RE: FW: [ipcdn] FW: [Diffserv] Dscp and DscpOrAny TCs

"Woundy, Richard" <> Sun, 09 March 2003 11:16 UTC

Received: from ( [] (may be forged)) by (8.9.1a/8.9.1a) with ESMTP id GAA19179 for <>; Sun, 9 Mar 2003 06:16:06 -0500 (EST)
Received: (from mailnull@localhost) by (8.11.6/8.11.6) id h29BSYF04456 for; Sun, 9 Mar 2003 06:28:34 -0500
Received: from (localhost.localdomain []) by (8.11.6/8.11.6) with ESMTP id h29B7iO03425; Sun, 9 Mar 2003 06:07:44 -0500
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h27LLYO10596 for <>; Fri, 7 Mar 2003 16:21:34 -0500
Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id QAA03663; Fri, 7 Mar 2003 16:09:20 -0500 (EST)
Received: from ( []) by (8.12.2/8.12.2) with ESMTP id h27L9sH4020710; Fri, 7 Mar 2003 14:10:35 -0700 (MST)
Received: from by with ESMTP ( Tumbleweed MMS SMTP Relay (MMS v5.5.0)); Fri, 07 Mar 2003 14:10:27 -0600
Received: by with Internet Mail Service ( 5.5.2653.19) id <DKVQ8RY6>; Fri, 7 Mar 2003 14:08:54 -0700
Message-ID: <>
From: "Woundy, Richard" <>
To: "'John Schnizlein'" <>
cc: "''" <>, "IPCDN WG (E-mail)" <>
Subject: RE: FW: [ipcdn] FW: [Diffserv] Dscp and DscpOrAny TCs
Date: Fri, 7 Mar 2003 14:10:24 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 1277D5491200844-02-01
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <>, <>
List-Id: Diffserv Discussion List <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Transfer-Encoding: 7bit


Thanks for the pointing out that the DiffServ field code points in the
registry are just recommended values, not required values.

Let me react to this statement, which I believe is key to the discussion
about Dscp "filtering" in the DOCSIS Cable Device and Subscriber Management

>I don't appreciate the distinction. What was intended by PHB selector
>was that traffic could be selected from the aggregate by the DSCP.
>How is this different from filtering traffic based on DSCP matches?

The key difference between "PHB selection" and "filtering" is with regards
to the purpose for the matching.

I understand "PHB selection" to mean packet classifiers that map traffic
--based on a specific DSCP -- to a particular per hop behavior aggregate.

I understand "filtering" to mean packet classifiers that condition traffic
-- based on a specific DSCP value or group of values -- at the DS
boundaries, by re-marking DSCP values or similar actions. This function is
mentioned again in RFC 2474 section 7.1 (page 16):

   The defense against this class of theft- and denial-of-service
   attacks consists of the combination of traffic conditioning at DS
   domain boundaries with security and integrity of the network
   infrastructure within a DS domain.  DS domain boundary nodes MUST
   ensure that all traffic entering the domain is marked with codepoint
   values appropriate to the traffic and the domain, remarking the
   traffic with new codepoint values if necessary.  These DS boundary
   nodes are the primary line of defense against theft- and denial-of-
   service attacks based on modified codepoints, as success of any such
   attack indicates that the codepoints used by the attacking traffic
   were inappropriate...

The same device may apply both "filtering" and "PHB selection" to its
inbound traffic, in that order.

The most recent version of the DOCSIS Cable Device MIB (an update of RFC
will enable the Cable Modem (CM) to filter traffic based on criteria in the
new docsDevFilterInetTable, and overwrite the Dscp according to the

The DOCSIS Subscriber Management MIB,
will enable the Cable Modem Termination System (CMTS) to filter traffic
based on criteria in the docsSubMgtPktFilterTable. This table enables the
DOCSIS CMTS to drop traffic with illegal DSCPs that happen to elude a
compromised CM.

These two MIBs should define their DSCP-related objects according to best
practices for their intended functionality -- hence this email.

We do have a MIB in the IPCDN WG, the DOCSIS QoS MIB
<>, in
which the docsQosPktClassTable is similar to a PHB selection table. Unlike
the previous two MIBs, this MIB is constrained by some outdated notions of
packet selection during the DOCSIS 1.1 specification process (late '98/early
'99). For example, DOCSIS 1.1 specifically calls for an IP ToS comparison:
the packet's ToS is masked and compared to a range between "tos-low" and
"tos-high". See Appendix C. in

This implies that this base DOCSIS 1.1 specification is going to need to be
made DiffServ-aware, before the MIB can be made DiffServ-aware. I believe
there is some cable operator support for such a project.

-- Rich

-----Original Message-----
From: John Schnizlein []
Sent: Friday, March 07, 2003 2:15 PM
To: Woundy, Richard
Cc: ''
Subject: Re: FW: [ipcdn] FW: [Diffserv] Dscp and DscpOrAny TCs

Comments embedded in context below:

At 09:40 AM 3/7/2003, Woundy, Richard wrote:

>I'm looking for further reaction to my email below about DOCSIS/Dscp
>I think there are two issues here: are Dscp mask objects legal, 


>and are they worthwhile?


>... enable the DOCSIS equipment to act precisely as "re-marking boundary
>nodes", which are also described in RFC 2474 Section 3, pages 8-9:
>   The structure of the DS field shown above is incompatible with the
>   existing definition of the IPv4 TOS octet in [RFC791].  The
>   presumption is that DS domains protect themselves by deploying re-
>   marking boundary nodes, as should networks using the RFC 791
>   Precedence designations.  Correct operational procedure SHOULD follow
>   [RFC791], which states: "If the actual use of these precedence
>   designations is of concern to a particular network, it is the
>   responsibility of that network to control the access to, and use of,
>   those precedence designations."  Validating the value of the DS field
>   at DS boundaries is sensible in any case since an upstream node can
>   easily set it to any arbitrary value.  DS domains that are not
>   isolated by suitably configured boundary nodes may deliver
>   unpredictable service.
>   Nodes MAY rewrite the DS field as needed to provide a desired local
>   or end-to-end service.  Specifications of DS field translations at DS
>   boundaries are the subject of service level agreements between
>   providers and users, and are outside the scope of this document.
>   Standardized PHBs allow providers to build their services from a
>   well-known set of packet forwarding treatments that can be expected
>   to be present in the equipment of many vendors.
>On the other hand, I see the definite lack of structure in the DiffServ
>codepoints, and I am debating with myself whether a "Dscp mask" is worth
>trouble or not.
>In particular, I am looking at the current codepoint assignments in

You may be running into a subtlety that was worried about early in 
defining the DiffServ field. The code points in the registry are 
just recommended values, not required values. While there are 
requirements regarding which behaviors must be supported to claim 
DiffServ compliance, there is no requirement that the recommended 
values be used to indicate these behaviors.

The point is that there is no reliable structure for "the network 
operator to take advantage of". The presence of masks in data objects
would encourage creating the sort of structure the RFC prohibits.

Note the distinction between the SHOULD regarding values, and the MUST
regarding treating the value as a unit (copied farther below):

RFC 2474 section 2, page 5
   Codepoint: a specific value of the DSCP portion of the DS field.
   Recommended codepoints SHOULD map to specific, standardized PHBs.

>From: []
>Keep in mind we're talking about a *filter* here, not a PHB selector. 

I don't appreciate the distinction. What was intended by PHB selector
was that traffic could be selected from the aggregate by the DSCP.
How is this different from filtering traffic based on DSCP matches?

>And we'e not inferring bit-structure in the implementation, merely
>allowing the network operator to take advantage of any structure 
>that exists. Do we really want to require the operator to install 
>three separate filters to catch one AF class?
>I don't find anything in the cited paragraph that contraindicates this sort
>of usage. The fact that today's PHB selector set is likely to change is all
>the more reason to give a filter-installer some options for concise
>RFC 2474 Section 3, page 7
>   Implementors should note that the DSCP field is six bits wide.  DS-
>   compliant nodes MUST select PHBs by matching against the entire 6-bit
>   DSCP field, e.g., by treating the value of the field as a table index
>   which is used to select a particular packet handling mechanism which
>   has been implemented in that device.  The value of the CU field MUST
>   be ignored by PHB selection.  The DSCP field is defined as an
>   unstructured field to facilitate the definition of future per-hop
>   behaviors.


diffserv mailing list