QoS and IPSec interactions
February 2, 2011
The efficiency of QoS Differentiated Services depends on the consistency and coherence of the per-hop behaviour (PHB) QoS policy deployed along the traffic path.
Services such as IPSec encryption or tunnelling can interfere with QoS. The purpose of this article is to clarify these interactions.
Outline
- Overview.
- Conclusions.
- Examples of deployment (Lab 1, Lab 2)
Overview
Interactions between QoS and IPSec are based on three principles:
- Order of operations
- QoS criteria
- QoS policy location
Order of operations: By default, IOS performs the tunnelling and VPN operations first and then applies the QoS policy.
Figure 1: default order of operations
With QoS pre-classification the order is reversed: the QoS policy is evaluated first, then the tunnelling and VPN processes.
Figure 2: QoS pre-classification
Well, technically the QoS operation is still performed after IPSec, but it uses the original header fields, which are preserved in a “temporary memory structure”.
QoS criteria: What is your QoS policy looking for? With GRE tunnelling or IPSec encryption a new header is built, and by default only the ToS field is copied from the original header to the new tunnel or IPSec header (tunnel mode). So be careful if your classification criteria are based on fields other than ToS/DSCP!
Figure 3: ToS/DSCP preservation
QoS policy location: QoS traffic classification is based on inspection of IP header fields such as addresses, protocol ID (PID), ports and ToS… What is visible to the QoS process depends on where your QoS policy is placed:
- On the tunnel interface, before header modification (tunnelling and VPN operations).
- On the physical interface, after header modification (tunnelling and VPN operations).
I hope the following illustrations give a clearer picture of how QoS and IPSec are related.
Figure 4: ONLY QoS policy applied to physical interface (header visible)
Figure 5: IPSec + QoS policy applied to physical interface (only ToS preserved)
Figure 6: IPSec + QoS pre-classification (original header visible)
Figure 7: IPSec + QoS policy applied to tunnel interface (original IP header visible)
Table 1 summarises all combinations of the previously mentioned cases. The eight cases are the combinations of three two-way factors:
Table 1: summary
Factor | first option | second option
QoS policy applied to | physical int. | tunnel int.
Order of operations | default behaviour | QoS pre-classification
QoS policy criteria | ONLY ToS | other field than ToS (IP, ports)
Case | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
Result | QoS succeeds | QoS succeeds | QoS succeeds | QoS succeeds | QoS succeeds | QoS succeeds | QoS fails | QoS succeeds
Conclusions:
QoS pre-classification is needed when:
- Classification is based on packet IP header information (src/dst IP, protocol ID, port numbers, flags…) &
- Service policy is applied to the physical interface (default order of processes)
QoS pre-classification is NOT needed when:
- Classification is based on the ToS/DSCP field only (the one field copied into the new header), or
- Service policy is applied to the tunnel interface (original IP header visible)
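To make Table 1 and the conclusions concrete, here is a small Python model (an added example, not code from the original post or from IOS) of the three principles: it encapsulates a constructed ICMP packet as tunnel-mode ESP copying only the DSCP byte, runs the lab's class-map logic against whichever header the policy can see, and reports the result for all eight combinations. Addresses, ACL and class names are those of the lab below; the "tos"-only criteria variant is an assumed class-map that matches DSCP alone.

```python
from itertools import product

AF11 = 10  # DSCP AF11, the marking the lab puts on its ICMP test traffic (ToS byte 40)

# Constructed inner packet matching the lab's IPSECACL (icmp 192.168.2.7 -> 192.168.1.6).
INNER = {"src": "192.168.2.7", "dst": "192.168.1.6", "proto": "icmp", "dscp": AF11}

def encapsulate(inner):
    """Tunnel-mode IPSec between the lab peers: a new outer header is built and only
    the ToS/DSCP byte is copied from the inner header (addresses and protocol change)."""
    return {"src": "172.16.12.4", "dst": "172.16.12.3", "proto": "esp", "dscp": inner["dscp"]}

def in_ipsecacl(hdr):
    """The lab's extended ACL: permit icmp host 192.168.2.7 host 192.168.1.6."""
    return (hdr["proto"], hdr["src"], hdr["dst"]) == ("icmp", "192.168.2.7", "192.168.1.6")

def classify(hdr, criteria):
    """Select a class of the lab's MYQOSPOLICY from the header the QoS engine can see.
    criteria 'tos'  : assumed class-map matching DSCP only (no access-group match).
    criteria 'other': the lab's class-maps, combining IPSECACL and DSCP."""
    if criteria == "tos":
        return "MYTOS5MAP" if hdr["dscp"] == AF11 else "class-default"
    if in_ipsecacl(hdr):
        return "MYTOS5MAP" if hdr["dscp"] == AF11 else "MYNOTTOS5MAP"
    return "MYNOTIPMAP" if hdr["dscp"] == AF11 else "class-default"

def outcome(location, preclassify, criteria):
    """Which header the policy sees, and whether the AF11 test traffic lands in the
    bandwidth class (QoS succeeds) or in a drop class (QoS fails)."""
    if location == "tunnel":
        seen = INNER                  # policy on the tunnel interface runs before encapsulation
    elif preclassify:
        seen = INNER                  # qos pre-classify: original header kept for the classifier
    else:
        seen = encapsulate(INNER)     # default order: only the new ESP header is left to inspect
    cls = classify(seen, criteria)
    return cls, "QoS succeeds" if cls == "MYTOS5MAP" else "QoS fails"

def table1():
    """All eight combinations of Table 1 -> {(location, preclassify, criteria): result}."""
    return {combo: outcome(*combo)[1]
            for combo in product(("physical", "tunnel"), (False, True), ("tos", "other"))}

if __name__ == "__main__":
    for (loc, pre, crit), result in table1().items():
        print(f"{loc:8} pre-classify={pre!s:5} criteria={crit:5} -> {result}")
```

Only the combination physical interface + default order + non-ToS criteria ends in the MYNOTIPMAP drop class, which is exactly the failing case the labs below reproduce.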
Lab 1: IPSec applied to the physical interface
1-a)
- Default QoS order of operations (IPSec -> QoS)
- QoS is based on both DSCP and IP criteria
Figure 5: IPSec encryption
R3:
crypto isakmp policy 101
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.12.3
!
!
crypto ipsec transform-set MYTRANSFORMSET esp-3des esp-sha-hmac
!
crypto ipsec profile MYIPSECPROFILE
 set transform-set MYTRANSFORMSET
!
!
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer 172.16.12.3
 set transform-set MYTRANSFORMSET
 match address IPSECACL
!
!
class-map match-all MYNOTIPMAP
 match not access-group name IPSECACL
 match ip dscp af11
class-map match-all MYTOS5MAP
 match access-group name IPSECACL
 match ip dscp af11
class-map match-all MYNOTTOS5MAP
 match access-group name IPSECACL
 match not ip dscp af11
!
!
policy-map MYQOSPOLICY
 class MYTOS5MAP
  bandwidth 100
 class MYNOTTOS5MAP
  drop
 class MYNOTIPMAP
  drop
 class class-default
!
interface FastEthernet0/1
 ip address 172.16.12.4 255.255.255.0
 crypto map MYCRYPTOMAP
 service-policy output MYQOSPOLICY
!
ip access-list extended IPSECACL
 permit icmp host 192.168.2.7 host 192.168.1.6
The IPSec traffic (new IPSec ESP header) is matched by the class “MYNOTIPMAP” and the drop policy is applied:
R3#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: MYQOSPOLICY

    Class-map: MYTOS5MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: ip dscp af11 (10)
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 48/0/0

    Class-map: MYNOTTOS5MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: not ip dscp af11 (10)
      drop

    Class-map: MYNOTIPMAP (match-all)
      5 minute offered rate 0 bps, drop rate 55000 bps
      Match: not access-group name IPSECACL
      Match: ip dscp af11 (10)

    Class-map: class-default (match-any)
      15 packets, 1520 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
R3:
R3#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.12.4     172.16.12.3     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#
ICMP traffic is generated from R6 toward R7 with DSCP af11:
R6#ping
Protocol [ip]:
Target IP address: 192.168.2.7
Repeat count [5]: 100000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 40
% Invalid source
Source address or interface:
Type of service [0]: 40
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.7, timeout is 2 seconds:
.............................................................
- RESULT = NOK
1-b) Apply QoS pre-classification (QoS -> IPSec)
R3:
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer 172.16.12.3
 set transform-set MYTRANSFORMSET
 match address IPSECACL
 qos pre-classify
!
QoS is now performed first (class “MYTOS5MAP” matches), and IPSec is performed afterwards:
R3#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: MYQOSPOLICY

    Class-map: MYTOS5MAP (match-all)
      1257 packets, 143298 bytes
      5 minute offered rate 6000 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: ip dscp af11 (10)
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: MYNOTTOS5MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: not ip dscp af11 (10)
      drop

    Class-map: MYNOTIPMAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: not access-group name IPSECACL
      Match: ip dscp af11 (10)
      drop

    Class-map: class-default (match-any)
      31 packets, 4737 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
From R6, the source of the traffic:
R6#ping
Protocol [ip]:
Target IP address: 192.168.2.7
Repeat count [5]: 1000000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 40
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000000, 100-byte ICMP Echos to 192.168.2.7, timeout is 2 seconds:
.....................................U.U.U.U.U...........!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- RESULT = OK
Lab 2: IPSec applied to the GRE tunnel
2-a)
- Default QoS order of operations (IPSec -> QoS)
- QoS is based on both DSCP and IP criteria
Figure 5: IPSec GRE tunnel encryption
interface Tunnel0
 crypto map MYCRYPTOMAP
!
interface FastEthernet0/1
 service-policy output MYQOSPOLICY
R3#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: MYQOSPOLICY

    Class-map: MYTOS5MAP (match-all)
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: ip dscp af11 (10)
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: MYNOTTOS5MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: not ip dscp af11 (10)
      drop

    Class-map: MYNOTIPMAP (match-all)
      129 packets, 24510 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: not access-group name IPSECACL
      Match: ip dscp af11 (10)
      drop

    Class-map: class-default (match-any)
      30 packets, 3060 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
- RESULT = NOK
2-b) Apply QoS pre-classification (QoS -> IPSec)
R3#
interface Tunnel0
 crypto map MYCRYPTOMAP
!
interface FastEthernet0/1
 service-policy output MYQOSPOLICY
!
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 qos pre-classify
R3#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy output: MYQOSPOLICY

    Class-map: MYTOS5MAP (match-all)
      1689 packets, 320910 bytes
      5 minute offered rate 15000 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: MYNOTTOS5MAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IPSECACL
      Match: not ip dscp af11 (10)
      drop

    Class-map: MYNOTIPMAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: not access-group name IPSECACL
      Match: ip dscp af11 (10)
      drop

    Class-map: class-default (match-any)
      2 packets, 120 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
- RESULT = OK