IP DSCP across the Internet

Mark Tinka mark.tinka at seacom.mu
Wed May 6 05:43:10 UTC 2015

On 6/May/15 03:35, Tim Jackson wrote:
> In general there are very few bad actors here in regards to
> trusting/accepting/using DSCP across the internet.
> Apple has a tendency to mark some traffic with EF that shouldn't be EF on
> PNIs, and Cogent leaks a lot of their internal markings into customers, but
> it's generally unmarked traffic from certain customers/peers. Other than
> that IMHO it's totally valid to accept, and nobody abuses it (other than
> those 2).
> We accept DSCP from the internet and do queue a few things higher towards
> customers for things like OTT VoIP etc.
> Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
> be careful, and I suggest good netflow tools to keep an eye on it.

We had an odd experience, once, where - due to old hardware - we could
not remark traffic we were picking up from a peer in South Africa.

With color-aware policing toward a customer in Uganda, any traffic
coming from that peer in South Africa was getting dropped toward that
customer in Uganda. After a very odd sequence of troubleshooting events,
we found that the AF DSCP alues being set by the peer in South Africa
(and us passing them due to the old kit not being able to remark on
ingress) was causing the color-aware policer in Uganda to drop traffic
toward the customer there.

Re-configuring the policer to be color-blind fixed the issue, but you
can imagine how such a corner case this was.

Naturally, with new kit in now, our global QoS policy is in effect.

We don't honor DSCP values that comes in via best-effort circuits (i.e.,
the Internet). Although not a very strong reason, this particular
experience is one reason why.


More information about the NANOG mailing list