******************** CSL Bulletin *******************

June 1992

TCP/IP or OSI? CHOOSING A STRATEGY FOR OPEN SYSTEMS

The drive of users toward open systems reflects requirements to integrate information processing resources and to make automated information available throughout the organization. Standards-based products that fit into an open systems infrastructure are key to meeting these user requirements. Since complete open solutions are not yet available, users planning open systems have to choose strategies that will support their current systems as well as future systems.

This bulletin provides information on data communications protocols that enable computer systems to communicate with other systems in an open environment. It discusses the choices that are available to users in the selection of network protocols for open systems and provides guidance for making selections to support both current and future systems. Federal agencies should consider these choices in the development of their policies for open systems.

The Diversity of Computing

Computer networks are becoming an indispensable component of computing. Today office workers, scientists, and engineers depend upon personal computers and workstations that are interconnected through local area networks (LANs). To share data with other users and to access data within the organization, users want to interconnect their personal computers, different LANs, mainframes, minicomputers, and perhaps supercomputers and parallel processors. Networking technologies for tying these various systems together are diverse, complex, and often incompatible.

Standards for data communications are part of the solution to the problems of incompatible, heterogeneous computer systems. Today, two principal suites of standard data communications protocols are available to users, the Transmission Control Protocol/Internet Protocol (TCP/IP) and Open Systems Interconnection (OSI).

Why Two Protocol Suites?
Both TCP/IP and OSI provide many of the same capabilities: the interconnection of computers, local area, wide area, and other networks; the routing of information in packets or datagrams between networks; reliable data transmission; file transfers; remote log-in to a computer; and electronic mail. There are some differences, however, with respect to deployment, availability of applications, and technical features of the two suites.

The federal government has helped to support the development of both TCP/IP and OSI. The government provided direct financial support to the development of TCP/IP as an early solution to incompatible networked systems. The government also has been collaborating with industry to develop and implement voluntary international standards for OSI to foster global open systems.

The Development of TCP/IP

The TCP/IP suite of protocols, which is older than OSI, has been used for about 10 years. TCP/IP is implemented on the Internet, a concatenation of about 5,000 networks and a million computers that are used by researchers in corporations, universities, and government laboratories for information exchange and collaborations. TCP/IP is included in Berkeley Software Distribution (BSD) UNIX, which is the fundamental operating system software for popular workstations used for scientific, engineering, and graphics applications.

The federal government funded the development of BSD UNIX, and continues to support TCP/IP indirectly through the National Science Foundation Network (NSFnet), the NASA Science Internet (NSI), the Energy Sciences Network (ESnet), and through Defense Advanced Research Projects Agency (DARPA)-sponsored research for enhanced network services. BSD UNIX and TCP/IP have been used by students in universities, especially in the United States, for about a decade; as a result, TCP/IP is understood by many users, systems integrators, and developers. TCP/IP is more widely implemented than OSI.
The Department of Commerce's International Trade Administration estimates that worldwide expenditures for TCP/IP hardware and software were $1.2 billion in 1991, while the world market for OSI products reached $550 million (U.S. Industrial Outlook-1992). This popularity may stem from the easy availability of TCP/IP implementations to commercial suppliers, who can provide TCP/IP networks without a major investment in protocol software development. With an immediate revenue stream, suppliers can concentrate resources on improving the usability of their TCP/IP networking products.

The Development of OSI

The success of TCP/IP as a solution for data communications among heterogeneous computers may be slowing the deployment of OSI applications. OSI is the accepted international standard for data communications, however, and it is expected to become the replacement for TCP/IP. OSI is specified for use by a growing number of governments around the world: the European Community legislates OSI; the United States Government mandates OSI (and the state governments are following); the Commonwealth of Australia has adopted OSI, as have Japan, Taiwan, and the Nordic Countries. OSI is also accepted by other groups with international scope, such as the World Federation of MAP/TOP User Groups.

OSI standards are created and evolve in an open process, visible to users and suppliers throughout the world. The standards-development work is organized and scheduled so that plans can be drawn up for developing and deploying solutions that use the resulting standards. In addition, OSI standards are augmented by a rigorous testing process that improves the quality of OSI products and aids in managing the evolution of change.

Advantages and Disadvantages of TCP/IP and OSI

TCP/IP and OSI both facilitate data communications among heterogeneous computers. TCP/IP and OSI, which can interoperate via gateways, complement each other.
The OSI protocol for routing packets (CLNP), which corresponds to IP, is deployed in a significant and growing segment of the Internet composed largely of TCP/IP-based computers and routers. CLNP is a more robust protocol than IP and has a larger and more versatile addressing field. A number of gateways exist for interoperation of TCP/IP mail (SMTP) with Message Handling Systems (X.400); TCP/IP file transfers (FTP) occur routinely on the Internet; OSI protocols for file transfer, access and management (FTAM) are also used on the Internet; and some of the earliest pilots for the OSI directory service (X.500) are being conducted on the Internet.

One reason for TCP/IP's popularity may be its well-known application programming interfaces (APIs): sockets and streams. Proprietary products have been implemented using TCP/IP to distribute services across a network; for example, structured query language (SQL) access to relational databases, network file services allowing remote mounting of file systems, and remote windowing for bit-mapped graphics displays. X Window (which is part of NIST's Application Portability Profile) and proprietary window systems operate over TCP/IP. OSI can provide equivalent APIs that can be used by the same third-party software vendors to provide the same added features. For some of the features, such as SQL access and windowing, standard specifications are being developed to integrate the services into the OSI architecture in a standard manner, and to achieve more robust and complex services.

TCP/IP application services are simple mail transfer (SMTP), file transfer (FTP), and remote log-in (Telnet). The OSI application services currently provide increased functionality over these services. The OSI mail service (X.400) provides an extensible framework for carrying information of all kinds, not simply personal mail messages.
The OSI virtual terminal service supports more than simple character or line terminals: forms, page, and scroll modes are also supported. The OSI distributed directory service (X.500) is far more capable than the equivalent TCP/IP centralized directory service (Whois).

OSI also provides enhanced technical capabilities over TCP/IP. For example, the TCP/IP address space encompasses 32 bits and is rapidly approaching exhaustion, while an OSI network address comprises 160 bits, a size that will provide global addressing into the foreseeable future. In addition, the routing protocols used with TCP/IP are constrained by the flat, 32-bit address, so that the routing tables maintained in Internet switching nodes are growing quite large and, thus, becoming unwieldy. OSI routing protocols support a form of hierarchical routing so that address information can be represented more efficiently in summary form, reducing the amount of routing information that flows in the network and that must be stored in the switching nodes. OSI switching services should provide a natural transition path on the Internet as the TCP/IP address space limits are reached.

Building for the future, existing OSI applications are being enhanced and new applications are being developed to provide additional user services. Message handling system (MHS, X.400) applications will soon provide standard security and directory services, along with the ability to interchange electronic data (EDI). FTAM applications are being enhanced to support transfer of additional document types, to facilitate remote file directory operations, and to supply restart and recovery operations. Virtual terminal applications are being extended with additional terminal types. Other new OSI applications include directory services (X.500), which will enable retrieval of information from locally maintained directory servers distributed throughout a network.
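To make the routing-table argument in the addressing paragraph above concrete, here is an added illustration in Python (not from the bulletin): constructed 20-octet hex addresses, a flat table with one entry per destination, and a hierarchical table that collapses each area prefix into one summary route which a longest-prefix lookup still resolves. The area prefixes, host numbers and the 8-octet prefix length are assumptions chosen for the example.

```python
"""Flat versus hierarchical addressing and its effect on routing-table size.

Added illustration, not from the bulletin. The destination addresses are
constructed 20-octet (160-bit) hex strings; the leading octets play the
role of an area prefix that a router outside the area can advertise as a
single summary route instead of one entry per destination.
"""


def flat_table(addresses):
    """Flat addressing: one routing entry per destination address."""
    return {addr: addr for addr in addresses}


def summary_table(addresses, prefix_hex_digits):
    """Hierarchical addressing: one entry per area prefix.

    prefix_hex_digits is the length of the area identifier in hex digits
    (two per octet). Every destination sharing that prefix collapses into
    one summary entry, which is what lets routing information shrink.
    """
    return {addr[:prefix_hex_digits]: addr[:prefix_hex_digits] for addr in addresses}


def lookup(table, addr):
    """Longest-prefix match: return the most specific entry covering addr."""
    best = None
    for prefix in table:
        if addr.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


# Constructed sample: three areas with four destinations each.
# 16 + 24 hex digits = 40 hex digits = 20 octets = 160 bits.
AREAS = ["47000580ffde0000", "47000580ffde0001", "4900000000000003"]
SAMPLE_ADDRESSES = [area + f"{host:024x}" for area in AREAS for host in range(1, 5)]


def compare(addresses=SAMPLE_ADDRESSES, prefix_hex_digits=16):
    """Return (flat entries, summary entries, every destination still resolves)."""
    flat = flat_table(addresses)
    summ = summary_table(addresses, prefix_hex_digits)
    resolved = all(lookup(summ, a) == a[:prefix_hex_digits] for a in addresses)
    return len(flat), len(summ), resolved


if __name__ == "__main__":
    # Twelve destinations need twelve flat entries but only three summaries;
    # a coarser 2-octet prefix (the leading "4700"/"4900") needs just two.
    print(compare())                      # (12, 3, True)
    print(compare(prefix_hex_digits=4))   # (12, 2, True)
```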
Remote database access (RDA) products will extend SQL access across a network of heterogeneous databases. The distributed transaction processing (DTP) service will provide synchronized transactions, distributed across a set of network nodes. Implementations of the manufacturing messaging specification (MMS) allow real-time access to variables in process-control devices connected to a network.

More Improvements Needed

Both the TCP/IP and OSI suites need improved upper-layer architectures and services. TCP/IP uses an antiquated upper-layer protocol encoding technique that is inferior to the OSI solution (ASN.1). TCP/IP uses well-known addresses for connecting to network services; OSI relies on a directory of names to find the address for a needed service. OSI forces an arbitrary three-layer structure (session, presentation, and application) onto the upper layers, creating built-in inefficiencies and making certain operations, such as encryption, more difficult than necessary. Neither architecture provides the desired flexibility to construct new application services by combining existing, refined, or newly defined components into a bundle of cooperating objects.

Both TCP/IP and OSI have deficiencies regarding system-level issues, such as security, multi-casting, and multimedia. TCP/IP-related specifications (called RFCs, or Requests For Comments) are being developed for privacy-enhanced mail, including a system for distributing certificates in support of a general authentication service, and RFCs are also under consideration to provide security services for network management and routing. Kerberos, a secret-key authentication, integrity, and confidentiality system, has been developed at the Massachusetts Institute of Technology (MIT) under Project Athena and is being deployed in portions of the Internet.
OSI standards are under development for authentication, confidentiality, and integrity at the network, transport, link, and application layers, but solutions are several years away. Wide-area multi-casting protocols are being considered for the Internet. OSI has a rich set of multimedia capabilities embedded in the electronic mail standard, while TCP/IP is just developing such extensions for SMTP. Neither TCP/IP nor OSI standards have capabilities for real-time, multimedia services.

Both TCP/IP and OSI application services face increasing competition from LAN operating systems, from other proprietary protocols, and from market solutions such as those endorsed by the Open Software Foundation, Unix International, and X/Open. TCP/IP and OSI, while providing a wide array of the most useful networking functions and services, as well as a base on which to build other services, will never embody every new feature that users might employ -- at least not until the data network is viewed as a utility akin to the electric power grid or the voice telephone network.

Guidance on Acquisition of Future Systems

NIST recommends that agencies installing a new network or acquiring new data communications services specify and implement OSI as the standard protocol for multivendor information exchange. Where there are specific requirements that go beyond the capabilities available in OSI products today, OSI should be augmented with other network protocols as needed to meet such additional requirements. Usually this means accepting proprietary solutions. However, solicitations should make clear the agency's intent to reduce proprietary enhancements over time, and its plans to require the inclusion of additional OSI services in products as OSI specifications continue to mature.

There may be instances where procuring TCP/IP products is sensible; for example, to add to an already existing large TCP/IP network.
However, if the procurement is of significant size, then the systems should be purchased with a dual-stack capability to handle both TCP/IP and OSI, and routers should be upgraded to route both TCP/IP and OSI data. Further, systems (often called `dual-suited hosts') should include software to relay between TCP/IP and OSI applications. These capabilities are often called `application gateways' or, more specifically, `SMTP-X.400 Gateways' for electronic mail and `FTP-FTAM Gateways' for file transfer. These steps will prepare networks to support OSI and TCP/IP traffic and to facilitate interchange of information between OSI and TCP/IP computers. Once these capabilities are in place, future acquisitions can be converted to require OSI in lieu of TCP/IP.

Sometimes, installing TCP/IP together with OSI might make sense in the procurement of a new network; for example, the acquisition of a large network of routers, servers, and workstations that has to integrate some older existing computers into the network. Often, TCP/IP implementations may exist for older computers for which no OSI implementation exists and for which no OSI implementation is planned. In this case, the migration path is straightforward: procure routers (often called `dual-suited routers') capable of switching both OSI and TCP/IP data and add some number of dual-suited hosts with application gateways. The new network will then support information exchange between old existing computers and the newly procured, OSI-capable equipment.

Some vendors are developing OSI upper layer implementations such as FTAM and X.400 that run over TCP/IP. These developments will bear watching by Federal users.

Summary

The procurement of OSI products is recommended when a new network is acquired or when a significant upgrade is made to an existing network.
The acquisition of TCP/IP protocols, in addition to OSI, is recommended only when the network being upgraded is already a TCP/IP network or when TCP/IP provides the only means of integrating older, existing computers into a new network. Acquiring TCP/IP alone is recommended only when the acquisition involves buying a single computer or a few workstations to connect to an existing large TCP/IP network, such as the Internet. Even here, since the Internet is adding support for OSI coexistence and interoperation with TCP/IP, procuring OSI in addition to TCP/IP makes good sense.

In the 1990s we can expect that changes in technology will result in many more activities being automated, decentralized, and distributed geographically throughout an organization. Increased processing power, faster data networks, high-capacity data storage, expert systems, and neural networks are some of the technologies that will be available. New technology will have to coexist with existing technology. Data communications protocols are an essential component of the open systems environments that will make it possible for users to achieve multivendor systems with a full range of computing resources.

In a box separated from rest of text:

The Government Open Systems Interconnection Profile (GOSIP) defines a common set of data communications protocols that enable systems developed by different vendors to interoperate and the users of different applications on those systems to exchange information. GOSIP is based on national and international voluntary industry standards, and on implementation agreements developed by the OSI Implementors Workshop (co-sponsored by NIST and the Institute of Electrical and Electronics Engineers Computer Society). The initial version (Version 1) of GOSIP was issued in August 1990 as Federal Information Processing Standard (FIPS) 146.
Version 1 supported electronic mail and file transfer, access and management applications, and the interconnection of networking technologies for CCITT Recommendation X.25, Carrier Sense Multiple Access with Collision Detection, Token Bus, and Token Ring. Use of Version 1 protocols is mandatory for federal government agencies that acquire computer networking products and services, and communications systems or services, that provide equivalent functionality to the protocols defined in the standard.

Version 2 of GOSIP, which was issued in April 1991 as FIPS 146-1, adds the virtual terminal service as an application and provides for the interconnection of Integrated Services Digital Network (ISDN) as a networking technology. Other additions in Version 2 include provisions for transfer of Office Document Architecture (ODA) formats, the end system to intermediate system protocol, and options for connectionless and connection-oriented services. The additional protocols in Version 2 may be cited in solicitations and contracts now, and will become mandatory for federal agency use in October 1992 when the systems to be acquired require functionality equivalent to the Version 2 protocols.

NIST is collaborating with several industry groups to develop a common OSI specification that will consolidate the requirements of major U.S. computer users. The planned industry and government open systems specification (IGOSS) will enable these computer users to speak with one voice to vendors and to make up a large market for OSI products. In 1993, NIST expects to propose the IGOSS as Version 3 of GOSIP.

Government Open Systems Interconnection Profile (FIPS 146-1) is available from the National Technical Information Service, Springfield, VA 22161. Telephone: 703-487-4650. FAX: 703-321-8547.

NIST operates a database system that provides online information about GOSIP tests, testing laboratories, and tested products.
The database can be accessed by:

- Using the Internet address 129.6.48.100 and logging on under the user-name gosip-db. No password is necessary.

- Via a modem by dialing the phone number (301) 869-0096. Log in using the user-name gosip-db. No password is necessary. Recommended modem configuration is 8 data bits, 1 stop bit, no parity, and a speed of 1200 or 2400 baud.