Service providers currently offer value-added Virtual Private Network (VPN) services, which provide secure network connections among the multiple sites of a corporation over a shared network infrastructure. Quality of service (QoS) VPNs not only connect a company's sites securely, but also provide different levels of QoS to different classes of traffic according to the corporation's needs. Such value-added services may include QoS guarantees for VPN tunnels and service differentiation among users, among others. All of these benefits come at the cost of trusting the service provider to maintain the security associations with the end points.
Differentiated Services (DiffServ) is a framework that classifies traffic into classes with different priority levels. At the edge of a service provider's core network with DiffServ QoS provisioning, traffic is classified and aggregated into the various classes, each with its own level of QoS requirements. The objective is to maximize the service provider's profit by allocating resources and admitting VPN requests so as to achieve high network utilization, a low call block rate (especially in high-priority classes), and minimal Service Level Agreement (SLA) violations for existing VPN connections.
Packets belonging to different classes are marked with different DiffServ Code Points (DSCP). This marking is typically done at the egress router/switch of a customer's network, or at the ingress router/switch of a service provider's network. Because a DSCP set inside the customer's network is outside the provider's control, the provider's ingress does not take it at face value: based on the service level agreement (SLA) for each class of traffic, metering and policing are performed at the ingress router/switch of the service provider's network to ensure that the traffic conforms to the SLA between the customer and the service provider, with non-conforming packets dropped or re-marked. Packets with different DSCPs are placed in different queues and receive a particular per-hop forwarding behavior (PHB) along the route.
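The marking, metering and policing step above, as an added example that is not code from the original page: it extracts and rewrites the DSCP in an IPv4 header (fixing the header checksum), maps codepoints to PHB names, and runs a per-class token-bucket meter at the provider ingress. The SLA rates, the packet builder, and the policing decisions (excess EF dropped, excess AFx re-marked to the AFx3 drop precedence, codepoints outside the SLA re-marked to best effort, best effort itself left unmetered) are assumptions made for the example.

```python
"""Added example: DSCP marking, per-class metering and policing at a DiffServ
boundary (provider ingress). Not code from the original page; the SLA figures
and packets below are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Standard codepoints: EF (RFC 3246), AFxy (RFC 2597), default/BE (RFC 2474).
DSCP_EF, DSCP_BE = 46, 0
DSCP_AF = {(c, p): 8 * c + 2 * p for c in (1, 2, 3, 4) for p in (1, 2, 3)}
AF_BY_DSCP = {v: k for k, v in DSCP_AF.items()}


def dscp_of(packet: bytes) -> int:
    """Upper six bits of the IPv4 TOS byte (byte 1) carry the DSCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1] >> 2


def _fold(s: int) -> int:
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Re-mark the packet (ECN bits untouched) and recompute the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    s = _fold(sum(struct.unpack("!10H", bytes(hdr))))
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr) + packet[20:]


def checksum_ok(packet: bytes) -> bool:
    """A correct IPv4 header sums (ones' complement) to 0xFFFF."""
    return _fold(sum(struct.unpack("!10H", packet[:20]))) == 0xFFFF


def phb_of(dscp: int) -> str:
    """PHB a codepoint selects: EF, AFxy, CSn (CS0 is the default/BE PHB)."""
    if dscp == DSCP_EF:
        return "EF"
    if dscp in AF_BY_DSCP:
        c, p = AF_BY_DSCP[dscp]
        return f"AF{c}{p}"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    return "unknown"


@dataclass
class TokenBucket:
    """Single-rate, two-colour meter (simplified from the RFC 2697 srTCM)."""
    rate_bps: float
    burst_bytes: float
    tokens: float = -1.0   # -1 means "start full"
    last: float = 0.0

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.burst_bytes

    def conforms(self, now: float, size: int) -> bool:
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class IngressPolicer:
    """SLA = {class: (rate_bps, burst_bytes)} for EF and AFx classes.
    Customer-set DSCPs are not trusted (assumed policy): codepoints outside the
    SLA are re-marked to best effort, excess EF is dropped, excess AFx is
    re-marked to AFx3. Best effort (CS0) is passed unmetered in this example."""

    def __init__(self, sla: Dict[str, Tuple[float, float]]):
        self.meters = {cls: TokenBucket(r, b) for cls, (r, b) in sla.items()}

    def process(self, packet: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        phb = phb_of(dscp_of(packet))
        if phb == "CS0":
            return "accept", packet
        cls = phb if phb == "EF" else phb[:3] if phb.startswith("AF") else None
        if cls not in self.meters:
            return "remark-BE", set_dscp(packet, DSCP_BE)
        if self.meters[cls].conforms(now, len(packet)):
            return "accept", packet
        if cls == "EF":
            return "drop", None
        return f"remark-{cls}3", set_dscp(packet, DSCP_AF[(int(cls[2]), 3)])


def ipv4_packet(dscp: int, payload_len: int) -> bytes:
    """Constructed IPv4 packet: minimal 20-byte header, zeroed payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17,
                      0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return set_dscp(hdr + bytes(payload_len), dscp)


if __name__ == "__main__":
    pol = IngressPolicer({"EF": (8_000, 1_000), "AF1": (8_000, 1_000)})
    pkts = [ipv4_packet(DSCP_EF, 480)] * 3 + [ipv4_packet(10, 1180), ipv4_packet(40, 80)]
    for pkt in pkts:
        verdict, out = pol.process(pkt, 0.0)
        print(verdict, None if out is None else phb_of(dscp_of(out)))
```

Running the script shows the EF bucket (1000-byte burst) admitting two 500-byte packets and dropping the third, a 1200-byte AF11 packet re-marked to AF13 because it exceeds the burst, and a customer-set CS5 codepoint, which the SLA does not cover, re-marked to best effort before it can claim a queue the customer did not pay for.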
The current industry approaches to class-based bandwidth allocation and admission control consist of static bandwidth allocation with parameter-based admission control, and dynamic bandwidth allocation with parameter-based admission control. Static bandwidth allocation usually results in poor network utilization, as the incoming bandwidth requests in each class do not match the a priori bandwidth allocation to each class: typically some classes receive more requests than fit in their pre-allocated bandwidth, while other classes receive too few and leave allocated bandwidth unused. Dynamic allocation assigns bandwidth on the fly. It improves network utilization, but may result in a high call block rate in some high-priority classes if their requests arrive after the available bandwidth has already been allocated to low-priority requests.
Given the bandwidth allocation scheme, an admission control algorithm is applied to decide whether a VPN request is accepted. There has been considerable work on flow-based admission control in QoS networks (mostly with Integrated Services (IntServ)), but none of it provides a good solution for single-hop class-based bandwidth allocation and admission control in DiffServ networks. Those solutions are restricted to QoS services that provide per-flow assurance (e.g. IntServ), and do not address services that give only aggregated (per-class) service assurance, such as DiffServ, where no per-flow admission control is necessary. The input parameters to the admission control include the traffic and QoS parameters of the new request, the load of already accepted calls on the shared link, and the available link bandwidth. Parameter-based admission control considers the worst-case scenario of the incoming traffic (its declared peak rate) and therefore results in low network utilization on the shared link.
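The two allocation schemes and the parameter-based admission control of the preceding two paragraphs, run side by side over one request trace, as an added example that is not code from the original page. The link capacity, the static per-class quotas, the request parameters and their arrival order are assumptions chosen so that each scheme's weakness is visible: the trace has a burst of low-priority requests arriving before the high-priority ones.

```python
"""Added example: static vs dynamic class-based bandwidth allocation, each with
parameter-based (declared peak rate) admission control, over a constructed
request trace. Not code from the original page; capacity, quotas and the
request sequence are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Request:
    cls: str      # DiffServ class of the VPN request
    peak: float   # declared peak rate (Mb/s): what parameter-based CAC reserves
    mean: float   # long-term mean rate (Mb/s): what the link actually carries


@dataclass
class Outcome:
    accepted: List[Request] = field(default_factory=list)
    offered: Dict[str, int] = field(default_factory=dict)
    blocked: Dict[str, int] = field(default_factory=dict)

    def block_rate(self, cls: str) -> float:
        return self.blocked.get(cls, 0) / self.offered[cls]

    def reserved(self) -> float:
        """Bandwidth committed on the link (sum of accepted peaks)."""
        return sum(r.peak for r in self.accepted)

    def carried(self) -> float:
        """Bandwidth the link will actually see (sum of accepted means)."""
        return sum(r.mean for r in self.accepted)


def admit(requests: List[Request], capacity: float,
          quota: Optional[Dict[str, float]] = None) -> Outcome:
    """Parameter-based admission: accept a request iff its declared peak fits
    in the bandwidth still available to it.
    quota=None           -> dynamic allocation: one shared pool of `capacity`
    quota={cls: bw, ...} -> static allocation: per-class pre-allocated slices"""
    out, used = Outcome(), {}
    for r in requests:
        out.offered[r.cls] = out.offered.get(r.cls, 0) + 1
        if quota is None:
            limit, load = capacity, sum(used.values())
        else:
            limit, load = quota.get(r.cls, 0.0), used.get(r.cls, 0.0)
        if load + r.peak <= limit:
            out.accepted.append(r)
            used[r.cls] = used.get(r.cls, 0.0) + r.peak
        else:
            out.blocked[r.cls] = out.blocked.get(r.cls, 0) + 1
    return out


# Constructed scenario (assumptions): a 100 Mb/s link, static quotas that sum
# to the link rate, and eight best-effort requests arriving before the EF and
# AF1 requests. Every request declares a 10 Mb/s peak; means are lower.
CAPACITY = 100.0
STATIC_QUOTA = {"EF": 30.0, "AF1": 40.0, "BE": 30.0}
TRACE = ([Request("BE", 10, 5)] * 8
         + [Request("EF", 10, 8)] * 4
         + [Request("AF1", 10, 6)] * 2)


def compare(trace=TRACE, capacity=CAPACITY, quota=STATIC_QUOTA) -> Dict[str, dict]:
    """Metrics for both schemes on the same trace."""
    runs = {"static": admit(trace, capacity, quota), "dynamic": admit(trace, capacity)}
    return {name: {"reserved": o.reserved(), "carried": o.carried(),
                   "block_rate": {c: o.block_rate(c) for c in o.offered}}
            for name, o in runs.items()}


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:8s} reserved={m['reserved']:.0f}/{CAPACITY:.0f} Mb/s "
              f"carried={m['carried']:.0f} Mb/s block_rate={m['block_rate']}")
```

On this trace the static scheme leaves half of the AF1 slice idle while blocking five of the eight BE requests, and the dynamic scheme fills the whole link but blocks half of the EF requests and all of the AF1 requests because the BE burst arrived first; the dynamic result is entirely a function of arrival order. In both runs the reserved bandwidth (sum of declared peaks) is well above what the link actually carries (sum of means), which is the utilization cost of the worst-case assumption in parameter-based admission control.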