IEN-183
                       Logical Addressing
                  Bolt Beranek and Newman Inc.
                          Eric C. Rosen
                            May 1981
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
                        Table of Contents
1   Introduction.......................................... 1
2   Translating Logical to Physical Addresses............. 7
2.1   Translation Locus................................... 7
2.2   Translation Methodology............................ 10
3   Organizing the Translation Tables.................... 17
4   Initializing the Translation Tables.................. 23
5   Updating the Translation Tables...................... 30
6   Operational and Implementation Considerations........ 49
7   Network Access Protocol Implications................. 53
                               -i-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
1  Introduction
        This paper is a slightly modified extract from BBN Report
No.  4473,  "ARPANET Routing Algorithm Improvement, Volume 1," by
Rosen, et al.  It proposes  a  scheme  for  implementing  logical
addressing  in  the  ARPANET.  However, the issues dealt with are
quite similar to the issues raised by the problem of implementing
logical  addressing in the Catenet (several IENs are currently in
preparation in which  we  argued  for  this  assertion  at  great
length.)   It is hoped, therefore, that the discussion will be of
interest to internet workers as well.
        In the current ARPANET, in order for a user  to  transmit
data  to  a particular host, he must know the PHYSICAL ADDRESS of
the host.  That is, he must know which node the host is connected
to,  and  he must know which port on that node is used to connect
that host.  Furthermore, this is the ONLY means  a  user  has  of
identifying  a host.  In many respects, the physical address of a
host computer can be compared to  a  person's  telephone  number.
The  problems  inherent  to  physical  addressing  in  a computer
network are similar to those  we  would  experience  in  ordinary
interpersonal  communication  if a person's telephone number were
the only means we had of identifying him.  Dialing  a  particular
telephone  number allows us to establish a communications channel
to a particular location.  This works well as long as the  person
                               -1-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
with  whom  we  wish  to  communicate  remains at that particular
location.  When the person  changes  his  location,  though,  the
phone  number becomes virtually useless, and the physical address
of a host computer becomes  equally  useless  if  the  computer's
location   within   the  network  changes.   In  the  context  of
interpersonal communication, this gives rise to the calling of  a
"wrong  number".  In the context of computer networking, this can
give rise to the more serious phenomenon of mis-delivery of data.
Furthermore,  when  a computer changes location within a network,
it is quite difficult to carry out  a  procedure  which  reliably
informs  all  users  of  its  new  physical  address.   There are
difficulties in identifying all users, difficulties in contacting
them  once  they are identified, difficulties in making sure that
the information receives  the  proper  level  of  attention  once
contact  is  made, and if all these difficulties are resolved, it
is still difficult to make  the  necessary  changes  to  computer
software  so  that  the new physical address is actually put into
use.
        There  is  another  sort  of  problem  would   occur   in
interpersonal  communication  if  our only means of identifying a
person were by his phone number.  It is very common  for  several
people  to share a phone number.  If we identified people only by
phone numbers, we could not distinguish among several  people  at
                               -2-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
the same location.  This problem arises in computer networking if
several computers share the  same  port.   There  are,  in  fact,
several  reasons  why  it  may  be  desirable  to  allow  several
computers to share the same port.  One reson is simply  the  need
to  get  by  with a less than optimal amount of equipment, either
due to economics or to shortage.  If some administration has  two
computers,  each of which needs to be on the network only part of
the day, but which do not need to be on the network at  the  same
time,  sharing  a  single  port  may  be  the best solution.  The
increasing cost-effectiveness of such devices as  port  expanders
and  local  networks  may also make it more and more desirable to
have several computers sharing the same port.  A related  problem
arises  if  one thinks of a network of computers as consisting of
"logical hosts," rather than physical hosts.  Whereas a  physical
host  would  be  a  particular  piece of hardware, a logical host
would be the instantiation of  a  particular  function.   Thus  a
physical  host  which supported (for example) time-sharing during
the day and batch processing at night could be  regarded  as  two
logical  hosts  which share the port on a time-division basis.  A
related application is the situation in which  the  functionality
of  two  (small)  physical  hosts  is  combined into one (larger)
physical host, which then can be thought of as consisting of  two
logical  hosts.   It could be very useful to have the flexibility
to move logical hosts freely around the network, perhaps changing
                               -3-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
the correspondence between particular logical and physical hosts,
without having to inform all users of the new physical addresses.
        Of  course,  the  reasons  these  problems  in   computer
networking  are  more  serious  than  the  analogous  problems in
interpersonal communication is that telephone numbers are not the
only,  or  even  the  primary, means we have of identifying other
people.  We can identify other people by NAME, and  this  greatly
facilitates  our ability to get in touch with people even as they
change location.  It also enables us to specify the individual we
wish  to  talk  to, in the situation where several people share a
telephone.  Similar advantages would accrue if we could  identify
computers  by  name rather than by physical address.  In order to
get our data to the appropriate computer,  its  physical  address
would  still  have to be determined.  But the user should be able
to tell the network the name of the appropriate computer (perhaps
a  logical  rather  than  a  physical  host), and let the network
itself map the name to  its  physical  address.   For  speed  and
reliability,   the   mapping   function  should  be  accomplished
automatically (i.e., by software) with  minimal  need  for  human
intervention.   Schemes  to  accomplish this are known as LOGICAL
ADDRESSING schemes,  and  the  name  of  a  computer  is  usually
referred  to  as  its  "logical address" (though in fact, logical
addresses are not addresses at all, since they, like  names,  are
                               -4-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
independent of location).
        A  good  logical  addressing  scheme  should  allow  more
flexibility  than may be already apparent.  We have spoken of the
need to be able  to  identify  a  computer  in  a  way  which  is
independent  of  location,  and  of  the  need  to be able to map
several distinct names onto a single physical address.  There  is
also a need to be able to map a single name onto several physical
addresses.   To  carry  out  the   analogy   with   interpersonal
communication,  this  would correspond to the case where a single
person has several  telephones,  with  different  phone  numbers,
possibly  at  different  locations.  This adds reliability to the
communications process, since if the person cannot be reached  at
one  phone  number,  perhaps he can be reached at another.  If he
can be reached at each of the numbers, he now can handle  several
conversations  simultaneously, i.e., he has increased throughput.
In computer networking, this sort  of  application  is  known  as
"multi-homing."  In  multi-homing,  a single computer connects to
the  network  through  several   ports,   usually   (though   not
necessarily) at several different network nodes.  This allows the
computer to remain on the network even though one of  its  access
lines,   ports,   or   home   nodes   fails,  thereby  increasing
reliability.  In  the  case  where  it  is  more  economical  (or
otherwise  more  practical)  to  obtain  several low-speed access
                               -5-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
lines than to obtain a single high speed line,  multi-homing  can
also  allow  a given host computer to obtain higher throughput at
less cost.
        Another sort of application which requires a single  name
to  map  into  several  physical  addresses  can be compared to a
business which has several branch offices, each with a  different
phone number, but whose customers do not care which branch office
they reach.  This can be useful in certain sorts of  internetting
applications.   Suppose,  for example, that an ARPANET user wants
to send a packet to SATNET, but that there  are  several  equally
good gateways between the two networks.  It may be convenient for
the user to simply specify a name  like  "Gateway-to-SATNET"  and
let  the  network  choose  which  of  the several gateways (i.e.,
physical  addresses)  to  use.   A  related  sort   of   possible
application  has  to  do with distributed processing and resource
sharing.  If some particular resource  is  available  at  any  of
several  locations  around  the  network,  it may be desirable to
allow the user to specify the resource by  name,  and  allow  the
network  to  map  that name onto some particular physical address
according to criteria that the user need not be aware of.   (Such
a  service  was  formerly offered by the ARPANET TIPs.  By typing
@N, a user would be connected to a  "Resource-Sharing  Executive"
on  one  of  several  network  TENEX systems.  The user, however,
                               -6-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
would have no way of knowing which system he was actually on.)
2  Translating Logical to Physical Addresses
2.1  Translation Locus
        It should be obvious that any implementation  of  logical
addressing  would  require  the network to maintain a translation
table.  The user would specify a logical address, and the network
would  use  this logical address as an index into the translation
table in order  to  obtain  the  physical  address  (or  list  of
physical  addresses)  to which it corresponds.  The network would
use the physical address internally to determine the  routing  of
user  messages.   The  need to maintain a translation table gives
rise to a multitude of design issues.  The  first  question  that
needs  to  be  answered is, where should the translation table be
located?   Should  every  node  maintain  a  copy  of  the  whole
translation  table,  or  should there be just a few copies of the
table scattered around the network in  strategic  locations?   If
there  are  only  a few copies scattered around the network, then
nodes which do not contain the tables would  have  to  query  the
nodes that do in order to perform the translation function.  This
is less efficient (both in terms of overhead and  response  time)
than   placing  the  table  in  every  node.   Considerations  of
                               -7-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
reliability and survivability also favor  placing  the  table  in
every node.  This eliminates the possibility of finding that, due
to network partition, all copies of  the  translation  table  are
inaccessible.   It eliminates the need to have some nodes serving
as hot or cold standby for the nodes which do  have  the  tables.
This  is  an  important  advantage, since the protocols needed to
implement "standby" tend to  be  slow  and  cumbersome,  or  else
unreliable.   Furthermore, if all nodes maintain identical copies
of the translation table, there is no  need  to  go  through  any
special  initialization  procedure  for creating the table when a
node first comes up.  Typically, a node which is just  coming  up
has  been reloaded from a neighboring node.  If all nodes have an
identical copy of the table, a node coming up can simply have its
table  reloaded  from its neighbor, i.e., can copy its neighbor's
table.  (Under certain unusual conditions this may give rise to a
race  condition, but as we shall see later, it is a race that can
be easily remedied and one that will  not  have  any  bad  effect
other than to slow the reload process.)
        There is, however, a possible disadvantage to having  the
tables  in  every  node.   That is simply the need to have enough
memory in every node to hold the  table.   In  certain  networks,
particularly  commercial ones, the network nodes may be of widely
varying sizes and capabilities, and the smaller  nodes  just  may
                               -8-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
not  be  able  to  hold  the  complete  translation  table.  Such
networks  would  necessarily  have   a   hierarchical   structure
(probably  with  some  form  of hierarchical routing), and a node
would not be able to hold a translation table unless it  were  at
or above a certain level in the hierarchy.
     Strictly speaking, only those nodes which will ever need  to
translate  a  logical  address to a physical address will need to
have a copy of the translation table.  Whether that is all  nodes
or  only  a  subset  of  the  nodes  depends  on  the translation
methodology that we adopt.  We have a  choice  between  requiring
translation  to  be done only at the source node, or requiring it
to be done also at tandem nodes.  In the former  case,  when  the
user  presents  some  data  to  the  network  and  specifies  its
destination with a logical address, the source node looks in  the
translation table, gets the physical address, places the physical
address in the packet header, and sends the packet  on  its  way.
Tandem  nodes  do  not look at the destination logical address at
all, but only at the physical address.  In the other  case,  each
tandem   node   looks  at  the  logical  address,  does  its  own
translation to physical address, and routes the  packet  on  that
basis.   The  packet  header  would  not even have to contain the
physical address.  If we do source  translation  only,  the  only
nodes  which  need  to  contain translation tables are those that
                               -9-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
connect to hosts which use logical addressing.   If  these  nodes
are  only  a  subset of all the nodes, then it may be feasible to
configure  these  nodes  with  more  memory  than   the   others.
Therefore,  we  must  look  at  the advantages of source node vs.
tandem node translation.
2.2  Translation Methodology
        Clearly, in the case where a logical address  maps  to  a
unique  physical  address, source node translation is superior to
tandem node translation.  As long as there is only  one  possible
physical address for that logical address, all nodes will produce
exactly  the  same  mapping.   There  is  thus  no  advantage  to
performing  the  mapping several times, and the scheme which does
it only once is more efficient.  There is, however, one exception
to  this.   When  the  translation  tables need to be updated, we
cannot expect all copies to  be  updated  simultaneously.   There
will  necessarily  be some short interval of time when not all of
the copies of the table around the  network  are  identical,  and
during this interval, tandem node translation may yield different
results than source  node  translation.   It  will  certainly  be
necessary to design some mechanism to deal with this problem, and
we shall propose one shortly for the ARPANET environment.  Tandem
node  translation,  however,  is  not  the right solution to this
                              -10-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
problem.  During the transient period, some copies of  the  table
will be right (up to date) and some wrong (out of date).  But the
copies at the tandem nodes will be no more  likely  to  be  right
than  the  copy  at  the  source node, so tandem node translation
would be as likely to amplify the problem as to reduce  it.   The
solution to this problem lies elsewhere.
        In the case where  a  logical  address  maps  to  several
physical  addresses (multi-homing), tandem node translation might
well  give  different  results  than  source  node   translation.
However,  we  must  now  distinguish  between virtual circuit and
datagram  traffic.   If  virtual  circuit  traffic  is  logically
addressed,  all translation must be performed at the source node.
In  fact,  the  translation  must  be  performed  only  once,  at
connection  set-up time.  This is the only way to ensure that all
traffic on a given circuit is sent to the same physical  address,
which  in  turn  is  the  only  way to provide the sequencing and
duplicate detection that is the RAISON D'ETRE of virtual  circuit
traffic.    (Additional   issues  having  to  do  with  logically
addressed virtual circuit traffic will be discussed later.)  Thus
the only possible advantage of tandem node translation would have
to do with datagram traffic which is destined  to  a  multi-homed
logical  address.  To understand the differences, though, between
source node and tandem node translation, we  must  first  discuss
                              -11-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
the  criteria  which a node uses to pick one physical address out
of the several that are available.  Even though a host is  multi-
homed,  any  particular  packet  for it can go to only one of its
physical addresses; some criterion for choosing the proper one in
each   particular  case  must  therefore  be  available.  Several
possible criteria come readily to mind:
        a)   When   there   are   several   physical    addresses
corresponding  to a given logical address, it may be desirable to
send packets to the physical address  which  is  closest  to  the
source  node, according to some metric of distance.  For example,
if we are interested in minimizing delay, we may want  to  choose
the physical address to which the delay from the source is least.
If SPF routing is used, this information  is  readily  available.
If  we  are interested in minimizing the use of network resources
by a particular packet  (i.e.,  in  maximizing  throughput  while
still  using  only  a  single  path),  we  may want to choose the
physical address which is the  least  number  of  hops  from  the
source.   (For  these  purposes, ties can be broken arbitrarily.)
Again, this information can be made readily available by the  SPF
routing  algorithm (although it is not readily available from the
ARPANET's particular implementation of that  algorithm,  since  a
table  of  hop-counts is not saved).  If either of these criteria
is used, tandem node  translation  can  result  in  better  route
                              -12-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
selection for the logically addressed datagram.  If delay changes
or topology changes take place while a packet is in  transit,  it
may  happen  that  the  "closest" physical address to some tandem
node is different from the physical address that was  closest  to
the source node when the packet first entered the network.  It is
easy to prove that, if SPF routing is used, this cannot result in
looping,  except as a transient phenomenon while a routing update
is traversing the network.  That is no  particular  disadvantage,
since  a  packet may be subject to that sort of transient looping
even when its  destination  physical  address  does  not  change.
However,  it  is  not clear that tandem node translation provides
much of an advantage  either,  especially  when  one  takes  into
account  the  additional  overhead of doing the re-translation at
each  tandem  node.   Doing  translation  at  tandem  nodes  will
necessarily  increase  the  nodal  delay  and  decrease the nodal
throughput.  These negative effects  may  outweigh  the  positive
effects  of  improved  route  selection for those relatively rare
cases in which delay or topology changes  significantly  while  a
packet  is  in  transit.   We  must  remember  that although real
improvements in route selection would only  occur  rarely  (since
delay and topology changes are very infrequent when compared with
average network transit times), re-translation would have  to  be
done  for EVERY logically addressed datagram.  Unfortunately, all
these effects are extremely difficult to quantify with any degree
                              -13-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
of  confidence.   Our  (somewhat  intuitive)  conclusion is that,
under the selection criterion of choosing  the  closest  physical
address,   tandem   node  translation  offers  at  best  a  small
improvement over source node translation, and at worst  a  severe
degradation.
        b) It is possible that some multi-homed hosts  will  want
to  establish an inherent ordering to their ports.  That is, they
may prefer to receive all their traffic on port  A,  unless  that
port  is inaccessible to the source of the traffic, in which case
they prefer to receive all traffic on port B, unless that port is
inaccessible  to  the  source  of the traffic, in which case they
prefer to receive all traffic on  port  C,  etc.   This  sort  of
strategy  may  be appropriate if certain of the host access lines
are charged according to a volume-based tariff, while others  are
not.   It  may also be appropriate if certain of the access lines
can be used more efficiently (i.e., can  be  serviced  with  less
host  CPU  bandwidth)  than  others.  (An example might be a host
which can access the ARPANET through an 1822 line and a VDH line.
It  might  be  desirable to avoid the VDH line, unless absolutely
necessary, since VDH lines tend to be used less efficiently.)  In
either case, the idea would be to reduce cost by favoring certain
ports over others, using  the  more  expensive  ports  only  when
needed  for purposes of reliability or availability.  Thus we may
                              -14-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
want  the  logical  addressing  scheme  to  support  an  inherent
ordering among the several physical addresses which correspond to
a given logical address.  With this scheme, there is no advantage
to  doing  tandem  node  translation.   There  will  be  only one
ordering for the set of physical  addresses  corresponding  to  a
logical  address,  so  tandem  nodes  should always pick the same
physical address as the source node  picked,  and  re-translation
would  simply  be  a  waste  of  resources.   There  are only two
exceptions to this.  The  first  exception  would  arise  in  the
situation   where   a   particular   physical   address   becomes
inaccessible as a packet routed to that address is traversing the
network.   However, since this can happen no matter what criteria
are used for choosing among the physical addresses, we put it off
for later consideration.  The second exception would arise if the
translation tables were  being  updated  while  a  packet  is  in
transit.   Clearly, some procedure to deal with this case must be
devised, since the update which is taking  place  may  invalidate
the  translation  which  was  done  at  the  source.  Tandem node
translation is not the proper solution, however, since  there  is
in  general no reason to believe that the tandem node is more up-
to-date than the source node.  We will return to this issue  when
we discuss the table updating procedures.
        c) Certain multi-homed hosts may have  a  preference  for
                              -15-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
receiving certain kinds of traffic over particular ports.  Thus a
dual-homed host may consider one of its ports more  suitable  for
receiving  batch traffic, and another more suitable for receiving
interactive traffic (perhaps the first port offers a higher speed
but  a  longer  delay  than  the second).  However, if one of the
ports is inaccessible from a particular source  node,  that  node
would send all its traffic (both kinds) to the port which remains
accessible.  With this criterion, we see once again  that  tandem
node translation offers no benefits, since, barring the case of a
port becoming inaccessible while a  packet  is  in  transit,  all
tandem nodes would select the same physical address as the source
node.
        d) Some multi-homed hosts may wish to try to  keep  their
several access lines as equally loaded as possible.  One possible
way to do this would be to establish an inherent ordering to  the
ports  (as  in  b, above), but to make the ordering different for
different source nodes (or hosts).  Clearly, this scheme requires
source node translation; tandem node translation would only serve
to defeat it.  Another possible way to achieve some sort of  load
leveling  would  be  for  each source node to send traffic to the
various physical addresses on a round-robin basis.  This would be
a  very crude form of control, but might work reasonably well for
particular traffic patterns.  This scheme  also  requires  source
                              -16-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
node   translation.   In  fact,  tandem  node  translation  could
actually cause packets to loop endlessly.
        We see then that none of the suggested selection criteria
give  any  very  large  advantage to tandem node translation, and
some of the criteria are actually in conflict with re-translation
at  tandem nodes.  Thus it is not necessary for all notes to hold
the translation tables; only those nodes connected to hosts which
use  logical  addressing  need hold the tables.  Of course, it is
still possible that the tables will be too large to  be  held  in
any  one  node,  in  which  case we would have to use distributed
database techniques to split the tables among several nodes.   We
will not consider that further here, but we will consider it in a
future IEN.
3  Organizing the Translation Tables
        Another issue having to do with the translation tables is
the  way  in which the tables should be organized.  Clearly we do
not want the  entries  in  the  table  to  be  in  random  order,
necessitating  a  lengthy  linear  search each time a translation
must be done.  Basically, there are two possible  ways  to  order
the  table.   We  can sort the table by logical address, and do a
binary search of the table whenever we need to do  a  logical-to-
                              -17-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
physical address translation.  This is a rather efficient form of
searching, but it causes inefficiencies when table  entries  have
to be inserted or deleted, since that would require a potentially
time-consuming expansion or compression of the table.  There are,
however,    ways   of   reducing   the   overhead   involved   in
insertions/deletions.  Deletions could be made "logically", i.e.,
by  marking  an entry deleted, rather than physically compressing
the table.  New entries could be inserted into an overflow  area,
which  itself  would  be  searched linearly whenever a particular
logical address could not be found in  the  main  table.   Actual
compression/expansion  of  the main table would be done only when
the overflow area filled.   Note,  however,  that  this  sort  of
strategy  would  necessarily complicate the search algorithm, and
this might  actually  do  more  harm  than  good,  especially  if
insertions  and  deletions  are rare events.  We shall see later,
when  we  discuss  the  conditions  under  which  insertions  and
deletions  are  required,  that these are indeed rare events.  We
conclude  tentatively  that,  if  a  sorted  table  with   binary
searching  is  used,  the use of an overflow area is probably not
necessary.
        The other possibility for organizing the table is to  use
hashing.   A  good  hashing  algorithm (i.e., one which minimizes
collisions) provides very efficient insertions and very efficient
                              -18-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
searches.   Deletions  are  not quite so efficient, but are still
more efficient, in general, than the table  compression  required
if  binary  searching  is  used.   However,  hashing  has certain
inherent problems which may make it less  suitable.   Choosing  a
hashing   algorithm   which  both  minimizes  collisions  and  is
computationally efficient is not a simple matter.   One  must  be
sure  that  the time needed to perform the hashing is really less
than the average time needed to find an entry in a  sorted  table
by  means of binary searching; otherwise, the efficiency is lost.
Furthermore, the number of collisions generated by  a  particular
hashing  algorithm  will  depend  on exactly which set of logical
addresses are in use.  The set of logical addresses in use during
a network's lifetime will be a slowly changing set, and a hashing
algorithm  which  is  excellent  at  one  time  may   give   poor
performance  at  another.  Hashing algorithms are also subject to
undetected programming bugs in  a  way  in  which  binary  search
algorithms  are  not.   A  bug  which  is inserted into a hashing
algorithm, which, for example, causes all entries  to  hash  into
the same bucket, might go undetected for years, although it would
cause a  significant  performance  degradation  by  reducing  the
efficiency  of the hashing technique to that of linear searching.
A bug in the binary search  algorithm,  however,  would  be  more
likely to come to someone's attention.  Its probable result would
not be performance  degradation,  but  rather,  failure  to  find
                              -19-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
certain  entries.   This would cause inability to deliver traffic
to certain logical addresses, and this would  certainly  come  to
the  users'  attention  very  quickly.  These qualitative reasons
would seem to indicate that binary  searching  is  preferable  to
hashing.   It  would  also  be  useful  to  do  some quantitative
analysis; that may be done at a later stage of our research.
        Someone may wonder why we  have  not  considered  a  much
simpler  method  of  organizing  the  tables.  Logical addresses,
after all, are just numbers (or at  least  are  representable  as
numbers).   If  the  set of logical addresses in use at any given
time is a contiguous set of numbers, then the  addresses  can  be
used  as  indexes directly into a translation table, with no need
either for hashing or for sorting.  The problem, of course,  lies
in  the  requirement  that  the  set  of logical addresses form a
contiguous  set  of  numbers.    Assigning   numbers   to   hosts
contiguously  may not be a problem in itself, but it does cause a
problem as soon as some host is removed from  the  network.   Its
number  (or  numbers, if it has several logical addresses) cannot
be left unused, or the size of the  translation  table  would  be
determined  not  by  the number of logical addresses currently in
use in the network, but rather by the number of logical addresses
that  have ever been in use in the network, a number which may be
much larger, and which in fact has  no  bound.   Yet  it  is  not
                              -20-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
acceptable simply to reassign the same logical addresses as hosts
enter or leave the network.  We all  have  some  experience  with
moving  to  a  new  location, getting a new telephone number, and
finding ourselves  frequently  getting  calls  intended  for  the
person  who  previously  had that number.  Such calls may persist
for years, especially if the  number  previously  belonged  to  a
business.   Receiving  phone  calls  or mail intended for someone
else who happens to have the  same  name  as  we  do  is  also  a
familiar  occurrence.   We  would  expect  analogous  problems if
logical  addresses  are  reassigned  (at  least,  if   they   are
reassigned  without some very long waiting period), especially if
the logical address previously belonged to a large service  host.
When  a  user  tries  to address a host which is no longer on the
network, he should receive  some  indication  of  that  fact;  he
should  NOT  have his data mis-delivered to some other host which
has been assigned the same name.  Thus it is preferable to have a
logical  addressing  scheme  which does not depend on the logical
addresses forming a contiguous set of numbers.
        Whatever means of organizing the table is chosen, it  may
still be useful to maintain a smaller table for use as a "cache."
The  cache  would  contain  the  n  most  recently  used  logical
addresses (where n is some small number), together with a pointer
to the absolute location of that logical  address  entry  in  the
                              -21-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
main  translation table.  When it is necessary to do translation,
the  cache  would  be  searched  before  the  main  table.    The
assumption  is  that  once  one  packet  for a particular logical
address is received from a source host, many  more  will  follow.
Thus  it  pays to optimize the search for that particular logical
address.  Choosing the optimum size for the cache, and the  means
of  searching  it  (linear  or  binary) are issues left for later
resolution.  These issues must be dealt with carefully,  however;
one would not want to find that searching the cache takes as long
or longer than searching the main table.  It is worth emphasizing
that the cache should contain a pointer into the main translation
table, rather than a copy  of  the  list  of  physical  addresses
associated  with  a  particular logical address.  For multi-homed
logical addresses, this is more efficient, since it involves less
copying.   Also,  if  there  are  variables  associated  with the
physical addresses, this enables unique copies of  the  variables
to  be  kept  in  the  main  table.   (Suppose, for example, that
packets are to be sent on a  round-robin  basis  to  the  several
physical   addresses   corresponding  to  a  multi-homed  logical
address.  This requires a variable to  be  associated  with  each
physical  address,  indicating  whether that physical address was
the last one to be sent data.  This variable must be kept in  the
main  table, not the cache, since one cannot rely on a particular
logical address always being present in the cache.)  This  means,
                              -22-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
of  course,  that  the  cache  must be cleared whenever there are
insertions or deletions into the main translation table, but that
should  not  be  very  expensive  as  long as such insertions and
deletions are relatively rare.
4  Initializing the Translation Tables
        We turn now to the issue of  how  the  translation  table
entries  are  to  be  set  up  in the first place.  That is, what
procedure is to  be  used  for  establishing  that  a  particular
logical  address  is  to  map  to  a  particular  set of physical
addresses.  One possibility for the ARPANET,  of  course,  is  to
have all the mappings set up by the Network Control Center (NCC).
This is quite reasonable in certain cases.  If  some  user  wants
his computer to be addressable by some new logical address (i.e.,
by a logical address not previously in use), it  makes  sense  to
have  him  contact  the  NCC  directly.   If  the user has proper
authorization, the NCC can then take action to  set  up  the  new
entry  in  all the translation tables.  A similar procedure would
also be appropriate if some logical  address  is  to  be  totally
removed  from  the translation tables (i.e., that logical address
will no longer be in use in that network).  This procedure  would
also  be appropriate when a particular computer is moved from one
location to another, necessitating a change  in  its  logical-to-
                              -23-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
physical  mapping,  or  if  the functionality of two computers is
combined into one, so that two logical addresses  which  formerly
mapped  to  distinct  physical  addresses  now  map  to  the same
physical address.  What all these cases have in  common  is  that
they  are  relatively infrequent (i.e., occurring on the order of
days, rather than on the order  of  minutes),  and  they  require
considerable    advance    planning.     The   first   of   these
characteristics ensures that NCC personnel will  not  be  swamped
with   translation   table   changes.    The   second   of  these
characteristics makes it feasible to coordinate such  changes  in
advance  with  the NCC.  Unfortunately, not all translation table
changes  have  these  characteristics.   For  example,  we   have
suggested that a good logical addressing scheme should facilitate
port-sharing.  That is, some user might want to unplug one of his
computers  from  the  network  and  use  that  port  for  another
computer.  He should be able to  do  this  without  much  advance
planning,  and  without  having to explicitly coordinate with the
NCC.  As soon as the change is  made,  users  who  are  logically
addressing the first computer should be told that it is no longer
on the network; only the logical address of the  second  computer
should  map to this port.  If this change in the mapping does not
take place immediately, the result can be mis-delivery  of  data,
as  packets  which  are logically addressed to the first computer
get mis-delivered to the second.  A similar situation  arises  if
                              -24-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
some  computer consists of several "logical hosts." Logical hosts
may come and go quite frequently, with  no  advance  planning  at
all.   The  logical  addressing  system  should  be able to adapt
immediately  to  such  changes,  without  any  need   for   human
intervention.   A related situation arises in the case of logical
addresses which  are  multi-homed.   We  have  already  discussed
various possible criteria for choosing among the several physical
addresses associated with a single multi-homed  logical  address.
But  before applying these criteria, any physical addresses which
are "inaccessible" from the source node  must  be  excluded.   If
some  host has two access lines into the network, and one of them
is inaccessible from a particular source node, then  all  traffic
from  that  source  node  should  be directed to the other access
line.  Indeed, this is one of  the  most  important  purposes  of
multi-homing.  This implies that a source node must have some way
of knowing that a  certain  physical  address  is  not  currently
accessible.   There  are  basically  two classes of reasons why a
given physical address might be inaccessible from a source  node.
The  first  is  that there is no path from the source node to the
destination node (either because the network is  partitioned,  or
because  the  destination  node  is  down).   This information is
readily available from the routing tables, and need not  be  kept
in  the  translation  tables.   It  is simple enough to check the
routing  tables  when  choosing  one  from  a  set  of   physical
                              -25-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
addresses.   The  other  reason  why  a physical address might be
inaccessible is that the port itself, or the access line from the
port  to  the  host,  has  failed.   Functionally,  this  is  the
equivalent of unplugging the host from the port.  It  may  happen
quite   frequently,   however,  and  certainly  with  no  advance
planning.  As  long  as  the  node  itself  is  up,  the  routing
algorithm  will give no indication that the port is inaccessible;
this information must somehow get into  the  translation  tables.
Clearly, we do not want to depend on human intervention to ensure
that this sort of change gets made  in  the  translation  tables.
What  is  needed  here  is  a  quick and reliable means of making
changes  in  the  translation  tables,  not  the  cumbersome  and
unreliable method of contacting the NCC.  The same problem arises
when the inaccessible port becomes accessible again.   One  wants
to  be  able  to begin using this port again as soon as possible,
without having to wait until NCC personnel have time to make  the
appropriate  changes  in  the  translation  tables.   So although
certain sorts of changes to the translation tables can be made by
the   NCC,   many  sorts  of  changes  will  occur  suddenly  and
unexpectedly, and need to become effective immediately.   So  the
procedure of having all translation table changes made by the NCC
is not satisfactory.
        There is another sort of problem with having  translation
                              -26-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
table changes made by the NCC.  The problem is that carelessness,
either by the NCC or by host site personnel, can result  in  mis-
delivery  of  data  if changes are made by the NCC.  Suppose, for
example, that a network controller makes a  typographical  error,
associating a logical address with an incorrect physical address.
If there is no further check on the validity of that mapping, one
computer  may  receive data intended for another.  A good logical
addressing  scheme   should   prevent   this   sort   of   simple
typographical  error  from  resulting  in mis-delivery.  The same
situation can occur if one computer is  carelessly  plugged  into
the  wrong  port.  In this case, networks which use only physical
addressing might also mis-deliver data.  However,  with  physical
addressing,  one  must  expect  mis-delivery  if some computer is
plugged into the wrong  port  (i.e.,  given  the  wrong  physical
address)  due  to carelessness.  With logical addressing, this is
not inevitable, and a good scheme should give  better  protection
against carelessness.
        Another possibility for setting up the translation  table
entries is to have each host, as it comes up on the network, tell
the network which logical addresses it wants to be  addressed  by
over   each   of   its  (physical)  ports.   This  would  require
augmentation of the host access protocol to  include  a  "Logical
Address  Declaration"  (LAD)  message.  A given host could put as
                              -27-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
many logical addresses as it wanted in each LAD message.   Multi-
homed  hosts  would  send the same LAD message over each of their
ports.  The  logical  addresses  specified  in  the  LAD  message
received over a given port would all be mapped to that particular
physical address.  Hosts would be allowed to change their logical
addresses  at  any  time by sending a LAD message to the network.
Since a host may wish to add  or  delete  logical  addresses  for
itself  at  any  time, there would have to be two options for the
LAD message -- "add" and "delete."  Whenever  a  particular  port
goes  down  (either  because  the  port  itself fails to function
properly, or because the access line between the network and  the
host  fails, or because the host itself crashes), all mappings of
logical addresses to that port would be cancelled.  When the host
can once again communicate with the network through that port, it
would have to redeclare its logical addresses with a LAD  message
before it could receive any logically addressed traffic.
        Allowing each host to set up its own  logical-to-physical
address  mappings  in  this  manner  has  several advantages over
having all the mappings set up by the NCC.  This procedure allows
sudden  and unplanned mapping changes to take effect immediately,
with no need for advance planning and coordination with the  NCC.
Since  the  mappings  are  cancelled immediately when a port goes
down, this procedure helps to ensure that, if  one  of  a  multi-
                              -28-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
homed host's ports is down, all data which is logically addressed
to that host will  go  to  the  other  ports.   If  one  host  is
unplugged  from  a  given port, and another plugged in its place,
the procedure ensures that the mapping  for  the  first  host  is
cancelled,   while  the  mapping  for  the  second  host  becomes
effective.  When a host goes down, there is  no  assumption  that
the   same   host  will  return  in  the  same  location.   Hence
carelessness on the part  of  site  personnel  or  NCC  personnel
cannot  result  in  mis-delivery of data; data which is logically
addressed to a certain host could only be  delivered  to  a  host
which has declared itself to have that logical address.
        There are, however, two quite serious problems with  this
procedure.  The first problem is that of spoofing.  That is, this
procedure offers no protection against the  situation  where  one
host declares itself to be addressable by a logical address which
is supposed to be the logical address of a different host.   Thus
the  procedure  allows  one  host to "steal" traffic intended for
another, simply by declaring itself  to  have  the  same  logical
address  as  the other.  This sort of spoofing might be done by a
malicious user, who is really  trying  to  steal  someone  else's
data,  or it might happen accidentally, as a result of programmer
or operator error.  In either case, we would like  to  have  some
procedure  which  is  less  prone to spoofing.  The other serious
                              -29-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
problem with this procedure is  that  it  can  easily  cause  the
translation  tables  to  overflow  in  size.   If  every host can
specify an uncontrolled and unlimited number of logical addresses
for  itself,  there  is  no  bound on the size of the translation
tables.  Since only a finite amount of memory will  be  available
for the translation tables, it is clearly not acceptable to allow
each host to specify an arbitray number of logical addresses  for
itself.
5  Updating the Translation Tables
        We have examined two different procedures for setting  up
the  logical-to-physical  address  mappings,  and have found that
they both have problems.  Many of these problems can be resolved,
however,  by  a combination of the two procedures.  Let us define
two characteristics of  a  logical-to-physical  address  mapping,
which we will call "authorized" and "effective." A mapping from a
particular logical address to a particular  physical  address  is
"authorized"  if  a  host  which  connects to the network at that
physical  address  is  allowed  to  use  that  logical   address.
Authorizations  would  change  very  infrequently, and only after
considerable advance  planning.   Hence  it  is  appropriate  for
authorizations  to be determined (i.e., added and deleted) by the
NCC.  A mapping from a particular logical address to a particular
                              -30-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
physical  address  would  be  said  to  be  "effective"  from the
perspective of a  given  source  node  if  (1)  that  mapping  is
authorized,  (2)  that  physical  address is accessible from that
source node, and (3) the host at that physical  address  has,  by
means  of  a  LAD  message,  declared itself to have that logical
address.  When a port goes down, all mappings to it  will  become
ineffective,  until  they  are made effective again by means of a
LAD message.  Logically addressed traffic will not  be  delivered
to  a particular physical address unless the mapping between that
logical address and that physical address is effective.   Changes
in  the  effectiveness  of a mapping will occur automatically, in
real-time, with no need for intervention by NCC personnel.   This
facilitates  multi-homing,  since  if  there  are  two authorized
mappings of a logical address to a physical address, and only one
is  effective,  that  one  can  be  chosen all the time until the
second becomes effective also.  It facilitates sharing  of  ports
(either  by  physical  or  by logical hosts), since each host has
control over the effectiveness (though not the authorization)  of
the  mappings  that affect it.  Carelessness by NCC personnel can
cause the wrong mappings to become authorized, but it  is  rather
unlikely  that  an  incorrectly  authorized  mapping could become
effective --  that  would  require  carefully  planned  malicious
intent.   Therefore,  such carelessness might prevent delivery of
data to some host, but would  not  cause  mis-delivery  of  data.
                              -31-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
Carelessness  by site personnel, such as plugging a host into the
wrong port, would not  cause  mis-delivery  of  data,  since  the
mapping  of  that  host's logical address to that particular port
would not be authorized.  The possibility of spoofing is  greatly
reduced; since host A cannot pretend to be host B unless it is at
a port which is already authorized for host B.  The size  of  the
translation  table  cannot  increase without bound, since that is
determined by the number of authorized mappings,  and  cannot  be
increased  by  LAD  messages.   This  means,  of course, that the
network access protocol must be further modified so that  it  can
provide   positive  and  negative  acknowledgments  for  the  LAD
messages.  For each logical address that  a  host  specifies  for
itself  in  a  LAD  message,  the  network  must  return either a
positive   or   a   negative   acknowledgment.    The    positive
acknowledgment  would indicate that the mapping is authorized and
has become effective.  The negative acknowledgment would indicate
that the mapping is not authorized.
        It must be emphasized that the suggested  procedures  are
not  intended  to provide security in any very strict sense.  For
networks in which security  is  a  very  important  issue  (e.g.,
AUTODIN  II), further study of these issues should be carried out
by security experts.
        It should also be emphasized that these  procedures  will
                              -32-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
allow  the  logical  addressing  scheme  to  continue to function
normally even if the NCC facilities are down.   It  does  require
centralized  intervention  to  add  or delete authorizations, and
this could not be done if the NCC were down.  For a fixed set  of
authorized  mappings,  however,  no  centralized  intervention is
required to determine the effectiveness of  the  mappings.   That
is, the real-time functionality and responsiveness of the logical
addressing scheme does not  depend  in  any  way  on  the  proper
functioning of the NCC.
        We have argued that the authorization of a mapping should
be  determined  by  the  NCC,  and the effectiveness of a mapping
should be determined by  the  network  node  which  contains  the
physical  address  (port)  to  which  the  mapping  is  made,  in
cooperation with the host that is connected  to  that  port.   We
have  also  argued  that  a full translation table (i.e., a table
containing all the effective mappings) should be stored  at  each
network  node  (or  more  precisely,  at  each network node which
serves as an access point for a host which can be either a source
or  a  destination  of logically addressed traffic).  However, we
have not yet discussed the algorithm by which  the  effectiveness
or  ineffectiveness  of  a particular logical-to-physical address
mapping is communicated to all network nodes.   We  turn  now  to
this  issue.   We  will  discuss  two  very different methods for
                              -33-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
building up the translation tables at all nodes.
        The first method is based upon an extension  of  the  SPF
routing algorithm, wherein each logical address is treated like a
stub node.  In this method,  each  node  is  initialized  with  a
partial translation table.  This table contains a list of all the
logical addresses which are  AUTHORIZED  to  map  TO  that  node,
(i.e.,  all  the  logical  addresses which correspond to ports at
that node).  Each of these logical addresses is associated with a
particular  port  or ports at that node.  At initialization time,
each of these logical addresses is treated just as  if  it  is  a
neighboring  node  which  is  down,  and the node sends an update
(similar to a routing update) to all other nodes, indicating that
all  authorized  mappings to itself are ineffective.  When a host
comes  up  over  a  particular  port,  it  declares  its  logical
address(es)  by means of one or more LAD messages.  The node then
checks its table of authorized mappings, and acknowledges to  the
host  (either  positively  or  negatively)  each  logical address
mentioned in the LAD message.   Whenever  a  logical  address  is
positively  acknowledged, it becomes effective, and the node must
broadcast an update to all other nodes declaring that mapping  to
be  effective.  Whenever a host declares (via a LAD message) that
it no longer wants to be  addressable  by  a  particular  logical
address, an update must be generated declaring that mapping to be
                              -34-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
ineffective.  Whenever a port goes down,  all  logical  addresses
mapping  to  it become ineffective, and an update indicating this
must be broadcast.  If the protocol  used  to  disseminate  these
updates  is  the  same  as  the  protocol  used in the ARPANET to
disseminate the updates of the SPF routing  algorithm,  then  all
nodes  will  be  able to build dynamically an up-to-date table of
effective mappings, just as the routing updates  enable  them  to
build an up-to-date topology table.  (The procedure used to build
the topology tables is described in [1].  The  updating  protocol
is  described  in [2] and [3].) In effect, this procedure extends
the routing algorithm to treat the hosts (or more precisely,  the
mappings  of  logical  addresses  to  physical addresses) as stub
nodes, and the ports as lines, except  that  there  is  no  delay
associated with a port, but only an up/down status.
        This procedure is attractive from a conceptual  point  of
view,  but it is not really cost-effective.  That is, it seems to
be too expensive to be practical.  One reason is that it is  hard
to  place  a  bound  on  the  size  of the updates.  The updating
protocol of the ARPANET routing  algorithm  is  quite  efficient,
because  the  updates  are  so small.  The maximum update size is
only 216 bits (from  a  node  with  5  neighbors).   The  logical
addressing  updates might be much longer, since there is no limit
on the number of logical addresses that may map to a given  node.
                              -35-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
The  updates  would  also have to be sent periodically, even when
there in no change in state.  These  features  are  necessary  to
ensure reliability in the face of such events as partitions, node
crashes, updates received out of order, etc.  With no restriction
on  the number of logical addresses which can map to a given node
(and it seems unwise to build in such a restriction), there is no
restriction  on  update size, and hence no bound on the bandwidth
needed for updating, or on the extra delay which may  be  imposed
on data packets due to the need to transmit the updates.
        The updating protocol which  was  designed  for  the  SPF
routing  algorithm  was  designed to get the updates to all nodes
very quickly, and with 100% reliability,  even  in  the  face  of
various  types  of  network  failures.   This  extreme  speed and
reliability is necessary for routing  updates,  since  rapid  and
reliable  updating  of  the routing tables is necessary to ensure
the integrity of the network.  Routing failures, after  all,  can
make  the  network completely unusable, and can be very difficult
to recover from, since most recovery  techniques  depend  on  the
NCC's  ability  to  communicate  with  the  nodes,  which in turn
depends  upon   the   integrity   of   the   routing   algorithm.
Fortunately,  the  protocol  used  for  disseminating the logical
addressing updates does not need all  the  functionality  of  the
updating  protocol  used  for routing, since the integrity of the
                              -36-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
logical addressing  scheme  is  not  quite  as  critical  as  the
integrity  of  the  routing  algorithm.  This enables us to use a
simpler and less expensive method of maintaining the  translation
tables, which we will now discuss.
        In this second method, each node is  initialized  with  a
translation  table  containing ALL the authorized mappings.  This
table would have an entry for every logical address that  can  be
used in the network.  Each logical address would be associated in
the table with all the physical addresses  to  which  it  has  an
authorized  mapping.   Associated  with  each  of  these physical
addresses would be a Boolean  variable  indicating  whether  that
particular  logical-to-physical  address  mapping is effective or
ineffective.  At  initialization  time  a  node  would  mark  all
mappings  to  itself  as  INEFFECTIVE,  and all mappings to other
nodes as EFFECTIVE.  Whenever a host declares itself, via  a  LAD
message, to have a certain logical address, the node looks in the
translation table to see if that mapping is authorized.  (This is
just an ordinary table look-up, indexed off the logical address.)
If not, a negative acknowledgment is sent to the  host.   If  the
mapping  is  authorized,  a positive acknowledgement is sent, and
the entry in the translation table is marked EFFECTIVE.  Whenever
a  port  goes  down,  the node marks all mappings to that port as
INEFFECTIVE.  Of course, this also requires a "reverse" search of
                              -37-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
the  table  (i.e.,  a  search  based  on  a physical, rather than
logical address).  To make this more efficient, when the  initial
reverse  search is done at initialization time, the node can save
a list of pointers into  the  translation  table.   Each  pointer
would correspond to a physical address entry for that node.  If a
separate table of pointers is kept for each port, the  node  will
be able to find in a very efficient manner entries which map to a
particular port.  Using this methodology, each node's translation
table  will correctly indicate, for each of the logical addresses
that map to IT, whether or not that mapping  is  effective.   (Of
course,  these  pointers would have to be adjusted whenever table
insertions or deletions are made.)
        When a source host sends a logically  addressed  datagram
packet  into  the  network,  the  source  node  will  search  the
translation table for  the  correct  mapping.   If  that  logical
address  cannot  be  found,  i.e.,  its use is not authorized, an
error message indicating this fact  should  be  returned  to  the
host,  and  the  packet  discarded.   If  that logical address is
found, but all the corresponding physical  addresses  are  either
marked  INEFFECTIVE,  or  else  are unreachable (according to the
routing algorithm), then the packet should be discarded, and  the
host  informed  of  that fact.  If some of the physical addresses
are both reachable (according to routing) and  marked  EFFECTIVE,
                              -38-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
then  one  should  be  chosen,  according to some set of criteria
(perhaps one of those which  we  discussed  above).   The  chosen
physical  address  should  be  placed in the packet header, along
with the logical address.  The packet should then be forwarded to
its  destination; in doing the forwarding, tandem nodes will look
only  at  the  physical  address.   According  to  the  procedure
described in the previous paragraph, all mappings to REMOTE ports
will be initially marked EFFECTIVE.  To see how such mappings can
get marked INEFFECTIVE, we must see what happens when a logically
addressed packet reaches its destination node.
        When a logically addressed datagram  packet  reaches  its
destination  node,  the node looks up that logical address in its
translation table.  It is possible, of course, that that  logical
address  will  not be found at all, or that it will be found, but
that there will be  no  authorized  mapping  to  this  particular
destination  node.  This would indicate some sort of disagreement
between the translation tables  at  the  source  and  destination
nodes.   There  are  three  possible causes of this disagreement:
(1) NCC error in setting up the translation tables, (2)  deletion
of  the  authorization  for that particular logical address while
the packet was in transit, or (3) a  race  condition,  whereby  a
translation  table  update authorizing the new logical address is
taking place, but the update has  not  reached  that  destination
                              -39-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
node  yet.   In  any  case,  the  data packet should be discarded
without delivery, and an error message should be sent to the  NCC
indicating  receipt  of  a  packet  with  an unauthorized logical
address.  This will alert NCC personnel to a possible error.   If
the  authorization for that logical address was deleted while the
packet was in transit, however, then the NCC need  not  take  any
action;  having the destination node simply discard the packet is
the correct procedure.  If, on the other hand,  that  logical-to-
physical  mapping is really authorized, but the update making the
authorization has not yet reached the destination node,  then  we
want  to  take  the  same  action  as  we would take for a packet
delivered according to an  authorized  but  ineffective  mapping.
This action shall be described in the next paragraph.
        Suppose that, upon looking up the logical address in  the
translation  table,  the destination node does find an authorized
mapping to itself, but that mapping is marked ineffective.   Then
there  are  two  actions  to take.  The first action is to try to
re-address and then re-send the message.   Of  course,  this  can
only  be  done if the destination logical address is multi-homed,
and at least one  of  the  corresponding  physical  addresses  is
effective.   If  this  is  not  the  case,  the  packet  must  be
discarded.  The second action is to send a special  message  back
to  the  source  node of that datagram packet.  We will call this
                              -40-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
message a "DNA message" (for "Destination Not Accessible").   The
DNA  message will specify that the particular logical-to-physical
address mapping used for that packet is not an EFFECTIVE mapping.
The  DNA  message  should  also  be sent in response to datagrams
which  appear  to  have  unauthorized  mappings   (see   previous
paragraph).   For  reliability, each logically addressed datagram
must carry the physical address of its source node (though not of
its  source  host),  so  that  the  DNA message can be physically
addressed to the source node.  It is not enough  for  the  packet
simply  to  carry the logical address of its source host, for two
reasons.  The first reason is that if the source host  is  multi-
homed,  the  destination node will not know which source node the
packet came from, and hence will not know where to send  the  DNA
message.   The  second  reason  has  to do with the fact that one
situation in which DNA messages  may  have  to  be  sent  is  the
situation  in which the translation table at the destination node
has been set up erroneously.  In this case, we  do  not  want  to
have  to rely on the integrity of the translation table to ensure
proper delivery of the DNA message.
        When a source node receives a DNA message indicating that
a  certain logical-to-physical address mapping is ineffective, it
must find the proper entry in its  translation  table,  and  mark
that  mapping  as ineffective.  Henceforth, incoming packets with
                              -41-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
that  particular  logical  address  will  not  be  sent  to  that
particular  physical  address.   If the logical address is multi-
homed, packets will be sent to one or more of the other  physical
addresses,  unless  all the mappings for that logical address are
ineffective.  If this is  the  case,  packets  for  that  logical
address  will  be discarded by the source node, which should also
return some sort of negative acknowledgment to the  source  host.
We  see  then  that the DNA messages provide a feedback mechanism
which enables a source node to tell when a mapping  to  a  remote
port  is ineffective.  The source node has no way to tell whether
this is the case, until it sends a packet to  that  port.   After
sending the packet, it will be explicitly told by the DNA message
if the mapping is ineffective.  If it receives no DNA message, it
assumes that the mapping is effective.  This may mean, of course,
that some  logically  addressed  packets  are  sent  to  a  wrong
physical  address.  However, if there are other possible physical
addresses corresponding to that logical address, and the original
destination  node  has  one  of  those  other  mappings marked as
effective, the packet will be re-addressed and  re-delivered,  so
there  is no data loss.  Note that there are two possible reasons
why  a  given  logical-to-physical  address  mapping   might   be
ineffective:   (1) the physical port might not be operational, or
(2) the host at that physical address  might  not  have  declared
itself  addressable  with  that logical address.  If desired, the
                              -42-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
DNA message can indicate which of these two reasons is applicable
in  the  particular case in hand.  This information can be stored
in the source node's translation table, and passed on  to  source
hosts  which  try  to  use  a  logical  address for which all the
mappings are ineffective.
        This procedure enables all  nodes  to  find  out  when  a
particular  authorized  mapping  is  ineffective.  We also need a
procedure to enable the nodes to find  out  when  an  ineffective
mapping becomes effective again (i.e., a port comes back up, or a
new LAD message is received at some remote site).  A  simple  but
effective  method  is the following.  At periodic intervals (say,
every 5 or 10 minutes) each node will go through its  translation
table  and  mark  ALL the entries which map to REMOTE ports to be
effective.  (Entries which map to  local  ports  will  be  marked
effective   or   ineffective   according  to  procedures  already
discussed.   The  current  procedure  will  not  apply  to   such
entries.)  This  enables  mappings to be used again shortly after
they become effective.  Of course, this  scheme  will  result  in
some packets being sent to the wrong physical address.  When that
happens, however, a DNA message will be  elicited,  causing  that
mapping  to  be  marked  ineffective  again  in that source node.
Furthermore, this scheme does  not  cause  any  unnecessary  data
loss,  since  packets  sent to the wrong physical address will be
                              -43-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
re-addressed and re-delivered, if possible.
        Although this method requires all nodes  to  periodically
mark  all  mappings to remote ports effective, it is important to
understand that it  does  not  require  any  time-synchronization
among  the  various  nodes.  Also, there is no reason why all the
mappings have to be marked  effective  at  the  same  time.   For
example,  if  the translation table contains 600 mappings, rather
than marking all of them effective every 10 minutes,  it  may  be
more efficient to mark one mapping effective each second, thereby
cycling through the table  every  ten  minutes  (though  if  this
method  is  used,  it must take account of table compressions and
expansions  which  may  occur  as  the  NCC   adds   or   deletes
authorizations).
        There is also an issue as to the exact methodology to  be
used  to  send  the  DNA  messages.  The simplest method is for a
destination node to send a DNA message to the source node of each
packet which arrives as the result of an ineffective mapping.  If
this method is used, there is no need to use a reliable transport
protocol in sending the DNA messages.  If, for some reason, a DNA
message fails to get through to the  source  node,  more  packets
will  arrive  at  the  wrong  destination  node, causing more DNA
messages to be sent, until one  of  them  finally  gets  through.
This method, however, might generate a virtually unbounded number
                              -44-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
of DNA messages, particularly in pure datagram networks  with  no
flow  or  congestion  control.   This in turn might contribute to
network congestion.  In order  to  gain  better  control  of  the
throughput  due  to  DNA  messages,  one could implement a scheme
which ensures that only  one  DNA  per  ineffective  mapping  per
source  node  can  be  sent within a certain time interval.  This
scheme would have a significant cost  in  table  space,  however.
Also,  it  would require some sort of reliable transport protocol
(e.g., positive acknowledgments from  the  source  node  when  it
receives the DNA message) to protect against the case where a DNA
message is  lost  in  transit.   This  issue  would  have  to  be
carefully considered before any implementation is done.
        The procedure to follow with virtual circuit  traffic  is
very  similar.   In  the  ARPANET,  a  single  virtual circuit or
"connection"  is  individuated  by  the  source  and  destination
physical  addresses.   The  user  takes  no  part in setting up a
connection; whenever a user sends a packet to the  network  which
is not a datagram, the network checks to see if a connection from
the user's physical address to the destination  physical  address
that  he  specified  is  already  in existence.  If not, the IMPs
automatically run a protocol to set up such a  connection.   With
logical  addressing,  we  would  want to redefine the notion of a
connection so that connections are  individuated  by  source  and
                              -45-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
destination   LOGICAL  address,  rather  than  physical  address.
However, translation would be done only at connection setup time.
Thereafter,  all  virtual  circuit  packets  received  by a given
source node with the same source logical address and  destination
logical  address  would  be  sent  on  the same connection.  If a
destination node  receives  a  connection  setup  message  for  a
logical  address whose mapping is ineffective, it will refuse the
connection, just as  it  would  refuse  a  setup  message  for  a
physical  connection  to  a  dead  port.   When  the  source node
receives the  refusal  message,  it  will  mark  that  particular
logical-to-physical  mapping  as ineffective.  If the destination
logical address is multi-homed, the source node  can  attempt  to
set  up  the  connection  again,  but  with  a different physical
destination address.  If a mapping becomes  ineffective  after  a
connection  has  already  been  set up, the destination node will
take action to reset the connection, also  informing  the  source
node that the mapping is now ineffective.
        Note that logically  addressed  virtual  circuit  packets
need  not  carry in their headers the logical addresses of either
the source or destination hosts, since that  information  can  be
stored  in  the  connections tables at the source and destination
nodes.  Of course, all  packets  sent  on  a  particular  logical
connection  will  go  to  the  same  physical  destination  port.
                              -46-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
However, if the destination node  or  port  goes  down,  and  the
destination    host   is   multi-homed,   the   above   procedure
automatically ensures that a new connection will be opened to one
of  the  ports  which  is not down.  Since the ARPANET connection
protocol is transparent to the user, the  user  need  never  know
that this has happened.
        It is interesting to compare this procedure (based on DNA
messages)  with  the previously discussed procedures (based on an
updating protocol similar  to  that  used  for  the  SPF  routing
algorithm).   The  latter  procedure  would ensure that all nodes
always agree (except during some very short transient period)  on
precisely  which  mappings  are  effective  and  which  are  not.
Mappings would be marked effective  (or  ineffective)  almost  as
soon  as  they  become so.  There would be no need for the source
nodes to probe the destination nodes by sending data  packets  to
possibly  incorrect  physical  addresses.   The  procedure we are
recommending does not have these features.   In  the  recommended
procedure,   different   nodes'   translation  tables  would  not
necessarily be in agreement all the time as to which mappings are
or  are  not  effective,  and  probing  is necessary.  This is an
acceptable situation though, since  the  sort  of  universal  and
immediate  agreement  which  is  necessary  to  ensure the proper
functioning of a routing algorithm just is not needed  to  ensure
                              -47-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
the   proper   functioning  of  the  logical  addressing  scheme.
However, THE  LACK  OF  UNIVERSAL  AGREEMENT  DOES  REQUIRE  THAT
TRANSLATION  BE  DONE  AT  SOURCE NODES RATHER THAN TANDEM NODES,
since the DNA-based procedure, while designed to keep the  tables
at  source  nodes  up-to-date, will not necessarily have the same
effect at tandem nodes.  (That is, DNA messages are sent  to  the
source nodes, NOT to tandem nodes.)
        There is  only  one  situation  in  which  re-translation
should  be  done  at  the  tandem  nodes.   Suppose  a  logically
addressed packet arrives at a tandem node, and that  node,  after
checking  its  routing  table, sees that the physical destination
address of that packet  is  unreachable.   If  the  packet  is  a
virtual  circuit  packet,  or  the tandem node does not implement
logical addressing (i.e., does not contain a translation  table),
the  packet  must  simply  be  discarded.  But if the packet is a
datagram, and the tandem node does have a translation  table,  it
should  re-translate  the  destination  logical  address, and re-
address  the  packet.   This  procedure  can  help   to   prevent
unnecessary  data  loss.   Note that this tandem node translation
would happen only rarely, and only  in  situations  in  which  it
could  not  serve  to  defeat the criteria according to which the
source node translation was done.
        It should be noted that, with the  recommended  procedure
                              -48-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
(unlike  the  alternative),  the size of the translation table at
each node is a function only of  the  number  of  authorizations.
That is, only changes in the authorizations require insertions or
deletions to the table.  This justifies our previous  claim  that
insertions and deletions are relatively rare events.
        It should also  be  pointed  out  that  nothing  in  this
procedure  prevents a computer from being multi-homed to a single
node.
6  Operational and Implementation Considerations
        This procedure requires each network node to  maintain  a
full   table  of  authorized  mappings.   There  are  operational
advantages to requiring all nodes  to  have  precisely  the  same
translation  table;  this simplifies the process whereby one node
can be reloaded from another in case of failure, and reduces  the
amount  of  site-dependent information that must be maintained in
the nodes.  (In  general,  the  more  site-dependent  information
there  is,  the  larger the Mean Time to Repair will be.) We have
not spoken explicitly of the way in which NCC  personnel  add  or
delete  authorizations.   This will require some protocol between
the nodes and the NCC.  This protocol would be  similar  in  some
ways  to  the  protocol  used  to  broadcast  software patches or
                              -49-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
packages to the nodes.  However, since we want to be able to make
incremental  changes  to  the tables (rather than broadcasting an
entire new table each time a change must be made), the node  will
have  to  contain  routines  to add to or delete from the tables.
The node may have  to  inhibit  interrupts  while  modifying  its
table,  so  that no translations are done while the table is in a
state of flux.  Also, no reloads may be done from  a  node  whose
table  is  in  a  state of flux.  These last two restrictions are
needed to prevent race conditions; these restrictions are  easily
implemented.
        When  the  NCC  makes  a   change   to   the   table   of
authorizations,  it  will  want  to receive some sort of positive
feedback, indicating that the change has indeed been  made.   One
method of doing this is to associate a sequence number with every
"add" or "delete" command.  Each node could  periodically  report
to  the NCC the sequence number of the last command that it fully
executed, and an entry could  appear  in  the  log  whenever  the
sequence  number  is other than expected.  If the nodes refuse to
execute commands which are received out of sequence,  this  would
enable  the  NCC  to determine whether each node has received the
correct sequence of commands.
        If memory considerations make it impossible for each node
to  contain a table of ALL authorized mappings, it is possible to
                              -50-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
get by with a shorter  table.   Strictly  speaking,  each  node's
table  need  contain only the logical addresses which map to that
node itself, PLUS those logical addresses which  the  node's  own
local  hosts  are  allowed  to use.  While this smaller table may
take less memory, it would,  however,  increase  the  operational
difficulties of table maintenance.  We have not yet said anything
explicit about the format of a logical address.  We recommend use
of  a 16-bit field for coding the logical addresses.  This should
be enough to prevent  bit-coding  limitations  from  placing  any
restriction on network growth.  The only other information needed
in the translation table is (1) destination node physical address
(8    bits    should    suffice),    (2)    one   bit   for   the
effective/ineffective variable, (3) enough bits to code the  port
numbers,  and  (4)  enough  bits  to code any variables needed to
implement the selection  criteria  used  for  multi-homed  hosts.
This  should  not  take  more  than two or three 16-bit words per
entry.  If space is a problem, it  is  possible  to  shorten  the
tables somewhat by deleting the port numbers.  Strictly speaking,
port numbers are only needed by the destination nodes, and  hence
need  not  appear  in  each node's copy of the translation table.
However, eliminating the  port  numbers  from  the  common  table
increases  the amount of site-specific information in the tables,
which is a disadvantage in itself.
                              -51-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
        It goes without saying that the use of logical addressing
has  implications  for  the  network  access  protocol.   We have
already discussed one aspect  of  the  network  access  protocol,
viz.,  the  need  for the host to send LAD messages to the source
node, and the need for positive and negative  acknowledgments  to
be  returned  to  the host.  A LAD message from a particular port
contains a list of logical addresses, with an indication for each
one  as  to  whether  the  host wants the mapping of that logical
address to that port  to  be  effective  or  not.   When  a  host
declares a mapping to be ineffective, the source node must always
return a positive  acknowledgment,  and  must  mark  the  mapping
ineffective in its translation table.  However, if the mapping is
not authorized (i.e., not in the translation table),  the  source
node  should also return a warning to the source host, since host
error is likely.  When a host declares a mapping to be effective,
the   node   will   return   either   a   positive   or  negative
acknowledgment, depending upon whether the mapping is  authorized
or  not.   When  a  host  declares  an  authorized  mapping to be
effective, the node must mark it so.  The host should be  allowed
to  send  LAD  messages  to the node at any time, and they should
take effect immediately.
                              -52-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
7  Network Access Protocol Implications
        The  use  of  a  logical  addressing  scheme   also   has
implications  on  the part of the network access protocol that is
used for ordinary data transport.  When a source  host  passes  a
message  to  its  source  node,  the message leader must indicate
whether logical or physical addressing is desired  (assuming  the
network  allows  both).   If  logical  addressing is desired, the
destination logical address must be indicated.  The  source  node
must  be  able  to  discard  that  message  (with  an appropriate
negative acknowledgment) if there is  no  effective  mapping  for
that  logical  address.   The  source  host  must also be able to
indicate its own logical address, if it wants to make this  known
to the destination host.  (Since the source host may have several
logical addresses, it must explicitly choose one to be carried to
the  destination  host.)  Again,  the source node must be able to
negatively acknowledge  and  then  discard  the  message  if  the
mapping  from  that logical address to the source host's physical
address is not effective.  Alternatively, one may want to  return
this  sort  of negative acknowledgment only if the source logical
address mapping is unauthorized, and allow the message to be sent
if the mapping is authorized but ineffective.  If this is done, a
particular "logical host" may be allowed to send data, but not to
receive it.
                              -53-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
        When a logically addressed message  is  passed  from  the
destination node to the destination host, the message header must
contain the destination logical address  (since  the  destination
host  may  have  more  than  one logical address), and the source
logical address, if any.   This  implies,  of  course,  that  the
source and destination logical addresses of datagram packets must
be carried across the network in the packet header.  (For virtual
circuit  packets,  the  logical  addresses  can  be  kept  in the
connection blocks in  the  source  and  destination  nodes.)  The
internal  packet  header must also carry the physical destination
node number (for addressing at tandem nodes),  and  the  physical
source  node number (so that DNA messages can be returned without
having to rely on  the  integrity  of  the  translation  tables).
However,  these  physical  node numbers need not be passed to the
destination host.  Note that there is no need  for  the  internal
packet  header to carry source or destination port numbers, since
these are usually determined by the combination of physical  node
number  and  logical address.  In the case where a host is multi-
homed to a single node, the port numbers are not  so  determined,
but  the destination node can make a choice of ports "at the last
minute," either by choosing according  to  one  of  the  criteria
already  discussed,  or  by  choosing  the port with the shortest
queue.
                              -54-
IEN-183                              Bolt Beranek and Newman Inc.
                                                    Eric C. Rosen
[1]  E.C. Rosen, J.G. Herman, I. Richer, J.M. McQuillan, ARPANET
Routing Algorithm  Improvements  --  Third  Semiannual  Technical
Report, BBN Report No. 4088, April 1979, chapter 2.
[2]  J.M. McQuillan,  I.  Richer,  E.C.  Rosen,  D.P.  Bertsekas,
ARPANET  Routing  Algorithm  Improvements  --  Second  Semiannual
Report, BBN Report No. 3940, October 1978, chapter 4.
[3]  E.C. Rosen, "The Updating Protocol of ARPANET's New  Routing
Algorithm," Computer Networks, February 1980, Volume 4, p. 11.
                              -55-