Integrated Services Provisioning Across Cryptographic Boundaries

IntServ resource reservation protocol (RSVP) is based on end-to-end signaling and the current HAIPE specification does not allow for RSVP signaling to be bypassed across cryptographic boundaries. Since end-to-end RVSP signaling traffic is not bypassed across HAIPE boundaries, it does not seamlessly allow for IntServ based QoS provisioning within the core Black network. This leads us to the challenge of defining a mechanism by which IntServ/RSVP can be supported within the core Black network. We built upon our prior work on a dynamic diffserv network QoS management framework developing an IntServ implementation that operates across HAIPE boundary. The objective of our effort was to allow for individual IntServ/RSVP sessions in the red security enclave to be aggregated into a finite set of dynamically instantiated IntServ/RSVP sessions between ingress and egress nodes within the black security enclave. We used simple policy based management whereby the RSVP daemon on the ingress black node monitors the DSCP values on its outbound ports to initiate the creation or deletion of aggregated IntServ/RSVP sessions to the appropriate egress black node. These egress black node sessions are dynamically resized based on traffic demand and network state. This approach allowed for end-to-end IntServ across HAIPE boundaries