Re: IP DSCP across the Internet

2015-05-08 Thread Jay Hennigan

On 5/7/15 3:05 AM, Mark Tinka wrote:


> And this is what sales and marketing droids don't get - so-called
> Premium Internet products abound that don't really mean anything.
>
> The competition that offer these products are basically hoping nothing
> happens, and that when it does, it seems as palatable as flying First
> Class in a plane that's going down.


Which is usually a bad thing. I've never heard of an airplane backing 
into a mountain.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: IP DSCP across the Internet

2015-05-07 Thread Mark Tinka


On 7/May/15 11:12, James Bensley wrote:


 This.

 You can't really put SLAs on traffic that has to egress/ingress the
 Internet, if you try to you're asking for trouble, so we simply remark
 to 0 on all inbound traffic.

And this is what sales and marketing droids don't get - so-called
Premium Internet products abound that don't really mean anything.

The competition that offer these products are basically hoping nothing
happens, and that when it does, it seems as palatable as flying First
Class in a plane that's going down.

Focus energies on other things, I say... the customers that buy such
services should know better, but alas...

Mark.


Re: IP DSCP across the Internet

2015-05-07 Thread James Bensley
On 6 May 2015 at 03:27, Blake Dunlap iki...@gmail.com wrote:
 If there isn't a specific peering agreement which sets up DSCP marks
 with your Z side, you're going to have a bad time doing anything other
 than remarking to 0.

 -Blake


This.

You can't really put SLAs on traffic that has to egress/ingress the
Internet, if you try to you're asking for trouble, so we simply remark
to 0 on all inbound traffic.

Jamas.


RE: IP DSCP across the Internet

2015-05-07 Thread John van Oppen
Seems pretty real to me; I know we (AS11404) mark to zero on ingress... I 
think that is the typical case, otherwise people would just tag their 
flood-style DDoS traffic as max and try to take out everything.

John 

From: NANOG [nanog-boun...@nanog.org] on behalf of Mike Hammett 
[na...@ics-il.net]
Sent: Thursday, May 07, 2015 4:46 AM
To: nanog list
Subject: Re: IP DSCP across the Internet

That sounds like a rather poor implementation. What if they had more than one 
VoIP call?

Seems like this thread has more FUD than real examples.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -

From: Mikael Abrahamsson swm...@swm.pp.se
To: Mark Tinka mark.ti...@seacom.mu
Cc: nanog list nanog@nanog.org
Sent: Thursday, May 7, 2015 4:32:52 AM
Subject: Re: IP DSCP across the Internet

On Wed, 6 May 2015, Mark Tinka wrote:

 With color-aware policing toward a customer in Uganda, any traffic
 coming from that peer in South Africa was getting dropped toward that
 customer in Uganda. After a very odd sequence of troubleshooting events,
 we found that the AF DSCP values being set by the peer in South Africa
 (and us passing them due to the old kit not being able to remark on
 ingress) was causing the color-aware policer in Uganda to drop traffic
 toward the customer there.

I have heard similar stories where game traffic ended up in a 100
kilobit/s VoIP queue which worked fine until there were a lot of nearby
players in the game, then things started working very badly. Also nice
corner case :P

So yes, setting all external Internet traffic to DSCP=BE (0) is something
one wants to do.

--
Mikael Abrahamsson email: swm...@swm.pp.se



Re: IP DSCP across the Internet

2015-05-07 Thread Mikael Abrahamsson

On Wed, 6 May 2015, Mark Tinka wrote:

> With color-aware policing toward a customer in Uganda, any traffic
> coming from that peer in South Africa was getting dropped toward that
> customer in Uganda. After a very odd sequence of troubleshooting events,
> we found that the AF DSCP values being set by the peer in South Africa
> (and us passing them due to the old kit not being able to remark on
> ingress) was causing the color-aware policer in Uganda to drop traffic
> toward the customer there.


I have heard similar stories where game traffic ended up in a 100 
kilobit/s VoIP queue which worked fine until there were a lot of nearby 
players in the game, then things started working very badly. Also nice 
corner case :P


So yes, setting all external Internet traffic to DSCP=BE (0) is something 
one wants to do.


--
Mikael Abrahamsson email: swm...@swm.pp.se


Re: IP DSCP across the Internet

2015-05-07 Thread Mike Hammett
That sounds like a rather poor implementation. What if they had more than one 
VoIP call? 

Seems like this thread has more FUD than real examples. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

- Original Message -

From: Mikael Abrahamsson swm...@swm.pp.se 
To: Mark Tinka mark.ti...@seacom.mu 
Cc: nanog list nanog@nanog.org 
Sent: Thursday, May 7, 2015 4:32:52 AM 
Subject: Re: IP DSCP across the Internet 

On Wed, 6 May 2015, Mark Tinka wrote: 

 With color-aware policing toward a customer in Uganda, any traffic 
 coming from that peer in South Africa was getting dropped toward that 
 customer in Uganda. After a very odd sequence of troubleshooting events, 
 we found that the AF DSCP values being set by the peer in South Africa 
 (and us passing them due to the old kit not being able to remark on 
 ingress) was causing the color-aware policer in Uganda to drop traffic 
 toward the customer there. 

I have heard similar stories where game traffic ended up in a 100 
kilobit/s VoIP queue which worked fine until there were a lot of nearby 
players in the game, then things started working very badly. Also nice 
corner case :P 

So yes, setting all external Internet traffic to DSCP=BE (0) is something 
one wants to do. 

-- 
Mikael Abrahamsson email: swm...@swm.pp.se 



Re: IP DSCP across the Internet

2015-05-06 Thread Joel Mulkey
But don't trust that's going to be the rule. I recently had a situation where 
traffic across a congested public peering link between 2 large tier-2 
carriers was honoring DSCP, resulting in some unexpected inconsistent behavior.

Joel Mulkey
Founder and CEO
Bigleaf Networks
Direct: +1 (503) 985-6964  |  Support: +1 (503) 985-8298  |  www.bigleaf.net

 On May 5, 2015, at 5:30 PM, Roland Dobbins rdobb...@arbor.net wrote:
 
 
 On 5 May 2015, at 17:27, Ramy Hashish wrote:
 
 Assume two ASs connected through two tier 1 networks, will the tier one 
 networks trust any DSCP markings done from an AS to the other?
 
 The BCP is to re-color on ingress.
 
 ---
 Roland Dobbins rdobb...@arbor.net



Re: IP DSCP across the Internet

2015-05-06 Thread Roland Dobbins

On 6 May 2015, at 8:22, Joel Mulkey wrote:

 But don't trust that's going to be the rule.

Yes, that's always the caveat.

Just do what you can within your own span of administrative control.

---
Roland Dobbins rdobb...@arbor.net


RE: IP DSCP across the Internet

2015-05-06 Thread Charles Wyble
I presume nothing is honored. I just encapsulate everything if I'm crossing 
networks outside my corporate WAN.

Amazing how handy openvpn with no crypto is. :)  

-Original Message-
From: Mark Tinka mark.ti...@seacom.mu
Sent: 5/6/2015 12:39 AM
To: Ramy Hashish ramy.ihash...@gmail.com; nanog@nanog.org 
nanog@nanog.org
Subject: Re: IP DSCP across the Internet



On 5/May/15 12:27, Ramy Hashish wrote:
 Good day all,

 A simple question, does Internet trust IP DSCP marking? Assume two ASs
 connected through two tier 1 networks, will the tier one networks trust any
 DSCP markings done from an AS to the other?

I wouldn't bet on it.

Some providers honor, most remark. We remark.

We can only honor DSCP values on private circuits (l2vpn, l3vpn, that
sort o' thing).

Mark.




Re: IP DSCP across the Internet

2015-05-05 Thread Roland Dobbins


On 5 May 2015, at 17:27, Ramy Hashish wrote:

> Assume two ASs connected through two tier 1 networks, will the tier
> one networks trust any DSCP markings done from an AS to the other?


The BCP is to re-color on ingress.

---
Roland Dobbins rdobb...@arbor.net


Re: IP DSCP across the Internet

2015-05-05 Thread Tim Jackson
In general there are very few bad actors here in regards to
trusting/accepting/using DSCP across the internet.

Apple has a tendency to mark some traffic with EF that shouldn't be EF on
PNIs, and Cogent leaks a lot of their internal markings into customers, but
it's generally unmarked traffic from certain customers/peers. Other than
that IMHO it's totally valid to accept, and nobody abuses it (other than
those 2).

We accept DSCP from the internet and do queue a few things higher towards
customers for things like OTT VoIP etc.

Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
be careful, and I suggest good netflow tools to keep an eye on it.
On May 5, 2015 5:30 PM, Ramy Hashish ramy.ihash...@gmail.com wrote:

 Good day all,

 A simple question, does Internet trust IP DSCP marking? Assume two ASs
 connected through two tier 1 networks, will the tier one networks trust any
 DSCP markings done from an AS to the other?

 Thanks,

 Ramy



Re: IP DSCP across the Internet

2015-05-05 Thread Blake Dunlap
If there isn't a specific peering agreement which sets up DSCP marks
with your Z side, you're going to have a bad time doing anything other
than remarking to 0.

-Blake

On Tue, May 5, 2015 at 6:35 PM, Tim Jackson jackson@gmail.com wrote:
 In general there are very few bad actors here in regards to
 trusting/accepting/using DSCP across the internet.

 Apple has a tendency to mark some traffic with EF that shouldn't be EF on
 PNIs, and Cogent leaks a lot of their internal markings into customers, but
 it's generally unmarked traffic from certain customers/peers. Other than
 that IMHO it's totally valid to accept, and nobody abuses it (other than
 those 2).

 We accept DSCP from the internet and do queue a few things higher towards
 customers for things like OTT VoIP etc.

 Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
 be careful, and I suggest good netflow tools to keep an eye on it.
 On May 5, 2015 5:30 PM, Ramy Hashish ramy.ihash...@gmail.com wrote:

 Good day all,

 A simple question, does Internet trust IP DSCP marking? Assume two ASs
 connected through two tier 1 networks, will the tier one networks trust any
 DSCP markings done from an AS to the other?

 Thanks,

 Ramy



Re: IP DSCP across the Internet

2015-05-05 Thread Mark Tinka


On 6/May/15 03:35, Tim Jackson wrote:
 In general there are very few bad actors here in regards to
 trusting/accepting/using DSCP across the internet.

 Apple has a tendency to mark some traffic with EF that shouldn't be EF on
 PNIs, and Cogent leaks a lot of their internal markings into customers, but
 it's generally unmarked traffic from certain customers/peers. Other than
 that IMHO it's totally valid to accept, and nobody abuses it (other than
 those 2).

 We accept DSCP from the internet and do queue a few things higher towards
 customers for things like OTT VoIP etc.

 Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
 be careful, and I suggest good netflow tools to keep an eye on it.

We had an odd experience, once, where - due to old hardware - we could
not remark traffic we were picking up from a peer in South Africa.

With color-aware policing toward a customer in Uganda, any traffic
coming from that peer in South Africa was getting dropped toward that
customer in Uganda. After a very odd sequence of troubleshooting events,
we found that the AF DSCP values being set by the peer in South Africa
(and us passing them due to the old kit not being able to remark on
ingress) was causing the color-aware policer in Uganda to drop traffic
toward the customer there.

Re-configuring the policer to be color-blind fixed the issue, but you
can imagine how such a corner case this was.

Naturally, with new kit in now, our global QoS policy is in effect.

We don't honor DSCP values that come in via best-effort circuits (i.e.,
the Internet). Although not a very strong reason, this particular
experience is one reason why.

Mark.


Re: IP DSCP across the Internet

2015-05-05 Thread Mark Tinka


On 5/May/15 12:27, Ramy Hashish wrote:
 Good day all,

 A simple question, does Internet trust IP DSCP marking? Assume two ASs
 connected through two tier 1 networks, will the tier one networks trust any
 DSCP markings done from an AS to the other?

I wouldn't bet on it.

Some providers honor, most remark. We remark.

We can only honor DSCP values on private circuits (l2vpn, l3vpn, that
sort o' thing).

Mark.


Re: IP DSCP across the Internet

2015-05-05 Thread Randy Bush
 We don't honor DSCP values that come in via best-effort circuits
 (i.e., the Internet). Although not a very strong reason, this
 particular experience is one reason why.

trusting markings of any sort which you do not need is an increase in
attack, game playing, and/or bug surface.  the only thing i would pass
is ecn.

randy
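
The policy most posters describe (remark to 0 on untrusted ingress, pass only ECN, and watch what peers send) is sketched below as an added example; it is not code from any poster in this thread. The function names, the `trusted` flag and the sample headers are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(dscp: int, ecn: int, src: bytes, dst: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (no payload) used as sample input."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def remark_ingress(packet: bytes, trusted: bool = False) -> bytes:
    """Reset DSCP to 0 (best effort) on untrusted ingress, keep the ECN bits.

    'trusted' stands for a circuit with an agreed marking scheme
    (hypothetical flag, e.g. a private l2vpn/l3vpn hand-off).
    """
    if trusted:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] &= 0x03            # clear the 6 DSCP bits, keep the 2 ECN bits
    hdr[10:12] = b"\x00\x00"  # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def dscp_report(packets):
    """Count DSCP values seen on an interface, as a flow tool would."""
    return Counter(p[1] >> 2 for p in packets)

# Constructed sample: EF (46), AF11 (10) and unmarked traffic from one peer.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
SAMPLE = [build_header(46, 0, SRC, DST), build_header(10, 2, SRC, DST),
          build_header(0, 1, SRC, DST)]

if __name__ == "__main__":
    print("as received: ", dict(dscp_report(SAMPLE)))
    print("after remark:", dict(dscp_report(remark_ingress(p) for p in SAMPLE)))
```

Running the report on the as-received headers before remarking is what shows which peers are sending EF or AF markings in the first place.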