When two or more distinct organizations interconnect their internal computer networks they form an Inter-Organization Network(ION). IONs support the exchange of cad/cam data between manufacturers and subcontractors, software distribution from vendors to users, customer input to suppliers' order-entry systems, and the shared use of expensive computational resources by research laboratories, as examples. This paper analyzes the technical implications of interconnecting networks across organization boundaries. After analyzing the organization context in which IONs are used, we demonstrate that such interconnections are not satisfied by traditional network design criteria of connectivity and transparency. To the contrary, a primary high-level requirement is access control, and participating organizations must be able to limit connectivity and make network boundaries visible. We describe a scheme based on non-discretionary control which allows interconnecting organizations to combine gateway, network, and system-level mechanisms to enforce cross-boundary control over invocation and information flow, while minimizing interference with internal operations. Access control requirements such as these impose new requirements on the underlying interconnection protocols. We demonstrate such alternative interconnection protocols that support loose coupling across administrative boundaries and that accommodate the necessary control mechanisms. Message-based gateways that support non-real-time invocation of services (e.g., file and print servers, financial transactions, VLSI design tools, etc.) are a promising basis for such loose couplings.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Benjamin, J., I tes~, M., Weingarten, R., Wheeler, W. 'Interconnecting SNA Networks'. IBM Systems Joernal 22, 4 (1983), 3.14-366.
	2	Bibs, I(. Integrity Considerations for Secure Computer Systems. Technical Report ESD-TR-76-372, The Mitre Corp., I3cdford, MA, April, 1977.
	3	Braden, R., Cole, R. Some Problems in the Inter-connection of Computer Networks. In Pathways to the Information Society: Proceedings of the 6th htternational Conference on. Computer Communications, Williams, W., Ed., North-Holland, i982, pp. 969-974.
	4	Cole, R., Higginson, P., Lloyd, P., Moulton, R. "International net faces problems handling mail and file transfer' Data Comm~tnicatfonz (June 1983), 175-187.
	5	Dallas, I. Implementation of a Gateway between a Cambridge Ring Local Area Network and a Packet Switching Wide Area Network. In Pathways to the Information Society: Proceedings of the 6th International Conference on Computer Communications, Williams, W., Ed., North-Holland, 1982, pp. 137-142.
	6	DeSchon, A. MCI Mail/Arpa Mail Forwarding. Technical Report ISI/RR-84-141, USC Information Sciences Institute, August, 1984.
	7	Estrin, D. Non-Discretionary Controls for Inter-Organization Networks. Proceedings of the 1985 Symposium on Security and Privacy, Silver Spring, MD, 1985, pp. 56-61.
	8	Estrin, D. Access to Inter-Organization Computer Networks. Ph.D. Th., M.I.T., Department of Electrical Engineering and Computer Science, August 1985.
	9	Horton, M. Standard for Interchange of USE:NET Messages. Request for Comments RFC 850, USC Information Sciences Institute, June, 1983.
	10	ISO. Directives for the Technical Work of ISO. International Standards Organization, Geneva, Switzerland, 1982.
	11	P. A. Karger, NON-DISCRETIONARY ACCESS CONTROL FOR DECENTRALIZED COMPUTING SYSTEMS, Massachusetts Institute of Technology, Cambridge, MA, 1977
	12	Carl E. Landwehr , Constance L. Heitmeyer , John McLean, A security model for military message systems, ACM Transactions on Computer Systems (TOCS), v.2 n.3, p.198-222, Aug. 1984  [doi>10.1145/989.991]
	13	Paul V. Mockapetris, The domain name system, Proc. of the IFIP WG 6.5 working conference on Computer-based message services, p.61-72, November 1984, Nottingham, United Kingdom
	14	Mogul, J. Internet Subnets. Request for Comments FtFC 917, USC Information Sciences Institute, October, 198.1.
	15	Mracek, J. Network Access Control in Multi-Net lnternet Transport. S.B. Thesis, Massaehusetts institute of Technology, Dept. of Electrical Engineering and Computer Science, June, 1983.
	16	Neweli, A., Sprouil, R. 'Computer Networks: Prospects for Scientists'. Science 215 (February 12 1982), 8't3-852.
	17	Sa{tzer, J. On the Naming and Binding of Network Destinations. In Local Computer Networks, Ravisio, P.C., ttopkins, G., Naffah, N., Eds., North-Holland Publishing Company, New York, 1982, pp. 311-318.
	18	Sunshine, C. "Interconnectiol of Computer Networks'. Computer ,~ctworka, 1 (I977), 17.5-I95.

• ACM SIGCOMM Computer Communication Review
  Volume 16 ,  Issue 3   Aug. 5, 1986