
List:       vpn
Subject:    Re: prioritization and IP VPN
From:       "Donkin, Richard" <rdonkin () ORCHESTREAM ! COM>
Date:       2000-07-21 22:26:29

Xedia have a single box QoS and IPSec VPN solution, which should take care
of all this.  Our products manage QoS on Xedias amongst other devices
(including Cisco and Bay) and don't seem to have any problem setting up CBQ
instances (which provide QoS) on top of IPSec tunnel instances in the Xedia
stack.

I'm not clear whether the tunnels go across the Internet or a single managed
IP network - if the latter, then DiffServ is quite applicable, i.e. you mark
packets before they enter the tunnels and the core network routers respect
this CoS allocation aka prioritisation.  The important point is that the
tunnel encapsulation process must copy the IP Type of Service byte from the
inner header to the outer encapsulating header.  The nice thing about
DiffServ is that the marking can cross barriers to classification such as
tunnel encapsulation and even NAT - however, you need to check your device
vendor does copy the TOS byte where appropriate.

Alternatively, if you are using the Internet as the core of the IPSec VPN,
you can use simple bandwidth management (queuing or TCP rate shaping at
the edge only, best effort in the core).  Packeteer-style TCP rate shaping,
aka window pacing, is probably more effective when you can only manage
bandwidth at a single point since it has 'action at a distance' effects on
the end host's sending TCP instance.  So if you are going for commodity
IPSec devices, you might be able to deploy Packeteers only at the central
hub site, if you have a hub-spoke VPN configuration.  TCP rate shaping
doesn't really handle VoIP, though, which is why Packeteer has something
remarkably like priority queuing (as far as I can tell from their docs).
Packeteers have some nice measurement features too.

Finally, my company does service activation software for QoS-enabled MPLS
VPNs, aimed at providers - these have similar tunnel-encapsulation issues,
but the boxes I'm familiar with copy the IP Precedence into the MPLS CoS
(EXPerimental) field, so they let IP CoS work with MPLS CoS transparently.

For more information on QoS, see www.qosforum.com - also, there are some
links at http://www.orchestream.com/support/links.html.

Richard
--
rdonkin@orchestream.com                   http://www.orchestream.com
Tel: +44 (0)20 7348 1507 (direct)         Orchestream Ltd.
     +44 (0)20 7348 1500 (switchboard)    Avon House, Kensington Village,
Fax: +44 (0)20 7348 1501                  Avonmore Road
>>>> IP Service Activation >>>>           London W14 8TS, UK


> -----Original Message-----
> From: MaN-H [mailto:man-h@NETCOURRIER.COM]
> Sent: Mon 17 July 2000 23:00
> To: VPN@SECURITYFOCUS.COM
> Subject: prioritization and IP VPN
>
>
> We want to implement a site to site connectivity using the
> CISCO IP VPN solution
> (IPSec tunnels, ESP).
> The problem is that we want to prioritize some applications
> (Citrix, VoIP).
> We have successfully tested the PacketShaper product provided
> by Packeteer set
> before each CPE.
> Has somebody tested another solution, can he share his experience ?
>
> MaN-H
>
> VPN is sponsored by SecurityFocus.COM
>

VPN is sponsored by SecurityFocus.COM

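Added example (not part of the original posts or any vendor's code): a small Python model of the point Richard makes about tunnel encapsulation. It builds an inner IPv4 packet marked for VoIP, wraps it in an outer IPv4 header for ESP with the TOS byte either copied or zeroed, checks whether the DSCP survived, and derives the 3-bit IP Precedence that maps onto the MPLS EXP field. The ESP payload is modelled as opaque constructed bytes (no real encryption), and the addresses are constructed sample values.

```python
import struct

IPPROTO_ESP = 50
IPPROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: bytes, dst: bytes, tos: int, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; src/dst are packed 4-byte addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def tos_of(packet: bytes) -> int:
    """The Type of Service byte is the second byte of the IPv4 header."""
    return packet[1]

def tunnel_encapsulate(inner: bytes, tun_src: bytes, tun_dst: bytes, esp_overhead: int,
                       copy_tos: bool = True) -> bytes:
    """Wrap an inner IPv4 packet in an outer header for an ESP tunnel.
    The ESP body (SPI, sequence, ciphertext, ICV) is a constructed opaque stand-in."""
    outer_tos = tos_of(inner) if copy_tos else 0      # the behaviour to check on a real device
    esp_body = b"\x00" * (len(inner) + esp_overhead)
    return build_ipv4_header(tun_src, tun_dst, outer_tos, len(esp_body), IPPROTO_ESP) + esp_body

def dscp_preserved(inner: bytes, outer: bytes) -> bool:
    """True if the DSCP (top 6 bits of TOS) of the outer header matches the inner one.
    The low 2 bits (ECN) are compared separately in practice, so only DSCP is checked here."""
    return (tos_of(inner) >> 2) == (tos_of(outer) >> 2)

def ip_precedence_to_mpls_exp(tos: int) -> int:
    """IP Precedence is the top 3 bits of TOS; MPLS EXP is 3 bits, so the copy is one-to-one."""
    return (tos >> 5) & 0x7

# Constructed sample: a VoIP packet marked DSCP EF (46), i.e. TOS byte 0xB8, precedence 5.
INNER_SRC, INNER_DST = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])
TUN_SRC, TUN_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
VOIP_TOS = 46 << 2
INNER = build_ipv4_header(INNER_SRC, INNER_DST, VOIP_TOS, 160, IPPROTO_UDP) + b"\x00" * 160
GOOD = tunnel_encapsulate(INNER, TUN_SRC, TUN_DST, esp_overhead=32)             # TOS copied
BAD = tunnel_encapsulate(INNER, TUN_SRC, TUN_DST, esp_overhead=32, copy_tos=False)  # TOS lost
```

Running `dscp_preserved` over captured outer headers and the matching inner packets is the check Richard suggests for confirming a vendor copies the TOS byte; the `BAD` case shows what a non-copying device produces.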