From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc2475.txt | 2019 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2019 insertions(+) create mode 100644 doc/rfc/rfc2475.txt (limited to 'doc/rfc/rfc2475.txt') diff --git a/doc/rfc/rfc2475.txt b/doc/rfc/rfc2475.txt new file mode 100644 index 0000000..fd7b2c8 --- /dev/null +++ b/doc/rfc/rfc2475.txt @@ -0,0 +1,2019 @@ + + + + + + +Network Working Group S. Blake +Request for Comments: 2475 Torrent Networking Technologies +Category: Informational D. Black + EMC Corporation + M. Carlson + Sun Microsystems + E. Davies + Nortel UK + Z. Wang + Bell Labs Lucent Technologies + W. Weiss + Lucent Technologies + December 1998 + + + An Architecture for Differentiated Services + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1998). All Rights Reserved. + +Abstract + + This document defines an architecture for implementing scalable + service differentiation in the Internet. This architecture achieves + scalability by aggregating traffic classification state which is + conveyed by means of IP-layer packet marking using the DS field + [DSFIELD]. Packets are classified and marked to receive a particular + per-hop forwarding behavior on nodes along their path. Sophisticated + classification, marking, policing, and shaping operations need only + be implemented at network boundaries or hosts. Network resources are + allocated to traffic streams by service provisioning policies which + govern how traffic is marked and conditioned upon entry to a + differentiated services-capable network, and how that traffic is + forwarded within that network. A wide variety of services can be + implemented on top of these building blocks. + + + + + + + + + +Blake, et. al. Informational [Page 1] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +Table of Contents + + 1. Introduction ................................................. 2 + 1.1 Overview ................................................. 2 + 1.2 Terminology ............................................... 4 + 1.3 Requirements .............................................. 8 + 1.4 Comparisons with Other Approaches ......................... 9 + 2. Differentiated Services Architectural Model .................. 12 + 2.1 Differentiated Services Domain ............................ 12 + 2.1.1 DS Boundary Nodes and Interior Nodes .................. 12 + 2.1.2 DS Ingress Node and Egress Node ....................... 13 + 2.2 Differentiated Services Region ............................ 13 + 2.3 Traffic Classification and Conditioning ................... 14 + 2.3.1 Classifiers ........................................... 14 + 2.3.2 Traffic Profiles ...................................... 15 + 2.3.3 Traffic Conditioners .................................. 15 + 2.3.3.1 Meters ............................................ 16 + 2.3.3.2 Markers ........................................... 16 + 2.3.3.3 Shapers ........................................... 17 + 2.3.3.4 Droppers .......................................... 17 + 2.3.4 Location of Traffic Conditioners and MF Classifiers ... 17 + 2.3.4.1 Within the Source Domain .......................... 17 + 2.3.4.2 At the Boundary of a DS Domain .................... 18 + 2.3.4.3 In non-DS-Capable Domains ......................... 18 + 2.3.4.4 In Interior DS Nodes .............................. 19 + 2.4 Per-Hop Behaviors ......................................... 19 + 2.5 Network Resource Allocation ............................... 20 + 3. Per-Hop Behavior Specification Guidelines .................... 21 + 4. Interoperability with Non-Differentiated Services-Compliant + Nodes ........................................................ 25 + 5. Multicast Considerations ..................................... 26 + 6. Security and Tunneling Considerations ........................ 27 + 6.1 Theft and Denial of Service ............................... 28 + 6.2 IPsec and Tunneling Interactions .......................... 30 + 6.3 Auditing .................................................. 32 + 7. Acknowledgements ............................................. 32 + 8. References ................................................... 33 + Authors' Addresses ............................................... 34 + Full Copyright Statement ......................................... 36 + +1. Introduction + +1.1 Overview + + This document defines an architecture for implementing scalable + service differentiation in the Internet. A "Service" defines some + significant characteristics of packet transmission in one direction + across a set of one or more paths within a network. These + + + +Blake, et. al. Informational [Page 2] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + characteristics may be specified in quantitative or statistical terms + of throughput, delay, jitter, and/or loss, or may otherwise be + specified in terms of some relative priority of access to network + resources. Service differentiation is desired to accommodate + heterogeneous application requirements and user expectations, and to + permit differentiated pricing of Internet service. + + This architecture is composed of a number of functional elements + implemented in network nodes, including a small set of per-hop + forwarding behaviors, packet classification functions, and traffic + conditioning functions including metering, marking, shaping, and + policing. This architecture achieves scalability by implementing + complex classification and conditioning functions only at network + boundary nodes, and by applying per-hop behaviors to aggregates of + traffic which have been appropriately marked using the DS field in + the IPv4 or IPv6 headers [DSFIELD]. Per-hop behaviors are defined to + permit a reasonably granular means of allocating buffer and bandwidth + resources at each node among competing traffic streams. Per- + application flow or per-customer forwarding state need not be + maintained within the core of the network. A distinction is + maintained between: + + o the service provided to a traffic aggregate, + + o the conditioning functions and per-hop behaviors used to realize + services, + + o the DS field value (DS codepoint) used to mark packets to select a + per-hop behavior, and + + o the particular node implementation mechanisms which realize a + per-hop behavior. + + Service provisioning and traffic conditioning policies are + sufficiently decoupled from the forwarding behaviors within the + network interior to permit implementation of a wide variety of + service behaviors, with room for future expansion. + + This architecture only provides service differentiation in one + direction of traffic flow and is therefore asymmetric. Development + of a complementary symmetric architecture is a topic of current + research but is outside the scope of this document; see for example + [EXPLICIT]. + + Sect. 1.2 is a glossary of terms used within this document. Sec. 1.3 + lists requirements addressed by this architecture, and Sec. 1.4 + provides a brief comparison to other approaches for service + differentiation. Sec. 2 discusses the components of the architecture + + + +Blake, et. al. Informational [Page 3] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + in detail. Sec. 3 proposes guidelines for per-hop behavior + specifications. Sec. 4 discusses interoperability issues with nodes + and networks which do not implement differentiated services as + defined in this document and in [DSFIELD]. Sec. 5 discusses issues + with multicast service delivery. Sec. 6 addresses security and + tunnel considerations. + +1.2 Terminology + + This section gives a general conceptual overview of the terms used in + this document. Some of these terms are more precisely defined in + later sections of this document. + + Behavior Aggregate (BA) a DS behavior aggregate. + + BA classifier a classifier that selects packets based + only on the contents of the DS field. + + Boundary link a link connecting the edge nodes of two + domains. + + Classifier an entity which selects packets based on + the content of packet headers according to + defined rules. + + DS behavior aggregate a collection of packets with the same DS + codepoint crossing a link in a particular + direction. + + DS boundary node a DS node that connects one DS domain to a + node either in another DS domain or in a + domain that is not DS-capable. + + DS-capable capable of implementing differentiated + services as described in this architecture; + usually used in reference to a domain + consisting of DS-compliant nodes. + + DS codepoint a specific value of the DSCP portion of the + DS field, used to select a PHB. + + DS-compliant enabled to support differentiated services + functions and behaviors as defined in + [DSFIELD], this document, and other + differentiated services documents; usually + used in reference to a node or device. + + + + + +Blake, et. al. Informational [Page 4] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + DS domain a DS-capable domain; a contiguous set of + nodes which operate with a common set of + service provisioning policies and PHB + definitions. + + DS egress node a DS boundary node in its role in handling + traffic as it leaves a DS domain. + + DS ingress node a DS boundary node in its role in handling + traffic as it enters a DS domain. + + DS interior node a DS node that is not a DS boundary node. + + DS field the IPv4 header TOS octet or the IPv6 + Traffic Class octet when interpreted in + conformance with the definition given in + [DSFIELD]. The bits of the DSCP field + encode the DS codepoint, while the + remaining bits are currently unused. + + DS node a DS-compliant node. + + DS region a set of contiguous DS domains which can + offer differentiated services over paths + across those DS domains. + + Downstream DS domain the DS domain downstream of traffic flow on + a boundary link. + + Dropper a device that performs dropping. + + Dropping the process of discarding packets based on + specified rules; policing. + + Legacy node a node which implements IPv4 Precedence as + defined in [RFC791,RFC1812] but which is + otherwise not DS-compliant. + + Marker a device that performs marking. + + Marking the process of setting the DS codepoint in + a packet based on defined rules; pre- + marking, re-marking. + + Mechanism a specific algorithm or operation (e.g., + queueing discipline) that is implemented in + a node to realize a set of one or more per- + hop behaviors. + + + +Blake, et. al. Informational [Page 5] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + Meter a device that performs metering. + + Metering the process of measuring the temporal + properties (e.g., rate) of a traffic stream + selected by a classifier. The + instantaneous state of this process may be + used to affect the operation of a marker, + shaper, or dropper, and/or may be used for + accounting and measurement purposes. + + Microflow a single instance of an application-to- + application flow of packets which is + identified by source address, source port, + destination address, destination port and + protocol id. + + MF Classifier a multi-field (MF) classifier which selects + packets based on the content of some + arbitrary number of header fields; + typically some combination of source + address, destination address, DS field, + protocol ID, source port and destination + port. + + Per-Hop-Behavior (PHB) the externally observable forwarding + behavior applied at a DS-compliant node to + a DS behavior aggregate. + + PHB group a set of one or more PHBs that can only be + meaningfully specified and implemented + simultaneously, due to a common constraint + applying to all PHBs in the set such as a + queue servicing or queue management policy. + A PHB group provides a service building + block that allows a set of related + forwarding behaviors to be specified + together (e.g., four dropping priorities). + A single PHB is a special case of a PHB + group. + + Policing the process of discarding packets (by a + dropper) within a traffic stream in + accordance with the state of a + corresponding meter enforcing a traffic + profile. + + Pre-mark to set the DS codepoint of a packet prior + to entry into a downstream DS domain. + + + +Blake, et. al. Informational [Page 6] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + Provider DS domain the DS-capable provider of services to a + source domain. + + Re-mark to change the DS codepoint of a packet, + usually performed by a marker in accordance + with a TCA. + + Service the overall treatment of a defined subset + of a customer's traffic within a DS domain + or end-to-end. + + Service Level Agreement a service contract between a customer and a + (SLA) service provider that specifies the + forwarding service a customer should + receive. A customer may be a user + organization (source domain) or another DS + domain (upstream domain). A SLA may + include traffic conditioning rules which + constitute a TCA in whole or in part. + + Service Provisioning a policy which defines how traffic + Policy conditioners are configured on DS boundary + nodes and how traffic streams are mapped to + DS behavior aggregates to achieve a range + of services. + + Shaper a device that performs shaping. + + Shaping the process of delaying packets within a + traffic stream to cause it to conform to + some defined traffic profile. + + Source domain a domain which contains the node(s) + originating the traffic receiving a + particular service. + + Traffic conditioner an entity which performs traffic + conditioning functions and which may + contain meters, markers, droppers, and + shapers. Traffic conditioners are typically + deployed in DS boundary nodes only. A + traffic conditioner may re-mark a traffic + stream or may discard or shape packets to + alter the temporal characteristics of the + stream and bring it into compliance with a + traffic profile. + + + + + +Blake, et. al. Informational [Page 7] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + Traffic conditioning control functions performed to enforce + rules specified in a TCA, including + metering, marking, shaping, and policing. + + Traffic Conditioning an agreement specifying classifier rules + Agreement (TCA) and any corresponding traffic profiles and + metering, marking, discarding and/or + shaping rules which are to apply to the + traffic streams selected by the classifier. + A TCA encompasses all of the traffic + conditioning rules explicitly specified + within a SLA along with all of the rules + implicit from the relevant service + requirements and/or from a DS domain's + service provisioning policy. + + Traffic profile a description of the temporal properties + of a traffic stream such as rate and burst + size. + + Traffic stream an administratively significant set of one + or more microflows which traverse a path + segment. A traffic stream may consist of + the set of active microflows which are + selected by a particular classifier. + + Upstream DS domain the DS domain upstream of traffic flow on a + boundary link. + +1.3 Requirements + + The history of the Internet has been one of continuous growth in the + number of hosts, the number and variety of applications, and the + capacity of the network infrastructure, and this growth is expected + to continue for the foreseeable future. A scalable architecture for + service differentiation must be able to accommodate this continued + growth. + + The following requirements were identified and are addressed in this + architecture: + + o should accommodate a wide variety of services and provisioning + policies, extending end-to-end or within a particular (set of) + network(s), + + o should allow decoupling of the service from the particular + application in use, + + + + +Blake, et. al. Informational [Page 8] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + o should work with existing applications without the need for + application programming interface changes or host software + modifications (assuming suitable deployment of classifiers, + markers, and other traffic conditioning functions), + + o should decouple traffic conditioning and service provisioning + functions from forwarding behaviors implemented within the core + network nodes, + + o should not depend on hop-by-hop application signaling, + + o should require only a small set of forwarding behaviors whose + implementation complexity does not dominate the cost of a network + device, and which will not introduce bottlenecks for future high- + speed system implementations, + + o should avoid per-microflow or per-customer state within core + network nodes, + + o should utilize only aggregated classification state within the + network core, + + o should permit simple packet classification implementations in core + network nodes (BA classifier), + + o should permit reasonable interoperability with non-DS-compliant + network nodes, + + o should accommodate incremental deployment. + +1.4 Comparisons with Other Approaches + + The differentiated services architecture specified in this document + can be contrasted with other existing models of service + differentiation. We classify these alternative models into the + following categories: relative priority marking, service marking, + label switching, Integrated Services/RSVP, and static per-hop + classification. + + Examples of the relative priority marking model include IPv4 + Precedence marking as defined in [RFC791], 802.5 Token Ring priority + [TR], and the default interpretation of 802.1p traffic classes + [802.1p]. In this model the application, host, or proxy node selects + a relative priority or "precedence" for a packet (e.g., delay or + discard priority), and the network nodes along the transit path apply + the appropriate priority forwarding behavior corresponding to the + priority value within the packet's header. Our architecture can be + considered as a refinement to this model, since we more clearly + + + +Blake, et. al. Informational [Page 9] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + specify the role and importance of boundary nodes and traffic + conditioners, and since our per-hop behavior model permits more + general forwarding behaviors than relative delay or discard priority. + + An example of a service marking model is IPv4 TOS as defined in + [RFC1349]. In this example each packet is marked with a request for + a "type of service", which may include "minimize delay", "maximize + throughput", "maximize reliability", or "minimize cost". Network + nodes may select routing paths or forwarding behaviors which are + suitably engineered to satisfy the service request. This model is + subtly different from our architecture. Note that we do not describe + the use of the DS field as an input to route selection. The TOS + markings defined in [RFC1349] are very generic and do not span the + range of possible service semantics. Furthermore, the service + request is associated with each individual packet, whereas some + service semantics may depend on the aggregate forwarding behavior of + a sequence of packets. The service marking model does not easily + accommodate growth in the number and range of future services (since + the codepoint space is small) and involves configuration of the + "TOS->forwarding behavior" association in each core network node. + Standardizing service markings implies standardizing service + offerings, which is outside the scope of the IETF. Note that + provisions are made in the allocation of the DS codepoint space to + allow for locally significant codepoints which may be used by a + provider to support service marking semantics [DSFIELD]. + + Examples of the label switching (or virtual circuit) model include + Frame Relay, ATM, and MPLS [FRELAY, ATM]. In this model path + forwarding state and traffic management or QoS state is established + for traffic streams on each hop along a network path. Traffic + aggregates of varying granularity are associated with a label + switched path at an ingress node, and packets/cells within each label + switched path are marked with a forwarding label that is used to + lookup the next-hop node, the per-hop forwarding behavior, and the + replacement label at each hop. This model permits finer granularity + resource allocation to traffic streams, since label values are not + globally significant but are only significant on a single link; + therefore resources can be reserved for the aggregate of packets/ + cells received on a link with a particular label, and the label + switching semantics govern the next-hop selection, allowing a traffic + stream to follow a specially engineered path through the network. + This improved granularity comes at the cost of additional management + and configuration requirements to establish and maintain the label + switched paths. In addition, the amount of forwarding state + maintained at each node scales in proportion to the number of edge + nodes of the network in the best case (assuming multipoint-to-point + + + + + +Blake, et. al. Informational [Page 10] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + label switched paths), and it scales in proportion with the square of + the number of edge nodes in the worst case, when edge-edge label + switched paths with provisioned resources are employed. + + The Integrated Services/RSVP model relies upon traditional datagram + forwarding in the default case, but allows sources and receivers to + exchange signaling messages which establish additional packet + classification and forwarding state on each node along the path + between them [RFC1633, RSVP]. In the absence of state aggregation, + the amount of state on each node scales in proportion to the number + of concurrent reservations, which can be potentially large on high- + speed links. This model also requires application support for the + RSVP signaling protocol. Differentiated services mechanisms can be + utilized to aggregate Integrated Services/RSVP state in the core of + the network [Bernet]. + + A variant of the Integrated Services/RSVP model eliminates the + requirement for hop-by-hop signaling by utilizing only "static" + classification and forwarding policies which are implemented in each + node along a network path. These policies are updated on + administrative timescales and not in response to the instantaneous + mix of microflows active in the network. The state requirements for + this variant are potentially worse than those encountered when RSVP + is used, especially in backbone nodes, since the number of static + policies that might be applicable at a node over time may be larger + than the number of active sender-receiver sessions that might have + installed reservation state on a node. Although the support of large + numbers of classifier rules and forwarding policies may be + computationally feasible, the management burden associated with + installing and maintaining these rules on each node within a backbone + network which might be traversed by a traffic stream is substantial. + + Although we contrast our architecture with these alternative models + of service differentiation, it should be noted that links and nodes + employing these techniques may be utilized to extend differentiated + services behaviors and semantics across a layer-2 switched + infrastructure (e.g., 802.1p LANs, Frame Relay/ATM backbones) + interconnecting DS nodes, and in the case of MPLS may be used as an + alternative intra-domain implementation technology. The constraints + imposed by the use of a specific link-layer technology in particular + regions of a DS domain (or in a network providing access to DS + domains) may imply the differentiation of traffic on a coarser grain + basis. Depending on the mapping of PHBs to different link-layer + services and the way in which packets are scheduled over a restricted + set of priority classes (or virtual circuits of different category + and capacity), all or a subset of the PHBs in use may be supportable + (or may be indistinguishable). + + + + +Blake, et. al. Informational [Page 11] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +2. Differentiated Services Architectural Model + + The differentiated services architecture is based on a simple model + where traffic entering a network is classified and possibly + conditioned at the boundaries of the network, and assigned to + different behavior aggregates. Each behavior aggregate is identified + by a single DS codepoint. Within the core of the network, packets + are forwarded according to the per-hop behavior associated with the + DS codepoint. In this section, we discuss the key components within + a differentiated services region, traffic classification and + conditioning functions, and how differentiated services are achieved + through the combination of traffic conditioning and PHB-based + forwarding. + +2.1 Differentiated Services Domain + + A DS domain is a contiguous set of DS nodes which operate with a + common service provisioning policy and set of PHB groups implemented + on each node. A DS domain has a well-defined boundary consisting of + DS boundary nodes which classify and possibly condition ingress + traffic to ensure that packets which transit the domain are + appropriately marked to select a PHB from one of the PHB groups + supported within the domain. Nodes within the DS domain select the + forwarding behavior for packets based on their DS codepoint, mapping + that value to one of the supported PHBs using either the recommended + codepoint->PHB mapping or a locally customized mapping [DSFIELD]. + Inclusion of non-DS-compliant nodes within a DS domain may result in + unpredictable performance and may impede the ability to satisfy + service level agreements (SLAs). + + A DS domain normally consists of one or more networks under the same + administration; for example, an organization's intranet or an ISP. + The administration of the domain is responsible for ensuring that + adequate resources are provisioned and/or reserved to support the + SLAs offered by the domain. + +2.1.1 DS Boundary Nodes and Interior Nodes + + A DS domain consists of DS boundary nodes and DS interior nodes. DS + boundary nodes interconnect the DS domain to other DS or non-DS- + capable domains, whilst DS interior nodes only connect to other DS + interior or boundary nodes within the same DS domain. + + Both DS boundary nodes and interior nodes must be able to apply the + appropriate PHB to packets based on the DS codepoint; otherwise + unpredictable behavior may result. In addition, DS boundary nodes + may be required to perform traffic conditioning functions as defined + by a traffic conditioning agreement (TCA) between their DS domain and + + + +Blake, et. al. Informational [Page 12] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + the peering domain which they connect to (see Sec. 2.3.3). + + Interior nodes may be able to perform limited traffic conditioning + functions such as DS codepoint re-marking. Interior nodes which + implement more complex classification and traffic conditioning + functions are analogous to DS boundary nodes (see Sec. 2.3.4.4). + + A host in a network containing a DS domain may act as a DS boundary + node for traffic from applications running on that host; we therefore + say that the host is within the DS domain. If a host does not act as + a boundary node, then the DS node topologically closest to that host + acts as the DS boundary node for that host's traffic. + +2.1.2 DS Ingress Node and Egress Node + + DS boundary nodes act both as a DS ingress node and as a DS egress + node for different directions of traffic. Traffic enters a DS domain + at a DS ingress node and leaves a DS domain at a DS egress node. A + DS ingress node is responsible for ensuring that the traffic entering + the DS domain conforms to any TCA between it and the other domain to + which the ingress node is connected. A DS egress node may perform + traffic conditioning functions on traffic forwarded to a directly + connected peering domain, depending on the details of the TCA between + the two domains. Note that a DS boundary node may act as a DS + interior node for some set of interfaces. + +2.2 Differentiated Services Region + + A differentiated services region (DS Region) is a set of one or more + contiguous DS domains. DS regions are capable of supporting + differentiated services along paths which span the domains within the + region. + + The DS domains in a DS region may support different PHB groups + internally and different codepoint->PHB mappings. However, to permit + services which span across the domains, the peering DS domains must + each establish a peering SLA which defines (either explicitly or + implicitly) a TCA which specifies how transit traffic from one DS + domain to another is conditioned at the boundary between the two DS + domains. + + It is possible that several DS domains within a DS region may adopt a + common service provisioning policy and may support a common set of + PHB groups and codepoint mappings, thus eliminating the need for + traffic conditioning between those DS domains. + + + + + + +Blake, et. al. Informational [Page 13] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +2.3 Traffic Classification and Conditioning + + Differentiated services are extended across a DS domain boundary by + establishing a SLA between an upstream network and a downstream DS + domain. The SLA may specify packet classification and re-marking + rules and may also specify traffic profiles and actions to traffic + streams which are in- or out-of-profile (see Sec. 2.3.2). The TCA + between the domains is derived (explicitly or implicitly) from this + SLA. + + The packet classification policy identifies the subset of traffic + which may receive a differentiated service by being conditioned and/ + or mapped to one or more behavior aggregates (by DS codepoint re- + marking) within the DS domain. + + Traffic conditioning performs metering, shaping, policing and/or re- + marking to ensure that the traffic entering the DS domain conforms to + the rules specified in the TCA, in accordance with the domain's + service provisioning policy. The extent of traffic conditioning + required is dependent on the specifics of the service offering, and + may range from simple codepoint re-marking to complex policing and + shaping operations. The details of traffic conditioning policies + which are negotiated between networks is outside the scope of this + document. + +2.3.1 Classifiers + + Packet classifiers select packets in a traffic stream based on the + content of some portion of the packet header. We define two types of + classifiers. The BA (Behavior Aggregate) Classifier classifies + packets based on the DS codepoint only. The MF (Multi-Field) + classifier selects packets based on the value of a combination of one + or more header fields, such as source address, destination address, + DS field, protocol ID, source port and destination port numbers, and + other information such as incoming interface. + + Classifiers are used to "steer" packets matching some specified rule + to an element of a traffic conditioner for further processing. + Classifiers must be configured by some management procedure in + accordance with the appropriate TCA. + + The classifier should authenticate the information which it uses to + classify the packet (see Sec. 6). + + Note that in the event of upstream packet fragmentation, MF + classifiers which examine the contents of transport-layer header + fields may incorrectly classify packet fragments subsequent to the + first. A possible solution to this problem is to maintain + + + +Blake, et. al. Informational [Page 14] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + fragmentation state; however, this is not a general solution due to + the possibility of upstream fragment re-ordering or divergent routing + paths. The policy to apply to packet fragments is outside the scope + of this document. + +2.3.2 Traffic Profiles + + A traffic profile specifies the temporal properties of a traffic + stream selected by a classifier. It provides rules for determining + whether a particular packet is in-profile or out-of-profile. For + example, a profile based on a token bucket may look like: + + codepoint=X, use token-bucket r, b + + The above profile indicates that all packets marked with DS codepoint + X should be measured against a token bucket meter with rate r and + burst size b. In this example out-of-profile packets are those + packets in the traffic stream which arrive when insufficient tokens + are available in the bucket. The concept of in- and out-of-profile + can be extended to more than two levels, e.g., multiple levels of + conformance with a profile may be defined and enforced. + + Different conditioning actions may be applied to the in-profile + packets and out-of-profile packets, or different accounting actions + may be triggered. In-profile packets may be allowed to enter the DS + domain without further conditioning; or, alternatively, their DS + codepoint may be changed. The latter happens when the DS codepoint + is set to a non-Default value for the first time [DSFIELD], or when + the packets enter a DS domain that uses a different PHB group or + codepoint->PHB mapping policy for this traffic stream. Out-of- + profile packets may be queued until they are in-profile (shaped), + discarded (policed), marked with a new codepoint (re-marked), or + forwarded unchanged while triggering some accounting procedure. + Out-of-profile packets may be mapped to one or more behavior + aggregates that are "inferior" in some dimension of forwarding + performance to the BA into which in-profile packets are mapped. + + Note that a traffic profile is an optional component of a TCA and its + use is dependent on the specifics of the service offering and the + domain's service provisioning policy. + +2.3.3 Traffic Conditioners + + A traffic conditioner may contain the following elements: meter, + marker, shaper, and dropper. A traffic stream is selected by a + classifier, which steers the packets to a logical instance of a + traffic conditioner. A meter is used (where appropriate) to measure + the traffic stream against a traffic profile. The state of the meter + + + +Blake, et. al. Informational [Page 15] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + with respect to a particular packet (e.g., whether it is in- or out- + of-profile) may be used to affect a marking, dropping, or shaping + action. + + When packets exit the traffic conditioner of a DS boundary node the + DS codepoint of each packet must be set to an appropriate value. + + Fig. 1 shows the block diagram of a classifier and traffic + conditioner. Note that a traffic conditioner may not necessarily + contain all four elements. For example, in the case where no traffic + profile is in effect, packets may only pass through a classifier and + a marker. + + +-------+ + | |-------------------+ + +----->| Meter | | + | | |--+ | + | +-------+ | | + | V V + +------------+ +--------+ +---------+ + | | | | | Shaper/ | + packets =====>| Classifier |=====>| Marker |=====>| Dropper |=====> + | | | | | | + +------------+ +--------+ +---------+ + + + Fig. 1: Logical View of a Packet Classifier and Traffic Conditioner + +2.3.3.1 Meters + + Traffic meters measure the temporal properties of the stream of + packets selected by a classifier against a traffic profile specified + in a TCA. A meter passes state information to other conditioning + functions to trigger a particular action for each packet which is + either in- or out-of-profile (to some extent). + +2.3.3.2 Markers + + Packet markers set the DS field of a packet to a particular + codepoint, adding the marked packet to a particular DS behavior + aggregate. The marker may be configured to mark all packets which + are steered to it to a single codepoint, or may be configured to mark + a packet to one of a set of codepoints used to select a PHB in a PHB + group, according to the state of a meter. When the marker changes + the codepoint in a packet it is said to have "re-marked" the packet. + + + + + + +Blake, et. al. Informational [Page 16] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +2.3.3.3 Shapers + + Shapers delay some or all of the packets in a traffic stream in order + to bring the stream into compliance with a traffic profile. A shaper + usually has a finite-size buffer, and packets may be discarded if + there is not sufficient buffer space to hold the delayed packets. + +2.3.3.4 Droppers + + Droppers discard some or all of the packets in a traffic stream in + order to bring the stream into compliance with a traffic profile. + This process is know as "policing" the stream. Note that a dropper + can be implemented as a special case of a shaper by setting the + shaper buffer size to zero (or a few) packets. + +2.3.4 Location of Traffic Conditioners and MF Classifiers + + Traffic conditioners are usually located within DS ingress and egress + boundary nodes, but may also be located in nodes within the interior + of a DS domain, or within a non-DS-capable domain. + +2.3.4.1 Within the Source Domain + + We define the source domain as the domain containing the node(s) + which originate the traffic receiving a particular service. Traffic + sources and intermediate nodes within a source domain may perform + traffic classification and conditioning functions. The traffic + originating from the source domain across a boundary may be marked by + the traffic sources directly or by intermediate nodes before leaving + the source domain. This is referred to as initial marking or "pre- + marking". + + Consider the example of a company that has the policy that its CEO's + packets should have higher priority. The CEO's host may mark the DS + field of all outgoing packets with a DS codepoint that indicates + "higher priority". Alternatively, the first-hop router directly + connected to the CEO's host may classify the traffic and mark the + CEO's packets with the correct DS codepoint. Such high priority + traffic may also be conditioned near the source so that there is a + limit on the amount of high priority traffic forwarded from a + particular source. + + There are some advantages to marking packets close to the traffic + source. First, a traffic source can more easily take an + application's preferences into account when deciding which packets + should receive better forwarding treatment. Also, classification of + + + + + +Blake, et. al. Informational [Page 17] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + packets is much simpler before the traffic has been aggregated with + packets from other sources, since the number of classification rules + which need to be applied within a single node is reduced. + + Since packet marking may be distributed across multiple nodes, the + source DS domain is responsible for ensuring that the aggregated + traffic towards its provider DS domain conforms to the appropriate + TCA. Additional allocation mechanisms such as bandwidth brokers or + RSVP may be used to dynamically allocate resources for a particular + DS behavior aggregate within the provider's network [2BIT, Bernet]. + The boundary node of the source domain should also monitor + conformance to the TCA, and may police, shape, or re-mark packets as + necessary. + +2.3.4.2 At the Boundary of a DS Domain + + Traffic streams may be classified, marked, and otherwise conditioned + on either end of a boundary link (the DS egress node of the upstream + domain or the DS ingress node of the downstream domain). The SLA + between the domains should specify which domain has responsibility + for mapping traffic streams to DS behavior aggregates and + conditioning those aggregates in conformance with the appropriate + TCA. However, a DS ingress node must assume that the incoming + traffic may not conform to the TCA and must be prepared to enforce + the TCA in accordance with local policy. + + When packets are pre-marked and conditioned in the upstream domain, + potentially fewer classification and traffic conditioning rules need + to be supported in the downstream DS domain. In this circumstance + the downstream DS domain may only need to re-mark or police the + incoming behavior aggregates to enforce the TCA. However, more + sophisticated services which are path- or source-dependent may + require MF classification in the downstream DS domain's ingress + nodes. + + If a DS ingress node is connected to an upstream non-DS-capable + domain, the DS ingress node must be able to perform all necessary + traffic conditioning functions on the incoming traffic. + +2.3.4.3 In non-DS-Capable Domains + + Traffic sources or intermediate nodes in a non-DS-capable domain may + employ traffic conditioners to pre-mark traffic before it reaches the + ingress of a downstream DS domain. In this way the local policies + for classification and marking may be concealed. + + + + + + +Blake, et. al. Informational [Page 18] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +2.3.4.4 In Interior DS Nodes + + Although the basic architecture assumes that complex classification + and traffic conditioning functions are located only in a network's + ingress and egress boundary nodes, deployment of these functions in + the interior of the network is not precluded. For example, more + restrictive access policies may be enforced on a transoceanic link, + requiring MF classification and traffic conditioning functionality in + the upstream node on the link. This approach may have scaling + limits, due to the potentially large number of classification and + conditioning rules that might need to be maintained. + +2.4 Per-Hop Behaviors + + A per-hop behavior (PHB) is a description of the externally + observable forwarding behavior of a DS node applied to a particular + DS behavior aggregate. "Forwarding behavior" is a general concept in + this context. For example, in the event that only one behavior + aggregate occupies a link, the observable forwarding behavior (i.e., + loss, delay, jitter) will often depend only on the relative loading + of the link (i.e., in the event that the behavior assumes a work- + conserving scheduling discipline). Useful behavioral distinctions + are mainly observed when multiple behavior aggregates compete for + buffer and bandwidth resources on a node. The PHB is the means by + which a node allocates resources to behavior aggregates, and it is on + top of this basic hop-by-hop resource allocation mechanism that + useful differentiated services may be constructed. + + The most simple example of a PHB is one which guarantees a minimal + bandwidth allocation of X% of a link (over some reasonable time + interval) to a behavior aggregate. This PHB can be fairly easily + measured under a variety of competing traffic conditions. A slightly + more complex PHB would guarantee a minimal bandwidth allocation of X% + of a link, with proportional fair sharing of any excess link + capacity. In general, the observable behavior of a PHB may depend on + certain constraints on the traffic characteristics of the associated + behavior aggregate, or the characteristics of other behavior + aggregates. + + PHBs may be specified in terms of their resource (e.g., buffer, + bandwidth) priority relative to other PHBs, or in terms of their + relative observable traffic characteristics (e.g., delay, loss). + These PHBs may be used as building blocks to allocate resources and + should be specified as a group (PHB group) for consistency. PHB + groups will usually share a common constraint applying to each PHB + within the group, such as a packet scheduling or buffer management + policy. The relationship between PHBs in a group may be in terms of + absolute or relative priority (e.g., discard priority by means of + + + +Blake, et. al. Informational [Page 19] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + deterministic or stochastic thresholds), but this is not required + (e.g., N equal link shares). A single PHB defined in isolation is a + special case of a PHB group. + + PHBs are implemented in nodes by means of some buffer management and + packet scheduling mechanisms. PHBs are defined in terms of behavior + characteristics relevant to service provisioning policies, and not in + terms of particular implementation mechanisms. In general, a variety + of implementation mechanisms may be suitable for implementing a + particular PHB group. Furthermore, it is likely that more than one + PHB group may be implemented on a node and utilized within a domain. + PHB groups should be defined such that the proper resource allocation + between groups can be inferred, and integrated mechanisms can be + implemented which can simultaneously support two or more groups. A + PHB group definition should indicate possible conflicts with + previously documented PHB groups which might prevent simultaneous + operation. + + As described in [DSFIELD], a PHB is selected at a node by a mapping + of the DS codepoint in a received packet. Standardized PHBs have a + recommended codepoint. However, the total space of codepoints is + larger than the space available for recommended codepoints for + standardized PHBs, and [DSFIELD] leaves provisions for locally + configurable mappings. A codepoint->PHB mapping table may contain + both 1->1 and N->1 mappings. All codepoints must be mapped to some + PHB; in the absence of some local policy, codepoints which are not + mapped to a standardized PHB in accordance with that PHB's + specification should be mapped to the Default PHB. + +2.5 Network Resource Allocation + + The implementation, configuration, operation and administration of + the supported PHB groups in the nodes of a DS Domain should + effectively partition the resources of those nodes and the inter-node + links between behavior aggregates, in accordance with the domain's + service provisioning policy. Traffic conditioners can further + control the usage of these resources through enforcement of TCAs and + possibly through operational feedback from the nodes and traffic + conditioners in the domain. Although a range of services can be + deployed in the absence of complex traffic conditioning functions + (e.g., using only static marking policies), functions such as + policing, shaping, and dynamic re-marking enable the deployment of + services providing quantitative performance metrics. + + The configuration of and interaction between traffic conditioners and + interior nodes should be managed by the administrative control of the + domain and may require operational control through protocols and a + control entity. There is a wide range of possible control models. + + + +Blake, et. al. Informational [Page 20] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + The precise nature and implementation of the interaction between + these components is outside the scope of this architecture. However, + scalability requires that the control of the domain does not require + micro-management of the network resources. The most scalable control + model would operate nodes in open-loop in the operational timeframe, + and would only require administrative-timescale management as SLAs + are varied. This simple model may be unsuitable in some + circumstances, and some automated but slowly varying operational + control (minutes rather than seconds) may be desirable to balance the + utilization of the network against the recent load profile. + +3. Per-Hop Behavior Specification Guidelines + + Basic requirements for per-hop behavior standardization are given in + [DSFIELD]. This section elaborates on that text by describing + additional guidelines for PHB (group) specifications. This is + intended to help foster implementation consistency. Before a PHB + group is proposed for standardization it should satisfy these + guidelines, as appropriate, to preserve the integrity of this + architecture. + + G.1: A PHB standard must specify a recommended DS codepoint selected + from the codepoint space reserved for standard mappings [DSFIELD]. + Recommended codepoints will be assigned by the IANA. A PHB proposal + may recommend a temporary codepoint from the EXP/LU space to + facilitate inter-domain experimentation. Determination of a packet's + PHB must not require inspection of additional packet header fields + beyond the DS field. + + G.2: The specification of each newly proposed PHB group should + include an overview of the behavior and the purpose of the behavior + being proposed. The overview should include a problem or problems + statement for which the PHB group is targeted. The overview should + include the basic concepts behind the PHB group. These concepts + should include, but are not restricted to, queueing behavior, discard + behavior, and output link selection behavior. Lastly, the overview + should specify the method by which the PHB group solves the problem + or problems specified in the problem statement. + + G.3: A PHB group specification should indicate the number of + individual PHBs specified. In the event that multiple PHBs are + specified, the interactions between these PHBs and constraints that + must be respected globally by all the PHBs within the group should be + clearly specified. As an example, the specification must indicate + whether the probability of packet reordering within a microflow is + increased if different packets in that microflow are marked for + different PHBs within the group. + + + + +Blake, et. al. Informational [Page 21] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + G.4: When proper functioning of a PHB group is dependent on + constraints such as a provisioning restriction, then the PHB + definition should describe the behavior when these constraints are + violated. Further, if actions such as packet discard or re-marking + are required when these constraints are violated, then these actions + should be specifically stipulated. + + G.5: A PHB group may be specified for local use within a domain in + order to provide some domain-specific functionality or domain- + specific services. In this event, the PHB specification is useful + for providing vendors with a consistent definition of the PHB group. + However, any PHB group which is defined for local use should not be + considered for standardization, but may be published as an + Informational RFC. In contrast, a PHB group which is intended for + general use will follow a stricter standardization process. + Therefore all PHB proposals should specifically state whether they + are to be considered for general or local use. + + It is recognized that PHB groups can be designed with the intent of + providing host-to-host, WAN edge-to-WAN edge, and/or domain edge-to- + domain edge services. Use of the term "end-to-end" in a PHB + definition should be interpreted to mean "host-to-host" for + consistency. + + Other PHB groups may be defined and deployed locally within domains, + for experimental or operational purposes. There is no requirement + that these PHB groups must be publicly documented, but they should + utilize DS codepoints from one of the EXP/LU pools as defined in + [DSFIELD]. + + G.6: It may be possible or appropriate for a packet marked for a PHB + within a PHB group to be re-marked to select another PHB within the + group; either within a domain or across a domain boundary. Typically + there are three reasons for such PHB modification: + + a. The codepoints associated with the PHB group are collectively + intended to carry state about the network, + b. Conditions exist which require PHB promotion or demotion of a + packet (this assumes that PHBs within the group can be ranked in + some order), + c. The boundary between two domains is not covered by a SLA. In this + case the codepoint/PHB to select when crossing the boundary link + will be determined by the local policy of the upstream domain. + + A PHB specification should clearly state the circumstances under + which packets marked for a PHB within a PHB group may, or should be + modified (e.g., promoted or demoted) to another PHB within the group. + If it is undesirable for a packet's PHB to be modified, the + + + +Blake, et. al. Informational [Page 22] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + specification should clearly state the consequent risks when the PHB + is modified. A possible risk to changing a packet's PHB, either + within or outside a PHB group, is a higher probability of packet re- + ordering within a microflow. PHBs within a group may carry some + host-to-host, WAN edge-to-WAN edge, and/or domain edge-to-domain edge + semantics which may be difficult to duplicate if packets are re- + marked to select another PHB from the group (or otherwise). + + For certain PHB groups, it may be appropriate to reflect a state + change in the node by re-marking packets to specify another PHB from + within the group. If a PHB group is designed to reflect the state of + a network, the PHB definition must adequately describe the + relationship between the PHBs and the states they reflect. Further, + if these PHBs limit the forwarding actions a node can perform in some + way, these constraints may be specified as actions the node should, + or must perform. + + G.7: A PHB group specification should include a section defining the + implications of tunneling on the utility of the PHB group. This + section should specify the implications for the utility of the PHB + group of a newly created outer header when the original DS field of + the inner header is encapsulated in a tunnel. This section should + also discuss what possible changes should be applied to the inner + header at the egress of the tunnel, when both the codepoints from the + inner header and the outer header are accessible (see Sec. 6.2). + + G.8: The process of specifying PHB groups is likely to be + incremental in nature. When new PHB groups are proposed, their known + interactions with previously specified PHB groups should be + documented. When a new PHB group is created, it can be entirely new + in scope or it can be an extension to an existing PHB group. If the + PHB group is entirely independent of some or all of the existing PHB + specifications, a section should be included in the PHB specification + which details how the new PHB group can co-exist with those PHB + groups already standardized. For example, this section might + indicate the possibility of packet re-ordering within a microflow for + packets marked by codepoints associated with two separate PHB groups. + If concurrent operation of two (or more) different PHB groups in the + same node is impossible or detrimental this should be stated. If the + concurrent operation of two (or more) different PHB groups requires + some specific behaviors by the node when packets marked for PHBs from + these different PHB groups are being processed by the node at the + same time, these behaviors should be stated. + + Care should be taken to avoid circularity in the definitions of PHB + groups. + + + + + +Blake, et. al. Informational [Page 23] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + If the proposed PHB group is an extension to an existing PHB group, a + section should be included in the PHB group specification which + details how this extension interoperates with the behavior being + extended. Further, if the extension alters or more narrowly defines + the existing behavior in some way, this should also be clearly + indicated. + + G.9: Each PHB specification should include a section specifying + minimal conformance requirements for implementations of the PHB + group. This conformance section is intended to provide a means for + specifying the details of a behavior while allowing for + implementation variation to the extent permitted by the PHB + specification. This conformance section can take the form of rules, + tables, pseudo-code, or tests. + + G.10: A PHB specification should include a section detailing the + security implications of the behavior. This section should include a + discussion of the re-marking of the inner header's codepoint at the + egress of a tunnel and its effect on the desired forwarding behavior. + + Further, this section should also discuss how the proposed PHB group + could be used in denial-of-service attacks, reduction of service + contract attacks, and service contract violation attacks. Lastly, + this section should discuss possible means for detecting such attacks + as they are relevant to the proposed behavior. + + G.11: A PHB specification should include a section detailing + configuration and management issues which may affect the operation of + the PHB and which may impact candidate services that might utilize + the PHB. + + G.12: It is strongly recommended that an appendix be provided with + each PHB specification that considers the implications of the + proposed behavior on current and potential services. These services + could include but are not restricted to be user-specific, device- + specific, domain-specific or end-to-end services. It is also + strongly recommended that the appendix include a section describing + how the services are verified by users, devices, and/or domains. + + G.13: It is recommended that an appendix be provided with each PHB + specification that is targeted for local use within a domain, + providing guidance for PHB selection for packets which are forwarded + into a peer domain which does not support the PHB group. + + + + + + + + +Blake, et. al. Informational [Page 24] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + G.14: It is recommended that an appendix be provided with each PHB + specification which considers the impact of the proposed PHB group on + existing higher-layer protocols. Under some circumstances PHBs may + allow for possible changes to higher-layer protocols which may + increase or decrease the utility of the proposed PHB group. + + G.15: It is recommended that an appendix be provided with each PHB + specification which recommends mappings to link-layer QoS mechanisms + to support the intended behavior of the PHB across a shared-medium or + switched link-layer. The determination of the most appropriate + mapping between a PHB and a link-layer QoS mechanism is dependent on + many factors and is outside the scope of this document; however, the + specification should attempt to offer some guidance. + +4. Interoperability with Non-Differentiated Services-Compliant Nodes + + We define a non-differentiated services-compliant node (non-DS- + compliant node) as any node which does not interpret the DS field as + specified in [DSFIELD] and/or does not implement some or all of the + standardized PHBs (or those in use within a particular DS domain). + This may be due to the capabilities or configuration of the node. We + define a legacy node as a special case of a non-DS-compliant node + which implements IPv4 Precedence classification and forwarding as + defined in [RFC791, RFC1812], but which is otherwise not DS- + compliant. The precedence values in the IPv4 TOS octet are + compatible by intention with the Class Selector Codepoints defined in + [DSFIELD], and the precedence forwarding behaviors defined in + [RFC791, RFC1812] comply with the Class Selector PHB Requirements + also defined in [DSFIELD]. A key distinction between a legacy node + and a DS-compliant node is that the legacy node may or may not + interpret bits 3-6 of the TOS octet as defined in [RFC1349] (the + "DTRC" bits); in practice it will not interpret these bit as + specified in [DSFIELD]. We assume that the use of the TOS markings + defined in [RFC1349] is deprecated. Nodes which are non-DS-compliant + and which are not legacy nodes may exhibit unpredictable forwarding + behaviors for packets with non-zero DS codepoints. + + Differentiated services depend on the resource allocation mechanisms + provided by per-hop behavior implementations in nodes. The quality + or statistical assurance level of a service may break down in the + event that traffic transits a non-DS-compliant node, or a non-DS- + capable domain. + + We will examine two separate cases. The first case concerns the use + of non-DS-compliant nodes within a DS domain. Note that PHB + forwarding is primarily useful for allocating scarce node and link + resources in a controlled manner. On high-speed, lightly loaded + links, the worst-case packet delay, jitter, and loss may be + + + +Blake, et. al. Informational [Page 25] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + negligible, and the use of a non-DS-compliant node on the upstream + end of such a link may not result in service degradation. In more + realistic circumstances, the lack of PHB forwarding in a node may + make it impossible to offer low-delay, low-loss, or provisioned + bandwidth services across paths which traverse the node. However, + use of a legacy node may be an acceptable alternative, assuming that + the DS domain restricts itself to using only the Class Selector + Codepoints defined in [DSFIELD], and assuming that the particular + precedence implementation in the legacy node provides forwarding + behaviors which are compatible with the services offered along paths + which traverse that node. Note that it is important to restrict the + codepoints in use to the Class Selector Codepoints, since the legacy + node may or may not interpret bits 3-5 in accordance with [RFC1349], + thereby resulting in unpredictable forwarding results. + + The second case concerns the behavior of services which traverse + non-DS-capable domains. We assume for the sake of argument that a + non-DS-capable domain does not deploy traffic conditioning functions + on domain boundary nodes; therefore, even in the event that the + domain consists of legacy or DS-compliant interior nodes, the lack of + traffic enforcement at the boundaries will limit the ability to + consistently deliver some types of services across the domain. A DS + domain and a non-DS-capable domain may negotiate an agreement which + governs how egress traffic from the DS-domain should be marked before + entry into the non-DS-capable domain. This agreement might be + monitored for compliance by traffic sampling instead of by rigorous + traffic conditioning. Alternatively, where there is knowledge that + the non-DS-capable domain consists of legacy nodes, the upstream DS + domain may opportunistically re-mark differentiated services traffic + to one or more of the Class Selector Codepoints. Where there is no + knowledge of the traffic management capabilities of the downstream + domain, and no agreement in place, a DS domain egress node may choose + to re-mark DS codepoints to zero, under the assumption that the non- + DS-capable domain will treat the traffic uniformly with best-effort + service. + + In the event that a non-DS-capable domain peers with a DS domain, + traffic flowing from the non-DS-capable domain should be conditioned + at the DS ingress node of the DS domain according to the appropriate + SLA or policy. + +5. Multicast Considerations + + Use of differentiated services by multicast traffic introduces a + number of issues for service provisioning. First, multicast packets + which enter a DS domain at an ingress node may simultaneously take + multiple paths through some segments of the domain due to multicast + packet replication. In this way they consume more network resources + + + +Blake, et. al. Informational [Page 26] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + than unicast packets. Where multicast group membership is dynamic, + it is difficult to predict in advance the amount of network resources + that may be consumed by multicast traffic originating from an + upstream network for a particular group. A consequence of this + uncertainty is that it may be difficult to provide quantitative + service guarantees to multicast senders. Further, it may be + necessary to reserve codepoints and PHBs for exclusive use by unicast + traffic, to provide resource isolation from multicast traffic. + + The second issue is the selection of the DS codepoint for a multicast + packet arriving at a DS ingress node. Because that packet may exit + the DS domain at multiple DS egress nodes which peer with multiple + downstream domains, the DS codepoint used should not result in the + request for a service from a downstream DS domain which is in + violation of a peering SLA. When establishing classifier and traffic + conditioner state at an DS ingress node for an aggregate of traffic + receiving a differentiated service which spans across the egress + boundary of the domain, the identity of the adjacent downstream + transit domain and the specifics of the corresponding peering SLA can + be factored into the configuration decision (subject to routing + policy and the stability of the routing infrastructure). In this way + peering SLAs with downstream DS domains can be partially enforced at + the ingress of the upstream domain, reducing the classification and + traffic conditioning burden at the egress node of the upstream + domain. This is not so easily performed in the case of multicast + traffic, due to the possibility of dynamic group membership. The + result is that the service guarantees for unicast traffic may be + impacted. One means of addressing this problem is to establish a + separate peering SLA for multicast traffic, and to either utilize a + particular set of codepoints for multicast packets, or to implement + the necessary classification and traffic conditioning mechanisms in + the DS egress nodes to provide preferential isolation for unicast + traffic in conformance with the peering SLA with the downstream + domain. + +6. Security and Tunneling Considerations + + This section addresses security issues raised by the introduction of + differentiated services, primarily the potential for denial-of- + service attacks, and the related potential for theft of service by + unauthorized traffic (Sec. 6.1). In addition, the operation of + differentiated services in the presence of IPsec and its interaction + with IPsec are also discussed (Sec. 6.2), as well as auditing + requirements (Sec. 6.3). This section considers issues introduced by + the use of both IPsec and non-IPsec tunnels. + + + + + + +Blake, et. al. Informational [Page 27] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +6.1 Theft and Denial of Service + + The primary goal of differentiated services is to allow different + levels of service to be provided for traffic streams on a common + network infrastructure. A variety of resource management techniques + may be used to achieve this, but the end result will be that some + packets receive different (e.g., better) service than others. The + mapping of network traffic to the specific behaviors that result in + different (e.g., better or worse) service is indicated primarily by + the DS field, and hence an adversary may be able to obtain better + service by modifying the DS field to codepoints indicating behaviors + used for enhanced services or by injecting packets with the DS field + set to such codepoints. Taken to its limits, this theft of service + becomes a denial-of-service attack when the modified or injected + traffic depletes the resources available to forward it and other + traffic streams. The defense against such theft- and denial-of- + service attacks consists of the combination of traffic conditioning + at DS boundary nodes along with security and integrity of the network + infrastructure within a DS domain. + + As described in Sec. 2, DS ingress nodes must condition all traffic + entering a DS domain to ensure that it has acceptable DS codepoints. + This means that the codepoints must conform to the applicable TCA(s) + and the domain's service provisioning policy. Hence, the ingress + nodes are the primary line of defense against theft- and denial-of- + service attacks based on modified DS codepoints (e.g., codepoints to + which the traffic is not entitled), as success of any such attack + constitutes a violation of the applicable TCA(s) and/or service + provisioning policy. An important instance of an ingress node is + that any traffic-originating node in a DS domain is the ingress node + for that traffic, and must ensure that all originated traffic carries + acceptable DS codepoints. + + Both a domain's service provisioning policy and TCAs may require the + ingress nodes to change the DS codepoint on some entering packets + (e.g., an ingress router may set the DS codepoint of a customer's + traffic in accordance with the appropriate SLA). Ingress nodes must + condition all other inbound traffic to ensure that the DS codepoints + are acceptable; packets found to have unacceptable codepoints must + either be discarded or must have their DS codepoints modified to + acceptable values before being forwarded. For example, an ingress + node receiving traffic from a domain with which no enhanced service + agreement exists may reset the DS codepoint to the Default PHB + codepoint [DSFIELD]. Traffic authentication may be required to + validate the use of some DS codepoints (e.g., those corresponding to + enhanced services), and such authentication may be performed by + technical means (e.g., IPsec) and/or non-technical means (e.g., the + inbound link is known to be connected to exactly one customer site). + + + +Blake, et. al. Informational [Page 28] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + An inter-domain agreement may reduce or eliminate the need for + ingress node traffic conditioning by making the upstream domain + partly or completely responsible for ensuring that traffic has DS + codepoints acceptable to the downstream domain. In this case, the + ingress node may still perform redundant traffic conditioning checks + to reduce the dependence on the upstream domain (e.g., such checks + can prevent theft-of-service attacks from propagating across the + domain boundary). If such a check fails because the upstream domain + is not fulfilling its responsibilities, that failure is an auditable + event; the generated audit log entry should include the date/time the + packet was received, the source and destination IP addresses, and the + DS codepoint that caused the failure. In practice, the limited gains + from such checks need to be weighed against their potential + performance impact in determining what, if any, checks to perform + under these circumstances. + + Interior nodes in a DS domain may rely on the DS field to associate + differentiated services traffic with the behaviors used to implement + enhanced services. Any node doing so depends on the correct + operation of the DS domain to prevent the arrival of traffic with + unacceptable DS codepoints. Robustness concerns dictate that the + arrival of packets with unacceptable DS codepoints must not cause the + failure (e.g., crash) of network nodes. Interior nodes are not + responsible for enforcing the service provisioning policy (or + individual SLAs) and hence are not required to check DS codepoints + before using them. Interior nodes may perform some traffic + conditioning checks on DS codepoints (e.g., check for DS codepoints + that are never used for traffic on a specific link) to improve + security and robustness (e.g., resistance to theft-of-service attacks + based on DS codepoint modifications). Any detected failure of such a + check is an auditable event and the generated audit log entry should + include the date/time the packet was received, the source and + destination IP addresses, and the DS codepoint that caused the + failure. In practice, the limited gains from such checks need to be + weighed against their potential performance impact in determining + what, if any, checks to perform at interior nodes. + + Any link that cannot be adequately secured against modification of DS + codepoints or traffic injection by adversaries should be treated as a + boundary link (and hence any arriving traffic on that link is treated + as if it were entering the domain at an ingress node). Local + security policy provides the definition of "adequately secured," and + such a definition may include a determination that the risks and + consequences of DS codepoint modification and/or traffic injection do + not justify any additional security measures for a link. Link + security can be enhanced via physical access controls and/or software + means such as tunnels that ensure packet integrity. + + + + +Blake, et. al. Informational [Page 29] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +6.2 IPsec and Tunneling Interactions + + The IPsec protocol, as defined in [ESP, AH], does not include the IP + header's DS field in any of its cryptographic calculations (in the + case of tunnel mode, it is the outer IP header's DS field that is not + included). Hence modification of the DS field by a network node has + no effect on IPsec's end-to-end security, because it cannot cause any + IPsec integrity check to fail. As a consequence, IPsec does not + provide any defense against an adversary's modification of the DS + field (i.e., a man-in-the-middle attack), as the adversary's + modification will also have no effect on IPsec's end-to-end security. + In some environments, the ability to modify the DS field without + affecting IPsec integrity checks may constitute a covert channel; if + it is necessary to eliminate such a channel or reduce its bandwidth, + the DS domains should be configured so that the required processing + (e.g., set all DS fields on sensitive traffic to a single value) can + be performed at DS egress nodes where traffic exits higher security + domains. + + IPsec's tunnel mode provides security for the encapsulated IP + header's DS field. A tunnel mode IPsec packet contains two IP + headers: an outer header supplied by the tunnel ingress node and an + encapsulated inner header supplied by the original source of the + packet. When an IPsec tunnel is hosted (in whole or in part) on a + differentiated services network, the intermediate network nodes + operate on the DS field in the outer header. At the tunnel egress + node, IPsec processing includes stripping the outer header and + forwarding the packet (if required) using the inner header. If + the inner IP header has not been processed by a DS ingress node for + the tunnel egress node's DS domain, the tunnel egress node is the DS + ingress node for traffic exiting the tunnel, and hence must carry out + the corresponding traffic conditioning responsibilities (see Sec. + 6.1). If the IPsec processing includes a sufficiently strong + cryptographic integrity check of the encapsulated packet (where + sufficiency is determined by local security policy), the tunnel + egress node can safely assume that the DS field in the inner header + has the same value as it had at the tunnel ingress node. This allows + a tunnel egress node in the same DS domain as the tunnel ingress + node, to safely treat a packet passing such an integrity check as if + it had arrived from another node within the same DS domain, omitting + the DS ingress node traffic conditioning that would otherwise be + required. An important consequence is that otherwise insecure links + internal to a DS domain can be secured by a sufficiently strong IPsec + tunnel. + + This analysis and its implications apply to any tunneling protocol + that performs integrity checks, but the level of assurance of the + inner header's DS field depends on the strength of the integrity + + + +Blake, et. al. Informational [Page 30] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + check performed by the tunneling protocol. In the absence of + sufficient assurance for a tunnel that may transit nodes outside the + current DS domain (or is otherwise vulnerable), the encapsulated + packet must be treated as if it had arrived at a DS ingress node from + outside the domain. + + The IPsec protocol currently requires that the inner header's DS + field not be changed by IPsec decapsulation processing at a tunnel + egress node. This ensures that an adversary's modifications to the + DS field cannot be used to launch theft- or denial-of-service attacks + across an IPsec tunnel endpoint, as any such modifications will be + discarded at the tunnel endpoint. This document makes no change to + that IPsec requirement. + + If the IPsec specifications are modified in the future to permit a + tunnel egress node to modify the DS field in an inner IP header based + on the DS field value in the outer header (e.g., copying part or all + of the outer DS field to the inner DS field), then additional + considerations would apply. For a tunnel contained entirely within a + single DS domain and for which the links are adequately secured + against modifications of the outer DS field, the only limits on inner + DS field modifications would be those imposed by the domain's service + provisioning policy. Otherwise, the tunnel egress node performing + such modifications would be acting as a DS ingress node for traffic + exiting the tunnel and must carry out the traffic conditioning + responsibilities of an ingress node, including defense against theft- + and denial-of-service attacks (See Sec. 6.1). If the tunnel enters + the DS domain at a node different from the tunnel egress node, the + tunnel egress node may depend on the upstream DS ingress node having + ensured that the outer DS field values are acceptable. Even in this + case, there are some checks that can only be performed by the tunnel + egress node (e.g., a consistency check between the inner and outer DS + codepoints for an encrypted tunnel). Any detected failure of such a + check is an auditable event and the generated audit log entry should + include the date/time the packet was received, the source and + destination IP addresses, and the DS codepoint that was unacceptable. + + An IPsec tunnel can be viewed in at least two different ways from an + architectural perspective. If the tunnel is viewed as a logical + single hop "virtual wire", the actions of intermediate nodes in + forwarding the tunneled traffic should not be visible beyond the ends + of the tunnel and hence the DS field should not be modified as part + of decapsulation processing. In contrast, if the tunnel is viewed as + a multi-hop participant in forwarding traffic, then modification of + the DS field as part of tunnel decapsulation processing may be + desirable. A specific example of the latter situation occurs when a + tunnel terminates at an interior node of a DS domain at which the + domain administrator does not wish to deploy traffic conditioning + + + +Blake, et. al. Informational [Page 31] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + logic (e.g., to simplify traffic management). This could be + supported by using the DS codepoint in the outer IP header (which was + subject to traffic conditioning at the DS ingress node) to reset the + DS codepoint in the inner IP header, effectively moving DS ingress + traffic conditioning responsibilities from the IPsec tunnel egress + node to the appropriate upstream DS ingress node (which must already + perform that function for unencapsulated traffic). + +6.3 Auditing + + Not all systems that support differentiated services will implement + auditing. However, if differentiated services support is + incorporated into a system that supports auditing, then the + differentiated services implementation should also support auditing. + If such support is present the implementation must allow a system + administrator to enable or disable auditing for differentiated + services as a whole, and may allow such auditing to be enabled or + disabled in part. + + For the most part, the granularity of auditing is a local matter. + However, several auditable events are identified in this document and + for each of these events a minimum set of information that should be + included in an audit log is defined. Additional information (e.g., + packets related to the one that triggered the auditable event) may + also be included in the audit log for each of these events, and + additional events, not explicitly called out in this specification, + also may result in audit log entries. There is no requirement for + the receiver to transmit any message to the purported sender in + response to the detection of an auditable event, because of the + potential to induce denial of service via such action. + +7. Acknowledgements + + This document has benefitted from earlier drafts by Steven Blake, + David Clark, Ed Ellesson, Paul Ferguson, Juha Heinanen, Van Jacobson, + Kalevi Kilkki, Kathleen Nichols, Walter Weiss, John Wroclawski, and + Lixia Zhang. + + The authors would like to acknowledge the following individuals for + their helpful comments and suggestions: Kathleen Nichols, Brian + Carpenter, Konstantinos Dovrolis, Shivkumar Kalyana, Wu-chang Feng, + Marty Borden, Yoram Bernet, Ronald Bonica, James Binder, Borje + Ohlman, Alessio Casati, Scott Brim, Curtis Villamizar, Hamid Ould- + Brahi, Andrew Smith, John Renwick, Werner Almesberger, Alan O'Neill, + James Fu, and Bob Braden. + + + + + + +Blake, et. al. Informational [Page 32] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +8. References + + [802.1p] ISO/IEC Final CD 15802-3 Information technology - Tele- + communications and information exchange between systems - + Local and metropolitan area networks - Common + specifications - Part 3: Media Access Control (MAC) + bridges, (current draft available as IEEE P802.1D/D15). + + [AH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC + 2402, November 1998. + + [ATM] ATM Traffic Management Specification Version 4.0 , ATM Forum, April 1996. + + [Bernet] Y. Bernet, R. Yavatkar, P. Ford, F. Baker, L. Zhang, K. + Nichols, and M. Speer, "A Framework for Use of RSVP with + Diff-serv Networks", Work in Progress. + + [DSFIELD] Nichols, K., Blake, S., Baker, F. and D. Black, + "Definition of the Differentiated Services Field (DS + Field) in the IPv4 and IPv6 Headers", RFC 2474, December + 1998. + + [EXPLICIT] D. Clark and W. Fang, "Explicit Allocation of Best Effort + Packet Delivery Service", IEEE/ACM Trans. on Networking, + vol. 6, no. 4, August 1998, pp. 362-373. + + [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security + Payload (ESP)", RFC 2406, November 1998. + + [FRELAY] ANSI T1S1, "DSSI Core Aspects of Frame Rely", March 1990. + + [RFC791] Postel, J., Editor, "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC1349] Almquist, P., "Type of Service in the Internet Protocol + Suite", RFC 1349, July 1992. + + [RFC1633] Braden, R., Clark, D. and S. Shenker, "Integrated + Services in the Internet Architecture: An Overview", RFC + 1633, July 1994. + + [RFC1812] Baker, F., Editor, "Requirements for IP Version 4 + Routers", RFC 1812, June 1995. + + [RSVP] Braden, B., Zhang, L., Berson S., Herzog, S. and S. + Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 + Functional Specification", RFC 2205, September 1997. + + + +Blake, et. al. Informational [Page 33] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + [2BIT] K. Nichols, V. Jacobson, and L. Zhang, "A Two-bit + Differentiated Services Architecture for the Internet", + ftp://ftp.ee.lbl.gov/papers/dsarch.pdf, November 1997. + + [TR] ISO/IEC 8802-5 Information technology - + Telecommunications and information exchange between + systems - Local and metropolitan area networks - Common + specifications - Part 5: Token Ring Access Method and + Physical Layer Specifications, (also ANSI/IEEE Std 802.5- + 1995), 1995. + +Authors' Addresses + + Steven Blake + Torrent Networking Technologies + 3000 Aerial Center, Suite 140 + Morrisville, NC 27560 + + Phone: +1-919-468-8466 x232 + EMail: slblake@torrentnet.com + + + David L. Black + EMC Corporation + 35 Parkwood Drive + Hopkinton, MA 01748 + + Phone: +1-508-435-1000 x76140 + EMail: black_david@emc.com + + + Mark A. Carlson + Sun Microsystems, Inc. + 2990 Center Green Court South + Boulder, CO 80301 + + Phone: +1-303-448-0048 x115 + EMail: mark.carlson@sun.com + + + Elwyn Davies + Nortel UK + London Road + Harlow, Essex CM17 9NA, UK + + Phone: +44-1279-405498 + EMail: elwynd@nortel.co.uk + + + + +Blake, et. al. Informational [Page 34] + +RFC 2475 Architecture for Differentiated Services December 1998 + + + Zheng Wang + Bell Labs Lucent Technologies + 101 Crawfords Corner Road + Holmdel, NJ 07733 + + EMail: zhwang@bell-labs.com + + + Walter Weiss + Lucent Technologies + 300 Baker Avenue, Suite 100 + Concord, MA 01742-2168 + + EMail: wweiss@lucent.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Blake, et. al. Informational [Page 35] + +RFC 2475 Architecture for Differentiated Services December 1998 + + +Full Copyright Statement + + Copyright (C) The Internet Society (1998). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + +Blake, et. al. Informational [Page 36] + -- cgit v1.2.3