[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECN and issue 58

To: Black_David@emc.com
Subject: Re: ECN and issue 58
From: Joe Touch <touch@ISI.EDU>
Date: Thu, 04 Sep 2003 11:28:53 -0700
CC: kivinen@ssh.fi, ipsec@lists.tislabs.com
In-Reply-To: <B459CE1AFFC52D4688B2A5B842CA35EA7A4EFC@corpmx14.us.dg.com>
References: <B459CE1AFFC52D4688B2A5B842CA35EA7A4EFC@corpmx14.us.dg.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030529

Black_David@emc.com wrote:

>>I think the text could be something like this:
>>----------------------------------------------------------------------
>>2.24 ECN (Explicit Congestion Notification)
>>
>>   The RFC 3168 includes two ECN operating modes. In order to avoid
>>   multiple ECN operating modes and negotiation, tunnel decapsulators
>>   for tunnel-mode Security Associations (SAs) created by IKEv2 MUST
>>   implement the full-functionality option processing specified in
>>   [RFC3168] and [RFC2401bis] to prevent discarding of ECN congestion
>>   indications.
> 
> 
> My proposed text:
> 
> When IPsec tunnels behave as originally specified in [RFC 2401], ECN usage
> is not appropriate for the outer IP headers because tunnel decapsulation
> processing discards ECN congestion indications to the detriment of the
> network.  ECN support for IPsec tunnels for IKEv1-based IPsec requires
> multiple  operating modes and negotiation (see [RFC 3168]).  IKEv2
> simplifies this situation requiring that ECN be usable in the outer IP
> headers of all tunnel-mode IPsec SAs created by IKEv2.  Specifically,
> tunnel encapsulators and decapsulators for all tunnel-mode Security
> Associations (SAs) created by IKEv2 MUST support the ECN full-functionality
> option for tunnels specified in [RFC3168] and MUST implement the tunnel
> encapsulation and decapsulation processing specified in [RFC2401bis] to
> prevent discarding of ECN congestion indications.
> 
> NB: [RFC 2401] reference is informative, [RFC 3168] and [2401bis] are
> normative.

It might be useful to consider that RFC2168 already specifies how ECN 
interacts with IP in IP (RFC2003) tunneling (sec 9.1), and that IPsec 
tunnels should follow that convention.

This is keeping with another goal, i.e., having 2401bis point to RFC2003 
excepting only security caveats, rather than (largely) respecifying an 
existing specification.

The security caveat is that an IPsec tunnel SA MAY set the DF bit but 
MUST NOT not clear it; the latter case should be interpreted (IMO) as 
"pass/encapsulate only if the inner packet's DF is not set, and drop 
otherwise" rather than actually clearing the bit in the header.

(this is addressed in draft-touch-ipsec-vpn-05.txt, Appendix A).

Joe

References:
- RE: ECN and issue 58
  - From: Black_David@emc.com

Prev by Date: Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer
Next by Date: Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer
Prev by thread: RE: ECN and issue 58
Next by thread: Re: ECN and issue 58
Index(es):
- Date
- Thread