Differentiated Service - 1
Differentiated Service
All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: [email protected]).
Professor Nen-Fu Huang, Department of Computer Science, National Tsing Hua University. E-mail: [email protected]
Differentiated Service - 2
Outline
Introduction
Architecture for DS
Services
Per-Hop Behaviors (PHBs)
Interoperability with legacy and IntServ networks
Multicast issues
Security issues
Differentiated Service - 3
Existing Internet Services
Best-effort service is insufficient from many perspectives
Multimedia applications require some sort of delay and bandwidth guarantees
Some VIP users can pay more for better service
Packet forwarding: routers are the bottleneck; advanced switching techniques at layer 3, layer 4, and higher?
Differentiated Service - 4
Integrated Service (IntServ)
Support per-flow end-to-end QoS
Guaranteed service
Controlled-load service
RSVP
Signaling protocol
Soft state
Receiver-initiated reservation
Differentiated Service - 5
Some Concerns with IntServ
RSVP per-flow signaling and state is too much.
Can core routers do switching?
How to integrate with ATM?
Differentiated Service - 6
What is Differentiated Service ?
Provide different levels of service with scalability
Mark packets according to their service requirement (DS codepoint)
Based on the mark, core routers apply a differentiated per-hop forwarding behavior (PHB) (active queue management)
Only a limited number of PHBs is defined, so traffic aggregation is required
Edge routers do the heavy job: traffic classification (marking), conditioning, ...
Differentiated Service - 8
What is Differentiated Service ?
Features
Keep the forwarding simple
Push complexity to the edges of the network
Provide differentiated services
Provide service without assumptions about the traffic using it
Provide both long-term and short-term service provisioning
Allow best-effort traffic to remain the dominant traffic on the Internet
Differentiated Service - 10
Why Differentiated Service
Simpler than RSVP/IntServ: no per-flow signaling or state
More efficient core routers: limited number of service classes
Range of different packet handling services and mappings possible
Supports VPNs: IPsec ESP leaves the IP header unencrypted, so the DS field remains usable
Differentiated Service - 14
DiffServ Architecture
Components
Packet classifier (BA, MF)
PHB (AF, EF)
Traffic conditioner (meter, marker, shaper, policer, dropper)
Service provisioning, resource management
Service Level Agreement (SLA), Traffic Conditioning Agreement (TCA)
Differentiated Service - 15
DiffServ Architecture Model
DiffServ Domain: a contiguous set of DS nodes which operate with a common service provisioning policy and set of PHB groups implemented on each node.
DiffServ Region: a set of one or more contiguous DS domains.
Differentiated Service - 16
DiffServ Architecture Model
[Figure: a DS region made up of DS domains; labelled elements: ingress node, egress node, boundary node, interior node]
Differentiated Service - 17
DiffServ Architecture Model
DS boundary nodes
interconnect the DS domain to other DS or non-DS domains
perform traffic conditioning functions
Interior nodes
connect to other DS interior or boundary nodes
perform limited traffic conditioning functions
Differentiated Service - 18
DiffServ Architecture Model
DS ingress node: responsible for ensuring that the traffic entering the DS domain conforms to any TCA between it and the other domain
DS egress node: performs traffic conditioning functions to make sure the forwarded traffic conforms to the TCA
DS boundary nodes act both as a DS ingress node and as a DS egress node.
Differentiated Service - 19
DiffServ Architecture Model
Service: the overall treatment of a defined subset of a customer’s traffic within a DS domain or end-to-end.
Service providers combine PHB implementations with traffic conditioners, provisioning strategies and billing models, which enable them to offer services.
Providers and customers negotiate service level agreements (SLAs).
Differentiated Service - 20
Service Level Agreement (SLA)
SLA is a service contract between a customer and a service provider; a customer may be a user or a DS domain
An important subset of the SLA is the Traffic Conditioning Agreement (TCA)
The SLA may also include packet classification rules, traffic conditioning, availability/reliability, encryption, routing constraints, authentication, monitoring and auditing, pricing and billing, ….
Differentiated Service - 21
TCA
Specifies detailed service parameters for each service level
performance parameters (delay, throughput, …)
traffic profiles
disposition of non-conforming traffic
marking
shaping
Differentiated Service - 22
Traffic Classifiers
Select packets based on the header
BA (Behavior Aggregate) Classifier: classify packets based on the DS codepoint only.
MF (Multi-Field) Classifier: classify packets based on a combination of one or more header fields (source/destination address, DS field, protocol, source/destination port).
Fragmentation is an issue when classifying on transport-layer header fields, since only the first fragment carries them.
Differentiated Service - 24
DS Codepoint (DSCP)
Specify the service (PHB) a packet receives at a node
CU: Currently Unused (the two low-order bits of the DS field)
Default (BE): 000000
xxx000: defined for backward compatibility with the IP precedence bits
Differentiated Service - 25
Traffic Profiles
Specifies the temporal properties of a traffic stream selected by a classifier
Example: codepoint = x, use a token bucket with rate r and depth b
In-profile packets may be allowed to enter the DS domain without further conditioning
Out-of-profile packets may be queued until they are in-profile (shaped), discarded (policed), marked with a new codepoint (remarked), or forwarded unchanged while triggering some accounting procedure.
Differentiated Service - 26
Traffic Conditioners
Possible elements
meter: measure the temporal properties of a traffic stream against its traffic profile specified by the TCA
marker: set the DS field of a packet to a codepoint; the codepoint is used to map to a PHB in the core network
shaper: delay packets to bring the stream into compliance with the profile
dropper: discard packets in a traffic stream to bring the stream into compliance with the profile
Differentiated Service - 28
Service Taxonomy
Qualitative services: the assurances offered are relative and can only be verified by comparison, e.g., delivered with low latency or low loss
Quantitative services: provide concrete guarantees and can be measured irrespective of any other service, e.g., 90% of in-profile traffic will be delivered with no more than 50 msec latency.
Differentiated Service - 29
Service Taxonomy
Relative quantification service: traffic offered at service level E will be allotted twice the bandwidth of traffic delivered at service level F.
Traffic with drop precedence AF12 has a higher probability of delivery than traffic with drop precedence AF13.
It will be necessary to specify quantitative policing profiles for quantitative services.
Differentiated Service - 30
Scope of Service
Topological extent over which the service is offered
all traffic from ingress point A to any egress point.
all traffic between ingress point A and egress point B.
all traffic from ingress point A to a set of egress points.
Scope of service is part of the SLA governing ingress point A.
Several issues arise for services governing received traffic (all traffic between any ingress point and egress point B).
Differentiated Service - 31
Dynamic vs. Static SLAs
Static SLA
the norm at the present time; specifies a period of time during which the SLA is valid (may be periodically renegotiated)
Dynamic SLA
may change due to traffic load fluctuations
an SLA is applied to aggregates of traffic and should not change just because flows are added or deleted.
Differentiated Service - 33
Functionality at Provider’s Ingress
Police traffic according to the TCA, which lists for each entry: DS mark, profile, and disposition of non-conforming traffic
Disposition: remark to a lower service level, delay in a shaper, or drop
BA classifier: each class is metered for conformance against its profile; following the meter, a dropper, shaper or re-marker may be employed.
Differentiated Service - 34
Functionality at Customer’s Egress
Marking
It is preferable for the customer to mark (pre-mark) its own traffic
mark by the source host or by intermediate nodes in the source domain
Shaping
shape per service level at the egress to avoid undesirable policing consequences at the provider’s ingress.
May want to do per-flow shaping to avoid misbehaving flows
Differentiated Service - 35
Functionality at Provider’s Egress
A peer DS domain may be connected at the egress; the egress node may then be required to remark, police, and/or shape the traffic.
May provide value-added functions, such as per-flow policing.
Differentiated Service - 36
Functionality at Interior Nodes
Should be simple classification plus queue management.
Complex classification and traffic conditioning functions are not precluded.
Due to restrictive access policies on a link, MF classification and traffic conditioning functions may be required at the upstream node of the link.
This will not scale!
Differentiated Service - 37
Per-Hop Behaviors (PHB)
A description of the externally observable forwarding behavior of a DS node applied to a particular DS behavior aggregate.
The PHB is the means by which a node allocates resources to behavior aggregates.
PHBs may be specified in terms of their resource priority relative to other PHBs, or their relative observable traffic characteristics.
PHBs may also be specified in terms of a minimum bandwidth allocation.
Differentiated Service - 38
Assured Forwarding PHB Group
PHB group: a set of one or more PHBs that can only be meaningfully specified and implemented simultaneously.
Assured Forwarding (AF) PHB group: means for a provider DS domain to offer different levels of forwarding assurance for IP packets received from a customer DS domain.
Qualitative service
Four AF classes are defined.
Differentiated Service - 39
Assured Forwarding PHB Group
AF PHB group provides N (4) independent AF classes
packets of class x do not have a smaller forwarding time (delay) than class y if x<y (the larger the better)
Within each class, there are M (3) different levels of drop precedence.
A packet with drop precedence p must not be forwarded with smaller probability than a packet with drop precedence q, if p<q (the smaller the better)
An IP packet that belongs to AF class i and has drop precedence j is marked with the AF codepoint AFij.
Differentiated Service - 40
Assured Forwarding PHB Group
Traffic conditioning actions
A DS domain may control the amount of AF traffic that enters or exits the domain.
Traffic conditioning actions may include shaping, discarding, increasing or decreasing the drop precedence, or reassigning packets to another AF class.
Traffic conditioning actions must not cause reordering of packets of the same micro-flow.
Differentiated Service - 41
Assured Forwarding PHB Group
Queuing and discard behavior
A DS node should implement all AF classes. Within each AF class, a DS node must accept all three drop precedence codepoints, and they must yield at least two different levels of loss probability.
If only two levels of loss probability are provided, AFx1 must yield the lower loss probability and AFx2 and AFx3 the higher loss probability.
It is recommended that the discard algorithm be based on a RED-like algorithm.
Differentiated Service - 42
Assured Forwarding PHB Group
Recommended codepoints (table with columns AF1, AF2, AF3, AF4 and rows low, mid, high drop precedence; cell values as they appear on the slide, cell positions not recoverable):
010000 010010 010100 011000 100000 101000 011010 011100 100100 100010 101100 101010
11x000 is reserved for conventional network control traffic
00x000 is reserved for conventional precedence forwarding
Differentiated Service - 43
Queue Scheduling/ Management
DiffServ requires routers to support queue scheduling and management to prioritize outbound packets and control queue depth (minimize congestion)
Source: Chris Metz
Differentiated Service - 44
Importance of Queue Management
Full queues are problematic:
New connections cannot get through (called lock-out)
All packets from existing flows are dropped, resulting in across-the-board TCP slow-starts (called global synchronization)
Cannot handle bursts of traffic
Source: Chris Metz
Differentiated Service - 46
AF Example Service
Olympic service
Service classes: bronze (AF1), silver (AF2), gold (AF3)
Precedence: AF11~AF13, AF21~AF23, AF31~AF33
Drop precedence level could be assigned by using a leaky bucket traffic policer with a rate and two burst sizes:
less than the committed burst: low; between the two burst levels: medium; greater than the excess burst: high
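The following is an added example, not code from the slides: it encodes and decodes AF codepoints in the RFC 2597 layout (class i in the high three bits, drop precedence j stored as 2j in the low three bits, so AF11 = 001010) and implements the single-rate policer with committed and excess burst sizes described above, returning low/medium/high drop precedence and marking the packet accordingly. The class and function names and the traffic trace are constructed for this example.

```python
# Added example (not from the slides): AF codepoint arithmetic in the RFC 2597
# layout plus the single-rate, two-burst policer of the Olympic service above.
# Class/function names and the traffic trace are constructed for illustration.

DSCP_EF, DSCP_BE = 0b101110, 0b000000

def af_dscp(af_class, drop_prec):
    """AFij: class i in the top three bits, drop precedence j as 2*j below
    (AF11 = 001010, AF43 = 100110)."""
    if not (1 <= af_class <= 4 and 1 <= drop_prec <= 3):
        raise ValueError("AF class must be 1..4, drop precedence 1..3")
    return (af_class << 3) | (drop_prec << 1)

def parse_dscp(dscp):
    """('EF',), ('BE',), ('CS', n) for xxx000, ('AF', i, j), or ('other',)."""
    if dscp == DSCP_EF:
        return ("EF",)
    if dscp == DSCP_BE:
        return ("BE",)
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return ("CS", cls)  # xxx000 keeps IP precedence compatibility
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):
        return ("AF", cls, low >> 1)
    return ("other",)

class TwoBurstPolicer:
    """Tokens arrive at `rate` bytes/s into a committed bucket of depth bc;
    overflow spills into an excess bucket of depth be. A packet that fits the
    committed bucket gets low drop precedence (1), one that only fits the
    excess bucket medium (2), anything larger high (3)."""
    def __init__(self, rate, bc, be):
        self.rate, self.bc, self.be = float(rate), float(bc), float(be)
        self.tc, self.te, self.last = self.bc, self.be, 0.0

    def _refill(self, now):
        added = max(0.0, now - self.last) * self.rate
        self.last = max(self.last, now)
        room = self.bc - self.tc
        self.tc += min(added, room)                                # committed first
        self.te = min(self.be, self.te + max(0.0, added - room))  # spill to excess

    def meter(self, size, now):
        """Return the drop precedence (1 low, 2 medium, 3 high) for a packet."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return 1
        if size <= self.te:
            self.te -= size
            return 2
        return 3

def mark_af(policer, af_class, packets):
    """packets: iterable of (arrival_time_s, size_bytes); returns a DSCP per packet."""
    return [af_dscp(af_class, policer.meter(size, t)) for t, size in packets]
```

Three back-to-back 1000-byte packets against a 1000 B/s policer with bc = be = 1500 come out AF11, AF12, AF13; a fourth packet two seconds later is AF11 again because both buckets have refilled.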
Differentiated Service - 47
Expedited Forwarding PHB
Expedited Forwarding (EF): can be used to build a low-loss, low-latency, low-jitter, assured-bandwidth, end-to-end service through DS domains.
Forwarding rate for a traffic aggregate must equal or exceed a configurable rate, independent of other aggregates.
This service is also called Premium service, or Virtual Leased Line (VLL) service.
It is a quantitative service.
Differentiated Service - 48
Expedited Forwarding PHB
Recommended codepoint: 101110
Traffic conditioner: police all EF-marked packets to a rate negotiated with the adjacent upstream domain.
Packets in excess of the negotiated rate must be dropped.
EF has higher priority than AF packets (two priority queues).
Differentiated Service - 49
Handling AF & EF at Interior Nodes
[Figure: handling at an interior node. Each arriving packet is tested for the P-bit: if set, it goes to the high-priority queue, otherwise to the low-priority queue under RIO queue management. If the A-bit is set, a_cnt is incremented on enqueue and decremented on dequeue. Packets out.]
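As an added example (not code from the slides), the RIO (RED with In/Out) discipline the interior-node figure refers to: in-profile packets (A-bit set) are judged on the average occupancy of in-profile packets only, tracked by a_cnt, while out-of-profile packets are judged on the average total occupancy, so a burst of out-of-profile traffic cannot push in-profile traffic into the drop region. Class names, thresholds and the arrival pattern are constructed.

```python
# Added example (not from the slides): RIO queue management. In-profile packets
# use the average of in-profile occupancy (a_cnt), out-of-profile packets the
# average of total occupancy, each with its own RED thresholds.
# Class names, parameters and arrival patterns are constructed for illustration.
import random
from collections import deque, namedtuple

# min_th/max_th in packets; max_p is the drop probability reached at max_th.
RedParams = namedtuple("RedParams", "min_th max_th max_p")

def red_drop_probability(avg, p):
    """Classic RED curve: 0 below min_th, linear up to max_p, 1 at max_th."""
    if avg < p.min_th:
        return 0.0
    if avg >= p.max_th:
        return 1.0
    return p.max_p * (avg - p.min_th) / (p.max_th - p.min_th)

class RioQueue:
    def __init__(self, in_params, out_params, limit, weight=0.002, seed=0):
        self.in_p, self.out_p, self.limit, self.w = in_params, out_params, limit, weight
        self.q = deque()       # queued packets; True = in-profile (A-bit set)
        self.a_cnt = 0         # in-profile packets currently queued
        self.avg_in = 0.0      # EWMA of in-profile occupancy
        self.avg_total = 0.0   # EWMA of total occupancy
        self.rng = random.Random(seed)
        self.dropped = {"in": 0, "out": 0}

    def enqueue(self, in_profile):
        """Apply the RED test for this packet's class; return True if queued."""
        self.avg_total = (1 - self.w) * self.avg_total + self.w * len(self.q)
        if in_profile:
            self.avg_in = (1 - self.w) * self.avg_in + self.w * self.a_cnt
            p = red_drop_probability(self.avg_in, self.in_p)
        else:
            p = red_drop_probability(self.avg_total, self.out_p)
        if len(self.q) >= self.limit or self.rng.random() < p:
            self.dropped["in" if in_profile else "out"] += 1
            return False
        self.q.append(in_profile)
        self.a_cnt += int(in_profile)
        return True

    def dequeue(self):
        """Pop the head packet (single FIFO) and keep a_cnt in step."""
        if not self.q:
            return None
        pkt = self.q.popleft()
        self.a_cnt -= int(pkt)
        return pkt
```

With weight=1.0 the averages equal the instantaneous counts, which makes the behaviour easy to check by hand: five queued in-profile packets already exceed the out-of-profile max_th of 4, so the next out packet is dropped while further in packets (below their min_th of 6) are still accepted.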
Differentiated Service - 51
Provision and Configuration
Provisioning: the determination and allocation of the resources needed at various points in the network
dictates the addition or removal of resources
dictates the operating parameters
Configuration: distribution of the appropriate operating parameters to network equipment to realize the provisioning objectives.
Differentiated Service - 52
Bandwidth Broker
Agent for automatic service provisioning
can be configured with organizational policies.
keeps track of the current allocation of marked traffic.
interprets new requests to mark traffic according to policies and current allocation.
allocates bandwidth for end-to-end connections with less state and simpler trust relationships.
parcels out marked traffic allocations and sets up leaf routers.
manages messages across boundaries: adjacent regions only (bilateral, not multi-lateral)
Differentiated Service - 53
Bandwidth Broker
Operation sequence
Host sends a request to the BB: service type, target rate, max. burst, time period used
BB authenticates the credentials
Check available bandwidth
If the destination is outside the region, send a message to the “next hop” region’s BB (bilateral agreement)
Configure the appropriate leaf router
Periodically refresh the configuration (soft state)
Messages to edge devices are sent using the COPS protocol, which runs on a reliable TCP connection
Differentiated Service - 54
Bandwidth Broker
[Figure: a DS region with two bandwidth brokers (BB) communicating over an inter-domain protocol; each BB configures its edge routers via COPS; hosts send a RAR to their BB.]
* RAR: Resource Allocation Request
Differentiated Service - 55
Bandwidth Broker
[Figure: BB and edge device interaction. The edge device runs a COPS client, a DiffServ manager (classification, policing, marking, ...) and priority queuing by TOS (queue1, queue2, ..., queueN).]
1. COPS client registers with the BB
2. BB sends the configured policy to the edge device
3. BB adds/removes flow filters
4. Flows come in
5. Filter match
6. Flows go to different queues
Differentiated Service - 56
Bandwidth Broker Architecture
[Figure: BB components and interfaces: user/application interface (application server, user/host, network operator), inter-domain interface (adjacent BBs), intra-domain interface (edge routers), data repository, routing information, policy manager interface, network management interface.]
Differentiated Service - 57
Bandwidth Broker Architecture
User/Application interface: requests directly from the user/app on the end host (via GUI)
Inter-domain communication interface: negotiating SLA information between BBs in adjacent domains
Intra-domain communication interface: setting edge device parameters for QoS/policy enforcement between edge router and BB
Routing table interface: BGP routing information for inter-domain, internal routing information for intra-domain, QoS-based routing in the future
Differentiated Service - 58
Bandwidth Broker Architecture
Data Repository: data used by all components
Policy Manager interface: utilizes the complex QoS/policy management functionality in the policy manager; coordination of SLAs and network resources; provides admission control processing
Network Management interface: coordination of network provisioning and monitoring
Differentiated Service - 59
Configuration
Top-down distribution of configuration information: information is pushed in a top-down manner, from a domain’s logically centralized point of administration
Bandwidth broker
Distribution via signaling: from the edges via signaling (RSVP); supports dynamic TCA
Differentiated Service - 60
Configuration
Measurement-based configuration
less necessary for quantitative provisioning (predictable)
enhances the efficiency with which qualitative provisioning can be achieved.
Likely that measurement-based configuration for qualitative service would be used in conjunction with signalling.
Differentiated Service - 61
Multicast
Major issues
Single ingress point with multiple egress nodes
Difficult to predict in advance the amount of resources required
Dynamic membership (join and leave) is even harder
Due to the capabilities of routers and routing protocols, duplicate packets may appear on a link
May be necessary to use separate codepoints and PHBs for multicast and unicast services.
Selection of DS codepoint
Different egress nodes to different peer domains may have different SLAs and codepoints
Differentiated Service - 62
Security
Theft of service
an adversary may be able to obtain better service by modifying the DS field to codepoints indicating behaviors used for enhanced services
Denial of service
an adversary may inject packets with the DS field set to particular codepoints to cause unpredictable traffic conditioning
IPsec and tunneling
IPsec ESP does not encrypt the IP header, so the DS field remains visible to intermediate nodes
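As an added example tied to the theft-of-service and denial-of-service concerns above (not code from the slides): a boundary-node check that trusts only the codepoints the customer's TCA allows and remarks everything else to best effort, keeping a per-codepoint count so that a burst of forged marks is visible to monitoring. The policy class, helper names and the packet sample are constructed.

```python
# Added example (not from the slides): DS-field trust enforcement at a
# provider ingress. Only codepoints listed in the customer's TCA pass through;
# any other mark (an EF the customer did not buy, the 11x000 network-control
# range, unknown values) is rewritten to best effort and counted for audit.
# Class and helper names and the packet sample are constructed.

DSCP_BE, DSCP_EF = 0b000000, 0b101110

def dscp_of(tos_byte):
    """The DS field is the 6 high bits of the former TOS byte; 2 CU bits below."""
    return (tos_byte >> 2) & 0x3F

def with_dscp(tos_byte, dscp):
    """Rewrite the DSCP while leaving the two CU bits untouched."""
    return ((dscp & 0x3F) << 2) | (tos_byte & 0b11)

def is_network_control(dscp):
    """True for the 11x000 codepoints reserved for network control traffic."""
    return (dscp & 0b110111) == 0b110000

class IngressTrustPolicy:
    def __init__(self, tca_codepoints, remark_to=DSCP_BE):
        # Best effort is always acceptable; network-control marks never are,
        # even if a TCA mistakenly lists them.
        self.allowed = frozenset(tca_codepoints) | {remark_to}
        self.remark_to = remark_to
        self.remarked = {}   # dscp -> number of packets remarked, for monitoring

    def condition(self, tos_byte):
        """Return (new_tos_byte, remarked_flag) for one arriving packet."""
        dscp = dscp_of(tos_byte)
        if dscp in self.allowed and not is_network_control(dscp):
            return tos_byte, False
        self.remarked[dscp] = self.remarked.get(dscp, 0) + 1
        return with_dscp(tos_byte, self.remark_to), True

    def process(self, tos_bytes):
        """Condition a sequence of packets; returns the outgoing TOS bytes."""
        return [self.condition(b)[0] for b in tos_bytes]

    def suspicious(self, threshold):
        """Codepoints remarked more than `threshold` times, most frequent first."""
        hits = {d: n for d, n in self.remarked.items() if n > threshold}
        return sorted(hits, key=hits.get, reverse=True)
```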