Black_David@emc.com wrote:
> IPsec currently makes QoS for tunnels somewhat difficult, as
> RFC 2401 requires copying the DSCP from the inner header
> to the outer header on tunnel ingress, and discarding it
> at tunnel egress, even if it's been changed. This is
> overly severe, and I believe/hope that it will be made more
> flexible in the new version of RFC 2401.

I can understand why this should be revisited, but it also requires a revision of RFC 2003. RFC 2401 already specifies some incompatible rules (e.g. for DF flag processing) that are in conflict with IPIP encapsulation as standardized in RFC 2003. (See draft-touch-ipsec-vpn-03.txt.) It may be useful to update 2401 and 2003 together.

Lars
--
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California