13.5. DiffServ with IPsec

Home Prev	cOS Stream 4.00.03 Administration Guide	Next

The Differentiated Services (DiffServ) field in a packet can be used by network equipment to prioritize data traffic. The 8 bit DiffServ field consists of two parts: a 6 bit Differentiated Services Code Point (DSCP) and a 2 bit Explicit Congestion Notification (ECN). For IPsec, the DSCP bits related to a tunnel can be split into three types:

The DSCP bits of the packets involved in the IKE exchange for tunnel setup.
The DSCP bits of the outer tunnel IPsec packets.
The DSCP bits of the transported data inside the tunnel.

The administrator can alter the DSCP bits in the following ways:

For tunnel setup, the DSCP bits of IKE packets can have a specified fixed value.
The DSCP bits of the outer tunnel packets can be set to a fixed value or they can have the same value as the DSCP bits of the data inside the tunnel.

Setting up the above two options is described next.

Specifying the DSCP Bits for IKE Traffic

By default, all IKE packets sent by cOS Stream during tunnel setup have their DSCP value set to zero. This can be changed to a fixed value for a tunnel by setting the IKEDSCP property of the IPsecTunnel object. For example:

System:/> set Interface IPsecTunnel my_tunnel IKEDSCP=44

The IKE DSCP bits cannot be copied from other traffic, which can be done with the IPsec tunnel following the IKE negotiation.

Setting the DSCP Bits in the Outer Tunnel

By default, all IPsec outer tunnel packets sent by cOS Stream have their DSCP value set to zero. This can be changed to either of the following two options:

The DSCP bits can be set to a fixed value. This is done by setting the property DSCP for the IPsecTunnel object. For example:
```
System:/> set Interface IPsecTunnel my_tunnel DSCP=44
```
The DSCP bits can take on the value of the data transported inside the tunnel. This is done by setting the property CopyDSCP to a value of Yes for the IPsecTunnel object. For example:
```
System:/> set Interface IPsecTunnel my_tunnel CopyDSCP=Yes
```
If the CopyDSCP property is set to Yes, the DSCP property is ignored.

Propagating ECN Information Across the Tunnel

There is a 2 bit Explicit Congestion Notification (ECN) portion in the DiffServ field that is used to communicate network congestion information. To enable the propagation of ECN information about congestion from routers on the public outer network to the protected inner network, the ECN property of the IPsecTunnel object should be set to Yes. For example:

System:/> set Interface IPsecTunnel my_tunnel ECN=Yes

cOS Stream will now combine the ECN fields of the outer and inner IP header according to standardized rules.