ToS Markings



Gremlin
2007-01-21, 11:56
Hi all,

Is it possible to mark the packets' ToS field (DiffServ) with Check Point (Floodgate for instance)? It'll be helpful if there is any way to use Check Point's ability to recognize applications and then mark the packets' ToS field accordingly (DSCP for instance).

Thanks in advance and have a great day.

derspot
2007-01-22, 17:42
I haven't found such a setting, but it might be possible through a custom app on the OPSEC API. I think you should look for marking at the packet origin.

I think we need someone who understands this to comment.

For example, WHY WHY WHY do we need to configure DiffServ at both the Interface/QoS level AND at the QoS Rule Base itself?

Configuring DiffServ at the interface level is obvious - you want DiffServ to apply here. However, what is the reason for creating QoS rules under the DiffServ classes in the QoS Rule Base?

Yasushi Kono
2007-01-23, 10:20
I am quite confused about this thread, but I am not a native English speaker. So, maybe my English knowledge is not sufficient to extract the appropriate information.

Of course, you can mark the DiffServ Code Point by a QoS rule. You just have to add a QoS class and build a rule on top of that. You can verify it with Ethereal. I did it many times and it works definitely!

As you might know, the DSCP is inserted in the ToS field of the IP header.

chillyjim
2007-01-23, 10:37
Yasushi -- Can you provide a screen shot or two for this? I thought this was possible too, but I could not find it in the GUI.

derspot
2007-01-23, 12:11
I am quite confused about this thread, but I am not a native English speaker. So, maybe my English knowledge is not sufficient to extract the appropriate information.

Of course, you can mark the DiffServ Code Point by a QoS rule. You just have to add a QoS class and build a rule on top of that. You can verify it with Ethereal. I did it many times and it works definitely!

As you might know, the DSCP is inserted in the ToS field of the IP header.

ARE U SAYING THAT U ADD QOS RULES IN THE DIFFSERV QOS CLASS IN THE RULEBASE in order to mark the incoming packets in the IP packet and NOT to prioritize them based on markings already done?

Barry J. Stiefel
2007-01-24, 12:06
ARE U SAYING THAT U ADD QOS RULES IN THE DIFFSERV QOS CLASS IN THE RULEBASE in order to mark the incoming packets in the IP packet and NOT to prioritize them based on markings already done?

My understanding on this is that QoS can read the ToS byte and prioritize traffic based upon that information, but it cannot write to that byte.

derspot
2007-01-24, 21:53
Heh, I hope I find 1 hour soon to test this; it can be easily tested with Ethereal ... one of the guys up there says he tested and Floodgate DOES mark in the ToS. I am not sure if he is sure that these packets have not been marked before though (say at the origin).

Yasushi Kono
2007-01-26, 12:49
Hi Barry,

Check Point DOES label packets. I defined a QoS Class and associated the service FTP into the rule under that QoS Class. Then, I did an

fw monitor -e "accept sport=21 or dport=21;" -o ~/ftp.out

I took the output file to analyse it with Ethereal.

You just take one of the FTP packets and in the IP header, as you might know, at byte no. 1 (byte 0: Version + IHL; byte 1: Type of Service), you can see the DiffServ Code Point (DSCP), which corresponds exactly with the DSCP you defined in the QoS Class!

This does work definitely! I am a Check Point Instructor (just like Barry) and am teaching that portion in every one of my courses. So, I know that it works!!!

At the moment, I suffer from a lack of time. So, perhaps on Saturday or Sunday I will try to make some screenshots of this. Perhaps Check Point could take the Lab and insert it into the next Courseware (v. 1.2)? This will definitely be a great opportunity to learn a lot!

Kind regards,
Yasushi Kono (my private email address is: ykono@t-online.de)

Yasushi Kono
2007-01-26, 12:52
ARE U SAYING THAT U ADD QOS RULES IN THE DIFFSERV QOS CLASS IN THE RULEBASE in order to mark the incoming packets in the IP packet and NOT to prioritize them based on markings already done?

Yes, I am sure, because in my Lab environment, there is no device which marks the ToS field beforehand!

So, I think it is very important to know that Check Point is indeed able to label packets! This is a great feature!

Kind regards,
Yasushi

Yasushi Kono
2007-01-26, 12:55
Yasushi -- Can you provide a screen shot or two for this? I thought this was possible too, but I could not find it in the GUI.

I will try to find appropriate time to show you a step-by-step instruction.

I will write it like the Labs in ordinary CP courses, so Check Point/Irving can adopt this and insert it into the next courseware.

Just like the VoIP lab I designed! Is there someone from the Courseware Development there? A great opportunity to improve the Security Administration II NGX Courseware!!!!!

chillyjim
2007-01-26, 13:08
Is there someone from the Courseware Development there? A great opportunity to improve the Security Administration II NGX Courseware!!!!!

I don't know if they are reading on a regular basis but I let one of my contacts in the ATC group know to take a quick look and pass this thread on to who she feels fit.

Barry J. Stiefel
2007-01-27, 09:42
Hi Barry,

Check Point DOES label packets. I defined a QoS Class and associated the service FTP into the rule under that QoS Class. Then, I did an

fw monitor -e "accept sport=21 or dport=21;" -o ~/ftp.out

I took the output file to analyse it with Ethereal.

You just take one of the FTP packets and in the IP header, as you might know, at byte no. 1 (byte 0: Version + IHL; byte 1: Type of Service), you can see the DiffServ Code Point (DSCP), which corresponds exactly with the DSCP you defined in the QoS Class!

This does work definitely! I am a Check Point Instructor (just like Barry) and am teaching that portion in every one of my courses. So, I know that it works!!!

At the moment, I suffer from a lack of time. So, perhaps on Saturday or Sunday I will try to make some screenshots of this. Perhaps Check Point could take the Lab and insert it into the next Courseware (v. 1.2)? This will definitely be a great opportunity to learn a lot!

Kind regards,
Yasushi Kono (my private email address is: ykono@t-online.de)

Wow! Thanks for doing the research on this. I didn't know this was possible.

Yasushi Kono
2007-01-28, 17:32
Wow! Thanks for doing the research on this. I didn't know this was possible.

Barry, I could not write down the Lab. I will try it until Friday. It is not so difficult to configure, but as you might know: lack of time.

Until tomorrow, I have to send a description on Upgrading IPSO to a publisher. After that I will have a couple of minutes to accomplish the task.

Yasushi

derspot
2007-01-29, 18:30
Thanks, Great, Awesome, Perfect

Yasushi Kono
2007-01-30, 15:38
Because of lack of time I just described the steps necessary to configure a QoS rule for ToS marking. That's the way I do it when teaching the QoS chapter in Security Administration II NGX!

Maybe, I will write a Word document with all the Screen shots inserted there tomorrow or the day after tomorrow. This week, I have to go to the customer's site in order to add a new Nokia box into an existing IP cluster. Piece of cake, as you all know.

Perhaps the description above is good enough to understand what I am trying to tell. You could try to do the exercise in your Lab!

Kind regards,
Yasushi

Lab 14: CONFIGURING QoS CLASS FOR MARKING THE TOS FIELD

Our aim is to configure a new QoS Class. You will then see that Check Point VPN-1 Pro/Power is able to mark the Type of Service field of the IP header.

1) First of all, you have to add a new QoS Class: To accomplish this task click on Manage -> QoS -> QoS Classes. Then configure the appropriate settings for this Class.

2) To insert the new QoS Class you have to click on the QoS tab of SmartDashboard. Then insert this Class by right-clicking on the Best Effort Class and choosing the option "Add Class of Service Above".

3) Then right-click on this QoS Class in order to add a new QoS rule by choosing the "Add Rule Below" option.

4) Specify a particular service under the Service column. Just as a Lab, you can add FTP into the cell.

Then, you have to associate the appropriate QoS Class to the interface of your Security Gateway and install the QoS policy.

To prove that Check Point is indeed able to mark the ToS field, you can capture the FTP packets with fw monitor:

fw monitor -e "accept (([12:4,b]=10.1.1.101 and [16:4,b]=172.29.109.1) or ([12:4,b]=172.29.109.1 and [16:4,b]=10.1.1.101));" -o ~/ftp_dscp.out

Finally, you have to load the output file into Ethereal. There, expand one of the FTP packets to look at the IP header information. Look at the DSCP field and you will notice that a Code Point is being inserted by Check Point.
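
The Ethereal step of the Lab, and the "byte 1 of the IP header" explanation earlier in the thread, done in code. This is an added example and is not part of the original thread or of Check Point's software: it builds a small constructed capture (IPv4/TCP packets between the Lab's two addresses 10.1.1.101 and 172.29.109.1, labelled as constructed), models the QoS rule as "rewrite the DSCP of every packet to or from port 21 and fix the IPv4 header checksum", and then checks each FTP packet the way you would by hand in the decoder: DSCP = upper six bits of the ToS byte, ECN = lower two. The code point 100110 (AF43) is the one quoted later in the thread; the helper names, the sample payloads and the HTTP control packet are assumptions of this example.

```python
import struct

# Named DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF),
# used only to label what the decoder finds in the ToS byte.
DSCP_NAMES = {
    0: "CS0 (Best Effort)", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3", 26: "AF31",
    28: "AF32", 30: "AF33", 32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF", 48: "CS6", 56: "CS7",
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (RFC 791). Over a header whose
    stored checksum is valid the result is 0, which is how we verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, tos: int = 0) -> bytes:
    """Constructed IPv4/TCP packet: 20-byte IP header, 20-byte TCP header, given ToS byte."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def decode_tos(packet: bytes):
    """Byte 0 is Version+IHL, byte 1 is Type of Service: DSCP is its upper 6 bits, ECN the lower 2."""
    tos = packet[1]
    dscp, ecn = tos >> 2, tos & 0x3
    return dscp, ecn, DSCP_NAMES.get(dscp, "unassigned")


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def tcp_ports(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, and recompute the header checksum:
    a ToS change without the checksum fix-up would be discarded by the next hop."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def apply_qos_rule(packets, port: int, dscp: int):
    """Model of the Lab's QoS rule (assumption of this example): packets whose TCP source or
    destination port matches the service get the class's DSCP; anything else passes unchanged.
    As described later in the thread, a packet that already carries a mark is simply re-marked."""
    return [mark_dscp(p, dscp) if port in tcp_ports(p) else p for p in packets]


def verify_marking(packets, expected_dscp: int, port: int = 21):
    """The Ethereal check in code: for every packet to/from the service port, report the DSCP
    actually carried and whether it equals the one configured in the QoS Class."""
    report = []
    for p in packets:
        sport, dport = tcp_ports(p)
        if port not in (sport, dport):
            continue
        dscp, _, name = decode_tos(p)
        report.append({"sport": sport, "dport": dport, "dscp": dscp, "name": name,
                       "ok": dscp == expected_dscp and header_checksum_ok(p)})
    return report


def sample_capture():
    """Constructed stand-in for the fw monitor output: an FTP control exchange between the
    two Lab addresses, plus one HTTP packet that the FTP rule must leave alone."""
    return [
        build_packet("10.1.1.101", "172.29.109.1", 40001, 21, b"USER anonymous\r\n"),
        build_packet("172.29.109.1", "10.1.1.101", 21, 40001, b"331 Please specify the password.\r\n"),
        build_packet("10.1.1.101", "172.29.109.1", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]


if __name__ == "__main__":
    AF43 = 0b100110  # the code point quoted later in the thread
    marked = apply_qos_rule(sample_capture(), port=21, dscp=AF43)
    for entry in verify_marking(marked, expected_dscp=AF43):
        print(entry)
```

Run it and both FTP packets report dscp 38 / AF43 with a valid checksum while the HTTP packet stays at CS0; run `verify_marking` on the unmarked capture instead and every entry reports `ok: False`, which is the result you would get from a gateway that only reads the ToS byte. The example keeps the two ECN bits untouched when it rewrites the DSCP; whether the gateway does the same is not something the thread establishes, so check that field in the decoder as well.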

derspot
2007-01-30, 16:41
U ROCK !

I have a question.

When we use the weights, limits and guarantees in QoS RULES THAT ARE UNDER A Class of Service, do these (weights etc.) apply only to:

1. Already ToS-marked traffic.
2. Only connections that match the QoS rule that is under the QoS class but are not necessarily marked beforehand.
3. These weights are shared among all QoS rules INCLUDING rules that are outside THE QoS CLASS.


AS A BEST PRACTICE ARE WE SUPPOSED TO "ATTACH" THE QoS Classes only to the External Interfaces (Inbound and Outbound) as found in the literature?

Yasushi Kono
2007-02-01, 10:36
U ROCK !

I have a question.

When we use the weights, limits and guarantees in QoS RULES THAT ARE UNDER A Class of Service, do these (weights etc.) apply only to:

1. Already ToS-marked traffic.
2. Only connections that match the QoS rule that is under the QoS class but are not necessarily marked beforehand.
3. These weights are shared among all QoS rules INCLUDING rules that are outside THE QoS CLASS.

AS A BEST PRACTICE ARE WE SUPPOSED TO "ATTACH" THE QoS Classes only to the External Interfaces (Inbound and Outbound) as found in the literature?


Only the second statement fits your question. For instance, if you have FW A and FW B, and on FW A you have a QoS rule that labels all FTP packets with the DSCP of 100110, then on FW B the FTP packets arrive with the DSCP of 100110. But, if you create a QoS rule on FW B for FTP with the same DSCP, FW B will re-write the same DSCP into the FTP packet.

As I can tell from my experience, there is no possibility to create a QoS rule which only looks into the IP header to decide what to do with it. So, already marked packets will be re-marked again. This point could be one aspect for CP developers as a "request for enhancement".

It is indeed commonly the best practice to attach the QoS class only to the external interface. Otherwise, all packets coming from I to o will be re-marked again, which could be considered a waste of performance!

Yasushi

derspot
2007-02-01, 22:17
thanks man.