Re: TOS copying considered harmful
What I don't understand is how this differs from
plain old DSCP remapping that can happen for any
u-flow or aggregated flow on any incoming/outgoing
interface.
If you look at a tunnel as a virtual interface,
I don't think that IPsec needs to recommend much
of anything other than noting the traffic analysis
as a potential consideration when deciding how to
remark traffic.
Mike
Stephen Kent writes:
> Henry,
>
> In the revision of 2401 we plan to modify the text somewhat. This
> issue was discussed before and we took notes on the changes to be
> made, but have not distributed them to the list.
>
> We would like an IPsec implementation to be configurable re how it
> processes the TOS field for tunnel mode for transmitted and received
> packets. One configuration setting would operate as the current spec
> requires. Another would allow the field to be mapped to a fixed
> value, on a per SA basis. (The value might really be fixed for all
> traffic outbound from a device, but per SA granularity allows that as
> well.) This configuration option allows folks, on a local basis, to
> decide whether the covert channel provided by copying these bits
> outweighs the benefits of copying.
>
> For inbound traffic, the QoS folks have requested that we allow
> copying of the bits, which are currently discarded. One configuration
> option here would permit this, the other would maintain the status
> quo, i.e., discard.
>
> Would this set of options, plus the accompanying rationale, address
> your concerns?
>
> Steve
>
>
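The configurable handling Steve lists (copy inner TOS to the outer header, or a fixed value per SA, with inbound copy or discard) and the per-interface remapping Mike describes, modelled as an added example so the size of the resulting channel can be compared. This is not code from the thread or from any IPsec implementation; the TunnelSA class, the policy names and the remap table are assumptions made here.

```python
from math import log2

# Outbound policies for the outer (tunnel) header TOS byte; inbound policies
# for the inner packet after decapsulation. Names are assumptions of this example.
COPY, FIXED, REMAP = "copy", "fixed", "remap"
DISCARD = "discard"


class TunnelSA:
    """Per-SA TOS configuration, as the thread proposes making it configurable."""

    def __init__(self, outbound=COPY, fixed_tos=0, remap=None, inbound=DISCARD):
        self.outbound = outbound
        self.fixed_tos = fixed_tos & 0xFF
        # Hypothetical per-interface table: inner DSCP -> outer DSCP (DSCP is the
        # upper 6 bits of the TOS byte; the low 2 bits are treated as ECN here).
        self.remap = remap or {}
        self.inbound = inbound


def outer_tos(sa, inner_tos):
    """TOS byte written into the outer header when encapsulating."""
    if sa.outbound == COPY:            # current 2401 behaviour: bits copied as-is
        return inner_tos & 0xFF
    if sa.outbound == FIXED:           # proposed option: fixed value on a per-SA basis
        return sa.fixed_tos
    if sa.outbound == REMAP:           # DSCP remapping on the virtual interface
        dscp = (inner_tos & 0xFF) >> 2
        return (sa.remap.get(dscp, 0) & 0x3F) << 2   # unknown DSCPs fall to 0, ECN cleared
    raise ValueError("unknown outbound policy: %r" % sa.outbound)


def inner_tos_after_decap(sa, inner_tos, received_outer_tos):
    """TOS byte the inner packet carries after tunnel decapsulation."""
    if sa.inbound == COPY:             # QoS request: take the outer header's bits
        return received_outer_tos & 0xFF
    if sa.inbound == DISCARD:          # status quo: outer bits discarded
        return inner_tos & 0xFF
    raise ValueError("unknown inbound policy: %r" % sa.inbound)


def covert_channel_bits(sa):
    """Bits per packet the inner side can signal through the outer TOS byte."""
    distinct_outer = {outer_tos(sa, t) for t in range(256)}
    return log2(len(distinct_outer))
```

With copying the outer header reflects all 8 inner bits; a fixed per-SA value closes the channel, and a remap table that admits only a few DSCPs leaves log2(number of admitted values) bits per packet.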