Re: TOS copying considered harmful
Henry,
In the revision of 2401 we plan to modify the text somewhat. This
issue was discussed before and we took notes on the changes to be
made, but have not distributed them to the list.
We would like an IPsec implementation to be configurable re how it
processes the TOS field for tunnel mode for transmitted and received
packets. One configuration setting would operate as the current spec
requires. Another would allow the field to be mapped to a fixed
value, on a per SA basis. (The value might really be fixed for all
traffic outbound from a device, but per SA granularity allows that as
well.) This configuration option allows folks, on a local basis, to
decide whether the covert channel provided by copying these bits
outweighs the benefits of copying.
For inbound traffic, the QoS folks have requested that we allow
copying of the bits, which are currently discarded. One configuration
option here would permit this, the other would maintain the status
quo, i.e., discard.
Would this set of options, plus the accompanying rationale, address
your concerns?
Steve
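A small model of the two per-SA configuration knobs described above, added here as illustration; it is not code from the message or from any RFC 2401 text, and the class and field names are assumptions:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class OutboundTos(Enum):
    COPY = "copy"    # current spec behaviour: inner TOS copied into the outer header
    FIXED = "fixed"  # proposed option: outer TOS set to a fixed per-SA value

class InboundTos(Enum):
    DISCARD = "discard"  # status quo: outer TOS dropped on decapsulation
    COPY = "copy"        # proposed QoS option: outer TOS copied into the inner header

@dataclass
class SaTosPolicy:
    """Hypothetical per-SA TOS handling configuration."""
    outbound: OutboundTos = OutboundTos.COPY
    inbound: InboundTos = InboundTos.DISCARD
    fixed_value: int = 0x00

@dataclass
class Packet:
    tos: int                          # 8-bit IPv4 TOS byte
    inner: Optional["Packet"] = None  # present on a tunnel-mode outer packet

def encapsulate(sa: SaTosPolicy, inner: Packet) -> Packet:
    """Build the tunnel-mode outer header according to the outbound setting."""
    if sa.outbound is OutboundTos.COPY:
        outer_tos = inner.tos
    else:
        outer_tos = sa.fixed_value & 0xFF
    return Packet(tos=outer_tos, inner=inner)

def decapsulate(sa: SaTosPolicy, outer: Packet) -> Packet:
    """Strip the outer header; optionally carry the outer TOS into the inner header."""
    if outer.inner is None:
        raise ValueError("not a tunnel-mode packet")
    inner = outer.inner
    tos = outer.tos if sa.inbound is InboundTos.COPY else inner.tos
    return Packet(tos=tos, inner=inner.inner)

def distinct_outer_tos(sa: SaTosPolicy, inner_packets) -> int:
    """Count the distinct outer TOS values an on-path observer would see.
    A count above one means the outer header varies with inner traffic."""
    return len({encapsulate(sa, p).tos for p in inner_packets})
```

With the fixed-value setting the count is always one, which is the covert-channel argument for that option in a form you can check against an implementation.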