QoS Preclassify

• VPNs are growing in popularity.

• The need to classify traffic within a traffic tunnel is also gaining importance.

• QoS for VPNs (QoS preclassify) is a Cisco IOS feature that allows packets to be classified before tunneling and encryption occur.

• Preclassification allows traffic flows to be adjusted in congested environments.

The QoS for VPNs feature (QoS preclassify) is designed for tunnel interfaces. When the feature is enabled, the QoS features on the output interface classify packets before encryption, allowing traffic flows to be adjusted in congested environments. The result is more effective packet tunneling.

The QoS preclassify feature provides a solution for making Cisco IOS QoS services operate in conjunction with tunneling and encryption on an interface. Cisco IOS software can classify packets and apply the appropriate QoS service before the data is encrypted and tunneled. The QoS for VPNs feature allows you to look inside the packet so that packet classification can be done based on original port numbers and source and destination IP addresses. This allows the service provider to treat mission-critical or multiservice traffic with higher priority across its network.

QoS preclassify is supported for generic routing encapsulation (GRE), IP-in-IP (IPIP) tunnels, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP), and IPSec.

QoS Preclassify Applications

This topic describes some of the VPN applications that support QoS preclassification and situations where preclassification is not appropriate.

When packets are encapsulated by tunnel or encryption headers, QoS features are unable to examine the original packet headers and correctly classify packets.

Packets traveling across the same tunnel have the same tunnel headers, so the packets are treated identically if the physical interface is congested.

When packets are encapsulated by a tunneling or encryption protocol, the original packet header is no longer available for examination. From the QoS perspective, without the capability to examine the original packet header, providing differentiated levels of service becomes challenging. The main issue is that the QoS parameter normally found in the header of the IP packet should be reflected in the tunnel packet header, regardless of the type of tunnel in use.

These are the four primary tunneling protocols relevant to VPNs:

QoS Preclassify Issues: GRE Tunneling

ToS classification of encapsulated packets is based on the tunnel header.

By default, the ToS field of the original packet header is copied to the ToS field of the GRE tunnel header.

GRE tunnels commonly are used to provide dynamic routing resilience over IPSec, adding a second layer of encapsulation.

GRE tunnels based on RFC 1702 allow any protocol to be tunneled in an IP packet. Cisco offers support for encapsulation of data using either IPSec or GRE. In either of these scenarios, Cisco IOS software offers the ability to copy the IP type of service (ToS) values from the packet header into the tunnel header. This feature, which appears in Cisco IOS Release 11.3T, allows the ToS bits to be copied to the tunnel header when the router encapsulates the packets.

GRE tunneling allows routers between GRE-based tunnel endpoints to adhere to precedence bits, thereby improving the routing of premium service packets. Cisco IOS QoS technologies such as policy routing, weighted fair queuing (WFQ), and weighted random early detection (WRED), can operate on intermediate routers between GRE tunnel endpoints.

GRE tunnels are commonly used to provide dynamic routing resilience over IPSec. Normal IPSec configurations cannot transfer routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such as Internetwork Packet Exchange (IPX) and AppleTalk.
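The following is an added configuration example, not from the original page, showing how the QoS preclassify feature described above is enabled for the GRE-over-IPSec design just discussed: the output policy on the physical interface classifies on the original (inner) addresses, ports and DSCP because `qos pre-classify` is set on both the tunnel interface and the crypto map. All interface names, addresses, ACL and policy names are constructed, and the IKE/ISAKMP policy and keying are omitted.

```cisco
! Constructed example: identify mission-critical flows by their original
! (pre-encapsulation) addresses and ports; all values are made up.
ip access-list extended MISSION-CRITICAL
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 1433
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 443
!
! Traffic selector for the crypto map: protect the GRE tunnel itself
ip access-list extended GRE-TO-PEER
 permit gre host 198.51.100.1 host 203.0.113.2
!
class-map match-all VOICE
 match ip dscp ef
class-map match-all CRITICAL
 match access-group name MISSION-CRITICAL
!
policy-map WAN-EDGE
 class VOICE
  priority percent 20
 class CRITICAL
  bandwidth percent 40
 class class-default
  fair-queue
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address GRE-TO-PEER
 ! Classify on the cleartext packet, not on the ESP header that hides ports
 qos pre-classify
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! GRE already copies the inner ToS byte to the outer header by default;
 ! pre-classify additionally exposes inner addresses/ports to the policy
 qos pre-classify
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
 ! The policy is applied to the physical output interface, where congestion occurs
 service-policy output WAN-EDGE
```

Without the two `qos pre-classify` statements, the WAN-EDGE policy sees only the GRE/ESP outer headers, so the CRITICAL class can never match and only the copied ToS/DSCP value remains usable for classification.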

QoS Preclassify Issues: IPSec Authentication Header

IPSec AH is for authentication only and does not perform encryption.

With tunnel mode, the ToS byte value is copied automatically from the original IP header to the tunnel header.

With transport mode, the original header is used and therefore the ToS byte is accessible.

IPSec does not define the specific security algorithms to use, but rather, IPSec provides an open framework for implementing industry-standard algorithms.

Authentication Header (AH) provides strong integrity and authentication for IP datagrams using the Secure Hash Algorithm (SHA) or Message Digest 5 (MD5) hash algorithm. AH can also provide non-repudiation. The Internet Assigned Numbers Authority (IANA) has assigned protocol number 51 to AH. Thus, when an AH header is present, in both tunnel mode and transport mode the IP header carries a value of 51 in the protocol field.

QoS Preclassify Issues: IPSec Encapsulating Security Payload

IPSec ESP supports both authentication and encryption.

IPSec ESP consists of an unencrypted header followed by encrypted data and an encrypted trailer.

With tunnel mode, the ToS byte value is copied automatically from the original IP header to the tunnel header.

Encapsulating Security Payload (ESP) consists of an unencrypted header followed by encrypted data and an encrypted trailer. ESP can provide both encryption and authentication.

As with AH, ESP supports the SHA and MD5 hash algorithms for authentication. ESP supports Data Encryption Standard (DES) and 3DES as encryption algorithms. The ESP header is at least 8 bytes. The IANA has assigned protocol number 50 to ESP. Thus, when only an ESP header is present, in both tunnel mode and transport mode the IP header carries a value of 50 in the protocol field.
