Monday, May 5, 2008

Packet Ordering requirements in network infrastructure devices

One of the goals of the Internet is to maintain packet ordering. This goal requires that infrastructure devices don't change the order of packets. That is, ingress packets from a port go out in the same order on egress ports after they go through processing.

There are many types of infrastructure devices that sit in the path of packets. Some infrastructure devices now do not only routing or switching, but also many other functions such as deep packet inspection, firewall, application detection, IPS, IPsec VPN, etc. So, it becomes difficult for network infrastructure devices to keep up with this requirement. Based on my understanding of some deployments, this requirement is indeed relaxed. My understanding of packet ordering requirements now is:

  • If the infrastructure device is a pure router or bridge (switch), it is expected that all ingress packets from a port go out in the same order on egress ports. Routers and switches might not send all ingress packets from a port to one egress port. That is, there is no one-to-one correspondence between ingress port and egress port. Packet order is expected to be maintained across the ingress packets from a port which are going to the same egress port. That is, if a set of packets from port1 is going to port2, then it is expected that the order of this set of packets is maintained. Routers and switches are not expected to maintain packet order across packets which are going to different egress ports.
  • It is difficult to find any router/switch without a traffic prioritization function on the egress port. Routers classify packets into different priority bands based on the DSCP value, and switches do this based on either the DSCP value or the CoS value found in 802.1q headers. The traffic prioritization function sends higher priority packets before lower priority packets. So, the packet ordering requirement does not extend to packets belonging to different priorities. But packets from an ingress port that belong to the same priority and go to the same egress port must go out in the order they were received.
  • Firewall, IPS, DPI and other stateful applications work on 5-tuple sessions. Here the packet ordering is expected to be kept intact within a session. There is no requirement to keep the ordering across sessions. This works fine for VoIP and other real-time traffic scenarios. It is important to keep jitter low. Since jitter buffering is done on a per-session basis by VoIP endpoints, ensuring packet order is not changed within a session seems fine.
  • IPsec is a tunneling protocol. One tunnel may carry many sessions. Since sessions are not visible in the tunnel, it is required that the IPsec function maintains the packet order within each security association (tunnel).
Based on some comments from some service providers, I understand that 0.001% of packets going in a different order is acceptable.
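
The ordering scopes listed above, as an added example that is not part of the original post: a small Python checker that walks an egress trace and counts packets that left after a later-arriving packet of the same scope (port pair plus priority, 5-tuple session, or security association), then compares the ratio with the 0.001% figure. The packet records, addresses, the SA name `sa1` and all function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed record; seq is the arrival order on the ingress side of the device.
Pkt = namedtuple("Pkt", "seq in_port out_port prio session sa")

# Ordering scopes from the list above (the key functions are this example's own).
SCOPES = {
    "router": lambda p: (p.in_port, p.out_port, p.prio),  # port pair + priority band
    "stateful": lambda p: p.session,                      # 5-tuple session
    "ipsec": lambda p: p.sa,                              # security association
}

def reordered(egress, scope):
    """Packets that left after a later-arriving packet of the same scope."""
    key, highest, late = SCOPES[scope], {}, []
    for p in egress:
        k = key(p)
        if p.seq < highest.get(k, -1):
            late.append(p)        # overtaken inside its own scope
        else:
            highest[k] = p.seq
    return late

def reorder_ratio(egress, scope):
    return len(reordered(egress, scope)) / len(egress) if egress else 0.0

def within_budget(egress, scope, budget=0.001 / 100):
    """Compare against the 0.001% figure quoted in the post."""
    return reorder_ratio(egress, scope) <= budget

# Constructed sample: two sessions, same port pair, same SA, different priorities.
A = ("10.0.0.1", 5004, "10.0.1.1", 5004, "udp")   # high-priority session
B = ("10.0.0.2", 40000, "10.0.1.2", 80, "tcp")    # low-priority session
INGRESS = [Pkt(i, 1, 2, "high" if s is A else "low", s, "sa1")
           for i, s in enumerate([A, B, A, B, A])]
# Prioritization lets session A overtake session B on the egress port.
EGRESS_PRIO = [INGRESS[i] for i in (0, 2, 1, 4, 3)]

if __name__ == "__main__":
    for scope in SCOPES:
        late = [p.seq for p in reordered(EGRESS_PRIO, scope)]
        print(scope, late, within_budget(EGRESS_PRIO, scope))
```

The same departure sequence is clean under the router and per-session rules, but two packets count as overtaken when all five are judged within one security association.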

Any comments?
