Good day all,
A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
Thanks,
Ramy
On 5 May 2015, at 17:27, Ramy Hashish wrote:
Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
The BCP is to re-color on ingress.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
But don't trust that's going to be the rule. I recently had a situation where traffic across a congested public peering link between 2 large "tier-2" carriers was honoring DSCP, resulting in some unexpected inconsistent behavior.
Joel Mulkey
Founder and CEO
Bigleaf Networks
Direct: +1 (503) 985-6964 | Support: +1 (503) 985-8298 | www.bigleaf.net
On May 5, 2015, at 5:30 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 5 May 2015, at 17:27, Ramy Hashish wrote:
Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
The BCP is to re-color on ingress.
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
In general there are very few bad actors here in regards to trusting/accepting/using DSCP across the internet.
Apple has a tendency to mark some traffic with EF that shouldn't be EF on PNIs, and Cogent leaks a lot of their internal markings into customers, but it's generally unmarked traffic from certain customers/peers. Other than that IMHO it's totally valid to accept, and nobody abuses it (other than those 2).
We accept DSCP from the internet and do queue a few things higher towards customers for things like OTT VoIP etc.
Remarking DSCP is bad IMHO, trusting it is another thing. You just have to be careful, and I suggest good netflow tools to keep an eye on it.
On May 5, 2015 5:30 PM, "Ramy Hashish" <ramy.ihashish@gmail.com> wrote:
Good day all,
A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
Thanks,
Ramy
If there isn't a specific peering agreement which sets up DSCP marks with your Z side, you're going to have a bad time doing anything other than remarking to 0.
-Blake
On Tue, May 5, 2015 at 6:35 PM, Tim Jackson <jackson.tim@gmail.com> wrote:
In general there are very few bad actors here in regards to trusting/accepting/using DSCP across the internet.
Apple has a tendency to mark some traffic with EF that shouldn't be EF on PNIs, and Cogent leaks a lot of their internal markings into customers, but it's generally unmarked traffic from certain customers/peers. Other than that IMHO it's totally valid to accept, and nobody abuses it (other than those 2).
We accept DSCP from the internet and do queue a few things higher towards customers for things like OTT VoIP etc.
Remarking DSCP is bad IMHO, trusting it is another thing. You just have to be careful, and I suggest good netflow tools to keep an eye on it.
On May 5, 2015 5:30 PM, "Ramy Hashish" <ramy.ihashish@gmail.com> wrote:
Good day all,
A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
Thanks,
Ramy
On 6 May 2015 at 03:27, Blake Dunlap <ikiris@gmail.com> wrote:
If there isn't a specific peering agreement which sets up DSCP marks with your Z side, you're going to have a bad time doing anything other than remarking to 0.
-Blake
This.
You can't really put SLAs on traffic that has to egress/ingress the Internet, if you try to you're asking for trouble, so we simply remark to 0 on all inbound traffic.
Jamas.
On 7/May/15 11:12, James Bensley wrote:
This.
You can't really put SLAs on traffic that has to egress/ingress the Internet, if you try to you're asking for trouble, so we simply remark to 0 on all inbound traffic.
And this is what sales and marketing droids don't get - so-called "Premium Internet" products abound that don't really mean anything.
The competition that offer these products are basically hoping nothing happens, and that when it does, it seems as palatable as flying First Class in a plane that's going down.
Focus energies on other things, I say... the customers that buy such services should know better, but alas...
Mark.
On 5/7/15 3:05 AM, Mark Tinka wrote:
And this is what sales and marketing droids don't get - so-called "Premium Internet" products abound that don't really mean anything.
The competition that offer these products are basically hoping nothing happens, and that when it does, it seems as palatable as flying First Class in a plane that's going down.
Which is usually a bad thing. I've never heard of an airplane backing into a mountain.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
On 6/May/15 03:35, Tim Jackson wrote:
In general there are very few bad actors here in regards to trusting/accepting/using DSCP across the internet.
Apple has a tendency to mark some traffic with EF that shouldn't be EF on PNIs, and Cogent leaks a lot of their internal markings into customers, but it's generally unmarked traffic from certain customers/peers. Other than that IMHO it's totally valid to accept, and nobody abuses it (other than those 2).
We accept DSCP from the internet and do queue a few things higher towards customers for things like OTT VoIP etc.
Remarking DSCP is bad IMHO, trusting it is another thing. You just have to be careful, and I suggest good netflow tools to keep an eye on it.
We had an odd experience, once, where - due to old hardware - we could not remark traffic we were picking up from a peer in South Africa.
With color-aware policing toward a customer in Uganda, any traffic coming from that peer in South Africa was getting dropped toward that customer in Uganda. After a very odd sequence of troubleshooting events, we found that the AF DSCP values being set by the peer in South Africa (and us passing them due to the old kit not being able to remark on ingress) were causing the color-aware policer in Uganda to drop traffic toward the customer there.
Re-configuring the policer to be color-blind fixed the issue, but you can imagine how such a corner case this was.
Naturally, with new kit in now, our global QoS policy is in effect.
We don't honor DSCP values that come in via best-effort circuits (i.e., the Internet). Although not a very strong reason, this particular experience is one reason why.
Mark.
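The policer behaviour in the message above, modelled as an added example that is not from the thread or from any participant's configuration: a single-rate three-colour marker (RFC 2697) run colour-aware and colour-blind over the same under-rate flow. The AF13 marking, the rates and the drop-red action are assumptions; the thread does not give the actual values.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

def precolor(dscp: int) -> str:
    """Read AF drop precedence (RFC 2597) as an incoming colour; all else green."""
    cls, dp = dscp >> 3, (dscp & 0b111) >> 1
    if 1 <= cls <= 4 and dscp & 1 == 0 and 1 <= dp <= 3:
        return (GREEN, YELLOW, RED)[dp - 1]
    return GREEN

class SrTCM:
    """Single-rate three-colour marker; the caller drops packets metered red."""
    def __init__(self, cir_bps, cbs, ebs, color_aware):
        self.rate = cir_bps / 8.0            # token fill rate in bytes/second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        room = self.cbs - self.tc            # fill Tc first, overflow into Te
        self.tc += min(tokens, room)
        self.te = min(self.ebs, self.te + max(0.0, tokens - room))

    def meter(self, now, size, dscp):
        self._refill(now)
        # Colour-blind mode ignores the marking and treats every packet as green.
        incoming = precolor(dscp) if self.color_aware else GREEN
        if incoming == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if incoming != RED and self.te >= size:
            self.te -= size
            return YELLOW
        return RED                            # pre-coloured red is never upgraded

def delivered(color_aware, dscp, packets=100, size=500, gap=0.01):
    """Packets surviving a 1 Mbit/s policer for a constructed 400 kbit/s flow."""
    p = SrTCM(cir_bps=1_000_000, cbs=10_000, ebs=10_000, color_aware=color_aware)
    return sum(p.meter(i * gap, size, dscp) != RED for i in range(packets))

if __name__ == "__main__":
    AF13 = 14  # assumed marking leaked from the peer
    print("colour-aware:", delivered(True, AF13), "of 100 delivered")
    print("colour-blind:", delivered(False, AF13), "of 100 delivered")
```

The flow is well under the committed rate in both runs; only the inherited marking differs, which is why the fault looks like selective loss from one source rather than congestion.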
We don't honor DSCP values that come in via best-effort circuits (i.e., the Internet). Although not a very strong reason, this particular experience is one reason why.
trusting markings of any sort which you do not need is an increase in attack, game playing, and/or bug surface.
the only thing i would pass is ecn.
randy
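Re-marking to 0 on ingress while still passing ECN, as an added sketch that is not from the thread or from any vendor's implementation: the DSCP bits of the IPv4 ToS byte are cleared, the two ECN bits are kept, and the header checksum is recomputed. The sample header and its addresses are constructed.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 when run over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def remark_ingress(packet: bytes) -> bytes:
    """Set DSCP to 0 (best effort), keep ECN, fix the header checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad or truncated IPv4 header")
    hdr = bytearray(packet[:ihl])
    hdr[1] &= 0x03                     # ToS byte: DSCP is bits 7..2, ECN bits 1..0
    hdr[10:12] = b"\x00\x00"           # zero the checksum field before summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]   # payload is passed through untouched

def build_sample(dscp: int, ecn: int) -> bytes:
    """Constructed 20-byte UDP/IPv4 header using documentation addresses."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 40, 0x1C46, 0x4000,
        64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    pkt = build_sample(dscp=46, ecn=0b10)      # EF with ECT(0), as received
    out = remark_ingress(pkt)
    print("DSCP", pkt[1] >> 2, "->", out[1] >> 2, "| ECN", pkt[1] & 3, "->", out[1] & 3)
    print("checksum valid:", ipv4_checksum(out) == 0)
```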
On Wed, 6 May 2015, Mark Tinka wrote:
With color-aware policing toward a customer in Uganda, any traffic coming from that peer in South Africa was getting dropped toward that customer in Uganda. After a very odd sequence of troubleshooting events, we found that the AF DSCP values being set by the peer in South Africa (and us passing them due to the old kit not being able to remark on ingress) were causing the color-aware policer in Uganda to drop traffic toward the customer there.
I have heard similar stories where game traffic ended up in a 100 kilobit/s VoIP queue which worked fine until there were a lot of nearby players in the game, then things started working very badly. Also nice corner case :P
So yes, setting all external Internet traffic to DSCP=BE (0) is something one wants to do.
--
Mikael Abrahamsson email: swmike@swm.pp.se
That sounds like a rather poor implementation. What if they had more than one VoIP call? Seems like this thread has more FUD than real examples.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Mikael Abrahamsson" <swmike@swm.pp.se>
To: "Mark Tinka" <mark.tinka@seacom.mu>
Cc: "nanog list" <nanog@nanog.org>
Sent: Thursday, May 7, 2015 4:32:52 AM
Subject: Re: IP DSCP across the Internet
On Wed, 6 May 2015, Mark Tinka wrote:
With color-aware policing toward a customer in Uganda, any traffic coming from that peer in South Africa was getting dropped toward that customer in Uganda. After a very odd sequence of troubleshooting events, we found that the AF DSCP values being set by the peer in South Africa (and us passing them due to the old kit not being able to remark on ingress) were causing the color-aware policer in Uganda to drop traffic toward the customer there.
I have heard similar stories where game traffic ended up in a 100 kilobit/s VoIP queue which worked fine until there were a lot of nearby players in the game, then things started working very badly. Also nice corner case :P
So yes, setting all external Internet traffic to DSCP=BE (0) is something one wants to do.
--
Mikael Abrahamsson email: swmike@swm.pp.se
seems pretty real to me, I know we (AS11404) mark to zero on ingress... I think that is the typical case otherwise people would just tag their flood style ddos traffic as max and try to take out everything.
John
________________________________________
From: NANOG [nanog-bounces@nanog.org] on behalf of Mike Hammett [nanog@ics-il.net]
Sent: Thursday, May 07, 2015 4:46 AM
To: nanog list
Subject: Re: IP DSCP across the Internet
That sounds like a rather poor implementation. What if they had more than one VoIP call? Seems like this thread has more FUD than real examples.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Mikael Abrahamsson" <swmike@swm.pp.se>
To: "Mark Tinka" <mark.tinka@seacom.mu>
Cc: "nanog list" <nanog@nanog.org>
Sent: Thursday, May 7, 2015 4:32:52 AM
Subject: Re: IP DSCP across the Internet
On Wed, 6 May 2015, Mark Tinka wrote:
With color-aware policing toward a customer in Uganda, any traffic coming from that peer in South Africa was getting dropped toward that customer in Uganda. After a very odd sequence of troubleshooting events, we found that the AF DSCP values being set by the peer in South Africa (and us passing them due to the old kit not being able to remark on ingress) were causing the color-aware policer in Uganda to drop traffic toward the customer there.
I have heard similar stories where game traffic ended up in a 100 kilobit/s VoIP queue which worked fine until there were a lot of nearby players in the game, then things started working very badly. Also nice corner case :P
So yes, setting all external Internet traffic to DSCP=BE (0) is something one wants to do.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On 5/May/15 12:27, Ramy Hashish wrote:
Good day all,
A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
I wouldn't bet on it. Some providers honor, most remark. We remark. We can only honor DSCP values on private circuits (l2vpn, l3vpn, that sort o' thing). Mark.
I presume nothing is honored. I just encapsulate everything if I'm crossing networks outside my corporate WAN.
Amazing how handy openvpn with no crypto is. :)
-----Original Message-----
From: "Mark Tinka" <mark.tinka@seacom.mu>
Sent: 5/6/2015 12:39 AM
To: "Ramy Hashish" <ramy.ihashish@gmail.com>; "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: IP DSCP across the Internet
On 5/May/15 12:27, Ramy Hashish wrote:
Good day all,
A simple question, does Internet trust IP DSCP marking? Assume two ASs connected through two tier 1 networks, will the tier one networks trust any DSCP markings done from an AS to the other?
I wouldn't bet on it. Some providers honor, most remark. We remark. We can only honor DSCP values on private circuits (l2vpn, l3vpn, that sort o' thing). Mark.
participants (13)
- Blake Dunlap
- Charles Wyble
- James Bensley
- Jay Hennigan
- Joel Mulkey
- John van Oppen
- Mark Tinka
- Mikael Abrahamsson
- Mike Hammett
- Ramy Hashish
- Randy Bush
- Roland Dobbins
- Tim Jackson