Network Working Group D. Ferrari
Request for Comments: 1193 UC Berkeley
November 1990
CLIENT REQUIREMENTS FOR REAL-TIME COMMUNICATION SERVICES
Status of this Memo
This memo describes client requirements for real-time communication
services. This memo provides information for the Internet community,
and requests discussion and suggestions for improvements. It does
not specify any standard. Distribution of this memo is unlimited.
Abstract
A real-time communication service provides its clients with the
ability to specify their performance requirements and to obtain
guarantees about the satisfaction of those requirements. In this
paper, we propose a set of performance specifications that seem
appropriate for such services; they include various types of delay
bounds, throughput bounds, and reliability bounds. We also describe
other requirements and desirable properties from a client's
viewpoint, and the ways in which each requirement is to be translated
to make it suitable for lower levels in the protocol hierarchy.
Finally, we present some examples of requirements specification, and
discuss some of the possible objections to our approach.
This research has been supported in part by AT&T Bell Laboratories,
the University of California under a MICRO grant, and the
International Computer Science Institute. The views and conclusions
in this document are those of the author and should not be
interpreted as representing official policies, either expressed or
implied, of any of the sponsoring organizations.
We call real-time a computer communication service whose clients are
allowed to specify their performance requirements and to obtain
guarantees about the fulfillment of those requirements.
Three terms in this definition need further discussion and
clarification: clients, performance, and guarantees.
Network architecture usually consists, at least from a logical
viewpoint, of a stack of protocol layers. In the context of such an
architecture, the notions of client and server apply to a number of
Ferrari [Page 1]
RFC 1193 Requirements for Real-Time Services November 1990
different pairs of entities: every layer (with the support of the
underlying layers) provides a service to the layer immediately above
it and is a client of its underlying layers. In this paper, our
considerations generally apply to any client-server pair. However,
most of them particularly refer to human clients (users, programmers)
and to the ways in which such clients express their communication and
processing needs to the system (e.g., interactive commands,
application programs). This type of client is especially important,
since client needs at lower layers can be regarded as translations of
the needs expressed by human clients at the top of the hierarchy.
When the client is human, the server consists of the entire
(distributed) system, including the hosts, their operating systems,
and the networks interconnecting them.
As for the generic term, performance, we will give it a fairly broad
meaning. It will include not only delay and throughput, the two main
network performance indices, but also reliability of message
delivery. Real-time communication is concerned with those aspects of
quality of service that have to do with performance in this broad
sense.
The term guarantee in this paper has a rather strong legal flavor.
When a server guarantees a given level of performance for the
communications of a client, it commits itself to providing that
performance and to paying appropriate penalties if the actual
performance turns out to be insufficient. On the other hand, the
client will have to obey certain rules, and will not be entitled to
the requested performance guarantees unless those rules are
scrupulously obeyed. In other words, client and server have to enter
into a contract specifying their respective rights and duties, the
benefits that will accrue, the conditions under which those benefits
will materialize, and the penalties they will incur for not keeping
their mutual promises. We believe that a legal viewpoint is to be
adopted if serious progress in the delivery of communication services
(not only the real-time ones) is desired. Utility services, as well
as other kinds of service, are provided under legally binding
contracts, and a mature computer communication utility cannot fail to
do the same. In the field of real-time communication, such a
contract will by definition include performance guarantees.
Real-time services may be offered in any kind of network or
internetwork. Some of their predictable applications are:
(a) digital continuous-media (motion video, audio)
communication: lower bounds on throughput and upper bounds
on delay or delay variability or both are needed to ensure
any desired level of output quality; in the interactive case,
both the values of delay and delay variabilities have to be
Ferrari [Page 2]
RFC 1193 Requirements for Real-Time Services November 1990
bounded; some limited message losses are often tolerable in
the cases of video and voice (whenever very high quality is
not required), but usually not in the case of sound;
(b) transmission of urgent messages in real-time distributed
systems: delay bounds are the important guarantees to be
provided in these applications; losses should ideally be
impossible;
(c) urgent electronic-mail messages and, more in general,
urgent datagrams: again, delay is the obvious index to be
bounded in this case, but small probabilities of losses can
often be tolerated;
(d) transfers of large files: minimum throughput bounds are
usually more important than delay bounds in this
application; also, all pieces of a file must be delivered
with probability 1;
(e) fast request-reply communication: e.g., data base queries,
information retrieval requests, remote procedure calls; this
is another case in which delay (more precisely, round-trip
delay) is the index of primary interest; reliability
requirements are generally not very stringent.
We conjecture that, when networks start offering well-designed and
reasonably-priced real-time services, the use of such services will
grow beyond the expectations of most observers. This will occur
primarily because new performance needs will be induced by the
availability of guaranteed-performance options. As the history of
transportation and communication has repeatedly shown, faster
services bring about major increases of the shipments that are
perceived as urgent. The phenomenon will be more conspicuous
whenever the quality of service provided to non-real-time clients
will deteriorate. It is clear from this comment that we assume that
real-time services will coexist within the same networks and
internetworks with non-real-time communications. Indeed, postulating
a world in which the two types of service are segregated rather than
integrated would be unrealistic, as it would go against the clear
trend towards the eventual integration of all information services.
For the same reason, the traffic in the network is assumed to be
heterogeneous, i.e., to consist of a variety of types of messages,
representing a variety of information media and their combinations,
with a wide spectrum of burstiness values (from uncompressed
continuous fixed-rate streams to very short and erratic bursts of
information).
This paper discusses the client requirements and characteristics of a
Ferrari [Page 3]
RFC 1193 Requirements for Real-Time Services November 1990
real-time communication service. Server requirements and design
principles will be the subject of a subsequent paper. Section 2
contains some considerations about the ways in which the clients
specify their requirements, and those in which a server should reply
to requests for real-time services. Performance requirements are
presented in Section 3; other properties that clients may need or
desire are described in Section 4. Section 5 deals with the problem
of translating the requirements of a human client or an application
for the equivalent lower-level ones. In Section 6, we briefly
present four examples of client requirement specifications, and in
Section 7 we discuss some of the objections that can be raised
against our approach.
No real-time service can be provided if the client does not specify,
together with the requirements, the characteristics of the expected
input traffic. Describing input traffic and all the various
requirements entails much work on the part of a client. Gathering
the necessary information and inputting it may be very time-
consuming. A well-designed real-time communication service will
minimize the effort to be spent by a client.
Sensible default values, the possibility of partial or incremental
specifications (e.g., by editing preexisting specifications), and a
number of standard descriptions should be provided. These
descriptions will include characterizations of inputs (e.g., those of
a video stream for multimedia conferencing, an HDTV stream, a hi-fi
audio stream, a file transfer stream, and so on) and standard sets of
requirements. With these aids, it might be possible for a human
client to specify his or her request by a short phrase, perhaps
followed by a few characters representing options or changes to the
standard or default values.
Since requests for real-time services may be denied because of a
mismatch between the client's demands and the resources available to
the server, the client will appreciate being informed about the
reasons for any rejection, so that the request can be modified and
resubmitted, or postponed, or cancelled altogether [Herr89]. The
information provided by the server to a human client should be
meaningful, useful, and non-redundant. The reason for rejection
should be understandable by the client (who should be assumed not to
know any of the details of the operating system, of the protocols or
of the network) and should be accompanied by data that will be useful
to the client in deciding what to do as well as how the request ought
to be modified to make it successful. If, for example, a bound
specified by the client cannot be guaranteed by the server under its
current load, the information returned to the client should include
Ferrari [Page 4]
RFC 1193 Requirements for Real-Time Services November 1990
the minimum or maximum value of the bound that the server could
guarantee; the client will thus be able to decide whether that bound
would be acceptable (possibly with some other modifications as well)
or not, and act accordingly.
When the client is not a human being but an application or a process,
the type of a server's replies should be very different from that
just described [Herr89]; another standard interface, the one between
an application and a real-time service, must therefore be defined,
possibly in multiple, application-specific versions.
Clients will also be interested in the pricing policies implemented
by the server: these should be fair (or at least perceived to be
fair) and easy to understand. The client should be able easily to
estimate charges for given performance guarantees as a function of
distance, time of day, and other variables, or to obtain these
estimates from the server as a free off-line service.
A client can specify a service requirement using the general form
pred = TRUE,
where some of the variables in predicate pred can be controlled or
influenced by the server.
A simple and popular form of performance requirement is that
involving a bound. A deterministic bound can be specified as
(var <= bound) = TRUE, or var <= bound,
where variable var is server-controlled, while bound is client-
specified. The bounds in these expressions are upper bounds; if <
is replaced by > , they become lower bounds.
When the variable in the latter expression above is a probability, we
have a statistical bound, and bound in that case is a probability
bound; if the predicate is a deterministic bound, we have:
Prob (var <= bound) >= probability-bound.
In this requirement, the variable has an upper bound, and the
probability a lower bound. Note that deterministic bounds can be
viewed as statistical bounds that are satisfied with probability 1.
A form of bound very similar to the statistical one is the fractional
bound:
Ferrari [Page 5]
RFC 1193 Requirements for Real-Time Services November 1990
Ca (var <= bound) >= b,
where variable var has a value for each message in a stream, and Ca
is a function that counts the number of times var satisfies the bound
for any a consecutive messages in the stream; this number Ca must
satisfy bound b. Obviously, a fractional bound is realizable only if
b <= a . Fractional bounds will not be explicitly mentioned in the
sequel, but they can be used in lieu of statistical bounds, and have
over these bounds the avantages of easy verifiability and higher
practical interest.
In this section, we restrict our attention to those requirements that
are likely to be the most useful to real-time clients.
Depending on the application, clients may wish to specify their delay
requirements in different ways [Gait90]. The delays involved will
usually be those of the application-oriented messages known to the
client; for instance, the delay between the beginning of the client-
level transmission of a video frame, file, or urgent datagram and the
end of the client-level reception of the same frame, file, or urgent
datagram. (In those cases, e.g., in some distributed real-time
systems, where message deadlines are assigned instead of message
delays, we can always compute the latter from knowledge of the former
and of the sending times, thereby reducing ourselves again to a delay
bound requirement.) Also, they will be the delays of those messages
that are successfully delivered to the destination; the fraction of
messages that are not, to which the delay bounds will not apply, will
be bounded by reliability specifications. Note that clients will
express delay bounds by making implicit reference to their own
clocks; the design of a real-time service for a large network will
have to consider the impact on bounds enforcement of non-synchronized
clocks [Verm90]. Some of the forms in which a delay requirement may
be specified are
(i) deterministic delay bound:
Di <= Dmax for all i,
the client is delivered to the destination client-level entity, and
Dmax is the delay upper bound specified by the client. In our
descriptions we assume, without loss of generality, that the client
requesting a real-time service is the sending client, and that the
destination (which could be a remote agent of the client or another
user) is a third party with respect to the establishment of the
particular communication being considered (In our descriptions we
assume, without loss of generality, that the client requesting a
Ferrari [Page 6]
RFC 1193 Requirements for Real-Time Services November 1990
real-time service is the sending client, and that the destination
(which could be a remote agent of the client or another user) is a
third party with respect to the establishment of the particular
communication being considered.);
(ii) statistical delay bound:
Prob ( Di <= Dmax ) >= Zmin,
where Di and Dmax are defined as above, and Zmin is the lower
bound of the probability of successful and timely delivery;
(iii) deterministic delay-jitter bound:
Ji = | Di - D | <= Jmax for all i,
where D is the ideal, or target delay, Ji is the delay jitter of
the i-th message delivered to the destination, and Jmax is the
upper jitter bound to be specified by the client together with D;
note that an equivalent form of this requirement consists of
assigning a deterministic upper bound D + Jmax and a deterministic
lower bound D - Jmax to the delays Di [Herr90];
(iv) statistical delay-jitter bound:
Prob (Ji <= Jmax) >= Umin, for all i,
where Umin is the lower bound of the probability that Ji be
within its limits.
Other forms of delay bound include bounds on average delay, delay
variance, and functions of the sequence number of each message, for
example, Dmax(i) for the deterministic case. There may be
applications in which one of these will be the preferred form, but,
since we have not found any so far, we believe that the four types of
bounds listed as (i)-(iv) above will cover the great majority of the
practical cases.
The actual throughput of an information transfer from a source to a
destination is bounded above by the rate at which the source sends
messages into the system. Throughput may be lower than this rate
because of the possibility of unsuccessful delivery or message loss.
It is also bounded above by the maximum throughput, which is a
function of, among other things, network load. As the source
increases its input rate, the actual throughput will grow up to a
limit and then stop. Clients concerned with the throughput of their
Ferrari [Page 7]
RFC 1193 Requirements for Real-Time Services November 1990
transfers will want to make sure that saturation is never reached, or
is reached only with a suitably small probability and for acceptably
short intervals. Also, if the bandwidth allocated to a transfer is
not constant, but varies dynamically on demand to accommodate, at
least to some extent, peak requests, clients will be interested in
adding an average throughput requirement, which should include
information about the length of the interval over which the average
must be computed [Ferr89a].
Thus, reasonable forms for throughput requirements appear to be the
following:
(i) deterministic throughput bound:
Ti >= Tmin, for all i,
where Ti is the throughput actually provided by the server, and
Tmin is the lower bound of throughput specified by the client,
that is, the minimum throughput the server must offer to the
client;
(ii) statistical throughput bound:
Prob (Ti >= Tmin) >= Vmin,
where Ti and Tmin are defined as above, and Vmin is the lower
bound of the probability that the server will provide a throughput
greater than the lower bound;
(iii) average throughput bound:
T >= Tave,
where T is the average throughput provided by the server, Tave is
its lower bound specified by the client, and both variables are
averaged over an interval of duration I specified by the client;
the above inequality must obviously hold for all intervals of
duration I, i.e., even for that over which T is minimum.
One clear difference between delay bounds and throughput bounds is
that, while the server is responsible for delays, the actual
throughputs of a non-saturated system are dictated by the input
rates, which are determined primarily by the clients (though they may
be influenced by the server through flow-control mechanisms).
Ferrari [Page 8]
RFC 1193 Requirements for Real-Time Services November 1990
The usefulness of error control via acknowledgments and
retransmission in real-time applications is doubtful, especially in
those environments where message losses are usually higher, i.e., in
wide-area networks: the additional delays caused by acknowledgment
and retransmission, and out-of-sequence delivery are likely to be
intolerable in applications with stringent delay bounds, such as
those having to do with continuous media. Fortunately, the loss of
some of the messages (e.g., video frames, voice packets) is often
tolerable in these applications, but that of sound packets is
generally intolerable. In other cases, however, completeness of
information delivery is essential (e.g., in file transfer
applications), and traditional retransmission schemes will probably
have to be employed.
A message may be incorrect when delivered or may be lost in the
network, i.e., not delivered at all. Network unreliability (due, for
example, to noise) is usually the cause of the former problem; buffer
overflow (due to congestion) or node or link failure are those of the
latter. The client is not interested in this distinction: for the
client, the message is lost in both cases. Thus, the simplest form
in which a reliability bound may be expressed and also, we believe,
the one that will be most popular, is
Prob (message is correctly delivered) >= Wmin,
where Wmin is the lower bound of the probability of correct delivery,
to be specified by the client. The probability of message loss will
obviously be bounded above by 1 - Wmin. This is a statistical bound,
but, as noted in Section 3, a deterministic reliability bound results
if we set Wmin = 1.
In those applications in which any message delivered with a delay
greater than Dmax must be discarded, the fraction of messages usable
by the destination will be bounded below by Wmin Zmin. The client
may actually specify the value of this product, and let the server
decide the individual values of the two bounds, possibly subject to a
client-assigned constraint, e.g., that the price of the service to
the client be minimum.
If the value of Wmin is greater than the system's reliability (the
probability that a delivered message is correct), then there is no
buffer space allocation in the hosts, interfaces, switches and
routers or gateways that will allow the client-specified Wmin to be
guaranteed. In this case, the server uses error correcting codes, or
(if the application permits) retransmission, or duplicate messages,
or (if the sequencing problem discussed in Section 4.1 can be solved
Ferrari [Page 9]
RFC 1193 Requirements for Real-Time Services November 1990
satisfactorily or is not a problem) multiple physical channels for
the same logical channel, or has to refuse the request.
In this section, we briefly describe client requirements that cannot
be easily expressed as bounds on, but are related to, communication
performance. These include sequencing, absence of duplications,
failure recovery, and service setup time. We are not concerned here
with features that may be very important but have a functionality
(e.g., multicast capabilities) or security (e.g., client
authentication) rather than a performance flavor. Requirements in
these areas will generally have appreciable effects also on
performance; we do not discuss them only because of space
limitations.
For a given application, some of these properties may be required,
some others only desirable. Also, some may be best represented as
Boolean variables (present or absent), some others as continuous or
multi-valued discrete variables, others yet as partially qualitative
specifications.
For applications involving message streams (rather than single
datagrams), it may be necessary or desirable that messages be
delivered in sequence, even though the sequence may not be complete.
If the lower-level servers are not all capable of delivering messages
sequentially, a resequencing operation may have to be performed at
some higher level in the hierarchy. In those cases in which
reliability requirements make retransmission necessary, resequencing
may delay delivery of a large number of messages by relatively long
times. An adequate amount of buffer space will have to be provided
for this purpose at the level of the resequencer in the protocol
hierarchy.
If sequencing is not guaranteed by all servers at all levels, the
application may be able to tolerate out-of-sequence messages as long
as their number is small, or if the delay bound is so large that very
few out-of-sequence messages have to be discarded because they are
too late. The client could be allowed to specify a bound on the
probability that a message be delivered out of sequence, or to bundle
out-of-sequence losses with the other types of message loss described
by Wmin. The client would specify the value of Wmin (or Wmin Zmin),
and the server would have to decide how much probability to allow for
buffer overflow, how much for network error, and how much for
imperfect sequencing, taking into account the stringency of the delay
bounds.
Ferrari [Page 10]
RFC 1193 Requirements for Real-Time Services November 1990
On the other hand, with fixed-route connections and appropriate
queueing and scheduling in the hosts and in the network, it is often
not too hard to ensure sequenced delivery at the various layers,
hence also at the top.
Most of the discussion of sequencing applies also to duplication of
messages. It is, however, easier and faster to eliminate
duplications than to resequence, as long as some layer keeps track of
the sequence numbers of the messages already received. The
specification of a bound may be needed only if duplications become
very frequent, but this would be a symptom of serious network
malfunction, and should not be dealt with in the same way as we
handle delays or message losses. These observations do not apply, of
course, to the case of intentional duplication for higher
reliability.
The contract between client and server of a real-time service will
have to specify what will happen in the event of a server failure.
Ideally, from the client's viewpoint, failures should be perfectly
masked, and service should be completely fault-tolerant. As we have
already mentioned, however, it is usually unrealistic to expect that
performance guarantees can be honored even in presence of failures.
A little less unrealistic is to assume that service can resume a
short time after a failure has disrupted it. In general, clients may
not only wish to know what will happen if a failure occurs, but also
have a guaranteed upper bound on the likelihood of such an
occurrence:
Prob (failure) <= Fmax.
Different applications have different failure recovery requirements.
Urgent datagrams or urgent message streams in most real-time
distributed systems will probably not benefit much from recovery,
unless it can be made so fast that hard deadlines may still be
satisfied, at least in some cases. In the case of video or audio
transmission, timely resumption of service will normally be very
useful or even necessary; thus, clients may need to be given
guarantees about the upper bounds of mean or maximum time to repair;
this may also be the case of other applications in which the
deadlines are not so stringent, or where the main emphasis is on
throughput and/or reliability rather than on delay.
In communications over multi-node routes and/or long distances, the
network itself may contain several messages for each source-
Ferrari [Page 11]
RFC 1193 Requirements for Real-Time Services November 1990
destination pair at the time a failure occurs. The recovery scheme
will have to solve the problems of failure notification (to all the
system's components involved, and possibly also to the clients) and
disposition of messages in transit. The solutions adopted may make
duplicate elimination necessary even in contexts in which no
duplicates are ever created in the absence of failures.
Real-time services must be requested before they can be used to
communicate [Ferr89b]. Some clients may be interested in long-term
arrangements which are set up soon after the signing of a contract
and are kept in existence for long times (days, months, years).
Others, typically for economical reasons, may wish to be allowed to
request services dynamically and to avoid paying for them even when
not in use. The extreme case of short-term service is that in which
the client wants to send one urgent datagram, but this is probably
best handled by a service broker ("the datagraph office") using a
permanent setup shared by many (or all) urgent datagrams. In most
other cases, a request for a short-term or medium-term service must
be processed by the server before the client is allowed to receive
that service (i.e., to send messages). Certain applications will
need the setup time to be short or, in any case, bounded: the maximum
time the client will have to wait for a (positive or negative) reply
to a request may have to be guaranteed by the server in the contract.
Performance specifications and other requirements are assigned at the
top level, that of the human client or application, either explicitly
or implicitly (see Section 2). To be satisfied, these specifications
need the support of all the underlying layers: we believe that a
real-time service cannot be implemented on top of a server at some
level that is unable to guarantee performance. (Some of the other
requirements can be satisfied even without this condition: for
example, reliable delivery (when retransmission is acceptable) and
sequencing.) Upper-level requirements must be translated into
lower-level ones, so that the implementation of the former will be
adequately supported. How should this be done?
The method for translating delay bounds macroscopically depends on
the type of bound to be translated. All methods have to deal with
two problems: the effects of delays in the individual layers, and the
effects of message fragmentation on the requirements.
(i) Deterministic delay bound. A deterministic bound on the delay
Ferrari [Page 12]
RFC 1193 Requirements for Real-Time Services November 1990
encountered by a message in each layer (or group of layers) in
the hosts will have to be estimated and enforced.
The delay bound for a server at a given level will be obtained
by subtracting the delay bounds of the layers above it in both
the sending and the receiving host from the original global
bound:
Dmax' = Dmax - SUMi {d(max,i)}.
Message fragmentation can be handled by recalling that delay is
defined as the difference between the instant of completion of the
reception of a message and the instant when its shipment began.
If x is the interfragment time (assumed constant for simplicity
here) and f is the number of fragments in a message, we have
Dmax' = Dmax - x(f-1),
where Dmax' is the fragment delay bound corresponding to the
message delay bound Dmax, i.e., the delay of the first fragment.
(ii) Statistical delay bound. The statistical case is more
complicated. If the bounds on the delay in each layer
(or group of layers) are statistical, we may approach the
problem of the messages delayed beyond the bound
pessimistically, in which case we shall write
Zmin' = Zmin / (PRODi {z(min,i)}),
where the index i spans the layers (or group of layers) above the
given lower-level server, Zmin' is the probability bound to be
enforced by that lower-level server, and d(max,i) and z(min,i) are
the bounds for layer i. (A layer has a sender side and a receiver
side at the same level in the hierarchy.) The expression for
Zmin' is pessimistic because it assumes that a message delayed
beyond its bound in a layer will not be able to meet the global
bound Dmax. (The expression above and the next one assume that
the delays of a message in the layers are statistically
independent of each other. This assumption is usually not valid,
but, in the light of the observations that follow the next
expression, the error should be tolerable.)
At the other extreme, we have the optimistic approach, which
assumes that a message will not satisfy the global bound only if
it is delayed beyond its local bound in each layer:
Zmin' = 1 - (1 - Zmin)/(PRODi {1 - z(min,i)}).
Ferrari [Page 13]
RFC 1193 Requirements for Real-Time Services November 1990
The correct assumption will be somewhere in between the
pessimistic and the optimistic ones. However, in order to be able
to guarantee the global bound, the system will have to choose the
pessimistic approach, unless a better approximation to reality can
be found. An alternative that may turn out to be more convenient
is the one of considering the bounds in the layers as
deterministic, in which case Zmin' will equal Zmin, and the global
bound will be statistical only because the network will guarantee
a statistical bound.
When estimating the effects of message fragmentation, the new
bounds must refer to the fragment stream as though its components
were independent of each other. Assuming sequential delivery of
fragments, a message is delayed beyond its bound if its last
fragment is delayed beyond the fragment bound. Our goal can be
achieved by imposing the same probability bound on fragments as on
messages [Verm90]. Thus,
Zmin' = Zmin.
Note that both expressions for D prime sub max given in (i) above
apply to the statistical delay bound case as well.
(iii) Deterministic delay-jitter bound. For the case of layer to
layer translation, the discussion above yields:
Jmax' = Jmax - SUMi {j(max,i)} ,
where j(max,i) is the deterministic jitter bound of the i-th layer
above the given lower-level server. When messages are fragmented,
the delay jitter bound can be left unchanged:
Jmax' = Jmax .
There would be reasons to reduce it in the case of message
fragmentation only if the underlying server did not guarantee
sequenced delivery, and if no resequencing of fragments were
provided by the corresponding reassembly layer on the receiving
side.
(iv) Statistical delay-jitter bound. The interested reader will
be able with little effort to derive the translation formulas
for this case from the definition in Section 3.1 (iv)
and from the discussion in (ii) and (iii) above.
Ferrari [Page 14]
RFC 1193 Requirements for Real-Time Services November 1990
Since all layers are in cascade, the throughput bounds would be the
same for all of them if headers and sometimes trailers were not added
at each layer for encapsulation or fragmentation. Thus, throughput
bounds have to be increased as the request travels downward through
the protocol hierarchy, and the server at each layer knows by how
much, since it is responsible for these additions.
If we assume, quite realistically, that the probability of message
loss in a host is extremely small, then we do not have to change the
value of Wmin when we change layers.
The effects of message fragmentation are similar to those on
statistical delay bounds, but in a given application a message may be
lost even if only one of its fragments is lost. Thus, we have
Wmin' = 1 - (1 - Wmin)/f ,
where Wmin' is the lower bound of the correct delivery probability
for the fragment stream, and f is the number of fragments per
message. The optimistic viewpoint, which is the one we adopted in
Section 5.1 (ii), yields Wmin' = Wmin, and the observations made in
that section about the true bound and about providing guarantees
apply.
Of the requirements and desiderata discussed in Section 4, those that
are specified as a Boolean value or a qualitative attribute do not
have to be modified for lower-level servers unless they are satisfied
in some layer above those servers (e.g., no sequencing is to be
required below the level where a resequencer operates). When they
are represented by a bound (e.g., one on the setup time, as described
in Section 4.4), then bounds for the layers above a lower-level
server will have to be chosen to calculate the corresponding bound
for that server. The above discussions of the translation of
performance requirements will, in most cases, provide the necessary
techniques for doing these calculations.
The requirement that the server give clear and useful replies to
client requests (see Section 2) raises the interesting problem of
reverse translation, that from lower-level to upper-level
specifications. However, at least in most cases, this does not seem
to be a difficult problem: all the translation formulas we have
written above are very easily invertible (in other words, it is
Ferrari [Page 15]
RFC 1193 Requirements for Real-Time Services November 1990
straightforward to express Dmax as a function of Dmax', Zmin as a
function of Zmin', and so on).
In this section we describe some examples of client requirements for
real-time services. Simplifying assumptions are introduced to
decrease the amount of detail and increase clarity. Our intent is to
determine the usefulness of the set of requirements proposed above,
and to investigate some of the problems that may arise in practical
cases. An assumption underlying all examples is that the network's
transmission rate is 45 Mbits/s, and that the hosts can keep up with
this rate when processing messages.
Let us assume that human clients are to specify the requirements for
voice that is already digitized (at a 64 kbits/s rate) and packetized
(packet size: 48 bytes, coinciding with the size of an ATM cell;
packet transmission time: 8.53 microseconds ; packet interarrival
time: 6 ms). Since the communication is interactive, deterministic
(and statistical) delay bounds play a very important role. Jitter is
also important, but does not dominate the other requirements as in
non-interactive audio or video communication (see Section 6.2). The
minimum throughput offered by the system must correspond to the
maximum input rate, i.e., 64 kbits/s; in fact, because of header
overhead (5 control bytes for every 48 data bytes), total guaranteed
throughput should be greater than 70.66 kbits/s, i.e., 8,834 bytes/s.
(Since the client may not know the overhead introduced by the system,
the system may have to compute this value from the one given by the
client, which in this case would be 8 kbytes/s.) The minimum average
throughput over an interval as long as 100 s is 44% of Tmin, due to
the silence periods [Brad64].
Voice transmission can tolerate limited packet losses without making
the speech unintelligible at the receiving end. We assume that a
maximum loss of two packets out of 100 (each packet corresponding to
6 ms of speech) can be tolerated even in the worst case, i.e., when
the two packets are consecutive. Since packets arriving after their
absolute deadline are discarded if the delay bound is to be
statistical, then this maximum loss rate must include losses due to
lateness, i.e., 0.98 will have to be the value of Zmin Wmin rather
than just that of Wmin.
This is illustrated in the first column of Table Ia, which consists
of two subcolumns: one is for the choice of a deterministic delay
bound, the other one for that of a statistical delay bound and a
combined bound on the probability of lateness or loss. If in a row
Ferrari [Page 16]
RFC 1193 Requirements for Real-Time Services November 1990
there is a single entry, that entry is the same for both subcolumns.
Note that the maximum setup time could be made much longer if
connections had to be reserved in advance.
Since voice is packetized at the client's level, we will not have to
worry about the effects of fragmentation while translating the
requirements into their lower-level correspondents.
At the level of the client, the video message stream consists of 1
Mbit frames, to be transmitted at the rate of 30 frames per second.
Thus, the throughput bounds (both deterministic and average) are,
taking into account the overhead of ATM cell headers, 4.14 Mbytes/s.
As in the case of interactive voice, we have two alternatives for the
specification of delay bounds: the first subcolumn is for the
deterministic bound case, the second for that of a statistical bound
on delays and a combined probability bound on lateness or loss; the
latter bound is set to at most 10 frames out of 100, i.e., three out
of 30. However, the really important bound in this case is the one
on delay jitter, set at 5 ms, which is roughly equal to half of the
interval between two successive frames, and between 1/4 and 1/5 of
the transmission time. This dominance of the jitter bound is the
reason why the other delay bounds are in parentheses.
If we assume that video frames will have to be fragmented into cells
at some lower level in the protocol hierarchy, then these
requirements must be translated at that level into those shown in the
first column of Table II. The values of Dmax' have been calculated
with x = 12.8 microseconds and f = 2605 fragments/frame. The range
of Wmin' and of (Zmin Wmin)' is quite wide, and achieving its higher
value (a probability of 1) may turn out to be either very expensive
or impossible. We observe, however, that a frame in which a packet
or more are missing or have been incorrectly received does not have
to be discarded but can be played with gaps or patched with the old
packets in lieu of the missing or corrupted ones. Thus, it may be
possible to consider an optimistic approach (e.g., Zmin' = Zmin,
Wmin' = Wmin, (Zmin Wmin)' = Zmin Wmin ) as sufficiently safe.
A real-time datagram is, for instance, an alarm condition to be
transmitted in an emergency from one machine to another (or a group
of others) in a distributed real-time system. The client
requirements in this case are very simple: a deterministic bound is
needed (we are assuming that this is a hard-real-time context), the
reliability of delivery must be very high, and the service setup time
should be very small. The value of 0.98 for Wmin in Table Ib tries
Ferrari [Page 17]
RFC 1193 Requirements for Real-Time Services November 1990
to account for the inevitable network errors and to suggest that
retransmission should not be used as might be necessary if we wanted
to have Wmin = 1, because it would be too slow. To increase
reliability in this case, error correcting codes or spatial
redundancy will have to be resorted to instead.
Note that one method for obtaining a very small setup time consists
of shipping such urgent datagrams on long-lasting connections
previously created between the hosts involved and with the
appropriate characteristics. Note also that throughput requirements
cannot be defined, since we are dealing with one small message only,
which may not even have to be fragmented. Guarantees on the other
bounds will fully satisfy the needs of the client in this case.
Large files are to be copied from a disk to a remote disk. We assume
that the receiving disk's speed is greater than or equal to the
sending disk's, and that the transfer could therefore proceed, in the
absence of congestion, at the speed of the sending disk. The message
size equals the size of one track (11 Kbytes, including disk surface
overhead such as intersector gaps), and the maximum input rate is
5.28 Mbits/s. Taking into account the ATM cell headers, this rate
becomes 728 kbytes/s; this is the minimum peak throughput to be
guaranteed by the system. The minimum average throughput to be
provided is smaller, due to head switching times and setup delays
(seek times are even longer, hence need not be considered here): we
set its value at 700 kbytes/s.
Delay bounds are much less important in this example than in the
previous ones; in Table Ib, we show deterministic and statistical
bounds in parentheses. Reliability must be eventually 1 to ensure
the integrity of the file's copy. This result will have to be
obtained by error correction (which will increase the throughput
requirements) or retransmission (which would break most delay bounds
if they were selected on the basis of the first shipment only instead
of the last one).
The second column in Table II shows the results of translating these
requirements to account for message fragmentation. The values x =
78.3 microseconds and f = 230 have been used to compute those of
Dmax'.
In this section, we briefly discuss some of the objections that can
be raised concerning our approach to real-time service requirements.
Some of the objections are fundamental ones: they are at least as
Ferrari [Page 18]
RFC 1193 Requirements for Real-Time Services November 1990
related to the basic decisions to be made in the design of the server
as they are to client requirements.
Objection 1: Guarantees are not necessary.
This is the most radical objection, as it stems from a basic
disagreement with our definition of real-time service. The problem,
however, is not with definitions or terminologies: the really
important question is whether a type of service such as the one we
call "real-time" will be necessary or at least useful in future
networks. This objection is raised by the optimists, those who
believe that network bandwidth will be so abundant that congestion
will become a disease of the past, and that delays will therefore be
small enough that the enforcement of legalistic guarantees will not
be necessary. The history of computers and communications, however,
does not unfortunately support these arguments, while it supports
those of the pessimists. In a situation of limited resources
(limited with respect to the existing demand for them), we believe
that there is no serious solution of the real-time communication
problem other than one based on a policy for the allocation of
resources that rigorously guarantees the satisfaction of performance
needs. Even if the approaches to be adopted in practical networks
will provide only approximate guarantees, it is important to devise
methods that offer without exceptions precisely defined bounds.
These methods can at the very least be used as reference approaches
for comparison and evaluation.
Objection 2: Real-time services are too expensive because reservation
of resources is very wasteful.
This may be true if resources are exclusively reserved; for example,
physical circuits used for bursty traffic in a circuit-switched
network. There are, however, other ways of building real-time
services, based on priority mechanisms and preemption rather than
exclusive reservation of resources. With these schemes, the real-
time traffic always finds the resources it needs by preempting non-
real-time traffic, as long as the real-time load is kept below a
threshold. The threshold corresponds to the point where the demand
by real-time traffic for the bottleneck resource equals the amount of
that resource in the system. With this scheme, all resources not
used by real-time traffic can be used at any time by local tasks and
non-real-time traffic. Congestion may affect the latter, but not
real-time traffic. Thus, the only limitation is that a network
cannot carry unbounded amounts of real-time traffic, and must refuse
any further requests when it has reached the saturation point.
Ferrari [Page 19]
RFC 1193 Requirements for Real-Time Services November 1990
Objection 3: Real-time services can be built on top of non-real-time
servers.
If one accepts our interpretation of the term "guarantee," one can
easily see that performance guarantees cannot be provided by a
higher-level server unless it can rely on real-time support by its
underlying server. Since this is true at all levels, we conclude
that a real-time network service and similar services at all
intermediate levels are needed to provide guaranteed performance to
human clients and applications.
Objection 4: Delay bounds are not necessary, throughput requirements
suffice.
Guaranteeing minimum throughput bounds does not automatically and in
general result in any stringent upper bound on delay. Delays in the
hosts and nodes of a packet-switching network fluctuate because of
bursty real-time message streams, starting and ending of traffic on
individual connections (even those with continuous, constant-rate
traffic), and the behavior of scheduling algorithms. Even if delays
did not fluctuate, but had a constant value, it would be possible for
a given throughput bound to be satisfied with many different constant
values for the delay of each message. If delay bounds are wanted,
they must be explicitly guaranteed and enforced. (In a circuit-
switching network, the circuit assigned to a connection has its own
throughput and its own delay. These values may be considered as
explicitly guaranteed and enforced.)
But are delay bounds wanted? We believe they are in digital video
and audio communication, especially in the form of delay jitter
bounds, and they will be in other contexts as soon as a service which
can bound delays is offered.
Objection 5: Satisfaction of statistical bounds is impossible to
verify.
Strictly speaking, this objection is valid. No matter how many
packets on a connection have been delayed beyond their bound (or lost
or delivered with errors), it is always in principle possible for the
server to redress the situation in the future and meet the given
statistical requirements. A more sensible and verifiable bound would
be a fractional one (see Section 3). For instance, such a bound
could be specified as follows: out of 100 consecutive packets, no
less than 97 shall not be late. In this case, the bound is no longer
Zmin, a probability of 0.97, but is given by the two values B = 97
and A = 100; it is not only their ratio that counts but also their
individual values.
Ferrari [Page 20]
RFC 1193 Requirements for Real-Time Services November 1990
This paper has presented a specification of some of the requirements
that human clients and applications may wish to impose on real-time
communications. Though those listed seem to be among the most useful
and natural ones, no attempt has been made to be exhaustive and
comprehensive.
We have investigated delay bounds, throughput bounds, reliability
bounds, and other requirements. We have studied how the requirements
should be translated from the client's level into forms suitable (and
correct) for lower levels, described some examples of requirement
specification, and discussed some of the objections that may be
raised.
The material in this paper covers only part of the first phase in the
design of a real-time service: that during which the various
requirements are assembled and examined to extract useful suggestions
for the design of the server. Server needs and design principles
will be the subject of the subsequent paper mentioned several times
above.
Acknowledgments
Ralf Herrtwich and Dinesh Verma contributed ideas to, and corrected
mistakes in, a previous version of the manuscript. The author is
deeply indebted to them for their help and for the many discussions
he had with them on the topics dealt with in this paper. The
comments of Ramesh Govindan and Riccardo Gusella are also gratefully
acknowledged.
References
[Brad64] Brady, P., "A Technique for Investigating On-Off Patterns
of Speech", Bell Systems Technical Journal, Vol. 44,
Pgs. 1-22, 1964.
[Ferr89a] Ferrari, D., "Real-Time Communication in
Packet-Switching Wide-Area Networks", Technical Report
TR-89-022, International Computer Science Institute,
Berkeley, May 1989.
[Ferr89b] Ferrari D., and D. Verma, "A Scheme for Real-Time Channel
Establishment in Wide-Area Networks", IEEE J. Selected
Areas Communications SAC-8, April 1990.
[Gait90] Gaitonde, S., D. Jacobson, and A. Pohm, "Bounding Delay on
a Multifarious Token Ring Network", Communications of the
Ferrari [Page 21]
RFC 1193 Requirements for Real-Time Services November 1990
ACM, Vol. 33, No. 1, Pgs. 20-28, January 1990.
[Herr89] Herrtwich R., and U. Brandenburg, "Accessing and
Customizing Services in Distributed Systems", Technical
Report TR-89-059, International Computer Science Institute,
Berkeley, October 1989.
[Herr90] Herrtwich, R, personal communication, February 1990.
[Verm90] Verma, D., personal communication, February 1990.
Table Ia
Examples of Client Requirements
Interactive Non-Interactive
Voice Video
Delay Bounds
deterministic:Dmax [ms] 200 - (1000) -
statistical:Dmax [ms] - 200 - (1000)
Zmin - (*) - (*)
jitter:Jmax [ms] 1 5
Throughput Bounds
deterministic:Tmin [kby/s] 8.834 4140
average:Tave [kby/s] 3.933 4140
I [s] 100 100
Reliability Bound:Wmin 0.98 (*) (0.90) (*)
Delay&Reliability:ZminWmin - 0.98 - 0.90
Sequencing yes yes
Absence of Duplications yes yes
Failure Recovery:
max.repair time [s] 10 100
Max.Setup Time [s] 0.8 (o) 15 (o)
----------------------------------
(*) To be chosen by the server
(o) Could be much longer if advance reservations were required
(+) Could be achieved by using a preexisting connection
Ferrari [Page 22]
RFC 1193 Requirements for Real-Time Services November 1990
Table Ib
Examples of Client Requirements
Real-Time File
Datagram Transfer
Delay Bounds
deterministic:Dmax [ms] 50 - (1500)
statistical:Dmax [ms] - (1000) -
Zmin - (0.95) -
jitter:Jmax [ms] - -
Throughput Bounds
deterministic:Tmin [kby/s] - 728
average:Tave [kby/s] - 700
I [s] - 100
Reliability Bound:Wmin 0.98 1
Delay&Reliability:ZminWmin - -
Sequencing - yes
Absence of Duplications yes yes
Failure Recovery:
max.repair time [s] - 100
Max.Setup Time [s] 0 (+) 5 (o)
----------------------------------
(*) To be chosen by the server
(o) Could be much longer if advance reservations were required
(+) Could be achieved by using a preexisting connection
Ferrari [Page 23]
RFC 1193 Requirements for Real-Time Services November 1990
Table II
Translation of the Requirements in Table I
Non-Interactive File
Video Transfer
Delay Bounds
deterministic:Dmax' [ms] (966) - - (1482)
statistical:Dmax' [ms] - (966) (982) -
Zmin' - (*) (0.95) -
jitter:Jmax' [ms] 5 -
Reliability Bound:Wmin' 0.90-1 (*) 1
Delay&Reliability:(ZminWmin)' - 0.90-1 -
_____________________________________
(*) To be chosen by the server
Security Considerations
Security considerations are not discussed in this memo.
Author's Address
Domenico Ferrari
University of California
Computer Science Division
EECS Department
Berkeley, CA 94720
Phone: (415) 642-3806
EMail: ferrari@UCBVAX.BERKELEY.EDU
Ferrari [Page 24]