Internet DRAFT - draft-atarashi-dscp-policy


Network Working Group                                        R. Atarashi
Internet-Draft                        Communications Research Laboratory
Expires: April 1, 2002                                          F. Baker
                                                           Cisco Systems
                                                            October 2001

                         Reflexive DSCP Policy

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on April 1, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.


   In reviewing the specific use of the Differentiated Services
   Architecture for supporting the Internet Emergency Preparedness
   System, we found what we believe is a general issue.  This is that
   even though a client or peer can connect to a server or peer with a
   predictable DSCP value, the response does not have a predictable DSCP
   value.  We consider the issues, and recommend an approach to
   application policy regarding the DSCP.

Atarashi & Baker          Expires April 1, 2002                 [Page 1]
Internet-Draft                  Document                    October 2001

1. Introduction

   In reviewing the specific use of the Differentiated Services
   Architecture for supporting the Internet Emergency Preparedness
   System, we found what we believe is a general issue.  This is that
   even though a client or peer can connect to a server or peer with a
   predictable DSCP value, the response does not have a predictable DSCP
   value.  We consider the issues, and recommend an approach to
   application policy regarding the DSCP.

   As such, we will make specific recommendations for all applications.
   In doing so, we will use the language described in RFC 2119 [3].  The
   key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [3].

1.1 Problem Statement

    Figure 1 presents a connection being placed between two applications
   across a differentiated services network.

          . . . .                  . . . .                    . . . .
      .            .           .            .             .            .
    .  Client         .      .                .          .     Server    .
   .  /----------/    .     .  /------------/  .       . /---------------/.
   .         Router -----/----- Router Router ----/----- Router          .
    .                .       .                .        .                 .
      .            .           .            .            .             .
          . . . .                  . . . .                    . . . .

   Figure 1: Connection across a network

   A behavior aggregate originated in part by a certain client toward a
   given server in a remote network may have certain application
   requirements, such as requiring service appropriate to an ERP
   application, video stream, or voice.  One application may use
   different aggregates for different purposes, and therefore have
   different requirements.  So the application may not be able to tell,
   a priori, with what DSCP it should use or respond.

   In addition, DSCPs have local significance in the Differentiated
   Services Architecture.  It is possible and perhaps likely that a
   behavior aggregate might use different code points in different

Atarashi & Baker          Expires April 1, 2002                 [Page 2]
Internet-Draft                  Document                    October 2001

2. Policy recommendations

   We consider that there are a number of possible approaches to this
   issue.  The simplest, which we fear is currently standard in
   Differentiated Services hosts, is to simply select a default value,
   such as "always make TCP applications use AF11".  For some
   applications, such as voice (EF), this approach is appropriate, but
   for many it is not.

2.1 Default DSCP policy in a responder

   When a system accepts sessions initiated from another system, and
   there is no specific local policy, the responder SHOULD use the same
   DSCP Group as its request.  Thus, if a TCP SYN arrives using any of
   AF11, AF12, or AF13, the TCP SYN-ACK and subsequent messages SHOULD
   use AF11 as the DSCP.  When in doubt as to the set of DSCP code
   points comprising a DSCP Group, it SHOULD respond with exactly the
   same DSCP.

   There has been interest of late in changing the quality of service
   behavior for different portions of the same session, such as on a
   per-URL basis.  The requester could initiate this.  Thus, if the DSCP
   received on one TCP segment differs from the TCP used on a prior TCP
   segment in a session, the new DSCP SHOULD be reflected unless local
   policy prevents this.

   One way to implement this requires the receiving transport (TCP,
   SCTP, etc) to save the received DSCP and use an API to determine the
   correct responding DSCP from a configuration file.  The configuration
   file lists the 64 possible DSCP values and the correct response.  In
   most cases, the two SHOULD be the same, but the twelve AFxy code
   points map to AFx1.  Local policy MAY update this mapping.

2.2 Application-directed DSCP policy

   The originator of a session, which is to say the application that
   opens it, SHOULD normally select the DSCP value used.  This, of
   course, needs to be consistent with local network policy, and may be
   dictated entirely by that policy.

   The application would do this through an API, ideally one that maps
   the application to a DSCP value through local administrative policy.
   Thus, the API could set the DSCP for signaling of voice calls to a
   specific value, such as AF31.  It would be better, though, if the API
   were to set it to a key word such as "VoiceSignaling" or
   "DatabaseAccess", and enable the network administration to interpret
   the key word to an appropriate code point.  One way to implement this
   would be for the API code to look the key word up in a file or an

Atarashi & Baker          Expires April 1, 2002                 [Page 3]
Internet-Draft                  Document                    October 2001

   LDAP Policy.

   It is possible for the responding application to use this same API.
   For example, separate policies might apply to database records of one
   type and database records of another type, something that only the
   database access application could determine.  It is also possible for
   the application exchange to communicate a desired DSCP, and the
   responding application to use the API accordingly.  In such a case,
   the application exchange MUST specify the key word rather than the
   specific DSCP, as it cannot know the applicable policy in the
   responder's network.

Atarashi & Baker          Expires April 1, 2002                 [Page 4]
Internet-Draft                  Document                    October 2001

3. Security Considerations

   This document discusses policy, and describes a recommended default
   policy, for the use of a Differentiated Services Code Point by
   transports and applications.  If implemented as described, it should
   ask the network to do nothing that the network has not already
   allowed.  If that is the case, no new security issues should arise
   from the use of such a policy.

   It is possible, however, for the policy to be applied incorrectly, or
   for another policy to be applied, which would be incorrect in the
   network.  In that case, a policy issue exists which the network must
   detect, assess, and deal with.  This is a known security issue in any
   network dependent on policy-directed behavior.

Atarashi & Baker          Expires April 1, 2002                 [Page 5]
Internet-Draft                  Document                    October 2001

4. Acknowledgements

   The authors would like to thank Hiroyuki Ohno, Toshio Shimojo,
   Shigeru Miyake and Yoshifumi Atarashi for their suggestions.

Atarashi & Baker          Expires April 1, 2002                 [Page 6]
Internet-Draft                  Document                    October 2001


   [1]  "International Emergency Preparedness Scheme", ITU E.106, March

   [2]  "Service Description for an International Emergency Multimedia
        Service (Draft)", ITU-T F.706, August 2001.

   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [4]  Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of
        the Differentiated Services Field (DS Field) in the IPv4 and
        IPv6 Headers", RFC 2474, December 1998.

   [5]  Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. and W.
        Weiss, "An Architecture for Differentiated Services", RFC 2475,
        December 1998.

   [6]  Heinanen, J., Baker, F., Weiss, W. and J. Wroclawski, "Assured
        Forwarding PHB Group", RFC 2597, June 1999.

   [7]  Bernet, Y., Ford, P., Yavatkar, R., Baker, F., Zhang, L., Speer,
        M., Braden, R., Davie, B., Wroclawski, J. and E. Felstaine, "A
        Framework for Integrated Services Operation over Diffserv
        Networks", RFC 2998, November 2000.

Authors' Addresses

   Rei S. Atarashi
   Communications Research Laboratory
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795

   Phone: +81-42-327-6243
   Fax:   +81-42-327-9041

Atarashi & Baker          Expires April 1, 2002                 [Page 7]
Internet-Draft                  Document                    October 2001

   Fred Baker
   Cisco Systems
   1121 Via Del Rey
   Santa Barbara, CA  93117

   Phone: +1-408-526-4257
   Fax:   +1-413-473-2403

Atarashi & Baker          Expires April 1, 2002                 [Page 8]
Internet-Draft                  Document                    October 2001

Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Atarashi & Baker          Expires April 1, 2002                 [Page 9]