Re: [Ieprep] Meaning of Single Administrative Domain

[Rex Buddenberg <budden@nps.navy.mil>]

Steve,

This is pretty important both to the organization and the technology. 
Ken's pretty much on target.  The definition you repeated is one that
matches up administrative control and autonomous systems and is
generally used in IETF.  

When the Internet (then ARPANet)  started tiering, the notion of
Autonomous Systems was born and routers got a differentiation with
exterior and interior gateway protocols.  (Hope this isn't too pedantic
a review).  
	Within an AS, we run an interior protocol (such as OSPF) and all
routers have identical knowledge of the network topology (assuming the
network is converged).  Administratively, this can only really happen if
we have a single administrative control.  This comprehensive knowledge
of which routers can directly talk with which is confined to the AS --
the outside world (other admin domains) don't know.  Rather they only
know where the gateways into this AS are.
	These gateways (border routers) say 'send traffic to this AS to me and
I'll take care of it'.  Exterior gateway protocols (BGP4) implement this
approach.  This handles the interface between administrative domains ...
and ASs.

Why's this important in emergency services?  Case 1 might be where the
fire department has a network in a community to control its assets and
the police department has another, different network.  Two ASs.  And
I've certainly seen communities where this kind of insularity exists. 
The upsides in this partitioning have to do with security (enclaving). 
The downsides include poorer Ao for a fixed amount of infrastructure,
greater difficulty in controlling QoS (assuming inadequate
overprovisioning that necessitates it) and flexibility to meet changing
situations.  
	Case 2 might be where the city administration runs the entire network
as a single AS.  The upsides and downsides noted above essentially
evert.  But one has to draw a line somewhere -- it doesn't make sense
for a community to attempt to run it's network as the same AS as a
national emergency service network (e.g. national level police force or
coast guard).  And it may or may not make sense for the emergency
services network to be in the same AS as the k12 schools.  
	The problem Ken is trying to frame comes from some past discussion on
this board where trying to pass diff-serv (DS byte) information across
border routers is deemed as:
	1) necessary to make diff-serv work end-to-end.  A good share of the
discussion is whether that's necessary.
	2) leaving a gaping security hole open.  A Bad Guy can flood a network
with high priority traffic and thereby impose a denial of service
attack.  (All the practicing ISPs lined up here -- they all zero out the
DS byte to close off the DOS vector). 

That help any?



On Tue, 2004-10-12 at 05:33, steve.norreys@bt.com wrote:
> All
> 
> Perhaps someone out there can help me as I am having some difficulty in
> defining the exact meaning of a single administrative domain that is
> part of the last call for "Emergency Telecommunications Services (ETS)
> Requirements for a Single Administrative Domain".
> 
> According to draft-ietf-ieprep-domain-req-02.txt section 1 the
> explanation of the Administrative Domain: is "The collection of
> resources under the control of a single administrative authority.  This
> authority establishes the design and operation of a set of resources
> (i.e., the network)." 
> 
> However further on in the document in section 4.2 in the explanation of
> the relationship to the work ongoing in the ITU-T this statement is
> made: "However, to provide a bridge of
> understanding, the reader can assume that ETS within the IETF is
> synonymous with TDR in the ITU -- each involving authorized use of a
> service that attempts to compensate for stressed conditions of
> resources."
> 
> These two statements are in my mind conflicting. In the recent ITU-T PCP
> meeting one of the definitions of TDR is to do with international
> communications to and from the disaster area and local communications at
> the disaster area. This is not a single network on the contrary it is a
> requirement for cooperation of many networks especially international
> networks.
> 
> I may have misunderstood the point here and would grateful if someone
> could put me on the correct path.
> 
> 
> Regards
> 
> Steve Norreys  
> Signalling and Protocols
> Tel:       +441277323220
> email    steve.norreys@bt.com
> 
> 
> British Telecommunications plc
> Registered office: 81 Newgate Street London EC1A 7AJ
> Registered in England no. 1800000
> This electronic message contains information from British
> Telecommunications plc which may be privileged or confidential. The
> information is intended to be for the use of the individual(s) or entity
> named above. If you are not the intended recipient be aware that any
> disclosure, copying, distribution or use of the contents of this
> information is prohibited. If you have received this electronic message
> in error, please notify us by telephone or email (to the numbers or
> address above) immediately. 
> Activity and use of the British Telecommunications plc E-mail system is
> monitored to secure its effective operation and for other lawful
> business purposes. Communications using this system will also be
> monitored and may be recorded to secure effective operation and for
> other lawful business purposes. 
> 
> 
> 
> _______________________________________________
> Ieprep mailing list
> Ieprep@ietf.org
> https://www1.ietf.org/mailman/listinfo/ieprep
-- 

b



_______________________________________________
Ieprep mailing list
Ieprep@ietf.org
https://www1.ietf.org/mailman/listinfo/ieprep