Before packets may be enqueued within a queuing system, they must be classified. QoS packet classification may use a wide variety of parameters, including but not limited to those listed in Table 4-1.

Example 4-8 IP Queuing Policy Example

policy-map foo
 class control-n-mgmt-planes
  bandwidth percent 25
 class data-plane
  bandwidth percent 75
interface pos1/1
 service-policy output foo

Table 4-1 QoS Packet Classification Parameters

MQC Classification Parameter    Represents
match ip precedence             The IP precedence, per RFC 791
match ip dscp                   The IP DSCP (differentiated services code point), per RFC 2474
match vlan                      The IEEE 802.1Q VLAN that the IP packet was transmitted or received on
match dlci                      The Frame Relay DLCI (data-link connection identifier) that the IP packet was transmitted or received on
match access-group              An IP standard or extended ACL (see “Interface ACL Techniques” earlier in this chapter)
match qos-group                 An IOS internal QoS group identifier that may be set using any of the other MQC classification parameters as well as through QoS Policy Propagation on BGP (see “BGP Policy Enforcement Using QPPB” later in this chapter)
match mpls experimental         The MPLS Experimental (EXP) field value of an MPLS labeled packet (for more information on this field, refer to Chapter 7 and Appendix B)

IP precedence and DSCP values are defined specifically for IP QoS purposes. Hence, most IP QoS deployments classify packets using either the IP precedence or the IP DSCP value. Packet coloring simply refers to setting the QoS classification identifier (for example, IP DSCP) according to each packet’s assigned traffic class as it ingresses the network. IP precedence is still actively used on the Internet, and routing protocol traffic is conventionally marked with IP precedence 6, which is the same bit pattern as DSCP 48 (CS6): the three IP precedence bits are the high-order bits of the 6-bit DSCP field, so each Class Selector code point maps directly onto a precedence value. Consider the following traffic classes that are commonly defined within differentiated services–based IP QoS architectures:

IP precedence (or Class Selector DSCP) value 6 (CS6, DSCP 48): IP control plane protocols, including, for example, BGP, OSPF, RIP, PIM, IGMP, HSRP, and MPLS LDP.

IP precedence (or Class Selector DSCP) value 5 (CS5, DSCP 40): Real-time data plane traffic class that supports applications such as Voice over IP (VoIP). It offers low delay, jitter, and packet loss.

IP precedence (or Class Selector DSCP) value 0 (CS0, DSCP 0): Best-effort data plane traffic class that defines no minimum requirements for packet delay, jitter, or loss.

For proper QoS handling, the IP precedence value associated with each packet must be set correctly. Otherwise, packets belonging to one traffic class may be enqueued within another traffic class’s queue, which defeats the isolation between traffic classes (as outlined in the preceding “Queuing” section) and thereby allows low-priority traffic to adversely affect high-priority traffic. Using the traffic classes defined in the preceding list as an example, an attacker may attempt to launch a DoS attack against VoIP and control plane traffic by flooding the network with traffic marked IP precedence 5 and 6, respectively. Note that the attack traffic may itself be legitimate best-effort transit traffic (that is, not malicious in content). However, because it is marked with IP precedence value 5 or 6, it is mistakenly serviced from the VoIP or control plane queue instead of the lower-priority best-effort queue. A flood of such traffic may exhaust the real-time and control plane queues, resulting in increased packet drops, control protocol timeouts, and routing protocol failures. If routing protocols fail, IP reachability may be lost, resulting in a DoS condition. Similarly, packet drops within the real-time queue may adversely affect VoIP applications. Hence, to ensure proper packet classification downstream, packet coloring upstream or at the network edge is required: the marking a packet carries must be one the network itself assigned, not one an external sender chose. In this way, traffic isolation can be maintained between low- and high-priority traffic classes and between IP services (for example, Internet and IP VPNs).

IP QoS mechanisms are increasingly being deployed within SP backbones in support of differentiated services and to reduce the risk of collateral damage often caused by transit DoS attacks. QoS requires that packets be classified and colored. However, many SPs want to avoid modifying customer traffic QoS markings, because these packets may be marked in a manner appropriate for some application within the customer’s internal environment. In this case, SPs may provide QoS transparency such that the customer marking is maintained end to end. IP QoS transparency is only supported if the SP tunnels traffic across its core using, for example, MPLS. If the SP tunnels customer traffic through MPLS, there is no need to recolor customer QoS markings at the edge, because the customer QoS markings are hidden (carried unchanged in the inner header and never consulted by core queuing) while transiting the SP network. Therefore, the SP only needs to ensure that the tunnel header (for example, the MPLS EXP field) is appropriately marked.

There are several different versions of QoS transparency. These are well defined within the RFC 3270 MPLS DiffServ tunneling specification as the Uniform, Pipe, and Short Pipe models, which differ in whether the inner header’s marking is overwritten from the tunnel header on egress. Note, however, that if traffic is not tunneled and the SP does not recolor customer QoS values at the network edge, isolation between traffic classes and services within the SP core cannot be assured. This leaves open the DoS attack vector described previously.

The MQC policy shown in Example 4-9 illustrates re-marking the IP DSCP of all packets received on interface POS 1/1 to a value of 0. This prevents external transit traffic from entering the downstream control-n-mgmt-planes traffic queue defined in Example 4-8 above.

Based upon the queuing and recoloring configurations illustrated in Examples 4-8 and 4-9, transit traffic will be isolated from the network core control and management planes. This mitigates the risk of DoS attacks that aim to bypass QoS classification policies.
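The following IOS MQC configuration is an added illustration for this page; it is not the book’s Example 4-8, nor the Example 4-9 that the text refers to (which is not reproduced here). It ties together the two passages above: the classification of the three traffic classes using the Table 4-1 parameters (match ip precedence, match ip dscp, match access-group), and the ingress recoloring at the untrusted edge that keeps externally chosen precedence 5/6 markings out of the real-time and control/management queues. The class-map and policy-map names, the ACL names, the customer prefix 192.0.2.0/24, and the peer addresses 192.0.2.1 (eBGP peer) and 192.0.2.2 (this router) are assumed values chosen for the example. It goes slightly beyond the blanket re-marking the text describes for Example 4-9 by exempting two verified sources (the directly connected eBGP peer and the customer’s VoIP prefix) so that legitimate high-priority traffic is colored by the SP rather than trusted from the sender.

```ios
! Added illustration for this page, not the book's Example 4-8 or 4-9.
! Names, ACLs, the 192.0.2.0/24 customer prefix and the peer addresses
! 192.0.2.1 (eBGP peer) / 192.0.2.2 (this router) are assumed values.
!
! --- Classification (Table 4-1 parameters) ---
! Control/management plane: IP precedence 6 and 7 (CS6 = DSCP 48, CS7 = 56).
class-map match-any control-n-mgmt-planes
 match ip precedence 6 7
! Real-time data plane: precedence 5, i.e. CS5 (DSCP 40) or EF (DSCP 46).
class-map match-any real-time
 match ip dscp cs5 ef
!
! --- Ingress coloring at the untrusted edge (the role of Example 4-9) ---
! Only traffic the SP can verify keeps a high marking on the way in:
! BGP from the directly connected peer, and VoIP from the customer's
! known prefix. Everything else, whatever marking it arrived with, is
! recolored to DSCP 0 and can therefore only land in the best-effort
! queue downstream.
ip access-list extended ebgp-peer
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
ip access-list extended customer-voice
 permit udp 192.0.2.0 0.0.0.255 any range 16384 32767
class-map match-all from-ebgp-peer
 match access-group name ebgp-peer
class-map match-all from-customer-voice
 match access-group name customer-voice
policy-map recolor-transit
 class from-ebgp-peer
  set ip dscp cs6
 class from-customer-voice
  set ip dscp ef
 class class-default
  set ip dscp 0
!
! --- Egress queuing (the role of Example 4-8, with a third class) ---
! Strict priority for real-time, reserved bandwidth for control and
! management, the remainder best effort. 20 + 25 + 30 stays within the
! default 75% max-reserved-bandwidth.
policy-map core-queuing
 class real-time
  priority percent 20
 class control-n-mgmt-planes
  bandwidth percent 25
 class class-default
  bandwidth percent 30
!
interface POS1/1
 description external peering / transit (untrusted)
 service-policy input recolor-transit
 service-policy output core-queuing
```

To check that the recoloring is actually doing its job, use show policy-map interface POS1/1 input: the per-class packet counters show how much arriving traffic fell into class-default (and was therefore re-marked to 0) versus the two exempted classes, and show policy-map interface POS1/1 output confirms that only packets colored by this router or its verified peer are being serviced from the control-n-mgmt-planes and real-time queues. Two caveats: the same output policy must be applied on every core-facing interface for the isolation to hold end to end, and because the input policy rewrites the customer’s marking, it is the opposite of the QoS transparency discussed above; where transparency is required, tunnel the traffic and mark the tunnel header instead of the inner IP header.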
