DiffServ and QoS Support in Microsoft Hosts
Peter S. Ford, peterf@microsoft.com
NANOG, 8 June 1998 (15 slides)

Slide 2: Agenda
  • Why QoS?
  • Role of Hosts in providing QoS
  • Microsoft NT QoS Components

Slide 3: DiffServ WG Observation
  • "100s of Bald Men arguing over 8 Combs" - An Internet Wag

Slide 4: What Needs QoS?
  • VPNs over the Internet
      - High value traffic - branch offices and telecommuters
      - Easy to do with static config of filter lists
      - Current focus of Industry Buzz
  • Applications sensitive to packet loss
      - SAP, SQL, RPC, SNA, DEC LAT, …
      - Web "RPC" - HTTP GET
      - Audio over RTP/UDP - Voice over IP
      - Many of these are harder to do with static configurations based on layer 3 filters

Slide 5: Hosts and QoS
  • QoS, DiffServ, etc. enhance carriage of application bits over the network
  • In many cases only the hosts/apps have knowledge of QoS needs
      - Certain web pages have priority
          > ports are not enough to classify traffic
      - End to end IP security
          > there are no ports to look at
  • Hosts have an important role in the evolving QoS landscape

Slide 6: Managing Resource Allocation In The Network
  • Current IP networks are "Best Effort" (BE): Standby Model w/ in-flight bumping
  • "QoS Enabled Networks" - Network Resources allocated between BE and "more important" traffic (e.g. queue, priority, bandwidth, etc.)
  • Hosts signal the network and request resources for entitled users/applications, subject to Network Admission Control
  • Net Admins Authorize and Prioritize access to resources based on user/application

Slide 7: QoS Mechanisms Exploited
  • Precedence/Priority
      - IP TOS/Precedence bits (layer 3)
          > tracking where differentiated services ends up...
      - IEEE 802.1p (layer 2)
  • Application Flows can be isolated, prioritized and scheduled by the Stack
  • Signaling into Network (RSVP, ATM)
  • Network Admins configure QoS Policy on hosts and in the network

Slide 8: Microsoft QoS Components
  [Architecture diagram; only its labels survive extraction: LDAP for Policies; QoS-aware Network mgmt. application; QoS SP; TCI API; TCP/IP; Packet Scheduler; ACS/SBM; Netcards; Packet classifier; Directory Services for QoS Policy Storage; WinSock 2 QoS API; Routers/Switches]

Slide 9: DS based QoS Networking
  [Flow diagram; only its labels survive extraction: sending host applications (FTP, NetMeeting) over RSVP / Traffic control / 802.1p Priority, Prio=5; RSVP PATH requesting 1 Mbps controlled load for \redmonduserx; ACS checks \redmonduserx; DS ISP w/ DiffServ; Router; Packets Rescheduled to Prio=1; Receiver]

Slide 10: Microsoft QoS Components
  • WinSock 2 Generic QoS API
      - Allows applications to request the QoS they need, regardless of the underlying mechanisms (RSVP, IP Priority, ...)
  • QoS Signaling - End System to Network
      - Explicit - RSVP with Policy Objects (e.g. user id)
          > integrated with IPSEC
      - Implicit - IP DiffServ / IEEE 802.1p
  • Traffic Control API w/ Kernel Stack Support
      - Kernel based queueing of traffic flows
      - IP, IEEE 802.1p precedence/priority
  • Admission Control Service
      - QoS Directory Console for Network Admins
      - In-network policy enforcement
      - Also adds L2 shared media management

Slide 11: ACS Management Model
  • Network Administers QoS Policies in the Directory Service
      - User Object is extended to permit a mapping from a User to a Group Profile
          > e.g. RedmondBob -> Programmers
      - Default policies at Organization Level
          > "All users can reserve up to 500 Kbps"
          > "Programmers get 100 Kbps"
          > Enterprise-wide User, Profile policies
      - Per Subnetwork Policies
          > Individual Users and Group Profiles

Slide 12: ACS Policy Operation
  • Host RSVP service provider inserts RSVP policy objects in RSVP messages
      - Contains User Identity represented as an encrypted DN: {dc=com, dc=microsoft, ou=redmond, n=bob}Ksession
      - Security token to prove identity (Kerberos ticket for ACS service)
          > Ticket encrypted in private key of ACS service
          > Session Key (Ksession) is in Ticket
      - Digital signature over RSVP message to avoid policy object reuse (cut and paste)
  • ACS servers in network authorize requests
      - Crack ticket to get identity of requestor
      - Check User's Policy in the Directory

Slide 13: In Summary
  • Need many pieces of the QoS picture to satisfy customer requirements
      - DiffServ for ISPs and large networks
      - Fine grain policy control
      - Centralized management for QoS Policies
          > both DiffServ and RSVP signaled flows
          > Use of Directory services
  • RSVP may prove useful in many ways
      - Internal provisioning of QoS - PASTE (Li and Rekhter)
      - Customer to ISP - dynamic signaling instead of the desert of pre-provisioning

Slide 14: Admission Control Services Policy Functionality
  • Admission Control Servers
      - part of RSVP process on a network server (NT, switch, router, etc.)
      - implements RSVP and SBM
      - ACS takes requests and tests against policy and/or resource limits
  • Hosts can use RSVP signaling
      - Hosts on LANs also participate in SBM
  • Policies are maintained in the Directory (DS)
      - ACS uses LDAP to retrieve Policy Information from DS
      - ACS Policy is per subnetwork/per user
      - Can be abstracted to "per Enterprise/per Group"
      - Enables approval/denial of resources based on user ID, time of day, resource limits (bandwidth, priority, ...), etc.
  • Can Aggregate requests into priority groups at ISP/WAN interfaces
      - can "re-write" user id to corp id at ISP boundaries
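The policy-object check of slide 12 and the directory-driven admission decision of slide 14 (using the user-to-group and per-subnetwork policy model of slide 11), as an added toy example in Python that is not part of the original deck. It assumes the ACS has already decrypted the Kerberos ticket and holds Ksession, uses HMAC-SHA256 as a stand-in for both the DN encryption and the digital signature, and the directory contents and subnet policy are constructed.

```python
"""Toy model of the ACS policy-object check from slides 12 and 14 (added example).
Assumptions: the ACS already holds Ksession from the ticket; HMAC-SHA256 stands in
for the DN encryption keystream and the digital signature; directory data is made up."""
import hashlib
import hmac
import json
import os

DN_BOB = "dc=com,dc=microsoft,ou=redmond,cn=bob"
DIRECTORY = {DN_BOB: "Programmers"}                    # user -> group profile (slide 11)
ORG_POLICY = {"*": 500, "Programmers": 100}            # org-level limits in Kbps (slide 11)
SUBNET_POLICY = {"10.1.0.0/16": {"Programmers": 250}}  # per-subnetwork override (constructed)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(ksession: bytes, nonce: bytes, data: bytes) -> bytes:
    """{DN}Ksession: XOR with a per-message keystream; the same call opens it again."""
    return bytes(a ^ b for a, b in zip(data, _keystream(ksession, nonce, len(data))))

def _sign(ksession: bytes, msg: dict) -> str:
    """Signature covers the whole RSVP message (minus the signature field itself)."""
    body = json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True)
    return hmac.new(ksession, body.encode(), hashlib.sha256).hexdigest()

def build_path(ksession: bytes, dn: str, session: str, rate_kbps: int) -> dict:
    """Host side: RSVP PATH carrying the policy object and a signature over the message."""
    nonce = os.urandom(8)
    msg = {"session": session, "rate_kbps": rate_kbps,
           "policy": {"nonce": nonce.hex(), "dn_enc": _xor(ksession, nonce, dn.encode()).hex()}}
    msg["sig"] = _sign(ksession, msg)
    return msg

def acs_decide(ksession: bytes, msg: dict, subnet: str) -> str:
    """ACS side: verify the signature, crack the identity, check the user's policy."""
    if not hmac.compare_digest(_sign(ksession, msg), msg.get("sig", "")):
        return "deny: bad signature (policy object reused or message altered)"
    pol = msg["policy"]
    dn = _xor(ksession, bytes.fromhex(pol["nonce"]), bytes.fromhex(pol["dn_enc"])).decode()
    group = DIRECTORY.get(dn)
    if group is None:
        return "deny: unknown user"
    # Per-subnetwork policy wins over the organization-level default for the group or "*".
    limit = SUBNET_POLICY.get(subnet, {}).get(group, ORG_POLICY.get(group, ORG_POLICY["*"]))
    return "permit" if msg["rate_kbps"] <= limit else f"deny: {msg['rate_kbps']} > {limit} Kbps"
```

Because the signature binds the policy object to the session and rate it was issued for, pasting a valid policy object into a different request fails the check before any directory lookup happens.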

Slide 15: Extensibility of ACS Policy Framework
  • Can add new policy objects to RSVP messages
  • Can add new policy interpretation modules to ACS servers
      - API to call out to policy module
  • Can extend ACS policy objects in the Directory
  • End Systems can pull policy down from Directory to configure QoS