The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
When data packets are transmitted across communication networks, various service policies, including quality of service (QoS) policies, may be applied to the data packets. These service policies allow a service provider to manage the data packets that are transmitted over the communication network. For example, service policies may include measures for reducing congestion at various points in the network, or may include measures that guarantee specified bandwidth requirements for certain users or network elements.
With greater frequency, various forms of security measures, such as IPsec or other measures that include encryption, are used in networks to maintain confidentiality of data packets. The application of security measures, by service providers in particular, has led to new challenges in the application of service policies. Specifically, it is very difficult to apply service policies, such as QoS, to data that is protected by IPsec or other security measures.
Generally, the difficulty arises because, after encryption, the actual content of a packet is unintelligible to the network components that traditionally apply service policies. Because the encrypted packet data is unintelligible, the network components are unable to examine packet data to determine whether a service should be applied to the packet.
In general, service policies are applied to packets when a packet is processed at an interface. For example, queuing classification may be applied on an outbound interface. Security measures, sometimes called security services, such as IPsec are generally applied before many QoS mechanisms are applied. Thus, after IPsec is applied to a packet, the packet becomes unintelligible and a router or switch cannot determine whether to apply QoS policy to the packet.
In certain prior approaches, there are two ways to apply service policies, such as QoS, to packets that are encrypted or are to be encrypted. The first option is to use some type of proprietary pre-classification. In this option, packets that require the application of service policies are identified prior to the application of encryption and are segregated so that the service policy can be applied prior to, during or after encryption. In the second option, service policies can be applied based on Type of Service (“ToS”) bits that may be copied to the IPsec headers during the IPsec processing. In effect, the ToS bits “mark” the encrypted packets that are subject to services.
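The following is an added illustration, not part of this application's text, of the problem described in the preceding paragraphs and of the second option above: a toy model in which a tunnel-mode gateway encrypts the inner packet and an outbound interface can classify for QoS only from the cleartext outer header. The cipher is a constructed keyed XOR stream standing in for ESP, and all class, field and function names are assumptions made for the example.

```python
"""
Toy model of QoS classification on IPsec-style tunnel packets.

Added illustration, not code from the patent application. The "cipher" is a
constructed SHA-256 counter-mode keystream, not real ESP; the packet layout,
names and DSCP-to-queue table are assumptions made for the example.
"""
from dataclasses import dataclass
import hashlib
import ipaddress

# DSCP values (upper six bits of the IPv4 ToS byte) mapped to queue classes.
QUEUE_BY_DSCP = {46: "voice", 26: "video"}  # EF and AF31; all else best-effort
DEFAULT_QUEUE = "best-effort"


@dataclass(frozen=True)
class InnerPacket:
    src: str
    dst: str
    dscp: int
    payload: bytes


@dataclass(frozen=True)
class TunnelPacket:
    """What the wire carries: a cleartext outer header plus opaque ciphertext."""
    outer_src: str
    outer_dst: str
    outer_dscp: int
    ciphertext: bytes


def _keystream(key: bytes, length: int) -> bytes:
    # Constructed stand-in for a stream cipher: SHA-256 in counter mode.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def serialize(inner: InnerPacket) -> bytes:
    """Constructed text header 'src|dst|dscp|' followed by the payload."""
    return f"{inner.src}|{inner.dst}|{inner.dscp}|".encode() + inner.payload


def tunnel_encrypt(inner: InnerPacket, key: bytes, tunnel_src: str,
                   tunnel_dst: str, copy_tos: bool) -> TunnelPacket:
    """Encrypt the whole inner packet; optionally copy its DSCP outward."""
    plain = serialize(inner)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, len(plain))))
    # With copy_tos the gateway "marks" the outer header with the inner DSCP;
    # without it the outer header carries the default value 0.
    outer_dscp = inner.dscp if copy_tos else 0
    return TunnelPacket(tunnel_src, tunnel_dst, outer_dscp, ct)


def parse_inner_header(data: bytes):
    """Read an inner header from bytes; return None when they are unintelligible."""
    try:
        src, dst, dscp, _ = data.decode("ascii").split("|", 3)
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(dscp)
    except (UnicodeDecodeError, ValueError):
        return None


def classify_by_inner_header(tp: TunnelPacket) -> str:
    """Legacy classifier that looks past the outer header; fails on ciphertext."""
    parsed = parse_inner_header(tp.ciphertext)
    if parsed is None:
        return DEFAULT_QUEUE
    return QUEUE_BY_DSCP.get(parsed[2], DEFAULT_QUEUE)


def classify_by_outer_header(tp: TunnelPacket) -> str:
    """Classifier that uses only the cleartext outer ToS/DSCP marking."""
    return QUEUE_BY_DSCP.get(tp.outer_dscp, DEFAULT_QUEUE)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    voice = InnerPacket("10.0.0.5", "192.0.2.10", 46, b"voice-rtp")
    for copy_tos in (True, False):
        tp = tunnel_encrypt(voice, key, "198.51.100.1", "203.0.113.1", copy_tos)
        print(f"copy_tos={copy_tos}: inner-header classifier ->",
              classify_by_inner_header(tp), "| outer-header classifier ->",
              classify_by_outer_header(tp))
```

The two classifiers make the point concrete: once the inner header is encrypted, `classify_by_inner_header` can no longer recover the DSCP and every packet falls to best-effort, whereas `classify_by_outer_header` queues the packet correctly only when the gateway has copied the ToS bits outward. The ciphertext itself is identical in both cases; only the cleartext marking differs.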
However, pre-classification measures and the copying of ToS bits are often costly in terms of computational and memory resources. Therefore, it would be desirable to have a method of applying service policies, such as QoS, to encrypted packets in a manner that avoids, or reduces the reliance on, pre-classification or copying ToS bits.
In addition, further complications arise when service providers wish to apply service policies with IPsec in the context of Virtual Private Networks (VPNs). In a VPN, data packets originate from a device and travel across the Internet to the service provider via an IPsec tunnel that is terminated by the service provider. The data packets are then forwarded across a Multi-protocol Label Switching (“MPLS”) network towards the actual destination, which may be an enterprise network. Several customers of a service provider may have overlapping IP addresses. The addresses may be assigned from a pool of IP addresses, and may be, in effect, virtual IP addresses. Therefore, based on the IP address alone, service mechanisms such as QoS are unable to identify particular customers or users. As a result, in a VPN, customer- or user-specific service policies cannot be applied based on an IP address.
Thus, it would be desirable to have a mechanism to apply service policies to encrypted or unintelligible packets in networks that have users or customers with overlapping IP addresses.