
Re: TOS copying considered harmful



Henry,

In the revision of 2401 we plan to modify the text somewhat.  This 
issue was discussed before and we took notes on the changes to be 
made, but have not distributed them to the list.

We would like an IPsec implementation to be configurable re how it 
processes the TOS field for tunnel mode for transmitted and received 
packets. One configuration setting would operate as the current spec 
requires. Another would allow the field to be mapped to a fixed 
value, on a per SA basis. (The value might really be fixed for all 
traffic outbound from a device, but per SA granularity allows that as 
well.) This configuration option allows folks, on a local basis, to 
decide whether the covert channel provided by copying these bits 
outweighs the benefits of copying.

For inbound traffic, the QoS folks have requested that we allow 
copying of the bits, which are currently discarded. One configuration 
option here would permit this, the other would maintain the status 
quo, i.e., discard.

Would this set of options, plus the accompanying rationale, address 
your concerns?

Steve
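The two outbound settings (copy the inner TOS into the outer header, or map it to a fixed per-SA value) and the two inbound settings (discard the outer TOS, or copy it back into the inner header) described in the message above, as an added example that is not code from this thread or from any IPsec implementation. It models only the IPv4 TOS byte and a tunnel-mode wrapper; ESP is omitted, and the `TunnelSA` class, `build_ipv4`, `observe_wire`, the addresses and the protocol numbers are all assumptions made for illustration. The point it makes concrete is the covert channel: under the copy policy an eavesdropper reading nothing but the cleartext outer TOS recovers every byte the sender placed in the inner TOS, while under the fixed policy the wire shows one constant value.

```python
import struct
from dataclasses import dataclass


def build_ipv4(tos: int, payload: bytes, proto: int = 17) -> bytes:
    """Hypothetical helper: a 20-byte IPv4 header (no options, zero checksum)
    followed by payload. Only the TOS byte matters for this example."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5
        tos & 0xFF,      # TOS byte under discussion
        total_len, 0, 0, # total length, identification, flags/fragment offset
        64, proto, 0,    # TTL, protocol, checksum (left zero; not verified here)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),  # assumed addresses
    )
    return header + payload


def tos_of(pkt: bytes) -> int:
    return pkt[1]


@dataclass
class TunnelSA:
    """Assumed per-SA configuration knobs mirroring the proposal in the message."""
    outbound_tos: str = "copy"    # "copy" = current spec, "fixed" = proposed option
    fixed_tos: int = 0x00         # value used when outbound_tos == "fixed"
    inbound_tos: str = "discard"  # "discard" = current spec, "copy" = QoS request


def encapsulate(sa: TunnelSA, inner: bytes) -> bytes:
    """Tunnel-mode wrap: the outer TOS is either copied from the inner header
    or set to the SA's fixed value. The inner packet rides as the payload
    (it would be inside ESP in a real implementation)."""
    outer_tos = tos_of(inner) if sa.outbound_tos == "copy" else sa.fixed_tos
    return build_ipv4(outer_tos, inner, proto=4)


def decapsulate(sa: TunnelSA, outer: bytes) -> bytes:
    """Tunnel-mode unwrap: either discard the outer TOS (inner keeps its own)
    or copy the outer TOS into the inner header."""
    inner = outer[20:]
    if sa.inbound_tos == "copy":
        inner = inner[:1] + bytes([tos_of(outer)]) + inner[2:]
    return inner


def observe_wire(sa: TunnelSA, message: bytes) -> bytes:
    """An insider sends one tunnelled packet per message byte, placing the byte
    in the inner TOS; an eavesdropper records only the cleartext outer TOS.
    Returns what the eavesdropper sees."""
    seen = []
    for b in message:
        inner = build_ipv4(tos=b, payload=b"x")
        seen.append(tos_of(encapsulate(sa, inner)))
    return bytes(seen)


if __name__ == "__main__":
    copy_sa = TunnelSA()                                    # current spec
    fixed_sa = TunnelSA(outbound_tos="fixed", fixed_tos=0x20)  # proposed option
    print("copy  policy leaks :", observe_wire(copy_sa, b"hi"))
    print("fixed policy leaks :", observe_wire(fixed_sa, b"hi"))
```

Running the script shows `b'hi'` under the copy policy and `b'  '` (two 0x20 bytes) under the fixed policy; the inbound `discard` setting likewise keeps whatever the inner header carried, while `copy` overwrites it with the outer value.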
