Providing precedence and preemption capability for integrated services flows across cryptographic boundaries

MILCOM'09 Proceedings of the 28th IEEE conference on Military communications(2009)

Abstract
In cryptographically-partitioned networks, data within a packet can be used by routers in the plain-text enclaves to make quality of service (QoS) and precedence and preemption (P&P) decisions in regards to forwarding the packet and allocating resources for flows. However, while in a cipher-text shared transit network, the packet is encrypted and is opaque to routers in the transit network and cannot be used for QoS and P&P decisions. One piece of information that is available in an IPv4 network is the type of service (ToS) byte in the IPv4 packet header, which includes the 6-bit DiffServ Code Point (DSCP) and the 2-bit explicit congestion notification (ECN) and may be bypassed across the cryptographic boundary. We describe a method to allow routers in a transit network to make QoS and P&P decisions for Integrated Service (IntServ) flows using ReSerVation Protocol (RSVP) signaling based on the DSCP.
In our prior work, we described a technique of aggregating resources for IntServ flows between two Edge Networks within the cipher-text network by using a predetermined DiffServ Assured Forwarding (AF) class for all IntServ flows. The reserved resources were dynamically adjusted based on the amount of traffic with the appropriate DSCP traveling between the two edge networks. However, the technique would aggregate the resources for all RSVP flows between the two edge networks without regard to Precedence. In Global Information Grid Net-Centric Implementation Document: Quality of Service (T300), Table 2-4, "Long Term DoD DSCP Allocation" describes a mechanism of specifying the military precedence of a packet by using the dropping levels of the AF classes within DiffServ. Using this mechanism, we extend our previous work by aggregating the resources for each dropping level within the AF class reserved for IntServ flows. Thus, a router in the transit network can identify the precedence of all aggregated IntServ flows with allocated resources and can preempt the resources for the aggregation of lower precedence flows, if necessary, in order to allocate those resources to an aggregation of higher precedence flows. It then sets the ECN bits to Congestion Encountered (CE) in all packets of the aggregation of the lower precedence flows in order to indicate that the resources for those flows have been preempted within the cipher-text network. The ECN is bypassed across the cryptographic boundary and is visible in the plain-text enclaves. We also describe how we apply this technique to the other DiffServ AF classes.
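The mechanism in the abstract, sketched as an added example that is not code from the paper: a transit link keeps one reservation per AF drop level, preempts lower-precedence aggregates when a higher one needs capacity, and marks CE on the preempted aggregate's packets. Assumptions: a single pair of edge networks, a caller-supplied `rank` mapping from drop level to precedence (the T300 table is not reproduced on this page), and the hypothetical names `TransitLink`, `reserve` and `forward`.

```python
# Added illustration; names and the precedence mapping are assumptions.
ECN_CE = 0b11  # Congestion Encountered code point (RFC 3168)

def split_tos(tos):
    """Split the IPv4 ToS byte into (6-bit DSCP, 2-bit ECN)."""
    return tos >> 2, tos & 0b11

def af_decode(dscp):
    """Return (af_class, drop_level) for an AFxy code point (RFC 2597), else None."""
    af_class, low = dscp >> 3, dscp & 0b111
    if 1 <= af_class <= 4 and low in (2, 4, 6):
        return af_class, low >> 1
    return None

class TransitLink:
    """One transit-router link carrying per-drop-level IntServ aggregates."""

    def __init__(self, capacity_kbps, intserv_af_class, rank):
        self.capacity = capacity_kbps
        self.af_class = intserv_af_class
        self.rank = rank          # ASSUMED mapping: drop_level -> precedence rank
        self.reserved = {}        # drop_level -> reserved kbps
        self.preempted = set()    # drop levels whose resources were taken

    def reserve(self, level, kbps):
        """Reserve kbps for an aggregate, preempting lower-precedence ones if needed."""
        free = self.capacity - sum(self.reserved.values())
        lower = sorted((d for d in self.reserved if self.rank[d] < self.rank[level]),
                       key=self.rank.get)
        victims = []
        for d in lower:           # take from the lowest precedence first
            if free >= kbps:
                break
            free += self.reserved[d]
            victims.append(d)
        if free < kbps:
            return False          # nothing is preempted on failure
        for d in victims:
            del self.reserved[d]
            self.preempted.add(d)
        self.reserved[level] = self.reserved.get(level, 0) + kbps
        self.preempted.discard(level)
        return True

    def forward(self, tos):
        """Return the outer ToS byte as forwarded; preempted aggregates get CE."""
        af = af_decode(split_tos(tos)[0])
        if af and af[0] == self.af_class and af[1] in self.preempted:
            return tos | ECN_CE
        return tos
```

Because only the ToS byte is read, the router never needs the encrypted payload; a plain-text enclave that sees CE on its aggregate's packets learns that the reservation was preempted in the cipher-text network.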
Keywords
cryptographic boundary,integrated services flow,af class,preemption capability,ipv4 network,lower precedence flow,edge networks,transit network,plain-text enclave,providing precedence,cryptographically-partitioned network,p decision,cipher-text network,haipe,computer network security,explicit congestion notification,type of service,intserv,packet forwarding,data mining,diffserv,cryptography,resource allocation,packet switching,global information grid,integrated services,qos,quality of service,routing protocols,ip security,linux