Re: Choosing between IKEv2 and JFK
>>>>> "Jan" == Jan Vilhuber <vilhuber@cisco.com> writes:
>> The requirement is that one is able to negotiate multiple tunnels with
>> different contents. We have that already. You have to negotiate a
>> per-port tunnel for each QoS flow.
Jan> Can you ever do different levels of QoS for the same 5-tuple? Would
Jan> this make sense?
Sure, of course you can if you add a tuple :-)
So you'd be doing QoS based upon two different 6-tuples.
Jan> That's sort of my assertion. Something else did the check whether
Jan> you (the guy with the certificate) are allowed QoS for this traffic
Jan> at level X. IKE doesn't (and shouldn't IMHO) answer this question,
Jan> but should negotiate the tunnel for the different QoS level if
Jan> instructed to do so (by ipsec or rsvp or whatever...).
If you think about encryption as a "quality" of "service", then the SPD is
going to say something like:
    for traffic from v.x.y.z/mask to a.b.c.d/mask on tcp port 25
    do ESP-AES-SHA2 with "Telnet"-EF-QoS policy.
IKE will have to inform the other end that it is doing this so that the
reverse flow can have appropriate QoS applied. (Since the QoS will be based
upon proto, dst, SPI#, not TCP ports.)
Jan> Now what do you think of Angelos' idea of simply putting the max
Jan> level of Qos of all your flows onto the ESP tunnel, thereby
Jan> effectively elevating all low-priority traffic to high priority
Jan> traffic as far as the outer IP header is concerned? Seems that is
Jan> counter to what QoS is supposed to do, but I'd like to hear some
Jan> QoS-savvy opinions on this.
You cannot have multiple levels of QoS for the same (proto, dst, SPI#).
There is simply no point.
If you want to do this, then you just negotiate one level of QoS. The
cryptographic reason to aggregate traffic is to defeat traffic analysis.
Any change in QoS setting at all reveals what is going on.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
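An added illustration, not code from the thread or from any IKE implementation, of the model argued above: the QoS class is part of the selector (the "6-tuple"), so flows needing different classes land on different SAs, the reverse path classifies on (proto, dst, SPI) only, and one SA never carries more than one marking. The function names, the SAD layout and the SPI allocation are assumptions of this toy model.

```python
def find_or_create_sa(sad, peer, selector, qos):
    """Return the SPI of the SA to `peer` carrying exactly (selector, qos).

    sad: dict (peer, spi) -> {"selector": 5-tuple, "qos": class}. A fresh SPI
    is allocated when nothing matches; a matching 5-tuple with a different
    class is deliberately not a match, because the class is part of the key.
    """
    for (dst, spi), sa in sad.items():
        if dst == peer and sa["selector"] == selector and sa["qos"] == qos:
            return spi
    # Constructed SPI allocation for the model; real SPIs come from IKE.
    spi = max((s for (_, s) in sad), default=0xFFF) + 1
    sad[(peer, spi)] = {"selector": selector, "qos": qos}
    return spi


def classify_esp(sad, packet):
    """Classify an ESP packet on the reverse/forwarding path.

    Only (proto, dst, SPI) is visible: the inner TCP ports are encrypted, so
    the single QoS class bound to the SA decides. Non-ESP traffic and unknown
    (dst, SPI) pairs get None, i.e. no special treatment.
    """
    if packet.get("proto") != "esp":
        return None
    sa = sad.get((packet.get("dst"), packet.get("spi")))
    return sa["qos"] if sa else None


def marking_consistent(sad, peer, spi, requested_qos):
    """True iff marking a packet on this SA with requested_qos matches the
    class negotiated for the SA. A per-packet deviation would reveal, in the
    clear, which inner flow is being sent and undo the traffic-analysis
    benefit of aggregating flows on one SA."""
    return sad[(peer, spi)]["qos"] == requested_qos
```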