
Re: IKEv2 transport concerns




>>>>> "Black" == Black David <Black_David@emc.com> writes:
    Black> (1) Any system running IKEv2 is REQUIRED to handle ECN (Explicit

  I think that this may be misplaced. I think that RFC2401bis is where
to say this. 

    Black> (2) Repeat after me ... "IKEv2 will not negotiate transport QoS".

  Okay, I'm not even sure that we all know what it is that we won't be doing.

  Are you telling me that, if a gateway system is aware of QoS that was
requested by an end system, that it can never inform the other gateway of
this fact?
  Clearly, a gateway system that knows of a QoS requested by an end system
(whether via RSVP or other) could easily present appropriate signaling for
the resulting tunnel. 

    Black> 	For diffserv code points, the proposal is for IKEv2 to have
    Black> 	each endpoint of a tunnel-mode or UDP-encapsulated-tunnel-mode
    Black> 	SA report to the other how it treats the outer DSCP values
    Black> 	on decapsulation (copy to inner vs. discard - nothing more
    Black> 	complex is needed, see RFC 2983 for a longer discussion).

    Black> 	Negotiating or configuring this ought to be out of scope for
    Black> 	IKEv2, but reporting what will be done can be a useful check
    Black> 	that something stupid isn't about to happen.

  Okay, so this is just advice.

    Black> In addition, it's important to negotiate encapsulation mode needs
    Black> separately from crypto processing - this turns out to dovetail
    Black> nicely 
    Black> with the NAT traversal requirements, yielding four encapsulation
    Black> modes: 

  Yes, this is a very good idea.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
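The decapsulation-side behaviour that David Black's quoted proposal asks each tunnel endpoint to report (copy the outer DSCP into the inner header, or discard it), worked through in Python as an added example that is not part of the original message; the function names, the constructed sample headers, and the ECN handling (which follows RFC 3168's full-functionality decapsulation rule) are my own assumptions. The run shows why reporting the policy is a useful sanity check: under "copy", an outer DSCP that travelled unprotected and could have been rewritten in transit replaces the integrity-protected inner value.

```python
import struct

def checksum(hdr: bytes) -> int:
    """Internet checksum (RFC 1071) over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(tos: int, src: str, dst: str, proto: int) -> bytes:
    """Build a minimal IPv4 header (no options) with a valid checksum."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def decapsulate(outer: bytes, inner: bytes, dscp_policy: str) -> bytes:
    """Return the inner IPv4 header as forwarded after tunnel decapsulation.

    "discard": inner DSCP is left as the sender set it (the value that was
    integrity-protected inside the tunnel).
    "copy": inner DSCP is overwritten by the outer DSCP, which travelled
    unprotected and may have been rewritten on the path.
    ECN (assumption: RFC 3168 full-functionality rule): an outer CE mark is
    carried into an ECN-capable (ECT) inner packet; a not-ECT inner packet
    is left untouched.
    """
    if dscp_policy not in ("copy", "discard"):
        raise ValueError("dscp_policy must be 'copy' or 'discard'")
    outer_tos, inner_tos = outer[1], inner[1]
    dscp = (outer_tos if dscp_policy == "copy" else inner_tos) >> 2
    ecn = inner_tos & 0b11
    if ecn in (0b01, 0b10) and (outer_tos & 0b11) == 0b11:
        ecn = 0b11
    hdr = inner[:1] + bytes([(dscp << 2) | ecn]) + inner[2:10] + b"\x00\x00" + inner[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def dscp_of(hdr: bytes) -> int:
    return hdr[1] >> 2

def ecn_of(hdr: bytes) -> int:
    return hdr[1] & 0b11

# Constructed sample: outer header marked EF (DSCP 46) with CE set by a router
# on the path; the inner packet is best-effort (DSCP 0) and ECT(0).
OUTER = ipv4_header((46 << 2) | 0b11, "192.0.2.1", "192.0.2.2", proto=50)
INNER = ipv4_header((0 << 2) | 0b10, "10.0.0.1", "10.0.0.2", proto=6)

if __name__ == "__main__":
    for policy in ("discard", "copy"):
        fwd = decapsulate(OUTER, INNER, policy)
        print(policy, "-> inner DSCP", dscp_of(fwd), "ECN", bin(ecn_of(fwd)))
```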