Chapter 6 IPQoS in Depth (Reference)

This chapter contains reference materials that provide in-depth details about the following IPQoS topics:

• IPQoS Architecture and the diffserv Model

• IPQoS Configuration File

For an overview, refer to Chapter 1, Introducing IPQoS (Overview). For planning information, refer to Chapter 2, Planning for an IPQoS-Enabled Network (Tasks). For procedures for configuring IPQoS, refer to Chapter 3, Creating the IPQoS Configuration File (Tasks).

IPQoS Architecture and the diffserv Model

This section describes the IPQoS architecture and how it implements the differentiated services (diffserv) model that is defined in RFC 2475, An Architecture for Differentiated Services. The following elements of the diffserv model are included in IPQoS:

• Classifier

• Meter

• Marker

In addition, IPQoS includes the flow-accounting module and the dlcosmk marker for use with VLAN devices.

Classifier Module

In the diffserv model, the classifier is responsible for organizing selected traffic flows into groups on which to apply different service levels. The classifiers that are defined in RFC 2475 were originally designed for boundary routers. By contrast, the IPQoS classifier ipgpc is designed to handle traffic flows on hosts internal to the local network. Therefore, a network with both IPQoS systems and a diffserv router can provide a greater degree of differentiated services. For a technical description of ipgpc, refer to the ipgpc(7ipp) man page.

The ipgpc classifier does the following:

1. Selects traffic flows that meet the criteria that are specified in the IPQoS configuration file on the IPQoS-enabled system

   The QoS policy defines various criteria that must be present in packet headers. These criteria are called selectors. The ipgpc classifier compares these selectors against the headers of packets that are received by the IPQoS system. ipgpc then selects all matching packets.

2. Separates the packet flows into classes, network traffic with the same characteristics, as defined in the IPQoS configuration file

3. Examines the value in the packet's differentiated service (DS) field for the presence of a differentiated services (DS) codepoint

   The presence of the DS codepoint, also known as the DSCP, indicates whether the incoming traffic has been marked by the sender with a forwarding behavior.

4. Determines what further action is specified in the IPQoS configuration file for packets of a particular class

5. Passes the packets to the next IPQoS module that is specified in the IPQoS configuration file, or returns the packets to the network stream

For an overview of the classifier, refer to Classifier (ipgpc) Overview. For information on invoking the classifier in the IPQoS configuration file, refer to IPQoS Configuration File.

Selectors

ipgpc supports a variety of selectors that you can use in the filter clause of the IPQoS configuration file. When you define a filter, always use the minimum number of selectors that are needed to successfully retrieve traffic of a particular class. The amount of filters you define can impact IPQoS performance.

The next table lists the selectors available for ipgpc.

Meter Module

The meter tracks the transmission rate of flows on a per-packet basis and determines whether the packet conforms to the configured parameters. The meter module determines the next action for a packet from a set of actions that depend on packet size, configured parameters, and flow rate.

The meter consists of two metering modules, tokenmt and tswtclmt, which you configure in the IPQoS configuration file. You can configure either module or both modules for a class.

When you configure a metering module, you can define two parameters for rate:

• committed rate – Defines the acceptable transmission rate in bits per second for packets of a particular class

• peak rate – Defines the maximum transmission rate in bits per second that is allowable for packets of a particular class

A metering action on a packet can result in one of the following three outcomes:

• green – The packet causes the flow to remain within its committed rate.

• yellow – The packet causes the flow to exceed its committed rate but not its peak rate.

• red – The packet causes the flow to exceed its peak rate.

tokenmt Metering Module

The tokenmt module uses token buckets to measure the transmission rate of a flow. You can configure tokenmt to operate as a single-rate or two-rate meter. A tokenmt action instance maintains two token buckets that determine whether the traffic flow conforms to configured parameters.

The tokenmt(7ipp) man page explains how IPQoS implements the token meter paradigm. You can find more general information about token buckets in Kalevi Kilkki's Differentiated Services for the Internet and on a number of Web sites.

Configuration parameters for tokenmt are as follows:

• committed_rate – Specifies the committed rate of the flow in bits per second.

• committed_burst – Specifies the committed burst size in bits. The committed_burst parameter defines how many outgoing packets of a particular class can pass onto the network at the committed rate.

• peak_rate – Specifies the peak rate in bits per second.

• peak_burst – Specifies the peak or excess burst size in bits. The peak burst parameter grants to a traffic class a peak-burst size that exceeds the committed rate.

• color_aware – Turns on color-aware mode for tokenmt.

• color_map – Defines an integer array that maps DSCP values to green, yellow, or red.

Configuring tokenmt as a Single-Rate Meter

To configure tokenmt as a single-rate meter, do not specify a peak_rate parameter for tokenmt in the IPQoS configuration file. To configure a single-rate tokenmt instance to have a red, green, or yellow outcome, you must specify the peak_burst parameter. If you do not use the peak_burst parameter, you can configure tokenmt to have only a red or green outcome. For an example of a single-rate tokenmt with two outcomes, see Example 3–3.

When tokenmt operates as a single-rate meter, the peak_burst parameter is actually the excess burst size. committed_rate and either committed_burst or peak_burst must be nonzero positive integers.

Configuring tokenmt as a Two-Rate Meter

To configure tokenmt as a two-rate meter, specify a peak_rate parameter for the tokenmt action in the IPQoS configuration file. A two-rate tokenmt always has the three outcomes, red, yellow, and green. The committed_rate, committed_burst, and peak_burst parameters must all be non-zero positive integers.

Configuring tokenmt to Be Color Aware

To configure a two-rate tokenmt to be color aware, you must add parameters to specifically add “color awareness.” The following is an example action statement that configures color-aware tokenmt.

Example 6–1 Color-Aware tokenmt Action for the IPQoS Configuration File

action {
    module tokenmt
    name meter1
    params {
	      committed_rate 4000000
	      peak_rate 8000000
	      committed_burst 4000000
	      peak_burst 8000000
	      global_stats true
	      red_action_name continue
	      yellow_action_name continue
	      green_action_name continue
	      color_aware true
	      color_map {0-20,22:GREEN;21,23-42:RED;43-63:YELLOW}
    }
}

You turn on color awareness by setting the color_aware parameter to true. As a color-aware meter, tokenmt assumes that the packet has already been marked as red, yellow, or green by a previous tokenmt action. Color-aware tokenmt evaluates a packet by using the DS codepoint in the packet header in addition to the parameters for a two-rate meter.

The color_map parameter contains an array into which the DSCP in the packet header is mapped. Consider the following color_map array:

color_map {0-20,22:GREEN;21,23-42:RED;43-63:YELLOW}

Packets with a DSCP of 0–20 and 22 are mapped to green. Packets with a DSCP of 21 and 23–42 are mapped to red. Packets with a DSCP of 43–63 are mapped to yellow. tokenmt maintains a default color map, but you can change it as needed by using the color_map parameters.

In the color_action_name parameters, you can specify continue to complete processing of the packet. Or you can add an argument to send the packet to a marker action, for example, yellow_action_name mark22.

tswtclmt Metering Module

The tswtclmt metering module estimates average bandwidth for a traffic class by using a time-based rate estimator. tswtclmt always operates as a three-outcome meter. The rate estimator provides an estimate of the flow's arrival rate. This rate should approximate the running average bandwidth of the traffic stream over a specific period or time, its window. The rate estimation algorithm is taken from RFC 2859, A Time Sliding Window Three Colour Marker.

You use the following parameters to configure tswtclmt:

• committed_rate – Specifies the committed rate in bits per second

• peak_rate – Specifies the peak rate in bits per second

• window – Defines the time window, in milliseconds over which history of average bandwidth is kept

Marker Module

IPQoS includes two marker modules, dscpmk and dlcosmk. This section contains information for using both markers. Normally, you should use dscpmk because dlcosmk is only available for IPQoS systems with VLAN devices.

For technical information about dscpmk, refer to the dscpmk(7ipp) man page. For technical information about dlcosmk, refer to the dlcosmk(7ipp) man page.

Using the dscpmk Marker for Forwarding Packets

The marker receives traffic flows after they are processed by the classifier or metering modules. The marker marks the traffic with a forwarding behavior, which is the action to be taken on the flows after they leave the IPQoS system. Forwarding behavior to be taken on a traffic class is defined in the per-hop behavior (PHB). The PHB assigns a priority to a traffic class, which indicates the precedence flows of that class have in relation to other traffic classes. PHBs only govern forwarding behaviors on the IPQoS system's contiguous network. For more information on PHBs, refer to Per-Hop Behaviors.

Packet forwarding is the process of sending traffic of a particular class to its next destination on a network. For a host, such as an IPQoS system, a packet is forwarded from the host to the local network stream. For a diffserv router, a packet is forwarded from the local network to the router's next hop.

The marker marks the DS field in the packet header with a well-known forwarding behavior that is defined in the IPQoS configuration file. Thereafter, the IPQoS system and subsequent diffserv-aware systems forward the traffic as indicated in the DS field until the mark changes. To assign a PHB, the IPQoS system marks the DS field of the packet header with a value that is called the differentiated services (DS) codepoint, or DSCP. The diffserv architecture defines two types of forwarding behaviors, EF and AF, which use differing DS codepoints. For overview information about DS codepoints, refer to DS Codepoint (DSCP).

The IPQoS system reads the DS codepoint for the traffic flow and evaluates the flow's precedence in relation to other outgoing traffic flows. The IPQoS system then prioritizes all concurrent traffic flows and releases each flow onto the network by its priority.

The diffserv router receives the outgoing traffic flows and reads the DS field in the packet headers. The DS codepoint enables the router to prioritize and schedule the concurrent traffic flows and forward each flow by the priority that is indicated by the PHB. Note that the PHB cannot apply beyond the boundary router of the network unless diffserv-aware systems on subsequent hops also recognize the same PHB.

Expedited Forwarding (EF) PHB

Expedited forwarding (EF) guarantees that any packets that are marked with the recommended EF codepoint 46 (101110) receive the best treatment available on release to the network. EF forwarding is often compared to a leased line. Packets with the 46 (101110) codepoint are guaranteed preferential treatment by all diffserv routers en route to the packets' destination. For technical information about EF, refer to RFC 2598, An Expedited Forwarding PHB.

Assured Forwarding (AF) PHB

Assured forwarding (AF) provides four different classes of forwarding behaviors that you can specify to the marker. The next table shows the classes, the three drop precedences that are provided with each class, and the recommended DCSPs that are associated with each precedence. Each DSCP is represented by its AF value, its value in hexadecimal, and its value in binary.

Any diffserv-aware system can use the AF codepoint as a guide for providing differentiated forwarding behaviors to different classes of traffic.

For example, suppose your QoS policy assigns DSCPs of AF31 and AF13 to two different traffic classes. When packets that are marked AF31 (011010) leave the IPQoS system, they receive lower forwarding probability than the packets with AF13 (001110).

When these packets reach a diffserv router, the router evaluates the packets' codepoints along with DS codepoints of other traffic in the queue. The router then forwards or drops packets, depending on the available bandwidth and the priorities that are assigned by the packets' DS codepoints. Note that packets that are marked with the EF PHB are guaranteed bandwidth over packets that are marked with the various AF PHBs.

Coordinate packet marking between any IPQoS systems on your network and the diffserv router to ensure that packets are forwarded as expected. For example, suppose IPQoS systems on your network marks packets with AF21 (010010), AF13 (001110), AF43 (100110), and EF (101110) codepoints. You then need to add the AF21, AF13, AF43, and EF DS codepoints to the appropriate file on the diffserv router.

For a technical explanation of the AF codepoint table, refer to RFC 2597. Router manufacturers Cisco Systems and Juniper Networks have detailed information about setting the AF PHB in their Web sites. You can use this information to define AF PHBs for IPQoS systems as well as routers. Additionally, router manufacturers' documentation contains instructions for setting DS codepoints on their equipment.

Supplying a DS Codepoint to the Marker

The DS codepoint is 6 bits in length. The DS field is 1 byte long. When you define a DS codepoint in the IPQoS configuration file, the marker marks the first 6 significant bits of the packet header with the DS codepoint. The remaining 2 least-significant bits are unused.

To define a DS codepoint, you use the following parameter within a marker action statement:

 dscp_map{0-63:DS_codepoint}

The dscp_map parameter is a 64-element array, which you populate with the DS codepoint (DSCP) value. dscp_map is used to map incoming DSCPs to outgoing DSCPs that are applied by the dscpmk marker.

You must specify the DSCP value to dscp_map in hexadecimal notation. For example, you must translate the EF codepoint of 101110 into the hexadecimal value 46, which results in dscp_map{0-63:46}. For AF codepoints, you must translate the various codepoints that are shown in Table 6–2 to hexadecimal for use with dscp_map.

Using the dlcosmk Marker With VLAN Devices

The dlcosmk marker module marks a forwarding behavior in the MAC header of a datagram. You can use dlcosmk only on an IPQoS system with a VLAN interface.

dlcosmk adds four bytes, which are known as the VLAN tag, to the MAC header. The VLAN tag includes a 3-bit user priority value, which is defined by the IEEE 801.D standard. Diffserv-aware switches that understand VLAN can read the user priority field in a datagram. The 801.D user priority values implement the class of service (CoS) marks, which are well known and understood by commercial switches.

You can use the user priority values in dlcosmk marker action by defining the class of service marks that are listed in the next table.

For more information on dlcosmk, refer to the dlcosmk(7ipp) man page.

IPQoS Configuration for Systems With VLAN Devices

This section introduces a simple network scenario that shows how to implement IPQoS on systems with VLAN devices. The scenario includes two IPQoS systems, machine1 and machine2, that are connected by a switch. The VLAN device on machine1 has the IP address 10.10.8.1. The VLAN device on machine2 has the IP address 10.10.8.3.

The following IPQoS configuration file for machine1 shows a simple solution for marking traffic through the switch to machine2.

Example 6–2 IPQoS Configuration File for a System With a VLAN Device

fmt_version 1.0
action {
        module ipgpc
	      name ipgpc.classify

        filter {
                name myfilter2
                daddr 10.10.8.3
                class myclass
        }

        class {
                name myclass
                next_action mark4
        }
}

action {
        name mark4
        module dlcosmk
        params {
                cos 4
                next_action continue
		global_stats true
        }
}

In this configuration, all traffic from machine1 that is destined for the VLAN device on machine2 is passed to the dlcosmk marker. The mark4 marker action instructs dlcosmk to add a VLAN mark to datagrams of class myclass with a CoS of 4. The 4 user priority value indicates that the switch between the two machines should give controlled load forwarding to myclass traffic flows from machine1.

flowacct Module

The IPQoS flowacct module records information about traffic flows, a process that is referred to as flow accounting. The results of flow accounting are data that can be used for billing customers or for evaluating the amount of traffic to a particular class.

Flow accounting is optional. flowacct is typically the final module that metered or marked traffic flows might encounter before release onto the network stream. For an illustration of flowacct's position in the diffserv model, see Figure 1–1. For detailed technical information about flowacct, refer to the flowacct(7ipp) man page.

To enable flow accounting, you need to use the Solaris exacct accounting facility and the acctadm command, as well as flowacct. For the overall steps in setting up flow accounting, refer to Table 5–1.

flowacct Parameters

flowacct gathers information about flows in a flow table that is composed of flow records. Each entry in the table contains one flow record. You cannot display a flow-account table.

In the IPQoS configuration file, you define the following flowacct parameters to measure flow records and to write them to the table:

• timer – Defines an interval, in milliseconds, when timed-out flows are removed from the flow table and written to the file that is created by acctadm

• timeout – Defines a interval, in milliseconds, that specifies how long a packet flow must be inactive before it times out

  ---

  Note –

  You can configure timer and timeout to have different values.

  ---

• max_limit – Places an upper limit on the number of flow records that can be stored in the table

Flow Record Table

The flowacct module maintains a flow table that records all packet flows that are seen by a flowacct instance. A flow is identified by the following parameters, which comprise the flowacct 8–tuple.

• Source address

• Destination address

• Source port

• Destination port

• DSCP

• User ID

• Project ID

• Protocol

If all the parameters of the 8–tuple for a flow remain the same, the flow table contains only one entry. The max_limit parameter determines the number of entries that a flow table can contain.

The flow table is scanned at the interval that is specified in the IPQoS configuration file for the timer parameter. The default is 15 seconds. A flow “times out” when its packets are not seen by the IPQoS system for at least the timeout interval in the IPQoS configuration file. The default time-out interval is 60 seconds. Entries that have timed out are then written to the accounting file that is created with the acctadm command.

flowacct Records

A flowacct record contains the following attributes.

Using acctadm with the flowacct Module

You use the acctadm command to create a file in which to store the various flow records that are generated by flowacct. acctadm works in conjunction with the extended accounting facility. For technical information about acctadm, refer to the acctadm(1M) man page.

flowacct observes flows and fills its table with flow records. flowacct then evaluates its parameters and attributes in the interval that is specified by timer. When a packet is not seen for at least the last_seen plus timeout values, the packet times out. All timed-out entries are deleted from the flow table. They are then written to the accounting file each time the interval that is specified in the timer parameter elapses.

To invoke acctadm for use with the flowacct module, use the following syntax:

acctadm -e type -f filename flow

IPQoS Configuration File

This section contains full details about the parts of the IPQoS configuration file. The IPQoS boot-time activated policy is stored in the file /etc/inet/ipqosinit.conf. Although you can edit this file, the best practice for a new IPQoS system is to create a configuration file with a different name. Tasks for applying and debugging an IPQoS configuration are in Chapter 4, Starting Up and Maintaining IPQoS (Tasks).

The syntax of the IPQoS configuration file is shown in the next example. The example uses the following conventions:

• computer-style type - Syntactical information that is provided to explain the parts of the configuration file. You do not type any text that appears in computer style type.

• bold type - Literal text that you must type in the IPQoS configuration file. For example, you must always begin the IPQoS configuration file with fmt_version.

• italics type - Variable text that you replace with descriptive information about your configuration. For example, you must always replace action_name or module_name with information that pertains to your configuration.

Example 6–3 Syntax of the IPQoS Configuration File

file_format_version ::= fmt_version version

action_clause ::= action {
     name action_name
     module module_name
     params_clause |  ""
     cf_clauses
}
action_name ::= string
module_name ::= ipgpc | dlcosmk | dscpmk | tswtclmt | tokenmt | flowacct 

params_clause ::= params { 
     parameters
     params_stats |   ""
     }
parameters ::=    prm_name_value parameters |  ""
prm_name_value ::= param_name param_value 

params_stats ::= global_stats boolean

cf_clauses ::= class_clause cf_clauses |
               filter_clause cf_clauses | ""

class_clause ::= class {
     name class_name
     next_action next_action_name
     class_stats | ""
                 }
class_name  ::= string
next_action_name  ::= string
class_stats ::= enable_stats boolean
boolean ::= TRUE | FALSE

filter_clause ::= filter {
                name filter_name
                class class_name
                parameters
                }
filter_name ::= string

The remaining text describes each major part of the IPQoS configuration file.

action Statement

You use action statements to invoke the various IPQoS modules that are described in IPQoS Architecture and the diffserv Model.

When you begin the IPQoS configuration file, you must always begin with the version number. Then, you must add the following action to invoke the classifier:

fmt_version 1.0

action {
    module ipgpc
    name ipgpc.classify
}

Use the following syntax for all other action statements:

action {
name action_name
module module_name
params_clause | ""
cf_clauses
}

Module Definitions

The module definition indicates which module is to process the parameters in the action statement. The IPQoS configuration file can include the following modules.

Class Clause

You define a class clause for each class of traffic.

Use this syntax to define the remaining classes in the IPQoS configuration.

class {
     
      name class_name
      next_action next_action_name
}      

To enable statistics taking on a particular class, you must first enable global statistic in the ipgpc.classify action statement. For more information, refer to action Statement.

Use the enable_stats TRUE statement whenever you want to turn on statistics for a class. If you do not need to gather statistics for a class, you can specify enable_stats FALSE. Alternatively, you can eliminate the enable_stats statement.

Traffic on an IPQoS-enabled network that you do not specifically define is relegated to the default class.

Filter Clause

Filters are made up of selectors that group traffic flows into classes. These selectors specifically define the criteria to be applied to traffic of the class that was created in the class clause. If a packet matches all selectors of the highest-priority filter, the packet is considered to be a member of the filter's class. For a complete list of selectors that you can use with the ipgpc classifier, refer to Table 6–1.

You define filters in the IPQoS configuration file by using a filter clause, which has the following syntax:

filter { 
       name filter_name
       class class_name 
       parameters (selectors)
       }

Params Clause

The params clause contains processing instructions for the module that is defined in the action statement. Use the following syntax for the params clause:

params {
           parameters
           params_stats |  ""
       }

In the params clause, you use parameters that are applicable to the module.

The params_stats value in the params clause is either global_stats TRUE or global_stats FALSE. The global_stats TRUE instruction turns on UNIX-style statistics for the action statement where global statistics is invoked. You can view the statistics by using the kstat command. You must enable action statement statistics before you can enable per-class statistics.

ipqosconf Configuration Utility

You use the ipqosconf utility to read the IPQoS configuration file and configure IPQoS modules in the UNIX kernel. ipqosconf can perform the following actions:

• Apply the configuration file to the IPQoS kernel modules (ipqosconf -a) filename

• List the IPQoS configuration file currently resident in the kernel (ipqosconf -l)

• Ensure that the current IPQoS configuration is read and applied each time the machine reboots (ipqosconf -c)

• Flush the current IPQoS kernel modules (ipqosconf -f)

For technical information, refer to the ipqosconf(1M) man page.