Re: [Cake] diffserv based on firewall mark

Cake - FQ_codel the next generation
 help / color / mirror / Atom feed

From: Sebastian Moeller <moeller0@gmx.de>
To: Jonathan Morton <chromatix99@gmail.com>,ching lu <lsching17@gmail.com>
Cc: cake@lists.bufferbloat.net
Subject: Re: [Cake] diffserv based on firewall mark
Date: Wed, 12 Oct 2016 22:19:05 +0200	[thread overview]
Message-ID: <DAAD1EAA-15D6-4627-95DC-6CB88AA1ED48@gmx.de> (raw)
In-Reply-To: <A60C23AF-D3DD-4046-9F7B-BA6B2F3599EB@gmail.com>

Hi there,

On October 12, 2016 5:36:32 PM GMT+02:00, Jonathan Morton <chromatix99@gmail.com> wrote:
>
>> On 12 Oct, 2016, at 15:40, ching lu <lsching17@gmail.com> wrote:
>> 
>> DSCP -> unreliable, easily spoofed by attacker
>
>I’d like to address the “easily spoofed by attacker” point
>specifically.
>
>Cake’s interpretation of Diffserv is as a three-way tradeoff between
>throughput priority, latency priority, and altruism.  If you choose a
>DSCP meaning “low latency” such as CS6 or EF, Cake gives it higher
>weight than average, but *only* if the aggregate bandwidth of
>supposedly low-latency traffic is below a reasonable fraction of the
>link bandwidth.  Beyond that point, it gets *lower* weight than
>average, but is still able to use spare bandwidth that happens to be
>available.
>
>There is no way to get “absolute priority”, which this type of attacker
>would presumably want, just by setting a particular DSCP.  The default
>“best effort” DSCP is in fact interpreted as “throughput priority”,
>which is what most bulk traffic wants.  In this respect, Cake differs
>from the original IP Precedence specification (which is long obsolete)
>and most other naive Diffserv implementations.
>
>In short, Cake does not unreasonably *trust* the DSCP field, but
>instead offers explicit incentives for traffic to set it correctly. 

With the slight complication that there is no canonically agreed upon value for correct, and cake' does not make it easy to predict how much traffic a specific priority tier will allow before degrading the requested priority, no? In short cake adds to the confusion independent of whether cake's rationale is sane... 


>This adheres to the relevant PHB specifications, which are published as
>RFCs and thus can be used as a standard.

The problem I see is that in the DSCP RFC it is explicitly stated that markings only are supposed/guaranteed to have meaning inside a dscp domain... With the home net typically being regarded as a domain independent of the ISPs...


>
>The CS1 or “Background” DSCP is the one with an altruistic meaning.  It
>has low priority whichever side of the bandwidth threshold it lies, so
>it always mostly yields to other traffic.  Clients are of course
>permitted to not set it, but that’s what your firewall rules are for. 
>The Diffserv spec explicitly allows you to change the DSCP on entry to
>your own network, which is what I suggested in my first reply.

They even recommend that IIRC, including recommending re-mapping to zero if in doubt.

Best Regards
        Sebastian

>
>Setting the DSCP with iptables rules should work just as well and in
>the same way as using the “firewall mark” functionality as you already
>do.  Set it up that way in the first instance, directly replacing each
>HTB+fq_codel combination with a Cake instance, and see how it works


>
> - Jonathan Morton

next prev parent reply	other threads:[~2016-10-12 20:19 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-12  5:52 ching lu
2016-10-12  7:26 ` Jonathan Morton
2016-10-12  8:11   ` ching lu
2016-10-12  9:10     ` moeller0
2016-10-12  9:35       ` ching lu
2016-10-12 10:05         ` moeller0
     [not found]           ` <CACHiF8D=iF4cww0QRC-UODpvC=oRmchP6jp3tT2A-=9M2piy+g@mail.gmail.com>
     [not found]             ` <CACHiF8BH2Pfx7de8Se6pv83tHUx1enLt_pc1MBp=uSs2mD=kYA@mail.gmail.com>
2016-10-12 10:17               ` ching lu
2016-10-12 10:21                 ` Dave Taht
2016-10-12 11:10                   ` Kevin Darbyshire-Bryant
2016-10-12 12:07                   ` moeller0
2016-10-12 12:04                 ` moeller0
2016-10-12 12:40                   ` ching lu
2016-10-12 13:07                     ` moeller0
2016-10-13  0:08                       ` ching lu
2016-10-12 15:36                     ` Jonathan Morton
2016-10-12 20:19                       ` Sebastian Moeller [this message]
2016-10-13  0:19                       ` ching lu
2016-10-13  0:26                         ` David Lang
2016-10-12 19:42 ` Y
2016-10-12 19:59   ` Sebastian Moeller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cake.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DAAD1EAA-15D6-4627-95DC-6CB88AA1ED48@gmx.de \
    --to=moeller0@gmx.de \
    --cc=cake@lists.bufferbloat.net \
    --cc=chromatix99@gmail.com \
    --cc=lsching17@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox