1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
|
Network Working Group D. Black
Request for Comments: 2983 EMC Corporation
Category: Informational October 2000
Differentiated Services and Tunnels
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document considers the interaction of Differentiated Services
(diffserv) (RFC 2474, RFC 2475) with IP tunnels of various forms.
The discussion of tunnels in the diffserv architecture (RFC 2475)
provides insufficient guidance to tunnel designers and implementers.
This document describes two conceptual models for the interaction of
diffserv with Internet Protocol (IP) tunnels and employs them to
explore the resulting configurations and combinations of
functionality. An important consideration is how and where it is
appropriate to perform diffserv traffic conditioning in the presence
of tunnel encapsulation and decapsulation. A few simple mechanisms
are also proposed that limit the complexity that tunnels would
otherwise add to the diffserv traffic conditioning model. Security
considerations for IPSec tunnels limit the possible functionality in
some circumstances.
1. Conventions used in this document
An IP tunnel encapsulates IP traffic in another IP header as it
passes through the tunnel; the presence of these two IP headers is a
defining characteristic of IP tunnels, although there may be
additional headers inserted between the two IP headers. The inner IP
header is that of the original traffic; an outer IP header is
attached and detached at tunnel endpoints. In general, intermediate
network nodes between tunnel endpoints operate solely on the outer IP
header, and hence diffserv-capable intermediate nodes access and
modify only the DSCP field in the outer IP header. The terms
"tunnel" and "IP tunnel" are used interchangeably in this document.
For simplicity, this document does not consider tunnels other than IP
tunnels (i.e., for which there is no encapsulating IP header), such
Black Informational [Page 1]
^L
RFC 2983 Diffserv and Tunnels October 2000
as MPLS paths and "tunnels" formed by encapsulation in layer 2 (link)
headers, although the conceptual models and approach described here
may be useful in understanding the interaction of diffserv with such
tunnels.
This analysis considers tunnels to be unidirectional; bi-directional
tunnels are considered to be composed of two unidirectional tunnels
carrying traffic in opposite directions between the same tunnel
endpoints. A tunnel consists of an ingress where traffic enters the
tunnel and is encapsulated by the addition of the outer IP header, an
egress where traffic exits the tunnel and is decapsulated by the
removal of the outer IP header, and intermediate nodes through which
tunneled traffic passes between the ingress and egress. This
document does not make any assumptions about routing and forwarding
of tunnel traffic, and in particular assumes neither the presence nor
the absence of route pinning in any form.
2. Diffserv and Tunnels Overview
Tunnels range in complexity from simple IP-in-IP tunnels [RFC 2003]
to more complex multi-protocol tunnels, such as IP in PPP in L2TP in
IPSec transport mode [RFC 1661, RFC 2401, RFC 2661]. The most
general tunnel configuration is one in which the tunnel is not end-
to-end, i.e., the ingress and egress nodes are not the source and
destination nodes for traffic carried by the tunnel; such a tunnel
may carry traffic with multiple sources and destinations. If the
ingress node is the end-to-end source of all traffic in the tunnel,
the result is a simplified configuration to which much of the
analysis and guidance in this document are applicable, and likewise
if the egress node is the end-to-end destination.
A primary concern for differentiated services is the use of the
Differentiated Services Code Point (DSCP) in the IP header [RFC 2474,
RFC 2475]. The diffserv architecture permits intermediate nodes to
examine and change the value of the DSCP, which may result in the
DSCP value in the outer IP header being modified between tunnel
ingress and egress. When a tunnel is not end-to-end, there are
circumstances in which it may be desirable to propagate the DSCP
and/or some of the information that it contains to the outer IP
header on ingress and/or back to inner IP header on egress. The
current situation facing tunnel implementers is that [RFC 2475]
offers incomplete guidance. Guideline G.7 in Section 3 is an
example, as some PHB specifications have followed it by explicitly
specifying the PHBs that may be used in the outer IP header for
tunneled traffic. This is overly restrictive; for example, if a
specification requires that the same PHB be used in both the inner
and outer IP headers, traffic conforming to that specification cannot
be tunneled across domains or networks that do not support that PHB.
Black Informational [Page 2]
^L
RFC 2983 Diffserv and Tunnels October 2000
A more flexible approach that should be used instead is to describe
the behavioral properties of a PHB that are important to preserve
when traffic is tunneled and allow the outer IP header to be marked
in any fashion that is sufficient to preserve those properties.
This document proposes an approach in which traffic conditioning is
performed in series with tunnel ingress or egress processing, rather
than in parallel. This approach does not create any additional paths
that transmit information across a tunnel endpoint, as all diffserv
information is contained in the DSCPs in the IP headers. The IPSec
architecture [RFC 2401] requires that this be the case to preserve
security properties at the egress of IPSec tunnels, but this approach
also avoids complicating diffserv traffic conditioning blocks by
introducing out-of-band inputs. A consequence of this approach is
that the last sentence of Guideline G.7 in Section 3 of [RFC 2475]
becomes moot because there are no tunnel egress diffserv components
that have access to both the inner and outer DSCPs.
An additional advantage of this traffic conditioning approach is that
it places no additional restrictions on the positioning of diffserv
domain boundaries with respect to traffic conditioning and tunnel
encapsulation/decapsulation components. An interesting class of
configurations involves a diffserv domain boundary that passes
through (i.e., divides) a network node; such a boundary can be split
to create a DMZ-like region between the domains that contains the
tunnel encapsulation or decapsulation processing. Diffserv traffic
conditioning is not appropriate for such a DMZ-like region, as
traffic conditioning is part of the operation and management of
diffserv domains.
3. Conceptual Models for Diffserv Tunnels
This analysis introduces two conceptual traffic conditioning models
for IP tunnels based on an initial discussion that assumes a fully
diffserv-capable network. Configurations in which this is not the
case are taken up in Section 3.2.
3.1 Conceptual Models for Fully DS-capable Configurations
The first conceptual model is a uniform model that views IP tunnels
as artifacts of the end to end path from a traffic conditioning
standpoint; tunnels may be necessary mechanisms to get traffic to its
destination(s), but have no significant impact on traffic
conditioning. In this model, any packet has exactly one DS Field
that is used for traffic conditioning at any point, namely the DS
Field in the outermost IP header; any others are ignored.
Implementations of this model copy the DSCP value to the outer IP
header at encapsulation and copy the outer header's DSCP value to the
Black Informational [Page 3]
^L
RFC 2983 Diffserv and Tunnels October 2000
inner IP header at decapsulation. Use of this model allows IP
tunnels to be configured without regard to diffserv domain boundaries
because diffserv traffic conditioning functionality is not impacted
by the presence of IP tunnels.
The second conceptual model is a pipe model that views an IP tunnel
as hiding the nodes between its ingress and egress so that they do
not participate fully in traffic conditioning. In this model, a
tunnel egress node uses traffic conditioning information conveyed
from the tunnel ingress by the DSCP value in the inner header, and
ignores (i.e., discards) the DSCP value in the outer header. The
pipe model cannot completely hide traffic conditioning within the
tunnel, as the effects of dropping and shaping at intermediate tunnel
nodes may be visible at the tunnel egress and beyond.
The pipe model has traffic conditioning consequences when the ingress
and egress nodes are in different diffserv domains. In such a
situation, the egress node must perform traffic conditioning to
ensure that the traffic exiting the tunnel has DSCP values acceptable
to the egress diffserv domain (see Section 6 of the diffserv
architecture [RFC 2475]). An inter-domain TCA (Traffic Conditioning
Agreement) between the diffserv domains containing the tunnel ingress
and egress nodes may be used to reduce or eliminate egress traffic
conditioning. Complete elimination of egress traffic conditioning
requires that the diffserv domains at ingress and egress have
compatible service provisioning policies for the tunneled traffic and
support all of the PHB groups and DSCP values used for that traffic
in a consistent fashion. Examples of this situation are provided by
some virtual private network tunnels; it may be useful to view such
tunnels as linking the diffserv domains at their endpoints into a
diffserv region by making the tunnel endpoints virtually contiguous
even though they may be physically separated by intermediate network
nodes.
The pipe model is also appropriate for situations in which the DSCP
itself carries information through the tunnel. For example, if
transit between two domains is obtained via a path that uses the EF
PHB [RFC 2598], the drop precedence information in the AF PHB DSCP
values [RFC 2597] will be lost unless something is done to preserve
it; an IP tunnel is one possible preservation mechanism. A path that
crosses one or more non-diffserv domains between its DS-capable
endpoints may experience a similar information loss phenomenon if a
tunnel is not used due to the limited set of DSCP codepoints that are
compatible with such domains.
Black Informational [Page 4]
^L
RFC 2983 Diffserv and Tunnels October 2000
3.2 Considerations for Partially DS-capable Configurations
If only the tunnel egress node is DS-capable, [RFC 2475] requires the
egress node to perform any edge traffic conditioning needed by the
diffserv domain for tunneled traffic entering from outside the
domain. If the egress node would not otherwise be a DS edge node,
one way to meet this requirement is to perform edge traffic
conditioning at an appropriate upstream DS edge node within the
tunnel, and copy the DSCP value from the outer IP header to the inner
IP header as part of tunnel decapsulation processing; this applies
the uniform model to the portion of the tunnel within the egress
node's diffserv domain. A second alternative is to discard the outer
DSCP value as part of decapsulation processing, reducing the
resulting traffic conditioning problem and requirements to those of
an ordinary DS ingress node. This applies the pipe model to the
portion of the tunnel within the egress node's diffserv domain and
hence the adjacent upstream node for DSCP marking purposes is the
tunnel ingress node, rather than the immediately upstream
intermediate tunnel node.
If only the tunnel ingress node is DS-capable, [RFC 2475] requires
that traffic emerging from the tunnel be compatible with the network
at the tunnel egress. If tunnel decapsulation processing discards
the outer header's DSCP value without changing the inner header's
DSCP value, the DS-capable tunnel ingress node is obligated to set
the inner header's DSCP to a value compatible with the network at the
tunnel egress. The value 0 (DSCP of 000000) is used for this purpose
by a number of existing tunnel implementations. If the egress
network implements IP precedence as specified in [RFC 791], then some
or all of the eight class selector DSCP codepoints defined in [RFC
2474] may be usable. DSCP codepoints other than the class selectors
are not generally suitable for this purpose, as correct operation
would usually require diffserv functionality at the DS-incapable
tunnel egress node.
4. Ingress Functionality
As described in Section 3 above, this analysis is based on an
approach in which diffserv functionality and/or out-of-band
communication paths are not placed in parallel with tunnel
encapsulation processing. This allows three possible locations for
traffic conditioning with respect to tunnel encapsulation processing,
as shown in the following diagram that depicts the flow of IP headers
through tunnel encapsulation:
Black Informational [Page 5]
^L
RFC 2983 Diffserv and Tunnels October 2000
+--------- [2 - Outer] -->>
/
/
>>---- [1 - Before] -------- Encapsulate ------ [3 - Inner] -->>
Traffic conditioning at [1 - Before] is logically separate from the
tunnel, as it is not impacted by the presence of tunnel
encapsulation, and hence should be allowed by tunnel designs and
specifications. Traffic conditioning at [2 - Outer] may interact
with tunnel protocols that are sensitive to packet reordering; such
tunnels may need to limit the functionality at [2 - Outer] as
discussed further in Section 5.1. In the absence of reordering
sensitivity, no additional restrictions should be necessary, although
traffic conditioning at [2 - Outer] may be responsible for remarking
traffic to be compatible with the next diffserv domain that the
tunneled traffic enters.
In contrast, the [3 - Inner] location is difficult to utilize for
traffic conditioning because it requires functionality that reaches
inside the packet to operate on the inner IP header. This is
impossible for IPSec tunnels and any other tunnels that are encrypted
or employ cryptographic integrity checks. Hence traffic conditioning
at [3 - Inner] can often only be performed as part of tunnel
encapsulation processing, complicating both the encapsulation and
traffic conditioning implementations. In many cases, the desired
functionality can be achieved via a combination of traffic
conditioners in the other two locations, both of which can be
specified and implemented independently of tunnel encapsulation.
An exception for which traffic conditioning functionality is
necessary at [3 - Inner] occurs when the DS-incapable tunnel egress
discards the outer IP header as part of decapsulation processing, and
hence the DSCP in the inner IP header must be compatible with the
egress network. Setting the inner DSCP to 0 as part of encapsulation
addresses most of these cases, and the class selector DCSP codepoint
values are also useful for this purpose, as they are valid for
networks that support IP precedence [RFC 791].
The following table summarizes the achievable relationships among the
before (B), outer (O), and inner (I) DSCP values and the
corresponding locations of traffic conditioning logic.
Black Informational [Page 6]
^L
RFC 2983 Diffserv and Tunnels October 2000
Relationship Traffic Conditioning Location(s)
------------ --------------------------------
B = I = O No traffic conditioning required
B != I = O [1 - Before]
B = I != O [2 - Outer]
B = O != I Limited support as part of encapsulation:
I can be set to 000000 or possibly one of
the class selector code points.
B != I != O Some combination of the above three scenarios.
A combination of [1 - Before] and [2 - Outer] is applicable to many
cases covered by the last two lines of the table, and may be
preferable to deploying functionality at [3 - Inner]. Traffic
conditioning may still be required for purposes such as rate and
burst control even if DSCP values are not changed.
4.1 Ingress DSCP Selection and Reordering
It may be necessary or desirable to limit the DS behavior aggregates
that utilize an IP tunnel that is sensitive to packet reordering
within the tunnel. The diffserv architecture allows packets to be
reordered when they belong to behavior aggregates among which
reordering is permitted; for example, reordering is allowed among
behavior aggregates marked with different Class Selector DSCPs [RFC
2474]. IPSec [RFC 2401] and L2TP [RFC 2661] provide examples of
tunnels that are sensitive to packet reordering. If IPSec's anti-
replay support is configured, audit events are generated in response
to packet reordering that exceeds certain levels, with the audit
events indicating potential security issues. L2TP can be configured
to restore the ingress ordering of packets at tunnel egress, not only
undoing any differentiation based on reordering within the tunnel,
but also negatively impacting the traffic (e.g., by increasing
latency). The uniform model cannot be completely applied to such
tunnels, as arbitrary mixing of traffic from different behavior
aggregates can cause these undesirable interactions.
The simplest method of avoiding undesirable interactions of
reordering with reordering-sensitive tunnel protocols and features is
not to employ the reordering-sensitive protocols or features, but
this is often not desirable or even possible. When such protocols or
features are used, interactions can be avoided by ensuring that the
aggregated flows through the tunnel are marked at [2 - Outer] to
constitute a single ordered aggregate (i.e., the PHBs used share an
ordering constraint that prevents packets from being reordered).
Tunnel protocol specifications should indicate both whether and under
what circumstances a tunnel should be restricted to a single ordered
aggregate as well as the consequences of deviating from that
restriction. For the IPSec and L2TP examples discussed above, the
Black Informational [Page 7]
^L
RFC 2983 Diffserv and Tunnels October 2000
specifications should restrict each tunnel to a single ordered
aggregate when protocol features sensitive to reordering are
configured, and may adopt the approach of restricting all tunnels in
order to avoid unexpected consequences of changes in protocol
features or composition of tunneled traffic. Diffserv
implementations should not attempt to look within such tunnels to
provide reordering-based differentiation to the encapsulated
microflows. If reordering-based differentiation is desired within
such tunnels, multiple parallel tunnels between the same endpoints
should be used. This enables reordering among packets in different
tunnels to coexist with an absence of packet reordering within each
individual tunnel. For IPSec and related security protocols, there
is no cryptographic advantage to using a single tunnel for multiple
ordered aggregates rather than multiple tunnels because any traffic
analysis made possible by the use of multiple tunnels can also be
performed based on the DSCPs in the outer headers of traffic in a
single tunnel. In general, the additional resources required to
support multiple tunnels (e.g., cryptographic contexts), and the
impact of multiple tunnels on network management should be considered
in determining whether and where to deploy them.
4.2 Tunnel Selection
The behavioral characteristics of a tunnel are an important
consideration in determining what traffic should utilize the tunnel.
This involves the service provisioning policies of all the
participating domains, not just the PHBs and DSCPs marked on the
traffic at [2 - Outer]. For example, while it is in general a bad
idea to tunnel EF PHB traffic via a Default PHB tunnel, this can be
acceptable if the EF traffic is the only traffic that utilizes the
tunnel, and the tunnel is provisioned in a fashion adequate to
preserve the behavioral characteristics required by the EF PHB.
Service provisioning policies are responsible for preventing
mismatches such as forwarding EF traffic via an inadequately
provisioned Default tunnel. When multiple parallel tunnels with
different behavioral characteristics are available, service
provisioning policies are responsible for determining which flows
should use which tunnels. Among the possibilities is a coarse
version of the uniform tunnel model in which the inner DSCP value is
used to select a tunnel that will forward the traffic using a
behavioral aggregate that is compatible with the traffic's PHB.
5. Egress Functionality
As described in Section 3 above, this analysis is based on an
approach in which diffserv functionality and/or out-of-band
communication paths are not placed in parallel with tunnel
Black Informational [Page 8]
^L
RFC 2983 Diffserv and Tunnels October 2000
encapsulation processing. This allows three possible locations for
traffic conditioners with respect to tunnel decapsulation processing,
as shown in the following diagram that depicts the flow of IP headers
through tunnel decapsulation:
>>----[5 - Outer]-------------+
\
\
>>----[4 - Inner] --------- Decapsulate ---- [6 - After] -->>
Traffic conditioning at [5 - Outer] and [6 - After] is logically
separate from the tunnel, as it is not impacted by the presence of
tunnel decapsulation. Tunnel designs and specifications should allow
diffserv traffic conditioning at these locations. Such conditioning
can be viewed as independent of the tunnel, i.e., [5 - Outer] is
traffic conditioning that takes place prior to tunnel egress, and
[6 - After] is traffic conditioning that takes place after egress
decapsulation. An important exception is that the configuration of a
tunnel (e.g., the absence of traffic conditioning at tunnel ingress)
and/or the diffserv domains involved may require that all traffic
exiting a tunnel pass through diffserv traffic conditioning to
fulfill the diffserv edge node traffic conditioning responsibilities
of the tunnel egress node. Tunnel designers are strongly encouraged
to include the ability to require that all traffic exiting a tunnel
pass through diffserv traffic conditioning in order to ensure that
traffic exiting the node is compatible with the egress node's
diffserv domain.
In contrast, the [4 - Inner] location is difficult to employ for
traffic conditioning because it requires reaching inside the packet
to operate on the inner IP header. Unlike the [3 - Inner] case for
encapsulation, there is no need for functionality to be performed at
[4- Inner], as diffserv traffic conditioning can be appended to the
tunnel decapsulation (i.e., performed at [6 - After]).
5.1 Egress DSCP Selection
The elimination of parallel functionality and data paths from
decapsulation causes a potential loss of information. As shown in
the above diagram, decapsulation combines and reduces two DSCP values
to one DSCP value, losing information in the most general case, even
if arbitrary functionality is allowed. Beyond this, allowing
arbitrary functionality poses a structural problem, namely that the
DSCP value from the outer IP header would have to be presented as an
out-of-band input to the traffic conditioning block at [6 - After],
complicating the traffic conditioning model.
Black Informational [Page 9]
^L
RFC 2983 Diffserv and Tunnels October 2000
To avoid such complications, the simpler approach of statically
selecting either the inner or outer DSCP value at decapsulation is
recommended, leaving the full generality of traffic conditioning
functionality to be implemented at [5 - Outer] and/or [6 - After].
Tunnels should support static selection of one or the other DSCP
value at tunnel egress. The rationale for this approach is usually
only one of the two DSCP values contains useful information. The
conceptual model for the tunnel provides a strong indication of which
one contains useful information; the outer DSCP value usually
contains the useful information for tunnels based on the uniform
model, and the inner DSCP value usually contains the useful
information for tunnels based on the pipe model. IPSec tunnels are
usually based on the pipe model, and for security reasons are
currently required to select the inner DSCP value; they should not be
configured to select the outer DSCP value in the absence of an
adequate security analysis of the resulting risks and implications.
5.2 Egress DSCP Selection Case Study
As a sanity check on the egress DSCP selection approach proposed
above, this subsection considers a situation in which a more complex
approach might be required. Statically choosing a single DSCP value
may not work well when both DSCPs are carrying information that is
relevant to traffic conditioning.
As an example, consider a situation in which different AF groups [RFC
2597] are used by the two domains at the tunnel endpoints, and there
is an intermediate domain along the tunnel using RFC 791 IP
precedences that is transited by setting the DSCP to zero. This
situation is shown in the following IP header flow diagram where I is
the tunnel ingress node, E is the tunnel egress node and the vertical
lines are domain boundaries. The node at the left-hand vertical line
sets the DSCP in the outer header to 0 in order to obtain
compatibility with the middle domain:
| |
+-----|-------------------|------+
/ | | \
>>-----------I-------|-------------------|--------E---------->>
| |
Ingress DS Domain RFC 791 Egress DS domain
IP Precedence
Domain
In this situation, the DS edge node for the egress domain (i.e., the
node at the right-hand vertical line) can select the appropriate AF
group (e.g., via an MF classifier), but cannot reconstruct the drop
precedence information that was removed from the outer header when it
Black Informational [Page 10]
^L
RFC 2983 Diffserv and Tunnels October 2000
transited the RFC 791 domain (although it can construct new
information via metering and marking). The original drop precedence
information is preserved in the inner IP header's DSCP, and could be
combined at the tunnel egress with the AF class selection
communicated via the outer IP header's DSCP. The marginal benefit of
being able to reuse the original drop precedence information as
opposed to constructing new drop precedence markings does not justify
the additional complexity introduced into tunnel egress traffic
conditioners by making both DSCP values available to traffic
conditioning at [6 - After].
6. Diffserv and Protocol Translators
A related issue involves protocol translators, including those
employing the Stateless IP/ICMP Translation Algorithm [RFC 2765].
These translators are not tunnels because they do not add or remove a
second IP header to/from packets (e.g., in contrast to IPv6 over IPv4
tunnels [RFC 1933]) and hence do not raise concerns of information
propagation between inner and outer IP headers. The primary
interaction between translators and diffserv is that the translation
boundary is likely to also be a diffserv domain boundary (e.g., the
IPv4 and IPv6 domains may have different policies for traffic
conditioning and DSCP usage), and hence such translators should allow
the insertion of diffserv edge node processing (including traffic
conditioning) both before and after the translation processing.
7. Security Considerations
The security considerations for the diffserv architecture discussed
in [RFC 2474, RFC 2475] apply when tunnels are present. One of the
requirements is that a tunnel egress node in the interior of a
diffserv domain is the DS ingress node for traffic exiting the
tunnel, and is responsible for performing appropriate traffic
conditioning. The primary security implication is that the traffic
conditioning is responsible for dealing with theft- and denial-of-
service threats posed to the diffserv domain by traffic exiting from
the tunnel. The IPSec architecture [RFC 2401] places a further
restriction on tunnel egress processing; the outer header is to be
discarded unless the properties of the traffic conditioning to be
applied are known and have been adequately analyzed for security
vulnerabilities. This includes both the [5 - Outer] and [6 - After]
traffic conditioning blocks on the tunnel egress node, if present,
and may involve traffic conditioning performed by an upstream DS-edge
node that is the DS domain ingress node for the encapsulated tunneled
traffic.
Black Informational [Page 11]
^L
RFC 2983 Diffserv and Tunnels October 2000
8. References
[RFC 791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
1981.
[RFC 1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
RFC 1661, July 1994.
[RFC 1933] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", RFC 1933, April 1996.
[RFC 2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
October 1996.
[RFC 2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC 2474] Nichols, K., Blake, S., Baker, F. and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC 2474, December
1998.
[RFC 2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.
and W. Weiss, "An Architecture for Differentiated
Services", RFC 2475, December 1998.
[RFC 2597] Heinanen, J., Baker, F., Weiss, W. and J. Wroclawski,
"Assured Forwarding PHB Group", RFC 2597. June 1999.
[RFC 2598] Jacobson, V., Nichols, K. and K. Poduri, "An Expedited
Forwarding PHB", RFC 2598, June 1999.
[RFC 2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G.
and B. Palter. "Layer Two Tunneling Protocol "L2TP"", RFC
2661, August 1999.
[RFC 2765] Nordmark, E., "Stateless IP/ICMP Translation Algorithm
(SIIT)", RFC 2765, February 2000.
Black Informational [Page 12]
^L
RFC 2983 Diffserv and Tunnels October 2000
9. Acknowledgments
Some of this material is based on discussions with Brian Carpenter,
and in particular his presentation on this topic to the diffserv WG
during the summer 1999 IETF meeting in Oslo. Credit is also due to a
number of people working on tunnel specifications who have discovered
limitations of the diffserv architecture [RFC 2475] in the area of
tunnels. Their patience with the time it has taken to address this
set of issues is greatly appreciated. Finally, this material has
benefited from discussions within the diffserv WG, both in meetings
and on the mailing list -- the contributions of participants in those
discussions are gratefully acknowledged.
10. Author's Address
David L. Black
EMC Corporation
42 South St.
Hopkinton, MA 01748
Phone: +1 (508) 435-1000 x75140
EMail: black_david@emc.com
Black Informational [Page 13]
^L
RFC 2983 Diffserv and Tunnels October 2000
11. Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Black Informational [Page 14]
^L
|