On October 12, 2016 5:36:32 PM GMT+02:00, Jonathan Morton
>> On 12 Oct, 2016, at 15:40, ching lu <lschin...@gmail.com> wrote:
>> DSCP -> unreliable, easily spoofed by attacker
>I’d like to address the “easily spoofed by attacker” point
>Cake’s interpretation of Diffserv is as a three-way tradeoff between
>throughput priority, latency priority, and altruism. If you choose a
>DSCP meaning “low latency” such as CS6 or EF, Cake gives it higher
>weight than average, but *only* if the aggregate bandwidth of
>supposedly low-latency traffic is below a reasonable fraction of the
>link bandwidth. Beyond that point, it gets *lower* weight than
>average, but is still able to use spare bandwidth that happens to be
>There is no way to get “absolute priority”, which this type of attacker
>would presumably want, just by setting a particular DSCP. The default
>“best effort” DSCP is in fact interpreted as “throughput priority”,
>which is what most bulk traffic wants. In this respect, Cake differs
>from the original IP Precedence specification (which is long obsolete)
>and most other naive Diffserv implementations.
>In short, Cake does not unreasonably *trust* the DSCP field, but
>instead offers explicit incentives for traffic to set it correctly.
With the slight complication that there is no canonically agreed upon value for
correct, and cake' does not make it easy to predict how much traffic a specific
priority tier will allow before degrading the requested priority, no? In short
cake adds to the confusion independent of whether cake's rationale is sane...
>This adheres to the relevant PHB specifications, which are published as
>RFCs and thus can be used as a standard.
The problem I see is that in the DSCP RFC it is explicitly stated that markings
only are supposed/guaranteed to have meaning inside a dscp domain... With the
home net typically being regarded as a domain independent of the ISPs...
>The CS1 or “Background” DSCP is the one with an altruistic meaning. It
>has low priority whichever side of the bandwidth threshold it lies, so
>it always mostly yields to other traffic. Clients are of course
>permitted to not set it, but that’s what your firewall rules are for.
>The Diffserv spec explicitly allows you to change the DSCP on entry to
>your own network, which is what I suggested in my first reply.
They even recommend that IIRC, including recommending re-mapping to zero if in
>Setting the DSCP with iptables rules should work just as well and in
>the same way as using the “firewall mark” functionality as you already
>do. Set it up that way in the first instance, directly replacing each
>HTB+fq_codel combination with a Cake instance, and see how it works
> - Jonathan Morton
Cake mailing list