From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] TOS Header
Date: Mon, 01 Dec 2003 06:59:40 +0000
Message-ID: <marc-lartc-107026206002929@msgid-missing>

Alan,

: I notice the ultimate traffic shaper script suggests using:
:
: tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
: match ip tos 0x10 0xff flowid 1:10
:
: To find high-priority SSH etc traffic by matching on certain flags in
: the TOS header.

Frankly, it only finds packets that an ssh implementation (at least
openssh) has marked as "interactive". Even telnet marks packets as
"interactive" with a TOS value of 0x10.

: However, I was under the impression that the TOS header is no longer
: used, instead replaced by DSCP. Is this correct?

No. I'd recommend a tcpdump to prove this to yourself. Or you can
examine mine [0]. But see also PSIkappa's corrective note that clever
users will create ssh tunnels to get the 0x10 TOS for non-interactive
traffic as well [1].

If you want to read an interesting story about ssh and TOS from last year
at about this time, see this note in the archive for a great introduction
to the sorts of troubles that TOS-mangling can bring with it [2].

The DSCP is a mark a packet receives as it enters a DiffServ domain.
There is no pretension (as with the TOS bits) that other network providers
are going to honour the DSCP bits. In fact, I would be rather surprised
if a network provider using DiffServ failed to strip off (or replace) the
DSCP on all inbound packets.

: If so, does the above command actually work? I've certainly not found
: it to be a particular improvement, nothing like the improvement I get
: if I match on dport 22.

I've found that the above command works for me, although you appear to
have missed the important TCP dest (or src) port match in your example.

  tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip dport 0x16 0xffff \
    match ip tos 0x10 0xff \
    flowid 1:10

I imagine that was just an oversight on your part.

: Is it possible to do similar matching on the DS header? Does anybody
: have a reference for what the DS header contains? I'm rather confused
: about what it is and whether it's of any use. I've found the IANA DSCP
: header allocation list, but the codes given don't mean anything to me

I presume you are talking about this site [3].

Well, be prepared for a little mountain of reading if you want to
understand the DiffServ architecture. I find Leonardo Balliache's pages
an excellent introduction to DiffServ under Linux [4].

-Martin

[0] http://mailman.ds9a.nl/pipermail/lartc/2002q4/006145.html
[1] http://mailman.ds9a.nl/pipermail/lartc/2002q4/006146.html
[2] http://mailman.ds9a.nl/pipermail/lartc/2002q4/005640.html
[3] http://www.iana.org/assignments/dscp-registry
[4] http://www.opalsoft.net/qos/DS.htm
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
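
Added example, not part of the message above or of the shaper script it discusses: a Python model of the two-match u32 filter from the message, run over constructed packets, that also decodes the same header byte as legacy TOS bits and as DSCP plus ECN. It goes one step beyond the message by showing that the full-byte mask 0xff misses a 0x10 packet whose low (ECN) bits are set, while a 0xfc mask (an assumption for illustration) ignores them; addresses, ports and helper names are made up.

```python
import struct

def ipv4_tcp(tos, dport, sport=40000):
    """Constructed sample: 20-byte IPv4 header (no options) + minimal TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + struct.pack("!HH", sport, dport) + bytes(16)

def u32_match(pkt, offset, width, value, mask):
    """u32 compares only the bits selected by mask, at a fixed offset."""
    field = int.from_bytes(pkt[offset:offset + width], "big")
    return (field & mask) == (value & mask)

def classify(pkt, tos_mask=0xFF):
    """True when the packet would hit flowid 1:10 under the two-match filter."""
    return (u32_match(pkt, 22, 2, 0x16, 0xFFFF)        # match ip dport 0x16 0xffff
            and u32_match(pkt, 1, 1, 0x10, tos_mask))  # match ip tos 0x10 <mask>

def decode_tos(byte):
    """Read one byte both ways: RFC 1349 TOS bits and RFC 2474/3168 DSCP+ECN."""
    return {
        "precedence": byte >> 5,          # top three bits
        "low_delay": bool(byte & 0x10),   # the "interactive" bit matched above
        "throughput": bool(byte & 0x08),
        "reliability": bool(byte & 0x04),
        "dscp": byte >> 2,                # upper six bits
        "ecn": byte & 0x03,               # lower two bits
    }

if __name__ == "__main__":
    samples = [  # (label, tos byte, destination port), all constructed
        ("tos 0x10, dport 22", 0x10, 22),
        ("tos 0x12, dport 22", 0x12, 22),  # 0x10 with one ECN bit set
        ("tos 0x08, dport 22", 0x08, 22),
        ("tos 0x10, dport 80", 0x10, 80),
    ]
    for label, tos, dport in samples:
        pkt = ipv4_tcp(tos, dport)
        print(f"{label:20} mask 0xff: {classify(pkt)!s:5} "
              f"mask 0xfc: {classify(pkt, 0xFC)!s:5} {decode_tos(tos)}")
```

The byte being matched is set by the sender, so the filter classifies what the sender claims rather than what the traffic is, which is the point of the ssh tunnel note in [1].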