QoS Policy and its propagation via BGP (QPPB)
1. Packet Classification
Classification is the process of matching fields in packet headers in order to identify packets that should receive a particular QoS action such as queuing, policing or shaping. Fields such as the protocol type and the source or destination IP address can be matched in the IP header. The source or destination port in the TCP header can also be matched for QoS classification. An extended IP access list with a permit action can be used to match any of these fields.
|Note: QoS Policy Propagation via BGP (QPPB) allows packets to be classified based on access lists, BGP community lists and BGP AS paths. We will discuss it later.|
2. Packet Marking
Marking is the process of setting a value in the IP packet header so that marked packets receive the preferred treatment along the path. Packets can be marked with either an IP Precedence or a DSCP value.
|Note: Classification and marking of packets is usually done on the edge devices. All network devices along the path that support Diffserv use the DSCP value (codepoint) in the IP header to select a per-hop behavior (PHB) for the packet and to provide the appropriate QoS treatment. We will discuss DSCP later.|
RFC 791 defines the legacy way of marking the IP header of packets with IP precedence.
2.1 Packet Marking with IP Precedence
An 8-bit field inside the IP header is dedicated to QoS. RFC 791 defines it as the Type of Service (ToS) byte (Picture 1). The bits T2, T1 and T0 request low delay, high throughput and high reliability, respectively. For instance, T2 = 0 means normal delay, while T2 = 1 means low delay. The bits T2, T1 and T0 were never widely used in practice; only the precedence bits were. The bits CU1 and CU0 are Currently Unused and are reserved for future use.
Picture 1: Bits inside the ToS Byte
The bits P2, P1 and P0 set the IP precedence of the packet. There are 8 values in total, with a higher value representing a higher preference. In case of congestion, a router drops packets with the lower precedence first. For instance, the lowest precedence value 0 is set by the bit combination 000 (Routine), and the highest value 7 by the combination 111 (Network Control).
2.2 Packet Marking with DSCP
Although IP precedence works well, it offers only 8 precedence values. RFC 2474 addresses this limitation by replacing the ToS field in the IP header with the Differentiated Services (DS) field. The first 6 bits of the DS field carry the Differentiated Services Code Point (DSCP) value, also called the codepoint. The 6-bit DSCP field gives us 64 DSCP values that are used for marking packets (Picture 2).
Picture 2: Bits inside DS Byte
The two-bit Currently Unused (CU) field is reserved.
|Note: Differentiated Services (DiffServ) is a computer networking architecture that specifies a simple and scalable mechanism for classifying and managing network traffic and providing quality of service (QoS) on modern IP networks.|
There are three sets of DSCP values used in DiffServ.
2.2.1 Expedited Forwarding (EF)
The Expedited Forwarding (EF) DSCP value is a single decimal value, 46 (binary pattern 101110), used for marking packets that need low delay, low jitter and low loss. By default, Cisco IP phones mark voice payload (RTP) with the EF value 46 and signaling packets (SIP or SCCP) with CS3.
2.2.2 Class Selector (CS)
The DSCP Class Selector (CS) values exist for backward compatibility with the legacy IP precedence QoS model, which uses the 3-bit IP precedence field. The CS set contains 8 DSCP values, each matching one IP precedence value: CS0 matches IP precedence 0, and so on. As DSCP values are 6 bits long, the first three bits of a CS value match the 3-bit IP precedence while the remaining three bits are set to 0. Table 1 shows the matching IP precedence and Class Selector values.
|IP Precedence (IPP)|||Class Selector (CS)|||
|Name|Value|Bits|Name|Value|Bits|
|Routine|0|000|CS0|0|000 000|
|Priority|1|001|CS1|8|001 000|
|Immediate|2|010|CS2|16|010 000|
|Flash|3|011|CS3|24|011 000|
|Flash Override|4|100|CS4|32|100 000|
|Critical|5|101|CS5|40|101 000|
|Internetwork Control|6|110|CS6|48|110 000|
|Network Control|7|111|CS7|56|111 000|
Table 1: Matching Between CS and IPP
2.2.3 Assured Forwarding (AF)
Assured Forwarding (AF) is a set of 12 DSCP values that provide priority levels to different data applications. RFC 2597 defines four AF classes and three levels of drop precedence (probability) in each class. The AF name is presented in the AFxy format, where x refers to the class (1 through 4) and y refers to the drop probability (1 - low, 2 - medium, 3 - high).
Packets marked with the codepoints AF11, AF12 and AF13 would go into one queue of a router, while packets marked with AF21, AF22 and AF23 would go into another.
Inside queue 1, packets marked with AF13 would be dropped before packets marked with AF11, since they carry a higher drop probability.
|Note: AF13 is binary 001 110 (decimal 14). The first three bits 001 are the AF class indicator (class 1), and the next two bits 11 are the drop precedence within the class (level 3). The last bit of the six-bit field is always zero in the AF model. If the sixth bit is set to 1, the DSCP is a user-defined value.|
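As an added illustration (not code from the original article), the following Python decoder splits one ToS/DS byte into the legacy IP precedence of section 2.1 and the DSCP/PHB name of section 2.2, including the AF class and drop-precedence split described in the note above; the sample bytes in the tests and the main block are constructed.

```python
# Added example, not part of the original article: decode an 8-bit ToS/DS
# byte using the bit layouts from RFC 791 (precedence), RFC 2474 (DSCP)
# and RFC 2597 (AF classes). Sample byte values are constructed.

PRECEDENCE_NAMES = [
    "Routine", "Priority", "Immediate", "Flash",
    "Flash Override", "Critical", "Internetwork Control", "Network Control",
]


def dscp_name(dscp: int) -> str:
    """Map a 6-bit codepoint to EF, CSx, AFxy or 'user-defined'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    if dscp == 46:                        # 101110
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111    # class bits, low three bits
    if low == 0:                          # xxx000: Class Selector
        return f"CS{cls}"
    drop, last = low >> 1, low & 1        # xxx dd 0: Assured Forwarding
    if last == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return "user-defined"                 # sixth bit set or unassigned class


def af_dscp(cls: int, drop: int) -> int:
    """Build the codepoint for AFxy: class in bits 5-3, drop level in bits 2-1."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop level 1-3")
    return (cls << 3) | (drop << 1)


def decode_tos(tos_byte: int) -> dict:
    """Return both the RFC 791 and the RFC 2474 reading of one ToS/DS byte."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must fit in 8 bits")
    precedence = tos_byte >> 5            # P2 P1 P0
    dscp = tos_byte >> 2                  # 6-bit codepoint
    return {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "dscp": dscp,
        "phb": dscp_name(dscp),
        "cu": tos_byte & 0b11,            # two currently-unused bits
    }


if __name__ == "__main__":
    for byte in (0xB8, af_dscp(1, 3) << 2, 0xE0):   # EF, AF13, CS7
        print(f"{byte:08b}", decode_tos(byte))
```

Note that every AF1x codepoint decodes to IP precedence 1, which is exactly the backward compatibility the CS table relies on.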
3. QoS Policy Propagation via BGP (QPPB)
QPPB allows packets to be marked based on an IP precedence or QoS group value (internal to the router) associated with a Border Gateway Protocol (BGP) route. A local router in a given AS influences the IP precedence (or QoS group) of traffic sent to it from a remote AS, based on BGP attributes such as the AS path or BGP communities. The QoS policy is therefore implicitly propagated to the remote AS via BGP. Once a packet is classified, QoS features such as Committed Access Rate (CAR) and Weighted Random Early Detection (WRED) can be used to specify and enforce policies.
Picture 3: Network Topology
Let’s look at the following scenario. A customer (AS64501) has an agreement with the ISP (AS64500) regarding the 22.214.171.124/16 prefix. Traffic to and from the 126.96.36.199/16 prefix between AS64501 and AS64502 is treated preferentially within AS64500.
3.1 Initial Configuration
interface Loopback0
 ip address 188.8.131.52 255.255.0.0
interface GigabitEthernet0/3
 ip address 192.168.1.2 255.255.255.252
router bgp 64501
 network 184.108.40.206
 neighbor 192.168.1.1 remote-as 64500

interface Loopback0
 ip address 220.127.116.11 255.255.255.255
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/3
 ip address 192.168.1.1 255.255.255.252
AS64500 runs OSPF as IGP for internal reachability.
router ospf 1
 network 18.104.22.168 0.0.0.0 area 0
 network 10.0.0.0 0.0.0.3 area 0
router bgp 64500
 network 10.0.0.0 mask 255.255.255.0
 neighbor 22.214.171.124 remote-as 64500
 neighbor 126.96.36.199 update-source Loopback0
 neighbor 188.8.131.52 next-hop-self
 neighbor 192.168.1.2 remote-as 64501
A static route to Null0 is needed to advertise the prefix 10.0.0.0/24 via BGP.
ip route 10.0.0.0 255.255.255.0 Null0

interface Loopback0
 ip address 184.108.40.206 255.255.255.255
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/2
 ip address 10.0.0.6 255.255.255.252
router ospf 1
 network 220.127.116.11 0.0.0.0 area 0
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
The RR router is configured as a route reflector for AS 64500 to avoid full-mesh.
router bgp 64500
 bgp log-neighbor-changes
 neighbor 18.104.22.168 remote-as 64500
 neighbor 22.214.171.124 update-source Loopback0
 neighbor 126.96.36.199 route-reflector-client
 neighbor 188.8.131.52 remote-as 64500
 neighbor 184.108.40.206 update-source Loopback0
 neighbor 220.127.116.11 route-reflector-client

interface Loopback0
 ip address 18.104.22.168 255.255.255.255
interface GigabitEthernet0/2
 ip address 10.0.0.5 255.255.255.252
interface GigabitEthernet0/3
 ip address 192.168.2.1 255.255.255.252
router ospf 1
 network 22.214.171.124 0.0.0.0 area 0
 network 10.0.0.4 0.0.0.3 area 0
router bgp 64500
 neighbor 126.96.36.199 remote-as 64500
 neighbor 188.8.131.52 update-source Loopback0
 neighbor 184.108.40.206 next-hop-self
 neighbor 192.168.2.2 remote-as 64502

interface Loopback0
 ip address 220.127.116.11 255.255.0.0
interface GigabitEthernet0/3
 ip address 192.168.2.2 255.255.255.252
router bgp 64502
 bgp log-neighbor-changes
 network 18.104.22.168
 neighbor 192.168.2.1 remote-as 64500
Picture 4: Testing Connectivity Between AS64501 and AS64502
Picture 5: Testing Connectivity Between AS64502 and AS64501
3.2 Identifying BGP prefixes Requiring Preferential Treatment
If we used BGP communities to identify the BGP prefix 22.214.171.124/16 (the one requiring preferential treatment), we would need to configure the PE1 router to tag the prefix with a BGP community. However, as we use the AS_PATH attribute to classify packets on the edge routers, no such configuration is needed.
3.3 Setting FIB policy entries based on the AS-PATH Attribute
When the prefix with special treatment is received from CE1, it contains the AS_PATH attribute set to 64501 (Picture 6). The prefix is propagated via iBGP within AS64500 to PE2.
Picture 6: PE-1 BGP Table with Prefix 126.96.36.199/16 Received from eBGP Peer CE-1
The AS path access-list 10 is configured on PE2 to match 64501 in the AS_PATH attribute. The regular expression matches all routes originating in AS64501, even when the AS_PATH is prepended.
ip as-path access-list 10 permit ^(64501_)+$
The route-map QPPB-AS-PATH-RM matches 64501 in the AS_PATH attribute and sets qos-group 10 on the matching routes.
route-map QPPB-AS-PATH-RM permit 10
 match as-path 10
 set ip qos-group 10
|Note: QoS-group ID is a user-specified number that is assigned to a packet when such packet matches the user-specified criteria. The packet can then be classified based on this number.|
We apply the policy in BGP using the table-map command so that it is reflected in the FIB of PE2.
router bgp 64500
 table-map QPPB-AS-PATH-RM
The command show ip cef 188.8.131.52 shows that the prefix is marked with qos-group ID 10 (Picture 7).
Picture 7: Prefix 184.108.40.206/16 Marked with QoS group 10
3.4 Configuring Traffic lookup on Interface and Setting QoS policies
The prefix has been marked in the FIB of PE2, but no packets will be marked until we configure PE2 to apply the policy to incoming traffic on an interface. This is done with the bgp-policy interface command.
The policy is applied on the interface where the traffic enters (Gi0/3) and classifies packets based on their destination address (220.127.116.11/16).
interface GigabitEthernet0/3
 bgp-policy destination ip-qos-map
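To show what PE2 does internally in sections 3.3 and 3.4, here is an added Python emulation (not the article's or Cisco's code): it translates the IOS AS-path regex dialect, applies the table-map to a constructed BGP table to build a qos-group-marked FIB, and classifies packets by a destination lookup. All prefixes, AS paths and addresses are constructed sample data.

```python
# Added example, not from the original article: a small model of the QPPB
# data path on PE2. The BGP table, prefixes and AS paths are constructed.
import ipaddress
import re

# Constructed BGP table of PE2: prefix -> AS_PATH as IOS prints it.
SAMPLE_BGP_TABLE = {
    "203.0.113.0/24": "64501",                 # received directly from CE1
    "198.51.100.0/24": "64501 64501 64501",    # CE1 with AS_PATH prepending
    "192.0.2.0/24": "64503 64501",             # AS64501 route via another AS
    "10.0.0.0/24": "",                         # originated inside AS64500
}


def cisco_aspath_regex(pattern: str) -> re.Pattern:
    """Translate the IOS AS-path regex dialect to Python. In IOS '_'
    matches a boundary: start or end of the path, a space, comma,
    brace or parenthesis (so 64501_ does not match 645011)."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def build_fib(bgp_table: dict, as_path_acl: str, qos_group: int) -> dict:
    """Emulate 'table-map': a route whose AS_PATH is permitted by the
    as-path access-list is installed with the qos-group; other routes
    are installed unmarked (None)."""
    acl = cisco_aspath_regex(as_path_acl)
    fib = {}
    for prefix, as_path in bgp_table.items():
        network = ipaddress.ip_network(prefix)
        fib[network] = qos_group if acl.search(as_path) else None
    return fib


def classify(fib: dict, dst_ip: str):
    """Emulate 'bgp-policy destination ip-qos-map': longest-prefix match
    on the destination address and return that FIB entry's qos-group."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [net for net in fib if addr in net]
    if not candidates:
        return None                      # no route: nothing to mark
    return fib[max(candidates, key=lambda net: net.prefixlen)]


if __name__ == "__main__":
    fib = build_fib(SAMPLE_BGP_TABLE, "^(64501_)+$", 10)
    for dst in ("203.0.113.7", "198.51.100.1", "192.0.2.9", "10.0.0.5"):
        print(dst, "-> qos-group", classify(fib, dst))
```

The constructed table shows that ^(64501_)+$ marks both the plain and the prepended customer route but leaves a route that reached AS64500 through a third AS unmarked, since its path no longer consists solely of 64501.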
3.5 Enabling Rate limit on Interface as Traffic is Received and Transmitted
Packets are now marked, and we can configure rate limiting on the ingress port Gi0/3 matching qos-group 10. The traffic rate is limited to 5 Mbps (Picture 8).
interface GigabitEthernet0/3
 ip address 192.168.2.1 255.255.255.252
 rate-limit input qos-group 10 5000000 2500 2500 conform-action transmit exceed-action drop
 bgp-policy destination ip-qos-map
Picture 8: Rate-limit Set for GigabitEthernet0/3
The following output shows that when CE2 sends ICMP packets to the 18.104.22.168/16 prefix, PE2 classifies this traffic based on qos-group ID 10 and applies the rate limit to it (Picture 9).
CE2# ping 22.214.171.124 source lo0 repeat 11999 timeout 0 size 1500
Picture 9: Traffic rate limited on Ingress Interface Gi0/3
QPPB offers convenient classification and marking when BGP is already in use, overcoming the scalability problem of classifying based on ACLs and the administrative burden of listing every network that needs premium service.