Ingress Policing

 

Per-Stream Filtering and Policing (IEEE P802.1Qci)

For industrial, automotive, and other control-oriented networks, there is a need to protect the rest of the network from potential congestion-related packet drops caused by misbehaving network devices. Ingress policing generically refers to methods used to prevent these traffic overload conditions (DDoS or erroneous delivery) from affecting the receiving node or port. These methods may be used to protect against software bugs on endpoints or switches/bridges, but also against hostile devices or attacks. P802.1Qci provides filtering on a per-stream basis by providing an input gate for each stream. Each gate would provide a pass/no-pass function based upon a policing function (leaky bucket, time window, maximum size, etc.). Thought of another way: each talker has a contract with a respective listener (excess bandwidth, burst sizes, packet sizes, misuse of labels, etc.). The input gate serves to enforce that contract.
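A simplified model of the per-stream input gate described above, added here as an illustration and not taken from the P802.1Qci text or any bridge implementation. It uses the token-bucket form of a leaky-bucket meter plus a maximum-size check; the class names, the stream identifiers, the traffic and the policy of dropping frames that match no contract are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Contract:              # hypothetical talker/listener contract
    rate_bps: int            # committed rate in bits per second
    burst_bytes: int         # bucket depth = largest tolerated burst
    max_frame_bytes: int     # largest frame the talker may send

@dataclass
class InputGate:
    contract: Contract
    tokens: float = 0.0
    last_ns: int = 0
    drops: dict = field(default_factory=lambda: {"oversize": 0, "rate": 0})

    def __post_init__(self):
        self.tokens = float(self.contract.burst_bytes)   # bucket starts full

    def admit(self, now_ns: int, frame_bytes: int) -> bool:
        c = self.contract
        if frame_bytes > c.max_frame_bytes:              # maximum-size check
            self.drops["oversize"] += 1
            return False
        elapsed = max(0, now_ns - self.last_ns)          # refill for elapsed time
        self.tokens = min(c.burst_bytes, self.tokens + elapsed * c.rate_bps / 8e9)
        self.last_ns = max(self.last_ns, now_ns)
        if frame_bytes > self.tokens:                    # over rate or burst: no-pass
            self.drops["rate"] += 1
            return False
        self.tokens -= frame_bytes
        return True

class IngressPolicer:
    def __init__(self, contracts):
        self.gates = {sid: InputGate(c) for sid, c in contracts.items()}
        self.unknown = 0

    def receive(self, stream_id, now_ns: int, frame_bytes: int) -> bool:
        gate = self.gates.get(stream_id)
        if gate is None:                                 # no contract: drop (assumed policy)
            self.unknown += 1
            return False
        return gate.admit(now_ns, frame_bytes)

def demo():
    # Constructed traffic: both streams contracted for 8 Mbit/s with a 3000-byte burst.
    c = Contract(rate_bps=8_000_000, burst_bytes=3000, max_frame_bytes=1500)
    p = IngressPolicer({"ctrl": c, "cam": c})
    ctrl = sum(p.receive("ctrl", i * 1_000_000, 1000) for i in range(10))  # in contract
    cam = sum(p.receive("cam", i * 100_000, 1000) for i in range(20))      # 10x over rate
    p.receive("ctrl", 10_000_000, 1600)                                    # oversize frame
    p.receive("rogue", 0, 64)                                              # stream with no contract
    return ctrl, cam, p.gates["cam"].drops["rate"], p.gates["ctrl"].drops["oversize"], p.unknown
```

Because each stream has its own gate and bucket, the babbling `cam` talker is cut back to its contracted rate while every in-contract `ctrl` frame still passes.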