From: Jonathan Morton
To: ching lu
Cc: moeller0, cake@lists.bufferbloat.net
Date: Wed, 12 Oct 2016 18:36:32 +0300
Subject: Re: [Cake] diffserv based on firewall mark
List: Cake - FQ_codel the next generation (cake@lists.bufferbloat.net)

> On 12 Oct, 2016, at 15:40, ching lu wrote:
>
> DSCP -> unreliable, easily spoofed by attacker

I’d like to address the “easily spoofed by attacker” point specifically.

Cake’s interpretation of Diffserv is as a three-way tradeoff between throughput priority, latency priority, and altruism. If you choose a DSCP meaning “low latency” such as CS6 or EF, Cake gives it higher weight than average, but *only* if the aggregate bandwidth of supposedly low-latency traffic is below a reasonable fraction of the link bandwidth. Beyond that point, it gets *lower* weight than average, but is still able to use spare bandwidth that happens to be available.

There is no way to get “absolute priority”, which this type of attacker would presumably want, just by setting a particular DSCP. The default “best effort” DSCP is in fact interpreted as “throughput priority”, which is what most bulk traffic wants. In this respect, Cake differs from the original IP Precedence specification (which is long obsolete) and most other naive Diffserv implementations.

In short, Cake does not unreasonably *trust* the DSCP field, but instead offers explicit incentives for traffic to set it correctly. This adheres to the relevant PHB specifications, which are published as RFCs and thus can be used as a standard.

The CS1 or “Background” DSCP is the one with an altruistic meaning. It has low priority whichever side of the bandwidth threshold it lies on, so it always mostly yields to other traffic. Clients are of course permitted to not set it, but that’s what your firewall rules are for. The Diffserv spec explicitly allows you to change the DSCP on entry to your own network, which is what I suggested in my first reply.

Setting the DSCP with iptables rules should work just as well and in the same way as using the “firewall mark” functionality as you already do. Set it up that way in the first instance, directly replacing each HTB+fq_codel combination with a Cake instance, and see how it works.

- Jonathan Morton
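The setup Jonathan recommends, re-marking DSCP with iptables on entry from the LAN and replacing the HTB+fq_codel tree with one Cake instance, written out as an added example. This is not code from the thread or from the Cake project; the interface names (eth0, br0), the 20mbit uplink rate and the port-to-codepoint policy (DNS and SSH to EF, BitTorrent ports to CS1) are assumptions chosen for illustration. The first rule in the chain resets every packet to best effort, so whatever codepoint a client set is discarded before the router's own policy is applied.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Cake project).
# Re-mark DSCP with iptables as packets enter from the LAN, then let a single
# cake instance on the WAN egress act on the codepoints, replacing HTB+fq_codel.
# Interface names, the rate and the port policy are assumptions for this example.
set -eu

WAN="${WAN:-eth0}"            # assumed upstream interface
LAN="${LAN:-br0}"             # assumed LAN-facing interface
UP_RATE="${UP_RATE:-20mbit}"  # assumed uplink rate; set it a little below the real one
RUN="${RUN:-}"                # RUN=echo prints the commands instead of executing them

# Append one classification rule to the LAN entry chain.
# $1 = DSCP class name understood by the xt_DSCP target (EF, CS1, AF41, ...),
# remaining arguments = iptables match expression.
classify() {
    class="$1"; shift
    $RUN iptables -t mangle -A dscp_lan "$@" -j DSCP --set-dscp-class "$class"
}

apply_policy() {
    # Chain hooked into mangle/PREROUTING for packets arriving from the LAN
    # (create it, or flush it if it already exists from an earlier run).
    $RUN iptables -t mangle -N dscp_lan 2>/dev/null || $RUN iptables -t mangle -F dscp_lan
    $RUN iptables -t mangle -A PREROUTING -i "$LAN" -j dscp_lan

    # 1. Do not trust what the client set: reset every packet to best effort.
    #    The DSCP target does not terminate rule processing, so later rules
    #    still apply on top of this reset.
    $RUN iptables -t mangle -A dscp_lan -j DSCP --set-dscp 0

    # 2. Apply the router's own policy (example choices, adjust to taste).
    classify EF  -p udp --dport 53          # DNS: latency priority
    classify EF  -p tcp --dport 22          # interactive SSH: latency priority
    classify CS1 -p tcp --dport 6881:6889   # BitTorrent: background, yields to everything

    # 3. One cake instance replaces the HTB root and its fq_codel leaves.
    #    diffserv4 puts CS1 in the Bulk tin, unmarked traffic in Best Effort
    #    and EF in the Voice tin; the weights follow the threshold behaviour
    #    described in the message, so EF marking buys no absolute priority.
    $RUN tc qdisc replace dev "$WAN" root cake bandwidth "$UP_RATE" diffserv4
}

show_state() {
    $RUN iptables -t mangle -L dscp_lan -n -v
    $RUN tc -s qdisc show dev "$WAN"
}

# Usage:  sh cake-dscp.sh apply        (as root)
#         RUN=echo sh cake-dscp.sh apply   (dry run, print commands only)
#         sh cake-dscp.sh show         (per-rule counters and per-tin cake stats)
case "${1:-}" in
    apply) apply_policy ;;
    show)  show_state ;;
esac
```

Two caveats. The re-marking above only helps in the upload direction: the rules run in PREROUTING on the LAN interface, and the cake instance on the WAN egress sees the rewritten codepoints. Packets arriving from the ISP carry whatever DSCP the remote side or the ISP left in them, and an ingress qdisc (or a redirect to an IFB device) runs before netfilter, so iptables cannot rewrite those before cake classifies them. Also, at the time of this thread cake was an out-of-tree module that needed a patched tc; since Linux 4.19 it is part of the mainline kernel and stock iproute2 understands the `cake` keyword.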