IP DSCP across the Internet

Good day all,

A simple question: does the Internet trust IP DSCP marking? Assume two ASes
connected through two tier 1 networks; will the tier 1 networks trust any
DSCP markings done from one AS to the other?



The BCP is to re-color on ingress.

But don't trust that's going to be the rule. I recently had a situation where traffic across a congested public peering link between 2 large "tier-2" carriers was honoring DSCP, resulting in some unexpected inconsistent behavior.

Joel Mulkey
Founder and CEO
Bigleaf Networks
Direct: +1 (503) 985-6964 | Support: +1 (503) 985-8298 | www.bigleaf.net

In general there are very few bad actors here in regards to
trusting/accepting/using DSCP across the internet.

Apple has a tendency to mark some traffic with EF that shouldn't be EF on
PNIs, and Cogent leaks a lot of their internal markings into customers, but
it's generally unmarked traffic from certain customers/peers. Other than
that IMHO it's totally valid to accept, and nobody abuses it (other than
those 2).

We accept DSCP from the internet and do queue a few things higher towards
customers for things like OTT VoIP etc.

Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
be careful, and I suggest good netflow tools to keep an eye on it.
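
One way to do the netflow-based check suggested above, as an added example that is not from the poster or any product mentioned in the thread: decode the DSCP field from the TOS byte of flow records, total bytes per peer by DSCP class, and flag peers whose marked share exceeds a threshold. The flow records and ASNs below are constructed placeholders.

```python
"""Audit inbound DSCP markings per peer from flow records (constructed sample)."""
from collections import defaultdict

# DSCP code points (RFC 2474 / RFC 2597 / RFC 3246): CSx = 8*x, AFxy = 8*x + 2*y, EF = 46.
DSCP_NAMES = {0: "BE", 46: "EF"}
DSCP_NAMES.update({8 * x: f"CS{x}" for x in range(1, 8)})
DSCP_NAMES.update({8 * x + 2 * y: f"AF{x}{y}" for x in range(1, 5) for y in range(1, 4)})


def decode_tos(tos: int):
    """Split the IPv4 TOS / IPv6 traffic class byte into (dscp, ecn)."""
    return tos >> 2, tos & 0x3


def dscp_name(dscp: int) -> str:
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


# Constructed flow records: (peer_asn, tos_byte, bytes). ASNs are placeholders, not real peers.
SAMPLE_FLOWS = [
    (64500, 0x00, 900_000), (64500, 0x02, 50_000),   # BE, some with ECN bits set
    (64501, 0xB8, 400_000), (64501, 0x00, 100_000),  # EF (46 << 2 = 0xB8) on 80% of bytes
    (64502, 0x88, 30_000),  (64502, 0x00, 970_000),  # AF41 (34 << 2 = 0x88) on 3% of bytes
]


def summarize(flows):
    """Per peer: total bytes and bytes per DSCP name (ECN bits are ignored, not judged)."""
    totals = defaultdict(int)
    by_class = defaultdict(lambda: defaultdict(int))
    for peer, tos, nbytes in flows:
        dscp, _ecn = decode_tos(tos)
        totals[peer] += nbytes
        by_class[peer][dscp_name(dscp)] += nbytes
    return totals, by_class


def suspicious_peers(flows, max_marked_share=0.10):
    """Peers whose non-BE byte share exceeds the threshold: candidates for remark-to-0 on ingress."""
    totals, by_class = summarize(flows)
    flagged = {}
    for peer, total in totals.items():
        marked = total - by_class[peer].get("BE", 0)
        share = marked / total if total else 0.0
        if share > max_marked_share:
            flagged[peer] = round(share, 3)
    return flagged
```

Feeding real exporter output into SAMPLE_FLOWS's shape is the only adaptation needed; a peer that suddenly appears in the flagged set is the cue to look at its traffic before deciding whether to keep trusting its marks.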

If there isn't a specific peering agreement which sets up DSCP marks
with your Z side, you're going to have a bad time doing anything other
than remarking to 0.


I wouldn't bet on it.

Some providers honor, most remark. We remark.

We can only honor DSCP values on private circuits (l2vpn, l3vpn, that
sort o' thing).


We had an odd experience, once, where - due to old hardware - we could
not remark traffic we were picking up from a peer in South Africa.

With color-aware policing toward a customer in Uganda, any traffic
coming from that peer in South Africa was getting dropped toward that
customer in Uganda. After a very odd sequence of troubleshooting events,
we found that the AF DSCP values being set by the peer in South Africa
(and us passing them due to the old kit not being able to remark on
ingress) were causing the color-aware policer in Uganda to drop traffic
toward the customer there.

Re-configuring the policer to be color-blind fixed the issue, but you
can imagine what a corner case this was.

Naturally, with new kit in now, our global QoS policy is in effect.

We don't honor DSCP values that come in via best-effort circuits (i.e.,
the Internet). Although not a very strong reason, this particular
experience is one reason why.


trusting markings of any sort which you do not need is an increase in
attack, game playing, and/or bug surface. the only thing i would pass
is ecn.


Yes, that's always the caveat.

Just do what you can within your own span of administrative control.

I presume nothing is honored. I just encapsulate everything if I'm crossing networks outside my corporate WAN.

Amazing how handy openvpn with no crypto is. :slight_smile:


You can't really put SLAs on traffic that has to egress/ingress the
Internet, if you try to you're asking for trouble, so we simply remark
to 0 on all inbound traffic.


I have heard similar stories where game traffic ended up in a 100 kilobit/s VoIP queue which worked fine until there were a lot of nearby players in the game, then things started working very badly. Also nice corner case :stuck_out_tongue:

So yes, setting all external Internet traffic to DSCP=BE (0) is something one wants to do.

And this is what sales and marketing droids don't get - so-called
"Premium Internet" products abound that don't really mean anything.

The competition that offer these products are basically hoping nothing
happens, and that when it does, it seems as palatable as flying First
Class in a plane that's going down.

Focus energies on other things, I say... the customers that buy such
services should know better, but alas...


That sounds like a rather poor implementation. What if they had more than one VoIP call?

Seems like this thread has more FUD than real examples.

Seems pretty real to me. I know we (AS11404) mark to zero on ingress... I think that is the typical case; otherwise people would just tag their flood-style DDoS traffic as max and try to take out everything.


Which is usually a bad thing. I've never heard of an airplane backing into a mountain.