Internet Draft

Differentiated Services WG                                     D. Black
INTERNET-DRAFT                                          EMC Corporation
Document: draft-ietf-diffserv-tunnels-02.txt                  July 2000


                   Differentiated Services and Tunnels

Status of this Memo

   This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.  Internet-Drafts are
   working documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups. Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Discussion and suggestions for improvement are requested.  This
   draft will expire before January, 2001.  Distribution of this draft
   is unlimited.

1. Abstract

   This draft considers the interaction of Differentiated Services
   (diffserv) [RFC-2474, RFC-2475] with IP tunnels of various forms.
   The discussion of tunnels in the diffserv architecture [RFC-2475]
   provides insufficient guidance to tunnel designers and implementers.
   This document describes two conceptual models for the interaction of
   diffserv with IP tunnels and employs them to explore the resulting
   configurations and combinations of functionality.  An important
   consideration is how and where it is appropriate to perform diffserv
   traffic conditioning in the presence of tunnel encapsulation and
   decapsulation.  A few simple mechanisms are also proposed that limit
   the complexity that tunnels would otherwise add to the diffserv
   traffic conditioning model.  Security considerations for IPSec
   tunnels limit the possible functionality in some circumstances.

2. Conventions used in this document

   An IP tunnel encapsulates IP traffic in another IP header as it
   passes through the tunnel; the presence of these two IP headers is a
   defining characteristic of IP tunnels, although there may be
   additional headers inserted between the two IP headers.  The inner
   IP header is that of the original traffic; an outer IP header is

Black                                                         [Page 1]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   attached and detached at tunnel endpoints.  In general, intermediate
   network nodes between tunnel endpoints operate solely on the outer
   IP header, and hence diffserv-capable intermediate nodes access and
   modify only the DSCP field in the outer IP header.  The terms
   "tunnel" and "IP tunnel" are used interchangeably in this document.
   For simplicity, this document does not consider tunnels other than
   IP tunnels (i.e., for which there is no encapsulating IP header),
   such as MPLS paths and "tunnels" formed by encapsulation in layer 2
   (link) headers, although the conceptual models and approach
   described here may be useful in understanding the interaction of
   diffserv with such tunnels.

   This analysis considers tunnels to be unidirectional; bi-directional
   tunnels are considered to be composed of two unidirectional tunnels
   carrying traffic in opposite directions between the same tunnel
   endpoints.  A tunnel consists of an ingress where traffic enters the
   tunnel and is encapsulated by the addition of the outer IP header,
   an egress where traffic exits the tunnel and is decapsulated by the
   removal of the outer IP header, and intermediate nodes through which
   tunneled traffic passes between the ingress and egress.  This
   document does not make any assumptions about routing and forwarding
   of tunnel traffic, and in particular assumes neither the presence
   nor the absence of route pinning in any form.

3. Diffserv and Tunnels Overview

   Tunnels range in complexity from simple IP-in-IP tunnels [RFC-2003]
   to more complex multi-protocol tunnels, such as IP in PPP in L2TP in
   IPSec transport mode [RFC-1661, RFC-2401, RFC-2661].  The most
   general tunnel configuration is one in which the tunnel is not end-
   to-end, i.e., the ingress and egress nodes are not the source and
   destination nodes for traffic carried by the tunnel; such a tunnel
   may carry traffic with multiple sources and destinations.  If the
   ingress node is the end-to-end source of all traffic in the tunnel,
   the result is a simplified configuration to which much of the
   analysis and guidance in this document are applicable, and likewise
   if the egress node is the end-to-end destination.

   A primary concern for differentiated services is the use of the
   Differentiated Services Code Point (DSCP) in the IP header [RFC-
   2474, RFC-2475].  The diffserv architecture permits intermediate
   nodes to examine and change the value of the DSCP, which may result
   in the DSCP value in the outer IP header being modified between
   tunnel ingress and egress.  When a tunnel is not end-to-end, there
   are circumstances in which it may be desirable to propagate the DSCP
   and/or some of the information that it contains to the outer IP
   header on ingress and/or back to inner IP header on egress.  The
   current situation facing tunnel implementers is that [RFC-2475]
   offers incomplete guidance.  Guideline G.7 in Section 3 is an
   example, as some PHB specifications have followed it by explicitly
   specifying the PHBs that may be used in the outer IP header for
   tunneled traffic.  This is overly restrictive; for example, if a
   specification requires that the same PHB be used in both the inner

Black                                                         [Page 2]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   and outer IP headers, traffic conforming to that specification
   cannot be tunneled across domains or networks that do not support
   that PHB.  A more flexible approach that should be used instead is
   to describe the behavioral properties of a PHB that are important to
   preserve when traffic is tunneled and allow the outer IP header to
   be marked in any fashion that is sufficient to preserve those
   properties.

   This document proposes an approach in which traffic conditioning is
   performed in series with tunnel ingress or egress processing, rather
   than in parallel.  This approach does not create any additional
   paths that transmit information across a tunnel endpoint, as all
   diffserv information is contained in the DSCPs in the IP headers.
   The IPSec architecture [RFC-2401] requires that this be the case to
   preserve security properties at the egress of IPSec tunnels, but
   this approach also avoids complicating diffserv traffic conditioning
   blocks by introducing out-of-band inputs.  A consequence of this
   approach is that the last sentence of Guideline G.7 in Section 3 of
   [RFC-2475] becomes moot because there are no tunnel egress diffserv
   components that have access to both the inner and outer DSCPs.

   An additional advantage of this traffic conditioning approach is
   that it places no additional restrictions on the positioning of
   diffserv domain boundaries with respect to traffic conditioning and
   tunnel encapsulation/decapsulation components.  An interesting class
   of configurations involves a diffserv domain boundary that passes
   through (i.e., divides) a network node; such a boundary can be split
   to create a DMZ-like region between the domains that contains the
   tunnel encapsulation or decapsulation processing.  Diffserv traffic
   conditioning is not appropriate for such a DMZ-like region, as
   traffic conditioning is part of the operation and management of
   diffserv domains.

4. Conceptual Models for Diffserv Tunnels

   This analysis introduces two conceptual traffic conditioning models
   for IP tunnels based on an initial discussion that assumes a fully
   diffserv-capable network.  Configurations in which this is not the
   case are taken up in Section 4.2.

4.1 Conceptual Models for Fully DS-capable Configurations

   The first conceptual model is a uniform model that views IP tunnels
   as artifacts of the end to end path from a traffic conditioning
   standpoint; tunnels may be necessary mechanisms to get traffic to
   its destination(s), but have no significant impact on traffic
   conditioning.  In this model, any packet has exactly one DS Field
   that is used for traffic conditioning at any point, namely the DS
   Field in the outermost IP header; any others are ignored.
   Implementations of this model copy the DSCP value to the outer IP
   header at encapsulation and copy the outer header's DSCP value to
   the inner IP header at decapsulation.  Use of this model allows IP
   tunnels to be configured without regard to diffserv domain

Black                                                         [Page 3]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   boundaries because diffserv traffic conditioning functionality is
   not impacted by the presence of IP tunnels.

   The second conceptual model is a pipe model that views an IP tunnel
   as hiding the nodes between its ingress and egress so that they do
   not participate fully in traffic conditioning.  In this model, a
   tunnel egress node uses traffic conditioning information conveyed
   from the tunnel ingress by the DSCP value in the inner header, and
   ignores (i.e., discards) the DSCP value in the outer header.  The
   pipe model cannot completely hide traffic conditioning within the
   tunnel, as the effects of dropping and shaping at intermediate
   tunnel nodes may be visible at the tunnel egress and beyond.

   The pipe model has traffic conditioning consequences when the
   ingress and egress nodes are in different diffserv domains.  In such
   a situation, the egress node must perform traffic conditioning to
   ensure that the traffic exiting the tunnel has DSCP values
   acceptable to the egress diffserv domain (see Section 6 of the
   diffserv architecture [RFC-2475]).  An inter-domain TCA (Traffic
   Conditioning Agreement) between the diffserv domains containing the
   tunnel ingress and egress nodes may be used to reduce or eliminate
   egress traffic conditioning.  Complete elimination of egress traffic
   conditioning requires that the diffserv domains at ingress and
   egress have compatible service provisioning policies for the
   tunneled traffic and support all of the PHB groups and DSCP values
   used for that traffic in a consistent fashion.  Examples of this
   situation are provided by some virtual private network tunnels; it
   may be useful to view such tunnels as linking the diffserv domains
   at their endpoints into a diffserv region by making the tunnel
   endpoints virtually contiguous even though they may be physically
   separated by intermediate network nodes.

   The pipe model is also appropriate for situations in which the DSCP
   itself carries information through the tunnel.  For example, if
   transit between two domains is obtained via a path that uses the EF
   PHB [RFC-2598], the drop precedence information in the AF PHB DSCP
   values [RFC-2597] will be lost unless something is done to preserve
   it; an IP tunnel is one possible preservation mechanism.  A path
   that crosses one or more non-diffserv domains between its DS-capable
   endpoints may experience a similar information loss phenomenon if a
   tunnel is not used due to the limited set of DSCP codepoints that
   are compatible with such domains.

4.2 Considerations for Partially DS-capable Configurations

   If only the tunnel egress node is DS-capable, [RFC-2475] requires
   the egress node to perform any edge traffic conditioning needed by
   the diffserv domain for tunneled traffic entering from outside the
   domain.  If the egress node would not otherwise be a DS edge node,
   one way to meet this requirement is to perform edge traffic
   conditioning at an appropriate upstream DS edge node or nodes within
   the tunnel, and copy the DSCP value from the outer IP header to the
   inner IP header as part of tunnel decapsulation processing; this

Black                                                         [Page 4]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   applies the uniform model to the portion of the tunnel within the
   egress node's diffserv domain.  A second alternative is to discard
   the outer DSCP value as part of decapsulation processing, reducing
   the resulting traffic conditioning problem and requirements to those
   of an ordinary DS ingress node.  This applies the pipe model to the
   portion of the tunnel within the egress node's diffserv domain and
   hence the adjacent upstream node for DSCP marking purposes is the
   tunnel ingress node, rather than the immediately upstream
   intermediate tunnel node.

   If only the tunnel ingress node is DS-capable, [RFC-2475] requires
   that traffic emerging from the tunnel be compatible with the network
   at the tunnel egress.  If tunnel decapsulation processing discards
   the outer header's DSCP value without changing the inner header's
   DSCP value, the DS-capable tunnel ingress node is obligated to set
   the inner header's DSCP to a value compatible with the network at
   the tunnel egress.  The value 0 (DSCP of 000000) is used for this
   purpose by a number of existing tunnel implementations.  If the
   egress network implements IP precedence as specified in [RFC-791],
   then some or all of the eight class selector DSCP codepoints defined
   in [RFC-2474] may be usable.  DSCP codepoints other than the class
   selectors are not generally suitable for this purpose, as correct
   operation would usually require diffserv functionality at the DS-
   incapable tunnel egress node.

5. Ingress Functionality

   As described in Section 3 above, this analysis is based on an
   approach in which diffserv functionality and/or out-of-band
   communication paths are not placed in parallel with tunnel
   encapsulation processing.  This allows three possible locations for
   traffic conditioning with respect to tunnel encapsulation
   processing, as shown in the following diagram that depicts the flow
   of IP headers through tunnel encapsulation:

                                        +--------- [2 - Outer] -->>
                                       /
                                      /
   >>---- [1 - Before] -------- Encapsulate ------ [3 - Inner] -->>

   Traffic conditioning at [1 - Before] is logically separate from the
   tunnel, as it is not impacted by the presence of tunnel
   encapsulation, and hence should be allowed by tunnel designs and
   specifications.  Traffic conditioning at [2 - Outer] may interact
   with tunnel protocols that are sensitive to packet reordering; such
   tunnels may need to limit the functionality at [2 - Outer] as
   discussed further in Section 5.1.  In the absence of reordering
   sensitivity, no additional restrictions should be necessary,
   although traffic conditioning at [2 - Outer] may be responsible for
   remarking traffic to be compatible with the next diffserv domain
   that the tunneled traffic enters.



Black                                                         [Page 5]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   In contrast, the [3 - Inner] location is difficult to utilize for
   traffic conditioning because it requires functionality that reaches
   inside the packet to operate on the inner IP header.  This is
   impossible for IPSec tunnels and any other tunnels that are
   encrypted or employ cryptographic integrity checks.  Hence traffic
   conditioning at [3 - Inner] can often only be performed as part of
   tunnel encapsulation processing, complicating both the encapsulation
   and traffic conditioning implementations.  In many cases, the
   desired functionality can be achieved via a combination of traffic
   conditioners in the other two locations, both of which can be
   specified and implemented independently of tunnel encapsulation.

   An exception for which traffic conditioning functionality is
   necessary at [3 - Inner] occurs when the DS-incapable tunnel egress
   discards the outer IP header as part of decapsulation processing,
   and hence the DSCP in the inner IP header must be compatible with
   the egress network.  Setting the inner DSCP to 0 as part of
   encapsulation addresses most of these cases, and the class selector
   DCSP codepoint values are also useful for this purpose, as they are
   valid for networks that support IP precedence [RFC-791].

   The following table summarizes the achievable relationships among
   the before (B), outer (O), and inner (I) DSCP values and the
   corresponding locations of traffic conditioning logic.

   Relationship       Traffic Conditioning Location(s)
   ------------       --------------------------------
   B  = I  = O        No traffic conditioning required
   B != I  = O        [1 - Before]
   B  = I != O        [2 - Outer]
   B  = O != I        Limited support as part of encapsulation:
                        I can be set to 000000 or possibly one of
                        the class selector code points.
   B != I != O        Some combination of the above three scenarios.

   A combination of [1 - Before] and [2 - Outer] is applicable to many
   cases covered by the last two lines of the table, and may be
   preferable to deploying functionality at [3 - Inner].  Traffic
   conditioning may still be required for purposes such as rate and
   burst control even if DSCP values are not changed.

5.1 Ingress DSCP Selection and Reordering

   It may be necessary or desirable to limit the DS behavior aggregates
   that utilize an IP tunnel that is sensitive to packet reordering
   within the tunnel.  The diffserv architecture allows packets to be
   reordered when they belong to behavior aggregates among which
   reordering is permitted; for example, reordering is allowed among
   behavior aggregates marked with different Class Selector DSCPs [RFC-
   2474].  IPSec [RFC-2401] and L2TP [RFC-2661] provide examples of
   tunnels that are sensitive to packet reordering.  If IPSec's anti-
   replay support is configured, audit events are generated in response
   to packet reordering that exceeds certain levels, with the audit

Black                                                         [Page 6]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   events indicating potential security issues.  L2TP can be configured
   to restore the ingress ordering of packets at tunnel egress, not
   only undoing any differentiation based on reordering within the
   tunnel, but also negatively impacting the traffic (e.g., by
   increasing latency).  The uniform model cannot be completely applied
   to such tunnels, as arbitrary mixing of traffic from different
   behavior aggregates can cause these undesirable interactions.

   The simplest method of avoiding undesirable interactions of
   reordering with reordering-sensitive tunnel protocols and features
   is not to employ the reordering-sensitive protocols or features, but
   this is often not desirable or even possible.  When such protocols
   or features are used, interactions can be avoided by ensuring that
   the aggregated flows through the tunnel are marked at [2 - Outer] to
   constitute a single ordered aggregate (i.e., the PHBs used share an
   ordering constraint that prevents packets from being reordered).
   Tunnel protocol specifications should indicate both whether and
   under what circumstances a tunnel should be restricted to a single
   ordered aggregate as well as the consequences of deviating from that
   restriction.  For the IPSec and L2TP examples discussed above, the
   specifications should restrict each tunnel to a single ordered
   aggregate when protocol features sensitive to reordering are
   configured, and may adopt the approach of restricting all tunnels in
   order to avoid unexpected consequences of changes in protocol
   features or composition of tunneled traffic.  Diffserv
   implementations should not attempt to look within such tunnels to
   provide reordering-based differentiation to the encapsulated
   microflows.  If reordering-based differentiation is desired within
   such tunnels, multiple parallel tunnels between the same endpoints
   should be used.  This enables reordering among packets in different
   tunnels to coexist with an absence of packet reordering within each
   individual tunnel.  For IPSec and related security protocols, there
   is no cryptographic advantage to using a single tunnel for multiple
   ordered aggregates rather than multiple tunnels because any traffic
   analysis made possible by the use of multiple tunnels can also be
   performed based on the DSCPs in the outer headers of traffic in a
   single tunnel.  In general, the additional resources required to
   support multiple tunnels (e.g., cryptographic contexts), and the
   impact of multiple tunnels on network management should be
   considered in determining whether and where to deploy them.

5.2 Tunnel Selection

   The behavioral characteristics of a tunnel are an important
   consideration in determining what traffic should utilize the tunnel.
   This involves the service provisioning policies of all the
   participating domains, not just the PHBs and DSCPs marked on the
   traffic at [2 - Outer].  For example, while it is in general a bad
   idea to tunnel EF PHB traffic via a Default PHB tunnel, this can be
   acceptable if the EF traffic is the only traffic that utilizes the
   tunnel, and the tunnel is provisioned in a fashion adequate to
   preserve the behavioral characteristics required by the EF PHB.


Black                                                         [Page 7]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   Service provisioning policies are responsible for preventing
   mismatches such as forwarding EF traffic via an inadequately
   provisioned Default tunnel.  When multiple parallel tunnels with
   different behavioral characteristics are available, service
   provisioning policies are responsible for determining which flows
   should use which tunnels.  Among the possibilities is a coarse
   version of the uniform tunnel model in which the inner DSCP value is
   used to select a tunnel that will forward the traffic using a
   behavioral aggregate that is compatible with the traffic's PHB.

6. Egress Functionality

   As described in Section 3 above, this analysis is based on an
   approach in which diffserv functionality and/or out-of-band
   communication paths are not placed in parallel with tunnel
   encapsulation processing.  This allows three possible locations for
   traffic conditioners with respect to tunnel decapsulation
   processing, as shown in the following diagram that depicts the flow
   of IP headers through tunnel decapsulation:

   >>----[5 - Outer]-------------+
                                  \
                                   \
   >>----[4 - Inner] --------- Decapsulate ---- [6 - After] -->>

   Traffic conditioning at [5 - Outer] and [6 - After] is logically
   separate from the tunnel, as it is not impacted by the presence of
   tunnel decapsulation.  Tunnel designs and specifications should
   allow diffserv traffic conditioning at these locations. Such
   conditioning can be viewed as independent of the tunnel, i.e.,
   [5 - Outer] is traffic conditioning that takes place prior to tunnel
   egress, and [6 - After] is traffic conditioning that takes place
   after egress decapsulation.  An important exception is that the
   configuration of a tunnel (e.g., the absence of traffic conditioning
   at tunnel ingress) and/or the diffserv domains involved may require
   that all traffic exiting a tunnel pass through diffserv traffic
   conditioning to fulfill the diffserv edge node traffic conditioning
   responsibilities of the tunnel egress node.  Tunnel designers are
   strongly encouraged to include the ability to require that all
   traffic exiting a tunnel pass through diffserv traffic conditioning
   in order to ensure that traffic exiting the node is compatible with
   the egress node's diffserv domain.

   In contrast, the [4 - Inner] location is difficult to employ for
   traffic conditioning because it requires reaching inside the packet
   to operate on the inner IP header.  Unlike the [3 - Inner] case for
   encapsulation, there is no need for functionality to be performed at
   [4- Inner], as diffserv traffic conditioning can be appended to the
   tunnel decapsulation (i.e., performed at [6 - After]).

6.1 Egress DSCP Selection



Black                                                         [Page 8]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   The elimination of parallel functionality and data paths from
   decapsulation causes a potential loss of information.  As shown in
   the above diagram, decapsulation combines and reduces two DSCP
   values to one DSCP value, losing information in the most general
   case, even if arbitrary functionality is allowed.  Beyond this,
   allowing arbitrary functionality poses a structural problem, namely
   that the DSCP value from the outer IP header would have to be
   presented as an out-of-band input to the traffic conditioning block
   at [6 - After], complicating the traffic conditioning model.

   To avoid such complications, the simpler approach of statically
   selecting either the inner or outer DSCP value at decapsulation is
   recommended, leaving the full generality of traffic conditioning
   functionality to be implemented at [5 - Outer] and/or [6 - After].
   Tunnels should support static selection of one or the other DSCP
   value at tunnel egress.  The rationale for this approach is usually
   only one of the two DSCP values contains useful information.  The
   conceptual model for the tunnel provides a strong indication of
   which one contains useful information; the outer DSCP value usually
   contains the useful information for tunnels based on the uniform
   model, and the inner DSCP value usually contains the useful
   information for tunnels based on the pipe model.  IPSec tunnels are
   usually based on the pipe model, and for security reasons are
   required to select the inner DSCP value; they should not be
   configured to select the outer DSCP value in the absence of an
   adequate security analysis of the resulting risks and implications.

6.2 Egress DSCP Selection Case Study

   As a sanity check on the egress DSCP selection approach proposed
   above, this subsection considers a situation in which a more complex
   approach might be required.  Statically choosing a single DSCP value
   may not work well when both DSCPs are carrying information that is
   relevant to traffic conditioning.

   As an example, consider a situation in which different AF groups
   [RFC-2597] are used by the two domains at the tunnel endpoints, and
   there is an intermediate domain along the tunnel using RFC 791 IP
   precedences that is transited by setting the DSCP to zero.  This
   situation is shown in the following IP header flow diagram where I
   is the tunnel ingress node, E is the tunnel egress node and the
   vertical lines are domain boundaries.  The node at the left-hand
   vertical line sets the DSCP in the outer header to 0 in order to
   obtain compatibility with the middle domain:

                        |                   |
                  +-----|-------------------|------+
                 /      |                   |       \
   >>-----------I-------|-------------------|--------E---------->>
                        |                   |
      Ingress DS Domain        RFC 791         Egress DS domain
                            IP Precedence
                                Domain

Black                                                         [Page 9]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000


   In this situation, the DS edge node for the egress domain (i.e., the
   node at the right-hand vertical line) can select the appropriate AF
   group (e.g., via an MF classifier), but cannot reconstruct the drop
   precedence information that was removed from the outer header when
   it transited the RFC 791 domain (although it can construct new
   information via metering and marking).  The original drop precedence
   information is preserved in the inner IP header's DSCP, and could be
   combined at the tunnel egress with the AF class selection
   communicated via the outer IP header's DSCP.  The marginal benefit
   of being able to reuse the original drop precedence information as
   opposed to constructing new drop precedence markings does not
   justify the additional complexity introduced into tunnel egress
   traffic conditioners by making both DSCP values available to traffic
   conditioning at [6 - After].

7.  Diffserv and Protocol Translators

   A related issue involves protocol translators, including those
   employing the Stateless IP/ICMP Translation Algorithm [RFC-2765].
   These translators are not tunnels because they do not add or remove
   a second IP header to/from packets (e.g., in contrast to IPv6 over
   IPv4 tunnels [RFC-1933]) and hence do not raise concerns of
   information propagation between inner and outer IP headers.  The
   primary interaction between translators and diffserv is that the
   translation boundary is likely to also be a diffserv domain boundary
   (e.g., the IPv4 and IPv6 domains may have different policies for
   traffic conditioning and DSCP usage), and hence such translators
   should allow the insertion of diffserv edge node processing
   (including traffic conditioning) both before and after the
   translation processing.

8. Security Considerations

   The security considerations for the diffserv architecture discussed
   in [RFC-2474, RFC-2475] apply when tunnels are present.  One of the
   requirements is that a tunnel egress node in the interior of a
   diffserv domain is the DS ingress node for traffic exiting the
   tunnel, and is responsible for performing appropriate traffic
   conditioning.  The primary security implication is that the traffic
   conditioning is responsible for dealing with theft- and denial-of-
   service threats posed to the diffserv domain by traffic exiting from
   the tunnel.  The IPSec architecture [RFC-2401] places a further
   restriction on tunnel egress processing; the outer header is to be
   discarded unless the properties of the traffic conditioning to be
   applied are known and have been adequately analyzed for security
   vulnerabilities.  This includes both the [5 - Outer] and [6 - After]
   traffic conditioning blocks on the tunnel egress node, if present,
   and may involve traffic conditioning performed by an upstream DS-
   edge node that is the DS domain ingress node for the encapsulated
   tunneled traffic.

9. References

Black                                                        [Page 10]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000


   [RFC-791] J. Postel, "Internet Protocol", STD 5, RFC 791, September
   1981.

   [RFC-1661] W. Simpson, "The Point-to-Point Protocol (PPP)", STD 51,
   RFC 1661, July 1994.

   [RFC-1933] R. Gilligan and E. Nordmark, "Transition Mechanisms for
   IPv6 Hosts and Routers", RFC 1933, April 1996.

   [RFC-2003] C. Perkins, "IP Encapsulation within IP,", RFC 2003,
   October 1996.

   [RFC-2401] S. Kent and R. Atkinson, "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [RFC-2474] K. Nichols, S. Blake, F. Baker, and D. Black, "Definition
   of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
   Headers", RFC 2474, December 1998.

   [RFC-2475] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and
   W. Weiss, "An Architecture for Differentiated Services", RFC 2475,
   December 1998.

   [RFC-2597] J. Heinanen, F. Baker, W. Weiss, and J. Wroclawski,
   "Assured Forwarding PHB Group", RFC 2597. June 1999.

   [RFC-2598] V. Jacobson, K. Nichols, and K. Poduri, "An Expedited
   Forwarding PHB", RFC 2598, June 1999.

   [RFC-2661] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn,
   and B. Palter. "Layer Two Tunneling Protocol "L2TP"", RFC 2661,
   August 1999.

   [RFC-2765] E. Nordmark, "Stateless IP/ICMP Translation Algorithm
   (SIIT)", RFC 2765. February, 2000.

10. Acknowledgments

   Some of this material is based on discussions with Brian Carpenter,
   and in particular his presentation on this topic to the diffserv WG
   during the summer 1999 IETF meeting in Oslo.  Credit is also due to
   a number of people working on tunnel specifications  who have
   discovered limitations of the diffserv architecture [RFC-2475] in
   the area of tunnels.  Their patience with the time it has taken to
   address this set of issues is greatly appreciated.  Finally, this
   material has benefited from discussions within the diffserv WG, both
   in meetings and on the mailing list -- the contributions of
   participants in those discussions are gratefully acknowledged.

11. Author's Address

   David L. Black

Black                                                        [Page 11]
ietf-diffserv-tunnels    Diffserv and Tunnels                June 2000

   EMC Corporation
   42 South St.
   Hopkinton, MA   01748
   Phone: +1 (508) 435-1000 x75140
   Email: black_david@emc.com

















































Black                                                        [Page 12]