services (such as protection from denial-of-service attacks) that cannot be implemented in endpoints.[4]
Today’s Internet is full of middleboxes, which are
functional elements located inside the
network and inserted into end-to-end
paths. On the other side of the divide,
performance of the network depends
to some extent on congestion control
in TCP endpoints. It is no longer true
that endpoint machines and networks
are always owned by different parties
(in clouds they are not), and no longer
true that network elements such as
routers are not programmable.[10]
From a modeling perspective, the
divide between network and endpoints
is harmful for a very simple reason: If
we want to describe and verify communication (network) services, then we
must include all the agents involved in
providing those services.
User interfaces are inside machines. Figure 2 illustrates the new
model’s approach to network services
and the user interface. Each machine
participating in a network must be
running a member of that network. The
network member is a software or hardware module that implements some
subset of the network protocols. Members are connected by links, where a
link is a communication channel that
accepts packets from one member
and delivers them to another member.[a] Members of the network forward
packets that are not destined for them,
so a packet can reach its destination
through a path of members.
The users of networks are distributed application systems—computer systems with operational modules spread
across different physical machines.
The modules of a distributed system
need a network to communicate. The
main user interface to a network consists of the interfaces inside machines
between user modules and members
of the network.
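
The members, links, and forwarding just described, as a small executable model. This is an added example, not code from the article; the `Network` class and the member names A, R1, MB (a middlebox), R2, and B are assumptions chosen for illustration.

```python
from collections import deque

class Network:
    """Members joined by one-way links (illustrative model, not the authors')."""
    def __init__(self):
        self.links = {}      # member -> set of members it has a link to
        self.delivered = {}  # member -> payloads handed up to its user module

    def add_link(self, src, dst):
        # A link accepts packets from one member and delivers them to another.
        self.links.setdefault(src, set()).add(dst)
        self.links.setdefault(dst, set())

    def next_hops(self, dst):
        """Forwarding state toward dst: for each member, the neighbor to use."""
        table, seen, queue = {}, {dst}, deque([dst])
        while queue:  # breadth-first search backwards from dst over the links
            node = queue.popleft()
            for member in sorted(self.links):
                if node in self.links[member] and member not in seen:
                    seen.add(member)
                    table[member] = node
                    queue.append(member)
        return table

    def send(self, src, dst, payload):
        """Forward one packet and return the path of members it traversed."""
        table = self.next_hops(dst)
        path, here = [src], src
        while here != dst:
            if here not in table:
                raise LookupError(f"no path of links from {here} to {dst}")
            here = table[here]  # a member forwards packets not destined for it
            path.append(here)
        # The destination member hands the payload to the user module
        # inside the same machine: the user interface of the model.
        self.delivered.setdefault(dst, []).append(payload)
        return path

def build_example():
    """Constructed topology: A -> R1 -> MB -> R2 -> B, one-way links only."""
    net = Network()
    for a, b in [("A", "R1"), ("R1", "MB"), ("MB", "R2"), ("R2", "B")]:
        net.add_link(a, b)
    return net

if __name__ == "__main__":
    print(build_example().send("A", "B", "hello"))
```

The returned path lists every member that handled the packet, including the middlebox MB, which is the set of agents a description of the service has to include.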
An instance or usage of network service is a session. A network has packets,
which are its transmissible units of
data. A session transmits a set of packets that are related from the perspective of the user. In Figure 2, a one-way
session transmits packets from an ap-
[a] Although the model allows one-to-many sessions and links, for services such as broadcast
and multicast, they are omitted for simplicity.
HTTP and Ethernet would be one TCP
header and one IP header.
In this article, we present a new
way of describing the Internet, better
attuned to the realities of networking
today, and to meeting the challenges
of the future. Its central idea is that the
architecture of the Internet is a flexible
composition of many networks—not
just the networks acknowledged in the
classic Internet architecture, but many
other networks both above and below
the public Internet in a hierarchy of
abstraction. For example, the headers
in Figure 1 indicate the packet is being
transmitted through six networks below the application system. Our model
emphasizes the interfaces between
composed networks, while offering an
abstract view of network internals, so
we are not reduced to grappling with
masses of unstructured detail. In addition, we will show that understanding
network composition is particularly
important for three reasons:
Reuse of solution patterns: In the
new model, each composable network is a microcosm of networking,
with the potential to have all the basic mechanisms of networking such
as a namespace, routing, a forwarding
protocol, session protocols, and directories. Our experience with the model
shows this perspective illuminates solution patterns for problems that occur
in many different contexts, so that the
patterns (and their implementations!)
can be reused. This is a key insight of
Day’s seminal book Patterns in Network
Architecture.[7] By showing that interesting networking mechanisms can be
found at higher levels of abstraction,
the new model helps to bridge the artificial and unproductive divide between
networking and distributed systems.[17]
Verification of trustworthy services:
Practically every issue of Communications contains a warning about the
risks of rapidly increasing automation, because software systems are too
complex for people to understand or
control, and too complex to make reliable. Networks are a central part of the
growth of automation, and there will be
increasing pressure to define requirements on communication services and
to verify they are satisfied.[14] As we will
show, the properties of trustworthy
services are defined at the interfaces
between networks, and are usually dependent on the interaction of multiple
networks. This means they cannot be
verified without a formal framework
for network composition.
Evolution toward a better Internet:
In response to the weaknesses of the
current Internet, many researchers
have investigated “future Internet architectures” based on new technology
and “clean slate” approaches.[2, 20, 21, 25]
These architectures are not compatible
enough to merge into one network design. Even if they were, it is debatable
whether they could satisfy the demands
for specialized services and localized
cost/performance trade-offs that have
already created so much complexity. A
study of compositional principles and
compositional reasoning might be the
key to finding the simplest Internet
architecture that can satisfy extremely
diverse requirements.
We begin with principles of the
classic architecture, and then discuss
why they have become less useful and
how they can be replaced. This should
help clarify that we are proposing a really new and different way of talking
about networks, despite the familiarity
of the terms and examples. We close by
considering potential benefits of the
new model.
The User Interface to a Network
The end-to-end principle. The best-known principle of the classic Internet
architecture is the end-to-end principle,[5, 8] which creates a sharp divide
between the network and the endpoint
machines that it serves. The principle says the functions of the network
should be minimized, so that it serves
everyone efficiently, and that whenever possible services should be implemented in the endpoint machines. The
endpoints are easily programmable (so
anyone can add services), and the end-to-end perspective is the best perspective for functions such as reliability.
The end-to-end principle is also
expressed by the slogan “smart edge,
dumb network.” Another implication
of the end-to-end principle is the user
interface to a network consists of the
links between endpoint machines and
the rest of the network.
Despite its tremendous explanatory and engineering value, the end-to-end principle does not describe the
Internet as a whole. We know there are