
RE: ECN: Tunnel/SA relationship



> I did a "per-node" configuration for ECN friendliness, rather than
> per-SA, for our implementation (see below).
> Is it worth doing it or is it harmful?

Yes, it's worth doing.  I definitely want to encourage this sort of
experimentation.

> Adding an attribute to SA (and modifying IKE daemon) looks too much
> for me, and it seems to me that per-host configuration solves most
> of the cases.
>
> If it is harmful to ECN people, I'll be removing this code from
> ours.

I don't think it's harmful.  The mechanisms in the draft are more general
(and hence more complex) in two areas:

(1) Putting the ECN support attribute in the SA allows one IPsec node
to deal with a collection of other nodes that have different levels
of ECN support and different opinions about whether to allow or
forbid ECN.  The intent of the draft is to allow one to add the SA
attribute without also requiring the negotiation support (IKE daemon
modifications); does this make things sufficiently simpler for you?

(2) The negotiation mechanism was put in to allow an IPsec node to
assure itself that ECN congestion notifications aren't being dropped
by its counterpart before allowing ECN on the tunnel.  If there's a
strong opinion on this list that this assurance is not valuable and
hence the negotiation is not worth implementing, I have no problem
with taking it out of the next version of the draft.

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140, FAX: +1 (508) 497-6909
black_david@emc.com
---------------------------------------------------
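A toy model of the per-SA "ECN support" attribute and the risk the negotiation guards against, added here as an illustration; it is not code from this thread or from any implementation mentioned in it. It assumes the ECN-in-tunnel rules of RFC 3168 section 9 (full-functionality vs limited-functionality tunnel endpoints), and the SAs, packets and router are constructed for the example.

```python
# Added toy model (not from the thread): an IPsec tunnel endpoint reads a
# per-SA "ECN tunnel" attribute and applies simplified ECN-in-tunnel rules
# assumed from RFC 3168 section 9.  It shows why both ends must agree on
# the attribute: a CE mark set inside the tunnel is lost when the
# decapsulator believes the SA is not ECN-capable.  All values constructed.
from dataclasses import dataclass
from typing import Optional

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11


@dataclass
class SA:
    spi: int
    ecn_tunnel: bool  # per-SA attribute: full (True) or limited (False)


def encapsulate(sa: SA, inner_ecn: int) -> int:
    """Return the outer header's ECN field for a tunnel-mode packet."""
    if not sa.ecn_tunnel:
        return NOT_ECT  # limited functionality: tunnel is never ECT
    # full functionality: copy ECT; an inner CE is sent as outer ECT(0)
    return ECT0 if inner_ecn == CE else inner_ecn


def decapsulate(sa: SA, outer_ecn: int, inner_ecn: int) -> Optional[int]:
    """Return the inner ECN field after decapsulation, or None to drop."""
    if not sa.ecn_tunnel:
        return inner_ecn  # limited functionality: outer field ignored
    if outer_ecn == CE:
        if inner_ecn == NOT_ECT:
            return None  # CE on a non-ECT flow is invalid: drop it
        return CE  # carry the congestion mark into the inner header
    return inner_ecn


def tunnel_path(encap_sa: SA, decap_sa: SA, inner_ecn: int,
                congested: bool) -> Optional[int]:
    """Encapsulate, cross one router, decapsulate; None means dropped.

    A congested router marks CE on ECT packets and drops Not-ECT ones.
    """
    outer = encapsulate(encap_sa, inner_ecn)
    if congested:
        if outer == NOT_ECT:
            return None  # no ECN on the tunnel: router drops instead
        outer = CE
    return decapsulate(decap_sa, outer, inner_ecn)
```

With both ends agreeing on a full-functionality SA the receiver sees CE; with a mismatch (encapsulator full, decapsulator limited) the receiver sees plain ECT(0) and the congestion notification is silently lost, which is exactly the assurance the draft's negotiation is meant to provide.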