
Re: Choosing between IKEv2 and JFK

>>>>> "Jan" == Jan Vilhuber <vilhuber@cisco.com> writes:
    >> The requirement is that one is able to negotiate multiple tunnels with
    >> different contents. We have that already. You have to negotiate a
    >> per-port tunnel for each QoS flow.

    Jan> Can you ever do different levels of QoS for the same 5-tuple? Would
    Jan> this make sense?

  Sure, of course you can if you add a tuple :-)
  So you'd be doing QoS based upon two different 6-tuples.

    Jan> That's sort of my assertion. Something else did the check whether
    Jan> you (the guy with the certificate) are allowed QoS for this traffic
    Jan> at level X. IKE doesn't (and shouldn't IMHO) answer this question,
    Jan> but should negotiate the tunnel for the different QoS level if
    Jan> instructed to do so (by ipsec or rsvp or whatever...).

  if you think about encryption as a "quality" of "service", then the SPD is
going to say something like:
   for traffic from v.x.y.z/mask to a.b.c.d/mask on tcp port 25
   do  ESP-AES-SHA2 with "Telnet"-EF-QoS policy.

  IKE will have to inform the other end that it is doing this so that the
reverse flow can have appropriate QoS applied. (Since the QoS will be based
upon proto,dst,SPI# not TCP ports).

    Jan> Now what do you think of Angelos' idea of simply putting the max
    Jan> level of QoS of all your flows onto the ESP tunnel, thereby
    Jan> effectively elevating all low-priority traffic to high priority
    Jan> traffic as far as the outer IP header is concerned? Seems that is
    Jan> counter to what QoS is supposed to do, but I'd like to hear some
    Jan> QoS-savvy opinions on this.

  You can not have multiple levels of QoS for the same (proto,dst,SPI#).
  There is simply no point.

  If you want to do this, then you just negotiate one level of QoS. The
cryptographic reason to aggregate traffic is to defeat traffic analysis.
  Any change in QoS setting at all reveals what is going on.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
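The "one QoS level per (proto,dst,SPI#)" rule and the traffic-analysis argument above, modelled as an added example (not code from the post, nor from any IKE or IPsec implementation): a toy SPD keyed on the 5-tuple plus a DSCP class, one child SA per class, and an on-path observer who only sees the ESP outer header. The SPD structure, SPI values, DSCP classes and sample flows are constructed assumptions.

```python
"""Toy model of the "one QoS level per SA" rule from the thread above (added example).
Assumes a simplified SPD keyed on the 5-tuple plus a DSCP class (the "6-tuple"),
one child SA per class, and a passive observer who sees only the ESP outer header
(proto, dst, SPI, DSCP). All flows, SPIs and classes below are constructed."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport dscp")
Outer = namedtuple("Outer", "proto dst spi dscp")
ESP = 50  # IP protocol number of ESP

class Spd:
    """Maps (dst, DSCP class) to an SA: a new class gets a new SA, never a new marking on an old one."""
    def __init__(self):
        self.spi_by_class = {}
        self.next_spi = 0x1000

    def spi_for(self, flow):
        key = (flow.dst, flow.dscp)
        if key not in self.spi_by_class:
            self.spi_by_class[key] = self.next_spi  # in reality negotiated by IKE
            self.next_spi += 1
        return self.spi_by_class[key]

def encap_per_class(spd, flow):
    """Per-class SA: the outer DSCP is a property of the SA, fixed when it was negotiated."""
    return Outer(ESP, flow.dst, spd.spi_for(flow), flow.dscp)

def encap_copy_inner(spi, flow):
    """One SA for everything with inner DSCP copied out: the case the thread says reveals the flows."""
    return Outer(ESP, flow.dst, spi, flow.dscp)

def dscp_values_per_spi(outers):
    """What an on-path observer can tally without any keys: markings seen per (proto, dst, SPI)."""
    seen = defaultdict(set)
    for o in outers:
        seen[(o.proto, o.dst, o.spi)].add(o.dscp)
    return {k: sorted(v) for k, v in seen.items()}

def leaks_classes(outers):
    """True if some SA carries more than one marking, i.e. the observer can tell flow classes apart."""
    return any(len(v) > 1 for v in dscp_values_per_spi(outers).values())

# Constructed sample: two SMTP flows (best effort, DSCP 0) and one telnet session marked EF (DSCP 46)
FLOWS = [Flow("10.0.0.5", "192.0.2.9", 6, 40001, 25, 0),
         Flow("10.0.0.5", "192.0.2.9", 6, 40002, 23, 46),
         Flow("10.0.0.5", "192.0.2.9", 6, 40003, 25, 0)]

def run():  # returns (per-class SAs leak?, single SA leaks?, SAs negotiated) -> (False, True, 2)
    spd = Spd()
    per_class = [encap_per_class(spd, f) for f in FLOWS]
    single_sa = [encap_copy_inner(0x2000, f) for f in FLOWS]
    return leaks_classes(per_class), leaks_classes(single_sa), len(spd.spi_by_class)
```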
