RFC 1193






Network Working Group                                         D. Ferrari
Request for Comments: 1193                                   UC Berkeley
                                                           November 1990



        CLIENT REQUIREMENTS FOR REAL-TIME COMMUNICATION SERVICES

Status of this Memo

   This memo describes client requirements for real-time communication
   services.  This memo provides information for the Internet community,
   and requests discussion and suggestions for improvements.  It does
   not specify any standard.  Distribution of this memo is unlimited.

Abstract

   A real-time communication service provides its clients with the
   ability to specify their performance requirements and to obtain
   guarantees about the satisfaction of those requirements.  In this
   paper, we propose a set of performance specifications that seem
   appropriate for such services; they include various types of delay
   bounds, throughput bounds, and reliability bounds.  We also describe
   other requirements and desirable properties from a client's
   viewpoint, and the ways in which each requirement is to be translated
   to make it suitable for lower levels in the protocol hierarchy.
   Finally, we present some examples of requirements specification, and
   discuss some of the possible objections to our approach.

   This research has been supported in part by AT&T Bell Laboratories,
   the University of California under a MICRO grant, and the
   International Computer Science Institute.  The views and conclusions
   in this document are those of the author and should not be
   interpreted as representing official policies, either expressed or
   implied, of any of the sponsoring organizations.

1.  Introduction

   We call real-time a computer communication service whose clients are
   allowed to specify their performance requirements and to obtain
   guarantees about the fulfillment of those requirements.

   Three terms in this definition need further discussion and
   clarification: clients, performance, and guarantees.

   Network architecture usually consists, at least from a logical
   viewpoint, of a stack of protocol layers. In the context of such an
   architecture, the notions of client and server apply to a number of



Ferrari                                                         [Page 1]

RFC 1193          Requirements for Real-Time Services      November 1990


   different pairs of entities: every layer (with the support of the
   underlying layers) provides a service to the layer immediately above
   it and is a client of its underlying layers.  In this paper, our
   considerations generally apply to any client-server pair.  However,
   most of them particularly refer to human clients (users, programmers)
   and to the ways in which such clients express their communication and
   processing needs to the system (e.g., interactive commands,
   application programs).  This type of client is especially important,
   since client needs at lower layers can be regarded as translations of
   the needs expressed by human clients at the top of the hierarchy.
   When the client is human, the server consists of the entire
   (distributed) system, including the hosts, their operating systems,
   and the networks interconnecting them.

   As for the generic term, performance, we will give it a fairly broad
   meaning.  It will include not only delay and throughput, the two main
   network performance indices, but also reliability of message
   delivery.  Real-time communication is concerned with those aspects of
   quality of service that have to do with performance in this broad
   sense.

   The term guarantee in this paper has a rather strong legal flavor.
   When a server guarantees a given level of performance for the
   communications of a client, it commits itself to providing that
   performance and to paying appropriate penalties if the actual
   performance turns out to be insufficient.  On the other hand, the
   client will have to obey certain rules, and will not be entitled to
   the requested performance guarantees unless those rules are
   scrupulously obeyed.  In other words, client and server have to enter
   into a contract specifying their respective rights and duties, the
   benefits that will accrue, the conditions under which those benefits
   will materialize, and the penalties they will incur for not keeping
   their mutual promises.  We believe that a legal viewpoint is to be
   adopted if serious progress in the delivery of communication services
   (not only the real-time ones) is desired.  Utility services, as well
   as other kinds of service, are provided under legally binding
   contracts, and a mature computer communication utility cannot fail to
   do the same.  In the field of real-time communication, such a
   contract will by definition include performance guarantees.

   Real-time services may be offered in any kind of network or
   internetwork. Some of their predictable applications are:

      (a)  digital continuous-media (motion video, audio)
           communication: lower bounds on throughput and upper bounds
           on delay or delay variability or both are needed to ensure
           any desired level of output quality; in the interactive case,
           both the values of delay and delay variabilities have to be



Ferrari                                                         [Page 2]

RFC 1193          Requirements for Real-Time Services      November 1990


           bounded; some limited message losses are often tolerable in
           the cases of video and voice (whenever very high quality is
           not required), but usually not in the case of sound;

      (b)  transmission of urgent messages in real-time distributed
           systems: delay bounds are the important guarantees to be
           provided in these applications; losses should ideally be
           impossible;

      (c)  urgent electronic-mail messages and, more in general,
           urgent datagrams: again, delay is the obvious index to be
           bounded in this case, but small probabilities of losses can
           often be tolerated;

      (d)  transfers of large files: minimum throughput bounds are
           usually more important than delay bounds in this
           application; also, all pieces of a file must be delivered
           with probability 1;

      (e)  fast request-reply communication: e.g., data base queries,
           information retrieval requests, remote procedure calls; this
           is another case in which delay (more precisely, round-trip
           delay) is the index of primary interest; reliability
           requirements are generally not very stringent.

   We conjecture that, when networks start offering well-designed and
   reasonably-priced real-time services, the use of such services will
   grow beyond the expectations of most observers.  This will occur
   primarily because new performance needs will be induced by the
   availability of guaranteed-performance options.  As the history of
   transportation and communication has repeatedly shown, faster
   services bring about major increases of the shipments that are
   perceived as urgent.  The phenomenon will be more conspicuous
   whenever the quality of service provided to non-real-time clients
   will deteriorate.  It is clear from this comment that we assume that
   real-time services will coexist within the same networks and
   internetworks with non-real-time communications.  Indeed, postulating
   a world in which the two types of service are segregated rather than
   integrated would be unrealistic, as it would go against the clear
   trend towards the eventual integration of all information services.
   For the same reason, the traffic in the network is assumed to be
   heterogeneous, i.e., to consist of a variety of types of messages,
   representing a variety of information media and their combinations,
   with a wide spectrum of burstiness values (from uncompressed
   continuous fixed-rate streams to very short and erratic bursts of
   information).

   This paper discusses the client requirements and characteristics of a



Ferrari                                                         [Page 3]

RFC 1193          Requirements for Real-Time Services      November 1990


   real-time communication service.  Server requirements and design
   principles will be the subject of a subsequent paper.  Section 2
   contains some considerations about the ways in which the clients
   specify their requirements, and those in which a server should reply
   to requests for real-time services.  Performance requirements are
   presented in Section 3; other properties that clients may need or
   desire are described in Section 4.  Section 5 deals with the problem
   of translating the requirements of a human client or an application
   for the equivalent lower-level ones.  In Section 6, we briefly
   present four examples of client requirement specifications, and in
   Section 7 we discuss some of the objections that can be raised
   against our approach.

2.  Client Requests and Server Replies

   No real-time service can be provided if the client does not specify,
   together with the requirements, the characteristics of the expected
   input traffic.  Describing input traffic and all the various
   requirements entails much work on the part of a client.  Gathering
   the necessary information and inputting it may be very time-
   consuming.  A well-designed real-time communication service will
   minimize the effort to be spent by a client.

   Sensible default values, the possibility of partial or incremental
   specifications (e.g., by editing preexisting specifications), and a
   number of standard descriptions should be provided.  These
   descriptions will include characterizations of inputs (e.g., those of
   a video stream for multimedia conferencing, an HDTV stream, a hi-fi
   audio stream, a file transfer stream, and so on) and standard sets of
   requirements.  With these aids, it might be possible for a human
   client to specify his or her request by a short phrase, perhaps
   followed by a few characters representing options or changes to the
   standard or default values.

   Since requests for real-time services may be denied because of a
   mismatch between the client's demands and the resources available to
   the server, the client will appreciate being informed about the
   reasons for any rejection, so that the request can be modified and
   resubmitted, or postponed, or cancelled altogether [Herr89].  The
   information provided by the server to a human client should be
   meaningful, useful, and non-redundant.  The reason for rejection
   should be understandable by the client (who should be assumed not to
   know any of the details of the operating system, of the protocols or
   of the network) and should be accompanied by data that will be useful
   to the client in deciding what to do as well as how the request ought
   to be modified to make it successful.  If, for example, a bound
   specified by the client cannot be guaranteed by the server under its
   current load, the information returned to the client should include



Ferrari                                                         [Page 4]

RFC 1193          Requirements for Real-Time Services      November 1990


   the minimum or maximum value of the bound that the server could
   guarantee; the client will thus be able to decide whether that bound
   would be acceptable (possibly with some other modifications as well)
   or not, and act accordingly.

   When the client is not a human being but an application or a process,
   the type of a server's replies should be very different from that
   just described [Herr89]; another standard interface, the one between
   an application and a real-time service, must therefore be defined,
   possibly in multiple, application-specific versions.

   Clients will also be interested in the pricing policies implemented
   by the server: these should be fair (or at least perceived to be
   fair) and easy to understand. The client should be able easily to
   estimate charges for given performance guarantees as a function of
   distance, time of day, and other variables, or to obtain these
   estimates from the server as a free off-line service.

3.  Performance Requirements

   A client can specify a service requirement using the general form

                               pred = TRUE,

   where some of the variables in predicate pred can be controlled or
   influenced by the server.

   A simple and popular form of performance requirement is that
   involving a bound.  A deterministic bound can be specified as

                  (var <= bound) = TRUE, or var <= bound,

   where variable var is server-controlled, while bound is client-
   specified.  The bounds in these expressions are upper bounds; if  <
   is replaced by  > , they become lower bounds.

   When the variable in the latter expression above is a probability, we
   have a statistical bound, and bound in that case is a probability
   bound; if the predicate is a deterministic bound, we have:

                 Prob (var <= bound) >= probability-bound.

   In this requirement, the variable has an upper bound, and the
   probability a lower bound.  Note that deterministic bounds can be
   viewed as statistical bounds that are satisfied with probability 1.

   A form of bound very similar to the statistical one is the fractional
   bound:



Ferrari                                                         [Page 5]

RFC 1193          Requirements for Real-Time Services      November 1990


                          Ca (var <= bound) >= b,

   where variable var has a value for each message in a stream, and Ca
   is a function that counts the number of times var satisfies the bound
   for any a consecutive messages in the stream; this number Ca must
   satisfy bound b.  Obviously, a fractional bound is realizable only if
   b <= a .  Fractional bounds will not be explicitly mentioned in the
   sequel, but they can be used in lieu of statistical bounds, and have
   over these bounds the avantages of easy verifiability and higher
   practical interest.

   In this section, we restrict our attention to those requirements that
   are likely to be the most useful to real-time clients.

3.1  Delay requirements

   Depending on the application, clients may wish to specify their delay
   requirements in different ways [Gait90].  The delays involved will
   usually be those of the application-oriented messages known to the
   client; for instance, the delay between the beginning of the client-
   level transmission of a video frame, file, or urgent datagram and the
   end of the client-level reception of the same frame, file, or urgent
   datagram.  (In those cases, e.g., in some distributed real-time
   systems, where message deadlines are assigned instead of message
   delays, we can always compute the latter from knowledge of the former
   and of the sending times, thereby reducing ourselves again to a delay
   bound requirement.)  Also, they will be the delays of those messages
   that are successfully delivered to the destination; the fraction of
   messages that are not, to which the delay bounds will not apply, will
   be bounded by reliability specifications.  Note that clients will
   express delay bounds by making implicit reference to their own
   clocks; the design of a real-time service for a large network will
   have to consider the impact on bounds enforcement of non-synchronized
   clocks [Verm90].  Some of the forms in which a delay requirement may
   be specified are

   (i)  deterministic delay bound:

                          Di <= Dmax  for all i,

   the client is delivered to the destination client-level entity, and
   Dmax is the delay upper bound specified by the client.  In our
   descriptions we assume, without loss of generality, that the client
   requesting a real-time service is the sending client, and that the
   destination (which could be a remote agent of the client or another
   user) is a third party with respect to the establishment of the
   particular communication being considered (In our descriptions we
   assume, without loss of generality, that the client requesting a



Ferrari                                                         [Page 6]

RFC 1193          Requirements for Real-Time Services      November 1990


   real-time service is the sending client, and that the destination
   (which could be a remote agent of the client or another user) is a
   third party with respect to the establishment of the particular
   communication being considered.);

   (ii)  statistical delay bound:

                       Prob ( Di <= Dmax ) >= Zmin,

      where Di and Dmax are defined as above, and Zmin is the lower
      bound of the probability of successful and timely delivery;

   (iii)  deterministic delay-jitter bound:

                   Ji = | Di - D | <= Jmax   for  all i,

      where D is the ideal, or target delay, Ji is the delay jitter of
      the i-th message delivered to the destination, and Jmax is the
      upper jitter bound to be specified by the client together with D;
      note that an equivalent form of this requirement consists of
      assigning a deterministic upper bound D + Jmax and a deterministic
      lower bound D - Jmax to the delays Di [Herr90];

   (iv)  statistical delay-jitter bound:

                   Prob (Ji <= Jmax) >= Umin, for all i,

      where  Umin  is the lower bound of the probability that Ji  be
      within its limits.

   Other forms of delay bound include bounds on average delay, delay
   variance, and functions of the sequence number of each message, for
   example, Dmax(i) for the deterministic case.  There may be
   applications in which one of these will be the preferred form, but,
   since we have not found any so far, we believe that the four types of
   bounds listed as (i)-(iv) above will cover the great majority of the
   practical cases.

3.2  Throughput requirements

   The actual throughput of an information transfer from a source to a
   destination is bounded above by the rate at which the source sends
   messages into the system.  Throughput may be lower than this rate
   because of the possibility of unsuccessful delivery or message loss.
   It is also bounded above by the maximum throughput, which is a
   function of, among other things, network load.  As the source
   increases its input rate, the actual throughput will grow up to a
   limit and then stop.  Clients concerned with the throughput of their



Ferrari                                                         [Page 7]

RFC 1193          Requirements for Real-Time Services      November 1990


   transfers will want to make sure that saturation is never reached, or
   is reached only with a suitably small probability and for acceptably
   short intervals.  Also, if the bandwidth allocated to a transfer is
   not constant, but varies dynamically on demand to accommodate, at
   least to some extent, peak requests, clients will be interested in
   adding an average throughput requirement, which should include
   information about the length of the interval over which the average
   must be computed [Ferr89a].

   Thus, reasonable forms for throughput requirements appear to be the
   following:

   (i)  deterministic throughput bound:

                          Ti >= Tmin, for all i,

      where Ti is the throughput actually provided by the server, and
      Tmin is the lower bound of throughput specified by the client,
      that is, the minimum throughput the server must offer to the
      client;

   (ii)  statistical throughput bound:

                        Prob (Ti >= Tmin) >= Vmin,

      where Ti and Tmin are defined as above, and Vmin is the lower
      bound of the probability that the server will provide a throughput
      greater than the lower bound;

   (iii) average throughput bound:

                                T >= Tave,

      where T is the average throughput provided by the server, Tave is
      its lower bound specified by the client, and both variables are
      averaged over an interval of duration I specified by the client;
      the above inequality must obviously hold for all intervals of
      duration I, i.e., even for that over which T is minimum.

   One clear difference between delay bounds and throughput bounds is
   that, while the server is responsible for delays, the actual
   throughputs of a non-saturated system are dictated by the input
   rates, which are determined primarily by the clients (though they may
   be influenced by the server through flow-control mechanisms).







Ferrari                                                         [Page 8]

RFC 1193          Requirements for Real-Time Services      November 1990


3.3  Reliability requirements

   The usefulness of error control via acknowledgments and
   retransmission in real-time applications is doubtful, especially in
   those environments where message losses are usually higher, i.e., in
   wide-area networks: the additional delays caused by acknowledgment
   and retransmission, and out-of-sequence delivery are likely to be
   intolerable in applications with stringent delay bounds, such as
   those having to do with continuous media.  Fortunately, the loss of
   some of the messages (e.g., video frames, voice packets) is often
   tolerable in these applications, but that of sound packets is
   generally intolerable.  In other cases, however, completeness of
   information delivery is essential (e.g., in file transfer
   applications), and traditional retransmission schemes will probably
   have to be employed.

   A message may be incorrect when delivered or may be lost in the
   network, i.e., not delivered at all.  Network unreliability (due, for
   example, to noise) is usually the cause of the former problem; buffer
   overflow (due to congestion) or node or link failure are those of the
   latter.  The client is not interested in this distinction: for the
   client, the message is lost in both cases.  Thus, the simplest form
   in which a reliability bound may be expressed and also, we believe,
   the one that will be most popular, is

              Prob (message is correctly delivered) >= Wmin,

   where Wmin is the lower bound of the probability of correct delivery,
   to be specified by the client.  The probability of message loss will
   obviously be bounded above by 1 - Wmin.  This is a statistical bound,
   but, as noted in Section 3, a deterministic reliability bound results
   if we set Wmin = 1.

   In those applications in which any message delivered with a delay
   greater than Dmax must be discarded, the fraction of messages usable
   by the destination will be bounded below by Wmin Zmin.  The client
   may actually specify the value of this product, and let the server
   decide the individual values of the two bounds, possibly subject to a
   client-assigned constraint, e.g., that the price of the service to
   the client be minimum.

   If the value of Wmin is greater than the system's reliability (the
   probability that a delivered message is correct), then there is no
   buffer space allocation in the hosts, interfaces, switches and
   routers or gateways that will allow the client-specified Wmin to be
   guaranteed.  In this case, the server uses error correcting codes, or
   (if the application permits) retransmission, or duplicate messages,
   or (if the sequencing problem discussed in Section 4.1 can be solved



Ferrari                                                         [Page 9]

RFC 1193          Requirements for Real-Time Services      November 1990


   satisfactorily or is not a problem) multiple physical channels for
   the same logical channel, or has to refuse the request.

4.  Other Required or Desirable Properties

   In this section, we briefly describe client requirements that cannot
   be easily expressed as bounds on, but are related to, communication
   performance.  These include sequencing, absence of duplications,
   failure recovery, and service setup time. We are not concerned here
   with features that may be very important but have a functionality
   (e.g., multicast capabilities) or security (e.g., client
   authentication) rather than a performance flavor. Requirements in
   these areas will generally have appreciable effects also on
   performance; we do not discuss them only because of space
   limitations.

   For a given application, some of these properties may be required,
   some others only desirable.  Also, some may be best represented as
   Boolean variables (present or absent), some others as continuous or
   multi-valued discrete variables, others yet as partially qualitative
   specifications.

4.1  Sequencing

   For applications involving message streams (rather than single
   datagrams), it may be necessary or desirable that messages be
   delivered in sequence, even though the sequence may not be complete.
   If the lower-level servers are not all capable of delivering messages
   sequentially, a resequencing operation may have to be performed at
   some higher level in the hierarchy.  In those cases in which
   reliability requirements make retransmission necessary, resequencing
   may delay delivery of a large number of messages by relatively long
   times.  An adequate amount of buffer space will have to be provided
   for this purpose at the level of the resequencer in the protocol
   hierarchy.

   If sequencing is not guaranteed by all servers at all levels, the
   application may be able to tolerate out-of-sequence messages as long
   as their number is small, or if the delay bound is so large that very
   few out-of-sequence messages have to be discarded because they are
   too late.  The client could be allowed to specify a bound on the
   probability that a message be delivered out of sequence, or to bundle
   out-of-sequence losses with the other types of message loss described
   by Wmin.  The client would specify the value of Wmin (or Wmin Zmin),
   and the server would have to decide how much probability to allow for
   buffer overflow, how much for network error, and how much for
   imperfect sequencing, taking into account the stringency of the delay
   bounds.



Ferrari                                                        [Page 10]

RFC 1193          Requirements for Real-Time Services      November 1990


   On the other hand, with fixed-route connections and appropriate
   queueing and scheduling in the hosts and in the network, it is often
   not too hard to ensure sequenced delivery at the various layers,
   hence also at the top.

4.2  Absence of duplications

   Most of the discussion of sequencing applies also to duplication of
   messages.  It is, however, easier and faster to eliminate
   duplications than to resequence, as long as some layer keeps track of
   the sequence numbers of the messages already received.  The
   specification of a bound may be needed only if duplications become
   very frequent, but this would be a symptom of serious network
   malfunction, and should not be dealt with in the same way as we
   handle delays or message losses.  These observations do not apply, of
   course, to the case of intentional duplication for higher
   reliability.

4.3  Failure recovery

   The contract between client and server of a real-time service will
   have to specify what will happen in the event of a server failure.
   Ideally, from the client's viewpoint, failures should be perfectly
   masked, and service should be completely fault-tolerant.  As we have
   already mentioned, however, it is usually unrealistic to expect that
   performance guarantees can be honored even in presence of failures.
   A little less unrealistic is to assume that service can resume a
   short time after a failure has disrupted it.  In general, clients may
   not only wish to know what will happen if a failure occurs, but also
   have a guaranteed upper bound on the likelihood of such an
   occurrence:

                          Prob (failure) <= Fmax.

   Different applications have different failure recovery requirements.
   Urgent datagrams or urgent message streams in most real-time
   distributed systems will probably not benefit much from recovery,
   unless it can be made so fast that hard deadlines may still be
   satisfied, at least in some cases.  In the case of video or audio
   transmission, timely resumption of service will normally be very
   useful or even necessary; thus, clients may need to be given
   guarantees about the upper bounds of mean or maximum time to repair;
   this may also be the case of other applications in which the
   deadlines are not so stringent, or where the main emphasis is on
   throughput and/or reliability rather than on delay.

   In communications over multi-node routes and/or long distances, the
   network itself may contain several messages for each source-



Ferrari                                                        [Page 11]

RFC 1193          Requirements for Real-Time Services      November 1990


   destination pair at the time a failure occurs.  The recovery scheme
   will have to solve the problems of failure notification (to all the
   system's components involved, and possibly also to the clients) and
   disposition of messages in transit.  The solutions adopted may make
   duplicate elimination necessary even in contexts in which no
   duplicates are ever created in the absence of failures.

4.4  Service setup time

   Real-time services must be requested before they can be used to
   communicate [Ferr89b].  Some clients may be interested in long-term
   arrangements which are set up soon after the signing of a contract
   and are kept in existence for long times (days, months, years).
   Others, typically for economical reasons, may wish to be allowed to
   request services dynamically and to avoid paying for them even when
   not in use.  The extreme case of short-term service is that in which
   the client wants to send one urgent datagram, but this is probably
   best handled by a service broker ("the datagraph office") using a
   permanent setup shared by many (or all) urgent datagrams.  In most
   other cases, a request for a short-term or medium-term service must
   be processed by the server before the client is allowed to receive
   that service (i.e., to send messages).  Certain applications will
   need the setup time to be short or, in any case, bounded: the maximum
   time the client will have to wait for a (positive or negative) reply
   to a request may have to be guaranteed by the server in the contract.

5.  Translating Requirements

   Performance specifications and other requirements are assigned at the
   top level, that of the human client or application, either explicitly
   or implicitly (see Section 2).  To be satisfied, these specifications
   need the support of all the underlying layers: we believe that a
   real-time service cannot be implemented on top of a server at some
   level that is unable to guarantee performance.  (Some of the other
   requirements can be satisfied even without this condition: for
   example, reliable delivery (when retransmission is acceptable) and
   sequencing.)  Upper-level requirements must be translated into
   lower-level ones, so that the implementation of the former will be
   adequately supported.  How should this be done?

5.1  Delay requirements

   The method for translating delay bounds macroscopically depends on
   the type of bound to be translated.  All methods have to deal with
   two problems: the effects of delays in the individual layers, and the
   effects of message fragmentation on the requirements.

   (i)  Deterministic delay bound.  A deterministic bound on the delay



Ferrari                                                        [Page 12]

RFC 1193          Requirements for Real-Time Services      November 1990


        encountered by a message in each layer (or group of layers) in
        the hosts will have to be estimated and enforced.
        The delay bound for a server at a given level will be obtained
        by subtracting the delay bounds of the layers above it in both
        the sending and the receiving host from the original global
        bound:

                      Dmax' = Dmax - SUMi {d(max,i)}.

      Message fragmentation can be handled by recalling that delay is
      defined as the difference between the instant of completion of the
      reception of a message and the instant when its shipment began.
      If x is the interfragment time (assumed constant for simplicity
      here) and f is the number of fragments in a message, we have

                            Dmax' = Dmax - x(f-1),

      where Dmax' is the fragment delay bound corresponding to the
      message delay bound Dmax, i.e., the delay of the first fragment.

   (ii)  Statistical delay bound.  The statistical case is more
         complicated.  If the bounds on the delay in each layer
         (or group of layers) are statistical, we may approach the
         problem of the messages delayed beyond the bound
         pessimistically, in which case we shall write

                    Zmin' = Zmin / (PRODi {z(min,i)}),


      where the index i spans the layers (or group of layers) above the
      given lower-level server, Zmin' is the probability bound to be
      enforced by that lower-level server, and d(max,i) and z(min,i) are
      the bounds for layer i.  (A layer has a sender side and a receiver
      side at the same level in the hierarchy.)  The expression for
      Zmin' is pessimistic because it assumes that a message delayed
      beyond its bound in a layer will not be able to meet the global
      bound Dmax.  (The expression above and the next one assume that
      the delays of a message in the layers are statistically
      independent of each other.  This assumption is usually not valid,
      but, in the light of the observations that follow the next
      expression, the error should be tolerable.)

      At the other extreme, we have the optimistic approach, which
      assumes that a message will not satisfy the global bound only if
      it is delayed beyond its local bound in each layer:

                Zmin' = 1 - (1 - Zmin)/(PRODi {1 - z(min,i)}).




Ferrari                                                        [Page 13]

RFC 1193          Requirements for Real-Time Services      November 1990


      The correct assumption will be somewhere in between the
      pessimistic and the optimistic ones.  However, in order to be able
      to guarantee the global bound, the system will have to choose the
      pessimistic approach, unless a better approximation to reality can
      be found.  An alternative that may turn out to be more convenient
      is the one of considering the bounds in the layers as
      deterministic, in which case Zmin' will equal Zmin, and the global
      bound will be statistical only because the network will guarantee
      a statistical bound.

      When estimating the effects of message fragmentation, the new
      bounds must refer to the fragment stream as though its components
      were independent of each other.  Assuming sequential delivery of
      fragments, a message is delayed beyond its bound if its last
      fragment is delayed beyond the fragment bound.  Our goal can be
      achieved by imposing the same probability bound on fragments as on
      messages [Verm90]. Thus,

                                Zmin' = Zmin.

      Note that both expressions for D prime sub max given in (i) above
      apply to the statistical delay bound case as well.

   (iii) Deterministic delay-jitter bound.  For the case of layer to
         layer translation, the discussion above yields:

                     Jmax' = Jmax - SUMi {j(max,i)} ,

      where j(max,i) is the deterministic jitter bound of the i-th layer
      above the given lower-level server.  When messages are fragmented,
      the delay jitter bound can be left unchanged:

                                Jmax' = Jmax .

      There would be reasons to reduce it in the case of message
      fragmentation only if the underlying server did not guarantee
      sequenced delivery, and if no resequencing of fragments were
      provided by the corresponding reassembly layer on the receiving
      side.

   (iv)  Statistical delay-jitter bound.  The interested reader will
         be able with little effort to derive the translation formulas
         for this case from the definition in Section 3.1 (iv)
         and from the discussion in (ii) and (iii) above.







Ferrari                                                        [Page 14]

RFC 1193          Requirements for Real-Time Services      November 1990


5.2  Throughput requirements

   Since all layers are in cascade, the throughput bounds would be the
   same for all of them if headers and sometimes trailers were not added
   at each layer for encapsulation or fragmentation. Thus, throughput
   bounds have to be increased as the request travels downward through
   the protocol hierarchy, and the server at each layer knows by how
   much, since it is responsible for these additions.

5.3  Reliability requirements

   If we assume, quite realistically, that the probability of message
   loss in a host is extremely small, then we do not have to change the
   value of Wmin when we change layers.

   The effects of message fragmentation are similar to those on
   statistical delay bounds, but in a given application a message may be
   lost even if only one of its fragments is lost.  Thus, we have

                        Wmin' = 1 - (1 - Wmin)/f ,

   where Wmin' is the lower bound of the correct delivery probability
   for the fragment stream, and f is the number of fragments per
   message.  The optimistic viewpoint, which is the one we adopted in
   Section 5.1 (ii), yields Wmin' = Wmin, and the observations made in
   that section about the true bound and about providing guarantees
   apply.

5.4  Other requirements

   Of the requirements and desiderata discussed in Section 4, those that
   are specified as a Boolean value or a qualitative attribute do not
   have to be modified for lower-level servers unless they are satisfied
   in some layer above those servers (e.g., no sequencing is to be
   required below the level where a resequencer operates).  When they
   are represented by a bound (e.g., one on the setup time, as described
   in Section 4.4), then bounds for the layers above a lower-level
   server will have to be chosen to calculate the corresponding bound
   for that server.  The above discussions of the translation of
   performance requirements will, in most cases, provide the necessary
   techniques for doing these calculations.

   The requirement that the server give clear and useful replies to
   client requests (see Section 2) raises the interesting problem of
   reverse translation, that from lower-level to upper-level
   specifications.  However, at least in most cases, this does not seem
   to be a difficult problem: all the translation formulas we have
   written above are very easily invertible (in other words, it is



Ferrari                                                        [Page 15]

RFC 1193          Requirements for Real-Time Services      November 1990


   straightforward to express Dmax as a function of Dmax', Zmin as a
   function of Zmin', and so on).

6.  Examples

   In this section we describe some examples of client requirements for
   real-time services.  Simplifying assumptions are introduced to
   decrease the amount of detail and increase clarity.  Our intent is to
   determine the usefulness of the set of requirements proposed above,
   and to investigate some of the problems that may arise in practical
   cases.  An assumption underlying all examples is that the network's
   transmission rate is 45 Mbits/s, and that the hosts can keep up with
   this rate when processing messages.

6.1  Interactive voice

   Let us assume that human clients are to specify the requirements for
   voice that is already digitized (at a 64 kbits/s rate) and packetized
   (packet size: 48 bytes, coinciding with the size of an ATM cell;
   packet transmission time: 8.53 microseconds ; packet interarrival
   time: 6 ms).  Since the communication is interactive, deterministic
   (and statistical) delay bounds play a very important role.  Jitter is
   also important, but does not dominate the other requirements as in
   non-interactive audio or video communication (see Section 6.2).  The
   minimum throughput offered by the system must correspond to the
   maximum input rate, i.e., 64 kbits/s; in fact, because of header
   overhead (5 control bytes for every 48 data bytes), total guaranteed
   throughput should be greater than 70.66 kbits/s, i.e., 8,834 bytes/s.
   (Since the client may not know the overhead introduced by the system,
   the system may have to compute this value from the one given by the
   client, which in this case would be 8 kbytes/s.)  The minimum average
   throughput over an interval as long as 100 s is 44% of Tmin, due to
   the silence periods [Brad64].

   Voice transmission can tolerate limited packet losses without making
   the speech unintelligible at the receiving end.  We assume that a
   maximum loss of two packets out of 100 (each packet corresponding to
   6 ms of speech) can be tolerated even in the worst case, i.e., when
   the two packets are consecutive.  Since packets arriving after their
   absolute deadline are discarded if the delay bound is to be
   statistical, then this maximum loss rate must include losses due to
   lateness, i.e., 0.98 will have to be the value of Zmin Wmin rather
   than just that of Wmin.

   This is illustrated in the first column of Table Ia, which consists
   of two subcolumns: one is for the choice of a deterministic delay
   bound, the other one for that of a statistical delay bound and a
   combined bound on the probability of lateness or loss.  If in a row



Ferrari                                                        [Page 16]

RFC 1193          Requirements for Real-Time Services      November 1990


   there is a single entry, that entry is the same for both subcolumns.
   Note that the maximum setup time could be made much longer if
   connections had to be reserved in advance.

   Since voice is packetized at the client's level, we will not have to
   worry about the effects of fragmentation while translating the
   requirements into their lower-level correspondents.

6.2  Non-interactive video

   At the level of the client, the video message stream consists of 1
   Mbit frames, to be transmitted at the rate of 30 frames per second.
   Thus, the throughput bounds (both deterministic and average) are,
   taking into account the overhead of ATM cell headers, 4.14 Mbytes/s.
   As in the case of interactive voice, we have two alternatives for the
   specification of delay bounds: the first subcolumn is for the
   deterministic bound case, the second for that of a statistical bound
   on delays and a combined probability bound on lateness or loss; the
   latter bound is set to at most 10 frames out of 100, i.e., three out
   of 30.  However, the really important bound in this case is the one
   on delay jitter, set at 5 ms, which is roughly equal to half of the
   interval between two successive frames, and between 1/4 and 1/5 of
   the transmission time.  This dominance of the jitter bound is the
   reason why the other delay bounds are in parentheses.

   If we assume that video frames will have to be fragmented into cells
   at some lower level in the protocol hierarchy, then these
   requirements must be translated at that level into those shown in the
   first column of Table II.  The values of Dmax' have been calculated
   with x = 12.8 microseconds and f = 2605 fragments/frame.  The range
   of Wmin' and of (Zmin Wmin)' is quite wide, and achieving its higher
   value (a probability of 1) may turn out to be either very expensive
   or impossible.  We observe, however, that a frame in which a packet
   or more are missing or have been incorrectly received does not have
   to be discarded but can be played with gaps or patched with the old
   packets in lieu of the missing or corrupted ones.  Thus, it may be
   possible to consider an optimistic approach (e.g., Zmin' = Zmin,
   Wmin' = Wmin, (Zmin Wmin)' = Zmin Wmin ) as sufficiently safe.

6.3  Real-time datagram

   A real-time datagram is, for instance, an alarm condition to be
   transmitted in an emergency from one machine to another (or a group
   of others) in a distributed real-time system.  The client
   requirements in this case are very simple: a deterministic bound is
   needed (we are assuming that this is a hard-real-time context), the
   reliability of delivery must be very high, and the service setup time
   should be very small.  The value of 0.98 for Wmin in Table Ib tries



Ferrari                                                        [Page 17]

RFC 1193          Requirements for Real-Time Services      November 1990


   to account for the inevitable network errors and to suggest that
   retransmission should not be used as might be necessary if we wanted
   to have Wmin = 1, because it would be too slow.  To increase
   reliability in this case, error correcting codes or spatial
   redundancy will have to be resorted to instead.

   Note that one method for obtaining a very small setup time consists
   of shipping such urgent datagrams on long-lasting connections
   previously created between the hosts involved and with the
   appropriate characteristics.  Note also that throughput requirements
   cannot be defined, since we are dealing with one small message only,
   which may not even have to be fragmented.  Guarantees on the other
   bounds will fully satisfy the needs of the client in this case.

6.4  File transfer

   Large files are to be copied from a disk to a remote disk.  We assume
   that the receiving disk's speed is greater than or equal to the
   sending disk's, and that the transfer could therefore proceed, in the
   absence of congestion, at the speed of the sending disk.  The message
   size equals the size of one track (11 Kbytes, including disk surface
   overhead such as intersector gaps), and the maximum input rate is
   5.28 Mbits/s.  Taking into account the ATM cell headers, this rate
   becomes 728 kbytes/s; this is the minimum peak throughput to be
   guaranteed by the system.  The minimum average throughput to be
   provided is smaller, due to head switching times and setup delays
   (seek times are even longer, hence need not be considered here): we
   set its value at 700 kbytes/s.

   Delay bounds are much less important in this example than in the
   previous ones; in Table Ib, we show deterministic and statistical
   bounds in parentheses.  Reliability must be eventually 1 to ensure
   the integrity of the file's copy.  This result will have to be
   obtained by error correction (which will increase the throughput
   requirements) or retransmission (which would break most delay bounds
   if they were selected on the basis of the first shipment only instead
   of the last one).

   The second column in Table II shows the results of translating these
   requirements to account for message fragmentation.  The values x =
   78.3 microseconds and f = 230 have been used to compute those of
   Dmax'.

7.  Discussion

   In this section, we briefly discuss some of the objections that can
   be raised concerning our approach to real-time service requirements.
   Some of the objections are fundamental ones: they are at least as



Ferrari                                                        [Page 18]

RFC 1193          Requirements for Real-Time Services      November 1990


   related to the basic decisions to be made in the design of the server
   as they are to client requirements.

   Objection 1: Guarantees are not necessary.

   This is the most radical objection, as it stems from a basic
   disagreement with our definition of real-time service.  The problem,
   however, is not with definitions or terminologies: the really
   important question is whether a type of service such as the one we
   call "real-time" will be necessary or at least useful in future
   networks.  This objection is raised by the optimists, those who
   believe that network bandwidth will be so abundant that congestion
   will become a disease of the past, and that delays will therefore be
   small enough that the enforcement of legalistic guarantees will not
   be necessary.  The history of computers and communications, however,
   does not unfortunately support these arguments, while it supports
   those of the pessimists.  In a situation of limited resources
   (limited with respect to the existing demand for them), we believe
   that there is no serious solution of the real-time communication
   problem other than one based on a policy for the allocation of
   resources that rigorously guarantees the satisfaction of performance
   needs.  Even if the approaches to be adopted in practical networks
   will provide only approximate guarantees, it is important to devise
   methods that offer without exceptions precisely defined bounds.
   These methods can at the very least be used as reference approaches
   for comparison and evaluation.

   Objection 2: Real-time services are too expensive because reservation
   of resources is very wasteful.

   This may be true if resources are exclusively reserved; for example,
   physical circuits used for bursty traffic in a circuit-switched
   network.  There are, however, other ways of building real-time
   services, based on priority mechanisms and preemption rather than
   exclusive reservation of resources.  With these schemes, the real-
   time traffic always finds the resources it needs by preempting non-
   real-time traffic, as long as the real-time load is kept below a
   threshold.  The threshold corresponds to the point where the demand
   by real-time traffic for the bottleneck resource equals the amount of
   that resource in the system.  With this scheme, all resources not
   used by real-time traffic can be used at any time by local tasks and
   non-real-time traffic.  Congestion may affect the latter, but not
   real-time traffic.  Thus, the only limitation is that a network
   cannot carry unbounded amounts of real-time traffic, and must refuse
   any further requests when it has reached the saturation point.






Ferrari                                                        [Page 19]

RFC 1193          Requirements for Real-Time Services      November 1990


   Objection 3: Real-time services can be built on top of non-real-time
   servers.

   If one accepts our interpretation of the term "guarantee," one can
   easily see that performance guarantees cannot be provided by a
   higher-level server unless it can rely on real-time support by its
   underlying server.  Since this is true at all levels, we conclude
   that a real-time network service and similar services at all
   intermediate levels are needed to provide guaranteed performance to
   human clients and applications.

   Objection 4: Delay bounds are not necessary, throughput requirements
   suffice.

   Guaranteeing minimum throughput bounds does not automatically and in
   general result in any stringent upper bound on delay.  Delays in the
   hosts and nodes of a packet-switching network fluctuate because of
   bursty real-time message streams, starting and ending of traffic on
   individual connections (even those with continuous, constant-rate
   traffic), and the behavior of scheduling algorithms.  Even if delays
   did not fluctuate, but had a constant value, it would be possible for
   a given throughput bound to be satisfied with many different constant
   values for the delay of each message.  If delay bounds are wanted,
   they must be explicitly guaranteed and enforced.  (In a circuit-
   switching network, the circuit assigned to a connection has its own
   throughput and its own delay.  These values may be considered as
   explicitly guaranteed and enforced.)

   But are delay bounds wanted?  We believe they are in digital video
   and audio communication, especially in the form of delay jitter
   bounds, and they will be in other contexts as soon as a service which
   can bound delays is offered.

   Objection 5: Satisfaction of statistical bounds is impossible to
   verify.

   Strictly speaking, this objection is valid.  No matter how many
   packets on a connection have been delayed beyond their bound (or lost
   or delivered with errors), it is always in principle possible for the
   server to redress the situation in the future and meet the given
   statistical requirements.  A more sensible and verifiable bound would
   be a fractional one (see Section 3).  For instance, such a bound
   could be specified as follows: out of 100 consecutive packets, no
   less than 97 shall not be late.  In this case, the bound is no longer
   Zmin, a probability of 0.97, but is given by the two values B = 97
   and A = 100; it is not only their ratio that counts but also their
   individual values.




Ferrari                                                        [Page 20]

RFC 1193          Requirements for Real-Time Services      November 1990


8.  Conclusion

   This paper has presented a specification of some of the requirements
   that human clients and applications may wish to impose on real-time
   communications.  Though those listed seem to be among the most useful
   and natural ones, no attempt has been made to be exhaustive and
   comprehensive.

   We have investigated delay bounds, throughput bounds, reliability
   bounds, and other requirements.  We have studied how the requirements
   should be translated from the client's level into forms suitable (and
   correct) for lower levels, described some examples of requirement
   specification, and discussed some of the objections that may be
   raised.

   The material in this paper covers only part of the first phase in the
   design of a real-time service: that during which the various
   requirements are assembled and examined to extract useful suggestions
   for the design of the server.  Server needs and design principles
   will be the subject of the subsequent paper mentioned several times
   above.

Acknowledgments

   Ralf Herrtwich and Dinesh Verma contributed ideas to, and corrected
   mistakes in, a previous version of the manuscript.  The author is
   deeply indebted to them for their help and for the many discussions
   he had with them on the topics dealt with in this paper.  The
   comments of Ramesh Govindan and Riccardo Gusella are also gratefully
   acknowledged.

References

   [Brad64]  Brady, P., "A Technique for Investigating On-Off Patterns
             of Speech", Bell Systems Technical Journal, Vol. 44,
             Pgs. 1-22, 1964.

   [Ferr89a] Ferrari, D., "Real-Time Communication in
             Packet-Switching Wide-Area Networks", Technical Report
             TR-89-022, International Computer Science Institute,
             Berkeley, May 1989.

   [Ferr89b] Ferrari D., and D. Verma, "A Scheme for Real-Time Channel
             Establishment in Wide-Area Networks", IEEE J. Selected
             Areas Communications SAC-8, April 1990.

   [Gait90]  Gaitonde, S., D. Jacobson, and A. Pohm, "Bounding Delay on
             a Multifarious Token Ring Network", Communications of the



Ferrari                                                        [Page 21]

RFC 1193          Requirements for Real-Time Services      November 1990


             ACM, Vol. 33, No. 1, Pgs. 20-28, January 1990.

   [Herr89]  Herrtwich R., and U. Brandenburg, "Accessing and
             Customizing Services in Distributed Systems", Technical
             Report TR-89-059, International Computer Science Institute,
             Berkeley, October 1989.

   [Herr90]  Herrtwich, R, personal communication, February 1990.

   [Verm90]  Verma, D., personal communication, February 1990.


                                 Table Ia
                    Examples of Client Requirements

                           Interactive  Non-Interactive
                              Voice           Video

Delay Bounds
deterministic:Dmax [ms]    200     -     (1000)    -
statistical:Dmax [ms]       -     200       -    (1000)
            Zmin            -     (*)       -      (*)
jitter:Jmax [ms]               1                5

Throughput Bounds
deterministic:Tmin [kby/s]   8.834            4140
average:Tave [kby/s]         3.933            4140
        I [s]                 100              100

Reliability Bound:Wmin     0.98   (*)     (0.90)   (*)
Delay&Reliability:ZminWmin  -    0.98       -      0.90

Sequencing                    yes              yes
Absence of Duplications       yes              yes
Failure Recovery:
 max.repair time [s]           10              100
Max.Setup Time [s]            0.8 (o)          15 (o)

----------------------------------

(*) To be chosen by the server
(o) Could be much longer if advance reservations were required
(+) Could be achieved by using a preexisting connection








Ferrari                                                        [Page 22]

RFC 1193          Requirements for Real-Time Services      November 1990


                                 Table Ib
                    Examples of Client Requirements

                           Real-Time     File
                            Datagram   Transfer

Delay Bounds
deterministic:Dmax [ms]        50      -   (1500)
statistical:Dmax [ms]           -    (1000)   -
            Zmin                -    (0.95)   -
jitter:Jmax [ms]                -             -

Throughput Bounds
deterministic:Tmin [kby/s]      -          728
average:Tave [kby/s]            -          700
        I [s]                   -          100

Reliability Bound:Wmin        0.98          1
Delay&Reliability:ZminWmin      -           -

Sequencing                      -          yes
Absence of Duplications        yes         yes
Failure Recovery:
 max.repair time [s]            -          100
Max.Setup Time [s]             0 (+)       5 (o)

----------------------------------

(*) To be chosen by the server
(o) Could be much longer if advance reservations were required
(+) Could be achieved by using a preexisting connection




















Ferrari                                                        [Page 23]

RFC 1193          Requirements for Real-Time Services      November 1990


                                Table II
                  Translation of the Requirements in Table I

                           Non-Interactive            File
                                Video               Transfer

Delay Bounds
deterministic:Dmax' [ms]     (966)    -            -    (1482)
statistical:Dmax' [ms]         -    (966)        (982)     -
            Zmin'              -     (*)         (0.95)    -
jitter:Jmax' [ms]                 5                    -

Reliability Bound:Wmin'      0.90-1  (*)               1

Delay&Reliability:(ZminWmin)'  -    0.90-1             -

_____________________________________

(*) To be chosen by the server



Security Considerations

   Security considerations are not discussed in this memo.

Author's Address

   Domenico Ferrari
   University of California
   Computer Science Division
   EECS Department
   Berkeley, CA 94720

   Phone: (415) 642-3806

   EMail: ferrari@UCBVAX.BERKELEY.EDU














Ferrari                                                        [Page 24]