Network Working Group R. Atarashi Internet-Draft Communications Research Laboratory Expires: April 1, 2002 F. Baker Cisco Systems October 2001 Reflexive DSCP Policy draft-atarashi-dscp-policy-00 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 1, 2002. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract In reviewing the specific use of the Differentiated Services Architecture for supporting the Internet Emergency Preparedness System, we found what we believe is a general issue. This is that even though a client or peer can connect to a server or peer with a predictable DSCP value, the response does not have a predictable DSCP value. We consider the issues, and recommend an approach to application policy regarding the DSCP. Atarashi & Baker Expires April 1, 2002 [Page 1] Internet-Draft Document October 2001 1. Introduction In reviewing the specific use of the Differentiated Services Architecture for supporting the Internet Emergency Preparedness System, we found what we believe is a general issue. This is that even though a client or peer can connect to a server or peer with a predictable DSCP value, the response does not have a predictable DSCP value. We consider the issues, and recommend an approach to application policy regarding the DSCP. As such, we will make specific recommendations for all applications. In doing so, we will use the language described in RFC 2119 [3]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [3]. 1.1 Problem Statement Figure 1 presents a connection being placed between two applications across a differentiated services network. . . . . . . . . . . . . . . . . . . . Client . . . . Server . . /----------/ . . /------------/ . . /---------------/. . Router -----/----- Router Router ----/----- Router . . . . . . . . . . . . . . . . . . . . . . . . . Figure 1: Connection across a network A behavior aggregate originated in part by a certain client toward a given server in a remote network may have certain application requirements, such as requiring service appropriate to an ERP application, video stream, or voice. One application may use different aggregates for different purposes, and therefore have different requirements. So the application may not be able to tell, a priori, with what DSCP it should use or respond. In addition, DSCPs have local significance in the Differentiated Services Architecture. It is possible and perhaps likely that a behavior aggregate might use different code points in different networks. Atarashi & Baker Expires April 1, 2002 [Page 2] Internet-Draft Document October 2001 2. Policy recommendations We consider that there are a number of possible approaches to this issue. The simplest, which we fear is currently standard in Differentiated Services hosts, is to simply select a default value, such as "always make TCP applications use AF11". For some applications, such as voice (EF), this approach is appropriate, but for many it is not. 2.1 Default DSCP policy in a responder When a system accepts sessions initiated from another system, and there is no specific local policy, the responder SHOULD use the same DSCP Group as its request. Thus, if a TCP SYN arrives using any of AF11, AF12, or AF13, the TCP SYN-ACK and subsequent messages SHOULD use AF11 as the DSCP. When in doubt as to the set of DSCP code points comprising a DSCP Group, it SHOULD respond with exactly the same DSCP. There has been interest of late in changing the quality of service behavior for different portions of the same session, such as on a per-URL basis. The requester could initiate this. Thus, if the DSCP received on one TCP segment differs from the TCP used on a prior TCP segment in a session, the new DSCP SHOULD be reflected unless local policy prevents this. One way to implement this requires the receiving transport (TCP, SCTP, etc) to save the received DSCP and use an API to determine the correct responding DSCP from a configuration file. The configuration file lists the 64 possible DSCP values and the correct response. In most cases, the two SHOULD be the same, but the twelve AFxy code points map to AFx1. Local policy MAY update this mapping. 2.2 Application-directed DSCP policy The originator of a session, which is to say the application that opens it, SHOULD normally select the DSCP value used. This, of course, needs to be consistent with local network policy, and may be dictated entirely by that policy. The application would do this through an API, ideally one that maps the application to a DSCP value through local administrative policy. Thus, the API could set the DSCP for signaling of voice calls to a specific value, such as AF31. It would be better, though, if the API were to set it to a key word such as "VoiceSignaling" or "DatabaseAccess", and enable the network administration to interpret the key word to an appropriate code point. One way to implement this would be for the API code to look the key word up in a file or an Atarashi & Baker Expires April 1, 2002 [Page 3] Internet-Draft Document October 2001 LDAP Policy. It is possible for the responding application to use this same API. For example, separate policies might apply to database records of one type and database records of another type, something that only the database access application could determine. It is also possible for the application exchange to communicate a desired DSCP, and the responding application to use the API accordingly. In such a case, the application exchange MUST specify the key word rather than the specific DSCP, as it cannot know the applicable policy in the responder's network. Atarashi & Baker Expires April 1, 2002 [Page 4] Internet-Draft Document October 2001 3. Security Considerations This document discusses policy, and describes a recommended default policy, for the use of a Differentiated Services Code Point by transports and applications. If implemented as described, it should ask the network to do nothing that the network has not already allowed. If that is the case, no new security issues should arise from the use of such a policy. It is possible, however, for the policy to be applied incorrectly, or for another policy to be applied, which would be incorrect in the network. In that case, a policy issue exists which the network must detect, assess, and deal with. This is a known security issue in any network dependent on policy-directed behavior. Atarashi & Baker Expires April 1, 2002 [Page 5] Internet-Draft Document October 2001 4. Acknowledgements The authors would like to thank Hiroyuki Ohno, Toshio Shimojo, Shigeru Miyake and Yoshifumi Atarashi for their suggestions. Atarashi & Baker Expires April 1, 2002 [Page 6] Internet-Draft Document October 2001 References [1] "International Emergency Preparedness Scheme", ITU E.106, March 2000. [2] "Service Description for an International Emergency Multimedia Service (Draft)", ITU-T F.706, August 2001. [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [4] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998. [5] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. and W. Weiss, "An Architecture for Differentiated Services", RFC 2475, December 1998. [6] Heinanen, J., Baker, F., Weiss, W. and J. Wroclawski, "Assured Forwarding PHB Group", RFC 2597, June 1999. [7] Bernet, Y., Ford, P., Yavatkar, R., Baker, F., Zhang, L., Speer, M., Braden, R., Davie, B., Wroclawski, J. and E. Felstaine, "A Framework for Integrated Services Operation over Diffserv Networks", RFC 2998, November 2000. Authors' Addresses Rei S. Atarashi Communications Research Laboratory 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 JP Phone: +81-42-327-6243 Fax: +81-42-327-9041 EMail: ray@crl.go.jp Atarashi & Baker Expires April 1, 2002 [Page 7] Internet-Draft Document October 2001 Fred Baker Cisco Systems 1121 Via Del Rey Santa Barbara, CA 93117 US Phone: +1-408-526-4257 Fax: +1-413-473-2403 EMail: fred@cisco.com Atarashi & Baker Expires April 1, 2002 [Page 8] Internet-Draft Document October 2001 Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Atarashi & Baker Expires April 1, 2002 [Page 9]