As is known in the art, data is transferred between nodes over the Internet in the form of packets or datagrams. A packet typically consists of a header portion and a data portion. The data portion comprises a number of bytes or octets of data. The data portion of a packet may contain as few bytes as the protocol permits, but typical protocols also ensure that there is a maximum number of bytes of data that are transferred between each packet header. Because packets may be transmitted through different routes in the network to a destination node, they may reach the destination node out of order. Under the Transmission Control Protocol (TCP)/IP protocol and other protocols, a sequence number is assigned to each packet to enable the destination node to restore the order of packets in the data transmission.
Referring now to FIG. 1, an exemplary definition of fields of an Internet Protocol (IP) packet header includes a number of fields that control how the data associated with the header is to be treated at a source and destination node. Exemplary fields include the source address 12j and the destination address 12k, which include the IP addresses of the communicating nodes. In addition, the IP header includes a version field 12a which identifies which version of the IP protocol should be used when parsing the IP header, and a protocol field 12h which identifies what other protocols are layered on top of the IP protocol. For example, certain protocols such as Transmission Control Protocol (TCP) include their own header, and the encoding of the TCP protocol in the protocol field alerts the destination node to interpret a portion of the data as a TCP header.
Another field in the IP header is the Type Of Service (TOS) field 12m. In the IP protocol, the TOS identifies the quality of service that should be afforded a given transmission between the identified source and destination nodes. For example, the field may be encoded to indicate a relative priority of the transmission; high priority transmissions would be given precedence over low priority transmissions at each of the source and destination nodes.
In versions IPv4 and IPv6 of the IP protocol a replacement header field, called the Differentiated Services Code (DSC) field 13, is defined, which supersedes the definition of the IP TOS octet. Differentiated Services (generally referred to as Diffserv in the art) enables different Per Hop Behaviors (PHBs) to be experienced at different nodes for different types of traffic. Traffic having a certain type of per hop behavior is said to belong to a particular behavior aggregate. Diffserv thus allows a network subscriber to control the quality of service (QOS) that is associated with their traffic by entering into a service level agreement to obtain the desired behavior of traffic at certain nodes. Generally speaking, there is a correlation between the value in the DSC field and the per hop behavior desired for the data encapsulated in the data field of the corresponding packet, and the per hop behavior is the means by which a node allocates resources to the behavior aggregate. There can be a variety of different types of traffic between a common source and destination, each of which may have different per hop behaviors and therefore each of which has different access rights to the resources (buffers, etc.) of the destination node.
While there are many possible per hop behaviors, certain per hop behaviors have been defined in the art. These per hop behaviors include Best Effort Forwarding (BE), Assured Forwarding (AF) and Expedited Forwarding (EF).
Best Effort (BE) per hop behavior is the default per hop behavior of Diffserv. BE behavior aggregate packets may be sent into a network without adhering to any particular rules, and the network will deliver as many of these packets as possible and as soon as possible, subject to other resource policy constraints. The reasonable implementation of this per hop behavior would be to forward packets in this aggregate whenever the output link is not required to satisfy another per hop behavior. A reasonable policy for constructing services ensures that the behavior aggregate is not starved by allowing it some access to the resources.
Traffic that is forwarded as part of the Assured Forwarding (AF) behavior aggregate is forwarded with a high probability that it will reach the destination node as long as the aggregate traffic from each site does not exceed a subscribed threshold. For example, in a typical application, a company uses the Internet to interconnect its geographically distributed sites and wants an assurance that IP packets within this intranet are forwarded with high probability as long as the aggregate traffic from each site does not exceed the subscribed information rate (profile). Different levels of Assured Forwarding (AF) PHB group behavior may be offered by a service provider to meet the required bandwidth and cost associated with the customer.
Expedited Forwarding provides the highest priority per hop behavior. The intent of the Expedited Forwarding PHB is to provide a building block for low loss, low jitter and low delay services. The dominant causes of delay in packet networks are fixed propagation delays on wide area links and queuing delays in switches and routers. Since propagation delays are a set property of the topology, delay can be minimized when queuing delays are minimized. The intent of the expedited forwarding per hop behavior is to provide a behavior in which suitably marked packets usually encounter short or empty queues. If queues remain short relative to the buffer space available, packet loss is also kept to a minimum. An additional requirement that may apply to the EF or AF PHBs is that the data packets often must be received in the order in which they are transmitted.
A protocol that may be layered on top of the IP protocol is the Internet Protocol Security (IPsec) protocol. Internet Protocol Security (IPsec) is a security protocol that provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for services, and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of secure gateways, or between a security gateway and a host. The set of security services that IPsec can provide include access control, connectionless integrity, data origin authentication, limited traffic flow confidentiality, and the rejection of replayed packets (a form of partial sequence integrity).
One element of the IPsec protocol is the use of the Authentication Header (AH) 14, as shown in FIG. 2. The IP Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replays. AH offers an anti-replay (partial sequence integrity) service at the discretion of the receiver, to help counter denial of service (DoS) attacks. A DoS attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. The anti-replay mechanism seeks to overcome DoS attacks by examining the sequence number 15d of received packets, and dropping any packets having duplicate sequence numbers within a predefined window. As shown in FIG. 2, the sequence number 15d comprises 32 bits, and is used as a counter for the data packets associated with the secure transmission. Typical implementations do not allow duplicate sequence numbers to appear within a thirty-two bit window, and therefore use five bits of the counter before resetting to provide a new sequence number. In order to prevent DoS attacks, the anti-replay mechanism deletes packets having duplicate sequence numbers within the thirty-two packet window.
Referring now to FIG. 3, an exemplary Diffserv data flow is shown, wherein the IP packets may have layered thereon an Authentication Header for IPsec purposes, including sequence numbers. A first traffic stream is shown to include packets A1, A2 and A3, and a second traffic stream is shown to include packets B1, B2 and B3. Source node 20 transmits both traffic streams to destination node 30. In the example of FIG. 3, assume that data transmission A, comprising packets A1, A2 and A3, belongs to the BE PHB aggregate, and transmission B, comprising packets B1, B2 and B3, belongs to an EF PHB aggregate. Source node 20 initiates the transmission of traffic stream A over the Internet 25 by forwarding packets A1 and A2 to destination node 30. As the packets are transmitted, they are assigned sequence numbers 1 and 2 respectively. Subsequent to the transmission of packets A1 and A2, data traffic belonging to the Expedited Forwarding per hop behavior aggregate is received at the source node 20. To implement the EF PHB for traffic stream B, the source node immediately switches its transmissions to destination node 30 over to traffic stream B. Packet B1 is assigned sequence number 1, packet B2 is assigned sequence number 2, and packet B3 is assigned sequence number 3, and all three packets are forwarded to the destination node. Following the transmission of packet B3 to the destination node, the final packet A3 of the first transmission can be forwarded to the destination node. Within a four packet transmission period, two pairs of packets have identical sequence numbers (packets A1 and B1 share sequence number 1, and packets A2 and B2 share sequence number 2). Typically the destination node will look to other characteristics of the packet, such as the protocol, the DSC field, and other identifying elements, to associate the appropriate packets with the appropriate transmission streams.
A problem arises, however, at the destination node due to the anti-replay mechanism of the IPsec protocol, because when packet B1 having the sequence number of 1 is received at the destination node it will be dropped since the duplicate sequence number potentially indicates a DoS attack. Thus, the contracted EF PHB for traffic stream B is not achieved. It would be desirable to determine a method of implementing Diffserv in networks having nodes operating using the IPsec protocol.
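The following added example (not part of the original document) models the receiver-side anti-replay check as the text describes it, a duplicate sequence number within the thirty-two packet window is dropped, and replays the FIG. 3 packet order through it. The `AntiReplayWindow` class, `deliver` function and `FIG3_ORDER` list are constructed here for illustration; a real IPsec AH receiver tracks a bitmap over sequence numbers rather than a list of recent packets. It goes slightly beyond the text in also showing that, under the same rule, A3 collides with B3, and that a duplicate arriving after the window has slid past is accepted.

```python
from collections import deque

WINDOW_PACKETS = 32  # the thirty-two packet anti-replay window from the text


class AntiReplayWindow:
    """Receiver-side check: drop any packet whose sequence number duplicates
    one seen among the last WINDOW_PACKETS accepted packets.
    Simplified model of the mechanism as described; not RFC 4302's bitmap."""

    def __init__(self, window=WINDOW_PACKETS):
        # Sequence numbers of recently accepted packets, oldest evicted first.
        self.recent = deque(maxlen=window)

    def check(self, seq):
        """Return True if the packet is accepted, False if dropped as a replay."""
        if seq in self.recent:
            return False
        self.recent.append(seq)
        return True


def deliver(packets, window=WINDOW_PACKETS):
    """Run (label, sequence_number) pairs through one anti-replay window.
    Returns (accepted_labels, dropped_labels) in arrival order."""
    win = AntiReplayWindow(window)
    accepted, dropped = [], []
    for label, seq in packets:
        (accepted if win.check(seq) else dropped).append(label)
    return accepted, dropped


# Constructed arrival order of FIG. 3: A1 and A2 go out first, the EF stream
# B1..B3 is then interposed with its counter restarting at 1, then A3 follows.
FIG3_ORDER = [("A1", 1), ("A2", 2), ("B1", 1), ("B2", 2), ("B3", 3), ("A3", 3)]

if __name__ == "__main__":
    ok, dropped = deliver(FIG3_ORDER)
    print("accepted:", ok)        # A1, A2, B3
    print("dropped as replays:", dropped)  # B1, B2, A3: the EF stream is broken
```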