implementation of RIP SHOULD provide for a graceful shutdown using the following steps: (1) Input processing is terminated, (2) Four updates are generated at random intervals of between two and four seconds, These updates contain all routes that were previously announced, but with some metric changes. Routes that were being announced November 28, 1994 - 131 - at a metric of infinity should continue to use this metric. Routes that had been announced with a non-infinite metric should be announced with a metric of 15 (infinity - 1). DISCUSSION: The metric used for the above really ought to be 16 (infinity); setting it to 15 is a kludge to avoid breaking certain old hosts which wiretap the RIP protocol. Such a host will (erroneously) abort a TCP connection if it tries to send a datagram on the connection while the host has no route to the destination (even if the period when the host has no route lasts only a few seconds while RIP chooses an alternate path to the destination). RIP Split Horizon and Static Routes Split horizon SHOULD be applied to static routes by default. An implementation SHOULD provide a way to specify, per static route, that split horizon should not be applied to this route. The Gateway to Gateway protocol is considered obsolete and SHOULD NOT be implemented. Exterior Gateway Protocols are utilized for inter- Autonomous System routing to exchange reachability information for a set of networks internal to a particular autonomous system to a neighboring autonomous system. The area of inter-AS routing is a current topic of research inside the Internet Engineering Task Force. The Exterior Gateway Protocol (EGP) described in Section [7.3.3] has traditionally been the inter-AS protocol of choice. The Border Gateway Protocol (BGP-4) eliminates | November 28, 1994 - 132 - many of the restrictions and limitations of EGP, and is therefore growing rapidly in popularity. A router is not required to implement any inter-AS routing protocol. However, if a router does implement any inter-AS | protocol, it SHOULD implement BGP. Although it was not designed as an exterior gateway protocol, RIP (described in Section [7.2.4]) is sometimes used for inter-AS routing. The Border Gateway Protocol (BGP-4) is an inter-AS | routing protocol which exchanges network reachability information with other BGP speakers. The information for a network includes the complete list of ASs that traffic must transit to reach that network. This information can then be used to insure loop-free paths. This information is sufficient to construct a graph of AS connectivity from which routing loops may be pruned and some policy decisions at the AS level may be enforced. BGP is defined by [ROUTE:4]. [ROUTE:5] specifies the proper usage of BGP in the Internet, and provides some useful implementation hints and guidelines. [ROUTE:12] and [ROUTE:13] provide additional useful information. To comply with Section [8.3] of this memo, a router | which implements BGP is forced to implement the BGP | MIB [MGT:15]. To characterize the set of policy decisions that can be enforced using BGP, one must focus on the rule that an AS advertises to its neighbor ASs only those routes that it itself uses. This rule reflects the hop-by-hop routing paradigm generally used throughout the current Internet. Note that some policies cannot be supported by the hop-by-hop routing paradigm and thus require techniques such as source routing to enforce. For example, BGP does not enable one AS to send traffic to a neighbor AS intending that that traffic take a different route from that taken by November 28, 1994 - 133 - traffic originating in the neighbor AS. On the other hand, BGP can support any policy conforming to the hop-by-hop routing paradigm. Implementors of BGP are strongly encouraged to follow the recommendations outlined in Section 6 of [ROUTE:5]. While BGP provides support for quite complex routing policies (as an example see Section 4.2 in [ROUTE:5]), it is not required for all BGP implementors to support such policies. At a minimum, however, a BGP implementation: (1) SHOULD allow an AS to control announcements of the BGP learned routes to adjacent AS's. Implementations SHOULD support such control with at least the granularity of a single network. Implementations SHOULD also support such control with the granularity of an autonomous system, where the autonomous system may be either the autonomous system that originated the route, or the autonomous system that advertised the route to the local system (adjacent autonomous system). (2) SHOULD allow an AS to prefer a particular path to a destination (when more than one path is available). Such function SHOULD be implemented by allowing system administrator to assign weights to Autonomous Systems, and making route selection process to select a route with the lowest weight (where weight of a route is defined as a sum of weights of all AS's in the AS_PATH path attribute associated with that route). (3) SHOULD allow an AS to ignore routes with certain AS's in the AS_PATH path attribute. Such function can be implemented by using technique outlined in (2), and by assigning infinity as weights for such AS's. The route selection process must ignore routes that have weight equal to infinity. November 28, 1994 - 134 - The Exterior Gateway Protocol (EGP) specifies an EGP which is used to exchange reachability information between routers of the same or differing autonomous systems. EGP is not considered a routing protocol since there is no standard interpretation (i.e. metric) for the distance fields in the EGP update message, so distances are comparable only among routers of the same AS. It is however designed to provide high-quality reachability information, both about neighbor routers and about routes to non- neighbor routers. EGP is defined by [ROUTE:6]. An implementor almost certainly wants to read [ROUTE:7] and [ROUTE:8] as well, for they contain useful explanations and background material. DISCUSSION: The present EGP specification has serious limitations, most importantly a restriction which limits routers to advertising only those networks which are reachable from within the router's autonomous system. This restriction against propagating third party EGP information is to prevent long-lived routing loops. This effectively limits EGP to a two-level hierarchy. RFC-975 is not a part of the EGP specification, and should be ignored. Indirect Neighbors: RFC-888, pp. 26 An implementation of EGP MUST include indirect neighbor support. Polling Intervals: RFC-904, pp. 10 The interval between Hello command retransmissions and the interval between Poll retransmissions SHOULD be configurable but there MUST be a minimum value defined. November 28, 1994 - 135 - The interval at which an implementation will respond to Hello commands and Poll commands SHOULD be configurable but there MUST be a minimum value defined. Network Reachability: RFC-904, pp. 15 An implementation MUST default to not providing the external list of routers in other autonomous systems; only the internal list of routers together with the nets which are reachable via those routers should be included in an Update Response/Indication packet. However, an implementation MAY elect to provide a configuration option enabling the external list to be provided. An implementation MUST NOT include in the external list routers which were learned via the external list provided by a router in another autonomous system. An implementation MUST NOT send a network back to the autonomous system from which it is learned, i.e. it MUST do split- horizon on an autonomous system level. If more than 255 internal or 255 external routers need to be specified in a Network Reachability update, the networks reachable from routers that can not be listed MUST be merged into the list for one of the listed routers. Which of the listed routers is chosen for this purpose SHOULD be user configurable, but SHOULD default to the source address of the EGP update being generated. An EGP update contains a series of blocks of | classful network prefixes, where each block | contains a list of network prefixes reachable at a | particular distance via a particular router. If more than 255 networks are reachable at a particular distance via a particular router, they are split into multiple blocks (all of which have the same distance). Similarly, if more than 255 blocks are required to list the networks reachable via a particular router, the router's address is listed as many times as necessary to include all of the blocks in the update. Unsolicited Updates: RFC-904, pp. 16 November 28, 1994 - 136 - If a network is shared with the peer, an implementation MUST send an unsolicited update upon entry to the Up state assuming that the source network is the shared network. Neighbor Reachability: RFC-904, pp. 6, 13-15 The table on page 6 which describes the values of j and k (the neighbor up and down thresholds) is incorrect. It is reproduced correctly here: Name Active Passive Description ----------------------------------------------- j 3 1 neighbor-up threshold k 1 0 neighbor-down threshold The value for k in passive mode also specified incorrectly in RFC-904, pp. 14 The values in parenthesis should read: (j = 1, k = 0, and T3/T1 = 4) As an optimization, an implementation can refrain from sending a Hello command when a Poll is due. If an implementation does so, it SHOULD provide a user configurable option to disable this optimization. Abort timer: RFC-904, pp. 6, 12, 13 An EGP implementation MUST include support for the abort timer (as documented in section 4.1.4 of RFC-904). An implementation SHOULD use the abort timer in the Idle state to automatically issue a Start event to restart the protocol machine. Recommended values are P4 for a critical error (Administratively prohibited, Protocol Violation and Parameter Problem) and P5 for all others. The abort timer SHOULD NOT be started when a Stop event was manually initiated (such as via a network management protocol). Cease command received in Idle state: RFC-904, pp. 13 When the EGP state machine is in the Idle state, November 28, 1994 - 137 - it MUST reply to Cease commands with a Cease-ack response. Hello Polling Mode: RFC-904, pp. 11 An EGP implementation MUST include support for both active and passive polling modes. Neighbor Acquisition Messages: RFC-904, pp. 18 As noted the Hello and Poll Intervals should only be present in Request and Confirm messages. Therefore the length of an EGP Neighbor Acquisition Message is 14 bytes for a Request or Confirm message and 10 bytes for a Refuse, Cease or Cease-ack message. Implementations MUST NOT send 14 bytes for Refuse, Cease or Cease-ack messages but MUST allow for implementations that send 14 bytes for these messages. Sequence Numbers: RFC-904, pp. 10 Response or indication packets received with a sequence number not equal to S MUST be discarded. The send sequence number S MUST be incremented just before the time a Poll command is sent and at no other times. It is possible to exchange routing information between two autonomous systems or routing domains without using a standard exterior routing protocol between two separate, standard interior routing protocols. The most common way of doing this is to run both interior protocols independently in one of the border routers with an exchange of route information between the two processes. As with the exchange of information from an EGP to an IGP, without appropriate controls these exchanges of routing information between two IGPs in a single router are subject to creation of routing loops. Static routing provides a means of explicitly defining the November 28, 1994 - 138 - next hop from a router for a particular destination. A router SHOULD provide a means for defining a static route to a destination, where the destination is defined by an | network prefix. The mechanism SHOULD also allow for a metric to be specified for each static route. A router which supports a dynamic routing protocol MUST allow static routes to be defined with any metric valid for the routing protocol used. The router MUST provide the ability for the user to specify a list of static routes which may or may not be propagated via the routing protocol. In addition, a router SHOULD support the following additional information if it supports a routing protocol that could make use of the information. They are: + TOS, + Subnet Mask, or | + Prefix Length, or | + A metric specific to a given routing protocol that can | import the route. DISCUSSION: We intend that one needs to support only the things useful to the given routing protocol. The need for TOS | should not} Whether a router prefers a static route over a dynamic route (or vice versa) or whether the associated metrics are used to choose between conflicting static and dynamic routes SHOULD be configurable for each static route. A router MUST allow a metric to be assigned to a static route for each routing domain that it supports. Each such metric MUST be explicitly assigned to a specific routing domain. For example: route 36.0.0.0 255.0.0.0 via 192.19.200.3 rip metric 3 route 36.21.0.0 255.255.0.0 via 192.19.200.4 ospf inter-area metric 27 route 36.22.0.0 255.255.0.0 via 192.19.200.5 egp 123 November 28, 1994 - 139 - metric 99 route 36.23.0.0 255.255.0.0 via 192.19.200.6 igrp 47 metric 1 2 3 4 5 DISCUSSION: It has been suggested that, ideally, static routes should have preference values rather than metrics (since metrics can only be compared with metrics of other routes in the same routing domain, the metric of a static route could only be compared with metrics of other static routes). This is contrary to some current implementations, where static routes really do have metrics, and those metrics are used to determine whether a particular dynamic route overrides the static route to the same destination. Thus, this document uses the term metric rather than preference. This technique essentially makes the static route into a RIP route, or an OSPF route (or whatever, depending on the domain of the metric). Thus, the route lookup algorithm of that domain applies. However, this is NOT route leaking, in that coercing a static route into a dynamic routing domain does not authorize the router to redistribute the route into the dynamic routing domain. For static routes not put into a specific routing domain, the route lookup algorithm is: (1) Basic match (2) Longest match (3) Weak TOS (if TOS supported) (4) Best metric (where metric are implementation- defined) The last step may not be necessary, but it's useful in the case where you want to have a primary static route over one interface and a secondary static route over an alternate interface, with failover to the alternate path if the interface for the primary route fails. November 28, 1994 - 140 - Each router within a network makes forwarding decisions based upon information contained within its forwarding database. In a simple network the contents of the database may be statically configured. As the network grows more complex, the need for dynamic updating of the forwarding database becomes critical to the efficient operation of the network. If the data flow through a network is to be as efficient as possible, it is necessary to provide a mechanism for controlling the propagation of the information a router uses to build its forwarding database. This control takes the form of choosing which sources of routing information should be trusted and selecting which pieces of the information to believe. The resulting forwarding database is a filtered version of the available routing information. In addition to efficiency, controlling the propagation of routing information can reduce instability by preventing the spread of incorrect or bad routing information. In some cases local policy may require that complete routing information not be widely propagated. These filtering requirements apply only to non-SPF-based protocols (and therefore not at all to routers which don't implement any distance vector protocols). A router SHOULD log as an error any routing update advertising a route that vioolates the specifications of | this memo, unless the routing protocol from which the update was received uses those values to encode special routes (such as default routes). Filtering of routing information allows control of paths used by a router to forward packets it receives. A router should be selective in which sources of routing information it listens to and what routes it believes. Therefore, a router MUST provide the ability to specify: + On which logical interfaces routing information will | be accepted and which routes will be accepted from | each logical interface. November 28, 1994 - 141 - + Whether all routes or only a default route is | advertised on a logical interface. Some routing protocols do not recognize logical interfaces as a source of routing information. In such cases the router MUST provide the ability to specify + from which other routers routing information will be accepted. For example, assume a router connecting one or more leaf networks to the main portion or backbone of a larger network. Since each of the leaf networks has only one path in and out, the router can simply send a default route to them. It advertises the leaf networks to the main network. As the topology of a network grows more complex, the need for more complex route filtering arises. Therefore, a router SHOULD provide the ability to specify independently for each routing protocol: + Which logical interfaces or routers routing information (routes) will be accepted from and which routes will be believed from each other router or logical interface, + Which routes will be sent via which logical interface(s), and + Which routers routing information will be sent to, if this is supported by the routing protocol in use. In many situations it is desirable to assign a reliability ordering to routing information received from another router instead of the simple believe or don't believe choice listed in the first bullet above. A router MAY provide the ability to specify: + A reliability or preference to be assigned to each route received. A route with higher reliability will be chosen over one with lower reliability regardless of the routing metric associated with each route. November 28, 1994 - 142 - If a router supports assignment of preferences, the router MUST NOT propagate any routes it does not prefer as first party information. If the routing protocol being used to propagate the routes does not support distinguishing between first and third party information, the router MUST NOT propagate any routes it does not prefer. DISCUSSION: For example, assume a router receives a route to network C from router R and a route to the same network from router S. If router R is considered more reliable than router S traffic destined for network C will be forwarded to router R regardless of the route received from router S. Routing information for routes which the router does not use (router S in the above example) MUST NOT be passed to any other router. Routers MUST be able to exchange routing information between separate IP interior routing protocols, if independent IP routing processes can run in the same router. Routers MUST provide some mechanism for avoiding routing loops when routers are configured for bi- directional exchange of routing information between two separate interior routing processes. Routers MUST provide some priority mechanism for choosing routes from among independent routing processes. Routers SHOULD provide administrative control of IGP-IGP exchange when used across administrative boundaries. Routers SHOULD provide some mechanism for translating or transforming metrics on a per network basis. Routers (or routing protocols) MAY allow for global preference of exterior routes imported into an IGP. DISCUSSION: Different IGPs use different metrics, requiring some translation technique when introducing information from one protocol into another protocol with a different form of metric. Some IGPs can run multiple instances within the same router or set of routers. In this case metric information can be preserved exactly or translated. November 28, 1994 - 143 - There are at least two techniques for translation between different routing processes. The static (or reachability) approach uses the existence of a route advertisement in one IGP to generate a route advertisement in the other IGP with a given metric. The translation or tabular approach uses the metric in one IGP to create a metric in the other IGP through use of either a function (such as adding a constant) or a table lookup. Bi-directional exchange of routing information is dangerous without control mechanisms to limit feedback. This is the same problem that distance vector routing protocols must address with the split horizon technique and that EGP addresses with the third-party rule. Routing loops can be avoided explicitly through use of tables or lists of permitted/denied routes or implicitly through use of a split horizon rule, a no-third-party rule, or a route tagging mechanism. Vendors are encouraged to use implicit techniques where possible to make administration easier for network operators. November 28, 1994 - 144 - Note that this chapter supersedes any requirements stated in section 6.3 of [INTRO:3]. Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate using UDP/IP as its transport and network protocols. Others MAY be supported (e.g., see [MGT:25, MGT:26, MGT:27, and MGT:28]). SNMP management operations MUST operate as if the SNMP was implemented on the router itself. Specifically, management operations MUST be effected by sending SNMP management requests to any of the IP addresses assigned to any of the router's interfaces. The actual management operation may be performed either by the router or by a proxy for the router. DISCUSSION: This wording is intended to allow management either by proxy, where the proxy device responds to SNMP packets which have one of the router's IP addresses in the packets destination address field, or the SNMP is implemented directly in the router itself and receives packets and responds to them in the proper manner. It is important that management operations can be sent to one of the router's IP Addresses. In diagnosing network problems the only thing identifying the router that is available may be one of the router's IP address; obtained perhaps by looking through another router's routing table. All SNMP operations (get, get-next, get-response, set, and trap) MUST be implemented. Routers MUST provide a mechanism for rate-limiting the generation of SNMP trap messages. Routers MAY provide this mechanism via the algorithms for asynchronous alert management described in [MGT:5]. DISCUSSION: Although there is general agreement about the need to rate-limit traps, there is not yet consensus on how November 28, 1994 - 145 - this is best achieved. The reference cited is considered experimental. For the purposes of this specification, we assume that there is an abstract `community table' in the router. This table contains several entries, each entry for a specific community and containing the parameters necessary to completely define the attributes of that community. The actual implementation method of the abstract community table is, of course, implementation specific. A router's community table MUST allow for at least one entry and SHOULD allow for at least two entries. DISCUSSION: A community table with zero capacity is useless. It means that the router will not recognize any communities and, therefore, all SNMP operations will be rejected. Therefore, one entry is the minimal useful size of the table. Having two entries allows one entry to be limited to read-only access while the other would have write capabilities. Routers MUST allow the user to manually (i.e., without using SNMP) examine, add, delete and change entries in the SNMP community table. The user MUST be able to set the community name. The user MUST be able to configure communities as read-only (i.e., they do not allow SETs) or read-write (i.e., they do allow SETs). The user MUST be able to define at least one IP address to which traps are sent for each community. These addresses MUST be definable on a per-community basis. Traps MUST be enablable or disablable on a per-community basis. A router SHOULD provide the ability to specify a list of valid network managers for any particular community. If enabled, a router MUST validate the source address of the SNMP datagram against the list and MUST discard the datagram if its address does not appear. If the datagram is discarded the router MUST take all actions appropriate to an SNMP authentication failure. November 28, 1994 - 146 - DISCUSSION: This is a rather limited authentication system, but coupled with various forms of packet filtering may provide some small measure of increased security. The community table MUST be saved in non-volatile storage. The initial state of the community table SHOULD contain one entry, with the community name string public and read-only access. The default state of this entry MUST NOT send traps. If it is implemented, then this entry MUST remain in the community table until the administrator changes it or deletes it. DISCUSSION: By default, traps are not sent to this community. Trap PDUs are sent to unicast IP addresses. This address must be configured into the router in some manner. Before the configuration occurs, there is no such address, so to whom should the trap be sent? Therefore trap sending to the public community defaults to be disabled. This can, of course, be changed by an administrative operation once the router is operational. All MIBS relevant to a router's configuration are to be implemented. To wit: + The System, Interface, IP, ICMP, and UDP groups of MIB- II [MGT:2] MUST be implemented. + The Interface Extensions MIB [MGT:18] MUST be implemented. + The IP Forwarding Table MIB [MGT:20] MUST be implemented. + If the router implements TCP (e.g. for Telnet) then the TCP group of MIB-II [MGT:2] MUST be implemented. + If the router implements EGP then the EGP group of MIB- II [MGT:2] MUST be implemented. + If the router supports OSPF then the OSPF MIB [MGT:14] November 28, 1994 - 147 - MUST be implemented. + If the router supports BGP then the BGP MIB [MGT:15] MUST be implemented. + If the router has Ethernet, 802.3, or StarLan interfaces then the Ethernet-Like MIB [MGT:6] MUST be implemented. + If the router has 802.4 interfaces then the 802.4 MIB [MGT:7] MAY be implemented. + If the router has 802.5 interfaces then the 802.5 MIB [MGT:8] MUST be implemented. + If the router has FDDI interfaces that implement ANSI SMT 7.3 then the FDDI MIB [MGT:9] MUST be implemented. + If the router has FDDI interfaces that implement ANSI SMT 6.2 then the FDDI MIB [MGT:29] MUST be implemented. + If the router has RS-232 interfaces then the RS-232 [MGT:10] MIB MUST be implemented. + If the router has T1/DS1 interfaces then the T1/DS1 MIB [MGT:16] MUST be implemented. + If the router has T3/DS3 interfaces then the T3/DS3 MIB [MGT:17] MUST be implemented. + If the router has SMDS interfaces then the SMDS Interface Protocol MIB [MGT:19] MUST be implemented. + If the router supports PPP over any of its interfaces then the PPP MIBs [MGT:11], [MGT:12], and [MGT:13] MUST be implemented. + If the router supports RIP Version 2 then the RIP Version 2 MIB [MGT:21] MUST be implemented. + If the router supports X.25 over any of its interfaces then the X.25 MIBs [MGT:22, MGT:23 and MGT:24] MUST be implemented. The Internet Standard and Experimental MIBs do not cover November 28, 1994 - 148 - the entire range of statistical, state, configuration and control information that may be available in a network element. This information is, never the less, extremely useful. Vendors of routers (and other network devices) generally have developed MIB extensions that cover this information. These MIB extensions are called Vendor Specific MIBs. The Vendor Specific MIB for the router MUST provide access to all statistical, state, configuration, and control information that is not available through the Standard and Experimental MIBs that have been implemented. This information MUST be available for both monitoring and control operations. DISCUSSION: The intent of this requirement is to provide the ability to do anything on the router via SNMP that can be done via a console. A certain minimal amount of configuration is necessary before SNMP can operate (e.g., the router must have an IP address). This initial configuration can not be done via SNMP. However, once the initial configuration is done, full capabilities ought to be available via network management. The vendor SHOULD make available the specifications for all Vendor Specific MIB variables. These specifications MUST conform to the SMI [MGT:1] and the descriptions MUST be in the form specified in [MGT:4]. DISCUSSION: Making the Vendor Specific MIB available to the user is necessary. Without this information the users would not be able to configure their network management systems to be able to access the Vendor Specific parameters. These parameters would then be useless. The format of the MIB specification is also specified. Parsers which read MIB specifications and generate the needed tables for the network management station are available. These parsers generally understand only the standard MIB specification format. November 28, 1994 - 149 - Parameters altered by SNMP MAY be saved to non-volatile storage. DISCUSSION: Reasons why this requirement is a MAY: + The exact physical nature of non-volatile storage is not specified in this document. Hence, parameters may be saved in NVRAM/EEPROM, local floppy or hard disk, or in some TFTP file server or BOOTP server, etc. Suppose that that this information is in a file that is retrieved via TFTP. In that case, a change made to a configuration parameter on the router would need to be propagated back to the file server holding the configuration file. Alternatively, the SNMP operation would need to be directed to the file server, and then the change somehow propagated to the router. The answer to this problem does not seem obvious. This also places more requirements on the host holding the configuration information than just having an available tftp server, so much more that its probably unsafe for a vendor to assume that any potential customer will have a suitable host available. + The timing of committing changed parameters to non- volatile storage is still an issue for debate. Some prefer to commit all changes immediately. Others prefer to commit changes to non-volatile storage only upon an explicit command. November 28, 1994 - 150 - For all additional application protocols that a router implements, the router MUST be compliant and SHOULD be unconditionally compliant with the relevant requirements of [INTRO:3]. The Bootstrap Protocol (BOOTP) is a UDP/IP-based protocol which allows a booting host to configure itself dynamically and without user supervision. BOOTP provides a means to notify a host of its assigned IP address, the IP address of a boot server host, and the name of a file to be loaded into memory and executed ([APPL:1]). Other configuration information such as the | local prefix length or subnet mask, the local time offset, the addresses of default routers, and the addresses of various Internet servers can also be communicated to a host using BOOTP ([APPL:2]). In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In | such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, in order to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead. DISCUSSION: A BOOTP relay agent performs a task which is distinct from a router's normal IP forwarding function. While a router normally switches IP datagrams between networks more-or-less transparently, a BOOTP relay agent may more properly be thought to receive BOOTP messages as a final destination and then generate new BOOTP messages as a result. One should resist the notion of simply forwarding a BOOTP message straight through like a regular packet. This relay-agent functionality is most conveniently located in the routers which interconnect the clients | and servers (although it may alternatively be located in | a host which is directly connected to the client | November 28, 1994 - 151 - subnet). A router MAY provide BOOTP relay-agent capability. If it does, it MUST conform to the specifications in [APPL:3]. Section [5.2.3] discussed the circumstances under which a packet is delivered locally (to the router). All locally delivered UDP messages whose UDP destination port number is BOOTPS (67) are considered for special processing by the router's logical BOOTP relay agent. Sections [4.2.2.11] and [5.3.7] discussed invalid IP source addresses. According to these rules, a router must not forward any received datagram whose IP source address is 0.0.0.0. However, routers which support a BOOTP relay agent MUST accept for local delivery to the relay agent BOOTREQUEST messages whose IP source address is 0.0.0.0. November 28, 1994 - 152 - This chapter supersedes any requirements of [INTRO:3] relating | to "Extensions to the IP Module." Facilities to support operation and maintenance (O&M) activities form an essential part of any router implementation. Although these functions do not seem to relate directly to interoperability, they are essential to the network manager who must make the router interoperate and must track down problems when it doesn't. This chapter also includes some discussion of router initialization and of facilities to assist network managers in securing and accounting for their networks. The following kinds of activities are included under router O&M: + Diagnosing hardware problems in the router's processor, in its network interfaces, or in its connected networks, modems, or communication lines. + Installing new hardware + Installing new software. + Restarting or rebooting the router after a crash. + Configuring (or reconfiguring) the router. + Detecting and diagnosing Internet problems such as congestion, routing loops, bad IP addresses, black holes, packet avalanches, and misbehaved hosts. + Changing network topology, either temporarily (e.g., to bypass a communication line problem) or permanently. + Monitoring the status and performance of the routers and the connected networks. + Collecting traffic statistics for use in (Inter-)network planning. + Coordinating the above activities with appropriate vendors and telecommunications specialists. November 28, 1994 - 153 - Routers and their connected communication lines are often operated as a system by a centralized O&M organization. This organization may maintain a (Inter-)network operation center, or NOC, to carry out its O&M functions. It is essential that routers support remote control and monitoring from such a NOC through an Internet path, since routers might not be connected to the same network as their NOC. Since a network failure may temporarily preclude network access, many NOCs insist that routers be accessible for network management via an alternative means, often dialup modems attached to console ports on the routers. Since an IP packet traversing an internet will often use routers under the control of more than one NOC, Internet problem diagnosis will often involve cooperation of personnel of more than one NOC. In some cases, the same router may need to be monitored by more than one NOC, but only if necessary, because excessive monitoring could impact a router's performance. The tools available for monitoring at a NOC may cover a wide range of sophistication. Current implementations include multi-window, dynamic displays of the entire router system. The use of AI techniques for automatic problem diagnosis is proposed for the future. Router O&M facilities discussed here are only a part of the large and difficult problem of Internet management. These problems encompass not only multiple management organizations, but also multiple protocol layers. For example, at the current stage of evolution of the Internet architecture, there is a strong coupling between host TCP implementations and eventual IP-level congestion in the router system [OPER:1]. Therefore, diagnosis of congestion problems will sometimes require the monitoring of TCP statistics in hosts. There are currently a number of R&D efforts in progress in the area of Internet management and more specifically router O&M. These R&D efforts have already produced standards for router O&M. This is also an area in which vendor creativity can make a significant contribution. November 28, 1994 - 154 - There exists a minimum set of conditions that must be satisfied before a router may forward packets. A router MUST NOT enable forwarding on any physical interface unless either: (1) The router knows the IP address and associated | subnet mask or network prefix length of at least | one logical interface associated with that physical | interface, or (2) The router knows that the interface is an unnumbered | interface and also knows its router-id. These parameters MUST be explicitly configured: + A router MUST NOT use factory-configured default | values for its IP addresses, subnet masks, or router-id, and + A router MUST NOT assume that an unconfigured | interface is an unnumbered interface. DISCUSSION: There have been instances in which routers have been shipped with vendor-installed default addresses for interfaces. In a few cases, this has resulted in routers advertising these default addresses into active networks. A router MUST allow its IP addresses and their address | masks or prefix lengths to be statically configured and | saved in permanent storage. A router MAY obtain its IP addresses and their | corresponding address masks dynamically as a side effect of the system initialization process (see Section 10.2.3]); If the dynamic method is provided, the choice of method to be used in a particular router MUST be configurable. As was described in Section [4.2.2.11], IP addresses are | not permitted to have the value 0 or -1 in the or fields. Therefore, a router | SHOULD NOT allow an IP address or address mask to be set | to a value which would make any of the these fields | above have the value zero or -1. DISCUSSION: It is possible using arbitrary address masks to | create situations in which routing is ambiguous | (i.e., two routes with different but equally-specific subnet masks match a particular destination address). | This is one of the strongest arguments for the use of | network prefixes, and the reason the use of | discontiguous subnet masks is not permitted. A router SHOULD make the following checks on any address | mask it installs: + The mask is neither all ones nor all zeroes (the | prefix length is neither zero nor 32). + The bits which correspond to the network prefix part | of the address are all set to 1. | + The bits which correspond to the network prefix are | contiguous. DISCUSSION: The masks associated with routes are also sometimes called subnet masks, this test should not be applied to them. There has been a lot of discussion on how routers can and should be booted from the network. In general, these discussions have centered around BOOTP and TFTP. Currently, there are routers that boot with TFTP from the network. There is no reason that BOOTP could not be used for locating the server that the boot image should be loaded from. In general, BOOTP is a protocol used to boot end systems, and requires some stretching to accommodate its use with routers. If a router is using BOOTP to locate November 28, 1994 - 156 - the current boot host, it should send a BOOTP Request with its hardware address for its first interface, or, if it has been previously configured otherwise, with either another interface's hardware address, or another number to put in the hardware address field of the BOOTP packet. This is to allow routers without hardware | addresses (like synchronous line only routers) to use BOOTP for bootload discovery. TFTP can then be used to retrieve the image found in the BOOTP Reply. If there are no configured interfaces or numbers to use, a router MAY cycle through the interface hardware addresses it has until a match is found by the BOOTP server. A router SHOULD IMPLEMENT the ability to store parameters learned via BOOTP into local stable storage. A router MAY implement the ability to store a system image loaded over the network into local stable storage. A router MAY have a facility to allow a remote user to request that the router get a new boot image. Differentiation should be made between getting the new boot image from one of three locations: the one included in the request, from the last boot image server, and using BOOTP to locate a server. There is a range of possible models for performing O&M functions on a router. At one extreme is the local-only model, under which the O&M functions can only be executed locally (e.g., from a terminal plugged into the router machine). At the other extreme, the fully-remote model allows only an absolute minimum of functions to be performed locally (e.g., forcing a boot), with most O&M being done remotely from the NOC. There are intermediate models, such as one in which NOC personnel can log into the router as a host, using the Telnet protocol, to perform functions which can also be invoked locally. The local-only model may be adequate in a few router installations, but in general remote operation from a NOC will be required, and therefore remote O&M provisions are required for most routers. Remote O&M functions may be exercised through a control November 28, 1994 - 157 - agent (program). In the direct approach, the router would support remote O&M functions directly from the NOC using standard Internet protocols (e.g., SNMP, UDP or TCP); in the indirect approach, the control agent would support these protocols and control the router itself using proprietary protocols. The direct approach is preferred, although either approach is acceptable. The use of specialized host hardware and/or software requiring significant additional investment is discouraged; nevertheless, some vendors may elect to provide the control agent as an integrated part of the network in which the routers are a part. If this is the case, it is required that a means be available to operate the control agent from a remote site using Internet protocols and paths and with equivalent functionality with respect to a local agent terminal. It is desirable that a control agent and any other NOC software tools which a vendor provides operate as user programs in a standard operating system. The use of the standard Internet protocols UDP and TCP for communicating with the routers should facilitate this. Remote router monitoring and (especially) remote router control present important access control problems which must be addressed. Care must also be taken to ensure control of the use of router resources for these functions. It is not desirable to let router monitoring take more than some limited fraction of the router CPU time, for example. On the other hand, O&M functions must receive priority so they can be exercised when the router is congested, since often that is when O&M is most needed. Routers MUST support Out-Of-Band (OOB) access. OOB access SHOULD provide the same functionality as in-band access. DISCUSSION: This Out-Of-Band access will allow the NOC a way to access isolated routers during times when network access is not available. Out-Of-Band access is an important management tool November 28, 1994 - 158 - for the network administrator. It allows the access of equipment independent of the network connections. There are many ways to achieve this access. Whichever one is used it is important that the access is independent of the network connections. An example of Out-Of-Band access would be a serial port connected to a modem that provides dial up access to the router. It is important that the OOB access provides the same functionality as in-band access. In-band access, or accessing equipment through the existing network connection, is limiting, because most of the time, administrators need to reach equipment to figure out why it is unreachable. In band access is still very important for configuring a router, and for troubleshooting more subtle problems. Each router SHOULD operate as a stand-alone device for the purposes of local hardware maintenance. Means SHOULD be available to run diagnostic programs at the router site using only on-site tools. A router SHOULD be able to run diagnostics in case of a fault. For suggested hardware and software diagnostics see Section [10.3.3]. A router MUST include both in-band and out-of-band mechanisms to allow the network manager to reload, stop, and restart the router. A router SHOULD also contain a mechanism (such as a watchdog timer) which will reboot the router automatically if it hangs due to a software or hardware fault. A router SHOULD IMPLEMENT a mechanism for dumping the contents of a router's memory (and/or other state useful for vendor debugging after a crash), and either saving them on a stable storage device local to the router or saving them on another host via an up-line dump mechanism such as TFTP (see [OPER:2], [INTRO:3]). November 28, 1994 - 159 - Every router has configuration parameters which may need to be set. It SHOULD be possible to update the parameters without rebooting the router; at worst, a restart MAY be required. There may be cases when it is not possible to change parameters without rebooting the router (for instance, changing the IP address of an interface). In these cases, care should be taken to minimize disruption to the router and the surrounding network. There SHOULD be a way to configure the router over the network either manually or automatically. A router SHOULD be able to upload or download its parameters from a host or another router, and these parameters SHOULD be convertible into some sort of text format for making changes and then back to the form the router can read. A router SHOULD have some sort of stable storage for its configuration. A router SHOULD NOT believe protocols such as RARP, ICMP Address Mask Reply, and MAY not believe BOOTP. DISCUSSION: It is necessary to note here that in the future RARP, ICMP Address Mask Reply, BOOTP and other mechanisms may be needed to allow a router to auto-configure. Although routers may in the future be able to configure automatically, the intent here is to discourage this practice in a production environment until such time as auto- configuration has been tested more thoroughly. The intent is NOT to discourage auto-configuration all together. In cases where a router is expected to get its configuration automatically it may be wise to allow the router to believe these things as it comes up and then ignore them after it has gotten its configuration. A router SHOULD keep its system image in local non- volatile storage such as PROM, NVRAM, or disk. It MAY also be able to load its system software over the network from a host or another router. A router which can keep its system image in local November 28, 1994 - 160 - non-volatile storage MAY be configurable to boot its system image over the network. A router which offers this option SHOULD be configurable to boot the system image in its non-volatile local storage if it is unable to boot its system image over the network. DISCUSSION: It is important that the router be able to come up and run on its own. NVRAM may be a particular solution for routers used in large networks, since changing PROMs can be quite time consuming for a network manager responsible for numerous or geographically dispersed routers. It is important to be able to netboot the system image because there should be an easy way for a router to get a bug fix or new feature more quickly than getting PROMS installed. Also if the router has NVRAM instead of PROMs, it will netboot the image and then put it in NVRAM. A router MAY also be able to distinguish between different configurations based on which software it is running. If configuration commands change from one software version to another, it would be helpful if the router could use the configuration that was compatible with the software. There MUST be mechanisms for detecting and responding to misconfigurations. If a command is executed incorrectly, the router SHOULD give an error message. The router SHOULD NOT accept a poorly formed command as if it were correct. DISCUSSION: There are cases where it is not possible to detect errors: the command is correctly formed, but incorrect with respect to the network. This may be detected by the router, but may not be possible. Another form of misconfiguration is misconfiguration of the network to which the router is attached. A router MAY detect misconfigurations in the network. The router MAY log these findings to a file, either November 28, 1994 - 161 - on the router or a host, so that the network manager will see that there are possible problems on the network. DISCUSSION: Examples of such misconfigurations might be another router with the same address as the one in | question or a router with the wrong address mask. If a router detects such problems it is probably not the best idea for the router to try to fix the situation. That could cause more harm than good. Changing the configuration of a router SHOULD have minimal affect on the network. Routing tables SHOULD NOT be unnecessarily flushed when a simple change is made to the router. If a router is running several routing protocols, stopping one routing protocol SHOULD NOT disrupt other routing protocols, except in the case where one network is learned by more than one routing protocol. DISCUSSION: It is the goal of a network manager to run a network so that users of the network get the best connectivity possible. Reloading a router for simple configuration changes can cause disruptions in routing and ultimately cause disruptions to the network and its users. If routing tables are unnecessarily flushed, for instance, the default route will be lost as well as specific routes to sites within the network. This sort of disruption will cause significant downtime for the users. It is the purpose of this section to point out that whenever possible, these disruptions should be avoided. (1) A router MUST provide in-band network access, but (except as required by Section [8.2]) for security considerations this access SHOULD be disabled by default. Vendors MUST document the November 28, 1994 - 162 - default state of any in-band access. DISCUSSION: In-band access primarily refers to access via the normal network protocols which may or may not affect the permanent operational state of the router. This includes, but is not limited to Telnet/RLOGIN console access and SNMP operations. This was a point of contention between the operational out of the box and secure out of the box contingents. Any automagic access to the router may introduce insecurities, but it may be more important for the customer to have a router which is accessible over the network as soon as it is plugged in. At least one vendor supplies routers without any external console access and depends on being able to access the router via the network to complete its configuration. Basically, it is the vendors call whether or not in-band access is enabled by default; but it is also the vendors responsibility to make its customers aware of possible insecurities. (2) A router MUST provide the ability to initiate an ICMP echo. The following options SHOULD be implemented: + Choice of data patterns + Choice of packet size + Record route and the following additional options MAY be implemented: + Loose source route + Strict source route + Timestamps November 28, 1994 - 163 - (3) A router SHOULD provide the ability to initiate a traceroute. If traceroute is provided, then the 3rd party traceroute SHOULD be implemented. Each of the above three facilities (if implemented) SHOULD have access restrictions placed on it to prevent its abuse by unauthorized persons. Auditing and billing are the bane of the network operator, but are the two features most requested by those in charge of network security and those who are responsible for paying the bills. In the context of security, auditing is desirable if it helps you keep your network working and protects your resources from abuse, without costing you more than those resources are worth. (1) Configuration Changes Router SHOULD provide a method for auditing a configuration change of a router, even if it's something as simple as recording the operator's initials and time of change. DISCUSSION: Having the ability to track who made changes and when is highly desirable, especially if your packets suddenly start getting routed through Alaska on their way across town. (2) Packet Accounting Vendors should strongly consider providing a system for tracking traffic levels between pairs of hosts or networks. A mechanism for limiting the collection of this information to specific pairs of hosts or networks is also strongly encouraged. DISCUSSION: A host traffic matrix as described above can give the network operator a glimpse of traffic trends not apparent from other statistics. It November 28, 1994 - 164 - can also identify hosts or networks which are probing the structure of the attached networks - e.g., a single external host which tries to send packets to every IP address in the network address range for a connected network. (3) Security Auditing Routers MUST provide a method for auditing security related failures or violations to include: + Authorization Failures: bad passwords, invalid SNMP communities, invalid authorization tokens, + Violations of Policy Controls: Prohibited Source Routes, Filtered Destinations, and + Authorization Approvals: good passwords - Telnet in-band access, console access. Routers MUST provide a method of limiting or disabling such auditing but auditing SHOULD be on by default. Possible methods for auditing include listing violations to a console if present, logging or counting them internally, or logging them to a remote security server via the SNMP trap mechanism or the Unix logging mechanism as appropriate. A router MUST implement at least one of these reporting mechanisms - it MAY implement more than one. A vendor has a responsibility to use good configuration control practices in the creation of the software/firmware loads for their routers. In particular, if a vendor makes updates and loads available for retrieval over the Internet, the vendor should also provide a way for the customer to confirm the load is a valid one, perhaps by the verification of a checksum over the load. DISCUSSION: Many vendors currently provide short notice updates of their software products via the Internet. This a good trend and should be encouraged, but provides a November 28, 1994 - 165 - point of vulnerability in the configuration control process. If a vendor provides the ability for the customer to change the configuration parameters of a router remotely, for example via a Telnet session, the ability to do so SHOULD be configurable and SHOULD default to off. The router SHOULD require a password or other valid authentication before permitting remote reconfiguration. DISCUSSION: Allowing your properly identified network operator to twiddle with your routers is necessary; allowing anyone else to do so is foolhardy. A router MUST NOT have undocumented back door access and master passwords. A vendor MUST ensure any such access added for purposes of debugging or product development are deleted before the product is distributed to its customers. DISCUSSION: A vendor has a responsibility to its customers to ensure they are aware of the vulnerabilities present in its code by intention - e.g. in-band access. Trap doors, back doors and master passwords intentional or unintentional can turn a relatively secure router into a major problem on an operational network. The supposed operational benefits are not matched by the potential problems. November 28, 1994 - 166 - Implementors should be aware that Internet protocol standards are occasionally updated. These references are current as of this writing, but a cautious implementor will always check a recent version of the RFC index to ensure that an RFC has not been updated or superseded by another, more recent RFC. Reference [INTRO:6] explains various ways to obtain a current RFC index. APPL:1. B. Croft and J. Gilmore, Bootstrap Protocol (BOOTP), Request For Comments (RFC) 951, DDN Network Information Center, SRI International, Menlo Park, California, USA, September 1985. APPL:2. S. Alexander and R. Droms, DHCP Options and BOOTP Vendor Extensions, Request For Comments (RFC) 1533, October 1993. APPL:3. W. Wimer, Clarifications and Extensions for the Bootstrap Protocol, Request For Comments (RFC) 1542, October 1993. ARCH:1. DDN Protocol Handbook, NIC-50004, NIC-50005, NIC-50006 (three volumes), DDN Network Information Center, SRI International, Menlo Park, California, USA, December 1985. ARCH:2. V. Cerf and R. Kahn, A Protocol for Packet Network Intercommunication," IEEE Transactions on Communication, May 1974. Also included in [ARCH:1]. ARCH:3. J. Postel, C. Sunshine, and D. Cohen, The ARPA Internet Protocol," Computer Networks, vol. 5, no. 4, July 1981. Also included in [ARCH:1]. ARCH:4. B. Leiner, J. Postel, R. Cole, and D. Mills, The DARPA Internet Protocol Suite, Proceedings of INFOCOM '85, IEEE, Washington, DC, March 1985. Also in: IEEE Communications Magazine, March 1985. Also available from November 28, 1994 - 167 - the Information Sciences Institute, University of Southern California as Technical Report ISI-RS-85-153. ARCH:5. D. Comer, Internetworking With TCP/IP Volume 1: Principles, Protocols, and Architecture, Prentice Hall, Englewood Cliffs, NJ, 1991. ARCH:6. W. Stallings, Handbook of Computer-Communications Standards Volume 3: The TCP/IP Protocol Suite, Macmillan, New York, NY, 1990. ARCH:7. J. Postel, Internet Official Protocol Standards, Request For Comments (RFC) 1540, October 1993. ARCH:8. Information processing systems - Open Systems Interconnection - Basic Reference Model, ISO 7489, International Standards Organization, 1984. ARCH:9 | R. Braden, J. Postel, Y. Rekhter, | "Internet Architecture Extensions for Shared Media", | 05/20/1994 | FORWARD:1. IETF CIP Working Group (C. Topolcic, Editor), Experimental Internet Stream Protocol, Version 2 (ST-II), Request For Comments (RFC) 1190, DDN Network Information Center, SRI International, Menlo Park, California, USA, October 1990. FORWARD:2. A. Mankin and K. Ramakrishnan, Editors, Gateway Congestion Control Survey, Request For Comments (RFC) 1254, DDN Network Information Center, SRI International, Menlo Park, California, USA, August 1991. FORWARD:3. J. Nagle, On Packet Switches with Infinite Storage, IEEE Transactions on Communications, vol. COM-35, no. 4, April 1987. November 28, 1994 - 168 - FORWARD:4. R. Jain, K. Ramakrishnan, and D. Chiu, Congestion Avoidance in Computer Networks With a Connectionless Network Layer, Technical Report DEC-TR-506, Digital Equipment Corporation. FORWARD:5. V. Jacobson, Congestion Avoidance and Control, Proceedings of SIGCOMM '88, Association for Computing Machinery, August 1988. FORWARD:6. W. Barns, Precedence and Priority Access Implementation for Department of Defense Data Networks, Technical Report MTR-91W00029, The Mitre Corporation, McLean, Virginia, USA, July 1991. FORWARD:7 | Fang, Chen, Hutchins, | "Simulation Results of TCP Performance over ATM with and | without Flow Control", presentation to the ATM Forum, | November 15, 1993. | FORWARD:8 | V. Paxson, S. Floyd | "Wide Area Traffic: the Failure of Poisson Modelling", | short version in SIGCOMM '94 | FORWARD:9 | Leland, Taqqu, Willinger and Wilson, "On the Self-Similar | Nature of Ethernet Traffic", Proceedings of SIGCOMM '93, | September, 1993. | FORWARD:10 | S. Keshav "A Control Theoretic Approach to Flow | Control", SIGCOMM 91, pages 3-16 | FORWARD:11 | K.K. Ramakrishnan and R. Jain, "A Binary Feedback | Scheme for Congestion Avoidance in Computer Networks," | ACM Transactions of Computer Systems, vol. 8, no. 2, | 1980. | FORWARD:12 | H. Kanakia, P. Mishara, and A. Reibman]. An adaptive | November 28, 1994 - 169 - congestion control scheme for real-time packet video | transport. In Proceedings of ACM Sigcomm 1994, pages | 20-31, San Francisco, California, Sept 1993. | FORWARD:13 | A. Demers, S. Keshav, S. Shenker "Analysis and | Simulation of a Fair Queuing Algorithm", SIGCOMM 93 pages | 1-12 | FORWARD:14 | D. Clark, S. Shenker , L. Zhang, "Supporting Real-Time | Applicatios in an Integrated Services Packet Network: | Architecture and Mechanism", SIGCOMM 92 pages 14-26 | INTERNET:1. J. Postel, Internet Protocol, Request For Comments (RFC) 791, DDN Network Information Center, SRI International, Menlo Park, California, USA, September 1981. INTERNET:2. J. Mogul and J. Postel, Internet Standard Subnetting Procedure, Request For Comments (RFC) 950, DDN Network Information Center, SRI International, Menlo Park, California, USA, August 1985. INTERNET:3. J. Mogul, Broadcasting Internet Datagrams in the Presence of Subnets, Request For Comments (RFC) 922, DDN Network Information Center, SRI International, Menlo Park, California, USA, October 1984. INTERNET:4. S. Deering, Host Extensions for IP Multicasting, Request For Comments (RFC) 1112, DDN Network Information Center, SRI International, Menlo Park, California, USA, August 1989. INTERNET:5. S. Kent, U.S. Department of Defense Security Options for the Internet Protocol, Request for Comments (RFC) 1108, November 1991. INTERNET:6. R. Braden, D. Borman, and C. Partridge, Computing the Internet Checksum, Request For Comments (RFC) 1071, DDN November 28, 1994 - 170 - Network Information Center, SRI International, Menlo Park, California, USA, September 1988. INTERNET:7. T. Mallory and A. Kullberg, | INTERNET:8. J. Postel, Internet Control Message Protocol, Request For Comments (RFC) 792, DDN Network Information Center, SRI International, Menlo Park, California, USA, September 1981. INTERNET:9. A. Mankin, G. Hollingsworth, G. Reichlen, K. Thompson, R. Wilder, and R. Zahavi, Evaluation of Internet Performance - FY89, Technical Report MTR- 89W00216, MITRE Corporation, February, 1990. INTERNET:10. G. Finn, A Connectionless Congestion Control Algorithm, Computer Communications Review, vol. 19, no. 5, Association for Computing Machinery, October 1989. INTERNET:11. W. Prue, The Source Quench Introduced Delay (SQuID), Request For Comments (RFC) 1016, DDN Network Information Center, SRI International, J. Postel, August 1987. INTERNET:12. A. McKenzie, Some comments on SQuID, Request For Comments (RFC) 1018, DDN Network Information Center, SRI International, Menlo Park, California, USA, August 1987. INTERNET:13. S. Deering, ICMP Router Discovery Messages, Request For Comments (RFC) 1256, DDN Network Information Center, SRI International, Menlo Park, California, USA, September 1991. INTERNET:14. J. Mogul and S. Deering, Path MTU Discovery, Request For Comments (RFC) 1191, DDN Network Information Center, SRI International, Menlo Park, California, USA, November 1990. November 28, 1994 - 171 - INTERNET:15 V. Fuller, T. Li, J. Yi, and K. Varadhan, Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy Request For Comments (RFC) 1519, DDN Network Information Center, SRI International Menlo Park, California, USA September 1993. INTERNET:16 M. St. Johns, Draft Revised IP Security Option, Request for Comments 1038, January 1988. INTERNET:17 W. Prue and J. Postel, Queuing Algorithm to Provide Type-of-service For IP Links, Request for Comments 1046, February 1988. INTERNET:18 | J. Postel, Address Mappings , Request for Comments 796, | September 1981. | INTRO:1. R. Braden and J. Postel, Requirements for Internet Gateways, Request For Comments (RFC) 1009, DDN Network Information Center, SRI International, Menlo Park, California, USA, June 1987. INTRO:2. Internet Engineering Task Force (R. Braden, Editor), Requirements for Internet Hosts - Communication Layers, Request For Comments (RFC) 1122, DDN Network Information Center, SRI International, Menlo Park, California, USA, October 1989. INTRO:3. Internet Engineering Task Force (R. Braden, Editor), Requirements for Internet Hosts - Application and Support, Request For Comments (RFC) 1123, DDN Network Information Center, SRI International, Menlo Park, California, USA, October 1989. INTRO:4. D. Clark, Modularity and Efficiency in Protocol Implementations, Request For Comments (RFC) 817, DDN Network Information Center, SRI International, Menlo November 28, 1994 - 172 - Park, California, USA, July 1982. INTRO:5. D. Clark, The Structuring of Systems Using Upcalls, Proceedings of 10th ACM SOSP, December 1985. INTRO:6. O. Jacobsen and J. Postel, Protocol Document Order Information, Request For Comments (RFC) 980, DDN Network Information Center, SRI International, Menlo Park, California, USA, March 1986. INTRO:7. J. Reynolds and J. Postel, Assigned Numbers, Request For Comments (RFC) 1340, July 1992. This document is periodically updated and reissued with a new number. It is wise to verify occasionally that the version you have is still current. INTRO:8. DoD Trusted Computer System Evaluation Criteria, DoD publication 5200.28-STD, U.S. Department of Defense, December 1985. INTRO:9 G. Malkin and T. LaQuey Parker, Internet Users' Glossary, Request for Comments (RFC) 1392 (also FYI 0018), Network Information Center, January 1993. LINK:1. S. Leffler and M. Karels, Trailer Encapsulations, Request For Comments (RFC) 893, DDN Network Information Center, SRI International, Menlo Park, California, USA, April 1984. LINK:2 W. Simpson, The Point-to-Point Protocol (PPP) for the Transmission of Multi-protocol Datagrams over Point-to- Point Links, Request For Comments (RFC) 1331, May 1992. LINK:3 G. McGregor, The PPP Internet Protocol Control Protocol (IPCP), Request For Comments (RFC) 1332, May 1992. LINK:4 November 28, 1994 - 173 - B. Lloyd, W. Simpson, PPP Authentication Protocols, Request For Comments (RFC) 1334, May 1992. LINK:5 W. Simpson PPP Link Quality Monitoring, Request For Comments (RFC) 1333, May 1992. MGT:1. M. Rose and K. McCloghrie, Structure and Identification of Management Information of TCP/IP-based Internets, Request For Comments (RFC) 1155, DDN Network Information Center, SRI International, Menlo Park, California, USA, May 1990. MGT:2. K. McCloghrie and M. Rose (Editors), Management Information Base of TCP/IP-Based Internets: MIB-II, Request For Comments (RFC) 1213, DDN Network Information Center, SRI International, Menlo Park, California, USA, March 1991. MGT:3. J. Case, M. Fedor, M. Schoffstall, and J. Davin, Simple Network Management Protocol, Request For Comments (RFC) 1157, DDN Network Information Center, SRI International, Menlo Park, California, USA, May 1990. MGT:4. M. Rose and K. McCloghrie (Editors), Towards Concise MIB Definitions, Request For Comments (RFC) 1212, DDN Network Information Center, SRI International, Menlo Park, California, USA, March 1991. MGT:5. L. Steinberg, Techniques for Managing Asynchronously Generated Alerts, Request for Comments (RFC) 1224, May 1991. MGT:6. F. Kastenholz, Definitions of Managed Objects for the Ethernet-like Interface Types, Request for Comments (RFC) 1398, January 1993. MGT:7. R. Fox and K. McCloghrie, IEEE 802.4 Token Bus MIB, November 28, 1994 - 174 - Request for Comments (RFC) 1230, May 1991. MGT:8. E. Decker, R. Fox and K. McCloghrie, IEEE 802.5 Token Ring MIB, Request for Comments (RFC) 1231, February 1993. MGT:9. J. Case and A. Rijsinghani, FDDI Management Information Base, Request for Comments (RFC) 1512, September 1993. MGT:10. B. Stewart, Definitions of Managed Objects for RS-232- like Hardware Devices, Request for Comments (RFC) 1317, April 1992. MGT:11. F. Kastenholz, Definitions of Managed Objects for the Link Control Protocol of the Point-to-Point Protocol, Request For Comments (RFC) 1471 June 1992. MGT:12. F. Kastenholz, The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol, Request For Comments (RFC) 1472 June 1992. MGT:13. F. Kastenholz, The Definitions of Managed Objects for the IP Network Control Protocol of the Point-to-Point Protocol, Request For Comments (RFC) 1473 June 1992. MGT:14. F. Baker and R. Coltun, OSPF Version 2 Management Information Base, Request For Comments (RFC) 1253, August 1991. MGT:15. S. Willis and J. Burruss, Definitions of Managed Objects for the Border Gateway Protocol (Version 3), Request For Comments (RFC) 1269, October 1991. MGT:16. F. Baker, J. Watt, Definitions of Managed Objects for the DS1 and E1 Interface Types, Request For Comments (RFC) 1406, January 1993. November 28, 1994 - 175 - MGT:17. T. Cox and K. Tesink, Definitions of Managed Objects for the DS3/E3 Interface Types, Request For Comments (RFC) 1407, January 1993. MGT:18. K. McCloghrie, Extensions to the Generic-Interface MIB, Request For Comments (RFC) 1229, August 1992. MGT:19. T. Cox and K. Tesink, Definitions of Managed Objects for the SIP Interface Type, Request For Comments (RFC) 1304, February 1992. MGT:20 F. Baker, IP Forwarding Table MIB, Request For Comments (RFC) 1354, July 1992. MGT:21. G. Malkin and F. Baker, RIP Version 2 MIB Extension, Request For Comments (RFC) 1389, January 1993. MGT:22. D. Throop, SNMP MIB Extension for the X.25 Packet Layer, Request For Comments (RFC) 1382, November 1992. MGT:23. D. Throop and F. Baker, SNMP MIB Extension for X.25 LAPB, Request For Comments (RFC) 1381, November 1992. MGT:24. D. Throop and F. Baker, SNMP MIB Extension for MultiProtocol Interconnect over X.25, Request For Comments (RFC) 1461, May 1993. MGT:25. M. Rose, SNMP over OSI, Request For Comments (RFC) 1418, March 1993. MGT:26. G. Minshall and M. Ritter, SNMP over AppleTalk, Request For Comments (RFC) 1419, March 1993. MGT:27. S. Bostock, SNMP over IPX, Request For Comments (RFC) November 28, 1994 - 176 - 1420, March 1993. MGT:28. M. Schoffstall, C. Davin, M. Fedor, J. Case, SNMP over Ethernet, Request For Comments (RFC) 1089, February 1989. MGT:29. J. Case, FDDI Management Information Base, Request For Comments (RFC) 1285, January 1992. OPER:1. J. Nagle, Congestion Control in IP/TCP Internetworks, Request For Comments (RFC) 896, DDN Network Information Center, SRI International, Menlo Park, California, USA, January 1984. OPER:2. K.R. Sollins, TFTP Protocol (revision 2), Request For Comments (RFC) 1350, July 1992. ROUTE:1. J. Moy, OSPF Version 2, Request For Comments (RFC) 1247, DDN Network Information Center, SRI International, Menlo Park, California, USA, July 1991. ROUTE:2. R. Callon, Use of OSI IS-IS for Routing in TCP/IP and Dual Environments, Request For Comments (RFC) 1195, DDN Network Information Center, SRI International, Menlo Park, California, USA, December 1990. ROUTE:3. C. L. Hedrick, Routing Information Protocol, Request For Comments (RFC) 1058, DDN Network Information Center, SRI International, Menlo Park, California, USA, June 1988. ROUTE:4. K. Lougheed and Y. Rekhter, A Border Gateway Protocol 3 (BGP-3), Request For Comments (RFC) 1267, October 1991. ROUTE:5. P. Gross and Y. Rekhter, Application of the Border Gateway Protocol in the Internet, Request For Comments November 28, 1994 - 177 - (RFC) 1268, October 1991. ROUTE:6. D. Mills, Exterior Gateway Protocol Formal Specification, Request For Comments (RFC) 904, DDN Network Information Center, SRI International, Menlo Park, California, USA, April 1984. ROUTE:7. E. Rosen, Exterior Gateway Protocol (EGP), Request For Comments (RFC) 827, DDN Network Information Center, SRI International, Menlo Park, California, USA, October 1982. ROUTE:8. L. Seamonson and E. Rosen, "STUB" Exterior Gateway Protocol, Request For Comments (RFC) 888, DDN Network Information Center, SRI International, Menlo Park, California, USA, January 1984. ROUTE:9. D. Waitzman, C. Partridge, and S. Deering, Distance Vector Multicast Routing Protocol, Request For Comments (RFC) 1075, DDN Network Information Center, SRI International, Menlo Park, California, USA, November 1988. ROUTE:10. S. Deering, Multicast Routing in Internetworks and Extended LANs, Proceedings of SIGCOMM '88, Association for Computing Machinery, August 1988. ROUTE:11. P. Almquist, Type of Service in the Internet Protocol Suite, Request for Comments (RFC) 1349, July 1992. ROUTE:12. Y. Rekhter, Experience with the BGP Protocol, Request For Comments (RFC) 1266, October 1991. ROUTE:13. Y. Rekhter, BGP Protocol Analysis, Request For Comments (RFC) 1265, October 1991. TRANS:1. J. Postel, User Datagram Protocol, Request For Comments November 28, 1994 - 178 - (RFC) 768, DDN Network Information Center, SRI International, Menlo Park, California, USA, August 1980. TRANS:2. J. Postel, Transmission Control Protocol, Request For Comments (RFC) 793, DDN Network Information Center, SRI International, Menlo Park, California, USA, September 1981. November 28, 1994 - 179 - Subject to restrictions given below, a host MAY be able to act as an intermediate hop in a source route, forwarding a source-routed datagram to the next specified hop. However, in performing this router-like function, the host MUST obey all the relevant rules for a router forwarding source-routed datagrams [INTRO:2]. This includes the following specific provisions: (A) TTL The TTL field MUST be decremented and the datagram perhaps discarded as specified for a router in [INTRO:2]. (B) ICMP Destination Unreachable A host MUST be able to generate Destination Unreachable messages with the following codes: 4 (Fragmentation Required but DF Set) when a source- routed datagram cannot be fragmented to fit into the target network; 5 (Source Route Failed) when a source-routed datagram cannot be forwarded, e.g., because of a routing problem or because the next hop of a strict source route is not on a connected network. (C) IP Source Address A source-routed datagram being forwarded MAY (and normally will) have a source address that is not one of the IP addresses of the forwarding host. (D) Record Route Option A host that is forwarding a source-routed datagram containing a Record Route option MUST update that option, if it has room. (E) Timestamp Option A host that is forwarding a source-routed datagram containing a Timestamp Option MUST add the current timestamp to that option, according to the rules for this option. To define the rules restricting host forwarding of source- routed datagrams, we use the term local source-routing if the next hop will be through the same physical interface through which the datagram arrived; otherwise, it is non-local source-routing. November 28, 1994 - 180 - A host is permitted to perform local source-routing without restriction. A host that supports non-local source-routing MUST have a configurable switch to disable forwarding, and this switch MUST default to disabled. The host MUST satisfy all router requirements for configurable policy filters [INTRO:2] restricting non-local forwarding. If a host receives a datagram with an incomplete source route but does not forward it for some reason, the host SHOULD return an ICMP Destination Unreachable (code 5, Source Route Failed) message, unless the datagram was itself an ICMP error message. November 28, 1994 - 181 - This Appendix defines specific terms used in this memo. It also defines some general purpose terms that may be of interest. See also [INTRO:9] for a more general set of definitions. AS Autonomous System A collection of routers under a single administrative authority using a common Interior Gateway Protocol for routing packets. Connected Network A network prefix to which a router is interfaced is often | known as the local network or the subnetwork relative to | that router. However, these terms can cause confusion, and therefore we use the term Connected Network in this memo. Connected (Sub)Network A Connected (Sub)Network is an IP subnetwork to which a router is interfaced, or a connected network if the connected network is not subnetted. See also Connected Network. Datagram The unit transmitted between a pair of internet modules. data, called datagrams, from sources to destinations. The Internet Protocol does not provide a reliable communication facility. There are no acknowledgments either end-to-end or hop-by-hop. There is no error no retransmissions. There is no flow control. See IP. Default Route A routing table entry which is used to direct any data addressed to any network prefixes not explicitly listed | in the routing table. EGP Exterior Gateway Protocol A protocol which distributes routing information to the gateways (routers) which connect autonomous systems. See IGP. EGP-2 Exterior Gateway Protocol version 2 This is an EGP routing protocol developed to handle traffic between AS's in the Internet. November 28, 1994 - 182 - Forwarder The logical entity within a router that is responsible for switching packets among the router's interfaces. The Forwarder also makes the decisions to queue a packet for local delivery, to queue a packet for transmission out another interface, or both. Forwarding Forwarding is the process a router goes through for each packet received by the router. The packet may be consumed by the router, it may be output on one or more interfaces of the router, or both. Forwarding includes the process of deciding what to do with the packet as well as queuing it up for (possible) output or internal consumption. Fragment An IP datagram which represents a portion of a higher layer's packet which was too large to be sent in its entirety over the output network. IGP Interior Gateway Protocol A protocol which distributes routing information with an Autonomous System (AS). See EGP. Interface IP Address The IP Address and network prefix length that is assigned | to a specific interface of a router. Internet Address An assigned number which identifies a host in an internet. It has two parts: an IP address and a prefix | length. The prefix length indicates how many of the most | specific bits of the address consitute the network | prefix. IP Internet Protocol The network layer protocol for the Internet. It is a packet switching, datagram protocol defined in RFC 791. IP does not provide a reliable communications facility; that is, there are no end-to-end of hop-by-hop acknowledgments. IP Datagram November 28, 1994 - 183 - An IP Datagram is the unit of end-to-end transmission in the Internet Protocol. An IP Datagram consists of an IP header followed by all of higher-layer data (such as TCP, UDP, ICMP, and the like). An IP Datagram is an IP header followed by a message. An IP Datagram is a complete IP end-to-end transmission unit. An IP Datagram is composed of one or more IP Fragments. In this memo, the unqualified term Datagram should be understood to refer to an IP Datagram. IP Fragment An IP Fragment is a component of an IP Datagram. An IP Fragment consists of an IP header followed by all or part of the higher-layer of the original IP Datagram. One or more IP Fragments comprises a single IP Datagram. In this memo, the unqualified term Fragment should be understood to refer to an IP Fragment. IP Packet An IP Datagram or an IP Fragment. In this memo, the unqualified term Packet should generally be understood to refer to an IP Packet. Logical [network] interface We define a logical [network] interface to be a logical path, distinguished by a unique IP address, to a connected network. Martian Filtering A packet which contains an invalid source or destination address is considered to be martian and discarded. MTU (Maximum Transmission Unit) The size of the largest packet that can be transmitted or received through a logical interface. This size includes the IP header but does not include the size of any Link Layer headers or framing. Multicast November 28, 1994 - 184 - A packet which is destined for multiple hosts. See broadcast. Multicast Address A special type of address which is recognized by multiple hosts. A Multicast Address is sometimes known as a Functional Address or a Group Address. Network Prefix | The portion of an IP Address which signifies a set of | systems. It is selected from the IP Address by logically | anding a subnet mask with the address, or (equivalently) | setting the bits of the address not among the most | significant bits of the address to zero. | Originate Packets can be transmitted by a router for one of two reasons: 1) the packet was received and is being forwarded or 2) the router itself created the packet for transmission (such as route advertisements). Packets that the router creates for transmission are said to originate at the router. Packet A packet is the unit of data passed across the interface between the Internet Layer and the Link Layer. It includes an IP header and data. A packet may be a complete IP datagram or a fragment of an IP datagram. Path The sequence of routers and (sub-)networks which a packet traverses from a particular router to a particular destination host. Note that a path is uni-directional; it is not unusual to have different paths in the two directions between a given host pair. Physical Network A Physical Network is a network (or a piece of an internet) which is contiguous at the Link Layer. Its internal structure (if any) is transparent to the Internet Layer. In this memo, several media components that are connected November 28, 1994 - 185 - together via devices such as bridges or repeaters are considered to be a single Physical Network since such devices are transparent to the IP. Physical Network Interface This is a physical interface to a Connected Network and has a (possibly unique) Link-Layer address. Multiple Physical Network Interfaces on a single router may share the same Link-Layer address, but the address must be unique for different routers on the same Physical Network. router A special-purpose dedicated computer that attaches several networks together. Routers switch packets between these networks in a process known as forwarding. This process may be repeated several times on a single packet by multiple routers until the packet can be delivered to the final destination - switching the packet from router to router to router... until the packet gets to its destination. RPF Reverse Path Forwarding A method used to deduce the next hops for broadcast and multicast packets. serial line A physical medium which we cannot define, but we recognize one when we see one. See the U.S. Supreme Court's definitions on pornography. Silently Discard This memo specifies several cases where a router is to Silently Discard a received packet (or datagram). This means that the router should discard the packet without further processing, and that the router will not send any ICMP error message (see Section [4.3.2]) as a result. However, for diagnosis of problems, the router should provide the capability of logging the error (see Section [1.3.3]), including the contents of the silently- discarded packet, and should record the event in a statistics counter. Silently Ignore A router is said to Silently Ignore an error or condition November 28, 1994 - 186 - if it takes no action other than possibly generating an error report in an error log or via some network management protocol, and discarding, or ignoring, the source of the error. In particular, the router does NOT generate an ICMP error message. Specific-destination address This is defined to be the destination address in the IP header unless the header contains an IP broadcast or IP multicast address, in which case the specific-destination is an IP address assigned to the physical interface on which the packet arrived. subnet A portion of a network, which may be a physically independent network, which shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network what a network is to an internet. subnet number A part of the internet address which designates a subnet. It is ignored for the purposes internet routing, but is used for intranet routing. TOS Type Of Service A field in the IP header which represents the degree of reliability expected from the network layer by the transport layer or application. TTL Time To Live A field in the IP header which represents how long a packet is considered valid. It is a combination hop count and timer value. November 28, 1994 - 187 - This appendix lists work that future revisions of this document may wish to address. In the preparation of Router Requirements, we stumbled across several other architectural issues. Each of these is dealt with somewhat in the document, but still ought to be classified as an open issue in the IP architecture. Most of the he topics presented here generally indicate areas where the technology is still relatively new and it is not appropriate to develop specific requirements since the community is still gaining operational experience. Other topics represent areas of ongoing research and indicate areas that the prudent developer would closely monitor. (1) SNMP Version 2 (2) Additional SNMP MIBs (3) IDPR (4) CIPSO (5) IP Next Generation research (6) More detailed requirements for next-hop selection (7) More detailed requirements for leaking routes between routing protocols (8) Router system security (9) Routing protocol security (10) Internetwork Protocol layer security. There has been extensive work refining the security of IP since the original work writing this document. This security work should be included in here. (11) Route caching (12) Load Splitting (13) Sending fragments along different paths November 28, 1994 - 188 - (14) Variable length network prefixes. Routers are required | (MUST) support them, but are not required to detect ambiguous configurations. (15) Multiple logical (sub)nets on the same wire. Router Requirements does not require support for this. We made some attempt to identify pieces of the architecture (e.g. forwarding of directed broadcasts and issuing of Redirects) where the wording of the rules has to be done carefully to make the right thing happen, and tried to clearly distinguish logical interfaces from physical interfaces. However, we did not study this issue in detail, and we are not at all confident that all of the rules in the document are correct in the presence of multiple logical (sub)nets on the same wire. (15) Congestion control and resource management. On the advice of the IETF's experts (Mankin and Ramakrishnan) we deprecated (SHOULD NOT) Source Quench and said little else concrete (Section 5.3.6). (16) Developing a Link-Layer requirements document that would | be common for both routers and hosts. (17) Developing a common PPP LQM algorithm. (18) Investigate of other information (above and beyond section [3.2]) that passes between the layers, such as physical network MTU, mappings of IP precedence to Link Layer priority values, etc. (19) Should the Link Layer notify IP if address resolution | failed (just like it notifies IP when there is a Link | Layer priority value problem)? (20) Should all routers be required to implement a DNS resolver? (21) Should a human user be able to use a host name anywhere | you can use an IP address when configuring the router? Even in ping and traceroute? (22) Almquist's draft ruminations on the next hop and | ruminations on route leaking need to be reviewed, brought up to date, and published. November 28, 1994 - 189 - (23) Investigation is needed to determine if a redirect | message for precedence is needed or not. If not, are the type-of-service redirects acceptable? (24) RIPv2 and RIP+CIDR and variable length network prefixes. | (25) BGP-4 CIDR is going to be important, and everyone is betting on BGP-4. We can't avoid mentioning it. Probably need to describe the differences between BGP-3 and BGP-4, and explore upgrade issues... (26) Loose Source Route Mobile IP and some multicasting may require this. Perhaps it should be elevated to a SHOULD (per Fred Baker's Suggestion). November 28, 1994 - 190 - Multicasting is a relatively new technology within the Internet Protocol family. It is not widely deployed or commonly in use yet. Its importance, however, is expected to grow over the coming years. This Appendix describes some of the technologies being investigated for routing multicasts through the Internet. A diligent implementor will keep abreast of developments in this area in order to properly develop multicast facilities. This Appendix does not specify any standards or requirements. Multicast routing protocols enable the forwarding of IP multicast datagrams throughout a TCP/IP internet. Generally these algorithms forward the datagram based on its source and destination addresses. Additionally, the datagram may need to be forwarded to several multicast group members, at times requiring the datagram to be replicated and sent out multiple interfaces. The state of multicast routing protocols is less developed than the protocols available for the forwarding of IP unicasts. Two multicast routing protocols have been documented for TCP/IP; both are currently considered to be experimental. Both also use the IGMP protocol (discussed in Section [4.4]) to monitor multicast group membership. DVMRP, documented in [ROUTE:9], is based on Distance Vector or Bellman-Ford technology. It routes multicast datagrams only, and does so within a single Autonomous System. DVMRP is an implementation of the Truncated Reverse Path Broadcasting algorithm described in [ROUTE:10]. In addition, it specifies the tunneling of IP multicasts through non-multicast-routing-capable IP domains. MOSPF, currently under development, is a backward- compatible addition to OSPF that allows the forwarding of both IP multicasts and unicasts within an Autonomous System. MOSPF routers can be mixed with OSPF routers within a routing domain, and they will interoperate in the forwarding of unicasts. OSPF is a link-state or SPF-based November 28, 1994 - 191 - protocol. By adding link state advertisements that pinpoint group membership, MOSPF routers can calculate the path of a multicast datagram as a tree rooted at the datagram source. Those branches that do not contain group members can then be discarded, eliminating unnecessary datagram forwarding hops. | PIM, currently under development, is a multicast routing | protocol that runs over an existing unicast infrastructure. | PIM provides for both dense and sparse group membership. | It is different than other protocols, since it uses an | explicit join model for sparse groups. Joining occurs on a | shared tree and can switch to a per-source tree. Where | bandwidth is plentiful and group membership is dense, | overhead can be reduced by flooding data out all links and | later pruning exception cases where there are no group | members. | November 28, 1994 - 192 - Section [5.2.4.3] specifies an algorithm that routers ought to use when selecting a next-hop for a packet. This appendix provides historical perspective for the next-hop selection problem. It also presents several additional pruning rules and next-hop selection algorithms that might be found in the Internet. This appendix presents material drawn from an earlier, unpublished, work by Philip Almquist; Ruminations on the Next Hop. This Appendix does not specify any standards or requirements. It is useful to briefly review the history of the topic, beginning with what is sometimes called the "classic model" of how a router makes routing decisions. This model predates IP. In this model, a router speaks some single routing protocol such as RIP. The protocol completely determines the contents of the router's FIB. The route lookup algorithm is trivial: the router looks in the FIB for a route whose destination attribute exactly matches the | network prefix portion of the destination address in the | packet. If one is found, it is used; if none is found, the destination is unreachable. Because the routing protocol keeps at most one route to each destination, the problem of what to do when there are multiple routes which match the same destination cannot arise. Over the years, this classic model has been augmented in small ways. With the advent of default routes, subnets, and host routes, it became possible to have more than one routing table entry which in some sense matched the destination. This was easily resolved by a consensus that there was a hierarchy of routes: host routes should be preferred over subnet routes, subnet routes over net routes, and net routes over default routes. With the advent of variable length subnet masks (variable | length network prefixes), the general approach remained the same although its description became a little more | complicated; network prefixes were introduced as a | conscious simplification and regularization of the | architecture. We now say that each route to a network | November 28, 1994 - 193 - prefix route has a prefix length associated with it. This | prefix length indicates the number of bits in the prefix. | This may also be represented using the classical subnet | mask. A route cannot be used to route a packet unless each significant bit in the route's network prefix matches the | corresponding bit in the packet's destination address. | routes with more bits set in their masks are preferred over | routes which have fewer bits set in their masks. This is simply a generalization of the hierarchy of routes described above, and will be referred to for the rest of this memo as choosing a route by preferring longest match. Another way the classic model has been augmented is through a small amount of relaxation of the notion that a routing protocol has complete control over the contents of the routing table. First, static routes were introduced. For the first time, it was possible to simultaneously have two routes (one dynamic and one static) to the same destination. When this happened, a router had to have a | policy (in some cases configurable, and in other cases | chosen by the author of the router's software) which determined whether the static route or the dynamic route was preferred. However, this policy was only used as a tie-breaker when longest match didn't uniquely determine which route to use. Thus, for example, a static default route would never be preferred over a dynamic net route even if the policy preferred static routes over dynamic routes. The classic model had to be further augmented when inter- domain routing protocols were invented. Traditional routing protocols came to be called "interior gateway protocols" (IGPs), and at each Internet site there was a strange new beast called an "exterior gateway", a router which spoke EGP to several "BBN Core Gateways" (the routers which made up the Internet backbone at the time) at the | same time as it spoke its IGP to the other routers at its | site. Both protocols wanted to determine the contents of the router's routing table. Theoretically, this could result in a router having three routes (EGP, IGP, and static) to the same destination. Because of the Internet topology at the time, it was resolved with little debate that routers would be best served by a policy of preferring IGP routes over EGP routes. However, the sanctity of longest match remained unquestioned: a default route November 28, 1994 - 194 - learned from the IGP would never be preferred over a net route from learned EGP. Although the Internet topology, and consequently routing in the Internet, have evolved considerably since then, this slightly augmented version of the classic model has survived pretty much intact to this day in the Internet (except that BGP has replaced EGP). Conceptually (and often in implementation) each router has a routing table and one or more routing protocol processes. Each of these processes can add any entry that it pleases, and can delete or modify any entry that it has created. When routing a packet, the router picks the best route using longest match, augmented with a policy mechanism to break ties. Although this augmented classic model has served us well, it has a number of shortcomings: + It ignores (although it could be augmented to consider) path characteristics such as quality of service and MTU. + It doesn't support routing protocols (such as OSPF and Integrated IS-IS) that require route lookup algorithms different than pure longest match. + There has not been a firm consensus on what the tie- breaking mechanism ought to be. Tie-breaking mechanisms have often been found to be difficult if not impossible to configure in such a way that the router will always pick what the network manger considers to be the "correct" route. Section [5.2.4.3] defined several pruning rules to use to select routes from the FIB. There are other rules that could also be used. + OSPF Route Class Routing protocols which have areas or make a distinction between internal and external routes divide their routes into classes, where classes are rank-ordered in terms of preference. A route is always chosen from the most preferred class unless none is available, in which case one is chosen from the second most preferred class, and so on. In OSPF, the classes (in order from most preferred to least preferred) are intra-area, inter- November 28, 1994 - 195 - area, type 1 external (external routes with internal metrics), and type 2 external. As an additional wrinkle, a router is configured to know what addresses ought to be accessible via intra-area routes, and will not use inter- area or external routes to reach these destinations even when no intra-area route is available. More precisely, we assume that each route has a class attribute, called route.class, which is assigned by the routing protocol. The set of candidate routes is examined to determine if it contains any for which route.class = intra-area. If so, all routes except those for which route.class = intra-area are discarded. Otherwise, router checks whether the packet's destination falls within the address ranges configured for the local area. If so, the entire set of candidate routes is deleted. Otherwise, the set of candidate routes is examined to determine if it contains any for which route.class = inter-area. If so, all routes except those for which route.class = inter-area are discarded. Otherwise, the set of candidate routes is examined to determine if it contains any for which route.class = type 1 external. If so, all routes except those for which route.class = type 1 external are discarded. + IS-IS Route Class IS-IS route classes work identically to OSPF's. However, the set of classes defined by Integrated IS-IS is different, such that there isn't a one-to-one mapping between IS-IS route classes and OSPF route classes. The route classes used by Integrated IS-IS are (in order from most preferred to least preferred) intra-area, inter-area, and external. The Integrated IS-IS internal class is equivalent to the OSPF internal class. Likewise, the Integrated IS-IS external class is equivalent to OSPF's type 2 external class. However, Integrated IS-IS does not make a distinction between inter-area routes and external routes with internal metrics - both are considered to be inter-area routes. Thus, OSPF prefers true inter-area routes over external routes with internal metrics, whereas Integrated IS-IS gives the two types of routes equal preference. November 28, 1994 - 196 - + IDPR Policy A specific case of Policy. The IETF's Inter-domain Policy Routing Working Group is devising a routing protocol called Inter-Domain Policy Routing (IDPR) to support true policy-based routing in the Internet. Packets with certain combinations of header attributes (such as specific combinations of source and destination addresses or special IDPR source route options) are required to use routes provided by the IDPR protocol. Thus, unlike other Policy pruning rules, IDPR Policy would have to be applied before any other pruning rules except Basic Match. Specifically, IDPR Policy examines the packet being forwarded to ascertain if its attributes require that it be forwarded using policy-based routes. If so, IDPR Policy deletes all routes not provided by the IDPR protocol. This section examines several route lookup algorithms that are in use or have been proposed. Each is described by giving the sequence of pruning rules it uses. The strengths and weaknesses of each algorithm are presented The Revised Classic Algorithm is the form of the traditional algorithm which was discussed in Section [E.1]. The steps of this algorithm are: 1. Basic match 2. Longest match 3. Best metric 4. Policy Some implementations omit the Policy step, since it is needed only when routes may have metrics that are not comparable (because they were learned from different routing domains). The advantages of this algorithm are: (1) It is widely implemented. (2) Except for the Policy step (which an implementor can choose to make arbitrarily complex) the algorithm November 28, 1994 - 197 - is simple both to understand and to implement. Its disadvantages are: (1) It does not handle IS-IS or OSPF route classes, and therefore cannot be used for Integrated IS-IS or OSPF. (2) It does not handle TOS or other path attributes. (3) The policy mechanisms are not standardized in any way, and are therefore are often implementation- specific. This causes extra work for implementors (who must invent appropriate policy mechanisms) and for users (who must learn how to use the mechanisms. This lack of a standardized mechanism also makes it difficult to build consistent configurations for routers from different vendors. This presents a significant practical deterrent to multi-vendor interoperability. (4) The proprietary policy mechanisms currently provided by vendors are often inadequate in complex parts of the Internet. (5) The algorithm has not been written down in any generally available document or standard. It is, in effect, a part of the Internet Folklore. Some Router Requirements Working Group members have proposed a slight variant of the algorithm described in the Section [5.2.4.3]. In this variant, matching the type of service requested is considered to be more important, rather than less important, than matching as much of the destination address as possible. For example, this algorithm would prefer a default route which had the correct type of service over a network route which had the default type of service, whereas the algorithm in [5.2.4.3] would make the opposite choice. The steps of the algorithm are: 1. Basic match 2. Weak TOS 3. Longest match November 28, 1994 - 198 - 4. Best metric 5. Policy Debate between the proponents of this algorithm and the regular Router Requirements Algorithm suggests that each side can show cases where its algorithm leads to simpler, more intuitive routing than the other's algorithm does. In general, this variant has the same set of advantages and disadvantages that the algorithm specified in [5.2.4.3] does, except that pruning on Weak TOS before pruning on Longest Match makes this algorithm less compatible with OSPF and Integrated IS-IS than the standard Router Requirements Algorithm. OSPF uses an algorithm which is virtually identical to the Router Requirements Algorithm except for one crucial difference: OSPF considers OSPF route classes. The algorithm is: 1. Basic match 2. OSPF route class 3. Longest match 4. Weak TOS 5. Best metric 6. Policy Type of service support is not always present. If it is not present then, of course, the fourth step would be omitted This algorithm has some advantages over the Revised Classic Algorithm: (1) It supports type of service routing. (2) Its rules are written down, rather than merely being a part of the Internet folklore. (3) It (obviously) works with OSPF. However, this algorithm also retains some of the disadvantages of the Revised Classic Algorithm: (1) Path properties other than type of service (e.g. November 28, 1994 - 199 - MTU) are ignored. (2) As in the Revised Classic Algorithm, the details (or even the existence) of the Policy step are left to the discretion of the implementor. The OSPF Algorithm also has a further disadvantage (which is not shared by the Revised Classic Algorithm). OSPF internal (intra-area or inter-area) routes are always considered to be superior to routes learned from other routing protocols, even in cases where the OSPF route matches fewer bits of the destination address. This is a policy decision that is inappropriate in some networks. Finally, it is worth noting that the OSPF Algorithm's TOS support suffers from a deficiency in that routing protocols which support TOS are implicitly preferred when forwarding packets which have non-zero TOS values. This may not be appropriate in some cases. Integrated IS-IS uses an algorithm which is similar to but not quite identical to the OSPF Algorithm. Integrated IS-IS uses a different set of route classes, and also differs slightly in its handling of type of service. The algorithm is: 1. Basic Match 2. IS-IS Route Classes 3. Longest Match 4. Weak TOS 5. Best Metric 6. Policy Although Integrated IS-IS uses Weak TOS, the protocol is only capable of carrying routes for a small specific subset of the possible values for the TOS field in the IP header. Packets containing other values in the TOS field are routed using the default TOS. Type of service support is optional; if disabled, the fourth step would be omitted. As in OSPF, the specification does not include the Policy step. This algorithm has some advantages over the Revised November 28, 1994 - 200 - Classic Algorithm: (1) It supports type of service routing. (2) Its rules are written down, rather than merely being a part of the Internet folklore. (3) It (obviously) works with Integrated IS-IS. However, this algorithm also retains some of the disadvantages of the Revised Classic Algorithm: (1) Path properties other than type of service (e.g. MTU) are ignored. (2) As in the Revised Classic Algorithm, the details (or even the existence) of the Policy step are left to the discretion of the implementor. (3) It doesn't work with OSPF because of the differences between IS-IS route classes and OSPF route classes. Also, because IS-IS supports only a subset of the possible TOS values, some obvious implementations of the Integrated IS-IS algorithm would not support OSPF's interpretation of TOS. The Integrated IS-IS Algorithm also has a further disadvantage (which is not shared by the Revised Classic Algorithm): IS-IS internal (intra-area or inter-area) routes are always considered to be superior to routes learned from other routing protocols, even in cases where the IS-IS route matches fewer bits of the destination address and doesn't provide the requested type of service. This is a policy decision that may not be appropriate in all cases. Finally, it is worth noting that the Integrated IS-IS Algorithm's TOS support suffers from the same deficiency noted for the OSPF Algorithm. November 28, 1994 - 201 - Although the focus of this document is interoperability rather than security, there are obviously many sections of this document which have some ramifications on network security. Security means different things to different people. Security from a router's point of view is anything that helps to keep its own networks operational and in addition helps to keep the Internet as a whole healthy. For the purposes of this document, the security services we are concerned with are denial of service, integrity, and authentication as it applies to the first two. Privacy as a security service is important, but only peripherally a concern of a router - at least as of the date of this document. In several places in this document there are sections entitled ... Security Considerations. These sections discuss specific considerations that apply to the general topic under discussion. Rarely does this document say do this and your router/network will be secure. More likely, it says this is a good idea and if you do it, it *may* improve the security of the Internet and your local system in general. Unfortunately, this is the state-of-the-art AT THIS TIME. Few if any of the network protocols a router is concerned with have reasonable, built-in security features. Industry and the protocol designers have been and are continuing to struggle with these issues. There is progress, but only small baby steps such as the peer-to-peer authentication available in the BGP and OSPF routing protocols. In particular, this document notes the current research into developing and enhancing network security. Specific areas of research, development, and engineering that are underway as of this writing (December 1993) are in IP Security, SNMP Security, and common authentication technologies. Notwithstanding all of the above, there are things both vendors and users can do to improve the security of their router. Vendors should get a copy of Trusted Computer System Interpretation [INTRO:8]. Even if a vendor decides not to submit their device for formal verification under these guidelines, the publication provides excellent guidance on general security design and practices for computing devices. November 28, 1994 - 202 - O that we now had here | But one ten thousand of those men in England | That do no work to-day! | November 28, 1994