Page Numbers: Yes X: 530 Y: 10.5" First Page: 0 Not-on-first-page
Columns: 1 Edge Margin: .6" Between Columns: .4"
Margins: Top: 1.3" Bottom: 1"
Line Numbers: No Modulus: 5 Page-relative
Heading: Not-on-first-page
PUP: AN INTERNETWORK ARCHITECTURE
Pup: An Internetwork Architecture
by David R. Boggs, John F. Shoch, Edward A. Taft, and Robert M. Metcalfe1
CSL-79-10July 1979, revised October 1979
Abstract: Pup is the name of an internet packet format (PARC Universal Packet), a hierarchy of protocols, and a style of internetwork communication. The fundamental abstraction is an end-to-end media-independent internetwork datagram. Higher levels of functionality are achieved by end-to-end protocols that are strictly a matter of agreement among the communicating end processes.
This report explores important design issues, sets forth principles that have guided the Pup design, discusses the present implementation in moderate detail, and summarizes experience with an operational internetwork. This work serves as the basis for a functioning internetwork system that provides service to about 1000 computers, on 25 networks of 5 different types, using 20 internetwork gateways.
Key words and phrases: computer networks, protocols, packet switching, internets, network interconnection, gateways, datagrams, virtual circuits, fragmentation
Accepted for publication in IEEE Transactions on Communications, April 1980.
1Present affiliation: Computer Systems Laboratory, Stanford University, Stanford, California 94305.
XEROX
PALO ALTO RESEARCH CENTER
3333 Coyote Hill Road / Palo Alto / California 94304
1. Introduction
Research in network interconnection techniques has been motivated by the desire to permit communication among diverse, geographically distributed computing resources and users interconnected by a wide variety of network technologies.
It is the purpose of an internetwork architecture to provide a uniform framework for communication within a heterogeneous computing, communication, and applications environment. The work described in this paper represents one internetwork architecture, known as Pup, in widespread regular use within Xerox. The name referred originally to the abstract design of a standard internetwork datagram (the PARC Universal Packet), but has expanded in usage to include the whole hierarchy of internetwork protocols as well as a general style for internetwork communication.
To assist in understanding the design of the Pup protocols, it is useful to characterize briefly the environment in which this architecture has evolved.
The computational environment includes a large number of ‘‘Alto’’ minicomputers [Kay, 1977; Thacker et al., 1979] and other personal computers capable of high-quality interaction with human users. Supporting these are various specialized server systems that are shared among many users and provide access to expensive peripherals such as large disks, magnetic tapes, and high-quality printers. Additionally, there are several general-purpose time sharing systems providing customary services for terminal users.
The communications environment includes several different individual network designs. The dominant one is the ‘‘Ethernet’’ communications network, a local-area broadcast channel with a bandwidth of 3 megabits per second [Metcalfe & Boggs, 1976]. Long-haul communication facilities include the Arpanet, the ARPA Packet Radio network, and a collection of leased lines implementing an Arpanet-style store-and-forward network. These facilities have distinct native protocols and exhibit as much as three orders of magnitude difference in bandwidth.
The applications to be supported include a wide range of activities: terminal access to the time sharing services, electronic mail, file transfer, access to specialized data bases, document transmission, software distribution, and packet voice, to name just a few. We would also like to facilitate more ambitious explorations into the area generally referred to as ‘‘distributed computing.’’
This paper is organized as follows. In section 2 we discuss some of the design issues which have emerged in the formulation of the Pup architecture, while section 3 provides more detail on the protocols themselves. Section 4 describes briefly some of our operational experience with the present implementation. The final section presents a retrospective critique of the work, highlighting some areas which merit further attention.
2. Design principles and issues
Constructing an architecture for internetwork protocols is, first and foremost, an exercise in design: identifying individual issues, exploring alternative solutions, and then knitting these pieces together to form the final result. Along the way, many compromises are made as one trades off among different criteria: functionality, efficiency, generality, ease of implementation, extensibility, and others.
In this section we enumerate some of the major design issues confronted in the development of a network architecture and describe, in general terms, the choices made in the development of Pup. (Several of these and other issues are enumerated in [Cerf & Kirstein, 1978] and [Postel, 1980].) From this discussion the broad outlines of Pup will emerge; the section that follows provides more specific detail about the actual design.
2.1. The basic model: individual networks connected with gateways
As with most internetwork models, one envisions a collection of heterogeneous networks, connected with a set of internetwork gateways to form a loosely coupled system known generally as an internet [Cerf & Kahn, 1974; Sunshine, 1977a; Cerf & Kirstein, 1978]. An internet should provide the ability for any two hosts to communicate, so long as their own local networks are interconnected.
An important feature of the Pup internet model is that the hosts are the internet. Most hosts connect directly to a local network, rather than connecting to a network switch such as an IMP, so subtracting all the hosts would leave little more than wire. Gateways are simply hosts in the internet that are willing to forward packets among constituent networks. Thus, most of the properties of the internet are primarily artifacts of host software. The architecture must scale gracefully, and in particular must allow for the existence of a degenerate internet consisting of a single local network and no gateways.
2.2. Simplicity
One of the guiding principles in designing Pup has been the desire for simplicity. Pup is a framework for computer communications research, and simplicity is one of the best ways to minimize restrictions and maximize flexibility for experimentation. Attempting deliberately to eliminate unneeded complexity helps to keep the design open-ended. This in turn makes it easier to incorporate the existing diverse collection of networks and hosts and to accommodate new alternatives as the technology matures. Keeping the design simple helps to avoid building in technological anachronisms.
A second motivation for this principle is the desire to foster efficient implementations of the protocols in the host machines, which are typically quite small. Software overhead must be kept low in order to sustain high-bandwidth local communication, which constitutes the bulk of the traffic; yet the same software must support the full generality of internetwork communication.
2.3. Datagrams versus virtual circuits
There are two major approaches to providing an interface to packet-switched communications: accepting individual datagrams, or providing a higher level of service in the form of a virtual circuit. The two interfaces are not unrelated, since a virtual circuit interface is usually implemented within a network by the use of datagrams. In some sense, datagrams provide access to a network at a lower level, closer to its underlying capabilities. Datagrams are particularly useful in many kinds of transaction-oriented protocols. Furthermore, the task of the internet is significantly simplified if it need only transport independent, individually-addressed datagrams, without having to maintain the state required to support virtual circuits. If the internet provides a datagram interface, virtual circuit interfaces can be provided by adding appropriate mechanisms at the end points.
Therefore, the basic function provided by the Pup internet is the transport of datagrams; this simple abstraction is the foundation of Pup. The internet does not guarantee reliable delivery of datagrams (called ‘‘Pups’’); it simply gives its ‘‘best efforts’’ to deliver each one, and allows the end processes to build protocols which provide reliable communications of the quality they themselves desire [Metcalfe, 1973]. The internet has no notion of a connection. It transports each Pup independently, and leaves construction of a connection—if that is the appropriate interprocess communication model—to the end processes. Keeping fragile end-to-end state out of the packet transport system contributes to reliability and simplicity.
2.4. Individual networks as packet transport mechanisms
Individual networks within the internet can be viewed simply as packet transport mechanisms. As links in the internet they give their best efforts to deliver internet packets, but they do not guarantee reliable delivery. Packets may be lost, duplicated, delivered out of order, after a great delay, and with hidden damage. A network can have any combination of bandwidth, delay, error characteristics, topology, and economics; the routing algorithm should attempt to take these characteristics into consideration.
Encapsulation is an invertible, network-dependent transformation performed on a Pup to permit it to be carried transparently through a network: an abstract Pup is presented at one end, encapsulated for transmission through the net, and decapsulated at the other end, yielding the original Pup. For some networks, encapsulation consists merely of adding headers and trailers. More elaborate transformations may be necessary to pass a Pup through other networks (for example, using low-level acknowledgments or error correction because the network has a high loss rate). Encapsulation and decapsulation take place in a network-specific driver in which is vested all knowledge of the encapsulation technique. The internet specification has nothing to say about encapsulation except that it be invisible.
2.5. Internetwork gateways
We distinguish two kinds of gateways: media translators and protocol translators. Media gateways are hosts with interfaces to two or more packet transport mechanisms among which they forward internet datagrams, using the appropriate encapsulation for each. These are the heart of any datagram-based internet. Protocol gateways are hosts which speak two or more functionally similar but incompatible higher-level protocols used to transport information within networks, mapping one higher-level abstraction into the other. (It’s clear that a media gateway is just doing protocol translation at the link level, but the distinction is useful given the importance of internet datagrams in this architecture.)
In the Pup internet, media gateways are by definition simple, since all that is required of the translation process is that it preserve the semantics of internetwork datagrams. Protocol gateways are usually more difficult, even when the protocols are similar, since such higher-level protocols provide richer and more specialized semantics and it is not always clear how one should map the functionality of one protocol into another. Development of higher-level protocol translators between different network and internet architectures—e.g., between the Arpanet File Transfer Protocol (FTP) and the Pup-based FTP—is a thorny task, but one that must be confronted when interconnecting systems that do not share the necessary lower-level primitives.
2.6. A layered hierarchy of protocols
Layering of protocols is one of the most effective means for structuring a network design: each level uses the functions of the lower level, and adds some functionality of its own for possible use by the next level. Provided that suitable interfaces are maintained, an implementation at one level can be modified without impacting the overall structure; this helps to simplify both the design and the implementation.
Pup protocols are organized in a hierarchy, as shown in figure 1; the details of this figure will be presented in section 3. A level represents an abstraction, to be realized in different ways in different hosts. There are four levels of interest, but there may be more than one protocol at any level except level 1, representing a different use of the underlying layers. (The numbering of layers—and, indeed, the choice of points at which to divide the layers—is arbitrary; there is no relationship between Pup’s numbering and that of other designs such as the Open Systems Architecture.)
The level 0 abstraction is a packet transport mechanism. There are many realizations: an Ethernet channel, the Arpanet, the ARPA Packet Radio Network, our store-and-forward leased line network, and others. Level 0 protocols include specifications such as hardware interfaces, electrical and timing characteristics, bit encodings, line control procedures, and network-dependent packet formatting conventions. Associated with each packet transport mechanism is a convention for encapsulating Pups.
<==<PupFig1.press<
The level 1 abstraction is an internet datagram. The realization of this abstraction consists of the format of a Pup, a hierarchical addressing scheme, and an internetwork routing algorithm. There is only one box at level 1: the internet datagram protocol; it is this layer of commonality which unifies all of the different networks that might be used at level 0, and which makes available a uniform interface to all of the layers above. It is the purpose of this level to provide media independence while maintaining the common properties of the underlying packet networks.
The level 2 abstraction is an interprocess communication mechanism: a way to move bits without saying much about their form or content. Various level 2 protocols provide many combinations of reliability, throughput, delay, and complexity. These protocols can be divided into two classes according to the amount and lifetime of state information kept by the communicating end processes. Connectionless protocols support short-lived interactions; the end processes maintain little state, and usually only during the exchange of a few Pups—no more than a few seconds. Connection-based protocols support sustained interactions, generally requiring substantial state to be maintained at both ends, and for longer periods—minutes to hours.
Level 3 adds structure to the data moved at level 2, as well as conventions for how processes interact. For example, the File Transfer Protocol (FTP) consists of a set of conventions for talking about files and a format for sending them through a level 2 byte stream protocol connection. These are sometimes referred to as function-oriented protocols [Crocker et al., 1972].
Above level 3 the dividing lines become blurred, and individual applications evolve with their own natural decomposition into additional layers. With respect to layering of protocols, Pup is similar in many ways to the ARPA Internet and TCP design [Cerf & Kahn, 1974] and the Open Systems Architecture [Zimmermann, 1980]. Unlike the Open Systems Architecture (and others), Pup often has several alternative boxes which all rest on a lower level and offer different functionality and interfaces to the next higher level.
2.7. Naming, addressing, and routing
Names, addresses and routes are three important and distinct entities in an internet [Shoch, 1978]:
The name of a resource is what one seeks,
an address indicates where it is, and
a route is how to get there.
A name is a symbol, such as a human-readable text string, identifying some resource (process, device, service, etc.) An address is a data structure whose format is understood by level 1 of the internet, and which is used to specify the destination of a Pup. A route is the information needed to forward a Pup to its specified address. Each of these represents a tighter binding of information: names are mapped into addresses, and addresses are mapped into routes. Error recovery should successively fall back to find an alternate route, then an alternate address, and then an alternate name.
The mapping from names to addresses is necessarily application-specific, since the syntax and semantics of names depend entirely on what types of entities are being named and what use is being made of them. This is dealt with at the appropriate higher levels of protocol.
An address field, as contained in a Pup, is one of the important elements of commonality in the internet design. An end process sends and receives Pups through a port identified by a hierarchical address consisting of three parts: a network number, a host number, and a socket number. This structure reflects the attitude that the communicating parties are the end processes, not the hosts’ protocol handlers; among other things, this permits alternate implementations of a higher-level protocol to coexist in a single machine. (In contrast, the ARPA Internet project [Postel, 1980] takes the position that the socket abstraction does not belong at the internet level; therefore, ARPA Internet addresses contain only network and host numbers. When a packet arrives, it is first demultiplexed by the protocol type field in the internet header; higher-level protocols such as the TCP, datagram protocol, and packet voice protocol then impose their own concept of socket if they find it useful—which, as a practical matter, they all do.)
The actual process of routing a packet through the Pup internet uses a distributed adaptive routing procedure. The source process specifies only the destination address and not the path from source to destination. The internetwork gateways route Pups to the proper network, a network then routes Pups to the proper host, and a host routes Pups to the proper socket.
This routing process is associated with Level 1 in the protocol hierarchy, the level at which packet formats and internet addresses are standardized. The software implementing level 1 is sometimes referred to as a router. Thus, the routing table itself is kept at level 1; a very simple host (or gateway) would need only levels 0 and 1 in order to route Pups. But the routing table also requires periodic updating, as gateways exchange and distribute their current routing information; this routing table maintenance protocol is found logically at level 2 of the hierarchy.
Gateways provide internet routing tables to individual hosts as well as to each other. Hosts use this routing information to decide where to send outgoing packets destined other than to a directly-connected network.
2.8. Flow control and congestion control
Although the terms are often confused, flow control and congestion control attack two very different problems in packet-switched communication. Flow control is a mechanism used to regulate the behavior of a specific source and destination pair, so that the source does not send data at a rate greater than the receiver can process it. In an internet architecture, flow control remains the responsibility of the end-to-end protocols, particularly those at level 2 supporting regular stream traffic.
Congestion control is a network-wide mechanism, used to control the number and distribution of packets in the network so as to prevent system overload. Internet congestion control is necessary to help protect the gateways from being burdened with excessive traffic.
The Pup datagram-based internet model does not require that the internet successfully deliver every packet that has been accepted. Therefore, an intermediate gateway which suddenly encounters a period of severe congestion is free to discard packets, although the system should be engineered to make this an uncommon event.
If a gateway is forced to discard an incoming packet because of congestion, it should attempt to return some information to the source: an error Pup (negative acknowledgment) indicating that a packet had to be discarded in mid-route. This error Pup is simply returned to the source port, as identified in the discarded Pup; this is a good illustration of the value of including the socket number as part of the standard internet address. The source process can use this information to modify its transmission strategies—for example, to reduce its offered load (the rate at which it attempts to send Pups along the congested path) and thereby help to relieve the congestion.
Long-term congestion should eventually be reflected in the routing information exchanged among gateways, discouraging subsequent traffic from attempting to pass through a badly congested area.
2.9. Reliable transport
Defining datagrams to be less than perfectly reliable is realistic since it reflects the characteristics of many existing packet transport mechanisms. Probabilistic transmission is basic to the theory of operation of network designs such as Ethernet. Even in networks nominally designed to deliver correctly sequenced, error-free packets, occasional anomalies may result from certain hardware or software failures: an Arpanet IMP may crash while holding the only copy of a packet, or an X.25 virtual circuit may be reset.
As mentioned previously, the Pup internet always has the option of discarding packets to relieve congestion, though this is certainly not an optimal strategy. This point is of considerable practical importance when one considers the complicated measures required to avoid deadlock conditions in the Arpanet—conditions which are a direct consequence of attempting to provide reliable delivery of every packet in a store-and-forward network [Metcalfe, 1973; McQuillan & Walden, 1977]. Packet management strategies that attempt to guarantee perfect reliability must be designed to operate correctly under worst case conditions, whereas strategies that have the option of discarding packets when necessary need operate correctly only under most conditions. The idea is to sacrifice the guarantee of reliable delivery of individual packets and to capitalize on the resulting simplicity to produce higher reliability and performance overall.
For some applications, perfectly reliable transport is unnecessary and possibly even undesirable, especially if it is obtained at the cost of increased delay. For example, in real-time speech applications, loss of an occasional packet is of little consequence, but even short delays (or worse, highly variable ones) can cause significant degradation [Cohen, 1977; Sproull & Cohen, 1978].
Reliable delivery requires maintaining state information at the source and destination. The actions of a large class of simple servers, such as giving out routing tables or converting names into addresses, are idempotent (i.e., may be repeated without incremental effects), and a client of that service can simply retransmit a request if no response arrives. These protocols reduce to a simple exchange of Pups, with an occasional retransmission by the client, but with no state retained by the server. (The server may choose to retain answers to the last few requests to improve response time, but this optimization is invisible to the protocol.)
On the other hand, many applications such as file transfer and terminal connection do depend upon fully reliable transmission. In these cases, it is perfectly reasonable to build a reliable end-to-end protocol on top of the internet datagrams. Ultimately, reliability (by some definition) is always required; the issue is where it should be provided. The Pup attitude is that it is the responsibility of the end processes to define and implement whatever form of reliable transport is appropriate to the situation.
2.10. Packet fragmentation
It is inevitable that some process will want to send an internet packet which is too large to be directly encapsulated for transmission through an intermediate network that has a smaller maximum packet size. This problem is usually approached with one of two forms of packet fragmentation [Shoch, 1979a].
With internetwork fragmentation, an internet-wide design specifies the operations to be performed on a packet that is too large for a network it is about to enter. The internet datagram is fragmented into a number of smaller internet datagrams, thereafter to be transported independently and reassembled at the ultimate destination. This is the approach taken, for example, in the ARPA Internet design. It requires every destination to have procedures for reassembly.
Alternatively, one may use intranetwork fragmentation (or network-specific fragmentation): when presented with an oversize packet, the network-specific driver undertakes to fragment the packet in a manner specific to that network, to be reassembled by the corresponding driver as the packet exits the network (e.g., at the next gateway). This approach confines the fragmentation and reassembly procedures to the level 0 modules of hosts directly connected to the network in which fragmentation is required.
The Pup design does not attempt to provide any form of general internetwork fragmentation. This complex issue has been simply legislated out of existence by requiring that every agent in the internet handle Pups up to a standard maximum size, using network-specific fragmentation where necessary.
2.11. Broadcast packets
Broadcast packets are a particularly useful means for locating available resources or distributing information to many hosts at once. Some local networks, such as the Ethernet, directly support transmission of broadcast packets. In store-and-forward systems, however, specialized algorithms are required to propagate a packet efficiently to all hosts [Dalal, 1977; Dalal & Metcalfe, 1978]; no existing store-and-forward networks support any technique besides brute-force transmission of a packet to every node, though such a capability is now being implemented in the Arpanet.
Broadcasts may also be expensive since every host that receives one must expend some resources, if only to discard it. In networks where a broadcast involves generating more than one packet, there is the additional cost of creating and transporting the extra copies. Because of their potentially high cost, internet-wide broadcasts are not presently supported in the Pup design. Nor is it clear that such a capability would be desirable, since it would not extend well to a very large internet. The problem of locating distant resources in the internet at reasonable cost is a topic of current research.
But Pups can be broadcast on a single network; they are frequently used to locate nearby resources, or to permit gateways to announce their presence on a network. Implementation of the broadcast procedure is left to the network-specific driver, using the best technique available on that net.
2.12. Privacy and security
It must be recognized that in practical internet environments, packets may be delivered to the wrong host, intercepted by another host, or generated by a host masquerading as some other host. To prevent this would require one to interpose some agent between hosts and the internet and to specify a secure access control procedure. This would significantly increase the complexity of the internet, and truly suspicious users would probably not trust it anyway.
Processes are encouraged, however, to ensure the privacy and authenticity of their communication by whatever end-to-end encryption techniques seem appropriate [Needham & Schroeder, 1978]. Particularly vulnerable components, such as gateways and servers, should take precautions to protect their own integrity, but ultimate responsibility rests with the end processes. The Pup internet does not attempt to protect users from traffic analysis or from malicious replay of previous traffic.