Skip to main content

7. Security Considerations

There are a number of security issues associated with Differentiated Services, involving theft, denial, or modification of information in the DS field. These security issues, and those specific to this document, are discussed in [ARCH].

This document constrains portions of the codepoint space to allocation by Standards Action to reduce the probability of codepoint collisions. Since other network domains may be using the same EXP/LU codepoints for different local-use or experimental PHBs, there should be no assumption that the use of these codepoints has any form of uniform meaning globally.

The Differentiated Services architecture does not provide confidentiality protection per se. If such protection is required, it must be provided by other means, such as IP-layer encryption (IPsec).

Unauthorized access to high-quality or low-delay service may be a significant security issue, especially when the service offered can be differentiated from a slow or overloaded default service. For example, unauthorized users may attempt to obtain better quality of service than they are entitled to by forging DSCP values. The provider of a Differentiated Services domain is responsible for classifying and possibly conditioning traffic at its network boundaries, thus enforcing administrative policy and protecting that domain's resources from abuse. Such protection is typically done at the ingress of the DS domain since differentiation of service within the network generally does not require complex packet classification at every hop.

Users' DSCP values may be over-used or re-marked by downstream domains, which may result in them receiving less than their entitled quality of service. Since the DS field may be modified by any network element in transit, users expecting to receive a certain quality of service need a contractual agreement with their service provider to protect their traffic from unauthorized re-marking.

Boundary routers and host systems SHOULD be able to set the DS field to effect policy and policing functions, as described in [ARCH]. The provider of a DS domain MUST protect its boundary routers and related systems from unauthorized use to prevent unauthorized access and misuse of service.

Last updated on