Differentiated Services WG                                     D. Black
INTERNET-DRAFT                                          EMC Corporation
Document: draft-ietf-diffserv-tunnels-00.txt              February 2000

                   Differentiated Services and Tunnels

Status of this Memo

   This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   A revised version of this draft document will be submitted to the
   RFC editor as a Proposed Standard for the Internet Community.
   Discussion and suggestions for improvement are requested.  This
   document will expire before September, 2000.

   Distribution of this draft is unlimited.

1. Abstract

   This draft considers the interaction of Differentiated Services
   (diffserv) [RFC-2474, RFC-2475] with IP tunnels of various forms.
   The discussion of tunnels in the diffserv architecture [RFC-2475]
   has been found to provide insufficient guidance to tunnel designers
   and implementers.  With the aim of providing such guidance, this
   document describes two conceptual models for the interaction of
   diffserv with IP tunnels and employs them to explore the resulting
   configurations and combinations of functionality.  An important
   consideration is how and where it is appropriate to perform diffserv
   traffic conditioning in the presence of tunnel encapsulation and
   decapsulation.  A few simple mechanisms are also proposed that limit
   the complexity that tunnels would otherwise add to the diffserv
   traffic conditioning model; these mechanisms are also generally
   useful in situations where more general traffic conditioning is
   inappropriate or unavailable.  Security considerations for IPsec

Black                                                         [Page 1]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   tunnels may place limits on possible functionality in some

2. Conventions used in this document

   An IP tunnel encapsulates IP traffic in another IP header as it
   passes through the tunnel; the presence of these two IP headers is a
   defining characteristic of IP tunnels.  The inner IP header is that
   of the original traffic; an outer IP header is attached and detached
   at tunnel endpoints.  In general, intermediate network nodes between
   tunnel endpoints operate solely on the outer IP header, and hence
   diffserv-capable intermediate nodes can only access and modify the
   DSCP field in the outer IP header (e.g., for an encrypted tunnel,
   interior nodes cannot access the inner IP header).  The terms
   "tunnel" and "IP tunnel" are used interchangeably in this document.
   For simplicity, we do not consider issues raised by tunnels other
   than IP tunnels (i.e., where there is no encapsulating IP header),
   such as MPLS paths and "tunnels" formed by encapsulation in layer 2
   (link) headers.

   This document considers tunnels to be unidirectional; bi-directional
   tunnels are composed of two unidirectional tunnels carrying traffic
   in opposite directions between the same pair of tunnel endpoints.  A
   tunnel consists of an ingress where traffic enters the tunnel and is
   encapsulated by the addition of the outer IP header, an egress where
   traffic exits the tunnel and is decapsulated by the removal of the
   outer IP header, and intermediate nodes through which tunneled
   traffic passes between the ingress and egress.  This document does
   not make any assumptions about routing and forwarding of tunnel
   traffic, and in particular neither requires nor forbids any form of
   route pinning.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   this document are to be interpreted as described in [RFC-2119].

   Text in square brackets labeled "Author's note:" (e.g., [Author's
   note: this is a note from the author.]) is editorial in nature and
   will be addressed in a future version of this document.

3. Diffserv and Tunnels Overview

   Tunnels range in complexity from simple IP-in-IP tunnels [RFC-2003]
   to complex multi-protocol tunnels, such as IP in PPP in L2TP in
   IPsec transport mode [RFC-1661, RFC-2401, RFC-2661].  The most
   general tunnel configuration is one in which the tunnel is not end-
   to-end, i.e., the ingress and egress nodes are not the source and
   destination nodes for traffic carried by the tunnel.  If the ingress
   or egress nodes do coincide with the end-to-end source or
   destination, the result is a simplified configuration to which much
   of the analysis and recommendations in this document are applicable.

Black                                                         [Page 2]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   A primary concern for differentiated services is the use of the
   Differentiated Services Code Point (DSCP) in the IP header; see
   [RFC-2474, RFC-2475] for more extensive descriptions of the DSCP
   field and the diffserv architecture.  The diffserv architecture
   permits intermediate nodes to examine and change the value of the
   DSCP, which may result in the DSCP value in the outer IP header
   being modified between tunnel ingress and egress.  When a tunnel is
   not end-to-end, there are circumstances in which it may be desirable
   to propagate the DSCP and/or some of the information that it
   contains to the outer IP header on ingress and/or back to inner IP
   header on egress.  The current situation facing tunnel implementers
   is that [RFC-2475] offers some incomplete guidance, and guideline
   G.7 for PHB specification in Section 3 of that RFC is based on over-
   simplified assumptions about how tunnels are deployed with respect
   to DS domain boundaries.  The EF PHB specification [RFC-2598] may be
   too specific (in 20/20 hindsight) because its requirement to use EF
   in the outer header of tunneled EF packets (based on guideline G.7)
   is unworkable in domains that do not support EF, and excludes other
   techniques for conditioning tunneled EF traffic.

   This document proposes an approach in which traffic conditioning is
   performed in series with tunnel ingress or egress processing, not in
   parallel.  This approach does not create any additional paths that
   transmit information across a tunnel endpoint, as all diffserv
   information is contained in the DSCPs in the IP headers.  The IPsec
   architecture [RFC-2401] requires that this be the case to preserve
   security properties at the egress of IPsec tunnels, but this
   approach also avoids introducing out-of-band inputs to diffserv
   traffic conditioner blocks, which would complicate them.  Diffserv
   domain boundaries can then be positioned as appropriate for the set
   of traffic conditioning blocks and tunnel processing modules.  One
   configuration of interest involves a diffserv domain boundary that
   passes through (i.e., divides) a network node; it is acceptable to
   split such a boundary to create a DMZ-like region between the
   domains that contains the tunnel ingress or egress processing.
   Diffserv traffic conditioning is not appropriate for such a DMZ-like
   region, as that traffic conditioning is part of the operation and
   management of one or more diffserv domains.

4. Conceptual Models for Diffserv Tunnels

   There are two important conceptual traffic conditioning models for
   IP tunnels.  For clarity, the initial discussion of these models
   assumes a fully diffserv-capable network.  Configurations in which
   this is not the case are taken up in Section 4.2.

4.1 Conceptual Models for Fully DS-capable Configurations

   The first conceptual model is a uniform model that views IP tunnels
   as artifacts of the end to end path from a traffic conditioning
   standpoint; tunnels may be necessary mechanisms to get traffic to
   its destination(s), but have no significant impact on traffic
   conditioning.  In this model, any packet has exactly one DS Field

Black                                                         [Page 3]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   that is used for traffic conditioning at any point, namely the DS
   Field in the outermost IP header; any others are ignored.
   Implementations of this model copy the DSCP value to the outer IP
   header at encapsulation and copy the outer header's DSCP value to
   the inner IP header at decapsulation.  Use of this model allows IP
   tunnels to be configured without regard to diffserv domain
   boundaries because diffserv traffic conditioning functionality is
   not impacted by the presence of IP tunnels.

   The second conceptual model is a pipe model that views an IP tunnel
   as hiding the nodes between its ingress and egress so that they do
   not participate fully in traffic conditioning.  In this model, a
   tunnel egress node uses traffic conditioning information conveyed
   from the tunnel ingress by the DSCP value in the inner header, and
   ignores (i.e., discards) the DSCP value in the outer header.  This
   model cannot completely hide traffic conditioning within the tunnel,
   as the effects of dropping and shaping at intermediate tunnel nodes
   may be visible at the tunnel egress and beyond.  This model is
   particularly appropriate to configurations in which the ingress and
   egress nodes belong to the same diffserv domain but the IP tunnel
   may pass through other domains; virtual private networks (VPNs) may
   be configured in this fashion.  In this class of configurations, the
   DSCP values from the ingress node are valid at the egress node
   because both nodes are in the same diffserv domain. Other uses of
   the pipe model (i.e., for configurations in which the tunnel ingress
   and egress nodes are not in the same diffserv domain) SHOULD employ
   an inter-domain TCA (Traffic Conditioning Agreement) between the
   diffserv domains containing the tunnel ingress and egress nodes in
   order to specify the required egress traffic conditioning.

   The pipe conceptual model is also appropriate for situations in
   which the DSCP carries information that is within the tunnel.  For
   example, if transit between two domains is purchased via a tunnel
   that uses the EF PHB [RFC-2598], the drop precedence information in
   the AF PHB DSCP values [RFC-2597] will be destroyed unless something
   is done to preserve it; an IP tunnel is one possible preservation
   mechanism.  A tunnel that crosses one or more non-diffserv domains
   between its DS-capable endpoints may experience a similar
   information destruction phenomenon due to the limited set of DSCP
   codepoints that are compatible with such domains.

4.2 Considerations for Partially DS-capable Configurations

   If only the tunnel egress node is DS-capable, [RFC-2475] requires
   the egress node to perform any edge traffic conditioning needed by
   the diffserv domain for tunneled traffic entering from outside the
   domain.  If the egress node would not otherwise be a DS edge node,
   one way to meet this requirement is to perform edge traffic
   conditioning at an appropriate upstream DS edge node or nodes within
   the tunnel, and copy the DSCP value from the outer IP header to the
   inner IP header as part of tunnel decapsulation processing.  A
   second alternative discards the outer DSCP value as part of
   decapsulation processing, reducing the resulting traffic

Black                                                         [Page 4]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   conditioning problem and requirements to those of an ordinary DS
   ingress node.  This employs the pipe model of a tunnel and hence the
   adjacent upstream node for DSCP marking purposes is the tunnel
   ingress node, not the immediately upstream intermediate tunnel node.

   If only the tunnel ingress node is DS-capable, [RFC-2475] requires
   that traffic emerging from the tunnel be compatible with the network
   at the tunnel egress.  If tunnel decapsulation processing discards
   the outer header's DSCP value without changing the inner header's
   DSCP value, then the DS-capable tunnel ingress node MUST set the
   inner header's DSCP to a value compatible with the network at tunnel
   egress.  The value 0 (DSCP of 000000) is used for this purpose by a
   number of existing tunnel implementations.  If the egress network
   implements IP precedence as specified in [RFC-791], then some or all
   of the eight class selector DSCP codepoints defined in [RFC-2474]
   are usable. DSCP codepoints other than the class selectors SHOULD
   NOT be used for this purpose, as correct operation under these
   circumstances involves diffserv functionality at the DS-incapable
   tunnel egress node.

5. Ingress Functionality

   As described in Section 3 above, this draft is based on an approach
   in which diffserv functionality and/or out-of-band communication
   paths are not placed in parallel with tunnel encapsulation
   processing. This model allows three possible locations for traffic
   conditioners with respect to tunnel encapsulation processing, as
   shown in the following diagram that depicts the flow of IP headers
   through tunnel encapsulation:
                                        +--------- [2 - Outer] -->>
   >>---- [1 - Before] -------- Encapsulate ------ [3 - Inner] -->>

   Traffic conditioning at [1 - Before] and [2 - Outer] is logically
   separate from the tunnel, as it is not impacted by the presence of
   tunnel encapsulation.  Tunnel designs and specifications SHOULD
   permit diffserv traffic conditioning at these locations.  Such
   conditioning can be performed by standard diffserv traffic
   conditioning components, such as [Author's note: TBD based on
   further diffserv WG efforts], and can be viewed as independent of
   the tunnel (e.g., [1 - Before] can be viewed as separate traffic
   conditioning that takes place prior to tunnel ingress).

   In contrast, the [3 - Inner] location SHOULD NOT be utilized for
   traffic conditioning because it requires functionality that reaches
   inside the packet to operate on the inner IP header.  This is
   difficult in general, and is impossible for IPsec tunnels and any
   other tunnels that are encrypted or employ cryptographic integrity
   checks.  Hence traffic conditioning at [3 - Inner] can only be
   performed as part of tunnel encapsulation processing, complicating
   both the encapsulation and traffic conditioning implementations.  In
   many cases, the desired functionality can be achieved via a

Black                                                         [Page 5]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   combination of traffic conditioners in the other two locations, both
   of which can be specified and implemented independently of tunnel
   encapsulation processing

   An exception for which traffic conditioning functionality is
   necessary at [3 - Inner] occurs when the tunnel egress is not DS-
   capable and discards the outer IP header.  Setting the inner DSCP to
   0 as part of encapsulation addresses most of these cases, and
   implementations MAY support setting the inner DSCP to one of the
   class selector DCSP codepoint values, as these are valid for
   networks that support IP precedence.  This level of functionality
   (set the DSCP to one of the class selector codepoint values) is also
   generally appropriate for other traffic conditioning locations in
   configurations that do not support more general traffic conditioning
   at those locations.

   The following table summarizes the achievable relationships among
   the Before (B), outer (O), and inner (I) DSCP values and the
   corresponding locations of traffic conditioning logic.

   Relationship       Traffic Conditioning Location(s)
   ------------       --------------------------------
   B  = I  = O        No traffic conditioning required
   B != I  = O        [1 - Before]
   B  = I != O        [2 - Outer]
   B  = O != I        Limited support as part of encapsulation:
                        I can be set to 000000 or possibly one of
                        the class selector code points.
   B != I != O        Some combination of the above three cases.

   A combination of [1 - Before] and [2 - Outer] is applicable in many
   cases that fit one of the last two lines of the table, and this
   combination is RECOMMENDED in preference to deploying functionality
   at [3 - Inner].  Implementers are cautioned that traffic
   conditioning may still be required for purposes such as rate and
   burst control even if DSCP values are not changed.

   [Author's note: Is the above table useful?]

6. Egress Functionality

   As described in Section 3 above, this draft is based on an approach
   in which diffserv functionality and/or out-of-band communication
   paths are not placed in parallel with tunnel encapsulation
   processing. This allows three possible locations for traffic
   conditioners with respect to tunnel decapsulation processing, as
   shown in the following diagram that depicts the flow of IP headers
   through tunnel encapsulation:

   >>----[5 - Outer]-------------+
   >>----[4 - Inner] --------- Decapsulate ---- [6 - After] -->>

Black                                                         [Page 6]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000

   Traffic conditioning at [5 - Outer] and [6 - After] is logically
   separate from the tunnel, as it is not impacted by the presence of
   tunnel decapsulation.  Tunnel designs and specifications SHOULD
   permit diffserv traffic conditioning at these locations.  Such
   conditioning can be performed by standard diffserv traffic
   conditioning components, such as [Author's note: TBD based on
   further diffserv WG efforts], and can be viewed as independent of
   the tunnel (e.g., [6 - After] can be viewed as separate traffic
   conditioning that takes place after tunnel egress).  An important
   exception is that the configuration of a tunnel (e.g., the absence
   of traffic conditioning at tunnel ingress) and/or the diffserv
   domains involved may require that all traffic exiting a tunnel pass
   through diffserv traffic conditioning to fulfill the diffserv edge
   node traffic conditioning responsibilities of the tunnel egress
   node.  Tunnel specifications SHOULD include the ability to require
   that all traffic exiting a tunnel pass through diffserv traffic

   In contrast, the [4 - Inner] location SHOULD NOT be employed for
   traffic conditioning because it requires reaching inside the packet
   to operate on the inner IP header.  Unlike the [3 - Inner] case for
   encapsulation, there is no need for functionality to be performed
   here, as diffserv traffic conditioning can be appended to the tunnel
   decapsulation (i.e., performed at [6 - After]).

6.1 Egress DSCP Selection

   The elimination of parallel functionality and data paths from
   decapsulation causes a potential loss of information.  As shown in
   the diagram in Section 6, decapsulation combines and reduces two
   DSCP values to one DSCP value, losing information in the most
   general case, even if arbitrary functionality is allowed.  Beyond
   this, allowing arbitrary functionality poses a structural problem,
   namely that the DSCP value from the outer IP header would have to be
   presented as an out-of-band input to the traffic conditioning block
   at [6 - After], complicating the traffic conditioning model.

   To avoid such complications, we adopt the simpler approach of
   statically selecting either the inner or outer DSCP value at
   decapsulation, leaving the full generality of traffic conditioning
   functionality to be implemented at [5 - Outer] and/or [6 - After].
   Tunnels SHOULD support static selection of one or the other value at
   tunnel egress.  The rationale for this approach is that of the two
   DSCP values, usually only one of them contains useful information,
   with the other being of little value, and the conceptual model used
   for the tunnel provides a strong indication as to which one contains
   the useful information.  In general, the outer DSCP value contains
   the useful information for tunnels based on the uniform model, and
   the inner DSCP value contains the useful information for tunnels
   based on the pipe model.  IPsec tunnels are usually based on the
   pipe model, and for security reasons MUST default to selecting the
   outer DSCP value and SHOULD not select the inner DSCP value in the

Black                                                         [Page 7]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   absence of an adequate security analysis of the resulting risks and

6.2 Egress DSCP Selection Case Study

   As a sanity check on the simpler approach proposed above (i.e., in
   Section 6), this subsection considers a situation in which a more
   complex approach might be required.  Statically choosing a single
   DSCP value is a poor match to situations in which both DSCPs are
   carrying information that is needed to perform traffic conditioning
   (i.e., at [6 - After]) correctly.

   As an example, we consider a situation in which two different AF
   groups [RFC-2597] are being used by the two domains at the tunnel
   endpoints, and there is an intermediate domain along the tunnel that
   uses RFC 791 IP precedences that is transited by setting the DSCP to
   zero.  This situation is shown in the following IP header flow
   diagram where I is the tunnel ingress node, E is the tunnel egress
   node and the vertical lines are domain boundaries.  The node at the
   left-hand vertical line sets the DSCP in the outer header to 0 in
   order to obtain compatibility with the middle domain:

                        |                   |
                 /      |                   |       \
                        |                   |
      Ingress DS Domain        RFC 791         Egress DS domain
                            IP Precedence

   In this situation, the DS edge node for the egress domain (i.e., the
   node at the right-hand vertical line) can select the appropriate AF
   group (e.g., via an MF classifier), but cannot reconstruct the drop
   precedence information that was removed from the outer header when
   it transited the RFC 791 domain (although it can construct new
   information via metering and marking).  The original drop precedence
   information is preserved in the inner IP header's DSCP, and could be
   combined with the AF class selection communicated via the outer IP
   header's DSCP.  The marginal benefit of being able to reuse the
   original drop precedence information as opposed to constructing new
   drop precedence markings does not appear to justify the additional
   complexity that would be introduced into tunnel egress traffic

   [Author's note: Last sentence is an open issue for WG discussion.]

7.  Diffserv and Protocol Translators

   A related issue involves protocol translators, of which a specific
   example are those employing the Stateless IP/ICMP Translation
   Algorithm [RFC-2765].  These translators are not tunnels because
   they do not add or remove a second IP header to/from packets (e.g.,

Black                                                         [Page 8]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   in contrast to IPv6 over IPv4 tunnels [RFC-1933]) and hence do not
   raise concerns of information propagation between inner and outer IP
   headers.  The primary interaction between translators and diffserv
   is that the translation boundary is likely to also be a diffserv
   domain boundary (e.g., the IPv4 and IPv6 domains may have different
   policies for traffic conditioning and DSCP usage), and hence such
   translators SHOULD permit the insertion of diffserv edge node
   processing (i.e., including traffic conditioning) both before and
   after the translation processing.

8. Security Considerations

   The security considerations for the diffserv architecture discussed
   in [RFC-2474, RFC-2475] apply when tunnels are present; readers are
   referred to those documents for further information.  One of the
   requirements noted there is that a tunnel egress node in the
   interior of a diffserv domain is the DS ingress node for traffic
   exiting the tunnel, and is responsible for performing appropriate
   traffic conditioning.  The primary security implication is that the
   traffic conditioning is responsible for dealing with theft- and
   denial-of-service threats posed to the diffserv domain by traffic
   exiting from the tunnel.  The IPsec architecture [RFC-2401] places a
   further restriction on tunnel egress processing; the outer header
   MUST be discarded unless the properties of the traffic conditioning
   that will be applied are known and have been adequately analyzed for
   security vulnerabilities.  This includes both the [5 - Outer] and
   [6 - After] traffic conditioning blocks on the tunnel egress node,
   if present, and may involve traffic conditioning performed by an
   upstream DS-edge node that is the DS domain ingress node for the
   encapsulated tunneled traffic.

9. References

   [RFC-791] J. Postel, "Internet Protocol", STD 5, RFC 791, September

   [RFC-1661] W. Simpson, "The Point-to-Point Protocol (PPP)", STD 51,
   RFC 1661, July 1994.

   [RFC-1933] R. Gilligan and E. Nordmark, "Transition Mechanisms for
   IPv6 Hosts and Routers", RFC 1933, April 1996.

   [RFC-2003] C. Perkins, "IP Encapsulation within IP,", RFC 2003,
   October 1996.

   [RFC-2119] S. Bradner, "Key words for use in RFCs to Indicate
   Requirement Levels", RFC 2119, March 1997.

   [RFC-2401] S. Kent and R. Atkinson, "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

Black                                                         [Page 9]

ietf-diffserv-tunnels    Diffserv and Tunnels            February 2000
   [RFC-2474] K. Nichols, S. Blake, F. Baker, and D. Black, "Definition
   of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
   Headers", RFC 2474, December 1998.

   [RFC-2475] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and
   W. Weiss, "An Architecture for Differentiated Services", RFC 2475,
   December 1998.

   [RFC-2597] J. Heinanen, F. Baker, W. Weiss, and J. Wroclawski,
   "Assured Forwarding PHB Group", RFC 2597. June 1999.

   [RFC-2598] V. Jacobson, K. Nichols, and K. Poduri, "An Expedited
   Forwarding PHB", RFC 2598, June 1999.

   [RFC-2661] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn,
   and B. Palter. "Layer Two Tunneling Protocol "L2TP"", RFC 2661,
   August 1999.

   [RFC-2765] E. Nordmark, "Stateless IP/ICMP Translation Algorithm
   (SIIT)", RFC 2765. February, 2000.

   [Author's note: This needs to be extended by additional tunnel RFC
   references.  The references section of the Tunnel MIB RFC (RFC 2667)
   provides a good starting point.]

10. Acknowledgments

   Some of this material is based on discussions with Brian Carpenter,
   and in particular his presentation on this topic to the diffserv WG
   during the summer 1999 IETF meeting in Oslo.  Credit is also due to
   a people working on tunnel specifications [Author's note: names may
   appear here in a future version] who have discovered limitations of
   the diffserv architecture RFC (2475) in the area of tunnels.  Their
   kind patience with the time it has taken to address this set of
   issues has been greatly appreciated.  Finally, this material has
   benefited from discussions within the diffserv WG, and the
   contributions of participants in those discussions are gratefully

11. Author's Address

   David L. Black
   EMC Corporation
   42 South St.
   Hopkinton, MA   01748
   Phone: +1 (508) 435-1000 x75140
   Email: black_david@emc.com

Black                                                        [Page 10]