QoS and IPSec interactions


QoS Differentiated services efficiency depends on the consistency and the coherence of QoS policy deployed on a per-hop basis (PHB) along the traffic path.

Some services like IPSec encryption or tunnelling can cause issues to QoS. The purpose of this article is to clarify these interactions.

 

Outline

  • Overview.
  • Conclusions.
  • Examples of deployment (Lab1,Lab2)

 

Overview

Interactions between QoS and IPSec are based on three principles:

  • Order of operations
  • QoS criteria
  • QoS policy location

 

  1. Order of operations: By default IOS performs tunnelling and VPN operations first and then apply QoS policy.

     

    Figure1: default order of operation

    With QoS pre-classification the previous order is inversed: QoS policy is performed first and then tunnelling and VPN processes.

     

    Figure2: QoS pre-classification

    Well, Technically the QoS operation is still performed after IPSec, but using original header fields preserved in a “temporary memory Structure”.

     

  2. QoS criteria:
    What your QoS policy is looking for?

    With GRE tunnelling or IPSec encryption, a new header is built and only ToS field is copied by default from the original to the new tunnel or IPSec header (tunnel mode). So, caution if your classification criteria are based on other fields than ToS/DSCP!

     

    Figure3: TOS/DSCP preservation

     

  3. QoS policy location
    : QoS traffic classification is based on inspection of IP header fields like addresses, PID, ports, ToS …

    In fact, what is visible to QoS process depends on where your QoS policy is placed:

  • On the tunnel interface, before header modification (tunnelling and VPN operations).
  • On the physical interface, after header modification (tunnelling and VPN operations).

I hope the following illustrations will provide extra perception how QoS and IPSec are related.

 

Figure 4: ONLY QoS policy applied to physical interface (header visible)

 

Figure 5: IPSec + QoS policy applied to physical interface (only ToS preserved)

 

Figure 6: IPSec + QoS pre-classification (original header visible)

 

 

 

 

Figure 7: IPSec + QoS policy applied to tunnel interface (original IP header visible)

 

Table 1 summarises all combinations of the previously mentioned cases:

 

Table 1: summary

cases 1 2 3 4 5 6 7 8
QoS policy applied to physical int. X X X X
tunnel int. X X X X
Order of operations Default behaviour X X X x
QoS pre-classification X X X X
QoS policy criteria ONLY ToS X X X x
Other field than ToS (IP, ports) X x X x
Results QoS succeed QoS succeed QoS succeed QoS succeed QoS succeed QoS succeed QoS fails QoS succeed

Conclusions:

 

QoS pre-classification is needed when:

• Classification is based on packet IP header information (src/dst IP, PID, ports nbr., flags…)

&

• Service policy is applied to the physical interface (def. order of processes)

 

 

QoS pre-classification is NOT needed when:

  • Classification is based ONLY on ToS criterion.

Or

  • QoS Service policy is applied to tunnel interface (before performing VPN)

 

Lab 1 : IPSec applied to the physical interface

1-a)

  • Default QoS order of operations (IPSec -> QoS)
  • QoS is based on both DSCP and IP criteria

Figure5: IPSec encryption

R3:

crypto isakmp policy 101

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 172.16.12.3

!

!

crypto ipsec transform-set MYTRANSFORMSET esp-3des esp-sha-hmac

!

crypto ipsec profile MYIPSECPROFILE

set transform-set MYTRANSFORMSET

!

!

crypto map MYCRYPTOMAP 10 ipsec-isakmp

set peer 172.16.12.3

set transform-set MYTRANSFORMSET

match address IPSECACL

!

!

class-map match-all MYNOTIPMAP

match not access-group name IPSECACL

match ip dscp af11

class-map match-all MYTOS5MAP

match access-group name IPSECACL

match ip dscp af11

class-map match-all MYNOTTOS5MAP

match access-group name IPSECACL

match not ip dscp af11

!

!

policy-map MYQOSPOLICY

class MYTOS5MAP

bandwidth 100

class MYNOTTOS5MAP

drop

class MYNOTIPMAP

drop

class class-default

!

interface FastEthernet0/1

ip address 172.16.12.4 255.255.255.0

crypto map MYCRYPTOMAP

service-policy output MYQOSPOLICY

!

ip access-list extended IPSECACL

permit icmp host 192.168.2.7 host 192.168.1.6

 

IPSec traffic (new IP Sec ESP header) is captured by the class “MYNOTIPMAP” and drop policy applied

 

R3#sh policy-map int fa0/1

FastEthernet0/1

 

Service-policy output: MYQOSPOLICY

 

Class-map: MYTOS5MAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: ip dscp af11 (10)

Queueing

Output Queue: Conversation 265

Bandwidth 100 (kbps)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 48/0/0

 

Class-map: MYNOTTOS5MAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: not ip dscp af11 (10)

drop

 

Class-map: MYNOTIPMAP (match-all)


66 packets, 10956 bytes

5 minute offered rate 0 bps, drop rate 55000 bps

Match: not access-group name IPSECACL

Match: ip dscp af11 (10)


drop

 

Class-map: class-default (match-any)

15 packets, 1520 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

R3#

R3 :

R3#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

172.16.12.4 172.16.12.3 QM_IDLE 1001 0 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

R3#

 

ICMP traffic is generated from R6 toward R7 with DSCP=af11

 

R6#ping

Protocol [ip]:

Target IP address: 192.168.2.7

Repeat count [5]: 100000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 40

% Invalid source

Source address or interface:

Type of service [0]: 40

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 100000, 100-byte ICMP Echos to 192.168.2.7, timeout is 2 seconds:

…………………………………………………………….

  • RESULT = NOK

1-b) Apply QoS pre-classification (QoS -> IPSec)

R3:

crypto map MYCRYPTOMAP 10 ipsec-isakmp

set peer 172.16.12.4

set transform-set MYTRANSFORMSET

match address IPSECACL

qos pre-classify

!

QoS is performed 1st (class “MYTOS5MAP” is triggered), and then IPSec is performed.

R3#sh policy-map int fa0/1

FastEthernet0/1

 

Service-policy output: MYQOSPOLICY

 

Class-map: MYTOS5MAP (match-all)

1257 packets, 143298 bytes

5 minute offered rate 6000 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: ip dscp af11 (10)

Queueing

Output Queue: Conversation 265

Bandwidth 100 (kbps)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

 

Class-map: MYNOTTOS5MAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: not ip dscp af11 (10)

drop

 

Class-map: MYNOTIPMAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: not access-group name IPSECACL

Match: ip dscp af11 (10)

drop

 

Class-map: class-default (match-any)

31 packets, 4737 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

R3#

From R6 source of the traffic:

R6#ping

Protocol [ip]:

Target IP address: 192.168.2.7

Repeat count [5]: 1000000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface:

Type of service [0]: 40

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000000, 100-byte ICMP Echos to 192.168.2.7, timeout is 2 seconds:

…………………………U.U.U.U.U………!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • RESULT = OK

Lab2 : IPSec applied to the GRE tunnel

  • 2-a):
    • Default QoS order of operations (IPSec -> QoS)
    • QoS is based on both DSCP and IP criteria

Figure5: IPSec GRE tunnel encryptions

 

 

interface Tunnel0

crypto map MYCRYPTOMAP

!

interface FastEthernet0/1

service-policy output MYQOSPOLICY

R3#sh policy-map int fa0/1

FastEthernet0/1

 

Service-policy output: MYQOSPOLICY

 

Class-map: MYTOS5MAP (match-all)


0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: ip dscp af11 (10)

Queueing

Output Queue: Conversation 265

Bandwidth 100 (kbps)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

 

Class-map: MYNOTTOS5MAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: not ip dscp af11 (10)

drop

 


Class-map: MYNOTIPMAP (match-all)

129 packets, 24510 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: not access-group name IPSECACL

Match: ip dscp af11 (10)

drop

 

Class-map: class-default (match-any)

30 packets, 3060 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

R3#

  • RESULT = NOK

2-b) Apply QoS pre-classification (QoS -> IPSec)

 

R3#

interface Tunnel0

crypto map MYCRYPTOMAP

!

interface FastEthernet0/1

service-policy output MYQOSPOLICY

!

crypto map MYCRYPTOMAP 10 ipsec-isakmp

qos pre-classify

R3#sh policy-map int fa0/1

FastEthernet0/1

 

Service-policy output: MYQOSPOLICY

 

Class-map: MYTOS5MAP (match-all)

1689 packets, 320910 bytes

5 minute offered rate 15000 bps, drop rate 0 bps

Match: access-group name IPSECACL


Match: ip dscp af11 (10)

Queueing

Output Queue: Conversation 265

Bandwidth 100 (kbps)Max Threshold 64 (packets)

(pkts matched/bytes matched) 0/0

(depth/total drops/no-buffer drops) 0/0/0

 

Class-map: MYNOTTOS5MAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group name IPSECACL

Match: not ip dscp af11 (10)

drop

 

Class-map: MYNOTIPMAP (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: not access-group name IPSECACL

Match: ip dscp af11 (10)

drop

 

Class-map: class-default (match-any)

2 packets, 120 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

R3#

  • RESULT = OK
%d bloggers like this: