
draft-ipsec-ecn-00.txt



I'd like to nudge the ipsec-ecn draft forward in
hopes of getting it closer to WG last call.

Since the original announcement of this draft, a
few comments have been made, but none of them
appear to require significant changes to the draft.

	A comment noted that the draft further
	couples the concepts of Tunnel and Security
	Association, and expressed the opinion that
	this coupling is the wrong architectural
	approach.

Since the WG does not seem inclined to make the
revisions to the IPsec architecture RFC required to
change the architectural approach in this area,
leaving the ipsec-ecn draft aligned to the current
ipsec architecture seems preferable.

	A comment indicated that per-node configuration
	is easier to implement than per-SA configuration.

After serious thought and despite initially encouraging
per-node configuration, it no longer seems to be a good
idea. The concern is that as ipsec and ecn deployment
scale up, many ecn-aware ipsec implementations will find
themselves communicating with a mixture of ecn-aware
and ecn-unaware ipsec tunnel endpoints.  In such
an environment with per-node configuration, the only 
reasonable thing to do is turn off ecn support for
all ipsec tunnels, which is not the desired outcome.

	Several comments noted that SA negotiation is
	complex, and adding to it is non-trivial.  One
	comment suggested using ICMP after tunnel setup
	as a possible alternative.

The addition to SA negotiation in the draft is OPTIONAL
and will remain so; implementers are free to ignore it.
The authors still think that the assurance it provides
can be useful in a number of situations.  In practice, 
if nobody implements this, it can be deleted later on.

Extending ICMP to negotiate ECN after tunnel setup appears
to be a cure that's worse than the disease.  Some tunnels
do not permit traffic to be addressed to the egress
endpoint, hence the ICMP packet has to be addressed to
somewhere else, scanned for by the egress endpoint, and
discarded there or at its actual destination (not pretty).
Beyond that lies a set of problems caused by the fact
that ICMP is unreliable delivery, hence there is a
possibility of the packet being dropped, entailing
the invention of yet another ack/retransmit mechanism.
It seems better to optionally extend the existing SA
negotiation mechanism.

Please send comments on this email and the underlying
draft to the list.  The default plan in the absence of
further major comments is to incorporate the above
discussion into a -01 version of the draft for further
discussion in Oslo.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140, FAX: +1 (508) 497-6909
black_david@emc.com
---------------------------------------------------