Skinny pipe, skinny pipe, let me in!

Once upon a time there were four gluttonous pigs that traveled every day between lands of abundant slop. However, travel between these lands required crossing very skinny troughs (e.g., slop pipes). Consequently, the greedy pigs always competed fiercely to get over the pipe first. In some cases, all four pigs could pass the pipe at once. In other instances, only two or three could squeeze through at a time. Sometimes only one pig could get through. And once in a while, a pig would get stuck. Whenever all could not travel together, the other ravenous pigs would incessantly squeal, "Skinny pipe, skinny pipe, Let me in!"

This is not a fairy tale, but a present day saga about convergence--the transport of voice, data, video and multimedia--all over a single IP network. One huge challenge is converging the voice, data, video and multimedia pigs on the skinny pipes between enterprise and service provider networks. An expensive T-1 typically connects an enterprise LAN site with 100 Mb/s or more bandwidth slop to the service provider's network with gigabits of bandwidth slop. Or perhaps it is a DSL link with only 384 kb/s or a shared cable network connection.

The four pigs

The four pigs in our real-world story represent the different types of packet traffic converging on a pipe. The value of these packets to the enterprise and consequently to the service provider is indicated by color:

• Gold--Real-time, interactive voice and video communications

• Silver--Critical corporate data applications such as order processing, accounts receivable, ERP and others

• Bronze--Business-oriented intranet and e-mail traffic

• Brown--Internet-oriented traffic with much non-business use

Rules for letting the pigs in

To optimally converge all this traffic through the pipe, there are five basic rules that should govern how the pipe is used:

1. Premium interactive voice and video is the boss hog--Once a real-time, revenue generating, SLA-guaranteed voice or video call is accepted, it must have absolute priority over everything else. The key word here is "accepted." See Rule 5 below.

2. Don't starve data--Don't allow a pipe to be completely used by voice. It's critical to allow some data, especially the silver packets, to traverse the link.

3. If the boss isn't using the pipe, use all of it for data--The full capacity of the pipe must be available for data if there is no voice or video. Otherwise, we are still channelizing the pipe without benefiting from all the cost savings that come with complete convergence.

4. Even the boss needs limits--Call admission policies must control and limit the maximum number of total calls, the number by type of call--voice vs. video, the number initiated from inside vs. outside an enterprise location, and exceptions to these rules like emergency 911 calls.

5. "Not by the hair on your chinny, chin, chin." If the boss hog can't fit, don't even try letting it in. If the pipe is already congested, new call setup requests must be rejected (except for 911 calls). Adding just one more call to that pipe will deteriorate the quality of the new call as well as every other call on that pipe.

Fixing the plumbing into the pipe

To implement these rules, we need the right fencing before the skinny pipe gives us critical intelligence and control capabilities: 

• Traffic classification and prioritization--differentiate gold, silver, bronze and brown packets and prioritize traffic flow through the pipe based on packet color

• Pipe capacity and utilization--understand the total bandwidth of the pipe and the actual traffic volume flowing through the pipe

• Call admission control--accept or reject new calls based on configurable call limit policies and actual traffic flowing through the pipe

The right fencing requires not only the right gates to the pipe, but the right feeder pens--and in some cases, dye to color different packets. Let's take a look at what we have in our barnyard fencing tool kit that will give us these capabilities.

Traffic classification and prioritization: Getting out of the enterprise

To get traffic optimally out of the enterprise through the skinny pipe, we don't even want to try classifying the brown packets. We just want to ensure that we can classify everything else. This can be done fairly easily for silver and bronze packets using the network address of the various application servers.

Classifying gold packets requires more work. For IP phones and other devices that generate only gold bits, we need to either set the ToS bits correctly on the phone and/or assign them to a VLAN separate from data so the router can use the packet markings or VLAN virtual interface for prioritization over the skinny pipe.

For Windows XP PCs, there's a problem. A Windows XP PC supports all four colors of packets. We can't put this PC on the voice VLAN, because we'll end up classifying both the brown and gold packets from this PC as gold. We cannot rely on ToS bits either unless the softphone application can set them.

Problem 1: Many softphones today such as MSN Messenger or AOL Instant Messenger do not allow us to set ToS bits.

Across the service provider cloud, into another skinny pipe and out on the right VLAN

Once the packets leave the access router, they flow through the skinny pipe and enter the service provider cloud via its edge router. The QoS approach used in the cloud will not only have a major impact on the packet's ability to optimally traverse the cloud and get into the other skinny pipe, but also on getting onto the right VLAN in the enterprise. Prioritizing and routing the silver and bronze packets is easy since the same network address rules can be used. For the gold packets, again, things are more complicated.

Packets can be prioritized and routed correctly all the way to the enterprise VLAN only if the service provider:

• Trusts all of its customers to use the exact same ToS bit-marking scheme and correctly marks gold packets (this is a big "if" and is related to Problem 1.)

• Does not change the ToS bits and uses ToS or MPLS in its network. (MPLS just assigns an additional tag that doesn't change the ToS bits.)

With networks using DiffServe, a problem may exist since ToS and DiffServe bit markings overlap and may be incompatible. The gold packets won't be able to get on the right VLAN in the enterprise if the service provider has changed them.

Problem 2: If gold packet markings from another network cannot be trusted, the service provider changes the ToS bits, or DiffServe is used in the service provider cloud, the gold packets must be explicitly marked based on call signaling intelligence.

Pipe capacity, utilization and call admission control

The problem of understanding pipe capacity, utilization and making admission control decisions is very challenging. Routers using ToS and DiffServe for packet prioritization do not have the same concept of capacity limits as MPLS routers. Even if they did, they could not gracefully refuse a call because they do not participate in call setup messages. A router using any of these mechanisms will just try to cram every packet it receives through the skinny pipe.

RSVP won't solve the problem either because it cannot be used to establish a single reservation for a collection of related flows going in different directions. In the case of voice or video, multiple two-way signaling and media flows must all be accepted for the call to be started. Consequently, it's possible that reservations for the low-bandwidth call setup messages would be accepted, but not for high-bandwidth media flows. The results cause huge problems. Users hear or see nothing, an accounting record is created, and if the call is billable, huge customer care and billing reconciliation costs are incurred. Lastly, RSVP works on a first-come, first-served basis. It has no notion of call admission policies to reserve bandwidth for data by limiting the maximum number of total calls, the number by type of call (voice vs. video), the number initiated from inside vs. outside an enterprise location, and exceptions to rules like emergency 911 calls.

Problem 3: Today, no routers understand skinny pipe capacity and utilization, nor can they make call admission control decisions based on that intelligence.

The skinny on solving the three big skinny pipe problems

The key to overcoming these problems and successfully converging the four pigs through the skinny pipe is the tight integration of session signaling and media flow control. A new category of equipment has recently been introduced that specifically solves our 3 big problems. They also satisfy other critical security, SLA assurance, bandwidth policing and law enforcement requirements for interactive, session-oriented communications such as voice and video.

These products, called session border controllers, sit at the edge of the service provider network where skinny pipes connect and complement the traffic classification and prioritization capabilities of the service provider's edge router and the enterprise's access router. They handle both the SIP signaling messages and the RTP-based media packets with microsecond latency. They control call admission gracefully based upon pipe capacity, utilization and other policies, and tightly control just the signaled media flows including layer-2 and layer-3 QoS marking, network address and port translation, bandwidth policing and other functions.

Jim Hourihan is Vice President of Marketing & Product Management for Acme Packet.

Visit Acme Packet online.