IP DSCP across the Internet

Ramy_Hashish · May 5, 2015, 10:27am

Good day all,

A simple question, does Internet trust IP DSCP marking? Assume two ASs
connected through two tier 1 networks, will the tier one networks trust any
DSCP markings done from an AS to the other?

Thanks,

Ramy

Dobbins_Roland · May 6, 2015, 12:30am

The BCP is to re-color on ingress.

Joel_Mulkey · May 6, 2015, 1:22am

But don't trust that's going to be the rule. I recently had a situation where traffic across a congested public peering link between 2 large "tier-2" carriers was honoring DSCP, resulting in some unexpected inconsistent behavior.

Joel Mulkey
Founder and CEO
Bigleaf Networks
Direct: +1 (503) 985-6964 | Support: +1 (503) 985-8298 | www.bigleaf.net

Tim_Jackson · May 6, 2015, 1:35am

In general there are very few bad actors here in regards to
trusting/accepting/using DSCP across the internet.

Apple has a tendency to mark some traffic with EF that shouldn't be EF on
PNIs, and Cogent leaks a lot of their internal markings into customers, but
it's generally unmarked traffic from certain customers/peers. Other than
that IMHO it's totally valid to accept, and nobody abuses it (other than
those 2).

We accept DSCP from the internet and do queue a few things higher towards
customers for things like OTT VoIP etc.

Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
be careful, and I suggest good netflow tools to keep an eye on it.

Blake_Dunlap1 · May 6, 2015, 2:27am

If there isn't a specific peering agreement which sets up DSCP marks
with your Z side, you're going to have a bad time doing anything other
than remarking to 0.

-Blake

Mark_Tinka1 · May 6, 2015, 5:38am

I wouldn't bet on it.

Some providers honor, most remark. We remark.

We can only honor DSCP values on private circuits (l2vpn, l3vpn, that
sort o' thing).

Mark.

Mark_Tinka1 · May 6, 2015, 5:43am

We had an odd experience, once, where - due to old hardware - we could
not remark traffic we were picking up from a peer in South Africa.

With color-aware policing toward a customer in Uganda, any traffic
coming from that peer in South Africa was getting dropped toward that
customer in Uganda. After a very odd sequence of troubleshooting events,
we found that the AF DSCP alues being set by the peer in South Africa
(and us passing them due to the old kit not being able to remark on
ingress) was causing the color-aware policer in Uganda to drop traffic
toward the customer there.

Re-configuring the policer to be color-blind fixed the issue, but you
can imagine how such a corner case this was.

Naturally, with new kit in now, our global QoS policy is in effect.

We don't honor DSCP values that comes in via best-effort circuits (i.e.,
the Internet). Although not a very strong reason, this particular
experience is one reason why.

Mark.

Bandy_Rush1 · May 6, 2015, 5:48am

We don't honor DSCP values that comes in via best-effort circuits
(i.e., the Internet). Although not a very strong reason, this
particular experience is one reason why.

trusting markings of any sort which you do not need is an increase in
attack, game playing, and/or bug surface. the only thing i would pass
is ecn.

randy

Dobbins_Roland · May 6, 2015, 12:47pm

Yes, that's always the caveat.

Just do what you can within your own span of administrative control.

Charles_N_Wyble2 · May 7, 2015, 3:14am

I presume nothing is honored. I just encapsulate everything if I'm crossing networks outside my corporate WAN.

Amazing how handy openvpn with no crypto is.

James_Bensley1 · May 7, 2015, 9:12am

This.

You can't really put SLAs on traffic that has to egress/ingress the
Internet, if you try to you're asking for trouble, so we simply remark
to 0 on all inbound traffic.

Jamas.

Mikael_Abrahamsson · May 7, 2015, 9:32am

I have heard similar stories where game traffic ended up in a 100 kilobit/s VoIP queue which worked fine until there were a lot of nearby players in the game, then things started working very badly. Also nice corner case

So yes, setting all external Internet traffic to DSCP=BE (0) is something one wants to do.

Mark_Tinka1 · May 7, 2015, 10:05am

And this is what sales and marketing droids don't get - so-called
"Premium Internet" products abound that don't really mean anything.

The competition that offer these products are basically hoping nothing
happens, and that when it does, it seems as palatable as flying First
Class in a plane that's going down.

Focus energies on other things, I say... the customers that buy such
services should know better, but alas...

Mark.

Mike_Hammett · May 7, 2015, 11:46am

That sounds like a rather poor implementation. What if they had more than one VoIP call?

Seems like this thread has more FUD than real examples.

John_van_Oppen1 · May 7, 2015, 8:02pm

seems pretty real to me, I know we (AS11404) mark to zero on ingress... I think that is the typical case otherwise people would just tag their flood style ddos traffic as max and try to take out everything.

John

Jay_Hennigan · May 8, 2015, 5:27pm

Which is usually a bad thing. I've never heard of an airplane backing into a mountain.