
AARNet3's traffic classes

Using AARNet3's traffic classes takes some preparation by your network engineering staff. This pamphlet briefly describes each class.

Best Effort DSCP = BE

This is used for the majority of traffic, but gives the best performance for web and other TCP-based traffic.
Any amount of traffic is accepted. Outgoing traffic is queued using the Random Early Detection algorithm.

Scavenger DSCP = CS1

This “worst effort” class can be used for bulk file transfers and for potentially disruptive traffic.
Any amount of traffic is accepted.
Outgoing traffic on each link reserves 1% of the link bandwidth for Scavenger traffic. Outgoing traffic is queued using the Random Early Detection algorithm. Scavenger traffic has a higher drop probability than Best Effort traffic.

Admission-controlled Voice DSCP = EF

This class can be used for Voice over IP traffic which aims to rival the Public Switched Telephone Network in availability.
Customers using this class warrant that traffic entering this class has passed admission control. Admission control can be by a H.323 gateway, a H.323 proxy, a SIP session border controller or by network engineering design.
Incoming traffic from a customer is policed to 2Mbps. Traffic exceeding the policing is re-marked to the Scavenger class.
Outgoing traffic is queued using a first-in first-out priority queue. If the outgoing traffic exceeds 2Mbps then the excess traffic may be dropped.

Admission-controlled Video DSCP = AF41

This class can be used for Video over IP traffic which aims to rival the Public Switched Telephone Network in availability.
Customers using this class warrant that traffic entering this class has passed admission control. Admission control can be by a H.323 gateway, a H.323 proxy, a SIP session border controller or by network engineering design. Video traffic from an access grid node is not admission controlled.
Incoming traffic from a customer is policed to 30Mbps. Traffic exceeding the policing is re-marked to the Scavenger class.
Outgoing traffic is queued using fair queuing. If the amount of outgoing traffic exceeds 30% of the link bandwidth then the traffic is re-marked to the Scavenger class.

Other markings DSCP = ?

Traffic with a Differentiated Services Code Point which does not match a traffic class which is expected from the site is re-marked to the Best Effort class.

Invalid ICMP

Some Internet Control Message Protocol messages should not be seen beyond the network boundary. This traffic is dropped.
Invalid ICMP messages are: all Redirects, Information Request and Reply, Mask Request and Reply, Router Advertisement and Solicitation, Conversion Error.

Diagnostic ICMP

Some ICMP traffic is only used for diagnostic purposes and is frequently misused. This traffic is re-marked into the Scavenger class.
Diagnostic ICMP messages are: Echo Request and Reply, Time Exceeded.
AARNet encourages customers to adopt a similar policy and limit the rate of diagnostic messages rather than discard these messages at their firewall.

Operational ICMP

Some ICMP messages are validly used during the operation of a flow. These messages are passed without alteration to their class.

Ethernet 802.1p mapping

The ethernet user_priority used by 802.1q VLAN trunks can be set to reflect the DSCP. If the switch cannot directly interpret the IP DSCP then AARNet suggests these 802.1p user_priority values.

Class         DSCP   Ethernet priority
Scavenger     CS1    Background  1
Best effort   BE     Default     0
AC Video      AF41   Video       5
AC Voice      EF     Voice       6
Control       CS6    Control     7
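
The re-marking and ICMP rules above can be written as one decision over a raw IPv4 packet. This is an added example, not AARNet's router configuration: struct site, the function names and the sample packet are constructed for illustration, the ICMP type numbers are the IANA ICMPv4 values, and ICMP types the pamphlet does not list are assumed to be operational.

```c
#include <stdint.h>
#include <stdio.h>

enum { DSCP_BE = 0, DSCP_CS1 = 8, DSCP_AF41 = 34, DSCP_EF = 46, DROP = -1 };
struct site { int qos, scavenger, video, voice; };  /* hypothetical: classes nominated */

/* DSCP a packet leaves with, or DROP; icmp_type < 0 means "not ICMP". */
static int wanted_dscp(const struct site *s, int dscp, int icmp_type)
{
    switch (icmp_type) {
    case 5:                     /* Redirect */
    case 9: case 10:            /* Router Advertisement, Router Solicitation */
    case 15: case 16:           /* Information Request, Information Reply */
    case 17: case 18:           /* Address Mask Request, Address Mask Reply */
    case 31:                    /* Datagram Conversion Error */
        return DROP;            /* invalid ICMP */
    case 0: case 8: case 11:    /* Echo Reply, Echo Request, Time Exceeded */
        return DSCP_CS1;        /* diagnostic ICMP goes to Scavenger */
    }
    if (icmp_type >= 0)
        return dscp;            /* assumption: other ICMP types are operational */
    if (s->qos && ((dscp == DSCP_CS1 && s->scavenger) ||
                   (dscp == DSCP_AF41 && s->video) || (dscp == DSCP_EF && s->voice)))
        return dscp;
    return DSCP_BE;             /* "Other markings", and sites without QoS */
}

/* Parse a raw IPv4 packet and return the DSCP it should carry, or DROP. */
static int edge_policy(const struct site *s, const uint8_t *pkt, size_t len)
{
    size_t ihl = len >= 20 ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < ihl || (pkt[0] >> 4) != 4)
        return DROP;            /* not a parseable IPv4 packet */
    int first_frag = (((pkt[6] & 0x1f) << 8) | pkt[7]) == 0;
    /* the ICMP type is only visible in the first fragment */
    int icmp = (pkt[9] == 1 && first_frag && len > ihl) ? pkt[ihl] : -1;
    return wanted_dscp(s, pkt[1] >> 2, icmp);   /* DSCP = top six bits of byte 1 */
}

int main(void)
{
    /* Constructed packet: IPv4 header marked EF, protocol ICMP, Echo Request. */
    const uint8_t ping[21] = { 0x45, 0xb8, 0, 21, 0, 0, 0, 0, 64, 1, 0, 0,
                               192, 0, 2, 1, 198, 51, 100, 1, 8 };
    struct site campus = { 1, 1, 0, 1 };   /* QoS on; Scavenger and Voice nominated */
    printf("ping marked EF leaves with DSCP %d\n", edge_policy(&campus, ping, sizeof ping));
    return 0;
}
```

A ping that a host has marked EF still leaves in the Scavenger class, which is the property that keeps diagnostic traffic out of the Voice queue.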
Measurement using ping and traceroute

Access to the router's processor is limited on AARNet3 routers. There is a small and distinct queue for ping and traceroute traffic to the processor and if that queue fills then the requests are dropped.
Ping and traceroute traffic also travels in the Scavenger worst-case class. This limits the misuse of diagnostic protocols for “ping flooding” and the like.
Ping and traceroute results are generally valid for diagnostic purposes but give very misleading results for measuring network performance.

Campus network design

Sites attached to AARNet3 are divided into two groups: those which have asked for the QoS service to be enabled and those that have not.
Sites which have not asked for QoS to be enabled have all traffic from their site marked as Best Effort. Traffic to their site interprets the DSCP through the AARNet3 network and sets the DSCP to Best Effort on the last hop before the site.
Sites which ask for QoS to be enabled can nominate to send Scavenger, Admission-controlled Video and/or Admission-controlled Voice in addition to Best Effort.
The site indicates the traffic class by setting the DSCP on each and every packet.
For the Admission Controlled classes the site warrants to AARNet that the traffic marked with the DSCP has encountered an admission control mechanism.
For a typical host subnet the site's router allows DSCP = CS1; allows DSCP = EF and DSCP = AF41 traffic addressed to the H.323 proxy; and sets DSCP = BE on all other traffic.
For a typical router-router subnet the site's router allows all DSCP values.
The H.323 proxy, SIP session border controller, or other admission control machine is placed into its own subnet. The site's router allows all defined DSCP types from the admission control devices, and polices the quantity of incoming traffic in the Voice and Video classes.
The per-hop behavior on all interfaces is the same.
The range of available per-hop behaviours varies considerably across router manufacturers. For Cisco Systems a typical choice would be priority queuing for Admission Controlled Voice, and bandwidth classes with weighted random early detection for the other classes. There is no point using RED for non-responsive flows, so queues for voice and video should use tail drop.
The AARNet3 implementation of Differentiated Services does not use output traffic shaping. This is a deliberate choice as typical implementations of the dual leaky bucket traffic shaping mechanism have been shown to perform poorly with TCP traffic. Correcting this requires configuring a bucket size of the bandwidth-delay product (about 64MB).

Using the Scavenger class

It is safe to allow users to mark traffic for the Scavenger class. Servers which have many long-lived best effort flows should consider marking their traffic with the Scavenger class.
The most efficient way to do this is to alter the software to use the setsockopt(..., IP_TOS, ...) function after creating the socket.
The easiest way to use the Scavenger service is to use the computer's firewall to set the DSCP on outgoing traffic. For example, on Linux:

    iptables --table mangle --append OUTPUT --out-interface eth0 \
        --protocol tcp --source-port http --jump DSCP --set-dscp 8

Limitations

AARNet3 does not support the use of the Voice and Video classes by soft phones which have not participated in admission control. This is a deliberate choice to prevent computers infected by malicious software from denying service to the Voice and Video classes.
For the same reason AARNet3 does not support the use of the Video class by access grids. The lack of congestion awareness by access grids is problematic: a wrongly directed mouse click can generate 30Mbps of denial of service traffic. This threat to best effort traffic from this lack of congestion awareness is a strong argument for a worst-effort class for access grid video.
There is no “better than best effort” class for virtual private network or storage area network traffic. This is a lesson learned from the SQL Slammer worm, where the interior of site networks had a severe denial of service. Preferring VPN traffic would have led to giving preference to traffic from sites which had yet to eradicate the worm and reducing service to sites which had eradicated the worm.

Further information

A detailed specification of AARNet3's traffic classes is at
www.aarnet.edu.au/Content.aspx?p=38

Australia's Academic and Research Network
www.aarnet.edu.au

Text Copyright © AARNet Pty Ltd (ACN 084 540 518), 2006-2007.
Photography Copyright © That Will Guy @ flickr.com, 2006.
Written by Glen Turner. Distributed at Real Time Road Show.
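
Marking traffic for the Scavenger class from inside the application, as the "Using the Scavenger class" section recommends with setsockopt(..., IP_TOS, ...), looks like the following. This is an added example, not code from the pamphlet; the function names are illustrative. IP_TOS takes the whole former TOS byte, so the DSCP value 8 used with iptables is written as 8 << 2 = 0x20.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define DSCP_CS1 8   /* Scavenger, the same value as --set-dscp 8 */

/* The DSCP is the upper six bits of the byte that IP_TOS sets; the lower
 * two bits carry ECN and are left clear for the kernel to manage. */
static int dscp_to_tos(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;
    return dscp << 2;
}

/* Set the DSCP on an IPv4 socket, then read it back to confirm the kernel
 * accepted it. Returns the DSCP now in effect, or -1 on error. */
static int mark_socket_dscp(int fd, int dscp)
{
    int tos = dscp_to_tos(dscp);
    socklen_t len = sizeof(tos);

    if (tos < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0)
        return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len) < 0)
        return -1;
    return (tos & 0xff) >> 2;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int dscp = mark_socket_dscp(fd, DSCP_CS1);
    if (dscp < 0)
        perror("IP_TOS");
    else
        printf("socket marked, DSCP now %d\n", dscp);
    /* connect(), or bind() and listen(), follow as usual from here */
    close(fd);
    return dscp < 0;
}
```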
