Network Working Group                                     Pat R. Calhoun
INTERNET DRAFT                                    Sun Microsystems, Inc.
                                                                 Wei Luo
                                                     Cisco Systems, Inc.
                                                         Danny McPherson
                                                    Amber Networks, Inc.
                                                              Ken Peirce
                                                   Malibu Networks, Inc.
March 2001



                 L2TP Differentiated Services Extension
                     <draft-ietf-l2tpext-ds-03.txt>


1. Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.



Calhoun, Luo, McPherson, Peirce                         [Page 1]


INTERNET DRAFT                                               March 2001


2. Abstract

   The Layer Two Tunneling Protocol (L2TP) [RFC 2661] provides a
   standard method for tunneling PPP [RFC 1661] packets.  The current
   specification makes no provision for Differentiated Services
   (diffserv) [RFC 2474, RFC 2475] over the L2TP control connection or
   the data sessions it carries.  As a result, L2TP has no standard
   mechanism for negotiating service discrimination.

   This document describes mechanisms which enable L2TP to negotiate
   desired DS values for the L2TP control connection, as well as
   individual sessions within an L2TP tunnel.


3. Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].


4. Introduction

   The L2TP specification currently provides no mechanism for supporting
   diffserv (DS).  This document describes mechanisms that enable L2TP
   to indicate desired DS values to be associated with an L2TP control
   connection, as well as individual sessions within an L2TP tunnel.

   This document describes how a pair of L2TP peers MAY negotiate a set
   of differentiated services indicators for a tunnel control
   connection, as well as for individual sessions within the tunnel.

   The actual bit interpretation of the DS field is beyond the scope of
   this document, and is purposefully omitted.  This document is
   concerned only with defining a uniform exchange and subsequent
   mapping mechanism for the DS AVPs.



5. Control Connection Operation

   As defined in [RFC 2661], a control connection operates in-band over
   a tunnel to control the establishment, release, and maintenance of
   sessions and of the tunnel itself.  As such, this document provides a
   mechanism to enable discrimination of L2TP control messages from
   other packets.  For this purpose, we introduce the Control Connection
   DS (CCDS) AVP.

   The presence of the CCDS AVP serves as an indication to the peer (LAC
   or LNS) that the tunnel initiator wishes both the tunnel initiator
   and terminator to use the per-hop behavior(s) (PHB(s)) indicated by
   the AVP's DS value for all packets within the tunnel's control
   connection.  A PHB is a description of the externally observable
   forwarding behavior of a DS node applied to a particular DS behavior
   aggregate, as defined in [RFC 2475].  The simplest example of a PHB
   is one that guarantees a minimum bandwidth allocation on a link to a
   behavior aggregate.

   Upon receipt of a Start-Control-Connection-Request (SCCRQ) containing
   the CCDS AVP, if the tunnel terminator provides no support for the
   CCDS AVP it MUST ignore the AVP and send a SCCRP to the tunnel
   initiator without the CCDS AVP.  The tunnel initiator interprets the
   absence of the CCDS AVP in the SCCRP as an indication that the tunnel
   terminator is incapable of supporting CCDS.

   Upon receipt of a SCCRP that contains no CCDS AVP in response to a
   SCCRQ that contained a CCDS AVP, if the tunnel initiator wants to
   continue tunnel establishment it sends a SCCCN.  Otherwise, it sends
   a StopCCN to the tunnel terminator to end the connection.  The
   StopCCN control message MUST contain a Result Code AVP that indicates
   CCDS AVP value [TBD] as the reason for sending the StopCCN.

   If the tunnel terminator provides support for CCDS, it SHOULD use the
   Host Name AVP embedded in SCCRQ to consult its local policy, and to
   determine whether local policy permits the requested DS value to be
   used on this control connection.  If it is unwilling or unable to
   support the requested DS value after consulting the local policy, the
   tunnel terminator MUST send a SCCRP control message containing a CCDS
   AVP indicating the value it is willing to use.  If the CCDS AVP value
   is the same as the one in the SCCRQ, it signals acceptance of the
   requested DS value.  If the value is different, it serves as a
   counter-offer by the tunnel terminator.

   If the tunnel initiator receives an SCCRP that contains a CCDS AVP
   with a value other than that requested in the SCCRQ, the tunnel
   initiator SHOULD check the DS value against its own policy.  If it is
   unwilling to use the value, the tunnel initiator MUST send a StopCCN
   control message containing a Result Code AVP that indicates CCDS AVP
   value [TBD] as the reason for sending the StopCCN.


5.1. Control Connection DS AVP (SCCRQ, SCCRP)

   The CCDS AVP is encoded with Vendor ID 43 and the 16-bit Attribute
   value 1.  (Vendor ID 43 is assigned to 3Com Corporation; it should be
   changed to 0 and an official Attribute value chosen should this
   specification advance on the standards track.)

   Each CCDS AVP is encoded as follows:

     Vendor ID = 43
     Attribute = 1

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|H|0|0|0|0|    Length         |              43               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                1              |           DS Value            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   This AVP MAY be present in the following message types:  SCCRQ and
   SCCRP.  This AVP MAY be hidden (the H-bit set to 0 or 1) and is
   optional (M-bit not set).  The length (before hiding) of this AVP
   MUST be 8 octets.  The encoding of the DS value is described in
   Section 8.


6. Session Operation

   As defined in [RFC 2661], an L2TP session is connection-oriented.
   The LAC and LNS maintain state for each call that is initiated or
   answered by an LAC.  An L2TP session is created between the LAC and
   LNS when an end-to-end connection is established between a Remote
   System and the LNS.  Datagrams related to the connection are sent
   over the tunnel between the LAC and LNS.  As such, this document
   provides a mechanism to enable discrimination of packets within a
   particular session from those in other sessions.  For this purpose,
   we introduce the Session DS (SDS) AVP.

   The presence of the SDS AVP serves as an indication to the peer (LAC
   or LNS) that the session initiator wishes both the session initiator
   and terminator to use the per-hop behavior(s) (PHB(s)) indicated by
   the AVP's DS value for all packets within the session.

   Upon receipt of an Incoming-Call-Request (ICRQ) or Outgoing-Call-
   Request (OCRQ) containing the SDS AVP, if the session terminator
   provides no support for the SDS AVP it MUST ignore the AVP and send
   an ICRP or OCRP to the session initiator without the SDS AVP.  The
   session initiator interprets the absence of the SDS AVP in the ICRP
   or OCRP as an indication that the session terminator is incapable of
   supporting SDS.

   Upon receipt of an ICRP or OCRP that contains no SDS AVP in response
   to an ICRQ or OCRQ that contained an SDS AVP, if the session
   initiator is willing to proceed without SDS it continues session
   establishment as defined in [RFC 2661].  Otherwise, it sends a CDN to
   the session terminator to end the session.  The CDN control message
   MUST contain a Result Code AVP that indicates SDS AVP value [TBD] as
   the reason for sending the CDN.

   In order to help the session terminator distinguish one session from
   another when looking up the DS value in its local or remote policy
   database, the session initiator MAY use the Sub-Address AVP to carry
   other session information in addition to the Calling Number AVP
   (ICRQ) and the Called Number AVP (ICRQ, OCRQ).  As described in [RFC
   2661], the Sub-Address AVP is an ASCII string for encoding additional
   information, and it may be necessary for the administrators of the
   LAC and the LNS to coordinate the interpretation of its value.  For
   instance, the administrators may agree to carry the user name in this
   AVP when PPP is carried in the L2TP payload.

   If the session terminator provides support for SDS, it SHOULD use the
   designated DS identification AVP (agreed out of band between the
   administrators of the LAC and LNS), e.g. the Sub-Address or Calling
   Number AVP, to consult local policy and determine whether local
   policy permits the requested DS value to be used on this session.  If
   it is unwilling or unable to support the requested DS value the
   session terminator MUST do one of the following:

   1) Send a CDN message containing a Result Code AVP that indicates SDS
   AVP value [TBD] as the reason for sending the CDN.

   2) Send an Incoming-Call-Reply (ICRP) or Outgoing-Call-Reply (OCRP)
   message containing a SDS AVP indicating the DS value the terminator
   is willing to use for the session.

   If the session terminator supports the DS value in the SDS AVP
   session establishment MUST continue as defined in [RFC 2661].

   If the session initiator receives an ICRP or OCRP that contains an
   SDS AVP with a value other than that requested in the ICRQ or OCRQ,
   and the session initiator is unwilling to use the value, the session
   initiator MUST send a CDN message containing a Result Code AVP that
   indicates SDS AVP value [TBD] as the reason for sending the CDN.

   If the session initiator receives an ICRP or OCRP that contains an
   SDS AVP with a value other than that requested in the ICRQ or OCRQ,
   and the session initiator is willing to use the value, the session
   initiator MUST proceed as indicated in [RFC 2661].


6.1. Session DS AVP (ICRQ, ICRP, OCRQ, OCRP)

   The SDS AVP is encoded with Vendor ID 43 and the 16-bit Attribute
   value 2.  (Vendor ID 43 is assigned to 3Com Corporation; it should be
   changed to 0 and an official Attribute value chosen should this
   specification advance on the standards track.)

   Each SDS AVP is encoded as follows:

     Vendor ID = 43
     Attribute = 2

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|H|0|0|0|0|    Length         |              43               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                2              |           DS Value            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   This AVP MAY be present in the following message types:  ICRQ, ICRP,
   OCRQ and OCRP.  This AVP MAY be hidden (the H-bit set to 0 or 1) and
   is optional (M-bit not set).  The length (before hiding) of this AVP
   MUST be 8 octets.  The encoding of the DS value is described in
   Section 8.
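   The following is an added example, not code from this draft or from
   any L2TP implementation, covering the AVP framing of Sections 5.1 and
   6.1 and the request/reply handling of Sections 5 and 6.  It uses the
   draft's placeholder Vendor ID 43 and Attribute values 1 and 2, treats
   the DS value as an opaque 16-bit quantity (its encoding is the
   subject of Section 8), and models local policy as a caller-supplied
   function keyed on the peer's Host Name; the peer name "lac1.example"
   and the policy in demo() are constructed for illustration.  The
   parser checks the 10-bit length of every AVP against the message
   before indexing with it, rejects a present-but-malformed DS AVP
   instead of treating it as absent, and refuses to interpret a still-
   hidden AVP, since the H-bit means the value must first be unhidden
   with the tunnel secret.

```python
import struct

# Placeholder numbers from the draft: Vendor ID 43 (3Com) and attributes 1/2.
VENDOR_ID = 43
ATTR_CCDS = 1        # Control Connection DS AVP: SCCRQ, SCCRP
ATTR_SDS = 2         # Session DS AVP: ICRQ, ICRP, OCRQ, OCRP
DS_AVP_LEN = 8       # fixed length before hiding
FLAG_M, FLAG_H, RSVD_MASK, LEN_MASK = 0x8000, 0x4000, 0x3C00, 0x03FF


def build_ds_avp(attr, ds_value):
    """One DS AVP: M=0 (optional), H=0 (not hidden), length 8 octets."""
    if attr not in (ATTR_CCDS, ATTR_SDS) or not 0 <= ds_value <= 0xFFFF:
        raise ValueError("bad attribute or DS value")
    return struct.pack("!HHHH", DS_AVP_LEN, VENDOR_ID, attr, ds_value)


def iter_avps(body):
    """Walk the AVP list of a control message, bounds-checking each length
    before trusting it (a peer-controlled length must never index past
    the end of the message)."""
    off = 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack_from("!HHH", body, off)
        length = flags_len & LEN_MASK
        if length < 6 or off + length > len(body):
            raise ValueError("AVP length runs past the message")
        if flags_len & RSVD_MASK:
            raise ValueError("reserved AVP bits set")
        yield flags_len, vendor, attr, body[off + 6:off + length]
        off += length


def find_ds_avp(body, attr):
    """DS value carried by the CCDS or SDS AVP, or None when the AVP is
    absent.  A hidden copy must be unhidden first (RFC 2661 Section 4.3);
    a copy that is present but malformed is an error, not a silent
    'absent'."""
    for flags_len, vendor, a, value in iter_avps(body):
        if vendor != VENDOR_ID or a != attr:
            continue
        if flags_len & FLAG_H:
            raise ValueError("DS AVP is still hidden")
        if flags_len & FLAG_M:
            raise ValueError("DS AVP must not carry the M-bit")
        if len(value) != 2:
            raise ValueError("DS AVP length must be 8 octets")
        return struct.unpack("!H", value)[0]
    return None


def terminator_reply(attr, request_body, peer_id, supports_ds, policy):
    """Terminator side for an SCCRQ, ICRQ or OCRQ body.  policy(peer_id, ds)
    returns the DS value local policy grants this peer (== ds to accept,
    another value to counter-offer) or None to refuse.  Returns the DS AVP
    bytes for the reply (b'' when none is sent) and the action taken."""
    requested = find_ds_avp(request_body, attr)
    if requested is None or not supports_ds:
        return b"", "omit"          # reply carries no DS AVP
    granted = policy(peer_id, requested)
    if granted is None:
        if attr == ATTR_SDS:
            return b"", "cdn"       # Section 6 option 1: CDN, Result Code [TBD]
        granted = 0                 # CCDS MUST counter-offer; 0 = default PHB
    return build_ds_avp(attr, granted), ("accept" if granted == requested else "counter")


def initiator_decide(attr, requested, reply_body, acceptable):
    """Initiator side for the SCCRP, ICRP or OCRP.  acceptable(ds) is its
    own policy; ds is None when the peer omitted the AVP (no DS support).
    Returns 'proceed' (SCCCN, or continue per RFC 2661) or 'teardown'
    (StopCCN for CCDS, CDN for SDS, each with Result Code [TBD])."""
    offered = find_ds_avp(reply_body, attr)
    if offered == requested or acceptable(offered):
        return "proceed"
    return "teardown"


def demo():
    """Constructed exchange: the initiator asks for DS value 0xB800 (the EF
    DSCP 46 left-justified, see Section 8); the terminator's policy, keyed
    on the peer's Host Name, grants that peer only 0x2800 (AF11) and
    counter-offers; the initiator accepts any counter-offer and proceeds."""
    def policy(peer_id, ds):
        return 0x2800 if peer_id == "lac1.example" else None
    sccrq = build_ds_avp(ATTR_CCDS, 0xB800)
    sccrp, action = terminator_reply(ATTR_CCDS, sccrq, "lac1.example", True, policy)
    verdict = initiator_decide(ATTR_CCDS, 0xB800, sccrp, lambda ds: ds is not None)
    return action, find_ds_avp(sccrp, ATTR_CCDS), verdict


if __name__ == "__main__":
    print(demo())  # ('counter', 10240, 'proceed')
```

   The same two functions serve an ICRQ/ICRP or OCRQ/OCRP exchange by
   passing ATTR_SDS; the only behavioral difference is that a refusing
   session terminator may answer with a CDN, whereas a tunnel terminator
   that supports CCDS must always counter-offer.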


7. DS AVPs Correlation

   The CCDS AVP and SDS AVP are independent of each other.  The CCDS AVP
   is used to signal diffserv for the control connection between two
   L2TP peers, while the SDS AVP is used for the data sessions.  The DS
   value signaled in one AVP SHOULD NOT have any implication for the DS
   value signaled in the other.  Implementations MAY choose to implement
   either or both DS AVPs, and operators MAY choose to enable diffserv
   on either or both types of connection.


8. DS Value Encoding

   The DS value is a left-justified 16-bit field using the Per Hop
   Behavior (PHB) encoding defined in [RFC 2836].  Note that [RFC 2836]
   or its successor is the ultimate authority defining PHB encoding, and
   governs if there is any conflict between it and the text reproduced
   in this section.

   When using PHBs defined by standards action, as per [RFC 2474], each
   DS value is encoded as follows:

    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    DSCP   |0|0|0|0|0|0|0|0|X|0|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   If the DS value comprises a single PHB, the encoding for the DS is
   the encoding for this single PHB.  It is the recommended DSCP value
   for that PHB, left-justified in the 16-bit field, with bits 6 through
   15 set to zero.

   If the DS value comprises multiple PHBs, the encoding for the DS is
   the encoding for this set of PHBs.  It is the numerically smallest
   value of the recommended DSCP for the various PHBs, left-justified in
   the 16 bit field, with bits 6 through 13 and bit 15 set to zero and
   with bit 14 set to one.

   When using PHBs not defined by standards action, each DS value is
   encoded as follows:

    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      PHB id code      |0|0|X|1|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   An arbitrary 12 bit PHB identification code, assigned by the IANA, is
   placed left-justified in the 16 bit field.  Bit 15 is set to 1, and
   bit 14 is zero for a single PHB or 1 for a set of PHBs.  Bits 12 and
   13 are zero.

   Upon successful establishment of an L2TP tunnel control connection or
   individual L2TP session employing the appropriate DS AVP defined in
   this document, both LAC and LNS MUST use their own PHB-to-DSCP
   mappings of their present DS domains to map the PHB to a DSCP and
   place it in the DS field of the outer IP header of packets
   transmitted on the connection.
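   The following is an added example, not code from this draft or from
   [RFC 2836], of the DS value encoding above and of the final PHB-to-
   DSCP step.  Bit numbering follows the draft's diagrams (bit 0 is the
   leftmost bit of the 16-bit field).  The local PHB-to-DSCP table is a
   constructed assumption standing in for one DS domain's policy; it
   deliberately maps EF to DSCP 40 rather than the recommended 46 to
   show that what crosses the tunnel is the PHB, and the DSCP written
   into the outer IP header is whatever the local domain uses for it.
   The decoder rejects non-zero reserved bits rather than masking them
   off, so a peer cannot smuggle an unexpected value past the policy
   check.

```python
# Section 8 encoding of the 16-bit DS value (bit 0 is the leftmost bit, as
# in the draft's diagrams) and the final mapping to the outer IP header.


def encode_std_phb(dscp):
    """Single PHB defined by standards action: recommended DSCP in bits
    0-5, bits 6-15 zero."""
    if not 0 <= dscp <= 63:
        raise ValueError("a DSCP is six bits")
    return dscp << 10


def encode_std_phb_set(dscps):
    """Set of standards-action PHBs: numerically smallest recommended DSCP
    in bits 0-5, bit 14 set, everything else zero."""
    if not dscps or not all(0 <= d <= 63 for d in dscps):
        raise ValueError("need one or more six-bit DSCPs")
    return (min(dscps) << 10) | 0x0002


def encode_iana_phb(code, is_set=False):
    """IANA-assigned 12-bit PHB id code in bits 0-11, bits 12-13 zero,
    bit 14 = 1 for a set of PHBs, bit 15 = 1."""
    if not 0 <= code <= 0xFFF:
        raise ValueError("a PHB id code is twelve bits")
    return (code << 4) | (0x0002 if is_set else 0) | 0x0001


def decode_ds_value(v):
    """Return (kind, identifier, is_set): kind 'dscp' with the six-bit
    DSCP, or kind 'iana' with the twelve-bit PHB id code.  Reserved bits
    that are not zero are rejected rather than ignored."""
    if not 0 <= v <= 0xFFFF:
        raise ValueError("DS value is sixteen bits")
    is_set = bool(v & 0x0002)                 # bit 14
    if v & 0x0001:                            # bit 15: IANA PHB id code
        if v & 0x000C:                        # bits 12-13
            raise ValueError("bits 12 and 13 must be zero")
        return "iana", v >> 4, is_set
    if v & 0x03FC:                            # bits 6-13
        raise ValueError("bits 6 through 13 must be zero")
    return "dscp", v >> 10, is_set


# Constructed local policy of one DS domain (an assumption, not part of the
# draft): which PHB each signaled identifier names, and the DSCP this
# domain actually uses for it.  EF is deliberately mapped to 40 rather than
# the recommended 46 (Section 11).  A set is identified by its smallest
# member's DSCP, so the table is keyed the same way.
LOCAL_PHB = {("dscp", 46): "EF", ("dscp", 10): "AF11", ("dscp", 0): "Default",
             ("iana", 0x123): "LocalPHB"}
LOCAL_DSCP = {"EF": 40, "AF11": 10, "Default": 0, "LocalPHB": 33}


def outer_ds_field(ds_value, ecn=0):
    """DS field octet for the outer IP header: the local DSCP for the
    signaled PHB in the top six bits, the two ECN bits left to the caller."""
    kind, ident, _is_set = decode_ds_value(ds_value)
    phb = LOCAL_PHB.get((kind, ident))
    if phb is None:
        raise KeyError("no local PHB-to-DSCP mapping for the signaled PHB")
    return (LOCAL_DSCP[phb] << 2) | (ecn & 0x3)


if __name__ == "__main__":
    ef = encode_std_phb(46)
    print(hex(ef), decode_ds_value(ef), outer_ds_field(ef))  # 0xb800 ('dscp', 46, False) 160
```

   A terminator that receives a DS value with no entry in its local
   table has nothing to map the PHB to; under Sections 5 and 6 that is
   the "unable to support the requested DS value" case, answered with a
   counter-offer or, for a session, a CDN.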


9. DSCP Selection

   The requirements or rules of each service and DSCP mapping are set
   through administrative policy mechanisms which are outside the scope
   of this document.


10. Packet Reordering and Sequence Numbers

   [RFC 2474] RECOMMENDS that PHB implementations not cause reordering
   of packets within an individual connection.  For L2TP, a set of PHBs
   signaled using a single AVP SHOULD NOT cause additional packet
   reordering within an individual connection compared with using a
   single PHB.  If a set of PHBs is capable of causing such reordering,
   then it SHOULD NOT be signaled with a single L2TP AVP.  As a
   consequence, use of diffserv PHBs in accordance with this
   specification SHOULD NOT cause additional packet reordering within an
   L2TP control or data connection.

   Sequence numbers are required to be present in all control messages
   and are used to provide reliable delivery on the control connection,
   as defined in [RFC 2661].  While packet reordering is inevitably as
   much a function of the network as it is of local traffic
   conditioning, the probability of it occurring when employing the CCDS
   AVP is the same as when not employing the AVP.  Data messages MAY use
   sequence numbers to reorder packets and detect lost packets.


11. Crossing Differentiated Services Boundaries

   With the potential that an L2TP connection traverses an arbitrary
   number of DS domains, signaling PHBs via L2TP is more appropriate
   than signaling DSCPs, because it maintains a consistent end-to-end
   differentiated service for the L2TP connection.  As per [RFC 2983],
   the negotiated PHBs are mapped to locally defined DSCPs of the
   current DS domain at the tunnel ingress node.  At the DS domain
   boundary nodes, the DSCPs can be rewritten in the DS field of the
   outer IP header, so that the DSCPs are always with respect to
   whatever DS domain the packet happens to be in.

   As a result, it is perfectly acceptable that the outermost DS field
   of packets arriving on a given control connection or session are not
   marked with the same DSCP value that was used by the tunnel ingress
   node.


12. IANA Considerations

   Should this document advance on the standards track, official
   Attribute values need to be assigned for the CCDS and SDS AVPs.


13. Security Considerations

   The encoding itself raises no security issues.  However, the DS value
   carried in the CCDS and SDS AVPs selects the forwarding treatment of
   a control connection or session, so a peer or on-path party able to
   insert or modify these AVPs, or the DSCP they map to, MAY obtain
   theft of service (a more favorable PHB than policy allows) or cause
   denial of service (a less favorable one).  The terminator's policy
   decision is keyed on peer-supplied identifiers (the Host Name,
   Sub-Address, Calling Number and Called Number AVPs), which should be
   relied upon only to the extent that the control connection is
   authenticated and integrity-protected; AVP hiding (the H-bit)
   conceals a value from observers but does not by itself authenticate
   it.  Protocols using this encoding MUST therefore be adequately
   protected.  No new security issues beyond those discussed in [RFC
   2474] and [RFC 2475] are introduced here.


14. Acknowledgements

   Many thanks to David Black, W. Mark Townsley, Nishit Vasavada, Andy
   Koscinski and John Shriver for their review and insightful feedback.


15. References

     [RFC 1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD
                51, RFC 1661, July 1994.

     [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

     [RFC 2474] Nichols, K., Blake, S., Baker, F. and D. Black,
                "Definition of the Differentiated Services Field (DS
                Field) in the IPv4 and IPv6 Headers", RFC 2474,
                December 1998.

     [RFC 2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.
                and W. Weiss, "An Architecture for Differentiated
                Services", RFC 2475, December 1998.

     [RFC 2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn,
                G. and B. Palter, "Layer Two Tunneling Protocol
                "L2TP"", RFC 2661, August 1999.

     [RFC 2836] Brim, S., Carpenter, B. and F. Le Faucheur, "Per Hop
                Behavior Identification Codes", RFC 2836, May 2000.

     [RFC 2983] Black, D., "Differentiated Services and Tunnels",
                RFC 2983, October 2000.


16. Authors' Addresses

   Pat R. Calhoun
   Network and Security Research Center, Sun Labs
   Sun Microsystems, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   Phone: +1 650.786.7733
   Email: pcalhoun@eng.sun.com

   Wei Luo
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   Phone: +1 408.525.6906
   Email: luo@cisco.com

   Danny McPherson
   Amber Networks, Inc.
   2465 Augustine Drive
   Santa Clara, CA  95054
   Phone: +1 408.486.6336
   Email: danny@ambernetworks.com

   Ken Peirce
   Malibu Networks, Inc.
   1035 Suncast Lane, Suite 130
   El Dorado Hills, CA 95762
   Phone: +1 916.941.8814
   Email: Ken@malibunetworks.com