Differentiated Service - 1 Differentiated Service  All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang ( 國立清華大學資訊工程學系 黃能富教授

Differentiated Service - 2 Outline  Introduction  Architecture for DS  Services  Per-Hub Behaviors (PHB’s)  Interoperability with legacy and IntServ networks  Multicast issues  Security issues

Differentiated Service - 3 Existing Internet Services  Best-effort service is insufficient from many perspectives u Multimedia applications require some sort of delay and bandwidth guarantees u Some VIP users can pay more for better service  Packet forwarding routers are bottleneck advanced switching technique u layer 3, layer 4, and higher?

Differentiated Service - 4 Integrated Service (IntServ)  Support per-flow end-to-end QoS Guaranteed service Controlled-load service  RSVP Signaling protocol Soft state Receiver initiated reservation

Differentiated Service - 5 Some Concerns with IntServ  RSVP per-flow signaling and state is too much.  Can core routers do switching ?  How to integrate with ATM ?

Differentiated Service - 6 What is Differentiated Service ?  Provide different levels of service with scalability Mark packets according to their service requirement (DS codepoint) Based on the mark, core routers apply differentiated per-hop forwarding behavior (PHB) (active queue management) Only a limited number of PHB’s is defined, so traffic aggregation is required Edge routers do the heavy job: traffic classification (marking), conditioning,...

Differentiated Service - 7 Traffic Aggregates

Differentiated Service - 8 What is Differentiated Service ?  Features Keep the forwarding simple Push complexity to edges of network Provide differentiated services Provide service without assumption of traffic using it Provide service long-term and short-term provision Allow the best effort traffic dominates the Internet

Differentiated Service - 9 RSVP vs DiffServ Source: Ben Teitelbaum, QBone Architecture

Differentiated Service - 10 Why Differentiated Service  Simpler than RSVP/IntServ no per-flow signaling or state  More efficient core routers limited number of service classes  Range of different packet handling services and mapping possible  Supports VPNs Ipsec ESP leaves the IP header un-encrypted

Differentiated Service - 11 Why Differentiated Service Source: Chris Metz

Differentiated Service - 12 Quality of Service Approaches Source: Chris Metz

Differentiated Service - 13 DiffServ Architecture Source: Ben Teitelbaum, QBone Architecture

Differentiated Service - 14 DiffServ Architecture  Components Packet classifier (BA, MF) PHB (AF, EF) Traffic conditioner (meter, marker, shaper, policer, dropper) Service provision, resource management Service Level Agreement (SLA), Traffic Conditioning Agreement (TCA)

Differentiated Service - 15 DiffServ Architecture Model  DiffServ Domain A contiguous set of DS nodes which operate with a common service provisioning policy and set of PHB groups implemented on each node.  DiffServ Region A set of one or more contiguous DS domains.

Differentiated Service - 16 DiffServ Architecture Model DS Domain DS Region Ingress node Egress node Boundary node Interior node

Differentiated Service - 17 DiffServ Architecture Model  DS boundary nodes interconnect the DS domain to other DS or non-DS domains perform traffic conditioning functions  Interior nodes connect to other DS interior or boundary nodes perform limited traffic conditioning functions

Differentiated Service - 18 DiffServ Architecture Model  DS ingress node responsible for ensuring that the traffic entering the DS domain conforms to any TCA between it and the other domain  DS egress node perform traffic conditioning functions to make sure the forwarded traffic conforms to the TCA DS boundary nodes act both as a DS ingress node and as a DS egress node.

Differentiated Service - 19 DiffServ Architecture Model  Service the overall treatment of a defined subset of a customer’s traffic within a DS-domain or end- to-end. service providers combine PHB implementations with traffic conditioners, provisioning strategies and billing models which enable them to offer services. Providers and customers negotiate service level agreements (SLA).

Differentiated Service - 20 Service Level Agreement (SLA)  SLA is a service contract between a customer and a service provider a customer may be a user or DS domain  An important subset of SLA is Traffic conditioning agreement (TCA)  SLA may also includes packet classification rules, traffic conditioning, availability/ reliability, encryption, routing constraints, authentication, monitoring and auditing, pricing and billing, ….

Differentiated Service - 21 TCA  Specifies detailed service parameters for each service level performance parameters (delay, throughput, …) traffic profiles disposition of non-conforming traffic marking shaping

Differentiated Service - 22 Traffic Classifiers  Select packets based on the header BA (Behavior Aggregate) Classifier u Classify packets based on DS codepoint only. MF (Multi-Field) Classifier u Classify packets based on a combination of one or more header fields (source/destination address, DS field, protocol, source/destination port). u Fragment is an issue if classify based on transport layer header.

Differentiated Service - 23 DS Codepoint IPv4 TOS IPv6 uses the Traffic Class field (8-bit) (1349)

Differentiated Service - 24 DS Codepoint (DSCP)  Specify the service (PHB) a packet receives at a node  CU: Currently Unused  Default(BE):  xxx000 defined for backward compatibility with IP precedence bits

Differentiated Service - 25 Traffic Profiles  Specifies the temporal properties of a traffic stream selected by a classifier codepoint = x, use token bucket r, b  In-profile packets may be allowed to enter the DS domain without further conditioning  Out-of-profile packets may be queued until they are in-profile (shaped), discarded (policed), marked with a new codepoint (remarked), or forwarded unchanged while triggering some accounting procedure.

Differentiated Service - 26 Traffic Conditioners  Possible elements meter u measure temporal properties of a traffic stream against its traffic profile specified by TCA marker u Set the DS field of a packet to a codepoint u codepoint is used to map to a PHB in the core network shaper u delay packets to bring the stream into compliance with profile dropper u discard packets in a traffic stream to bring the stream into compliance with profile

Differentiated Service - 27 Classifier and Conditioner ClassifierMarker Shaper/ Dropper Meter

Differentiated Service - 28 Service Taxonomy  Qualitative services ( 質化） assurances offered are relative and can only be verified by comparison. e.g., delivered with low latency or low loss  Quantitative services ( 量化） provide concrete guarantees and could be measured irrespective of any other services e.g., 90% of in-profile traffic will be delivered with no more than 50msec latency.

Differentiated Service - 29 Service Taxonomy  Relative quantification service Traffic offered at service level E will be allotted twice the bandwidth of traffic delivered at service level F. Traffic with drop precedence AF12 has a higher probability of delivery than traffic with drop precedence AF13.  It will be necessary to specify quantitative policing profiles for quantitative service.

Differentiated Service - 30 Scope of Service  Topological extent over which the service is offered all traffic from ingress point A to any egress point. all traffic between ingress point A and egress point B. all traffic from ingress point A to a set of egress points.  Scope of service is part of the SLA governing ingress point A.  Several issues on services governing received traffic (all traffic between any ingress point and egress point B).

Differentiated Service - 31 Dynamic vs. Static SLAs  Static SLA norm at the present time specify a period of time when the SLA is valid (may be periodically renegotiated)  Dynamic SLA may change due to traffic load fluctuations SLA is applied to aggregates of traffic, should not be changed just due to flows added or deleted.

Differentiated Service - 32 Functionality at DiffServ Routers Source: Chris Metz

Differentiated Service - 33 Functionality at Provider’s Ingress  Police traffic according to TCA DS-Mark : Profile : Disposition of non- conforming traffic  Disposition remark to a lower service level delay in shaper drop  BA Classifier each class is metered for conformance following the profiler, dropper, shaper or re- marker may be employed.

Differentiated Service - 34 Functionality at Customer’s Egress  Marking It is preferable for the customer to mark (called pre-mark) its own traffic u mark by source host or intermediate nodes in the source domain  Shaping shape per service level at egress to avoid undesirable policing consequences at provider’s ingress. May want to do per-flow shaping to avoid misbehaving flows

Differentiated Service - 35 Functionality at Provider’s Egress  May have a peer DS domain connected to the egress may be required to remark, police, and/or shape the traffic. May provide value added functions, such as per-flow policing.

Differentiated Service - 36 Functionality at Interior Nodes  Should be simple classification plus queuing management.  Complex classification and traffic conditioning functions are not precluded. Due to restrictive access policies on a link, MF classifier and traffic conditioning functions may be required at the upstream node of the link. This will not scale up !

Differentiated Service - 37 Per-Hop Behaviors (PHB)  A description of externally observable forwarding behavior of a DS node applied to a particular DS behavior aggregate.  The PHB is the means by which a node allocates resources to behavior aggregates.  PHBs may be specified in terms of their resource priority to other PHBs, or their relative observable traffic characteristics.  PHBs may also be specified in minimum bandwidth allocation.

Differentiated Service - 38 Assured Forwarding PHB Group  PHB group A set of one or more PHBs that can only be meaningfully specified and implemented simultaneously.  Assured Forwarding (AF) PHB group Means for a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. Qualitative service Four AF classes are defined.

Differentiated Service - 39 Assured Forwarding PHB Group  AF PHB group provides N (4) independent AF classes u packets of class x do not have smaller forwarding time (delay) than class y if x<y (the larger the better) Within each class, there are M (3) different levels of drop precedence. u A packet with drop precedence p must not be forwarded with smaller probability than a packet with drop precedence q, if p<q (the smaller the better) An IP packet that belongs to an AF class I and has drop precedence j is marked with the AF codepoint AF ij.

Differentiated Service - 40 Assured Forwarding PHB Group  Traffic conditioning actions A DS domain may control the amount of AF traffic that enters or exists the domain. traffic conditioning actions may include shaping, discarding, increasing or decreasing the drop precedence, reassigning packets to other AF class. traffic conditioning actions must not cause reordering of packet of the same micro-flow.

Differentiated Service - 41 Assured Forwarding PHB Group  Queuing and discard behavior A DS node should implement all AF classes. Within each AF class, a DS node must accept all three drop precedence codepoints and they must yield at least two different levels of loss probability. u If two loss probability is provided, AFx1 must yield the lower loss probability and AFx2 and AFx3 yield the higher loss probability. It is recommended that the discard algorithm is based on RED-like algorithm.

Differentiated Service - 42 Assured Forwarding PHB Group  Recommended codepoints AF1AF2AF3AF4 low mid high x000 is reserved for conventional network control traffic 00x000 is reserved for conventional precedence forwarding

Differentiated Service - 43 Queue Scheduling/ Management DiffServ requires routers to support queue scheduling and management to prioritize outbound packets and control queue depth (minimize congestion) Source: Chris Metz

Differentiated Service - 44 Importance of Queue Management Full Queues are problematic - New connections cannot get through (called Lock- Out) - All packets from existing flows are dropped resulting in across- the- board TCP slow- starts (called Global Synchronization) -Can't handle bursts of traffic Source: Chris Metz

Differentiated Service - 45 RED Algorithm Source: Chris Metz

Differentiated Service - 46 AF Example Service  Olympic service Service classes u bronze (AF1), silver (AF2), gold (AF3) Precedence u AF11~AF13, AF21~AF23, AF31~AF33 Drop precedence level could be assigned by using a leaky bucket traffic policer with a rate and two burst sizes u less than the committed burst: low u between two burst levels: medium u greater than excess burst: high

Differentiated Service - 47 Expedited Forwarding PHB  Expedited Forwarding (EF) Can be used to build a low loss, low latency, low jitter, assured bandwidth, end-to-end service through DS domains. Forwarding rate for a traffic aggregate must equal or exceed a configurable rate, independent of other aggregates. This service is also called Premium service, or Virtual Leased Line (VLL) service. It is a quantitative service.

Differentiated Service - 48 Expedited Forwarding PHB  Recommended codepoint:  Traffic conditioner police all EF marked packets to a rate negotiated with the adjacent upstream domain. Packets in excess of the negotiated rate must be dropped. Higher priority over AF packets. u Two priority queues

Differentiated Service - 49 Handling AF & EF at Interior Nodes P-bit set? High-priority If A-bit set, inc a_cnt If A-bit set, inc a_cnt Low-priority Packets out RIO queue management RIO queue management If A-bit set, dec a_cnt If A-bit set, dec a_cnt

Differentiated Service - 50 Handling AF & EF at Border Node

Differentiated Service - 51 Provision and Configuration  Provision the determination and allocation of the resources needed at various points in the network dictate addition or removal of resources dictate the operating parameters  Configuration distribution of the appropriate operating parameters to network equipment to realize the provisioning objectives.

Differentiated Service - 52 Bandwidth Broker  Agent for automatic service provision can be configured with organizational policies. keep track of current allocation of marked traffic. interpret new requests to mark traffic according to policies and current allocation. allocate bandwidth for end-to-end connections with less state and simpler trust relationships. parcel out marked traffic allocations and set up lead routers. manage messages across boundaries u adjacent regions only (bilateral not multi-lateral)

Differentiated Service - 53 Bandwidth Broker  Operation sequence Host sends a request to BB u service type, target rate, max. burst, time period used BB authenticates the credentials Check available bandwidth u If the destination is outside the region, send message to “next hop” region’s BB (bilateral agreement) Configures the appropriate leaf router Periodically refresh the configuration (soft state)  Sends messages to edge devices using COPS protocol runs on a reliable TCP connection

Differentiated Service - 54 Bandwidth Broker DS Region InterDomain Protocol COPS BB RAR * RAR: Resource Allocation Request

Differentiated Service - 55 Bandwidth Broker COPS client DiffServ Manager DiffServ Manager Classification Policing Marking... Classification Policing Marking COPS client registers with BB 3. BB adds/removes flow filters 2. BB sends configured policy to edge device Priority Queuing by TOS queue1 queue2 queueN flows in 5. Filter match 6. Flows go to diff. queue

Differentiated Service - 56 Bandwidth Broker Architecture adjacent BB User/App Interface application server user/ host network operator Inter-Domain Interface Intra-Domain Interface edge routers edge routers Data Repository Routing Information Policy Manager Interface Network Management Interface

Differentiated Service - 57 Bandwidth Broker Architecture  User/Application interface requests directly from user/app on end host (via GUI)  Inter-domain communication interface negotiating SLA information between BBs in adjacent domains  Intra-domain communication interface setting edge device parameters for QoS/policy enforcement between edge router and BB  Routing table interface BGP routing information for inter-domain Internal routing information for intra-domain QoS-based routing in the future

Differentiated Service - 58 Bandwidth Broker Architecture  Data Repository data used by all components  Policy Manager interface utilize complex QoS/policy management functionality in policy manager coordination of SLAs and network resources provide admission control processing  Network Management interface coordination of network provision and monitoring

Differentiated Service - 59 Configuration  Top down distribution of configuration information information is pushed in a top down manner, from a domain’s logically centralized point of administration Bandwidth broker  Distribution via signaling From edges via signaling (RSVP) Supports dynamic TCA

Differentiated Service - 60 Configuration  Measurement-based configuration less necessary for quantitative provision (predictable) enhance efficiency with which qualitative provision can be achieved. Likely that measurement based for qualitative service would be used in conjunct with signalling.

Differentiated Service - 61 Multicast  Major issues Single ingress point with multiple egress nodes u Difficult to predict in advance the amount of resources required u Dynamic membership join and leave even harder u Due to capability of router and routing protocol, duplicate packets may appear on a link u May be necessary to use separate codepoints and PHBs for multicast and unicast services. Selection of DS codepoint u Different egress nodes to different peer domains may have different SLAs and codepoints

Differentiated Service - 62 Security  Theft adversary may be able to obtain better service by modifying the DS field to codepoints indicating behaviors used for enhanced services  Denial of service adversary may inject packets with the DS field set to a particular codepoints to cause unpredictable traffic conditioning  IPsec and tunneling IPsec ESP does not include IP header for encryption