1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
|
<pre>Network Working Group F. Baker
Request for Comments: 4923 Cisco Systems
Category: Informational P. Bose
Lockheed Martin
August 2007
<span class="h1">Quality of Service (QoS) Signaling in a Nested Virtual Private Network</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
Some networks require communication between an interior and exterior
portion of a Virtual Private Network (VPN) or through a concatenation
of such networks resulting in a nested VPN, but have sensitivities
about what information is communicated across the boundary,
especially while providing quality of service to communications with
different precedence. This note seeks to outline the issues and the
nature of the proposed solutions based on the framework for
Integrated Services operation over Diffserv networks as described in
<a href="./rfc2998">RFC 2998</a>.
<span class="grey">Baker & Bose Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Problem Statement ..........................................<a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Background Information and Terminology .....................<a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Nested VPNs ................................................<a href="#page-5">5</a>
<a href="#section-1.4">1.4</a>. Signaled QoS Technology ....................................<a href="#page-7">7</a>
<a href="#section-1.5">1.5</a>. The Resource Reservation Protocol (RSVP) ...................<a href="#page-9">9</a>
<a href="#section-1.6">1.6</a>. Logical Structure of a VPN Router .........................<a href="#page-10">10</a>
<a href="#section-2">2</a>. Reservation and Preemption in a Nested VPN .....................<a href="#page-13">13</a>
<a href="#section-2.1">2.1</a>. Reservation in a Nested VPN ...............................<a href="#page-14">14</a>
<a href="#section-2.2">2.2</a>. Preemption in a Nested VPN ................................<a href="#page-16">16</a>
<a href="#section-2.3">2.3</a>. Working through an Example ................................<a href="#page-17">17</a>
2.3.1. Initial Routine Reservations - Generating
Network State ......................................<a href="#page-18">18</a>
2.3.2. Initial Routine Reservations - Request
Reservation ........................................<a href="#page-19">19</a>
<a href="#section-2.3.3">2.3.3</a>. Installation of a Reservation Using Precedence .....<a href="#page-20">20</a>
<a href="#section-2.3.4">2.3.4</a>. Installation of a Reservation Using Preemption .....<a href="#page-21">21</a>
<a href="#section-3">3</a>. Data Flows within a VPN Router .................................<a href="#page-24">24</a>
3.1. VPN Routers That Carry Data across the
Cryptographic Boundary ....................................<a href="#page-24">24</a>
<a href="#section-3.1.1">3.1.1</a>. Plaintext to Ciphertext Data Flows .................<a href="#page-24">24</a>
<a href="#section-3.1.2">3.1.2</a>. Ciphertext to Plaintext Data Flows .................<a href="#page-27">27</a>
3.2. VPN Routers That Use the Network Guard for
Signaling across the Cryptographic Boundary ...............<a href="#page-28">28</a>
<a href="#section-3.2.1">3.2.1</a>. Signaling Flow .....................................<a href="#page-29">29</a>
<a href="#section-3.2.2">3.2.2</a>. Use Case with Network Guard ........................<a href="#page-30">30</a>
<a href="#section-4">4</a>. Security Considerations ........................................<a href="#page-33">33</a>
<a href="#section-5">5</a>. Acknowledgements ...............................................<a href="#page-34">34</a>
<a href="#section-6">6</a>. References .....................................................<a href="#page-34">34</a>
<a href="#section-6.1">6.1</a>. Normative References ......................................<a href="#page-34">34</a>
<a href="#section-6.2">6.2</a>. Informative References ....................................<a href="#page-35">35</a>
<span class="grey">Baker & Bose Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Problem Statement</span>
More and more networks wish to guarantee secure transmission of IP
traffic across public LANs or WANs and therefore use Virtual Private
Networks. Some networks require communication between an interior
and exterior portion of a VPN or through a concatenation of such
networks resulting in a nested VPN, but have sensitivities about what
information is communicated across the boundary, especially while
providing quality of service to communications with different
precedence. This note seeks to outline the issues and the nature of
the proposed solutions. The outline of the QoS solution for real-
time traffic has been described at a high level in [<a href="./rfc4542" title=""Implementing an Emergency Telecommunications Service (ETS) for Real-Time Services in the Internet Protocol Suite"">RFC4542</a>]. The
key characteristics of this proposal are that
o it uses standardized protocols,
o it includes reservation setup and teardown for guaranteed and
controlled load services using the standardized protocols,
o it is independent of link delay, and therefore consistent with
high delay*bandwidth networks as well as the more common variety,
o it has no single point of failure, such as a central reservation
manager,
o it provides for the preemption of established data flows,
o in that preemption, it not only permits a policy-admitted data
flow in, but selects a specific data flow to exclude based upon
control input rather than simply accepting a loss of service
dictated at the discretion of the network control function, and
o it interoperates directly with SIP Proxies, H.323 Gatekeepers, or
other call management subsystems to present the other services
required in a preemptive or preferential telephone network.
The thrust of the memo surrounds VPNs that use encryption in some
form, such as IPsec and their subsequent nesting across multiple
network domains. This specific type of VPNs is further clarified in
<a href="#section-1.3">Section 1.3</a>, which describes the nested VPN as an example of an IPsec
or IPsec like VPN under the context of a 'customer provisioned' VPN.
As a result, we will discuss the VPN router supporting "plaintext"
and "ciphertext" interfaces. However, the concept extends readily to
any form of aggregation, including the concept proposed in [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>]
of the IP traffic entering and leaving a network at identified
<span class="grey">Baker & Bose Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
points, and the use of other kinds of tunnels including Generic
Routing Encapsulation (GRE), IP/IP, MPLS, and so on.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Background Information and Terminology</span>
A note on the use of the words "priority" and "precedence" in this
document is in order. The term "priority" has been used in this
context with a variety of meanings, resulting in a great deal of
confusion. The term "priority" is used in this document to identify
one of several possible datagram scheduling algorithms. A scheduler
is used when deciding which datagram will be sent next on a computer
interface; a priority scheduler always chooses a datagram from the
highest priority class (queue) that is occupied, shielding one class
of traffic from most of the jitter by passing jitter it would
otherwise have experienced to another class. [<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>] applies the
term to a reservation, in a sense that this document will refer to as
"precedence". The term "precedence" is used in the sense implied in
the phrase "Multi-Level Precedence and Preemption" [<a href="#ref-ITU.MLPP.1990" title=""Multilevel Precedence and Preemption Service"">ITU.MLPP.1990</a>];
some classes of sessions take precedence over others, which may
result in bandwidth being admitted that might not otherwise have been
or may result in the prejudicial termination of a lower-precedence
session under a stated set of circumstances. For the purposes of the
present discussion, "priority" is a set of algorithms applied to
datagrams, where "precedence" is a policy attribute of sessions. The
techniques of priority comparisons are used in a router or a policy
decision point to implement precedence, but they are not the same
thing.
Along the same lines, it is important for the reader to understand
the difference between QoS policies and policies based on the
"precedence" or "importance" of data to the person or function using
it. Voice, regardless of the precedence level of the call, is
impeded by high levels of variation in network-induced delay. As a
result, voice is often serviced using a priority queue, transferring
jitter from that application's traffic to other applications. This
is as true of voice for routine calls as it is for flash traffic.
There are classes of application traffic that require bounded delay.
That is a different concept than "no jitter"; they can accept jitter
within stated bounds. Routing protocols such as OSPF or BGP are
critical to the correct functioning of network infrastructure. While
they are designed to work well with moderate loss levels, they are
not helped by them, and even a short period of high loss can result
in dramatic network events. Variation in delay, however, is not at
all an issue if it is within reasonable bounds. As a result, it is
common for routers to treat routing protocol datagrams in a way that
limits the probability of loss, accepting relatively high delay in
some cases, even though the traffic is absolutely critical to the
network. Telephone call setup exchanges have this characteristic as
<span class="grey">Baker & Bose Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
well: faced with a choice between loss and delay, protocols like SIP
and H.323 far prefer the latter, as the call setup time is far less
than it would be if datagrams had to be retransmitted, and this is
true regardless of whether the call is routine or of high precedence.
As such, QoS markings tell us how to provide good service to an
application independent of how "important" it may be at the current
time, while "importance" can be conveyed separately in many cases.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Nested VPNs</span>
One could describe a nested VPN network in terms of three network
diagrams. Figure 1 shows a simple network stretched across a VPN
connection. The VPN router (where, following [<a href="./rfc2460" title=""Internet Protocol, Version 6 (IPv6) Specification"">RFC2460</a>], a "router"
is "a node that forwards packets not explicitly addressed to
itself"), performs the following steps:
o receives an IP datagram from a plaintext interface,
o determines what remote enclave and therefore other VPN router to
forward it to,
o ensures that it has a tunnel mode security association (as
generally defined in <a href="./rfc4301#section-4">[RFC4301], Section 4</a>) with that router,
o encloses the encrypted datagram within another VPN (e.g., IPsec)
and IP header, and
o forwards the encapsulated datagram toward the remote VPN router.
The receiving VPN router reverses the steps:
o determines what security association the datagram was received
from,
o decrypts the interior datagram,
o forwards the now-decapsulated datagram on a plaintext interface.
The use of IPsec in this manner is described as the tunnel mode of
[<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] and [<a href="./rfc4303" title=""IP Encapsulating Security Payload (ESP)"">RFC4303</a>].
<span class="grey">Baker & Bose Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Host Host Host Host Host Host
/------------------/ /------------------/
Router -------Router
|
VPN-Router
||
|| IPsec Tunnel through routed network
||
VPN-Router
|
Router -------Router
/------------------/ /------------------/
Host Host Host Host Host Host
Figure 1: VPN-Connected Enclave
An important point to understand is that the VPN tunnel, like other
features of the routed network, are invisible to the host. The host
can infer that "something out there" is affecting the Path MTU,
introducing delay, or otherwise affecting its data stream, but if
properly implemented, it should be able to adapt to these. The words
"if properly implemented" are the bane of every network manager,
however; substandard implementations do demonstrably exist.
Outside of the enclave, the hosts are essentially invisible. The
communicating enclaves look like a simple data exchange between peer
hosts across a routed network, as shown in Figure 2.
Hosts Not Visible
/==================/
Router
|
VPN-Router
/---------------------/
Inner Domain
/---------------------/
VPN-Router
|
Router
/==================/
Hosts Not Visible
Figure 2: VPN-Connected Enclave from Exterior Perspective
Such networks can be nested and re-used in a complex manner. As
shown in Figure 3, a pair of enclaves might communicate across a
ciphertext network that, for various reasons, is itself re-encrypted
and transmitted across a larger ciphertext network. The reasons for
<span class="grey">Baker & Bose Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
doing this vary, but they relate to information-hiding in the wider
network, different levels of security required for different enclosed
enclaves, and so on.
Host Host Host Host Host Host
/------------------/ /------------------/
Router -------Router
|
VPN-Router VPN-Router VPN-Router
/---------------------/ /----------/
Router -------------Router
|
VPN-Router VPN-Router
/-----------/ /----------/
Router -------Router
|
|
Router -------Router
/-----------/ /----------/
VPN-Router VPN-Router
|
Router ------------Router
/---------------------/ /----------/
VPN-Router VPN-Router VPN-Router
|
Router -------Router
/------------------/ /------------------/
Host Host Host Host Host Host
Figure 3: Nested VPN
The key question this document explores is "how do reservations, and
preemption of reservations, work in such an environment?"
<span class="h3"><a class="selflink" id="section-1.4" href="#section-1.4">1.4</a>. Signaled QoS Technology</span>
The Integrated Services model for networking was originally proposed
in [<a href="./rfc1633" title=""Integrated Services in the Internet Architecture: an Overview"">RFC1633</a>]. In short, it divides all applications into two broad
classes: those that will adapt themselves to any available bandwidth,
and those that will not or cannot. In the words of [<a href="./rfc1633" title=""Integrated Services in the Internet Architecture: an Overview"">RFC1633</a>]:
One class of applications needs the data in each packet by a
certain time and, if the data has not arrived by then, the data
is essentially worthless; we call these "real-time"
applications. Another class of applications will always wait
for data to arrive; we call these "elastic" applications.
<span class="grey">Baker & Bose Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
The Integrated Services model defines data flows supporting
applications as either "real-time" or "elastic". It should be noted
that "real-time" traffic is also referred to as "inelastic" traffic,
and that elastic traffic is occasionally referred to as "non-real-
time".
In this view, the key issue is the so-called "playback point": a
real-time application is considered to have a certain point in time
at which data describing the next sound, picture, or whatever to be
delivered to a display device or forfeit its utility, while an
elastic application has no such boundary. Another way to look at the
difference is that real-time applications have an irreducible lower
bound on their bandwidth requirements. For example, the typical
G.711 payload is delivered in 160-byte samples (plus 40 bytes of IP/
UDP/RTP headers) at 20 millisecond intervals. This will yield 80
kbps of bandwidth, without silence suppression, and not accounting
for the layer 2 overhead. To operate in real-time, a G.711 codec
requires the network over which its data will be delivered to support
communications at 80 kbps at the IP layer with roughly constant end-
to-end delay and nominal or no loss. If this is not possible (if
there is significant loss or wide variations in delay), voice quality
will suffer. On the other hand, if many megabits of capacity are
available, the G.711 codec will not increase its bandwidth
requirements either. Although adaptive codecs exist (e.g., G.722.2
or G.726), the adaptive mechanism can either require greater or
lesser bandwidth and can adapt only within a certain range of
bandwidth requirements beyond which the quality of the data flow
required is not met. Elastic applications, however, will generally
adapt themselves to any network: if the bottleneck provides 9600 bits
per second, a Web transfer or electronic mail exchange will happen at
9600 bits per second, and if hundreds of megabits are available, the
TCP (or SCTP) transport will increase their transfer rate in an
attempt to reduce the time required to accomplish the transfer.
For real-time applications, those that require data to be delivered
end to end with at least a certain rate and with delays varying
between stated bounds, the Integrated Services architecture proposes
the use of a signaling protocol that allows the communicating
applications and the network to communicate about the application
requirements and the network's capability to deliver them. Several
such protocols have been developed or are under development, notably
including the Resource Reservation Protocol (RSVP) and Next Steps in
Signaling (NSIS). The present discussion is limited to RSVP,
although any protocol that delivers a similar set of capabilities
could be considered.
<span class="grey">Baker & Bose Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h3"><a class="selflink" id="section-1.5" href="#section-1.5">1.5</a>. The Resource Reservation Protocol (RSVP)</span>
RSVP is initially defined in [<a href="./rfc2205" title=""Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification"">RFC2205</a>] with a set of datagram
processing rules defined in [<a href="./rfc2209" title=""Resource ReSerVation Protocol (RSVP) -- Version 1 Message Processing Rules"">RFC2209</a>] and datagram details for
Integrated Services [<a href="./rfc2210" title=""The Use of RSVP with IETF Integrated Services"">RFC2210</a>]. Conceptually, this protocol specifies
a way to identify data flows from a source application to a
destination application and request specific resources for them. The
source may be a single machine or a set of machines listed explicitly
or implied, whereas the destination may be a single machine or a
multicast group (and therefore all of the machines in it). Each
application is specified by a transport protocol number in the IP
protocol field, or may additionally include destination and perhaps
source port numbers. The protocol is defined for both IPv4 [<a href="./rfc0791" title=""Internet Protocol"">RFC0791</a>]
and IPv6 [<a href="./rfc2460" title=""Internet Protocol, Version 6 (IPv6) Specification"">RFC2460</a>]. It was recognized immediately that it was also
necessary to provide a means to perform the same function for various
kinds of tunnels, which implies a relationship between what is inside
and what is outside the tunnel. Definitions were therefore developed
for IPsec [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>] and [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>] and for more generic forms of
tunnels [<a href="./rfc2746" title=""RSVP Operation Over IP Tunnels"">RFC2746</a>]. With the later development of the Differentiated
Services Architecture [<a href="./rfc2475" title=""An Architecture for Differentiated Services"">RFC2475</a>], definitions were added to specify
the Differentiated Services Code Point (DSCP) [<a href="./rfc2474" title=""Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers"">RFC2474</a>] to be used by
a standard RSVP data flow in [<a href="./rfc2996" title=""Format of the RSVP DCLASS Object"">RFC2996</a>] and to use a pair of IP
addresses and a DSCP as the identifying information for a data flow
[<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>].
In addition, the initial definition of the protocol included a
placeholder for policy information, and for preemption of
reservations. This placeholder was later specified in detail in
[<a href="./rfc2750" title=""RSVP Extensions for Policy Control"">RFC2750</a>] with a view to associating a policy [<a href="./rfc2872" title=""Application and Sub Application Identity Policy Element for Use with RSVP"">RFC2872</a>] with an
identity [<a href="./rfc3182" title=""Identity Representation for RSVP"">RFC3182</a>] and thereby enabling the network to provide a
contracted service to an authenticated and authorized user. This was
integrated with the Session Initiation Protocol [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>] in
[<a href="./rfc3312" title=""Integration of Resource Management and Session Initiation Protocol (SIP)"">RFC3312</a>]. Preemption of a reservation is specified as in [<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>]
-- a reservation that is installed in the network using an Preemption
Priority and retained using a separate Defending Priority may be
removed by the network via an RESV Error signal that removes the
entire reservation. This has issues, however, in that the matter is
often not quite so black and white. If the issue is that an existing
reservation for 80 kbps can no longer be sustained but a 60 kbps
reservation could, it is possible that a VoIP sender could change
from a G.711 codec to a G.729 codec and achieve that. Or, if there
are multiple sessions in a tunnel or other aggregate, one of the
calls could be eliminated leaving capacity for the others. [<a href="./rfc4495" title=""A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow"">RFC4495</a>]
seeks to address this issue.
In a similar way, a capability was added to limit the possibility of
control signals being spoofed or otherwise attacked [<a href="./rfc2747" title=""RSVP Cryptographic Authentication"">RFC2747</a>]
[<a href="./rfc3097" title=""RSVP Cryptographic Authentication -- Updated Message Type Value"">RFC3097</a>].
<span class="grey">Baker & Bose Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
[<a id="ref-RFC3175">RFC3175</a>] describes several features that are unusual in RSVP, being
specifically set up to handle aggregates in a service provider
network. It describes three key components:
o The <a href="./rfc3175">RFC 3175</a> session object, which identifies not the IP addresses
of the packets that are identified, but the IP addresses of the
ingress and egress devices in the network, and the DSCP that the
traffic will use.
o The function of a reservation "aggregator", which operates in the
ingress router and accepts individual reservations from the
"customer" network. It aggregates the reservations into the ISP
core in a tunnel or an MPLS LSP, or as a traffic stream that is
known to leave at the deaggregator.
o The function of a reservation "deaggregator", which operates in
the egress router and breaks the aggregate reservation and data
streams back out into individual data streams that may be passed
to other networks.
In retrospect, the Session Object specified by <a href="./rfc3175">RFC 3175</a> is useful but
not intrinsically necessary. If the ISP network uses tunnels, such
as MPLS LSPs, IP/IP or GRE tunnels or enclosing IPsec Security
Associations, the concepts of an aggregator and a deaggregator work
in the same manner, although the reservation mechanism would be that
of [<a href="./rfc3473" title=""Generalized Multi-Protocol Label Switching (GMPLS) Signaling Resource ReserVation Protocol-Traffic Engineering (RSVP-TE) Extensions"">RFC3473</a>] and [<a href="./rfc3474" title=""Documentation of IANA assignments for Generalized MultiProtocol Label Switching (GMPLS) Resource Reservation Protocol - Traffic Engineering (RSVP-TE) Usage and Extensions for Automatically Switched Optical Network (ASON)"">RFC3474</a>], [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>], [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>], or [<a href="./rfc2746" title=""RSVP Operation Over IP Tunnels"">RFC2746</a>].
<span class="h3"><a class="selflink" id="section-1.6" href="#section-1.6">1.6</a>. Logical Structure of a VPN Router</span>
The conceptual structure of a VPN router is similar to that of any
other router. In its simplest form, it is physically a two or more
port device (similar to that shown in Figure 4), which has one or
more interfaces to the protected enclave(s) and one or more
interfaces to the outside world. On the latter, it structures some
number of tunnels (in the case of an IPsec tunnel, having security
associations) that it can treat as point-to-point interfaces from a
routing perspective.
<span class="grey">Baker & Bose Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
+---------+ +-------+ +----+----+ +---------+
| RSVP | |Routing| |Net Guard| |IPsec Mgr|
+----+----+ +---+---+ +----+----+ +----+----+
| | | |
+----+-----------+------------+-----------------+----+
| IP |
+-----------+--------------------+------------+------+
| | |
| +-----+-----+ +----+------+
| | Encrypt/ | | Encrypt/ |
| |Decrypt for| |Decrypt for|
| | Security | | Security |
| |Association| |Association|
| +-----+-----+ +----+------+
| | |
+-----------+------------+ +-----+------------+------+
| Plaintext | | Ciphertext |
| Interface | | Interface |
+------------------------+ +-------------------------+
Figure 4: Logical Structure of a VPN Router
The encrypt/decrypt unit may be implemented as a function of the
plaintext router, as a function on its interface card, or as a
function of an external device with a private interface to the IP
routing functionality of the plaintext router. These are
conceptually equivalent, although there are practical differences in
implementation. The key issue is that when IP routing presents a
message to the encrypt/decrypt unit for transmission, it must also be
presented with the IP address of the plaintext routing peer, whether
host or router, to which the security association must be
established. This IP Address is used to select (and perhaps create)
the security association, and in turn select the appropriate set of
security parameters. This could also be implemented by presenting
the local Security Parameter Index (SPI) for the data, if it has been
created out of band by the Network Management Process.
In addition, it is necessary for aggregated signaling to be generated
for the ciphertext domain. This may be accomplished in several ways:
o by having the RSVP process on the plaintext router generate the
messages and having the encrypt/decrypt unit bypass them into the
ciphertext network
o by having the plaintext RSVP process advise a process in the
encrypt/decrypt implementation of what needs to be generated using
some local exchange, and having it generate such messages, or
<span class="grey">Baker & Bose Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
o by having a separate parallel network management system
intermediate between the plaintext and ciphertext routers, in
which case, the encrypt/decrypt unit and the parallel network
system must use the same address, and the ciphertext router must
distinguish between traffic for them based on SPI or the presence
of encryption.
Control plane signaling using this additional path is described in
<a href="#section-3.2">Section 3.2</a>. The information flow between the plaintext and
ciphertext domains includes
o IP datagrams via the encrypt/decrypt unit,
o RSVP signaling via the bypass path,
o Control information coordinating security associations, and
o precious little else.
<span class="grey">Baker & Bose Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Reservation and Preemption in a Nested VPN</span>
/ \
( +--+ +--+ enclave ) ,---------.
.----------. \ |H2+---+R2| / ,-' `
+--+ +--+`--.\ +--+ ++-+ / / +--+ +--+
|H1+---+R1| \`. | ,' / |R3+---+H3|
+--+ +-++ ) '--. +----++ _.-' ( ++-+ +--+
| / _.`---|VPN2||''-. \ |
enclave +----+-i.--'' +----++ `----.\ +----+ enclave
--------|VPN1|' | ``|VPN3| ,
,+----+ | +----+------'
,' --+-------+----------+------------------+---`.
,' ++-+ `.
,' |R7+--------+ `.
/ interface +--+ | \
domain 1 +-+--+ \
_.--------|VPN7|--------.
,-----'' +--+-+ `------. .
`-. ,-' | `-. .-'
`-: inner domain +-++ `.'
( |R9| )
.'. ++-+ ;-.
.' `-. | ,-' `-.
' `------. +-+--+ _.-----' `
interface `---------|VPN8|-------''
domain 2 +-+--+ /
\ | +--+ /
`. +----------+R8| ,'
`. ++-+ ,'
`. --+------------------+-----------+------+-- ,'
,-----+----+ | +----+------.
,' |VPN6|. | _.|VPN4| `
+----+.`----. +----+ _.--'' ,+----+
| \ `--=.-|VPN5|---:' / |
+--+ ++-+ : ,-'' +----+ `--. ; ++-+ +--+
|H6+---+R6| | ,' | `.| |R4+---+H4|
+--+ +--+ ;/ +--+ ++-+ : +--+ +--+
// |H5+---+R5| \
enclave ,'( +--+ +--+ `. enclave
`. ,' \ enclave / '-. ,
`-------' \ / `-------'
Figure 5: Reservations in a Nested VPN
Let us discuss how a resource reservation protocol, and specifically
RSVP, might be used in a nested virtual private network.
<span class="grey">Baker & Bose Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Reservation in a Nested VPN</span>
A reservation in a nested VPN is very much like a reservation in any
other network, with one exception: it is composed of multiple
reservations that must be coordinated. These include a reservation
within the originating and receiving enclaves and a reservation at
each layer of the VPN, as shown in Figure 5.
Thus, when a host in one enclave opens a reservation to a host in
another enclave, a reservation of the appropriate type and size is
created end to end. As it traverses the VPN router leaving its
enclave, the reservation information and the data are placed within
the appropriate tunnel (e.g., the IPsec Security Association for its
precedence level to the appropriate remote VPN router). At the
remote VPN router, it is extracted from the tunnel and passed on its
way to the target system. The data in the enclave will be marked
with a DSCP appropriate to its application and (if there is a
difference) precedence level, and the signaling datagrams (PATH and
RESV) are marked with a DCLASS object indicating that value. RSVP
signaling datagrams (PATH and RESV) are marked with a DCLASS object
indicating the value used for the corresponding data. The DSCP on
the signaling datagrams, however, is a DSCP for signaling, and has
the one provision that if routing varies by DSCP, then it must be a
DSCP that is routed the same way as the relevant data. The [<a href="./rfc2872" title=""Application and Sub Application Identity Policy Element for Use with RSVP"">RFC2872</a>]
policy object specifies the applicable policy (e.g., "routine service
for voice traffic") and asserts a [<a href="./rfc3182" title=""Identity Representation for RSVP"">RFC3182</a>] credential indicating its
user (which may be a person or a class of persons). As specified in
[<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>], it also specifies its Preemption Priority and its
Defending Priority; these enable the Preemption Priority of a new
session to be compared with the Defending Priority of previously
admitted sessions.
On the ciphertext side of the VPN router, no guarantees result unless
the VPN router likewise sets up a reservation to the peer VPN Router
across the ciphertext domain. Thus, the VPN router sets up an
[<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>], [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>], or [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] reservation to its peer.
The Session Object defined by [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>] or [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>] contains a field
called a "virtual destination port", which allows the multiplexing of
many reservations over a common security association and, in the
latter case, a common DSCP value. Thus, the voice traffic at every
precedence level might use the Expedited Forwarding (EF) DSCP and
service as described in [<a href="./rfc3246" title=""An Expedited Forwarding PHB (Per-Hop Behavior)"">RFC3246</a>], but the reservations would be for
"the aggregate of voice sessions at precedence Pn between these VPN
routers". This would allow the network administration to describe
policies with multiple thresholds, such as "a new session at
precedence Pn may be accepted if the total reserved bandwidth does
not exceed threshold Qn; if it is necessary and sufficient to accept
<span class="grey">Baker & Bose Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
the reservation, existing reservations at lower precedences may be
preemptively reduced to make acceptance of the new session possible".
In the [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] case, since the DSCP must be used to identify both
the reservation and the corresponding data stream, the aggregate
reservations for different precedence levels require different DSCP
values.
In either case, the fundamental necessity is for one VPN router to
act as what [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] calls the "aggregator" and another to act as
the "deaggregator", and extend a VPN tunnel between them. If the VPN
Tunnel is an IPsec Security Association between the VPN routers and
the IP packet is entirely contained within (such as is used to cross
a firewall), then the behavior of [<a href="./rfc2746" title=""RSVP Operation Over IP Tunnels"">RFC2746</a>] is required of the
tunnel. That bearer will have the following characteristics:
o it will have a DSCP corollary to the DSCP for the data or the same
DSCP as the data it carries,
o the reservations and data will be carried in security associations
between the VPN routers, and
o the specification for the reservation for the tunnel itself will
not be less than the sum of the requirements of the aggregated
reservations.
The following requirements relationships apply between the set of
enclosed reservations and the tunnel reservation:
o The sum of the average rates of the contained reservations, having
been adjusted for the additional IP headers, will be less than or
equal to the average rate of the tunnel reservation.
o The sum of the peak rates of the contained reservations, having
been adjusted for the additional IP headers, will be less than or
equal to the peak rate of the tunnel reservation.
o The sum of the burst sizes of the contained reservations, having
been adjusted for the additional IP headers, will be less than or
equal to the burst size of the tunnel reservation.
o The Preemption Priority of a tunnel reservation is identical to
that of the individual reservations it aggregates.
o The Defending Priority of a tunnel reservation is identical to
that of the individual reservations it aggregates.
<span class="grey">Baker & Bose Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
This would differ only in the case that measurement-based admission
is in use in the tunnel but not in the end system. In that case, the
tunnel's average bandwidth specification would be greater than or
equal to the actual average offered traffic. Such systems are beyond
the scope of this specification.
As a policy matter, it may be useful to note a quirk in the way
Internet QoS works. If the policies for various precedence levels
specify different thresholds (e.g., "to accept a new routine call,
the total reserved bandwidth after admission may not exceed X; to
accept a call with a higher precedence level, the total reserved
bandwidth after admission may not exceed X+Y, and this may be
achieved by preempting a call with a lower precedence level"), the
bandwidth Y effectively comes from the bandwidth in use by elastic
traffic rather than forcing a preemption event.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Preemption in a Nested VPN</span>
As discussed in <a href="#section-1.5">Section 1.5</a>, preemption is specified in [<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>] and
further addressed in [<a href="./rfc4495" title=""A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow"">RFC4495</a>]. The issue is that in many cases the
need is to reduce the bandwidth of a reservation due to a change in
the network, not simply to remove the reservation. In the case of an
end-system-originated reservation, the end system might be able to
accommodate the need through a change of codec; in the case of an
aggregate of some kind, it could reduce the bandwidth it is sending
by dropping one or more reservations entirely.
In a nested VPN or other kind of aggregated reservation, this means
that the deaggregator (the VPN router initiating the RESV signal for
the tunnel) must
o receive the RESV Error signaling it to reduce its bandwidth,
o re-issue its RESV accordingly,
o identify one or more of its aggregated reservations, enough to do
the job, and
o signal them to reduce their bandwidth accordingly.
It is possible, of course, that it is signaling them to reduce their
bandwidth to zero, which is functionally equivalent to removing the
reservation as described in [<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>].
In the routers in the core, an additional case arises. One could
imagine that some enclave presents the VPN with a single session, and
that session has a higher precedence level. If some interior link is
congested (e.g., the reserved bandwidth will exceed policy if the
<span class="grey">Baker & Bose Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
call is admitted), a session between a different pair of VPN routers
must be preempted. More generally, in selecting a reservation to
preempt, the core router must always select a reservation at the
lowest available Defending Priority. This is the reason that various
precedence levels must be kept separate in the core.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Working through an Example</span>
The network in Figure 5 shows three security layers: six plaintext
enclaves around the periphery, two ciphertext domains connecting them
at one layer (referred to in the diagram as an "interface domain"),
and a third ciphertext domain connecting the first two (referred to
in the diagram as an "inner domain"). The following distribution of
information exists:
o Each enclave has access to general routing information concerning
other enclaves it is authorized to communicate with: systems in it
can translate a DNS name for a remote host or domain and obtain
the corresponding address or prefix.
o Each enclave router also has specific routing information
regarding its own enclave.
o A default route is distributed within the enclave, pointing to its
VPN router.
o VPN Routers 1-6 are able to translate remote enclave prefixes to
the appropriate remote enclave's VPN router addresses.
o Each interface domain has access to general routing information
concerning the other interface domains, but not the enclaves.
Systems in an interface domain can translate a DNS name for a
remote interface domain and obtain the corresponding address or
prefix.
o Each interface domain router also has specific routing information
regarding its own interface domain.
o A default route is distributed within the interface domain,
pointing to the "inner" VPN router.
o VPN Routers 7 and 8 are able to translate remote interface domain
prefixes to remote VPN router addresses.
o Routers in the inner domain have routing information for that
domain only.
<span class="grey">Baker & Bose Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
While the example shows three levels, there is nothing magic about
the number three. The model can be extended to any number of
concentric layers.
Note that this example places unidirectional reservations in the
forward direction. In voice and video applications, one generally
has a reservation in each direction. The reverse direction is not
discussed, for the sake of clarity, but operates in the same way in
the reverse direction and uses the same security associations.
<span class="h4"><a class="selflink" id="section-2.3.1" href="#section-2.3.1">2.3.1</a>. Initial Routine Reservations - Generating Network State</span>
Now let us install a set of reservations from H1 to H4, H2 to H5, and
H3 to H6, and for the sake of argument, let us presume that these are
at the "routine" precedence. H1, H2, and H3 each initiate a PATH
signal describing their traffic. For the sake of argument, let us
presume that H1's reservation is for an [<a href="./rfc2205" title=""Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification"">RFC2205</a>] session, H2's
reservation is for a session encrypted using IPsec, and therefore
depends on [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>], and H3 (which is a Public Switched Telephone
Network (PSTN) gateway) sends an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] reservation comprising a
number of distinct sessions. Since these are going to H4, H5, and
H6, respectively, the default route leads them to VPN1, VPN2, and
VPN3, respectively.
The VPN routers each ensure that they have an appropriate security
association or tunnel open to the indicated remote VPN router (VPN4,
VPN5, or VPN6). This will be a security association or tunnel for
the indicated application at the indicated precedence level. Having
accomplished that, it will place the PATH signal into the security
association and forward it. If such does not already exist,
following [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>]'s aggregation model, it will now open a
reservation (send a PATH signal) for the tunnel/SA within the
interface domain; if the reservation does exist, the VPN router will
increase the bandwidth indicated in the ADSPEC appropriately. In
this example, these tunnel/SA reservations will follow the default
route to VPN7.
VPN7 ensures that it has an appropriate security association or
tunnel open to VPN8. This will be a security association or tunnel
for the indicated application at the indicated precedence level.
Having accomplished that, it will place the PATH signal into the
security association and forward it. If such does not already exist,
following [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>]'s aggregation model, it will now open a
reservation (send a PATH signal) for the tunnel/SA within the
interface domain; if the reservation does exist, the VPN router will
increase the bandwidth indicated in the ADSPEC appropriately. In
this example, this tunnel/SA reservation is forwarded to VPN8.
<span class="grey">Baker & Bose Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
VPN8 acts as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] deaggregator for the inner domain. This
means that it receives the PATH signal for the inner domain
reservation and stores state, decrypts the data stream from VPN7,
operates on the RSVP signals as an RSVP-configured router, and
forwards the received IP datagrams (including the updated PATH
signals) into its interface domain. The PATH signals originated by
VPN1, VPN2, and VPN3 are therefore forwarded towards VPN4, VPN5, and
VPN6 according to the routing of the interface domain.
VPN4, VPN5, and VPN6 each act as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] deaggregator for the
interface domain. This means that it receives the PATH signal for
the interface domain reservation and stores state, decrypts the data
stream from its peer, operates on the RSVP signals as an RSVP-
configured router, and forwards the received IP datagrams (including
the updated PATH signals) into its enclave. The PATH signals
originated by H1, H2, and H3 are therefore forwarded towards H4, H5,
and H6 according to the routing of the enclave.
H4, H5, and H6 now receive the original PATH signals and deliver them
to their application.
<span class="h4"><a class="selflink" id="section-2.3.2" href="#section-2.3.2">2.3.2</a>. Initial Routine Reservations - Request Reservation</span>
The application in H4, H5, and H6 decides to install the indicated
reservations, meaning that they now reply with RESV signals. These
signals request the bandwidth reservation. Following the trail left
by the PATH signals, the RESV signals traipse back to their
respective sources. The state left by the PATH signals leads them to
VPN4, VPN5, and VPN6, respectively. If the routers in the enclaves
are configured for RSVP, this will be explicitly via R4, R5, or R6;
if they are not, routing will lead them through those routers.
The various RSVP-configured routers en route in the enclave
(including the VPN router on the "enclave" side) will verify that
there is sufficient bandwidth on their links and that any other
stated policy is also met. Having accomplished that, each will
update its reservation state and forward the RESV signal to the next.
The VPN routers will also each generate an RESV for the reservation
within the interface domain, attempting to set or increase the
bandwidth of the reservation appropriately.
The various RSVP-configured routers en route in the interface domain
(including VPN8) will verify that there is sufficient bandwidth on
their links and that any other stated policy is also met. Having
accomplished that, each will update its reservation state and forward
the RESV signal to the next. VPN8 will also generate an RESV for the
<span class="grey">Baker & Bose Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
reservation within the inner domain, attempting to set or increase
the bandwidth of the reservation appropriately. This gets the
reservation to the inner deaggregator, VPN8.
The various RSVP-configured routers en route in the inner domain
(including VPN7) will verify that there is sufficient bandwidth on
their links and that any other stated policy is also met. Having
accomplished that, each will update its reservation state and forward
the RESV signal to the next. This gets the signal to VPN7.
VPN7 acts as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] aggregator for the inner domain. This
means that it receives the RESV signal for the inner domain
reservation and stores state, decrypts the data stream from VPN8,
operates on the RSVP signals as an RSVP-configured router, and
forwards the received IP datagrams (including the updated RESV
signals) into its interface domain. The RESV signals originated by
VPN4, VPN5, and VPN6 are therefore forwarded towards VPN1, VPN2, and
VPN3 through the interface domain.
VPN1, VPN2, and VPN3 each act as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] aggregator for the
interface domain. This means that it receives the RESV signal for
the interface domain reservation and stores state, decrypts the data
stream from its peer, operates on the RSVP signals as an RSVP-
configured router, and forwards the received IP datagrams (including
the updated RESV signals) into its enclave. The RESV signals
originated by H4, H5, and H6 are therefore forwarded towards H1, H2,
and H3 according to the routing of the enclave.
H1, H2, and H3 now receive the original RESV signals and deliver them
to their application.
<span class="h4"><a class="selflink" id="section-2.3.3" href="#section-2.3.3">2.3.3</a>. Installation of a Reservation Using Precedence</span>
Without going through the details called out in Sections <a href="#section-2.3.1">2.3.1</a> and
2.3.2, if sufficient bandwidth exists to support them, reservations
of other precedence levels or other applications may also be
installed across this network. If the "routine" reservations already
described are for voice, for example, and sufficient bandwidth is
available under the relevant policy, a reservation for voice at the
"priority" precedence level might be installed. Due to the mechanics
of preemption, however, this would not expand the existing "routine"
reservations in the interface and inner domains, as doing this causes
loss of information - how much of the reservation is now "routine"
and how much is "priority"? Rather, this new reservation will open
up a separate set of tunnels or security associations for traffic of
its application class at its precedence between that aggregator and
deaggregator.
<span class="grey">Baker & Bose Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
As a side note, there is an opportunity here that does not exist in
the PSTN. In the PSTN, all circuits are potentially usable by any
PSTN application under a certain set of rules (H channels, such as
those used by video streams, must be contiguous and ordered). As
such, if a channel is not made available to routine traffic but is
made available to priority traffic, the operator is potentially
losing revenue on the reserved bandwidth and deserves remuneration.
However, in the IP Internet, some bandwidth must be kept for basic
functions such as routing, and, in general, policies will not permit
100% of the bandwidth on an interface to be allocated to one
application at one precedence. As a result, it may be acceptable to
permit a certain portion (e.g., 50%) to be used by routine voice and
a larger amount (e.g., 60%) to be used by voice at a higher
precedence level. Under such a policy, a higher precedence
reservation for voice might not result in the preemption of a routine
call, but rather impact elastic traffic, and might be accepted at a
time that a new reservation of lower precedence might be denied.
In microwave networks, such as satellite or mobile ad hoc, one could
also imagine network management intervention that could change the
characteristics of the radio signal to increase the bandwidth under
some appropriate policy.
<span class="h4"><a class="selflink" id="section-2.3.4" href="#section-2.3.4">2.3.4</a>. Installation of a Reservation Using Preemption</span>
So we now have a number of reservations across the network described
in Figure 5 including several reservations at "routine" precedence
and one at "priority" precedence. For sake of argument, let us
presume that the link from VPN7 to R9 is now fully utilized - all of
the bandwidth allocated by policy to voice at the routine or priority
level has been reserved. Let us further imagine that a new
"priority" reservation is now placed from H3 to H6.
The process described in <a href="#section-2.3.1">Section 2.3.1</a> is followed, resulting in PATH
state across the network for the new reservation. This is installed
even though it is not possible to install a new reservation on VPN7-
R9, as it does not install any reservation and the network does not
know whether H6 will ultimately require a reservation.
The process described in <a href="#section-2.3.2">Section 2.3.2</a> is also followed. The
application in H6 decides to install the indicated reservation,
meaning that it now replies with an RESV signal. Following the trail
left by the PATH signal, the RESV signal traipses back towards H3.
VPN6 and (if RSVP was configured) R6 verify that there is sufficient
bandwidth on their links and that any other stated policy is also
met. Having accomplished that, each will update its reservation
<span class="grey">Baker & Bose Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
state and forward the RESV signal to the next. VPN6 also generates
an RESV for the reservation within the interface domain, attempting
to set or increase the bandwidth of the reservation appropriately.
VPN6, R8, and VPN8's "interface domain" sides now verify that there
is sufficient bandwidth on their links and that any other stated
policy is also met. Having accomplished that, each will update its
reservation state and forward the RESV signal to the next. VPN8 will
also generate an RESV for the reservation within the inner domain,
attempting to set or increase the bandwidth of the reservation
appropriately. This gets the reservation to the inner deaggregator,
VPN8.
VPN8's "inner domain" side and R9 now verify that there is sufficient
bandwidth on their links and that any other stated policy is also
met. At R9, a problem is detected - there is not sufficient
bandwidth under the relevant policy. In the absence of precedence,
R9 would now return an RESV Error indicating that the reservation
could not be increased or installed. In such a case, if a
preexisting reservation of lower bandwidth already existed, the
previous reservation would remain in place but the new bandwidth
would not be granted, and the originator (H6) would be informed. Let
us clarify what it means to be at a stated precedence: it means that
the POLICY_DATA object in the RESV contains a Preemption Priority and
a Defending Priority with values specified in some memo. With
precedence, [<a href="./rfc4495" title=""A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow"">RFC4495</a>]'s algorithm would have the Preemption Priority
of the new reservation compared to the Defending Priority of extant
reservations in the router, of which there are two: one VPN7->VPN8 at
"routine" precedence and one VPN7->VPN8 at "priority" precedence.
Since the Defending Priority of routine reservation is less than the
Preemption Priority of a "priority" reservation, the "routine"
reservation is selected. R9 determines that it will accept the
increase in its "priority" reservation VPN7->VPN8 and reduce the
corresponding "routine" reservation. Two processes now occur in
parallel:
o The routine reservation is reduced following the algorithms in
[<a href="./rfc4495" title=""A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow"">RFC4495</a>] and
o The priority reservation continues according to the usual rules.
R9 reduces its "routine" reservation by sending an RESV Error
updating its internal state to reflect the reduced reservation and
sending an RESV Error to VPN8 requesting that it reduce its
reservation to a number less than or equal to the relevant threshold
less the sum of the competing reservations. VPN8, acting as a
deaggregator, makes two changes. On the "inner domain" side, it
marks its reservation down to the indicated rate (the most it is now
<span class="grey">Baker & Bose Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
permitted to reserve), so that if an RESV Refresh event happens, it
will request the specified rate. On the "interface domain" side, it
selects one or more of the relevant reservations by an algorithm of
its choosing and requests that it likewise reduce its rate. For the
sake of argument, let us imagine that the selected reservation is the
one to VPN5. The RESV Error now makes its way through R8 to VPN5,
which similarly reduces its bandwidth request to the stated amount
and passes a RESV Error signal on the "enclave" side requesting that
the reservation be appropriately reduced.
H5 is now faced with a decision. If the request is to reduce its
reservation to zero, that is equivalent to tearing down the
reservation. In this simple case, it sends an RESV Tear to tear down
the reservation entirely and advises its application to adjust its
expectations of the session accordingly, which may mean shutting down
the session. If the request is to reduce it below a certain value,
however, it may be possible for the application to do so and remain
viable. For example, if a VoIP application using a G.711 codec (80
kbps) is asked to reduce its bandwidth below 70 kbps, it may be
possible to renegotiate the codec in use to G.729 or some other
codec. In such a case, the originating application should re-reserve
at the stated bandwidth (in this case, 70 kbps), initiate the
application level change, and let the application change the
reservation again (perhaps to 60 kbps) when it has completed that
process.
At the time the reservation is being processed at R9, for the
"priority" reservation, R9 believes that it has sufficient bandwidth
and that any other stated policy is also met, and it forwards the
RESV to VPN7. Each will update its reservation state and forward the
RESV signal to the next. VPN7 now acts as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] aggregator
for the inner domain. This means that it receives the RESV signal
for the inner domain reservation and stores state, decrypts the data
stream from VPN8, operates on the RSVP signals as an RSVP-configured
router, and forwards the received IP datagrams (including the updated
RESV signals) into its interface domain. The RESV signals originated
by VPN4, VPN5, and VPN6 are therefore forwarded towards VPN1, VPN2,
and VPN3 through the interface domain.
VPN3 now acts as an [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] aggregator for the interface domain.
This means that it receives the RESV signal for the interface domain
reservation and stores state, decrypts the data stream from its peer,
operates on the RSVP signals as an RSVP-configured router, and
forwards the received IP datagrams (including the updated RESV
signals) into its enclave. The RESV signal originated by H6 is
therefore forwarded towards H3 according to the routing of the
enclave.
<span class="grey">Baker & Bose Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
H3 now receives the original RESV signals and delivers it to the
relevant application.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Data Flows within a VPN Router</span>
This section details the data flows within a VPN router, in the
context of sessions as described in <a href="#section-2">Section 2</a>. It specifically
identifies the signaling flow at a given VPN boundary and
additionally elaborates the signaling mechanism with the aid of a
Network Guard. A use case describing the proposal in the context of
an operational scenario is presented herein.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. VPN Routers That Carry Data across the Cryptographic Boundary</span>
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Plaintext to Ciphertext Data Flows</span>
+-----------------------+ +----------------------+
| +--------------------+| |+--------------------+|
| |RSVP || ||Aggregate RSVP ||
| | || || ||
| |Per session: || ID ||Agg. Session ||
| | Destination ||--->|| Agg. Destination ||
| | Source || || Agg. Source= self ||
| | potential SPI || || Agg. SPI generated||
| | DSCP ---------> DSCP ||
| | vPort or protocol---------> vPort ||
| | and port || || ||
| | Mean rate ---------> Sum of mean rates ||
| | Peak rate ---------> f(Peak rates) ||
| | Burst Size ---------> Sum of Burst sizes||
| | || || ||
| +--------------------+| |+--------------------+|
| +--------------------+| |+--------------------+|
| | IP || || IP ||
| +--------------------+| |+--------------------+|
| +--------------------+| |+--------------------+|
| | Plaintext Interface|| ||Ciphertext Interface||
| +--------------------+| |+--------------------+|
+-----------------------+ +----------------------+
Figure 6: Data Flows in a VPN Router Outbound
<span class="grey">Baker & Bose Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Parameters on a reservation include:
Destination Address: On the plaintext side, the VPN router
participates in the end-to-end reservations being installed for
plaintext sessions. These may include individual flows as
described in [<a href="./rfc2205" title=""Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification"">RFC2205</a>], IPsec data flows [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>], aggregate
reservations [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>], or other types. It passes an identifier
for the ciphertext side of the deaggregator to its ciphertext
unit.
DSCP: The DSCP of the plaintext data flow is provided to the cipher
text side.
Virtual Port: The virtual destination port is provided to the cipher
text side. This may be derived from an [<a href="./rfc2207" title=""RSVP Extensions for IPSEC Data Flows"">RFC2207</a>] session object
or from policy information.
Mean Rate: The sum of the plaintext mean rates is provided to the
ciphertext unit.
Peak Rate: A function of the plaintext peak rates is provided to the
ciphertext unit. This function is less than or equal to the sum
of the peak rates.
Burst Size: The sum of the burst sizes is provided to the cipher
text unit.
Messages include:
Path: The plaintext PATH message is sent as encrypted data to the
ciphertext unit. In parallel, a trigger needs to be sent to the
ciphertext unit that results in it generating the corresponding
aggregated PATH message for the ciphertext side.
Path Error: This indicates that a PATH message sent to the remote
enclave was in error. In the error case, the message itself is
sent on as encrypted data, but a signal is sent to the ciphertext
side in case the error affects the ciphertext reservation (such as
removing or changing state).
Path Tear: The PATH Tear message is sent as encrypted data to the
ciphertext unit. In parallel, a signal is sent to the cipher text
side; it will trigger a Path Tear on its reservation in the event
that this is the last aggregated session, or change the
SENDER_TSPEC of the aggregated session.
<span class="grey">Baker & Bose Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
RESV: The plaintext RESV message is sent as encrypted data to the
ciphertext unit. In parallel, a trigger needs to be sent to the
ciphertext unit that results in it generating the corresponding
aggregated RESV message for the ciphertext side.
RESV Error: This indicates that a RESV message that was received as
data and forwarded into the enclave was in error or needed to be
preempted as described in [<a href="./rfc3181" title=""Signaled Preemption Priority Policy Element"">RFC3181</a>] or [<a href="./rfc4495" title=""A Resource Reservation Protocol (RSVP) Extension for the Reduction of Bandwidth of a Reservation Flow"">RFC4495</a>]. In the error
case, the message itself is sent on as encrypted data, but a
signal is sent to the ciphertext side in case the error affects
the ciphertext reservation (such as removing or changing state).
RESV Tear: The RESV Tear message is sent as encrypted data to the
ciphertext unit. In parallel, a signal is sent to the cipher text
side; it will trigger a RESV Tear on its reservation in the event
that this is the last aggregated session, or reduce the bandwidth
of an existing reservation.
RESV Confirm: This indicates that a RESV message received as data
and forwarded into the enclave, and is now being confirmed. This
message is sent as encrypted data to the ciphertext side, and, in
parallel, a signal is sent to potentially trigger an RESV Confirm
on the aggregate reservation.
<span class="grey">Baker & Bose Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. Ciphertext to Plaintext Data Flows</span>
+-----------------------+ +----------------------+
| +--------------------+| |+--------------------+|
| |RSVP || ||Aggregate RSVP ||
| | || || terminated ||
| |Per session: |+ || ||
| | Destination || || ||
| | Source <---------Decrypted RSVP ||
| | potential SPI || || message sent to ||
| | DSCP || || Plaintext unit ||
| | vPort or protocol || || *as data* for ||
| | and port || || normal processing ||
| | Mean rate || || ||
| | Peak rate || || ||
| | Burst Size || || ||
| | || || ||
| +--------------------+| |+--------------------+|
| +--------------------+| |+--------------------+|
| | IP || || IP ||
| +--------------------+| |+--------------------+|
| +--------------------+| |+--------------------+|
| |Plaintext Interface || ||Ciphertext Interface||
| +--------------------+| |+--------------------+|
+-----------------------+ +----------------------+
Figure 7: Data Flows in a VPN Router Inbound
The aggregate reservation is terminated by the ciphertext side of the
VPN router. The RSVP messages related to the subsidiary sessions are
carried in the encrypted tunnel as data, and therefore arrive at the
plaintext side with other data. As the plaintext side participates
in these reservations, some information is returned to the ciphertext
size to parameterize the aggregate reservation as described in
<a href="#section-3.1.1">Section 3.1.1</a> in the processing of the outbound messages.
<span class="grey">Baker & Bose Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. VPN Routers That Use the Network Guard for Signaling across the</span>
<span class="h3"> Cryptographic Boundary</span>
As described in <a href="#section-1.6">Section 1.6</a> the Network Guard provides an additional
path for the reservation signaling between the plaintext and cipher
text domains.
_.------------.
,--'' Plaintext Domain--.
,-' +--------+ +--------+ `-.
,' | Host | | Host | `.
,' +--------+ +--------+ `.
; :
| +----------------------+ |
: | +--------+ | |
`. | | Router | | ,'
`. | +---+----+ | ,'
`- | +----------+ | ,'
---| +-+--+ +-+--+--+ |'
|----|E/D |--|Net Grd| | VPN Router
,-'| +-+--+ +-+--+--+ |\
, | +----------+ | \
,' | +---+----+ | `.
,' | | Router | | |
/ | +--------+ | \
; +----------------------+ :
| |
: Ciphertext Domain ;
Figure 8: RSVP Passage via Network Guard
In this context, the VPN router is composed of a plaintext router, a
ciphertext router, an encrypt/decrypt implementation (such as a line
card or interface device), and a network management process that
manages the encrypt/decrypt implementation and potentially passes
defined information flows between the plaintext and ciphertext
domains. If the Network Guard is implemented as a software process
that exchanges configuration instructions between the routers, this
is simple to understand. If it is built as a separate systems
exchanging datagrams, it is somewhat more complex, but conceptually
equivalent. For example, the ciphertext router would consider an IP
datagram received via the Network Guard (control plane) as having
been received from and concerning the interface used in the data
plane to the encrypt/decrypt unit.
<span class="grey">Baker & Bose Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. Signaling Flow</span>
Encrypt/decrypt units may not be capable of terminating and
originating flows as described in <a href="#section-3.1">Section 3.1</a>, and policy may prevent
knowledge of the ciphertext network addresses in the plaintext
router. In such a case, the plaintext and ciphertext routers may use
the Network Guard as the path for the signaling flows. The Network
Guard performs the following functions to enable the flow of
reservation signaling across the cryptographic domain
o transforms plaintext session identifiers into ciphertext session
identifiers and vice-versa in IP datagrams and RSVP objects (e.g.
IP addresses)
o performs resource management of aggregated reservations (e.g.,
including ciphertext encapsulation overhead to resources
requested)
o reads and writes configuration on the encrypt/decrypt units as
necessary (e.g., reads plaintext to ciphertext IP address mapping)
In addition, the plaintext and ciphertext routers must support a
routing function or local interface that ensures that aggregated RSVP
messages flow via the Network Guard. However, the signaling flow
across the entire VPN router at a cryptographic boundary remains
identical to the description in <a href="#section-3.1">Section 3.1</a>.
A reader may note that the VPN router described in Figure 8 can be
collapsed into a single router with two halves, or the Network Guard
and the encrypt/decrypt units can be part of the plaintext router.
The details of alternate logical and physical architectures for the
VPN router are beyond the scope of this document.
<span class="grey">Baker & Bose Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. Use Case with Network Guard</span>
........................................
: VPN Router A :
: :
:+-----------++----------++-----------+:
+------+ RSVP :| || NetGrd-A || |:
|Host A|<---->:|PT-Router-A|+----------+|CT-Router-A|::::::::
+------+ :| || E/D-A || |: ::
:+-----------++----------++-----------+: ::
: A-RSVP : ::
: <:::::::::::::> : ::
:......................................: ::
A-RSVP ::
,---.
,' `.
/ \
; Interface :
| Domain |
: ;
\ /
`. ,'
'---'
A-RSVP ::
........................................ ::
: VPN Router B : ::
: : ::
:+-----------++----------++-----------+: ::
+------+ RSVP :| || NetGrd-B || |: ::
|Host B|<---->:|PT-Router-B|+----------+|CT-Router-B|::::::::
+------+ :| || E/D-B || |:
:+-----------++----------++-----------+:
: A-RSVP :
: <:::::::::::::> :
:......................................:
Figure 9: Aggregated RSVP via Network Guard
The above figure depicts a simple use case for aggregated signaling
with the Network Guard. In this scenario, Host A initiates RSVP
signaling to Host B for a reservation. The RSVP signaling between
the hosts is encapsulated by the VPN routers into encrypted tunnels.
Aggregated RSVP signaling is triggered by VPN routers, and flows into
the CT-Routers, as well as the interface domains, to reserve
resources at RSVP-capable routers on the path. The aggregation/
deaggregation point for RSVP reservations in this use case are the
PT-Routers. The signaling aggregation of RSVP into A-RSVP at the
PT-Router is similar to the data flow described in <a href="#section-3.1">Section 3.1</a>. The
<span class="grey">Baker & Bose Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Network Guard performs the additional functions described in <a href="#section-3.2.1">Section</a>
<a href="#section-3.2.1">3.2.1</a> to transform plaintext A-RSVP messages into suitable ciphertext
A-RSVP messages. A typical reservation set up in this case would
follow these steps.
o Host A sends RSVP PATH message to Host B.
o PT-Router-A encapsulates RSVP PATH message in encrypted tunnel to
VPN Router B.
o CT Routers and Interface domain carry encrypted RSVP PATH message
(like any other encrypted data message).
o PT-Router-B decrypts RSVP Path Message and sends an E2E PathErr
message to PT-Router-A in the encrypted tunnel.
o PT-Router-B forwards decrypted plaintext RSVP PATH message to Host
B.
o PT-Router-A receives E2E PathErr and sends an aggregated RSVP PATH
message towards PT-Router-B via the Network Guard.
o The NetGrd-A transforms the plaintext aggregate RSVP into the
ciphertext aggregate RSVP message as described in <a href="#section-3.2.1">Section 3.2.1</a>
and sends it to the CT-Router-A.
o The ciphertext aggregated RSVP message travels through ciphertext
routers in the interface domain.
o CT-Router-B receives the ciphertext aggregate RSVP message and
sends it to the NetGrd-B.
o The NetGrd-B transforms the ciphertext aggregate RSVP into the
plaintext aggregate RSVP message as described in <a href="#section-3.2.1">Section 3.2.1</a> and
sends it to the PT-Router-B.
The subsequent RSVP and Aggregate RSVP signaling follows a similar
flow, as described in detail in [<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] and [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>]to aggregate
each plaintext reservation into a corresponding ciphertext
reservation. This ensures that RSVP-capable ciphertext routers
reserve the required resources for a plaintext end-to-end
reservation. Subsequent mechanisms, such as preemption or the
increase and decrease of resources reserved, may be applied to these
reservations as described before in this document. The RSVP data
flow as described in <a href="#section-3.1">Section 3.1</a> within the VPN router (from the
plaintext router to the ciphertext router via the Guard) provides
necessary and sufficient information to routers in the ciphertext
domain to implement the QoS solution presented in the document.
<span class="grey">Baker & Bose Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
In this description, we have described the Network Guard as being
separate from the encrypt/decrypt unit. This separation exists
because in certain implementations, it is mandated by those who
specify the devices. The separation does not come for free, however;
the separation of the devices for system-engineering purposes is
expensive, and it imposes architectural problems. For example, when
the Guard is used to aggregate RSVP messages or Protocol Independent
Multicast (PIM) routing, the traffic is destined to the remote VPN
router. This means that the Guard must somehow receive and respond
to, on behalf of the VPN Router, messages that are not directed to
it. Several possible solutions exist; they should be selected
carefully based on the security and implementation needs of the
environment. They are as follows:
o In the simplest case, the Network Guard and encrypt/decrypt unit
can be two independent functions that utilize a common network and
MAC layer. This can allow the two functions to share a common MAC
and IP address, so that traffic destined for one function is also
received by the other. In the case that these two functions are
physically separated on two devices, they can still share a common
MAC and IP address; however, additional modifications may be
required on the Guard to filter and not process IP traffic not
destined for itself.
o The ciphertext interface of the Guard could be placed into
promiscuous mode, allowing it to receive all messages and discard
all but the few it is interested in. The security considerations
on putting a device in promiscuous mode at the VPN boundary needs
to be taken into account in this method.
o The Guard could be engineered to receive all from the ciphertext
router and pass the bulk of it on to the VPN router through
another interface. In this case, the Guard and the VPN router
would use the same IP address. This mechanism puts the load of
all data and management traffic destined for the VPN router upon
the Guard.
o The VPN router could be engineered to receive all traffic from the
ciphertext router and pass any unencrypted traffic it receives to
the Guard through another interface. In this case, the Guard and
the VPN router would use the same IP address.
o All the VPN router functions, as shown in Figure 9, could be
incorporated into a single chassis, with appropriate internal
traffic management to send some traffic into the plaintext enclave
and some to the Guard. In this case, the Guard and the VPN router
would be -- at least, functionally -- the same system.
<span class="grey">Baker & Bose Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Of these, clearly the last is the simplest architecturally and the
one that most minimizes the attendant risk.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
The typical security concerns of datagram integrity, node and user
authentication are implicitly met by the security association that
exists between the VPN routers. The secure data stream that flows
between the VPN routers is also used for the reservation signaling
datagrams flowing between VPN routers. Information that is contained
in these signaling datagrams receives the same level of encryption
that is received by the data streams.
One of the reasons cited for the nesting of VPN routes in <a href="#section-1.3">Section 1.3</a>
is the different levels of security across the nested VPN routers.
If the security level decreases from one VPN router to the next VPN
Router in the nested path, the reservation signaling datagrams will,
by default, receive the lower security-level treatment. For most
cases, the lower security treatment is acceptable. In certain
networks, however, the reservation signaling across the entire nested
path must receive the highest security-level treatment (e.g.,
encryption, authentication of signaling nodes). For example, the
highest precedence level may only be signaled to VPN routers that can
provide the highest security levels. If any VPN router in the nested
path is incapable of providing the highest security level, it cannot
participate in the reservation mechanism.
In the general case, the nested path may contain routers that are
either incapable of participating in VPNs or providing required
security levels. These routers can participate in the reservation
only if the lower security level is acceptable (as configured by
policy) for the signaling of reservation datagrams.
VPN routers encapsulate encrypted IP packets and prepend an extra
header on each packet. These packets, whether used for signaling or
data, should be identifiable, at a minimum by the IP addresses and
DSCP value. Therefore, the prepended header should contain, at a
minimum, the DSCP value corresponding to the signaled reservation in
each packet. This may literally be the same DSCP as is used for the
data (forcing control plane traffic to receive the same QoS treatment
as its data), or a different DSCP that is routed identically
(separating control and data-plane traffic QoS but not routing).
Additionally security considerations as described in [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>] and
[<a href="./rfc3175" title=""Aggregation of RSVP for IPv4 and IPv6 Reservations"">RFC3175</a>] are also applicable in this environment; they include the
integrity of RSVP messages can be ensured via mechanisms described in
[<a href="./rfc2747" title=""RSVP Cryptographic Authentication"">RFC2747</a>] and [<a href="./rfc3097" title=""RSVP Cryptographic Authentication -- Updated Message Type Value"">RFC3097</a>] and related key management (through manual
configuration or a key management protocol) at nodes between any
<span class="grey">Baker & Bose Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
aggregator and deaggregator pair that processes the messages. In
addition, confidentiality can be provided between hops by employing
IPsec. Further work in the IETF MSEC Working Group may be applicable
in these environments for key management and confidentiality.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Acknowledgements</span>
Doug Marquis, James Polk, Mike Tibodeau, Pete Babendreier, Roger
Levesque, and Subha Dhesikan gave early review comments.
Comments by Sean O'Keefe, Tony De Simone, Julie Tarr, Chris Christou,
and their associates resulted in <a href="#section-3.2">Section 3.2</a>.
Francois Le Faucheur, Bruce Davie, and Chris Christou (with Pratik
Bose) added [<a href="./rfc4860" title=""Generic Aggregate Resource ReSerVation Protocol (RSVP) Reservations"">RFC4860</a>], which clarified the interaction of this
approach with the DSCP.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC2205">RFC2205</a>] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) --
Version 1 Functional Specification", <a href="./rfc2205">RFC 2205</a>,
September 1997.
[<a id="ref-RFC2207">RFC2207</a>] Berger, L. and T. O'Malley, "RSVP Extensions for
IPSEC Data Flows", <a href="./rfc2207">RFC 2207</a>, September 1997.
[<a id="ref-RFC2746">RFC2746</a>] Terzis, A., Krawczyk, J., Wroclawski, J., and L.
Zhang, "RSVP Operation Over IP Tunnels", <a href="./rfc2746">RFC 2746</a>,
January 2000.
[<a id="ref-RFC2750">RFC2750</a>] Herzog, S., "RSVP Extensions for Policy Control", <a href="./rfc2750">RFC</a>
<a href="./rfc2750">2750</a>, January 2000.
[<a id="ref-RFC2996">RFC2996</a>] Bernet, Y., "Format of the RSVP DCLASS Object", <a href="./rfc2996">RFC</a>
<a href="./rfc2996">2996</a>, November 2000.
[<a id="ref-RFC3175">RFC3175</a>] Baker, F., Iturralde, C., Le Faucheur, F., and B.
Davie, "Aggregation of RSVP for IPv4 and IPv6
Reservations", <a href="./rfc3175">RFC 3175</a>, September 2001.
[<a id="ref-RFC4495">RFC4495</a>] Polk, J. and S. Dhesikan, "A Resource Reservation
Protocol (RSVP) Extension for the Reduction of
Bandwidth of a Reservation Flow", <a href="./rfc4495">RFC 4495</a>, May 2006.
<span class="grey">Baker & Bose Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
[<a id="ref-RFC4542">RFC4542</a>] Baker, F. and J. Polk, "Implementing an Emergency
Telecommunications Service (ETS) for Real-Time
Services in the Internet Protocol Suite", <a href="./rfc4542">RFC 4542</a>,
May 2006.
[<a id="ref-RFC4860">RFC4860</a>] Le Faucheur, F., Davie, B., Bose, P., Christou, C.,
and M. Davenport, "Generic Aggregate Resource
ReSerVation Protocol (RSVP) Reservations", <a href="./rfc4860">RFC 4860</a>,
May 2007.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-ITU.MLPP.1990">ITU.MLPP.1990</a>] International Telecommunications Union, "Multilevel
Precedence and Preemption Service", ITU-T
Recommendation I.255.3, 1990.
[<a id="ref-RFC0791">RFC0791</a>] Postel, J., "Internet Protocol", STD 5, <a href="./rfc791">RFC 791</a>,
September 1981.
[<a id="ref-RFC1633">RFC1633</a>] Braden, B., Clark, D., and S. Shenker, "Integrated
Services in the Internet Architecture: an Overview",
<a href="./rfc1633">RFC 1633</a>, June 1994.
[<a id="ref-RFC2209">RFC2209</a>] Braden, B. and L. Zhang, "Resource ReSerVation
Protocol (RSVP) -- Version 1 Message Processing
Rules", <a href="./rfc2209">RFC 2209</a>, September 1997.
[<a id="ref-RFC2210">RFC2210</a>] Wroclawski, J., "The Use of RSVP with IETF Integrated
Services", <a href="./rfc2210">RFC 2210</a>, September 1997.
[<a id="ref-RFC2460">RFC2460</a>] Deering, S. and R. Hinden, "Internet Protocol,
Version 6 (IPv6) Specification", <a href="./rfc2460">RFC 2460</a>, December
1998.
[<a id="ref-RFC2474">RFC2474</a>] Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", <a href="./rfc2474">RFC 2474</a>,
December 1998.
[<a id="ref-RFC2475">RFC2475</a>] Blake, S., Black, D., Carlson, M., Davies, E., Wang,
Z., and W. Weiss, "An Architecture for Differentiated
Services", <a href="./rfc2475">RFC 2475</a>, December 1998.
[<a id="ref-RFC2747">RFC2747</a>] Baker, F., Lindell, B., and M. Talwar, "RSVP
Cryptographic Authentication", <a href="./rfc2747">RFC 2747</a>, January
2000.
<span class="grey">Baker & Bose Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
[<a id="ref-RFC2872">RFC2872</a>] Bernet, Y. and R. Pabbati, "Application and Sub
Application Identity Policy Element for Use with
RSVP", <a href="./rfc2872">RFC 2872</a>, June 2000.
[<a id="ref-RFC3097">RFC3097</a>] Braden, R. and L. Zhang, "RSVP Cryptographic
Authentication -- Updated Message Type Value", <a href="./rfc3097">RFC</a>
<a href="./rfc3097">3097</a>, April 2001.
[<a id="ref-RFC3181">RFC3181</a>] Herzog, S., "Signaled Preemption Priority Policy
Element", <a href="./rfc3181">RFC 3181</a>, October 2001.
[<a id="ref-RFC3182">RFC3182</a>] Yadav, S., Yavatkar, R., Pabbati, R., Ford, P.,
Moore, T., Herzog, S., and R. Hess, "Identity
Representation for RSVP", <a href="./rfc3182">RFC 3182</a>, October 2001.
[<a id="ref-RFC3246">RFC3246</a>] Davie, B., Charny, A., Bennet, J., Benson, K., Le
Boudec, J., Courtney, W., Davari, S., Firoiu, V., and
D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop
Behavior)", <a href="./rfc3246">RFC 3246</a>, March 2002.
[<a id="ref-RFC3261">RFC3261</a>] Rosenberg, J., Schulzrinne, H., Camarillo, G.,
Johnston, A., Peterson, J., Sparks, R., Handley, M.,
and E. Schooler, "SIP: Session Initiation Protocol",
<a href="./rfc3261">RFC 3261</a>, June 2002.
[<a id="ref-RFC3312">RFC3312</a>] Camarillo, G., Marshall, W., and J. Rosenberg,
"Integration of Resource Management and Session
Initiation Protocol (SIP)", <a href="./rfc3312">RFC 3312</a>, October 2002.
[<a id="ref-RFC3473">RFC3473</a>] Berger, L., "Generalized Multi-Protocol Label
Switching (GMPLS) Signaling Resource ReserVation
Protocol-Traffic Engineering (RSVP-TE) Extensions",
<a href="./rfc3473">RFC 3473</a>, January 2003.
[<a id="ref-RFC3474">RFC3474</a>] Lin, Z. and D. Pendarakis, "Documentation of IANA
assignments for Generalized MultiProtocol Label
Switching (GMPLS) Resource Reservation Protocol -
Traffic Engineering (RSVP-TE) Usage and Extensions
for Automatically Switched Optical Network (ASON)",
<a href="./rfc3474">RFC 3474</a>, March 2003.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC4303">RFC4303</a>] Kent, S., "IP Encapsulating Security Payload (ESP)",
<a href="./rfc4303">RFC 4303</a>, December 2005.
<span class="grey">Baker & Bose Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Authors' Addresses
Fred Baker
Cisco Systems
1121 Via Del Rey
Santa Barbara, California 93117
USA
Phone: +1-408-526-4257
Fax: +1-413-473-2403
EMail: fred@cisco.com
Pratik Bose
Lockheed Martin
700 North Frederick Ave
Gaithersburg, Maryland 20871
USA
Phone: +1-301-240-7041
Fax: +1-301-240-5748
EMail: pratik.bose@lmco.com
<span class="grey">Baker & Bose Informational [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc4923">RFC 4923</a> QoS in a Nested VPN August 2007</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Baker & Bose Informational [Page 38]
</pre>
|
