Managing the DSCP field

The DSCP field, found in the IP header, is used to manage congestion. In IPsec encapsulation, the default behavior of an SNS firewall is to replicate this field’s value in the original header in the header of the corresponding encrypted packet. Changing this field may disrupt the flow of traffic on an operator network.

R49 | SNS-SMC | Keep the DSCP field
Apart from the need for stronger security, it is advisable to keep the default configuration of the DSCP field.

However, when high security is required, making a copy of the DSCP field can create a hidden channel. The value of this field must therefore be controlled before it leaves the SNS firewall. One way to do so is to use the SNS firewall to change its value. This can be done in the Quality of service tab in the Action menu of a Pass filter rule. When the Impose value option is enabled, the New DSCP value menu will become available. The selected value is used as the DSCP field value of filtered packets. Apply this operation to filter rules for outgoing encrypted traffic.

R49+ | SNS-SMC | Control the DSCP field
When a higher level of security is required, the DSCP field of outgoing traffic should be changed to an arbitrary value.

The DSCP field of an encrypted packet can only be changed if outgoing implicit rules for hosted services have been disabled, as explained in the chapter Implicit rules, and an explicit filter rule with the "stateful inspection" option has been created.

The network operator can prioritize packets in its network based on the value of the DSCP field. Using a value of 0 makes it possible to keep the primary path.

  • Several connections pass through a tunnel,

  • The remote endpoint copies the value of the DSCP field from plaintext packets to encrypted packets,

  • QoS processing on the transit network rearranges the sequence of packets,

  • The local endpoint has an anti-replay window that is too small,

Legitimate packets may get lost.

The number of lost packets can be minimized by changing the ReplayWSize parameter. This can be done through the NSRPC command config ipsec profile phase2 update replaywsize=XX name=NN where XX is a value between 0 and 33554400 inclusive in increments of 8 and NN is the name of the encryption profile. The network and relevant traffic must be analyzed in order to set the appropriate ReplayWSize parameter. The Stormshield TAC can assist in this analysis. This value can also be manually added to the file /Firewall/ConfigFiles/VPN/01 where the value 01 corresponds to the number of the IPsec policy used.