
Re: TOS copying considered harmful



On Tue, 19 Sep 2000, Olivier Kreet wrote:
> The best thing would probably be to have one tunnel per class of 
> service, but it is not always possible to set up parallel tunnels on 
> today's IPSec implementations (e.g. linux Freeswan).

Also, whether this is "best" depends on your priorities.  Making the TOS
field visible -- whether in one tunnel or parallel tunnels -- provides a
hint to traffic analysts and a covert channel for Trojan horses, so the
underlying assumption that this should be done is itself questionable. 

(This is another instance of the standard tradeoff:  security versus user
convenience.)

I note, also, that TOS isn't in 2401's list of packet selectors, so there
is no requirement in the current IPsec architecture that such parallel
tunnels be supported.  (FreeS/WAN currently doesn't do parallel tunnels
*at all*, for implementation reasons which will eventually be fixed...
but support for TOS-based tunnel selection would require non-standard
extensions to IPsec.)

                                                          Henry Spencer
                                                       henry@spsystems.net
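An added example, not from this message or from FreeS/WAN: a small Python audit, run over constructed outer IPv4 headers of ESP packets (addresses and TOS values are made up), that groups packets by tunnel endpoints and flags any tunnel whose outer TOS byte varies. A varying TOS is exactly what the copy-TOS behaviour discussed above exposes to a traffic analyst, and the number of distinct values bounds the covert-channel capacity per packet.

```python
import math
import struct
from collections import Counter, defaultdict

ESP = 50  # IP protocol number carried in the outer header of an ESP tunnel packet

def build_outer_ipv4(tos, src, dst, payload_len, proto=ESP):
    """Minimal outer IPv4 header (no options) as seen on the untrusted network.
    Identification, flags and checksum are left zero; they do not matter here."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def parse_outer_ipv4(hdr):
    """Return the fields an observer needs: TOS, protocol, source and destination."""
    _, tos, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"tos": tos, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def audit_tos_leak(headers):
    """Group ESP packets by (src, dst) and report tunnels whose outer TOS varies.
    A varying byte means the gateway copies the inner TOS outward; log2 of the
    number of distinct values bounds the covert-channel capacity in bits/packet."""
    seen = defaultdict(Counter)
    for h in headers:
        p = parse_outer_ipv4(h)
        if p["proto"] == ESP:
            seen[(p["src"], p["dst"])][p["tos"]] += 1
    report = {}
    for tunnel, counts in seen.items():
        distinct = len(counts)
        report[tunnel] = {"distinct_tos": distinct,
                          "bits_per_packet": math.log2(distinct) if distinct > 1 else 0.0,
                          "leaks": distinct > 1}
    return report

# Constructed sample: tunnel A copies the inner TOS (four distinct values show up);
# tunnel B writes a fixed outer TOS of 0 regardless of the inner traffic.
SAMPLE = (
    [build_outer_ipv4(t, "192.0.2.1", "198.51.100.2", 100)
     for t in (0x00, 0x10, 0x08, 0xb8, 0x10, 0x00)]
    + [build_outer_ipv4(0, "192.0.2.1", "203.0.113.7", 100) for _ in range(6)]
)

if __name__ == "__main__":
    for tunnel, r in audit_tos_leak(SAMPLE).items():
        print(tunnel, r)  # tunnel A: 4 distinct TOS values, 2.0 bits/packet; tunnel B: 1, 0.0
```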


