
Re: TOS copying considered harmful




What I don't understand is how this differs from
plain old DSCP remapping that can happen for any
u-flow or aggregated flow on any incoming/outgoing
interface.

If you look at a tunnel as a virtual interface,
I don't think that IPsec needs to recommend much
of anything other than noting the traffic analysis
as a potential consideration when deciding how to
remark traffic.

		Mike

Stephen Kent writes:
 > Henry,
 > 
 > In the revision of 2401 we plan to modify the text somewhat.  This 
 > issue was discussed before and we took notes on the changes to be 
 > made, but have not distributed them to the list.
 > 
 > We would like an IPsec implementation to be configurable re how it 
 > processes the TOS field for tunnel mode for transmitted and received 
 > packets. One configuration setting would operate as the current spec 
 > requires. Another would allow the field to be mapped to a fixed 
 > value, on a per SA basis. (The value might really be fixed for all 
 > traffic outbound from a device, but per SA granularity allows that as 
 > well.) This configuration option allows folks, on a local basis, to 
 > decide whether the covert channel provided by copying these bits 
 > outweighs the benefits of copying.
 > 
 > For inbound traffic, the QoS folks have requested that we allow 
 > copying of the bits, which are currently discarded. One configuration 
 > option here would permit this, the other would maintain the status 
 > quo, i.e., discard.
 > 
 > Would this set of options, plus the accompanying rationale, address 
 > your concerns?
 > 
 > Steve
 > 
 > 
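To make the four configuration settings Steve describes concrete (outbound: copy the inner TOS byte to the outer header, or write a fixed per-SA value; inbound: discard the outer TOS byte, or copy it into the inner header), here is a small added model of tunnel-mode encapsulation that is not part of this thread and not any IPsec implementation's code. It builds real IPv4 headers but uses plain IP-in-IP (protocol 4) as a stand-in for ESP/AH, and the addresses and TOS values are constructed for the demonstration. The `observed_outer_dscp` helper shows what an observer between the two gateways can learn from the outer header: in copy mode the inner DSCP is readable bit for bit, in fixed mode only the one configured value ever appears.

```python
"""Model of IPsec tunnel-mode TOS/DSCP handling with a per-SA policy.

Added illustration for the RFC 2401 TOS-copying discussion; hypothetical
code, not from any IPsec implementation. Uses IP-in-IP instead of ESP/AH
so the headers stay easy to inspect.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set

IPPROTO_IPIP = 4   # stand-in for ESP (50) / AH (51) in this model
IPPROTO_UDP = 17


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte header (checksum field zeroed by caller)."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, tos: int, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet. TOS byte = DSCP (upper 6 bits) + ECN (lower 2 bits)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos & 0xFF, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def ipv4_tos(pkt: bytes) -> int:
    return pkt[1]


def set_ipv4_tos(pkt: bytes, tos: int) -> bytes:
    """Rewrite the TOS byte and recompute the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[1] = tos & 0xFF
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


@dataclass(frozen=True)
class TunnelSA:
    """Per-SA TOS policy, mirroring the two outbound and two inbound settings."""
    outer_src: str
    outer_dst: str
    outbound_tos: Optional[int] = None  # None: copy inner TOS to outer (current 2401 behaviour)
                                        # int:  write this fixed value into the outer header
    inbound_copy: bool = False          # False: discard outer TOS on decapsulation (status quo)
                                        # True:  copy outer TOS into the inner header


def encapsulate(sa: TunnelSA, inner_pkt: bytes) -> bytes:
    outer_tos = ipv4_tos(inner_pkt) if sa.outbound_tos is None else sa.outbound_tos
    return build_ipv4(sa.outer_src, sa.outer_dst, outer_tos, IPPROTO_IPIP, inner_pkt)


def decapsulate(sa: TunnelSA, outer_pkt: bytes) -> bytes:
    inner = outer_pkt[20:]
    if sa.inbound_copy:
        inner = set_ipv4_tos(inner, ipv4_tos(outer_pkt))
    return inner


def observed_outer_dscp(sa: TunnelSA, inner_tos_values: Iterable[int]) -> Set[int]:
    """Distinct DSCP code points an observer on the path sees for the given inner TOS bytes.

    Copy mode exposes every inner value (the covert channel); fixed mode exposes one.
    """
    seen = set()
    for tos in inner_tos_values:
        inner = build_ipv4("10.0.0.1", "10.0.1.1", tos, IPPROTO_UDP, b"data")  # constructed
        seen.add(ipv4_tos(encapsulate(sa, inner)) >> 2)
    return seen


if __name__ == "__main__":
    gw = ("192.0.2.1", "198.51.100.1")  # constructed documentation addresses
    inner_values = [0x00, 0x28, 0xB8]   # BE, AF11, EF as TOS bytes
    print("copy  mode, outer DSCPs seen:", observed_outer_dscp(TunnelSA(*gw), inner_values))
    print("fixed mode, outer DSCPs seen:", observed_outer_dscp(TunnelSA(*gw, outbound_tos=0), inner_values))
```

The inbound side works the same way: with `inbound_copy=False` the decapsulated packet carries exactly the TOS byte it entered the tunnel with, while `inbound_copy=True` lets the outer marking (possibly remarked in transit, as Mike notes) overwrite it, with the inner checksum recomputed so the packet stays valid.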
