
Re: IKEv2 transport concerns



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Black" == Black David <Black_David@emc.com> writes:
    Black> Depends on the protocol.  RSVP certainly could be forwarded in principle
    Black> (need an SPD that understands protocol 46, or an encapsulation of some
    Black> form), although this may raise orthogonal issues about whether the tunnel
    Black> presents routable interfaces if the RSVP path extends beyond the tunnel
    Black> endpoints.  OTOH, there's been discussion of out-of-band protocols for
    Black> bandwidth brokers and the like that probably wouldn't go through the tunnel.

    >> Are there signaling protocols which an end system can use to control
    >> QoS *towards* it? If so, how does the end system have the return
    >> stream of the tunnel properly signaled?

    Black> An instance of RSVP running the other way is one possibility, although
    Black> it requires serious cooperation from the other end of the tunnel.  L2TP's
    Black> diffserv extension (RFC 3308) may be useful when L2TP is in the stack.

  I take this as: no, there are no existing protocols that permit an end
system to control bandwidth to it.

  The ability to do this kind of thing is going to be critical when it comes
to dealing with DDoS attacks - select the traffic you WANT, bump it up, and
let RED deal with the rest.

  It will have to interact well with tunnels.

    >> Other than RSVP, what else is there at present? (I'm certainly out
    >> of touch).

    Black> Not much.  In addition to RFC 3308, the nsis WG may produce something,
    Black> and there's been all sorts of other possibilities discussed, but no
    Black> RFCs that I can point to.

  Maybe, after term on nomcom is over, I can pay attention to that.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPe5GpYqHRg3pndX9AQGMCAP+MIge59pppji3aPFBTnObrtNcigRYeZ2v
9bMk5yfZ64jHDaawIetnIeEg+v8Hf90drYsHUvJjZescczKzx7tKujCInIIw1AFR
HbGaNaMPhMsJggNWYzYyHt0WJbH/3VotzTZtWvL7eFCSE8VyWpv/BUBmFmGiZxrA
0Nqwlru8Rgo=
=9S+y
-----END PGP SIGNATURE-----