Network Working Group R. Atarashi
Internet-Draft Communications Research Laboratory
Expires: April 1, 2002 F. Baker
Cisco Systems
October 2001
Reflexive DSCP Policy
draft-atarashi-dscp-policy-00
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 1, 2002.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
In reviewing the specific use of the Differentiated Services
Architecture for supporting the Internet Emergency Preparedness
System, we found what we believe is a general issue. This is that
even though a client or peer can connect to a server or peer with a
predictable DSCP value, the response does not have a predictable DSCP
value. We consider the issues, and recommend an approach to
application policy regarding the DSCP.
Atarashi & Baker Expires April 1, 2002 [Page 1]
Internet-Draft Document October 2001
1. Introduction
In reviewing the specific use of the Differentiated Services
Architecture for supporting the Internet Emergency Preparedness
System, we found what we believe is a general issue. This is that
even though a client or peer can connect to a server or peer with a
predictable DSCP value, the response does not have a predictable DSCP
value. We consider the issues, and recommend an approach to
application policy regarding the DSCP.
As such, we will make specific recommendations for all applications.
In doing so, we will use the language described in RFC 2119 [3]. The
key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [3].
1.1 Problem Statement
Figure 1 presents a connection being placed between two applications
across a differentiated services network.
. . . . . . . . . . . .
. . . . . .
. Client . . . . Server .
. /----------/ . . /------------/ . . /---------------/.
. Router -----/----- Router Router ----/----- Router .
. . . . . .
. . . . . .
. . . . . . . . . . . .
Figure 1: Connection across a network
A behavior aggregate originated in part by a certain client toward a
given server in a remote network may have certain application
requirements, such as requiring service appropriate to an ERP
application, video stream, or voice. One application may use
different aggregates for different purposes, and therefore have
different requirements. So the application may not be able to tell,
a priori, with what DSCP it should use or respond.
In addition, DSCPs have local significance in the Differentiated
Services Architecture. It is possible and perhaps likely that a
behavior aggregate might use different code points in different
networks.
Atarashi & Baker Expires April 1, 2002 [Page 2]
Internet-Draft Document October 2001
2. Policy recommendations
We consider that there are a number of possible approaches to this
issue. The simplest, which we fear is currently standard in
Differentiated Services hosts, is to simply select a default value,
such as "always make TCP applications use AF11". For some
applications, such as voice (EF), this approach is appropriate, but
for many it is not.
2.1 Default DSCP policy in a responder
When a system accepts sessions initiated from another system, and
there is no specific local policy, the responder SHOULD use the same
DSCP Group as its request. Thus, if a TCP SYN arrives using any of
AF11, AF12, or AF13, the TCP SYN-ACK and subsequent messages SHOULD
use AF11 as the DSCP. When in doubt as to the set of DSCP code
points comprising a DSCP Group, it SHOULD respond with exactly the
same DSCP.
There has been interest of late in changing the quality of service
behavior for different portions of the same session, such as on a
per-URL basis. The requester could initiate this. Thus, if the DSCP
received on one TCP segment differs from the TCP used on a prior TCP
segment in a session, the new DSCP SHOULD be reflected unless local
policy prevents this.
One way to implement this requires the receiving transport (TCP,
SCTP, etc) to save the received DSCP and use an API to determine the
correct responding DSCP from a configuration file. The configuration
file lists the 64 possible DSCP values and the correct response. In
most cases, the two SHOULD be the same, but the twelve AFxy code
points map to AFx1. Local policy MAY update this mapping.
2.2 Application-directed DSCP policy
The originator of a session, which is to say the application that
opens it, SHOULD normally select the DSCP value used. This, of
course, needs to be consistent with local network policy, and may be
dictated entirely by that policy.
The application would do this through an API, ideally one that maps
the application to a DSCP value through local administrative policy.
Thus, the API could set the DSCP for signaling of voice calls to a
specific value, such as AF31. It would be better, though, if the API
were to set it to a key word such as "VoiceSignaling" or
"DatabaseAccess", and enable the network administration to interpret
the key word to an appropriate code point. One way to implement this
would be for the API code to look the key word up in a file or an
Atarashi & Baker Expires April 1, 2002 [Page 3]
Internet-Draft Document October 2001
LDAP Policy.
It is possible for the responding application to use this same API.
For example, separate policies might apply to database records of one
type and database records of another type, something that only the
database access application could determine. It is also possible for
the application exchange to communicate a desired DSCP, and the
responding application to use the API accordingly. In such a case,
the application exchange MUST specify the key word rather than the
specific DSCP, as it cannot know the applicable policy in the
responder's network.
Atarashi & Baker Expires April 1, 2002 [Page 4]
Internet-Draft Document October 2001
3. Security Considerations
This document discusses policy, and describes a recommended default
policy, for the use of a Differentiated Services Code Point by
transports and applications. If implemented as described, it should
ask the network to do nothing that the network has not already
allowed. If that is the case, no new security issues should arise
from the use of such a policy.
It is possible, however, for the policy to be applied incorrectly, or
for another policy to be applied, which would be incorrect in the
network. In that case, a policy issue exists which the network must
detect, assess, and deal with. This is a known security issue in any
network dependent on policy-directed behavior.
Atarashi & Baker Expires April 1, 2002 [Page 5]
Internet-Draft Document October 2001
4. Acknowledgements
The authors would like to thank Hiroyuki Ohno, Toshio Shimojo,
Shigeru Miyake and Yoshifumi Atarashi for their suggestions.
Atarashi & Baker Expires April 1, 2002 [Page 6]
Internet-Draft Document October 2001
References
[1] "International Emergency Preparedness Scheme", ITU E.106, March
2000.
[2] "Service Description for an International Emergency Multimedia
Service (Draft)", ITU-T F.706, August 2001.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[4] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of
the Differentiated Services Field (DS Field) in the IPv4 and
IPv6 Headers", RFC 2474, December 1998.
[5] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. and W.
Weiss, "An Architecture for Differentiated Services", RFC 2475,
December 1998.
[6] Heinanen, J., Baker, F., Weiss, W. and J. Wroclawski, "Assured
Forwarding PHB Group", RFC 2597, June 1999.
[7] Bernet, Y., Ford, P., Yavatkar, R., Baker, F., Zhang, L., Speer,
M., Braden, R., Davie, B., Wroclawski, J. and E. Felstaine, "A
Framework for Integrated Services Operation over Diffserv
Networks", RFC 2998, November 2000.
Authors' Addresses
Rei S. Atarashi
Communications Research Laboratory
4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795
JP
Phone: +81-42-327-6243
Fax: +81-42-327-9041
EMail: ray@crl.go.jp
Atarashi & Baker Expires April 1, 2002 [Page 7]
Internet-Draft Document October 2001
Fred Baker
Cisco Systems
1121 Via Del Rey
Santa Barbara, CA 93117
US
Phone: +1-408-526-4257
Fax: +1-413-473-2403
EMail: fred@cisco.com
Atarashi & Baker Expires April 1, 2002 [Page 8]
Internet-Draft Document October 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Atarashi & Baker Expires April 1, 2002 [Page 9]