Network Working Group                                        S. Blake
Request for Comments: 2475            Torrent Networking Technologies
Category: Informational                                      D. Black
                                                      EMC Corporation
                                                           M. Carlson
                                                     Sun Microsystems
                                                            E. Davies
                                                            Nortel UK
                                                              Z. Wang
                                        Bell Labs Lucent Technologies
                                                             W. Weiss
                                                  Lucent Technologies
                                                        December 1998
        

An Architecture for Differentiated Services

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

Abstract

This document defines an architecture for implementing scalable service differentiation in the Internet. This architecture achieves scalability by aggregating traffic classification state which is conveyed by means of IP-layer packet marking using the DS field [DSFIELD]. Packets are classified and marked to receive a particular per-hop forwarding behavior on nodes along their path. Sophisticated classification, marking, policing, and shaping operations need only be implemented at network boundaries or hosts. Network resources are allocated to traffic streams by service provisioning policies which govern how traffic is marked and conditioned upon entry to a differentiated services-capable network, and how that traffic is forwarded within that network. A wide variety of services can be implemented on top of these building blocks.

Table of Contents

   1.  Introduction
     1.1  Overview
     1.2  Terminology
     1.3  Requirements
     1.4  Comparisons with Other Approaches
   2.  Differentiated Services Architectural Model
     2.1  Differentiated Services Domain
       2.1.1  DS Boundary Nodes and Interior Nodes
       2.1.2  DS Ingress Node and Egress Node
     2.2  Differentiated Services Region
     2.3  Traffic Classification and Conditioning
       2.3.1  Classifiers
       2.3.2  Traffic Profiles
       2.3.3  Traffic Conditioners
         2.3.3.1  Meters
         2.3.3.2  Markers
         2.3.3.3  Shapers
         2.3.3.4  Droppers
       2.3.4  Location of Traffic Conditioners and MF Classifiers
         2.3.4.1  Within the Source Domain
         2.3.4.2  At the Boundary of a DS Domain
         2.3.4.3  In non-DS-Capable Domains
         2.3.4.4  In Interior DS Nodes
     2.4  Per-Hop Behaviors
     2.5  Network Resource Allocation
   3.  Per-Hop Behavior Specification Guidelines
   4.  Interoperability with Non-Differentiated Services-Compliant Nodes
   5.  Multicast Considerations
   6.  Security and Tunneling Considerations
     6.1  Theft and Denial of Service
     6.2  IPsec and Tunneling Interactions
     6.3  Auditing
   7.  Acknowledgements
   8.  References
   Authors' Addresses
   Full Copyright Statement
        
1. Introduction

1.1 Overview

This document defines an architecture for implementing scalable service differentiation in the Internet. A "Service" defines some significant characteristics of packet transmission in one direction across a set of one or more paths within a network. These characteristics may be specified in quantitative or statistical terms of throughput, delay, jitter, and/or loss, or may otherwise be specified in terms of some relative priority of access to network resources. Service differentiation is desired to accommodate heterogeneous application requirements and user expectations, and to permit differentiated pricing of Internet service.

This architecture is composed of a number of functional elements implemented in network nodes, including a small set of per-hop forwarding behaviors, packet classification functions, and traffic conditioning functions including metering, marking, shaping, and policing. This architecture achieves scalability by implementing complex classification and conditioning functions only at network boundary nodes, and by applying per-hop behaviors to aggregates of traffic which have been appropriately marked using the DS field in the IPv4 or IPv6 headers [DSFIELD]. Per-hop behaviors are defined to permit a reasonably granular means of allocating buffer and bandwidth resources at each node among competing traffic streams. Per-application flow or per-customer forwarding state need not be maintained within the core of the network. A distinction is maintained between:

o the service provided to a traffic aggregate,

o the conditioning functions and per-hop behaviors used to realize services,

o the DS field value (DS codepoint) used to mark packets to select a per-hop behavior, and

o the particular node implementation mechanisms which realize a per-hop behavior.

Service provisioning and traffic conditioning policies are sufficiently decoupled from the forwarding behaviors within the network interior to permit implementation of a wide variety of service behaviors, with room for future expansion.

This architecture only provides service differentiation in one direction of traffic flow and is therefore asymmetric. Development of a complementary symmetric architecture is a topic of current research but is outside the scope of this document; see for example [EXPLICIT].

Sec. 1.2 is a glossary of terms used within this document. Sec. 1.3 lists requirements addressed by this architecture, and Sec. 1.4 provides a brief comparison to other approaches for service differentiation. Sec. 2 discusses the components of the architecture in detail. Sec. 3 proposes guidelines for per-hop behavior specifications. Sec. 4 discusses interoperability issues with nodes and networks which do not implement differentiated services as defined in this document and in [DSFIELD]. Sec. 5 discusses issues with multicast service delivery. Sec. 6 addresses security and tunnel considerations.

1.2 Terminology

This section gives a general conceptual overview of the terms used in this document. Some of these terms are more precisely defined in later sections of this document.

Behavior Aggregate (BA): a DS behavior aggregate.

BA classifier: a classifier that selects packets based only on the contents of the DS field.

Boundary link: a link connecting the edge nodes of two domains.

Classifier: an entity which selects packets based on the content of packet headers according to defined rules.

DS behavior aggregate: a collection of packets with the same DS codepoint crossing a link in a particular direction.

DS boundary node: a DS node that connects one DS domain to a node either in another DS domain or in a domain that is not DS-capable.

DS-capable: capable of implementing differentiated services as described in this architecture; usually used in reference to a domain consisting of DS-compliant nodes.

DS codepoint: a specific value of the DSCP portion of the DS field, used to select a PHB.

DS-compliant: enabled to support differentiated services functions and behaviors as defined in [DSFIELD], this document, and other differentiated services documents; usually used in reference to a node or device.

DS domain: a DS-capable domain; a contiguous set of nodes which operate with a common set of service provisioning policies and PHB definitions.

DS egress node: a DS boundary node in its role in handling traffic as it leaves a DS domain.

DS ingress node: a DS boundary node in its role in handling traffic as it enters a DS domain.

DS interior node: a DS node that is not a DS boundary node.

DS field: the IPv4 header TOS octet or the IPv6 Traffic Class octet when interpreted in conformance with the definition given in [DSFIELD]. The bits of the DSCP field encode the DS codepoint, while the remaining bits are currently unused.

DS node: a DS-compliant node.

DS region: a set of contiguous DS domains which can offer differentiated services over paths across those DS domains.

Downstream DS domain: the DS domain downstream of traffic flow on a boundary link.

Dropper: a device that performs dropping.

Dropping: the process of discarding packets based on specified rules; policing.

Legacy node: a node which implements IPv4 Precedence as defined in [RFC791, RFC1812] but which is otherwise not DS-compliant.

Marker: a device that performs marking.

Marking: the process of setting the DS codepoint in a packet based on defined rules; pre-marking, re-marking.

Mechanism: a specific algorithm or operation (e.g., queueing discipline) that is implemented in a node to realize a set of one or more per-hop behaviors.

Meter: a device that performs metering.

Metering: the process of measuring the temporal properties (e.g., rate) of a traffic stream selected by a classifier. The instantaneous state of this process may be used to affect the operation of a marker, shaper, or dropper, and/or may be used for accounting and measurement purposes.

Microflow: a single instance of an application-to-application flow of packets which is identified by source address, source port, destination address, destination port and protocol id.

MF Classifier: a multi-field (MF) classifier which selects packets based on the content of some arbitrary number of header fields; typically some combination of source address, destination address, DS field, protocol ID, source port and destination port.

Per-Hop-Behavior (PHB): the externally observable forwarding behavior applied at a DS-compliant node to a DS behavior aggregate.

PHB group: a set of one or more PHBs that can only be meaningfully specified and implemented simultaneously, due to a common constraint applying to all PHBs in the set such as a queue servicing or queue management policy. A PHB group provides a service building block that allows a set of related forwarding behaviors to be specified together (e.g., four dropping priorities). A single PHB is a special case of a PHB group.

Policing: the process of discarding packets (by a dropper) within a traffic stream in accordance with the state of a corresponding meter enforcing a traffic profile.

Pre-mark: to set the DS codepoint of a packet prior to entry into a downstream DS domain.

Provider DS domain: the DS-capable provider of services to a source domain.

Re-mark: to change the DS codepoint of a packet, usually performed by a marker in accordance with a TCA.

Service: the overall treatment of a defined subset of a customer's traffic within a DS domain or end-to-end.

Service Level Agreement (SLA): a service contract between a customer and a service provider that specifies the forwarding service a customer should receive. A customer may be a user organization (source domain) or another DS domain (upstream domain). A SLA may include traffic conditioning rules which constitute a TCA in whole or in part.

Service Provisioning Policy: a policy which defines how traffic conditioners are configured on DS boundary nodes and how traffic streams are mapped to DS behavior aggregates to achieve a range of services.

Shaper: a device that performs shaping.

Shaping: the process of delaying packets within a traffic stream to cause it to conform to some defined traffic profile.

Source domain: a domain which contains the node(s) originating the traffic receiving a particular service.

Traffic conditioner: an entity which performs traffic conditioning functions and which may contain meters, markers, droppers, and shapers. Traffic conditioners are typically deployed in DS boundary nodes only. A traffic conditioner may re-mark a traffic stream or may discard or shape packets to alter the temporal characteristics of the stream and bring it into compliance with a traffic profile.

Traffic conditioning: control functions performed to enforce rules specified in a TCA, including metering, marking, shaping, and policing.

Traffic Conditioning Agreement (TCA): an agreement specifying classifier rules and any corresponding traffic profiles and metering, marking, discarding and/or shaping rules which are to apply to the traffic streams selected by the classifier. A TCA encompasses all of the traffic conditioning rules explicitly specified within a SLA along with all of the rules implicit from the relevant service requirements and/or from a DS domain's service provisioning policy.

Traffic profile: a description of the temporal properties of a traffic stream such as rate and burst size.

Traffic stream: an administratively significant set of one or more microflows which traverse a path segment. A traffic stream may consist of the set of active microflows which are selected by a particular classifier.

Upstream DS domain: the DS domain upstream of traffic flow on a boundary link.
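The following Python model is added here as an illustration and is not part of RFC 2475. It shows how the elements defined above fit together at a DS ingress node: the DS field and its six-bit DSCP, a BA classifier and an MF classifier, a token-bucket meter enforcing a traffic profile (rate and burst size), and a marker or dropper acting on the meter's verdict, which is what the definitions of marking and policing describe. The class and function names (Packet, ba_classify, mf_classify, TokenBucketMeter, TrafficConditioner), the SLA parameters, the addresses and the codepoint values are all constructed for this example and carry no standard meaning; re-marking traffic that matches no TCA to the default codepoint is an assumed boundary-node policy, not a rule taken from the RFC.

```python
# Added example (not part of RFC 2475): a small model of the DiffServ building
# blocks named in the terminology section. All names and values are constructed.
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_DSCP = 0x00   # codepoint given to traffic matching no TCA (assumed policy)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tos: int      # the DS field: IPv4 TOS octet / IPv6 Traffic Class octet
    length: int   # bytes

    @property
    def dscp(self) -> int:
        # The DS codepoint is the six high-order bits of the DS field.
        return (self.tos >> 2) & 0x3F

    def mark(self, dscp: int) -> None:
        # Marking: replace the DSCP, leave the two low-order ("unused") bits untouched.
        self.tos = ((dscp & 0x3F) << 2) | (self.tos & 0x03)


def ba_classify(pkt: Packet, dscp: int) -> bool:
    """BA classifier: selects on the DS field only (what interior nodes use)."""
    return pkt.dscp == dscp


def mf_classify(pkt: Packet, **fields) -> bool:
    """MF classifier: matches any combination of src, dst, proto, sport,
    dport and dscp; fields not given are wildcards."""
    return all(getattr(pkt, name) == value for name, value in fields.items())


class TokenBucketMeter:
    """Meter for a traffic profile given as rate (bytes/s) and burst (bytes);
    reports for each packet whether it is in profile."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def measure(self, pkt: Packet, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return True          # in profile
        return False             # out of profile


@dataclass
class TrafficConditioner:
    """One TCA at a DS ingress node: classifier rule -> meter -> marker or dropper.
    out_dscp=None polices (drops) out-of-profile packets; otherwise they are re-marked."""
    rule: dict
    meter: TokenBucketMeter
    in_dscp: int
    out_dscp: Optional[int]
    counters: dict = field(default_factory=lambda: dict(in_profile=0, remarked=0, dropped=0, default=0))

    def condition(self, pkt: Packet, now: float) -> Optional[Packet]:
        if not mf_classify(pkt, **self.rule):
            # Not covered by this TCA: whatever codepoint the source chose is not
            # trusted at the boundary, so the packet is re-marked to the default.
            pkt.mark(DEFAULT_DSCP)
            self.counters["default"] += 1
            return pkt
        if self.meter.measure(pkt, now):
            pkt.mark(self.in_dscp)
            self.counters["in_profile"] += 1
            return pkt
        if self.out_dscp is None:
            self.counters["dropped"] += 1     # dropper: policing the excess
            return None
        pkt.mark(self.out_dscp)               # marker: re-marking the excess
        self.counters["remarked"] += 1
        return pkt


def run_demo(police: bool = False) -> dict:
    """Constructed sample: four 1000-byte packets from a customer whose SLA allows
    1000 bytes/s with a 1500-byte burst, plus one packet from an outside source
    that already carries the customer's premium codepoint."""
    tc = TrafficConditioner(
        rule={"src": "192.0.2.10", "proto": 17},
        meter=TokenBucketMeter(rate=1000.0, burst=1500),
        in_dscp=0x2A,                         # constructed codepoint values
        out_dscp=None if police else 0x0B,
    )
    stream = [
        (0.0, Packet("192.0.2.10", "203.0.113.5", 17, 5004, 5004, 0x00, 1000)),
        (0.0, Packet("192.0.2.10", "203.0.113.5", 17, 5004, 5004, 0x00, 1000)),
        (0.5, Packet("192.0.2.10", "203.0.113.5", 17, 5004, 5004, 0x00, 1000)),
        (1.0, Packet("192.0.2.10", "203.0.113.5", 17, 5004, 5004, 0x00, 1000)),
        (1.0, Packet("198.51.100.7", "203.0.113.5", 17, 5004, 5004, 0x2A << 2, 1000)),
    ]
    forwarded = [tc.condition(pkt, t) for t, pkt in stream]
    return {"dscps": [p.dscp if p else None for p in forwarded], "counters": tc.counters}
```

With re-marking, the second and fourth customer packets exceed the bucket and leave the ingress node with the out-of-profile codepoint; with policing (run_demo(police=True)) they are discarded instead. The outsider's packet arrives pre-marked with the premium codepoint but matches no TCA, so the boundary node overwrites it, which is the reason the architecture puts classification and conditioning at the boundary rather than trusting the marking a packet arrives with.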

1.3 Requirements

The history of the Internet has been one of continuous growth in the number of hosts, the number and variety of applications, and the capacity of the network infrastructure, and this growth is expected to continue for the foreseeable future. A scalable architecture for service differentiation must be able to accommodate this continued growth.

The following requirements were identified and are addressed in this architecture:

o should accommodate a wide variety of services and provisioning policies, extending end-to-end or within a particular (set of) network(s),

o should allow decoupling of the service from the particular application in use,

o should work with existing applications without the need for application programming interface changes or host software modifications (assuming suitable deployment of classifiers, markers, and other traffic conditioning functions),

o should decouple traffic conditioning and service provisioning functions from forwarding behaviors implemented within the core network nodes,

o should not depend on hop-by-hop application signaling,

o should require only a small set of forwarding behaviors whose implementation complexity does not dominate the cost of a network device, and which will not introduce bottlenecks for future high-speed system implementations,

o should avoid per-microflow or per-customer state within core network nodes,

o should utilize only aggregated classification state within the network core,

o should permit simple packet classification implementations in core network nodes (BA classifier),

o should permit reasonable interoperability with non-DS-compliant network nodes,

o should accommodate incremental deployment.

1.4 Comparisons with Other Approaches

The differentiated services architecture specified in this document can be contrasted with other existing models of service differentiation. We classify these alternative models into the following categories: relative priority marking, service marking, label switching, Integrated Services/RSVP, and static per-hop classification.

Examples of the relative priority marking model include IPv4 Precedence marking as defined in [RFC791], 802.5 Token Ring priority [TR], and the default interpretation of 802.1p traffic classes [802.1p]. In this model the application, host, or proxy node selects a relative priority or "precedence" for a packet (e.g., delay or discard priority), and the network nodes along the transit path apply the appropriate priority forwarding behavior corresponding to the priority value within the packet's header. Our architecture can be considered as a refinement to this model, since we more clearly specify the role and importance of boundary nodes and traffic conditioners, and since our per-hop behavior model permits more general forwarding behaviors than relative delay or discard priority.

An example of a service marking model is IPv4 TOS as defined in [RFC1349]. In this example each packet is marked with a request for a "type of service", which may include "minimize delay", "maximize throughput", "maximize reliability", or "minimize cost". Network nodes may select routing paths or forwarding behaviors which are suitably engineered to satisfy the service request. This model is subtly different from our architecture. Note that we do not describe the use of the DS field as an input to route selection. The TOS markings defined in [RFC1349] are very generic and do not span the range of possible service semantics. Furthermore, the service request is associated with each individual packet, whereas some service semantics may depend on the aggregate forwarding behavior of a sequence of packets. The service marking model does not easily accommodate growth in the number and range of future services (since the codepoint space is small) and involves configuration of the "TOS->forwarding behavior" association in each core network node. Standardizing service markings implies standardizing service offerings, which is outside the scope of the IETF. Note that provisions are made in the allocation of the DS codepoint space to allow for locally significant codepoints which may be used by a provider to support service marking semantics [DSFIELD].

Examples of the label switching (or virtual circuit) model include Frame Relay, ATM, and MPLS [FRELAY, ATM]. In this model path forwarding state and traffic management or QoS state is established for traffic streams on each hop along a network path. Traffic aggregates of varying granularity are associated with a label switched path at an ingress node, and packets/cells within each label switched path are marked with a forwarding label that is used to lookup the next-hop node, the per-hop forwarding behavior, and the replacement label at each hop. This model permits finer granularity resource allocation to traffic streams, since label values are not globally significant but are only significant on a single link; therefore resources can be reserved for the aggregate of packets/cells received on a link with a particular label, and the label switching semantics govern the next-hop selection, allowing a traffic stream to follow a specially engineered path through the network. This improved granularity comes at the cost of additional management and configuration requirements to establish and maintain the label switched paths. In addition, the amount of forwarding state maintained at each node scales in proportion to the number of edge nodes of the network in the best case (assuming multipoint-to-point label switched paths), and it scales in proportion with the square of the number of edge nodes in the worst case, when edge-edge label switched paths with provisioned resources are employed.

The Integrated Services/RSVP model relies upon traditional datagram forwarding in the default case, but allows sources and receivers to exchange signaling messages which establish additional packet classification and forwarding state on each node along the path between them [RFC1633, RSVP]. In the absence of state aggregation, the amount of state on each node scales in proportion to the number of concurrent reservations, which can be potentially large on high-speed links. This model also requires application support for the RSVP signaling protocol. Differentiated services mechanisms can be utilized to aggregate Integrated Services/RSVP state in the core of the network [Bernet].

A variant of the Integrated Services/RSVP model eliminates the requirement for hop-by-hop signaling by utilizing only "static" classification and forwarding policies which are implemented in each node along a network path. These policies are updated on administrative timescales and not in response to the instantaneous mix of microflows active in the network. The state requirements for this variant are potentially worse than those encountered when RSVP is used, especially in backbone nodes, since the number of static policies that might be applicable at a node over time may be larger than the number of active sender-receiver sessions that might have installed reservation state on a node. Although the support of large numbers of classifier rules and forwarding policies may be computationally feasible, the management burden associated with installing and maintaining these rules on each node within a backbone network which might be traversed by a traffic stream is substantial.

Although we contrast our architecture with these alternative models of service differentiation, it should be noted that links and nodes employing these techniques may be utilized to extend differentiated services behaviors and semantics across a layer-2 switched infrastructure (e.g., 802.1p LANs, Frame Relay/ATM backbones) interconnecting DS nodes, and in the case of MPLS may be used as an alternative intra-domain implementation technology. The constraints imposed by the use of a specific link-layer technology in particular regions of a DS domain (or in a network providing access to DS domains) may imply the differentiation of traffic on a coarser grain basis. Depending on the mapping of PHBs to different link-layer services and the way in which packets are scheduled over a restricted set of priority classes (or virtual circuits of different category and capacity), all or a subset of the PHBs in use may be supportable (or may be indistinguishable).

2. Differentiated Services Architectural Model

The differentiated services architecture is based on a simple model where traffic entering a network is classified and possibly conditioned at the boundaries of the network, and assigned to different behavior aggregates. Each behavior aggregate is identified by a single DS codepoint. Within the core of the network, packets are forwarded according to the per-hop behavior associated with the DS codepoint. In this section, we discuss the key components within a differentiated services region, traffic classification and conditioning functions, and how differentiated services are achieved through the combination of traffic conditioning and PHB-based forwarding.


2.1 Differentiated Services Domain

A DS domain is a contiguous set of DS nodes which operate with a common service provisioning policy and set of PHB groups implemented on each node. A DS domain has a well-defined boundary consisting of DS boundary nodes which classify and possibly condition ingress traffic to ensure that packets which transit the domain are appropriately marked to select a PHB from one of the PHB groups supported within the domain. Nodes within the DS domain select the forwarding behavior for packets based on their DS codepoint, mapping that value to one of the supported PHBs using either the recommended codepoint->PHB mapping or a locally customized mapping [DSFIELD]. Inclusion of non-DS-compliant nodes within a DS domain may result in unpredictable performance and may impede the ability to satisfy service level agreements (SLAs).


A DS domain normally consists of one or more networks under the same administration; for example, an organization's intranet or an ISP. The administration of the domain is responsible for ensuring that adequate resources are provisioned and/or reserved to support the SLAs offered by the domain.


2.1.1 DS Boundary Nodes and Interior Nodes

A DS domain consists of DS boundary nodes and DS interior nodes. DS boundary nodes interconnect the DS domain to other DS or non-DS-capable domains, whilst DS interior nodes only connect to other DS interior or boundary nodes within the same DS domain.


Both DS boundary nodes and interior nodes must be able to apply the appropriate PHB to packets based on the DS codepoint; otherwise unpredictable behavior may result. In addition, DS boundary nodes may be required to perform traffic conditioning functions as defined by a traffic conditioning agreement (TCA) between their DS domain and the peering domain which they connect to (see Sec. 2.3.3).

Interior nodes may be able to perform limited traffic conditioning functions such as DS codepoint re-marking. Interior nodes which implement more complex classification and traffic conditioning functions are analogous to DS boundary nodes (see Sec. 2.3.4.4).


A host in a network containing a DS domain may act as a DS boundary node for traffic from applications running on that host; we therefore say that the host is within the DS domain. If a host does not act as a boundary node, then the DS node topologically closest to that host acts as the DS boundary node for that host's traffic.


2.1.2 DS Ingress Node and Egress Node

DS boundary nodes act both as a DS ingress node and as a DS egress node for different directions of traffic. Traffic enters a DS domain at a DS ingress node and leaves a DS domain at a DS egress node. A DS ingress node is responsible for ensuring that the traffic entering the DS domain conforms to any TCA between it and the other domain to which the ingress node is connected. A DS egress node may perform traffic conditioning functions on traffic forwarded to a directly connected peering domain, depending on the details of the TCA between the two domains. Note that a DS boundary node may act as a DS interior node for some set of interfaces.


2.2 Differentiated Services Region

A differentiated services region (DS Region) is a set of one or more contiguous DS domains. DS regions are capable of supporting differentiated services along paths which span the domains within the region.


The DS domains in a DS region may support different PHB groups internally and different codepoint->PHB mappings. However, to permit services which span across the domains, the peering DS domains must each establish a peering SLA which defines (either explicitly or implicitly) a TCA which specifies how transit traffic from one DS domain to another is conditioned at the boundary between the two DS domains.


It is possible that several DS domains within a DS region may adopt a common service provisioning policy and may support a common set of PHB groups and codepoint mappings, thus eliminating the need for traffic conditioning between those DS domains.


2.3 Traffic Classification and Conditioning

Differentiated services are extended across a DS domain boundary by establishing a SLA between an upstream network and a downstream DS domain. The SLA may specify packet classification and re-marking rules and may also specify traffic profiles and actions to traffic streams which are in- or out-of-profile (see Sec. 2.3.2). The TCA between the domains is derived (explicitly or implicitly) from this SLA.


The packet classification policy identifies the subset of traffic which may receive a differentiated service by being conditioned and/or mapped to one or more behavior aggregates (by DS codepoint re-marking) within the DS domain.

Traffic conditioning performs metering, shaping, policing and/or re-marking to ensure that the traffic entering the DS domain conforms to the rules specified in the TCA, in accordance with the domain's service provisioning policy. The extent of traffic conditioning required is dependent on the specifics of the service offering, and may range from simple codepoint re-marking to complex policing and shaping operations. The details of traffic conditioning policies which are negotiated between networks are outside the scope of this document.

2.3.1 Classifiers

Packet classifiers select packets in a traffic stream based on the content of some portion of the packet header. We define two types of classifiers. The BA (Behavior Aggregate) Classifier classifies packets based on the DS codepoint only. The MF (Multi-Field) classifier selects packets based on the value of a combination of one or more header fields, such as source address, destination address, DS field, protocol ID, source port and destination port numbers, and other information such as incoming interface.


Classifiers are used to "steer" packets matching some specified rule to an element of a traffic conditioner for further processing. Classifiers must be configured by some management procedure in accordance with the appropriate TCA.


The classifier should authenticate the information which it uses to classify the packet (see Sec. 6).


Note that in the event of upstream packet fragmentation, MF classifiers which examine the contents of transport-layer header fields may incorrectly classify packet fragments subsequent to the first. A possible solution to this problem is to maintain fragmentation state; however, this is not a general solution due to the possibility of upstream fragment re-ordering or divergent routing paths. The policy to apply to packet fragments is outside the scope of this document.

2.3.2 Traffic Profiles

A traffic profile specifies the temporal properties of a traffic stream selected by a classifier. It provides rules for determining whether a particular packet is in-profile or out-of-profile. For example, a profile based on a token bucket may look like:


codepoint=X, use token-bucket r, b


The above profile indicates that all packets marked with DS codepoint X should be measured against a token bucket meter with rate r and burst size b. In this example out-of-profile packets are those packets in the traffic stream which arrive when insufficient tokens are available in the bucket. The concept of in- and out-of-profile can be extended to more than two levels, e.g., multiple levels of conformance with a profile may be defined and enforced.


Different conditioning actions may be applied to the in-profile packets and out-of-profile packets, or different accounting actions may be triggered. In-profile packets may be allowed to enter the DS domain without further conditioning; or, alternatively, their DS codepoint may be changed. The latter happens when the DS codepoint is set to a non-Default value for the first time [DSFIELD], or when the packets enter a DS domain that uses a different PHB group or codepoint->PHB mapping policy for this traffic stream. Out-of-profile packets may be queued until they are in-profile (shaped), discarded (policed), marked with a new codepoint (re-marked), or forwarded unchanged while triggering some accounting procedure. Out-of-profile packets may be mapped to one or more behavior aggregates that are "inferior" in some dimension of forwarding performance to the BA into which in-profile packets are mapped.


Note that a traffic profile is an optional component of a TCA and its use is dependent on the specifics of the service offering and the domain's service provisioning policy.


2.3.3 Traffic Conditioners

A traffic conditioner may contain the following elements: meter, marker, shaper, and dropper. A traffic stream is selected by a classifier, which steers the packets to a logical instance of a traffic conditioner. A meter is used (where appropriate) to measure the traffic stream against a traffic profile. The state of the meter with respect to a particular packet (e.g., whether it is in- or out-of-profile) may be used to affect a marking, dropping, or shaping action.

When packets exit the traffic conditioner of a DS boundary node the DS codepoint of each packet must be set to an appropriate value.


Fig. 1 shows the block diagram of a classifier and traffic conditioner. Note that a traffic conditioner may not necessarily contain all four elements. For example, in the case where no traffic profile is in effect, packets may only pass through a classifier and a marker.


                               +-------+
                               |       |-------------------+
                        +----->| Meter |                   |
                        |      |       |--+                |
                        |      +-------+  |                |
                        |                 V                V
                  +------------+      +--------+      +---------+
                  |            |      |        |      | Shaper/ |
    packets =====>| Classifier |=====>| Marker |=====>| Dropper |=====>
                  |            |      |        |      |         |
                  +------------+      +--------+      +---------+
        

Fig. 1: Logical View of a Packet Classifier and Traffic Conditioner


2.3.3.1 Meters

Traffic meters measure the temporal properties of the stream of packets selected by a classifier against a traffic profile specified in a TCA. A meter passes state information to other conditioning functions to trigger a particular action for each packet which is either in- or out-of-profile (to some extent).


2.3.3.2 Markers

Packet markers set the DS field of a packet to a particular codepoint, adding the marked packet to a particular DS behavior aggregate. The marker may be configured to mark all packets which are steered to it to a single codepoint, or may be configured to mark a packet to one of a set of codepoints used to select a PHB in a PHB group, according to the state of a meter. When the marker changes the codepoint in a packet it is said to have "re-marked" the packet.


2.3.3.3 Shapers

Shapers delay some or all of the packets in a traffic stream in order to bring the stream into compliance with a traffic profile. A shaper usually has a finite-size buffer, and packets may be discarded if there is not sufficient buffer space to hold the delayed packets.


2.3.3.4 Droppers

Droppers discard some or all of the packets in a traffic stream in order to bring the stream into compliance with a traffic profile. This process is known as "policing" the stream. Note that a dropper can be implemented as a special case of a shaper by setting the shaper buffer size to zero (or a few) packets.
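The following Python program is an added illustration, not part of RFC 2475 or of any reference implementation, of the classifier and conditioner elements of Sec. 2.3.1 through 2.3.3 assembled as in Fig. 1. An MF classifier steers packets from one source to a token-bucket meter (the profile "codepoint=X, use token-bucket r, b" of Sec. 2.3.2); in-profile packets are marked, and out-of-profile packets are either re-marked to an "inferior" codepoint or dropped (a dropper being a shaper with a zero-length buffer). Packets matching no TCA rule are re-marked to the Default codepoint, since an ingress node cannot assume that codepoints set upstream conform to any agreement. A third variant uses a BA classifier to re-mark a whole incoming aggregate, as a domain with a different codepoint->PHB mapping would. The codepoint values, addresses, rates and sample packets are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed codepoints for this example, not values taken from the RFC text.
DEFAULT_CP = 0b000000   # the Default codepoint (all zeros)
PREMIUM_CP = 0b101110   # hypothetical codepoint for in-profile traffic
DEMOTED_CP = 0b001010   # hypothetical "inferior" BA for out-of-profile packets


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    dscp: int
    length: int        # bytes
    arrival: float     # seconds


class MFClassifier:
    """Multi-Field classifier: matches a combination of header fields.
    Any field not given in the rule is a wildcard."""
    def __init__(self, **rule):
        self.rule = rule

    def matches(self, p: Packet) -> bool:
        return all(getattr(p, k) == v for k, v in self.rule.items())


class BAClassifier:
    """Behavior Aggregate classifier: matches on the DS codepoint only."""
    def __init__(self, dscp: int):
        self.dscp = dscp

    def matches(self, p: Packet) -> bool:
        return p.dscp == self.dscp


class TokenBucketMeter:
    """Profile 'use token-bucket r, b': r in bytes/s, b (burst) in bytes.
    A packet is in-profile when enough tokens are in the bucket on arrival."""
    def __init__(self, r: float, b: float):
        self.r, self.b = r, b
        self.tokens = b
        self.last = 0.0

    def in_profile(self, p: Packet) -> bool:
        # Refill for the time elapsed since the previous packet, capped at b.
        self.tokens = min(self.b, self.tokens + (p.arrival - self.last) * self.r)
        self.last = p.arrival
        if p.length <= self.tokens:
            self.tokens -= p.length
            return True
        return False


class Conditioner:
    """Meter -> marker -> dropper for one classified stream, as in Fig. 1.
    out_action is 'remark' (mark to out_cp) or 'drop' (police)."""
    def __init__(self, classifier, meter: Optional[TokenBucketMeter],
                 in_cp: int, out_cp: int = DEFAULT_CP, out_action: str = "remark"):
        self.classifier, self.meter = classifier, meter
        self.in_cp, self.out_cp, self.out_action = in_cp, out_cp, out_action

    def process(self, p: Packet) -> Optional[int]:
        """Return the codepoint the packet leaves with, or None if dropped."""
        if self.meter is None or self.meter.in_profile(p):
            return self.in_cp
        if self.out_action == "drop":
            return None
        return self.out_cp


def ingress(packets, conditioners):
    """Steer each packet to the first conditioner whose classifier matches.
    Traffic matching no TCA rule is re-marked to Default (local policy of
    this example): an ingress node does not trust upstream codepoints."""
    results = []
    for p in packets:
        for c in conditioners:
            if c.classifier.matches(p):
                results.append(c.process(p))
                break
        else:
            results.append(DEFAULT_CP)
    return results


# Constructed sample traffic: hypothetical host 10.0.0.5 has a TCA of
# 1000 bytes/s with a 1500-byte burst; 10.0.0.9 has no agreement at all.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.1", 6, 40000, 443, PREMIUM_CP, 1000, 0.0),
    Packet("10.0.0.5", "192.0.2.1", 6, 40000, 443, PREMIUM_CP, 1000, 0.1),
    Packet("10.0.0.5", "192.0.2.1", 6, 40000, 443, PREMIUM_CP, 1000, 2.0),
    Packet("10.0.0.9", "192.0.2.1", 17, 5000, 53, PREMIUM_CP, 500, 2.0),
]


def run_remark():
    """Out-of-profile packets are re-marked to the inferior BA."""
    c = Conditioner(MFClassifier(src="10.0.0.5"), TokenBucketMeter(1000, 1500),
                    PREMIUM_CP, DEMOTED_CP, "remark")
    return ingress(SAMPLE, [c])


def run_police():
    """Out-of-profile packets are dropped (zero-buffer shaper)."""
    c = Conditioner(MFClassifier(src="10.0.0.5"), TokenBucketMeter(1000, 1500),
                    PREMIUM_CP, out_action="drop")
    return ingress(SAMPLE, [c])


def run_ba_remark():
    """A domain with a different mapping re-marks the whole incoming BA."""
    c = Conditioner(BAClassifier(PREMIUM_CP), None, DEMOTED_CP)
    return ingress(SAMPLE, [c])


if __name__ == "__main__":
    print(run_remark(), run_police(), run_ba_remark())
```

In the sample, the second packet arrives 0.1 s after the first with only 600 tokens left in the bucket, so it is out-of-profile and is either demoted or dropped; the packet from the source with no TCA leaves with the Default codepoint whatever it claimed on arrival.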

2.3.4 Location of Traffic Conditioners and MF Classifiers

Traffic conditioners are usually located within DS ingress and egress boundary nodes, but may also be located in nodes within the interior of a DS domain, or within a non-DS-capable domain.


2.3.4.1 Within the Source Domain

We define the source domain as the domain containing the node(s) which originate the traffic receiving a particular service. Traffic sources and intermediate nodes within a source domain may perform traffic classification and conditioning functions. The traffic originating from the source domain across a boundary may be marked by the traffic sources directly or by intermediate nodes before leaving the source domain. This is referred to as initial marking or "pre-marking".


Consider the example of a company that has the policy that its CEO's packets should have higher priority. The CEO's host may mark the DS field of all outgoing packets with a DS codepoint that indicates "higher priority". Alternatively, the first-hop router directly connected to the CEO's host may classify the traffic and mark the CEO's packets with the correct DS codepoint. Such high priority traffic may also be conditioned near the source so that there is a limit on the amount of high priority traffic forwarded from a particular source.


There are some advantages to marking packets close to the traffic source. First, a traffic source can more easily take an application's preferences into account when deciding which packets should receive better forwarding treatment. Also, classification of packets is much simpler before the traffic has been aggregated with packets from other sources, since the number of classification rules which need to be applied within a single node is reduced.

Since packet marking may be distributed across multiple nodes, the source DS domain is responsible for ensuring that the aggregated traffic towards its provider DS domain conforms to the appropriate TCA. Additional allocation mechanisms such as bandwidth brokers or RSVP may be used to dynamically allocate resources for a particular DS behavior aggregate within the provider's network [2BIT, Bernet]. The boundary node of the source domain should also monitor conformance to the TCA, and may police, shape, or re-mark packets as necessary.


2.3.4.2 At the Boundary of a DS Domain

Traffic streams may be classified, marked, and otherwise conditioned on either end of a boundary link (the DS egress node of the upstream domain or the DS ingress node of the downstream domain). The SLA between the domains should specify which domain has responsibility for mapping traffic streams to DS behavior aggregates and conditioning those aggregates in conformance with the appropriate TCA. However, a DS ingress node must assume that the incoming traffic may not conform to the TCA and must be prepared to enforce the TCA in accordance with local policy.


When packets are pre-marked and conditioned in the upstream domain, potentially fewer classification and traffic conditioning rules need to be supported in the downstream DS domain. In this circumstance the downstream DS domain may only need to re-mark or police the incoming behavior aggregates to enforce the TCA. However, more sophisticated services which are path- or source-dependent may require MF classification in the downstream DS domain's ingress nodes.


If a DS ingress node is connected to an upstream non-DS-capable domain, the DS ingress node must be able to perform all necessary traffic conditioning functions on the incoming traffic.


2.3.4.3 In non-DS-Capable Domains

Traffic sources or intermediate nodes in a non-DS-capable domain may employ traffic conditioners to pre-mark traffic before it reaches the ingress of a downstream DS domain. In this way the local policies for classification and marking may be concealed.


2.3.4.4 In Interior DS Nodes

Although the basic architecture assumes that complex classification and traffic conditioning functions are located only in a network's ingress and egress boundary nodes, deployment of these functions in the interior of the network is not precluded. For example, more restrictive access policies may be enforced on a transoceanic link, requiring MF classification and traffic conditioning functionality in the upstream node on the link. This approach may have scaling limits, due to the potentially large number of classification and conditioning rules that might need to be maintained.


2.4 Per-Hop Behaviors

A per-hop behavior (PHB) is a description of the externally observable forwarding behavior of a DS node applied to a particular DS behavior aggregate. "Forwarding behavior" is a general concept in this context. For example, in the event that only one behavior aggregate occupies a link, the observable forwarding behavior (i.e., loss, delay, jitter) will often depend only on the relative loading of the link (i.e., in the event that the behavior assumes a work-conserving scheduling discipline). Useful behavioral distinctions are mainly observed when multiple behavior aggregates compete for buffer and bandwidth resources on a node. The PHB is the means by which a node allocates resources to behavior aggregates, and it is on top of this basic hop-by-hop resource allocation mechanism that useful differentiated services may be constructed.


The simplest example of a PHB is one which guarantees a minimal bandwidth allocation of X% of a link (over some reasonable time interval) to a behavior aggregate. This PHB can be fairly easily measured under a variety of competing traffic conditions. A slightly more complex PHB would guarantee a minimal bandwidth allocation of X% of a link, with proportional fair sharing of any excess link capacity. In general, the observable behavior of a PHB may depend on certain constraints on the traffic characteristics of the associated behavior aggregate, or the characteristics of other behavior aggregates.
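As an added worked example (not from the RFC), the following Python function computes the allocation that the "slightly more complex PHB" above describes: each behavior aggregate is guaranteed X% of the link, and any capacity left unused by aggregates that demand less than their guarantee (or left unassigned because the guarantees sum to less than 100%) is shared among the remaining aggregates in proportion to their guarantees, repeating until the link is full or every demand is met. The aggregate names, shares and demands are constructed inputs.

```python
def allocate(capacity, aggregates, eps=1e-9):
    """Allocate a link of `capacity` among behavior aggregates.

    aggregates: {name: (guaranteed_share_percent, demand)}, demand in the
    same units as capacity.  Each aggregate first receives
    min(demand, X% of the link).  Excess capacity is then shared among
    the aggregates whose demand is still unmet, in proportion to their
    guarantees, and the step repeats because an aggregate may saturate
    (reach its demand) part-way through a round.  The result is
    work-conserving: the link is full whenever total demand allows."""
    total_share = sum(share for share, _ in aggregates.values())
    if total_share > 100 + eps:
        raise ValueError("guaranteed shares exceed the link (%.1f%%)" % total_share)
    alloc = {name: min(demand, capacity * share / 100.0)
             for name, (share, demand) in aggregates.items()}
    while True:
        excess = capacity - sum(alloc.values())
        unsatisfied = [n for n, (_, demand) in aggregates.items()
                       if alloc[n] + eps < demand]
        if excess <= eps or not unsatisfied:
            return alloc
        weight = sum(aggregates[n][0] for n in unsatisfied)
        for n in unsatisfied:
            # Aggregates with a 0% guarantee split the excess equally among
            # themselves if nobody with a guarantee is still unsatisfied.
            frac = aggregates[n][0] / weight if weight else 1.0 / len(unsatisfied)
            alloc[n] = min(aggregates[n][1], alloc[n] + excess * frac)


if __name__ == "__main__":
    # Constructed case: a 100 Mb/s link, three aggregates, demands in Mb/s.
    print(allocate(100, {"A": (50, 60), "B": (30, 10), "C": (20, 100)}))
```

In the constructed case B uses only 10 of its guaranteed 30 units, so 20 units of excess are first split 50:20 between A and C; A saturates at its demand of 60 and the leftover is handed to C in a second round, giving A=60, B=10, C=30.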

PHBs may be specified in terms of their resource (e.g., buffer, bandwidth) priority relative to other PHBs, or in terms of their relative observable traffic characteristics (e.g., delay, loss). These PHBs may be used as building blocks to allocate resources and should be specified as a group (PHB group) for consistency. PHB groups will usually share a common constraint applying to each PHB within the group, such as a packet scheduling or buffer management policy. The relationship between PHBs in a group may be in terms of absolute or relative priority (e.g., discard priority by means of deterministic or stochastic thresholds), but this is not required (e.g., N equal link shares). A single PHB defined in isolation is a special case of a PHB group.

PHBs are implemented in nodes by means of some buffer management and packet scheduling mechanisms. PHBs are defined in terms of behavior characteristics relevant to service provisioning policies, and not in terms of particular implementation mechanisms. In general, a variety of implementation mechanisms may be suitable for implementing a particular PHB group. Furthermore, it is likely that more than one PHB group may be implemented on a node and utilized within a domain. PHB groups should be defined such that the proper resource allocation between groups can be inferred, and integrated mechanisms can be implemented which can simultaneously support two or more groups. A PHB group definition should indicate possible conflicts with previously documented PHB groups which might prevent simultaneous operation.


As described in [DSFIELD], a PHB is selected at a node by a mapping of the DS codepoint in a received packet. Standardized PHBs have a recommended codepoint. However, the total space of codepoints is larger than the space available for recommended codepoints for standardized PHBs, and [DSFIELD] leaves provisions for locally configurable mappings. A codepoint->PHB mapping table may contain both 1->1 and N->1 mappings. All codepoints must be mapped to some PHB; in the absence of some local policy, codepoints which are not mapped to a standardized PHB in accordance with that PHB's specification should be mapped to the Default PHB.

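The following Python code is an added example, not taken from the RFC or from [DSFIELD], of the codepoint->PHB selection step described above. It extracts the DS codepoint from a raw IPv4 or IPv6 header (the six high-order bits of the former IPv4 TOS octet or of the IPv6 Traffic Class octet, as [DSFIELD] lays the DS field out; the two low-order bits are ignored so that their value cannot influence PHB selection) and looks it up in a table holding both 1->1 and N->1 mappings, falling back to the Default PHB for any unmapped codepoint. Only the DS field is consulted, as guideline G.1 in Sec. 3 requires. The PHB names, codepoint values and the constructed headers are placeholders for the example.

```python
import struct

# Hypothetical PHB names for one node; the RFC defines no PHBs in this text.
DEFAULT_PHB = "Default"


def dscp_from_ipv4(header: bytes) -> int:
    """The DS field replaces the IPv4 TOS octet (byte 1 of the header).
    The DSCP is its six high-order bits; the two low-order bits are
    currently unused and must not affect PHB selection."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def dscp_from_ipv6(header: bytes) -> int:
    """In IPv6 the DS field is the Traffic Class octet, which straddles
    the low nibble of byte 0 and the high nibble of byte 1."""
    if len(header) < 40 or header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    traffic_class = ((header[0] & 0x0F) << 4) | (header[1] >> 4)
    return traffic_class >> 2


def dscp_from_header(header: bytes) -> int:
    version = header[0] >> 4 if header else 0
    if version == 4:
        return dscp_from_ipv4(header)
    if version == 6:
        return dscp_from_ipv6(header)
    raise ValueError("unknown IP version %d" % version)


class PHBTable:
    """codepoint->PHB mapping table.  Keys are tuples of codepoints so a
    single PHB may be reached from several codepoints (N->1).  Every
    codepoint absent from the table maps to the Default PHB, and a
    codepoint may not be mapped twice."""
    def __init__(self, mapping):
        self.table = {}
        for codepoints, phb in mapping.items():
            for cp in codepoints:
                if not 0 <= cp <= 0x3F:
                    raise ValueError("DSCP out of range: %r" % cp)
                if cp in self.table:
                    raise ValueError("codepoint %d mapped twice" % cp)
                self.table[cp] = phb

    def lookup(self, dscp: int) -> str:
        return self.table.get(dscp, DEFAULT_PHB)


# Constructed mapping for a hypothetical node: one 1->1 and one N->1 entry.
NODE_TABLE = PHBTable({
    (0b101110,): "Premium",
    (0b001010, 0b001100, 0b001110): "Class1",
    (0b000000,): DEFAULT_PHB,
})


def select_phb(header: bytes, table: PHBTable = NODE_TABLE) -> str:
    """PHB selection uses the DS field and nothing else (guideline G.1)."""
    return table.lookup(dscp_from_header(header))


# Helpers building minimal constructed headers (zero addresses, no payload).
def make_ipv4(dscp: int, cu: int = 0) -> bytes:
    tos = (dscp << 2) | (cu & 0x3)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes(4), bytes(4))


def make_ipv6(dscp: int, cu: int = 0) -> bytes:
    traffic_class = (dscp << 2) | (cu & 0x3)
    first_word = (6 << 28) | (traffic_class << 20)   # flow label 0
    return struct.pack("!IHBB16s16s", first_word, 0, 59, 64,
                       bytes(16), bytes(16))


if __name__ == "__main__":
    for hdr in (make_ipv4(0b101110), make_ipv6(0b001100), make_ipv4(0b111111)):
        print(dscp_from_header(hdr), select_phb(hdr))
```

The table constructor rejects out-of-range and doubly mapped codepoints at configuration time, which is where a mis-typed local mapping should fail rather than at forwarding time; the third sample header carries an unmapped codepoint and therefore selects the Default PHB.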

2.5 Network Resource Allocation

The implementation, configuration, operation and administration of the supported PHB groups in the nodes of a DS Domain should effectively partition the resources of those nodes and the inter-node links between behavior aggregates, in accordance with the domain's service provisioning policy. Traffic conditioners can further control the usage of these resources through enforcement of TCAs and possibly through operational feedback from the nodes and traffic conditioners in the domain. Although a range of services can be deployed in the absence of complex traffic conditioning functions (e.g., using only static marking policies), functions such as policing, shaping, and dynamic re-marking enable the deployment of services providing quantitative performance metrics.


The configuration of and interaction between traffic conditioners and interior nodes should be managed by the administrative control of the domain and may require operational control through protocols and a control entity. There is a wide range of possible control models.


The precise nature and implementation of the interaction between these components is outside the scope of this architecture. However, scalability requires that the control of the domain does not require micro-management of the network resources. The most scalable control model would operate nodes in open-loop in the operational timeframe, and would only require administrative-timescale management as SLAs are varied. This simple model may be unsuitable in some circumstances, and some automated but slowly varying operational control (minutes rather than seconds) may be desirable to balance the utilization of the network against the recent load profile.


3. Per-Hop Behavior Specification Guidelines

Basic requirements for per-hop behavior standardization are given in [DSFIELD]. This section elaborates on that text by describing additional guidelines for PHB (group) specifications. This is intended to help foster implementation consistency. Before a PHB group is proposed for standardization it should satisfy these guidelines, as appropriate, to preserve the integrity of this architecture.


G.1: A PHB standard must specify a recommended DS codepoint selected from the codepoint space reserved for standard mappings [DSFIELD]. Recommended codepoints will be assigned by the IANA. A PHB proposal may recommend a temporary codepoint from the EXP/LU space to facilitate inter-domain experimentation. Determination of a packet's PHB must not require inspection of additional packet header fields beyond the DS field.


G.2: The specification of each newly proposed PHB group should include an overview of the behavior and the purpose of the behavior being proposed. The overview should include a problem or problems statement for which the PHB group is targeted. The overview should include the basic concepts behind the PHB group. These concepts should include, but are not restricted to, queueing behavior, discard behavior, and output link selection behavior. Lastly, the overview should specify the method by which the PHB group solves the problem or problems specified in the problem statement.


G.3: A PHB group specification should indicate the number of individual PHBs specified. In the event that multiple PHBs are specified, the interactions between these PHBs and constraints that must be respected globally by all the PHBs within the group should be clearly specified. As an example, the specification must indicate whether the probability of packet reordering within a microflow is increased if different packets in that microflow are marked for different PHBs within the group.


G.4: When proper functioning of a PHB group is dependent on constraints such as a provisioning restriction, then the PHB definition should describe the behavior when these constraints are violated. Further, if actions such as packet discard or re-marking are required when these constraints are violated, then these actions should be specifically stipulated.


G.5: A PHB group may be specified for local use within a domain in order to provide some domain-specific functionality or domain-specific services. In this event, the PHB specification is useful for providing vendors with a consistent definition of the PHB group. However, any PHB group which is defined for local use should not be considered for standardization, but may be published as an Informational RFC. In contrast, a PHB group which is intended for general use will follow a stricter standardization process. Therefore all PHB proposals should specifically state whether they are to be considered for general or local use.

It is recognized that PHB groups can be designed with the intent of providing host-to-host, WAN edge-to-WAN edge, and/or domain edge-to-domain edge services. Use of the term "end-to-end" in a PHB definition should be interpreted to mean "host-to-host" for consistency.

Other PHB groups may be defined and deployed locally within domains, for experimental or operational purposes. There is no requirement that these PHB groups must be publicly documented, but they should utilize DS codepoints from one of the EXP/LU pools as defined in [DSFIELD].

G.6: It may be possible or appropriate for a packet marked for a PHB within a PHB group to be re-marked to select another PHB within the group, either within a domain or across a domain boundary. Typically there are three reasons for such PHB modification:

a. The codepoints associated with the PHB group are collectively intended to carry state about the network,

b. Conditions exist which require PHB promotion or demotion of a packet (this assumes that PHBs within the group can be ranked in some order),

c. The boundary between two domains is not covered by a SLA. In this case the codepoint/PHB to select when crossing the boundary link will be determined by the local policy of the upstream domain.

A PHB specification should clearly state the circumstances under which packets marked for a PHB within a PHB group may, or should, be modified (e.g., promoted or demoted) to another PHB within the group. If it is undesirable for a packet's PHB to be modified, the specification should clearly state the consequent risks when the PHB is modified. A possible risk to changing a packet's PHB, either within or outside a PHB group, is a higher probability of packet re-ordering within a microflow. PHBs within a group may carry some host-to-host, WAN edge-to-WAN edge, and/or domain edge-to-domain edge semantics which may be difficult to duplicate if packets are re-marked to select another PHB from the group (or otherwise).

For certain PHB groups, it may be appropriate to reflect a state change in the node by re-marking packets to specify another PHB from within the group. If a PHB group is designed to reflect the state of a network, the PHB definition must adequately describe the relationship between the PHBs and the states they reflect. Further, if these PHBs limit the forwarding actions a node can perform in some way, these constraints may be specified as actions the node should, or must perform.

G.7: A PHB group specification should include a section defining the implications of tunneling on the utility of the PHB group. This section should specify the implications for the utility of the PHB group of a newly created outer header when the original DS field of the inner header is encapsulated in a tunnel. This section should also discuss what possible changes should be applied to the inner header at the egress of the tunnel, when both the codepoints from the inner header and the outer header are accessible (see Sec. 6.2).

G.8: The process of specifying PHB groups is likely to be incremental in nature. When new PHB groups are proposed, their known interactions with previously specified PHB groups should be documented. When a new PHB group is created, it can be entirely new in scope or it can be an extension to an existing PHB group. If the PHB group is entirely independent of some or all of the existing PHB specifications, a section should be included in the PHB specification which details how the new PHB group can co-exist with those PHB groups already standardized. For example, this section might indicate the possibility of packet re-ordering within a microflow for packets marked by codepoints associated with two separate PHB groups. If concurrent operation of two (or more) different PHB groups in the same node is impossible or detrimental this should be stated. If the concurrent operation of two (or more) different PHB groups requires some specific behaviors by the node when packets marked for PHBs from these different PHB groups are being processed by the node at the same time, these behaviors should be stated.

Care should be taken to avoid circularity in the definitions of PHB groups.

If the proposed PHB group is an extension to an existing PHB group, a section should be included in the PHB group specification which details how this extension interoperates with the behavior being extended. Further, if the extension alters or more narrowly defines the existing behavior in some way, this should also be clearly indicated.

G.9: Each PHB specification should include a section specifying minimal conformance requirements for implementations of the PHB group. This conformance section is intended to provide a means for specifying the details of a behavior while allowing for implementation variation to the extent permitted by the PHB specification. This conformance section can take the form of rules, tables, pseudo-code, or tests.

G.10: A PHB specification should include a section detailing the security implications of the behavior. This section should include a discussion of the re-marking of the inner header's codepoint at the egress of a tunnel and its effect on the desired forwarding behavior.

Further, this section should also discuss how the proposed PHB group could be used in denial-of-service attacks, reduction of service contract attacks, and service contract violation attacks. Lastly, this section should discuss possible means for detecting such attacks as they are relevant to the proposed behavior.

G.11: A PHB specification should include a section detailing configuration and management issues which may affect the operation of the PHB and which may impact candidate services that might utilize the PHB.

G.12: It is strongly recommended that an appendix be provided with each PHB specification that considers the implications of the proposed behavior on current and potential services. These services could include but are not restricted to user-specific, device-specific, domain-specific or end-to-end services. It is also strongly recommended that the appendix include a section describing how the services are verified by users, devices, and/or domains.

G.13: It is recommended that an appendix be provided with each PHB specification that is targeted for local use within a domain, providing guidance for PHB selection for packets which are forwarded into a peer domain which does not support the PHB group.

G.14: It is recommended that an appendix be provided with each PHB specification which considers the impact of the proposed PHB group on existing higher-layer protocols. Under some circumstances PHBs may allow for possible changes to higher-layer protocols which may increase or decrease the utility of the proposed PHB group.

G.15: It is recommended that an appendix be provided with each PHB specification which recommends mappings to link-layer QoS mechanisms to support the intended behavior of the PHB across a shared-medium or switched link-layer. The determination of the most appropriate mapping between a PHB and a link-layer QoS mechanism is dependent on many factors and is outside the scope of this document; however, the specification should attempt to offer some guidance.

4. Interoperability with Non-Differentiated Services-Compliant Nodes

We define a non-differentiated services-compliant node (non-DS-compliant node) as any node which does not interpret the DS field as specified in [DSFIELD] and/or does not implement some or all of the standardized PHBs (or those in use within a particular DS domain). This may be due to the capabilities or configuration of the node. We define a legacy node as a special case of a non-DS-compliant node which implements IPv4 Precedence classification and forwarding as defined in [RFC791, RFC1812], but which is otherwise not DS-compliant. The precedence values in the IPv4 TOS octet are compatible by intention with the Class Selector Codepoints defined in [DSFIELD], and the precedence forwarding behaviors defined in [RFC791, RFC1812] comply with the Class Selector PHB Requirements also defined in [DSFIELD]. A key distinction between a legacy node and a DS-compliant node is that the legacy node may or may not interpret bits 3-6 of the TOS octet as defined in [RFC1349] (the "DTRC" bits); in practice it will not interpret these bits as specified in [DSFIELD]. We assume that the use of the TOS markings defined in [RFC1349] is deprecated. Nodes which are non-DS-compliant and which are not legacy nodes may exhibit unpredictable forwarding behaviors for packets with non-zero DS codepoints.

Differentiated services depend on the resource allocation mechanisms provided by per-hop behavior implementations in nodes. The quality or statistical assurance level of a service may break down in the event that traffic transits a non-DS-compliant node, or a non-DS-capable domain.

We will examine two separate cases. The first case concerns the use of non-DS-compliant nodes within a DS domain. Note that PHB forwarding is primarily useful for allocating scarce node and link resources in a controlled manner. On high-speed, lightly loaded links, the worst-case packet delay, jitter, and loss may be negligible, and the use of a non-DS-compliant node on the upstream end of such a link may not result in service degradation. In more realistic circumstances, the lack of PHB forwarding in a node may make it impossible to offer low-delay, low-loss, or provisioned bandwidth services across paths which traverse the node. However, use of a legacy node may be an acceptable alternative, assuming that the DS domain restricts itself to using only the Class Selector Codepoints defined in [DSFIELD], and assuming that the particular precedence implementation in the legacy node provides forwarding behaviors which are compatible with the services offered along paths which traverse that node. Note that it is important to restrict the codepoints in use to the Class Selector Codepoints, since the legacy node may or may not interpret bits 3-5 in accordance with [RFC1349], thereby resulting in unpredictable forwarding results.

The second case concerns the behavior of services which traverse non-DS-capable domains. We assume for the sake of argument that a non-DS-capable domain does not deploy traffic conditioning functions on domain boundary nodes; therefore, even in the event that the domain consists of legacy or DS-compliant interior nodes, the lack of traffic enforcement at the boundaries will limit the ability to consistently deliver some types of services across the domain. A DS domain and a non-DS-capable domain may negotiate an agreement which governs how egress traffic from the DS-domain should be marked before entry into the non-DS-capable domain. This agreement might be monitored for compliance by traffic sampling instead of by rigorous traffic conditioning. Alternatively, where there is knowledge that the non-DS-capable domain consists of legacy nodes, the upstream DS domain may opportunistically re-mark differentiated services traffic to one or more of the Class Selector Codepoints. Where there is no knowledge of the traffic management capabilities of the downstream domain, and no agreement in place, a DS domain egress node may choose to re-mark DS codepoints to zero, under the assumption that the non-DS-capable domain will treat the traffic uniformly with best-effort service.

In the event that a non-DS-capable domain peers with a DS domain, traffic flowing from the non-DS-capable domain should be conditioned at the DS ingress node of the DS domain according to the appropriate SLA or policy.
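
The egress re-marking alternatives described above, as an added Python example that is not part of RFC 2475: the three downstream-domain cases (DS peer with an agreement, legacy precedence-only domain, unknown domain) map to unchanged, Class Selector, or zero codepoints. PeerCapability, egress_remark and the DS-octet helpers are this example's own names, and the choice to re-mark codepoints not covered by a peering agreement to the Default PHB is an assumed policy.

```python
from enum import Enum

DSCP_MASK = 0x3F      # the DSCP is the six most significant bits of the DS field
CS_MASK = 0x38        # Class Selector Codepoints have the form 'xxx000' [DSFIELD]
DEFAULT_DSCP = 0x00   # Default PHB codepoint: best-effort forwarding


class PeerCapability(Enum):
    """What the egress node knows about the downstream domain (example's own)."""
    DS_WITH_SLA = "ds"    # DS-capable, with a peering agreement on markings
    LEGACY = "legacy"     # IPv4 Precedence only, as in [RFC791, RFC1812]
    UNKNOWN = "unknown"   # no knowledge of its capabilities, no agreement


def dscp_of(ds_octet: int) -> int:
    """Extract the 6-bit DSCP from the DS field octet."""
    return (ds_octet >> 2) & DSCP_MASK


def octet_with_dscp(ds_octet: int, dscp: int) -> int:
    """Write a DSCP into the octet, leaving the two low-order (CU) bits alone."""
    return ((dscp & DSCP_MASK) << 2) | (ds_octet & 0x03)


def is_class_selector(dscp: int) -> bool:
    """True for 'xxx000' codepoints, the ones a legacy node reads as precedence."""
    return (dscp & DSCP_MASK & ~CS_MASK) == 0


def to_class_selector(dscp: int) -> int:
    """Keep the three precedence bits and clear the rest. The cleared bits
    overlap the former RFC 1349 'DTRC' bits, which a legacy node may interpret
    in ways the DS domain cannot predict, so only Class Selector Codepoints
    are sent toward it."""
    return dscp & CS_MASK


def egress_remark(dscp: int, peer: PeerCapability,
                  sla_allowed: frozenset = frozenset()) -> int:
    """Choose the codepoint to send toward the downstream domain.

    DS_WITH_SLA: codepoints covered by the agreement pass unchanged; anything
      else is re-marked to the Default PHB instead of requesting a service the
      agreement does not cover (assumed policy, not stated by the RFC).
    LEGACY: opportunistically re-mark to the Class Selector Codepoint that
      carries the same precedence.
    UNKNOWN: re-mark to zero and expect best-effort treatment downstream.
    """
    if peer is PeerCapability.DS_WITH_SLA:
        return dscp if dscp in sla_allowed else DEFAULT_DSCP
    if peer is PeerCapability.LEGACY:
        return to_class_selector(dscp)
    return DEFAULT_DSCP


def remark_octet(ds_octet: int, peer: PeerCapability,
                 sla_allowed: frozenset = frozenset()) -> int:
    """Apply egress_remark to a whole DS field octet, preserving the CU bits."""
    new_dscp = egress_remark(dscp_of(ds_octet), peer, sla_allowed)
    return octet_with_dscp(ds_octet, new_dscp)
```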

5. Multicast Considerations

Use of differentiated services by multicast traffic introduces a number of issues for service provisioning. First, multicast packets which enter a DS domain at an ingress node may simultaneously take multiple paths through some segments of the domain due to multicast packet replication. In this way they consume more network resources than unicast packets. Where multicast group membership is dynamic, it is difficult to predict in advance the amount of network resources that may be consumed by multicast traffic originating from an upstream network for a particular group. A consequence of this uncertainty is that it may be difficult to provide quantitative service guarantees to multicast senders. Further, it may be necessary to reserve codepoints and PHBs for exclusive use by unicast traffic, to provide resource isolation from multicast traffic.

The second issue is the selection of the DS codepoint for a multicast packet arriving at a DS ingress node. Because that packet may exit the DS domain at multiple DS egress nodes which peer with multiple downstream domains, the DS codepoint used should not result in the request for a service from a downstream DS domain which is in violation of a peering SLA. When establishing classifier and traffic conditioner state at a DS ingress node for an aggregate of traffic receiving a differentiated service which spans across the egress boundary of the domain, the identity of the adjacent downstream transit domain and the specifics of the corresponding peering SLA can be factored into the configuration decision (subject to routing policy and the stability of the routing infrastructure). In this way peering SLAs with downstream DS domains can be partially enforced at the ingress of the upstream domain, reducing the classification and traffic conditioning burden at the egress node of the upstream domain. This is not so easily performed in the case of multicast traffic, due to the possibility of dynamic group membership. The result is that the service guarantees for unicast traffic may be impacted. One means of addressing this problem is to establish a separate peering SLA for multicast traffic, and to either utilize a particular set of codepoints for multicast packets, or to implement the necessary classification and traffic conditioning mechanisms in the DS egress nodes to provide preferential isolation for unicast traffic in conformance with the peering SLA with the downstream domain.

6. Security and Tunneling Considerations

This section addresses security issues raised by the introduction of differentiated services, primarily the potential for denial-of-service attacks, and the related potential for theft of service by unauthorized traffic (Sec. 6.1). In addition, the operation of differentiated services in the presence of IPsec and its interaction with IPsec are also discussed (Sec. 6.2), as well as auditing requirements (Sec. 6.3). This section considers issues introduced by the use of both IPsec and non-IPsec tunnels.

6.1 Theft and Denial of Service

The primary goal of differentiated services is to allow different levels of service to be provided for traffic streams on a common network infrastructure. A variety of resource management techniques may be used to achieve this, but the end result will be that some packets receive different (e.g., better) service than others. The mapping of network traffic to the specific behaviors that result in different (e.g., better or worse) service is indicated primarily by the DS field, and hence an adversary may be able to obtain better service by modifying the DS field to codepoints indicating behaviors used for enhanced services or by injecting packets with the DS field set to such codepoints. Taken to its limits, this theft of service becomes a denial-of-service attack when the modified or injected traffic depletes the resources available to forward it and other traffic streams. The defense against such theft- and denial-of-service attacks consists of the combination of traffic conditioning at DS boundary nodes along with security and integrity of the network infrastructure within a DS domain.

As described in Sec. 2, DS ingress nodes must condition all traffic entering a DS domain to ensure that it has acceptable DS codepoints. This means that the codepoints must conform to the applicable TCA(s) and the domain's service provisioning policy. Hence, the ingress nodes are the primary line of defense against theft- and denial-of-service attacks based on modified DS codepoints (e.g., codepoints to which the traffic is not entitled), as success of any such attack constitutes a violation of the applicable TCA(s) and/or service provisioning policy. An important instance of an ingress node is that any traffic-originating node in a DS domain is the ingress node for that traffic, and must ensure that all originated traffic carries acceptable DS codepoints.

Both a domain's service provisioning policy and TCAs may require the ingress nodes to change the DS codepoint on some entering packets (e.g., an ingress router may set the DS codepoint of a customer's traffic in accordance with the appropriate SLA). Ingress nodes must condition all other inbound traffic to ensure that the DS codepoints are acceptable; packets found to have unacceptable codepoints must either be discarded or must have their DS codepoints modified to acceptable values before being forwarded. For example, an ingress node receiving traffic from a domain with which no enhanced service agreement exists may reset the DS codepoint to the Default PHB codepoint [DSFIELD]. Traffic authentication may be required to validate the use of some DS codepoints (e.g., those corresponding to enhanced services), and such authentication may be performed by technical means (e.g., IPsec) and/or non-technical means (e.g., the inbound link is known to be connected to exactly one customer site).

An inter-domain agreement may reduce or eliminate the need for ingress node traffic conditioning by making the upstream domain partly or completely responsible for ensuring that traffic has DS codepoints acceptable to the downstream domain. In this case, the ingress node may still perform redundant traffic conditioning checks to reduce the dependence on the upstream domain (e.g., such checks can prevent theft-of-service attacks from propagating across the domain boundary). If such a check fails because the upstream domain is not fulfilling its responsibilities, that failure is an auditable event; the generated audit log entry should include the date/time the packet was received, the source and destination IP addresses, and the DS codepoint that caused the failure. In practice, the limited gains from such checks need to be weighed against their potential performance impact in determining what, if any, checks to perform under these circumstances.

Interior nodes in a DS domain may rely on the DS field to associate differentiated services traffic with the behaviors used to implement enhanced services. Any node doing so depends on the correct operation of the DS domain to prevent the arrival of traffic with unacceptable DS codepoints. Robustness concerns dictate that the arrival of packets with unacceptable DS codepoints must not cause the failure (e.g., crash) of network nodes. Interior nodes are not responsible for enforcing the service provisioning policy (or individual SLAs) and hence are not required to check DS codepoints before using them. Interior nodes may perform some traffic conditioning checks on DS codepoints (e.g., check for DS codepoints that are never used for traffic on a specific link) to improve security and robustness (e.g., resistance to theft-of-service attacks based on DS codepoint modifications). Any detected failure of such a check is an auditable event and the generated audit log entry should include the date/time the packet was received, the source and destination IP addresses, and the DS codepoint that caused the failure. In practice, the limited gains from such checks need to be weighed against their potential performance impact in determining what, if any, checks to perform at interior nodes.

Any link that cannot be adequately secured against modification of DS codepoints or traffic injection by adversaries should be treated as a boundary link (and hence any arriving traffic on that link is treated as if it were entering the domain at an ingress node). Local security policy provides the definition of "adequately secured," and such a definition may include a determination that the risks and consequences of DS codepoint modification and/or traffic injection do not justify any additional security measures for a link. Link security can be enhanced via physical access controls and/or software means such as tunnels that ensure packet integrity.

6.2 IPsec and Tunneling Interactions

The IPsec protocol, as defined in [ESP, AH], does not include the IP header's DS field in any of its cryptographic calculations (in the case of tunnel mode, it is the outer IP header's DS field that is not included). Hence modification of the DS field by a network node has no effect on IPsec's end-to-end security, because it cannot cause any IPsec integrity check to fail. As a consequence, IPsec does not provide any defense against an adversary's modification of the DS field (i.e., a man-in-the-middle attack), as the adversary's modification will also have no effect on IPsec's end-to-end security. In some environments, the ability to modify the DS field without affecting IPsec integrity checks may constitute a covert channel; if it is necessary to eliminate such a channel or reduce its bandwidth, the DS domains should be configured so that the required processing (e.g., set all DS fields on sensitive traffic to a single value) can be performed at DS egress nodes where traffic exits higher security domains.

IPsec's tunnel mode provides security for the encapsulated IP header's DS field. A tunnel mode IPsec packet contains two IP headers: an outer header supplied by the tunnel ingress node and an encapsulated inner header supplied by the original source of the packet. When an IPsec tunnel is hosted (in whole or in part) on a differentiated services network, the intermediate network nodes operate on the DS field in the outer header. At the tunnel egress node, IPsec processing includes stripping the outer header and forwarding the packet (if required) using the inner header. If the inner IP header has not been processed by a DS ingress node for the tunnel egress node's DS domain, the tunnel egress node is the DS ingress node for traffic exiting the tunnel, and hence must carry out the corresponding traffic conditioning responsibilities (see Sec. 6.1). If the IPsec processing includes a sufficiently strong cryptographic integrity check of the encapsulated packet (where sufficiency is determined by local security policy), the tunnel egress node can safely assume that the DS field in the inner header has the same value as it had at the tunnel ingress node. This allows a tunnel egress node in the same DS domain as the tunnel ingress node, to safely treat a packet passing such an integrity check as if it had arrived from another node within the same DS domain, omitting the DS ingress node traffic conditioning that would otherwise be required. An important consequence is that otherwise insecure links internal to a DS domain can be secured by a sufficiently strong IPsec tunnel.

This analysis and its implications apply to any tunneling protocol that performs integrity checks, but the level of assurance of the inner header's DS field depends on the strength of the integrity check performed by the tunneling protocol. In the absence of sufficient assurance for a tunnel that may transit nodes outside the current DS domain (or is otherwise vulnerable), the encapsulated packet must be treated as if it had arrived at a DS ingress node from outside the domain.

The IPsec protocol currently requires that the inner header's DS field not be changed by IPsec decapsulation processing at a tunnel egress node. This ensures that an adversary's modifications to the DS field cannot be used to launch theft- or denial-of-service attacks across an IPsec tunnel endpoint, as any such modifications will be discarded at the tunnel endpoint. This document makes no change to that IPsec requirement.

If the IPsec specifications are modified in the future to permit a tunnel egress node to modify the DS field in an inner IP header based on the DS field value in the outer header (e.g., copying part or all of the outer DS field to the inner DS field), then additional considerations would apply. For a tunnel contained entirely within a single DS domain and for which the links are adequately secured against modifications of the outer DS field, the only limits on inner DS field modifications would be those imposed by the domain's service provisioning policy. Otherwise, the tunnel egress node performing such modifications would be acting as a DS ingress node for traffic exiting the tunnel and must carry out the traffic conditioning responsibilities of an ingress node, including defense against theft- and denial-of-service attacks (see Sec. 6.1). If the tunnel enters the DS domain at a node different from the tunnel egress node, the tunnel egress node may depend on the upstream DS ingress node having ensured that the outer DS field values are acceptable. Even in this case, there are some checks that can only be performed by the tunnel egress node (e.g., a consistency check between the inner and outer DS codepoints for an encrypted tunnel). Any detected failure of such a check is an auditable event and the generated audit log entry should include the date/time the packet was received, the source and destination IP addresses, and the DS codepoint that was unacceptable.


An IPsec tunnel can be viewed in at least two different ways from an architectural perspective. If the tunnel is viewed as a logical single-hop "virtual wire", the actions of intermediate nodes in forwarding the tunneled traffic should not be visible beyond the ends of the tunnel, and hence the DS field should not be modified as part of decapsulation processing. In contrast, if the tunnel is viewed as a multi-hop participant in forwarding traffic, then modification of the DS field as part of tunnel decapsulation processing may be desirable. A specific example of the latter situation occurs when a tunnel terminates at an interior node of a DS domain at which the domain administrator does not wish to deploy traffic conditioning logic (e.g., to simplify traffic management). This could be supported by using the DS codepoint in the outer IP header (which was subject to traffic conditioning at the DS ingress node) to reset the DS codepoint in the inner IP header, effectively moving DS ingress traffic conditioning responsibilities from the IPsec tunnel egress node to the appropriate upstream DS ingress node (which must already perform that function for unencapsulated traffic).


6.3 Auditing

Not all systems that support differentiated services will implement auditing. However, if differentiated services support is incorporated into a system that supports auditing, then the differentiated services implementation should also support auditing. If such support is present the implementation must allow a system administrator to enable or disable auditing for differentiated services as a whole, and may allow such auditing to be enabled or disabled in part.


For the most part, the granularity of auditing is a local matter. However, several auditable events are identified in this document and for each of these events a minimum set of information that should be included in an audit log is defined. Additional information (e.g., packets related to the one that triggered the auditable event) may also be included in the audit log for each of these events, and additional events, not explicitly called out in this specification, also may result in audit log entries. There is no requirement for the receiver to transmit any message to the purported sender in response to the detection of an auditable event, because of the potential to induce denial of service via such action.
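The egress-node consistency check and audit record described in Section 6.2, together with the administrator's whole-service auditing switch of Section 6.3, as an added Python model that is not code from the RFC or any IPsec implementation. The `policy` table (acceptable outer DSCP to the inner DSCPs consistent with it) and the `copy_outer_to_inner` flag are assumptions standing in for the domain's provisioning policy and the hypothetical future IPsec behaviour; the addresses and DS bytes used in comments are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


def dscp_of(ds_byte):
    """Extract the 6-bit DSCP from a DS field byte (the low two bits are ECN)."""
    return (ds_byte >> 2) & 0x3F


@dataclass
class Auditor:
    """Audit log for DS events; `enabled` is the administrator's switch for DS auditing as a whole."""
    enabled: bool = True
    entries: list = field(default_factory=list)

    def record(self, when, src, dst, unacceptable_dscp, **extra):
        # Minimum fields named by the RFC; `extra` carries optional additional information.
        if self.enabled:
            when = when or datetime.now(timezone.utc)
            self.entries.append({"time": when.isoformat(), "src": src, "dst": dst,
                                 "dscp": unacceptable_dscp, **extra})


@dataclass
class TunnelEgress:
    """Model of an IPsec tunnel egress node deciding what to do with the inner DS field."""
    # Assumed policy table (not defined by the RFC): for each acceptable outer DSCP,
    # the set of inner DSCPs considered consistent with it, e.g. {46: {46}, 0: {0, 8}}.
    policy: dict
    auditor: Auditor
    copy_outer_to_inner: bool = False  # hypothetical future behaviour; False = current IPsec rule

    def decapsulate(self, outer_ds, inner_ds, src, dst, when=None):
        """Return (inner DS byte to forward, accepted); accepted=False means the packet is dropped."""
        outer, inner = dscp_of(outer_ds), dscp_of(inner_ds)
        if not self.copy_outer_to_inner:
            # Current IPsec requirement: decapsulation never touches the inner DS field, so any
            # on-path change to the outer DS field is discarded together with the outer header.
            return inner_ds, True
        consistent = self.policy.get(outer)
        if consistent is None or inner not in consistent:
            # Consistency check failed: an auditable event. Log it (outer codepoint is the one
            # an on-path party could alter), drop the packet, and send nothing back to the
            # purported sender, since a response could itself be used to induce DoS.
            self.auditor.record(when, src, dst, outer, inner_dscp=inner)
            return None, False
        # Acceptable: reset the inner DSCP from the outer one, preserving the inner ECN bits.
        return (outer << 2) | (inner_ds & 0x03), True
```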


7. Acknowledgements

This document has benefitted from earlier drafts by Steven Blake, David Clark, Ed Ellesson, Paul Ferguson, Juha Heinanen, Van Jacobson, Kalevi Kilkki, Kathleen Nichols, Walter Weiss, John Wroclawski, and Lixia Zhang.


The authors would like to acknowledge the following individuals for their helpful comments and suggestions: Kathleen Nichols, Brian Carpenter, Konstantinos Dovrolis, Shivkumar Kalyana, Wu-chang Feng, Marty Borden, Yoram Bernet, Ronald Bonica, James Binder, Borje Ohlman, Alessio Casati, Scott Brim, Curtis Villamizar, Hamid Ould-Brahi, Andrew Smith, John Renwick, Werner Almesberger, Alan O'Neill, James Fu, and Bob Braden.



Authors' Addresses


Steven Blake Torrent Networking Technologies 3000 Aerial Center, Suite 140 Morrisville, NC 27560


   Phone:  +1-919-468-8466 x232
   EMail: slblake@torrentnet.com
        

David L. Black EMC Corporation 35 Parkwood Drive Hopkinton, MA 01748


   Phone:  +1-508-435-1000 x76140
   EMail: black_david@emc.com
        

Mark A. Carlson Sun Microsystems, Inc. 2990 Center Green Court South Boulder, CO 80301


   Phone:  +1-303-448-0048 x115
   EMail: mark.carlson@sun.com
        

Elwyn Davies Nortel UK London Road Harlow, Essex CM17 9NA, UK


   Phone:  +44-1279-405498
   EMail: elwynd@nortel.co.uk
        

Zheng Wang Bell Labs Lucent Technologies 101 Crawfords Corner Road Holmdel, NJ 07733


   EMail: zhwang@bell-labs.com
        

Walter Weiss Lucent Technologies 300 Baker Avenue, Suite 100 Concord, MA 01742-2168


   EMail: wweiss@lucent.com
        

Full Copyright Statement


Copyright (C) The Internet Society (1998). All Rights Reserved.


This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.


The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.


This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
