TSVWG B. Briscoe Internet Draft P. Eardley draft-briscoe-tsvwg-cl-architecture-01.txt D. Songhurst Expires: April 2006 BT F. Le Faucheur A. Charny Cisco Systems, Inc J. Barbiaz K. Chan Nortel October 24, 2005 A Framework for Admission Control over DiffServ using Pre-Congestion Notification draft-briscoe-tsvwg-cl-architecture-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on May 24, 2006. Briscoe Expires April 24, 2006 [Page 1] Internet-Draft Controlled Load architecture October 2005 Copyright Notice Copyright (C) The Internet Society (2005). All Rights Reserved. Abstract This document describes a framework to achieve an end-to-end Controlled Load (CL) service without the scalability problems of previous approaches. Flow admission control and if necessary flow pre-emption preserve the CL service to admitted flows. But interior routers within a large DiffServ-based region of the Internet do not require flow state or signalling. They only have to give early warning of their own congestion by bulk packet marking using a new pre-congestion notification behaviour. Gateways around the edges of the region convert measurements of this packet granularity marking into admission control and pre-emption functions at flow granularity. Authors' Note (TO BE DELETED BY THE RFC EDITOR UPON PUBLICATION) This document is posted as an Internet-Draft with the intention of eventually becoming an INFORMATIONAL RFC, rather than a standards track document. Table of Contents 1. Introduction................................................4 1.1. Summary................................................4 1.1.1. Admission control..................................5 1.1.2. Pre-emption........................................7 1.1.3. Both admission control and pre-emption.............8 1.2. Terminology............................................8 1.3. Existing terminology...................................10 1.4. Standardisation requirements...........................10 1.5. Structure of rest of the document......................10 2. Key aspects of the framework................................11 2.1. Key goals.............................................11 2.2. Key assumptions........................................12 2.3. Key benefits..........................................15 3. Architecture...............................................17 3.1. Admission control......................................17 3.1.1. Pre-Congestion Notification marking behaviour......17 3.1.2. Measurements to support admission control..........18 Briscoe Expires April 24, 2006 [Page 2] Internet-Draft Controlled Load architecture October 2005 3.1.3. How edge-to-edge admission control supports end-to-end QoS signalling..........................................19 3.1.4. Use case.........................................19 3.2. Pre-emption...........................................20 3.2.1. Alerting an ingress gateway that pre-emption may be needed..................................................20 3.2.2. Determining the right amount of CL traffic to drop.23 3.2.3. Use case for pre-emption..........................24 4. Details....................................................25 4.1. Ingress gateways.......................................26 4.2. Interior nodes........................................27 4.3. Egress gateways........................................27 4.4. Failures..............................................28 5. Potential future extensions.................................29 5.1. Multi-domain and multi-operator usage..................29 5.2. Adaptive bandwidth for the Controlled Load service......29 5.3. Controlled Load service with end-to-end Pre-Congestion Notification...............................................29 5.4. MPLS-TE...............................................30 6. Relationship to other QoS mechanisms........................30 6.1. IntServ Controlled Load................................30 6.2. Integrated services operation over DiffServ............30 6.3. Differentiated Services................................31 6.4. ECN...................................................31 6.5. RTECN.................................................31 6.6. RMD...................................................31 6.7. RSVP Aggregation over MPLS-TE..........................32 7. Security Considerations.....................................32 8. Acknowledgements...........................................33 9. Comments solicited.........................................33 10. Changes from the -00 version of this draft.................33 11. Appendixes................................................33 11.1. Appendix A: Explicit Congestion Notification..........33 11.2. Appendix B: What is distributed measurement-based admission control?...................................................35 11.3. Appendix C: Calculating the Exponentially weighted moving average (EWMA).............................................36 12. References................................................37 Authors' Addresses............................................41 Intellectual Property Statement................................42 Disclaimer of Validity........................................43 Copyright Statement...........................................43 Briscoe Expires April 24, 2006 [Page 3] Internet-Draft Controlled Load architecture October 2005 1. Introduction 1.1. Summary This document describes a framework to achieve an end-to-end controlled load service by using - within a large region of the Internet - DiffServ and edge-to-edge distributed measurement-based admission control and flow pre-emption. Controlled load service is a quality of service (QoS) closely approximating the QoS that the same flow would receive from a lightly loaded network element [RFC2211]. Controlled Load (CL) is useful for inelastic flows such as those for real-time media. In line with the "IntServ over DiffServ" framework defined in [RFC2998], the CL service is supported end-to-end and RSVP signalling [RFC2205] is used end-to-end, over an edge-to-edge DiffServ region. ___ ___ _______________________________________ ____ ___ | | | | | | | | | | | | | | |Ingress Interior Egress| | | | | | | | | |gateway nodes gateway| | | | | | | | | |-------+ +-------+ +-------+ +------| | | | | | | | | | CL- | | CL- | | CL- | | | | | | | | |..| |..|marking|..|marking|..|marking|..| Meter|..| |..| | | | | | |-------+ +-------+ +-------+ +------| | | | | | | | | | \ / | | | | | | | | | | \ / | | | | | | | | | | \ Congestion-Level-Estimate / | | | | | | | | | | \ (for admission control) / | | | | | | | | | | --<-----<----<----<-----<-- | | | | | | | | | | Sustainable-Aggregate-Rate | | | | | | | | | | (for pre-emption) | | | | | |___| |___| |_______________________________________| |____| |___| Sx Access CL-region Access Rx End Network Network End Host Host <------ edge-to-edge signalling -----> (for admission control & pre-emption) <-------------------end-to-end QoS signalling protocol---------------> Figure 1: Overall QoS architecture (NB terminology explained later) Briscoe Expires April 24, 2006 [Page 4] Internet-Draft Controlled Load architecture October 2005 In Section 1.1.1 we summarise how admission of new CL microflows is controlled so as to deliver the required QoS. In abnormal circumstances for instance a disaster affecting multiple interior nodes, then the QoS on existing CL microflows may degrade even if care was exercised when admitting those microflows before those circumstances. Therefore we also propose a mechanism (summarised in Section 1.1.2) to pre-empt some of the existing microflows. Then remaining microflows retain their expected QoS, while improved QoS is quickly restored to lower priority traffic. 1.1.1. Admission control This document describes a new admission control procedure for an edge-to-edge region, which uses a new per-hop Explicit Congestion Notification marking behaviour as a fundamental building block. In turn, an end-to-end CL service would use this as a building block within a broader QoS architecture. The per-hop, edge-to-edge and end-to-end aspects are now briefly introduced in turn. Appendix A provides a brief summary of Explicit Congestion Notification (ECN) [RFC3168]. It specifies that a router sets the ECN field to the Congestion Experienced (CE) value as a warning of incipient congestion. RFC3168 doesn't specify a particular algorithm for setting the CE codepoint, although RED (Random Early Detection) is expected to be used. We introduce a new algorithm in this document, called Pre-Congestion Notification. It aims to set the CE codepoint before there is any significant build-up of CL packets in the queue, but as an "early warning" when the amount of packets flowing is getting close to the engineered capacity. Hence it can be used with per-hop behaviours (PHBs) designed to operate with very low queue occupancy. Note that our use of the ECN field operates across the CL-region, i.e. edge-to-edge, and not host-to-host as in [RFC3168]. This framework assumes that the Pre-Congestion Notification behaviour is used in a controlled environment, i.e. within the controlled edge- to-edge region. Within the controlled edge-to-edge region, a particular packet receives the Pre-Congestion Notification behaviour if the packet's header fulfils two conditions: its DSCP (differentiated services codepoint) corresponds to the PHB for CL traffic, and also its ECN field indicates ECN Capable Transport (ECT). Briscoe Expires April 24, 2006 [Page 5] Internet-Draft Controlled Load architecture October 2005 Turning next to the edge-to-edge aspect. All nodes within a region of the Internet, which we call the CL-region, apply the PHB used for CL traffic and the Pre-Congestion Notification behaviour. Traffic must enter/leave the CL-region through ingress/egress gateways, which have special functionality. Typically the CL-region is the core or backbone of an operator. The CL service is achieved "edge-to-edge" across the CL-region, by using distributed measurement-based admission control: the decision whether to admit a new microflow depends on a measurement of the existing traffic between the same pair of ingress and egress gateways (i.e. the same pair as the prospective new microflow). (See Appendix B for further discussion on "What is distributed measurement-based admission control?") As CL packets travel across the CL-region, nodes will set the CE codepoint (according to the Pre-Congestion Notification algorithm) as an "early warning" of potential congestion, i.e. before there is any significant build-up of CL packets in the queue. For traffic from each remote ingress gateway, the CL-region's egress gateway measures the fraction of CL traffic for which the CE codepoint is set. The egress gateway calculates the value on a per bit basis as an exponentially weighted moving average (which we term Congestion- Level-Estimate). Then reports it to the CL-region's ingress gateway piggy-backed on the signalling for a new flow. The ingress gateway only admits the new CL microflow if the Congestion-Level-Estimate is less than a threshold value. Hence previously accepted CL microflows will suffer minimal queuing delay, jitter and loss. In turn, the edge-to-edge architecture is a building block in delivering an end-to-end CL service. The approach is similar to that described in [RFC2998] for Integrated services operation over DiffServ networks. Like [RFC2998], an IntServ class (CL in our case) is achieved end-to-end, with a CL-region viewed as a single reservation hop in the total end-to-end path. Interior nodes of the CL-region do not process flow signalling nor do they hold state. We assume that the end-to-end signalling mechanism is RSVP (Section 2.2). However, the RSVP signalling may itself be originated or terminated by proxies still closer to the edge of the network, such as home hubs or the like, triggered in turn by application layer signalling. [RFC2998] and our approach are compared further in Section 6.2. An important benefit compared with the IntServ over DiffServ model [RFC2998] arises from the fact that the load is controlled dynamically rather than with the traffic conditioning agreements (TCAs). TCAs were originally introduced in the (informational) DiffServ architecture [RFC2475] as an alternative to reservation processing in the interior region in order to reduce the burden on Briscoe Expires April 24, 2006 [Page 6] Internet-Draft Controlled Load architecture October 2005 interior nodes. With TCAs, in practice service providers rely on subscription-time Service Level Agreements that statically define the parameters of the traffic that will be accepted from a customer. The problem arises because the TCA at the ingress must allow any destination address, if it is to remain scalable. But for longer topologies, the chances increase that traffic will focus on an interior resource, even though it is within contract at the ingress [Reid], e.g. all flows converge on the same egress gateway. Even though networks can be engineered to make such failures rare, when they occur all inelastic flows through the congested resource fail catastrophically. Distributed measurement-based admission control avoids reservation processing (whether per flow or aggregated) on interior nodes but flows are still blocked dynamically in response to actual congestion on any interior node. Hence there is no need for accurate or conservative prediction of the traffic matrix. 1.1.2. Pre-emption An essential QoS issue in core and backbone networks is being able to cope with failures of nodes and links. The consequent re-routing can cause severe congestion on some links and hence degrade the QoS experienced by on-going microflows and other, lower priority traffic. Even when the network is engineered to sustain a single link failure, multiple link failures (e.g. due to a fibre cut or a node failure, or a natural disaster) can cause violation of capacity constraints and resulting QoS failures. Our solution uses rate-based pre-emption, so that sufficient of the previously admitted CL microflows are dropped to ensure that the remaining ones again receive QoS commensurate with the CL service and at least some QoS is quickly restored to other traffic classes. The solution has two aspects. First, triggering the ingress gateway to test whether pre-emption may be needed. This involves an optional new router marking behaviour for Pre-emption Alert. Secondly, calculating the right amount of traffic to drop. This involves the egress gateway measuring, and reporting to the ingress gateway, the current amount of CL traffic received from that particular ingress gateway. The ingress gateway compares this measurement (which is the amount that the network can actually support, and which we thus call the Sustainable-Aggregate-Rate) with the rate that it is sending and hence determines how much traffic needs to be pre-empted. Briscoe Expires April 24, 2006 [Page 7] Internet-Draft Controlled Load architecture October 2005 The solution operates within a little over one round trip time - the time required for microflow packets that have experienced Pre-emption Alert marking to travel downstream through the CL-region and arrive at the egress gateway, plus some additional time for the egress gateway to measure the rate seen after it has been alerted that pre- emption may be needed, and the time for the egress gateway to report this information to the ingress gateway. 1.1.3. Both admission control and pre-emption This document describes both the admission control and pre-emption mechanisms, and we suggest that an operator uses both. However, we do not require this and some operators may want to implement only one. For example, an operator could use just admission control, solving heavy congestion (caused by re-routing) by 'just waiting' - as sessions end, existing microflows naturally depart from the system over time, and the admission control mechanism will prevent admission of new microflows that use the affected links. So the CL-region will naturally return to normal controlled load service, but with reduced capacity. The drawback of this approach would be that until flows naturally depart to relieve the congestion, all flows and lower priority services will be adversely affected. As another example, an operator could use just admission control, avoiding heavy congestion (caused by re-routing) by 'capacity planning' - by configuring admission control thresholds to lower levels than the network could accept in normal situations such that the load after failure is expected to stay below acceptable levels even with reduced network resources. On the other hand, an operator could just rely for admission control on the traffic conditioning agreements of the DiffServ architecture [RFC2475]. The pre-emption mechanism described in this document would be used to counteract the problem described at the end of Section 1.1.1. 1.2. Terminology o Ingress gateway: node at an ingress to the CL-region. A CL-region may have several ingress gateways. o Egress gateway: node at an egress from the CL-region. A CL-region may have several egress gateways. Briscoe Expires April 24, 2006 [Page 8] Internet-Draft Controlled Load architecture October 2005 o Interior node: a node which is part of the CL-region, but isn't an ingress or egress node. o CL-region: A region of the Internet in which all traffic enters/leaves through an ingress/egress gateway and all nodes run the Pre-Congestion Notification and Pre-emption Alert behaviours. A CL-region is a DiffServ region (a DiffServ region is either a single DiffServ domain or set of contiguous DiffServ domains), but note that the CL-region does not use the traffic conditioning agreements (TCAs) of the (informational) DiffServ architecture. o CL-region-aggregate: all the microflows between a specific pair of ingress and egress gateways. Note there is no identifier unique to the aggregate. o Pre-Congestion Notification: a new algorithm for deciding whether to set the ECN CE codepoint (Explicit Congestion Notification Congestion Experienced), for use by all routers in the CL-region. A router sets the CE codepoint as an "early warning" that the load is nearing the engineered admission control capacity, before there is any significant build-up of CL packets in the queue. o Inverse-token-bucket: a token bucket for which tokens are added when packets are queued for transmission on the corresponding link and consumed at a fixed rate. This is the inverse of a normal token bucket. o Pre-emption Alert: a new router marking behaviour, for use by either all or none of the routers in the CL-region. A router re- marks a packet to Re-marked-CL to warn explicitly that pre-emption may be needed. o Congestion-Level-Estimate: the number of bits in CL packets that have the CE codepoint set, divided by the number of bits in all CL packets. It is calculated as an exponentially weighted moving average. It is calculated by an egress gateway for the CL packets from a particular ingress gateway, i.e. there is a Congestion- Level-Estimate for each CL-region-aggregate. o Sustainable-Aggregate-Rate: the rate of traffic that the network can actually support for a specific CL-region-aggregate. So it is measured by an egress gateway for the CL packets from a particular ingress gateway. Briscoe Expires April 24, 2006 [Page 9] Internet-Draft Controlled Load architecture October 2005 1.3. Existing terminology This is a placeholder for useful terminology that is defined elsewhere. 1.4. Standardisation requirements The framework described in this document has two new standardisation requirements: o new Pre-Congestion Notification and Pre-emption Alert marking behaviours are required, as detailed in [CL-marking]. o the end-to-end signalling protocol needs to be modified to carry the Congestion-Level-Estimate report (for admission control) and the Sustainable-Aggregate-Rate (for pre-emption). With our assumption of RSVP (Section 2.2) as the end-to-end signalling protocol, it means that extensions to RSVP are required, as detailed in [RSVP-ECN], for example to carry the Congestion-Level- Estimate and Sustainable-Aggregate-Rate information from egress gateway to ingress gateway. We are discussing whether the PHB used by CL traffic should be a new PHB (indicated by a new DSCP) or whether the Expedited Forwarding (EF) PHB can be used with the addition of the required ECN marking behaviour. Other than these things, the arrangement uses existing IETF protocols throughout, although not in their usual architecture. 1.5. Structure of rest of the document Section 2 describes some key aspects of the framework: our goals, assumptions and the benefits we believe it has. Section 3 describes the architecture (including a use case), whilst Section 4 summarises the required changes to the various nodes in the CL-region. Section 5 outlines some possible extensions. Section 6 provides some comparison with existing QoS mechanisms. Briscoe Expires April 24, 2006 [Page 10] Internet-Draft Controlled Load architecture October 2005 2. Key aspects of the framework In this section we discuss the key aspects of the framework: o At a high level, our key goals, i.e. the functionality that we want to achieve o The assumptions that we're prepared to make o The consequent benefits they bring 2.1. Key goals The framework achieves an end-to-end controlled load (CL) service where a segment of the end-to-end path is an edge-to-edge Pre- Congestion Notification region. CL is a quality of service (QoS) closely approximating the QoS that the same flow would receive from a lightly loaded network element [RFC2211]. It is useful for inelastic flows such as those for real-time media. o The CL service should be achieved despite varying load levels of other sorts of traffic, which may or may not be rate adaptive (i.e. responsive to packet drops or ECN marks). o The CL service should be supported for a variety of possible CL sources: Constant Bit Rate (CBR), Variable Bit Rate (VBR) and voice with silence suppression. VBR is the most challenging to support. o After a localised failure in the interior of the CL-region causing heavy congestion, the CL service should recover gracefully by pre- empting (dropping) some of the admitted CL microflows, whilst preserving as many of them as possible with their full CL QoS. o It is suggested that pre-emption needs to be completed within 1-2 seconds, because it is estimated that after a few seconds then many affected users will start to hang up (and then not only is a pre-emption mechanism redundant and possibly even counter- productive, but also many more flows than necessary to reduce congestion may hang up). Also, other, lower priority traffic classes will not be restored to partial service until the higher priority CL service reduces its load on shared links. Briscoe Expires April 24, 2006 [Page 11] Internet-Draft Controlled Load architecture October 2005 o The CL service should support emergency services ([EMERG-RQTS], [EMERG-TEL]) as well as the Assured Service which is the IP implementation of the existing ITU-T/NATO/DoD telephone system architecture known as Multi-Level Pre-emption and Precedence [ITU.MLPP.1990] [ANSI.MLPP.Spec][ANSI.MLPP.Supplement], or MLPP. In particular, this involves admitting new high priority sessions even when admission control thresholds are reached and new routine sessions are rejected. Similarly, this involves taking into account session priorities and properties at the time of pre- empting calls. 2.2. Key assumptions The framework does not try to deliver the above functionality in all scenarios. We make the following assumptions about the type of scenario to be solved. o Edge-to-edge: all the nodes in the CL-region are upgraded with the Pre-Congestion Notification and Pre-emption Alert mechanisms, and all the ingress and egress gateways are upgraded to perform the measurement-based admission control and pre-emption. Note that although the upgrades required are edge-to-edge, the CL service is provided end-to-end. o Additional load: we assume that any additional load offered within the reaction time of the admission control mechanism doesn't move the CL-region directly from no congestion to overload. So it assumes there will always be an intermediate stage where some CL packets have their CE codepoint set, but they are still delivered without significant QoS degradation. We believe this is valid for core and backbone networks with typical call arrival patterns (given the reaction time is little more than one round trip time across the CL-region), but is unlikely to be valid in access networks where the granularity of an individual call becomes significant. o Aggregation: we assume that in normal operations, there are many CL microflows within the CL-region, typically at least hundreds between any pair of ingress and egress gateways. The implication is that the solution is targeted at core and backbone networks and possibly parts of large access networks. Briscoe Expires April 24, 2006 [Page 12] Internet-Draft Controlled Load architecture October 2005 o Trust: we assume that there is trust between all the nodes in the CL-region. For example, this trust model is satisfied if one operator runs the whole of the CL-region. But we make no such assumptions about the end nodes, i.e. depending on the scenario they may be trusted or untrusted by the CL-region. o Signalling: we assume that the end-to-end signalling protocol is RSVP. Section 3 describes how the CL-region fits into such an end- to-end QoS scenario, whilst [RSVP-ECN] describes the extensions to RSVP that are required. o Separation: we assume that all nodes within the CL-region are upgraded with the CL mechanism, so the requirements of [Floyd] are met because the CL-region is an enclosed environment. Also, an operator separates CL-traffic in the CL-region from outside traffic by administrative configuration of the ring of gateways around the region. Within the CL-region we assume that the CL- traffic is separated from non-CL traffic. o Routing: we assume that one of the following applies: (same path) all packets between a pair of ingress and egress gateways follow the same path. This ensures that the Congestion- Level-Estimate used in the admission control procedure reflects the status of the path followed by the new flow's packets (load balanced) packets between a pair of ingress and egress gateways follow different paths but that the load balancing scheme is tuned in the CL-region to distribute load such that the different paths always receive comparable relative load. This ensures that the Congestion-Level-Estimate used in the admission control procedure (and which is computed taking into account packets travelling on all the paths) also approximately reflects the status of the actual path followed by the new microflow's packets (worst case assumed) packets between a pair of ingress and egress gateways follow different paths but that (i) it is acceptable for the operator to keep the CL traffic between this pair of gateways to a level dictated by the most loaded of all paths between this pair of gateways (so that CL traffic may be rejected - or even pre-empted in some situations - even if one or more of the paths between the pair of gateways is operating below its engineered levels) and that (ii) it is acceptable for that operator to configure engineered levels below optimum levels to compensate for the fact that the effect on the Congestion-Level-Estimate of the congestion experienced over one Briscoe Expires April 24, 2006 [Page 13] Internet-Draft Controlled Load architecture October 2005 of the paths may be diluted by traffic received over non- congested paths so that lower thresholds need to be used in these cases to ensure early admission control rejection and pre- emption over the congested paths. We are investigating ways of loosening the restrictions set by some of these assumptions, for instance: o Trust: to allow the CL-region to span multiple, non-trusting operators, using the technique of [Re-feedback] [Re-ECN] and mentioned in Section 5.1. o Signalling: we believe that the solution could operate with another signalling protocol such as NSIS. We would very much welcome input / collaboration with the NSIS community in order to carry out similar work as done for RSVP. It could also work with application level signalling as suggested in [RT-ECN]. o Additional load: we believe that the assumption is valid for core and backbone networks, with an appropriate margin between the inverse-token-bucket's token rate and the configured rate for CL traffic. However, in principle a burst of admission requests can occur in a short time. We expect this to be a rare event under normal conditions, but it could happen e.g.. due to a 'flash crowd'. If it does, then more flows may be admitted than should be, triggering the pre-emption mechanisms., To avoid the need for pre-emption, 'call gapping' could be used at the egress (i.e. the egress gateway paces out the admission of microflows). o Separation: the assumption that CL traffic is separated from non- CL traffic implies that the CL traffic has its own PHB, not shared with other traffic. We are looking at whether it could share Expedited Forwarding's PHB, but supplemented with the new Pre- Congestion Notification and Pre-emption Alert marking behaviours. If this is possible, other PHBs (like Assured Forwarding) could be supplemented with the same new behaviours. This is similar to how RFC3168 ECN was defined to supplement any PHB. o Routing: we are looking in greater detail at the solution in the presence of Equal Cost Multi-Path routing and at suitable enhancements. Briscoe Expires April 24, 2006 [Page 14] Internet-Draft Controlled Load architecture October 2005 2.3. Key benefits We believe that the mechanism described in this document has several advantages: o It achieves statistical guarantees of quality of service for microflows, delivering a very low delay, jitter and packet loss service suitable for applications like voice and video calls that generate real time inelastic traffic. This is because of its per microflow admission control scheme, combined with its dynamic on- path "early warning" of potential congestion. The guarantee is at least as strong as with IntServ Controlled Load (Section 6.1 mentions why the guarantee may be somewhat better), but without the scalability problems of per-microflow IntServ. o It can support "Emergency" and military Multi-Level Pre-emption and Priority services, even in times of heavy congestion (perhaps caused by failure of a node within the CL-region), by pre-empting on-going "ordinary CL microflows". o It scales well, because there is no signal processing or path state held by the interior nodes of the CL-region. o It is resilient, again because no state is held by the interior nodes of the CL-region. Hence during an interior routing change caused by a node failure no microflow state has to be relocated. The pre-emption mechanism further helps resilience because it rapidly reduces the load to one that the CL-region can support. o It helps preserve, through the pre-emption mechanism, QoS to as many microflows as possible and to lower priority traffic in times of heavy congestion (e.g.. caused by failure of an interior node). Otherwise long-lived microflows could cause loss on all CL microflows for a long time. o It avoids the potential catastrophic failure problem when the DiffServ architecture is used in large networks using statically provisioned capacity. This is achieved by controlling the load dynamically based on edge-to-edge-path real-time measurement of Pre-Congestion Notification, as discussed in Section 1.1.1. o It requires minimal new standardisation, because it reuses existing QoS protocols and algorithms. Briscoe Expires April 24, 2006 [Page 15] Internet-Draft Controlled Load architecture October 2005 o It can be deployed incrementally, region by region or network by network. Not all the regions or networks on the end-to-end path need to have it deployed. Two CL-regions can even be separated by a network that uses another QoS mechanism (e.g. MPLS-TE). o It provides a deployment path for use of ECN for real-time applications. Operators can gain experience of ECN before its applicability to end-systems is understood and end terminals are ECN capable. Briscoe Expires April 24, 2006 [Page 16] Internet-Draft Controlled Load architecture October 2005 3. Architecture 3.1. Admission control In this section we describe the admission control mechanism. We discuss the three pieces of the solution and then give an example of how they fit together in a use case: o the new Pre-Congestion Notification marking behaviour used by all nodes in the CL-region o how the measurements made support our admission control mechanism o how the edge to edge mechanism fits into the end to end RSVP signalling 3.1.1. Pre-Congestion Notification marking behaviour To support our admission control mechanism, each node in the CL- region runs an algorithm to determine whether to set the CE codepoint of a particular CL packet. Each link in the CL-region has a fixed rate (bandwidth) reflecting the engineered admission control capacity for CL traffic, under the control of management configuration. In order to make the description more specific we assume a bulk 'inverse-token-bucket' is used on each link; other implementations are possible. Tokens are added to our inverse-token-bucket when packets are queued for transmission on the corresponding link, and are consumed at a fixed rate that is slower than the configured rate. This means that the amount of tokens starts to increase before the actual queue builds up, but when it is in danger of doing so soon; hence it can be used as an "early warning" that the engineered capacity is nearly reached. The probability that a node sets the CE codepoint of a CL packet depends on the number of tokens in the inverse-token-bucket. Below one threshold value of the number of tokens no packets have their CE codepoint set and above the second they all do; in between, the probability increases linearly. Note that the same inverse-token-bucket is used for all the CL packets on that link, i.e. it operates in bulk on the CL behaviour aggregate and not per microflow. The algorithm is detailed in [CL- marking]. Briscoe Expires April 24, 2006 [Page 17] Internet-Draft Controlled Load architecture October 2005 Probability of setting ^ CE codepoint | | 1_| _______________ | / | / | / | / | / | / | / | / | / 0_|___________/ | -----------|---------|--------------> min- max- Amount of tokens in threshold threshold inverse-token-bucket Figure 2: Setting the Congestion Experienced Codepoint How does a node know that it should apply the new Pre-Congestion Notification marking behaviour? A CL packet is indicated by a combination of three things: the node itself is in the CL-region so it is configured with a behaviour for CL packets; the ECN codepoint is set to ECN-Capable Transport (ECT); and the DSCP is set to the value configured for the CL behaviour aggregate in the CL-region. On the third point, we are currently considering whether the PHB used by CL traffic should be a new PHB (indicated by a new DSCP) or whether the Expedited Forwarding (EF) PHB can be used. 3.1.2. Measurements to support admission control To support our admission control mechanism the egress measures the Congestion-Level-Estimate for traffic from each remote ingress gateway, i.e. per CL-region-aggregate. The Congestion-Level-Estimate is the number of bits in CL packets that have the CE codepoint set, divided by the number of bits in all CL packets. It is calculated as an exponentially weighted moving average. It is calculated by an egress node separately for the CL packets from each particular ingress node. This Congestion-Level-Estimate provides an estimate of how near the links on the path inside the CL-region are getting to the engineered admission control capacity. Note that the metering is Briscoe Expires April 24, 2006 [Page 18] Internet-Draft Controlled Load architecture October 2005 done separately per ingress node, because there may be sufficient capacity on all the nodes on the path between one ingress gateway and a particular egress, but not from a second ingress to that same egress gateway. 3.1.3. How edge-to-edge admission control supports end-to-end QoS signalling Consider a scenario that consists of two end hosts, each connected to their own access networks, which are linked by the CL-region. A source tries to set up a new CL microflow by sending an RSVP PATH message, and the receiving end host replies with an RSVP RESV message. Outside the CL-region some other method, for instance IntServ, is used to provide QoS. From the perspective of RSVP the CL- region is a single hop, so the RSVP PATH and RESV messages are processed by the ingress and egress gateways but are carried transparently across all the interior nodes; hence, the ingress and egress gateways hold per microflow state, whilst no state is kept by the interior nodes. So far this is as in IntServ over DiffServ [RFC2998]. However, in order to support our admission control mechanism, the egress gateway adds to the RESV message an opaque object which states the current Congestion-Level-Estimate for the relevant CL-region-aggregate. Details of the corresponding RSVP extensions are described in [RSVP-ECN]. 3.1.4. Use case To see how the three pieces of the solution fit together, we imagine a scenario where some microflows are already in place between a given pair of ingress and egress gateways, but the traffic load is such that no packets from these flows have their CE codepoint set as they travel across the CL-region. A source wanting to start a new CL microflow sends an RSVP PATH message. The egress gateway adds an object to the RESV message with the Congestion-Level-Estimate, which is zero. The ingress gateway sees this and consequently admits the new flow. It then forwards the RSVP RESV message upstream towards the source end host. Hence, assuming there's sufficient capacity in the access networks, the new microflow is admitted end-to-end. The source now sends CL packets, which arrive at the ingress gateway. The ingress uses a five-tuple filter to identify that the packets are part of a previously admitted CL microflow, and it also polices the microflow to ensure it remains within its traffic profile. (The ingress has learnt the required information from the RSVP messages). When forwarding a packet belonging to an admitted microflow, the ingress sets the packet's DSCP to that for the CL-traffic in the CL- region and the packet's ECN field to ECT, so that the interior nodes Briscoe Expires April 24, 2006 [Page 19] Internet-Draft Controlled Load architecture October 2005 know this is a CL packet. The CL packet now travels across the CL- region, with the CE codepoint getting set if necessary. Also, appropriate queue scheduling is needed in each node to ensure that CL traffic gets its configured bandwidth. Next, we imagine the same scenario but at a later time when load is higher at one (or more) of the interior nodes, which start to set the CE codepoint of CL packets because their arrival rate is nearing the configured rate. The next time a source tries to set up a CL microflow, the ingress gateway learns (from the egress) the relevant Congestion-Level-Estimate. If it is greater than some threshold value then the ingress refuses the request, otherwise it is accepted. It is also possible for an egress gateway to get a RSVP RESV message and not know what the Congestion-Level-Estimate is. For example, if there are no CL microflows at present between the relevant ingress and egress gateways. In this case the egress requests the ingress to send probe packets, from which it can initialise its meter. RSVP Extensions for such a request to send probe data can be found in [RSVP-ECN]. 3.2. Pre-emption In this section we describe the pre-emption mechanism. We discuss the two parts of the solution and then give an example of how they fit together in a use case: o How an ingress gateway is triggered to test whether pre-emption may be needed o How an ingress gateway determines the right amount of CL traffic to drop The mechanism is defined in [CL-marking] and [RSVP-ECN]. 3.2.1. Alerting an ingress gateway that pre-emption may be needed Alerting an ingress gateway that pre-emption may be needed is a two stage process: a router in the CL-region alerts an egress gateway that pre-emption may be needed; in turn the egress gateway alerts the relevant ingress gateway. Every router in the CL-region has the ability to alert egress gateways, which may be done either explicitly or implicitly: Briscoe Expires April 24, 2006 [Page 20] Internet-Draft Controlled Load architecture October 2005 o Explicit - every link in the CL-region has a configured traffic rate, which is a threshold above which it re-marks exceeding CL packets to Re-marked-CL. Reception of such a packet by the egress gateway acts as a Pre-emption Alert. Encoding of Re-marked-CL is under discussion (a new DSCP or leaving the DSCP unchanged and setting a new ECN codepoint). Note that the explicit mechanism only makes sense if all the routers in the CL-region have the functionality so that the egress gateways can rely on the explicit mechanism. Otherwise there is the danger that the traffic happens to focus on a router without it, and egress gateways then have to also watch for implicit pre-emption alerts. o Implicit - the router behaviour is unchanged from the Pre- Congestion marking behaviour described in the admission control section. The egress gateway treats a Congestion-Level-Estimate of (almost) 100% as an implicit alert that pre-emption may be required. ('Almost' because the Congestion-Level-Estimate is a moving average, so can never reach exactly 100%.) Probability of re-marking ^ CL packet to | Re-marked-CL | packet 1_| ______________ | | | | | | | | | | | | | | | | | | 0_|___________| | -----------|--------------> threshold CL traffic rate Figure 3: Re-marking CL packets to Re-marked-CL packets for explicit Pre-emption Alert Briscoe Expires April 24, 2006 [Page 21] Internet-Draft Controlled Load architecture October 2005 When one or more packets in a CL-region-aggregate alert the egress gateway of the need for pre-emption, whether explicitly or implicitly, the egress puts that CL-region-aggregate into Pre-emption Alert state. For each CL-region-aggregate in alert state it measures the rate of traffic at the egress gateway (i.e. the traffic rate of the appropriate CL-region-aggregate) and reports this to the relevant ingress gateway. The steps are: o Determine the relevant ingress gateway - for the explicit case the egress gateway examines the Re-marked-CL packet (resulting from Pre-emption Alert marking) and uses the state installed at the time of admission to determine which ingress gateway the packet came from. For the implicit case the egress gateway has already determined this information, because the Congestion-Level-Estimate is calculated per ingress gateway. o Measure the traffic rate of CL packets - as soon as the egress gateway is alerted (whether explicitly or implicitly) it measures the rate of CL traffic from this ingress gateway (i.e. for this CL-region-aggregate). Note that Re-marked-CL packets are excluded from that measurement. It should make its measurement quickly and accurately, but exactly how is up to the implementation. o Alert the ingress gateway - the egress gateway then immediately alerts the relevant ingress gateway about the fact that pre- emption may be required. This Alert message also includes the measured Sustainable-Aggregate-Rate, i.e. the egress rate of CL- traffic for this ingress gateway. The Alert message is sent using reliable delivery. Procedures for support of such an Alert using RSVP are defined in [RSVP-ECN]. ______________ / \ ________________ | | / \ | | CL packet |Update | / Is it a \ Y |Measure CL rate | arrives --->|Congestion- |--->/Re-marked-CL \--->|from ingress and| |Level-Estimate| \ packet? / |alert ingress | |______________| \ / |________________| \ / \ / Figure 4: Egress gateway action for explicit Pre-emption Alert Briscoe Expires April 24, 2006 [Page 22] Internet-Draft Controlled Load architecture October 2005 ______________ / \ ________________ | | / \ | | CL packet |Update | / C-L-E \ Y |Measure CL rate | arrives --->|Congestion- |--->/ threshold \--->|from ingress and| |Level-Estimate| \ exceeded? / |alert ingress | |______________| \ / |________________| \ / \ / Figure 5: Egress gateway action for implicit Pre-emption Alert 3.2.2. Determining the right amount of CL traffic to drop The method relies on the insight that the amount of CL traffic that can be supported between a particular pair of ingress and egress gateways, is the amount of CL traffic that is actually getting across the CL-region to the egress gateway without being re-marked to Re- marked-CL. Hence we term it the Sustainable-Aggregate-Rate. So when the ingress gateway gets the Alert message from an egress gateway, it compares: o The traffic rate that it is sending to this particular egress gateway (which we term ingress-rate) o The traffic rate that the egress gateway reports (in the Alert message) that it is receiving from this ingress gateway (which is the Sustainable-Aggregate-Rate) If the difference is significant, then the ingress gateway pre-empts some microflows. It only pre-empts if: Ingress-rate > Sustainable-Aggregate-Rate + error The "error" term is partially to allow for inaccuracies in the measurements of the rates. It is also needed because the ingress-rate is measured at a slightly later moment than the Sustainable- Aggregate-Rate, and it is quite possible that the ingress-rate has increased in the interim due to natural variation of the bit rate of the CL sources. So the "error" term allows for some variation in the ingress rate without triggering pre-emption. Briscoe Expires April 24, 2006 [Page 23] Internet-Draft Controlled Load architecture October 2005 The ingress gateway should pre-empt enough microflows to ensure that: New ingress-rate < Sustainable-Aggregate-Rate - error The "error" term here is used for similar reasons but in the other direction, to ensure slightly more load is shed than seems necessary, in case the two measurements were taken during a short-term fall in load. When the routers in the CL-region are using explicit pre-emption alerting, the ingress gateway would normally pre-empt microflows whenever it gets an alert (it always would if it were possible to set "error" equal to zero). For the implicit case however this is not so. It receives an Alert message when the Congestion-Level-Estimate reaches (almost) 100%, which is roughly when traffic exceeds the amount allocated for admission control of CL traffic at routers. However, it is only when packets are indeed dropped en route that the Sustainable-Aggregate-Rate becomes less than the ingress-rate so only then will pre-emption will actually occur on the ingress router. Hence with the implicit scheme, pre-emption can only be triggered once the system starts dropping packets and thus the QoS of flows starts being significantly degraded. This is in contrast with the explicit scheme which allows pre-emption to be triggered before any packet drop, simply when the traffic reaches a certain configured engineered pre-emption level. Therefore we believe that the explicit mechanism is superior. However it does require new functionality on all the routers (although this is little more than a bulk token bucket). 3.2.3. Use case for pre-emption To see how the pieces of the solution fit together in a use case, we imagine a scenario where many microflows have already been admitted. We confine our description to the explicit pre-emption mechanism. Now an interior router in the CL-region fails. The network layer routing protocol re-routes round the problem, but as a consequence traffic on other links increases. In fact let's assume the traffic on one link now exceeds its pre-emption threshold and so the router re-marks CL packets to Re-marked-CL. When the egress sees the first one of these packets it immediately determines which microflow this packet is part of (by using a five-tuple filter and comparing it with state installed at admission) and hence which ingress gateway the packet came from. It sets up a meter to measure the traffic rate from this ingress gateway, and as soon as possible sends a message to the Briscoe Expires April 24, 2006 [Page 24] Internet-Draft Controlled Load architecture October 2005 ingress gateway. This message alerts the ingress gateway that pre- emption may be needed and contains the traffic rate measured by the egress gateway. Then the ingress gateway determines the traffic rate that it is sending towards this egress gateway and hence it can calculate the amount of traffic that needs to be pre-empted. The ingress gateway could now just shed random microflows, but it is better if the least important ones are dropped. The ingress gateway could use information stored locally in each reservation's state (such as for example the RSVP pre-emption priority) as well as information provided by a policy decision point in order to decide which of the flows to shed (or perhaps which ones not to shed). The ingress gateway then initiates RSVP signalling to instruct the relevant destinations that their session has been terminated, and to tell (RSVP) nodes along the path to tear down associated RSVP state. To guard against recalcitrant sources, normal IntServ policing will block any future traffic from the dropped flows from entering the CL- region. Note that - with the explicit Pre-emption Alert mechanism - since the threshold for re-marking packets to Re-marked-CL may be set at significantly less than the physical line capacity, traffic pre- emption may be triggered before any congestion has actually occurred and before any packet is dropped. We extend the scenario further by imagining that (due to a disaster of some kind) further routers in the CL-region fail during the time taken by the pre-emption process described above. This is handled naturally, as packets will continue to be re-marked to Re-marked-CL and so the pre-emption process will happen for a second time. Pre-emption also helps emergency/military calls by taking into account the corresponding call priorities when selecting calls to be pre-empted, which is likely to be particularly important in a disaster scenario. 4. Details This section is intended to provide a systematic summary of the new functionality required by the routers in the CL-region. A network operator upgrades normal IP routers by: o Adding functionality related to admission control and pre-emption to all its ingress and egress gateways Briscoe Expires April 24, 2006 [Page 25] Internet-Draft Controlled Load architecture October 2005 o Adding Pre-Congestion Notification behaviour and Pre-emption Alert behaviour to all the nodes in the CL-region. We consider the detailed actions required for each of the types of node in turn. 4.1. Ingress gateways Ingress gateways perform the following tasks: o Classify incoming packets - decide whether they are CL or non-CL packets. This is done using an IntServ filter spec (source and destination addresses and port numbers), whose details have been gathered from the RSVP messaging. o Police - check that the microflow conforms with what has been agreed (i.e. it keeps to its agreed data rate). If necessary, packets which do not correspond to any reservations, packets which are in excess of the rate agreed for their reservation, and packets for a reservation that has earlier been pre-empted may be policed. Policing may be achieved via dropping or via re-marking of the packet's DSCP to a value different from the CL behaviour aggregate. o Packet ECN colouring - for CL microflows, set the ECN field to ECT(0) or ECT(1) (uses for ECT(0) and ECT(1) will be discussed in a later version of this document) o Perform 'interior node' functions (see next sub-section) o Admission Control - on new session establishment, consider the Congestion-Level-Estimate received from the corresponding egress gateway and most likely based on a simple configured threshold decide if a new call is to be admitted or rejected (taking into account local policy information as well as optionally information provided by a policy decision point). o Probe - if requested by the egress gateway to do so, the ingress gateway generates probe traffic so that the egress gateway can compute the Congestion-Level-Estimate from this ingress gateway. Probe packets may be simple data addressed to the egress gateway and require no protocol standardisation, although there will be best practice for their number, size and rate. o Measure - when it receives an Alert message from an egress gateway, it determines the rate at which it is sending packets to that egress gateway Briscoe Expires April 24, 2006 [Page 26] Internet-Draft Controlled Load architecture October 2005 o Pre-empt - calculate how much CL traffic needs to be pre-empted; decide which microflows should be dropped, perhaps in consultation with a Policy Decision Point; and do the necessary signalling to drop them. 4.2. Interior nodes Interior nodes do the following tasks: o Classify packets - examine the DSCP and ECN field to see if it's a CL packet o Non-CL packets are handled as usual, with respect to dropping them or setting their CE codepoint. o Pre-Congestion Notification - CL packets have their CE codepoint set according to the algorithm detailed in [CL-marking] and outlined in Section 3. o Pre-emption Alert - assuming the explicit Pre-emption Alert mechanism is being used, when the rate of CL traffic exceeds a threshold then re-mark packets to Re-marked-CL. 4.3. Egress gateways Egress gateways do the following tasks: o Classify packets - determine which ingress gateway a CL packet has come from. This is the previous RSVP hop, hence the necessary details are obtained just as with IntServ from the state associated with the packet five-tuple, which has been built using information from the RSVP messages. o Meter - for CL packets, calculate the fraction of the total number of bits which are in CE marked packets or in Re-marked-CL packets. The calculation is done as an exponentially weighted moving average (see Appendix). A separate calculation is made for CL packets from each ingress gateway. The meter works on an aggregate basis and not per microflow. Briscoe Expires April 24, 2006 [Page 27] Internet-Draft Controlled Load architecture October 2005 o Signal the Congestion-Level-Estimate - this is piggy-backed on the reservation reply. An egress gateway's interface is configured to know it is an egress gateway, so it always appends this to the RESV message. If the Congestion-Level-Estimate is unknown or is too stale, then the egress gateway can request the ingress gateway to send probes. o Packet colouring - for CL packets, set the DSCP and the ECN field to whatever has been agreed as appropriate for the next domain. By default the ECN field is set to the Not-ECT codepoint. Note that this results in the loss of the end-to-end meaning of the ECN field. It can usually be assumed that end-to-end congestion control is unnecessary within an end-to-end reservation. But if a genuine need is identified for end-to-end ECN semantics within a reservation, then an alternative is to tunnel CL packets across the CL-region, or to agree an extension to end-to-end signalling to indicate that the microflow uses an ECN-capable transport. We do not recommend such apparently unnecessary complexity. o Measure the rate - measure the rate of CL traffic from a particular ingress gateway (i.e. the rate for the CL-region- aggregate), when alerted (either explicitly or implicitly) that pre-emption may be required. The measured rate is reported back to the appropriate ingress gateway [RSVP-ECN]. 4.4. Failures If a gateway fails then regular RSVP procedures will take care of things. For example, say an ingress gateway fails. Then RSVP routers upstream of it do IP re-routing to a new ingress gateway. Then the upstream RSVP routers do RSVP fast local repair, i.e. attempt to re- establish reservations through the new ingress gateway and, for example, through the same egress gateway. As part of this, admission control is performed, using the procedure described in this document. This could result in some of the flows being rejected, but those accepted will receive the full QoS. If an interior node fails, then the regular IP routing protocol will re-route round it. If the new route can carry admitted traffic, flows gracefully continue. If instead this causes early warning of congestion from the new route, admission control based on pre- congestion notification will ensure new flows will not be admitted until enough existing flows have departed. Finally re-routing may result in heavy congestion, when the pre-emption mechanism will kick in. Briscoe Expires April 24, 2006 [Page 28] Internet-Draft Controlled Load architecture October 2005 5. Potential future extensions 5.1. Multi-domain and multi-operator usage This potential extension would eliminate the trust assumption (Section 2.2), so that the CL-region could consist of multiple domains run by different operators that did not trust each other. Then only the ingress and egress gateways of the CL-region would take part in the admission control procedure, i.e. at the ingress to the first domain and the egress from the final domain. The border routers between operators within the CL-region would only have to do bulk accounting - they wouldn't do per microflow metering and policing, and they wouldn't take part in signal processing or hold path state [Briscoe]. [Re-feedback, Re-feedback-I-D] explains how a downstream domain can police that its upstream domain does not 'cheat' by admitting traffic when the downstream path is over-congested. 5.2. Adaptive bandwidth for the Controlled Load service The admission control mechanism described in this document assumes that each router has a fixed bandwidth allocated to CL flows. A possible extension is that the bandwidth is flexible, depending on the level of non-CL traffic. If a large share of the current load on a path is CL, then more CL traffic can be admitted. And if the greater share of the load is non-CL, then the admission threshold can be proportionately lower. The approach re-arranges sharing between classes to aim for economic efficiency, whatever the traffic load matrix. It also deals with unforeseen changes to capacity during failures better than configuring fixed engineered rates. Adaptive bandwidth allocation can be achieved by changing the Pre-Congestion marking behaviour, so that the probability of setting the CE codepoint would now depend on the number of queued non-CL packets as well as the number of CL tokens. The adaptive bandwidth approach would be supplemented by placing limits on the adaptation to prevent starvation of the CL by other traffic classes and of other classes by CL traffic. 5.3. Controlled Load service with end-to-end Pre-Congestion Notification It may be possible to extend the framework to parts of the network where there are only a low number of CL microflows, i.e. the aggregation assumption (Section 2.2) doesn't hold. In the extreme it may be possible to operate the framework end-to-end, i.e. between end hosts. One potential method is to send probe packets to test whether the network can support a prospective new CL microflow. The probe packets would be sent at the same traffic rate as expected for the actual microflow, but in order not to disturb existing CL traffic a Briscoe Expires April 24, 2006 [Page 29] Internet-Draft Controlled Load architecture October 2005 router would always schedule probe packets behind CL ones (compare [Breslau00]); this implies they have a new DSCP. Otherwise the routers would treat probe packets identically to CL packets. In order to perform admission control quickly, in parts of the network where there are only a few CL microflows, the Pre-Congestion marking behaviour for probe packets would switch from CE marking no packets to CE marking them all for only a minimal increase in load. 5.4. MPLS-TE It may be possible to extend the framework for admission control of microflows into a set of MPLS-TE aggregates (Multi-protocol label switching traffic engineering). However it would require that the MPLS header could include the ECN field, which is not precluded by RFC3270. 6. Relationship to other QoS mechanisms 6.1. IntServ Controlled Load The CL mechanism delivers QoS similar to Integrated Services controlled load, but rather better as queues are kept empty by driving admission control from bulk inverse-token-buckets on each interface that can detect a rise in load before queues build, sometimes termed a virtual queue [AVQ, vq]. It is also more robust to route changes. 6.2. Integrated services operation over DiffServ Our approach to end-to-end QoS is similar to that described in [RFC2998] for Integrated services operation over DiffServ networks. Like [RFC2998], an IntServ class (CL in our case) is achieved end-to- end, with a CL-region viewed as a single reservation hop in the total end-to-end path. Interior routers of the CL-region do not process flow signalling nor do they hold state. Unlike [RFC2998] we do not require the end-to-end signalling mechanism to be RSVP, although it can be. Bearing in mind these differences, we can describe our architecture in the terms of the options in [RFC2998]. The DiffServ network region is RSVP-aware, but awareness is confined to (what [RFC2998] calls) the "border routers" of the DiffServ region. We use explicit admission control into this region, with static provisioning within it. The ingress "border router" does per microflow policing and sets Briscoe Expires April 24, 2006 [Page 30] Internet-Draft Controlled Load architecture October 2005 the DSCP and ECN fields to indicate the packets are CL ones (i.e. we use router marking rather than host marking). 6.3. Differentiated Services The DiffServ architecture does not specify any way for devices outside the domain to dynamically reserve resources or receive indications of network resource availability. In practice, service providers rely on subscription-time Service Level Agreements (SLAs) that statically define the parameters of the traffic that will be accepted from a customer. The CL mechanism allows dynamic reservation of resources through the DiffServ domain and, with the potential extension mentioned in Section 5.1, it can span multiple domains without active policing mechanisms at the borders (unlike DiffServ). Therefore we do not use the traffic conditioning agreements (TCAs) of the (informational) DiffServ architecture [RFC2475]. [Johnson] compares admission control with a 'generously dimensioned' DiffServ network as ways to achieve QoS. The former is recommended. 6.4. ECN The marking behaviour described in this document complies with the ECN aspects of the IP wire protocol RFC3168, but provides its own edge-to-edge feedback instead of the TCP aspects of RFC3168. All nodes within the CL-region are upgraded with the Pre-Congestion Notification and Pre-emption Alert mechanisms, so the requirements of [Floyd] are met because the CL-region is an enclosed environment. The operator prevents traffic arriving at a node that doesn't understand CL by administrative configuration of the ring of gateways around the CL-region. 6.5. RTECN Real-time ECN (RTECN) [RTECN, RTECN-usage] has a similar aim to this document (to achieve a low delay, jitter and loss service suitable for RT traffic) and a similar approach (per microflow admission control combined with an "early warning" of potential congestion through setting the CE codepoint). But it explores a different architecture without the aggregation assumption: host-to-host rather than edge-to-edge. 6.6. RMD Resource Management in DiffServ (RMD) [RMD] is similar to this work, in that it pushes complex classification, traffic conditioning and admission control functions to the edge of a DiffServ domain and Briscoe Expires April 24, 2006 [Page 31] Internet-Draft Controlled Load architecture October 2005 simplifies the operation of the interior nodes. One of the RMD modes uses measurement-based admission control, however it works differently: each interior node measures the user traffic load in the PHB traffic aggregate, and each interior node processes a local RESERVE message and compares the requested resources with the available resources (maximum allowed load minus current load). Hence a difference is that the CL architecture described in this document has been designed not to require interaction between interior nodes and signalling, whereas in RMD all interior nodes are QoS-NSLP aware. So our architecture involves less processing in interior nodes, is more agnostic to signalling, requires fewer changes to existing standards and therefore works with existing RSVP as well as having the potential to work with future signalling protocols like NSIS. RMD introduced the concept of Severe Congestion handling. The pre- emption mechanism described in the CL architecture has similar objectives but relies on different mechanisms. 6.7. RSVP Aggregation over MPLS-TE Multi-protocol label switching traffic engineering (MPLS-TE) allows scalable reservation of resources in the core for an aggregate of many microflows. To achieve end-to-end reservations, admission control and policing of microflows into the aggregate can be achieved using techniques such as RSVP Aggregation over MPLS TE Tunnels as per [AGGRE-TE]. However, in the case of inter-provider environments, these techniques require that admission control and policing be repeated at each trust boundary or that MPLS TE tunnels span multiple domains. 7. Security Considerations To protect against denial of service attacks, the ingress gateway of the CL-region needs to police all CL packets and drop packets in excess of the reservation. This is similar to operations with existing IntServ behaviour. For pre-emption, it is considered acceptable from a security perspective that the ingress gateway can treat "emergency/military" CL flows preferentially compared with "ordinary" CL flows. However, in the rest of the CL-region they are not distinguished (nonetheless, our proposed technique does not preclude the use of different DSCPs at the packet level as well as different priorities at the flow Briscoe Expires April 24, 2006 [Page 32] Internet-Draft Controlled Load architecture October 2005 level.). Keeping emergency traffic indistinguishable at the packet level minimises the opportunity for new security attacks. For example, if instead a mechanism used different DSCPs for "emergency/military" and "ordinary" packets, then an attacker could specifically target the former in the data plane (perhaps for DoS or for eavesdropping). Further security aspects to be considered later. 8. Acknowledgements The admission control mechanism evolved from the work led by Martin Karsten on the Guaranteed Stream Provider developed in the M3I project [GSPa, GSP-TR], which in turn was based on the theoretical work of Gibbens and Kelly [DCAC]. Kennedy Cheng, Gabriele Corliano, Carla Di Cairano-Gilfedder, Kashaf Khan, Peter Hovell, Arnaud Jacquet and June Tay (BT) helped develop and evaluate this approach. 9. Comments solicited Comments and questions are encouraged and very welcome. They can be sent to the Transport Area Working Group's mailing list, tsvwg@ietf.org, and/or to the authors. 10. Changes from the -00 version of this draft There are several modifications to the admission control mechanism described in the first version of the draft, but the main technical change is the addition of the whole of the Pre-emption mechanism. 11. Appendixes 11.1. Appendix A: Explicit Congestion Notification This Appendix provides a brief summary of Explicit Congestion Notification (ECN). [RFC3168] specifies the incorporation of ECN to TCP and IP, including ECN's use of two bits in the IP header. It specifies a method for indicating incipient congestion to end-nodes (egg as in RED, Random Briscoe Expires April 24, 2006 [Page 33] Internet-Draft Controlled Load architecture October 2005 Early Detection), where the notification is through ECN marking packets rather than dropping them. ECN uses two bits in the IP header of both IPv4 and IPv6 packets: 0 1 2 3 4 5 6 7 +-----+-----+-----+-----+-----+-----+-----+-----+ | DS FIELD, DSCP | ECN FIELD | +-----+-----+-----+-----+-----+-----+-----+-----+ DSCP: differentiated services codepoint ECN: Explicit Congestion Notification Figure A.1: The Differentiated Services and ECN Fields in IP. The two bits of the ECN field have four ECN codepoints, '00' to '11': +-----+-----+ | ECN FIELD | +-----+-----+ ECT CE 0 0 Not-ECT 0 1 ECT(1) 1 0 ECT(0) 1 1 CE Figure A.2: The ECN Field in IP. The not-ECT codepoint '00' indicates a packet that is not using ECN. The CE codepoint '11' is set by a router to indicate congestion to the end nodes. The term 'CE packet' denotes a packet that has the CE codepoint set. The ECN-Capable Transport (ECT) codepoints '10' and '01' (ECT(0) and ECT(1) respectively) are set by the data sender to indicate that the end-points of the transport protocol are ECN-capable. Routers treat the ECT(0) and ECT(1) codepoints as equivalent. Senders are free to use either the ECT(0) or the ECT(1) codepoint to indicate ECT, on a packet-by-packet basis. The use of both the two codepoints for ECT is motivated primarily by the desire to allow mechanisms for the data sender to verify that network elements are not erasing the CE codepoint, and that data receivers are properly reporting to the sender the receipt of packets with the CE codepoint set. ECN requires support from the transport protocol, in addition to the functionality given by the ECN field in the IP packet header. [RFC3168] addresses the addition of ECN Capability to TCP, specifying Briscoe Expires April 24, 2006 [Page 34] Internet-Draft Controlled Load architecture October 2005 three new pieces of functionality: negotiation between the endpoints during connection setup to determine if they are both ECN-capable; an ECN-Echo (ECE) flag in the TCP header so that the data receiver can inform the data sender when a CE packet has been received; and a Congestion Window Reduced (CWR) flag in the TCP header so that the data sender can inform the data receiver that the congestion window has been reduced. The transport layer (e.g.. TCP) must respond, in terms of congestion control, to a *single* CE packet as it would to a packet drop. The advantage of setting the CE codepoint as an indication of congestion, instead of relying on packet drops, is that it allows the receiver(s) to receive the packet, thus avoiding the potential for excessive delays due to retransmissions after packet losses. 11.2. Appendix B: What is distributed measurement-based admission control? This Appendix briefly explains what distributed measurement-based admission control is [Breslau99]. Traditional admission control algorithms for 'hard' real-time services (those providing a firm delay bound for example) guarantee QoS by using 'worst case analysis'. Each time a flow is admitted its traffic parameters are examined and the network re-calculates the remaining resources. When the network gets a new request it therefore knows for certain whether the prospective flow, with its particular parameters, should be admitted. However, parameter-based admission control algorithms result in under-utilisation when the traffic is bursty. Therefore 'soft' real time services - like Controlled Load - can use a more relaxed admission control algorithm. This idea suggests measurement-based admission control (MBAC). The aim of MBAC is to provide a statistical service guarantee. The classic scenario for MBAC is where each node participates in hop-by- hop admission control, characterising existing traffic locally through measurements (instead of keeping an accurate track of traffic as it is admitted), in order to determine the current value of some parameter e.g. load. Note that for scalability the measurement is of the aggregate of the flows in the local system. The measured parameter(s) is then compared to the requirements of the prospective flow to see whether it should be admitted. Briscoe Expires April 24, 2006 [Page 35] Internet-Draft Controlled Load architecture October 2005 MBAC may also be performed centrally for a network, it which case it uses centralised measurements by a bandwidth broker. We use distributed MBAC. "Distributed" means that the measurement is accumulated for the 'whole-path' using in-band signalling. In our case, this means that the measurement of existing traffic is for the same pair of ingress and egress gateways as the prospective microflow. In fact our mechanism can be said to be distributed in three ways: all nodes on the ingress-egress path affect the Congestion-Level- Estimate; the admission control decision is made just once on behalf of all the nodes on the path across the CL-region; and the ingress and egress gateways cooperate to perform MBAC. 11.3. Appendix C: Calculating the Exponentially weighted moving average (EWMA) At the egress gateway, for every CL packet arrival: [EWMA-total-bits]n+1 = (w * bits-in-packet) + ((1-w) * [EWMA- total-bits]n ) [EWMA-CE-bits]n+1 = (B * w * bits-in-packet) + ((1-w) * [EWMA-CE- bits]n ) Then, per new flow arrival: [Congestion-Level-Estimate]n+1 = [EWMA-CE-bits]n+1 / [EWMA- total-bits]n+1 where EWMA-total-bits is the total number of bits in CL packets, calculated as an exponentially weighted moving average (EWMA) EWMA-CE-bits is the total number of bits in CL packets where the packet has its CE codepoint set, again calculated as an EWMA. B is either 0 or 1: B = 0 if the CL packet does not have its CE codepoint set B = 1 if the CL packet has its CE codepoint set Briscoe Expires April 24, 2006 [Page 36] Internet-Draft Controlled Load architecture October 2005 w is the exponential weighting factor. Varying the value of the weight trades off between the smoothness and responsiveness of the estimate of the percentage of CE packets. However, in general both can be achieved, given our original assumption of many CL microflows and remembering that the EWMA is calculated on the basis of aggregate traffic between the ingress and egress gateways. There will be a threshold inter-arrival time between packets of the same aggregate below which the egress will consider the estimate of the Congestion-Level-Estimate as too stale, and it will then trigger generation of probes by the ingress. The first two per-packet algorithms can be simplified, if their only use will be where the result of one is divided by the result of the other in the third, per-flow algorithm. [EWMA-total-bits]'n+1 = bits-in-packet + (w' * [EWMA- total- bits]n ) [EWMA-CE-bits]'n+1 = (B * bits-in-packet) + (w' * [EWMA-CE-bits]n ) where w' = (1-w)/w. If w' is arranged to be a power of 2, these per packet algorithms can be implemented solely with a shift and an add. 12. References A later version will distinguish normative and informative references. [AGGRE-TE] Francois Le Faucheur, Michael Dibiasio, Bruce Davie, Michael Davenport, Chris Christou, Jerry Ash, Bur Goode, 'Aggregation of RSVP Reservations over MPLS TE/DS-TE Tunnels', draft-ietf-tsvwg-rsvp-dste-00 (work in progress), July 2005 Briscoe Expires April 24, 2006 [Page 37] Internet-Draft Controlled Load architecture October 2005 [ANSI.MLPP.Spec] American National Standards Institute, "Telecommunications- Integrated Services Digital Network (ISDN) - Multi-Level Precedence and Pre- emption (MLPP) Service Capability", ANSI T1.619-1992 (R1999), 1992. [ANSI.MLPP.Supplement] American National Standards Institute, "MLPP Service Domain Cause Value Changes", ANSI ANSI T1.619a-1994 (R1999), 1990. [AVQ] S. Kunniyur and R. Srikant "Analysis and Design of an Adaptive Virtual Queue (AVQ) Algorithm for Active Queue Management", In: Proc. ACM SIGCOMM'01, Computer Communication Review 31 (4) (October, 2001). [Breslau99] L. Breslau, S. Jamin, S. Shenker "Measurement-based admission control: what is the research agenda?", In: Proc. Int'l Workshop on Quality of Service 1999. [Breslau00] L. Breslau, E. Knightly, S. Shenker, I. Stoica, H. Zhang "Endpoint Admission Control: Architectural Issues and Performance", In: ACM SIGCOMM 2000 [Briscoe] Bob Briscoe and Steve Rudkin, "Commercial Models for IP Quality of Service Interconnect", BT Technology Journal, Vol 23 No 2, April 2005. [CL-marking] Forthcoming. Supercedes draft-briscoe-tsvwg-cl-phb-00. [DCAC] Richard J. Gibbens and Frank P. Kelly "Distributed connection acceptance control for a connectionless network", In: Proc. International Teletraffic Congress (ITC16), Edinburgh, pp. 941—952 (1999). [EMERG-RQTS] Carlberg, K. and R. Atkinson, "General Requirements for Emergency Telecommunication Service (ETS)", RFC 3689, February 2004. [EMERG-TEL] Carlberg, K. and R. Atkinson, "IP Telephony Requirements for Emergency Telecommunication Service (ETS)", RFC 3690, February 2004. [Floyd] S. Floyd, 'Specifying Alternate Semantics for the Explicit Congestion Notification (ECN) Field', draft- floyd-ecn-alternates-02.txt (work in progress), August 2005 Briscoe Expires April 24, 2006 [Page 38] Internet-Draft Controlled Load architecture October 2005 [GSPa] Karsten (Ed.), Martin "GSP/ECN Technology & Experiments", Deliverable: 15.3 PtIII, M3I Eu Vth Framework Project IST-1999-11429, URL: http://www.m3i.org/ (February, 2002) (superseded by [GSP-TR]) [GSP-TR] Martin Karsten and Jens Schmitt, "Admission Control Based on Packet Marking and Feedback Signalling ­-- Mechanisms, Implementation and Experiments", TU- Darmstadt Technical Report TR-KOM-2002-03, URL: http://www.kom.e-technik.tu- darmstadt.de/publications/abstracts/KS02-5.html (May, 2002) [ITU.MLPP.1990] International Telecommunications Union, "Multilevel Precedence and Pre-emption Service (MLPP)", ITU-T Recommendation I.255.3, 1990. [Johnson] DM Johnson, 'QoS control versus generous dimensioning', BT Technology Journal, Vol 23 No 2, April 2005 [Re-ECN] Bob Briscoe, Arnaud Jacquet, Alessandro Salvatori, 'Re-ECN: Adding Accountability for Causing Congestion to TCP/IP', draft-briscoe-tsvwg-re-ecn-tcp-00 (work in progress), October 2005. [Re-feedback] Bob Briscoe, Arnaud Jacquet, Carla Di Cairano- Gilfedder, Andrea Soppera, 'Re-feedback for Policing Congestion Response in an Inter-network', ACM SIGCOMM 2005, August 2005. [Reid] ABD Reid, 'Economics and scalability of QoS solutions', BT Technology Journal, Vol 23 No 2, April 2005 [RFC2211] J. Wroclawski, Specification of the Controlled-Load Network Element Service, September 1997 [RFC2309] Braden, B., et al., "Recommendations on Queue Management and Congestion Avoidance in the Internet", RFC 2309, April 1998. [RFC2474] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998 Briscoe Expires April 24, 2006 [Page 39] Internet-Draft Controlled Load architecture October 2005 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. and W. Weiss, 'A framework for Differentiated Services', RFC 2475, December 1998. [RFC2597] Heinanen, J., Baker, F., Weiss, W. and J. Wrocklawski, "Assured Forwarding PHB Group", RFC 2597, June 1999. [RFC2998] Bernet, Y., Yavatkar, R., Ford, P., Baker, F., Zhang, L., Speer, M., Braden, R., Davie, B., Wroclawski, J. and E. Felstaine, "A Framework for Integrated Services Operation Over DiffServ Networks", RFC 2998, November 2000. [RFC3168] Ramakrishnan, K., Floyd, S. and D. Black "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001. [RFC3246] B. Davie, A. Charny, J.C.R. Bennet, K. Benson, J.Y. Le Boudec, W. Courtney, S. Davari, V. Firoiu, D. Stiliadis, 'An Expedited Forwarding PHB (Per-Hop Behavior)', RFC 3246, March 2002. [RFC3270] Le Faucheur, F., Wu, L., Davie, B., Davari, S., Vaananen, P., Krishnan, R., Cheval, P., and J. Heinanen, "Multi- Protocol Label Switching (MPLS) Support of Differentiated Services", RFC 3270, May 2002. [RMD] Attila Bader, Lars Westberg, Georgios Karagiannis, Cornelia Kappler, Tom Phelan, 'RMD-QOSM - The Resource Management in DiffServ QoS model', draft-ietf-nsis- rmd-03 Work in Progress, June 2005. [RSVP-ECN] Francois Le Faucheur, Anna Charny, Bob Briscoe, Philip Eardley, Joe Barbiaz, Kwok-Ho Chan, 'RSVP Extensions for Admission Control over DiffServ using Pre- congestion Notification', draft-lefaucheur-rsvp-ecn-00 (work in progress), October 2005. [RTECN] Babiarz, J., Chan, K. and V. Firoiu, 'Congestion Notification Process for Real-Time Traffic', draft- babiarz-tsvwg-rtecn-04 Work in Progress, July 2005. [RTECN-usage] Alexander, C., Ed., Babiarz, J. and J. Matthews, 'Admission Control Use Case for Real-time ECN', draft- alexander-rtecn-admission-control-use-case-00, Work in Progress, February 2005. Briscoe Expires April 24, 2006 [Page 40] Internet-Draft Controlled Load architecture October 2005 [vq] Costas Courcoubetis and Richard Weber "Buffer Overflow Asymptotics for a Switch Handling Many Traffic Sources" In: Journal Applied Probability 33 pp. 886-- 903 (1996). Authors' Addresses Bob Briscoe BT Research B54/77, Sirius House Adastral Park Martlesham Heath Ipswich, Suffolk IP5 3RE United Kingdom Email: bob.briscoe@bt.com Dave Songhurst BT Research B54/69, Sirius House Adastral Park Martlesham Heath Ipswich, Suffolk IP5 3RE United Kingdom Email: dsonghurst@jungle.bt.co.uk Philip Eardley BT Research B54/77, Sirius House Adastral Park Martlesham Heath Ipswich, Suffolk IP5 3RE United Kingdom Email: philip.eardley@bt.com Briscoe Expires April 24, 2006 [Page 41] Internet-Draft Controlled Load architecture October 2005 Francois Le Faucheur Cisco Systems, Inc. Village d'Entreprise Green Side - Batiment T3 400, Avenue de Roumanille 06410 Biot Sophia-Antipolis France Email: flefauch@cisco.com Anna Charny Cisco Systems 300 Apollo Drive Chelmsford, MA 01824 USA Email: acharny@cisco.com Kwok Ho Chan Nortel Networks 600 Technology Park Drive Billerica, MA 01821 USA Email: khchan@nortel.com Jozef Z. Babiarz Nortel Networks 3500 Carling Avenue Ottawa, Ont K2H 8E9 Canada Email: babiarz@nortel.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of Briscoe Expires April 24, 2006 [Page 42] Internet-Draft Controlled Load architecture October 2005 such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Briscoe Expires April 24, 2006 [Page 43]