Network Working Group                                        S. Blake
Request for Comments: 2475            Torrent Networking Technologies
Category: Informational                                      D. Black
                                                      EMC Corporation
                                                           M. Carlson
                                                     Sun Microsystems
                                                            E. Davies
                                                            Nortel UK
                                                              Z. Wang
                                        Bell Labs Lucent Technologies
                                                             W. Weiss
                                                  Lucent Technologies
                                                        December 1998

              An Architecture for Differentiated Services

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.


   This document defines an architecture for implementing scalable
   service differentiation in the Internet.  This architecture achieves
   scalability by aggregating traffic classification state which is
   conveyed by means of IP-layer packet marking using the DS field
   [DSFIELD].  Packets are classified and marked to receive a particular
   per-hop forwarding behavior on nodes along their path.  Sophisticated
   classification, marking, policing, and shaping operations need only
   be implemented at network boundaries or hosts.  Network resources are
   allocated to traffic streams by service provisioning policies which
   govern how traffic is marked and conditioned upon entry to a
   differentiated services-capable network, and how that traffic is
   forwarded within that network.  A wide variety of services can be
   implemented on top of these building blocks.

Blake, et. al.               Informational                      [Page 1]

RFC 2475        Architecture for Differentiated Services   December 1998

Table of Contents

   1.  Introduction .................................................  2
     1.1  Overview  .................................................  2
     1.2  Terminology ...............................................  4
     1.3  Requirements ..............................................  8
     1.4  Comparisons with Other Approaches .........................  9
   2.  Differentiated Services Architectural Model .................. 12
     2.1  Differentiated Services Domain ............................ 12
       2.1.1  DS Boundary Nodes and Interior Nodes .................. 12
       2.1.2  DS Ingress Node and Egress Node ....................... 13
     2.2  Differentiated Services Region ............................ 13
     2.3  Traffic Classification and Conditioning ................... 14
       2.3.1  Classifiers ........................................... 14
       2.3.2  Traffic Profiles ...................................... 15
       2.3.3  Traffic Conditioners .................................. 15  Meters ............................................ 16  Markers ........................................... 16  Shapers ........................................... 17  Droppers .......................................... 17
       2.3.4  Location of Traffic Conditioners and MF Classifiers ... 17  Within the Source Domain .......................... 17  At the Boundary of a DS Domain .................... 18  In non-DS-Capable Domains ......................... 18  In Interior DS Nodes .............................. 19
     2.4  Per-Hop Behaviors ......................................... 19
     2.5  Network Resource Allocation ............................... 20
   3.  Per-Hop Behavior Specification Guidelines .................... 21
   4.  Interoperability with Non-Differentiated Services-Compliant
       Nodes ........................................................ 25
   5.  Multicast Considerations ..................................... 26
   6.  Security and Tunneling Considerations ........................ 27
     6.1  Theft and Denial of Service ............................... 28
     6.2  IPsec and Tunneling Interactions .......................... 30
     6.3  Auditing .................................................. 32
   7.  Acknowledgements ............................................. 32
   8.  References ................................................... 33
   Authors' Addresses ............................................... 34
   Full Copyright Statement ......................................... 36

1.  Introduction

1.1  Overview

   This document defines an architecture for implementing scalable
   service differentiation in the Internet.  A "Service" defines some
   significant characteristics of packet transmission in one direction
   across a set of one or more paths within a network.  These

Blake, et. al.               Informational                      [Page 2]

RFC 2475        Architecture for Differentiated Services   December 1998

   characteristics may be specified in quantitative or statistical terms
   of throughput, delay, jitter, and/or loss, or may otherwise be
   specified in terms of some relative priority of access to network
   resources.  Service differentiation is desired to accommodate
   heterogeneous application requirements and user expectations, and to
   permit differentiated pricing of Internet service.

   This architecture is composed of a number of functional elements
   implemented in network nodes, including a small set of per-hop
   forwarding behaviors, packet classification functions, and traffic
   conditioning functions including metering, marking, shaping, and
   policing.  This architecture achieves scalability by implementing
   complex classification and conditioning functions only at network
   boundary nodes, and by applying per-hop behaviors to aggregates of
   traffic which have been appropriately marked using the DS field in
   the IPv4 or IPv6 headers [DSFIELD].  Per-hop behaviors are defined to
   permit a reasonably granular means of allocating buffer and bandwidth
   resources at each node among competing traffic streams.  Per-
   application flow or per-customer forwarding state need not be
   maintained within the core of the network.  A distinction is
   maintained between:

   o  the service provided to a traffic aggregate,

   o  the conditioning functions and per-hop behaviors used to realize

   o  the DS field value (DS codepoint) used to mark packets to select a
      per-hop behavior, and

   o  the particular node implementation mechanisms which realize a
      per-hop behavior.

   Service provisioning and traffic conditioning policies are
   sufficiently decoupled from the forwarding behaviors within the
   network interior to permit implementation of a wide variety of
   service behaviors, with room for future expansion.

   This architecture only provides service differentiation in one
   direction of traffic flow and is therefore asymmetric.  Development
   of a complementary symmetric architecture is a topic of current
   research but is outside the scope of this document; see for example

   Sect. 1.2 is a glossary of terms used within this document.  Sec. 1.3
   lists requirements addressed by this architecture, and Sec. 1.4
   provides a brief comparison to other approaches for service
   differentiation.  Sec. 2 discusses the components of the architecture

Blake, et. al.               Informational                      [Page 3]

RFC 2475        Architecture for Differentiated Services   December 1998

   in detail.  Sec. 3 proposes guidelines for per-hop behavior
   specifications.  Sec. 4 discusses interoperability issues with nodes
   and networks which do not implement differentiated services as
   defined in this document and in [DSFIELD].  Sec. 5 discusses issues
   with multicast service delivery.  Sec. 6 addresses security and
   tunnel considerations.

1.2  Terminology

   This section gives a general conceptual overview of the terms used in
   this document.  Some of these terms are more precisely defined in
   later sections of this document.

   Behavior Aggregate (BA)   a DS behavior aggregate.

   BA classifier             a classifier that selects packets based
                             only on the contents of the DS field.

   Boundary link             a link connecting the edge nodes of two

   Classifier                an entity which selects packets based on
                             the content of packet headers according to
                             defined rules.

   DS behavior aggregate     a collection of packets with the same DS
                             codepoint crossing a link in a particular

   DS boundary node          a DS node that connects one DS domain to a
                             node either in another DS domain or in a
                             domain that is not DS-capable.

   DS-capable                capable of implementing differentiated
                             services as described in this architecture;
                             usually used in reference to a domain
                             consisting of DS-compliant nodes.

   DS codepoint              a specific value of the DSCP portion of the
                             DS field, used to select a PHB.

   DS-compliant              enabled to support differentiated services
                             functions and behaviors as defined in
                             [DSFIELD], this document, and other
                             differentiated services documents; usually
                             used in reference to a node or device.

Blake, et. al.               Informational                      [Page 4]

RFC 2475        Architecture for Differentiated Services   December 1998

   DS domain                 a DS-capable domain; a contiguous set of
                             nodes which operate with a common set of
                             service provisioning policies and PHB

   DS egress node            a DS boundary node in its role in handling
                             traffic as it leaves a DS domain.

   DS ingress node           a DS boundary node in its role in handling
                             traffic as it enters a DS domain.

   DS interior node          a DS node that is not a DS boundary node.

   DS field                  the IPv4 header TOS octet or the IPv6
                             Traffic Class octet when interpreted in
                             conformance with the definition given in
                             [DSFIELD].  The bits of the DSCP field
                             encode the DS codepoint, while the
                             remaining bits are currently unused.

   DS node                   a DS-compliant node.

   DS region                 a set of contiguous DS domains which can
                             offer differentiated services over paths
                             across those DS domains.

   Downstream DS domain      the DS domain downstream of traffic flow on
                             a boundary link.

   Dropper                   a device that performs dropping.

   Dropping                  the process of discarding packets based on
                             specified rules; policing.

   Legacy node               a node which implements IPv4 Precedence as
                             defined in [RFC791,RFC1812] but which is
                             otherwise not DS-compliant.

   Marker                    a device that performs marking.

   Marking                   the process of setting the DS codepoint in
                             a packet based on defined rules; pre-
                             marking, re-marking.

   Mechanism                 a specific algorithm or operation (e.g.,
                             queueing discipline) that is implemented in
                             a node to realize a set of one or more per-
                             hop behaviors.

Blake, et. al.               Informational                      [Page 5]

RFC 2475        Architecture for Differentiated Services   December 1998

   Meter                     a device that performs metering.

   Metering                  the process of measuring the temporal
                             properties (e.g., rate) of a traffic stream
                             selected by a classifier.  The
                             instantaneous state of this process may be
                             used to affect the operation of a marker,
                             shaper, or dropper, and/or may be used for
                             accounting and measurement purposes.

   Microflow                 a single instance of an application-to-
                             application flow of packets which is
                             identified by source address, source port,
                             destination address, destination port and
                             protocol id.

   MF Classifier             a multi-field (MF) classifier which selects
                             packets based on the content of some
                             arbitrary number of header fields;
                             typically some combination of source
                             address, destination address, DS field,
                             protocol ID, source port and destination

   Per-Hop-Behavior (PHB)    the externally observable forwarding
                             behavior applied at a DS-compliant node to
                             a DS behavior aggregate.

   PHB group                 a set of one or more PHBs that can only be
                             meaningfully specified and implemented
                             simultaneously, due to a common constraint
                             applying to all PHBs in the set such as a
                             queue servicing or queue management policy.
                             A PHB group provides a service building
                             block that allows a set of related
                             forwarding behaviors to be specified
                             together (e.g., four dropping priorities).
                             A single PHB is a special case of a PHB

   Policing                  the process of discarding packets (by a
                             dropper) within a traffic stream in
                             accordance with the state of a
                             corresponding meter enforcing a traffic

   Pre-mark                  to set the DS codepoint of a packet prior
                             to entry into a downstream DS domain.

Blake, et. al.               Informational                      [Page 6]

RFC 2475        Architecture for Differentiated Services   December 1998

   Provider DS domain        the DS-capable provider of services to a
                             source domain.

   Re-mark                   to change the DS codepoint of a packet,
                             usually performed by a marker in accordance
                             with a TCA.

   Service                   the overall treatment of a defined subset
                             of a customer's traffic within a DS domain
                             or end-to-end.

   Service Level Agreement   a service contract between a customer and a
   (SLA)                     service provider that specifies the
                             forwarding service a customer should
                             receive.  A customer may be a user
                             organization (source domain) or another DS
                             domain (upstream domain).  A SLA may
                             include traffic conditioning rules which
                             constitute a TCA in whole or in part.

   Service Provisioning      a policy which defines how traffic
   Policy                    conditioners are configured on DS boundary
                             nodes and how traffic streams are mapped to
                             DS behavior aggregates to achieve a range
                             of services.

   Shaper                    a device that performs shaping.

   Shaping                   the process of delaying packets within a
                             traffic stream to cause it to conform to
                             some defined traffic profile.

   Source domain             a domain which contains the node(s)
                             originating the traffic receiving a
                             particular service.

   Traffic conditioner       an entity which performs traffic
                             conditioning functions and which may
                             contain meters, markers, droppers, and
                             shapers. Traffic conditioners are typically
                             deployed in DS boundary nodes only.  A
                             traffic conditioner may re-mark a traffic
                             stream or may discard or shape packets to
                             alter the temporal characteristics of the
                             stream and bring it into compliance with a
                             traffic profile.

Blake, et. al.               Informational                      [Page 7]

RFC 2475        Architecture for Differentiated Services   December 1998

   Traffic conditioning      control functions performed to enforce
                             rules specified in a TCA, including
                             metering, marking, shaping, and policing.

   Traffic Conditioning      an agreement specifying classifier rules
   Agreement (TCA)           and any corresponding traffic profiles and
                             metering, marking, discarding and/or
                             shaping rules which are to apply to the
                             traffic streams selected by the classifier.
                             A TCA encompasses all of the traffic
                             conditioning rules explicitly specified
                             within a SLA along with all of the rules
                             implicit from the relevant service
                             requirements and/or from a DS domain's
                             service provisioning policy.

   Traffic profile           a description of the temporal properties
                             of a traffic stream such as rate and burst

   Traffic stream            an administratively significant set of one
                             or more microflows which traverse a path
                             segment.  A traffic stream may consist of
                             the set of active microflows which are
                             selected by a particular classifier.

   Upstream DS domain        the DS domain upstream of traffic flow on a
                             boundary link.

1.3  Requirements

   The history of the Internet has been one of continuous growth in the
   number of hosts, the number and variety of applications, and the
   capacity of the network infrastructure, and this growth is expected
   to continue for the foreseeable future.  A scalable architecture for
   service differentiation must be able to accommodate this continued

   The following requirements were identified and are addressed in this

   o  should accommodate a wide variety of services and provisioning
      policies, extending end-to-end or within a particular (set of)

   o  should allow decoupling of the service from the particular
      application in use,

Blake, et. al.               Informational                      [Page 8]

RFC 2475        Architecture for Differentiated Services   December 1998

   o  should work with existing applications without the need for
      application programming interface changes or host software
      modifications (assuming suitable deployment of classifiers,
      markers, and other traffic conditioning functions),

   o  should decouple traffic conditioning and service provisioning
      functions from forwarding behaviors implemented within the core
      network nodes,

   o  should not depend on hop-by-hop application signaling,

   o  should require only a small set of forwarding behaviors whose
      implementation complexity does not dominate the cost of a network
      device, and which will not introduce bottlenecks for future high-
      speed system implementations,

   o  should avoid per-microflow or per-customer state within core
      network nodes,

   o  should utilize only aggregated classification state within the
      network core,

   o  should permit simple packet classification implementations in core
      network nodes (BA classifier),

   o  should permit reasonable interoperability with non-DS-compliant
      network nodes,

   o  should accommodate incremental deployment.

1.4  Comparisons with Other Approaches

   The differentiated services architecture specified in this document
   can be contrasted with other existing models of service
   differentiation.  We classify these alternative models into the
   following categories: relative priority marking, service marking,
   label switching, Integrated Services/RSVP, and static per-hop

   Examples of the relative priority marking model include IPv4
   Precedence marking as defined in [RFC791], 802.5 Token Ring priority
   [TR], and the default interpretation of 802.1p traffic classes
   [802.1p].  In this model the application, host, or proxy node selects
   a relative priority or "precedence" for a packet (e.g., delay or
   discard priority), and the network nodes along the transit path apply
   the appropriate priority forwarding behavior corresponding to the
   priority value within the packet's header.  Our architecture can be
   considered as a refinement to this model, since we more clearly

Blake, et. al.               Informational                      [Page 9]

RFC 2475        Architecture for Differentiated Services   December 1998

   specify the role and importance of boundary nodes and traffic
   conditioners, and since our per-hop behavior model permits more
   general forwarding behaviors than relative delay or discard priority.

   An example of a service marking model is IPv4 TOS as defined in
   [RFC1349].  In this example each packet is marked with a request for
   a "type of service", which may include "minimize delay", "maximize
   throughput", "maximize reliability", or "minimize cost".  Network
   nodes may select routing paths or forwarding behaviors which are
   suitably engineered to satisfy the service request.  This model is
   subtly different from our architecture.  Note that we do not describe
   the use of the DS field as an input to route selection.  The TOS
   markings defined in [RFC1349] are very generic and do not span the
   range of possible service semantics.  Furthermore, the service
   request is associated with each individual packet, whereas some
   service semantics may depend on the aggregate forwarding behavior of
   a sequence of packets.  The service marking model does not easily
   accommodate growth in the number and range of future services (since
   the codepoint space is small) and involves configuration of the
   "TOS->forwarding behavior" association in each core network node.
   Standardizing service markings implies standardizing service
   offerings, which is outside the scope of the IETF.  Note that
   provisions are made in the allocation of the DS codepoint space to
   allow for locally significant codepoints which may be used by a
   provider to support service marking semantics [DSFIELD].

   Examples of the label switching (or virtual circuit) model include
   Frame Relay, ATM, and MPLS [FRELAY, ATM].  In this model path
   forwarding state and traffic management or QoS state is established
   for traffic streams on each hop along a network path.  Traffic
   aggregates of varying granularity are associated with a label
   switched path at an ingress node, and packets/cells within each label
   switched path are marked with a forwarding label that is used to
   lookup the next-hop node, the per-hop forwarding behavior, and the
   replacement label at each hop.  This model permits finer granularity
   resource allocation to traffic streams, since label values are not
   globally significant but are only significant on a single link;
   therefore resources can be reserved for the aggregate of packets/
   cells received on a link with a particular label, and the label
   switching semantics govern the next-hop selection, allowing a traffic
   stream to follow a specially engineered path through the network.
   This improved granularity comes at the cost of additional management
   and configuration requirements to establish and maintain the label
   switched paths.  In addition, the amount of forwarding state
   maintained at each node scales in proportion to the number of edge
   nodes of the network in the best case (assuming multipoint-to-point

Blake, et. al.               Informational                     [Page 10]

RFC 2475        Architecture for Differentiated Services   December 1998

   label switched paths), and it scales in proportion with the square of
   the number of edge nodes in the worst case, when edge-edge label
   switched paths with provisioned resources are employed.

   The Integrated Services/RSVP model relies upon traditional datagram
   forwarding in the default case, but allows sources and receivers to
   exchange signaling messages which establish additional packet
   classification and forwarding state on each node along the path
   between them [RFC1633, RSVP].  In the absence of state aggregation,
   the amount of state on each node scales in proportion to the number
   of concurrent reservations, which can be potentially large on high-
   speed links.  This model also requires application support for the
   RSVP signaling protocol.  Differentiated services mechanisms can be
   utilized to aggregate Integrated Services/RSVP state in the core of
   the network [Bernet].

   A variant of the Integrated Services/RSVP model eliminates the
   requirement for hop-by-hop signaling by utilizing only "static"
   classification and forwarding policies which are implemented in each
   node along a network path.  These policies are updated on
   administrative timescales and not in response to the instantaneous
   mix of microflows active in the network.  The state requirements for
   this variant are potentially worse than those encountered when RSVP
   is used, especially in backbone nodes, since the number of static
   policies that might be applicable at a node over time may be larger
   than the number of active sender-receiver sessions that might have
   installed reservation state on a node.  Although the support of large
   numbers of classifier rules and forwarding policies may be
   computationally feasible, the management burden associated with
   installing and maintaining these rules on each node within a backbone
   network which might be traversed by a traffic stream is substantial.

   Although we contrast our architecture with these alternative models
   of service differentiation, it should be noted that links and nodes
   employing these techniques may be utilized to extend differentiated
   services behaviors and semantics across a layer-2 switched
   infrastructure (e.g., 802.1p LANs, Frame Relay/ATM backbones)
   interconnecting DS nodes, and in the case of MPLS may be used as an
   alternative intra-domain implementation technology.  The constraints
   imposed by the use of a specific link-layer technology in particular
   regions of a DS domain (or in a network providing access to DS
   domains) may imply the differentiation of traffic on a coarser grain
   basis.  Depending on the mapping of PHBs to different link-layer
   services and the way in which packets are scheduled over a restricted
   set of priority classes (or virtual circuits of different category
   and capacity), all or a subset of the PHBs in use may be supportable
   (or may be indistinguishable).

Blake, et. al.               Informational                     [Page 11]

RFC 2475        Architecture for Differentiated Services   December 1998

2.  Differentiated Services Architectural Model

   The differentiated services architecture is based on a simple model
   where traffic entering a network is classified and possibly
   conditioned at the boundaries of the network, and assigned to
   different behavior aggregates.  Each behavior aggregate is identified
   by a single DS codepoint.  Within the core of the network, packets
   are forwarded according to the per-hop behavior associated with the
   DS codepoint.  In this section, we discuss the key components within
   a differentiated services region, traffic classification and
   conditioning functions, and how differentiated services are achieved
   through the combination of traffic conditioning and PHB-based

2.1  Differentiated Services Domain

   A DS domain is a contiguous set of DS nodes which operate with a
   common service provisioning policy and set of PHB groups implemented
   on each node.  A DS domain has a well-defined boundary consisting of
   DS boundary nodes which classify and possibly condition ingress
   traffic to ensure that packets which transit the domain are
   appropriately marked to select a PHB from one of the PHB groups
   supported within the domain.  Nodes within the DS domain select the
   forwarding behavior for packets based on their DS codepoint, mapping
   that value to one of the supported PHBs using either the recommended
   codepoint->PHB mapping or a locally customized mapping [DSFIELD].
   Inclusion of non-DS-compliant nodes within a DS domain may result in
   unpredictable performance and may impede the ability to satisfy
   service level agreements (SLAs).

   A DS domain normally consists of one or more networks under the same
   administration; for example, an organization's intranet or an ISP.
   The administration of the domain is responsible for ensuring that
   adequate resources are provisioned and/or reserved to support the
   SLAs offered by the domain.

2.1.1  DS Boundary Nodes and Interior Nodes

   A DS domain consists of DS boundary nodes and DS interior nodes.  DS
   boundary nodes interconnect the DS domain to other DS or non-DS-
   capable domains, whilst DS interior nodes only connect to other DS
   interior or boundary nodes within the same DS domain.

   Both DS boundary nodes and interior nodes must be able to apply the
   appropriate PHB to packets based on the DS codepoint; otherwise
   unpredictable behavior may result.  In addition, DS boundary nodes
   may be required to perform traffic conditioning functions as defined
   by a traffic conditioning agreement (TCA) between their DS domain and

Blake, et. al.               Informational                     [Page 12]

RFC 2475        Architecture for Differentiated Services   December 1998

   the peering domain which they connect to (see Sec. 2.3.3).

   Interior nodes may be able to perform limited traffic conditioning
   functions such as DS codepoint re-marking.  Interior nodes which
   implement more complex classification and traffic conditioning
   functions are analogous to DS boundary nodes (see Sec.

   A host in a network containing a DS domain may act as a DS boundary
   node for traffic from applications running on that host; we therefore
   say that the host is within the DS domain.  If a host does not act as
   a boundary node, then the DS node topologically closest to that host
   acts as the DS boundary node for that host's traffic.

2.1.2  DS Ingress Node and Egress Node

   DS boundary nodes act both as a DS ingress node and as a DS egress
   node for different directions of traffic.  Traffic enters a DS domain
   at a DS ingress node and leaves a DS domain at a DS egress node.  A
   DS ingress node is responsible for ensuring that the traffic entering
   the DS domain conforms to any TCA between it and the other domain to
   which the ingress node is connected.  A DS egress node may perform
   traffic conditioning functions on traffic forwarded to a directly
   connected peering domain, depending on the details of the TCA between
   the two domains.  Note that a DS boundary node may act as a DS
   interior node for some set of interfaces.

2.2  Differentiated Services Region

   A differentiated services region (DS Region) is a set of one or more
   contiguous DS domains.  DS regions are capable of supporting
   differentiated services along paths which span the domains within the

   The DS domains in a DS region may support different PHB groups
   internally and different codepoint->PHB mappings.  However, to permit
   services which span across the domains, the peering DS domains must
   each establish a peering SLA which defines (either explicitly or
   implicitly) a TCA which specifies how transit traffic from one DS
   domain to another is conditioned at the boundary between the two DS

   It is possible that several DS domains within a DS region may adopt a
   common service provisioning policy and may support a common set of
   PHB groups and codepoint mappings, thus eliminating the need for
   traffic conditioning between those DS domains.

Blake, et. al.               Informational                     [Page 13]

RFC 2475        Architecture for Differentiated Services   December 1998

2.3  Traffic Classification and Conditioning

   Differentiated services are extended across a DS domain boundary by
   establishing a SLA between an upstream network and a downstream DS
   domain.  The SLA may specify packet classification and re-marking
   rules and may also specify traffic profiles and actions to traffic
   streams which are in- or out-of-profile (see Sec. 2.3.2).  The TCA
   between the domains is derived (explicitly or implicitly) from this

   The packet classification policy identifies the subset of traffic
   which may receive a differentiated service by being conditioned and/
   or mapped to one or more behavior aggregates (by DS codepoint re-
   marking) within the DS domain.

   Traffic conditioning performs metering, shaping, policing and/or re-
   marking to ensure that the traffic entering the DS domain conforms to
   the rules specified in the TCA, in accordance with the domain's
   service provisioning policy.  The extent of traffic conditioning
   required is dependent on the specifics of the service offering, and
   may range from simple codepoint re-marking to complex policing and
   shaping operations.  The details of traffic conditioning policies
   which are negotiated between networks is outside the scope of this

2.3.1  Classifiers

   Packet classifiers select packets in a traffic stream based on the
   content of some portion of the packet header.  We define two types of
   classifiers.  The BA (Behavior Aggregate) Classifier classifies
   packets based on the DS codepoint only.  The MF (Multi-Field)
   classifier selects packets based on the value of a combination of one
   or more header fields, such as source address, destination address,
   DS field, protocol ID, source port and destination port numbers, and
   other information such as incoming interface.

   Classifiers are used to "steer" packets matching some specified rule
   to an element of a traffic conditioner for further processing.
   Classifiers must be configured by some management procedure in
   accordance with the appropriate TCA.

   The classifier should authenticate the information which it uses to
   classify the packet (see Sec. 6).

   Note that in the event of upstream packet fragmentation, MF
   classifiers which examine the contents of transport-layer header
   fields may incorrectly classify packet fragments subsequent to the
   first.  A possible solution to this problem is to maintain

Blake, et. al.               Informational                     [Page 14]

RFC 2475        Architecture for Differentiated Services   December 1998

   fragmentation state; however, this is not a general solution due to
   the possibility of upstream fragment re-ordering or divergent routing
   paths.  The policy to apply to packet fragments is outside the scope
   of this document.

2.3.2  Traffic Profiles

   A traffic profile specifies the temporal properties of a traffic
   stream selected by a classifier.  It provides rules for determining
   whether a particular packet is in-profile or out-of-profile.  For
   example, a profile based on a token bucket may look like:

     codepoint=X, use token-bucket r, b

   The above profile indicates that all packets marked with DS codepoint
   X should be measured against a token bucket meter with rate r and
   burst size b.  In this example out-of-profile packets are those
   packets in the traffic stream which arrive when insufficient tokens
   are available in the bucket.  The concept of in- and out-of-profile
   can be extended to more than two levels, e.g., multiple levels of
   conformance with a profile may be defined and enforced.

   Different conditioning actions may be applied to the in-profile
   packets and out-of-profile packets, or different accounting actions
   may be triggered.  In-profile packets may be allowed to enter the DS
   domain without further conditioning; or, alternatively, their DS
   codepoint may be changed.  The latter happens when the DS codepoint
   is set to a non-Default value for the first time [DSFIELD], or when
   the packets enter a DS domain that uses a different PHB group or
   codepoint->PHB mapping policy for this traffic stream.  Out-of-
   profile packets may be queued until they are in-profile (shaped),
   discarded (policed), marked with a new codepoint (re-marked), or
   forwarded unchanged while triggering some accounting procedure.
   Out-of-profile packets may be mapped to one or more behavior
   aggregates that are "inferior" in some dimension of forwarding
   performance to the BA into which in-profile packets are mapped.

   Note that a traffic profile is an optional component of a TCA and its
   use is dependent on the specifics of the service offering and the
   domain's service provisioning policy.

2.3.3  Traffic Conditioners

   A traffic conditioner may contain the following elements: meter,
   marker, shaper, and dropper.  A traffic stream is selected by a
   classifier, which steers the packets to a logical instance of a
   traffic conditioner.  A meter is used (where appropriate) to measure
   the traffic stream against a traffic profile.  The state of the meter

Blake, et. al.               Informational                     [Page 15]

RFC 2475        Architecture for Differentiated Services   December 1998

   with respect to a particular packet (e.g., whether it is in- or out-
   of-profile) may be used to affect a marking, dropping, or shaping

   When packets exit the traffic conditioner of a DS boundary node the
   DS codepoint of each packet must be set to an appropriate value.

   Fig. 1 shows the block diagram of a classifier and traffic
   conditioner.  Note that a traffic conditioner may not necessarily
   contain all four elements.  For example, in the case where no traffic
   profile is in effect, packets may only pass through a classifier and
   a marker.

                               |       |-------------------+
                        +----->| Meter |                   |
                        |      |       |--+                |
                        |      +-------+  |                |
                        |                 V                V
                  +------------+      +--------+      +---------+
                  |            |      |        |      | Shaper/ |
    packets =====>| Classifier |=====>| Marker |=====>| Dropper |=====>
                  |            |      |        |      |         |
                  +------------+      +--------+      +---------+

   Fig. 1: Logical View of a Packet Classifier and Traffic Conditioner  Meters

   Traffic meters measure the temporal properties of the stream of
   packets selected by a classifier against a traffic profile specified
   in a TCA.  A meter passes state information to other conditioning
   functions to trigger a particular action for each packet which is
   either in- or out-of-profile (to some extent).  Markers

   Packet markers set the DS field of a packet to a particular
   codepoint, adding the marked packet to a particular DS behavior
   aggregate.  The marker may be configured to mark all packets which
   are steered to it to a single codepoint, or may be configured to mark
   a packet to one of a set of codepoints used to select a PHB in a PHB
   group, according to the state of a meter.  When the marker changes
   the codepoint in a packet it is said to have "re-marked" the packet.

Blake, et. al.               Informational                     [Page 16]

RFC 2475        Architecture for Differentiated Services   December 1998  Shapers

   Shapers delay some or all of the packets in a traffic stream in order
   to bring the stream into compliance with a traffic profile.  A shaper
   usually has a finite-size buffer, and packets may be discarded if
   there is not sufficient buffer space to hold the delayed packets.  Droppers

   Droppers discard some or all of the packets in a traffic stream in
   order to bring the stream into compliance with a traffic profile.
   This process is know as "policing" the stream.  Note that a dropper
   can be implemented as a special case of a shaper by setting the
   shaper buffer size to zero (or a few) packets.

2.3.4  Location of Traffic Conditioners and MF Classifiers

   Traffic conditioners are usually located within DS ingress and egress
   boundary nodes, but may also be located in nodes within the interior
   of a DS domain, or within a non-DS-capable domain.  Within the Source Domain

   We define the source domain as the domain containing the node(s)
   which originate the traffic receiving a particular service.  Traffic
   sources and intermediate nodes within a source domain may perform
   traffic classification and conditioning functions.  The traffic
   originating from the source domain across a boundary may be marked by
   the traffic sources directly or by intermediate nodes before leaving
   the source domain.  This is referred to as initial marking or "pre-

   Consider the example of a company that has the policy that its CEO's
   packets should have higher priority.  The CEO's host may mark the DS
   field of all outgoing packets with a DS codepoint that indicates
   "higher priority".  Alternatively, the first-hop router directly
   connected to the CEO's host may classify the traffic and mark the
   CEO's packets with the correct DS codepoint.  Such high priority
   traffic may also be conditioned near the source so that there is a
   limit on the amount of high priority traffic forwarded from a
   particular source.

   There are some advantages to marking packets close to the traffic
   source.  First, a traffic source can more easily take an
   application's preferences into account when deciding which packets
   should receive better forwarding treatment.  Also, classification of

Blake, et. al.               Informational                     [Page 17]

RFC 2475        Architecture for Differentiated Services   December 1998

   packets is much simpler before the traffic has been aggregated with
   packets from other sources, since the number of classification rules
   which need to be applied within a single node is reduced.

   Since packet marking may be distributed across multiple nodes, the
   source DS domain is responsible for ensuring that the aggregated
   traffic towards its provider DS domain conforms to the appropriate
   TCA.  Additional allocation mechanisms such as bandwidth brokers or
   RSVP may be used to dynamically allocate resources for a particular
   DS behavior aggregate within the provider's network [2BIT, Bernet].
   The boundary node of the source domain should also monitor
   conformance to the TCA, and may police, shape, or re-mark packets as
   necessary.  At the Boundary of a DS Domain

   Traffic streams may be classified, marked, and otherwise conditioned
   on either end of a boundary link (the DS egress node of the upstream
   domain or the DS ingress node of the downstream domain).  The SLA
   between the domains should specify which domain has responsibility
   for mapping traffic streams to DS behavior aggregates and
   conditioning those aggregates in conformance with the appropriate
   TCA.  However, a DS ingress node must assume that the incoming
   traffic may not conform to the TCA and must be prepared to enforce
   the TCA in accordance with local policy.

   When packets are pre-marked and conditioned in the upstream domain,
   potentially fewer classification and traffic conditioning rules need
   to be supported in the downstream DS domain.  In this circumstance
   the downstream DS domain may only need to re-mark or police the
   incoming behavior aggregates to enforce the TCA.  However, more
   sophisticated services which are path- or source-dependent may
   require MF classification in the downstream DS domain's ingress

   If a DS ingress node is connected to an upstream non-DS-capable
   domain, the DS ingress node must be able to perform all necessary
   traffic conditioning functions on the incoming traffic.  In non-DS-Capable Domains

   Traffic sources or intermediate nodes in a non-DS-capable domain may
   employ traffic conditioners to pre-mark traffic before it reaches the
   ingress of a downstream DS domain.  In this way the local policies
   for classification and marking may be concealed.

Blake, et. al.               Informational                     [Page 18]

RFC 2475        Architecture for Differentiated Services   December 1998  In Interior DS Nodes

   Although the basic architecture assumes that complex classification
   and traffic conditioning functions are located only in a network's
   ingress and egress boundary nodes, deployment of these functions in
   the interior of the network is not precluded.  For example, more
   restrictive access policies may be enforced on a transoceanic link,
   requiring MF classification and traffic conditioning functionality in
   the upstream node on the link.  This approach may have scaling
   limits, due to the potentially large number of classification and
   conditioning rules that might need to be maintained.

2.4  Per-Hop Behaviors

   A per-hop behavior (PHB) is a description of the externally
   observable forwarding behavior of a DS node applied to a particular
   DS behavior aggregate.  "Forwarding behavior" is a general concept in
   this context.  For example, in the event that only one behavior
   aggregate occupies a link, the observable forwarding behavior (i.e.,
   loss, delay, jitter) will often depend only on the relative loading
   of the link (i.e., in the event that the behavior assumes a work-
   conserving scheduling discipline).  Useful behavioral distinctions
   are mainly observed when multiple behavior aggregates compete for
   buffer and bandwidth resources on a node.  The PHB is the means by
   which a node allocates resources to behavior aggregates, and it is on
   top of this basic hop-by-hop resource allocation mechanism that
   useful differentiated services may be constructed.

   The most simple example of a PHB is one which guarantees a minimal
   bandwidth allocation of X% of a link (over some reasonable time
   interval) to a behavior aggregate.  This PHB can be fairly easily
   measured under a variety of competing traffic conditions.  A slightly
   more complex PHB would guarantee a minimal bandwidth allocation of X%
   of a link, with proportional fair sharing of any excess link
   capacity.  In general, the observable behavior of a PHB may depend on
   certain constraints on the traffic characteristics of the associated
   behavior aggregate, or the characteristics of other behavior

   PHBs may be specified in terms of their resource (e.g., buffer,
   bandwidth) priority relative to other PHBs, or in terms of their
   relative observable traffic characteristics (e.g., delay, loss).
   These PHBs may be used as building blocks to allocate resources and
   should be specified as a group (PHB group) for consistency.  PHB
   groups will usually share a common constraint applying to each PHB
   within the group, such as a packet scheduling or buffer management
   policy.  The relationship between PHBs in a group may be in terms of
   absolute or relative priority (e.g., discard priority by means of

Blake, et. al.               Informational                     [Page 19]

RFC 2475        Architecture for Differentiated Services   December 1998

   deterministic or stochastic thresholds), but this is not required
   (e.g., N equal link shares).  A single PHB defined in isolation is a
   special case of a PHB group.

   PHBs are implemented in nodes by means of some buffer management and
   packet scheduling mechanisms.  PHBs are defined in terms of behavior
   characteristics relevant to service provisioning policies, and not in
   terms of particular implementation mechanisms.  In general, a variety
   of implementation mechanisms may be suitable for implementing a
   particular PHB group.  Furthermore, it is likely that more than one
   PHB group may be implemented on a node and utilized within a domain.
   PHB groups should be defined such that the proper resource allocation
   between groups can be inferred, and integrated mechanisms can be
   implemented which can simultaneously support two or more groups.  A
   PHB group definition should indicate possible conflicts with
   previously documented PHB groups which might prevent simultaneous

   As described in [DSFIELD], a PHB is selected at a node by a mapping
   of the DS codepoint in a received packet.  Standardized PHBs have a
   recommended codepoint.  However, the total space of codepoints is
   larger than the space available for recommended codepoints for
   standardized PHBs, and [DSFIELD] leaves provisions for locally
   configurable mappings.  A codepoint->PHB mapping table may contain
   both 1->1 and N->1 mappings.  All codepoints must be mapped to some
   PHB; in the absence of some local policy, codepoints which are not
   mapped to a standardized PHB in accordance with that PHB's
   specification should be mapped to the Default PHB.

2.5  Network Resource Allocation

   The implementation, configuration, operation and administration of
   the supported PHB groups in the nodes of a DS Domain should
   effectively partition the resources of those nodes and the inter-node
   links between behavior aggregates, in accordance with the domain's
   service provisioning policy.  Traffic conditioners can further
   control the usage of these resources through enforcement of TCAs and
   possibly through operational feedback from the nodes and traffic
   conditioners in the domain.  Although a range of services can be
   deployed in the absence of complex traffic conditioning functions
   (e.g., using only static marking policies), functions such as
   policing, shaping, and dynamic re-marking enable the deployment of
   services providing quantitative performance metrics.

   The configuration of and interaction between traffic conditioners and
   interior nodes should be managed by the administrative control of the
   domain and may require operational control through protocols and a
   control entity.  There is a wide range of possible control models.

Blake, et. al.               Informational                     [Page 20]

RFC 2475        Architecture for Differentiated Services   December 1998

   The precise nature and implementation of the interaction between
   these components is outside the scope of this architecture.  However,
   scalability requires that the control of the domain does not require
   micro-management of the network resources.  The most scalable control
   model would operate nodes in open-loop in the operational timeframe,
   and would only require administrative-timescale management as SLAs
   are varied.  This simple model may be unsuitable in some
   circumstances, and some automated but slowly varying operational
   control (minutes rather than seconds) may be desirable to balance the
   utilization of the network against the recent load profile.

3.  Per-Hop Behavior Specification Guidelines

   Basic requirements for per-hop behavior standardization are given in
   [DSFIELD].  This section elaborates on that text by describing
   additional guidelines for PHB (group) specifications.  This is
   intended to help foster implementation consistency.  Before a PHB
   group is proposed for standardization it should satisfy these
   guidelines, as appropriate, to preserve the integrity of this

   G.1:  A PHB standard must specify a recommended DS codepoint selected
   from the codepoint space reserved for standard mappings [DSFIELD].
   Recommended codepoints will be assigned by the IANA.  A PHB proposal
   may recommend a temporary codepoint from the EXP/LU space to
   facilitate inter-domain experimentation.  Determination of a packet's
   PHB must not require inspection of additional packet header fields
   beyond the DS field.

   G.2:  The specification of each newly proposed PHB group should
   include an overview of the behavior and the purpose of the behavior
   being proposed.  The overview should include a problem or problems
   statement for which the PHB group is targeted.  The overview should
   include the basic concepts behind the PHB group.  These concepts
   should include, but are not restricted to, queueing behavior, discard
   behavior, and output link selection behavior.  Lastly, the overview
   should specify the method by which the PHB group solves the problem
   or problems specified in the problem statement.

   G.3:  A PHB group specification should indicate the number of
   individual PHBs specified.  In the event that multiple PHBs are
   specified, the interactions between these PHBs and constraints that
   must be respected globally by all the PHBs within the group should be
   clearly specified.  As an example, the specification must indicate
   whether the probability of packet reordering within a microflow is
   increased if different packets in that microflow are marked for
   different PHBs within the group.

Blake, et. al.               Informational                     [Page 21]

RFC 2475        Architecture for Differentiated Services   December 1998

   G.4:  When proper functioning of a PHB group is dependent on
   constraints such as a provisioning restriction, then the PHB
   definition should describe the behavior when these constraints are
   violated.  Further, if actions such as packet discard or re-marking
   are required when these constraints are violated, then these actions
   should be specifically stipulated.

   G.5:  A PHB group may be specified for local use within a domain in
   order to provide some domain-specific functionality or domain-
   specific services.  In this event, the PHB specification is useful
   for providing vendors with a consistent definition of the PHB group.
   However, any PHB group which is defined for local use should not be
   considered for standardization, but may be published as an
   Informational RFC.  In contrast, a PHB group which is intended for
   general use will follow a stricter standardization process.
   Therefore all PHB proposals should specifically state whether they
   are to be considered for general or local use.

   It is recognized that PHB groups can be designed with the intent of
   providing host-to-host, WAN edge-to-WAN edge, and/or domain edge-to-
   domain edge services.  Use of the term "end-to-end" in a PHB
   definition should be interpreted to mean "host-to-host" for

   Other PHB groups may be defined and deployed locally within domains,
   for experimental or operational purposes.  There is no requirement
   that these PHB groups must be publicly documented, but they should
   utilize DS codepoints from one of the EXP/LU pools as defined in

   G.6:  It may be possible or appropriate for a packet marked for a PHB
   within a PHB group to be re-marked to select another PHB within the
   group; either within a domain or across a domain boundary.  Typically
   there are three reasons for such PHB modification:

   a. The codepoints associated with the PHB group are collectively
      intended to carry state about the network,
   b. Conditions exist which require PHB promotion or demotion of a
      packet (this assumes that PHBs within the group can be ranked in
      some order),
   c. The boundary between two domains is not covered by a SLA.  In this
      case the codepoint/PHB to select when crossing the boundary link
      will be determined by the local policy of the upstream domain.

   A PHB specification should clearly state the circumstances under
   which packets marked for a PHB within a PHB group may, or should be
   modified (e.g., promoted or demoted) to another PHB within the group.
   If it is undesirable for a packet's PHB to be modified, the

Blake, et. al.               Informational                     [Page 22]

RFC 2475        Architecture for Differentiated Services   December 1998

   specification should clearly state the consequent risks when the PHB
   is modified.   A possible risk to changing a packet's PHB, either
   within or outside a PHB group, is a higher probability of packet re-
   ordering within a microflow.  PHBs within a group may carry some
   host-to-host, WAN edge-to-WAN edge, and/or domain edge-to-domain edge
   semantics which may be difficult to duplicate if packets are re-
   marked to select another PHB from the group (or otherwise).

   For certain PHB groups, it may be appropriate to reflect a state
   change in the node by re-marking packets to specify another PHB from
   within the group.  If a PHB group is designed to reflect the state of
   a network, the PHB definition must adequately describe the
   relationship between the PHBs and the states they reflect.  Further,
   if these PHBs limit the forwarding actions a node can perform in some
   way, these constraints may be specified as actions the node should,
   or must perform.

   G.7:  A PHB group specification should include a section defining the
   implications of tunneling on the utility of the PHB group.  This
   section should specify the implications for the utility of the PHB
   group of a newly created outer header when the original DS field of
   the inner header is encapsulated in a tunnel.  This section should
   also discuss what possible changes should be applied to the inner
   header at the egress of the tunnel, when both the codepoints from the
   inner header and the outer header are accessible (see Sec. 6.2).

   G.8:  The process of specifying PHB groups is likely to be
   incremental in nature.  When new PHB groups are proposed, their known
   interactions with previously specified PHB groups should be
   documented.  When a new PHB group is created, it can be entirely new
   in scope or it can be an extension to an existing PHB group.  If the
   PHB group is entirely independent of some or all of the existing PHB
   specifications, a section should be included in the PHB specification
   which details how the new PHB group can co-exist with those PHB
   groups already standardized.  For example, this section might
   indicate the possibility of packet re-ordering within a microflow for
   packets marked by codepoints associated with two separate PHB groups.
   If concurrent operation of two (or more) different PHB groups in the
   same node is impossible or detrimental this should be stated.  If the
   concurrent operation of two (or more) different PHB groups requires
   some specific behaviors by the node when packets marked for PHBs from
   these different PHB groups are being processed by the node at the
   same time, these behaviors should be stated.

   Care should be taken to avoid circularity in the definitions of PHB

Blake, et. al.               Informational                     [Page 23]

RFC 2475        Architecture for Differentiated Services   December 1998

   If the proposed PHB group is an extension to an existing PHB group, a
   section should be included in the PHB group specification which
   details how this extension interoperates with the behavior being
   extended.  Further, if the extension alters or more narrowly defines
   the existing behavior in some way, this should also be clearly

   G.9:  Each PHB specification should include a section specifying
   minimal conformance requirements for implementations of the PHB
   group.  This conformance section is intended to provide a means for
   specifying the details of a behavior while allowing for
   implementation variation to the extent permitted by the PHB
   specification.  This conformance section can take the form of rules,
   tables, pseudo-code, or tests.

   G.10:  A PHB specification should include a section detailing the
   security implications of the behavior.  This section should include a
   discussion of the re-marking of the inner header's codepoint at the
   egress of a tunnel and its effect on the desired forwarding behavior.

   Further, this section should also discuss how the proposed PHB group
   could be used in denial-of-service attacks, reduction of service
   contract attacks, and service contract violation attacks.  Lastly,
   this section should discuss possible means for detecting such attacks
   as they are relevant to the proposed behavior.

   G.11:  A PHB specification should include a section detailing
   configuration and management issues which may affect the operation of
   the PHB and which may impact candidate services that might utilize
   the PHB.

   G.12:  It is strongly recommended that an appendix be provided with
   each PHB specification that considers the implications of the
   proposed behavior on current and potential services.  These services
   could include but are not restricted to be user-specific, device-
   specific, domain-specific or end-to-end services.  It is also
   strongly recommended that the appendix include a section describing
   how the services are verified by users, devices, and/or domains.

   G.13:  It is recommended that an appendix be provided with each PHB
   specification that is targeted for local use within a domain,
   providing guidance for PHB selection for packets which are forwarded
   into a peer domain which does not support the PHB group.

Blake, et. al.               Informational                     [Page 24]

RFC 2475        Architecture for Differentiated Services   December 1998

   G.14:  It is recommended that an appendix be provided with each PHB
   specification which considers the impact of the proposed PHB group on
   existing higher-layer protocols.  Under some circumstances PHBs may
   allow for possible changes to higher-layer protocols which may
   increase or decrease the utility of the proposed PHB group.

   G.15:  It is recommended that an appendix be provided with each PHB
   specification which recommends mappings to link-layer QoS mechanisms
   to support the intended behavior of the PHB across a shared-medium or
   switched link-layer.  The determination of the most appropriate
   mapping between a PHB and a link-layer QoS mechanism is dependent on
   many factors and is outside the scope of this document; however, the
   specification should attempt to offer some guidance.

4.  Interoperability with Non-Differentiated Services-Compliant Nodes

   We define a non-differentiated services-compliant node (non-DS-
   compliant node) as any node which does not interpret the DS field as
   specified in [DSFIELD] and/or does not implement some or all of the
   standardized PHBs (or those in use within a particular DS domain).
   This may be due to the capabilities or configuration of the node.  We
   define a legacy node as a special case of a non-DS-compliant node
   which implements IPv4 Precedence classification and forwarding as
   defined in [RFC791, RFC1812], but which is otherwise not DS-
   compliant.  The precedence values in the IPv4 TOS octet are
   compatible by intention with the Class Selector Codepoints defined in
   [DSFIELD], and the precedence forwarding behaviors defined in
   [RFC791, RFC1812] comply with the Class Selector PHB Requirements
   also defined in [DSFIELD].  A key distinction between a legacy node
   and a DS-compliant node is that the legacy node may or may not
   interpret bits 3-6 of the TOS octet as defined in [RFC1349] (the
   "DTRC" bits); in practice it will not interpret these bit as
   specified in [DSFIELD].  We assume that the use of the TOS markings
   defined in [RFC1349] is deprecated.  Nodes which are non-DS-compliant
   and which are not legacy nodes may exhibit unpredictable forwarding
   behaviors for packets with non-zero DS codepoints.

   Differentiated services depend on the resource allocation mechanisms
   provided by per-hop behavior implementations in nodes.  The quality
   or statistical assurance level of a service may break down in the
   event that traffic transits a non-DS-compliant node, or a non-DS-
   capable domain.

   We will examine two separate cases.  The first case concerns the use
   of non-DS-compliant nodes within a DS domain.  Note that PHB
   forwarding is primarily useful for allocating scarce node and link
   resources in a controlled manner.  On high-speed, lightly loaded
   links, the worst-case packet delay, jitter, and loss may be

Blake, et. al.               Informational                     [Page 25]

RFC 2475        Architecture for Differentiated Services   December 1998

   negligible, and the use of a non-DS-compliant node on the upstream
   end of such a link may not result in service degradation.  In more
   realistic circumstances, the lack of PHB forwarding in a node may
   make it impossible to offer low-delay, low-loss, or provisioned
   bandwidth services across paths which traverse the node.  However,
   use of a legacy node may be an acceptable alternative, assuming that
   the DS domain restricts itself to using only the Class Selector
   Codepoints defined in [DSFIELD], and assuming that the particular
   precedence implementation in the legacy node provides forwarding
   behaviors which are compatible with the services offered along paths
   which traverse that node.  Note that it is important to restrict the
   codepoints in use to the Class Selector Codepoints, since the legacy
   node may or may not interpret bits 3-5 in accordance with [RFC1349],
   thereby resulting in unpredictable forwarding results.

   The second case concerns the behavior of services which traverse
   non-DS-capable domains.  We assume for the sake of argument that a
   non-DS-capable domain does not deploy traffic conditioning functions
   on domain boundary nodes; therefore, even in the event that the
   domain consists of legacy or DS-compliant interior nodes, the lack of
   traffic enforcement at the boundaries will limit the ability to
   consistently deliver some types of services across the domain.  A DS
   domain and a non-DS-capable domain may negotiate an agreement which
   governs how egress traffic from the DS-domain should be marked before
   entry into the non-DS-capable domain.  This agreement might be
   monitored for compliance by traffic sampling instead of by rigorous
   traffic conditioning.  Alternatively, where there is knowledge that
   the non-DS-capable domain consists of legacy nodes, the upstream DS
   domain may opportunistically re-mark differentiated services traffic
   to one or more of the Class Selector Codepoints.  Where there is no
   knowledge of the traffic management capabilities of the downstream
   domain, and no agreement in place, a DS domain egress node may choose
   to re-mark DS codepoints to zero, under the assumption that the non-
   DS-capable domain will treat the traffic uniformly with best-effort

   In the event that a non-DS-capable domain peers with a DS domain,
   traffic flowing from the non-DS-capable domain should be conditioned
   at the DS ingress node of the DS domain according to the appropriate
   SLA or policy.

5.  Multicast Considerations

   Use of differentiated services by multicast traffic introduces a
   number of issues for service provisioning.  First, multicast packets
   which enter a DS domain at an ingress node may simultaneously take
   multiple paths through some segments of the domain due to multicast
   packet replication.  In this way they consume more network resources

Blake, et. al.               Informational                     [Page 26]

RFC 2475        Architecture for Differentiated Services   December 1998

   than unicast packets.  Where multicast group membership is dynamic,
   it is difficult to predict in advance the amount of network resources
   that may be consumed by multicast traffic originating from an
   upstream network for a particular group.  A consequence of this
   uncertainty is that it may be difficult to provide quantitative
   service guarantees to multicast senders.  Further, it may be
   necessary to reserve codepoints and PHBs for exclusive use by unicast
   traffic, to provide resource isolation from multicast traffic.

   The second issue is the selection of the DS codepoint for a multicast
   packet arriving at a DS ingress node.  Because that packet may exit
   the DS domain at multiple DS egress nodes which peer with multiple
   downstream domains, the DS codepoint used should not result in the
   request for a service from a downstream DS domain which is in
   violation of a peering SLA.  When establishing classifier and traffic
   conditioner state at an DS ingress node for an aggregate of traffic
   receiving a differentiated service which spans across the egress
   boundary of the domain, the identity of the adjacent downstream
   transit domain and the specifics of the corresponding peering SLA can
   be factored into the configuration decision (subject to routing
   policy and the stability of the routing infrastructure).  In this way
   peering SLAs with downstream DS domains can be partially enforced at
   the ingress of the upstream domain, reducing the classification and
   traffic conditioning burden at the egress node of the upstream
   domain.  This is not so easily performed in the case of multicast
   traffic, due to the possibility of dynamic group membership.  The
   result is that the service guarantees for unicast traffic may be
   impacted.  One means of addressing this problem is to establish a
   separate peering SLA for multicast traffic, and to either utilize a
   particular set of codepoints for multicast packets, or to implement
   the necessary classification and traffic conditioning mechanisms in
   the DS egress nodes to provide preferential isolation for unicast
   traffic in conformance with the peering SLA with the downstream

6.  Security and Tunneling Considerations

   This section addresses security issues raised by the introduction of
   differentiated services, primarily the potential for denial-of-
   service attacks, and the related potential for theft of service by
   unauthorized traffic (Sec. 6.1).  In addition, the operation of
   differentiated services in the presence of IPsec and its interaction
   with IPsec are also discussed (Sec. 6.2), as well as auditing
   requirements (Sec. 6.3).  This section considers issues introduced by
   the use of both IPsec and non-IPsec tunnels.

Blake, et. al.               Informational                     [Page 27]

RFC 2475        Architecture for Differentiated Services   December 1998

6.1  Theft and Denial of Service

   The primary goal of differentiated services is to allow different
   levels of service to be provided for traffic streams on a common
   network infrastructure.  A variety of resource management techniques
   may be used to achieve this, but the end result will be that some
   packets receive different (e.g., better) service than others.  The
   mapping of network traffic to the specific behaviors that result in
   different (e.g., better or worse) service is indicated primarily by
   the DS field, and hence an adversary may be able to obtain better
   service by modifying the DS field to codepoints indicating behaviors
   used for enhanced services or by injecting packets with the DS field
   set to such codepoints.  Taken to its limits, this theft of service
   becomes a denial-of-service attack when the modified or injected
   traffic depletes the resources available to forward it and other
   traffic streams.  The defense against such theft- and denial-of-
   service attacks consists of the combination of traffic conditioning
   at DS boundary nodes along with security and integrity of the network
   infrastructure within a DS domain.

   As described in Sec. 2, DS ingress nodes must condition all traffic
   entering a DS domain to ensure that it has acceptable DS codepoints.
   This means that the codepoints must conform to the applicable TCA(s)
   and the domain's service provisioning policy.  Hence, the ingress
   nodes are the primary line of defense against theft- and denial-of-
   service attacks based on modified DS codepoints (e.g., codepoints to
   which the traffic is not entitled), as success of any such attack
   constitutes a violation of the applicable TCA(s) and/or service
   provisioning policy.  An important instance of an ingress node is
   that any traffic-originating node in a DS domain is the ingress node
   for that traffic, and must ensure that all originated traffic carries
   acceptable DS codepoints.

   Both a domain's service provisioning policy and TCAs may require the
   ingress nodes to change the DS codepoint on some entering packets
   (e.g., an ingress router may set the DS codepoint of a customer's
   traffic in accordance with the appropriate SLA).  Ingress nodes must
   condition all other inbound traffic to ensure that the DS codepoints
   are acceptable; packets found to have unacceptable codepoints must
   either be discarded or must have their DS codepoints modified to
   acceptable values before being forwarded.  For example, an ingress
   node receiving traffic from a domain with which no enhanced service
   agreement exists may reset the DS codepoint to the Default PHB
   codepoint [DSFIELD].  Traffic authentication may be required to
   validate the use of some DS codepoints (e.g., those corresponding to
   enhanced services), and such authentication may be performed by
   technical means (e.g., IPsec) and/or non-technical means (e.g., the
   inbound link is known to be connected to exactly one customer site).

Blake, et. al.               Informational                     [Page 28]

RFC 2475        Architecture for Differentiated Services   December 1998

   An inter-domain agreement may reduce or eliminate the need for
   ingress node traffic conditioning by making the upstream domain
   partly or completely responsible for ensuring that traffic has DS
   codepoints acceptable to the downstream domain.  In this case, the
   ingress node may still perform redundant traffic conditioning checks
   to reduce the dependence on the upstream domain (e.g., such checks
   can prevent theft-of-service attacks from propagating across the
   domain boundary).  If such a check fails because the upstream domain
   is not fulfilling its responsibilities, that failure is an auditable
   event; the generated audit log entry should include the date/time the
   packet was received, the source and destination IP addresses, and the
   DS codepoint that caused the failure.  In practice, the limited gains
   from such checks need to be weighed against their potential
   performance impact in determining what, if any, checks to perform
   under these circumstances.

   Interior nodes in a DS domain may rely on the DS field to associate
   differentiated services traffic with the behaviors used to implement
   enhanced services.  Any node doing so depends on the correct
   operation of the DS domain to prevent the arrival of traffic with
   unacceptable DS codepoints.  Robustness concerns dictate that the
   arrival of packets with unacceptable DS codepoints must not cause the
   failure (e.g., crash) of network nodes.  Interior nodes are not
   responsible for enforcing the service provisioning policy (or
   individual SLAs) and hence are not required to check DS codepoints
   before using them.  Interior nodes may perform some traffic
   conditioning checks on DS codepoints (e.g., check for DS codepoints
   that are never used for traffic on a specific link) to improve
   security and robustness (e.g., resistance to theft-of-service attacks
   based on DS codepoint modifications).  Any detected failure of such a
   check is an auditable event and the generated audit log entry should
   include the date/time the packet was received, the source and
   destination IP addresses, and the DS codepoint that caused the
   failure.  In practice, the limited gains from such checks need to be
   weighed against their potential performance impact in determining
   what, if any, checks to perform at interior nodes.

   Any link that cannot be adequately secured against modification of DS
   codepoints or traffic injection by adversaries should be treated as a
   boundary link (and hence any arriving traffic on that link is treated
   as if it were entering the domain at an ingress node).  Local
   security policy provides the definition of "adequately secured," and
   such a definition may include a determination that the risks and
   consequences of DS codepoint modification and/or traffic injection do
   not justify any additional security measures for a link.  Link
   security can be enhanced via physical access controls and/or software
   means such as tunnels that ensure packet integrity.

Blake, et. al.               Informational                     [Page 29]

RFC 2475        Architecture for Differentiated Services   December 1998

6.2  IPsec and Tunneling Interactions

   The IPsec protocol, as defined in [ESP, AH], does not include the IP
   header's DS field in any of its cryptographic calculations (in the
   case of tunnel mode, it is the outer IP header's DS field that is not
   included).  Hence modification of the DS field by a network node has
   no effect on IPsec's end-to-end security, because it cannot cause any
   IPsec integrity check to fail.  As a consequence, IPsec does not
   provide any defense against an adversary's modification of the DS
   field (i.e., a man-in-the-middle attack), as the adversary's
   modification will also have no effect on IPsec's end-to-end security.
   In some environments, the ability to modify the DS field without
   affecting IPsec integrity checks may constitute a covert channel; if
   it is necessary to eliminate such a channel or reduce its bandwidth,
   the DS domains should be configured so that the required processing
   (e.g., set all DS fields on sensitive traffic to a single value) can
   be performed at DS egress nodes where traffic exits higher security

   IPsec's tunnel mode provides security for the encapsulated IP
   header's DS field.  A tunnel mode IPsec packet contains two IP
   headers: an outer header supplied by the tunnel ingress node and an
   encapsulated inner header supplied by the original source of the
   packet.  When an IPsec tunnel is hosted (in whole or in part) on a
   differentiated services network, the intermediate network nodes
   operate on the DS field in the outer header.  At the tunnel egress
   node, IPsec processing includes stripping the outer header and
   forwarding the packet (if required) using the inner header.     If
   the inner IP header has not been processed by a DS ingress node for
   the tunnel egress node's DS domain, the tunnel egress node is the DS
   ingress node for traffic exiting the tunnel, and hence must carry out
   the corresponding traffic conditioning responsibilities (see Sec.
   6.1).  If the IPsec processing includes a sufficiently strong
   cryptographic integrity check of the encapsulated packet (where
   sufficiency is determined by local security policy), the tunnel
   egress node can safely assume that the DS field in the inner header
   has the same value as it had at the tunnel ingress node.  This allows
   a tunnel egress node in the same DS domain as the tunnel ingress
   node, to safely treat a packet passing such an integrity check as if
   it had arrived from another node within the same DS domain, omitting
   the DS ingress node traffic conditioning that would otherwise be
   required.  An important consequence is that otherwise insecure links
   internal to a DS domain can be secured by a sufficiently strong IPsec

   This analysis and its implications apply to any tunneling protocol
   that performs integrity checks, but the level of assurance of the
   inner header's DS field depends on the strength of the integrity

Blake, et. al.               Informational                     [Page 30]

RFC 2475        Architecture for Differentiated Services   December 1998

   check performed by the tunneling protocol.  In the absence of
   sufficient assurance for a tunnel that may transit nodes outside the
   current DS domain (or is otherwise vulnerable), the encapsulated
   packet must be treated as if it had arrived at a DS ingress node from
   outside the domain.

   The IPsec protocol currently requires that the inner header's DS
   field not be changed by IPsec decapsulation processing at a tunnel
   egress node.  This ensures that an adversary's modifications to the
   DS field cannot be used to launch theft- or denial-of-service attacks
   across an IPsec tunnel endpoint, as any such modifications will be
   discarded at the tunnel endpoint.  This document makes no change to
   that IPsec requirement.

   If the IPsec specifications are modified in the future to permit a
   tunnel egress node to modify the DS field in an inner IP header based
   on the DS field value in the outer header (e.g., copying part or all
   of the outer DS field to the inner DS field), then additional
   considerations would apply.  For a tunnel contained entirely within a
   single DS domain and for which the links are adequately secured
   against modifications of the outer DS field, the only limits on inner
   DS field modifications would be those imposed by the domain's service
   provisioning policy.  Otherwise, the tunnel egress node performing
   such modifications would be acting as a DS ingress node for traffic
   exiting the tunnel and must carry out the traffic conditioning
   responsibilities of an ingress node, including defense against theft-
   and denial-of-service attacks (See Sec. 6.1).  If the tunnel enters
   the DS domain at a node different from the tunnel egress node, the
   tunnel egress node may depend on the upstream DS ingress node having
   ensured that the outer DS field values are acceptable.  Even in this
   case, there are some checks that can only be performed by the tunnel
   egress node (e.g., a consistency check between the inner and outer DS
   codepoints for an encrypted tunnel).  Any detected failure of such a
   check is an auditable event and the generated audit log entry should
   include the date/time the packet was received, the source and
   destination IP addresses, and the DS codepoint that was unacceptable.

   An IPsec tunnel can be viewed in at least two different ways from an
   architectural perspective.  If the tunnel is viewed as a logical
   single hop "virtual wire", the actions of intermediate nodes in
   forwarding the tunneled traffic should not be visible beyond the ends
   of the tunnel and hence the DS field should not be modified as part
   of decapsulation processing.  In contrast, if the tunnel is viewed as
   a multi-hop participant in forwarding traffic, then modification of
   the DS field as part of tunnel decapsulation processing may be
   desirable.  A specific example of the latter situation occurs when a
   tunnel terminates at an interior node of a DS domain at which the
   domain administrator does not wish to deploy traffic conditioning

Blake, et. al.               Informational                     [Page 31]

RFC 2475        Architecture for Differentiated Services   December 1998

   logic (e.g., to simplify traffic management).  This could be
   supported by using the DS codepoint in the outer IP header (which was
   subject to traffic conditioning at the DS ingress node) to reset the
   DS codepoint in the inner IP header, effectively moving DS ingress
   traffic conditioning responsibilities from the IPsec tunnel egress
   node to the appropriate upstream DS ingress node (which must already
   perform that function for unencapsulated traffic).

6.3  Auditing

   Not all systems that support differentiated services will implement
   auditing.  However, if differentiated services support is
   incorporated into a system that supports auditing, then the
   differentiated services implementation should also support auditing.
   If such support is present the implementation must allow a system
   administrator to enable or disable auditing for differentiated
   services as a whole, and may allow such auditing to be enabled or
   disabled in part.

   For the most part, the granularity of auditing is a local matter.
   However, several auditable events are identified in this document and
   for each of these events a minimum set of information that should be
   included in an audit log is defined.  Additional information (e.g.,
   packets related to the one that triggered the auditable event) may
   also be included in the audit log for each of these events, and
   additional events, not explicitly called out in this specification,
   also may result in audit log entries.  There is no requirement for
   the receiver to transmit any message to the purported sender in
   response to the detection of an auditable event, because of the
   potential to induce denial of service via such action.

7.  Acknowledgements

   This document has benefitted from earlier drafts by Steven Blake,
   David Clark, Ed Ellesson, Paul Ferguson, Juha Heinanen, Van Jacobson,
   Kalevi Kilkki, Kathleen Nichols, Walter Weiss, John Wroclawski, and
   Lixia Zhang.

   The authors would like to acknowledge the following individuals for
   their helpful comments and suggestions: Kathleen Nichols, Brian
   Carpenter, Konstantinos Dovrolis, Shivkumar Kalyana, Wu-chang Feng,
   Marty Borden, Yoram Bernet, Ronald Bonica, James Binder, Borje
   Ohlman, Alessio Casati, Scott Brim, Curtis Villamizar, Hamid Ould-
   Brahi, Andrew Smith, John Renwick, Werner Almesberger, Alan O'Neill,
   James Fu, and Bob Braden.

Blake, et. al.               Informational                     [Page 32]

RFC 2475        Architecture for Differentiated Services   December 1998

8.  References

   [802.1p]    ISO/IEC Final CD 15802-3 Information technology - Tele-
               communications and information exchange between systems -
               Local and metropolitan area networks - Common
               specifications - Part 3: Media Access Control (MAC)
               bridges, (current draft available as IEEE P802.1D/D15).

   [AH]        Kent, S. and R. Atkinson, "IP Authentication Header", RFC
               2402, November 1998.

   [ATM]       ATM Traffic Management Specification Version 4.0 <af-tm-
               0056.000>, ATM Forum, April 1996.

   [Bernet]    Y. Bernet, R. Yavatkar, P. Ford, F. Baker, L. Zhang, K.
               Nichols, and M. Speer, "A Framework for Use of RSVP with
               Diff-serv Networks", Work in Progress.

   [DSFIELD]   Nichols, K., Blake, S., Baker, F. and D. Black,
               "Definition of the Differentiated Services Field (DS
               Field) in the IPv4 and IPv6 Headers", RFC 2474, December

   [EXPLICIT]  D. Clark and W. Fang, "Explicit Allocation of Best Effort
               Packet Delivery Service", IEEE/ACM Trans. on Networking,
               vol. 6, no. 4, August 1998, pp. 362-373.

   [ESP]       Kent, S. and R. Atkinson, "IP Encapsulating Security
               Payload (ESP)", RFC 2406, November 1998.

   [FRELAY]    ANSI T1S1, "DSSI Core Aspects of Frame Rely", March 1990.

   [RFC791]    Postel, J., Editor, "Internet Protocol", STD 5, RFC 791,
               September 1981.

   [RFC1349]   Almquist, P., "Type of Service in the Internet Protocol
               Suite", RFC 1349, July 1992.

   [RFC1633]   Braden, R., Clark, D. and S. Shenker, "Integrated
               Services in the Internet Architecture: An Overview", RFC
               1633, July 1994.

   [RFC1812]   Baker, F., Editor, "Requirements for IP Version 4
               Routers", RFC 1812, June 1995.

   [RSVP]      Braden, B., Zhang, L., Berson S., Herzog, S. and S.
               Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
               Functional Specification", RFC 2205, September 1997.

Blake, et. al.               Informational                     [Page 33]

RFC 2475        Architecture for Differentiated Services   December 1998

   [2BIT]      K. Nichols, V. Jacobson, and L. Zhang, "A Two-bit
               Differentiated Services Architecture for the Internet",
     , November 1997.

   [TR]        ISO/IEC 8802-5 Information technology -
               Telecommunications and information exchange between
               systems - Local and metropolitan area networks - Common
               specifications - Part 5: Token Ring Access Method and
               Physical Layer Specifications, (also ANSI/IEEE Std 802.5-
               1995), 1995.

Authors' Addresses

   Steven Blake
   Torrent Networking Technologies
   3000 Aerial Center, Suite 140
   Morrisville, NC  27560

   Phone:  +1-919-468-8466 x232

   David L. Black
   EMC Corporation
   35 Parkwood Drive
   Hopkinton, MA  01748

   Phone:  +1-508-435-1000 x76140

   Mark A. Carlson
   Sun Microsystems, Inc.
   2990 Center Green Court South
   Boulder, CO  80301

   Phone:  +1-303-448-0048 x115

   Elwyn Davies
   Nortel UK
   London Road
   Harlow, Essex  CM17 9NA, UK

   Phone:  +44-1279-405498

Blake, et. al.               Informational                     [Page 34]

RFC 2475        Architecture for Differentiated Services   December 1998

   Zheng Wang
   Bell Labs Lucent Technologies
   101 Crawfords Corner Road
   Holmdel, NJ  07733


   Walter Weiss
   Lucent Technologies
   300 Baker Avenue, Suite 100
   Concord, MA  01742-2168


Blake, et. al.               Informational                     [Page 35]

RFC 2475        Architecture for Differentiated Services   December 1998

Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an

Blake, et. al.               Informational                     [Page 36]