INTERNET-DRAFT                                    Jagannathan Pathra B
draft-jpathra-application-tag-00.txt                    Prabhuraj V K
May 9, 2009                                       Cisco Systems, Inc.
Expires: 11 November, 2009

           Classification of traffic using Application Tags

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document describes a solution to classify Application-Layer
   traffic on switches using Application Tags.  The Application Tags can
   be passed on to other switches in the Enterprise Network and also to
   switches in the Service Provider Network.  Thus it provides a
   mechanism to classify and apply Quality of Service based on the
   Application-Layer Traffic.

Jagannathan Pathra B & Prabhuraj V K                            [Page 1]

Internet Draft      Classify traffic using Application Tags     May 2009
   The advantage of this solution is that it requires no hardware
   upgrade on the switch nor any Deep Packet Inspection (DPI) function
   on the switch.

1. Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Table of Contents

   1. Conventions.....................................................2
   2. Table of Contents...............................................2
   3. Introduction....................................................2
   3.1. Terminology...................................................3
   3.2. Acronyms......................................................3
   4. Working.........................................................3
   4.1. Passing of Application Tags...................................5
   4.2. Advantages....................................................5
   5. Security Considerations.........................................6
   6. IANA Considerations.............................................6
   7. References......................................................6
   7.1. Normative References..........................................6
   7.2. Informative References........................................6
   8. Authors' Addresses..............................................6

3. Introduction

   The capability of hosts/workstations to send tagged frames can be
   used to map Application-Layer details into the frames, for the
   purpose of classifying Application-Layer traffic and applying QoS.
   The mapping of Application-Layer details into the frames is done
   using Application Tags generated by the host/workstation or by a
   Deep Packet Inspection capable device.

3.1. Terminology

   VLAN Tag
      Frame with an 802.1Q VLAN identifier.

   Q-in-Q
      802.1ad stackable VLANs or Q-in-Q.
   Special Hybrid Port
      A port on the switch which connects to a host and accepts
      Application tagged frames.

   Application tagged frames
      Frames with an application layer classification mapped into the
      Ethernet frame.

   Dot1x
      IEEE 802.1X

3.2. Acronyms

   LAN        Local Area Network
   VLAN       Virtual LAN
   VLAN tag   VLAN Identifier
   AppID      Application Tag
   TBD1       Ethertype: new Ethertype value which denotes that the next
              16 bits specify the Application Tag.

4. Working

   The port on the switch which is connected to the host/workstation is
   configured as a special hybrid port.  This special hybrid port
   receives traffic from the host with Application Tags that identify
   the different kinds of Application-Layer traffic.  The exact method
   of mapping Application-Layer Traffic to an Application Tag is beyond
   the scope of this document.  A few examples of how Application Tags
   could be generated and mapped to Application-Layer traffic are:

   1) The administrator specifies on the host/workstation that traffic
      from Application A will have Application Tag 10, traffic from
      Application B will have Application Tag 4010, and so on.

   2) A script or program on the host has a local database containing
      the mapping of Applications to Application Tags.  So when
      Application A sends traffic, the host sends out the traffic with
      the Application Tag corresponding to Application A.

   3) When an application on the host attempts to send traffic, the
      host contacts a server which has a database containing the
      mapping of the application to the Application Tag.  The server
      responds with the Application Tag.  The host then sends out the
      traffic from Application A with the Application Tag received from
      the server.
   The Application Tag sent by the host has the format shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Type             |unused |    Application Tag    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type              TBD1 Ethertype
   Unused            Unused bits
   Application Tag   Application Tag

   The Application Tag might be used to identify traffic sent by one
   particular application or, in some cases, traffic sent by a set of
   applications which needs to be classified/treated the same way.

   It is to be noted that the Application Tag has a format similar to
   IEEE 802.1Q (VLAN tagged frames).  Because of this, most layer 2
   switches require no hardware upgrade or Deep Packet Inspection
   capability; a software upgrade is enough to identify the Application
   Tag.  Once the switch can identify the Application Tag, it can apply
   Quality of Service features to the Application-Layer traffic just
   the way it applies Quality of Service features to VLAN tagged
   frames.

   After acting on the traffic based on the Application Tag, the switch
   can drop these tags, and switching is then done based on the VLAN
   configuration of the port.  It is also possible for the Application
   Tags to be passed on to the other switches in the network, as
   described in the next section.  Passing the Application Tags on to
   the other switches makes it possible for any other switch to
   classify the Application-Layer traffic.

   When the switch receives traffic with no Application Tag on the
   special hybrid port, the traffic is classified with a predetermined
   default Application Tag known as the native Application Tag.

4.1. Passing of Application Tags

   The switch which is connected to the host acts on the
   Application-Layer traffic based on the Application Tag.
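   The following Python model is an added example, not part of this
   draft and not the authors' or Cisco's code.  It builds and parses the
   two frame forms the draft describes: the host-to-switch form from
   Section 4 (TBD1 ethertype followed by the 16-bit Application Tag
   field) and the switch-to-switch form from Section 4.1 (outer 0x8100
   VLAN tag, inner TBD1 tag), classifies untagged frames with the native
   Application Tag, and strips the tag before ordinary VLAN switching.
   Assumptions: TBD1 has no assigned value, so 0xFFFF stands in for it;
   the native Application Tag is taken as 0; and the allowed_tags check
   on the hybrid port is an added defender-side policy that the draft
   itself does not specify.

```python
import struct

# Ethertypes.  0x8100 is the IEEE 802.1Q TPID the draft uses for the outer
# VLAN tag.  TBD1 has no IANA-assigned value in the draft, so 0xFFFF stands
# in for it here (assumption; any value distinct from 0x8100 would do).
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_APP_TAG = 0xFFFF      # placeholder for TBD1 (assumption)
NATIVE_APP_TAG = 0              # assumed value of the native Application Tag
MAC_HDR_LEN = 12                # destination MAC (6) + source MAC (6)

def encode_app_tci(app_tag, wide=False):
    """Encode the 16 bits that follow the TBD1 ethertype.

    Default layout mirrors 802.1Q: 4 unused (zero) bits, then a 12-bit
    Application Tag in 1..4094.  wide=True uses all 16 bits (0..65535),
    the larger space noted in section 4.2, item 5.
    """
    if wide:
        if not 0 <= app_tag <= 0xFFFF:
            raise ValueError("wide Application Tag out of range")
        return app_tag
    if not 1 <= app_tag <= 4094:
        raise ValueError("Application Tag must be 1..4094 in VLAN-style layout")
    return app_tag

def decode_app_tci(tci, wide=False):
    """Inverse of encode_app_tci; the 4 unused bits are ignored unless wide."""
    return tci if wide else tci & 0x0FFF

def build_frame(dst, src, app_tag, ethertype, payload, vlan_id=None, wide=False):
    """Build an Application-tagged Ethernet frame (FCS omitted).

    vlan_id=None: host-to-switch form (section 4), TBD1 tag right after MACs.
    vlan_id=N:    switch-to-switch form (section 4.1), outer 0x8100 tag with
                  VLAN ID N and inner TBD1 tag, stacked Q-in-Q style.
    """
    hdr = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range")
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    hdr += struct.pack("!HH", ETHERTYPE_APP_TAG, encode_app_tci(app_tag, wide))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame, wide=False):
    """Return (vlan_id, app_tag, ethertype, payload); absent tags are None."""
    off, vlan_id, app_tag = MAC_HDR_LEN, None, None
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (ETHERTYPE_VLAN, ETHERTYPE_APP_TAG):
            break                       # reached the payload ethertype
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        if etype == ETHERTYPE_VLAN and vlan_id is None:
            vlan_id = tci & 0x0FFF
        elif etype == ETHERTYPE_APP_TAG and app_tag is None:
            app_tag = decode_app_tci(tci, wide)
        else:
            raise ValueError("unexpected repeated tag")
        off += 4
    return vlan_id, app_tag, etype, frame[off + 2:]

def strip_app_tag(frame):
    """Remove the TBD1 tag (if any) so switching proceeds on the VLAN config."""
    off = MAC_HDR_LEN
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETHERTYPE_VLAN:         # keep an outer VLAN tag in place
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETHERTYPE_APP_TAG:
        return frame[:off] + frame[off + 4:]
    return frame

def classify_on_hybrid_port(frame, allowed_tags=None, wide=False):
    """Model the special hybrid port: return (app_tag, frame_without_app_tag).

    Frames carrying no Application Tag get the native tag.  allowed_tags is
    an added defender-side policy (assumption, not in the draft): a tag the
    port is not configured to accept is treated as untagged, not trusted.
    """
    _, app_tag, _, _ = parse_frame(frame, wide)
    if app_tag is None or (allowed_tags is not None and app_tag not in allowed_tags):
        app_tag = NATIVE_APP_TAG
    return app_tag, strip_app_tag(frame)

if __name__ == "__main__":
    # Constructed sample: the host sends Application Tag 4010 (the value the
    # draft uses for "Application B") ahead of a stub IPv4 payload.
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("00112233aabb")
    frame = build_frame(dst, src, 4010, 0x0800, b"\x45" + b"\x00" * 19)
    tag, plain = classify_on_hybrid_port(frame, allowed_tags={10, 4010})
    print("Application Tag:", tag, "| after stripping:", plain.hex())
    upstream = build_frame(dst, src, tag, 0x0800, plain[14:], vlan_id=100)
    print("stacked for the next switch:", parse_frame(upstream)[:2])
```

   The parser stops at the first ethertype that is neither 0x8100 nor
   the TBD1 placeholder, which is exactly the behaviour the draft relies
   on for switches that do not understand TBD1: they see 0x8100, switch
   on the VLAN ID, and never look inside.  Because the tag is a plain
   field any sender can set, the allowed_tags policy only limits which
   tags a port will honour; it does not make the tag itself trustworthy,
   which is the point the Security Considerations section makes.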
   This Application Tag can be passed on to the other switches in the
   enterprise network, or even to the service provider network, so that
   any switch can identify the traffic of a particular application or
   set of applications.

   The Application Tag is passed on to the other switches in a manner
   similar to Q-in-Q traffic (IEEE 802.1ad).  The difference is that the
   outer tag, with ethertype 0x8100, signifies the VLAN ID and the inner
   tag, with ethertype TBD1, signifies the Application Tag.  The
   intermediate switches act on the Application Tag if they have the
   capability to look into the inner tag; otherwise they just switch the
   traffic based on the VLAN ID.  Thus the Application classification
   can be done at any switch between the source and destination.

4.2. Advantages

   1) Since the Application Tag is similar to the VLAN tag, it requires
      only a small software upgrade and no hardware modifications.

   2) The Application Tag can be carried on to the other switches.  Thus
      Application traffic details are not lost.

   3) The feature is backward compatible, since switches which are not
      aware of the TBD1 ethertype will simply switch the traffic.

   4) The originator of the Application Tag need not always be a host.
      Even a Deep Packet Inspection capable device in the path of the
      traffic can add the Application Tag.  Thus the host/workstation
      need not have the capability to send tagged frames.

   5) Since the Application Tag is similar to a VLAN ID, only 4094
      Application Tags can be used.  But if the 4 unused bits (which
      correspond to CFI and user priority in VLAN tagged frames) are
      included, then 65,536 Application Tags can be used.

5. Security Considerations

   The classification of traffic using Application Tags is insecure in
   that the method for mapping a particular Application-Layer traffic
   to a particular Application Tag might be tampered with.
   For example, if the host/workstation is hacked, it might be possible
   to map bad Applications to Application Tags reserved for good
   applications.

6. IANA Considerations

   IANA has assigned an ethertype value of TBD1 to the ethernet number
   from the ethernet number space defined in RFC 5342.

7. References

7.1. Normative References

   [802.1D-ORIG]  Original 802.1D - ISO/IEC 10038, ANSI/IEEE Std
                  802.1D-1993, "MAC Bridges".

7.2. Informative References

   [802.1Q]       802.1Q - ANSI/IEEE Draft Standard P802.1Q/D11, "IEEE
                  Standards for Local and Metropolitan Area Networks:
                  Virtual Bridged Local Area Networks", July 1998.

8. Authors' Addresses

   Jagannathan Pathra B
   Cisco Systems, Inc.
   jpathra@cisco.com

   Prabhuraj V K
   Cisco Systems, Inc.
   prabraj@cisco.com