
Re: TOS copying considered harmful




 >>>>> "Henry" == Henry Spencer <henry@spsystems.net> writes:
     Henry> On Tue, 19 Sep 2000, Olivier Kreet wrote:
     >> The best thing would probably be to have one tunnel per class of 
     >> service, but it is not always possible to set up parallel tunnels on 
     >> today's IPSec implementations (e.g. linux Freeswan).

     Henry> Also, whether this is "best" depends on your priorities.  Making the TOS
     Henry> field visible -- whether in one tunnel or parallel tunnels -- provides a
     Henry> hint to traffic analysts and a covert channel for Trojan horses, so the
     Henry> underlying assumption that this should be done is itself

The hint for traffic analysers is moot.

The *purpose* of copying the TOS/DSCP+ECM byte is so that packets will get
treated differently. The streams with higher priority will get noticed.

QoS and immunity to traffic analysis are fundamentally compatible.
QoS is about highlighting which traffic is which.

This is a security vs convenience argument with varying degrees of
paranoia. This is simply a binary choice.

If you want your activities to remain unnoticed to traffic analysis, you
must send all data with the same quality of service.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems/while this plane is 45  |problem  with[
]     mcr@solidum.com   www.solidum.com\minutes late and cramped|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
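As an added defender-side check illustrating the exposure discussed in this thread (example code, not from the list or from any IPsec implementation), the script below parses constructed outer IPv4+ESP headers and reports every SA whose outer DSCP value varies, i.e. where the inner class of service is visible to an outside observer. The addresses, SPIs and packet contents are constructed sample values.

```python
import socket
import struct
from collections import defaultdict

ESP_PROTO = 50  # IP protocol number for ESP


def build_esp_packet(tos: int, spi: int, seq: int,
                     src: str = "192.0.2.1", dst: str = "198.51.100.2") -> bytes:
    """Build a minimal outer IPv4 header followed by an ESP header (constructed sample)."""
    payload = struct.pack("!II", spi, seq) + b"\x00" * 16  # ESP header + dummy ciphertext
    total_len = 20 + len(payload)
    # version/IHL, TOS byte, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0x4000, 64,
                      ESP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def dscp_per_sa(packets):
    """Map each ESP SPI to the set of DSCP values seen on its outer IPv4 header."""
    seen = defaultdict(set)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        tos, proto = pkt[1], pkt[9]
        if proto != ESP_PROTO:
            continue
        spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
        seen[spi].add(tos >> 2)  # DSCP is the top six bits; the low two bits are ECN
    return seen


def sas_exposing_class_of_service(packets):
    """SPIs whose outer DSCP varies: inner traffic classes are distinguishable on the wire."""
    return sorted(spi for spi, dscps in dscp_per_sa(packets).items() if len(dscps) > 1)


# Constructed capture: SA 0x1001 copies the inner TOS byte outward (best-effort
# and EF/voice packets look different); SA 0x2002 uses one fixed outer DSCP.
SAMPLE = [
    build_esp_packet(0x00, 0x1001, 1),
    build_esp_packet(46 << 2, 0x1001, 2),
    build_esp_packet(0x00, 0x2002, 1),
    build_esp_packet(0x00, 0x2002, 2),
]

if __name__ == "__main__":
    for spi in sas_exposing_class_of_service(SAMPLE):
        print(f"SPI {spi:#x} reveals inner class of service: DSCP {sorted(dscp_per_sa(SAMPLE)[spi])}")
```

Run over a real capture, the same function applied to the outer headers of each SA shows whether the tunnel endpoint is copying TOS or sending everything with a single marking, which is the configuration this message recommends.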
